Securing Industrial Control Systems Eric Andresen Iowa Infragard – Feb 12, 2016
Transcript

Introduction


Objectives:
- Importance of securing cyber-physical control systems
- Understand some basic components of an industrial control system
- Understand critical manufacturing in the supply chain
- Understand the consequences of cyber attacks in industrial control environments
- Share resources that allow you to better identify, protect, detect, respond and recover from cyber incidents


Eric Andresen, https://www.linkedin.com/in/andresen1206


30 years technical experience, 27 years IT experience; Information Security Manager, IT, for SSAB Americas.

Founding member of the Quad Cities Cybersecurity Alliance; member of IEEE and the Chicago Infragard Chapter.

Experience in electronics, field service, ISP webmaster and Internet services, and enterprise communications.

Certified by FEMA, HP, CompTIA, Microsoft, and others.

Previous positions as Project Manager, Server Management, Critical Infrastructure Management and IT Operations Management.

Resources: https://ics-cert.us-cert.gov/
- Response Resources
- Training
- Alerts
- Advisories
- ICS-CERT Monitor
- Joint Security Awareness Reports (JSARs)
- Tips, Annual Report
- Cyber Security Evaluation Tool (CSET)
- Best Practices (https://ics-cert.us-cert.gov/Recommended-Practices)

We almost can't have a discussion about industrial control systems without first introducing ICS-CERT.

ICS-CERT is a powerful resource and offers many valuable services. It exists within US-CERT, which exists within the Department of Homeland Security. US-CERT is responsible for analyzing and reducing cyber threats, reducing vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities at a national level for both private and public organizations.

ICS-CERT is a specialized team focusing on industrial control systems. The name is short for Industrial Control Systems Cyber Emergency Response Team, and they play a key role in securing control systems. In addition to their role in analysis and information sharing, ICS-CERT offers some services that are not so obvious, and all of them are free.

They conduct vulnerability, malware, and digital media analysis; provide onsite incident response services; provide situational awareness in the form of actionable intelligence; and coordinate responsible disclosure of vulnerabilities along with any associated mitigations.

Threat Trends in Industrial Control
- Stuxnet
- BlackEnergy
- Havex (associated with the group known as Dragonfly or Energetic Bear)

In July of 2010, the ICS-CERT was notified of the existence of new malware called Stuxnet. It was believed to have been introduced to the victim through a USB stick. The code was very complex and contained over 4,000 functions; as much code as some commercial products.

While it is not the first time that hackers have targeted industrial control systems, it is the first discovered malware that subverts industrial systems by including a programmable logic controller (PLC) rootkit.

In February of 2012, ICS-CERT reported on several new, publicly released exploits that specifically targeted programmable logic controllers (PLCs), the building blocks of many industrial control systems.

In December of 2014, ICS-CERT reported numerous industrial control systems compromised in campaigns with multiple victims. The malware reported was attacking the human-machine interface (HMI) components used in industrial control systems.

Within the last 60 days, reports have circulated that a power outage in Ukraine was caused by malware, leaving 700 thousand people without power.

The SANS assessment of the attacks concluded that the attackers used malware to gain a foothold in the targeted utilities, established command and control, and then used deliberately destructive malware to frustrate recovery.

Industry Activity. Source: https://www.youtube.com/watch?v=OVMwI2TWrZw

Before video: Reflecting on this story will help you to understand why I care deeply about protecting industrial control systems. This is a news story from 2014 that talks about a steel company from Germany.

After video: The steel company depicted in this video lost the ability to control their furnaces, and eventually this led to a runaway condition that resulted in the loss of property. In this case it was just property. Industrial controls control physical processes, and so the consequences of a breach are often much higher than in traditional IT systems.

Importance of Securing Industrial Control Systems

President Barack Obama:

Speech at the National Cybersecurity andCommunications Integration Center Jan 13, 2015:

"It's one of the most serious economic and national security challenges we face as a nation. Foreign governments, criminals, and hackers probe America's computer networks every single day."

Source: https://www.whitehouse.gov/the-press-office/2015/01/13/remarks-president-national-cybersecurity-communications-integration-cent

In January of 2015 at the National Cybersecurity and Communications Integration Center, President Barack Obama said cyber is "one of the most serious economic and national security challenges we face as a nation. Foreign governments, criminals, and hackers probe America's computer networks every single day."

Obama also noted that "protecting the nation's critical infrastructure is essential to public health and safety" and "Neither government, nor the private sector can defend the nation alone. It's going to have to be a shared mission, government and industry working together."

In fact on January 29th, James Clapper, Director of National Intelligence, told midshipmen during a speech for the Naval Academy's Cyber Lecture Series that cyber has surpassed terrorism as the No. 1 threat facing our nation.

Importance of Securing Industrial Control Systems. NSA Director, Admiral Michael Rogers:

Testimony to House Select Intelligence Committee, Nov. 20, 2014:

"There shouldn't be any doubt in our minds that there are nation-states and groups out there that have the capability to enter industrial control systems and to shut down [and] forestall our ability to operate our basic infrastructure."

Source: https://www.nsa.gov/public_info/_files/speeches_testimonies/ADM.ROGERS.Hill.20.Nov.pdf

Michael Rogers is a United States Navy admiral who serves as Director of the National Security Agency and Commander of U.S. Cyber Command.

Rogers testified before the House Select Intelligence Committee in November of 2014, saying, "There shouldn't be any doubt in our minds that there are nation-states and groups out there that have the capability to enter industrial control systems and to shut down [and] forestall our ability to operate our basic infrastructure."

He went on to say, "All of that leads me to believe it is only a matter of when, and not if, we are going to see something dramatic [as a result]."

Mike Rogers (coincidentally a different Mike Rogers), former chairman of the House Intelligence Committee, said cyber attacks by nation states are a serious threat to U.S. business and that companies should not rely on the government to protect them. He also noted, importantly, that 85% of U.S. networks are private-sector networks, and "The (National Security Agency) is not permitted to be on your networks; it's against the law of the United States. The only way they catch an attack coming in is if they catch it overseas first, so every American with your own network, you're on your own."

Cyber-Physical Consequence

Source: https://www.schneier.com/blog/archives/2007/10/staged_attack_c.html

This slide contains video content without audio.

In an industrial control system, cyber attacks end in physical consequences. This video depicts a demonstration from March of 2007, when the U.S. Department of Homeland Security conducted an exercise codenamed 'Aurora'.

This exercise proved that researchers are able to cause a power generator to self-destruct remotely over a network: by rapidly opening and re-closing the generator's circuit breakers out of phase with the grid while it was running, they subjected the machine to mechanical stress it was never designed to survive.

This staged exercise resulted in changes to computer software and physical hardware to protect power generating equipment. The consequences of attacks of this type in power, water, or nuclear systems could include life-altering injuries or the death of an operator. Just imagine if this had been a crane under the control of a compromised system.

The consequences could include loss of life, hospitalization, loss of capital assets, damage to property, environmental damage, and even the cost of environmental cleanup if any environmental damage results from the attack.

Attacks of this type shine a light on the need to control who has remote access to a control system, but there are a lot of other things we can do to further protect an environment like this.

DHS Sectors

There are 16 different sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States, that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.

I work in the Critical Manufacturing Sector.

Companies that are categorized into critical manufacturing include Primary Metal, Machinery, Electrical Equipment, Appliance, as well as Transportation Equipment Manufacturing.

The company where I work is a primary metals manufacturer, and in turn we supply goods to other organizations both in and outside our own sector.

To understand this interconnectedness it is important to look at manufacturers from a supply chain perspective.

Supply Chain Consequences

(Slide diagram: Safety, Waste, Environment; Energy: Thermal, Electric, Pneumatic)

All manufacturing processes have dependencies on other processes and products. Each process creates business and economic opportunities for parties both up and down the supply stream from our process.

Each process has to be viewed as part of a supply chain to see the true impact of a disruption. The raw goods come not only from a supplier, but often from the supplier's supplier. For example, crude oil might be turned into plastic pellets, which in turn become a keyboard that might be built into a laptop. That laptop might be sent to a wholesaler and end up in a computer store.

The transportation system sector might be involved two or three times in that one example as these products change hands.

So when any process is interrupted as a result of a failure in industrial control systems, there is not just a local impact. Indirectly there is a cascading economic impact both up and down the supply chain. When calculating the potential economic impact of attacks on industrial control systems you must consider these costs along with the lost productivity of hundreds of staff members.


A word about manufacturing

To help you understand how industrial control systems are used in a company like ours, let's discuss manufacturing in very broad terms.

All manufacturing can be categorized as either discrete manufacturing or process manufacturing.

Industrial control systems are used in both discrete and process manufacturing to control motors and collect data using sensors, for example to measure gas and fluid distribution or energy consumption.

Industrial Controls in Manufacturing: Discrete Manufacturing
- Parts and sub-assemblies
- Measured in units
- Measured in whole numbers

Discrete manufacturing involves handling many parts to make a finished product and is often based on a bill of materials.

It involves creating and assembling many individual components or sub-assemblies and is often measured in whole units.

When you make a pen or a machine, for example, you make one or 1000; you don't make .95 or 995.2.

Industrial Controls in Manufacturing: Process Manufacturing

Process manufacturing involves formulas and is less exact in nature.

Formulas frequently involve a variety of units of measure, and often use fractional units.

You might, for example, use 2 gallons of this and 1 ounce of that but only a quarter ounce of something else.

When you make cheese, produce chemicals or blend pharmaceuticals, you don't always know going in whether you'll end up with 10,000 or 10,215 of something, and when you're done making your product, quality control is often used to answer questions about the properties of whatever you are making. This involves testing and measurements to find percentages, yields or the potencies of a product. Quality control in both process and discrete manufacturing results in a lot of testing and measurement that is often controlled with an industrial control system. Manufacturing will sometimes result in a byproduct. This could be a scrap component, or something later sold as animal feed, but these byproducts usually need to be controlled in a process too.

What discrete and process manufacturing share in common is a need to use instrumentation along the way, not only to produce the product, but also to ensure that whatever you are producing meets the goals and criteria for the process.

Often these processes involve a dizzying array of devices that all need to be managed. That is the function of an industrial control system.

What are Industrial Controls (ICS)

In any complex process we need to have a system that controls the process.

In a manufacturing plant you often find motors that move products up and down an assembly line. You need to cut things apart, heat things up and cool things down. You need to pick things up and put things down. When you heat things up you need to make sure they get hot enough and also ensure they don't overheat. When you cut things apart, you need to track the parts. A product ID for an element cut in two might turn into two product IDs once the element is cut.

All of these lower-level processes and devices require management, and that happens in a lot of different places throughout a process.

What are Industrial Controls (ICS)

What's in a name? ICS, PLC, SCADA

(Slide diagram: Level 4; Level 3; Levels 1 & 2)

An industrial control system, or ICS, is the generic term that describes any system managing an industrial process.

Because the integration of business systems and manufacturing systems is difficult and complex, standards have arisen to help model this complexity. One such standard is ISA-95, based on the 1990 Purdue reference model of control hierarchy.

At the bottom of the model is the foundation, and it includes level 1 and level 2.

Level 1 contains intelligent devices; it involves sensing and manipulating the physical processes and includes sensors, analyzers, actuators and related instrumentation. Switches and motors live here.

Level 2, also at the base of the model, contains control systems; these supervise, monitor and control the physical processes. It involves real-time controls and software; the human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) software live here.

Level 3, just up a level, contains manufacturing execution systems, or what we call MES systems. MES systems include production scheduling, batch management, and laboratory, maintenance and plant performance management systems.

Level 4 contains business logistics systems that manage the business-related activities of the manufacturing operation. ERP is the primary system, establishing the basic plant production schedule, material use, shipping and inventory levels. Sales and order entry all live here.

These systems are all combined to schedule, dispatch, track and analyze processes within a production facility. The boundary between level 3 and level 4 is where the control network meets the business network; NIST SP 800-82 recommends a DMZ at that boundary so that corporate hosts never connect directly to the control network.

Programmable Logic Controllers (PLC)

We don't need to know how to build a clock here, but it is worthwhile to introduce two components by name just so you know a little about what makes up a control system. A fundamental building block in industrial control systems is the PLC. PLCs, or Programmable Logic Controllers, are the backbone of manufacturing systems. In the late 60s General Motors used a complex system of relays, timers, and sequencers to control the manufacturing line. Any change in the line configuration required corresponding changes in a complex array of hundreds or thousands of devices, which was both time consuming and costly. A better way was needed.

The result was the PLC. The PLC is similar to a general-purpose computer, with inputs and outputs that are controlled by programming. In addition to monitoring inputs and controlling outputs, a PLC connects to sensors and converts sensor signals into digital signals.

Make no mistake, a PLC is a computer, maybe not general purpose, but very similar. These computers are real-time systems. Their outputs MUST produce a response to input conditions within a specific and limited time, or unpredictable results may occur.

These real-time systems require a real-time operating system, and just as we use Windows on a desktop computer, we use operating systems like OS-9 or VxWorks on a PLC. With the advent of the PLC, you can simply load a different program and obtain a different result, and thereby make changes to a product line without expensive retooling.

Prior to the discovery of Stuxnet, PLCs received very little thought in terms of security, but malware exists for PLCs no differently than it does for desktop computers. In the old days PLCs were not directly connected to a network; they were never on the network, but today, to gain productivity and for convenience, they are commonly attached to networks. Doing so allows specially trained staff to connect to them and make changes without driving all the way into an office or flying out to a plant to troubleshoot a problem. There are many great reasons to connect devices like PLCs to a network, but that is not without risk.

SCADA

Lastly, let's talk about SCADA systems, because like PLCs this term will come up a lot in any discussion about control systems. In fact a PLC is one component of a SCADA system. SCADA means Supervisory Control and Data Acquisition, and SCADA systems are used frequently to monitor power distribution, water distribution and even heating and air conditioning. SCADA is often deployed in remote locations or across very large geographic areas, or possibly multiple facilities.

Remember the PLC? While the PLC connects to sensors in the process, converting sensor signals to digital signals, the SCADA system connects to the PLCs along with devices called HMIs, human-machine interfaces, the apparatus or device which presents processed data to a human operator. It is through this view that the human operator monitors and interacts with the process. Think of the HMI as a specialized type of monitor in a SCADA system that graphically represents a process to the operator.

In this example the SCADA system reads a measured flow and level and sends setpoints to the PLCs.

PLC 1 compares the measured flow to the setpoint, and controls the pump speed as required to match the flow to the setpoint.

PLC 2 compares the measured level to the setpoint, and controls the flow through the valve to match the level to the setpoint.

IT Systems and Control Systems

I call this slide "when traditional IT and control systems collide", because there is an increasing dependency on control systems and, because of business demands, a push to leverage the economic benefits and the convenience of the Internet. Over time control systems were connected to insecure external networks. When we first started connecting control systems to networks the industry didn't give much thought to it, really. It happened a little bit here and there over time.

We use technologies today that we know have threats. It's commonplace, really. Do you ever use Adobe Acrobat or Java? Sure you do. There have been hundreds of vulnerabilities published for these products in the past year. Of course we do.

And these systems have a significant amount of documentation that used to come in the form of printed manuals. Today vendors ship these manuals as PDF files; manuals don't come in the box anymore, and technicians often view these documents on the same systems that are used to control the process. Another threat vector comes from the considerable amount of documentation distributed on the web, if not by the manufacturer then certainly by third parties, and this information can now be studied without the need to make large investments in the systems to be attacked.

We see vulnerabilities not only specific to ICS but also an alarming number of vulnerabilities in traditional tools like Java, Flash and Adobe products that support control systems.

Many ICS processes are continuous in nature; think about the nature of an assembly line. Unexpected outages at one point are unacceptable because they can disrupt hundreds of people from working downstream in a process. For this reason outages must be planned and scheduled months in advance and executed only after significant testing (maybe as a planned 10-day outage every 18 months, for example). A typical IT strategy like rebooting a PC is not only unacceptable, but it can be dangerous. (Discuss how ICS could contribute to safety.)

As we see, the impact of cyber intrusion on any organization with industrial controls may be great.

Availability, Integrity, Confidentiality

In traditional IT environments we learn that information security is what we do to protect the confidentiality, integrity and availability of a process. This is beaten into any self-respecting cybersecurity analyst. In cyber security you often encounter a diagram like this one; they call it the C-I-A triad, and it represents this focus on Confidentiality, Integrity and Availability.

In control systems, because of the unique impact downtime can have on a process, the typical CIA triad is re-ordered. You can probably guess that this is referred to as A-I-C (availability, integrity, confidentiality). Availability has to come first. Since it is assumed that these systems are isolated, confidentiality has a long history of coming last.

When we combine what are traditional IT systems with industrial control systems our risk is amplified. We know that in the past these systems were very isolated and could be acted upon only by trained operators within reach, but with the advent of IP-based networks the environment may be controlled by an intruder that doesn't even know what they are attached to. Uninformed and unintentional manipulation of a process can have devastating consequences.

Another problem that compounds the security problems in these systems is that as-built control systems are likely to have been around a very long time; some can date back 30 years or more. While the equipment replacement cycle for IT is 3 to 5 years, the equipment replacement cycle for control systems can be 10, 20, as much as 30 years. Patching these systems has to be performed during costly outages and requires significant testing. Often those who are testing may not understand the need for specific changes in the software and as a result will lobby against them because, hey, it's working. In industry, keeping something that works working is the primary job of many who support the process. Security may be viewed as just another distraction, but that security could be the change that lets someone go home to their family after a shift.

The requirements for availability in these systems may exceed five 9s (99.999% uptime). Services must be running 24 hours per day, 7 days per week, 365 days per year because jobs depend on it.

Attack methods in IT and ICS

This is the basic lifecycle of an attack: the attack chain. Viewed another way it becomes the kill chain for those attacks. If we can disrupt an attack early in the chain of events, maybe we can prevent something bad from happening later on.

Attacks often begin with research. Research may consist of online or offline information gathering that results in the attacker choosing a definitive target. This research often involves social engineering or sending what looks like spam to a target. This can be used to obtain browser headers that reveal quite a lot: what operating system you use, what browser, what versions of the OS or browser, etc.

This helps to target devices specifically with known vulnerabilities. It helps to know this stuff before you start an attack.

After discovering as much information as possible, the next step in an attack is to exploit any vulnerability discovered in a system. Once a system on the target network is compromised, modifying that system to facilitate persistent access is required. This access will need to survive system reboots and other activities that would normally force disconnection. A compromised system may only allow limited access, so an attacker will continue to exploit vulnerabilities to get the highest possible privileges on the compromised system. To avoid detection and reduce the number of artifacts that could lead to discovery, the attacker will remove as much of the attack evidence as possible.

This brings us to the centerpiece of the attack life cycle. Depending on the system, the data can be compromised, or services can be corrupted. If the attack is against an ICS, data could be related to operational profiles of field devices or business-sensitive information, i.e., production rates and formulas.

Information theft is certainly not the worst thing that could happen in an industrial environment. Small variations in the process can be injected or malicious setpoints can be set. Devices can be reprogrammed so that when you press a button marked "up" a device will move down, exactly the opposite of what one might expect, but not all the time; randomly, just enough so it might appear to be an accident.

What can we do to mitigate the attack? Some people look at this attack model as a kill chain because if you can stop a threat early in the process, you can protect yourself from damage later. In the first stages a little prevention goes a long way. An inventory of applications and hardware, and a little patching awareness, could protect against discovery of exploitable vulnerabilities. Unusual traffic patterns between servers that don't normally connect with one another can be a sign you have been exploited, but that is only useful if you know what devices your servers usually connect with. That takes some planning.

All of these attack actions create logs, so using tools that can monitor logs and recognize unusual traffic patterns, like downloads or uploads from devices you never expect to do these things, is one way to detect malware and stop it before your data gets out, but that requires that we know what normal looks like.
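The point that detection only works once you know what normal looks like can be made concrete with a small baseline tool. The following is an added example written for this page, not code from the talk or from any product: it learns which host pairs talk to each other during a baseline window and then flags observed flows that either involve a pair never seen before or carry far more data than that pair ever did. The flow records, addresses and ports are constructed for the example, and the 10x volume threshold is an arbitrary assumption.

```python
"""Added example (not from the talk): learn which host pairs normally talk, then flag
flows that break the pattern. Records, addresses and ports are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

# One record per line: timestamp, source, destination, destination port, bytes sent.
# Constructed baseline: the SCADA host 10.1.2.10 polls two PLCs over Modbus/TCP (502)
# and the historian 10.1.3.20 pulls from the SCADA host over SQL (1433).
BASELINE_LOG = """\
2016-02-01T08:00:01 10.1.2.10 10.1.1.5 502 120
2016-02-01T08:00:02 10.1.2.10 10.1.1.6 502 120
2016-02-01T08:00:03 10.1.3.20 10.1.2.10 1433 8000
2016-02-01T08:01:01 10.1.2.10 10.1.1.5 502 120
2016-02-01T08:01:02 10.1.2.10 10.1.1.6 502 120
2016-02-01T08:01:03 10.1.3.20 10.1.2.10 1433 8100
"""

# Constructed records from a later night shift, containing three things the baseline
# never showed: a new host polling a PLC, the SCADA host uploading to an outside
# address, and the historian pulling far more than it ever has.
OBSERVED_LOG = """\
2016-02-12T02:13:01 10.1.2.10 10.1.1.5 502 120
2016-02-12T02:13:05 10.1.2.11 10.1.1.5 502 64
2016-02-12T02:13:09 10.1.2.10 203.0.113.9 443 5200000
2016-02-12T02:13:10 10.1.3.20 10.1.2.10 1433 8000
2016-02-12T02:14:00 10.1.3.20 10.1.2.10 1433 900000
"""

Flow = Tuple[str, str, int]  # (source, destination, destination port)


def parse_flows(text: str) -> List[Tuple[str, Flow, int]]:
    """Turn the whitespace-separated records into (timestamp, flow, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((ts, (src, dst, int(dport)), int(nbytes)))
    return records


def build_baseline(text: str) -> Dict[Flow, int]:
    """Map every flow seen in the baseline window to its largest single transfer."""
    baseline: Dict[Flow, int] = defaultdict(int)
    for _, flow, nbytes in parse_flows(text):
        baseline[flow] = max(baseline[flow], nbytes)
    return dict(baseline)


def find_anomalies(baseline: Dict[Flow, int], text: str,
                   volume_factor: int = 10) -> List[str]:
    """Flag flows between hosts that never talked in the baseline, and known flows
    whose size exceeds volume_factor times the largest baseline transfer."""
    alerts = []
    for ts, flow, nbytes in parse_flows(text):
        src, dst, dport = flow
        if flow not in baseline:
            alerts.append(f"{ts} new pair {src}->{dst}:{dport} ({nbytes} bytes)")
        elif nbytes > volume_factor * baseline[flow]:
            alerts.append(f"{ts} volume {nbytes} bytes on {src}->{dst}:{dport} "
                          f"exceeds {volume_factor}x baseline of {baseline[flow]}")
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_LOG), OBSERVED_LOG):
        print(alert)
```

The baseline has to be collected during a window you trust, and in a plant the right window includes a maintenance outage, otherwise the engineering workstation's legitimate connections to the PLCs will show up as "new pairs" the first time they are used.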

Automating Vulnerability Discovery

In the past, research and discovery of systems to exploit, and understanding what vulnerabilities each system has, was a lot of hard work. Much of that work has already been done for today's attacker. Websites now exist that act as vulnerability search engines. What started as a pet project for John Matherly is now being billed as the first search engine for the Internet of Things.

These sites continually search for devices that are exposed and vulnerable, adding them to their database of search results.

Every vulnerable device is publicly searchable along with its address, open ports, known default passwords and vulnerabilities, so that anyone with enough interest can find and exploit a target in seconds. It took me only seconds to find devices made by the PLC manufacturer Rockwell directly connected to the Internet, and here is one of them.

The tool does not discriminate in its findings and has indeed become the "Dark Google" of the web. You can find things that you expect there, like garage door openers and DVRs, but you will also find industrial control systems, community traffic lights and even license plate recognition systems. People often connect devices to the Internet thinking that no one will be interested or know it's there, not considering that automated systems now exist that can connect curious folks and hard-core hackers to things we just don't expect them to find.

Identify

Identify:
- Asset management
- Stakeholder communities
- Controls
- Network interconnections
- Special protocols
- Perform risk assessments
- Strategies
- Indicators of compromise

The bad guys are using automated tools like Shodan to discover, and we can too.

In the event that a breach occurs you will need to know what systems can be affected, and who they can affect. You need to know who your stakeholders are and how you can connect with them.

Without proper asset management, how do you know what systems to include in a targeted response?

Knowing who your stakeholders are and how to contact them is a critical asset. Simple tools like phone lists, call trees and setting up a process to manage a hotline can be very valuable. It's all just pre-planning you hope you never need to use. Hmm. That's starting to sound like emergency management!

There are several control frameworks one can use to evaluate controls in an IT environment. The most widely accepted and adopted control framework is NIST Special Publication 800-53, or simply SP 800-53.

Tailoring your control framework around the specific needs of industrial control can be helpful. NIST has developed guidelines that go beyond the general IT controls outlined in NIST SP 800-53 and specifically address the needs of industrial controls. These are published in SP 800-82. For example, NIST SP 800-82 recommends implementing control SI-17, Fail-Safe Procedures, which SP 800-53 defines but does not allocate to any of its baselines. Mechanical and analog systems can be used to provide mechanisms to ensure systems fail safe, which could impact human safety, physical systems and the environment. These are not typical considerations for most IT systems, so they are often overlooked, and it is good to look at the special guidance found in 800-82.

Control systems often use specialized protocols for inter-processor communication, like PROFIBUS, EtherNet/IP and Modbus. Ensure someone on your team understands these protocols; these people are likely not in your IT team.

Lastly, performing targeted risk assessments that focus on industrial control will help to find opportunities to improve security around your industrial control systems.
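Understanding a protocol like Modbus is what makes the "malicious setpoint" scenario from the attack lifecycle and the flow/level setpoints in the SCADA example detectable on the wire. The block below is an added example written for this page, not code from the talk, from ICS-CERT or from any vendor: it builds and decodes Modbus/TCP requests and then applies three checks that an ICS-aware monitor would make, namely whether the frame is well formed, whether a write came from the one host allowed to send setpoints, and whether the written value is inside the engineering range for that register. The register map, the host addresses and the ranges are assumptions made for the example.

```python
"""Added example (not from the talk): decode Modbus/TCP requests and flag setpoint
writes that do not fit the expected SCADA-to-PLC pattern. Register map, host
addresses and engineering limits are assumptions made for this example."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical holding-register map for the flow/level loops in the SCADA example:
# address -> (name, engineering minimum, engineering maximum).
REGISTERS = {
    0: ("flow_setpoint", 0, 1000),
    1: ("level_setpoint", 0, 500),
}

# Function codes that change PLC state versus those that only read it.
WRITE_FUNCS = {6: "Write Single Register", 16: "Write Multiple Registers"}
READ_FUNCS = {3: "Read Holding Registers"}

# Only the Level 2 SCADA host (assumed address) is expected to write setpoints.
AUTHORIZED_WRITERS = {"10.1.2.10"}


@dataclass
class Request:
    transaction_id: int
    unit_id: int
    function: int
    address: int                                  # first register addressed
    count: int                                    # registers read or written
    values: List[int] = field(default_factory=list)  # written values; empty for a read


def build_request(tid: int, unit: int, function: int, address: int,
                  values: Optional[List[int]] = None, count: int = 1) -> bytes:
    """Build a Modbus/TCP ADU: the 7-byte MBAP header followed by the PDU."""
    values = values or []
    if function == 3:
        pdu = struct.pack(">BHH", function, address, count)
    elif function == 6:
        pdu = struct.pack(">BHH", function, address, values[0])
    elif function == 16:
        pdu = struct.pack(">BHHB", function, address, len(values), 2 * len(values))
        pdu += b"".join(struct.pack(">H", v) for v in values)
    else:
        raise ValueError(f"unsupported function code {function}")
    # MBAP: transaction id, protocol id (0 for Modbus), length of unit id + PDU, unit id.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_request(frame: bytes) -> Request:
    """Parse an ADU, raising ValueError on anything malformed rather than guessing."""
    if len(frame) < 12:
        raise ValueError("frame too short for an MBAP header and a request PDU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match the frame size")
    pdu = frame[7:]
    function = pdu[0]
    if function == 3:
        address, count = struct.unpack(">HH", pdu[1:5])
        return Request(tid, unit, function, address, count)
    if function == 6:
        address, value = struct.unpack(">HH", pdu[1:5])
        return Request(tid, unit, function, address, 1, [value])
    if function == 16:
        if len(pdu) < 6:
            raise ValueError("truncated Write Multiple Registers request")
        address, count, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * count or len(pdu) != 6 + nbytes:
            raise ValueError("register count and byte count disagree")
        return Request(tid, unit, function, address, count,
                       list(struct.unpack(f">{count}H", pdu[6:])))
    raise ValueError(f"unsupported function code {function}")


def check_request(src_ip: str, frame: bytes) -> List[str]:
    """Return alerts for one request; an empty list means it fits the expected pattern."""
    try:
        req = parse_request(frame)
    except (ValueError, struct.error) as err:
        return [f"malformed frame from {src_ip}: {err}"]
    if req.function in READ_FUNCS:
        return []  # reads are expected from HMI and historian hosts alike
    alerts = []
    if src_ip not in AUTHORIZED_WRITERS:
        alerts.append(f"unauthorized write: {src_ip} sent {WRITE_FUNCS[req.function]}")
    for offset, value in enumerate(req.values):
        reg = REGISTERS.get(req.address + offset)
        if reg is None:
            alerts.append(f"write to unmapped register {req.address + offset}")
            continue
        name, lo, hi = reg
        if not lo <= value <= hi:
            alerts.append(f"{name}={value} is outside the engineering range {lo}..{hi}")
    return alerts


# Constructed traffic: a normal setpoint write, a multi-register write with one absurd
# value, a write from a host that should only read, and a routine read.
SAMPLE_TRAFFIC = [
    ("10.1.2.10", build_request(1, 1, 6, 0, [450])),
    ("10.1.2.10", build_request(2, 1, 16, 0, [450, 9000])),
    ("10.1.99.7", build_request(3, 1, 6, 1, [250])),
    ("10.1.3.20", build_request(4, 1, 3, 0, count=2)),
]

if __name__ == "__main__":
    for src, frame in SAMPLE_TRAFFIC:
        print(src, frame.hex(), check_request(src, frame) or "ok")
```

The engineering-range check is the one that catches the "small variations" case only if the ranges are tight; a value that is wrong but plausible will pass, which is why the source-host check and the baseline of who normally writes matter as much as the decode itself.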

ICS-CERT CyberSecurity Evaluation Tool - CSET

This slide contains video content with audio

ICS-CERT maintains a little-known but powerful tool called the Cyber Security Evaluation Tool (CSET). If you are interested in cybersecurity it is likely you would benefit from CSET.

CSET Features
- Wizard approach to setting security assurance levels
- Flexible standards
- Network diagrams
- Extensive resource library
- Reporting

CSET offers a wizard-based approach to setting security assurance levels, flexible standards, network diagramming tools, an extensive resource library good for anyone interested in cyber, and custom reporting tools.

CSET Features: Assurance Level

One of the fundamental decisions you must make when performing an evaluation is to select a security assurance level. Sometimes you know, based on a standard, what level you need to conform to, but others may not have a clue where to start in determining what assurance level is best.

CSET offers several ways to make this decision.

Setting an assurance level in CSET:
- Manually set Low, Moderate, High or Very High for each of confidentiality, integrity and availability.
- Question-based: answer YES or NO questions, using FIPS and NIST standards as guidance.
- Consequence-based: a series of sliders indicate the number of people or dollars affected for each category.

An assurance level set to Low will result in questions later that are less demanding than would result from a Moderate, High or Very High assurance level.

CSET Features Standards

26

CSET is just as flexible in the presentation of standards as it is in selecting an assurance level.A quick start mode is available that selects questions that apply to most organizations, but if you want to or need to customize the control set you are using you can.

The question mode and the requirements mode both present you with a series of compliance standards to choose from. These can be standards you choose to adopt, such as NIST SP 800-53, or sector-based standards appropriate for the Chemical, Energy, Nuclear and other sectors.

Lastly, if you would like to adopt the latest NIST Cybersecurity Framework, you can select the Cybersecurity Framework mode, which is organized around the five functions of the framework: Identify, Protect, Detect, Respond and Recover.


CSET FeaturesNetwork Diagrams


Understanding the layout of your network is important, and I have some slides on that coming up.

CSET includes a drawing tool that is valuable in several ways. First, it provides a place to graphically capture a picture of the control system or information technology (IT) network. Second, it incorporates simple network analysis features to identify areas of vulnerability and recommendations for protection. Third, it is used to create the foundation for the question set that is incorporated into the overall assessment and analysis.

You can:
- Build the diagram from scratch using the drawing tools and the available objects and shapes.
- Import a pre-built template from the list of templates provided with the tool.
- Import a diagram file from another CSET user, including diagrams from previous releases.
- Import a diagram file created or modified in Microsoft Visio.
- Export a diagram to Microsoft Visio for modification.
- Import a diagram file from GRASSMARLIN.

CSET FeaturesAnalysis


The analysis screen provides you with a way to measure your security posture against the selected standards. It uses charts to provide a visual display of your data and at the same time allows for comparisons across categories, questions and subject areas. The analysis screen also lets you drill down on specific data from a given chart for more information.

The charts presented are fixed and depend on your evaluation mode. Selecting the Cybersecurity Framework evaluation mode will result in a different set of charts than the question or requirements modes.


CSET Features - Reports


After you have finished developing the network diagram and answering both the standards questions and the component questions, you can review the results either with the online analysis capabilities or by creating and reviewing hardcopy reports.

The intent of the reporting functionality is to provide you with a way to print and publish assessment information, including summary charts and lists. It also gives you a hardcopy of the results to use in meetings, for communication to management, and as a way to assign tasks to technical staff. Combined with the online analysis, these reports can help you understand clearly where weaknesses are and where improvements should be made.

- Several basic report templates are available.
- You can export the reports in both PDF and DOCX format.
- They probably cannot be used as-is unless the evaluation is just for you; they won't be C-level ready, but they are quite good and valuable reports.

The Executive Summary Report is designed for an executive level audience. The intent is to provide limited graphical and high level, summary information that can be understood quickly. This report is limited to around five or six pages and does not include any detailed information beyond listing the top categories and areas of concern.

Selecting the Site Summary option produces the Site Summary Report. Its intended audience is the technical manager or supervisor responsible for directing the implementation of the recommendations. It includes everything in the Executive Summary Report plus additional charts at a more detailed level; it is still mostly summary information presented as a variety of charts, but at a finer level than the executive report provides.


Protective controls

- Access controls and physical access
- Awareness and training
- Maintenance
- Network segmentation
- Attachment filters


There is a lot that can be done in this area.

Ensure your HMI is not connected to the Internet. Minimize your exposure: control system devices should never connect directly to the Internet.

Ensure systems are patched, especially systems that run HTTP, FTP, mail and DNS services. In particular, ensure affected Windows systems have the Sandworm patch installed (MS14-060).

Verify what your HMI is logging. If a set point was changed, would you know when, from where and by whom?

Enable attachment filters that capture, block or quarantine emails with .xls attachments. You need something that will, at the very least, inspect them for known malware.

If feasible, use Group Policy to disable macros in Microsoft Office documents, with notification.

Run AV where you can and ensure AV signatures are kept updated.

Ensure you are blocking port 6789 in external zones.

Disable AutoPlay, change default passwords and make sure you have not used weak passwords.

The latest version of BlackEnergy includes a weak-password list and will try to log in to systems with passwords like 123456, admin and password, so be sure anything like this has been changed.
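The set-point question above (when, from where, by whom) is easiest to answer when something other than the HMI sees the traffic. As an added example, not code from the presentation or from ICS-CERT, here is a small passive monitor for Modbus/TCP: it parses each frame's MBAP header and function code, records only write requests (the function codes that change controller state) with time, source, destination, unit and register address, and flags writes that did not originate from the control subnet. The sample frames, the IP addresses and the 10.20.30.0/24 control subnet are constructed for the example.

```python
"""Passive Modbus/TCP write monitor (added example; sample data is constructed)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change controller state. Reads and diagnostics
# are ignored by this monitor. Codes are from the Modbus application spec.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusWrite:
    timestamp: str
    src_ip: str
    dst_ip: str
    unit_id: int
    function: str
    address: int
    value: Optional[int]  # decoded only for single-coil / single-register writes


def parse_modbus_tcp(payload: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split one Modbus/TCP request into (unit id, function code, data).

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, counts every byte after the length field), unit id (1).
    Anything that fails these checks is not Modbus/TCP or is truncated.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def write_from_frame(ts: str, src: str, dst: str, payload: bytes) -> Optional[ModbusWrite]:
    """Return a ModbusWrite record if the frame is a write request, else None."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return None
    unit, fc, data = parsed
    if fc not in WRITE_FUNCTIONS or len(data) < 2:
        return None
    address = struct.unpack(">H", data[:2])[0]
    value = None
    if fc in (0x05, 0x06) and len(data) >= 4:
        value = struct.unpack(">H", data[2:4])[0]
    return ModbusWrite(ts, src, dst, unit, WRITE_FUNCTIONS[fc], address, value)


def audit_writes(frames) -> List[ModbusWrite]:
    """frames: iterable of (timestamp, src_ip, dst_ip, tcp_payload) tuples."""
    return [w for w in (write_from_frame(*f) for f in frames) if w is not None]


def out_of_zone_writes(writes: List[ModbusWrite], control_prefix: str) -> List[ModbusWrite]:
    """Writes whose source lies outside the control subnet (hypothetical 10.20.30.0/24)."""
    return [w for w in writes if not w.src_ip.startswith(control_prefix)]


def to_log_line(w: ModbusWrite) -> str:
    """One line per write, suitable for forwarding to a log server outside the control zone."""
    val = "" if w.value is None else f" value={w.value}"
    return f"{w.timestamp} modbus-write src={w.src_ip} dst={w.dst_ip} unit={w.unit_id} fn=\"{w.function}\" addr={w.address}{val}"


# Constructed sample traffic (not a real capture). Hex is MBAP header + PDU.
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers (FC 03): a read, never logged.
    ("2016-02-12T08:00:01", "10.20.30.5", "10.20.30.10", bytes.fromhex("00010000000601030000000a")),
    # HMI writes register 16 := 500 (FC 06): a set-point change from inside the control zone.
    ("2016-02-12T08:00:05", "10.20.30.5", "10.20.30.10", bytes.fromhex("0002000000060106001001f4")),
    # Engineering station energizes coil 3 (FC 05, 0xFF00 = ON).
    ("2016-02-12T08:01:10", "10.20.30.7", "10.20.30.10", bytes.fromhex("00030000000601050003ff00")),
    # Corporate-zone host writes two registers starting at 32 (FC 16): out of zone.
    ("2016-02-12T08:02:44", "10.1.5.44", "10.20.30.10", bytes.fromhex("00040000000b0110002000020400010002")),
    # Something that is not Modbus at all on the same port: ignored.
    ("2016-02-12T08:03:00", "10.1.5.44", "10.20.30.10", b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    writes = audit_writes(SAMPLE_FRAMES)
    for w in writes:
        print(to_log_line(w))
    for w in out_of_zone_writes(writes, "10.20.30."):
        print("ALERT: write from outside the control zone:", to_log_line(w))
```

Feed it the TCP payloads of port 502 traffic from a SPAN port or tap. A write that originates in the corporate zone is exactly the event an HMI that logs nothing would never show you; ship the log lines to a collector outside the control zone so they survive a rebuild of the affected systems.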

Network Architecture

Source: https://ics-cert.us-cert.gov/Secure-Architecture-Design

Now that we are connecting the open architecture of traditional IT systems to industrial control systems, we need to protect the control systems from threats that can migrate into control system domains. These threats include viruses, worms, escalation of privilege through code manipulation, network reconnaissance, covert traffic analysis, and unauthorized intrusions through or around perimeter defenses.

One great strategy for protecting these systems is to implement a strong network architecture. Combined with procedures and a good patching program, it becomes part of an overall defense-in-depth approach.

To create a layered defense, a clear understanding of how all the technology fits together and where all the interconnectivity resides is essential.

Dividing a common control system architecture into zones helps create clear boundaries, resulting in multiple layers of defense.

Knowing where to place routers, firewalls, switches and other tools can have a substantial effect on the security of industrial controls.

In a layered network design, critical communications and services are contained in their own reliable layer, isolated from other forms of communication.

ICS-CERT has a great page dedicated to secure architecture that is worth reviewing, and the Department of Homeland Security published a document in October 2009 titled Recommended Practices: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies that does a deep dive into this subject.

All that said, proper configuration of firewalls and routers demands skilled administrators with considerable understanding of network protocols and computer security. Small mistakes can render a firewall worthless as a security tool.


Network Architecture - Zoning


The following five zones segment the architecture by function:

External Zone is the area of connectivity to the Internet and of communication with peers and remote facilities. It is the point of connectivity that is usually considered untrusted. For industrial control systems, the External Zone has the lowest priority and the widest variety of risks.

Corporate Zone is the area of connectivity for corporate communications. E-mail servers, DNS servers and IT business system infrastructure components are typical resources in this zone. A wide variety of risks exist here because of the number of systems and the connectivity to the External Zone. However, because of the maturity of the security posture and the redundancy of systems, the Corporate Zone can be considered a lower priority than the zones below, but a much higher priority than the External Zone.

Manufacturing/Data Zone is the area of connectivity where the vast majority of monitoring and control takes place. It is a critical area for continuity and management of a control network. Operational support and engineering management devices are located in this zone, alongside special servers called data historians that log process data and events. The Manufacturing Zone is central to the operation of both the end devices and the business requirements of the Corporate Zone, and its priority is considered high. Risks arise from direct connectivity to the External Zone and the Corporate Zone.

Control Zone is the area of connectivity to devices such as Programmable Logic Controllers (PLCs), HMIs, and basic input/output devices such as actuators and sensors. The priority of this zone is very high, as this is where the functions of the devices affect the physical end devices. In a modern control network these devices support TCP/IP and other common protocols.

Safety Zone usually has the highest priority, because these devices can automatically control the safety state of an end device (for example, Safety Instrumented Systems). Typically the risk in this zone is lower, as these devices are connected only to the end devices, but recently many of them have started to offer TCP/IP connectivity for remote monitoring and redundancy support.

Network Architecture - Fail

Source: https://ics-cert.us-cert.gov/Secure-Architecture-Design

Because architectural decisions and changes can have unintended consequences, ICS-CERT provides examples of common network architecture design errors, like this back door opened up through a wireless access point.
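The zoning model above and the access-point back door just described share one rule: traffic should only cross into the neighbouring zone, and any flow that jumps over a zone bypasses the boundary controls that zone was supposed to enforce. As an added example, not code from the presentation, ICS-CERT or CSET, here is a checker that maps addresses to the five zones by longest prefix match and reports every observed flow that skips a zone. The address plan and the sample flows are hypothetical; a host on an unplanned subnet (the rogue access point) deliberately falls through to the External zone.

```python
"""Five-zone flow checker (added example; address plan and flows are hypothetical)."""
import ipaddress
from typing import Dict, List, Tuple

# The five zones from the ICS-CERT model, least trusted first. A flow may only
# cross one boundary: index distance > 1 means a zone was bypassed.
ZONE_ORDER = ["External", "Corporate", "Manufacturing", "Control", "Safety"]

# Assumed address plan. Longest prefix wins, so the Control and Safety /24s
# live inside the Manufacturing /16 without being mistaken for it, and anything
# not in the plan (e.g. a rogue AP on 192.168.1.0/24) is treated as External.
ZONE_SUBNETS: Dict[str, str] = {
    "0.0.0.0/0": "External",
    "10.1.0.0/16": "Corporate",
    "10.20.0.0/16": "Manufacturing",
    "10.20.30.0/24": "Control",
    "10.20.40.0/24": "Safety",
}


def zone_of(ip: str, subnets: Dict[str, str] = ZONE_SUBNETS) -> str:
    """Zone of an address by longest-prefix match over the plan."""
    addr = ipaddress.ip_address(ip)
    best_net, best_zone = None, "External"
    for cidr, zone in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


def check_flow(src: str, dst: str) -> Tuple[bool, str]:
    """(ok, explanation). ok is False when the flow skips at least one zone."""
    s, d = zone_of(src), zone_of(dst)
    si, di = ZONE_ORDER.index(s), ZONE_ORDER.index(d)
    if abs(si - di) <= 1:
        return True, f"{s} -> {d}"
    skipped = ZONE_ORDER[min(si, di) + 1:max(si, di)]
    return False, f"{s} -> {d} bypasses {', '.join(skipped)}"


def audit_flows(flows) -> List[Tuple[str, str, str]]:
    """flows: iterable of (src_ip, dst_ip). Returns the violations with a reason."""
    violations = []
    for src, dst in flows:
        ok, why = check_flow(src, dst)
        if not ok:
            violations.append((src, dst, why))
    return violations


# Constructed sample flows (e.g. from firewall logs or a NetFlow export).
SAMPLE_FLOWS = [
    ("10.1.5.44", "10.20.5.1"),      # corporate client -> historian: adjacent, fine
    ("10.20.5.1", "10.20.30.9"),     # historian -> PLC: adjacent, fine
    ("10.20.30.5", "10.20.30.9"),    # HMI -> PLC inside the Control zone: fine
    ("10.20.30.9", "10.20.40.2"),    # PLC -> safety system: adjacent, fine
    ("192.168.1.20", "10.20.30.9"),  # rogue access point -> PLC: the back door
    ("10.1.5.44", "10.20.30.9"),     # corporate client -> PLC directly: bypasses Manufacturing
    ("10.20.5.1", "10.20.40.2"),     # historian -> safety system: bypasses Control
]

if __name__ == "__main__":
    for src, dst, why in audit_flows(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}: {why}")
```

Run it over a day of firewall or flow logs after you have written the zone plan down; the plan itself is the deliverable, and every violation is either a missing firewall rule or a device that was plugged in where it should not have been.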


Percentage of Events Mitigated by Strategy in 2014 and 2015, Based on ICS-CERT Investigations

Source: https://ics-cert.us-cert.gov/Seven-Steps-Effectively-Defend-Industrial-Control-Systems

Defend

ICS-CERT investigated 245 incidents in 2014 and 295 incidents in 2015. Based on these investigations, this is the list of seven strategies that work, with the percentage of events each strategy would have mitigated.

ICS-CERT recently responded to an incident where the victim had to rebuild the network from scratch at great expense. A particular piece of malware compromised over 80 percent of its assets. Antivirus software was ineffective; the malware had a 0 percent detection rate on VirusTotal.

Application whitelisting would have provided notification and blocked the malware from executing.

Adversaries target unpatched systems the way burglars target unlocked cars at the mall: unpatched systems, like unlocked doors, are low-hanging fruit for bad actors.

A configuration and patch management program centered on the safe importation and implementation of trusted patches will help ensure systems cannot be exploited even if they can be reached.

These two strategies alone could thwart over 60% of the threats to industrial control systems.
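Why whitelisting stops malware that no antivirus signature recognises comes down to the direction of the default: AV permits everything it has not seen, allowlisting denies everything it has not seen. As an added example, not ICS-CERT code and not any product's implementation, here is the core decision in its simplest hash-based form: a snapshot of known-good executables is taken from a clean system, and at execution time a binary runs only if its path is in the snapshot and its current SHA-256 still matches. The file names and contents are constructed in a temporary directory for the example.

```python
"""Hash-based application allowlisting, default deny (added example; files are constructed)."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not land in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths: Iterable[str]) -> Dict[str, str]:
    """Snapshot of known-good executables (path -> SHA-256), taken from a clean build."""
    return {p: sha256_of(p) for p in paths}


def execution_decision(path: str, allowlist: Dict[str, str]) -> str:
    """Default deny. Returns 'allow', 'deny-unknown' (never seen) or 'deny-modified'
    (known path whose content changed since the snapshot, e.g. a trojanized binary)."""
    if path not in allowlist:
        return "deny-unknown"
    if sha256_of(path) != allowlist[path]:
        return "deny-modified"
    return "allow"


def demo() -> Dict[str, str]:
    """Builds a throwaway 'host' in a temp dir and returns the three decisions."""
    with tempfile.TemporaryDirectory() as root:
        hmi = os.path.join(root, "hmi.exe")
        with open(hmi, "wb") as f:
            f.write(b"MZ known-good HMI build 4.2")  # constructed stand-in for a real binary
        allowlist = build_allowlist([hmi])

        # A freshly dropped binary: it does not matter that no AV engine detects it,
        # because nothing ever put it on the allowlist.
        dropper = os.path.join(root, "svchost32.exe")
        with open(dropper, "wb") as f:
            f.write(b"MZ brand new, 0/57 on VirusTotal")

        results = {
            "hmi": execution_decision(hmi, allowlist),
            "dropper": execution_decision(dropper, allowlist),
        }

        # The attacker overwrites the trusted HMI binary in place: same path, new hash.
        with open(hmi, "wb") as f:
            f.write(b"MZ backdoored HMI")
        results["trojanized_hmi"] = execution_decision(hmi, allowlist)
        return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Real products add signer-based rules and a management channel for updates, but the property that mattered in the ICS-CERT case is the one shown here: a control system has a small, stable set of executables, so a snapshot is practical, and anything outside it never runs, whatever VirusTotal says.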

Response Planning
- Identify internal stakeholders
- Determine what to do and when
- Restore the ICS safely and quickly (without destroying evidence)
- Preserve and review logs and other forensic data
- Identify the root cause
- Document lessons learned


Response Realities
- Incident response procedures don't neatly map to the ICS/SCADA environment
- Not all ICS organizations fall under regulations that require IR planning for ICS
- Life-and-limb safety trumps the need to patch

Source: http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-control-system-networks/d/d-id/1324094

Chris Sistrunk, senior ICS security consultant for Mandiant/FireEye, notes: "Responding to an attack on an industrial control system (ICS) comes with challenges the pure IT environment typically does not face, and some of the standard IR steps just don't translate to a power plant or manufacturing plant."

Industrial sites under NERC CIP (the North American Electric Reliability Corporation's Critical Infrastructure Protection standards) and the Chemical Facility Anti-Terrorism Standards (CFATS) have IR plans, but most commercial facilities do not share these requirements and do not plan for IR in ICS.

Uptime and availability are king in the ICS/SCADA space, as is physical (life and limb) safety. Operators of those networks rarely apply vendor patches for security bugs: if a patch could disturb an existing system configuration, or require any downtime or disruption, it is not likely to be installed. In fact, if a critical system has a virus that has not actually affected the system, they may not do anything about it, at least not right away.

A programmable logic controller (PLC) cannot be re-imaged the way a laptop can. An industrial control system typically does not collect event logs the way a conventional computer does, and if it does, the logs may not feed a centralized system like Splunk. Some devices simply have no syslog or other logging. If you do have logs, it is important to capture them and, if possible, capture them to a separate system. A data historian or process historian, often used for process data, may not collect the forensic data about the system that you will need to investigate an attack. Identify what you have and what you need to preserve before the time comes that you need to preserve it.

Recover

Know who to call
- Mandiant
- ICS-CERT Operations Center: [email protected]
- https://ics-cert.us-cert.gov


Why should I report to ICS-CERT?

Reporting is completely voluntary when working with ICS-CERT; however, your information is extremely useful for understanding the threat landscape, including the techniques adversaries are using, types of malware, the possible intent of campaigns, and the sectors targeted. Reporting to ICS-CERT allows for the correlation of incident activity and has led to the discovery of campaigns aimed at certain sectors or groups.

Moreover, the reports are anonymized, and the analytically relevant data, such as attacker IP addresses, command and control domains, malware, time stamps, email addresses and header information, and other data, are shared with the rest of the critical infrastructure community to alert them to malicious activity. Prompt and detailed reporting can lead to early detection and prevent incidents against the nation's critical infrastructure.

ICS-CERT's policy is to keep confidential any reported information specific to your organization or activity. Organizations can also leverage the Protected Critical Infrastructure Information (PCII) program to further protect and safeguard their information. If assistance is needed in responding to the incident, ICS-CERT can provide analytic support (malware, hard-drive and log file analysis), detailed remediation recommendations, and on-site support in responding to a cyber incident. Your information will always be protected, up to and including the use of PCII when appropriate.

Training Opportunities
- ICS-CERT Virtual Learning Portal: courses on common ICS components, risk, trends, threats, vulnerabilities, impacts and attack methodologies, 12 courses in all.
- SANS

The ICS-CERT VLP courses cover operational security and ten other ICS-specific topics.

In addition to these courses, ICS-CERT offers many recommended-practice documents.

SANS covers the identification of, response to, and analysis of threats in SANS ICS515.


Networking
- InfraGard
- American Society for Industrial Security
- National Cybersecurity Partnership
- HSIN
- Professional relationships
- LinkedIn Groups: Industrial Control System Cyber Security (ICS-CS)
- Local organizations

American Society for Industrial Security: in Alabama they are combining their meetings with the InfraGard meetings.

National Cybersecurity Partnership is a sister organization to InfraGard. Currently there is only a chapter in Virginia, but it is one to watch.

The Homeland Security Information Network (HSIN) is the trusted network for homeland security mission operations to share Sensitive But Unclassified information. Federal, state, local, territorial, tribal, international and private-sector homeland security partners use HSIN to manage operations, analyze data, send alerts and notices, and in general share the information they need to do their jobs. HSIN access is based on nomination and acceptance into one or more Communities of Interest (COIs). If you are not currently a HSIN user, send an email to [email protected] to request access, including your first and last name, a valid email address, the requested COI and the reason for access. The application will be reviewed by the sponsoring organization of the requested COI.


Questions
Eric Andresen
https://www.linkedin.com/in/andresen1206
