Practical SCADA Cyber Security Lifecycle Steps
Jim McGlone
CMO, Kenexis
2016 ISA WWAC Symposium
Aug 2-4, 2016 – Orlando, Florida, USA
Bio
• Jim McGlone,
• CMO, Kenexis
• GICSP
• ISA Safety & Security Division
Director
• Tridium (Honeywell)
• Rockwell Automation
• US Navy Submarine Nuclear
Reactor Operator
Introduction
• Slight changes to process lifecycle to incorporate cybersecurity
– Improve the ICS ability to withstand a cyber security problem
– Improve overall network performance and reliability
– Specific attention will be paid to Factory Acceptance Testing (FAT) portion of the
lifecycle, recognizing the challenges of connecting new equipment into an
existing process
Hackers
Who Owns The Problem
• Few publicized ICS incidents, news is about money
– We process… at my facility, it is not critical infrastructure, and the IT department
is protecting the perimeter anyway.
– Meanwhile, HMI station in your facility cannot get the data to refresh on one of
the processes in the plant, you are not sure why, but you cannot let IT just scan
your network to look for the problem
EXXONMOBIL 2014 CORPORATE CITIZEN REPORT
On average, our cybersecurity screening programs block more
than 70 million emails, 140 million Internet access attempts and
150,000 other potentially malicious actions each month.
Embedded Microprocessors
Built to Run a Very Long Time
• ICS were built to run a
process in an isolated
environment
– Built to run for many years
very reliably
– Often running from
commissioning until
decommissioning without
a code change or reboot
– Now we connected them
– Even directly to the
Internet
SHODAN, HTTPS://WWW.SHODAN.IO
Embedded Microprocessors
Everywhere
• Embedded microprocessors can
be found on virtually every asset
– Even simple auxiliary systems have
a PLC because it is easier than
using relays
– Vendor wants to monitor it as a
service to keep it running well
– HVAC industry is monitoring units
over the Internet for efficiency,
maintenance, and energy programs
– These programs add great value,
but they also increase the threat
vector for the bad guys
PURDUE REFERENCE MODEL FOR CONTROL
HIERARCHY
Who has access to your ICS systems?
ICS Protocols
• Industrial protocols are different from the IT focused
protocols
– Developed to run originally on serial connections direct from
a 9-pin D shell on the programming terminal and later a
computer connected directly to the device
– Developed long before you had a web-browser
– ICS protocols are proprietary by design to support inter-
process communications
– Now they are layered on Ethernet
– Communication standard is published on the Internet
– Commonly lack authentication or integrity checking and are
vulnerable
The Problem
• Skid-based process arrives from a trusted vendor
– It was checked out and connected into the network
– Skid checked out clean, but the vendor’s laptop had malware on it
– Laptop was connected to the controller for final setup
– Ransomware broadcast itself onto most of the machines in manufacturing and
the business network before IT caught it
• Unfortunately, this is a common problem
– Similar to the Target breach, the Iranian centrifuge Stuxnet attack, and at least
one nuclear power plant
– Easy to accidentally let bad stuff in
– Fastest way inside your company is by dropping an expensive new looking USB
memory stick in the employee parking lot
– It is easy to overlook connecting a piece of industrial equipment to the network on the
factory floor
ICS Cybersecurity Lifecycle
• Cyber lifecycle should line up logically and support the organization
until the process is shut down and decommissioned
• These are all projects that have finite budgets with start and stop
time limits
ICS Cybersecurity Lifecycle
Policy
• Step One
– Establishes Requirements &
Responsibility, and
Governance
– Dictates that the vendor’s laptop
and the incoming equipment are
scanned prior to connecting
– Executive Sponsorship
– Facilitate Budgeting
– Drives Training & Awareness
– Solid behaviors so mistakes
are infrequent
– Response to incidents is
planned and appropriate
ICS Cybersecurity Lifecycle
Cyber Design
• Before & During Design
– Cybersecurity design
phase
– Ensure policy is met
– Reducing the risk to the
process from cyber threats
with a properly designed
network
– Design cyber SAT and
FAT
ICS Cybersecurity Lifecycle
Acceptance Testing
• Don’t Plug It In
– SAT should be run on new
equipment, process,
systems or the facility to
ensure you will not
introduce a problem
– An improper connection to
your business network,
an engineering computer,
or remote access could
cause a network
performance problem right
from the beginning
ICS Cybersecurity Lifecycle
Compliance Audit
• Are We Good
– Verify periodically, that staff
are aware of policy and
compliant
– Determining shortcomings
and needed training
– Audits based on regulation
are very different and I am
going to skip it in this
discussion because most
of us do not need to do
them yet
ICS Cybersecurity Lifecycle
Vulnerability Assessment
• Required periodically by
standards, or policy, or some
impetus has inspired you to
get budget and have an expert
evaluate your status
– Documents the security
posture of control systems
– Identifying vulnerabilities that
might result in security
incidents
– Evaluating operational and
change management
processes
– Provides an actionable list of
recommendations for
improving security
ICS Cybersecurity Lifecycle
Vulnerability Assessment
– Vulnerability Assessment
includes:
– Design review
– Data flow analysis
– Traffic analysis
– Procedure and policy review
– Focuses on the devices and
connections that would allow
an attacker to access
– ICS knowledge is critical
– Running IT tools to evaluate
the ICS network can be
hazardous
ICS Cybersecurity Lifecycle
Vulnerability Assessment
– During the walk down
– Observations are noted
– Ethernet communications packet
traffic data is collected at key
switch locations
– Packet traffic is analyzed
extensively for patterns,
signatures, and traffic problems
– Configuration of devices and
systems is evaluated
– Best practices from the industry
– Recommendations from each
equipment manufacturer
– Patch levels and patch
management
– Common misconfigurations
– Default or common user names /
passwords
– Remote access controls
– Segmentation of business and
control system networks will also
be evaluated
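One way to turn the traffic collected at key switch locations into segmentation findings, as an added example that is not part of the original slides. The zone address ranges, the allowed zone pairs, and the flow records are all constructed assumptions.

```python
import ipaddress

# Assumed zone plan (hypothetical addresses, not from the slides).
ZONES = {
    "control":  ipaddress.ip_network("10.10.0.0/16"),
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),
    "business": ipaddress.ip_network("10.30.0.0/16"),
}
# Zone pairs the assumed design permits (initiator zone, responder zone).
ALLOWED = {("control", "control"), ("control", "dmz"), ("dmz", "control"),
           ("business", "dmz"), ("dmz", "business"),
           ("business", "business"), ("business", "external")}

def zone_of(addr):
    """Map an IP address to its zone; anything unlisted is 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def segmentation_findings(flows):
    """Return (src, dst, dport, src_zone, dst_zone) for flows the plan forbids."""
    findings = []
    for src, dst, dport in flows:
        pair = (zone_of(src), zone_of(dst))
        if pair not in ALLOWED:
            findings.append((src, dst, dport) + pair)
    return findings

# Constructed sample flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502),     # HMI to controller, inside control zone
    ("10.10.1.20", "10.20.0.8", 443),     # control zone to DMZ server
    ("10.30.4.17", "10.10.1.20", 502),    # business PC straight to a controller
    ("10.10.1.5", "203.0.113.50", 443),   # control host to an external site
    ("10.30.4.17", "198.51.100.7", 443),  # business PC to the Internet
]

if __name__ == "__main__":
    for finding in segmentation_findings(SAMPLE_FLOWS):
        print("VIOLATION %s -> %s:%d (%s -> %s)" % finding)
```

The flow tuples can come from passively captured traffic, so nothing is sent onto the control network to produce the findings.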
ICS Cybersecurity Lifecycle
Vulnerability Assessment
– Penetration Testing
– Non-Destructive
– Vulnerability Assessment teams
document what is found, but in a
penetration test we pursue what
we find to see how far we can get
and what your ultimate
vulnerability exposure looks like
– Agreed to prior to performance
– Non-Destructive
ICS Cybersecurity Lifecycle
Incident Response
• You want someone that knows
the path to your door so that
they can get to work as soon
as possible
– Designed the system and kept
it safe all along
– Otherwise, you are starting
from zero and probably do not
have time to properly evaluate
all options
– You need to know if the expert
team in incident response are
going to build a forensic case
for you or are you hiring them
to just kill the bad stuff and
remove it from your networks
The Solution
• Earlier, a skid-based process arrived from a trusted
vendor
– It was checked out according to policy and the acceptance test
agreed on including an anti-virus / anti-malware scan, and a
cybersecurity check for versions, default passwords, and all
configurations prior to connecting it into the network
– When the vendor arrived with a laptop, the IT team assigned the
vendor a remote access connection into the corporate VPN and
a remote desktop connection on one of their verified computer
stations, preventing the malware from propagating onto your
networks and allowing the vendor to finish
• It might seem like a little extra work and thought, but it
will be far less expensive and stressful than dealing with
what can happen if you don’t make the effort
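The acceptance checks named above (anti-malware scan, versions, default passwords, configurations) written as a connect/hold gate, as an added example that is not part of the original slides. The policy values, record fields, and sample assets are constructed assumptions.

```python
from datetime import date

# Assumed policy values (hypothetical; take real ones from your own policy).
POLICY = {
    "max_scan_age_days": 1,
    "min_firmware": (2, 4, 0),
    "default_credentials": {("admin", "admin"), ("admin", ""), ("user", "user")},
}

def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def acceptance_findings(asset, today, policy=POLICY):
    """Return reasons the asset may not be connected; an empty list means pass."""
    findings = []
    scan = asset.get("malware_scan")
    if not scan or not scan["clean"]:
        findings.append("no clean anti-malware scan on record")
    elif (today - scan["date"]).days > policy["max_scan_age_days"]:
        findings.append("anti-malware scan is stale")
    if "firmware" in asset and parse_version(asset["firmware"]) < policy["min_firmware"]:
        findings.append("firmware %s is below the approved minimum" % asset["firmware"])
    # working_logins: credential pairs the device accepted during the check.
    for user, password in asset.get("working_logins", []):
        if (user, password) in policy["default_credentials"]:
            findings.append("default password accepted for '%s'" % user)
    if asset.get("config_hash") != asset.get("approved_config_hash"):
        findings.append("configuration differs from the approved baseline")
    return findings

# Constructed sample records for the skid controller and the vendor laptop.
TODAY = date(2016, 8, 2)
SKID = {"name": "skid-plc", "firmware": "2.3.1",
        "malware_scan": {"clean": True, "date": date(2016, 8, 1)},
        "working_logins": [("admin", "admin")],
        "config_hash": "c0ffee", "approved_config_hash": "c0ffee"}
VENDOR_LAPTOP = {"name": "vendor-laptop",
                 "malware_scan": {"clean": False, "date": date(2016, 8, 2)}}

if __name__ == "__main__":
    for asset in (SKID, VENDOR_LAPTOP):
        problems = acceptance_findings(asset, TODAY)
        print(asset["name"], "PASS" if not problems else "HOLD: " + "; ".join(problems))
```

A laptop that is held stays off the network, and the vendor finishes over the remote desktop session on a verified station as the slide describes.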
Conclusion
• Process Lifecycle is ongoing, cybersecurity is too
• Projects kick off based on impetus
• Impetus varies based on lifecycle and events
– Stale or missing data in an HMI screen or historian
– Incident, IT catches message traffic to unknown external site
– Policy violation, incorrect remote access
– New process equipment, refurbished
Thank you
• Jim McGlone
– Columbus, Ohio USA
– www.Kenexis.com
– +1-614-975-6783
• Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS, 1st Edition, by Tyson Macaulay and Bryan L. Singer
• Industrial Automation and Control System Security Principles, by Ronald L. Krutz, Ph.D., P.E.