Control System Cyber Security: Understanding the Basics
Lehigh Valley ISA, Rumsey Electric, Bethlehem, PA, 9 November 2010

Posted Sep 12, 2014

Presented at the Lehigh Valley ISA meeting on Nov. 9, 2010, this presentation covers the basics of control system cyber security and a case study of a control system security incident and assessment.
Transcript
Page 1: Control system security understanding the basics

Control System Cyber Security: Understanding the Basics

Lehigh Valley ISA, Rumsey Electric, Bethlehem, PA

9 November 2010

Page 2

Copyright © 2010 - exida

• We help our clients improve the safety, security and availability of their automation systems

Page 3: John A. Cusimano, CFSE

• Director of Security Solutions for exida
• President, Byres Research
• Executive Director, Security Incidents Organization
• ISA S99 committee (voting member)
• ISA Security Compliance Institute (voting member)
• Formerly with Moore Products / Siemens
  – QUADLOG Product Manager
  – Global Process Safety Business Development
  – Process Automation Market Development Manager
• CFSE, Certified Functional Safety Expert

Page 4: Meeting Agenda

• Intro to Control System Security
• ISA 99 Standard
• First Things First
• Case Study
• Summary

Page 5: What is Control System Security?

• Prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems through the use of computers, networks, operating systems, applications and other programmable, configurable components of the system
• Goes by many names:
  – SCADA Security
  – PCN Security
  – Industrial Automation and Control System Security
  – Control System Cyber Security
  – Industrial Network Security
  – Electronic Security for Industrial Automation and Control Systems

Page 6: Why is Control System Security Important?

• These systems control the services that we consider essential for our way of life: electricity, petroleum production, water, transportation, manufacturing and communications
• Recent events have demonstrated the vulnerability of these systems to cyber incidents
• The US and other governments have passed regulations requiring enhanced cyber security protection for control systems operating critical infrastructure

Page 7: Risk to Asset Owners

• Safety
• Lost Production
• Equipment Damage
• Information Theft
• Company Image

Page 8: Control Systems are more vulnerable today than ever before

• Heavy use of Commercial Off-the-Shelf Technology (COTS) and protocols
  – Integration of technology such as MS Windows, SQL, and TCP/IP means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems
• Increased Connectivity
  – Enterprise integration (using plant, corporate and even public networks) means that (legacy) process control systems are now being subjected to stresses they were not designed for
• Demand for Remote Access
  – 24/7 access for engineering, operations or technical support means more insecure or rogue connections to the control system
• Public Information
  – Manuals on how to use control systems are publicly available

Page 9: Actual Incident Types

Repository of Industrial Security Incidents (RISI), Incident Types (© 2009, Security Incidents Organization)

Chart data (two pie charts, with the example labels the chart attaches to each slice):

All incidents: Intentional 24%, Unintentional 76%

Unintentional incidents by cause:
– Equipment failure 65% (network device, software)
– Outsider 24% (malware: virus, worm, trojan)
– Insider 11% (IT department, technician)

Intentional incidents by source:
– Insider 53% (disgruntled employee)
– Outsider 47% (hacker)

Page 10: Example incidents

The Repository of Industrial Security Incidents, www.securityincidents.org

Disgruntled Contractor Disables Pipeline Leak Detection System

Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
Date: March 2009
Company: Pacific Energy Resources Ltd.
Location: Long Beach, CA, USA
Industry: Petroleum
Incident Type: External Hacker
Impact: Leak Detection System Disabled

Description: A disgruntled employee, Mario Azar, accessed the system that monitors the detection of pipeline leaks for three oil derricks off the Southern California coast. He knowingly, temporarily disabled the system.

The FBI announced that, on September 14, 2009, Mario Azar pleaded guilty to intentionally damaging a computer system used in interstate and foreign commerce and faced ten years in prison. His sentencing was scheduled for December 7 in the United States District Court of Los Angeles.

Page 11: Example incidents

Hackers Penetrate Water System Computers

Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
Date: October 2006
Company: Harrisburg Water System
Location: Harrisburg, PA, USA
Industry: Water & Wastewater
Incident Type: Intentional - External - Hacker
Impact: Unknown

Description: A foreign-based hacker used the internet to infiltrate the laptop of an employee at the Harrisburg water system. The hacker used the employee's remote access as the entry point into the SCADA system and installed malware and spyware on a SCADA HMI computer.

Page 12: Example incidents

Browns Ferry Nuclear Plant Scrammed

Source: The Repository of Industrial Security Incidents (www.securityincidents.org)
Date: Aug. 2006
Company: Browns Ferry Nuclear
Location: Athens, AL, USA
Industry: Nuclear Power
Incident Type: Accidental Equipment Failure
Impact: Unit #3 shutdown

Description: Operators manually scrammed Browns Ferry Unit 3 following a loss of both the 3A and 3B reactor recirculation pumps. The root cause was the malfunction of the VFD controller due to excessive traffic on the plant's Ethernet-based integrated computer system (ICS) network.

Page 13: Stuxnet Summary

• First malware specifically targeting industrial control systems
• First discovered in June 2010 (in circulation since June 2009)
• Has the ability to reprogram Siemens S7 PLCs
• Infects Siemens SIMATIC software running on Windows PCs
• Uses the SIMATIC software to read S7 PLC memory and overwrite function blocks (FBs) with its own code, which it then hides
• Spreads via USB memory sticks, local networks and Step 7 project files
• Thousands of PCs infected worldwide (predominantly Iran, India and Indonesia)
• Approximately 17 cases reported on SIMATIC systems

Page 14: US Government Efforts

• Department of Homeland Security
  – 6 CFR Part 27: Chemical Facility Anti-Terrorism Standards (CFATS)
  – National Cyber Security Division
    • Control Systems Security Program (CSSP)
• Department of Energy
  – Federal Energy Regulatory Commission (FERC)
    • 18 CFR Part 40, Order 706 (mandates NERC CIP-002 through CIP-009)
• Nuclear Regulatory Commission
  – 10 CFR 73.54 Cyber Security Rule (2009)
  – RG 5.71

Page 15: Standards Efforts

• International Society of Automation (ISA)
  – ISA99, Industrial Automation and Control System (IACS) Security
• International Electrotechnical Commission (IEC)
  – IEC 62443 series of standards (equivalent to ISA99)
• National Institute of Standards and Technology (NIST)
  – SP 800-82, Guide to Industrial Control Systems (ICS) Security

Page 16: ISA 99 STANDARDS

Page 17: ISA99 Work Products

Diagram of the ISA99 series grouped by tier (courtesy of the ISA99 committee). The status of each document, Complete, In Progress or Planned, was shown by color in the original and is not recoverable here.

ISA99 Common
– ISA-99.01.01 Terminology, Concepts and Models
– ISA-TR99.01.02 Master Glossary of Terms and Abbreviations
– ISA-99.01.03 System Security Compliance Metrics

Security Program
– ISA-99.02.01 Establishing an IACS Security Program
– ISA-99.02.02 Operating an IACS Security Program
– ISA-TR99.02.03 Patch Management in the IACS Environment

Technical - System
– ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems
– ISA-99.03.02 Security Assurance Levels for Zones and Conduits
– ISA-99.03.03 System Security Requirements and Security Assurance Levels
– ISA-99.03.04 Product Development Requirements

Technical - Component
– ISA-99.04.01 Embedded Devices
– ISA-99.04.02 Host Devices
– ISA-99.04.03 Network Devices
– ISA-99.04.04 Applications, Data and Functions

Page 18: ANSI/ISA-99.01.01 (Standard)

Title: Terminology, Concepts and Models
Description: This standard describes the terminology, concepts and models that form the basis for the ISA99 series of standards, practices and technical reports.
IEC Number: IEC/TS 62443-1-1
Status: Released October 2007
Primary WG: Product of ISA99 Work Group 3 (WG3).
Comments: The current version of this standard was published as ISA-99.00.01. The new number will be assigned with the next revision. This standard has been designated as a technical specification by IEC (IEC/TS 62443-1-1) because it does not have normative content. A future revision will include clarification of language to allow it to be designated as a standard.

Page 19: 5.2 Security Objectives (Clause 5: Concepts)

Figure only; not reproduced in the transcript.

Page 20: Risk Analysis

Risk = Likelihood × Consequence

Likelihood = Threat × Vulnerability

Page 21: 5.3 Defense-in-Depth (Clause 5: Concepts)

Figure: layers of countermeasures placed between a potential threat and the control system. Layers shown: Physical Security, Policies & Procedures, Secure Architectures, Demilitarized Zones (DMZ), Firewalls, Virtual Private Networks (VPN), Role-Based Access Control, Account Management, Patch Management, Virus Scanners.

"Defense in Depth" – applying multiple countermeasures in a layered or stepwise manner.

Source: Siemens (http://www.sea.siemens.com/us/Products/Process-Automation/safetyandsecurity/industrialsecurity/Pages/Process-Automation-SafetyandSecurity_Security_page1.aspx)

Page 22: 5.8 Security Zones (Clause 5: Concepts)

5.8.1 General
• A security zone is a logical grouping of physical, informational, and application assets sharing common security requirements
• There can be zones within zones, or subzones, that provide layered security, giving defense in depth and addressing multiple levels of security requirements
• A security zone has a border, which is the boundary between included and excluded elements
• Zones can be defined physically (a physical zone) or logically (a virtual zone)

Page 23: 5.9 Conduits (Clause 5: Concepts)

5.9.1 General
• A conduit is a particular type of security zone that groups communications that can be logically organized into a grouping of information flows within and also external to a zone
• It can be a single service (e.g., a single Ethernet network) or can be made up of multiple data carriers
• Can be defined physically or logically

Page 24: System Architecture

Figure only; not reproduced in the transcript.

Page 25: Partitioning into Zones (Clause 6: Models)

Figure only; not reproduced in the transcript.

Page 26: 6.5 Zone & Conduit Models (Clause 6: Models)

Figure only; not reproduced in the transcript.

Page 27: Specifying Zones & Conduits

Image courtesy of Byres Security

Page 28: Honeywell Reference Architecture

Image courtesy of Honeywell Process Control

Page 29: Emerson Reference Architecture

Page 30: Siemens Reference Architecture

Image courtesy of Siemens AG

Page 31: DuPont Reference Architecture

Figure (image courtesy of DuPont): four zones, the Business Zone, Operations Management Zone, Process Control Zone (PCN) and Safety System Zone, with a PCN firewall at the control system boundary. Components shown in the diagram: DUPONTNET domain controller and DNS server, Manufacturing Message Bus (adaptors: SAP, EConnect), corporate patch management server, WAN and LAN links, DUPONTNET resource domain controllers, IP.21 server, PM&C, Web.21 server (optional), manufacturing application servers, Process Explorer (PE) clients, DCS application server, DCS AD domain controllers, DCS consoles, DCS controllers, Ethernet switch, 3Com switches, modem banks, field bus gateway, FBN, RCN, field devices, and the SIS with its own field devices.

Page 32: 5.10 Security Levels (Clause 5: Concepts)

• Categorizes the risk for a zone or conduit
• Corresponds to the required effectiveness of countermeasures and inherent security properties of devices and systems
• Security levels provide a qualitative approach to addressing security for a zone
• The security level concept is expected to move to a quantitative approach in the future
• Organizations should establish a definition of what each level represents and how to measure the level of security for the zone

Page 33: 5.10 Security Levels (Clause 5: Concepts)

• A minimum of three security levels is recommended

Page 34: The Security Lifecycle

Figure adapted from ISA S99.01.01; not reproduced in the transcript.

Page 35: ANSI/ISA-99.02.01 (Standard)

Title: Establishing an Industrial Automation and Control Systems Security Program
Description: This standard describes the elements contained in a cyber security management system for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element.
IEC Number: IEC 62443-2-1
Status: Released January 2009
Primary WG: Product of ISA99 Work Group 2.
Comments: IEC 62443-2-1 Ed. 1.0 issued as Final Draft International Standard (FDIS) on 2010-06-18. Voting terminates on 2010-09-03.

Page 36: ANSI/ISA S99.02.01-2009 Establishing an IACS Security Program

Figure only; not reproduced in the transcript.

Page 37: FIRST THINGS FIRST

7 things a chemical process professional should do to secure their facility from unwanted intrusion

Page 38: THE 7 THINGS

1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITOR & MAINTAIN

Page 39: Risk Assessment

Figure: Typical Risk Matrix (not reproduced in the transcript).

Page 40: Detailed Risk Assessment Example

Threat Source             | Threat             | Existing Countermeasures                     | Likelihood | Consequence | Risk
Intentional - Insider     | Current employee   | Personnel screening, access controls         | Low        | High        | Medium
Intentional - Insider     | Former employee    | Personnel screening, access controls         | Med        | High        | Medium
Intentional - Insider     | Current contractor | Access controls                              | Low        | High        | Medium
Intentional - Insider     | Former contractor  | Access controls                              | Med        | High        | Medium
Intentional - Outsider    |                    | Network segmentation, remote access controls | Low        | High        | Medium
Unintentional - Insider   |                    | Training, access controls                    |            |             |
Unintentional - Outsider  |                    |                                              |            |             |
Unintentional - Equipment |                    |                                              |            |             |

Page 41: ASSESS EXISTING SYSTEMS

• Perform control system security assessments of existing systems
• Compare current control system design, architecture, policies and practices to standards & best practices
• Identify gaps and provide recommendations for closure
• Benefits:
  – Provides management with a solid understanding of the current situation, gaps and path forward
  – Helps identify and prioritize investments
  – First step in developing a security management program

Page 42: POLICY & PROCEDURE

• Establish control system security policies & procedures
  – Scope
  – Management Support
  – Roles & Responsibilities
  – Specific Policies
    • Remote access
    • Portable media
    • Patch management
    • Anti-virus management
    • Change management
    • Backup & restore
  – References

Page 43: AWARENESS & TRAINING

• Make sure personnel are aware of the importance of security and company policies
• Provide role-based training
  – Visitors
  – Contractors
  – New hires
  – Operations
  – Maintenance
  – Engineering
  – Management

Page 44: NETWORK SEGMENTATION

• Defense-in-Depth strategy
• Partition the system into distinct security zones
  – Logical grouping of assets sharing common security requirements
  – There can be zones within zones, or subzones, that provide layered security
  – Zones can be defined physically and/or logically
• Define security objectives and strategy for each zone
  – Physical
  – Logical
• Create secure conduits for zone-to-zone communications
  – Install boundary or edge devices where communications enter or leave a zone to provide monitoring and control capability over which data flows are permitted or denied between particular zones.

Page 45: ACCESS CONTROL

• Control and monitor access to control system resources
• Logical & Physical
• AAA
  – Administration
  – Authentication
  – Authorization
• Review
  – Who has access?
  – To what resources?
  – With what privileges?
  – How is it enforced?
• Zone-by-zone
• Asset-by-asset
• Role-by-role
• Person-by-person

Page 46: SYSTEM HARDENING

• Remove or disable unused communication ports
• Remove unnecessary applications and services
• Apply patches when and where possible
• Consider 'whitelisting' tools
• Use ISASecure™ certified products

Page 47: Port locking devices

Ethernet RJ-45 (Siemon LockIT™)
• Tamper-proof outlet lock and lockable patch cord
• Protects against unauthorized port access in unused outlets
• Deters patch cord removal
• Removable only with a specially designed key

USB (Kensington USB Port Lock)
• USB lock physically locks and blocks the USB ports
• Allows secured use of an authorized USB device by capturing the device's cable and locking it into the USB port

Page 48: Patch Management

Observations:
– Olin does not have a formal patch management policy or procedures for DCS
– OMNX system does not require patching
– Commercial, Windows-based platforms require greater attention to patching

Recommendations:
– See following slides

Page 49: Patch Management

• Prioritize and categorize all machines into groups that define when and how they are to be patched. Example:
  – "Early Adopters" receive patches as soon as available and act as Test/Quality Assurance machines.
  – "No Touch" machines require manual intervention and/or detailed vendor consultation.
• Establish a procedure for keeping track of new patches and their level of importance to control operations.

Page 50: Patch Management

• When a new vulnerability is announced and/or a patch fix is available, conduct a PDA to evaluate the potential impact on the control system
• The patch is then evaluated and prioritized for adoption based on its risk evaluation.

Reaction Plan | Aggressiveness | Implementation Window    | Level of Testing
Alpha         | Minimum        | Quarterly                | High
Bravo         | Moderate       | By end of following week | Best Effort
Zebra         | Maximum        | Within 48 hours          | Minimal
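As an added example, not part of the presentation, the Python below turns the two patch management slides above into a runnable triage: a patch's risk evaluation selects a reaction plan, the plan's implementation window becomes a calendar due date, and each machine group is handled as described (Early Adopters are patched immediately as test/QA machines, No Touch machines get a manual task instead of a date). The risk-to-plan mapping, the rule that an unapproved patch never goes out on the 48-hour plan, the reading of "end of following week" as the Friday of the next week, the quarterly window dates and the host inventory are all assumptions made for this example.

```python
from datetime import date, timedelta

# Reaction plans from the slide: name -> (implementation window, level of testing)
PLANS = {
    "Alpha": ("Quarterly", "High"),
    "Bravo": ("By end of following week", "Best Effort"),
    "Zebra": ("Within 48 hours", "Minimal"),
}

# Constructed machine groups (assumption): group -> hosts
GROUPS = {
    "Early Adopters": ["TEST-HMI01"],          # test/QA boxes, patched first
    "Standard": ["HMI01", "HMI02", "EWS01"],   # follow the reaction plan
    "No Touch": ["DCS-APPSRV01"],              # manual intervention / vendor consultation
}

def plan_for(risk, vendor_approved):
    """Assumed mapping from the patch's risk evaluation to a reaction plan.
    A patch the DCS supplier has not yet approved is never pushed on the
    48-hour plan, however severe: it drops to Bravo so it gets tested first."""
    plan = {"High": "Zebra", "Medium": "Bravo", "Low": "Alpha"}[risk]
    if plan == "Zebra" and not vendor_approved:
        plan = "Bravo"
    return plan

def due_date(plan, announced):
    """Translate the plan's implementation window into a calendar date."""
    if plan == "Zebra":
        return announced + timedelta(days=2)               # within 48 hours
    if plan == "Bravo":
        next_monday = announced + timedelta(days=7 - announced.weekday())
        return next_monday + timedelta(days=4)             # Friday of the following week (assumed)
    # Alpha: next quarterly window, assumed to open on 1 Jan / 1 Apr / 1 Jul / 1 Oct
    month = 3 * ((announced.month - 1) // 3) + 4
    year = announced.year + (1 if month > 12 else 0)
    return date(year, (month - 1) % 12 + 1, 1)

def schedule(patch):
    """Return (host, plan, due date or None, action) rows for one patch."""
    plan = plan_for(patch["risk"], patch["vendor_approved"])
    due = due_date(plan, patch["announced"])
    rows = []
    for group, hosts in GROUPS.items():
        for host in hosts:
            if group == "Early Adopters":
                rows.append((host, plan, patch["announced"], "install now; acts as test/QA machine"))
            elif group == "No Touch":
                rows.append((host, plan, None, "manual: consult supplier before any change"))
            else:
                rows.append((host, plan, due, f"testing level: {PLANS[plan][1]}"))
    return rows

# Constructed patch record (not a real bulletin), announced on a Wednesday
ANNOUNCED = date(2010, 11, 10)
SAMPLE_PATCH = {"id": "EXAMPLE-PATCH-01", "announced": ANNOUNCED,
                "risk": "High", "vendor_approved": False}

if __name__ == "__main__":
    for host, plan, due, action in schedule(SAMPLE_PATCH):
        print(f"{host:12} {plan:6} {(str(due) if due else '-'):10} {action}")
```

Running it shows the point of the group split: the same High-risk patch lands on the test machine the day it is announced, on the standard HMIs by the Friday of the following week (because the supplier has not approved it, so Zebra is downgraded to Bravo), and never automatically on the No Touch application server.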

Page 51: Application Whitelisting

• Unlike antivirus solutions, which rely on blacklists of known malware, whitelisting enforces a relatively small list of the authorized applications for each computer
• Automatically blocks all unauthorized applications, including unknown malware and rogue applications installed by users
• Minimal performance impact
• Examples:
  – CoreTrace Bouncer
  – Industrial Defender HIPS
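To make the contrast with signature-based antivirus concrete, here is an added example of the decision an application whitelisting agent makes. It is not code from the presentation or from either product named above: it hashes every executable of a known-good install, then at execution time blocks anything whose path or hash is not on that list. The fake "HMI" install, the rogue binary a user copies in and the in-place modification of an allowed binary are all constructed in a temporary directory, so it runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(root, exts=(".exe", ".dll")):
    """Snapshot a known-good install: relative path -> SHA-256 of each executable.
    This is the 'relatively small list of authorized applications' for one computer."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p)
            for p in root.rglob("*") if p.is_file() and p.suffix.lower() in exts}

def check_execution(root, rel_path, allowlist):
    """The decision an allowlisting agent makes when something tries to run.
    Returns (verdict, reason). No signature for the bad file is needed."""
    target = Path(root) / rel_path
    if not target.is_file():
        return ("BLOCK", "not present")
    expected = allowlist.get(rel_path)
    if expected is None:
        return ("BLOCK", "not on allowlist")          # unknown binary, e.g. a user-installed tool
    if sha256_of(target) != expected:
        return ("BLOCK", "hash mismatch (modified or replaced)")  # e.g. a file infector appended itself
    return ("ALLOW", "hash matches")

def demo():
    """Constructed scenario in a temp dir: a fake 'HMI' install is baselined,
    then a rogue tool is dropped in and an allowed binary is modified in place."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "hmi"
        app.mkdir()
        (app / "hmi.exe").write_bytes(b"MZ fake hmi binary")        # constructed, not a real PE
        (app / "opcsrv.exe").write_bytes(b"MZ fake opc server")
        allow = build_allowlist(root)

        results = {"hmi": check_execution(root, os.path.join("hmi", "hmi.exe"), allow)}

        (Path(root) / "ultravnc.exe").write_bytes(b"MZ fake vnc")   # rogue app a user copied in
        results["rogue"] = check_execution(root, "ultravnc.exe", allow)

        with open(app / "opcsrv.exe", "ab") as f:                   # infector-style modification
            f.write(b"\x90\x90 appended stub")
        results["infected"] = check_execution(root, os.path.join("hmi", "opcsrv.exe"), allow)
        return results

if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:9} {verdict:5} {reason}")
```

A shipping product enforces this in a kernel driver at process creation rather than in a script, and the list is changed only through the site's change management procedure; the logic is the same. The hash-mismatch branch is what also stops a file infector such as the Sality worm in the case study later in this deck, which modifies executables that were legitimately on the machine.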

Page 52: ISASecure Embedded Device Security Certification

ISA Security Compliance Institute

Three elements:
• Software Development Security Assurance (SDSA)
• Functional Security Assessment (FSA)
• Communications Robustness Testing (CRT)

ISASecure Certification Process
1. CRT test all accessible TCP/IP interfaces
2. Perform FSA on device and all interfaces
3. Audit supplier's software development process
4. Perform integrated threat analysis
5. Issue certification

For more information visit: www.isasecure.org

Page 53: MONITOR & MAINTAIN

• Install vendor-recommended anti-virus and update signatures regularly
• Review system logs periodically
• Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS)
• Pen testing (offline only)
• Periodic assessments

Page 54: Anti-virus Management

Chart: Stuxnet is not the first malware to infect industrial control systems (© 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database).

Page 55: Anti-virus Management

Observations:
– Olin does not have an anti-virus management policy or procedure for control systems

Recommendations:
– Develop an anti-virus policy for control systems
– Consider a mixed deployment scheme:
  • Anti-virus scanning at the control system firewall
  • Automatic updating for non-critical systems or systems with vendor-approved update schemes
  • Manual scheduled updates for more difficult systems
  • Focus on anti-virus signatures in all computers located in the DMZ
  • A dedicated anti-virus server can be located in the DMZ

Page 56: THE 7 THINGS (summary)

1. ASSESSMENT
2. POLICY & PROCEDURE
3. AWARENESS & TRAINING
4. NETWORK SEGMENTATION
5. ACCESS CONTROL
6. SYSTEM HARDENING
7. MONITOR & MAINTAIN

Page 57: DCS Virus Infection, Investigation and Response

A Case Study

Page 58: Stuxnet is not the first malware to infect ICS

Chart: © 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database.

Page 59: Impact of Malware in ICS

Chart: © 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database.

Page 60: Incident

• December 2009
• Petrochemical company in South Africa
• Virus (Win32/Sality) infected DCS system
• Two OPC servers shut down
• Operators ran plant partially blind for 8 hours
• Engineers rebuilt servers
• Recovered without loss of production

Page 61: Scenario

Figure (network diagram of the affected plant) with two annotated events:
1. Replaced servers and updated access control list
2. OPC servers stopped. Virus discovered.

Page 62: Win32/Sality Virus

• Discovered: April 18, 2009
• A worm that spreads by infecting executable files and copying itself to removable drives
• Deletes files with .vdb, .avc and .key in the filename and also files listed under certain registry subkeys
• Ends processes and lowers security settings by modifying the registry

Page 63: Response

• Conducted a root-cause investigation
• Implemented policy & procedural changes
  – Configuration management policy for IT switches
  – 3rd party software policy
  – Anti-virus management policy
  – Prohibited remote access
  – Portable media policy
• Hired third-party SME to perform a thorough control system security assessment
  – Familiar with DCS, SIS and SCADA systems
  – Knowledgeable of latest standards & technology
  – Experience in similar plants
  – Unbiased

Page 64: The Project

• exida hired to perform control system security assessment
• Aug 23 – Aug 27, 2010
• Followed ANSI/ISA-99.02.01

Page 65: Assessment Process

1. Understand and scope the system under assessment
2. Develop a clear understanding of the network architecture and all traffic flows
3. Develop an inventory of all networked control devices within the boundary of the system
4. Perform device-level assessment
5. Interview key employees involved in operations and security of the control networks and equipment
6. Analyze collected data and compare with corporate standards and industry best practices to identify gaps
7. Recommend solutions to close identified gaps

Page 66: Results

• For each item in ISA-99.02.01:
  – Requirements
  – Importance to effective security
  – Industry best practices
  – Observations
  – Recommendations
• 48 recommendations
• 9 critical recommendations

Page 67: Network Segmentation

Observations:
– Network connections not well documented
– Insufficient separation between business LAN and control system (VLANs & ACLs)
– Boundaries unclear and no boundary devices
– Several computers were found to have hundreds of established network connections
– Several dual-zoned (dual-homed) servers

Page 68: Weak boundary

Figure (screenshots from the assessment): hundreds of computers visible in the network neighborhood; dual-homed servers.
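The findings on the two slides above (no boundary devices, hundreds of established connections, dual-homed servers) are exactly what the zone-and-conduit model from the Network Segmentation slide lets you test mechanically. As an added example, not code from exida or from the assessed plant, the Python below defines zones as address ranges and conduits as the only permitted cross-zone flows, then reviews a constructed host inventory and constructed netstat -n output for three kinds of gap: a host with interfaces in two zones, a cross-zone connection that no conduit covers, and a connection to an address that is in no documented zone. The subnets, the conduit services, the connection-count threshold and the sample hosts are all assumptions for the example.

```python
import ipaddress

# --- Zone model (constructed for this example; the subnets are assumptions) ----
ZONES = {
    "Business":       [ipaddress.ip_network("10.1.0.0/16")],
    "OpsMgmt_DMZ":    [ipaddress.ip_network("10.2.0.0/24")],
    "ProcessControl": [ipaddress.ip_network("192.168.10.0/24")],
    "Safety":         [ipaddress.ip_network("192.168.20.0/24")],
}

# --- Conduits: (client zone, server zone, server TCP port) that the boundary
# device is allowed to pass. Anything else crossing a zone border is a gap.
# The services listed are assumptions, not the plant's real rule set.
CONDUITS = {
    ("OpsMgmt_DMZ", "ProcessControl", 135),  # DMZ OPC relay reads the PCN OPC server
    ("Business", "OpsMgmt_DMZ", 443),        # business users read the DMZ web historian
}

MAX_ESTABLISHED = 50   # assumed threshold for "too many connections" on a control host

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "Unknown"

def parse_netstat(lines):
    """Return (local_ip, local_port, remote_ip, remote_port) for every ESTABLISHED
    TCP row of 'netstat -n' style output; header and other rows are skipped."""
    conns = []
    for line in lines:
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "ESTABLISHED":
            lip, lport = f[1].rsplit(":", 1)
            rip, rport = f[2].rsplit(":", 1)
            conns.append((lip, int(lport), rip, int(rport)))
    return conns

def flow_allowed(a_zone, a_port, b_zone, b_port):
    """A cross-zone flow is allowed only if a conduit covers it. netstat does not
    say which side initiated, so whichever side holds a listed service port is
    treated as the server and the other side as the client."""
    if a_zone == b_zone:
        return True
    return (a_zone, b_zone, b_port) in CONDUITS or (b_zone, a_zone, a_port) in CONDUITS

def assess(inventory, netstat_by_host):
    """inventory: host -> list of its IP addresses; netstat_by_host: host -> lines.
    Returns a list of (host, finding_type, detail) tuples."""
    findings = []
    for host, ips in inventory.items():
        zones = {zone_of(ip) for ip in ips}
        if len(zones) > 1:   # a dual-homed box bridges zones behind the firewall's back
            findings.append((host, "dual-homed", sorted(zones)))
    for host, lines in netstat_by_host.items():
        conns = parse_netstat(lines)
        if len(conns) > MAX_ESTABLISHED:
            findings.append((host, "excessive-connections", len(conns)))
        for lip, lport, rip, rport in conns:
            lz, rz = zone_of(lip), zone_of(rip)
            if "Unknown" in (lz, rz):
                findings.append((host, "undocumented-address", f"{lip}:{lport} <-> {rip}:{rport}"))
            elif not flow_allowed(lz, lport, rz, rport):
                findings.append((host, "no-conduit", f"{lz} {lip}:{lport} <-> {rz} {rip}:{rport}"))
    return findings

# --- Constructed sample data: a PCN OPC server that is also plugged into the
# business LAN, and an engineering workstation with a stray RDP session. -------
INVENTORY = {
    "OPC01": ["192.168.10.20", "10.1.5.20"],
    "EWS01": ["192.168.10.30"],
    "HIST01": ["10.2.0.10"],
}
NETSTAT = {
    "OPC01": [
        "Proto  Local Address        Foreign Address      State",
        "TCP    192.168.10.20:135    10.2.0.10:51234      ESTABLISHED",
        "TCP    10.1.5.20:49160      10.1.7.5:445         ESTABLISHED",
    ],
    "EWS01": [
        "TCP    192.168.10.30:49200  10.1.3.40:3389       ESTABLISHED",
        "TCP    192.168.10.30:49201  192.168.10.31:102    ESTABLISHED",
        "TCP    192.168.10.30:49300  172.16.9.9:502       ESTABLISHED",
    ],
}

if __name__ == "__main__":
    for host, kind, detail in assess(INVENTORY, NETSTAT):
        print(f"{host:7} {kind:22} {detail}")
```

Two things worth noticing in the output. The OPC server's SMB session to a business file server passes the per-flow check, because both addresses are in the Business zone; only the inventory check reveals that the same box also sits in the Process Control zone, which is why the slide's "dual-homed servers" finding cannot be derived from firewall rules alone. And the Modbus connection to 172.16.9.9 is reported as an undocumented address rather than a violation: until the address is assigned to a zone the model cannot say whether the flow is legitimate, which is the "network connections not well documented" finding in practice.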

Page 69: DuPont Reference Architecture

Figure repeated from Page 31 (image courtesy of DuPont).

Page 70

Image only; nothing recoverable from the transcript.

Page 71: System Hardening

Observation
• Workstations had an extensive number of inappropriate applications:
  – UltraVNC
  – Microsoft ActiveSync
  – Internet Explorer
  – Microsoft Outlook / Outlook Express
  – Windows NetMeeting
  – Internet checkers game
  – Remote access phonebook
• Numerous file shares configured

Recommendation
• Remove all unnecessary applications and services
• Apply the vendor-recommended or NIST hardening settings to all workstations and servers
• Immediately remove any unnecessary shares

Page 72: System Hardening

Observation
• Numerous active, unused Ethernet ports
• USB ports disabled by registry setting

Recommendation
• Disable or lock any unused ports
• Use physical devices to lock cables into used ports and block access to unused ports

Page 73: Lessons Learned

Client
• Network segmentation is critical
• Anti-virus used per supplier recommendations
• Portable media is dangerous
• Awareness/training is important
• Systems should be hardened and patched per supplier recommendations

Assessor
• ANSI/ISA-99.02.01 provides good structure but cannot be used as a checklist
• Zone and conduit modeling works
• Suppliers' reference architectures need to be adjusted for "real" applications
• Data collection must be performed very carefully on a live control system

Page 74: Next Steps

• Client is developing corporate policies and procedures
• Client is preparing to deploy recommended network changes
• Role-based security training is being developed and integrated into the existing training program
• Monitoring technology (e.g. IDS, HIPS) being investigated
• Access control (logical and physical) being reviewed
• System hardening being implemented with supplier support
• Additional units and sites will be assessed