Implications of Cybersecurity on Small and Medium Manufacturers
1. 1
Implications of
Cybersecurity on the
Small and Medium-sized
manufacturer: Risk
Management and
Compliance
Dr. Ron McFarland, Ph.D., PMP, CISSP – Post Doctorate Fellow,
University of Maryland University College
Dean, School of Applied Technologies – College of the Canyons
Center for Security Studies
Funding provided by CAE Cybersecurity Grant Program -
S-004-2017 CAE Cybersecurity (CAE-C) “Investment in
Expansion of CAE-C Education Programs”
Dr. Loyce Best Pailen, Principal Investigator
2. 2
Topics
1. Compliant, but breached
2. Cyber Security and Industrial Control Systems
3. DFARS Requirements
4. 4
Hackers focus on beating security controls.
Security and compliance teams focus on adhering to laws and regulations.
The Essence of the problem
5. 5
Compliant with Certifications -- but Breached
• Target
• Verizon
• SecurePay
• Experian
• Sally Beauty
• FedEx
• Staples
• Dairy Queen
• KMart
According to the SANS Institute: “The Payment Card Industry published the
Data Security Standard 11 years ago; however, criminals are still breaching
companies and getting access to cardholder data. The number of security
breaches in the past two years has increased considerably, even among the
companies that assessors deemed compliant.”
6. 6
• Compliance – the act or process of complying with a desire,
demand, proposal, regimen or coercion; here, complying with a standard or regulation in order to achieve security
• Security – the state of being free from danger or threat
What is Compliance and Security?
7. 7
• Possible combinations:
1. Neither compliant with any standards or secure
2. Secure in a limited way but not compliant with any standards
3. Compliant with standards but insecure
4. Secure and compliant
• Best option is to achieve security via compliance
Treat certifications of products and processes or regulatory
compliance as assets
Possible Combinations
8. 8
• Established security standards for certain types of
health information
regulated by the Department of Health and Human Services
• Procedural and technical measures to protect
information and track the people using that
information
User identification and authentication
Including automatic logoff and emergency access procedures
System logging for security events
Protected Health Information (PHI) must be encrypted (formally an "addressable" specification under the Security Rule, but expected in practice)
Integrity controls
Health Insurance Portability and Accountability Act (HIPAA)
10. 10
• Organizations that store, process or transmit credit and debit card data
regulated contractually by the card brands: VISA, MasterCard, Discover, JCB and American
Express
• Organizations track all access to network resources and
cardholder data
Requires external assessments be performed
Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) plus an annual penetration test; a vulnerability scan is not a penetration test
Compliance is validated (a Report on Compliance or Self-Assessment Questionnaire with an Attestation of Compliance) rather than "certified"
Payment Card Industry – Data Security Standards (PCI DSS)
11. 11
PCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
Payment Card Industry – Data Security Standards (PCI DSS)
12. 12
• Requires financial institutions to protect customer information
against security threats
Regulated by FTC
• Privacy notice includes what they collect, where it is shared and
how it is protected
• SSN, financial account numbers, credit card numbers, DOB,
Name, address, phone number, details of financial transactions
Gramm-Leach-Bliley Act (GLBA)
13. 13
• Information security program assigned to an employee
• Risk assessments to identify risks
• Assess safeguards to ensure they function properly and as
intended
• Design and implement safeguards
• Service provider contracts include terms to protect customer
information
• Periodic review of information security policy
Gramm-Leach-Bliley Act (GLBA)
14. 14
• Requirements for financial and accounting practices for
publicly-held companies
Regulated by the SEC
• Auditor independence
• Corporate governance (oversight) includes IT
• Internal control assessment
• Enhanced financial disclosure
Sarbanes-Oxley Act (SOX)
15. 15
• Financial reports, records, and data are accurately maintained
• Transactions are prepared per GAAP rules and properly
recorded
• Unauthorized acquisition or use of data or assets that could
affect financial statements will be prevented or detected in a
timely manner
• Records retention
Sarbanes-Oxley Act (SOX)
16. 16
• Schools receiving federal funds
• Protects personally identifiable information in student education records, including:
Demographic information
Address and contact information
Parental demographic information
Parental address and contact information
Grade information
Disciplinary information
Family Educational Rights and Privacy Act (FERPA)
19. 19
• The need to improve the security for ICS cannot be overstated.
• Many industrial systems are built using legacy devices
running legacy protocols that have since been adapted to operate over routable
networks.
• Before the expansion of Internet connectivity, web-based
applications, and real-time business information systems, energy
systems were built for reliability, not for security.
• Physical security was always a concern, but information security
was not, because
the control systems were air-gapped, that is, physically separated with
no common system (electronic or otherwise) crossing that gap
Importance of Securing Industrial Networks
21. 21
• The problem is that, however justified or well intended it was,
the air gap (from the previous slide) no longer exists. Why?
• There is now a path into critical systems, and any path that
exists can be found and exploited.
Need to connect
23. 23
• Security consultants at Red Tiger Security presented research
in 2010 that clearly indicates the current state of security in
industrial networks.
• Penetration tests were performed on approximately 100 North
American electric power generation facilities.
• Results: more than 38,000 security warnings and
vulnerabilities.
Red Tiger Research
24. 24
• Understanding the basic nature of industrial networks, and
examining the many regulations and recommendations put
forth by NERC, NIST, NRC, ISA, the ISO/IEC, and other
organizations is the foundation of industrial network security.
• By evaluating an industrial network, identifying and isolating
its systems into functional groups ( Segmentation ), and
applying a structured methodology of defense in depth and
strong access control, the security of the network as a whole will
be greatly improved
Foundation to Securing ICS
25. 25
• An industrial network is most typically made up of several
distinct areas, which are simplified as:
a business network or enterprise network
business operations
a supervisory network
process and control networks
General Terms
26. 26
• SCADA - Supervisory Control and Data Acquisition
• ICS - Industrial Control Systems
• DCS - Distributed Control Systems or Process Control Systems
(PCS).
• Each area has its own physical and logical security
considerations, and each has its own policies and concerns.
ICS Terms
27. 27
• Industrial Network
refers to any network operating some sort of automated
control system that communicates digitally over a network.
• Critical Infrastructure
refers to critical network infrastructure, including any
network used in the direct operation of any system upon which
one of the designated “critical infrastructures” depends.
Industrial Network vs. Critical Infrastructure
29. 29
• Utilities
Utilities—water, gas, oil, electricity, and communications
Financial ??
• Nuclear Facilities
Nuclear facilities represent unique safety and security challenges
due to their inherent danger in the fueling and operation,
as well as the national security implications of the raw materials used.
Critical Infrastructure examples
30. 30
• Chemical Facilities
Chemical manufacture and distribution represent specific
challenges to securing an industrial manufacturing network.
Critical Infrastructure examples - continued
31. 31
• Homeland Security Presidential Directive Seven (HSPD-7)
• North American Electric Reliability Corporation (NERC) has
created a reliability standard called “Critical Infrastructure Protection”
and enforces it throughout the United States and Canada.
The NERC CIP reliability standard identifies security measures for protecting
critical infrastructure with the goal of ensuring the reliability of the bulk
power system.
Compliance is mandatory for entities registered with NERC as owners or operators
of the bulk electric system, which includes power generation facilities above the registration thresholds
Fines for noncompliance can be steep.
Standards and Organizations
32. 32
• Nuclear Regulatory Commission (NRC)
The NRC was formed as an independent agency by Congress in 1974.
The goal: to ensure the safe operation of nuclear facilities and to
protect people and the environment.
This includes regulating the use of nuclear material including by-product,
source, and special nuclear materials, as well as nuclear power.
The NRC requires and enforces the cyber security of nuclear power facilities.
The NRC is responsible for ensuring the safe use of radioactive materials for
beneficial civilian (nonmilitary) purposes by licensed nuclear facilities.
Ultimately, all other industries rely upon energy to operate, so the security
of the energy infrastructure (and the development of the smart grid) impacts
everything else; talking about securing industrial networks without
talking about energy is practically impossible.
Standards and Organizations - continued
33. 33
• Homeland Security Presidential
Directive Seven (HSPD-7)
HSPD-7 attempts to distinguish critical from noncritical
systems.
HSPD-7 does not include specific security recommendations,
relying instead upon other federal security recommendations such
as those by NIST on the security of both enterprise and
industrial networks, as well as the Homeland Security Risk-Based
Performance Standards used in securing chemical facilities.
(HSPD-7 was superseded by Presidential Policy Directive 21 (PPD-21) in
February 2013, which keeps the same sector-based approach to critical infrastructure.)
Standards and Organizations - continued
34. 34
• NIST Special Publications (800 Series)
NIST’s 800 series documents provide best practices and
information of general interest to information security.
All 800 series documents concern computer and information security
and should be used as references where applicable.
Of particular relevance to industrial network security are
SP 800-53 (originally “Recommended Security Controls for Federal Information
Systems”; Revision 5 is titled “Security and Privacy Controls for Information
Systems and Organizations”)
SP 800-82 (originally drafted as “Guide to Supervisory Control and Data Acquisition
[SCADA] and Industrial Control Systems Security”; published as “Guide to Industrial
Control Systems (ICS) Security” and, in Revision 3, “Guide to Operational Technology (OT) Security”)
Standards and Organizations - continued
35. 35
• Other standards that address security recommendations and
best practices:
Federal Information Security Management Act – FISMA (updated by the
Federal Information Security Modernization Act of 2014)
Chemical Facility Anti-Terrorism Standards – CFATS
ISA-99 (since renumbered and continued as the ISA/IEC 62443 series for
industrial automation and control system security)
ISO 27002
Standards and Organizations - continued
36. 36
• The separation of assets into functional groups allows specific
services to be tightly locked down and controlled
• This is one of the easiest methods of reducing the attack surface
that is exposed to attackers.
• Simply by disallowing all unnecessary ports and services, we also
remove the exposure to every vulnerability, known or unknown, in
those services: an attacker who cannot reach a service cannot exploit it.
• Control communications in both directions through a firewall (a key
area): know your network and its legitimate flows before writing the rules.
Not all threats originate from outside. Open, outbound traffic policies
can facilitate an insider attack, enable the internal spread of malware,
enable outbound command and control capabilities, or allow for data
leakage or information theft.
Network Segmentation - isolation
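As an added example, not part of the original slides: the zone-and-conduit policy below, with assumed zone names, firewall interfaces, ports and conduits, is rendered to an nftables forward chain that drops by default and lets only replies back through connection tracking, so each direction of initiation has to be listed explicitly. The same policy object answers whether a new connection would pass, which is how a proposed rule set is checked against the flows actually observed on the network.

```python
"""Zone-and-conduit segmentation policy rendered as an nftables ruleset.

Added example, not code from the original slides. The zone names, the
interfaces bound to them and the list of permitted conduits are assumptions
chosen for illustration. Every flow between functional groups is an explicit
allow rule on top of a default drop, and the two directions are separate
rules, so a PLC opening an outbound connection on its own is dropped exactly
like an unsolicited inbound one.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    src_zone: str   # zone that initiates the connection
    dst_zone: str
    proto: str      # "tcp" or "udp"
    dport: int
    comment: str


# Assumed zones: each functional group sits behind its own firewall interface.
ZONES = {"enterprise": "eth0", "supervisory": "eth1", "control": "eth2"}

# Assumed conduits. control -> supervisory is listed on its own: the HMI
# polling the PLC does not imply the PLC may open connections back.
CONDUITS = [
    Conduit("supervisory", "control", "tcp", 502, "HMI polls PLCs over Modbus/TCP"),
    Conduit("supervisory", "control", "tcp", 44818, "HMI explicit messaging, EtherNet/IP"),
    Conduit("control", "supervisory", "udp", 514, "PLC syslog to the collector"),
]


def is_permitted(src_zone, dst_zone, proto, dport, conduits=CONDUITS):
    """Would a NEW connection from src_zone to dst_zone be accepted? Default deny."""
    return any(
        c.src_zone == src_zone and c.dst_zone == dst_zone
        and c.proto == proto and c.dport == dport
        for c in conduits
    )


def render_nftables(zones=ZONES, conduits=CONDUITS):
    """Emit an nft ruleset: default drop on forward, replies only via conntrack."""
    lines = [
        "table inet icsfw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for c in conduits:
        if c.src_zone not in zones or c.dst_zone not in zones:
            raise ValueError(f"unknown zone in conduit: {c}")
        lines.append(
            f'    iifname "{zones[c.src_zone]}" oifname "{zones[c.dst_zone]}" '
            f'{c.proto} dport {c.dport} ct state new accept comment "{c.comment}"'
        )
    # Anything not matched above is counted and logged, then dropped by policy.
    lines += ['    counter log prefix "icsfw-drop "', "  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
```

The control-to-supervisory syslog conduit exists because a PLC pushing logs is a legitimate, listed flow; the same PLC opening a TCP connection toward the enterprise zone matches nothing, reaches the counter/log rule and is dropped by policy, which is the outbound control the slide calls for. Load the output with `nft -f` only after checking the conduit list against a capture of the real traffic.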
41. 41
• Additional measures related to Access Control:
Only allow a user to log in to an HMI if the user has successfully
badged into the control room (user credentials combined with
physical access controls)
Only allow a user to operate a given control from a specific
controller (user credentials limited within a security group)
Only allow a user to authenticate during that user’s shift (user
credentials combined with personnel management)
Additional Measures
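The three rules on this slide combine into one authorization decision. The following is an added example, not code from the original slides; the operator directory, badge state and shift times are constructed, and password verification is assumed to be done by the directory (only its yes/no result is passed in).

```python
"""HMI login authorization combining account credentials with physical
badge state, the operator's shift and the controller group.

Added example, not code from the original slides. OPERATORS, BADGED_IN and
the shift times are constructed assumptions; the password check itself is
assumed to happen in the directory and only its result is passed in.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Operator:
    username: str
    controllers: frozenset   # controllers this account may operate (security group)
    shift_start: time
    shift_end: time          # earlier than shift_start when the shift spans midnight


OPERATORS = {   # constructed directory
    "alice": Operator("alice", frozenset({"boiler-plc-1"}), time(6, 0), time(14, 0)),
    "bob": Operator("bob", frozenset({"boiler-plc-1", "pump-plc-2"}), time(22, 0), time(6, 0)),
}

# Constructed badge state: who has badged into which room and not yet badged out.
BADGED_IN = {("alice", "control-room-A"), ("bob", "control-room-A")}


def on_shift(op, now):
    """True when `now` falls inside the operator's shift, handling night shifts."""
    t = now.time()
    if op.shift_start <= op.shift_end:
        return op.shift_start <= t < op.shift_end
    return t >= op.shift_start or t < op.shift_end   # wraps past midnight


def authorize(username, password_ok, room, controller, now,
              operators=OPERATORS, badged_in=BADGED_IN):
    """Return (allowed, reason). Every factor must pass; the first failure is reported."""
    op = operators.get(username)
    if op is None or not password_ok:
        return False, "invalid credentials"   # same answer for unknown user and bad password
    if (username, room) not in badged_in:
        return False, f"{username} has not badged into {room}"
    if not on_shift(op, now):
        return False, f"{username} is outside their shift"
    if controller not in op.controllers:
        return False, f"{username} is not in the group for {controller}"
    return True, "ok"


if __name__ == "__main__":
    print(authorize("alice", True, "control-room-A", "boiler-plc-1", datetime(2024, 5, 1, 10, 0)))
    print(authorize("alice", True, "control-room-A", "boiler-plc-1", datetime(2024, 5, 1, 15, 0)))
```

The badge check is keyed on the room the HMI is physically in, so a valid password replayed from elsewhere on the network fails even during the operator's shift; the ordering of checks also keeps the "invalid credentials" answer identical for unknown and known users.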
42. 42
• A routable network
Typically means Ethernet and TCP/IP,
“Routable” networks also include routable variants of SCADA and
ICS protocols that have been modified to operate over TCP/IP,
such as Modbus/TCP or ICCP over TCP/IP.
• A non-routable network
Refers to those serial, bus, and point-to-point communication
links that utilize Modbus/RTU, point-to-point ICCP, fieldbus,
and other networks.
They are still networks: they interconnect devices and provide a
communication path between digital devices
In many cases are designed for remote command and control.
Routable and non-routable
44. 44
• An asset is a unique device that is used within an industrial
control system.
• Assets
computers, network switches, routers, firewalls, printers, alarm
systems, Human–Machine Interfaces (HMIs), Programmable
Logic Controllers (PLCs), Remote Terminal Units (RTUs),
and the various relays, actuators, sensors, and other devices that
make up a typical control loop.
Assets in Industrial Control Systems
45. 45
• A “cyber asset”
is any device connected via a routable protocol
• A “critical cyber asset”
is a cyber asset whose operation can impact the bulk electric
system
Assets (as defined by NERC CIP)
46. 46
• In 2000, a disgruntled man in Australia who was rejected for a
government job was accused of using a radio transmitter to
alter electronic data within a sewerage pumping station,
causing the release of over two hundred thousand gallons of
raw sewage into nearby rivers.
Example of Industrial Network Incidents
47. 47
• In 2007, there was the Aurora Project: a controlled experiment
by the Idaho National Laboratories (INL), which successfully
demonstrated that a controller could be destroyed via a cyber
attack. The vulnerability allowed hackers—which in this case were
white-hat security researchers at the INL—to successfully open and
close breakers on a diesel generator out of synch, causing an
explosive failure. In September 2007, CNN reported on the
experiment, bringing the security of our power infrastructure into
the popular media.
• The Aurora vulnerability remains a concern today. Although the
North American Electric Reliability Corporation (NERC) first
issued an alert on Aurora in June 2007, a few months before CNN’s
report, it has since provided additional alerts, as recently as an
October 2010 alert that provides clear mitigation strategies for
dealing with the vulnerability.
Example of Industrial Network Incidents - continued
48. 48
• In 2008, the agent.btz worm began infecting U.S. military
machines and was reportedly carried into CENTCOM’s
classified network on a USB thumb drive later that year.
Although the CENTCOM breach, reported by CBS’ 60 Minutes
in November 2009, was widely publicized, the specifics are
difficult to ascertain and the damages and intentions remain
highly speculative.
Example of Industrial Network Incidents - continued
49. 49
• Stuxnet, the new weapon of cyber war,
began to infect industrial control systems in 2010.
• After Stuxnet, any doubt about the possibility of a targeted
cyber attack against an industrial network was settled
by this extremely complex and sophisticated collection of malware.
Example of Industrial Network Incidents - Stuxnet
50. 50
• Stuxnet looks for Siemens SIMATIC WinCC and PCS 7 installations,
spreads between them using the vendor’s hard-coded default WinCC
database credentials, and then infects connected Programmable Logic
Controllers (PLCs) by hooking the Step 7 PLC communication library so
that its own code is loaded onto the PLC and hidden from the engineer
(the PLC rootkit). It selects PLCs with Profibus communication
processors attached, Profibus being the Siemens fieldbus over which the
PLC drives the equipment.
• Stuxnet then looks for automation devices using a frequency
converter that controls the speed of a motor. If it sees a
controller operating within a range of 800–1200 Hz, it
attempts to sabotage the operation
Example of Industrial Network Incidents – Stuxnet (continued)
51. 51
• In February 2011, McAfee announced the discovery of a series
of coordinated attacks against oil, energy, and petrochemical
companies. The attacks, which originated primarily in China,
were believed to have begun in 2009, operating
continuously and covertly for the purpose of information
extraction.
• Night Dragon is further evidence of how an outside attacker
can (and will) infiltrate critical systems.
• Although the attack did not result in sabotage, as was the case
with Stuxnet, it did involve the theft of sensitive information.
Example of Industrial Network Incidents – Night Dragon
52. 52
• Understanding how industrial networks operate requires a
basic understanding of the underlying communications
protocols that are used, where they are used, and why.
• Designed for efficiency and reliability to support the economic
and operational requirements of large distributed control
systems.
• Similarly, most industrial protocols are designed for real-time
operation to support precision operations.
Industrial Network Controls
53. 53
• So, for the sake of efficiency, they often do not include security features
such as authentication and encryption, both of which require
additional overhead.
• To further complicate matters, many of these protocols have
been modified to run over Ethernet and Internet Protocol (IP)
networks in order to meet the evolving needs of business,
potentially exposing these vulnerable protocols to attack.
Industrial Network Protocols
54. 54
• Industrial Network Protocols are real-time communications
protocols.
• Developed to interconnect the systems, interfaces, and
instruments that make up an industrial control system.
• Most were designed initially to communicate serially over RS-
232, RS-485, or other serial connections but have since evolved
to operate over Ethernet networks using routable protocols
such as TCP/IP.
Industrial Network Protocols
55. 55
• Modicon Communication Bus (Modbus)
• Inter Control Center Protocol (ICCP, also known as
TASE.2 or Telecontrol Application Service Element-2)
• Distributed Network Protocol (DNP3)
• Object Linking and Embedding for Process Control (OPC)
Other Protocols
56. 56
• The oldest and perhaps the most widely deployed industrial
control communications protocol.
• It was designed in 1979 by Modicon (now part of Schneider
Electric), the company that invented the first Programmable Logic
Controller (PLC).
• Modbus has been widely adopted as a de facto standard and has
been enhanced over the years into several distinct variants.
MODBUS
57. 57
• Modbus is an application layer messaging protocol, meaning
that it operates at layer 7 of the OSI model.
• It allows for efficient communications based on a request/reply
methodology.
• It can be used by extremely simple devices such as sensors or
motors to communicate with a more complex computer.
MODBUS - Continued
60. 60
• Lack of authentication.
Modbus sessions only require the use of a valid Modbus address (unit
identifier) and a valid function code.
The address can be guessed or simply tried exhaustively, and the function
codes are published in the specification.
• Lack of encryption
Commands and addresses are transmitted in clear text and can
therefore be easily captured and spoofed.
• Lack of message checksum (Modbus TCP only).
A spoofed command is even easier over Modbus TCP, because the serial
variants’ CRC/LRC is dropped and integrity is left to the transport layer
(the TCP checksum), not the application layer.
Security Concerns
61. 61
• Lack of broadcast suppression (serial Modbus variants
only).
All serially connected devices will receive all messages, meaning a
broadcast of unknown addresses can be used for effective denial of
service (DoS) to a chain of serially connected devices.
• Programmability. By far, the most dangerous quality of
Modbus—which is shared with many industrial protocols—is
that it is intentionally designed to program controllers, and
could be used to inject malicious logic into an RTU or PLC.
Security Concerns - continued
63. 63
• Modbus, like many industrial control protocols,
should only be used to communicate between sets of known
devices
using expected function codes, and as such it is easily monitored
by establishing clear groupings / separation and
baselining acceptable behavior.
Modbus – Security Recommendations
64. 64
• Ethernet/IP (the “IP” stands for Industrial Protocol) carries the
Common Industrial Protocol (CIP) suite over standard Ethernet and
TCP/IP: explicit messaging and the encapsulation layer use TCP and
UDP port 44818, and implicit I/O uses UDP port 2222.
• Communication is typically
client/server (“explicit” messaging)
although an “implicit” mode is supported to handle real-time
requirements.
• Implicit mode uses connectionless transport, specifically the
User Datagram Protocol (UDP) and multicast transmissions, to
minimize latency and jitter.
Ethernet Industrial Protocol – Ethernet/IP
65. 65
• The CIP uses object models to define the various qualities of a
device.
• There are three types of objects:
Required Objects, which define attributes such as device
identifiers, routing identifiers, and other attributes of a device
such as the manufacturer, serial number, date of manufacture,
etc.;
Application Objects, which define input and output profiles for
devices;
Vendor-specific Objects, which enable vendors to add
proprietary objects to a device. Objects (other than vendor-specific
objects) are standardized by device type and function, to facilitate
interoperability.
Common Industrial Protocol (CIP)
66. 66
• Ethernet/IP is
a real-time Ethernet protocol
it is susceptible to any of the vulnerabilities of Ethernet.
• Ethernet/IP over UDP is transaction-less and so there is no
inherent network-layer mechanism for reliability, ordering, or
data integrity checks.
• The CIP also introduces some specific security concerns, due to
its well-defined object model.
Security Concerns
67. 67
• The CIP does not define any explicit or implicit mechanisms for
security.
• The use of common “Required Objects” for device identification
can facilitate device identification and enumeration, facilitating an
attack.
• The use of common “Application Objects” for device information
exchange and control can enable broader industrial attacks, able to
manipulate a broad range of industrial devices.
• Ethernet/IP’s use of UDP and Multicast traffic (both of which lack
transmission control) for real-time transmissions facilitates the
injection of spoofed traffic or (in the case of multicast traffic) the
manipulation of the transmission path using injected IGMP
controls.
Ethernet/IP Security Concerns
68. 68
• Because Ethernet/IP is a real-time Ethernet protocol using
UDP and IGMP, it is necessary to provide Ethernet and IP-
based security at the perimeter of any Ethernet/IP network.
• It is also recommended that passive network monitoring be
used to ensure the integrity of the Ethernet/IP network,
ensuring that the Ethernet/IP protocol is only being used by
explicitly identified devices and that no Ethernet/IP traffic is
originating from an unauthorized, outside source. This can be
accomplished using a SCADA-IDS/IPS or other network
monitoring device capable of detecting and interpreting the
Ethernet/IP protocol.
Security Recommendations
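Both the Modbus recommendation (slide 63: known device pairs, expected function codes, a baseline of acceptable behavior) and the Ethernet/IP recommendation above (only explicitly identified devices, no traffic from unauthorized sources) reduce to the same passive check. As an added example, not code from the original slides or from any IDS product, the monitor below decodes the Modbus/TCP MBAP header and the EtherNet/IP encapsulation header and compares each packet against a constructed baseline; the addresses, the baseline and the sample packets are assumptions.

```python
"""Passive allowlist monitor for Modbus/TCP and EtherNet/IP traffic.

Added example, not code from the original slides. The device addresses,
the baseline of permitted (source, destination, function) combinations and
the sample packets are constructed for illustration. Decode just enough of
each protocol header to know who is talking to whom and what they ask for,
then compare with an explicit baseline. Neither protocol authenticates the
sender, so the baseline is what separates a legitimate write or
ListIdentity from a spoofed one.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT, ENIP_PORT = 502, 44818
ENIP_LIST_IDENTITY = 0x0063
MODBUS_WRITE_FCS = {5, 6, 15, 16, 22, 23}   # public write function codes
MODBUS_FC_NAMES = {1: "Read Coils", 3: "Read Holding Registers", 6: "Write Single Register",
                   16: "Write Multiple Registers"}
ENIP_COMMANDS = {0x0063: "ListIdentity", 0x0065: "RegisterSession", 0x006F: "SendRRData",
                 0x0070: "SendUnitData"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_mbap(payload):
    """(unit_id, function_code) from a Modbus/TCP ADU, or None if malformed."""
    if len(payload) < 8:
        return None
    _tid, proto_id, length, unit_id, fc = struct.unpack(">HHHBB", payload[:8])
    if proto_id != 0 or length != len(payload) - 6:   # length covers unit id + PDU
        return None
    return unit_id, fc


def parse_enip(payload):
    """Encapsulation command from a 24-byte EtherNet/IP header, or None if malformed."""
    if len(payload) < 24:
        return None
    cmd, length, _session, _status = struct.unpack("<HHII", payload[:12])
    return cmd if length == len(payload) - 24 else None


# Constructed baseline: (src, dst, dport) -> permitted function codes / commands.
BASELINE = {
    ("10.1.2.10", "10.1.3.20", MODBUS_PORT): {1, 2, 3, 4},            # HMI: reads only
    ("10.1.2.11", "10.1.3.20", MODBUS_PORT): {3, 6, 16},              # engineering workstation may write
    ("10.1.2.10", "10.1.3.21", ENIP_PORT): {0x0065, 0x0066, 0x006F},  # HMI explicit messaging
}


def check(pkt, baseline=BASELINE):
    """Return alert strings for one packet; an empty list means it matches the baseline."""
    if pkt.dport == MODBUS_PORT:
        parsed = parse_mbap(pkt.payload)
        if parsed is None:
            return [f"malformed Modbus/TCP from {pkt.src}"]
        code = parsed[1]
        name = MODBUS_FC_NAMES.get(code, f"FC {code}")
    elif pkt.dport == ENIP_PORT:
        code = parse_enip(pkt.payload)
        if code is None:
            return [f"malformed EtherNet/IP from {pkt.src}"]
        name = ENIP_COMMANDS.get(code, f"command 0x{code:04x}")
    else:
        return []                                    # not a protocol this monitor decodes
    allowed = baseline.get((pkt.src, pkt.dst, pkt.dport))
    if allowed is None:
        alerts = [f"unbaselined pair {pkt.src} -> {pkt.dst}:{pkt.dport} ({name})"]
        if pkt.dport == ENIP_PORT and code == ENIP_LIST_IDENTITY:
            alerts.append(f"device enumeration (ListIdentity) from unknown host {pkt.src}")
        if pkt.dport == MODBUS_PORT and code in MODBUS_WRITE_FCS:
            alerts.append(f"unauthenticated write ({name}) from unknown host {pkt.src}")
        return alerts
    return [] if code in allowed else [f"{pkt.src} -> {pkt.dst}: {name} not in baseline"]


def modbus_adu(unit_id, fc, body, tid=1):
    """Build a Modbus/TCP ADU; used here only to construct sample traffic."""
    pdu = bytes([fc]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def enip_frame(cmd, body=b"", session=0):
    """Build an EtherNet/IP encapsulation frame; used only for sample traffic."""
    return struct.pack("<HHII8sI", cmd, len(body), session, 0, b"\x00" * 8, 0) + body


SAMPLE_PACKETS = [   # constructed: HMI read, HMI write, spoofed write, scan, HMI session
    Packet("10.1.2.10", "10.1.3.20", MODBUS_PORT, modbus_adu(1, 3, struct.pack(">HH", 0, 10))),
    Packet("10.1.2.10", "10.1.3.20", MODBUS_PORT,
           modbus_adu(1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x01")),
    Packet("10.1.2.99", "10.1.3.20", MODBUS_PORT, modbus_adu(1, 6, struct.pack(">HH", 0, 0))),
    Packet("10.1.2.99", "10.1.3.21", ENIP_PORT, enip_frame(ENIP_LIST_IDENTITY)),
    Packet("10.1.2.10", "10.1.3.21", ENIP_PORT, enip_frame(0x0065, struct.pack("<HH", 1, 0))),
]


def scan(packets, baseline=BASELINE):
    """Run packets through check() and collect every alert."""
    return [alert for pkt in packets for alert in check(pkt, baseline)]
```

A real deployment feeds check() from a SPAN port or a capture file rather than the constructed list; the point is that the spoofed write and the ListIdentity sweep carry perfectly valid headers and are distinguishable from legitimate traffic only by the baseline, since neither protocol authenticates the sender or protects integrity beyond the TCP checksum.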
69. 69
• Monitoring your network, including ICS traffic
• Creating a baseline
• Security awareness program
• Network isolation
• Firmware updates (very challenging in ICS, as they usually require an outage and vendor approval)
• IDS/IPS
• Penetration testing on a test network, never on the production network
Final Recommendations
70. 70
• Failsafe
• Apply forensics if needed
• Implement security best practices
• Connect with others who are experts in the field
Final Recommendations - continued