Security Vulnerabilities: Stay One Step Ahead

exida webinar that explores strategies that automation system suppliers can employ to improve the inherent security of their products while also staying one step ahead of the researchers who aim to expose their flaws. These strategies can also be useful in preparing to react to vulnerabilities found either internally or externally. We will also discuss suggestions for how end-users can enhance the security of their installed systems and respond to news of vulnerabilities found in the products they use.

Published in Technology, News & Politics

Transcript

  • 1. ICS Security Vulnerabilities: Stay One Step Ahead
  • 2. We help our clients improve the safety, security and availability of their automation systems
      Copyright © 2010 - exida
  • 3. John A. Cusimano, CFSE, CISSP
      • Director of Security Solutions for exida
      • 20+ years experience in industrial automation
      • Employment History:
          – Eastman Kodak
          – Moore Products
          – Siemens
      • Certifications:
          – CFSE, Certified Functional Safety Expert
          – CISSP, Certified Information Systems Security Professional
      • Industry Associations:
          – ISA S99 Committee (WG4, WG5, WG7, WG8)
          – ISA S84 Committee (WG9)
          – ISA Security Compliance Institute
          – ICSJWG Workforce Development & Vendor Subgroups
  • 4. Agenda
      • Situation
      • Recommended Strategy for Suppliers
      • Recommended Strategy for End Users
  • 5. Situation
      • ICS products have rapidly evolved to incorporate COTS technology
      • Security was not a big concern in ICS environment until recently
      • Most ICS vendors do not follow a mature security development lifecycle
      • Security researcher community has suddenly become aware of the ICS market
      • They are having success at finding and publishing vulnerabilities
  • 6. Stuxnet Response
      “Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”
      Mark Weatherford, Vice President and Chief Security Officer, NERC
  • 7. Software related SCADA incidents
      • Software Vendor Patch Crashes SCADA System
      • Computer Glitch Causes Major Power Outage
      • Faulty Software Causes Torrens Lake Drain
      • SCADA System Collapse Leads to Tunnel Closure
      • Computer Software Faults May Have Caused Chinook Helicopter Crash
      • Gas Leak Caused by Computer Malfunction
      Incidents from the Repository of Industrial Security Incidents (RISI) database (www.securityincidents.org)
  • 8. Luigi Auriemma
      • March 21, 2011
      • Independent security researcher Luigi Auriemma published 34 zero-day vulnerabilities affecting 4 different SCADA/HMI products:
          – Iconics Genesis32 v9.21 and Genesis64 v10.51 (13)
          – Siemens Tecnomatix FactoryLink v8.0.1.1473 (6)
          – DATAC RealWin 2.1 build 6.1.10.10 (7)
          – 7-Technologies IGSS v9.00.00.11059 (8)
      • Included code and commands to exploit the vulnerabilities
      • Vulnerabilities include stack and heap overflows, integer overflows, arbitrary commands execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems, etc.
  • 9. Gleg Ltd. SCADA+ Pack
      • Moscow-based security firm, Gleg Ltd., recently began selling an exploit pack called SCADA+ Pack
      • Includes both previously known and zero-day SCADA vulnerabilities
          – Atvise SCADA (zero-day)
          – Control Microsystems ClearScada (zero-day)
          – DataRate SCADA WebControl and RuntimeHost (zero-day)
          – Indusoft SCADA Webstudio (zero-day)
          – ITS SCADA
          – Automated Solutions Modbus/TCP OPC Server
          – BACnet OPC client
          – Advantech Studio Web server
          – Iconics Genesis
  • 10. Rubén Santamarta
      • April 4, 2011
      • Independent security researcher, Rubén Santamarta, identified an RPC vulnerability in Advantech/BroadWin WebAccess, a web browser-based HMI product
      • The vulnerability affects the WebAccess Network Service on 4592/TCP and allows remote code execution
      • Rubén reported to ICS-CERT and publicly released details of the vulnerability including exploit code and instructions on how to use it
  • 11. Others
      • Joel Langill of SCADAhacker.com has responsibly disclosed several zero-day vulnerabilities with exploits to ICS-CERT and the affected vendors
      • Steve James of exploited security recently notified ICS-CERT of a vulnerability in AGG OPC SCADAViewer
  • 12. Dillon Beresford
      • May 9, 2011
      • Security researcher Dillon Beresford of NSS Labs reported several security vulnerabilities on the Siemens S7 PLC to ICS-CERT and Siemens, including proof-of-concept exploit code
      • On May 18th he was asked to cancel his scheduled demonstration at the TakeDownCon security conference
      • He later presented his findings at Austin Hackers Anonymous on May 26th
      • Beresford claims to be able to produce a Linux shell on the PLC and have root level access to the OS
  • 13. Exploit Hub
      • Marketplace for validated, non-zero-day exploits
      • iPhone App-Store style marketplace for security researchers to sell their exploits
  • 14. Stuxnet Response
      “Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”
      Mark Weatherford, Vice President and Chief Security Officer, NERC
  • 15. Software related SCADA incidents
      • Software Vendor Patch Crashes SCADA System
      • Computer Glitch Causes Major Power Outage
      • Faulty Software Causes Torrens Lake Drain
      • SCADA System Collapse Leads to Tunnel Closure
      • Computer Software Faults May Have Caused Chinook Helicopter Crash
      • Gas Leak Caused by Computer Malfunction
      Incidents from the Repository of Industrial Security Incidents (RISI) database (www.securityincidents.org)
  • 16. Recommended Strategy for Suppliers
  • 17. Recommended Strategy for Automation Suppliers
      • Integrate security into development lifecycle (SDL)
      • Evaluate existing products
      • Specific testing for security vulnerabilities
      • 3rd party evaluation
      • Be prepared to respond to a disclosure
  • 18. Incorporating Security into the Software Development Lifecycle (diagram labels)
      • Security Training
      • Security Requirements
      • Security Architecture Design
      • Security Risk Assessment and Threat Modeling
      • Security Coding Guidelines
      • Security Code Reviews & Static Analysis
      • Fuzz testing, Abuse case testing
      • Security Validation Testing
      • Security Response Planning and Execution
  • 19. Guidance
      • Microsoft - The Security Development Lifecycle [1]
      • DACS - Enhancing the Development Life Cycle to Produce Secure Software [2]
      • DHS - “Build Security In” [3]
      • ISASecure - Software Development Security Assessment (SDSA) specification [4]
      References:
      1. Howard, Michael, and Steve Lipner. The Security Development Lifecycle: SDL, a Process for Developing Demonstrably More Secure Software. Redmond, WA: Microsoft, 2006. Print.
      2. Goertzel, Karen, Theodore Winograd, et al. for Department of Homeland Security and Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.
      3. https://buildsecurityin.us-cert.gov/bsi/home.html
      4. www.isasecure.org, ESDA-312 Software Development Security Assessment (v1_4) (SDSA)
  • 20. Threat Modeling
      • Identify critical assets and interfaces
      • Create an architecture overview
      • Identify trust boundaries
      • Identify and rate threats
      • Identify vulnerabilities
      • Identify existing mitigations
      • Quantify residual risk
  • 21. Security Integration Testing
      • Fuzz testing
          – Software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions.
      • White box testing for security (abuse case)
          – Based on knowledge of how the system is implemented
          – Comprehend and analyze security
          – Create tests to exploit software
  • 22. Response Planning
      • Acknowledge the issue
      • Be open and forthright
      • Analyze the risk
      • Develop a mitigation plan
      • Responsibly notify customers
  • 23. Recommended Strategy for End-Users
  • 24. THE 7 THINGS
      1. ASSESSMENT
      2. POLICY & PROCEDURE
      3. AWARENESS & TRAINING
      4. NETWORK SEGMENTATION
      5. ACCESS CONTROL
      6. SYSTEM HARDENING
      7. MONITOR & MAINTAIN
  • 25. ASSESS EXISTING SYSTEMS
      • Perform control system security assessments of existing systems
      • Identify critical control system assets
      • Compare current control system design, architecture, policies and practices to standards & best practices
      • Identify risks, gaps and provide recommendations for closure
      • Benefits:
          – Provides management with solid understanding of current situation, gaps and path forward
          – Helps identify and prioritize investments
          – First step in developing a security management program
  • 26. exida
  • 27. POLICY & PROCEDURE
      • Establish control system security policies & procedures
          – Scope
          – Management Support
          – Roles & Responsibilities
          – Specific Policies
              • Remote access
              • Portable media
              • Patch mgmt
              • Anti-virus management
              • Change Management
              • Backup & Restore
              • Incident Response
          – References
      ANSI/ISA S99.02.01-2009 Establishing an IACS Security Program
  • 28. AWARENESS & TRAINING
      • Make sure personnel are aware of the importance of security and company policies
      • Provide role-based training
          – Visitors
          – Contractors
          – New hires
          – Operations
          – Maintenance
          – Engineering
          – Management
  • 29. NETWORK SEGMENTATION
      • Defense-in-Depth strategy
      • Partition the system into distinct security zones
          – Logical grouping of assets sharing common security requirements
          – There can be zones within zones, or subzones, that provide layered security
          – Zones can be defined physically and/or logically
      • Define security objectives and strategy for each zone
          – Physical
          – Logical
      • Create secure conduits for zone-to-zone communications
          – Install boundary or edge devices where communications enter or leave a zone to provide monitoring and control capability over which data flows are permitted or denied between particular zones.
  • 30. ACCESS CONTROL
      • Control and monitor access to control system resources
      • Logical & Physical
      • AAA
          – Administration
          – Authentication
          – Authorization
      • Review
          – Who has access?
          – To what resources?
          – With what privileges?
          – How is it enforced?
      • Zone-by-Zone
      • Asset-by-Asset
      • Role-by-Role
      • Person-by-Person
  • 31. SYSTEM HARDENING
      • Remove or disable unused communication ports
      • Remove unnecessary applications and services
      • Apply patches when and where possible
      • Consider ‘whitelisting’ tools
      • Use ISASecure™ certified products
  • 32. MONITOR & MAINTAIN
      • Install vendor recommended anti-virus and update signatures regularly
      • Review system logs periodically
      • Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS)
      • Pen testing (offline only)
      • Periodic assessments
  • 33. We help our clients improve the safety, security and availability of their automation systems
  • 34. Exida Security Services
      Supplier Services
      • Certifications
          – ISASecure™ EDSA Certification
          – Achilles Certified Communications™ Certification
      • Gap Analysis
          – Software Development Security Assurance Assessment
      • Training & Workshops
          – Secure Software Development for ICS Products
          – Threat Modeling Workshop
          – Secure Coding Workshop
          – Security Integration Testing
      End User Services
      • Control System Security Assessments
      • Security Policy / Procedure Development
      • FAT/SAT Security Assessments
      • Training & Workshops
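
Slide 21's definition of fuzz testing, worked through as an added example that is not part of the exida deck: a seeded mutation fuzzer feeds invalid, truncated and padded frames to a toy Modbus/TCP header parser and records every exception other than a clean rejection, first against a naive parser and then against a hardened one. The two parsers, the seed frame and all function names are constructed for illustration and are not any vendor's code.

```python
import random
import struct

# Constructed seed: a valid Modbus/TCP "read holding registers" request.
SEED = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)

def parse_mbap_naive(frame: bytes) -> dict:
    """Hypothetical toy parser that trusts the header's length field."""
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    assert len(pdu) == length - 1, "length field disagrees with payload"
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}

def parse_mbap_hardened(frame: bytes) -> dict:
    """Same fields; length covers unit id + PDU, so a frame is 6 + length bytes."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or not 2 <= length <= 254 or len(frame) != 6 + length:
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Return one invalid or unexpected variant of the seed frame."""
    data = bytearray(seed)
    kind = rng.randrange(3)
    if kind == 0:    # overwrite one byte with a random value
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif kind == 1:  # truncate at a random offset
        del data[rng.randrange(len(data) + 1):]
    else:            # append random trailing bytes
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 16)))
    return bytes(data)

def fuzz(parser, seed: bytes = SEED, rounds: int = 2000, rng_seed: int = 1) -> dict:
    """Feed mutated frames to parser; map each fault type to a first reproducer."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(rounds):
        case = mutate(seed, rng)
        try:
            parser(case)
        except ValueError:
            continue  # a clean rejection is the correct handling of bad input
        except Exception as exc:  # anything else is an unhandled fault
            findings.setdefault(type(exc).__name__, case)
    return findings

if __name__ == "__main__":
    print(fuzz(parse_mbap_naive), fuzz(parse_mbap_hardened))
```

The fixed `rng_seed` makes every finding reproducible, so a reproducer frame can be kept as a regression test once the parser is fixed.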