securing control systems v0.4
Securing Control Systems
An introduction to security techniques for use in Control System Networks
Introduction
Crispin Harris
Security [email protected]
10th May, 2010
Overview
Part 1 - Understanding
What is a Control System?
Why are they different?
Key attributes
Understanding the risks
Part 2 - Protection
Design & Network
Hosts & Operating Systems
Applications & Vendors
Vulnerability Management
Part 3 - Governance
Policy & Process
(Penetration) Testing
Vendor Relationships
Information/Software stores
Part 4 - Summary
Review & summary
Web Resources
Aus Gov Resources
US Gov Resources
Learning Objectives
Be able to identify:
Key attributes of a Control System
Strengths and weaknesses of normal CS design
Useful non-technical controls
Safe & useful technical controls
Be able to find further resources
But most importantly: be able to knowledgeably discuss Control System security
Intro to Control Systems Security
PART 1 - UNDERSTANDING CONTROL SYSTEMS
What is a Control System?
A Control System is any computerised or automated system that is used to control, monitor, support or operate a known process.
Most Control Systems manage an Industrial Process such as: Manufacturing, Energy, Water, Gas.
But they are also found where other repeatable processes occur: Rail & Air Transportation, Healthcare, Finance, Road Infrastructure, Fleet Management, etc.
What is a Control System?
A Control System (Industrial Control System) is an umbrella term that refers to a broad set of control systems.
These include:
SCADA (Supervisory Control and Data Acquisition)
DCS (Distributed Control System)
PCS (Process Control System)
EMS (Emergency Management System)
AS (Automated System)
SIS (Safety Instrumentation System)
And any other automated control system.
Talk briefly about the different types of control systems, and w
Why are ICS networks special?
Control Systems are designed to provide day-in, day-out management of a well known process. The integrity and continued operation of this process frequently have key safety or financial impact.
Control Systems need:
INTEGRITY
AVAILABILITY
And a bit of:
CONFIDENTIALITY
Attributes of ICS networks
Constant & Unchanging
Stable
Well documented
Old & un-patched systems
Isolated*
Internally redundant
Small*
Rare/Obscure Customised Applications
Self Contained
A quick review of the sensitivities that Control Systems have to Impact & Change
Control System Risks
Operator Controls:
Loss of Control
Loss of View
Historical Data:
Corruption
Disclosure
Denial of Access
Insults to the System
Insults to the data Generated by the system, and USED by the business
ICS Weaknesses
Well Known and stable operation
VERY few changes
Un-patched, un-managed Operating Systems
10-year-old (or more) devices w/ Embedded OS
Fragile devices that are very sensitive to change
Design assumptions have proved inaccurate
Networks already experience many transient failures
Custom or insecure network protocols
Immature network tunnelling/bridging techniques.
ICS Strengths
VERY FEW changes
Well Known & Stable operation
Custom/Uncommon software
Generally well documented
Isolated Networks
Anomalous Activity Detection
Gateway Access Controls
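The first strengths on this slide (very few changes, stable operation) are what make anomalous activity detection practical: a capture of normal traffic can serve as an allow-list of flows, and anything outside it is worth a look. The sketch below is an added example, not part of the original slides; the flow records, addresses, ports and function names are constructed for illustration.

```python
from collections import Counter

# Constructed flow records (src, dst, proto, dst_port); all values are assumptions.
BASELINE_CAPTURE = [
    ("10.10.1.5", "10.10.2.20", "tcp", 502),   # HMI -> PLC (Modbus/TCP)
    ("10.10.1.5", "10.10.2.21", "tcp", 502),   # HMI -> second PLC
    ("10.10.1.6", "10.10.3.10", "tcp", 1433),  # workstation -> historian DB
]
LIVE_CAPTURE = [
    ("10.10.1.5", "10.10.2.20", "tcp", 502),   # matches the baseline
    ("10.10.1.99", "10.10.2.20", "tcp", 502),  # host never seen before
    ("10.10.1.6", "10.10.2.21", "tcp", 23),    # known hosts that never talked
    ("10.10.1.5", "10.10.2.20", "tcp", 80),    # known pair, new service
    ("10.10.1.5", "10.10.2.20", "tcp", 80),
]


def build_baseline(flows):
    """Reduce an observation window to allowed flows, host pairs and hosts."""
    allowed = set(flows)
    pairs = {(src, dst) for src, dst, _, _ in allowed}
    hosts = {host for pair in pairs for host in pair}
    return allowed, pairs, hosts


def find_anomalies(flows, allowed, pairs, hosts):
    """Return sorted (reason, flow, count) for each flow outside the baseline."""
    findings = []
    for flow, count in Counter(flows).items():
        if flow in allowed:
            continue
        src, dst = flow[0], flow[1]
        if src not in hosts or dst not in hosts:
            reason = "new-host"
        elif (src, dst) in pairs:
            reason = "new-service"
        else:
            reason = "new-pair"
        findings.append((reason, flow, count))
    return sorted(findings)


def review(baseline_flows, live_flows):
    """Baseline one capture, then report deviations seen in another."""
    return find_anomalies(live_flows, *build_baseline(baseline_flows))


if __name__ == "__main__":
    for reason, flow, count in review(BASELINE_CAPTURE, LIVE_CAPTURE):
        print(f"{reason:<12}{flow} seen {count}x")
```

The same comparison run passively against a mirrored port or gateway logs adds no traffic to the fragile devices the earlier slides describe.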
Historical Assumptions
Some (one) key historical assumptions underpin the current situation:
Isolated network environment
Devices Work but only just; may not be RFC Compliant
Network is ISOLATED & not attackable, thus not defended or updated
Network is resilient to (many) individual faults & failures.
PART 2 - PROTECTIONS FOR CONTROL SYSTEMS
What can we do?
It's all about:
People
Process
Technology
We constantly:
Inspect
Assess
Review
All the standard security tools, processes and concepts apply.
Security is a Process not a Product
Firewalls, IPS, Anti-Virus, Structural Separation,
Protections - People
All the 'standard' People and Personnel controls for working in sensitive areas apply in Control Systems.
The Big Stuff:
Get buy-in for security from Control System owners or senior executive.
Small Stuff:
Most Operators are NOT IT People. Give them somewhere 'safe' to play.
Already have a safety culture.
Adding systems security increases your safety.
Operators know how their systems work.
Protections - Process
Regular Liaison with key stakeholders:
Vendor liaison
System owner
Executives
Relationships can make or break your systems
Reporting & Monitoring:
System Monitoring
Incident & Anomaly Reporting
Software & Vulnerability Management
(Try to) Ensure products are up-to-date:
Vendor Patches & Updates
Related & Ancillary packages
Operating System Updates
Protections - Technical Defence in Depth
Protections - Network Separation
Network Separation:
Increases attack complexity
Increases time-to-compromise
Decreases vulnerable devices at each step
Isolates fragile devices
Not applicable on some older legacy networks
Difficult to retro-fit
Protections - Network Access Control
Many protections can be implemented in the network infrastructure, both at the transition points and on the network fabric.
Ingress/Egress Controls:
Routing & Access Lists
Gateway Firewalls
Network Fabric:
Switch-port access controls
ARP security
Protections - Host-based Controls
Host-based controls can be contentious.
Anti-Virus & Anti-Malware
File Integrity Checking
Process Privilege Escalation
Host-Based IPS
Host Firewalls
Host Authentication (Active Directory)
Centralised Logging
Protections - Applications
Recent high-publicity events have highlighted application-based weaknesses & vulnerabilities.
Plain-text passwords, if they exist at all
Default database/application/server passwords
Vulnerable web services
Private software is publicly available: pentesters/attackers can download a demo from the web to attack your 'secure because it is obscure' system.
PART 3 - GOVERNANCE & REVIEW
Policy & Process
Key policy Documents:
Acceptable Use Policy
Network Access Control Policy
3rd Party access and Remote Access Policies
Software & Vulnerability Management Policy
Key Processes:
Software/Patch Management
Change Management
Compliance & Audit
Compliance Audits are your KEY tool for ongoing safety/assurance of these networks!
Determine an appropriate standard / policy set:
NIST 800-82
NISTA 52
NERC
Perform policy/standard audit of processes and controls:
Cyber Security Evaluation Tool (CSET)
Router/Switch/Firewall configuration Audit
Testing Control System Security
ICS Penetration Testing:
Australian and International resources available. A VERY specialised area.
Internal/amateur vulnerability testing:
It is suggested that this NOT be performed on your production network
Other practices include: Network Sniffing, Configuration Testing & Gateway traffic analysis
Protecting Secondary Information
Software Library:
PLC Firmware
Source Code
Application installers
Operators Manuals
Authentication Systems (AD, LDAP, DB etc)
See StuxNet & the public knowledge/understanding of attacks against Firmware. How safe is YOUR firmware library?
PART 4 - WRAP-UP
Summary
Integrity vs. Confidentiality
Network Separation
Network Modelling & Network Anomaly Detection & IDS
Testing (Penetration & Compliance)
Auditing (Policies, Controls & Processes)
Stay (as) current (as you can be)
Standards & Guides
ANSI/ISA95 - Enterprise-Control System Integration, Part 1: Models and Terminology
NIST SP 800-82 - Guide for Industrial Control Systems (ICS) Security
NERC CIP-002-3 to CIP-009-3 - NERC CIP standards provide a cyber security framework for the identification and protection of Critical Cyber Assets
ISA TR99.00.02 - Integrating Electronic Security into the Manufacturing and Control Systems Environment
DHS CSSP - Control Systems Defence in Depth Strategies
http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
Resources
Australian Resources:
CERT Australia
Department of Broadband, Communication and the Digital Economy
Department of the Attorney General
Control System Pen-Testing companies
International Resources:
US CERT Control Systems Security Program
US Department of Homeland Security & US Department of Energy
UK Centre for the Protection of National Infrastructure
Web Resources
Australia:
CERT Australia
http://govcert.gov.au/
International:
US-CERT Control Systems Website
http://www.us-cert.gov.au/control_systems
DHS Cyber Security Evaluation Tool (CSET)
http://www.us-cert.gov/control_systems/satool.html
SANS
http://sans.org.au/
CPNI SCADA Guidelines & Recommendations
http://www.cpni.gov.uk/scada
Questions & Answers
Controls
Firewalls
Intrusion Management: Detection vs. Prevention
Penetration Testing
ISA95 Control Hierarchy Levels
ISA95 IT Systems View