This 2-part presentation, "Mission Critical Security in a Post-Stuxnet World," contains slides from the Hirschmann 2011 Mission Critical Network Design Seminar. It summarizes a lot of information about the Stuxnet malware and discusses what it means for the future of SCADA and ICS security.
The presentation is ideal for anyone needing a crash course on Stuxnet, or as a tool for informing management about the implications of it.
You say SCADA, I say … mainframes. There are some remarkable - and scary - parallels between the worlds of SCADA ICS and mainframes. Each system is critical to our lives. Their worlds are insular, proprietary, and seemingly shut off to everyone else. Except for when they aren't. Extrapolate the future of security for mainframes based on the challenges and failures of SCADA ICS as it has evolved from sequestered to connected. SCADA serves as a cautionary tale for securing mainframes against acts of God, nature and man in this scenario of a Stuxnet for Mainframes.
"Building HMI with Visual Basic Technologies - 1998". Though the slides are old, they are still worth a look, especially for those who are new to HMI and SCADA technologies.
Understand the world’s first cyber weapon – Stuxnet in 10 minutes.
* Discovery Of the First Cyber Weapon
* High Level Architecture Overview Of The Target
* How Does Stuxnet Sabotage A Uranium Enrichment Plant – Cyber-physical Attack
* Summary
* References
Accompanies YouTube video at
http://www.youtube.com/watch?v=RilxHjt5yRE
which describes an instance of cyberwarfare where a worm was used to attack a uranium processing facility in Iran
This article is all about "STUXNET", the first weapon built entirely out of code.
It gives a brief insight into what it is all about: a new world of computer programming where you can make deadly weapons with code. Read the complete article to know more about it.
For my presentation on this article visit: http://www.slideshare.net/hardeep4u/stuxnet-more-then-a-virus
Stuxnet is a malicious computer worm, first uncovered in 2010, thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.
Security for IoT - Apr 29th Mentor Embedded Hangout (mentoresd)
Security Strategies for Internet of Things From Devices to The Cloud -- these slides were presented during a live Google+ On-Air Hangout Panel on April 29th, 2014, presented by Mentor Graphics Embedded Software
Attacking and Defending Autos Via OBD-II from escar Asia (Digital Bond)
This presentation from escar Asia does go into detail on the Progressive Snapshot dongle security problems, but it also addresses common issues found in ICS security and the path forward: for example, the insecure-by-design problem, the lack of thought given to embedded product security, the importance of a security perimeter as the immediate best security solution, and the medium- to long-term solutions.
This presentation explains the ANSI/ISA-99 and IEC 62443 standards for industrial control systems (ICS). It describes the Zone and Conduit security model and how it is used in a plant or factory. The issues of security configuration errors are discussed as well. A case history of zone security deployment for a Safety Integrated System in a refinery is provided. For additional information see www.tofinosecurity.com.
Acme Enterprise Scenario Residency Week - Acme Enterprise is a pr.docx (MARK547399)
Acme Enterprise Scenario Residency Week
Acme Enterprise is a private company that is gearing up for an initial public offering (IPO). Prior to going public Acme must be in compliance with: GDPR, PCI DSS, and SOX. Acme is in the water purification business with new technologies that purify water in any form whether it is sewage, ocean, lake etc.
Part of its IPO process is to show due diligence and due care. Acme has identified your team to conduct a risk assessment and analysis of its information technology infrastructure to uncover any threats and exposures and provide mitigations and controls to reduce those uncovered threat/exposures, so it can have a successful IPO.
Using the Network Infrastructure design of the Acme Enterprise you are to assess risk of Acme’s:
1. Perimeter Security
2. Network Security
3. Endpoint Security
4. Application Security
5. Data Security
6. Operations
7. Policy Management
Acme Perimeter Security
Acme is currently protected by two Dynamic Stateful Inspection Firewalls configured in active/standby mode. Acme is also configured to use PAT (port address translation), where 200.200.200.1 represents Acme on the public Internet. Acme translates this public IP through its clustered firewall to the internal IP space of 10.100.0.0/16, giving Acme 65334 usable IP addresses.
As part of Acme’s infrastructure, it also accesses cloud services for its business office tools through Office 365 and uses Dropbox for end user’s storage. Acme uses a web hosting service for its web front end and ecommerce which is connected to a back-end Oracle Database using enterprise MySQL. The database administrators have full access to all database information, but they lack oversight from anyone else.
There are two DMZ’s, but they are not utilized.
Network Security
Acme has a collapsed core design, which means all internal LAN routing and Internet access occurs on its distribution-level devices. This means wireless access, web proxy access, and access control lists and entries are located at this layer of the infrastructure. Currently Acme is using WPA2 (Wi-Fi Protected Access 2) for its wireless security. The web proxy is configured with the following: General, Limited, and Exclusive Internet access. Each of these categories dictates what type of Internet access an end user will experience if they belong to one of these groups.
The local area network uses the IP block in the following way: 10.100.1.0/24 User VLAN, 10.100.2.0/24 Research and Development VLAN.
Current access control lists are permit 10.100.2.0 0.0.0.255, permit 10.100.1.0 0.0.0.255. All other devices use the rest of the unallocated IP block of 10.100.0.0/16.
Also, all IP space is statically assigned. There is one default route to the Internet, but users complain about access to internal services.
Endpoint Security
There is a mixture of Mac and Windows systems, XP, 7, and 10. JAMF is used to control and monitor Mac systems, the Windows devices.
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi... (Jiunn-Jer Sun)
Agenda
- The unknown truth of cyber threats
- The myths of network security
- Attack and defense analysis
- IEC 62443 standard and how it impacts you
- IT vs. OT security and the golden rule of defense
- A foundation where technology meets humanity
This presentation goes through several topic areas that are of specific interest in developing IoT Gateway solutions. IoT is a popular area of development that presents unique challenges like hardware and operating system selection, product life-cycle support and maintainability, software architectural solutions, connectivity, security, secure updates, and API availability. We discuss technologies and concepts like hardware acceleration support, Linux kernel maintenance, edge networking, LXC/Docker/KVM, Zigbee, 6LoWPAN, BLE, IoTivity, Allseen Alliance, SELinux and Trusted Boot.
The aim of the presentation is to give an overview of the challenges in building an IoT Gateway and the Solutions available using Embedded Linux.
This presentation was delivered at LinuxCon Japan 2016 by Jim Gallagher
Next Generation Embedded Systems Security for IOT: Powered by Kaspersky (L. Duke Golden)
In an increasingly connected world full of new IOT technologies, the security risks are becoming the single biggest challenge as we advance toward a fully tech-enabled society. Kaspersky's security strategy is always - SECURE BY DESIGN.
Next Generation Embedded Security for IOT - Powered by Kaspersky Secure OS. This presentation examines our "Secure by Design" alternative to legacy Microsoft / Linux OS - together with an end-to-end IOT security strategy. This presentation was originally given publicly at the CEBIT 2017 Event in Hannover, Germany.
Mission Critical Security in a Post-Stuxnet World Part 2
1. Addressing the Son-of-Stuxnet
Cyber Security Solutions for Mission Critical Systems
Eric Byres, P.Eng.
CTO, Byres Security Inc.
2. The Stuxnet Worm
• July, 2010: Stuxnet worm was discovered attacking Siemens PCS7, S7 PLC and WIN-CC systems around the world
• Infected 100,000 computers
• Infected at least 22 manufacturing sites
• Appears to have impacted its possible target, Iran's nuclear enrichment program
4. The "Air Gap" Is Dead
• A modern ICS or SCADA system is highly complex and interconnected
• Multiple potential pathways exist from the outside world to the process controllers
• Assuming an air-gap between ICS and corporate networks is unrealistic
• Focusing security efforts on a few obvious pathways (such as USB storage drives or the Enterprise/ICS firewall) is a flawed defense
5. SCADA and ICS in the Bull's Eye
• ICS platforms are becoming an obvious target for attacks
• "Security Researchers" focusing on SCADA/ICS because it is easy money/fame (little malicious intent)
• Actors with intent have access to the weapons:
  • Download exploits for free (Italian list)
  • Purchase tool kits (Gleg)
  • Directed where to look for more vulnerabilities
6. Stuxnet's Legacy
• Model for simple, destructive SCADA worms
• Exploits inherent PLC design issues
• Applicable to almost all industrial controllers
• There are no possible "patches" to the PLC
7. Protecting Against the "Son-of-Stuxnet"
• Understanding and Managing the Pathways
• Protecting the Critical Pieces First
• ISA-99 and IEC 62433 Security Standards
• Making Security Simple and Focused
9. Look At All Possible Pathways
• Don't focus on a single pathway such as USB keys
• Consider all possible infection pathways:
  • Removable Media (CDs, DVDs, USB Drives)
  • File Transfer (Database, PDFs, PLC Project Files)
  • Portable Equipment (Laptops, Storage Units, Config Tools)
  • Internal Network Connections (Business, Lab, QA, Support)
  • External Connections (Support, Contractor, Customer)
  • Wireless (802.11, 802.15, Licensed-band, Cellular, Wireless HART, ISA-100a, Bluetooth, USB tethering)
  • Other Interfaces (Serial, Data Highways)
• Have strategies for discovering/mitigating ALL pathways
11. Practical Solutions for ICS Professionals
• You are NOT going to be able to:
  • Restructure your IT department's focus and practices
  • Get suppliers to provide vulnerability-free products
  • Patch every ICS system immediately
  • Cut off all pathways in to and out of your ICS
12. Practical Solutions for ICS Professionals
• You should be able to:
  • Restrict and manage the data flows into your systems
  • Restrict and manage the data flows out of your systems
  • Detect unusual behaviors in your systems
  • Patch most ICS products within a patch management strategy
  • Progressively reduce the probability of attacker success the deeper into the ICS/SCADA system they go
13. The Attack/Consequence Funnel
[Figure: funnel diagram, narrowing from External Corporate through Internal Enterprise Assets, Process DMZ, HMI/Supervisory Systems, Primary Control Systems and Safety Systems down to Process; the axes are labelled Exploit Opportunities, Available Pathways, Attack Quantity and Consequences]
14. Keeping All the Rubbish Out
[Figure: the same layered diagram as slide 13, External Corporate down to Process]
• Process DMZ is a critical Choke Point
• Limited Pathways
• Limited Protocols
• Managed Egress
• Disjoint Protocols
15. Reducing the Vulnerable Systems in the Middle
[Figure: the same layered diagram as slide 13]
• Windows-based applications offer a major attack opportunity
• Patch applications, not just the O/S
• A/V Deployment
• White Listing (?)
• Separation of HMI & Control
16. Securing Last-line-of-Defense Critical Systems
[Figure: the same layered diagram as slide 13]
• High Consequence
• Focus on monitoring and securing SIS Boundary
• Limited Pathways
• Anomaly Detection
17. ISA-99 and IEC 62433 Security Standards
• Using Zones and Conduits to Focus your Efforts
18. ANSI/ISA-99: Dividing Up The Control System
• A core concept in the ANSI/ISA-99 (now IEC 62443.02.01) security standard is "Zones and Conduits"
• Offers a level of segmentation and traffic control inside the control system.
• Control networks divided into layers or zones based on control function.
• Multiple separated zones manage that "defense in depth" strategy
19. ANSI/ISA-99: Connecting the Zones
• Connections between the zones are called conduits, and these must have security controls to:
  • Control access to zones
  • Resist Denial of Service (DoS) attacks or the transfer of malware
  • Shield other network systems
  • Protect the integrity and confidentiality of network traffic
• It is important to understand and manage all your conduits between zones, not just the obvious ones.
20. Security Zone Definition
• "Security zone: grouping of logical or physical assets that share common security requirements." [ANSI/ISA-99.02.01-2007, 3.2.116]
• A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.
[Figure: HMI Zone and PLC Zone]
21. Conduits
• A conduit is a path for the flow of data between two zones.
  • Can provide the security functions that allow different zones to communicate securely.
• Any communications between zones must have a conduit.
[Figure: HMI Zone and PLC Zone joined by a Conduit]
22. Protecting the Network with Zones and Conduits
• A firewall in each conduit will allow only the MINIMUM network traffic necessary for correct plant operation
[Figure: HMI Zone and PLC Zone joined by a Firewall]
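An added example (not from the deck) of the zone-and-conduit rule in slides 18 to 22, written as a check a practitioner could run over exported flow records: every asset must belong to a zone, cross-zone traffic must use a defined conduit, and each conduit carries only its minimum service set. The zone address ranges, the conduit list and the flow records are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Zones: groupings of assets that share common security requirements.
# The address ranges are constructed for this example.
ZONES: Dict[str, List[str]] = {
    "Enterprise": ["10.10.0.0/16"],
    "Process DMZ": ["10.20.0.0/24"],
    "HMI Zone": ["10.30.0.0/24"],
    "PLC Zone": ["10.40.0.0/24"],
}

# Conduits: (initiating zone, responding zone) -> services the conduit
# firewall permits, kept to the minimum the plant needs (constructed).
CONDUITS: Dict[Tuple[str, str], Set[str]] = {
    ("Enterprise", "Process DMZ"): {"tcp/443"},
    ("Process DMZ", "HMI Zone"): {"tcp/135"},
    ("HMI Zone", "PLC Zone"): {"tcp/502"},
}


def zone_of(ip: str) -> Optional[str]:
    """Return the zone an address belongs to, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return None


def check_flow(src: str, dst: str, service: str) -> Tuple[str, str]:
    """Classify one flow as ('allow' | 'alert', reason)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        stray = src if src_zone is None else dst
        return "alert", f"{stray} is assigned to no zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic inside {src_zone}"
    permitted = CONDUITS.get((src_zone, dst_zone))
    if permitted is None:
        # Also catches the reverse direction: conduits are defined per initiator.
        return "alert", f"no conduit from {src_zone} to {dst_zone}"
    if service not in permitted:
        return "alert", f"{service} not permitted on conduit {src_zone} -> {dst_zone}"
    return "allow", f"conduit {src_zone} -> {dst_zone}"


def audit(flows: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str, str]]:
    """Run check_flow over exported (src, dst, service) records."""
    return [(src, dst, svc, *check_flow(src, dst, svc)) for src, dst, svc in flows]


# Constructed flow records, as a firewall log or NetFlow export would give them.
SAMPLE_FLOWS = [
    ("10.30.0.5", "10.40.0.10", "tcp/502"),     # HMI polling a PLC over Modbus
    ("10.40.0.10", "10.40.0.11", "tcp/502"),    # PLC to PLC inside one zone
    ("10.10.4.7", "10.40.0.10", "tcp/502"),     # enterprise host straight to a PLC
    ("10.30.0.5", "10.40.0.10", "tcp/80"),      # HTTP on the HMI -> PLC conduit
    ("10.40.0.10", "10.30.0.5", "tcp/502"),     # PLC initiating back towards the HMI
    ("192.168.99.3", "10.40.0.11", "tcp/502"),  # address that belongs to no zone
]

if __name__ == "__main__":
    for src, dst, svc, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {src:>13} -> {dst:<12} {svc:8} {reason}")
```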
28. An Industrial Firewall Installation Gone Bad…
• An automotive company wanted layered protection for key PLCs and robots
• Decided to install over 100 personal firewalls in front of identified critical devices
• All firewalls had to be removed within a few months…
• Why?
29. BCIT SCADA Firewall Research Project
• In 2003 the research centre at the British Columbia Institute of Technology (BCIT) was commissioned to investigate issues and best practices in firewall deployment in SCADA systems
• Results:
  • "CPNI Good Practice Guide on SCADA Firewall Deployment"
  • "The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results"
  • Several restricted-access documents…
30. What We Found…
"While the results indicate that commercial firewalls can be successfully used, the study also shows important differences between the configuration of firewalls in industrial and IT settings."
The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results
Byres, Hoffman, et al.
31. Misapplication of IT Security Assumptions
• There are important differences between information technology (IT) networks and industrial automation and control systems (IACS) networks.
• Problems occur because assumptions that are valid in the IT world may not be valid on the plant floor
• Some examples:
  • Valid types of outbound traffic
  • Importance of web "customers"
  • Assumed protection from DoS attacks via routers
  • "Critical" protocols
  • Desired state on failure
32. An Example Assumption and Its Impact on a Chemical Plant
• IT Assumption: Outbound traffic is safe, inbound traffic is unsafe
• Result:
"By default, all ports are blocked on the outside interface, and all ports are open on the inside interface of the security appliance."
Cisco ASA 5500 Adaptive Security Appliances, Document ID: 91970
33. An Example Assumption and Its Impact on a Chemical Plant
• Plant Floor Reality: Cisco ASA firewall is installed between DCS and PLCs with DCS as SCADA master (thus inbound traffic to PLC must be allowed)
• Event: Firewall installed with default rule sets
• Impact: All traffic to PLCs is blocked, plant down for three hours
35. SCADA/ICS-Appropriate Technologies
• Select security solutions that are easy for engineers and technicians to deploy
• Use ICS-appropriate detection technologies that can raise an alarm when equipment is compromised or at risk of compromise
• Deploy ICS-appropriate security technologies
• Look beyond traditional network layer firewalls, towards firewalls that are capable of Deep Packet Inspection of key SCADA and ICS protocols
36. Example: SCADA-Focused Monitoring
• Stuxnet had to connect to and reprogram the victim PLCs to be successful
• Win-CC Servers likely the reprogramming point
• Question: Should an HMI server be reprogramming a PLC?
• Traffic analysis beyond the basic IP Address / TCP port would detect this…
37. Example: Fixed Configuration Safety Firewall
• Firewalls designed specifically for a single purpose
• Cannot be disabled or mis-configured by staff
• Can be tuned for specific control systems
• Aware of SCADA protocols and capable of deep packet inspection
• Sanity checking of protocols like Modbus
• Can provide fine grained controls of allowed commands
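As an added example (not the deck's or Hirschmann's code) of the monitoring in slide 36 and the fixed-configuration Modbus firewall in slide 37: a Modbus/TCP request inspector that sanity-checks the MBAP header and PDU against the protocol's limits, then applies a per-role command allowlist, so an HMI issuing a write is dropped with a reason even though its IP address and TCP port 502 look normal. The host roles, the register window and the sample frames are constructed.

```python
import struct
from typing import Tuple

# Modbus/TCP = 7-byte MBAP header (transaction id, protocol id, length, unit id)
# + PDU (function code, data). The length field counts unit id plus PDU.
MBAP = struct.Struct(">HHHB")
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Per-request maximum quantities from the Modbus Application Protocol spec.
MAX_QUANTITY = {1: 2000, 2: 2000, 3: 125, 4: 125, 15: 1968, 16: 123}

# Fixed policy (constructed): host role -> (allowed functions, write window).
# The HMI may only read; only the engineering workstation may write to 100-199.
ROLE_OF_HOST = {"10.30.0.5": "hmi", "10.30.0.9": "engineering"}
POLICY = {"hmi": (set(READ_FUNCS), None),
          "engineering": (set(READ_FUNCS) | set(WRITE_FUNCS), (100, 199))}


def parse_request(frame: bytes) -> dict:
    """Decode a Modbus/TCP request; raise ValueError on anything malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} vs {len(frame) - 6} bytes present")
    pdu = frame[MBAP.size:]
    func = pdu[0]
    req = {"tid": tid, "unit": unit, "func": func}
    if func in READ_FUNCS or func in (15, 16):
        if len(pdu) < 5:
            raise ValueError("truncated address/quantity")
        req["addr"], req["qty"] = struct.unpack(">HH", pdu[1:5])
        if not 1 <= req["qty"] <= MAX_QUANTITY[func]:
            raise ValueError(f"quantity {req['qty']} out of range for function {func}")
        if func in (15, 16):  # byte count must agree with quantity and payload
            expected = (req["qty"] + 7) // 8 if func == 15 else 2 * req["qty"]
            if len(pdu) < 6 or pdu[5] != expected or len(pdu) - 6 != pdu[5]:
                raise ValueError("byte count does not match quantity or payload")
    elif func in (5, 6):
        if len(pdu) != 5:
            raise ValueError("single write must be exactly 5 PDU bytes")
        req["addr"], req["value"] = struct.unpack(">HH", pdu[1:5])
        req["qty"] = 1
        if func == 5 and req["value"] not in (0x0000, 0xFF00):
            raise ValueError("Write Single Coil value must be 0x0000 or 0xFF00")
    else:
        raise ValueError(f"function {func} is outside this firewall's fixed set")
    return req


def inspect(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'drop', reason) for one request seen from src_ip."""
    role = ROLE_OF_HOST.get(src_ip)
    if role is None:
        return "drop", f"unknown host {src_ip}"
    try:
        req = parse_request(frame)
    except ValueError as err:
        return "drop", f"malformed Modbus from {src_ip}: {err}"
    func = req["func"]
    name = {**READ_FUNCS, **WRITE_FUNCS}[func]
    allowed, window = POLICY[role]
    if func not in allowed:
        # Same source IP, same TCP port 502: only the function code reveals this.
        return "drop", f"{role} host {src_ip} issued {name}, not allowed for its role"
    if func in WRITE_FUNCS:
        lo, hi = window
        last = req["addr"] + req["qty"] - 1
        if req["addr"] < lo or last > hi:
            return "drop", f"{name} to {req['addr']}-{last} is outside window {lo}-{hi}"
    return "allow", f"{role} {name} unit {req['unit']} addr {req['addr']}"


def build_request(tid: int, unit: int, func: int, addr: int, qty_or_value: int,
                  payload: bytes = b"") -> bytes:
    """Assemble a request frame; used here only to construct sample traffic."""
    if func in (15, 16):
        payload = bytes([len(payload)]) + payload
    pdu = struct.pack(">BHH", func, addr, qty_or_value) + payload
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source address, request frame).
SAMPLES = [
    ("10.30.0.5", build_request(1, 1, 3, 0, 10)),                         # HMI read
    ("10.30.0.5", build_request(2, 1, 6, 100, 0x1234)),                   # HMI write
    ("10.30.0.9", build_request(3, 1, 16, 100, 2, b"\x00\x01\x00\x02")),  # in window
    ("10.30.0.9", build_request(4, 1, 16, 199, 2, b"\x00\x01\x00\x02")),  # out of window
    ("10.30.0.5", build_request(5, 1, 3, 0, 200)),                        # quantity too big
    ("10.30.0.5", build_request(6, 1, 3, 0, 10)[:-1]),                    # truncated frame
]

if __name__ == "__main__":
    for src, frame in SAMPLES:
        print(*inspect(src, frame))
```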
38. Example: Deep Packet Inspection for OPC
• Stuxnet made extensive use of RPC protocol, which is the basis of OPC
• IT firewalls can't manage RPC or OPC traffic
• Firewall needs to be able to "understand" SCADA protocols like OPC
• Requires "Deep Packet Inspection" technology for automation systems
• Example: Hirschmann OPC Enforcer automatically inspects and manages OPC traffic
40. Making Security Work in the SCADA World
• "Certainly controls engineers and operators need to be security aware, but they should not all need to be security experts."
• "We have to make this [security] something a plant superintendent, engineer, or senior operator can do in their spare time, or it will flop."
ISA-99 Discussion Forum
41. Some Final Thoughts
• IT and SCADA systems are different
• Translates to differing requirements for safe and reliable deployments of security systems in SCADA
• We can't stop all infections
• We can prevent attackers from reaching their goals
• Security AND safety can be significantly improved with good policy and appropriate technology