
© 2017 Belden Inc. | belden.com | @BeldenInc

Cyber Security for Industry 4.0 International Conference

Industrial Cyber Security: Case Studies, Standards, Challenges and Practical Solutions in APAC

Justin Nga, CISSP
Commercial Engineering Director & Industrial Cyber Security Lead APAC


Corporate and Industry Drivers


Industrial Megatrends are Driving IP Adoption

MEGATRENDS DRIVE INVESTMENT INTO AUTOMATION REQUIRING IP …
• CHANGING CONSUMER BEHAVIOR: More demanding consumers create an opportunity to capture share in a low growth environment
• LABOR SUBSTITUTION: Social, economic and political trends are changing the mix of labor and machinery in production
• INCREASED PRODUCTIVITY: Low growth environment is increasing pressure on companies to drive shareholder value through improved productivity

IP BENEFITS …
• Industrial IT
• Remote Access
• Open Standards
• Leverage Standard Devices
• Connected Factory to the Enterprise

IP CONSEQUENCES …
• Legacy Systems
• Collaboration between IT & OT
• Exposure to Security Risks


1. Joint study from ISACA and RSA. 2. Ponemon Institute study. 3. IBM/Ponemon Institute study 4. “Overload: Critical Lessons From 15 years of ICS Vulnerabilities”, FireEye iSight Intelligence

Incident and Breach Levels Continue to Soar

Need for tools to manage complexity with focus on risk, compliance


Increasing Connectivity and Skill Shortage

SKILLSETS WILL BE ONE OF THE LARGEST GAPS FOR INDUSTRIAL CYBER SECURITY

Requires more automation and integration to solve critical needs

• Solution that integrates the security threat landscape across endpoints and networks becomes more important in IT as well as OT environments
• Increasing connectivity continues to increase the risk, i.e. the attack surface
• Security skills shortage continues to be a challenge as threats grow in sophistication and breadth. Customers cannot fully use the solutions and security providers cannot ramp up faster

EXPLOSIVE GROWTH IN ENDPOINTS / TARGETS: 22% CAGR in connected devices, 2016 to 2020

THE SKILLS GAP (infographic figures): 63%; unfilled security jobs worldwide; 3 months or more to hire; 1 MILLION; organizations with problematic shortage of security professionals: 2016 46%, 2015 28%

Automation is critical for IT Operations


SANS – Securing ICS 2017


Statistics and Incident Case Studies


© 2012 Security Incidents Organization

ICS Cyber Security Incident Statistics - RISI

[Chart categories: External Hacker, Software or Device Flaw, Human Error, Malware Infection, Disgruntled Employee]

Industrial Cyber Security is not only about Confidentiality but more Integrity and Availability


Industrial Cyber Security Attacks Today

• Technology: Highly automated and require little intruder knowledge
− Attack frequency is increasing
− Attack sophistication is increasing
− Attack expertise is decreasing
• Information: More information now than ever before in the public domain, especially for Industrial Control Systems (ICS)
− ICS Cert website, ScadaHacker, Kalitutorials, etc.
• Tools: Free / Cheap penetration testing and scripting tools:
− Kali Linux, Raspberry Pis, etc.

Source: Lipson, Howard F.: Tracking and Tracing Cyber-Attack: Technical Challenges And Global Policy Issues, CMU/SEI-2002-SR-009


ICS Cert Website


The Maroochydore Incident

• Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds
• Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs
• Specifics: SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water
− Used OPC ActiveX controls, DNP3, and ModBus protocols
− Used packet radio communications to RTUs
• Caused as many as 46 different incidents over a 3-month period


The Stuxnet Worm

• July, 2010: Stuxnet worm was discovered attacking Siemens PCS7, S7 PLC and WIN-CC systems around the world
• Infected 100,000 computers and at least 22 industrial sites
• Created to attack Natanz, the uranium enrichment centrifuge facility in Iran
• Stuxnet software can be reused, enabling less sophisticated organizations to deliver new attacks to new targets
• Brought unwanted attention to the weaknesses of ICS/SCADA security


Stuxnet – Deep Dive

• The name “Stuxnet” was created by security analysts. The original name is rumoured to be “Olympic Games”.
• Natanz was air-gapped. The threat vector used was a USB memory stick.
• The code details:
− Dense and functional. Top researchers > 30 days.
− 20 times the average malware code
− Included 4 zero-day exploits
− Virus was self-sufficient and automated
− Once at the target, it waits for 13 days before executing the payload
− 1st attack – increased the frequency until the centrifuges hit resonance frequency
− 2nd attack – lowered the frequency until the centrifuge rotors became imbalanced
− Both attacks cause physical damage
− Fake ‘healthy’ SCADA values were replayed
− Deployed so stealthily that manufacturing / process control errors were initially blamed for the damage

The Stuxnet Worm demonstrated it is possible to cross the bridge between the Cyber and the Physical world

Impact to Safety


Shamoon

• Impacted Saudi Aramco, publicized Aug 2012
• Malware overwrote the HDD of workstations
• Malware has 3 key components:
− Dropper
− Wiper
− Reporter
• Errors in the code led to the conclusion that the hackers were “skilled amateurs”. Suspected insider help.
• Yet the destruction and damage were widespread – 30,000 workstations!
• Fortunately, there is no evidence it had any impact on ICS or SCADA systems

Impact to Business Continuity


Dragonfly

• Surfaced Feb 2013
• Target most likely pharmaceuticals industry – first major documented attack to the Discrete Manufacturing sector
• 3 Threat attack vectors – Email spear phishing, watering hole, Trojan software
• Malware was equipped with 3 Remote Access Tools (RATs) – Havex, Karagany, and Sysmain
• Watering Hole – Malware was installed via legitimate software of 3 ICS suppliers
• Majority of target machines were WinXP
• Well funded multi phase campaign
• Likely data theft was primary objective

Impact to Business – Corporate Espionage


BlackEnergy

• 23rd Dec 2016
• Targeted the Ukrainian Power Grid - western area of Ukraine
• Estimated 80,000 customers and 700,000 homes went without electricity for 3-6 hours
• Original vector via Spear Phishing, with Word document containing the Malware.
• Malware BlackEnergy allowed unauthorized remote access to the utilities’ computer networks
• Electricity was restored the same day – by field staff manually reclosing the breakers

Impact to Nation State


CRASHOVERRIDE (aka Win32/Industroyer)

• Suspected to be the code platform for Blackenergy
• 2nd known case of malicious code purpose-built to disrupt physical systems
• 1st case to be a scalable and extensible ‘platform’ of tools.
• Current protocols IEC 101, 104, 61850, OPC DA
• Modules perform:
− Denial-of-service (DoS)
− Backdoor/remote access
− Command and Control (C&C or C2) for periodic connection to the command server for updates
− Port scanning
− A wiper to hide its tracks, destroy files and even overwrite the boot sector so that the system cannot reboot itself


IT and OT Historical Trends


IT and OT Historical Trends

• Focusing on 2 areas of enabling OT technologies/trends – Operating Systems and Networking/Communications

IT
• 70s
− Operating Systems: CP/M, Unix/BSD/OS9
− Networking: Ethernet, Frame Relay, X.25, Arcnet, Serial and Parallel protocols
• 80s
− Operating Systems: MSDOS, PCDOS, Windows 1.0, OS/2, MACOS, Unix/SunOS
− Networking: Ethernet, X.25, Arcnet, Token Ring, FDDI, Novell Netware, Appletalk, ATM/Sonet/SDH
• 90s
− Operating Systems: Windows 3.0/NT/95/98, OS/2, MACOS, Unix/SunOS/Linux/Sun Solaris
− Networking: Ethernet, X.25, Token Ring, Novell Netware, Appletalk, Sonet/SDH, 802.11 wireless, Bluetooth, 2G/3G
• 2000s
− Operating Systems: Windows 2000/XP/7, OS/2, OS X, Unix/Linux/Sun Solaris
− Networking: Ethernet, MPLS, Sonet/SDH, 802.11 wireless, Bluetooth, WiMax, 2G/3G/4G/LTE, (IOT)
• 2010+
− Operating Systems: Windows 8 / 10, OS X, Unix/Linux/Oracle Solaris
− Networking: Ethernet, MPLS, 802.11 wireless, 4G/LTE, IOE, ??

OT
• 70s
− Operating Systems: CP/M, Proprietary interfaces, Ladder Logic
− Networking: Hardwire, Serial based protocols, Modbus
• 80s
− Operating Systems: MSDOS, Unix and Proprietary interfaces
− Networking: Hardwire, HART, Serial, Modbus, FIP, Profibus
• 90s
− Operating Systems: MSDOS, Windows NT (oper), Unix based (Eng)
− Networking: Hardwire, HART, WorldFIP, Profibus, Foundation Fieldbus, DeviceNet, ControlNet, Ethernet – standards war
• 2000s
− Operating Systems: Windows for operator w/s, Unix for Eng w/s, XP, CE, Embedded
− Networking: Hardwire -> IEDs, HART (wireless), IEC 61158, Ind. Ethernet based protocols (*), 802.11 wireless
• 2010+
− Operating Systems: Windows based and Unix based
− Networking: Ind. Ethernet based protocols (*), MPLS, 802.11 wireless, 4G/LTE, IIOT, ??

* Industrial Ethernet OSI Based Protocols – Ethernet/IP, Profinet (IO/IRT), Profisafe, Modbus TCP, 61850, DNP3, etc.

What can history tell us?


What can IT history teach us about OT’s future?

• No major surprises – enabling technologies for OT have been tried and tested by IT before.
• Adoption timelines are getting shorter – 20 years, 10 years, < 10 years.
• Business drivers like higher performance, data integration, increased collaboration and skillset supportability moved systems to open platforms like Windows, Ethernet, and Wireless.
• IT and OT convergence and open standards have made systems more vulnerable.
• Networking and Cyber Security are focused disciplines by themselves
• What about IT Cyber Security History and Statistics?


IT and OT Historical Trends

• Focusing on 2 areas of enabling technologies/trends – Viruses / Worms / etc. and Antivirus / Cyber Security solutions

IT
• 70s
− Viruses / Worms: Creeper, Rabbit, Animal (1st Trojan)
− Security solutions: OS fixes / upgrades
• 80s
− Viruses / Worms: Elk Cloner (Apple II), Brain (IBM Compatible), Yale, Stone, Ping Pong, Jerusalem, etc.
− Security solutions: G Data/UVK2000 (Atari), Flushot+/Anti4US (Heuristic). First IDS.
• 90s
− Viruses / Worms: Vienna, Cascade (Polymorphic), Concept (Macro virus for MS Word), CIH (ROM/Bios), Happy99/Melissa (Outlook)
− Security solutions: McAfee, Norton. By late 90 – 19 brands. IDS systems become more prevalent
• 2000s
− Viruses / Worms: ILOVEYOU, Pikachu (Autoexec.bat), CodeRed, MyDoom, Conficker, Slammer, many more.
− Security solutions: Antivirus and specific Malware based programs, and IPS.
• 2010+
− Viruses / Worms: Stuxnet, Flame, Shamoon, Gameover Zeus (keystroke logger), Locky (ransomware)
− Security solutions: Combination and Evolution

There is MINIMAL time transition for Cyber Security Attacks between IT and OT


The Air Gap Fallacy and the Impact of Open Platforms


The Air Gap

Let us take a look at the historical trends of ICS communication

− Automation in the 1980’s – isolated “islands”

[Diagram labels: PLCs, PLCs, Serial or Proprietary Comm Link]


Early 1990’s – Influx of Windows PCs

[Diagram labels: Enterprise Workstations, Enterprise Servers, HMI Stations, PLCs, Serial or Proprietary Comm Link, THE AIR GAP]


Late 1990’s – Industrial Ethernet

[Network diagram labels: Internet, IT Firewall, Office Network, Enterprise Workstations, Enterprise Servers, Plant Network, HMI Stations, Engineering Stations, Servers, Control Network, PLCs, Dial-up, Wireless]


2000’s - Interconnection to Enterprise Systems

[Network diagram labels: Internet, IT Firewall, Office Network, Enterprise Workstations, Enterprise Servers, Plant Network, HMI Stations, Engineering Stations, Servers, Control Network, PLCs, External Network, Contractor, Wireless, Dial-up, Remote Diagnostics]


Today's Typical Threat Vector

[Diagram: same network layout as the previous slide]


Faulty / Misconfigured Equipment Are Also Threats

[Diagram: same network layout as the previous slide]


Industrial Cyber Security Frameworks and Standards


8 Topical Domains of Security (based on ISC2 CBK*)

• These domains provide a vendor-independent overview of a common security framework, supported in all types of organizations worldwide
1. Security and Risk Management
2. Asset Security
3. Security Engineering
4. Communication and Network Security
5. Identity and Access Management
6. Security Assessment and Testing
7. Security Operations
8. Software Development Security

* International Information System Security Certification Consortium, Common Body of Knowledge, 2017


Where Standards Work and Where they Don’t

• Where they work:
− Standards are based on best practices
− Provides guidance and standard work
− Legal compliance
• Where they may not work:
− Compliance does not guarantee protection.
− Monolithic – slow to form, slow to change.
• Baseline, scope and tailor from a combination of IT, OT, Industry based standards, and security controls prioritized from a risk assessment, and review regularly.


APAC Region Standards and Initiatives

• Standards in individual countries under development and evaluation. No known enforceable standards as yet.
• Commonalities:
− Large investments for research, cooperative and collaborative initiatives
− CERTs – Regional and local Computer Emergency Response Teams. APCERT (https://www.apcert.org/) and member countries
• Examples:
− Australia - Joint Cyber Security Centre opened in February 2017. > 20 organisations represented from the energy, water, finance, transport and mining sectors.
− Singapore - The Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) held a public consultation exercise on the draft Cybersecurity Bill in July/Aug 2017. The purpose is to establish a framework for the oversight and maintenance of cybersecurity in Singapore.
− India - The Government of India launched their National Cyber Security Policy in 2013, and in 2014, the Prime Minister’s Office created the position of the National Cyber Security Coordinator.


ISO 27001 Information Security Standard

• ISO/IEC 27001:2013 is an information security standard.
• Organizations which meet the standard may be certified compliant by an independent and accredited certification body on successful completion of a formal compliance audit.


NERC / CIP Standard

• North American Electric Reliability Corporation’s (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards overview


IEC 62443 (previously ISA99)

• ISA/IEC-62443 is a series of standards that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS).
• Applies to end-users (i.e. asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, designing, implementing, or managing IACS.


IEC 62443 Security Levels Proposal*

• Similar to Functional Safety

* © Pierre Kobes (http://isa99.isa.org/Public/Meetings/Committee/201506-Frankfurt/ISA99-Protection-Levels.pdf)


Where Do You Start?


Cyber Security is a Journey

Maturity Curve
• Beginner: “Don’t Have One”
• Intermediate: “Completed a risk / security assessment”
• Advanced: “Calibrating our security controls”

Where is your organization on this journey?

Cyber Security Programs are Strategic and Economic propositions more than Technical solutions


Enterprise IT vs Industrial OT Perspectives

• The Cyber Security Triad:
− Confidentiality, Integrity, Availability – Rank them by importance
• Same Issues, Different Perspectives:

Priority   IT                OT / ICS
#1         Confidentiality   Availability
#2         Integrity         Integrity
#3         Availability      Confidentiality

IT: Privacy First – “Protect the Data”, i.e. hosts and user
OT/SCADA/ICS: Safety First – “Protect the Process”, i.e. plant assets, personnel, and environment


Where is your Organization on this Journey?

• Does your organization have a Cyber Security Policy with C-Suite support?
− What role does senior management play in Cyber Security decisions?
• What is your security compliance posture today?
− Describe your current posture and your target state for Cyber Security.
− What Security frameworks are you referencing? ISO27001, NERC, 62443, etc.
• Whose responsibility is Security?
− Security Management is ultimately the responsibility of upper management, and must be considered a business operations issue first and not an IT administration issue.
− Security is Everyone’s responsibility.


Security and Risk Assessments

[Chart labels: CONSEQUENCE, RISK]

• Risk = Threat (event likelihood) x Vulnerability (of asset) x Consequence (of event to operations, environment, reputation, etc.).


7 Categories of Access Controls (based on ISC2 CBK*)

• Access Control refers to a broad range of controls that perform such tasks as ensuring only authorized users can gain access to resources, and denying unauthorized users
• Controls mitigate a wide variety of information security risks and can be categorised as:
1. Deterrent
2. Preventive
3. Detective
4. Compensating
5. Corrective
6. Recovery
7. Directive

* International Information System Security Certification Consortium, Common Body of Knowledge, 2017


High Level ICS Risk Assessment Output

• A Security Risk and Vulnerability Assessment will uncover:

− Your key threats, vulnerabilities and consequences

− How do you respond to these risks? Do you Mitigate, Transfer, Avoid, Accept?

− Access Controls to apply, and the residual risk

− Your Risk Appetite

* © Tofino Security / Exida consulting white paper


APAC Best Practices

• People: Training and Awareness
− IT and OT convergence – IT and OT departments. Deploy rotational programs
− Employee awareness
• Technology: You cannot protect what you cannot see:
− Asset management
− Configuration Compliance Management
− Change Management and Detection
− Network Management
− SIEMs
• Processes:
− Risk Assessment
• What’s Old is New again:
− Network security, design and segmentation
− Defense in Depth


Defense in Depth


Defense-in-Depth Model

• The Defense-in-Depth model limits the impact of an incident and breach, regardless of where or how it happens.
1. Multiple layers of defense – Layered in Series
2. Differentiated layers of defense – Using different appliances, software or processes
3. Threat-specific layers of defense
• Defense-in-Depth also applies to People and Processes.
• The 4Ds – Deter, Deny, Detect, Delay


Defense in Depth for ICS via Network Segmentation

• A core concept in IEC-62443 security standard is “Zones and Conduits”
• Offers a level of segmentation and traffic control inside the control system.
• Control networks divided into layers or zones based on control function – “Trust Boundary”
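
Added example (not part of the original slides): a minimal zone-and-conduit audit that flags observed connections crossing a trust boundary without a defined conduit. The zone names follow the deck's network diagrams; the subnets, conduit list and flow records are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed zone plan: zone names follow the slide diagrams,
# the subnets are illustrative assumptions.
ZONES = {
    "office":  ipaddress.ip_network("10.10.0.0/16"),
    "plant":   ipaddress.ip_network("10.20.0.0/16"),
    "control": ipaddress.ip_network("10.30.0.0/16"),
}

# Conduits: the only permitted inter-zone paths, keyed by the direction in
# which a connection is initiated: (src zone, dst zone, protocol, dst port).
CONDUITS = {
    ("office", "plant", "tcp", 443),     # enterprise workstations -> plant servers
    ("plant", "control", "tcp", 502),    # HMI / engineering stations -> PLCs (Modbus TCP)
    ("plant", "control", "tcp", 20000),  # plant servers -> RTUs (DNP3)
}


class Flow(NamedTuple):
    """One observed connection initiation, e.g. from firewall or NetFlow logs."""
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr):
    """Return the zone name that contains addr, or None if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def audit(flows):
    """Return (flow, reason) for every flow that violates the zone model."""
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src), zone_of(f.dst)
        if src_zone is None or dst_zone is None:
            findings.append((f, "endpoint outside any defined zone"))
        elif src_zone == dst_zone:
            continue  # intra-zone traffic stays inside one trust boundary
        elif (src_zone, dst_zone, f.proto, f.dport) not in CONDUITS:
            findings.append(
                (f, f"no conduit {src_zone}->{dst_zone} for {f.proto}/{f.dport}")
            )
    return findings


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.30.0.10", "tcp", 502),   # plant -> control over a conduit
    Flow("10.10.4.7", "10.30.0.10", "tcp", 502),   # office -> control, skips the plant zone
    Flow("10.30.0.10", "10.20.1.5", "tcp", 445),   # control -> plant, no such conduit
    Flow("10.20.1.5", "10.20.1.9", "tcp", 3389),   # intra-zone
    Flow("203.0.113.8", "10.20.1.5", "tcp", 22),   # source not in any zone
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```
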


Zones and Conduits provide Defense in Depth

[Network diagram labels: Internet, IT Firewall, Office Network, Enterprise Workstations, Enterprise Servers, Plant Network, HMI Stations, Engineering Stations, Servers, Control Network, PLCs, External Network, Contractor, Wireless, Dial-up, Remote Diagnostics]




About Belden


Belden’s Industrial Cybersecurity Portfolio


Belden’s 1-2-3 Approach to Industrial Security

BELDEN HELPS CUSTOMERS ADAPT TO THE RAPIDLY CHANGING ENVIRONMENT AT THEIR OWN PACE

SECURE INDUSTRIAL NETWORKS
• Segmentation
• Zoning and conduits
• Monitoring and alerts
• Wireless and remote access
• Threat containment

SECURE INDUSTRIAL ENDPOINTS
• Inventory connected assets
• Identify vulnerable and exploitable endpoints
• Achieve and maintain secure and authorized configurations
• Identify unauthorized and malicious changes

SECURE INDUSTRIAL CONTROLLERS
• Detection and visibility into changes and threats to ICS
• Protection for vulnerable and exploitable controllers
• Assure authorized access and change control for ICS
• Detect and contain threats


Key Takeaways


• ICS Cyber Security threats, incidents and breaches are real and increasing

• Cyber Security is a Journey

• C-Level sponsorship is Critical for Success

• It goes beyond Technology alone – People and Processes

• Training and Employee Awareness

• APAC is on this Journey – leverage recognized standards and frameworks

• Manage your Networks

• Use IEC 62443 Zones and Conduits design concepts for your ICS networks

• Create a Defense in Depth mindset – the 4Ds

• Manage your Risk Assessment

• Monitor for change, and implement continuous monitoring


THANK YOU!

Any Questions?
