SlideShare una empresa de Scribd logo

Should I Patch My ICS?

Digital Bond
Digital Bond

The document discusses whether patching control systems is an effective security practice given the challenges of securing industrial control systems. It makes three key points: 1. Patching insecure-by-design devices provides minimal risk reduction since attackers can achieve their goals by exploiting legitimate system features rather than vulnerabilities. 2. Most industrial control systems operate within an insecure-by-design zone, so patching may not prevent attacks since attackers do not need to exploit systems to cause damage. 3. Many control system components have low impact even if compromised, so patching provides little benefit given the effort. Prioritizing patching for systems directly accessible from untrusted networks is recommended over broadly patching everything.

Tecnología
1 de 28
Descargar para leer sin conexión
It’s My Job To Secure Our Control Systems Should I Patch? Dale Peterson of Digital Bond peterson@digitalbond.com Twitter: @digitalbond / Instagram: @s4xphoto
It’s a Big and Difficult Job •  Technology challenges •  Cultural challenges •  Budgeting challenges •  Measurement challenges Good Security Practices
Good Security Practice ü Patching is a good security practice ü Patching will reduce risk But By How Much? Disclaimer: Periodic (annual, bi-annual) patching and updates are part of a cyber maintenance program to maintain a supportable system … but not necessarily warranted for risk reduction related to a cyber attack
Important Term: Insecure By Design •  An attacker does not need a vulnerability to accomplish his goal –  Loss of control, loss of view, deceptive view –  Search Digital Bond Project Basecamp for videos and info •  Attacker uses legitimate features and functions to achieve goal Insecure By Design Is Much Worse Than A Lack of Secure By Design
Keep Two Divergent Thoughts In Your Head 1.  ICS protocols, design, deployment, operation and maintenance need dramatic changes if you believe there are people who want to do bad things Push Hard For Secure, True NextGen Solutions 2.  I’m stuck with an Insecure By Design legacy system or Insecure By Design choices for new solutions (TRAGIC in 2016) Triage: Efficient Risk Reduction
Efficient Risk Reduction Where will you maximize risk reduction for the next dollar or hour spent?
ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices
Case 1: Insecure By Design Devices •  2015: 1 Modicon Alert & 2 Advisories –  Hard coded credential, stack overflow on TCP/80, XSS / RFI –  Firmware upgrades •  Function code 90 –  All an attacker would want/need –  Modicon_stux_transfer Metasploit module –  Unity/EWS software capability •  No need for a vulnerability
Another Insecure By Design Case •  CoDeSys Gateway and Runtime Tools –  3 Advisories in 2015: 2 x Null Pointer Denial of Service, 1 x Heap Overflow –  Patches issued, yes but … •  Replay of my 2013 SANS talk –  Unauthenticated logic / program upload still there –  CoDeSys is ported to numerous OS –  Some OS allow attacker to gain root on the device and use it as an attack platform for the ICS
Warning #1 ICS patches often stop the exploit code, but don’t fix the vulnerability
Warning #2 Engineering Work Station (EWS) authentication is typically only authenticating the user to the EWS application, not to the PLC Attackers go right at the PLC
ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone
Insecure By Design Zone •  Main reason why most security patching provides minimal risk reduction
Examples •  Windows XP Panels connected to Insecure By Design PLC/RTU –  Hacking the panel is actually an extra, unnecessary step for an attacker •  Hacking RSLogix/RSLinx or most other engineering workstations –  If an attacker is on the network he doesn’t need the EWS or HMI •  Hacking a SCADA Server –  Depends if there are internal ICS zones Most ICS are flat at Levels 1 and 2
Prioritized Security Patching •  Create groups and patch frequency based on efficient risk reduction •  Example: –  Priority 1 (ASAP / Monthly): Anything accessible from an untrusted zone, such as systems in an ICS DMZ, perimeter security devices, removable media transfer stations •  Typically don’t affect operations •  Should be a very small number or you are doing something wrong –  Priority 2 (Quarterly): Anything that communicates with Priority 1 computers … or ... most critical ICS components in a further segmented zone … or … –  Priority 3 (Annual): Everything else for cyber maintenance
2015 Examples •  Priority 1 Examples –  Historians like OSIsoft PI family (2 Advisories) –  DNP3 Stacks in SCADA system with unmanned remote sites •  Project ROBUS vulnerabilities were hugely important •  2 Advisories (Kepware and TOP Server) –  OT firewalls: 1 advisory for mGuard but only denial of service –  Remote access solutions ... Siemens SPCanywhere Advisory •  Not in ICS-CERT –  IT firewall and router vulns, RDP vulns, database vulns, …
Consider All Of The Software •  Operating System •  3rd Party Applications •  ICS Applications •  Libraries and Components that are often hidden –  Triangle Microworks DNP3 Stacks (from Robus in 2013/2014) –  CoDeSys Software Inventory is Key
ICS-CERT Numbers Are Almost Meaningless •  They do: –  Indicate the level of effort by researchers willing to disclose vulns –  Indicate what products researchers can access •  They do not: –  Provide any metric related to ICS code quality –  Provide any metric to what vendors are better or worse in security –  Provide any metric related to quantity or skill level of threat agents –  Provide any data about what sectors are being targeted by attackers
Better ICS-CERT Statistics To Track •  Does the vendor have a published security contact with PGP key? •  How long did it take the vendor to respond to ICS-CERT? •  Did the vendor test and disclose if the vuln was in other products? •  Is the vulnerability in an insecure by design product? •  Did the vendor fix the vuln and has the fix been validated? •  Does the vendor have key elements of an SDL DHS/ICS-CERT Should Focus Efforts
ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone 3.  Low Impact If Compromised
Low Impact If Compromised •  Many components provide low value –  Monitoring of tank farm when a human checks level daily –  Metering when back end checks will detect fraud •  Many components have mechanical, offline or secondary processes in place to prevent medium or high impact events WARNING: Be sure, assume a malicious directed attack, and don’t rely on a networked safety system for low impact
So What Should I Be Doing •  Focus on your physical and cyber security perimeter •  Focus on devices accessible through the cyber security perimeter •  Insure you have Recovery Time Objectives (RTO) set by management and can meet them –  RTO is based on recovering capabilities not computers •  Detect when you are being attacked / have been compromised ___________ •  Develop and measure a Cyber Maintenance Program
Questions

Recomendados

Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systems
Itex Solutions
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar Asia
Digital Bond
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
Digital Bond
 
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
Eran Goldstein
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Jim Gilsinn
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 

Recomendados

Cybersecurity for modern industrial systems
Cybersecurity for modern industrial systemsCybersecurity for modern industrial systems
Cybersecurity for modern industrial systems
Itex Solutions
 
Active Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The FieldActive Directory in ICS: Lessons Learned From The Field
Active Directory in ICS: Lessons Learned From The Field
Digital Bond
 
Attacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar AsiaAttacking and Defending Autos Via OBD-II from escar Asia
Attacking and Defending Autos Via OBD-II from escar Asia
Digital Bond
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia WatsonSCADA Cyber Sec | ISACA 2013 | Patricia Watson
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Patricia M Watson
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
Digital Bond
 
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
2016 Top 10 Critical Infrastructures and SCADA/ICS Cyber Security Vulnerabili...
Eran Goldstein
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Jim Gilsinn
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
Jeffrey Wang , P.Eng
 
Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
Jim Gilsinn
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Digital Bond
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
Digital Bond
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
Chris Sistrunk
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
Joan Figueras Tugas
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Digital Bond
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security
Digital Bond
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
AVEVA
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
Shah Sheikh
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
AVEVA
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
Digital Bond
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Jim Gilsinn
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Digital Bond
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control Systems
Eric Andresen
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
AVEVA
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
MarcoAfzali
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security Products
Digital Bond
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Priyanka Aash
 
ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
Digital Bond
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
Digital Bond
 

Más contenido relacionado

La actualidad más candente

Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Digital Bond
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
Digital Bond
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Digital Bond
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security
Digital Bond
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Jim Gilsinn
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
North Texas Chapter of the ISSA
 

La actualidad más candente (20)

Cyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICSCyber & Process Attack Scenarios for ICS
Cyber & Process Attack Scenarios for ICS
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
 
Hacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS securityHacker Halted 2016 - How to get into ICS security
Hacker Halted 2016 - How to get into ICS security
 
Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)Cybersecurity in Industrial Control Systems (ICS)
Cybersecurity in Industrial Control Systems (ICS)
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
 
Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security Unidirectional Security, Andrew Ginter of Waterfall Security
Unidirectional Security, Andrew Ginter of Waterfall Security
 
SCADA Security Webinar
SCADA Security WebinarSCADA Security Webinar
SCADA Security Webinar
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
DTS Solution - Crypto Flow Segmentation addressing NESA IAF and ISO27001 comp...
 
Scada security presentation by Stephen Miller
Scada security presentation by Stephen MillerScada security presentation by Stephen Miller
Scada security presentation by Stephen Miller
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEMNetwork Reliability Monitoring for ICS: Going Beyond NSM and SIEM
Network Reliability Monitoring for ICS: Going Beyond NSM and SIEM
 
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
Case Study: Running a DCS in a Highly Virtualized Environment, Chris Hughes o...
 
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin WheelerNTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler
 
Securing Industrial Control Systems
Securing Industrial Control SystemsSecuring Industrial Control Systems
Securing Industrial Control Systems
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
 
Nist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing FrameworkNist 800 82 ICS Security Auditing Framework
Nist 800 82 ICS Security Auditing Framework
 
The Future of ICS Security Products
The Future of ICS Security ProductsThe Future of ICS Security Products
The Future of ICS Security Products
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
 

Destacado

PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code Protection
Digital Bond
 
PT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening GuidePT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening Guide
qqlan
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
qqlan
 

Destacado (20)

ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)ICS Security Training ... What Works and What Is Needed (Japanese)
ICS Security Training ... What Works and What Is Needed (Japanese)
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015Remote Control Automobiles at ESCAR US 2015
Remote Control Automobiles at ESCAR US 2015
 
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)Dynamic Zoning Based On Situational Activity in ICS (Japanese)
Dynamic Zoning Based On Situational Activity in ICS (Japanese)
 
Incubation of ICS Malware (English)
Incubation of ICS Malware (English)Incubation of ICS Malware (English)
Incubation of ICS Malware (English)
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Accelerating OT - A Case Study
Accelerating OT - A Case StudyAccelerating OT - A Case Study
Accelerating OT - A Case Study
 
Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)Survey and Analysis of ICS Vulnerabilities (Japanese)
Survey and Analysis of ICS Vulnerabilities (Japanese)
 
Monitoring ICS Communications
Monitoring ICS CommunicationsMonitoring ICS Communications
Monitoring ICS Communications
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Unidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICSUnidirectional Security Appliances to Secure ICS
Unidirectional Security Appliances to Secure ICS
 
PLC Code Protection
PLC Code ProtectionPLC Code Protection
PLC Code Protection
 
Havex Deep Dive (English)
Havex Deep Dive (English)Havex Deep Dive (English)
Havex Deep Dive (English)
 
Windows Service Hardening
Windows Service HardeningWindows Service Hardening
Windows Service Hardening
 
The RIPE Experience
The RIPE ExperienceThe RIPE Experience
The RIPE Experience
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
PT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening GuidePT - Siemens WinCC Flexible Security Hardening Guide
PT - Siemens WinCC Flexible Security Hardening Guide
 
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat SheetICS/SCADA/PLC Google/Shodanhq Cheat Sheet
ICS/SCADA/PLC Google/Shodanhq Cheat Sheet
 

Similar a Should I Patch My ICS?

Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
PECB
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
Infocyte
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
Cu Nguyen
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
EnclaveSecurity
 

Similar a Should I Patch My ICS? (20)

Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Managing security threats in today’s enterprise
Managing security threats in today’s enterpriseManaging security threats in today’s enterprise
Managing security threats in today’s enterprise
 
The New Security Practitioner
The New Security PractitionerThe New Security Practitioner
The New Security Practitioner
 
Hardware Security on Vehicles
Hardware Security on VehiclesHardware Security on Vehicles
Hardware Security on Vehicles
 
Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032Improve Cybersecurity posture by using ISO/IEC 27032
Improve Cybersecurity posture by using ISO/IEC 27032
 
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local GovernmentTIG / Infocyte: Proactive Cybersecurity for State and Local Government
TIG / Infocyte: Proactive Cybersecurity for State and Local Government
 
Fundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product DevelopmentFundamental Best Practices in Secure IoT Product Development
Fundamental Best Practices in Secure IoT Product Development
 
Beyond security testing
Beyond security testingBeyond security testing
Beyond security testing
 
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS NetworksLessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
Manoj Purandare - Application Security - Secure Code Assessment Program - Pre...
 
Web Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN TestingWeb Application Security: Beyond PEN Testing
Web Application Security: Beyond PEN Testing
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Nagios Conference 2014 - Jorge Higueros - SNAPS
Nagios Conference 2014 - Jorge Higueros - SNAPSNagios Conference 2014 - Jorge Higueros - SNAPS
Nagios Conference 2014 - Jorge Higueros - SNAPS
 
LoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated CybersecurityLoginCat - Zero Trust Integrated Cybersecurity
LoginCat - Zero Trust Integrated Cybersecurity
 
Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015Keynote at the Cyber Security Summit Prague 2015
Keynote at the Cyber Security Summit Prague 2015
 
Information Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to MeasurementInformation Assurance Metrics: Practical Steps to Measurement
Information Assurance Metrics: Practical Steps to Measurement
 
The myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MISThe myth of secure computing; management information system; MIS
The myth of secure computing; management information system; MIS
 

Más de Digital Bond

HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
Digital Bond
 

Más de Digital Bond (8)

Assessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS SolutionsAssessing the Security of Cloud SaaS Solutions
Assessing the Security of Cloud SaaS Solutions
 
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
Unsolicited Response - Getting BACnet Off of the Internet (Japanese)
 
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
Sharing Plant Data with Phones, Tablets and the Cloud (Englsh)
 
Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze It
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
 

Último

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 

Último (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Should I Patch My ICS?

  • 1. It’s My Job To Secure Our Control Systems Should I Patch? Dale Peterson of Digital Bond peterson@digitalbond.com Twitter: @digitalbond / Instagram: @s4xphoto
  • 2. It’s a Big and Difficult Job •  Technology challenges •  Cultural challenges •  Budgeting challenges •  Measurement challenges Good Security Practices
  • 3. Good Security Practice ü Patching is a good security practice ü Patching will reduce risk But By How Much? Disclaimer: Periodic (annual, bi-annual) patching and updates are part of a cyber maintenance program to maintain a supportable system … but not necessarily warranted for risk reduction related to a cyber attack
  • 4.
  • 5. Important Term: Insecure By Design •  An attacker does not need a vulnerability to accomplish his goal –  Loss of control, loss of view, deceptive view –  Search Digital Bond Project Basecamp for videos and info •  Attacker uses legitimate features and functions to achieve goal Insecure By Design Is Much Worse Than A Lack of Secure By Design
  • 6.
  • 7. Keep Two Divergent Thoughts In Your Head 1.  ICS protocols, design, deployment, operation and maintenance need dramatic changes if you believe there are people who want to do bad things Push Hard For Secure, True NextGen Solutions 2.  I’m stuck with an Insecure By Design legacy system or Insecure By Design choices for new solutions (TRAGIC in 2016) Triage: Efficient Risk Reduction
  • 8. Efficient Risk Reduction Where will you maximize risk reduction for the next dollar or hour spent?
  • 9. ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices
  • 10. Case 1: Insecure By Design Devices •  2015: 1 Modicon Alert & 2 Advisories –  Hard coded credential, stack overflow on TCP/80, XSS / RFI –  Firmware upgrades •  Function code 90 –  All an attacker would want/need –  Modicon_stux_transfer Metasploit module –  Unity/EWS software capability •  No need for a vulnerability
  • 11. Another Insecure By Design Case •  CoDeSys Gateway and Runtime Tools –  3 Advisories in 2015: 2 x Null Pointer Denial of Service, 1 x Heap Overflow –  Patches issued, yes but … •  Replay of my 2013 SANS talk –  Unauthenticated logic / program upload still there –  CoDeSys is ported to numerous OS –  Some OS allow attacker to gain root on the device and use it as an attack platform for the ICS
  • 12. Warning #1 ICS patches often stop the exploit code, but don’t fix the vulnerability
  • 13. Warning #2 Engineering Work Station (EWS) authentication is typically only authenticating the user to the EWS application, not to the PLC Attackers go right at the PLC
  • 14. ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone
  • 15. Insecure By Design Zone •  Main reason why most security patching provides minimal risk reduction
  • 16.
  • 17. Examples •  Windows XP Panels connected to Insecure By Design PLC/RTU –  Hacking the panel is actually an extra, unnecessary step for an attacker •  Hacking RSLogix/RSLinx or most other engineering workstations –  If an attacker is on the network he doesn’t need the EWS or HMI •  Hacking a SCADA Server –  Depends if there are internal ICS zones Most ICS are flat at Levels 1 and 2
  • 18.
  • 19. Prioritized Security Patching •  Create groups and patch frequency based on efficient risk reduction •  Example: –  Priority 1 (ASAP / Monthly): Anything accessible from an untrusted zone, such as systems in an ICS DMZ, perimeter security devices, removable media transfer stations •  Typically don’t affect operations •  Should be a very small number or you are doing something wrong –  Priority 2 (Quarterly): Anything that communicates with Priority 1 computers … or ... most critical ICS components in a further segmented zone … or … –  Priority 3 (Annual): Everything else for cyber maintenance
  • 20. 2015 Examples •  Priority 1 Examples –  Historians like OSIsoft PI family (2 Advisories) –  DNP3 Stacks in SCADA system with unmanned remote sites •  Project ROBUS vulnerabilities were hugely important •  2 Advisories (Kepware and TOP Server) –  OT firewalls: 1 advisory for mGuard but only denial of service –  Remote access solutions ... Siemens SPCanywhere Advisory •  Not in ICS-CERT –  IT firewall and router vulns, RDP vulns, database vulns, …
  • 21. Consider All Of The Software •  Operating System •  3rd Party Applications •  ICS Applications •  Libraries and Components that are often hidden –  Triangle Microworks DNP3 Stacks (from Robus in 2013/2014) –  CoDeSys Software Inventory is Key
  • 22.
  • 23. ICS-CERT Numbers Are Almost Meaningless •  They do: –  Indicate the level of effort by researchers willing to disclose vulns –  Indicate what products researchers can access •  They do not: –  Provide any metric related to ICS code quality –  Provide any metric to what vendors are better or worse in security –  Provide any metric related to quantity or skill level of threat agents –  Provide any data about what sectors are being targeted by attackers
  • 24. Better ICS-CERT Statistics To Track •  Does the vendor have a published security contact with PGP key? •  How long did it take the vendor to respond to ICS-CERT? •  Did the vendor test and disclose if the vuln was in other products? •  Is the vulnerability in an insecure by design product? •  Did the vendor fix the vuln and has the fix been validated? •  Does the vendor have key elements of an SDL DHS/ICS-CERT Should Focus Efforts
  • 25. ICS-CERT Issues An Alert / Advisory Should I Patch? How much risk reduction for the effort? 1.  Insecure By Design Devices 2.  Insecure By Design Zone 3.  Low Impact If Compromised
  • 26. Low Impact If Compromised •  Many components provide low value –  Monitoring of tank farm when a human checks level daily –  Metering when back end checks will detect fraud •  Many components have mechanical, offline or secondary processes in place to prevent medium or high impact events WARNING: Be sure, assume a malicious directed attack, and don’t rely on a networked safety system for low impact
  • 27. So What Should I Be Doing •  Focus on your physical and cyber security perimeter •  Focus on devices accessible through the cyber security perimeter •  Insure you have Recovery Time Objectives (RTO) set by management and can meet them –  RTO is based on recovering capabilities not computers •  Detect when you are being attacked / have been compromised ___________ •  Develop and measure a Cyber Maintenance Program