Fundamentals of Industrial Control Risks, Vulnerabilities...
Transcript of Fundamentals of Industrial Control Risks, Vulnerabilities...
![Page 1: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/1.jpg)
Keeping the Lights On
Fundamentals of Industrial Control Risks, Vulnerabilities, Mitigating Controls, and Regulatory Compliance
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 2: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/2.jpg)
Learning Goals
o Understanding definition of industrial controls
o Understanding differences between traditional IT networks vs. industrial control networks
o Understanding risks and mitigating controls associated with industrial controls
o Understanding regulatory compliance and service resilience
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 3: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/3.jpg)
What is Industrial Control?
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 4: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/4.jpg)
Industrial Control Defined
o A system that controls a process
o Industrial Control System – traditionally a general term defining several types of control systems used in industrial production o Distributed Control System (DCS)
o Supervisory Control and Data Acquisition System (SCADA)
o Remote Terminal Units (RTU)
o Programmable Logic Controllers (PLC)
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 5: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/5.jpg)
Why learn about this topic?
o Industrial controls are pervasive!
o Utilities
o Factories
o Automobiles
o Military
o Data Centers
o Appliances
o Industrial controls are being networked like traditional IT networks.
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 6: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/6.jpg)
Industrial Controls that might Surprise You o Environmental controls in your data center
o Missiles launched by the military
o Assembly line controller in a factory
o SCADA systems at utilities
o Gasoline pumps at a convenience store
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 7: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/7.jpg)
T-shirt Question
Can you name an industrial control or application I have not already mentioned?
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 8: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/8.jpg)
National Critical Infrastructures
© Copyright 2014 Netsecuris Inc. All rights reserved
o Chemical
o Commercial Facilities
o Communications
o Critical Manufacturing
o Dams
o Defense Industrial Base
o Emergency Services
o Energy
o Financial Services
o Food and Agriculture
o Government Facilities
o Healthcare and Public Health
o Information Technology
o Nuclear Reactors, Materials, and Waste
o Transportation Systems
o Water and Wastewater Systems
![Page 9: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/9.jpg)
Get Involved
o Join a Cyber Security or Physical Security Working Group in your Sector. o https://www.dhs.gov/critical-infrastructure-sectors
o Join an Information Sharing Analysis Center (ISAC) in your industry. o http://www.isaccouncil.org/memberisacs.html
o http://itlaw.wikia.com/wiki/Information_Sharing_and_Analysis_Center
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 10: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/10.jpg)
What’s important in the industrial space
© Copyright 2014 Netsecuris Inc. All rights reserved
o Life Safety is foremost.
o Reliability is a close second.
o Integrity and Availability is primary.
o Confidentiality is secondary or not important at all.
![Page 11: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/11.jpg)
What can happen
o Cyber Security failures have the potential to cause physical consequences.
o Cyber Security issues can arise out of supply chain relationships.
o Human decisions can cause devastating consequences.
o Productivity can be affected.
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 12: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/12.jpg)
Cyber Security Implication – Physical Consequences o Electric Power Blackouts
o September 2007 cyber attack in Brazil
o 2003 Northeast blackout
o 1999 Southern Brazil blackout
o 1965 Northeast blackout
o 1979 Three Mile Island Nuclear Plant Accident
o 2000 Maroochy Shire cyber event
o 2007 Aurora Generator Test
o 2009 Stuxnet
o 2010 San Bruno natural gas pipeline explosion
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 13: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/13.jpg)
Look what happens when …
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 14: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/14.jpg)
Supply Chain Cybersecurity
© Copyright 2014 Netsecuris Inc. All rights reserved
o Google’s headquarters in Sydney, Australia was breached due to building management vendor.
o Researchers discovered that they could breach the circuit breakers of a Sochi Olympic arena through their HVAC supplier.
o Watering hole attack on a major oil company’s network
o Major retailer breach due to relationship with HVAC vendor.
![Page 15: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/15.jpg)
What makes an Industrial Control System fragile? o COTS
o Microsoft Windows
o Use of specialized communications protocols o Modbus
o DNP3 (Distributed Network Protocol)
o OPC (Open Platform Communications formerly known as OLE for Process Control)
o Manufacturers deviating from RFC
o Poor software design
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 16: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/16.jpg)
Survey of Specialized Communications Protocols
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 17: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/17.jpg)
Modbus
© Copyright 2014 Netsecuris Inc. All rights reserved
o Open protocol standard
o Moves raw bits or words without placing many restrictions on vendors.
o TCP/IP packet may look perfectly normal but the Modbus frame could crafted to carry malicious code.
![Page 18: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/18.jpg)
DNP3
© Copyright 2014 Netsecuris Inc. All rights reserved
o An Open Standard
o Designed to be reliable but not secure.
o Header may look perfectly normal but the data payload could crafted to carry malicious code.
o No authentication mechanism in basic DNP3. o Secure DNP3
![Page 19: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/19.jpg)
OPC
© Copyright 2014 Netsecuris Inc. All rights reserved
o Based on the OLE, COM, and DCOM technologies developed by Microsoft.
o Any vulnerabilities in these technologies is carried into this protocol.
o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports.
o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors.
o OPC is complicated to setup so some vendors leave exposures in their products.
![Page 20: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/20.jpg)
IT Cyber Security vs. OT Cyber Security
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 21: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/21.jpg)
IT Cyber Security vs. OT Cyber Security - Performance Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
![Page 22: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/22.jpg)
IT Cyber Security vs. OT Cyber Security - Availability Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
![Page 23: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/23.jpg)
IT Cyber Security vs. OT Cyber Security - Risk Management Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
![Page 24: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/24.jpg)
IT Cyber Security vs. OT Cyber Security - Change Management Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
![Page 25: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/25.jpg)
IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
![Page 26: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/26.jpg)
Regulatory Compliance Survey
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 27: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/27.jpg)
Regulatory Compliance - Electric
© Copyright 2014 Netsecuris Inc. All rights reserved
o North American Electric Reliability Corporation (NERC)
o Transmission and Generation
o Critical Infrastructure Protection (CIP) v3 o Requirements CIP-002 to CIP-009
o CIP-003 Security Management Controls
o CIP-005 Electronic Security Perimeter(s)
o CIP-007 Systems Security Management
o CIP v5 is approved and is in effect April 2016 for all High and Medium Assets and April 2017 for Low Assets.
![Page 28: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/28.jpg)
Regulatory Compliance – Oil and Natural Gas o US Department of Transportation in conjunction
with US Department of Homeland Security’s Transportation Security Administration (TSA) o TSA wrote the “Pipeline Security Guidelines” and
published in April 2011. o Section 7 Cyber Asset Security Measures
o Baseline Cyber Security Measures
o Enhanced Cyber Security Measures
o TSA performs audits and reports results to US DOT.
o US DOT enforces regulation and levies fines.
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 29: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/29.jpg)
Regulatory Compliance - Dams
o Federal Energy Regulatory Commission (FERC) has jurisdictional authority, granted by Congress, over non-public hydroelectric dams and facilities. o Provides cyber security guidelines
o Cannot levy fines but can stop a company from selling electricity produced by the hydroelectric facility
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 30: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/30.jpg)
Regulatory Compliance - Chemical o US Department of Homeland Security developed and
released the Chemical Facility Anti-Terrorism Standards in 2007.
o Risk-Based Performance Standards (RBPS) o RBPS8 covers cyber security requirements.
o RBPS address to primary risks.
o Sabotage
o Diversion
o Heavy fines o Divulging information about a CFATS tiered facility
o Divulging information about Security Plans and Procedures
o Not meeting RBPS requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 31: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/31.jpg)
Avoid Cyber Security Misconceptions
o Avoid the Air Gap Myth
o “We have a firewall!”
o “We’re just a small company, we’re not a target”
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 32: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/32.jpg)
Shodan
oAn industrial control system and network search engine
ohttp://www.shodanhq.com/
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 33: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/33.jpg)
Shodan
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 34: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/34.jpg)
Netsecuris
o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.
o Contact Information o Leonard Jacobs, MBA, CISSP
o President/CEO
o 952-641-1421
© Copyright 2014 Netsecuris Inc. All rights reserved
![Page 35: Fundamentals of Industrial Control Risks, Vulnerabilities ...secure360.org/wp-content/uploads/2014/06/Keeping... · with US Department of Homeland Security’s Transportation Security](https://reader033.fdocuments.net/reader033/viewer/2022060703/606facc70bcf5973211c5cc4/html5/thumbnails/35.jpg)
Questions and Answers
Thank you
© Copyright 2014 Netsecuris Inc. All rights reserved