Slide 1
© 2012 Invensys. All Rights Reserved. The names, logos, and taglines identifying the products and services of Invensys are proprietary marks of Invensys or its subsidiaries. All third party trademarks and service marks are the proprietary marks of their respective owners.
WWHMI SCADA-12 Cyber Security Best Practices in the Industrial World
Chris J Smith
for Paul Forney, MCSE, CSSLP
Chief Technologist, R&D Security Team, Invensys Operations Management
Slide 3
Acknowledgements
• Pike Research – Monitoring and Securing SCADA Networks
• All the folks at McAfee (thanks for your help and support)
• The Invensys Critical Infrastructure & Security Practice Team
• Ernie Rakaczsky – Program Manager, Invensys Cyber-Security
• The Department of Homeland Security CSSP
Slide 4
Stealth Attacks Increasing
SLAMMER: Hacking For Fun
ZEUS: Organized Crime
AURORA: Government Sponsored Cyber Espionage
STUXNET: Physical Harm
• More than 1,200 new rootkits detected each day
• More than 2.1M unique rootkits detected
• More than 75M malware detected
• Number of reports of data breaches via hacking, malware, fraud, and insiders has more than doubled since 2009
– TDSS rootkit is used as a persistent backdoor to install other types
– SpyEye is hidden with a rootkit to steal banking credentials
– Stuxnet used a rootkit to hide an APT targeting government infrastructure
STAKES Are Rising Rapidly
Slide 6
Typical Network Architecture
An Attacker has three challenges
1. Gain access to the control system LAN
2. Through Discovery, gain understanding of the process
3. Gain control of the process
Slide 11
Reported ICS Vulnerabilities (chart; actual count: 215)
Slide 13
Community of Concern (diagram centred on the Control System Cyber Security Community)
Standards: NIST, NERC, IEC, AGA, API, ISA/ISCI, IEEE
Industry Sectors / Owner\Operators: Nuclear, Power, Gas, Electric, Water, Oil, Chemical
National Labs: SANDIA, ARGONNE, INL, PNNL, LLNL
Department of Homeland Security CSSP: ISAC, HSARPA, US-CERT, NCSD, TSWG, ICSJWG
Academia & Research: IFAC, SRI, I3P, EPRI, LOGIC2
Vendors: Security Consultants, Control Systems Engineering Firms, Security Technologies, Labs & Research
Slide 15
Dennis Brandl – “Three Pillars of Industrial Cyber Security”
A successful Cyber Security Program has 3 major areas of focus: People, Policy and Procedures, and Technology (pie chart segments of 65%, 20% and 15%).
Slide 16
Security Objectives
• Prevent unauthorized changes to values in a Controller, PLC, process or configuration
• Prevent misrepresentation of process values on the HMI
• Reduce possibility of a production slowdown due to ICS software
• Protect integrity of process and event information
• Prevent loss of genealogy information
• Provide availability of the system and safety for the plant personnel and surrounding environment
Slide 17
Special Restrictions for ICS Security Products*
• Do nothing that negatively impacts network latency
• Restrict SCADA traffic to known and expected message types
• Isolate the SCADA network from any other networks, including the enterprise
• Collect and analyze from multiple sources beyond only IT events
• Prioritize situational awareness to prevent cyber incidents
• Implement strong change management for all SCADA modifications
• Use security products that are simple to deploy and manage
• Involve SCADA operations personnel in all SCADA security decisions
*Pike Research – Monitoring and Securing SCADA Networks
Slide 20
What We Need to Protect
            Corporate IT                            SCADA                        Device Network
Data        Enterprise Apps                         SCADA, HMI                   Ladder Logic
Network     Ethernet, TCP/IP                        Ethernet, Serial             Ethernet, Serial, Relays
Endpoint    Modern Computers (Windows, Linux, Mac)  Legacy Computers (Windows)   Special Function (Embedded OS)
Slide 21
Multiple Zone Network (diagram)
Control Network Zone: PC Portal Interface, Control Node Bus, Application Workstation, Field I/O, I/O Interface, PLC, Control Station; protections: Anti-Virus, Intrusion Prevention, Controls
Control Network Firewall
Plant Network Zone: PC Workstation, File & Print Services, Wireless
Internet Firewall
Data Center Zone: Network Monitoring, Content Filtering, Anti-Virus, Remote Access Server, Monitoring, Web Usage Reporting, Wireless Security, Service Level Management, User Management, Server Management, Anti-SPAM, Intrusion Prevention
Perimeter Firewall
Internet Zone: Internet
Established Adaptation for over 8 years
Slide 23
Best Practices for Securing an ICS
• Maintain the latest Invensys-authorized Operating System (OS) and application patches. Test every patch to ensure deployment does not impact operations.
• Always use current anti-virus definitions. Verify that the update was successfully installed.
• Update authorized application software.
• Enable Network Anti-Virus / Intrusion Prevention System.
• Enable System policies on all capable network appliances.
Slide 24
Best Practices, USB Devices…
• Do not use a USB stick unless it has been scanned
• Designate and use specific USB equipment
• To bridge air-gaps, use a specific designated station
WITHOUT restriction on USB devices, their portable nature can be used to compromise your security perimeter!
Slide 25
Machine Hardening (typically no negative effects on the ICS)
Harden Servers and Workstations and Non-ICS assets:
• Ensure all software and hardware patches and updates are current.
• Run A/V scans.
• Disable all unused ports and services.
• Harden BIOS.
• Use static IP addresses; disable DHCP.
• Disable NetBIOS and NetBIOS over TCP/IP.
Slide 26
Best Practices, Cont….
Change default “admin” passwords.
Use strong passwords consisting of more than 6-8 characters using special characters when applicable.
Control User Rights.
Do not use accounts across domains.
Implement password aging, history, and complexity requirements.
Always implement Backup and Restore to a network repository.
Slide 27
More To Do’s!
• Inventory network assets and keep the inventory up to date.
• Run regular network audits.
• Use physical network isolation when possible.
• Use logical network segmentation (secure zones) when possible, with strict Firewall Rules.
• Isolate and control the flow of information between the Business Network(s) and the PCN through use of firewalls.
• Require strict firewall rules with specific (/32) source, destination, port, and protocol.
• Use DMZs.
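A small linter that checks a proposed rule set against the strict-rule practice described above (host-specific /32 source and destination, explicit port and protocol, a closing default deny), added here as an example and not Invensys code. The Rule fields and the sample rule set are assumptions made for illustration.

```python
"""Lint an ICS firewall rule set against the strict-rule practice.

Added example (not Invensys code). The Rule fields and SAMPLE_RULES are
assumptions; the checks encode the page's advice: /32 source and
destination, explicit port and protocol, and a default deny at the end.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    src: str      # CIDR, e.g. "10.1.0.25/32"
    dst: str      # CIDR
    proto: str    # "tcp", "udp", "icmp" or "any"
    port: str     # destination port, a range, or "any"
    action: str   # "allow" or "deny"


# Constructed sample: business-network-to-PCN rules with two sloppy entries
SAMPLE_RULES = [
    Rule("erp-to-historian", "10.1.0.25/32", "10.20.0.10/32", "tcp", "1433", "allow"),
    Rule("modbus-whole-subnet", "10.1.0.0/24", "10.20.0.0/24", "tcp", "502", "allow"),
    Rule("remote-anything", "0.0.0.0/0", "10.20.0.10/32", "any", "any", "allow"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", "any", "any", "deny"),
]


def lint_rule(rule: Rule) -> list[str]:
    """Return the policy violations of one rule; an empty list means it passes.

    Only allow rules are held to the strict standard: a deny may be as
    broad as it likes.
    """
    findings: list[str] = []
    if rule.action != "allow":
        return findings
    for label, cidr in (("source", rule.src), ("destination", rule.dst)):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen != net.max_prefixlen:
            findings.append(f"{label} {cidr} is not a single host (/{net.max_prefixlen})")
    if rule.proto == "any":
        findings.append("protocol is 'any'")
    if rule.proto != "icmp" and rule.port == "any":
        findings.append("destination port is 'any'")
    return findings


def lint_ruleset(rules: list[Rule]) -> dict[str, list[str]]:
    """Map each failing rule's name to its findings, in rule order."""
    return {r.name: f for r in rules if (f := lint_rule(r))}


def ends_with_default_deny(rules: list[Rule]) -> bool:
    """The last rule must deny everything so an unmatched packet never passes."""
    last = rules[-1]
    return (last.action == "deny"
            and ipaddress.ip_network(last.src).prefixlen == 0
            and ipaddress.ip_network(last.dst).prefixlen == 0)


if __name__ == "__main__":
    for name, findings in lint_ruleset(SAMPLE_RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
    print("default deny present:", ends_with_default_deny(SAMPLE_RULES))
```

Run against an export of the real rule base before a change window; every allow rule that shows up in the report is a candidate for tightening to a single host, protocol and port.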
Slide 28
Network Access
• Enable Firewall Logging and monitor it as appropriate.
• Implement an NMS (network management system) to provide system audit, logging and monitoring.
• Don’t click links or open files that haven’t been verified.
• ICS assets should not have internet access.
• Some ICS assets may need access to business network website interfaces, so verify all access leaving the ICS network to un-trusted networks.
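Detection logic for the last two points, run over a few constructed firewall log lines: every connection that originates inside the PCN is checked against a list of verified business-side interfaces, and anything else leaving the ICS network is flagged, with internet destinations called out separately. This is an added example, not Invensys code; the log format, the PCN address range and the allow list are assumptions.

```python
"""Flag ICS-originated connections leaving the PCN that are not on the
verified allow list.

Added example (not Invensys code). The log format, the PCN range and the
allow list are assumptions; the log lines are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Assumed: the process control network range and the verified business-side
# web interfaces ICS hosts are permitted to reach, as (address, port)
PCN = ipaddress.ip_network("10.20.0.0/16")
VERIFIED_EGRESS = {("10.1.0.50", 443)}

# Constructed lines in an assumed iptables-LOG style
SAMPLE_LOG = """\
Jan 12 09:01:02 pcn-fw kernel: PCN-OUT: SRC=10.20.1.15 DST=10.1.0.50 PROTO=TCP DPT=443
Jan 12 09:01:05 pcn-fw kernel: PCN-OUT: SRC=10.20.1.15 DST=93.184.216.34 PROTO=TCP DPT=80
Jan 12 09:01:09 pcn-fw kernel: PCN-OUT: SRC=10.20.1.22 DST=10.1.0.77 PROTO=TCP DPT=445
Jan 12 09:02:10 pcn-fw kernel: PCN-OUT: SRC=10.1.0.50 DST=10.20.1.15 PROTO=TCP DPT=502
Jan 12 09:02:11 pcn-fw kernel: link up
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def parse_line(line: str) -> dict | None:
    """Extract src, dst, proto, dpt from one line; None if it is not a flow record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dpt = m.groups()
    return {"src": src, "dst": dst, "proto": proto.lower(), "dpt": int(dpt)}


def classify(event: dict) -> str:
    """Verdict for one flow record."""
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    if src not in PCN:
        return "not-pcn-origin"        # inbound traffic is judged by other rules
    if (event["dst"], event["dpt"]) in VERIFIED_EGRESS:
        return "verified"
    if dst.is_global:
        return "internet-egress"       # ICS assets should have no internet access
    return "unverified-egress"         # business network, but not a verified interface


def findings(log_text: str) -> list[tuple[str, str, int, str]]:
    """Every PCN-originated flow that is not on the verified list."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict in ("internet-egress", "unverified-egress"):
            out.append((ev["src"], ev["dst"], ev["dpt"], verdict))
    return out


def summary(log_text: str) -> Counter:
    """Verdict counts, suitable for a daily report on the ICS boundary."""
    return Counter(classify(ev) for ev in map(parse_line, log_text.splitlines()) if ev)


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print("REVIEW:", f)
    print(summary(SAMPLE_LOG))
```

Feed the script from the firewall's syslog export on a schedule; the "internet-egress" verdict should stay at zero on a properly isolated control network, and any "unverified-egress" entry is either a missing allow-list entry or a connection nobody approved.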
Slide 29
In the event of a Cyber incident
Create an Incident Response Plan before an incident so that you are prepared. Steps that are typically part of incident response plans are:
§ Do get a triage team together.
§ Do get copies of all the logs.
§ Do make a VM image of the affected system.
§ Do not start updating anti-virus.
§ Do not start running anti-virus patches.
Work with the antivirus vendor and other agencies to collect the necessary forensics.
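A collector for the "get copies of all the logs" step, added here as an example and not Invensys code: each log is hashed before copying, the copy is checked against that hash, and a manifest records who collected what and when, so the copies can be re-verified before being handed to the vendor or an agency. The file names, log contents and manifest layout are constructed for illustration.

```python
"""Collect log copies for incident triage with a SHA-256 manifest, and
verify the copies later.

Added example (not Invensys code). File names and log contents are
constructed; the manifest layout is an assumption.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources: list[Path], evidence_dir: Path, collector: str) -> Path:
    """Copy each source into evidence_dir and record collector, time and hash.

    The hash is taken from the original before copying and compared with
    the copy, so a bad copy is caught at collection time.
    """
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sources:
        digest = sha256_of(src)
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)           # copy2 keeps the original timestamps
        if sha256_of(dest) != digest:
            raise RuntimeError(f"copy of {src} does not match original")
        entries.append({
            "source": str(src),
            "copy": dest.name,
            "sha256": digest,
            "size": src.stat().st_size,
            "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "collector": collector,
        })
    manifest = evidence_dir / "manifest.json"
    manifest.write_text(json.dumps(entries, indent=2))
    return manifest


def verify(manifest: Path) -> list[str]:
    """Names of evidence copies whose current hash no longer matches the manifest."""
    entries = json.loads(manifest.read_text())
    bad = []
    for e in entries:
        copy = manifest.parent / e["copy"]
        if not copy.exists() or sha256_of(copy) != e["sha256"]:
            bad.append(e["copy"])
    return bad


def demo() -> tuple[list[str], list[str]]:
    """Collect constructed logs, verify, then modify one copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        logs = []
        for name, body in (
            ("security.log", "2011-04-08 10:00:01 logon failure user=operator\n"),
            ("pcn-fw.log", "Apr 08 10:00:05 pcn-fw DROP SRC=10.20.1.15 DST=93.184.216.34\n"),
        ):
            p = live / name
            p.write_text(body)
            logs.append(p)
        manifest = collect(logs, Path(tmp) / "evidence", "triage-analyst-1")
        before = verify(manifest)
        (Path(tmp) / "evidence" / "pcn-fw.log").write_text("edited after collection\n")
        after = verify(manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the evidence and re-run verify whenever the copies change hands; a non-empty result means the copy is no longer the one that was taken.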
Slide 30
Vendor Responsibility - Secure By Design
Secure Software is responsible to provide:
Confidentiality: Protect against unauthorized information disclosure.
Integrity: Prevent unauthorized changes to data.
Availability: Provide the required services uninterrupted 24x7.
Authenticity: Determine identity of components and users in a reliable and consistent manner.
Authorization: Control access to various parts of the system based on the user or code’s credentials.
Non-repudiation: Establish audit trails through the system and establish evidence to track a system operation.
Slide 31
Security: Meeting Cyber Security Requirements
• As a supplier we are positioned to support cyber security requirements throughout the Life-Cycle from within our:
• Software Development Lifecycle – SDL, Testing, Certification, Source Code validation, etc.
• Project Execution – FAT/SAT Security Baseline, Possible Security features and function fully implemented and updated, etc.
• Life-Time Support – Patch Validation, Security updates, vulnerability mitigation, etc.
Slide 32
Project Ozone – Cyber Security Initiative
What is it:
• Assess existing vulnerabilities in solution offerings
• Enhance products, processes and tools from a security view
• Improve responsiveness to Cyber Security issues
Why is it Important:
• Increased awareness in the Industry to Cyber Security threats and their impact
• Impact on credibility and cost after Cyber Security attacks is severe
• Strategic Alignment for an enterprise connected platform
Success is Defined As:
• Real-time Indicators: SDL Process Violations (Reduced pre-release process violations per product); Security vulnerabilities per product (Reduction in reported vulnerabilities closed proactively, found pre-release)
• Primary Indicators: Security Defect Reports (Zero post release reports); Responsiveness to threats/issues (Response time less than 35 days)
Vision: To create and enhance processes, knowledge and an ingrained culture for building secure and robust solutions our Customers can trust.
Slide 33
Cyber Security Updates
Released Date: 4-8-2011
Notice Identification Number: LFSEC00000054
Security Vulnerability Description: Stack Based buffer overflow in the InBatch BatchField ActiveX Control
Detailed Information: A vulnerability (Stack overflow) has been discovered in the InBatch BatchField ActiveX Control. This control is installed as part of the InBatch Server and on all InBatch Runtime Clients, including when used embedded in InTouch® and any third party InBatch Client Programs (VB or C++). In addition, this control can be used in publishing InTouch graphics in Wonderware Information Server. (April 8, 2011 - LFSEC00000054)

Released Date: 2-18-2011
Notice Identification Number: LFSEC00000051
Security Vulnerability Description: Server lm_tcp buffer overflow
Detailed Information: A vulnerability has been discovered in InBatch Server and I/A Batch Server in all supported versions of Wonderware InBatch and Foxboro I/A Series Batch. This vulnerability, if exploited, could allow Denial of Service (DoS), the consequence of which is a crash of the InBatch Server. (February 18, 2011 - LFSEC00000051)

Released Date: 7-14-2010
Notice Identification Number: LFSEC00000037
Security Vulnerability Description: Wonderware ArchestrA ConfigurationAccessComponent ActiveX Stack Overflow
Detailed Information: A vulnerability has been discovered in a component used by the Wonderware ArchestrA IDE (Integrated Development Environment) and the InFusion IEE (Integrated Engineering Environment) and if exploited, could allow remote code execution. (July 14 2010 Security Update LFSEC00000037)
Slide 34
Project Execution Approach
People Training
Process Enhancements
SOP’s and Tools
Product Enhancements
Institutionalized Across Invensys Operations Management
Slide 35
Secure By Design
• Security Built in not Added On
• The Microsoft SDL is a software development policy for all products with meaningful business risk and/or access to sensitive data
• Key part of Invensys’ commitment to protect its customers
• Implementing the SDL reduces the Total Cost of Ownership (TCO) for Software Products
• Fewer security patch events required for our products
• Secure software is by nature Quality software
Slide 36
Threat Modeling Approach
A careful study of the design of an application to identify weaknesses and vulnerabilities includes 5 steps:
1. Identify security objectives
2. Create an application overview
3. Decompose the application
4. Identify threat vectors
5. Identify vulnerabilities
Slide 37
Defend Against S.T.R.I.D.E. Attacks
Spoofing Identity: Allows an attacker to pose as something or someone else
Tampering with Data: Involves malicious modification of data or code
Repudiation: Allows an attacker to perform actions that other parties can neither confirm nor contradict
Information Disclosure: Involves the exposure of information to individuals who are not supposed to have access to it
Denial of Service: DoS attacks deny or degrade service to valid users
Elevation of Privilege: Occurs when a user gains increased capability, often as an anonymous user taking advantage of a coding error to gain admin capability
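A worked pass through steps 3 and 4 of the threat modeling approach (decompose the application, identify threat vectors) using the S.T.R.I.D.E. categories above, added here as an example and not Invensys code. It encodes the STRIDE-per-element table from the Microsoft SDL threat modeling practice (which categories apply to external entities, processes, data stores and data flows) and applies it to a constructed operator/HMI/PLC/historian model; the element names and flows are assumptions for illustration.

```python
"""Decompose a small ICS application and enumerate STRIDE threats per element.

Added example (not Invensys code). The per-element table follows the
Microsoft SDL threat modeling practice; the HMI/PLC/historian model is
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing Identity",
    "T": "Tampering with Data",
    "R": "Repudiation",
    "I": "Information Disclosure",
    "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Which categories apply to which element type (STRIDE-per-element)
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",   # R applies where the store holds audit/log data
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str               # "external_entity", "process" or "data_store"


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    protocol: str
    crosses_trust_boundary: bool


# Constructed model: operator workstation, HMI, PLC, historian
ELEMENTS = [
    Element("Operator", "external_entity"),
    Element("HMI", "process"),
    Element("PLC", "process"),
    Element("Historian", "data_store"),
]
FLOWS = [
    Flow("Operator->HMI", "Operator", "HMI", "console", False),
    Flow("HMI->PLC", "HMI", "PLC", "Modbus/TCP", True),
    Flow("HMI->Historian", "HMI", "Historian", "SQL", True),
]


def validate(elements: list[Element], flows: list[Flow]) -> list[str]:
    """Decomposition sanity checks: flows name known elements, nothing is orphaned."""
    names = {e.name for e in elements}
    problems = [f"{f.name}: unknown endpoint" for f in flows
                if f.src not in names or f.dst not in names]
    touched = {f.src for f in flows} | {f.dst for f in flows}
    problems += [f"{n}: no data flows" for n in sorted(names - touched)]
    return problems


def enumerate_threats(elements: list[Element], flows: list[Flow]) -> list[dict]:
    """One record per (element, applicable STRIDE category).

    Flows that cross a trust boundary are marked high priority: that is
    where a spoofed or tampered message from the less trusted side lands.
    """
    threats = []
    for el in elements:
        for code in APPLICABLE[el.kind]:
            threats.append({"target": el.name, "kind": el.kind, "code": code,
                            "category": STRIDE[code], "priority": "normal"})
    for fl in flows:
        for code in APPLICABLE["data_flow"]:
            threats.append({"target": fl.name, "kind": "data_flow", "code": code,
                            "category": STRIDE[code],
                            "priority": "high" if fl.crosses_trust_boundary else "normal"})
    return threats


def by_priority(threats: list[dict], priority: str) -> list[dict]:
    return [t for t in threats if t["priority"] == priority]


if __name__ == "__main__":
    print("model problems:", validate(ELEMENTS, FLOWS) or "none")
    for t in by_priority(enumerate_threats(ELEMENTS, FLOWS), "high"):
        print(f"[{t['code']}] {t['target']}: {t['category']}")
```

Each record the enumerator emits is a question to answer in step 5 (identify vulnerabilities): for "[T] HMI->PLC", for instance, what stops a modified write command on the Modbus/TCP link from reaching the controller, which is exactly the first security objective on Slide 16.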
Slide 38
Our Solution
• Implement the Security Development Lifecycle for all new projects.
• Evaluate and model our most critical software for threats, strengthening with tools from the SDL.
• Institutionalize Across Invensys Operations Management R&D.
Legacy: Reduce “Technical Debt”
New Code: Stop incurring “Technical Debt”
Slide 39
Please Subscribe to Security Central!
https://wdn.wonderware.com/sites/WDN/Pages/Security%20Central/CyberSecurityUpdates.aspx
Slide 41
Conclusion
Secure systems start with design – hardware, software and application deployments alike.
The security journey must be a collaboration between people, processes and technology – there is no silver bullet!
There is no substitute for a practical security program that provides a long-term, self-perpetuating maturity model that can be ingrained into the culture of an organization to produce the foundation for secure and robust solutions we can trust.
“Within Invensys Operations Management R&D, our journey has begun for a more Secure Critical Infrastructure.”