Practical SCADA Cyber Security Lifecycle Steps

Jim McGlone
CMO, Kenexis

2016 ISA WWAC Symposium

Aug 2-4, 2016 – Orlando, Florida, USA

Bio

• Jim McGlone
• CMO, Kenexis
• GICSP
• ISA Safety & Security Division Director
• Tridium (Honeywell)
• Rockwell Automation
• US Navy Submarine Nuclear Reactor Operator

Introduction

• Slight changes to the process lifecycle to incorporate cybersecurity
  – Improve the ICS's ability to withstand a cyber security problem
  – Improve overall network performance and reliability
  – Specific attention will be paid to the Factory Acceptance Testing (FAT) portion of the lifecycle, recognizing the challenges of connecting new equipment into an existing process

Hackers
Who Owns The Problem

• Few publicized ICS incidents, news is about money
  – We process… at my facility, it is not critical infrastructure, and the IT department is protecting the perimeter anyway.
  – Meanwhile, an HMI station in your facility cannot get the data to refresh on one of the processes in the plant, you are not sure why, but you cannot let IT just scan your network to look for the problem

EXXONMOBIL 2014 CORPORATE CITIZEN REPORT
"On average, our cybersecurity screening programs block more than 70 million emails, 140 million Internet access attempts and 150,000 other potentially malicious actions each month."

Embedded Microprocessors
Built to Run a Very Long Time

• ICS were built to run a process in an isolated environment
  – Built to run for many years very reliably
  – Often running from commissioning until decommissioning without a code change or reboot
  – Now we connected them
  – Even directly to the Internet

SHODAN, HTTPS://WWW.SHODAN.IO

Embedded Microprocessors
Everywhere

• Embedded microprocessors can be found on virtually every asset
  – Even simple auxiliary systems have a PLC because it is easier than using relays
  – Vendor wants to monitor it as a service to keep it running well
  – HVAC industry is monitoring units over the Internet for efficiency, maintenance, and energy programs
  – These programs add great value, but they also increase the threat vectors available to the bad guys

PURDUE REFERENCE MODEL FOR CONTROL HIERARCHY

Who has access to your ICS systems?

ICS Protocols

• Industrial protocols are different from the IT-focused protocols
  – Developed to run originally on serial connections direct from a 9-pin D shell on the programming terminal and later a computer connected directly to the device
  – Developed long before you had a web browser
  – ICS protocols are proprietary by design to support inter-process communications
  – Now they are layered on Ethernet
  – Communication standard is published on the Internet
  – Commonly lack authentication or integrity checking and are vulnerable

The Problem

• Skid-based process arrives from a trusted vendor
  – It was checked out and connected into the network
  – Skid checked out clean, but the vendor’s laptop had malware on it
  – Laptop was connected to the controller for final setup
  – Ransomware broadcast itself onto most of the machines in manufacturing and the business network before IT caught it
• Unfortunately, this is a common problem
  – Similar to the Target breach, the Iranian centrifuge Stuxnet attack, and at least one nuclear power plant
  – Easy to accidentally let bad stuff in
  – Fastest way inside your company is by dropping an expensive, new-looking USB memory stick in the employee parking lot
  – It is easy to overlook connecting a piece of industrial equipment to the network on the factory floor

ICS Cybersecurity Lifecycle

• Cyber lifecycle should line up logically and support the organization until the process is shut down and decommissioned
• These are all projects that have finite budgets with start and stop time limits

ICS Cybersecurity Lifecycle
Policy

• Step One
  – Establishes Requirements & Responsibility, and Governance
  – Dictates that the vendor’s laptop and the incoming equipment are scanned prior to connecting
  – Executive Sponsorship
  – Facilitate Budgeting
  – Drives Training & Awareness
  – Solid behaviors so mistakes are infrequent
  – Response to incidents is planned and appropriate

ICS Cybersecurity Lifecycle
Cyber Design

• Before & During Design
  – Cybersecurity design phase
  – Ensure policy is met
  – Reducing the risk to the process from cyber threats with a properly designed network
  – Design cyber SAT and FAT

ICS Cybersecurity Lifecycle
Acceptance Testing

• Don’t Plug It In
  – SAT should be run on new equipment, process, systems or the facility to ensure you will not introduce a problem
  – An improper connection to your business network, an engineering computer, or remote access could cause a network performance problem right from the beginning

ICS Cybersecurity Lifecycle
Compliance Audit

• Are We Good
  – Verify periodically that staff are aware of policy and compliant
  – Determining shortcomings and needed training
  – Audits based on regulation are very different and I am going to skip it in this discussion because most of us do not need to do them yet

ICS Cybersecurity Lifecycle
Vulnerability Assessment

• Required periodically by standards, or policy, or some impetus has inspired you to get budget and have an expert evaluate your status
  – Documents the security posture of control systems
  – Identifying vulnerabilities that might result in security incidents
  – Evaluating operational and change management processes
  – Provides an actionable list of recommendations for improving security

ICS Cybersecurity Lifecycle
Vulnerability Assessment

– Vulnerability Assessment includes:
  – Design review
  – Data flow analysis
  – Traffic analysis
  – Procedure and policy review
– Focuses on the devices and connections that would allow an attacker to access
– ICS knowledge is critical
– Running IT tools to evaluate the ICS network can be hazardous

ICS Cybersecurity Lifecycle
Vulnerability Assessment

– During the walk down
  – Observations are noted
  – Ethernet communications packet traffic data is collected at key switch locations
  – Packet traffic is analyzed extensively for patterns, signatures, and traffic problems
– Configuration of devices and systems is evaluated
  – Best practices from the industry
  – Recommendations from each equipment manufacturer
  – Patch levels and patch management
  – Common misconfigurations
  – Default or common user names / passwords
  – Remote access controls
– Segmentation of business and control system networks will also be evaluated
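
The traffic analysis and segmentation checks on this slide, as an added example that is not part of the original presentation: a passive review of flow records, such as might be summarized from packet captures at key switch locations, that flags control-zone traffic crossing zone boundaries and control-zone hosts missing from the asset inventory. The subnets, inventory, approved conduit and flow records are constructed assumptions.

```python
import ipaddress

# Assumed zone plan and inventory (hypothetical values, not from the slides).
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "business": ipaddress.ip_network("10.20.0.0/16"),
}
INVENTORY = {"10.10.1.11", "10.10.1.50", "10.10.5.20"}  # assets noted on the walk down
ALLOWED = {("business", "10.10.5.20", 443)}  # approved conduit: (src zone, dst ip, dst port)

# Constructed flow records: (src ip, dst ip, dst port).
FLOWS = [
    ("10.10.1.11", "10.10.1.50", 502),   # HMI to PLC, inside the control zone
    ("10.20.3.40", "10.10.5.20", 443),   # business host to historian, approved
    ("10.20.3.77", "10.10.1.50", 502),   # business host straight to a PLC
    ("10.10.1.50", "203.0.113.9", 443),  # controller to an external address
    ("10.10.9.99", "10.10.1.50", 502),   # control-zone host missing from inventory
]


def zone_of(ip):
    """Return the zone name for an address, or 'external' if none matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def review(flows, inventory=INVENTORY, allowed=ALLOWED):
    """Return sorted (finding, src, dst, port) tuples for flows that need follow-up."""
    findings = set()
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        for ip, zone in ((src, sz), (dst, dz)):
            if zone == "control" and ip not in inventory:
                findings.add(("unknown-asset", src, dst, port))
        if sz == dz or "control" not in (sz, dz):
            continue  # same zone, or the control zone is not involved
        if "external" in (sz, dz):
            findings.add(("control-external", src, dst, port))
        elif (sz, dst, port) not in allowed:
            findings.add(("unapproved-conduit", src, dst, port))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(FLOWS):
        print(*finding)
```

Because it works only on already-collected records, this kind of review puts no traffic on the control network.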

ICS Cybersecurity Lifecycle
Vulnerability Assessment

– Penetration Testing
  – Non-Destructive
  – Vulnerability Assessment teams document what is found, but in a penetration test we pursue what we find to see how far we can get and what your ultimate vulnerability exposure looks like
  – Agreed to prior to performance

ICS Cybersecurity Lifecycle
Incident Response

• You want someone that knows the path to your door so that they can get to work as soon as possible
  – Designed the system and kept it safe all along
  – Otherwise, you are starting from zero and probably do not have time to properly evaluate all options
  – You need to know if the expert team in incident response is going to build a forensic case for you or are you hiring them to just kill the bad stuff and remove it from your networks

The Solution

• Earlier, a skid-based process arrived from a trusted vendor
  – It was checked out according to policy and the acceptance test agreed on, including an anti-virus / anti-malware scan, and a cybersecurity check for versions, default passwords, and all configurations prior to connecting it into the network
  – When the vendor arrived with a laptop, the IT team assigned the vendor a remote access connection into the corporate VPN and a remote desktop connection on one of their verified computer stations, preventing the malware from propagating onto your networks and allowing the vendor to finish
• It might seem like a little extra work and thought, but it will be far less expensive and stressful than dealing with what can happen if you don’t make the effort

Conclusion

• Process Lifecycle is ongoing, cybersecurity is too
• Projects kick off based on impetus
• Impetus varies based on lifecycle and events
  – Stale or missing data in an HMI screen or historian
  – Incident, IT catches message traffic to unknown external site
  – Policy violation, incorrect remote access
  – New process equipment, refurbished

Thank you

• Jim McGlone
  – Columbus, Ohio USA
  – [email protected]
  – www.Kenexis.com
  – +1-614-975-6783

CYBERSECURITY FOR INDUSTRIAL CONTROL SYSTEMS: SCADA, DCS, PLC, HMI, and SIS 1st Edition

by Tyson Macaulay (Author), Bryan L. Singer (Author)

INDUSTRIAL AUTOMATION AND CONTROL SYSTEM SECURITY PRINCIPLES Author: Ronald L. Krutz, Ph.D., P.E.