The document discusses industrial control systems (ICS) and incident response. It provides an overview of ICS operations, including common system types like SCADA, DCS, PLCs and HMIs. It then outlines an industrial cyber incident response process that includes preparation, detection/analysis, eradication/containment, and recovery. Key aspects of planning for ICS incident response are also summarized, such as organizing a response team, setting policies and procedures, and exercising response plans. Methods for incident prevention and maintaining system visibility are briefly covered.
3. Introduction
The term industrial control system refers to supervisory control and data acquisition, process control, distributed control, and any other systems that control, monitor, and manage the nation's critical infrastructure.
Cyber incident response is the way in which an organization responds to a perceived cyber-related incident that may impact ICS owner assets or their ability to operate.
4. Introduction
Industrial control system (ICS) is a general term that encompasses several types of control systems:
• Supervisory Control and Data Acquisition (SCADA) systems
• Distributed control systems (DCS)
• Programmable Logic Controllers (PLC)
• Human Machine Interfaces (HMIs)
5. Industrial Control Systems (ICS)/SCADA are All Around Us
… and we rely on it every day for our basic functions and needs.
• Industrial Automation
• Oil & Gas
• Critical manufacturing
• Water & Sewage
• Electricity
• Transportation
• Building Management
10. Industrial Cyber Incident Response Process
Preparation:
• This involves monitoring, compiling, and determining the relevance of IT assets such as networks and servers to identify the critical/sensitive assets and prepare for incidents.
Detection/Analysis:
• Detection includes gathering data from IT systems, security tools, publicly available information, and people. This also involves predicting whether an incident will occur in the future or whether it has already occurred.
• In Analysis, the baselines of the impacted systems are identified and linked to relevant events to determine if they vary from normal behavior.
Eradication/Containment:
• This aims to halt and contain attacks before they cause significant harm.
Recovery:
• Following the incident, it’s essential to learn and ask important questions, such as:
  • What happened and when did it happen?
  • How was the situation handled?
  • Were the procedures followed?
  • Were there any grave mistakes?
  • What could have been done differently?
  • What tools do we need to mitigate similar incidents?
  • How will this be avoided in the future?
13. Incident Prevention
Preventing a cyber incident is preferable to responding to one, but prevention takes on a whole new dimension in the ICS environment.
This is because, compared with typical IT, beyond the network there are far fewer, and in some cases no, detection capabilities available in system devices.
In addition, working components may have vulnerabilities that may never be fixed, and the results of the most severe attacks could include injury, loss of life, and severe financial loss.
Because the relative vulnerability and consequences are both high, the facility should put sufficient resources into incident prevention.
14. Industrial Security Process
• Visibility - Independently log all SCADA activity: network, protocols, commands, values
• Define baseline and policies - Set rules based on Known / Unknown / Not Allowed or anomaly-based behavior analysis
• Detection - Identify deviations and attacks / anomaly detection, based on the defined rules, time of day, attack patterns
• Enforcement - Passive (Alert) / Active (Prevent), based on configuration and/or topology: in-line or tap
Editor's Notes
So what is ICS?
ICS is around us and most days we do not even notice. It supplies the water when we turn on the faucet and takes waste away when we flush the toilet. It powers our lights and electronics, ensures our aircraft run on time and do not collide mid-air. It dispatches our emergency services and ships cargo around the world by sea, land, and air. It even ensures that our traffic flows smoothly, automates manufacturing and helps manage natural resources.
ICS is the backbone of our nation’s economy, security and health.
When logging SCADA traffic, it is also important to log the actual parameters, registers and values being transferred.
An attacker may be able to replay correct network flows (for example between different PLCs), but he may change the values transferred in the communication to affect the operation of the machines.
For example, a furnace may be sent a higher temperature to work at, damaging the operation.
This parameter level functionality is unique to Check Point.
None of our competitors offers this level of detail.
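The parameter-level logging and rule-based detection described on the Industrial Security Process slide and in the note above, as an added example (not code from this deck or from Check Point): a constructed baseline for one furnace PLC register, each logged write classified as known / unknown / not allowed / anomaly (covering the replayed-flow-with-tampered-value case), and passive (alert) versus active (prevent) enforcement. Device names, register numbers, value ranges and hours are assumed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline (hypothetical values): for each (device, register) the hosts
# allowed to write it, the value range seen in normal operation, and expected hours.
BASELINE = {
    ("plc-furnace", 40001): {"writers": {"hmi-01"}, "range": (150, 400), "hours": (6, 22)},
}

@dataclass
class WriteEvent:
    ts: datetime
    src: str
    dst: str
    register: int
    value: int

def classify(ev: WriteEvent) -> str:
    """Classify a parameter-level write as known / unknown / not_allowed / anomaly."""
    policy = BASELINE.get((ev.dst, ev.register))
    if policy is None:
        return "unknown"        # device/register never seen in the baseline
    if ev.src not in policy["writers"]:
        return "not_allowed"    # write from a host that is not permitted
    start, end = policy["hours"]
    if not start <= ev.ts.hour < end:
        return "not_allowed"    # write outside the expected time of day
    lo, hi = policy["range"]
    if not lo <= ev.value <= hi:
        return "anomaly"        # correct flow replayed with a tampered value
    return "known"

def enforce(events, mode="alert"):
    """Passive mode only alerts; active ('prevent') mode also marks the write blocked."""
    out = []
    for ev in events:
        verdict = classify(ev)
        out.append((ev.register, ev.value, verdict, mode == "prevent" and verdict != "known"))
    return out

# Constructed sample log: normal setpoint, tampered replay, unexpected writer,
# night-time write, and a register absent from the baseline.
SAMPLE = [
    WriteEvent(datetime(2024, 1, 10, 9, 0), "hmi-01", "plc-furnace", 40001, 350),
    WriteEvent(datetime(2024, 1, 10, 9, 1), "hmi-01", "plc-furnace", 40001, 900),
    WriteEvent(datetime(2024, 1, 10, 9, 2), "eng-laptop", "plc-furnace", 40001, 350),
    WriteEvent(datetime(2024, 1, 10, 3, 0), "hmi-01", "plc-furnace", 40001, 350),
    WriteEvent(datetime(2024, 1, 10, 9, 3), "hmi-01", "plc-furnace", 40099, 1),
]
```

Running `enforce(SAMPLE, mode="prevent")` flags every write except the first, whereas in alert mode the same verdicts are returned without blocking; the same flow from the same host is caught only because the value itself is logged and compared to the baseline range.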