SlideShare a Scribd company logo

Critical Infrastructure Security by Subodh Belgi

ClubHack
ClubHack

Industrial Automation & Control Systems are an integral part of various manufacturing & process industries as well as national critical infrastructure. Concerns regarding cyber-security of control systems are related to both the legacy nature of some of the systems as well as the growing trend to connect industrial control systems to corporate networks. These concerns have led to a number of identified vulnerabilities and have introduced new categories of threats that have not been seen before in the industrial control systems domain. Many of the legacy systems may not have appropriate security capabilities that can defend against modern day threats, and the requirements for availability and performance can preclude using contemporary cyber-security solutions. To address cyber-security issues for industrial control systems, a clear understanding of the security challenges and specific defensive countermeasures is required. The session will highlight some of the latest cyber security risks faced by industrial automation and control systems along with essential security controls & countermeasures.

1 of 19
Subodh Belgi VP & Chief Security Evangelist
Critical Infrastructure & Control Systems • Modern society is dependent on several critical infrastructure industries • Industrial Control Systems (SCADA/DCS/PLCs) are extensively used to manage the operation of critical infrastructure Copyright © 2012 MIEL e-Security Pvt. Ltd. 2
Critical Infrastructure is Under Attack !! Copyright © 2012 MIEL e-Security Pvt. Ltd. 3
SCADA/Control Systems Becoming Easy Target.. Copyright © 2012 MIEL e-Security Pvt. Ltd. 4
Stuxnet Attack – The Wakeup Call ! • Most sophisticated and targeted attack on Industrial Control Systems • Disabling specific types of drives used in Uranium Enrichment process by infecting a specific model of Siemens PLC • 7 different modes of propagation, 4 different zero day vulnerabilities exploited • 2 rootkits – For windows and Siemens PLC • Using stolen certificates to sign the rootkit code • Remote command & control • P2P update capability Copyright © 2012 MIEL e-Security Pvt. Ltd. 5
ICS Security : Risk Drivers Increased Connectivity • Need for ‘REAL TIME’ information, for taking Informed decisions. • Control systems are linked to corporate information systems & networks. Open Technology • Increasingly using standardized IT Technologies • IP based network for PLCs, DCS, IEDs, Field devices etc. Copyright © 2012 MIEL e-Security Pvt. Ltd. 6
ICS Security : Risk Drivers Design Limitations • Historically, designed for productivity, safety and reliability • Security by obscurity – Proprietary protocols, air gapped network Lack of Cyber Security Awareness • Enterprise IT Security professionals lack control systems expertise • Control systems professionals not aware of security issues and controls Copyright © 2012 MIEL e-Security Pvt. Ltd. 7
Industrial Control Systems in an Organization Copyright © 2012 MIEL e-Security Pvt. Ltd. 8
ICS Security Not Same as IT Security Topic IT Systems Industrial Control Systems Typical Lifespan 3-5 years 10-15 years Security Awareness Good Poor, except physical Time Critical Content Generally delays accepted Critical due to safety Availability Occasional downtime 24x7x365 accepted Security Testing/Audit Scheduled, mandated Occasional, uncommon Patch Management Regular, Scheduled Slow, vendor dependent Change Management Regular, scheduled Uncommon Security Controls Extensively deployed Uncommon, except safety related Business Impact Disruption, Monetary Loss, Loss of Life, Loss of Business, Legal sanctions Physical Damage, Environmental Impact, National Security & Economy Copyright © 2012 MIEL e-Security Pvt. Ltd. 9
Who are the Adversaries? • Usual Suspects.. – Script Kiddies – Hackers – Cyber Criminals – Malware Authors/Operators – Organized Crime Groups • Growing Threat.. – Industrial Espionage – Hacktivists – Disgruntled Insiders – State Sponsored Terrorists – Foreign Intelligence Agencies Copyright © 2012 MIEL e-Security Pvt. Ltd. 10
Reported Vulnerabilities – Tip of the Iceberg Inadequate Security Architecture & Design No Periodic Security Assessment/Audit Firewall Non-existent or Improperly Configured Unsecured Remote Access OS and Application Patches not Updated Use of Default Configuration, User Accounts Lack of Verifying Data Authenticity, Integrity Malware Protection not Installed Copyright © 2012 MIEL e-Security Pvt. Ltd. 11
Critical Infrastructure Security Challenges & Opportunities 12
Typical ICS Architecture Copyright © 2012 MIEL e-Security Pvt. Ltd. 13
ICS Communication Protocols • SCADA Modbus, DNP3, ICCP, IEC 60870, IEC 61850 • DCS/Process Automation CIP, ControlNet, DeviceNet, DirectNet, EtherCAT, EtherNet/IP, EtherNet Powerlink, HART, Fieldbus, Modbus, Hostlink, Modbus RTU, Modbus TCP, Profibus, ProfiNet, RAPIENet, Honeywell SDS, SERCOS III, GE SRTP, Sinec, OPC, OPC UA • Smart Buildings/Meters/Vehicles BACnet, C-Bus, CC-Link, Dynet, LonTalk, S-Bus, VSCP, xAP, X10, Zigbee ANSI C12.18, DLMS/IEC 62056, IEC 61107, M-Bus, Zigbee Smart Energy CAN, DC-Bus, FlexRay, IEBus, J1708, J1939, VAN, SMARTWireX, LIN Copyright © 2012 MIEL e-Security Pvt. Ltd. 14
ICS Communication Protocols – Challenges • Lack of Authentication - Works with device addresses and function codes • Lack of Encryption - Command and addresses sent in clear-text • Lack of Message Integrity - No data validity checking • Broadcast Functionality - All devices receive all messages • Programmability - Able to program controllers, PLCs and RTUs • Susceptible to Message spoofing, MITM, DOS attacks • Protocols not supported by commercial firewalls • Not supported by security tools – Snort, Wireshark Copyright © 2012 MIEL e-Security Pvt. Ltd. 15
Automation Devices – Controllers, PLC, RTUs, IEDs… • Used for Communication, Control, I/O, Protection, Monitoring, Metering etc. • Runs vxworks, embedded linux/windows, or proprietary OS on custom hardware • TCP/IP connectivity • Lack of basic security features • Highly susceptible to cyber attacks Copyright © 2012 MIEL e-Security Pvt. Ltd. 16
Automation Devices – Challenges Copyright © 2012 MIEL e-Security Pvt. Ltd. 17
How Could You Contribute ? Building Research Community Focused on Industrial Control Systems Security  Network Protocol Analysis  Firmware Analysis/Hacking  Embedded Systems Hacking  Vulnerability Analysis  Exploit Development  Malware Analysis  Security Tools Development Copyright © 2012 MIEL e-Security Pvt. Ltd. 18
Thank you! Subodh Belgi sbelgi@miel.in

Recommended

The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
cyber security
cyber securitycyber security
cyber security
abithajayavel
 
IOT Security
IOT SecurityIOT Security
IOT Security
Sylvain Martinez
 
How to Prepare for the CISSP Exam
How to Prepare for the CISSP ExamHow to Prepare for the CISSP Exam
How to Prepare for the CISSP Exam
koidis
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
John Gilligan
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
NetEnrich, Inc.
 

Recommended

The Zero Trust Model of Information Security
The Zero Trust Model of Information Security The Zero Trust Model of Information Security
The Zero Trust Model of Information Security
Tripwire
 
cyber security
cyber securitycyber security
cyber security
abithajayavel
 
IOT Security
IOT SecurityIOT Security
IOT Security
Sylvain Martinez
 
How to Prepare for the CISSP Exam
How to Prepare for the CISSP ExamHow to Prepare for the CISSP Exam
How to Prepare for the CISSP Exam
koidis
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
John Gilligan
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
IoT security (Internet of Things)
IoT security (Internet of Things)IoT security (Internet of Things)
IoT security (Internet of Things)
Sanjay Kumar (Seeking options outside India)
 
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
NetEnrich, Inc.
 
Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash
 
Cyber security in power sector
Cyber security in power sectorCyber security in power sector
Cyber security in power sector
P K Agarwal
 
Security architecture proposal template
Security architecture proposal templateSecurity architecture proposal template
Security architecture proposal template
Moti Sagey מוטי שגיא
 
Zero Trust Network Access
Zero Trust Network Access Zero Trust Network Access
Zero Trust Network Access
Er. Ajay Sirsat
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
IoT Security
IoT SecurityIoT Security
IoT Security
Narudom Roongsiriwong, CISSP
 
8. operations security
8. operations security8. operations security
8. operations security
7wounders
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
Brencil Kaimba
 
Zero Trust
Zero TrustZero Trust
Zero Trust
Boaz Shunami
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit View
PLN9 Security Services Pvt. Ltd.
 
Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​
AlgoSec
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
Hemanth M
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
Adel Barkam
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access control
Elimity
 
PHISHING PROTECTION
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTION
Sylvain Martinez
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
Bharat Jindal
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
SlideTeam
 
Internet of things startup basic
Internet of things startup basicInternet of things startup basic
Internet of things startup basic
Mathan kumar
 
TrendMicro
TrendMicroTrendMicro
TrendMicro
1CloudRoad.com
 
Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to KnowDefining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
IBM Security
 

More Related Content

What's hot

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
8. operations security
8. operations security8. operations security
8. operations security
7wounders
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
SlideTeam
 

What's hot (20)

Cybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
 
Cyber security in power sector
Cyber security in power sectorCyber security in power sector
Cyber security in power sector
 
Security architecture proposal template
Security architecture proposal templateSecurity architecture proposal template
Security architecture proposal template
 
Zero Trust Network Access
Zero Trust Network Access Zero Trust Network Access
Zero Trust Network Access
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
8. operations security
8. operations security8. operations security
8. operations security
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Zero Trust
Zero TrustZero Trust
Zero Trust
 
Security Audit View
Security Audit ViewSecurity Audit View
Security Audit View
 
Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​Zero Trust Framework for Network Security​
Zero Trust Framework for Network Security​
 
Securing Industrial Control System
Securing Industrial Control SystemSecuring Industrial Control System
Securing Industrial Control System
 
introduction to Embedded System Security
introduction to Embedded System Securityintroduction to Embedded System Security
introduction to Embedded System Security
 
Information Security and the SDLC
Information Security and the SDLCInformation Security and the SDLC
Information Security and the SDLC
 
An overview of access control
An overview of access controlAn overview of access control
An overview of access control
 
PHISHING PROTECTION
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTION
 
Introduction to Tenable
Introduction to TenableIntroduction to Tenable
Introduction to Tenable
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
 
Internet of things startup basic
Internet of things startup basicInternet of things startup basic
Internet of things startup basic
 
TrendMicro
TrendMicroTrendMicro
TrendMicro
 

Similar to Critical Infrastructure Security by Subodh Belgi

Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
Denim Group
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
Security Innovation
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
Schneider Electric
 
Protecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomwareProtecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomware
Cloudera, Inc.
 
Avoiding data breach using security intelligence and big data to stay out of ...
Avoiding data breach using security intelligence and big data to stay out of ...Avoiding data breach using security intelligence and big data to stay out of ...
Avoiding data breach using security intelligence and big data to stay out of ...
IBM Security
 
Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentation
rfragola
 
Challenges2013
Challenges2013Challenges2013
Challenges2013
Lancope, Inc.
 
Waterfall Security Solutions Overview Q1 2012
Waterfall Security Solutions Overview Q1 2012Waterfall Security Solutions Overview Q1 2012
Waterfall Security Solutions Overview Q1 2012
henkpieper
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
IBM Security
 

Similar to Critical Infrastructure Security by Subodh Belgi (20)

Top Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for ApplicationsTop Strategies to Capture Security Intelligence for Applications
Top Strategies to Capture Security Intelligence for Applications
 
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to KnowDefining Security Intelligence for the Enterprise - What CISOs Need to Know
Defining Security Intelligence for the Enterprise - What CISOs Need to Know
 
Best Practices for Cloud Security
Best Practices for Cloud SecurityBest Practices for Cloud Security
Best Practices for Cloud Security
 
Enterprise Security and Cyber Security Cases
Enterprise Security and Cyber Security CasesEnterprise Security and Cyber Security Cases
Enterprise Security and Cyber Security Cases
 
Security and smart grid what you need to know john chowdhury 2012 final
Security and smart grid what you need to know john chowdhury 2012 finalSecurity and smart grid what you need to know john chowdhury 2012 final
Security and smart grid what you need to know john chowdhury 2012 final
 
IoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" MythIoT Security: Debunking the "We Aren't THAT Connected" Myth
IoT Security: Debunking the "We Aren't THAT Connected" Myth
 
Cyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutionsCyber security: A roadmap to secure solutions
Cyber security: A roadmap to secure solutions
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
Risks vs real life
Risks vs real lifeRisks vs real life
Risks vs real life
 
Protecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomwareProtecting health and life science organizations from breaches and ransomware
Protecting health and life science organizations from breaches and ransomware
 
Avoiding data breach using security intelligence and big data to stay out of ...
Avoiding data breach using security intelligence and big data to stay out of ...Avoiding data breach using security intelligence and big data to stay out of ...
Avoiding data breach using security intelligence and big data to stay out of ...
 
From SIEM to SA: The Path Forward
From SIEM to SA: The Path ForwardFrom SIEM to SA: The Path Forward
From SIEM to SA: The Path Forward
 
Key Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales PresentationKey Resources - z/Assure Sales Presentation
Key Resources - z/Assure Sales Presentation
 
The Identity-infused Enterprise
The Identity-infused EnterpriseThe Identity-infused Enterprise
The Identity-infused Enterprise
 
Challenges2013
Challenges2013Challenges2013
Challenges2013
 
Io t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cIo t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425c
 
Dell Solutions Tour 2015 - Reduce IT admin work load and reduce complexity an...
Dell Solutions Tour 2015 - Reduce IT admin work load and reduce complexity an...Dell Solutions Tour 2015 - Reduce IT admin work load and reduce complexity an...
Dell Solutions Tour 2015 - Reduce IT admin work load and reduce complexity an...
 
Waterfall Security Solutions Overview Q1 2012
Waterfall Security Solutions Overview Q1 2012Waterfall Security Solutions Overview Q1 2012
Waterfall Security Solutions Overview Q1 2012
 
Security on a budget
Security on a budget Security on a budget
Security on a budget
 
Bridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical DataBridging the Gap Between Your Security Defenses and Critical Data
Bridging the Gap Between Your Security Defenses and Critical Data
 

More from ClubHack

The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
ClubHack
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
ClubHack
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
ClubHack
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
ClubHack
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
ClubHack
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
ClubHack
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
ClubHack
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
ClubHack
 

More from ClubHack (20)

India legal 31 october 2014
India legal 31 october 2014India legal 31 october 2014
India legal 31 october 2014
 
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ BangaloreCyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
Cyberlaw by Mr. Pavan Duggal at ClubHack Infosec KeyNote @ Bangalore
 
Cyber Insurance
Cyber InsuranceCyber Insurance
Cyber Insurance
 
Summarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threatSummarising Snowden and Snowden as internal threat
Summarising Snowden and Snowden as internal threat
 
Fatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep KambleFatcat Automatic Web SQL Injector by Sandeep Kamble
Fatcat Automatic Web SQL Injector by Sandeep Kamble
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
Stand Close to Me & You're pwned! Owning Smart Phones using NFC by Aditya Gup...
 
Smart Grid Security by Falgun Rathod
Smart Grid Security by Falgun RathodSmart Grid Security by Falgun Rathod
Smart Grid Security by Falgun Rathod
 
Legal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara AgrawalLegal Nuances to the Cloud by Ritambhara Agrawal
Legal Nuances to the Cloud by Ritambhara Agrawal
 
Infrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy HiremathInfrastructure Security by Sivamurthy Hiremath
Infrastructure Security by Sivamurthy Hiremath
 
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar KuppanHybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
Hybrid Analyzer for Web Application Security (HAWAS) by Lavakumar Kuppan
 
Hacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish BomissttyHacking and Securing iOS Applications by Satish Bomisstty
Hacking and Securing iOS Applications by Satish Bomisstty
 
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman GuptaContent Type Attack Dark Hole in the Secure Environment by Raman Gupta
Content Type Attack Dark Hole in the Secure Environment by Raman Gupta
 
XSS Shell by Vandan Joshi
XSS Shell by Vandan JoshiXSS Shell by Vandan Joshi
XSS Shell by Vandan Joshi
 
Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012Clubhack Magazine Issue February 2012
Clubhack Magazine Issue February 2012
 
ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012ClubHack Magazine issue 26 March 2012
ClubHack Magazine issue 26 March 2012
 
ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012ClubHack Magazine issue April 2012
ClubHack Magazine issue April 2012
 
ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012ClubHack Magazine Issue May 2012
ClubHack Magazine Issue May 2012
 
ClubHack Magazine – December 2011
ClubHack Magazine – December 2011ClubHack Magazine – December 2011
ClubHack Magazine – December 2011
 
One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)One link Facebook (Anand Pandey)
One link Facebook (Anand Pandey)
 

Critical Infrastructure Security by Subodh Belgi

  • 1. Subodh Belgi VP & Chief Security Evangelist
  • 2. Critical Infrastructure & Control Systems • Modern society is dependent on several critical infrastructure industries • Industrial Control Systems (SCADA/DCS/PLCs) are extensively used to manage the operation of critical infrastructure Copyright © 2012 MIEL e-Security Pvt. Ltd. 2
  • 3. Critical Infrastructure is Under Attack !! Copyright © 2012 MIEL e-Security Pvt. Ltd. 3
  • 4. SCADA/Control Systems Becoming Easy Target.. Copyright © 2012 MIEL e-Security Pvt. Ltd. 4
  • 5. Stuxnet Attack – The Wakeup Call ! • Most sophisticated and targeted attack on Industrial Control Systems • Disabling specific types of drives used in Uranium Enrichment process by infecting a specific model of Siemens PLC • 7 different modes of propagation, 4 different zero day vulnerabilities exploited • 2 rootkits – For windows and Siemens PLC • Using stolen certificates to sign the rootkit code • Remote command & control • P2P update capability Copyright © 2012 MIEL e-Security Pvt. Ltd. 5
  • 6. ICS Security : Risk Drivers Increased Connectivity • Need for ‘REAL TIME’ information, for taking Informed decisions. • Control systems are linked to corporate information systems & networks. Open Technology • Increasingly using standardized IT Technologies • IP based network for PLCs, DCS, IEDs, Field devices etc. Copyright © 2012 MIEL e-Security Pvt. Ltd. 6
  • 7. ICS Security : Risk Drivers Design Limitations • Historically, designed for productivity, safety and reliability • Security by obscurity – Proprietary protocols, air gapped network Lack of Cyber Security Awareness • Enterprise IT Security professionals lack control systems expertise • Control systems professionals not aware of security issues and controls Copyright © 2012 MIEL e-Security Pvt. Ltd. 7
  • 8. Industrial Control Systems in an Organization Copyright © 2012 MIEL e-Security Pvt. Ltd. 8
  • 9. ICS Security Not Same as IT Security Topic IT Systems Industrial Control Systems Typical Lifespan 3-5 years 10-15 years Security Awareness Good Poor, except physical Time Critical Content Generally delays accepted Critical due to safety Availability Occasional downtime 24x7x365 accepted Security Testing/Audit Scheduled, mandated Occasional, uncommon Patch Management Regular, Scheduled Slow, vendor dependent Change Management Regular, scheduled Uncommon Security Controls Extensively deployed Uncommon, except safety related Business Impact Disruption, Monetary Loss, Loss of Life, Loss of Business, Legal sanctions Physical Damage, Environmental Impact, National Security & Economy Copyright © 2012 MIEL e-Security Pvt. Ltd. 9
  • 10. Who are the Adversaries? • Usual Suspects.. – Script Kiddies – Hackers – Cyber Criminals – Malware Authors/Operators – Organized Crime Groups • Growing Threat.. – Industrial Espionage – Hacktivists – Disgruntled Insiders – State Sponsored Terrorists – Foreign Intelligence Agencies Copyright © 2012 MIEL e-Security Pvt. Ltd. 10
  • 11. Reported Vulnerabilities – Tip of the Iceberg Inadequate Security Architecture & Design No Periodic Security Assessment/Audit Firewall Non-existent or Improperly Configured Unsecured Remote Access OS and Application Patches not Updated Use of Default Configuration, User Accounts Lack of Verifying Data Authenticity, Integrity Malware Protection not Installed Copyright © 2012 MIEL e-Security Pvt. Ltd. 11
  • 13. Typical ICS Architecture Copyright © 2012 MIEL e-Security Pvt. Ltd. 13
  • 14. ICS Communication Protocols • SCADA Modbus, DNP3, ICCP, IEC 60870, IEC 61850 • DCS/Process Automation CIP, ControlNet, DeviceNet, DirectNet, EtherCAT, EtherNet/IP, EtherNet Powerlink, HART, Fieldbus, Modbus, Hostlink, Modbus RTU, Modbus TCP, Profibus, ProfiNet, RAPIENet, Honeywell SDS, SERCOS III, GE SRTP, Sinec, OPC, OPC UA • Smart Buildings/Meters/Vehicles BACnet, C-Bus, CC-Link, Dynet, LonTalk, S-Bus, VSCP, xAP, X10, Zigbee ANSI C12.18, DLMS/IEC 62056, IEC 61107, M-Bus, Zigbee Smart Energy CAN, DC-Bus, FlexRay, IEBus, J1708, J1939, VAN, SMARTWireX, LIN Copyright © 2012 MIEL e-Security Pvt. Ltd. 14
  • 15. ICS Communication Protocols – Challenges • Lack of Authentication - Works with device addresses and function codes • Lack of Encryption - Command and addresses sent in clear-text • Lack of Message Integrity - No data validity checking • Broadcast Functionality - All devices receive all messages • Programmability - Able to program controllers, PLCs and RTUs • Susceptible to Message spoofing, MITM, DOS attacks • Protocols not supported by commercial firewalls • Not supported by security tools – Snort, Wireshark Copyright © 2012 MIEL e-Security Pvt. Ltd. 15
  • 16. Automation Devices – Controllers, PLC, RTUs, IEDs… • Used for Communication, Control, I/O, Protection, Monitoring, Metering etc. • Runs vxworks, embedded linux/windows, or proprietary OS on custom hardware • TCP/IP connectivity • Lack of basic security features • Highly susceptible to cyber attacks Copyright © 2012 MIEL e-Security Pvt. Ltd. 16
  • 17. Automation Devices – Challenges Copyright © 2012 MIEL e-Security Pvt. Ltd. 17
  • 18. How Could You Contribute ? Building Research Community Focused on Industrial Control Systems Security  Network Protocol Analysis  Firmware Analysis/Hacking  Embedded Systems Hacking  Vulnerability Analysis  Exploit Development  Malware Analysis  Security Tools Development Copyright © 2012 MIEL e-Security Pvt. Ltd. 18

Editor's Notes

  1. Performance – Real time response is critical, May not require high-throughput Controls should not hamper normal or emergency operations Availability – Very high uptime requirement, Outages are not acceptable and may result into physical events, simply rebooting IT systems is not the solution, downtime planning is critical and any changes require extensive testingSecurity Goals differ – Availability is priority, unlike confidentiality for IT systemsResource Constraints – Compute power, memory, bandwidth limitation Typical IT security solutions do consume lot of computing resourcesLong Technology Life Cycle – 10-20 years compared to 3-5 years for IT. Proprietary and complex & non standard systems and communication protocols, not easy to deploy usual IT security solutions in IACS spaceSecurity Staff – Expertise widely differ, Control systems expertise is not available with typical IT staff, require special training and staff development