2. INDUSTRIAL CONTROL SYSTEMS AND SCADA
• Industrial Control Systems (ICSs) and Supervisory Control and Data Acquisition (SCADA) systems are the backbone of the major infrastructure of every city in the world. Protecting these systems and preventing security breaches has become a priority for all governments.
• A single breach can shut down a power grid, disrupt traffic control systems, cause major aviation disasters and contaminate the water supply.
• ICSs were originally built as stand-alone systems that were not interconnected and had little in the way of security protections. The Internet and ubiquitous IP networks have changed the design of many ICSs such that the control network is now often a protected extension of the corporate network. This means that these delicate ICSs are potentially reachable from the Internet by skilled, malicious adversaries.
3. DIFFERENCES BETWEEN IT AND OT SYSTEMS
ATTRIBUTE            | IT SYSTEMS          | OT SYSTEMS
MESSAGE INTEGRITY    | LOW-MEDIUM          | VERY HIGH
SYSTEM AVAILABILITY  | LOW-MEDIUM          | VERY HIGH
TIME CRITICALITY     | DAYS TOLERATED      | CRITICAL
SYSTEM DOWNTIME      | TOLERATED           | NOT ACCEPTABLE
SYSTEM LIFE CYCLE    | 3-5 YEARS           | 15-25 YEARS
INTEROPERABILITY     | NOT CRITICAL        | CRITICAL
COMPUTING RESOURCES  | "ALMOST UNLIMITED"  | VERY LIMITED, ESPECIALLY WITH LEGACY SYSTEMS
SOFTWARE CHANGES     | FREQUENT            | RARE
WORST CASE IMPACTS   | LOSS OF DATA        | EQUIPMENT DESTRUCTION / INJURIES / LOSS OF LIFE
4. NEED FOR CONVERGENCE ?
Traditionally, OT systems were passively secured by an AIR GAP: they were not networked the way IT systems are, which reduced their exposure to risk. OT systems were protected mainly by physical security.
However, Industrial Revolution 4.0 is changing this. There is now a strong need to connect OT with IT for better productivity and higher efficiency of the overall system, and businesses always trade security and privacy for convenience.
This convergence of OT with IT has broadened the attack surface, and OT systems are the more vulnerable side because of their different context, especially in System Life Cycle and Worst Case Impacts.
7. ICS SECURITY CHALLENGES
• SCADA systems and PLC software are developed by engineering companies with very limited experience of secure system development, under the guidance of domain experts who may never have had any training in security techniques.
• Lack of processing power in legacy systems makes it challenging to install anti-virus protection.
• Security testing on ICS systems must be approached with caution, as it can seriously affect the operation of many control devices.
• Not only does the process run on legacy systems, but the standard fieldbus protocols such as Modbus lack basic encryption and authentication.
• The longer life cycle gives an attacker plenty of time to plan and design an intrusion.
• There are fewer opportunities to take the system offline for routine testing, patching and maintenance.
8. PURDUE MODEL – TYPICAL ICS ARCHITECTURE
The Purdue model divides the ICS architecture into three zones and six levels:
Enterprise zone:
  Level 5: Enterprise network
  Level 4: Site business and logistics
Industrial Demilitarized Zone (IDMZ)
Manufacturing zone (also called the Industrial zone):
  Level 3: Site operations
  Level 2: Area supervisory control
  Level 1: Basic control
  Level 0: The process
9. PURDUE MODEL
• Between the Enterprise zone and the Industrial zone lies the Industrial Demilitarized Zone, or IDMZ. Much like a traditional (IT) DMZ, the OT-oriented IDMZ allows you to securely connect networks with different security requirements.
• The IDMZ is the result of efforts to create security standards such as the NIST Cybersecurity Framework and NERC CIP. The IDMZ is an information-sharing layer between the business or IT systems in levels 4 and 5 and the production or OT systems in levels 3 and lower.
• By preventing direct communication between IT and OT systems and having a broker service in the IDMZ relay the communications, an extra layer of separation and inspection is added to the overall architecture. Systems in the lower levels are not directly exposed to attack or compromise. If a system somewhere in the IDMZ were compromised, the IDMZ could be shut down, the compromise contained, and production could continue.
• Trust zones:
  Enterprise zone: Low trust
  Industrial DMZ: Medium trust
  Industrial zone: High trust
  Subzones of the Industrial zone: High trust
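The IDMZ rule above (levels 4 and 5 never talk directly to levels 3 and lower; every cross-zone conduit terminates on a broker in the IDMZ) can be checked mechanically against a proposed firewall rule set. The following is an added example, not part of the slides: the zone names, the use of "3.5" as the IDMZ level and the sample rules are assumptions for illustration.

```python
# Added example: audit proposed conduits against the Purdue/IDMZ separation rule.
# Zone labels, the conventional "level 3.5" for the IDMZ and the sample rules
# are illustrative assumptions, not taken from the slides.

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"


def zone_of(level):
    """Map a Purdue level to its trust zone (levels 4-5 enterprise, 0-3 industrial)."""
    if level in (4, 5):
        return ENTERPRISE
    if level == 3.5:          # assumption: IDMZ modelled as level 3.5
        return IDMZ
    if level in (0, 1, 2, 3):
        return INDUSTRIAL
    raise ValueError(f"unknown Purdue level {level!r}")


def check_conduit(src_level, dst_level):
    """Return None if the flow is permitted by the zoning rule, else a reason."""
    src, dst = zone_of(src_level), zone_of(dst_level)
    if src == dst:
        return None          # intra-zone traffic is governed by that zone's own controls
    if IDMZ in (src, dst):
        return None          # one end is the IDMZ broker: this is the intended path
    return f"direct {src}->{dst} conduit bypasses the IDMZ"


def audit(rules):
    """rules: iterable of (name, src_level, dst_level). Returns [(name, reason), ...]."""
    violations = []
    for name, src_level, dst_level in rules:
        reason = check_conduit(src_level, dst_level)
        if reason is not None:
            violations.append((name, reason))
    return violations


# Constructed sample rule set (not a real site)
SAMPLE_RULES = [
    ("erp-to-historian-mirror", 4, 3.5),   # ok: enterprise reads the IDMZ replica
    ("historian-mirror-pull", 3.5, 3),     # ok: IDMZ broker pulls from site historian
    ("scada-to-plc", 2, 1),                # ok: intra-industrial
    ("vendor-vpn-to-plc", 5, 1),           # violation: enterprise straight to level 1
    ("laptop-to-scada", 4, 2),             # violation: enterprise straight to level 2
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"VIOLATION {name}: {reason}")
```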
10. ICS RISK ASSESSMENT PROCESS
Process: Asset identification and system characterization
  IT systems: Discovery of assets is often accomplished with scanning tools, running ping sweeps and ARP scans.
  OT systems: ICS networks are often far more sensitive to active scanning; such techniques cause performance degradation, and if any single device fails, the entire process fails. Active scanning is done only when systems are out of production; otherwise passive scanning techniques are used.
Process: Vulnerability identification and threat modeling
  IT systems: By scanning using industry-standard tools.
  OT systems: By comparison. The comparison method takes all the running software, firmware and OS versions and compares them to online vulnerability databases, searching for known vulnerabilities (e.g. the ICS-CERT vulnerability database).
Process: Risk calculation and mitigation
  IT systems: Quantify the risk by assigning a risk score to every risk scenario.
  OT systems: Quantify the risk by assigning a risk score to every risk scenario.
11. ICS SECURITY RESTRICTIONS
Segment: Device-related restrictions
  Resource-constrained ICS control and automation devices prevent the manufacturer from implementing power-hungry and resource-demanding security controls like authentication or encryption. Their extremely long life span makes them more fragile.
Segment: Network-related restrictions
  Many ICS run critical functions where continuous, real-time communication and connection to process values is a must. The latency or delay introduced by a network firewall or NIDS can be enough to bring a process down.
Segment: Safety-related restrictions
  An 18-character randomly generated password or a password lockout system can prevent an operator from logging in to a system to make changes or interact, resulting in an unsafe situation like loss of life or process meltdown.
Segment: Runtime and uptime requirements
  Many ICS run processes and production systems with extremely high uptime requirements. There is simply no time to do any maintenance, patching or security-related activities on systems with these kinds of uptime requirements. Compounding the matter is the fact that many ICS have strict integrity requirements: the slightest change in the ICS setup or configuration will trigger a mandatory revalidation process for the entire ICS.
12. DEFENDING AN ICS ?
Strategy: Security by obscurity
  The idea is that by hiding or obscuring the ICS network, an attacker will not be able to find the network, and one cannot attack what one cannot find. To a degree, this strategy actually worked when the ICS protocols and communication media were proprietary and restrictive or limited in what they could achieve.
Strategy: Perimeter defense
  With perimeter defense, a security appliance such as a firewall is placed at the edge or perimeter of a network to inspect and filter all ingress and sometimes egress traffic. What this model doesn't take into consideration is the state of the systems inside the network being protected. If systems that are already compromised are introduced into that network (think infected laptops), a perimeter defense strategy is useless.
Strategy: By nature, ICS are very defensible
  Because ICS systems tend to be stagnant in configuration, it is easier to detect anomalies. For example, it is relatively easy to establish a standard traffic pattern on a controls network and start looking for deviations from normal. Also, because ICS don't change very often, the environment they are in is easier to secure. An example to that point is that a PLC can be placed in a locked cabinet with its program locked into run mode, because once a PLC is running, changes are hardly ever necessary. If changes are needed, a change control program should secure the proper management of those changes.
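The "establish a standard traffic pattern and look for deviations" idea above can be implemented as a learned whitelist over control-network flows. The following is an added example, not from the slides: it learns which (source, destination, port, Modbus function code) tuples appear during a known-good window and grades later flows that fall outside it, treating a write function code or an unseen host as the more serious deviation. The hosts and flow records are constructed; the Modbus function-code names are the standard public ones.

```python
# Added example: whitelist baseline for a stagnant control network.
# Flow records are (src_ip, dst_ip, dst_port, modbus_function_code); all
# addresses and records below are constructed, not captured from a real plant.

MODBUS_FC = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
             4: "Read Input Registers", 5: "Write Single Coil",
             6: "Write Single Register", 15: "Write Multiple Coils",
             16: "Write Multiple Registers"}
WRITE_FCS = {5, 6, 15, 16}   # function codes that change process state


def learn_baseline(flows):
    """Record every distinct flow seen during a known-good observation window."""
    return {tuple(flow) for flow in flows}


def classify(flow, baseline):
    """Return None for baseline traffic, else (severity, reason) for the deviation."""
    src, dst, dport, fc = flow
    if tuple(flow) in baseline:
        return None
    known_host = any(src in (b[0], b[1]) for b in baseline)
    known_pair = any(b[0] == src and b[1] == dst for b in baseline)
    fc_name = MODBUS_FC.get(fc, f"function code {fc}")
    if not known_host:
        return ("high", f"unknown host {src} talking to {dst} on port {dport}")
    if known_pair and fc in WRITE_FCS:
        return ("high", f"{src} issued {fc_name} to {dst}; never seen writing before")
    if known_pair:
        return ("medium", f"{src}->{dst}: new function {fc_name}")
    return ("medium", f"known host {src} opened a new conversation to {dst}:{dport}")


def detect(flows, baseline):
    """Return [(flow, (severity, reason)), ...] for every non-baseline flow."""
    findings = []
    for flow in flows:
        verdict = classify(flow, baseline)
        if verdict is not None:
            findings.append((tuple(flow), verdict))
    return findings


# Constructed sample data: an HMI polling two PLCs during commissioning ...
BASELINE_WINDOW = [("10.10.2.10", "10.10.1.21", 502, 3),
                   ("10.10.2.10", "10.10.1.22", 502, 3),
                   ("10.10.2.10", "10.10.1.21", 502, 1)]
# ... and a later window containing three deviations.
LIVE_WINDOW = [("10.10.2.10", "10.10.1.21", 502, 3),    # normal poll
               ("10.10.2.10", "10.10.1.21", 502, 16),   # HMI starts writing registers
               ("10.10.2.77", "10.10.1.22", 502, 3),    # host never seen before
               ("10.10.2.10", "10.10.1.23", 502, 3)]    # HMI polls an unlisted PLC
```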
13. SECURING ICS - DEFENSE-IN-DEPTH MODEL
Area zone/cell: Actions that can be taken during the design phase of an ICS
Physical security
  Limit physical access to cell/area zones, control panels, devices, cabling and control rooms to authorized personnel, through the use of locks, gates, key cards and biometrics.
Network security
  A security framework, for example firewall policies, ACL policies for switches and routers, AAA and intrusion detection systems; network segmentation and establishing zones and conduits. Note: an IPS is not advisable, as it hinders availability, which is the key factor of any ICS.
Computer security
  Patch management, anti-malware software, removal of unused applications/protocols/services, closing unnecessary logical ports, and protecting physical ports.
Application security
  Authentication, authorization and accounting (AAA), as well as vulnerability management, patch management and secure development life cycle management.
Device security
  Device hardening, communication encryption and restrictive access, as well as patch management, device life cycle management, and configuration and change management.
Policies, procedures and awareness
  Finally, gluing all the security controls together are policies, procedures and awareness. Policies are a high-level guideline on what the expected security stance is for ICS systems and devices. Awareness (training) helps get and keep attention on security-related aspects of the ICS and its operation.
14. SECURING ICS - SAFETY INSTRUMENTED SYSTEMS
Safety instrumented systems, or SIS, are dedicated safety monitoring systems. They are there to safely and gracefully shut down the monitored system, or bring that system to a predefined safe state, in case of a hardware malfunction. An SIS uses a set of voting systems to determine whether a system is performing normally.
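The voting an SIS performs can be made concrete with a 2-out-of-3 (2oo3) voter over three redundant sensors measuring the same process variable. The following is an added example, not from the slides: the trip limit, tolerance, readings and the degraded-mode behaviour (fall back to 1oo2 when one sensor has failed, fail safe when two have) are assumptions chosen to illustrate one common arrangement.

```python
# Added example: 2oo3 voter of the kind a safety instrumented system uses.
# Limits, tolerance, sensor readings and the degraded-mode policy below are
# illustrative assumptions, not taken from the slides or from any standard text.
from dataclasses import dataclass


@dataclass
class Verdict:
    trip: bool          # True: drive the process to its predefined safe state
    degraded: bool      # True: fewer than three healthy sensors are voting
    discrepancy: bool   # True: healthy sensors disagree beyond tolerance (maintenance alarm)


def vote_2oo3(readings, high_limit, tolerance):
    """readings: three sensor values, None marking a sensor in fault."""
    if len(readings) != 3:
        raise ValueError("2oo3 voter needs exactly three channels")
    healthy = [r for r in readings if r is not None]
    if len(healthy) < 2:
        # No majority can be formed: fail safe rather than keep running blind.
        return Verdict(trip=True, degraded=True, discrepancy=False)
    over_limit = sum(1 for r in healthy if r > high_limit)
    discrepancy = (max(healthy) - min(healthy)) > tolerance
    if len(healthy) == 3:
        trip = over_limit >= 2                 # normal 2oo3
        return Verdict(trip, degraded=False, discrepancy=discrepancy)
    trip = over_limit >= 1                     # degraded to 1oo2: either channel trips
    return Verdict(trip, degraded=True, discrepancy=discrepancy)


if __name__ == "__main__":
    # Constructed readings for a vessel with a 100.0 high limit and 5.0 tolerance.
    for sample in ([98.0, 99.0, 97.0], [105.0, 104.0, 96.0],
                   [105.0, 96.0, 95.0], [None, 101.0, 98.0], [None, None, 98.0]):
        print(sample, vote_2oo3(sample, high_limit=100.0, tolerance=5.0))
```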
15. SECURING ICS - DATA DIODE
IEC 62443 (ISA99) zoning requires creating boundaries between IT and OT systems, with a range of measures covering the differing information exchange requirements between domains.
Next generation data diode offers guarded one-way feeds across zones