Cyber Security for
SCADA/ICS Networks
GANESH NARAYANAN
HEAD-CONSULTING
CYBER SECURITY SERVICES
www.thalesgroup.com
OPEN
Increasing Cyber Attacks on SCADA / ICS Systems
This document may not be reproduced, modified, adapted, published,
translated, in any way, in whole or in part or disclosed to a third party
without the prior written consent of Thales - © Thales 2014 All rights reserved.
What is SCADA
Supervisory Control And Data Acquisition (SCADA)
is a type of computer-controlled Industrial Control System (ICS)
that monitors and controls industrial processes
▌ SCADA Cyber Issues
Complex & Digital
Connected – Industrial & External
Legacy – not designed for security
Internet-connected with inadequate protection
Poor encryption & Password protection
Ability to intrude & manipulate controls
SCADA Systems vs Enterprise Systems – Differences
▌ Business IT – Cyber Issues
Intellectual Property theft
Financial or Strategic info theft
Denial of Services
Insider leakage
Financial & Reputational Risk
▌ Industrial IT – Cyber Issues
Loss of visualization of sensor readings
Loss of control of the plant
Human Safety + Operational Risk
A holistic view of Security
▌ Digital Control of Critical National Infrastructure
Exploitation of SCADA systems
▌ SHODAN
Pinpoints shoddy industrial controls
"The Google for hackers"
▌ METASPLOIT
Online vulnerability scanner
Exploit codes for vulnerabilities
▌ TOR Services
Free software for enabling anonymous communication
Conceals a user's location and usage from anyone
SCADA Scare!
▌ SCADA Exploitation
Use SHODAN, which indexes HTTP headers, to find routers, servers, traffic lights and other industrial control equipment
1 million SCADA/ICS devices connected, growing by 2000-8000/day, many exploitable
Find the internet-facing device and the software version it reveals
Use Metasploit to retrieve the relevant exploit code for that device
Use a proxy connection like TOR to keep anonymity & exploit the remote system
▌ Legacy SCADA controls
Robustness to cyber attack is poor (no FW, data diodes, identity/access mgmt.)
Presence of ActiveX, back door admin accounts, hardcoded authentication
Fuzzing crash, buffer overflow, no password time-out for login
Ready-made plug-ins for Metasploit, Nessus to access real-time systems
SCADA Scare…
▌ The attack
Once “owned”, the ladder logic of the PLC is uploaded
Causing vital parameters to speed up/down, pressure/temperature/interlocks
Attacks are rare, but a honeypot proves attackers could manipulate
▌ Solutions
Robust SCADA/ICS products with cyber security built in (if possible)
In most cases, we need to segregate the critical network from the risky internet/business network
Do not allow IP addresses for SCADA/ICS to be directly accessible from the Internet
Careful routing of industrial protocols with an additional layer of security/control
Cyber Security for SCADA/ ICS Networks
Understanding Business Risk
Threat Sources | Representation of Threat
Criminals/ Organized crime | Financial gain
Corporate Intelligence | Competitors/ Intellectual property
Disgruntled staff | Compromising security, data leakage
Hackers | Website defacement, theft of data
Terrorists | Physical attack + Cyber to compromise availability
Activists | Hacktivism – willful unauthorized penetration to block facilities/ political mileage
Untrained/ unauthorized staff | Use of USB causing malware to enter, other unauthorized, insecure actions
Know the Regulatory Compliance
▌ Modern security standards for other industries
PCI-DSS, HIPAA not possible to adapt in legacy SCADA/ICS
Adapting old systems to the new framework is difficult
▌ USA – NIST 800-82
▌ ISA 99
▌ IEC 62443
Zoning, Segregation & Protection of Industrial Networks
▌ Access to data generated in real time
▌ Risk of intrusion & safety
▌ Protection from external threat:
Thorough Risk Assessment, Secure Gateway, Data diodes
Zoning of Architecture (IEC 62443, ISA 99)
Secure remote conduits like VPN, WAN
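An added example, not part of the original slides, of the segregation check that the Solutions and Zoning slides call for: it audits a firewall rule list for allow rules that let business or internet sources reach industrial protocol ports in the control zone. The zone names, address ranges and rules are constructed assumptions, and a DMZ is assumed to be the only permitted conduit into the control zone.

```python
import ipaddress

# Well-known TCP ports of common industrial protocols.
ICS_PORTS = {102: "S7comm/ISO-TSAP", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed zone plan (assumption, private address space).
ZONES = {
    "control":  ipaddress.ip_network("10.10.0.0/16"),
    "dmz":      ipaddress.ip_network("10.20.0.0/24"),
    "business": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed rules: (name, source CIDR, destination CIDR, (port_lo, port_hi), action)
RULES = [
    ("hist-to-dmz", "10.10.5.0/24",  "10.20.0.10/32", (443, 443),     "allow"),
    ("erp-to-plc",  "10.30.0.0/16",  "10.10.5.0/24",  (502, 502),     "allow"),
    ("vendor-any",  "0.0.0.0/0",     "10.10.7.20/32", (1, 65535),     "allow"),
    ("dmz-to-hmi",  "10.20.0.10/32", "10.10.6.0/24",  (4840, 4840),   "allow"),
    ("deny-inet",   "0.0.0.0/0",     "10.10.0.0/16",  (1, 65535),     "deny"),
]

def source_zone(src):
    """Name the zone that fully contains src, else treat it as untrusted."""
    for name, net in ZONES.items():
        if src.subnet_of(net):
            return name
    return "internet/unknown"

def audit(rules):
    """Return (rule, source zone, exposed protocols) for every allow rule that
    opens an ICS port in the control zone to a source outside control/DMZ.
    Simplification: rules are judged one by one, with no first-match shadowing."""
    findings = []
    control = ZONES["control"]
    for name, src, dst, (lo, hi), action in rules:
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if action != "allow" or not dst_net.overlaps(control):
            continue
        zone = source_zone(src_net)
        if zone in ("control", "dmz"):
            continue  # traffic inside the zone or through the assumed conduit
        exposed = sorted(p for p in ICS_PORTS if lo <= p <= hi)
        if exposed:
            findings.append((name, zone, [ICS_PORTS[p] for p in exposed]))
    return findings

if __name__ == "__main__":
    for rule, zone, protocols in audit(RULES):
        print(f"{rule}: {zone} -> control zone exposes {', '.join(protocols)}")
```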
Situational Awareness Picture of an attack
▌ Real Time Cyber monitoring of Critical Info-com Infrastructure
High security environments vulnerable to sophisticated attacks
Many ICS directly controlled via host business networks
Attack vectors, attack surfaces, likelihood of attack increase
If ICS design/configuration can’t be changed, need full Situational Awareness of the nature of the attack, even if it can’t be prevented
Incorporate pro-active monitoring technology, process, policies, with experienced analysts to detect suspicious activity
24 x 7 security monitoring (or) CSoC as a Service
Full situational awareness picture of physical, environmental, logical and personnel domains – effective, controlled and recorded response
Forensic Readiness
▌ Scrutiny on time taken to investigate and remediate / how the incident is managed is monitored by agencies
▌ Various compliances may be mandated, including Forensic Readiness
▌ UK Govt Security policy framework in 20 areas, including risk treatment section, that talks about Forensic Readiness
▌ Maximize the ability to preserve and analyze data generated by IT systems for legal and management
▌ CESG's Good Practice Guide (GPG) with Information Assurance Implementation with Forensic Readiness Planning
▌ Scenario based approach to Forensics planning, with hypothetical risks and real previous incidents
▌ Corresponding security response, documented and exercised
Incident Response
▌ Assured Cyber Incident Response
Key to successful investigation & remediation is:
- Assured Cyber Incident Response Provider
- Forensics Service Provider in advance of an accident
Entire enterprise network to be examined concurrently for malware / APT by looking at suspicious applications
Once identified, a forensic snapshot of the data is to be taken
All systems on the network forensically searched, followed by remediation
The option is to stop those processes or to forensically wipe them, across all systems
Critical Infrastructure Cyber Security Services
Individual Components of a CSoC – Services
Individual Components of Integrated Cyber Security Ops Centre
Cyber Range – Simulation Solutions
Where does Thales fit in
▌ Thales in SCADA security
Conclusions
▌ SCADA threats are changing very fast
▌ Many misconceptions on the type of SCADA threat, extent of damage or disruption, effort & skills required for protection
▌ Significant consequences of ignoring/inadequate controls on cyber security of SCADA/ICS
▌ Cyber & SCADA – Key concern for all industrial infrastructures
▌ Demands rapid, accurate and informed decisions to ensure safety, security & effectiveness
▌ A holistic approach to SCADA protection, using Cyber Security Operation Centres and Situation Awareness monitoring solutions
▌ Inter-related cyber, physical and industrial IT vulnerabilities must be managed
Thank You
In Heaven, we trust… rest all networks should have Cyber Security Protection!!
▌ For some information on Cyber Security for Critical Infrastructure, please contact
Ganesh Narayanan,
Head- Consulting
Cyber Security
[email protected]
+65 9758 9646