Demystifying Cyber Attacks on ICS: How They Work and How to Use Engineered and Cyber Layers of Protection
2016 ISA Water / Wastewater and Automatic Controls Symposium
August 2-4, 2016 – Orlando, Florida, USA
Speaker:
Bryan L Singer, CISSP, CAP
2016 ISA WWAC Symposium
Aug 2-4, 2016 – Orlando, Florida, USA 2
About the Presenter: Bryan L Singer, CISSP, CAP
• Bryan Singer is a Principal Investigator with Kenexis Security Corporation, specializing primarily in Industrial Control Systems and SCADA Security. He began his professional career with the US Army as a paratrooper and Intelligence Analyst. Since the military, Mr. Singer has designed, developed, and implemented large-scale industrial networks and cyber security architectures, and has conducted penetration tests and cyber security assessments worldwide across various critical infrastructure fields including power, oil and gas, food and beverage, nuclear, automotive, chemical, and pharmaceutical operations. In 2002, Mr. Singer became the founding chairman of the ISA-99 / 62443 standard, which he led until 2012. His areas of technical expertise are software development, reverse engineering, forensics, network design, penetration testing, and conducting cyber security vulnerability assessments.
Why all the Fuss?
• “Vulnerabilities” are being released with increased prevalence against ICS
• Most of these allow common IT-type exploits against endpoint ICS devices
• Engineering and operations don’t take many of these seriously, as they rely on engineered safeguards to protect a process rather than IT integrity
• Actual attack analysis shows that successful ICS attackers possess:
– Knowledge of cyber security
– Knowledge of ICS devices and their operations
– Knowledge of the specific industrial process and its operation
Fundamentally, most ICS processes today are insufficiently hardened against true ICS cyber attack
Mechanical Integrity
• “Mechanical Integrity means the process of ensuring that process equipment is fabricated from the proper materials of construction and is properly installed, maintained, and replaced to prevent failures and accidental releases.” (19 CFR 2735.3)
• Governed by OSHA 1910.119(j):
– By designing to meet or exceed standards
– By fabricating with proper materials, using proper construction and installation techniques, and confirming equipment suitability with tests
– By ensuring that the equipment remains fit for service
Mechanical Integrity (Cont.)
• Mechanical Integrity (MI) can be defined as the management of critical process equipment to ensure it is designed and installed correctly, and that it operates properly
Achieving Mechanical Integrity in Ethernet
• Predictable failure (Probability of Failure on Demand)
• Equipment regularly serviced and in good order
• Properly documented
• No mechanical deficiencies
• Can provide assured control over inputs and outputs
Analysis of ICS for Cyber Security
• Assessment: Analyze the process to understand safety, reliability, and security threats
– Attack Modeling: Think like an attacker
– Engineering Analysis: Understand the safeguards and control systems – and how to bypass them
– Cyber Security Analysis: Understand how to gain access to, and pwn, the ICS
• Network Security Monitoring – What alarms and signals should be watched?
• Forensics – If all goes wrong, where’s the data?
Mechanical Integrity Versus Cyber-Physical Integrity
• Mechanical Integrity: The sum total of the parts will operate as expected, despite predictable and foreknown failure of one or more components
• Cyber-Mechanical Integrity: The system is resilient to fault against unpredictable and known or unknown failure of any single component
Achieving Cyber-Physical Integrity
• Traditional ICS security controls are insufficient:
– Firewalls can control the point of origination of a message and the type of network traffic, but not the message itself
– Access control can prevent unauthorized change, but non-repudiation in ICS is nearly impossible
– Message integrity and encryption can help assure message integrity
– Input validation can be violated by changing logic or firmware, or by masking signals
• Layer of Protection Analysis with cyber (Cyber LOPA):
– Determine mechanical safeguards to prevent compromise of cyber-mechanical integrity
– Even where traditional safety calculations say SIS or additional engineered layers of protection are insufficient, cyber LOPA will likely demonstrate otherwise
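As an added worked example (not code from the presentation), the following Python carries the cyber LOPA idea through as a calculation: classic LOPA multiplies the initiating event frequency by each protection layer's PFD, while the cyber scenario credits nothing to a layer a connected attacker can defeat or mask, so only layers that need physical intervention to bypass still count. The initiating event, the layers, their PFDs and the target frequency are constructed illustrative values for the distillation column overpressure case, not figures from the slides.

```python
"""Cyber LOPA worked example (added here; not code from the presentation).

Classic LOPA:  f_mitigated = f_initiating * PFD_1 * PFD_2 * ... * PFD_n
Cyber LOPA:    same product, but a layer a connected attacker can defeat or
               mask (alarm suppression, logic/firmware change, spoofed HMI)
               earns no credit, i.e. it is given PFD = 1.0.
All numbers below are constructed illustrative values.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class IPL:
    """One independent protection layer."""
    name: str
    pfd: float               # probability of failure on demand (classic credit)
    cyber_bypassable: bool   # True if it can be defeated from the control network


def effective_pfd(layer: IPL, cyber_attack: bool) -> float:
    """PFD credited to a layer in the given scenario."""
    return 1.0 if (cyber_attack and layer.cyber_bypassable) else layer.pfd


def mitigated_frequency(f_initiating: float, layers: List[IPL], cyber_attack: bool) -> float:
    """Mitigated event frequency (events per year) for the scenario."""
    f = f_initiating
    for layer in layers:
        f *= effective_pfd(layer, cyber_attack)
    return f


def credited_layers(layers: List[IPL], cyber_attack: bool) -> List[str]:
    """Names of the layers that still earn credit in the scenario."""
    return [layer.name for layer in layers if effective_pfd(layer, cyber_attack) < 1.0]


def cyber_lopa(f_initiating: float, layers: List[IPL], target: float) -> Dict[str, object]:
    """Compare the classic and cyber-attack LOPA results against a target frequency."""
    classic = mitigated_frequency(f_initiating, layers, cyber_attack=False)
    attacked = mitigated_frequency(f_initiating, layers, cyber_attack=True)
    return {
        "classic_frequency": classic,
        "cyber_frequency": attacked,
        "classic_meets_target": classic <= target,
        "cyber_meets_target": attacked <= target,
        "layers_surviving_cyber": credited_layers(layers, cyber_attack=True),
    }


# Constructed scenario: column overpressure following a BPCS control failure.
F_INITIATING = 0.1       # BPCS failure, events/yr (constructed)
TARGET_FREQUENCY = 1e-5  # tolerable event frequency, events/yr (constructed)
COLUMN_IPLS = [
    IPL("High-pressure alarm + operator response", 0.1, cyber_bypassable=True),    # alarm suppression / misdirection
    IPL("SIS high-pressure trip (SIL 2)", 0.01, cyber_bypassable=True),            # logic or firmware change
    IPL("Emergency relief valve (properly sized)", 0.01, cyber_bypassable=False),  # needs physical intervention
]

if __name__ == "__main__":
    for key, value in cyber_lopa(F_INITIATING, COLUMN_IPLS, TARGET_FREQUENCY).items():
        print(f"{key}: {value}")
```

With these constructed numbers the classic analysis meets the target only because all three layers are credited, while the cyber scenario leaves the relief valve as the sole credited layer, which is the gap a cyber LOPA is meant to expose.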
Putting it all Together, Cyber-Physical Attacks
[Figure: distillation column P&ID showing feed, reboiler (steam), condenser (cold water), reflux accumulator, distillate, bottoms liquid, vapor and offgas to flare, with temperature, level, flow and pressure transmitters, beside a fractionation tower yielding natural gas, gasoline, kerosene/jet fuel, diesel, lubricants/motor oil, fuel oil and asphalt; annotated “10% Ethanol / Water Mix” and “>40L / Min”]
Sample: Distillation Column Attack
• Part 1 – Surveillance
– Social engineering, OSINT, integrators
• Part 2 – System Mapping
– Modbus or vendor tag searches
• Part 3 – Initial Infections and Compromise
• Part 4 – Information Exfiltration
• Part 5 – The Final Attack
– Alarm suppression
– Operator misdirection
– MITM HMI / deploy RDP
– TCP read / replay
There is a crossover point at which cyber security attacks must yield to process attacks
IT versus OT Countermeasures
Then why are firewalls and IT countermeasures our go-to solution?
• Firewall
• IDS
• Data diodes
• SIEM
• Antivirus
These are effective at keeping attacks off the network and containing attacks, but not at stopping compromise at the PLC
SPR Process – Identifying Cyber-Physical Safeguards
Assessing Cyber-Mechanical Integrity (SAMSEN)
• Signal Manipulation
– Modification of set points, logic, firmware, radio signals, or others
• Access Control Violation
– Credential loss, modification, or other compromise
• Mechanical Manipulation
– Changes to physical machine behavior: fail energized, fail closed, frequency modifications, introduction of RF interference, jamming, or other electrical noise (EMP)
– Modifying behavior of physical components
• Social Engineering, Extortion, and Collusion
– Forcing operators to do your bidding
• Environmental Manipulation
– Forcing hazardous releases or conditions, modifications to HVAC
• Network Interruption or Modification
– MITM, replay attacks, sidejacking, hijacking
Discussion – Turbine Gas Generator
• Objective: close suction and discharge valves to create a surge condition
• S – Change firmware to report false valve state
• A – Access safety builder to modify firmware
• M – Force valve states; what if physical intervention is required? Spoof alarms
• S – Collusion to bypass overspeed protection
• E – None needed
• N – Possible MITM?
• Possible additional layers of protection:
– Condition-based monitoring
– Hardwired light panels
– Mechanical machine overspeed
Discussion – Distillation Column
[Figure: distillation column P&ID with feed, reboiler (steam), condenser (cold water), reflux accumulator, distillate, bottoms liquid, vapor and offgas to flare, with temperature, level, flow and pressure transmitters, beside a fractionation tower yielding natural gas, gasoline, kerosene/jet fuel, diesel, lubricants/motor oil, fuel oil and asphalt; annotated “10% Ethanol / Water Mix” and “>40L / Min”]
• Physical blow-up: not possible due to Emergency Relief Valve (properly sized)
• What would be the alternate motivation? Financial impact
• S – False report of valve state and burner
• A – Hijack HMI
• M – Take advantage of improper ERV
• S – Extort process information
• E – Set process alarms to misdirect operators
• N – Spoof / MITM HMI
• Additional layers of protection: properly sized ERV
Drinking Water: Disinfection Technologies
• Disinfection using chemical dosing
• Most common: chlorine (gas, sodium hypochlorite)
• Ultraviolet / ozonation systems
• Used as primary disinfectant, but residual levels are also maintained in the distribution system
• Threats:
– Chemical dosing may be paced on flow and on residual levels monitored by analyzers
– Override of flow/analyzer values: show a lower flow rate, less dosing
– Override the residual Cl2 level at plant output to show a high level
– Directly override the PLC that controls UV and ozone
– The system will under-chlorinate, allowing harmful micro-organisms to enter the drinking water system
– Lab testing will catch this, but will it be too late?
– Water notice to be sent to all customers
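To make the dosing threat above concrete from the defender's side, here is an added Python example (not from the presentation) of a simplified flow-paced chlorine dosing loop and a plausibility check that compares the values the PLC acts on against independent signals. It assumes a hardwired flow meter and a pump stroke/current monitor that the attacker cannot rewrite (in the spirit of the hardwired, inherently cyber-safe safeguards discussed later in the deck); the plant constants, the chlorine demand and the telemetry samples are all constructed.

```python
"""Flow-paced chlorine dosing with an independent plausibility check.
Added example, not code from the presentation. Simplified mass balance:
flow (m3/h) * dose (mg/L) = chlorine fed (g/h); outlet residual = dose - demand.
Plant constants and telemetry samples below are constructed values."""
from dataclasses import dataclass
from typing import Dict, List

TARGET_DOSE_MG_L = 2.5    # dose the flow-paced loop is designed to apply (constructed)
CL2_DEMAND_MG_L = 1.5     # chlorine consumed by the water before the outlet (constructed)
MIN_RESIDUAL_MG_L = 0.5   # minimum outlet residual to maintain (placeholder value)


@dataclass(frozen=True)
class Sample:
    t: int
    plc_flow: float       # flow value the PLC paces dosing on (may have been overridden)
    plc_residual: float   # residual analyzer value as seen by the PLC (may have been overridden)
    hw_flow: float        # independent hardwired flow meter (assumed tamper-resistant)
    pump_g_per_h: float   # chlorine actually delivered, from pump stroke/current monitor


def dosing_setpoint(plc_flow: float) -> float:
    """Feed-forward pacing: grams per hour of chlorine the controller demands."""
    return plc_flow * TARGET_DOSE_MG_L


def mass_balance_residual(pump_g_per_h: float, hw_flow: float) -> float:
    """Outlet residual implied by what was actually fed into the true flow."""
    return max(0.0, pump_g_per_h / hw_flow - CL2_DEMAND_MG_L)


def integrity_check(s: Sample, flow_tol: float = 0.10, residual_tol: float = 0.3) -> List[str]:
    """Cross-check the PLC-facing values against independent signals; return findings."""
    findings = []
    if abs(s.plc_flow - s.hw_flow) > flow_tol * s.hw_flow:
        findings.append("flow tag disagrees with hardwired meter")
    implied = mass_balance_residual(s.pump_g_per_h, s.hw_flow)
    if abs(s.plc_residual - implied) > residual_tol:
        findings.append("analyzer residual inconsistent with delivered dose")
    if implied < MIN_RESIDUAL_MG_L:
        findings.append("mass-balance residual below minimum")
    return findings


def run_checks(samples: List[Sample]) -> Dict[int, List[str]]:
    """Findings per sample time, empty list when everything agrees."""
    return {s.t: integrity_check(s) for s in samples}


# Constructed telemetry: t=0 is normal operation; t=1 is the slide's scenario with
# the flow tag held low (so the pump is paced down) and the residual held high.
SAMPLES = [
    Sample(t=0, plc_flow=400.0, plc_residual=1.0, hw_flow=400.0, pump_g_per_h=dosing_setpoint(400.0)),
    Sample(t=1, plc_flow=200.0, plc_residual=1.0, hw_flow=400.0, pump_g_per_h=dosing_setpoint(200.0)),
]

if __name__ == "__main__":
    for t, findings in run_checks(SAMPLES).items():
        print(t, findings or "OK")
```

The check only works because two of its inputs do not pass through the PLC's writable tags; if the hardwired meter and pump monitor were also network-writable, the mass balance would be as spoofable as the analyzer.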
Safeguards Inherently Cyber-Safe
• Pressure Relief Valves
• Mechanical Overspeed Trips
• Non-Return Check Valves
• Motor Overload Relays
• Motor Current Monitor Relays
• Generalized Control Loop Current Monitor Relays
• Bypass or manipulation of these *may* be possible, but would require physical intervention, making attack far less likely than against a connected system
Conclusions
• Process plant loss of containment can result in extreme consequences
• These consequences are protected against by a variety of safeguards, some of which are inherently safe against cyber-attack
• Use of a PHA Cyber-Check can ensure that these safeguards are deployed in the proper locations, making the plant inherently safe against cyber attack
Thank You, and Stay Safe!
Bryan L Singer, CISSP, CAP
Principal Investigator
Bryan.singer@Kenexis.com