Architecting Secure ICS Environments...What are ICS implementations? •A process is a group of...

Architecting Secure ICS Environments

Don C. Weber - @cutaway

Principal Consultant, Founder

Presented at Wild West Hackin' Fest – Deadwood, SD on October 24, 2019

Cutaway Security, LLC

• Don C. Weber - Jack of All Trades• Security Management• Penetration Testing• Security Assessments• Security Researcher• Instructor / Presenter• Incident Response

Full Disclosure: Instructor for ICS Classes

ControlThings.io A&ECS Course

SANS ICS 410 Course

GIAC GICSP Certification

SANS ICS 612 Course <- I don't teach this, but it is going to be awesome.

Agenda

• Purpose• ICS Implementations and Equipment• ICS Concerns• ICS410 Reference Architecture• Recap

Image Source: SANS ICS410 ICS / SCADA Security Essentials

Purpose

Things to get over…

• Clear Text Protocols• Insecure Applications• Vulnerable Firmware• Brittle Services

Worst Case Scenario

ICS Implementations and Equipment

What are ICS implementations?

• A process is a group of devices and servers that perform a specific function, typically combined with other processes.

• Plants are multiple processes, that can be independent or dependent, which can be centrally controlled.

• SCADA are processes and plants that are mutually dependent but spread over a wide region.

Image Source: Google Maps

What are ICS Devices?

1. 120 VAC field IO

2. Branch circuit breaker

3. Motor starters

4. Main power feed

5. Main fuses

6. 24 VDC power supplies

7. Allen Bradley Compact Logix PLC

8. Allen Bradley Compact Logix IO rack

9. Motor starters

10. Phoenix Contact Industrial Ethernet switch

11. 24 VDC field IO

12. 4-20 mA field instrumentation

13. Allen Bradley Variable Frequency Devices

14. A general purpose Ethernet switch (rogue device)

• Floor/Field Components Include:– 1 Data Historian Server– 2 Wonderware HMI's– 2 Panel Views– 4 Automation Direct Operation Interfaces– Many PLCs

This control cabinet controls a chemical wash process. A local integrator made this panel with Allen Bradley and Phoenix Contact components.

Image Source: ControlThings.io Accessing and Exploiting Control Systems

What is a process?

How are processes managed?

• Human Machine Interfaces• Master Servers• Engineer Workstations• Business Servers

How are processes deployed?

Image Source: SANS ICS410 ICS / SCADA Security Essentials

• ISA-95 <- Process only• ISA-99 <- Process with security• IEC/ISA-62443 <- ISA-99 renamed

ICS Concerns

What are ICS business concerns?

• Safety to personnel, environment, and process.

• Sustained operations, availability and integrity, of the process.

• Regulation, due to safety, environmental hazard, or public impact.

Image Source: https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2015/08/Cannisters_After.jpg

What are the Operational Technology (OT) team's concerns?

• Breaking devices and negatively impacting the processes.

• Causing delays because assessments conflict with important milestones.

• Do not know or understand goals of assessment.

• Showing how their baby is ugly…. err…. challenged.

• Making their jobs harder, less efficient.

Image Source: Boyd Animation https://boydanimation.com/

What are the states of ICS environments?

• Each process control deployment is unique by industry, vendor, and company.

• Security may be built in, added on, or not considered.

• Regulations may have dictated security, lack of regulations may have dictated lack of security.

SANS ICS410 Reference Architecture

Worst Case Scenario

Expected Architecture – ICS410 Reference ModelPl

Purdue Level 4 - Plant's Business Network

ICS DMZ - ICS to Busnss ICS DMZ - Busnss to ICS ICS DMZ - Cloud Access

Purdue Level 3PlantSupervisory

Enforcement between Cell / Lines and Plant Supervisory (ACL on router / layer-3 switch or Firewall)

2 - Local Supervisory

1 - Local Control

0 - Field Devices

Safety SystemsAirgap / Enforcement Ce

ll / L

1 - Local Control

0 - Field Devices

ll / L

1 - Local Control

0 - Field Devices

ll / L

1 - Local Control

0 - Field Devices

Safety SystemsAirgap / Enforcement

Enforcement between Control Networks and ICS DMZ (Control pulls from or pushes to iDMZ)

Enforcement between ICS DMZ and Business Networks (Business pulls from or pushes to iDMZ)ICS DMZ - Remote Access

Jump Hosts(per vendor orgroup/role)

Cyber SecurityOperations

Testing/Staging(per system)

Workstations(per group/role)

Master Servers,Historian, andHMIs

Best Case Scenario

IT / OT Security Effort Prioritization

• Separate policies for IT and OT environments• Segmentation and Isolation• Access Control• Logging and Monitoring• Assessment Inventory• Incident Response and Recovery

Tactical ICS Security Considerations

• Separate policies for IT and OT environments• Segmentation and Isolation• Access Control• Logging and Monitoring• Assessment Inventory• Incident Response and Recovery

• Purpose• ICS Implementations and

Equipment• ICS Concerns• ICS410 Reference Architecture• Recap

ControlThings.ioA&ECS Course

SANS ICS 410 Course

GIAC GICSP Certification

SANS ICS 612 Course

Don C. Weber - @cutawayPrincipal Consultant, Founder

http://www.cutawaysecurity.comhttp://linkedin.com/in/cutaway

https://www.sans.org/instructors/don-c-weber

Architecting Secure ICS Environments...What are ICS implementations? •A process is a group of...

Documents

Styles of Architecting

Architecting extremelylargescalewebapplications

04 Architecting Navigation

Architecting for failure

Architecting Social Media

Architecting a robust manufacturing network for the ...dsg.files.gecom.digital.com.s3.amazonaws.com/Architecting a Robu… · Architecting a robust manufacturing network for the Internet

ICS 1431 8. Virtual Memory 8.1 Principles of Virtual Memory 8.2 Implementations of Virtual Memory –Paging –Segmentation –Paging With Segmentation –Paging

Architecting JavaScript Code

Architecting e learning

Architecting a High Performance Storage Systemdocs.media.bitpipe.com/io_11x/io_117307/item_963935/architecting... · Architecting a High-Performance Storage System Figure 2. A storage

Module 3 Architecting & Transformation...Module 3 Architecting & Transformation Appreciate VariousVarious architecting architecting transformationtransformation with with tthhee businessbusiness

Architecting cloud

ABB ICS Cyber Security Reference Architecture · 2021. 8. 13. · and IEC standards. As a template solution, it provides a common vocabulary for discussing implementations, often

System Architecting

The emerging opportunities for service providers … Unified Infrastructure Management can help. 2 ... applications as Citrix XenDesktop, ... architecting implementations and

Vanderlande Warehousing Platform “new paradigm ahead”€¦ · Architecting Systems Concepting Product Architecting Integration & Solution Architecting Competence Architecting

End User Architecting

Topics2. To shorten design time (compared to application specific – or custom – ICs (ASICs), PLD implementations can be achieved faster). 3. To allow design changes (reprogramming

Architecting Your Enterprise

Protecting Critical Infrastructure by Fuzzing Protocol ... · PDF fileProtecting Critical infrastructure by Fuzzing Protocol implementations Industrial control system (ICS) networks