2012

Eran Salfati, Amir Ellenbogen, Meir Arad, Yagil KadmonSecurity Standards Implementation To Improve ICS and SCADA Security

- Nuclear Research Center Negev (NRCN)Society of Electrical and Electronics Engineers inIsrael (SEEEI) 20121Introduction.Cyber Attacks.ICS Weakness.Security Model.Case Study.

Subjects

Introduction.Cyber Attacks.ICS Weakness.Security Model.Case Study.

SubjectsIntroductionICS - Industrial Control System:SCADA - Supervisory Control and Data Acquisition DCS - Distributed Control Systems PLC - Programmable Logic Controllers

What is a Cyber Attack?A cyber attack can include a wide variety of computer-based events that could impact:Confidentiality: violate the security of data or software. Unauthorized access (internal or external) by those without appropriate authorization and need to know. Integrity: unauthorized modification, destroy of data, systems, and information. Availability: deny access to systems, networks, services, or data. CIAConfidentiality - Integrity Availability -

A large percentage of deployed control system hardwareand software is proprietary. However, some vendors are moving toward marketing products that usenonproprietary, commercial off-the-shelf technologies, as these newer systems provide morefunctions, with better efficiency, costs (acquisition, operation, and maintenance), and effectiveness.Control system networks also may use proprietary or industry-specific protocols. The proprietarynature of installed control systems currently requires professionals with system-specific knowledge tooperate them, but that is slowly changing as older systems get replaced and upgraded.5Introduction.Cyber Attacks.ICS Weakness.Security Model.Case Study.

SubjectsAttack Vectors

Trustworthiness Deception , 7ICS Security Vs IT Security

Cyber Incidents types

Incidents - ( )Intentional / 9Introduction.Cyber Attacks.ICS Weakness.Security Model.Case Study.

SubjectsICS WeaknessNo AuthenticationWhat is the identity of an automated system?How would policies such as change password monthly be applied on systems that supposed to run un attended for years?How do you manage rights for each person?No PatchingSystems have never needed security patches in the past. Old: Install a system, replace it in 5 years.New: Install a system, patch it every month.

ICS WeaknessDenial about how much they are connected to the internetBelief: not connection at all.Reality:numerous uncontrolled connections.Reality: even network that are separate get connected via roaming USB drives and laptops.

Introduction.Cyber Attacks.ICS Weakness.Security Model.Case Study.

SubjectsAwarenessStandardization EffortsInternational Society for Automation International Electro technical CommissionNational Institute for Standards and TechnologyUnited State Computer Emergency Readiness Team

1.Terminology There is a need for Solid understanding of the term definitions and abbreviation which are used in ICS and IT industry.2.Standards Organization such as ISA, IEC, NIST, CERT were developed industry specific roadmaps, guidelines and standards addressing the subject of ICS\SCADA to assist with design and implementation of ICS\SCADA security program. Those guidelines are dealing with terminology, concept, models, requirements and actions that need to be taken to improve the ICS\SCADA security

14ISA 99 Work Products

The cyber security program must be designed to:Prevention and Mitigation Coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack through risk-mitigation activities. Defense-in Depth Apply and maintain protective strategies to ensure the capability to detect, respond to, and recover from cyber attacks.

Control Systems Security Program (CSSP)

A-I-M A Assess. I Implement. M Maintain. Security ModelNecessary steps need to be taken daily to ensure the integrity of data and security of ICS. The process of hardening the system software and hardware is not a one-time event, it is a dynamic and reiterative process since security breaches are constantly exposed in operating systems and ICS\SCADA programs17A AssessRisk assessments and critical asset identification.Perform a ICS & SCADA assessment.Perform a risk analysisCreate a security policy.A Assess

19

A AssessConsequence / Breach 20Design for desired security level.Deploy protective measures.Mitigation.Test Security.I Implement

21Update assessment.Review and update risk analysis.Update security policy.Apply Standards to Future Projects.Continue to Test your Protected System.

M MaintainIntroduction.Cyber Attacks.ICS Weakness.Security Model.Case Study.

SubjectsCase StudyThis case study is referring to the following SCADA security viewpoints: Different security stations (computers) on one control network. HMI software product. Restrict access. Cycle pass codes. No connection to other networks.

Physical & Hardware hardring Restricted number of technicians responsible for maintenance.No CD-ROM driveNo internet access.No keyboard touch screen interface only.Segregated control network, no connection to other networks.Each computer is locked in a restricted room or cabinet.

Case Study CD

25Software Restrictions No Windows games loaded. Only runtime versions deployed. Development computer located in a restricted access room. Boot up automatically starts application in run mode. In run mode the Windows key and alt key are disabled. Only a unique key sequence can interrupt the runtime application.

Case Study