Process Whitelisting And Resource Access Control For ICS Computers
Kuniyasu Suzaki
National Institute of Advanced Industrial Science and Technology (AIST)
&
Control System Security Center (CSSC)
At S4x14 SCADA Security Scientific Symposium, OTDay 14/Jan/2014
Who am I?
• Kuniyasu Suzaki is a researcher of
– National Institute of Advanced Industrial Science and Technology (AIST)
– Control System Security Center (CSSC)

[Photo: Entrance of Tohoku Tagajo Headquarters (TTHQ) of CSSC]
What is CSSC?
■Outline
http://www.css-center.or.jp/

Name: Control System Security Center (Abbreviation: CSSC)
  ※A corporation authorized by the Minister of Economics, Trade and Industry
Established: March 6, 2012 (The registration date)
Location:
  [Tohoku Tagajo Headquarters (TTHQ)] Tagajo City, Miyagi, Japan
  [Tokyo Research Center (TRC)] National Institute of Advanced Industrial Science and Technology Waterfront, Tokyo, Japan
Association members (in alphabetical order), total 23 corporations (as of Dec, 2013); * marks the 8 starting member corporations:
• Azbil Corporation *
• Fuji Electric Co., Ltd.
• FUJITSU LIMITED
• Hitachi, Ltd. *
• Information-technology Promotion Agency, Japan (IPA)
• Japan Quality Assurance Organization (JQA)
• LAC Co., Ltd.
• McAfee Co., Ltd.
• Mitsubishi Electric Corporation
• Mitsubishi Heavy Industries Ltd. *
• Mitsubishi Research Institute Inc. *
• Mori Building Co., Ltd. *
• National Institute of Advanced Industrial Science and Technology (AIST) *
• NEC Corporation
• NRI Secure Technologies Ltd.
• NTT Corporation
• OMRON Corporation
• The University of Electro-Communications
• Tohoku Information Systems Company, Incorporated
• Toshiba Corporation *
• Toyota InfoTechnology Center Co., Ltd.
• Trend Micro Incorporated
• Yokogawa Electric Corporation *
Organization and Activity
• Under the supervision of the Steering Committee, 4 task committees were established.
• The Certification Laboratory (CSSC-CL) has also been in operation since 01/08/2013.

Task Committee / Activities
• R&D and Testbed Task Committee: It sets the direction of R&D regarding control system security as well as the construction of testbeds, and promotes R&D and leverages the testbeds.
• Certification and Standardization Task Committee: It examines evaluation certification regarding control system security and strategies and policies of standardization. It leverages the testbeds for evaluation certification and standardization.
• Incident Handling Task Committee: It prepares for security incidents in control systems and examines the directions of technical development needed for incident handling, including countermeasures against security incidents.
• Promotion and Human Resource Development Task Committee: It sets the direction of awareness and human resource development for control system security as a technical research association. It enhances situational awareness and promotes human resource development, making use of the testbeds.
• CSSC-CL: It promotes international standard compliance certification. In particular it conducts evaluation/certification of ICS and the “Communication Robustness Test” defined in EDSA.
Testbed of CSSC
[Photos: Process automation systems; Factory automation]
Today’s Topic
Why is white list control used on ICS?
• Contents
– Background
– OS lockdown by white list control
– Implementation detail
– Case study on a SCADA system
Background to introduce white list (1/3)
• OSes on ICS were changed from Special to Commodity.
– Commodity OS is cheap. It has plenty of functions, developers, users and vulnerabilities.
– Example: Many SCADA systems on Windows

                 Special OS   Commodity OS
Functions        Few          Many
Vulnerabilities  Few          Many

Apply White List Technology (Lockdown): inactivate unnecessary functions → Reduce vulnerabilities
Background to introduce white list (2/3)
• Best Effort vs. Quality Control (Taguchi Method)
– Quality Control is not real-time processing.
• Dispersion of overhead (time delay) must be controlled.
– Commodity OS has many security tools (anti-virus tools), but they work on a best-effort basis.
• There is no guarantee on delay, because the black list must be updated periodically.
• ICS systems require predictable delay.
– The delay caused by security tools should be predictable.
Background to introduce white list (3/3)
• White list control
– The overhead is predictable.
– It can be added on to an existing OS of an ICS.
• ICS does not need to run many applications.
– E.g., a SCADA system requires few applications.
• White list control amounts to a lockdown of the OS.
OS Lockdown
• Lockdown against malware.
• Legitimate applications work well if the necessary computing resources are registered.
(1) Process Creation
(2) Computing Resource Access from a process
Function of OS Lockdown
(1) Limit the process creation
– Parent-child relation
• Necessary applications must have their parent applications registered on the process white list.
– Integrity check for binary
• The SHA-1 of each binary must be registered on the process white list.
– [Useful Option] Conflict of interest
• If an application must run exclusively of another application, the two cannot run at the same time.
• It can prevent TOCTOU attacks (time of check to time of use).
• False operation is also prevented.
– For example, an administrator cannot run office applications while SCADA is running.
Function of OS Lockdown
(2) Limit computing resource access from a process
– The computing resources are files, devices, and the network (IP address and port).
• If a relation between a resource and processes is registered on the white list, the resource can be accessed only from those processes.
– “don’t care” setting
• If a resource is not registered, all processes can access it.
• This was a request from ICS developers!
• Traditional access control is too strict, and it is difficult to make its white list (e.g., SELinux). Furthermore, a white list with many elements causes access delay.
• Availability is important on ICS.
Example of OS Lockdown

[Figure: Normal OS on HMI vs. Lockdown OS on HMI]

Normal OS on HMI: applications have vulnerabilities, and resources have no limitation on use.
– The disk file is opened by A and B.
– An attack creates a malicious process C; there is no rule for process creation.
– C creates process G to access the disk; there is no rule to access the file, so the attack accesses the (green) file.

Lockdown OS on HMI:
• Process White List: (1) A creates B, D, and G. (2) D creates E. (3) E and G cannot run at the same time.
• Resource Access Control: the file is opened by E and G.
– An attack creates a malicious process C, which creates process G to access the disk.
– G can be created by A and can access the disk. However, G cannot run along with E at the same time, to protect access to the same resource.
Related Works

                         SE Linux   Tomoyo Linux   Commercial white list (Win)   Our method (Win)
Parent-Child relation    ✔          ✔              ―                             ✔
Conflict of Interest     ―          ―              ―                             ✔
SHA1 Integrity Check     ―          ―              ―                             ✔
Access Control           ✔          ✔              partially                     ✔
Log based List Creation  ―          ✔              ✔                             ✔
Current Implementation
• Process creation is hooked by a kernel callback
– PsSetCreateProcessNotifyRoutineEx()
• Resource access control is implemented with the Filter Manager
• PWC (process white list control) and RAC (resource access control) are implemented on Windows as device drivers.

[Figure: implementation architecture]
– User space: a parent process requests process creation (system call); processes request access to resources (system call).
– Kernel space: the process white list module hooks the create-process call through PsSetCreateProcessNotifyRoutineEx and looks up the Process White List (Child (SHA1) ― Parent). Creation is denied if there is no entry on the Process White List; the hook returns “CreationStatus” to allow or disallow. If process creation is allowed, the Process Manager creates the child process.
– Resource access (file, network, device) goes through the I/O Manager and the Filter Manager (Resource Access Control) device driver, which consults the Access Control List. Access is denied if the target resource is listed and the access is not allowed.
How to create white list
• 4 types of white list are created.
P: Process creation  F: File access  N: Network Access  D: Device Access
• Most entries are created from logs of trial runs.
– The logs are formatted and refined with an editing tool.

[Figure: list creation flow]
– Log gathering: on Windows 7, a driver for log gathering records the P, F, N and D events of the applications during trial runs.
– Editing tool: the logs are turned into the Process White List (P) and the Access Control lists (F, N, D).
– Controlled: on Windows 7, the applications then run under the Process White List and Access Control.
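An added example (not the editing tool from the talk) of the log-based list creation just described: constructed trial logs in an assumed layout are folded into the P, F and N lists in the slide format, and a child seen with two different hashes across trials is flagged for the hand refinement the slides mention.

```python
import csv
import hashlib
import io
from collections import defaultdict


def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()


# Constructed trial-run logs. The layout is assumed (the slides do not show the
# driver's log format): P,child,sha1-of-child,parent / F,process,file / N,process,ip,port
TRIAL_LOGS = [
    rf"P,C:\Windows\System32\smss.exe,{sha1_hex(b'smss')},System",
    rf"P,C:\opt\SCADA\SACA.exe,{sha1_hex(b'scada-build-42')},C:\Windows\explorer.exe",
    rf"P,C:\opt\OPC\OPC.exe,{sha1_hex(b'opc-build-7')},C:\Windows\explorer.exe",
    r"F,C:\opt\SCADA\SACA.exe,C:\opt\SCADA\config",
    r"F,C:\opt\SCADA\SACA.exe,C:\opt\SCADA\log.txt",
    r"F,C:\Windows\explorer.exe,C:\opt\SCADA\config",
    r"N,C:\opt\SCADA\SACA.exe,192.168.0.21,502",
    # Second trial: repeated events, plus OPC.exe rebuilt between the trials.
    rf"P,C:\opt\SCADA\SACA.exe,{sha1_hex(b'scada-build-42')},C:\Windows\explorer.exe",
    rf"P,C:\opt\OPC\OPC.exe,{sha1_hex(b'opc-build-8')},C:\Windows\explorer.exe",
    r"F,C:\opt\SCADA\SACA.exe,C:\opt\SCADA\config",
    r"N,C:\opt\SCADA\SACA.exe,192.168.0.21,502",
    r"N,C:\opt\OPC\OPC.exe,192.168.0.31,502",
]


def build_lists(log_lines):
    """Fold trial logs into the lists; returns (P rows, F map, N map, unstable children)."""
    p_rows, f_map, n_map = set(), defaultdict(set), defaultdict(set)
    hashes_seen = defaultdict(set)
    for kind, *fields in csv.reader(log_lines):
        if kind == "P":
            child, sha1, parent = fields
            p_rows.add((child, sha1, parent))   # duplicates across trials collapse here
            hashes_seen[child].add(sha1)
        elif kind == "F":
            process, path = fields
            f_map[path].add(process)            # one row per resource, many processes
        elif kind == "N":
            process, ip, port = fields
            n_map[(ip, int(port))].add(process)
    # A child observed with two different hashes needs a human decision (which
    # build is the trusted one?); this is the part the slides say is refined by hand.
    unstable = {c for c, hs in hashes_seen.items() if len(hs) > 1}
    return sorted(p_rows), dict(f_map), dict(n_map), unstable


def render_process_list(p_rows):
    """Emit rows in the slide's format: child, SHA-1 of child, parent."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(p_rows)
    return out.getvalue()


def render_resource_lists(f_map, n_map):
    """File rows: file, then processes. Network rows: IP, port, then applications."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    for path in sorted(f_map):
        w.writerow([path, *sorted(f_map[path])])
    for ip, port in sorted(n_map):
        w.writerow([ip, port, *sorted(n_map[(ip, port)])])
    return out.getvalue()
```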
Sample: Process White List
Columns: child process, SHA-1 of child process binary, parent process

C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,System
C:\Windows\System32\autochk.exe,1bd90caff9f3ab1d3cb7136ce9146c1c2e69368b,C:\Windows\System32\smss.exe
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
C:\Windows\System32\wininit.exe,c7bba9840c44e7739fb314b7a3efe30e6b25cc48,C:\Windows\System32\smss.exe
C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
C:\Windows\System32\services.exe,54a90c371155985420f455361a5b3ac897e6c96e,C:\Windows\System32\wininit.exe
C:\Windows\System32\lsass.exe,d49245356dd4dc5e8f64037e4dc385355882a340,C:\Windows\System32\wininit.exe
C:\Windows\System32\lsm.exe,e16beae2233832547bac23fbd82d5321cfc5d645,C:\Windows\System32\wininit.exe
C:\Windows\System32\winlogon.exe,b8561be07a37c7414d6e059046ab0ad2c24bd2ad,C:\Windows\System32\smss.exe

Each row records one parent-child relation.
The SHA-1 of the binary is used for the integrity check.
Sample: Resource Access Control
• File Access Control
Columns: file, processes
C:\opt\SCADA\log.txt, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\SCADA\config, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\OPC\config, C:\opt\OPC\OPC.exe,C:\Windows\explorer.exe

• Network Access Control
Columns: IP Address, Port, Applications
192.168.0.12,80,C:\Program Files\Internet Explorer\iexplore.exe
192.168.0.11,80,C:\Users\test\Google\Chrome\Application\chrome.exe
192.168.0.10,0,C:\opt\netperf\netperf.exe,C:\opt\netperf\netserver.exe
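The two checks from the “Function of OS Lockdown” slides, run as an added example over the sample lists above (a user-mode model written for this page, not the driver from the talk). The SCADA and Office rows with their all-1/all-2 hashes, the conflict pair, and the reading of port 0 as “any port” are assumptions.

```python
import csv
import ipaddress
from collections import defaultdict

# Process white list rows in the slide's format (child, SHA-1 of child, parent).
# The first four rows are the slide's own; the SCADA and Office rows and their
# hashes are constructed for the conflict-of-interest demonstration.
PROCESS_WL = r"""
C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,System
C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
C:\Windows\System32\wininit.exe,c7bba9840c44e7739fb314b7a3efe30e6b25cc48,C:\Windows\System32\smss.exe
C:\Windows\System32\services.exe,54a90c371155985420f455361a5b3ac897e6c96e,C:\Windows\System32\wininit.exe
C:\opt\SCADA\SACA.exe,1111111111111111111111111111111111111111,C:\Windows\explorer.exe
C:\Program Files\Office\WINWORD.EXE,2222222222222222222222222222222222222222,C:\Windows\explorer.exe
"""
# File rows from the slide: file, then the processes allowed to open it.
FILE_ACL = r"""
C:\opt\SCADA\log.txt, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\SCADA\config, C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
C:\opt\OPC\config, C:\opt\OPC\OPC.exe,C:\Windows\explorer.exe
"""
# Network rows from the slide: IP, port, then the allowed applications. Port 0 is
# read here as "any port" (an assumption; the slide shows it but does not define it).
NET_ACL = r"""
192.168.0.12,80,C:\Program Files\Internet Explorer\iexplore.exe
192.168.0.10,0,C:\opt\netperf\netperf.exe,C:\opt\netperf\netserver.exe
"""
# Conflict-of-interest pairs (constructed from the slide's "no office apps during SCADA").
CONFLICTS = [(r"C:\opt\SCADA\SACA.exe", r"C:\Program Files\Office\WINWORD.EXE")]


def _rows(text):
    return [[f.strip() for f in row] for row in csv.reader(text.strip().splitlines())]


class Lockdown:
    def __init__(self, process_wl, file_acl, net_acl, conflicts):
        # Creation passes only if the exact (child, SHA-1, parent) triple is listed.
        self.proc_rules = {tuple(r) for r in _rows(process_wl)}
        self.file_rules = {r[0]: set(r[1:]) for r in _rows(file_acl)}
        # Network rules keyed by one integer, (IPv4 as 32-bit int) << 16 | port,
        # so the lookup is integer hashing rather than a string comparison.
        self.net_rules = {}
        for ip, port, *apps in _rows(net_acl):
            self.net_rules[(int(ipaddress.IPv4Address(ip)) << 16) | int(port)] = set(apps)
        self.conflicts = defaultdict(set)
        for a, b in conflicts:
            self.conflicts[a].add(b)
            self.conflicts[b].add(a)
        self.running = set()  # image paths currently running, for the exclusivity rule

    def create_process(self, parent, child, sha1):
        """Model of the create-process hook: returns (allowed, reason)."""
        if (child, sha1.lower(), parent) not in self.proc_rules:
            return False, "no (child, SHA-1, parent) entry on the process white list"
        if self.conflicts[child] & self.running:
            return False, "conflict of interest: an exclusive peer is running"
        self.running.add(child)
        return True, "allowed"

    def exit_process(self, image):
        self.running.discard(image)

    def open_file(self, path, process):
        """Filter-manager model: checked on open() only; an unlisted file is 'don't care'."""
        allowed = self.file_rules.get(path)
        return True if allowed is None else process in allowed

    def connect(self, ip, port, process):
        """Same don't-care rule for IP/port; the exact port is tried before wildcard 0."""
        base = int(ipaddress.IPv4Address(ip)) << 16
        for key in (base | port, base):
            if key in self.net_rules:
                return process in self.net_rules[key]
        return True


def scenario():
    """Walk the HMI example through the lockdown; returns name -> allowed."""
    ld = Lockdown(PROCESS_WL, FILE_ACL, NET_ACL, CONFLICTS)
    smss, csrss = r"C:\Windows\System32\smss.exe", r"C:\Windows\System32\csrss.exe"
    explorer, scada = r"C:\Windows\explorer.exe", r"C:\opt\SCADA\SACA.exe"
    word, opc = r"C:\Program Files\Office\WINWORD.EXE", r"C:\opt\OPC\OPC.exe"
    r = {}
    r["smss_from_system"] = ld.create_process("System", smss, "ad34f33130393425d3d4ce671e0d4488ed8d1b6c")[0]
    r["smss_tampered"] = ld.create_process("System", smss, "0" * 40)[0]  # right path, wrong hash
    r["csrss_from_explorer"] = ld.create_process(explorer, csrss, "53bc9b2ae89fcad6197ec519ae588f926c88e460")[0]
    r["scada_starts"] = ld.create_process(explorer, scada, "1" * 40)[0]
    r["office_during_scada"] = ld.create_process(explorer, word, "2" * 40)[0]
    ld.exit_process(scada)
    r["office_after_scada"] = ld.create_process(explorer, word, "2" * 40)[0]
    r["scada_opens_config"] = ld.open_file(r"C:\opt\SCADA\config", scada)
    r["opc_opens_scada_config"] = ld.open_file(r"C:\opt\SCADA\config", opc)
    r["unlisted_file"] = ld.open_file(r"C:\Temp\notes.txt", opc)
    r["ie_to_web"] = ld.connect("192.168.0.12", 80, r"C:\Program Files\Internet Explorer\iexplore.exe")
    r["scada_to_web"] = ld.connect("192.168.0.12", 80, scada)
    r["netserver_any_port"] = ld.connect("192.168.0.10", 5000, r"C:\opt\netperf\netserver.exe")
    r["unlisted_host"] = ld.connect("10.0.0.5", 502, scada)
    return r
```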
Optimization for ICS
• Small white list
– The “don’t care” setting allows a small white list.
• The white list mechanism for files is applied on the open() function only. It does not check read() and write().
– String matching takes much time: about 200-300 μs on a current CPU.
• The white list mechanism for IP address and port takes less than 20 μs, because it is achieved by arithmetic operations.
Case study on SCADA system
• White List Control is applied on a SCADA system

[Figure: test setup]
– 15 PLC Emulators (three groups of five) connected over Modbus/TCP to the NIC of the server.
– The server runs SCADA (with a SCADA config file and a log file) and OPC (with an OPC config file).
• SCADA and OPC get information from the PLCs every 1 second.
Detail of SCADA System
• Server (Windows 7 32-bit)
– SCADA (3 types are tested): PA-Panel, Winlog, OpenSCADA http://openscada.org/
– OPC: DeviceExplore
• PLC
– Modbus PLC emulator http://www.plcsimulator.org/
• 5 emulators run on each of 3 PCs (15 in total).
OS Lockdown
• Limit process creation
– About 100 parent-child relations
• IP addresses and ports
– 5 networks for SCADA, 10 networks for OPC
• Config and log files are limited
– 2 files for SCADA, 1 file for OPC

[Figure: red lines indicate access limitation for SCADA; green lines indicate access limitation for OPC]
Each overhead is estimated at less than 200 μs.
Attack on the SCADA system
• IE’en [BlackHat’02] attacks DCOM (port 135), which is used by OPC.
– http://www.securityfriday.com/tools/IEen.html
• The attack is prevented by white list control, because the attack requires a process creation which is not registered on the white list.
Limitation of Current White List
• Current white list control cannot reduce vulnerabilities.
– Malware can still exploit them, but its activity is limited.
• It is not easy to make a perfect white list automatically.
– The current white list is made from several trials. It is also refined by hand.
– A method to create the white list from a specification is needed. [future work]
Conclusions
• OS Lockdown (White List Control) for Industrial Control Systems
– ICS does not need to run many applications.
– White list control offers predictable time delay.
– Some optimization techniques reduce the overhead.
• White List Control was applied on SCADA systems and its feasibility was confirmed. It will be applied on testbed systems of CSSC.
Application Whitelisting and DPI in ICS (English)Application Whitelisting and DPI in ICS (English)
Application Whitelisting and DPI in ICS (English)
 
Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)Industrial Wireless Security (Japanese)
Industrial Wireless Security (Japanese)
 
S4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze ItS4x14 Session: You Name It; We Analyze It
S4x14 Session: You Name It; We Analyze It
 
Writing ICS Vulnerability Analysis
Writing ICS Vulnerability AnalysisWriting ICS Vulnerability Analysis
Writing ICS Vulnerability Analysis
 
HART as an Attack Vector
HART as an Attack VectorHART as an Attack Vector
HART as an Attack Vector
 

Recently uploaded

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Process Whitelisting And Resource Access Control For Secure ICS

  • 1. Process Whitelisting And Resource Access Control For ICS Computers
    Kuniyasu Suzaki, National Institute of Advanced Industrial Science and Technology (AIST) & Control System Security Center (CSSC)
    At S4x14 SCADA Security Scientific Symposium, OTDay, 14/Jan/2014
  • 4. Organization and Activity
    • Under the supervision of the Steering Committee, 4 task committees were established.
    • The Certification Laboratory (CSSC-CL) has also been in operation since 01/08/2013.
    Task committees and their activities:
      – R&D and Testbed Task Committee: sets the direction of R&D regarding control system security as well as the construction of testbeds, and promotes R&D that leverages the testbeds.
      – Certification and Standardization Task Committee: examines evaluation certification regarding control system security and the strategies and policies of standardization; it leverages the testbeds for evaluation certification and standardization.
      – Incident Handling Task Committee: prepares for security incidents in control systems and examines the directions of technical development needed for incident handling, including countermeasures to security incidents.
      – Promotion and Human Resource Development Task Committee: sets the direction of awareness and human resource development for control system security as a technical research association; it enhances situational awareness and promotes human resource development, making use of the testbeds.
    CSSC-CL activities: promotes international standard compliance certification; in particular, it conducts evaluation/certification of ICS and the "Communication Robustness Test" defined in EDSA.
  • 5. Testbed of CSSC
    (Figure: process automation systems and factory automation testbeds.)
  • 6. Today's Topic
    Why is white list control used on ICS?
    • Contents
      – Background
      – OS lockdown by white list control
      – Implementation detail
      – Case study on a SCADA system
  • 7. Background to introduce white list (1/3)
    • OSes on ICS were changed from special to commodity.
      – A commodity OS is cheap. It has plenty of functions, developers, users, and vulnerabilities.
      – Example: many SCADA systems run on Windows.
                       Special OS   Commodity OS
      Functions          Few          Many
      Vulnerabilities    Few          Many
    • Applying white list technology (lockdown) inactivates unnecessary functions and so reduces vulnerabilities.
  • 8. Background to introduce white list (2/3)
    • Best effort vs. quality control (Taguchi method)
      – Quality control does not mean real-time processing.
        • The dispersion of the overhead (time delay) must be controlled.
      – A commodity OS has many security tools (anti-virus tools), but they are based on best effort.
        • There is no guarantee for the delay, because the black list must be updated periodically.
        • ICS systems require a predictable delay.
      – The delay caused by security tools should be predictable.
  • 9. Background to introduce white list (3/3)
    • White list control
      – The overhead is predictable.
      – It can be added on to the existing OS of an ICS.
        • An ICS does not need to run many applications.
          – E.g., a SCADA system requires few applications.
    • White list control orders a lockdown of the OS.
  • 10. OS Lockdown
    • Lockdown against malware.
    • Legitimate applications work well if the necessary computing resources are registered.
    (Figure: (1) process creation; (2) computing resource access from a process.)
  • 11. Function of OS Lockdown (1): Limit process creation
    – Parent-child relation
      • A necessary application must register its parent application on the process white list.
    – Integrity check for the binary
      • The SHA-1 of each binary must be registered on the process white list.
    – [Useful option] Conflict of interest
      • If an application must run exclusively of another application, the two cannot run at the same time.
      • It can prevent TOCTOU (time of check to time of use) attacks.
      • False operation is also prevented: for example, the administrator cannot run office applications while SCADA is running.
  • 12. Function of OS Lockdown (2): Limit computing resource access from a process
    – The computing resources are files, devices, and the network (IP address and port).
      • If a relation between a resource and processes is registered on the white list, the resource can be accessed only from those processes.
    – "Don't care" setting
      • If a resource is not registered, all processes can access it.
      • This is a request from ICS developers!
      • Traditional access control is too strict, and it is difficult to make the white list (e.g., SELinux). Furthermore, many elements in a white list cause access delay.
      • Availability is important on ICS.
  • 13. Example of OS Lockdown
    (Figure: "Normal OS on HMI" beside "Lockdown OS on HMI".)
    Process white list: (1) A creates B, D, and G. (2) D creates E. (3) E and G cannot run at the same time.
    Resource access control: the green file is opened by A and B; the other file is opened by E and G.
    Normal OS: applications have vulnerabilities, and resources have no limitation on use. There is no rule for process creation, so the attack creates a malicious process C, and C creates a process G to access the disk. There is no rule for accessing the file, so the attack accesses the green file.
    Lockdown OS: G can be created by A and can access the disk. However, G cannot run along with E at the same time, which protects against both accessing the same resource.
  • 14. Related Works
                                SELinux   Tomoyo Linux   Commercial white list (Win)   Our method (Win)
    Parent-child relation         ✔           ✔                   ―                         ✔
    Conflict of interest          ―           ―                   ―                         ✔
    SHA-1 integrity check         ―           ―                   ―                         ✔
    Access control                ✔           ✔               partially                     ✔
    Log-based list creation       ―           ✔                   ✔                         ✔
  • 15. Current Implementation
    • Process creation is hooked by a callback function: PsSetCreateProcessNotifyRoutineEx().
    • Resource access control is implemented with the Filter Manager.
    • PWC and RAC are implemented on Windows as device drivers.
    (Figure: in user space, a parent process requests process creation (system call). In kernel space, the hook registered by PsSetCreateProcessNotifyRoutineEx passes the request to the process white list module, which checks the "Child (SHA-1) – Parent" entries against the process list and returns a "CreationStatus" to allow or disallow; creation is denied if there is no statement on the process white list, and the child process is created only if allowed. Requests to access resources (system calls) pass through the Executive API, the I/O Manager and the Process Manager to the Filter Manager (resource access control), which consults the access control list before the file system, network and device drivers; resource access is denied if the target resource is listed and the access is not allowed.)
  • 16. How to create white list
    • 4 types of white list are created: P (process creation), F (file access), N (network access), D (device access).
    • Most parts are created from the logs of trial runs.
      – The logs are formatted and refined with an editing tool.
    (Figure: applications run on Windows 7 with a driver for log gathering, producing P, F, N and D logs; an editing tool turns them into the process white list (P) and the access control lists (F, N, D) enforced on the controlled Windows 7.)
  • 17. Sample: Process White List
    Columns: child process, SHA-1 of child process binary, parent process (the parent-child relation).
      C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,System
      C:\Windows\System32\autochk.exe,1bd90caff9f3ab1d3cb7136ce9146c1c2e69368b,C:\Windows\System32\smss.exe
      C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
      C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
      C:\Windows\System32\smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:\Windows\System32\smss.exe
      C:\Windows\System32\wininit.exe,c7bba9840c44e7739fb314b7a3efe30e6b25cc48,C:\Windows\System32\smss.exe
      C:\Windows\System32\csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:\Windows\System32\smss.exe
      C:\Windows\System32\services.exe,54a90c371155985420f455361a5b3ac897e6c96e,C:\Windows\System32\wininit.exe
      C:\Windows\System32\lsass.exe,d49245356dd4dc5e8f64037e4dc385355882a340,C:\Windows\System32\wininit.exe
      C:\Windows\System32\lsm.exe,e16beae2233832547bac23fbd82d5321cfc5d645,C:\Windows\System32\wininit.exe
      C:\Windows\System32\winlogon.exe,b8561be07a37c7414d6e059046ab0ad2c24bd2ad,C:\Windows\System32\smss.exe
  • 18. Sample: Process White List
    The same list as slide 17. The SHA-1 of the binary is used for the integrity check.
  • 19. Sample: Resource Access Control
    • File access control (file, processes)
      C:\opt\SCADA\log.txt,C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
      C:\opt\SCADA\config,C:\opt\SCADA\SACA.exe,C:\Windows\explorer.exe
      C:\opt\OPC\config,C:\opt\OPC\OPC.exe,C:\Windows\explorer.exe
    • Network access control (IP address, port, applications)
      192.168.0.12,80,C:\Program Files\Internet Explorer\iexplore.exe
      192.168.0.11,80,C:\Users\test\Google\Chrome\Application\chrome.exe
      192.168.0.10,0,C:\opt\netperf\netperf.exe,C:\opt\netperf\netserver.exe
  • 20. Optimization for ICS
    • Small white list
      – The "don't care" setting allows a small white list.
    • The white list mechanism for files is applied on the open() function only; it does not check read() and write().
      – String matching takes much time: about 200-300 μsec on a current CPU.
    • The white list mechanism for IP address and port takes less than 20 μsec, because it is achieved by arithmetic operations.
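The decision logic of slides 11, 12 and 17-20, written here as an added Python model (not code from the talk or the CSSC driver): it loads process, file and network lists in the slides' CSV layouts, built from constructed binaries and rows, applies the parent-child and SHA-1 checks, the conflict-of-interest rule and the "don't care" rule, and keys the network list by integer (ip, port) as slide 20 describes. The conflict-of-interest list format and the reading of a listed port 0 as "any port" are assumptions.

```python
import csv
import hashlib
import io
import ipaddress

# Constructed stand-ins for binaries on disk (path -> image bytes); the SHA-1
# column of the process white list is computed from these, not copied.
IMAGES = {
    r"C:\opt\SCADA\SCADA.exe": b"constructed scada image",
    r"C:\opt\OPC\OPC.exe": b"constructed opc image",
    r"C:\Program Files\Office\office.exe": b"constructed office image",
}
EXPLORER = r"C:\Windows\explorer.exe"

def sha1(image):
    return hashlib.sha1(image).hexdigest()

# Process white list (P) in the slide-17 layout: child, SHA-1 of child, parent.
PWL_CSV = "\n".join(f"{child},{sha1(IMAGES[child])},{EXPLORER}" for child in IMAGES)
# Conflict-of-interest pair of slide 11 (SCADA vs. office); the format is assumed.
COI = [(r"C:\opt\SCADA\SCADA.exe", r"C:\Program Files\Office\office.exe")]
# File (F) and network (N) lists in the slide-19 layout (constructed rows).
FILE_CSV = r"""C:\opt\SCADA\log.txt,C:\opt\SCADA\SCADA.exe,C:\Windows\explorer.exe
C:\opt\OPC\config,C:\opt\OPC\OPC.exe,C:\Windows\explorer.exe"""
NET_CSV = r"""192.168.0.12,80,C:\Program Files\Internet Explorer\iexplore.exe
192.168.0.10,0,C:\opt\netperf\netperf.exe,C:\opt\netperf\netserver.exe"""

def rows(text):
    return [[col.strip() for col in row] for row in csv.reader(io.StringIO(text))]

class Lockdown:
    """The two kernel-side decisions of the slides, modelled in user space."""

    def __init__(self, pwl_csv, coi, file_csv, net_csv):
        self.pwl = {tuple(r) for r in rows(pwl_csv)}             # (child, sha1, parent)
        self.coi = {frozenset(pair) for pair in coi}
        self.files = {r[0]: set(r[1:]) for r in rows(file_csv)}  # file -> processes
        # Integer (ip, port) keys: the lookup is arithmetic, not string matching.
        self.net = {(int(ipaddress.ip_address(r[0])), int(r[1])): set(r[2:])
                    for r in rows(net_csv)}
        self.running = set()

    def create_process(self, parent, child, image):
        """Creation hook: allow only a listed (child, SHA-1, parent) triple,
        and refuse while a conflicting process is running."""
        if (child, sha1(image), parent) not in self.pwl:
            return False
        if any(frozenset((child, other)) in self.coi for other in self.running):
            return False
        self.running.add(child)
        return True

    def open_file(self, process, path):
        """open() filter: an unlisted file is "don't care" (any process may
        open it); a listed file is opened only by its listed processes."""
        allowed = self.files.get(path)
        return allowed is None or process in allowed

    def connect(self, process, ip, port):
        """Network filter with the same "don't care" rule; a listed port of 0
        is read as "any port" (assumption, after the netperf row of slide 19)."""
        key = int(ipaddress.ip_address(ip))
        allowed = self.net.get((key, port), self.net.get((key, 0)))
        return allowed is None or process in allowed

def demo():
    """Scenarios of slides 11-13 and 19; returns scenario name -> allowed."""
    ld = Lockdown(PWL_CSV, COI, FILE_CSV, NET_CSV)
    scada, opc = r"C:\opt\SCADA\SCADA.exe", r"C:\opt\OPC\OPC.exe"
    office = r"C:\Program Files\Office\office.exe"
    out = {
        "scada starts": ld.create_process(EXPLORER, scada, IMAGES[scada]),
        "tampered scada binary": ld.create_process(EXPLORER, scada, b"patched image"),
        "office from unlisted parent": ld.create_process(r"C:\Temp\unlisted.exe", office, IMAGES[office]),
        "office while scada runs": ld.create_process(EXPLORER, office, IMAGES[office]),
        "scada opens its log": ld.open_file(scada, r"C:\opt\SCADA\log.txt"),
        "opc opens scada log": ld.open_file(opc, r"C:\opt\SCADA\log.txt"),
        "opc opens unlisted file": ld.open_file(opc, r"C:\Temp\notes.txt"),
        "netperf on any port": ld.connect(r"C:\opt\netperf\netperf.exe", "192.168.0.10", 12865),
        "opc to the iexplore host": ld.connect(opc, "192.168.0.12", 80),
    }
    ld.running.discard(scada)   # SCADA exits; the conflict-of-interest rule is released
    out["office after scada exits"] = ld.create_process(EXPLORER, office, IMAGES[office])
    return out
```

Note that the "don't care" rule is what keeps the lists small: an attacker that cannot get a process created is stopped by the process list, while a legitimate process reaching an unlisted file or port is never delayed by a lookup miss.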
  • 21. Case study on SCADA system
    • White list control is applied on a SCADA system.
    • SCADA and OPC get information from the PLCs every 1 second.
    (Figure: a server running SCADA (config file, log file) and OPC (config file) with one NIC, connected over Modbus/TCP to 15 PLC emulators.)
  • 22. Detail of SCADA System
    • Server (Windows 7 32-bit)
      – SCADA (3 types were tested): PA-Panel, Winlog, OpenSCADA (http://openscada.org/)
      – OPC: DeviceExplore
    • PLC
      – Modbus PLC emulator (http://www.plcsimulator.org/)
      – 5 emulators run on each of 3 PCs (15 in total).
  • 23. OS Lockdown
    • Limit process creation
      – About 100 parent-child relations
    • IP addresses and ports
      – 5 networks for SCADA, 10 networks for OPC
    • Config and log files are limited
      – 2 files for SCADA, 1 file for OPC
    (Figure: the red line indicates the access limitation for SCADA; the green line indicates the access limitation for OPC.)
    Each overhead is estimated at less than 200 μsec.
  • 24. Attack on the SCADA system
    • IE'en [BlackHat'02] attacks DCOM (port 135), which is used by OPC.
      – http://www.securityfriday.com/tools/IEen.html
    • The attack is prevented by white list control, because the attack requires a process creation that is not registered on the white list.
  • 25. Limitation of Current White List
    • Current white list control cannot reduce vulnerabilities.
      – Malware can still exploit them, but its activity is limited.
    • It is not easy to make a perfect white list automatically.
      – The current white list is made from several trial runs and is also refined by hand.
      – A method to create a white list from a specification is needed. [future work]
  • 26. Conclusions
    • OS lockdown (white list control) for industrial control systems
      – An ICS does not need to run many applications.
      – White list control offers a predictable time delay.
      – Some optimization techniques reduce the overhead.
    • White list control was applied on SCADA systems and its feasibility was confirmed. It will be applied on the testbed systems of CSSC.