Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill...
Transcript of Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill...
![Page 1: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/1.jpg)
Copyright Belden 2013
Hirschmann and Tofino Implementing Security
Sven Burkard
Industrial Solution Manager [email protected] or 717.491.1770
![Page 2: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/2.jpg)
Copyright Belden 2013
Where network failures occur…
Source: Datacom, Network Management Special
Network Reliability in the OSI Model
8 %
10 %
35 %
25 %
12 %
7 %
3 %
Physical
Data Link
Network
Transport
Session
Presentation
Application
3
How Belden mitigates this…
Cable
Switches
Routers &
Firewalls
Deep-Packet
Inspection
![Page 3: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/3.jpg)
Copyright Belden 2013
ICS and SCADA
Security
Are you at risk?
5
![Page 4: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/4.jpg)
Copyright Belden 2013
• Salt River Project SCADA Hack
• Maroochy Shire Sewage Spill
• Software Flaw Makes MA Water Undrinkable
• Trojan/Keylogger on Ontario Water SCADA System
• Viruses Found on Auzzie SCADA Laptops
• Audit/Blaster Causes Water SCADA Crash
• DoS attack on water system via Korean telecom
• Penetration of California irrigation district wastewater
treatment plant SCADA.
• SCADA system tagged with message, "I enter in your
server like you in Iraq."
Security Incidents in the Water Industry
Source: Repository of Industrial Security Incident (RISI) Database 6
![Page 5: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/5.jpg)
Copyright Belden 2013
• Electronic Sabotage of Venezuela Oil Operations
• CIA Trojan Causes Siberian Gas Pipeline Explosion
• Anti-Virus Software Prevents Boiler Safety Shutdown
• Slammer Infected Laptop Shuts Down DCS
• Virus Infection of Operator Training Simulator
• Electronic Sabotage of Gas Processing Plant
• Slammer Impacts Offshore Platforms
• SQL Slammer Impacts Drill Site
• Code Red Worm Defaces Automation Web Pages
• Penetration Test Locks-Up Gas SCADA System
• Contractor Laptop Infects Control System
Security Incidents in the Oil Industry
Source: Repository of Industrial Security Incident (RISI) Database 7
![Page 6: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/6.jpg)
Copyright Belden 2013
• IP Address Change Shuts Down Chemical Plant
• Hacker Changes Chemical Plant Set Points via
Modem
• Nachi Worm on Advanced Process Control
Servers
• SCADA Attack on Plant of Chemical Company
• Contractor Accidentally Connects to Remote PLC
• Sasser Causes Loss of View in Chemical Plant
• Infected New HMI Infects Chemical Plant DCS
• Blaster Worm Infects Chemical Plant
Security Incidents in the Chemical Industry
Source: Repository of Industrial Security Incident (RISI) Database 8
![Page 7: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/7.jpg)
Copyright Belden 2013
• Slammer Infects Control Central LAN via VPN
• Slammer Causes Loss of Comms to Substations
• Slammer Infects Ohio Nuclear Plant SPDS
• Iranian Hackers Attempt to Disrupt Israel Power
System
• Utility SCADA System Attacked
• Virus Attacks a European Utility
• Facility Cyber Attacks Reported by Asian Utility
• E-Tag Forgery Incident in Power PSE
• Power Plant Security Details Leaked on Internet
Security Incidents in the Power Industry
Source: Repository of Industrial Security Incident (RISI) Database 9
![Page 8: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/8.jpg)
Copyright Belden 2013
Stuxnet Had Many Paths to its
Victim PLCs
![Page 9: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/9.jpg)
Copyright Belden 2013
Some Lessons Learned
•A modern ICS or SCADA system is highly
complex and interconnected
•Multiple potential pathways exist from the outside
world to the process controllers
•Assuming an air-gap between ICS and corporate
networks is unrealistic
•Focusing security efforts on a few obvious
pathways (such as USB storage drives or the
Enterprise/ICS firewall) is a flawed defense
![Page 10: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/10.jpg)
Copyright Belden 2013
Cyber Security Incident Types
© 2011 Security Incidents Organization
External
Hacker
Software or
Device Flaw
Human
Error
Malware
Infection
Disgruntled
Employee
12
![Page 11: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/11.jpg)
Copyright Belden 2013
• January 2001: Oil pipeline shut down for 6 hours after
software is accidently uploaded to a PLC on the plant
network instead of test network
• August 2005: 13 Chrysler auto plants were shut down by
a simple Internet worm; 50,000 workers stop work for 1
hour while malware removed
• August 2006: Operators at the Browns Ferry nuclear
power plant forced to “scram” the reactor after cooling
drive controllers crashed due to “excessive network
traffic”
Typical ICS Cyber Security Incidents
13
![Page 12: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/12.jpg)
Copyright Belden 2013
• “Soft” Targets
• PCs run 24x7 without security updates or even
antivirus
• Controllers are optimized for real-time I/O, not for
robust networking connections
• Multiple Network Entry Points
• The majority of cyber security incidents originate from
secondary points of entry to the network
• USB keys, maintenance connections, laptops, etc.
• Poor Network Segmentation
• Many control networks are “wide-open” with no
isolation between different sub-systems
• As a result problems spread rapidly through the
network
Security Issues in Control Networks
14
![Page 13: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/13.jpg)
Copyright Belden 2013 15
![Page 14: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/14.jpg)
Copyright Belden 2013 16
![Page 15: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/15.jpg)
Copyright Belden 2013
Five Important Differences
IT and SCADA
#1 - Differing Risk Management Goals
#2 - Differing Performance Requirements
#3 - Differing Reliability Requirements
#4 - “Unusual” Operating Systems and Applications
#5 - Differing Security Architectures
•Problems occur because assumptions that are
valid in the IT world may not be valid on the plant
floor
17
![Page 16: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/16.jpg)
Copyright Belden 2013
Why is SCADA Security a Challenge?
“Why not just apply the already developed
practices and technologies from existing
Information Technology security to plant floor
security - isn't that good enough to solve the
problem?”
Cisco Researcher
July 2002
18
![Page 17: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/17.jpg)
Copyright Belden 2013
Why is SCADA Security a Challenge?
“None of this would be a problem if those █████
plant floor people just used proper security policies –
what █████ is wrong with them?”
IT Manager after a Security Incident
19
![Page 18: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/18.jpg)
Copyright Belden 2013
Differing Security Focus
• IT…. Privacy First - “Protect the Data”
•SCADA/ICS… Safety First - “Protect the Process”
Priority IT SCADA/ICS
#1 Confidentiality Availability
#2 Integrity Integrity
#3 Availability Confidentiality
20
![Page 19: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/19.jpg)
Copyright Belden 2013
• Cost Savings
• Reduced down time and maintenance costs
• Improved productivity
• Enhanced business continuity
• Enhanced Security and Safety
• Improved safety for the plant, employees and
community
• Improved defense against malicious attacks
• Simplified Regulatory and Standards Compliance
• FERC / NERC CIP
• ISA/IEC-62443 (formerly ISA-99)
• More to Come…
Why is Cyber Security Important?
21
![Page 20: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/20.jpg)
Copyright Belden 2013
7 Steps to ICS and
SCADA Security
22
![Page 21: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/21.jpg)
Copyright Belden 2013
Step 1 – Assess Existing Systems
•Security starts with understanding the risks that
control system security (or insecurity) can have on
a business
• Determine threats that pose a danger to the business
• Rank these risks
• Lets companies prioritize their security dollars and
effort.
•Don’t throw money into a solution for a minor risk,
and leave more serious risks unaddressed
•Consider 3rd-party/independent industrial cyber-
security firms (www.exida.com), for risk assessment
and actions needed
23
![Page 22: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/22.jpg)
Copyright Belden 2013
Example Risk Analysis at Oil Refinery
Event Vulnerability
Possible Threat
Source
Skill Level
Required Potential Consequence Severity Likelihood Risk Release of
hazardous
product
Manipulate control
system
Organized Crime,
Activist
Intermediate Major Injury
Complaints or Local Community
Impact
Medium Low Low
Disable/manipulate
emergency
shutdown
Terrorist, Organized
Crime, Activist
High Fatality or Major Community
Incident
High Low Medium
Process
reactivity
incident
Manipulate control
system
Domestic or Foreign
Terrorist,
Disgruntled
Employee
Intermediate Lost Workday or Major Injury
Complaints or Local Community
Impact
Medium Low Low
Disable/manipulate
emergency
shutdown
Domestic or Foreign
Terrorist
High Fatality or Major Community
Incident
High Very Low Medium
Process
shutdown
Trip emergency
shutdown
Malware, Novice
Hacker
Low Shutdown > 6 Hours Medium High High
Cause Loss of View
of SIS
Malware, Novice
Hacker
Low Shutdown > 6 Hours Medium High High
Manipulate control
system
Hacker, Disgruntled
Employee
Intermediate Shutdown > 6 Hours Medium Medium Medium
Disable PCN
communications
Malware, Novice
Hacker
Low Shutdown < 6 Hours Low High Medium
Spoof operators Hacker, Disgruntled
Employee
Intermediate Shutdown < 6 Hours Low Medium Low
Environmental
spill
Manipulate control
system
Activist Intermediate Citation by Local Agency Medium Low Low
Mislead operators Activist Intermediate Citation by Local Agency Medium Low Low
24
![Page 23: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/23.jpg)
Copyright Belden 2013
Step 2 – Document Policies & Procedures
•Start With Policy, Not Technology
•Should be technology and architecture
independent
•Do not include the implementing procedures and processes
•Leave the details of specific technologies and how to implement them for later
Security policy outlines what you want to achieve, NOT how to do it
25
![Page 24: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/24.jpg)
Copyright Belden 2013
Step 3 – Train Personnel & Contractors
•Ensure personnel are aware of the
existence and importance of these
materials
•First conduct an awareness program
•Second is a staff training program that
informs employees:
•How to be secure
•What their roles and responsibilities are
•What to do if they suspect there is a security
breach
26
![Page 25: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/25.jpg)
Copyright Belden 2013
Step 4 – Design a Secure Control System
Architecture
• A core concept in the ISA/IEC 62443.02.01
security standard (Formerly ISA-99) is known
as “Zones and Conduits”
• ICS networks divided into layers or zones
based on control function
• Separate zones allow a “defense in depth”
strategy
27
![Page 26: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/26.jpg)
Copyright Belden 2013
Control
Network
External
NetworkPLCs
Office
Network
Servers
Internet
IT Firewall
Enterprise
Workstations
HMI Stations
Plant
Network
Contractor Wireless Dial-up
IT Firewall
Wireless
Engineering
StationsServers
PLCs Remote
Diagnostics
Enterprise
Servers
Typical Control Network Architecture
28
![Page 27: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/27.jpg)
Copyright Belden 2013
Control
Network
External
NetworkPLCs
Office
Network
Servers
Internet
IT Firewall
Enterprise
Workstations
HMI Stations
Plant
Network
Contractor Wireless Dial-up
IT Firewall
Wireless
Engineering
StationsServers
PLCs Remote
Diagnostics
Enterprise
Servers
Typical Control Network Architecture
29
![Page 28: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/28.jpg)
Copyright Belden 2013
•We can’t just install a firewall at the edge of
the network and forget about security.
• The bad guys will eventually get in
• Many problems originate inside the plant network
•We must harden the plant floor.
•We need Defense in Depth.
A Perimeter Defense is Not Enough
We’re crunchy on the Outside - Soft in the
Middle
30
![Page 29: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/29.jpg)
Copyright Belden 2013
Security Zone Definition
• “Security zone: grouping of logical or physical
assets that share common security
requirements” [ANSI/ISA-62443.02.01–2009 -
3.2.116]
•A zone has a clearly defined border (either
logical or physical), which is the boundary
between included and excluded elements
PLC Zone HMI Zone
31
![Page 30: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/30.jpg)
Copyright Belden 2013
Conduits
•A conduit is a path for the flow of data
between two zones
•Can provide the security functions that allow
different zones to communicate securely
•Any communications between zones must
have a conduit
Conduit
PLC Zone HMI Zone
32
![Page 31: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/31.jpg)
Copyright Belden 2013
Using Zones: An Example Oil Refinery
33
![Page 32: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/32.jpg)
Copyright Belden 2013
Specifying the Zones
34
![Page 33: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/33.jpg)
Copyright Belden 2013
Defining the Conduits
35
![Page 34: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/34.jpg)
Copyright Belden 2013
Step 5 – Control Access to the System
•Next step is to control access to assets within
those zones
• Important to control both physical and logical
access
• Identifying who and what should have access to
what resources:
• What privileges?
• How that should be enforced?
• What technology should be used?
•This is the installation and commissioning phase
37
![Page 35: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/35.jpg)
Copyright Belden 2013 38
Conduit Deep Packet Inspection
![Page 36: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/36.jpg)
Copyright Belden 2013
Control
Network
External
NetworkPLCs
Office
Network
Servers
Internet
IT Firewall
Enterprise
Workstations
HMI Stations
Plant
Network
Contractor Wireless Dial-up
IT Firewall
Wireless
Engineering
StationsServers
PLCs Remote
Diagnostics
Enterprise
Servers
Zones and Conduits provide
Defense in Depth
Control
Network
External
NetworkPLCs
Office
Network
Servers
Internet
IT Firewall
Enterprise
Workstations
HMI Stations
Plant
Network
Contractor Wireless Dial-up
IT Firewall
Wireless
Engineering
StationsServers
PLCs Remote
Diagnostics
Enterprise
Servers
39
![Page 37: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/37.jpg)
Copyright Belden 2013
Control
Network
External
NetworkPLCs
Office
Network
Servers
Internet
IT Firewall
Enterprise
Workstations
HMI Stations
Plant
Network
Contractor Wireless Dial-up
IT Firewall
Wireless
Engineering
StationsServers
PLCs Remote
Diagnostics
Enterprise
Servers
Zones and Conduits provide
Defense in Depth
40
![Page 38: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/38.jpg)
Copyright Belden 2013
Control
Network
External
NetworkPLCs
Office
Network
Servers
Internet
IT Firewall
Enterprise
Workstations
HMI Stations
Plant
Network
Contractor Wireless Dial-up
IT Firewall
Wireless
Engineering
StationsServers
PLCs Remote
Diagnostics
Enterprise
Servers
Zones and Conduits provide
Defense in Depth
41
![Page 39: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/39.jpg)
Copyright Belden 2013
Step 6 – Harden the Components
of the System
•Hardening means locking down the
functionality of the various components in your
system to prevent unauthorized access or
changes, remove unnecessary functions or
features, and patch any known vulnerabilities.
•Especially important in modern ICS which
utilize commercial off-the-shelf (COTS)
technology.
• Includes patch management, AV deployment,
shutting down unneeded services
42
![Page 40: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/40.jpg)
Copyright Belden 2013
Step 7 – Monitor & Maintain
System Security
•Security is a lifestyle, not a goal
•Maintaining security involves activities
such as:
•Updating antivirus signatures and white lists
• Installing security patches
•Monitoring for suspicious activity
• Periodically testing and assessing the system
43
![Page 41: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/41.jpg)
Copyright Belden 2013
Expectations, responsibilities and
opportunities for the Control
Engineer and System Integrator
44
![Page 42: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/42.jpg)
Copyright Belden 2013
Expectations
•Not infecting the control system through bad
staff practices:
• Poor USB Key/CD/DVD handling
• Poor laptop security practices
• Poor remote access security practices
• Inadequate staff training
•Understanding and compliance to current
security standards like ISA/IEC 62443 and
NERC CIP
45
![Page 43: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/43.jpg)
Copyright Belden 2013
Responsibilities
•Not designing/installing an insecure system
•Not making a system less secure through
upgrades and changes
•Meeting security practice requirements as
defined in relevant standards
•Meeting record-keeping requirements as
defined in relevant standards
46
![Page 44: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/44.jpg)
Copyright Belden 2013
Opportunities – The Assessment Step
• Involves analyzing a new or existing system
to determine the security threats and risks
• Audits Risk and Threat Analysis
• Asset inventories
• Network and communications reviews
• Software/platform reviews
• Staff competency reviews
47
![Page 45: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/45.jpg)
Copyright Belden 2013
Opportunities – The Design Step
• Involves designing a system architecture
design
• Creating a zone and conduit strategy
• Network architecture design
• Network system and components selection
• Prioritization based on risk
48
![Page 46: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/46.jpg)
Copyright Belden 2013
Opportunities – The Implementation Steps
• Implementing the system architecture and
required security controls
• Restructuring of the network (if required)
• Security control technology deployment and
commissioning
•Equipment hardening
•Testing and validation
49
![Page 47: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/47.jpg)
Copyright Belden 2013
Opportunities – The Maintain Step
•Maintaining the security targets through
periodic assessments and effective
management processes.
• System reviews
• Threat landscape reviews
• Staff upgrading
• Change Management process reviews
• Continuous monitoring services
50
![Page 48: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/48.jpg)
Copyright Belden 2013
Summary
•The world of control systems has
changed since Stuxnet
• ISC/SCADA Security is not the same as
IT Security
•Asset owners need their SIs to support
their security programs
•Use ISA/IEC-62443 as a roadmap to
deploying a security program
51
![Page 49: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/49.jpg)
Copyright Belden 2013
New Standards and
Regulations in Control
System Security
52
![Page 50: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/50.jpg)
Copyright Belden 2013
Government Efforts and Regulations
•Department of Homeland Security (DHS)
• 6 CFR part 27: Chemical Facility Anti-Terrorism
Standards (CFATS)
• National Cyber Security Division
•Department of Energy
• Federal Energy Regulatory Commission (FERC)
– 18 CFR Part 40, Order 706 (mandates NERC CIPs 002-009)
•Nuclear Regulatory Commission (NRC)
• 10 CFR 73.54 Cyber Security Rule (2009)
• RG 5.71
•National Institute of Standards and Testing (NIST)
• SP800-82 Guide to Industrial Control Systems (ICS)
Security
53
![Page 51: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/51.jpg)
Copyright Belden 2013
New Standards in the ICS Environment
• International Society for Automation (ISA)
• ISA99/62443, Industrial Automation and Control System
(IACS) Security
• International Electrotechnical Commission (IEC)
• IEC 62443 standards (equivalent to ISA 99)
• International Instrument Users' Association (WIB)
• M 2784-X-10 Process Control Domain Security
Requirements for Vendors
• ISASecure
• Embedded Device Security Assurance Certification
54
![Page 52: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/52.jpg)
Copyright Belden 2013
Industry Specific Guidance
• American Petroleum Institute (API)
– API Standard 1164 - SCADA Security
• American Chemistry Council (ACC)
• ChemITC™ Chemical Sector Cyber Security Program
– Guidance for Addressing Cyber Security in the Chemical
Industry Version 3.0
• North-American Electric Reliability Council (NERC)
– Critical Infrastructure Protection (CIP) 002 – 009
• Department of Homeland Security
– Chemical Facility Anti-terrorism Standards (CFATS)
– Risk-based Performance Standards (RBPS) (RBPS 8)
55
![Page 53: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/53.jpg)
Copyright Belden 2013
Active Hardware
![Page 54: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/54.jpg)
Copyright Belden 2013
Product Overview in Short-form Catalog
57
![Page 55: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/55.jpg)
Copyright Belden 2013
Securing Physical
Access
58
![Page 56: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/56.jpg)
Copyright Belden 2013
Web Access
• By default, the web interface of the switch is enabled.
You have the option to either disable this access or to
configure it to use a more secure connection.
• HTTP (Hyper Text Transfer Protocol – TCP Port 80)
• HTTPS (Hyper Text Transfer Protocol Secure – TCP
Port 443) 59
![Page 57: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/57.jpg)
Copyright Belden 2013
HiDiscovery Access
• IP addressing tool
• Uses MAC addresses to ID
• Useful if installed assigned DHCP IP address
• The red pencil indicates Read-Write Access.
• The glasses indicates Read-Only access. 60
![Page 58: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/58.jpg)
Copyright Belden 2013
HiDiscovery Access
• In a secured environment, you may want to
designate the switch as being read-only or not
visible at all via the HiDiscovery program.
61
![Page 59: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/59.jpg)
Copyright Belden 2013
Securing Empty Ports
• Good security practices include the disabling of
unused ports to prevent unauthorized
connections to empty ports on the switch.
62
![Page 60: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/60.jpg)
Copyright Belden 2013
Monitoring Connected Ports
• You can also use a SNMP management
application such as Industrial HiVision to monitor
the connection status of your infrastructure ports
in your network
63
![Page 61: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/61.jpg)
Copyright Belden 2013
MAC Based Port Security
• MAC based filter on a per port basis allows only the
authorized MAC address to forward traffic from the
given port.
• Up to 10 MAC addresses listed per port or you can
use a range of MAC addresses that you wish to allow.
64
![Page 62: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/62.jpg)
Copyright Belden 2013
IP Based Port Security
• IP based filter on a per port basis.
• IP-Based Port Security internally relies on MAC-
Based Port Security. Principle of operation: When
you configure the function, the device translates
the entered source IP address into the respective
MAC address.
65
![Page 63: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/63.jpg)
Copyright Belden 2013 66
Placing Network Terminations in Your Hands
![Page 64: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/64.jpg)
Copyright Belden 2013
Modular design MIPP
6 SC-Duplex Module 12 LC-Duplex Double Module 4 RJ45 Keystone Module
Housing
Modules
67
![Page 65: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/65.jpg)
Copyright Belden 2013
Alarming and
Notification
68
![Page 66: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/66.jpg)
Copyright Belden 2013
Industrial HiVision Network Management
and Visualization Software
• Rapid deployment with multi-device config
• Graphical interface
• Network views incl. unmanaged and WLAN
• Auto-topology discovery
• Event log
• Event handling
• Asset management
• Client / Server
• ActiveX control
• SCADA/OPC server
• Flexible licensing
Network Management Software
69
![Page 67: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/67.jpg)
Copyright Belden 2013 70
![Page 68: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/68.jpg)
Copyright Belden 2013 71
![Page 69: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/69.jpg)
Copyright Belden 2013 72
![Page 70: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/70.jpg)
Copyright Belden 2013 73
![Page 71: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/71.jpg)
Copyright Belden 2013
Belden’s Unique Position
• End-to-end Network Solution • Wired and wireless
• Active networking products
• Cable and connectors
• Cable management
• Software
• Services
• One Face
• One Source
• All Globally
74
![Page 72: Hirschmann and Tofino · •Salt River Project SCADA Hack •Maroochy Shire Sewage Spill •Software Flaw Makes MA Water Undrinkable •Trojan/Keylogger on Ontario Water SCADA System](https://reader034.fdocuments.in/reader034/viewer/2022042321/5f0badd47e708231d431af70/html5/thumbnails/72.jpg)
Copyright Belden 2013
Thank you!
Merci beaucoup!
Obrigado !
Muchas gracias!
Toa chie!
Domo arigato!
Danke schön!
75