securing industrial control systems - corncon ii: the wrath of corn
TRANSCRIPT
Introduction
Securing Industrial Control Systems
Eric Andresen
CornCON 2016
September 17, 2016
Q. How many people are here at CornCON for the first time?
Eric Andresen - https://www.linkedin.com/in/andresen1206
30 years technical experience, 27 years IT experience. Information Security Manager, IT, for SSAB Americas.
Founding member of the Quad Cities Cybersecurity Alliance.
Experience in electronics, field service, ISP webmaster and Internet services, and enterprise communications.
Member of IEEE and the Chicago InfraGard Chapter.
Certified by FEMA, HP, CompTIA, Microsoft, and others.
Previous positions as Project Manager, Server Management, Critical Infrastructure Management and IT Operations Management.
In brief
Nordic and US-based steel company with a global reach
Leading producer of Advanced High Strength Steels
About 17,300 employees in 50 countries
Steel production facilities in Sweden, Finland and the US
Annual steel production capacity of 8.8 million tons
Listed on multiple public exchanges
100% recyclable products; 97% recycled raw materials, saving 600,000 tires per year; production results in 66% less CO2 emissions; recycle over 1 million gallons of water a year. Aiming for a CO2 free process. Iowa facility makes steel using 40% wind power.
Making a World of Difference
17,300 employees in over 50 countries. Main production sites in Sweden, Finland and the US.
(Map: SSAB production sites and sales coverage)
Disclaimer
The views expressed in this presentation are those of the author and do not necessarily reflect the views of SSAB, IEEE or the Quad Cities Cyber Security Alliance.
This presentation is TLP: White and may be distributed, shared, remixed and reused without restriction.
Good to have a goal
Your primary responsibility is to prevent compromise.
You need to preserve the safety and reliability of the physical process, not the system itself.
Adequately protect systems.
ICS system failure can result in:
Loss of life
Loss of revenue
Loss of equipment
Environmental damage
Loss of service
Q. Who do we have in the room? Manufacturing? Energy? Nuclear? Power? Brewing or other scientific?
Basics
Know your network
Know your hosts
Know your enemy
Know what your enemy knows
Protection is key, but detection is a must
Apply principles of least privilege
Apply defense in depth
Use what you have
You are not alone!
Quad Cities Cyber Security Alliance - https://www.facebook.com/groups/QCCyber/
US-CERT & ICS-CERT - www.us-cert.gov, ics-cert.us-cert.gov, 877-776-7585
NIST - www.nist.gov
SCADAHACKER - https://scadahacker.com
C3 voluntary program - https://www.us-cert.gov/ccubedvp
DHS AIS and CISCP - [email protected]
https://www.dhs.gov/topic/cybersecurity-information-sharing
https://www.us-cert.gov/ais
https://www.dhs.gov/ciscp
InfraGard - www.infragard.org
FIRST.org and Information Sharing and Analysis Centers (ISACs)
National Strategy for Securing Control Systems - https://ics-cert.us-cert.gov/sites/default/files/documents/Strategy%20for%20Securing%20Control%20Systems.pdf
AIS: Automated Indicator Sharing. CISCP: Cyber Information Sharing and Collaboration Program.
Q. Who is an alliance member?
Q. Any C-Cubed members?
Network and Share
InfraGard - www.infragard.org
American Society for Industrial Security - www.asisonline.org
National Cybersecurity Partnership
HSIN - dhs.gov/homeland-security-information-network-hsin
Professional relationships
LinkedIn Groups - Industrial Control System Cyber Security (ICS-CS) - linkedin.com/topic/industrial-control-systems-security
Local organizations: Quad Cities Cyber Security Alliance, IEEE, ISACA
Leverage CSF
NIST Cybersecurity Framework - http://www.nist.gov/cyberframework/
Q. Anyone using the NIST CSF?
It's a little simplistic but a good start. Up to 30% of organizations are already using CSF in some manner. Powerful crosswalks are available. Identify, Protect and Detect are right on. Respond and Recover are a little lackluster in an ICS environment: if you are trying to protect a process and not information, once the genie is out of the bottle, well, it's over.
What is it?
Standard expression of current state
Standard way to express who you want to be when you grow up
Identify and prioritize opportunities to improve
Measure progress
Drives communication to teams and management
What's in it?
Core set
Tiers
Profiles
Identify
Asset Management
Identify and Categorize Risks
Identify Stakeholder Communities
Identify the correct Controls for your risks
Secure Network Interconnections
Identify Special Protocols
Perform Risk Assessments
Perform Protocol Analysis
Strategies
Indicators of Compromise
ICS-CERT will train you for FREE
What is available? https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
Operational Security (OPSEC) for Control Systems (100W) - 1 hour
Cybersecurity for Industrial Control Systems (210W) - 15 hours
The 210W courses are:
210W-01 Differences in Deployments of Industrial Control Systems (ICS)
210W-02 Influence of Common Information Technology (IT) Components on ICS
210W-03 Common ICS Components
210W-04 Cybersecurity within IT and ICS Domains
210W-05 Cybersecurity Risk
210W-06 Current Trends - Threats
210W-07 Current Trends - Vulnerabilities
210W-08 Determining the Impact of a Cybersecurity Incident
210W-09 Attack Methodologies in IT and ICS
210W-10 Mapping IT Defense-in-Depth Security Solutions to ICS
ICS-CERT Virtual Training Portal - https://ics-cert-training.inl.gov
TEEX will also train you for free
What is available?
AWR138 Network Assurance
AWR139 Digital Forensics Basics
AWR168 Cyber Law and White Collar Crime
AWR169 Cyber Incident Analysis and Response
AWR173 Information Security Basics
AWR174 Cyber Ethics
AWR175 Information Security for Everyone
AWR176 Disaster Recovery for Information Systems
AWR177 Information Risk Management
AWR178 Secure Software
ICS-CERT Virtual Training Portal - https://teex.org/Pages/Program.aspx?catID=199
Source: https://teex.org/Pages/default.aspx
FEMA will also train you for free
What is available?
Set up a free FEMA Student ID - https://cdp.dhs.gov/FEMASID
FEMA Continuity of Operations Workshop - https://www.fema.gov/continuity-operations-workshops
Incident Command System (ICS) training
Critical Infrastructure Support
National Infrastructure Plan
Protecting Critical Infrastructure Against Insider Threats
Q. Anyone here with a FEMA Training ID?
You get millions of dollars of research for free
What is available?
NIST Computer Security Resource Center
SP800-82 ICS Security: Developing a Risk Program, Secure Architecture, ICS Security Controls
ICS-CERT Defense-in-depth recommended practices
Start a project
"If you don't start somewhere you're gonna go nowhere." - Bob Marley
Build a risk based program
Know what you're protecting
Segment in trust boundaries
Develop ICS relevant policies
Build a 60 second elevator pitch and Always Be Closing.
All control systems are software, and all software can be hacked!
Create a business case for an ICS Security Program, prioritize your potential costs, and estimate damage scenarios. How many could be hospitalized? How many could be killed? What is the potential for capital investment loss? What is the potential for an environmental cleanup need?
Know your brushes from your diamonds. If you try to protect your toothbrushes and your diamonds, you will lose fewer toothbrushes and more diamonds.
Use a risk based approach: know what you are protecting, your threats, vulnerabilities, likelihood and impact. Only you can know these things in your context.
Industry Activity
Source: https://www.youtube.com/watch?v=OVMwI2TWrZw
Before video: Reflecting on this story will help you to understand why SSAB and I both care deeply about protecting industrial control systems. This is a news story from 2014 about another steel company, from Germany. Just to be clear, this is not an SSAB facility.
After video: The steel company depicted in this video lost the ability to control their furnaces, and eventually this led to a runaway condition that resulted in the loss of property. In this case it was just property. Industrial controls control physical processes, and so the consequences of a breach are often much higher than in traditional IT systems.
Know your stakeholders
Legal Team
Safety Team
ICS Engineers
Procurement Teams
Sr. Management Teams
Human Resources
Inside and Outside Sales
Quality
Research and Development
Q. What other stakeholder groups might we see?
Many hands make light work
Don't try to do it all yourself.
Divide work by stakeholder teams.
Ensure stakeholder teams understand their roles.
Work top down
Start at the TOP!
Have the top ask their managers for support.
Work with those managers to ask them for support.
Keep pushing to the bottom.
Cyber Resilience Review
Self Assessment - Simple PDF Questionnaire
Built before NIST CSF / Has been
Built on top of the CERT Resilience Management Model (RMM)
Measure your maturity in:
1 Asset Management
2 Controls Management
3 Configuration and Change Management
4 Vulnerability Management
5 Incident Management
6 Service Continuity Management
7 Risk Management
8 External Dependencies Management
9 Training and Awareness
10 Situational Awareness
Source: https://www.us-cert.gov/ccubedvp/assessments
ICS-CERT Cyber Security Evaluation Tool - CSET
Source: https://www.youtube.com/watch?v=nvVeeWvw97E&list=PLEFu5pmwnq0pZyEOWgysq4OzI_FIQaXhM&index=3
This slide contains video content with audio.
ICS-CERT maintains a little known but powerful tool called the Cybersecurity Evaluation Toolkit. If you are interested in cybersecurity it is likely you would benefit from CSET.
CSET Features
Wizard approach to setting security assurance levels
Flexible standards
Network diagrams
Extensive Resource Library
Reporting
CSET offers a wizard based approach to setting security assurance levels, flexible standards, network diagramming tools, an extensive resource library (good for anyone interested in cyber) and custom reporting tools.
CSET Features - Analysis
The analysis screen provides you with a way to measure your security posture against selected standards. It uses charts to provide a visual display of your data and at the same time allows for comparisons across categories, questions, and subject areas. The analysis screen will also allow you to drill down on specific data from a given chart for more information.
The charts presented are fixed and depend on your evaluation mode. Selecting the CSF evaluation mode will result in a different set of charts than the question or framework modes.
CSET Features - Assurance Level
One of the fundamental decisions you must make when performing an evaluation is to select a Security Assurance Level. Sometimes you know based on a standard what level you need to conform to, but others may not have a clue where to start to determine what assurance level is best.
CSET offers several ways to make this decision.
Setting an assurance level in CSET:
Manually set Low, Moderate, High or Very High for each of Confidentiality, Integrity and Availability (CIA).
Question based: answer YES or NO questions, using FIPS and NIST standards as guidance.
Consequence based: use a series of sliders to indicate a number of people or dollars for each category.
An assurance level set to Low will result in questions later that are less demanding than would result from a Moderate, High or Very High assurance level.
Cyber Security Evaluation Tool (CSET)
DHS Cyber Security Evaluation Tool
Systematic, Disciplined, Repeatable
Version 8 launches September 13 for download
Supports 35 industry accepted cybersecurity standards, covering general environments as well as Chemical, Oil, Gas, Electrical, Nuclear, and other models.
Key Questions and Universal Questions: SP800-53, SP800-171, SP800-82
Wizard Based Assurance Level Calculator
Import and Export for Visio drawings
Reports in PDF or DOCX: Executive Summary, Site Summary, Detail Report, Security Plan
Source: https://teex.org/Pages/default.aspx
Control System Architecture Analysis
Design Architecture Review (DAR)
2 to 3 day review of network architecture
On site by DHS staff (INL)
Meet with Information Technology and Operational Technology teams
Review vendor support
Review cyber security controls
Review asset inventory
Review ICS network architecture
Review protective and detective controls
Review device configuration
Review physical security of critical assets
Source: https://ics-cert.us-cert.gov/Assessments
Network Architecture - Zoning
See SP800-82: zones establish a trust boundary, and across the more than 200 incidents ICS-CERT handles each year, boundary protection is a key finding. Big flat networks are bad; they expose you. Don't build them.
The following zones segment information architecture into five basic functions:
External Zone is the area of connectivity to the Internet, and communication with peer and remote facilities. It is the point of connectivity that is usually considered untrusted. For industrial control systems, the external zone has the lowest priority and the highest variety of risks.
Corporate Zone is the area of connectivity for corporate communications. E-mail servers, DNS servers, and IT business system infrastructure components are typical resources in this zone. A wide variety of risks exist in this zone because of the number of systems and the connectivity to the External Zone. However, because of the maturity of the security posture and the redundancy of systems, the Corporate Zone's precedence can be considered a lower priority than other zones, but much higher than the External Zone.
Manufacturing/Data Zone is the area of connectivity where the vast majority of monitoring and control takes place. It is a critical area for continuity and management of a control network. Operational support and engineering management devices are located in this zone, alongside special servers called data historians that log events. The Manufacturing Zone is central in the operation of both the end devices and the business requirements of the Corporate Zone, and the priority of this area is considered high. Risks are associated with direct connectivity to the External Zone and the Corporate Zone.
Control Zone is the area of connectivity to devices such as Programmable Logic Controllers (PLCs), HMIs, and basic input/output devices such as actuators and sensors. The priority of this zone is very high, as this is the area where the functions of the devices affect the physical end devices. In a modern control network, these devices will have support for TCP/IP and other common protocols.
Safety Zone usually has the highest priority because these devices have the ability to automatically control the safety level of an end device (such as Safety Instrumented Systems). Typically, the risk is lower in this zone as these devices are only connected to the end devices, but recently many of these devices have started to offer TCP/IP connectivity for the purposes of remote monitoring and redundancy support.
Control System Architecture Analysis
Network Architecture Verification and Validation
Review protocol hierarchy, data flows and organization of the network
Review netflow device-to-device communication
Review traffic attempting to traverse boundaries
Baseline of network traffic
Validates that the network is clean and clear of known threats
Source: https://ics-cert.us-cert.gov/Assessments
Look at functional correctness, reliability and usability.
You can do a light version of this yourself, but not the analytics. These are performed by running the data through Security Onion and Bro scripts.
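The zone model from the Zoning slide and the boundary-traversal review from Network Architecture Verification and Validation, as an added Python example that is not code from the presentation, ICS-CERT or SP800-82: it encodes the five zones in priority order, an assumed subnet plan and an assumed allow-list of permitted crossings, then reviews constructed netflow-style records and flags any flow that jumps over a zone or crosses a boundary on a service that is not approved. Zone names come from the slide; the subnets, ports and sample flows are assumptions.

```python
"""Zone-boundary review of ICS network flows (added example, not from the talk).

Encodes the External / Corporate / Manufacturing / Control / Safety zones and
checks constructed flow records for boundary crossings that skip a zone or
use a service that is not on the allow-list. Subnet plan, allow-list and
sample flows are assumptions for illustration.
"""
from ipaddress import ip_address, ip_network

# Zones ordered from least trusted (External) to highest priority (Safety).
ZONE_ORDER = ["external", "corporate", "manufacturing", "control", "safety"]

# Constructed address plan (assumption). Anything outside the plan is
# treated as External, i.e. untrusted.
ZONE_SUBNETS = {
    ip_network("10.10.0.0/16"): "corporate",
    ip_network("10.20.0.0/16"): "manufacturing",
    ip_network("10.30.0.0/16"): "control",
    ip_network("10.40.0.0/16"): "safety",
}

# Allow-list of boundary crossings (assumption): (initiator zone, target
# zone, destination port). Only neighbouring zones may talk, and only on
# explicitly approved services.
ALLOWED = {
    ("corporate", "manufacturing", 443),   # business users read the historian
    ("manufacturing", "control", 502),     # SCADA polls PLCs over Modbus/TCP
    ("control", "safety", 502),            # controller reads SIS status
}

INTRA = "intra-zone"
OK = "allowed boundary crossing"
SKIP = "violation: crossing skips a zone"
UNLISTED = "violation: crossing not on allow-list"


def zone_of(ip):
    """Map an address to its zone; unknown addresses count as External."""
    addr = ip_address(ip)
    for net, zone in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    return "external"


def check_flow(src_ip, dst_ip, dst_port):
    """Classify one flow, taken as initiator -> target, against the model."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return INTRA
    # Adjacent zones are one step apart in ZONE_ORDER; anything further
    # means traffic bypassed an intermediate trust boundary.
    if abs(ZONE_ORDER.index(src) - ZONE_ORDER.index(dst)) > 1:
        return SKIP
    if (src, dst, dst_port) in ALLOWED:
        return OK
    return UNLISTED


def review(flow_lines):
    """Parse 'src,dst,port' lines (a reduced netflow export) and return
    the violations as (src, dst, port, verdict) tuples."""
    findings = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = line.split(",")
        verdict = check_flow(src, dst, int(port))
        if verdict.startswith("violation"):
            findings.append((src, dst, int(port), verdict))
    return findings


# Constructed flow records, one per line, in the shape of a trimmed netflow export.
SAMPLE_FLOWS = """\
# src,dst,dst_port
10.20.1.5,10.30.2.7,502
10.10.5.5,10.20.1.9,443
10.10.5.5,10.30.2.7,502
203.0.113.9,10.30.2.7,502
10.10.5.5,10.20.1.9,3389
10.30.2.7,10.30.2.8,502
""".splitlines()

if __name__ == "__main__":
    for finding in review(SAMPLE_FLOWS):
        print(*finding)
```

Records are read as initiator-to-target, so a reply is not a separate record; a flow from Corporate straight to a PLC, or from an unknown (External) address into the Control Zone, is reported as skipping a zone even when the port itself would be approved between neighbours. Feeding the output of a real flow export into `review` gives you the "traffic attempting to traverse boundaries" list the DHS assessors build.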
Infrastructure Visualization Platform
Supports critical infrastructure and emergency responders
DHS scans the environment and provides you with several copies, including viewpoints for Hostile Targets and Civil Response
Helps first responder teams help you during a cyber-physical event
Source: https://www.dhs.gov/infrastructure-visualization-platform
Open Source Tools
YARA - plusvic.github.io/yara/
YARA rules from ICS-CERT or http://yararules.com/
Wireshark - https://www.wireshark.org/
Moonsols Memory Toolkit - DumpIt - www.moonsols.com
Laura Chappell on YouTube: Introduction to Wireshark course, WTC01 & WTC02
Grass Marlin - https://github.com/iadgov/GRASSMARLIN
Google Dorking
Shodan - shodan.io
Windows Built-In Tools
Windows Built-In Tools
> tasklist /svc - List all services running on a host, with the process (PID) hosting each one
> netstat -noa - List all ports with the associated process (PID)
Quick triage snapshot: save the lines below as a .cmd file and run it with the output file path as its first argument (%1), for example triage.cmd C:\triage\host1.txt (the script name and path are examples). netstat -b needs an elevated prompt; doskey /h captures the history of the console you run it from.
date /t > %1
time /t >> %1
whoami >> %1
systeminfo >> %1
ipconfig /all >> %1
arp -a >> %1
netstat -b >> %1
schtasks >> %1
doskey /h >> %1
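What the two built-in commands above buy you is a join: netstat gives the port and the PID, tasklist gives the PID and the service behind it. The following is an added Python example, not code from the presentation, that parses both outputs and lists every listening socket together with its process and services, then reports the ones that are not in an approved baseline. The two text blocks are constructed samples laid out the way Windows prints them; on a real host you would save the command output to files and read those in. Process names, PIDs and the baseline are assumptions.

```python
"""Join 'netstat -noa' with 'tasklist /svc' into a port -> process -> service
table and flag listeners outside a baseline (added example, not from the talk).
"""
import re

# Constructed sample of 'netstat -noa' output (assumption, not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1220
  TCP    10.20.1.5:49700        10.30.2.7:502          ESTABLISHED     3344
  UDP    0.0.0.0:161            *:*                                    2040
"""

# Constructed sample of 'tasklist /svc' output (assumption, not a real capture).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    912 RpcEptMapper, RpcSs
svchost.exe                   1220 TermService
snmp.exe                      2040 SNMP
scadapoll.exe                 3344 N/A
"""


def parse_netstat(text):
    """One dict per socket line. UDP rows have no State column, so the PID
    is the fourth token instead of the fifth."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts[:5]
        else:
            proto, local, foreign, pid = parts[:4]
            state = ""
        host, port = local.rsplit(":", 1)  # rsplit also copes with [::]:port
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


# Image name, PID, then the service list; the header and separator lines
# have no integer in the PID column and therefore do not match.
TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")


def parse_tasklist(text):
    """Map PID -> {'image': name, 'services': [...]}; 'N/A' means none."""
    tasks = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if not m:
            continue
        image, pid, services = m.group(1), int(m.group(2)), m.group(3)
        svc = [] if services == "N/A" else [s.strip() for s in services.split(",")]
        tasks[pid] = {"image": image, "services": svc}
    return tasks


def listeners(netstat_text, tasklist_text):
    """Listening TCP sockets plus every UDP socket, joined with their process."""
    tasks = parse_tasklist(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue
        proc = tasks.get(row["pid"], {"image": "?", "services": []})
        out.append((row["proto"], row["port"], row["pid"], proc["image"], proc["services"]))
    return sorted(out, key=lambda r: (r[0], r[1]))


def unexpected_listeners(netstat_text, tasklist_text, baseline):
    """Listeners whose (proto, port) is not in the approved baseline."""
    return [l for l in listeners(netstat_text, tasklist_text) if (l[0], l[1]) not in baseline]


# Approved listeners for this host class (assumption).
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 161)}

if __name__ == "__main__":
    for l in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, BASELINE):
        print("unexpected listener:", l)
```

Established connections are left out of the listener table on purpose; they belong in the flow review rather than the host baseline. Keeping a baseline per host class and diffing each triage snapshot against it turns the two slide commands into a repeatable check rather than a one-off look.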
Technology and Innovation
New products are coming to market from security companies that understand ICS and SCADA protocols. Not just for TCP anymore:
Modbus
Profinet
BACnet
S7
OPC
and more
ICS vendors are catching up. Traditional vendors are branching out.
Questions
Eric Andresen - https://www.linkedin.com/in/andresen1206
Sample Questions
[Procurement] Are appropriate agreements finalized before access is granted, including for third parties and contractors?
[Code Protection] Are malicious code protection mechanisms used at system entry and exit points and at workstations, servers, or mobile computing devices?
[Media Control] Is the capability for automatic execution of code on removable media disabled?
[Physical Security] Is entry to the facility controlled by physical access devices and/or guards?
[Awareness Training] Is basic security awareness training provided to all system users before authorizing access?