IoT & SCADA Cyber Security Services

Transcription

1 RIOT SOLUTIONS PTY LTD P.O. Box Adelaide St Brisbane QLD 4000 BRISBANE HEAD OFFICE Level 22, 144 Edward St Brisbane, QLD 4000 T:

2 Table of Contents 1 Overview Offer of Professional Services Skills and Experience Services IoT Cyber Security Assessment ICS/SCADA Cyber Security Assessment Pricing Page 2 of 12

3 1 Overview RIoT Solutions offers a range of cyber security services to meet clients digital technology needs. Specifically, these relate to IoT (Internet of Things) technologies and SCADA (Supervisory Control and Data Acquisition) systems. As technology solutions are designed and implemented for IoT projects, there is a requirements for security assessments that are performed by an independent 3 rd party organisation specialising in cyber security, with an appropriately qualified resources. The purpose of this document is to outline the approach and proposed services that RIoT Solutions recommends, and to assist organisations in understanding the scope of the work and effort required to achieve the desired business outcomes. 1.1 Offer of Professional Services RIoT Solutions offers the following key cyber security services to enable organisations to attain the desired outcomes listed in the previous section. The services are packaged and available on a fixed-scope fee basis. Further aspects of each service are listed in section 2: Services IoT Systems Service Description Deliverables IoT Cyber Security Assessment (High-level) IoT Cyber Security Assessment (Detailed) Review overall security against key IOT vulnerability categories in: OWASP IoT Top 10 Review overall security design and the elements of a Protection Architecture for IoT, utilising Cloud Security Alliance (CSA) reference: Security Guidance for Early Adopters of the IoT Provide a report with: - Identified vulnerabilities, and the resulting risks - Prioritised list of recommendations for risk mitigations Provide a report with: - Identified security architecture issues, vulnerabilities, and the resulting risks, plus rating against CSA s list of recommended security controls - Prioritised list of recommendations for addressing security architecture weaknesses IoT Security Vulnerability Testing Perform vulnerability testing of the supporting infrastructure (devices, hosts, networks and services) of the target IoT solution Identify, and where safe to do so, exploit vulnerabilities to confirm risk exposure Provide a report with: Table 1: Professional Services Security Assessments of IoT Systems - Identified technical vulnerabilities, sample attack / exploitation steps, and the resulting risks - Identified effective security controls - Prioritised list of recommendations for risk mitigations Page 3 of 12

4 SCADA Systems Service Description Deliverables SCADA Cyber Security Operations Review SCADA Security Vulnerability Assessment Review the current state of SCADA cyber security operations against industry best practice guidelines: NIST Framework for Improving Critical Infrastructure Cybersecurity Perform an independent testing of nominated SCADA network segments Provide a report showing: - How management of cyber security risks compares to best practice - Recommendations for addressing any identified gaps Provide a report with: Table 2: Professional Services Security Assessments of SCADA Systems - Identified technical vulnerabilities - Sample attack / exploitation steps (if permitted), and the resulting risks - Identified effective security controls - Prioritised list of recommendations for risk mitigations Note: the services above do not constitute a finite, locked service scope offering this initial service range had been put together without the known aspects of the scale and complexity of the targeted IoT or SCADA systems. RIoT Solutions can customise the services, or add additional ones, depending on specific requirements. 1.2 Skills and Experience Our experience covers all areas of cyber security and risk assessments of critical infrastructure consisting of potentially fragile network-connected systems such as Real-Time SCADA and other devices deployed within healthcare, transportation and energy supply industries. We are one of the few organisations that offer resources with ICS/SCADA security specific training and certification RIoT Solutions consultants have attained the Certified SCADA Security Architect (CSSA) qualification, attended a diverse range of ICS security focused training courses and conferences in Europe and USA, and have provided critical infrastructure security assessment services to many Queensland organisations that operate and/or build critical infrastructure systems. Our consultants had been involved in developing and executing successful Social Engineering campaigns, performing cyber-attack simulations, and also security research that led to identification of 0-day vulnerabilities and development of proof-of-concept exploits against Smart Meter infrastructure, SCADA power meter equipment, a national wireless BYOD rollout, and a biomedical infusion pump control unit. Page 4 of 12

5 2 Services The proposed cyber security services are specifically tailored to the unique characteristics of IoT and ICS/SCADA solutions. Sections 2.1 and 2.2 detail the approach and methodologies of each service offering. 2.1 IoT Cyber Security Assessment Assuring the security of each component within an IoT system is imperative in order to prevent malicious actors from gaining unauthorised access to, or the ability to tamper with, systems and data that form the IoT solution. Since a typical IoT solution will introduce large quantities of new devices and/or embedded components throughout an organization, it is highly likely that this will lead to an increase of potential cyber security risks within the IoT solution s deployment, and where connected to enterprise or ICS/SCADA systems it might also introduce additional risks of the IoT solution being used as an attack vector into an organisation s other critical assets. RIoT Solutions offers the following levels of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique solution requiring a security review: High-level Assessment Detailed Assessment Security Vulnerability Testing High-level Assessment Service scope: Review overall security of the target IoT solution against list of the 10 key vulnerability categories specified in the OWASP Internet of Things Top 10 Project The Open Web Application Security Project (OWASP) is not-for-profit organisation focused on improving the security of software. Since 2003, it has been providing applications security testing and design guidance, and in 2014, OWASP compiled an IoT dedicated list: IoT Top 10. Whilst it is intended only as a high-level guidance for reviewing IoT security, it was designed to cover all attack surface areas, in order to get a good, high-level assessment of overall security. The IoT Top 10 categories are: Rank Title I-1 Insecure Web Interface I-2 Insufficient Authentication/Authorization I-3 Insecure Network Services I-4 Lack of Transport Encryption Page 5 of 12

6 I-5 Privacy Concerns I-6 Insecure Cloud Interface I-7 Insecure Mobile Interface I-8 Insufficient Security Configurability I-9 Insecure Software/Firmware I-10 Poor Physical Security Table 3: Top 10 IoT Vulnerabilities (OWASP 2014) Objectives: Evaluate the target IoT solution for security weaknesses, map the main attack surface areas for any IoT device, communication network and back-end systems, in order to provide guidance on how to avoid or mitigate vulnerabilities within each component. Key benefits: Improve security of systems designed and implemented Identify and remediate key security vulnerabilities before solutions go live Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed, especially given the fact that many IoT devices have very little or no in-built security features. Deliverables: Provide a detailed report, clearly documenting any vulnerabilities and resulting risks, and showing the remediation recommendations. The report will also highlight all areas where best practice recommendations are already being met. Constraints: A comprehensive testing against every single category. For example, extended testing of the Insecure Web Interface of a complex IoT data analytics platform could involve an in-depth testing against OWASP Top 10 for web application security such engagements usually take more than five days Detailed Assessment Service Scope: Review overall security design and applicable details of the target IoT solution against guidance for the secure implementation of IoT-based systems, specified in Cloud Security Alliance (CSA) Security Guidance for Early Adopters of the Internet of Things Page 6 of 12

7 The CSA is an organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. It maintains Working Groups across 28 domains of Cloud Security. One of the groups is the Internet of Things Working Group that conducts research into best practices for securing IoT implementations. The Security Guidance for Early Adopters of the IoT outlines the current challenges to secure IoT deployments, and seeks to address them via suggested Recommended Security Controls, tailored to IoT-specific characteristics. The CSA key recommended security controls are: Analyse privacy impacts to stakeholders (e.g. data capture at points of collection, processing, transport and storage) Apply a Secure Systems Engineering approach to architecting and deploying a new IoT System (e.g. threat modelling, secure development, and secure supply chain) Implement layered security protections to defend IoT assets (at the Network, Application, Device, Physical and Human layers) Implement data protection best-practices to protect sensitive information (data identification, classification and security) Define lifecycle controls for IoT devices (plan, deploy, manage, monitor and detect, remediate) Define and implement an authentication/authorization framework for the organisation s IoT Deployments (the authentication method will depend on the constraints of the device) Define and implement a logging/audit framework for the organisation s IoT ecosystem (what events and metadata to log, and to where). CSA have tailored these controls to IoT-specific characteristics to allow early adopters of the IoT to mitigate many of the risks associated with this new technology. Objectives: Evaluate the target IoT solution for security architecture weaknesses, document resulting risks, and provide rating against CSA s list of recommended security controls. Provide guidance on how to avoid or mitigate vulnerabilities within each IoT architecture component. Key benefits: Improve security of systems designed and implemented Identify and remediate key security vulnerabilities and security architecture weaknesses before solutions go live Page 7 of 12

8 Demonstrate to clients that technology solutions are designed and delivered with systems & data security in mind Allow organisations to design and deploy (or at least recommend) compensating controls where vulnerabilities cannot be patches or removed. Deliverables: Provide a detailed report documenting the identified security architecture issues, vulnerabilities, the resulting risks, and rating against CSA s list of recommended security controls. Include a prioritised list of recommendations for addressing security architecture weaknesses. Constraints: As per the previously listed constraints for the High-level assessment service, extended review of all aspects of the IOT solution s application-layer, unless it is requested as an additional service focused on application security testing and design review Security Vulnerability Testing Service Scope: Perform an independent security testing of the supporting infrastructure (devices, hosts, networks and services) of the target IoT solution, in the context of an unauthenticated, anonymous user Where applicable, login with provided test user account with low privileges, to check for weak access restrictions to sensitive data, systems and management interfaces for authenticated users. Objectives: Identify and document any risks to the target IoT solution, posed by a potential attacker connected to any of the IoT solution components, and/or by an authenticated low-privilege user Provide guidance on how to avoid or mitigate vulnerabilities within each component. Key benefit: Identification and ensuing reduction of risks within designed and/or implemented IoT solution environment. Deliverables: Provide a detailed report documenting Identified technical vulnerabilities, sample attack / exploitation steps, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations. Page 8 of 12

9 Constraints: High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. Denial of Service attacks, brute-force password guessing, etc.), due to potential impact on live environments. For any systems or components that are deemed too critical and potentially fragile, RIoT Solutions will work closely with the customer in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system(s) in a LAB environment. 2.2 ICS/SCADA Cyber Security Assessment RIoT Solutions offers the following two types of cyber security assessment services, to allow organisations to select the most appropriate option for a particular requirement and budgeted funds for each unique SCADA environment requiring a security review: Cyber Security Operations Review Security Vulnerability Assessment. The Cyber Security Operations Review service utilises passive, off-line review methods for ascertaining the security posture of the target SCADA system, and such poses no risk to systems and data in production environments. The Security Vulnerability Assessment service includes testing activities that utilise network level connections to nominated (and approved) parts of the target SCADA system. Whilst RIoT Solutions takes appropriate precautions and our customised testing methodology takes inherent risks of testing time-critical systems operations of ICS/SCADA into consideration, some risks cannot be completely eliminated. Therefore, whenever possible, active cyber security testing should be performed on a backup or offline systems. If there are any components of the target SCADA system deemed critical and potentially fragile (e.g. a legacy system with known performance and/or stability issues), RIoT Solutions will work closely with customers in order to come up with an alternative, safe testing approach, such as hands-off security review (e.g. an off-line review of system configuration files and documentation), or testing a spare system in a LAB environment SCADA Cyber Security Operations Review Scope: Review the current state of the target SCADA systems cyber security operation against industry best practice guidelines RIoT Solutions proposes to utilise the following well established best practice framework that is appropriate for Industrial Control Systems / SCADA systems: NIST Framework for Improving Critical Infrastructure Cybersecurity Page 9 of 12

10 The National Institute of Standards and Technology (NIST) Framework is technology neutral and relies on a variety of existing standards, guidelines, and practices to enable critical infrastructure providers to achieve resilience. The Framework is a risk-based approach to managing cybersecurity risk, and its core consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization s management of cybersecurity risk. Objectives: Enable organisations to determine their current cyber security capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cyber security programs. Identify and prioritize actions for reducing cyber security risk, and align policy, business, and technological approaches to managing that risk. Key benefits: Enable organisations to apply the principles and best practices of risk management to improving the security and resilience of their Operation Technology network(s). Deliverables: Provide a detailed report outlining how management of cyber security risks within the target SCADA system compares to best practice (NIST guidelines), and include recommendations for addressing any identified gaps. Constraints: A detailed compliance type audit, as this would have high cost and time implications, whilst providing limited benefits SCADA Security Vulnerability Assessment Scope: Perform an independent testing of nominated SCADA network segments, in the context of an unauthenticated, anonymous user. All testing is conditional on approval of an agreed testing plan and applicable restrictions and precautions, if any testing targets are in production environments. Login with provided test user account with low privileges, to check for weak access restrictions to SCADA management and monitoring systems for authenticated users (privilege escalation, overly permissive access to internal resources, etc.) Page 10 of 12

11 Objectives: Identify and document any risks to the target SCADA system, posed by an authenticated low-privilege user, and by a potential attacker connected to the SCADA network and/or identified external network connection entry points. Key benefit: Identification and ensuing reduction of risks within a SCADA environment Verification of restrictions applicable to configuration of role-based security controls, for non-administrative and non-privileged user accounts on the SCADA network. Deliverables: Provide a detailed report documenting Identified technical vulnerabilities, and the resulting risks. Document any effective security controls where identified, and include a prioritised list of recommendations for risk mitigations. Where SCADA components vulnerability confirmation testing was permitted, document the steps an attacker might take. Regarding evidence, ensure the approach does not put the target system at risk (e.g. use screen shots of accessible system administration interfaces, but do not alter any settings and/or data). Constraints: High-intensity automated vulnerability scanning and other aggressive testing methods (e.g. exhaustive network port scans, Denial of Service attacks, brute-force password guessing, etc.) due to potential impact on live environments. Page 11 of 12

12 3 Pricing The proposed services are offered at a fixed price, and can be consumed individually in any order that fits the organisation s requirements. Due to the unknown scale and complexity of the IoT or SCADA targets, the assessment effort estimates are based on our previous work on small to medium size sites. For example, SCADA Vulnerability Testing of one Control Centre and network connected devices on few remote field sites (where travel to sites was not required) usually takes a minimum of 7 days IoT Systems Service IoT Cyber Security Assessment (High-level) $ 8,250 IoT Cyber Security Assessment (Detailed) $ 11,550 IoT Security Vulnerability Testing $ 8,250 Table 4: Investment IoT Cyber Security Services SCADA Systems Service SCADA Cyber Security Operations Review $ 8,250 SCADA Security Vulnerability Testing $ 11,550 Table 5: Investment SCADA Cyber Security Services Price (excl. GST) Price (excl. GST) Page 12 of 12