CyberDefenses
Information Assurance
CyberDefenses, Inc.
• Californian by birth (Got to Texas as soon as I could)
• Oceanographer by degree from US Naval Academy
• Nuclear Engineer by Adm Rickover
• Submarine Officer by US Navy
• Disaster Relief Coordinator by ADRN
• CSO for Cyber Defenses by career
Vern Williams
Proprietary and Confidential 2013 CyberDefenses, Inc. ©
Industrial Control System (ICS) Security:
• Unique impact on both physical and cyber worlds
• Consequences can be more severe than in IT
• Lifecycles of 5-30 years
• Designed to operate in a bubble
• So what is the threat to ICSs?
• How can we defend them from the evil in the world?
How bad is it really?
"An Italian security researcher, Luigi Auriemma, has disclosed a
laundry list of unpatched vulnerabilities and detailed
proof-of-concept exploits that allow hackers to completely compromise
major industrial control systems. The attacks work against six
SCADA systems, including one manufactured by U.S. giant
Rockwell Automation. The researcher published step-by-step
exploits that allowed attackers to execute full remote
compromises and denial of service attacks. Auriemma
appeared unrepentant for the disclosures in a post on his
website."
Slashdot: mask.of.sanity
History of attacks on water plants
• SALT River Project SCADA Hack
• Maroochy Shire Sewage Spill
• Trojan/Key logger on Ontario Water SCADA System
• Viruses Found on Aussie SCADA Laptops
• Software Flaw makes MA Water undrinkable
• Audit/Blaster Causes Water SCADA Crash
• DoS Attack on Water System via Korean Telecom
• Penetration of California Irrigation District Wastewater Treatment
Plant
• SCADA Breach in Harrisburg, PA by an external hacker
What do the Execs think?
• Close to 30% of respondents believe their company was
not prepared for a cyberattack, and more than 40%
expect a major cyberattack within the next
year, according to a survey of 200 IT security executives
from electricity infrastructure enterprises in 14
countries conducted by Vanson Bourne for McAfee and
CSIS.
By Infosecurity, 27 April 2011
The Patria Group
This was the result of an instrument failure. What can “they” do to us when they intend harm?
And the really bad news? Stuxnet and variants!
Stuxnet infects Windows systems in its search for industrial control
systems which consist of Programmable Logic Controllers
(PLCs), and contain special code that controls the automation of
industrial processes—for instance, to control machinery in a plant
or a factory. Stuxnet has the ability to take advantage of the
programming software to also upload its own code to the PLC in an
industrial control system that is typically monitored by SCADA
systems. In addition, Stuxnet then hides these code blocks, so when
a programmer using an infected machine tries to view all of the
code blocks on a PLC, they will not see the code injected by Stuxnet.
Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is
the first publicly known rootkit that is able to hide injected code
located on a PLC.
Stuxnet Introduces the First Known Rootkit for Industrial Control Systems, from Symantec Blog
What does DHS say?
DHS Warns ICS, SCADA Owners About Increase in
Malicious Activity
• Be proactive in auditing the security of their
systems, particularly the authentication
controls.
• Alert is in response to a growing concern over the
number of exploit tools available online targeting ICS
and SCADA systems.
• Growing interest from hacktivists using special search
engines to find ICS accessible online.
Who is affected?
Exploit kits were made publicly available that
target programmable logic controllers for industrial
control systems
• Affects: GE, Rockwell Automation, Schneider Electric
and Koyo
• Another exploit was built for the Ethernet/IP protocol
used by a number of PLC vendors
• This adds to the report of a backdoor in the CoDeSys ladder logic
system, used by 261 PLC manufacturers to execute
ladder logic.
What else do we have to worry about?
• Kaspersky Labs believes four other pieces of malware, which
they call Duqu, Flame, Gauss, and MiniFlame, were
developed by the same US “cyber-weapons factory”.
• In 2012, ICS-CERT tracked 171 unique vulnerabilities
• Shodan was used to identify 20K Internet-accessible and
vulnerable ICSs
• Shamoon destroyed 30K Saudi Aramco computers
(seems to be a lone perpetrator)
Can we continue like this?
The status quo is broken (we need to fix it).
Continuing to do the same things we do now is doomed to
failure.
Working together with IT and Corporate
Security, we can make the bad guys' day harder!
The one thing worse than the operator not
having control is “them” having control.
What can we do?
• Practice Defense in Depth by Policy
• Avoid any attempt to bypass controls
• Establish accountability for actions
• Ask the hard questions:
– How good was Identity Proofing when “Joe” was
hired?
– If the contract requires me to be
vulnerable, maybe it is time to get a new
contractor or provider.
Security Goals
• Develop / review the security policy for your ICS
environment
• Architect a robust ICS environment
• Build security concerns into your contracts
• Require your provider to “Build Security In”
• Train your staff and Educate your users
• Require accountability
• Develop and Train an ICS Incident Response Team
Incident Response
Current State of the Art Response
• Emergency Operations Management
• Cyber Incident Response
– US-CERT
– CERT, CMU
• ICS CERT
– Control Systems Security Program (CSSP) DHS
– New but taking advantage of experience from both
– http://www.us-cert.gov/control_systems/index.html
Phases of Incident Response
• Planning
• Incident Prevention
• Incident Management
– Detection
– Containment
– Remediation
– Recovery
• Post Incident Analysis
Incident Response Key Elements
Recommended Practice: Developing an Industrial Control Systems Cybersecurity
Incident Response Capability October 2009
Where to start?
So where do we start to achieve this capability?
We have existing resources that can be brought
to bear, but we first have to have the will of
management and funding.
In developing an Incident Response Plan, you
have to engage all of the stakeholders and they
each have to have ownership of the results.
Key Response and Monitoring
Emergency Management
Physical Security, Loss Prevention, Fire Protection, EOC Staff
Respond to physical effects
Cyber Incident Response
IT Help Desk, Anti-Virus, USB management, Network and System
Security Controls, Forensics, Change Management
Deals well with traditional IT systems and networks
ICS Operations
Change Management, Typically Strong Physical Access, Weak
Encryption and Identity Management, Long Lifecycles
Obstacles to overcome?
• Distrust between InfoSec, IT and ICS staff
• Tools that do not support ICS protocols
• Response Time vs Encryption
• Robust IdM vs Easy Operator Access
• “Starting” a new industry in ICS Security
The one thing worse than the operator not
having control is “them” having control.
Let's get started!
• Get buy-in from the TOP
• Form the team (provide incentive)
• Develop an ICS Incident Response Plan
Plagiarism is the quickest way
• Train your staff, get the tools needed
• Develop outsourcing and comms channels
• Exercise, Feedback, Exercise, etc.
Team Members
• ICS-CERT Team Manager
• Process or Control System Engineer
• Network and System Admins
• Plant Manager / CIO / Chief Engineer
• Security and Legal SMEs
• PR and HR Specialists
• Vendor Support Engineers and others
Build and Exercise the Plan
• Get started and work out the bugs
• Basic plan should provide guides for phases
• Build checklists and forms to standardize actions
• Develop outside contacts with LEO, Fire etc.
• Establish communications methods
• Some ONE has to be in charge
• Use realistic scenarios to exercise your plan, use actual
incidents if available
What else can we do?
• Assess your vulnerabilities (cross discipline)
• Mitigate where possible
• Architect with Security in mind
• Encryption is the best defense against
compromise and delays can be minimal
• Identity is key. If you do not know who, you do
not know much.
Key SCADA Questions For your CEO
Here are five questions chief executives should ask about cyber risks:
1) How is our executive leadership informed about the current level and
business impact of cyber risks to our company?
2) What is the current level and business impact of cyber risks to our
company? What is our plan to address identified risks?
3) How does our cyber security program apply industry standards and best
practices?
4) How many and what types of cyber incidents do we detect in a normal
week? What is the threshold for notifying our executive leadership?
5) How comprehensive is our cyber incident response plan? How often is it
tested?
Posted by Greg Hale on Feb 28 2013. This is an excerpt from ISSSource.
Axioms:
• “You will do 85% or worse in competition
than your best in practice.” Karl Rehn
• Train the way you expect to “fight”.
• Learn to “fight” wounded.
References:
• Guide to Industrial Control Systems (ICS) Security, NIST 800-82, May 2013
– http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r1.pdf
• Recommended Practice: Developing an Industrial Control Systems
Cybersecurity Incident Response Capability, October 2009, DHS
– http://ics-cert.us-cert.gov/content/recommended-practices
• In the Dark; Crucial Industries Confront Cyberattacks
– http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf
• CERT Resources:
– http://www.us-cert.gov/resources.html
• Control Systems Security Program (CSSP)
– http://www.us-cert.gov/control_systems/ics-cert/
• ICS Information Sharing and Analysis Center (ISAC)
– http://www.ics-isac.org
Vern Williams, CSO, Cyber Defenses, Inc.
CISSP, CSSLP, ISSEP, ISAM, CCSK, CBCP
ISSA Distinguished Fellow
Senior Member, IEEE (Institute of Electrical and Electronics
Engineers)
Member ISA and CSA
ISSA International Honor Roll, 2007
ISSA 2005 Security Practitioner of the Year
512.297.8798 (mobile)
1205 Sam Bass Road, Suite 300, Round Rock, TX 78681
Vern.Williams@CyberDefenses.com
Vern.Williams@IEEE.org
CyberDefenses
Information Assurance
CyberDefenses, Inc.

SCADA Security Webinar

  • 2. • Californian by birth (Got to Texas as soon as I could) • Oceanographer by degree from US Naval Academy • Nuclear Engineer by Adm Rickover • Submarine Officer by US Navy • Disaster Relief Coordinator by ADRN • CSO for Cyber Defenses by career Vern Williams 2 Proprietary and Confidential 2013 CyberDefenses, Inc. ©
  • 3. Industrial Control System (ICS) Security: 3 • Unique impact on both physical and cyber worlds • Consequences can be more severe than in IT • Lifecycles of 5-30 years • Designed to operate in a bubble • So what is the threat to ICSs? • How can we defend them from the evil in the world? Proprietary and Confidential 2013 CyberDefenses, Inc. ©
  • 4. How bad is it really? "An Italian security researcher, Luigi Auriemma, has disclosed a laundry list of unpatched vulnerabilities and detailed proof-of-concept exploits that allow hackers to completely compromise major industrial control systems. The attacks work against six SCADA systems, including one manufactured by U.S. giant Rockwell Automation. The researcher published step-by-step exploits that allowed attackers to execute full remote compromises and denial of service attacks. Auriemma appeared unrepentant for the disclosures in a post on his website." Slashdot: mask.of.sanity
  • 5. History of attacks on water plants • SALT River Project SCADA Hack • Maroochy Shire Sewage Spill • Trojan/Key logger on Ontario Water SCADA System • Viruses Found on Aussie SCADA Laptops • Software Flaw makes MA Water undrinkable • Audit/Blaster Causes Water SCADA Crash • DoS Attack on Water System via Korean Telecom • Penetration of California Irrigation District Wastewater Treatment Plant • SCADA Breach in Harrisburg, PA by an external hacker
  • 6. What do the Execs think? • Close to 30% of respondents believe their company was not prepared for a cyberattack, and more than 40% expect a major cyberattack within the next year, according to a survey of 200 IT security executives from electricity infrastructure enterprises in 14 countries conducted by Vanson Bourne for McAfee and CSIS. By Infosecurity, 27 April 2011
  • 7. The Patria Group This was the result of an instrument failure. What can “they” do to us when they intend harm?
  • 8. And the really bad news? Stuxnet and variants! Stuxnet infects Windows systems in its search for industrial control systems which consist of Programmable Logic Controllers (PLCs), and contain special code that controls the automation of industrial processes—for instance, to control machinery in a plant or a factory. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn’t just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC. Stuxnet Introduces the First Known Rootkit for Industrial Control Systems, from Symantec Blog
  • 9. What does DHS say? DHS Warns ICS, SCADA Owners About Increase in Malicious Activity • Be proactive in auditing the security, particularly authentication controls, of their systems. • Alert is in response to a growing concern over the number of exploit tools available online targeting ICS and SCADA systems. • Growing interest from hacktivists using special search engines to find ICS accessible online.
  • 10. Who is affected? Exploit kits were made publicly available that target programmable logic controllers for industrial control systems • Affects: GE, Rockwell Automation, Schneider Electric and Koyo • Another exploit was built for the Ethernet/IP protocol used by a number of PLC vendors • Added to report of a backdoor in CoDeSys ladder logic system used by 261 PLC manufacturers to execute ladder logic.
  • 11. What else do we have to worry about? • Kaspersky Labs believes four other pieces of malware, which they call Duqu, Flame, Gauss, and MiniFlame, were developed by the same US “cyber-weapons factory”. • In 2012, ICS-CERT tracked 171 unique vulnerabilities • Shodan used to identify 20K Internet-accessible and vulnerable ICS • Shamoon destroyed 30K Saudi Aramco computers (seems to be a lone perpetrator)
  • 12. Can we continue like this? The status quo is broken (we need to fix it). Continuing to do the same things we do now is doomed to failure. Working together with IT and Corporate Security, we can make the bad guys' day harder! The one thing worse than the operator not having control is “them” having control.
  • 13. What can we do? • Practice Defense in Depth by Policy • Avoid any attempt to bypass controls • Establish accountability for actions • Ask the hard questions: – How good was Identity Proofing when “Joe” was hired? – If the contract requires me to be vulnerable, maybe it is time to get a new contractor or provider.
  • 14. Security Goals • Develop / review the security policy for your ICS environment • Architect a robust ICS environment • Build security concerns into your contracts • Require your provider to “Build Security In” • Train your staff and educate your users • Require accountability • Develop and train an ICS Incident Response Team
  • 15. Incident Response: Current State of the Art Response • Emergency Operations Management • Cyber Incident Response – US-CERT – CERT, CMU • ICS CERT – Control Systems Security Program (CSSP) DHS – New but taking advantage of experience from both – http://www.us-cert.gov/control_systems/index.html
  • 16. Phases of Incident Response • Planning • Incident Prevention • Incident Management – Detection – Containment – Remediation – Recovery • Post Incident Analysis
  • 17. Incident Response Key Elements: Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability, October 2009
  • 18. Where to start? So where do we start to achieve this capability? We have existing resources that can be brought to bear, but we first have to have the will of management and funding. In developing an Incident Response Plan, you have to engage all of the stakeholders and they each have to have ownership of the results.
  • 19. Key Response and Monitoring • Emergency Management: Physical Security, Loss Prevention, Fire Protection, EOC Staff. Respond to physical effects. • Cyber Incident Response: IT Help Desk, Anti-Virus, USB management, Network and System Security Controls, Forensics, Change Management. Deals well with traditional IT systems and networks. • ICS Operations: Change Management, Typically Strong Physical Access, Weak Encryption and Identity Management, Long Lifecycles.
  • 20. Obstacles to overcome? • Distrust between InfoSec, IT and ICS staff • Tools that do not support ICS protocols • Response Time vs Encryption • Robust IdM vs Easy Operator Access • “Starting” a new industry in ICS Security. The one thing worse than the operator not having control is “them” having control.
  • 21. Let's get started! • Get buy-in from the TOP • Form the team (provide incentive) • Develop an ICS Incident Response Plan (plagiarism is the quickest way) • Train your staff, get the tools needed • Develop outsourcing and comms channels • Exercise, Feedback, Exercise, etc.
  • 22. Team Members • ICS-CERT Team Manager • Process or Control System Engineer • Network and System Admins • Plant Manager / CIO / Chief Engineer • Security and Legal SMEs • PR and HR Specialists • Vendor Support Engineers and others
  • 23. Build and Exercise the Plan • Get started and work out the bugs • Basic plan should provide guides for phases • Build checklists and forms to standardize actions • Develop outside contacts with LEO, Fire, etc. • Establish communications methods • Some ONE has to be in charge • Use realistic scenarios to exercise your plan; use actual incidents if available
  • 24. What else can we do? • Assess your vulnerabilities (cross discipline) • Mitigate where possible • Architect with Security in mind • Encryption is the best defense against compromise and delays can be minimal • Identity is key. If you do not know who, you do not know much.
  • 25. Key SCADA Questions For your CEO Here are five questions chief executives should ask about cyber risks: 1) How is our executive leadership informed about the current level and business impact of cyber risks to our company? 2) What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks? 3) How does our cyber security program apply industry standards and best practices? 4) How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership? 5) How comprehensive is our cyber incident response plan? How often is it tested? CyberDefenses, Inc. Posted by Greg Hale on Feb 28 2013, This is an excerpt from ISSSource
  • 26. Axioms: • “You will do 85% or worse in competition than your best in practice.” Karl Rehn • Train the way you expect to “fight”. • Learn to “fight” wounded.
  • 27. References: • Guide to Industrial Control Systems (ICS) Security, NIST 800-82, May 2013 – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r1.pdf • Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability, October 2009, DHS – http://ics-cert.us-cert.gov/content/recommended-practices • In the Dark; Crucial Industries Confront Cyberattacks – http://www.mcafee.com/us/resources/reports/rp-critical-infrastructure-protection.pdf • CERT Resources: – http://www.us-cert.gov/resources.html • Control Systems Security Program (CSSP) – http://www.us-cert.gov/control_systems/ics-cert/ • ICS Information Sharing and Analysis Center (ISAC) – http://www.ics-isac.org
  • 28. Vern Williams, CSO, Cyber Defenses, Inc. CISSP, CSSLP, ISSEP, ISAM, CCSK, CBCP ISSA Distinguished Fellow Senior Member, IEEE (Institute of Electrical and Electronics Engineers) Member ISA and CSA ISSA International Honor Roll, 2007 ISSA 2005 Security Practitioner of the Year 512.297.8798 (mobile) 1205 Sam Bass Road, Suite 300, Round Rock, TX 78681 Vern.Williams@CyberDefenses.com Vern.Williams@IEEE.org
