This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!
1. How to get into ICS Security
Chris Sistrunk, PE
2. About Me
Chris Sistrunk, PE
@chrissistrunk
Electrical Engineer
Sr. Consultant, FireEye
• Control system security assessments
• NSM and DFIR for ICS
• ICS Village (DEF CON & RSA Conference)
Entergy (11+ years)
• SCADA Engineer (10 years)
• Project Robus (ICS Protocol Fuzzing)
• 30+ implementation vulnerabilities in DNP3 stacks
• Substation Security Team
BSidesJackson
3. How small mistakes lead to big disasters
FPL Blackout, February 26, 2008
9. Some numbers
• Industrial Control System Humans: MANY (engineers, technicians, operators, vendors, etc.)
• Security Humans: ~189,000
• ICS Security Humans: <1000 (0.5% of Security)
“LinkedIn data identified over 189,000 professionals in active information security positions worldwide as of June 2015.” - Cory Scott
11. So…what would you say you do here?
• Why are you here?
• What excites you about ICS security?
• Is ICS or security in your job now?
• Do you want it to be?
14. Operational Technology
• You’ve got the engineering or technical background
• You know how the plant or process works
• You probably already work with:
• ICS components like PLCs and RTUs
• ICS protocols like Modbus, Ethernet/IP, DNP3, etc
• Networking (ethernet, serial, including wireless)
• NERC/CIP or CFATS requirements
• But you don’t know IT systems, risks, threats, and security
15. Get familiar with security
• Learn
• Security Conferences!
• Lots and lots of security material online (SecurityTube, etc)
• ICS Security Training (ICS-CERT, SANS ICS, Red Tiger, SCADAhacker)
• SamuraiSTFU, Kali, Security Onion Linux Distros
• shodan.io
• Make friends with the IT Security team
16. Make an ICS Security Lab
• Many companies with control systems have labs
• If not, you may have spare equipment laying around…get creative!
18. What would be your Stuxnet?
• Think like a bad guy…with a hard hat!
• …like an attacker has your prints
• Who knows…you might find a vulnerability
“To make things work well, you must break them”
“Find evil, or ways for evil to do evil things”
19. Red Team and Blue Team
• Learn how to use Metasploit
• Search shodan.io
• Learn about Modbus Fuzzing
• Write some Snort rules
• Read up on Digital Forensics & Incident Response (DFIR)
• Take the ICS-CERT RvB Course
24. Information Technology
• You’ve got the computer and networking skills
• You know how business technology works
• You probably already know:
• Routers, switches, firewalls, domain controllers
• Web, email, and business applications
• Certifications like CCNA and CISSP
• HIPAA or PCI DSS requirements
• But you don’t know the engineering and physics behind the process
26. Google all the things
• Modbus.org > modbus specification
• Tons of code on github: opendnp3, modbus, etc
• Wireshark
• Pcaps online > Netresec has a library, SANS, S4
28. Make an ICS network at home
• Raspberry Pi
• opendnp3, modbus, BACnet
• Arduino
• modbus
• $15 HMI from eBay (got lucky)
• ~$700 for a new Phoenix Contact PLC
29. You know security, but not ICS…yet
• What I am about to tell you is the single greatest secret to go from IT Security into ICS…
32. Ask questions
• What is it?
• Why is it important?
• How can we secure it?
Example:
Ladder logic on a PLC
Understand the why…
…then try to secure/monitor it
33. Take the opportunity to collaborate
Problem:
• ICS network is flat with the corporate network
• ICS network has no logging or visibility
• IT has security goals
• OT has safety and uptime goals
• Can you do some things that satisfy both?
35. Connect!
• SCADAsec email list at Infracritical
• ICS Security Conferences
• ICSJWG – FREE
• DigitalBond’s S4
• SANS ICS Summit
• 4SICS
• EnergySec
• Oil & Gas Security Summit
• ICS Cyber Security Conference “Weisscon”
36. Information Sharing
National Council of ISACs
• Downstream Natural Gas www.dngisac.com
• Electricity www.esisac.com
• Oil & Natural Gas www.ongisac.org
• Water www.waterisac.org
ISAOs coming, knowledge sharing, ICS-ISAC, “BEER-ISAC”
37. Books
• Robust Control System Networks, Ralph Langner
• Industrial Network Security, 2nd Edition, Knapp & Langill
• Cybersecurity for Industrial Control Systems, Macaulay & Singer
• Countdown to Zero Day, Kim Zetter
• Hacking Exposed Industrial Control Systems, Bodungen, et al
• Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky & Brodsky
40. Purdue Model - Reference Architecture
[Figure: Purdue Model reference architecture, levels L0, L1, L2, L3, L4]
41. Training
• ICS-CERT
• Free online training and resources
• Free 5-day Red vs Blue ICS exercise
• ICS Vendor Training
• SANS ICS
• ICS410 and ICS515
• Red Tiger Security
• Lofty Perch
• SCADAhacker
42. Certification
• There isn’t a Professional Engineering license for Security...
…but not everyone is an engineer.
• GICSP is a new certification out to teach IT folks the basics of ICS and OT folks the basics of security.
44. You’re still here
• What excites you about ICS security?
• Do you want to join us in ICS security?
45. Apply What You Have Learned Today
• Next week:
• Identify critical components within your ICS network
• Find out if they have any published security vulnerabilities, or if they are connected to the IT network, or even the Internet
• In the next three months:
• Understand who is accessing the ICS, from where, and why
• Within six months:
• Drive an implementation project to protect the most critical ICS devices
• Develop a roadmap to enhance ICS security architecture
• Capture some ICS network traffic and look for “evil”
WHAT WENT WRONG
1. Engineer investigating faulty voltage-control switch disabled two protective devices.
2. Short circuit occurred.
3. Because protection systems were disabled, they could not contain the short circuit.
Qingdao, China: oil pipeline explosion, 22 November 2013, killed 62 people
252 people were killed, nearly 500 injured and 15,000 were left homeless
New water pipes, made of zinc-coated iron, were built too close to an existing steel gas pipeline
Galvanic corrosion between dissimilar metals caused the gas pipeline to leak into the water line
Replacement of power supply
Breaker removed from service
Control panel loses power
Erroneous Low pressure signal
Valves open
Valves cannot be controlled with power out
Line overpressured
Weld breaks
Ignition, explosion, fire
8 deaths, 58 injured
Talk briefly about what IT and OT are and how they work together in an enterprise
“Enterprise-wide security” doesn’t mean just the IT side
2001 – 2010 = The Lost Decade
2010 – Present = The Age of Stuxnet
Audience participation
But you may lack the IT security know-how
But you don’t understand the engineering or how the process works
Electrical engineering
Chemical engineering
Mechanical engineering
etc
Segmenting the network keeps commodity malware from spreading either direction
It also keeps the Operators from surfing ebay from the Compressor Station
Visibility helps the SOC watch the ingress/egress points
Visibility helps the ICS engineers keep a better inventory and find PLC misconfigurations
Explain
This is a reference architecture produced by academics at Purdue University, and adopted by the International Society of Automation (ISA)
The entire purpose of industrial automation and control systems is to remove humans from the loop. Program the logic into the machines so people don’t have to be at each location taking measurements and making adjustments.
Sensors and actuators operate at Level 0. Sensors measure things in the physical world; such as flow, temperature, pressure, level.
Actuators move. Things like valves and connect/disconnect switches for motors
They are wired into the controller
They are generally not TCP/IP enabled, but this is changing
Controllers are programmable devices found at Level 1
The programming specifies how the actuators move when the sensors provide certain readings.
They can also include Variable Frequency Drives and Protective Relays
Many of these are TCP/IP enabled
Level 2 includes more standard computing and networking technology
SCADA stands for supervisory control and data acquisition. Supervisory means that it allows a human operator, normally seated at a human-machine interface screen, to identify abnormalities (normally by viewing alarms that pop up on the screen) and step in and issue remote commands to the system. If a process loses SCADA, nothing is going to happen, at least for a while: the logic exists in the controllers themselves to regulate the process. The job of process operators has been described as 90% intense boredom and 10% sheer panic.
The engineering workstation is used to program the control logic. You can think of this as a software development environment. Instead of languages such as Python, C, and Visual Basic, the languages used are called “ladder logic”, “function block” and “structured text”. This machine would normally have the ability to talk to any PLC on the network to push new logic.
This layer also includes database technology called a process historian. The historian catalogs readings from the sensors and positions of the actuators to make available in other applications, such as predictive maintenance and process optimization efforts. The historian records data that is not displayed to the operator.
Ideally the SCADA network is segmented from the business network by a dual firewall DMZ. This facilitates firewall management, while limiting ingress and egress.
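The Purdue notes above say only the Level 2 HMI and engineering workstation should be pushing commands to Level 1 controllers, and slide 45 says to capture ICS traffic and look for “evil”. The following is an added example (not from the talk or any project it names) that decodes Modbus/TCP requests per the modbus.org spec and alerts when a write function code comes from a host that is not on a constructed allow-list, or when a frame is malformed. The IP addresses and sample frames are assumptions built for the example.

```python
import struct

# Modbus public function codes that change device state (Modbus application
# protocol specification, modbus.org).
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                        0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}

# Hypothetical lab address plan: only the HMI and the engineering workstation
# (Level 2) are expected to write to the PLC (Level 1).
WRITERS_ALLOWED = {"192.0.2.10": "HMI", "192.0.2.11": "engineering workstation"}

def parse_modbus_tcp(payload):
    """Decode one Modbus/TCP request: 7-byte MBAP header followed by the PDU.
    Returns None for frames that are not well-formed (wrong protocol id, or a
    length field that disagrees with the payload), which is worth logging too."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        return None
    return {"transaction": tid, "unit": unit, "function": payload[7], "data": payload[8:]}

def classify(src, payload):
    """Return 'ok' or a one-line alert describing what looked evil."""
    req = parse_modbus_tcp(payload)
    if req is None:
        return f"alert: malformed Modbus/TCP frame from {src}"
    name = WRITE_FUNCTION_CODES.get(req["function"])
    if name and src not in WRITERS_ALLOWED:
        return f"alert: {name} (0x{req['function']:02X}) to unit {req['unit']} from unexpected host {src}"
    return "ok"

# Constructed sample traffic (not a real capture): (source IP, TCP payload).
SAMPLE_TRAFFIC = [
    ("192.0.2.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),         # HMI reads 10 registers
    ("192.0.2.11", bytes.fromhex("0002 0000 0006 01 06 0010 00FF")),         # EWS writes one register
    ("198.51.100.7", bytes.fromhex("0003 0000 0008 01 0F 0000 0008 01 FF")),  # corporate host forces 8 coils
    ("198.51.100.7", bytes.fromhex("0004 0001 0006 01 03 0000 000A")),       # protocol id is not 0
]

def audit(traffic=SAMPLE_TRAFFIC):
    """Run every frame through classify() and return only the alerts."""
    verdicts = [classify(src, payload) for src, payload in traffic]
    return [v for v in verdicts if v != "ok"]

for line in audit():
    print(line)
```

On real captures you would feed the same functions the TCP payloads from a Wireshark/pcap export rather than the constructed list, and the allow-list becomes the segmentation policy your firewall should already be enforcing.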