This presentation was given at BSides Las Vegas 2015. The modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day to day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is raising and governmental regulations are being established and implement. However, this also means that the need for ICS security professionals is raising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question if I was up for the challenge, converting myself from a ‘normal’ security professional to a ICS specific security professional. The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk instead in contrast to an ICS 101 talk.

1. The journey to
ICS

2. Disclaimer
I am employed in the Infosec industry
but not authorised to speak on behalf of my
employer or clients.
Everything I say is from a personal point of
view.

3. About me
@lvandenaweele
- Security consultant at PwC Belgium
- +5 years information security
- +2 years within Industrial Security
- Travel, food, beer
..not an expert yet, but eager to learn.

4. Special thanks to
@chrissistrunk
- Proving Ground Mentor

5. About this talk..

6. Where can you find Operational Technology
And much more..

7. What are the risks?
- Human Safety

8. - Human Safety
- Environmental effects
What are the risks?

9. - Human Safety
- Environmental effects
- Material damage
What are the risks?

10. - Human Safety
- Environmental effects
- Material damage
- High Impact events
- Etc
What are the risks?

11. OT Clichés
- Built to last for decades
- Uses specific means of communication
- Availability is key, above security
- At some point, human interaction
(e.g. operators watching the grid)

12. Operational Technology [OT]
Operational
Technology
Industrial
Control
Systems [ICS]
Network
Other
components
(apps,
systems)

13. Some Vocabulary
- PCS - Process Control System
- BMS - Building Management System
- EMS - Energy Management System
- DMS - Distribution Management System
- DCS - Distributed Control System
- SCADA - Supervisory Control and Data Acquisition
- PLC - Programmable Logic Controller
- MTU - Master Terminal Unit
- HMI - Human Machine Interface

14. - WAN – Wide Area Network
- LAN – Local Area Network
- MAN – Metropolian Area Network
- FAN – Field Area Network
- PAN – Personal Area Network
Some Vocabulary

15. Industrial Control Systems
DCS vs SCADA

16. IT vs OT
IT Systems OT Systems
Data Confidentiality Low - High Low - Moderate
Data Integrity Low - Moderate Very High
Availability Low - Moderate Very High (99.9999% uptime common)
Time Criticality Delays tolerated Critical
Patching Frequent Infrequent to nearly impossible
System Life Cycle 3 - 5 years 10 - 30+ years
Security Standards ISO 27002, COBIT, NIST, etc. IEC 62443, CIP, NEI, IEEE 1686, etc.
Operating Systems COTS COTS, RTOS, Embedded OS (Firmware)
Interoperability Not critical Critical (security often not considered)
Communication Protocols TCP/IP primarily HART, DNP3, Mod/FieldBus, ICCP, TCP/IP,
etc.
Communication Topology LAN/WAN, Telco, etc. LAN/WAN, Telco, Satellite, Serial, MWave, etc.

17. What’s all inside?

18. Business Zone
DMZ
Operations Zone
Process Control Zone
Safety Zone
Enforcement Zone

19. Enforcement Zone
Industrial Switch Industrial FirewallData Diode
ICS Aware Routers

20. Safety Zone
Safety Valve Safety PLC
Safety Gear

21. Process Control Zone
Sensors Motors Actuators Instrumentation
PLC s
Dedicated Control
Operator
Workstation
Control Processes RTU s
Data Historians
Engineering
Workstations
Communication front
ends
Level 0
Process Control
Network
Level 1
Control Devices
Level 2
Supervisory Control LAN
ProcessControlZone

22. Process Control Zone
Level 0 – Process Control Network
Sensors Motors Actuators Instrumentation
Level 0
Process Control
Network
Valves IED - Intelligent Electronic
Device
Sensors

23. Process Control Zone
Level 1 – Control Devices
PLC s
Dedicated Control
Operator
Workstation
Control Processes RTU s
Level 1
Control Devices
PLC - Programmable Logic
Controller
RTU - Remote
Terminal Unit
Dedicated Operator
Workstation

24. Process Control Zone
Level 2 – Supervisory Control LAN
Data Historians
Engineering
Workstations
Communication front
ends
Level 2
Supervisory Control LAN
Data Historian
Control Room
HMI Panel

25. Operations Zone
Level 3 – Operations Support
Sensors Motors Actuators Instrumentation
PLC s
Dedicated Control
Operator
Workstation
Control Processes RTU s
Data Historians
Engineering
Workstations
Communication front
ends
Simulation &
modeling systems
Operations
Analysis Systems
Engineering
workstation
Test systems
Level 0
Process Control
Network
Level 1
Control Devices
Level 2
Supervisory Control LAN
Level 3
Operations Support
Enforcement zone
ProcessControlZone
OperationsZone

26. DMZ, Business Zone
Jump host
environment
Patch
Management
AV Server Application Server
Enforcement zone
Site directory
replicas
Local file servers
Site specific Remote
Access
Corporate internet, e-mail, public websites,etc
DMZ
Level 4
Plant Network
Level 5
Enterprise Business Network
DMZBusinessZone

27. Sensors Motors Actuators Instrumentation
PLC s
Dedicated Control
Operator
Workstation
Control Processes RTU s
Data Historians
Engineering
Workstations
Communication front
ends
Simulation &
modeling systems
Operations
Analysis Systems
Engineering
workstation
Test systems
Jump host
environment
Patch
Management
AV Server Application Server
Enforcement zone
Site directory
replicas
Local file servers
Site specific Remote
Access
Corporate internet, e-mail, public websites,etc
Level 0
Process Control
Network
Level 1
Control Devices
Level 2
Supervisory Control LAN
Level 3
Operations Support
DMZ
Level 4
Plant Network
Level 5
Enterprise Business Network
Enforcement zone
Enforcement zone
ProcessControlZone
OperationsZone
DMZBusinessZone
Source: https://isc.sans.edu/diaryimages/images/purdue.png

28. Network Architecture
The mystery of air gaps
What you think is in place
Source: ISBN-13: 978-1597496452

29. Network Architecture
The mystery of air gaps
But actually..
Source: ISBN-13: 978-1597496452

30. Network Architecture
Protocols
Raw Data Protocols
- HART / ModBus
- Reads data (measurements)
- Sends commands (start pumps)
- Clear text
- No authentication
High Level Data Protocols
- OPC / ICCP / MMS
- Sending data, commands
between databases/applications
- Creates human readable
information
- Likely to act like bridge between
corporate and control networks

31. Network Architecture
Protocols - ModBus TCP
- 502/TCP
- open protocol
- Master/Slave
- Simple request/response protocol
- Function codes
- No Security

32. Network Architecture
Protocols - OPC
- Object Linking and Embedding for Process Control
- First released in 1996
- 4840/TCP
- Open Standard
- Acts as a bridge between different application
- Often the link between corporate and control network

33. Attack Landscape
Source: https://ics-radar.shodan.io

34. Attack Landscape
Types of Attacks
- Denial of Service (DoS)
- Insecure Protocols
- Hardcoded Credentials
- Database Attacks
- Man-in-the-Middle Attacks
- Physical Attacks
- Rogue Modems
- Etc

35. Attack Landscape
Types of Attacks

36. Common Weaknesses
- Unpatched systems

37. Common Weaknesses
- Approved patches
This document contains <<REDACTED >>proprietary information. Information contained
herein is to be used solely for the purpose submitted, and no part of this document or its
contents shall be reproduced, published, or disclosed to a third party without the express
permission of <<REDACTED >>.
<<REDACTED >> DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PURPOSE AND MAKES NO EXPRESS WARRANTIES EXCEPT
AS MAY BE STATED IN ITS WRITTEN AGREEMENT WITH AND FOR ITS
CUSTOMER.
In no event is <<REDACTED >> liable to anyone for any direct, special, or consequential
damages. The information and specification in this document are subject to change
without notice.
(source: Publically available patch list on vendor website)

38. Common Weaknesses
- Poor authentication/authorisation

39. Common Weaknesses
- Ineffective physical security

40. Common Weaknesses
- Rogue Access Points
- Unnecessary software
- Harsh conditions

41. Common Weaknesses
- Limited use of host anti-virus
- Poor authentication/authorisation
- Little or no cyber security monitoring
- Requirement for 3rd party access
- Poor Audit and Logging
- Legacy equipment
- Unmanned field sites
- Harsh environments
- Etc

43. - Preferably in test environment or during FAT/SAT
(Things will break!)
- Know your toolbox
- Capture traffic across different levels
- Close communication with control center
Assessing Control Systems

44. So how can we protect ourselves
Industrial Control Systems
System Security
- Hardening
- Identity & Access Management
- Patch Management
- Malware detection & prevention
Network Security
- Security zoning & DMZs
- Firewalls & IPS
- VPN Access
Plant Security
- Physical Security
- Policies & procedures
- BCM & DRP

45. But first.. build a team
Operations, Security, Maintenance and IT
Have to work together to have a good
SCADA security team

46. Insight on current situation
- Create an Inventory
- Determine and verify current security levels
- Policies and Procedures
- Regulatory compliance
- Create awareness
- Talk to people

47. One step at a time
- Network Architecture changes
- Monitoring
- Authentication
- Responsabilities
- Compliance

48. Common pitfalls
- Compliance vs effectiveness
- Non-flexible approach
- Throwing money at the problem
- Lack of communication

49. Standards
- NERC CIP
- IEC 62443 (ISA99)
- IEEE 1686
- NIST SP800-82 rev 2
- Etc [link]

50. Questions