Architecting Secure ICS Environments
Don C. Weber - @cutaway
Principal Consultant, Founder
© 2019 Cutaway Security, LLC. All Rights Reserved.
Presented at Wild West Hackin' Fest – Deadwood, SD on October 24, 2019
Cutaway Security, LLC
• Don C. Weber - Jack of All Trades
• Security Management
• Penetration Testing
• Security Assessments
• Security Researcher
• Instructor / Presenter
• Incident Response
Full Disclosure: Instructor for ICS Classes
ControlThings.io A&ECS Course
SANS ICS 410 Course
GIAC GICSP Certification
SANS ICS 612 Course <- I don't teach this, but it is going to be awesome.
Agenda
• Purpose
• ICS Implementations and Equipment
• ICS Concerns
• ICS410 Reference Architecture
• Recap
Image Source: SANS ICS410 ICS / SCADA Security Essentials
Purpose
Things to get over…
• Clear Text Protocols
• Insecure Applications
• Vulnerable Firmware
• Brittle Services
Worst Case Scenario
ICS Implementations and Equipment
What are ICS implementations?
• A process is a group of devices and servers that perform a specific function, typically combined with other processes.
• Plants are multiple processes, independent or dependent, that can be centrally controlled.
• SCADA are processes and plants that are mutually dependent but spread over a wide region.
Image Source: Google Maps
What are ICS Devices?
1. 120 VAC field IO
2. Branch circuit breaker
3. Motor starters
4. Main power feed
5. Main fuses
6. 24 VDC power supplies
7. Allen Bradley Compact Logix PLC
8. Allen Bradley Compact Logix IO rack
9. Motor starters
10. Phoenix Contact Industrial Ethernet switch
11. 24 VDC field IO
12. 4-20 mA field instrumentation
13. Allen Bradley Variable Frequency Devices
14. A general purpose Ethernet switch (rogue device)
• Floor/Field Components Include:
– 1 Data Historian Server
– 2 Wonderware HMIs
– 2 Panel Views
– 4 Automation Direct Operation Interfaces
– Many PLCs
This control cabinet controls a chemical wash process. A local integrator made this panel with Allen Bradley and Phoenix Contact components.
Image Source: ControlThings.io Accessing and Exploiting Control Systems
What is a process?
How are processes managed?
• Human Machine Interfaces
• Master Servers
• Engineer Workstations
• Business Servers
Image Source: ControlThings.io Accessing and Exploiting Control Systems
How are processes deployed?
Image Source: SANS ICS410 ICS / SCADA Security Essentials
• ISA-95 <- Process only
• ISA-99 <- Process with security
• IEC/ISA-62443 <- ISA-99 renamed
ICS Concerns
What are ICS business concerns?
• Safety to personnel, environment, and process.
• Sustained operations, availability and integrity, of the process.
• Regulation, due to safety, environmental hazard, or public impact.
Image Source: https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2015/08/Cannisters_After.jpg
What are the Operational Technology (OT) team's concerns?
• Breaking devices and negatively impacting the processes.
• Causing delays because assessments conflict with important milestones.
• Do not know or understand goals of assessment.
• Showing how their baby is ugly…. err…. challenged.
• Making their jobs harder, less efficient.
Image Source: Boyd Animation https://boydanimation.com/
What are the states of ICS environments?
• Each process control deployment is unique by industry, vendor, and company.
• Security may be built in, added on, or not considered.
• Regulations may have dictated security; lack of regulations may have dictated lack of security.
Image Source: ControlThings.io Accessing and Exploiting Control Systems
SANS ICS410 Reference Architecture
Worst Case Scenario
Expected Architecture – ICS410 Reference Model
[Diagram. Labels recovered from the figure:]
• Side labels: Plant Networks; Control Network
• Purdue Level 4 - Plant's Business Network
• Enforcement between ICS DMZ and Business Networks (Business pulls from or pushes to iDMZ)
• ICS DMZ segments:
– ICS DMZ - ICS to Business
– ICS DMZ - Business to ICS
– ICS DMZ - Cloud Access
– ICS DMZ - Remote Access
• Enforcement between Control Networks and ICS DMZ (Control pulls from or pushes to iDMZ)
• Purdue Level 3 - Plant Supervisory
• Enforcement between Cell / Lines and Plant Supervisory (ACL on router / layer-3 switch or Firewall)
• Cell / Line / Process A, B, C, and D, each containing:
– 2 - Local Supervisory
– 1 - Local Control
– 0 - Field Devices
– Safety Systems
– Airgap / Enforcement
• Other labelled components:
– Jump Hosts (per vendor or group/role)
– Cyber Security Operations
– Testing/Staging (per system)
– Workstations (per group/role)
– Master Servers, Historian, and HMIs
Image Source: ControlThings.io Accessing and Exploiting Control Systems
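The enforcement boundaries in the reference model can be checked against observed flow records. The following is an added example, not code from the talk or from the ICS410 course: it maps initiator and responder addresses to zones and reports crossings the model does not show. The subnets, zone names, and the treatment of cell-to-supervisory traffic as permitted in both directions are assumptions made for illustration.

```python
import ipaddress

# Constructed zone map (assumption): subnets are illustrative, not from the talk.
ZONES = {
    "business": "10.40.0.0/16",     # Purdue Level 4
    "idmz": "10.35.0.0/24",         # ICS DMZ
    "supervisory": "10.30.0.0/24",  # Purdue Level 3
    "cell_a": "10.20.1.0/24",       # Levels 0-2, Cell / Line / Process A
    "cell_b": "10.20.2.0/24",       # Levels 0-2, Cell / Line / Process B
}
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in ZONES.items()}
# (initiator, responder) zone pairs permitted across a boundary. The iDMZ never
# initiates. Assumption: cell <-> supervisory is allowed both ways via the ACL.
ALLOWED = {("business", "idmz"), ("supervisory", "idmz")}
for cell in ("cell_a", "cell_b"):
    ALLOWED |= {("supervisory", cell), (cell, "supervisory")}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in NETS.items() if addr in net), "unknown")

def audit(flows):
    """Return (initiator, responder, reason) for each disallowed crossing."""
    findings = []
    for src, dst in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz) in ALLOWED or (sz == dz and sz != "unknown"):
            continue  # permitted crossing, or traffic inside one zone
        reason = "crossing not in reference model"
        if "unknown" in (sz, dz):
            reason = "endpoint not in zone inventory"
        elif sz == "idmz":
            reason = "iDMZ initiated the connection"
        elif "business" in (sz, dz):
            reason = "business/control traffic bypasses iDMZ"
        elif sz.startswith("cell_") and dz.startswith("cell_"):
            reason = "direct cell-to-cell traffic"
        findings.append((src, dst, reason))
    return findings

# Constructed flow records: (initiator IP, responder IP).
SAMPLE_FLOWS = [
    ("10.40.3.7", "10.35.0.10"),   # business -> iDMZ (permitted)
    ("10.40.3.7", "10.30.0.5"),    # business -> supervisory
    ("10.35.0.10", "10.30.0.5"),   # iDMZ -> supervisory
    ("10.20.1.11", "10.20.2.11"),  # cell A -> cell B
    ("192.0.2.50", "10.20.1.11"),  # uninventoried host -> cell A
]
print(*audit(SAMPLE_FLOWS), sep="\n")
```

An "endpoint not in zone inventory" finding is also a gap in the asset inventory, such as the rogue general purpose Ethernet switch noted in the control cabinet earlier.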
Best Case Scenario
IT / OT Security Effort Prioritization
• Separate policies for IT and OT environments
• Segmentation and Isolation
• Access Control
• Logging and Monitoring
• Assessment Inventory
• Incident Response and Recovery
Tactical ICS Security Considerations
• Separate policies for IT and OT environments
• Segmentation and Isolation
• Access Control
• Logging and Monitoring
• Assessment Inventory
• Incident Response and Recovery
Recap
• Purpose
• ICS Implementations and Equipment
• ICS Concerns
• ICS410 Reference Architecture
• Recap
ControlThings.io A&ECS Course
SANS ICS 410 Course
GIAC GICSP Certification
SANS ICS 612 Course
Don C. Weber - @cutaway
Principal Consultant, Founder
http://www.cutawaysecurity.com
http://linkedin.com/in/cutaway
https://www.sans.org/instructors/don-c-weber