Keeping the Lights On

Transcription

1 Keeping the Lights On Fundamentals of Industrial Control Risks, Vulnerabilities, Mitigating Controls, and Regulatory Compliance

2 Learning Goals o Understanding definition of industrial controls o Understanding differences between traditional IT networks vs. industrial control networks o Understanding risks and mitigating controls associated with industrial controls o Understanding regulatory compliance and service resilience

3 What is Industrial Control?

4 Industrial Control Defined o A system that controls a process o Industrial Control System traditionally a general term defining several types of control systems used in industrial production o Distributed Control System (DCS) o Supervisory Control and Data Acquisition System (SCADA) o Remote Terminal Units (RTU) o Programmable Logic Controllers (PLC)

5 Why learn about this topic? o Industrial controls are pervasive! o Utilities o Factories o Automobiles o Military o Data Centers o Appliances o Industrial controls are being networked like traditional IT networks.

6 Industrial Controls that might Surprise You o Environmental controls in your data center o Missiles launched by the military o Assembly line controller in a factory o SCADA systems at utilities o Gasoline pumps at a convenience store

7 T-shirt Question Can you name an industrial control or application I have not already mentioned?

8 National Critical Infrastructures o Chemical o Commercial Facilities o Communications o Critical Manufacturing o Dams o Defense Industrial Base o Emergency Services o Energy o Financial Services o Food and Agriculture o Government Facilities o Healthcare and Public Health o Information Technology o Nuclear Reactors, Materials, and Waste o Transportation Systems o Water and Wastewater Systems

9 Get Involved o Join a Cyber Security or Physical Security Working Group in your Sector. o o Join an Information Sharing Analysis Center (ISAC) in your industry. o o alysis_center

10 What s important in the industrial space o Life Safety is foremost. o Reliability is a close second. o Integrity and Availability is primary. o Confidentiality is secondary or not important at all.

11 What can happen o Cyber Security failures have the potential to cause physical consequences. o Cyber Security issues can arise out of supply chain relationships. o Human decisions can cause devastating consequences. o Productivity can be affected.

12 Cyber Security Implication Physical Consequences o Electric Power Blackouts o September 2007 cyber attack in Brazil o 2003 Northeast blackout o 1999 Southern Brazil blackout o 1965 Northeast blackout o 1979 Three Mile Island Nuclear Plant Accident o 2000 Maroochy Shire cyber event o 2007 Aurora Generator Test o 2009 Stuxnet o 2010 San Bruno natural gas pipeline explosion

13 Look what happens when

14 Supply Chain Cybersecurity o Google s headquarters in Sydney, Australia was breached due to building management vendor. o Researchers discovered that they could breach the circuit breakers of a Sochi Olympic arena through their HVAC supplier. o Watering hole attack on a major oil company s network o Major retailer breach due to relationship with HVAC vendor.

15 What makes an Industrial Control System fragile? o COTS o Microsoft Windows o Use of specialized communications protocols o Modbus o DNP3 (Distributed Network Protocol) o OPC (Open Platform Communications formerly known as OLE for Process Control) o Manufacturers deviating from RFC o Poor software design

16 Survey of Specialized Communications Protocols

17 Modbus o Open protocol standard o Moves raw bits or words without placing many restrictions on vendors. o TCP/IP packet may look perfectly normal but the Modbus frame could crafted to carry malicious code.

18 DNP3 o An Open Standard o Designed to be reliable but not secure. o Header may look perfectly normal but the data payload could crafted to carry malicious code. o No authentication mechanism in basic DNP3. o Secure DNP3

19 OPC o Based on the OLE, COM, and DCOM technologies developed by Microsoft. o Any vulnerabilities in these technologies is carried into this protocol. o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports. o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors. o OPC is complicated to setup so some vendors leave exposures in their products.

20 IT Cyber Security vs. OT Cyber Security

21 IT Cyber Security vs. OT Cyber Security - Performance Requirements Source: Derived from the NIST Standard

22 IT Cyber Security vs. OT Cyber Security - Availability Requirements Source: Derived from the NIST Standard

23 IT Cyber Security vs. OT Cyber Security - Risk Management Requirements Source: Derived from the NIST Standard

24 IT Cyber Security vs. OT Cyber Security - Change Management Requirements Source: Derived from the NIST Standard

25 IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements Source: Derived from the NIST Standard

26 Regulatory Compliance Survey

27 Regulatory Compliance - Electric o North American Electric Reliability Corporation (NERC) o Transmission and Generation o Critical Infrastructure Protection (CIP) v3 o Requirements CIP-002 to CIP-009 o CIP-003 Security Management Controls o CIP-005 Electronic Security Perimeter(s) o CIP-007 Systems Security Management o CIP v5 is approved and is in effect April 2016 for all High and Medium Assets and April 2017 for Low Assets.

28 Regulatory Compliance Oil and Natural Gas o US Department of Transportation in conjunction with US Department of Homeland Security s Transportation Security Administration (TSA) o TSA wrote the Pipeline Security Guidelines and published in April o Section 7 Cyber Asset Security Measures o Baseline Cyber Security Measures o Enhanced Cyber Security Measures o TSA performs audits and reports results to US DOT. o US DOT enforces regulation and levies fines.

29 Regulatory Compliance - Dams o Federal Energy Regulatory Commission (FERC) has jurisdictional authority, granted by Congress, over non-public hydroelectric dams and facilities. o Provides cyber security guidelines o Cannot levy fines but can stop a company from selling electricity produced by the hydroelectric facility

30 Regulatory Compliance - Chemical o US Department of Homeland Security developed and released the Chemical Facility Anti-Terrorism Standards in o Risk-Based Performance Standards (RBPS) o RBPS8 covers cyber security requirements. o RBPS address to primary risks. o Sabotage o Diversion o Heavy fines o Divulging information about a CFATS tiered facility o Divulging information about Security Plans and Procedures o Not meeting RBPS requirements

31 Avoid Cyber Security Misconceptions o Avoid the Air Gap Myth o We have a firewall! o We re just a small company, we re not a target

32 Shodan oan industrial control system and network search engine ohttp://

33 Shodan

34 Netsecuris o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments. o Contact Information o Leonard Jacobs, MBA, CISSP o President/CEO o [email protected] o

35 Questions and Answers Thank you