Presented @ Emerson Exchange October 7, 2014 Industrial control systems (ICS) are large information technology (IT) systems. Office IT systems, failure of ICS can cause plant outages and even physical damage. Management of ICS needs to be different and smarter. IT vendors frequently recommend patches and configuration changes. Most have no impact to the ICS, which cannot implement changes in real time. ICS typically get one chance every few years to make changes - the turnaround. This paper describes optimization of ISC turnaround work, using cyber-vulnerability assessment to focus turnaround work to only what is necessary.

1. Using a CVA to Optimize ICS Upgrade
Activities During a Turnaround
Jim Gilsinn
Kenexis Security

2. Presenter
 Jim Gilsinn
– Senior Investigator, Kenexis Security
– Current Co-Chair, ISA99 Committee (ISA/IEC
62443)
– Current Co-Chair, ISA99 WG2 Security
Program
– 23 years engineering, 13 years ICS cyber
security experience
– MSEE specializing in control theory

3. Overview
 The Situation
 Understanding Threats to ICS
 The ICS-CVA Process
 Using an ICS-CVA for Planning
 Summary

4. THE SITUATION

5. The Challenge
Security Researcher Plant Manager
You have 438 Critical Vulnerabilities!
I could take control of your PLC from the Internet and do …!
So what? I’m not connected to the Internet.
I can write a worm that will make the PLC overspeed the turbine and put it into surge!
Good luck! There is a machine protection system separate from the PLC.
Well… fine.. You need to patch all these vulnerabilities!
My next scheduled shutdown is in 330 days.
Is this important enough to warrant a shutdown?

6. The Challenge (cont’d)
Security Researcher Plant Manager
Of course!
Why? I don’t process credit cards. I don’t run public websites.
I can take control of the boiler and blow it up!
So you set the PLC to over pressure the boiler?
Yes!!!
There are relief valves.
Have a nice day…

7. The Cyber Security Threat
 2014 Data Breach Incident Report shows a 3x increase over 2013
 Over 256 incidents to OT networks in 2013 reported to ICS-CERT
– Voluntarily reported by ICS owner/operators
– Most go undetected or unreported
 Most major vendors have known vulnerabilities reported to ICS-CERT

8. Customer Concerns
 Fragile OT networks often caused by comm. problems
– Unexplained process stoppages
– Slow HMI updates
 At-risk or insecure OT networks
– Discrepancies between business and process support systems
(e.g. MES, ERP, LIMS, Historians)
– Unauthorized remote connections to OT networks
– Unauthorized changes to PLC’s, DCS, or other systems
– Viruses or malware from OT networks reported by IT staff
Communication errors & network problems risk:
– Production uptime
– Threaten process safety
– Open the OT network to cyber security threats

9. ICS Network & Security Failures
 Intermittent Failures
– Corrected by logic conditions in the system
– Minimal to no process interruption
 Nuisance Trips
– Corrected by logic conditions and fail safes
– Minor process interruptions
 Unplanned outages
– Handled by maintenance personnel & layers of protection
– Sustained process interruptions & failures
 Dangerous failures
– Kinetic and safety impacts
– Handled by emergency personnel & layers of protection
– Extended process interruptions & failures

10. Risk Management for Plant Managers:
3 Easy Steps
 What is it?
 Is it real?
 What do I do about it?
Safety Risks Require Action…
If you cannot qualify the risk
AND give a solution, you are
wasting their time

11. UNDERSTANDING THREATS TO ICS

12. Device Vulnerabilities: The Reality
 Many think, “8:01am – Cyber Attack,
8:03am – Plant Goes Boom!”
 Compromising an individual ICS is of limited value
 Significant failures require compromise & disabling of
multiple components
 True exploits are not needed for most parts of the process
 A combination of factors are required to move from
nuisance trips to more significant failures
– Cyber security knowledge
– Process knowledge
– ICS knowledge

13. Attack Modes for ICS
 Loss of View (LoV)
 Manipulation of View (MoV)
 Denial of Control (DoC)
 Manipulation of Control (MoC)
 Loss of Control (LoC)
Model each part of the process in terms
of how an attacker would bypass
protective systems

14. Turbine Overspeed Scenario:
Process Flow Diagram
Electrical Power Generation
with Steam Turbine

15. Turbine Overspeed Scenario:
Simplified Turbine Model
Steam Turbine for
Power Generation
Disconnect Safety Valve
Switch
Speed
Transmitter

16. Turbine Overspeed Scenario:
Creating the Turbine Overspeed
 Disable the overspeed trip system
– Option 1 – “Force” the output of safety valve
– Option 2 – Freeze the value of the speed transmitter
 Disconnect the load from generator
– Option 1 – Command generator disconnect switch to open
positon
– Option 2 – Open multiple disconnect switches at power
distributors or consumers

17. Turbine Overspeed Scenario:
Attack Methodology
 Part 1 – Conduct Surveillance
 Part 2 – Map Systems
 Part 3 – Infect & Compromise
 Part 4 – Exfiltrate Information
 Part 5 – Prepare Final Attack
 Part 6 – Initiate Attack for Max Damage

18. Potential Process Attack Points
 Controller setpoints
 I/O values
 Controller commands
 Alarm conditions
 Safety interlocks
 Interconnected or integrated SIS

19. THE ICS-CVA PROCESS

20. Requirements to Conduct an ICS-CVA
 ICS-CVA = ICS Cyber Vulnerability Assessment
 Regulatory
– Annual basis by NERC CIP, CFATS, etc.
 Standards & Guidelines
– Periodic basis by ISA/IEC 62443 (ISA-99), NIST
Cybersecurity Framework, AWWA, NERC, etc.

21. Conducting an ICS-CVA
 Understand affect of different systems on OT networks
– Installed base of equipment
– Information/IT systems
 Should be part of validation
 Recommended to be performed:
– After initial implementation of ICS
– After major modifications to ICS
– Periodically
 Specific requirements for ICS-CVA defined in regulations,
standards, & guidelines

22. The ICS-CVA Process
 Documentation Collection & Review
– Network Architecture
– Piping, Instrumentation, and Engineering Diagrams
– Asset Inventory
 Network Traffic Capture
– Capture traffic (via tcpdump, Wireshark, etc.) at managed
switches via mirror port for a given time

23. The ICS-CVA Process (cont’d)
 Ping Sweep
– Identify live hosts (via nmap)
– Verify Asset Inventory
– Identify Unknown/Rogue Devices
 Port Scan Per Device
– Detect open ports & services (via nmap)
– Identify operating system
 Service Detection
– Grab banners from active services (via nmap or netcat)
– Verify validity of open ports
– Detect known vulnerable ports/services

24. The ICS-CVA Process (cont’d)
 Vulnerability Scanning
– Automated (via nessus, neXpose, etc.)
– Manual (via nmap, netcat, metasploit, etc.)
– Examination of vulnerability database (e.g. NIST, A/V
vendors, proprietary, etc.)
 Open-Source Intelligence Collection
– Determine information leakage of information (via Google,
Shodan, Maltego, ARIN, Custom Code, etc.)
– Identify devices exposed to internet
– Identify leaks of proprietary information (.doc, .pdf, etc.)
– Determine ease of identifying devices

25. The ICS-CVA Process (cont’d)
 Process Vulnerability Analysis
– P&ID
– HAZOP for max damage/impact scenarios
– Zone and conduit & security level analysis
– Vulnerability analysis with emphasis on physical impacts
– Failure Modeling
– Attack Modeling

26. USING AN ICS-CVA FOR PLANNING

27. ICS-CVA Results & Recommendations
 Network improvements
– Architecture, zones, upgraded infrastructure, layering, etc.
 Cyber security improvements
– Patching, policies/procedures, firewalls, etc.
 Device improvements
– Upgraded firmware & hardware
 Facility siting & physical security
– Barriers to entry
– Access control
 SIS in place of controllers
– Safety interlocks replaced by SIS

28. Preparing for Turnaround
 Conduct an ICS-CVA well before turnaround
– 6-9+ months prior depending on turnaround scope,
magnitude, duration, etc.
– Allow for new designs, capital expenditures, personnel
training, etc.
 Stage equipment prior to turnaround
– Prepare equipment with necessary firmware upgrades,
programs, etc.
– If possible, test equipment in lab prior to deployment

29. SUMMARY

30. Summary
 Engineering problems require
engineering solutions!
 Vulnerability analysis & discovery a
useful exercise, but only stop at
device impact
 Qualifying the threat means that the
process must be considered
 ICS-CVA includes all of the above
 ICS-CVA can be used as a planning
tool for improvements

31. Where To Get More Information
 Jim Gilsinn
– Email: jim.gilsinn@kenexis.com
– Phone: +1-614-323-2254
– Twitter: @JimGilsinn
– LinkedIn: http://www.linkedin.com/in/jimgilsinn/
– SlideShare: http://www.slideshare.net/gilsinnj
– Website: http://www.kenexis.com

32. Thank You for Attending!
Enjoy the rest of the conference.