Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade Activities During...
Using a CVA to Optimize ICS Upgrade Activities During a Turnaround
Jim Gilsinn, Kenexis Security
Presenter
Jim Gilsinn
– Senior Investigator, Kenexis Security
– Current Co-Chair, ISA99 Committee (ISA/IEC 62443)
– Current Co-Chair, ISA99 WG2 Security Program
– 23 years engineering, 13 years ICS cyber security experience
– MSEE specializing in control theory
Overview
– The Situation
– Understanding Threats to ICS
– The ICS-CVA Process
– Using an ICS-CVA for Planning
– Summary
THE SITUATION
The Challenge
(Security Researcher vs. Plant Manager)
Security Researcher: You have 438 Critical Vulnerabilities!
Security Researcher: I could take control of your PLC from the Internet and do …!
Plant Manager: So what? I’m not connected to the Internet.
Security Researcher: I can write a worm that will make the PLC overspeed the turbine and put it into surge!
Plant Manager: Good luck! There is a machine protection system separate from the PLC.
Security Researcher: Well… fine… You need to patch all these vulnerabilities!
Plant Manager: My next scheduled shutdown is in 330 days. Is this important enough to warrant a shutdown?
The Challenge (cont’d)
(Security Researcher vs. Plant Manager)
Security Researcher: Of course!
Plant Manager: Why? I don’t process credit cards. I don’t run public websites.
Security Researcher: I can take control of the boiler and blow it up!
Plant Manager: So you set the PLC to over-pressure the boiler?
Security Researcher: Yes!!!
Plant Manager: There are relief valves. Have a nice day…
The Cyber Security Threat
2014 Data Breach Incident Report shows a 3x increase over 2013
Over 256 incidents to OT networks in 2013 reported to ICS-CERT
– Voluntarily reported by ICS owner/operators
– Most go undetected or unreported
Most major vendors have known vulnerabilities reported to ICS-CERT
Customer Concerns
Fragile OT networks, often caused by communication problems
– Unexplained process stoppages
– Slow HMI updates
At-risk or insecure OT networks
– Discrepancies between business and process support systems (e.g. MES, ERP, LIMS, Historians)
– Unauthorized remote connections to OT networks
– Unauthorized changes to PLCs, DCS, or other systems
– Viruses or malware from OT networks reported by IT staff
Communication errors & network problems
– Risk production uptime
– Threaten process safety
– Open the OT network to cyber security threats
ICS Network & Security Failures
Intermittent Failures
– Corrected by logic conditions in the system
– Minimal to no process interruption
Nuisance Trips
– Corrected by logic conditions and fail safes
– Minor process interruptions
Unplanned Outages
– Handled by maintenance personnel & layers of protection
– Sustained process interruptions & failures
Dangerous Failures
– Kinetic and safety impacts
– Handled by emergency personnel & layers of protection
– Extended process interruptions & failures
Risk Management for Plant Managers: 3 Easy Steps
1. What is it?
2. Is it real?
3. What do I do about it?
Safety risks require action… If you cannot qualify the risk AND give a solution, you are wasting their time.
UNDERSTANDING THREATS TO ICS
Device Vulnerabilities: The Reality
Many think, “8:01am – Cyber Attack, 8:03am – Plant Goes Boom!”
Compromising an individual ICS is of limited value
Significant failures require compromise & disabling of multiple components
True exploits are not needed for most parts of the process
A combination of factors is required to move from nuisance trips to more significant failures
– Cyber security knowledge
– Process knowledge
– ICS knowledge
Attack Modes for ICS
– Loss of View (LoV)
– Manipulation of View (MoV)
– Denial of Control (DoC)
– Manipulation of Control (MoC)
– Loss of Control (LoC)
Model each part of the process in terms of how an attacker would bypass protective systems
Turbine Overspeed Scenario: Process Flow Diagram
[Figure: Electrical Power Generation with Steam Turbine]
Turbine Overspeed Scenario: Simplified Turbine Model
[Figure: Steam Turbine for Power Generation, showing the Safety Valve, Disconnect Switch, and Speed Transmitter]
Turbine Overspeed Scenario: Creating the Turbine Overspeed
Disable the overspeed trip system
– Option 1 – “Force” the output of the safety valve
– Option 2 – Freeze the value of the speed transmitter
Disconnect the load from the generator
– Option 1 – Command the generator disconnect switch to the open position
– Option 2 – Open multiple disconnect switches at power distributors or consumers
Turbine Overspeed Scenario: Attack Methodology
Part 1 – Conduct Surveillance
Part 2 – Map Systems
Part 3 – Infect & Compromise
Part 4 – Exfiltrate Information
Part 5 – Prepare Final Attack
Part 6 – Initiate Attack for Max Damage
Potential Process Attack Points
– Controller setpoints
– I/O values
– Controller commands
– Alarm conditions
– Safety interlocks
– Interconnected or integrated SIS
THE ICS-CVA PROCESS
Requirements to Conduct an ICS-CVA
ICS-CVA = ICS Cyber Vulnerability Assessment
Regulatory
– Annual basis by NERC CIP, CFATS, etc.
Standards & Guidelines
– Periodic basis by ISA/IEC 62443 (ISA-99), NIST Cybersecurity Framework, AWWA, NERC, etc.
Conducting an ICS-CVA
Understand the effect of different systems on OT networks
– Installed base of equipment
– Information/IT systems
Should be part of validation
Recommended to be performed:
– After initial implementation of the ICS
– After major modifications to the ICS
– Periodically
Specific requirements for an ICS-CVA are defined in regulations, standards, & guidelines
The ICS-CVA Process
Documentation Collection & Review
– Network Architecture
– Piping, Instrumentation, and Engineering Diagrams
– Asset Inventory
Network Traffic Capture
– Capture traffic (via tcpdump, Wireshark, etc.) at managed switches via mirror port for a given time
The ICS-CVA Process (cont’d)
Ping Sweep
– Identify live hosts (via nmap)
– Verify Asset Inventory
– Identify Unknown/Rogue Devices
Port Scan Per Device
– Detect open ports & services (via nmap)
– Identify operating system
Service Detection
– Grab banners from active services (via nmap or netcat)
– Verify validity of open ports
– Detect known vulnerable ports/services
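The ping-sweep, asset-verification and port-validation steps above are usually done by hand against a spreadsheet. As an added example (written for this transcript, not code from the presentation, Kenexis or Jim Gilsinn), the script below reconciles a constructed asset inventory against constructed nmap grepable (-oG) output from a sweep and follow-up port scan. The IP addresses, device roles and scan lines are sample data; the inventory layout (IP to role and expected TCP ports) and the short cleartext-service list are assumptions. It reports hosts not in the inventory, inventoried hosts that did not answer, open ports the inventory does not expect, expected ports that were not open, and cleartext services worth a second look.

```python
import re
from dataclasses import dataclass, field

# Constructed inventory: IP -> (role, expected open TCP ports).  Assumes the
# site's asset inventory records which services each device is meant to expose.
ASSET_INVENTORY = {
    "192.168.10.5": ("PLC-101 turbine control", {502}),
    "192.168.10.6": ("PLC-102 boiler control", {502}),
    "192.168.10.20": ("HMI-01", {445, 3389}),
    "192.168.10.30": ("Historian", {443, 1433}),
}

# Cleartext TCP services that merit review on an OT network regardless of the
# inventory.  Minimal, constructed list for the example.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http"}

# Constructed nmap -oG output (not a real capture): ping sweep plus port scan of
# the live hosts.  The historian did not answer; an uninventoried host (.77) did.
NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 502/open/tcp//mbap///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.168.10.6 ()\tStatus: Up
Host: 192.168.10.6 ()\tPorts: 502/open/tcp//mbap///\tIgnored State: closed (999)
Host: 192.168.10.20 (hmi-01)\tStatus: Up
Host: 192.168.10.20 (hmi-01)\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)
Host: 192.168.10.77 ()\tStatus: Up
Host: 192.168.10.77 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///\tIgnored State: closed (998)
# Nmap done -- 4 hosts up
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)")


def parse_grepable(text):
    """Return {ip: {port: service}} for each host nmap reported as up.

    -oG lines are tab-separated: 'Host: <ip> (<name>)' then fields such as
    'Status: Up' or 'Ports: <list>', each entry 'port/state/proto/owner/service/...'.
    """
    hosts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m or "Status: Down" in fields[1:]:
            continue
        ports = hosts.setdefault(m.group(1), {})
        for fld in fields[1:]:
            if fld.startswith("Ports:"):
                for entry in fld[len("Ports:"):].split(","):
                    parts = entry.strip().split("/")
                    # Keep open TCP ports only; nmap leaves the service name empty
                    # when it cannot identify one.
                    if len(parts) >= 5 and parts[1] == "open" and parts[2] == "tcp":
                        ports[int(parts[0])] = parts[4] or "unknown"
    return hosts


@dataclass
class ReconciliationReport:
    rogue_hosts: dict = field(default_factory=dict)       # ip -> {port: service}
    missing_hosts: dict = field(default_factory=dict)     # ip -> role
    unexpected_ports: dict = field(default_factory=dict)  # ip -> {port: service}
    missing_ports: dict = field(default_factory=dict)     # ip -> {port}
    cleartext_services: dict = field(default_factory=dict)  # ip -> {port: service}

    def findings(self):
        """Number of items that need follow-up with the plant."""
        return sum(len(v) for v in vars(self).values())


def reconcile(inventory, scan):
    """Compare live hosts and their open ports with the asset inventory."""
    report = ReconciliationReport()
    for ip, ports in scan.items():
        if ip not in inventory:
            report.rogue_hosts[ip] = dict(ports)
        else:
            expected = inventory[ip][1]
            extra = {p: s for p, s in ports.items() if p not in expected}
            if extra:
                report.unexpected_ports[ip] = extra
            absent = expected - set(ports)
            if absent:
                report.missing_ports[ip] = absent
        clear = {p: s for p, s in ports.items() if p in CLEARTEXT_SERVICES}
        if clear:
            report.cleartext_services[ip] = clear
    for ip, (role, _) in inventory.items():
        if ip not in scan:
            report.missing_hosts[ip] = role
    return report


if __name__ == "__main__":
    rep = reconcile(ASSET_INVENTORY, parse_grepable(NMAP_GREPABLE))
    for name, value in vars(rep).items():
        print(f"{name}: {value}")
    print(f"{rep.findings()} findings to review")
```

Run against the constructed data, it flags 192.168.10.77 as a rogue host exposing ssh and telnet, the historian as inventoried but silent (stale inventory or a powered-down device, either way worth confirming with the plant), and an unexpected HTTP service on the turbine PLC. Each finding is a question for the site engineers, not a conclusion: the inventory is as likely to be wrong as the network.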
The ICS-CVA Process (cont’d)
Vulnerability Scanning
– Automated (via nessus, neXpose, etc.)
– Manual (via nmap, netcat, metasploit, etc.)
– Examination of vulnerability databases (e.g. NIST, A/V vendors, proprietary, etc.)
Open-Source Intelligence Collection
– Determine information leakage (via Google, Shodan, Maltego, ARIN, Custom Code, etc.)
– Identify devices exposed to the internet
– Identify leaks of proprietary information (.doc, .pdf, etc.)
– Determine ease of identifying devices
The ICS-CVA Process (cont’d)
Process Vulnerability Analysis
– P&ID
– HAZOP for max damage/impact scenarios
– Zone and conduit & security level analysis
– Vulnerability analysis with emphasis on physical impacts
– Failure Modeling
– Attack Modeling
USING AN ICS-CVA FOR PLANNING
ICS-CVA Results & Recommendations
Network improvements
– Architecture, zones, upgraded infrastructure, layering, etc.
Cyber security improvements
– Patching, policies/procedures, firewalls, etc.
Device improvements
– Upgraded firmware & hardware
Facility siting & physical security
– Barriers to entry
– Access control
SIS in place of controllers
– Safety interlocks replaced by SIS
Preparing for Turnaround
Conduct an ICS-CVA well before turnaround
– 6-9+ months prior depending on turnaround scope, magnitude, duration, etc.
– Allow for new designs, capital expenditures, personnel training, etc.
Stage equipment prior to turnaround
– Prepare equipment with necessary firmware upgrades, programs, etc.
– If possible, test equipment in lab prior to deployment
SUMMARY
Summary
Engineering problems require engineering solutions!
Vulnerability analysis & discovery are a useful exercise, but they only go as far as device impact
Qualifying the threat means that the process must be considered
ICS-CVA includes all of the above
ICS-CVA can be used as a planning tool for improvements
Where To Get More Information
Jim Gilsinn
– Email: [email protected]
– Phone: +1-614-323-2254
– Twitter: @JimGilsinn
– LinkedIn: http://www.linkedin.com/in/jimgilsinn/
– SlideShare: http://www.slideshare.net/gilsinnj
– Website: http://www.kenexis.com
Thank You for Attending!
Enjoy the rest of the conference.