Industrial Control Systems and Incident Response
•
0 likes•15 views
The document discusses industrial control systems (ICS) and incident response. It provides an overview of ICS operations, including common system types like SCADA, DCS, PLCs and HMIs. It then outlines an industrial cyber incident response process that includes preparation, detection/analysis, eradication/containment, and recovery. Key aspects of planning for ICS incident response are also summarized, such as organizing a response team, setting policies and procedures, and exercising response plans. Methods for incidence prevention and maintaining system visibility are briefly covered.
Recommended
More Related Content
Similar to Industrial Control Systems and Incident Response
Similar to Industrial Control Systems and Incident Response (20)
Recently uploaded
Recently uploaded (20)
Industrial Control Systems and Incident Response
- 1. IndustrialControl Systems and Incident Response Presented By: Yugal Pathak Digital ForensicAnalyst
- 2. Agenda Introduction ICS Operations Industrial Incident Response ICS Incident Response Planning Incidence Prevention Incidence Management Post Incidence Analysis and forensics Challenges
- 3. Introduction The term industrial control system refers to supervisory control and data acquisition, process control, distributed control, and any other systems that control, monitor, and manage the nation's critical infrastructure. Cyber incident response is the way in which an organization responds to a perceived cyber-related incident that may impact ICS owner assets or their ability to operate.
- 4. Introduction Industrial control system (ICS) is a general term that encompasses several types of control systems. Control and Data Acquisition (SCADA) Systems Distributed control systems (DCS) Programmable Logic Controllers (PLC) Human Machine Interfaces ( HMIS)
- 5. IndustrialControlSystems (ICS)/SCADA areAllAround us … and we rely on it every day for our basic functions and needs. Industrial Automation Oil & Gas Critical manufacturing Water & Sewage Electricity Transportation Building Management
- 7. Legacy System Default Configuration Less/No Updates Less/No Encryption Policies & Procedures Less/No Segmentation Latency Concerns WhyAre These Attacks Possible?
- 10. Industrial Cyber Incident Response Process Preparation: • This involves monitoring, compiling, and determining the relevance of IT assets such as network and servers to identify the critical/sensitive assets and prepare for incidents. Detection/Analysis: • Detection includes gathering data from IT systems, security tools, publicly available information, and people.This also involves predicting whether an incident will occur in the future or whether it has already occurred. • In Analysis, the baselines of the impacted systems are identified and linked to relevant events to determine if they vary from normal behavior. Eradication/Containment: • This aims to halt and contain attacks before they cause significant harm. Recovery: • Following the incident, it’s essential to learn and ask important questions. Questions like: • What happened and when did it happen? • How was the situation handled? • Were the procedures followed? • Were there any grave mistakes? • What could have been done differently? • What tools do we need to mitigate similar incidents? • How will this be avoided in the future?
- 12. Planning Organizing theTeam Team Responsibilities Team Organization Staffing Roles Setting Policies and Procedures Building the Cyber Incident Response Plan Exercising the Plan System State and Status Reporting
- 13. Incidence Prevention Preventing a cyber incident is preferable to responding to one, but prevention takes on a whole new dimension in the ICS environment. This is because compared with typical IT, beyond the network there are far fewer, and in some cases, no detection capabilities available in system devices. In addition, working components may have vulnerabilities that may never be fixed, and the results of the most severe attacks could include injury, loss of life, and severe financial loss. Because the relative vulnerability and consequences are both high, the facility should put sufficient resources into incident prevention.
- 14. Industrial Security Process Visibility - Independently log all SCADA activity: Network, Protocols,Commands,Values Define Baseline and Policies Set Rules based on Known / Unknown / Not Allowed or Anomaly Based Behavior Analysis Detection - Identify Deviations andAttacks / Anomaly Detection Based on the defined rules, time of day, attack patterns Enforcement – Passive (Alert) / Active (Prevent) Based on configuration and/or topology – In-line orTap
Editor's Notes
- So what is ICS? ICS is around us and most days we do not even notice. It supplies the water when we turn on the faucet and takes waste away when we flush the toilet. It powers our lights and electronics, ensures our aircraft run on time and do not collide mid-air. It dispatches our emergency services and ships cargo around the world by sea, land, and air. It even ensures that our traffic flows smoothly, automates manufacturing and helps manage natural resources. ICS is the backbone of our nation’s economy, security and health.
- When logging SCADA traffic, it is also important to log the actual parameters, registers and values being transferred. An attacker may be able to replay correct network flows (for example between different PLCs), but he may change the values transferred in the communication to affect the operation of the machines. For example, a furnace may receive a higher level of temperature to work in, and damage the operation. This parameter level functionality is unique to Check Point. None of our competitors offers this level of detail.