ICS Risk & Compliance

CHRISTY THOMAS
Senior Cyber Security Advisor (OT & IT)
Objectives

• About A Control System?
• SCADA Security Objectives
• ICS Cybersecurity
• Industrial Control System
• Security Issues in Industrial Control System
• ICS – Sec. Standards
• ICS Risk and Compliance
IT vs ICS
Types of Industrial Control Systems (ICS)
• Distributed Control Systems (DCS)
  • Monitor and control large centralized facilities such as power plants and refineries
• Supervisory Control and Data Acquisition (SCADA) systems
  • Monitor and control dispersed assets such as electric grids, pipelines, and water systems
• Programmable Logic Controllers (PLCs)
  • Control individual processes
• Remote Terminal Units (RTUs)
  • Act as data concentrators
• Field devices—such as sensors
  • Measure process parameters (pressure, temperature, flow, etc.);
  • Analyzers that monitor chemical constituents
  • Drives that open and close valves; etc.
Historical ICS

• Proprietary
• Complete vertical solutions
• Customized
• Specialized communications
  • Wired, fiber, microwave, dialup, serial, etc.
  • 100s of different protocols
  • Slow; e.g. 1200 baud
• Long service lifetimes: 15–20 years
• Not designed with security in mind
Technology Trends in ICS

COTS (Commercial-Off-The-Shelf) technologies
• Operating systems—Windows, WinCE, Lynuxs
• Applications—Databases, web servers, web browsers, etc.
• IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc.
• Networking equipment—switches, routers, firewalls, etc.

Connectivity of ICS to enterprise LAN
• Improved business visibility, business process efficiency
• Remote access to control center and field devices

IP Networking
• Common in higher level networks, gaining in lower levels
• Many legacy protocols wrapped in TCP or UDP
• Most new industrial devices have Ethernet ports
• Most new ICS architectures are IP-based

Eg. IP-Based ICS
• Honeywell Experion
• Emerson DeltaV
• Yokogawa VNET/IP
• Invensys Infusion
• Survalent
• ODVA (Rockwell)
• Profinet
• Foundation Fieldbus HSE
• Telvent
• ABB 800xA
• IP to the Control Network or even Device Network
• Not all are fully compatible with “ordinary IP”
Security Risks to Modern ICS

COTS + IP + Connectivity = Multiple security risks (all of those at Enterprise networks plus more..)

• Worms and Viruses
• DOS and DDOS impairing availability
• Unauthorized access
• Unknown access
• Unpatched systems
• Little or no use of anti-virus
• Limited use of host-based firewalls
• Improper use of ICS workstations
• Unauthorized applications
• Unnecessary applications
• Open FTP, Telnet, SNMP, HTML ports
• Fragile control devices
• Network scans by IT staff
• Legacy OSes and applications
• Inability to limit access
• Inability to revoke access
• Unexamined system logs
• Accidental misconfiguration
• Improperly secured devices
• Improperly secured wireless
• Unencrypted links to remote sites
• Passwords sent in clear text
• Default passwords
• Password management problems
• Default OS security configurations
• Unpatched routers / switches

SCADA Security Objectives
• Restrict logical access to the SCADA network
  • Use of DMZ in the network architecture
  • Separate authentication / credentials for BLAN & SCADA network
• Restrict physical access to the SCADA network and devices
• Protect individual SCADA components from exploitation
• Maintain functionality during adverse conditions
• Apply AIC
• Maintenance
• Resilience
Evolution – ICS Cybersecurity

• Designed and developed before cybersecurity threats were relevant
• Security through obscurity
• Airgaps to protect against external attacks
• IT-OT Convergence – who is responsible?
• Assets are not always known
• Proprietary & undocumented control-plane protocols
• Physical access a blind spot for cyber security teams
Common Control System vulnerabilities & weaknesses

Configuration
• Permissions, Privileges
• Access & Authentication
• Credentials Management
• Security config. & Policies.
• Audit and Accountability

Network Security
• Network design flaws
• Weak firewall rules
• Network Implementation

Application Security
• SW code quality
• Privileges and access controls
• Authentication
• Cryptographic issues
• Credentials management

Source: Cyber–Physical System Security for the Electric Power Grid, Proceedings of the IEEE | Vol. 100, No. 1, January 2012
ICS Cybersecurity
Vulnerabilities across ICS Components

[Figure: Number of vulnerabilities in different ICS components]
[Figure: Percentage of vulnerabilities by risk level (based on CVSS v.3 base scores), 2018 vs 2017]
[Figure: Number of vulnerable products across industries]

Source: US ICS-CERT classification - Vulnerabilities published in 2018
Major Flaws of ICS ..How to

There is No Silver Bullet !!!

• Unpatched Vulnerabilities
• Architecture & Segmentation Issues
• Access & Password
Security Issues – ICS

Unpatched Systems
Patching
• Lack of OS and application patches can break ICS
• Uncertified patches can invalidate warranty
• Patching often requires system reboot
• Before installation of a patch:

• Poor Authentication and Authorization
• Vendor default Password
• Unauthorized Applications
• Legacy Equipment
• Inappropriate Use of ICS Desktops
• Little or No Cybersecurity monitoring
• Requirement for 3rd Party Access
• Poor Audit and Logging
• Harsh Environments


CS Standards & Compliance
IEC 62443
Defense in-depth: Strategy & Building Blocks

• Risk Management Program
• Cybersecurity Architecture
• Physical Security
• ICS Perimeter Security
• ICS Network Architecture
• Host Security
• Security Monitoring
• Vendor Management
• The Human Element

Prevention, Detection, Response, Recovery


IEC 62443 – Zones & Conduits

• Zone: Shares Common Security Requirements (group of logical or physical assets based on criticality and consequence)
• Conduit: Controls Access to Zones (resists DoS attacks, transfer of malware and protects integrity and confidentiality of network traffic).
IEC-62443 - Reference Model
Sample Risk Assessment
What needs to be done?

• Assess existing systems: Understand risk and prioritize vulnerabilities
• Document policies and procedures: Determine position regarding ICS and develop company-specific policies
• Train personnel and contractors: Develop and institute policy awareness and training programs
• Segment the control system network: Create distinct network segments and isolate critical parts of the system using a “zone and conduit” model
• Control access to the system: Provide physical and logistical access controls to both your zones and equipment
• Harden the components of the system: Lock down the functionality of components
• Monitor and maintain the system: Update antivirus signatures, install patches, and monitor the system for suspicious activity
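
The "zone and conduit" segmentation named in the steps above and on the IEC 62443 slide, as an added example that is not part of the original slides: a Python check that classifies observed flows against a zone map and a conduit allow-list. The subnets, ports and flow records are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed zone map (assumption): assets grouped by criticality; subnets are illustrative.
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "control": ip_network("10.30.0.0/24"),
}

# Conduits (assumption): the only permitted inter-zone paths; none links enterprise and control.
CONDUITS = {
    ("enterprise", "dmz"): {443},
    ("control", "dmz"): {443},
}
Flow = namedtuple("Flow", "src dst dport")

def zone_of(addr):
    """Map an address to its zone; None means an undocumented asset."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def check_flow(flow):
    """Classify one flow as 'intra-zone', 'allowed' or a 'violation: ...' string."""
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src is None or dst is None:
        return "violation: unknown asset"
    if src == dst:
        return "intra-zone"
    ports = CONDUITS.get((src, dst))
    if ports is None:
        return f"violation: no conduit {src}->{dst}"
    if flow.dport not in ports:
        return f"violation: port {flow.dport} not permitted on {src}->{dst}"
    return "allowed"

def audit(flows):
    """Return (flow, reason) for every flow that breaks the zone/conduit policy."""
    return [(f, r) for f in flows if (r := check_flow(f)).startswith("violation")]

# Constructed flow records, standing in for firewall or NetFlow log entries.
SAMPLE_FLOWS = [
    Flow("10.10.5.20", "10.20.0.5", 443),    # enterprise -> DMZ over the conduit
    Flow("10.10.5.20", "10.30.0.11", 502),   # enterprise -> control, bypassing the DMZ
    Flow("10.30.0.11", "10.20.0.5", 23),     # Telnet on a conduit that only permits 443
    Flow("192.168.1.9", "10.30.0.11", 502),  # source is not in any documented zone
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(flow, reason)
```

Treating an address outside every zone as a violation makes the "assets are not always known" gap visible instead of silently passing it.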
Q&A
