Addressing the Son-of-Stuxnet
Cyber Security Solutions for Mission Critical Systems

Eric Byres, P.Eng.
CTO, Byres Security Inc.
The Stuxnet Worm
• July, 2010: Stuxnet worm was discovered attacking
    Siemens PCS7, S7 PLC and WIN-CC systems
    around the world
•   Infected 100,000 computers
•   Infected at least 22 manufacturing sites
•   Appears to have impacted its possible target, Iran’s
    nuclear enrichment program
Stuxnet Had Many Paths to its Victim PLCs
The “Air Gap” Is Dead
• A modern ICS or SCADA system is highly complex
    and interconnected
•   Multiple potential pathways exist from the outside
    world to the process controllers
•   Assuming an air-gap between ICS and corporate
    networks is unrealistic
•   Focusing security efforts on a few obvious pathways
    (such as USB storage drives or the Enterprise/ICS
    firewall) is a flawed defense
SCADA and ICS in the Bull’s Eye
• ICS platforms are becoming an obvious target for
    attacks
•   “Security Researchers” focusing on SCADA/ICS
    because it is easy money/fame (little malicious
    intent)
•   Actors with intent have access to the weapons:
     • Download exploits for free (Italian list)
     • Purchase tool kits (Gleg)
     • Directed where to look for more vulnerabilities
Stuxnet’s Legacy
•   Model for simple, destructive SCADA worms
•   Exploits inherent PLC design issues
•   Applicable to almost all industrial controllers
•   There are no possible “patches” to the PLC
Protecting Against the “Son-of-Stuxnet”
•   Understanding and Managing the Pathways
•   Protecting the Critical Pieces First
•   ISA-99 and IEC 62443 Security Standards
•   Making Security Simple and Focused
Understanding the Pathways
Look At All Possible Pathways
• Don’t focus on a single pathway such as USB keys
• Consider all possible infection pathways:
   •   Removable Media (CDs, DVDs, USB Drives)
   •   File Transfer (Database, PDFs, PLC Project Files)
   •   Portable Equipment (Laptops, Storage Units, Config Tools)
   •   Internal Network Connections (Business, Lab, QA, Support)
   •   External Connections (Support, Contractor, Customer)
   •   Wireless (802.11, 802.15, Licensed-band, Cellular,
       Wireless HART, ISA-100a, Bluetooth, USB tethering)
   •   Other Interfaces (Serial, Data Highways)
• Have strategies for discovering/mitigating ALL
  pathways
Protecting the Critical Pieces First

• The Attack/Consequence Funnel
Practical Solutions for ICS Professionals
• You are NOT going to be able to:
   •   Restructure your IT department’s focus and practices
   •   Get suppliers to provide vulnerability-free products
   •   Patch every ICS system immediately
   •   Cut off all pathways in to and out of your ICS
Practical Solutions for ICS Professionals
• You should be able to:
   •   Restrict and manage the data flows into your systems
   •   Restrict and manage the data flows out of your systems
   •   Detect unusual behaviors in your systems
   •   Patch most ICS products within a patch management
       strategy
   •   Progressively reduce the probability of attacker success the
       deeper into the ICS/SCADA system they go
The Attack/Consequence Funnel
[Figure: funnel of layers, from top to bottom: External Corporate; Internal Enterprise Assets; Process DMZ; HMI/Supervisory Systems; Primary Control Systems; Safety Systems; Process. Labels on the funnel: Attack Quantity, Available Pathways, Consequences, Exploit Opportunities.]
Keeping All the Rubbish Out
[Figure: the same layer stack, External Corporate down to Process, with these callouts:]
• Process DMZ is a critical Choke Point
• Limited Pathways
• Limited Protocols
• Managed Egress
• Disjoint Protocols
Reducing the Vulnerable Systems in the Middle
[Figure: the same layer stack, External Corporate down to Process, with these callouts:]
• Windows-based applications offer a major attack opportunity
• Patch applications, not just the O/S
• A/V Deployment
• White Listing (?)
• Separation of HMI & Control
Securing Last-line-of-Defense Critical Systems
[Figure: the same layer stack, External Corporate down to Process, with these callouts:]
• High Consequence
• Focus on monitoring and securing SIS Boundary
• Limited Pathways
• Anomaly Detection
ISA-99 and IEC 62443
Security Standards

• Using Zones and Conduits to Focus your Efforts
ANSI/ISA-99: Dividing Up The Control System
• A core concept in the ANSI/ISA-99 (now IEC
    62443.02.01) security standard is “Zones and
    Conduits”
•   Offers a level of segmentation and traffic control
    inside the control system.
•   Control networks divided into layers or zones based
    on control function.
•   Multiple separated zones manage that “defense in
    depth” strategy
ANSI/ISA-99: Connecting the Zones
• Connections between the zones are called conduits,
  and these must have security controls to:
   • Control access to zones
   • Resist Denial of Service (DoS) attacks or the transfer of
     malware
   • Shield other network systems
   • Protect the integrity and confidentiality of network traffic
• It is important to understand and manage all your
  conduits between zones, not just the obvious ones.
Security Zone Definition
• “Security zone: grouping of logical or physical assets
  that share common security requirements”
  [ANSI/ISA-99.02.01–2007- 3.2.116]
   • A zone has a clearly defined border (either logical or
     physical), which is the boundary between included and
     excluded elements.
[Figure: an HMI Zone and a PLC Zone]
Conduits
• A conduit is a path for the flow of data between two
  zones.
   • Can provide the security functions that allow different zones
       to communicate securely.
   •   Any communications between zones must have a conduit.
[Figure: an HMI Zone and a PLC Zone joined by a Conduit]
Protecting the Network with Zones and
Conduits
• A firewall in each conduit will allow only the
  MINIMUM network traffic necessary for correct plant
  operation
[Figure: an HMI Zone and a PLC Zone joined by a conduit that contains a Firewall]
Using Zones: An Example Oil Refinery
Specifying the Zones
Defining the Conduits
Protecting the Conduits with Firewalls
[Figure labels: Corporate Firewall; Hirschmann Firewall]
Making Security Simple
An Industrial Firewall Installation Gone Bad…
• An automotive company wanted layered protection
    for key PLCs and robots
•   Decided to install over 100 personal firewalls in front
    of identified critical devices
•   All firewalls had to be removed within a few
    months…
•   Why?
BCIT SCADA Firewall Research Project
• In 2003 the research centre at the British Columbia
    Institute of Technology (BCIT) was commissioned to
    investigate issues and best practices in firewall
    deployment in SCADA systems
•   Results:
     • “CPNI Good Practice Guide on SCADA Firewall
        Deployment”
     • “The Special Needs of SCADA/PCN Firewalls:
        Architectures and Test Results”
     • Several restricted-access documents…
What We Found…
 “While the results indicate that commercial
 firewalls can be successfully used, the study
 also shows important differences between
 the configuration of firewalls in industrial and
 IT settings.”

              The Special Needs of SCADA/PCN Firewalls:
                            Architectures and Test Results
                                    Byres, Hoffman, et al.
Misapplication of IT Security Assumptions
• There are important differences between information
    technology (IT) networks and industrial automation
    and control systems (IACS) networks.
•   Problems occur because assumptions that are valid
    in the IT world may not be on the plant floor
•   Some examples:
     • Valid types of outbound traffic
     • Importance of web “customers”
     • Assumed protection from DoS attacks via routers
     • “Critical” protocols
     • Desired state on failure
An Example Assumption and Its Impact on a
Chemical Plant
• IT Assumption: Outbound traffic is safe, inbound
    traffic is unsafe
•   Result:
    By default, all ports are blocked on the outside
    interface, and all ports are open on the inside
    interface of the security appliance.
                  Cisco ASA 5500 Adaptive Security Appliances
                                         Document ID: 91970
An Example Assumption and Its Impact on a
Chemical Plant
• Plant Floor Reality: Cisco ASA firewall is installed
    between DCS and PLCs with DCS as SCADA
    master (thus inbound traffic to PLC must be allowed)
•   Event: Firewall installed with default rule sets
•   Impact: All traffic to PLCs is blocked, plant down for
    three hours
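A pre-deployment check for the incident above, as an added example that is not part of the original slides: it evaluates a rule set against the flows the plant needs before the firewall goes inline. The interface defaults are a simplified model of the quoted behaviour, not Cisco syntax, and the addresses, ports and flow names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Flow:
    name: str
    ingress: str   # interface the first packet of the connection arrives on
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    ingress: str
    src: str               # CIDR
    dst: str               # CIDR
    dport: Optional[int]   # None matches any port

# Simplified model of the quoted default: blocked on the outside
# interface, open on the inside interface.
IT_DEFAULTS = {"outside": "deny", "inside": "permit"}

def decide(flow, rules, defaults=IT_DEFAULTS):
    """First matching rule wins; otherwise the interface default applies."""
    for r in rules:
        if (r.ingress == flow.ingress
                and ip_address(flow.src) in ip_network(r.src)
                and ip_address(flow.dst) in ip_network(r.dst)
                and r.dport in (None, flow.dport)):
            return r.action
    return defaults[flow.ingress]

def audit(required, unwanted, rules):
    """Return (required flows that are blocked, unwanted flows that pass)."""
    blocked = [f.name for f in required if decide(f, rules) != "permit"]
    leaked = [f.name for f in unwanted if decide(f, rules) == "permit"]
    return blocked, leaked

# Constructed plant data: the DCS (SCADA master) sits on the outside
# interface and polls PLCs on the inside interface. Port 502 is assumed.
REQUIRED = [Flow("DCS master polls PLC-1", "outside",
                 "10.10.1.5", "10.20.0.11", 502)]
UNWANTED = [Flow("PLC-1 to corporate file share", "inside",
                 "10.20.0.11", "192.168.5.20", 445)]

# Conduit-style rule set: permit only the polling flow, deny new
# connections leaving the PLC zone (replies ride on connection state).
CONDUIT_RULES = [
    Rule("permit", "outside", "10.10.1.5/32", "10.20.0.0/24", 502),
    Rule("deny", "inside", "0.0.0.0/0", "0.0.0.0/0", None),
]

def compare():
    """Audit the default rule set and the conduit rule set side by side."""
    return {"default": audit(REQUIRED, UNWANTED, []),
            "conduit": audit(REQUIRED, UNWANTED, CONDUIT_RULES)}

if __name__ == "__main__":
    for name, (blocked, leaked) in compare().items():
        print(name, "| blocked required:", blocked, "| allowed unwanted:", leaked)
```

With the default rule set the audit reports the polling flow as blocked and the outbound flow as allowed, which is the failure the slide describes plus the unmanaged egress the earlier slides warn about.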
Conclusion
• Security technology may be excellent, but the
  default assumptions determine its usability in an
  environment.
SCADA/ICS-Appropriate Technologies
• Select security solutions that are easy for engineers
    and technicians to deploy
•   Use ICS-appropriate detection technologies that can
    raise an alarm when equipment is compromised or
    at risk of compromise
•   Deploy ICS-appropriate security technologies
•   Look beyond traditional network layer firewalls,
    towards firewalls that are capable of Deep Packet
    Inspection of key SCADA and ICS protocols
Example: SCADA-Focused Monitoring
• Stuxnet had to connect to and reprogram the victim
    PLCs to be successful
•   Win-CC Servers likely the reprogramming point
•   Question: Should an HMI server be reprogramming
    a PLC?
•   Traffic analysis beyond the basic IP Address / TCP
    port would detect this…
Example: Fixed Configuration Safety Firewall
• Firewalls designed specifically for a single purpose
   • Cannot be disabled or mis-configured by staff
   • Can be tuned for specific control systems
• Aware of SCADA protocols and capable of deep
  packet inspection
   • Sanity checking of protocols like Modbus
   • Can provide fine grained controls of
     allowed commands
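The Modbus sanity checking and fine-grained command control described in this slide and the monitoring slide before it, as an added example that is not part of the original deck and not any vendor's implementation. The zone names, the per-conduit policy and the sample frames are constructed; treating write commands from the HMI zone as alarm-worthy is an assumed policy.

```python
import struct

MBAP_LEN = 7      # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260     # Modbus/TCP limit: 7-byte MBAP header + 253-byte PDU
READ_LIMITS = {1: 2000, 2: 2000, 3: 125, 4: 125}  # max quantity per read
WRITE_CODES = {5, 6, 15, 16}

# Hypothetical per-conduit policy: (source zone, destination zone)
# -> function codes allowed through that conduit.
CONDUIT_POLICY = {
    ("HMI", "PLC"): {1, 2, 3, 4},                 # displays only read
    ("ENG", "PLC"): {1, 2, 3, 4, 5, 6, 15, 16},   # engineering may write
}

def build_request(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (used to construct sample frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def inspect(src_zone, dst_zone, frame):
    """Return (action, reason): forward, drop (malformed), or alarm
    (well-formed but outside the conduit policy: drop and alert)."""
    allowed = CONDUIT_POLICY.get((src_zone, dst_zone))
    if allowed is None:
        return ("drop", "no conduit defined between these zones")
    if not MBAP_LEN + 1 <= len(frame) <= MAX_ADU:
        return ("drop", "frame size outside Modbus/TCP limits")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return ("drop", "protocol id is not 0")
    if length != len(frame) - 6:   # length counts unit id + PDU
        return ("drop", "MBAP length field does not match frame")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc not in allowed:
        kind = "write command" if fc in WRITE_CODES else "function code"
        return ("alarm", f"{kind} {fc} not allowed on {src_zone}->{dst_zone}")
    if fc in READ_LIMITS or fc in (5, 6):
        if len(pdu) != 5:          # function code + two 16-bit fields
            return ("drop", "request has wrong size for its function code")
        _addr, value = struct.unpack(">HH", pdu[1:])
        if fc in READ_LIMITS and not 1 <= value <= READ_LIMITS[fc]:
            return ("drop", "read quantity outside protocol limits")
        if fc == 5 and value not in (0x0000, 0xFF00):
            return ("drop", "invalid coil value")
    return ("forward", "ok")

# Constructed sample frames.
SAMPLE_READ = build_request(1, 1, struct.pack(">BHH", 3, 0, 10))
SAMPLE_WRITE = build_request(2, 1, struct.pack(">BHH", 6, 100, 1234))
SAMPLE_BIG_READ = build_request(3, 1, struct.pack(">BHH", 3, 0, 500))
SAMPLE_BAD_LEN = SAMPLE_READ[:4] + struct.pack(">H", 99) + SAMPLE_READ[6:]

def run_samples():
    """Verdicts for the sample frames, keyed by a short description."""
    return {
        "HMI read": inspect("HMI", "PLC", SAMPLE_READ),
        "HMI write": inspect("HMI", "PLC", SAMPLE_WRITE),
        "ENG write": inspect("ENG", "PLC", SAMPLE_WRITE),
        "oversized read": inspect("HMI", "PLC", SAMPLE_BIG_READ),
        "bad length": inspect("HMI", "PLC", SAMPLE_BAD_LEN),
        "no conduit": inspect("CORP", "PLC", SAMPLE_READ),
    }

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} {verdict}")
```

The same write frame is forwarded from the engineering zone and raises an alarm from the HMI zone, a distinction an IP address and TCP port filter cannot make because both frames go to the same port on the same PLC.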
Example: Deep Packet Inspection for OPC
• Stuxnet made extensive use of RPC protocol, which
    is the basis of OPC
•   IT firewalls can’t manage RPC or OPC traffic
•   Firewall needs to be able to “understand” SCADA
    protocols like OPC
•   Requires “Deep Packet Inspection”
    technology for automation systems
•   Example: Hirschmann OPC Enforcer
    automatically inspects and manages
    OPC traffic
Some Final Thoughts
Making Security Work in the SCADA World
• "Certainly controls engineers and operators need to
    be security aware, but they should not all need to be
    security experts."
•   "We have to make this [security] something a plant
    superintendent, engineer, or senior operator can do
    in their spare time, or it will flop."

                                ISA-99 Discussion Forum
Some Final Thoughts
• IT and SCADA systems are different
• Translates to differing requirements for safe and
    reliable deployments of security systems in SCADA
•   We can’t stop all infections
•   We can prevent attackers from reaching their goals
•   Security AND safety can be significantly improved
    with good policy and appropriate technology
Mission Critical Security in a Post-Stuxnet World Part 2

JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 

Recently uploaded (20)

State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

Mission Critical Security in a Post-Stuxnet World Part 2

  • 1. Addressing the Son-of-Stuxnet: Cyber Security Solutions for Mission Critical Systems. Eric Byres, P.Eng., CTO, Byres Security Inc.
  • 2. The Stuxnet Worm
      • July 2010: Stuxnet worm was discovered attacking Siemens PCS7, S7 PLC and WIN-CC systems around the world
      • Infected 100,000 computers
      • Infected at least 22 manufacturing sites
      • Appears to have impacted its possible target, Iran’s nuclear enrichment program
  • 3. Stuxnet Had Many Paths to its Victim PLCs
  • 4. The “Air Gap” Is Dead
      • A modern ICS or SCADA system is highly complex and interconnected
      • Multiple potential pathways exist from the outside world to the process controllers
      • Assuming an air-gap between ICS and corporate networks is unrealistic
      • Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense
  • 5. SCADA and ICS in the Bull’s Eye
      • ICS platforms are becoming an obvious target for attacks
      • “Security Researchers” focusing on SCADA/ICS because it is easy money/fame (little malicious intent)
      • Actors with intent have access to the weapons:
          • Download exploits for free (Italian list)
          • Purchase tool kits (Gleg)
          • Directed where to look for more vulnerabilities
  • 6. Stuxnet’s Legacy
      • Model for simple, destructive SCADA worms
      • Exploits inherent PLC design issues
      • Applicable to almost all industrial controllers
      • There are no possible “patches” to the PLC
  • 7. Protecting Against the “Son-of-Stuxnet”
      • Understanding and Managing the Pathways
      • Protecting the Critical Pieces First
      • ISA-99 and IEC 62443 Security Standards
      • Making Security Simple and Focused
  • 9. Look At All Possible Pathways
      • Don’t focus on a single pathway such as USB keys
      • Consider all possible infection pathways:
          • Removable Media (CDs, DVDs, USB Drives)
          • File Transfer (Database, PDFs, PLC Project Files)
          • Portable Equipment (Laptops, Storage Units, Config Tools)
          • Internal Network Connections (Business, Lab, QA, Support)
          • External Connections (Support, Contractor, Customer)
          • Wireless (802.11, 802.15, Licensed-band, Cellular, Wireless HART, ISA-100a, Bluetooth, USB tethering)
          • Other Interfaces (Serial, Data Highways)
      • Have strategies for discovering/mitigating ALL pathways
  • 10. Protecting the Critical Pieces First
      • The Attack/Consequence Funnel
  • 11. Practical Solutions for ICS Professionals
      • You are NOT going to be able to:
          • Restructure your IT department’s focus and practices
          • Get suppliers to provide vulnerability-free products
          • Patch every ICS system immediately
          • Cut off all pathways in to and out of your ICS
  • 12. Practical Solutions for ICS Professionals
      • You should be able to:
          • Restrict and manage the data flows into your systems
          • Restrict and manage the data flows out of your systems
          • Detect unusual behaviors in your systems
          • Patch most ICS products within a patch management strategy
          • Progressively reduce the probability of attacker success the deeper into the ICS/SCADA system they go
  • 13. The Attack/Consequence Funnel
      [Figure: the layers External, Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems, Process; labels: Exploit Opportunities, Available Pathways, Attack Quantity, Consequences]
  • 14. Keeping All the Rubbish Out
      • Process DMZ is a critical Choke Point
      • Limited Pathways
      • Limited Protocols
      • Managed Egress
      • Disjoint Protocols
      [Figure: the layers External, Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems, Process]
  • 15. Reducing the Vulnerable Systems in the Middle
      • Windows-based applications offer a major attack opportunity
      • Patch applications, not just the O/S
      • A/V Deployment
      • White Listing (?)
      • Separation of HMI & Control
      [Figure: the layers External, Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems, Process]
  • 16. Securing Last-line-of-Defense Critical Systems
      • High Consequence
      • Focus on monitoring and securing SIS Boundary
      • Limited Pathways
      • Anomaly Detection
      [Figure: the layers External, Corporate, Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems, Safety Systems, Process]
  • 17. ISA-99 and IEC 62443 Security Standards
      • Using Zones and Conduits to Focus your Efforts
  • 18. ANSI/ISA-99: Dividing Up The Control System
      • A core concept in the ANSI/ISA-99 (now IEC 62443.02.01) security standard is “Zones and Conduits”
      • Offers a level of segmentation and traffic control inside the control system.
      • Control networks divided into layers or zones based on control function.
      • Multiple separated zones manage that “defense in depth” strategy
  • 19. ANSI/ISA-99: Connecting the Zones
      • Connections between the zones are called conduits, and these must have security controls to:
          • Control access to zones
          • Resist Denial of Service (DoS) attacks or the transfer of malware
          • Shield other network systems
          • Protect the integrity and confidentiality of network traffic
      • It is important to understand and manage all your conduits between zones, not just the obvious ones.
  • 20. Security Zone Definition
      • “Security zone: grouping of logical or physical assets that share common security requirements.” [ANSI/ISA-99.02.01–2007- 3.2.116]
      • A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.
      [Figure: HMI Zone, PLC Zone]
  • 21. Conduits
      • A conduit is a path for the flow of data between two zones.
      • Can provide the security functions that allow different zones to communicate securely.
      • Any communications between zones must have a conduit.
      [Figure: Conduit, HMI Zone, PLC Zone]
  • 22. Protecting the Network with Zones and Conduits
      • A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation
      [Figure: Firewall, HMI Zone, PLC Zone]
  • 23. Using Zones: An Example Oil Refinery
  • 26. Protecting the Conduits with Firewalls
      [Figure: Corporate Firewall, Hirschmann Firewall]
  • 28. An Industrial Firewall Installation Gone Bad…
      • An automotive company wanted layered protection for key PLCs and robots
      • Decided to install over 100 personal firewalls in front of identified critical devices
      • All firewalls had to be removed within a few months…
      • Why?
  • 29. BCIT SCADA Firewall Research Project
      • In 2003 the research centre at the British Columbia Institute of Technology (BCIT) was commissioned to investigate issues and best practices in firewall deployment in SCADA systems
      • Results:
          • “CPNI Good Practice Guide on SCADA Firewall Deployment”
          • “The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results”
          • Several restricted-access documents…
  • 30. What We Found…
      “While the results indicate that commercial firewalls can be successfully used, the study also shows important differences between the configuration of firewalls in industrial and IT settings.”
      The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results. Byres, Hoffman, et al.
  • 31. Misapplication of IT Security Assumptions
      • There are important differences between information technology (IT) networks and industrial automation and control systems (IACS) networks.
      • Problems occur because assumptions that are valid in the IT world may not be on the plant floor
      • Some examples:
          • Valid types of outbound traffic
          • Importance of web “customers”
          • Assumed protection from DoS attacks via routers
          • “Critical” protocols
          • Desired state on failure
  • 32. An Example Assumption and Its Impact on a Chemical Plant
      • IT Assumption: Outbound traffic is safe, inbound traffic is unsafe
      • Result: By default, all ports are blocked on the outside interface, and all ports are open on the inside interface of the security appliance. (Cisco ASA 5500 Adaptive Security Appliances, Document ID: 91970)
  • 33. An Example Assumption and Its Impact on a Chemical Plant
      • Plant Floor Reality: Cisco ASA firewall is installed between DCS and PLCs with DCS as SCADA master (thus inbound traffic to PLC must be allowed)
      • Event: Firewall installed with default rule sets
      • Impact: All traffic to PLCs is blocked, plant down for three hours
  • 34. Conclusion
      • Security technology may be excellent, but the default assumptions determine its usability in an environment.
  • 35. SCADA/ICS-Appropriate Technologies
      • Select security solutions that are easy for engineers and technicians to deploy
      • Use ICS-appropriate detection technologies that can raise an alarm when equipment is compromised or at risk of compromise
      • Deploy ICS-appropriate security technologies
      • Look beyond traditional network layer firewalls, towards firewalls that are capable of Deep Packet Inspection of key SCADA and ICS protocols
  • 36. Example: SCADA-Focused Monitoring
      • Stuxnet had to connect to and reprogram the victim PLCs to be successful
      • Win-CC Servers likely the reprogramming point
      • Question: Should an HMI server be reprogramming a PLC?
      • Traffic analysis beyond the basic IP Address / TCP port would detect this…
  • 37. Example: Fixed Configuration Safety Firewall
      • Firewalls designed specifically for a single purpose
      • Cannot be disabled or mis-configured by staff
      • Can be tuned for specific control systems
      • Aware of SCADA protocols and capable of deep packet inspection
      • Sanity checking of protocols like Modbus
      • Can provide fine grained controls of allowed commands
  • 38. Example: Deep Packet Inspection for OPC
      • Stuxnet made extensive use of RPC protocol, which is the basis of OPC
      • IT firewalls can’t manage RPC or OPC traffic
      • Firewall needs to be able to “understand” SCADA protocols like OPC
      • Requires “Deep Packet Inspection” technology for automation systems
      • Example: Hirschmann OPC Enforcer automatically inspects and manages OPC traffic
  • 40. Making Security Work in the SCADA World
      • “Certainly controls engineers and operators need to be security aware, but they should not all need to be security experts.”
      • “We have to make this [security] something a plant superintendent, engineer, or senior operator can do in their spare time, or it will flop.”
      ISA-99 Discussion Forum
  • 41. Some Final Thoughts
      • IT and SCADA systems are different
      • Translates to differing requirements for safe and reliable deployments of security systems in SCADA
      • We can’t stop all infections
      • We can prevent attackers from reaching their goals
      • Security AND safety can be significantly improved with good policy and appropriate technology
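
Slides 36 and 37 describe inspection that goes past IP address and TCP port: sanity checking Modbus and controlling which commands a source may send. The sketch below is an added example, not code from the presentation or from any product it names; it checks Modbus/TCP requests crossing a conduit into the PLC zone. The zone names, the policy table and the sample frames are constructed assumptions.

```python
import struct

# Constructed conduit policy (assumption, not from the slides): Modbus function
# codes each source zone may send through the conduit into the PLC zone.
READS = {0x01: 2000, 0x02: 2000, 0x03: 125, 0x04: 125}   # code -> max quantity
WRITES = {0x05, 0x06, 0x0F, 0x10}
POLICY = {
    "hmi": set(READS),                    # HMI zone: monitoring only
    "engineering": set(READS) | WRITES,   # engineering station may write
}

def build_request(tid, unit, pdu):
    """Wrap a Modbus PDU in an MBAP header (used to construct sample frames)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def inspect(src_zone, frame):
    """Return (verdict, reason) for one Modbus/TCP request crossing the conduit."""
    if len(frame) < 8:                    # 7-byte MBAP header + function code
        return "drop", "truncated frame"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return "drop", "protocol id is not Modbus"
    # The length field counts the unit id plus the PDU (253 bytes at most).
    if length != len(frame) - 6 or length > 254:
        return "drop", "bad length field"
    pdu = frame[7:]
    code = pdu[0]
    if code not in POLICY.get(src_zone, set()):
        if code in WRITES:
            return "alert", "write command from a zone that may only read"
        return "drop", "function code not allowed for this zone"
    if code in READS:                     # request is code, address, quantity
        if len(pdu) != 5:
            return "drop", "malformed read request"
        _addr, qty = struct.unpack(">HH", pdu[1:])
        if not 1 <= qty <= READS[code]:
            return "drop", "read quantity out of range"
    elif code in (0x0F, 0x10):            # write multiple coils / registers
        if len(pdu) < 6:
            return "drop", "malformed write request"
        _addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        limit, expected = (123, 2 * qty) if code == 0x10 else (1968, (qty + 7) // 8)
        if not 1 <= qty <= limit or nbytes != expected or len(pdu) != 6 + nbytes:
            return "drop", "write size fields inconsistent"
    elif len(pdu) != 5:                   # 0x05 / 0x06: code, address, value
        return "drop", "malformed single write"
    return "allow", "ok"

# Constructed sample traffic (not captured from a real plant).
_READ10 = struct.pack(">BHH", 0x03, 0, 10)                # read 10 registers
_WRITE1 = struct.pack(">BHHBH", 0x10, 0, 1, 2, 0x1234)    # write 1 register
SAMPLES = [
    ("hmi", build_request(1, 1, _READ10)),
    ("hmi", build_request(2, 1, _WRITE1)),
    ("engineering", build_request(3, 1, _WRITE1)),
    ("hmi", build_request(4, 1, struct.pack(">BHH", 0x03, 0, 500))),
    ("hmi", build_request(5, 1, _READ10) + b"\x00"),      # trailing byte
]

def run_samples():
    """Verdicts for the constructed samples, in order."""
    return [inspect(zone, frame)[0] for zone, frame in SAMPLES]

if __name__ == "__main__":
    for zone, frame in SAMPLES:
        print(zone, frame.hex(), inspect(zone, frame))
```

The write request from the HMI zone raises an alert rather than being silently dropped, which is the Modbus analogue of the question on slide 36 about an HMI server reprogramming a PLC.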