Uploaded byturveycharlyn
DOCX, PDF38 views

Tonight, March 5th – Class 7 (last class) your test” on ICS.docx

The document outlines key concepts of industrial control system (ICS) security, emphasizing the importance of network segmentation, access control, and the implementation of security measures to mitigate risks. It discusses a malicious cyber-attack case study involving the Maroochy Water Services in Australia, highlighting vulnerabilities within ICS frameworks. The guidelines provided aim to enhance the resilience of ICS against both insider and outsider threats through comprehensive risk management strategies.

Embed presentation

Download to read offline
Tonight, March 5th – Class 7 (last class) your “test” on ICS 210W (6,7). (100 pts) March 12 – no class research assignment due ICS210W (9,10) final cert (100, total 400) - enter the all pdfs for all 10 sessions! © 2016 Applied Control Engineering, Inc. NIST 800-82 Rev 2. 5. ICS Security Architecture 6. Applying Security Controls to ICS © 2016 Applied Control Engineering, Inc. ICS Security Architecture Network Segmentation and Segregation Logical network separation enforced by encryption or network device-enforced partitioning VLANS, Encrypted Virtual Private Networks (VPNs), Unidirectional gateways. Physical network separation to completely prevent any interconnectivity of traffic between domains. Network traffic filtering, Network layer filtering, State‐based filtering Port and/or protocol level filtering Application filtering including application-level firewalls, proxies, and content-based filters.
© 2016 Applied Control Engineering, Inc. ICS Security Architecture Network Segmentation and Segregation Four common themes that implement the concept of defense-in- depth by providing for good network segmentation and segregation: Apply technologies at more than just the network layer. Each system and network should be segmented and segregated, where possible, from the data link layer up to and including the application layer. Use the principles of least privilege and need‐to‐know. If a system doesn’t need to communicate with another system, it should not be allowed to. If a system needs to talk only to another system on a specific port or protocol and nothing else– or it needs to transfer a limited set of labeled or fixed-format data, it should be restricted as such. Separate information and infrastructure based on security requirements. This may include using different hardware or platforms based on different threat and risk environments in which each system or network segment operates. The most critical components require more strict isolation from other components. In addition to network separation, the use of virtualization could be employed to accomplish the required isolation. Implement whitelisting instead of blacklisting; that is, grant access to the known good, rather than denying access to the known bad. The set of applications that run in ICS is essentially static. Look at the details and examples from section 5. This is
important to your final paper! © 2016 Applied Control Engineering, Inc. 5.1 Network Segmentation and Segregation 5-1 5.2 Boundary Protection .5-3 5.3 Firewalls .5-4 5.4 Logically Separated Control Network 5-6 5.5 Network Segregation 5-7 5.5.1 Dual-Homed Computer/Dual Network Interface Cards (NIC) 5-7 5.5.2 Firewall between Corporate Network and Control Network 5-7 5.5.3 Firewall and Router between Corporate Network and Control Network 5-9 5.5.4 Firewall with DMZ between Corporate Network and Control Network . 5-10 5.5.5 Paired Firewalls between Corporate Network and Control Network 5-12 5.5.6 Network Segregation Summary 5-13 5.6 Recommended Defense-in-Depth Architecture. 5-13 5.7 General Firewall Policies for ICS 5-14 ICS Security Architecture © 2016 Applied Control Engineering, Inc. 5.8 Recommended Firewall Rules for Specific Services . 5-16 5.8.1 Domain Name System (DNS) . 5-17 5.8.2 Hypertext Transfer Protocol (HTTP) . 5-17 5.8.3 FTP and Trivial File Transfer Protocol (TFTP) 5-17 5.8.4 Telnet . 5-17 5.8.5 Dynamic Host Configuration Protocol (DHCP) . 5-18 5.8.6 Secure Shell (SSH) 5-18 5.8.7 Simple Object Access Protocol (SOAP) . 5-18
5.8.8 Simple Mail Transfer Protocol (SMTP) . 5-18 5.8.9 Simple Network Management Protocol (SNMP) . 5-18 5.8.10 Distributed Component Object Model (DCOM) . 5-19 5.8.11 SCADA and Industrial Protocols . 5-19 5.9 Network Address Translation (NAT) . 5-19 ICS Security Architecture © 2016 Applied Control Engineering, Inc. 5.10 Specific ICS Firewall Issues . 5-20 5.10.1 Data Historians 5-20 5.10.2 Remote Support Access . 5-20 5.10.3 Multicast Traffic 5-20 5.11 Unidirectional Gateways . 5-21 5.12 Single Points of Failure . 5-21 5.13 Redundancy and Fault Tolerance . 5-21 5.14 Preventing Man-in-the-Middle Attacks 5-22 5.15 Authentication and Authorization 5-24 5.15.1 ICS Implementation Considerations . 5-25 5.16 Monitoring, Logging, and Auditing 5-25 5.17 Incident Detection, Response, and System Recovery 5-25 ICS Security Architecture © 2016 Applied Control Engineering, Inc. Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Step 1: Categorize Information Systems Step 2: Select Security Controls Step 3: Implement Security Controls Step 4: Assess Security Controls Step 5: Authorize Information System Step 6: Monitor Security Controls
This is what your previous assignment was about. © 2016 Applied Control Engineering, Inc. Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Access Control – Role-based, Wireless, VLANs, web-servers, Dial-up Awareness and Training Audit and Accountability Security Assessment and Authorization Configuration Management Contingency Planning /Business Continuity – identify the recovery objective, DRP Identification and Authentication – Password, 2-Factor, Biometric, Smart Cards, Tokens © 2016 Applied Control Engineering, Inc. 9 Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Incident Response – symptoms of an incident Unusually heavy network traffic. Out of disk space or significantly reduced free disk space. Unusually high CPU usage. Creation of new user accounts. Attempted or actual use of administrator-level accounts. Locked-out accounts. Account in-use when the user is not at work.
Cleared log files. Full log files with unusually large number of events. Antivirus or IDS alerts. Disabled antivirus software and other security controls. Unexpected patch changes. Machines connecting to outside IP addresses. Requests for information about the system (social engineering attempts). Unexpected changes in configuration settings. Unexpected system shutdown. Plan a response - Classification of Incidents; Response Actions; Recovery Actions. © 2016 Applied Control Engineering, Inc. 10 Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Maintenance Media Protection Physical and Environmental Protection Planning Personnel Security Hiring Policies Organization Policies and Practices Terms and Conditions of Employment Risk Assessment System and Services Acquisition System and Communications Protection – Encryption, VPNs System and Information Integrity Virus detection and malicious code Intrusion detection
Patch management Program Management Privacy Controls © 2016 Applied Control Engineering, Inc. 11 Good Luck with your Career! Please fill out the IDEA survey! Spring B1 2018 IDEA surveys are available to students. Students can access their surveys by entering their full Wilmington University email address and password at wilmu.campuslabs.com/courseeval. Faculty are encouraged to promote student participation in the IDEA survey. Faculty can view real-time response rates, as well as past survey results via https://wilmu.campuslabs.com/faculty. (Please note that survey histories begin with Fall 2016 course reports). © 2016 Applied Control Engineering, Inc. 12 © 2016 Applied Control Engineering, Inc. © 2008 The MITRE Corporation. All rights Reserved.
Malicious Control System Cyber Security Attack Case Study– Maroochy Water Services, Australia Marshall D. Abrams, The MITRE Corporation Joe Weiss, Applied Control Solution s, LLC Annual Computer Security Applications Conference December 2008 © 2008 The MITRE Corporation. All rights Reserved. 2 NIST Industrial Control System (ICS) Cyber Security Project ■ Objective: to improve the cyber security of federally
owned/operated ICS ■ ICS pervasive throughout all critical infrastructures ■ Improve the security of public and private sector ICS – Work with voluntary industry standards groups (e.g., The Instrumentation, Systems, and Automation Society – ISA) oAssist in ICS cyber security standards and guideline development oFoster ICS cyber security standards convergence – Raise the level of ICS security through R&D and testing ■ Purpose of case studies is to focus in on factors otherwise overlooked, not to ascribe any blame © 2008 The MITRE Corporation. All rights Reserved. 3 NIST Cyber Security Strategic Vision
■ Promote the development of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act (FISMA) ■ Build a solid foundation of information security across one of the largest information technology infrastructures in the world based on comprehensive security standards and technical guidance. ■ Institutionalize a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies. ■ Establish a fundamental level of “security due diligence” for federal agencies and their contractors based on minimum security requirements and security controls. © 2008 The MITRE Corporation. All rights Reserved. 4
The Current Landscape dependent on information systems to carry out their missions and business functions. systems become open and internet-connected, thus putting the national services critical infrastructure at risk. usiness success, enterprise information systems must be dependable in the face of serious cyber threats. must be appropriately protected. © 2008 The MITRE Corporation. All rights Reserved. 5 The Threat Situation
■ ICS are becoming more open making them vulnerable to intentional and unintentional cyber threats ■ Effects of errors and omissions increasingly catastrophic ■ Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated ■ Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising information systems ■ Significant exfiltration of critical and sensitive information and implantation of malicious software occurring on a regular basis ■ Largely untutored work force with little interest in IT security ■ ICS community diverse using different protocols (many archaic) © 2008 The MITRE Corporation. All rights Reserved.
6 NIST ICS Project Deliverables ■ Support public & private sectors, and standards organizations that want to use NIST Standards & Guidelines for ICS ■ Evolve SP 800-53 Recommended Security Controls for Federal Information Systems to better address ICS – Revision 2 published December 2007 – Revision 3 first public draft scheduled for (end of) December 2008 ■ Develop SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security – Second draft September 2007 – Final in 2009 © 2008 The MITRE Corporation. All rights Reserved.
7 Case Study Overview ■ Examine actual control system cyber event – Resulted in significant environmental and economic damage – Malicious attack by knowledgeable insider, who had been a trusted contractor employee – Timelines, control system response, and control system policies ■ Identify operating policies and procedures that were missing or had readily identifiable cyber security vulnerabilities ■ Identify NIST SP 800-53 management, operational, and technical safeguards or countermeasures that, if implemented, could have prevented or ameliorated the event © 2008 The MITRE Corporation. All rights Reserved.
Attack Synopsis ■ Vitek Boden worked for Hunter Watertech, an Australian firm that installed SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia (a rural area of great natural beauty and a tourist destination ) – Applied for a job with the Maroochy Shire Council – Walked away from a “strained relationship” with Hunter Watertech – The Council decided not to hire him – Boden decided to get even with both the Council and his former employer ■ On at least 46 occasions issued radio commands to the sewage equipment – Caused 800,000 liters of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel – Marine life died, the creek water turned black and the stench was unbearable for residents
8 © 2008 The MITRE Corporation. All rights Reserved. Time Line ■ 1997-December 1999 – Boden employed by Hunter Watertech ■ December 3, 1999 – Boden resigns from Hunter Watertech ■ Early December 1999 – Boden seeks City Council employment ■ Early January 2000 – Boden turned down ■ February 9-April 23, 2000 – SCADA system experiences series of faults ■ March 16, 2000 – Hunter Watertech investigator tried to troubleshoot system ■ April 19, 2000 – Log indicates system program had been run at least 31 times
■ April 23, 2000 – Boden disabled alarms at four pumping stations using the identification of pumping station 4. ■ April 23, 2000 – Boden pulled over by police with computer equipment in car ■ October 31, 2001 – Boden convicted in trial – sentenced to 2 years ■ March 21, 2002 – Appeal rejected 9 © 2008 The MITRE Corporation. All rights Reserved. Evidence Found in Boden’s Vehicle ■ Laptop – Reloaded February 28, 2000 – Software used in the sewerage system (re)installed February 29 o Run at least 31 times prior to April 19
o Last run on April 23 ■ Motorola M120 two-way radio same type used in the Council’s system – Tuned into the frequencies of the repeater stations – Serial numbers matched delivery docket provided by the supplier of the radios to Hunter Watertech ■ PDS Compact 500 computer control device – Address set to spoof pumping station – Serial number identified it as a device which should have been in the possession of Hunter Watertech 10 © 2008 The MITRE Corporation. All rights Reserved. Observations (1/2)
■ Boden was an insider who was never an employee of the organization he attacked – Employee of contractor that supplied IT/control system technology – With his knowledge he was the “ultimate insider” ■ Contractor’s responsibilities unstated or inadequate – Management, technical and operational cyber security controls – Personnel security controls o Background investigations o Protection from disgruntled employees ■ As a skillful adversary, Boden was able to disguise his actions – A number of anomalous events occurred before recognition that the incidents were intentional – Extensive digital forensics were required to determine that a deliberate attack was underway ■ No existing cyber security policies or procedures ■ No cyber security defenses
11 © 2008 The MITRE Corporation. All rights Reserved. Observations (2/2) ■ Difficult to differentiate attacks from malfunctions ■ When/why is it important to determine whether intentional attack, or unintentional flaw or error? ■ Difficult to protect against insider attacks ■ Radio communications commonly used in SCADA systems are often insecure or improperly configured ■ SCADA devices and software should be secured to the extent possible using physical and logical controls ■ Security controls often not implemented or used properly ■ Generally SCADA systems lack adequate logging mechanisms for forensic purposes ■ Also recommended
• Anti- encryption • Upgrade-able SCADA systems (from a security perspective) 12 © 2008 The MITRE Corporation. All rights Reserved. 13 SP 800-53 Security Control Classes, Families, and Identifiers © 2008 The MITRE Corporation. All rights Reserved. SP 800-53 Pervasive Cyber Security Prophylactic Controls PROBLEM CONTROL FAMILY
Policy and Procedures The first control in every control family addresses policy and procedure. Personnel Security Personnel Security (PS) Hardware & Software System and Services Acquisition (SA) Awareness and Training Awareness and Training (AT) Audit Audit and Accountability (AU) Contingency Planning Contingency Planning (CP) Incident Response Incident Response (IR) Cryptographic Protection System and Communications Protection (SC)
14 © 2008 The MITRE Corporation. All rights Reserved. SP 800-53 Controls for Malicious Activities MALICIOUS ACTIVITY CONTROL FAMILY Issuing radio commands Access Control (AC) Identification and Authentication (IA) Falsifying network address Access Control (AC) Sending false data
and instructions System and Information Integrity (SI) Disabling alarms 15 © 2008 The MITRE Corporation. All rights Reserved. Access Control (AC) AC-1 Access Control Policy and Procedures AC-11 Session Lock AC-2 Account Management AC-12 Session Termination AC-3 Access Enforcement AC-13 Supervision and Review— Access Control AC-4 Information Flow Enforcement AC-14 Permitted Actions without
Identification or Authentication AC-5 Separation of Duties AC-15 Automated Marking AC-6 Least Privilege AC-16 Automated Labeling AC-7 Unsuccessful Login Attempts AC-17 Remote Access AC-8 System Use Notification AC-18 Wireless Access Restrictions AC-9 Previous Logon Notification AC-19 Access Control for Portable and Devices AC-10 Concurrent Session Control AC-20 Use of External Information Systems 16
■ A combination of access controls would have alleviated or prevented the attack ■ Tightly coupled with Identification and Authentication © 2008 The MITRE Corporation. All rights Reserved. Learning From the 2000 Maroochy Shire Cyber Attack ■ Public record of an intentional, targeted attack by a knowledgeable person on an industrial control system teaches us to consider: – Critical physical, administrative, and supply chain vulnerabilities – Vulnerabilities coming from suppliers or others outside the organization – Contractor and sub-contractor personnel as a potential attack source ■ Need to be concerned with both inside & outside attack ■ Difficulty in identifying a control system cyber incident as a
malicious attack and retaking control of a “hijacked” system ■ A determined, knowledgeable adversary could potentially defeat most controls ■ Structured defense-in-depth security is best 17 © 2008 The MITRE Corporation. All rights Reserved. 18 Additional Information ■Authors – Marshall Abrams <[email protected]> – Joe Weiss <[email protected]> ■ Incident – See references in paper ■Case Study
– http://csrc.nist.gov/sec-cert/ics/papers.html ■NIST Industrial Control System Security Project – http://csrc.nist.gov/sec-cert/ics/index.html ■NIST Project Managers – Stu Katzke <[email protected]> – Keith Stouffer <[email protected]> http://csrc.nist.gov/sec-cert/ics/papers.html http://csrc.nist.gov/sec-cert/ics/papers.html ICS ARCHITECTURE FINAL PROJECT TEMPLATE ICS Architecture Final Project Template
SEC6082 Your Name Running Head: ICS Architecture Final Project Template Table of Contents Executive SummaryX ICS Industry Architecture Being DesignedX OverviewX Statement of NeedX Detailed DescriptionX ICS Network ArchitectureX Physical and Logical DesignsX ProtocolsX DevicesX ICS Security ArchitectureX Device Security ConfigurationX Device Security ConfigurationX Device Security ConfigurationX EtcX AppendixX *Comprehensive Network MapX Example: Device Data FlowsX Example: Security Design DocumentsX
Example: Intrusion Detection SystemX Example: Honeypot ConfigurationX *The comprehensive network map must include all devices and communication protocols. List of Tables and Figures Figure 1. Example: Total Network DesignX Figure 2. Example: Device Data FlowX Figure 3. Example: Intrusion Detection SystemX Figure 4. Example: Honeypot ConfigurationX Executive Summary An Executive Summary provides a brief overview for C-level Executives who only need to know what the material is about, not the details of the material. Give a brief summary, one page
or less, of what this project is about. ICS Industry Architecture Being Designed This is arguably the most important part of the ICS architecture project. The logistical work done during this phase makes it possible to architect a successful ICS network. The origins of all problems experienced during the other phases can usually be tracked back to a lack of planning and understanding of your project during this phase. You will describe the industry you are architecting this ICS network for. 1. Overview Begin describing the types of network designs commonly used to architect this network. 2. Statement of Need Discuss the network needs of this architectural project. Your ICS network must include a SCADA network controlling at least two remote DCS networks. The SCADA network must securely share data with a traditional business IT network. 3. Detailed Description Now that you know the types of network commonly found and used in this industry and you know the particular needs of this architectural project, address how you will design this ICS network.
ICS Network Architecture Provide a brief description of what will occur during this phase. For example: This is the phase where you will describe the physical and logical design of your network, etc. This phase has three sections: Physical and Logical Designs; Protocols; and Devices. 1. Physical and Logical Designs There are many physical and logical network designs possible. ICS networks usually have more than one physical and logical network solution. Describe your physical and logical ICS network designs here. Include Visios or Excel designs to graphically illustrate your designs. A block of words is provided below to jog your mind: Ring, star, bus, mesh, twisted pair, coax, fiber, microwave, satellite. 2. Protocols This section is where you will document and describe the protocols in use, where, and why. The protocols listed should be represented in your network diagram(s). A block of words is provided below to jog your mind: DNP3, Fieldbus, Modbus, Profibus, Ethernet. 3. Devices A list of devices should be provided with as much information as possible. Identify the open ports and services running on each. List them here and explain why you’ve chosen them. All
devices listed should appear in your network diagram(s). Follow these steps below: a. Identify the device. b. Identify what the device does. c. Identify the open ports. d. Identify the services running on these ports. Example devices include, but are not limited to: Router, firewall, IDS/IPS, Honeypot, Historian, PLC, RTU, IED, data acquisition server, HMI, protocol gateway, SCADA master station, sensors. ICS Security Architecture List each device you previously documented in “3. Devices” but this time annotate how they will be secured. This will require you to research vendor documentation, industry best practices, and other authoritative sources. Identify known weaknesses of the devices and how you will mitigate them.
Reference
Appendix WILMINGTON UNIVERSITY Course: SEC 6082 Final Research Paper Instructor: Dirk Sweigart Student:___________________ Weighted Content:______CT:______Comm:______ Weighted Rubric Score:__________ _ Performance Unsatisfactory 1 Developing 2 Competent 3 Accomplished
4 Exemplary 5 Knowledge of Content 50% of rubric score Work does not reflect the assignment purpose Work marginally reflects the assignment purpose Work reflects the assignment purpose Work is accurately detailed, and in line with course content Work stands-out as exemplary, is accurately detailed, and in
line with course content Minimal details of ICS Industry being designed Overview and description provides only basic information Overview and Description provides general information Architecture section provides a detailed need and description Architecture section provides a clear and concise statement and description Does not include physical, logical, protocols or devices Includes a basic overview of physical, logical, protocols or devices Includes a general overview of the physical, logical, protocols or devices Includes a relatively detailed overview physical, logical, protocols or devices Includes a clear and concise overview of the network architecture including detailed description physical, logical, protocols or devices No description of ICS security architecture Basic description of ICS security architecture with no details on devices Includes a general description of of ICS security architecture but minimal device details
Includes a relatively detailed description of ICS security architecture along with device details Includes a clear and concise description of ICS security architecture and detailed description of device security configurations Does not include appendices Includes minimal appendices Include basic description of appendixes with good content Include detailed appendices that are appropriate to the content Include clear and concise appendices that build on the main content. No figures or descriptions (these can be embedded) Minor figures but not very relevant Good figures, tables and descriptions appropriate to content Well-defined figures and tables appropriate to the content Figures and descriptions are the content and express the ideas beyond the text. Ineffective documentation of research/support or 0 Prof references used Uses at least 2 Prof ref to support research with poor integration Uses at least 3 Prof ref to support research with adequate integration
Uses at least 4 references and integrates them acceptably into the document Uses 5 or more references and integrates them clearly and concisely into the document Unsatisfactory Developing Competent Accomplished Exemplary Critical Thinking 30% of rubric score Ability to incorporate graphical data/info is lacking Ability to incorporate graphical data/info is emerging Ability to incorporate graphical data/info is basic Ability to incorporate graphical data/info & link key relationships is proficient Ability to incorporate graphical data/info & link key relationships is superior Design does not discuss the impact of the unique challenges that
exist in securing Industrial Control Systems Design marginally describes the impact of the unique challenges that exist in securing Industrial Control Systems Design assesses the impact of the unique challenges that exist in securing Industrial Control Systems Design effectively assess the impact of the unique challenges that exist in securing Industrial Control Systems with generalized solutions to address those challenges Design assess in technical detail the impact of the unique challenges that exist in securing Industrial Control Systems with customized solutions to address those challenges Design does not address methods to balance security with potential negative impact to process operations and productivity. Design documents need for balanced security but includes no discussion of how to achieve it. Design provides a basic description of methods to balance security with potential negative impact to process operations and productivity. Design provides a detailed description of methods to balance security with potential negative impact to process operations and productivity. Design provides a clear and concise description of methods to balance security with potential negative impact to process
operations and productivity. Design does not provide any options for security implementations Design provides a small number of options for security implementations Design provides options for security implementations Design provides some options for security implementations with detailed guidance Design provides lots of options for security implementations with detailed guidance Unsatisfactory Developing Competent Accomplished Exemplary Communications (Written)20% of rubric score Sentences are not well-constructed and often lack clarity.
Formats and patterns are repetitive Sentences are somewhat clear and well constructed, but lack variety in format& length Most sentences are clear and well-constructed some evidence of variety in format, length, and complexity. Sentences are clear and well-constructed - Some evidence of variety in format, length, and complexity Varied well-constructed sentences are evident throughout the document with an appropriate stylistic flair Paper is riddled with spelling, punctuation, and/or grammatical errors Paper contains 5 or 6 spelling, punctuation, and/or grammatical errors Paper contains 3 or 4 spelling, punctuation, and/or grammatical errors Paper contains 1 or 2 spelling, punctuation, and/or grammatical errors No spelling, punctuation, and/or grammatical errors are readily apparent Paper is riddled with APA errors Paper contains 5 or 6 APA errors Paper contains 3 or 4 APA errors Paper contains 1 or 2 APA
errors No APA errors are readily apparent Executive summary lacking or does not create interest Executive summary evident but not particularly engaging Executive summary creates interest and engages the audience Executive summary creates interest and engages the audience, sets the stage for the main presentation Creates interest, engages and involves the audience, sets stage for the main presentation Main points are not clear or well organized - Lacks supporting evidence and detail Main points are clear but not well developed - More supporting evidence and detail are needed Main points are clear and well developed - Evidence and detail adequately support the presentation Main points are clear and well developed. Evidence and detail provide strong support for the presentation Main points are clear and well developed - Etc. Logical development is easy to follow
No conclusion, paper just ends Conclusion exists but does not summarize Conclusion mentions main points Conclusion summarizes main points Conclusion summarizes and drives home main points. No presentation aids used Basic presentation aids used, either not well designed or well integrated into the presentation Presentation aids are designed and integrated to communicate content but lack variety Presentation aids are well designed & integrated, as well as varied (some use of graphics/visual or sound effects) Presentation aids are of professional quality, enhancing the flow and persuasiveness (well integrated graphs, video or other electronic media)

More Related Content

PPT
Industrial control systems cybersecurity.ppt
byDelforChacnCornejo
 
PDF
ICS security
byAhmed Shitta
 
PPT
Control system including PLC cybersecurity
byDr.Maged Mikhail
 
PPT
Power Grid Communications & Control Systems
byfajjarrehman
 
PPTX
ICS_Security_Use_Case_Presentation (1).pptx
bySubhashriC
 
PDF
Cybersecurity Practices for Industrial Control Systems
byholloworangutanxjej
 
PPTX
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
byEric Andresen
 
PDF
Guide to industrial control systems (ics) security
byericv83
 
Industrial control systems cybersecurity.ppt
byDelforChacnCornejo
 
ICS security
byAhmed Shitta
 
Control system including PLC cybersecurity
byDr.Maged Mikhail
 
Power Grid Communications & Control Systems
byfajjarrehman
 
ICS_Security_Use_Case_Presentation (1).pptx
bySubhashriC
 
Cybersecurity Practices for Industrial Control Systems
byholloworangutanxjej
 
Securing Industrial Control Systems - CornCON II: The Wrath Of Corn
byEric Andresen
 
Guide to industrial control systems (ics) security
byericv83
 

Similar to Tonight, March 5th – Class 7 (last class) your test” on ICS.docx

PDF
Nist.sp.800 82r2
byvimal Kumar Gupta
 
PPT
industrialcontrolsystemscybersecurity-230201070859-90cfc987 (1).ppt
byJotiramShinde4
 
PDF
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
byTI Safe
 
PDF
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
byResilient Systems
 
PDF
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
byHoneywell
 
PDF
Securing Industrial Control System
byHemanth M
 
PPTX
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
byDawn Yankeelov
 
PDF
Nist 800 82
bymajolic
 
PDF
How to Get into ICS Security byChris Sistrunk
byEC-Council
 
PPTX
Hacker Halted 2016 - How to get into ICS security
byChris Sistrunk
 
PDF
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
byJiunn-Jer Sun
 
PDF
amrapali builders -- maroochy water-services-case-study briefing.pdf
byamrapalibuildersreviews
 
PDF
Cyber security for manufacturers umuc cadf-ron mcfarland
byHighervista
 
PDF
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
byShakeel Ali
 
PPTX
Computer security aspects in
byVishnu Suresh
 
PDF
Cybersecurity For Industrial Control Systems Scada Dcs Plc Hmi And Sis 1st Ed...
byjnjnoguu1594
 
PDF
BOSNOG NAC stack 2018
byGENIANS, INC.
 
PDF
Sb securing-industrial-control-systems-with-fortinet
byIvan Carmona
 
PPTX
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
ODP
Securing control systems v0.4
byCrispnCrunch
 
Nist.sp.800 82r2
byvimal Kumar Gupta
 
industrialcontrolsystemscybersecurity-230201070859-90cfc987 (1).ppt
byJotiramShinde4
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
byTI Safe
 
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
byResilient Systems
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
byHoneywell
 
Securing Industrial Control System
byHemanth M
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
byDawn Yankeelov
 
Nist 800 82
bymajolic
 
How to Get into ICS Security byChris Sistrunk
byEC-Council
 
Hacker Halted 2016 - How to get into ICS security
byChris Sistrunk
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
byJiunn-Jer Sun
 
amrapali builders -- maroochy water-services-case-study briefing.pdf
byamrapalibuildersreviews
 
Cyber security for manufacturers umuc cadf-ron mcfarland
byHighervista
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
byShakeel Ali
 
Computer security aspects in
byVishnu Suresh
 
Cybersecurity For Industrial Control Systems Scada Dcs Plc Hmi And Sis 1st Ed...
byjnjnoguu1594
 
BOSNOG NAC stack 2018
byGENIANS, INC.
 
Sb securing-industrial-control-systems-with-fortinet
byIvan Carmona
 
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
Securing control systems v0.4
byCrispnCrunch
 

More from turveycharlyn

DOCX
Exam #3 ReviewChapter 10· Balance of payment statements · .docx
byturveycharlyn
 
DOCX
Evolving Role of the Nursing Informatics Specialist Ly.docx
byturveycharlyn
 
DOCX
eworkMarket45135.0 (441)adminNew bid from Madam Cathy.docx
byturveycharlyn
 
DOCX
Evolving Technology Please respond to the following Analyze t.docx
byturveycharlyn
 
DOCX
Evolving Health Care Environment and Political ActivismRead and .docx
byturveycharlyn
 
DOCX
Evolving Families PresentationPrepare a PowerPoint presentatio.docx
byturveycharlyn
 
DOCX
EvolutionLets keep this discussion scientific! I do not want .docx
byturveycharlyn
 
DOCX
Evolutionary Theory ApproachDiscuss your understanding of .docx
byturveycharlyn
 
DOCX
Evolution or change over time occurs through the processes of natura.docx
byturveycharlyn
 
DOCX
Evolution, Religion, and Intelligent DesignMany people mistakenl.docx
byturveycharlyn
 
DOCX
Evolution of Millon’sPersonality PrototypesJames P. Choc.docx
byturveycharlyn
 
DOCX
Evolution and Its ProcessesFigure 1 Diversity of Life on Eart.docx
byturveycharlyn
 
DOCX
Evolution in Animals and Population of HumansHumans belong t.docx
byturveycharlyn
 
DOCX
Evolution of Seoul City in South KoreaHow the City changed s.docx
byturveycharlyn
 
DOCX
evise your own definition of homegrown terrorism. Then using t.docx
byturveycharlyn
 
DOCX
eview the Paraphrasing tutorial here (Links to an external sit.docx
byturveycharlyn
 
DOCX
Evidenced-Based Practice- Sample Selection and Application .docx
byturveycharlyn
 
DOCX
Evidenced-Based Practice- Evaluating a Quantitative Research S.docx
byturveycharlyn
 
DOCX
eview the Captain Edith Strong case study in Ch. 6 of Organi.docx
byturveycharlyn
 
DOCX
Evidenced based practice In this writing, locate an article pert.docx
byturveycharlyn
 
Exam #3 ReviewChapter 10· Balance of payment statements · .docx
byturveycharlyn
 
Evolving Role of the Nursing Informatics Specialist Ly.docx
byturveycharlyn
 
eworkMarket45135.0 (441)adminNew bid from Madam Cathy.docx
byturveycharlyn
 
Evolving Technology Please respond to the following Analyze t.docx
byturveycharlyn
 
Evolving Health Care Environment and Political ActivismRead and .docx
byturveycharlyn
 
Evolving Families PresentationPrepare a PowerPoint presentatio.docx
byturveycharlyn
 
EvolutionLets keep this discussion scientific! I do not want .docx
byturveycharlyn
 
Evolutionary Theory ApproachDiscuss your understanding of .docx
byturveycharlyn
 
Evolution or change over time occurs through the processes of natura.docx
byturveycharlyn
 
Evolution, Religion, and Intelligent DesignMany people mistakenl.docx
byturveycharlyn
 
Evolution of Millon’sPersonality PrototypesJames P. Choc.docx
byturveycharlyn
 
Evolution and Its ProcessesFigure 1 Diversity of Life on Eart.docx
byturveycharlyn
 
Evolution in Animals and Population of HumansHumans belong t.docx
byturveycharlyn
 
Evolution of Seoul City in South KoreaHow the City changed s.docx
byturveycharlyn
 
evise your own definition of homegrown terrorism. Then using t.docx
byturveycharlyn
 
eview the Paraphrasing tutorial here (Links to an external sit.docx
byturveycharlyn
 
Evidenced-Based Practice- Sample Selection and Application .docx
byturveycharlyn
 
Evidenced-Based Practice- Evaluating a Quantitative Research S.docx
byturveycharlyn
 
eview the Captain Edith Strong case study in Ch. 6 of Organi.docx
byturveycharlyn
 
Evidenced based practice In this writing, locate an article pert.docx
byturveycharlyn
 

Recently uploaded

PDF
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 
PPTX
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
PDF
Unit3 Phases and process of curriculum development.pdf
byziaoria016
 
PPTX
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PDF
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
PPTX
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
PDF
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
PDF
Family and Marriage __ Sociology __ Jhasketan Kuanar __ NURSING VIBE ONLY .pdf
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
PDF
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
PPTX
ECP Demo ppt.pptx Visualizing and Identifying solid figures using concrete an...
byireneodechavez1
 
PPTX
How to Manage Checkout Policy & Customer Portal in Odoo 18 Website
byCeline George
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PPTX
Chapter 1: Introduction to Strategic Management.pptx
byFJ M
 
PPTX
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
PPTX
Math 8 Quarter 4 Week 3 PRIMARY DATA.pptx
byshahanieabbat3
 
PPTX
Lesson_1 Acceleration.pptx_Science 8-4th quarter
byAnnabelAlarcon
 
PPTX
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
PDF
Pharmaceutical Quality Assurance Unit 1 (BP606T)
byChetan Mali
 
PPTX
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
Unit3 Phases and process of curriculum development.pdf
byziaoria016
 
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
Math 8 Quarter 4 Week 4-SECONDARY DATA.pptx
byshahanieabbat3
 
Beyond the Absurd: A Comparative Reading of Waiting for Godot and the Bhagava...
byKruti Vyas
 
Family and Marriage __ Sociology __ Jhasketan Kuanar __ NURSING VIBE ONLY .pdf
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
Judgement Regarding Land Acquisition Act not Applicable to Encroachers.pdf
byssuser9d8e4e
 
ECP Demo ppt.pptx Visualizing and Identifying solid figures using concrete an...
byireneodechavez1
 
How to Manage Checkout Policy & Customer Portal in Odoo 18 Website
byCeline George
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
Chapter 1: Introduction to Strategic Management.pptx
byFJ M
 
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
Math 8 Quarter 4 Week 3 PRIMARY DATA.pptx
byshahanieabbat3
 
Lesson_1 Acceleration.pptx_Science 8-4th quarter
byAnnabelAlarcon
 
How to Manage Reservation Method in Odoo 18 Inventory
byCeline George
 
Pharmaceutical Quality Assurance Unit 1 (BP606T)
byChetan Mali
 
Greengnorance Toolkit Module 3 Shopping and Food
byKarl Donert
 

Tonight, March 5th – Class 7 (last class) your test” on ICS.docx

  • 1.
    Tonight, March 5th– Class 7 (last class) your “test” on ICS 210W (6,7). (100 pts) March 12 – no class research assignment due ICS210W (9,10) final cert (100, total 400) - enter the all pdfs for all 10 sessions! © 2016 Applied Control Engineering, Inc. NIST 800-82 Rev 2. 5. ICS Security Architecture 6. Applying Security Controls to ICS © 2016 Applied Control Engineering, Inc. ICS Security Architecture Network Segmentation and Segregation Logical network separation enforced by encryption or network device-enforced partitioning VLANS, Encrypted Virtual Private Networks (VPNs), Unidirectional gateways. Physical network separation to completely prevent any interconnectivity of traffic between domains. Network traffic filtering, Network layer filtering, State‐based filtering Port and/or protocol level filtering Application filtering including application-level firewalls, proxies, and content-based filters.
  • 2.
    © 2016 AppliedControl Engineering, Inc. ICS Security Architecture Network Segmentation and Segregation Four common themes that implement the concept of defense-in- depth by providing for good network segmentation and segregation: Apply technologies at more than just the network layer. Each system and network should be segmented and segregated, where possible, from the data link layer up to and including the application layer. Use the principles of least privilege and need‐to‐know. If a system doesn’t need to communicate with another system, it should not be allowed to. If a system needs to talk only to another system on a specific port or protocol and nothing else– or it needs to transfer a limited set of labeled or fixed-format data, it should be restricted as such. Separate information and infrastructure based on security requirements. This may include using different hardware or platforms based on different threat and risk environments in which each system or network segment operates. The most critical components require more strict isolation from other components. In addition to network separation, the use of virtualization could be employed to accomplish the required isolation. Implement whitelisting instead of blacklisting; that is, grant access to the known good, rather than denying access to the known bad. The set of applications that run in ICS is essentially static. Look at the details and examples from section 5. This is
  • 3.
    important to yourfinal paper! © 2016 Applied Control Engineering, Inc. 5.1 Network Segmentation and Segregation 5-1 5.2 Boundary Protection .5-3 5.3 Firewalls .5-4 5.4 Logically Separated Control Network 5-6 5.5 Network Segregation 5-7 5.5.1 Dual-Homed Computer/Dual Network Interface Cards (NIC) 5-7 5.5.2 Firewall between Corporate Network and Control Network 5-7 5.5.3 Firewall and Router between Corporate Network and Control Network 5-9 5.5.4 Firewall with DMZ between Corporate Network and Control Network . 5-10 5.5.5 Paired Firewalls between Corporate Network and Control Network 5-12 5.5.6 Network Segregation Summary 5-13 5.6 Recommended Defense-in-Depth Architecture. 5-13 5.7 General Firewall Policies for ICS 5-14 ICS Security Architecture © 2016 Applied Control Engineering, Inc. 5.8 Recommended Firewall Rules for Specific Services . 5-16 5.8.1 Domain Name System (DNS) . 5-17 5.8.2 Hypertext Transfer Protocol (HTTP) . 5-17 5.8.3 FTP and Trivial File Transfer Protocol (TFTP) 5-17 5.8.4 Telnet . 5-17 5.8.5 Dynamic Host Configuration Protocol (DHCP) . 5-18 5.8.6 Secure Shell (SSH) 5-18 5.8.7 Simple Object Access Protocol (SOAP) . 5-18
  • 4.
    5.8.8 Simple MailTransfer Protocol (SMTP) . 5-18 5.8.9 Simple Network Management Protocol (SNMP) . 5-18 5.8.10 Distributed Component Object Model (DCOM) . 5-19 5.8.11 SCADA and Industrial Protocols . 5-19 5.9 Network Address Translation (NAT) . 5-19 ICS Security Architecture © 2016 Applied Control Engineering, Inc. 5.10 Specific ICS Firewall Issues . 5-20 5.10.1 Data Historians 5-20 5.10.2 Remote Support Access . 5-20 5.10.3 Multicast Traffic 5-20 5.11 Unidirectional Gateways . 5-21 5.12 Single Points of Failure . 5-21 5.13 Redundancy and Fault Tolerance . 5-21 5.14 Preventing Man-in-the-Middle Attacks 5-22 5.15 Authentication and Authorization 5-24 5.15.1 ICS Implementation Considerations . 5-25 5.16 Monitoring, Logging, and Auditing 5-25 5.17 Incident Detection, Response, and System Recovery 5-25 ICS Security Architecture © 2016 Applied Control Engineering, Inc. Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Step 1: Categorize Information Systems Step 2: Select Security Controls Step 3: Implement Security Controls Step 4: Assess Security Controls Step 5: Authorize Information System Step 6: Monitor Security Controls
  • 5.
    This is whatyour previous assignment was about. © 2016 Applied Control Engineering, Inc. Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Access Control – Role-based, Wireless, VLANs, web-servers, Dial-up Awareness and Training Audit and Accountability Security Assessment and Authorization Configuration Management Contingency Planning /Business Continuity – identify the recovery objective, DRP Identification and Authentication – Password, 2-Factor, Biometric, Smart Cards, Tokens © 2016 Applied Control Engineering, Inc. 9 Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Incident Response – symptoms of an incident Unusually heavy network traffic. Out of disk space or significantly reduced free disk space. Unusually high CPU usage. Creation of new user accounts. Attempted or actual use of administrator-level accounts. Locked-out accounts. Account in-use when the user is not at work.
  • 6.
    Cleared log files. Fulllog files with unusually large number of events. Antivirus or IDS alerts. Disabled antivirus software and other security controls. Unexpected patch changes. Machines connecting to outside IP addresses. Requests for information about the system (social engineering attempts). Unexpected changes in configuration settings. Unexpected system shutdown. Plan a response - Classification of Incidents; Response Actions; Recovery Actions. © 2016 Applied Control Engineering, Inc. 10 Applying Security Controls to ICS Executing the Risk Management Framework Tasks for ICS Maintenance Media Protection Physical and Environmental Protection Planning Personnel Security Hiring Policies Organization Policies and Practices Terms and Conditions of Employment Risk Assessment System and Services Acquisition System and Communications Protection – Encryption, VPNs System and Information Integrity Virus detection and malicious code Intrusion detection
  • 7.
    Patch management Program Management PrivacyControls © 2016 Applied Control Engineering, Inc. 11 Good Luck with your Career! Please fill out the IDEA survey! Spring B1 2018 IDEA surveys are available to students. Students can access their surveys by entering their full Wilmington University email address and password at wilmu.campuslabs.com/courseeval. Faculty are encouraged to promote student participation in the IDEA survey. Faculty can view real-time response rates, as well as past survey results via https://wilmu.campuslabs.com/faculty. (Please note that survey histories begin with Fall 2016 course reports). © 2016 Applied Control Engineering, Inc. 12 © 2016 Applied Control Engineering, Inc. © 2008 The MITRE Corporation. All rights Reserved.
  • 8.
    Malicious Control SystemCyber Security Attack Case Study– Maroochy Water Services, Australia Marshall D. Abrams, The MITRE Corporation Joe Weiss, Applied Control Solution s, LLC Annual Computer Security Applications Conference December 2008 © 2008 The MITRE Corporation. All rights Reserved. 2 NIST Industrial Control System (ICS) Cyber Security Project ■ Objective: to improve the cyber security of federally
  • 9.
    owned/operated ICS ■ ICS pervasivethroughout all critical infrastructures ■ Improve the security of public and private sector ICS – Work with voluntary industry standards groups (e.g., The Instrumentation, Systems, and Automation Society – ISA) oAssist in ICS cyber security standards and guideline development oFoster ICS cyber security standards convergence – Raise the level of ICS security through R&D and testing ■ Purpose of case studies is to focus in on factors otherwise overlooked, not to ascribe any blame © 2008 The MITRE Corporation. All rights Reserved. 3 NIST Cyber Security Strategic Vision
  • 10.
    ■ Promote thedevelopment of key security standards and guidelines to support the implementation of and compliance with the Federal Information Security Management Act (FISMA) ■ Build a solid foundation of information security across one of the largest information technology infrastructures in the world based on comprehensive security standards and technical guidance. ■ Institutionalize a comprehensive Risk Management Framework that promotes flexible, cost-effective information security programs for federal agencies. ■ Establish a fundamental level of “security due diligence” for federal agencies and their contractors based on minimum security requirements and security controls. © 2008 The MITRE Corporation. All rights Reserved. 4
  • 11.
    The Current Landscape dependenton information systems to carry out their missions and business functions. systems become open and internet-connected, thus putting the national services critical infrastructure at risk. usiness success, enterprise information systems must be dependable in the face of serious cyber threats. must be appropriately protected. © 2008 The MITRE Corporation. All rights Reserved. 5 The Threat Situation
  • 12.
    ■ ICS arebecoming more open making them vulnerable to intentional and unintentional cyber threats ■ Effects of errors and omissions increasingly catastrophic ■ Attacks are organized, disciplined, aggressive, and well resourced; many are extremely sophisticated ■ Adversaries are nation states, terrorist groups, criminals, hackers, and individuals or groups with intentions of compromising information systems ■ Significant exfiltration of critical and sensitive information and implantation of malicious software occurring on a regular basis ■ Largely untutored work force with little interest in IT security ■ ICS community diverse using different protocols (many archaic) © 2008 The MITRE Corporation. All rights Reserved.
  • 13.
    6 NIST ICS ProjectDeliverables ■ Support public & private sectors, and standards organizations that want to use NIST Standards & Guidelines for ICS ■ Evolve SP 800-53 Recommended Security Controls for Federal Information Systems to better address ICS – Revision 2 published December 2007 – Revision 3 first public draft scheduled for (end of) December 2008 ■ Develop SP 800-82 Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security – Second draft September 2007 – Final in 2009 © 2008 The MITRE Corporation. All rights Reserved.
  • 14.
    7 Case Study Overview ■Examine actual control system cyber event – Resulted in significant environmental and economic damage – Malicious attack by knowledgeable insider, who had been a trusted contractor employee – Timelines, control system response, and control system policies ■ Identify operating policies and procedures that were missing or had readily identifiable cyber security vulnerabilities ■ Identify NIST SP 800-53 management, operational, and technical safeguards or countermeasures that, if implemented, could have prevented or ameliorated the event © 2008 The MITRE Corporation. All rights Reserved.
  • 15.
    Attack Synopsis ■ VitekBoden worked for Hunter Watertech, an Australian firm that installed SCADA radio-controlled sewage equipment for the Maroochy Shire Council in Queensland, Australia (a rural area of great natural beauty and a tourist destination ) – Applied for a job with the Maroochy Shire Council – Walked away from a “strained relationship” with Hunter Watertech – The Council decided not to hire him – Boden decided to get even with both the Council and his former employer ■ On at least 46 occasions issued radio commands to the sewage equipment – Caused 800,000 liters of raw sewage to spill out into local parks, rivers and even the grounds of a Hyatt Regency hotel – Marine life died, the creek water turned black and the stench was unbearable for residents
  • 16.
    8 © 2008 TheMITRE Corporation. All rights Reserved. Time Line ■ 1997-December 1999 – Boden employed by Hunter Watertech ■ December 3, 1999 – Boden resigns from Hunter Watertech ■ Early December 1999 – Boden seeks City Council employment ■ Early January 2000 – Boden turned down ■ February 9-April 23, 2000 – SCADA system experiences series of faults ■ March 16, 2000 – Hunter Watertech investigator tried to troubleshoot system ■ April 19, 2000 – Log indicates system program had been run at least 31 times
  • 17.
    ■ April 23,2000 – Boden disabled alarms at four pumping stations using the identification of pumping station 4. ■ April 23, 2000 – Boden pulled over by police with computer equipment in car ■ October 31, 2001 – Boden convicted in trial – sentenced to 2 years ■ March 21, 2002 – Appeal rejected 9 © 2008 The MITRE Corporation. All rights Reserved. Evidence Found in Boden’s Vehicle ■ Laptop – Reloaded February 28, 2000 – Software used in the sewerage system (re)installed February 29 o Run at least 31 times prior to April 19
  • 18.
    o Last runon April 23 ■ Motorola M120 two-way radio same type used in the Council’s system – Tuned into the frequencies of the repeater stations – Serial numbers matched delivery docket provided by the supplier of the radios to Hunter Watertech ■ PDS Compact 500 computer control device – Address set to spoof pumping station – Serial number identified it as a device which should have been in the possession of Hunter Watertech 10 © 2008 The MITRE Corporation. All rights Reserved. Observations (1/2)
  • 19.
    ■ Boden wasan insider who was never an employee of the organization he attacked – Employee of contractor that supplied IT/control system technology – With his knowledge he was the “ultimate insider” ■ Contractor’s responsibilities unstated or inadequate – Management, technical and operational cyber security controls – Personnel security controls o Background investigations o Protection from disgruntled employees ■ As a skillful adversary, Boden was able to disguise his actions – A number of anomalous events occurred before recognition that the incidents were intentional – Extensive digital forensics were required to determine that a deliberate attack was underway ■ No existing cyber security policies or procedures ■ No cyber security defenses
  • 20.
    11 © 2008 TheMITRE Corporation. All rights Reserved. Observations (2/2) ■ Difficult to differentiate attacks from malfunctions ■ When/why is it important to determine whether intentional attack, or unintentional flaw or error? ■ Difficult to protect against insider attacks ■ Radio communications commonly used in SCADA systems are often insecure or improperly configured ■ SCADA devices and software should be secured to the extent possible using physical and logical controls ■ Security controls often not implemented or used properly ■ Generally SCADA systems lack adequate logging mechanisms for forensic purposes ■ Also recommended
  • 21.
    • Anti- encryption • Upgrade-ableSCADA systems (from a security perspective) 12 © 2008 The MITRE Corporation. All rights Reserved. 13 SP 800-53 Security Control Classes, Families, and Identifiers © 2008 The MITRE Corporation. All rights Reserved. SP 800-53 Pervasive Cyber Security Prophylactic Controls PROBLEM CONTROL FAMILY
  • 22.
    Policy and ProceduresThe first control in every control family addresses policy and procedure. Personnel Security Personnel Security (PS) Hardware & Software System and Services Acquisition (SA) Awareness and Training Awareness and Training (AT) Audit Audit and Accountability (AU) Contingency Planning Contingency Planning (CP) Incident Response Incident Response (IR) Cryptographic Protection System and Communications Protection (SC)
  • 23.
    14 © 2008 TheMITRE Corporation. All rights Reserved. SP 800-53 Controls for Malicious Activities MALICIOUS ACTIVITY CONTROL FAMILY Issuing radio commands Access Control (AC) Identification and Authentication (IA) Falsifying network address Access Control (AC) Sending false data
  • 24.
    and instructions Systemand Information Integrity (SI) Disabling alarms 15 © 2008 The MITRE Corporation. All rights Reserved. Access Control (AC) AC-1 Access Control Policy and Procedures AC-11 Session Lock AC-2 Account Management AC-12 Session Termination AC-3 Access Enforcement AC-13 Supervision and Review— Access Control AC-4 Information Flow Enforcement AC-14 Permitted Actions without
  • 25.
    Identification or Authentication AC-5 Separationof Duties AC-15 Automated Marking AC-6 Least Privilege AC-16 Automated Labeling AC-7 Unsuccessful Login Attempts AC-17 Remote Access AC-8 System Use Notification AC-18 Wireless Access Restrictions AC-9 Previous Logon Notification AC-19 Access Control for Portable and Devices AC-10 Concurrent Session Control AC-20 Use of External Information Systems 16
  • 26.
    ■ A combinationof access controls would have alleviated or prevented the attack ■ Tightly coupled with Identification and Authentication © 2008 The MITRE Corporation. All rights Reserved. Learning From the 2000 Maroochy Shire Cyber Attack ■ Public record of an intentional, targeted attack by a knowledgeable person on an industrial control system teaches us to consider: – Critical physical, administrative, and supply chain vulnerabilities – Vulnerabilities coming from suppliers or others outside the organization – Contractor and sub-contractor personnel as a potential attack source ■ Need to be concerned with both inside & outside attack ■ Difficulty in identifying a control system cyber incident as a
  • 27.
    malicious attack andretaking control of a “hijacked” system ■ A determined, knowledgeable adversary could potentially defeat most controls ■ Structured defense-in-depth security is best 17 © 2008 The MITRE Corporation. All rights Reserved. 18 Additional Information ■Authors – Marshall Abrams <[email protected]> – Joe Weiss <[email protected]> ■ Incident – See references in paper ■Case Study
  • 28.
    – http://csrc.nist.gov/sec-cert/ics/papers.html ■NIST IndustrialControl System Security Project – http://csrc.nist.gov/sec-cert/ics/index.html ■NIST Project Managers – Stu Katzke <[email protected]> – Keith Stouffer <[email protected]> http://csrc.nist.gov/sec-cert/ics/papers.html http://csrc.nist.gov/sec-cert/ics/papers.html ICS ARCHITECTURE FINAL PROJECT TEMPLATE ICS Architecture Final Project Template
  • 29.
    SEC6082 Your Name Running Head:ICS Architecture Final Project Template Table of Contents Executive SummaryX ICS Industry Architecture Being DesignedX OverviewX Statement of NeedX Detailed DescriptionX ICS Network ArchitectureX Physical and Logical DesignsX ProtocolsX DevicesX ICS Security ArchitectureX Device Security ConfigurationX Device Security ConfigurationX Device Security ConfigurationX EtcX AppendixX *Comprehensive Network MapX Example: Device Data FlowsX Example: Security Design DocumentsX
  • 30.
    Example: Intrusion DetectionSystemX Example: Honeypot ConfigurationX *The comprehensive network map must include all devices and communication protocols. List of Tables and Figures Figure 1. Example: Total Network DesignX Figure 2. Example: Device Data FlowX Figure 3. Example: Intrusion Detection SystemX Figure 4. Example: Honeypot ConfigurationX Executive Summary An Executive Summary provides a brief overview for C-level Executives who only need to know what the material is about, not the details of the material. Give a brief summary, one page
  • 31.
    or less, ofwhat this project is about. ICS Industry Architecture Being Designed This is arguably the most important part of the ICS architecture project. The logistical work done during this phase makes it possible to architect a successful ICS network. The origins of all problems experienced during the other phases can usually be tracked back to a lack of planning and understanding of your project during this phase. You will describe the industry you are architecting this ICS network for. 1. Overview Begin describing the types of network designs commonly used to architect this network. 2. Statement of Need Discuss the network needs of this architectural project. Your ICS network must include a SCADA network controlling at least two remote DCS networks. The SCADA network must securely share data with a traditional business IT network. 3. Detailed Description Now that you know the types of network commonly found and used in this industry and you know the particular needs of this architectural project, address how you will design this ICS network.
  • 32.
    ICS Network Architecture Providea brief description of what will occur during this phase. For example: This is the phase where you will describe the physical and logical design of your network, etc. This phase has three sections: Physical and Logical Designs; Protocols; and Devices. 1. Physical and Logical Designs There are many physical and logical network designs possible. ICS networks usually have more than one physical and logical network solution. Describe your physical and logical ICS network designs here. Include Visios or Excel designs to graphically illustrate your designs. A block of words is provided below to jog your mind: Ring, star, bus, mesh, twisted pair, coax, fiber, microwave, satellite. 2. Protocols This section is where you will document and describe the protocols in use, where, and why. The protocols listed should be represented in your network diagram(s). A block of words is provided below to jog your mind: DNP3, Fieldbus, Modbus, Profibus, Ethernet. 3. Devices A list of devices should be provided with as much information as possible. Identify the open ports and services running on each. List them here and explain why you’ve chosen them. All
  • 33.
    devices listed shouldappear in your network diagram(s). Follow these steps below: a. Identify the device. b. Identify what the device does. c. Identify the open ports. d. Identify the services running on these ports. Example devices include, but are not limited to: Router, firewall, IDS/IPS, Honeypot, Historian, PLC, RTU, IED, data acquisition server, HMI, protocol gateway, SCADA master station, sensors. ICS Security Architecture List each device you previously documented in “3. Devices” but this time annotate how they will be secured. This will require you to research vendor documentation, industry best practices, and other authoritative sources. Identify known weaknesses of the devices and how you will mitigate them.
  • 34.
  • 35.
    Appendix WILMINGTON UNIVERSITY Course: SEC6082 Final Research Paper Instructor: Dirk Sweigart Student:___________________ Weighted Content:______CT:______Comm:______ Weighted Rubric Score:__________ _ Performance Unsatisfactory 1 Developing 2 Competent 3 Accomplished
  • 36.
    4 Exemplary 5 Knowledge of Content 50%of rubric score Work does not reflect the assignment purpose Work marginally reflects the assignment purpose Work reflects the assignment purpose Work is accurately detailed, and in line with course content Work stands-out as exemplary, is accurately detailed, and in
  • 37.
    line with coursecontent Minimal details of ICS Industry being designed Overview and description provides only basic information Overview and Description provides general information Architecture section provides a detailed need and description Architecture section provides a clear and concise statement and description Does not include physical, logical, protocols or devices Includes a basic overview of physical, logical, protocols or devices Includes a general overview of the physical, logical, protocols or devices Includes a relatively detailed overview physical, logical, protocols or devices Includes a clear and concise overview of the network architecture including detailed description physical, logical, protocols or devices No description of ICS security architecture Basic description of ICS security architecture with no details on devices Includes a general description of of ICS security architecture but minimal device details
  • 38.
    Includes a relativelydetailed description of ICS security architecture along with device details Includes a clear and concise description of ICS security architecture and detailed description of device security configurations Does not include appendices Includes minimal appendices Include basic description of appendixes with good content Include detailed appendices that are appropriate to the content Include clear and concise appendices that build on the main content. No figures or descriptions (these can be embedded) Minor figures but not very relevant Good figures, tables and descriptions appropriate to content Well-defined figures and tables appropriate to the content Figures and descriptions are the content and express the ideas beyond the text. Ineffective documentation of research/support or 0 Prof references used Uses at least 2 Prof ref to support research with poor integration Uses at least 3 Prof ref to support research with adequate integration
  • 39.
    Uses at least4 references and integrates them acceptably into the document Uses 5 or more references and integrates them clearly and concisely into the document Unsatisfactory Developing Competent Accomplished Exemplary Critical Thinking 30% of rubric score Ability to incorporate graphical data/info is lacking Ability to incorporate graphical data/info is emerging Ability to incorporate graphical data/info is basic Ability to incorporate graphical data/info & link key relationships is proficient Ability to incorporate graphical data/info & link key relationships is superior Design does not discuss the impact of the unique challenges that
  • 40.
    exist in securingIndustrial Control Systems Design marginally describes the impact of the unique challenges that exist in securing Industrial Control Systems Design assesses the impact of the unique challenges that exist in securing Industrial Control Systems Design effectively assess the impact of the unique challenges that exist in securing Industrial Control Systems with generalized solutions to address those challenges Design assess in technical detail the impact of the unique challenges that exist in securing Industrial Control Systems with customized solutions to address those challenges Design does not address methods to balance security with potential negative impact to process operations and productivity. Design documents need for balanced security but includes no discussion of how to achieve it. Design provides a basic description of methods to balance security with potential negative impact to process operations and productivity. Design provides a detailed description of methods to balance security with potential negative impact to process operations and productivity. Design provides a clear and concise description of methods to balance security with potential negative impact to process
  • 41.
    operations and productivity. Designdoes not provide any options for security implementations Design provides a small number of options for security implementations Design provides options for security implementations Design provides some options for security implementations with detailed guidance Design provides lots of options for security implementations with detailed guidance Unsatisfactory Developing Competent Accomplished Exemplary Communications (Written)20% of rubric score Sentences are not well-constructed and often lack clarity.
  • 42.
    Formats and patternsare repetitive Sentences are somewhat clear and well constructed, but lack variety in format& length Most sentences are clear and well-constructed some evidence of variety in format, length, and complexity. Sentences are clear and well-constructed - Some evidence of variety in format, length, and complexity Varied well-constructed sentences are evident throughout the document with an appropriate stylistic flair Paper is riddled with spelling, punctuation, and/or grammatical errors Paper contains 5 or 6 spelling, punctuation, and/or grammatical errors Paper contains 3 or 4 spelling, punctuation, and/or grammatical errors Paper contains 1 or 2 spelling, punctuation, and/or grammatical errors No spelling, punctuation, and/or grammatical errors are readily apparent Paper is riddled with APA errors Paper contains 5 or 6 APA errors Paper contains 3 or 4 APA errors Paper contains 1 or 2 APA
  • 43.
    errors No APA errorsare readily apparent Executive summary lacking or does not create interest Executive summary evident but not particularly engaging Executive summary creates interest and engages the audience Executive summary creates interest and engages the audience, sets the stage for the main presentation Creates interest, engages and involves the audience, sets stage for the main presentation Main points are not clear or well organized - Lacks supporting evidence and detail Main points are clear but not well developed - More supporting evidence and detail are needed Main points are clear and well developed - Evidence and detail adequately support the presentation Main points are clear and well developed. Evidence and detail provide strong support for the presentation Main points are clear and well developed - Etc. Logical development is easy to follow
  • 44.
    No conclusion, paperjust ends Conclusion exists but does not summarize Conclusion mentions main points Conclusion summarizes main points Conclusion summarizes and drives home main points. No presentation aids used Basic presentation aids used, either not well designed or well integrated into the presentation Presentation aids are designed and integrated to communicate content but lack variety Presentation aids are well designed & integrated, as well as varied (some use of graphics/visual or sound effects) Presentation aids are of professional quality, enhancing the flow and persuasiveness (well integrated graphs, video or other electronic media)