Post on 31-Aug-2021
Cyber Security ISA 99 / IEC 62443: Where Policy Meets Technology
City Next 2017
Presenter: Mayur Mehta, Manager - ICS security, PwC
My Professional Journey
• Over 9.5 years of experience in the ICS/SCADA domain and an expert in determining threats and risk exposure on ICS products & plants, Interoperability and FAT test.
• Currently an ICS/SCADA Risk Assessor with the Cyber Security practice of a Big 4 Advisory function, based in Bengaluru.
• Member of the ISA99/IEC62443 standards committee and leading the ISA99 standard in the ISA Bangalore chapter.
• Certified “Global Industrial Cyber Security Professional” (GICSP) from GIAC. Certified Scrum Master (CSM), CTFL (ISTQB), Security+ (Cybrary), OPSEC (ICS CERT), ATD (Advanced threat detection in ICS/SCADA - Concise courses).
• Experience includes leading projects on Vulnerability analysis and penetration testing, Secure Conduit design, Risk framework development and assessment, and cyber reviews based on industry standards such as NERC-CIP, NIST800-82, IEC62443, NCIIPC, ISO2700x, SANS Top20 Critical Control and OWASP Top10.
• Have also worked with Schneider Electric and SIEMENS.
• M.Tech from “BITS Pilani” in Software Systems (Networks and Networked Systems).
• B.E. from “JNCT/RGPV Bhopal” in “Electronics and Communications Engineering”.
CIA triad
• CIA or AIC triad
  - Availability: systems are available and operational when needed
  - Integrity: data is consistent, accurate and trustworthy
  - Confidentiality: protection against disclosure to unauthorized individuals
• OT has two more requirements
  - Reliability: the system performs its intended functions
  - Safety: physical and environmental safety is ensured
Why are we here
Source: ICS CERT (share of reported incidents by sector)
• Chemical: 1%
• Commercial Facilities: 1%
• Communications: 4%
• Critical Manufacturing: 33%
• Dams: 2%
• Defense: 1%
• Energy: 16%
• Nuclear Reactors: 2%
• Financial: …
• Food & Agriculture: 1%
• Government Facilities: 6%
• Healthcare: 5%
• Information Technology: 2%
• Transportation: 8%
• Water: 8%
• Unknown: 9%
Top10 ICS Cyber Threats
1. Social Engineering and Phishing (3)
2. Infiltration of Malware via Removable Media and External Hardware (2)
3. Malware Infection via Internet and Intranet (1)
4. Intrusion via Remote Access (5)
5. Human Error and Sabotage (4)
6. Control Components Connected to the Internet (6)
7. Technical Malfunctions and Force Majeure (7)
8. Compromising of Extranet and Cloud Components (9)
9. (D)DoS Attacks (10)
10. Compromising of Smartphones in the Production Environment (8)
Source: BSI Publications on Cyber-Security report
Case#1: WannaCry
Step 1: 12 May 2017: WannaCry ransomware infections surge
• Preliminary analysis identifies a self-propagating exploit
• Targets MS17-010, SMBv1 critical vulnerability (Shadow Brokers)
Step 2: Initial infection vector is unknown
• Once on a host, the malware launches a process to:
  • Scan for TCP port 445 (SMB)
  • If an open port is identified, an exploit is attempted
  • Exploit modelled after ‘EternalBlue’
  • Malware also drops the implant ‘DoublePulsar’
Step 3: WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made within seven days, the encrypted files will be deleted.
Step 4: It also drops a file named ! Please Read Me!.txt which contains text explaining what has happened and how to pay the ransom.
Step 5: WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name
Step 6: It propagates to other computers by exploiting a known SMBv2 remote code execution vulnerability in Microsoft Windows computers: MS17-010
Case#1: WannaCry: Need for Timely Patch Management

Common starting point:
1. Vulnerability identification and patch development
2. Patch release by OS vendor

Black hat actions (~ < 30 days):
3. Download of patch and reverse engineering for vulnerability identification
4. Exploit development
5. Testing and deployment of exploit
6. Successful attack

ICS community actions (~ > 150 days):
3. Testing of patch with applications by ICS vendors
4. Publishing of patches for applications or approval for OS patch
5. Asset owner downloads and tests the patch in a test environment
6. Patch deployment in downtime
7. Protection from cyber attack

Hackers are one step ahead in the game of security. Organizations need to work together to reduce the response time.
Case#1: WannaCry
Countermeasures in the event of an attack
• Isolate the system from the network to counter any spread of the ransomware.
• Decryption is not available now.
• Format the system if needed.
• Block 445 on AD, if that’s feasible.

Domains/Remote IPs (Firewalls/IPS/IDS/Proxy)
-- www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, 57g7spgrzlojinas.onion, 76jdd2ir2embyv47.onion, cwwnhwhlz52maqm7.onion, gx7ekbenv2riucmf.onion, sqjolphimrr7jqw6.onion, xxlvbrloxvriy2c5.onion
-- 128.31.0.39, 144.76.92.176, 148.244.38.101, 149.202.160.69, 163.172.149.155, 171.25.193.9, 195.22.26.248, 197.231.221.221, 198.96.155.3, 213.61.66.117, 46.101.142.174, 46.101.166.19, 62.210.124.124, 91.121.65.179, 91.219.237.229
-- www.bancomer.com.mx, graficagbin.com.br, dyc5m6xx36kxj.net, gurj5i6cvyi.net, bcbnprjwry2.net, bqmvdaew.net, sxdcmua5ae7saa2.net, rbacrbyq2czpwnl5.net, ow24dxhmuhwx6uj.net, fa3e7yyp7slwb2.com, wwld4ztvwurz4.com, bqkv73uv72t.com, xanznp2kq.com, chy4j2eqieccuk.com, lkry2vwbd.com, ju2ymymh4zlsk.com, 43bwabxrduicndiocpo.net, sdhjjekfp4k.com, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

File hash values (AV/sandboxing tool): available, can be shared offline (SHA-256, MD5). Put a filter on the email gateway/end-point to detect the following hash values.

Antivirus signatures: put a filter on the AV for the detection of the following signatures
• Ransom.CryptXXX
• Trojan.Gen.8!Cloud
• Trojan.Gen.2
• Ransom.Wannacry
AV signatures to be updated with the latest definitions (DAT).
Need to have a strong incident response and DR plan.

Communications were observed to the below IP addresses from the compromised systems
• 197[.]231[.]221[.]211
• 128[.]31[.]0[.]39:9191
• 149[.]202[.]160[.]69
• 46[.]101[.]166[.]19
• 91[.]121[.]65[.]179
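The indicator lists above are published partly defanged (`197[.]231[.]221[.]211`, one with a `:9191` port), so they cannot be dropped into a filter as-is. The following is an added example, not part of the original deck or of PwC's tooling: it refangs the slide's indicators, sorts them into IPs and domains, matches them against firewall/proxy log lines, and separately flags hosts that fan out on TCP 445 the way Step 2 describes. The `src=`/`dst=`/`dst_host=`/`dst_port=` log format and every log line are constructed for the example.

```python
"""Added example (not from the deck): refang the slide's WannaCry indicators,
match them against sample firewall/proxy log lines, and flag SMB scanning."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Indicators copied from the slide; some are defanged with [.] and one carries a port.
RAW_INDICATORS = [
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "57g7spgrzlojinas.onion", "76jdd2ir2embyv47.onion",
    "128.31.0.39", "144.76.92.176", "197.231.221.221",
    "197[.]231[.]221[.]211", "128[.]31[.]0[.]39:9191",
    "149[.]202[.]160[.]69", "46[.]101[.]166[.]19", "91[.]121[.]65[.]179",
]

# Constructed log lines in an assumed key=value format (not real traffic).
LOG_LINES = [
    "2017-05-12T10:01:02Z proxy src=10.20.1.15 dst_host=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com dst_port=80 action=allow",
    "2017-05-12T10:01:09Z fw src=10.20.1.15 dst=197.231.221.211 dst_port=443 action=allow",
    "2017-05-12T10:01:20Z fw src=10.20.1.15 dst=10.20.1.21 dst_port=445 action=allow",
    "2017-05-12T10:01:21Z fw src=10.20.1.15 dst=10.20.1.22 dst_port=445 action=allow",
    "2017-05-12T10:01:22Z fw src=10.20.1.15 dst=10.20.1.23 dst_port=445 action=deny",
    "2017-05-12T10:01:23Z fw src=10.20.1.15 dst=10.20.1.24 dst_port=445 action=deny",
    "2017-05-12T10:02:00Z fw src=10.20.1.40 dst=10.20.1.41 dst_port=445 action=allow",
    "2017-05-12T10:03:30Z proxy src=10.20.1.16 dst_host=updates.example.com dst_port=443 action=allow",
]

LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+(?:dst_host=(?P<host>\S+)|dst=(?P<ip>\S+))\s+dst_port=(?P<port>\d+)"
)


@dataclass
class IocSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def refang(ioc: str) -> str:
    """Undo the usual defanging so the indicator compares equal to what logs contain."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_indicators(raw) -> IocSet:
    """Sort indicators into IPs and domains; drop any port and a leading 'www.'."""
    iocs = IocSet()
    for item in raw:
        host, _sep, _port = refang(item).partition(":")
        try:
            ipaddress.ip_address(host)
            iocs.ips.add(host)
        except ValueError:
            iocs.domains.add(host.removeprefix("www."))
    return iocs


def scan_logs(lines, iocs: IocSet):
    """Return (line_no, src, indicator) for every line whose destination is a known IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        if m.group("ip") and m.group("ip") in iocs.ips:
            hits.append((n, m.group("src"), m.group("ip")))
        elif m.group("host"):
            host = m.group("host").lower().removeprefix("www.")
            if host in iocs.domains:
                hits.append((n, m.group("src"), host))
    return hits


def smb_fanout(lines, threshold: int):
    """Sources that contacted at least `threshold` distinct hosts on TCP 445 (Step 2 scanning).
    Denied connections count too: a scanning host is interesting whether or not the firewall let it through."""
    targets = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("port") == "445" and m.group("ip"):
            targets[m.group("src")].add(m.group("ip"))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    iocs = load_indicators(RAW_INDICATORS)
    for n, src, ioc in scan_logs(LOG_LINES, iocs):
        print(f"line {n}: {src} reached known WannaCry indicator {ioc}")
    for src, count in smb_fanout(LOG_LINES, 3).items():
        print(f"{src} touched {count} hosts on TCP 445: possible SMB worm scanning")
```

On the sample input, host 10.20.1.15 is reported twice for IoC contact and once for SMB fan-out, which is the triage order a responder wants: the IoC hit identifies the infected machine, the fan-out shows it is already propagating, and both point at the isolation step listed first above. Note that the slide lists the `iuqerfsodp9...` domain among the domains to block, but a proxy hit on it is also the single most reliable sign of an infected host, so log and alert on it rather than silently dropping the request.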
Case#2: STUXNET
A sophisticated attack destroyed up to 1,000 uranium enrichment centrifuges at a high-security Iranian nuclear facility.
Multi-stage attack:
• Social engineering techniques used to penetrate plant defenses
• Replicated worm in PCs and infected LAN
• PLCs located; looked for centrifuges
• Once located, spun them up to eventually fail
• Masked control room monitors
Key security compromises: Integrity & Availability
Threat category (Top 10 ICS threat #2): Infiltration of Malware via Removable Media and External Hardware
Source: Symantec
ISA 99 / IEC 62443

Few ICS Security Standards
• ISA 99 / IEC 62443
• NIST 800-82
• ENISA
• ISO 27001/2
• ICS-CERT
• NERC
History of ISA99 / IEC62443
• ISA/IEC 62443 is a series of standards being developed by two groups:
– ISA99 ANSI/ISA-62443
– IEC TC65/WG10 IEC 62443
• In consultation with:
– ISO/IEC JTC1/SC27 ISO/IEC 2700x
• International in scope
• Requirement contributions come from other standards such as NERC-CIP and NIST
• Flexible framework which serves as a basis for country and local standards as well as manufacturing guidelines.
ISA 99 / IEC 62443 Standards
The first (top) category, General, includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
• 1.1 Terminology, concepts and models
• 1.2 Master glossary of terms and abbreviations
• 1.3 System security compliance metrics
• 1.4 IACS security lifecycle/use cases

The second category, Policies & Procedures, targets the Asset Owner. These work products address various aspects of creating and maintaining an effective IACS security program.
• 2.1 Requirements for IACS security management system
• 2.2 Implementation guidance for security system management
• 2.3 Patch management in the IACS environment
• 2.4 Installation and maintenance requirements

The third category, System, includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
• 3.1 Security technologies for IACS
• 3.2 Security assurance levels for zones and conduits
• 3.3 System security requirements and security levels

The fourth category, Components, includes work products that describe the specific product development and secure technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.
• 4.1 Product development requirements
• 4.2 Technical security requirements for IACS components

The ISA99/IEC-62443 standard is a family of standards with a large scope of use for ICS / OT / SCADA environments. Some guidelines are rather general, while others are precise, specific and focussed. Many of those guidelines are still in the process of being defined or upgraded.
A holistic security concept is context dependent
Onsite roles:
• System Integrator (designs and deploys): Secure architecture design, zones and conduits; Basic Process Control System (BPCS) assessment and design; Safety Instrumented System (SIS) review and design; Complementary HW/SW implementation; Automation solution deployment; CSAT.
• Asset Owner (operates and maintains): Operational policies and procedures review and creation, and risk management; Maintenance policies and procedures, patch and vendor management.
• Service Provider: supports the Industrial Automation and Control System (IACS) in operation and maintenance.
ISA99 references shown for the onsite roles: 2-1, 2-3, 2-4, 3-2, 3-3.
Offsite role:
• Product Supplier (develops control systems, vendor scope): Secure product and system development; CFAT.
ISA99 references shown for the product supplier: 4-1, 4-2, 3-3.
Zones and Conduits
Levels, top to bottom:
• Level 5, Management level: Enterprise Resource Planning, IT & Mobile devices
• Level 4, IT-OT separation zone (DMZ): Mirror Historian, Patch Mgmt, AV Server
• Level 3, Plant management level: Engineering station, Historian, OPC
• Level 2, Operation level: SCADA/DCS, Operators, HMIs
• Level 1, Control level: PLC/Controllers/LHMIs
• Level 0, Field level: Sensors, Pre-Actuators & Actuators
Security controls placed on the diagram:
• Between the enterprise and the DMZ: Unidirectional gateway/Data Diode, Network monitoring, Log management & Auditing
• Between zones: Next-gen Firewalls
• Plant management and operation levels: System Hardening, Active Directory (AD), App whitelisting, Secure design implementation, Patch Management, Configuration management, Password Management, Change Management, Backup & Restoration and User-specific access control
• Control level: Harden automation controllers, Disable unwanted ports
• Field level: Harden automation field devices, CCTVs, physical protection
• Management level: Harden handheld devices and Database servers
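A zone/conduit design is only useful if someone checks the proposed conduits against the rules the zoning implies. The following is an added example, not from the deck and not a transcription of IEC 62443-3-2: it encodes the level model above (Level 0 field up to Level 5 management, with the IT-OT separation zone as Level 4) and four rules a reviewer would typically apply, all of which are assumptions for the example: cross-boundary traffic terminates in the DMZ, conduits join adjacent levels only, only allow-listed services initiate from the DMZ into OT (the allow-list names are made up), no SMB toward the operation/control/field levels (the "Block 445" point from the WannaCry slide), and OT-to-DMZ exports use a unidirectional gateway. The proposed conduit list is constructed.

```python
"""Added example (not from the deck): a small zone/conduit policy check for the
level model on the slide. Rules, allow-list and conduits are assumptions."""
from dataclasses import dataclass

# Zone name -> level, as drawn on the slide.
ZONES = {
    "field": 0,        # sensors, pre-actuators & actuators
    "control": 1,      # PLCs / controllers, local HMIs
    "operations": 2,   # SCADA/DCS, operator HMIs
    "plant_mgmt": 3,   # engineering station, historian, OPC
    "dmz": 4,          # IT-OT separation zone: mirror historian, patch mgmt, AV server
    "enterprise": 5,   # ERP, IT & mobile devices
}
OT_TOP_LEVEL = 3  # assumption: levels 0-3 are OT; the DMZ sits between OT and enterprise

# Assumption: only the services the slide places in the DMZ may initiate into OT.
DMZ_TO_OT_ALLOWED = {"patch-distribution", "av-update"}


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocol: str
    unidirectional: bool = False   # data diode / one-way gateway


def check_conduit(c: Conduit) -> list:
    """Return the rule violations for one conduit (an empty list means acceptable)."""
    s, d = ZONES[c.src], ZONES[c.dst]
    src_ot, dst_ot = s <= OT_TOP_LEVEL, d <= OT_TOP_LEVEL
    problems = []
    # Rule 1: IT/OT traffic terminates in the DMZ; no direct enterprise-to-OT conduit.
    if src_ot != dst_ot and "dmz" not in (c.src, c.dst):
        problems.append("crosses the IT/OT boundary without terminating in the DMZ")
    # Rule 2: conduits join adjacent levels only; skipping a level bypasses its controls.
    if abs(s - d) > 1:
        problems.append(f"skips a level ({c.src} L{s} -> {c.dst} L{d})")
    # Rule 3: anything initiated from the DMZ into OT must be on the allow list.
    if c.src == "dmz" and dst_ot and c.protocol not in DMZ_TO_OT_ALLOWED:
        problems.append(f"inbound {c.protocol} from the DMZ into OT is not allow-listed")
    # Rule 4: no SMB (TCP 445) toward the operation/control/field levels ("Block 445").
    if c.protocol == "smb" and d <= 2:
        problems.append("SMB into the control network; block TCP 445")
    # Rule 5: data leaving OT for the DMZ (e.g. historian mirror) should be one-way.
    if src_ot and not dst_ot and not c.unidirectional:
        problems.append("OT-to-DMZ export is bidirectional; use a unidirectional gateway/data diode")
    return problems


def audit(conduits):
    """Return [(conduit, problems)] for every conduit that violates at least one rule."""
    report = []
    for c in conduits:
        problems = check_conduit(c)
        if problems:
            report.append((c, problems))
    return report


# Constructed design under review.
PROPOSED = [
    Conduit("enterprise", "plant_mgmt", "sql"),   # ERP reads the plant historian directly
    Conduit("plant_mgmt", "dmz", "historian-replication", unidirectional=True),  # mirror via data diode
    Conduit("dmz", "plant_mgmt", "patch-distribution"),   # patch server pushes into OT
    Conduit("dmz", "operations", "smb"),          # file share straight into the operator network
    Conduit("operations", "control", "modbus"),   # SCADA polls the PLCs
    Conduit("operations", "field", "modbus"),     # SCADA bypasses the PLC to reach field devices
]

if __name__ == "__main__":
    for c, problems in audit(PROPOSED):
        print(f"{c.src} -> {c.dst} ({c.protocol}):")
        for p in problems:
            print("   -", p)
```

Three of the six proposed conduits fail: the direct ERP-to-historian link (the case the mirror historian in the DMZ exists to avoid), the SMB share into the operator network, and the SCADA-to-field link that bypasses the controllers. The rules are deliberately small and explicit so that each finding maps back to one design principle on the slide; in a real review the allow-list and the level boundaries come from the site's own zone definitions and target security levels, not from constants in a script.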
Need of the hour
Governance
• OT Security Governance
• OT planning & Project
• Audit of the important security processes
• OT Cyber Security Team
Ensure proactive implementation of appropriate OT security controls to support security’s mission in a cost-effective manner while managing evolving OT security risks.
Operations
• Vulnerability and patch management
• Security incident management
• OT Physical Controls Area Security
Continuously monitor the performance of systems to ensure that it is consistent with agreed security requirements, and that needed system modifications are incorporated.
Infrastructure
• OT Security Infrastructure – System Architecture Review
• Vulnerability assessment and penetration testing
• End user environment audit
Ensure a safe setup of infrastructure by implementing appropriate security controls following a defence-in-depth design concept in the network infrastructure.
Lots to be done by vendors
Secure by design approach (SDL):
• ISA99 Standard
• ICS Security Levels
• Identify product level in ICS layer
• Security requirement
• Secure feature implementation
• Security test plan
• Security test cases
• SL based test cases
ISA/IEC 62443 Cybersecurity Certification Programs
• Certificate 1: ISA/IEC 62443 Cybersecurity Fundamentals Specialist
• Certificate 2: ISA/IEC 62443 Cybersecurity Risk Assessment Specialist
• Certificate 3: ISA/IEC 62443 Cybersecurity Design Specialist
• Certificate 4: ISA/IEC 62443 Cybersecurity Maintenance Specialist
• ISA/IEC 62443 Cybersecurity Expert: Individuals who achieve Certificates 1, 2, 3, and 4
• Certificate Steps:
  – Complete a designated training program
  – Pass a multiple choice exam through the Prometric testing center
Q&A