Industrial control systems (ICS) are used to control industrial processes and manufacturing equipment. They face unique security challenges compared to traditional IT systems due to their real-time operation and custom hardware and software. This document discusses several past ICS cyber attacks and identifies vulnerabilities in ICS security architecture, configuration management, patch management, and change testing. Proper ICS security requires a cross-functional team approach and careful management of the specialized ICS environment.
The document discusses the NIST Cybersecurity Framework, which provides guidelines for critical infrastructure security and management of cybersecurity risks. It was created through a collaboration between government and industry to help organizations manage and reduce cybersecurity risks. The framework consists of five concurrent and continuous functions - Identify, Protect, Detect, Respond, Recover. It also outlines implementation tiers from Partial to Adaptive to help organizations determine their cybersecurity risk management practices. The framework is meant to be flexible and not prescriptive in order to accommodate different sectors and risks profiles.
Cybersecurity roadmap : Global healthcare security architecture
Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables.
(Source : RSA Conference USA 2017)
The NIST SP 800-82 document provides guidance on establishing secure industrial control systems (ICS). It discusses ICS characteristics and security challenges. It recommends developing a comprehensive ICS security program that includes senior management support, risk assessments, defined policies and procedures, inventory of assets, and training. It also provides recommendations on network architecture design and implementing NIST SP 800-53 security controls for ICS environments.
This document discusses ICS/SCADA cybersecurity. It introduces the speaker as a security enthusiast with 2 years of ICS experience. It then provides commands to list and view ICS files. The document defines ICS components like sensors, actuators, PLCs, HMIs, and data historians. It lists resources for ICS security training and trends.
Chris Sistrunk discussed implementing network security monitoring (NSM) on industrial control systems (ICS). NSM involves collecting network data through tools like Security Onion, analyzing the data to detect anomalies, and investigating anomalies to identify potential threats. While ICS networks pose different challenges than typical IT networks, the same NSM methodology of collection, detection, and analysis can be applied. Free and open source tools like Security Onion allow implementing NSM on ICS to hunt for threats without disrupting operations. The most important part of NSM is having knowledgeable people to interpret data and identify what is normal versus potentially malicious activity on the network.
This document discusses requirements for physical and information security systems for data centers. It outlines two major types of protection: physical security, involving safeguarding assets and personnel through controls like access points, alarms and cameras; and information security, protecting data through measures such as firewalls, antivirus software and identity management. The document provides steps for physical security including site placement, utilities redundancy, and access limitations. It also presents examples of Cisco security products that can be used like the ASA firewall and NAC appliance for network admission control.
Integrated Security Operations Center (ISOC) for Cybersecurity Collaboration
This session will present a real case study of methodology and advanced cybersecurity tools used along with important tips and lessons learned on implementing an ISOC project at the second largest city of the nation. Topics include the critical success factors, advanced tools and technologies for ISOC, Situational Awareness, Threat Intelligence Sharing and cybersecurity collaboration.
(Source: RSA USA 2016-San Francisco)
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
This document provides an overview of how security architecture fits within enterprise architecture. It begins by noting that security architecture is a subset of enterprise architecture. It then discusses a presentation given on this topic, highlighting how security practices are often misunderstood by both IT and security professionals. The presentation explores how to better integrate security architecture with enterprise architecture frameworks and processes to ensure security priorities are properly considered throughout enterprise initiatives. It emphasizes the importance of understanding enterprise architecture, aligning security language with business needs, and using evidence-based approaches to integrate security architecture within overall enterprise architecture.
This document discusses implementing a secure software development lifecycle (SDLC). It emphasizes building security into software from the start rather than adding it later. The summary is:
The document outlines a secure SDLC process involving defining security requirements, designing for security, implementing secure coding practices, testing software security, and ongoing security monitoring. It notes that software security is a shared responsibility and discusses challenges like team pushback and measuring security benefits. The document also presents a case study of a company that implemented a secure SDLC process to address client security issues and prevent future problems.
The document discusses information security governance and strategy. It defines governance and management, with governance determining decision rights and providing oversight, while management implements controls. Effective governance is risk-based, defines roles and responsibilities, and commits adequate resources. Challenges include understanding security implications and establishing proper structures. Outcomes include strategic alignment of security and risk management. Governance structures depend on desired outcomes such as revenue growth or profit.
The Cybersecurity Risk Management Framework Strategy for Defense Platform Systems course prepares command leadership to implement the National Institute of Standards and Technology’s (NIST) cybersecurity Risk Management Framework (RMF) from a Platform Information Technology (PIT) perspective.
This one-day workshop reviews the five functions of cybersecurity that leadership must consider when making decisions about program resources and requirements.
This document discusses security and compliance when using AWS. It makes three main points:
1. AWS and customers share responsibility for security, with AWS managing security of the cloud infrastructure and customers responsible for security in their use of AWS services.
2. AWS provides security tools and features that customers can use to protect their cloud resources and data. Customers can architect for security and follow security best practices.
3. AWS offers certifications and assurance programs to help customers meet various compliance standards and regulations.
In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.
What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
Would you drive BLINDFOLDED?
A false sense of security?
Without a Security Framework…
Why Cyber Security Framework?
How would I measure my effectiveness?
The project title for this task force is “Cyber Security Maturity Model for Organizations”. Some of the
key things that you are going to learn from this presentation is:
The user organizations will learn, how to easily adapt a cyber security maturity assessmentmodel based on the widely accepted frameworks such as NIST CSF and ISO27001:2013
The readers will learn about the core information security domains and how to plan forsecurity activities around those core domains
The readers will learn how to prioritize the security budget and draw out the securitycontrol implementation roadmap for their organization
The readers will learn to apply a risk informed approach to information security for theirorganizations which can be used to educate about and sell security to their CEO’s and board members.
The document discusses securing industrial control systems (ICS) infrastructure for compliance with NERC CIP standards and beyond. It outlines the network security challenges for bulk power systems in meeting compliance standards while balancing performance and costs. Real-world security vulnerabilities are described from assessments done by the GAO and Department of Energy. The paper then explains how a unified threat management approach using a single security platform can help simplify NERC compliance by providing firewall, VPN, antivirus, IPS, and authentication capabilities required without needing separate point products. This integrated solution secures the infrastructure while maintaining performance.
Supervisory Control And Data Acquisition (SCADA) networks are used to control large industrial machines and systems remotely. SCADA systems were designed for efficiency, not security, so they are vulnerable to exploitation. There are numerous entry points for attackers, including wireless networks connecting SCADA systems, gateways between computer and SCADA networks, and modifying unencrypted command traffic. Organizations need to implement controls separating SCADA networks, monitor for abnormalities, regularly upgrade firmware, and consider the human element for securely controlling SCADA systems.
Security Issues in SCADA based Industrial Control Systems
This document discusses security concerns in industrial control systems. It provides an overview of industrial control systems (ICS) and SCADA systems, which are widely used to control infrastructure systems. It outlines several vulnerabilities in ICS, including issues with legacy systems not being designed with modern cybersecurity threats in mind. Specific threats like zero-day vulnerabilities, non-prioritized tasks, and database/communication protocol issues are examined. The conclusion states that additional digital security techniques are needed to protect critical infrastructure control systems.
Industrial networks safety & security - e+h june 2018 ben murphy
This presentation discusses why cybersecurity is an issue for safety instrumented systems and will examine example architectures when communicating with the SIS.
The security of critical networks is at the center of attention of industry and government regulators alike. Check Point and RAD offer a joint end-to-end cyber security solution that protects any utility operational technology (OT) network by eliminating RTU and SCADA equipment vulnerabilities, as well as defends against cyber-attacks on the network’s control and data planes. This solution brief explains how the joint solution enables compliance with NERC-CIP directives, provides deep visibility and control of ICS/SCADA communications, and allows secure remote access into OT networks.
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...
Federal agencies are moving their industrial control systems (ICS) from operational business networks to separate, dedicated networks in order to enhance security. However, without a system to test the new equipment and software coming into these separate networks, security risks will persist. This paper explores the impact on security of instituting a sanctioned ICS test lab and recommends best practices for setting up and operating these labs.
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
SCADA systems control some of the most vital infrastructure in industrial and energy sectors, from oil and gas pipelines to nuclear facilities to water treatment plants.
Critical infrastructure is defined as the physical and IT assets, networks and services that if disrupted or destroyed would have a serious impact on the health, security, or economic wellbeing of citizens and the efficient functioning of a country’s government.
Augmentation of a SCADA based firewall against foreign hacking devices
This document summarizes a research paper that implemented a SCADA-based firewall to protect data transmission from external hacking devices. The paper first discusses a case study where an industrial control system was hacked 46 times. It then provides an overview of industrial firewalls and the differences between industrial and IT firewalls. The paper describes configuring a Tofino industrial firewall with SCADA-HMI and PLC assets. It tests the firewall by simulating scenarios without and with the firewall, showing the firewall prevents an attacker from accessing the PLC simulator based on communication protocols. The paper concludes customized industrial firewalls are needed and protocols must be regularly updated as cyber attacks evolve.
1. Cloud computing provides flexibility and economies of scale but introduces new security risks as sensitive data and infrastructure are placed outside traditional secure perimeters.
2. Traditional security measures like firewalls and intrusion detection become more difficult in cloud environments where virtual machines are dynamically allocated across shared physical servers.
3. Ensuring data integrity, updating security software, complying with regulations, and monitoring administrator access require new solutions to prove security and respond to vulnerabilities in cloud infrastructure and virtual environments.
Information Security Principles - Access Controlidingolay
The document discusses various concepts related to access controls and authentication methods in information security. It covers identification, authentication, authorization, accountability and different authentication factors like something you know, something you have, something you are. It also discusses access control models, biometrics, passwords and single sign-on systems.
Slides for the presentation about SCADA hacking given on Hackers 2 Hackers Conference 10th edition at São Paulo, Brazil
Demo videos:
- Wago 0day DOS: https://www.youtube.com/watch?v=ACMJmXy4hSg
- Modbus Replay: https://www.youtube.com/watch?v=1pfZDiUUQHQ
Presentation Video (pt_BR)
- https://www.youtube.com/watch?v=R1snsQ_WS9Y
The document discusses security operation centers (SOCs) and their functions. It describes what a SOC is and its main purpose of monitoring, preventing, detecting, investigating and responding to cyber threats. It outlines the typical roles in a SOC including tier 1, 2 and 3 analysts and security engineers. It also discusses the common tools, skills needed for each role, and types of SOCs such as dedicated, distributed, multifunctional and virtual SOCs.
The document discusses the NIST Cybersecurity Framework, which provides guidelines for critical infrastructure security and management of cybersecurity risks. It was created through a collaboration between government and industry to help organizations manage and reduce cybersecurity risks. The framework consists of five concurrent and continuous functions - Identify, Protect, Detect, Respond, Recover. It also outlines implementation tiers from Partial to Adaptive to help organizations determine their cybersecurity risk management practices. The framework is meant to be flexible and not prescriptive in order to accommodate different sectors and risks profiles.
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
Using NIST cybersecurity framework, one of the largest healthcare IT firms in the US developed the global security architecture and roadmap addressing security gaps by architecture domain and common security capability. This session will discuss the architecture framework, capability matrix, the architecture development methodology and key deliverables.
(Source : RSA Conference USA 2017)
The NIST SP 800-82 document provides guidance on establishing secure industrial control systems (ICS). It discusses ICS characteristics and security challenges. It recommends developing a comprehensive ICS security program that includes senior management support, risk assessments, defined policies and procedures, inventory of assets, and training. It also provides recommendations on network architecture design and implementing NIST SP 800-53 security controls for ICS environments.
This document discusses ICS/SCADA cybersecurity. It introduces the speaker as a security enthusiast with 2 years of ICS experience. It then provides commands to list and view ICS files. The document defines ICS components like sensors, actuators, PLCs, HMIs, and data historians. It lists resources for ICS security training and trends.
Chris Sistrunk discussed implementing network security monitoring (NSM) on industrial control systems (ICS). NSM involves collecting network data through tools like Security Onion, analyzing the data to detect anomalies, and investigating anomalies to identify potential threats. While ICS networks pose different challenges than typical IT networks, the same NSM methodology of collection, detection, and analysis can be applied. Free and open source tools like Security Onion allow implementing NSM on ICS to hunt for threats without disrupting operations. The most important part of NSM is having knowledgeable people to interpret data and identify what is normal versus potentially malicious activity on the network.
This document discusses requirements for physical and information security systems for data centers. It outlines two major types of protection: physical security, involving safeguarding assets and personnel through controls like access points, alarms and cameras; and information security, protecting data through measures such as firewalls, antivirus software and identity management. The document provides steps for physical security including site placement, utilities redundancy, and access limitations. It also presents examples of Cisco security products that can be used like the ASA firewall and NAC appliance for network admission control.
Integrated Security Operations Center (ISOC) for Cybersecurity CollaborationPriyanka Aash
This session will present a real case study of methodology and advanced cybersecurity tools used along with important tips and lessons learned on implementing an ISOC project at the second largest city of the nation. Topics include the critical success factors, advanced tools and technologies for ISOC, Situational Awareness, Threat Intelligence Sharing and cybersecurity collaboration.
(Source: RSA USA 2016-San Francisco)
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
This document provides an overview of how security architecture fits within enterprise architecture. It begins by noting that security architecture is a subset of enterprise architecture. It then discusses a presentation given on this topic, highlighting how security practices are often misunderstood by both IT and security professionals. The presentation explores how to better integrate security architecture with enterprise architecture frameworks and processes to ensure security priorities are properly considered throughout enterprise initiatives. It emphasizes the importance of understanding enterprise architecture, aligning security language with business needs, and using evidence-based approaches to integrate security architecture within overall enterprise architecture.
This document discusses implementing a secure software development lifecycle (SDLC). It emphasizes building security into software from the start rather than adding it later. The summary is:
The document outlines a secure SDLC process involving defining security requirements, designing for security, implementing secure coding practices, testing software security, and ongoing security monitoring. It notes that software security is a shared responsibility and discusses challenges like team pushback and measuring security benefits. The document also presents a case study of a company that implemented a secure SDLC process to address client security issues and prevent future problems.
Information Security Governance and Strategy - 3Dam Frank
The document discusses information security governance and strategy. It defines governance and management, with governance determining decision rights and providing oversight, while management implements controls. Effective governance is risk-based, defines roles and responsibilities, and commits adequate resources. Challenges include understanding security implications and establishing proper structures. Outcomes include strategic alignment of security and risk management. Governance structures depend on desired outcomes such as revenue growth or profit.
The Cybersecurity Risk Management Framework Strategy for Defense Platform Systems course prepares command leadership to implement the National Institute of Standards and Technology’s (NIST) cybersecurity Risk Management Framework (RMF) from a Platform Information Technology (PIT) perspective.
This one-day workshop reviews the five functions of cybersecurity that leadership must consider when making decisions about program resources and requirements.
This document discusses security and compliance when using AWS. It makes three main points:
1. AWS and customers share responsibility for security, with AWS managing security of the cloud infrastructure and customers responsible for security in their use of AWS services.
2. AWS provides security tools and features that customers can use to protect their cloud resources and data. Customers can architect for security and follow security best practices.
3. AWS offers certifications and assurance programs to help customers meet various compliance standards and regulations.
Cyber Security in Energy & Utilities IndustryProlifics
In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.
What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
Would you drive BLINDFOLDED?
A false sense of security?
Without a Security Framework…
Why Cyber Security Framework?
How would I measure my effectiveness?
The project title for this task force is “Cyber Security Maturity Model for Organizations”. Some of the
key things that you are going to learn from this presentation is:
The user organizations will learn, how to easily adapt a cyber security maturity assessmentmodel based on the widely accepted frameworks such as NIST CSF and ISO27001:2013
The readers will learn about the core information security domains and how to plan forsecurity activities around those core domains
The readers will learn how to prioritize the security budget and draw out the securitycontrol implementation roadmap for their organization
The readers will learn to apply a risk informed approach to information security for theirorganizations which can be used to educate about and sell security to their CEO’s and board members.
The document discusses securing industrial control systems (ICS) infrastructure for compliance with NERC CIP standards and beyond. It outlines the network security challenges for bulk power systems in meeting compliance standards while balancing performance and costs. Real-world security vulnerabilities are described from assessments done by the GAO and Department of Energy. The paper then explains how a unified threat management approach using a single security platform can help simplify NERC compliance by providing firewall, VPN, antivirus, IPS, and authentication capabilities required without needing separate point products. This integrated solution secures the infrastructure while maintaining performance.
Supervisory Control And Data Acquisition (SCADA) networks are used to control large industrial machines and systems remotely. SCADA systems were designed for efficiency, not security, so they are vulnerable to exploitation. There are numerous entry points for attackers, including wireless networks connecting SCADA systems, gateways between computer and SCADA networks, and modifying unencrypted command traffic. Organizations need to implement controls separating SCADA networks, monitor for abnormalities, regularly upgrade firmware, and consider the human element for securely controlling SCADA systems.
Security Issues in SCADA based Industrial Control Systems aswanthmrajeev112
This document discusses security concerns in industrial control systems. It provides an overview of industrial control systems (ICS) and SCADA systems, which are widely used to control infrastructure systems. It outlines several vulnerabilities in ICS, including issues with legacy systems not being designed with modern cybersecurity threats in mind. Specific threats like zero-day vulnerabilities, non-prioritized tasks, and database/communication protocol issues are examined. The conclusion states that additional digital security techniques are needed to protect critical infrastructure control systems.
This presentation discusses why cybersecurity is an issue for safety instrumented systems and will examine example architectures when communicating with the SIS.
Robust Cyber Security for Power UtilitiesNir Cohen
The security of critical networks is at the center of attention of industry and government regulators alike. Check Point and RAD offer a joint end-to-end cyber security solution that protects any utility operational technology (OT) network by eliminating RTU and SCADA equipment vulnerabilities, as well as defends against cyber-attacks on the network’s control and data planes. This solution brief explains how the joint solution enables compliance with NERC-CIP directives, provides deep visibility and control of ICS/SCADA communications, and allows secure remote access into OT networks.
How Test Labs Reduce Cyber Security Threats to Industrial Control Systemse cy...Schneider Electric
Federal agencies are moving their industrial control systems (ICS) from operational business networks to separate, dedicated networks in order to enhance security. However, without a system to test the new equipment and software coming into these separate networks, security risks will persist. This paper explores the impact on security of instituting a sanctioned ICS test lab and recommends best practices for setting up and operating these labs.
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Abhishek Goel
SCADA systems control some of the most vital infrastructure in industrial and energy sectors, from oil and gas pipelines to nuclear facilities to water treatment plants.
Critical infrastructure is defined as the physical and IT assets, networks and services that if disrupted or destroyed would have a serious impact on the health, security, or economic wellbeing of citizens and the efficient functioning of a country’s government.
Augmentation of a SCADA based firewall against foreign hacking devices IJECEIAES
This document summarizes a research paper that implemented a SCADA-based firewall to protect data transmission from external hacking devices. The paper first discusses a case study where an industrial control system was hacked 46 times. It then provides an overview of industrial firewalls and the differences between industrial and IT firewalls. The paper describes configuring a Tofino industrial firewall with SCADA-HMI and PLC assets. It tests the firewall by simulating scenarios without and with the firewall, showing the firewall prevents an attacker from accessing the PLC simulator based on communication protocols. The paper concludes customized industrial firewalls are needed and protocols must be regularly updated as cyber attacks evolve.
1. Cloud computing provides flexibility and economies of scale but introduces new security risks as sensitive data and infrastructure are placed outside traditional secure perimeters.
2. Traditional security measures like firewalls and intrusion detection become more difficult in cloud environments where virtual machines are dynamically allocated across shared physical servers.
3. Ensuring data integrity, updating security software, complying with regulations, and monitoring administrator access require new solutions to prove security and respond to vulnerabilities in cloud infrastructure and virtual environments.
III SEM MCA-Module 4 -Ch2.pdf- Securing IoTRAJESHWARI M
This document discusses securing industrial internet of things (IoT) environments. It provides a brief history of operational technology (OT) security, detailing how OT security has evolved over time and some common challenges. Some key differences between securing IT and OT environments are explored, including the Purdue model for control hierarchy and how OT network characteristics impact security. Common challenges in OT security are then examined, such as erosion of network architecture, pervasive legacy systems, insecure operational protocols, device insecurity, dependence on external vendors, and lack of security knowledge.
The Nozomi Networks solution improves ICS cyber resiliency and provides real-time operational visibility. Major customers have improved reliability, cybersecurity and operational efficiency using our technology. Learn more about our solutions and technology here and how they can bring immediate benefit to your industrial control system (ICS)
This document provides an overview of Nathan Wallace's background and experience in power engineering and cybersecurity. It discusses some of the challenges in implementing cybersecurity for power systems, including identifying critical cyber assets, determining responsibilities between IT and OT departments, and addressing compliance needs versus best practices. It also outlines major hurdles to improving cybersecurity such as overclassification of information, viewing it only as an IT issue or in defending only against threats. The document advocates for an engineering-based approach and standardization to help drive the field forward.
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
Presented @ Emerson Exchange
October 7, 2014
Industrial control systems (ICS) are large information technology (IT) systems. Office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact to the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ISC turnaround work, using cyber-vulnerability assessment to focus turnaround work to only what is necessary.
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Dawn Yankeelov
"Understanding Cyber Industrial Controls in the Manufacturing and Utilities Environment," By Dr. John Naber, Co-Founder & Partner in True Secure SCADA, which is KY-based and holds 2 key patents in this area. This was given at the TALK Cybersecurity Summit 2018 in Louisville, KY.
The document discusses threats to industrial control systems and strategies for improving security. It notes that industrial systems have unique vulnerabilities and consequences compared to traditional IT systems. Several real-world attacks on industrial systems like water treatment plants are described. The need for improved incident response planning, staff training, and security practices like encryption and identity management is emphasized. Developing an incident response team and testing response plans through exercises is presented as a key starting point for organizations.
This document provides an overview of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS), including fundamentals, evolution over time, vulnerabilities, security frameworks, good practices, and resources. It defines SCADA/ICS, describes how they have become more interconnected, lists vulnerabilities like outdated systems and remote access, outlines security standards like NIST and NERC, recommends practices like segmentation and patching, and provides example frameworks and resources.
Cyber attacks on industrial control systems pose a serious threat. Several incidents around the world have shown that critical infrastructure systems controlling functions like power grids and water treatment have been hacked, in some cases shutting down safety monitoring systems. These control systems were not designed with security in mind and connecting them to corporate networks and the internet has increased vulnerabilities. Stronger security measures are needed to protect against growing cyber threats.
In today’s connected world, cyber security is a topic that nobody can afford to ignore. In recent years the number and frequency of attacks on industrial devices and other critical infrastructure has risen dramatically. Recent news stories about hackers shutting down critical infrastructure have left many companies wondering if they are vulnerable to similar attacks. In this webinar we will discuss the most common security threats and unique challenges in securing industrial networks. We will introduce the current standards and share some useful resources and best practices for addressing industrial cyber security.
Key Takeaways:
1. Gain perspective regarding common security threats facing industrial networks.
2. Learn about the relevant standards governing industrial cyber security.
3. Increase understanding of some best practices for securing industrial networks.
2. What is Industrial Control Systems ?
•Industrial Control System (ICS) is a general term that encompasses several types
of control systems used in industrial process control for production and
manufacture, including SCADA, DCS and PLC systems
•ICS’s are typically used in industries such as oil & gas production, power
generation and nuclear installations. ICS’s are specifically designed and
manufactured for the industrial environment, they are designed to be installed
Industrial Control Systems cyber Security
manufactured for the industrial environment, they are designed to be installed
for offshore and onshore applications.
Typical examples of ICS
3. What is Cyber security ?
Cyber-security is the body of technologies, processes and practices designed to protect
networks, computers, programs and data from attack, damage or unauthorized access. In
a computing context, security includes both cyber-security and physical security.
Industrial Control Systems cyber Security
Do we really need this in the industrial process control network ? ?
4. To simply answer this question, history says it all !!
Do we really need this in the industrial process control network ?
Incident Description
2000 Maroochy Water
Treatment ,Australia
( SCADA system)
A disgruntled former
employee hacked into the
system, took control of 150
pumping stations and releasedpumping stations and released
1 million liters of raw sewage
into local parks, rivers and
even the grounds of a Hyatt
Regency hotel over a 3 month
period.
Observations •Radio communications commonly used in SCADA systems are often
insecure or improperly configured
•SCADA devices and software should be secured to the extent possible using
physical and logical controls
•Difficult to differentiate attacks from malfunctions
•Also recommended : Anti-virus , Firewall protection, Appropriate use of
encryption , Upgrade-able SCADA systems (from a security perspective) ,
Proper staff training and Security auditing and control.
5. 2000 Maroochy Water Treatment
•There was no active protection not even a properly configured firewall .
6. Famous ICS cyber attacks !!
Incident Description
2003 PDVSA Oil Terminal , Venezuela
( PLC Controller)
Details of the cyber attacks on PDVSA’s systems
were slow to emerge, but it seemed that
hackers were able to penetrate the SCADA
system responsible for tanker loading at a
marine terminal in eastern Venezuela. Once
inside, the hackers erased the programs in the
programmable logic controllers (PLCs)
operating the facility, preventing tanker
loading for eight hours. Fortunately for PDVSA,
the tactics of attackers were unsophisticated,the tactics of attackers were unsophisticated,
making detection of the problem relatively
easy, and backups of the PLC programs were
unaffected, making recovery straightforward.
Observations •Internal surveys at several major oil companies indicated that managers
often misunderstand the situation they face when it comes to SCADA
security. First, many believe that the Information Technology (IT) group
automatically looks after SCADA security
•While IT departments are very good at providing security for systems they
understand, such as Windows® servers and accounting databases, the
critical control systems that run the pipelines and refineries day in and day
out are forbidding beasts to the IT professional .
7. Incident Description
2006 Brown’s Ferry Nuclear
Plant , USA
( PLC Controller and VFD)
•Unit 3 was manually shutdown after the failure of both reactor
recirculation pumps and the condensate demineralizer controller.
The condensate demineralizer used a programmable logic
controller (PLC); the recirculation pumps depend on variable
frequency drives (VFD) to modulate motor speed.
• Both kinds of devices have embedded microprocessors that can
communicate data over the Ethernet LAN. However, both devices
are prone to failure in high traffic environments. A device using
Famous ICS cyber attacks !!
are prone to failure in high traffic environments. A device using
Ethernet broadcasts data packets to every other device
connected to the network. Receiving devices must examine each
packet to determine which ones are addressed to them and to
ignore those that are not.
• It appears the Browns Ferry control network produced more
traffic than the PLC and VFD controllers could handle; it is also
possible that the PLC malfunctioned and flooded the Ethernet
with spurious traffic, disabling the VFD controllers; tests
conducted after the incident were inconclusive.
8. Incident Description
2010 Iran Nuclear
Processing, Iran ( PLC
Controller and DCS)
•Stuxnet specifically targets programmable logic controllers
(PLCs), which allow the automation of electromechanical
processes such as those used to control machinery on factory
assembly lines, amusement rides, or centrifuges for separating
nuclear material. Exploiting four zero-day flaws, Stuxnet
functions by targeting machines using the Microsoft
Windows operating system and networks, then seeking
out Siemens Step7 software.
Famous ICS cyber attacks !!
out Siemens Step7 software.
•Stuxnet is typically introduced to the target environment via an
infected USB flash drive. The worm then propagates across the
network, scanning for Siemens Step7 software on computers
controlling a PLC. In the absence of either criterion, Stuxnet
becomes dormant inside the computer. If both the conditions are
fulfilled, Stuxnet introduces the infected rootkit onto the PLC and
Step7 software, modifying the codes and giving unexpected
commands to the PLC while returning a loop of normal
operations system values feedback to the users
10. •Managers often misunderstand the situation they face when it comes to ICS security.
First, many believe that the Information Technology (IT) group automatically looks
after ICS security
IT system Vs ICS system
Category Information Technology System Industrial Control System
Performance Requirements •Non-real-time
•Response must be consistent
•Tightly restricted access control
can be implemented to the
degree necessary for security
•Real-time
•Response is time-critical
•Access to ICS should be
strictly controlled, but should
not hamper or interfere with
human-machine interactionhuman-machine interaction
System Operation •Systems are designed for use
with typical operating systems
•Upgrades are straightforward
with the availability of
automated deployment tools
•Differing and possibly
proprietary operating systems,
often without security
capabilities built in
•Software changes must be
carefully made, usually by
software vendors, because of
the specialized control
algorithms and perhaps
modified hardware and
software involved
11. IT system Vs ICS system
Category Information Technology System Industrial Control System
Communications •Standard communications
protocols
•Primarily wired networks with
some localized wireless capabilities
•Typical IT networking practices
•Many proprietary and standard
communication protocols.
•Several types of communications
media used including dedicated
wire and wireless (radio and
satellite)
•Networks are complex and
sometimes require the expertise
of control engineersof control engineers
Managed Support •Allow for diversified support styles •Service support is usually via a
single vendor
Component Lifetime •Lifetime on the order of 3 to 5
years
•Lifetime on the order of 10 to 15
years
Conclusion :
•The operational and risk differences between ICS and IT systems create the need for increased
sophistication in applying cybersecurity and operational strategies.
• A cross-functional team of control engineers, control system operators and IT security
professionals needs to work closely to understand the possible implications of the installation,
operation, and maintenance of security solutions
13. Identifying Possible hazards and Vulnerable points
Vulnerability Description
Inadequate
incorporation of
security into
architecture and
design.
Incorporating security into the ICS architecture, design must start with
budget, and schedule of the ICS. The security architecture is part of
the Enterprise Architecture. The architectures must address the
identification and authorization of users, access control mechanism,
network topologies, and system configuration and integrity
mechanisms.
Hardware, firmware,
and software not
The organization doesn’t know what it has, what versions it has, where
they are, or what their patch status is, resulting in an inconsistent, andand software not
under configuration
management.
they are, or what their patch status is, resulting in an inconsistent, and
ineffective defense posture. A process for controlling modifications to
hardware, firmware, software, and documentation should be
implemented to ensure an ICS is protected against inadequate or
improper modifications before, during, and after system
implementation. A lack of configuration change management
procedures can lead to security oversights, exposures, and risks. To
properly secure an ICS, there should be an accurate listing of the
assets in the system and their current configurations. These
procedures are critical to executing business continuity and disaster
recovery plans.
14. Identifying Possible hazards and Vulnerable points
Vulnerability Description
OS and application
security patches are
not maintained or
vendor declines to
patch vulnerability
Out-of-date OSs and applications may contain newly discovered
vulnerabilities that could be exploited. Documented procedures should
be developed for how security patches will be maintained. Security
patch support may not even be available for ICS that use outdated OSs,
so procedures should include contingency plans for mitigating
vulnerabilities where patches may never be available.
Inadequate testing of
security changes
Modifications to hardware, firmware, and software deployed without
testing could compromise normal operation of the ICS. Documentedsecurity changes testing could compromise normal operation of the ICS. Documented
procedures should be developed for testing all changes for security
impact. The live operational systems should never be used for testing.
The testing of system modifications may need to be coordinated with
system vendors and integrators
Poor remote access
controls
There are many reasons why an ICS may need to be remotely
accessed, including vendors and system integrators performing system
maintenance functions, and also ICS engineers accessing
geographically remote system components. Remote access capabilities
must be adequately controlled to prevent unauthorized individuals
from gaining access to the ICS.
15. Identifying Possible hazards and Vulnerable points
Vulnerability Description
Critical configurations
are not stored or
backed up
Procedures should be available for restoring ICS configuration settings
in the event of accidental or adversary-initiated configuration changes
to maintain system availability and prevent loss of data. Documented
procedures should be developed for maintaining ICS configuration
settings.
Improper data linking ICS data storage systems may be linked with non-ICS data sources. An
example of this is database links, which allow data from one database
to be automatically replicated to others. Data linkage may create ato be automatically replicated to others. Data linkage may create a
vulnerability if it is not properly configured and may allow
unauthorized data access or manipulation
Malware protection
not installed or up to
date
Installation of malicious software, or malware, is a common attack.
Malware protection software, such as antivirus software, must be kept
current in a very dynamic environment. Outdated malware protection
software and definitions leave the system open to new malware
threats.
16. Identifying Possible hazards and Vulnerable points
Vulnerability Description
Denial of service (DoS) ICS software could be vulnerable to DoS attacks, resulting in the
prevention of authorized access to a system resource or delaying
system operations and functions.
Logs not maintained Without proper and accurate logs, it might be impossible to determine
what caused a security event to occur
Unauthorized
personnel have
Physical access to ICS equipment should be restricted to only the
necessary personnel, taking into account safety requirements, such aspersonnel have
physical access to
equipment
necessary personnel, taking into account safety requirements, such as
emergency shutdown or restarts. Improper access to ICS equipment
can lead to any of the following:
Physical theft of data and hardware
Physical damage or destruction of data and hardware
Unauthorized changes to the functional environment (e.g., data
connections, unauthorized use of removable media, adding/removing
resources)
Disconnection of physical data links
Undetectable interception of data (keystroke and other input
logging)
17. Identifying Possible hazards and Vulnerable points
Vulnerability Description
Radio frequency,
electromagnetic pulse
(EMP), static discharge,
brownouts and voltage
spikes
The hardware used for control systems is vulnerable to radio frequency
and electro-magnetic pulses (EMP), static discharge, brownouts and
voltage spikes.. The impact can range from temporary disruption of
command and control to permanent damage to circuit boards. Proper
shielding, grounding, power conditioning, and/or surge suppression is
recommended
Lack of backup power Without backup power to critical assets, a general loss of power will
shut down the ICS and could create an unsafe situation. Loss of power
could also lead to insecure default settings.could also lead to insecure default settings.
Unsecured physical
ports
Unsecured universal serial bus (USB) and PS/2 ports could allow
unauthorized connection of thumb drives, keystroke loggers, etc.
Inadequate
authentication,
privileges, and access
control in software
Unauthorized access to configuration and programming software could
provide the ability to corrupt a device.
Firewalls nonexistent
or improperly
configured
A lack of properly configured firewalls could permit unnecessary data
to pass between networks, such as control and corporate networks,
allowing attacks and malware to spread between networks, making
sensitive data susceptible to monitoring/eavesdropping, and providing
individuals with unauthorized access to systems
18. Security means access control
To secure the ICS network we must
•Control data flow and access
Between each two layers
•Control direct access to the hardware•Control direct access to the hardware
In the control network layer We need
Control
Who and
What will
Pass through
But how ? Also we
must
control
who gets
access
19. Security means access control
•What is a Firewall?
•Types of Firewalls
•Classes of Firewalls
•Overall Security Goals of ICS network Firewalls
Firewalls
•Overall Security Goals of ICS network Firewalls
•Common ICS network Segregation Architectures
20. Security means access control
•What is a Firewall?
Firewalls
A firewall is a mechanism used to control and monitor traffic to and from a network
for the purpose of protecting devices on the network. It compares the traffic passing
through it to a predefined security criteria or policy, discarding messages that do not
meet the policy’smeet the policy’s
21. Security means access control
•Types of Firewalls
Firewalls
A firewall can come in many different designs and configurations
1. It can be a separate hardware device
physically connected to a network
(such as the Cisco ASA® or
the Symantec Security Gateway® firewalls)
2. a completely host-based software solution
installed directly on the workstation
to be protected
(such as Norton Personal Firewall® or Sygate Personal Firewall®).
22. Security means access control
•Classes of Firewalls
Firewalls
•Packet Filter Firewalls
•Stateful Firewalls
•Application Proxy Firewalls
•Deep Packet Inspection Firewalls
As an Automation engineer all you need to know
Network traffic is sent in discrete groups of bits, called a packet. Each packet
typically contains a number of separate pieces of information, including (but
not limited to) items such as the:
• Sender's identity (Source Address).
• Recipient's identity (Destination Address).
• Service to which the packet pertains (Port Number).
• Network operation and status flags.
• Actual payload of data to be delivered to the service.
A firewall, determines what action to take with the packet, These decisions are
based on a series of rules commonly referred to as Access Control Lists (ACLs).
As an Automation engineer all you need to know
23. Security means access control
Firewalls
•Overall Security Goals of ICS network Firewalls
Ideally, a process control or SCADA network would be a closed system, accessible only
by trusted internal components such as the Human Machine Interface (HMI) stations
and data historians.
But
the need for external access from both corporate users and selected 3rd parties
exists
•production and maintenance management information needs to be relayed to
computers and users outside of the plant floor for management purposes
•vendors may need to access controllers for support purposes. Implicitly this means
that some network paths exist from the outside
24. Security means access control
Firewalls
•Overall Security Goals of ICS network Firewalls
The goal of the firewall, simply stated, is to minimize the risk of unauthorized access
(or network traffic) to internal components on the ICS systems. Such a risk
minimization strategy will typically include the following general objectives.
1. No direct connections from the Internet to the PCN/SCADA network and viceversa.1. No direct connections from the Internet to the PCN/SCADA network and viceversa.
2. Restricted access from the enterprise network to the control network.
3. Unrestricted (but only authorized) access from the enterprise network to shared
PCN/enterprise servers
4. Secure methods for authorized remote support of control systems.
5. Secure connectivity for wireless devices (if used).
6. Monitoring of traffic attempting to enter and on the PCN.
25. Security means access control
Firewalls
•Common ICS network Segregation Architectures.
1. Dual-Homed Computers .
2. Dual-Homed Server with Personal Firewall Software .
3. Packet Filtering Router/Layer-3 Switch between PCN and EN.3. Packet Filtering Router/Layer-3 Switch between PCN and EN.
4. Two-Port Firewall between PCN and EN.
5. Router/Firewall Combination between PCN and EN .
6. Firewall with Demilitarized Zones between PCN and EN .
7. Paired Firewalls between PCN and EN .
26. Common ICS network Segregation Architectures
1.Dual-Homed Computers.
Observations •A computer without proper security controls could pose additional threats
•All connections between the control network and the corporate network
should be through a firewall. This configuration provides no security
improvement and should not be used to bridge networks (e.g., ICS and
corporate networks).
27. Common ICS network Segregation Architectures
2.Dual-Homed Server with Personal Firewall Software .
Observations •The first issue with this solution is that it will only provide a mechanism to
allow the sharing of server data. If there is any other traffic that needs to
traverse the PCN to EN boundary (such as remote maintenance access to a
controller) then this architecture will either completely block that traffic or
leave the PCN poorly secured.
28. Common ICS network Segregation Architectures
3. Packet Filtering Router/Layer-3 Switch between PCN and EN.
Observations •This type of packet filter design is only secure if the enterprise network is
known to be highly secure in its own right and is not generally subject to
attacks.
29. Common ICS network Segregation Architectures
4.Two-Port Firewall between PCN and EN.
30. Common ICS network Segregation Architectures
4.Two-Port Firewall between PCN and EN.
Observations •this communication occurs at the application layer as Structured Query
Language (SQL) or Hypertext Transfer Protocol (HTTP) requests. Flaws in the
historian’s application layer code could result in a compromised historian
•if HTTP packets are allowed through the firewall, then Trojan horse
software accidentally introduced on an HMI or control network laptop could
be controlled by a remote entity and send data .
•while this architecture is a significant improvement over a non-segregated
network, it requires the use of firewall rules that allow direct
communications between the corporate network and control network
devices. This can result in possible security breaches if not very carefully
designed and monitored
31. Common ICS network Segregation Architectures
5.Router/Firewall Combination between PCN and EN .
32. Common ICS network Segregation Architectures
5.Router/Firewall Combination between PCN and EN .
Observations •The use of a router/firewall combination. The router sits in front of the
firewall and offers basic packet filtering services, while the firewall handles
the more complex issues using either stateful inspection or proxy
techniques. This type of design is very popular in Internet-facing firewalls
because it allows the faster router to handle the bulk of the incoming
packets, especially in the case of DoS attacks, and reduces the load on the
firewall. It also offers improved defense-in-depth because there are two
different devices an adversary must bypassdifferent devices an adversary must bypass
33. Common ICS network Segregation Architectures
6.Firewall with Demilitarized Zones between PCN and EN .
34. Common ICS network Segregation Architectures
6.Firewall with Demilitarized Zones between PCN and EN .
Observations •By placing corporate-accessible components in the DMZ, no direct
communication paths are required from the corporate network to the
control network; each path effectively ends in the DMZ. Most firewalls can
allow for multiple DMZs, and can specify what type of traffic may be
forwarded between zones.
•If a patch management server, an antivirus server, or other security server
is to be used for the control network, it should be located directly on theis to be used for the control network, it should be located directly on the
DMZ. Both functions could reside on a single server. Having patch
management and antivirus management
•The primary security risk in this type of architecture is that if a computer in
the DMZ is compromised, then it can be used to launch an attack against
the control network via application traffic permitted from the DMZ to the
control network
35. Common ICS network Segregation Architectures
7.Paired Firewalls between PCN and EN .
36. Common ICS network Segregation Architectures
7.Paired Firewalls between PCN and EN .
Observations •If firewalls from two different manufacturers are used, then this solution
may offer a “defence in depth” advantage. It also allows process control
groups and the IT groups to have clearly separated device responsibility
since each can manage a firewall on its own. In fact it is the study team’s
understanding that this design is recommended in the Federal Energy
Regulatory Commission (FERC) Proposal for Security Standards for this
reason
38. Industrial Control Systems cyber Security
references
1. "NRC Information Notice 2003-14: Potential Vulnerability of Plant Computer
Network to Worm Infection", United States Nuclear Regulatory Commission,
Washington, DC, August 29, 2003
2. “Process Control Network Reference Architecture v 1.0”, Invensys Inc., January
2004, pg. 2, 5
3. “Experion PKS Network and Security Planning Guide EP-DSX173, Release 210”,
Honeywell Limited Australia, October 2004
4. “Presentation: Securing SIMATIC PCS7 and SIMATIC IT in Networks”, Siemens,
2003
39. Industrial Control Systems cyber Security
Prepared by: Ahmed Shitta
Automation Section Head at Egyptian Projects Operation and
Maintenance (EPROM)
Email: ahmedshitta@gmail.com