My talk from the ICS Cyber Security Conference in Atlanta on October 24th. Really enjoyed the great conversations on a topic which really can highlight the difference of opinions in the ICSsec community. Hope you all enjoy!
Encryption in industrial control systems; Is the juice worth the squeeze?
1. Brian Proctor – ICS Cyber Security Conference 2017
Encryption in ICS; ?
2. Who am I?
Brian Proctor – GICSP, CISSP, CRISC
13+ years of cybersecurity utility experience
• Southern California Edison (SCE)
- ICS/SCADA Cybersecurity Engineer
- NERC CIP Compliance Manager
• San Diego Gas & Electric (SDG&E)
- Principal Cybersecurity Engineer – Smart Grid and Electric Operations
- Team Lead - Information Security Engineering, Research, & Development
• Joined SecurityMatters in Feb 2017
Career focused on securing Operational Technology (OT)
- SCADA (Electric Transmission & Distribution, Gas Storage & Transmission)
- DCS (Power Generation, Distributed Energy Resources)
Speaker at Distributech, EnergySec, EPRI, UTC, ICSJWG
- Situational awareness with a side of cybersecurity
- Life After Ukraine; Real world strategies and trends
- Do you know what time it is? Precision timing attacks and their impacts to utility operations
www.secmatters.com - Public
3. Trivia Time!!!
What 2004 movie is the quote “Because in your heart you know, that the juice is worth the squeeze?” from?
The Girl Next Door
4. Conference vote!
Idea from hotel bar last night; let’s see how this goes…
Raise your hand if you believe you should encrypt remote access ICS/DCS protocols.
5. Why I wrote this talk….
6. Let’s start with the basics….
Encryption
• Value
- Confidentiality
- Integrity
- Non-repudiation
- Authentication
ICS Protocols
• DNP3, MODBUS, Ethernet IP (CIP), MMS (ICCP), Step7, many other legacy or proprietary protocols
- No confidentiality
- No integrity
- No authentication
• Encryption commonly used to wrap ICS protocols over untrusted networks or segments
- Between modems, routers, firewalls (IPsec)
- SSL/TLS between data concentrators or gateways
- Wireless
7. Sample utility architecture
[Diagram: sample utility architecture. Zones: Business LAN (ISA 99 – Level 4), Supervisory Network DMZ (ISA 99 – Level 3), Control Network (ISA 99 – Level 2), Field network (ISA 99 – Level 1), with the Internet outside. Components shown: Historian, www, DB, SCADA/HMI, Engineering WS, MTU/FEP, RTU, IEDs/PLCs, DER/IEDs/PLCs. Legend: Std encrypted paths, Clear text LANs, New End to End.]
8. Sample process control network architecture
[Diagram: sample process control network architecture. Levels: Level 1 (Controllers), Level 2 (Supervisory), Level 3 (PCN Mgmt), Level 4 (PCN DMZ). Components shown: Historian, HMI, EWS, PLC, Controller, IED, DCS Server, AD, SFTP/FTP, Jump/PAM. Legend: Std encrypted path, Clear text LANs, New End to End.]
9. Is the juice worth the squeeze?
What’s the juice?
• E2E encryption; GW and device on LAN
Is it worth losing the following:
• Asset inventory (vendor, model, firmware)
• Remote and engineering monitoring
- Users
- Activities
• Passive vulnerability management
• ICS/DCS command monitoring
• Behavior based alerting
• Signature based alerting
• SCADA firewall command filtering
• Great DFIR artifacts
10. With great power comes great responsibility….
How are keys generated? Are they truly random?
• Vendor default? Asset Owner PKI? Self-signed?
• How is the key stored?
• What if the private key is compromised?
Key management
• Any commercial CAs which issue certificate types?
• Lifetime
• Rotation
• Deployment
Cryptographic algorithms deprecation
Quantum computing =
11. So what does this all mean from my perspective?
Use encryption where it makes sense
• Wireless
• Untrusted networks
Understand what you lose if you do go end to end
Understand operational responsibilities to support
Understand long term implications
Clear text can be your friend
• Great situational awareness
- Asset inventory/classification
- Remote and engineering monitoring
- Insider threat monitoring (rogue operator, engineer)
- Provides SOC and IR/Forensics great info
• Threats (insiders or external) can’t hide their activities
Threat modeling and red teaming exercises
12. Is the juice worth the squeeze for you?
My vote is no; gateway to gateway is sufficient
• What attack scenarios are you protecting against?
Lose situational awareness and visibility into your own systems
Hide anomalous or malicious traffic
Hide vendor activities or poor practices
Introduces more open security questions and responsibilities
Authentication and integrity can be achieved without encryption
• Secure SCADA protocol of the 21st century (SSP-21)
End of day = risk based decision
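The trade-off argued on slides 9 and 12, as an added example that is not part of the talk: a passive sensor parsing cleartext Modbus/TCP still gets a per-unit asset inventory and a write-command alert, and an integrity tag appended in the clear lets the receiving device reject a tampered frame without hiding anything from that sensor. The Modbus framing is a minimal subset, the truncated HMAC-SHA256 tag and pre-shared key are illustrative assumptions (this is not SSP-21 or any vendor's protocol), and all frames are constructed.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

# Minimal Modbus/TCP framing: MBAP header (transaction id, protocol id,
# length, unit id) followed by the PDU (function code + data). Subset only.
MBAP = struct.Struct(">HHHB")
WRITE_FUNCTIONS = {5, 6, 15, 16}   # coil/register write function codes
TAG_LEN = 16                       # truncated HMAC-SHA256 tag; assumed scheme, not a standard

def build_frame(tid, unit, fc, data=b""):
    """Build a cleartext Modbus/TCP request frame."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

def parse_frame(frame):
    """Return (tid, unit, fc, data). Bytes beyond the MBAP length (such as an
    appended integrity tag) are ignored, which is why a passive sensor keeps
    parsing once tags are in use. Raises ValueError on a malformed frame."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0 or length < 2 or len(frame) < 6 + length:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7], frame[8:6 + length]

def passive_monitor(frames):
    """What a sensor on a cleartext LAN derives: a per-unit inventory of
    observed function codes plus an alert (unit, fc, address) for every
    write command. None of this is visible once the payload is inside TLS."""
    inventory = defaultdict(set)
    alerts = []
    for frame in frames:
        _tid, unit, fc, data = parse_frame(frame)
        inventory[unit].add(fc)
        if fc in WRITE_FUNCTIONS and len(data) >= 2:
            addr = struct.unpack(">H", data[:2])[0]
            alerts.append((unit, fc, addr))
    return dict(inventory), alerts

def seal(frame, key):
    """Append an integrity tag; the frame itself stays readable on the wire."""
    return frame + hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]

def verify(sealed, key):
    """Return the bare frame if the tag is valid, else None."""
    frame, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]
    return frame if hmac.compare_digest(tag, expected) else None

KEY = b"constructed-demo-psk"  # constructed value; real deployments need the key management of slide 10

def demo():
    # Constructed traffic: a register read and a register write (address 100)
    # to unit 3, then a coil read from unit 7, all carrying integrity tags.
    frames = [
        seal(build_frame(1, 3, 3, struct.pack(">HH", 0, 10)), KEY),
        seal(build_frame(2, 3, 6, struct.pack(">HH", 100, 1)), KEY),
        seal(build_frame(3, 7, 1, struct.pack(">HH", 0, 8)), KEY),
    ]
    inventory, alerts = passive_monitor(frames)   # sensor reads sealed frames as-is
    tampered = bytearray(frames[1])
    tampered[11] ^= 0xFF                          # flip the written value in transit
    genuine_ok = verify(frames[1], KEY) is not None
    tamper_rejected = verify(bytes(tampered), KEY) is None
    return inventory, alerts, genuine_ok, tamper_rejected

if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives the inventory `{3: {3, 6}, 7: {1}}`, one write alert for unit 3 at address 100, and a rejected tampered frame, so the SOC keeps its command monitoring while the device gains integrity checking; what remains open is exactly the key generation, storage and rotation list on slide 10.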
13. Questions and Thank You!
Twitter: @bproctor67
Email: Brian.proctor@secmatters.com
Editor’s Notes
Thanks for the introduction, wanted to start off with a little about me as I’m new to the speaking circuit. I’ve had the opportunity to work in the cybersecurity field for electric utilities my entire career, which has been an amazing opportunity: 7 years up at Southern California Edison and 4 years at San Diego Gas & Electric. The majority of my career has been mainly focused on the Operational Technology or OT side of things, working in a variety of SCADA and DCS environments.
To describe the basic principles of ICS networks, pointing out the connections among the business LAN, the supervisory network and the control system network.
An industrial network is most typically made up of several distinct areas, which are simplified here as a business network or enterprise, business operations, a supervisory network, and process and control networks.
The separation of assets into functional groups allows specific services to be tightly locked down and controlled, and is one of the easiest methods of reducing the attack surface that is exposed to attackers. Simply by disallowing all unnecessary ports and services, we also eliminate all of the vulnerabilities—known or unknown—that could potentially allow an attacker to exploit those services. That’s why we expect to find firewalls isolating these three areas.
--------------- ISA 99 levels
Level 0: Defines the actual physical processes.
Level 1: Defines the activities involved in sensing and manipulating the physical processes.
Level 2: Defines the activities of monitoring and controlling the physical processes.
Level 3: Defines the activities of the work flow to produce the desired end-products.
Level 4: Defines the business-related activities needed to manage a manufacturing organization.