Presented @ Emerson Exchange
October 7, 2014
Industrial control systems (ICS) are not simply large information technology (IT) systems. Unlike office IT systems, failure of an ICS can cause plant outages and even physical damage, so ICS must be managed differently and more deliberately. IT vendors frequently recommend patches and configuration changes; most have no impact on the ICS, and the ICS cannot apply changes in real time anyway. An ICS typically gets one chance every few years to make changes: the turnaround. This paper describes optimization of ICS turnaround work, using cyber-vulnerability assessment to focus the turnaround work on only what is necessary.
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade Activities During Turnaround
1. Using a CVA to Optimize ICS Upgrade Activities During a Turnaround
Jim Gilsinn
Kenexis Security
2. Presenter
Jim Gilsinn
– Senior Investigator, Kenexis Security
– Current Co-Chair, ISA99 Committee (ISA/IEC 62443)
– Current Co-Chair, ISA99 WG2 Security Program
– 23 years engineering, 13 years ICS cyber security experience
– MSEE specializing in control theory
3. Overview
The Situation
Understanding Threats to ICS
The ICS-CVA Process
Using an ICS-CVA for Planning
Summary
5. The Challenge
Security Researcher: You have 438 Critical Vulnerabilities!
Security Researcher: I could take control of your PLC from the Internet and do …!
Plant Manager: So what? I’m not connected to the Internet.
Security Researcher: I can write a worm that will make the PLC overspeed the turbine and put it into surge!
Plant Manager: Good luck! There is a machine protection system separate from the PLC.
Security Researcher: Well… fine… You need to patch all these vulnerabilities!
Plant Manager: My next scheduled shutdown is in 330 days. Is this important enough to warrant a shutdown?
6. The Challenge (cont’d)
Security Researcher: Of course!
Plant Manager: Why? I don’t process credit cards. I don’t run public websites.
Security Researcher: I can take control of the boiler and blow it up!
Plant Manager: So you set the PLC to over-pressure the boiler?
Security Researcher: Yes!!!
Plant Manager: There are relief valves. Have a nice day…
7. The Cyber Security Threat
2014 Data Breach Incident Report shows a 3x increase over 2013
Over 256 incidents involving OT networks in 2013 were reported to ICS-CERT
– Voluntarily reported by ICS owner/operators
– Most go undetected or unreported
Most major vendors have known vulnerabilities reported to ICS-CERT
8. Customer Concerns
Fragile OT networks, often caused by communication problems
– Unexplained process stoppages
– Slow HMI updates
At-risk or insecure OT networks
– Discrepancies between business and process support systems (e.g. MES, ERP, LIMS, historians)
– Unauthorized remote connections to OT networks
– Unauthorized changes to PLCs, DCS, or other systems
– Viruses or malware from OT networks reported by IT staff
Communication errors & network problems:
– Risk production uptime
– Threaten process safety
– Open the OT network to cyber security threats
9. ICS Network & Security Failures
Intermittent Failures
– Corrected by logic conditions in the system
– Minimal to no process interruption
Nuisance Trips
– Corrected by logic conditions and fail safes
– Minor process interruptions
Unplanned outages
– Handled by maintenance personnel & layers of protection
– Sustained process interruptions & failures
Dangerous failures
– Kinetic and safety impacts
– Handled by emergency personnel & layers of protection
– Extended process interruptions & failures
10. Risk Management for Plant Managers: 3 Easy Steps
What is it?
Is it real?
What do I do about it?
Safety Risks Require Action…
If you cannot qualify the risk AND give a solution, you are wasting their time
12. Device Vulnerabilities: The Reality
Many think, “8:01am – Cyber Attack, 8:03am – Plant Goes Boom!”
Compromising an individual ICS component is of limited value
Significant failures require compromise & disabling of multiple components
True exploits are not needed to affect most parts of the process
A combination of factors is required to move from nuisance trips to more significant failures
– Cyber security knowledge
– Process knowledge
– ICS knowledge
13. Attack Modes for ICS
Loss of View (LoV)
Manipulation of View (MoV)
Denial of Control (DoC)
Manipulation of Control (MoC)
Loss of Control (LoC)
Model each part of the process in terms of how an attacker would bypass protective systems
15. Turbine Overspeed Scenario: Simplified Turbine Model
Figure: simplified model of a steam turbine for power generation, showing the generator disconnect switch, the safety valve, and the speed transmitter.
16. Turbine Overspeed Scenario: Creating the Turbine Overspeed
Disable the overspeed trip system
– Option 1 – “Force” the output of the safety valve
– Option 2 – Freeze the value of the speed transmitter
Disconnect the load from the generator
– Option 1 – Command the generator disconnect switch to the open position
– Option 2 – Open multiple disconnect switches at power distributors or consumers
17. Turbine Overspeed Scenario: Attack Methodology
Part 1 – Conduct Surveillance
Part 2 – Map Systems
Part 3 – Infect & Compromise
Part 4 – Exfiltrate Information
Part 5 – Prepare Final Attack
Part 6 – Initiate Attack for Max Damage
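As an added example, not part of the original slides: the two-step overspeed scenario above can be written as a small attack tree and its minimal cut sets computed. That makes the claim on slide 12 (compromising a single ICS component is of limited value) checkable rather than asserted, and shows concretely why the "SIS in place of controllers" recommendation later in the deck matters. The AND/OR structure follows slide 16; the mapping of each basic event to the component an attacker must compromise (PLC-101, SIS-1, grid_distribution) is an assumed illustration, not something the deck states.

```python
"""Attack-tree cut-set analysis for the turbine overspeed scenario.

Added example. The event-to-component mappings below are assumed for
illustration and do not describe any real plant.
"""
from itertools import product

# Slide 16: overspeed needs BOTH the trip system disabled AND the load
# disconnected; each step has two alternative ways to achieve it.
TURBINE_OVERSPEED = ("AND", [
    ("OR", ["force_safety_valve_output", "freeze_speed_transmitter"]),
    ("OR", ["command_generator_disconnect", "open_distribution_switches"]),
])

# Assumed layout 1: the trip interlock runs in the same PLC that also
# commands the generator disconnect, and the speed transmitter is wired
# only to that PLC.
INTERLOCK_IN_PLC = {
    "force_safety_valve_output": "PLC-101",
    "freeze_speed_transmitter": "PLC-101",
    "command_generator_disconnect": "PLC-101",
    "open_distribution_switches": "grid_distribution",
}

# Assumed layout 2 ("SIS in place of controllers"): the trip logic and its
# speed input live in a separate safety instrumented system.
INTERLOCK_IN_SIS = {
    "force_safety_valve_output": "SIS-1",
    "freeze_speed_transmitter": "SIS-1",
    "command_generator_disconnect": "PLC-101",
    "open_distribution_switches": "grid_distribution",
}


def minimize(sets):
    """Drop any cut set that is a strict superset of another one."""
    return {s for s in sets if not any(other < s for other in sets)}


def cut_sets(node):
    """Minimal cut sets of an attack tree built from ("AND"|"OR", children)
    tuples and basic-event strings, returned as a set of frozensets."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":            # any one child's cut set suffices
        combined = set().union(*child_sets)
    elif gate == "AND":         # one cut set from every child is required
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimize(combined)


def component_cut_sets(event_sets, event_to_component):
    """Translate event-level cut sets into the components an attacker must
    actually compromise; two events on one box collapse to a single entry."""
    return minimize({frozenset(event_to_component[e] for e in s) for s in event_sets})


def min_compromises(component_sets):
    """Fewest distinct components whose compromise produces the top event."""
    return min(len(s) for s in component_sets)


def compare_layouts():
    """Return (event cut sets, component sets with PLC interlock, with SIS)."""
    events = cut_sets(TURBINE_OVERSPEED)
    return (events,
            component_cut_sets(events, INTERLOCK_IN_PLC),
            component_cut_sets(events, INTERLOCK_IN_SIS))


if __name__ == "__main__":
    events, with_plc, with_sis = compare_layouts()
    print(f"{len(events)} event-level cut sets, each needing {min(map(len, events))} events")
    print("interlock in PLC ->", min_compromises(with_plc), "component(s):", [sorted(s) for s in with_plc])
    print("interlock in SIS ->", min_compromises(with_sis), "component(s):", [sorted(s) for s in with_sis])
```

At the event level every cut set has two members, which is the slide's point: a single forced output or a single frozen transmitter does nothing on its own. At the component level the picture depends on where the logic runs. With the interlock in the control PLC the four event pairs collapse to one box, so one compromise is enough; with the trip in a separate SIS the attacker needs two independent footholds, which is the layer-of-protection argument the plant manager makes in the dialogue.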
20. Requirements to Conduct an ICS-CVA
ICS-CVA = ICS Cyber Vulnerability Assessment
Regulatory
– Annual basis by NERC CIP, CFATS, etc.
Standards & Guidelines
– Periodic basis by ISA/IEC 62443 (ISA-99), NIST Cybersecurity Framework, AWWA, NERC, etc.
21. Conducting an ICS-CVA
Understand the effect of different systems on OT networks
– Installed base of equipment
– Information/IT systems
Should be part of validation
Recommended to be performed:
– After initial implementation of the ICS
– After major modifications to the ICS
– Periodically
Specific requirements for an ICS-CVA are defined in regulations, standards, & guidelines
22. The ICS-CVA Process
Documentation Collection & Review
– Network Architecture
– Piping, Instrumentation, and Engineering Diagrams
– Asset Inventory
Network Traffic Capture
– Capture traffic (via tcpdump, Wireshark, etc.) at managed switches via a mirror port for a given time
23. The ICS-CVA Process (cont’d)
Ping Sweep
– Identify live hosts (via nmap)
– Verify Asset Inventory
– Identify Unknown/Rogue Devices
Port Scan Per Device
– Detect open ports & services (via nmap)
– Identify operating system
Service Detection
– Grab banners from active services (via nmap or netcat)
– Verify validity of open ports
– Detect known vulnerable ports/services
24. The ICS-CVA Process (cont’d)
Vulnerability Scanning
– Automated (via Nessus, Nexpose, etc.)
– Manual (via nmap, netcat, Metasploit, etc.)
– Examination of vulnerability databases (e.g. NIST NVD, A/V vendors, proprietary, etc.)
Open-Source Intelligence Collection
– Determine leakage of information (via Google, Shodan, Maltego, ARIN, custom code, etc.)
– Identify devices exposed to the internet
– Identify leaks of proprietary information (.doc, .pdf, etc.)
– Determine ease of identifying devices
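As an added example that is not part of the original deck: the ping sweep, port scan and service detection steps above produce output that is usually reconciled against the asset inventory by hand. The Python below does that reconciliation offline against a constructed asset inventory and a constructed nmap grepable (-oG) result: it reports hosts that answered but are not inventoried (rogue devices) and inventoried hosts that did not answer, flags control-protocol listeners on assets the inventory does not describe as controllers, and flags remote-access or clear-text management services that each need a justification. Addresses, asset names and scan output are constructed, not from any real plant; conservative_nmap_argv is the invocation this sample output assumes and encodes the scan-intensity caveat that matters on fragile OT networks.

```python
"""Offline post-processing of ICS-CVA discovery results.

Added example. The asset inventory, addresses and nmap output below are
constructed sample data, not taken from any real plant.
"""
import re

# Owner/operator's asset inventory (constructed).
ASSET_INVENTORY = {
    "192.168.10.5": "PLC-101 turbine speed controller",
    "192.168.10.6": "SIS-1 overspeed trip (safety PLC)",
    "192.168.10.20": "HMI-1 operator station",
    "192.168.10.30": "HIST-1 process historian",
}

# Control-protocol listeners: expected on controllers, worth a question anywhere else.
ICS_SERVICES = {
    (502, "tcp"): "Modbus/TCP",
    (102, "tcp"): "Siemens S7comm (ISO-TSAP)",
    (20000, "tcp"): "DNP3",
    (44818, "tcp"): "EtherNet/IP explicit messaging",
}

# Remote-access or clear-text management services that must each be justified.
SUSPECT_SERVICES = {
    (21, "tcp"): "ftp",
    (23, "tcp"): "telnet",
    (3389, "tcp"): "rdp",
    (5900, "tcp"): "vnc",
}

# Inventory role keywords for which a control-protocol listener is expected.
CONTROLLER_ROLE_TAGS = ("PLC", "SIS", "RTU", "controller")

# Constructed nmap -oG output for the invocation built by conservative_nmap_argv().
NMAP_GREPABLE = (
    "# Nmap 7.80 scan initiated as: nmap -sT -Pn -T2 --max-retries 1 "
    "-p 21,23,80,102,502,3389,5900,20000,44818 -oG - 192.168.10.0/24\n"
    "Host: 192.168.10.5 ()\tStatus: Up\n"
    "Host: 192.168.10.5 ()\tPorts: 502/open/tcp//mbap///, 80/open/tcp//http//Embedded web server/\tIgnored State: closed (7)\n"
    "Host: 192.168.10.6 ()\tStatus: Up\n"
    "Host: 192.168.10.6 ()\tPorts: 502/open/tcp//mbap///\tIgnored State: closed (8)\n"
    "Host: 192.168.10.20 ()\tStatus: Up\n"
    "Host: 192.168.10.20 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 502/open/tcp//mbap///\tIgnored State: filtered (7)\n"
    "Host: 192.168.10.77 ()\tStatus: Up\n"
    "Host: 192.168.10.77 ()\tPorts: 23/open/tcp//telnet///, 502/open/tcp//mbap///\tIgnored State: closed (7)\n"
    "# Nmap done -- 256 IP addresses (4 hosts up) scanned\n"
)

HOST_LINE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def conservative_nmap_argv(targets, ports):
    """Scan options the sample output assumes: TCP connect scan (-sT), no host
    discovery probes (-Pn), polite timing (-T2), a single retry, an explicit
    port list, and no -sV/-O, because version/OS probes and aggressive timing
    have been known to fault fragile controllers. Verify on a test segment first."""
    return ["nmap", "-sT", "-Pn", "-T2", "--max-retries", "1",
            "-p", ",".join(str(p) for p in ports), "-oG", "-", *targets]


def parse_grepable(text):
    """Parse nmap -oG output into {ip: [(port, proto, state, service, version), ...]}.
    Hosts that answered but showed no open ports are kept with an empty list."""
    hosts = {}
    for line in text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue
        ip, _hostname, rest = match.groups()
        hosts.setdefault(ip, [])
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Field layout: port/state/proto/owner/service/rpcinfo/version/
                port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
                hosts[ip].append((int(port), proto, state, service, version))
    return hosts


def reconcile(inventory, scanned):
    """Return (ip, kind, detail) findings: rogue and missing hosts, control
    protocols listening on non-controller assets, and suspect services."""
    findings = []
    for ip in sorted(set(scanned) - set(inventory)):
        findings.append((ip, "rogue", "responded but is not in the asset inventory"))
    for ip in sorted(set(inventory) - set(scanned)):
        findings.append((ip, "missing", "inventoried but did not respond (down, filtered, or mis-inventoried)"))
    for ip, ports in scanned.items():
        role = inventory.get(ip, "UNKNOWN")
        for port, proto, state, _service, _version in ports:
            if state != "open":
                continue
            key = (port, proto)
            if key in ICS_SERVICES and not any(tag in role for tag in CONTROLLER_ROLE_TAGS):
                findings.append((ip, "ics-protocol", f"{ICS_SERVICES[key]} listener on '{role}'"))
            if key in SUSPECT_SERVICES:
                findings.append((ip, "suspect-service", f"{SUSPECT_SERVICES[key]}/{port} open on '{role}'"))
    return findings


if __name__ == "__main__":
    ports = sorted({p for p, _ in ICS_SERVICES} | {p for p, _ in SUSPECT_SERVICES} | {80})
    print(" ".join(conservative_nmap_argv(["192.168.10.0/24"], ports)))
    for ip, kind, detail in reconcile(ASSET_INVENTORY, parse_grepable(NMAP_GREPABLE)):
        print(f"{ip:<15} {kind:<16} {detail}")
```

Each finding is a question for the site, not a verdict: the historian that did not answer may simply be behind a firewall, and Modbus on the HMI may be a legitimate gateway, but both belong on the list that feeds the turnaround plan. Keeping the scan to an explicit TCP connect with polite timing is the part practitioners most often regret skipping; the same reconciliation can be run from a passive tcpdump capture at the mirror port when even that is judged too risky for the installed base.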
25. The ICS-CVA Process (cont’d)
Process Vulnerability Analysis
– P&ID
– HAZOP for max damage/impact scenarios
– Zone and conduit & security level analysis
– Vulnerability analysis with emphasis on physical impacts
– Failure Modeling
– Attack Modeling
27. ICS-CVA Results & Recommendations
Network improvements
– Architecture, zones, upgraded infrastructure, layering, etc.
Cyber security improvements
– Patching, policies/procedures, firewalls, etc.
Device improvements
– Upgraded firmware & hardware
Facility siting & physical security
– Barriers to entry
– Access control
SIS in place of controllers
– Safety interlocks replaced by SIS
28. Preparing for Turnaround
Conduct an ICS-CVA well before turnaround
– 6-9+ months prior, depending on turnaround scope, magnitude, duration, etc.
– Allow for new designs, capital expenditures, personnel training, etc.
Stage equipment prior to turnaround
– Prepare equipment with necessary firmware upgrades, programs, etc.
– If possible, test equipment in a lab prior to deployment
30. Summary
Engineering problems require engineering solutions!
Vulnerability analysis & discovery are a useful exercise, but they stop at device impact
Qualifying the threat means that the process must be considered
ICS-CVA includes all of the above
ICS-CVA can be used as a planning tool for improvements
31. Where To Get More Information
Jim Gilsinn
– Email: jim.gilsinn@kenexis.com
– Phone: +1-614-323-2254
– Twitter: @JimGilsinn
– LinkedIn: http://www.linkedin.com/in/jimgilsinn/
– SlideShare: http://www.slideshare.net/gilsinnj
– Website: http://www.kenexis.com
32. Thank You for Attending!
Enjoy the rest of the conference.