Industrial Cyber Security
Attacks and Relevant Events
INTRODUCTION
INDUSTRIAL CYBER SECURITY
IT Cyber Security
The main target of Information Technology is to protect the confidentiality and the integrity of the data exchanged and to guarantee network availability.
OT Cyber Security
Operational Technology is oriented to protecting the infrastructure and its operability. The availability of the operational infrastructure is the main target.
IT vs OT
Information Technology cyber security: data oriented
Operational Technology cyber security: infrastructure oriented
INDUSTRIAL CYBER SECURITY
Today Operational Technology is connected with the IT world in several ways, and the volume of data exchanged is growing quickly.
The technology used for the network infrastructure is continuously merging between IT and OT.
2010 Stuxnet
Developed by America’s National Security Agency, working in conjunction with Israeli intelligence, the malware was a computer worm, or code that replicates itself from computer to computer without human intervention. Most likely smuggled in on a USB stick, it targeted programmable logic controllers which govern automated processes, and caused the destruction of centrifuges used in the enrichment of uranium at a facility in Iran.
2013 Havex
Havex was designed to snoop on systems controlling industrial equipment, presumably so that hackers could work out how to mount attacks on the gear. The code was a remote access Trojan, or RAT, which is cyber-speak for software that lets hackers take control of computers remotely. Havex targeted thousands of US, European, and Canadian businesses, and especially ones in the energy and petrochemical industries.
OT CYBER ATTACKS
2015 BlackEnergy
BlackEnergy, which is another Trojan, had been circulating in the criminal underworld for a while before it was adapted by Russian hackers to launch an attack in December 2015 on several Ukrainian power companies that helped trigger blackouts. The malware was used to gather intelligence about the power companies’ systems, and to steal log-in credentials from employees.
2016 CrashOverride
Also known as Industroyer, this was developed by Russian cyber warriors too, who used it to mount an attack on a part of Ukraine’s electrical grid in December 2016. The malware replicated the protocols, or communications languages, that different elements of a grid used to talk to one another. This let it do things like show that a circuit breaker is closed when it’s really open. The code was used to strike an electrical transmission substation in Kiev, blacking out part of the city for a short time.
2014-today TRITON – The First ICS Cyber Attack on Safety Instrument Systems
First detected in 2017, when it was targeting the Saudi Arabian petrol company Petro Rabigh, this malware could have caused enormous harm, including marine pollution, a spike in petrol prices, and even deaths due to explosion. It works by reprogramming the controllers of the Triconex Safety Instrumented System (SIS).
According to the latest reports on this cyberattack, Triton went unnoticed for three years before being detected. An unsettling piece of news, now that the malware seems to have resurfaced in April 2019.
Many people think that hackers don't understand control systems - this is no longer true. In addition, hacking is no longer for fun - hackers now sell zero-day exploits to organized crime.
ICS incident types: Unintentional 80%, Intentional 20%
Targeted worms for very specific applications or victims are now becoming common (and in some cases available for free). SCADA and process control systems are now common topics at hacker's "Blackhat" conferences.
You don't have to be a target to be a victim: 80% of actual control system security incidents are unintentional, and in some cases generated using the principle of “ransom”.
OT CYBER ATTACKS NOW BECOME KNOWN
Victims of OT cyber attacks prefer not to divulge details about how their systems have been compromised, and the amounts lost are confidential information, but since 2016 some cyber attacks have not been contained within company limits and have become known. In some cases the consequences have entered the public domain...
Critical infrastructures are one of the first targets of cybercrime; attacks on them are ramping up more quickly than those on the financial sector (banks, ATMs, credit cards, etc.).
Cyber Security
Differences between IT and OT
There are important differences between IT systems and IACS.
Problems occur because assumptions that are valid in an IT environment may not be valid on the plant floor, and the IACS Cyber Security must address issues of safety, which is not usually an issue with conventional IT Cyber Security.
[Figure: priority ordering of Integrity, Availability and Confidentiality for IACS Cybersecurity versus IT Information Security]
ICS Cyber Security
Threats and Vulnerabilities
ANATOMY OF A CYBER ATTACK
A cyber attack generally follows a process
allowing the attacker to perform reconnaissance
or discovery of the targeted business, then
develops and executes the attack, and finally
uses the attacker’s command and control
presence to extract data and/or achieve the
attacker’s goals on the target system.
• Characterize the system
• Find exploitable vulnerabilities
• Exploit vulnerabilities (people, system and components)
• Data extraction
• Compromise Functionality
• Uncontrolled shutdown
Threat:
Circumstance or event with the potential to
adversely affect operations (including mission,
functions, image or reputation), assets, control
systems or individuals via unauthorized access,
destruction, disclosure, modification of data
and/or denial of service (IEC 62443-2-1 3.1.46).
Control Systems are more vulnerable today than
ever before because:
• Now use commercial technology (COTS)
• Highly connected
• Offer remote access
• Technical information is publicly available
• Hackers are now targeting control systems
OT VULNERABILITIES
OT vulnerabilities affect more or less all industrial control system platforms, independently of the manufacturer, brand or technology used.
This list is an extract, for 2019 only, of all the vulnerability advisories listed by the Cybersecurity and Infrastructure Security Agency (CISA).
https://www.us-cert.gov/ics/advisories?page=0
System vulnerabilities are related to interconnections and to how the equipment has been set up. Firewalls, layer 3 switches, routers, etc. are often misconfigured, allowing unauthorized access or network misuse.
Vulnerabilities are also hidden in the architecture: thinking that one firewall on the access point could be enough is one of the most common vulnerabilities put in place.
THE HUMAN FACTOR
The first weakness or vulnerability of an ICS is the human.
Humans are a vulnerability that can be exploited. The social engineer is able
to take advantage of people to obtain information with or without the use
of technology.
A Social Engineering attack is articulated in 4 steps:
1. Footprinting
2. Establishing Trust
3. Psychological Manipulation
4. The Exit
Now, after all the actual information has been extracted, the Social Engineer has to make a clear exit in such a way so as not to divert any kind of unnecessary suspicion to himself.
[Figure: Social Engineering example. An e-mail with the subject "New Career Opportunities" is used to gain network login credentials OR trusted DCS login credentials.]
ICS Cyber Security
How to attack,
Countermeasures and Defense Strategy
Attacks directly from the Internet on Internet-connected ICS devices.
Establish direct access deep into the ICS systems.
Attacks initiated using remote access credentials stolen or hijacked from authorized ICS organization users.
Establish direct access deep into the ICS systems.
Attacks on the external business web interface.
Leverage exploits for vulnerabilities existing in the web services.
CYBER PROTECTION PRINCIPLES
INDUSTRIAL CYBER SECURITY
LAWS AND STANDARDS:
THE IEC 62443
TOPICS
• Introduction: Worldwide Laws and Applicable Standards for OT Cyber Security
• The ISA / IEC 62443 standard as a method
• Risk Assessment
• Addressing risk with a Cyber Security Management System (CSMS)
• Security Levels allocation
• Systems: Foundational & System requirements
• Equipment: Security Lifecycle and requirements
• Monitoring and improving with a CSMS
Applicable Worldwide Laws and Standards
for OT Cyber Security
INTRODUCTION
POTENTIAL CONSEQUENCES
One of the main differences between Cyber Security and Information Security lies in the potential consequences. The consequences of a Cyber Attack on OT infrastructures may have impacts on a larger scope than IT. Among others, the standards list the following:
• Health and Safety
• Environment
• Social utilities availability
• Financial loss or impacts
• Damages to company image
• Loss on production
• Products quality
• ….
LAWS AND STANDARDS
Several countries are adopting OT Cyber Security frameworks at law level. A few examples:
The State of Art
COUNTRIES | ACT | AUTHORITY | WEB
EUROPE | NIS Directive 2016/1148; Cybersecurity Act 2019/881 | ENISA | https://www.enisa.europa.eu/
ITALY | D.Lgs. 65/2018 | Several | https://www.csirt-ita.it/
RUSSIAN FEDERATION | FZ-187/2017; Order 239/2017 | FSTEC | https://fstec.ru/
UNITED STATES | Cybersecurity and Infrastructure Security Agency Acts of 2013/18 | CISA, NIST | https://www.cisa.gov/ https://www.nist.gov/
AUSTRALIA | Security of Critical Infrastructure Act 2018 (No. 29, 2018) | Australian Gov. | -
CHINA | Cybersecurity Law - 2017 | CAC | http://www.cac.gov.cn/
INTERNATIONAL STANDARDS FOR CYBER SECURITY
• International Electrotechnical Commission: IEC 62443 (series) Industrial Communication Networks - Network and System Security
• International Society for Automation: ISA 99 (series) Industrial Automation and Control System (IACS) Security
• SP 800-82 Guide to Industrial Control System (ICS) Security
• NISTIR 7628 Guidelines for Smart Grid Cyber Security
• Critical Infrastructure Protection (CIP) -002 through -011
• Guidance for Addressing Cyber Security in the Chemical Industry
• Protecting Industrial Control Systems: Recommendations for Europe and Member States
• Guidance of Security for Industrial Control Systems
THE IEC 62443
A Framework for OT Cyber Security
ISA/IEC 62443 STRUCTURE
MAIN STEPS OF A CSMS
Risk Analysis
• Business Rationale
• Risk identification/Assessment
Addressing risks with the CSMS
• Security policy, organization and awareness: CSMS Scope; Organize for security; Staff training and security awareness; Business continuity plan; Security policies and procedures
• Selected security countermeasures: Personnel security; Physical and environment; Network segmentation; Access control: Account admin; Access control: Authentication; Access control: Authorization
• Implementation: Risk Management and implementation; System development and maintenance; Information Management; Incident planning and response
Monitoring & Improving
• Conformance
• Review, Improve and Maintain
ASSESS | IMPLEMENT | MAINTAIN
Each of these is further divided into element groups.
The first main category of the CSMS is Risk Assessment.
IEC 62443-2-1 BASICS
Cyber Security Lifecycle and
Management System (CSMS)
CYBER SECURITY LIFECYCLE
The IEC 62443-2-1 specifies the elements required for a CSMS. The Cyber Security Management System is divided into three categories:
• ASSESS
• IMPLEMENT
• MAINTAIN
Each of these is further divided into element groups and/or elements.
IEC 62443-2-1:
High Level and Detailed Risk Assessment
SYSTEMATIC APPROACH
The first category contains much of the background
information that feeds into many of the other
elements in the CSMS.
The first set of requirements presents the actions
an organization takes to carry out both a High Level
and a Detailed Risk Assessment that incorporates
vulnerability assessment in a chronological order.
BUSINESS RATIONALE
The organization should develop a Business Rationale
as a basis:
• Prioritized Business Consequences (as potential
consequences).
• Prioritized Threats (as potential and credible
threats).
• Estimated Business Impact (the highest priority
items and estimate of the annual business
impact).
HIGH LEVEL AND DETAILED RISK ANALYSIS
Risk Analysis identifies:
• Assets
• Threats (from BR and expanded)
• Vulnerabilities
• Consequences (from BR)
• Likelihood of Successful Attack
• Countermeasures
Risk is formally defined as an expectation of loss expressed as the probability that a particular threat will exploit a
particular vulnerability with a particular consequence.
RISK = THREAT x VULNERABILITY x CONSEQUENCE
Risk assessment can be carried out at several levels. The standard IEC 62443-2-1 requires risk assessment at two levels of
detail, called High Level Risk Assessment and Detailed Risk Assessment.
IEC 62443-2-1 and IEC 62443-3-2
Addressing Risks with a CSMS
Security Level Allocation
CYBER SECURITY MANAGEMENT SYSTEM
An IACS cannot be 100% safe. Security is really a balance of Risk versus Cost.
The foundation of any CSMS or security program is to maintain risk at an acceptable level.
ADDRESSING RISKS WITH THE CSMS
Standards typically provide guidance on what should be
included in a Management System, but do not provide
guidance on how to go about developing the Management
System.
Addressing Cyber Security on an organization-wide basis
can seem like a daunting task.
Unfortunately, there is no simple cookbook for security and
there is not a one-size-fits-all set of security practices.
SAFETY LEVELS (SL)
SLs have been broken down into 3 different types:
1. Target SLs (SL-T) which are the desired level of security for a
particular system, usually determined by performing a risk
assessment.
2. Achieved SLs (SL-A) which are the actual level of security for a
particular system used to establish whether a security system is
meeting the goals.
3. Capability SLs (SL-C) which are the security levels that components or
systems (in general a subsystem) can provide when properly
configured. These levels state that a component or system can meet
the target SLs natively.
SECURITY LEVELS (SL)
IEC 62443-3-3 expands 7 Foundational
Requirements (FR) into System Requirements (SR).
Each SR has further Requirement Enhancements
(REs) for stronger security. All 7 FRs have a defined
set of 4 SLs.
IEC 62443-1-1
Security Levels
Foundational Requirements
As defined in IEC 62443-1-1 there are a total of 7 FRs:
1. Identification and authentication control (IAC),
2. Use control (UC),
3. System integrity (SI),
4. Data confidentiality (DC),
5. Restricted data flow (RDF),
6. Timely response to events (TRE), and
7. Resource availability (RA).
FOUNDATIONAL REQUIREMENTS (FR)
These seven requirements are the
foundation for control system capability
SLs, SL-C (control system).
The IEC 62443-3-3 provides detailed
technical control System Requirements
(SRs) associated with these seven
Foundational Requirements (FRs).
IEC 62443-3-3
Security Levels System Requirements
System integrators, product suppliers and service providers shall evaluate
whether products and services can provide the Functional Security
Capability that meets the asset owner's target security level (SL-T)
requirements.
SECURITY LEVELS SYSTEM REQUIREMENTS
As with the assignment of SL-Ts, the applicability of individual control system
requirements (SRs) and Requirement Enhancements (REs) needs to be
based on an asset owner's security policies, procedures and risk assessment
in the context of their specific site.
EXAMPLES OF SL SYSTEM REQUIREMENTS
SRs and REs | SL 1 | SL 2 | SL 3 | SL 4
FR 1 - Identification and authentication control (IAC)
SR 1.1 - Human user identification and authentication | X | X | X | X
RE (1) Unique identification and authentication |  | X | X | X
RE (2) Multifactor authentication for untrusted networks |  |  | X | X
RE (3) Multifactor authentication for all networks |  |  |  | X
SR 1.2 - Software process and device identification and authentication |  | X | X | X
RE (1) Unique identification and authentication |  |  | X | X
SR 1.3 - Account management | X | X | X | X
RE (1) Unified account management |  |  | X | X
SR 1.4 - Identifier management | X | X | X | X
SR 1.5 - Authenticator management | X | X | X | X
RE (1) Hardware security for software process identity credentials |  |  | X | X
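The check a system integrator runs against an asset owner's SL-T can be expressed directly from the FR 1 rows above. This is an added example, not part of the original slides: it covers only the rows shown in the table, reads the X marks as cumulative towards SL 4, and the controller's capability declaration is constructed for illustration.

```python
# FR 1 rows from the example table: requirement -> lowest SL at which it is marked.
# Assumption: marks are cumulative, so a requirement marked at SL 2 also applies at SL 3 and SL 4.
FR1_MIN_SL = {
    "SR 1.1": 1, "SR 1.1 RE(1)": 2, "SR 1.1 RE(2)": 3, "SR 1.1 RE(3)": 4,
    "SR 1.2": 2, "SR 1.2 RE(1)": 3,
    "SR 1.3": 1, "SR 1.3 RE(1)": 3,
    "SR 1.4": 1,
    "SR 1.5": 1, "SR 1.5 RE(1)": 3,
}


def required_for(sl_target):
    """Return the FR 1 SRs and REs that a given SL-T calls for."""
    if sl_target not in (1, 2, 3, 4):
        raise ValueError("security level must be 1, 2, 3 or 4")
    return sorted(req for req, min_sl in FR1_MIN_SL.items() if min_sl <= sl_target)


def orphan_enhancements(supported):
    """REs declared without their base SR; such a declaration is inconsistent."""
    return sorted(r for r in supported
                  if " RE(" in r and r.split(" RE(")[0] not in supported)


def _usable(supported):
    # An enhancement only counts when its base requirement is also supported.
    return set(supported) - set(orphan_enhancements(supported))


def capability_level(supported):
    """Highest SL whose complete FR 1 set is supported (0 if SL 1 is not met)."""
    usable = _usable(supported)
    level = 0
    for sl in (1, 2, 3, 4):
        if not set(required_for(sl)) <= usable:
            break
        level = sl
    return level


def gap(sl_target, supported):
    """Requirements still missing before the component meets SL-T for FR 1."""
    usable = _usable(supported)
    return [req for req in required_for(sl_target) if req not in usable]


# Constructed capability declaration for a hypothetical controller.
CONTROLLER = {"SR 1.1", "SR 1.1 RE(1)", "SR 1.2", "SR 1.3",
              "SR 1.4", "SR 1.5", "SR 1.5 RE(1)"}

if __name__ == "__main__":
    sl_t = 3  # target security level chosen by the asset owner's risk assessment
    print("FR 1 capability level (SL-C):", capability_level(CONTROLLER))
    print("Missing for SL-T %d:" % sl_t, gap(sl_t, CONTROLLER))
```

The controller supports one SL 3 enhancement (SR 1.5 RE(1)) yet its capability level for FR 1 stays at 2, because a level is reached only when every requirement marked for it is met.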
IEC 62443-4-1
Equipment: Security Lifecycle
The IEC 62443-4-1 provides a framework for a secure-by-design, defense-in-depth approach to designing, maintaining and retiring products.
EQUIPMENT SECURITY LIFECYCLE AND EVALUATION TECHNIQUES
[Figure: Defense-in-Depth Strategy, comprising Security Management, Specification of security requirements, Security by design, Secure Implementation, Security V&V testing and Security guidelines]
The framework is composed of 8 practices.
The standard defines the requirements to align the development
process with the elevated security needs of product users of IACS.
• Practice 1 – Security management
• Practice 2 – Specification of security requirements
• Practice 3 – Secure by design
• Practice 4 – Secure implementation
• Practice 5 – Security verification and validation testing
• Practice 6 – Management of security-related issues
• Practice 7 – Security update management
• Practice 8 – Security guidelines
IEC 62443-4-2
Equipment: Security Requirements
• Component Requirements (CR)
• Software Application Requirements (SAR)
• Embedded Device Requirements (EDR)
• Host Device Requirements (HDR)
• Network Device Requirements (NDR)
TECHNICAL SECURITY REQUIREMENTS FOR IACS COMPONENTS
IEC 62443-2-1
Monitoring and Improving with a CSMS
MAINTAINING AND IMPROVING THE CSMS
The last category is monitoring and improving the CSMS.
This category is important to ensure the safety performance along the entire system life.
THANK YOU!
H-ON Consulting
Prato | Viadana | Houston | Glasgow
Tel. +39 0574 870 800 [email protected] www.h-on.it
Industrial Security for Digital Industries
Bologna – 03.12.2019
siemens.com/industrial-networks
Unrestricted © Siemens 2019
Marcello Scalfi
Sales Specialist Industrial Networks & Security
Siemens Spa
Via Vipiteno, 4
20128 – Milano
mailto: [email protected]