
Implications of Cybersecurity on the Small and Medium-sized Manufacturer: Risk Management and Compliance

Dr. Ron McFarland, Ph.D., PMP, CISSP – Post Doctorate Fellow, University of Maryland University College
Dean, School of Applied Technologies – College of the Canyons

Center for Security Studies


Funding provided by CAE Cybersecurity Grant Program - S-004-2017 CAE Cybersecurity (CAE-C) “Investment in Expansion of CAE-C Education Programs”
Dr. Loyce Best Pailen, Principal Investigator

Topics
1. Compliant, but breached
2. Cyber Security and Industrial Control Systems
3. DFARS Requirements

Compliant, but breached

The Essence of the Problem

Hackers focus on beating security controls.

Security and compliance teams focus on adhering to laws and regulations.

A control that satisfies an assessor at a point in time but is never tested against a live attacker is where the two diverge; that gap is what the breach list on the next slide illustrates.

Compliant with Certifications -- but Breached

• Target
• Dairy Queen
• Verizon
• KMart
• SecurePay
• Experian
• Sally Beauty
• FedEx
• Staples

According to the SANS Institute: “The Payment Card Industry published the Data Security Standard 11 years ago; however, criminals are still breaching companies and getting access to cardholder data. The number of security breaches in the past two years has increased considerably, even among the companies which assessors deemed compliant.”

What is Compliance and Security?

• Compliance – the act or process of complying with a desire, demand, proposal, regimen or coercion; here, conforming to a standard that was adopted in order to achieve security
• Security – the state of being free from danger or threat; here, the actual resistance of systems and data to attack
• Passing an assessment demonstrates the first, not the second: an assessor samples controls at a point in time, while an attacker probes them continuously

Possible Combinations

• Possible combinations:
1. Neither compliant with any standard nor secure
2. Secure in a limited way but not compliant with any standard
3. Compliant with standards but insecure
4. Secure and compliant
• Best option is to achieve security via compliance: use the standard as the structure, and verify that the controls actually work rather than that they merely exist
 Treat certifications of products and processes, and regulatory compliance, as assets that document security rather than as substitutes for it

Health Insurance Portability and Accountability Act (HIPAA)

• Established security standards for certain types of health information
 regulated by the Department of Health and Human Services (HHS)
• Procedural and technical measures to protect information and track the people using that information
 User identification and authentication
 Automatic logoff and emergency access procedures
 System logging (audit controls) for security events
 Encryption of Protected Health Information (PHI) at rest and in transit (an “addressable” specification of the Security Rule: implement it, or document why an equivalent measure is used instead)
 Integrity controls

Payment Card Industry – Data Security Standard (PCI DSS)

• Applies to merchants and service providers that store, process or transmit credit and debit card data
 administered by the PCI Security Standards Council, founded by Visa, MasterCard, Discover, JCB and American Express; enforced through the card brands and acquiring banks
• Organizations track all access to network resources and cardholder data
 Requires external assessments (a Qualified Security Assessor for the largest merchants, a self-assessment questionnaire for smaller ones)
 Quarterly external vulnerability scans by an Approved Scanning Vendor, plus annual penetration testing; these are separate requirements, not two names for the same activity
 Become “validated” as compliant (a Report or Attestation of Compliance, which is a point-in-time result)

Payment Card Industry – Data Security Standard (PCI DSS)

PCI DSS Requirements

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Gramm-Leach-Bliley Act (GLBA)

• Requires financial institutions to protect customer information against security threats
 Safeguards Rule enforced by the FTC for non-bank financial institutions; banks are covered by their federal banking regulators
• Privacy notice includes what they collect, where it is shared and how it is protected
• Covered data: SSN, financial account numbers, credit card numbers, DOB, name, address, phone number, details of financial transactions

Gramm-Leach-Bliley Act (GLBA)

• Information security program with a designated employee responsible for it
• Risk assessments to identify risks
• Design and implement safeguards
• Assess safeguards to ensure they function properly and as intended
• Service provider contracts include terms to protect customer information
• Periodic review of the information security policy

Sarbanes-Oxley Act (SOX)

• Requirements for financial and accounting practices of publicly-held companies
 Regulated by the SEC
• Auditor independence
• Corporate governance (oversight), which includes IT
• Internal control assessment (Section 404)
• Enhanced financial disclosure

Sarbanes-Oxley Act (SOX)

• Financial reports, records, and data are accurately maintained
• Transactions are prepared per GAAP rules and properly recorded
• Unauthorized acquisition or use of data or assets that could affect financial statements is prevented or detected in a timely manner
• Records retention

Family Educational Rights and Privacy Act (FERPA)

• Applies to schools receiving federal funds
• Protects students’ education records, including:
 Demographic information
 Address and contact information
 Parental demographic information
 Parental address and contact information
 Grade information
 Disciplinary information

Defense Federal Acquisition Regulation Supplement (DFARS)

Cyber Security and Industrial Control Systems

Importance of Securing Industrial Networks

• The need to improve the security of ICS cannot be overstated.
• Many industrial systems are built using
 legacy devices
 running legacy protocols that have since been adapted to operate over routable networks.
• Before the expansion of Internet connectivity, web-based applications, and real-time business information systems, energy systems were built for reliability and availability, not for confidentiality.
• Physical security was always a concern, but information security was not, because
 the control systems were air-gapped, that is, physically separated, with no common system (electronic or otherwise) crossing that gap.

Before – Air Gap Separation (diagram)

Need to Connect

• The problem is that, however justified or well intended the reasons for connecting were, the air gap shown on the previous slide no longer exists. Why? Because the business information systems mentioned earlier need live process data, and vendors and operators need remote access.
• There is now a path into critical systems, and any path that exists can be found and exploited.

Reality of the Air Gap (diagram)

Red Tiger Research

• Security consultants at Red Tiger Security presented research in 2010 that clearly indicates the state of security in industrial networks.
• Penetration tests were performed on approximately 100 North American electric power generation facilities.
• Results: more than 38,000 security warnings and vulnerabilities.

Foundation to Securing ICS

• Understanding the basic nature of industrial networks, and examining the many regulations and recommendations put forth by NERC, NIST, NRC, ISA, ISO/IEC, and other organizations, is the foundation of industrial network security.
• By evaluating an industrial network, identifying and isolating its systems into functional groups (segmentation), and applying a structured methodology of defense in depth and strong access control, the security of the network as a whole will be greatly improved.

General Terms

• An industrial network is most typically made up of several distinct areas, which are simplified as
 a business network or enterprise
 business operations
 a supervisory network
 and process and control networks

ICS Terms

• SCADA - Supervisory Control and Data Acquisition
• ICS - Industrial Control Systems
• DCS - Distributed Control Systems, also called Process Control Systems (PCS)
• Each area has its own physical and logical security considerations, and each has its own policies and concerns.

Industrial Network vs. Critical Infrastructure

• Industrial Network
 refers to any network operating some sort of automated control system that communicates digitally over a network.
• Critical Infrastructure
 refers to critical network infrastructure, including any network used in the direct operation of any system upon which one of the “critical infrastructures” depends.

Industrial Control Network (diagram)

Critical Infrastructure Examples

• Utilities
 Utilities—water, gas, oil, electricity, and communications
 Financial services (a designated critical infrastructure sector, though not an industrial network)
• Nuclear Facilities
 Nuclear facilities represent unique safety and security challenges
 due to the inherent danger in fueling and operation,
 as well as the national security implications of the raw materials used.

Critical Infrastructure Examples - continued

• Chemical Facilities
 Chemical manufacture and distribution represent specific challenges to securing an industrial manufacturing network.

Standards and Organizations

• Homeland Security Presidential Directive Seven (HSPD-7)
• North American Electric Reliability Corporation (NERC) has created a reliability standard called “Critical Infrastructure Protection” (NERC CIP) and enforces it throughout the United States and Canada.
 The NERC CIP reliability standard identifies security measures for protecting critical infrastructure with the goal of ensuring the reliability of the bulk power system.
 Compliance is mandatory for registered entities that operate the bulk electric system (generation, transmission and control centers above the registration thresholds), not for every small generator.
 Fines for noncompliance can be steep.

Standards and Organizations - continued

• Nuclear Regulatory Commission (NRC)
 The NRC was formed as an independent agency by Congress in 1974.
 The goal: to guarantee the safe operation of nuclear facilities and to protect people and the environment.
 This includes regulating the use of nuclear material, including by-product, source, and special nuclear materials, as well as nuclear power.
 The NRC requires and enforces the cyber security of nuclear power facilities (10 CFR 73.54).
 The NRC is responsible for ensuring the safe use of radioactive materials for beneficial civilian (nonmilitary) purposes by licensed nuclear facilities.
• Ultimately, all other industries rely upon energy to operate, so the security of the energy infrastructure (and the development of the smart grid) impacts everything else; talking about securing industrial networks without talking about energy is practically impossible.

Standards and Organizations - continued

• Homeland Security Presidential Directive Seven (HSPD-7)
 HSPD-7 attempts to distinguish critical from noncritical systems.
 HSPD-7 does not include specific security recommendations,
 relying instead upon other federal security recommendations, such as those by NIST on the security of both enterprise and industrial networks, as well as the Homeland Security Risk-Based Performance Standards used in securing chemical facilities.
 HSPD-7 was superseded by Presidential Policy Directive 21 (PPD-21) in February 2013, which carries the same sector-based approach forward.

Standards and Organizations - continued

• NIST Special Publications (800 Series)
 NIST’s 800 series documents provide best practices and information of general interest to information security.
 All 800 series documents concern information security.
 They should be used as references where applicable.
 Of particular relevance to industrial network security are
 SP 800-53 (“Recommended Security Controls for Federal Information Systems”; current revisions are titled “Security and Privacy Controls for Information Systems and Organizations”)
 SP 800-82 (“Guide to Supervisory Control and Data Acquisition [SCADA] and Industrial Control Systems Security”; later revisions are titled “Guide to Industrial Control Systems (ICS) Security” and, in Rev. 3, “Guide to Operational Technology (OT) Security”)

Standards and Organizations - continued

• Other standards that address security recommendations and best practices:
 Federal Information Security Management Act - FISMA (updated by the Federal Information Security Modernization Act of 2014)
 Chemical Facility Anti-Terrorism Standards – CFATS
 ISA-99 (now published as the ISA/IEC 62443 series)
 ISO 27002

Network Segmentation - Isolation

• The separation of assets into functional groups allows specific services to be tightly locked down and controlled.
• This is one of the easiest methods of reducing the attack surface that is exposed to attackers.
• Simply by disallowing all unnecessary ports and services, we also remove the exposure of every vulnerability, known or unknown, in those services: an attacker who cannot reach a service cannot exploit it, although the vulnerability itself still exists and should still be patched where possible.
• Control communications in both directions through a firewall (a key area): study your network, and write the policy from the flows you actually observe rather than from assumptions.
 Not all threats originate from outside. Open, outbound traffic policies can facilitate an insider attack, enable the internal spread of malware, enable outbound command and control capabilities, or allow for data leakage or information theft.

Network Segmentation - Isolation (diagrams)

Defense in Depth – Provision of Additional Layers of Protection (diagram)

Defense in Depth – Protective Measures (diagram)

Additional Measures

• Additional measures related to access control, each combining user credentials with a second source of context:
 Only allow a user to log in to an HMI if the user has successfully badged into the control room (user credentials combined with physical access controls)
 Only allow a user to operate a given control from a specific controller (user credentials limited within a security group)
 Only allow a user to authenticate during that user’s shift (user credentials combined with personnel management)

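The three measures above all fuse a login with a second source of truth: a badge reader, a security group, a shift roster. The following is an added example, not code from the deck or from any HMI vendor: a policy function that applies all three checks to one login request. The plant model (HMI names, controller names, groups, the 12-hour badge window), the operators and the badge log are hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Assumed plant model (hypothetical names): which controllers each HMI can drive,
# which security group owns each controller, and which room each HMI sits in.
HMI_CONTROLLERS = {"HMI-A": {"PLC-TURBINE-1"}, "HMI-B": {"PLC-PUMP-2"}}
CONTROLLER_GROUP = {"PLC-TURBINE-1": "turbine_ops", "PLC-PUMP-2": "water_ops"}
HMI_ROOM = {"HMI-A": "control-room-1", "HMI-B": "control-room-1"}
BADGE_WINDOW = timedelta(hours=12)  # assumption: a badge-in older than this no longer counts


@dataclass(frozen=True)
class Operator:
    name: str
    groups: frozenset          # security groups the operator belongs to
    shift_start: time
    shift_end: time            # earlier than shift_start for an overnight shift


@dataclass(frozen=True)
class LoginRequest:
    operator: str
    hmi: str                   # HMI the operator is logging in to
    controller: str            # controller the operator wants to operate
    when: datetime


def badged_in(badge_log, operator, room, when, window=BADGE_WINDOW):
    """Physical-access check: the operator's latest badge event for `room` at or
    before `when` must be an entry, and must be no older than `window`."""
    last = None
    for ts, who, where, event in sorted(badge_log):
        if who == operator and where == room and ts <= when:
            last = (ts, event)
    return last is not None and last[1] == "in" and when - last[0] <= window


def on_shift(op, when):
    """Personnel check: is `when` inside the operator's scheduled shift?"""
    t = when.time()
    if op.shift_start <= op.shift_end:
        return op.shift_start <= t < op.shift_end
    return t >= op.shift_start or t < op.shift_end   # shift wraps past midnight


def authorize(req, operators, badge_log):
    """Apply the slide's three checks in order. Returns (allowed, reason)."""
    op = operators.get(req.operator)
    if op is None:
        return False, "unknown operator"
    if req.controller not in HMI_CONTROLLERS.get(req.hmi, set()):
        return False, "controller cannot be operated from this HMI"
    if CONTROLLER_GROUP[req.controller] not in op.groups:
        return False, "operator is not in the controller's security group"
    if not on_shift(op, req.when):
        return False, "outside the operator's shift"
    if not badged_in(badge_log, req.operator, HMI_ROOM[req.hmi], req.when):
        return False, "no current badge-in for the HMI's control room"
    return True, "ok"


# Constructed sample data: two operators and one morning of badge-reader events.
OPERATORS = {
    "alice": Operator("alice", frozenset({"turbine_ops"}), time(6, 0), time(14, 0)),
    "bob": Operator("bob", frozenset({"water_ops"}), time(22, 0), time(6, 0)),
}
BADGE_LOG = [
    (datetime(2024, 3, 4, 5, 50), "alice", "control-room-1", "in"),
    (datetime(2024, 3, 4, 7, 0), "bob", "control-room-1", "in"),
    (datetime(2024, 3, 4, 7, 30), "bob", "control-room-1", "out"),
]
SAMPLE_REQUESTS = (
    LoginRequest("alice", "HMI-A", "PLC-TURBINE-1", datetime(2024, 3, 4, 8, 0)),  # every check passes
    LoginRequest("alice", "HMI-A", "PLC-PUMP-2", datetime(2024, 3, 4, 8, 0)),     # that PLC is not on HMI-A
    LoginRequest("bob", "HMI-B", "PLC-PUMP-2", datetime(2024, 3, 4, 8, 0)),       # bob works nights
    LoginRequest("bob", "HMI-B", "PLC-PUMP-2", datetime(2024, 3, 4, 23, 0)),      # on shift, but badged out at 07:30
    LoginRequest("alice", "HMI-B", "PLC-PUMP-2", datetime(2024, 3, 4, 8, 0)),     # wrong security group
)

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.operator, req.hmi, req.controller, req.when.time(), "->",
              authorize(req, OPERATORS, BADGE_LOG))
```

The order of the checks matters operationally: the cheap, local checks (HMI-to-controller mapping, group membership) run first, and the badge-log query, which in a real deployment is a call to the physical access control system, runs last and only for requests that have already passed everything else.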
Routable and Non-routable

• A routable network
 typically means Ethernet and TCP/IP.
 “Routable” networks also include routable variants of SCADA and ICS protocols that have been modified to operate over TCP/IP, such as Modbus/TCP or ICCP over TCP/IP.
• A non-routable network
 refers to those serial, bus, and point-to-point communication links that utilize Modbus/RTU, point-to-point ICCP, fieldbus, and other networks.
 They are still networks: they interconnect devices and provide a communication path between digital devices,
 and in many cases are designed for remote command and control, so a serial link is not a security boundary by itself.

Routable and Non-routable (diagram)

Assets in Industrial Control Systems

• An asset is a unique device that is used within an industrial control system.
• Assets
 computers, network switches, routers, firewalls, printers, alarm systems, Human–Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and the various relays, actuators, sensors, and other devices that make up a typical control loop.

Assets (as defined by NERC CIP)

• A “cyber asset”
 any device connected via a routable protocol
• A “critical cyber asset”
 a cyber asset whose operation can impact the bulk electric system

Example of Industrial Network Incidents

• In 2000, a disgruntled man in Australia who had been rejected for a government job was convicted of using a laptop and radio transmitter to alter electronic data within sewage pumping stations, causing the release of over two hundred thousand gallons of raw sewage into nearby rivers and parks.

Example of Industrial Network Incidents - continued

• In 2007 came the Aurora Project: a controlled experiment by the Idaho National Laboratory (INL) which successfully demonstrated that a controller could be destroyed via a cyber attack. The vulnerability allowed the attackers, in this case white-hat security researchers at INL, to open and close breakers on a diesel generator out of synch, causing an explosive failure. In September 2007, CNN reported on the experiment, bringing the security of our power infrastructure into the popular media.
• The Aurora vulnerability remains a concern today. Although the North American Electric Reliability Corporation (NERC) first issued an alert on Aurora in June 2007, a few months before CNN’s report, it has since provided additional alerts, as recent as an October 2010 alert that provides clear mitigation strategies for dealing with the vulnerability.

Example of Industrial Network Incidents - continued

• In 2008, the agent.btz worm began infecting U.S. military machines and was reportedly carried into CENTCOM’s classified network on a USB thumb drive later that year. Although the CENTCOM breach, reported by CBS’ 60 Minutes in November 2009, was widely publicized, the specifics are difficult to ascertain and the damages and intentions remain highly speculative.

Example of Industrial Network Incidents - Stuxnet

• The new weapon of cyber war
• Discovered in 2010, it infected industrial control systems.
• After Stuxnet, any speculation over the possibility of a targeted cyber attack against an industrial network has been settled by this extremely complex and intelligent collection of malware.

Example of Industrial Network Incidents – Stuxnet (continued)

• Stuxnet looks for Siemens SIMATIC WinCC and PCS 7 installations, spreading through the hard-coded default credentials of the WinCC SQL database, and then infects connected Programmable Logic Controllers (PLCs) by hijacking the Step 7 engineering software (a replaced communications DLL) so that modified logic and a PLC rootkit are loaded onto the controller, which in turn talks to the drives over the Siemens fieldbus protocol, Profibus.
• Stuxnet then looks for automation devices using a frequency converter that controls the speed of a motor. If it sees a drive operating within a range of roughly 800–1200 Hz, it attempts to sabotage the operation by altering the drive frequency.

Example of Industrial Network Incidents – Night Dragon

• In February 2011, McAfee announced the discovery of a series of coordinated attacks against oil, energy, and petrochemical companies. The attacks, which originated primarily in China, were believed to have begun in 2009, operating continuously and covertly for the purpose of information extraction.
• Night Dragon is further evidence of how an outside attacker can (and will) infiltrate critical systems.
• Although the attack did not result in sabotage, as was the case with Stuxnet, it did involve the theft of sensitive information.

Industrial Network Controls

• Understanding how industrial networks operate requires a basic understanding of the underlying communications protocols that are used, where they are used, and why.
• They are designed for efficiency and reliability to support the economic and operational requirements of large distributed control systems.
• Similarly, most industrial protocols are designed for real-time operation to support precision operations.

Industrial Network Protocols

• For the sake of efficiency, they often do not include security features such as authentication and encryption, both of which require additional overhead.
• To further complicate matters, many of these protocols have been modified to run over Ethernet and Internet Protocol (IP) networks in order to meet the evolving needs of business, potentially exposing these vulnerable protocols to attack.

Industrial Network Protocols

• Industrial network protocols are real-time communications protocols.
• Developed to interconnect the systems, interfaces, and instruments that make up an industrial control system.
• Most were designed initially to communicate serially over RS-232, RS-485, or other serial connections but have since evolved to operate over Ethernet networks using routable protocols such as TCP/IP.

Other Protocols

• Modicon Communication Bus (Modbus)
• Inter-Control Center Communications Protocol (ICCP, also known as TASE.2 or Telecontrol Application Service Element-2, IEC 60870-6)
• Distributed Network Protocol (DNP3)
• Object Linking and Embedding for Process Control (OPC)

MODBUS

• The oldest and perhaps the most widely deployed industrial control communications protocol.
• It was designed in 1979 by Modicon (now part of Schneider Electric), the company that built the first Programmable Logic Controller (PLC).
• Modbus has been widely adopted as a de facto standard and has been enhanced over the years into several distinct variants.

MODBUS - Continued

• Modbus is an application layer messaging protocol, meaning that it operates at layer 7 of the OSI model.
• It allows for efficient communications based on a request/reply methodology.
• It can be used by extremely simple devices such as sensors or motors to communicate with a more complex computer.

MODBUS - Continued (diagram)

MODBUS - Variants

• Modbus RTU
• Modbus ASCII
• Modbus TCP
• Modbus Plus

Security Concerns

• Lack of authentication.
 Modbus sessions only require a valid Modbus address (unit ID) and a valid function code.
 The address can be easily guessed or brute-forced, while function codes are standardized, publicly documented values.
• Lack of encryption.
 Commands and addresses are transmitted in clear text and can therefore be easily captured and spoofed.
• Lack of message checksum (Modbus TCP only).
 A spoofed command is even easier over some implementations of Modbus TCP, as the checksum is generated at the transport layer (TCP), not the application layer: the CRC of Modbus RTU is dropped, and TCP’s checksum only detects accidental corruption, not a deliberately forged frame.

Security Concerns - continued

• Lack of broadcast suppression (serial Modbus variants only).
 All serially connected devices will receive all messages, meaning a broadcast of unknown addresses can be used for effective denial of service (DoS) against a chain of serially connected devices.
• Programmability. By far the most dangerous quality of Modbus, which is shared with many industrial protocols, is that it is intentionally designed to program controllers, and could be used to inject malicious logic into an RTU or PLC.

Modbus TCP (frame diagram)

Modbus – Security Recommendations

• Modbus, like many industrial control protocols,
 should only be used to communicate between sets of known devices,
 using expected function codes; as such, it is easily monitored by establishing clear groupings / separation and
 baselining acceptable behavior (which master talks to which unit ID with which function codes), so that any frame outside the baseline is an alert.

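To show what “known devices, expected function codes, baselined behavior” looks like as a concrete monitoring rule, here is an added example (not from the deck, nor from any vendor or library) that assembles and parses Modbus/TCP ADUs and checks captured requests against an allow-list mapping (source, destination, unit ID) to the function codes that pair is expected to use. It also makes the concerns from the two preceding slides visible in the bytes: the frame carries no credential and no application-layer checksum, so the IP addresses and the function code are the only handles a passive monitor has. The addresses, the baseline and the traffic are constructed for the example.

```python
import struct
from collections import namedtuple

# One captured Modbus/TCP request: IP endpoints plus the TCP payload (the ADU).
Packet = namedtuple("Packet", "src dst payload")

# Function codes grouped by what they do to the controller.
STATE_CHANGING = {5, 6, 15, 16, 21, 22, 23}   # coil / register / file-record writes
RECON = {8, 17, 43}                           # diagnostics, report server ID, read device identification


def build_adu(transaction_id, unit_id, function_code, data=b""):
    """Assemble a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.
    The MBAP length field counts every byte after itself (unit ID + PDU).
    Note what is absent: no credential, no signature, no CRC (Modbus/TCP
    relies on the TCP checksum alone)."""
    pdu = bytes([function_code]) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(payload):
    """Decode an ADU, rejecting frames that are not well-formed Modbus/TCP."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} disagrees with frame ({len(payload) - 6})")
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}


def monitor(packets, policy):
    """Passive allow-list check. `policy` maps (src, dst, unit_id) to the set of
    function codes that pair is baselined to use; anything else is an alert.
    Returns a list of (src, dst, function_code, reason)."""
    alerts = []
    for p in packets:
        try:
            adu = parse_adu(p.payload)
        except ValueError as exc:
            alerts.append((p.src, p.dst, None, f"malformed frame: {exc}"))
            continue
        fc = adu["fc"]
        allowed = policy.get((p.src, p.dst, adu["unit"]))
        if allowed is None:
            kind = "reconnaissance" if fc in RECON else "traffic"
            alerts.append((p.src, p.dst, fc, f"unlisted source: {kind} with function {fc}"))
        elif fc not in allowed:
            kind = "state-changing write" if fc in STATE_CHANGING else "unexpected"
            alerts.append((p.src, p.dst, fc, f"{kind} function {fc} not in baseline for this pair"))
    return alerts


# Constructed sample: hypothetical addresses and a baseline for one PLC (unit ID 1).
HMI, ENG, PLC, ROGUE = "10.1.10.5", "10.1.10.9", "10.1.20.7", "10.1.30.44"
POLICY = {
    (HMI, PLC, 1): {1, 2, 3, 4},          # operator HMI: reads only
    (ENG, PLC, 1): {1, 2, 3, 4, 6, 16},   # engineering workstation: reads plus register writes
}
SAMPLE_TRAFFIC = [
    Packet(HMI, PLC, build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),                    # read 10 holding registers
    Packet(ENG, PLC, build_adu(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x2a")),  # write one register = 42
    Packet(HMI, PLC, build_adu(3, 1, 6, struct.pack(">HH", 0, 0))),                     # HMI attempts a write
    Packet(ROGUE, PLC, build_adu(4, 1, 43, b"\x0e\x01\x00")),                           # read device identification
    Packet(HMI, PLC, build_adu(5, 1, 3, struct.pack(">HH", 0, 10))[:-2]),               # truncated on the wire
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRAFFIC, POLICY):
        print(alert)
```

Because the check is entirely passive, it belongs on a SPAN port or tap in the control network rather than inline; the value is in the baseline itself, which is built from what the segmentation slides call the known device groupings, and in the fact that every alert names a (source, destination, unit ID, function code) tuple an operator can immediately recognise as legitimate or not.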
Ethernet Industrial Protocol – EtherNet/IP

• EtherNet/IP (the “IP” stands for Industrial Protocol, not Internet Protocol) carries the Common Industrial Protocol (CIP) suite over standard Ethernet and TCP/IP to communicate with nodes: TCP and UDP port 44818 for explicit messaging, and UDP port 2222 for implicit I/O.
• Communication is typically
 client/server (explicit messaging over TCP),
 although an “implicit” mode is supported to handle real-time requirements.
• Implicit mode uses connectionless transport, specifically the User Datagram Protocol (UDP) and multicast transmissions, to minimize latency and jitter.

Common Industrial Protocol (CIP)

• CIP uses object models to define the various qualities of a device.
• There are three types of objects:
 Required Objects, which define attributes such as device identifiers, routing identifiers, and other attributes of a device such as the manufacturer, serial number, date of manufacture, etc.;
 Application Objects, which define input and output profiles for devices;
 Vendor-specific Objects, which enable vendors to add proprietary objects to a device.
• Objects (other than vendor-specific objects) are standardized by device type and function, to facilitate interoperability.

Security Concerns

• EtherNet/IP is
 a real-time Ethernet protocol, so
 it is susceptible to any of the vulnerabilities of Ethernet.
• EtherNet/IP over UDP is connectionless, so there is no inherent transport-layer mechanism for reliability, ordering, or data integrity checks.
• CIP also introduces some specific security concerns, due to its well-defined object model.

EtherNet/IP Security Concerns
• CIP does not define any explicit or implicit mechanisms for security (the later, optional CIP Security extension from ODVA is absent from legacy devices).
• The use of common “Required Objects” for device identification can facilitate device identification and enumeration, facilitating an attack: a single ListIdentity request broadcast to UDP port 44818 returns the vendor, product and revision of every EtherNet/IP device on the subnet.
• The use of common “Application Objects” for device information exchange and control can enable broader industrial attacks, able to manipulate a broad range of industrial devices.
• EtherNet/IP’s use of UDP and multicast traffic, both of which lack transmission control, for real-time transmissions facilitates the injection of spoofed traffic or (in the case of multicast traffic) the manipulation of the transmission path using injected IGMP controls.

Security Recommendations

• Because EtherNet/IP is a real-time Ethernet protocol using UDP and IGMP, it is necessary to provide Ethernet- and IP-based security at the perimeter of any EtherNet/IP network.
• It is also recommended that passive network monitoring be used to ensure the integrity of the EtherNet/IP network, ensuring that the EtherNet/IP protocol is only being used by explicitly identified devices and that no EtherNet/IP traffic is originating from an unauthorized, outside source. This can be accomplished using a SCADA-IDS/IPS or other network monitoring device capable of detecting and interpreting the EtherNet/IP protocol.

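The passive monitoring recommended above, written out as an added example (not the deck’s code, nor ODVA’s): it parses the EtherNet/IP encapsulation header, treats the discovery commands (ListIdentity, ListServices, ListInterfaces) from anything other than an engineering workstation as device enumeration, flags any EtherNet/IP or implicit I/O datagram whose source is not in the device inventory, and rejects malformed headers. The host addresses, the inventory and the datagrams are constructed; the command numbers, header layout and port numbers follow the EtherNet/IP specification.

```python
import struct
from collections import namedtuple

ENIP_PORT = 44818   # explicit messaging (TCP and UDP); ListIdentity is broadcast to this UDP port
IO_PORT = 2222      # implicit (class 1) I/O over UDP, frequently multicast

# One captured datagram: IP endpoints, UDP destination port, payload.
Datagram = namedtuple("Datagram", "src dst dport payload")

# Encapsulation commands (subset of the specification).
COMMANDS = {
    0x0000: "NOP", 0x0004: "ListServices", 0x0063: "ListIdentity",
    0x0064: "ListInterfaces", 0x0065: "RegisterSession",
    0x0066: "UnRegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData",
}
DISCOVERY = {0x0004, 0x0063, 0x0064}   # commands that enumerate devices and services


def build_encap(command, data=b"", session=0, context=b"\x00" * 8):
    """24-byte encapsulation header (little-endian): command, data length,
    session handle, status, 8-byte sender context, options; then the data."""
    return struct.pack("<HHII8sI", command, len(data), session, 0, context, 0) + data


def parse_encap(payload):
    """Decode the encapsulation header, rejecting anything that is not well-formed."""
    if len(payload) < 24:
        raise ValueError("shorter than the encapsulation header")
    cmd, length, session, status, _ctx, _opts = struct.unpack("<HHII8sI", payload[:24])
    if cmd not in COMMANDS:
        raise ValueError(f"unknown encapsulation command 0x{cmd:04x}")
    if length != len(payload) - 24:
        raise ValueError(f"length field {length} disagrees with frame ({len(payload) - 24})")
    return {"cmd": cmd, "command": COMMANDS[cmd], "session": session,
            "status": status, "data": payload[24:]}


def monitor(datagrams, authorized, engineering):
    """Passive check of EtherNet/IP traffic. `authorized` is the inventory of hosts
    allowed to speak EtherNet/IP at all; `engineering` is the subset allowed to
    issue discovery commands. Returns a list of (src, dst, command, reason)."""
    alerts = []
    for d in datagrams:
        if d.src not in authorized:
            what = "implicit I/O" if d.dport == IO_PORT else "EtherNet/IP"
            alerts.append((d.src, d.dst, None, f"{what} from host not in inventory"))
            continue
        if d.dport == IO_PORT:
            continue   # implicit I/O has no encapsulation header; the inventory check is what applies
        try:
            msg = parse_encap(d.payload)
        except ValueError as exc:
            alerts.append((d.src, d.dst, None, f"malformed encapsulation: {exc}"))
            continue
        if msg["cmd"] in DISCOVERY and d.src not in engineering:
            alerts.append((d.src, d.dst, msg["command"], "device enumeration from a non-engineering host"))
    return alerts


# Constructed sample: hypothetical addresses for two PLCs, an HMI, an engineering
# workstation and an unknown host.
PLC1, PLC2, HMI, ENG, ROGUE = "10.1.20.10", "10.1.20.11", "10.1.10.5", "10.1.10.9", "10.1.30.44"
AUTHORIZED = {PLC1, PLC2, HMI, ENG}
ENGINEERING = {ENG}
SAMPLE_TRAFFIC = [
    Datagram(ENG, PLC1, ENIP_PORT, build_encap(0x0065, struct.pack("<HH", 1, 0))),  # RegisterSession, protocol version 1
    Datagram(ENG, "10.1.20.255", ENIP_PORT, build_encap(0x0063)),                   # ListIdentity sweep from engineering: expected
    Datagram(HMI, "10.1.20.255", ENIP_PORT, build_encap(0x0063)),                   # the same sweep from the HMI: not expected
    Datagram(ROGUE, PLC1, ENIP_PORT, build_encap(0x0063)),                          # unknown host probing a PLC
    Datagram(ROGUE, "239.192.1.3", IO_PORT, b"\x02\x00" + b"\x00" * 14),            # spoofed I/O into a multicast group
    Datagram(PLC2, HMI, ENIP_PORT, build_encap(0x0070, b"\x00" * 16)[:-4]),         # truncated SendUnitData
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_TRAFFIC, AUTHORIZED, ENGINEERING):
        print(alert)
```

The inventory check runs before the header is parsed on purpose: a host that is not supposed to exist on the control network is an alert regardless of whether its datagram decodes, and implicit I/O datagrams never carry an encapsulation header to decode in the first place.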
Final Recommendations

• Monitor your network, including ICS traffic
• Create a baseline of normal traffic and behavior
• Security awareness program
• Network isolation (segmentation)
• Firmware updates (very challenging: test them first, schedule them with operations, and apply only those the vendor has qualified for the device)
• IDS/IPS
• Test network (pentesting): never on the production network

Final Recommendations - continued

• Failsafe
• Apply forensics if needed
• Implement security best practices
• Connect with others who are experts in the field