Securing Industrial Control Systems
Kevin Wheeler, CISSP, CISA
Agenda
1. Evolving Threat Landscape
2. Industrial Control Systems
3. Emerging Industrial Control System Threats
4. Securing Industrial Control Systems
5. Questions and Discussion
A Little About Me
• More than 15 Years of Information Security Experience
• Founder and Managing Director of InfoDefense
• Frequent Speaker at Conferences and Industry Events
• Author of IT Auditing: Using Controls to Protect Information Assets
Evolving Threat Landscape
Today’s Internet Threats
Malware Growth
In 2007: 1,431 variants per day
Attack Kits
• Kits Allow Novice Attackers to Launch Sophisticated Attacks
• Can Be Used to Easily Customize Attacks
• Create Unique Variants of Common Malware Threats
Threat Motives
• Monetary
• Political
• National Security
Industrial Control Systems
SCADA Functionality
• Industrial System Monitoring
• Industrial Actuator Control
• Used for:
  • Power Generation and Transmission
  • Water Supply
  • Oil and Gas
  • Wastewater Treatment
  • Building Management
SCADA System Architecture
Evolving Industrial Control System Threats
Industrial Control System Threats
• Nation-state Threats are Increasing
• Cyber-Terrorism Has Become More Prevalent
• SCADA Remains Inherently Insecure
Case Study: Illinois Water District
Occurred: November 8, 2011
Attack Vector: SCADA system software compromised by Russian hackers
Motive: Cyber Terrorism/Warfare
Effect of Breach: Equipment (water pump) destroyed
Remediation: IDs and passwords were changed, logical access control enhanced
https://krebsonsecurity.com/2011/11/cyber-strike-on-city-water-system/
Case Study: Iran Nuclear Program
Occurred: June, 2010
Attack Vector: SCADA system compromised by Israeli and US intelligence agencies through the Stuxnet worm
Motive: Cyber Warfare
Effect of Breach: Equipment (Siemens centrifuges used for uranium enrichment) destroyed
Remediation: Authentication and logical access control enhanced
Case Study: LA Traffic Control Center
Announced: August 21, 2006
Attack Vector: Stolen supervisor passwords
Motive: Cyber Terrorism, Union Strike
Effect of Breach: Traffic lights at four key LA intersections were disabled for four days, jamming traffic at the intersections
Remediation: Attackers eventually relinquished control of the system. The city most likely changed passwords, implemented more stringent password policies and possibly implemented a strong authentication system.
Securing Industrial Control Systems
ISA99 and ISA/IEC 62443 Standards
© Industrial Society of Automation, www.isa.org
Security Governance
1. Obtain Executive Sponsorship
2. Develop an Industrial Control System Security Committee
3. Define Policies
4. Provide Security Training for ICS Engineers
5. Implement Security Metrics and Reporting to Measure Progress
Threat and Vulnerability Management
1. Implement a System Patch Management Process
2. Disable System Services and Functions that are not Required
3. Optimize Security Configurations
4. Implement an Ongoing Threat Identification and Assessment Procedure
5. Periodically Test for Vulnerabilities
Logical Access Control
1. Isolate ICS Networks
2. Define Logical Security Zones
3. Implement Next Gen Firewall Technology
4. Deploy Role-based Access Control
5. Require Multi-factor Authentication
*Use Privileged Access Management Technology if Possible
Recommendations
1. Centralize Network Access to Supervisory Level Industrial Control Systems Using Next Generation Firewall Technology
2. Provide Centralized Authentication and Accounting (Logging) for Industrial Control System Access
3. Isolate Industrial Control Network Access Using VPNs Over Internal Networks and VLANs to the Supervisory Level
4. Harden SCADA Management Systems as Single Purpose Devices
5. Monitor Supervisory Level Database Activity
6. Authenticate and Encrypt Dial-up and Wireless Access to Out-of-band Control Level PLCs and RTUs
7. Physically Secure the Device Level at Facilities
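One way to check recorded traffic against the zone model these recommendations imply (corporate network, supervisory level, control level), as an added example that is not part of the original slides. The address plan, the conduit table and the flow records are constructed assumptions.

```python
import ipaddress

# Assumed address plan (constructed for illustration, not from the slides).
ZONES = {
    "corporate":   ipaddress.ip_network("10.10.0.0/16"),
    "supervisory": ipaddress.ip_network("10.20.0.0/24"),
    "control":     ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed conduits between zones: (src_zone, dst_zone) -> requirements.
# Anything not listed here is treated as a violation (default deny).
CONDUITS = {
    ("corporate", "supervisory"): {"vpn": True, "authenticated": True},
    ("supervisory", "control"):   {"vpn": False, "authenticated": True},
}

def zone_of(addr):
    """Return the zone name for an address, or 'unknown' if unmapped."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in ZONES.items() if ip in net), "unknown")

def audit(flows):
    """Return (flow, reason) for each flow that violates the zone model."""
    findings = []
    for f in flows:
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        if src == dst and src != "unknown":
            continue  # intra-zone traffic is out of scope for this check
        rule = CONDUITS.get((src, dst))
        if rule is None:
            findings.append((f, f"no conduit {src} -> {dst}"))
        elif rule["vpn"] and not f["vpn"]:
            findings.append((f, f"{src} -> {dst} must traverse the VPN"))
        elif rule["authenticated"] and not f["authenticated"]:
            findings.append((f, f"{src} -> {dst} lacks authentication"))
    return findings

# Constructed sample flow records (e.g. exported from firewall accounting logs).
SAMPLE_FLOWS = [
    {"src": "10.10.4.7",   "dst": "10.20.0.5",  "vpn": True,  "authenticated": True},
    {"src": "10.10.4.9",   "dst": "10.20.0.5",  "vpn": False, "authenticated": True},
    {"src": "10.10.4.9",   "dst": "10.30.0.12", "vpn": True,  "authenticated": True},
    {"src": "10.20.0.5",   "dst": "10.30.0.12", "vpn": False, "authenticated": True},
    {"src": "203.0.113.8", "dst": "10.30.0.12", "vpn": False, "authenticated": False},
]

for flow, reason in audit(SAMPLE_FLOWS):
    print(f'{flow["src"]} -> {flow["dst"]}: {reason}')
```

Run against real firewall accounting data, the same default-deny comparison surfaces any path that bypasses the supervisory level or reaches the control level from outside the defined zones.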
SCADA Security Architecture
[Figure: SCADA security architecture diagram; labels: VPN, Authentication, Corporate Network]
Key Trends of the Future
Enterprise Information Security
Information Security Controls
• Technical Controls
• Physical Controls
• Administrative Controls
Information Security Maturity
© ISACA
Information Security Lifecycle (Industrial Control System Security)
• Risk Assessment
• Security Strategy
• Security Policy
• Security Architecture
• Security Management
• Assurance and Measurement
Security Governance
[Company Logo]
Policy Title: Information Protection Policy
Policy Number: ITP-01
Version: 0.1
Effective Date: mm/dd/yyyy
Approved By: (Authorized Signer Name)
Date Approved
Overview
Description: This policy contains high-level information protection mandates as set forth by executive management in response to enterprise risk and regulatory compliance requirements. As with all corporate IT policies, supporting standards outline the technical security requirements and procedures outline the methods used to create or maintain security controls. The following policy statements are not meant to specify the methods of protection.
Purpose: The Information Protection Policy was set forth to protect [Company Name] from unauthorized information disclosure and other information security risks. Many of the policy statements below have been developed in response to regulatory requirements.
Applicability: There are two audiences for policies: general users and users that perform IT functions. This policy is directed at users that perform IT functions.
Sanctions for Non-compliance: This policy is compulsory. Failure to comply may result in reprimand and/or employment termination.
Policy Statements
Policy: Information will be protected in a way that reduces IT risk and complies with applicable regulations.
Clarifying Policy Statements:
1) System access must be strictly controlled. See the Access Control Standard for additional details.
2) Sensitive information residing on enterprise systems must be protected by appropriate security controls according to its level of sensitivity. See the Systems Security Policy and Sensitive Information Protection Standard for additional information.
3) Private cryptographic keys must be stored and managed in a secure manner. See the Encryption Standard for more information.
4) New employees, contract employees and business partners that will have access to sensitive information must undergo a background check.
Security Architecture
ISA99 General Concepts
• Security Context
• Security Objectives
• Defense in Depth
• Threat-Risk Assessment
• Security Program Maturity
• Policies
• Role Based Access Control