Industrial Control Systems: A Primer for the Rest of Us

www.isaca.org/cyber

Abstract

In the current turbulent landscape of cybersecurity for industrial control systems (ICS), system owners struggle to protect systems that were never intended to be interconnected. This white paper presents a balanced, informed primer for cybersecurity practitioners, C-level executives and vendors. It scopes the threat environment, presents similarities and discusses special considerations for ICS to provide an overview of the concepts and issues related to these systems.

© 2015 ISACA. All Rights Reserved.


INTRODUCTION

The current landscape for cybersecurity of industrial control systems (ICS) is best described as turbulent, as system owners struggle to protect systems that were never intended to be interconnected. The systems have long existed in many industrial and manufacturing settings, but were traditionally isolated. Technological advances and convergence with traditional information and communications technology (ICT) necessitate unparalleled security for the critical services they provide. Headline stories such as those about Stuxnet, Duqu and Flame revealed certain fallibilities surrounding ICS and serve as constant reminders for vigilance about vulnerabilities and attack vectors. ICS security incidents have become more frequent and attack vectors have expanded in the brief period since Stuxnet's 2010 discovery by antivirus vendor VirusBlokAda.[1]

Stuxnet caught many off-guard and created a tremendous demand for engineering expertise.[2] Thirty minutes of searching in one's favorite browser makes it clear that disagreement between the ICS and IT cybersecurity camps is as plentiful as malware traversing the Internet. Despite high-profile incidents, governmental involvement and an increase in information sharing, barriers still exist today. These barriers hinder significant advances in ICS cybersecurity, especially in converged environments.

This white paper was researched and written to present a balanced, informed primer for cybersecurity practitioners, C-level executives and vendors alike. It scopes the threat environment, presents similarities and, where appropriate, discusses special considerations for ICS. Significant effort was made to limit use of the word "differences" when discussing cybersecurity considerations for an ICS vs. a traditional IT infrastructure. This decision not to focus on the dissimilar levels of maturity between the two arises from the recognition that it was not that long ago that modern-day IT networks were new themselves; the first dot-com top-level domain was registered on 15 March 1985, a mere three decades ago.[3] Cybersecurity professionals across the globe, regardless of industry, are in the daunting position of consistently having to play defense. Research reveals massive quantities of educational material and discussion in the form of blogs, books, standards and publications, not unlike the mountain of knowledge surrounding IT. Many dedicated individuals selflessly contribute to tasks aimed at advancing the security posture of critical infrastructure. Is it enough? No. Even modern IT networks that employ the most sophisticated of controls are compromised. Is all the media attention afforded to breaches and vulnerabilities just hype? Doubtful, yet media coverage can excite emotions already known to influence consumer behavior.[4]

Budgets are continually manipulated to accomplish more with less. It was not too long ago that businesses struggled to spend money just to introduce technology, yet in 2015 global cybersecurity spending is forecast to exceed US $79 billion.[5] Technology has undoubtedly positively affected business earnings. Similarly, many are getting rich in what could be described as an arms race to fight a losing battle.

[1] Kaspersky, Eugene; "The Man Who Found Stuxnet: Sergey Ulasen in the Spotlight," Nota Bene, 2 November 2011, http://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/
[2] Roberts, Paul; "Security Firms Scramble for SCADA Talent after Stuxnet," Threatpost, 8 October 2010, http://threatpost.com/security-firms-scramble-scada-talent-after-stuxnet-100710/74562
[3] Abell, John C.; "March 15, 1985: Dot-com Revolution Starts With a Whimper," Wired, 15 March 2010, www.wired.com/2010/03/0315-symbolics-first-dotcom/
[4] Murray, Peter Noel; "How Emotions Influence What We Buy," Psychology Today, 26 February 2013, www.psychologytoday.com/blog/inside-the-consumer-mind/201302/how-emotions-influence-what-we-buy
[5] Kovacs, Eduard; "Global Cybersecurity Spending to Reach $76.9 Billion in 2015: Gartner," SecurityWeek, 25 August 2014, www.securityweek.com/global-cybersecurity-spending-reach-769-billion-2015-gartner


Defining Industrial Control Systems

The term industrial control system, hereafter noted as ICS (the same acronym is traditionally used for the singular system and the plural systems), is understood to be those systems that reside in industrial and manufacturing environments, i.e., electricity, water and energy production. However, ICS encompass far more. It was not until the early 21st century that attempts were made to standardize language and terms such as process control systems (PCS), distributed control systems (DCS), and supervisory control and data acquisition (SCADA) systems. Before that, the terms were used interchangeably.[6] Occasionally, one may find references to industrial automation or industrial automation and control systems (IACS), especially in older articles.

In 2008, the US National Institute of Standards and Technology (NIST) released Special Publication 800-82, Guide to Industrial Control Systems (ICS) Security, which defined ICS as "a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as skid-mounted Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures."[7]

The European Union Agency for Network and Information Security (ENISA) describes ICS as those systems "used to control industrial processes such as manufacturing, product handling, production, and distribution."[8]

Comprehending the breadth of systems inferred by ICS requires looking past both definitions, especially by those who live or work outside the US or are unfamiliar with the subject matter. Within the US, the term industrial sector encompasses manufacturing, agriculture, mining and construction.[9] Dr. Michael Chipley's definition may be more descriptive of the array of systems that can fall under the ICS title: "physical equipment oriented technologies and systems that deal with the actual running of plants and equipment, include devices that ensure physical system integrity and meet technical constraints, and are event-driven and frequently real-time software applications or devices with embedded software."[10] This elaboration supports the proper characterization of ICS to include building automation systems (BAS) that may otherwise be overlooked by those unfamiliar with types of DCS. BAS monitor and control the environment in commercial, industrial and institutional facilities.[11]

Definitions can unnecessarily constrain thinking, reinforcing the importance of embracing the categorization of ICS as an operational technology (OT), which Gartner defines as "hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise."[12] Information technology (IT), on the other hand, is defined as "the hardware, software, communication and other facilities used to input, store, process, transmit and output data in whatever form."[13] This high-level distinction may be core to the varying thoughts with regard to securing the two.

[6] Macaulay, Tyson; Bryan L. Singer; Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS, CRC Press, USA, 2012
[7] Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011
[8] Pauna, Adrian; Konstantinos Moulinos; Matina Lakka; Dr. John May; Dr. Theo Tryfonas; "Can we learn from SCADA security incidents?," ENISA, 9 October 2013, http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-infrastructure-and-services/scada-industrial-control-systems/can-we-learn-from-scada-security-incidents
[9] TeachMeFinance.com, www.teachmefinance.com/Scientific_Terms/Industrial_sector.html
[10] Chipley, Michael; "Cybersecurity," Whole Building Design Guide, 23 October 2014, www.wbdg.org/resources/cybersecurity.php
[11] "Understanding Building Automation and Control Systems," KMC Controls, www.kmccontrols.com/products/Understanding_Building_Automation_and_Control_Systems.aspx
[12] IT Glossary, Gartner, www.gartner.com/it-glossary/operational-technology-ot
[13] Glossary, ISACA, www.isaca.org/glossary


Demystifying the ICS

Architecture

An ICS contains multiple components that span two broad categories: control and network. Components may appear in multiple systems or may be unique to just one type. The major components in both categories are listed and defined in figure 1. These definitions are from NIST Special Publication 800-82, a source document that is broadly accepted within the industry.

Figure 1: ICS Components[14]

Control Components

Control server: The control server hosts the DCS or PLC supervisory control software that communicates with lower-level control devices. It accesses subordinate control modules over an ICS network.

SCADA server or master terminal unit (MTU): This is a device that acts as the master in a SCADA system. Remote terminal units and PLC devices (described below) located at remote field sites usually act as slaves.

Remote terminal unit (RTU): Also called a remote telemetry unit, an RTU is a special-purpose data acquisition and control unit designed to support SCADA remote stations. It is a field device often equipped with wireless radio interfaces to support remote situations where wire-based communications are unavailable.

Programmable logic controller (PLC): PLCs are small industrial computers originally designed to perform the logic functions executed by electrical hardware (relays, switches and mechanical timers/counters). They have evolved into controllers with the capability of controlling complex processes, and they are used substantially in SCADA and DCS systems. Other controllers used at the field level are process controllers and RTUs; they provide the same control as PLCs, but are designed for specific control applications. In SCADA environments, PLCs are often used as field devices because they are more economical, versatile, flexible and configurable than special-purpose RTUs. Sometimes PLCs are implemented as field devices to serve as RTUs; in this case, the PLC is often referred to as an RTU.

Intelligent electronic device (IED): An IED is a smart sensor/actuator containing the intelligence required to acquire data, communicate to other devices, and perform local processing and control. It could combine an analog input sensor, analog output, low-level control capabilities, a communication system, and program memory in one device. The use of IEDs in SCADA systems and DCS allows for automatic control at the local level.

Human-machine interface (HMI): An HMI is software and hardware that allow human operators to monitor the state of a process under control, modify control settings to change the control objective, and manually override automatic control operations in the event of an emergency. It also allows a control engineer or operator to configure set points or control algorithms and parameters in the controller. The HMI displays process status information, historical information, reports and other information to operators, administrators, managers, business partners and other authorized users. The location, platform and interface may vary a great deal. For example, an HMI could be a dedicated platform in the control center, a laptop on a wireless local area network (LAN) or a browser on any system connected to the Internet.

Data historian: Information stored in this database can be accessed to support various analyses, from statistical process control to enterprise-level planning.

Input/output (IO) server: The IO server is a control component responsible for collecting, buffering and providing access to process information from control subcomponents such as PLCs, RTUs and IEDs. An IO server can reside on the control server or on a separate computer platform. IO servers are also used for interfacing third-party control components, such as an HMI and a control server.

Network Components

Fieldbus: The fieldbus network links sensors and other devices to a PLC or other controller. Use of fieldbus technologies eliminates the need for point-to-point wiring between the controller and each device. The devices communicate with the fieldbus controller using a variety of protocols. The messages sent between the sensors and the controller uniquely identify each of the sensors.

Control network: It connects the supervisory control level to lower-level control modules.

Communications router: A router is a communications device that transfers messages between two networks. Common uses for routers include connecting a LAN to a wide area network (WAN), and connecting MTUs and RTUs to a long-distance network medium for SCADA communication.

[14] Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011

The following three network components are not included in figure 1, as their definitions are undoubtedly well known to readers of this publication. However, their use in ICS may not be quite so familiar, so examples follow:

Firewalls are useful in managing ICS network segregation strategies.

Modems are often used in SCADA systems to enable long-distance serial communications between MTUs and remote field devices. They are also used in SCADA systems, DCS and PLCs for gaining remote access for operational and maintenance functions such as entering commands or modifying parameters, and for diagnostic purposes.

Remote access points: An example of the role of a remote access point is using a personal digital assistant (PDA) to access data over a LAN through a wireless access point, and using a laptop and modem connection to remotely access an ICS system.

Simply stated, ICS perform monitoring and control functions, depending on the specific implementation. Typical ICS implementations exist in the form of DCS or SCADA systems, but hybrids, containing elements of both, are found. A typical system contains multiple control loops, HMIs, and remote diagnostics and maintenance tools that have been built using network protocols on layered network architectures. The control loops can be interdependent, in that variables determined in one loop can set off another, different loop. Supervisory-level loops and lower-level loops, whose cycle times can range from fractions of a second to minutes, operate continuously over the duration of a process. The basic operation of an ICS is illustrated in figure 2.

Figure 2: Basic Operation of ICS

[Block diagram; labels: set points, control algorithms, parameter constraints; process data; controlled variables; manipulated variable; process outputs; disturbances; process inputs]

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.1. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


The key components of the operation of an ICS are defined in figure 3, again with thanks to NIST Special Publication 800-82.

Figure 3: Key Components of Operation of ICS[15]

Control loop: The control loop consists of sensors for measurement, controller hardware such as PLCs, actuators such as control valves, breakers, switches and motors, and the communication of variables. Controlled variables are transmitted to the controller from the sensors. The controller interprets the signals and generates corresponding manipulated variables, based on set points, which it transmits to the actuators. Process changes from disturbances result in new sensor signals, identifying the state of the process, to again be transmitted to the controller.

Human-machine interface (HMI): Operators and engineers use HMIs to monitor and configure set points, control algorithms, and adjust and establish parameters in the controller. The HMI also displays process status information and historical information.

Remote diagnostics and maintenance utilities: Diagnostics and maintenance utilities are used to prevent, identify and recover from abnormal operation or failures.

[15] Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013

No discussion of ICS would be complete without at least a basic understanding of the following ICS types and configurations. NIST Special Publication 800-82 is the source of these brief descriptions.
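The control loop of figure 3 and the data flow of figure 2 (set points and parameter constraints into the controller, controlled variables from the sensors, a manipulated variable to the actuator, disturbances on the process) can be exercised in a small simulation. This is an added example, not code from the white paper or from NIST SP 800-82: the tank process, the proportional control law and every constant are constructed assumptions, and the set-point bounds check is the defender's control that the "parameter constraints" label implies, rejecting an out-of-range HMI write instead of driving the process outside its envelope.

```python
"""Toy simulation of the ICS control loop of figures 2 and 3.

Added example; not code from the white paper or NIST SP 800-82. The tank
process, the proportional control law and all constants are constructed
assumptions chosen so the loop settles quickly and the numbers stay readable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ParameterConstraints:
    """Bounds the controller enforces on what it accepts and commands
    (figure 2: "set points, control algorithms, parameter constraints")."""
    set_point_min: float = 0.0
    set_point_max: float = 100.0
    valve_min: float = 0.0      # manipulated variable: valve opening in percent
    valve_max: float = 100.0


@dataclass
class Controller:
    """Lower-level controller (a PLC in the paper's terms)."""
    set_point: float
    gain: float                 # proportional control algorithm: valve = gain * error
    constraints: ParameterConstraints = field(default_factory=ParameterConstraints)
    rejected_writes: List[Tuple[str, float]] = field(default_factory=list)

    def write_set_point(self, value: float, source: str) -> bool:
        """HMI/engineering write path. A value outside the parameter
        constraints is logged and never applied, so a bad or malicious
        HMI write cannot push the process out of its safe envelope."""
        c = self.constraints
        if not (c.set_point_min <= value <= c.set_point_max):
            self.rejected_writes.append((source, value))
            return False
        self.set_point = value
        return True

    def compute(self, controlled_variable: float) -> float:
        """One controller cycle: sensor reading in, actuator command out.
        The command is clamped to the actuator's physical range."""
        error = self.set_point - controlled_variable
        valve = self.gain * error
        return max(self.constraints.valve_min, min(self.constraints.valve_max, valve))


@dataclass
class TankProcess:
    """Constructed process: the level rises with valve opening and drains
    at a constant rate (the process load); disturbances are external."""
    level: float = 0.0
    inflow_per_pct: float = 0.2   # level units gained per cycle per % valve opening
    drain: float = 5.0            # level units lost per cycle

    def step(self, valve_pct: float, disturbance: float = 0.0) -> float:
        self.level += valve_pct * self.inflow_per_pct - self.drain + disturbance
        self.level = max(0.0, self.level)   # a tank cannot hold a negative level
        return self.level


def run_loop(controller: Controller, process: TankProcess, cycles: int,
             disturbances: Optional[Dict[int, float]] = None) -> List[float]:
    """Run the lower-level loop for `cycles` steps and return the controlled
    variable after each step (what a data historian would record)."""
    disturbances = disturbances or {}
    history: List[float] = []
    for n in range(cycles):
        measured = process.level                        # sensor -> controller
        valve = controller.compute(measured)            # controller -> actuator
        process.step(valve, disturbances.get(n, 0.0))   # actuator + disturbance -> process
        history.append(process.level)
    return history


def demo() -> dict:
    """Operator sets a valid set point, then tries one outside the constraints;
    the loop then rides through a sudden draw (disturbance) at cycle 20."""
    ctl = Controller(set_point=50.0, gain=2.5)
    proc = TankProcess()
    accepted = ctl.write_set_point(60.0, "operator HMI")
    rejected = ctl.write_set_point(250.0, "operator HMI")   # outside 0..100
    history = run_loop(ctl, proc, cycles=40, disturbances={20: -15.0})
    return {
        "accepted": accepted,
        "rejected": rejected,
        "set_point": ctl.set_point,
        "dip_after_disturbance": history[20],
        "final_level": history[-1],
        "rejected_writes": ctl.rejected_writes,
    }


if __name__ == "__main__":
    # With proportional-only control and a constant drain, the level settles
    # 10 units below the 60.0 set point (steady-state offset), recovering from
    # the cycle-20 disturbance; the 250.0 write appears only in rejected_writes.
    print(demo())
```

The rejected-write log is the point a defender cares about: a historian or SIEM that records constraint violations per source sees an HMI pushing out-of-range set points long before the process does.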


Distributed Control Systems (DCS)

DCS control industrial processes within the same geographic location and are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated subsystems that are responsible for controlling the details of a localized process. DCS are used extensively in process-based industries. They distribute control components, unlike SCADA systems, which are centralized. In many modern systems, the DCS are interfaced with the corporate network to give business operations a view of production. An example DCS implementation is shown in figure 4.

Figure 4: Example of DCS Implementation

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.7. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


Supervisory Control and Data Acquisition (SCADA) Systems

SCADA systems consist of both hardware and software and are highly distributed systems used to control geographically dispersed assets where centralized data acquisition and control are critical to system operation. They integrate data acquisition systems with data transmission systems and HMI software to provide a centralized monitoring and control system for numerous process inputs and outputs. SCADA systems are designed to collect field information and transfer it to a central computer facility so that an operator can centrally monitor or control an entire system in real time. Control of any individual system, operation or task can be automatic or can be accomplished through operator commands, dependent on system sophistication and setup. They are usually designed to be fault-tolerant systems with significant redundancy built into the system architecture. A SCADA system general layout is depicted in figure 5.

Figure 5: SCADA System General Layout

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.2. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


Programmable Logic Controllers (PLC)

PLCs are computer-based solid-state devices that control industrial equipment and processes. While PLCs are used throughout SCADA and DCS systems, they are often the primary components in smaller control system configurations used to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls. PLCs are used extensively in almost all industrial processes. Figure 6 illustrates an example of a PLC control system implementation.

Figure 6: Example PLC Control System Implementation

Source: Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2013, figure 2.8. Reprinted courtesy of the National Institute of Standards and Technology, US Department of Commerce. Not copyrightable in the United States.


Are ICS really that dissimilar from IT?

The short answer is yes and no. It is true that performance requirements, protocols, network architecture and priorities of the cybersecurity triad (confidentiality, integrity, availability) do not align, but there are other aspects that reveal more similarities than may be obvious at first glance. The linchpin may be a major cultural difference. Those who work with ICS are operational people; they understand the purpose and processes of the systems and know the systems down to the device level. They have to, because lives are often at stake. On the other hand, many IT professionals have a focus that is system- or task-specific. This compartmentalization is reinforced by many operating system (OS) and software certifications.

The following section takes a deeper look at, and sometimes challenges, some of the differences that have been defined between the two technologies.[16] The intention is not to discount any efforts to distinguish between the two disciplines, but rather to provide additional context where possible to explore similarities or explain distinctions.

Access to components

Regardless of technology, components may or may not be difficult to access. Due to the unique roles that ICS often serve, authorized technicians are often needed to diagnose, repair and/or replace components. This is prevalent in SCADA systems and BAS. The same can be said for backhaul and even backbone trunks laid underground.

Availability

Little can be disputed about the importance of ICS availability. ICS are designed to monitor and respond to abnormal conditions, and unavailability may jeopardize life, safety, and often expensive equipment and/or processing plants. (No reports of death from a system reboot were found in the research for this publication.) Alternatively, IT outages affect productivity and customer satisfaction. The notion that only ICS outages must be planned well in advance and changes thoroughly tested is false. Generally speaking, people have grown to accept lower IT system uptime, also known as availability, likely in part because instabilities in non-*nix environments have led most to freely adopt the three-step troubleshooting technique: refresh, reboot, reload.

Change management

It is ironic that NIST's comparison of the two systems[17] made no mention of thoroughly testing changes prior to deployment on an IT system. Outages to Facebook,[18] Bing,[19] eBay[20] and Google[21] reinforce the need for change management.

Communication

Although protocols do vary, they are simply a means for devices to communicate. One way of thinking about this is to compare protocols to spoken languages. For example, Ethernet is like English: regardless of where one is in the world, many can speak it. On the other hand, ICS protocols are proprietary and thus foreign to those outside of the industry.

[16] Stouffer, Keith; Joe Falco; Karen Scarfone; Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82, NIST, USA, 2011, table 3.1
[17] Ibid.
[18] Kincaid, Jason; "Facebook Gives A Post-Mortem On Worse Downtime In Four Years," Techcrunch, 23 September 2010, www.techcrunch.com/2010/09/23/facebook-downtime/
[19] Albenesius, Chloe; "Configuration Change Takes Down Microsoft's Bing on Friday," PCMag.com, 7 December 2009, www.appscout.pcmag.com/security-spyware/271010-configuration-change-takes-down-microsoft-s-bing-on-friday
[20] Balza, Melissa; "eBay blames outage on server maintenance," Prestige Essence, 4 September 2014, www.wslifestyle.com/site/news/ebay-blames-outage-on-server-maintenance/
[21] O'Reilly, Lara; "Google suffered a rare but major outage on Thursday," Yahoo! Finance, 12 March 2015, www.finance.yahoo.com/news/google-appears-down-now-090900626.html;_ylt=A0LEV7kcPwJVIh0AVCQnnIlQ


When asked how long it takes to be proficient with SCADA protocols, most ICS practitioners will respond, "Years." Yet many who are new to IT can become Network+ or Cisco Certified Network Associate (CCNA)-certified in a month. As ICS and IT systems continue to converge, one of three things is likely to occur: (1) more Ethernet will be introduced to ICS networks, (2) the industry will embrace and teach this art to larger audiences or (3) a new protocol that achieves what current proprietary protocols do, yet can communicate with Ethernet, will be developed.

Physical security

Banks do not leave vaults open. Why? Because they are entrusted with safeguarding their customers' money. The same should hold true for IT and ICS systems. Cybersecurity is the protection of digital assets, including hardware and software media.[22] The best security for any computer component is to leave it in the box, not connected to a network. IT systems safeguard intellectual property and a great deal of personally identifiable information (PII), whereas ICS monitor and control some of the world's most lucrative manufacturing processes and production plants. Unlike many IT environments, ICS are typically monitored every hour of every day of the year. Access to key architecture must be adequately protected, not only from outsiders, but also from insiders. Good policies, robust technical controls, deeper background checks for privileged users and audits are all necessary components for safeguarding both IT and ICS.

Threat Environment

Cybersecurity professionals across the globe have a daunting role in that they are constantly playing defense. Challenges are abundant regardless of industry sector. Unlike traditional IT defense, ICS defense requires its security practitioners to face the overwhelming task of defending a critical infrastructure that is full of antiquated technology. According to the SCADA Asia Summit, these systems are typically 10 to 15 years behind the security curve of IT used in homes and offices around the world.[23]

Threat agents and attack vectors do not differ between ICS and IT systems. ENISA and the US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have identified and characterized threat agents, as illustrated in figures 7 and 8.

[22] ISACA, Cybersecurity Fundamentals Study Guide, USA, 2015
[23] Pain, Richard; "The 5 Most Critical SCADA Security Failures," 7th Annual SCADA Asia Summit, 27-30 January 2015, www.scadasummit.com/redForms.aspx?eventid=1000535&id=389080&FormID=%2011&frmType=1&m=34731&FrmBypass=False&mLoc=F&SponsorOpt=False&utm_campaign=ISG_SIA&utm_medium=ISG_SIA&utm_source=ISG_SIA&utm_content=ISG_SIA&utm_term=ISG_SIA&MAC=ISG_SIA


Figure 7: Cybersecurity Threat Agents

Source: ENISA, ENISA Threat Landscape 2014, Overview of current and emerging cyber-threats, 2014, www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/enisa-threat-landscape/enisa-threat-landscape-2014

Figure 8: Incident Threat Actors

Source: Timpany, Bob; ICS-CERT Update, Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), February 2015


An actor's motivations ultimately influence the designation of target. Up until now, ICS attacks have typically been attributed to nation-states. It is important to note that convergence of ICS with corporate IT systems has significantly increased exposure. These interconnections, known and unknown, reveal that ICS are no longer susceptible only to direct attacks, but also are at tremendous risk for collateral effects due to the tremendous opportunities that IT systems afford. However, long before ICS were connected to corporate networks they were still at risk. In 1982, a Trojan was inserted into a SCADA system responsible for the Siberian Pipeline, resulting in its explosion. Two years later, a hacker gained unauthorized root-level access to the Salt River Project via a modem, resulting in significant information disclosure. In 1992, a malicious insider sabotaged the Chevron Emergency Alert System, which was not noticed until an emergency occurred, jeopardizing the lives of thousands of people.[24]

For decades, many believed the air gap to be a viable security measure. Air gap traditionally refers to physically isolating sensitive/secure systems from nonsecure ones, but for this discussion it will be used to mean isolating the control networks from the business network and, more specifically, the Internet. Vendor documentation frequently highlights air gaps. According to Tofino Security, the use of air gaps was attractive for two reasons: digital information cannot cross a physical gap, and bad things never get into control systems.[25] Multiple events have proven this to be untrue:

1. Many air-gapped systems are actually connected directly to the Internet. Project SHINE was a 22-month study to see whether researchers could locate any Internet-connected critical control systems. The results were astonishing. Sampling 2.2 million devices, researchers identified 586,997 industrial systems, 13,475 HVAC and BAS, and 204,416 serial-to-Ethernet devices from a staggering 182 manufacturers.[26]

2. Many air-gapped systems rely on the use of USB thumb drives. Stuxnet and the data exfiltration of US Department of Defense systems are powerful reminders of the damage these devices can do.

3. Even if removable devices are not infected, people can extract and disseminate information that was never intended to be shared. WikiLeaks[27] and Snowden[28] are modern-day examples. Additionally, telecommunications signals are susceptible to eavesdropping.

4. There are proof-of-concept attacks that demonstrate successful acoustical infections.[29] Van Eck phreaking is one form of this; it relies on specialized equipment to monitor electromagnetic emanations.[30]

24 Miller, Bill; Dale C. Rowe; "A Survey of SCADA and Critical Infrastructure Incidents," RIIT '12, Proceedings of the First Annual Conference on Research in Information Technology, Association for Computing Machinery, 2012, http://dl.acm.org/citation.cfm?id=2380805

25 Byres, Eric; "Unicorns and Air Gaps: Do They Really Exist? Living with Reality in Critical Control Systems," Automation World, 6 June 2013, www.automationworld.com/security/unicorns-air-gaps-do-they-really-exist

26 Rashid, Fahmida Y.; "Project SHINE Reveals Magnitude of Internet-connected Critical Control Systems," SecurityWeek, 6 October 2014, www.securityweek.com/project-shine-reveals-magnitude-internet-connected-critical-control-systems

27 Khan, MD. Obaiduzzaman; "US Military Bans Removable Media Again," The Tech Journal, 13 December 2010, http://thetechjournal.com/tech-news/us-military-bans-removable-media-again.xhtml

28 Schwartz, Matthew J.; "Thumb Drive Security: Snowden 1, NSA 0," InformationWeek Network Computing, 14 June 2013, www.networkcomputing.com/storage/thumb-drive-security-snowden-1-nsa-0/d/d-id/1110380?

29 TechTarget; "acoustical infection," http://whatis.techtarget.com/definition/acoustical-infection

30 Rouse, Margaret; "van Eck phreaking," TechTarget SearchSecurity, http://searchsecurity.techtarget.com/definition/van-Eck-phreaking


Another threat vector lies in the supply chain. Within the IT industry it is common practice to ship devices with default usernames and passwords. Equipment manufacturers also have a long history of installing backdoors for ease of remote troubleshooting. Unlike most ICS, however, these IT passwords are user-configurable. Within ICS, user accounts (if they even exist) and backdoors are hard-coded, which prevents local hardening.31

    Sophos predicts the gap between ICS and IT security will continue to broaden and far more serious flaws will be exposed.32 Figure 9 dissects, by vendor, the 398 ICS-CERT security issues, vulnerabilities and exploits experienced in the early months of 2015.

    Additional information can be gleaned from Open Source Vulnerability Database (OSVDB, www.osvdb.org). Figure 10, adapted from the SCADAhacker.com site and built on OSVDB vulnerability trend statistics, is a good representation of the type of data tracked by OSVDB.

31 Zetter, Kim; "Equipment Maker Caught Installing Backdoor Account in Control System Code," Wired, 25 April 2012, www.wired.com/2012/04/ruggedcom-backdoor/ and Goodin, Dan; "Intruders hack industrial heating system using backdoor posted online," Ars Technica, 13 December 2012, http://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/

32 Sophos; "Our top 10 predictions for security threats in 2015 and beyond," 12 November 2014, http://blogs.sophos.com/2014/12/11/our-top-10-predictions-for-security-threats-in-2015-and-beyond/

Figure 9: ICS-CERT Advisories Through 12 March 2015 (chart of advisories by vendor; image not reproduced)

Source: Adapted from Timpany, Bob; "ICS-CERT Update," Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), February 2015


Sources for figure 10: Open Source Vulnerability Database, www.osvdb.org; SCADAhacker.com, "Vulnerability Trend Data," 14 March 2015, https://scadahacker.com/resources.html#sansics

    Security simply cannot be bolted on with any expectation of success. Early attempts by vendors to produce ICS security products and appliances were rightfully met with resistance because the offerings highlighted a profound lack of understanding of the unique operating environment they were built to secure.

    Cyberattacks against ICS are growing in sophistication. As if this were not enough, a security researcher discovered banking Trojans being packaged as legitimate ICS patches.33 In these instances, ICS are not believed to be targeted for system interruption, but rather to steal financial information.

33 Higgins, Kelly Jackson; "Banking Trojans Disguised as ICS/SCADA Software Infecting Plants," InformationWeek Dark Reading, 8 January 2015, www.darkreading.com/attacks-breaches/banking-trojans-disguised-as-ics-scada-software-infecting-plants/d/d-id/1318542?_mc=RSS_DR_EDT

Vendors persistently release patches but, as in IT, patches take time to develop and make available. A sampling of the vendors listed in figure 9 revealed a surprisingly high patch availability (greater than 90 percent, on average). (In this context, "patch" also includes hot fixes, maintenance releases, firmware updates and software upgrades.) In some instances, vendors do include mitigation language encouraging administrators to limit exposure and verify firewall rules. When this language is not provided, ICS-CERT typically publishes similar guidance.

Figure 10: Vulnerability Trends Through 14 March 2015 (chart of OSVDB vulnerability trend statistics; image not reproduced)

    Mitigation


    Unfortunately, just because a patch is available does not mean it can or will be implemented. Comprehensive risk assessments are necessary to determine whether any particular patch is a necessary control and, if so, testing must be conducted to ensure it performs as expected and does not adversely affect other components or systems. Then again, if operations can never be interrupted, the patch would likely not even be entertained. In these situations, defense in depth is not only good practice, but is paramount.

ICS implementations vary, so it goes without saying that defense-in-depth architecture strategies will differ. Defense in depth can be implemented using concentric rings, overlapping redundancy, compartmentalization or any combination thereof.34 Architecture specifics are beyond the scope of this document.

    Few can dispute that attempting to secure technology or devices about which one has no technical understanding is intimidating. Some might argue it is reckless. Regardless of prevailing opinion, that scenario is playing out in many organizations when cross-discipline teams are not leveraged for development and execution of enterprise cybersecurity strategies.

Earl Perkins, Gartner consultant, noted this disconnect in a 2014 report: "As vulnerabilities in SCADA and industrial control system protocols become exposed, exploited and become incidents, and because of their experience in vulnerability management, CISOs will become responsible for Operational Technology (OT) patch and change management and will become ultimately responsible for gaps in operational control systems that were never specifically designed with security in mind."35

Research has revealed that a great deal of work has been accomplished to date by individuals who selflessly contribute to creating standards, offer training and education, hold conferences and help create relevant certifications. Many belong to professional associations such as the International Society of Automation (ISA), which reports on its web site a membership in excess of 30,000. Organizations such as ISA (and ISACA) rely heavily on member contributions to support industry professionals with training and education, conferences and certifications. ISA's recent notable achievements in this area include the creation of ISA99, Industrial Automation and Control Systems Security, which has become the global industrial cybersecurity standard from the International Electrotechnical Commission, the IEC 62443 series, as well as the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, designed specifically for industrial control security and systems professionals.

Risk management and governance are paramount, regardless of whether one is charged with defending critical infrastructure, manufacturing plants or building automation, or with building the corporate network. Rarely will any two networks require identical cybersecurity strategies. Business objectives differ, as do risk assessments, and these in turn influence risk appetite. ICS is no exception.

There are tremendous advantages to creating and sustaining cross-functional teams. Both ICS and IT cybersecurity professionals bring valuable and unique perspectives to the table. IT risk and governance are not new concepts and should serve the ICS community well, especially in converged enterprises. ICS professionals are operationally minded individuals, similar to the military, who understand the criticality of repeatable processes, preplanned responses and profound familiarity with the network they are charged with maintaining. Many IT departments could learn a great deal from the ICS camp about the importance of accurate inventories and documented network data flows.

34 Op cit, ISACA

35 Perkins, Earl; "How to Organize IT/IOT Security for Success," Gartner, 29 January 2014, www.bayshorenetworks.com/2014/07/bayshore-networks-announces-four-new-scada-firewalls/

    Summary


Disclaimer

ISACA has designed and created Industrial Control Systems: A Primer for the Rest of Us (the "Work") primarily as an educational resource for security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA

    Phone: +1.847.253.1545

    Fax: +1.847.253.1443

    Email: [email protected]

    Web site: www.isaca.org

    Provide feedback: www.isaca.org/industrial-control-systems

Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center

    Follow ISACA on Twitter: https://twitter.com/ISACANews

Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial

    Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISACA

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. The association has more than 200 chapters worldwide.


Expert Reviewers

Chase Cunningham, PhD, CTRC, USN (retired), USA

Monica Jain, CGEIT, USA

Cheryl Santor, CISA, CISM, CGEIT, CISSP, USA

Sidney Sakota, USA

Stephanie Schaeffer, CISSP, CEH, GCIH, USA

ISACA Board of Directors

Robert E. Stroud, CGEIT, CRISC, CA, USA, International President

Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President

Garry J. Barnes, CISA, CISM, CGEIT, CRISC, Vital Interacts, Australia, Vice President

Robert A. Clyde, CISM, Clyde Consulting LLC, USA, Vice President

Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President

Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President

Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President

Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President

Gregory T. Grocholski, CISA, SABIC, Saudi Arabia, Past International President

Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director

Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director

Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director

ACKNOWLEDGMENTS

Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA

Anthony P. Noble, CISA, Viacom, USA

Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK

Ivan Sanchez Lopez, CISA, CISM, ISO 27001 LA, CISSP, DHL Global Forwarding & Freight, Germany

Cybersecurity Task Force

Eddie Schwartz, CISA, CISM, CISSP, MCSE, PMP, USA, Chairman

Manuel Aceves, CISA, CISM, CGEIT, CRISC, CISSP, FCITSM, Cerberian Consulting, SA de CV, Mexico

Sanjay Bahl, CISM, CIPP, India

Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK

Brent Conran, CISA, CISM, CISSP, Intel, USA

Derek Grocke, HAMBS, Australia

Samuel Linares, CISA, CISM, CGEIT, CRISC, CISSP, GICSP, Industrial Cybersecurity Center (CCI), Spain

Marc Sachs, Verizon, USA

Knowledge Board

Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Chairman

Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands

Neil Patrick Barlow, CISA, CISM, CRISC, CISSP, Capital One, UK

Charlie Blanchard, CISA, CISM, CRISC, CIPP/US, CIPP/E, CISSP, FBCS, ACA, Amgen Inc., USA

Sushil Chatterji, CGEIT, Edutech Enterprises, Singapore