Standards

Certification

Education & Training

Publishing

Conferences & Exhibits

2017

Cyber Security ISA 99 / IEC 62443

Where Policy Meets Technology

City

Next2017

Presenter

2

Mayur Mehta

Manager - ICS security

PwC

City

Next2017

3

My Professional Journey

• Over 9.5 years of experience in ICS/SCADA domain and an expert in determining

threats and risk exposure on ICS products & plants, Interoperability and FAT test.

• Currently an ICS/ SCADA Risk Assessor with the Cyber Security practice of Big 4

Advisory function, based in Bengaluru.

• Member of ISA99/IEC62443 standards committee and leading ISA99 standard in ISA

Bangalore chapter.

• Certified on “Global Industrial Cyber Security Professional” (GICSP) from GIAC.

Certified Scrum Master (CSM), CTFL (ISTQB), Security+ (Cybrary), OPSEC(ICS

CERT), ATD (Advanced threat detection in ICS/ SCADA - Concise courses).

• Experience includes leading projects on Vulnerability analysis and penetration testing,

Secure Conduit design. Risk framework development and assessment, and cyber

reviews based on industry standards such as NERC-CIP, NIST800-82, IEC62443,

NCIIPC, ISO2700x, SANS Top20 Critical Control and OWASP Top10.

• Have also worked with Schneider Electric and SIEMENS.

• M.Tech from “BITS Pilani” in Software Systems (Networks and Networked Systems)

• B.E. from “JNCT/RGPV Bhopal” in “Electronics and Communications Engineering”

City

Next2017

CIA triad

• CIA or AIC triad Availability

- System are available and operational

when needed

Integrity

- Data is consistent, accurate and trustworthy

Confidentiality

- Protection against from disclosure to

untheorized individuals

• OT has two more requirements Reliability

- System performs intended functions

Safety

- Physical and environmental safety is

ensured

Confidentiality Integrity

Availability

City

Next2017

Why are we here

Source: ICS CERT

Chemical1%

Commercial Facilities

1%

Communications4%

Critical Manufacturing

33%

Dams2%

Defense1%

Energy16%

Nuclear Reactors2%

Financial…

Food & Agriculture1%

Government Facilities6%

Halthcare5%

Information Technology2%

Transportation8%

Water8%

Unknown9%

City

Next2017

Top10 ICS Cyber Threats

1. Social Engineering and Phishing (3)

2. Infiltration of Malware via Removable Media and External Hardware (2)

3. Malware Infection via Internet and Intranet (1)

4. Intrusion via Remote Access (5)

5. Human Error and Sabotage (4)

6. Control Components Connected to the Internet (6)

7. Technical Malfunctions and Force Majeure (7)

8. Compromising of Extranet and Cloud Components (9)

9. (D)DoS Attacks (10)

10.Compromising of Smartphones in the Production Environment (8)

Source: BSI Publications on Cyber-Security report

City

Next2017

Case#1: WannaCry

Step 3: WannaCry encrypts data files and ask users to pay a

US$300 ransom in bitcoins. The ransom note indicates that the

payment amount will be doubled after three days. If payment is

not made after seven days, the encrypted files will be deleted.

Step 4: It also drops a file named ! Please Read Me!.txt which

contains the text explaining what has happened and how to pay

the ransom

Step 5: WannaCry encrypts files with the following

extensions, appending .WCRY to the end of the file name

Step 6: It propagates to other computers by exploiting a known

SMBv2 remote code execution vulnerability in Microsoft

Windows computers: MS17-010

Step 1: 12 May 2017: WannaCry ransomware infections surge

• Preliminary analysis identifies self-propagating exploit

• Targets MS17-010, SMBv1 Critical Vulnerability - Shadow

Brokers

Step 2: Initial infection vector is unknown

• Once on host, malware launches process to:

• Scan for TCP Port 445 (SMB)

• If open port identified, exploit attempted

• Exploit modeled after ‘ErernalBlue’

• Malware also drops implant ‘DoublePulsar’

City

Next2017

Case#1: WannaCry

3

3

4

4

5

5

6

6 7

Download of patch and

reverse engineering for

vulnerability identification

Exploit development

Testing and deployment of

exploit

Successful attack

Testing of patch with

applications by ICS

vendors

Publishing of patches for

applications or approval for OS

patch

Asset owner download

and test the patch in test environment

Patch deployment

in downtime

Protection from cyber

attack

Vulnerability identificationand patch development

Patch ReleaseBy OS vendor

21

ICS community actions

Black hat actions

Hackers are one step

ahead in the game of

security.

Organizations Needs

to work together to

reduce the response

time.

~ >150 days

~ < 30 days

Need for Timely Patch Management

City

Next2017

Case#1: WannaCry

City

Next2017

Case#1: WannaCry

Count measures In the Event of An Attack

Isolate the system from the network to counter any

spread of the ransomware

Decryption is not available now.

Format the system if needed.

Block 445 on AD, if that’s feasible

Domains/Remote IPs (Firewalls/IPS/IDS/Proxy)

-- www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

57g7spgrzlojinas.onion, 76jdd2ir2embyv47.onion

cwwnhwhlz52maqm7.onion, gx7ekbenv2riucmf.onion

sqjolphimrr7jqw6.onion, xxlvbrloxvriy2c5.onion

-- 128.31.0.39, 144.76.92.176, 148.244.38.101, 149.202.160.69,

163.172.149.155, 171.25.193.9, 195.22.26.248, 197.231.221.221

198.96.155.3, 213.61.66.117, 46.101.142.174, 46.101.166.19

62.210.124.124, 91.121.65.179, 91.219.237.229

-- www.bancomer.com.mx, graficagbin.com.br, dyc5m6xx36kxj.net

gurj5i6cvyi.net, bcbnprjwry2.net, bqmvdaew.net, sxdcmua5ae7saa2.net

rbacrbyq2czpwnl5.net, ow24dxhmuhwx6uj.net, fa3e7yyp7slwb2.com

wwld4ztvwurz4.com, bqkv73uv72t.com, xanznp2kq.com

chy4j2eqieccuk.com, lkry2vwbd.com, ju2ymymh4zlsk.com

43bwabxrduicndiocpo.net, sdhjjekfp4k.com

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

File Hash Values (AV/Sandboxing Tool)Available, can be shared offline (SHA-256, MD5, .

(To put a filter on the email gateway/end-point to detect the

following hash values)

Antivirus Signatures

Put a filter on the AV for the detection of following signatures

Ransom.CryptXXX

Trojan.Gen.8!Cloud

Trojan.Gen.2

Ransom.Wannacry

AV signatures to be updated with latest definitions (DAT)

Need to have strong Incident response and DR plan.

Communications were observed to the below

IP addresses from the compromised systems

• 197[.]231[.]221[.]211

• 128[.]31[.]0[.]39:9191

• 149[.]202[.]160[.]69

• 46[.]101[.]166[.]19

• 91[.]121[.]65[.]179

City

Next2017

Case#2: STUXNET

Sophisticated attack destroyed up to 1,000 uranium

enrichment centrifuges at a high-security Iranian

nuclear facility

Multi-stage attack

Social engineering techniques used to penetrate plant

defenses

Replicated worm in PCs and infected LAN

PLCs located; looked for centrifuges

Once located spun them up to eventually fail

Masked control room monitors

Key security compromises: Integrity & Availability

Infiltration of Malware via Removable Media and External Hardware

City

Next2017

Case#2: STUXNET

Source: Symantec

Infiltration of Malware via Removable Media and External Hardware

City

Next2017

ISA 99 / IEC 62443

City

Next2017

Few ICS Security Standards

ISA 99 / IEC 62443 NIST 800-82

enisaISO 27001/2 ICS-CERT

NERC

City

Next2017

History of ISA99 / IEC62443

• ISA/IEC 62443 is a series of standards being developed by two groups:

– ISA99 ANSI/ISA-62443

– IEC TC65/WG10 IEC 62443

• In consultation with:

– ISO/IEC JTC1/SC27 ISO/IEC 2700x

• International in scope

• Requirement contributions come from other standards like NERC-CIP, NIST etc

• Flexible framework which serves a basis for Country and Local standards as well as

Manufacturing guidelines.

City

Next2017

ISA 99 / IEC 62443 Standards

The first (top) category includes common or

foundational information such as concepts, models

and terminology. Also included are work products

that describe security metrics and security life

cycles for IACS.

The second category of work products targets the

Asset Owner. These address various aspects of

creating and maintaining an effective IACS

security program.

The third category includes work products that

describe system design guidance and

requirements for the secure integration of

control systems. Core in this is the zone and

conduit design model.

The fourth category includes work products that

describe the specific product development and

secure technical requirements of control

system products. This is primarily intended for

control product vendors, but can be used by

integrator and asset owners for to assist in the

procurement of secure products

1.1 Terminology,

concepts and

models

1.2 Master

glossary of terms

and abbreviations

1.3 System

security

compliance

metrics

1.4 IACS security

lifecycle/use cases

2.1 Requirements

for IACS security

management

system

2.2 Implementation

guidance for

security system

management

2.3 Patch

management in

the IACS

environment

2.4 Installation and

maintenance

requirement

3.1 Security

technologies for

IACS

3.2 Security

assurance levels

for zones and

conduits

3.3 System

security

requirements and

security levels

4.1 Product

development

requirements

4.2 Technical

security

requirements for

IACS components

Gen

era

lP

oli

cie

s &

Pro

ced

ure

Syste

mC

om

po

ne

nts

ISA99/IEC-62443 standard is a family of standards with a large scope of use for ICS / OT / SCADA

environments. Some guidelines are rather general, while others are precise, specific and focussed. Many

of those guidelines are still in the process of being defined or upgraded.

City

Next2017

A holistic security concept is context

dependent

Onsite

Designs and

Deploys

Operates and

Maintains

System Integrator

Asset Owner

Service Provider

Operational policies and procedures review

and creation and risk management.

Basic Process

Control System

(BPCS) assessment

and design

Safety Instrumented

System (SIS) review

and design

Complementary

HW/SW

implementation

Maintenance policies and procedures,

patch and vendor management

2-4

3-2

2-1

2-42-3

3-3

ISA99 reference

Offsite

Develops control

systems

4-1

3-3

4-2Product Supplier

Vendor scope

Secure architecture design, zones and conduits.

CSAT

Industrial Automation and Control System (IACS)

Automation solution deployment

Secure product and system development.

CFAT

City

Next2017

Zones and Conduits

Field level

Sensors, Pre

Actuators

& Actuators.

Operation level

SCADA/DCS, Operators,

HMIs

IT-OT separation zone

Mirror Historian, Patch Mgmt, AV Server

Control level

PLC /Controllers/

LHMIs

DMZ

Plat management level

Engineering station, Historian, OPC

Management level

Enterprise Resource Planning, IT &

Mobile devices

Level 0

Level 1

Level 2

Level 3

Level 4

Level 5

Unidirectional gateway/Data Diode,

Network monitoring, Log management

& Auditing

Next-gen Firewalls

System Hardening, Active Directory

(AD), App whitelisting, Secure design

implementation, Patch Management,

Configuration management, Password

Management, Change Management,

Backup & Restoration and User

specific access control

Harden automation

controllers, Disable

unwanted ports

Harden

automation field

devices, CCTVs,

physical

protection

Harden handheld devices and Database

servers

City

Next2017

Need of the hour

• OT Security Governance

• OT planning & Project

• Audit of the important security processes

• OT Cyber Security Team

Governance

• Vulnerability and patch management

• Security incident management

• OT Physical Controls Area SecurityOperations

• OT Security Infrastructure – System Architecture

Review

• Vulnerability assessment and penetration testing

• End user environment audit

Infrastructure

Ensure proactively

implementing appropriate OT

security controls to support

security’s mission in a cost-

effective manner while

managing evolving OT

security risks.

Ensure a safe setup of infrastructure by implementing appropriate security controls following a defence in depth design concept in the network infrastructure.

Continuously monitor performance of systems to ensure that it is consistent with agreed security requirements, and needed system modifications are incorporated.

City

Next2017

Lots to be done by vendors

SDL

ISA99 StandardICS Secure Levels Security requirement

Security Test Plan

Secure Feature implementation

Security Test Cases

SL based Test cases

Identify product

level in ICS layer

Secure by design approach

City

Next2017

ISA/IEC 62443 Cybersecurity Certification

Programs

• Certificate 1: ISA/IEC 62443 Cybersecurity Fundamentals Specialist

• Certificate 2: ISA/IEC 62443 Cybersecurity Risk Assessment Specialist

• Certificate 3: ISA/IEC 62443 Cybersecurity Design Specialist

• Certificate 4: ISA/IEC 62443 Cybersecurity Maintenance Specialist

• ISA/IEC 62443 Cybersecurity Expert: Individuals who achieve Certificates 1,

2, 3, and 4

• Certificate Steps:

– Complete a designated training program

– Pass a multiple choice exam through the Prometric testing center

City

Next2017

Q&A