Industrial Control Systems Cyber Security Proven Risk to Supply Chain Operations Mark Fabro Chief Security Scientist, Lofty Perch Inc. Wednesday June 7, 2017 6/20/2017 1


Overview

• The role of industrial control systems (ICS) in supply chain

• Cyber Risk and ICS

• ICS attacks and trends

• Mitigation considerations


The Main Points

• Industrial Control Systems (ICS), SCADA, DCS, OT are the heart of manufacturing and industry

• The suppliers you depend on use ICS to make/move/fix the materials you need

• Those systems can be vulnerable to attack, have been attacked and attacks are increasing

• Attacks impact availability of products, integrity of products, movement of products, timely delivery, health and well-being of people and ultimately effectiveness of force


Why is This Important to You?

• Your supply chain uses ICS

• Compromising ICS can result in:

  • Unavailable systems

  • Compromise of sensitive production data

  • Impact on delivery of materials/parts/weapons

  • Impact on integrity of the part being produced/repaired

• ICS security is rarely part of a governed cyber security program


Kinetic Impacts


• As early as 1982 (Gazprom)

• Worcester Airfield

• 1994 (Salt River Project)

Cyber Incidents and Infrastructure

• 2003 ‘Slammer’ disables Davis-Besse safety mechanism

• May 2001 Cal-ISO attack

  • Undetected for 17 days from California and China (last source)

  • Compromise almost penetrated into energy provisioning systems

• August 2003 Blackout

  • Malfunction in Alarm and Event Processing (AEPR) due to race condition

• 2004 ‘Sasser’ disables connected oil platforms for several days

• Sept 2004 SOCAL air traffic control failure

  • Windows bug forced server to auto-reboot after 49.7 days

  • 800 planes in the air w/o contact for 3 hours

  • 400 delays, 600 cancellations

• 2005 ‘Zotob’ attacks Daimler-Chrysler

• 2009 Brazilian Power Grid

More Interesting Cyber Events

Known Incidents Since 1982 (lots)


Vulnerability Discovered by Year

• Research community gone wild

• Evolution of new techniques

• Looking for ‘zero days’


Kaspersky Lab

Disclosure by Year


2016 FireEye

Zero Days in the Wild

• All well before Shadow Brokers

• Libraries part of larger suite?


2016 FireEye

Going Unfixed

• Of 1,552 ICS vulnerabilities 516 did not have a patch at time of disclosure

• That means 33% are ‘0 days’


2016 FireEye

Incidents by Sector and Vector 2015


U.S. DHS ICS-CERT

By end of 2016

• Look at the top 3

• How will they affect operations?


Kaspersky Lab

Mitigation Activities

• Expand security assessment to the control systems of private sector partners

• Code analysis

• Develop attack trees and use cases to model the kill chain of the adversary

• Consider blended cyber/physical attacks

• Exploit SME experience from around the globe

• Customization of COTS IT security to fit ICS/SCADA

• Learn from work done across sector


Thank You

Mark Fabro
