
Aaron Bayles

DC101 DEF CON 22


19 years in IT/Infosec
Worked in Oil & Gas (O&G) last 8 years
Along the way:
Penetration testing
Vulnerability assessment
Network architecture, design & implementation
Risk assessment

Legacy equipment/comms
Remote (geographic) connectivity
Availability, not confidentiality or integrity, is key (control)
Power/space is a premium
Life safety can be dependent
The demands placed on Industrial Control Systems (ICS) & SCADA networks don't match up with security requirements

Understand your network & data flows
Does not require expert knowledge
Start with the basics
Some concepts for enterprise IT can be used, with modification
Build relationships between enterprise IT and industrial IT
Network segmentation
Portable media control
Configuration management
Patch management
Disaster recovery (DR) planning
Workforce development/training

Although these may be similar, significant differences exist

Formally the Purdue Enterprise Reference Architecture (PERA)
Widely accepted within the ICS industry
Compatible with multiple standards: ISA95, ISA99, and IEC 62443
Works with zone & conduit concepts
Represented by Layers 0/1-5
Starting point for ICS network segregation
Traffic within the same zone is allowed
Traffic passing between zones via conduits is controlled
Layer 2 (L2) can SET/CHANGE values on L1
L3 can only READ values from L2 & L1
Control points also allow for reporting
ICS applications often misbehave
OPC (Object Linking and Embedding for Process Control) uses MS DCOM
They don't always communicate statefully
Protocols have been subverted
MODBUS
DNP3
Some vendors have started to adapt to ICS
Tofino (C1D2, DIN rail mount)
Palo Alto (rack mount only for now)
Do not install in blocking mode without extensive testing & tuning
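As an added example (not from these slides, and not any vendor's product code), the zone and conduit rules above can be written down as a Modbus/TCP function-code policy: L3 may only read from L2 and L1, L2 may write to L1, and any pair without a defined conduit is flagged. The `enforce` flag models the advice to run an ICS firewall in alert-only mode until the policy has been tested and tuned. The zone labels, the policy table and the sample frames are constructed; the function codes are the public ones from the Modbus application protocol specification.

```python
"""Purdue-zone conduit policy for Modbus/TCP requests (added example, not from
the slides). Zone labels and sample frames are constructed for illustration."""
import struct
from dataclasses import dataclass

# Public Modbus function codes: read-only vs. those that change process values.
READ_CODES = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16, 23}     # write single/multiple coils & registers, read/write regs

# Conduit policy mirroring the slide: L2 may SET/CHANGE values on L1,
# L3 may only READ from L2 and L1. Pairs not listed have no conduit at all.
POLICY = {
    ("L2", "L1"): READ_CODES | WRITE_CODES,
    ("L3", "L1"): READ_CODES,
    ("L3", "L2"): READ_CODES,
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7])


def build_request(tid: int, unit: int, function_code: int, payload: bytes) -> bytes:
    """Assemble a Modbus/TCP request frame (used here only to construct samples)."""
    return struct.pack(">HHHB", tid, 0, len(payload) + 2, unit) + bytes([function_code]) + payload


def evaluate(src_zone: str, dst_zone: str, frame: bytes, enforce: bool = False):
    """Return (verdict, reason). Verdict is 'allow', 'alert' (monitor mode) or 'block'."""
    deny = "block" if enforce else "alert"
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        return deny, f"malformed frame {src_zone}->{dst_zone}: {exc}"
    allowed = POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return deny, f"no conduit defined {src_zone}->{dst_zone}"
    if req.function_code in allowed:
        return "allow", f"fc {req.function_code} permitted {src_zone}->{dst_zone}"
    return deny, f"fc {req.function_code} not permitted {src_zone}->{dst_zone}"


# Constructed samples: a read of 10 holding registers, a single-register write,
# and a frame whose protocol id is 1 (non-Modbus traffic arriving on 502/tcp).
READ_HOLDING = build_request(1, 1, 3, struct.pack(">HH", 0, 10))
WRITE_SINGLE = build_request(2, 1, 6, struct.pack(">HH", 1, 0xFF))
BAD_PROTO = b"\x00\x03\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"


def run_demo(enforce: bool = False):
    """Evaluate the samples over several conduits; returns the list of verdicts."""
    cases = [
        ("L3", "L1", READ_HOLDING),   # allowed: L3 reading from L1
        ("L3", "L1", WRITE_SINGLE),   # violation: L3 trying to change a value on L1
        ("L2", "L1", WRITE_SINGLE),   # allowed: L2 changing values on L1
        ("L1", "L3", READ_HOLDING),   # no conduit defined in this direction
        ("L3", "L2", BAD_PROTO),      # malformed frame
    ]
    results = []
    for src, dst, frame in cases:
        verdict, reason = evaluate(src, dst, frame, enforce)
        results.append(verdict)
        print(f"{verdict:5s} {reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

Running it with `enforce=False` only reports the violations, which is what you would review during the testing-and-tuning period; switching to `enforce=True` turns the same verdicts into blocks.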

#1 thing that worries field personnel
Due to software issues, vendors MUST approve OS/app patches
Cannot patch monthly
Time for testing environment
USB & removable media control
Anti-virus/anti-malware
Application whitelisting
Patch management for EWS & servers
Corporate IT has these systems, BUT ICS cannot patch as frequently
Application & OS security models differ
Dependent on directory services (AD)
Build your own!

Like enterprise IT, ICS requires remote support and maintenance
There have been breaches from this
Telvent
Target
Vendors often will not recommend a security architecture
Build your own!
Incident response requires DATA
Centralized logging
Traffic analysis
Logstash, Elasticsearch, and Cacti
Restoring PLC programming or device configs can be difficult
Specialized ICS configuration management software exists
MDT AutoSave
Siemens TeamCenter
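Added example (not the slides' code and not any vendor's product) of the core idea behind the configuration-management tools named above: keep a hashed baseline of each device's exported configuration, detect drift, show exactly what changed, and hand back the last known-good copy so it can be restored. The device names and configuration text are constructed stand-ins for real project exports.

```python
"""Baseline, drift detection and restore for PLC/device configuration exports.
Added example, not from the slides or any vendor; devices and configs are constructed."""
import difflib
import hashlib
import json


def fingerprint(config_text: str) -> str:
    """SHA-256 of the exported configuration text, used as the baseline identity."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def take_baseline(exports):
    """Store a hash and a full copy of every device export (dict: device name -> text)."""
    return {name: {"sha256": fingerprint(text), "content": text}
            for name, text in exports.items()}


def compare(baseline, current):
    """Return a drift report: changed devices (with unified diff), missing and new ones."""
    report = {"changed": {}, "missing": [], "new": []}
    for name, entry in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif fingerprint(current[name]) != entry["sha256"]:
            report["changed"][name] = list(difflib.unified_diff(
                entry["content"].splitlines(), current[name].splitlines(),
                fromfile=f"{name}@baseline", tofile=f"{name}@now", lineterm=""))
    report["new"] = sorted(n for n in current if n not in baseline)
    return report


def restore(baseline, name):
    """Return the last known-good export so it can be pushed back to the device."""
    return baseline[name]["content"]


# Constructed exports: tag/setpoint lines standing in for a vendor project file.
BASELINE_EXPORTS = {
    "PLC-01": "TAG FIC-101 TYPE PID\nSETPOINT 42.0\nHIGH_LIMIT 60.0\n",
    "PLC-02": "TAG LIC-201 TYPE PID\nSETPOINT 3.5\nHIGH_LIMIT 5.0\n",
}
CURRENT_EXPORTS = {
    "PLC-01": "TAG FIC-101 TYPE PID\nSETPOINT 42.0\nHIGH_LIMIT 95.0\n",  # limit raised
    "RTU-07": "TAG PT-301 TYPE AI\nSCALE 0 250\n",                       # not in baseline
}

BASELINE = take_baseline(BASELINE_EXPORTS)


def run_demo():
    """Compare the current exports against the baseline and print the report."""
    report = compare(BASELINE, CURRENT_EXPORTS)
    print(json.dumps(report, indent=2))
    return report


if __name__ == "__main__":
    run_demo()
```

Run on a schedule against fresh exports, the report is the incident-response data the earlier slide asks for: which device changed, what line changed, and (via `restore`) what it should be put back to.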


Specific ICS security trainings & certifications are uncommon
SANS/GIAC
Idaho National Laboratory (INL)
3rd Party Training
Offered by consulting/services companies
Blends Infosec with ICS sensitivities
Targeted for existing IT skillsets

For some, DR is simply considered as having equipment spares on site
Ability to rapidly restore services may not be planned
Business impact analysis is key
Updated lists of vital assets and personnel must be maintained

My presentation from last year
http://evuI.procIaII.net/dc21/og-infosec-101.pdf
Co-workers' presentation from BH '13
https://media.blackhat.com/us-13/US-13-Forner-Out-of-Control-Demonstrating-SCADA-Slides.pdf
Latest copy of these slides at
http://evuI.procIaII.net/dc22/protecting-scada-101.pdf


aaronprocIaII.net
AIxRogan
Visit the ICS Village, lots to explore and learn!

Telvent breach - http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/
MDT AutoSave - http://www.mdt-software.com/Products/AutoSaveFeatures.html
Siemens TeamCenter - http://www.plm.automation.siemens.com/enus/products/teamcenter/
Logstash & Elasticsearch - Log aggregation, searching, and visualization - http://www.elasticsearch.org/overview/
Cacti - Network statistics (and much more) graphing - http://cacti.net
DNP3 - http://www.digitalbond.com/blog/2013/10/16/why-crain-sistrunk-vulns-are-a-big-deal/