— ABB LIMITED Securing industrial systems in a digital world Ben Dickinson, Cyber Security Consultant, ABB [email protected]
Jul 26, 2020
—
• A quick introduction to Cyber Security
• Cyber challenges and pain points
• Common vulnerabilities
• Key components of a Cyber Security Management System (CSMS)
Introduction
September 18, 2018 Slide 2
—
Cyber Security
Definition
“Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.”
Guiding Principles
Reality: There is no such thing as being 100% secure.
Process: Cyber Security is not a destination but a moving target. It is a process, not a product.
Balance: Cyber Security is about finding the right balance. It impacts usability and increases costs.
—
There are no magic solutions; security maturity takes time
3 Cyber Pillars:
– People, Process and Technology: each must be leveraged to protect digital systems
People
– People are critical in preventing and protecting against cyber threats.
– Organizations need competent people to implement and sustain cyber security technology and processes.
Process
– Policies and Procedures are key for an organization’s effective security strategy.
– Processes should adapt to changes as cyber threats evolve.
Technology
– Technology is important in preventing and mitigating cyber risks.
– Technology needs people, process and procedures to mitigate risks.
Must engage and educate people, develop and deploy processes, and design and deliver protected technology
—
Pain points
Increased ICS Cyber Threats: STUXNET, BLACKENERGY, HAVEX, CRASHOVERRIDE, TRISIS, WannaCry.
Few people understand how to protect our control systems: We need more experts in both Operational Technology and Cyber Security.
IT/OT convergence: CISOs require OT systems to follow corporate security standards for patching, anti-virus and monitoring.
Desire to extend the life span: Industrial control systems are running on EoL software with known vulnerabilities. Operators are looking for ways to extend their life.
Current challenges and changes
Workforce focusing on high-value tasks: Organizations are scaling back on dedicated headcount; limited resources need to focus on higher-value activities, so operators are looking for ways to automate sustaining secure systems.
Distributed assets difficult to secure: Assets are becoming more intelligent and distributed; the attack surface is expanding, making it difficult to protect with traditional approaches.
Compliance with industry standards: HSE compliance example.
Lack of situational awareness tools: ICS asset owners have no visibility into the security posture and status. Monitoring cyber security across operational assets is difficult to implement.
Cost: Minimize vs. Optimize
Performance: Exceed vs. Meet or beat
Risk: Avoid vs. Manage
—
– Internet connected OT devices
– Dual homed machines
– Web and Email access from control systems
• 90%+ of successful attacks start with a phishing email
– Default passwords and configurations
– Insecure protocol use
– Poor password management
– Lack of physical security
– Lack of intrusion detection capability
Common Vulnerabilities
Potential Impact
• Shut down fuel system
• Cause a fuel leak
• Change fuel prices
• Circumvent payment terminal to steal money
• Steal driver details
• Gain access to wider network
—
Through Operational Guidance 86, The Health and Safety Executive now calls upon duty holders to:
“Manage the risk of potential safety impacts arising from a breakdown in cyber security.”
Loss of Confidential Information
Loss of Production
Invasion into Privacy
Loss of control in “High Hazard” facilities which could result in a catastrophic incident.
Prevention and mitigation of accidents is the responsibility of the duty holder; this is typically the owner or operator of the Industrial Automation and Control System (IACS).
HSE Requirements
—
TRITON / TRISIS - Schneider Triconex SIS
– First cyber attack to specifically target human life
– Operators first notified when system went down
– Shutdown was not intended
– They could have simply uploaded flawed code to shut down the system
– Made several attempts to deliver functioning code to cause serious damage
– Researchers have tracked the actor in other systems
– Cyber Security best practices would likely have prevented this attack.
– Available online: https://github.com/ICSrepo/TRISIS-TRITON-HATMAN
—
A Process for Management of Cyber Security on IACS
– This process can be integrated into other site safety management systems
Summary
Identify – Protect – Detect – Respond – Recover
Identify: Know where to fix. Identifying what needs to be protected.
Protect: Know how & what to fix. Implement solutions for protection.
Detect: Ability to detect. Monitor the system and detect breaches and vulnerabilities.
Respond: Ability to help. Respond to an incident if compromised.
Recover: Ability to restore. Backup and recovery.
—
Identify your Assets
Cyber Asset Management
– Identify all your assets, zones and conduits.
– Identify vulnerable assets, insecure device configurations
– Identify suspicious devices
– Automatically generate reports related to asset inventory
Key deliverables: Simple Network Diagram, Asset Register.
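As an added example (not ABB's tooling and not part of the slides), the following Python compares a discovered device inventory against an approved asset register and reports the three things this slide asks for: suspicious (unregistered) devices, insecure device configurations, and devices seen outside their registered zone, including the dual-homed machines listed under common vulnerabilities. All device names, MACs, addresses and ports are constructed; the INSECURE_SERVICES table and the default_creds flag are assumptions about what a discovery tool would supply.

```python
"""Asset register audit: constructed example, not ABB code."""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Services whose presence on a control-network device is itself a finding (assumed list).
INSECURE_SERVICES = {21: "ftp", 23: "telnet", 80: "http (unencrypted web UI)"}


@dataclass
class Device:
    name: str
    mac: str
    zone: str                       # registered zone, or zone the scanner observed it in
    interfaces: list                # "ip/prefix" strings, one per interface
    open_ports: set = field(default_factory=set)
    default_creds: bool = False     # assumed to come from a separate credential check


@dataclass
class Finding:
    device: str
    category: str
    detail: str


# Constructed approved register (what the asset management process says should exist).
APPROVED_REGISTER = [
    Device("PLC-01", "aa:bb:cc:00:00:01", "Control", ["10.10.1.10/24"], {502}),
    Device("HMI-01", "aa:bb:cc:00:00:02", "Control", ["10.10.1.20/24"], {502}),
    Device("HIST-01", "aa:bb:cc:00:00:03", "DMZ", ["10.10.2.30/24"], {1433}),
]

# Constructed discovery result (what a passive scan actually saw).
DISCOVERED_INVENTORY = [
    Device("PLC-01", "aa:bb:cc:00:00:01", "Control", ["10.10.1.10/24"], {502, 80}, default_creds=True),
    Device("HMI-01", "aa:bb:cc:00:00:02", "Control", ["10.10.1.20/24", "10.10.2.21/24"], {502}),
    Device("HIST-01", "aa:bb:cc:00:00:03", "Control", ["10.10.2.30/24"], {1433}),
    Device("unknown-laptop", "aa:bb:cc:00:00:99", "Control", ["10.10.1.77/24"], {445}),
]


def is_dual_homed(dev: Device) -> bool:
    """A device with interfaces on more than one IP network bridges zones."""
    networks = {ipaddress.ip_interface(i).network for i in dev.interfaces}
    return len(networks) > 1


def audit(approved: list, discovered: list) -> list:
    """Return one Finding per problem; MAC is the identity key."""
    registered = {d.mac.lower(): d for d in approved}
    findings = []
    for dev in discovered:
        base = registered.get(dev.mac.lower())
        if base is None:
            findings.append(Finding(dev.name, "unregistered", f"MAC {dev.mac} not in asset register"))
        elif base.zone != dev.zone:
            findings.append(Finding(dev.name, "zone-mismatch",
                                    f"observed in {dev.zone}, registered in {base.zone}"))
        if is_dual_homed(dev):
            findings.append(Finding(dev.name, "dual-homed", "interfaces: " + ", ".join(dev.interfaces)))
        for port in sorted(dev.open_ports):
            if port in INSECURE_SERVICES:
                findings.append(Finding(dev.name, "insecure-service",
                                        f"{INSECURE_SERVICES[port]} on tcp/{port}"))
        if dev.default_creds:
            findings.append(Finding(dev.name, "default-credentials", "factory credentials still accepted"))
    return findings


def report(findings: list) -> dict:
    """Summary counts by category, the basis of an automatically generated inventory report."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = audit(APPROVED_REGISTER, DISCOVERED_INVENTORY)
    for f in results:
        print(f"{f.device:15} {f.category:20} {f.detail}")
    print(report(results))
```

The register is keyed on MAC rather than on IP or hostname so that a device that has moved segments or been re-addressed still matches its registered entry and shows up as a zone mismatch rather than as a brand-new asset.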
—
Identify your Vulnerabilities
Vulnerability Management
Do you have a good understanding of what vulnerabilities are in your system?
Sources of information on your vulnerabilities:
– Penetration Testing
– Vendor Website
– Journal Publications
– National Vulnerability Database (NVD)
– ExploitDB
– ICS-CERT
—
Identify your Threats
Threat Intelligence
Helps you answer some important questions:
– Who is targeting…
• Your employees
• Your equipment
• Your organisation
• Your market sector
– What tactics and methods do they use
– What weaknesses they are exploiting
Sources: Surface Web, Deep Web, Dark Web
—
Identify your Risks
Cyber Security Risk Assessments
– Describe the devices covered by the assessment
– Describe the threats (Phishing, Ransomware, Disgruntled Employee)
– Classify and prioritise the risk
– Make decisions on security controls
Inputs to the Risk Assessment: Asset Management, Vulnerability Management, Threat Intelligence.
Risk matrix legend: L = Likelihood, C = Consequence, R = Overall Risk
—
Implement Security Controls
Use the Risk Assessment to identify which security controls require implementing:
– Policies & Procedures
– Physical Security
– Device Hardening
– Malware protection management
– Patch Management
– Backups and Recovery Management
– User and Access Management
– Network Security Management
– Cyber Security Training
—
Detect any intrusions
System Security Management
– Collect your data
• Syslogs
• Firewall Logs
• Netflow data
– How to detect malicious activity
• Threat Intelligence
• Anomaly detection
Do you have the ability to detect?
61% of oil and gas organizations believe it’s unlikely or highly unlikely that they would be able to detect a sophisticated attack.*
* https://www.ey.com/Publication/vwLUAssets/EY-oil-and-gas-cybersecurity-time-for-a-seismic-shift/$FILE/EY-oil-and-gas-cybersecurity-time-for-a-seismic-shift.pdf
—
Detect any intrusions
System Security Management
– Example MODBUS command
01 05 00 00 FF 00 8C 3A
01 – Modbus Address
05 – Function Code
00 00 – Register Address
FF 00 – Set high
8C 3A – Checksum
Pattern of life analysis
01 05 00 00 FF 00 8C 3A    19 Sep 2018, 02:04:00
Username: JoeBloggs    ProcessName: example.dll
MaintenanceScheduled: Yes/No
When? Unusual time?
Who? What user, application or process?
Context? Any maintenance activity scheduled?
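As an added example that is not from the slides or from ABB, the following Python decodes the frame shown above (Modbus RTU, address 01, function 05 Write Single Coil, CRC-16/MODBUS transmitted low byte first) and then applies the three pattern-of-life questions (when, who, context) to the event fields the slide shows. The working-hours window and the approved process list (hmi_runtime.exe) are assumptions; the timestamp, username and process name are the constructed values on the slide.

```python
"""Modbus RTU decode plus pattern-of-life checks: added example, not ABB code."""
from datetime import datetime, time

# Frame reproduced from the slide.
SLIDE_FRAME = bytes.fromhex("01 05 00 00 FF 00 8C 3A")

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x03: "Read Holding Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}
# Functions that change process state; these are the ones worth contextual scrutiny.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def parse_rtu_frame(frame: bytes) -> dict:
    """Validate the CRC and decode unit id, function code and (for 0x05) coil address/value."""
    if len(frame) < 4:
        raise ValueError("frame too short for address, function and CRC")
    body, trailer = frame[:-2], frame[-2:]
    received = trailer[0] | (trailer[1] << 8)   # CRC goes on the wire low byte first
    expected = crc16_modbus(body)
    if received != expected:
        raise ValueError(f"CRC mismatch: got {received:04X}, expected {expected:04X}")
    func = body[1]
    decoded = {"unit_id": body[0], "function_code": func,
               "function": FUNCTION_NAMES.get(func, "other/unknown")}
    if func == 0x05:
        address = int.from_bytes(body[2:4], "big")
        value = int.from_bytes(body[4:6], "big")
        if value not in (0xFF00, 0x0000):          # only these two values are legal for a coil
            raise ValueError(f"illegal coil value {value:04X}")
        decoded.update(address=address, value="ON" if value == 0xFF00 else "OFF")
    return decoded


def assess_event(frame: bytes, timestamp: datetime, username: str, process_name: str,
                 maintenance_scheduled: bool,
                 working_hours=(time(7, 0), time(19, 0)),          # assumed site hours
                 approved_processes=frozenset({"hmi_runtime.exe"})):  # assumed allow-list
    """Answer the slide's When / Who / Context questions for one write command."""
    decoded = parse_rtu_frame(frame)
    reasons = []
    if decoded["function_code"] in WRITE_FUNCTIONS:
        start, end = working_hours
        if not start <= timestamp.time() <= end:                      # When?
            reasons.append(f"write at {timestamp:%H:%M} is outside working hours")
        if process_name.lower() not in approved_processes:            # Who?
            reasons.append(f"write issued by unrecognised process {process_name}")
        if not maintenance_scheduled:                                 # Context?
            reasons.append(f"no maintenance scheduled for user {username}")
    return {"decoded": decoded, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    event = assess_event(SLIDE_FRAME, datetime(2018, 9, 19, 2, 4, 0),
                         "JoeBloggs", "example.dll", maintenance_scheduled=False)
    print(event["decoded"])
    for reason in event["reasons"]:
        print("-", reason)
```

The same coil write is benign at 10:00 from the HMI runtime during a scheduled maintenance window and suspicious at 02:04 from an unknown DLL with nothing scheduled; the bytes on the wire are identical in both cases, which is why the detection has to come from context rather than from the protocol alone.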
—
Incident Response and Recovery
Things to consider:
– Roles and Responsibilities
– Incident Response plan
– Communications with media, customers, law enforcement, government and vendors
– Post incident forensics
– Exercising your plan
– Recovery and restoration
6% of Oil & Gas companies have a robust incident response program and regularly conduct table-top exercises.*
* https://www.ey.com/Publication/vwLUAssets/ey-oil-and-gas-information-security-survye-2016-17/$FILE/ey-oil-and-gas-information-security-survye-2016-17.pdf