Basics of ICS Cyber Security Solutions PDF


BASICS OF ICS CYBER SECURITY
AGENDA

● Introduction
● Concepts & Standards
● Defense In Depth
● IT Practices in an ICS Network
● Way Forward

GLOBAL CYBER STATISTICS

● 62% of businesses experienced phishing and social engineering attacks in 2018
● 68% of business leaders feel their cybersecurity risks are increasing
● 4.1B records exposed in data breaches in the first half of 2019
● Hackers attack every 39 seconds, on average 2,244 times a day
● 94% of malware was delivered by email
● 34% of data breaches involved internal actors
● 61% of organizations have experienced an IoT security incident
● 5200 is the average number of attacks per month on IoT devices
● 53% of companies had over 1,000 sensitive files open to every employee

Source: financesonline, csoonline


TYPICAL CYBER INTRUSION

1. Remote access connection established (hacker)
2. By-pass firewall; steal EWS credentials
3. Deploy PC malware
4. Install RAT in PLC
5. Disable safety PLC; disrupt process functions
OT SYSTEM TO BE AS SECURE AS IT SYSTEMS

Drivers:
● Digitalization in industries
● Connectivity from field to cloud (IoT, IIoT)
● Convergence of IT & OT
● Increased use of automation & data
● Introduction of artificial intelligence

A cyber attack on an OT system has a direct impact on the lives of people and the environment.
IEC 62443

Source: ISA99
TYPICAL GUIDELINES FOR THREAT IDENTIFICATION AS PER IEC-62443
• Remote maintenance and diagnostics connections through the internet & insecure modems.
• Insecure serial connections / vulnerable protocols with no security, like Modbus, HTTP, OPC DA, SNMP, etc.
• Wireless systems/hotspots, mobile, laptop.
• Portable drives & USB devices used for backup.
• Data files (documents, SCADA backup or PLC project files, database, etc.).
• Infected system devices like an engineering laptop.
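The Modbus point above is the one a defender can act on directly: Modbus/TCP carries no authentication, so a monitor can only check the function code of a request and which host sent it. The following is an added example, not material from this deck or its vendor, that parses the Modbus/TCP MBAP header and flags state-changing function codes (writes, diagnostics) coming from hosts outside an allowlist. The frames, IP addresses and the allowlist are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP MBAP header (big-endian): transaction id, protocol id, length, unit id.
MBAP = struct.Struct(">HHHB")

# Function codes that change controller state or alter device behaviour. Modbus/TCP
# carries no authentication, so the only thing a monitor can check is *who* sends them.
STATE_CHANGING_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x08: "Diagnostics",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame; raise ValueError on malformed input."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # 'length' counts the unit id plus the PDU, so the whole frame is 6 + length bytes.
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[MBAP.size:]
    return ModbusRequest(tid, unit, pdu[0], pdu[1:])


def review_flows(flows, authorized_writers):
    """flows: iterable of (src_ip, frame). Returns alert strings for state-changing
    requests from hosts outside the allowlist and for frames that do not parse."""
    alerts = []
    for src_ip, frame in flows:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            alerts.append(f"{src_ip}: malformed Modbus frame ({exc})")
            continue
        name = STATE_CHANGING_FUNCTIONS.get(req.function_code)
        if name and src_ip not in authorized_writers:
            alerts.append(
                f"{src_ip}: unauthorized {name} (fc=0x{req.function_code:02x}) "
                f"to unit {req.unit_id}"
            )
    return alerts


# Constructed sample traffic for the demonstration (not captured from a real plant).
SAMPLE_FLOWS = [
    ("10.1.1.20", bytes.fromhex("000100000006010300000004")),  # HMI: read 4 holding registers
    ("10.1.1.10", bytes.fromhex("00020000000601050001FF00")),  # EWS: write single coil (allowed)
    ("10.1.9.77", bytes.fromhex("000300000006010600100064")),  # unknown host: write register
    ("10.1.9.77", bytes.fromhex("0004000000")),                # truncated frame
]
AUTHORIZED_WRITERS = {"10.1.1.10"}  # hypothetical engineering workstation address

if __name__ == "__main__":
    for alert in review_flows(SAMPLE_FLOWS, AUTHORIZED_WRITERS):
        print(alert)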
TYPICAL GUIDELINES FOR THREAT MITIGATION AS PER IEC-62443
• Selection of applications that support TLS or other security mechanisms.
• Remote access management with token-based authentication.
• Upgrade/select protocols with security features like OPC-UA, DNP3-SA, IEC, HTTPS, SSH, etc.
• Define access control measures in SCADA/DCS.
• System hardening of all devices in the ICS network.
• Create dataflow rules in an OT IPS system.
• Centralized backup and document management.
DEFENSE IN DEPTH

Layers, from the outside in, with typical elements at each layer:
● Policies & Procedures – Intl. standards, country & organization governance
● Physical Security – Fence, gates, turnstiles, entry/exits, CCR, CR, ECR, technical rooms
● Network – Firewalls, routers, switches, hubs, serial networks, terminal servers, protocol / media convertors
● Devices – PLC, RTU, DCS, other controllers, intelligent field instruments, servers, workstations, IoT devices, cameras
● Application – PLC programs, configurations, historians, SCADA, OPC, connectors
● Critical Assets – Turbines, generators, pumps, valves, well-head, compressors

PHYSICAL SECURITY – CONTROL & MONITORING (i-Visionmax - Secure)

● Perimeter Intrusion Detection System
● Building Intrusion Detection System
● Surveillance Systems – Cameras, VMS
● Integrated Platforms – PSIM, ISMS, Analytics
● Public Address System, Intercom, Hotline
● Access Control System
● Fire Alarm System
● Network Infrastructure – Active & Passive

How will this add value?
• Forensic analysis of physical sabotage
• Suspicious behavior and profiling
• Securing the equipment using ACS
• Integrated or multi-level authentication
NETWORK SEGREGATION
● Create zones and conduits
– A zone is defined as a grouping of logical or physical assets that share common security requirements based on factors such as criticality & consequence
● The different types of zones should be:
– Internet zone
– Enterprise zone
– Process/Plant zone
– Demilitarized zone (DMZ)
– Wireless zone
– Cell/Area Process/Plant zone
– Controller zone
● Conduits will be created only between zones that require to communicate.
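The zone-and-conduit model above, and the "dataflow rule in an OT IPS" item from the threat mitigation list, both come down to one evaluation: traffic crosses a zone boundary only over a defined conduit, for a defined service, and everything else is denied. The following is an added example, not from this deck or any product it names, that models zones as address ranges, conduits as permitted (protocol, port) pairs between zones, evaluates a flow against them, and renders the conduit list as iptables-style FORWARD rules ending in a default drop. The zone networks, conduits and test flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple          # IPv4Network objects that belong to the zone


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    services: frozenset      # (protocol, port) pairs permitted through the conduit


class ZonePolicy:
    """Default-deny evaluator: traffic crosses zone boundaries only over a defined conduit."""

    def __init__(self, zones, conduits):
        self.zones = {z.name: z for z in zones}
        self.conduits = {(c.src_zone, c.dst_zone): c for c in conduits}

    def zone_of(self, ip):
        addr = ip_address(ip)
        for zone in self.zones.values():
            if any(addr in net for net in zone.networks):
                return zone.name
        return None   # unknown addresses belong to no zone and are denied

    def evaluate(self, src_ip, dst_ip, proto, port):
        """Return ('allow'|'deny', reason) for one flow."""
        src, dst = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src is None or dst is None:
            return ("deny", "address not in any defined zone")
        if src == dst:
            return ("allow", f"intra-zone traffic within {src}")
        conduit = self.conduits.get((src, dst))
        if conduit is None:
            return ("deny", f"no conduit defined from {src} to {dst}")
        if (proto, port) not in conduit.services:
            return ("deny", f"{proto}/{port} not permitted on conduit {src}->{dst}")
        return ("allow", f"conduit {src}->{dst} permits {proto}/{port}")

    def render_iptables(self):
        """Emit iptables-style FORWARD rules from the conduit list, then a default drop."""
        lines = []
        for (s, d), c in self.conduits.items():
            for src_net in self.zones[s].networks:
                for dst_net in self.zones[d].networks:
                    for proto, port in sorted(c.services):
                        lines.append(f"iptables -A FORWARD -s {src_net} -d {dst_net} "
                                     f"-p {proto} --dport {port} -j ACCEPT")
        lines.append("iptables -A FORWARD -j DROP")
        return lines


# Constructed zones and conduits for the demonstration (hypothetical addressing).
ZONES = [
    Zone("Enterprise", (ip_network("10.0.0.0/16"),)),
    Zone("DMZ", (ip_network("10.10.0.0/24"),)),
    Zone("Process", (ip_network("10.20.0.0/24"),)),
    Zone("Controller", (ip_network("10.30.0.0/24"),)),
]
CONDUITS = [
    Conduit("Enterprise", "DMZ", frozenset({("tcp", 443)})),      # HTTPS to the DMZ only
    Conduit("DMZ", "Process", frozenset({("tcp", 4840)})),        # OPC UA into the process zone
    Conduit("Process", "Controller", frozenset({("tcp", 502)})),  # Modbus/TCP from SCADA only
]
POLICY = ZonePolicy(ZONES, CONDUITS)

if __name__ == "__main__":
    for flow in [("10.0.5.5", "10.10.0.10", "tcp", 443), ("10.0.5.5", "10.30.0.7", "tcp", 502)]:
        print(flow, POLICY.evaluate(*flow))
    print("\n".join(POLICY.render_iptables()))
```

The rendered rules only admit the initiating direction of each conduit; on a real Linux firewall a `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule placed before them carries the replies, which keeps the conduit list itself one-directional and readable.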
NETWORK ADMISSION CONTROL
● Access philosophy by defining various access levels, users, groups, etc. based on authorization
● Additional elements to achieve SAL 2:
– Intrusion Detection Systems
– Change Management Application
– Event Server
– Network Monitoring System
– Backup Servers
– Syslog Server(s)
– Unified Access Management
NETWORK MONITORING
● Integrated monitoring of electronic and physical security along with cybersecurity.
● The event server must be upgraded to a SIEM (Security Information and Event Management) solution.
● A GPS time source must be introduced for synchronized and unified time management.
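Two of the points above are easiest to see in code: what a SIEM adds over a plain syslog server is correlation across devices, and that correlation only works when every device shares one clock. The following is an added example, not part of this deck, that parses RFC 5424 syslog lines as a collector would receive them, reports hosts whose timestamps are skewed against the collector's clock, and correlates a firewall deny with subsequent authentication failures from the same source. The log lines, hostnames, addresses and receive times are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*\]) (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ts(text):
    """Parse an RFC 3339 timestamp; 'Z' is rewritten so older Pythons accept it."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "ts": parse_ts(m["ts"]),
        "host": m["host"],
        "app": m["app"],
        "msg": m["msg"],
    }


def analyse(received, max_skew=timedelta(seconds=60), window=timedelta(minutes=10)):
    """received: list of (collector receive time, raw line). Returns alert strings."""
    alerts = []
    denies = defaultdict(list)         # source ip -> firewall deny timestamps
    auth_failures = defaultdict(list)  # source ip -> login failure timestamps
    for recv_at, line in received:
        try:
            ev = parse_syslog(line)
        except ValueError as exc:
            alerts.append(f"unparsed line at collector: {exc}")
            continue
        # Without a common time source (the deck's GPS clock) skew like this makes
        # cross-device correlation unreliable, so it is reported as its own alert.
        skew = abs(parse_ts(recv_at) - ev["ts"])
        if skew > max_skew:
            alerts.append(f"{ev['host']}: clock skew of {skew} versus collector; "
                          "events from this host cannot be correlated reliably")
        ips = IPV4_RE.findall(ev["msg"])
        if ev["msg"].startswith("Denied") and ips:
            denies[ips[0]].append(ev["ts"])          # first address is the source
        elif "authentication failure" in ev["msg"] and ips:
            auth_failures[ips[-1]].append(ev["ts"])  # 'from <ip>' comes last
    # Correlation rule: a source blocked at the firewall that then fails logins on
    # another host within the window is one incident, not two unrelated log lines.
    for ip, fails in auth_failures.items():
        for denied_at in denies.get(ip, []):
            if any(timedelta(0) <= f - denied_at <= window for f in fails):
                alerts.append(f"{ip}: firewall deny followed by {len(fails)} "
                              f"authentication failure(s) within {window}")
                break
    return alerts


# Constructed sample: (time the collector received the line, the line itself).
SAMPLE_RECEIVED = [
    ("2024-03-01T10:15:01Z", "<34>1 2024-03-01T10:15:00Z fw01 fw - - - Denied tcp 10.0.5.5:51234 -> 10.30.0.7:502"),
    ("2024-03-01T10:16:11Z", "<38>1 2024-03-01T10:16:10Z ews01 sshd 1201 - - authentication failure for user admin from 10.0.5.5"),
    ("2024-03-01T10:16:41Z", "<38>1 2024-03-01T10:16:40Z ews01 sshd 1201 - - authentication failure for user admin from 10.0.5.5"),
    ("2024-03-01T10:17:00Z", "<30>1 2024-03-01T08:12:00Z plc07 ctrl - - - mode changed to RUN"),
    ("2024-03-01T10:17:31Z", "<30>1 2024-03-01T10:17:30Z hist01 historian - - - archive rotated"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_RECEIVED):
        print(alert)
```

The `plc07` line illustrates the time-source point: its own timestamp is two hours behind the collector, so a mode change on that controller could never be placed correctly next to the firewall and login events around it.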
DEVICE CYBERSECURITY COMPLIANCE
Some features that should be available for cyber compliance:
● Password protected
● Modification requires authentication
● Restrict access to source code
● Only executables can be uploaded
● Access control to prevent unauthorized access
● Memory protection through authentication
● Connectivity limited through authorized IP
● Prevents run/stop relay (MiTM)
● HTTP, FTP, TFTP disabled
● Runtime protection against illegal read / write
● IPSEC secure comms
● Event logging (syslog)

These features are being incorporated in end-devices such as CCTV cameras to achieve cybersecurity compliance.
i-Visionmax – TAMS: CENTRALIZED NMS & CUSTOMIZED IPS

Diagram: the same Diagnostics NMS, NIDS, HIDS, switches, IPS, routers and firewall are shown before TAMS (as separate systems) and after TAMS (connected through the TAMS application).

Key Features
● Receive alerts and information from IDS or other diagnostic equipment and accordingly take IPS actions based on SOPs.
● Integrate with multiple makes of L2/L3 switches, typical in a process plant.
● Interface different equipment like IPS, IDS, Firewall in a plant.
● Status information from devices such as PLC and system diagnostics software used as inputs for anomaly detection.
● Centralized system status and alarm information from Telecom, Automation and IT subsystems, cabinet status and other alarm conditions.
APPLICATION PROTECTION
The slide's reference model is the Microsoft Secure Development Lifecycle (SDL).

● Select COTS (Commercial Off-The-Shelf) software, for example SCADA, Historian, Asset Management, etc., that is compliant with IEC 62443-4-1 and specifically follows a secure development lifecycle.
● While developing the application software, for example SCADA applications, PLC/DCS programs, etc., programmers shall use an approach equivalent to the MS SDL guidelines.
● The programs shall be interleaved with interlocks to prevent any mis-programming that could cause a process to collapse or become dangerous.
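The last point, interlocks interleaved with the control program, is worth seeing as code because it is the part of application protection that still holds when credentials or the engineering workstation are compromised. The following is an added example, not from this deck, of a guarded setpoint write in the style a PLC routine or SCADA command handler might use: range limits, a rate-of-change limit, and process interlocks that refuse an increase while the plant is in an unsafe state but never block a decrease. The process, its limits and the sample states are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class ProcessState:
    pump_running: bool
    discharge_pressure_bar: float
    tank_level_pct: float


@dataclass
class SetpointLimits:
    low: float
    high: float
    max_step: float   # largest permitted change in one write


def check_interlocks(state: ProcessState):
    """Return the reasons a pump-speed increase must be refused; empty means clear."""
    reasons = []
    if state.discharge_pressure_bar > 12.0:
        reasons.append("discharge pressure above 12 bar")
    if state.tank_level_pct < 5.0:
        reasons.append("suction tank below 5 % (dry-run protection)")
    return reasons


def write_pump_speed(current_pct, requested_pct, limits: SetpointLimits, state: ProcessState):
    """Validate a pump speed setpoint; returns (applied_pct, reason).

    The checks run in the controller regardless of who issued the command, so a
    bad value from a mis-programmed HMI or a stolen EWS session is still bounded.
    """
    if not (limits.low <= requested_pct <= limits.high):
        return current_pct, f"rejected: {requested_pct} outside [{limits.low}, {limits.high}]"
    step = abs(requested_pct - current_pct)
    if step > limits.max_step:
        return current_pct, f"rejected: step {step:.1f} exceeds {limits.max_step}"
    if requested_pct > current_pct:          # only the unsafe direction is interlocked
        blocked = check_interlocks(state)
        if blocked:
            return current_pct, "rejected by interlock: " + "; ".join(blocked)
    return requested_pct, "applied"


# Constructed sample states for the demonstration.
LIMITS = SetpointLimits(low=0.0, high=100.0, max_step=10.0)
NORMAL = ProcessState(pump_running=True, discharge_pressure_bar=8.0, tank_level_pct=60.0)
HIGH_PRESSURE = ProcessState(pump_running=True, discharge_pressure_bar=13.5, tank_level_pct=60.0)

if __name__ == "__main__":
    for requested, state in [(55.0, NORMAL), (120.0, NORMAL), (80.0, NORMAL),
                             (55.0, HIGH_PRESSURE), (45.0, HIGH_PRESSURE)]:
        print(requested, write_pump_speed(50.0, requested, LIMITS, state))
```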
CYBERSECURITY BEST PRACTICES
Best practices of IT cybersecurity to be used in OT networks:
● Active Directory
● Centralized End-point Protection
● Centralized Backup System
● Patch Management System
● Syslog Server
● Identity & Access Management
● Network Management
● System Hardening
● Application Whitelisting
IT SECURITY PRACTICES, contd.
● Active Directory – Centralized user management, with rights and privileges set using an AD profile. Should AD for IT and OT be the same or separate?
● End-Point Protection – To secure the end-devices such as servers and workstations from malicious attacks.
● Patch Management – Required to ensure all the software and applications are protected from CVEs.
IT SECURITY PRACTICES, contd.
● Centralized Backup System – To maintain copies/images of the servers/workstations for the event that a hardware failure, cyber attack or rollback requires them.
● Syslog Server – To collect logs from different equipment in the network.
● Identity & Access Management – Required to manage, automate and scale the data stored in the directory for efficiency.
BUSINESS CONTINUITY PLAN
Even after all the counter-measures, in case there is an attack:
● Have a Disaster Recovery (DR) system
● Mock-test the Disaster Recovery system regularly
● Identify operationally critical systems
● Have a DR location away from the operational sites
● An SOP should be in place for backup recovery
● Standalone operations philosophy during a disaster (manual/local)
● Well-defined O&M plan for spares, RMA, etc.
ENGAGE US FOR VULNERABILITY ASSESSMENT

VULNERABILITY ASSESSMENT – RESULTS SUMMARY
Information gathered during assessment & penetration testing

Assessment focus areas:
- Device Security
- Network Security
- Network Operations
- Mitigation

Attack vectors identified (diagram: attack vector → risks → attack target): exposed AP, outdated OS, known CVE, remote access.
THANK YOU
Krishna Dixit
Business Development - Cybersecurity

[email protected]
