This is the presentation I made at CornCON II: The Wrath OF Corn. The intent of this presentation is to put more tools in your toolbox to help protect Industrial Control Systems, SCADA or Distributed Control Systems from threats and vulnerabilities.
3. In brief
► Nordic and US-based steel company with a global reach
► Leading producer of Advanced High Strength Steels
► About 17,300 employees in 50 countries
► Steel production facilities in Sweden, Finland and the US
► Annual steel production capacity of 8.8 million tons
► Listed on multiple public exchanges
100% recyclable products; 97% recycled raw materials, saving 600,000 tires per year; production results in 66% less CO2 emissions; over 1 million gallons of water recycled a year. Aiming for a CO2-free process: the Iowa facility makes steel using 40% wind power.
4. 17,300 employees in over 50 countries
[Map: SSAB production sites, with main production sites in Sweden, Finland and the US, and sales coverage]
5. Disclaimer
The views expressed in this presentation are those of the author and do not necessarily reflect the views of SSAB, IEEE or the Quad Cities Cyber Security Alliance.
This presentation is “TLP: White” and may be distributed, shared, remixed and reused without restriction.
6. Good to have a goal
Your primary responsibility is to prevent compromise.
You need to preserve the safety and reliability of the physical process, not the system itself.
Adequately protect systems
ICS system failure can result in:
◦ Loss of life
◦ Loss of revenue
◦ Loss of equipment
◦ Environmental damage
◦ Loss of service
7. Basics
Know your network
Know your hosts
Know your enemy
Know what your enemy knows
Protection is key but detection is a must
Apply principles of least privilege
Apply defense in depth
Use what you have
8. You are not alone!
Quad Cities Cyber Security Alliance
https://www.facebook.com/groups/QCCyber/
US-CERT & ICS-CERT
www.us-cert.gov – ics-cert.us-cert.gov
877-776-7585
NIST - www.nist.gov
SCADAHACKER - https://scadahacker.com
C3 voluntary program – https://www.us-cert.gov/ccubedvp
DHS – AIS and CISCP - cyberadvisor@hq.dhs.gov
https://www.dhs.gov/topic/cybersecurity-information-sharing
https://www.us-cert.gov/ais
https://www.dhs.gov/ciscp
InfraGard - www.infragard.org
FIRST.org and Information Sharing and Analysis Centers (ISACs)
National Strategy for Securing Control Systems
https://ics-cert.us-cert.gov/sites/default/files/documents/Strategy%20for%20Securing%20Control%20Systems.pdf
9. Network and Share
InfraGard - www.infragard.org
American Society for Industrial Security - www.asisonline.org
National Cybersecurity Partnership
HSIN – dhs.gov/homeland-security-information-network-hsin
Professional Relationships
LinkedIn Groups - Industrial Control System Cyber Security (ICS-CS) - linkedin.com/topic/industrial-control-systems-security
Local Organizations
◦ Quad Cities Cyber Security Alliance
◦ IEEE
◦ ISACA
11. What is it?
Standard expression of current state
Standard way to express who you want to be when you grow up.
Identify and prioritize opportunities to improve
Measure progress
Drives communication to teams and management
13. Identify
Asset Management
Identify and Categorize Risks
Identify Stakeholder Communities
Identify the correct Controls for your risks
Secure Network Interconnections
Identify Special Protocols
Perform Risk Assessments
Perform Protocol Analysis
Strategies
Indicators of Compromise
14. ICS-CERT will train you – For FREE
What is available?
https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
Operational Security (OPSEC) for Control Systems (100W) - 1 hour
Cybersecurity for Industrial Control Systems (210W) - 15 hours
The 210W courses are:
210W-01 Differences in Deployments of Industrial Control Systems (ICS)
210W-02 Influence of Common Information Technology (IT) Components on ICS
210W-03 Common ICS Components
210W-04 Cybersecurity within IT and ICS Domains
210W-05 Cybersecurity Risk
210W-06 Current Trends - Threats
210W-07 Current Trends - Vulnerabilities
210W-08 Determining the Impact of a Cybersecurity Incident
210W-09 Attack Methodologies in IT and ICS
210W-10 Mapping IT Defense-in-Depth Security Solutions to ICS
ICS-CERT Virtual Training Portal
https://ics-cert-training.inl.gov
15. TEEX will also train you for free
What is available?
AWR138 Network Assurance
AWR139 Digital Forensics Basics
AWR168 Cyber Law and White Collar Crime
AWR169 Cyber Incident Analysis and Response
AWR173 Information Security Basics
AWR174 Cyber Ethics
AWR175 Information Security for Everyone
AWR176 Disaster Recovery for Information Systems
AWR177 Information Risk Management
AWR178 Secure Software
ICS-CERT Virtual Training Portal
https://teex.org/Pages/Program.aspx?catID=199
Source:
https://teex.org/Pages/default.aspx
16. FEMA will also train you for free
What is available?
Set up a free FEMA Student ID
https://cdp.dhs.gov/FEMASID
FEMA Continuity of Operations Workshop
https://www.fema.gov/continuity-operations-workshops
Incident Command System (ICS) training
Critical Infrastructure Support
National Infrastructure Plan
Protecting Critical Infrastructure Against Insider Threats
17. You get millions of dollars of research for free
What is available?
NIST Computer Security Resource Center
SP800-82 ICS Security
Developing a Risk Program
Secure Architecture
ICS Security Controls
ICS-CERT Defense-in-depth recommended practices
18. Start a project
“If you don’t start somewhere, you’re gonna go nowhere.” – Bob Marley
Build a risk based program
Know what you’re protecting
Segment in trust boundaries
Develop ICS relevant policies
Build a 60-second elevator pitch and Always Be Closing
20. Know your stakeholders
Legal Team
Safety Team
ICS Engineers
Procurement Teams
Sr. Management Teams
Human Resources
Inside and Outside Sales
Quality
Research and Development
21. Many hands make light work
Don’t try and do it all yourself.
Divide work by stakeholder teams.
Ensure stakeholder teams understand their roles.
22. Work top down
Start at the TOP!
Have the top ask their managers for support.
Work with those managers to ask them for support.
Keep pushing to the bottom.
23. Cyber Resilience Review
Self Assessment - Simple PDF Questionnaire
Built before the NIST CSF; has been built on top of the CERT Resilience Management Model (RMM)
Measure your maturity in:
1 Asset Management
2 Controls Management
3 Configuration and Change Management
4 Vulnerability Management
5 Incident Management
6 Service Continuity Management
7 Risk Management
8 External Dependencies Management
9 Training and Awareness
10 Situational Awareness
Source:
https://www.us-cert.gov/ccubedvp/assessments
28. Cyber Security Evaluation Tool (CSET)
DHS Cyber Security Evaluation Tool
Systematic
Disciplined
Repeatable
Version 8 launches September 13 for download
Supports 35 Industry Accepted Cybersecurity Standards
Supporting general environments, with Chemical, Oil, Gas, Electrical, Nuclear and other models also available.
Key Questions and Universal Questions
SP800-53, SP800-171, SP800-82
Wizard Based Assurance Level Calculator
Import and Export for Visio Drawings
Reports in PDF or DOCX:
Executive Summary, Site Summary, Detail Report, Security Plan
Source:
https://teex.org/Pages/default.aspx
29. Control System Architecture Analysis
Design Architecture Review (DAR)
2 to 3 day review of Network Architecture
On site by DHS staff (INL)
Meet with Information Technology and Operational Technology Teams
Review Vendor Support
Review Cyber Security Controls
Review Asset Inventory
ICS Network Architecture
Review Protective and Detective Controls
Review Device Configuration
Physical Security of Critical Assets
Source:
https://ics-cert.us-cert.gov/Assessments
32. Control System Architecture Analysis
Network Architecture Verification and Validation
Review Protocol Hierarchy – Data flows and organization of network
Review Netflow device-to-device communication
Review traffic attempting to traverse boundaries
Baseline of network traffic
Validates that the network is clean and clear of known threats
Source:
https://ics-cert.us-cert.gov/Assessments
33. Infrastructure Visualization Platform
Supports Critical Infrastructure and Emergency Responders
DHS scans the environment and provides you with several copies
including viewpoints of Hostile Targets and Civil Response
Helps first-responder teams help you during a cyber-physical event
Source:
https://www.dhs.gov/infrastructure-visualization-platform
34. Open Source Tools
YARA - plusvic.github.io/yara/
Yara Rules – ICS-CERT or http://yararules.com/
Wireshark - https://www.wireshark.org/
Moonsols Memory Toolkit - DumpIt – www.moonsols.com
Laura Chappell on YouTube
“Introduction to Wireshark Course WTC01 & WTC02”
Grass Marlin - https://github.com/iadgov/GRASSMARLIN
Google Dorking
Shodan – shodan.io
Windows Built-In Tools
35. Windows Built-In Tools
> tasklist /svc - List all services running on a host
> netstat -noa – List all ports with the associated process ID (PID)
Batch file that collects a host baseline into the file passed as %1:
◦ date /t > %1
◦ time /t >> %1
◦ whoami >> %1
◦ systeminfo >> %1
◦ ipconfig /all >> %1
◦ arp -a >> %1
◦ netstat -b >> %1
◦ schtasks >> %1
◦ doskey /h >> %1
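The two commands above are most useful together: netstat gives you the PID behind each open port and tasklist /svc tells you which image and services own that PID. Here is an added example (not from the presentation) that joins the two outputs and flags listeners that are not in a host's expected baseline; both command outputs, the image names, the PIDs and the baseline port set are constructed for a hypothetical HMI host.

```python
"""Join 'netstat -noa' with 'tasklist /svc' to map open ports to processes.
Added example, not from the presentation: both command outputs below are
constructed sample text in the layout the Windows tools print; image names,
PIDs and the baseline port set are made up for a hypothetical HMI host.
"""
import re

NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:502            0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       3120
  TCP    192.168.10.5:49700     10.20.30.40:443        ESTABLISHED     3120
  UDP    0.0.0.0:161            *:*                                    1460
"""
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    888 RpcEptMapper, RpcSs
snmp.exe                      1460 SNMP
hmi_modbus.exe                2044 N/A
updater.exe                   3120 N/A
"""
BASELINE_PORTS = {135, 445, 502, 161}  # expected: RPC, SMB, Modbus/TCP, SNMP

def parse_netstat(text):
    """Yield (proto, local_port, state, pid) for each TCP/UDP line."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, _foreign, state, pid = parts
        else:  # UDP lines have no State column
            proto, local, _foreign, pid = parts
            state = ""
        # rsplit keeps IPv6 literals such as [::]:161 intact
        yield proto, int(local.rsplit(":", 1)[1]), state, int(pid)

def parse_tasklist(text):
    """Map PID -> (image name, services); assumes image names without spaces."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return procs

def review_host(netstat_text, tasklist_text, baseline=BASELINE_PORTS):
    """Return (proto, port, pid, image, services) for listeners off-baseline."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if (state == "LISTENING" or proto == "UDP") and port not in baseline:
            image, services = procs.get(pid, ("<unknown>", ""))
            findings.append((proto, port, pid, image, services))
    return findings
```

Run it against saved output from a known-good build of each host type, then diff later runs against that baseline; the one listener it reports on the sample data is the 8443/TCP socket owned by the unexpected updater.exe process.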
36. Technology and Innovation
New products are coming to market from security companies that understand ICS and SCADA protocols. Not just for TCP anymore:
Modbus
Profinet
BACNet
S7
OPC
…and more…
ICS Vendors are catching up
Traditional vendors are branching out.
38. Sample Questions
[Procurement] Are appropriate agreements finalized before access is
granted, including for third parties and contractors?
[Code Protection] Are malicious code protection mechanisms used at
system entry and exit points and at workstations, servers, or mobile
computing devices?
[Media Control] Is the capability for automatic execution of
code on removable media disabled?
[Physical Security] Is entry to the facility controlled by physical
access devices and/or guards?
[Awareness Training] Is basic security awareness training provided to all system users before authorizing access?
Editor's Notes
Q. How many people are here at CornCON for the first time?
30 years technical experience, 27 years IT Experience,
Information Security Manager, IT for SSAB Americas
Founding member of the Quad Cities Cybersecurity Alliance
Experience in Electronics, Field Service, ISP Webmaster and Internet Services, and Enterprise Communications.
Founding member of the Quad Cities Cybersecurity Alliance; member of IEEE and the Chicago InfraGard Chapter
Certified by FEMA, HP, CompTIA, Microsoft, and others
Previous positions as Project Manager, Server Management, Critical Infrastructure Management and IT Operations Management.
Q. Who do we have in the room?
Manufacturing?
Energy?
Nuclear?
Power?
Brewing or other scientific?
Automated Indicator Sharing
Cyber Information Sharing and Collaboration Program
Q. Who is an alliance member?
Q. Any C-Cubed Members?
Q. Anyone using the NIST CSF?
It’s a little simplistic but a good start. Up to 30% of organizations are already using CSF in some manner
Powerful Crosswalks available.
Identify protect and detect are right on. Respond and recover is a little lackluster in an ICS environment.
If you are trying to protect a process and not information, once the genie is out of the bottle, well, it’s over.
Q. Anyone here with a FEMA Training ID?
All Control systems are software and all software can be hacked!
Create a business case for an ICS Security Program, prioritize your potential costs, and estimate damage scenarios.
How many could be hospitalized? How many could be killed, what is the potential for capital investment loss, what is the potential for an environmental cleanup need?
Know your brushes from your diamonds. If you try to protect your toothbrushes and your diamonds alike, you will lose fewer toothbrushes and more diamonds.
Use a risk-based approach – know what you are protecting, your threats, vulnerabilities, likelihood and impact – only you can know these things in your context.
Before Video:
Reflecting on this story will help you to understand why SSAB and myself both care deeply about protecting industrial control systems.
This is a news story from 2014 that talks about another steel company from Germany. Just to be clear this is not an SSAB facility.
After Video:
The steel company depicted in this video lost the ability to control their furnaces, and eventually this led to a runaway condition that resulted in the loss of property. In this case it was just property. Industrial controls control physical processes, and so the consequences of a breach are often much higher than in traditional IT systems.
Q. What other stakeholder groups might we see?
This slide contains video content with audio –
ICS-CERT maintains a little known but powerful tool called the Cybersecurity Evaluation Toolkit.
If you are interested in Cybersecurity it is likely you would benefit from CSET.
CSET offers a wizard-based approach to setting security assurance levels, flexible standards, network diagramming tools, an extensive resource library good for anyone interested in cyber, and custom reporting tools.
The analysis screen provides you with a way to measure your security posture against selected standards and uses charts to provide a visual display of your data and at the same time allows for comparisons across categories, questions, and subject areas.
The analysis screen will also allow you to drill down on specific data from a given chart for more information.
The charts presented are fixed and dependent on your evaluation mode.
Selecting the CSF evaluation mode will result in a different set of charts than the question or framework modes.
One of the fundamental decisions you must make when performing an evaluation is to select a Security Assurance level. Sometimes you know based on a standard what level you need to conform to, but others may not have a clue where to start to determine what assurance level is best.
CSET offers several ways to make this decision.
Using CSET – setting an assurance level
Manually Set – Low, Moderate, High or Very High for each of CIA
Questions based YES or NO answers questions using FIPS and NIST standards as guidance.
Consequence based approach uses a series of sliders to indicate a number of people or dollar from each category.
An assurance level set to low will result in questions later that are less demanding than would result from a moderate, high or very high assurance level.
See in SP800-82 – Zones establish a trust boundary and in over 200 incidents each year ICS-CERT finds boundary protection to be a key finding.
Big flat networks are bad – they expose you – don’t build them.
The following zones segment information architecture into five basic functions:
External Zone is the area of connectivity to the Internet, communication with peer, and remote facilities. It is the point of connectivity that is usually considered untrusted. For industrial control systems, the external zone has the least amount of priority and the highest variety of risks.
Corporate Zone is the area of connectivity for corporate communications. E-mail servers, DNS servers, and IT business system infrastructure components are typical resources in this zone. A wide variety of risks exist in this zone because of the amount of systems and connectivity to the External Zone. However, because of the maturity of the security posture and redundancy of systems, the Corporate Zone’s precedence can be considered to be at a lower priority than other zones, but much higher than the External Zone.
Manufacturing/Data Zone is the area of connectivity where the vast majority of monitoring and control takes place. It is a critical area for continuity and management of a control network. Operational support and engineering management devices are located in this zone alongside special servers called data historians that log events. The Manufacturing Zone is central in the operation of both the end devices and the business requirements of the Corporate Zone, and the priority of this area is considered to be high. Risks are associated with direct connectivity to the External Zone and the Corporate Zone.
Control Zone is the area of connectivity to devices such as Programmable Logic Controllers (PLCs), HMIs, and basic input/output devices such as actuators and sensors. The priority of this zone is very high as this is the area where the functions of the devices affect the physical end devices. In a modern control network, these devices will have support for TCP/IP and other common protocols.
Safety Zone usually has the highest priority because these devices have the ability to automatically control the safety level of an end device (such as Safety Instrument Systems). Typically, the risk is lower in this zone as these devices are only connected to the end devices but recently many of these devices have started to offer functionality for TCP/IP connectivity for the purposes of remote monitoring and redundancy support.
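The NAVV review on slide 32 (NetFlow device-to-device communication and traffic attempting to traverse boundaries) is, in essence, checking observed flows against this zone model. The following added example (not from the presentation or SP800-82) does a light version of that check: it maps addresses to zones, flags flows that skip an intermediate zone, and flags any boundary crossing that has no documented conduit. The subnet plan, conduit allowlist and flow records are all constructed.

```python
"""Review observed flows against the five-zone model described in the notes.
Added example, not from the presentation or SP800-82. The zone subnet plan,
conduit allowlist and flow records are constructed; substitute your own
NetFlow export and segmentation plan.
"""
import ipaddress

# Zones in increasing order of priority, as the notes rank them.
ZONES = ["External", "Corporate", "Manufacturing", "Control", "Safety"]
RANK = {zone: i for i, zone in enumerate(ZONES)}

# Constructed subnet plan; addresses matching no entry count as External.
SUBNETS = {
    "Corporate": ["10.1.0.0/16"],
    "Manufacturing": ["10.20.0.0/16"],
    "Control": ["192.168.10.0/24"],
    "Safety": ["192.168.20.0/24"],
}

# Conduits: the only boundary crossings that are documented and permitted.
CONDUITS = {
    ("Corporate", "Manufacturing", "TCP", 443),  # historian web reports
    ("Manufacturing", "Control", "TCP", 502),    # Modbus/TCP polling by HMI
}

# Constructed flow records (src, dst, proto, dst port), as a NetFlow
# review of traffic attempting to traverse boundaries would produce.
FLOWS = [
    ("10.20.5.10", "192.168.10.21", "TCP", 502),     # HMI -> PLC
    ("10.1.7.44", "10.20.5.50", "TCP", 443),         # office -> historian
    ("10.1.7.44", "192.168.10.21", "TCP", 502),      # office -> PLC
    ("203.0.113.9", "10.20.5.50", "TCP", 3389),      # Internet -> historian
    ("10.20.5.10", "192.168.20.5", "TCP", 102),      # HMI -> safety system
    ("192.168.10.21", "192.168.10.22", "TCP", 502),  # PLC -> PLC
]

def zone_of(ip):
    """Map an address to its zone using the subnet plan."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in SUBNETS.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return "External"

def check_flow(src, dst, proto, dport):
    """Return issue strings for one flow; an empty list means acceptable."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return []  # intra-zone traffic is not a boundary crossing
    issues = []
    if abs(RANK[sz] - RANK[dz]) > 1:
        issues.append(f"{sz} -> {dz} skips an intermediate zone")
    if (sz, dz, proto, dport) not in CONDUITS:
        issues.append(f"{sz} -> {dz} {proto}/{dport} has no defined conduit")
    return issues

def review_flows(flows=FLOWS):
    """Return {flow: issues} for every flow that violates the zone model."""
    return {f: check_flow(*f) for f in flows if check_flow(*f)}
```

On the sample data the two conduit flows and the PLC-to-PLC flow pass; the office-to-PLC, Internet-to-historian and HMI-to-safety flows are each reported with both issues.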
Look at functionality – correctness - reliability usability
You can do a light version of this yourself – but not the analytics. These are performed by running the data through Security Onion and Bro Scripts