Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)

© 2015 Belden Inc. | belden.com | @BeldenInc 1
Industrial Cyber Security:
What You Don’t Know MIGHT Hurt You (and others…)
September 21, 2016
David Meltzer
Chief Research Officer
Belden-Tripwire
Tony Gore
Chief Executive Officer
Red Trident Inc.
John Powell
Critical Infrastructure
Engineer

• Understand what cyber security risks may apply to your environment
• Industrial standards that may apply to your ICS Operations environment
• Learn how to automate and simplify the inventory process and secure your assets
• Hear real-world tips on how to prioritize and work across functional silos within
your company
• Suggestions and resources for future progress
• Receive an industrial cyber security self-assessment checklist as a starting point
Agenda and Objectives

You can’t protect or secure
what you don’t know you have
(Therefore, at-risk industrial assets can put employee or public safety at risk)

ICS Risks - SANS 2016 State of ICS Survey Report
• Top Attack Concern – External/Outsiders
• Top Target Concern – Commercial OS (Windows,
Linux), and key assets: HMI, historians, operations
engineering workstations, control systems, asset
management systems,etc)

• ICS Vulnerability Disclosures by Year – 90% of 1552 in 2011 - April 2016
• 123 Vendors have ICS vulnerabilities
• 33% = No fixes or patches available at public disclosure
Risks- ICS Vulnerabilities from 2000 - Q12016
- FireEye iSight Intelligence 2016 ICS Vulnerability Trend Report

• Oil pipeline shut down for 6 hours after software is
accidently uploaded to a PLC on the plant network
instead of test network
• 13 auto assembly plants were shut down by a simple
Internet worm; 50,000 workers stop work for 1 hour
while malware removed
• Operators at a major USA nuclear power plant forced
to “scram” the reactor after cooling drive controllers
crashed due to “excessive network traffic”
It’s Not All About Hackers & Terrorists
Consider the Financial Implications of Disruptions

What is an ICS Cyber Threat?
• Cyber threat is an important category of industrial risk
typically targeting plant and operations networks, endpoints
and control systems
• Who Does This?
• Outsiders
• Control system level breaches grew more than 33% during 2014 and 2015
fiscal years.
• Malicious Insiders
• 49% believe insider threat is their top concern
• Human Error – Employees, Contractors
• 25% of ICS incidents were due to current employees or insiders
- Sources: SANS Institute, ICS-CERT, PWC, FireEye

 Skilled – Have been working with industrial cyber security topics for some time, possibly
have industry certifications for same, and/or have designed industrial operations
networks and system architectures, policies and procedures for security.
 Knowledgeable – Familiar with perhaps one or two technologies and some customer
issues (typically some details of anti-virus, ID/authentication systems, and sometimes
encryption)
 Conversant – Knows terms and generally what they mean, often can ask good
questions, but doesn’t necessarily have the big picture
 Newbie – I’ve heard the term “cyber security”
Survey - Cyber Security Skills Self-Assessment

• National Institute of Standards and Technology
• International Society of Automation
• International Electrotechnical Commission
• International Organization for Standardization
Standards and Best Practices

NIST Framework
NIST CSF Mapping to ISA/IEC 62443
http://isa99.isa.org

NIST Risk Assessment
Function Category Subcategory Informative References
IDENTIFY (ID)
Risk Assessment (ID.RA):
The organization understands the
cybersecurity risk to organizational
operations (including mission, functions,
image, or reputation), organizational
assets, and individuals.
ID.RA-1: Asset vulnerabilities are identified and
documented
CCS CSC 4
COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
ISA 62443-2-1:2009 4.2.3, 4.2.3.7, 4.2.3.9, 4.2.3.12
ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-
5, SA-11, SI-2, SI-4, SI-5
ID.RA-2: Threat and vulnerability information is
received from information sharing forums and
sources
ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
ISO/IEC 27001:2013 A.6.1.4
NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
ID.RA-3: Threats, both internal and external, are
identified and documented
COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
ID.RA-4: Potential business impacts and likelihoods
are identified
COBIT 5 DSS04.02
ISA 62443-2-1:2009 4.2.3, 4.2.3.9, 4.2.3.12
NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
ID.RA-5: Threats, vulnerabilities, likelihoods, and
impacts are used to determine risk
COBIT 5 APO12.02
ISO/IEC 27001:2013 A.12.6.1
NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
ID.RA-6: Risk responses are identified and
prioritized
COBIT 5 APO12.05, APO13.02
NIST SP 800-53 Rev. 4 PM-4, PM-9

ISA/IEC 62443-2-1 Requirements
A.2.3.3.6.2 Characterize key IACS
Identifying and prioritizing IACS risks requires that an organization
locate and identify key industrial automation and control systems and
devices, and the characteristics of these systems that drive risk.
Without an inventory of the IACS devices and networks, it is difficult to
assess and prioritize where security measures are required and where
they will have the most impact.
ENTERPRIZE ZONE
PLANT BUSINESS ZONE
SIS ZONE
PROCESS CONTROL ZONE
Equipment
Room
Control Room
Router
WAN
Historian
Printer
Operator 1 Operator 2 Operator 3
Eng
Workstation
ERP
Tag
Server B
Tag
Server A
Batch
Corporate Data
Center
Eng Laptop Plant Staff Laptops
Tank Farm /
Loading & Unloading
BPCS SIS
Asset
Number Equipment ID Functionality IP Address Zone Location Operating System
EWS101 EWS_101 Engineering
Workstation
192.168.1.20 BPCS Control
Room
Windows 7, Pro SP1

NIST SP 800-82 Requirements
4.5.1 Categorize ICS Systems and Networks Assets
• The information security team should define, inventory, and
categorize the applications and computer systems within the ICS, as
well as the networks within and interfacing to the ICS.
• The focus should be on systems rather than just devices, and should
include PLCs, DCS, SCADA, and instrument-based systems that use
a monitoring device such as an HMI. Assets that use a routable
protocol or are dial-up accessible should be documented.
• The team should review and update the ICS asset list annually and
after each asset addition or removal.
ENTERPRIZE ZONE
PLANT BUSINESS ZONE
SIS ZONE
Equipment
Room
Control Room
Router
WAN
Historian
Printer
Eng
Workstation
ERP
Tag
Server B
Tag
Server A
Batch
Corporate Data
Center
Tank Farm /
Loading & Unloading
BPCS SIS

Equipment
Room
Control Room
Router
WAN
Historian
Printer
Eng
Workstation
ERP
Tag
Server B
Tag
Server A
Batch
Corporate Data
Center
Tank Farm /
Loading & Unloading
BPCS SIS
Document Assets and
Identify improper network design
Example System Architecture Diagram

Partition the System into Zones and Conduits
ENTERPRIZE ZONE
PLANT BUSINESS ZONE
SIS ZONE
Equipment
Room
Control Room
Router
WAN
Historian
Printer
Eng
Workstation
ERP
Tag
Server B
Tag
Server A
Batch
Corporate Data
Center
Tank Farm /
Loading & Unloading
BPCS SIS
Conduits
Zones

• Common starting point is with a risk
assessment
• Foundation - Inventory of
hardware and software assets
• Approaches:
−Manual
−Hire it Out
−Automation
• How to Mitigate the Organizational Silos
Starting Point – Assessing Current State, Gaps, and What to Do First

• Hardware
• Software
• Firmware
• Communications
• Physical (Facilities)
• Cyber-Physical
What is an “Asset” within Industrial Environments?
20% are Network Assets
(able to get configuration and topology location fairly easily)
“Known” - above the Waterline
“Unknown” below the Waterline
80% are Proprietary Assets
(not easily known configurations and components
such as I/O Servers, firmware, etc)

ICS Cyber Security Risk Model
- ARC Research

The Process

Cyber Security Life Cycle
High-Level
Risk
Assessment
(Inventory)
Management
System:
Policies,
Procedures,
Training &
Awareness
Detailed Cyber
Risk Assessment
Periodic
Cybersecurity
Audits
Installation,
Commissioning &
Validation of
Countermeasures
Other Means of
Risk Reduction
Cyber Incident
Response &
Recovery
Detailed Cyber
Risk Assessment
Assess
Phase
Allocation of
IACS Assets to
Security Zones or
Conduits
Develop & Implement Phase
Maintenance,
Monitoring &
Management of
Change
Maintain
Phase
Continuous
Processes
Continuous
Processes
Cybersecurity
Countermeasures

Belden’s 1-2-3 Approach to Industrial Cybersecurity
1
Secure
Industrial
Networks
• Segmentation
• Zoning and conduits
• Monitoring and alerts
• Wireless and remote access
• Threat containment
2
Secure
Industrial
Endpoints
• Inventory connected assets
• Identify vulnerable & exploitable
endpoints
• Achieve and maintain secure and
authorized configurations
• Identify unauthorized & malicious
change
3
Secure
Industrial
Controllers
• Detection and visibility into ICS
changes and threats
• Protection for vulnerable &
exploitable controllers
• Assure authorized access and
change control for ICS
• Detect and contain threats

• Configurations
− Misconfigurations
− Weak configurations
− Exploitable vulnerabilities –
 previously unknown
 Unpatched
 Unpatchable
 No patch exists
• Insecure Access
− Wireless
− Modems
− Inappropriate internet-facing
• Industrial protocols
• Unauthorized Access
− Weak or stolen credentials
• Infected files
• Infected USB
• Infected ICS logic
• Insecure serial links
• Complex and proprietary
multi-vendor environments
Common Industrial Attack Vectors Tripwire Can Detect

No-Touch Visibility into
ICS Cyber Security
Monitoring Full Operations
Environments for Unauthorized
Change and Cyber Threats
Standards-based
Integration with FactoryTalk®
AssetCentre

• Part of the Belden Industrial Cyber Security Portfolio
• Vendor-neutral
• Standards-based
• Industrial Network Infrastructure
• ICS/SCADA
• Cyber Security Expertise is Our Core
− Monitoring for change and threat detection
− Alert Notification
− Vulnerability Checking
− Log Intelligence/SIEM
− Automation and Integrations
Support for Heterogenous Industrial Environment Cyber Security

‹#›
Tofino™ Xenon Industrial Security Appliance
Field-Level Layer 2 Firewall with Security Enforcers
The Tofino Xenon Industrial Security Appliance delivers
advanced cyber security protection for industrial networks,
securing critical assets at Layer 2, making it easier to deploy
and transparent to the network
 No IP or network architecture changes needed
 Protects endpoint systems and devices
(PLCs, RTUs, IEDs, DCS, HMIs, Historians, Controller Consoles, etc)
 Easy to deploy with Plug and Protect™ - no downtime
 Secure Zones and Conduits (IEC-62443)
 Deep Packet Inspection for industrial protocols to enforce security policy
 DNP3 and IEC 104
 Modbus/TCP
 OPC
 EtherNet/IP
 Others coming
 Auto-generates firewall rules, and controls access and ingress and egress

Belden Industrial Cybersecurity Portfolio

Benefits of a current and automated asset inventory:
• Mitigate cyber security risks from outsiders, insiders, and human error
• Reduce / avoid unplanned downtime
• Improve productivity
• Automate to speed resolution, save time and reduce human error
• Process improvement and efficiency
Action? - Consider a cybersecurity risk assessment
Summary - Benefits of Having an Asset Inventory

• Learn good infrastructure design for cyber security – all industry sectors
• Oriented toward technical and hands-on learning labs
• Learn More - http://info.belden.com/designseminar
Join Us - Industrial Ethernet Infrastructure Design Seminar
October 10-13, 2016, Orlando Florida

Q&A THANK YOU!

Questions Answers
Are Zones accomplished using VLANs? I'm not sure the point of the question here. There are always multiple
VLAN's employed when there's differing environments or items
consolidated on a common manageable switch. Special
configurations to harden the switch and prohibit VLAN jumping are
established, documented and tested. When we label zones VLANs,
I'm not sure what that actually is that you're thinking of, but if you
contact info@redtridentinc.com with a question we can work to
answer that question thoroughly.
Zones Zones are essential for the establishment of environments that similar
devices can coexist and operate. It also helps with monitoring,
troubleshooting, and adding additional layers of security to an ICS
architecture. NIST 800-82 as well as ANSI/IEC/ISA 62443 establish
zones. It is also a very common practice within ICS environments that
have a greater maturity and adoption of ICS Cyber Security. There
are common practices found in other standards and advanced cyber
security architectures.
This is all well and good, but our industrial environment is set
- at present we can't change anything. What do we do in that
case?
For many circumstances where physical changes in architecture
cannot be immediately made, there are technology solutions that can
be applied sometimes to mitigate the risks - even process changes
can often solve for an interim period. Another consideration is to do
the planning for the bigger needed changes, whether architecture or
equipment while addressing the smaller things that can be altered
such as password hygiene, not sharing logins, or simply knowing
where the biggest concerns are.
He just mentioned LANs - I think that Zones are Yes, this is an absolute truth because there are a multitude of

Questions Answers
How long does an industrial cyber security risk
assessment take?
Scope and complexity of a environment can dramatically
affect the length of time that a holistic risk assessment
takes. Often times, we see risk assessments prematurely
halted because there are common vulnerabilities or
exposures that can be remediated or planned for. Some
identified risks may also need immediate attention, because
of the threat it poses to the revenue generating or ICS
process. We do offer accelerated risk assessments rather
than full risk assessments to immediately triage vulnerable
environments. It's not as supporting as a holistic risk
assessment, but it does assist with getting an immediate
look at what could be potentially a threat to the
environment.
For risk assessment, how do you acquire the data
for the likelihood of a particular vulnerability
occurring and the likelihood that a particular security
threat will be exploited? Does this data exist in a
database somewhere?
Likelihood is a very qualitative aspect to the over all
vulnerability. If we take a workstation for example then we
would look at the vulnerabilities present on the system. How
those vulnerabilities score for that system. Determine if that
system is a high consideration to the viability of the over all
process. Then from the gap we will explore if there are
compensating controls to reduce, mitigate, or eliminate the
overall threat. We do have several databases that contain
vulnerability data and leverage specially crafted tools that

Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)

Similar a Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...) (20)

Más de Tripwire

Más de Tripwire (20)

Último

Último (20)

Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)