Securing Industrial Control Systems - CornCON II: The Wrath of Corn

Securing Industrial Control Systems Eric Andresen CornCON 2016 September 17, 2016

Upload: eric-andresen

Post on 16-Jan-2017


TRANSCRIPT

Introduction

Securing Industrial Control Systems
Eric Andresen
CornCON 2016

September 17, 2016

Q. How many people are here at CornCON for the first time?

1

Eric Andresen - https://www.linkedin.com/in/andresen1206

2

30 years technical experience, 27 years IT experience
Information Security Manager, IT for SSAB Americas
Founding member of the Quad Cities Cybersecurity Alliance
Experience in Electronics, Field Service, ISP Webmaster and Internet Services, and Enterprise Communications
Member of IEEE and the Chicago InfraGard Chapter
Certified by FEMA, HP, CompTIA, Microsoft, and others
Previous positions as Project Manager, Server Management, Critical Infrastructure Management and IT Operations Management


In brief
Nordic and US-based steel company with a global reach
Leading producer of Advanced High Strength Steels
About 17,300 employees in 50 countries
Steel production facilities in Sweden, Finland and the US
Annual steel production capacity of 8.8 million tons
Listed on multiple public exchanges
100% recyclable products: 97% recycled raw materials, saving 600,000 tires per year; production results in 66% less CO2 emissions; over 1 million gallons of water recycled a year
Aiming for a CO2-free process: the Iowa facility makes steel using 40% wind power

3

Making a World of Difference


[Map: SSAB production sites and sales coverage - 17,300 employees in over 50 countries; Nordic; main production sites in Sweden, Finland and the US]

4


Disclaimer

The views expressed in this presentation are those of the author and do not necessarily reflect the views of SSAB, IEEE or the Quad Cities Cyber Security Alliance.

This presentation is TLP: White and may be distributed, shared, remixed and reused without restriction.

5

Good to have a goal
Your primary responsibility is to prevent compromise.

You need to preserve the safety and reliability of the physical process and not the system itself.

Adequately protect systems

ICS system failure can result in:
Loss of life
Loss of revenue
Loss of equipment
Environmental damage
Loss of service

6

Q. Who do we have in the room? Manufacturing? Energy? Nuclear? Power? Brewing or other scientific?

Basics
Know your network
Know your hosts
Know your enemy
Know what your enemy knows
Protection is key but detection is a must
Apply principles of least privilege
Apply defense in depth
Use what you have

7


You are not alone!
Quad Cities Cyber Security Alliance - https://www.facebook.com/groups/QCCyber/

US-CERT & ICS-CERT - www.us-cert.gov, ics-cert.us-cert.gov, 877-776-7585

NIST - www.nist.gov
SCADAHACKER - https://scadahacker.com

C3 Voluntary Program - https://www.us-cert.gov/ccubedvp

DHS AIS and CISCP - [email protected]
https://www.dhs.gov/topic/cybersecurity-information-sharing
https://www.us-cert.gov/ais
https://www.dhs.gov/ciscp

InfraGard - www.infragard.org
FIRST.org and Information Sharing and Analysis Centers (ISACs)
National Strategy for Securing Control Systems - https://ics-cert.us-cert.gov/sites/default/files/documents/Strategy%20for%20Securing%20Control%20Systems.pdf

AIS: Automated Indicator Sharing
CISCP: Cyber Information Sharing and Collaboration Program
Q. Who is an alliance member?
Q. Any C-Cubed members?

8

Network and Share

InfraGard - www.infragard.org
American Society for Industrial Security - www.asisonline.org
National Cybersecurity Partnership
HSIN - dhs.gov/homeland-security-information-network-hsin
Professional relationships
LinkedIn Groups - Industrial Control System Cyber Security (ICS-CS) - linkedin.com/topic/industrial-control-systems-security
Local organizations: Quad Cities Cyber Security Alliance, IEEE, ISACA

9

Leverage CSF
NIST Cybersecurity Framework - http://www.nist.gov/cyberframework/

10

Q. Anyone using the NIST CSF?

It's a little simplistic but a good start. Up to 30% of organizations are already using the CSF in some manner. Powerful crosswalks are available. Identify, Protect and Detect are right on. Respond and Recover are a little lackluster in an ICS environment: if you are trying to protect a process and not information, once the genie is out of the bottle, well, it's over.


What is it?

Standard expression of current state
Standard way to express who you want to be when you grow up
Identify and prioritize opportunities to improve
Measure progress
Drives communication to teams and management

11

Whats in it?

Core
Tiers
Profiles

12

Identify

Asset Management
Identify and Categorize Risks
Identify Stakeholder Communities
Identify the correct Controls for your risks
Secure Network Interconnections
Identify Special Protocols
Perform Risk Assessments
Perform Protocol Analysis
Strategies
Indicators of Compromise

13


ICS-CERT will train you for FREE
What is available? https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
Operational Security (OPSEC) for Control Systems (100W) - 1 hour
Cybersecurity for Industrial Control Systems (210W) - 15 hours

The 210W courses are:
210W-01 Differences in Deployments of Industrial Control Systems (ICS)
210W-02 Influence of Common Information Technology (IT) Components on ICS
210W-03 Common ICS Components
210W-04 Cybersecurity within IT and ICS Domains
210W-05 Cybersecurity Risk
210W-06 Current Trends - Threats
210W-07 Current Trends - Vulnerabilities
210W-08 Determining the Impact of a Cybersecurity Incident
210W-09 Attack Methodologies in IT and ICS
210W-10 Mapping IT Defense-in-Depth Security Solutions to ICS

ICS-CERT Virtual Training Portal - https://ics-cert-training.inl.gov

14

TEEX will also train you for free
What is available?

AWR138 Network Assurance

AWR139 Digital Forensics Basics

AWR168 Cyber Law and White Collar Crime

AWR169 Cyber Incident Analysis and Response

AWR173 Information Security Basics

AWR174 Cyber Ethics

AWR175 Information Security for Everyone

AWR176 Disaster Recovery for Information Systems

AWR177 Information Risk Management

AWR178 Secure Software

ICS-CERT Virtual Training Portal - https://teex.org/Pages/Program.aspx?catID=199

Source: https://teex.org/Pages/default.aspx

15

FEMA will also train you for free
What is available?

Set up a free FEMA Student ID - https://cdp.dhs.gov/FEMASID

FEMA Continuity of Operations Workshop - https://www.fema.gov/continuity-operations-workshops

Incident Command System (ICS) training
Critical Infrastructure Support
National Infrastructure Plan
Protecting Critical Infrastructure Against Insider Threats

Q. Anyone here with a FEMA Training ID?

16

You get millions of dollars of research for free
What is available?

NIST Computer Security Resource Center
SP800-82 ICS Security
Developing a Risk Program
Secure Architecture
ICS Security Controls

ICS-CERT Defense-in-depth recommended practices

17

Start a project

"If you don't start somewhere you're gonna go nowhere." - Bob Marley

Build a risk-based program
Know what you're protecting
Segment in trust boundaries
Develop ICS-relevant policies

Build a 60 second elevator pitch and Always Be Closing

All Control systems are software and all software can be hacked!

Create a business case for an ICS Security Program, prioritize your potential costs, and estimate damage scenarios. How many could be hospitalized? How many could be killed? What is the potential for capital investment loss? What is the potential for an environmental cleanup need?

Know your brushes from your diamonds. If you try to protect your toothbrushes and your diamonds alike, you will lose fewer toothbrushes and more diamonds.

Use a risk-based approach: know what you are protecting, your threats, vulnerabilities, likelihood and impact. Only you can know these things in your context.

18

Industry Activity
Source: https://www.youtube.com/watch?v=OVMwI2TWrZw

Before video: Reflecting on this story will help you understand why SSAB and I both care deeply about protecting industrial control systems. This is a news story from 2014 about another steel company, in Germany. Just to be clear, this is not an SSAB facility.

After Video:

The steel company depicted in this video lost the ability to control their furnaces, and eventually this led to a runaway condition that resulted in the loss of property. In this case it was only property. Industrial controls control physical processes, so the consequences of a breach are often much higher than in traditional IT systems.

Know your stakeholders

Legal Team

Safety Team

ICS Engineers

Procurement Teams

Sr. Management Teams

Human Resources

Inside and Outside Sales

Quality

Research and Development

Q. What other stakeholder groups might we see?

20

Many hands make light work

Don't try to do it all yourself.

Divide work by stakeholder teams.

Ensure stakeholder teams understand their roles.

21

Work top down
Start at the TOP!

Have the top ask their managers for support.

Work with those managers to ask them for support.

Keep pushing to the bottom.

22

Cyber Resilience Review
Self-assessment - simple PDF questionnaire

Built before NIST CSF / Has been

Built on top of the CERT Resilience Management Model (RMM)

Measure your maturity in:
1 Asset Management
2 Controls Management
3 Configuration and Change Management
4 Vulnerability Management
5 Incident Management
6 Service Continuity Management
7 Risk Management
8 External Dependencies Management
9 Training and Awareness
10 Situational Awareness

Source: https://www.us-cert.gov/ccubedvp/assessments

23

ICS-CERT Cyber Security Evaluation Tool - CSET

Source: https://www.youtube.com/watch?v=nvVeeWvw97E&list=PLEFu5pmwnq0pZyEOWgysq4OzI_FIQaXhM&index=3

This slide contains video content with audio

ICS-CERT maintains a little known but powerful tool called the Cybersecurity Evaluation Toolkit. If you are interested in Cybersecurity it is likely you would benefit from CSET.

24

CSET Features
Wizard approach to setting security assurance levels
Flexible standards
Network diagrams
Extensive resource library
Reporting

CSET offers a wizard-based approach to setting security assurance levels, flexible standards, network diagramming tools, an extensive resource library (good for anyone interested in cyber) and custom reporting tools.

25

CSET Features - Analysis

26

The analysis screen provides you with a way to measure your security posture against selected standards and uses charts to provide a visual display of your data, while at the same time allowing comparisons across categories, questions, and subject areas. The analysis screen will also allow you to drill down on specific data from a given chart for more information.

The charts presented are fixed and dependent on your evaluation mode. Selecting the CSF evaluation mode will result in a different set of charts than the question or framework modes.


CSET Features - Assurance Level

27

One of the fundamental decisions you must make when performing an evaluation is to select a Security Assurance level. Sometimes you know based on a standard what level you need to conform to, but others may not have a clue where to start to determine what assurance level is best.

CSET offers several ways to make this decision.

Using CSET to set an assurance level:
Manually set Low, Moderate, High or Very High for each of Confidentiality, Integrity and Availability
Question-based: answer YES or NO questions, using FIPS and NIST standards as guidance
Consequence-based: a series of sliders indicate a number of people or dollars for each category

An assurance level set to low will result in questions later that are less demanding than would result from a moderate, high or very high assurance level.

Cyber Security Evaluation Tool (CSET)
DHS Cyber Security Evaluation Tool

Systematic, Disciplined, Repeatable

Version 8 launches September 13 for download

Supports 35 industry-accepted cybersecurity standards
Supports general environments as well as Chemical, Oil, Gas, Electrical, Nuclear, and other models

Key Questions and Universal Questions: SP800-53, SP800-171, SP800-82

Wizard-based Assurance Level Calculator
Import and export of Visio drawings

Reports in PDF or DOCX: Executive Summary, Site Summary, Detail Report, Security Plan
Source: https://teex.org/Pages/default.aspx

28

Control System Architecture Analysis
Design Architecture Review (DAR)
2 to 3 day review of network architecture

On site by DHS staff (INL)

Meet with Information Technology and Operational Technology teams
Review vendor support
Review cyber security controls

Review asset inventory
ICS network architecture
Review protective and detective controls

Review device configuration
Physical security of critical assets

Source: https://ics-cert.us-cert.gov/Assessments

29

Network Architecture - Zoning

30

See SP800-82. Zones establish a trust boundary, and in the over 200 incidents ICS-CERT handles each year, boundary protection is a key finding. Big flat networks are bad: they expose you. Don't build them.

The following zones segment information architecture into five basic functions:

External Zone is the area of connectivity to the Internet, communication with peer, and remote facilities. It is the point of connectivity that is usually considered untrusted. For industrial control systems, the external zone has the least amount of priority and the highest variety of risks.

Corporate Zone is the area of connectivity for corporate communications. E-mail servers, DNS servers, and IT business system infrastructure components are typical resources in this zone. A wide variety of risks exist in this zone because of the amount of systems and connectivity to the External Zone. However, because of the maturity of the security posture and redundancy of systems, the Corporate Zones precedence can be considered to be at a lower priority than other zones, but much higher than the External Zone.

Manufacturing/Data Zone is the area of connectivity where the vast majority of monitoring and control takes place. It is a critical area for continuity and management of a control network. Operational support and engineering management devices are located in this zone alongside special servers called data historians that log events. The Manufacturing Zone is central in the operation of both the end devices and the business requirements of the Corporate Zone, and the priority of this area is considered to be high. Risks are associated with direct connectivity to the External Zone and the Corporate Zone.

Control Zone is the area of connectivity to devices such as Programmable Logic Controllers (PLCs), HMIs, and basic input/output devices such as actuators and sensors. The priority of this zone is very high as this is the area where the functions of the devices affect the physical end devices. In a modern control network, these devices will have support for TCP/IP and other common protocols.

Safety Zone usually has the highest priority because these devices have the ability to automatically control the safety level of an end device (such as Safety Instrumented Systems). Typically, the risk is lower in this zone as these devices are only connected to the end devices, but recently many of these devices have started to offer TCP/IP connectivity for the purposes of remote monitoring and redundancy support.


Control System Architecture Analysis
Network Architecture Verification and Validation

Review protocol hierarchy, data flows and organization of the network

Review Netflow device-to-device communication

Review traffic attempting to traverse boundaries

Baseline of network traffic

Validates that the network is clean and clear of known threats

Source: https://ics-cert.us-cert.gov/Assessments

Look at functionality and correctness; reliability and usability

You can do a light version of this yourself, but not the analytics. These are performed by running the data through Security Onion and Bro scripts.
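The zone model from the zoning slide and the "traffic attempting to traverse boundaries" review above, as an added example that is not from the presentation: it classifies flow records by zone using a constructed subnet plan and flags flows that skip a zone. The subnets, the flow records (a whitespace-separated subset of Bro/Zeek conn.log fields) and the "adjacent zones only" policy are all assumptions of this example, not statements from SP800-82.

```python
import ipaddress

# SP800-82 zones as listed in the presentation, ordered from least to most
# trusted. The subnets are a constructed addressing plan, not a real site.
ZONES = ["External", "Corporate", "Manufacturing", "Control", "Safety"]
ZONE_SUBNETS = {
    "Corporate": ["10.0.0.0/16"],
    "Manufacturing": ["10.20.0.0/16"],
    "Control": ["192.168.10.0/24"],
    "Safety": ["192.168.99.0/24"],
}
_NETS = {z: [ipaddress.ip_network(n) for n in nets] for z, nets in ZONE_SUBNETS.items()}

# Constructed flow records (subset of Bro/Zeek conn.log fields, whitespace
# separated): ts  orig_h  orig_p  resp_h  resp_p  proto
CONN_LOG = """
1474099200.1  10.0.5.23     50123  10.20.1.10    443  tcp
1474099201.4  10.0.5.23     50124  192.168.10.7  502  tcp
1474099202.0  10.20.1.10    40000  192.168.10.7  502  tcp
1474099203.2  203.0.113.9   4444   192.168.99.3  102  tcp
1474099204.5  192.168.10.7  39000  192.168.99.3  502  tcp
"""


def zone_of(ip):
    """Classify an address; anything outside the plan is treated as External."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in _NETS.items():
        if any(addr in n for n in nets):
            return zone
    return "External"


def check_flow(src, dst):
    """Assumed policy: a flow may cross at most one zone boundary, so traffic
    that skips a zone (e.g. Corporate straight into Control) is a
    boundary-protection finding."""
    s, d = zone_of(src), zone_of(dst)
    gap = abs(ZONES.index(s) - ZONES.index(d))
    if gap <= 1:
        return "allow", "%s -> %s" % (s, d)
    return "deny", "%s -> %s skips %d zone(s)" % (s, d, gap - 1)


def audit(conn_log):
    """Return (orig_h, resp_h, resp_p, reason) for every flow the policy denies."""
    findings = []
    for line in conn_log.strip().splitlines():
        ts, src, sport, dst, dport, proto = line.split()
        verdict, reason = check_flow(src, dst)
        if verdict == "deny":
            findings.append((src, dst, int(dport), reason))
    return findings
```

Run against a real export, the denied list is the set of conversations to take to the boundary-protection review; the two findings in the sample are a corporate workstation talking Modbus (502) straight to a controller and an external address reaching the safety network.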

Infrastructure Visualization Platform

Supports Critical Infrastructure and Emergency Responders

DHS scans the environment and provides you with several copies including viewpoints of Hostile Targets and Civil Response

Helps First responder teams help you during a Cyber Physical Event

Source: https://www.dhs.gov/infrastructure-visualization-platform

33

Open Source Tools

YARA - plusvic.github.io/yara/
YARA rules - ICS-CERT or http://yararules.com/
Wireshark - https://www.wireshark.org/
Moonsols Memory Toolkit - DumpIt - www.moonsols.com
Laura Chappell on YouTube - Introduction to Wireshark Course WTC01 & WTC02
Grass Marlin - https://github.com/iadgov/GRASSMARLIN
Google Dorking
Shodan - shodan.io
Windows built-in tools

34

Windows Built-In Tools

> tasklist /svc - List all services running on a host
> netstat -noa - List all ports with the associated task (process) number

A batch snapshot script; %1 is the output file passed as the first argument:

    REM Host snapshot: appends date, time, user, system, network and task state to the file given as %1
    date /t > %1
    time /t >> %1
    whoami >> %1
    systeminfo >> %1
    ipconfig /all >> %1
    arp -a >> %1
    netstat -b >> %1
    schtasks >> %1
    doskey /h >> %1
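As an added example (not part of the presentation), a Python script that joins the `netstat -noa` and `tasklist /svc` output from the tools above so that each listening port is attributed to the process and service that owns it, then flags listeners missing from a baseline. The sample outputs, the host and the baseline are constructed for this example.

```python
import re

# Constructed sample output of "netstat -noa" from a hypothetical HMI host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:502            0.0.0.0:0              LISTENING       3310
  TCP    10.20.30.5:49672       10.20.1.7:443          ESTABLISHED     1480
  UDP    0.0.0.0:161            *:*                                    2204
"""

# Constructed sample output of "tasklist /svc" from the same host.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    912 RpcEptMapper, RpcSs
snmp.exe                      2204 SNMP
hmi_runtime.exe               3310 N/A
"""

# Assumed baseline of listeners expected on this host class (hypothetical).
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 161)}


def parse_tasklist(text):
    """Map PID -> (image name, services) from tasklist /svc output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.+)$", line)  # header/separator rows have no PID
        if m:
            procs[int(m.group(2))] = (m.group(1).strip(), m.group(3).strip())
    return procs


def listening_ports(netstat_text, tasklist_text):
    """Return {(proto, port): (image, services)} for TCP LISTENING and UDP sockets."""
    procs = parse_tasklist(tasklist_text)
    result = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":  # UDP rows have no State column
            continue
        port = int(local.rsplit(":", 1)[1])  # rsplit also handles [::]:port
        result[(proto, port)] = procs.get(pid, ("<unknown pid %d>" % pid, ""))
    return result


def unexpected_listeners(listening, baseline=BASELINE):
    """Listeners not in the baseline, sorted for stable reporting."""
    return sorted(k for k in listening if k not in baseline)
```

In the sample the only unexpected listener is TCP 502 (Modbus) owned by hmi_runtime.exe, which is exactly the kind of finding to reconcile against the asset inventory.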

35

Technology and Innovation

New products are coming to market from security companies that understand ICS and SCADA protocols. Not just for TCP anymore:

Modbus
Profinet
BACnet
S7
OPC

and more

ICS vendors are catching up
Traditional vendors are branching out.

36

Questions
Eric Andresen - https://www.linkedin.com/in/andresen1206

37

Sample Questions

[Procurement] Are appropriate agreements finalized before access is granted, including for third parties and contractors?

[Code Protection] Are malicious code protection mechanisms used at system entry and exit points and at workstations, servers, or mobile computing devices?

[Media Control] Is the capability for automatic execution of code on removable media disabled?

[Physical Security] Is entry to the facility controlled by physical access devices and/or guards?

[Awareness Training] Is basic security awareness training provided to all system users before authorizing access?

38