Attack Synopsis
■ Vitek Boden worked for Hunter Watertech, an Australian firm that installed SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia (a rural area of great natural beauty and a tourist destination)
  – Applied for a job with the Maroochy Shire Council
  – Walked away from a “strained relationship” with Hunter Watertech
  – The Council decided not to hire him
  – Boden decided to get even with both the Council and his former employer
■ On at least 46 occasions he issued radio commands to the sewage equipment
  – Caused 800,000 liters of raw sewage to spill into local parks, rivers and even the grounds of a Hyatt Regency hotel
  – Marine life died, the creek water turned black and the stench was unbearable for residents
■ Boden was an insider who was never an employee of the organization he attacked
  – Employee of the contractor that supplied the IT/control system technology
  – With his knowledge he was the “ultimate insider”
■ Contractor’s responsibilities unstated or inadequate
  – Management, technical and operational cyber security controls
  – Personnel security controls
    o Background investigations
    o Protection from disgruntled employees
■ As a skillful adversary, Boden was able to disguise his actions
  – A number of anomalous events occurred before recognition that the incidents were intentional
  – Extensive digital forensics were required to determine that a deliberate attack was underway
■ No existing cyber security policies or procedures
■ No cyber security defenses
Topic → Control family (identifier)
  Policy and Procedures → The first control in every control family addresses policy and procedure.
  Personnel Security → Personnel Security (PS)
  Hardware & Software → System and Services Acquisition (SA)
  Awareness and Training → Awareness and Training (AT)
  Audit → Audit and Accountability (AU)
  Contingency Planning → Contingency Planning (CP)
  Incident Response → Incident Response (IR)
  Cryptographic Protection → System and Communications Protection (SC)
… Identification or Authentication (continued from the previous slide)
  AC-5 Separation of Duties
  AC-6 Least Privilege
  AC-7 Unsuccessful Login Attempts
  AC-8 System Use Notification
  AC-9 Previous Logon Notification
  AC-10 Concurrent Session Control
  AC-15 Automated Marking
  AC-16 Automated Labeling
  AC-17 Remote Access
  AC-18 Wireless Access Restrictions
  AC-19 Access Control for Portable and Devices
  AC-20 Use of External Information Systems
  – http://csrc.nist.gov/sec-cert/ics/papers.html
■ NIST Industrial Control System Security Project
  – http://csrc.nist.gov/sec-cert/ics/index.html
■ NIST Project Managers
  – Stu Katzke
  – Keith Stouffer
ICS Architecture Final Project Template
SEC6082
Your Name
Running Head: ICS Architecture Final Project Template

Table of Contents
  Executive Summary ............................ X
  ICS Industry Architecture Being Designed ..... X
    Overview ................................... X
    Statement of Need .......................... X
    Detailed Description ....................... X
  ICS Network Architecture ..................... X
    Physical and Logical Designs ............... X
    Protocols .................................. X
    Devices .................................... X
  ICS Security Architecture .................... X
    Device Security Configuration .............. X
    Device Security Configuration .............. X
    Device Security Configuration .............. X
    Etc. ....................................... X
  Appendix ..................................... X
    *Comprehensive Network Map ................. X
    Example: Device Data Flows ................. X
    Example: Security Design Documents ......... X
    Example: Intrusion Detection System ........ X
    Example: Honeypot Configuration ............ X
  *The comprehensive network map must include all devices and communication protocols.

List of Tables and Figures
  Figure 1. Example: Total Network Design ...... X
  Figure 2. Example: Device Data Flow .......... X
  Figure 3. Example: Intrusion Detection System  X
  Figure 4. Example: Honeypot Configuration .... X
Executive Summary
An Executive Summary provides a brief overview for C-level executives who only need to know what the material is about, not the details of the material. Give a brief summary, one page or less, of what this project is about.
ICS Industry Architecture Being Designed
This is arguably the most important part of the ICS architecture project. The logistical work done during this phase makes it possible to architect a successful ICS network. The origins of all problems experienced during the other phases can usually be traced back to a lack of planning and understanding of your project during this phase. You will describe the industry you are architecting this ICS network for.
1. Overview
Begin by describing the types of network designs commonly used to architect this network.
2. Statement of Need
Discuss the network needs of this architectural project. Your ICS network must include a SCADA network controlling at least two remote DCS networks. The SCADA network must securely share data with a traditional business IT network.
3. Detailed Description
Now that you know the types of network commonly found and used in this industry and you know the particular needs of this architectural project, address how you will design this ICS network.
ICS Network Architecture
Provide a brief description of what will occur during this phase. For example: this is the phase where you will describe the physical and logical design of your network, etc. This phase has three sections: Physical and Logical Designs; Protocols; and Devices.
1. Physical and Logical Designs
There are many physical and logical network designs possible. ICS networks usually have more than one physical and logical network solution. Describe your physical and logical ICS network designs here. Include Visio or Excel diagrams to graphically illustrate your designs.
A block of words is provided below to jog your mind: ring, star, bus, mesh, twisted pair, coax, fiber, microwave, satellite.
2. Protocols
This section is where you will document and describe the protocols in use, where, and why. The protocols listed should be represented in your network diagram(s). A block of words is provided below to jog your mind: DNP3, Fieldbus, Modbus, Profibus, Ethernet.
3. Devices
A list of devices should be provided with as much information as possible. Identify the open ports and services running on each. List them here and explain why you’ve chosen them. All devices listed should appear in your network diagram(s). Follow these steps:
a. Identify the device.
b. Identify what the device does.
c. Identify the open ports.
d. Identify the services running on these ports.
Example devices include, but are not limited to: router, firewall, IDS/IPS, honeypot, historian, PLC, RTU, IED, data acquisition server, HMI, protocol gateway, SCADA master station, sensors.
ICS Security Architecture
List each device you previously documented in “3. Devices”, but this time annotate how it will be secured. This will require you to research vendor documentation, industry best practices, and other authoritative sources. Identify known weaknesses of the devices and how you will mitigate them.
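One way to keep the device list from “3. Devices” (steps a–d) and the security annotations from the ICS Security Architecture section consistent with the network diagram, as an added example that is not part of the course template: the sample inventory, the diagram sets and the reference port table are constructed (502 and 20000 are the registered ports for Modbus/TCP and DNP3; the remaining entries and the cleartext-service list are assumptions).

```python
from dataclasses import dataclass, field

# Reference ports for a few services named in the template (assumed table;
# 502 and 20000 are the registered ports for Modbus/TCP and DNP3).
KNOWN_PORTS = {502: "modbus", 20000: "dnp3", 22: "ssh", 23: "telnet",
               80: "http", 443: "https"}
# Services that carry no authentication or encryption of their own (assumed list):
# the security architecture section must say how each one is protected.
CLEARTEXT = {"telnet", "http", "modbus", "dnp3"}

@dataclass
class Device:
    name: str                                        # step a: identify the device
    role: str                                        # step b: what the device does
    services: dict = field(default_factory=dict)     # steps c/d: open port -> service
    rationale: str = ""                              # why this device was chosen
    mitigations: dict = field(default_factory=dict)  # service -> how it is secured

def check_inventory(devices, diagram_devices, diagram_protocols):
    """Return a list of findings; an empty list means the inventory is consistent."""
    findings = []
    for d in devices:
        if d.name not in diagram_devices:
            findings.append(f"{d.name}: not in network diagram")
        if not d.rationale:
            findings.append(f"{d.name}: no rationale for choosing the device")
        for port, svc in d.services.items():
            if not svc:
                findings.append(f"{d.name}: port {port} open, no service documented")
                continue
            expected = KNOWN_PORTS.get(port)
            if expected and expected != svc:
                findings.append(f"{d.name}: port {port} documented as {svc}, usually {expected}")
            if svc in ("modbus", "dnp3") and svc not in diagram_protocols:
                findings.append(f"{d.name}: {svc} missing from protocol diagram")
            if svc in CLEARTEXT and svc not in d.mitigations:
                findings.append(f"{d.name}: cleartext {svc}/{port} has no documented mitigation")
    return findings

# Constructed sample inventory: two field devices plus a historian.
SAMPLE_DEVICES = [
    Device("PLC-1", "controls pump station A", {502: "modbus"}, "vendor-standard PLC",
           {"modbus": "reachable only from the SCADA master via firewall rule"}),
    Device("RTU-2", "telemetry for lift station B", {20000: "dnp3", 23: "telnet"}, "legacy RTU"),
    Device("HIST-1", "process historian", {443: "https", 1433: ""}),
]
SAMPLE_DIAGRAM_DEVICES = {"PLC-1", "RTU-2"}
SAMPLE_DIAGRAM_PROTOCOLS = {"modbus", "ethernet"}

if __name__ == "__main__":
    for line in check_inventory(SAMPLE_DEVICES, SAMPLE_DIAGRAM_DEVICES, SAMPLE_DIAGRAM_PROTOCOLS):
        print(line)
```

Each finding maps back to a template step or to the security architecture section, so the list doubles as a to-do list before the diagrams are finalized.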
Appendix

WILMINGTON UNIVERSITY
Course: SEC 6082 Final Research Paper
Instructor: Dirk Sweigart
Student: ___________________
Weighted Content: ______  CT: ______  Comm: ______  Weighted Rubric Score: __________

Performance levels: 1 Unsatisfactory, 2 Developing, 3 Competent, 4 Accomplished, 5 Exemplary
Knowledge of Content (50% of rubric score)

Assignment purpose
  1: Work does not reflect the assignment purpose
  2: Work marginally reflects the assignment purpose
  3: Work reflects the assignment purpose
  4: Work is accurately detailed and in line with course content
  5: Work stands out as exemplary, is accurately detailed, and is in line with course content

ICS industry being designed
  1: Minimal details of the ICS industry being designed
  2: Overview and description provide only basic information
  3: Overview and description provide general information
  4: Architecture section provides a detailed need and description
  5: Architecture section provides a clear and concise statement and description

ICS network architecture
  1: Does not include physical, logical, protocols or devices
  2: Includes a basic overview of physical, logical, protocols or devices
  3: Includes a general overview of the physical, logical, protocols or devices
  4: Includes a relatively detailed overview of physical, logical, protocols or devices
  5: Includes a clear and concise overview of the network architecture, including a detailed description of physical, logical, protocols or devices

ICS security architecture
  1: No description of ICS security architecture
  2: Basic description of ICS security architecture with no details on devices
  3: Includes a general description of ICS security architecture but minimal device details
  4: Includes a relatively detailed description of ICS security architecture along with device details
  5: Includes a clear and concise description of ICS security architecture and a detailed description of device security configurations

Appendices
  1: Does not include appendices
  2: Includes minimal appendices
  3: Includes a basic description of appendices with good content
  4: Includes detailed appendices that are appropriate to the content
  5: Includes clear and concise appendices that build on the main content

Figures and tables
  1: No figures or descriptions (these can be embedded)
  2: Minor figures but not very relevant
  3: Good figures, tables and descriptions appropriate to content
  4: Well-defined figures and tables appropriate to the content
  5: Figures and descriptions are the content and express the ideas beyond the text

References
  1: Ineffective documentation of research/support, or no professional references used
  2: Uses at least 2 professional references to support research, with poor integration
  3: Uses at least 3 professional references to support research, with adequate integration
  4: Uses at least 4 references and integrates them acceptably into the document
  5: Uses 5 or more references and integrates them clearly and concisely into the document
Critical Thinking (30% of rubric score)

Graphical data and information
  1: Ability to incorporate graphical data/info is lacking
  2: Ability to incorporate graphical data/info is emerging
  3: Ability to incorporate graphical data/info is basic
  4: Ability to incorporate graphical data/info and link key relationships is proficient
  5: Ability to incorporate graphical data/info and link key relationships is superior

Unique challenges of securing Industrial Control Systems
  1: Design does not discuss the impact of the unique challenges that exist in securing Industrial Control Systems
  2: Design marginally describes the impact of the unique challenges that exist in securing Industrial Control Systems
  3: Design assesses the impact of the unique challenges that exist in securing Industrial Control Systems
  4: Design effectively assesses the impact of the unique challenges that exist in securing Industrial Control Systems, with generalized solutions to address those challenges
  5: Design assesses in technical detail the impact of the unique challenges that exist in securing Industrial Control Systems, with customized solutions to address those challenges

Balancing security with process operations and productivity
  1: Design does not address methods to balance security with potential negative impact to process operations and productivity
  2: Design documents the need for balanced security but includes no discussion of how to achieve it
  3: Design provides a basic description of methods to balance security with potential negative impact to process operations and productivity
  4: Design provides a detailed description of methods to balance security with potential negative impact to process operations and productivity
  5: Design provides a clear and concise description of methods to balance security with potential negative impact to process operations and productivity

Options for security implementations
  1: Design does not provide any options for security implementations
  2: Design provides a small number of options for security implementations
  3: Design provides options for security implementations
  4: Design provides some options for security implementations with detailed guidance
  5: Design provides many options for security implementations with detailed guidance
Communications (Written) (20% of rubric score)

Sentence construction
  1: Sentences are not well constructed and often lack clarity; formats and patterns are repetitive
  2: Sentences are somewhat clear and well constructed, but lack variety in format and length
  3: Most sentences are clear and well constructed; some evidence of variety in format, length, and complexity
  4: Sentences are clear and well constructed; some evidence of variety in format, length, and complexity
  5: Varied, well-constructed sentences are evident throughout the document, with an appropriate stylistic flair

Spelling, punctuation and grammar
  1: Paper is riddled with spelling, punctuation, and/or grammatical errors
  2: Paper contains 5 or 6 spelling, punctuation, and/or grammatical errors
  3: Paper contains 3 or 4 spelling, punctuation, and/or grammatical errors
  4: Paper contains 1 or 2 spelling, punctuation, and/or grammatical errors
  5: No spelling, punctuation, and/or grammatical errors are readily apparent

APA style
  1: Paper is riddled with APA errors
  2: Paper contains 5 or 6 APA errors
  3: Paper contains 3 or 4 APA errors
  4: Paper contains 1 or 2 APA errors
  5: No APA errors are readily apparent

Executive summary
  1: Executive summary lacking or does not create interest
  2: Executive summary evident but not particularly engaging
  3: Executive summary creates interest and engages the audience
  4: Executive summary creates interest and engages the audience, sets the stage for the main presentation
  5: Creates interest, engages and involves the audience, sets the stage for the main presentation

Main points
  1: Main points are not clear or well organized; lacks supporting evidence and detail
  2: Main points are clear but not well developed; more supporting evidence and detail are needed
  3: Main points are clear and well developed; evidence and detail adequately support the presentation
  4: Main points are clear and well developed; evidence and detail provide strong support for the presentation
  5: Main points are clear and well developed, etc.; logical development is easy to follow

Conclusion
  1: No conclusion, paper just ends
  2: Conclusion exists but does not summarize
  3: Conclusion mentions main points
  4: Conclusion summarizes main points
  5: Conclusion summarizes and drives home main points

Presentation aids
  1: No presentation aids used
  2: Basic presentation aids used, either not well designed or not well integrated into the presentation
  3: Presentation aids are designed and integrated to communicate content but lack variety
  4: Presentation aids are well designed and integrated, as well as varied (some use of graphics/visual or sound effects)
  5: Presentation aids are of professional quality, enhancing the flow and persuasiveness (well-integrated graphs, video or other electronic media)