Securing Industrial Control Systems...2 1 Evolving Threat Landscape 2 Industrial Control Systems 3...

Securing Industrial Control Systems Kevin Wheeler, CISSP, CISA


Agenda

1.  Evolving Threat Landscape

2.  Industrial Control Systems

3.  Emerging Industrial Control System Threats

4.  Securing Industrial Control Systems

5.  Questions and Discussion

A Little About Me

•  More than 15 Years of Information Security Experience

•  Founder and Managing Director of InfoDefense

•  Frequent Speaker at Conferences and Industry Events

•  Author of IT Auditing: Using Controls to Protect Information Assets


Evolving Threat Landscape


Today’s Internet Threats

Malware Growth

In 2007: 1,431 variants per day

Attack Kits

•  Kits Allow Novice Attackers to Launch Sophisticated Attacks

•  Can Be Used to Easily Customize Attacks

•  Create Unique Variants of Common Malware Threats

Threat Motives

•  Monetary

•  Political

•  National Security


Industrial Control Systems


SCADA Functionality

•  Industrial System Monitoring

•  Industrial Actuator Control

•  Used for:

   •  Power Generation and Transmission

   •  Water Supply

   •  Oil and Gas

   •  Wastewater Treatment

   •  Building Management


SCADA System Architecture



Evolving Industrial Control System Threats


Industrial Control System Threats

•  Nation-state Threats are Increasing

•  Cyber-Terrorism Has Become More Prevalent

•  SCADA Remains Inherently Insecure


Case Study: Illinois Water District

Occurred: November 8, 2011

Attack Vector: SCADA system software compromised by Russian hackers

Motive: Cyber Terrorism/Warfare

Effect of Breach: Equipment (water pump) destroyed

Remediation: IDs and passwords were changed, logical access control enhanced

https://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/


Case Study: Iran Nuclear Program

Occurred: June, 2010

Attack Vector: SCADA system compromised by Israeli and US intelligence agencies through the Stuxnet worm

Motive: Cyber Warfare

Effect of Breach: Equipment (Siemens centrifuges used for uranium enrichment) destroyed

Remediation: Authentication and logical access control enhanced


Case Study: LA Traffic Control Center

Announced: August 21, 2006

Attack Vector: Stolen Supervisor passwords

Motive: Cyber Terrorism, Union Strike

Effect of Breach: Traffic lights at four key LA intersections were disabled for four days, jamming traffic at the intersections

Remediation: Attackers eventually relinquished control of the system. The city most likely changed passwords, implemented more stringent password policies and possibly implemented a strong authentication system.


Securing Industrial Control Systems


ISA99 and ISA/IEC 62443 Standards

© Industrial Society of Automation, http://www.isa.org


Security Governance

1.  Obtain Executive Sponsorship

2.  Develop an Industrial Control System Security Committee

3.  Define Policies

4.  Provide Security Training for ICS Engineers

5.  Implement Security Metrics and Reporting to Measure Progress


Threat and Vulnerability Management

1.  Implement a System Patch Management Process

2.  Disable System Services and Functions that are not Required

3.  Optimize Security Configurations

4.  Implement an Ongoing Threat Identification and Assessment Procedure

5.  Periodically Test for Vulnerabilities


Logical Access Control


1.  Isolate ICS Networks

2.  Define Logical Security Zones

3.  Implement Next Gen Firewall Technology

4.  Deploy Role-based Access Control

5.  Require Multi-factor Authentication

*Use Privileged Access Management Technology if Possible

Recommendations

1.  Centralize Network Access to Supervisory Level Industrial Control Systems Using Next Generation Firewall Technology

2.  Provide Centralized Authentication and Accounting (Logging) for Industrial Control System Access

3.  Isolate Industrial Control Network Access Using VPNs Over Internal Networks and VLANs to the Supervisory Level

4.  Harden SCADA Management Systems as Single Purpose Devices

5.  Monitor Supervisory Level Database Activity

6.  Authenticate and Encrypt Dial-up and Wireless Access to Out-of-band Control Level PLCs and RTUs

7.  Physically Secure the Device Level at Facilities

SCADA Security Architecture

[Diagram; labels: VPN, Authentication, Corporate Network]


Questions and Discussion

Kevin Wheeler, CISSP, CISA

(972) 992-3100 Ext 101


Key Trends of the Future


Enterprise Information Security

Information Security Controls

•  Technical Controls

•  Physical Controls

•  Administrative Controls

Information Security Maturity

© ISACA

Information Security Lifecycle

Industrial Control System Security

•  Risk Assessment

•  Security Strategy

•  Security Policy

•  Security Architecture

•  Security Management

•  Assurance and Measurement

Security Governance

[Company Logo]

Policy Title: Information Protection Policy

Policy Number: ITP‐01  Version: 0.1  Effective Date: mm/dd/yyyy

Approved By: (Authorized Signer Name)    Date Approved

Overview

Description: This policy contains high‐level information protection mandates as set forth by executive management in response to enterprise risk and regulatory compliance requirements. As with all corporate IT policies, supporting standards outline the technical security requirements and procedures outline the methods used to create or maintain security controls. The following policy statements are not meant to specify the methods of protection.

Purpose: The Information Protection Policy was set forth to protect [Company Name] from unauthorized information disclosure and other information security risks. Many of the policy statements below have been developed in response to regulatory requirements.

Applicability: There are two audiences for policies: general users and users that perform IT functions. This policy is directed at users that perform IT functions.

Sanctions for Non‐compliance: This policy is compulsory. Failure to comply may result in reprimand and/or employment termination.

Policy Statements

Policy: Information will be protected in a way that reduces IT risk and complies with applicable regulations.

Clarifying Policy Statements:

1) System access must be strictly controlled. See the Access Control Standard for additional details.

2) Sensitive information residing on enterprise systems must be protected by appropriate security controls according to its level of sensitivity. See the Systems Security Policy and Sensitive Information Protection Standard for additional information.

3) Private cryptographic keys must be stored and managed in a secure manner. See the Encryption Standard for more information.

4) New employees, contract employees and business partners that will have access to sensitive information must undergo a background check.


Security Architecture


ISA99 General Concepts

•  Security Context

•  Security Objectives

•  Defense in Depth

•  Threat-Risk Assessment

•  Security Program Maturity

•  Policies

•  Role Based Access Control
