The journey to ICS

Upload: larry-vandenaweele

Post on 18-Aug-2015

Disclaimer

I am employed in the Infosec industry but not authorised to speak on behalf of my employer or clients. Everything I say is from a personal point of view.

About me

@lvandenaweele - Security consultant at PwC Belgium
- +5 years information security
- +2 years within Industrial Security
- Travel, food, beer

..not an expert yet, but eager to learn.

Special thanks to @chrissistrunk - Proving Ground Mentor

About this talk..

- Where can you find Operational Technology
- And much more..

What are the risks?

- Human Safety
- Environmental effects
- Material damage
- High Impact events
- Etc

OT Clichés

- Built to last for decades
- Uses specific means of communication
- Availability is key, above security
- At some point, human interaction (e.g. operators watching the grid)

Operational Technology [OT]

(diagram: Operational Technology comprises Industrial Control Systems [ICS], the Network, and Other components (apps, systems))

Some Vocabulary

- PCS - Process Control System
- BMS - Building Management System
- EMS - Energy Management System
- DMS - Distribution Management System
- DCS - Distributed Control System
- SCADA - Supervisory Control and Data Acquisition
- PLC - Programmable Logic Controller
- MTU - Master Terminal Unit
- HMI - Human Machine Interface
- WAN – Wide Area Network
- LAN – Local Area Network
- MAN – Metropolitan Area Network
- FAN – Field Area Network
- PAN – Personal Area Network

Some Vocabulary

(diagram: Industrial Control Systems, DCS vs SCADA)

IT vs OT

                         IT Systems                      OT Systems
Data Confidentiality     Low - High                      Low - Moderate
Data Integrity           Low - Moderate                  Very High
Availability             Low - Moderate                  Very High (99.9999% uptime common)
Time Criticality         Delays tolerated                Critical
Patching                 Frequent                        Infrequent to nearly impossible
System Life Cycle        3 - 5 years                     10 - 30+ years
Security Standards       ISO 27002, COBIT, NIST, etc.    IEC 62443, CIP, NEI, IEEE 1686, etc.
Operating Systems        COTS                            COTS, RTOS, Embedded OS (Firmware)
Interoperability         Not critical                    Critical (security often not considered)
Communication Protocols  TCP/IP primarily                HART, DNP3, Modbus/Fieldbus, ICCP, TCP/IP, etc.
Communication Topology   LAN/WAN, Telco, etc.            LAN/WAN, Telco, Satellite, Serial, MWave (microwave), etc.

What’s all inside?

Zones, from the top down: Business Zone, DMZ, Operations Zone, Process Control Zone, Safety Zone, each separated from the next by an Enforcement Zone.

Enforcement Zone
- Industrial Switch, Industrial Firewall, Data Diode, ICS Aware Routers

Safety Zone
- Safety Valve, Safety PLC, Safety Gear

Process Control Zone
- Level 0 – Process Control Network: Sensors, Motors, Actuators, Instrumentation, Valves, IED (Intelligent Electronic Device)
- Level 1 – Control Devices: PLC (Programmable Logic Controller), RTU (Remote Terminal Unit), Dedicated Control, Control Processes, Dedicated Operator Workstation
- Level 2 – Supervisory Control LAN: Data Historians, Engineering Workstations, Communication front ends, Control Room, HMI Panel

Operations Zone
- Level 3 – Operations Support: Simulation & modeling systems, Operations Analysis Systems, Engineering workstation, Test systems

DMZ
- Jump host environment, Patch Management, AV Server, Application Server, Site directory replicas, Local file servers, Site specific Remote Access

Business Zone
- Level 4 – Plant Network
- Level 5 – Enterprise Business Network: Corporate internet, e-mail, public websites, etc.

Source: https://isc.sans.edu/diaryimages/images/purdue.png

Network Architecture: Protocols

Raw Data Protocols
- HART / Modbus
- Reads data (measurements)
- Sends commands (start pumps)
- Clear text
- No authentication

High Level Data Protocols
- OPC / ICCP / MMS
- Sending data and commands between databases/applications
- Creates human readable information
- Likely to act as a bridge between corporate and control networks

Network Architecture: Protocols - Modbus TCP

- 502/TCP
- Open protocol
- Master/Slave
- Simple request/response protocol
- Function codes
- No Security
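The bullets above are easier to believe once the frame is written out. The following Python is an added example, not code from the original slides or from any vendor: it builds the two operations the previous slide mentions (reading measurements, starting a pump) and parses frames of the kind you capture off the wire. Everything in it is constructed for illustration: the sample response and exception bytes are hand-made, the unit id and register addresses are arbitrary, and the set of state-changing function codes is used as a hypothetical monitoring rule rather than anything the talk prescribes.

```python
import struct

MODBUS_TCP_PORT = 502
PROTOCOL_ID = 0                 # always 0 on Modbus/TCP; anything else is not Modbus
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
# Function codes that change process state (write coil/register, single or multiple).
# Hypothetical monitoring rule: alert when these come from anything but the SCADA master.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}


def build_frame(transaction_id, unit_id, pdu):
    """Prepend the 7-byte MBAP header: transaction id, protocol id, length, unit id.
    Note what is NOT here: no session, no credential, no integrity check.
    The length field counts the unit id byte plus the PDU."""
    return struct.pack(">HHHB", transaction_id, PROTOCOL_ID, 1 + len(pdu), unit_id) + pdu


def read_holding_registers_request(tid, unit_id, start_addr, quantity):
    """FC 03: read `quantity` 16-bit registers starting at `start_addr` (a measurement poll)."""
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_addr, quantity)
    return build_frame(tid, unit_id, pdu)


def write_single_coil_request(tid, unit_id, coil_addr, on):
    """FC 05: force one coil ON (0xFF00) or OFF (0x0000), e.g. a pump start."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil_addr, 0xFF00 if on else 0x0000)
    return build_frame(tid, unit_id, pdu)


def parse_frame(frame):
    """Decode one Modbus/TCP frame (request or response) into a dict.
    Raises ValueError on a malformed header so a monitor can flag it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != PROTOCOL_ID:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    out = {"transaction_id": tid, "unit_id": uid, "function_code": fc & 0x7F,
           "exception": None, "writes_state": (fc & 0x7F) in WRITE_FUNCTION_CODES}
    if fc & 0x80:                       # exception response: original FC with high bit set
        out["exception"] = pdu[1]
        return out
    if fc == FC_READ_HOLDING_REGISTERS:
        if len(pdu) == 5:               # request PDU is always 5 bytes: fc + addr + qty
            out["start_addr"], out["quantity"] = struct.unpack(">HH", pdu[1:5])
        else:                           # response PDU: fc + byte count + 2 bytes per register
            count = pdu[1]
            out["registers"] = list(struct.unpack(f">{count // 2}H", pdu[2:2 + count]))
    elif fc == FC_WRITE_SINGLE_COIL:    # the response simply echoes the request
        addr, value = struct.unpack(">HH", pdu[1:5])
        out["coil_addr"], out["on"] = addr, value == 0xFF00
    else:
        out["data"] = pdu[1:]
    return out


# Constructed sample frames (hand-made for this example, not captured from a device).
SAMPLE_RESPONSE = bytes.fromhex("0001 0000 0007 01 03 04 0102 0304")   # FC 03, two registers
SAMPLE_EXCEPTION = bytes.fromhex("0003 0000 0003 01 83 02")            # FC 03 failed: illegal data address

if __name__ == "__main__":
    print(read_holding_registers_request(1, 1, 0, 2).hex())
    print(write_single_coil_request(2, 1, 0x0010, on=True).hex())
    print(parse_frame(SAMPLE_RESPONSE))
    print(parse_frame(SAMPLE_EXCEPTION))
```

The twelve bytes returned by `write_single_coil_request` are all a client needs to send to 502/TCP of any reachable slave; there is no field in which an identity or a signature could even be carried, which is why the zoning and conduit controls later in the talk are the only real defence. The `writes_state` flag is the hook for monitoring: run `parse_frame` over captured Level 1/2 traffic and alert on write function codes whose source is not the SCADA master.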

Network Architecture: Protocols - OPC

- Object Linking and Embedding for Process Control
- First released in 1996
- 4840/TCP (that is the OPC UA port; classic OPC runs over DCOM, i.e. 135/TCP plus dynamically assigned ports, which is what makes it hard to firewall)
- Open Standard
- Acts as a bridge between different applications
- Often the link between corporate and control network

Attack Landscape

(map of Internet-reachable ICS devices; source: https://ics-radar.shodan.io)

Attack Landscape: Types of Attacks

- Denial of Service (DoS)
- Insecure Protocols
- Hardcoded Credentials
- Database Attacks
- Man-in-the-Middle Attacks
- Physical Attacks
- Rogue Modems
- Etc

Common Weaknesses

- Unpatched systems

Common Weaknesses

- Approved patches (the slide shows a publicly available list, from a vendor website, of the patches that vendor has approved for its product; it opens with the vendor's proprietary-information and no-warranty notice, vendor name redacted)

Common Weaknesses

- Poor authentication/authorisation
- Ineffective physical security
- Rogue Access Points
- Unnecessary software
- Limited use of host anti-virus
- Little or no cyber security monitoring
- Requirement for 3rd party access
- Poor Audit and Logging
- Legacy equipment
- Unmanned field sites
- Harsh environments
- Etc

Assessing Control Systems

- Preferably in test environment or during FAT/SAT (Things will break!)
- Know your toolbox
- Capture traffic across different levels
- Close communication with control center

So how can we protect ourselves?

Industrial Control Systems

System Security

- Hardening

- Identity & Access Management

- Patch Management

- Malware detection & prevention

Network Security

- Security zoning & DMZs

- Firewalls & IPS

- VPN Access

Plant Security

- Physical Security

- Policies & procedures

- BCM & DRP
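"Security zoning & DMZs" and "Firewalls" stop being slogans once the rules are written down and checked against the rule base. The Python below is an added example, not code from the talk or from any product: it encodes the Purdue levels of the earlier figure, a hypothetical approved-conduit list with illustrative ports, and a default-deny evaluator that flags flows skipping the DMZ, reaching control devices from too high up, or carrying Modbus/TCP outside Levels 0-2. The zone names, ports and sample flows are all constructed for the example.

```python
from dataclasses import dataclass

# Purdue levels as drawn in the talk's figure. Numeric ranks let us say
# "above" and "below"; the DMZ sits between the plant side (L0-L3) and the
# business side (L4-L5) and is the only place their traffic may terminate.
RANK = {"L0": 0, "L1": 1, "L2": 2, "L3": 3, "DMZ": 3.5, "L4": 4, "L5": 5}
CONTROL_DEVICE_ZONES = {"L0", "L1"}
MODBUS_TCP_PORT = 502


@dataclass(frozen=True)
class Flow:
    src: str            # zone of the host that opens the connection
    dst: str            # zone of the host that listens
    port: int           # destination port
    proto: str = "tcp"


# Approved conduits. Hypothetical site policy written for this example;
# the ports are illustrative, not a vendor recommendation.
APPROVED = {
    Flow("L2", "DMZ", 1433),            # site historian replicates into the DMZ copy
    Flow("L4", "DMZ", 1433),            # business users query the copy, never the live historian
    Flow("L4", "DMZ", 3389),            # remote access lands on the DMZ jump host only
    Flow("DMZ", "L3", 3389),            # jump host continues into operations support
    Flow("DMZ", "L3", 8530),            # patch distribution from the DMZ patch server
    Flow("L2", "L1", MODBUS_TCP_PORT),  # SCADA master polls and commands the PLCs
}


def evaluate(flow):
    """Return ("allow" | "deny", reason) for one flow, most specific rule first."""
    s, d = RANK[flow.src], RANK[flow.dst]
    on_business_side = lambda r: r >= RANK["L4"]
    on_plant_side = lambda r: r <= RANK["L3"]

    # Rule 1: nothing crosses between business and plant without terminating in the DMZ.
    if (on_business_side(s) and on_plant_side(d)) or (on_plant_side(s) and on_business_side(d)):
        return "deny", "crosses business/plant boundary without terminating in DMZ"
    # Rule 2: control devices are reachable only from the supervisory LAN or below.
    if flow.dst in CONTROL_DEVICE_ZONES and s > RANK["L2"]:
        return "deny", "control devices reachable only from Level 2 or below"
    # Rule 3: raw, unauthenticated fieldbus traffic never leaves Levels 0-2.
    if flow.port == MODBUS_TCP_PORT and (s > RANK["L2"] or d > RANK["L2"]):
        return "deny", "Modbus/TCP confined to Levels 0-2"
    # Rule 4: default deny; everything else must be an explicitly approved conduit.
    if flow in APPROVED:
        return "allow", "approved conduit"
    return "deny", "not an approved conduit (default deny)"


def audit(flows):
    """Evaluate a batch of flows (e.g. a firewall rule export) and return the denied ones."""
    findings = []
    for flow in flows:
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings


# Constructed sample flows, the kind of list you would pull from a rule base.
SAMPLE_FLOWS = [
    Flow("L4", "DMZ", 3389),   # allow
    Flow("DMZ", "L3", 3389),   # allow
    Flow("L4", "L2", 1433),    # deny: business user straight at the live historian
    Flow("L5", "L1", 502),     # deny: enterprise host speaking Modbus to a PLC
    Flow("L3", "L1", 502),     # deny: engineering workstation bypassing the SCADA master
    Flow("L2", "L1", 502),     # allow
    Flow("L2", "L3", 8080),    # deny: nobody approved this conduit
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}  ({reason})")
```

The ordering of the rules matters: the structural rules (boundary, control-device reachability, protocol confinement) run before the allow list, so a badly written "approved" entry cannot punch a hole straight from Level 5 to a PLC. Feed it the flows you actually observe on the enforcement-zone firewalls and the findings list is a to-do list for the "Network Architecture changes" step later in the talk.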

But first.. build a team

Operations, Security, Maintenance and IT have to work together to have a good SCADA security team.

Insight on current situation

- Create an Inventory

- Determine and verify current security levels

- Policies and Procedures

- Regulatory compliance

- Create awareness

- Talk to people

One step at a time

- Network Architecture changes

- Monitoring

- Authentication

- Responsibilities

- Compliance

Common pitfalls

- Compliance vs effectiveness

- Non-flexible approach

- Throwing money at the problem

- Lack of communication

Standards

- NERC CIP

- IEC 62443 (ISA99)

- IEEE 1686

- NIST SP800-82 rev 2

- Etc [link]

Questions