Transcript of: Securing Industrial Control Systems
Securing Industrial Control Systems
Kevin Wheeler, CISSP, CISA
Agenda
1. Evolving Threat Landscape
2. Industrial Control Systems
3. Emerging Industrial Control System Threats
4. Securing Industrial Control Systems
5. Questions and Discussion
A Little About Me
• More than 15 Years of Information Security Experience
• Founder and Managing Director of InfoDefense
• Frequent Speaker at Conferences and Industry Events
• Author of IT Auditing: Using Controls to Protect Information Assets
Evolving Threat Landscape
Today's Internet Threats
Malware Growth (chart): in 2007, 1,431 new malware variants per day
Attack Kits
• Kits Allow Novice Attackers to Launch Sophisticated Attacks
• Can Be Used to Easily Customize Attacks
• Create Unique Variants of Common Malware Threats
Threat Motives
• Monetary
• Political
• National Security
Industrial Control Systems
SCADA Functionality
• Industrial System Monitoring
• Industrial Actuator Control
• Used for:
  • Power Generation and Transmission
  • Water Supply
  • Oil and Gas
  • Wastewater Treatment
  • Building Management
SCADA Functionality (diagram)
SCADA System Architecture (diagrams)
Evolving Industrial Control System Threats
Industrial Control System Threats
• Nation-state Threats are Increasing
• Cyber-Terrorism Has Become More Prevalent
• SCADA Remains Inherently Insecure
Case Study: Illinois Water District
Occurred: November 8, 2011
Attack Vector: SCADA system software compromised by Russian hackers
Motive: Cyber Terrorism/Warfare
Effect of Breach: Equipment (water pump) destroyed
Remediation: IDs and passwords were changed, logical access control enhanced
https://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/
Note: the account above is the initial state fusion-center report. DHS and the FBI subsequently found no evidence of an intrusion: the login from a Russian address had been made months earlier by a contractor for the SCADA integrator who was travelling in Russia, and the pump failure was unrelated. The practical lesson stands either way: remote vendor access to a supervisory system must be individually authenticated and centrally logged so that a login can be attributed in hours rather than weeks.
Case Study: Iran Nuclear Program
Discovered: June 2010 (the worm had been active since at least 2009)
Attack Vector: SCADA system compromised through the Stuxnet worm, attributed to Israeli and US intelligence agencies
Motive: Cyber Warfare
Effect of Breach: Equipment (uranium-enrichment centrifuges, driven by Siemens S7 PLCs that the worm reprogrammed) destroyed
Remediation: Authentication and logical access control enhanced
Case Study: LA Traffic Control Center
Announced: August 21, 2006
Attack Vector: Stolen supervisor passwords
Motive: Cyber Terrorism, Union Strike
Effect of Breach: Traffic lights at four key LA intersections were disabled for four days, jamming traffic at those intersections
Remediation: The attackers eventually relinquished control of the system. The city most likely changed passwords, implemented more stringent password policies and possibly implemented a strong authentication system.
Note: the two people charged were city traffic engineers, i.e. insiders who knew the system; per-user authentication and logging of control actions matter more than perimeter controls against that kind of actor.
Securing Industrial Control Systems
ISA99 and ISA/IEC 62443 Standards
© International Society of Automation, http://www.isa.org
Security Governance
1. Obtain Executive Sponsorship
2. Develop an Industrial Control System Security Committee
3. Define Policies
4. Provide Security Training for ICS Engineers
5. Implement Security Metrics and Reporting to Measure Progress
Threat and Vulnerability Management
1. Implement a System Patch Management Process
2. Disable System Services and Functions that are not Required
3. Optimize Security Configurations
4. Implement an Ongoing Threat Identification and Assessment Procedure
5. Periodically Test for Vulnerabilities
Logical Access Control
1. Isolate ICS Networks
2. Define Logical Security Zones
3. Implement Next Gen Firewall Technology
4. Deploy Role-based Access Control
5. Require Multi-factor Authentication
* Use Privileged Access Management Technology if Possible
Recommendations
1. Centralize Network Access to Supervisory Level Industrial Control Systems Using Next Generation Firewall Technology
2. Provide Centralized Authentication and Accounting (Logging) for Industrial Control System Access
3. Isolate Industrial Control Network Access Using VPNs Over Internal Networks and VLANs to the Supervisory Level
4. Harden SCADA Management Systems as Single Purpose Devices
5. Monitor Supervisory Level Database Activity
6. Authenticate and Encrypt Dial-up and Wireless Access to Out-of-band Control Level PLCs and RTUs
7. Physically Secure the Device Level at Facilities
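The zone-and-conduit model behind the Logical Access Control steps and the Recommendations above can be checked mechanically. The following Python script is an added example, not code from the slides or from InfoDefense: it models the corporate network, DMZ, supervisory level and control level (plus a VPN pool for remote maintenance) as address ranges, declares the conduits the architecture permits, audits a firewall rule set against them (recommendations 1 and 3), and then reads a centralized authentication log (recommendation 2) to flag logins that reached supervisory hosts from anywhere other than the supervisory network or the VPN pool. All addresses, ports, rule ids, host names and log lines are constructed assumptions for the example.

```python
"""Zone and conduit checks for an ICS network (added example, constructed data)."""
import ipaddress
import re

# Assumed address plan, one network per zone (constructed, not a real site).
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "supervisory": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.3.0.0/24"),
    "vpn": ipaddress.ip_network("10.4.0.0/24"),  # pool handed out after MFA
}

# Conduits the architecture permits: (source zone, destination zone, port).
# Anything else is a violation: the control level is reachable only from the
# supervisory level, and the corporate network never reaches it directly.
ALLOWED_CONDUITS = {
    ("corporate", "dmz", 443),        # users read the replicated historian
    ("supervisory", "dmz", 1433),     # historian replication out to the DMZ
    ("vpn", "supervisory", 3389),     # remote maintenance via VPN to a jump host
    ("supervisory", "control", 502),  # SCADA server polls PLCs (Modbus/TCP)
}

# Zones from which an interactive login to a supervisory host is acceptable.
LOGIN_ZONES = {"supervisory", "vpn"}


def zone_of(ip):
    """Zone name for a single address, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def zone_of_network(cidr):
    """Zone name if the network lies entirely inside one zone, else 'unscoped'."""
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unscoped"  # e.g. 0.0.0.0/0, or a range that spans zones


def check_rules(rules):
    """Return (rule id, reason) for every allow rule that opens a path the conduit
    table does not permit.  rules: dicts with id, src, dst (CIDR), port, action."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules never widen access
        src, dst = zone_of_network(rule["src"]), zone_of_network(rule["dst"])
        if src == dst and src != "unscoped":
            continue  # intra-zone traffic is a host-hardening matter, not a conduit
        if "unscoped" in (src, dst):
            findings.append((rule["id"], "UNSCOPED"))       # 'any' source or destination
        elif rule["port"] == "any":
            findings.append((rule["id"], "ANY_PORT"))       # cross-zone, every port open
        elif (src, dst, rule["port"]) not in ALLOWED_CONDUITS:
            findings.append((rule["id"], "NOT_A_CONDUIT"))  # path the architecture forbids
    return findings


LOGIN_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) src=(\S+) result=(\S+)$")


def check_auth_log(text):
    """Return (host, user, src, zone, result) for every login record whose source
    is outside LOGIN_ZONES.  Failed attempts count too: a packet from the wrong
    zone reaching the host at all means the conduit enforcement has a hole."""
    findings = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        _ts, host, user, src, result = m.groups()
        zone = zone_of(src)
        if zone not in LOGIN_ZONES:
            findings.append((host, user, src, zone, result))
    return findings


# Constructed firewall rule set to audit.
SAMPLE_RULES = [
    {"id": "fw-1", "src": "10.2.0.0/24", "dst": "10.3.0.0/24", "port": 502, "action": "allow"},
    {"id": "fw-2", "src": "10.0.0.0/16", "dst": "10.1.0.0/24", "port": 443, "action": "allow"},
    {"id": "fw-3", "src": "10.0.0.0/16", "dst": "10.3.0.0/24", "port": 502, "action": "allow"},
    {"id": "fw-4", "src": "0.0.0.0/0", "dst": "10.2.0.0/24", "port": 3389, "action": "allow"},
    {"id": "fw-5", "src": "10.2.0.0/24", "dst": "10.3.0.0/24", "port": "any", "action": "allow"},
    {"id": "fw-6", "src": "10.0.0.0/16", "dst": "10.3.0.0/24", "port": "any", "action": "deny"},
]

# Constructed centralized authentication log for two supervisory hosts.
SAMPLE_AUTH_LOG = """\
2011-11-08T03:12:44 scada-hmi01 login user=operator src=10.2.0.21 result=success
2011-11-08T03:14:02 scada-hmi01 login user=vendor src=10.0.5.40 result=success
2011-11-08T09:01:17 scada-hmi01 login user=operator src=10.4.0.12 result=success
2011-11-08T11:40:51 historian01 login user=admin src=203.0.113.9 result=success
2011-11-08T11:41:30 historian01 login user=admin src=10.2.0.5 result=failed
"""

if __name__ == "__main__":
    for rule_id, reason in check_rules(SAMPLE_RULES):
        print(f"firewall {rule_id}: {reason}")
    for host, user, src, zone, result in check_auth_log(SAMPLE_AUTH_LOG):
        print(f"{host}: {result} login by {user} from {src} ({zone} zone)")
```

Run as a script it reports three rule violations (corporate network straight to the PLCs, RDP to the supervisory level from anywhere, and an all-ports conduit) and two logins that bypassed the VPN path (one from the corporate network, one from an address outside the plan). The conduit table is the artifact worth agreeing with the ICS engineers first; once it exists, every firewall change and every remote-access session can be judged against it instead of case by case.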
SCADA Security Architecture (diagram; labels: Corporate Network, VPN, Authentication)
Key Trends of the Future
Enterprise Information Security
Information Security Controls (© ISACA): Administrative Controls, Technical Controls, Physical Controls
Information Security Lifecycle
Lifecycle stages: Risk Assessment, Security Strategy, Security Policy, Security Architecture, Security Management, Assurance and Measurement (diagram also labelled Information Security Maturity and Industrial Control System Security)
Security Governance: Sample Information Protection Policy
[Company Logo]
Policy Title: Information Protection Policy
Policy Number: ITP-01
Version: 0.1
Effective Date: mm/dd/yyyy
Approved By: (Authorized Signer Name)
Date Approved:

Overview
Description: This policy contains high-level information protection mandates as set forth by executive management in response to enterprise risk and regulatory compliance requirements. As with all corporate IT policies, supporting standards outline the technical security requirements and procedures outline the methods used to create or maintain security controls. The following policy statements are not meant to specify the methods of protection.
Purpose: The Information Protection Policy was set forth to protect [Company Name] from unauthorized information disclosure and other information security risks. Many of the policy statements below have been developed in response to regulatory requirements.
Applicability: There are two audiences for policies: general users and users that perform IT functions. This policy is directed at users that perform IT functions.
Sanctions for Non-compliance: This policy is compulsory. Failure to comply may result in reprimand and/or employment termination.

Policy Statements
Policy: Information will be protected in a way that reduces IT risk and complies with applicable regulations.
Clarifying Policy Statements:
1) System access must be strictly controlled. See the Access Control Standard for additional details.
2) Sensitive information residing on enterprise systems must be protected by appropriate security controls according to its level of sensitivity. See the Systems Security Policy and Sensitive Information Protection Standard for additional information.
3) Private cryptographic keys must be stored and managed in a secure manner. See the Encryption Standard for more information.
4) New employees, contract employees and business partners that will have access to sensitive information must undergo a background check.
Security Architecture
ISA99 General Concepts
• Security Context
• Security Objectives
• Defense in Depth
• Threat-Risk Assessment
• Security Program Maturity
• Policies
• Role Based Access Control