The Journey to ICS - Extended
Disclaimer
I am employed in the Infosec industry but not authorised to speak on behalf of my employer or clients. Everything I say is from a personal point of view.
About me
@lvandenaweele
- Security consultant at PwC Belgium
- +5 years information security
- +2 years within Industrial Security
- Travel, food, beer
..not an expert yet, but eager to learn.
What are the risks?
- Human Safety
- Environmental effects
- Material damage
- High Impact events
- Etc
OT Clichés
- Built to last for decades
- Uses specific means of communication
- Availability is key, above security
- At some point, human interaction (e.g. operators watching the grid)
Operational Technology [OT]
(Diagram: Operational Technology encompasses Industrial Control Systems [ICS], the network, and other components such as apps and systems.)
Some Vocabulary
- PCS - Process Control System
- BMS - Building Management System
- EMS - Energy Management System
- DMS - Distribution Management System
- DCS - Distributed Control System
- SCADA - Supervisory Control and Data Acquisition
- PLC - Programmable Logic Controller
- MTU - Master Terminal Unit
- HMI - Human Machine Interface
- WAN - Wide Area Network
- LAN - Local Area Network
- MAN - Metropolitan Area Network
- FAN - Field Area Network
- PAN - Personal Area Network
IT vs OT

Attribute                 IT Systems                        OT Systems
Data Confidentiality      Low - High                        Low - Moderate
Data Integrity            Low - Moderate                    Very High
Availability              Low - Moderate                    Very High (99.9999% uptime common)
Time Criticality          Delays tolerated                  Critical
Patching                  Frequent                          Infrequent to nearly impossible
System Life Cycle         3 - 5 years                       10 - 30+ years
Security Standards        ISO 27002, COBIT, NIST, etc.      IEC 62443, CIP, NEI, IEEE 1686, etc.
Operating Systems         COTS                              COTS, RTOS, Embedded OS (Firmware)
Interoperability          Not critical                      Critical (security often not considered)
Communication Protocols   TCP/IP primarily                  HART, DNP3, Mod/FieldBus, ICCP, TCP/IP, etc.
Communication Topology    LAN/WAN, Telco, etc.              LAN/WAN, Telco, Satellite, Serial, MWave, etc.
Network Architecture - Zones and Levels
(Diagram: the Purdue reference model, built up one level per slide; the zones, levels and components shown are listed below.)

Process Control Zone
Level 0 - Process Control Network
- Sensors, motors, actuators, instrumentation
- Valves
- IED - Intelligent Electronic Device
Level 1 - Control Devices
- PLC - Programmable Logic Controller
- RTU - Remote Terminal Unit
- Dedicated control / operator workstation
- Control processes
Level 2 - Supervisory Control LAN
- Data historians
- Engineering workstations
- Communication front ends
- Control room
- HMI panel

Operations Zone
Level 3 - Operations Support
- Simulation & modeling systems
- Operations analysis systems
- Engineering workstation
- Test systems

Enforcement zone (between the Operations Zone and the DMZ)

DMZ
- Jump host environment
- Patch management
- AV server, application server
- Site directory replicas
- Local file servers
- Site specific remote access

Enforcement zone (between the DMZ and the Business Zone)

Business Zone
Level 4 - Plant Network
Level 5 - Enterprise Business Network
- Corporate internet, e-mail, public websites, etc.
Source: https://isc.sans.edu/diaryimages/images/purdue.png
Network Architecture - The mystery of air gaps
What you think is in place (diagram; source: ISBN-13: 978-1597496452)
But actually.. (diagram; source: ISBN-13: 978-1597496452)
Network Architecture - Protocols
Raw Data Protocols
- HART / Modbus
- Reads data (measurements)
- Sends commands (start pumps)
- Clear text
- No authentication
High Level Data Protocols
- OPC / ICCP / MMS
- Sends data and commands between databases/applications
- Creates human readable information
- Likely to act as a bridge between corporate and control networks
Network Architecture - Protocols - Modbus TCP
- 502/TCP
- Open protocol
- Master/Slave
- Simple request/response protocol
- Function codes
- No security
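To make the "function codes" and "no security" bullets concrete, the following is an added example (not code from the slides): a decoder for the Modbus/TCP framing (7-byte MBAP header followed by the PDU) plus the only plausibility check the protocol leaves a monitor, namely who sent the request and whether its function code writes. The expected-master addresses and the sample traffic are constructed assumptions for the example.

```python
"""Modbus/TCP request decoder with a defender-side plausibility check.

Added example, not code from the slides. The MBAP header and PDU carry a
function code and data but no authentication field, so any host that can
reach 502/TCP can issue a write; a monitor can only judge a request by the
sender and the function code. Master list and traffic are constructed.
"""
import struct

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}

# Assumption for the example: only the SCADA server and the HMI act as masters.
EXPECTED_MASTERS = {"10.10.2.10", "10.10.2.11"}


def build_request(transaction_id, unit_id, function_code, address, value):
    """Build a Modbus/TCP request for function codes 1-6 (address + value/quantity).

    MBAP header: transaction id, protocol id (0 = Modbus), length of the
    bytes that follow the length field (unit id + PDU), unit id.
    """
    pdu = struct.pack(">BHH", function_code, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def decode_request(frame):
    """Parse a Modbus/TCP request; raise ValueError if the frame is malformed."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header + minimal PDU")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    if function_code not in FUNCTION_NAMES:
        raise ValueError(f"unsupported function code {function_code}")
    # Every supported PDU starts with a 16-bit address and a 16-bit value/quantity.
    address, value = struct.unpack(">HH", frame[8:12])
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "function": FUNCTION_NAMES[function_code],
        "address": address,
        "value": value,
        "is_write": function_code in WRITE_CODES,
    }


def is_valid_frame(frame):
    """True if decode_request accepts the frame, False otherwise."""
    try:
        decode_request(frame)
        return True
    except ValueError:
        return False


def assess(src_ip, frame):
    """Return (verdict, decoded) for one request seen on the wire.

    A write from a host that is not an expected master is the case to alert
    on; a read from an unexpected host is still worth a warning.
    """
    decoded = decode_request(frame)
    if src_ip not in EXPECTED_MASTERS:
        verdict = "ALERT" if decoded["is_write"] else "WARN"
    else:
        verdict = "OK"
    return verdict, decoded


# Constructed sample traffic (source IP, raw frame) as a monitor would see it.
SAMPLE_TRAFFIC = [
    ("10.10.2.10", build_request(1, 1, 3, 0, 10)),      # SCADA poll of 10 registers
    ("10.10.2.11", build_request(2, 1, 5, 4, 0xFF00)),  # HMI switches coil 4 on
    ("10.10.5.23", build_request(3, 1, 4, 0, 2)),       # unknown host reading inputs
    ("10.10.5.23", build_request(4, 1, 6, 16, 1)),      # unknown host writing a register
]


def run_sample():
    """Assess the constructed traffic and return the list of verdicts."""
    return [assess(src, frame)[0] for src, frame in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (src, frame), verdict in zip(SAMPLE_TRAFFIC, run_sample()):
        d = decode_request(frame)
        print(f"{verdict:5} {src:12} fc={d['function_code']:2} {d['function']} addr={d['address']}")
```

Run it directly to see the four verdicts. The point of the check is what it cannot do: nothing in the frame proves the sender's identity, so an allow-list of masters enforced at the network boundary (and the zoning discussed later in the deck) is what stands between a reachable 502/TCP port and a changed register.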
Network Architecture - Protocols - OPC
- Object Linking and Embedding for Process Control
- First released in 1996
- 4840/TCP
- Open standard
- Acts as a bridge between different applications
- Often the link between corporate and control network
Attack Landscape - Types of Attacks
- Denial of Service (DoS)
- Insecure Protocols
- Hardcoded Credentials
- Database Attacks
- Man-in-the-Middle Attacks
- Physical Attacks
- Rogue Modems
- Etc
Common Weaknesses
- Approved patches
  (Legal notice reproduced from a vendor's patch list; vendor name redacted.)
  "This document contains <<REDACTED>> proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be reproduced, published, or disclosed to a third party without the express permission of <<REDACTED>>.
  <<REDACTED>> DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PURPOSE AND MAKES NO EXPRESS WARRANTIES EXCEPT AS MAY BE STATED IN ITS WRITTEN AGREEMENT WITH AND FOR ITS CUSTOMER.
  In no event is <<REDACTED>> liable to anyone for any direct, special, or consequential damages. The information and specification in this document are subject to change without notice."
  (source: Publicly available patch list on vendor website)
Common Weaknesses
- Limited use of host anti-virus
- Poor authentication/authorisation
- Little or no cyber security monitoring
- Requirement for 3rd party access
- Poor Audit and Logging
- Legacy equipment
- Unmanned field sites
- Harsh environments
- Etc
Assessing Control Systems
- Preferably in a test environment or during FAT/SAT (Things will break!)
- Know your toolbox
- Capture traffic across different levels
- Close communication with control center
So how can we protect ourselves?
Industrial Control Systems (diagram: three pillars)
System Security
- Hardening
- Identity & Access Management
- Patch Management
- Malware detection & prevention
Network Security
- Security zoning & DMZs
- Firewalls & IPS
- VPN Access
Plant Security
- Physical Security
- Policies & procedures
- BCM & DRP
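The "Security zoning & DMZs" bullet above and the Purdue zones shown earlier in the deck can be turned into a check a defender can run over firewall or flow exports. The following is an added example, not code from the slides: each constructed subnet is mapped to a Purdue level and zone, a flow may stay inside its zone or cross exactly one enforcement boundary into the neighbouring zone, and anything else (for instance a plant-network host talking straight to a PLC) is reported as a violation. The addressing plan, zone assignments and sample flows are constructed assumptions.

```python
"""Purdue-model zone policy check over flow records.

Added example, not from the slides. Flows may stay inside their zone or
cross one enforcement boundary into the neighbouring zone, so traffic
between the Business Zone and the control levels has to pass through the
DMZ (jump hosts, patch and AV servers). Subnets, zones and flows are
constructed for the example.
"""
import ipaddress

# Assumed site addressing: subnet -> (Purdue level, zone).
SUBNETS = {
    "10.10.0.0/24": (0, "Process Control Zone"),   # sensors, actuators, IEDs
    "10.10.1.0/24": (1, "Process Control Zone"),   # PLCs, RTUs
    "10.10.2.0/24": (2, "Process Control Zone"),   # SCADA, HMI, historian
    "10.10.3.0/24": (3, "Operations Zone"),        # engineering and test systems
    "10.10.9.0/24": ("DMZ", "DMZ"),                # jump hosts, patch and AV servers
    "10.20.0.0/16": (4, "Business Zone"),          # plant network
    "10.30.0.0/16": (5, "Business Zone"),          # enterprise business network
}

# Zones in order; each adjacent pair is separated by one enforcement zone.
ZONE_ORDER = ["Process Control Zone", "Operations Zone", "DMZ", "Business Zone"]


def locate(ip):
    """Return (level, zone) for an address, or raise KeyError if it is unmapped."""
    addr = ipaddress.ip_address(ip)
    for cidr, placement in SUBNETS.items():
        if addr in ipaddress.ip_network(cidr):
            return placement
    raise KeyError(f"{ip} is not in any known subnet")


def check_flow(src_ip, dst_ip):
    """Return (allowed, reason) for a flow according to the zone policy."""
    src_level, src_zone = locate(src_ip)
    dst_level, dst_zone = locate(dst_ip)
    hops = abs(ZONE_ORDER.index(src_zone) - ZONE_ORDER.index(dst_zone))
    if hops == 0:
        return True, f"within {src_zone}"
    if hops == 1:
        return True, f"{src_zone} -> {dst_zone} across one enforcement zone"
    return False, (f"{src_zone} (level {src_level}) -> {dst_zone} (level {dst_level}) "
                   f"crosses {hops} enforcement zones without mediation")


def audit(flows):
    """Return the flows that violate the policy, each with its reason."""
    violations = []
    for src_ip, dst_ip, dst_port in flows:
        allowed, reason = check_flow(src_ip, dst_ip)
        if not allowed:
            violations.append((src_ip, dst_ip, dst_port, reason))
    return violations


# Constructed flow records (src, dst, dst port) as a firewall would export them.
SAMPLE_FLOWS = [
    ("10.10.2.10", "10.10.1.5", 502),    # SCADA polling a PLC
    ("10.10.3.7", "10.10.2.20", 1433),   # engineering workstation to historian DB
    ("10.10.9.4", "10.10.3.7", 3389),    # jump host to engineering workstation
    ("10.20.5.8", "10.10.9.4", 3389),    # plant user to jump host
    ("10.20.5.8", "10.10.1.5", 502),     # plant user straight to a PLC
    ("10.30.1.1", "10.10.2.20", 445),    # enterprise host to historian
    ("10.10.1.5", "10.30.1.1", 443),     # PLC network reaching the enterprise
]

if __name__ == "__main__":
    for src, dst, port, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}:{port}  {reason}")
```

The three violations it reports are exactly the "air gap" the earlier slides call a mystery: paths that exist in practice but that the zoning says should only be possible through the DMZ. Feeding real flow exports into `audit` is one cheap way to verify the current security level before changing the architecture.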
But first.. build a team
Operations, Security, Maintenance and IT have to work together to have a good SCADA security team.
Insight on current situation
- Create an Inventory
- Determine and verify current security levels
- Policies and Procedures
- Regulatory compliance
- Create awareness
- Talk to people
One step at a time
- Network Architecture changes
- Monitoring
- Authentication
- Responsibilities
- Compliance
Common pitfalls
- Compliance vs effectiveness
- Non-flexible approach
- Throwing money at the problem
- Lack of communication
Standards
- NERC CIP
- IEC 62443 (ISA99)
- IEEE 1686
- NIST SP800-82 rev 2
- Etc [link]