Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012


Published on

Protecting Industrial Control Systems, my presentation at the Saudi SCADA Summit 2012

  • Be the first to comment

Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012

  2. 2. • It is the basic physical and organizational structures needed for the operation of a society or enterprise (Wikipedia)• What makes the infrastructure – Electricity – Oil and gas plants – Telecommunications – Water treatment plants – Food productions – Medical and Health – Transportation – Traffic control – Banks – Government security• Why is it critical? – The national security and economy depends on it – Supports the modern human life – Sustains inhabitable environment – Hard to replace – Expensive repairs – Catastrophic impacts12/03/2012 Protecting DCS and SCADA 3
  3. 3. • Obviously it is not new• Why it is becoming a pressing issue? – It impacts the whole nation, resulting in loss of life, environment, and billions of dollars. – Why fighting battles while you can from a single computer do more damage? – Structured cyber attacks are becoming easier as automated tools are emerging (backtrack, malware). – Becoming more exposed to threats. – Designed with poor security Incident events by date from 1982 to June 1, 2006 THE INDUSTRIAL ETHERNETBOOK, May 200712/03/2012 Protecting DCS and SCADA 4
  4. 4. 2010 Stuxnet worm The worm attacks windows machines and replaces a DLL file used by Siemens systems with a modified DLL file that provides the same functions but executes additional code which enables the attacker to spy on databases and projects and alter data sent to PLCs. The affected countries are Iran (58.85%), Indonesia (18.22%), India (8.31%), Azerbaijan (2.57%), United States (1.56%), Pakistan (1.28%), Others (9.2%) 20Malware%20Targeting%20SCADA%20Systems.html12/03/2012 Protecting DCS and SCADA 5
  5. 5. 2009 Disgruntled Employee Former IT consultant intentionally tampered with California’s oil and gas company computer systems, one of them is the system used to detect gas leaks ilty_plea/12/03/2012 Protecting DCS and SCADA 6
  6. 6. 2008 Network design After pushing software update from business network to SCADA network, the SCADA safety system forced an emergency shutdown causing Hatch nuclear power plant in Georgia millions of dollars and substantial expense of repair and restoration. The business network was in two-way communication with the plants SCADA network and the update synchronized information on both systems which caused missing some data related to the cooling system. Protecting DCS and SCADA 7
  7. 7. 2006 Hacker The hacker exploited Pennsylvania’s water treatment plant and injected virus and spyware into the computer systems and used them to distribute emails and pirated software which affected water treatment operations Protecting DCS and SCADA 8
  8. 8. 2005 Zotob worm 13 DaimlerChrysler’s U.S. automobile manufacturing plant was knocked offline for almost an hour Computer outages at heavy-equipment maker Caterpillar Inc. Computer outages at aircraft maker Boeing Protecting DCS and SCADA 9
  9. 9. 2003 Slammer worm Crashed the network and disabled the safety monitoring system of Davis-Besse nuclear power plant in Oak Harbor, Ohio for nearly 5 hours 13,000 ATMs knocked offline in U.S. 11,000 Postal knocked office offline in Italy 911 service stopped in Seattle SCADA of two U.S. utilities stopped Flights delayed or canceled at Huston Protecting DCS and SCADA 10
  10. 10. 2003 Sobig email virus Knocked out the train signaling systems throughout the east coast of the U.S. Protecting DCS and SCADA 11
  11. 11. 2000 Disgruntled contractor Through wireless link he broke into Maroochy’s Water Services SCADA system in Australia, and released 800,000 liters of raw sewage into local parks, rivers and even the grounds of a Hyatt Regency hotel. hy-Water-Services-Case-Study_report.pdf12/03/2012 Protecting DCS and SCADA 12
  12. 12. 1999 Hacker Controlled the gas flows running in the pipelines of the Russian energy company, Gazprom, for a short time Protecting DCS and SCADA 13
  13. 13. 1997 Hacker Broke into the Bell Atlantic computer system in Worcester, Massachusetts, and disabled part of the public switched telephone network using a dial-up modem connected to the system. This attack disabled phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. The tower’s main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland Protecting DCS and SCADA 14
  14. 14. Either • We are doing a better job than 1st and 2nd world countries who invented these technologies. • Every body is happy and we don’t have any enemies. • We don’t care about losses and we are good at covering up.12/03/2012 Protecting DCS and SCADA 15
  15. 15. • Different networks Internet – Field Network DMZ Extranet – Control Network Internet Security Control – Corporate network Intranet – WAN• Three-tier architecture Em Ad En De• Challenges – Management Cor. Con. Corporate Servers – Security Server Server – Resources – Support Cor. DB Con. DB – Vendor – Budget• Trends Control Control Center Corporate Field – Cut cost Center – Integration Business Control and Automation Field Services – Centralization Services – Consolidation Corporate Service Production Production Information – Virtualization and Could Computing – Shared Services IT Services Control Control Data Information – Outsourcing• Different Security Zones Field Gaining Maintainin Covering Have Reconnaissance Scanning Access g Access Tracks FUN Network Penetration12/03/2012 Protecting DCS and SCADA 16
  16. 16. Live SCADA Hacking Demonstration12/03/2012 Protecting DCS and SCADA 17
  17. 17. Possible Threats Possible Impacts• Humans, always the weakest link in the chain • Loss• Natural disasters and extreme conditions. • Life• Cyber warfare • Money• Foreign intelligence services. • Trust• Identity theft. • Reputation• Malicious code. • Competition• Data and information leakage • Disruption• Denial of service. • Destruction• Criminals, Hacktivists, terrorists. • Disclosure• Industrial spies. • Violation Natural Impact Areas Human/Political • LifeEnvironmental/Physical • Environment Logical/Technical • Technology You • Business12/03/2012 Protecting DCS and SCADA 18
  18. 18. • Weak security controls (design, configuration)• Poor network design• Improper input validation – Buffer overflow – Injections (SQL injection) – Cross-site encryption – Path traversal• Poor access and identity control• Weak communication protocols• Poor authentication• Code flaws• Poor patch and change management• Weak encryption US National Vulnerability Database Open Source Vulnerability Database SecurityFocus Vulnerability Database Exploit-DB12/03/2012 Protecting DCS and SCADA 19
  19. 19. Consequences Catastrophic Insignificant Moderate • Minor Major Follow a proven approach to risk management (AS/NZ 4360, OCTAVE, NIST SP 800-30, ISO27005) Likelihood 1 2 3 4 5 • Qualitative Risk analysis: Scenario based that describes the likelihood of threat/event and A (almost certain) H H E E E its impact on the business. B (likely) M H H E E • Qualitative Risk analysis: calculation of ALE, very difficult to put monetary value on C (possible) L M H E E unquantifiable variables such as reputation. D (unlikely) L L M H E E (rare) L L M H HAnnual Loss Expectancy = Annual Rate of Occurrence X (Asset Value X Percent of Loss) E Extreme Risk, immediate action High Risk, action should be taken to H Identify Identify and compensate Select vulnerabiliti evaluate Moderate Risk, action should be taken Identify Identify the Analyse and control es that options for M Identify Assets threats to impacts on evaluate objectives assets might be the assets the risks. the and to monitor exploited by treatment controls the threats of risks L Low Risk, routine acceptance of risk Risk Weakness/ Counter Technical Business Threat Source Vulnerability Safeguards Assets Measures Impact ImpactThreat Agent Attack / Exploit Exposure Compromised Asset Controls Threat Based OWSAP Model CC Risk Management Concept Flow 12/03/2012 Protecting DCS and SCADA 20
  20. 20. Board• National ICS Security Strategy – Establish Saudi ICS Cyber Emergency Response Team (Saudi ICS-CERT) based on US- CERT example, the ICS-CERT • Respond to and analyze control systems related incidents Steering Committee • Conduct vulnerability and malware analysis • Provide onsite support for incident response and forensic analysis SE • Provide situational awareness in the form of actionable intelligence • Coordinate the responsible disclosure of vulnerabilities/mitigations GM GM • Share and coordinate vulnerability information and threat analysis through GM GM information products and alerts – Coordinate with Saudi CERT ( Enterprise strategy• Corporate Security Strategy Part of enterprise governance – Establish security governance, read the Information Security Governance Guidance Executives’ responsibility for Boards of Directors and Executive Management, 2nd Edition Business requirement – Establish Audit Program (ISO 19011), Vulnerability Management, Pen-Tests Support commitment – Design with security in mind (Security Zones) Roles and responsibilities are defined – Follow a proven security framework (ISO27001) and carefully design the scope and Based on risk objectives. Enforced Awareness – Choose certified ICS vendors. Continuous review and enhancement12/03/2012 Protecting DCS and SCADA 21
  21. 21. • Why the ISO27001?• It is applicable on any business or system.1. Establish the ISMS 1. Get management support. 2. Define scope and objectives 3. Define ISMS policy 4. Define the risk assessment approach 5. Identify the risks 6. Analyse and evaluate the risks 7. Identify and evaluate options for the treatment of risks 8. Select control objectives and controls for the treatment of risks 9. Obtain management approval of the proposed residual risks 10. Prepare a Statement of Applicability2. Implement and operate the ISMS3. Monitor and review the ISMS4. Maintain and improve the ISMS 12/03/2012 Protecting DCS and SCADA 22