First Things First: Responding to Threat such as Stuxnet

Notes for slides:
  • This presentation focuses on common sense things that will markedly improve the security of your facility.
  • MoC, Anti-virus, Patch Mgmt, Scans/audits, Portable media, Remote access, Connectivity to business networks

Slide 1: FIRST THINGS FIRST
7 things a chemical process professional should do to secure their facility from unwanted intrusion

Slide 2: John A. Cusimano
  • Director of Security Solutions for exida
  • President, Byres Research
  • Executive Director, Security Incidents Organization
  • ISA S99 committee (voting member)
  • ISA Security Compliance Institute (voting member)
  • Formerly with Moore Products / Siemens
  • QUADLOG Product Manager
  • Global Process Safety Business Development
  • Process Automation Market Development Manager
  • CFSE, Certified Functional Safety Expert
Copyright © 2010 - exida
Slide 3: Stuxnet Summary
  • First malware specifically targeting industrial control systems
  • First discovered in June 2010 (in circulation since June 2009)
  • Has the ability to reprogram Siemens S7 PLCs
  • Infects Siemens SIMATIC software running on Windows PCs
  • Uses the SIMATIC software to read S7 PLC memory and overwrite FBs with its own code (hidden)
  • Spreads via USB memory sticks, local networks and Step 7 project files
  • Thousands of PCs infected worldwide (predominantly Iran, India and Indonesia)
  • Approximately 17 cases reported on SIMATIC systems

Slide 4: What is Stuxnet?
  • Computer worm
  • Infects Microsoft Windows computers: Windows 2000, Windows XP, Server 2003, Vista, Server 2008, Windows 7
  • Infects Siemens SIMATIC software and embedded controllers: WinCC, PCS 7, SIMATIC Manager, Step 7, S7-315 and S7-417 PLCs

Slide 5: Actions
  • After infecting the computer, it looks for Siemens SIMATIC software (SIMATIC Manager, Step 7, WinCC, PCS 7)
  • Replaces Step 7 DLLs to hide the PLC logic changes from the user
  • Looks for connected PLCs (S7-315 and S7-417 models)
  • Reads the PLC, looking for specific configuration information
  • If found, injects code into the PLC (replaces the PROFIBUS driver, OB1 and OB35, and injects additional FBs)
  • Waits for a trigger (0xDEADF007), then executes
  • Self-propagates (see "Propagation")

Slide 6: Consequences
  • Appears intended to reprogram and sabotage very specific targets
  • Little effect on Windows systems that are not running SIMATIC software
  • Modifies offline configuration files on systems running SIMATIC software but not connected to a PLC
  • Monitors and reprograms connected PLCs (S7-315 & S7-417 models)
  • Executes the modified program if it finds its target and the trigger condition exists; consequences unknown

Slide 7: Propagation
  • Infected USB memory sticks
      • Uses the shortcut vulnerability (MS10-046)
      • Earlier versions used an Autorun exploit
  • Local networks
      • Network shares
      • Print spooler vulnerability (MS08-061)
      • Server service vulnerability (MS08-067)
      • WinCC using hardcoded passwords to log into the SQL server
  • SIMATIC project files
      • Copies itself into STEP 7 project files (*.S7P, *.MCP and *.TMP) and auto-executes when the project is opened

Slide 8: Spread
  • Versions of Stuxnet were first detected in March 2009, according to Microsoft
  • Under continued development: the authors added additional components, encryption and exploits
  • Approximately 100,000 infected hosts as of late September 2010
  • According to the Siemens website, there are 15 known control systems that have been infected by the Stuxnet malware

Slide 9: Detection & Removal
  • All major anti-virus vendors have had signatures since July 25, 2010
  • ICS-CERT has released an advisory listing the primary Stuxnet indicators
  • Siemens has released a utility (Sysclean) for detecting and removing the virus, plus the SIMATIC Security Update patch
  • Windows patches are available for three of the vulnerabilities (MS08-067, MS10-046 and MS10-061)
  • Two other vulnerabilities that allow escalation of privilege are still unpatched (as of 8 Oct 2010)
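Because Stuxnet rides in on STEP 7 project files and alters offline configuration files, a plain integrity baseline of the project directory is one concrete form of the "review system logs" and "whitelisting" items later in the deck. The following is an added example, not code from the presentation or from Siemens; the directory layout, file names and contents are constructed, and only the three extensions come from the slides.

```python
"""Added example: baseline-and-compare integrity check for STEP 7 project files."""
import hashlib
import os
import tempfile

# Extensions the deck names as Stuxnet's project-file propagation vector.
PROJECT_EXTENSIONS = {".s7p", ".mcp", ".tmp"}

def build_manifest(root):
    """Return {relative_path: sha256_hex} for every project file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PROJECT_EXTENSIONS:
                continue  # other file types are outside this check
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest.hexdigest()
    return manifest

def diff_manifest(baseline, current):
    """Classify every change since the baseline manifest was recorded."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed project tree: baseline it, then simulate unreviewed writes."""
    root = tempfile.mkdtemp(prefix="step7_")
    proj = os.path.join(root, "Line1")
    os.makedirs(proj)
    write(os.path.join(proj, "Line1.s7p"), b"constructed project header")
    write(os.path.join(proj, "notes.txt"), b"not a project file, ignored")
    baseline = build_manifest(root)  # an operator would store this offline
    write(os.path.join(proj, "Line1.s7p"), b"constructed project header + unexpected change")
    write(os.path.join(proj, "Line1.mcp"), b"new file nobody checked in")
    return diff_manifest(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

Any "added" or "modified" entry that does not match an approved change record is what the change-management policy on the later slides exists to catch.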
Slide 10: Security Lifecycle (figure only)

Slide 11: THE 7 THINGS
  • ASSESSMENT
  • POLICY & PROCEDURE
  • AWARENESS & TRAINING
  • NETWORK SEGMENTATION
  • ACCESS CONTROL
  • SYSTEM HARDENING
  • MONITORING

Slide 12: ASSESSMENT
  • Evaluate the current control system design, architecture, policies and practices
  • Compare the results to standards & best practices
  • Identify gaps and provide recommendations for closure
  • Benefits:
      • Provides management with a solid understanding of the current situation, gaps and path forward
      • Helps identify and prioritize investments
      • First step in developing a security management program

Slide 13: POLICY & PROCEDURE
  • Establish control system security policies & procedures
      • Scope
      • Management support
      • Roles & responsibilities
      • Specific policies: remote access, portable media, patch management, anti-virus management, change management, backup & restore
      • References

Slide 14: AWARENESS & TRAINING
  • Make sure personnel are aware of the importance of security and of company policies
  • Provide role-based training: visitors, contractors, new hires, operations, maintenance, engineering, management

Slide 15: NETWORK SEGMENTATION
  • Defense-in-depth strategy
  • Partition the system into distinct security zones
      • Logical grouping of assets sharing common security requirements
      • There can be zones within zones, or subzones, that provide layered security
      • Zones can be defined physically and/or logically
  • Define security objectives and a strategy for each zone (physical and logical)
  • Create secure conduits for zone-to-zone communications
  • Install boundary or edge devices where communications enter or leave a zone, to provide monitoring and control over which data flows are permitted or denied between particular zones
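The zone-and-conduit model described on this slide can be checked mechanically against what the boundary device actually logged: every cross-zone flow that matches no defined conduit is a gap in either the firewall rules or the zone design. This is an added example, not code from the presentation or from ISA-99; the zones, addresses, conduits, port numbers and log lines are constructed assumptions.

```python
"""Added example: check boundary-device log lines against a zone/conduit policy."""
import ipaddress

# Constructed zones; the addresses and names are assumptions, not from the deck.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.3.0.0/24"),
}

# Conduits (src_zone, dst_zone, proto, dport): the only cross-zone flows permitted. Assumed.
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),  # business users read the DMZ historian
    ("dmz", "control", "tcp", 102),     # DMZ historian collects from the control zone
}

# Constructed log lines in a simple key=value form; a real boundary device's format differs.
SAMPLE_LOG = [
    "src=10.1.0.5 dst=10.2.0.10 proto=tcp dport=443",
    "src=10.1.0.5 dst=10.3.0.20 proto=tcp dport=102",   # enterprise host straight to control
    "src=10.3.0.20 dst=10.1.0.5 proto=tcp dport=445",   # control host reaching an office share
    "src=10.2.0.10 dst=10.3.0.20 proto=tcp dport=102",
    "src=10.3.0.20 dst=10.3.0.21 proto=udp dport=161",  # stays inside the control zone
]

def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it lies in no defined zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def parse_line(line):
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"])

def verdict(line):
    """'permitted' for intra-zone or conduit traffic, otherwise 'violation'."""
    src, dst, proto, dport = parse_line(line)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone and src_zone != "unknown":
        return "permitted"  # inside one zone; not a conduit question
    if (src_zone, dst_zone, proto, dport) in CONDUITS:
        return "permitted"
    return "violation"  # crossed a zone boundary outside any defined conduit

if __name__ == "__main__":
    for line in SAMPLE_LOG:  # violations are what the boundary device should have blocked
        print(f"{verdict(line):10} {line}")
```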
Slide 16: SYSTEM ARCHITECTURE (figure; source: ANSI/ISA 99.00.01-2007)

Slide 17: PARTITIONING INTO ZONES (figure; source: ANSI/ISA 99.00.01-2007)

Slide 18: Reference Architecture (image courtesy of Byres Security)

Slide 19: Honeywell Reference Architecture (image courtesy of Honeywell Process Control)

Slide 20: Emerson Reference Architecture (image courtesy of Emerson Process Management)

Slide 21: Siemens Reference Architecture (image courtesy of Siemens AG)

Slide 22: DuPont Reference Architecture (image courtesy of DuPont)
Slide 23: ACCESS CONTROL
  • Control and monitor access to control system resources, both logical & physical
  • AAA: Administration, Authentication, Authorization
  • Review:
      • Who has access?
      • To what resources?
      • With what privileges?
      • How is it enforced?
  • Review zone-by-zone, asset-by-asset, role-by-role and person-by-person

Slide 24: SYSTEM HARDENING
  • Remove or disable unused communication ports
  • Remove unnecessary applications and services
  • Apply patches when and where possible
  • Consider 'whitelisting' tools
  • Use ISASecure™ certified products

Slide 25: SYSTEM MONITORING
  • Install vendor-recommended anti-virus and update signatures regularly
  • Review system logs periodically
  • Consider IDS or HIPS
  • Periodic assessments

Slide 26: THE 7 THINGS (recap)
  • ASSESSMENT
  • POLICY & PROCEDURE
  • AWARENESS & TRAINING
  • NETWORK SEGMENTATION
  • ACCESS CONTROL
  • SYSTEM HARDENING
  • MONITORING