
Page 1: 'The 80% Solution at 20% of the Cost'

The Utilization of 'Cyber Hygiene' to Mitigate SCADA System Vulnerabilities

November 2014

Roger W. Kuhn, Jr., Advisory Director, Education Fellow
Cyber Security Forum Initiative

Page 2: Agenda

• Disclaimer
• Current SCADA Vulnerability Factors
• Industrial Control Systems 101
• Proposed Countermeasures
• Recommended Countermeasure
• Recommended Controls
• Conclusion

Page 3: Disclaimer

The following information is presented from the private perspective of the Cyber Security Forum Initiative (CSFI) and its analysis of the named subject. CSFI is comprised of over 40,000 Cyber Operations and Cyber Security Professionals spanning government, military, private sector and academic organizations. However, this presentation does not represent any official endorsement of, nor does it speak for any organization outside of CSFI.

Page 4: Current SCADA Vulnerability Factors

• A single standard Supervisory Control and Data Acquisition (SCADA) architecture does not exist, e.g., field bus communications: Profibus, Modbus, EtherNet/IP, etc.
• Standard SCADA HMI OS vendor: Microsoft, e.g., Windows XP (Microsoft support ending 08APR14, www.support.microsoft.com/product/windows/windows-xp)
• Most legacy SCADA systems are supported by physically-isolated or “federated”, dedicated networks accessible via remote access: internet, modem or Corporate WAN
• Pre-Internet, e.g., non-Transmission Control Protocol (TCP)/Internet Protocol (IP)-based
• Availability, Integrity, Confidentiality (AIC), e.g., “five (5) nines (9’s)” focus vice CIA focus, e.g., Desktop Systems
• Many have remote access via HMI interface
• No Engineering baseline SCADA system, only Production baseline SCADA system

Page 5: OSI & TCP/IP Models versus Devices

[Figure: OSI and TCP/IP layer models mapped to their protocol data units and to the network device operating at each layer]
• Upper layers (Applications): Data
• Transport: Segments
• Network: Router (Packet/Datagram)
• Data Link: Switch/Bridge (Frame)
• Physical: Hub (Bit)

Page 6: Industrial Control Systems 101

• Control Center/Human Machine Interface (HMI): Personal Computer-based
• HMI-to-Controller Communications (Controller may be physically remote)
  • Ethernet/TCP/IP
  • Serial, e.g., RS-422
  • Wireless, etc.
• Controllers
  • Programmable Logic Controller (PLC)
  • Remote Terminal Unit (RTU), etc.
• Fieldbus Communications
  • Serial, e.g., RS-422
  • Modbus
  • Profibus
  • EtherNet/IP (Common Industrial Protocol over IP), etc.
• Input/Output (I/O) Field Devices
  • Sensors
  • Valve/motor controllers
  • Meters, etc.

Source: NIST SP 800-82 Rev1, “Guide to Industrial Control Systems (ICS) Security”, May 2013

Page 7: Risk Analysis & Management

• Intent: Identification of risk mitigation methods
• No such thing as a 100% secure system
• Risk must be identified, understood, and properly mitigated to a manageable level, i.e., residual risk acceptable to enterprise decision makers
• Total Risk is what exists prior to a countermeasure/control being implemented.

Threat x Vulnerability x Asset Value = Risk (Total)

• In contrast, Residual Risk is what risk remains after a countermeasure/control is implemented.

Total Risk x countermeasure(s) = Residual Risk

Source: Mike Meyers’ CISSP Certification Passport, 2002

Page 8: Proposed Countermeasures

• Implement “black” industrial architecture (qualitative cost: $$$)
  • Migrate fieldbus architecture to Peer-to-Peer, e.g., TCP/IP
  • Utilize Internet Protocol Security (IPsec) Virtual Private Network (VPN)-based encrypted communications (HMI-to-Controller-to-I/O)
  • Implement Extensible Authentication Protocol (EAP)/IEEE 802.1X (EAP over Local Area Network (LAN)) authentication for all nodes
• Implement extensive security controls cited in NIST Special Publication 800-82 Revision 1, “Guide to Industrial Control Systems (ICS) Security”, May 2013 (http://dx.doi.org/10.6028/NIST.SP.800-82r1) (qualitative cost: $$)
• Implement short-term countermeasures to mitigate vulnerabilities specific to the “SCADA HMI” layer of the Control System, i.e., “Cyber-Hygiene” security controls (qualitative cost: $)

Page 9: Recommended Countermeasure

• “Cyber-Hygiene” security controls
• Allows for an 80% risk mitigation solution while providing time to evaluate the impact of the relatively invasive NIST Special Publication 800-82 Revision 1 solution, e.g., ICS Vulnerability Assessment
• Current insider threat is higher than the prospective internet-based attacker threat*
• Relatively low immediate cost of implementation compared to the other two (2) options

* Source: Cybercrime, Criminal Threats From Cyberspace, 2010

Page 10: “Cyber-Hygiene” Controls
Preventative – Passive

• Effective security policies and procedures that cover all aspects of a security program (including training, security awareness, forensics, business continuation, etc.) are the first step to securing control systems.
• These policies and procedures then need to be reviewed and updated as part of a continuous improvement program.
• Implement a security awareness program within the organization that provides a baseline level of education relating to control systems security and includes regular re-training as risks and technologies change.
• Disable USB devices within the more secure control system “zones” (security “zones” as defined by “Industrial Automation & Control System Security” (ISA-99)). Not allowing external USB devices in these critical areas should become common knowledge.
• Implementation of Software Restriction Policies (SRP) that prevent the execution of code on remote and removable media (USB, CD/DVD, network shares, etc.)

Page 11: Recommended Countermeasures
Preventative – Passive (Cont’d)

• Exceptions can be granted on a limited basis when required to support software maintenance and upgrades.
• Microsoft introduced the SRP capability with Windows XP (the de facto standard SCADA HMI operating system) with limited implementation. Until the SCADA world has transitioned from Windows XP, i.e., Win NT kernel-based OS platforms, SRP is a viable countermeasure.
• Security Policies should be created that address specific host-to-host and zone-to-zone communication requirements, including protocols, ports, etc.
• This communications information is vital: it will be used in subsequent countermeasures to identify suspect traffic, and it is a basic requirement for compliance with ISA-99 standards.
• Follow the vendor’s recommendations for disabling all unnecessary services.
• Confirm that any default usernames/passwords have been removed or modified.

Page 12: Recommended Countermeasures
Preventative – Passive (Cont’d)

• Utilize active vulnerability scanners on these systems (during testing or other non-production use) to evaluate and document the configuration against known vulnerabilities and predetermined compliance guidelines.
• The fact that the “Stuxnet” trojan/worm exploited the Microsoft OS MS08-067 vulnerability conveys that vendors may not even be aware of the power of exploiting this vulnerability, or vendors assume that no one will target these systems and there is no need to address this patch.

Page 13: Recommended Countermeasures
Preventative – Active

• If allowed by the system vendor, all hosts should be installed with applicable host-based firewall, anti-virus and anti-malware applications.
• Host-based intrusion detection system (HIDS) applications should be utilized where allowed, e.g., HBSS.
• Many vendors are not embracing the value of HIDS on control systems; however, some tests have shown that certain activities of Stuxnet would have triggered HIDS alerts, including DLL injection and rootkit installation attempts.
• “Whitelisting”-based applications should be considered over “blacklisting”- or “heuristic”-based solutions whenever possible to increase the likelihood that zero-days will be detected.
• Firewall rules should be implemented to deny by default all outbound traffic from the control system networks and zones.
• Justification needs to be given for outbound access, just as it is required for inbound, and when outbound traffic must be allowed, it should be between specific hosts AND for specific services.

Page 14: Recommended Countermeasures
Preventative – Active (Cont’d)

• Outbound SMB traffic should not be allowed.
• Utilize code signing on all critical systems (in addition to whitelisting).
• Updates and changes should go through a unique, traceable process in which the code is compared to an out-of-band provided signature from the vendor.
• Unless verified, code should not be allowed to run on the system.

Page 15: Recommended Countermeasures
Reactive – Passive

• Identification of a threat is a valuable aspect of minimizing the negative consequences of an attack.
• It may not be possible to completely eliminate all threats that exploit zero-day vulnerabilities, but it should be a goal to be able to identify suspect activity that could signify an attack and minimize the consequences.
• Implement intrusion monitoring sensors within the SCADA network(s) that are designed to evaluate data traffic patterns between system components, e.g., a SCADA server should never be attempting an external file share (SMB) connection.
• Use the data obtained from the security policy to map out the allowed data paths that should exist within the system architecture.
• Said sensors can also detect traffic that is not typically allowed between nodes and could signify a rogue peer-to-peer network within the system or a possible backdoor or callback resulting from an attack.
• Implement passive vulnerability scanners (PVS) on the control systems network that can be used to observe any unusual traffic patterns, correlate them against previous patterns, and provide an alert mechanism to signal deviations from normal.
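The allowed-data-path sensor described on this slide, as an added Python example (not from the presentation): the host-to-host and zone-to-zone paths from the security policy become the allow-list, and the sensor flags a SCADA server opening an external SMB connection, same-zone traffic outside the policy (possible rogue peer-to-peer) and external callbacks. The zone names, hosts, ports and flow records are constructed for the example.

```python
"""Policy-driven traffic sensor for a SCADA network. Added example, not from the
presentation; the allow-list is the host-to-host and zone-to-zone data paths the
security policy should already document. All hosts and flows are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")
ZONES = {"hmi-01": "control", "scada-srv": "control",     # unlisted hosts are
         "plc-07": "field", "hist-01": "dmz"}             # external to the system
# Allowed paths as (src, dst, protocol, destination port), per host or per zone.
HOST_PATHS = {("hmi-01", "scada-srv", "tcp", 5000)}   # HMI client -> SCADA server
ZONE_PATHS = {("control", "field", "tcp", 502),       # poll PLCs over Modbus/TCP
              ("control", "dmz", "tcp", 1433)}        # feed the historian database
SMB_PORTS = {139, 445}

def parse_flow(line):
    """Parse one flow record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def classify(flow):
    """Return None for policy-conformant traffic, otherwise an alert label.
    Same-zone traffic that is not in the policy is flagged as rogue peer-to-peer."""
    src_zone, dst_zone = ZONES.get(flow.src), ZONES.get(flow.dst)
    if src_zone is None:
        return "inbound-from-external"
    if dst_zone is None:
        # Control hosts never initiate toward the outside; SMB is singled out
        # because a SCADA server should never open an external file share.
        return "external-smb" if flow.dport in SMB_PORTS else "external-callback"
    if ((flow.src, flow.dst, flow.proto, flow.dport) in HOST_PATHS
            or (src_zone, dst_zone, flow.proto, flow.dport) in ZONE_PATHS):
        return None
    return "rogue-peer-to-peer" if src_zone == dst_zone else "unapproved-zone-path"

def run_sensor(lines):
    """Evaluate flow records; return [(flow, label)] for every violation."""
    alerts = []
    for flow in map(parse_flow, lines):
        label = classify(flow)
        if label:
            alerts.append((flow, label))
    return alerts

SAMPLE_FLOWS = [                      # constructed records, not captured traffic
    "scada-srv plc-07 tcp 502",
    "scada-srv hist-01 tcp 1433",
    "scada-srv 203.0.113.9 tcp 445",  # SCADA server reaching an external file share
    "hmi-01 scada-srv tcp 4444",      # lateral connection outside the policy
    "plc-07 hist-01 tcp 80",          # field zone talking directly to the DMZ
    "hmi-01 198.51.100.4 tcp 443",    # possible callback from the HMI
]
```

Running `run_sensor(SAMPLE_FLOWS)` returns the four off-policy flows with their labels; the two Modbus/TCP and historian flows pass silently because they match the policy.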


Page 16: Recommended Countermeasures
Reactive – Passive (Cont’d)

• PVS can be used in conjunction with HIDS.
• Review the system logs in the various computer hosts and network appliances.
• A security information and event monitoring (SIEM) system needs to be installed that can automatically analyze and correlate the data generated and stored in system logs and event journals throughout the system.
• Set up test and validation systems that mimic the production systems (at least for all the critical components), and implement a recurring comparison process between the production and test systems.
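The recurring production-versus-test comparison above, together with the out-of-band vendor signature check from Page 14, as an added Python example (not from the presentation): a SHA-256 inventory of each system is built and diffed, and the same comparison gates a vendor update on its out-of-band manifest. The functions, the manifest line format and all file names and contents are assumptions constructed here.

```python
"""Recurring production-vs-validation comparison (added example, not from the
presentation). inventory() hashes every file under a root, compare() reports
drift between two inventories, and the same compare() gates a vendor update on
its out-of-band manifest. All file contents below are constructed."""
import hashlib, os, tempfile

def inventory(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    inv = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                inv[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return inv

def compare(expected, observed):
    """Return drift as {'added': [...], 'removed': [...], 'changed': [...]}."""
    both = set(expected) & set(observed)
    return {"added": sorted(set(observed) - set(expected)),
            "removed": sorted(set(expected) - set(observed)),
            "changed": sorted(p for p in both if expected[p] != observed[p])}

def parse_manifest(text):
    """Parse a manifest of '<sha256>  <relative path>' lines (assumed vendor format)."""
    return {path: digest.lower() for digest, path in
            (line.split(None, 1) for line in text.splitlines() if line.strip())}

def update_is_verified(manifest_text, package_root):
    """Allow an update only if the package matches the out-of-band manifest exactly."""
    return not any(compare(parse_manifest(manifest_text), inventory(package_root)).values())

def build_system(spec):
    """Create a temp directory from {relpath: bytes}; stands in for a real host."""
    root = tempfile.mkdtemp()
    for rel, data in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

# Constructed contents: the validation system is the known-good reference.
VALIDATION = {"hmi/project.cfg": b"poll=500ms\n", "drivers/plc_comm.dll": b"vendor build 1\n"}
PRODUCTION = {"hmi/project.cfg": b"poll=500ms\n", "drivers/plc_comm.dll": b"vendor build 1x\n",
              "hmi/extra.dll": b"not in validation\n"}

def demo():
    """Compare production against the validation reference; return the drift report."""
    return compare(inventory(build_system(VALIDATION)), inventory(build_system(PRODUCTION)))
```

`demo()` reports one changed driver and one unexpected file in production; a drift report that is empty in all three categories is the only outcome under which `update_is_verified` lets an update proceed.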


Page 17: Recommended Countermeasures
Reactive – Active

• At the point of the attack, when all the other countermeasures have failed, it is very important not to destroy forensic data that can be used for a variety of purposes.
• Most of these security measures are used for forensic purposes in learning what failed and what can be done to prevent a similar attack in the future.
• Once the attack has been confirmed, all non-essential communication conduits should be terminated to contain the attack.
• Incident Response and Business Continuity procedures should be in place and initiated to maintain or re-establish essential operations while recovering from an attack.
• Care needs to be taken in following established and rehearsed forensic procedures to maintain the integrity of the data contained within the infected systems.
• Plans should be in place, tested on a recurring basis, and updated in order to be effective in the event of an attack.
• As a last resort, it may be necessary to initiate a shutdown of the SCADA system to minimize the potential for environmental damage or loss of life resulting from a potential control system failure.


Page 18: Conclusion
Vulnerability Factors

• A single standard SCADA architecture does not exist
• Standard SCADA HMI OS vendor: Microsoft
• Most legacy SCADA systems are supported by physically-isolated or “federated”, dedicated networks accessible via remote access: internet, modem or Corporate WAN
• Pre-Internet
• AIC, e.g., “five (5) nines (9’s)” focus vice CIA focus
• Many have remote access via HMI interface

Page 19: Conclusion (Cont’d)
Recommended Countermeasure: “Cyber-Hygiene”

Recommended Controls

• Preventative – Passive
  • Effective security policies and procedures
  • Security Awareness
  • Disable external media interfaces, e.g., USB Thumb Drives
• Preventative – Active: Employ HIDS
• Reactive – Passive: Employ PVS
• Reactive – Active: Employ Incident Response and Business Continuity procedures