InduSoft Cybersecurity Webinar: Overview of Current Events and General Cybersecurity Guidance,
Protection and Remediation Techniques, and Advanced InduSoft Web
Studio Data Protection and Encryption
Presenters: Richard Clark and Fabio Terezinho
June 24, 2015
Speakers Today (in order of presentation)
Richard Clark
– Technical Marketing, Process and Controls Engineer, Cybersecurity Engineer
Fabio Terezinho
– Director of Engineering and Consulting Services for InduSoft
Richard H Clark
Cybersecurity Background
Mr. Clark has been in Mechatronics, Automation, Process Control, Industrial Control System Cybersecurity, and automation implementation for more than 15 years. He was employed by Wonderware, where he developed a non-proprietary means of using IPsec for securing current and legacy Automation, SCADA, and Process Control Systems, and developed non-proprietary IT security techniques. He is an industry expert by peer review and spokesperson on IT security; a consultant, analyst and voting member of ISA/IEC 62443 (SP99); and a contributor to the PCSF Vendor Forum. He was a consultant to NIST, other government labs and the NSA during the development of NIST Special Publications 800-53/82. He has published engineering white papers, manuals, and instruction documents, and has developed and given classes and lectures on the topic of ICS/SCADA Security.
– Participated in forming the NIST Cybersecurity Framework during the workshops last year.
Fabio Terezinho
Engineering and Cybersecurity Background
– VP/Director of Engineering and Consulting Services, InduSoft/InduSoft-Wonderware, January 1999 – Present (16 years 6 months)
– Application Engineer, Altus Sistemas de Informatica SA, January 1995 – March 1998 (3 years 3 months)
Selected Publications:
– Remote access, any time, any place, InTech Magazine, October 2012
– Designing New SCADA Systems, Plant Engineering, January 2012
– Secure Against Process Automation Errors, Control Design Magazine, November 2011
Honors & Awards:
– Beta Gamma Sigma (AACSB International - The Association to Advance Collegiate Schools of Business), March 2011
Patent:
– Method and system for communicating between an embedded device and relational databases, United States 11/243,780
Education:
– Baylor University - Hankamer School of Business, Executive Master of Business Administration (EMBA), 2010 – 2011
– Escola de Engenharia Maua, Electrical Engineering, Automation and Control, 1999 – 2003
Mr. Terezinho has been in Mechatronics, Automation, Process Control, Industrial Control System Cybersecurity,
automation implementation, and product development at InduSoft/InduSoft-Wonderware for more than 16 years.
Announcements
This is an audio broadcast-only WebEx, so we can’t
hear you speaking.
– If you want to give us a comment or question, please type it into
the Q&A or Chat Field in the WebEx presentation interface. We
will answer your questions at the end in the Q&A section of the
broadcast.
Fill out the InduSoft webinar survey that we will send you at the email address that you used to sign in, and get a free famous InduSoft webinar series Tee-Shirt!
Services On Demand is Available Now!
Engineering assistance is available when designing
projects and implementing project security
SCADA Cybersecurity eBooks
– InduSoft Security Guide, ISBN 978-1311-49042-1
– NIST Cybersecurity Framework, ISBN 978-1310-30996-0
Available at Smashwords.com and other major booksellers
Download at Smashwords.com to “Name Your Price”
All eBook Proceeds Benefit the Eastern New Mexico University-Ruidoso Foundation
Announcements
How to get Product Update Announcements
Webinar Agenda
Introductions
Our Cybersecurity Guidance eBooks and Engineering Services available from InduSoft
Current events that are relevant to Control Systems
Discussion of the current state of Cybersecurity for Control Systems
Remediation and System Protection
Fabio: Advanced InduSoft Web Studio configurations for Data Protection and Encryption
Where do we start?
There have been an unprecedented number of Cybersecurity incidents
There have been a lot of business-centered cyber-events, but we are interested in ICS and SCADA events
Therefore, the best place to start is the state of the industry and current knowledge of known cyber-events
Stuxnet was the most infamous breach
A lot of noise has been made about Stuxnet, and for good reason…
Stuxnet really scared a lot of Cybersecurity professionals and antivirus/anti-malware companies, along with ICS-CERT organizations around the globe.
– it was heretofore unprecedented in its sophistication and differing methods of attack and intrusion.
After a quick War Room analysis, it was determined that the attack was specifically targeted
Theorized Stuxnet Analyses and Findings
1) the sophistication of the programming of the malware, some of which was uncovered by reverse-engineering, could only have been done with a large, coordinated team of professional developers
2) the specificity and required intimate insider knowledge of the control systems, and their networks and configurations
3) the Zero Day exploits of the unpatched Siemens PLCs they were using, and the insider knowledge that they were unpatched
4) the differing vectors of infection and spread, which initially was likely a USB drive, then appeared to spread through network connectivity and printer ports to other computers using administrator credentials…
5) the fact that it stayed dormant and surreptitious for a long time before becoming active, apparently reporting to some home base (C&C, or Command and Control center) with findings at various intervals…
6) …and then apparently receiving updated instructions from the C&C before proceeding with machine infiltration and attack vectors
7) the apparent social engineering that had to have been used to gain such intimate access to the systems…
8) …which ultimately led to attacking and reprogramming the PLCs to control the centrifuge Variable Frequency Drives (VFDs) in a completely different way than originally intended and programmed
9) and to operate slowly and surreptitiously over weeks or months in order to prematurely wear out or severely damage the equipment, ultimately limiting and destroying the production lines
…the conclusion was that Stuxnet was a deliberate, single, targeted attack by one or more Nation-States.
Is Stuxnet, because of all these factors, a danger to your facility?
– yes and no
So is Stuxnet a danger to your system?
Stuxnet, as it was used, could only work on the one targeted system
Some bits of the Stuxnet code have been found in other types of malware in the wild
Malware/antivirus companies have updated their databases to protect against Stuxnet-like code in other malware
Additionally, the Zero Day exploits used in the Siemens PLCs have been patched
Stuxnet employed a very sophisticated Man-in-the-Middle scheme requiring PLC reprogramming
So moving forward in time…
2012: Shamoon malware infiltrates Aramco and damages data on more than 30,000 computers…
Also in 2012 were Duqu and Flame (sKyWIper), which utilized Stuxnet modules and did not need to report home
Next, in 2013 and 2014, were Dragonfly and Havex, RAT (Remote Access Trojan or Tool) malware that did target Industrial Control Systems
During the End-of-Year news, sometime in December 2014, was an attack at a German steel mill, doing a substantial amount of physical damage…
– The attack was a result of “spear phishing”, or sending emails containing a malware payload that gave access to the plant’s Industrial Control System.
The Dell Annual Security Report (April 13, 2015)
Shows that in 2014, attacks more than doubled from the previous year to 675,186
“Whereas the motive behind data-focused attacks is typically financial, SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information,” Dell said.
Buffer overflow vulnerabilities were the primary point of attack against SCADA systems, which control remote equipment and collect data on equipment performance, accounting for 25% of the attacks witnessed by Dell.
Other interesting items in April and May
Article Comments by Shawn McConnon
“These emerging attacks are now being waged against a much wider variety of hardware, including mobile devices”, he explains.
– "There is no perimeter anymore," he says.
– "There are many more touch-points in a company today," which, in turn, has made it easier for hackers to penetrate networks.
Hackers, especially nation-state actors, know that most organizations fail to adequately address risks posed to their networks by third parties, McConnon says.
– "Businesses today outsource everything ... and it's very hard to ensure security when you're outsourcing."
Hackers are increasingly targeting less-secure third parties to ultimately gain access to organizations' primary networks, McConnon explains.
– "You can't prevent hacks. But you should focus on the information," he says.
– "You've got to be able to look at your third-party risk and have somebody on your team who's looking at that risk regularly."
And just in the past 3 weeks…
What are the takeaways?
Cybercrime is on the increase, with more than double the number of attacks since last year.
The criminals involved are everything from amateurs to Nation States with deep pockets and many resources
The trend is that SCADA and control system attacks will only increase, using online tools that have been continually evolving
People still use insufficient security to protect themselves and/or their systems
– Everything from poor password enforcement to inadequate perimeter defense, to relying on 3rd parties with no in-house checking or reviews
What steps need to be taken?
First and foremost, understand your assets, and how they are configured together
– This step initially requires a complete hardware and software inventory
– Understanding their configuration will provide information about how they may be either secure or vulnerable within their current states
Next, categorize and classify your assets
– Asset categories might include: critical, essential, supporting role, etc.
– Further classifications might include: production, business, administrative, analysis, infrastructure backbone, executive, etc.
– Understanding these classifications will help when creating your Gap Analysis and Risk Assessment for the whole system:
• http://www.belden.com/blog/industrialsecurity/Industrial-Networking-Easy-Security-Risk-Assessment.cfm
What steps need to be taken?
Once a Gap Analysis is complete, you will have an understanding of what is missing in terms of security
– A Gap Analysis is crucial before an understanding of the elements that need to be addressed can take place
– Each deficiency that is uncovered can be addressed with a Risk Assessment, which is a cost to address it vs the risk to leave it alone
– As the cybersecurity landscape changes, each risk can be reviewed and recalculated as the protection costs or technologies change
– This approach is called a Business Process Management (BPM) Approach to managing your assets and the system security
– Ad hoc approaches to security finally disappear and an organized methodology to asset management will come into focus.
– Note that it is not necessary to “do everything at once”, since implementing various security phases or changes can be expensive
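The inventory, classification, gap analysis and cost-versus-risk steps from the two slides above, carried through as one small worked example. This is added illustration, not InduSoft code and not the method from the eBooks or the Belden post; the asset names, categories, per-year likelihoods, loss figures and control costs are constructed sample values, and `gap_analysis()`, `assess()` and `plan()` are hypothetical helpers written for this page.

```python
"""Inventory -> classify -> gap analysis -> risk assessment, as a small risk register.

Added example (not InduSoft code); every asset, likelihood, loss and cost below
is a constructed sample value chosen only to make the arithmetic easy to follow.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    category: str                # critical / essential / supporting (slide categories)
    role: str                    # production / business / administrative / analysis ...
    loss_if_compromised: float   # estimated cost of losing this asset (constructed)
    configuration: dict          # observed state from the hardware/software inventory


# Secure baseline the gap analysis compares each asset against (constructed).
BASELINE = {
    "patched": True,
    "unused_services_disabled": True,
    "centrally_logged": True,
    "backed_up": True,
}

# Share of an asset's loss that each category is assumed to carry (constructed weights).
CATEGORY_WEIGHT = {"critical": 1.0, "essential": 0.6, "supporting": 0.3}

# Constructed per-year likelihood that a missing control is exploited, and the
# constructed cost of putting each control in place.
DEFAULT_LIKELIHOOD = {"patched": 0.30, "unused_services_disabled": 0.20,
                      "centrally_logged": 0.10, "backed_up": 0.15}
DEFAULT_CONTROL_COST = {"patched": 20_000, "unused_services_disabled": 5_000,
                        "centrally_logged": 15_000, "backed_up": 8_000}

# Constructed inventory of three assets.
INVENTORY = [
    Asset("HMI-01", "critical", "production", 500_000,
          {"patched": False, "unused_services_disabled": False,
           "centrally_logged": True, "backed_up": True}),
    Asset("HIST-01", "essential", "analysis", 200_000,
          {"patched": True, "unused_services_disabled": True,
           "centrally_logged": False, "backed_up": False}),
    Asset("ENG-WS", "supporting", "administrative", 100_000,
          {"patched": False, "unused_services_disabled": True,
           "centrally_logged": True, "backed_up": True}),
]


def gap_analysis(asset: Asset) -> list:
    """Baseline controls the asset's current configuration lacks."""
    return [ctl for ctl, wanted in BASELINE.items()
            if asset.configuration.get(ctl) != wanted]


@dataclass
class Risk:
    asset: str
    control: str
    annual_loss_expectancy: float   # likelihood x weighted loss, per year
    mitigation_cost: float

    @property
    def net_benefit(self) -> float:
        """Risk of leaving it alone minus the cost of addressing it."""
        return self.annual_loss_expectancy - self.mitigation_cost


def assess(inventory=INVENTORY, likelihood=None, control_cost=None) -> list:
    """Risk-assess every gap and rank by net benefit, highest first.

    Pass new likelihood/control_cost tables to recalculate as the landscape
    or the price of a protection changes (the BPM-style review loop).
    """
    likelihood = {**DEFAULT_LIKELIHOOD, **(likelihood or {})}
    control_cost = {**DEFAULT_CONTROL_COST, **(control_cost or {})}
    risks = []
    for asset in inventory:
        for ctl in gap_analysis(asset):
            ale = likelihood[ctl] * asset.loss_if_compromised * CATEGORY_WEIGHT[asset.category]
            risks.append(Risk(asset.name, ctl, ale, control_cost[ctl]))
    return sorted(risks, key=lambda r: r.net_benefit, reverse=True)


def plan(risks) -> tuple:
    """Split into items worth funding now and items to defer (net benefit <= 0)."""
    do_now = [r for r in risks if r.net_benefit > 0]
    defer = [r for r in risks if r.net_benefit <= 0]
    return do_now, defer


if __name__ == "__main__":
    for r in assess():
        print(f"{r.asset:8} {r.control:26} ALE={r.annual_loss_expectancy:>9,.0f} "
              f"cost={r.mitigation_cost:>7,.0f} net={r.net_benefit:>9,.0f}")
```

With the constructed figures the two HMI-01 gaps rank first and the engineering workstation patch and historian logging fall below the line, which is the "not everything at once" point of the slide. Calling `assess(control_cost={"centrally_logged": 1_000})` re-runs the same register with a cheaper logging option and moves that item above the line, which is the recalculation step the slide describes.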
Analysis tools that can help you
The NIST Cybersecurity Framework is a good place to start
– Using the methodology described within the Framework documentation can help you get started, even though you may not end up using it.
– The Framework was contributed to by a wide variety of industry professionals, to make it extremely flexible.
Another tool that can be extremely useful is the ICS-CERT CSET Tool
– This tool allows you to plug in any set of standards that you want to and it will start asking you questions based on those standards and the inventory/gap analysis that you performed
• https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET
SCADA Cybersecurity eBooks
InduSoft Security Guide (ISBN 978-1311-49042-1)
NIST Cybersecurity Framework (ISBN 978-1310-30996-0)
Available at Smashwords.com and other major booksellers
The cybersecurity webinars detail the steps
InduSoft’s Cybersecurity Webinars from January 28th and February 17th of 2015 discussing guidance and the eBooks will also help you in moving forward
– http://www.indusoft.com/Marketing/Article/ArticleID/555/ArtMID/684
– http://www.indusoft.com/Marketing/Article/ArticleID/562/ArtMID/684
– Professor Miller discusses the new changes to the CSET Tool
Due to your various system differences…
It is not possible to give specific guidance for the process, platform, or enterprise.
Specific guidance for one type of system may be entirely inappropriate for a different configuration
Control System Generalities include:
Network Segregation
– Simple firewalls don’t work
– VLANs don’t work
• https://www.tofinosecurity.com/blog/why-vlan-security-isnt-scada-security-all
– DMZ needed for Historian
– Firewalls should have Stateful Packet inspection
• http://www.belden.com/blog/industrialsecurity/Why-SCADA-Firewalls-Need-to-be-Stateful-Part-1-of-3.cfm
Electronic Access Point Controls
– Device Authentication may be appropriate
– Control ingress and egress points of Control System
System Hardening
– Remove unused software and other items
– Turn off unused services/ports to reduce attack surfaces
Role Based Access Controls
– Use Active Directory or LDAP for Centralized Management
– Use of minimum needed privileges
– Device Control such as USB controls in place
Patching Server installed
Centralized Backups
Logging Server
Performance Server
-or-
Centralized Management Server or System
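Why the Network Segregation bullets above call for a historian DMZ with stateful packet inspection rather than a simple port filter, shown as an added example that is not code from InduSoft or from the Belden and Tofino posts linked on the slide. The three zones, the policy table, the `Packet` record and the `StatefulFirewall` class are all constructed for illustration; the traffic sample is made up, and the historian's database port is simply assumed to be 1433.

```python
"""Stateless ACL vs stateful inspection between control-system zones.

Added example, not code from InduSoft, Belden or Tofino. The zone map, policy
and packets are constructed to show why a historian DMZ needs a stateful
firewall rather than a port list with an "established" shortcut.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: control network, historian DMZ, enterprise network.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/24"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "enterprise": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed policy: which zone pairs may open connections, and to which ports.
# Control pushes data to the historian, the enterprise reads from the historian,
# and nothing is allowed to open a connection into the control zone.
POLICY = {
    ("control", "dmz"): {1433},
    ("enterprise", "dmz"): {1433},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def policy_permits(pkt: Packet) -> bool:
    """Does POLICY allow a new connection from src zone to dst zone on dport?"""
    return pkt.dport in POLICY.get((zone_of(pkt.src), zone_of(pkt.dst)), set())


def stateless_allow(pkt: Packet) -> bool:
    """Port ACL. It cannot tie a reply to a session, so to let replies through it
    must pass any segment with ACK set ("established"), a flag any host can set."""
    if pkt.ack:
        return True
    return policy_permits(pkt)


class StatefulFirewall:
    """Tracks sessions opened under POLICY and passes only packets belonging to them."""

    def __init__(self):
        self.sessions = set()   # (client_ip, server_ip, server_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.syn and not pkt.ack:                 # new connection attempt
            if policy_permits(pkt):
                self.sessions.add((pkt.src, pkt.dst, pkt.dport))
                return True
            return False
        # Any other segment must belong to a tracked session, in either direction.
        forward = (pkt.src, pkt.dst, pkt.dport) in self.sessions
        reply = (pkt.dst, pkt.src, pkt.sport) in self.sessions
        return forward or reply


# Constructed traffic sample.
SAMPLE = [
    Packet("10.10.0.5", "10.20.0.10", 50000, 1433, syn=True, ack=False),   # HMI opens session to historian
    Packet("10.20.0.10", "10.10.0.5", 1433, 50000, syn=True, ack=True),    # historian SYN/ACK back to HMI
    Packet("10.20.0.10", "10.10.0.7", 1433, 445, syn=False, ack=True),     # unsolicited ACK from DMZ into control
    Packet("10.30.0.50", "10.10.0.5", 40000, 1433, syn=True, ack=False),   # enterprise host tries control directly
    Packet("10.30.0.50", "10.20.0.10", 40001, 1433, syn=True, ack=False),  # enterprise reads the historian
]


def compare(packets=SAMPLE) -> list:
    """Return (stateless_decision, stateful_decision) for each packet, in order."""
    fw = StatefulFirewall()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]


if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE, compare()):
        print(f"{p.src:>11} -> {p.dst:<11}:{p.dport:<5} stateless={stateless!s:5} stateful={stateful}")
```

The third packet is the one that matters: a DMZ host sending an ACK-flagged segment into the control network with no session behind it. The port ACL passes it because it cannot tell a genuine reply from an unsolicited segment, while the stateful filter drops it because no HMI ever opened that connection. Both filters agree on the legitimate traffic, so the difference only shows up on exactly the traffic a DMZ is meant to stop.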
FABIO TEREZINHO
Q&A (use the Q&A or Chat fields to ask a question)
THANKS FOR ATTENDING…
HOW TO CONTACT INDUSOFT
Email: (US) [email protected] (Brazil) [email protected] (Germany) [email protected]
Support: [email protected]
Web site: (English) www.indusoft.com (Portuguese) www.indusoft.com.br (German) www.indusoft.com.de
Phone: (512) 349-0334 (US), +55-11-3293-9139 (Brazil), +49 (0) 6227-732510 (Germany)
Toll-Free: 877-INDUSOFT (877-463-8763)
Fax: (512) 349-0375
Contact InduSoft Today