Transcript of The Hole in Control System Security
The Hole in Control System Security
Presented by: Mr. Joe Weiss PE CISM CRISC ISA Fellow
HACKNYC
When: May 8th 2018
Where: Times Square, New York City
Website: www.hacknyc.com
Today's Webinar Co-Sponsored by:
The Critical Infrastructure Association of America, Inc. is a 501(c)6 Not for Profit. The mission of Critical Infrastructure Association of America is to create a membership-based, trade association of like-minded cybersecurity and closely related industry professionals that work in the field of cybersecurity. The goal is to share best practices, establish and maintain high operational standards and to educate and interact with those in the cybersecurity community within public, private and governmental sectors.
Joe Weiss PE, CISM, CRISC, ISA Fellow
Managing PartnerApplied Control Solutions, LLC
©Applied Control Solutions, LLC 2
Joe Weiss
• >40 years experience
• Managing Director ISA67, 77, 99, ISA S&P Board, ISA Fellow
• Database of >1,000 actual ICS cyber incidents
• Patents on control systems
• Author – Protecting Industrial Control Systems from Electronic Threats
• Featured in Chapter 14 of Richard Clarke’s book: Warnings: Finding Cassandras to Stop Catastrophes
3-Legged Stool of Security
• Physical security – Guns, gates, and guards
• IT security – Windows, networks, etc.
• Control system security – Sensors, actuators, drives, controllers, analyzers, intelligent electronic devices, etc.
Confusing Definitions
• Security
• Cyber Incident
• Edge Device
• SCADA
• Risk
• End-to-End Security
Why Care About Control System Cyber Security
• Primary focus is reliability, availability, productivity, and safety
– Cyber is simply another threat to these requirements
– Process sensors, actuators, and drives directly affect all 4, have no security, and can be hacked with minimal forensics
• Adequately maintaining these requirements also maintains security; however, the converse may not be true
• If cyber can’t impact the 4 key requirements, cyber is not important for control system cyber security!
Physical Processes can be Dangerous
(Slide shows two images captioned “What we don’t worry about” and “What we worry about”)
Control System Security Expertise Lacking
(Diagram labels: IT Security; Control System Engineering; Control System Security Experts)
Comparison of IT and Control Systems
Attribute                        IT                          Control Systems
-------------------------------  --------------------------  --------------------------
Confidentiality (Privacy)        Very High                   Low
Message Integrity                Low-Medium                  Very High
System Availability              Low-Medium                  Very High
Authentication                   Medium-High                 High
Non-Repudiation                  High                        Low-Medium
Safety                           Low                         Very High
Determinism (Timing)             Low                         Very High
System Downtime                  Tolerated                   Not Acceptable
Security Skills/Awareness        Usually Good                Usually Poor
Network Monitoring               Most Important              Important
Patching                         Expeditious, Generic Patch  Deferred, ICS Vendor Patch
Field Devices (Process Sensors)  Not Important               Very Important
System Knowledge                 Usually Poor                Very Good
System Lifecycle                 3-5 Years                   15-25 Years
Interoperability                 Not Critical                Critical
Computing Resources              “Unlimited”                 Very Limited
Applicable Standards             ISO27000                    ISA/IEC62443
Safety Instrumented System (SIS)
(Diagram, per David Bennett, with labels: Feed, Heat, “Boiling Oil”, PT 1, PC 1, PT 2, PI 2, PT 3, RV, CV 1, CV 2, Transmitter, BPCS, SIS, SIS 3)
Cyber Attack Impact on Failure Rates (MTBF Applies)
• Unintentional Failure
– CV1 1/10 years
– CV2 1/10 years
– RV1 1/10 years
– Total 1/1000 years
– Assuming 100 tanks – 1/100 years
• Cyber Attack Against DCS
– CV1 and CV2 1/10 years
– RV1 1/10 years
– Total 1/100 years
– Assuming 100 tanks – 1/year
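The arithmetic behind this slide, as an added example that is not part of the presentation: each protection layer (CV1, CV2, RV1) has a 1/10-year failure rate, the hazardous event needs all of them defeated, and a cyber attack on the DCS turns the two control valves into one common-cause failure, which removes a factor of 10 from the product. The function names, the grouping structure and the assumption that a group fails at the rate of its most fragile member are mine, not the slide's. Note that with the slide's own inputs the product model gives a fleet rate of 100 × 1/1000 = 1/10 per year for the unintentional case, whereas the slide shows 1/100 years; the attack-case fleet figure of 1 per year does match.

```python
"""Added example (not from the slides): the MTBF arithmetic behind the
'Cyber Attack Impact on Failure Rates' slide, written so it can be re-run
with other layer counts, rates and fleet sizes. The rates below are the
slide's own assumptions; grouping CV1 with CV2 models a single compromised
DCS driving both control valves at once."""

# Failure frequency per protection layer, in events per year.
# 0.1 events/year means "one failure in 10 years" (MTBF = 10 years).
LAYER_RATES = {"CV1": 0.1, "CV2": 0.1, "RV1": 0.1}

# Unintentional case: every layer fails independently of the others.
INDEPENDENT_GROUPS = [("CV1",), ("CV2",), ("RV1",)]

# Cyber attack on the DCS: CV1 and CV2 share one cause, RV1 stays independent.
DCS_ATTACK_GROUPS = [("CV1", "CV2"), ("RV1",)]


def hazard_rate(groups, rates):
    """Events per year in which *all* protection layers are defeated.

    Each group of layers is defeated by one common cause, so it contributes a
    single factor. Groups are independent of each other, so the per-year
    probability that all of them fail together is the product of their rates
    (a rare-event approximation: every rate must be well below 1).
    Assumption (mine, not the slide's): a group's rate is the largest rate
    among its members, i.e. the common cause is at least as frequent as the
    most fragile member it defeats.
    """
    rate = 1.0
    for group in groups:
        rate *= max(rates[layer] for layer in group)
    return rate


def fleet_rate(per_unit_rate, units):
    """Expected events per year across `units` identical, independent tanks."""
    return per_unit_rate * units


def mtbf_years(rate):
    """Mean time between hazardous events, in years (1 / rate)."""
    return 1.0 / rate


def compare_cases(rates=LAYER_RATES, tanks=100):
    """Per-tank and fleet-wide hazard rates for both scenarios on the slide."""
    unintentional = hazard_rate(INDEPENDENT_GROUPS, rates)
    attack = hazard_rate(DCS_ATTACK_GROUPS, rates)
    return {
        "unintentional_per_tank": unintentional,
        "unintentional_fleet": fleet_rate(unintentional, tanks),
        "attack_per_tank": attack,
        "attack_fleet": fleet_rate(attack, tanks),
        "attack_multiplier": attack / unintentional,
    }


if __name__ == "__main__":
    result = compare_cases()
    for name in ("unintentional_per_tank", "unintentional_fleet",
                 "attack_per_tank", "attack_fleet"):
        rate = result[name]
        print(f"{name:24s} {rate:.4f} events/year (MTBF {mtbf_years(rate):.1f} years)")
    print(f"DCS attack makes the hazard {result['attack_multiplier']:.0f}x more frequent")
```

The multiplier is the security-relevant number: nothing about the valves got less reliable, but an attacker who controls the DCS collapses two nominally independent layers into one, so independence assumptions made in a safety analysis no longer hold once a cyber cause is in scope.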
Honeypots Detecting Attempts to do Kinetic Damage
• TrendMicro – small rural water facility
– “Rural water system” hacked in December 2012
– Between March and June 2013, 12 honeypots deployed across eight different countries
– 74 intentional attacks, 10 wrested complete control of the dummy control system
– Attacks came from 16 different countries. Most of the noncritical attacks, 67 percent, originated in Russia, and a handful came from the U.S.
– About half the critical attacks originated in China, and the rest came from Germany, U.K., France, Palestine, and Japan
• Water pump to a wellhead for a local municipality
– Device placed online 14-Oct-2014 and taken out of service 27-Dec-2014
– 140,000 hits with ~90% from China
• PwC – Rail
– In 2015, Koramis GmbH and Sophos created a simulated rail infrastructure called “Project HoneyTrain”
– The project was online for six weeks; 2,745,267 attacks were recorded
– Approximately 10% reached industrial components
Control System Cyber Incidents Are Real
• >1,000 incidents to date
• Impacts ranged from significant discharges to significant equipment damage to major electric outages to deaths
– >1,000 deaths to date
– >$60 Billion in direct impacts
• Very few ICS-specific cyber security technologies, training, and policies
• >2 million ICS devices directly connected to the Internet (and counting)
– Many are gateways
• Resilience and recovery need to be addressed
Control Systems Basics
(Diagram labels: Support Systems; ERP; MES; Data Warehouse; Internet; Serial-to-Ethernet Convertor; Network Monitoring; PROCESS)
What Are ICS-Unique Cyber Threats?
• Cyber-physical, not just the network
• Persistent Design Vulnerabilities, not just Advanced Persistent Threats
• Want undetected control of the process, not denial-of-service
– Gap in protection of the process (Level 0) – e.g., Aurora
– Compromise of the measurement (Level 1) – e.g., HART vulnerability
– Compromise design features of the controller (Level 2) – e.g., Stuxnet
ICS Cyber Security Culture Issues
• Level 1 viewed as engineering systems – no security
• IT views cyber security as the network – not looking at the sensor and field devices before becoming packets
• IOT/IIOT generally ignoring “edge ICS” (Level 1) devices
• Vulnerability assessments assume there is some level of security
– Gap analysis – infinite for Level 1
• ICS CERT 2016 ICS Cyber Incidents
– 290 ICS Incidents
– Spear phishing (26%)
– Network scanning and probing (12%)
– No mention of Level 1 issues
Level 1 Cyber Security Issues
• Communications are not native IP
• I/O (remote communications) allows the instruments to communicate bidirectionally
– Engineers can no longer simply measure the output analog signal – they need to be able to communicate with the transmitter and read the digital signal
• Obviously no air-gap
• Level 1 devices have minimal cyber security, forensics, or authentication
• Sensor protocols, networks, and sensor collection devices are cyber vulnerable
– Wired/wireless HART, Profibus, Fieldbus, serial Modbus, asset managers, RTUs
• Iran publicly knows
Serial Gateway Vulnerability Disclosures
• Serial-to-Ethernet Convertors (gateways) convert analog sensor measurements to Ethernet for Windows HMIs
– Large number of gateways connected to Internet
– Path into Level 1 devices
• Gateways have been compromised
– Gateways used to compromise US grids in 2014 – May/June 2015 ICS Monitor
– Moxa gateways compromised and “bricked” in the 2015 Ukrainian cyber attack
– Other vendors’ serial gateways with ICS CERT vulnerability disclosures
Olympic Pipeline Rupture
• Broadcast storm shut down SCADA and delayed leak detection – Loss of View, Loss of Control
• All sensors set to average values and safety systems didn’t actuate – Loss of Safety
• Requires revisiting cyber security and safety standards
Sample Sensor-Related Incidents
• RPM sensor on hydro turbine hacked, preventing turbine from operating.
• Dam failure when sensors pulled away from wall, providing erroneous low readings resulting in pumps overfilling the reservoir
• A sensor on a valve malfunctioned and resulted in the release of 10 million gallons of untreated wastewater
• A pressure transmitter sensing line clogged, causing a plant trip in a fossil power plant.
• A safety relief valve in a nuclear plant did not lift because the pressure sensor never reached its setpoint.
• PLC automatically opened the reject bin chute door based on faulty sensor data, dropping 10 tons of material on the truck cab resulting in a fatality.
• The level sensor in a tank failed, resulting in 250 000 litres of gasoline spilling, injuring more than 40. The ensuing fire engulfed over 20 fuel tanks on the tank farm and adjacent sites and burned for several days.
Sensor/Process Noise (Back to the Future)
– Process noise indicates process and sensor performance
– Process noise is filtered out before the serial-to-Ethernet convertor
– Consequently, the information about the nuances of the processes and the sensors is not available for network anomaly detection
– Therefore, the network anomaly detection ASSUMES the sensor packets are correct and cannot tell if the sensor has already been compromised!
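The point above, shown in code as an added example that is not from the presentation: a constructed raw transmitter signal carries a three-sample excursion (a failing or manipulated sensor), a model of the serial-to-Ethernet convertor averages samples into packets, and the same SCADA-style alarm limit is applied to both streams. The raw signal trips the limit; the packet stream, which is all that network anomaly detection ever sees, does not. Every value, function name and the block-averaging model of the convertor are my assumptions, not measurements from any real device.

```python
"""Added example (not from the slides): a constructed raw sensor signal with a
short spike is passed through a model of a serial-to-Ethernet convertor that
averages samples before packetising. The same alarm rule is applied to the raw
signal (what a sensor monitor sees) and to the packet stream (what network
anomaly detection sees). All numbers here are constructed, not field data."""

import random


def make_raw_signal(n=400, base=50.0, noise=0.5, spike_at=250, spike_len=3,
                    spike=8.0, seed=7):
    """Constructed transmitter output: a steady value plus Gaussian process
    noise, with a `spike_len`-sample excursion of +`spike` starting at
    `spike_at`. The excursion stands in for a failing or manipulated sensor."""
    rng = random.Random(seed)
    signal = [base + rng.gauss(0.0, noise) for _ in range(n)]
    for i in range(spike_at, spike_at + spike_len):
        signal[i] += spike
    return signal


def convertor_filter(raw, window=20):
    """Assumed model of the convertor's filtering: each outbound packet carries
    the mean of `window` consecutive raw samples, so one value per block
    survives and sub-block detail (noise and short spikes) is averaged away."""
    return [sum(raw[i:i + window]) / window
            for i in range(0, len(raw) - window + 1, window)]


def limit_alarms(samples, base, limit):
    """Indices of samples whose deviation from `base` exceeds `limit`
    (the kind of high/low limit check a SCADA alarm performs)."""
    return [i for i, x in enumerate(samples) if abs(x - base) > limit]


def peak_deviation(samples, base):
    """Largest absolute deviation from `base`, in engineering units."""
    return max(abs(x - base) for x in samples)


def demo(limit=5.0):
    """Run both streams through the same alarm rule and report the results."""
    raw = make_raw_signal()
    packets = convertor_filter(raw)
    return {
        "raw_alarms": limit_alarms(raw, 50.0, limit),
        "packet_alarms": limit_alarms(packets, 50.0, limit),
        "raw_peak": peak_deviation(raw, 50.0),
        "packet_peak": peak_deviation(packets, 50.0),
    }


if __name__ == "__main__":
    r = demo()
    print("raw samples exceeding the alarm limit:", r["raw_alarms"])
    print("packets exceeding the same limit:     ", r["packet_alarms"])
    print(f"peak deviation raw {r['raw_peak']:.2f} vs packets {r['packet_peak']:.2f}")
```

The excursion of +8 over 3 samples becomes a +1.2 shift in one 20-sample block average, well inside normal variation for the packet stream, so a detector placed after the convertor has nothing to flag; only monitoring the raw electrical signal ahead of the convertor retains the evidence, which is the resilience argument the use cases that follow make.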
What is Being Done
• Demonstrations of hacking process sensors – it’s real
• Proof-of-concept testing of sensor monitoring technology and its benefits
• ISA99 has established new Task Group to address Level 1 devices – ISA99WG4TG7
– Scope is to identify IEC62443 standards that address, or should address, Level 1 devices for adequacy
– Also looking at the definition of “Level 0,1”, “sensors”, etc.
Use Case 1 – Resilience and Redundancy
WATER TREATMENT: Early detection of pending fault unseen by SCADA system
Location: Main pumps in large water reservoir
Challenge: The Water Authority’s SCADA system filters electric signals as they are converted from analog to digital, thus missing important information about process health and equipment status
Solution: Sensor monitoring identifies changes in real time in electric signals directly from the reservoir pumps and related sensors
Productivity Results: Signal spikes (in blue) are not visible to the SCADA system (in orange), indicating a pending fault with a pump
Security Results: Sensor monitoring continued even when Windows-based SCADA was unavailable, providing resilience and redundancy
Use Case 2 – Improved Maintenance
ELECTRICITY GENERATION: Accurate location of fault avoids turbine downtime
Location: Gas turbine at power station
Challenge: During activation attempts, the turbine failed to stabilize and deactivated upon fuel feed. Even after replacing a control card on the main controller, the situation could not be remedied
Solution: The Chief Engineer examined the readout from sensor monitoring, which showed an activation cross-fire that was not visible in the SCADA system
Results: Sensor monitoring precisely identified the exact location and character of the fault by cross-correlating sensor readings, enabling an immediate resolution and the successful activation of the turbine, avoiding costly downtime
Use Case 3 – Improved Productivity
PETROCHEMICAL PROCESS: Immediate identification of production anomaly
Location: Bromide manufacturing reactor
Challenge: Bromide manufacturing reactor processes are characterized by regular production doses; anomalies in pH values have a direct impact on production quality and volumes
Solution: Sensor monitoring deployed inside the reactor quickly identified a previously unidentified and unreported anomaly at the source, showing that a critical process exceeded the norm, changing pH values and decreasing production parameters
Results: Early identification of the pH process failure enabled immediate correction, avoiding the waste of raw materials and saving vital process time
The Holy Grail – Correlating Malware to Physical Impacts
(Diagram labels: Process anomaly detection; Network anomaly detection)
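What coordinating the two detection streams looks like in practice, as an added example that is not from the presentation: process anomalies reported by raw-signal sensor monitoring are joined on time with network anomalies reported by network monitoring, and each process anomaly is classed as correlated (a network precursor exists), process-only (nothing on the network explains it, which is exactly the Level 1 blind spot the slides describe), or the network event is left as network-only (activity with no physical effect observed yet). The event lists, host addresses, tag names and the 60-second window are constructed placeholders of mine.

```python
"""Added example (not from the slides): correlating a process-anomaly stream
(from sensor monitoring) with a network-anomaly stream (from network
monitoring) on time. Both event lists below are constructed samples, and the
hosts, tags and descriptions are invented placeholders."""

from datetime import datetime, timedelta

# Constructed network-anomaly events: (ISO-8601 timestamp, description).
NETWORK_EVENTS = [
    ("2018-05-08T10:00:05", "Modbus write to PLC-3 from unexpected host 10.0.5.9"),
    ("2018-05-08T10:14:30", "port scan from 10.0.5.9"),
    ("2018-05-08T11:02:10", "firmware upload to gateway GW-1"),
]

# Constructed process-anomaly events from raw-signal sensor monitoring.
PROCESS_EVENTS = [
    ("2018-05-08T10:00:12", "PT-2 raw signal step +4.1 while SCADA value unchanged"),
    ("2018-05-08T11:40:00", "pump P-1 motor current spike"),
]


def _parse(events):
    """Turn (timestamp string, description) pairs into (datetime, description)."""
    return [(datetime.fromisoformat(ts), desc) for ts, desc in events]


def correlate(process_events, network_events, window=timedelta(seconds=60)):
    """Pair each process anomaly with network anomalies seen in the `window`
    before it (a network cause must precede its physical effect).

    Returns three buckets a responder triages differently:
      correlated   - physical impact with a plausible network precursor
      process_only - physical impact with no network precursor: a sensor
                     fault, or manipulation below the network (Level 1)
      network_only - network activity with no observed physical effect (yet)
    """
    proc = _parse(process_events)
    net = _parse(network_events)
    used = set()
    correlated, process_only = [], []
    for p_ts, p_desc in proc:
        precursors = [(n_ts, n_desc) for n_ts, n_desc in net
                      if timedelta(0) <= p_ts - n_ts <= window]
        if precursors:
            correlated.append((p_ts, p_desc, precursors))
            used.update(precursors)
        else:
            process_only.append((p_ts, p_desc))
    network_only = [e for e in net if e not in used]
    return {"correlated": correlated, "process_only": process_only,
            "network_only": network_only}


if __name__ == "__main__":
    result = correlate(PROCESS_EVENTS, NETWORK_EVENTS)
    for p_ts, p_desc, precursors in result["correlated"]:
        print(f"CORRELATED   {p_ts.time()} {p_desc}")
        for n_ts, n_desc in precursors:
            print(f"    preceded by {n_ts.time()} {n_desc}")
    for p_ts, p_desc in result["process_only"]:
        print(f"PROCESS-ONLY {p_ts.time()} {p_desc}  (no network precursor)")
    for n_ts, n_desc in result["network_only"]:
        print(f"NETWORK-ONLY {n_ts.time()} {n_desc}  (no physical effect seen)")
```

The process-only bucket is the one the slides argue is invisible today: without a raw-signal monitor the second anomaly would not exist as an event at all, and without the join the first would be logged twice, once by each team, with neither seeing that a Modbus write landed seven seconds before a transmitter moved while the SCADA value stayed flat.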
What Needs to be Done
• Get the engineers involved!
• Take reliability and safety at least as seriously as confidentiality
• Address supply chain issues for Level 1
• Need cyber risk methodology for Level 1
• Need ICS cyber security training for Level 1
• Have vendors address cyber security of Level 1 devices
• Coordinate process anomaly detection with network anomaly detection