"What?

You didn't know Computers Control you? / ICS and SCADA"

March 2, 2015
Start Time: 9am US Pacific / 12 noon US Eastern / 5pm London Time

Sponsored by:

#ISSAWebConf

Welcome
Conference Moderator

James McQuiggan, CISSP
Program Manager, NERC CIP, Siemens

Speaker Introduction
Del Rodillas - ICS & SCADA Solution Lead, Palo Alto Networks
Mario Chiock - CISSP, CISM & CISA, API Chair Security Sub-Committee
Dr. Stefano Zanero, PhD - International Director, ISSA; Chairman, Secure Network

Remember to type in your question in the Chat area of your screen. You may need to click on the double arrows to open this function.

Exposing Common Myths Around


Cyberthreats to SCADA and ICS

Del Rodillas
ICS & SCADA Solution Lead
Palo Alto Networks

Webinar Goals
Shed light on prevailing ICS cybersecurity myths
Real-world examples to highlight the real risks
Present some good practices and technologies to better secure ICS
Basic block-and-tackle concepts
Next-generation technologies for better defense-in-depth

Myth #1
ICS cyber incidents haven't damaged critical infrastructure
~400 incidents world-wide
Most unintentional
Some malicious attacks
Impacts range from trivial to major outages to equipment damage to deaths
Most not identified as cyber
German Steel Factory Cyberattack
Involved spear phishing and sophisticated social engineering techniques to access the business network, then pivot into the plant
Evidence of the attackers' strong knowledge of IT security and industrial control systems
After the attack, individual components or even entire systems started to fail frequently
One of the plant's blast furnaces could not be shut down in a controlled manner, which resulted in massive damage to the plant.

Blast Furnace

Myth #2
You can air-gap industrial control systems
[Diagram: the Industrial Control System connected to 3rd Party Support, the Business Network, Partners and Other Plants/Facilities]
Myth #3
External, malicious threats are the only concern
[Diagram: the Industrial Control System exposed to Malicious Insider Attacks and Unintended Cyber Incidents]
The Real World View
Examples
Insider attack - Maroochy Shire wastewater spill
Nation-state cyber attack - Stuxnet
Unintended cyber incident - San Bruno natural gas pipeline rupture
Key Points
Visibility and segmentation are key
Both for external and internal traffic
Security Checklist
Create security zones vs. just having a single, flat network
Apply a zero-trust approach with all sources of traffic,
external or internal
Assume a least-privilege approach to network access
control
Audit all traffic to ensure proper use or to detect
anomalous use
Use technologies that allow you to have the proper
visibility and control


Myth #4
Firewalls are all you need to be secure
[Diagram: the ICS connected to 3rd Party Support, the Business Network, Partners and Other Plants/Facilities]
Myth #5
VPN/Encryption technology makes me secure
[Diagram: the ICS connected over VPN to 3rd Party Support, the Business Network, Partners and Other Plants/Facilities]
The Real World View
Telvent breach
Many asset owners had a VPN connection to Telvent, putting their ICS networks at risk
Legacy firewalls are no longer adequate for the new threat landscape
Port & IP based access controls
No deep packet inspection
VPNs give you a false sense of security
Security Checklist
Employ appliances with must-have capabilities, e.g. next-generation firewalls
Protocol and application control
ICS-specific intrusion detection/prevention
Anti-virus and anti-spyware
User / user-group based controls
Ability to inspect and secure traffic within VPNs
Pick a platform that provides sufficient throughput/performance when security functions are turned on
Select a platform that also simplifies the administration of these capabilities and analysis of the information
Single pane of glass management
Single policy for all capabilities
Myth #6
Securing IT is the same as securing OT
[Diagram: a Security Admin facing OT Security and an Industrial Control System, with a question mark]
Availability & safety trump cybersecurity
Infrequent patching & AV updates
Industrial control protocols
HMIs, DCS, PLC, RTU
Default passwords
No port/vulnerability scanning
Myth #7
We know what threats to ICS look like

Threat          Capability
BlackEnergy     Exploits multiple ICS vendor products
Energetic Bear  Trojan in ICS software; utilizes ICS protocols
Stuxnet         Exploits Siemens vulnerability
The Real World View
Unpatched/Unpatchable systems
ICSs are very vulnerable to malware and exploits due to infrequent updating of patches and AV/exploit signatures
Need a better way to secure these systems
Advanced Threats
Threats are constantly evolving and it is difficult to predict what the next advanced threat will do as far as attack methodologies
It is important to have technologies to detect and stop zero-day threats at the network and endpoints (HMI, server, workstation)
Security Checklist
Deploy a defense-in-depth approach to protect unpatched systems
Apply network IPS/AV to stop known exploits & malware
Apply network sandboxing to detect & stop network-borne, zero-day malware
Make sure the solution supports local creation of protections (AV, URL/DNS signatures)
At the endpoints themselves, use a non-signature based approach to stop zero-day exploits & malware
Consider the more effective technique-based approach
Develop clear ICS usage policies and utilize granular traffic visibility to detect anomalies, if technologies do not detect threats
Other Myths
Myth #8 - Compliance to cyber regulations equals security
Myth #9 - Each industry requires a different approach
Myth #10 - If we keep our heads down, they won't find us
Palo Alto Networks Security Platform
[Diagram: Threat Intelligence Cloud, Next-Generation Firewall and Traps endpoint protection, labelled Natively Integrated, Automated, Extensible; Cloud, Network, Endpoint]

Threat Intelligence Cloud
Gathers potential threats from network and endpoints
Analyzes and correlates threat intelligence
Disseminates threat intelligence to network and endpoints

Next-Generation Firewall
Inspects all traffic
Blocks known threats
Sends unknown to cloud
Extensible to mobile & virtual networks

Traps - Advanced Endpoint Protection
Inspects all processes and files
Prevents both known & unknown exploits
Integrates with cloud to prevent known & unknown malware

2014, Palo Alto Networks
Palo Alto Networks Security Platform

Threat Intelligence Cloud
Available as a local-cloud which sandboxes threats and generates protections onsite
Identify network-borne, zero-day attacks in as little as 5 minutes

Next-Generation Firewall
Control ICS protocols and applications
Apply role-based access control
Stop ICS protocol and product exploits, ICS-specific malware and CNC traffic
High-performance, high-availability

Traps - Advanced Endpoint Protection
Protect unpatched endpoints from malware and exploits, even zero-days
Prevent unauthorized installation of software at endpoints
Learn More
Whitepapers
Defining the 21st Century ICS Cybersecurity Platform
https://www.paloaltonetworks.com/resources/whitepapers/21-century-cybersecurity-protection-platform-ics.html
Palo Alto Networks Security Platform for ICS
https://www.paloaltonetworks.com/resources/whitepapers/enterprise-security-platform-critical-infrastructure.html

Webinars
Network Segmentation for ICS
http://connect.paloaltonetworks.com/scada
Grid Security/NERC CIP
http://connect.paloaltonetworks.com/energy-sec-ondemand
Question and Answer
Del Rodillas
ICS & SCADA Solution Lead
Palo Alto Networks

#ISSAWebConf

Thank you!

Del Rodillas
ICS & SCADA Solution Lead
Palo Alto Networks

"What? You didn't know Computers Control you?


ICS and SCADA"

Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee

Webinar Goals
ICS & SCADA have no security by default
ICS & SCADA challenges
Recommendations to reduce risk

Where do we use ICS and SCADA ?


Why do we need Control Systems ?


Think Automation !
Manages, Commands, Directs or regulate behavior of
devices or systems.

What is ICS ?
Industrial Control Systems -> Automation for physical
process

What is SCADA ?
Supervisory Control and Data Acquisition

What is DCS ?
Distributed Control System

SCADA systems
Human-Machine Interfaces (HMI) - touch screens or panels with buttons for people
Programmable Logic Controllers (PLC) - watching the system and making routine decisions
Remote Terminal Units (RTU) - reading sensors and controlling valves and switches
Sensors - Valves - Switches

Common protocols and ports
Modbus (port 502)
BACnet (port 47808) - HVAC, PACS, CCTV
DNP3 (port 20000)
EtherNet/IP (TCP 44818 / UDP 2222)
Niagara Fox (ports 1911 and 4911)
IEC 60870-5-104 (port 2404)
Red Lion (port 789)
Siemens S7 (port 102)
KNXnet/IP (port 3671)

Modbus
Oldest ICS protocol
Controls I/O interfaces (mostly!)
No authentication or encryption! (Surprise!)
No broadcast suppression
Vulnerabilities are published
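An added example, not from the slides: Python that builds and parses Modbus/TCP request frames with the standard library. It shows concretely what "no authentication" means for this protocol: the MBAP header and PDU carry a transaction id, unit id, function code and data, and nothing else, so a well-formed Write Single Coil from any host on the network is, at the protocol level, indistinguishable from a legitimate one. The frames below are constructed for the example, not captured traffic.

```python
"""Added example (not from the webinar): build and parse Modbus/TCP frames.

MBAP header (7 bytes): transaction id, protocol id (always 0), length, unit id.
PDU: function code (1 byte) + data. No credential, signature or nonce exists
anywhere in the frame, so a device speaking plain Modbus/TCP accepts any
correctly formed request from any sender.
"""
import struct

MODBUS_TCP_PORT = 502
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}  # write coil(s) / register(s)


def build_frame(transaction_id: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """MBAP header + PDU. The length field counts unit id plus PDU bytes."""
    pdu = struct.pack(">B", function_code) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    return build_frame(tid, unit, FC_READ_HOLDING_REGISTERS, struct.pack(">HH", start, count))


def write_single_coil(tid: int, unit: int, address: int, on: bool) -> bytes:
    # Modbus encodes coil ON as 0xFF00 and OFF as 0x0000.
    value = 0xFF00 if on else 0x0000
    return build_frame(tid, unit, FC_WRITE_SINGLE_COIL, struct.pack(">HH", address, value))


def parse_frame(frame: bytes) -> dict:
    """Parse a Modbus/TCP request; raise ValueError on a malformed frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes")
    fc = frame[7]
    return {
        "transaction_id": tid,
        "unit_id": unit,
        "function_code": fc,
        "is_write": fc in WRITE_FUNCTIONS,
        "is_exception": bool(fc & 0x80),
        "data": frame[8:],
    }


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def describe(frame: bytes) -> str:
    """One-line summary of the kind a monitoring tool would log."""
    f = parse_frame(frame)
    kind = "WRITE" if f["is_write"] else "read"
    return f"unit {f['unit_id']} fc=0x{f['function_code']:02x} {kind} data={f['data'].hex()}"


if __name__ == "__main__":
    # Constructed frames: a benign poll and a coil write. Nothing in either
    # frame identifies or authenticates the sender.
    print(describe(read_holding_registers(1, 1, 0, 10)))
    print(describe(write_single_coil(2, 1, 7, True)))
```

Because the only fields a device checks are structural (protocol id and length), the practical defence is outside the protocol: restrict who can reach port 502 at all, and alert on write function codes from any source that is not the historian or HMI expected to issue them.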

BACnet
Commonly used for Building Automation
No authentication
No encryption
No access rights


DNP3 - Distributed Network Protocol
DNP3 has no security
Secure DNP3 adds:
User & device authentication
Integrity protection
Spoofing protection
Replay protection
Protection against eavesdropping on exchanges of cryptographic keys only, not on other data
It does not encrypt the messages, but does use shared-key encryption to keep session keys secure.
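To make the distinction on this slide concrete (authentication and replay protection without message encryption), here is an added Python model. It is not from the slides and it is not an implementation of the DNP3 Secure Authentication specification: the outstation issues a random challenge, the master answers with an HMAC-SHA256 over challenge plus command under a shared session key (assumed here to have been distributed out of band), and the outstation rejects a bad tag, a reused challenge and a modified command. The command bytes themselves travel in clear text, which is exactly the property the slide describes.

```python
"""Added example (not from the webinar, not the DNP3-SA spec): challenge-response
authentication of a clear-text control command with HMAC-SHA256.

What it gives: the outstation knows the command came from a holder of the key
(authentication), was not altered in transit (integrity), and is not a replay of
an earlier capture (each challenge is accepted once).
What it does not give: confidentiality. Anyone on the wire reads the command.
"""
import hashlib
import hmac
import os


class Outstation:
    def __init__(self, session_key: bytes):
        self._key = session_key            # assumption: pre-shared out of band
        self._outstanding: set[bytes] = set()
        self._used: set[bytes] = set()
        self.applied: list[bytes] = []     # commands actually executed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def submit(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        # Reject unknown or already-consumed challenges before any cryptography.
        if nonce not in self._outstanding or nonce in self._used:
            return False
        expected = hmac.new(self._key, nonce + command, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, tag)
        self._outstanding.discard(nonce)   # a challenge is single-use, pass or fail
        self._used.add(nonce)
        if ok:
            self.applied.append(command)
        return ok


class Master:
    def __init__(self, session_key: bytes):
        self._key = session_key

    def respond(self, nonce: bytes, command: bytes) -> bytes:
        """Tag binds the fresh nonce to the exact command bytes."""
        return hmac.new(self._key, nonce + command, hashlib.sha256).digest()


def run_exchange(key_master: bytes, key_outstation: bytes, command: bytes,
                 replay: bool = False) -> tuple[bool, bool]:
    """One authenticated command; returns (accepted, replay_accepted)."""
    out, master = Outstation(key_outstation), Master(key_master)
    nonce = out.challenge()
    tag = master.respond(nonce, command)
    accepted = out.submit(nonce, command, tag)
    replay_accepted = out.submit(nonce, command, tag) if replay else False
    return accepted, replay_accepted


def tamper_detected(key: bytes, command: bytes, tampered: bytes) -> bool:
    """An on-path attacker can read and rewrite the command but cannot re-tag it."""
    out, master = Outstation(key), Master(key)
    nonce = out.challenge()
    tag = master.respond(nonce, command)
    return not out.submit(nonce, tampered, tag)


if __name__ == "__main__":
    key = os.urandom(32)
    cmd = b"OPERATE breaker 7 TRIP"   # constructed clear-text command
    print("genuine:", run_exchange(key, key, cmd, replay=True))
    print("tamper detected:", tamper_detected(key, cmd, b"OPERATE breaker 9 TRIP"))
```

The replay check works because the outstation forgets a challenge the moment it is answered; the integrity check works because the tag covers the command bytes. Neither check hides the command, so an eavesdropper still learns which breaker is being tripped.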

KNX Building Control System

Learn How to Control Every Room at a Luxury Hotel


https://www.blackhat.com/us-14/speakers/Jesus-Molina.html

Tools
Shodan - http://www.shodanhq.com/
Redpoint - Digital Bond's ICS Enumeration Tools - https://github.com/digitalbond/Redpoint
Snort Quickdraw - http://www.digitalbond.com/tools/quickdraw/download/
Nessus SCADA Plugins
http://www.tenable.com/plugins/index.php?view=all&family=SCADA
http://www.digitalbond.com/tools/the-rack/nessus/
Wireshark

Map of Industrial Control Systems on the Internet


ICS & SCADA Challenges
Designed with no security
Clear text transmissions
Patching (firmware update)
Remote locations
Remote access requirements
Exposed to public networks
Unable to pen-test in production
No time for remediation
Standardization
Shared accounts or no authentication
Connecting IT & OT
Downtime for maintenance
Skill set proficiency
Vulnerability tracking
Unsupported OS

Ingredients to attack SCADA systems
Access
Skills and expertise
Knowledge of the process & facility

Recommendations to reduce risk


Network Segmentation & NGFW filtering
Application White listing
Data Diodes
Incident response preparedness
Build SCADA/ICS Cyber-Security Skill set
NIST Framework


Network segmentation & protocol filtering (zero-trust)
Reduce attack surface
Isolate the ICS network
[Diagram: Sensors - Control - Processing]
Use a NGFW to filter protocols as well as users / devices
Use site-to-site VPN to tunnel traffic (encrypt traffic)
VPN to access the ICS / SCADA network
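As an added example, not from either presenter's slides, here is the zone-based, deny-by-default policy that Del Rodillas' security checklist earlier in the deck and this slide both describe, run over constructed flow records in Python. The zone names, address ranges and allow-list are hypothetical; the point is that a business workstation or a vendor VPN host reaching a PLC on Modbus/TCP port 502 is flagged even though the traffic is "internal".

```python
"""Added example (not from the webinar): a toy zone-based, least-privilege
policy check over constructed flow records. Zones replace the flat network,
every source (internal or external) is denied unless explicitly allowed, and
the audit output is the list of flows a reviewer should look at.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zones and address ranges for the example.
ZONES = {
    "business": ip_network("10.1.0.0/16"),
    "ics_dmz": ip_network("10.2.0.0/24"),
    "control": ip_network("192.168.10.0/24"),
    "vendor_vpn": ip_network("172.16.50.0/24"),
}

# Allow-list of (src_zone, dst_zone, dst_port, proto). Anything not listed is
# denied, whether it originates inside or outside the plant.
ALLOW = {
    ("ics_dmz", "control", 502, "tcp"),      # DMZ historian/HMI polls PLCs over Modbus/TCP
    ("business", "ics_dmz", 443, "tcp"),     # business users reach the DMZ historian only
    ("vendor_vpn", "ics_dmz", 3389, "tcp"),  # vendor support lands on a DMZ jump host
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything unmapped is 'unknown' and never allowed."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Deny is the default."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    key = (src_zone, dst_zone, flow.dst_port, flow.proto)
    if key in ALLOW:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dst_port} permitted"
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dst_port} not in allow-list"


def audit(flows):
    """Audit a batch of flows; return only the denied ones for review."""
    return [(f, reason) for f in flows for verdict, reason in [evaluate(f)] if verdict == "deny"]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "192.168.10.5", 502, "tcp"),    # DMZ historian -> PLC: expected
    Flow("10.1.7.22", "192.168.10.5", 502, "tcp"),    # business workstation -> PLC: violation
    Flow("172.16.50.9", "192.168.10.5", 502, "tcp"),  # vendor VPN straight to PLC: violation
    Flow("10.1.7.22", "10.2.0.10", 443, "tcp"),       # business -> DMZ web: expected
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}: {reason}")
```

On a real NGFW the same idea is expressed as zone-to-zone rules keyed on the ICS application rather than only the port; the logic above is the minimum any such policy has to get right: deny by default, and treat the business network and the vendor VPN as untrusted sources toward the control zone.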

Application White Listing (AWL)
AWL is a protection mechanism for servers / stations that prevents non-authorized executables from being started.
It acts at the moment an executable is started, whether by a user, another program or malware. So it blocks malware from downloading code and launching it.
Some AWL solutions have enhanced their products with resource and device protection functions, such as memory protection, registry protection and USB device protection.

Data Diodes
Also known as a unidirectional network or unidirectional security gateway.
Data diodes ensure the safety of sensitive information within a network by creating a physical barrier that only allows data transfers in one direction (hence the "uni" in unidirectional). We can enhance security in one of two ways:
Write only
Read only

Incident response preparedness & drills
Prepare for the worst
Perform drills
Update plan

Build SCADA/ICS Cyber-Security Skill set
Most technical staff are trained to ensure resiliency, not security
Add security to the technical competency
SANS - ics.sans.org
Exchange with network security & end-point security
Training available through ICS-CERT
https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT

ICS-CERT & Tools


Join ICS-CERT - https://ics-cert.us-cert.gov/
Use the Cyber Security Evaluation Tool (CSET)
https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET

Cybersecurity Tabletop Exercise


http://www.chemicalcybersecurity.org/Cybersecurity-Tabletop-Exercise.zip

Procurement Language
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/SCADA_Procurement_Language.pdf

Training Available Through ICS-CERT
https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT

Summary
Incident Response - Cyber Threat Essentials
Information Sharing
ICS-ISAC, ES-ISAC, ONG-ISAC
InfraGard (US)
Engage with FBI, DHS
Invest in Preparedness
Prepare for the worst
Desktop exercise
Lessons learned
Network Segmentation & Application white listing are key
Build Cyber-Security Skill set
Training
Network with peers
Adopt best practices
Everyone must be responsible & accountable for cyber-security
Adopt the safety culture into cyber-security
IT & OT need to work together
Additional Documentation / References
NIST - Guide to Industrial Control Systems (ICS) Security - Special Publication 800-82
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
https://scadahacker.com/library/
http://www.digitalbond.com/
Question and Answer
Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee

#ISSAWebConf

Thank you!

Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee

Security Testing the SCADA/ICS World

Dr. Stefano Zanero, PhD
International Director, ISSA
Chairman, Secure Network

SCADA-ICS Security
The original sin
SCADA/ICS Security
For years SCADA/ICS systems relied on security
through obscurity
Industrial systems, which have been designed and
intended to be alone, became magically connected to
the world
No perception of modern security threats and risks,
from both SCADA vendors and end consumers


SCADA/ICS Assessment - The Ecosystem


Security Assessment with SCADA/ICS
Still, the pentesting goal is data: SCADA/ICS environments include critical assets and information
Project plans, secret chemical formulas, etc.
Slight differences with IT networks and systems in the modus operandi
Most of the time no testing or quality environments are available
Need for testing methodologies that minimize (nullify):
Interruptions of the industrial production process
Damage to industrial plants, processes and raw materials
Disasters that may affect people's safety

Security Assessment with SCADA/ICS
Opting for a white or grey box assessment strategy
Horizontal security analysis is completed with vertical exploitation on pre-defined targets
Generalizing, we still have to:
Hack into web interfaces
Exploit application or network service issues
Bypass authorization/authentication mechanisms
Reverse engineer embedded device firmware
Step 1 - Attacking the Corporate Network
[Diagram: Corporate Network]

Attacking the Corporate Network
Scenario-driven attacks
Corporate networks are likely to have been assessed before but... context-specific attack scenarios should be carefully evaluated
Verify proper network segregation between the corporate and SCADA network - can we jump into the SCADA network from the corporate one?
Network attacks against corporate employees that are authorized to access the SCADA network or systems
e.g. abusing whitelisted workstations as a bridge to the SCADA network
Generalizing: can we somehow gain unauthorized access to the SCADA network?

Step 2 - Attacking the SCADA Network
[Diagram: SCADA Network]

Attacking the SCADA Network
Again, scenario-driven attacks
Simulating attacks from malicious employees
Simulating attacks against legitimate employees
Vulnerability research on adopted software solutions
Production systems testing should be carefully supervised by personnel or operators
A Point of Contact (PoC) should be available in order to handle any incidents
Exploitation of vulnerabilities must be specifically authorized and monitored by the Customer

Step 3 - PLC/RTU Devices Testing
[Diagram: PLC/RTU Devices]

PLC/RTU Devices Testing
In-lab device testing (if available)
Devices are often considered out of scope, despite being critical elements in the ICS ecosystem
Custom protocol reversing and fuzzing
Testing on the production environment is usually avoided or explicitly denied
A crash or generic fault on production systems could have unpredictable impact on people's safety

Step 4 - Policies and Procedures Review
Targeting non-technological issues
Identify process-related security weaknesses
Focus on SCADA/ICS systems management

SCADA Top 10 Security Risks
Security through obscurity
Unpatched or unsupported (operating) systems
Authentication and authorization issues
Transport layer insecurity
Input validation issues
Lack of proper security policies
Network isolation and/or segregation
Default or weak configuration
Lack of accountability
Availability issues - Denial of Service (DoS)

Statistics from the Trenches


Conclusions
ICS are critical, vulnerable, exposed
Identifying their weaknesses is paramount
Security testing can be done safely
Specific methodologies and expertise are needed
Thanks for your attention! Get in touch: @raistolo or s.zanero@securenetwork.it

Question and Answer
Dr. Stefano Zanero, PhD
International Director, ISSA
Chairman, Secure Network

#ISSAWebConf

Thank you!

Dr. Stefano Zanero, PhD
International Director, ISSA
Chairman, Secure Network

Open Panel with Audience Q&A

Del Rodillas
ICS & SCADA Solution Lead
Palo Alto Networks

Mario Chiock
CISSP, CISM & CISA
API Chair Security Sub-Committee

Dr. Stefano Zanero, PhD
International Director, ISSA
Chairman, Secure Network

#ISSAWebConf

Closing Remarks
I would like to thank Del, Mario and Stefano for lending their time and expertise to this ISSA Educational Program.
Thank you to Palo Alto Networks for sponsoring this webinar.
Thank you Citrix for donating the Webcast service.

CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz.
After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.

On-Demand Viewers Quiz Link
http://www.surveygizmo.com/s3/2032246/ISSA-Web-Conference-Mar-2-2015-What-You-didn-t-know-Computers-Control-you-ICS-and-SCADA

#ISSAWebConf
