Industrial Control Systems (ICS) refer to various types of technology that control physical infrastructure ranging from industrial production - like valves in a manufacturing plant, to environment controls - like lighting and cooling systems in an office building. Think you don't have ICS on your network? Think again. Data centers, offices and corporate campuses rely on Industrial Control Systems to operate. In fact, virtually every modern building, and corporate campus around the world plays host to environmental controls, building entry systems, safety systems, and many other automation systems that are considered ICS. As with any system, ICS have known vulnerabilities, which now that they are network-accessible represent a tantalizing target for attackers. Why bother trying to defeat carefully constructed network security measures if you can more easily turn on the sprinkler system and bring down the entire data center? This webinar will review ICS basics and then detail their various security risks. It will also recommend general do's and don'ts when dealing with ICS. Our featured speakers for this timely webinar are: - Billy Rios, Technical Director at Cylance. Billy is seasoned security professional whose background spans both the military and the private sector. He is a noted expert in ICS security. -Ted Julian, Chief Marketing Officer at Co3 Systems. Ted is a serial entrepreneur who has launched four companies during his ~20 years in the security / compliance industry.

1. Industrial Control Systems 101
Why Hack The Network If You Can
Shut Down The Data Center?

2. Page 2
Agenda
• Introductions
• What are Industrial Control Systems (ICS)?
• Security Risks associated with ICS
• Do’s & Don’ts of ICS
• Q&A

3. Page 3
Remembering Boston – 4/15/13
http://onefundboston.org/

4. Page 4
Introductions: Today’s Speakers
• Ted Julian – Chief Marketing Officer, Co3 Systems
Ted is a serial entrepreneur who has launched four
companies during his ~20 years in the security /
compliance industry.
• Billy Rios – Technical Director, Cylance
Billy is seasoned security professional whose
background spans both the military and the private
sector. He is a noted expert in ICS security.

5. Page 5
Co3 Automates Breach Management
PREPARE
Improve Organizational
Readiness
• Assign response team
• Describe environment
• Simulate events and incidents
• Focus on organizational gaps
REPORT
Document Results and
Track Performance
• Document incident results
• Track historical performance
• Demonstrate organizational
preparedness
• Generate audit/compliance reports
ASSESS
Quantify Potential Impact,
Support Privacy Impact
Assessments
• Track events
• Scope regulatory requirements
• See $ exposure
• Send notice to team
• Generate Impact Assessments
MANAGE
Easily Generate Detailed
Incident Response Plans
• Escalate to complete IR plan
• Oversee the complete plan
• Assign tasks: who/what/when
• Notify regulators and clients
• Monitor progress to completion

6. Page 6
• Cyber Services &
Technology
• Led by Stuart McClure,
former CTO McAfee &
founder of Foundstone
Vulnerability Mgmt Co.
• 55 employees
• Irvine, CA HQ
Cylance, Inc. – Secures the Unsecurable

7. Page 7
ICS Expertise
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-02.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-182-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-182-02.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-195-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-243-02.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-244-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-273-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-03.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-03A.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-285-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-12-024-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-12-039-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-12-047-01A.pdf

8. Page 8
ICS Expertise
• http://www.us-cert.gov/control_systems/pdf/ICSA-12-062-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-12-083-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICSA-12-095-01.pdf
• https://ics-cert.us-cert.gov/pdf/ICS-ALERT-12-195-01.pdf
• http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-343-01.pdf
• http://ics-cert.us-cert.gov/pdf/ICS-ALERT-11-343-01A.pdf
• https://ics-cert.us-cert.gov/pdf/ICSA-12-228-01.pdf
• http://ics-cert.us-cert.gov/pdf/ICSA-13-079-03.pdf

9. Page 9
You might have ICS… 

10. Page 10
Unoccupied building, Saturday night
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
Examples of ICS

11. Page 11
Scott swipes card at main entrance, works on 4th floor South
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
Examples of ICS

12. Page 12
Video system needs to verify and record Scott’s entrance
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
“Camera Preset 1,
Initiate Recording”
HTTP
Examples of ICS

13. Page 13
Alarm system armed, need to disarm 4th floor intrusion zone
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
“Camera Preset 1,
Initiate Recording”
HTTP
“Disarm Intrusion
Zone 4”
LEGACY
Examples of ICS

14. Page 14
Allow access to 4th floor
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
“Camera Preset 1,
Initiate Recording”
HTTP
“Disarm Intrusion
Zone 4”
“Floor 3 Enable”
XML
LEGACY
Examples of ICS

15. Page 15
It is hot in Scott’s office, turn on AC
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
“Camera Preset 1,
Initiate Recording”
HTTP
“Disarm Intrusion
Zone 4”
“Floor 3 Enable”
XML
“Zone 4 Occupied”
LEGACY
Examples of ICS

16. Page 16
Scott needs light on 4th floor hallway and office
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
“Camera Preset 1,
Initiate Recording”
HTTP
“Disarm Intrusion
Zone 4”
“Floor 3 Enable”
XML
“Zone 4 Occupied”
“Circuit 1, 2 ON”
MODBUS
®
LEGACY
Examples of ICS

17. Page 17
Lights and AC for Scott used 50 kWH
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
“Camera Preset 1,
Initiate Recording”
HTTP
“Disarm Intrusion
Zone 4”
“Floor 3 Enable”
XML
“Zone 4 Occupied”
“Circuit 1, 2 ON”
MODBUS
®
“Totalize light and
HVAC for Zone
4”
LEGACY
Examples of ICS

18. Page 18
Invoice Scott for $150 of after hours energy usage
Card Access
Video
Intrusion Elevator HVAC Lighting
Energy
Tenant Billing
System
Interaction:
“Access Granted,
Zone 4”
“Camera Preset 1,
Initiate Recording”
HTTP
“Disarm Intrusion
Zone 4”
LEGACY
“Floor 3 Enable”
XML
“Zone 4 Occupied”
“Circuit 1, 2 ON”
MODBUS
®
“Totalize light and
HVAC for Zone
4”
“Generate / email
Invoice for Sat”
SMTP
Examples of ICS

19. Page 19
We can work without AC

20. Page 20
We can work without AC

21. Page 21
We can work without AC

22. Page 22
But Billy… who would do such a thing?

23. Page 23
But Billy… who would do such a thing?

24. Page 24
We need to move quickly

25. Page 25
We need to move quickly

26. Page 26
We need to move quickly

27. Page 27
We need to move quickly

28. POLL

29. Page 29
ICS Security – Current State
• Software:
• Extremely poor, Windows XP
• Vulnerable to common, unsophisticated attacks
(remote/local)
• Lack of industry standard exploit mitigations (DEP/ASLR)
• Deployment:
• Extremely poor
• Be wary of remote access
• Poor guidance from vendors
• Impossible/unreasonable deployment architectures
• Lack of automated verification

30. Page 30
ICS Security – Current State
• Vulnerability Management:
• Extremely poor
• Lack of managed awareness
• Lack of managed patch management
• Lack of vulnerability detection
• Lack of mature reporting
• Lack of awareness
• Inability to scale limited expertise

31. Page 31
ICS Security – Current State
• Detection and Enumeration:
• Foundation for all ICS security operations
• Safety is a priority
• Differentiate between ICS deployments
• Manual processes are common
• Expertise is limited

32. POLL

33. Page 33
ICS Dos and Don’ts
• Don’ts
• Run a traditional vulnerability scanner on ICS
devices/software
• Expect traditional tools to identify vulnerabilities with ICS
software
• Expect notification of vulnerabilities
• Expect centralized patch management from vendors

34. Page 34
ICS Dos and Don’ts
• Do
• Identify where your ICS is on the network
• Identify the paths to reaching ICS
• Monitor paths to ICS devices
• Identify users/engineers that work with ICS

35. QUESTIONS

36. Page 36
Next Webinar
“Introducing the Co3 Security Module”
• IR for security incidents: malware, system
intrusion, DDoS, etc.
• Wednesday, May 1 @ 1 PM ET
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“…an invaluable weapon when responding
to security incidents.”
GOVERNMENT COMPUTER NEWS – APRIL 2013

37. One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 Systems makes the process of
planning for a nightmare scenario as
painless as possible, making it an Editors’
Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Co3…defines what software packages
for privacy look like.”
GARTNER
“Platform is comprehensive, user
friendly, and very well designed.”
PONEMON INSTITUTE
Billy Rios
Technical Director
Cylance
brios@cylance.com
www.cylance.com