Cybersecurity in Industrial Control Systems (ICS)

Presented at ISACA's EuroCACS 2015 (Copenhagen).
Understand the impact of Industrial Control Systems (ICS) on the security ecosystem.
Expand your knowledge of SCADA systems and of how cyberattacks can have physical consequences, bridging the cyber and physical worlds.


  1. Juan Figueras, CISA
  2. #ICSSecurity Juan Figueras (@JoanFiguerasT) #EUROCACS
     AGENDA
     • Introduction to Industrial Control Systems
     • Security Concerns (Cyber Incidents, CERT)
     • Threats and Vulnerabilities (ICS Exploitation, SHODAN)
     • IT/OT Convergence (Security Principles, Countermeasures)
     • Best Practices, Guidelines and Frameworks
     Juan Figueras, CISA, Security & Privacy Consultant
  3. ICS INTRODUCTION – Industrial processes
     • Manufacturing • Smart Grid • Utilities • Oil & Gas • Transport • Telecomm • Chemicals
  4. ICS DEFINITION
     Industrial Control Systems (ICS) are command and control networks and systems designed to support industrial processes [1]
     [1] ENISA, “Protecting Industrial Control Systems. Recommendations for Europe and Member States” (2011)
  5. ICS COMPONENTS
     • IED – Intelligent Electronic Device
     • RTU – Remote Terminal Unit
     • PLC – Programmable Logic Controller
     • DCS – Distributed Control System
     • HMI – Human-Machine Interface
     • SCADA – Supervisory Control and Data Acquisition
  6. ICS COMPONENTS (diagram relating SCADA, DCS, RTU, PLC, HMI and IED)
  7. SECURITY CONCERNS
     • Weak communication protocols
       – Lack of authentication in most cases
       – Lack of encryption
     • Weak passwords
       – Default passwords
       – Insecure password management
     • Poor QoS (Quality of Service)
       – DoS “friendly”
     • Internet-connected web servers without protection
     • Difficult or nonexistent patching
       – “If it isn’t broke, don’t fix it”
       – Extensive use of Windows XP
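The first concern on slide 7, protocols with no authentication, is easy to see on the wire. The following Python is an added example, not code from the talk or from any ICS vendor: it parses the MBAP header of a Modbus/TCP request (the Modbus port 502 listed later in the deck), notes that no field in the frame identifies who sent it, and then does the only thing a passive monitor can do in that situation, which is to flag write function codes arriving from any source address that is not on an allow-list. The frames, the HMI address 10.0.2.5 and the unexpected host 192.0.2.77 are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (subset used by this example)
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int   # starting coil/register address
    quantity: int  # quantity for reads and multi-writes, the value for single writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the MBAP header and the first two PDU fields of a Modbus/TCP request.

    Note what is absent: there is no credential, session token or signature
    anywhere in the frame. Whoever can reach TCP/502 can issue any function code.
    """
    if len(frame) < 12:
        raise ValueError("frame too short for a Modbus/TCP request")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function_code = frame[7]
    address, quantity = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(transaction_id, unit_id, function_code, address, quantity)


def audit_writes(observations, authorized_writers):
    """Flag write requests whose source address is not an approved writer.

    observations: iterable of (src_ip, frame_bytes) as a network tap would see them.
    Because the protocol cannot distinguish an HMI from an intruder, the source
    address is the only handle a monitor has; segmentation and allow-listing
    exist precisely to make that handle trustworthy.
    """
    alerts = []
    for src_ip, frame in observations:
        req = parse_modbus_tcp(frame)
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in authorized_writers:
            alerts.append({
                "src": src_ip,
                "unit": req.unit_id,
                "function": WRITE_FUNCTION_CODES[req.function_code],
                "address": req.address,
            })
    return alerts


# Constructed sample traffic: 10.0.2.5 plays the legitimate HMI, 192.0.2.77 an unexpected host.
SAMPLE_TRAFFIC = [
    ("10.0.2.5", bytes.fromhex("00010000000601030000000a")),                     # FC3 read 10 registers
    ("10.0.2.5", bytes.fromhex("000200000006010600100064")),                     # FC6 write reg 16 = 100
    ("192.0.2.77", bytes.fromhex("000300000006010600100000")),                   # FC6 write reg 16 = 0
    ("192.0.2.77", bytes.fromhex("00040000000b0110000000020400010002")),         # FC16 write 2 regs
]
AUTHORIZED_WRITERS = {"10.0.2.5"}

if __name__ == "__main__":
    for alert in audit_writes(SAMPLE_TRAFFIC, AUTHORIZED_WRITERS):
        print("unauthorized write:", alert)
```

Running the block reports the two writes from 192.0.2.77 and stays silent on the HMI's traffic. The reads are deliberately not alerted on; in a real deployment they are worth baselining too, since an unexpected reader is usually the reconnaissance step before an unexpected writer.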
  8. CYBER INCIDENTS

     | Attack | Year | Description | Vector | Outcome | Motivation |
     |---|---|---|---|---|---|
     | German Steel Mill Cyber Attack | 2014 | Malware to gain access to the corporate network and then move into the plant network | Spear-phishing email | Physical damage | Unknown |
     | DragonFly | 2014 | Campaign against energy companies compromising ICS equipment | SQL injection & Remote Access Trojan | Sabotage | Espionage / Sabotage |
     | Telvent Canada attack | 2012 | Access to SCADA admin tools | Malware | New project files stolen | Information theft |
     | Stuxnet | 2010 | Rootkit to take control of ICS of nuclear power plants | Infected USB flash drive | Systems stop | Sabotage |
     | Baku – Tbilisi – Ceyhan (BTC) pipeline attack | 2009 | Access to the pipeline’s control system to suppress alarms and manipulate the process | Physical access to network | Temporary disruption in pipeline transfers | Geopolitics (?) |
  9. ICS-CERT MONITOR
     245 incidents received by ICS-CERT in 2014 [2]
     [2] ICS-CERT Monitor, September 2014 – February 2015, NCCIC
  10. ICS-CERT MONITOR – 245 incidents received by ICS-CERT in 2014
     • Unauthorized access and exploitation of Internet-facing ICS/Supervisory Control and Data Acquisition (SCADA) devices
     • Exploitation of zero-day vulnerabilities in control system devices and software
     • Malware infections within air-gapped control system networks
     • SQL injection via exploitation of web application vulnerabilities
     • Network scanning and probing
     • Lateral movement between network zones
     • Targeted spear-phishing campaigns
  11. ICS-CERT MONITOR
  12. ICS EXPLOITATION: SHODAN DEMO (I) – Gathering information
  13. ICS EXPLOITATION
     Project SHINE uncovered that over 1 million SCADA/ICS systems are connected to the Internet with unique IPs, and this figure is growing by between 2,000 and 8,000 per day.
  14. ICS EXPLOITATION: SHODAN DEMO (II) – Common ICS ports
     • port 102 – Siemens S7
     • port 502 – Modbus
     • port 789 – Red Lion
     • port 20000 – DNP3
     • port 34980 – EtherCAT
     • port 34962 – PROFINET
     • port 44818 – EtherNet/IP
     • port 47808 – BACnet/IP
  15. ICS EXPLOITATION – Open Sourced Vulnerability Database (
  16. IT/OT CONVERGENCE
     «The purpose of ENTERPRISE security is to protect the data residing in the servers from attack. The purpose of ICS security is to protect the ability of the facility to safely and securely operate, regardless of what may befall the rest of the network» [3]
     [3] Weiss, Joe; “Assuring Industrial Control Systems (ICS) Cyber Security”
  17. SECURITY PRINCIPLES (IT vs. OT) – the CIA triad ranked by importance
     • IT systems (business): Confidentiality > Integrity > Availability
     • OT systems (ICS): Availability > Integrity > Confidentiality
  18. ISA95: ENTERPRISE – CONTROL SYSTEM INTEGRATION
  19. ISA95: ENTERPRISE – CONTROL SYSTEM INTEGRATION
     • Level 4 – ERP, CRM, BI (Business Planning & Logistics)
     • Level 3 – MES, Batch, Historian (Manufacturing Operations)
     • Level 2 – HMI, SCADA (Manufacturing Control and Monitoring)
     • Level 1 – PLCs, DCS (Manufacturing Control and Monitoring)
     • Level 0 – I/O, Devices and Sensors (Production Process)
     Network tiers, top to bottom: Business Networks, Operations Networks, Automation Networks, Device Networks
  20. COUNTERMEASURES [4]
     1. Assess existing systems: understand risk and prioritize vulnerabilities
     2. Document policies and procedures: determine your position regarding ICS and develop company-specific policies
     3. Train personnel and contractors: develop and institute policy awareness and training programs
     4. Segment the control system network: create distinct network segments and isolate critical parts of the system using a “zone and conduit” model
     5. Control access to the system: provide physical and logical access controls to both your zones and equipment
     6. Harden the components of the system: lock down the functionality of components
     7. Monitor and maintain the system: update antivirus signatures, install patches, and monitor the system for suspicious activity
     [4] Byres, Eric; “The Industrial Cybersecurity Problem” – ISA White Paper
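Countermeasure 4 (the zone and conduit model) combined with the ISA95 levels of slide 19 and the ICS port list of slide 14 can be turned into a mechanical check of firewall logs. The following Python is an added example, not code from the talk or from ISA: it assigns each IP to a zone (one subnet per ISA95 level, a layout assumed for the example), keeps an explicit allow-list of conduits, and classifies every flow to an ICS protocol port as matching a conduit, skipping levels, or arriving from outside all zones, the last being exactly the Internet-exposed device Project SHINE and the ICS-CERT figures describe. The subnets, the conduit list, the log format and the log lines are all constructed.

```python
import ipaddress
import re

# Common ICS ports from slide 14
ICS_PORTS = {
    102: "Siemens S7", 502: "Modbus", 789: "Red Lion", 20000: "DNP3",
    34980: "EtherCAT", 34962: "PROFINET", 44818: "EtherNet/IP", 47808: "BACnet/IP",
}

# Assumed zone layout for this example: one subnet per ISA95 level.
ZONES = [
    ("Business",    4, ipaddress.ip_network("10.4.0.0/16")),
    ("Operations",  3, ipaddress.ip_network("10.3.0.0/16")),
    ("Supervisory", 2, ipaddress.ip_network("10.2.0.0/16")),
    ("Control",     1, ipaddress.ip_network("10.1.0.0/16")),
]

# Conduits: the only (source zone, destination zone, port) triples allowed to carry ICS protocols.
# Everything not listed here is denied by default. Assumed for the example.
CONDUITS = {
    ("Supervisory", "Control", 502),       # SCADA/HMI polling PLCs over Modbus
    ("Supervisory", "Control", 102),       # SCADA/HMI talking S7
    ("Operations", "Supervisory", 44818),  # historian collecting from the SCADA server
}

# Assumed firewall log format: key=value pairs for source, destination and destination port
LOG_PATTERN = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def zone_of(ip: str):
    """Return (zone name, ISA95 level); level is None for addresses outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, level, net in ZONES:
        if addr in net:
            return name, level
    return "External", None


def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int) -> dict:
    """Classify one flow against the zone and conduit model."""
    if dst_port not in ICS_PORTS:
        return {"verdict": "ignore", "reason": "not an ICS protocol port"}
    proto = ICS_PORTS[dst_port]
    src_zone, src_level = zone_of(src_ip)
    dst_zone, dst_level = zone_of(dst_ip)
    if src_level is None:
        return {"verdict": "deny",
                "reason": f"{proto} reachable from outside all zones (Internet-exposed ICS service)"}
    if dst_level is None:
        return {"verdict": "deny", "reason": f"{proto} leaving the plant towards {dst_zone}"}
    if (src_zone, dst_zone, dst_port) in CONDUITS:
        return {"verdict": "allow", "reason": f"{proto} {src_zone}->{dst_zone} matches a defined conduit"}
    detail = f"{proto} {src_zone}(L{src_level})->{dst_zone}(L{dst_level}) has no conduit"
    if abs(src_level - dst_level) > 1:
        detail += "; flow skips intermediate level(s)"
    return {"verdict": "deny", "reason": detail}


def audit_log(lines):
    """Run every parseable log line through evaluate_flow and return the verdicts in order."""
    results = []
    for line in lines:
        match = LOG_PATTERN.search(line)
        if not match:
            continue
        src, dst, port = match.group(1), match.group(2), int(match.group(3))
        verdict = evaluate_flow(src, dst, port)
        verdict["flow"] = f"{src}->{dst}:{port}"
        results.append(verdict)
    return results


# Constructed firewall log lines
SAMPLE_LOG = [
    "src=10.2.0.10 dst=10.1.0.5 dport=502",        # HMI -> PLC, Modbus: defined conduit
    "src=10.4.0.25 dst=10.1.0.5 dport=102",        # business workstation -> PLC: skips L3 and L2
    "src=198.51.100.7 dst=10.2.0.10 dport=20000",  # Internet -> SCADA server, DNP3
    "src=10.3.0.8 dst=10.2.0.10 dport=44818",      # historian -> SCADA server: defined conduit
    "src=10.4.0.25 dst=10.3.0.8 dport=443",        # HTTPS, not an ICS port
]

if __name__ == "__main__":
    for result in audit_log(SAMPLE_LOG):
        print(f"{result['verdict']:6} {result['flow']:32} {result['reason']}")
```

The deny-by-default shape matters more than the specific ports: the conduit set is the documented policy from countermeasure 2, and anything the log shows outside it is either a rule gap to fix or an incident to investigate (countermeasure 7).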
  21. BEST PRACTICES & GUIDELINES
     • ISA99/IEC 62443 – Security for Industrial Automation and Control Systems
     • NIST SP 800-82 – Guide to Industrial Control Systems (ICS) Security
     • ENISA Report (2011) – Protecting Industrial Control Systems. Recommendations for Europe and Member States
     • IIC Technical Paper (2015) – Industrial Internet Reference Architecture
  22. FRAMEWORK: COBIT 5 – Implementing NIST Cybersecurity Framework Using COBIT 5
  23. ICS SECURITY FRAMEWORK – Standards Leveraged for IACS Cybersecurity Framework Example [5]
     [5] Alcoforado, Ivan; “Leveraging Industrial Standards to Address Industrial Cybersecurity Risk”; ISACA Journal, Volume 4, 2016
  24. THANK YOU! Juan Figueras, CISA, Security & Privacy Consultant, @JoanFiguerasT