Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com
Increasing Cyber Attacks on SCADA / ICS Systems
What is SCADA
Supervisory Control And Data Acquisition: a type of computer-controlled industrial control system (ICS) that monitors and controls industrial processes.
SCADA cyber issues
- Complex, digital and connected: industrial networks linked to external ones
- Legacy equipment, not designed with security in mind
- Internet-connected with inadequate protection
- Poor encryption and weak password protection
- Ability of an intruder to reach and manipulate controls
SCADA systems vs Enterprise systems: the differences
Business IT cyber issues
- Intellectual property theft
- Financial or strategic information theft
- Denial of service
- Insider leakage
- Financial and reputational risk
Industrial IT cyber issues
- Loss of visualization of sensor readings
- Loss of control of the plant
- Human safety and operational risk
A holistic view of security
Digital Control of Critical National Infrastructure
Exploitation of SCADA systems
- SHODAN: a search engine that indexes Internet-facing devices by their service banners, pinpointing shoddy industrial controls; often called "the Google for hackers"
- METASPLOIT: a penetration-testing framework that bundles ready-made exploit code for known vulnerabilities
- TOR: free software for anonymous communication that conceals a user's location and usage from observers
SCADA Scare! SCADA exploitation
- Use SHODAN, which indexes HTTP headers, to find routers, servers, traffic lights and other industrial control equipment
- Around 1 million SCADA/ICS devices are Internet-connected, growing by 2,000-8,000 per day, many of them exploitable
- Identify the Internet-facing device; its banner reveals the software version
- Use Metasploit to retrieve the exploit module matching that device and version
- Use a proxy such as TOR to stay anonymous while exploiting the remote system
Legacy SCADA controls
- Robustness against cyber attack is poor (no firewalls, data diodes, or identity and access management)
- Presence of ActiveX components, backdoor admin accounts, hardcoded authentication
- Crashes under fuzzing, buffer overflows, no lockout or timeout on failed logins
- Ready-made plug-ins for Metasploit and Nessus that reach real-time systems
SCADA Scare: the attack
- Once the PLC is owned, modified ladder logic is uploaded to it
- The altered logic drives vital parameters up or down: speed, pressure, temperature, interlocks
- Such attacks are rare, but honeypot experiments show that attackers do find exposed controls and could manipulate them
Solutions
- Robust SCADA/ICS products with cyber security built in (where possible)
- In most cases, segregate the critical network from the risky Internet and business networks
- Never make SCADA/ICS IP addresses directly reachable from the Internet
- Route industrial protocols carefully, through an additional layer of security and control
Cyber Security for SCADA/ICS Networks: understanding business risk
Threat source and how the threat presents itself
- Criminals / organized crime: financial gain
- Corporate intelligence: competitors, intellectual property
- Disgruntled staff: compromising security, data leakage
- Hackers: website defacement, theft of data
- Terrorists: physical attack combined with cyber attack to compromise availability
- Activists: hacktivism, wilful unauthorized penetration to block facilities or gain political mileage
- Untrained / unauthorized staff: use of USB media that introduces malware, other unauthorized and insecure actions
Know the regulatory compliance landscape
- Modern security standards written for other industries (PCI-DSS, HIPAA) cannot simply be adopted for legacy SCADA/ICS
- Adapting old systems to a new framework is difficult
- Relevant ICS standards: NIST SP 800-82 (USA), ISA-99 and IEC 62443 (the ISA-99 work became the ISA/IEC 62443 series)
Zoning, segregation and protection of industrial networks
- Business needs access to data generated in real time, which brings risk of intrusion and to safety
- Protection from external threat: thorough risk assessment, secure gateway, data diodes
- Zoning of the architecture according to IEC 62443 / ISA-99 (zones and conduits)
- Secure remote conduits, e.g. VPN tunnels over the WAN, rather than direct exposure
Situational awareness: a picture of an attack
Real-time cyber monitoring of critical information and communication infrastructure
- High-security environments are vulnerable to sophisticated attacks
- Many ICS are controlled directly from the host business network
- Attack vectors, attack surface and likelihood of attack all increase
- If the ICS design or configuration cannot be changed, full situational awareness of the nature of an attack is needed, even where it cannot be prevented
- Incorporate proactive monitoring technology, processes and policies, with experienced analysts, to detect suspicious activity
- 24 x 7 security monitoring, or a Cyber Security Operations Centre (CSoC) as a service
- A full situational-awareness picture across the physical, environmental, logical and personnel domains enables an effective, controlled and recorded response
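The three preceding slides make the same point from different angles: segregate the control zone, route industrial protocols through a controlled conduit, and monitor what does cross it. The following Python example is added here to make that concrete; it is not from the deck or from Thales. It parses raw Modbus/TCP frames (MBAP header plus PDU), maps source and destination addresses to an assumed zone model (the subnets, zone names and the rule "only engineering writes, the DMZ historian only reads" are illustrative assumptions), and reports both conduit violations and write or diagnostic function codes that an analyst on a monitoring console would want to see. The sample frames and addresses are constructed for the example; a malformed frame is handled as a finding rather than an exception.

```python
"""Modbus/TCP conduit policy and detection demo (added example, not from the deck)."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone model (assumption): engineering workstations may write to
# PLCs; the DMZ (historian) may only read; anything else, including the
# Internet and the business LAN, has no conduit into the control zone.
ZONES = {
    "control": ip_network("10.10.0.0/24"),
    "engineering": ip_network("10.10.1.0/24"),
    "dmz": ip_network("10.20.0.0/24"),
}
ALLOWED_INTO_CONTROL = {"engineering", "dmz"}
WRITE_ZONES = {"engineering"}

# Modbus public function codes (Modbus application protocol specification).
WRITE_FUNCS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x17: "Read/Write Multiple Registers",
}
DIAG_FUNCS = {0x08: "Diagnostics", 0x2B: "Encapsulated Interface (device identification)"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU; reject anything that is not well-formed Modbus/TCP."""
    if len(payload) < 8:
        raise ValueError("truncated frame: MBAP header plus function code need 8 bytes")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} trailing bytes")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def zone_of(ip: str) -> str:
    """Map an address to an assumed zone; anything outside the model is untrusted."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


def evaluate(src_ip: str, dst_ip: str, payload: bytes) -> list:
    """Return findings for one frame; an empty list means permitted and nothing to flag."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"malformed Modbus/TCP from {src_ip}: {exc}"]
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    findings = []
    if dst_zone != "control":
        return findings  # this policy only covers traffic into the control zone
    if src_zone not in ALLOWED_INTO_CONTROL:
        findings.append(f"no conduit: {src_zone} host {src_ip} -> PLC {dst_ip} (fc 0x{req.function:02X})")
    if req.function in WRITE_FUNCS and src_zone not in WRITE_ZONES:
        findings.append(f"{WRITE_FUNCS[req.function]} from {src_zone} host {src_ip}: writes only from engineering")
    if req.function in DIAG_FUNCS:
        findings.append(f"{DIAG_FUNCS[req.function]} from {src_ip}: possible fingerprinting or diagnostic abuse")
    return findings


# Constructed sample frames (MBAP header first: tid, proto=0, length, unit id; then PDU).
SAMPLES = [
    ("10.20.0.5", "10.10.0.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # historian reads 10 holding registers
    ("203.0.113.5", "10.10.0.10", bytes.fromhex("0002 0000 0006 01 06 0010 0bb8")),  # Internet host writes register 16
    ("10.10.1.7", "10.10.0.10", bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")),  # engineering writes 2 registers
    ("10.20.0.5", "10.10.0.10", bytes.fromhex("0004 0000 0005 01 2b 0e 01 00")),  # historian reads device identification
    ("10.20.0.5", "10.10.0.10", bytes.fromhex("0005 0000 0006 01 03")),  # frame cut short of its declared length
]


def run_samples() -> list:
    """Evaluate every constructed sample and return the list of finding lists."""
    return [evaluate(src, dst, frame) for src, dst, frame in SAMPLES]


if __name__ == "__main__":
    for (src, dst, _), findings in zip(SAMPLES, run_samples()):
        print(f"{src} -> {dst}: {findings or 'ok'}")
```

In practice the same rules would be enforced at the conduit (an industrial firewall or protocol-aware gateway that understands Modbus function codes) and mirrored in the monitoring platform, so that a write from the wrong zone is both blocked and alerted on; the zone model should come from the IEC 62443 zoning exercise, not be hand-written as here.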
Forensic readiness
- Agencies scrutinize how long investigation and remediation take and how an incident is managed
- Various compliance regimes may be mandated, including forensic readiness
- The UK Government Security Policy Framework covers 20 areas, including a risk-treatment section that addresses forensic readiness
- Goal: maximize the ability to preserve and analyze data generated by IT systems for legal and management purposes
- CESG's Good Practice Guide (GPG) covers information assurance implementation including forensic readiness planning
- Scenario-based approach to forensic planning, using hypothetical risks and real previous incidents
- The corresponding security response is documented and exercised
Incident response: assured cyber incident response
Key to successful investigation and remediation is to have in place, in advance of an incident:
- An assured cyber incident response provider
- A forensics service provider
Approach
- Examine the entire enterprise network concurrently for malware / APT by looking for suspicious applications
- Once identified, take a forensic snapshot of the data
- Search all systems on the network forensically, then remediate
- Remediation options: stop the identified processes, or forensically wipe them across all systems
Critical Infrastructure Cyber Security Services
Individual components of CSoC services
Individual Components of an Integrated Cyber Security Operations Centre
Cyber Range Simulation Solutions
Where does Thales fit in? Thales in SCADA security
Conclusions
- SCADA threats are changing very fast
- There are many misconceptions about the type of SCADA threat, the extent of damage or disruption, and the effort and skills required for protection
- Ignoring, or inadequately controlling, the cyber security of SCADA/ICS has significant consequences
- Cyber security of SCADA is a key concern for all industrial infrastructures
- It demands rapid, accurate and informed decisions to ensure safety, security and effectiveness
- Take a holistic approach to SCADA protection, using Cyber Security Operations Centres and situational-awareness monitoring solutions
- Inter-related cyber, physical and industrial IT vulnerabilities must be managed together
Thank you
In Heaven we trust; all other networks should have cyber security protection!
For more information on cyber security for critical infrastructure, please contact Ganesh Narayanan, Head of Consulting, Cyber Security: ganesh.narayanan1970@gmail.com, +65 9758 9646