6. Cybersecurity for Industrial Ethernet - Dr Paul Comerford

Page 1: Cyber security for Industrial Ethernet

Paul Comerford - Glyndwr University

[email protected]

Page 2: Common misperceptions

• Cyber security of industrial networks is not necessary

– The myth remains that an "air gap" separates the ICS from any possible source of digital attack or infection

– In practice that gap is bridged by wireless links, diagnostic ports and removable media

• Industrial security is an impossibility

• The average number of days between public disclosure of a vulnerability and its discovery in a control system was 331

Page 3: Attacks

• The most common initial vectors used against industrial systems include spear phishing, watering-hole attacks and database injection

Page 4: Spear Phishing

Page 5: Insider threats

• Study: only 35% of attacks originated from outsiders

• Employees and subcontractors with access to specific ICS components or subsystems for operation

• Service providers with access to specific ICS components or subsystems for support

Page 6: Common industrial security recommendations

1. Identify what systems need to be protected

2. Separate systems logically into functional groups

3. Implement a defence-in-depth strategy

4. Control access into and between each group

5. Monitor activities that occur within and between groups

6. Limit actions that can be executed within and between groups

Page 7: Security life cycle model and actions

Page 8: Asset Identification

• Hardware and Software Inventory

• Identify all network-connected hosts

• Confirm that the identified hosts are authorised for the industrial network

• Collect host platform and application information for each network-connected device

• Consolidate this information
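The steps above (discover hosts, confirm they are authorised, collect platform and service details, consolidate) are what an inventory script has to do. The following is an added example, not part of the slides: it merges host records from several discovery sources by MAC address and then checks the result against an authorised asset list. The record layout, the sample records and the authorised list are all constructed for illustration.

```python
"""Consolidate host records from several discovery sources into one inventory and
check it against the list of hosts authorised for the cell. Added example; the
record layout, the sample records and the authorised list are all constructed."""

# Constructed discovery output: what a passive capture, the switch MAC table and
# a vendor tool each reported for the same cell network.
DISCOVERY_RECORDS = [
    {"source": "passive_capture", "mac": "00:0E:8C:11:22:33", "ip": "10.10.1.10",
     "vendor": "Siemens", "platform": "S7-300 PLC", "services": ["102/tcp"]},
    {"source": "switch_mac_table", "mac": "00:0e:8c:11:22:33", "ip": None,
     "vendor": None, "platform": None, "services": []},
    {"source": "passive_capture", "mac": "00:1b:1b:aa:bb:cc", "ip": "10.10.1.20",
     "vendor": "Siemens", "platform": "WinCC HMI, Windows 7", "services": ["102/tcp", "445/tcp"]},
    {"source": "vendor_tool", "mac": "00:1b:1b:aa:bb:cc", "ip": "10.10.1.20",
     "vendor": "Siemens", "platform": "WinCC V7.4", "services": ["3389/tcp"]},
    {"source": "switch_mac_table", "mac": "b8:27:eb:01:02:03", "ip": "10.10.1.77",
     "vendor": "Raspberry Pi Foundation", "platform": None, "services": ["22/tcp"]},
]

# Constructed authorised inventory for the cell, keyed by MAC address
AUTHORISED_ASSETS = {
    "00:0e:8c:11:22:33": {"name": "PLC-01", "services": {"102/tcp"}},
    "00:1b:1b:aa:bb:cc": {"name": "HMI-01", "services": {"102/tcp", "3389/tcp"}},
    "00:1b:1b:dd:ee:ff": {"name": "PLC-02", "services": {"102/tcp"}},
}


def consolidate(records):
    """Merge records by MAC (case-normalised): the first non-empty value of each
    field wins, services and reporting sources are unioned."""
    hosts = {}
    for rec in records:
        mac = rec["mac"].lower()
        host = hosts.setdefault(mac, {"mac": mac, "ip": None, "vendor": None,
                                      "platform": None, "services": set(), "seen_by": set()})
        for field in ("ip", "vendor", "platform"):
            if host[field] is None and rec.get(field):
                host[field] = rec[field]
        host["services"].update(rec.get("services", []))
        host["seen_by"].add(rec["source"])
    return hosts


def check_authorisation(hosts, authorised):
    """Three findings an inventory review needs: hosts not on the list, listed hosts
    nobody saw, and authorised hosts exposing services they were not approved for."""
    unauthorised = sorted(mac for mac in hosts if mac not in authorised)
    missing = sorted(mac for mac in authorised if mac not in hosts)
    unexpected_services = {}
    for mac in hosts:
        if mac in authorised:
            extra = hosts[mac]["services"] - authorised[mac]["services"]
            if extra:
                unexpected_services[mac] = sorted(extra)
    return {"unauthorised": unauthorised, "missing": missing,
            "unexpected_services": unexpected_services}


def review(records=DISCOVERY_RECORDS, authorised=AUTHORISED_ASSETS):
    hosts = consolidate(records)
    return dict(check_authorisation(hosts, authorised), hosts=hosts)


if __name__ == "__main__":
    r = review()
    for mac, h in sorted(r["hosts"].items()):
        print(mac, h["ip"], h["platform"], sorted(h["services"]), sorted(h["seen_by"]))
    print("unauthorised:", r["unauthorised"])
    print("missing:", r["missing"])
    print("unexpected services:", r["unexpected_services"])
```

Every discovery source sees a different slice (the switch knows MACs but not platforms; the passive capture sees services actually in use), which is why consolidation is done by MAC rather than IP and why the review reports both rogue hosts and authorised hosts with services outside their approved set.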

Page 9: Classifying assets

Page 10: Risk Management

Page 11: Risk Assessment Worksheet

Page 12: Defence In Depth

Page 13: Zone perimeters

Page 14: Network Segmentation of Systems

Broad attack surface approach

Page 15: Segmented approach

Page 16: Access Control

• Multi-factor authentication

– Combine a digital key with a physical one

– e.g. a password plus a biometric scan

• Use dedicated hosts for specific functions

Page 17: Stuxnet

• Malicious computer worm

• Targets industrial computer systems

• Responsible for causing substantial damage to Iran's nuclear program

• Frequently described as a jointly built American-Israeli cyber-weapon

Page 18: Lessons Learned from Stuxnet

Previous belief: Control systems can be effectively isolated from other networks, eliminating the risk of a cyber incident.
Lesson learned: Defence can be bypassed by a curious operator, a USB drive and poor security awareness.

Previous belief: PLCs and RTUs that do not run modern operating systems lack the necessary attack surface to make them vulnerable.
Lesson learned: PLCs can be, and have been, targeted and infected by malware.

Previous belief: Highly specialised devices benefit from "security through obscurity". Because industrial control systems are not readily available, it is impossible to effectively engineer an attack against them.
Lesson learned: The motivation, intent and resources are all available to successfully engineer a highly specialised attack against an industrial control system.

Previous belief: Firewalls and intrusion detection and prevention systems (IDS/IPS) are sufficient to protect a control system network from attack.
Lesson learned: The use of multiple zero-day vulnerabilities to deploy a targeted attack indicates that "blacklist" point defences, which compare traffic to definitions of known "bad" code, are no longer sufficient; "whitelist" defences should be considered as a catch-all defence against unknown exploits.

Page 19: Dealing with an infection

• Collect as much forensic detail as possible

• Have a documented and rehearsed incident response plan in place

• Analyse available logs

• Sandbox and investigate infected systems

• Analyse memory to find memory-resident rootkits

• Clone disks for off-line analysis
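Cloning a disk for off-line analysis is only useful if the image is complete, its integrity is recorded, and a failing sector does not abort the whole acquisition. The following is an added example, not from the slides: it copies an open device block by block, hashes the image as it is written, zero-fills unreadable blocks so later bytes keep their offsets, re-verifies the finished image and writes a chain-of-custody manifest beside it. FlakyDevice is a constructed stand-in for a disk with one bad block; on a real case the source would be the raw device (for example /dev/sdb on Linux) opened read-only behind a hardware write blocker.

```python
"""Clone a disk to an image file for offline analysis, hashing the image as it is
written, zero-filling blocks the device refuses to read instead of aborting, and
writing a chain-of-custody manifest beside the image. Added example; FlakyDevice
is a constructed stand-in for a failing disk."""
import hashlib
import io
import json
import os
import tempfile
import time

BLOCK = 4096  # small for the demo; use 1 MiB or more on a real device


def image_device(src, dst_path, block=BLOCK):
    """Copy the open binary file object `src` block by block into dst_path.
    Unreadable blocks are recorded and written as zeros so every later byte keeps
    its original offset (what dd does with conv=noerror,sync)."""
    digest = hashlib.sha256()
    bad_blocks = []
    offset = 0
    with open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(block)
            except OSError:
                bad_blocks.append(offset)
                chunk = b"\x00" * block
                src.seek(offset + block)  # step over the bad block and carry on
            if not chunk:
                break
            dst.write(chunk)
            digest.update(chunk)
            offset += len(chunk)
    return {"bytes": offset, "sha256": digest.hexdigest(), "bad_blocks": bad_blocks}


def verify_image(path, expected_sha256, block=BLOCK):
    """Re-read the finished image and confirm it hashes to the value computed on the fly."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            digest.update(chunk)
    return digest.hexdigest() == expected_sha256


def write_manifest(image_path, source_name, result):
    """Record what was imaged, when, its hash and any unreadable blocks next to the image."""
    manifest = dict(result, source=source_name, image=os.path.basename(image_path),
                    acquired_utc=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    with open(image_path + ".json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a disk with one unreadable block at bad_offset."""

    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        if self.tell() == self.bad_offset:
            raise OSError(5, "Input/output error")
        return super().read(size)


def image_constructed_sample(block=BLOCK):
    """Image a five-block constructed device whose third block is unreadable."""
    data = bytes(range(256)) * (5 * block // 256)
    bad = 2 * block
    expected = data[:bad] + b"\x00" * block + data[bad + block:]  # what the image must contain
    image_path = os.path.join(tempfile.mkdtemp(), "disk.img")
    result = image_device(FlakyDevice(data, bad), image_path, block)
    write_manifest(image_path, "constructed FlakyDevice", result)
    return dict(result, expected_sha256=hashlib.sha256(expected).hexdigest(),
                verified=verify_image(image_path, result["sha256"], block),
                manifest_exists=os.path.exists(image_path + ".json"))


if __name__ == "__main__":
    print(image_constructed_sample())
```

The hash recorded in the manifest is that of the image, not of the original device; a second acquisition of a disk with a bad block will not match byte for byte, so the list of unreadable offsets is part of the evidence record.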

Page 20: Vulnerability identification

Potential vulnerabilities by category

Networks
• Poor physical security
• Configuration errors
• Poor configuration management
• Inadequate port security
• Use of vulnerable ICS protocols
• Unnecessary firewall rules
• Lack of intrusion detection capabilities

Configuration
• Poor account management
• Poor password policies
• Lack of patch management
• Ineffective anti-virus / application whitelisting

Platforms
• Lack of system hardening
• Insecure embedded applications
• Untested third-party applications
• Lack of patch management
• Zero-days

Policy
• Inadequate security awareness
• Social engineering susceptibility
• Inadequate physical security
• Insufficient access control

Page 21: Remote Access

• Control remote access through specialised virtual private networks (VPNs) or remote access servers (RAS)

• Further protection

– Endpoint policy enforcement

– Application-layer firewalls

– Point-to-point authorisation

Page 22: Network Traffic Inspection

Page 23: Firewall Configuration Guidelines

1. Place a deny-all rule at the end of the configuration

2. Configure specific exceptions for the traffic that is allowed

3. Verify that all Allow rules are explicitly defined

– Do not use "Any" for IP address or destination port/service entries
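The three guidelines are easy to state and easy to drift away from as exceptions accumulate, so they are worth checking mechanically. The following is an added example, not from the slides: a small auditor that takes a zone-boundary ruleset and reports a missing or misplaced deny-all, allow rules that use "any" for source, destination or port, and allow rules with no recorded justification. The Rule layout and the three rulesets (a weak one, its hardened equivalent, and one with the deny-all in the wrong place) are constructed for illustration; the addresses are not from the deck.

```python
"""Audit a zone-boundary firewall ruleset against the slide's three guidelines:
a trailing deny-all, explicit allow rules, and no "any" in allow rules.
Added example; the Rule format and all rules below are constructed."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str           # CIDR, or "any"
    dst: str           # CIDR, or "any"
    proto: str         # "tcp", "udp", "icmp", or "any"
    dport: str         # destination port/service, or "any"
    comment: str = ""  # why the rule exists


def is_deny_all(rule):
    return rule.action == "deny" and (rule.src, rule.dst, rule.proto, rule.dport) == (ANY, ANY, ANY, ANY)


def audit(rules):
    """Return a list of findings; an empty list means the ruleset meets the guidelines."""
    findings = []
    # Guideline 1: the configuration must end with an explicit deny-all
    if not rules or not is_deny_all(rules[-1]):
        findings.append("last rule is not an explicit deny-all; traffic no allow rule matches "
                        "falls through to the platform default")
    for n, rule in enumerate(rules, 1):
        if rule.action == "allow":
            # Guidelines 2 and 3: each allow names its source, destination and service
            for field in ("src", "dst", "dport"):
                if getattr(rule, field) == ANY:
                    findings.append("rule %d: allow rule uses 'any' for %s" % (n, field))
            if not rule.comment:
                findings.append("rule %d: allow rule has no justification comment" % n)
        elif is_deny_all(rule) and n < len(rules):
            # A deny-all anywhere but last shadows everything after it
            findings.append("rule %d: deny-all is not last; rules %d-%d can never match"
                            % (n, n + 1, len(rules)))
    return findings


# Weak ruleset: broad allows, nothing closes the list
WEAK = [
    Rule("allow", "10.20.0.0/16", ANY, "tcp", ANY, "control centre to cell"),
    Rule("allow", ANY, "10.10.1.20/32", "tcp", "3389"),
]

# Hardened equivalent: one rule per permitted conversation, deny-all last
HARDENED = [
    Rule("allow", "10.20.0.5/32", "10.10.1.10/32", "tcp", "102", "SCADA-01 to PLC-01, S7comm polling"),
    Rule("allow", "10.20.0.5/32", "10.10.1.11/32", "tcp", "102", "SCADA-01 to PLC-02, S7comm polling"),
    Rule("allow", "10.30.0.9/32", "10.10.1.20/32", "tcp", "3389", "jump host to HMI-01 for vendor support"),
    Rule("deny", ANY, ANY, ANY, ANY, "default deny"),
]

# Deny-all present but first: every rule after it is dead
MISORDERED = [
    Rule("deny", ANY, ANY, ANY, ANY, "default deny"),
    Rule("allow", "10.20.0.5/32", "10.10.1.10/32", "tcp", "102", "SCADA-01 to PLC-01"),
]

if __name__ == "__main__":
    for name, rules in (("WEAK", WEAK), ("HARDENED", HARDENED), ("MISORDERED", MISORDERED)):
        print(name, audit(rules) or ["ok"])
```

The hardened set is longer than the weak one on purpose: each allow rule is one conversation between two named hosts on one service, which is what makes the later rules in the deck (monitoring and limiting actions between zones) possible to enforce.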

Page 24: Selecting Host Cyber Security Systems

• Host Firewalls

• Host IDS

• Anti-virus

• Application Whitelisting

Page 25: Behavioral anomaly detection
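The slide carries only its title, so the following added example (not from the deck) shows the approach the title names, in the "whitelist" spirit of the Stuxnet lessons: learn which conversations a cell normally carries during a clean window, then alert on traffic that departs from that baseline. The flow record format, the Modbus function codes used and all records are constructed; a real deployment would feed the same logic from a span port or flow export.

```python
"""Behavioural baseline for an ICS cell: learn which (source, destination, port,
Modbus function) conversations occur, and how often, during a clean learning
window, then flag traffic that departs from that baseline. Added example; all
flow records are constructed, and the record format is an assumption."""
from collections import Counter

MODBUS_PORT = 502
# Modbus functions that change process state; a new one is more serious than a new read
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def polling(start, seconds, src, dst, fc, per_second=1):
    """Construct flow records (ts, src, dst, dport, function) for a regular poll."""
    return [(start + t, src, dst, MODBUS_PORT, fc)
            for t in range(seconds) for _ in range(per_second)]


# Constructed learning window (10 s): HMI-01 reads holding registers (fc 3)
# from PLC-01 and PLC-02 once a second, nothing else on the wire.
LEARNING_WINDOW = (polling(1000, 10, "10.10.1.20", "10.10.1.10", 3)
                   + polling(1000, 10, "10.10.1.20", "10.10.1.11", 3))

# Constructed detection window (10 s): the same polls plus three departures
DETECTION_WINDOW = (
    polling(2000, 10, "10.10.1.20", "10.10.1.10", 3)
    + polling(2000, 10, "10.10.1.20", "10.10.1.11", 3, per_second=4)  # 4x the usual poll rate
    + [(2003, "10.10.1.77", "10.10.1.10", MODBUS_PORT, 16)]           # unknown host writes registers
    + [(2005, "10.10.1.20", "10.10.1.10", MODBUS_PORT, 6)]            # known pair, new write function
)


def _span_seconds(records):
    stamps = [r[0] for r in records]
    return max(stamps) - min(stamps) + 1


def learn_baseline(records):
    """Whitelist of conversations with their observed rate (per second), plus known hosts."""
    counts = Counter(r[1:] for r in records)
    span = _span_seconds(records)
    return {
        "conversations": {key: n / span for key, n in counts.items()},
        "hosts": {r[1] for r in records} | {r[2] for r in records},
    }


def _alert(severity, key, reason):
    src, dst, dport, fc = key
    return {"severity": severity, "src": src, "dst": dst, "dport": dport,
            "function": fc, "reason": reason}


def detect(baseline, records, rate_factor=3.0):
    """Return alerts for conversations outside the baseline or well above its rate."""
    alerts = []
    span = _span_seconds(records)
    for key, n in sorted(Counter(r[1:] for r in records).items()):
        src, dst, dport, fc = key
        rate = n / span
        if src not in baseline["hosts"] or dst not in baseline["hosts"]:
            alerts.append(_alert("high", key, "unknown host"))
        elif key not in baseline["conversations"]:
            severity = "high" if fc in MODBUS_WRITE_FUNCTIONS else "medium"
            alerts.append(_alert(severity, key, "new conversation (Modbus function %d)" % fc))
        elif rate > rate_factor * baseline["conversations"][key]:
            alerts.append(_alert("low", key, "%.1f/s is over %.0fx the baseline rate"
                                 % (rate, rate_factor)))
    return alerts


def run_demo():
    return detect(learn_baseline(LEARNING_WINDOW), DETECTION_WINDOW)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Severity is driven by what the deviation means for the process: a write from a host the baseline has never seen, or a known host issuing a write it never issued before, outranks a known read that is merely running faster than usual. The baseline must be learned from a window known to be clean, otherwise an attacker already present is whitelisted along with everything else.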

Page 26: Splunk

Page 27: Summary

• Use a defence-in-depth approach

• Segment the network into zones to reduce the attack surface

• Monitor the network at different levels

• Use strong multi-factor authentication of users

• Ensure systems are patched and up to date

• Protect against external and insider threats

Page 28: Cybersecurity webinar

https://www.isa.org/templates/one-column.aspx?pageid=125964&productId=58794067

Page 29: Thank you! Any questions?

Paul Comerford

[email protected]