Joe Weiss: Cyber Effects on Industrial Control Systems (ICS)

Post on 20-Jan-2017


JOE WEISS, PE, CISM, CRISC, ISA FELLOW

Cyber Effects on Industrial Control Systems (ICS)

What are the Issues with ICS Cyber Security?

• Protecting vs attacking
• Industrial control systems vs SCADA
• Electronic threats vs hacking

Applied Control Solutions Proprietary

ICSs – What are they

• ICSs are critical to operating industrial assets including power, refineries, pipelines, chemicals, manufacturing, water, military systems, medical systems, etc.
• ICSs include Distributed Control Systems (DCS), Supervisory Control and Data Acquisition (SCADA), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), Intelligent Electronic Devices (IEDs)
• ICSs monitor and control physical processes in real time

Focus is reliability and safety


Control Systems Basics

[Figure: control systems diagram; recoverable labels: Support Systems, ERP, MES, Data Warehouse, Internet]


ICS Security Expertise Lacking

[Figure labels: IT Security, ICS Security Experts, ICS Engineering]

What are ICS-Unique Threats

• Cyber-physical, not just the network
• ICS vendor engineering manuals are available online detailing most facets of the systems (e.g. command line functionality)
• Persistent Design Vulnerabilities as well as APT
• Control of the process not denial-of-service
• Gap in protection of the process, e.g., Aurora
• Compromise of the measurement, e.g., HART vulnerability
• Compromise design features of the controller, e.g., Stuxnet


Don’t need to be a Nation-State

• ICS exploits exist
• Metasploits available on the Internet
• SCADA exploit pack with 200 vulnerabilities including >90 zero days for <$10,000
• More vulnerabilities being discovered
• Don’t need to have malicious intent to cause damage


What is an ICS Cyber Incident

• Electronic communications between systems and/or people that impacts Confidentiality, Integrity, and/or Availability (CIA)
• Missing “S” - Safety
• Doesn’t have to be malicious or targeted
• Doesn’t need to be connected to the Internet


ICS Cyber Threats are Real

• >750 actual ICS cyber incidents (and counting)
• Impacts ranged from significant discharges to significant equipment damage to deaths
• Affects all industries
• Very few ICS-specific cyber security technologies, training, and policies
• >2,000,000 ICS devices directly connected to the Internet (and counting)


Summary of ICS Cyber Incidents

Category                        Count
Total                           >750
Malicious                       >250
Targeted                        >100 (of the 250+)
Loss of View/Loss of Control    >300
Injury/Deaths                   >50 (>1,000 deaths)
Equipment Damage                >100
Environmental Damage            >70
Operational Impact              >500
Financial Impact                >$30B

Consequences of ICS Cyber Incidents

• Blocked or delayed data flow has disrupted ICS operation
• Unauthorized changes to instructions, commands, or alarm thresholds have damaged, disabled, and shut down equipment and created environmental impacts
• Inaccurate information sent to system operators, either to disguise unauthorized changes or to cause the operators to initiate inappropriate actions, has had serious operational impacts
• Modification of ICS software or configuration settings, or ICS software infected with malware, has had serious operational impacts
• Interference with safety systems has led to equipment damage and environmental releases, and has killed people


Issues with ICS Cyber Forensics

• Technical issues
  • Cyber forensics exist at the Windows and IP level
  • May not always work
  • Minimal, if any, cyber forensics at non-IP level
  • Electric industry not even looking, as it is out-of-scope
  • Minimal training for Operations staff to identify cyber incidents
• Policy issues
  • Required to identify cyber incidents if you know they were cyber attacks
  • Reticence to identify incidents as being cyber-related
  • If you don’t know it was a cyber attack, don’t have to disclose


Summary

• Need Senior Management buy-in
• Need economic drivers: insurance, etc.
• Share information
• Develop ICS cyber security policies, procedures, and awareness
• Develop relevant ICS cyber forensics and training
• Develop ICS cyber resiliency and recovery programs
• Develop more robust ICSs
• Treat ICS cyber security as a reliability and safety issue
• Include IT, operations, equipment vendors, plant designers, telecom, incident responders, etc. as a team
• Be careful about IoT when it comes to safety


Contact Information

Joe Weiss

joe.weiss@realtimeacs.com

(408) 253-7934
