Practical SCADA Cyber Security Lifecycle Steps
Jim McGlone, CMO, Kenexis
Bio
- Jim McGlone, CMO, Kenexis
- GICSP
- ISA Safety & Security Division Director
- Tridium (Honeywell)
- Rockwell Automation
- US Navy Submarine Nuclear Reactor Operator
Introduction
- Slight changes to the process lifecycle to incorporate cybersecurity
- Improve the ICS's ability to withstand a cybersecurity problem
- Improve overall network performance and reliability
- Specific attention will be paid to the Factory Acceptance Testing (FAT) portion of the lifecycle, recognizing the challenges of connecting new equipment into an existing process
Hackers: Who Owns the Problem?
- "On average, our cybersecurity screening programs block more than 70 million emails, 140 million Internet access attempts and 150,000 other potentially malicious actions each month." (ExxonMobil 2014 Corporate Citizen Report)
- Few publicized ICS incidents; the news is about money
- "We process at my facility, it is not critical infrastructure, and the IT department is protecting the perimeter anyway."
- Meanwhile, an HMI station in your facility cannot get the data to refresh on one of the processes in the plant; you are not sure why, but you cannot let IT just scan your network to look for the problem
Embedded Microprocessors: Built to Run a Very Long Time
- ICS were built to run a process in an isolated environment
- Built to run for many years very reliably
- Often running from commissioning until decommissioning without a code change or reboot
- Now we have connected them, even directly to the Internet (Shodan, https://www.shodan.io)
Embedded Microprocessors Everywhere
- An embedded microprocessor can be found on virtually every asset
- Even simple auxiliary systems have a PLC because it is easier than using relays
- The vendor wants to monitor it as a service to keep it running well
- The HVAC industry is monitoring units over the Internet for efficiency, maintenance, and energy programs
- These programs add great value, but they also widen the attack surface available to the bad guys
- Purdue Reference Model for Control Hierarchy (figure)
- Who has access to your ICS systems?
ICS Protocols
- Industrial protocols are different from IT-focused protocols
- Originally developed to run on serial connections, direct from a 9-pin D-shell on the programming terminal, and later from a computer connected directly to the device
- Developed long before you had a web browser
- ICS protocols are proprietary by design, to support interprocess communications
- Now they are layered on Ethernet
- The communication standard is published on the Internet
- They commonly lack authentication or integrity checking, and are vulnerable as a result
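The slide's last point, that industrial protocols carry no authentication or integrity fields, is easiest to see by decoding a frame. The following added example (not from the deck or from Kenexis) parses Modbus/TCP, one widely published industrial protocol that the deck does not name, and shows that the MBAP header and PDU contain nothing a controller could use to verify the sender; it then shows the compensating control a defender can apply at the switch: flag write function codes from any source that is not an approved engineering station. The sample frames, addresses and allow-list are constructed.

```python
import struct
from dataclasses import dataclass

# Function codes from the public Modbus Application Protocol specification
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
# Codes that change controller state (single/multiple coil and register writes)
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU.

    Every field is plain application data. There is no sender identity,
    no credential and no signature or MAC, so the receiving controller has
    nothing it could use to reject a frame from an unexpected host.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # The MBAP length field counts the bytes after itself: unit id + PDU
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload size")
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def describe(frame: ModbusFrame) -> str:
    """Human-readable summary of the two function codes handled here."""
    if frame.function_code == WRITE_SINGLE_REGISTER:
        address, value = struct.unpack(">HH", frame.data[:4])
        return f"write register {address} = {value}"
    if frame.function_code == READ_HOLDING_REGISTERS:
        start, quantity = struct.unpack(">HH", frame.data[:4])
        return f"read {quantity} holding registers from {start}"
    return f"function 0x{frame.function_code:02X}"


def audit_writes(observed, allowed_writers):
    """Compensating control for a protocol that cannot authenticate its sender:
    a monitor on a switch span port flags write operations from any source
    address that is not an approved engineering station.
    `observed` is an iterable of (source_ip, payload_bytes) pairs."""
    alerts = []
    for src_ip, payload in observed:
        frame = parse_modbus_tcp(payload)
        if frame.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            alerts.append(f"{src_ip}: unexpected {describe(frame)} to unit {frame.unit_id}")
    return alerts


# Constructed sample frames (hex): transaction id, protocol id, length,
# unit id, function code, then the function's data bytes
SAMPLE_WRITE = bytes.fromhex("0001" "0000" "0006" "01" "06" "0010" "1234")
SAMPLE_READ = bytes.fromhex("0002" "0000" "0006" "01" "03" "0000" "000A")

# Constructed traffic as a span-port monitor would see it
OBSERVED = [
    ("192.168.100.20", SAMPLE_READ),    # HMI polling a register block
    ("192.168.100.10", SAMPLE_WRITE),   # approved engineering station
    ("10.10.5.77", SAMPLE_WRITE),       # business-network host, not approved
]
ALLOWED_WRITERS = {"192.168.100.10"}

if __name__ == "__main__":
    for alert in audit_writes(OBSERVED, ALLOWED_WRITERS):
        print(alert)
```

The allow-list is the point: since nothing in the frame identifies the sender, the only place identity can be enforced is outside the protocol, in the network (segmentation, switch ACLs) and in monitoring of who issues writes.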
The Problem
- A skid-based process arrives from a trusted vendor
- It was checked out and connected into the network
- The skid checked out clean, but the vendor's laptop had malware on it
- The laptop was connected to the controller for final setup
- Ransomware broadcast itself onto most of the machines in manufacturing and the business network before IT caught it
- Unfortunately, this is a common problem: similar to the Target breach, the Stuxnet attack on Iranian centrifuges, and at least one nuclear power plant
- It is easy to accidentally let bad stuff in: the fastest way inside your company is by dropping an expensive, new-looking USB memory stick in the employee parking lot
- It is easy to overlook connecting a piece of industrial equipment to the network on the factory floor
ICS Cybersecurity Lifecycle
- The cyber lifecycle should line up logically with the process lifecycle and support the organization until the process is shut down and decommissioned
- These are all projects, with finite budgets and start and stop time limits
ICS Cybersecurity Lifecycle: Policy (Step One)
- Establishes requirements, responsibility, and governance
- Dictates that the vendor's laptop and the incoming equipment are scanned prior to connecting
- Executive sponsorship
- Facilitates budgeting
- Drives training and awareness: solid behaviors so mistakes are infrequent
- Response to incidents is planned and appropriate
ICS Cybersecurity Lifecycle: Cyber Design (Before and During Design)
- Cybersecurity design phase
- Ensure policy is met
- Reduce the risk to the process from cyber threats with a properly designed network
- Design the cyber SAT and FAT
ICS Cybersecurity Lifecycle: Acceptance Testing (Don't Plug It In)
- A SAT should be run on new equipment, processes, systems, or the facility to ensure you will not introduce a problem
- An improper connection to your business network, an engineering computer, or remote access could cause a network performance problem right from the beginning
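A cyber acceptance test is only repeatable if the pass/fail criteria are written down and checked the same way for every skid. The added example below (my own, not from the deck or Kenexis) encodes the checks the deck calls for, a clean anti-malware scan, approved firmware versions, no default passwords, expected configuration, and no unapproved network or remote-access connections, as a policy object and evaluates a device record against it before the "connect to network" decision. The device records, firmware versions, credential list and network names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class DeviceRecord:
    """What the acceptance tester records about one device on the incoming skid."""
    name: str
    model: str
    firmware: str
    credentials: List[Tuple[str, str]]   # (user, password) pairs found configured
    open_services: Set[int]              # TCP ports that answered during the check
    connections: Set[str]                # networks the skid is asking to join
    malware_scan_clean: bool
    remote_access: str                   # e.g. "none", "site_vpn", "vendor_cellular_modem"


@dataclass
class AcceptancePolicy:
    """Pass/fail criteria agreed with the vendor before the skid ships."""
    approved_firmware: Dict[str, Set[str]]       # model -> acceptable versions
    default_credentials: Set[Tuple[str, str]]    # pairs that must not remain set
    allowed_services: Set[int]
    allowed_networks: Set[str]
    allowed_remote_access: Set[str]


def run_cyber_sat(device: DeviceRecord, policy: AcceptancePolicy) -> List[str]:
    """Return every finding that blocks connection; an empty list means accept."""
    findings = []
    if not device.malware_scan_clean:
        findings.append("anti-malware scan not clean")
    if device.firmware not in policy.approved_firmware.get(device.model, set()):
        findings.append(f"firmware {device.firmware} not approved for {device.model}")
    for user, password in device.credentials:
        if (user, password) in policy.default_credentials:
            findings.append(f"default credential still set for user '{user}'")
    for port in sorted(device.open_services - policy.allowed_services):
        findings.append(f"unexpected service listening on port {port}")
    for net in sorted(device.connections - policy.allowed_networks):
        findings.append(f"requested connection to disallowed network '{net}'")
    if device.remote_access not in policy.allowed_remote_access:
        findings.append(f"remote access method not permitted: {device.remote_access}")
    return findings


def accept_for_connection(device: DeviceRecord, policy: AcceptancePolicy) -> bool:
    """The single yes/no the person holding the patch cable needs."""
    return not run_cyber_sat(device, policy)


# Constructed policy: placeholder model name, versions and credential pairs
POLICY = AcceptancePolicy(
    approved_firmware={"PLC-EXAMPLE-1000": {"2.3.1", "2.3.2"}},
    default_credentials={("admin", "admin"), ("admin", ""), ("root", "root")},
    allowed_services={502},              # only the control protocol the HMI needs
    allowed_networks={"control_lan"},
    allowed_remote_access={"none", "site_vpn"},
)

# Constructed skid as it arrived from the vendor
SKID_AS_DELIVERED = DeviceRecord(
    name="skid-7 PLC", model="PLC-EXAMPLE-1000", firmware="2.1.0",
    credentials=[("admin", "admin"), ("operator", "Plant-Ops-2015")],
    open_services={23, 80, 502},
    connections={"control_lan", "business_lan"},
    malware_scan_clean=True,
    remote_access="vendor_cellular_modem",
)

# Same skid after the vendor worked the findings list
SKID_AFTER_REMEDIATION = DeviceRecord(
    name="skid-7 PLC", model="PLC-EXAMPLE-1000", firmware="2.3.2",
    credentials=[("admin", "Site-Unique-Passphrase"), ("operator", "Plant-Ops-2015")],
    open_services={502},
    connections={"control_lan"},
    malware_scan_clean=True,
    remote_access="site_vpn",
)

if __name__ == "__main__":
    for finding in run_cyber_sat(SKID_AS_DELIVERED, POLICY):
        print("FAIL:", finding)
    print("accept:", accept_for_connection(SKID_AFTER_REMEDIATION, POLICY))
```

Running the checker on the as-delivered record produces six findings (old firmware, a default admin password, two extra listening services, a request to join the business LAN, and a vendor modem), and the remediated record passes. The value of writing the policy down this way is that the vendor can be sent the same criteria at FAT, so the skid arrives already passing.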
ICS Cybersecurity Lifecycle: Compliance Audit (Are We Good?)
- Verify periodically that staff are aware of policy and compliant
- Determine shortcomings and needed training
- Audits based on regulation are very different, and I am going to skip them in this discussion because most of us do not need to do them yet
ICS Cybersecurity Lifecycle: Vulnerability Assessment
- Required periodically by standards or policy, or some impetus has inspired you to get budget and have an expert evaluate your status
- Documents the security posture of control systems
- Identifies vulnerabilities that might result in security incidents
- Evaluates operational and change management processes
- Provides an actionable list of recommendations for improving security
ICS Cybersecurity Lifecycle: Vulnerability Assessment (continued)
- A vulnerability assessment includes: design review; data flow analysis; traffic analysis; procedure and policy review
- Focuses on the devices and connections that would allow an attacker to access the ICS
- ICS knowledge is critical: running IT tools to evaluate the ICS network can be hazardous
ICS Cybersecurity Lifecycle: Vulnerability Assessment (During the Walk-Down)
- Observations are noted
- Ethernet packet traffic data is collected at key switch locations
- Packet traffic is analyzed extensively for patterns, signatures, and traffic problems
- Configuration of devices and systems is evaluated against: industry best practices; recommendations from each equipment manufacturer; patch levels and patch management; common misconfigurations; default or common user names / passwords; remote access controls
- Segmentation of business and control system networks will also be evaluated
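The data flow and traffic analysis from the previous slide and the segmentation evaluation on this one come down to the same question: which hosts in which zones are talking, and should they be? The added example below (my own, not from the deck or Kenexis) takes flow records summarized from a switch-span capture, maps each endpoint to a Purdue-style zone, and reports three things an assessor looks for: business-to-control flows that bypass the DMZ, control-zone hosts reaching unknown external addresses, and industrial protocol traffic originating outside the control zone. It also lists the top talkers, which is where the "traffic problems" of the slide usually show up. The zone subnets, the flow-record format and the sample flows are constructed; the port-to-protocol table uses the IANA-registered ports for Modbus/TCP, EtherNet/IP and DNP3.

```python
import ipaddress
from collections import Counter

# Constructed zone plan, in Purdue terms: enterprise (level 4/5), a DMZ
# (level 3.5) that brokers all business/control exchange, and the control zone
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.1.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# IANA-registered ports for common industrial protocols
ICS_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3"}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_flow(line: str) -> dict:
    """Constructed record format: src,dst,dport,proto,bytes."""
    src, dst, dport, proto, nbytes = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def iter_flows(text: str):
    for line in text.strip().splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield parse_flow(line)


def analyze_flows(text: str) -> list:
    """Apply the three segmentation rules to every flow and collect findings."""
    findings = []
    for f in iter_flows(text):
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        where = f"{f['src']} -> {f['dst']}:{f['dport']}"
        # Rule 1: enterprise and control must only meet through the DMZ
        if {sz, dz} == {"enterprise", "control"}:
            findings.append(f"segmentation: {sz}->{dz} {where} bypasses the DMZ")
        # Rule 2: the control zone has no business with unknown external addresses
        if "external" in (sz, dz) and "control" in (sz, dz):
            findings.append(f"external: {sz}->{dz} {where}")
        # Rule 3: industrial protocol sessions should originate inside the control zone
        if f["dport"] in ICS_PORTS and sz != "control":
            findings.append(f"{ICS_PORTS[f['dport']]} from {sz} host {f['src']} to {f['dst']}")
    return findings


def top_talkers(text: str, n: int = 3) -> list:
    """Byte volume per (src, dst, dport), highest first."""
    volume = Counter()
    for f in iter_flows(text):
        volume[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return volume.most_common(n)


# Constructed flow summary; 203.0.113.0/24 is a documentation range (RFC 5737)
FLOWS = """
# src,dst,dport,proto,bytes
192.168.100.20,192.168.100.5,502,tcp,1200
192.168.100.30,10.20.1.10,1433,tcp,50000
10.10.4.15,10.20.1.10,1433,tcp,8000
10.10.4.15,192.168.100.5,502,tcp,300
192.168.100.40,203.0.113.9,443,tcp,90000
192.168.100.40,192.168.100.5,23,tcp,150
"""

if __name__ == "__main__":
    for finding in analyze_flows(FLOWS):
        print(finding)
    for key, nbytes in top_talkers(FLOWS):
        print(f"{nbytes:>8} bytes  {key[0]} -> {key[1]}:{key[2]}")
```

In the constructed data the historian-to-DMZ and business-to-DMZ flows are the intended path and produce nothing; the business host reaching a PLC directly on port 502 trips two rules, and the control-zone host sending 90 KB to an outside address is both a finding and the largest talker, which is exactly the "message traffic to an unknown external site" the deck names as an incident trigger.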
ICS Cybersecurity Lifecycle: Vulnerability Assessment vs. Penetration Testing
- Vulnerability assessment teams document what is found, but in a penetration test we pursue what we find to see how far we can get and what your ultimate vulnerability exposure looks like
- Agreed to prior to performance
- Non-destructive
ICS Cybersecurity Lifecycle: Incident Response
- You want someone that knows the path to your door so that they can get to work as soon as possible: someone who designed the system and kept it safe all along
- Otherwise, you are starting from zero and probably do not have time to properly evaluate all options
- You need to know whether the expert incident response team is going to build a forensic case for you, or whether you are hiring them just to kill the bad stuff and remove it from your networks
The Solution
- Earlier, a skid-based process arrived from a trusted vendor
- This time it was checked out according to policy and the agreed acceptance test, including an anti-virus / anti-malware scan and a cybersecurity check for versions, default passwords, and all configurations, prior to connecting it into the network
- When the vendor arrived with a laptop, the IT team assigned the vendor a remote access connection into the corporate VPN and a remote desktop connection on one of their verified computer stations, preventing the malware from propagating onto your networks and allowing the vendor to finish
- It might seem like a little extra work and thought, but it will be far less expensive and stressful than dealing with what can happen if you don't make the effort
Conclusion
- The process lifecycle is ongoing, and cybersecurity is too
- Projects kick off based on an impetus, and the impetus varies with the lifecycle stage and with events:
  - Stale or missing data in an HMI screen or historian
  - Incident: IT catches message traffic to an unknown external site
  - Policy violation: incorrect remote access
  - New or refurbished process equipment
Thank you
Jim McGlone, Columbus, Ohio, USA
james.mcglone@kenexis.com
www.kenexis.com
+1-614-975-6783

Recommended reading
- Industrial Automation and Control System Security Principles, Ronald L. Krutz, Ph.D., P.E.
- Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS (1st Edition), Tyson Macaulay and Bryan L. Singer