SCADA Security Webinar
SCADA Security Presented by Vern Williams, Chief Security Officer, CyberDefenses, Inc (CDI)


    1. CyberDefenses Information Assurance, CyberDefenses, Inc.
    2. Vern Williams
       • Californian by birth (Got to Texas as soon as I could)
       • Oceanographer by degree from US Naval Academy
       • Nuclear Engineer by Adm Rickover
       • Submarine Officer by US Navy
       • Disaster Relief Coordinator by ADRN
       • CSO for Cyber Defenses by career
       Proprietary and Confidential 2013 CyberDefenses, Inc. ©
    3. Industrial Control System (ICS) Security:
       • Unique impact on both physical and cyber worlds
       • Consequences can be more severe than in IT
       • Lifecycles of 5-30 years
       • Designed to operate in a bubble
       • So what is the threat to ICSs?
       • How can we defend them from the evil in the world?
    4. How bad is it really?
       "An Italian security researcher, Luigi Auriemma, has disclosed a laundry list of unpatched vulnerabilities and detailed proof-of-concept exploits that allow hackers to completely compromise major industrial control systems. The attacks work against six SCADA systems, including one manufactured by U.S. giant Rockwell Automation. The researcher published step-by-step exploits that allowed attackers to execute full remote compromises and denial of service attacks. Auriemma appeared unrepentant for the disclosures in a post on his website."
       Slashdot: mask.of.sanity
    5. History of attacks on water plants
       • SALT River Project SCADA Hack
       • Maroochy Shire Sewage Spill
       • Trojan/Key logger on Ontario Water SCADA System
       • Viruses Found on Auzzie SCADA Laptops
       • Software Flaw makes MA Water undrinkable
       • Audit/Blaster Causes Water SCADA Crash
       • DoS Attack on Water System via Korean Telecom
       • Penetration of California Irrigation District Wastewater Treatment Plant
       • SCADA Breach in Harrisburg, PA by an external hacker
    6. What do the Execs think?
       • Close to 30% of respondents believe their company was not prepared for a cyberattack, and more than 40% expect a major cyberattack within the next year, according to a survey of 200 IT security executives from electricity infrastructure enterprises in 14 countries conducted by Vanson Bourne for McAfee and CSIS.
       By Infosecurity, 27 April 2011
    7. The Patria Group
       This was the result of an instrument failure. What can "they" do to us when they intend harm?
    8. And the really bad news? Stuxnet and variants!
       Stuxnet infects Windows systems in its search for industrial control systems which consist of Programmable Logic Controllers (PLCs), and contain special code that controls the automation of industrial processes, for instance, to control machinery in a plant or a factory. Stuxnet has the ability to take advantage of the programming software to also upload its own code to the PLC in an industrial control system that is typically monitored by SCADA systems. In addition, Stuxnet then hides these code blocks, so when a programmer using an infected machine tries to view all of the code blocks on a PLC, they will not see the code injected by Stuxnet. Thus, Stuxnet isn't just a rootkit that hides itself on Windows, but is the first publicly known rootkit that is able to hide injected code located on a PLC.
       Stuxnet Introduces the First Known Rootkit for Industrial Control Systems, from Symantec Blog
    9. What does DHS say?
       DHS Warns ICS, SCADA Owners About Increase in Malicious Activity
       • Be proactive in auditing the security, particularly the authentication controls, of their systems.
       • Alert is in response to a growing concern over the number of exploit tools available online targeting ICS and SCADA systems.
       • Growing interest from hacktivists using special search engines to find ICS accessible online.
    10. Who is affected?
       Exploit kits were made publicly available that target programmable logic controllers for industrial control systems
       • Affects: GE, Rockwell Automation, Schneider Electric and Koyo
       • Another exploit was built for the Ethernet/IP protocol used by a number of PLC vendors
       • Added to report of a backdoor in CoDeSys ladder logic system used by 261 PLC manufacturers to execute ladder logic.
    11. What else do we have to worry about?
       • Kaspersky Labs believes four other malwares, which they call Duqu, Flame, Gauss, and MiniFlame, were developed by the same US "cyber-weapons factory".
       • 2012 ICS CERT tracked 171 unique vulnerabilities
       • Shodan used to identify 20K Internet accessible and vulnerable ICS
       • Shamoon destroyed 30K of Saudi Aramco computers (seems to be a lone perpetrator)
    12. Can we continue like this?
       The status quo is broken. (We need to fix it.)
       Doing the same things we are now is doomed to failure.
       Working together with IT and Corporate Security, we can make the bad guys' day harder!
       The one thing worse than the operator not having control is "them" having control.
    13. What can we do?
       • Practice Defense in Depth by Policy
       • Avoid any attempt to bypass controls
       • Establish accountability for actions
       • Ask the hard questions:
         – How good was Identity Proofing when "Joe" was hired?
         – If the contract requires me to be vulnerable, maybe it is time to get a new contractor or provider.
    14. Security Goals
       • Develop / review the security policy for your ICS environment
       • Architect a robust ICS environment
       • Build security concerns into your contracts
       • Require your provider to "Build Security In"
       • Train your staff and Educate your users
       • Require accountability
       • Develop and Train an ICS Incident Response Team
    15. Incident Response
       Current State of the Art Response
       • Emergency Operations Management
       • Cyber Incident Response
         – US-CERT
         – CERT, CMU
       • ICS CERT
         – Control Systems Security Program (CSSP) DHS
         – New but taking advantage of experience from both
    16. Phases of Incident Response
       • Planning
       • Incident Prevention
       • Incident Management
         – Detection
         – Containment
         – Remediation
         – Recovery
       • Post Incident Analysis
    17. Incident Response Key Elements
       Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability, October 2009
    18. Where to start?
       So where do we start to achieve this capability?
       We have existing resources that can be brought to bear, but we first have to have the will of management and funding.
       In developing an Incident Response Plan, you have to engage all of the stakeholders and they each have to have ownership of the results.
    19. Key Response and Monitoring
       • Emergency Management: Physical Security, Loss Prevention, Fire Protection, EOC Staff. Respond to physical effects.
       • Cyber Incident Response: IT Help Desk, Anti-Virus, USB management, Network and System Security Controls, Forensics, Change Management. Deals well with traditional IT systems and networks.
       • ICS Operations: Change Management. Typically strong physical access, weak encryption and identity management, long lifecycles.
    20. Obstacles to overcome?
       • Distrust between InfoSec, IT and ICS staff
       • Tools that do not support ICS protocols
       • Response Time vs Encryption
       • Robust IdM vs Easy Operator Access
       • "Starting" a new industry in ICS Security
       The one thing worse than the operator not having control is "them" having control.
    21. Let's get started!
       • Get buy-in from the TOP
       • Form the team (provide incentive)
       • Develop an ICS Incident Response Plan (plagiarism is the quickest way)
       • Train your staff, get the tools needed
       • Develop outsourcing and comms channels
       • Exercise, Feedback, Exercise, etc.
    22. Team Members
       • ICS-CERT Team Manager
       • Process or Control System Engineer
       • Network and System Admins
       • Plant Manager / CIO / Chief Engineer
       • Security and Legal SMEs
       • PR and HR Specialists
       • Vendor Support Engineers and others
    23. Build and Exercise the Plan
       • Get started and work out the bugs
       • Basic plan should provide guides for phases
       • Build checklists and forms to standardize actions
       • Develop outside contacts with LEO, Fire etc.
       • Establish communications methods
       • Some ONE has to be in charge
       • Use realistic scenarios to exercise your plan; use actual incidents if available
    24. What else can we do?
       • Assess your vulnerabilities (cross discipline)
       • Mitigate where possible
       • Architect with Security in mind
       • Encryption is the best defense against compromise and delays can be minimal
       • Identity is key. If you do not know who, you do not know much.
    25. Key SCADA Questions For your CEO
       Here are five questions chief executives should ask about cyber risks:
       1) How is our executive leadership informed about the current level and business impact of cyber risks to our company?
       2) What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
       3) How does our cyber security program apply industry standards and best practices?
       4) How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
       5) How comprehensive is our cyber incident response plan? How often is it tested?
       Posted by Greg Hale on Feb 28 2013. This is an excerpt from ISSSource.
    26. Axioms:
       • "You will do 85% or worse in competition than your best in practice." Karl Rehn
       • Train the way you expect to "fight".
       • Learn to "fight" wounded.
    27. References:
       • Guide to Industrial Control Systems (ICS) Security, NIST 800-82, May 2013
       • Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability, October 2009, DHS
       • In the Dark: Crucial Industries Confront Cyberattacks
       • CERT Resources
       • Control Systems Security Program (CSSP)
       • ICS Information Sharing and Analysis Center (ISAC): http://www.ics-isac.org
    28. Vern Williams, CSO, Cyber Defenses, Inc.
       CISSP, CSSLP, ISSEP, ISAM, CCSK, CBCP
       ISSA Distinguished Fellow
       Senior Member, IEEE (Institute of Electrical and Electronics Engineers)
       Member ISA and CSA
       ISSA International Honor Roll, 2007
       ISSA 2005 Security Practitioner of the Year
       512.297.8798 (mobile)
       1205 Sam Bass Road, Suite 300, Round Rock, TX 78681
       Vern.Williams@CyberDefenses.com
       Vern.Williams@IEEE.org
    29. CyberDefenses Information Assurance, CyberDefenses, Inc.