Slide 1 – Implications of Cybersecurity on the Small and Medium-sized Manufacturer: Risk Management and Compliance
Dr. Ron McFarland, Ph.D., PMP, CISSP – Post Doctorate Fellow, University of Maryland University College
Dean, School of Applied Technologies – College of the Canyons
Center for Security Studies
Funding provided by CAE Cybersecurity Grant Program - S-004-2017 CAE Cybersecurity (CAE-C) “Investment in Expansion of CAE-C Education Programs”
Dr. Loyce Best Pailen, Principal Investigator

2
Topics
1. Compliant, but breeched
2. Cyber Security and Industrial Control Systems
3. DFARS Requirements
3
Compliant, but breeched
4
Hackers focus on beating security
controls
Security and compliance teams
focus on adhering to laws and
regulations
The Essence of the problem
5
Compliant with Certifications -- but Breached
• Target
• Verizon
• SecurePay
• Experian
• Sally Beauty
• FedEx
• Staples
• Dairy Queen
• KMart
According to the SANS Institute: “The Payment Card Industry published the
Data Security Standard 11 years ago; however, criminals are still breaching
companies and getting access to cardholder data. The number of security
breaches in the past two years has increased considerable, even among the
companies for which assessors deemed compliant.”
6
• Compliance – the act or process of complying to a desire,
demand, proposal, regimen or coercion to achieve security
• Security – the state of being free from danger or threat
What is Compliance and Security?
7
• Possible combinations:
1. Neither compliant with any standards or secure
2. Secure in a limited way but not compliant with any standards
3. Compliant with standards but insecure
4. Secure and compliant
• Best option is to achieve security via compliance
 Treat certifications of products and processes or regulatory
compliance as assets
Possible Combinations
8
• Established security standards for certain types of
health information
 regulated by Department of Health and Human Services
• Procedural and technical measures to protect
information and track the people using that
information
 User identification and authentication
 Include auto logoff and emergency access procedures
 System logging for security events
 Personal Health Information (PHI) must be encrypted
 Integrity controls
Health Insurance Portability and Accountability Act (HIPAA)
9
• Established security standards for certain types of
health information
 regulated by Department of Health and Human Services
• Procedural and technical measures to protect
information and track the people using that
information
 User identification and authentication
 Include auto logoff and emergency access procedures
 System logging for security events
 Personal Health Information (PHI) must be encrypted
 Integrity controls
Health Insurance Portability and Accountability Act (HIPAA)
10
• Organizations that issue and process credit and debit cards
 regulated by VISA, MasterCard, Discover, JCB and American
Express
• Organizations track all access to network resources and
cardholder data
 Requires external assessments be performed
 Vulnerability scans aka penetration testing
 Become “certified”
Payment Card Industry – Data Security Standards (PCI DSS)
11
PCI DSS Requirements
1. Install and maintain a firewall
configuration to protect
cardholder data
2. Do not use vendor-supplied
defaults for system passwords
and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of
cardholder data across open,
public networks
5. Use and regularly update anti-
virus software
6. Develop and maintain secure
systems and applications
7. Restrict access to cardholder
data by business need-to-know
8. Assign a unique ID to each
person with computer access
9. Restrict physical access to
cardholder data
10. Track and monitor all access to
network resources and
cardholder data
11. Regularly test security systems
and processes
12. Maintain a policy that
addresses information security
Payment Card Industry – Data Security Standards (PCI DSS)
12
• Requires financial institutions to protect customer information
against security threats
 Regulated by FTC
• Privacy notice includes what they collect, where it is shared and
how it is protected
• SSN, financial account numbers, credit card numbers, DOB,
Name, address, phone number, details of financial transactions
Gramm-Leach-Bliley Act (GLBA)
13
• Information security program assigned to an employee
• Risk assessments to identify risks
• Assess safeguards to ensure they function properly and as
intended
• Design and implement safeguards
• Service provider contracts include terms to protect customer
information
• Periodic review of information security policy
Gramm-Leach-Bliley Act (GLBA)
14
• Requirements for financial and accounting practices for
publicly-held companies
 Regulated by the SEC
• Auditor independence
• Corporate governance (oversight) includes IT
• Internal control assessment
• Enhanced financial disclosure
Sarbanes-Oxley Act (SOX)
15
• Financial reports, records, and data are accurately maintained
• Transactions are prepared per GAAP rules and properly
recorded
• Unauthorized acquisition or use of data or assets that could
affect financial statements will be prevented or detected in a
timely manner
• Records retention
Sarbanes-Oxley Act (SOX)
16
• Schools receiving federal funds
• Personal for students as it provides protection over:
 Demographic information
 Address and contact information
 Parental demographic information
 Parental address and contact information
 Grade information
 Disciplinary information
Family Educational Rights and Privacy Act (FERPA)
17
Defense Federal Acquisition Regulation
Supplement (DFARS)
18
Cyber Security and Industrial Control
Systems
19
• The need to improve the security for ICS cannot be overstated.
• Many industrial systems are built using
 legacy devices
 Running legacy protocols that have evolved to operate in routable
networks.
• Before the expansion of Internet connectivity, web-based
applications, and real-time business information systems, energy
systems were built for reliability.
• Physical security was always a concern, but information security
was not a concern, because
 the control systems were air-gapped—that is physically separated with
no common system (electronic or otherwise) crossing that gap
Importance of Securing Industrial Networks
20
Before – Air Gap Separation
21
• The problem is that regardless of how justified or well intended
the action the air gap ( from previous slide), it is no longer
exists. Why??
• There is now a path into critical systems, and any path that
exists can be found and exploited.
Need to connect
22
Reality of the Air Gap
23
• Security consultants at Red Tiger Security presented research
in 2010 that clearly indicates the current state of security in
industrial networks.
• Penetration tests were performed on approximately 100 North
American electric power generation facilities.
• Results: more than 38,000 security warning and
vulnerabilities.
Red Tiger Research
24
• Understanding the basic nature of industrial networks, and
examining the many regulations and recommendations put
forth by NERC, NIST, NRC, ISA, the ISO/IEC, and other
organizations is the foundation of industrial network security.
• By evaluating an industrial network, identifying and isolating
its systems into functional groups ( Segmentation ), and
applying a structured methodology of defense in depth and
strong access control, the security of the network as a whole will
be greatly improved
Foundation to Securing ICS
25
• An industrial network is most typically made up of several
distinct areas, which are simplified as
 a business network or enterprise
 business operations
 a supervisory network
 and process and control networks
General Terms
26
• SCADA - Supervisory Control and Data Acquisition
• ICS - Industrial Control Systems
• DCS - Distributed Control Systems or Process Control Systems
(PCS).
• Each area has its own physical and log- ical security
considerations, and each has its own policies and concerns.
ICS Terms
27
• Industrial Network
 is referring to any network operating some sort of automated
control system that communicates digitally over a network.
• Critical Infrastructure
 is referring to critical network infrastructure, including any
network used in the direct operation of any system upon which
one of “critical infrastructures” depends.
Industrial Network vs. Critical Infrastructure
28
Industrial Control Network
29
• Utilities
 Utilities—water, gas, oil, electricity, and communications
 Financial ??
• Nuclear Facilities
 Nuclear facilities represent unique safety and security challenges
 due to their inherent danger in the fueling and operation,
 as well as the national security implications of the raw materials used.
Critical Infrastructure examples
30
• Chemical Facilities
 Chemical manufacture and distribution represent speci c
challenges to securing an industrial manufacturing network.
Critical Infrastructure examples - continued
31
• Homeland Security Presidential Directive Seven (HSPD-7)
• North American Electric Reliability Corporation (NERC) has
created a reliability standard called “Critical Infrastructure Protection”
and enforces it heavily throughout the United States and Canada.
 The NERC CIP reliability standard identifies security measures for protecting
critical infrastructure with the goal of ensuring the reliability of the bulk
power system.
 Compliance is mandatory for any power generation facility
 Fines for noncompliance can be steep.
Standards and Organizations
32
• Nuclear Regulatory Commission (NRC).
 The NRC was formed as an independent agency by Congress in 1974
 The goal: attempt to guarantee the safe operation of nuclear facilities and to
protect people and the environment.
 This includes regulating the use of nuclear material including by-product,
source, and special nuclear materials, as well as nuclear power.
 NRC requires and enforces the cyber security of nuclear power facilities.
Ultimately, all other industries rely upon energy to operate, and so the security
of the energy infrastructure (and the development of the smart grid) impacts
everything else, so that talking about securing industrial networks without
talking about energy is practically impossible.
 The NRC is responsible for ensuring the safe use of radioactive materials for
ben- e cial civilian (nonmilitary) purposes by licensed nuclear facilities.
Standards and Organizations - continued
33
• Homeland Security Presidential
DirectiveSeven/HSPD-7
 The HSPD-7 attempts to distinguish the critical versus noncritical
systems.
 HSPD-7 does not include specific security recommendations
 relying instead upon other federal security recommendations such
as those by the NIST on the security of both enterprise and
industrial networks, as well as the Homeland Security Risk- Based
Performance Standards used in securing chemical facilities.
Standards and Organizations - continued
34
• NIST Special Publications (800 Series)
 NIST’s 800 series documents provide best practices and
information of general interest to information security.
 All 800 series documents concern information security
 It should be used as references where applicable.
 Particular relevance to industrial network security is
 SP 800-53 (“Recommended Security Controls for Federal Information
Systems”)
 SP 800-82 (“Guide to Supervisory Control and Data Acquisition
[SCADA] and Industrial Control Systems Security”)
Standards and Organizations - continued
35
• Other standards addresses security recommendations and
best practices:
 Federal Information Security Management Act -FISMA
 Chemical Facility Anti-Terrorism Standards – CFATS
 ISA-99
 ISO 27002
Standards and Organizations - continued
36
• The separation of assets into functional groups allows specific
services to be tightly locked down and controlled
• This is one of the easiest methods of reducing the attack surface
that is exposed to attackers.
• Simply by disallowing all unnecessary ports and services, we also
eliminate all of the vulnerabilities—known or unknown—that could
potentially allow an attacker to exploit those services.
• Control communications in both directions through a firewall ( key
area) study your network??
 Not all threats originate from outside. Open, outbound traffic policies
can facilitate an insider attack, enable the internal spread of malware,
enable outbound command and control capabilities, or allow for data
leakage or information theft.
Network Segmentation - isolation
37
Network Segmentation - isolation
38
Network Segmentation - isolation
39
Defense in Depth – Provision of additional layers of protection
40
Defense in Depth – Protective Measures
41
• Additional measures related to Access Control:
 Only allow a user to log in to an HMI if the user has successfully
badged into the control room (user credentials combined with
physical access controls)
 Only allow a user to operate a given control from a specific
controller (user credentials limited within a security group)
 Only allow a user to authenticate during that user’s shift (user
credentials combined with personnel management)
Additional Measures
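The three measures above combine into one default-deny decision. The policy evaluator below is an added example (not from the slides) that checks badge-reader data, shift schedule and security-group membership independently and reports every failed condition; the HMI names, zones, groups, users and times are constructed.

```python
"""Access-control policy combining user credentials with physical access,
security group and shift data. Added example, not from the slides; all
names, zones, groups and times are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    zone: str        # physical zone the badge reader guards
    time: datetime
    entered: bool    # True = badged in, False = badged out


@dataclass(frozen=True)
class LoginRequest:
    user: str
    hmi: str                  # HMI the user is logging in to
    control: Optional[str]    # control the user wants to operate (None = login only)
    time: datetime


# Constructed directory data: which control room houses each HMI, which
# security group may operate each control, group membership and shifts.
HMI_ZONE: Dict[str, str] = {"hmi-01": "control-room-a", "hmi-02": "control-room-b"}
CONTROL_GROUPS: Dict[str, Set[str]] = {
    "boiler-feed-valve": {"boiler-operators"},
    "turbine-governor": {"turbine-operators"},
}
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"boiler-operators"},
    "bob": {"turbine-operators"},
}
SHIFTS: Dict[str, List[tuple]] = {   # (start, end): inclusive start, exclusive end
    "alice": [(datetime(2024, 5, 6, 6, 0), datetime(2024, 5, 6, 14, 0))],
    "bob": [(datetime(2024, 5, 6, 14, 0), datetime(2024, 5, 6, 22, 0))],
}


def badged_in(user: str, zone: str, at: datetime, events: List[BadgeEvent],
              max_age: timedelta = timedelta(hours=12)) -> bool:
    """True if the user's most recent badge event in `zone` before `at` is an
    entry no older than max_age (a stale entry with no exit is not trusted)."""
    last: Optional[BadgeEvent] = None
    for ev in events:
        if ev.user == user and ev.zone == zone and ev.time <= at:
            if last is None or ev.time > last.time:
                last = ev
    return last is not None and last.entered and at - last.time <= max_age


def on_shift(user: str, at: datetime) -> bool:
    return any(start <= at < end for start, end in SHIFTS.get(user, []))


def may_operate(user: str, control: str) -> bool:
    """User must be in at least one security group authorised for the control."""
    return bool(USER_GROUPS.get(user, set()) & CONTROL_GROUPS.get(control, set()))


def evaluate(req: LoginRequest, events: List[BadgeEvent]) -> List[str]:
    """Return the reasons to deny; an empty list means allow. Every check must
    pass (default deny) and all failures are reported for the audit log."""
    reasons: List[str] = []
    zone = HMI_ZONE.get(req.hmi)
    if zone is None:
        reasons.append(f"unknown HMI {req.hmi}")
    elif not badged_in(req.user, zone, req.time, events):
        reasons.append(f"{req.user} not badged into {zone}")
    if not on_shift(req.user, req.time):
        reasons.append(f"{req.user} is outside a scheduled shift")
    if req.control is not None and not may_operate(req.user, req.control):
        reasons.append(f"{req.user} is not in a security group for {req.control}")
    return reasons


def sample_badge_log() -> List[BadgeEvent]:
    """Constructed badge-reader events for the demo."""
    return [
        BadgeEvent("alice", "control-room-a", datetime(2024, 5, 6, 5, 55), True),
        BadgeEvent("bob", "control-room-a", datetime(2024, 5, 6, 13, 50), True),
        BadgeEvent("bob", "control-room-a", datetime(2024, 5, 6, 13, 58), False),  # left again
    ]


DEMO_REQUESTS = [
    LoginRequest("alice", "hmi-01", "boiler-feed-valve", datetime(2024, 5, 6, 7, 0)),
    LoginRequest("alice", "hmi-01", "turbine-governor", datetime(2024, 5, 6, 7, 0)),
    LoginRequest("bob", "hmi-01", None, datetime(2024, 5, 6, 14, 5)),
    LoginRequest("alice", "hmi-02", None, datetime(2024, 5, 6, 15, 0)),
]


def demo_results() -> Dict[str, List[str]]:
    """Evaluate the constructed requests; keys are '<user>@<hmi>:<control>'."""
    log = sample_badge_log()
    return {f"{r.user}@{r.hmi}:{r.control}": evaluate(r, log) for r in DEMO_REQUESTS}


if __name__ == "__main__":
    for key, verdict in demo_results().items():
        print(key, "ALLOW" if not verdict else "DENY: " + "; ".join(verdict))
```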
42
• A routable network
 Typically means Ethernet and TCP/IP,
 “Routable” networks also include routable variants of SCADA and
ICS protocols that have been modified to operate over TCP/IP,
such as Modbus/TCP or ICCP over TCP/IP.
• A non-routable network
 Refers to those serial, bus, and point-to-point communication
links that utilize Modbus/RTU, point-to-point ICCP, fieldbus,
and other networks.
 They are still networks: they interconnect devices and provide a
communication path between digital devices
 In many cases are designed for remote command and control.
Routable and non-routable
43
Routable and non-routable
44
• An asset is a unique device that is used within an industrial
control system.
• Assets
 computers, network switches, routers, firewalls, printers, alarm
systems, Human–Machine Interfaces (HMIs), Programmable
Logic Controllers (PLCs), Remote Terminal Units (RTUs),
and the various relays, actuators, sensors, and other devices that
make up a typical control loop.
Assets in Industrial Control Systems
45
• A “cyber asset”
 as any device connected via a routable protocol
• A “critical cyber asset,”
 is a cyber asset whose operation can impact the bulk energy
system
Assets (as defined by NERC CIP)
46
• In 2000, a disgruntled man in Australia who was rejected for a
government job was accused of using a radio transmitter to
alter electronic data within a sewerage pumping station,
causing the release of over two hundred thousand gallons of
raw sewage into nearby rivers.
Example of Industrial Network Incidents
47
• In 2007, there was the Aurora Project: a controlled experiment
by the Idaho National Laboratories (INL), which successfully
demonstrated that a controller could be destroyed via a cyber
attack. The vulnerability allowed hackers—which in this case were
white-hat security researchers at the INL—to successfully open and
close breakers on a diesel generator out of synch, causing an
explosive failure. In September 2007, CNN reported on the
experiment, bringing the security of our power infrastructure into
the popular media.
• The Aurora vulnerability remains a concern today. Although the
North American Electric Reliability Corporation (NERC) first
issued an alert on Aurora a few months before CNN’s report in
June 2007, it has since provided additional alerts, as recent as an
October 2010 alert that provides clear mitigation strategies for
dealing with the vulnerability.
Example of Industrial Network Incidents - continued
48
• In 2008, the agent.btz worm began infecting U.S. military
machines and was reportedly carried into CENTCOM’s
classified network on a USB thumb drive later that year.
Although the CENTCOM breach, reported by CBS’ 60 Minutes
in November 2009, was widely publicized, the specifics are
difficult to ascertain and the damages and intentions remain
highly speculative.
Example of Industrial Network Incidents - continued
49
• The new weapon of cyber war
• Which began to infect industrial control systems in 2010.
• After Stuxnet, any speculation over the possibility of a targeted
cyber attack against an industrial network has been overruled
by this extremely complex and intelligent collection of malware
Example of Industrial Network Incidents - Stuxnet
50
• Stuxnet looks for SIMATIC WinCC and PCS 7 programs from
Siemens, and then using default SQL account credentials to
infect connected Programmable Logic Controllers (PLCs) by
injecting a rootkit via the Siemens fieldbus protocol, Profibus.
• Stuxnet then looks for automation devices using a frequency
converter that controls the speed of a motor. If it sees a
controller operating within a range of 800–1200 Hz, it
attempts to sabotage the operation
Example of Industrial Network Incidents – Stuxnet (continued)
51
• In February 2011, McAfee announced the discovery of a series
of coordinated attacks against oil, energy, and petrochemical
companies. The attacks, which originated primarily in China,
were believed to have originated in 2009, operating
continuously and covertly for the purpose of information
extraction
• Night Dragon is further evidence of how an outside attacker
can (and will) infiltrate critical systems.
• Although the attack did not result in sabotage, as was the case
with Stuxnet, it did involve the theft of sensitive information.
Example of Industrial Network Incidents – Night Dragon
52
• Understanding how industrial networks operate requires a
basic understanding of the underlying communications
protocols that are used, where they are used, and why.
• Designed for efficiency and reliability to support the economic
and operational requirements of large distributed control
systems.
• Similarly, most industrial protocols are designed for real-time
operation to support precision operations.
Industrial Network Controls
53
• So for the sake of efficiency. Often not includes security features
such as authentication and encryption, both of which require
additional overhead.
• To further complicate matters, many of these protocols have
been modified to run over Ethernet and Internet Protocol (IP)
networks in order to meet the evolving needs of business,
potentially exposing these vulnerable protocols to attack.
Industrial Network Protocols
54
• Industrial Network Protocols are real-time communications
protocols.
• Developed to interconnect the systems, interfaces, and
instruments that make up an industrial control system.
• Most were designed initially to communicate serially over RS-
232, RS-485, or other serial connections but have since evolved
to operate over Ethernet networks using routable protocols
such as TCP/IP.
Industrial Network Protocols
55
• Modicon Communication Bus (Modbus)
• Inter Control Center Protocol (ICCP, also known as
TASE.2 or Telecontrol Application Service Element-2)
• Distributed Network Protocol (DNP3)
• Object Linking and Embedding for Process Control (OPC)
Other Protocols
56
• The oldest and perhaps the most widely deployed industrial
control communications protocol.
• It was designed in 1979 by Modicon (now part of Schneider
Electric) that invented the first Programmable Logic Controller
(PLC).
• Modbus has been widely adopted as a de facto standard and has
been enhanced over the years into several distinct variants.
MODBUS
57
• Modbus is an application layer messaging protocol, meaning
that it operates at layer 7 of the OSI model.
• It allows for efficient communications based on a request/reply
methodology.
• It can be used by extremely simple devices such as sensors or
motors to communicate with a more complex computer,
MODBUS - Continued
58
MODBUS - Continued
59
• Modbus RTU
• Modbus ASCII
• Modbus TCP
• Modbus Plus
MODBUS - Variants
60
• Lack of authentication.
 Modbus sessions only require the use of a valid Modbus address and
valid function code.
 Can be easily guessed or spammed, whereas the other is easily
obtainable information.
• Lack of encryption
 Commands and addresses are transmitted in clear text and can
therefore be easily captured and spoofed due to the lack of encryption.
• Lack of message checksum (Modbus TCP only).
 A spoofed command is even easier over some implementations of
Modbus TCP, as the checksum is generated at the transmission layer,
not the application layer.
Security Concerns
61
• Lack of broadcast suppression (serial Modbus variants
only).
 All serially connected devices will receive all messages, meaning a
broadcast of unknown addresses can be used for effective denial of
service (DoS) to a chain of serially connected devices.
• Programmability. By far, the most dangerous quality of
Modbus—which is shared with many industrial protocols—is
that it is intentionally designed to program controllers, and
could be used to inject malicious logic into an RTU or PLC.
Security Concerns - continued
62
Modbus TCP
63
• Modbus, like many industrial control protocols
 should only be used to communicate between sets of known
devices
 using expected function codes, and as such it is easily monitored
by establishing clear groupings / separation
 baselining acceptable behavior.
Modbus – Security Recommendations
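The recommendation above (known device pairs, expected function codes, a baseline of acceptable behavior) maps directly onto a passive monitor. The following is an added example, not code from the slides: it parses the Modbus/TCP MBAP header, learns a baseline from a trusted capture, and then alerts on unknown device pairs, function codes outside the baseline, exception responses and malformed frames. Frames are assumed to arrive as (src_ip, dst_ip, TCP payload) tuples from a capture tool; the addresses and frames are constructed.

```python
"""Passive Modbus/TCP monitor: learn a baseline of (source, destination, function
code) from a trusted capture, then alert on anything outside it. Added example,
not from the slides; addresses and frames are constructed."""
import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Pair = Tuple[str, str]               # (src_ip, dst_ip)
Frame = Tuple[str, str, bytes]       # (src_ip, dst_ip, TCP payload = MBAP header + PDU)

WRITE_FCS = {5, 6, 15, 16, 22, 23}   # coil/register writes change process state
PROGRAM_FCS = {8, 43}                # diagnostics / encapsulated interface (device identification)
RISKY_FCS = WRITE_FCS | PROGRAM_FCS


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Modbus/TCP ADU: MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(payload: bytes) -> Tuple[int, int, int]:
    """Return (transaction id, unit id, function code); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload")
    return tid, unit, payload[7]


def learn_baseline(frames: List[Frame]) -> Dict[Pair, Set[int]]:
    """Record which function codes each (src, dst) pair used in a trusted capture.
    Responses carry the same function code as requests, so both directions are learned."""
    baseline: Dict[Pair, Set[int]] = defaultdict(set)
    for src, dst, payload in frames:
        try:
            _, _, fc = parse_frame(payload)
        except ValueError:
            continue                   # malformed traffic never becomes "normal"
        baseline[(src, dst)].add(fc & 0x7F)
    return dict(baseline)


def check_frames(frames: List[Frame], baseline: Dict[Pair, Set[int]]) -> List[str]:
    """Alert on unknown device pairs, unexpected function codes, exceptions and malformed frames."""
    alerts: List[str] = []
    for src, dst, payload in frames:
        try:
            _, unit, fc = parse_frame(payload)
        except ValueError as err:
            alerts.append(f"MALFORMED {src}->{dst}: {err}")
            continue
        base_fc = fc & 0x7F            # bit 7 set marks an exception response
        allowed = baseline.get((src, dst))
        if allowed is None:
            sev = "HIGH" if base_fc in RISKY_FCS else "MEDIUM"
            alerts.append(f"{sev} unknown pair {src}->{dst} fc={base_fc}")
        elif base_fc not in allowed:
            sev = "HIGH" if base_fc in RISKY_FCS else "LOW"
            alerts.append(f"{sev} unexpected fc={base_fc} {src}->{dst}")
        if fc & 0x80:
            alerts.append(f"INFO exception response {src}->{dst} fc={base_fc} unit={unit}")
    return alerts


HMI, PLC, ROGUE = "10.0.2.10", "10.0.3.21", "10.0.9.99"   # constructed addresses


def sample_baseline() -> List[Frame]:
    """Constructed trusted capture: the HMI polls and writes holding registers on the PLC."""
    return [
        (HMI, PLC, build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),               # read 10 holding regs
        (PLC, HMI, build_frame(1, 1, 3, b"\x14" + b"\x00" * 20)),            # response, 20 bytes
        (HMI, PLC, build_frame(2, 1, 16, b"\x00\x10\x00\x01\x02\x00\x2a")),  # write 1 register
        (PLC, HMI, build_frame(2, 1, 16, b"\x00\x10\x00\x01")),
    ]


def sample_suspicious() -> List[Frame]:
    """Constructed capture with a rogue host and behaviour outside the baseline."""
    return [
        (HMI, PLC, build_frame(3, 1, 3, b"\x00\x00\x00\x0a")),      # normal poll
        (ROGUE, PLC, build_frame(1, 1, 5, b"\x00\x01\xff\x00")),    # coil write from unknown host
        (HMI, PLC, build_frame(4, 1, 8, b"\x00\x01\x00\x00")),      # diagnostics, never baselined
        (PLC, HMI, build_frame(4, 1, 0x88, b"\x01")),               # exception: illegal function
        (ROGUE, PLC, b"\x00\x01\x00\x00"),                          # truncated frame
    ]


if __name__ == "__main__":
    for alert in check_frames(sample_suspicious(), learn_baseline(sample_baseline())):
        print(alert)
```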
64
• Ethernet/IP uses standard Ethernet frames (ethertype 0x80E1)
in conjunction with the Common Industrial Protocol (CIP) suite
to communicate with nodes.
• Communication is typically
 client/server
 although an “implicit” mode is supported to handle real-time
requirements.
• Implicit mode uses connectionless transport specifically the
User Datagram Protocol (UDP) and multicast transmissions to
minimize latency and jitter.
Ethernet Industrial Protocol – Ethernet/IP
65
• The CIP uses object models to de ne the various qualities of a
device.
• There are three types of objects:
 Required Objects, which define attributes such as device
identifiers, routing identifiers, and other attributes of a device
such as the manufacturer, serial number, date of manufacture,
etc.;
 Application Objects, which define input and output profiles for
devices;
 Vendor specific Objects, which enable vendors to add
proprietary objects to a device. Objects (other than vendor-speci c
objects) are standardized by device type and function, to facilitate
interoperability:
Common Industrial Protocol (CIP)
66
• Ethernet/IP is
 a real-time Ethernet protocol
 it is susceptible to any of the vulnerabilities of Ethernet.
• Ethernet/IP over UDP is transaction-less and so there is no
inherent network-layer mechanism for reliability, ordering, or
data integrity checks.
• The CIP also introduces some specific security concerns, due to
its well-defined object model.
Security Concerns
67
• The CIP does not define any explicit or implicit mechanisms for
security.
• The use of common “Required Objects” for device identification
can facilitate device identification and enumeration, facilitating an
attack.
• The use of common “Application Objects” for device information
exchange and control can enable broader industrial attacks, able to
manipulate a broad range of industrial devices.
• Ethernet/IP’s use of UDP and Multicast traffic—both of which lack
transmission control—for real-time transmissions facilitate the
injection of spoofed traffic or (in the case of multicast traffic) the
manipulation of the transmission path using injected IGMP
controls.
Ethernet/IP Security Concerns
68
• Because Ethernet/IP is a real-time Ethernet protocol using
UDP and IGMP, it is necessary to provide Ethernet and IP-
based security at the perimeter of any Ethernet/IP network.
• It is also recommended that passive network monitoring be
used to ensure the integrity of the Ethernet/IP network,
ensuring that the Ethernet/IP protocol is only being used by
explicitly identified devices and that no Ethernet/IP traffic is
originating from an unauthorized, outside source. This can be
accomplished using a SCADA-IDS/IPS or other network
monitoring device capable of detecting and interpreting the
Ethernet/IP protocol.
Security Recommendations
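The passive monitoring recommended above needs a monitor that can actually interpret Ethernet/IP. The block below is an added example, not code from the slides or from any SCADA-IDS product: it parses the 24-byte Ethernet/IP encapsulation header, confirms that explicit messaging (port 44818) and implicit UDP I/O (port 2222) originate only from explicitly identified devices, and flags a ListIdentity sweep, which is how the “Required Objects” enumeration concern from the earlier slide shows up on the wire. The host addresses, authorized-device sets and packets are constructed.

```python
"""Passive Ethernet/IP monitor for the perimeter of a control network: parse the
encapsulation header, confirm explicit messaging and implicit (UDP) I/O only come
from explicitly identified devices, and spot ListIdentity enumeration sweeps.
Added example, not from the slides; hosts and packets are constructed."""
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

ENIP_PORT = 44818        # explicit messaging (TCP, and UDP for ListIdentity broadcasts)
ENIP_IO_PORT = 2222      # implicit real-time I/O over UDP/multicast
# Encapsulation header, little-endian: command, length, session handle, status,
# 8-byte sender context, options (24 bytes in total).
ENCAP = struct.Struct("<HHII8sI")
LIST_IDENTITY = 0x0063
REGISTER_SESSION = 0x0065
SEND_RR_DATA = 0x006F


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


def build_encap(command: int, session: int = 0, data: bytes = b"") -> bytes:
    """Encapsulation header followed by its command-specific data."""
    return ENCAP.pack(command, len(data), session, 0, b"\x00" * 8, 0) + data


def parse_encap(payload: bytes) -> Tuple[int, int]:
    """Return (command, session handle); raise ValueError if header or length is bad."""
    if len(payload) < ENCAP.size:
        raise ValueError("short encapsulation header")
    command, length, session, _status, _ctx, _opts = ENCAP.unpack_from(payload)
    if length != len(payload) - ENCAP.size:
        raise ValueError("encapsulation length does not match payload")
    return command, session


def check_packets(packets: List[Packet], explicit_hosts: Set[str],
                  io_producers: Set[str], sweep_threshold: int = 3) -> List[str]:
    """explicit_hosts: devices allowed to send explicit messages (HMI, engineering station).
    io_producers: devices allowed to originate implicit I/O datagrams."""
    alerts: List[str] = []
    identity_targets: Dict[str, Set[str]] = defaultdict(set)
    for p in packets:
        if p.proto == "udp" and p.dport == ENIP_IO_PORT:
            # Implicit I/O has no session or transport checks; the source is all we can vet.
            if p.src not in io_producers:
                alerts.append(f"HIGH implicit I/O from unauthorized producer {p.src}->{p.dst}")
            continue
        if p.dport != ENIP_PORT:
            continue                                   # not Ethernet/IP explicit messaging
        try:
            command, _session = parse_encap(p.payload)
        except ValueError as err:
            alerts.append(f"MEDIUM malformed encapsulation {p.src}->{p.dst}: {err}")
            continue
        if p.src not in explicit_hosts:
            alerts.append(f"HIGH command 0x{command:04x} from unauthorized host {p.src}->{p.dst}")
        if command == LIST_IDENTITY:
            identity_targets[p.src].add(p.dst)       # Required-Object enumeration attempts
    for src, targets in identity_targets.items():
        if len(targets) >= sweep_threshold:
            alerts.append(f"MEDIUM ListIdentity sweep by {src} against {len(targets)} hosts")
    return alerts


ENG, HMI, PLC, ROGUE = "10.0.2.5", "10.0.2.10", "10.0.3.30", "10.0.9.99"   # constructed
EXPLICIT_HOSTS = {ENG, HMI}
IO_PRODUCERS = {PLC}


def sample_normal() -> List[Packet]:
    """Constructed traffic from identified devices only."""
    return [
        Packet(ENG, PLC, "tcp", ENIP_PORT, build_encap(REGISTER_SESSION, 0, b"\x01\x00\x00\x00")),
        Packet(HMI, PLC, "tcp", ENIP_PORT, build_encap(SEND_RR_DATA, 0x1234, b"\x00" * 10)),
        Packet(PLC, HMI, "udp", ENIP_IO_PORT, b"\x02\x00" + b"\x00" * 30),   # cyclic I/O data
    ]


def sample_suspicious() -> List[Packet]:
    """Normal traffic plus a rogue host enumerating, injecting I/O and sending junk."""
    sweep = [Packet(ROGUE, f"10.0.3.{n}", "udp", ENIP_PORT, build_encap(LIST_IDENTITY))
             for n in (30, 31, 32)]
    return sample_normal() + sweep + [
        Packet(ROGUE, HMI, "udp", ENIP_IO_PORT, b"\x02\x00" + b"\x00" * 30),  # injected I/O
        Packet(ROGUE, PLC, "tcp", ENIP_PORT, b"\x65\x00"),                    # truncated header
    ]


if __name__ == "__main__":
    for alert in check_packets(sample_suspicious(), EXPLICIT_HOSTS, IO_PRODUCERS):
        print(alert)
```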
69
• Monitoring your network including ICS traffic
• Creating Baseline
• Security awareness program
• Network isolation
• Firmware update ( very challanging)
• ID/IPS
• Test network ( Pentesting ) never on production network
Final Recommendations
70
• Failsafe
• May apply forensics if needed
• Implement security best practices
• Connect with others who are expert in the filed
Final Recommendations - continued

  • 32.
    32 • Nuclear RegulatoryCommission (NRC).  The NRC was formed as an independent agency by Congress in 1974  The goal: attempt to guarantee the safe operation of nuclear facilities and to protect people and the environment.  This includes regulating the use of nuclear material including by-product, source, and special nuclear materials, as well as nuclear power.  NRC requires and enforces the cyber security of nuclear power facilities. Ultimately, all other industries rely upon energy to operate, and so the security of the energy infrastructure (and the development of the smart grid) impacts everything else, so that talking about securing industrial networks without talking about energy is practically impossible.  The NRC is responsible for ensuring the safe use of radioactive materials for ben- e cial civilian (nonmilitary) purposes by licensed nuclear facilities. Standards and Organizations - continued
  • 33.
    33 • Homeland SecurityPresidential DirectiveSeven/HSPD-7  The HSPD-7 attempts to distinguish the critical versus noncritical systems.  HSPD-7 does not include specific security recommendations  relying instead upon other federal security recommendations such as those by the NIST on the security of both enterprise and industrial networks, as well as the Homeland Security Risk- Based Performance Standards used in securing chemical facilities. Standards and Organizations - continued
  • 34.
    34 • NIST SpecialPublications (800 Series)  NIST’s 800 series documents provide best practices and information of general interest to information security.  All 800 series documents concern information security  It should be used as references where applicable.  Particular relevance to industrial network security is  SP 800-53 (“Recommended Security Controls for Federal Information Systems”)  SP 800-82 (“Guide to Supervisory Control and Data Acquisition [SCADA] and Industrial Control Systems Security”) Standards and Organizations - continued
  • 35.
    35 • Other standardsaddresses security recommendations and best practices:  Federal Information Security Management Act -FISMA  Chemical Facility Anti-Terrorism Standards – CFATS  ISA-99  ISO 27002 Standards and Organizations - continued
  • 36.
    36 • The separationof assets into functional groups allows specific services to be tightly locked down and controlled • This is one of the easiest methods of reducing the attack surface that is exposed to attackers. • Simply by disallowing all unnecessary ports and services, we also eliminate all of the vulnerabilities—known or unknown—that could potentially allow an attacker to exploit those services. • Control communications in both directions through a firewall ( key area) study your network??  Not all threats originate from outside. Open, outbound traffic policies can facilitate an insider attack, enable the internal spread of malware, enable outbound command and control capabilities, or allow for data leakage or information theft. Network Segmentation - isolation
  • 37.
  • 38.
  • 39.
    39 Defense in Depth– Provision of additional layers of protection
  • 40.
    40 Defense in Depth– Protective Measures
  • 41.
    41 • Additional measuresrelated to Access Control:  Only allow a user to log in to an HMI if the user has successfully badged into the control room (user credentials combined with physical access controls)  Only allow a user to operate a given control from a specific controller (user credentials limited within a security group)  Only allow a user to authenticate during that user’s shift (user credentials combined with personnel management) Additional Measures
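The three access-control measures on slide 41 combine an HMI credential with two other data sources (the badge system and the personnel roster). The following is an added example, not code from the presentation or from any HMI product: a single authorization decision that checks all three gates and reports every failed gate for the audit log. The users, the control name, the badge times and the shifts are constructed sample data.

```python
from datetime import datetime, time

# Constructed sample data standing in for three separate systems (hypothetical):
# the credential store, the control-room badge reader log, the HMI security
# groups and the shift roster. None of this comes from a real plant.
VALID_CREDENTIALS = {"alice", "bob", "carol"}
BADGED_IN_TODAY = {"alice": datetime(2024, 3, 4, 7, 55)}    # last badge-in at the control-room door
CONTROL_GROUPS = {"boiler-feed-pump": {"alice", "bob"}}       # who may operate which control
SHIFTS = {"alice": (time(7, 0), time(15, 0)),                  # same-day shifts only, to keep it short
          "bob": (time(15, 0), time(23, 0))}


def authorize_hmi_action(user, control, now_iso, credentials=VALID_CREDENTIALS,
                         badge_log=BADGED_IN_TODAY, groups=CONTROL_GROUPS, shifts=SHIFTS):
    """Apply the three gates from the slide; every gate must pass.

    Returns (allowed, reasons) so the audit log records why a request was refused.
    """
    now = datetime.fromisoformat(now_iso)
    reasons = []
    if user not in credentials:
        reasons.append("unknown credential")
    # Physical access gate: the most recent badge-in must be today and before now.
    badge = badge_log.get(user)
    if badge is None or badge.date() != now.date() or badge > now:
        reasons.append("not badged into control room")
    # Personnel-management gate: authentication only inside the user's own shift.
    shift = shifts.get(user)
    if shift is None or not (shift[0] <= now.time() < shift[1]):
        reasons.append("outside assigned shift")
    # Security-group gate: the user must be in the group that owns this control.
    if user not in groups.get(control, set()):
        reasons.append("not in security group for this control")
    return (not reasons, reasons)


if __name__ == "__main__":
    for who, when in (("alice", "2024-03-04T09:00"), ("bob", "2024-03-04T16:00")):
        print(who, when, authorize_hmi_action(who, "boiler-feed-pump", when))
```

Because all three gates are evaluated rather than short-circuiting on the first failure, the returned reasons show whether a refused request was a stale badge record, a roster problem, or a credential that has no business on that control.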
42
Routable and non-routable
• A routable network
 typically means Ethernet and TCP/IP;
 “routable” networks also include routable variants of SCADA and ICS protocols that have been modified to operate over TCP/IP, such as Modbus/TCP or ICCP over TCP/IP.
• A non-routable network
 refers to those serial, bus, and point-to-point communication links that utilize Modbus/RTU, point-to-point ICCP, fieldbus, and other networks.
 They are still networks: they interconnect devices and provide a communication path between digital devices.
 In many cases they are designed for remote command and control.
43
44
Assets in Industrial Control Systems
• An asset is a unique device that is used within an industrial control system.
• Assets include
 computers, network switches, routers, firewalls, printers, alarm systems, Human–Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and the various relays, actuators, sensors, and other devices that make up a typical control loop.
45
Assets (as defined by NERC CIP)
• A “cyber asset”
 is any device connected via a routable protocol
• A “critical cyber asset”
 is a cyber asset whose operation can impact the bulk energy system
46
Example of Industrial Network Incidents
• In 2000, a disgruntled man in Australia who was rejected for a government job was accused of using a radio transmitter to alter electronic data within a sewerage pumping station, causing the release of over two hundred thousand gallons of raw sewage into nearby rivers.
47
Example of Industrial Network Incidents - continued
• In 2007, there was the Aurora Project: a controlled experiment by the Idaho National Laboratories (INL), which successfully demonstrated that a controller could be destroyed via a cyber attack. The vulnerability allowed hackers (in this case, white-hat security researchers at the INL) to open and close breakers on a diesel generator out of sync, causing an explosive failure. In September 2007, CNN reported on the experiment, bringing the security of our power infrastructure into the popular media.
• The Aurora vulnerability remains a concern today. Although the North American Electric Reliability Corporation (NERC) first issued an alert on Aurora a few months before CNN’s report, in June 2007, it has since provided additional alerts, as recent as an October 2010 alert that provides clear mitigation strategies for dealing with the vulnerability.
48
Example of Industrial Network Incidents - continued
• In 2008, the agent.btz worm began infecting U.S. military machines and was reportedly carried into CENTCOM’s classified network on a USB thumb drive later that year. Although the CENTCOM breach, reported by CBS’ 60 Minutes in November 2009, was widely publicized, the specifics are difficult to ascertain and the damages and intentions remain highly speculative.
49
Example of Industrial Network Incidents - Stuxnet
• The new weapon of cyber war
• Began to infect industrial control systems in 2010.
• After Stuxnet, any speculation over the possibility of a targeted cyber attack against an industrial network has been overruled by this extremely complex and intelligent collection of malware.
50
Example of Industrial Network Incidents – Stuxnet (continued)
• Stuxnet looks for SIMATIC WinCC and PCS 7 programs from Siemens, and then uses default SQL account credentials to infect connected Programmable Logic Controllers (PLCs) by injecting a rootkit via the Siemens fieldbus protocol, Profibus.
• Stuxnet then looks for automation devices using a frequency converter that controls the speed of a motor. If it sees a controller operating within a range of 800–1200 Hz, it attempts to sabotage the operation.
51
Example of Industrial Network Incidents – Night Dragon
• In February 2011, McAfee announced the discovery of a series of coordinated attacks against oil, energy, and petrochemical companies. The attacks, which originated primarily in China, were believed to have begun in 2009, operating continuously and covertly for the purpose of information extraction.
• Night Dragon is further evidence of how an outside attacker can (and will) infiltrate critical systems.
• Although the attack did not result in sabotage, as was the case with Stuxnet, it did involve the theft of sensitive information.
52
Industrial Network Controls
• Understanding how industrial networks operate requires a basic understanding of the underlying communications protocols that are used, where they are used, and why.
• They are designed for efficiency and reliability to support the economic and operational requirements of large distributed control systems.
• Similarly, most industrial protocols are designed for real-time operation to support precision operations.
53
Industrial Network Protocols
• For the sake of efficiency, they often do not include security features such as authentication and encryption, both of which require additional overhead.
• To further complicate matters, many of these protocols have been modified to run over Ethernet and Internet Protocol (IP) networks in order to meet the evolving needs of business, potentially exposing these vulnerable protocols to attack.
54
Industrial Network Protocols
• Industrial network protocols are real-time communications protocols.
• They were developed to interconnect the systems, interfaces, and instruments that make up an industrial control system.
• Most were designed initially to communicate serially over RS-232, RS-485, or other serial connections, but have since evolved to operate over Ethernet networks using routable protocols such as TCP/IP.
55
Other Protocols
• Modicon Communication Bus (Modbus)
• Inter Control Center Protocol (ICCP, also known as TASE.2 or Telecontrol Application Service Element-2)
• Distributed Network Protocol (DNP3)
• Object Linking and Embedding for Process Control (OPC)
56
MODBUS
• The oldest and perhaps the most widely deployed industrial control communications protocol.
• It was designed in 1979 by Modicon (now part of Schneider Electric), which invented the first Programmable Logic Controller (PLC).
• Modbus has been widely adopted as a de facto standard and has been enhanced over the years into several distinct variants.
57
MODBUS - Continued
• Modbus is an application layer messaging protocol, meaning that it operates at layer 7 of the OSI model.
• It allows for efficient communications based on a request/reply methodology.
• It can be used by extremely simple devices such as sensors or motors to communicate with a more complex computer.
58
59
MODBUS - Variants
• Modbus RTU
• Modbus ASCII
• Modbus TCP
• Modbus Plus
60
Security Concerns
• Lack of authentication.
 Modbus sessions only require the use of a valid Modbus address and a valid function code.
 The address can be easily guessed or spammed, whereas the function code is easily obtainable information.
• Lack of encryption.
 Commands and addresses are transmitted in clear text and can therefore be easily captured and spoofed.
• Lack of message checksum (Modbus TCP only).
 A spoofed command is even easier over some implementations of Modbus TCP, as the checksum is generated at the transmission layer, not the application layer.
61
Security Concerns - continued
• Lack of broadcast suppression (serial Modbus variants only).
 All serially connected devices will receive all messages, meaning a broadcast of unknown addresses can be used for effective denial of service (DoS) to a chain of serially connected devices.
• Programmability.
 By far the most dangerous quality of Modbus (shared with many industrial protocols) is that it is intentionally designed to program controllers, and could be used to inject malicious logic into an RTU or PLC.
62
63
Modbus – Security Recommendations
• Modbus, like many industrial control protocols,
 should only be used to communicate between sets of known devices
 using expected function codes, and as such it is easily monitored by establishing clear groupings / separation
 and baselining acceptable behavior.
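Slides 60, 61 and 63 together describe what a Modbus/TCP monitor can key on: the protocol carries no authentication, so the only usable signals are which device talks to which, the unit identifier and the function code. The following is an added example, not code from the presentation or from any product: it parses the 7-byte MBAP header and function code, learns a baseline of (source, destination, unit, function) tuples from known-good traffic, and then flags anything outside that baseline, naming writes and diagnostic/programming functions separately. The IP addresses and frames are constructed sample data.

```python
import struct

# Modbus function codes grouped by what they do to a controller. Anything outside
# READ/WRITE (diagnostics, file records, vendor or programming codes) maps to the
# "programmability" concern from slide 61.
READ_FUNCTIONS = {1, 2, 3, 4}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


def mb_frame(tid, unit, function, data=b""):
    """Build a Modbus/TCP frame: 7-byte MBAP header + PDU (constructed sample input)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(payload):
    """Return the MBAP fields and function code, or raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("truncated frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def learn_baseline(flows):
    """Learn the allowed (src, dst, unit, function) tuples from known-good traffic."""
    baseline = set()
    for src, dst, payload in flows:
        m = parse_modbus_tcp(payload)
        baseline.add((src, dst, m["unit"], m["function"]))
    return baseline


def check_flows(flows, baseline):
    """Flag every frame that is malformed or falls outside the learned baseline."""
    alerts = []
    for src, dst, payload in flows:
        try:
            m = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append((src, dst, "malformed: %s" % err))
            continue
        fc = m["function"]
        if (src, dst, m["unit"], fc) in baseline:
            continue
        if fc in WRITE_FUNCTIONS:
            kind = "unexpected write"
        elif fc in READ_FUNCTIONS:
            kind = "unexpected read"
        else:
            kind = "unexpected diagnostic/programming function"
        alerts.append((src, dst, "%s: unit %d function %d" % (kind, m["unit"], fc)))
    return alerts


# Constructed traffic: an HMI (10.1.0.10) polls and writes a setpoint on PLC unit 1 (10.1.0.20).
KNOWN_GOOD = [
    ("10.1.0.10", "10.1.0.20", mb_frame(1, 1, 3, struct.pack(">HH", 0, 10))),                  # read 10 holding registers
    ("10.1.0.10", "10.1.0.20", mb_frame(2, 1, 16, struct.pack(">HHB", 0, 1, 2) + b"\x00\x05")),  # write one setpoint
]
OBSERVED = KNOWN_GOOD + [
    ("10.1.0.99", "10.1.0.20", mb_frame(7, 1, 3, struct.pack(">HH", 0, 10))),   # unknown host polling the PLC
    ("10.1.0.10", "10.1.0.20", mb_frame(8, 1, 8, b"\x00\x01\x00\x00")),         # diagnostics (FC 8) never seen before
    ("10.1.0.10", "10.1.0.20", mb_frame(9, 1, 6, b"\x00\x00\x00\x00")),         # single-register write not in baseline
    ("10.1.0.10", "10.1.0.20", b"\x00\x0a\x00\x00\x00\x02\x01"),                 # truncated frame
]
```

Running `check_flows(OBSERVED, learn_baseline(KNOWN_GOOD))` yields four alerts, one per constructed deviation; on a real segment the baseline would be learned over a full production cycle so that infrequent but legitimate writes are captured.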
64
Ethernet Industrial Protocol – Ethernet/IP
• Ethernet/IP uses standard Ethernet frames (ethertype 0x80E1) in conjunction with the Common Industrial Protocol (CIP) suite to communicate with nodes.
• Communication is typically
 client/server,
 although an “implicit” mode is supported to handle real-time requirements.
• Implicit mode uses connectionless transport, specifically the User Datagram Protocol (UDP), and multicast transmissions to minimize latency and jitter.
65
Common Industrial Protocol (CIP)
• The CIP uses object models to define the various qualities of a device.
• There are three types of objects:
 Required Objects, which define attributes such as device identifiers, routing identifiers, and other attributes of a device such as the manufacturer, serial number, date of manufacture, etc.;
 Application Objects, which define input and output profiles for devices;
 Vendor-specific Objects, which enable vendors to add proprietary objects to a device.
• Objects (other than vendor-specific objects) are standardized by device type and function, to facilitate interoperability.
66
Security Concerns
• Ethernet/IP is a real-time Ethernet protocol;
 it is susceptible to any of the vulnerabilities of Ethernet.
• Ethernet/IP over UDP is transaction-less, and so there is no inherent network-layer mechanism for reliability, ordering, or data integrity checks.
• The CIP also introduces some specific security concerns, due to its well-defined object model.
67
Ethernet/IP Security Concerns
• The CIP does not define any explicit or implicit mechanisms for security.
• The use of common “Required Objects” for device identification can facilitate device identification and enumeration, facilitating an attack.
• The use of common “Application Objects” for device information exchange and control can enable broader industrial attacks, able to manipulate a broad range of industrial devices.
• Ethernet/IP’s use of UDP and multicast traffic (both of which lack transmission control) for real-time transmissions facilitates the injection of spoofed traffic or (in the case of multicast traffic) the manipulation of the transmission path using injected IGMP controls.
68
Security Recommendations
• Because Ethernet/IP is a real-time Ethernet protocol using UDP and IGMP, it is necessary to provide Ethernet- and IP-based security at the perimeter of any Ethernet/IP network.
• It is also recommended that passive network monitoring be used to ensure the integrity of the Ethernet/IP network, ensuring that the Ethernet/IP protocol is only being used by explicitly identified devices and that no Ethernet/IP traffic is originating from an unauthorized, outside source. This can be accomplished using a SCADA-IDS/IPS or other network monitoring device capable of detecting and interpreting the Ethernet/IP protocol.
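Slide 68 asks for passive monitoring that confirms Ethernet/IP is used only by explicitly identified devices and never from an outside source, and slide 67 notes that the standard identity objects make device enumeration easy. The following is an added example, not code from the presentation or from any SCADA-IDS product: it decodes the 24-byte Ethernet/IP encapsulation header (explicit messaging on port 44818) and checks each packet against a device inventory and the ICS subnet, treating implicit I/O on UDP 2222 (which has no encapsulation header) by origin only. The inventory, subnet and packets are constructed sample data.

```python
import ipaddress
import struct

# Ethernet/IP encapsulation header (24 bytes, little-endian): command, length,
# session handle, status, sender context, options. Explicit messaging uses
# TCP/UDP 44818; implicit (class 0/1) I/O uses UDP 2222 without this header.
ENIP_HEADER = struct.Struct("<HHIIQI")
COMMANDS = {0x63: "ListIdentity", 0x65: "RegisterSession", 0x6F: "SendRRData", 0x70: "SendUnitData"}

# Constructed inventory of explicitly identified devices (hypothetical addresses).
ICS_NETWORK = ipaddress.ip_network("10.1.0.0/24")
INVENTORY = {"10.1.0.10": "HMI", "10.1.0.20": "PLC-1", "10.1.0.21": "PLC-2"}


def enip(command, session=0, data=b""):
    """Build an encapsulation packet (constructed sample input)."""
    return ENIP_HEADER.pack(command, len(data), session, 0, 0, 0) + data


def parse_enip(payload):
    """Decode the encapsulation header, or raise ValueError if it is malformed."""
    if len(payload) < ENIP_HEADER.size:
        raise ValueError("truncated encapsulation header")
    command, length, session, status, _ctx, _opts = ENIP_HEADER.unpack(payload[:ENIP_HEADER.size])
    if length != len(payload) - ENIP_HEADER.size:
        raise ValueError("encapsulation length mismatch")
    return {"command": command, "session": session, "status": status, "data": payload[ENIP_HEADER.size:]}


def check_enip_packets(packets, inventory=INVENTORY, ics_network=ICS_NETWORK):
    """packets: (src, dst, proto, dport, payload) tuples. Returns (src, message) alerts."""
    alerts = []
    for src, dst, proto, dport, payload in packets:
        if proto == "udp" and dport == 2222:
            # Implicit I/O carries no encapsulation header; only its origin can be checked.
            if src not in inventory:
                alerts.append((src, "implicit I/O (UDP 2222) from non-inventoried host"))
            continue
        try:
            msg = parse_enip(payload)
        except ValueError as err:
            alerts.append((src, "malformed encapsulation: %s" % err))
            continue
        name = COMMANDS.get(msg["command"], "command 0x%02X" % msg["command"])
        if ipaddress.ip_address(src) not in ics_network:
            alerts.append((src, "%s from outside the ICS network" % name))
        elif src not in inventory:
            alerts.append((src, "%s from non-inventoried host" % name))
        elif msg["command"] == 0x63 and ipaddress.ip_address(dst) == ics_network.broadcast_address:
            alerts.append((src, "ListIdentity broadcast (device enumeration); confirm scheduled maintenance"))
    return alerts


PACKETS = [
    ("10.1.0.10", "10.1.0.20", "tcp", 44818, enip(0x65, 0, b"\x01\x00\x00\x00")),   # HMI registers a session with PLC-1
    ("10.1.0.10", "10.1.0.20", "tcp", 44818, enip(0x6F, 0x1234, b"\x00" * 6)),      # explicit request on that session
    ("10.1.0.20", "10.1.0.10", "udp", 2222, b"\x02\x00\x00\x00"),                    # implicit I/O from PLC-1: expected
    ("10.1.0.10", "10.1.0.255", "udp", 44818, enip(0x63)),                           # HMI broadcasts ListIdentity
    ("10.1.0.55", "10.1.0.255", "udp", 44818, enip(0x63)),                           # unknown host enumerating devices
    ("192.168.5.7", "10.1.0.21", "tcp", 44818, enip(0x65, 0, b"\x01\x00\x00\x00")),  # session attempt from outside
    ("10.1.0.66", "10.1.0.20", "udp", 2222, b"\x02\x00\x00\x00"),                    # implicit I/O from unknown host
    ("10.1.0.10", "10.1.0.21", "tcp", 44818, b"\x6f\x00"),                           # truncated packet
]
```

The first three constructed packets are silent; the remaining five each produce one alert, which is the behaviour a perimeter sensor on the Ethernet/IP segment should reproduce.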
69
Final Recommendations
• Monitoring your network, including ICS traffic
• Creating a baseline
• Security awareness program
• Network isolation
• Firmware updates (very challenging)
• IDS/IPS
• Test network (pentesting): never on the production network
70
Final Recommendations - continued
• Failsafe
• May apply forensics if needed
• Implement security best practices
• Connect with others who are experts in the field