ICS Networks
PRESENTED AT OREGON INFRAGARD MEETING
26 JUNE 2018
Who Am I
• Chad Hunter
• Security Analyst at Portland General Electric (all views / opinions / information presented are my own and do not reflect the opinion of PGE in any way, shape or form)
• Formerly Network Admin on a CIP-controlled network at Bonneville Power Administration (same disclaimer applies)
• GIAC GICSP (Industrial Control Security Professional) and GRID (Response and Industrial Defense) certified
What is an Industrial Control System
• A device, or set of devices, that manages, commands, directs, or regulates the behavior of other devices or systems
• The intersection of the digital / cyber world and the physical world
• Feedback loops
  ◦ Sensor reads a value
  ◦ Value is forwarded to the controller and compared to a set of parameters
  ◦ Controller sends a command to the actuator
  ◦ Actuator acts on the physical environment
  ◦ Repeat
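The feedback loop above, worked through as a small simulation. This is an added example written for this page, not material from the presentation: the process (a tank with a pump and a drain), the setpoint, deadband, trip limits and per-cycle flow rates are all constructed. It also shows why a Safety Instrumented System reads the process through its own sensor rather than trusting the controller's: when the controller's reading is stuck, the control loop quietly lets the level drift, and only the independent interlock drives the process to a safe state.

```python
"""Simulation of the ICS feedback loop: sensor -> controller -> actuator -> process.

Added example, not from the presentation. The process (a tank with a pump
and a drain), the thresholds and the per-cycle flow rates are constructed.
A separate safety interlock reads its own sensor and drives the process to
a safe state, which is what keeps the tank in bounds when the controller's
sensor reading is stuck."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Tank:
    """The physical process: fill level in percent, drained every scan cycle."""
    level: float
    outflow: float = 2.0   # percent removed per scan cycle (constructed)

    def step(self, pump_on: bool) -> None:
        inflow = 5.0 if pump_on else 0.0          # the actuator acts on the process
        self.level = max(0.0, min(100.0, self.level + inflow - self.outflow))


@dataclass
class Controller:
    """PLC logic: compare the sensor value against setpoint +/- deadband."""
    setpoint: float = 50.0
    deadband: float = 5.0   # hysteresis so the pump does not chatter
    pump_on: bool = False

    def evaluate(self, measured: float) -> bool:
        if measured < self.setpoint - self.deadband:
            self.pump_on = True
        elif measured > self.setpoint + self.deadband:
            self.pump_on = False
        return self.pump_on          # the command sent to the actuator


@dataclass
class SafetyInterlock:
    """Safety instrumented function with its own trip limits and own sensor."""
    low_trip: float = 10.0
    high_trip: float = 90.0
    tripped: bool = False

    def check(self, measured: float) -> bool:
        if measured <= self.low_trip or measured >= self.high_trip:
            self.tripped = True      # latches until a manual reset
        return self.tripped


def run(cycles: int, start_level: float,
        stuck_reading: Optional[float] = None) -> Tuple[List[float], bool]:
    """Run scan cycles; stuck_reading freezes what the controller's sensor reports."""
    tank, ctl, sis = Tank(level=start_level), Controller(), SafetyInterlock()
    history: List[float] = []
    for _ in range(cycles):
        reading = tank.level if stuck_reading is None else stuck_reading
        if sis.check(tank.level):    # the SIS measures the process independently
            command, tank.outflow = False, 0.0   # safe state: pump off, drain closed
        else:
            command = ctl.evaluate(reading)
        tank.step(command)
        history.append(round(tank.level, 1))
    return history, sis.tripped


if __name__ == "__main__":
    print("healthy sensor:", run(10, 50.0))
    print("stuck sensor:  ", run(25, 50.0, stuck_reading=50.0))
```

With a healthy sensor the level oscillates inside the deadband around the setpoint and the interlock never trips; with the controller's reading frozen at the setpoint the pump never starts, the tank drains until the interlock's low trip is reached, and the interlock holds the process there.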
Common ICS Components
• Programmable Logic Controller (PLC) – Computer based, multiple I/O (feedback loop), logic executed based on state, resistant to physical stress
• Remote Terminal Unit (RTU) – Communication link between control systems and supervisory systems. Can connect IEDs or PLCs to a supervisory system, or multiple discrete processes to centralized control. RTUs and PLCs are converging in function
• Intelligent Electronic Device (IED) – Devices with limited programming that have a limited, specialized function (protective relay or PMU)
Common ICS Components
• Instrumented Devices – Sensors and actuators that physically interact with the plant
• Supervisory Components –
  ◦ Human Machine Interface (HMI) – Presents process data to the operator. May be read only or facilitate manual control.
  ◦ Historian – Stores historical data about the process
  ◦ Alarms
  ◦ Operator / Engineer Workstations – Used for changes or maintenance
• Safety Instrumented Systems – Monitor and remediate situations that may impact plant or personnel safety
Types of Control Systems
• Process Control System – Monitors the environment and can electronically control the process
• Distributed Control System (DCS) – A collection of process control systems, usually within a plant or confined region, connected to a central controller or master server
• Supervisory Control and Data Acquisition (SCADA) – Traditionally a large-scale process that can span multiple sites or large geographic areas. The term is beginning to be used interchangeably with ICS and DCS.
Differences between IT and ICS Systems
Common Threats to ICS Systems
• Insider
• Hacktivist
• Nation State
• Cyber criminal
Nation states are of particular interest in the context of ICS networks. Compromising an ICS network, and especially maintaining persistence on one, is usually more complicated than compromising an IT network and requires a level of resources most commonly associated with nation states.
Cyber Kill Chain
ICS Cyber Kill Chain
ICS Specific Threats
• Stuxnet
• Havex
• BlackEnergy
• CRASHOVERRIDE
• Triton/Trisis
Stuxnet
• Nation state developer
• Earliest traces 2005, discovered 2010
• Targets Siemens Step7 software
• 3 modules
  ◦ Worm
  ◦ Link file – propagates to other systems
  ◦ Rootkit – hides activities
• Used infected USBs to cross the airgap
Havex
• Discovered 2015
• Mainly distributed via watering hole attack
• Scans and targets ports commonly used by Rockwell and Siemens
• Maps ICS networks that use DCOM-based OPC
• Mainly used for intelligence gathering, but the RAT payload allows complete control of the targeted system
BlackEnergy
• Multiple variants
• BlackEnergy2 – targeted infrastructure in the US
  ◦ Modular – dropper can deliver payloads capable of executing files and updating itself
• BlackEnergy3 – used in 2014 Ukraine attack
  ◦ Installs .dlls directly; doesn’t need the driver component anymore
CRASHOVERRIDE
• Used in 2016 Ukraine attacks
• Specifically targets the electric grid
• Modular
  ◦ Backdoor – can execute various commands, including copying files and starting and stopping services
  ◦ Launcher – can wipe registry keys and ICS configs and render the system unusable
  ◦ Payload – can extend capabilities
• Specifically designed to destroy and disrupt
TRITON / TRISIS
• Discovered 2017
• Specifically targeted Triconex Safety Instrumented Systems
• Mimics Trilog controller software
Securing ICS
• DHS – Seven Steps to Effectively Defend Industrial Control Systems
• Prioritized by effectiveness
  1. Whitelisting – because ICS systems are relatively static, this is easier than on a traditional IT network
  2. Configuration / Patch Management
  3. Reduce Attack Surface – turn off unneeded ports / services, segment
  4. Defensible Environment – network segmentation
  5. Authentication
  6. Secure Remote Access
  7. Monitor and Respond – know your normal (baselines). This is the essence of active defense
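Step 7, "know your normal", worked through on the network side. This is an added example written for this page, not code from the presentation or from DHS: it learns a baseline of which hosts talk to which controllers, on which port and with which Modbus function codes, during a period known to be clean, and then flags anything a later monitoring window shows that the baseline never contained. The flow records, addresses and function codes below are constructed; the only real-world fact used is that Modbus/TCP listens on port 502 and that function code 3 is a register read while 16 is a register write.

```python
"""Baseline-based detection of abnormal ICS conversations.

Added example, not from the presentation. Learns (src, dst, dport) -> set of
Modbus function codes from a clean period, then reports new talkers, new
conversations and new function codes seen afterwards. All flow records below
are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int, int]            # (src, dst, dport, modbus_function_code)
Baseline = Dict[Tuple[str, str, int], Set[int]]

# Constructed learning-window traffic. Function code 3 = read holding
# registers, 16 = write multiple registers. 10.10.1.x are supervisory hosts
# (HMI, historian), 10.10.2.x are controllers.
BASELINE_FLOWS: List[Flow] = [
    ("10.10.1.5", "10.10.2.10", 502, 3),    # HMI polls PLC
    ("10.10.1.5", "10.10.2.11", 502, 3),    # HMI polls second PLC
    ("10.10.1.7", "10.10.2.10", 502, 3),    # historian polls PLC
    ("10.10.1.5", "10.10.2.10", 502, 16),   # operator writes a setpoint from the HMI
]

# Constructed monitoring-window traffic containing three deviations.
MONITOR_FLOWS: List[Flow] = [
    ("10.10.1.5", "10.10.2.10", 502, 3),    # normal poll
    ("10.10.1.7", "10.10.2.10", 502, 16),   # historian writing registers: never seen
    ("10.10.1.9", "10.10.2.10", 502, 3),    # host that has never talked to a PLC
    ("10.10.1.5", "10.10.2.10", 44818, 3),  # known pair, port not in the baseline
]


def learn_baseline(flows: Iterable[Flow]) -> Baseline:
    """Record every conversation and the function codes it carried."""
    baseline: Dict[Tuple[str, str, int], Set[int]] = defaultdict(set)
    for src, dst, dport, fc in flows:
        baseline[(src, dst, dport)].add(fc)
    return dict(baseline)


def detect(baseline: Baseline, flows: Iterable[Flow]) -> List[str]:
    """Return one alert string per flow that falls outside the baseline.

    Checks run from coarsest to finest: unknown source host, then unknown
    conversation for a known host, then unknown function code on a known
    conversation. A flow matching the baseline produces nothing."""
    known_sources = {src for src, _, _ in baseline}
    alerts: List[str] = []
    for src, dst, dport, fc in flows:
        key = (src, dst, dport)
        if src not in known_sources:
            alerts.append(f"new talker {src} -> {dst}:{dport} fc={fc}")
        elif key not in baseline:
            alerts.append(f"new conversation {src} -> {dst}:{dport} fc={fc}")
        elif fc not in baseline[key]:
            alerts.append(f"new function code {fc} on {src} -> {dst}:{dport}")
    return alerts


if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE_FLOWS), MONITOR_FLOWS):
        print(alert)
```

Because ICS traffic is so static, a baseline like this stays valid for long stretches, which is exactly what makes the approach practical here and impractical on a general IT network. The "new function code" check is the one worth the most attention: a host that has only ever read from a controller suddenly writing to it is a change in intent, not just in volume.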
Securing ICS - Sliding Scale of Cyber Defense
References
• SANS ICS 410 ICS/SCADA Security Essentials
• SANS ICS 515 Active Defense and Incident Response for ICS Systems
• NIST SP 800-82 Rev 2 Guide to Industrial Control System Security
• CRASHOVERRIDE: Threat to Electric Grid Operations, https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
• Securing Industrial Control Systems with Tripwire
