SCADA Security Webinar

CyberDefenses Information Assurance CyberDefenses, Inc.


SCADA Security Presented by Vern Williams, Chief Security Officer, CyberDefenses, Inc (CDI)

Transcript of SCADA Security Webinar

Page 1: SCADA Security Webinar

CyberDefenses Information Assurance

CyberDefenses, Inc.

Page 2: SCADA Security Webinar

• Californian by birth (Got to Texas as soon as I could)

• Oceanographer by degree from US Naval Academy

• Nuclear Engineer by Adm Rickover

• Submarine Officer by US Navy

• Disaster Relief Coordinator by ADRN

• CSO for Cyber Defenses by career

Vern Williams

Proprietary and Confidential 2013 CyberDefenses, Inc. ©

Page 3: SCADA Security Webinar

Industrial Control System (ICS) Security:

• Unique impact on both physical and cyber worlds
• Consequences can be more severe than in IT
• Lifecycles of 5-30 years
• Designed to operate in a bubble
• So what is the threat to ICSs?
• How can we defend them from the evil in the world?


Page 4: SCADA Security Webinar

How bad is it really?

“An Italian security researcher, Luigi Auriemma, has disclosed a laundry list of unpatched vulnerabilities and detailed proof-of-concept exploits that allow hackers to completely compromise major industrial control systems. The attacks work against six SCADA systems, including one manufactured by U.S. giant Rockwell Automation. The researcher published step-by-step exploits that allowed attackers to execute full remote compromises and denial of service attacks. Auriemma appeared unrepentant for the disclosures in a post on his website.” – Slashdot: mask.of.sanity


Page 5: SCADA Security Webinar

History of attacks on water plants

• SALT River Project SCADA Hack
• Maroochy Shire Sewage Spill
• Trojan/Key logger on Ontario Water SCADA System
• Viruses Found on Aussie SCADA Laptops
• Software Flaw makes MA Water undrinkable
• Audit/Blaster Causes Water SCADA Crash
• DoS Attack on Water System via Korean Telecom
• Penetration of California Irrigation District Wastewater Treatment Plant
• SCADA Breach in Harrisburg, PA by an external hacker


Page 6: SCADA Security Webinar

What do the Execs think?

• Close to 30% of respondents believe their company was not prepared for a cyberattack, and more than 40% expect a major cyberattack within the next year, according to a survey of 200 IT security executives from electricity infrastructure enterprises in 14 countries conducted by Vanson Bourne for McAfee and CSIS.

By Infosecurity, 27 April 2011


Page 7: SCADA Security Webinar

The Patria Group

This was the result of an instrument failure. What can “they” do to us when they intend harm?

Page 8: SCADA Security Webinar

And the really bad news? Stuxnet and variants!

Stuxnet infects Windows systems in its search for industrial control systems which consist of Programmable Logic Controllers (PLCs), and contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.

Stuxnet Introduces the First Known Rootkit for Industrial Control Systems, from Symantec Blog


Page 9: SCADA Security Webinar

What does DHS say?

DHS Warns ICS, SCADA Owners About Increase in Malicious Activity

• Be proactive in auditing the security, particularly the authentication controls, of their systems.

• Alert is in response to a growing concern over the number of exploit tools available online targeting ICS and SCADA systems.

• Growing interest from hacktivists using special search engines to find ICS accessible online.


Page 10: SCADA Security Webinar

Who is affected?

Exploit kits were made publicly available that target programmable logic controllers for industrial control systems

• Affects: GE, Rockwell Automation, Schneider Electric and Koyo

• Another exploit was built for the Ethernet/IP protocol used by a number of PLC vendors

• Added to report of a backdoor in CoDeSys ladder logic system used by 261 PLC manufacturers to execute ladder logic.


Page 11: SCADA Security Webinar

What else do we have to worry about?

• Kaspersky Labs believes four other malwares, which they call Duqu, Flame, Gauss, and MiniFlame, were developed by the same US “cyber-weapons factory”.

• 2012 ICS CERT tracked 171 unique vulnerabilities

• Shodan used to identify 20K Internet accessible and vulnerable ICS

• Shamoon destroyed 30K of Saudi Aramco computers (seems to be a lone perpetrator)


Page 12: SCADA Security Webinar

Can we continue like this?

The status quo is broken (we need to fix it). Doing the same things we are doing now is doomed to failure. Working together with IT and Corporate Security, we can make the bad guys' day harder!

The one thing worse than the operator not having control, is “them” having control.


Page 13: SCADA Security Webinar

What can we do?

• Practice Defense in Depth by Policy
• Avoid any attempt to bypass controls
• Establish accountability for actions
• Ask the hard questions:

– How good was Identity Proofing when “Joe” was hired?

– If the contract requires me to be vulnerable, maybe it is time to get a new contractor or provider.


Page 14: SCADA Security Webinar


Security Goals

• Develop / review the security policy for your ICS environment

• Architect a robust ICS environment
• Build security concerns into your contracts
• Require your provider to “Build Security In”
• Train your staff and educate your users
• Require accountability
• Develop and train an ICS Incident Response Team

Page 15: SCADA Security Webinar

Incident Response

Current State of the Art Response

• Emergency Operations Management
• Cyber Incident Response
– US-CERT
– CERT, CMU
• ICS CERT
– Control Systems Security Program (CSSP), DHS
– New but taking advantage of experience from both
– http://www.us-cert.gov/control_systems/index.html


Page 16: SCADA Security Webinar

Phases of Incident Response

• Planning
• Incident Prevention
• Incident Management
– Detection
– Containment
– Remediation
– Recovery
• Post Incident Analysis


Page 17: SCADA Security Webinar

Incident Response Key Elements

Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability October 2009


Page 18: SCADA Security Webinar

Where to start?

So where do we start to achieve this capability?

We have existing resources that can be brought to bear, but we first have to have the will of management and funding.

In developing an Incident Response Plan, you have to engage all of the stakeholders, and they each have to have ownership of the results.


Page 19: SCADA Security Webinar

Key Response and Monitoring

• Emergency Management
– Physical Security, Loss Prevention, Fire Protection, EOC Staff
– Respond to physical effects

• Cyber Incident Response
– IT Help Desk, Anti-Virus, USB management, Network and System Security Controls, Forensics, Change Management
– Deals well with traditional IT systems and networks

• ICS Operations
– Change Management, Typically Strong Physical Access, Weak Encryption and Identity Management, Long Lifecycles


Page 20: SCADA Security Webinar

Obstacles to overcome?

• Distrust between InfoSec, IT and ICS staff
• Tools that do not support ICS protocols
• Response Time vs Encryption
• Robust IdM vs Easy Operator Access
• “Starting” a new industry in ICS Security

The one thing worse than the operator not having control, is “them” having control.


Page 21: SCADA Security Webinar

Let's get started!

• Get buy-in from the TOP
• Form the team (provide incentive)
• Develop an ICS Incident Response Plan
– Plagiarism is the quickest way
• Train your staff, get the tools needed
• Develop outsourcing and comms channels
• Exercise, Feedback, Exercise, etc.


Page 22: SCADA Security Webinar

Team Members

• ICS-CERT Team Manager
• Process or Control System Engineer
• Network and System Admins
• Plant Manager / CIO / Chief Engineer
• Security and Legal SMEs
• PR and HR Specialists
• Vendor Support Engineers and others


Page 23: SCADA Security Webinar

Build and Exercise the Plan

• Get started and work out the bugs
• Basic plan should provide guides for phases
• Build check lists and forms to standardize actions
• Develop outside contacts with LEO, Fire etc.
• Establish communications methods
• Some ONE has to be in charge
• Use realistic scenarios to exercise your plan; use actual incidents if available


Page 24: SCADA Security Webinar

What else can we do?

• Assess your vulnerabilities (cross discipline)
• Mitigate where possible
• Architect with Security in mind
• Encryption is the best defense against compromise, and delays can be minimal
• Identity is key. If you do not know who, you do not know much.


Page 25: SCADA Security Webinar

CyberDefenses, Inc.

Key SCADA Questions For your CEO

Here are five questions chief executives should ask about cyber risks:

1) How is our executive leadership informed about the current level and business impact of cyber risks to our company?

2) What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?

3) How does our cyber security program apply industry standards and best practices?

4) How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?

5) How comprehensive is our cyber incident response plan? How often is it tested?

Posted by Greg Hale on Feb 28 2013. This is an excerpt from ISSSource.

Page 26: SCADA Security Webinar

Axioms:

• “You will do 85% or worse in competition than your best in practice.” Karl Rehn

• Train the way you expect to “fight”.

• Learn to “fight” wounded.


Page 27: SCADA Security Webinar

References:

• Guide to Industrial Control Systems (ICS) Security, NIST 800-82, May 2013 – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r1.pdf

• Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability, October 2009, DHS – http://ics-cert.us-cert.gov/content/recommended-practices

• In the Dark: Crucial Industries Confront Cyberattacks – http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf

• CERT Resources – http://www.us-cert.gov/resources.html

• Control Systems Security Program (CSSP) – http://www.us-cert.gov/control_systems/ics-cert/

• ICS Information Sharing and Analysis Center (ISAC) – http://www.ics-isac.org


Page 28: SCADA Security Webinar

Vern Williams, CSO, Cyber Defenses, Inc.
CISSP, CSSLP, ISSEP, ISAM, CCSK, CBCP

ISSA Distinguished Fellow
Senior Member, IEEE (Institute of Electrical and Electronics Engineers)
Member ISA and CSA
ISSA International Honor Roll, 2007
ISSA 2005 Security Practitioner of the Year
512.297.8798 (mobile)

1205 Sam Bass Road, Suite 300, Round Rock, TX
[email protected]@IEEE.org


Page 29: SCADA Security Webinar

CyberDefenses, Inc.

CyberDefenses Information Assurance