ICS presentation

1. Industrial Control Systems

2. Who Am I
- Chad Hunter
- Security Analyst at Portland General Electric (all views, opinions and information presented are my own and do not reflect the opinion of PGE in any way, shape or form)
- Formerly Network Admin on a CIP-controlled network at Bonneville Power Administration (same disclaimer applies)
- GIAC GICSP (Global Industrial Cyber Security Professional) and GRID (Response and Industrial Defense) certified
3. What is an Industrial Control System

4. What is an Industrial Control System
- A device, or set of devices, that manages, commands, directs or regulates the behavior of other devices or systems
- The intersection of the digital/cyber world and the physical world
- Built on feedback loops:
  - A sensor reads a value
  - The value is forwarded to the controller and compared against a set of parameters (the setpoint and its limits)
  - The controller sends a command to an actuator
  - The actuator acts on the physical environment
  - Repeat
5. Common ICS Components
- Programmable Logic Controller (PLC): computer-based controller with multiple I/O (the feedback loop); executes logic based on state; built to resist physical stress (heat, vibration, electrical noise)
- Remote Terminal Unit (RTU): communication link between control devices and supervisory systems. Can connect IEDs or PLCs to the supervisory system, or multiple discrete processes to centralized control. RTUs and PLCs are converging in function
- Intelligent Electronic Device (IED): device with limited programmability and a specialized function (for example a protective relay or a phasor measurement unit, PMU)

6. Common ICS Components
- Instrumented devices: sensors and actuators that physically interact with the plant
- Supervisory components:
  - Human Machine Interface (HMI): presents process data to the operator; may be read-only or may allow manual control
  - Historian: stores historical process data
  - Alarms
  - Operator/engineer workstations: used for changes and maintenance
- Safety Instrumented Systems (SIS): monitor for, and remediate, conditions that may threaten plant or personnel safety. An SIS is engineered as an independent layer with its own sensors and logic so that it still acts if the control system fails or is compromised
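The feedback loop and the role of an independent SIS are easier to see in a small simulation. This is an added example, not code from the presentation: a tank level process, a PLC scan cycle with on/off (hysteresis) control of an inlet valve, and an SIS with its own sensor and a high-high trip. The process model, the setpoint, the limits and the `run()` helper are all assumed for illustration.

```python
"""Toy ICS feedback loop (constructed illustration, not from the presentation).

Process: tank level in percent, drained by a fixed demand each cycle.
Controller: PLC scan cycle with hysteresis control of the inlet valve.
Protection: Safety Instrumented System with its own sensor and a latching
high-high trip that closes the inlet regardless of what the PLC commands.
run() returns the peak level reached, so the physical effect of a changed
setpoint or of falsified sensor feedback can be compared with and without
the SIS in place.
"""

from dataclasses import dataclass

OUTFLOW = 2.0      # percent of tank drained per cycle (fixed demand)
VALVE_OPEN = 4.0   # percent added per cycle while the inlet valve is open


@dataclass
class Tank:
    """The physical process: level in percent, clamped to 0..100."""
    level: float = 50.0

    def step(self, inflow: float) -> None:
        self.level = max(0.0, min(100.0, self.level + inflow - OUTFLOW))


class Plc:
    """One scan: read the level input, execute logic, write the valve output."""

    def __init__(self, setpoint: float = 50.0, band: float = 2.0):
        self.setpoint = setpoint   # normally changed from an engineering workstation
        self.band = band           # hysteresis band around the setpoint
        self.valve = 0.0

    def scan(self, measured: float) -> float:
        if measured < self.setpoint - self.band:
            self.valve = VALVE_OPEN
        elif measured > self.setpoint + self.band:
            self.valve = 0.0
        return self.valve


class Sis:
    """Independent trip logic with its own sensor; latches once tripped."""

    def __init__(self, high_high: float = 90.0):
        self.high_high = high_high
        self.tripped = False

    def check(self, level: float) -> bool:
        if level >= self.high_high:
            self.tripped = True
        return self.tripped


def run(cycles=60, setpoint=50.0, sensor_tamper=None, with_sis=True):
    """Simulate the loop for a number of PLC scan cycles.

    sensor_tamper(true_level) -> value the PLC sees, modelling falsified
    feedback to the controller; the SIS always reads the true level.
    """
    tank, plc, sis = Tank(), Plc(setpoint), Sis()
    peak = tank.level
    for _ in range(cycles):
        seen = sensor_tamper(tank.level) if sensor_tamper else tank.level
        inflow = plc.scan(seen)
        if with_sis and sis.check(tank.level):
            inflow = 0.0   # trip closes the inlet regardless of PLC output
        tank.step(inflow)
        peak = max(peak, tank.level)
    return {"peak": peak, "final": tank.level, "tripped": sis.tripped}


if __name__ == "__main__":
    print("normal operation:         ", run())
    print("setpoint 95, SIS present: ", run(setpoint=95.0))
    print("setpoint 95, SIS disabled:", run(setpoint=95.0, with_sis=False))
    print("sensor stuck at 40, SIS:  ", run(sensor_tamper=lambda _: 40.0))
    print("sensor stuck at 40, no SIS", run(sensor_tamper=lambda _: 40.0, with_sis=False))
```

With the normal setpoint the level oscillates between 46 and 54 and nothing trips. Raising the setpoint to 95 (what an unauthorized change from an engineering workstation would do) or feeding the PLC a constant low reading (falsified feedback, so the controller keeps the valve open) drives the real level upward; only the SIS, reading its own sensor, holds the peak at the 90 trip point. With the SIS disabled the tank reaches 98 or overflows at 100, which is why an attacker who wants a physical outcome has an interest in the safety layer itself.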
7. Types of Control Systems
- Process Control System: monitors the environment and can electronically control the process

8. Types of Control Systems
- Distributed Control System (DCS): a collection of process control systems, usually within a plant or confined region, connected to a central controller or master server

9. Types of Control Systems
- Supervisory Control and Data Acquisition (SCADA): traditionally a large-scale process that spans multiple sites or a large geographic area. The term is increasingly used interchangeably with ICS and DCS
10. Differences between IT and ICS Systems
12. Common Threats to ICS Systems
- Insider
- Hacktivist
- Nation state
- Cyber criminal
Nation states are of particular interest in the context of ICS networks. Compromising an ICS network, and especially maintaining persistence in one, is usually more complicated than compromising an IT network and requires a level of resources most commonly associated with nation states.
13. Cyber Kill Chain

14. ICS Cyber Kill Chain

15. ICS Specific Threats
- Stuxnet
- Havex
- BlackEnergy
- CRASHOVERRIDE
- TRITON/TRISIS
16. Stuxnet
- Nation-state developed
- Earliest traces from 2005; discovered in 2010
- Targets Siemens Step7 PLC programming software and the S7 controllers it programs
- Three modules:
  - Worm: executes the main payload
  - Link file (.lnk): propagates the worm to other systems
  - Rootkit: hides its activities
- Crossed the air gap on infected USB drives

17. Havex
- Discovered in 2014
- Distributed via watering-hole attacks, spear phishing and trojanized ICS vendor software installers
- Scans for TCP ports used by Rockwell and Siemens devices (44818 EtherNet/IP, 102 S7comm, 502 Modbus)
- Enumerates DCOM-based OPC (OPC Classic) servers to map the ICS network
- Mainly used for intelligence gathering, but the RAT payload allows complete control of the targeted system

18. BlackEnergy
- Multiple variants
- BlackEnergy2: used against infrastructure and HMI software in the US
- Modular: the dropper delivers plugins capable of executing files and updating itself
- BlackEnergy3: used in the December 2015 Ukraine grid attack
- Installs DLLs directly; no longer needs a kernel driver component

19. CRASHOVERRIDE
- Used in the December 2016 Ukraine attack
- Specifically targets the electric grid
- Modular:
  - Backdoor: executes various commands, including copying files and starting or stopping services
  - Launcher: loads the payload module and then the wiper
  - Payload modules: speak grid protocols directly (IEC 101, IEC 104, IEC 61850, OPC DA) to issue commands to field devices; further modules can extend capabilities
  - Wiper: clears registry keys, overwrites ICS configuration files and renders the system unusable
- Specifically designed to disrupt and destroy
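What "payload modules that speak grid protocols" means in practice is easiest to see at the frame level. The following is an added example, not the presentation's or Dragos' code: a minimal IEC 60870-5-104 APDU decoder plus a check that flags activation commands for control-direction ASDUs (single and double commands, the types used to open breakers) arriving from any host that is not on an allow-list of authorized masters. Frame layouts follow the public IEC 60870-5-104 standard; the sample frames, IP addresses and the `flag_control()` helper are constructed for illustration, and only the first information object of each ASDU is decoded.

```python
"""Minimal IEC 60870-5-104 APDU decoder and control-command check.

Constructed illustration, not code from the presentation or from any vendor.
Frame layout (IEC 60870-5-104): 0x68, length, 4 control-field bytes, ASDU.
ASDU: type ID, variable structure qualifier, cause of transmission (2 bytes
in 104: cause + originator), common address (2 bytes LE), then information
objects of 3-byte little-endian IOA followed by the element.
"""

import struct

ASDU_TYPES = {
    1: "M_SP_NA_1 single-point information",
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    100: "C_IC_NA_1 interrogation command",
}
CONTROL_TYPES = set(range(45, 70))   # process and system commands, control direction
COT_ACTIVATION = 6


def parse_apdu(raw: bytes) -> dict:
    """Decode one APDU into a dict. Raises ValueError on a malformed frame."""
    if len(raw) < 6 or raw[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    if raw[1] + 2 != len(raw):
        raise ValueError("APDU length field does not match frame size")
    cf = raw[2:6]
    if cf[0] & 0x01 == 0:
        fmt = "I"                      # information transfer
    elif cf[0] & 0x03 == 0x01:
        fmt = "S"                      # numbered supervisory
    else:
        fmt = "U"                      # unnumbered control (STARTDT, TESTFR, ...)
    apdu = {"format": fmt}
    if fmt != "I":
        return apdu
    apdu["tx_seq"] = (cf[0] >> 1) | (cf[1] << 7)
    apdu["rx_seq"] = (cf[2] >> 1) | (cf[3] << 7)
    asdu = raw[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq, cot, originator, ca = struct.unpack("<BBBBH", asdu[:6])
    apdu.update(type_id=type_id, type_name=ASDU_TYPES.get(type_id, "unknown"),
                sequence=bool(vsq & 0x80), count=vsq & 0x7F, cot=cot & 0x3F,
                negative=bool(cot & 0x40), test=bool(cot & 0x80),
                originator=originator, common_address=ca)
    body = asdu[6:]
    if len(body) >= 4:                 # first information object only
        apdu["ioa"] = body[0] | (body[1] << 8) | (body[2] << 16)
        apdu["element"] = body[3]
        if type_id == 45:              # SCO: bit 0 = state, bit 7 = select/execute
            apdu["state"] = "ON" if body[3] & 0x01 else "OFF"
            apdu["select"] = bool(body[3] & 0x80)
        elif type_id == 46:            # DCO: bits 0-1 = 1 OFF, 2 ON
            apdu["state"] = {1: "OFF", 2: "ON"}.get(body[3] & 0x03, "invalid")
            apdu["select"] = bool(body[3] & 0x80)
    return apdu


def flag_control(events, authorized_masters):
    """events: iterable of (src_ip, raw_apdu). Returns alerts for activation
    commands of a control-direction ASDU sent by a host that is not an
    authorized master, plus any malformed frames."""
    alerts = []
    for src, raw in events:
        try:
            apdu = parse_apdu(raw)
        except ValueError as exc:
            alerts.append((src, f"malformed APDU: {exc}"))
            continue
        if apdu["format"] != "I" or apdu["type_id"] not in CONTROL_TYPES:
            continue
        if apdu["cot"] == COT_ACTIVATION and src not in authorized_masters:
            alerts.append((src, f"{apdu['type_name']} {apdu.get('state', '')} "
                                f"IOA {apdu.get('ioa')} CA {apdu['common_address']}"))
    return alerts


# Constructed sample frames (hex), not captured from any real incident.
STARTDT_ACT = bytes.fromhex("68 04 07 00 00 00")
# Outstation reports single-point IOA 4097 = ON, cause 3 (spontaneous).
SPONTANEOUS_SP = bytes.fromhex("68 0E 00 00 00 00 01 01 03 00 01 00 01 10 00 01")
# Double command OFF (breaker open) to IOA 4098, cause 6 (activation).
OPEN_BREAKER = bytes.fromhex("68 0E 02 00 00 00 2E 01 06 00 01 00 02 10 00 01")

SAMPLE_EVENTS = [
    ("10.0.1.10", STARTDT_ACT),      # authorized master starts the link
    ("10.0.2.20", SPONTANEOUS_SP),   # outstation telemetry
    ("10.0.1.10", OPEN_BREAKER),     # operator action from the authorized master
    ("10.0.5.99", OPEN_BREAKER),     # same command from an unexpected host
]

if __name__ == "__main__":
    for alert in flag_control(SAMPLE_EVENTS, authorized_masters={"10.0.1.10"}):
        print(alert)
```

Run against the sample events, only the command from 10.0.5.99 is reported. Source allow-listing alone is not enough, though: CRASHOVERRIDE's 104 module ran on compromised operator hosts inside the control network, so in practice the same decode should feed a baseline of which IOAs are normally commanded, by whom and when, so that a burst of breaker-open commands from a legitimate address stands out as well.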
20. TRITON / TRISIS
- Discovered in 2017
- Specifically targeted Schneider Electric Triconex Safety Instrumented Systems
- Masqueraded as the legitimate Triconex TriLog application (dropped as trilog.exe) and used the TriStation protocol to reprogram the safety controller, the layer of protection that is supposed to act when everything else fails

21. Securing ICS
- DHS, Seven Steps to Effectively Defend Industrial Control Systems
- Prioritized by effectiveness:
  1. Application whitelisting: because ICS systems are relatively static this is easier than on a traditional IT network
  2. Configuration and patch management
  3. Reduce the attack surface: turn off unneeded ports and services, segment
  4. Build a defensible environment: network segmentation
  5. Manage authentication
  6. Secure remote access
  7. Monitor and respond: know your normal (baselines). This is the essence of active defense
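Both the Havex scanning behaviour described earlier and step 7 ("know your normal") come down to comparing observed traffic against a baseline. The following is an added example, not code from the presentation or from DHS: it learns the set of client/server/port tuples seen during a baseline window from reduced Zeek-style conn.log records, then reports tuples that were never seen before and any client touching several distinct ICS service ports, the pattern a Havex-style scanner produces. The log lines, hosts, column subset and threshold are constructed for illustration; the ports are the ones Havex's scanning module is known to probe, plus the DCOM endpoint mapper used by OPC Classic.

```python
"""Baseline-and-deviation check over reduced Zeek-style conn.log records.

Constructed illustration, not code from the presentation. Records are
tab-separated with the columns: ts, id.orig_h, id.orig_p, id.resp_h,
id.resp_p, proto, conn_state (a subset of Zeek's real conn.log fields).
"""

from collections import defaultdict

# Ports probed by Havex's ICS scanning module, plus DCOM for OPC Classic.
ICS_PORTS = {
    102: "Siemens S7comm / ISO-TSAP",
    502: "Modbus/TCP",
    44818: "EtherNet/IP (Rockwell)",
    135: "DCOM endpoint mapper (OPC Classic)",
}


def parse_conn(lines):
    """Parse reduced conn.log lines into dicts; comment lines are skipped."""
    records = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append({"ts": float(f[0]), "src": f[1], "dst": f[3],
                        "port": int(f[4]), "proto": f[5], "state": f[6]})
    return records


def learn_baseline(records):
    """The 'normal': every (client, server, port) tuple seen in the window."""
    return {(r["src"], r["dst"], r["port"]) for r in records}


def find_deviations(records, baseline, scan_threshold=3):
    """Return (new_pairs, scanners): tuples absent from the baseline, and
    clients that touched at least scan_threshold distinct ICS service
    endpoints. Failed connections (S0/REJ) count too: a scanner probing
    ports that are closed still reveals itself."""
    new_pairs = sorted({(r["src"], r["dst"], r["port"]) for r in records} - baseline)
    touched = defaultdict(set)
    for r in records:
        if r["port"] in ICS_PORTS:
            touched[r["src"]].add((r["dst"], r["port"]))
    scanners = {src: sorted(t) for src, t in touched.items() if len(t) >= scan_threshold}
    return new_pairs, scanners


def _rec(ts, src, sp, dst, dp, proto, state):
    return "\t".join(map(str, (ts, src, sp, dst, dp, proto, state)))


# Constructed sample data: an HMI polling two PLCs and a historian reading
# OPC from the HMI make up the baseline window.
BASELINE_LOG = [
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state",
    _rec(1.0, "10.10.1.5", 50111, "10.10.2.10", 102, "tcp", "SF"),
    _rec(1.5, "10.10.1.5", 50112, "10.10.2.11", 502, "tcp", "SF"),
    _rec(2.0, "10.10.1.6", 50200, "10.10.1.5", 135, "tcp", "SF"),
    _rec(61.0, "10.10.1.5", 50113, "10.10.2.10", 102, "tcp", "SF"),
]

# Observation window: the same traffic plus an engineering workstation
# sweeping ICS ports across the network (a Havex-style scan).
OBSERVED_LOG = BASELINE_LOG + [
    _rec(3600.0, "10.10.1.20", 41000, "10.10.2.10", 102, "tcp", "S0"),
    _rec(3600.1, "10.10.1.20", 41001, "10.10.2.11", 502, "tcp", "REJ"),
    _rec(3600.2, "10.10.1.20", 41002, "10.10.2.12", 44818, "tcp", "S0"),
    _rec(3600.3, "10.10.1.20", 41003, "10.10.1.5", 135, "tcp", "SF"),
]

if __name__ == "__main__":
    baseline = learn_baseline(parse_conn(BASELINE_LOG))
    new_pairs, scanners = find_deviations(parse_conn(OBSERVED_LOG), baseline)
    for pair in new_pairs:
        print("new communication:", pair)
    for src, endpoints in scanners.items():
        print("possible ICS scan from", src, "->", endpoints)
```

The baseline window must be taken from a period believed clean and long enough to cover periodic traffic such as nightly historian pulls, otherwise legitimate but infrequent flows show up as deviations; in an ICS network that is a manageable list because, as the whitelisting step notes, the population of hosts and conversations is small and stable.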
22. Securing ICS - Sliding Scale of Cyber Defense

23. References
- SANS ICS410: ICS/SCADA Security Essentials
- SANS ICS515: ICS Active Defense and Incident Response
- NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security
- Dragos, CRASHOVERRIDE: Analysis of the Threat to Electric Grid Operations (2017)
- Tripwire, Securing Industrial Control Systems with Tripwire