This talk is about how to get into ICS security, whether you’re a control system engineer or an IT security analyst. It will cover the basic paths you can take to get involved, including some helpful resources and standards to help get you started. The ICS Security industry needs more people to help protect Critical Infrastructure!
WHAT WENT WRONG
1. An engineer investigating a faulty voltage-control switch disabled two protective devices.
2. A short circuit occurred.
3. Because the protection systems were disabled, they could not contain the short circuit.
Qingdao, China, oil pipeline explosion, 22 November 2013: killed 62 people.
252 people were killed, nearly 500 injured and 15,000 were left homeless. New water pipes, made of zinc-coated iron, were built too close to an existing steel gas pipeline. Galvanic corrosion between the dissimilar metals caused the gas pipeline to leak into the water line.
Chain of events:
1. Replacement of power supply
2. Breaker removed from service
3. Control panel loses power
4. Erroneous low-pressure signal
5. Valves open
6. Valves cannot be controlled with power out
7. Line overpressured
8. Weld breaks
9. Ignition, explosion, fire
8 deaths, 58 injured
Talk briefly about what IT and OT are and how they work together in an enterprise. “Enterprise-wide security” doesn’t mean just the IT side.
2001 – 2010 = The Lost Decade 2010 – Present = The Age of Stuxnet
But you may lack the IT security know-how.
But you don’t understand the engineering or how the process works: electrical engineering, chemical engineering, mechanical engineering, etc.
Segmenting the network keeps commodity malware from spreading in either direction. It also keeps the operators from surfing eBay from the compressor station.
Visibility helps the SOC watch the ingress/egress points. Visibility helps the ICS engineers keep a better inventory and find PLC misconfigurations.
Explain: this is a reference architecture produced by academics at Purdue University and adopted by the International Society of Automation (ISA). The entire purpose of industrial automation and control systems is to remove humans from the loop: program the logic into the machines so people don’t have to be at each location taking measurements and making adjustments.
Sensors and actuators operate at Level 0. Sensors measure things in the physical world, such as flow, temperature, pressure and level. Actuators move things, like valves and connect/disconnect switches for motors. They are wired into the controller. They are generally not TCP/IP enabled, but this is changing.
Controllers are programmable devices found at Level 1. The programming specifies how the actuators move when the sensors provide certain readings. Controllers can also include variable frequency drives and protective relays. Many of these are TCP/IP enabled.
Level 2 includes more standard computing and networking technology. SCADA stands for supervisory control and data acquisition. Supervisory means that it allows a human operator, normally seated at a human-machine interface (HMI) screen, to identify abnormalities (normally by viewing alarms that pop up on the screen) and step in and issue remote commands to the system. If a process loses SCADA, nothing is going to happen, at least for a while: the logic exists in the controllers themselves to regulate the process. The job of process operators has been described as 90% intense boredom and 10% sheer panic.
The engineering workstation is used to program the control logic. You can think of this as a software development environment. Instead of languages such as Python, C and Visual Basic, the languages used are called “ladder logic”, “function block” and “structured text”. This machine would normally have the ability to talk to any PLC on the network to push new logic.
This layer also includes database technology called a process historian. The historian catalogs readings from the sensors and positions of the actuators to make them available to other applications, such as predictive maintenance and process optimization efforts. The historian records data that is not displayed to the operator.
Ideally the SCADA network is segmented from the business network by a dual firewall DMZ. This facilitates firewall management, while limiting ingress and egress.
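The segmentation and visibility points above (business network separated from SCADA by a DMZ, nothing on the business side reaching controllers, every host in the inventory) can be turned into an automated check over firewall or flow logs. The script below is an added example, not code from the talk or the speaker; the asset inventory, the flow records and the allowed-path rules are constructed assumptions chosen to illustrate the dual-firewall DMZ architecture.

```python
"""Audit observed network flows against a Purdue-model segmentation policy.

Added example; not code from the talk or from the speaker. The asset
inventory, the flow records and the allowed-path rules are constructed
assumptions chosen to illustrate the dual-firewall DMZ described above.
"""
from dataclasses import dataclass

# Purdue levels as used in the talk: 0 sensors/actuators, 1 controllers,
# 2 SCADA/HMI/EWS/historian. 3.5 is the DMZ between SCADA and business,
# and 4 stands for the business (enterprise) network.
DMZ = 3.5
ENTERPRISE = 4

# Constructed inventory: host address -> (asset name, Purdue level)
INVENTORY = {
    "10.0.1.10": ("plc-compressor-1", 1),
    "10.0.1.11": ("protective-relay-7", 1),
    "10.0.2.20": ("hmi-operator", 2),
    "10.0.2.21": ("engineering-workstation", 2),
    "10.0.2.22": ("process-historian", 2),
    "10.0.3.30": ("historian-replica", DMZ),
    "10.0.3.31": ("patch-server", DMZ),
    "192.168.50.5": ("erp-server", ENTERPRISE),
    "192.168.50.77": ("office-laptop", ENTERPRISE),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def level_of(host):
    """Purdue level of an inventoried host, or None if the host is unknown."""
    entry = INVENTORY.get(host)
    return None if entry is None else entry[1]


def check_flow(flow):
    """Return a reason string if the flow violates the policy, else None.

    Policy (an interpretation of the talk's architecture, not a standard):
    * both endpoints must be in the inventory; an unknown host is a
      visibility gap the SOC and the ICS engineers should close
    * business hosts may only reach the DMZ; anything below it is a bypass
    * a controller (level 0/1) may only be addressed from the SCADA level
    """
    src_lvl, dst_lvl = level_of(flow.src), level_of(flow.dst)
    if src_lvl is None or dst_lvl is None:
        return "unknown host (not in inventory)"
    lo, hi = sorted((src_lvl, dst_lvl))
    if hi >= ENTERPRISE and lo <= 1:
        return "business host reaching a controller directly"
    if hi >= ENTERPRISE and lo < DMZ:
        return "business/SCADA traffic bypasses the DMZ"
    if dst_lvl <= 1 and src_lvl > 2:
        return "controller addressed from outside the SCADA network"
    return None


def audit(flows):
    """Return [(flow, reason)] for every flow that violates the policy."""
    results = []
    for flow in flows:
        reason = check_flow(flow)
        if reason is not None:
            results.append((flow, reason))
    return results


# Constructed flow records, as they might come from firewall logs or a span port.
SAMPLE_FLOWS = [
    Flow("10.0.2.20", "10.0.1.10", 502),       # HMI polls PLC (Modbus/TCP)
    Flow("10.0.2.21", "10.0.1.11", 20000),     # EWS talks DNP3 to relay
    Flow("10.0.2.22", "10.0.3.30", 5450),      # historian pushes to DMZ replica
    Flow("192.168.50.5", "10.0.3.30", 5450),   # ERP reads from DMZ replica
    Flow("192.168.50.77", "10.0.1.10", 502),   # laptop talks Modbus to PLC
    Flow("192.168.50.5", "10.0.2.22", 1433),   # ERP reads historian directly
    Flow("10.0.3.31", "10.0.1.10", 44818),     # DMZ patch server reaches PLC
    Flow("172.16.9.9", "10.0.2.20", 3389),     # un-inventoried host to HMI
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print("%s -> %s:%d  %s" % (flow.src, flow.dst, flow.dport, reason))
```

Run against the sample flows, the last four records are reported and the first four pass. The point of the exercise is that the policy is written down as data the SOC and the ICS engineers can both read: the inventory is the engineers' asset list, and the findings are what the SOC would watch for at the ingress/egress points.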
Hacker Halted 2016 - How to get into ICS security
How to get into ICS Security
Chris Sistrunk, PE
Chris Sistrunk, PE
Sr. Consultant, FireEye
• Control system security assessments
• NSM and DFIR for ICS
• ICS Village (DEF CON & RSA Conference)
Entergy (11+ years)
• SCADA Engineer (10 years)
• Project Robus (ICS Protocol Fuzzing)
• 30+ implementation vulnerabilities in DNP3 stacks
• Substation Security Team
How small mistakes lead to big disasters
FPL Blackout, February 26, 2008
Enormous possible consequences
Qingdao, China Pipeline
0.5% of Security
“LinkedIn data identified over
189,000 professionals in active
information security positions
worldwide as of June 2015.”
- Cory Scott
• You’ve got the engineering or technical background
• You know how the plant or process works
• You probably already work with:
• ICS components like PLCs and RTUs
• ICS protocols like Modbus, Ethernet/IP, DNP3, etc
• Networking (ethernet, serial, including wireless)
• NERC/CIP or CFATS requirements
• But you don’t know IT systems, risks, threats, and security
Get familiar with security
• Security Conferences!
• Lots and lots of security material online (SecurityTube, etc)
• ICS Security Training (ICS-CERT, SANS ICS, Red Tiger, SCADAhacker)
• SamuraiSTFU, Kali, Security Onion Linux Distros
• Make friends with the IT Security team
Make an ICS Security Lab
• Many companies with control systems have labs
• If not, you may have spare equipment laying around…get creative!
What would be your Stuxnet?
• Think like a bad guy…with a hard hat!
• …like an attacker has your prints
• Who knows…you might find a vulnerability
“To make things work well, you must break them”
“Find evil, or ways for evil to do evil things”
Red Team and Blue Team
• Learn how to use Metasploit
• Search shodan.io
• Learn about Modbus Fuzzing
• Write some Snort rules
• Read up on Digital Forensics & Incident Response (DFIR)
• Take the ICS-CERT RvB Course
• You’ve got the computer and networking skills
• You know how business technology works
• You probably already know:
• Routers, switches, firewalls, domain controllers
• Web, email, and business applications
• Certifications like CCNA and CISSP
• HIPAA or PCI DSS requirements
• But you don’t know the engineering and physics behind the process
• What is it?
• Why is it important?
• How can we secure it?
Ladder logic on a PLC
Understand the why…
…then try to secure/monitor it
Take the opportunity to collaborate
• ICS network is flat with the corporate network
• ICS network has no logging or visibility
• IT has security goals
• OT has safety and uptime goals
• Can you do some things that satisfy both?
• SCADAsec email list at Infracritical
• ICS Security Conferences
• ICSJWG – FREE
• DigitalBond’s S4
• SANS ICS Summit
• Oil & Gas Security Summit
• ICS Cyber Security Conference “Weisscon”
National Council of ISACs
• Downstream Natural Gas www.dngisac.com
• Electricity www.esisac.com
• Oil & Natural Gas www.ongisac.org
• Water www.waterisac.org
ISAOs coming, knowledge sharing, ICS-ISAC, “BEER-ISAC”
• Robust Control System Networks, Ralph Langner
• Industrial Network Security, 2nd Edition, Knapp & Langill
• Cybersecurity for Industrial Control Systems, Macaulay & Singer
• Countdown to Zero Day, Kim Zetter
• Hacking Exposed Industrial Control Systems, Bodungen, et al.
• Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky & Brodsky
• NIST SP800-82 Revision 2
• IEC 62443
• …to name a few
Purdue Model - Reference Architecture
• Free online training and resources
• Free 5-day Red vs Blue ICS exercise
• ICS Vendor Training
• SANS ICS
• ICS410 and ICS515
• Red Tiger Security
• Lofty Perch
• There isn’t a Professional Engineering license for Security... but not everyone is an engineer.
• GICSP is a new certification out to teach IT folks the basics of ICS and OT folks the basics of security.
You’re still here
• What excites you about ICS security?
• Do you want to join us in ICS security?
Apply What You Have Learned Today
• Next week:
• Identify critical components within your ICS network
• Find out if they have any published security vulnerabilities, or if they are connected to the IT network, or even the Internet
• In the next three months:
• Understand who is accessing the ICS, from where, and why
• Within six months:
• Drive an implementation project to protect the most critical ICS devices
• Develop a roadmap to enhance ICS security architecture
• Capture some ICS network traffic and look for “evil”
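Several of the action items on this page come together in one piece of blue-team work: keeping an inventory of PLCs from what is on the wire, understanding who is accessing the ICS and from where, and capturing ICS traffic to look for “evil”. The script below is an added example, not code from the talk or the speaker. It decodes Modbus/TCP requests, builds a passive inventory of (controller, unit id, function codes seen), and reports writes from hosts that are not allowed to write, which is the same idea a Snort rule keyed on Modbus function codes expresses. The frames are constructed with build_request() rather than taken from a real capture, and the write allow-list is an assumption for the demo.

```python
"""Passive Modbus/TCP inventory and unauthorised-write detection.

Added example; not code from the talk or from the speaker. The frames
below are constructed with build_request() rather than taken from a real
capture, and the list of hosts allowed to write to controllers is an
assumption for the demo.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502
READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}


def build_request(tid, unit, fc, address, value):
    """Encode a Modbus/TCP request: MBAP header followed by a 5-byte PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, counts
    the unit id plus the PDU), unit id (1). For the simple functions used
    here the PDU is function code (1), address (2), quantity or value (2).
    """
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, fc, address, value)


def parse_request(payload):
    """Decode a Modbus/TCP request into a dict; raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:
        raise ValueError("length field %d disagrees with frame size" % length)
    req = {"tid": tid, "unit": unit, "fc": fc, "address": None, "value": None}
    # Functions 1-6, 15 and 16 all start their data with address + quantity/value;
    # other function codes are recorded but not decoded further.
    if fc in READ_FUNCTIONS or fc in WRITE_FUNCTIONS:
        if len(payload) < 12:
            raise ValueError("function %d needs an address and a quantity" % fc)
        req["address"], req["value"] = struct.unpack(">HH", payload[8:12])
    return req


def analyze(frames, write_allowlist):
    """Return (inventory, findings) from (src, dst, dport, payload) tuples.

    inventory maps (controller, unit id) -> set of function codes seen, a
    passive starting point for the asset list. findings lists malformed
    frames and write requests from hosts outside the allow-list.
    """
    inventory = defaultdict(set)
    findings = []
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue  # only requests toward a Modbus server are decoded
        try:
            req = parse_request(payload)
        except ValueError as err:
            findings.append((src, dst, "malformed Modbus frame: %s" % err))
            continue
        inventory[(dst, req["unit"])].add(req["fc"])
        if req["fc"] in WRITE_FUNCTIONS and src not in write_allowlist:
            findings.append((src, dst, "%s on unit %d at address %d from a host not allowed to write"
                             % (WRITE_FUNCTIONS[req["fc"]], req["unit"], req["address"])))
    return dict(inventory), findings


# Assumption for the demo: only the engineering workstation may push writes.
WRITE_ALLOWLIST = {"10.0.2.21"}

# Constructed frames: (source, destination, destination port, payload).
SAMPLE_FRAMES = [
    ("10.0.2.20", "10.0.1.10", 502, build_request(1, 1, 3, 0, 10)),       # HMI reads 10 registers
    ("10.0.2.21", "10.0.1.10", 502, build_request(2, 1, 6, 100, 1)),      # EWS writes a setpoint
    ("192.168.50.77", "10.0.1.10", 502, build_request(3, 1, 6, 100, 0)),  # office laptop writes it back
    ("10.0.2.20", "10.0.1.12", 502, build_request(4, 2, 1, 0, 8)),        # HMI reads coils on unit 2
    ("172.16.9.9", "10.0.1.10", 502,
     b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x01"),                 # protocol id 1: malformed
    ("10.0.1.10", "10.0.2.20", 52000, build_request(1, 1, 3, 0, 10)),     # response direction, skipped
]

if __name__ == "__main__":
    inventory, findings = analyze(SAMPLE_FRAMES, WRITE_ALLOWLIST)
    for (plc, unit), fcs in sorted(inventory.items()):
        print("%s unit %d: function codes %s" % (plc, unit, sorted(fcs)))
    for src, dst, reason in findings:
        print("%s -> %s: %s" % (src, dst, reason))
```

On the sample data the inventory lists two controllers and the findings are the laptop's write and the frame with a bad protocol id. In a real deployment the payloads would come from a pcap taken at a span port or the DMZ firewall, and the inventory output is what you would reconcile against the engineers' asset list before deciding which writes are expected.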