Using a CVA to Optimize ICS Upgrade Activities During a Turnaround
Jim Gilsinn
Kenexis Security
Presenter
• Jim Gilsinn
  – Senior Investigator, Kenexis Security
  – Current Co-Chair, ISA99 Committee (ISA/IEC 62443)
  – Current Co-Chair, ISA99 WG2 Security Program
  – 23 years engineering, 13 years ICS cyber security experience
  – MSEE specializing in control theory
Overview
• The Situation
• Understanding Threats to ICS
• The ICS-CVA Process
• Using an ICS-CVA for Planning
• Summary
THE SITUATION
The Challenge
Security Researcher: You have 438 Critical Vulnerabilities! I could take control of your PLC from the Internet and do …!
Plant Manager: So what? I’m not connected to the Internet.
Security Researcher: I can write a worm that will make the PLC overspeed the turbine and put it into surge!
Plant Manager: Good luck! There is a machine protection system separate from the PLC.
Security Researcher: Well… fine… You need to patch all these vulnerabilities!
Plant Manager: My next scheduled shutdown is in 330 days. Is this important enough to warrant a shutdown?
The Challenge (cont’d)
Security Researcher: Of course!
Plant Manager: Why? I don’t process credit cards. I don’t run public websites.
Security Researcher: I can take control of the boiler and blow it up!
Plant Manager: So you set the PLC to over-pressure the boiler?
Security Researcher: Yes!!!
Plant Manager: There are relief valves. Have a nice day…
The Cyber Security Threat
• 2014 Data Breach Incident Report shows a 3x increase over 2013
• Over 256 incidents involving OT networks in 2013 reported to ICS-CERT
  – Voluntarily reported by ICS owner/operators
  – Most go undetected or unreported
• Most major vendors have known vulnerabilities reported to ICS-CERT
Customer Concerns
• Fragile OT networks, often caused by communication problems
  – Unexplained process stoppages
  – Slow HMI updates
• At-risk or insecure OT networks
  – Discrepancies between business and process support systems (e.g. MES, ERP, LIMS, Historians)
  – Unauthorized remote connections to OT networks
  – Unauthorized changes to PLCs, DCS, or other systems
  – Viruses or malware from OT networks reported by IT staff
Communication errors & network problems:
  – Put production uptime at risk
  – Threaten process safety
  – Open the OT network to cyber security threats
ICS Network & Security Failures
• Intermittent Failures
  – Corrected by logic conditions in the system
  – Minimal to no process interruption
• Nuisance Trips
  – Corrected by logic conditions and fail-safes
  – Minor process interruptions
• Unplanned Outages
  – Handled by maintenance personnel & layers of protection
  – Sustained process interruptions & failures
• Dangerous Failures
  – Kinetic and safety impacts
  – Handled by emergency personnel & layers of protection
  – Extended process interruptions & failures
Risk Management for Plant Managers: 3 Easy Steps
• What is it?
• Is it real?
• What do I do about it?
Safety Risks Require Action…
If you cannot qualify the risk AND give a solution, you are wasting their time.
UNDERSTANDING THREATS TO ICS
Device Vulnerabilities: The Reality
• Many think, “8:01am – Cyber Attack, 8:03am – Plant Goes Boom!”
• Compromising an individual ICS is of limited value
• Significant failures require compromise & disabling of multiple components
• True exploits are not needed for most parts of the process
• A combination of factors is required to move from nuisance trips to more significant failures
  – Cyber security knowledge
  – Process knowledge
  – ICS knowledge
Attack Modes for ICS
• Loss of View (LoV)
• Manipulation of View (MoV)
• Denial of Control (DoC)
• Manipulation of Control (MoC)
• Loss of Control (LoC)
Model each part of the process in terms of how an attacker would bypass protective systems.
Turbine Overspeed Scenario: Process Flow Diagram
[Figure: process flow diagram for electrical power generation with a steam turbine]
Turbine Overspeed Scenario: Simplified Turbine Model
[Figure: simplified model of a steam turbine for power generation, showing the generator disconnect switch, the safety valve, and the speed transmitter]
Turbine Overspeed Scenario: Creating the Turbine Overspeed
• Disable the overspeed trip system
  – Option 1 – “Force” the output of the safety valve
  – Option 2 – Freeze the value of the speed transmitter
• Disconnect the load from the generator
  – Option 1 – Command the generator disconnect switch to the open position
  – Option 2 – Open multiple disconnect switches at power distributors or consumers
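Both ways of disabling the trip system listed above leave a trace a defender can look for: a frozen transmitter stops showing measurement noise while the governor keeps moving, and a forced output disagrees with the trip logic that is supposed to drive it. The plausibility checks below are an added example, not from the talk; the sample data, the noise floor, the window size and the trip setpoint are all constructed assumptions.

```python
"""Plausibility checks for the two trip-system failure modes named above:
a frozen speed transmitter and a forced safety-valve output.

Added example, not from the talk. All data below is constructed; the
thresholds are illustrative assumptions, not values from any real turbine.
"""
from collections import deque

TRIP_RPM = 3300.0  # assumed overspeed trip setpoint (constructed)

# Constructed 1 Hz samples: (speed transmitter rpm, governor valve position %).
# From index 7 onward the speed reading is frozen at 3000.0 while the
# governor valve keeps opening, which a live transmitter would not show.
SAMPLES = [
    (2998.4, 60.0), (2999.1, 60.5), (3000.2, 61.0), (2999.7, 60.8),
    (3000.5, 61.3), (3001.0, 61.9), (2999.8, 61.5), (3000.0, 62.0),
    (3000.0, 62.6), (3000.0, 63.4), (3000.0, 64.1), (3000.0, 65.0),
    (3000.0, 66.2), (3000.0, 67.5),
]


class FrozenSignalDetector:
    """Flags a process value that stops moving while its driving output moves.

    A real transmitter shows measurement noise. A window of readings whose
    span is below the noise floor, while the control output changes by more
    than min_output_change, is treated as a frozen or stale signal.
    """

    def __init__(self, window=6, pv_noise_floor=0.05, min_output_change=1.0):
        self.window = window
        self.pv_noise_floor = pv_noise_floor
        self.min_output_change = min_output_change
        self._pv = deque(maxlen=window)
        self._out = deque(maxlen=window)

    def update(self, pv, output):
        """Feed one sample; return True when the current window looks frozen."""
        self._pv.append(pv)
        self._out.append(output)
        if len(self._pv) < self.window:
            return False  # not enough history yet
        pv_span = max(self._pv) - min(self._pv)
        out_span = max(self._out) - min(self._out)
        return pv_span <= self.pv_noise_floor and out_span >= self.min_output_change


def first_frozen_index(samples, **kwargs):
    """Index of the first sample at which the detector alarms, or None."""
    det = FrozenSignalDetector(**kwargs)
    for i, (pv, out) in enumerate(samples):
        if det.update(pv, out):
            return i
    return None


def trip_output_mismatch(speed_rpm, valve_tripped, trip_rpm=TRIP_RPM):
    """True when speed is above the trip setpoint but the valve has not tripped.

    The trip logic must drive the safety valve to its tripped state whenever
    speed exceeds the setpoint. A valve still reporting "not tripped" above
    the setpoint suggests the output is being forced rather than driven by
    the logic (or the valve feedback is wrong) and should be investigated.
    Trips usually latch, so a tripped valve below setpoint is not flagged.
    """
    return speed_rpm >= trip_rpm and not valve_tripped


if __name__ == "__main__":
    idx = first_frozen_index(SAMPLES)
    print("frozen speed signal first detected at sample index", idx)  # 12
    print("forced-output suspicion at 3350 rpm, valve not tripped:",
          trip_output_mismatch(3350.0, valve_tripped=False))  # True
```

In practice the speed check would run against the historian or the SIS event log, and a second, independent speed measurement (where one exists) gives a stronger cross-check than the governor output alone.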
Turbine Overspeed Scenario: Attack Methodology
• Part 1 – Conduct Surveillance
• Part 2 – Map Systems
• Part 3 – Infect & Compromise
• Part 4 – Exfiltrate Information
• Part 5 – Prepare Final Attack
• Part 6 – Initiate Attack for Max Damage
Potential Process Attack Points
• Controller setpoints
• I/O values
• Controller commands
• Alarm conditions
• Safety interlocks
• Interconnected or integrated SIS
THE ICS-CVA PROCESS
Requirements to Conduct an ICS-CVA
• ICS-CVA = ICS Cyber Vulnerability Assessment
• Regulatory
  – Annual basis by NERC CIP, CFATS, etc.
• Standards & Guidelines
  – Periodic basis by ISA/IEC 62443 (ISA-99), NIST Cybersecurity Framework, AWWA, NERC, etc.
Conducting an ICS-CVA
• Understand the effect of different systems on OT networks
  – Installed base of equipment
  – Information/IT systems
• Should be part of validation
• Recommended to be performed:
  – After initial implementation of the ICS
  – After major modifications to the ICS
  – Periodically
• Specific requirements for an ICS-CVA are defined in regulations, standards, & guidelines
The ICS-CVA Process
• Documentation Collection & Review
  – Network Architecture
  – Piping, Instrumentation, and Engineering Diagrams
  – Asset Inventory
• Network Traffic Capture
  – Capture traffic (via tcpdump, Wireshark, etc.) at managed switches via mirror port for a given time
The ICS-CVA Process (cont’d)
• Ping Sweep
  – Identify live hosts (via nmap)
  – Verify Asset Inventory
  – Identify Unknown/Rogue Devices
• Port Scan Per Device
  – Detect open ports & services (via nmap)
  – Identify operating system
• Service Detection
  – Grab banners from active services (via nmap or netcat)
  – Verify validity of open ports
  – Detect known vulnerable ports/services
The ICS-CVA Process (cont’d)
• Vulnerability Scanning
  – Automated (via Nessus, Nexpose, etc.)
  – Manual (via nmap, netcat, Metasploit, etc.)
  – Examination of vulnerability databases (e.g. NIST, A/V vendors, proprietary, etc.)
• Open-Source Intelligence Collection
  – Determine information leakage (via Google, Shodan, Maltego, ARIN, custom code, etc.)
  – Identify devices exposed to the Internet
  – Identify leaks of proprietary information (.doc, .pdf, etc.)
  – Determine ease of identifying devices
The ICS-CVA Process (cont’d)
• Process Vulnerability Analysis
  – P&ID
  – HAZOP for max damage/impact scenarios
  – Zone and conduit & security level analysis
  – Vulnerability analysis with emphasis on physical impacts
  – Failure Modeling
  – Attack Modeling
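The ping-sweep, port-scan and service-detection steps above only pay off when their output is reconciled against the asset inventory. The script below is an added example, not from the talk or from Kenexis: it parses nmap's grepable (-oG) output and reports rogue hosts, inventoried hosts that did not respond, services a device is not approved to expose, and hits on a cleartext-service watch list. The inventory, the scan output and the watch list are all constructed.

```python
"""Reconcile the OT asset inventory against ICS-CVA discovery results.

Added example, not from the talk. It covers the ping-sweep, port-scan and
service-detection steps: parse nmap's grepable (-oG) output, then compare it
with what the asset inventory says should be on the network.
The inventory, the scan output and the watch list are all constructed.
"""
from dataclasses import dataclass, field

# Constructed asset inventory: what the site believes is on the OT network,
# with the TCP services each device is approved to expose.
ASSET_INVENTORY = {
    "192.0.2.10": {"name": "PLC-01", "approved": {502}},    # Modbus/TCP
    "192.0.2.11": {"name": "PLC-02", "approved": {502}},
    "192.0.2.20": {"name": "HMI-01", "approved": {3389}},   # vendor remote support
    "192.0.2.30": {"name": "HIST-01", "approved": {1433}},  # historian database
}

# Constructed nmap -oG output (host lines only; real files also carry
# timestamps and an 'Nmap done' summary). Fields are tab separated.
NMAP_GREPABLE = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 502/open/tcp//mbap///\tIgnored State: closed (999)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 502/open/tcp//mbap///, 80/open/tcp//http//Embedded web server/
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.99 ()\tStatus: Up
Host: 192.0.2.99 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///
"""

# Cleartext services whose presence on an OT network must be explained during
# the CVA. Constructed watch list, not from the talk.
WATCHLIST = {21: "ftp", 23: "telnet", 80: "http"}


def parse_grepable(text):
    """Return {ip: {port: 'service version'}} for open TCP ports in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        hosts.setdefault(ip, {})  # a 'Status: Up' line registers the host
        for fld in fields[1:]:
            if not fld.startswith("Ports:"):
                continue
            # Each entry is port/state/proto/owner/service/rpc/version/
            for entry in fld[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5 or parts[1] != "open":
                    continue
                service = parts[4] or "unknown"
                version = parts[6] if len(parts) > 6 else ""
                hosts[ip][int(parts[0])] = (service + " " + version).strip()
    return hosts


@dataclass
class Findings:
    rogue_hosts: list = field(default_factory=list)          # seen, not inventoried
    missing_hosts: list = field(default_factory=list)        # inventoried, not seen
    unexpected_services: list = field(default_factory=list)  # (ip, name, port, svc)
    watchlist_hits: list = field(default_factory=list)       # (ip, port, svc)


def reconcile(inventory, discovered, watchlist=WATCHLIST):
    """Compare discovery results with the inventory and collect findings."""
    f = Findings()
    f.rogue_hosts = sorted(set(discovered) - set(inventory))
    f.missing_hosts = sorted(set(inventory) - set(discovered))
    for ip, ports in discovered.items():
        for port, svc in sorted(ports.items()):
            if ip in inventory and port not in inventory[ip]["approved"]:
                f.unexpected_services.append((ip, inventory[ip]["name"], port, svc))
            if port in watchlist:
                f.watchlist_hits.append((ip, port, svc))
    return f


if __name__ == "__main__":
    findings = reconcile(ASSET_INVENTORY, parse_grepable(NMAP_GREPABLE))
    print("Rogue/unknown hosts:", findings.rogue_hosts)
    print("Inventoried but not responding:", findings.missing_hosts)
    for ip, name, port, svc in findings.unexpected_services:
        print(f"{name} ({ip}) exposes unapproved port {port}: {svc}")
    for ip, port, svc in findings.watchlist_hits:
        print(f"{ip}:{port} ({svc}) is on the cleartext-service watch list")
```

A host in missing_hosts is not automatically decommissioned: ICS devices often drop ICMP, so confirm against the passive traffic capture before updating the inventory.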
USING AN ICS-CVA FOR PLANNING
ICS-CVA Results & Recommendations
• Network improvements
  – Architecture, zones, upgraded infrastructure, layering, etc.
• Cyber security improvements
  – Patching, policies/procedures, firewalls, etc.
• Device improvements
  – Upgraded firmware & hardware
• Facility siting & physical security
  – Barriers to entry
  – Access control
• SIS in place of controllers
  – Safety interlocks replaced by SIS
Preparing for Turnaround
• Conduct an ICS-CVA well before turnaround
  – 6-9+ months prior, depending on turnaround scope, magnitude, duration, etc.
  – Allow for new designs, capital expenditures, personnel training, etc.
• Stage equipment prior to turnaround
  – Prepare equipment with necessary firmware upgrades, programs, etc.
  – If possible, test equipment in a lab prior to deployment
SUMMARY
Summary
• Engineering problems require engineering solutions!
• Vulnerability analysis & discovery are a useful exercise, but they stop at device-level impact
• Qualifying the threat means that the process must be considered
• ICS-CVA includes all of the above
• ICS-CVA can be used as a planning tool for improvements
Where To Get More Information
• Jim Gilsinn
  – Email: jim.gilsinn@kenexis.com
  – Phone: +1-614-323-2254
  – Twitter: @JimGilsinn
  – LinkedIn: http://www.linkedin.com/in/jimgilsinn/
  – SlideShare: http://www.slideshare.net/gilsinnj
  – Website: http://www.kenexis.com
Thank You for Attending! 
Enjoy the rest of the conference.
