Presented @ BSidesDE
Industrial automation and control system (IACS) and supervisory control and data acquisition (SCADA) cyber security has gotten a lot of press recently due to those systems being the target of attacks by Stuxnet, Duqu, Flame, and others. These are not the first viruses, worms, or malware to affect IACS and SCADA systems, but they carried payloads specifically targeting those systems. While the exact vulnerabilities exploited were considered zero-days, the basic methods they used to infect their target systems were not unknown: infected removable media and drives, peer-to-peer infection on a network, rootkits, and hard-coded passwords. It is unlikely that all of these infections could have been prevented completely, but many common cyber security methods and controls could have prevented different aspects of each of these attacks.
IACS and SCADA cyber security is more about using proven security methods, controls, and technology than it is about the newest widget being sold by your favorite vendor. Many of the same methods, controls, and technology used in the IT environment can be used in the industrial environment, but their usage needs to be carefully analyzed before they can be applied. IACS and SCADA systems have real-world consequences that necessitate taking a risk-based approach to security. The International Society of Automation’s (ISA’s) committee on security for IACS (ISA99) and IEC have developed a series of standards (ISA/IEC 62443) to define procedures for implementing and measuring cyber security. This talk is a primer on the ISA/IEC 62443 series. It’s not intended as a deep-dive, but an introduction to what is and what is not part of the series and where you can go for more information.