Slide 1

© 2012 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.

WWHMI SCADA-12 Cyber Security Best Practices in the Industrial World

Chris J Smith

for

Paul Forney, MCSE, CSSLP

Chief Technologist

R&D Security Team

Invensys Operations Management

Slide 3

Acknowledgements

Pike Research – Monitoring and

Securing SCADA Networks

All the folks at McAfee (thanks for your help and support)

The Invensys Critical

Infrastructure & Security Practice

Team

Ernie Rakaczsky – Program Manager,

Invensys Cyber-Security

The Department of Homeland

Security CSSP

Slide 4

Stealth Attacks Increasing

SLAMMER:

Hacking For Fun

ZEUS:

Organized Crime

AURORA:

Government Sponsored

Cyber Espionage

STUXNET:

Physical Harm

• More than 1,200 new rootkits detected each day

• More than 2.1M unique rootkits detected

• More than 75M malware detected

• Number of reports of data breaches via hacking, malware, fraud, and insiders has more than doubled since 2009

– TDSS rootkit is used as a persistent backdoor to install other types

– SpyEye is hidden with a rootkit to steal banking credentials

– Stuxnet used a rootkit to hide an APT targeting government infrastructure

STAKES Are Rising Rapidly

Slide 6

Typical Network Architecture

An Attacker has three challenges

1. Gain access to the control system LAN

2. Through Discovery, gain understanding of the process

3. Gain control of the process

Slide 11

Reported ICS Vulnerabilities

ACTUAL - 215

Slide 13

Community of Concern

Standards

NIST

NERC IEC

AGA API

ISA/ISCI IEEE

Industry

Sectors Owner\Operators

Nuclear

Power

Gas

Electric

Water

Oil

Chemical

Control System Cyber

Security Community

National

Labs

SANDIA ARGONNE

INL

PNNL

LLNL Department

of Homeland

Security CSSP

ISAC

HSARPA

US- CERT

NCSD

TSWG

ICSJWG

Academia &

Research

IFAC

SRI

I3P

EPRI

LOGIC2

Vendors

Security

Consultants

Control

Systems

Engineering

Firms

Security

Technologies

Labs &

Research

Slide 15

65%

20%

15%

People Policy and Procedures

Technology

Dennis Brandl – “Three Pillars of Industrial Cyber Security”

A successful Cyber Security Program has 3 major areas of focus with…

Slide 16 Slide 16

Security Objectives

• Prevent unauthorized changes to values in a Controller, PLC, process

or configuration

• Prevent misrepresentation of process values on the HMI

• Reduce possibility of a production slowdown due to ICS software

• Protect integrity of process and event information

• Prevent loss of genealogy information

• Provide availability of the system and safety for the plant personnel

and surrounding environment

Slide 17

Special Restrictions for ICS Security Products*

• Do nothing that negatively impacts network latency

• Restrict SCADA traffic to known and expected message types

• Isolate the SCADA network from any other networks, including the

enterprise

• Collect and analyze from multiple sources beyond only IT events

• Prioritize situational awareness to prevent cyber incidents

• Implement strong change management for all SCADA modifications

• Use security products that are simple to deploy and manage

• Involve SCADA operations personnel in all SCADA security decisions

*Pike Research – Monitoring and

Securing SCADA Networks

Slide 20

End

po

int

Ne

twork

D

ata

Corporate IT SCADA Device Network

Enterprise Apps

Ethernet, TCP/IP

Modern Computers

(Windows, Linux, Mac)

SCADA, HMI

Ethernet, Serial

Legacy Computers

(Windows)

Ladder Logic

Ethernet, Serial, Relays

Special Function

(Embedded OS)

What We Need to Protect

Slide 21

Multiple Zone Network

Anti-Virus Intrusion

Prevention

Controls

Network

Zone

PC Portal

Interface

Control Node Bus

Application

Workstation

Field I/O

I/O

I/O

Interface

PLC

I/O

I/O

I/O

I/O

Control

Station

Plant

Network

Zone

PC

Workstation

File & Print

Services Wireless

Control Network

Firewall

Data

Center

Zone

Network

Monitoring

Content

Filtering Anti-Virus

Remote

Access

Server

Monitoring

Web Usage

Reporting

Wireless

Security

Service Level

Management

User

Management

Server

Management Anti-SPAM

Intrusion

Prevention

Internet

Firewall

Internet

Internet

Zone Perimeter

Firewall

Established Adaptation for over 8 years

Slide 23

Best Practices for Securing an ICS

Maintain the latest

Invensys-authorized Operating System

(OS) and application patches.

Test every patch to ensuring

deployment does not impact

operations.

Always use current

anti-virus definitions.

Verify update was successfully

installed.

Update authorized application software.

Enable Network

Anti-Virus / Intrusion

Prevention System.

Enable System

policies on all capable network

appliances

Slide 24

Best Practices, USB Devices…

Do not use a USB stick unless

it has been scanned

Designate and use specific USB

equipment

To bridge air-gaps, use a

specific designated

station

WITHOUT restriction on USB devices, their portable nature

can be used to compromise your security perimeter!

Slide 25

Machine Hardening (typically no negative effects on the ICS)

Harden Servers and Workstations and

Non-ICS assets

Ensure all software and hardware patches and updates are current.

Run A/V scans.

Disable all unused ports and services.

Harden Bios.

Use static IP addresses, disable DHCP

Disable NetBIOS and NetBIOS over TCIP/IP.

Slide 26

Best Practices, Cont….

Change default “admin” passwords.

Use strong passwords consisting of more than 6-8 characters using special characters when applicable.

Control User Rights.

Do not use accounts across domains.

Implement password aging, history, and complexity requirements.

Always implement Backup and Restore to a network repository.

Slide 27

More To Do’s!

Inventory network assets and keep it up to date.

Run regular network audits

Use physical network isolation when possible

Use logical network segmentation (secure zones) when possible with strict Firewall Rules.

Isolate and control flow of information between Business Network(s) from PCN through use of firewalls.

Require strict firewall rules with specific (/32) source, destination, port, and protocol.

Use DMZs

Slide 28

Network Access

Enable Firewall Logging and Monitor as appropriate

Implement NMS to provide system audit and logging and monitor

Don’t click links or files that aren’t verified

ICS assets should not have internet access

Some ICS assets may need to have access to business network website interfaces so verify all access leaving the ICS network to un-trusted networks

Slide 29

In the event of a Cyber incident

§ Do get a triage team together.

§ Do get copies of all the logs.

§ Do make a VM image of the

affected system.

Work with the antivirus vendor

and other agencies to collect the necessary forensics.

Create an Incident Response Plan before an incident so that you

are prepared. Steps that are typically part of incident response

plans are:

§ Do not start updating anti-virus.

§ Do not start running anti-virus patches.

Slide 30 Slide 30

Vendor Responsibility - Secure By Design

Confidentiality: Protect against unauthorized information disclosure.

Integrity: Prevent unauthorized changes to data.

Availability: Provide the required services uninterrupted 24x7

Authenticity: Determine identity of components and users in reliable and

consistent manner.

Authorization: Control access to various parts of the system based on the user

or code’s credentials.

Non-repudiation: Establish audit trails through system and establish evidence

to track a system operation.

Secure Software is responsible to provide:

Slide 31

Security: Meeting Cyber Security

Requirements

• As a supplier we are positioned to support cyber security requirements throughout the Life-Cycle from within our:

• Software Development Lifecycle – SDL, Testing, Certification, Source Code validation, etc.

• Project Execution – FAT/SAT Security Baseline, Possible Security features and function fully implemented and updated, etc.

• Life-Time Support – Patch Validation, Security updates, vulnerability mitigation, etc.

Slide 32

Project Ozone – Cyber Security Initiative

What is it: Why is it Important: Success is Defined As:

• Assess existing

vulnerabilities in

solution offerings

• Enhance products,

processes and tools

from a security view

• Improve

responsiveness to

Cyber Security

issues

• Increased awareness in the

Industry to Cyber Security

threats and their impact

• Impact on credibility and

cost after Cyber Security

attacks is severe

• Strategic Alignment for an

enterprise connected platform

• Real-time Indicators:

SDL Process Violations (Reduced pre-

release process violations per product)

Security vulnerabilities per product

(Reduction in reported vulnerabilities

closed proactively, found pre-release)

Primary Indicators:

Security Defect Reports (Zero post

release reports)

Responsiveness to threats/issues

(Response time less than 35 days)

Vision To create and enhance processes, knowledge and an ingrained culture for

building secure and robust solutions our Customers can trust.

Slide 33

Cyber Security Updates Released Date Notice

Identification Number

Security Vulnerability Description

Detailed Information

4-8-2011

LFSEC00000054 Stack Based buffer overflow in the InBatch BatchField ActiveX Control

A vulnerability (Stack overflow) has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when used embedded in InTouch® and any third party InBatch Client Programs (VB or C++). In addition, this control can be used in publishing InTouch graphics in Wonderware Information Server.

April 8, 2011 - LFSEC00000054

2-18-2011

LFSEC00000051 Server lm_tcp buffer overflow

A vulnerability has been discovered in InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server.

February 18, 2011 -

LFSEC00000051

7-14-2010 LFSEC00000037 Wonderware ArchestrA ConfigurationAccessComponent ActiveX Stack Overflow

A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) and if exploited, could allow remote code execution.

July 14 2010 Security Update LFSEC00000037

Slide 34

Project Execution Approach

People Training

Process Enhancements

SOP’s and Tools

Product Enhancements

Institutionalized Across Invensys Operations Management

Slide 35 Slide 35

Secure By Design • Security Built in not Added On

• The Microsoft SDL is a software development policy for all products with meaningful business risk and/or access to sensitive data

• Key part of Invensys’ commitment to protect its customers

• Implementing the SDL reduces the Total Cost of Ownership (TCO) for Software Products

• Fewer security patch events required for our products

• Secure software is by nature Quality software

Slide 36 Slide 36

A Careful study of the design of an application to identify weaknesses and vulnerabilities includes 5 steps

1. Identify security objectives

2. Create an application overview

3. Decompose the application

4. Identify threat vectors

5. Identify vulnerabilities

Threat Modeling Approach

Slide 37

Spoofing Identity: Allows an attacker to pose as something or

someone else

Tampering with Data: Involves malicious modification of data or code.

Repudiation: Allows an attacker to perform actions that other parties

can neither confirm or contradict

Information Disclosure: Involves the exposure of information to

individuals who are not supposed to have access to it

Denial of Service: DoS attacks deny or degrade service to valid users

Elevation of Privilege: Occurs when a user gains increased capability

often as an anonymous user taking advantage of a coding error to gain

admin capability

S

T

R

I

D

E

Defend Against S.T.R.I.D.E. Attacks

Slide 38

Our Solution

Implement the Security Development

Lifecycle for all new projects.

Evaluate and model our most critical software for threats, strengthening

with tools from the SDL

Institutionalize Across Invensys Operations Management R&D

Reduce

“Technical Debt”

Legacy

Stop incurring

“Technical Debt”

New Code

Slide 39

Please Subscribe to Security Central!

https://wdn.wonderware.com/sites/WDN/Pages/Security%20Central/CyberSecurityUpdates.aspx

Slide 40

Slide 41

Conclusion

Secure systems start with design – both hardware, software and application deployments

The security journey must be a collaboration between people, processes and technology – there is no silver bullet!

No substitute for a practical security program that provides a long term, self perpetuating maturity model that can be engrained into the culture of an organization to produce the foundation for secure and robust solutions we can trust.

“Within Invensys Operations Management R&D, our journey

has begun for a more Secure Critical Infrastructure.”