IoT & SCADA Cyber Security Services

RIOT SOLUTIONS PTY LTD P.O. Box 10087 Adelaide St Brisbane QLD 4000

BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T: 1300 744 028

Email: sales@RIoTSolutions.com.au

www.RIoTSolutions.com.au

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 2 of 12

Table of Contents

1 Overview ........................................................................................... 3

1.1 Offer of Professional Services ................................................................................................. 3

1.2 Skills and Experience ............................................................................................................... 4

2 Services .............................................................................................. 5

2.1 IoT Cyber Security Assessment ............................................................................................... 5

2.2 ICS/SCADA Cyber Security Assessment ................................................................................... 9

3 Pricing .............................................................................................. 12

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 3 of 12

1 Overview

RIoT Solutions offers a range of cyber security services to meet clients’ digital technology needs. Specifically, these relate to IoT (Internet of Things) technologies and SCADA (Supervisory Control and Data Acquisition) systems.

As technology solutions are designed and implemented for IoT projects, there is a requirements for security assessments that are performed by an independent 3rd party organisation specialising in cyber security, with an appropriately qualified resources.

The purpose of this document is to outline the approach and proposed services that RIoT Solutions recommends, and to assist organisations in understanding the scope of the work and effort required to achieve the desired business outcomes.

1.1 Offer of Professional Services

RIoT Solutions offers the following key cyber security services to enable organisations to attain the desired outcomes listed in the previous section. The services are packaged and available on a fixed-scope fee basis. Further aspects of each service are listed in section 2: Services.

1.1.1. IoT Systems

Service Description Deliverables

IoT Cyber

Security

Assessment

(High-level)

Review overall security against

key IOT vulnerability categories

in:

OWASP IoT Top 10

Provide a report with:

- Identified vulnerabilities, and the resulting

risks

- Prioritised list of recommendations for risk

mitigations

IoT Cyber

Security

Assessment

(Detailed)

Review overall security design

and the elements of a Protection

Architecture for IoT, utilising

Cloud Security Alliance (CSA)

reference:

Security Guidance for Early

Adopters of the IoT

Provide a report with:

- Identified security architecture issues,

vulnerabilities, and the resulting risks, plus

rating against CSA’s list of recommended

security controls

- Prioritised list of recommendations for

addressing security architecture weaknesses

IoT Security

Vulnerability

Testing

Perform vulnerability testing of

the supporting infrastructure

(devices, hosts, networks and

services) of the target IoT

solution

Identify, and where safe to do so,

exploit vulnerabilities to confirm

risk exposure

Provide a report with:

- Identified technical vulnerabilities, sample

attack / exploitation steps, and the resulting

risks

- Identified effective security controls

- Prioritised list of recommendations for risk

mitigations

Table 1: Professional Services – Security Assessments of IoT Systems

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 4 of 12

1.1.2. SCADA Systems

Service Description Deliverables

SCADA Cyber

Security

Operations

Review

Review the current state of SCADA

cyber security operations against

industry best practice guidelines:

NIST Framework for Improving

Critical Infrastructure Cybersecurity

Provide a report showing:

- How management of cyber security

risks compares to best practice

- Recommendations for addressing

any identified gaps

SCADA Security

Vulnerability

Assessment

Perform an independent testing of

nominated SCADA network

segments

Provide a report with:

- Identified technical vulnerabilities

- Sample attack / exploitation steps (if

permitted), and the resulting risks

- Identified effective security controls

- Prioritised list of recommendations

for risk mitigations

Table 2: Professional Services – Security Assessments of SCADA Systems

Note: the services above do not constitute a finite, locked service scope offering—this initial service range had been put together without the known aspects of the scale and complexity of the targeted IoT or SCADA systems. RIoT Solutions can customise the services, or add additional ones, depending on specific requirements.

1.2 Skills and Experience

Our experience covers all areas of cyber security and risk assessments of critical infrastructure consisting of potentially fragile network-connected systems such as Real-Time SCADA and other devices deployed within healthcare, transportation and energy supply industries.

We are one of the few organisations that offer resources with ICS/SCADA security specific training and certification—RIoT Solutions consultants have attained the Certified SCADA Security Architect (CSSA) qualification, attended a diverse range of ICS security focused training courses and conferences in Europe and USA, and have provided critical infrastructure security assessment services to many Queensland organisations that operate and/or build critical infrastructure systems.

Our consultants had been involved in developing and executing successful Social Engineering campaigns, performing cyber-attack simulations, and also security research that led to identification of 0-day vulnerabilities and development of proof-of-concept exploits against Smart Meter infrastructure, SCADA power meter equipment, a national wireless BYOD rollout, and a biomedical infusion pump control unit.

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 5 of 12

2 Services

The proposed cyber security services are specifically tailored to the unique characteristics of IoT and ICS/SCADA solutions. Sections 2.1 and 2.2 detail the approach and methodologies of each service offering.

2.1 IoT Cyber Security Assessment

Assuring the security of each component within an IoT system is imperative in order to prevent malicious actors from gaining unauthorised access to, or the ability to tamper with, systems and data that form the IoT solution.

Since a typical IoT solution will introduce large quantities of new devices and/or embedded components throughout an organization, it is highly likely that this will lead to an increase of potential cyber security risks within the IoT solution’s deployment, and—where connected to enterprise or ICS/SCADA systems—it might also introduce additional risks of the IoT solution being used as an attack vector into an organisation’s other critical assets.

RIoT Solutions offers the following levels of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique solution requiring a security review:

High-level Assessment

Detailed Assessment

Security Vulnerability Testing

2.1.1. High-level Assessment

Service scope:

Review overall security of the target IoT solution against list of the 10 key vulnerability categories specified in the OWASP Internet of Things Top 10 Project

The Open Web Application Security Project (OWASP) is not-for-profit organisation focused on improving the security of software. Since 2003, it has been providing applications security testing and design guidance, and in 2014, OWASP compiled an IoT dedicated list: IoT Top 10.

Whilst it is intended only as a high-level guidance for reviewing IoT security, it was designed to cover all attack surface areas, in order to get a good, high-level assessment of overall security. The ‘IoT Top 10’ categories are:

Rank Title

I-1 Insecure Web Interface

I-2 Insufficient Authentication/Authorization

I-3 Insecure Network Services

I-4 Lack of Transport Encryption

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 6 of 12

I-5 Privacy Concerns

I-6 Insecure Cloud Interface

I-7 Insecure Mobile Interface

I-8 Insufficient Security Configurability

I-9 Insecure Software/Firmware

I-10 Poor Physical Security

Table 3: Top 10 IoT Vulnerabilities (OWASP 2014)

Objectives:

Evaluate the target IoT solution for security weaknesses, map the main attack surface areas for any IoT device, communication network and back-end systems, in order to provide guidance on how to avoid or mitigate vulnerabilities within each component.

Key benefits:

Improve security of systems designed and implemented

Identify and remediate key security vulnerabilities before solutions go live

Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind

Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed, especially given the fact that many IoT devices have very little or no in-built security features.

Deliverables:

Provide a detailed report, clearly documenting any vulnerabilities and resulting risks, and showing the remediation recommendations. The report will also highlight all areas where best practice recommendations are already being met.

Constraints:

A comprehensive testing against every single category. For example, extended testing of the ‘Insecure Web Interface’ of a complex IoT data analytics platform could involve an in-depth testing against OWASP Top 10 for web application security—such engagements usually take more than five days.

2.1.2. Detailed Assessment

Service Scope:

Review overall security design and applicable details of the target IoT solution against guidance for the secure implementation of IoT-based systems, specified in Cloud Security Alliance (CSA) Security Guidance for Early Adopters of the Internet of Things

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 7 of 12

The CSA is an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. It maintains Working Groups across 28 domains of Cloud Security. One of the groups is the Internet of Things Working Group that conducts research into best practices for securing IoT implementations.

The Security Guidance for Early Adopters of the IoT outlines the current challenges to secure IoT deployments, and seeks to address them via suggested Recommended Security Controls, tailored to IoT-specific characteristics.

The CSA key recommended security controls are:

Analyse privacy impacts to stakeholders (e.g. data capture at points of collection, processing, transport and storage)

Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System (e.g. threat modelling, secure development, and secure supply chain)

Implement layered security protections to defend IoT assets (at the Network, Application, Device, Physical and Human layers)

Implement data protection best-practices to protect sensitive information (data identification, classification and security)

Define lifecycle controls for IoT devices (plan, deploy, manage, monitor and detect, remediate)

Define and implement an authentication/authorization framework for the organisation’s IoT Deployments (the authentication method will depend on the constraints of the device)

Define and implement a logging/audit framework for the organisation’s IoT ecosystem (what events and metadata to log, and to where).

CSA have tailored these controls to IoT-specific characteristics to allow early adopters of the IoT to mitigate many of the risks associated with this new technology.

Objectives:

Evaluate the target IoT solution for security architecture weaknesses, document resulting risks, and provide rating against CSA’s list of recommended security controls.

Provide guidance on how to avoid or mitigate vulnerabilities within each IoT architecture component.

Key benefits:

Improve security of systems designed and implemented

Identify and remediate key security vulnerabilities and security architecture weaknesses before solutions go live

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 8 of 12

Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind

Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed.

Deliverables:

Provide a detailed report documenting the identified security architecture issues, vulnerabilities, the resulting risks, and rating against CSA’s list of recommended security controls. Include a prioritised list of recommendations for addressing security architecture weaknesses.

Constraints:

As per the previously listed constraints for the High-level assessment service, extended review of all aspects of the IOT solution’s application-layer, unless it is requested as an additional service focused on application security testing and design review.

2.1.3. Security Vulnerability Testing

Service Scope:

Perform an independent security testing of the supporting infrastructure (devices, hosts, networks and services) of the target IoT solution, in the context of an unauthenticated, anonymous user

Where applicable, login with provided test user account with low privileges, to check for weak access restrictions to sensitive data, systems and management interfaces for authenticated users.

Objectives:

Identify and document any risks to the target IoT solution, posed by a potential attacker connected to any of the IoT solution components, and/or by an authenticated low-privilege user

Provide guidance on how to avoid or mitigate vulnerabilities within each component.

Key benefit:

Identification and ensuing reduction of risks within designed and/or implemented IoT solution environment.

Deliverables:

Provide a detailed report documenting Identified technical vulnerabilities, sample attack / exploitation steps, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations.

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 9 of 12

Constraints:

High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. Denial of Service attacks, brute-force password guessing, etc.), due to potential impact on live environments.

For any systems or components that are deemed too critical and potentially fragile, RIoT Solutions will work closely with the customer in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system(s) in a LAB environment.

2.2 ICS/SCADA Cyber Security Assessment

RIoT Solutions offers the following two types of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique SCADA environment requiring a security review:

Cyber Security Operations Review

Security Vulnerability Assessment.

The Cyber Security Operations Review service utilises passive, off-line review methods for ascertaining the security posture of the target SCADA system, and such poses no risk to systems and data in production environments.

The Security Vulnerability Assessment service includes testing activities that utilise network level connections to nominated (and approved) parts of the target SCADA system. Whilst RIoT Solutions takes appropriate precautions and our customised testing methodology takes inherent risks of testing time-critical systems operations of ICS/SCADA into consideration, some risks cannot be completely eliminated. Therefore, whenever possible, active cyber security testing should be performed on a backup or offline systems.

If there are any components of the target SCADA system deemed critical and potentially fragile (e.g. a legacy system with known performance and/or stability issues), RIoT Solutions will work closely with customers in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system in a LAB environment.

2.2.1. SCADA Cyber Security Operations Review

Scope:

Review the current state of the target SCADA systems’ cyber security operation against industry best practice guidelines

RIoT Solutions proposes to utilise the following well established best practice framework that is appropriate for Industrial Control Systems / SCADA systems:

NIST Framework for Improving Critical Infrastructure Cybersecurity

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 10 of 12

The National Institute of Standards and Technology (NIST) Framework is technology neutral and relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. The Framework is a risk-based approach to managing cybersecurity risk, and its core consists of five concurrent and continuous functions:

Identify, Protect, Detect, Respond and Recover.

When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

Objectives:

Enable organisations to determine their current cyber security capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cyber security programs.

Identify and prioritize actions for reducing cyber security risk, and align policy, business, and technological approaches to managing that risk.

Key benefits:

Enable organisations to apply the principles and best practices of risk management to improving the security and resilience of their Operation Technology network(s).

Deliverables:

Provide a detailed report outlining how management of cyber security risks within the target SCADA system compares to best practice (NIST guidelines), and include recommendations for addressing any identified gaps.

Constraints:

A detailed compliance type audit, as this would have high cost and time implications, whilst providing limited benefits.

2.2.2. SCADA Security Vulnerability Assessment

Scope:

Perform an independent testing of nominated SCADA network segments, in the context of an unauthenticated, anonymous user. All testing is conditional on approval of an agreed testing plan and applicable restrictions and precautions, if any testing targets are in production environments.

Login with provided test user account with low privileges, to check for weak access restrictions to SCADA management and monitoring systems for authenticated users (privilege escalation, overly permissive access to internal resources, etc.)

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 11 of 12

Objectives:

Identify and document any risks to the target SCADA system, posed by an authenticated low-privilege user, and by a potential attacker connected to the SCADA network and/or identified external network connection entry points.

Key benefit:

Identification and ensuing reduction of risks within a SCADA environment

Verification of restrictions applicable to configuration of role-based security controls, for non-administrative and non-privileged user accounts on the SCADA network.

Deliverables:

Provide a detailed report documenting Identified technical vulnerabilities, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations.

Where SCADA components vulnerability confirmation testing was permitted, document the steps an attacker might take. Regarding evidence, ensure the approach does not put the target system at risk (e.g. use screen shots of accessible system administration interfaces, but do not alter any settings and/or data).

Constraints:

High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. exhaustive network port scans, Denial of Service attacks, brute-force password guessing, etc.) due to potential impact on live environments.

RIoT Solutions Pty Ltd IoT & SCADA Cyber Security Services

Page 12 of 12

3 Pricing

The proposed services are offered at a fixed price, and can be consumed individually in any order that fits the organisation’s requirements.

Due to the unknown scale and complexity of the IoT or SCADA targets, the assessment effort estimates are based on our previous work on small to medium size sites. For example, SCADA Vulnerability Testing of one Control Centre and network connected devices on few remote field sites (where travel to sites was not required) usually takes a minimum of 7 days.

3.1.1. IoT Systems

Service Price (excl. GST)

IoT Cyber Security Assessment (High-level) $ 8,250

IoT Cyber Security Assessment (Detailed) $ 11,550

IoT Security Vulnerability Testing $ 8,250

Table 4: Investment – IoT Cyber Security Services

3.1.2. SCADA Systems

Service Price (excl. GST)

SCADA Cyber Security Operations Review $ 8,250

SCADA Security Vulnerability Testing $ 11,550

Table 5: Investment – SCADA Cyber Security Services