First Things First: Responding to Threat such as Stuxnet

Notes:
  • This presentation focuses on common sense things that will markedly improve the security of your facility.
  • Topics: MoC, anti-virus, patch management, scans/audits, portable media, remote access, connectivity to business networks
  • Transcript

    • 1. FIRST THINGS FIRST
      7 things a chemical process professional should do to secure their facility from unwanted intrusion
    • 2. John A. Cusimano
      • Director of Security Solutions for exida
      • President, Byres Research
      • Executive Director, Security Incidents Organization
      • ISA S99 committee (voting member)
      • ISA Security Compliance Institute (voting member)
      • Formerly with Moore Products / Siemens
        • QUADLOG Product Manager
        • Global Process Safety Business Development
        • Process Automation Market Development Manager
      • CFSE, Certified Functional Safety Expert
      Copyright © 2010 - exida
    • 3. Stuxnet Summary
      • First malware specifically targeting industrial control systems
      • First discovered in June 2010 (in circulation since June 2009)
      • Has the ability to reprogram Siemens S7 PLCs
      • Infects Siemens SIMATIC software running on Windows PCs
      • Uses the SIMATIC software to read S7 PLC memory and overwrite function blocks (FBs) with its own hidden code
      • Spreads via USB memory sticks, local networks and Step 7 project files
      • Thousands of PCs infected worldwide (predominantly Iran, India and Indonesia)
      • Approximately 17 cases reported on SIMATIC systems
    • 4. What is Stuxnet?
      • Computer worm
      • Infects Microsoft Windows computers:
        • Windows 2000
        • Windows XP
        • Server 2003
        • Vista
        • Server 2008
        • Windows 7
      • Infects Siemens SIMATIC software and embedded controllers:
        • WinCC
        • PCS 7
        • SIMATIC Manager
        • Step 7
        • S7-315 and S7-417 PLCs
    • 5. Actions
      • After infecting the computer, it looks for Siemens SIMATIC software (SIMATIC Manager, Step 7, WinCC, PCS 7)
      • Replaces Step 7 DLLs to hide the PLC logic changes from the user
      • Looks for connected PLCs (S7-315 and S7-417 models)
      • Reads the PLC, looking for specific configuration information
      • If found, injects code into the PLC (replaces the PROFIBUS driver, OB1 and OB35, and injects additional FBs)
      • Waits for a trigger (0xDEADF007), then executes
      • Self-propagates (see "Propagation")
    • 6. Consequences
      • The purpose appears to be to reprogram and sabotage very specific targets
      • Little effect on Windows systems that are not running SIMATIC software
      • Modifies offline configuration files on systems running SIMATIC software but not connected to a PLC
      • Monitors and reprograms connected PLCs (S7-315 and S7-417 models)
      • Executes the modified program if it finds its target and the trigger condition exists; consequences unknown
    • 7. Propagation
      • Infected USB memory sticks
        • Uses the shortcut vulnerability (MS10-046)
        • Earlier versions used an Autorun exploit
      • Local networks
        • Network shares
        • Print spooler vulnerability (MS10-061)
        • Server service vulnerability (MS08-067)
        • Logs into the WinCC SQL server using WinCC's hardcoded passwords
      • SIMATIC project files
        • Copies itself into STEP 7 project files (*.S7P, *.MCP and *.TMP) and auto-executes when the project is opened
    • 8. Spread
      • Versions of Stuxnet were first detected in March 2009, according to Microsoft
      • Under continued development: the authors added additional components, encryption and exploits
      • Approximately 100,000 infected hosts as of late September 2010
      • According to the Siemens website, there are 15 known control systems that have been infected by the Stuxnet malware
    • 9. Detection & Removal
      • All major anti-virus products have had signatures since July 25, 2010
      • ICS-CERT has released an advisory listing the primary Stuxnet indicators
      • Siemens has released a utility (Sysclean) for detecting and removing the virus, and the SIMATIC Security Update patch
      • Windows patches are available for three of the vulnerabilities (MS08-067, MS10-046 and MS10-061)
      • Two other vulnerabilities that allow escalation of privilege are still unpatched (as of 8 Oct 2010)
    • 10. Security Lifecycle
      (diagram)
    • 11. THE 7 THINGS
      • ASSESSMENT
      • POLICY & PROCEDURE
      • AWARENESS & TRAINING
      • NETWORK SEGMENTATION
      • ACCESS CONTROL
      • SYSTEM HARDENING
      • MONITORING
    • 12. ASSESSMENT
      • Evaluate current control system design, architecture, policies and practices
      • Compare results to standards & best practices
      • Identify gaps and provide recommendations for closure
      • Benefits:
        • Provides management with a solid understanding of the current situation, gaps and path forward
        • Helps identify and prioritize investments
        • First step in developing a security management program
    • 13. POLICY & PROCEDURE
      • Establish control system security policies & procedures:
        • Scope
        • Management support
        • Roles & responsibilities
        • Specific policies:
          • Remote access
          • Portable media
          • Patch management
          • Anti-virus management
          • Change management
          • Backup & restore
        • References
    • 14. AWARENESS & TRAINING
      • Make sure personnel are aware of the importance of security and of company policies
      • Provide role-based training for:
        • Visitors
        • Contractors
        • New hires
        • Operations
        • Maintenance
        • Engineering
        • Management
    • 15. NETWORK SEGMENTATION
      • Defense-in-depth strategy
      • Partition the system into distinct security zones
        • A zone is a logical grouping of assets sharing common security requirements
        • There can be zones within zones (subzones) that provide layered security
        • Zones can be defined physically and/or logically
      • Define security objectives and strategy for each zone
        • Physical
        • Logical
      • Create secure conduits for zone-to-zone communications
      • Install boundary or edge devices where communications enter or leave a zone, to provide monitoring and control over which data flows are permitted or denied between particular zones
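A small model of the zone-and-conduit rule this slide describes, written as an added example (it is not from the presentation, exida, or the ISA-99 standard): zones nest, a conduit is the only permitted path between two zones, flows are directional, and any flow no conduit covers is denied. The zone names, hosts, conduits and the "observed" flows are constructed sample data, and the port numbers are illustrative (102 is used for the HMI-to-PLC conduit as the S7/ISO-TSAP port).

```python
from collections import namedtuple

# Constructed sample topology: each zone maps to its enclosing zone
# (None = top level) and each host sits in its innermost zone.
ZONES = {"business": None, "dmz": None, "control": None,
         "control-hmi": "control", "control-plc": "control"}
HOSTS = {"erp-01": "business", "historian-01": "dmz",
         "hmi-01": "control-hmi", "plc-01": "control-plc"}

# A conduit is a permitted, one-directional path between two zones.
Conduit = namedtuple("Conduit", "src dst proto port")
CONDUITS = [
    Conduit("business", "dmz", "tcp", 443),             # office users read the historian
    Conduit("control", "dmz", "tcp", 5432),             # control zone pushes data to the historian
    Conduit("control-hmi", "control-plc", "tcp", 102),  # HMI/engineering to PLC (S7 over ISO-TSAP)
]


def lineage(zone):
    """Zone names from the given zone outward to its top-level zone."""
    names = []
    while zone is not None:
        names.append(zone)
        zone = ZONES[zone]
    return names


def allowed(src_host, dst_host, proto, port, conduits=CONDUITS):
    """True only if some conduit permits this flow; everything else is denied."""
    s, d = HOSTS[src_host], HOSTS[dst_host]
    if s == d:
        return True  # traffic inside one zone is governed by that zone's own controls
    # A conduit defined between enclosing zones also covers their subzones,
    # but two subzones of the same parent still need a conduit of their own.
    return any(c.src in lineage(s) and c.dst in lineage(d)
               and c.proto == proto and c.port == port for c in conduits)


def violations(flows, conduits=CONDUITS):
    """Return the (src_host, dst_host, proto, port) flows that no conduit permits."""
    return [f for f in flows if not allowed(*f, conduits=conduits)]


# Constructed "observed" flows, as a boundary device might log them.
SAMPLE_FLOWS = [
    ("erp-01", "historian-01", "tcp", 443),
    ("hmi-01", "plc-01", "tcp", 102),
    ("hmi-01", "historian-01", "tcp", 5432),  # covered by the control->dmz conduit
    ("erp-01", "plc-01", "tcp", 102),         # business LAN straight to a PLC
    ("plc-01", "hmi-01", "tcp", 102),         # reverse of the defined conduit
]
```

Running `violations(SAMPLE_FLOWS)` returns the last two flows, which is the list a boundary device should be configured to block and a monitoring process should review.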
    • 16. SYSTEM ARCHITECTURE
      Source: ANSI/ISA 99.00.01-2007
    • 17. PARTITIONING INTO ZONES
      Source: ANSI/ISA 99.00.01-2007
    • 18. Reference Architecture
      Image courtesy of Byres Security
    • 19. Honeywell Reference Architecture
      Image courtesy of Honeywell Process Control
    • 20. Emerson Reference Architecture
      Image courtesy of Emerson Process Management
    • 21. Siemens Reference Architecture
      Image courtesy of Siemens AG
    • 22. DuPont Reference Architecture
      Image courtesy of DuPont
    • 23. ACCESS CONTROL
      • Control and monitor access to control system resources
        • Logical & physical
      • AAA:
        • Administration
        • Authentication
        • Authorization
    • 24. SYSTEM HARDENING
      • Remove or disable unused communication ports
      • Remove unnecessary applications and services
      • Apply patches when and where possible
      • Consider 'whitelisting' tools
      • Use ISASecure™ certified products
    • 25. SYSTEM MONITORING
      • Install vendor-recommended anti-virus and update signatures regularly
      • Review system logs periodically
      • Consider IDS or HIPS
      • Periodic assessments
    • 26. THE 7 THINGS
      • ASSESSMENT
      • POLICY & PROCEDURE
      • AWARENESS & TRAINING
      • NETWORK SEGMENTATION
      • ACCESS CONTROL
      • SYSTEM HARDENING
      • MONITORING