30 July 2014 ISACA Professional Guidance Webinar
EMEA Series
Cybersecurity Diagnosis in Industrial Environments
Attendee Questions & Answers
On 30 July 2014, ISACA presented a 60-minute webinar on Cybersecurity Diagnosis in Industrial
Environments. It will be available on archive until July 2015; please visit
http://www.isaca.org/Education/Online-Learning/Pages/Webinar-Cybersecurity-Diagnosis-in-IndustrialEnvironments.aspx to access.
Our Speaker, Ignacio Paredes, CISA, CISM, CRISC, Security Consultant has been able to respond to the
many of questions that were asked by attendees. Below is a recap:
#
1
2
3
QUESTION
Do you have any other favorite tool sets
such as Kali Linux?
If a contract is signed before work starts
and there is a clause in the contract on
confidentiality, Is it necessary to still sign
a Non-Disclosure Agreement?
Could you please give an example of a
regulation mandating industrial cyber
security measures?
Aren't there systems (e.g. those
delivering a Safety function) for which
Integrity is more significant than
availability?
4
What is the best way to do the patching
in the operation environment
5
6
Could you recommend any books,
publications or research documents?
ANSWER
I use lots of different tools, many of them included in
distros like Kali, but the important point about using a
tool is to know how it works on a low level and how to
use it in each environment.
In that case you already have the NDA. The important
thing is to have it signed before starting the work.
NERC CIP for North America electric system, CFATS for
chemical facilities, and in general every Critical
Infrastructure Protection law.
Of course. Think about the systems to do the mixing of
ingredients in the right proportion for a medicine. The
main issue here is the integrity of the process (you don't
want a wrong mix). But, in general, the main
cybersecurity dimension in industrial environments is
availability. The same happens on corporate IT where
the main dimension is confidentiality, but of course,
here you also have systems whose availability is
paramount.
There is no silver bullet here. You must rely on different
components such as a proper change management
process and testing on advance in non-production
systems. But manufacturers have a lot to say here. They
must take their responsibility on this issue and provide
suitable solutions for patching their systems timely and
securely. It is usual that manufacturers have their
support service for end users systems associated to a
given patching level that isn't necessarily the optimal
one. You can find more info about patching ICS in the
DHS paper "Recommended Practice for Patch
Management of Control Systems"
A good introduction to ICS cybersecurity is NIST Special
Publication 800-82 "Guide to ICS Security". We at the
1
30 July 2014 ISACA Professional Guidance Webinar
EMEA Series
Cybersecurity Diagnosis in Industrial Environments
Attendee Questions & Answers
7
8
9
10
Does an IT auditor require to review the
sensor calibration to ensure that the
right data is fed into the Level1
How does a non-OT IT personnel learn
about the complex OT technologies
deployed by the client in the stipulated
deadlines?
What other controls for security of ICS
could be deployed that would enhance
the security of these systems like SIEM,
IDS/IPS, etc. Please provide some
examples which would be helpful to
enhance security measures
Could you elaborate more on passive
scanning? For example, is using
programs such as nmap ok for scanning
industrial systems, or does this
constitute automated scanning?"
What framework can be used as a
reference for your security diagnosis?
11
What kind of extra training do you
recommend for a CISA qualified auditor
12
13
Who is the person who would typically
ask for this kind of diagnosis? IT person
Industrial Cybersecurity Center have also developed
some good documents on the topic. In addition we have
a weekly newsletter with a section dedicated to
documents specific to industrial cybersecurity. If you
want to subscribe just let me know.
Nope, there are people in the facility whose work is
precisely that, but related to this, the cybersecurity
auditor should be aware of possible ways of tampering
with the sensors.
This is a very complex environment, so gathering all the
needed knowledge requires a lot of effort and time. A
way to obtain that knowledge is to offer to your
industrial customers a free-diagnostic of their industrial
environments. You will not earn money, but you will gain
a lot of valuable knowledge.
Having an IDS (detection mode) in the industrial network
is a big advance on cybersecurity. This environments
have very deterministic traffic (it is very well defined
which systems should communicate) so the IDS is easy to
setup and can give very valuable information about
possible threats. Other important technical measures
are industrial firewalls able to understand the context of
industrial protocols.
Nmap is definitely active. Every tool that injects traffic
on the network is active and therefore potentially could
damage the ICS.
There is not a single framework that can address all the
aspects of the diagnosis. You should use a combination
of standards and frameworks depending on your
environment. ISA-99/ISA-62443, ISO 2700X, NERC CIP,
CFATS, and DHS provides a handy tool called CSET that
can help you to assess the cybersecurity of an industrial
facility against different frameworks.
Currently there is not so much training specific to
industrial cybersecurity: The Global Industrial Cyber
Security Professional (GICSP) is a new certification
focused on this topic. Scadahacker.com has very good
training on industrial cybersecurity, the ICS-CERT offers
good courses on the topic (some of them online) and we,
the Industrial Cybersecurity Center have also training on
industrial cybersecurity.
Both. I have had petitions for this service coming from
IT, OT, security and general management, as in many
2
30 July 2014 ISACA Professional Guidance Webinar
EMEA Series
Cybersecurity Diagnosis in Industrial Environments
Attendee Questions & Answers
14
or industrial person?
Which is an estimation of the duration
of this kind of audit to a complex/big
plant?
What are the most important skills to be
mastered for someone who will run
Cybersecurity Diagnosis?
15
16
Do you have any specific engagements
with the oil and gas industry? What are
the specific areas of focus?
17
Could you name some of your clients for
this kind of service?
18
Is page 38 taken from some official
documentation (e.g. NIST?)
What is the usefulness of Shodan 8?
19
20
Just a quick note, the ISA-99 series were
renamed to ISA-62443 (slide 33).
organizations this responsibility is not clearly defined.
Difficult to say. Assuming a single consultant, as a
reference you could take a couple of days of previous
work (studying general information), 3-5 days of field
work, and probably 3-5 days more for development of
the report
Good knowledge of: information security,
communications, industrial control systems. The more
the better. But in my experience I have found that being
able to understand and communicate with people from
different backgrounds is equally important. Also to be
professional and rigorous. You must be prepared to
justify with evidences every assertion you have made in
the final report.
After the Aramco incident, Oil&Gas industry has been
one of the biggest boosters of industrial cybersecurity.
Right now, this sector is developing very exciting
initiatives such as the Smart Oil Fields (taking the smart
grid concepts to the oil fields)
Nope, but I have made this type of work in energy
production facilities, energy distribution infrastructures,
chemical plants, EPC firms, …
It is a network architecture reference provided by
vendor Industrial Defender
Shodan allows searching of devices connected to the
Internet. Many of these devices are industrial control
systems. Using advanced search operators Shodan can
help in the identification of ICS directly connected to the
Internet in a given facility.
Right. The reference is from the copy I own that still was
ISA-99
21
22
23
24
25
3