Your SlideShare is downloading. ×
Securing control systems v0.4
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Securing control systems v0.4

767
views

Published on

An introduction to Security in Control Systems. …

An introduction to Security in Control Systems.
Includes a brief description of what a Control System is, and what the basic constraints that are encountered when attempting to secure these systems

Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
767
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
59
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Talk briefly about the different types of control systems, and w
  • A quick review of the sensitivities that Control Systems have to Impact & Change
  • Firewalls, IPS, Anti-Virus, Structural Separation,
  • See StuxNet & the public knowledge/understanding of attacks against Firmware. How safe is YOUR firmware library
  • Transcript

    • 1.
        Securing Control Systems
        An introduction to security techniques for use in Control System Networks
    • 2.
        Introduction
      Crispin Harris Security Specialist [email_address] 10 th May, 2010
    • 3.
        Overview
      Part 1 – Understanding
      • What is a Control System?
      • 4. Why they are different?
      • 5. Key attributes
      • 6. Understanding the risks
      Part 2 – Protection
      • Design & Network
      • 7. Hosts & Operating Systems
      • 8. Applications & Vendors
      • 9. Vulnerability Management
      Part 4 - Summary
      • Review & summary
      • 10. Web Resources
      • 11. Aus Gov Resources
      • 12. US Gov Resources
      Part 3 – Governance
      • Policy & Process
      • 13. (Penetration) Testing
      • 14. Vendor Relationships
      • 15. Information/Software stores
    • 16.
        Learning Objectives
      Be able to identify:
      • Key attributes of a Control System
      • 17. Strengths and weaknesses of normal CS design
      • 18. Useful non-technical controls
      • 19. Safe & useful technical controls
      Be able to
      • Find further resources
      But most importantly: Be able to
      • Knowledgeably discuss Control System security
    • 20. Intro to Control Systems Security PART 1 – UNDERSTANDING CONTROL SYSTEMS
    • 21. What is a Control System? A Control System is any computerised or automated system that is used to control, monitor, support or operate a known process. Most Control Systems manage an Industrial Process such as:
      • Manufacturing, Energy, Water, Gas,
      But they are also found where other repeatable processes occur:
      • Rail & Air Transportation, Healthcare, Finance,
      • 22. Road Infrastructure, Fleet Management, etc
    • 23.
        What is a “Control System”?
      A “Control System” (“Industrial Control System”) is an umbrella term that refers to a broad set of control systems. These include:
      • SCADA (Supervisory Control and Data Acquisition)
      • 24. DCS (Distributed Control System)
      • 25. PCS (Process Control System)
      • 26. EMS (Emergency Management System)
      • 27. AS (Automated System)
      • 28. SIS (Safety Instrumentation System)
      And any other automated control system.
    • 29.
        Why are ICS networks special?
      Control Systems are designed to provide day-in, day-out management of a well known process. The integrity and continued operation of this process frequently has key safety or financial impact. Control Systems need:
      • INTEGRITY
      • 30. AVAILABILITY
      And a bit of:
      • CONFIDENTIALITY
    • 31.
        Attributes of ICS networks
    • 40. Control System Risks Operator Controls
      • Loss of Control
      • 41. Loss of View
      Historical Data Insults to the System Insults to the data Generated by the system, and USED by the business
    • 44.
        ICS Weaknesses
      • Well Known and stable operation
      • 45. VERY few changes
        • Un-patched, un-managed Operating Systems
        • 46. 10-year-old (or more) devices w/ Embedded OS
      • Fragile devices that are very sensitive to change
      • 47. Design assumptions have proved inaccurate
      • 48. Networks already experience many transient failures
      • 49. Custom or insecure network protocols
      • 50. Immature network tunnelling/bridging techniques.
    • 51.
        ICS Strengths
      • VERY FEW changes
      • 52. Well Known & Stable operation
      • 53. Custom/Uncommon software
      • 54. Generally well documented
      • 55. “Isolated” Networks
      • Anomalous Activity Detection
      • 56. Gateway Access Controls
    • 57.
        Historical Assumptions
      Some (one) key historical assumptions underpin the current situation: Isolated network environment
      • Devices Work – but only just.
        • may not be not RFC Compliant
      • Network is ISOLATED & not attackable
        • thus not defended or updated
      • Network is resilient to (many) individual faults & failures.
    • 58. Intro to Control Systems Security PART 2 – PROTECTIONS FOR CONTROL SYSTEMS
    • 59.
        What can we do?
      It's all about: We constantly All the standard security tools, processes and concepts apply. Security is a Process not a Product
    • 64. Protections - People All the 'standard' People and Personnel controls for working in sensitive areas apply in Control Systems. The Big Stuff: Get buy-in for security from Control System owners or senior executive . Small Stuff:
      • Most Operators are NOT “IT People”.
      • 65. Give them somewhere 'safe' to play.
      • 66. Already have a “safety culture”. Add “systems security increases your safety”.
      • 67. Operators know how their systems work.
    • 68. Protections - Process Regular Liaison with key stakeholders: Relationships can make or break your systems Reporting & Monitoring
      • System Monitoring
      • 71. Incident & Anomaly Reporting
    • 72.
        Software & Vulnerability Management
      (Try to) Ensure products are up-to-date
      • Vendor Patches & Updates
      • 73. Related & Ancillary packages
      • 74. Operating System Updates
    • 75. Protections – Technical Defence in Depth
    • 76.
        Protections - Network Separation
      Network Separation
      • Increases attack complexity
      • 77. Increases time-to-compromise
      • 78. Decreases vulnerable devices at each step
      • 79. Isolates fragile devices
      • 80. Not applicable on some older legacy networks
      • 81. Difficult to retro-fit
    • 82.
        Protections - Network Access Control
      Many protections can be implemented in the network infrastructure – both at the transition points and on the network fabric. Ingress/Egress Controls
      • Routing & Access Lists
      • 83. Gateway Firewalls
      Network Fabric
      • Switch-port access controls
      • 84. ARP security
    • 85.
        Protections – Host-based Controls
      Host-based controls can be contentious.
      • Anti-Virus & Anti-Malware
      • 86. File Integrity Checking
      • 87. Process Privilege Escalation
      • 88. Host-Based IPS
      • 89. Host Firewalls
      • 90. Host Authentication (Active Directory)
      • 91. Centralised Logging
    • 92.
        Protections - Applications
      Recent high-publicity events have highlighted application-based weaknesses & vulnerabilities.
      • Plain-text passwords if they exist at all
      • 93. Default database/application/server passwords
      • 94. Vulnerable web services
      • 95. “Private” software is publicly available
        • pentesters/attackers can download demo from the web to attack your “secure because it is obscure” system.
    • 96. Intro to Control Systems Security
        PART 3 - GOVERNANCE & REVIEW
    • 97.
        Policy & Process
      Key policy Documents
      • Acceptable Use Policy
      • 98. Network Access Control Policy
      • 99. 3 rd Party access and Remote Access Policies
      • 100. Software & Vulnerability Management Policy
      Key Processes
      • Software/Patch Management
      • 101. Change Management
    • 102. Compliance & Audit Compliance Audits are your KEY tool for ongoing safety/assurance of these networks!
      • Determine an appropriate standard / policy set.
      • Perform policy/standard audit of processes and controls
        • Cyber Security Evaluation Tool (CSET)
        • 105. Router/Switch/Firewall configuration Audit
    • 106.
        Testing Control System Security
      • ICS Penetration Testing
        • Australian and International resources available. A VERY specialised area.
      • Internal/amateur vulnerability testing
        • It is suggested that this NOT be performed on your production network
      Other practices include:
      • Network Sniffing,
      • 107. Configuration Testing &
      • 108. Gateway traffic analysis
    • 109.
        Protecting Secondary Information
      • Software Library
      • Operators Manuals
      • 112. Authentication Systems (AD, LDAP, DB etc)
    • 113. Intro to Control System Security
        PART 4 – WRAP-UP
    • 114.
        Summary
      • Integrity vs. Confidentiality
      • 115. Network Separation
      • 116. Network Modelling &
      • 117. Network Anomaly Detection & IDS
      • 118. Testing (Penetration & Compliance)
      • 119. Auditing (Policies, Controls & Processes)
      • 120. Stay (as) current (as you can be)
    • 121. Standards & Guides
      • ANSI/ISA95 – Enterprise-Control System Integration, Part 1: Models and Terminology
      • 122. NIST SP 800-82 – Guide for Industrial Control Systems (ICS) Security
      • 123. NERC CIP-002-3 to CIP-009-3
        • NERC CIP standards provide a cyber security framework for the identification and protection of Critical Cyber Assets
      • ISA TR99.00.02 – Integrating Electronic Security into the Manufacturing and Control Systems Environment
      • 124. DHS CSSP - Control Systems Defence in Depth Strategies
      • 125. http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
    • 126.
        Resources
      Australian Resources
      • CERTAustralia
      • 127. Department of Broadband, Communication and the Digital Economy
      • 128. Department of the Attorney General
      • 129. Control System Pen-Testing companies
      International Resources
      • US CERT Control Systems Security Program
      • 130. US Department of Homeland Security & US Department of Energy
      • 131. UK Centre for the Protection of National Infrastructure
    • 132.
        Web Resources
      Australia
      • CERTAustralia http://govcert.gov.au/
      International
      • US-CERT Control Systems Website http://www.us-cert.gov.au/control_systems
      • 133. DHS Cyber Security Evaluation Tool (CSET) http://www.us-cert.gov/control_systems/satool.html
      • 134. SANS http://sans.org.au/
      • 135. CPNI SCADA Guidelines & Recommendations http://www.cpni.gov.uk/scada
    • 136. Questions & Answers
      • Controls
      • 137. Firewalls
      • 138. Intrusion Management: Detection vs. Prevention
      • 139. Penetration Testing
    • 140. ISA95 – Control Hierachy Levels
    • 141. ISA95 – IT Systems View