
Using Open Source Intelligence to Improve ICS & SCADA Security
Richard Piggin

Agenda

1. Our expertise
2. Sources
3. Methodology
4. Physical Vulnerabilities
5. Social Media and Social Engineering
6. Control Systems Vulnerabilities
7. Threat Assessment
8. Key Points

Our expertise

Atkins Capability

Sources

Mainstream media
Academic material

Methodology

Antagonist attack cycle

Physical Vulnerabilities

MAPPING & IMAGERY

Mapping: Threats & Mitigation

| Threats | Mitigation |
| --- | --- |
| Several semi-detailed internal plans of the facility with itemised locations that could greatly assist any trespasser | Requirement to establish sources for accuracy and to investigate the potential to reduce footprint and request removal of some sources |

Security Infrastructure

Commercial in Confidence

Social Media & Social Engineering

| Job Title | Social Media Platform | Notes |
| --- | --- | --- |
| Lead Control and Instrumentation Engineer | Facebook | Comments have shown that he has a strong association with the company's ICS infrastructure. Lives in ....... |
| C&I Lead Engineer | LinkedIn, Facebook | Has given presentations on plant upgrades. These include imagery of servers and systems. |
| EC&I Engineer | LinkedIn, Facebook | |
| EC&I Engineer | LinkedIn | |
| EC&I Section Head | N/A | |
| Electrical Engineer | LinkedIn | |
| Former EC&I Team Leader | LinkedIn | |
| Process Control Engineer | LinkedIn | |
| Project Engineer | LinkedIn | |
| Project Engineer | N/A | |
| Project Engineer | LinkedIn | |
| Maintenance Technician | LinkedIn | |
| Operator Maintainer | Facebook | |
| Safety and Outage Section Head | LinkedIn | |
| Mechanical Engineer | LinkedIn | |
| Fire Alarm Engineer | LinkedIn | |
| Head of Mechanical Engineering | LinkedIn | |

Social Media: Threats & Mitigations

| Threats | Mitigations |
| --- | --- |
| The personal information made publicly available by employees significantly increases the risk of social engineering and/or phishing attacks by hostile actors | Raise awareness of security risks and third party media. Provide guidance and policy on posting company-related details on social media |

Control Systems Vulnerabilities

Publicly available information:

- Consequences
- Understand targets
- Identify components
- Gauge scope, scale & effort required

SHODAN results

Interrogates connected devices and catalogues the response from a device. The response, known as a banner, provides information on the particular service and details of the service.


OSINT control system threat matrix

Rows (Industrial control systems): Control system A, Control system B, Control system C, Control system D
Columns: OSINT System Identification, System Context, Physical/Network Access, Engineering Personnel Identified, Third Party Identified, SHODAN Exploit, Vulnerability/Exploit
Rating scale: Most significant, Moderate, Insignificant / None (the per-cell ratings of the matrix were not preserved in this extraction)
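The SHODAN description above and the SHODAN column of the matrix, worked in code as an added example that is not part of the talk: constructed banner records are classified by the ICS protocol they expose, and each control system is rated on the deck's three-level scale. The record fields (ip_str, port, data, product, loosely modelled on Shodan banner JSON), the host-to-system mapping, the ICS port list and the rating thresholds are all assumptions for illustration.

```python
# Added example: rate each control system's SHODAN exposure on the deck's scale.
# Records are constructed and only loosely shaped like Shodan banner JSON
# (ip_str, port, data, product); the rating thresholds are illustrative.

# Well-known ICS protocol ports plus a keyword for spotting the protocol in banner text.
ICS_SERVICES = {
    102: ("Siemens S7comm", "s7comm"),
    502: ("Modbus/TCP", "modbus"),
    20000: ("DNP3", "dnp3"),
    44818: ("EtherNet/IP", "ethernet/ip"),
    47808: ("BACnet", "bacnet"),
}

# Constructed sample banners; addresses are from the RFC 5737 documentation range.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 502, "data": "", "product": ""},
    {"ip_str": "192.0.2.10", "port": 80, "data": "HTTP/1.1 200 OK\r\nServer: HMI-Web", "product": ""},
    {"ip_str": "192.0.2.20", "port": 443, "data": "HTTP/1.1 401 Unauthorized", "product": "nginx"},
    {"ip_str": "192.0.2.30", "port": 8502, "data": "Modbus gateway ready", "product": ""},
]

# Hosts belonging to each control system (the rows of the deck's threat matrix).
SYSTEMS = {
    "Control system A": {"192.0.2.10"},
    "Control system B": {"192.0.2.20"},
    "Control system C": {"192.0.2.30"},
    "Control system D": {"192.0.2.40"},
}

def classify_banner(rec):
    """Name the ICS protocol a banner exposes (port first, then banner text), or 'other'."""
    if rec["port"] in ICS_SERVICES:
        return ICS_SERVICES[rec["port"]][0]
    text = (rec.get("data", "") + " " + rec.get("product", "")).lower()
    for name, keyword in ICS_SERVICES.values():
        if keyword in text:  # catches an ICS service answering on a non-standard port
            return name
    return "other"

def shodan_rating(records, hosts):
    """Deck scale: 'Most significant' if an ICS protocol is indexed for the hosts,
    'Moderate' if only non-ICS services are, else 'Insignificant / None'."""
    found = [classify_banner(r) for r in records if r["ip_str"] in hosts]
    if any(f != "other" for f in found):
        return "Most significant"
    return "Moderate" if found else "Insignificant / None"

def shodan_column(records=SAMPLE_BANNERS, systems=SYSTEMS):
    """The matrix's SHODAN column: one rating per control system."""
    return {name: shodan_rating(records, hosts) for name, hosts in systems.items()}
```

Run against an export of banners for the organisation's own address space, the result is the SHODAN column of the matrix, with the non-standard-port case (system C) showing why banner text is checked as well as the port.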

Industrial Control Systems: Threats & Mitigations

| Threat | Mitigation |
| --- | --- |
| Photos of the installations provide detailed insight into the deployed hardware and software configuration | Reduce Open Source footprint and request removal of appropriate identified sources. Increase security awareness with the marketing function. Establish guidelines for the publication of its information by third parties |

Threat Assessment

Industrial control system security themes and challenges

| Security Theme | Challenge |
| --- | --- |
| Anti-malware & malicious code countermeasures | Systems may not support protection. Alternative measures are required. Delays in adequate protection may result. |
| Application of patches | Inconsistent protection or delay in achieving suitable protection whilst vendor patches are validated and tested on offline systems |
| Host systems | Security measures need to address different host systems, taking longer to apply |
| Operating systems | Security measures must address operating system requirements, particularly where systems are needed beyond end of life support |
| Networks | Security products often do not support industrial protocols and their implementation cannot interfere with the real time operation of ICS |
| Applications | Application of security will need to be tailored and cannot interfere with real time operation of ICS. |
| Time critical operation | Time constraints require security measures not to impact ICS operation |
| Availability | Application of security may be delayed due to production. There is a necessity to continue to operate in the presence of a security incident. Non-availability of systems is likely to impact production |
| Security goals | Contrasting goals and priorities reflect differing domain approaches, highlighting potential diverse security strategies |
| IT security awareness | Control engineers do not tend to have cyber security education/training |
| ICS security awareness | Domain knowledge often limits the understanding required to implement effective security. Fragmented team working (demarcation/lack of ownership) leads to potential security weaknesses |
| Security testing | Knowledge of ICS testing is required to prevent unintended downtime and system outage. Testing should be performed on non-production systems |
| Forensics | Implementation requires ICS and forensics knowledge and will be limited to those systems supported |
| Technology lifetime and support | Integration can be technically demanding over such long time frames. Delay in technology adoption into ICS (typically 10 years) exacerbates risk |

Source: Development of industrial cyber security standards: IEC 62443 for SCADA and Industrial control systems, Piggin, R.

Key points

- Identification of control systems
- Staff a rich source: social media, control systems experience and potential for social engineering
- Link between internet footprint and spear-phishing
- Third parties' data leakage and access
- Widely available vulnerabilities and exploit information for specific control systems
- ICS security cuts across the organisation; it's not just Engineering or IT
