Industrial Control Systems Cyber Security
Proven Risk to Supply Chain Operations
Mark Fabro
Chief Security Scientist, Lofty Perch Inc.
Wednesday June 7, 2017
6/20/2017 1
Overview
• The role of industrial control systems (ICS) in supply chain
• Cyber Risk and ICS
• ICS attacks and trends
• Mitigation considerations
The Main Points
• Industrial Control Systems (ICS), SCADA, DCS, OT are the heart of manufacturing and industry
• The suppliers you depend on use ICS to make/move/fix the materials you need
• Those systems can be vulnerable to attack, have been attacked and attacks are increasing
• Attacks impact availability of products, integrity of products, movement of products, timely delivery, health and well-being of people and ultimately effectiveness of force
ICS in the Supply Chain – Everywhere…
• Manufacturing and Repair
• Road, Rail, Airfield Operations
• Seaways
• Ports
• Water/Wastewater
• Refineries
• Pipelines (oil, gas, other)
• Grid operations
• Energy Generation
• Healthcare
• Building Environmental Control
Why is This Important to You?
• Your supply chain uses ICS
• Compromising ICS can result in:
  • Unavailable systems
  • Compromise of sensitive production data
  • Impact delivery of materials/parts/weapons
  • Impact integrity of the part being produced/repaired
• ICS security is rarely part of a governed cyber security program
Kinetic Impacts
Cyber Incidents and Infrastructure
• As early as 1982 (Gazprom)
• Worcester Airfield
• 1994 (Salt River Project)
More Interesting Cyber Events
• 2003 ‘Slammer’ disables Davis-Besse safety mechanism
• May 2001 Cal-ISO attack
  • Undetected for 17 days from California and China (last source)
  • Compromise almost penetrated into energy provisioning systems
• August 2003 Blackout
  • Malfunction in Alarm and Event Processing (AEPR) due to race condition
• 2004 ‘Sasser’ disables connected oil platforms for several days
• Sept 2004 SOCAL air traffic control failure
  • Windows bug forced server to auto-reboot after 49.7 days
  • 800 planes in the air w/o contact for 3 hours
  • 400 delays, 600 cancellations
• 2005 ‘Zotob’ attacks Daimler-Chrysler
• 2009 Brazilian Power Grid
Known Incidents Since 1982 (lots)
EDIST 2010 © Lofty Perch, Inc.
DoD
Vulnerability Discovered by Year
• Research community gone wild
• Evolution of new techniques
• Looking for ‘zero days’
Kaspersky Lab
Disclosure by Year
2016 FireEye
Zero Days in the Wild
• All well before Shadow Brokers
• Libraries part of larger suite?
2016 FireEye
Going Unfixed
• Of 1,552 ICS vulnerabilities 516 did not have a patch at time of disclosure
• That means 33% are ‘0 days’
2016 FireEye
Incidents by Sector and Vector 2015
U.S. DHS ICS-CERT
By end of 2016
• Look at the top 3
• How will they affect operations?
Kaspersky Lab
Mitigation Activities
• Expand security assessment to the control systems of private sector partners
• Code analysis
• Develop attack trees and use cases to model the kill chain of the adversary
• Consider blended cyber/physical attacks
• Exploit SME experience from around the globe
• Customization of COTS IT security to fit ICS/SCADA
• Learn from work done across sector