Cyber Security for SCADA/ICS Networks GANESH NARAYANAN HEAD-CONSULTING CYBER SECURITY SERVICES www.thalesgroup.com OPEN Increasing Cyber Attacks on SCADA / ICS Systems 2 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN What is SCADA Supervisory Control And Data Acquisition is a type of, computer controlled, Industrial Control systems that monitor/ control industrial processes ▌ SCADA Cyber Issues Complex & Digital Connected – Industrial & External Legacy-Not designed for Security ‘Internet’ed with inadequate protection Poor encryption & Password protection Ability to intrude & manipulate controls 3 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN SCADA systems (vs) Enterprise Systems –Differences Business IT –Cyber Issues Intellectual Property theft Financial or Strategic info theft Denial of Services Insider leakage Financial & Reputational Risk Industrial IT- Cyber Issues Loss of visualization of sensor readings Loss of control of the plant Human Safety + Operational Risk 4 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN A holistic view of Security ▌ A holistic view of security 5 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN ▌ Digital Control of Critical National Infrastructure 6 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Exploitation of SCADA systems ▌ SHODAN pinpoints shoddy industrial controls. the Google for hackers. ▌ METASPLOIT Online vulnerability scanner Exploit codes for Vulnerabilities ▌ TOR Services free software for enabling anonymous communication conceal a user's location and usage from anyone 7 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN SCADA Scare ! ▌ SCADA Exploitation Use SHODAN indexing http headers to find routers, servers, traffic lights and other industrial control equipment 1 Million SCDA/ICS connected, growing by 2000-8000/ day, many exploitable Find out the device facing internet, revealing software version Use Metasploit, to retrieve the relevant exploit code for that device Use proxy connection like TOR to keep anonymity & exploit the remote system ▌ Legacy SCADA controls Robustness to cyber attack is poor ( no FW, Data diodes, identity/ access mgnt.) Presence of ActiveX, Back door admin accounts, hardcoded authentication Fuzzing crash, buffer over flow, no password time out for login Readymade plug-ins for Metasploit, Nessus to access real time systems 8 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN SCADA Scare…. ▌ The attack Once “owned”, ladder logic of PLC , uploaded Causing vital parameters to speed up/ down, pressure/ temperature/ interlocks Attacks are rare, but honeypot proves attackers could manipulate ▌ Solutions Robust SCADA/ICS products with Cyber security built-in ( if possible) In most cases, we need to segregate critical network from risky internet/ business network Do not allow IP numbers for SCADA/ICS to be directly accessible from Internet Careful routing of industrial protocol with additional layer of security/ control 9 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Cyber Security for SCADA/ ICS Networks Understanding Business Risk 10 Threat Sources Representation of Threat Criminals/ Organized crime Financial gain Corporate Intelligence Competitors/ Intellectual property Disgruntled staff Compromising security, data leakage Hackers Website defacement, theft of data Terrorists Physical attack + Cyber to compromise availability Activists Hacktivism – willful unauthorized penetration to block facilities/ political mileage Untrained/ unauthorized staff Use of USB causing malware to enter, other unauthorized, insecure actions This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Know the Regulatory Compliance ▌ Modern Security Std for other industries PCI-DSS, HIPPA not possible to adapt in legacy SCADA/ICS Adapting old systems to the new framework is difficult ▌ USA- NIST 800-82 ▌ ISA 99 ▌ IEC62443 11 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Zoning, Segregation & Protection of Industrial Metworks ▌ Access to data generated in real time ▌ Risk of intrusion & safety ▌ Protection from External threat : Thorough Risk Assessment , Secure G/way, Data diodes Zoning of Architecture IEC62443, ISA99 Secure remote conduits like VPN, WAN 12 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Situational Awareness Picture of an attack ▌ Real Time Cyber monitoring of Critical Info-com Infrastructure High security environments vulnerable to sophisticated attacks Many ICS directly controlled via host business networks Attack vectors, attack surfaces, likelihood of attack increase If ICS design/ configuration can’t be changed, need full Situational Awareness of the nature of the attack, even if it can’t be prevented Incorporate pro-active monitoring technology, process, policies , with experienced analysts to detect suspicious activity 24 x 7 security monitoring (or) CSoC as a Service Full situational awareness picture of physical, environmental, logical and personnel domains – effective, controlled and recorded response 13 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Forensic Readiness Scrutiny on time taken to investigate and remediate / how the incident is managed is monitored by agencies Various compliances may be mandated, including Forensic Readiness UK Govt Security policy framework in 20 areas, including risk treatment section, that talks about Forensic Readiness Maximize the ability to preserve and analyze data generated by IT systems for legal and management CESG ‘s Good Practice Guide (GPG) with Information Assurance Implementation with Forensic Readiness Planning Scenario based approach to Forensics planning, with hypothetical risks and real previous incidents Corresponding security response , documented and exercised 14 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Incident Response ▌ Assured Cyber Incident Response Key to successful investigation & remediation is : - Assured Cyber Incident Response Provider - Forensics Service Provider in advance of an accident Entire enterprise network to be examined concurrently for malware / APT by looking at suspicious applications Once identified, forensics snapshot of data to be taken All systems on network forensically searched, followed by remediation Option is to stop those processes or to forensically wipe off, across all systems 15 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Critical Infrastructure Cyber Security Services 16 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Individual Components of a CSoC – Services 17 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Individual Components of Integrated Cyber Security Ops Centre ▌ 18 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN 19 / Cyber Range – Simulation Solutions THALES GROUP CONFIDENTIAL Where does Thales fit in ▌ Thales in SCADA security 20 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Conclusions ▌ SCADA threats are changing very fast ▌ Many misconceptions on the type of SCADA threat, extent of dmaage, or disruption, effort & skills required for protection ▌ Significant consequences of ignoring/ inadequate controls on cyber security of SCADA/ICS ▌ Cyber & SCADA – Key concern for all industrial infrastructures ▌ Demands rapid, accurate and informed decisions to ensure safety, security & efectiveness ▌ A holistic approach to SCADA protection, using Cyber Security Operation Centres and Situation Awareness monitoring solutions ▌ Inter-related cyber, physical and industrial IT Vulnerbilities must be managed 21 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN Thank You In Heaven, we trust…rest all networks should have Cyber Security Protection !! ▌ For some information on Cyber Security for Critical Infrastructure , please contact Ganesh Narayanan, Head- Consulting Cyber Security [email protected] +65 9758 9646 22 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in part or disclosed to a third party without the prior written consent of Thales - © Thales 2014 All rights reserved. OPEN
© Copyright 2024