There are new threats to cybersecurity for HMI/SCADA applications every week, and it can be difficult to stay on top of current threats and concerns. InduSoft is here to help, with an analysis of recent cybersecurity threats and how to take steps to protect SCADA/HMI systems from the vulnerabilities they seek to exploit. We will also be discussing the security features available in InduSoft Web Studio and how to take advantage of them to create the most stable, secure HMI or SCADA application possible.
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1
1. InduSoft Cybersecurity Webinar:
Overview of Current Events and General Cybersecurity Guidance,
Protection and Remediation Techniques, and Advanced InduSoft Web
Studio Data Protection and Encryption
Presenters: Richard Clark and Fabio Terezinho
June 24, 2015
2. Speakers Today (in order of presentation)
Richard Clark
– Technical Marketing, Process and Controls Engineer, Cybersecurity
Engineer
3. Richard H Clark
Cybersecurity Background
Mr. Clark has been in Mechatronics, Automation, Process Control,
Industrial Control System Cybersecurity, and automation implementation for
more than 15 years. He was employed by Wonderware, where he
developed a non-proprietary means of using IPsec to secure current
and legacy Automation, SCADA, and Process Control Systems, and
developed other non-proprietary IT security techniques. Industry expert by peer
review and spokesperson on IT security; consultant, analyst and voting
member of ISA/IEC 62443 (SP99). Contributor to the PCSF Vendor Forum.
Consultant to NIST, other government labs and the NSA during the
development of NIST Special Publications 800-53 and 800-82. Has published
engineering white papers, manuals, and instruction documents, and has developed
and given classes and lectures on the topic of ICS/SCADA Security.
– Participated in forming the NIST Cybersecurity Framework during the
workshops last year.
4. Speakers Today (in order of presentation)
Richard Clark
– Technical Marketing, Process and Controls Engineer, Cybersecurity
Engineer
Fabio Terezinho
– Director of Engineering and Consulting Services for InduSoft
5. Fabio Terezinho
Engineering and Cybersecurity Background
VP/Director of Engineering and Consulting Services
InduSoft/InduSoft-Wonderware
January 1999 – Present (16 years 6 months)
Application Engineer
Altus Sistemas de Informatica SA
January 1995 – March 1998 (3 years 3 months)
Selected Publications:
Remote access, any time, any place
InTech Magazine
October 2012
Designing New SCADA Systems
Plant Engineering
January 2012
Secure Against Process Automation Errors
Control Design Magazine
November 2011
Honors & Awards:
Beta Gamma Sigma
Beta Gamma Sigma (AACSB International - The
Association to Advance Collegiate Schools of Business)
March 2011
Patent:
Method and system for communicating between an
embedded device and relational databases
United States 11/243,780
Education:
Baylor University - Hankamer School of Business
Executive Master of Business Administration (EMBA)
2010 – 2011
Escola de Engenharia Maua
Electrical Engineering, Automation and Control
1999 – 2003
Mr. Terezinho has been in Mechatronics, Automation, Process Control, Industrial Control System Cybersecurity,
automation implementation, and product development at InduSoft/InduSoft-Wonderware for more than 16 years.
7. Announcements
This is an audio broadcast-only WebEx, so we can’t
hear you speaking.
– If you want to give us a comment or question, please type it into
the Q&A or Chat Field in the WebEx presentation interface. We
will answer your questions at the end in the Q&A section of the
broadcast.
Fill out the InduSoft webinar survey that we will send
you at the email address that you used to sign in,
and get a free InduSoft webinar series T-shirt!
8. Services On Demand is Available Now!
Engineering assistance is available when designing
projects and implementing project security
9. SCADA Cybersecurity eBooks
InduSoft Security Guide NIST Cybersecurity Framework
ISBN 978-1311-49042-1 ISBN 978-1310-30996-0
Available at Smashwords.com and other major booksellers
10. Available to you as “Name Your Price”
InduSoft Security Guide NIST Cybersecurity Framework
ISBN 978-1311-49042-1 ISBN 978-1310-30996-0
Download at Smashwords.com to “Name Your Price”
11. All eBook Proceeds Benefit the Eastern
New Mexico University-Ruidoso Foundation
20. Webinar Agenda
Introductions
Our Cybersecurity Guidance eBooks and Engineering
Services available from InduSoft
Current events that are relevant to Control Systems
Discussion of the current state of Cybersecurity for
Control Systems
Remediation and System Protection
Fabio: Advanced InduSoft Web Studio configurations
for Data Protection and Encryption
24. Where do we start?
There have been an unprecedented number of
Cybersecurity incidents
There have been a lot of business-centered cyber-events,
but we are interested in ICS and SCADA events
Therefore, the best place to start is the state of the
industry and current knowledge of known cyber-events
29. Stuxnet was the most infamous breach
A lot of noise has been made about Stuxnet, and for
good reason…
Stuxnet really scared a lot of Cybersecurity
professionals and antivirus/anti-malware companies,
along with ICS-CERT organizations around the globe.
– it was unprecedented in its sophistication and in the number of
different methods of attack and intrusion it combined.
After a quick War Room analysis, it was determined
that the attack was specifically targeted
40. Theorized Stuxnet Analyses and Findings
1) the sophistication of the programming of the malware, much of which was uncovered by reverse
engineering, could only have been achieved by a large, coordinated team of professional developers
2) the specificity of the attack required intimate insider knowledge of the control systems, their
networks and their configurations
3) the Zero Day exploits used against the unpatched Windows engineering workstations and the Siemens
Step7/WinCC software that programs the PLCs, and the insider knowledge that those systems were unpatched
4) the differing vectors of infection and spread: initially most likely a USB drive, after which it
spread over the network (shared folders and the Windows print spooler service) to other computers,
using administrator credentials…
5) the fact that it stayed dormant and surreptitious for a long time before becoming active, apparently
reporting to a Command and Control (C&C) server with its findings at various intervals…
6) …and then apparently receiving updated instructions from the C&C server before proceeding with
machine infiltration and the attack itself
7) the apparent social engineering that had to have been used to gain such intimate access to the
systems…
8) …which ultimately led to attacking and reprogramming the PLCs to drive the centrifuge Variable
Frequency Drives (VFDs) in a completely different way than originally intended and programmed
9) and to operate slowly and surreptitiously over weeks or months in order to prematurely wear out or
severely damage the equipment, ultimately limiting and destroying the production lines
…the conclusion was that Stuxnet was a deliberate,
single, targeted attack by one or more Nation-States.
42. Stuxnet was the most infamous breach
Is Stuxnet, because of all these factors, a danger to
your facility?
– yes and no
48. So is Stuxnet a danger to your system?
Stuxnet spread widely, but as it was used its payload only
activated on the one targeted system: it checked for the specific
Siemens PLC models and frequency-converter drives it was built for
Some bits of the Stuxnet code have been found in other
types of malware in the wild
Antivirus/anti-malware companies have updated their
signature databases to detect Stuxnet-like code in other
malware
Additionally, the Zero Day vulnerabilities Stuxnet exploited in
Windows and in the Siemens Step7/WinCC software have been patched
Stuxnet hid its PLC reprogramming with a very sophisticated
Man-in-the-Middle scheme: it hooked the Step7 programming software
so that engineers reading the PLC saw the original logic, and replayed
recorded normal process values while the centrifuges were being
driven outside their design speeds
61. So moving forward in time…
2012: Shamoon malware infiltrates Saudi Aramco and
wipes the disks of more than 30,000 computers…
Also, in 2011 and 2012, came Duqu and Flame (sKyWIper),
espionage malware that shared code and techniques with Stuxnet
Next, in 2013 and 2014, came the Dragonfly campaign and its Havex
RAT (Remote Access Trojan), malware that did specifically target
Industrial Control Systems: it was delivered through phishing email
and trojanized ICS vendor software downloads, and scanned the
victim's network for OPC servers
During the End-of-Year news in December 2014 came a report (from
the German BSI) of an attack at a German steel mill that did a
substantial amount of physical damage to a blast furnace…
– The attack began with spear phishing: emails carrying a malware
payload gave the attackers access to the office network, from which
they moved into the plant's Industrial Control System.
70. The Dell Annual Security Report (April 13, 2015)
Shows that in 2014, attacks against SCADA systems observed by Dell
more than doubled from the previous year, to 675,186
"Whereas the motive behind data-focused attacks is
typically financial, SCADA attacks tend to be political in
nature, since they target operational capabilities within
power plants, factories, and refineries, rather than credit
card information," Dell said.
Buffer overflow vulnerabilities were the primary point of
attack against SCADA systems, which control remote
equipment and collect data on equipment performance,
accounting for 25% of the attacks witnessed by Dell.
72. Article Comments by Shawn McConnon
"These emerging attacks are now being waged against
a much wider variety of hardware, including mobile
devices," he explains.
– "There is no perimeter anymore," he says.
– "There are many more touch-points in a company today," which, in
turn, has made it easier for hackers to penetrate networks.
73. Article Comments by Shawn McConnon
Hackers, especially nation-state actors, know that most
organizations fail to adequately address risks posed to
their networks by third parties, McConnon says.
– "Businesses today outsource everything ... and it's very hard to
ensure security when you're outsourcing."
74. Article Comments by Shawn McConnon
Hackers are increasingly targeting less-secure third
parties to ultimately gain access to organizations'
primary networks, McConnon explains.
– "You can't prevent hacks. But you should focus on the information,"
he says.
– "You've got to be able to look at your third-party risk and have
somebody on your team who's looking at that risk regularly."
101. What are the takeaways?
Cybercrime is on the increase, with more than
double the number of attacks since last year.
The criminals involved are everything from amateurs to
Nation States with deep pockets and many resources
The trend is that SCADA and control system attacks will
only increase, using online tools that have been
continually evolving
People still use insufficient security to protect
themselves and/or their systems
– Everything from poor password enforcement to inadequate perimeter
defense, and relying on 3rd parties with no in-house checking or reviews
109. What steps need to be taken?
First and foremost, understand your assets and how
they are connected and configured together
– This step initially requires a complete hardware and software
inventory
– Understanding each asset's configuration shows where it is secure
and where it is vulnerable in its current state
Next, categorize and classify your assets
– Asset categories might include: critical, essential, supporting role,
etc.
– Further classifications might include: production, business,
administrative, analysis, infrastructure backbone, executive, etc.
– Understanding these classifications will help when creating your Gap
Analysis and Risk Assessment for the whole system:
• http://www.belden.com/blog/industrialsecurity/Industrial-Networking-Easy-Security-Risk-Assessment.cfm
115. What steps need to be taken?
Once a Gap Analysis is complete, you will have an
understanding of what is missing in terms of security
– A Gap Analysis is crucial before an understanding of the elements
that need to be addressed can take place
– Each deficiency that is uncovered can be addressed with a Risk
Assessment, which is a cost to address it vs the risk to leave it alone
– As the cybersecurity landscape changes, each risk can be reviewed
and recalculated as the protection costs or technologies change
– This approach is called a Business Process Management (BPM)
Approach to managing your assets and the system security
– Ad hoc approaches to security finally disappear and an organized
methodology to asset management will come into focus.
116. What steps need to be taken?
Once a Gap Analysis is complete, you will have an
understanding of what is missing in terms of security
– A Gap Analysis is crucial before an understanding of the elements
that need to be addressed can take place
– Each deficiency that is uncovered can be addressed with a Risk
Assessment, which is a cost to address it vs the risk to leave it alone
– As the cybersecurity landscape changes, each risk can be reviewed
and recalculated as the protection costs or technologies change
– This approach is called a Business Process Management (BPM)
Approach to managing your assets and the system security
– Ad hoc approaches to security finally disappear and an organized
methodology to asset management will come into focus.
– Note that it is not necessary to “do everything at once”, since
implementing various security phases or changes can be expensive
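Worked example of the inventory, gap, and risk-assessment loop above. This is an added illustration, not InduSoft's or any vendor's tool: the assets, findings, likelihoods, impacts and control costs are constructed sample values, and "risk to leave it alone" is expressed as an annualized loss expectancy (likelihood per year times loss per incident) so it can be compared directly with the annualized cost of the control. Re-running the assessment with new control costs is the "review and recalculate" step of the BPM approach.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    category: str        # critical / essential / supporting (from the inventory)
    classification: str  # production / business / administrative / ...


@dataclass(frozen=True)
class Gap:
    asset: Asset
    finding: str
    annual_likelihood: float  # expected incidents per year (constructed estimate)
    impact: float             # loss per incident, currency units (constructed)
    control: str              # the change that closes the gap
    control_cost: float       # annualized cost of that change (constructed)

    def annual_loss_expectancy(self) -> float:
        # "the risk to leave it alone", expressed per year
        return self.annual_likelihood * self.impact

    def net_benefit(self) -> float:
        # positive: closing the gap is cheaper than the expected loss
        return self.annual_loss_expectancy() - self.control_cost


# Asset category from the classification step biases the ordering so that
# two gaps with similar numbers put the critical asset first.
CATEGORY_WEIGHT = {"critical": 3.0, "essential": 2.0, "supporting": 1.0}


def priority(gap: Gap) -> float:
    return gap.net_benefit() * CATEGORY_WEIGHT.get(gap.asset.category, 1.0)


def assess(gaps):
    """Split findings into 'fix now' (control pays for itself) and
    'accept for now' (cheaper to carry the risk), best value first.
    Returns the finding descriptions in that order."""
    fix_now = sorted((g for g in gaps if g.net_benefit() > 0), key=priority, reverse=True)
    accept = sorted((g for g in gaps if g.net_benefit() <= 0), key=priority, reverse=True)
    return [g.finding for g in fix_now], [g.finding for g in accept]


def recalculate(gaps, new_costs):
    """Re-run the assessment after protection costs change (new prices,
    a cheaper technology); gaps that were 'accepted' may now be worth fixing."""
    updated = [replace(g, control_cost=new_costs.get(g.control, g.control_cost)) for g in gaps]
    return assess(updated)


# Constructed inventory and gap-analysis findings (hypothetical names and figures).
HMI = Asset("HMI-01", "critical", "production")
HISTORIAN = Asset("Historian-01", "essential", "production")
ENG_WS = Asset("EngWS-02", "supporting", "administrative")

SAMPLE_GAPS = [
    Gap(HMI, "unused remote-admin service listening", 0.5, 40_000, "disable unused services", 1_000),
    Gap(HISTORIAN, "historian reachable directly from business LAN", 0.2, 100_000, "historian DMZ replica", 25_000),
    Gap(ENG_WS, "no USB device control", 1.0, 5_000, "USB device control", 3_000),
]

if __name__ == "__main__":
    fix, accept = assess(SAMPLE_GAPS)
    print("fix now:", fix)
    print("accept for now:", accept)
    # The DMZ replica gets cheaper: the historian gap moves into 'fix now'.
    fix, accept = recalculate(SAMPLE_GAPS, {"historian DMZ replica": 15_000})
    print("after recalculation, fix now:", fix)
```

With the sample figures the historian gap is initially accepted (expected loss 20,000 per year against a 25,000 control), and moves to the top half of the fix list once the replica cost falls to 15,000; nothing is decided "all at once", which is the point of the slide's last bullet.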
118. Analysis tools that can help you
The NIST Cybersecurity Framework is a good place to start
– Using the methodology described within the Framework documentation can help you get started, even though you may not end up using it.
– The Framework was contributed to by a wide variety of industry professionals, to make it extremely flexible.
Another tool that can be extremely useful is the ICS-CERT CSET Tool
– This tool allows you to plug in any set of standards that you want to and it will start asking you questions based on those standards and the inventory/gap analysis that you performed
• https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
123. SCADA Cybersecurity eBooks
– InduSoft Security Guide (ISBN 978-1311-49042-1)
– NIST Cybersecurity Framework (ISBN 978-1310-30996-0)
Available at Smashwords.com and other major booksellers
124. The cybersecurity webinars detail the steps
InduSoft’s Cybersecurity Webinars from January 28th
and February 17th of 2015 discussing guidance and the
eBooks will also help you in moving forward
– http://www.indusoft.com/Marketing/Article/ArticleID/555/ArtMID/684
– http://www.indusoft.com/Marketing/Article/ArticleID/562/ArtMID/684
– Professor Miller discusses the new changes to the CSET Tool
126. Due to your various system differences…
It is not possible to give specific guidance for the process, platform, or enterprise.
Specific guidance for one type of system may be entirely inappropriate for a different configuration
131. Control System Generalities include:
Network Segregation
– Simple firewalls don’t work
– VLANs don’t work
• https://www.tofinosecurity.com/blog/why-vlan-security-isnt-scada-security-all
– DMZ needed for Historian
– Firewalls should have Stateful Packet inspection
• http://www.belden.com/blog/industrialsecurity/Why-SCADA-Firewalls-Need-to-be-Stateful-Part-1-of-3.cfm
Electronic Access Point Controls
– Device Authentication may be appropriate
– Control ingress and egress points of Control System
System Hardening
– Remove unused software and other items
– Turn off unused services/ports to reduce attack surfaces
Role Based Access Controls
– Use Active Directory or LDAP for Centralized Management
– Use of minimum needed privileges
– Device Control such as USB controls in place
Patching Server installed
Centralized Backups
Logging Server
Performance Server
-or-
Centralized Management Server or System
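Worked example of the segregation points on this slide (historian DMZ, controlled ingress/egress, stateful inspection). This is an added illustration, not InduSoft's code or any firewall product: it models three zones, a small set of permitted conduits between them, and a connection-tracking policy that admits a packet only when it opens a session over a permitted conduit or belongs to a session already opened. Host names, zone membership, the conduit list and the packet trace are all constructed; the port numbers are conventional service ports used as placeholders.

```python
from dataclasses import dataclass

# Constructed zone membership: control network, DMZ, business network.
ZONES = {
    "plc-01": "control", "hmi-01": "control", "historian-01": "control",
    "historian-replica": "dmz", "patch-server": "dmz", "log-server": "dmz",
    "erp-01": "business", "analyst-pc": "business",
}

# Permitted conduits as (initiating zone, responding zone, destination port).
# Business users only ever touch the DMZ replica, never the control historian.
CONDUITS = {
    ("control", "dmz", 1433),   # historian pushes data out to its DMZ replica
    ("business", "dmz", 1433),  # analysts query the replica
    ("control", "dmz", 514),    # syslog from control hosts to the DMZ log server
    ("dmz", "control", 445),    # patch server delivers updates inward (assumed design)
}


class StatefulFirewall:
    """Zone-boundary policy with connection tracking (illustrative model)."""

    def __init__(self, zones, conduits):
        self.zones = zones
        self.conduits = conduits
        self.sessions = set()  # (client, server, client_port, server_port)

    def zone(self, host):
        return self.zones.get(host, "unknown")

    def packet(self, src, dst, sport, dport, syn=False):
        """Decide one packet. syn=True marks a connection attempt; anything
        else must match a session already in the table, in either direction."""
        if (src, dst, sport, dport) in self.sessions or (dst, src, dport, sport) in self.sessions:
            return "allow: established"
        if not syn:
            # A port-only filter could not make this distinction; connection
            # state is what lets the boundary reject unsolicited traffic.
            return "deny: no session"
        sz, dz = self.zone(src), self.zone(dst)
        if "unknown" in (sz, dz):
            return "deny: unknown host"  # inventory gap: classify it first
        if sz == dz:
            self.sessions.add((src, dst, sport, dport))
            return "allow: intra-zone"
        if (sz, dz, dport) in self.conduits:
            self.sessions.add((src, dst, sport, dport))
            return "allow: conduit"
        if sz == "business" and dz == "control":
            return "deny: business must reach control data via the DMZ"
        return "deny: no conduit"


def run_demo():
    """Replay a constructed packet trace and return the decisions in order."""
    fw = StatefulFirewall(ZONES, CONDUITS)
    trace = [
        ("historian-01", "historian-replica", 50000, 1433, True),   # historian -> replica
        ("historian-replica", "historian-01", 1433, 50000, False),  # reply on that session
        ("analyst-pc", "historian-01", 51000, 1433, True),          # business -> control, blocked
        ("analyst-pc", "historian-replica", 51001, 1433, True),     # business -> DMZ replica
        ("erp-01", "plc-01", 502, 502, False),                      # unsolicited packet, no session
        ("hmi-01", "plc-01", 52000, 502, True),                     # inside the control zone
        ("hmi-01", "plc-01", 52000, 502, False),                    # follow-up on that session
    ]
    return [fw.packet(*p) for p in trace]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The trace shows the two behaviours the slide asks for: the historian's data reaches the business side only through the DMZ copy, and a packet that merely looks like a reply is dropped unless the boundary saw the session open.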