This is the presentation I made at CornCON II: The Wrath OF Corn. The intent of this presentation is to put more tools in your toolbox to help protect Industrial Control Systems, SCADA or Distributed Control Systems from threats and vulnerabilities.

1. Securing Industrial
Control Systems
Eric Andresen
CornCON 2016
September 17, 2016

2. Eric Andresen
https://www.linkedin.com/in/andresen1206
2

3. In brief
► Nordic and US-based steel company with a global reach
► Leading producer of Advanced High Strength Steels
► About 17,300 employees in 50 countries
► Steel production facilities in Sweden, Finland and the US
► Annual steel production capacity of 8.8 million tons
► Listed on multiple public exchanges
100% Recyclable Products – 97% recycled raw materials,
saving 600,000 tires per year, production results in 66% less
CO2 emissions, recycle over 1 Million gallons of water a
year. Aiming for a CO2 free process Iowa facility makes steel
using 40% wind power.
3

4. 17,300 employees in over 50 countries
Nordic
Main production sites
in Sweden, Finland and US –
SSAB production sites
Sales coverage
4

5. Disclaimer
The views expressed in this presentation
are those of the author and do not
necessarily reflect the views of SSAB, IEEE
or the Quad Cities Cyber Security Alliance.
This presentation is “TLP: White” and may
be distributed, shared, remixed and reused
without restriction.
5

6. Good to have a goal
Your primary responsibility is to prevent
compromise.
You need to preserve the safety and reliability of
the physical process and not the system itself.
Adequately protect systems
ICS system failure can result in:
◦ Loss of life
◦ Loss of revenue
◦ Loss of equipment
◦ Environmental damage
◦ Loss of service
6

7. Basics
Know your network
Know your hosts
Know your enemy
Know what your enemy knows
Protection is key but detection is a must
Apply principals of least privilege
Apply defense in depth
Use what you have
7

8. You are not alone!
Quad Cities Cyber Security Alliance
https://www.facebook.com/groups/QCCyber/
US-CERT & ICS-CERT
www.us-cert.gov – ics-cert.us-cert.gov
877-776-7585
NIST - www.nist.gov
SCADAHACKER - https://scadahacker.com
C3 voluntary program –
https://www.us-cert.gov/ccubedvp
DHS – AIS and CISCP - cyberadvisor@hq.dhs.gov
https://www.dhs.gov/topic/cybersecurity-information-sharing
https://www.us-cert.gov/ais
https://www.dhs.gov/ciscp
InfraGard - www.infragard.org
FIRST.org and Information Sharing and Analysis Centers (ISACs)
National Strategy for Securing Control Systems
https://ics-cert.us-cert.gov/sites/default/files/documents/Strategy%20for%20Securing%20Control%20Systems.pdf

9. Network and Share
 InfraGard - www.infragard.org
 American Society for Industrial Security - www.asisonline.org
 National Cybersecurity Partnership
 HSIN –
dhs.gov/homeland-security-information-network-hsin
 Professional Relationships
 LinkedIn Groups - Industrial Control System Cyber Security
(ICS-CS) - linkedin.com/topic/industrial-control-systems-
security
 Local Organizations
◦ Quad Cities Cyber Security Alliance
◦ IEEE
◦ ISACA

10. Leverage CSF
NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/
10

11. What is it?
 Standard expression of current state
 Standard way to express who you want to
be when you grow up.
 Identify and prioritize opportunities to
improve
 Measure Progress
 Drives communication to teams and
management
11

12. What’s in it?
 CORE SET
 Tiers
 Profiles
12

13. Identify
 Asset Management
 Identify and Categorize Risks
 Identify Stakeholder Communities
 Identify the correct Controls for your risks
 Secure Network Interconnections
 Identify Special Protocols
 Perform Risk Assessments
 Perform Protocol Analysis
 Strategies
 Indicators of Compromise
13

14. ICS-CERT will train you – For FREE
What is available?
https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
Operational Security (OPSEC) for Control Systems (100W) - 1 hour
Cybersecurity for Industrial Control Systems (210W) - 15 hours
The 210W courses are:
210W-01 Differences in Deployments of Industrial Control Systems (ICS)
210W-02 Influence of Common Information Technology (IT) Components on ICS
210W-03 Common ICS Components
210W-04 Cybersecurity within IT and ICS Domains
210W-05 Cybersecurity Risk
210W-06 Current Trends - Threats
210W-07 Current Trends - Vulnerabilities
210W-08 Determining the Impact of a Cybersecurity Incident
210W-09 Attack Methodologies in IT and ICS
210W-10 Mapping IT Defense-in-Depth Security Solutions to ICS
ICS- CERT Virtual Training Portal
https://ics-cert-training.inl.gov

15. TEEX will also train you for free
What is available?
AWR138 Network Assurance
AWR139 Digital Forensics Basics
AWR168 Cyber Law and White Collar Crime
AWR169 Cyber Incident Analysis and Response
AWR173 Information Security Basics
AWR174 Cyber Ethics
AWR175 Information Security for Everyone
AWR176 Disaster Recovery for Information Systems
AWR177 Information Risk Management
AWR178 Secure Software
ICS- CERT Virtual Training Portal
https://teex.org/Pages/Program.aspx?catID=199
Source:
https://teex.org/Pages/default.aspx

16. FEMA will also train you for free
What is available?
Setup a free FEMA Student ID
https://cdp.dhs.gov/FEMASID
FEMA Continuity of Operations Workshop
https://www.fema.gov/continuity-operations-workshops
Incident Command System (ICS) training
Critical Infrastructure Support
National Infrastructure Plan
Protecting Critical Infrastructure Against Insider Threats

17. You get millions of dollars of research for free
What is available?
NIST Computer Security Resource Center
SP800-82 ICS Security
Developing a Risk Program
Secure Architecture
ICS Security Controls
ICS-CERT Defense-in-depth recommended practices

18. Start a project
If you don’t start somewhere
– you’re gonna go nowhere. –
Bob Marley
Build a risk based program
Know what your protecting
Segment in trust boundaries
Develop ICS relevant policies
Build a 60 second elevator
pitch and Always Be Closing

19. Industry Activity
Source:
https://www.youtube.com/watch?v=OVMwI2TWrZw

20. Know your stakeholders
Legal Team
Safety Team
ICS Engineers
Procurement Teams
Sr. Management Teams
Human Resources
Inside and Outside Sales
Quality
Research and Development

21. Many hands make light work
Don’t try and do it all yourself.
Divide work by stakeholder teams.
Ensure stakeholder teams understand their roles.

22. Work top down
Start at the TOP!
Have the top ask their managers
for support.
Work with those managers to
ask them for support.
Keep pushing to the bottom.

23. Cyber Resilience Review
Self Assessment - Simple PDF Questionnaire
Built before NIST CSF / Has been
Build on top of CERT-Resilience Management Model (RMM)
Measure your maturity in:
1 Asset Management
2 Controls Management
3 Configuration and Change Management
4 Vulnerability Management
5 Incident Management
6 Service Continuity Management
7 Risk Management
8 External Dependencies Management
9 Training and Awareness
10 Situational Awareness
Source:
https://www.us-cert.gov/ccubedvp/assessments

24. ICS-CERT CyberSecurity
Evaluation Tool - CSET
Source:
https://www.youtube.com/watch?v=nvVeeWvw97E&list=PLEFu5pmwnq0pZyEOWgysq4OzI_FIQaXhM&index=3

25. CSET Features
 Wizard approach to
setting security
assurance levels.
 Flexible standards
 Network diagrams
 Extensive Resource
Library
 Reporting

26. CSET Features–Analysis
26

27. CSET Features – Assurance Level
27

28. Cyber Security Evaluation Tool (CSET)
DHS Cyber Security Evaluation Tool
 Systematic
 Disciplined
 Repeatable
Version 8 launches September 13 for download
Supports 35 Industry Accepted Cybersecurity Standards
Supporting general environments as well as Chemical, Oil, Gas,
Electrical, Nuclear, and other models available.
Key Questions and Universal Questions
SP800-53, SP800-171, SP800-82
Wizard Based Assurance Level Calculator
Import and Export for Visio Drawings
Reports in PDF or DOCX:
Executive Summary, Site Summary, Detail Report, Security Plan
Source:
https://teex.org/Pages/default.aspx

29. Control System Architecture Analysis
Design Architecture Review (DAR)
2 to 3 day review of Network Architecture
On site by DHS staff ( iNL)
Meet with Information Technology and Operational Technology Teams
Review Vendor Support
Review Cyber Security Controls
Review Asset Inventory
ICS Network Architecture
Review Protective and Detective Controls
Review Device Configuration
Physical Security of Critical Assets
Source:
https://ics-cert.us-cert.gov/Assessments

30. Network Architecture - Zoning
30

31. Network Architecture - Zoning
31

32. Control System Architecture Analysis
Network Architecture Verification and
Validation
Review Protocol Hierarchy – Data flows and organization of network
Review Netflow device-to-device communication
Review traffic attempting to traverse boundaries
Baseline of network traffic
Validates that the network is clean and clear of known threats
Source:
https://ics-cert.us-cert.gov/Assessments

33. Infrastructure Visualization Platform
Supports Critical Infrastructure and Emergency Responders
DHS scans the environment and provides you with several copies
including viewpoints of Hostile Targets and Civil Response
Helps First responder teams help you during a Cyber Physical Event
Source:
https://www.dhs.gov/infrastructure-visualization-platform

34. Open Source Tools
 YARA - plusvic.github.io/yara/
 Yara Rules – ICS-CERT or http://yararules.com/
 Wireshark - https://www.wireshark.org/
 Moonsols Memory Toolkit - DumpIT –
www.moonsols.com
 Laura Chapell on YouTube
“Introduction to Wireshark Course WTC01 & WTC02”
 Grass Marlin -
https://github.com/iadgov/GRASSMARLIN
 Google Dorking
 Shodan – shodan.io
 Windows Built-In Tools

35. Windows Built-In Tools
> tasklist /svc - List all services running on a host
> Netstat –noa – List all ports with associated task number
◦ date /t > %1
◦ time /t >> %1
◦ whoami >> %1
◦ systeminfo >> %1
◦ ipconfig /all >> %1
◦ arp -a >> %1
◦ netstat -b >> %1
◦ schtasks >> %1
◦ doskey /h >> %1

36. Technology and Innovation
New Products are coming to market from security companies that
understand ICS and Scada Protocols. Not just for TCP anymore:
Modebus
Profinet
BACNet
S7
OPC
…and more…
ICS Vendors are catching up
Traditional Vendors are branching out….

37. Questions
Eric Andresen
https://www.linkedin.com/in/andresen1206

38. Sample Questions
 [Procurement] Are appropriate agreements finalized before access is
granted, including for third parties and contractors?
 [Code Protection] Are malicious code protection mechanisms used at
system entry and exit points and at workstations, servers, or mobile
computing devices?
 [Media Control] Is the capability for automatic execution of
code on removable media disabled?
 [Physical Security] Is entry to the facility controlled by physical
access devices and/or guards?
 [Awareness Training] Is basic security awareness training
provided to all system users before authorizing access