Securing Industrial Control Systems
Kevin Wheeler, CISSP, CISA
Agenda
1. Evolving Threat Landscape
2. Industrial Control Systems
3. Emerging Industrial Control System Threats
4. Securing Industrial Control Systems
5. Questions and Discussion
Evolving Threat Landscape
Today’s Internet Threats
Malware Growth: in 2007, 1,431 variants per day
Attack Kits
• Kits Allow Novice Attackers to Launch Sophisticated Attacks
• Can Be Used to Easily Customize Attacks
• Create Unique Variants of Common Malware Threats
Threat Motives
• Monetary
• Political
• National Security
Industrial Control Systems
SCADA Functionality
• Industrial System Monitoring
• Industrial Actuator Control
• Used for:
  • Power Generation and Transmission
  • Water Supply
  • Oil and Gas
  • Wastewater Treatment
  • Building Management
SCADA Functionality (diagram)
SCADA System Architecture (diagram)
Evolving Industrial Control System Threats
Industrial Control System Threats
• Nation-state Threats are Increasing
• Cyber-Terrorism Has Become More Prevalent
• SCADA Remains Inherently Insecure
Case Study: Illinois Water District
Occurred: November 8, 2011
Attack Vector: SCADA system software compromised by Russian hackers
Motive: Cyber Terrorism/Warfare
Effect of Breach: Equipment (water pump) destroyed
Remediation: IDs and passwords were changed, logical access control enhanced
https://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/
Case Study: Iran Nuclear Program
Occurred: June, 2010
Attack Vector: SCADA system compromised by Israeli and US intelligence agencies through Stuxnet worm
Motive: Cyber Warfare
Effect of Breach: Equipment (Siemens centrifuges used for uranium enrichment) destroyed
Remediation: Authentication and logical access control enhanced
Case Study: LA Traffic Control Center
Announced: August 21, 2006
Attack Vector: Stolen Supervisor passwords
Motive: Cyber Terrorism, Union Strike
Effect of Breach: Traffic lights at four key LA intersections were disabled for four days, jamming traffic at the intersections
Remediation: Attackers eventually relinquished control of the system. The city most likely changed passwords, implemented more stringent password policies and possibly implemented a strong authentication system.
Securing Industrial Control Systems
ISA99 and ISA/IEC 62443 Standards
© Industrial Society of Automation, https://www.isa.org
Security Governance
1. Obtain Executive Sponsorship
2. Develop an Industrial Control System Security Committee
3. Define Policies
4. Provide Security Training for ICS Engineers
5. Implement Security Metrics and Reporting to Measure Progress
Threat and Vulnerability Management
1. Implement a System Patch Management Process
2. Disable System Services and Functions that are not Required
3. Optimize Security Configurations
4. Implement an Ongoing Threat Identification and Assessment Procedure
5. Periodically Test for Vulnerabilities
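One way to make items 2 and 3 of this list checkable on a real host, as an added example that is not part of the original deck: parse what `ss -lntup` prints on a Linux HMI and compare the listening sockets against an allowlist of services the host is supposed to run. The allowlist, the process names and the captured `ss` output below are constructed for the example.

```python
"""Service-baseline drift check for a single-purpose ICS host.

Added example, not from the slides: a concrete check behind items 2 and 3 of
"Threat and Vulnerability Management" (disable services that are not required,
keep the security configuration at a known baseline). It parses the text that
`ss -lntup` prints on a Linux HMI host and compares the listening sockets with
an allowlist. The allowlist and the captured output below are constructed for
this example.
"""
import re
from dataclasses import dataclass

# Constructed baseline for an HMI host: (proto, port) -> process expected to own it.
HMI_BASELINE = {
    ("tcp", 22): "sshd",         # engineering access, reachable only from the supervisory zone
    ("tcp", 502): "hmi-server",  # Modbus/TCP toward the supervisory network
    ("udp", 123): "chronyd",     # time sync, needed so logs can be correlated
}

# Constructed sample of `ss -lntup` output captured from the HMI host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      128    0.0.0.0:502       0.0.0.0:*    users:(("hmi-server",pid=1202,fd=7))
tcp   LISTEN 0      50     0.0.0.0:23        0.0.0.0:*    users:(("telnetd",pid=640,fd=4))
tcp   LISTEN 0      128    0.0.0.0:5900      0.0.0.0:*    users:(("x11vnc",pid=1500,fd=5))
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=700,fd=9))
"""

# One `ss` line: proto, state, queues, local addr:port, peer, optional users:(("name",...
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*'
    r'(?:users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    port: int
    process: str  # empty when ss could not attribute the socket to a process


def parse_ss(output: str) -> list[Listener]:
    """Extract listening sockets from `ss -lntup` text; header/unknown lines are skipped."""
    found = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["proto"], int(m["port"]), m["proc"] or ""))
    return found


def check_baseline(listeners: list[Listener], baseline: dict) -> dict:
    """Compare observed listeners with the baseline.

    Returns three finding lists:
      unexpected    - sockets open that the baseline does not allow (disable or justify)
      wrong_process - allowed port, but owned by a different program than expected
      missing       - baseline services that are not running (e.g. time sync stopped)
    """
    seen = {(l.proto, l.port): l for l in listeners}
    unexpected = sorted((key, l.process) for key, l in seen.items() if key not in baseline)
    wrong_process = sorted(
        (key, l.process, baseline[key])
        for key, l in seen.items()
        if key in baseline and l.process != baseline[key]
    )
    missing = sorted(key for key in baseline if key not in seen)
    return {"unexpected": unexpected, "wrong_process": wrong_process, "missing": missing}


if __name__ == "__main__":
    report = check_baseline(parse_ss(SAMPLE_SS_OUTPUT), HMI_BASELINE)
    for kind, findings in report.items():
        for finding in findings:
            print(f"{kind}: {finding}")
```

Run against the constructed capture, the check flags telnet, VNC and SNMP as services outside the baseline and reports time sync as missing; the "missing" list matters as much as the "unexpected" one, since a stopped time service silently breaks log correlation for item 4 of the list.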
Logical Access Control
1. Isolate ICS Networks
2. Define Logical Security Zones
3. Implement Next Gen Firewall Technology
4. Deploy Role-based Access Control
5. Require Multi-factor Authentication
*Use Privileged Access Management Technology if Possible
Recommendations
1. Centralize Network Access to Supervisory Level Industrial Control Systems Using Next Generation Firewall Technology
2. Provide Centralized Authentication and Accounting (Logging) for Industrial Control System Access
3. Isolate Industrial Control Network Access Using VPNs Over Internal Networks and VLANs to the Supervisory Level
4. Harden SCADA Management Systems as Single Purpose Devices
5. Monitor Supervisory Level Database Activity
6. Authenticate and Encrypt Dial-up and Wireless Access to Out-of-band Control Level PLCs and RTUs
7. Physically Secure the Device Level at Facilities
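The zone items under Logical Access Control (isolate ICS networks, define logical security zones, firewall between them) and Recommendations 1 and 3 (corporate access reaches the supervisory level only through a VPN and a central firewall) amount to a conduit policy that can be written down and evaluated. The following is an added example, not code from the deck or from any product it names: it encodes an assumed zone layout (corporate, VPN gateway, supervisory, control) with the services each conduit permits, and runs it over a few constructed firewall flow records, flagging flows that bypass the conduits. Zone names, address ranges, permitted ports and the sample flows are all assumptions made for the example.

```python
"""Zone/conduit policy check over firewall flow records.

Added example, not from the slides: turns the "Logical Access Control" and
"Recommendations" items (isolate ICS networks, define security zones, centralize
supervisory access behind a firewall and VPN) into a checkable policy and runs it
over constructed flow records. Zone names, address ranges, allowed conduits and
the sample flows are assumptions made for this example.
"""
import ipaddress
from collections import namedtuple

# Assumed zone layout in the style of ISA/IEC 62443 zones; address ranges are constructed.
ZONES = {
    "corporate":   ipaddress.ip_network("10.0.0.0/16"),
    "vpn_gateway": ipaddress.ip_network("10.1.0.0/24"),
    "supervisory": ipaddress.ip_network("10.10.0.0/24"),  # SCADA servers, historian, HMI
    "control":     ipaddress.ip_network("10.20.0.0/24"),  # PLCs and RTUs
}

# Allowed conduits: (initiator zone, responder zone) -> set of (proto, dport).
# Anything not listed is denied; there is deliberately no corporate -> control entry.
CONDUITS = {
    ("corporate", "vpn_gateway"):   {("udp", 1194), ("tcp", 443)},   # VPN termination
    ("vpn_gateway", "supervisory"): {("tcp", 3389), ("tcp", 443)},   # authenticated operator access
    ("supervisory", "control"):     {("tcp", 502), ("tcp", 20000)},  # Modbus/TCP, DNP3
    ("supervisory", "supervisory"): {("tcp", 1433)},                 # historian database
}

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed flow records as a firewall or NetFlow exporter might log them.
SAMPLE_FLOWS = """\
# src          dst          proto dport   (constructed)
10.0.5.21      10.1.0.2     udp   1194
10.1.0.2       10.10.0.10   tcp   3389
10.10.0.10     10.20.0.7    tcp   502
10.0.5.21      10.20.0.7    tcp   502
10.10.0.10     10.20.0.7    tcp   23
10.10.0.10     10.10.0.20   tcp   1433
192.168.77.4   10.20.0.9    tcp   502
"""


def zone_of(ip: str) -> str:
    """Map an address to its zone; addresses outside every zone are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow; verdict is 'allow' or 'deny'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny", f"address outside defined zones ({src_zone} -> {dst_zone})"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return "deny", f"no conduit {src_zone} -> {dst_zone}"
    if (flow.proto, flow.dport) not in allowed:
        return "deny", f"{flow.proto}/{flow.dport} not permitted on conduit {src_zone} -> {dst_zone}"
    return "allow", f"conduit {src_zone} -> {dst_zone}"


def parse_flow_log(text: str) -> list[Flow]:
    """Parse 'src dst proto dport' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()[:4]
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def audit(text: str) -> list[tuple]:
    """Evaluate every record; returns (flow, verdict, reason) triples."""
    return [(f, *evaluate(f)) for f in parse_flow_log(text)]


def denied(text: str) -> list[Flow]:
    """Only the flows that violate the conduit policy, i.e. what a SOC would alert on."""
    return [f for f, verdict, _ in audit(text) if verdict == "deny"]


if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src:>13} -> {flow.dst:<11} {flow.proto}/{flow.dport:<5} {reason}")
```

The same table serves two purposes: reviewed against the firewall rule base it is the configuration the zones require, and run over exported flow logs it is a detection for conduit bypass. In the constructed sample the policy denies a corporate workstation talking Modbus straight to a PLC, a supervisory host opening telnet to a PLC, and a flow from an address that belongs to no defined zone; the three allowed hops (corporate to VPN gateway, gateway to supervisory, supervisory to control on Modbus) trace the path Recommendation 1 and 3 describe.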
SCADA Security Architecture (diagram: Corporate Network, VPN, Authentication)
Questions and Discussion
Kevin Wheeler, CISSP, CISA
(972) 992-3100 Ext 101
kevin.wheeler@infodefense.com

NTXISSACSC2 - Securing Industrial Control Systems by Kevin Wheeler

Editor's Notes

  • #9 ***Update Statistics***