<ul>Securing Control Systems </ul><ul>An introduction to security techniques for use in  Control System Networks </ul>
<ul>Introduction </ul>Crispin Harris Security Specialist [email_address] 10 th  May, 2010
<ul>Overview </ul>Part 1 – Understanding <ul><li>What is a Control System?
Why they are different?
Key attributes
Understanding the risks </li></ul>Part 2 – Protection <ul><li>Design & Network
Hosts & Operating Systems
Applications & Vendors
Vulnerability Management </li></ul>Part 4 - Summary <ul><li>Review & summary
Web Resources
Aus Gov Resources
US Gov Resources </li></ul>Part 3 – Governance <ul><li>Policy & Process
(Penetration) Testing
Vendor Relationships
Information/Software stores </li></ul>
<ul>Learning Objectives </ul>Be able to identify: <ul><li>Key attributes of a Control System
Strengths and weaknesses of normal CS design
Useful non-technical controls
Safe & useful technical controls </li></ul>Be able to  <ul><li>Find further resources </li></ul>But most importantly: Be a...
Intro to Control Systems Security PART 1 – UNDERSTANDING  CONTROL SYSTEMS
What is a Control System? A Control System is any computerised or automated system that is used to control, monitor, suppo...
Road Infrastructure, Fleet Management, etc </li></ul>
<ul>What is a “Control System”? </ul>A “Control System” (“Industrial Control System”) is an umbrella term that refers to a...
DCS (Distributed Control System)
PCS (Process Control System)
EMS (Emergency Management System)
AS (Automated System)
SIS (Safety Instrumentation System) </li></ul>And any other automated control system.
<ul>Why are ICS networks special? </ul>Control Systems are designed to provide day-in, day-out management of a  well known...
AVAILABILITY </li></ul>And a bit of: <ul><li>CONFIDENTIALITY </li></ul>
<ul>Attributes of ICS networks </ul><ul><li>Constant & Unchanging
Stable
Well documented
Old & un-patched systems
Isolated*
Internally redundant
Upcoming SlideShare
Loading in …5
×

Securing control systems v0.4

1,028 views
925 views

Published on

An introduction to Security in Control Systems.
Includes a brief description of what a Control System is, and what the basic constraints that are encountered when attempting to secure these systems

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,028
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
72
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Talk briefly about the different types of control systems, and w
  • A quick review of the sensitivities that Control Systems have to Impact &amp; Change
  • Firewalls, IPS, Anti-Virus, Structural Separation,
  • See StuxNet &amp; the public knowledge/understanding of attacks against Firmware. How safe is YOUR firmware library
  • Securing control systems v0.4

    1. 1. <ul>Securing Control Systems </ul><ul>An introduction to security techniques for use in Control System Networks </ul>
    2. 2. <ul>Introduction </ul>Crispin Harris Security Specialist [email_address] 10 th May, 2010
    3. 3. <ul>Overview </ul>Part 1 – Understanding <ul><li>What is a Control System?
    4. 4. Why they are different?
    5. 5. Key attributes
    6. 6. Understanding the risks </li></ul>Part 2 – Protection <ul><li>Design & Network
    7. 7. Hosts & Operating Systems
    8. 8. Applications & Vendors
    9. 9. Vulnerability Management </li></ul>Part 4 - Summary <ul><li>Review & summary
    10. 10. Web Resources
    11. 11. Aus Gov Resources
    12. 12. US Gov Resources </li></ul>Part 3 – Governance <ul><li>Policy & Process
    13. 13. (Penetration) Testing
    14. 14. Vendor Relationships
    15. 15. Information/Software stores </li></ul>
    16. 16. <ul>Learning Objectives </ul>Be able to identify: <ul><li>Key attributes of a Control System
    17. 17. Strengths and weaknesses of normal CS design
    18. 18. Useful non-technical controls
    19. 19. Safe & useful technical controls </li></ul>Be able to <ul><li>Find further resources </li></ul>But most importantly: Be able to <ul><li>Knowledgeably discuss Control System security </li></ul>
    20. 20. Intro to Control Systems Security PART 1 – UNDERSTANDING CONTROL SYSTEMS
    21. 21. What is a Control System? A Control System is any computerised or automated system that is used to control, monitor, support or operate a known process. Most Control Systems manage an Industrial Process such as: <ul><li>Manufacturing, Energy, Water, Gas, </li></ul>But they are also found where other repeatable processes occur: <ul><li>Rail & Air Transportation, Healthcare, Finance,
    22. 22. Road Infrastructure, Fleet Management, etc </li></ul>
    23. 23. <ul>What is a “Control System”? </ul>A “Control System” (“Industrial Control System”) is an umbrella term that refers to a broad set of control systems. These include: <ul><li>SCADA (Supervisory Control and Data Acquisition)
    24. 24. DCS (Distributed Control System)
    25. 25. PCS (Process Control System)
    26. 26. EMS (Emergency Management System)
    27. 27. AS (Automated System)
    28. 28. SIS (Safety Instrumentation System) </li></ul>And any other automated control system.
    29. 29. <ul>Why are ICS networks special? </ul>Control Systems are designed to provide day-in, day-out management of a well known process. The integrity and continued operation of this process frequently has key safety or financial impact. Control Systems need: <ul><li>INTEGRITY
    30. 30. AVAILABILITY </li></ul>And a bit of: <ul><li>CONFIDENTIALITY </li></ul>
    31. 31. <ul>Attributes of ICS networks </ul><ul><li>Constant & Unchanging
    32. 32. Stable
    33. 33. Well documented
    34. 34. Old & un-patched systems
    35. 35. Isolated*
    36. 36. Internally redundant
    37. 37. Small*
    38. 38. Rare/Obscure Customised Applications
    39. 39. Self Contained </li></ul>
    40. 40. Control System Risks Operator Controls <ul><li>Loss of Control
    41. 41. Loss of View </li></ul>Historical Data <ul><li>Corruption
    42. 42. Disclosure
    43. 43. Denial of Access </li></ul>Insults to the System Insults to the data Generated by the system, and USED by the business
    44. 44. <ul>ICS Weaknesses </ul><ul><li>Well Known and stable operation
    45. 45. VERY few changes </li><ul><li>Un-patched, un-managed Operating Systems
    46. 46. 10-year-old (or more) devices w/ Embedded OS </li></ul><li>Fragile devices that are very sensitive to change
    47. 47. Design assumptions have proved inaccurate
    48. 48. Networks already experience many transient failures
    49. 49. Custom or insecure network protocols
    50. 50. Immature network tunnelling/bridging techniques. </li></ul>
    51. 51. <ul>ICS Strengths </ul><ul><li>VERY FEW changes
    52. 52. Well Known & Stable operation
    53. 53. Custom/Uncommon software
    54. 54. Generally well documented
    55. 55. “Isolated” Networks </li></ul><ul><li>Anomalous Activity Detection
    56. 56. Gateway Access Controls </li></ul>
    57. 57. <ul>Historical Assumptions </ul>Some (one) key historical assumptions underpin the current situation: Isolated network environment <ul><li>Devices Work – but only just. </li><ul><li>may not be not RFC Compliant </li></ul><li>Network is ISOLATED & not attackable </li><ul><li>thus not defended or updated </li></ul><li>Network is resilient to (many) individual faults & failures. </li></ul>
    58. 58. Intro to Control Systems Security PART 2 – PROTECTIONS FOR CONTROL SYSTEMS
    59. 59. <ul>What can we do? </ul>It's all about: <ul><li>People
    60. 60. Process
    61. 61. Technology </li></ul>We constantly <ul><li>Inspect
    62. 62. Assess
    63. 63. Review </li></ul>All the standard security tools, processes and concepts apply. Security is a Process not a Product
    64. 64. Protections - People All the 'standard' People and Personnel controls for working in sensitive areas apply in Control Systems. The Big Stuff: Get buy-in for security from Control System owners or senior executive . Small Stuff: <ul><li>Most Operators are NOT “IT People”.
    65. 65. Give them somewhere 'safe' to play.
    66. 66. Already have a “safety culture”. Add “systems security increases your safety”.
    67. 67. Operators know how their systems work. </li></ul>
    68. 68. Protections - Process Regular Liaison with key stakeholders: <ul><li>Vendor liaison
    69. 69. System owner
    70. 70. Executives </li></ul>Relationships can make or break your systems Reporting & Monitoring <ul><li>System Monitoring
    71. 71. Incident & Anomaly Reporting </li></ul>
    72. 72. <ul>Software & Vulnerability Management </ul>(Try to) Ensure products are up-to-date <ul><li>Vendor Patches & Updates
    73. 73. Related & Ancillary packages
    74. 74. Operating System Updates </li></ul>
    75. 75. Protections – Technical Defence in Depth
    76. 76. <ul>Protections - Network Separation </ul>Network Separation <ul><li>Increases attack complexity
    77. 77. Increases time-to-compromise
    78. 78. Decreases vulnerable devices at each step
    79. 79. Isolates fragile devices
    80. 80. Not applicable on some older legacy networks
    81. 81. Difficult to retro-fit </li></ul>
    82. 82. <ul>Protections - Network Access Control </ul>Many protections can be implemented in the network infrastructure – both at the transition points and on the network fabric. Ingress/Egress Controls <ul><li>Routing & Access Lists
    83. 83. Gateway Firewalls </li></ul>Network Fabric <ul><li>Switch-port access controls
    84. 84. ARP security </li></ul>
    85. 85. <ul>Protections – Host-based Controls </ul>Host-based controls can be contentious. <ul><li>Anti-Virus & Anti-Malware
    86. 86. File Integrity Checking
    87. 87. Process Privilege Escalation
    88. 88. Host-Based IPS
    89. 89. Host Firewalls
    90. 90. Host Authentication (Active Directory)
    91. 91. Centralised Logging </li></ul>
    92. 92. <ul>Protections - Applications </ul>Recent high-publicity events have highlighted application-based weaknesses & vulnerabilities. <ul><li>Plain-text passwords if they exist at all
    93. 93. Default database/application/server passwords
    94. 94. Vulnerable web services
    95. 95. “Private” software is publicly available </li><ul><li>pentesters/attackers can download demo from the web to attack your “secure because it is obscure” system. </li></ul></ul>
    96. 96. Intro to Control Systems Security <ul>PART 3 - GOVERNANCE & REVIEW </ul>
    97. 97. <ul>Policy & Process </ul>Key policy Documents <ul><li>Acceptable Use Policy
    98. 98. Network Access Control Policy
    99. 99. 3 rd Party access and Remote Access Policies
    100. 100. Software & Vulnerability Management Policy </li></ul>Key Processes <ul><li>Software/Patch Management
    101. 101. Change Management </li></ul>
    102. 102. Compliance & Audit Compliance Audits are your KEY tool for ongoing safety/assurance of these networks! <ul><li>Determine an appropriate standard / policy set. </li><ul><li>NIST 800-82
    103. 103. NISTA 52
    104. 104. NERC </li></ul><li>Perform policy/standard audit of processes and controls </li><ul><li>Cyber Security Evaluation Tool (CSET)
    105. 105. Router/Switch/Firewall configuration Audit </li></ul></ul>
    106. 106. <ul>Testing Control System Security </ul><ul><li>ICS Penetration Testing </li><ul><li>Australian and International resources available. A VERY specialised area. </li></ul><li>Internal/amateur vulnerability testing </li><ul><li>It is suggested that this NOT be performed on your production network </li></ul></ul>Other practices include: <ul><li>Network Sniffing,
    107. 107. Configuration Testing &
    108. 108. Gateway traffic analysis </li></ul>
    109. 109. <ul>Protecting Secondary Information </ul><ul><li>Software Library </li><ul><li>PLC Firmware
    110. 110. Source Code
    111. 111. Application installers </li></ul><li>Operators Manuals
    112. 112. Authentication Systems (AD, LDAP, DB etc) </li></ul>
    113. 113. Intro to Control System Security <ul>PART 4 – WRAP-UP </ul>
    114. 114. <ul>Summary </ul><ul><li>Integrity vs. Confidentiality
    115. 115. Network Separation
    116. 116. Network Modelling &
    117. 117. Network Anomaly Detection & IDS
    118. 118. Testing (Penetration & Compliance)
    119. 119. Auditing (Policies, Controls & Processes)
    120. 120. Stay (as) current (as you can be) </li></ul>
    121. 121. Standards & Guides <ul><li>ANSI/ISA95 – Enterprise-Control System Integration, Part 1: Models and Terminology
    122. 122. NIST SP 800-82 – Guide for Industrial Control Systems (ICS) Security
    123. 123. NERC CIP-002-3 to CIP-009-3 </li><ul><li>NERC CIP standards provide a cyber security framework for the identification and protection of Critical Cyber Assets </li></ul><li>ISA TR99.00.02 – Integrating Electronic Security into the Manufacturing and Control Systems Environment
    124. 124. DHS CSSP - Control Systems Defence in Depth Strategies
    125. 125. http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf </li></ul>
    126. 126. <ul>Resources </ul>Australian Resources <ul><li>CERTAustralia
    127. 127. Department of Broadband, Communication and the Digital Economy
    128. 128. Department of the Attorney General
    129. 129. Control System Pen-Testing companies </li></ul>International Resources <ul><li>US CERT Control Systems Security Program
    130. 130. US Department of Homeland Security & US Department of Energy
    131. 131. UK Centre for the Protection of National Infrastructure </li></ul>
    132. 132. <ul>Web Resources </ul>Australia <ul><li>CERTAustralia http://govcert.gov.au/ </li></ul>International <ul><li>US-CERT Control Systems Website http://www.us-cert.gov.au/control_systems
    133. 133. DHS Cyber Security Evaluation Tool (CSET) http://www.us-cert.gov/control_systems/satool.html
    134. 134. SANS http://sans.org.au/
    135. 135. CPNI SCADA Guidelines & Recommendations http://www.cpni.gov.uk/scada </li></ul>
    136. 136. Questions & Answers <ul><li>Controls
    137. 137. Firewalls
    138. 138. Intrusion Management: Detection vs. Prevention
    139. 139. Penetration Testing </li></ul>
    140. 140. ISA95 – Control Hierachy Levels
    141. 141. ISA95 – IT Systems View

    ×