
Security Vulnerabilities: Stay One Step Ahead


An exida webinar that explores strategies automation system suppliers can employ to improve the inherent security of their products while staying one step ahead of the researchers who aim to expose their flaws. These strategies are also useful in preparing to react to vulnerabilities found either internally or externally. The webinar also discusses how end-users can enhance the security of their installed systems and respond to news of vulnerabilities found in the products they use.



  1. ICS Security Vulnerabilities: Stay One Step Ahead
  2. We help our clients improve the safety, security and availability of their automation systems. Copyright © 2010 - exida
  3. John A. Cusimano, CFSE, CISSP
     • Director of Security Solutions for exida
     • 20+ years experience in industrial automation
     • Employment history: Eastman Kodak; Moore Products; Siemens
     • Certifications: CFSE, Certified Functional Safety Expert; CISSP, Certified Information Systems Security Professional
     • Industry associations: ISA S99 Committee (WG4, WG5, WG7, WG8); ISA S84 Committee (WG9); ISA Security Compliance Institute; ICSJWG Workforce Development & Vendor Subgroups
  4. Agenda
     • Situation
     • Recommended Strategy for Suppliers
     • Recommended Strategy for End Users
  5. Situation
     • ICS products have rapidly evolved to incorporate COTS technology
     • Security was not a big concern in the ICS environment until recently
     • Most ICS vendors do not follow a mature security development lifecycle
     • The security researcher community has suddenly become aware of the ICS market
     • They are having success at finding and publishing vulnerabilities
  6. Stuxnet Response
     “Addressing Stuxnet goes beyond using quality security controls. The industry needs to demand higher quality software that is free from defects. Companies who develop products and write code need to continue to mature their development processes to become more secure.”
     Mark Weatherford, Vice President and Chief Security Officer, NERC
  7. Software-related SCADA incidents
     • Software Vendor Patch Crashes SCADA System
     • Computer Glitch Causes Major Power Outage
     • Faulty Software Causes Torrens Lake Drain
     • SCADA System Collapse Leads to Tunnel Closure
     • Computer Software Faults May Have Caused Chinook Helicopter Crash
     • Gas Leak Caused by Computer Malfunction
     Incidents from the Repository of Industrial Security Incidents (RISI) database (www.securityincidents.org)
  8. Luigi Auriemma
     • March 21, 2011
     • Independent security researcher Luigi Auriemma published 34 zero-day vulnerabilities affecting 4 different SCADA/HMI products:
       – Iconics Genesis32 v9.21 and Genesis64 v10.51 (13)
       – Siemens Tecnomatix FactoryLink v8.0.1.1473 (6)
       – DATAC RealWin 2.1 build 6.1.10.10 (7)
       – 7-Technologies IGSS v9.00.00.11059 (8)
     • Included code and commands to exploit the vulnerabilities
     • Vulnerabilities include stack and heap overflows, integer overflows, arbitrary command execution, format strings, double frees and arbitrary memory frees, memory corruptions, directory traversals, design problems, etc.
  9. Gleg Ltd. SCADA+ Pack
     • Moscow-based security firm Gleg Ltd. recently began selling an exploit pack called SCADA+ Pack
     • Includes both previously known and zero-day SCADA vulnerabilities:
       – Atvise SCADA (zero-day)
       – Control Microsystems ClearScada (zero-day)
       – DataRate SCADA WebControl and RuntimeHost (zero-day)
       – Indusoft SCADA Webstudio (zero-day)
       – ITS SCADA
       – Automated Solutions Modbus/TCP OPC Server
       – BACnet OPC client
       – Advantech Studio Web server
       – Iconics Genesis
 10. Rubén Santamarta
     • April 4, 2011
     • Independent security researcher Rubén Santamarta identified an RPC vulnerability in Advantech/BroadWin WebAccess, a web browser-based HMI product
     • The vulnerability affects the WebAccess Network Service on 4592/TCP and allows remote code execution
     • Rubén reported it to ICS-CERT and publicly released details of the vulnerability, including exploit code and instructions on how to use it
 11. Others
     • Joel Langill of SCADAhacker.com has responsibly disclosed several zero-day vulnerabilities, with exploits, to ICS-CERT and the affected vendors
     • Steve James of exploited security recently notified ICS-CERT of a vulnerability in AGG OPC SCADAViewer
 12. Dillon Beresford
     • May 9, 2011
     • Security researcher Dillon Beresford of NSS Labs reported several security vulnerabilities in the Siemens S7 PLC to ICS-CERT and Siemens, including proof-of-concept exploit code
     • On May 18th he was asked to cancel his scheduled demonstration at the TakeDownCon security conference
     • He later presented his findings at Austin Hackers Anonymous on May 26th
     • Beresford claims to be able to produce a Linux shell on the PLC and have root-level access to the OS
 13. Exploit Hub
     • Marketplace for validated, non-zero-day exploits
     • iPhone App-Store style marketplace for security researchers to sell their exploits
 16. Recommended Strategy for Suppliers
 17. Recommended Strategy for Automation Suppliers
     • Integrate security into the development lifecycle (SDL)
     • Evaluate existing products
     • Specific testing for security vulnerabilities
     • 3rd-party evaluation
     • Be prepared to respond to a disclosure
 18. Incorporating Security into the Software Development Lifecycle
     [Figure: SDL phases, left to right] Security Training → Security Requirements → Architecture Design (Security Risk Assessment and Threat Modeling) → Security Coding (Security Code Reviews & Static Analysis; Security Coding Guidelines) → Security Testing (Fuzz testing, Abuse case testing) → Security Validation → Security Response Planning and Execution
 19. Guidance
     • Microsoft - The Security Development Lifecycle [1]
     • DACS - Enhancing the Development Life Cycle to Produce Secure Software [2]
     • DHS - “Build Security In” [3]
     • ISASecure - Software Development Security Assessment (SDSA) specification [4]
     1. Howard, Michael, and Steve Lipner. The Security Development Lifecycle: SDL, a Process for Developing Demonstrably More Secure Software. Redmond, WA: Microsoft, 2006. Print.
     2. Goertzel, Karen, Theodore Winograd, et al., for the Department of Homeland Security and the Department of Defense Data and Analysis Center for Software. Enhancing the Development Life Cycle to Produce Secure Software: A Reference Guidebook on Software Assurance, October 2008.
     3. https://buildsecurityin.us-cert.gov/bsi/home.html
     4. www.isasecure.org, ESDA-312 Software Development Security Assessment (SDSA) (v1_4)
 20. Threat Modeling
     • Identify critical assets and interfaces
     • Create an architecture overview
     • Identify trust boundaries
     • Identify and rate threats
     • Identify vulnerabilities
     • Identify existing mitigations
     • Quantify residual risk
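As an added worked example (not code from the exida deck), the Python below walks the steps above for a constructed three-zone plant: zones with trust levels, the interfaces between them, which interfaces cross a trust boundary, threats rated by likelihood and impact, the mitigations already in place, and the residual risk that results. All zone names, interfaces, threats, scores and mitigation effects are assumptions chosen for illustration, and the scoring scheme (likelihood × impact on 1..5 scales, each mitigation removing likelihood points) is one simple scheme, not one the deck prescribes.

```python
"""Added example: a minimal threat-model register for a constructed ICS architecture.
Not from the exida deck. Zones, interfaces, threats, scores and mitigation effects
are all assumptions chosen for illustration."""
from dataclasses import dataclass, field

# Critical assets live in zones; each zone gets a trust level (higher = more trusted).
ZONES = {"enterprise": 1, "dmz": 2, "control": 3}


@dataclass(frozen=True)
class Interface:
    """A data flow between two zones: one edge of the architecture overview."""
    name: str
    source_zone: str
    dest_zone: str
    protocol: str


@dataclass
class Threat:
    """One threat against one interface, rated on 1..5 likelihood and impact."""
    interface: Interface
    description: str
    stride: str                       # STRIDE category, used only for reporting
    likelihood: int
    impact: int                       # safety / availability consequence
    mitigations: list = field(default_factory=list)  # (name, likelihood points removed)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        # Mitigations lower likelihood; it never drops below 1 (no threat is "impossible").
        removed = sum(points for _, points in self.mitigations)
        return max(1, self.likelihood - removed)

    def residual_risk(self) -> int:
        return self.residual_likelihood() * self.impact


# An interface is a trust boundary when its two ends have different trust levels;
# the dangerous direction is a flow initiated from the less trusted side.
def crosses_trust_boundary(iface: Interface, zones: dict = ZONES) -> bool:
    return zones[iface.source_zone] != zones[iface.dest_zone]


def inbound_from_lower_trust(iface: Interface, zones: dict = ZONES) -> bool:
    return zones[iface.source_zone] < zones[iface.dest_zone]


def build_model() -> list:
    """Constructed sample: three interfaces and four rated threats with their mitigations."""
    historian = Interface("historian replication", "control", "dmz", "SQL")
    vendor = Interface("vendor remote access", "enterprise", "control", "RDP over VPN")
    hmi_plc = Interface("HMI to PLC", "control", "control", "Modbus/TCP")
    return [
        Threat(vendor, "Stolen vendor credentials reach the engineering workstation",
               "Spoofing", likelihood=4, impact=5,
               mitigations=[("MFA on VPN", 2), ("access enabled per ticket only", 1)]),
        Threat(hmi_plc, "Unauthenticated Modbus write changes setpoints",
               "Tampering", likelihood=3, impact=5),
        Threat(historian, "SQL injection from the DMZ historian back into the control-zone collector",
               "Elevation of privilege", likelihood=2, impact=4,
               mitigations=[("one-way data diode", 2)]),
        Threat(vendor, "RDP session hijack after vendor logon",
               "Elevation of privilege", likelihood=2, impact=5,
               mitigations=[("jump host with session recording", 1)]),
    ]


# Quantify residual risk and rank it, highest first (ties broken by inherent risk).
def residual_risk_register(threats: list) -> list:
    rows = [{
        "interface": t.interface.name,
        "boundary": crosses_trust_boundary(t.interface),
        "description": t.description,
        "stride": t.stride,
        "inherent": t.inherent_risk(),
        "residual": t.residual_risk(),
    } for t in threats]
    return sorted(rows, key=lambda r: (-r["residual"], -r["inherent"]))


def above_tolerance(register: list, tolerance: int = 8) -> list:
    """Threats still needing treatment: residual risk above the (assumed) risk tolerance."""
    return [r["description"] for r in register if r["residual"] > tolerance]


if __name__ == "__main__":
    for row in residual_risk_register(build_model()):
        print(f'{row["residual"]:>3} (inherent {row["inherent"]:>2})  '
              f'{row["interface"]}: {row["description"]}')
```

Run as a script it prints the register with the unmitigated Modbus write at the top: the one threat on an interface that crosses no trust boundary is the one that remains above tolerance, which is the point of doing the residual step rather than stopping at boundary identification.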
 21. Security Integration Testing
     • Fuzz testing
       – Software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. The program is then monitored for exceptions such as crashes or failing built-in code assertions.
     • White box testing for security (abuse case)
       – Based on knowledge of how the system is implemented
       – Comprehend and analyze security
       – Create tests to exploit software
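As an added example (not code from the deck or from any product named in it), the Python below runs a small mutation fuzzer against two versions of a toy Modbus/TCP "Write Multiple Registers" parser: one that trusts the length and count fields in the frame, and one that validates them before use. The frame layout follows public Modbus/TCP framing (MBAP header followed by a PDU); the parsers, the seed frame, the mutation strategy and the iteration count are constructed for illustration. An unhandled Python exception plays the role of the crash or failed assertion a fuzzer watches for when the target is native code.

```python
"""Added example: mutation fuzzing a toy Modbus/TCP function 0x10 parser.
Not from the exida deck; frame layout follows Modbus/TCP framing, everything
else here (parsers, seed frame, mutator) is constructed for illustration."""
import random
import struct


class ProtocolError(Exception):
    """Expected, handled rejection of a malformed frame (not a crash)."""


def build_write_registers(tid: int, unit: int, start: int, regs: list) -> bytes:
    """MBAP header (tid, protocol id 0, length, unit id) + PDU for function 0x10."""
    pdu = struct.pack(">BHHB", 0x10, start, len(regs), 2 * len(regs))
    pdu += struct.pack(">%dH" % len(regs), *regs)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_unchecked(frame: bytes) -> dict:
    """Trusts every length and count field in the frame: the defect fuzzing should find."""
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if pdu[0] != 0x10:
        raise ProtocolError("unsupported function")
    start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
    # In C this is the out-of-bounds read; here struct raises when qty and nbytes disagree.
    regs = struct.unpack(">%dH" % qty, pdu[6:6 + nbytes])
    return {"tid": tid, "unit": uid, "start": start, "regs": regs}


def parse_checked(frame: bytes) -> dict:
    """Same parser with every field validated against the bytes actually received."""
    if len(frame) < 7:
        raise ProtocolError("short header")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ProtocolError("bad protocol id")
    if length < 2 or len(frame) != 6 + length:     # length counts unit id + PDU
        raise ProtocolError("length mismatch")
    pdu = frame[7:]
    if pdu[0] != 0x10:
        raise ProtocolError("unsupported function")
    if len(pdu) < 6:
        raise ProtocolError("short PDU")
    start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
    if not 1 <= qty <= 123 or nbytes != 2 * qty or len(pdu) != 6 + nbytes:
        raise ProtocolError("inconsistent register count")
    regs = struct.unpack(">%dH" % qty, pdu[6:])
    return {"tid": tid, "unit": uid, "start": start, "regs": regs}


INTERESTING = [0x00, 0x01, 0x7F, 0x80, 0xFF]


def mutate(frame: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random mutations: bit flip, boundary value, byte delete, byte insert."""
    data = bytearray(frame)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(4)
        if choice == 0 and data:
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif choice == 1 and data:
            data[rng.randrange(len(data))] = rng.choice(INTERESTING)
        elif choice == 2 and data:
            del data[rng.randrange(len(data))]
        else:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    return bytes(data)


def fuzz(parser, seed_frame: bytes, iterations: int = 2000, seed: int = 1) -> dict:
    """Feed mutated frames to `parser`; count clean rejections versus crashes."""
    rng = random.Random(seed)                       # fixed seed: findings are reproducible
    stats = {"accepted": 0, "rejected": 0, "crashes": 0, "first_crash": None}
    for _ in range(iterations):
        case = mutate(seed_frame, rng)
        try:
            parser(case)
            stats["accepted"] += 1
        except ProtocolError:
            stats["rejected"] += 1
        except Exception as exc:                    # unhandled: the crash / failed assertion
            stats["crashes"] += 1
            if stats["first_crash"] is None:
                stats["first_crash"] = (case.hex(), type(exc).__name__)
    return stats


# Constructed seed: transaction 1, unit 1, write 0x1234 and 0x5678 starting at register 0x0010.
SEED_FRAME = build_write_registers(tid=1, unit=1, start=0x0010, regs=[0x1234, 0x5678])

if __name__ == "__main__":
    for name, parser in (("unchecked", parse_unchecked), ("checked", parse_checked)):
        print(name, fuzz(parser, SEED_FRAME))
```

The unchecked parser produces crashes within the first few hundred cases, and the stored `first_crash` hex is the reproducer a developer would turn into a regression test. The checked parser rejects the same inputs with a `ProtocolError`, which is what "fails safe" looks like at this layer; a real harness on native code would watch for signals and sanitizer reports instead of exceptions.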
 22. Response Planning
     • Acknowledge the issue
     • Be open and forthright
     • Analyze the risk
     • Develop a mitigation plan
     • Responsibly notify customers
 23. Recommended Strategy for End-Users
 24. THE 7 THINGS
     1. ASSESSMENT
     2. POLICY & PROCEDURE
     3. AWARENESS & TRAINING
     4. NETWORK SEGMENTATION
     5. ACCESS CONTROL
     6. SYSTEM HARDENING
     7. MONITOR & MAINTAIN
 25. ASSESS EXISTING SYSTEMS
     • Perform control system security assessments of existing systems
     • Identify critical control system assets
     • Compare current control system design, architecture, policies and practices to standards & best practices
     • Identify risks and gaps and provide recommendations for closure
     • Benefits:
       – Provides management with a solid understanding of the current situation, gaps and path forward
       – Helps identify and prioritize investments
       – First step in developing a security management program
 27. POLICY & PROCEDURE
     • Establish control system security policies & procedures
       – Scope
       – Management Support
       – Roles & Responsibilities
       – Specific Policies
         • Remote access
         • Portable media
         • Patch management
         • Anti-virus management
         • Change Management
         • Backup & Restore
         • Incident Response
       – Reference: ANSI/ISA S99.02.01-2009, Establishing an IACS Security Program
 28. AWARENESS & TRAINING
     • Make sure personnel are aware of the importance of security and company policies
     • Provide role-based training
       – Visitors
       – Contractors
       – New hires
       – Operations
       – Maintenance
       – Engineering
       – Management
 29. NETWORK SEGMENTATION
     • Defense-in-Depth strategy
     • Partition the system into distinct security zones
       – Logical grouping of assets sharing common security requirements
       – There can be zones within zones, or subzones, that provide layered security
       – Zones can be defined physically and/or logically
     • Define security objectives and strategy for each zone
       – Physical
       – Logical
     • Create secure conduits for zone-to-zone communications
       – Install boundary or edge devices where communications enter or leave a zone, to provide monitoring and control capability over which data flows are permitted or denied between particular zones
 30. ACCESS CONTROL
     • Control and monitor access to control system resources
     • Logical & Physical
     • AAA
       – Administration
       – Authentication
       – Authorization
     • Review zone-by-zone, asset-by-asset, role-by-role and person-by-person:
       – Who has access?
       – To what resources?
       – With what privileges?
       – How is it enforced?
 31. SYSTEM HARDENING
     • Remove or disable unused communication ports
     • Remove unnecessary applications and services
     • Apply patches when and where possible
     • Consider ‘whitelisting’ tools
     • Use ISASecure™ certified products
 32. MONITOR & MAINTAIN
     • Install vendor-recommended anti-virus and update signatures regularly
     • Review system logs periodically
     • Consider Intrusion Detection (IDS) or Host Intrusion Prevention (HIPS)
     • Pen testing (offline only)
     • Periodic assessments
 34. Exida Security Services
     Supplier Services
     • Certifications
       – ISASecure™ EDSA Certification
       – Achilles Certified Communications™ Certification
     • Gap Analysis
       – Software Development Security Assurance Assessment
     • Training & Workshops
       – Secure Software Development for ICS Products
       – Threat Modeling Workshop
       – Secure Coding Workshop
       – Security Integration Testing
     End User Services
     • Control System Security Assessments
     • Security Policy / Procedure Development
     • FAT/SAT Security Assessments
     • Training & Workshops