Holistic View of Industrial Control Cyber Security A Deep Dive into Fundamentals of Industrial Control Cyber Security © Copyright 2014 Netsecuris Inc. All rights reserved

Holistic View of Industrial Control Cybersecurity · 2016-09-21 · o ICS Capable o SCADA HoneyNet Project ... o Advanced Persistent Threats (APTs) o Advanced Evasion Techniques (AETs)

Page 1:

Holistic View of Industrial Control Cyber Security

A Deep Dive into Fundamentals of Industrial Control Cyber Security

© Copyright 2014 Netsecuris Inc. All rights reserved

Page 2:

Learning Goals

o Understanding security implications involving industrial control systems and environments

o Understanding design considerations for industrial control networks

o Understanding differences between traditional IT networks and industrial networks

o Understanding solutions and techniques to harden security of industrial networks

Page 3:

What is Industrial Control?

Page 4:

Industrial Control Defined

o A system that controls a process

o Industrial Control System – traditionally a general term defining several types of control systems used in industrial production

o Distributed Control System (DCS)

o Supervisory Control and Data Acquisition System (SCADA)

o Remote Terminal Units (RTU)

o Programmable Logic Controllers (PLC)

Page 5:

Why learn about this topic?

o Industrial controls are everywhere!

o Utilities

o Factories

o Automobiles

o Military

o Data Centers

o Appliances

o Industrial controls are being networked like traditional IT networks.

Page 6:

Some industrial controls that might surprise you

o Environmental controls in your data center

o Missiles launched by the military

o Assembly line controller in a factory

o SCADA systems at utilities

o Gasoline pumps at a convenience store

Page 7:

Distributed Control System


Basic DCS Configuration

Page 8:

Distributed Control System


Example of a DCS HMI Display

Page 9:

Distributed Control System


Functional Levels of DCS Example

Page 10:

SCADA


Example of a SCADA Network

Page 11:

SCADA

Example of an Electric SCADA Network

Page 12:

SCADA


Example of a SCADA HMI Display

Page 13:

Evolution 1

o Transition from mechanical switches or relays to Programmable Logic or Relay Logic

Page 14:

Programmable Logic Controllers (PLC)


Example of a PLC Panel

Page 15:

Programmable Logic Controllers (PLC)


Example of PLC Programming

Page 16:

PLC vs. RTU

o RTUs are utilized to collect data over a wide geographic area as input to SCADA.

o Such as with a network of electric substations

o PLCs are utilized in a localized fashion to control a process.

o Such as with a local area network on a factory floor

Page 17:

Industrial Control Evolution 2

o Transition from Standard Serial Communications (e.g. RS-232, RS-485, Async 2 wire) to higher performance non-Ethernet Fieldbus communications (e.g. BACnet MS/TP, ModBus RTU, CAN, ProfiBus, InterBus, LonWorks, SERCOS).

Page 18:

T-shirt Question 1

o What has been considered the first “Industrial Control” virus?

o What did it do?

Page 19:

Industrial Control Evolution 3

o Transition from Non-Ethernet Fieldbuses to Ethernet-based Communications (e.g. EtherCAT, Ethernet POWERLINK).

Page 20:

Industrial Ethernet vs. Non-Ethernet Fieldbuses - Advantages

o Better performance

o Greater bandwidth and larger data packages for communications with intelligent industrial devices

o Faster real-time communications and synchronization for demanding control applications

o Simple to integrate with networks that already exist in the business office environment

Page 21:

Industrial Ethernet vs. Non-Ethernet Fieldbuses - Disadvantages

o It is collision-based and not inherently deterministic, and process controls demand real-time operation.

o Universal acceptance of Ethernet tempts users to try to do too many things that could generate security issues.

o Standard telephone-type connectors do not meet the physical demands of industrial equipment.

Page 22:

Impact of “Industrial Internet”

o GE reported that “enabling Internet-connected machines to communicate and operate automatically can bring substantial efficiency gains.”

o According to GE, the Industrial Internet will help eliminate hundreds of billions of dollars of wasted time and resources across critical industries.

o “The Industrial Internet has the potential to add $10 to 15 trillion U.S. dollars to the global GDP by 2030.”

Page 23:

Rise of Industrial Internet

o IMS Research predicts that in 2016, “Ethernet will account for over 30 percent of all new nodes installed in industrial applications.”

o Ethernet TCP/IP was estimated to account for over one-third of new Ethernet nodes installed in 2011.

o Wireless networking to grow 75% by 2017 compared to 2012.

o Fieldbus protocols still have the high ground but Industrial Ethernet adoption is on the rise.

Page 24:

Evolution 4

o Transition from Ethernet-based Non-TCP/IP Communications to Ethernet-based TCP/IP Communications (e.g. BACnet/I, ModBus-TCP, EtherNet-IP, PROFINET-IO).

Page 25:

Cyber Security Implications

Page 26:

Cyber Security Implications

o Cybersecurity failures have the potential to cause physical consequences.

o Cybersecurity issues can manifest as process anomalies.

o Cybersecurity is hard to manage.

o Cybersecurity threats or issues can be complex.

Page 27:

Cybersecurity Implication – Physical Consequences

o Electric Power Blackouts

o September 2007 cyber attack in Brazil

o 2003 Northeast blackout

o 1999 Southern Brazil blackout

o 1965 Northeast blackout

o 1979 Three Mile Island Nuclear Plant Accident

o 2000 Maroochy Shire cyber event

o 2007 Aurora Generator Test

o 2009 Stuxnet

o 2010 San Bruno natural gas pipeline explosion

Page 28:

Aurora Generator Test

Page 29:

Implications – Process Anomalies

o Actual cyber security issue vs. real process problem

o Can be difficult to distinguish a real cyber security issue from a process anomaly.

o Inadequate cyber security training for operators could lead to an attack not being recognized.

Page 30:

Implications – Security Management Difficulties

o Introduced latency and jitter

o Latency: measurement of time for packets to travel between nodes.

o Jitter: variation in time between packets arriving to be processed.

o Difference in managing IT vs. OT

Page 31:

Implications – Complexities

o Non-typical network protocols

o Commands that cannot be blocked due to safety or production issues.

o Attackers using valid communications in invalid ways.

Page 32:

IT Cyber Security vs. OT Cyber Security

Page 33:

IT Cyber Security vs. OT Cyber Security - Performance Requirements


Source: Derived from the NIST 800-82 Standard

Page 34:

IT Cyber Security vs. OT Cyber Security - Availability Requirements


Source: Derived from the NIST 800-82 Standard

Page 35:

IT Cyber Security vs. OT Cyber Security - Risk Management Requirements


Source: Derived from the NIST 800-82 Standard

Page 36:

IT Cyber Security vs. OT Cyber Security - Change Management Requirements


Source: Derived from the NIST 800-82 Standard

Page 37:

IT Cyber Security vs. OT Cyber Security - Unintended Consequences Requirements


Source: Derived from the NIST 800-82 Standard

Page 38:

Survey of Specialized Communications Protocols

Page 39:

Modbus


o Open protocol standard

o Moves raw bits or words without placing many restrictions on vendors.

o TCP/IP packet may look perfectly normal but the Modbus frame could be crafted to carry malicious code.

Page 40:

DNP3 (Distributed Network Protocol)


o Open Standard

o Designed to be reliable but not secure.

o Header may look perfectly normal but the data payload could be crafted to carry malicious code.

o No authentication mechanism in basic DNP3.

o Secure DNP3

Page 41:

OPC (Open Platform Communications)

o Based on the OLE, COM, and DCOM technologies developed by Microsoft.

o Any vulnerabilities in these technologies are carried into this protocol.

o OPC is firewall unfriendly because OPC servers dynamically assign TCP ports.

o DCOM and RPC are extremely complicated protocols that can be translated into attack surfaces for malicious actors.

o OPC is complicated to set up, so some vendors leave exposures in their products.

Page 42:

Cyber Security Problems and Issues

Page 43:

Cyber Security Problems and Issues - TCP/IP Stack and Industrial Protocols

o Problems exist due to original design and purpose for Internet.

o Poor software design

o Fragility caused by deviation from RFC

o Internet Protocol (IP version 4) (RFC 791)

o User Datagram Protocol (UDP) (RFC 768)

o Transmission Control Protocol (TCP) (RFC 793)

o Address Resolution Protocol (ARP) (RFC 826)

o Internet Control Messaging Protocol (ICMP) (RFC 792)

o Internet Group Management Protocol (IGMP) (RFC 1112 & 2236)

o IEEE 802.3 (Ethernet) as defined in RFC 894

o Protocol Complexity

o Modbus TCP adds its own application-layer fields on top of standard TCP (Function Codes)

o Session Manipulation

Page 44:

Cyber Security Problems and Issues - Lack of Strong Authentication

o Risk of compromise

o Spoofing

o Brute Force Attacks

o Session Hijacking

Page 45:

Cyber Security Problems and Issues - Lack of Strong Authorization Practices

o Malicious actors could gain access or perform a function that they are not entitled to perform.

Page 46:

Cyber Security Problems and Issues - Lack of Strong Encryption Practices

o Commands and addresses passed in clear text, which can be captured and spoofed or manipulated.

o Some encryption mandates are making it into regulations in some industries that use industrial control.

Page 47:

Cyber Security Problems and Issues - Programmability

o ICS devices are meant to be programmable, which makes them inherently vulnerable.

o A whole lot of Fuzzing going on.

Page 48:

Cyber Security Problems and Issues - Lack of Message Checksum

o Spoofing commands is easier since the checksum is generated at the Transport Layer and not the Application Layer.
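Added example, not code from the slides or from any DNP3 product, showing why a transport-layer checksum gives no protection against a modified command and what the keyed challenge-response behind Secure DNP3 (slide 40) adds. The checksum is the RFC 1071 one's-complement sum that TCP, UDP and IP carry. The challenge-response is a deliberately simplified illustration of the HMAC idea, not the real Secure Authentication message format; the shared key, the command bytes and the tampering are constructed.

```python
"""Transport-layer checksum versus keyed application-layer authentication.

Added example; not code from the slides or from any DNP3 implementation.
"""
import hashlib
import hmac
import os
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: 16-bit one's-complement sum, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f">{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class Outstation:
    """Receiving side: issues a fresh nonce, checks HMAC(key, nonce || PDU)."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)       # single-use nonce: defeats replay
        return self._pending

    def verify(self, pdu: bytes, mac: bytes) -> bool:
        if self._pending is None:
            return False                     # no outstanding challenge (replay)
        expected = hmac.new(self._key, self._pending + pdu, hashlib.sha256).digest()
        self._pending = None
        return hmac.compare_digest(expected, mac)


class Master:
    """Sending side: answers a challenge with HMAC(key, nonce || PDU)."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes, pdu: bytes) -> bytes:
        return hmac.new(self._key, challenge + pdu, hashlib.sha256).digest()


# Constructed stand-in for a critical control command (not real DNP3 framing).
COMMAND = b"\x05\x64\x0a\x44\x01\x00\x02\x00OPERATE:breaker=OPEN"
SHARED_KEY = b"constructed-demo-key-not-for-production"   # constructed


def run_scenario(tamper: bool) -> tuple:
    """Return (transport_checksum_ok, application_auth_ok) for one delivery.

    With tamper=True a man-in-the-middle changes the command and, as any
    router or NIC would, recomputes the transport checksum over the new bytes.
    """
    master, outstation = Master(SHARED_KEY), Outstation(SHARED_KEY)
    nonce = outstation.challenge()
    mac = master.respond(nonce, COMMAND)     # computed over the genuine command
    pdu, csum = COMMAND, internet_checksum(COMMAND)   # as sent
    if tamper:
        pdu = COMMAND.replace(b"OPEN", b"SHUT")
        csum = internet_checksum(pdu)        # attacker recomputes; no key needed
    transport_ok = internet_checksum(pdu) == csum
    return transport_ok, outstation.verify(pdu, mac)


def replay_rejected() -> bool:
    """A captured valid (pdu, mac) pair is useless once its nonce is consumed."""
    master, outstation = Master(SHARED_KEY), Outstation(SHARED_KEY)
    nonce = outstation.challenge()
    mac = master.respond(nonce, COMMAND)
    first = outstation.verify(COMMAND, mac)
    second = outstation.verify(COMMAND, mac)
    return first and not second


if __name__ == "__main__":
    print("untampered:", run_scenario(tamper=False))   # (True, True)
    print("tampered:  ", run_scenario(tamper=True))    # (True, False)
    print("replay rejected:", replay_rejected())       # True
```

The transport checksum passes in both runs because it protects only against accidental corruption; anyone who can alter the bytes can recompute it. The keyed MAC fails on the altered command and on replay, which is the property a transport checksum cannot provide.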

Page 49:

Cyber Security Problems and Issues - Accessibility

o Some protocols are meant to be used over wide area networks, making them highly accessible and susceptible to many kinds of attacks.

Page 50:

Cyber Security Controls

Page 51:

Cyber Security Controls - Firewall

o A firewall can become a sieve.

o Not a “catch all”, “be all” security control but still a necessity.

o Protocol recognition.

o Don’t forget a secure default rule: Deny All.
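Added example, not code from the slides or from Netsecuris, tying together the Modbus slide (slide 39), the Function Code point on slide 43 and this slide's protocol recognition and Deny All bullets: it parses a Modbus/TCP frame (the 7-byte MBAP header plus PDU, per the public Modbus/TCP specification) and applies a deny-by-default policy keyed on source host, unit id and function code. A port-only rule would admit every sample frame equally. The host addresses, the policy and the sample frames are constructed.

```python
"""Modbus/TCP inspection with a deny-by-default function-code policy.

Added example; not code from the slides or from Netsecuris.
"""
import struct
from dataclasses import dataclass

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public Modbus function codes; anything else is unknown/vendor-specific.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request from a TCP payload; ValueError if malformed."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, so it must equal the bytes present
    # after the first six header bytes; a mismatch is a malformed or crafted frame.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(payload) - 6}")
    return ModbusRequest(tid, unit, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a request (used here only to construct sample frames)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: which source may send which function codes to which unit.
# Anything not listed is denied, i.e. the slide's secure default rule "Deny All".
POLICY = {
    ("10.0.1.10", 1): {1, 2, 3, 4},       # HMI: read-only
    ("10.0.1.20", 1): {1, 3, 5, 6, 16},   # engineering workstation: may write
}


def decide(src_host: str, payload: bytes) -> tuple:
    """Return ('allow' | 'deny', reason) for one TCP payload from src_host.

    The decision depends on fields a plain TCP/IP filter never sees
    (unit id, function code), which is what "protocol recognition" means here.
    """
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "deny", f"malformed Modbus/TCP frame: {exc}"
    name = FUNCTION_NAMES.get(req.function_code, "unknown/vendor-specific")
    if req.function_code in POLICY.get((src_host, req.unit_id), set()):
        return "allow", f"FC {req.function_code} ({name}) permitted for {src_host}"
    return "deny", f"FC {req.function_code} ({name}) not permitted for {src_host} -> unit {req.unit_id}"


if __name__ == "__main__":
    # Constructed traffic: a read from the HMI, a write from the HMI, the same
    # write from the engineering station, and a frame whose length field lies.
    read_regs = build_request(1, 1, 3, b"\x00\x00\x00\x0a")   # read 10 holding registers
    write_reg = build_request(2, 1, 6, b"\x00\x10\x00\x01")   # write register 16 := 1
    bad_len = bytearray(read_regs)
    bad_len[5] = 0x09
    for src, frame in [("10.0.1.10", read_regs), ("10.0.1.10", write_reg),
                       ("10.0.1.20", write_reg), ("10.0.1.10", bytes(bad_len))]:
        print(src, frame.hex(), *decide(src, frame))
```

The policy is a plain allow-list per (source, unit): the read-only HMI is denied a Write Single Register that the engineering workstation may send, a unit id absent from the policy is denied, and a frame whose MBAP length disagrees with its size is dropped before any function-code check.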

Page 52:

Cyber Security Controls - Intrusion Detection and Prevention

o Intrusion Prevention vs. Intrusion Detection

o Why is IPS a necessity?

o Behavior recognition

Page 53:

Cyber Security Controls - ICS Honeypots

o Sets a trap

o Decoy

o ICS Capable

o SCADA HoneyNet Project

o http://scadahoneynet.sourceforge.net/

Page 54:

Cyber Security Controls - Anti-Malware

o If you cannot install host-based anti-malware software on any particular ICS system, implement network-based anti-malware.

o Implement and configure host-based firewalls, if possible.

Page 55:

Cyber Security Controls - Security Information and Event Management

o Log, Log, Log!

o Real-Time or Near Real-Time Alerts
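Added example, not code from the slides or from Netsecuris, for this slide's alerting and the behavior recognition bullet on slide 52: a baseline of (source, destination, unit id, function code) is learned from a quiet window of constructed sensor log lines, and live lines are checked against it for a talker never seen before, a known talker using a function code outside its baseline, and a burst of writes. The log format, addresses, timestamps and thresholds are constructed assumptions; a real deployment would feed these from the protocol-aware sensor or firewall logs the slide says to collect.

```python
"""Behaviour baseline and alerting over protocol-aware ICS event logs.

Added example; not code from the slides or from Netsecuris.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: what a Modbus-aware sensor might emit per request.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) unit=(?P<unit>\d+) fc=(?P<fc>\d+)$")
WRITE_FCS = {5, 6, 15, 16}        # public Modbus write function codes


def parse_line(line: str):
    """Return (timestamp, src, dst, unit, fc) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["unit"]), int(m["fc"]))


def learn_baseline(lines):
    """Map (src, dst, unit) -> set of function codes seen in a quiet learning window."""
    baseline = defaultdict(set)
    for ts, src, dst, unit, fc in filter(None, map(parse_line, lines)):
        baseline[(src, dst, unit)].add(fc)
    return dict(baseline)


def detect(lines, baseline, burst_threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (timestamp, kind, detail) tuples, at most one per line."""
    alerts = []
    recent_writes = defaultdict(deque)       # src -> timestamps of recent writes
    for ts, src, dst, unit, fc in filter(None, map(parse_line, lines)):
        key = (src, dst, unit)
        if key not in baseline:
            alerts.append((ts, "unknown-peer", f"{src} -> {dst} unit {unit} not in baseline"))
            continue
        if fc not in baseline[key]:
            alerts.append((ts, "unexpected-function",
                           f"{src} sent FC {fc} to {dst} unit {unit}; baseline {sorted(baseline[key])}"))
            continue
        if fc in WRITE_FCS:                  # allowed writer, but watch the rate
            q = recent_writes[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= burst_threshold:
                alerts.append((ts, "write-burst", f"{src} issued {len(q)} writes within {window.seconds}s"))
                q.clear()
    return alerts


# Constructed learning window: HMI only reads, engineering station reads and writes.
LEARNING_LOG = """\
2014-05-02T10:00:01 src=10.0.1.10 dst=10.0.2.5 unit=1 fc=3
2014-05-02T10:00:02 src=10.0.1.10 dst=10.0.2.5 unit=1 fc=1
2014-05-02T10:00:03 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=3
2014-05-02T10:00:04 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=16
2014-05-02T10:00:05 src=10.0.1.10 dst=10.0.2.5 unit=1 fc=3
""".splitlines()

# Constructed live traffic: a write from the HMI, an unknown host, a write burst.
LIVE_LOG = """\
2014-05-02T11:00:00 src=10.0.1.10 dst=10.0.2.5 unit=1 fc=3
2014-05-02T11:00:01 src=10.0.1.10 dst=10.0.2.5 unit=1 fc=6
2014-05-02T11:00:02 src=10.0.1.99 dst=10.0.2.5 unit=1 fc=3
2014-05-02T11:00:10 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=16
2014-05-02T11:00:11 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=16
2014-05-02T11:00:12 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=16
2014-05-02T11:00:13 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=16
2014-05-02T11:00:14 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=16
2014-05-02T11:05:00 src=10.0.1.20 dst=10.0.2.5 unit=1 fc=16
""".splitlines()


if __name__ == "__main__":
    for ts, kind, detail in detect(LIVE_LOG, learn_baseline(LEARNING_LOG)):
        print(ts.isoformat(), kind, detail)
```

Run stand-alone it prints three alerts: the HMI's unexpected write, the unknown host, and the five-write burst from the engineering station; the lone write at 11:05 is outside the window and stays silent. This is the kind of near-real-time alert the slide calls for, and it needs no signature for a specific attack, only the baseline.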

Page 56:

Cyber Security Recommendations

Page 57:

Industrial Control Network Cyber Security Recommendations

o Defend against the unknown

o Advanced Persistent Threats (APTs)

o Advanced Evasion Techniques (AETs)

o Alternative threat detection or prevention

o Situational Awareness

o Behavior Analysis and Detection

o Practice Defense in Depth

o Patch, Patch, Patch

o Whitelisting

o Collect and analyze logs

Page 58:

Industrial Control Network Cyber Security Recommendations

o Avoid misconceptions

o Avoid the Air Gap Myth

o “We have a firewall!”

o “We’re just a small site, we’re not a target”

Page 59:

Industrial Control Network Cyber Security Recommendations

o Utilize Egress Filtering

o Change Default Accounts and Passwords

o Check your IP addresses with Shodan

Page 60:

Shodan

o An industrial control system and network search engine.

o http://www.shodanhq.com/

Page 61:

Shodan

Page 62:

Netsecuris

o A leading Managed Security Service Provider specializing in protecting Industrial Control, Financial Services, Healthcare, and Government network environments.

o Contact Information

o Leonard Jacobs, MBA, CISSP

o President/CEO

o [email protected]

o 952-641-1421

Page 63:

Questions and Answers

Thank you
