Control system security understanding the basics

4,099 views

Published on

Presented at the Lehigh Valley ISA meeting on Nov. 9, 2010 this presentation covers the basics of control system cyber security and a case study of a control system security incident and assessment

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,099
On SlideShare
0
From Embeds
0
Number of Embeds
41
Actions
Shares
0
Downloads
492
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide
  • It’s almost impossible to give a control system security talk these days without talking about Stuxnet. I’m sure most everyone in the room has heard something about Stuxnet so I’ll just take a moment to give a high level summary of what it is, how it works, what it can do and how it can be mitigated. The discovery of Stuxnet has “rocked” the industrial automation world as it is the first time we have seen malware that was written to specifically target an industrial control system. Furthermore, security researchers investigating the code have been shocked at the level of effort and skill with which this was written and deployed.
  • In safety we call this Analysis, Realization, and Operational phases.
  • System development & Maintenance:TestChange mgmtReview and maintain policies and procedures Establish and document a patch management procedure Establish and document antivirus/malware management procedure Establish backup and restoration procedure
  • The title of this presentation is borrowed from a book by Steven Covey on time management. One of the key principles of the book for when you are feeling overwhelmed with too many things to do, is to schedule the “big rocks” (major goals/activities) in your life first and allow the “little rocks” (the small stuff) to fill in the gaps. This concept can also be applied to control system security. At first, the task can seem overwhelming. The issues are complex and the standards and guidelines are very verbose. Where does one begin? This presentation will hopefully help you sort this out but identifying the “big rocks” in a control system security program.
  • While the “7 Things” don’t necessarily have to be done in any particular order, this one (assessing existing systems) really is one of the first things that should be done because provides the organization with a baseline understanding of where you are, where you are going and how to get there. Assessments can be performed using internal resources, third-party resources or a combination of the two. In our experience, a third-party can be helpful especially in cases where responsibility for control system security distributed between different organizations (e.g. IT and control systems).
  • It is important for organizations to document key policies and procedures regarding control system security. In general, corporate IT security policies, while providing a solid basis, need to be modified for the control system environment.
  • Policies are relatively useless if people aren’t aware of their existence, how they will be enforced, and aren’t trained on how to follow them. Most companies have mature awareness and training programs for safety but not for security. One can easily argue that you cannot achieve safety without security because weak security allows for unsafe conditions and behavior. Therefore, we recommend following a similar model for security as you already have for safety awareness and training.
  • Network segmentation is arguably the single-most important technical step that can be taken to improve the security of an industrial automation system. The concept of network segmentation is to partition the system into security zones and implement layers of protection to isolate the most critical parts of the system. It can help to draw an analogy to physical security zones as are commonly seen in airports, banks, prisons, military bases, etc. A key concept in control system security standards like ISA 99 is to partition the system into zones and conduits. It helps to visualize this concept so the next several slides are provided to give some examples.
  • Another key concept in any security program is access control. That is controlling and monitoring who or what has access to control system resources, both logically and physically. It is generally agreed there are 3 elements to access control (AAA).
  • System hardening is all about making the components of the system as robust as possible
  • During December 2009 a computer virus (W32.Sality) entered the DCS system of one of the process units belonging to a global energy  and chemicals company headquartered in South Africa. The virus infected two critical OPC servers and tried to infect a vibration monitoring computer. Due to this event, the OPC server shutdown, forcing the production operators to run the plant partially blind, without visualization from certain equipment, for nearly 8 hours while engineers had to rebuild the servers from scratch.  Fortunately, the plant recovered without any lost of production. 
  • However, immediately following the incident, the process unit’s management launched an in-depth investigation into the root cause and implemented numerous policy and procedural changes.   In August 2010 the same process unit hired a third-party control system cyber security expert to perform a thorough assessment of their control system as well as their present cyber security management program.   The assessment was performed following the ISA 99 series of standards.   This case study will present a summary of the process unit’s control system, the incident, the assessment process, key findings of the assessment and the subsequent changes implemented per the recommendations from the assessment. BCX to communicate and get permission from the line managers if they are requested to do any changes on our existing network topology.No third party software to be install on any server if it is not approved by the vendor.No server is allowed to be integrated in our network if it is not tested for viruses / virus freeNo remote access is allowed.Only used dedicated Memory stick in serve
  • Perform device level assessmentSoftware versions, applications and services, open ports, protection software, security settings, file shares, access control, user lists, physical security, etc.Recommend solutions to close identified gaps Policy/procedures, network architecture, system hardening, remote access, physical security, etc.
  • Control system security understanding the basics

    1. 1. idae Control System Cyber Security Understanding the Basics Lehigh Valley ISA Rumsey Electric Bethlehem, PA 9 November 2010
    2. 2. idae Copyright © 2010 - exida • We help our clients improve the safety, security and availability of their automation systems
    3. 3. idae John A. Cusimano, CFSE • Director of Security Solutions for exida • President, Byres Research • Executive Director, Security Incidents Organization • ISA S99 committee (voting member) • ISA Security Compliance Institute (voting member) • Formerly with Moore Products / Siemens • QUADLOG Product Manager • Global Process Safety Business Development • Process Automation Market Development Manager • CFSE, Certified Functional Safety Expert Copyright © 2010 - exida
    4. 4. idae Meeting Agenda • Intro to Control System Security • ISA 99 Standard • First Things First • Case Study • Summary
    5. 5. idae • Prevention of intentional or unintentional interference with the proper operation of industrial automation and control systems through the use of computers, networks, operating systems, applications and other programmable configurable components of the system • Goes by many names: – SCADA Security – PCN Security – Industrial Automation and Control System Security – Control System Cyber Security – Industrial Network Security – Electronic Security for Industrial Automation and Control Systems What is Control System Security? Copyright © 2010 - exida
    6. 6. idae • These systems control the services that we consider essential for our way of life – electricity, petroleum production, water, transportation, manufacturing and communications • Recent events have demonstrated the vulnerability of these systems to cyber incidents • The US and other governments have passed regulations requiring enhanced cyber security protection for control systems operating critical infrastructure Why is Control System Security Important? Copyright © 2010 - exida
    7. 7. idae • Safety • Lost Production • Equipment Damage • Information Theft • Company Image Risk to Asset Owners Copyright © 2010 - exida
    8. 8. idae • Heavy use of Commercial Off-the Shelf Technology (COTS) and protocols – Integration of technology such as MS Windows, SQL, and TCP/IP means that process control systems are now vulnerable to the same viruses, worms and trojans that affect IT systems • Increased Connectivity – Enterprise integration (using plant, corporate and even public networks) means that process control systems (legacy) are now being subjected to stresses they were not designed for • Demand for Remote Access – 24/7 access for engineering, operations or technical support means more insecure or rogue connections to control system • Public Information – Manuals on how to use control system are publicly available Control Systems are more vulnerable today than ever before Copyright © 2010 - exida
    9. 9. idae Actual Incident Types Intentional 24% Unintentional 76% Repository of Industrial Security Incidents (RISI) Incident Types Insider 11% Outsider 24%Eqpt Failure 65% Insider 53% Outsider 47% © 2009, Security IncidentsOrganization Malware (virus, worm, trojan) IT Dept, Technician Network device, software Disgruntled employee Hacker
    10. 10. idae Example incidents T h e R e p o s i t o r y o f I n d u s t r i a l S e c u r i t y I n c i d e n t s www.securityincidents.org Disgruntled Contractor Disables Pipeline Leak Detection System Source: The Repository of Industrial Security Incidents (www.securityincidents.org) Date: March 2009 Company: Pacific Energy Resources Ltd. Location: Long Beach, CA, USA Industry: Petroleum Incident Type: External Hacker Impact: Leak Detection System Disabled Description: A disgruntled employee, Mario Azar, accessed the system that monitors the detection of pipeline leaks for three oil derricks off the Southern California coast. He knowingly temporarily disabled the system. The FBI announced that, on September 14, 2009, Mario Azar pleaded guilty to intentionally damaging a computer system used in interstate and foreign commerce and faced ten years in prison. His sentencing is scheduled for December 7 in the United States District Court of Los Angeles.
    11. 11. idae Example incidents T h e R e p o s i t o r y o f I n d u s t r i a l S e c u r i t y I n c i d e n t s www.securityincidents.org Hackers Penetrate Water System Computers Description: A foreign-based hacker used the internet to infiltrate the laptop (via internet) of an employee at the Harrisburg water system. The hacker used the employee’s remote access as the entry point into the SCADA system and installed malware and spyware on a SCADA HMI computer. Source: The Repository of Industrial Security Incidents (www.securityincidents.org) Date: October 2006 Company: Harrisburg Water System Location: Harrisburg, PA, USA Industry: Water & Wastewater Incident Type: Intentional - External - Hacker Impact: Unknown
    12. 12. idae Example Incidents T h e R e p o s i t o r y o f I n d u s t r i a l S e c u r i t y I n c i d e n t s www.securityincidents.org Browns Ferry Nuclear Plant Scrammed Description: Operators manually scrammed Browns Ferry, Unit 3, following a loss of both the 3A and 3B reactor recirculation pumps. The root cause was the malfunction of the VFD controller due to excessive traffic on the plant Ethernet based integrated computer system (ICS) network. Source: The Repository of Industrial Security Incidents (www.securityincidents.org) Date: Aug. 2006 Company: Browns Ferry Nuclear Location: Athens, AL, USA Industry: Nuclear Power Incident Type: Accidental Equipment Failure Impact: Unit #3 shutdown
    13. 13. idae Stuxnet Summary • First malware specifically targeting industrial control systems • First discovered in June 2010 (in circulation since June 2009) © Copyright 2010 exida 13 • Has the ability reprogram Siemens S7 PLCs • Infects Siemens SIMATIC software running on Win PCs • Uses SIMATIC software to read S7 PLC memory and overwrite FB with its own code (hidden) • Spreads via USB memory sticks, local networks and Step 7 project files • Thousands of PC’s infected worldwide (predominantly Iran, India and Indonesia) • Approximately 17 cases reported on SIMATIC systems
    14. 14. idae US Government Efforts • Department of Homeland Security – 6 CFR part 27: Chemical Facility Anti- Terrorism Standards (CFATS) – National Cyber Security Division • Control Systems Security Program (CSSP) • Department of Energy – Federal Energy Regulatory Commission (FERC) • 18 CFR Part 40, Order 706 (mandates NERC CIPs 002- 009) • Nuclear Regulatory Commission – 10 CFR 73.54 Cyber Security Rule (2009) – RG 5.71 Copyright © 2010 - exida
    15. 15. idae Standards Efforts • International Society for Automation (ISA) – ISA99, Industrial Automation and Control System (IACS) Security • International Electrotechnical Commission (IEC) – IEC 62443 series of standards (equivalent to ISA 99) • National Institute for Standards and Technology (NIST) – SP800-82 Guide to Industrial Control Systems (ICS) Security Copyright © 2010 - exida
    16. 16. idae ISA 99 STANDARDS
    17. 17. idae ISA99 Work Products Copyright © 2010 - exida ISA-99.02.01 Establishing an IACS Security Program ISA-99.01.01 Terminology, Concepts And Models ISA-99.02.02 Operating an IACS Security Program ISA-TR99.01.02 Master Glossary of Terms and Abbreviations ISA-TR99.02.03 Patch Management in the IACS Environment ISA-99.03.04 Product Development Requirements ISA-99.04.01 Embedded Devices ISA-99.04.02 Host Devices ISA-99.04.03 Network Devices ISA-99.04.04 Applications, Data And Functions SecurityProgramTechnical-SystemTechnical-ComponentISA99Common ISA-99.03.03 System Security Requirements and Security Assurance Levels ISA-TR99.03.01 Security Technologies for Industrial Automation and Control Systems ISA-99.03.02 Security Assurance Levels for Zones and Conduits ISA-99.01.03 System Security Compliance Metrics Complete In Progress Planned Courtesy of ISA 99 Committee
    18. 18. idae ANSI/ISA-99.01.01 (Standard) Title Terminology, Concepts and Models Description This standard describes the terminology, concepts and models that form the basis for the ISA99 series of standards, practices and technical reports. IEC Number IEC/TS 62443-1-1 Status Released October 2007 Primary WG Product of ISA99 Work Group 3 (WG3). Comments The current version of this standard was published as ISA99.00.01. The new number will be assigned with the next revision. This standard has been designated as a technical specification by IEC (IEC/TS 62443-1-1) because it does not have normative content. A future revision will include clarification of language to allow it to be designated as a standard. 18Copyright © 2009 - exida
    19. 19. idae 5.2 Security Objectives Copyright © 2009 - exida 19 Clause5:Concepts
    20. 20. idae Risk Analysis Risk = Likelihood × Consequence Likelihood = Threat x Vulnerability Copyright © 2009 - exida 20
    21. 21. idae 5.3 Defense-in-Depth Copyright © 2009 - exida 21 Clause5:Concepts Control System Virus Scanners Firewalls Policies & Procedures Role-Based Access Control Secure Architectures Potential Threat Physical Security Account Management Virtual Private Networks (VPN) Demilitarized Zones (DMZ) Patch Management “Defense in Depth” – applying multiple countermeasures in a layered or stepwise manner. Source: Siemens (http://www.sea.siemens.com/us/Products/Process-Automation/safetyandsecurity/industrialsecurity/Pages/Process-Automation-SafetyandSecurity_Security_page1.aspx)
    22. 22. idae 5.8 Security Zones 5.8.1 General • A security zone is a logical grouping of physical, informational, and application assets sharing common security requirements • There can be zones within zones, or subzones, that provide layered security, giving defense in depth and addressing multiple levels of security requirements • A security zone has a border, which is the boundary between included and excluded elements • Zones can be defined physically (a physical zone) or logically (virtual zone) Copyright © 2009 - exida 22 Clause5:Concepts
    23. 23. idae 5.9 Conduits • 5.9.1 General • A conduit is a particular type of security zone that groups communications that can be logically organized into a grouping of information flows within and also external to a zone. • It can be a single service (i.e., a single Ethernet network) or can be made up of multiple data carrier • Can be defined physically or logically Copyright © 2009 - exida 23 Clause5:Concepts
    24. 24. idae System Architecture Copyright © 2010 - exida
    25. 25. idae Partitioning into Zones Copyright © 2010 - Clause6:Models
    26. 26. idae 6.5 Zone & Conduit Models Copyright © 2009 - exida 26 Clause6:Models
    27. 27. idae Specifying Zones & Conduits Image courtesy of Byres Security
    28. 28. idae Honeywell Reference Architecture Image Courtesy of Honeywell Process Control
    29. 29. idae Emerson Reference Architecture
    30. 30. idae Siemens Reference Architecture Image Courtesy of Siemens AG
    31. 31. idae DuPont Reference Architecture Image Courtesy of DuPont
    32. 32. idae 5.10 Security Levels • Categorizes the risk for a zone or conduit. • Corresponds to the required effectiveness of countermeasures and inherent security properties of devices and systems • Security levels provide a qualitative approach to addressing security for a zone • Security level concept is expected to move to a quantitative approach in the future • Organizations should establish a definition of what each level represents and how to measure the level of security for the zone Copyright © 2009 - exida 32 Clause5:Concepts
    33. 33. idae 5.10 Security Levels • A minimum of three security levels is recommended Copyright © 2009 - exida 33 Clause5:Concepts
    34. 34. idae The Security Lifecycle Adapted from ISA S99.01.01Copyright © 2010 - exida
    35. 35. idae ANSI/ISA-99.02.01 (Standard) Title Establishing an Industrial Automation and Control Systems Security Program Description This standard describes the elements contained in a cyber security management system for use in the industrial automation and control systems environment and provides guidance on how to meet the requirements described for each element. IEC Number IEC 62443-2-1 Status Released January 2009 Primary WG Product of ISA99 work group 2. Comments IEC 62443-2-1 Ed. 1.0 issued as Final Draft International Standard (FDIS) on 2010-06-18. Voting terminates on 2010-09- 03. 36Copyright © 2009 - exida
    36. 36. idae ANSI/ISA S99.02.01-2009 Establishing an IACS Security Program Copyright © 2010 - exida
    37. 37. idae F T F 7 things a chemical process professional should do to secure their facility from unwanted intrusion
    38. 38. idae THE 7 THINGS 1. ASSESSMENT 2. POLICY & PROCEDURE 3. AWARENESS & TRAINING 4. NETWORK SEGMENTATION 5. ACCESS CONTROL 6. SYSTEM HARDENING 7. MONITOR & MAINTAIN © Copyright 2010 exida 39
    39. 39. idae Risk Assessment Typical Risk Matrix
    40. 40. idae Threat Source Threat Existing Countermeasures Likelihood Consequence Risk Intentional - Insider Current employee Personnel screening, access controls Low High Medium Intentional - Insider Former employee Personnel screening, access controls Med High Medium Intentional - Insider Current Contractor Access controls Low High Medium Intentional - Insider Former Contractor Access controls Med High Medium Intentional - Outsider Network segmentation, remote access controls Low High Medium Unintentional - Insider Training, access controls Unintentional - Outsider Unintentional - Equipment Detailed Risk Assessment Example
    41. 41. idae ASSESS EXISTING SYSTEMS • Perform control system security assessments of existing systems • Compare current control system design, architecture, policies and practices to standards & best practices • Identify gaps and provide recommendations for closure • Benefits: – Provides management with solid understanding of current situation, gaps and path forward – Helps identify and prioritize investments – First step in developing a security management program © Copyright 2010 exida 43
    42. 42. idae POLICY & PROCEDURE • Establish control system security policies & procedures – Scope – Management Support – Roles & Responsibilities – Specific Policies • Remote access • Portable media • Patch mgmt • Anti-virus management • Change Management • Backup & Restore – References © Copyright 2010 exida 44
    43. 43. idae AWARENESS & TRAINING • Make sure personnel are aware of the importance of security and company policies • Provide role-based training – Visitors – Contractors – New hires – Operations – Maintenance – Engineering – Management © Copyright 2010 exida 45
    44. 44. idae NETWORK SEGMENTATION • Defense-in-Depth strategy • Partition the system into distinct security zones – Logical grouping of assets sharing common security requirements – There can be zones within zones, or subzones, that provide layered security – Zones can be defined physically and/or logically • Define security objectives and strategy for each zone – Physical – Logical • Create secure conduits for zone-to-zone communications – Install boundary or edge devices where communications enter or leave a zone to provide monitoring and control capability over which data flows are permitted or denied between particular zones. © Copyright 2010 exida 46
    45. 45. idae ACCESS CONTROL • Control and monitor access to control system resources • Logical & Physical • AAA – Administration – Authentication – Authorization © Copyright 2010 exida 47 • Review – Who has access? – To what resources? – With what privileges? – How is it enforced? • Zone-by-zone •Asset-by-Asset •Role-by-Role •Person-by-Person
    46. 46. idae SYSTEM HARDENING • Remove or disable unused communication ports • Remove unnecessary applications and services • Apply patches when and where possible • Consider ‘whitelisting’ tools • Use ISASecure™ certified products © Copyright 2010 exida 48
    47. 47. idae Port locking devices Ethernet RJ-45 • Tamper-proof outlet lock and lockable patch cord • Protects against unauthorized port access in unused outlets • Deters patch cord removal • Removable only with a specially designed key USB • USB lock physically locks and blocks the USB Ports. • Allows secured use of an authorized USB device by capturing the device's cable and locking it into the USB port Kensington USB Port LockSiemon LockIT™
    48. 48. idae Patch Management Observations: – Olin does not have a formal patch management policy or procedures for DCS – OMNX system does not require patching – Commercial, Windows-based platforms require greater attention to patching Recommendations: – See following slides
    49. 49. idae Patch Management • Prioritized and categorize all machines into groups that define when and how they are to be patched. Example: • “Early Adopters” receive patches as soon as available and act as Test/Quality Assurance machines. • “No Touch” machines require manual intervention and/or detailed vendor consultation. • Establish a procedure for keeping track of new patches and level of importance to control operations.
    50. 50. idae Patch Management • When new vulnerability is announced and/or a patch fix is available, conduct a PDA to evaluate the potential impact on the control system • This patch is then evaluated and prioritized for adoption based on its risk evaluation. Reaction Plan Aggressiveness Implementation Window Level of Testing Alpha Minimum Quarterly High Bravo Moderate By end of following week Best Effort Zebra Maximum Within 48 hours Minimal
    51. 51. idae Application Whitelisting • Unlike antivirus solutions, that rely on blacklists of known malware, whitelisting enforces a relatively small list of the authorized applications for each computer • Automatically blocks all unauthorized applications including unknown malware and rogue applications installed by users. • Minimal performance impact • Examples: – Core Trace Bouncer – Industrial Defender HIPS Copyright © 2010 - exida
    52. 52. idae ISASecure Embedded Device Security Certification Copyright © 2010 - exida ISA Security Compliance Institute Software Development Security Assurance (SDSA) Functional Security Assessment (FSA) Communications Robustness Testing (CRT) ISASecure Certification Process 1. CRT test all accessible TCP/IP interfaces 2. Perform FSA on device and all interfaces 3. Audit supplier’s software development process 4. Perform integrated threat analysis 5. Issue certification For more information visit: www.isasecure.org
    53. 53. idae MONITOR & MAINTAIN • Install vendor recommended anti- virus and update signatures regularly • Review system logs periodically • Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS) • Pen testing (offline only) • Periodic assessments © Copyright 2010 exida 55
    54. 54. idae Anti-virus Management Stuxnet is not the first malware to infect industrial control systems © 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database
    55. 55. idae Anti-virus Management Observations: – Olin does not have an anti-virus management policy or procedure for control systems Recommendations: – Develop an anti-virus policy for control systems – Consider a mixed deployment scheme: • Anti-virus scanning at the control system firewall • Automatic updating for non-critical systems or systems with vendor approved update schemes • Manual scheduled updates for more difficult systems • Focus on anti-virus signatures in all computers located in the DMZ • A dedicated anti-virus server can located in the DMZ
    56. 56. idae THE 7 THINGS 1. ASSESSMENT 2. POLICY & PROCEDURE 3. AWARENESS & TRAINING 4. NETWORK SEGMENTATION 5. ACCESS CONTROL 6. SYSTEM HARDENING 7. MONITOR & MAINTAIN © Copyright 2010 exida 58
    57. 57. idae DCS Virus Infection, Investigation and Response A Case Study
    58. 58. idae Stuxnet is not the first malware to infect ICS © 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database
    59. 59. idae Impact of Malware in ICS © 2010 Security Incidents Organization, The Repository of Industrial Security Incidents (RISI) database
    60. 60. idae Incident • December 2009 • Petrochemical company in South Africa • Virus (Win32/Sality) infected DCS system • Two OPC servers shutdown • Operators ran plant partially blind for 8 hours • Engineers rebuild servers • Recovered without loss of production
    61. 61. idae Scenario1.) Replaced servers and updated access control list 2. OPC servers stopped. Virus discovered.
    62. 62. idae Win32/Sality Virus • Discovered: April 18, 2009 • A worm that spreads by infecting executable files and copying itself to removable drives • Deletes files with .vdb, .avc and .key in the filename and also files listed under certain registry subkeys • Ends processes and lowers security settings by modifying the registry
    63. 63. idae Response • Conducted a root-cause investigation • Implemented policy & procedural changes – Configuration management policy for IT switches – 3rd party software policy – Anti-virus management policy – Prohibited remote access – Portable media policy • Hired third-party SME to perform a thorough control system security assessment – Familiar with DCS, SIS and SCADA systems – Knowledgeable of latest standards & technology – Experience in similar plants – Unbiased
    64. 64. idae The Project • exida hired to perform control system security assessment • Aug 23 – Aug 27, 2010 • Followed ANSI/ISA 99.02.01
    65. 65. idae Assessment Process 1. Understand and scope the system under assessment 2. Develop a clear understanding of the network architecture and all traffic flows 3. Develop an inventory of all networked control devices within the boundary of the system 4. Perform device level assessment 5. Interview key employees involved in operations and security of the control networks and equipment 6. Analyze collected data and compare with corporate standards and industry best practices to identify gaps 7. Recommend solutions to close identified gaps
    66. 66. idae Results • For each item in ISA 99.02.01 – Requirements – Importance to effective security – Industry best practices – Observations – Recommendations • 48 recommendations • 9 critical recommendations
    67. 67. idae Network Segmentation Observations: – Network connections not well documented – Insufficient separation between business LAN and control system (VLANS & ACL’s) – Boundaries unclear and no boundary devices – Several computers were found to have hundreds of established network connections – Several dual-zoned servers
    68. 68. idae Weak boundary Hundreds of computers in network neighborhood Dual-homed servers
    69. 69. idae DuPont Reference Architecture Image Courtesy of DuPont
    70. 70. idae
    71. 71. idae System Hardening Observation • Workstations extensive number of inappropriate applications – UltraVNC – Microsoft ActiveSync – Internet Explorer – Microsoft Outlook / Outlook Express – Windows NetMeeting – Internet checkers game – Remote access phonebook • Numerous files shares configured Recommendation • Remove all unnecessary applications and services • Apply the vendor recommended or NIST hardening settings to all workstations and servers • Immediately remove any unnecessary shares
    72. 72. idae System Hardening Observation • Numerous active, unused Ethernet ports • USB ports disabled by registry setting Recommendation • Disable or lock any unused ports • Use physical devices to lock cables into used ports and block access to unused ports
    73. 73. idae Lessons Learned Client • Network segmentation is critical • Anti-virus used per supplier recommendations • Portable media is dangerous • Awareness/training is important • Systems should be hardened and patched per supplier recommendations Assessor • ANSI/ISA 99.02.01 provides good structure but cannot be used as a checklist • Zone and conduit modeling works • Supplier’s reference architectures need to be adjusted for “real” applications • Data collection must be performed very carefully on a live control system
    74. 74. idae Next Steps • Client is developing corporate policies and procedures • Client is preparing to deploy recommended network changes • Role-based security training is being developed and integrated into existing training program • Monitoring technology (e.g. IDS, HIPS) being investigated • Access control (logical and physical) being reviewed • System hardening being implemented with supplier support • Additional units and sites will be assessed

    ×