Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Keeping the Lights On
Fundamentals of Industrial Control Risks, Vulnerabilities, Mitigating Controls, and Regulatory Compliance
© Copyright 2014 Netsecuris Inc. All rights reserved
Learning Goals
o Understanding definition of industrial controls
o Understanding differences between traditional IT networks vs. industrial control networks
o Understanding risks and mitigating controls associated with industrial controls
o Understanding regulatory compliance and service resilience
© Copyright 2014 Netsecuris Inc. All rights reserved
What is Industrial Control?
© Copyright 2014 Netsecuris Inc. All rights reserved
Industrial Control Defined
o A system that controls a process
o Industrial Control System – traditionally a general term defining several types of control systems used in industrial production o Distributed Control System (DCS)
o Supervisory Control and Data Acquisition System (SCADA)
o Remote Terminal Units (RTU)
o Programmable Logic Controllers (PLC)
© Copyright 2014 Netsecuris Inc. All rights reserved
Why learn about this topic?
o Industrial controls are pervasive!
o Utilities
o Factories
o Automobiles
o Military
o Data Centers
o Appliances
o Industrial controls are being networked like traditional IT networks.
© Copyright 2014 Netsecuris Inc. All rights reserved
Industrial Controls that might Surprise You o Environmental controls in your data center
o Missiles launched by the military
o Assembly line controller in a factory
o SCADA systems at utilities
o Gasoline pumps at a convenience store
© Copyright 2014 Netsecuris Inc. All rights reserved
T-shirt Question
Can you name an industrial control or application I have not already mentioned?
© Copyright 2014 Netsecuris Inc. All rights reserved
National Critical Infrastructures
© Copyright 2014 Netsecuris Inc. All rights reserved
o Chemical
o Commercial Facilities
o Communications
o Critical Manufacturing
o Dams
o Defense Industrial Base
o Emergency Services
o Energy
o Financial Services
o Food and Agriculture
o Government Facilities
o Healthcare and Public Health
o Information Technology
o Nuclear Reactors, Materials, and Waste
o Transportation Systems
o Water and Wastewater Systems
Get Involved
o Join a Cyber Security or Physical Security Working Group in your Sector. o https://www.dhs.gov/critical-infrastructure-sectors
o Join an Information Sharing Analysis Center (ISAC) in your industry. o http://www.isaccouncil.org/memberisacs.html
o http://itlaw.wikia.com/wiki/Information_Sharing_and_Analysis_Center
© Copyright 2014 Netsecuris Inc. All rights reserved
What’s important in the industrial space
© Copyright 2014 Netsecuris Inc. All rights reserved
o Life Safety is foremost.
o Reliability is a close second.
o Integrity and Availability is primary.
o Confidentiality is secondary or not important at all.
What can happen
o Cyber Security failures have the potential to cause physical consequences.
o Cyber Security issues can arise out of supply chain relationships.
o Human decisions can cause devastating consequences.
o Productivity can be affected.
© Copyright 2014 Netsecuris Inc. All rights reserved
Cyber Security Implication – Physical Consequences o Electric Power Blackouts
o September 2007 cyber attack in Brazil
o 2003 Northeast blackout
o 1999 Southern Brazil blackout
o 1965 Northeast blackout
o 1979 Three Mile Island Nuclear Plant Accident
o 2000 Maroochy Shire cyber event
o 2007 Aurora Generator Test
o 2009 Stuxnet
o 2010 San Bruno natural gas pipeline explosion
© Copyright 2014 Netsecuris Inc. All rights reserved
Look what happens when …
© Copyright 2014 Netsecuris Inc. All rights reserved
Supply Chain Cybersecurity
© Copyright 2014 Netsecuris Inc. All rights reserved
o Google’s headquarters in Sydney, Australia was breached due to building management vendor.
o Researchers discovered that they could breach the circuit breakers of a Sochi Olympic arena through their HVAC supplier.
o Watering hole attack on a major oil company’s network
o Major retailer breach due to relationship with HVAC vendor.
What makes an Industrial Control System fragile? o COTS
o Microsoft Windows
o Use of specialized communications protocols o Modbus
o DNP3 (Distributed Network Protocol)
o OPC (Open Platform Communications formerly known as OLE for Process Control)
o Manufacturers deviating from RFC
o Poor software design
© Copyright 2014 Netsecuris Inc. All rights reserved
Survey of Specialized Communications Protocols
© Copyright 2014 Netsecuris Inc. All rights reserved
Modbus
© Copyright 2014 Netsecuris Inc. All rights reserved
o Open protocol standard
o Moves raw bits or words without placing many restrictions on vendors.
o TCP/IP packet may look perfectly normal but the Modbus frame could crafted to carry malicious code.
DNP3
© Copyright 2014 Netsecuris Inc. All rights reserved
o An Open Standard
o Designed to be reliable but not secure.
o Header may look perfectly normal but the data payload could crafted to carry malicious code.
o No authentication mechanism in basic DNP3. o Secure DNP3
OPC
© Copyright 2014 Netsecuris Inc. All rights reserved
o Based on the OLE, COM, and DCOM technologies developed by Microsoft.
o Any vulnerabilities in these technologies is carried into this protocol.
o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports.
o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors.
o OPC is complicated to setup so some vendors leave exposures in their products.
IT Cyber Security vs. OT Cyber Security
© Copyright 2014 Netsecuris Inc. All rights reserved
IT Cyber Security vs. OT Cyber Security - Performance Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Availability Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Risk Management Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Change Management Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Source: Derived from the NIST 800-82 Standard
Regulatory Compliance Survey
© Copyright 2014 Netsecuris Inc. All rights reserved
Regulatory Compliance - Electric
© Copyright 2014 Netsecuris Inc. All rights reserved
o North American Electric Reliability Corporation (NERC)
o Transmission and Generation
o Critical Infrastructure Protection (CIP) v3 o Requirements CIP-002 to CIP-009
o CIP-003 Security Management Controls
o CIP-005 Electronic Security Perimeter(s)
o CIP-007 Systems Security Management
o CIP v5 is approved and is in effect April 2016 for all High and Medium Assets and April 2017 for Low Assets.
Regulatory Compliance – Oil and Natural Gas o US Department of Transportation in conjunction
with US Department of Homeland Security’s Transportation Security Administration (TSA) o TSA wrote the “Pipeline Security Guidelines” and
published in April 2011. o Section 7 Cyber Asset Security Measures
o Baseline Cyber Security Measures
o Enhanced Cyber Security Measures
o TSA performs audits and reports results to US DOT.
o US DOT enforces regulation and levies fines.
© Copyright 2014 Netsecuris Inc. All rights reserved
Regulatory Compliance - Dams
o Federal Energy Regulatory Commission (FERC) has jurisdictional authority, granted by Congress, over non-public hydroelectric dams and facilities. o Provides cyber security guidelines
o Cannot levy fines but can stop a company from selling electricity produced by the hydroelectric facility
© Copyright 2014 Netsecuris Inc. All rights reserved
Regulatory Compliance - Chemical o US Department of Homeland Security developed and
released the Chemical Facility Anti-Terrorism Standards in 2007.
o Risk-Based Performance Standards (RBPS) o RBPS8 covers cyber security requirements.
o RBPS address to primary risks.
o Sabotage
o Diversion
o Heavy fines o Divulging information about a CFATS tiered facility
o Divulging information about Security Plans and Procedures
o Not meeting RBPS requirements
© Copyright 2014 Netsecuris Inc. All rights reserved
Avoid Cyber Security Misconceptions
o Avoid the Air Gap Myth
o “We have a firewall!”
o “We’re just a small company, we’re not a target”
© Copyright 2014 Netsecuris Inc. All rights reserved
Shodan
oAn industrial control system and network search engine
ohttp://www.shodanhq.com/
© Copyright 2014 Netsecuris Inc. All rights reserved
Shodan
© Copyright 2014 Netsecuris Inc. All rights reserved
Netsecuris
o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.
o Contact Information o Leonard Jacobs, MBA, CISSP
o President/CEO
o 952-641-1421
© Copyright 2014 Netsecuris Inc. All rights reserved
Questions and Answers
Thank you
© Copyright 2014 Netsecuris Inc. All rights reserved