Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade Activities During...

Date post: 21-May-2015
Upload: jim-gilsinn
Description:
Presented @ Emerson Exchange October 7, 2014. Industrial control systems (ICS) are large information technology (IT) systems. Unlike office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact on the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ICS turnaround work, using cyber-vulnerability assessment to focus turnaround work on only what is necessary.
Transcript
Page 1: Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade Activities During Turnaround

Using a CVA to Optimize ICS Upgrade Activities During a Turnaround

Jim Gilsinn, Kenexis Security

Page 2

Presenter

Jim Gilsinn
– Senior Investigator, Kenexis Security
– Current Co-Chair, ISA99 Committee (ISA/IEC 62443)
– Current Co-Chair, ISA99 WG2 Security Program
– 23 years engineering, 13 years ICS cyber security experience
– MSEE specializing in control theory

Page 3

Overview

The Situation
Understanding Threats to ICS
The ICS-CVA Process
Using an ICS-CVA for Planning
Summary

Page 4

THE SITUATION

Page 5

The Challenge

Security Researcher: You have 438 Critical Vulnerabilities!

Security Researcher: I could take control of your PLC from the Internet and do …!

Plant Manager: So what? I’m not connected to the Internet.

Security Researcher: I can write a worm that will make the PLC overspeed the turbine and put it into surge!

Plant Manager: Good luck! There is a machine protection system separate from the PLC.

Security Researcher: Well… fine. You need to patch all these vulnerabilities!

Plant Manager: My next scheduled shutdown is in 330 days.

Plant Manager: Is this important enough to warrant a shutdown?

Page 6

The Challenge (cont’d)

Security Researcher: Of course!

Plant Manager: Why? I don’t process credit cards. I don’t run public websites.

Security Researcher: I can take control of the boiler and blow it up!

Plant Manager: So you set the PLC to over pressure the boiler?

Security Researcher: Yes!!!

Plant Manager: There are relief valves.

Plant Manager: Have a nice day…

Page 7

The Cyber Security Threat

2014 Data Breach Incident Report shows a 3x increase over 2013

Over 256 incidents to OT networks in 2013 reported to ICS-CERT
– Voluntarily reported by ICS owner/operators
– Most go undetected or unreported

Most major vendors have known vulnerabilities reported to ICS-CERT

Page 8

Customer Concerns

Fragile OT networks often caused by comm. problems
– Unexplained process stoppages
– Slow HMI updates

At-risk or insecure OT networks
– Discrepancies between business and process support systems (e.g. MES, ERP, LIMS, Historians)
– Unauthorized remote connections to OT networks
– Unauthorized changes to PLC’s, DCS, or other systems
– Viruses or malware from OT networks reported by IT staff

Communication errors & network problems risk:
– Production uptime
– Threaten process safety
– Open the OT network to cyber security threats

Page 9

ICS Network & Security Failures

Intermittent Failures
– Corrected by logic conditions in the system
– Minimal to no process interruption

Nuisance Trips
– Corrected by logic conditions and fail safes
– Minor process interruptions

Unplanned outages
– Handled by maintenance personnel & layers of protection
– Sustained process interruptions & failures

Dangerous failures
– Kinetic and safety impacts
– Handled by emergency personnel & layers of protection
– Extended process interruptions & failures

Page 10

Risk Management for Plant Managers: 3 Easy Steps

What is it?
Is it real?
What do I do about it?

Safety Risks Require Action… If you cannot qualify the risk AND give a solution, you are wasting their time

Page 11

UNDERSTANDING THREATS TO ICS

Page 12

Device Vulnerabilities: The Reality

Many think, “8:01am – Cyber Attack, 8:03am – Plant Goes Boom!”

Compromising an individual ICS is of limited value
Significant failures require compromise & disabling of multiple components
True exploits are not needed for most parts of the process
A combination of factors is required to move from nuisance trips to more significant failures
– Cyber security knowledge
– Process knowledge
– ICS knowledge

Page 13

Attack Modes for ICS

Loss of View (LoV)
Manipulation of View (MoV)
Denial of Control (DoC)
Manipulation of Control (MoC)
Loss of Control (LoC)

Model each part of the process in terms of how an attacker would bypass protective systems

Page 14

Turbine Overspeed Scenario: Process Flow Diagram

Electrical Power Generation with Steam Turbine

Page 15

Turbine Overspeed Scenario: Simplified Turbine Model

[Diagram: Steam Turbine for Power Generation, showing the Safety Valve, Disconnect Switch and Speed Transmitter]

Page 16

Turbine Overspeed Scenario: Creating the Turbine Overspeed

Disable the overspeed trip system
– Option 1 – “Force” the output of safety valve
– Option 2 – Freeze the value of the speed transmitter

Disconnect the load from generator
– Option 1 – Command generator disconnect switch to open position
– Option 2 – Open multiple disconnect switches at power distributors or consumers
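A defender's counterpart to the "freeze the speed transmitter" step above is a stale-signal check: a healthy transmitter shows small jitter, so a bit-identical speed reading held for many samples while generator load is clearly moving is worth an alarm. This is an added example, not code from the presentation; the sample rate, tolerances and the constructed speed/load series are assumptions, and a real plant would run this on a data path independent of the controller being protected.

```python
"""Flag a speed transmitter whose value stopped changing while the process did not."""


def frozen_windows(values, window, tolerance=0.0):
    """Start indices of every run of `window` consecutive samples whose
    spread (max - min) is within `tolerance`, i.e. a stuck-at signal."""
    hits = []
    for i in range(len(values) - window + 1):
        chunk = values[i:i + window]
        if max(chunk) - min(chunk) <= tolerance:
            hits.append(i)
    return hits


def stale_speed_alarm(speed_rpm, load_mw, window=10, speed_tol=0.05, load_tol=1.0):
    """Alarm indices where speed is frozen for `window` samples while generator
    load moved by more than `load_tol` MW over the same samples. A frozen speed
    with a flat load is left to the transmitter's own diagnostics; a frozen
    speed during a load swing is physically implausible and is flagged."""
    alarms = []
    for i in frozen_windows(speed_rpm, window, speed_tol):
        load_chunk = load_mw[i:i + window]
        if max(load_chunk) - min(load_chunk) > load_tol:
            alarms.append(i)
    return alarms


# Constructed sample, one value per sample: 12 samples of normal jitter around
# 3600 rpm, then the reading freezes at exactly 3600.0 while load falls away.
SPEED = [3600.0, 3600.2, 3599.9, 3600.1, 3599.8, 3600.0,
         3600.2, 3599.9, 3600.1, 3599.8, 3600.1, 3599.9] + [3600.0] * 18
LOAD = [50.0] * 12 + [50.0 - 2.0 * k for k in range(18)]

if __name__ == "__main__":
    first = stale_speed_alarm(SPEED, LOAD)
    print("stale speed alarm at samples:", first)
```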

Page 17

Turbine Overspeed Scenario: Attack Methodology

Part 1 – Conduct Surveillance
Part 2 – Map Systems
Part 3 – Infect & Compromise
Part 4 – Exfiltrate Information
Part 5 – Prepare Final Attack
Part 6 – Initiate Attack for Max Damage

Page 18

Potential Process Attack Points

Controller setpoints
I/O values
Controller commands
Alarm conditions
Safety interlocks
Interconnected or integrated SIS

Page 19

THE ICS-CVA PROCESS

Page 20

Requirements to Conduct an ICS-CVA

ICS-CVA = ICS Cyber Vulnerability Assessment

Regulatory
– Annual basis by NERC CIP, CFATS, etc.

Standards & Guidelines
– Periodic basis by ISA/IEC 62443 (ISA-99), NIST Cybersecurity Framework, AWWA, NERC, etc.

Page 21

Conducting an ICS-CVA

Understand the effect of different systems on OT networks
– Installed base of equipment
– Information/IT systems

Should be part of validation

Recommended to be performed:
– After initial implementation of ICS
– After major modifications to ICS
– Periodically

Specific requirements for ICS-CVA defined in regulations, standards, & guidelines

Page 22

The ICS-CVA Process

Documentation Collection & Review
– Network Architecture
– Piping, Instrumentation, and Engineering Diagrams
– Asset Inventory

Network Traffic Capture
– Capture traffic (via tcpdump, Wireshark, etc.) at managed switches via mirror port for a given time

Page 23

The ICS-CVA Process (cont’d)

Ping Sweep
– Identify live hosts (via nmap)
– Verify Asset Inventory
– Identify Unknown/Rogue Devices

Port Scan Per Device
– Detect open ports & services (via nmap)
– Identify operating system

Service Detection
– Grab banners from active services (via nmap or netcat)
– Verify validity of open ports
– Detect known vulnerable ports/services
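The "Verify Asset Inventory" and "Identify Unknown/Rogue Devices" steps of the ping sweep come down to reconciling two lists: what the site believes is installed and what actually answered on the wire. The following is an added example, not code from the presentation; the inventory and sweep output are constructed samples, and the sweep lines only mimic the `Host: ... Status: Up` lines of nmap's grepable (`-oG`) output.

```python
"""Reconcile an ICS asset inventory against a ping-sweep host list."""
import re

# Constructed asset inventory, in the spreadsheet form a site typically keeps.
INVENTORY_CSV = """\
ip,hostname,role
10.10.1.10,plc-turbine-01,PLC
10.10.1.11,plc-boiler-02,PLC
10.10.1.20,hmi-control-room,HMI
10.10.1.30,historian-01,Historian
"""

# Constructed sweep output in nmap grepable style: one "Host:" line per live host.
SWEEP_OUTPUT = """\
# Nmap ping sweep (constructed sample)
Host: 10.10.1.10 ()\tStatus: Up
Host: 10.10.1.11 ()\tStatus: Up
Host: 10.10.1.20 (hmi-control-room)\tStatus: Up
Host: 10.10.1.77 ()\tStatus: Up
"""

HOST_RE = re.compile(r"^Host:\s+(\d+\.\d+\.\d+\.\d+)\s+\(([^)]*)\)\s+Status:\s+Up")


def parse_inventory(text):
    """Map ip -> {hostname, role} from the header-first CSV above."""
    rows = [line.split(",") for line in text.strip().splitlines()[1:]]
    return {ip: {"hostname": name, "role": role} for ip, name, role in rows}


def parse_sweep(text):
    """Set of IPs reported 'Up' by the sweep; comment and other lines are ignored."""
    hosts = set()
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.add(m.group(1))
    return hosts


def reconcile(inventory, live_hosts):
    """Return (unknown, missing): live hosts absent from the inventory, which are
    rogue-device candidates, and inventoried hosts that did not answer, which
    may be offline, renumbered, or filtering ICMP and need a second look."""
    known = set(inventory)
    return sorted(live_hosts - known), sorted(known - live_hosts)


if __name__ == "__main__":
    unknown, missing = reconcile(parse_inventory(INVENTORY_CSV), parse_sweep(SWEEP_OUTPUT))
    print("unknown/rogue candidates:", unknown)
    print("inventoried but not seen:", missing)
```

Devices that legitimately block ICMP will show up in the "missing" list, so that list is a work queue for verification, not a fault list.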

Page 24

The ICS-CVA Process (cont’d)

Vulnerability Scanning
– Automated (via nessus, neXpose, etc.)
– Manual (via nmap, netcat, metasploit, etc.)
– Examination of vulnerability database (e.g. NIST, A/V vendors, proprietary, etc.)

Open-Source Intelligence Collection
– Determine information leakage (via Google, Shodan, Maltego, ARIN, Custom Code, etc.)
– Identify devices exposed to internet
– Identify leaks of proprietary information (.doc, .pdf, etc.)
– Determine ease of identifying devices

Page 25

The ICS-CVA Process (cont’d)

Process Vulnerability Analysis
– P&ID
– HAZOP for max damage/impact scenarios
– Zone and conduit & security level analysis
– Vulnerability analysis with emphasis on physical impacts
– Failure Modeling
– Attack Modeling

Page 26

USING AN ICS-CVA FOR PLANNING

Page 27

ICS-CVA Results & Recommendations

Network improvements
– Architecture, zones, upgraded infrastructure, layering, etc.

Cyber security improvements
– Patching, policies/procedures, firewalls, etc.

Device improvements
– Upgraded firmware & hardware

Facility siting & physical security
– Barriers to entry
– Access control

SIS in place of controllers
– Safety interlocks replaced by SIS

Page 28

Preparing for Turnaround

Conduct an ICS-CVA well before turnaround
– 6-9+ months prior depending on turnaround scope, magnitude, duration, etc.
– Allow for new designs, capital expenditures, personnel training, etc.

Stage equipment prior to turnaround
– Prepare equipment with necessary firmware upgrades, programs, etc.
– If possible, test equipment in lab prior to deployment

Page 29

SUMMARY

Page 30

Summary

Engineering problems require engineering solutions!

Vulnerability analysis & discovery is a useful exercise, but it stops at device impact

Qualifying the threat means that the process must be considered

ICS-CVA includes all of the above

ICS-CVA can be used as a planning tool for improvements

Page 31

Where To Get More Information

Jim Gilsinn
– Email: [email protected]
– Phone: +1-614-323-2254
– Twitter: @JimGilsinn
– LinkedIn: http://www.linkedin.com/in/jimgilsinn/
– SlideShare: http://www.slideshare.net/gilsinnj
– Website: http://www.kenexis.com

Page 32

Thank You for Attending!

Enjoy the rest of the conference.
