Juan Figueras, CISA

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
AGENDA
• Introduction to Industrial Control Systems
• Security Concerns (Cyber Incidents, CERT)
• Threats and Vulnerabilities (ICS Exploitation, SHODAN)
• IT/OT Convergence (Security Principles, Countermeasures)
• Best Practices, Guidelines and Frameworks
Juan Figueras, CISA
Security & Privacy Consultant

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS INTRODUCTION
Industrial processes
• Manufacturing
• Smart Grid
• Utilities
• Oil & Gas
• Transport
• Telecomm
• Chemicals

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS DEFINITION
Industrial Control Systems
(ICS) are command and control
network and systems designed
to support industrial processes[1]
[1] ENISA “Protecting Industrial Control Systems. Recommendations for Europe and Member States” (2011)

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS COMPONENTS
• IED – Intelligent Electronic Device
• RTU – Remote Terminal Units
• PLC – Programmable Logic Controllers
• DCS – Distributed Control Systems
• HMI – Human-Machine Interfaces
• SCADA – Supervisory Control and Data Acquisition

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS COMPONENTS
SCADA
DCS
RTU
PLC HMI
IED

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
SECURITY CONCERNS
• Weak communication protocols
– Lack of authentication in most cases
– Lack of encryption
• Weak passwords
– Default passwords
– Insecure password management
• Poor QoS (Quality of Service)
– DoS “friendly”
• Internet connected web servers without protection
• Difficult or nonexistent patching
– “If it isn’t broke, don’t fix it”
– Extensive use of Windows XP

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
CYBER INCIDENTS
Attack Year Description Vector Outcome Motivation
German Steel
Mill Cyber Attack
2014
Malware to gain access to
the corporate network an
then moved into the plant
network
Spear Phishing
email
Physical damage Unknown
DragonFly 2014
Campaign against energy
companies compromising
ICS equipment
SQL Injection &
Remote Access
Trojan
Sabotage
Espionage /
Sabotage
Telvent Canada
attack
2012
Access to SCADA Admin
Tools
Malware
New project files
stolen
Information Thief
Stuxnet 2010
Rootkit to take control of
ICS of nuclear power
plants
Infected USB
flash drive
Systems stop Sabotage
Baku – Tbilisi -
Ceyhan (BTC)
pipeline attack
2009
Access to the pipeline’s
control System to supress
alarms ans manipulate
the process
Physical access
to network
Temporary
disruption in
pipeline transfers
Geopolitics (?)

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS-CERT MONITOR
245 incidents received by ICS-CERT in 2014
[2]
[2] ICS-CERT Monitor, September 2014 - February 2015, NCCIC

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS-CERT MONITOR
245 incidents received by ICS-CERT in 2014
• Unauthorized access and exploitation of Internet facing ICS/Supervisory
Control and Data Acquisition (SCADA) devices
• Exploitation of zero-day vulnerabilities in control system devices and
software
• Malware infections within air-gapped control system networks
• SQL injection via exploitation of web application vulnerabilities
• Network scanning and probing
• Lateral movement between network zones
• Targeted spear-phishing campaigns

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS-CERT MONITOR

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS EXPLOITATION: SHODAN DEMO (I)
Gathering information

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS EXPLOITATION
Project SHINE, uncovered that over 1 million SCADA / ICS systems
are connected to the internet with unique IPs, and this figure is
growing by between 2000 – 8000 per day.

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS EXPLOITATION: SHODAN DEMO (II)
Common ICS ports
port 102 Siemens S7
port 502 Modbus
port 789 Red Lion
port 20000 DNP3
port 34980 EtherCAT
port 34962 PROFINET
port 44818 EtherNet/IP
port 47808 BACnet/IP

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS EXPLOITATION
Open Sourced Vulnerability Database (http://www.osvdb.org)

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
IT/OT CONVERGENCE
«The purpose of ENTERPRISE security is to protect the data
residing in the servers from attack.
The purpose of ICS security is to protect the ability of the facility to
safely and securely operate, regardless of what may befall the rest
of the network» [3]
[3] Weiss, Joe; “Assuring Industrial Control Systems (ICS) Cyber Security”

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
SECURITY PRINCIPLES (IT vs. OT)
CONFIDENTIALITY
INTEGRITY
AVAILABILITY
IT Systems OT Systems
(Business) (ICS)
+ importance - - importance +

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ISA95: ENTERPRISE – CONTROL SYSTEM INTEGRATION

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ISA95: ENTERPRISE – CONTROL SYSTEM INTEGRATION
Level 0
Level 1 I/O, Devices and Sensors
Production Process
Device
Networks
Level 2 HMI, SCADA
Level 3 MES, Batch, Historian
Level 4 ERP. CRM, BI
Business Planning
& Logistics
Manufacturing
Operations
Manufacturing
Control and
Monitoring
Automation
Networks
Operations
Networks
Business
Networks
PLCs, DCS

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
COUNTERMEASURES [4]
1. Assess existing systems: Understand risk and prioritize vulnerabilities
2. Document policies and procedures: Determine position regarding ICS
and develop company-specific policies
3. Train personnel and contractors: Develop and institute policy awareness
and training programs
4. Segment the control system network: Create distinct network segments
and isolate critical parts of the system using a “zone and conduit” model
5. Control access to the system: Provide physical and logistical access
controls to both your zones and equipment
6. Harden the components of the system: Lock down the functionality of
components
7. Monitor and maintain the system: Update antivirus signatures, install
patches, and monitor the system for suspicious activity
[4] Byres, Eric; “The Industrial Cybersecurity Problem” – ISA White Paper

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
BEST PRACTICES & GUIDELINES
• ISA99/IEC 62443
Security for Industrial Automation and Control Systems
• NIST SP 800-82
Guide to Industrial Control Systems (ICS) Security
• ENISA Report (2011)
Protecting Industrial Control Systems. Recommendations
for Europe and Member States
• IIC Technical Paper (2015)
Industrial Internet Reference Architecture

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
FRAMEWORK: COBIT 5
Implementing NIST Cybersecurity
Framework Using COBIT 5

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
ICS SECURITY FRAMEWORK
[5] Alcoforado, Ivan; “Leveraging Industrial Standards to Address Industrial Cybersecurity Risk”;
ISACA Journal, Volume 4, 2016
Standards Leveraged for IACS
Cybersecurity Framework Example [5]

#ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
THANK YOU!
Juan Figueras, CISA
Security & Privacy Consultant
@JoanFiguerasT