Industrial Control System (ICS) Cyber Security

bustlingdivisionElectronics - Devices

Nov 15, 2013 (3 years and 9 months ago)

102 views

Applied Control Solutions Proprietary Information


Industrial Control System (ICS) Cyber
Security


Hacker Halted

September 19, 2013




Joe Weiss


PE, CISM, CRISC, ISA Fellow


(408) 253
-
7934


joe.weiss@realtimeacs.com


Important Considerations


ICSs are different than IT and requires you to think differently


ICS cyber forensics and logging is minimal at best


There will probably be a cyber Pearl Harbor but you won’t know it is cyber because of the lack
of ICS cyber forensics


ICS cyber threats are not just the network but insecure engineering
designs/features that cannot be patched (see Stuxnet and Aurora)


A good attacker wanting to cause damage will go after the engineering features


Securing ICSs is a trade
-
off between performance and security


Performance must win but by how much


It takes ICS experts that understand the domain and IT experts that understand
security working together to secure ICSs




Applied Control Solutions Proprietary Information

Definitions that can be Confusing


Cyber


Security


Denial of service


IT


SCADA


ICS






Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

What are ICSs


ICSs operate power, water,
chemicals, pipelines, military
systems, medical devices, etc



ICSs include SCADA/EMS, DCS,
PLCs, RTUs, IEDs, smart sensors
and drives, emissions controls,
equipment diagnostics, AMI (Smart
Grid), programmable thermostats,
building controls,…



Focus is reliability and safety


Applied Control Solutions Proprietary Information

Cyber Incident Definition


An occurrence that actually or potentially jeopardizes the
confidentiality, integrity, or availability (CIA) of an information system
or the information the system processes, stores, or transmits or that
constitutes a violation or imminent threat of violation of security
policies, security procedures, or acceptable use policies.

(FIPS PUB 200,
Minimum Security Requirements for Federal Information and
Information System
, March 2006.)



What is important about this definition


Intentional or unintentional


Actual or potential compromise of CIA


Violation or imminent threat to CIA


Why care about unintentional


If it can be done unintentionally, it can probably be done intentionally


Applied Control Solutions Proprietary Information

ICS Basics

Where is ICS Technology Heading


More intelligence


Intelligence moving closer to the process


More interoperability


With ICS and IT


More networking


Inside and outside the facility


More applications


iPhone, ipad,…


More on
-
line interactions


Affecting control and safety

Cyber!


Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

ICSs are Different than IT


The Internet and Microsoft are not necessarily the biggest ICS cyber threats


External malicious threats are not necessarily the biggest concerns


Firewalls and VPNs may not be adequate


IDS will probably not identify ICS attacks


Field devices have been hacked


Default passwords and backdoors are not uncommon


Many ICSs have hardware configurations that are cyber vulnerable and cannot be
patched or fixed


Patching is difficult and can have unintended consequences


Cyber forensics and logging may not exist



Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

Issues with IT and IT Security


Generally lack of knowledge about ICS and Operations


Often reticence to work with Operations


Mission is security, not reliability and safety


Worried about confidentiality and data loss, not loss of
control or loss of view


Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

How did this apply to Stuxnet


World
-
class IT team (4 Microsoft zero
-
days, stolen digital
certificates)


World
-
class control system team (compromise of ladder
logic and replay of operator displays)


Undiscovered for >1 year


They worked together!

Applied Control Solutions Proprietary Information

International Issues with ICSs


Same systems used world
-
wide


Same training, default passwords, etc


Iranian paper on Stuxnet


Shine and Iran


Shine identifies control system devices directly connected to the Internet


>1,000,000 identified to date


An article detailing the project and describing the list was translated into
Persian and posted on hacker forums in January 2013.


ICS Honeypot


Attacked form China, Laos, etc


Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

ICS Security Expertise Lacking

IT Security

ICS Security
Experts

ICS

Engineering

Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

15

ICS Cyber Incidents


300+ incidents world
-
wide


Most unintentional


Some malicious attacks


Impacts range from trivial to
major outages to deaths


Most not identified as cyber


ICS incidents may not violate
IT security policies

Applied Control Solutions Proprietary Information

Turbine overstress due to
systems incompatibility

Applied Control Solutions Proprietary Information

Complete loss of all DCS logic with plant at power

Applied Control Solutions Proprietary Information

Broadcast storm shutting
down main coolant pumps

Applied Control Solutions Proprietary Information

Forced scram due to unknown interconnections

Applied Control Solutions Proprietary Information

Pipeline Ruptures

June 1999 Bellingham, WA

September 2010 San Bruno, CA

Applied Control Solutions Proprietary Information

DC Metro Train Crash

Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

Possible Aurora Attack

Aurora Demonstration
-

INL

Iranshahr Power Plant
-

Iran

Common thread
-

Coupling failures

What Needs to be Done


Need Senior Management buy
-
in


Develop ICS cyber security policies, procedures, and awareness


Include security as part of the design basis


Recognize potential reliability and safety issues with digital systems


Treat security as an engineering issue


Know what you have installed


Develop relevant ICS cyber forensics and training


Include IT, operations, equipment vendors, plant designer, and
incident responders as a team

Applied Control Solutions Proprietary Information

Applied Control Solutions Proprietary Information

Conclusions


Can
not

fully secure ICSs


Worry about intentional and unintentional


Balance reliability/safety with security


Need to be able to recover


Threats are real


Lack of forensics complicates root cause analysis


Need appropriate knowledge and coordination


Needs teamwork between Operations, Maintenance, IT,
Forensics, and Telecom


Get involved!