Introduction to Industrial Control Systems Cybersecurity R. Minicucci, CCNP, CEH, Security+ GE Oil & Gas – Principal Cyber Security Engineer


Page 1: Introduction to Industrial Control Systems Cybersecurity

Introduction to Industrial Control Systems Cybersecurity

R. Minicucci, CCNP, CEH, Security+ GE Oil & Gas – Principal Cyber Security Engineer

Page 2: Introduction to Industrial Control Systems Cybersecurity

Agenda

1. Context (30m)
2. IT vs. SCADA (30m)
3. Threats & Attack surface (30m)
4. Architecture and components (3h)
5. Overview of applicable standards (30m)
6. Countermeasures (30m)
7. Horizon (10m)

Page 3: Introduction to Industrial Control Systems Cybersecurity

CONTEXT

Courtesy of GE Oil & Gas

Page 4: Introduction to Industrial Control Systems Cybersecurity

CONTEXT – Industry Landscape

Diagram recovered from the slide: security areas arranged around the CRITICAL CYBER ASSETS, under the domain labels Electronic Security, Physical Security, Incident Response and System Security Mgmt.

Areas:
• Hiring practices
• Access control
• Training
• Vulnerability monitoring & security events
• Incident report & response
• Security software updates*
• Information mgmt
• Backup & restore
• Documentation
• Closed ports
• Remote Connection*
• Access & account management

* Most critical areas

Presenter
Regardless of the industry vertical, the cybersecurity domain always spans these areas.
Page 5: Introduction to Industrial Control Systems Cybersecurity


CONTEXT - What are SCADA/ICS ?

• SCADA = Supervisory Control and Data Acquisition
• ICS = Industrial Control Systems
• PCS = Process Control Systems
• DCS = Distributed Control Systems
• EMS = Energy Management System
• etc.

Similar technologies and names, depending on application and history. Typically DCS are single-vendor solutions with a small footprint, fast rate/response and an emphasis on safety; SCADA may extend geographically, have a slower poll rate, interface with physical devices for DAQ and provide operations status.

They generally refer to the systems which control, monitor, and manage critical infrastructures such as:
• electric power generators
• subway systems
• dams
• telecommunication systems
• natural gas pipelines
• and many others.

Simply stated, a control system gathers information and then performs a function based on established parameters and/or the information it received. (DHS “Recommended Procurement Lang.”)

Traditionally, control systems were stand-alone devices, not connected to business networks or to the outside world via the Internet.

The technologies involved, though quite old, are remarkably reliable.

Page 6: Introduction to Industrial Control Systems Cybersecurity


CONTEXT - But why do we need this now ?

• Evolution of Automation Technology towards Collaboration environments (Digitization, Connectedness, etc.)

• Collision course of Business and Industrial networks

• Rise of the Internet of Things

• Market forces of Mobility, Remote management & Cost reduction across Critical Infrastructure domains

• Legislation, Regulatory & Standards pressures

• Increasing pattern of attacks against Critical Infrastructures

Page 7: Introduction to Industrial Control Systems Cybersecurity


CONTEXT - Examples of incidents

ICS security was a minor problem until Stuxnet…

• Stuxnet (2010): a worm that struck an Iranian nuclear facility. It initially spread through removable media and used four ‘zero-day vulnerabilities’. It employs Siemens’ default passwords to access the Windows operating systems that run the WinCC and PCS7 programs, then hunts down the frequency-converter drives used to power the centrifuges that concentrate the uranium-235 isotope. Stuxnet altered the frequency of the electrical current to the drives, causing them to switch between high and low speeds for which they were not designed, hence causing the centrifuges to fail at a higher than normal rate… 900+ damaged…

• Night Dragon (2011): five global energy firms were targeted by a combination of attacks including social engineering, Trojans and Windows-based exploits. The corporate network segments belonging to companies that operate SCADA infrastructures were attacked, and data such as operational blueprints was exfiltrated.

• Flame (2012): malware operating in Iran, Lebanon, Syria, Sudan, the West Bank and other places in the Middle East and North Africa for at least two years. Designed to steal data, including documents, recorded conversations and keystrokes. It also opens a backdoor on infected systems to allow the attackers to tweak the toolkit and add new functionality.

Presenter
STUXNET: Attacked Windows systems using an unprecedented four zero-day attacks. It is initially spread using infected removable drives and then uses other exploits and techniques, such as a shared print-spooler vulnerability to spread in networks with shared printers, and peer-to-peer RPC to infect and update other computers inside private networks that are not directly connected to the Internet. Stuxnet is unusually large at half a megabyte in size, and written in several different programming languages, which is also irregular for malware. The malware device drivers have been digitally signed with the private keys of two certificates that were stolen from separate well-known companies. The driver signing helped it install successfully without users being notified, and therefore to remain undetected for a relatively long period of time. Both compromised certificates have been revoked by VeriSign.

Once installed on a Windows system, Stuxnet infects project files belonging to Siemens' WinCC/PCS 7 SCADA control software, and subverts a key communication library of WinCC called s7otbxdx.dll. In doing so it intercepts communications between the WinCC software running under Windows and the target Siemens PLC devices that the software is able to configure and program when the two are connected via a data cable. In this way the malware is able to install itself on PLC devices unnoticed, and subsequently to mask its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system. It affects the operation of the connected motors by changing their rotational speed. It also installs a rootkit that hides the malware on the system and masks the changes in rotational speed from monitoring systems. It was the first real threat with real-world political ramifications.

FLAME: While Stuxnet was meant to destroy things, Flame’s purpose was merely to spy on people. Spread over USB sticks, it could infect printers shared over the same network. Once Flame had compromised a machine, it could stealthily search for keywords in top-secret PDF files, then make and transmit a summary of the document, all without being detected. Data is sent off in smaller chunks to avoid hogging the available bandwidth for too long. Impressively, Flame could exchange data with any Bluetooth-enabled device. In fact, the attackers could steal information or install other malware not only within Bluetooth’s standard 30-meter range but also farther out: a “Bluetooth rifle” (a directional antenna linked to a Bluetooth-enabled computer, plans for which are readily available online) could do the job from nearly 2 kilometers away. But the most worrisome thing about Flame was how it got onto machines in the first place: via an update to the Windows 7 operating system. A user would think she was simply downloading a legitimate patch from Microsoft, only to install Flame instead. Flame spreading through Windows updates is more significant than Flame itself, because it broke world-class encryption.

http://en.wikipedia.org/wiki/Stuxnet
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Page 8: Introduction to Industrial Control Systems Cybersecurity


CONTEXT – Interconnected world of Critical Infrastructures

Security is about the weakest link

Page 9: Introduction to Industrial Control Systems Cybersecurity

IT vs. SCADA

Page 10: Introduction to Industrial Control Systems Cybersecurity


IT vs. SCADA - Characteristics of SCADA/ICS

Designed for functionality, standalone systems
• Tight procedures control
• Strict Management of Change process
• Physical security
• Safety and equipment protection

Deterministic
• Defined functions and traffic
• Reliability first (“Treat Reliability like Safety”)
• Very conservative approach (“no release 1, nor release 2, maybe rel. 3..”)
• PRODUCTION is king

Is Ethernet deterministic? Serial?

Presenter
Ethernet is not deterministic (CSMA/CD, full duplex): fast but with an unpredictable time to get a response. Serial communications are deterministic (half duplex) but slow (2.4 kbaud). Profinet and Ethernet/IP are considered open standards deployed over Ethernet and deterministic (Profibus more deterministic than Ethernet/IP). There are three different protocol levels in Profinet, differentiated by speed:
• Profinet CBA, for a plant needing reaction times in the range of 100 ms, uses TCP/IP.
• Profinet CBA and IO applications needing up to 10 ms cycle times use the RT (Real-Time) protocol.
• Profinet IO applications in drive systems for motion control use the IRT (Isochronous Real-Time) protocol for cycle times of less than 1 ms.
Page 11: Introduction to Industrial Control Systems Cybersecurity


IT vs. SCADA – IT key points

Confidentiality & Performance
• Data available to those with a right to know
  – Third Party Agreements
  – Contractual Details
  – Commercial Advantage (IP protection)
  – High throughput (some delay acceptable)
  Typically protected by encryption/monitoring (SSL, IPsec, sFTP, DLP tools etc.)

Integrity
• “Information protected against unauthorized alteration” (accidental or deliberate)

Availability
• Information is usable when needed
  – the systems that provide it can resist attacks and recover from failure

Presenter
Confidentiality/NDA clauses are not enough; contracts need a «right to audit» clause to verify the inclusion of security requirements in the SDLC, as well as change control and awareness. Risks may also be legal, financial and operational. One method of achieving high availability is through the use of redundancy. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the ICS, or cause another problem elsewhere, such as a cascading event.
Page 12: Introduction to Industrial Control Systems Cybersecurity


IT vs. SCADA – ICS key points

Availability
• No loss of view/control
• No denial of service (DoS)

Safety
• Predictable failures to a safe state
• Independence of control and safety systems

Integrity/Authentication
• No unauthorized access
• No data/configuration change

IT cyber attacks tend to focus on stealing intellectual property / sensitive information, thus Confidentiality is high.

ICS cyber attacks tend to focus on destabilization of assets / disruption of activities, thus Integrity and Availability are high.

Presenter
The requirements on efficiency and safety are, for example, in conflict with rigid password protection, and cryptographic techniques might degrade performance to an unacceptable level. Access links not protected with authentication and/or encryption carry the increased risk of adversaries using these unsecured connections to access remotely controlled systems. This could lead to an adversary compromising the integrity of the data in transit as well as the availability of the system, both of which can result in an impact on public and plant safety. Before deploying encryption, first determine if encryption is an appropriate solution for the specific ICS application.

The IT world typically sees performance, confidentiality, and data integrity as paramount, while the ICS world sees human and plant safety as its primary responsibility, and thus system availability and data integrity are core priorities. Other distinctions include differences in reliability requirements, incident impacts, performance expectations, operating systems, communications protocols, and system architectures. This can mean significant differences in the implementation of security practices.
Page 13: Introduction to Industrial Control Systems Cybersecurity


IT vs. SCADA – Comparison

Topic              | IT world                                                | ICS («OT» world)
-------------------|---------------------------------------------------------|---------------------------------------------
Security triad     | CIA (Confid./Integrity/Availab.)                        | AS (Availab. & Safety)
Lifecycle          | 20-40 months                                            | 20+ years
Antivirus          | Common                                                  | Uncommon\impossible
Patching           | Widely used, weekly or faster                           | Yearly or never
SW config Mgmt     | Yes                                                     | Partly
Time critical      | Generally delays OK / Best effort                       | Critical/Deterministic (10-50 ms)
Availability       | Interruptions generally tolerated, limited consequences | 24x7x365xforever, catastrophic consequences
Sec. Awareness     | Good                                                    | Poor
Security testing   | Mandatory                                               | Initial stage
Physical Security  | Yes                                                     | Yes
Protocols          | Standardized                                            | Proprietary

..but in the end they will be convergent

Page 14: Introduction to Industrial Control Systems Cybersecurity

THREATS and ATTACK SURFACE

Page 15: Introduction to Industrial Control Systems Cybersecurity


THREATS AND ATTACK SURFACE - Trends

*Threat trend

• Drive-by Exploits: injection of malicious code into the HTML of websites that exploits vulnerabilities in users' web browsers. For Android as well.
• Worms/Trojans: from USB keys, social networks and mobile platforms
• Code Injection: SQL injection, cross-site scripting, cross-site request forgery (CSRF)
• Exploit Kits: ready-to-use software packages that “automate” tasks. Malware-as-a-Service (MaaS) is an emerging criminal business model
• DoS: mostly works at the application layer. HTTP, DNS and SMTP are the most frequently targeted. Often used as a “distraction”.
• Phishing: fraudulent e-mails and legitimate-looking websites
• Data Steal: web application vulnerabilities are key to many data breaches
• Spam: increased pressure on spammers in the last 2 years (e.g. Rustock botnet takedown, etc.)
• Targeted Attacks: the energy sector reported most of these incidents. The rise in existing vulnerabilities in SCADA systems is an indication of the success prospects of this kind of threat

Top vulnerability by type: 1. Buffer Overflow 2. Input Validation 3. Authentication & XSS

Incidents by sector - 2012 (pie chart; values recovered from the slide):
Energy 41.0%; Water 14.5%; Internet-facing 10.5%; Commercial 9.5%; Critical Mfg 4.2%; Chemical 3.7%; Gov't 3.7%; Nuclear 3.1%; Transportation 2.7%; HC 2.6%; Communications 2.1%; Food & Ag 1.0%; Dams 0.5%; Banking 0.5%; IT 0.5%

*Source: ENISA Threat Landscape report 2012. In red (on the slide): top emerging threats for critical infrastructures.

Presenter
DDoS: the average size of the attacks expressed in bits per second (bps) was in the 3-3.5 Gbps range; 50% under 1 Gbps, 40% under 5 Gbps; average duration less than 1 hr.
Page 16: Introduction to Industrial Control Systems Cybersecurity


THREATS AND ATTACK SURFACE - ICS vulnerabilities trend

ICS vulnerabilities by Quarter* (chart; data not recoverable from the slide)

*From Critical Intelligence Inc.

Sophisticated tools/techniques shifted from IT onto ICS, resulting in:
• 750+ % reported vulnerabilities disclosed in 2011
• 40% include working attack code
• 20000+ unauthorized Internet accesses to ICS in 2012

Researchers/hackers are paid to disclose serious vulnerabilities to “brokers”, who then sell exploits for as much as $75K - $120K….

Presenter
Nation-state attacks are happening today ($$$/sophisticated). Industrial Control Systems are behind the curve; attacks are already moving faster than defense. Some notes on why “ICS are behind the curve”:
1) IT Security generally has little knowledge of ICS, and ICS experts are generally knowledgeable in operations but not in security; expertise in both is rare.
2) Patching is frequent in IT, slow or impossible in ICS. System life cycle is 3-5 years in IT, 15 to 125 years in ICS.
3) Legacy ICS were not designed to be secure, self-diagnosing, or to have network logging: insecure protocols; reboots/halts not protected (and infrequent); software, firmware and system not protected; basic access control not available (default passwords); binary transfer issues exceed current IDS technologies.
Page 17: Introduction to Industrial Control Systems Cybersecurity


THREATS AND ATTACK SURFACE - Typical Findings in ICS

• VOIP software
• Software license cracking executables
• Online dating services
• AOL/MSN/Torrent clients
• MP3/iTunes etc.
• Gaming software servers (Quake etc.)
• Anonymous FTP servers

+
• Linux \ Windows hosts unpatched for years
• Unsupported OS (Win95/NT)
• No removable media control
• Flat networks
• Unauthenticated WLAN
• Unprotected switches
• APC battery vulnerable web interface
• .....

Page 18: Introduction to Industrial Control Systems Cybersecurity

ARCHITECTURE and COMPONENTS

Page 19: Introduction to Industrial Control Systems Cybersecurity


ARCHITECTURE AND COMPONENTS – ICS Network

Zone diagram recovered from the slide (top to bottom):
BUSINESS ZONE: Internet DMZ, Corporate LAN
DMZ (3.5)
OPERATIONS ZONE: OPS DMZ
PROCESS CONTROL / SCADA ZONE

- Goal: secure segregation between Business Zone (L4-5) and Process Control Zone (L2-1-0)
- L3 as a staging area between L2 and L4
- Any Internet access must be handled through L4, not directly from L3
- VLANs and virtual machines should not cross security zones
- Firewall disjoint rules (except for AV updates, patches, Historian traffic)

Presenter
Security Principles:
- Goal: secure segregation between the enterprise network (L4-5) and the Process Control Network (L2-1-0)
- L3 is a staging area between L2 and L4
- VLANs and virtual machines should not cross security zones
- Any Internet access must be handled through L4, not directly from L3
- Firewall disjoint rules (two successive firewall hops will not allow the same protocol/port to go through), except for AV updates, security patches and real-time historian data

BUSINESS ZONE
- Lev5: Enterprise business network: corporate-level applications used to support Enterprise Business and User goals. Items typically found in this zone include: Internet access points, e-mail servers, customer-facing/internal web servers, enterprise document/HR/CRM systems, remote access VPN endpoints
- Lev4: Business Unit/Plant Network: IT shared services for a local site or business unit. Typically local file/print servers, local phone systems, site-specific remote access solutions/Internet access points

DMZ
- Lev3.5: Provides function-specific zones where services and data can be shared between zones. Typically patch mgmt servers, AV servers, site-specific application servers, BI systems, backend DB for site-specific applications

OPERATIONS ZONE
- Lev3: Operations Support DMZ: includes the functions involved in managing the ops environment. Typically ops scheduling resources, reliability tracking tools, ops simulation and modeling tools, replicated historian, data visualization utilities. Also dedicated ops-specific IT services such as DHCP, LDAP, DNS and file servers

PROCESS CONTROL/SCADA ZONE
- Lev2: Supervisory Control LAN: includes the functions involved with operating the real-time control system. Typically control center operation/engineering workstations, HMI, security event collectors, operations alarm systems, data historians, application admin workstations
- Lev1: Control Devices: includes the functions involved in site-specific operating environments. Typically dedicated operator workstations, PLCs, controllers, programmable relays, RTUs and process-specific microcontrollers
- Lev0: Process Control Instrumentation Bus Network: includes the functions involved in transforming from physical to cyber and vice versa. Typically sensors, actuators, motors, process-specific automation machinery and field instrumentation devices

SAFETY ZONE
- Safety-specific systems engineered for specific protective functions. Typically items at Lev0 and Lev1 with a dedicated purpose for safety control functions, such as acoustic monitoring, liquid chemistry monitoring, vibration monitoring, emission monitoring, personnel protection
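The "firewall disjoint rules" principle above (two successive hops must not both allow the same protocol/port, except for AV updates, security patches and historian replication) can be checked mechanically from exported rule tables. The following is an added example written for this page, not code from the deck or from any firewall vendor; it assumes a simplified rule model (protocol, destination port, service label) and the two constructed rulesets shown, and treats a wildcard port as overlapping everything on that protocol.

```python
"""Lint two successive firewall hops for the deck's "disjoint rules" principle.

Added example, not part of the original deck or of any vendor product. It
assumes a simplified rule model: each hop carries a list of ALLOW rules
(protocol, destination port, service label). A service that both the outer
hop (L4 -> L3.5/L3) and the inner hop (L3 -> L2) allow is a violation unless
both sides label it as one of the deck's exceptions (AV updates, security
patches, historian replication). All rules and ports below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services the deck permits to traverse both hops.
EXCEPTIONS = {"av-update", "security-patch", "historian"}


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # None means "any port" (an "allow any" rule)
    service: str          # label that names why the rule exists


def overlaps(a: Rule, b: Rule) -> bool:
    """True if one flow could match both rules (same protocol, same or wildcard port)."""
    return a.proto == b.proto and (a.port is None or b.port is None or a.port == b.port)


def find_violations(outer: List[Rule], inner: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Return (outer_rule, inner_rule) pairs that let one protocol/port pass both
    hops without being an approved exception on both sides."""
    violations = []
    for o in outer:
        for i in inner:
            if overlaps(o, i) and not (o.service in EXCEPTIONS and i.service in EXCEPTIONS):
                violations.append((o, i))
    return violations


def describe(violations: List[Tuple[Rule, Rule]]) -> List[str]:
    """Human-readable findings, one line per violating pair."""
    def port(r: Rule) -> str:
        return "any" if r.port is None else str(r.port)
    return [f"{o.proto}/{port(o)} ({o.service}) passes the outer hop and "
            f"{i.proto}/{port(i)} ({i.service}) passes the inner hop: not disjoint"
            for o, i in violations]


# Constructed rulesets for the two hops.
OUTER_HOP = [  # business side (L4) -> DMZ (L3.5)
    Rule("tcp", 443, "web-proxy"),
    Rule("tcp", 3389, "rdp-jump-host"),
    Rule("tcp", 8443, "av-update"),
    Rule("tcp", 445, "security-patch"),
    Rule("tcp", 5450, "historian"),
    Rule("udp", 123, "ntp"),
]
INNER_HOP = [  # DMZ/ops (L3) -> supervisory control (L2)
    Rule("tcp", 3389, "rdp-to-hmi"),   # same port allowed on both hops: violation
    Rule("tcp", 8443, "av-update"),    # approved exception on both sides
    Rule("tcp", 445, "security-patch"),
    Rule("tcp", 5450, "historian"),
    Rule("udp", None, "any-udp"),      # wildcard swallows the outer NTP rule: violation
]

if __name__ == "__main__":
    for line in describe(find_violations(OUTER_HOP, INNER_HOP)):
        print(line)
```

The check is deliberately pessimistic: an "allow any" rule on the inner hop is reported against every outer rule of the same protocol, which is exactly the case a reviewer wants surfaced before a change window.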
Page 20: Introduction to Industrial Control Systems Cybersecurity


ARCHITECTURE AND COMPONENTS – Case Study

Page 21: Introduction to Industrial Control Systems Cybersecurity


ARCHITECTURE AND COMPONENTS – Case Study

Case study diagram (levels Lev0 to Lev5; figure not recoverable from the slide)

Presenter
Remarks: (OK) Logical separation based on functionality. (OK) IDS placement: such that it always sees the true source IP address (before the FW or GW).
Page 22: Introduction to Industrial Control Systems Cybersecurity


ARCHITECTURE AND COMPONENTS – Case Study

Presenter
Data flow
Page 23: Introduction to Industrial Control Systems Cybersecurity

OVERVIEW OF APPLICABLE STANDARDS

Page 24: Introduction to Industrial Control Systems Cybersecurity


OVERVIEW OF APPLICABLE STANDARDS - Energy sector

• CIP Rev. 5 (2014): Generators, Distributors, Transmission Operators. Applies to: Large N. America Power Gen
• NEI 08-09 Rev. 6: Cyber Security Plan for Nuclear Reactors, North American nuclear plants. Applies to: Nuclear
• International Instrument Users’ Assoc., WIB 2.0: Requirements for Vendors. Applies to: Int’l Oil Companies & Euro Power Gen
• ISA-99 / IEC 62443-4-1, -4-2, -2-4: Asset owners, System Integrators, Automation component suppliers. Applies to: Int’l Oil Companies & Global Power Gen
• 800-53: Guide for assessing the security controls in Federal Information Systems

Regardless of industry vertical, geo zone and application, all refer to the same originating one

Presenter
Increasing number of cyber requirements in procurement language.
Page 25: Introduction to Industrial Control Systems Cybersecurity


OVERVIEW OF APPLICABLE STANDARDS - Terminology

Standards
• Recommendations - use is voluntary
• Available to the public - approved by a recognised standardisation body
• Provide rules, guidelines or characteristics for activities or results
• Example: QWERTY keyboard / ISA99

Regulations
• Legislation - use is mandatory
• Available to the public - developed by a designated authority
• Specify product, process or service characteristics
• Enforced by authority. Penalties.
• Example: power plugs / NERC CIP

The most important goals of industry standardization are:
• Setting a minimum acceptable level of quality for a given scope of a standard
• Enabling technical interoperability of products from different vendors

A standard, given widespread use, may become practically mandatory. Also, while it is voluntary, organizations that do not adopt them may face negligence, shareholder or breach-of-contract lawsuits if they suffer a breach -> $$$

Page 26: Introduction to Industrial Control Systems Cybersecurity

OVERVIEW OF APPLICABLE STANDARDS – NERC CIP (cont’d)

NERC Cybersecurity

CIP-002 Critical Asset Identification
  1. Critical Asset Identification Method
  2. Critical Asset Identification
  3. Critical Cyber Asset Identification
  4. Annual Approval

CIP-003 Security Management Controls
  1. Cyber Security Policy
  2. Leadership
  3. Exceptions
  4. Information Protection
  5. Access Controls
  6. Change Control and Configuration Mgmt

CIP-004 Personnel & Training
  1. Awareness
  2. Training
  3. Personnel Risk Assessment
  4. Access

CIP-005 Electronic Security Perimeter(s)
  1. Electronic Security Perimeter
  2. Electronic Access Controls
  3. Monitoring Electronic Access
  4. Cyber Vulnerability Assessment
  5. Documentation Review and Maintenance

CIP-006 Physical Security of CCA
  1. Physical Security Plan
  2. Physical Access Controls
  3. Monitoring Physical Access
  4. Logging Physical Access
  5. Access Log Retention
  6. Maintenance and Testing

CIP-007 Systems Security Management
  1. Test Procedures
  2. Ports and Services
  3. Security Patch Mgmt
  4. Malware Protection
  5. Account Mgmt
  6. Security Status Monitoring
  7. Disposal or Redeployment
  8. Cyber Vuln. Assessment
  9. Doc Review and Mainten.

CIP-008 Incident Reporting and Response Planning
  1. Cyber Security Incident Response Plan
  2. Cyber Security Incident Documentation

CIP-009 Recovery Plans for CCA
  1. Recovery Plans
  2. Exercises
  3. Change Control
  4. Backup and Restore
  5. Testing Backup Media

Page 27: Introduction to Industrial Control Systems Cybersecurity


OVERVIEW OF APPLICABLE STANDARDS – ISA99/IEC62443

Page 28: Introduction to Industrial Control Systems Cybersecurity


OVERVIEW OF APPLICABLE STANDARDS – Certifications

Compliance towards standards has created several industrial automation certification schemes, e.g.:

• Achilles (ACC, APC, Lev 1, Lev 2...)
• ISASecure (EDSA, SDSA...)
• Exida
• Etc.

They may test product properties or process capabilities (from design to commissioning to maintenance). Some focus more on risk assessment, some on product/process assessment, some on lifecycle.

Limitations:
o Buyer not involved in the certification process, which may lead to a lack of transparency
o May generate a false sense of security (no source authentication for basic levels, no control system protocol fuzzing, relaxed SDL if the environment is «secure», etc.)

Page 29: Introduction to Industrial Control Systems Cybersecurity

COUNTERMEASURES

Presenter
Source: 2012 Patient Safety Summit, TX. An example was given that included 17 distinct errors, none of which on their own would have caused the mistake to occur. When the holes line up, mistakes are more likely to happen. Checklists to ensure all precautions are followed, multidisciplinary teams, and many others. By making small changes, the holes can be shrunk to prevent alignment as long as everyone takes responsibility for their part.
Page 30: Introduction to Industrial Control Systems Cybersecurity

COUNTERMEASURES – Defense in Depth

Defense-in-Depth Strategy supports critical controls and related networks, which in turn can be applied to support compliance towards cyber security regulations & standards

Source: Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies, DHS, October 2009.

Presenter
Controller (physical layer): APT defenses with
- controller whitelisting
- 2FA
- encrypted access
Host layer:
- Secure supply chain
- OS hardening
- OS patching, HIDS & AV
- Secure programming
Network layer:
- DMZ
- updated NIDS/switches
- centralized RBAC
- QoS
- SIEM
Operational (policy & procedure) layer:
- compliance
- listing of all ports/services
- 24/7 support
- training
- physical access controls
Page 31: Introduction to Industrial Control Systems Cybersecurity


COUNTERMEASURES – To patch or not to patch

#1 - SCADA products are designed for safety, reliability, efficiency and ease of use. Not for security. Until Stuxnet.
#2 - Researchers, hackers etc. shifted from the IT environment, where multiple patching is extensively used to address vulnerabilities.
#3 - Research shows that high-quality SW has 0.03 vulnerabilities (not defects, which are 100x) per KLOC. Low-quality SW has 0.5 vuln./KLOC. Example: WinXP has 40 MLOC and displayed 1100+ vuln -> 0.027 ratio -> good.
#4 - ICS/SCADA firmware has 1000-5000 KLOC -> 30-50 vuln. ICS SW on the control network has ~60 MLOC -> 1800+ vuln.
#5 - 15-25% of patches impact users (hangs/functionalities etc.) -> need validation.
#6 - Not all vendors release patches (50% of vuln have patches available).
#7 - ICS users download 10% of released patches.

CONTINUOUS PATCHING is DIFFICULT

Page 32: Introduction to Industrial Control Systems Cybersecurity


COUNTERMEASURES – Compensating Controls

A workaround that does not correct the underlying vulnerability but helps block known attack vectors before you apply the update. Compensating controls are a means to delay patching (to the first scheduled maintenance shutdown). Examples:
✓ Product reconfiguration (e.g. port disabling etc.)
✓ Use of industrial firewalls to filter specific traffic (e.g. allow OPC, deny any any)
✓ Firewall configuration to deny specific actions within defined protocols (e.g. no RW)
✓ SW-enforced outbound data flow
✓ HW-enforced unidirectional data flow (data diodes)

Must be simple (plug in and walk away) and upgradable. Must not impact operations.

NEED COMBINED APPROACH: Prioritized Patching List + Compensating controls

Presenter
Prioritized Patching List (Risk assessment based)
Page 33: Introduction to Industrial Control Systems Cybersecurity


COUNTERMEASURES – (In)Secure by Design

• Vulnerabilities are many and easy to find in ICS
• Often they are not even necessary: device or protocol features (protocols that do not provide integrity, access control, or authentication) already ARE attack vectors
• Pass the buck:
  • Asset owners blame vendors for lack of features or strict reqs
  • Vendors blame lack of demand from asset owners
• There is no way to stop sophisticated attackers from getting in

Presenter
The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost. The most important elements of an SDL:
- Threat Modeling: applying a structured approach to threat scenarios during design helps a team more effectively and less expensively identify security vulnerabilities, determine the risks from those threats, and establish appropriate mitigations
- Secure coding standards
- Fuzzing: inducing program failure by deliberately introducing malformed or random data into an application helps reveal potential security issues prior to release while requiring a modest resource investment.
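Two of the preceding points can be shown on one small piece of code: the compensating control "firewall configuration to deny specific actions within defined protocols (e.g. no RW)" from the previous slide, and the SDL element "fuzzing" from this one. The block below is an added example written for this page, not code from the deck or from any firewall vendor. The deck names OPC as its protocol example; this block assumes Modbus/TCP instead (its header is short and public) and a read-only policy that lets read function codes through to the control zone and denies writes. The frames, the function-code sets and the fuzz harness are all constructed here.

```python
"""Read-only Modbus/TCP filter for an industrial firewall, plus a fuzz harness.

Added example, not from the deck or any firewall vendor. The deck names OPC
and "no RW" as examples; this block assumes Modbus/TCP instead and a policy
that passes read function codes into the control zone and drops writes.
All frames below are constructed.
"""
import random
import struct

READ_FUNCTIONS = {1, 2, 3, 4}               # read coils, discrete inputs, holding regs, input regs
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}    # write single/multiple, mask write, read/write multiple


class BadFrame(ValueError):
    """Raised when the MBAP header is inconsistent with the bytes received."""


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the function code; reject malformed frames."""
    if len(frame) < 8:
        raise BadFrame("frame shorter than MBAP header + function code")
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if pid != 0:
        raise BadFrame(f"protocol id {pid} is not Modbus (0)")
    if length != len(frame) - 6:           # length field counts unit id + PDU
        raise BadFrame(f"length field {length} does not match payload {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "function": fc, "data": frame[8:]}


def decide(frame: bytes) -> str:
    """Firewall verdict for one request heading into the control zone."""
    try:
        pdu = parse_mbap(frame)
    except BadFrame as exc:
        return f"DROP malformed: {exc}"
    fc = pdu["function"]
    if fc in READ_FUNCTIONS:
        return "ALLOW"
    if fc in WRITE_FUNCTIONS:
        return f"DENY write (function {fc})"
    return f"DENY unknown function {fc}"     # default deny for everything else


def build(fc: int, payload: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Assemble a well-formed Modbus/TCP request (used for samples and as fuzz seeds)."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(payload), unit, fc) + payload


# Constructed sample requests.
READ_HOLDING = build(3, struct.pack(">HH", 0, 10))       # read 10 holding registers from 0
WRITE_SINGLE = build(6, struct.pack(">HH", 0, 0xBEEF))   # write one register
TRUNCATED = READ_HOLDING[:5]                              # cut in the middle of the header


def fuzz(iterations: int = 5000, seed: int = 7) -> str:
    """SDL-style robustness check: mutate seed frames and make sure decide()
    never raises. Any exception here is a parser bug to fix before release."""
    rng = random.Random(seed)
    for _ in range(iterations):
        fc = rng.randrange(256)
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 24)))
        frame = bytearray(build(fc, payload))
        for _ in range(rng.randrange(0, 4)):            # flip a few bytes
            frame[rng.randrange(len(frame))] = rng.randrange(256)
        if rng.random() < 0.3:                           # sometimes truncate, then pad
            frame = frame[:rng.randrange(len(frame) + 1)] + bytes(rng.randrange(0, 4))
        try:
            decide(bytes(frame))
        except Exception as exc:  # the harness wants to see every kind of crash
            return f"CRASH {type(exc).__name__}: {exc} on {bytes(frame).hex()}"
    return "no crashes"


if __name__ == "__main__":
    for name, f in [("read", READ_HOLDING), ("write", WRITE_SINGLE), ("truncated", TRUNCATED)]:
        print(f"{name:10s} -> {decide(f)}")
    print(fuzz())
```

Unknown function codes fall into the default-deny branch rather than being passed, which is the posture the deck's "deny any any" example implies; the fuzz loop is the kind of pre-release check the certification limitation "no control system protocol fuzzing" on the earlier slide is complaining about.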
Page 34: Introduction to Industrial Control Systems Cybersecurity


COUNTERMEASURES – Ok, what can I do ?

✓ Do not panic: the risk is there, it needs to be managed
✓ Treat Security like a Technical and Operational risk
✓ Most problem sources are tied to a lack of cyber conditions control
✓ Defense-in-depth & Detect-in-depth approach
✓ Least Privilege
✓ Start simple (AV, USB, Passwd/Roles, Patch, Unused ports, DMZ, Awareness, etc.)
✓ Design with security in mind (Assumption of Breach):
  - Consider Security requirements as Functional reqs
  - Consider SDL in RFP (e.g. Microsoft, ISA Secure etc.) and in FAT
✓ Security testing (Scans, Input verification, Fuzzing etc.)
✓ Process whitelisting
✓ Encrypt external communication ALWAYS
✓ Incident Response team

Page 35: Introduction to Industrial Control Systems Cybersecurity

HORIZON

A print-out of this Procedure is a non-controlled copy

Page 36: Introduction to Industrial Control Systems Cybersecurity


HORIZON

• Cloud security enters its teenage years
  - Data will be safer but failures will have higher impacts
  - Searching through encrypted data remains a problem
  - Not only data: exploit clouds for quick-to-create botnets
• Cross-platform malware, leveraging novel smartphone features/sensors
• Healthcare security
  - As data goes online, risks are greater
  - Securing doctors' offices is problematic
• Leverage Social Networks
  - Facebook is not your friend. LinkedIn and Twitter neither
• Internet of Things
  - 50-500 billion «things» connected to the Internet
  - No traditional input/feedback channel (keyboard/screen)
  - Internet of Malware (botnets)

Presenter
The bottom line: it is practically impossible to control what use will be made of the data you have made available.
Page 37: Introduction to Industrial Control Systems Cybersecurity


Bibliography & Resources

Resources
• SANS ICS homepage: www.sans.org
• DHS ICS-CERT: ics-cert.us-cert.gov
• NERC CIP standards: www.nerc.com/pa/Stand/pages/ReliabilityStandards.aspx
• ISA99: isa99.isa.org/ISA99%20Wiki/Home.aspx
• NIST SP 800-82: csrc.nist.gov/publications/800-82/SP800-82-final.pdf
• Microsoft SDL: http://www.microsoft.com/security/sdl/default.aspx

Bibliography
• Miller B., Dale C. - 2012 - A Survey of SCADA and Critical Infrastructure Incidents
• BSI-CS 035, 2012 - Recommendation for Industrial System Security
• Byres, E. - 2013 - Solving the SCADA/ICS Security Patch problem
• GeorgiaTech - Emerging cyber threats report 2013
• NSS Labs - Vulnerability Threat report 2013

Page 38: Introduction to Industrial Control Systems Cybersecurity

QUESTIONS ?
