Slide 1
WWHMI SCADA-12
Cyber Security
Best Practices in the Industrial World
Paul Forney, MCSE, CSSLP
Chief Technologist
R&D Security Team
Software Platform
Invensys Operations Management
© 2012 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of
Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.
Acknowledgements
• Pike Research – Monitoring and Securing SCADA Networks
• The Department of Homeland Security CSSP
• Ernie Rakaczsky – Program Manager, Invensys CyberSecurity
• All the folks at McAfee (thanks for your help and support)
• The Invensys Critical Infrastructure & Security Practice Team
Slide 3
Invensys Operations Management
We work with:
• 23 of the top 25 petroleum companies
• 47 of the top 50 chemical companies
• 19 of the top 20 pharmaceutical companies
• 30 of the top 50 nuclear power plants
• More than 650 fossil power plants
We help produce:
• 23% of the world’s chemicals
• 62% of the world’s LNG
• 20% of the world’s electricity generation
• 36% of the world’s nuclear energy generation
• 17% of the world’s refined products
• Annual sales US$ 2 Billion
• 9,000 employees serving 35,000 customers, in more than 200,000 locations across 180 countries
• Over 585,000 active software licenses
Slide 4
Control System Accessibility
Slide 5
Typical Network Architecture
An Attacker has three challenges
1. Gain access to the control system LAN
2. Through Discovery, gain understanding of the process
3. Gain control of the process
Slide 6
Man-in-the-Middle Attack
An Attacker has three challenges:
1. Modify packets in transit
2. Spoof the Operator Displays
3. Issue Arbitrary and targeted commands
Slide 8
The Existence of Threats
Terrorism
• Rogue States
• Someone with a “cause”
Cyber Warfare
Disgruntled ex-employees
• May seek out script kiddies or hackers to cause damage
Extortion
• Threatening to disrupt a facility
Privacy of Company Assets
• Recipes
• Formulas
• Proprietary data
• IP
Slide 9
Consequences of a Successful Control System Attack
Shutdown of Critical Infrastructure
• Leads to loss of utilities for large number of people and companies
Incorrect Operation of Industrial Equipment
• Potential safety consequences or destruction of equipment
Incorrect Information Displayed to Operators or Reports
• Can lead to significant operational consequences
Faulty Products Caused by Changes in Recipes or Processing
• Could have major consequences if the products are for human consumption
Exposure of Intellectual Property to Competitors
• Leads to financial loss for the owner of the information
Slide 10
SCADA Cyber has been Escalating 10+ Years…
Slide 11
Reported ICS Vulnerabilities
(Chart; actual count shown: 215)
Slide 12
Stealth Attacks Increasing
• More than 1,200 new rootkits detected each day
• More than 2.1M unique rootkits detected
• More than 75M malware detected
• Number of reports of data breaches via hacking, malware, fraud, and insiders has more than doubled since 2009
– TDSS rootkit is used as a persistent backdoor to install other types
– SpyEye is hidden with a rootkit to steal banking credentials
– Stuxnet used a rootkit to hide an APT targeting government infrastructure
STAKES Are Rising Rapidly
(Timeline figure labels: Hacking For Fun, Organized Crime, Cyber Espionage, Government Sponsored, Physical Harm; milestones SLAMMER, ZEUS, AURORA, STUXNET.)
Slide 13
An Increasing Critical Need*
As Industrial Control Systems (ICS) rely more and more on digital technology and networking, they become increasingly vulnerable to cyber attack.
The digital workstations used in control centers inherit many of the vulnerabilities of conventional IT systems, but lag in security best practices for a variety of reasons specific to ICS.
*Pike Research – Monitoring and Securing SCADA Networks
Slide 14
Community of Concern
(Diagram of the Control System Cyber Security Community. Groups shown: Industry Sectors, Owner\Operators, Academia & Research, Standards, Department of Homeland Security, National Labs, Engineering Firms, Control Systems Vendors, Security Consultants, Security Technologies, Labs & Research.)
Sectors named: Oil, Chemical, Gas, Nuclear, Power, Electric, Water.
Organizations named: EPRI, LOGIC2, I3P, IFAC, NIST, ISA/ISCI, IEEE, SRI, API, NCSD, ISAC, TSWG, CSSP, AGA, PNNL, INL, HSARPA, LLNL, US-CERT, ICSJWG, ARGONNE, IEC, NERC, SANDIA.
Slide 15
Industrial Control System Networks are Different than IT Networks*
• Different Security Objectives
• Most of the endpoint actors are machines rather than people
• Incidents can have immediate physical consequences
• More likely to be the target of hostile actors like terrorists
• Securing the network is a highly contextual activity
• Security must be aware of the types of actions that are legally occurring within policies
• SCADA security products must be able to quickly receive, store and correlate very large amounts of data
*Pike Research – Monitoring and Securing SCADA Networks
Slide 16
Security Objectives
• Prevent unauthorized changes to values in a Controller, PLC, process or configuration
• Prevent misrepresentation of process values on the HMI
• Reduce possibility of a production slowdown due to ICS software
• Protect integrity of process and event information
• Prevent loss of genealogy information
• Provide availability of the system and safety for the plant personnel and surrounding environment
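The Man-in-the-Middle slide lists modifying packets in transit and spoofing operator displays, and the objectives above call for preventing misrepresentation of process values on the HMI. As an added example (not Invensys code), here is a message-authentication check an HMI could apply to controller readings; the shared key, JSON message layout and per-tag sequence number are all assumptions constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed shared key for the example only; real deployments provision keys per device.
SHARED_KEY = b"example-key-for-demo-only"


def canonical(reading):
    """Deterministic encoding so controller and HMI authenticate the same bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(reading, key=SHARED_KEY):
    """Controller side: attach an HMAC-SHA256 tag to a process-value message."""
    tag = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "mac": tag}


class HmiReceiver:
    """HMI side: show a value only if its MAC verifies and its sequence advances."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted, per tag

    def accept(self, message):
        reading = message.get("reading", {})
        expected = hmac.new(self.key, canonical(reading), hashlib.sha256).hexdigest()
        # compare_digest avoids timing leaks when checking the tag
        if not hmac.compare_digest(expected, message.get("mac", "")):
            return (False, "MAC mismatch: value altered in transit or not from the controller")
        tag, seq = reading["tag"], reading["seq"]
        if seq <= self.last_seq.get(tag, -1):
            return (False, "stale or replayed sequence number")
        self.last_seq[tag] = seq
        return (True, "display %s = %s" % (tag, reading["value"]))


def demo():
    """Genuine reading is displayed; a tampered copy and a replay are rejected."""
    ctrl_msg = sign_reading({"tag": "TANK1.LEVEL", "value": 73.5, "seq": 1})
    hmi = HmiReceiver()
    genuine = hmi.accept(ctrl_msg)
    # Constructed tampering: the value is changed in transit, the original MAC is kept.
    tampered = {"reading": dict(ctrl_msg["reading"], value=20.0), "mac": ctrl_msg["mac"]}
    altered = hmi.accept(tampered)
    replay = hmi.accept(ctrl_msg)
    return genuine[0], altered[0], replay[0]
```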
Slide 17
Special Restrictions for ICS Security Products*
• Do nothing that negatively impacts network latency
• Restrict SCADA traffic to known and expected message types
• Isolate the SCADA network from any other networks, including the enterprise
• Collect and analyze from multiple sources beyond only IT events
• Prioritize situational awareness to prevent cyber incidents
• Implement strong change management for all SCADA modifications
• Use security products that are simple to deploy and manage
• Involve SCADA operations personnel in all SCADA security decisions
*Pike Research – Monitoring and
Securing SCADA Networks
Slide 18
A successful Cyber Security Program has 3 major areas of focus with…
(Pie chart of the three areas: People, Policy and Procedures, Technology; the shares shown are 15%, 65% and 20%.)
Dennis Brandl – “Three Pillars of Industrial Cyber Security”
Slide 19
Operational Excellence and Focus of This Discussion
(Diagram: Cyber Security spans the Operational Excellence levels. Level 3 (Multi-plant/Multi-site): Environment and Safety, People. Level 2 (Plant Floor/Area): Asset. Level 1 (Resource/Asset): Control.)
In today's environment the ability to accomplish Operational Excellence has many requirements…
“And now, a well implemented and managed Cyber Security Program… has become imperative to achieve Operational Excellence.”
Slide 20
A Layered Defense
(Multiple Zone Network diagram; elements listed in the order they appear on the slide.)
Internet Zone: Internet, Perimeter Firewall, Intrusion Prevention
Data Center Zone: Network Monitoring, Content Filtering, Anti-Virus, Server Monitoring, Web Usage Reporting, Wireless Security, Service Level Management, User Management, Server Management, PC Workstation, File & Print Services, Wireless Remote Access, Anti-SPAM, Intranet Firewall
Plant Network Zone: Control Network Firewall, Anti-Virus, Intrusion Prevention, PC Portal, Application Workstation
Controls Network Zone: Interface, Control Node Bus, Control Station, Interface, I/O, Field I/O, PLC
Slide 21
Security Solution Life Cycle
Offerings to complement and support any starting point…
The four stages: Plan & Assess, Architecture & Design, Modernization & Implementation, Manage & Optimize.
Becomes the foundation for a lifetime program….
A Life Cycle includes four interdependent stages that complement and feed into each other.
Slide 22
What We Need to Protect
Layer: Data | Network | Endpoint
Corporate IT: Enterprise Apps | Ethernet, TCP/IP | Modern Computers (Windows, Linux, Mac)
SCADA: SCADA, HMI | Ethernet, Serial | Legacy Computers (Windows)
Device Network: Ladder Logic | Ethernet, Serial, Relays | Special Function (Embedded OS)
Slide 23
Best Practices for Securing an ICS
• Maintain the latest Invensys-authorized Operating System (OS) and application patches.
• Test every patch to ensure deployment does not impact operations.
• Always use current anti-virus definitions.
• Verify the update was successfully installed.
• Update authorized application software.
• Enable Network Anti-Virus / Intrusion Prevention System.
• Enable System policies on all capable network appliances.
Slide 24
Best Practices, USB Devices…
• Do not use a USB stick unless it has been scanned.
• Designate and use specific USB equipment.
• To bridge air gaps, use a specific designated station.
WITHOUT restriction on USB devices, their portable nature can be used to compromise your security perimeter!
Slide 25
Machine Hardening (typically no negative effects on the ICS)
Harden Servers and Workstations and Non-ICS assets:
• Ensure all software and hardware patches and updates are current.
• Run A/V scans.
• Disable all unused ports and services.
• Harden BIOS.
• Use static IP addresses, disable DHCP.
• Disable NetBIOS and NetBIOS over TCP/IP.
Slide 26
Best Practices, Cont….
• Change default “admin” passwords.
• Use strong passwords consisting of more than 6-8 characters using special characters when applicable.
• Control User Rights.
• Do not use accounts across domains.
• Implement password aging, history, and complexity requirements.
• Always implement Backup and Restore to a network repository.
Slide 27
More To Do’s!
• Inventory network assets and keep it up to date.
• Run regular network audits.
• Use physical network isolation when possible.
• Use logical network segmentation (secure zones) when possible with strict Firewall Rules.
• Isolate and control flow of information between Business Network(s) and the PCN through use of firewalls.
• Require strict firewall rules with specific (/32) source, destination, port, and protocol.
• Use DMZs.
Slide 28
Network Access
• Enable Firewall Logging and Monitor as appropriate.
• Implement an NMS to provide system audit, logging and monitoring.
• Don’t click links or files that aren’t verified.
• ICS assets should not have internet access.
• Some ICS assets may need to have access to business network website interfaces, so verify all access leaving the ICS network to un-trusted networks.
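As an added example (not from the deck), a rule audit that checks the two firewall items above: specific /32 source and destination, an explicit port and protocol, and logging on every allow rule. The rule line format and the sample rules are constructed for the example and are not any vendor's syntax.

```python
import ipaddress
import re

# Constructed rule format (an assumption, not a real firewall syntax):
#   <action> <proto> <src_cidr> <dst_cidr> <port> [log]
# Sample rules are constructed; 502 is shown as a typical Modbus/TCP port.
SAMPLE_RULES = """\
allow tcp 10.1.20.15/32 10.1.10.5/32 502 log
allow tcp 10.1.20.0/24 10.1.10.5/32 502 log
allow any 10.1.20.16/32 10.1.10.5/32 any log
allow tcp 10.1.20.17/32 10.1.10.6/32 1433
"""

RULE_RE = re.compile(
    r"^(?P<action>allow|deny)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<dst>\S+)\s+(?P<port>\S+)(?P<log>\s+log)?$"
)


def is_host_specific(cidr):
    """True only for a single-host prefix (/32 for IPv4, /128 for IPv6)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:  # e.g. "any" or a malformed address
        return False
    return net.num_addresses == 1


def check_rule(line):
    """Return the policy findings for one rule line; an empty list means compliant."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["unparseable rule"]
    findings = []
    if not is_host_specific(m["src"]):
        findings.append("source is not a single host (/32)")
    if not is_host_specific(m["dst"]):
        findings.append("destination is not a single host (/32)")
    if m["proto"].lower() == "any":
        findings.append("protocol is 'any'")
    if not m["port"].isdigit():
        findings.append("port is not a specific number")
    if m["action"] == "allow" and not m["log"]:
        findings.append("allow rule without logging")
    return findings


def audit(ruleset):
    """Map each non-empty rule line to its findings."""
    return {line: check_rule(line) for line in ruleset.splitlines() if line.strip()}
```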
Slide 29
In the event of a Cyber incident
Create an Incident Response Plan before an incident so that you are prepared. Steps that are typically part of incident response plans are:
• Do make a VM image of the affected system.
• Do get a triage team together.
• Do get copies of all the logs.
• Do not start updating anti-virus.
• Do not start running anti-virus patches.
• Work with the antivirus vendor and other agencies to collect the necessary forensics.
Slide 30
Vendor Responsibility - Secure By Design
Secure Software is responsible to provide:
• Confidentiality: Protect against unauthorized information disclosure.
• Integrity: Prevent unauthorized changes to data.
• Availability: Provide the required services uninterrupted 24x7.
• Authenticity: Determine identity of components and users in a reliable and consistent manner.
• Authorization: Control access to various parts of the system based on the user or code’s credentials.
• Non-repudiation: Establish audit trails through the system and establish evidence to track a system operation.
Slide 31
Project Ozone – Cyber Security Initiative
Vision
To create and enhance processes, knowledge and an ingrained culture for building secure and robust solutions our Customers can trust.
What is it:
• Assess existing vulnerabilities in solution offerings
• Enhance products, processes and tools from a security view
• Improve responsiveness to Cyber Security issues
Why is it Important:
• Increased awareness in the Industry to Cyber Security threats and their impact
• Impact on credibility and cost after Cyber Security attacks is severe
• Strategic Alignment for an enterprise connected platform
Success is Defined As:
• Real-time Indicators:
– SDL Process Violations (Reduced pre-release process violations per product)
– Security vulnerabilities per product (Reduction in reported vulnerabilities closed proactively, found pre-release)
• Primary Indicators:
– Security Defect Reports (Zero post-release reports)
– Responsiveness to threats/issues (Response time less than 35 days)
Slide 32
Cyber Security Updates Released
Date: 4-8-2011 | Notice Identification Number: LFSEC00000054 | Stack Based buffer overflow in the InBatch BatchField ActiveX Control
Security Vulnerability Description: A vulnerability (Stack overflow) has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when used embedded in InTouch® and any third party InBatch Client Programs (VB or C++). In addition, this control can be used in publishing InTouch graphics in Wonderware Information Server.
Detailed Information: April 8, 2011 LFSEC00000054

Date: 2-18-2011 | Notice Identification Number: LFSEC00000051 | Server lm_tcp buffer overflow
Security Vulnerability Description: A vulnerability has been discovered in InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server.
Detailed Information: February 18, 2011 LFSEC00000051

Date: 7-14-2010 | Notice Identification Number: LFSEC00000037 | Wonderware ArchestrA ConfigurationAccessComponent ActiveX Stack Overflow
Security Vulnerability Description: A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) and if exploited, could allow remote code execution.
Detailed Information: July 14 2010 Security Update LFSEC00000037
Slide 33
Project Execution Approach
• People: Training
• Process: Enhancements, SOP’s and Tools
• Product: Enhancements
Institutionalized Across Invensys Operations Management
Slide 34
Secure By Design
• Security Built In, not Added On
• The Microsoft SDL is a software development policy for all products with meaningful business risk and/or access to sensitive data
• Key part of Invensys’ commitment to protect its customers
• Implementing the SDL reduces the Total Cost of Ownership (TCO) for Software Products
• Fewer security patch events required for our products
• Secure software is by nature Quality software
Slide 35
Threat Modeling Approach
A careful study of the design of an application to identify weaknesses and vulnerabilities includes 5 steps:
1. Identify security objectives
2. Create an application overview
3. Decompose the application
4. Identify threat vectors
5. Identify vulnerabilities
Slide 36
Defend Against S.T.R.I.D.E. Attacks
S – Spoofing Identity: Allows an attacker to pose as something or someone else.
T – Tampering with Data: Involves malicious modification of data or code.
R – Repudiation: Allows an attacker to perform actions that other parties can neither confirm nor contradict.
I – Information Disclosure: Involves the exposure of information to individuals who are not supposed to have access to it.
D – Denial of Service: DoS attacks deny or degrade service to valid users.
E – Elevation of Privilege: Occurs when a user gains increased capability, often as an anonymous user taking advantage of a coding error to gain admin capability.
Slide 37
Our Solution
• Stop incurring “Technical Debt” – New Code: Implement the Security Development Lifecycle for all new projects.
• Reduce “Technical Debt” – Legacy: Evaluate and model our most critical software for threats, strengthening with tools from the SDL.
Institutionalize Across Invensys Operations Management R&D
Slide 38
Please Subscribe to Security Central!
https://wdn.wonderware.com/sites/WDN/Pages/Security%20Central/CyberSecurityUpdates.aspx
Slide 39
Slide 40
Conclusion
Secure systems start with design – both hardware, software and application deployments.
The security journey must be a collaboration between people, processes and technology – there is no silver bullet!
No substitute for a practical security program that provides a long term, self-perpetuating maturity model that can be ingrained into the culture of an organization to produce the foundation for secure and robust solutions we can trust.
“Within Invensys Operations Management R&D, our journey has begun for a more Secure Critical Infrastructure.”
Slide 41