JOE WEISS, PE, CISM, CRISC, ISA FELLOW Cyber Effects on Industrial Control Systems (ICS)
JOE WEISS, PE, CISM,
CRISC, ISA FELLOW Cyber Effects on Industrial Control Systems (ICS)
What are the Issues with ICS Cyber
security?
• Protecting vs attacking
• Industrial control
systems vs SCADA
• Electronic threats vs
hacking
Applied Control Solutions Proprietary
ICSs – What are they
• ICSs are critical to operating
industrial assets including power,
refineries, pipelines, chemicals,
manufacturing, water, military
systems, medical systems, etc
• ICSs include Distributed Control
Systems – DCS, Supervisory
Control and Data Acquisition
(SCADA), Programmable Logic
Controllers (PLC), Remote
Terminal Units (RTU), Intelligent
Electronic Devices (IEDs)
• ICSs monitor and control physical
processes in real time
Focus is reliability and safety
Applied Control Solutions Proprietary Information
Control Systems Basics
Support Systems
ERP
MES
Data
Ware
house
Internet
Internet
Applied Control Solutions Proprietary Information
ICS Security Expertise Lacking
IT Security
ICS Security Experts
ICS Engineering
What are ICS-Unique Threats
• Cyber-physical, not just the network
• ICS vendor engineering manuals are available online
detailing most facets of the systems (e.g. command line
functionality)
• Persistent Design Vulnerabilities as well as APT
• Control of the process not denial-of-service
• Gap in protection of the process • eg, Aurora
• Compromise of the measurement • eg, HART vulnerability
• Compromise design features of the controller • eg, Stuxnet
Applied Control Solutions Proprietary Information
Don’t need to be a Nation-State
• ICS exploits exist
• Metasploits available on
the Internet
• SCADA exploit pack with
200 vulnerabilities
including >90 zero days for
<$10,000
• More vulnerabilities being
discovered
• Don’t need to have
malicious intent to cause
damage
Applied Control Solutions Proprietary Information
What is an ICS Cyber Incident
• Electronic communications
between systems and/or
people that impacts
Confidentiality, Integrity,
and/or Availability (CIA)
• Missing “S” - Safety
• Doesn’t have to be
malicious or targeted
• Doesn’t need to be
connected to the Internet
Applied Control Solutions Proprietary Information
Applied Control Solutions Proprietary Information
ICS Cyber Threats are Real • >750 actual ICS cyber
incidents (and counting)
• Impacts ranged from significant discharges to significant equipment damage to deaths
• Affects all industries
• Very few ICS-specific cyber security technologies, training, and policies
• >2,000,000 ICS devices directly connected to the Internet (and counting)
Applied Control Solutions Proprietary Information
Count
Total >750
Malicious >250
Targeted >100 (of the 250+)
Loss of View/Loss of Control >300
Injury/Deaths >50 (>1,000 deaths)
Equipment Damage >100
Environmental Damage >70
Operational Impact >500
Financial Impact >$30B
Summary of ICS Cyber Incidents
Consequences of ICS Cyber Incidents • Blocked or delayed data flow has disrupted ICS operation
• Unauthorized changes to instructions, commands, or alarm
thresholds has damaged, disabled, and shut down equipment
and created environmental impacts
• Inaccurate information sent to system operators, either to
disguise unauthorized changes, or to cause the operators to
initiate inappropriate actions has had serious operational
impacts
• Modification of ICS software or configuration settings or ICS
software infected with malware has had serious operational
impacts
• Interference with safety systems has led to equipment
damage, environmental releases, and killed people
Applied Control Solutions Proprietary Information
Issues with ICS Cyber Forensics
• Technical issues
• Cyber forensics exist at the Windows and IP-level
• May not always work
• Minimal, if any, cyber forensics at non-IP level
• Electric industry not even looking as out-of-scope
• Minimal training for Operations staff to identify cyber incidents
• Policy issues
• Required to identify cyber incidents if you know they were cyber
attacks
• Reticence to identify incidents as being cyber-related
• If you don’t know it was a cyber attack, don’t have to disclose
Applied Control Solutions Proprietary Information
Summary • Need Senior Management buy-in
• Need economic drivers- insurance, etc
• Share information
• Develop ICS cyber security policies, procedures, and
awareness
• Develop relevant ICS cyber forensics and training
• Develop ICS cyber resiliency and recovery programs
• Develop more robust ICSs
• Treat ICS cyber security as a reliability and safety issue
• Include IT, operations, equipment vendors, plant
designers, telecom, incident responders, etc as a team
• Be careful about IOT when it comes to safety
Applied Control Solutions Proprietary Information