
DHS ICS Security Presentation

DHS findings on the changing security landscape of ICS (Industrial Control Systems).


  1. Department of Homeland Security Control Systems Security Program. Seán Paul McGurk, Director, Control Systems Security, National Cyber Security Division, U.S. Department of Homeland Security
  2. Overview of Control Systems
  3. U.S. Critical Infrastructure Sectors. Homeland Security Presidential Directive 7 (HSPD-7) along with the National Infrastructure Protection Plan (NIPP) identified and categorized U.S. critical infrastructure into the following 18 CIKR sectors:
     • Agriculture and Food
     • Banking and Finance
     • Chemical
     • Commercial Facilities
     • Critical Manufacturing
     • Dams
     • Defense Industrial Base
     • Emergency Services
     • Energy
     • Government Facilities
     • Information Technology
     • National Monuments and Icons
     • Nuclear Reactors, Materials, and Waste
     • Postal and Shipping
     • Public Health and Healthcare
     • Telecommunications
     • Transportation
     • Water and Water Treatment
     Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system.
  4. Risk Drivers: Modernization and Globalization
     • Connections between Information Technology and Control System networks (inheriting vulnerabilities)
     • Shift from isolated systems to open protocols
     • Access to remote sites through the use of modems, wireless, private, and public networks
     • Shared or joint use systems for e-commerce
  5. Vulnerability Lifecycle
     • January 2008: Core Security Technologies discovers a vulnerability in the CitectSCADA product and works with Citect and US-CERT
     • June 2008: Citect releases patches for affected products
     • June 11, 2008: US-CERT publishes Vulnerability Note regarding Citect buffer overflow
  6. Vulnerability Lifecycle (continued)
     • September 5, 2008: Metasploit exploit code posted
     • September 6, 2008: Traffic increases for specified port
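The last slide's observation, traffic to a port rising the day after exploit code is published, is something a defender can watch for. The following is an added example, not part of the presentation: it counts connection attempts per destination port and day from constructed firewall-style log lines and flags a day that exceeds a robust baseline. The log format and port number 12345 are assumptions, not the Citect port.

```python
"""Detect a sudden rise in connection attempts to one destination port.

Added example (not from the DHS presentation). The log format and the port
number are constructed; 12345 stands in for whichever port is of interest.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed firewall-style log lines: (day, number of hits on port 12345).
# A few hits per day are normal; the last day shows a jump of the kind seen
# the day after exploit code is published.
_DAILY_HITS = [("2008-08-31", 2), ("2008-09-01", 3), ("2008-09-02", 2),
               ("2008-09-03", 3), ("2008-09-04", 2), ("2008-09-05", 2),
               ("2008-09-06", 12)]
SAMPLE_LOG = "\n".join(
    f"{day}T{i:02d}:15:00 DENY src=203.0.113.{i + 1} dst=192.0.2.10 dport=12345"
    for day, n in _DAILY_HITS for i in range(n))
# Background noise on another port, so the detector has to be port-specific.
SAMPLE_LOG += "\n" + "\n".join(
    f"{day}T12:00:00 ALLOW src=198.51.100.7 dst=192.0.2.20 dport=80"
    for day, _ in _DAILY_HITS)

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?:DENY|ALLOW) src=\S+ dst=\S+ dport=(?P<dport>\d+)$")


def daily_port_counts(log_text):
    """Return {day: Counter({dport: hits})} parsed from the log lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped, not counted
            counts[m["day"]][int(m["dport"])] += 1
    return counts


def port_spikes(counts, port, k=5.0, min_history=3):
    """Days whose hit count for `port` exceeds median + k*MAD of prior days.

    Median/MAD is used instead of mean/stdev so one earlier spike cannot
    inflate the baseline and hide the next one. Returns a list of
    (day, hits, baseline_median) tuples.
    """
    days = sorted(counts)
    alerts = []
    for i, day in enumerate(days):
        history = [counts[d][port] for d in days[:i]]
        if len(history) < min_history:
            continue  # not enough days to form a baseline yet
        med = median(history)
        mad = median(abs(h - med) for h in history) or 1.0  # floor a zero spread
        today = counts[day][port]
        if today > med + k * mad:
            alerts.append((day, today, med))
    return alerts


if __name__ == "__main__":
    for day, hits, med in port_spikes(daily_port_counts(SAMPLE_LOG), 12345):
        print(f"{day}: {hits} hits on port 12345 (baseline median {med})")
```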
  7. Control Systems Site Assessments (ISA 99 Control Systems Security Model)
     • Since 2002 over 100 site assessments conducted
     • Electric, Oil and Natural Gas, Chemical, Water, and Transportation (pipeline)
     • Over 38,000 vulnerabilities were identified and categorized
  8. ICS Vulnerabilities categorized by ISA99 Security Zones Level 0-5
  9. ICS Security Zones of Interest: Level 3 - Operational Zone
     • Network device vulnerabilities: 9.3% (1677 vulnerabilities)
     • Host based/application system vulnerabilities: 90.7% (16288 vulnerabilities)
     • Primary security issue with:
       • Web Server Applications
       • Database Servers (MS SQL, MySQL, Oracle)
       • Business Applications
  10. ICS Security Zones of Interest: Level 2 – Supervisory HMI LAN
     • Network device vulnerabilities: 35.4% (1614 vulnerabilities)
     • Host based/application system vulnerabilities: 64.6% (2914 vulnerabilities)
     • Primary security issue with:
       • Microsoft-based Operating System (migration)
       • Sun Solaris Operating Systems
  11. General Findings
     • Default vendor accounts and passwords still in use
       • Some systems unable to be changed!
     • Guest accounts still available
     • Unused software and services still on systems
     • No security-level agreement with peer sites
     • No security-level agreement with vendors
     • Poor patch management (or patch programs)
     • Extensive auto-logon capability
  12. General Findings (continued)
     • Typical IT protections not widely used (firewalls, IDS, etc.). This has been improving in the last 6 months
     • Little emphasis on reviewing security logs (change management)
     • Common use of dynamic ARP tables with no ARP monitoring
     • Control system use of enterprise services (DNS, etc.)
     • Shared passwords
     • Writeable shares between hosts
     • User permissions allow for admin level access
     • Direct VPN from offsite to control systems
     • Web enabled field devices
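The "dynamic ARP tables with no ARP monitoring" finding above is easy to close with a passive monitor. The following is an added example, not part of the presentation: it reads tcpdump-style ARP reply lines, keeps its own IP-to-MAC table (or a known-good table the operator supplies), and alerts when a binding changes or one MAC starts answering for several addresses. The addresses and MACs are constructed.

```python
"""Passive ARP monitor for a control-system LAN segment.

Added example (not from the DHS presentation). It watches ARP replies,
remembers the first IP-to-MAC binding it sees (or a known-good table the
operator supplies) and alerts on any reply that contradicts it, which is
how ARP poisoning and duplicate-address mistakes both show up.
"""
import re
from collections import defaultdict

# tcpdump -n style ARP reply lines (constructed): the PLC and HMI answer
# normally, then a third station starts answering for both of them.
SAMPLE_ARP = """\
10:00:01.000 ARP, Reply 10.1.1.10 is-at 00:11:22:33:44:10, length 28
10:00:01.100 ARP, Reply 10.1.1.11 is-at 00:11:22:33:44:11, length 28
10:00:02.000 ARP, Reply 10.1.1.10 is-at 00:11:22:33:44:10, length 28
10:00:05.000 ARP, Reply 10.1.1.10 is-at de:ad:be:ef:00:01, length 28
10:00:05.200 ARP, Reply 10.1.1.11 is-at de:ad:be:ef:00:01, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def monitor_arp(replies, expected=None, max_ips_per_mac=1):
    """Return alerts as (kind, ts, ip, old_mac, new_mac) tuples.

    expected: optional {ip: mac} known-good table. Bindings learned from
    traffic are only trusted when no expected entry exists, and the table
    is never overwritten by traffic, so a poisoned reply keeps alerting.
    """
    table = dict(expected or {})
    learned = set()
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        known = table.get(ip)
        if known is None:
            table[ip] = mac
            learned.add(ip)
        elif known != mac:
            kind = "binding-changed" if ip in learned else "expected-binding-violated"
            alerts.append((kind, ts, ip, known, mac))
        before = len(ips_by_mac[mac])
        ips_by_mac[mac].add(ip)
        # Alert once each time a MAC grows past the allowed number of addresses.
        if len(ips_by_mac[mac]) > max_ips_per_mac and len(ips_by_mac[mac]) > before:
            alerts.append(("mac-claims-many-ips", ts, ip, None, mac))
    return alerts


if __name__ == "__main__":
    for alert in monitor_arp(parse_arp_replies(SAMPLE_ARP)):
        print(alert)
```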
  13. Cyber Incidents and Consequences
  14. Italian Traffic Lights
     Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system
     Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in a two month period
     Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets
     Lessons learned:
     • Do not underestimate the insider threat
     • Ensure separation of duties and auditing
  15. Transportation – Road Signs
     Event: Jan 2009, Texas road signs compromised
     Impact: Motorists distracted and provided false information
     Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
     Lessons learned:
     • Use robust physical access controls
     • Change all default passwords
     • Work with manufacturers to identify and protect password reset procedures
  16. DaimlerChrysler
     Event: Aug 2005, Internet worms infect DaimlerChrysler’s systems
     Impact: Workers were idle as infected Microsoft Windows systems were patched
     Specifics: A round of Internet worms knocked 13 of DaimlerChrysler’s U.S. automobile manufacturing plants offline
     Recovery time: Manufacturing plants were offline for one hour
     Lessons learned:
     • Critical patches need to be applied
     • Provide adequate network segmentation between control and business networks
     • Place controls between segments to limit congestion and cascading effects
  17. Polish Trains
     Event: A Polish teenager modifies a TV remote and hacks the Lodz tram system
     Impact: 12 people injured, 4 derailments
     Specifics: The 14-year-old modified a TV remote control so that it could be used to change track points. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified track settings for a prank.
     Lessons learned:
     • Do not rely on protocol obscurity for security
     • Apply appropriate access controls to all field devices
  18. Maroochy Waste Water
     Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds
     Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs
     Specifics:
     • SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water
     • Used OPC ActiveX controls, DNP3, and Modbus protocols
     • Used packet radio communications to RTUs
     • Used commercially available radios and stolen SCADA software to make a laptop appear as a pumping station
     • Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23)
     Lessons learned:
     • Suspend all access after terminations
     • Investigate anomalous system behavior
     • Secure radio and wireless transmissions
  19. Browns Ferry Power Plant
     Event: Aug 2006, two circulation pumps at Unit 3 of the nuclear power plant failed
     Impact: The unit had to be shut down manually
     Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device
     Recovery time:
     • SPDS – 4 hours 50 minutes
     • PPC – 6 hours 9 minutes
     Lessons learned:
     • Provide adequate network segmentation
     • Place controls on multiple segments to limit congestion and cascading effects
     • Provide active network monitoring tools
  20. Hatch Nuclear Power Plant
     Event: A software update caused the control system to initiate a plant shutdown
     Impact: The plant was shut down for 48 hours
     Recovery time: 48 hours
     Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs. …there was full two-way communication between certain computers on the plant's corporate and control networks.
     Lessons learned:
     • Patch management policy must address testing requirements before integration in the production environment
     • IT and ICS must be aware of connectivity
  21. Davis Besse Nuclear Power Plant
     Event: Aug 20, 2003, Slammer worm infects plant
     Impact: Complete shutdown of the digital portion of the Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)
     Recovery time:
     • SPDS – 4 hours 50 minutes
     • PPC – 6 hours 9 minutes
     Specifics:
     • Worm started at a contractor's site
     • Worm jumped from corporate to plant network and found an unpatched server
     • Patch had been available for 6 months
     Lessons learned:
     • Secure remote (trusted) access channels
     • Ensure defense-in-depth strategies with appropriate procurement requirements
     • Critical patches need to be applied
  22. Olympic Pipeline Explosion
     Event: 16-inch gasoline pipeline explosion and fire, exacerbated by inability of the SCADA system to perform control and monitoring functions
     Impact: 3 fatalities, property damage >$45M, matching fines of $7.86M against two companies
     Specifics:
     • Erroneous changes to the live historical database caused a critical slowdown in system responsiveness (evidenced by sensor scan rate changing from a 3 second poll to over 6 minutes!)
     • Communication link between main computer, field sensors, and controllers was a combination of leased phone lines and frame relay
     (Photo by David Willoughby, copyright Bellingham Herald)
     Lessons learned:
     • Identify controls to Critical Assets
     • Do not use administrative controls to solve system anomalies
     • Do not perform database updates on live systems
     • Apply appropriate security to remote access
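The key evidence on the Olympic Pipeline slide was the sensor poll interval drifting from 3 seconds to over 6 minutes, which a historian or SCADA server can be made to check for itself. The following is an added example, not part of the presentation: it measures the gap between consecutive polls per sensor in a constructed poll log and reports stalls and late polls. Sensor tags, timestamps and the 3-second expected interval are assumptions.

```python
"""Detect SCADA scan-rate degradation from a poll log.

Added example (not from the DHS presentation). Each log line records one
successful poll of one sensor; the check measures the gap between
consecutive polls per sensor and reports gaps far beyond the configured
scan interval, plus a late-poll count so a slowly degrading system is
visible before it becomes a six-minute one.
"""
from collections import defaultdict
from datetime import datetime

EXPECTED_POLL_S = 3.0  # assumed configured scan interval

# Constructed poll log: PT-101 polls normally, stalls for over six minutes,
# then resumes; FT-201 keeps its 3-second cadence throughout.
SAMPLE_POLLS = """\
2024-05-01T15:00:00 poll sensor=PT-101 value=402.1
2024-05-01T15:00:00 poll sensor=FT-201 value=12.7
2024-05-01T15:00:03 poll sensor=PT-101 value=402.4
2024-05-01T15:00:03 poll sensor=FT-201 value=12.6
2024-05-01T15:00:06 poll sensor=PT-101 value=402.0
2024-05-01T15:00:06 poll sensor=FT-201 value=12.8
2024-05-01T15:00:09 poll sensor=FT-201 value=12.7
2024-05-01T15:06:17 poll sensor=PT-101 value=455.9
2024-05-01T15:06:20 poll sensor=PT-101 value=456.3
"""


def parse_polls(text):
    """Return {sensor: [datetime, ...]} in log order; malformed lines are skipped."""
    polls = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "poll" or not parts[2].startswith("sensor="):
            continue
        polls[parts[2][len("sensor="):]].append(datetime.fromisoformat(parts[0]))
    return polls


def scan_rate_report(polls, expected=EXPECTED_POLL_S, stall_factor=10.0):
    """Per sensor: worst gap, number of polls later than 2x expected, and stalls.

    A 'stall' is a gap longer than stall_factor * expected (30 s with the
    defaults); it is reported with the timestamp of the last good poll.
    """
    report = {}
    for sensor, times in polls.items():
        times = sorted(times)  # tolerate out-of-order log writes
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stalls = [(times[i].isoformat(), g) for i, g in enumerate(gaps)
                  if g > stall_factor * expected]
        report[sensor] = {
            "worst_gap_s": max(gaps) if gaps else 0.0,
            "late_polls": sum(1 for g in gaps if g > 2 * expected),
            "stalls": stalls,
        }
    return report


def degraded_sensors(report):
    """Sensors that need attention: any stall, or any poll beyond 2x expected."""
    return sorted(s for s, r in report.items() if r["stalls"] or r["late_polls"])


if __name__ == "__main__":
    rep = scan_rate_report(parse_polls(SAMPLE_POLLS))
    for sensor in degraded_sensors(rep):
        print(sensor, rep[sensor])
```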
  23. Arizona Salt River Project
     Event: 1994, unauthorized access into the network of the Salt River Project Water Utility
     Impact: Estimated losses of $40,000, and lost productivity due to the compromise
     Specifics: A programmer and software developer, using a dial-up modem, was able to break into the SRP network with the intention of retrieving billing information. The compromised server monitored the water levels of canals in the Phoenix area. Accessed data included monitoring and delivery information for water and power processes, in addition to financial and customer data. Data exfiltrated or altered included login/password files and system log files.
     Lessons learned:
     • Provide adequate network segmentation
     • Place controls on another segment with no direct outside access
     • Provide active network monitoring tools
     • Ensure defense-in-depth strategies, firewalls & Intrusion Detection Systems
  24. Big Bang Experiment is Hacked
     Event: Sept 2008, computer hackers broke into the Large Hadron Collider and defaced one of the project websites
     Impact: “There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable,” said James Gillies, spokesman for the European Organization for Nuclear Research (also known as CERN)
     Specifics: Hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang. CERN expressed concern over what the hackers could do as they were “one step away” from the computer control system.
     Lessons learned:
     • Provide adequate network segmentation
     • Place controls on another segment with no direct outside access
     • Provide active network monitoring tools
     • Ensure defense-in-depth strategies, firewalls & Intrusion Detection Systems
  25. Space Station – Air Gap Bridged
     Event: Aug 2008, viruses intended to steal passwords and send them to a remote server infected laptops in the International Space Station (again)
     Impact: Created a “nuisance” to non-critical space station laptops
     Specifics: The virus did make it onto more than one laptop, suggesting that it spread via some sort of intranet on the space station or via a thumb drive
     Lessons learned:
     • Due to the human factor there is no true air gap; for example, thumb drives, laptop connections, modems, VPN, CD/DVD, etc.
  26. Highlights
     • Control system security can no longer hide behind proprietary configurations and special training (Security by Obscurity)
     • Control systems are no longer isolated systems that require special skills; open systems and protocols
     • Control systems are no longer isolated from corporate and other networks
     • Hackers are smart, and the prevalence of information available via the Internet makes attacking control systems easier
     • Control systems are migrating away from their traditional shared and unrestricted configurations to more secure ones
  27. Functional Areas
     • ICS Analysis and informational products
       • Training – instructor-led and web-based
       • Subject Matter Expertise support
       • Standards support
     • ICS Assessments
       • On site / Control Systems Analysis Center (CSAC)
       • Interviewing control system operators, engineers, and IT staff on configuration and use
       • “Table top” review of network and security (firewalls, IDS/IPS, etc.)
       • R&D gap analysis
     • Sector Agency Support
       • Government Coordinating Council
       • Sector Coordinating Council
  28. ICS-CERT
     • CSAC analysis shared across all sectors through products and trainings
     • Mitigate vulnerability in partnership with vendors
       • Vulnerabilities patched by vendors
       • CSSP web site links US-CERT control systems “Vulnerability Notes”
       • Vulnerability reports submitted via US-CERT web site and entered into the National Vulnerability Database (NVD)
     • PCII is an information-protection tool that facilitates private sector information sharing with the government
  29. Cyber Security Self Assessment Tools
     • Assessment covers Policy, Plans and Procedures in 10 categories
     • Creates baseline security posture
     • Provides recommended solutions to improve security posture
     • Standards-specific reports (e.g. NERC CIP, DOD 8500.2, NIST SP800-53)
  30. Recommended Practices for Cyber Forensics for Control Systems
     • Addresses the issues encountered in developing and maintaining a cyber forensics plan
     • Supports forensic practitioners in creating a control systems forensics plan
     • Assumes evidentiary data collection and preservation using forensic best practices
     • Provides users with the appropriate foundation
  31. Control Systems Security Publications
     • Procurement language
       • New SCADA / control systems
       • Legacy systems
       • Maintenance contracts
     • Patch Management
       • Network integration of Control Systems
       • Differences in patch deployment
       • Reliable patch information
       • Embedded commercial off-the-shelf packages
  32. Standards Improvement: collaborations to evolve national and international standards for control system security
     • DHS Control System Security Program (CSSP)
     • DOE National SCADA Test Bed (NSTB)
     • Instrumentation, Systems, and Automation (ISA)
     • National Institute of Standards and Technology (NIST)
     • International Electrotechnical Commission (IEC)
  33. Education & Training
     • Web Based Training
       • “Cyber Security for Control Systems Engineers and Operators”
       • “Operational Security (OPSEC) for Control Systems”*
     • Instructor Led Courses
       • Cyber Security: Who Needs It?
       • Control Systems Security for Managers
       • Solutions for Process Control Security
       • Introduction to Control Systems Security for the Information Technology Professional
       • Intermediate Control Systems Security
       • Cyber Security Advanced Training and Workshop
     * IOSS first place award
  34. Industrial Control Systems Partnerships
     • Industrial Control Systems Joint Working Group (ICS-JWG) formed under the National Infrastructure Protection Plan framework to engage government and private sector control systems stakeholders
       • Private Sector Council
       • Government Council
       • Vendor Council
       • International Community
  35. Cyber Security is a Shared Responsibility
     Report cyber incidents and vulnerabilities: www.us-cert.gov
     Or send email to: soc@us-cert.gov, ics.cert@dhs.gov
     Or call: 888-282-0870
     Get more information at: www.us-cert.gov/control_systems
  36. Partnerships – Industry
  37. Definition - Industrial Control System
     The term Industrial Control System (ICS) refers to a broad set of control systems, which include:
     • SCADA (Supervisory Control and Data Acquisition)
     • DCS (Distributed Control System)
     • PCS (Process Control System)
     • EMS (Energy Management System)
     • AS (Automation System)
     • SIS (Safety Instrumented System)
     • Any other automated control system
  38. Los Angeles Traffic Lights
     Event: Aug 21, 2006, disgruntled traffic engineer hacked into the city's traffic control computer
     Impact: Shut down traffic signals at four critical points in the road network, causing crippling delays
     Recovery time: Four days until return to normal operations
     Specifics: Thought to have been part of a pay-bargaining procedure between employers and the Engineers and Architects Association
     Lessons learned:
     • Do not underestimate the insider threat
     • Ensure separation of duties and auditing
     • Change passwords regularly
  39. Texas City Explosion, 3/23/05
     Event: An explosion occurred during the restart of a hydrocarbon isomerization unit
     Impact: 15 workers killed, 180 injured
     Specifics: At approximately 1:20 p.m. on March 23, 2005, a series of explosions occurred at the BP Texas City refinery during the restarting of a hydrocarbon isomerization unit. Fifteen workers were killed and 180 others were injured. The explosions occurred when a distillation tower flooded with hydrocarbons and was over-pressurized, causing a geyser-like release from the vent stack.
     Lessons learned:
     • Key alarms, indicators, and control logic must be protected from cyber subversion
  40. CSX Train Signaling System
     Event: Aug 2003, Sobig computer virus was blamed for shutting down train signaling systems
     Impact: The virus infected the computer system at CSX Corporation’s Jacksonville, Florida, headquarters, shutting down signaling, dispatching, and other systems
     Recovery time: Train service was shut down or delayed for six hours
     Specifics: Ten Amtrak trains were affected
     Lessons learned:
     • Critical patches and anti-virus need to be applied and updated regularly
     • Defense-in-depth strategies, firewalls
     • Isolate control networks from corporate networks
  41. Taum Sauk Water Storage Dam Failure
     Event: Dec 2005, dam suffered a catastrophic failure
     Impact: A billion gallons of water was released 100 miles south of St. Louis, Missouri
     Specifics: Malfunction in gauges affected the automated monitoring system
     Recovery time: Replacement dam scheduled for completion in the Fall of 2009
     Lessons learned:
     • Calibrate instrumentation regularly
     • Add fail-safe redundancy to critical safety systems
     • Update contingency plans
  42. Recommended Practices
     • Control Systems Cyber Security Defense in Depth Strategies
     • Creating Cyber Forensics Plans for Control Systems
     • Good Practice Guide on Firewall Deployment
     • Hardening Guidelines for OPC Hosts
     • Mitigations for Security Vulnerabilities Found in Control System Networks
     • Recommended Practice for Patch Management of Control Systems
     • Securing Control System Modems
     • Securing WLANs Using 802.11i
     • Securing ZigBee Wireless Networks in Process Control System Environments
     • Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments
     http://csrp.inl.gov/Recommended_Practices.html
  43. Significance of ICS
     • Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system
     • Control systems are migrating away from their traditional shared and unrestricted configurations to more secure ones
     • Currently, a cyber attack on Industrial Control Systems is one of the only ways to induce real-world physical actions from the cyber realm
  44. Industrial Control Systems
     • Programmable Logic Controller (PLC) based systems
       • Ties back to integrated systems
       • Can control critical systems
       • Usually remote systems
     • Example systems
       • Railcar loading/unloading
       • Chemical loading/unloading
       • Water treatment
       • Conveyer/shipping
       • Hazardous Materials storage/filtering
  45. Harrisburg Pennsylvania Water System
     Event: Oct 2006, foreign hacker penetrated security at a water filtering plant
     Impact: The intruder planted malicious software that was capable of affecting the plant’s water treatment operations
     Specifics: The infection occurred through the Internet and did not seem to be an attack that directly targeted the control system
     Lessons learned:
     • Secure remote computers
     • Defense-in-depth strategies, firewalls & Intrusion Detection Systems
     • Critical patches and anti-virus need to be applied and updated regularly
