Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

InduSoft Cybersecurity Webinar: Overview of Current Events and General Cybersecurity Guidance, Protection and Remediation Techniques, and Advanced InduSoft Web Studio Data Protection and Encryption. Presenters: Richard Clark and Fabio Terezinho. June 24, 2015.

Transcript of Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Page 1: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

InduSoft Cybersecurity Webinar: Overview of Current Events and General Cybersecurity Guidance, Protection and Remediation Techniques, and Advanced InduSoft Web Studio Data Protection and Encryption

Presenters: Richard Clark and Fabio Terezinho

June 24, 2015

Page 3: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Richard H Clark

Cybersecurity Background

Mr. Clark has been in Mechatronics, Automation, Process Control, Industrial Control System Cybersecurity, and automation implementation for more than 15 years. He was employed by Wonderware where he developed a non-proprietary means of using IP-Sec for securing current and legacy Automation, SCADA, and Process Control Systems, and developed non-proprietary IT security techniques. Industry expert by peer review and spokesperson on IT security; consultant, analyst and voting member of ISA/IEC 62443 (SP99). Contributor to PCSF Vendor Forum. Consultant to NIST and other government labs and NSA during the development of NIST Special Publications 800-53/82. Published engineering white papers, manuals, and instruction documents, developed and given classes and lectures on the topic of ICS/SCADA Security.

– Participated in forming the NIST Cybersecurity Framework during the workshops last year.

Page 4: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Speakers Today (in order of presentation)

Richard Clark

– Technical Marketing, Process and Controls Engineer, Cybersecurity Engineer

Fabio Terezinho

– Director of Engineering and Consulting Services for InduSoft

Page 5: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Fabio Terezinho

Engineering and Cybersecurity Background

VP/Director of Engineering and Consulting Services

InduSoft/InduSoft-Wonderware

January 1999 – Present (16 years 6 months)

Application Engineer

Altus Sistemas de Informatica SA

January 1995 – March 1998 (3 years 3 months)

Selected Publications:

Remote access, any time, any place

InTech Magazine

October 2012

Designing New SCADA Systems

Plant Engineering

January 2012

Secure Against Process Automation Errors

Control Design Magazine

November 2011

Honors & Awards:

Beta Gamma Sigma

Beta Gamma Sigma (AACSB International - The Association to Advance Collegiate Schools of Business)

March 2011

Patent:

Method and system for communicating between an embedded device and relational databases

United States 11/243,780

Education:

Baylor University - Hankamer School of Business

Executive Master of Business Administration (EMBA)

2010 – 2011

Escola de Engenharia Maua

Electrical Engineering, Automation and Control

1999 – 2003

Mr. Terezinho has been in Mechatronics, Automation, Process Control, Industrial Control System Cybersecurity, automation implementation, and product development at InduSoft/InduSoft-Wonderware for more than 16 years.

Page 7: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Announcements

This is an audio broadcast-only WebEx, so we can’t hear you speaking.

– If you want to give us a comment or question, please type it into the Q&A or Chat Field in the WebEx presentation interface. We will answer your questions at the end in the Q&A section of the broadcast.

Fill out the InduSoft webinar survey that we will send you at the email address that you used to sign in, and get a free famous InduSoft webinar series Tee-Shirt!

Page 8: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Services On Demand is Available Now!

Engineering assistance is available when designing projects and implementing project security

Page 9: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

SCADA Cybersecurity eBooks

InduSoft Security Guide: ISBN 978-1311-49042-1

NIST Cybersecurity Framework: ISBN 978-1310-30996-0

Available at Smashwords.com and other major booksellers

Page 10: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Available to you as “Name Your Price”

InduSoft Security Guide: ISBN 978-1311-49042-1

NIST Cybersecurity Framework: ISBN 978-1310-30996-0

Download at Smashwords.com to “Name Your Price”

Page 11: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

All eBook Proceeds Benefit the Eastern New Mexico University-Ruidoso Foundation

Page 12: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Announcements

How to get Product Update Announcements

Page 20: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Webinar Agenda

Introductions

Our Cybersecurity Guidance eBooks and Engineering Services available from InduSoft

Current events that are relevant to Control Systems

Discussion of the current state of Cybersecurity for Control Systems

Remediation and System Protection

Fabio: Advanced InduSoft Web Studio configurations for Data Protection and Encryption

Page 24: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Where do we start?

There have been an unprecedented number of Cybersecurity incidents

There have been a lot of business-centered cyber-events, but we are interested in ICS and SCADA events

Therefore, the best place to start is the state of the industry and current knowledge of known cyber-events

Page 29: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Stuxnet was the most infamous breach

A lot of noise has been made about Stuxnet, and for good reason…

Stuxnet really scared a lot of Cybersecurity professionals and antivirus/anti-malware companies, along with ICS-CERT organizations around the globe.

– it was heretofore unprecedented in its sophistication and differing methods of attack and intrusion.

After a quick War Room analysis, it was quickly determined that the attack was specifically targeted

Page 40: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Theorized Stuxnet Analyses and Findings

1) the sophistication of the programming of the malware, some of which was uncovered by reverse-engineering, and which could only have been done with a large, coordinated team of professional developers

2) the specificity and required intimate insider knowledge of the control systems, and their networks and configurations

3) the Zero Day exploits of the unpatched Siemens PLCs they were using, and the insider knowledge that they were unpatched

4) the differing vectors of infection and spread, which initially was likely a USB drive, then appeared to spread through network connectivity and printer ports to other computers using administrator credentials…

5) the fact that it stayed dormant and surreptitious for a long time before becoming active, apparently reporting to some home base (C&C, or Command and Control Center) with findings at various intervals…

6) …and then apparently receiving updated instructions from a C&C (Command and Control Center) before proceeding with machine infiltration and attack vectors

7) the apparent social engineering that had to have been used to gain such intimate access to the systems…

8) …which ultimately led to attacking and reprogramming the PLCs to control the centrifuge Variable Frequency Drives (or VFDs) in a completely different way than originally intended and programmed

9) and to operate slowly and surreptitiously over weeks or months in order to prematurely wear out or severely damage the equipment, ultimately limiting and destroying the production lines

…the conclusion was that Stuxnet was a deliberate, single, targeted attack by one or more Nation-States.

Page 42: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Stuxnet was the most infamous breach

A lot of noise has been made about Stuxnet, and for good reason…

Stuxnet really scared a lot of Cybersecurity professionals and antivirus/anti-malware companies, along with ICS-CERT organizations around the globe.

– it was heretofore unprecedented in its sophistication and differing methods of attack and intrusion

After a quick War Room analysis, it was quickly determined that the attack was specifically targeted

Is Stuxnet, because of all these factors, a danger to your facility?

– yes and no

Page 48: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

So is Stuxnet a danger to your system?

Stuxnet, as it was used, could only work on the one targeted system

Some bits of the Stuxnet code have been found in other types of malware in the wild

Malware/antivirus companies have updated their databases to protect against Stuxnet-like code in other malware

Additionally, the Zero Day exploits used in the Siemens PLCs have been patched

Stuxnet employed a very sophisticated Man-in-the-Middle scheme requiring PLC reprogramming

Page 54: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

So moving forward in time…

2012: Shamoon malware infiltrates Aramco and damages data on more than 30,000 computers…

Also in 2012 were Duqu and Flame (sKyWIper), which utilized Stuxnet modules and did not need to report home

Page 59: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

So moving forward in time…

2012: Shamoon malware infiltrates Aramco and damages data on more than 30,000 computers…

Also, there were Duqu and Flame (sKyWIper), which utilized Stuxnet modules and did not need to report home

Next in 2013 and 2014 were Dragonfly and Havex or RAT (Remote Access Trojans or Tools) malware that did target Industrial Control Systems

Page 61: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

So moving forward in time…

2012: Shamoon malware infiltrates Aramco and damages data on more than 30,000 computers…

Also, there were Duqu and Flame (sKyWIper), which utilized Stuxnet modules and did not need to report home

Next in 2013 and 2014 were Dragonfly and RAT (Remote Access Trojans or Tools) malware that did target Industrial Control Systems

Among the various End-of-Year news sometime during December 2014 was an attack at a German steel mill that did a substantial amount of physical damage…

– The attack was a result of “Spear phishing”, or sending emails containing a malware payload that gave access to the plant’s Industrial Control System.

Page 70: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

The Dell Annual Security Report (April 13, 2015)

Shows that in 2014, attacks more than doubled from the previous year to 675,186

“Whereas the motive behind data-focused attacks is typically financial, SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information,” Dell said.

Buffer overflow vulnerabilities were the primary point of attack against SCADA systems, which control remote equipment and collect data on equipment performance, accounting for 25% of the attacks witnessed by Dell.

Page 71: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Other interesting items in April and May

Page 72: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Article Comments by Shawn McConnon

“These emerging attacks are now being waged against a much wider variety of hardware, including mobile devices,” he explains.

– "There is no perimeter anymore," he says.

– "There are many more touch-points in a company today," which, in turn, has made it easier for hackers to penetrate networks.

Page 73: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Article Comments by Shawn McConnon

Hackers, especially nation-state actors, know that most organizations fail to adequately address risks posed to their networks by third parties, McConnon says.

– "Businesses today outsource everything ... and it's very hard to ensure security when you're outsourcing."

Page 74: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Article Comments by Shawn McConnon

Hackers are increasingly targeting less-secure third parties to ultimately gain access to organizations' primary networks, McConnon explains.

– "You can't prevent hacks. But you should focus on the information," he says.

– "You've got to be able to look at your third-party risk and have somebody on your team who's looking at that risk regularly."

Page 83: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

And just in the past 3 weeks…

Page 101: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

What are the takeaways?

That cybercrime is on the increase, with more than double the number of attacks since last year.

The criminals involved are everything from amateurs to Nation States with deep pockets and many resources

The trend is that SCADA and control system attacks will only increase using online tools that have been continually evolving

People still use insufficient security to protect themselves and/or their systems

– Everything from poor password enforcement to inadequate perimeter defense, relying on 3rd parties with no in-house checking or reviews

Page 109: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

What steps need to be taken?

First and foremost, understand your assets, and how they are configured together

– This step initially requires a complete hardware and software inventory

– Understanding their configuration will provide information about how they may be either secure or vulnerable within their current states

Next, categorize and classify your assets

– Asset categories might include: critical, essential, supporting role, etc.

– Further classifications might include: production, business, administrative, analysis, infrastructure backbone, executive, etc.

– Understanding these classifications will help when creating your Gap Analysis and Risk Assessment for the whole system:

• http://www.belden.com/blog/industrialsecurity/Industrial-Networking-Easy-Security-Risk-Assessment.cfm

Page 116: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

What steps need to be taken?

Once a Gap Analysis is complete, you will have an understanding of what is missing in terms of security

– A Gap Analysis is crucial before an understanding of the elements that need to be addressed can take place

– Each deficiency that is uncovered can be addressed with a Risk Assessment, which is a cost to address it vs the risk to leave it alone

– As the cybersecurity landscape changes, each risk can be reviewed and recalculated as the protection costs or technologies change

– This approach is called a Business Process Management (BPM) Approach to managing your assets and the system security

– Ad hoc approaches to security finally disappear and an organized methodology to asset management will come into focus.

– Note that it is not necessary to “do everything at once”, since implementing various security phases or changes can be expensive
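The inventory, classification, gap analysis and risk assessment steps above, worked through in one pass as an added example (not code from the presentation or from InduSoft). The asset names, control names, the category-to-control mapping, the loss and cost figures, and the ranking by expected annual loss per unit of cost are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Controls expected per asset category. The category names come from the
# slides; the control names and this mapping are assumptions.
REQUIRED_CONTROLS = {
    "critical": {"network_segregation", "role_based_access", "patching",
                 "backups", "logging"},
    "essential": {"network_segregation", "role_based_access", "patching",
                  "backups"},
    "supporting": {"role_based_access", "patching"},
}


@dataclass
class Asset:
    name: str
    category: str        # critical / essential / supporting
    classification: str  # production / business / administrative ...
    controls: set = field(default_factory=set)


@dataclass
class Gap:
    asset: str
    control: str
    annual_loss: float   # likelihood per year x impact if left alone
    cost: float          # cost to address the deficiency


# Constructed inventory (step 1) with category and classification (step 2).
INVENTORY = [
    Asset("HMI-01", "critical", "production", {"role_based_access", "backups"}),
    Asset("HIST-01", "essential", "production",
          {"network_segregation", "patching", "backups"}),
    Asset("ENG-WS-03", "supporting", "administrative", {"role_based_access"}),
]

# Constructed estimates per deficiency: (likelihood per year, impact, cost).
ESTIMATES = {
    ("HMI-01", "network_segregation"): (0.30, 400_000, 40_000),
    ("HMI-01", "patching"): (0.20, 400_000, 15_000),
    ("HMI-01", "logging"): (0.05, 100_000, 12_000),
    ("HIST-01", "role_based_access"): (0.10, 200_000, 5_000),
    ("ENG-WS-03", "patching"): (0.10, 20_000, 3_000),
}


def gap_analysis(assets):
    """Step 3: list every required control that an asset does not have."""
    return [(a.name, c) for a in assets
            for c in sorted(REQUIRED_CONTROLS[a.category] - a.controls)]


def risk_assessment(gaps, estimates):
    """Step 4: attach cost-to-address and risk-of-leaving-alone to each gap."""
    out = []
    for asset, control in gaps:
        likelihood, impact, cost = estimates[(asset, control)]
        out.append(Gap(asset, control, likelihood * impact, cost))
    return out


def plan_phase(risks, budget):
    """Fund the best loss-per-cost gaps within one phase's budget.

    Gaps whose fix costs more than the expected loss are accepted for now;
    worthwhile gaps that do not fit the budget are deferred to a later phase.
    """
    funded, deferred, accepted = [], [], []
    for g in sorted(risks, key=lambda g: g.annual_loss / g.cost, reverse=True):
        if g.annual_loss <= g.cost:
            accepted.append(g)
        elif g.cost <= budget:
            funded.append(g)
            budget -= g.cost
        else:
            deferred.append(g)
    return funded, deferred, accepted


def labels(gaps):
    return [f"{g.asset}:{g.control}" for g in gaps]


def run(estimates, budget):
    return plan_phase(risk_assessment(gap_analysis(INVENTORY), estimates), budget)


if __name__ == "__main__":
    for title, group in zip(("funded", "deferred", "accepted"),
                            run(ESTIMATES, 50_000)):
        print(title, labels(group))
    # Review and recalculate: the logging fix becomes cheaper in a later year.
    cheaper = dict(ESTIMATES)
    cheaper[("HMI-01", "logging")] = (0.05, 100_000, 4_000)
    print("after recalculation, funded:", labels(run(cheaper, 50_000)[0]))
```

Re-running `run` with updated estimates is the "review and recalculate" step: an accepted risk moves into the funded list once its cost to address drops below the expected loss.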

Page 122: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Analysis tools that can help you

The NIST Cybersecurity Framework is a good place to start

– Using the methodology described within the Framework documentation can help you get started, even though you may not end up using it.

– The Framework was contributed to by a wide variety of industry professionals, to make it extremely flexible.

Another tool that can be extremely useful is the ICS-CERT CSET Tool

– This tool allows you to plug in any set of standards that you want to and it will start asking you questions based on those standards and the inventory/gap analysis that you performed

• https://ics-cert.us-cert.gov/Downloading-and-Installing-CSET

Page 123: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

SCADA Cybersecurity eBooks

InduSoft Security Guide: ISBN 978-1311-49042-1

NIST Cybersecurity Framework: ISBN 978-1310-30996-0

Available at Smashwords.com and other major booksellers

Page 124: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

The cybersecurity webinars detail the steps

InduSoft’s Cybersecurity Webinars from January 28th and February 17th of 2015 discussing guidance and the eBooks will also help you in moving forward

– http://www.indusoft.com/Marketing/Article/ArticleID/555/ArtMID/684

– http://www.indusoft.com/Marketing/Article/ArticleID/562/ArtMID/684

– Professor Miller discusses the new changes to the CSET Tool

Page 127: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Due to your various system differences…

It is not possible to give specific guidance for the process, platform, or enterprise.

Specific guidance for one type of system may be entirely inappropriate for a different configuration

Page 148: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

Control System Generalities include:

Network Segregation

– Simple firewalls don’t work

– VLANs don’t work

• https://www.tofinosecurity.com/blog/why-vlan-security-isnt-scada-security-all

– DMZ needed for Historian

– Firewalls should have Stateful Packet inspection

• http://www.belden.com/blog/industrialsecurity/Why-SCADA-Firewalls-Need-to-be-Stateful-Part-1-of-3.cfm

Electronic Access Point Controls

– Device Authentication may be appropriate

– Control ingress and egress points of Control System

System Hardening

– Remove unused software and other items

– Turn off unused services/ports to reduce attack surfaces

Role Based Access Controls

– Use Active Directory or LDAP for Centralized Management

– Use of minimum needed privileges

– Device Control such as USB controls in place

Patching Server installed

Centralized Backups

Logging Server

Performance Server

-or-

Centralized Management Server or System
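Why the Network Segregation items call for stateful packet inspection rather than a simple packet filter, shown as an added example (not code from the presentation or InduSoft). It assumes an HMI polling one PLC over Modbus/TCP on port 502; the addresses, the trace and the simplified TCP state machine are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Constructed addresses: an HMI polling one PLC over Modbus/TCP (port 502).
HMI, PLC, MODBUS = "10.0.2.20", "10.0.1.10", 502


def policy_permits_new(p):
    """The only flow allowed to start: the HMI opens TCP to the PLC on 502."""
    return p.src == HMI and p.dst == PLC and p.dport == MODBUS


def stateless_allow(p):
    """Simple per-packet ACL: the request rule plus a 'return traffic' rule."""
    return policy_permits_new(p) or (
        p.src == PLC and p.dst == HMI and p.sport == MODBUS)


class StatefulFilter:
    """Tracks TCP sessions. Simplified: no FIN half-close, timeouts or
    sequence-number checks, which a real firewall also performs."""

    DATA = {"A", "PA"}

    def __init__(self):
        self.sessions = {}  # (client, cport, server, sport) -> state

    def allow(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.sessions:
            return self._step(fwd, p.flags, from_client=True)
        if rev in self.sessions:
            return self._step(rev, p.flags, from_client=False)
        if p.flags == "S" and policy_permits_new(p):
            self.sessions[fwd] = "SYN_SENT"
            return True
        return False  # belongs to no session and may not start one

    def _step(self, key, flags, from_client):
        state = self.sessions[key]
        if flags == "R":  # a reset tears the session down
            del self.sessions[key]
            return True
        if state == "SYN_SENT":
            if not from_client and flags == "SA":
                self.sessions[key] = "SYN_RCVD"
                return True
            return from_client and flags == "S"  # SYN retransmission
        if state == "SYN_RCVD":
            if from_client and flags == "A":
                self.sessions[key] = "ESTABLISHED"
                return True
            return not from_client and flags == "SA"
        return flags in self.DATA  # ESTABLISHED


# Constructed trace: one legitimate poll, plus segments that match the ACL
# but belong to no tracked session.
TRACE = [
    Packet(HMI, 49152, PLC, MODBUS, "S"),   # 0 handshake
    Packet(PLC, MODBUS, HMI, 49152, "SA"),  # 1
    Packet(HMI, 49152, PLC, MODBUS, "A"),   # 2
    Packet(HMI, 49152, PLC, MODBUS, "PA"),  # 3 request
    Packet(PLC, MODBUS, HMI, 49152, "PA"),  # 4 response
    Packet(PLC, MODBUS, HMI, 50000, "PA"),  # 5 "response" with no request
    Packet(HMI, 49153, PLC, MODBUS, "PA"),  # 6 data with no handshake
    Packet(HMI, 49152, PLC, MODBUS, "R"),   # 7 session reset
    Packet(PLC, MODBUS, HMI, 49152, "PA"),  # 8 data after the session closed
]


def replay(trace):
    """Return (stateless verdict, stateful verdict) for each packet."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in trace]


def admitted_without_session(trace):
    """Indexes the simple filter passes but the stateful filter drops."""
    return [i for i, (simple, stateful) in enumerate(replay(trace))
            if simple and not stateful]


if __name__ == "__main__":
    for i, verdicts in enumerate(replay(TRACE)):
        print(i, TRACE[i].flags, verdicts)
    print("passed only by the simple filter:", admitted_without_session(TRACE))
```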

Page 149: Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Presentation 1

FABIO TEREZINHO
