Securing control systems v0.4

Securing Control Systems

An introduction to security techniques for use in Control System Networks

Introduction

Crispin Harris

Security [email protected]

10th May, 2010

Overview

Part 1 - Understanding

What is a Control System?

Why they are different?

Key attributes

Understanding the risks

Part 2 - Protection

Design & Network

Hosts & Operating Systems

Applications & Vendors

Vulnerability Management

Part 3 - Governance

Policy & Process

(Penetration) Testing

Vendor Relationships

Information/Software stores

Part 4 - Summary

Review & summary

Web Resources

Aus Gov Resources

US Gov Resources

Learning Objectives

Be able to identify:

Key attributes of a Control System

Strengths and weaknesses of normal CS design

Useful non-technical controls

Safe & useful technical controls

Be able to find further resources

But most importantly: be able to knowledgeably discuss Control System security

Intro to Control Systems Security

PART 1 - UNDERSTANDING CONTROL SYSTEMS

What is a Control System?

A Control System is any computerised or automated system that is used to control, monitor, support or operate a known process. Most Control Systems manage an Industrial Process such as:

Manufacturing, Energy, Water, Gas

But they are also found where other repeatable processes occur:

Rail & Air Transportation, Healthcare, Finance, Road Infrastructure, Fleet Management, etc

What is a Control System?

A Control System (Industrial Control System) is an umbrella term that refers to a broad set of control systems.

These include:

SCADA (Supervisory Control and Data Acquisition)

DCS (Distributed Control System)

PCS (Process Control System)

EMS (Emergency Management System)

AS (Automated System)

SIS (Safety Instrumentation System)

And any other automated control system.

Talk briefly about the different types of control systems, and w

Why are ICS networks special?

Control Systems are designed to provide day-in, day-out management of a well known process. The integrity and continued operation of this process frequently have key safety or financial impact.

Control Systems need:

INTEGRITY

AVAILABILITY

And a bit of:

CONFIDENTIALITY

Attributes of ICS networks

Constant & Unchanging

Stable

Well documented

Old & un-patched systems

Isolated*

Internally redundant

Small*

Rare/Obscure Customised Applications

Self Contained

A quick review of the sensitivities that Control Systems have to Impact & Change

Control System Risks

Operator Controls

Loss of Control

Loss of View

Historical Data

Corruption

Disclosure

Denial of Access

Insults to the System

Insults to the data generated by the system, and USED by the business

ICS Weaknesses

Well Known and stable operation

VERY few changes

Un-patched, un-managed Operating Systems

10-year-old (or more) devices w/ Embedded OS

Fragile devices that are very sensitive to change

Design assumptions have proved inaccurate

Networks already experience many transient failures

Custom or insecure network protocols

Immature network tunnelling/bridging techniques.

ICS Strengths

VERY FEW changes

Well Known & Stable operation

Custom/Uncommon software

Generally well documented

Isolated Networks

Anomalous Activity Detection

Gateway Access Controls
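An added illustration (not part of the original slides) of why "very few changes" and "well known & stable operation" make anomalous activity detection practical: flows recorded in a known-good period become an allowlist, and anything outside it, or any expected flow that falls silent, is worth a look. All addresses and flow records are constructed sample data.

```python
from collections import Counter

# Constructed sample data: (source, destination, destination TCP port).
# 502 is Modbus/TCP and 20000 is DNP3; all addresses are made up.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502),    # HMI -> PLC A
    ("10.10.1.5", "10.10.2.21", 502),    # HMI -> PLC B
    ("10.10.1.9", "10.10.2.30", 20000),  # historian -> RTU
]
OBSERVED_FLOWS = [
    ("10.10.1.5", "10.10.2.20", 502),
    ("10.10.1.9", "10.10.2.30", 20000),
    ("10.10.1.44", "10.10.2.20", 502),   # unknown host polling a PLC
    ("10.10.1.5", "10.10.2.20", 80),     # known pair, new service
    ("10.10.1.5", "10.10.2.20", 80),
    ("10.10.1.9", "10.10.2.20", 502),    # known hosts, new pairing
]

def build_baseline(flows):
    """Summarise a known-good capture into allowlists."""
    flows = set(flows)
    return {
        "flows": flows,
        "hosts": {host for src, dst, _ in flows for host in (src, dst)},
        "pairs": {(src, dst) for src, dst, _ in flows},
    }

def classify(flow, baseline):
    """Return None for an expected flow, else the most specific reason."""
    src, dst, _port = flow
    if flow in baseline["flows"]:
        return None
    if src not in baseline["hosts"] or dst not in baseline["hosts"]:
        return "new-host"
    if (src, dst) not in baseline["pairs"]:
        return "new-pair"
    return "new-service"

def detect(observed, baseline):
    """Return (alerts, silent): unexpected flows with counts, and
    baseline flows that no longer appear in the observed traffic."""
    counts = Counter((classify(f, baseline), f) for f in observed)
    alerts = sorted((r, f, n) for (r, f), n in counts.items() if r)
    silent = sorted(baseline["flows"] - set(observed))
    return alerts, silent

ALERTS, SILENT = detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS))
```

The silent list matters as much as the alerts on a control network: an expected poll that stops can be the first sign of loss of view.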

Historical Assumptions

Some (one) key historical assumptions underpin the current situation:

Isolated network environment

Devices work, but only just; may not be RFC compliant

Network is ISOLATED & not attackable, thus not defended or updated

Network is resilient to (many) individual faults & failures.

Intro to Control Systems Security

PART 2 - PROTECTIONS FOR CONTROL SYSTEMS

What can we do?

It's all about:

People

Process

Technology

We constantly:

Inspect

Assess

Review

All the standard security tools, processes and concepts apply.

Security is a Process not a Product

Firewalls, IPS, Anti-Virus, Structural Separation,

Protections - People

All the 'standard' People and Personnel controls for working in sensitive areas apply in Control Systems.

The Big Stuff:

Get buy-in for security from Control System owners or senior executive.

Small Stuff:

Most Operators are NOT IT People. Give them somewhere 'safe' to play.

Already have a safety culture. Add: systems security increases your safety.

Operators know how their systems work.

Protections - Process

Regular Liaison with key stakeholders:

Vendor liaison

System owner

Executives

Relationships can make or break your systems

Reporting & Monitoring

System Monitoring

Incident & Anomaly Reporting

Software & Vulnerability Management

(Try to) Ensure products are up-to-date

Vendor Patches & Updates

Related & Ancillary packages

Operating System Updates

Protections - Technical Defence in Depth

Protections - Network Separation

Network Separation

Increases attack complexity

Increases time-to-compromise

Decreases vulnerable devices at each step

Isolates fragile devices

Not applicable on some older legacy networks

Difficult to retro-fit

Protections - Network Access Control

Many protections can be implemented in the network infrastructure, both at the transition points and on the network fabric.

Ingress/Egress Controls

Routing & Access Lists

Gateway Firewalls

Network Fabric

Switch-port access controls

ARP security

Protections - Host-based Controls

Host-based controls can be contentious.

Anti-Virus & Anti-Malware

File Integrity Checking

Process Privilege Escalation

Host-Based IPS

Host Firewalls

Host Authentication (Active Directory)

Centralised Logging

Protections - Applications

Recent high-publicity events have highlighted application-based weaknesses & vulnerabilities.

Plain-text passwords, if they exist at all

Default database/application/server passwords

Vulnerable web services

Private software is publicly available

Pentesters/attackers can download a demo from the web to attack your "secure because it is obscure" system.

Intro to Control Systems Security

PART 3 - GOVERNANCE & REVIEW

Policy & Process

Key Policy Documents

Acceptable Use Policy

Network Access Control Policy

3rd Party access and Remote Access Policies

Software & Vulnerability Management Policy

Key Processes

Software/Patch Management

Change Management

Compliance & Audit

Compliance Audits are your KEY tool for ongoing safety/assurance of these networks!

Determine an appropriate standard / policy set.

NIST 800-82

NISTA 52

NERC

Perform policy/standard audit of processes and controls

Cyber Security Evaluation Tool (CSET)

Router/Switch/Firewall configuration Audit

Testing Control System Security

ICS Penetration Testing

Australian and International resources available. A VERY specialised area.

Internal/amateur vulnerability testing

It is suggested that this NOT be performed on your production network

Other practices include:

Network Sniffing,

Configuration Testing &

Gateway traffic analysis

Protecting Secondary Information

Software Library

PLC Firmware

Source Code

Application installers

Operators Manuals

Authentication Systems (AD, LDAP, DB etc)

See StuxNet & the public knowledge/understanding of attacks against Firmware. How safe is YOUR firmware library?

Intro to Control System Security

PART 4 - WRAP-UP

Summary

Integrity vs. Confidentiality

Network Separation

Network Modelling &

Network Anomaly Detection & IDS

Testing (Penetration & Compliance)

Auditing (Policies, Controls & Processes)

Stay (as) current (as you can be)

Standards & Guides

ANSI/ISA95 Enterprise-Control System Integration, Part 1: Models and Terminology

NIST SP 800-82 Guide for Industrial Control Systems (ICS) Security

NERC CIP-002-3 to CIP-009-3 NERC CIP standards provide a cyber security framework for the identification and protection of Critical Cyber Assets

ISA TR99.00.02 Integrating Electronic Security into the Manufacturing and Control Systems Environment

DHS CSSP - Control Systems Defence in Depth Strategies
http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf

Resources

Australian Resources

CERT Australia

Department of Broadband, Communication and the Digital Economy

Department of the Attorney General

Control System Pen-Testing companies

International Resources

US CERT Control Systems Security Program

US Department of Homeland Security &
US Department of Energy

UK Centre for the Protection of National Infrastructure

Web Resources

Australia

CERT Australia
http://govcert.gov.au/

International

US-CERT Control Systems Website
http://www.us-cert.gov.au/control_systems

DHS Cyber Security Evaluation Tool (CSET)
http://www.us-cert.gov/control_systems/satool.html

SANS http://sans.org.au/

CPNI SCADA Guidelines & Recommendations
http://www.cpni.gov.uk/scada

Questions & Answers

Controls

Firewalls

Intrusion Management: Detection vs. Prevention

Penetration Testing

ISA95 Control Hierarchy Levels

ISA95 IT Systems View
