Control System Cyber Security: Understanding the Basics
Lehigh Valley ISA / Rumsey Electric, Bethlehem, PA, 9 November 2010
Sep 12, 2014
Copyright © 2010 - exida
• We help our clients improve the safety, security and availability of their automation systems
John A. Cusimano, CFSE
• Director of Security Solutions for exida
• President, Byres Research
• Executive Director, Security Incidents Organization
• ISA S99 committee (voting member)
• ISA Security Compliance Institute (voting member)
• Formerly with Moore Products / Siemens
– QUADLOG Product Manager
– Global Process Safety Business Development
– Process Automation Market Development Manager
• CFSE, Certified Functional Safety Expert

Meeting Agenda
• Intro to Control System Security
• ISA 99 Standard
• First Things First
• Case Study
• Summary
What is Control System Security?
• Prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems through the use of computers, networks, operating systems, applications and other programmable, configurable components of the system
• Goes by many names:
– SCADA Security
– PCN Security
– Industrial Automation and Control System Security
– Control System Cyber Security
– Industrial Network Security
– Electronic Security for Industrial Automation and Control Systems
Why is Control System Security Important?
• These systems control the services that we consider essential to our way of life: electricity, petroleum production, water, transportation, manufacturing and communications
• Recent events have demonstrated the vulnerability of these systems to cyber incidents
• The US and other governments have passed regulations requiring enhanced cyber security protection for control systems operating critical infrastructure
Risk to Asset Owners
• Safety
• Lost Production
• Equipment Damage
• Information Theft
• Company Image
Control Systems are more vulnerable today than ever before
• Heavy use of Commercial Off-the-Shelf (COTS) technology and protocols
– Integration of technology such as MS Windows, SQL and TCP/IP means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
• Increased Connectivity
– Enterprise integration (using plant, corporate and even public networks) means that legacy process control systems are now being subjected to stresses they were not designed for
• Demand for Remote Access
– 24/7 access for engineering, operations or technical support means more insecure or rogue connections to the control system
• Public Information
– Manuals on how to use control systems are publicly available
Actual Incident Types
Repository of Industrial Security Incidents (RISI), Incident Types (© 2009, Security Incidents Organization)
Pie charts; the values recovered from the slide:
• All incidents: Intentional 24%, Unintentional 76%
• Unintentional incidents (the chart containing the equipment failure slice): Insider 11%, Outsider 24%, Equipment Failure 65%
• Intentional incidents: Insider 53%, Outsider 47%
• Example labels on the charts: Malware (virus, worm, trojan); IT Dept, Technician; Network device, software; Disgruntled employee; Hacker
Example incidents
The Repository of Industrial Security Incidents, www.securityincidents.org
Disgruntled Contractor Disables Pipeline Leak Detection System
Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
Date: March 2009
Company: Pacific Energy Resources Ltd.
Location: Long Beach, CA, USA
Industry: Petroleum
Incident Type: External Hacker
Impact: Leak Detection System Disabled
Description: A disgruntled employee, Mario Azar, accessed the system that monitors the detection of pipeline leaks for three oil derricks off the Southern California coast. He knowingly, temporarily disabled the system.
The FBI announced that on September 14, 2009, Mario Azar pleaded guilty to intentionally damaging a computer system used in interstate and foreign commerce and faced up to ten years in prison. Sentencing was scheduled for December 7 in the United States District Court in Los Angeles.
Example incidents
Hackers Penetrate Water System Computers
Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
Date: October 2006
Company: Harrisburg Water System
Location: Harrisburg, PA, USA
Industry: Water & Wastewater
Incident Type: Intentional - External - Hacker
Impact: Unknown
Description: A foreign-based hacker used the internet to infiltrate the laptop of an employee of the Harrisburg water system. The hacker used the employee's remote access as the entry point into the SCADA system and installed malware and spyware on a SCADA HMI computer.
Example incidents
Browns Ferry Nuclear Plant Scrammed
Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
Date: Aug. 2006
Company: Browns Ferry Nuclear
Location: Athens, AL, USA
Industry: Nuclear Power
Incident Type: Accidental Equipment Failure
Impact: Unit #3 shutdown
Description: Operators manually scrammed Browns Ferry Unit 3 following a loss of both the 3A and 3B reactor recirculation pumps. The root cause was the malfunction of the VFD controller due to excessive traffic on the plant's Ethernet-based integrated computer system (ICS) network.
Stuxnet Summary
• First malware specifically targeting industrial control systems
• First discovered in June 2010 (in circulation since June 2009)
• Has the ability to reprogram Siemens S7 PLCs
• Infects Siemens SIMATIC software running on Windows PCs
• Uses the SIMATIC software to read S7 PLC memory and overwrite function blocks (FBs) with its own code, and hides the modification from the engineering software
• Spreads via USB memory sticks, local networks and Step 7 project files
• Thousands of PCs infected worldwide (predominantly Iran, India and Indonesia)
• Approximately 17 cases reported on SIMATIC systems
US Government Efforts
• Department of Homeland Security
– 6 CFR Part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
– National Cyber Security Division
• Control Systems Security Program (CSSP)
• Department of Energy
– Federal Energy Regulatory Commission (FERC)
• 18 CFR Part 40, Order 706 (mandates NERC CIP-002 through CIP-009)
• Nuclear Regulatory Commission
– 10 CFR 73.54 Cyber Security Rule (2009)
– RG 5.71
Standards Efforts
• International Society of Automation (ISA)
– ISA99, Industrial Automation and Control System (IACS) Security
• International Electrotechnical Commission (IEC)
– IEC 62443 series of standards (equivalent to ISA 99)
• National Institute of Standards and Technology (NIST)
– SP 800-82, Guide to Industrial Control Systems (ICS) Security
ISA 99 STANDARDS

ISA99 Work Products (Courtesy of ISA 99 Committee)
Diagram of the ISA99 work products by series; each was colour-coded Complete, In Progress or Planned in the original, which the extracted text does not preserve.
ISA99 Common
– ISA-99.01.01 Terminology, Concepts and Models
– ISA-TR99.01.02 Master Glossary of Terms and Abbreviations
– ISA-99.01.03 System Security Compliance Metrics
Security Program
– ISA-99.02.01 Establishing an IACS Security Program
– ISA-99.02.02 Operating an IACS Security Program
– ISA-TR99.02.03 Patch Management in the IACS Environment
Technical - System
– ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems
– ISA-99.03.02 Security Assurance Levels for Zones and Conduits
– ISA-99.03.03 System Security Requirements and Security Assurance Levels
– ISA-99.03.04 Product Development Requirements
Technical - Component
– ISA-99.04.01 Embedded Devices
– ISA-99.04.02 Host Devices
– ISA-99.04.03 Network Devices
– ISA-99.04.04 Applications, Data and Functions
ANSI/ISA-99.01.01 (Standard)
Title: Terminology, Concepts and Models
Description: This standard describes the terminology, concepts and models that form the basis for the ISA99 series of standards, practices and technical reports.
IEC Number: IEC/TS 62443-1-1
Status: Released October 2007
Primary WG: Product of ISA99 Work Group 3 (WG3)
Comments: The current version of this standard was published as ISA99.00.01. The new number will be assigned with the next revision. This standard has been designated a technical specification by IEC (IEC/TS 62443-1-1) because it does not have normative content. A future revision will include clarification of language to allow it to be designated as a standard.
5.2 Security Objectives (Clause 5: Concepts)
Risk Analysis
Risk = Likelihood × Consequence
Likelihood = Threat × Vulnerability
5.3 Defense-in-Depth (Clause 5: Concepts)
"Defense in Depth": applying multiple countermeasures in a layered or stepwise manner.
Diagram: a Potential Threat on the outside, the Control System at the centre, and these layers between them: Policies & Procedures, Physical Security, Secure Architectures, Demilitarized Zones (DMZ), Firewalls, Virtual Private Networks (VPN), Role-Based Access Control, Account Management, Patch Management, Virus Scanners.
Source: Siemens (http://www.sea.siemens.com/us/Products/Process-Automation/safetyandsecurity/industrialsecurity/Pages/Process-Automation-SafetyandSecurity_Security_page1.aspx)
5.8 Security Zones (Clause 5: Concepts)
5.8.1 General
• A security zone is a logical grouping of physical, informational and application assets sharing common security requirements
• There can be zones within zones, or subzones, that provide layered security, giving defense in depth and addressing multiple levels of security requirements
• A security zone has a border, which is the boundary between included and excluded elements
• Zones can be defined physically (a physical zone) or logically (a virtual zone)
5.9 Conduits (Clause 5: Concepts)
5.9.1 General
• A conduit is a particular type of security zone that groups communications that can be logically organized into a grouping of information flows within, and also external to, a zone
• It can be a single service (e.g., a single Ethernet network) or can be made up of multiple data carriers
• Can be defined physically or logically
System Architecture
Partitioning into Zones (Clause 6: Models)
6.5 Zone & Conduit Models (Clause 6: Models)
Specifying Zones & Conduits
Image courtesy of Byres Security
Honeywell Reference Architecture
Image Courtesy of Honeywell Process Control
Emerson Reference Architecture
Siemens Reference Architecture
Image Courtesy of Siemens AG
DuPont Reference Architecture
Image Courtesy of DuPont
Diagram. Zones shown: Business Zone, Operations Management Zone, Process Control Zone, Safety System Zone. Components legible in the diagram: WAN, LAN, PCN Firewall, DUPONTNET Domain Controller, DNS Server, Corporate Patch Management Server, Manufacturing Message Bus (adaptors: SAP, EConnect), Web.21 Server (optional), IP.21 Server, PM&C, Manufacturing Application Servers, DUPONTNET Resource Domain Controllers, Process Explorer (PE) clients, 3Com switches, Ethernet switch, modem banks, PCN, RCN, FBN, Field Bus Gateway, DCS Application Server, DCS AD Domain Controllers, DCS consoles, DCS Controllers, SIS, field devices.
5.10 Security Levels (Clause 5: Concepts)
• Categorizes the risk for a zone or conduit
• Corresponds to the required effectiveness of countermeasures and the inherent security properties of devices and systems
• Security levels provide a qualitative approach to addressing security for a zone
• The security level concept is expected to move to a quantitative approach in the future
• Organizations should establish a definition of what each level represents and how to measure the level of security for the zone
• A minimum of three security levels is recommended
The Security Lifecycle
Adapted from ISA S99.01.01
ANSI/ISA-99.02.01 (Standard)
Title: Establishing an Industrial Automation and Control Systems Security Program
Description: This standard describes the elements contained in a cyber security management system for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element.
IEC Number: IEC 62443-2-1
Status: Released January 2009
Primary WG: Product of ISA99 Work Group 2
Comments: IEC 62443-2-1 Ed. 1.0 issued as Final Draft International Standard (FDIS) on 2010-06-18. Voting terminates on 2010-09-03.

ANSI/ISA S99.02.01-2009 Establishing an IACS Security Program
FIRST THINGS FIRST
7 things a chemical process professional should do to secure their facility from unwanted intrusion

THE 7 THINGS
1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITOR & MAINTAIN
Risk Assessment
Typical Risk Matrix (figure)

Detailed Risk Assessment Example
Threat Source            | Threat             | Existing Countermeasures                      | Likelihood | Consequence | Risk
Intentional - Insider    | Current employee   | Personnel screening, access controls          | Low        | High        | Medium
Intentional - Insider    | Former employee    | Personnel screening, access controls          | Med        | High        | Medium
Intentional - Insider    | Current contractor | Access controls                               | Low        | High        | Medium
Intentional - Insider    | Former contractor  | Access controls                               | Med        | High        | Medium
Intentional - Outsider   |                    | Network segmentation, remote access controls  | Low        | High        | Medium
Unintentional - Insider  |                    | Training, access controls                     |            |             |
Unintentional - Outsider |                    |                                               |            |             |
Unintentional - Equipment|                    |                                               |            |             |
ASSESS EXISTING SYSTEMS
• Perform control system security assessments of existing systems
• Compare current control system design, architecture, policies and practices to standards & best practices
• Identify gaps and provide recommendations for closure
• Benefits:
– Provides management with a solid understanding of the current situation, gaps and path forward
– Helps identify and prioritize investments
– First step in developing a security management program
POLICY & PROCEDURE
• Establish control system security policies & procedures
– Scope
– Management Support
– Roles & Responsibilities
– Specific Policies
• Remote access
• Portable media
• Patch management
• Anti-virus management
• Change management
• Backup & restore
– References
AWARENESS & TRAINING
• Make sure personnel are aware of the importance of security and of company policies
• Provide role-based training
– Visitors
– Contractors
– New hires
– Operations
– Maintenance
– Engineering
– Management
NETWORK SEGMENTATION
• Defense-in-Depth strategy
• Partition the system into distinct security zones
– Logical grouping of assets sharing common security requirements
– There can be zones within zones, or subzones, that provide layered security
– Zones can be defined physically and/or logically
• Define security objectives and strategy for each zone
– Physical
– Logical
• Create secure conduits for zone-to-zone communications
– Install boundary or edge devices where communications enter or leave a zone, to provide monitoring and control over which data flows are permitted or denied between particular zones
ACCESS CONTROL
• Control and monitor access to control system resources
• Logical & physical
• AAA (as expanded on this slide; in network security AAA usually stands for Authentication, Authorization and Accounting)
– Administration
– Authentication
– Authorization
• Review
– Who has access?
– To what resources?
– With what privileges?
– How is it enforced?
• Zone-by-zone
• Asset-by-asset
• Role-by-role
• Person-by-person
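The four review questions above (who has access, to what resources, with what privileges, how it is enforced), worked zone-by-zone and person-by-person over a small account inventory, and then cross-checked against the "former employee" and "former contractor" rows of the threat table. This is an added example, not code from the deck or from exida: the accounts, roles, zones, resources and enforcement mechanisms are all constructed, and the privilege ranking view < operate < engineer < admin is an assumption.

```python
"""Access review helper (added example; all data below is constructed).

Builds the review matrix zone-by-zone and person-by-person, then flags the two
threat-table rows an access review catches directly: former employees and
former contractors whose accounts are still enabled."""
from collections import defaultdict
from dataclasses import dataclass

PRIVILEGE_ORDER = ["view", "operate", "engineer", "admin"]   # assumed ranking


@dataclass(frozen=True)
class Account:
    username: str
    person: str
    affiliation: str      # "employee" or "contractor"
    status: str           # "current" or "former"
    roles: frozenset
    enabled: bool


@dataclass(frozen=True)
class Grant:
    role: str
    zone: str
    resource: str
    privilege: str        # one of PRIVILEGE_ORDER
    enforced_by: str      # the mechanism that actually enforces the grant


# Constructed sample inventory; names, roles and zones are illustrative only.
ACCOUNTS = [
    Account("jsmith", "J. Smith", "employee", "current", frozenset({"operator"}), True),
    Account("adoe", "A. Doe", "employee", "former", frozenset({"engineer"}), True),
    Account("vendor1", "Vendor tech", "contractor", "former", frozenset({"remote_support"}), True),
    Account("mlee", "M. Lee", "contractor", "current", frozenset({"remote_support"}), False),
]
GRANTS = [
    Grant("operator", "Process Control", "DCS consoles", "operate", "DCS AD group"),
    Grant("engineer", "Process Control", "DCS application server", "engineer", "DCS AD group"),
    Grant("engineer", "Safety System", "SIS engineering station", "engineer", "local account"),
    Grant("remote_support", "Operations Management", "Manufacturing app server", "admin",
          "VPN + local Administrators"),
]


def review_matrix(accounts, grants):
    """zone -> person -> sorted (resource, privilege, enforced_by); enabled accounts only."""
    by_role = defaultdict(list)
    for g in grants:
        by_role[g.role].append(g)
    matrix = defaultdict(lambda: defaultdict(list))
    for a in accounts:
        if not a.enabled:
            continue                      # a disabled account grants nothing
        for role in a.roles:
            for g in by_role[role]:
                matrix[g.zone][a.person].append((g.resource, g.privilege, g.enforced_by))
    return {zone: {p: sorted(v) for p, v in people.items()} for zone, people in matrix.items()}


def stale_access(accounts):
    """Enabled accounts belonging to former employees or former contractors."""
    return sorted(a.username for a in accounts if a.status == "former" and a.enabled)


def people_with_privilege(matrix, zone, privilege):
    """Person-by-person view for one zone: who holds at least this privilege there."""
    floor = PRIVILEGE_ORDER.index(privilege)
    return sorted(
        person for person, grants in matrix.get(zone, {}).items()
        if any(PRIVILEGE_ORDER.index(priv) >= floor for _res, priv, _enf in grants)
    )


if __name__ == "__main__":
    m = review_matrix(ACCOUNTS, GRANTS)
    for zone, people in m.items():
        print(zone)
        for person, grants in people.items():
            for res, priv, enf in grants:
                print(f"  {person:12} {priv:9} {res:26} enforced by {enf}")
    print("stale access:", stale_access(ACCOUNTS))
    print("Safety System engineers:", people_with_privilege(m, "Safety System", "engineer"))
```

The matrix is only as good as the inventory behind it: the "how is it enforced" column has to come from the actual AD group memberships, local ACLs and VPN configuration, not from a policy document, because a grant that exists in the policy but is enforced nowhere is not an access control.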
SYSTEM HARDENING
• Remove or disable unused communication ports
• Remove unnecessary applications and services
• Apply patches when and where possible
• Consider 'whitelisting' tools
• Use ISASecure™ certified products
Port locking devices
Ethernet RJ-45
• Tamper-proof outlet lock and lockable patch cord
• Protects against unauthorized port access in unused outlets
• Deters patch cord removal
• Removable only with a specially designed key
USB
• A USB lock physically locks and blocks the USB ports
• Allows secured use of an authorized USB device by capturing the device's cable and locking it into the USB port
Pictured: Kensington USB Port Lock, Siemon LockIT™
Patch Management
Observations:
– Olin does not have a formal patch management policy or procedures for the DCS
– The OMNX system does not require patching
– Commercial, Windows-based platforms require greater attention to patching
Recommendations:
– See following slides
Patch Management
• Prioritize and categorize all machines into groups that define when and how they are to be patched. Examples:
• "Early Adopters" receive patches as soon as available and act as test / quality assurance machines
• "No Touch" machines require manual intervention and/or detailed vendor consultation
• Establish a procedure for keeping track of new patches and their level of importance to control operations

Patch Management
• When a new vulnerability is announced and/or a patch is available, conduct a PDA to evaluate the potential impact on the control system
• The patch is then evaluated and prioritized for adoption based on its risk evaluation
Reaction Plan | Aggressiveness | Implementation Window     | Level of Testing
Alpha         | Minimum        | Quarterly                 | High
Bravo         | Moderate       | By end of following week  | Best effort
Zebra         | Maximum        | Within 48 hours           | Minimal
Application Whitelisting
• Unlike antivirus solutions, which rely on blacklists of known malware, whitelisting enforces a relatively small list of the authorized applications for each computer
• Automatically blocks all unauthorized applications, including unknown malware and rogue applications installed by users
• Minimal performance impact
• Examples:
– CoreTrace Bouncer
– Industrial Defender HIPS
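The mechanism behind the bullets above, reduced to its core: a baseline of SHA-256 digests of the approved executables, and a decision that blocks anything not on it. This is an added example, not code from the deck nor from either product named above; the "executables" are constructed temporary files, and the scenario (an approved binary later modified by a file infector, plus a user-installed game) is made up to show that both unknown files and tampered approved files are refused.

```python
"""Hash-based application allowlisting (added example; sample files are constructed).

The allowlist is a set of SHA-256 digests of the executables approved for one
machine, captured while the machine is known-good. Anything whose digest is not
on the list is blocked, including unknown malware and applications a user
installed without authorization. A file-infecting virus that appends itself to
an approved executable changes the digest and so is blocked as well."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """digest -> file name, taken from a known-good baseline."""
    return {sha256_of(p): os.path.basename(p) for p in approved_paths}


def decide(path, allowlist):
    """Return ('allow' | 'block', reason) for one executable about to run."""
    digest = sha256_of(path)
    approved_name = allowlist.get(digest)
    if approved_name is None:
        return "block", f"{os.path.basename(path)}: digest {digest[:12]}... not on the allowlist"
    return "allow", f"{os.path.basename(path)}: matches approved {approved_name}"


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: two approved executables, one later infected, plus a rogue one."""
    with tempfile.TemporaryDirectory() as d:
        hmi = os.path.join(d, "hmi_runtime.exe")
        opc = os.path.join(d, "opc_server.exe")
        _write(hmi, b"MZ hmi runtime 3.1")        # stand-ins for real PE files
        _write(opc, b"MZ opc server 2.0")
        allowlist = build_allowlist([hmi, opc])   # baseline while known-good

        rogue = os.path.join(d, "checkers.exe")   # user-installed, never approved
        _write(rogue, b"MZ internet checkers")
        with open(opc, "ab") as f:                # file infector appends to an approved binary
            f.write(b"\x90\x90 appended viral code")

        return {os.path.basename(p): decide(p, allowlist)[0] for p in (hmi, opc, rogue)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:5} {name}")
```

The operational cost is the baseline: every approved patch changes digests, so re-capturing the allowlist has to be a step in the patch procedure or the patched application will be blocked on first launch. A hash allowlist also says nothing about what an approved interpreter (a scripting host, an office macro engine) is asked to run, which is why products in this space combine file hashes with publisher and path rules.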
ISASecure Embedded Device Security Certification
ISA Security Compliance Institute
Certification elements:
• Software Development Security Assurance (SDSA)
• Functional Security Assessment (FSA)
• Communications Robustness Testing (CRT)
ISASecure Certification Process:
1. CRT test all accessible TCP/IP interfaces
2. Perform FSA on device and all interfaces
3. Audit supplier's software development process
4. Perform integrated threat analysis
5. Issue certification
For more information visit: www.isasecure.org
MONITOR & MAINTAIN
• Install vendor-recommended anti-virus and update signatures regularly
• Review system logs periodically
• Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS)
• Pen testing (offline only)
• Periodic assessments
Anti-virus Management
Chart: Stuxnet is not the first malware to infect industrial control systems (© 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database)

Anti-virus Management
Observations:
– Olin does not have an anti-virus management policy or procedure for control systems
Recommendations:
– Develop an anti-virus policy for control systems
– Consider a mixed deployment scheme:
• Anti-virus scanning at the control system firewall
• Automatic updating for non-critical systems or systems with vendor-approved update schemes
• Manual scheduled updates for more difficult systems
• Focus on anti-virus signatures on all computers located in the DMZ
• A dedicated anti-virus server can be located in the DMZ
THE 7 THINGS (recap)
1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITOR & MAINTAIN
DCS Virus Infection, Investigation and Response: A Case Study
Chart: Stuxnet is not the first malware to infect ICS (© 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database)
Chart: Impact of Malware in ICS (© 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database)
Incident
• December 2009
• Petrochemical company in South Africa
• Virus (Win32/Sality) infected the DCS
• Two OPC servers shut down
• Operators ran the plant partially blind for 8 hours
• Engineers rebuilt the servers
• Recovered without loss of production
Scenario (annotated network diagram)
1. Replaced servers and updated access control list
2. OPC servers stopped. Virus discovered.
Win32/Sality Virus
• Discovered: April 18, 2009
• A worm that spreads by infecting executable files and copying itself to removable drives
• Deletes files with .vdb, .avc and .key in the filename (anti-virus definition and licence files) and also files listed under certain registry subkeys
• Ends processes and lowers security settings by modifying the registry
Response
• Conducted a root-cause investigation
• Implemented policy & procedural changes
– Configuration management policy for IT switches
– 3rd-party software policy
– Anti-virus management policy
– Prohibited remote access
– Portable media policy
• Hired a third-party SME to perform a thorough control system security assessment
– Familiar with DCS, SIS and SCADA systems
– Knowledgeable of latest standards & technology
– Experience in similar plants
– Unbiased
The Project
• exida hired to perform a control system security assessment
• Aug 23 – Aug 27, 2010
• Followed ANSI/ISA 99.02.01

Assessment Process
1. Understand and scope the system under assessment
2. Develop a clear understanding of the network architecture and all traffic flows
3. Develop an inventory of all networked control devices within the boundary of the system
4. Perform device level assessment
5. Interview key employees involved in operations and security of the control networks and equipment
6. Analyze collected data and compare with corporate standards and industry best practices to identify gaps
7. Recommend solutions to close identified gaps
Results
• For each item in ISA 99.02.01:
– Requirements
– Importance to effective security
– Industry best practices
– Observations
– Recommendations
• 48 recommendations
• 9 critical recommendations
Network Segmentation
Observations:
– Network connections not well documented
– Insufficient separation between business LAN and control system (VLANs & ACLs)
– Boundaries unclear and no boundary devices
– Several computers were found to have hundreds of established network connections
– Several dual-homed servers

Weak boundary
• Hundreds of computers in the network neighborhood
• Dual-homed servers
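The NETWORK SEGMENTATION step earlier (partition into zones, define conduits, put a boundary device where flows cross) and the findings just listed (undocumented connections, hundreds of established connections per host, dual-homed servers) are two sides of the same check, so one added example serves both. It is not code from the deck or from exida: the zone subnets, the conduit list, the interface inventory and the netstat-style connection records are all constructed, and the conduit for Modbus/TCP (port 502) from the Process Control Zone into the Safety System Zone is an assumption made only so the example has an allowed cross-zone flow.

```python
"""Zone-and-conduit check over a constructed connection inventory (added example).

Zones are defined by subnet; conduits list the zone-to-zone flows that are
permitted through a boundary device. Each observed connection that crosses a
zone boundary without a matching conduit is a finding, as is every dual-homed
host (a path around the boundary) and every host with more established
connections than a machine in its zone should show."""
import ipaddress
from collections import Counter

# Constructed zone model: one subnet per zone.
ZONES = {
    "Business": ipaddress.ip_network("10.1.0.0/16"),
    "Operations Management": ipaddress.ip_network("10.2.0.0/24"),   # the DMZ
    "Process Control": ipaddress.ip_network("10.3.0.0/24"),
    "Safety System": ipaddress.ip_network("10.4.0.0/24"),
}

# Constructed conduits: (initiating zone, destination zone, destination port).
CONDUITS = {
    ("Business", "Operations Management", 443),         # business users read the historian in the DMZ
    ("Operations Management", "Process Control", 135),  # DMZ historian collects from the DCS (DCOM endpoint mapper)
    ("Process Control", "Safety System", 502),          # assumed: DCS reads SIS status over Modbus/TCP
}

# Constructed netstat-style records taken on each host:
# (host, local address, remote address, remote port, state)
CONNECTIONS = [
    ("BIZ-PC-12", "10.1.5.12", "10.2.0.10", 443, "ESTABLISHED"),
    ("BIZ-PC-12", "10.1.5.12", "10.3.0.20", 445, "ESTABLISHED"),   # file share straight into the DCS
    ("BIZ-PC-12", "10.1.5.12", "10.3.0.21", 445, "ESTABLISHED"),
    ("DMZ-HIST", "10.2.0.10", "10.3.0.20", 135, "ESTABLISHED"),
    ("DCS-APP", "10.3.0.20", "10.4.0.5", 502, "ESTABLISHED"),
    ("DCS-APP", "10.3.0.20", "10.3.0.21", 1433, "ESTABLISHED"),    # intra-zone
    ("ENG-WS", "10.3.0.30", "10.1.5.99", 5900, "ESTABLISHED"),     # VNC out to the business LAN
    ("ENG-WS", "10.3.0.30", "10.3.0.20", 135, "TIME_WAIT"),
]

# Constructed interface inventory: host -> addresses on its NICs.
INTERFACES = {
    "BIZ-PC-12": ["10.1.5.12"],
    "DMZ-HIST": ["10.2.0.10"],
    "DCS-APP": ["10.3.0.20"],
    "HIST-SRV": ["10.2.0.15", "10.3.0.40"],   # one NIC in the DMZ, one in the control network
}


def zone_of(ip, zones=ZONES):
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "Unknown"


def unpermitted_flows(connections, zones=ZONES, conduits=CONDUITS):
    """Cross-zone established connections with no conduit permitting them.

    Records are taken on the initiating host, so local -> remote is the
    direction of the flow and remote_port is the service being reached."""
    findings = []
    for host, local_ip, remote_ip, remote_port, state in connections:
        if state != "ESTABLISHED":
            continue
        src, dst = zone_of(local_ip, zones), zone_of(remote_ip, zones)
        if src == dst:
            continue    # intra-zone traffic is governed by the zone's own policy
        if (src, dst, remote_port) not in conduits:
            findings.append((host, src, dst, remote_port))
    return findings


def dual_homed_hosts(interfaces, zones=ZONES):
    """Hosts whose interfaces sit in more than one zone: a path around the boundary device."""
    return sorted(h for h, ips in interfaces.items() if len({zone_of(ip, zones) for ip in ips}) > 1)


def busy_hosts(connections, threshold):
    """Hosts with more established connections than the threshold."""
    counts = Counter(h for h, _l, _r, _p, state in connections if state == "ESTABLISHED")
    return sorted(h for h, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for host, src, dst, port in unpermitted_flows(CONNECTIONS):
        print(f"no conduit: {host} {src} -> {dst} port {port}")
    print("dual-homed:", dual_homed_hosts(INTERFACES))
    print("busy hosts:", busy_hosts(CONNECTIONS, threshold=2))
```

Two caveats for real data. A connection table taken on a host does not by itself say which side opened the connection, so the initiating-host assumption above has to be checked against the boundary device's logs or a passive capture on a mirror port; and the inventory should be collected from each host's own tables or from a passive capture rather than by scanning, since active probing of a live control network is exactly the kind of traffic the Browns Ferry incident earlier in the deck shows a controller cannot always tolerate.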
DuPont Reference Architecture (diagram repeated from the ISA 99 section, shown here as the target model)
Image Courtesy of DuPont
System Hardening
Observations:
• Workstations had an extensive number of inappropriate applications:
– UltraVNC
– Microsoft ActiveSync
– Internet Explorer
– Microsoft Outlook / Outlook Express
– Windows NetMeeting
– Internet Checkers game
– Remote access phonebook
• Numerous file shares configured
Recommendations:
• Remove all unnecessary applications and services
• Apply the vendor-recommended or NIST hardening settings to all workstations and servers
• Immediately remove any unnecessary shares
System Hardening
Observations:
• Numerous active, unused Ethernet ports
• USB ports disabled by registry setting
Recommendations:
• Disable or lock any unused ports
• Use physical devices to lock cables into used ports and block access to unused ports
Lessons Learned
Client:
• Network segmentation is critical
• Anti-virus used per supplier recommendations
• Portable media is dangerous
• Awareness/training is important
• Systems should be hardened and patched per supplier recommendations
Assessor:
• ANSI/ISA 99.02.01 provides good structure but cannot be used as a checklist
• Zone and conduit modeling works
• Suppliers' reference architectures need to be adjusted for "real" applications
• Data collection must be performed very carefully on a live control system
Next Steps
• Client is developing corporate policies and procedures
• Client is preparing to deploy the recommended network changes
• Role-based security training is being developed and integrated into the existing training program
• Monitoring technology (e.g. IDS, HIPS) is being investigated
• Access control (logical and physical) is being reviewed
• System hardening is being implemented with supplier support
• Additional units and sites will be assessed