Hacker Halted 2016 - How to get into ICS Security


Uploaded by chris-sistrunk, posted 13-Apr-2017

TRANSCRIPT

How to get into ICS Security
Chris Sistrunk, PE

About Me
Chris Sistrunk, PE (@chrissistrunk)
- Electrical Engineer
- Sr. Consultant, FireEye
  - Control system security assessments
  - NSM and DFIR for ICS
- ICS Village (DEF CON & RSA Conference)
- Entergy (11+ years)
  - SCADA Engineer (10 years)
  - Project Robus (ICS protocol fuzzing): 30+ implementation vulnerabilities in DNP3 stacks
  - Substation Security Team
- BSidesJackson

How small mistakes lead to big disasters

FPL Blackout, February 26, 2008

What went wrong:
1. An engineer investigating a faulty voltage-control switch disabled two protective devices.
2. A short circuit occurred.
3. Because the protection systems were disabled, they could not contain the short circuit.

Enormous possible consequences

Qingdao, China pipeline, November 2013
Oil pipeline explosion in Qingdao, China, 22 November 2013; 62 people killed.

Guadalajara, Mexico, 1992
- 252 people were killed, nearly 500 injured and 15,000 were left homeless.
- New water pipes, made of zinc-coated iron, were built too close to an existing steel gas pipeline.
- Galvanic corrosion between dissimilar metals caused the gas pipeline to leak into the water line.

San Bruno, California, September 2010
8 deaths, 58 injured; PG&E fined $1.6 billion.

Chain of events:
1. Replacement of power supply
2. Breaker removed from service
3. Control panel loses power
4. Erroneous low-pressure signal
5. Valves open
6. Valves cannot be controlled with power out
7. Line overpressured
8. Weld breaks
9. Ignition, explosion, fire

Enterprise ICS Security: OT and IT

Talk briefly about what IT and OT are and how they work together in an enterprise. Enterprise-wide security doesn't mean just the IT side.

Some numbers
https://www2.fireeye.com/industrial-control-systems-vulnerability-trend-report-2016.html

2001-2010 = The Lost Decade
2010-Present = The Age of Stuxnet

Some numbers
- Industrial control system humans: MANY (engineers, technicians, operators, vendors, etc.)
- Security humans: ~189,000
- ICS security humans: "ICSsec" (where the two overlap)

Operational Technology
- You've got the engineering or technical background
- You know how the plant or process works
- You probably already work with:
  - ICS components like PLCs and RTUs
  - ICS protocols like Modbus, Ethernet/IP, DNP3, etc.
  - Networking (Ethernet, serial, including wireless)
  - NERC/CIP or CFATS requirements
- But you don't know IT systems, risks, threats, and security

But you may lack the IT security know-how.

Get familiar with security
- Learn
- Security conferences!
- Lots and lots of security material online (SecurityTube, etc.)
- ICS security training (ICS-CERT, SANS ICS, Red Tiger, SCADAhacker)
- SamuraiSTFU, Kali, Security Onion Linux distros
- shodan.io
- Make friends with the IT Security team

Make an ICS Security Lab
Many companies with control systems have labs. If not, you may have spare equipment lying around... get creative!

So... Stuxnet happened

What would be your Stuxnet?
- Think like a bad guy... with a hard hat!
- Like an attacker who has your prints
- Who knows... you might find a vulnerability

To make things work well, you must break them. Find evil, or ways for evil to do evil things.

Red Team and Blue Team
- Learn how to use Metasploit
- Search shodan.io
- Learn about Modbus fuzzing
- Write some Snort rules
- Read up on Digital Forensics & Incident Response (DFIR)
- Take the ICS-CERT RvB course

Energy drinks

Get to know your IT Security gurus

IT Side > ICSsec

Information Technology
- You've got the computer and networking skills
- You know how business technology works
- You probably already know:
  - Routers, switches, firewalls, domain controllers
  - Web, email, and business applications
  - Certifications like CCNA and CISSP
  - HIPAA or PCI DSS requirements
- But you don't know the engineering and physics behind the process

But you don't understand the engineering or how the process works: electrical engineering, chemical engineering, mechanical engineering, etc.

ICS Engineers
https://www.youtube.com/watch?v=RXJKdh1KZ0w

Google all the things
- Modbus.org > Modbus specification
- Tons of code on GitHub: opendnp3, modbus, etc.
- Wireshark
- Pcaps online > Netresec has a library, SANS, S4

Videos
- YouTube & Vimeo: SCADA, control systems, PLC, conference talks
- "How It's Made" marathon!

Make an ICS network at home
- Raspberry Pi: opendnp3, modbus, BACnet
- Arduino: modbus
- $15 HMI from eBay (got lucky)
- ~$700 for a new Phoenix Contact PLC

You know security, but not ICS... yet
What I am about to tell you is the single greatest secret to go from IT Security into ICS.

Donuts

Get your hardhat dirty

Ask questions
- What is it?
- Why is it important?
- How can we secure it?
Example: ladder logic on a PLC

Understand the why... then try to secure/monitor it.

Take the opportunity to collaborate
Problem: the ICS network is flat with the corporate network, and the ICS network has no logging or visibility.

IT has security goals. OT has safety and uptime goals. Can you do some things that satisfy both?

- Segmenting the network keeps commodity malware from spreading in either direction. It also keeps the operators from surfing eBay from the compressor station.
- Visibility helps the SOC watch the ingress/egress points. Visibility helps the ICS engineers keep a better inventory and find PLC misconfigurations.

ICS Security Resources

Connect!
- SCADAsec email list at Infracritical
- ICS security conferences:
  - ICSJWG (free)
  - Digital Bond's S4
  - SANS ICS Summit
  - 4SICS
  - EnergySec
  - Oil & Gas Security Summit
  - ICS Cyber Security Conference (Weisscon)

Information Sharing
National Council of ISACs:
- Downstream Natural Gas: www.dngisac.com
- Electricity: www.esisac.com
- Oil & Natural Gas: www.ongisac.org
- Water: www.waterisac.org

ISAOs coming; knowledge sharing: ICS-ISAC, BEER-ISAC

Books
- Robust Control System Networks, Ralph Langner
- Industrial Network Security, 2nd Edition, Knapp & Langill
- Cybersecurity for Industrial Control Systems, Macaulay & Singer
- Countdown to Zero Day, Kim Zetter
- Hacking Exposed Industrial Control Systems, Bodungen et al.
- Handbook of SCADA/Control Systems, 2nd Ed., Radvanovsky & Brodsky

Intelligence Sources
- ICS-CERT portal
- ISAC portals
- FBI InfraGard
- FireEye iSIGHT (ICS intel)
- Twitter #ICS #SCADA
- Google

Standards
- NIST SP 800-82 Revision 2
- IEC 62443
- NERC/CIP
- CFATS
...to name a few

Purdue Model - Reference Architecture
Levels L0, L1, L2, L3, L4

This is a reference architecture produced by academics at Purdue University, and adopted by the International Society of Automation (ISA). The entire purpose of industrial automation and control systems is to remove humans from the loop: program the logic into the machines so people don't have to be at each location taking measurements and making adjustments.

Sensors and actuators operate at Level 0. Sensors measure things in the physical world, such as flow, temperature, pressure and level. Actuators move things, like valves and connect/disconnect switches for motors. They are wired into the controller. They are generally not TCP/IP enabled, but this is changing.

Controllers are programmable devices found at Level 1. The programming specifies how the actuators move when the sensors provide certain readings. They can also include variable frequency drives and protective relays. Many of these are TCP/IP enabled.

Level 2 includes more standard computing and networking technology. SCADA stands for supervisory control and data acquisition. Supervisory means that it allows a human operator, normally seated at a human-machine interface screen, to identify abnormalities (normally by viewing alarms that pop up on the screen) and step in and issue remote commands to the system. If a process loses SCADA, nothing is going to happen, at least for a while: the logic exists in the controllers themselves to regulate the process. The job of process operators has been described as 90% intense boredom and 10% sheer panic.

The engineering workstation is used to program the control logic. You can think of this as a software development environment. Instead of languages such as Python, C, and Visual Basic, the languages used are called ladder logic, function block and structured text. This machine would normally have the ability to talk to any PLC on the network to push new logic.

This layer also includes database technology called a process historian. The historian catalogs readings from the sensors and positions of the actuators to make them available in other applications, such as predictive maintenance and process optimization efforts. The historian records data that is not displayed to the operator.

Ideally the SCADA network is segmented from the business network by a dual firewall DMZ. This facilitates firewall management, while limiting ingress and egress.
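As an added example that is not part of the talk, the Python check below applies the zoning idea above to a constructed flow log. A hypothetical asset inventory maps each host to its Purdue level (3.5 standing for the DMZ between Level 3 and Level 4), and any flow between non-adjacent levels, any Level 4 flow that bypasses the DMZ, and any controller protocol seen above Level 2 is reported. The host names, ports, flow records and the three policy rules are assumptions made for the illustration, not material from the slides.

```python
"""Purdue-model zoning check over a constructed flow log.

Added example, not from the talk. The host-to-level inventory, the flow
records and the three policy rules are hypothetical; 3.5 stands for the
DMZ that sits between Level 3 (site operations) and Level 4 (business).
"""
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


# Hypothetical asset inventory: host name -> Purdue level
LEVEL = {
    "plc-01": 1, "plc-02": 1,                       # L1 controllers
    "hmi-01": 2, "ews-01": 2, "historian-l2": 2,    # L2 supervisory / SCADA
    "historian-l3": 3, "patch-server": 3,           # L3 site operations
    "dmz-historian-mirror": 3.5, "dmz-jump": 3.5,   # DMZ between L3 and L4
    "corp-laptop-42": 4, "erp-01": 4,               # L4 business network
}

# Well-known ICS protocol ports; in this policy they belong between L1 and L2 only
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}


def check_flow(flow: Flow) -> Optional[str]:
    """Return the policy violation for one flow, or None if it is allowed."""
    for host in (flow.src, flow.dst):
        if host not in LEVEL:
            return f"unknown asset {host}: not in inventory"
    lo, hi = sorted((LEVEL[flow.src], LEVEL[flow.dst]))
    # Rule 1: business hosts never reach anything below the DMZ directly
    if hi == 4 and lo < 3.5:
        return f"L4 <-> L{lo} direct: must traverse the DMZ"
    # Rule 2: only adjacent levels talk (L3 <-> DMZ <-> L4 count as adjacent)
    if hi - lo > 1:
        return f"non-adjacent levels L{lo} <-> L{hi}"
    # Rule 3: controller protocols should not appear above L2
    if flow.dport in ICS_PORTS and hi > 2:
        return f"{ICS_PORTS[flow.dport]} seen at L{hi} host"
    return None


# Constructed flow log, e.g. exported from a tap at the DMZ firewall
SAMPLE_FLOWS = [
    Flow("hmi-01", "plc-01", 502),                        # HMI polling a PLC
    Flow("ews-01", "plc-02", 502),                        # EWS pushing logic
    Flow("historian-l3", "historian-l2", 1433),           # L3 pulls from L2
    Flow("dmz-historian-mirror", "historian-l3", 1433),   # DMZ mirror of L3
    Flow("erp-01", "dmz-historian-mirror", 443),          # business reads the DMZ
    Flow("corp-laptop-42", "plc-01", 502),                # flat-network symptom
    Flow("erp-01", "historian-l3", 1433),                 # skips the DMZ
    Flow("patch-server", "hmi-01", 502),                  # Modbus from an L3 host
    Flow("printer-7", "plc-01", 80),                      # not in the inventory
]


def audit(flows):
    """Return (flow, reason) pairs for every flow that violates the policy."""
    findings = []
    for flow in flows:
        reason = check_flow(flow)
        if reason:
            findings.append((flow, reason))
    return findings


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

Run as a script it lists the four flows that the sample policy rejects: the corporate laptop reaching a PLC, the ERP host reading the Level 3 historian without passing through the DMZ, Modbus/TCP from a Level 3 host, and a host missing from the inventory. The inventory gap is deliberately treated as a finding, since the visibility the previous slide asks for starts with knowing which assets exist at each level.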


Training
- ICS-CERT: free online training and resources; free 5-day Red vs Blue ICS exercise
- ICS vendor training
- SANS ICS: ICS410 and ICS515
- Red Tiger Security
- Lofty Perch
- SCADAhacker

Certification
There isn't a Professional Engineering license for security... but not everyone is an engineer.
GICSP is a new certification out to teach IT folks the basics of ICS and OT folks the basics of security.

Links
- https://ics-cert.us-cert.gov/Standards-and-References
- http://dx.doi.org/10.6028/NIST.SP.800-82r2
- https://scadahacker.com/library/index.html
- http://www.dhs.gov/dhs-daily-open-source-infrastructure-report
- http://news.infracritical.com/mailman/listinfo/scadasec
- http://scadaperspective.com/
- http://pen-testing.sans.org/holiday-challenge/2013
- http://www.netresec.com/?page=PcapFiles
- http://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp
- https://www.shodan.io/explore/category/industrial-control-systems
- http://www.robertmlee.org/a-collection-of-resources-for-getting-started-in-icsscada-cybersecurity/

You're still here
- What excites you about ICS security?
- Do you want to join us in ICS security?

Apply What You Have Learned Today
Next week:
- Identify critical components within your ICS network
- Find out if they have any published security vulnerabilities, or if they are connected to the IT network, or even the Internet
In the next three months:
- Understand who is accessing the ICS, from where, and why
Within six months:
- Drive an implementation project to protect the most critical ICS devices
- Develop a roadmap to enhance ICS security architecture
- Capture some ICS network traffic and look for evil
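As an added example that is not part of the talk, the Python script below does the last step of the list above on a constructed capture, using the Modbus/TCP frame layout from the public specification that the "Google all the things" slide points to (modbus.org). It parses each request's MBAP header and function code, then reports writes from hosts outside a small allow-list, diagnostic requests, and frames that do not parse. The IP addresses, the allow-list and the frames themselves are constructed for the illustration; the function codes are the public ones from the specification.

```python
"""Modbus/TCP request parser and write-monitor over a constructed capture.

Added example, not from the talk. The MBAP/PDU layout follows the public
Modbus Application Protocol and Modbus/TCP specifications (modbus.org);
the frames, host addresses and the writer allow-list below are constructed
for the illustration.
"""
import struct
from dataclasses import dataclass
from typing import List

# Public function codes from the Modbus Application Protocol specification
FC_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 43: "Read Device Identification",
}
WRITE_FCS = {5, 6, 15, 16}

# Hypothetical hosts permitted to write to controllers: the HMI and the EWS
WRITERS_ALLOWED = {"10.1.2.10", "10.1.2.11"}


class MalformedFrame(ValueError):
    pass


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2), protocol id (2, always 0 for Modbus),
    length (2, counts unit id + PDU), unit id (1). PDU = function code + data.
    """
    if len(frame) < 8:
        raise MalformedFrame("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:
        raise MalformedFrame(f"length field {length} but {len(frame) - 6} bytes follow")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Encode a request frame (used here only to construct the sample capture)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def check_request(src_ip: str, frame: bytes) -> List[str]:
    """Return alert strings for one request; an empty list means nothing notable."""
    try:
        req = parse_request(frame)
    except MalformedFrame as err:
        return [f"MALFORMED from {src_ip}: {err}"]
    name = FC_NAMES.get(req.function_code, f"function code {req.function_code}")
    alerts = []
    if req.function_code in WRITE_FCS and src_ip not in WRITERS_ALLOWED:
        alerts.append(f"WRITE from unexpected host {src_ip}: {name} to unit {req.unit_id}")
    if req.function_code == 8:
        sub = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        alerts.append(f"DIAGNOSTICS from {src_ip}: sub-function {sub} to unit {req.unit_id}")
    return alerts


# Constructed capture: (source IP, raw TCP payload sent to port 502)
SAMPLE_CAPTURE = [
    ("10.1.2.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),     # HMI polls 10 registers
    ("10.1.2.11", build_request(2, 1, 6, struct.pack(">HH", 5, 100))),    # EWS writes a setpoint
    ("10.9.0.77", build_request(3, 1, 5, struct.pack(">HH", 3, 0xFF00))), # unknown host writes a coil
    ("10.9.0.77", build_request(4, 1, 8, struct.pack(">HH", 0, 0))),      # unknown host sends diagnostics
    ("10.9.0.77", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),    # protocol id 1: not Modbus
]


def scan_capture(capture) -> List[str]:
    """Run every request through check_request and collect the alerts in order."""
    alerts = []
    for src_ip, frame in capture:
        alerts.extend(check_request(src_ip, frame))
    return alerts


if __name__ == "__main__":
    for line in scan_capture(SAMPLE_CAPTURE):
        print(line)
```

Run as a script it prints three alerts, all for the host that is not on the allow-list, and stays silent for the HMI's polling and the engineering workstation's write. The classification it applies (read versus write function code, keyed on source host) is the same one a Snort rule or a Security Onion sensor at the ingress point would encode, which is one way to pick up the "write some Snort rules" item from the Red Team and Blue Team slide; checking the protocol-id and length fields first is what keeps a monitor from misreading the malformed frames that fuzzing produces.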

Questions?
[email protected]
@chrissistrunk