© 2015 Belden Inc. | belden.com | @BeldenInc 1 Industrial Cyber Security: What You Don’t Know MIGHT Hurt You (and others…) September 21, 2016 David Meltzer Chief Research Officer Belden-Tripwire Tony Gore Chief Executive Officer Red Trident Inc. John Powell Critical Infrastructure Engineer


Belden 123 Approach to Cybersecurity



Agenda and Objectives
- Understand what cyber security risks may apply to your environment
- Industrial standards that may apply to your ICS operations environment
- Learn how to automate and simplify the inventory process and secure your assets
- Hear real-world tips on how to prioritize and work across functional silos within your company
- Suggestions and resources for future progress
- Receive an industrial cyber security self-assessment checklist as a starting point

You can't protect or secure what you don't know you have.

(Therefore, at-risk industrial assets can put employee or public safety at risk.)


ICS Risks - SANS 2016 State of ICS Survey Report
- Top attack concern: external actors / outsiders
- Top target concern: commercial operating systems (Windows, Linux) and key assets: HMIs, historians, operations engineering workstations, control systems, asset management systems, etc.


Risks - ICS Vulnerabilities from 2000 to Q1 2016
- ICS vulnerability disclosures by year: 1,552 disclosures in total, 90% of them from 2011 through April 2016
- 123 vendors have published ICS vulnerabilities
- 33% had no fix or patch available at the time of public disclosure

Source: FireEye iSIGHT Intelligence, 2016 ICS Vulnerability Trend Report


It's Not All About Hackers & Terrorists - Consider the Financial Implications of Disruptions
- Oil pipeline shut down for 6 hours after software was accidentally uploaded to a PLC on the plant network instead of the test network. Net impact: $250K
- 13 auto assembly plants shut down by a simple Internet worm; 50,000 workers stopped work for 1 hour while the malware was removed. Net impact: $14M
- Operators at a major US nuclear power plant forced to scram the reactor after cooling drive controllers crashed due to excessive network traffic. Net impact: $2M


What is an ICS Cyber Threat?

Cyber threat is an important category of industrial risk, typically targeting plant and operations networks, endpoints and control systems.

Who does this?
- Outsiders: control system level breaches grew more than 33% during the 2014 and 2015 fiscal years
- Malicious insiders: 49% believe insider threat is their top concern
- Human error (employees, contractors): 25% of ICS incidents were due to current employees or insiders

Sources: SANS Institute, ICS-CERT, PwC, FireEye


Survey - Cyber Security Skills Self-Assessment
- Skilled: have been working with industrial cyber security topics for some time, possibly hold industry certifications, and/or have designed industrial operations networks and system architectures, policies and procedures for security
- Knowledgeable: familiar with perhaps one or two technologies and some customer issues (typically some details of anti-virus, ID/authentication systems, and sometimes encryption)
- Conversant: knows the terms and generally what they mean, can often ask good questions, but doesn't necessarily have the big picture
- Newbie: "I've heard the term cyber security"

Standards and Best Practices
- National Institute of Standards and Technology (NIST)
- International Society of Automation (ISA)
- International Electrotechnical Commission (IEC)
- International Organization for Standardization (ISO)


NIST Framework

NIST CSF Mapping to ISA/IEC 62443

http://isa99.isa.org


NIST CSF - Risk Assessment
Function: IDENTIFY (ID)
Category: Risk Assessment (ID.RA) - The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

Subcategories and informative references:
ID.RA-1: Asset vulnerabilities are identified and documented
  CCS CSC 4; COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.12.6.1, A.18.2.3; NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
  ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; ISO/IEC 27001:2013 A.6.1.4; NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
ID.RA-3: Threats, both internal and external, are identified and documented
  COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
ID.RA-4: Potential business impacts and likelihoods are identified
  COBIT 5 DSS04.02; ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  COBIT 5 APO12.02; ISO/IEC 27001:2013 A.12.6.1; NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
ID.RA-6: Risk responses are identified and prioritized
  COBIT 5 APO12.05, APO13.02; NIST SP 800-53 Rev. 4 PM-4, PM-9


ISA/IEC 62443-2-1 Requirements
A.2.3.3.6.2 Characterize key IACS
Identifying and prioritizing IACS risks requires that an organization locate and identify key industrial automation and control systems and devices, and the characteristics of these systems that drive risk. Without an inventory of the IACS devices and networks, it is difficult to assess and prioritize where security measures are required and where they will have the most impact.

Example inventory record:
Asset Number | Equipment ID | Functionality           | IP Address   | Zone | Location     | Operating System
EWS101       | EWS_101      | Engineering Workstation | 192.168.1.20 | BPCS | Control Room | Windows 7 Pro SP1


NIST SP 800-82 Requirements
4.5.1 Categorize ICS Systems and Networks Assets
The information security team should define, inventory, and categorize the applications and computer systems within the ICS, as well as the networks within and interfacing to the ICS. The focus should be on systems rather than just devices, and should include PLCs, DCS, SCADA, and instrument-based systems that use a monitoring device such as an HMI. Assets that use a routable protocol or are dial-up accessible should be documented. The team should review and update the ICS asset list annually and after each asset addition or removal.
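The two requirements above come down to one recurring check: compare the asset list you have documented against what is actually on the network and in the rooms, and resolve every discrepancy. The following is an added example, not code from the Belden/Tripwire deck or from Tripwire's products. It reuses the EWS101 inventory record shown on the slide; every other asset, the per-zone address plan and the "observed" list (standing in for a physical walkdown or a passive network discovery) are constructed for illustration.

```python
"""Reconcile a documented ICS asset inventory against what was actually found.

Added example; not Belden/Tripwire code. The first Asset row is the record from
the slide; all other assets, ZONE_SUBNETS and OBSERVED are constructed data.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Asset:
    asset_number: str
    equipment_id: str
    functionality: str
    ip: str
    zone: str
    location: str
    os: str
    last_verified: str  # ISO date of the last walkdown/discovery that confirmed it


# What the asset list says (first row from the slide, the rest constructed).
DOCUMENTED = [
    Asset("EWS101", "EWS_101", "Engineering Workstation", "192.168.1.20", "BPCS", "Control Room", "Windows 7 Pro SP1", "2016-06-01"),
    Asset("HMI101", "HMI_101", "Operator HMI", "192.168.1.30", "BPCS", "Control Room", "Windows 7 Pro SP1", "2016-06-01"),
    Asset("PLC101", "PLC_101", "Reactor PLC", "192.168.1.10", "BPCS", "Rack Room", "Vendor firmware 20.x", "2015-03-15"),
    Asset("OPC001", "OPC_001", "OPC Server", "192.168.1.40", "DMZ", "Server Room", "Windows Server 2008 R2", "2016-06-01"),
    Asset("HIST01", "HIST_01", "Historian", "192.168.2.5", "DMZ", "Server Room", "Windows Server 2008 R2", "2016-06-01"),
]

# Address plan per zone (constructed). An asset whose IP is outside its zone's
# range is either mis-documented or plugged into the wrong network.
ZONE_SUBNETS = {
    "BPCS": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}

# What was actually seen: (ip, label from the walkdown / discovery). Constructed.
OBSERVED = [
    ("192.168.1.20", "EWS_101"),
    ("192.168.1.10", "PLC_101"),
    ("192.168.1.40", "OPC_001"),
    ("192.168.1.77", "unlabelled laptop on switch port 12"),  # not on the asset list
    ("192.168.2.5", "HIST_01"),
    # HMI_101 was not found on the network or in the control room
]


def reconcile(documented, observed, zone_subnets):
    """Return the three kinds of discrepancy a walkdown has to resolve:
    devices found but not documented, documented devices not found, and
    documented devices whose address does not belong to their documented zone."""
    doc_by_ip = {a.ip: a for a in documented}
    obs_by_ip = dict(observed)
    undocumented = sorted(ip for ip in obs_by_ip if ip not in doc_by_ip)
    missing = sorted(a.asset_number for a in documented if a.ip not in obs_by_ip)
    wrong_zone = sorted(
        a.asset_number for a in documented
        if a.zone in zone_subnets and ip_address(a.ip) not in zone_subnets[a.zone]
    )
    return {"undocumented": undocumented, "missing": missing, "wrong_zone": wrong_zone}


def overdue_review(documented, today_iso, max_age_days=365):
    """Assets whose last verification is older than the review interval
    (SP 800-82 asks for at least an annual review of the asset list)."""
    today = date.fromisoformat(today_iso)
    return sorted(
        a.asset_number for a in documented
        if (today - date.fromisoformat(a.last_verified)).days > max_age_days
    )


if __name__ == "__main__":
    for kind, items in reconcile(DOCUMENTED, OBSERVED, ZONE_SUBNETS).items():
        print(f"{kind:12s} {items}")
    print("overdue      ", overdue_review(DOCUMENTED, "2016-09-21"))
```

The three discrepancy classes map directly onto the walkdown guidance: an undocumented device is either removed or added to the inventory, a missing device means the documentation is stale, and a wrong-zone device means either the drawing or the cabling is wrong. The `overdue_review` check is the annual-review requirement made mechanical; in a real inventory the `last_verified` date would be set by whatever discovery or walkdown last confirmed the asset.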


Example System Architecture Diagram
Document assets and identify improper network design.


Partition the System into Zones and Conduits
(Diagram: zones and the conduits between them)


A DPI firewall is one way to segment the safety instrumented system (SIS) into its own zone.

Starting Point - Assessing Current State, Gaps, and What to Do First
- Common starting point is a risk assessment
- Foundation: an inventory of hardware and software assets
- Approaches: manual, hire it out, automation
- How to mitigate the organizational silos


What is an Asset within Industrial Environments?
Hardware, software, firmware, communications, physical (facilities), cyber-physical

Known - above the waterline: 20% are network assets (configuration and topology location can be obtained fairly easily)
Unknown - below the waterline: 80% are proprietary assets (configurations and components such as I/O servers, firmware, etc. are not easily known)


ICS Cyber Security Risk Model (source: ARC Research)

The Process

Cyber Security Life Cycle

Assess phase:
- High-level risk assessment (inventory)
- Allocation of IACS assets to security zones or conduits
- Detailed cyber risk assessment

Develop & Implement phase:
- Cybersecurity countermeasures
- Other means of risk reduction
- Installation, commissioning & validation of countermeasures

Maintain phase:
- Maintenance, monitoring & management of change
- Periodic cybersecurity audits
- Cyber incident response & recovery

Continuous processes:
- Management system: policies, procedures, training & awareness


Beldens 1-2-3 Approach to Industrial Cybersecurity


Common Industrial Attack Vectors Tripwire Can Detect
- Configurations: misconfigurations, weak configurations
- Exploitable vulnerabilities previously unknown
- Unpatched: unpatchable, or no patch exists
- Insecure access: wireless, modems, inappropriately internet-facing industrial protocols
- Unauthorized access: weak or stolen credentials
- Infected files: infected USB, infected ICS logic
- Insecure serial links
- Complex and proprietary multi-vendor environments


No-Touch Visibility into ICS Cyber Security

Monitoring Full Operations Environments for Unauthorized Change and Cyber Threats

Standards-based; integration with FactoryTalk AssetCentre

Part of the Belden Industrial Cyber Security Portfolio
- Vendor-neutral, standards-based
- Industrial network infrastructure, ICS/SCADA and cyber security expertise is our core
- Monitoring for change and threat detection
- Alert notification
- Vulnerability checking
- Log intelligence / SIEM
- Automation and integrations
- Support for heterogeneous industrial environment cyber security

Tofino Xenon Industrial Security Appliance - Field-Level Layer 2 Firewall with Security Enforcers
The Tofino Xenon Industrial Security Appliance delivers advanced cyber security protection for industrial networks, securing critical assets at Layer 2, making it easier to deploy and transparent to the network.
- No IP or network architecture changes needed
- Protects endpoint systems and devices (PLCs, RTUs, IEDs, DCS, HMIs, historians, controller consoles, etc.)
- Easy to deploy with Plug and Protect - no downtime
- Secure zones and conduits (IEC 62443)
- Deep packet inspection for industrial protocols to enforce security policy: DNP3 and IEC 104, Modbus/TCP, OPC, EtherNet/IP, others coming
- Auto-generates firewall rules, and controls access, ingress and egress
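What "deep packet inspection for industrial protocols" buys you on a conduit is policy at the function-code level rather than just on IP and port: an operator HMI can be allowed to poll a PLC while being denied any write, and only the engineering workstation gets write access. The following is an added example and not Tofino's implementation or configuration format; it parses Modbus/TCP requests and applies a per-conduit policy, denying anything for which no conduit exists and dropping malformed frames before policy is consulted. The IP-to-zone map, the conduit rules and the request frames are constructed for the example (the addresses reuse the 192.168.1.0/24 range from the inventory slide).

```python
"""Per-function-code Modbus/TCP filtering on a zone-to-zone conduit.

Added example; not Tofino's implementation. ZONE_OF, CONDUITS and the request
frames are constructed. Only the request direction (client -> PLC) is modelled.
"""
import struct

# Public Modbus function codes (Modbus Application Protocol Specification).
READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGS, READ_INPUT_REGS = 0x01, 0x02, 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REG, WRITE_MULTI_COILS, WRITE_MULTI_REGS = 0x05, 0x06, 0x0F, 0x10

READ_ONLY = frozenset({READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGS, READ_INPUT_REGS})
READ_WRITE = READ_ONLY | {WRITE_SINGLE_COIL, WRITE_SINGLE_REG, WRITE_MULTI_COILS, WRITE_MULTI_REGS}

# Which zone each address belongs to; in practice this comes from the asset inventory. Constructed.
ZONE_OF = {
    "192.168.1.20": "EWS",  # engineering workstation
    "192.168.1.30": "HMI",  # operator HMI
    "192.168.1.10": "PLC",  # controller
}

# Conduit policy: (source zone, destination zone) -> permitted function codes.
# Any pair not listed has no conduit and is denied by default.
CONDUITS = {
    ("HMI", "PLC"): READ_ONLY,
    ("EWS", "PLC"): READ_WRITE,
}


class MalformedModbus(ValueError):
    """Raised when a frame is not a well-formed Modbus/TCP request."""


def parse_request(frame: bytes):
    """Parse a Modbus/TCP ADU and return (unit_id, function_code, pdu_data).

    MBAP header: transaction id (2 bytes), protocol id (2, must be 0), length (2),
    unit id (1). The length field counts the unit id plus the PDU that follows.
    """
    if len(frame) < 8:
        raise MalformedModbus("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise MalformedModbus(f"protocol id {proto}, expected 0")
    if length != len(frame) - 6:
        raise MalformedModbus(f"length field {length} does not match {len(frame) - 6} bytes present")
    return unit, frame[7], frame[8:]


def decide(src_ip: str, dst_ip: str, frame: bytes):
    """Return ('allow' | 'deny', reason) for one request crossing the conduit."""
    src_zone = ZONE_OF.get(src_ip, "UNKNOWN")
    dst_zone = ZONE_OF.get(dst_ip, "UNKNOWN")
    permitted = CONDUITS.get((src_zone, dst_zone))
    if permitted is None:
        return "deny", f"no conduit {src_zone}->{dst_zone}"
    try:
        _unit, fc, _data = parse_request(frame)
    except MalformedModbus as exc:
        return "deny", f"malformed: {exc}"
    if fc not in permitted:
        return "deny", f"function 0x{fc:02x} not permitted on {src_zone}->{dst_zone}"
    return "allow", f"function 0x{fc:02x} on {src_zone}->{dst_zone}"


# Constructed request frames (hex): MBAP header followed by the PDU.
READ_10_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC 3: read 10 registers from 0
WRITE_REG_16 = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")     # FC 6: write 0x00ff to register 16
SHORT_LENGTH = bytes.fromhex("0003 0000 0004 01 06 0010 00ff")     # length says 4, 6 bytes follow
NOT_MODBUS = bytes.fromhex("0004 0001 0006 01 03 0000 000a")       # protocol id 1

FLOWS = [
    ("192.168.1.30", "192.168.1.10", READ_10_HOLDING),  # HMI polls the PLC
    ("192.168.1.30", "192.168.1.10", WRITE_REG_16),     # HMI tries to write
    ("192.168.1.20", "192.168.1.10", WRITE_REG_16),     # EWS writes (maintenance)
    ("192.168.1.77", "192.168.1.10", READ_10_HOLDING),  # unknown host, no conduit
    ("192.168.1.30", "192.168.1.10", SHORT_LENGTH),     # bad length field
    ("192.168.1.30", "192.168.1.10", NOT_MODBUS),       # wrong protocol id
]


def audit(flows):
    """Apply the conduit policy to each flow and return the list of verdicts."""
    return [decide(src, dst, frame)[0] for src, dst, frame in flows]


if __name__ == "__main__":
    for (src, dst, frame), verdict in zip(FLOWS, audit(FLOWS)):
        print(f"{src} -> {dst}: {verdict:5s} {decide(src, dst, frame)[1]}")
```

Two caveats a practitioner would add. First, the policy above only looks at the function code; a production DPI rule set also constrains the PDU (which register or coil ranges a client may touch, maximum quantities, whether diagnostic and device-identification functions are allowed at all). Second, the example works on one complete ADU at a time, whereas an inline appliance has to reassemble the TCP stream and handle requests split across segments before any of this logic can be trusted.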


Belden Industrial Cybersecurity Portfolio


Summary - Benefits of Having an Asset Inventory
Benefits of a current and automated asset inventory:
- Mitigate cyber security risks from outsiders, insiders, and human error
- Reduce / avoid unplanned downtime
- Improve productivity
- Automate to speed resolution, save time and reduce human error
- Process improvement and efficiency

Action: consider a cybersecurity risk assessment.

Join Us - Industrial Ethernet Infrastructure Design Seminar, October 10-13, 2016, Orlando, Florida
- Learn good infrastructure design for cyber security, for all industry sectors
- Oriented toward technical and hands-on learning labs
Learn more: http://info.belden.com/designseminar

Q&A - Thank You!


Questions and Answers

Q: Are Zones accomplished using VLANs?
A: I'm not sure of the point of the question here. There are always multiple VLANs employed when there are differing environments or items consolidated on a common manageable switch. Special configurations to harden the switch and prohibit VLAN jumping are established, documented and tested. When we label zones VLANs, I'm not sure what that actually is that you're thinking of, but if you contact [email protected] with a question we can work to answer that question thoroughly.

Q: Zones
A: Zones are essential for the establishment of environments in which similar devices can coexist and operate. They also help with monitoring, troubleshooting, and adding additional layers of security to an ICS architecture. NIST 800-82 as well as ANSI/IEC/ISA 62443 establish zones. It is also a very common practice within ICS environments that have a greater maturity and adoption of ICS cyber security. There are common practices found in other standards and advanced cyber security architectures.

Q: This is all well and good, but our industrial environment is set - at present we can't change anything. What do we do in that case?
A: For many circumstances where physical changes in architecture cannot be immediately made, there are technology solutions that can sometimes be applied to mitigate the risks - even process changes can often solve for an interim period. Another consideration is to do the planning for the bigger needed changes, whether architecture or equipment, while addressing the smaller things that can be altered such as password hygiene, not sharing logins, or simply knowing where the biggest concerns are.

Q: He just mentioned LANs - I think that Zones are accomplished by VLANs, but also can be accomplished via other technologies.
A: Yes, this is an absolute truth because there are a multitude of technologies that can establish zones. The best option for the most robust architecture is zones that can be monitored and be dynamic in defense of the Industrial Control System environment. There's also some device hardening that occurs to further ensure the zones are areas of security.

Q: Walkdown?
A: Per information on the NERC site and resounded in various other ICS standards: Include a physical walk-down of sites to verify Cyber Asset lists. A good method of ensuring that all Cyber Assets are documented and accounted for is to perform a physical walk-down of the computer rooms and control rooms that contain the Cyber Assets. A typical walk-down starts with an initial list of Cyber Assets and a network topology diagram showing connectivity. The walk-down involves ensuring that all the Cyber Assets on the drawing or Cyber Asset list are accounted for, all network and other connections are deployed as indicated on the network topology drawing, and no extra Cyber Assets or network connections are discovered that cannot be identified on the network topology diagrams. Any discrepancies between the Cyber Asset lists, the network topology diagrams, and the actual physical systems must be resolved, either by updating the documentation or removing the improperly installed or configured assets. This discovery validation method can normally be incorporated into the annual Cyber Vulnerability Assessment (CVA) process required under CIP-007 Requirement R8.

Q: So your approach is a walkdown to get the 80% proprietary ICS asset inventory?
A: No, Tripwire's suite of tools can aid in the identification of many assets, but through a combination of tools specifically configured for the ICS environment. We perform additional discovery activity outside the physical walkdown.


Questions and Answers (continued)

Q: How long does an industrial cyber security risk assessment take?
A: The scope and complexity of an environment can dramatically affect the length of time that a holistic risk assessment takes. Oftentimes, we see risk assessments prematurely halted because there are common vulnerabilities or exposures that can be remediated or planned for. Some identified risks may also need immediate attention because of the threat they pose to the revenue-generating or ICS process. We do offer accelerated risk assessments rather than full risk assessments to immediately triage vulnerable environments. It's not as supporting as a holistic risk assessment, but it does assist with getting an immediate look at what could potentially be a threat to the environment.

Q: For risk assessment, how do you acquire the data for the likelihood of a particular vulnerability occurring and the likelihood that a particular security threat will be exploited? Does this data exist in a database somewhere?
A: Likelihood is a very qualitative aspect of the overall vulnerability. If we take a workstation, for example, then we would look at the vulnerabilities present on the system and how those vulnerabilities score for that system, and determine if that system is a high consideration to the viability of the overall process. Then, from the gap, we will explore if there are compensating controls to reduce, mitigate, or eliminate the overall threat. We do have several databases that contain vulnerability data and leverage specially crafted tools that digest the vulnerability data for additional ranking.

Q: But that is just one vendor... ABB... what about Emerson, Honeywell, Yokogawa, Schneider and dozens of other ICS automation system vendors? How do you gather ICS inventory beyond ABB endpoints?
A: We are working with most - you'll continue to hear more as we finish with each one.

Q: The solution appears to be for primarily IT-oriented assets at level 3, with the exception of ABB PLCs via Rockwell AssetCentre.
A: If we are basing this strictly on one architecture that some ICS environments are based upon, then there are multiple levels of integration that Tripwire can integrate into, from level 1 to 5. This is an example of one type of integration, and the capabilities are more broad-reaching than only one vendor. In a future architectural webinar, we can display how that integrates through those environments as well as contributes to a more mature adoption of cyber security that promotes continuous monitoring. Today's conversation was based on, as well as focused on, the risk assessment enabling asset inventory rather than a deep dive of architectural adoption.

Q: There are no cyber personnel available in utilities teams - how do you see this gap closing? MSSP? Contractors? There is no motivation to hire personnel except in Energy where NERC CIP applies fines - otherwise no motivation to hire staff? Insight?
A: It's definitely a problem. There is "zero" unemployment for those with cyber security skills and it's often tough to make the case to hire. MSSPs are a way around this, but not every infrastructure is suited for outsourcing despite getting cyber security skills. Also, some of the biggest trends we're seeing are in the areas of training and certifications where we're basically trying to grow our own. It will take time.

Q: What are you doing nationally to expand the talent pool?
A: We are looking for enabling partners to construct a methodical and repeatable approach as well as networking with state officials. Please reach out to [email protected] to learn more and explore partnerships that are enabling the construction of such talent pools.
