ICS Security Vulnerabilities: Stay One Step Ahead
We help our clients improve the safety, security and availability of their automation systems
Copyright © 2010 - exida

John A. Cusimano, CFSE, CISSP
• Director of Security Solutions for exida
• 20+ years experience in industrial automation
• Employment History:
– Eastman Kodak
– Moore Products
– Siemens
• Certifications:
– CFSE, Certified Functional Safety Expert
– CISSP, Certified Information Systems Security Professional
• Industry Associations:
– ISA S99 Committee (WG4, WG5, WG7, WG8)
– ISA S84 Committee (WG9)
– ISA Security Compliance Institute
– ICSJWG Workforce Development & Vendor Subgroups
Agenda
• Situation
• Recommended Strategy for Suppliers
• Recommended Strategy for End Users
Situation
• ICS products have rapidly evolved to incorporate COTS technology
• Security was not a big concern in the ICS environment until recently
• Most ICS vendors do not follow a mature security development lifecycle
• The security researcher community has suddenly become aware of the ICS market
• They are having success at finding and publishing vulnerabilities
Stuxnet Response
“Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”
Mark Weatherford, Vice President and Chief Security Officer, NERC

Software related SCADA incidents
• Software Vendor Patch Crashes SCADA System
• Computer Glitch Causes Major Power Outage
• Faulty Software Causes Torrens Lake Drain
• SCADA System Collapse Leads to Tunnel Closure
• Computer Software Faults May Have Caused Chinook Helicopter Crash
• Gas Leak Caused by Computer Malfunction
Incidents from the Repository of Industrial Security Incidents (RISI) database (www.securityincidents.org)
Luigi Auriemma
• March 21, 2011
• Independent security researcher Luigi Auriemma published 34 zero-day vulnerabilities affecting 4 different SCADA/HMI products:
– Iconics Genesis32 v9.21 and Genesis64 v10.51 (13)
– Siemens Tecnomatix FactoryLink v8.0.1.1473 (6)
– DATAC RealWin 2.1 build 6.1.10.10 (7)
– 7-Technologies IGSS v9.00.00.11059 (8)
• Included code and commands to exploit the vulnerabilities
• Vulnerabilities include stack and heap overflows, integer overflows, arbitrary command execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems, etc.
Gleg Ltd. SCADA+ Pack
• Moscow-based security firm Gleg Ltd. recently began selling an exploit pack called SCADA+ Pack
• Includes both previously known and zero-day SCADA vulnerabilities
– Atvise SCADA (zero-day)
– Control Microsystems ClearScada (zero-day)
– DataRate SCADA WebControl and RuntimeHost (zero-day)
– Indusoft SCADA Webstudio (zero-day)
– ITS SCADA
– Automated Solutions Modbus/TCP OPC Server
– BACnet OPC client
– Advantech Studio Web server
– Iconics Genesis
Rubén Santamarta
• April 4, 2011
• Independent security researcher Rubén Santamarta identified an RPC vulnerability in Advantech/BroadWin WebAccess, a web browser-based HMI product
• The vulnerability affects the WebAccess Network Service on 4592/TCP and allows remote code execution
• Rubén reported to ICS-CERT and publicly released details of the vulnerability including exploit code and instructions on how to use it
Others
• Joel Langill of SCADAhacker.com has responsibly disclosed several zero-day vulnerabilities with exploits to ICS-CERT and the affected vendors
• Steve James of exploited security recently notified ICS-CERT of a vulnerability in AGG OPC SCADAViewer
Dillon Beresford
• May 9, 2011
• Security researcher Dillon Beresford of NSS Labs reported several security vulnerabilities in the Siemens S7 PLC to ICS-CERT and Siemens, including proof-of-concept exploit code
• On May 18th he was asked to cancel his scheduled demonstration at the TakeDownCon security conference
• He later presented his findings at Austin Hackers Anonymous on May 26th
• Beresford claims to be able to produce a Linux shell on the PLC and have root-level access to the OS
Exploit Hub
• Marketplace for validated, non-zero-day exploits
• iPhone App-Store style marketplace for security researchers to sell their exploits
Recommended Strategy for Suppliers

Recommended Strategy for Automation Suppliers
• Integrate security into the development lifecycle (SDL)
• Evaluate existing products
• Specific testing for security vulnerabilities
• 3rd party evaluation
• Be prepared to respond to a disclosure
Incorporating Security into the Software Development Lifecycle
[Figure: lifecycle phases with the security activity attached to each]
• Security Training
• Security Requirements
• Security Architecture Design – Security Risk Assessment and Threat Modeling
• Security Coding – Coding Guidelines; Security Code Reviews & Static Analysis
• Security Testing – Fuzz testing, Abuse case testing
• Security Validation Testing
• Security Response Planning and Execution
Guidance
• Microsoft - The Security Development Lifecycle [1]
• DACS - Enhancing the Development Life Cycle to Produce Secure Software [2]
• DHS – “Build Security In” [3]
• ISASecure – Software Development Security Assessment (SDSA) specification [4]
1. Howard, Michael, and Steve Lipner. The Security Development Lifecycle: SDL, a Process for Developing Demonstrably More Secure Software. Redmond, WA: Microsoft, 2006. Print.
2. Goertzel, Karen, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.
3. https://buildsecurityin.us-cert.gov/bsi/home.html
4. www.isasecure.org ESDA-312 Software Development Security Assessment (v1_4) (SDSA)
Threat Modeling
• Identify critical assets and interfaces
• Create an architecture overview
• Identify trust boundaries
• Identify and rate threats
• Identify vulnerabilities
• Identify existing mitigations
• Quantify residual risk
Security Integration Testing
• Fuzz testing – Software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions.
• White box testing for security (abuse case)
– Based on knowledge of how the system is implemented
– Comprehend and analyze security
– Create tests to exploit software
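The fuzz-testing technique described above, as an added example that is not code from the talk or from any vendor: a constructed parser for a Modbus/TCP-style length-prefixed frame carries a deliberate unchecked register-count defect, and a small mutation fuzzer feeds it mutated seed frames and records every exception other than the parser's own clean rejection (ValueError). The frame layout, function codes and seed frames are all constructed for this example.

```python
import random
import struct

# Constructed fuzz target (not code from the talk or any vendor): a parser for a
# length-prefixed frame loosely modelled on a Modbus/TCP-style header: transaction
# id (2), length (2), unit id (1), function code (1), payload. Deliberate defect of
# the kind fuzzing finds: for func 0x10 the register count is trusted unchecked.
def parse_frame(data):
    if len(data) < 6:
        raise ValueError("frame too short")            # intended clean rejection
    tid, length, unit, func = struct.unpack(">HHBB", data[:6])
    payload = data[6:]
    if length != len(payload) + 2:
        raise ValueError("length field mismatch")      # intended clean rejection
    if func == 0x10:
        addr, count = struct.unpack(">HH", payload[:4])           # no size check
        regs = struct.unpack(">%dH" % count, payload[4:4 + 2 * count])
        return {"tid": tid, "unit": unit, "func": func, "addr": addr, "regs": regs}
    return {"tid": tid, "unit": unit, "func": func, "payload": payload}
def mutate(frame, rng):
    # one random mutation, then repair the length field so the mutated frame
    # passes the shallow check and the mutation reaches the deeper parsing logic
    buf = bytearray(frame)
    choice = rng.randrange(4)
    if choice == 0:                                    # flip one random bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1:                                  # boundary-value overwrite
        buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
    elif choice == 2 and len(buf) > 6:                 # truncate the payload
        del buf[rng.randrange(6, len(buf)):]
    else:                                              # append random bytes
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    struct.pack_into(">H", buf, 2, len(buf) - 4)
    return bytes(buf)
def fuzz(seeds, iterations=2000, seed=1):
    # {exception class: first frame that raised it}; ValueError is the intended rejection
    rng = random.Random(seed)
    findings = {}
    for _ in range(iterations):
        frame = mutate(rng.choice(seeds), rng)
        try:
            parse_frame(frame)
        except ValueError:
            continue
        except Exception as exc:
            findings.setdefault(type(exc), frame)
    return findings
# Constructed seeds: a valid read request (func 3) and a valid single-register write
SEEDS = [bytes.fromhex("0001000601030000000a"), bytes.fromhex("000200080110000000010001")]
```

Replaying a saved frame from the findings dict reproduces the defect deterministically, which is what a bug report to the development team needs.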
Response Planning
• Acknowledge the issue
• Be open and forthright
• Analyze the risk
• Develop a mitigation plan
• Responsibly notify customers
Recommended Strategy for End-Users

THE 7 THINGS
1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITOR & MAINTAIN
ASSESS EXISTING SYSTEMS
• Perform control system security assessments of existing systems
• Identify critical control system assets
• Compare current control system design, architecture, policies and practices to standards & best practices
• Identify risks, gaps and provide recommendations for closure
• Benefits:
– Provides management with solid understanding of current situation, gaps and path forward
– Helps identify and prioritize investments
– First step in developing a security management program
POLICY & PROCEDURE
• Establish control system security policies & procedures
– Scope
– Management Support
– Roles & Responsibilities
– Specific Policies
• Remote access
• Portable media
• Patch mgmt
• Anti-virus management
• Change Management
• Backup & Restore
• Incident Response
– References: ANSI/ISA S99.02.01-2009, Establishing an IACS Security Program
AWARENESS & TRAINING
• Make sure personnel are aware of the importance of security and company policies
• Provide role-based training
– Visitors
– Contractors
– New hires
– Operations
– Maintenance
– Engineering
– Management
NETWORK SEGMENTATION
• Defense-in-Depth strategy
• Partition the system into distinct security zones
– Logical grouping of assets sharing common security requirements
– There can be zones within zones, or subzones, that provide layered security
– Zones can be defined physically and/or logically
• Define security objectives and strategy for each zone
– Physical
– Logical
• Create secure conduits for zone-to-zone communications
– Install boundary or edge devices where communications enter or leave a zone to provide monitoring and control capability over which data flows are permitted or denied between particular zones.
ACCESS CONTROL
• Control and monitor access to control system resources
• Logical & Physical
• AAA
– Administration
– Authentication
– Authorization
• Review
– Who has access?
– To what resources?
– With what privileges?
– How is it enforced?
• Zone-by-zone
• Asset-by-Asset
• Role-by-Role
• Person-by-Person
SYSTEM HARDENING
• Remove or disable unused communication ports
• Remove unnecessary applications and services
• Apply patches when and where possible
• Consider ‘whitelisting’ tools
• Use ISASecure™ certified products
MONITOR & MAINTAIN
• Install vendor recommended anti-virus and update signatures regularly
• Review system logs periodically
• Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS)
• Pen testing (offline only)
• Periodic assessments
Exida Security Services
Supplier Services
• Certifications
– ISASecure™ EDSA Certification
– Achilles Certified Communications™ Certification
• Gap Analysis
– Software Development Security Assurance Assessment
• Training & Workshops
– Secure Software Development for ICS Products
– Threat Modeling Workshop
– Secure Coding Workshop
– Security Integration Testing
End User Services
• Control System Security Assessments
• Security Policy / Procedure Development
• FAT/SAT Security Assessments
• Training & Workshops