SlideShare una empresa de Scribd logo

ICS security

Ahmed Shitta
Ahmed Shitta
1 de 39
Descargar para leer sin conexión
Industrial Control Systems cyber Security Prepared by: Ahmed Shitta
What is Industrial Control Systems ? •Industrial Control System (ICS) is a general term that encompasses several types of control systems used in industrial process control for production and manufacture, including SCADA, DCS and PLC systems •ICS’s are typically used in industries such as oil & gas production, power generation and nuclear installations. ICS’s are specifically designed and manufactured for the industrial environment, they are designed to be installed Industrial Control Systems cyber Security manufactured for the industrial environment, they are designed to be installed for offshore and onshore applications. Typical examples of ICS
What is Cyber security ? Cyber-security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cyber-security and physical security. Industrial Control Systems cyber Security Do we really need this in the industrial process control network ? ?
To simply answer this question, history says it all !! Do we really need this in the industrial process control network ? Incident Description 2000 Maroochy Water Treatment ,Australia ( SCADA system) A disgruntled former employee hacked into the system, took control of 150 pumping stations and releasedpumping stations and released 1 million liters of raw sewage into local parks, rivers and even the grounds of a Hyatt Regency hotel over a 3 month period. Observations •Radio communications commonly used in SCADA systems are often insecure or improperly configured •SCADA devices and software should be secured to the extent possible using physical and logical controls •Difficult to differentiate attacks from malfunctions •Also recommended : Anti-virus , Firewall protection, Appropriate use of encryption , Upgrade-able SCADA systems (from a security perspective) , Proper staff training and Security auditing and control.
2000 Maroochy Water Treatment •There was no active protection not even a properly configured firewall .
Famous ICS cyber attacks !! Incident Description 2003 PDVSA Oil Terminal , Venezuela ( PLC Controller) Details of the cyber attacks on PDVSA’s systems were slow to emerge, but it seemed that hackers were able to penetrate the SCADA system responsible for tanker loading at a marine terminal in eastern Venezuela. Once inside, the hackers erased the programs in the programmable logic controllers (PLCs) operating the facility, preventing tanker loading for eight hours. Fortunately for PDVSA, the tactics of attackers were unsophisticated,the tactics of attackers were unsophisticated, making detection of the problem relatively easy, and backups of the PLC programs were unaffected, making recovery straightforward. Observations •Internal surveys at several major oil companies indicated that managers often misunderstand the situation they face when it comes to SCADA security. First, many believe that the Information Technology (IT) group automatically looks after SCADA security •While IT departments are very good at providing security for systems they understand, such as Windows® servers and accounting databases, the critical control systems that run the pipelines and refineries day in and day out are forbidding beasts to the IT professional .
Incident Description 2006 Brown’s Ferry Nuclear Plant , USA ( PLC Controller and VFD) •Unit 3 was manually shutdown after the failure of both reactor recirculation pumps and the condensate demineralizer controller. The condensate demineralizer used a programmable logic controller (PLC); the recirculation pumps depend on variable frequency drives (VFD) to modulate motor speed. • Both kinds of devices have embedded microprocessors that can communicate data over the Ethernet LAN. However, both devices are prone to failure in high traffic environments. A device using Famous ICS cyber attacks !! are prone to failure in high traffic environments. A device using Ethernet broadcasts data packets to every other device connected to the network. Receiving devices must examine each packet to determine which ones are addressed to them and to ignore those that are not. • It appears the Browns Ferry control network produced more traffic than the PLC and VFD controllers could handle; it is also possible that the PLC malfunctioned and flooded the Ethernet with spurious traffic, disabling the VFD controllers; tests conducted after the incident were inconclusive.
Incident Description 2010 Iran Nuclear Processing, Iran ( PLC Controller and DCS) •Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Famous ICS cyber attacks !! out Siemens Step7 software. •Stuxnet is typically introduced to the target environment via an infected USB flash drive. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the codes and giving unexpected commands to the PLC while returning a loop of normal operations system values feedback to the users
2010 Iran Nuclear Processing Stuxnet
•Managers often misunderstand the situation they face when it comes to ICS security. First, many believe that the Information Technology (IT) group automatically looks after ICS security IT system Vs ICS system Category Information Technology System Industrial Control System Performance Requirements •Non-real-time •Response must be consistent •Tightly restricted access control can be implemented to the degree necessary for security •Real-time •Response is time-critical •Access to ICS should be strictly controlled, but should not hamper or interfere with human-machine interactionhuman-machine interaction System Operation •Systems are designed for use with typical operating systems •Upgrades are straightforward with the availability of automated deployment tools •Differing and possibly proprietary operating systems, often without security capabilities built in •Software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and perhaps modified hardware and software involved
IT system Vs ICS system Category Information Technology System Industrial Control System Communications •Standard communications protocols •Primarily wired networks with some localized wireless capabilities •Typical IT networking practices •Many proprietary and standard communication protocols. •Several types of communications media used including dedicated wire and wireless (radio and satellite) •Networks are complex and sometimes require the expertise of control engineersof control engineers Managed Support •Allow for diversified support styles •Service support is usually via a single vendor Component Lifetime •Lifetime on the order of 3 to 5 years •Lifetime on the order of 10 to 15 years Conclusion : •The operational and risk differences between ICS and IT systems create the need for increased sophistication in applying cybersecurity and operational strategies. • A cross-functional team of control engineers, control system operators and IT security professionals needs to work closely to understand the possible implications of the installation, operation, and maintenance of security solutions
Identifying Possible hazards and Vulnerable points
Identifying Possible hazards and Vulnerable points Vulnerability Description Inadequate incorporation of security into architecture and design. Incorporating security into the ICS architecture, design must start with budget, and schedule of the ICS. The security architecture is part of the Enterprise Architecture. The architectures must address the identification and authorization of users, access control mechanism, network topologies, and system configuration and integrity mechanisms. Hardware, firmware, and software not The organization doesn’t know what it has, what versions it has, where they are, or what their patch status is, resulting in an inconsistent, andand software not under configuration management. they are, or what their patch status is, resulting in an inconsistent, and ineffective defense posture. A process for controlling modifications to hardware, firmware, software, and documentation should be implemented to ensure an ICS is protected against inadequate or improper modifications before, during, and after system implementation. A lack of configuration change management procedures can lead to security oversights, exposures, and risks. To properly secure an ICS, there should be an accurate listing of the assets in the system and their current configurations. These procedures are critical to executing business continuity and disaster recovery plans.
Identifying Possible hazards and Vulnerable points Vulnerability Description OS and application security patches are not maintained or vendor declines to patch vulnerability Out-of-date OSs and applications may contain newly discovered vulnerabilities that could be exploited. Documented procedures should be developed for how security patches will be maintained. Security patch support may not even be available for ICS that use outdated OSs, so procedures should include contingency plans for mitigating vulnerabilities where patches may never be available. Inadequate testing of security changes Modifications to hardware, firmware, and software deployed without testing could compromise normal operation of the ICS. Documentedsecurity changes testing could compromise normal operation of the ICS. Documented procedures should be developed for testing all changes for security impact. The live operational systems should never be used for testing. The testing of system modifications may need to be coordinated with system vendors and integrators Poor remote access controls There are many reasons why an ICS may need to be remotely accessed, including vendors and system integrators performing system maintenance functions, and also ICS engineers accessing geographically remote system components. Remote access capabilities must be adequately controlled to prevent unauthorized individuals from gaining access to the ICS.
Identifying Possible hazards and Vulnerable points Vulnerability Description Critical configurations are not stored or backed up Procedures should be available for restoring ICS configuration settings in the event of accidental or adversary-initiated configuration changes to maintain system availability and prevent loss of data. Documented procedures should be developed for maintaining ICS configuration settings. Improper data linking ICS data storage systems may be linked with non-ICS data sources. An example of this is database links, which allow data from one database to be automatically replicated to others. Data linkage may create ato be automatically replicated to others. Data linkage may create a vulnerability if it is not properly configured and may allow unauthorized data access or manipulation Malware protection not installed or up to date Installation of malicious software, or malware, is a common attack. Malware protection software, such as antivirus software, must be kept current in a very dynamic environment. Outdated malware protection software and definitions leave the system open to new malware threats.
Identifying Possible hazards and Vulnerable points Vulnerability Description Denial of service (DoS) ICS software could be vulnerable to DoS attacks, resulting in the prevention of authorized access to a system resource or delaying system operations and functions. Logs not maintained Without proper and accurate logs, it might be impossible to determine what caused a security event to occur Unauthorized personnel have Physical access to ICS equipment should be restricted to only the necessary personnel, taking into account safety requirements, such aspersonnel have physical access to equipment necessary personnel, taking into account safety requirements, such as emergency shutdown or restarts. Improper access to ICS equipment can lead to any of the following:  Physical theft of data and hardware  Physical damage or destruction of data and hardware  Unauthorized changes to the functional environment (e.g., data connections, unauthorized use of removable media, adding/removing resources)  Disconnection of physical data links  Undetectable interception of data (keystroke and other input logging)
Identifying Possible hazards and Vulnerable points Vulnerability Description Radio frequency, electromagnetic pulse (EMP), static discharge, brownouts and voltage spikes The hardware used for control systems is vulnerable to radio frequency and electro-magnetic pulses (EMP), static discharge, brownouts and voltage spikes.. The impact can range from temporary disruption of command and control to permanent damage to circuit boards. Proper shielding, grounding, power conditioning, and/or surge suppression is recommended Lack of backup power Without backup power to critical assets, a general loss of power will shut down the ICS and could create an unsafe situation. Loss of power could also lead to insecure default settings.could also lead to insecure default settings. Unsecured physical ports Unsecured universal serial bus (USB) and PS/2 ports could allow unauthorized connection of thumb drives, keystroke loggers, etc. Inadequate authentication, privileges, and access control in software Unauthorized access to configuration and programming software could provide the ability to corrupt a device. Firewalls nonexistent or improperly configured A lack of properly configured firewalls could permit unnecessary data to pass between networks, such as control and corporate networks, allowing attacks and malware to spread between networks, making sensitive data susceptible to monitoring/eavesdropping, and providing individuals with unauthorized access to systems
Security means access control To secure the ICS network we must •Control data flow and access Between each two layers •Control direct access to the hardware•Control direct access to the hardware In the control network layer We need Control Who and What will Pass through But how ? Also we must control who gets access
Security means access control •What is a Firewall? •Types of Firewalls •Classes of Firewalls •Overall Security Goals of ICS network Firewalls Firewalls •Overall Security Goals of ICS network Firewalls •Common ICS network Segregation Architectures
Security means access control •What is a Firewall? Firewalls A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting devices on the network. It compares the traffic passing through it to a predefined security criteria or policy, discarding messages that do not meet the policy’smeet the policy’s
Security means access control •Types of Firewalls Firewalls A firewall can come in many different designs and configurations 1. It can be a separate hardware device physically connected to a network (such as the Cisco ASA® or the Symantec Security Gateway® firewalls) 2. a completely host-based software solution installed directly on the workstation to be protected (such as Norton Personal Firewall® or Sygate Personal Firewall®).
Security means access control •Classes of Firewalls Firewalls •Packet Filter Firewalls •Stateful Firewalls •Application Proxy Firewalls •Deep Packet Inspection Firewalls As an Automation engineer all you need to know Network traffic is sent in discrete groups of bits, called a packet. Each packet typically contains a number of separate pieces of information, including (but not limited to) items such as the: • Sender's identity (Source Address). • Recipient's identity (Destination Address). • Service to which the packet pertains (Port Number). • Network operation and status flags. • Actual payload of data to be delivered to the service. A firewall, determines what action to take with the packet, These decisions are based on a series of rules commonly referred to as Access Control Lists (ACLs). As an Automation engineer all you need to know
Security means access control Firewalls •Overall Security Goals of ICS network Firewalls Ideally, a process control or SCADA network would be a closed system, accessible only by trusted internal components such as the Human Machine Interface (HMI) stations and data historians. But the need for external access from both corporate users and selected 3rd parties exists •production and maintenance management information needs to be relayed to computers and users outside of the plant floor for management purposes •vendors may need to access controllers for support purposes. Implicitly this means that some network paths exist from the outside
Security means access control Firewalls •Overall Security Goals of ICS network Firewalls The goal of the firewall, simply stated, is to minimize the risk of unauthorized access (or network traffic) to internal components on the ICS systems. Such a risk minimization strategy will typically include the following general objectives. 1. No direct connections from the Internet to the PCN/SCADA network and viceversa.1. No direct connections from the Internet to the PCN/SCADA network and viceversa. 2. Restricted access from the enterprise network to the control network. 3. Unrestricted (but only authorized) access from the enterprise network to shared PCN/enterprise servers 4. Secure methods for authorized remote support of control systems. 5. Secure connectivity for wireless devices (if used). 6. Monitoring of traffic attempting to enter and on the PCN.
Security means access control Firewalls •Common ICS network Segregation Architectures. 1. Dual-Homed Computers . 2. Dual-Homed Server with Personal Firewall Software . 3. Packet Filtering Router/Layer-3 Switch between PCN and EN.3. Packet Filtering Router/Layer-3 Switch between PCN and EN. 4. Two-Port Firewall between PCN and EN. 5. Router/Firewall Combination between PCN and EN . 6. Firewall with Demilitarized Zones between PCN and EN . 7. Paired Firewalls between PCN and EN .
Common ICS network Segregation Architectures 1.Dual-Homed Computers. Observations •A computer without proper security controls could pose additional threats •All connections between the control network and the corporate network should be through a firewall. This configuration provides no security improvement and should not be used to bridge networks (e.g., ICS and corporate networks).
Common ICS network Segregation Architectures 2.Dual-Homed Server with Personal Firewall Software . Observations •The first issue with this solution is that it will only provide a mechanism to allow the sharing of server data. If there is any other traffic that needs to traverse the PCN to EN boundary (such as remote maintenance access to a controller) then this architecture will either completely block that traffic or leave the PCN poorly secured.
Common ICS network Segregation Architectures 3. Packet Filtering Router/Layer-3 Switch between PCN and EN. Observations •This type of packet filter design is only secure if the enterprise network is known to be highly secure in its own right and is not generally subject to attacks.
Common ICS network Segregation Architectures 4.Two-Port Firewall between PCN and EN.
Common ICS network Segregation Architectures 4.Two-Port Firewall between PCN and EN. Observations •this communication occurs at the application layer as Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP) requests. Flaws in the historian’s application layer code could result in a compromised historian •if HTTP packets are allowed through the firewall, then Trojan horse software accidentally introduced on an HMI or control network laptop could be controlled by a remote entity and send data . •while this architecture is a significant improvement over a non-segregated network, it requires the use of firewall rules that allow direct communications between the corporate network and control network devices. This can result in possible security breaches if not very carefully designed and monitored
Common ICS network Segregation Architectures 5.Router/Firewall Combination between PCN and EN .
Common ICS network Segregation Architectures 5.Router/Firewall Combination between PCN and EN . Observations •The use of a router/firewall combination. The router sits in front of the firewall and offers basic packet filtering services, while the firewall handles the more complex issues using either stateful inspection or proxy techniques. This type of design is very popular in Internet-facing firewalls because it allows the faster router to handle the bulk of the incoming packets, especially in the case of DoS attacks, and reduces the load on the firewall. It also offers improved defense-in-depth because there are two different devices an adversary must bypassdifferent devices an adversary must bypass
Common ICS network Segregation Architectures 6.Firewall with Demilitarized Zones between PCN and EN .
Common ICS network Segregation Architectures 6.Firewall with Demilitarized Zones between PCN and EN . Observations •By placing corporate-accessible components in the DMZ, no direct communication paths are required from the corporate network to the control network; each path effectively ends in the DMZ. Most firewalls can allow for multiple DMZs, and can specify what type of traffic may be forwarded between zones. •If a patch management server, an antivirus server, or other security server is to be used for the control network, it should be located directly on theis to be used for the control network, it should be located directly on the DMZ. Both functions could reside on a single server. Having patch management and antivirus management •The primary security risk in this type of architecture is that if a computer in the DMZ is compromised, then it can be used to launch an attack against the control network via application traffic permitted from the DMZ to the control network
Common ICS network Segregation Architectures 7.Paired Firewalls between PCN and EN .
Common ICS network Segregation Architectures 7.Paired Firewalls between PCN and EN . Observations •If firewalls from two different manufacturers are used, then this solution may offer a “defence in depth” advantage. It also allows process control groups and the IT groups to have clearly separated device responsibility since each can manage a firewall on its own. In fact it is the study team’s understanding that this design is recommended in the Federal Energy Regulatory Commission (FERC) Proposal for Security Standards for this reason
Industrial Control Systems cyber Security summary
Industrial Control Systems cyber Security references 1. "NRC Information Notice 2003-14: Potential Vulnerability of Plant Computer Network to Worm Infection", United States Nuclear Regulatory Commission, Washington, DC, August 29, 2003 2. “Process Control Network Reference Architecture v 1.0”, Invensys Inc., January 2004, pg. 2, 5 3. “Experion PKS Network and Security Planning Guide EP-DSX173, Release 210”, Honeywell Limited Australia, October 2004 4. “Presentation: Securing SIMATIC PCS7 and SIMATIC IT in Networks”, Siemens, 2003
Industrial Control Systems cyber Security Prepared by: Ahmed Shitta Automation Section Head at Egyptian Projects Operation and Maintenance (EPROM) Email: ahmedshitta@gmail.com

Recomendados

Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Industrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptIndustrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.ppt
DelforChacnCornejo
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 

Recomendados

Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Industrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.pptIndustrial control systems cybersecurity.ppt
Industrial control systems cybersecurity.ppt
DelforChacnCornejo
 
Introduction to ICS/SCADA security
Introduction to ICS/SCADA securityIntroduction to ICS/SCADA security
Introduction to ICS/SCADA security
Cysinfo Cyber Security Community
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443Secure Systems Security and ISA99- IEC62443
Secure Systems Security and ISA99- IEC62443
Yokogawa1
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
Edureka!
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
Krutarth Vasavada
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
PECB
 
Information Security Career Day Presentation
Information Security Career Day PresentationInformation Security Career Day Presentation
Information Security Career Day Presentation
djglass
 
Security architecture
Security architectureSecurity architecture
Security architecture
Duncan Unwin
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Rahmat Suhatman
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
Cissp Training PPT
Cissp Training PPTCissp Training PPT
Cissp Training PPT
ADEPT TECHNOLOGY
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
NetEnrich, Inc.
 
Advice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT CybersecurityAdvice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT Cybersecurity
Mighty Guides, Inc.
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
EmilyGladstoneCole
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
Jan Seidl
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
Aravind R
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
Edureka!
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)
Ahmed Banafa
 
White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
Ivan Carmona
 
SCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US UtilitiesSCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US Utilities
FitCEO, Inc. (FCI)
 

Más contenido relacionado

La actualidad más candente

The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
Larry Vandenaweele
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
PECB
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Edureka!
 

La actualidad más candente (20)

The journey to ICS - Extended
The journey to ICS - Extended The journey to ICS - Extended
The journey to ICS - Extended
 
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
What is Cyber Security? | Introduction to Cyber Security | Cyber Security Tra...
 
Introduction to Cybersecurity
Introduction to CybersecurityIntroduction to Cybersecurity
Introduction to Cybersecurity
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
Understanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for OrganizationUnderstanding Penetration Testing & its Benefits for Organization
Understanding Penetration Testing & its Benefits for Organization
 
Information Security Career Day Presentation
Information Security Career Day PresentationInformation Security Career Day Presentation
Information Security Career Day Presentation
 
Security architecture
Security architectureSecurity architecture
Security architecture
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
 
Cissp Training PPT
Cissp Training PPTCissp Training PPT
Cissp Training PPT
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
 
Advice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT CybersecurityAdvice for CISOs: How to Approach OT Cybersecurity
Advice for CISOs: How to Approach OT Cybersecurity
 
SOC2 Intro and Mindfulness
SOC2 Intro and MindfulnessSOC2 Intro and Mindfulness
SOC2 Intro and Mindfulness
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdfMicrosoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
 
SCADA hacking industrial-scale fun
SCADA hacking industrial-scale funSCADA hacking industrial-scale fun
SCADA hacking industrial-scale fun
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...
 
What is zero trust model (ztm)
What is zero trust model (ztm)What is zero trust model (ztm)
What is zero trust model (ztm)
 

Similar a ICS security

SCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US UtilitiesSCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US Utilities
FitCEO, Inc. (FCI)
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
majolic
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
IJECEIAES
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Jim Gilsinn
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
Creekside Marketing Group, LLC
 

Similar a ICS security (20)

White paper scada (2)
White paper scada (2)White paper scada (2)
White paper scada (2)
 
SCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US UtilitiesSCADA Exposure Will Short-Circuit US Utilities
SCADA Exposure Will Short-Circuit US Utilities
 
Security Issues in SCADA based Industrial Control Systems
Security Issues in SCADA based Industrial Control Systems Security Issues in SCADA based Industrial Control Systems
Security Issues in SCADA based Industrial Control Systems
 
Nist 800 82
Nist 800 82Nist 800 82
Nist 800 82
 
Industrial networks safety & security - e+h june 2018 ben murphy
Industrial networks safety & security - e+h june 2018 ben murphyIndustrial networks safety & security - e+h june 2018 ben murphy
Industrial networks safety & security - e+h june 2018 ben murphy
 
Robust Cyber Security for Power Utilities
Robust Cyber Security for Power UtilitiesRobust Cyber Security for Power Utilities
Robust Cyber Security for Power Utilities
 
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
 
Cloud Computing
Cloud ComputingCloud Computing
Cloud Computing
 
III SEM MCA-Module 4 -Ch2.pdf- Securing IoT
III SEM MCA-Module 4 -Ch2.pdf- Securing IoTIII SEM MCA-Module 4 -Ch2.pdf- Securing IoT
III SEM MCA-Module 4 -Ch2.pdf- Securing IoT
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
 
IEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel TalkIEEE PES GM 2017 Cybersecurity Panel Talk
IEEE PES GM 2017 Cybersecurity Panel Talk
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
 
SCADA Security in CDIC 2009
SCADA Security in CDIC 2009SCADA Security in CDIC 2009
SCADA Security in CDIC 2009
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
 
CyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoTCyberSecurity Best Practices for the IIoT
CyberSecurity Best Practices for the IIoT
 

ICS security

  • 1. Industrial Control Systems cyber Security Prepared by: Ahmed Shitta
  • 2. What is Industrial Control Systems ? •Industrial Control System (ICS) is a general term that encompasses several types of control systems used in industrial process control for production and manufacture, including SCADA, DCS and PLC systems •ICS’s are typically used in industries such as oil & gas production, power generation and nuclear installations. ICS’s are specifically designed and manufactured for the industrial environment, they are designed to be installed Industrial Control Systems cyber Security manufactured for the industrial environment, they are designed to be installed for offshore and onshore applications. Typical examples of ICS
  • 3. What is Cyber security ? Cyber-security is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cyber-security and physical security. Industrial Control Systems cyber Security Do we really need this in the industrial process control network ? ?
  • 4. To simply answer this question, history says it all !! Do we really need this in the industrial process control network ? Incident Description 2000 Maroochy Water Treatment ,Australia ( SCADA system) A disgruntled former employee hacked into the system, took control of 150 pumping stations and releasedpumping stations and released 1 million liters of raw sewage into local parks, rivers and even the grounds of a Hyatt Regency hotel over a 3 month period. Observations •Radio communications commonly used in SCADA systems are often insecure or improperly configured •SCADA devices and software should be secured to the extent possible using physical and logical controls •Difficult to differentiate attacks from malfunctions •Also recommended : Anti-virus , Firewall protection, Appropriate use of encryption , Upgrade-able SCADA systems (from a security perspective) , Proper staff training and Security auditing and control.
  • 5. 2000 Maroochy Water Treatment •There was no active protection not even a properly configured firewall .
  • 6. Famous ICS cyber attacks !! Incident Description 2003 PDVSA Oil Terminal , Venezuela ( PLC Controller) Details of the cyber attacks on PDVSA’s systems were slow to emerge, but it seemed that hackers were able to penetrate the SCADA system responsible for tanker loading at a marine terminal in eastern Venezuela. Once inside, the hackers erased the programs in the programmable logic controllers (PLCs) operating the facility, preventing tanker loading for eight hours. Fortunately for PDVSA, the tactics of attackers were unsophisticated,the tactics of attackers were unsophisticated, making detection of the problem relatively easy, and backups of the PLC programs were unaffected, making recovery straightforward. Observations •Internal surveys at several major oil companies indicated that managers often misunderstand the situation they face when it comes to SCADA security. First, many believe that the Information Technology (IT) group automatically looks after SCADA security •While IT departments are very good at providing security for systems they understand, such as Windows® servers and accounting databases, the critical control systems that run the pipelines and refineries day in and day out are forbidding beasts to the IT professional .
  • 7. Incident Description 2006 Brown’s Ferry Nuclear Plant , USA ( PLC Controller and VFD) •Unit 3 was manually shutdown after the failure of both reactor recirculation pumps and the condensate demineralizer controller. The condensate demineralizer used a programmable logic controller (PLC); the recirculation pumps depend on variable frequency drives (VFD) to modulate motor speed. • Both kinds of devices have embedded microprocessors that can communicate data over the Ethernet LAN. However, both devices are prone to failure in high traffic environments. A device using Famous ICS cyber attacks !! are prone to failure in high traffic environments. A device using Ethernet broadcasts data packets to every other device connected to the network. Receiving devices must examine each packet to determine which ones are addressed to them and to ignore those that are not. • It appears the Browns Ferry control network produced more traffic than the PLC and VFD controllers could handle; it is also possible that the PLC malfunctioned and flooded the Ethernet with spurious traffic, disabling the VFD controllers; tests conducted after the incident were inconclusive.
  • 8. Incident Description 2010 Iran Nuclear Processing, Iran ( PLC Controller and DCS) •Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Famous ICS cyber attacks !! out Siemens Step7 software. •Stuxnet is typically introduced to the target environment via an infected USB flash drive. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the codes and giving unexpected commands to the PLC while returning a loop of normal operations system values feedback to the users
  • 9. 2010 Iran Nuclear Processing Stuxnet
  • 10. •Managers often misunderstand the situation they face when it comes to ICS security. First, many believe that the Information Technology (IT) group automatically looks after ICS security IT system Vs ICS system Category Information Technology System Industrial Control System Performance Requirements •Non-real-time •Response must be consistent •Tightly restricted access control can be implemented to the degree necessary for security •Real-time •Response is time-critical •Access to ICS should be strictly controlled, but should not hamper or interfere with human-machine interactionhuman-machine interaction System Operation •Systems are designed for use with typical operating systems •Upgrades are straightforward with the availability of automated deployment tools •Differing and possibly proprietary operating systems, often without security capabilities built in •Software changes must be carefully made, usually by software vendors, because of the specialized control algorithms and perhaps modified hardware and software involved
  • 11. IT system Vs ICS system Category Information Technology System Industrial Control System Communications •Standard communications protocols •Primarily wired networks with some localized wireless capabilities •Typical IT networking practices •Many proprietary and standard communication protocols. •Several types of communications media used including dedicated wire and wireless (radio and satellite) •Networks are complex and sometimes require the expertise of control engineersof control engineers Managed Support •Allow for diversified support styles •Service support is usually via a single vendor Component Lifetime •Lifetime on the order of 3 to 5 years •Lifetime on the order of 10 to 15 years Conclusion : •The operational and risk differences between ICS and IT systems create the need for increased sophistication in applying cybersecurity and operational strategies. • A cross-functional team of control engineers, control system operators and IT security professionals needs to work closely to understand the possible implications of the installation, operation, and maintenance of security solutions
  • 12. Identifying Possible hazards and Vulnerable points
  • 13. Identifying Possible hazards and Vulnerable points Vulnerability Description Inadequate incorporation of security into architecture and design. Incorporating security into the ICS architecture, design must start with budget, and schedule of the ICS. The security architecture is part of the Enterprise Architecture. The architectures must address the identification and authorization of users, access control mechanism, network topologies, and system configuration and integrity mechanisms. Hardware, firmware, and software not The organization doesn’t know what it has, what versions it has, where they are, or what their patch status is, resulting in an inconsistent, andand software not under configuration management. they are, or what their patch status is, resulting in an inconsistent, and ineffective defense posture. A process for controlling modifications to hardware, firmware, software, and documentation should be implemented to ensure an ICS is protected against inadequate or improper modifications before, during, and after system implementation. A lack of configuration change management procedures can lead to security oversights, exposures, and risks. To properly secure an ICS, there should be an accurate listing of the assets in the system and their current configurations. These procedures are critical to executing business continuity and disaster recovery plans.
  • 14. Identifying Possible hazards and Vulnerable points Vulnerability Description OS and application security patches are not maintained or vendor declines to patch vulnerability Out-of-date OSs and applications may contain newly discovered vulnerabilities that could be exploited. Documented procedures should be developed for how security patches will be maintained. Security patch support may not even be available for ICS that use outdated OSs, so procedures should include contingency plans for mitigating vulnerabilities where patches may never be available. Inadequate testing of security changes Modifications to hardware, firmware, and software deployed without testing could compromise normal operation of the ICS. Documentedsecurity changes testing could compromise normal operation of the ICS. Documented procedures should be developed for testing all changes for security impact. The live operational systems should never be used for testing. The testing of system modifications may need to be coordinated with system vendors and integrators Poor remote access controls There are many reasons why an ICS may need to be remotely accessed, including vendors and system integrators performing system maintenance functions, and also ICS engineers accessing geographically remote system components. Remote access capabilities must be adequately controlled to prevent unauthorized individuals from gaining access to the ICS.
  • 15. Identifying Possible hazards and Vulnerable points Vulnerability Description Critical configurations are not stored or backed up Procedures should be available for restoring ICS configuration settings in the event of accidental or adversary-initiated configuration changes to maintain system availability and prevent loss of data. Documented procedures should be developed for maintaining ICS configuration settings. Improper data linking ICS data storage systems may be linked with non-ICS data sources. An example of this is database links, which allow data from one database to be automatically replicated to others. Data linkage may create ato be automatically replicated to others. Data linkage may create a vulnerability if it is not properly configured and may allow unauthorized data access or manipulation Malware protection not installed or up to date Installation of malicious software, or malware, is a common attack. Malware protection software, such as antivirus software, must be kept current in a very dynamic environment. Outdated malware protection software and definitions leave the system open to new malware threats.
  • 16. Identifying Possible hazards and Vulnerable points Vulnerability Description Denial of service (DoS) ICS software could be vulnerable to DoS attacks, resulting in the prevention of authorized access to a system resource or delaying system operations and functions. Logs not maintained Without proper and accurate logs, it might be impossible to determine what caused a security event to occur Unauthorized personnel have Physical access to ICS equipment should be restricted to only the necessary personnel, taking into account safety requirements, such aspersonnel have physical access to equipment necessary personnel, taking into account safety requirements, such as emergency shutdown or restarts. Improper access to ICS equipment can lead to any of the following:  Physical theft of data and hardware  Physical damage or destruction of data and hardware  Unauthorized changes to the functional environment (e.g., data connections, unauthorized use of removable media, adding/removing resources)  Disconnection of physical data links  Undetectable interception of data (keystroke and other input logging)
  • 17. Identifying Possible hazards and Vulnerable points Vulnerability Description Radio frequency, electromagnetic pulse (EMP), static discharge, brownouts and voltage spikes The hardware used for control systems is vulnerable to radio frequency and electro-magnetic pulses (EMP), static discharge, brownouts and voltage spikes.. The impact can range from temporary disruption of command and control to permanent damage to circuit boards. Proper shielding, grounding, power conditioning, and/or surge suppression is recommended Lack of backup power Without backup power to critical assets, a general loss of power will shut down the ICS and could create an unsafe situation. Loss of power could also lead to insecure default settings.could also lead to insecure default settings. Unsecured physical ports Unsecured universal serial bus (USB) and PS/2 ports could allow unauthorized connection of thumb drives, keystroke loggers, etc. Inadequate authentication, privileges, and access control in software Unauthorized access to configuration and programming software could provide the ability to corrupt a device. Firewalls nonexistent or improperly configured A lack of properly configured firewalls could permit unnecessary data to pass between networks, such as control and corporate networks, allowing attacks and malware to spread between networks, making sensitive data susceptible to monitoring/eavesdropping, and providing individuals with unauthorized access to systems
  • 18. Security means access control To secure the ICS network we must •Control data flow and access Between each two layers •Control direct access to the hardware•Control direct access to the hardware In the control network layer We need Control Who and What will Pass through But how ? Also we must control who gets access
  • 19. Security means access control •What is a Firewall? •Types of Firewalls •Classes of Firewalls •Overall Security Goals of ICS network Firewalls Firewalls •Overall Security Goals of ICS network Firewalls •Common ICS network Segregation Architectures
  • 20. Security means access control •What is a Firewall? Firewalls A firewall is a mechanism used to control and monitor traffic to and from a network for the purpose of protecting devices on the network. It compares the traffic passing through it to a predefined security criteria or policy, discarding messages that do not meet the policy’smeet the policy’s
  • 21. Security means access control •Types of Firewalls Firewalls A firewall can come in many different designs and configurations 1. It can be a separate hardware device physically connected to a network (such as the Cisco ASA® or the Symantec Security Gateway® firewalls) 2. a completely host-based software solution installed directly on the workstation to be protected (such as Norton Personal Firewall® or Sygate Personal Firewall®).
  • 22. Security means access control •Classes of Firewalls Firewalls •Packet Filter Firewalls •Stateful Firewalls •Application Proxy Firewalls •Deep Packet Inspection Firewalls As an Automation engineer all you need to know Network traffic is sent in discrete groups of bits, called a packet. Each packet typically contains a number of separate pieces of information, including (but not limited to) items such as the: • Sender's identity (Source Address). • Recipient's identity (Destination Address). • Service to which the packet pertains (Port Number). • Network operation and status flags. • Actual payload of data to be delivered to the service. A firewall, determines what action to take with the packet, These decisions are based on a series of rules commonly referred to as Access Control Lists (ACLs). As an Automation engineer all you need to know
  • 23. Security means access control Firewalls •Overall Security Goals of ICS network Firewalls Ideally, a process control or SCADA network would be a closed system, accessible only by trusted internal components such as the Human Machine Interface (HMI) stations and data historians. But the need for external access from both corporate users and selected 3rd parties exists •production and maintenance management information needs to be relayed to computers and users outside of the plant floor for management purposes •vendors may need to access controllers for support purposes. Implicitly this means that some network paths exist from the outside
  • 24. Security means access control Firewalls •Overall Security Goals of ICS network Firewalls The goal of the firewall, simply stated, is to minimize the risk of unauthorized access (or network traffic) to internal components on the ICS systems. Such a risk minimization strategy will typically include the following general objectives. 1. No direct connections from the Internet to the PCN/SCADA network and viceversa.1. No direct connections from the Internet to the PCN/SCADA network and viceversa. 2. Restricted access from the enterprise network to the control network. 3. Unrestricted (but only authorized) access from the enterprise network to shared PCN/enterprise servers 4. Secure methods for authorized remote support of control systems. 5. Secure connectivity for wireless devices (if used). 6. Monitoring of traffic attempting to enter and on the PCN.
  • 25. Security means access control Firewalls •Common ICS network Segregation Architectures. 1. Dual-Homed Computers . 2. Dual-Homed Server with Personal Firewall Software . 3. Packet Filtering Router/Layer-3 Switch between PCN and EN.3. Packet Filtering Router/Layer-3 Switch between PCN and EN. 4. Two-Port Firewall between PCN and EN. 5. Router/Firewall Combination between PCN and EN . 6. Firewall with Demilitarized Zones between PCN and EN . 7. Paired Firewalls between PCN and EN .
  • 26. Common ICS network Segregation Architectures 1.Dual-Homed Computers. Observations •A computer without proper security controls could pose additional threats •All connections between the control network and the corporate network should be through a firewall. This configuration provides no security improvement and should not be used to bridge networks (e.g., ICS and corporate networks).
  • 27. Common ICS network Segregation Architectures 2.Dual-Homed Server with Personal Firewall Software . Observations •The first issue with this solution is that it will only provide a mechanism to allow the sharing of server data. If there is any other traffic that needs to traverse the PCN to EN boundary (such as remote maintenance access to a controller) then this architecture will either completely block that traffic or leave the PCN poorly secured.
  • 28. Common ICS network Segregation Architectures 3. Packet Filtering Router/Layer-3 Switch between PCN and EN. Observations •This type of packet filter design is only secure if the enterprise network is known to be highly secure in its own right and is not generally subject to attacks.
  • 29. Common ICS network Segregation Architectures 4.Two-Port Firewall between PCN and EN.
  • 30. Common ICS network Segregation Architectures 4.Two-Port Firewall between PCN and EN. Observations •this communication occurs at the application layer as Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP) requests. Flaws in the historian’s application layer code could result in a compromised historian •if HTTP packets are allowed through the firewall, then Trojan horse software accidentally introduced on an HMI or control network laptop could be controlled by a remote entity and send data . •while this architecture is a significant improvement over a non-segregated network, it requires the use of firewall rules that allow direct communications between the corporate network and control network devices. This can result in possible security breaches if not very carefully designed and monitored
  • 31. Common ICS network Segregation Architectures 5.Router/Firewall Combination between PCN and EN .
  • 32. Common ICS network Segregation Architectures 5.Router/Firewall Combination between PCN and EN . Observations •The use of a router/firewall combination. The router sits in front of the firewall and offers basic packet filtering services, while the firewall handles the more complex issues using either stateful inspection or proxy techniques. This type of design is very popular in Internet-facing firewalls because it allows the faster router to handle the bulk of the incoming packets, especially in the case of DoS attacks, and reduces the load on the firewall. It also offers improved defense-in-depth because there are two different devices an adversary must bypassdifferent devices an adversary must bypass
  • 33. Common ICS network Segregation Architectures 6.Firewall with Demilitarized Zones between PCN and EN .
  • 34. Common ICS network Segregation Architectures 6.Firewall with Demilitarized Zones between PCN and EN . Observations •By placing corporate-accessible components in the DMZ, no direct communication paths are required from the corporate network to the control network; each path effectively ends in the DMZ. Most firewalls can allow for multiple DMZs, and can specify what type of traffic may be forwarded between zones. •If a patch management server, an antivirus server, or other security server is to be used for the control network, it should be located directly on theis to be used for the control network, it should be located directly on the DMZ. Both functions could reside on a single server. Having patch management and antivirus management •The primary security risk in this type of architecture is that if a computer in the DMZ is compromised, then it can be used to launch an attack against the control network via application traffic permitted from the DMZ to the control network
  • 35. Common ICS network Segregation Architectures 7.Paired Firewalls between PCN and EN .
  • 36. Common ICS network Segregation Architectures 7.Paired Firewalls between PCN and EN . Observations •If firewalls from two different manufacturers are used, then this solution may offer a “defence in depth” advantage. It also allows process control groups and the IT groups to have clearly separated device responsibility since each can manage a firewall on its own. In fact it is the study team’s understanding that this design is recommended in the Federal Energy Regulatory Commission (FERC) Proposal for Security Standards for this reason
  • 37. Industrial Control Systems cyber Security summary
  • 38. Industrial Control Systems cyber Security references 1. "NRC Information Notice 2003-14: Potential Vulnerability of Plant Computer Network to Worm Infection", United States Nuclear Regulatory Commission, Washington, DC, August 29, 2003 2. “Process Control Network Reference Architecture v 1.0”, Invensys Inc., January 2004, pg. 2, 5 3. “Experion PKS Network and Security Planning Guide EP-DSX173, Release 210”, Honeywell Limited Australia, October 2004 4. “Presentation: Securing SIMATIC PCS7 and SIMATIC IT in Networks”, Siemens, 2003
  • 39. Industrial Control Systems cyber Security Prepared by: Ahmed Shitta Automation Section Head at Egyptian Projects Operation and Maintenance (EPROM) Email: ahmedshitta@gmail.com