CS Fundamentals Course - TUV Presentation

Download as pdf or txt
Download as pdf or txt
You are on page 1of 94

CYBER SECURITY

FUNDAMENTALS
Cyber Security Fundamentals

1 16/04/2021 TÜV Cyber Security Program

Introductions

§ Welcome to the workshop!

§ My background and experience


§ Tell us something about you?

§ Your Name

§ A little background
§ Your key objective for this course

2
Domestic arrangements & etiquette

• In case of an emergency – exits and alarms

• Toilets - location
• Breaks – formal & feel free to stretch at any
time

• Tea & Coffee – help yourselves at any time

• Feel free to ask questions at anytime


• Please set mobile phones to silent so that
it doesn’t affect your colleagues

Schedule

§ Duration
• 3-day course with homework
• Exam on fourth day

§ Exam
• Multiple Choice (Fundamentals) exam

§ Working day
• 09:00 – 17:00
• Lunch at 12:30 – 13:30
• Formal Breaks at 10:30 & 15:00

4
Objectives of the Course

• To provide attendees with the fundamental knowledge to successfully handle the


Cyber Security challenges in the context of architecture, specification, operation,
management and maintenance of ICS according to IEC 62443:
• Understand the principles of security and cyber security management and the
key features of relevant Industry standards.
• Understand the fundamentals of industrial communication networks and
relevant technology.
• Understand the requirements for communication protocols, routing and
segmentation.
• Appreciate the key requirements for countermeasures, design operations &
maintenance regarding cyber security lifecycle phases, roles and
responsibilities.
• Understand the requirements for organisational security, business impact,
planning and recovery in terms of policy, procedures, guidelines and
competency requirements.
• Understand the requirements for proper inspection, operation, maintenance
and modification of installed cyber security measures as required by safety
and security standards.
• To assess the competency of the attendees by examination

Course Goals

• To be aware of the current security environment for ICS, including the threats, past incidents
and vulnerabilities.
• To understand the requirement for ICS Security and understand that there are a number of
standards and Cybersecurity Frameworks available to guide in achieving it.
• To understand the relevant network technology in use within an ICS network, including the
protocols relevant at the different levels of the Reference (Purdue) model.
• To understand the different technical controls are present and can be implemented within an
ICS network.
• To understand the different effective countermeasures that are available for use.
• To understand the different organisational controls that are present and can be used within an
ICS network, including management systems.
• To understand the relevant further aspects of cyber security that
should be considered when determining the security of an ICS
network.

6
Examination

§ Multiple Choice (Fundamentals) Exam:

• 60 multiple choice question exam on the TÜV


Rheinland CybSec fundamentals

§ TÜV Rheinland CybSec Specialist Certification

• Participants who attend the training course and exam


and pass the exam will receive a “Fundamentals of
Cyber Security” certificate issued by TUV Rheinland.

• For award of the TÜV Rheinland CybSec Specialist


Certificate both exams must be passed with minimum
pass grade of 75% on each exam.

Course Content

1. Networking Basics
2. Cryptography Basics
3. Cybersecurity Countermeasures
4. Industrial Protocols
5. Cybersecurity Management System (CSMS)
6. Conclusion
7. Exam Advice

8
Networking Cryptography Cybersecurity
Basics Basics Countermeasures

Cybersecurity
Industrial Conclusion and
Management
Protocols Exam Advice
System (CSMS)

Cyber Security for Automation,


Control, & SCADA Systems
Fundamentals – Networking Basics

TÜV Cyber Security Program

Networking Basics

§ Content of Network basics


- Network types
- ISO / OSI Reference Model
- Network protocols

10 16/04/2021 TÜV Cyber Security Program

10
Industrial Networks

§ An ‘industrial network’ is any network that supports and enables the


interconnectivity of communication between devices that either support
or make up an Industrial Control System (ICS).
§ While it is either believed or is desirable that the ICS network is isolated
from the business network, this is not always the case.
- This can be for data gathering or
for ease of use.

11 16/04/2021 TÜV Cyber Security Program

11

Industrial Networks vs. Business Networks

¡ While the protocols and devices in use are similar they do differ,
based upon the requirements of the network environments
Industrial Industrial
Networks Networks Business
Function (Low level – process and (High Level – supervisory
control) control) Networks
[Purdue Reference Model, levels [Purdue Reference Model,
0,1,2] level 3]

Real-time operation Critical High Best Effort

Reliability/
Critical High Best Effort
Resiliency

High
Low Medium
Bandwidth Sessions Many
Few, explicitly defined Few
Latency N/A, retransmissions
Low, Consistent Low, consistent
are acceptable

Serial, Ethernet Ethernet Ethernet


Network Protocols
Real-time, Proprietary Near real-time, Open Non real-time, Open
Knapp, E.D. & Langill, J.T. (2015) Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA,
and Other Industrial Control Systems. Second. Raj Samani (ed.). Elsevier.

12 16/04/2021 TÜV Cyber Security Program

12
Network Types - LAN

§ A local area network( LAN) is a communications system that is designed


to cover a specific geographical area, e.g. a building or department.
§ As the distance covered by LANs is less restricted due to technological
advancements, it is considered best practice to split LANs into smaller
zones.
§ LAN technologies are used in the industrial network under many names:
- Supervisory Networks
- PLC Highways
- Fieldbuses
- Device Networks

13 16/04/2021 TÜV Cyber Security Program

13

Network Types - WAN


§ A wide area network (WAN) is a communications system that covers a large
geographic area.
§ Traditionally joined mainframes distributed across the country or world. Now
usually joins two or more LANs.
§ A key difference between LANs and WANs, is that WANs make use of routers
and public links.
§ Often uses public networks, such as the telephone system. Can also
use private lines, leased lines or satellites.
§ The most well-known WAN is the internet, short
for the term internetwork. This is in simple terms a
large number of networks that
are connected to create a WAN.

14 16/04/2021 TÜV Cyber Security Program

14
ISO/OSI Reference Model

§ In 1977, International Organization for Standardization


(ISO) developed a seven-layer model for organizing
data communications protocols into layers
§ It is called the Open Systems Interconnect Reference
Model (OSI/RM)
§ Each layer in the OSI model has a specific function in
an ideal network and groups similar protocols together
§ It details how a computing system interacts with a
network.
§ In this model each of the seven layers is dependent
and outputs to the layers above and below it, i.e it is
hierarchical.
§ The model is useful for it use as a concept when
troubleshooting networks.
§ Model can be used regardless of Operating Systems
(OS) – Unix, Windows or Mac based

15 16/04/2021 TÜV Cyber Security Program

15

ISO/OSI Reference Model

Send
to
network 7 HTTP, FTP, SMTP

Upper
JPEG, GIF, MPEG
Layers 6

Session Layer 5 Apple Talk, WinSock

4 TCP, UDP, SPX

3 IP, ICMP, IPX router


Lower
Layers Switch,
2 Ethernet, ATM bridge

Remote
from 1 Ethernet Token Ring
network
Hub,
“Please do not throw Sausage Pizza Away” repeater

Or “All People Seem To Need Data Processing”

16 16/04/2021 TÜV Cyber Security Program

16
OSI Layer 1: Physical Layer

§ The physical protocols define the physics of getting a message between devices,
i.e. getting the required bits to each device involved.
§ This layer specifies the voltage, wire speed, etc.
§ This is the most important area in terms of both troubleshooting and operations.
Frequencies Voltages Connectors
Modulation Topologies Cables

Application
Presentation
Session
Transport
Network
Data Link
Physical EIA-232/485, Ethernet

17 16/04/2021 TÜV Cyber Security Program

17

OSI Layer 1: Physical

§ Common Network Topologies

¡ The topology is important as it will impact how the network will be


segmented, or how effective network segmentation will be.

18 16/04/2021 TÜV Cyber Security Program

18
Common Topologies

§ Within industrial networks it is common to see topologies, which are no longer


seen in business networks, including bus and ring topologies.
§ Rings are used as they provide redundancy, which is needed in industrial
networks.
- Issues include, it being difficult to add to as the network must be broken to
add devices and requires a large volume of media to connect devices, i.e.
cables.
§ Bus topology is used to share a message domain, useful when using a limited
bandwidth network.
- UDP is well-suited for this type of topology.
- Big issue relates to fault tolerance, as the loss of the communication
medium, i.e. cable will bring the entire network down.
§ It may be seen that many industrial switches are connected using a ring
configuration while end devices are connected via a star topology.
§ The higher the industrial network segment is in the Purdue reference model,
the more likely it is that more common IT designs will be seen.

19 16/04/2021 TÜV Cyber Security Program

19

Dual-Homed and Multihoming

§ Is the connection of a single node (device) on two or more networks.


§ This can be done to ensure redundancy, for example to ensure that the
two networks have a device to communicate over.
§ This has serious security implications, as any successful attack against
this node (device), will give the attacker a method for transitioning
between networks.
- In some cases this can provide an attack vector for external networks
to connect to the control zone from a public network, e.g. the internet.

20 16/04/2021 TÜV Cyber Security Program

20
Repeaters / Hubs

§ Hubs work only at the physical layer and connect all segments of the
network together in a star topology ethernet network.
- It is important to note that this device is not intelligent.
§ A hub is also called a repeater as any transmission received on one port
is sent out on all other ports, i.e. it broadcasts.
§ Repeaters extend the length of a network by repeating the signal:
- Connect LAN segments to form single network
- Allows conversion between cable types (e.g. UTP to fiber)
§ While correct addressing will ensure that only the intended recipient will
listen and process the message, all devices will be able to see the
message. As such this device is less common now.

21 16/04/2021 TÜV Cyber Security Program

21

Layer 2: Data Link Layer


§ Provides the rules for framing (converting
packets into bytes and bytes into frames), Key Role:
• Ensure correct device receives the message.
error checking (notification), physical • Translates message from Network Layer (3) to
addressing and Media Access Control bits to allow transmission at the Physical
Layer (1)
(MAC).
§ This layers ensures that messages are
received by the correct device on the LAN
Application
using the devices hardware (MAC)
address. Presentation
- It does this by creating a packet of data Session
containing the source and destination
Transport
MAC addresses followed by the
message data to be transmitted. Network
§ Every communications network needs Data Link HDLC, S50.1, Ethernet
some data link protocols.
Physical

22 16/04/2021 TÜV Cyber Security Program

22
Layer 2 Switches

§ Layer 2 Switches (a.k.a. multi-port bridge) work at physical and data-link layer
within a single LAN.
- Bridges are software based
§ Uses the MAC address to decide which device the packet should be forwarded to
and is therefore considered a layer 2 device.
- It records known MACs from transmitted frames and stores them within a
forwarding table.
§ It is a network device that connects to similar network segments together, by
breaking up collision domains.
§ It is considered more advanced than a hub because a switch will only send a
message to the device that needs or requests it
§ Bridges are also found at layer 2 device, which “bridges” two networks but are not
commonly used now and are not readily available to buy now.

23 16/04/2021 TÜV Cyber Security Program

23

Managed vs. Unmanaged Switches

Unmanaged Managed
§ Not configurable § Configurable locally (console port)
or remotely (e.g. Telnet, SSL)
§ Plug-and-play § Improved robustness (e.g.
§ Normally found in the home or redundant power)
small business § Typically support advanced
functions
- Spanning tree protocol
- Port configuration
- VLANS
- Port security (IP or MAC address
filtering, 802.1X authentication)
- Diagnostics (e.g. SNMP)
- IGMP Snooping

Traditional for unmanaged switches to be used, there is now,


however, a big push to now use managed switches for the security benefits.

24 16/04/2021 TÜV Cyber Security Program

24
Virtual Local Area Network (VLAN)

§ A VLAN partitions a Layer 2 network (LAN) into multiple distinct segments


(a.k.a. broadcast domains).
- As such a VLAN is treated as its own subnet or broadcast domain.
§ Enables grouping of hosts with a common requirements regardless of
their physical location.
§ It should be noted that by default hosts cannot communicate to hosts on
other VLANs, instead requiring to pass through a layer 3 device, i.e. a
router.

25 16/04/2021 TÜV Cyber Security Program

25

Layer 3: Network Layer

§ The protocols at the Network layer deal with routing of


messages through a complex network
§ Key focus is to provide logical addressing, to allow
routers to use for path determination.
- This is to allow traffic to be transported between Application
devices that are not locally connected (attached).
Presentation
§ IP of TCP/IP fame is one example of a network layer
protocol Session

Transport

Network IP, IPX

Data Link

Physical

26 16/04/2021 TÜV Cyber Security Program

26
Layer 3: Network Layer

27 16/04/2021 TÜV Cyber Security Program

27

ARP Protocol

§ Address Resolution Protocol


§ Resolve Network Layer (3) addresses to Data Link Layer addresses (2), i.e. it
finds the hardware address of the host from a known IP.
§ Ethernet networks converts an IP address to a MAC address.
§ There is also the Reverse Address Resolution Protocol to find the IP address
from the MAC address.

28 16/04/2021 TÜV Cyber Security Program

28
The Basics of IPv4 Addressing

§ Every device in an IP network needs a unique IP address. This address is


different from the Ethernet physical address (MAC).
§ In IPv4 it is a 32-bit address written in the form:
147.10.24.16
where each number is the decimal coding for 8 bits (0-255)

29 16/04/2021 TÜV Cyber Security Program

29

The Basics of IP Addressing

§ IP address is a routable address. This means there is location information in the


address to help routing.
§ As with a phone number each section of the address is used to further describe
the logical location of the device:

§ Phone calls are passed to the area and then to the exchange, so a huge phone#
database isn’t needed.
IP addresses are similar:

30 16/04/2021 TÜV Cyber Security Program

30
Private IPv4 Address Spaces

§ Due to the finite number of possible IP addresses, it was decided that each
network address that needed to be connected to the internet would have a public
address, whereas addresses that did not need to be routable to public addresses
but was desirable to have a IP address for routing purposes was given a private
address.
§ Private IP addresses are simply a specified group of addresses that should
never be found on public networks, i.e. the internet, but just within internal
networks.

31 16/04/2021 TÜV Cyber Security Program

31

Network Address Translation (NAT)

§ As such, any internal private addressed devices must undergo some form
of translation to forward packets onto the public network (internet).
§ This is done by the use of the Network Address Translation (NAT)
protocol.
§ NAT allows a single device, such as a router, to act as an agent between
the Internet (or "public network") and a local (or "private") network.
§ Originally designed in an attempt to help conserve IPv4 addresses NAT
modifies the IP address information in IPv4 headers while in transit across
a traffic routing device
§ This means that only a single,
unique public IP address is required
to represent an entire group of
computers.

32 16/04/2021 TÜV Cyber Security Program

32
IPv6 Addressing

§ To deal with the inevitable exhaustion of IPv4 addresses, IPv6 has been
introduced.
- Even with the introduction of NAT, the number of devices require public
addresses is ever-increasing, with public IPv4 addresses being sold.
§ An IPv6 address is a 128-bit address written in the form of
- 8 groups of four hexadecimal digits separated by colons:
2012:0a81:843f:0042:0303:49bc:0e70:73d4
- Over 340 trillion trillion trillion unique addresses!
- IPv6 is backward compatible with IPv4 addresses
- IPv6 version of the IPv4 address 147.10.24.16 is:

::ffff:147.10..24.16
§ Further IPv6 does not use broadcasts, but rather multicasts instead, which
means that devices no longer need to process every messaged broadcast.

33 16/04/2021 TÜV Cyber Security Program

33

DHCP

§ The Dynamic Host Configuration Protocol (DHCP), in essence is a


protocol used to assign IP addresses to hosts.
§ This is done automatically in an attempt to making IP addressing much
easier to administrate.
§ The use of this protocol differs to assigning each device an IP by hand,
which is commonly referred to as a static IP.
§ It should be noted that if using DHCP, the assigned address will change
after a given period of time, requiring the new address to be documented,
commonly done using a network device, e.g. a switch.

34 16/04/2021 TÜV Cyber Security Program

34
Layer 3 Networking Equipment

§ Routers
§ Layer 3 Switches

35 16/04/2021 TÜV Cyber Security Program

35

Routers

§ A Router is a Layer 3 device that connects a WAN to a LAN, i.e. it allows


networks to be interconnected to create the WAN.
- It does this by breaking broadcast domains, to create a new separate
network, with the router acting as an interface.
§ It can also be said that it divides a big network (WAN) into logical sub-networks
(LAN)
- To differentiate between networks an identifier is needed, an example of
this identifier is an IP address.
§ Therefore, routers need to be configured with an IP routing table (static or
dynamic) to forward
packets to the correct
logical sub-network.

36 16/04/2021 TÜV Cyber Security Program

36
Layer 3 Switches

§ Layer 3 Switches are switches which connect multiple segments of networks


together like a hub, however, it does differ:
- A switch recognises MAC addresses as well as switch port numbers. Each
port on the switch will be a singular collision domain.
- If the destination is outside of the current collision domain, the switch will
then forward it to the correct network segment and then use the MAC
address to find the device.
§ Will act like a switch when it is connecting devices on the same LAN (subnet)
§ Will act like a router to route traffic between different subnets, it does this by
breaking up collision domains.

37 16/04/2021 TÜV Cyber Security Program

37

Layer 4: Transport Layer

§ Transport Layer protocols establishes an "end to


end" connection between two nodes
- For example, the transport layer will number
packets to keep them in order
§ TCP and UDP are well known example of transport
layer protocols
Application
§ Depending on whether the UDP or the TCP
protocol is used this layer provides guaranteed Presentation
message delivery.
Session
§ Before transmission is continued this layer
Transport TCP, SPX, UDP
performs error correction
Network

Data Link

Physical

38 16/04/2021 TÜV Cyber Security Program

38
Layer 4: Transport Layer

§ Transport Layer Functions – Flow Control


- Multiplexing
- –Virtual Circuit Management
- Error Checking and Recovery
§ Transport Layer Protocols

39 16/04/2021 TÜV Cyber Security Program

39

Transport Control Protocol (TCP)

§ TCP and UDP are transport protocols on top of IP.


§ TCP is known as a connection-oriented protocol because it sets up a
connection between the two hosts and checks to see if every packet gets
through.
§ Most common Internet applications use TCP.

40 16/04/2021 TÜV Cyber Security Program

40
TCP – Connection Oriented Session

¡ Before two devices transfer data


using TCP a connection is first
established. This is done to ensure
that the connection is reliable, i.e. all
data transferred is received as
intended and, in the order, intended.
¡ This connection is done through the
completion of a three-way
handshake. SYN
¡ The first packet (SYN) is to request a Sender Receiver
synchronisation. SYN-ACK
¡ The second packet (SYN-ACK) is an
acknowledgment of this request. ACK
¡ The third, final packet (ACK) is to
acknowledge the completion and the
handshake, meaning data transfer can Connection
begin. Established

41 16/04/2021 TÜV Cyber Security Program

41

User Datagram Protocol (UDP)

§ UDP can be considered as a connection-less oriented protocol.


§ Can be considered as a stripped-down network layer protocol, useful for
low bandwidth networks.
- This is especially useful when a large volume of messages will be sent
that do not need confirmation of delivery.
§ UDP sends the packet and forgets about it, as such it is typically used
when reliability is not a key requirement as it exposes the message to any
unreliability of the network.
§ It is up to the application layer to check and retransmit packets if
necessary.
§ Many industrial protocols use UDP.

42 16/04/2021 TÜV Cyber Security Program

42
TCP/UDP Port Numbers

§ Both TCP and UDP must use port numbers to communicate with higher
layers, as these port numbers are used to differentiate between
conservations.
§ These port numbers are dynamically assigned.
- However, there are a number of well-known port numbers which are
commonly used.

43 16/04/2021 TÜV Cyber Security Program

43

Layer 5: Session Layer

§ The session layer provides the mechanism for opening,


closing and managing a session between presentation layer
entities, e.g. provides dialog control between end-devices.
§ It also ensures that different applications data is kept
separate.
- For example the session layer allows multiple we browser Application
sessions to be run at the same time.
Presentation

Session

Transport

Network

Data Link

Physical

44 16/04/2021 TÜV Cyber Security Program

44
Layer 6: Presentation Layer

§ Responsible for the delivery and formatting of information to the


application layer for further processing or display.
- In essence this involves adapting data into a standard format
before transmission.
- The format of this data relies on the protocol used.
§ It also handles processing such as encryption, decryption, Application
compression and decompression.
Presentation

Session

Transport

Network

Data Link

Physical

45 16/04/2021 TÜV Cyber Security Program

45

Layer 7: Application Layer

§ Interacts with software applications that


implement a communicating component
§ Protocols specific to network applications
such as email, file transfer and reading
data registers in a PLC
§ Does not include user
applications like Application SMTP, HTTP, MBAP, PCCC

word processing or operating


Presentation
systems like Windows 10.
§ Provides a user interface, where Session
user can communicate or interact Transport
with the computer.
Network

Data Link

Physical

46 16/04/2021 TÜV Cyber Security Program

46
Problems with the OSI Model

§ OSI layer specifications are designed to explain how communication is done


and what the process should be, but it does not describe how this will be
implemented in practice.
§ It is too complex for many applications and their
implementations, as such layers are commonly
missed out.
§ However, it is useful for understanding the
process of how a device or application talks to
another device or application.

47 16/04/2021 TÜV Cyber Security Program

47

Networking Cryptography Cybersecurity


Basics Basics Countermeasures

Cybersecurity
Industrial Conclusion and
Management
Protocols Exam Advice
System (CSMS)

Cyber Security for Automation,


Control, & SCADA Systems
Fundamentals – Cryptography Basics

TÜV Cyber Security Program

48
Cryptography Introduction

§ One of the most important and powerful security controls used for network
security is cryptography.
§ It provides us with a plethora of security services, which helps reduce our risk
profile.
§ In modern cryptography the main areas of focus are:
- Symmetric Cryptography
- Asymmetric Cryptography (Public Key cryptography)
- Including Digital Certificates
- Hashing Algorithms
- Message Authentication Codes (MACs)
§ Benefits of cryptography and the effects of its poor or missing use can be
seen within the ICS environment.

49

Security Services

§ Confidentiality – Assurance that data cannot be viewed by unauthorised


persons. Historically the most important, but now common place that
confidentiality is no longer a priority.
§ Data Integrity – Assurance that data has not been modified, whether
accidentally or intentionally. This provides a detection service not a prevention
service.
§ Data Origin Authentication – Assurance that a given entity was the original
source of the data in question. Also known as message authentication, as it
authenticates the data not the person.
§ Non-Repudiation – Assurance that an entity cannot deny a previous
commitment or action.
§ Entity Authentication – Assurance that a given entity is who they say they are
and are currently engaged in the current session.

50
Symmetric Key Cryptography (secret key)

§ Encryption key and decryption key are the same.


§ Historically, the most common type of
cryptography.
§ All parties share the same key.
- Loss or sharing of key makes crypt system
redundant and all protection lost.
- Secrecy of algorithm should not be considered
a requirement and knowledge of algorithm by
attacker should be assumed. (see Kerckhoff’s
Principle)
§ Two main types Stream (Bit by Bit encryption) and
Block (Block of Bits encryption)
§ Examples: RC4 (Stream), DES (Block), 3DES
(Block), AES (Block), Blowfish (Block), Twofish
(Block), One-Time Pad (Historic/Concept) etc.

51

Symmetric key cryptography (secret key)

Secret Key

Encryption Decryption
Encrypted
Plain Text Plain Text
Text

Sender Receiver

Are there any issues / difficulties?

52
Pros vs cons

§ Pro – Encryption and decryption is fast in


comparison to public key cryptography.
§ Pro – Smaller overhead in key management
(one key vs multiple keys for public key).
§ Pro – Conceptually more easily understood by
users.
§ Con – Need to determine a way of sharing and
the secret key.
§ Con – Cryptography inherently adds a
processing overhead.

53

Asymmetric Cryptography (public-key)

§ Makes use of two different keys a Public (can be shared) and a Private Key
(must never be shared).
§ Designed to enable the secure sharing of keys to enable encryption when a
trusted relationship has not yet been built, i.e. keys not previously shared and
a shared key is not desirable.
§ Public-key encryption makes use of a mathematical concept called a one-way
function, i.e. easy to compute but difficult/hard to reverse. These are also
known as Trap-Door Functions.
- ElGamal and ECC makes use of the Discrete Logarithm Problem, where
ECC are based on the use of elliptic curves.
§ Communication data is encrypted using the receiver's public key, with the data
decrypted by the receiver using their private key.
§ Examples: RSA, ElGamal and Elliptic Curve Cryptography (ECC).

54
Asymmetric Cryptography (public-key)

Receiver’s Receiver’s
Public Key Private Key

Key 1 Key 2

Encryption Decryption
Encrypted
Plain Text Plain Text
Text

Sender Receiver

Are there any issues / difficulties?

55

Pros vs cons

§ Pro – Possible to use cryptography even when


we do not trust the other party, which prevents
us sharing a secret key.
§ Pro – Allows sharing of encryption keys, even
when plain text or public networks must be
used.
§ Con – Large overhead, even in comparison to
symmetric key cryptography. Leading to hybrid
encryption being used.
§ Con – Key management is vital and complex,
as we must ensure public key is correctly
attributed and expired keys are correctly
revoking.

56
Key management

§ As discussed, the loss or inappropriate sharing of a key breaks the crypt


system making it redundant as a security control.
§ There is therefore a need to manage the keys in use and ensure they are not
misused.
§ The lifecycle of a key is as follows.
- Key Generation – Creation of keys
- Key Establishment – Sharing of relevant keys to relevant parties, including
communicating correct public key to parties.
- Key Storage – Secure storage of keys, including the back up of the key
and the archival key when keys may be needed beyond their life.
- Key Usage – Ensuring keys are only used where desired and only by
those authorised.

57

Hybrid cryptography

Sender Receiver

Secret (Symmetric) Encrypted Secret (Symmetric)


Key Key Key

Encryption Decryption
Plain Encrypted Plain
Text Text Text

Sender Receiver

58
Hashing Algorithms

§ While not a cipher, as it does not use a key, hash functions are a vital component
and are heavily used throughout technology.
§ Algorithm uses a one-way function to produce a fixed length hash regardless of
input length. Algorithm must be easy to compute but difficult to reverse to be
considered secure.
- As such, message is sent in plain text with a hash added, which the receiver
verifies to ensure message has not been modified.
§ Output hash is fully dependent on input, any change in input should produce a
different hash output.
§ Hashing algorithm requires collision resistance, no two inputs create the same hash
output.
§ As there is no key anyone can create a hash, meaning it protects only protects
against accidental modifications or simple manipulations by a low level threat actor.
§ Used as a checksum in many applications.
§ Examples: MD5 (Defeated), SHA1 (Defeated), SHA2, SHA3, RIPEMD, Whirlpool,
etc.

59

Hashing Algorithms

SHA-3-256

Hello d0e47486bbf4c16acac26f8b653592973c1362
Hash 909f90262877089f9c8a4536af
World!

Hello 8f2233bf3bcfbe13155d79dbc3e70fc94c19ec4
Hash 9bf48ab732b64053c1397cd5c
Wqrld!

Hashes created using http://icyberchef.com/

60
Digital Signature

§ Main aim is to provide non-repudiation and data-origin authentication.


§ Can be provided using symmetric key encryption, but requires a third party to
act as arbitrator.
§ As such, in asymmetric relationships (most relationships) asymmetric key
encryption is used, in the form of digital signatures.
§ Two ways of providing digital signature, sign the message and send it, or hash
the message and sign that, with it sent with the message (known as digital
signature with appendix).

61

Simple Digital Signature Algorithm

Signer Verifier

Signature key Verification key


Message

Verification
Signature algorithm Digital Signature
algorithm

Verification

62
Digital Signature

Signer Verifier

Hash
Message Message
Function
Digital
Signature
Signature
verification
Hash Signature algorithm
Function algorithm

Verification

63

Message authentication codes (mac)

§ Adds to the security of a hash function by adding a key to the hashing


process.
§ Provides data origin authentication, beyond the simple data integrity offered
by Hash functions.
§ In essence is a cryptographic checksum sent along with the message to
provide assurance of data origin authentication.
§ Makes use of symmetric keys.
§ Both parties will need to have the MAC (Symmetric Key)
§ NOT the same thing as the Media Access Control (MAC) address.
§ Examples: CBC-MAC, HMAC

64
General Message authentication code (mac) Process

MAC
Key

Sender Verifier

MAC MAC
Key Message Message
algorithm

MAC

MAC
MAC
algorithm

Verification

65

Practical applications in the ICS Environment

§ Protection of the confidentiality/integrity of a critical file/folder/drive. Likely to


use symmetric key cryptography due to processing overhead and speed.
§ Used as part of a VPN solution to protect communication channels for remote
access. Attacks against end points still viable.
§ Used when transporting critical information outside of the network, as well as
determining the origin of data coming in, e.g. vendor patch downloads.
§ Encrypting communication between end points, to prevent against sniffing, low
level packet injection and credential theft.
§ WARNING – As discussed the inclusion of encryption does introduce
processing overhead and requires technical expertise to implement correctly.
As such, it should be carefully considered and planned for introduction.

66
Security services provided

Confidentiality Data Integrity Data origin Non- Entity


Authentication Repudiation Authentication
Encryption Yes No No No No
Hash Function No Sometimes No No No
MAC No Yes Yes Sometimes No
Digital No Yes Yes Yes No
Signature
Source: Martin, K 2017, Everyday Cryptography: Fundamental Principles & Applications. 2nd edn, Oxford
University Press.

67

Secure Protocols

§ Common Internet security protocols, that make use of encryption:


- SSL (Secure Sockets Layer)
- TLS (Transport Layer Security)
- S-HTTP (Secure Hypertext Transfer Protocol)
- IPSec (Internet Protocol Security)
- SSH-2 (secure Shell)
- WTLS (Wireless Transport Layer
Security)

68 16/04/2021 TÜV Cyber Security Program

68
Networking Cryptography Cybersecurity
Basics Basics Countermeasures

Cybersecurity
Industrial Conclusion and
Management
Protocols Exam Advice
System (CSMS)

Cyber Security for Automation,


Control, & SCADA Systems
Fundamentals – Cybersecurity Countermeasures

TÜV Cyber Security Program

69

Cyber Security Countermeasures

§ Topics:
- Identification and Authentication Control
- Use Control
- System Integrity
- Data Confidentiality
- Restricted Data Flow
- Timely Response to Events
- Resource Availability

70 16/04/2021 TÜV Cyber Security Program

70
Fundamental Issue
§ Until recently protocols and devices were not designed with the priority for
security but rather for functionality.
§ TCP & IP were not designed to be secure
- They were designed to ensure that communications work, i.e.
reliability
§ PLCs were designed to replace relays
- They were not designed to be secure; they were designed to fulfill the
requirements of the environment.

71 16/04/2021 TÜV Cyber Security Program

71

Network Attack Methods (Threats)

§ Storms/Floods
§ Known Vulnerabilities
- Smurf
- Eternal Blue
§ Spoofing
§ Man-in-the-Middle
§ Replay attacks
§ Sniffing
§ Session hijacking
§ Buffer or stack overflow
§ Brute force or dictionary

72 16/04/2021 TÜV Cyber Security Program

72
IACS Cyber security

§ Industrial Automation Control Systems (IACS) operate industrial plant


equipment and critical processes .
§ The number of recorded incidents related to IACS have increased.
§ Tampering with IACS can lead to:

• Death, Injury, or Sickness;


• Environmental releases;
• Equipment damage;
• Production loss / service interruption;
• Off-spec / dangerous product;
• Loss of trade secrets.

§ IACS cyber security is about preventing intentional or unintentional


Interference with the proper operation of plant.

73

How Big is the Problem for IACS?

§ Data from the Repository of Industrial Security Incidents (www.risidata.com)


suggests there have been injuries and deaths as a result of IACS security
incidents, but not all companies are publishing data. This will change with the
introduction of the EU Directive on Network & Information Security (NIS).

§ Not all threats originate from the internet –


maintenance activities, software upgrades /
patches, remote access, wireless, physical
security & unauthorised access are
just as big an issue for SIS.

Taken from “Pictures and theories may help, but data will set us free”
Blog available at: ics.sans.org

74
How Big is the Problem for IACS?

• Presence of IACS assets/devices on Shodan. A sign that there are a large


number of IACS devices connected to public networks, i.e. the internet.
• Presence of a number of IACS assets/devices when using VNC keyhole.
Signifying that VNC software has been installed on these devices allowing
outside parties to view the operation and left installed.

• While limited in their detection to specific vendors or honeypots and commonly


only detect unsophisticated automatic attacks, threat maps such as the threat
map by Checkpoint available at; https://threatmap.checkpoint.com/

75

Security Objectives

§ A useful basis for security objectives is the C.I.A. triad.

- Confidentiality – is the assurance that data cannot be viewed by an unauthorised person.

- Integrity – is the assurance that data has not been altered in an unauthorised
manner, mainly revolving around detecting the alteration rather than preventing it.

- Availability – is the assurance that the asset will able to perform its function
when required.

§ In the ICS environment, parts of this triad will be more critical and a balance for
the facility must be found.

§ Company-specific security objectives must be considered and documented.

§ This includes the intended function of the facility, for example in general
terms, the objective could be to fulfil the functionality of the process while
not operating under unreasonable risk in terms of safety, environmental or
financial risk.

76
Cyber Kill Chain

§ For the sake of understanding possible attack paths, there are multiple
conceptual models of how an attack maybe carried out.

Cyber Kill Chain – Lockheed Martin ICS Cyber Kill Chain


NCSC
Survey

Delivery

Breach

Effect
https://www.ncsc.gov.uk/information
/reducing-your-exposure-to-cyber-
attack

https://www.sans.org/reading-
room/whitepapers/ICS/industrial-
https://www.lockheedmartin.com/en- control-system-cyber-kill-chain-36297

us/capabilities/cyber/cyber-kill-chain.html

77

CRASHOVERRIDE

§ Malware designed to disrupt industrial processes, with a initial focus towards


electric distribution operations.
§ Consequence of a brief outage, through the opening of breakers with the
intent of interrupting electricity delivery.
§ While not the most impactful, it help to codify the knowledge for attacking the
ICS environment.
§ In practice the malware exploited weak data in transit by capturing credentials
and targeting credential reuse in the ICS network.
§ It did so through the use of a standard and widely available process, such as
the process used in Mimikatz.

78 16/04/2021 TÜV Cyber Security Program

78
CRASHOVERRIDE – Attack Flow

Launcher •Select Payload


•Initiate ICS
Start Impact

Payload •Connect to
Control Systems

Execution •Manipulate
State

•Wait for Timer


•Delete Files,
Wiper Remap
Services,
Reboot System

• Leave
Post behind
Backdoor
Attack • DDoS
Siowik, ‘Evolution of ICS Attacks and the Prospects for Future
Disruptive Events’.

79 16/04/2021 TÜV Cyber Security Program

79

TRISIS

§ Malware which led to operational disruption at a Saudi Arabian oil and gas
facility in 2017.
§ Malware was a rootkit designed to give access to a model of Schneider
Electric’s Triconex Safety Instrumented System (SIS).
§ Through access an attacker could potentially change SIS parameters, with
various further implications from this.
§ Much like the CRASHOVERRIDE malware the TRISIS malware had an
additional event called XENOTIME, which captured credentials to move
through the network.
§ This allowed the malware to traverse from the IT environment to the ICS
network.

80 16/04/2021 TÜV Cyber Security Program

80
TRISIS – Attack Path

Establish Access
on SIS
Connecting
System

Transfer TRISIS
Package to
System

Use TRISIS Base


Exe to Upload
Tristation Program

Tristation Program
Compromises SIS

Leverage Access
for ICS Disruption
via SIS.

81 16/04/2021 TÜV Cyber Security Program

81

Defence-In-Depth

¡ Regardless to the control set adopted, it is expected


that Defence-in-Depth approach will be taken.
¡ The concept of defence-in-depth is that any single
layer may fail.
¡ As such multiple layer are needed with a wide variety
of independent controls to give the required
protection.
¡ This includes mitigative, preventive and detection
counter measures.
¡ Some may recognise the similarity to the ‘Onion’
method approach.

82
Network Security Technologies

§ Network Security Devices


- Firewalls
- Unidirectional Gateways (aka Data Diodes)
§ Cryptography and secure protocols
- VPN
- Secure protocols
- Certificates
§ Network Architectures
§ Authentication, Authorisation and Accounting (AAA)
§ Intrusion Detection Systems
§ Host Protection
§ Logging and Monitoring
§ Policy and Management
§ Using a mixture of all of these technologies, provide
a ‘Defense in Depth’ approach.

83 16/04/2021 TÜV Cyber Security Program

83

Identification and Authentication

§ In order to prevent unauthorised access int the ICS environment identification


and authentication must be used.
§ This can only be done by uniquely identifying, authenticating and authorised
users before access is given.
§ The principle of least privilege should be used to only grant users sufficient
rights to carry their defined roles and responsibilities.
§ As such, users should be assigned unique user IDs and passwords.
- Historically a very difficult concept to implement within ICS networks due
to conflicting requirements.
§ Increased security can be gained through multi-factor authentication, which
prevents credential reuse and password guessing.
- This is requirement for zones which have been assessed at higher security
levels, meaning they need additional security measures.

84 16/04/2021 TÜV Cyber Security Program

84
Multi-Factor Authentication (MFA)

To be considered MFA, a user must be authenticated using multiple factors.


These factors can be:

Authentication Factor Examples


Something you have Security tokens, e.g. a YubiKey
Something you know Password, PIN, etc.
Something you are Biometrics (fingerprint, eye, voice, etc.)
Somewhere you are GPS signal

85 16/04/2021 TÜV Cyber Security Program

85

What is a Firewall?

§ A firewall is a piece of hardware or a software program


which filters network traffic entering and leaving a
network segment. In essence, they are network security
guards.
§ They are perhaps the most commonly used network
security device.
§ You should have a hardware firewall to protect your
network, but you should also use a software firewall on
each computer(host) to help prevent the spread of a
virus in your network if one of the computers becomes
infected.
- i.e. use a defense-in-depth approach.

86 16/04/2021 TÜV Cyber Security Program

86
Hardware Firewalls

§ Normally firewalls are a combination of hardware and software. Where the


hardware acts as a router and the software is configured to control how the
firewall operates by inspecting each incoming and outgoing packet, with any
unwanted dropped and blocked.
§ When using a properly configured hardware firewall, it will act as a gateway at
the entry points to specified network segments.
§ Three general classes of :

- Packet Filter

- Stateful Inspection

- Application (layer 7) Proxy

87 16/04/2021 TÜV Cyber Security Program

87

Device Decision Basis

88 16/04/2021 TÜV Cyber Security Program

88
Firewall Policy

§ While it is simple to install a firewall, it will not be effective until it has been
correctly configured.
§ The configuration of firewalls requires both the competence of creating the
firewalls rules but also an understanding of the network environment.
- A poorly configured firewall not only poses a security threat, but can also
hinder effective and safe operation, vital in the ICS environment.

89 16/04/2021 TÜV Cyber Security Program

89

Firewall Policy

§ Access Control Lists (ACL) rules typically reside on routers and firewalls and use IP
addresses to determine which devices should be routed and in what direction.
§ ACLS are in essence lists of conditions that categorise packets, using such information
as:
- Source and destination IP address,
- Source and destination TCP or UDP
port numbers,
- State of the TCP “ACK" bit,
- Direction of packet flow
(i.e.. A- >B or B->A).
§ Building a good filter requires a
good understanding of the network and the likely device conservation that will occur
and what protocols may be in use.
§ A firewall can only be effective as the ACLs used and therefore require careful
consideration.

90 16/04/2021 TÜV Cyber Security Program

90
Business/Process Firewall Architectures

§ It is both common and considered best practice that the business and the
process (ICS) network will be kept as sperate as possible. This is commonly
done through the use of a Demilitarised Zone (DMZ).
§ The actual designs of DMZs will differ, for example one design may use a single
firewall that has three network cards.

§ This is done in an attempt to segment the ICS from the business network. A
recommended step for any site which contains both IT and ICS components.
Although more substantial segmentation maybe needed dependent on the
threats and risks.

91 16/04/2021 TÜV Cyber Security Program

91

Defence-in-Depth Firewall Architectures


§ As discussed, the best method for ensuring security is to use a Defence-in-
Depth approach, i.e. use multiple layers of security.

92 16/04/2021 TÜV Cyber Security Program

92
ICS Firewall Configuration Best Practices
§ Should use a DENY all default approach. In practice this means that
ports and services between the ICS environment and an external
network should be enabled and permissions granted on a specific
case by case basis.
§ All rules shall restrict traffic to specific IP address or range of
addresses, in attempt to prevent IP spoofing attacks.;
§ Any “permit” rules should be both IP address and TCP/UDP port
specific, to restrict spoofing efforts;
§ Prevent traffic from direct transitions between the ICS network and the
enterprise network. In practice this means that all traffic should
terminate in the DMZ;
§ Any protocol allowed between the ICS and DMZ is explicitly NOT
allowed between DMZ and enterprise networks (and vice-versa);
§ ICS devices should not be allowed to access the Internet, this is an
effort to reduce possible attack vectors and entry points
to the ICS network.
§ All firewall management traffic be either via a separate,
secured management network (e.g. out of band) or over an encrypted
network with two-factor authentication. Traffic should also be restricted
by IP address to specific management stations.

93 16/04/2021 TÜV Cyber Security Program

93

Unidirectional Gateway (aka Data Diode)

§ Is a highly specialised network architecture or device which only allows


data to travel in one direction.
§ Originally a military technique and is now used in both defense and the
nuclear industry.

94 16/04/2021 TÜV Cyber Security Program

94
Network Segmentation

§ As introduced with the Purdue (Reference) model it is possible to segregate


an ICS network based upon the technology used as well as the intended
function of that level.
§ This has additional security benefits, as each level has its own security
characteristics and requirements.
§ This is first done by logically segregating the network in zones and conduits,
with these then used to control where data and other communications can and
cannot be sent.
§ After this the network is segmented physically. This is one of the most
important and effective security controls.
§ Typically this is done by physically splitting the IT network from the ICS
network.
- Additionally, the safety zone should be segmented from the rest of the ISC
network.

95 16/04/2021 TÜV Cyber Security Program

95

Zones and Conduits

§ Assets can be grouped based on their logical and


geographical relationship. These groups should then contain
assets with similar security requirements allowing common
security measures to be implemented.

§ The purpose of placing the assets into zones and conduits is


so that a security level can be applied to the zone or conduit.

§ The security level as well as consideration to trust boundaries,


will allow the cyber security of the site to be maintained to the
level required from the risks that the site faces, it will also be
used to describe the security requirements of that zone.

§ Security Conduits or conduits are a type of zone that groups


communications between zones into logical groups. They
may be based around physical or logical communications
channels. As such all entry points to the zone are considered
a conduit, including those on air gapped systems.

96
De-Militarised Zone DMZ

§ Once the ICS network has been physically segmented where necessary, it is
likely that communication is still needed between these zones.
§ This communication is controlled through the use of a DMZ.
§ This is a physical or logical subnetwork which controls communication
between two zones at differing trust levels (Security Levels for IEC 62443).
§ There a different ways of implementing a DMZ, to of which are:
- Single Firewall DMZ – Uses a single firewall with 3+ network interfaces.
This way the firewall will not allow any communication between the two
zones but will instead forward to the DMZ.
- There is an issue with the firewall being a single point of failure.
- Dual Firewall DMZ – Uses two firewalls, meaning that there is no longer
the issue of the firewall being a single-point of failure.

97 16/04/2021 TÜV Cyber Security Program

97

VPN Applications

§ A VPN (virtual private network) is a network that uses a public


telecommunication infrastructure such as the Internet to provide remote offices or
individual users with secure access to their proprietary data.
§ A VPN is used to make the local host part of the remote network using the WAN
link to connect to the remote LAN.
§ VPNs are used to securely connect to the LAN, rather than opening the LAN to
everyone on the internet or another WAN service, i.e. it ensures better security.
§ VPNs employ the following for security:
- IPSec - Internet Protocol Security
- SSL/TLS Transport Layer Security
- MPPE Microsoft Point to Point Encryption
- SSH Secure Shell

98 16/04/2021 TÜV Cyber Security Program

98
Site-to-Site VPNs

§ Site-to-Site VPNs or intranet VPNs allow a company to connect to remote sites.


§ The two endpoints of the VPN are intermediary devices (VPN gateways) that
pass traffic from a trusted network to another trusted network while relying on the
VPN technology to secure the traffic on the untrusted transport network.
§ Commonly called site-to-site or LAN-to-LAN VPNs.

99 16/04/2021 TÜV Cyber Security Program

99

Remote Access VPNs

§ Client-to-Site VPNs or Remote access VPNs allow remote users to securely


access the company network.
§ One endpoint is a local host, and the other endpoint is an intermediate device
(VPN gateway) that passes traffic from the host to the trusted network behind
the security gateway while relying on the VPN technology to secure the traffic on
the untrusted network.
§ Commonly called remote access (RAS) VPNs.

100 16/04/2021 TÜV Cyber Security Program

100
System Hardening

§ The aim of system hardening is to reduce capability of assets/devices to only


what is needed to carry out its function.
§ This is done to reduce the potential attack surface of the asset/device, in turn
reducing the likelihood of compromise.
§ Examples of system hardening activities include:
- Changing of all default passwords, including vendor passwords,
- Disabling of unneeded services and application, with uninstalling where
possible.
- Removal of all unneeded and unused user accounts.
- Securing of BIOS setting where appropriate.
- Blocking of physical ports, e.g. USB, both physically and logically.

101 16/04/2021 TÜV Cyber Security Program

101

ISA-TR62443-2-3 Patch Management in the IACS Environment

102 16/04/2021 TÜV Cyber Security Program

102
Structure

§ IACS Patching
§ Asset Owner Requirements
§ IACS Product Supplier Requirements
§ Exchanging Patch Information
§ Annex A – VPC XSD format
§ Annex B – IACS Asset Owner Guidance

103 16/04/2021 TÜV Cyber Security Program

103

Importance of Patching

§ IACS and the software it relies on is highly vulnerable to both errors and possible
attacks
§ New vulnerabilities are discovered and published often and not all are disclosed.
§ Malware authors take advantage of these vulnerabilities to exploit systems
§ Old malware still works on unpatched systems,
e.g Not Petya, Stuxnet, WannaCry

104 16/04/2021 TÜV Cyber Security Program

104
Challenges in Patching IACS

§ Patches are changes – and changes can impact


safety, reliability and performance and such
require the completion of a number of activities
before the change can occur.
§ Patching is very resource intensive and must be
performed with a large amount of care.
§ To ensure correct and safe operation, patching
is often only done during outages, limiting when
patches can be done and meaning systems with
be vulnerable for a extended period of time.

105 16/04/2021 TÜV Cyber Security Program

105

IACS Patch Management Lifecycle


• Inventory
• Supplier relationships
• Supportability
Information • Assess existing environment
• Verification Gathering • Categorize and classify assets
• Training
• Documentation

Verification Monitoring & • Monitor & ID Patches


& Reporting Evaluation
• Determine applicability
• Risk Assessment
• Decision

• Notification • File authenticity


• Preparation • Review changes
• Scheduling Patch Patch
Deployment Testing • Install procedures
• Deployment • Qualification & verification
• Removal procedure
• Risk mitigation

106 16/04/2021 TÜV Cyber Security Program

106
Asset Owner Requirements

§ Establish and maintain an inventory of all electronic devices associated with the
IACS and currently installed versions for each device
§ Determine on a regular schedule what upgrades and updates are available for
each device and are identified as compatible by the IACS product supplier
§ Test the deployment of patches in a manner that reflects the production
environment
§ Schedule qualified patches for installation at the next available opportunity within
the constraints of system design
§ Update records at a planned interval (e.g. quarterly)
§ Periodically (e.g. annually) identify security vulnerabilities
in company’s IACSs
§ Implement patches, or equivalent countermeasures to
mitigate security vulnerabilities that exist in the IACS

107 16/04/2021 TÜV Cyber Security Program

107

IACS Product Supplier Requirements

§ Provide documentation describing the software patching policy for the products
and systems they supply
§ Qualify in terms of applicability and compatibility of all relevant patches by
analyzing and verifying the patches, including patches that are released by the
supplier of the OS and third- party software used by the IACS products;
§ Provide a list of all patches and their approval status
including the information described in Annex A;
§ Inform the asset owners and update the list
of patches within 30 days after a patch is
released by the manufacturer of the OS
or third-party software
§ Provide adequate warning about the
components reaching ‘end of life’

108 16/04/2021 TÜV Cyber Security Program

108
Anti-Virus Management

§ Malware related incidents are the number one cause of cyber- related production
losses and upsets in process control systems.
§ Viruses are having a major impact on control systems and are likely to do so for
the foreseeable future.
§ Commonly believed that anti-virus software is incompatible with process control
systems and thus should not be used on the plant floor.
§ This is no longer true - All major
DCS and PLC vendors now support
anti-virus software on their
Windows-based platforms.

109 16/04/2021 TÜV Cyber Security Program

109

Anti-Virus Management contd.

§ Use a mixed deployment systems:

- Anti-virus scanning at the control system firewall.


- Automatic updating for non-critical systems or systems with vendor
approved update schemes.

- Manual scheduled updates for more difficult systems.


§ Focus on anti-virus signatures in all computers located in the DMZ.
§ A dedicated anti-virus server can be
located in a common network zone.

110 16/04/2021 TÜV Cyber Security Program

110
Logging / Monitoring

§ In order to get some form attribution and to enable investigations in the event
of an incident some form of logging should be in place.
§ This can be achieved through many methods including on the devices
themselves.
§ Two types of logging which can be done:
- Active – Logs the data and has some form of monitoring in place to detect
is a log has been created for an event which is not desired/expected, e.g.
password change.
- Passive – Logs the data and stores in a location. There is no monitoring in
place and it is only used for analysis should an incident occur.
§ Free Windows based service from the NCSC – LME
- Provides scripts to gather windows events and utilises the free tier of an
ELK stack to visualise the events.

111 16/04/2021 TÜV Cyber Security Program

111

Security Information and Event Management Systems


(SIEMs)
§ Some form of log management system should be in place. This can be achieved
by implementing a SIEM.
§ This process is aided by effective zones and conduits, that can be monitored for
intrusion and analysed at a later date.

§ Consideration should be given to take into account alarms, to limit false alarms,
both positive and
negative. It is also important to limit the possibility of alarm fatigue.

112
Intrusion Detection Systems (IDS)

§ They are network security appliance that will monitor networks and packets for
any malicious activity.
§ IDS acts as a monitor, while an Intrusion Prevention System (IPS) works to
actively stop threats as they occur.
§ By monitoring and recording any information about malicious activity, it allows
network admins to respond to any threat, or if prior to an incident perform
forensic activities.
§ Beyond the primary aims, IDS and IPS is that an IPS works in real time to
actively block intrusion attempts
or known malicious activity. This is
done by creating alarms, making
correlation rules, dropping
malicious packets and
reset the connection of any
malicious hosts.

113 16/04/2021 TÜV Cyber Security Program

113

Main Two Types of IDS

§ Network Intrusion Detection (NIDS)


- The most common implementation of an IDS.
- NIDS is a sperate device attached to the
network (Inline Deployment).
- Two main types of IDS configuration:
- Pre-defined rules (signature-based)
- Behaviors (heuristics-based)
§ Host Intrusion Detection (HIDS)
- Is typically software which runs on a host
(computer) to detect abnormalities on that
host.
- This is commonly done my monitoring
applications, system logs and event logs,
rather than by monitoring network traffic.

114 16/04/2021 TÜV Cyber Security Program

114
IDS Issues

§ Does not replace a firewall, as it is more of an auditing tool, while a firewall


filters (block) malicious traffic.
§ Big issue with false positives, depending on the sensitivity of the IDS. Which
itself brings u issues of alarm fatigue.
§ Large deployment and operational costs, especially with consideration to
behavioral implementation, as it requires an accurate representation of
normal (baseline) behavior.
§ Only effective against known vulnerabilities, i.e. known malicious
applications or malicious activity.
§ As a relatively new implementation of network security, IDS signature for the
ICS environment are not yet extensive.

115 16/04/2021 TÜV Cyber Security Program

115

IDS Best Practices

§ If using NIDS, implement the devices at entry points (interfaces) to the network.
As this is most likely to be able to record an intrusion attempt.
§ Where using IDS signatures use ICS specific signatures if possible, as this will
in theory reduce the possibility of false positives.
§ When using behavioral or IPS, extreme caution should be taken, including
ensuring that vendors know of its use.

116 16/04/2021 TÜV Cyber Security Program

116
Distributed Intrusion Detection Example

117 16/04/2021 TÜV Cyber Security Program

117

United Threat Management (UTM)

§ Unified Threat Management (UTM) devices are devices which have been
designed to perform several security functions within a single device. Examples
of the security functions are:
- Network firewalling
- Network intrusion prevention
- Gateway antivirus (AV)
- Gateway anti-spam
- VPN
- Content filtering
- Load balancing
- Data leak prevention
- On-appliance reporting
§ While a single device that perform multiple functions is useful, it does present a
single point of failure, as such it may be more prudent in some circumstances to
use multiple layers of devices.

118 16/04/2021 TÜV Cyber Security Program

118
Honeypots

§ Another network countermeasure is the implementation of a honey pot, designed to


be the focus of attackers.
§ A honeypot is asset, whether virtual or not, which has no physical outputs, and is
intended to be the focus of attacks.
§ For the honeypot to be effective, it is important that:
- There is no activity on the honeypot. Allows a clear view of
undesired activity.
- The honeypot contains the same security as a legitimate asset.
§This second point is important due to liability.
If the honeypot is used by an attacker on any
other facility, which, the organisation has a duty
of care towards then the organisation can be
liable for facilitating the attack.

119

Physical Security

§ Physical threats must also be considered.


This includes three elements, which are:

• Physical environment concerns

• Physical security concerns

• Personnel Security Concerns

§ Physical environment concerns a loss of operability, availability or


protection due to the environmental events. This may be due to
flooding, raining, lightening etc.

§ Physical security issues arise where it is possible to introduce exploits due to removable
media or for example adding a unauthorised wireless access point or a keylogger. To
combat, this some form of physical security system, including site walkthroughs for
inspections is required.

§ Personnel security is important and some form of access control system and vetting
process should be put into place to restrict the ability of malicious personnel or persons to
attack the site.

120
Exercising and Backups

§ There will always remain a risk of a security incident occurring.


§ As such, how your company responds needs to be determined.
- This includes exercising how different teams and groups will react in the
event of an incident.
- NCSC Service – Exercise in a Box
- Additionally a play book detailing contacts and actions to take in the event
of an incident can be created.
- It may be necessary to contract with a Cyber Incident Response (CIR)
company, depending on the risks involved.
§ Additionally, how the company can recover post incident should be
determined as part of a Business Continuity Plan / Disaster Recovery.
- Part of this will be determining critical data and then backing up this data.
- Any back up should be tested to ensure its effectiveness.

121 16/04/2021 TÜV Cyber Security Program

121

Business Continuity Management

§ Due to the safety requirements put onto sites it is common that a site will
always revert to a safe state, in effect ceasing production.
§ This may not also be acceptable and with the introduction of NIS may have
impacts itself.
§ As such, there is a need for Business Continuity Planning to ensure the
continued functioning of the site.
§ This is done by first analysing the Business Impacts of the loss of certain
critical process, this is called a Business Impact Analysis (BIA).
§ Next the risk is assessed and the tolerance for these business risks
determined.
§ The site will then determine to what state they wish/need to return to and in
what timeframe.
- This is then communicated the relevant stakeholders through a Business
Continuity Plan (BCP).
§ It is this information which is used to determine what data is backed up how it
is backed up.
122 16/04/2021 TÜV Cyber Security Program

122
Networking Cryptography Cybersecurity
Basics Basics Countermeasures

Cybersecurity
Industrial Conclusion and
Management
Protocols Exam Advice
System (CSMS)

Cyber Security for Automation,


Control, & SCADA Systems
Fundamentals – Industrial Protocols

TÜV Cyber Security Program

123

Industrial Protocols

§ Common protocols that are likely to be seen in the


ICS environment.
- Modbus
- Profibus
- OPC
- CIP - EtherNet/IP
- DNP3
- BACnet
§ Number of other ICS protocols, including
the IEC 61158/6 Communication Profile Families
(CPF)

124 16/04/2021 TÜV Cyber Security Program

124
Modbus
§ Serial-based communications protocol originally published in 1979 by Modicon (now
Schneider Electric) to be used with its Programmable Logic Controllers (PLCs)
§ Considered as the most common ICS protocol in use, due to it being very simple,
robust and open to use without royalties.
§ Since it was first implemented it has been modified to work on Ethernet networks.
This is accomplished by encapsulating the serial protocol inside a TCP header and
transmitted using TCP port 502 by default.
§ Basic functions support reading and writing of PLC registers and I/O

Master Master

Remote I/O Remote I/O


(Slave) (Slave)

Slave

Remote I/O PLC


(Slave) (Slave)

125 16/04/2021 TÜV Cyber Security Program

125

Modbus

§ With concern to the OSI model, Modbus is an application layer messaging


protocol, i.e. it operates at layer 7 of the OSI model.
- As such it operates independent of network protocols operating at layer 3,
meaning it can be adapted for both serial and routable networks.
§ Modbus uses a simple request/reply methodology for communications. This
makes it effective for use when a simple device needs to communicate with a
more powerful computer.
§ Given its simplicity Modbus has little processing overhead, useful for use in an
ICS network.

126 16/04/2021 TÜV Cyber Security Program

126
Modbus Alignment to OSI Model

Modbus application layer


Application
Layer

Modbus on TCP

Transport
TCP Layer

Network
IP Layer

Data-link
Modbus+/HDLC Master/Slave Ethernet 802.3 Layer

EIA/TIA-232C Physical
Physical layer Ethernet physical layer
EIA/TIA-485 Layer

127 16/04/2021 TÜV Cyber Security Program

127

Modbus Packet Frame

§ Modbus packet frame can split into two sections:


- Application Data Unit (ADU) – Consists of the Address, the PDU and an
implemented error checking method.
- Protocol Data Unit (PDU) – Consists of function code and the data sections.

Slave Address

Function Code

Data

128 16/04/2021 TÜV Cyber Security Program

128
Modbus RTU

§ Modbus RTU is one iteration of the Modbus protocol, others including Modbus+,
Modbus, ASCII, Modbus TCP/IP, Modbus over TCP/IP, as well as other
iterations.
§ Modbus RTU and Modbus ASCII support binary and ASCII transmissions over
serial buses respectively.
§ They are considered the most simple implementations of the Modbus protocol.

Application data unit (ADU)

Start Address Function code Data CRC End

>28 bits 1 byte 1 byte n * 1 byte – max 2 bytes >28 bits


252 bytes

Protocol data unit (PDU)

129 16/04/2021 TÜV Cyber Security Program

129

Modbus TCP
- The most common way to transport Modbus over Ethernet using TCP is to
use Modbus TCP, which uses TCP over IP to issue commands over routable
networks. It does this by removing the old address and error checking, taking
only the PDU. This is then added to a MBAP header to create a new frame.
Error checking is performed as part of the Ethernet frame.

MBAP header PDU


Transaction Protocol
Length Unit ID Function Code Data
ID ID

Modbus TCP/IP ADU

130 16/04/2021 TÜV Cyber Security Program

130
Modbus Specific Security Issues

§ Authentication – Modbus sessions require a valid Modbus address, function


code and associated data, as well as knowledge of the address of register and
coil. Beyond this there is no verification of the origin of the message, allowing
Man-in-the-Middle (MitM) and replat attacks.
§ Encryption – Commands and address are transmitted in plain text allowing easy
capture and analysis. This allows an attack to perform spoofing and replat
attacks.
§ Message Checksum – As there is no inherent message checksum a command
maybe spoofed.
§ Broadcast – All serially connected devices will receive all messages sent over
the network, making it possible to perform a Denial-of-Service (DoS) by
broadcasting unknown address.

131 16/04/2021 TÜV Cyber Security Program

131

Basic Modbus Security Controls

§ Communication should only be allowed between known devices, using expected


function codes. This can be done by monitoring defined network zones and
baselining communication.
- This baseline can then be used to design a access control strategy, between
zones in conduits that likely involves some element of protocol inspecting and
filtering, i.e. a firewall.
§ If possible, whitelisting can be implemented, which uses the baselines and
prevents abnormal behaviour.

132 16/04/2021 TÜV Cyber Security Program

132
PROFIBUS

§ PROFIBUS (PROcess FIeldBus) is a fieldbus protocol originally developed in


Germany by a group of 21 companies and institutions known as the Central
Association for the Electrical Industry (ZVEI).
§ Its was designed to allow PLCs to communicate with host computers.
§ Supported by PROFIBUS Nutzer-organisation e.V. (PROFIBUS User
Organization, or PNO), who maintain the specifications, ensures device
compliance and certification.
§ Many specialised variations available which use a master/slave protocol that
support multiple master nodes, including:

- PROFIBUS Decentralised Periphery (DP) [DP-V0, DP-V1 and DP-V2]


- PROFIBUS Process Automation (PA)

- PROFISAFE
- PROFINET (PROFIBUS over Ethernet)

- PROFIDRIVE

133 16/04/2021 TÜV Cyber Security Program

133

Security Issues

§ Profibus lacks authentication by default in many of its functions, allowing a


spoofed node to impersonate a master node, granting it control along with the
capability to perform configuration changes and possible DoS attacks.
§ Further, if using Profinet, the master device must be attached to a Ethernet
network and is, therefore, susceptible to the vulnerabilities of IP.
§ It should be noted that the (in)famous example of Stuxnet involved a Profibus
exploitation, which involved compromising PLCs acting as Profibus DP master
nodes, via an attack on an engineering workstation or HMI.

134 16/04/2021 TÜV Cyber Security Program

134
Profibus - OSI Model Comparison

OSI Model Profibus


Application DPv0 DPv1 DPv2

Presentation

Session

Transport

Network

Data-Link Fieldbus Data Link (FBL)

Physical EIA-485 Optical MBP

135 16/04/2021 TÜV Cyber Security Program

135

Open Processing Communications (OPC)

§ Object Linking and Embedding (OLE) for Process Control is not a specific ICS
protocol but rather a series of standard specifications.
§ Communication standard developed in 1996 by an industrial automation industry
task force to provide a mechanism for a standardised way for systems to
exchange data over an Ethernet network using a core set of Microsoft
technology; OLE, COM, and DCOM.
§ The underlaying mechanism behind this communication was based upon inter-
process communication using the Remote
Procedure Call (RPC) protocol.
§ Specifies the communication of real-time
plant data between control devices from
different manufacturers
§ The OPC Foundation maintains the
standard

136 16/04/2021 TÜV Cyber Security Program

136
Security Issues of OPCs Use

§ Due to its use of DCOM and RPC, OPC is relatively highly vulnerable to a
multitude of attack vectors, including those of the more well used OLE.
§ As classic OPC is rooted in the Windows Operating System (OS) it is susceptible
to all of the vulnerabilities inherent in the OS.
§ As OPC makes use of the RPC protocol, it is susceptible to all RPC related
vulnerabilities.

137 16/04/2021 TÜV Cyber Security Program

137

Common Industrial Protocol (CIP)

§ The Common Industrial Protocol (CIP) is an industrial protocol for industrial


automation applications (formerly Control & Information Protocol)
§ Developed by Rockwell Automation
§ Supported by Open DeviceNet Vendors Association (ODVA)
§ CIP is an application layer protocol that can be implemented in a variety of ways
on different networks and link layer technologies. Variations include:
- Ethernet/IP (CIP on Ethernet)
- DeviceNet (CIP on CAN)
- CompoNet and ControlNet (CIP and CTDMA)

138 16/04/2021 TÜV Cyber Security Program

138
EtherNet/Industrial Protocol (IP)

§ Ethernet/IP is built upon the Common Industrial Protocol (CIP).


§ Ethernet/IP is an encapsulation of the CIP protocol for use on ethernet
networks.
§ This protocol is typically found running
over TCP and UDP port 44818, otherwise
it may use TCP and UDP port 2222.

139 16/04/2021 TÜV Cyber Security Program

139

EtherNet/IP Packet Structure

Motor Starter | Pneumatic Valves | AC Drives | Position Controller |


Other Profiles

CIP Application Layer Application Object Library


CIP
CIP Data Management Services Explicit Messages, I/O Messages

CIP Message Routing, Connection Management

CIP Encapsulation
TCP | UDP
EtherNet/IP
Industrial Protocol

Ethernet (IEEE 802.3)

140 16/04/2021 TÜV Cyber Security Program

140
Distributed Network Protocol (DNP3)

§ As with Modbus, DNP3 is a serial-based protocol which utilises a master/slave


configurations.
§ Was first introduced in 1990 by Westronic (now GE-Harris Canada), and was
based around an early draft of the IEC 60870-5 standard.
§ This protocol is primarily used in the power and water utilities sector in North
America.
§ Designed to provide reliable communication in environments which are likely to
have large amounts of electromagnetic interference (EFI) and poor transmission
media.
§ It has since been modified to function over IP via encapsulation in TCP and UDP
packets.

141 16/04/2021 TÜV Cyber Security Program

141

DNP3 Packet Structure

Start
Length
Control
Data Link Layer
Destination
Source
CRC
Transport Control
Length
Application Units
CRC
Application Control
Function Code Application Layer
Internal Indicators

142 16/04/2021 TÜV Cyber Security Program

142
Building Automation and Control Networks (BACnet)

§ BACnet is one of the largest building automation protocols.


§ BACnet is an ASHARE standard, and is maintained by ASHARE.
§ Practical implementations of this protocol include HVAC, control of generation
units, elevators, lighting controls, fire suppression, alarm systems and access
control systems.
§ As with most ICS protocols, it was no designed with security in mind and lacks
many basic security services. As such it can and has been used during attacks.

143 16/04/2021 TÜV Cyber Security Program

143

General ICS Protocol Security Issues

§ Concern revolving around the connecting of ICS devices to the internet, where
these protocols are encapsulated within TCP/IP packets.
§ When this occurs attackers can exploit the security vulnerabilities within the
industrial protocols to cause security incidents.
§ However, it is possible for these protocols to be implemented with additional
security features, such as IPsec, SSH, etc. to better protect these low level
devices where internet connection is required.

144 16/04/2021 TÜV Cyber Security Program

144
Networking Cryptography Cybersecurity
Basics Basics Countermeasures

Cybersecurity
Industrial Conclusion and
Management
Protocols Exam Advice
System (CSMS)

Cyber Security for Automation,


Control, & SCADA Systems
Fundamentals – Cybersecurity Management System (CSMS)

TÜV Cyber Security Program

145

Governance – Roles & Responsibilities

§ The person accountable for any security incidents is the head of the company,
typically the CEO.
§ However, the person responsible is normally someone else. It is known that
the CEO delegates the risk ownership to someone else will be ensure that the
risk is managed.
- However, the CEO remains accountable for the risk.
§ To manage this risk commonly there are Security Officers or Security
Managers who manage the risk within the boundaries defined from a risk
assessment.
§ Due to the complexity of responsibilities, it is important to formally define the
relevant roles and responsibilities and ensure that there are communicated to
the appropriate people.

146 16/04/2021 TÜV Cyber Security Program

146
Establishing an Industrial Automation and
Control Systems Security Program

§ IEC 62443-2-1 focuses on how to create a security program for control systems.
§ The program is integrated into a “Cyber Security Management System” (CSMS)
§ Currently under review, with the expectation for a new edition to be released
2020.
§ Details of the program are described by elements and requirements for each
element
§ The elements and requirements are organized into three main categories:
- Risk Analysis
- Addressing the Risk with CSMS
- Monitoring and Improving the CSMS
§ Each category is then divided further into elements or groups.
§ Each element then as a number of objectives with requirements to be fulfilled to
achieve the element.

147 16/04/2021 TÜV Cyber Security Program

147

IEC 62443 Framework

148 16/04/2021 TÜV Cyber Security Program

148
NIST Cyber Security Framework (CSF)

149 16/04/2021 TÜV Cyber Security Program

149

NIST CSF Mapping to ISA 62443

150 16/04/2021 TÜV Cyber Security Program

150
CATEGORY – Risk Analysis

§ The first main category in the IEC62443-2-1 methodology for a CSMS is Risk
Analysis.
§ This category contains two elements:
- Business Rationale
- Risk identification, classification and assessment.

151 16/04/2021 TÜV Cyber Security Program

151

CATEGORY – Risk Analysis


Element – Business Rationale

§ The objective of this element is to identify and document the needs of the
organisation to address cyber risks.
§ This is accomplished by developing a business rationale, which assesses the
possible consequences of cyber risk, this will be used to determine the correct
amount of investment needed.

152 16/04/2021 TÜV Cyber Security Program

152
CATEGORY – Risk Analysis
ELEMENT – Business Rationale
§ The first step in developing an effective cyber security program starts with:
- Gathering individuals who recognise the risks the organization is taking into a
team.
- Documenting and communicating these risks internally to the appropriate
stakeholders.
- Developing a compelling business case that captures the business concerns of
senior management, allowing the risks to be fully understood by senior
management.
§ Key Components of the Business Rationale:
- Prioritised Business Consequences, as well as a list of
potential consequences that senior management will find compelling.
- Prioritised Threats – a list of potential threats refined to those threats that are
considered credible.
- Estimated Annual Business Impact – High priority items in consequences list.
scrutinised to obtain an estimate of the annual business impact.

153 16/04/2021 TÜV Cyber Security Program

153

External Resources for Business


Rationale Information

§ Sector/Trade Organizations - (e.g. Chemical Sector Cyber Security


Program) provide info on factors most strongly influenced other company's
management.
§ Government Studies and Programs - (e.g. US-CERT Control Systems
Security Program) provide treat/risk data.
§ Incident Tracking Organizations -
(e.g. Industrial Security Incident Database,
US-CERT) provide trend and impact data.
§ Equipment Vendors - provide history data and
economic models.

154 16/04/2021 TÜV Cyber Security Program

154
CATEGORY – Risk Analysis
ELEMENT – Risk Identification, Classification and Assessment

§ Before cyber risk controls are implemented the possible risks must be first
identified, analysed and assessed.
§ Risk Analysis in a security setting is a process that identifies:
- Assets
- Threats
- Vulnerabilities
- Consequences
- Likelihood
- Existing counter measures
§ To ensure that this process is effective and full, it should be performed in a
defined and systematic way.

155 16/04/2021 TÜV Cyber Security Program

155

What is a Security Risk?

- Security Definition: “Risk is an expression of the likelihood


that a defined Threat will exploit a specific Vulnerability”

Threat Vector The mechanism through


which the threat source exploits the target
system via the exposed vulnerability.

Threat System
Source

Vulnerability Can be either:


- Known (by design or by error/omission)
- Unknown (present but undetected)

156
Understanding Risk
§ We must first understand the risk; this will be done by:
- Identifying the critical assets
- Determining the realistic threats
- Identifying existing vulnerabilities
- Understanding the consequence of compromise
- Assessing effectiveness of current safeguards
§ Next we need to develop a plan to address unacceptable risk:
- Evaluate existing countermeasures
- Recommend additional countermeasures
- Recommend changes to current policies and procedures
- Prioritize recommendations (based upon relative risk)
- Evaluate cost / complexity versus effectiveness

Cybersecurity is all about RISK MANAGEMENT!!!

157 16/04/2021 TÜV Cyber Security Program

157

Key Benefits of Cyber Risk Assessments

§ Determine what plants or parts of a plant need to be addressed first


§ Understand the legitimate threats and vulnerabilities
§ Effectively design and apply countermeasures (e.g. network segmentation,
access controls, hardening, detection, etc.) to reduce risk
§ Prioritise activities and resources to be dedicated for risk management
§ Evaluate countermeasures based upon their effectiveness in comparison to
their cost/complexity, i.e. perform a cost-benefit analysis.

158 16/04/2021 TÜV Cyber Security Program

158
A Fine Balance

§ It is not possible to achieve perfect security and can be cost prohibitive to try
to achieve it.
§ Therefore, risk reduction must be balanced against the cost of security
measures to mitigate the risk.

159 16/04/2021 TÜV Cyber Security Program

159

CATEGORY – Addressing Risk with the CSMS

§ The second main category of the CSMS is Addressing Risk with the CSMS. This
category contains the bulk of the requirements and information contained in the
CSMS.
§ It is broken into three element groups:
- Security Policy, Organization, and Awareness
- Selected Security Countermeasures
- Implementation.

160 16/04/2021 TÜV Cyber Security Program

160
ELEMENT GROUP –
Security Policy, Organisation and Awareness

§ The first element group in the Addressing Risk with the CSMS category
contains five elements:
- CSMS Scope,
- Organisational Security
- Staff Training and Security Awareness,
- Business Continuity Plan,
- Security Policies and Procedures.

161 16/04/2021 TÜV Cyber Security Program

161

CATEGORY – Addressing Risk with CSMS


ELEMENT – Organisational Security

§ Senior management must demonstrate a clear commitment to cyber security, or


the process will likely fail.
§ The five primary activities in this requirement:

- Identify Appropriate Senior Managers

- Identify Gatekeepers and Persuade, If necessary

- Revise the Business Case, If Necessary

- Present the Case to the Senior Managers


- Obtain written senior management
support and base funding for a cyber
security program.

162 16/04/2021 TÜV Cyber Security Program

162
CATEGORY – Addressing Risk with CSMS
ELEMENT – Staff Training and Security Awareness

§ A security system is only as good as its weakest link, which is usually human.
This means that user awareness is vital.
- Most people believe that technical solutions take care of the security
concerns and that their actions have little impact.
- Policy violations and social engineering are significant contributing factors in
most security breaches.
- Usually because an employee or contractor did not understand the potential
impact of his or her actions.

163 16/04/2021 TÜV Cyber Security Program

163

CATEGORY – Addressing Risk with CSMS


ELEMENT – Staff Training and Security Awareness

§ Effective training programs and communication vehicles help employees understand:


- Why new or updated security controls are required,
- Ideas they can use to reduce risks,
- Impact on the company if security methods are not incorporated.
§ Train users about:
- The reasons behind specific security policies.
- Acceptable procedures and practices.
- Social engineering ploys.
§ Ensure that all stakeholders are appropriately trained including:
- Managers,
- Engineers
- Operators
- Contractors
- Vendors

164 16/04/2021 TÜV Cyber Security Program

164
CATEGORY – Addressing Risk with CSMS
ELEMENT – Business Continuity Plan (contd.)
§ No set of defenses can prevent all disruptions due to cyber security incidents.
§ A detailed Business Continuity Plan ensures that IACS information can be restored
and utilized as soon as possible after the occurrence of a significant disruption.
§ A business continuity plan should address:
- the recovery objectives for the
various systems and subsystems
involved based on typical
business needs
- a list of potential interruptions
and the recovery procedures for
each;
- a schedule to test part or all of
the recovery procedures.

165 16/04/2021 TÜV Cyber Security Program

165

Establishing Risk Tolerance

§ Tolerable risk are established by executive management and must be


communicated to the relevant parties.
§ Often communicated via a Risk Matrix

166 16/04/2021 TÜV Cyber Security Program

166
CATEGORY – Addressing Risk with CSMS
ELEMENT – Security Policies and Procedures contd.

Policy is a statement of intent and guidance by senior management regarding the


commitment, ownership and requirements of security
§ Should clearly state what is mandatory and what is expected of personnel.
§ Should be auditable
§ Should be independent of the present technology and architecture.
§ References procedures and mandate their use
§ The security policy is concerned with what not how.

167 16/04/2021 TÜV Cyber Security Program

167

What Should a Security Policy Cover?

Responsibility – Who is responsible for maintaining the security, for


monitoring the policy for problems, reacting when
something happens and enforcing policy?
Enforcement – How are policies enforced?
Evolution – How do policies change with time?
Exception Management – How are exceptions to the policy handled?

168 16/04/2021 TÜV Cyber Security Program

168
CATEGORY – Addressing Risk with CSMS
ELEMENT – Security Policies and Procedures contd.

IACS Cybersecurity policy topics include:

Risk Remote
Personnel
Management Access

Wireless
Access Subcontractor
Devices and
Control Sensors Policy

Incident Portable
Auditing
Response Devices

Physical Network Security Policy


Training
Security Segmentation Updating

169 16/04/2021 TÜV Cyber Security Program

169

CATEGORY – Addressing Risk with CSMS


ELEMENT – Selected Security Countermeasures

§ The second element group within Addressing Risk category is Selected


Security Countermeasures.
§ The elements within this group discuss some of the main types of security
controls that are part of a well designed CSMS.
§ There are six elements in the element group:
1 Personnel Security,
2 Physical and Environmental Security
3 Network Segmentation,
4 Access Control: Account Administration,
5 Access Control: Authentication, and
6 Access Control: Authorization.

170 16/04/2021 TÜV Cyber Security Program

170
Dividing Up the Control System into Zones

§ It is critical to separate the control system from the outside world


§ It is also important to offer a level of segmentation and traffic control inside the
control system
§ Control networks are should be divided into
layers or zones based on control function
§ Multiple separated layers help to provide
defense in depth
§ Requirements for defining zones and conduits
are provided in ISA-62443-3-2

171 16/04/2021 TÜV Cyber Security Program

171

ELEMENT GROUP – Implementation

§ The third element group in this category is Implementation. The elements within
this group discusses issues related to implementing the CSMS.
§ There are four elements in this element group:
1. Risk Management and Implementation,
2. System Development and Maintenance,
3. Information and Document Management,
4. Incident Planning and Response.

172 16/04/2021 TÜV Cyber Security Program

172
Execute Cyber Security Risk Mitigation Projects

Charter the cyber security risk mitigation project

Plan the project

Project design

Project execution

Separation of development and test environments

Planning and conducting a test/validation program

Final acceptance/installation of integrated system components

173 16/04/2021 TÜV Cyber Security Program

173

Develop and Implement a Security Change Management


System

§ A change management system that includes both the IT and IACS environments
needs to be developed and implemented.
§ Can be based on existing company change management procedures.
§ Important to assess all the risks of changing the IACS
§ Using clearly defined criteria, proposed changes to IACS should be reviewed for their
potential impact to HS&E risks and cyber security risks by individuals technically
knowledgeable about the process and the IACS system.
§ The security capabilities and design of a new system being installed in the IACS
environment shall meet the security
policies and procedures required for that
zone/environment
§ Similarly, maintenance upgrades or
changes shall meet the security
requirements for the zone.

174 16/04/2021 TÜV Cyber Security Program

174
Establish and Incident Response Program
An incident response program should be established and tested:
§ Classification of incidents – The various types of incidents should be identified
and classified as to the effects and likelihood, so that a proper response can be
formulated for each potential incident.
§ Contingency planning – Contingency plans cover the full range of failures or
problems that failures in the IACS cyber security program could cause.
§ Response actions – Acceptable
responses that can be taken in the
event of a security incident. These
range from doing nothing to having
a full system shutdown.
§ Recovery actions –Step-by-step recovery
actions should be documented so that the
system can be returned to normal operations
as quickly and safely as possible.

175 16/04/2021 TÜV Cyber Security Program

175

CATEGORY – Monitoring and Improving and CSMS

§ The third main category of the CSMS is titled Monitoring and Improving the
CSMS.
§ It involves both ensuring that the CSMS is being followed, as well as reviewing
the CSMS itself for effectiveness.
§ There are two elements in this category:

- Compliance and Review,

- Improve and Maintain the CSMS.

176 16/04/2021 TÜV Cyber Security Program

176
Security is a Continuous Process

A successful program must:


§ Make sure the organisation is remains compliant with both the
program policies and national regulations
§ Prepare for security incidents.
§ Provide change management procedures
§ Monitor and assess the security preparedness of the
environment.
§ Monitor and review the organisation’s Cyber Security
Management System.
§ Review and adjust security policy.

177 16/04/2021 TÜV Cyber Security Program

177

Conduct Periodic System Audits

§ Periodic audits of the IACS shall be implemented to


validate that the security measures and security
management practices are performing as intended and
meet the security objectives.
§ The results from each periodic audit should be
expressed in the form of performance against a set of
predefined and appropriate metrics to
display security performance and security trends.

178 16/04/2021 TÜV Cyber Security Program

178
Adopt Continuous Improvement Operational Measures

§ A series of self-assessments and independent audits to measure and review


the performance of the CSMS and evaluate its performance against the
program’s policies and objectives.
§ Types of operational measures:

- Audit Results
- Incident Data

- Organizational Capability Data

179 16/04/2021 TÜV Cyber Security Program

179

Establish, Refine and Implement Changes to the CSMS

§ After implementing the first cyber security risk mitigation projects, it is


important to begin putting in place the management procedures to sustain the
security gains.
§ Changes in technology, threats, and process
control system operations will necessitate
changes to the CSMS.
§ A team should be assigned to manage and coordinate the refinement and
implementation of the CSMS changes.

180 16/04/2021 TÜV Cyber Security Program

180
Establish, Refine and Implement Changes to the CSMS

Written procedures should be developed to manage changes to the CSMS. This


process might include:
§ Defining the current management system.
§ Defining the procedures for proposing and assessing changes to the CSMS
§ Proposing and evaluating changes to the CSMS
§ Implementing CSMS changes.
§ Monitoring CSMS changes

181 16/04/2021 TÜV Cyber Security Program

181

Cyber Security Standards


§ IEC 62443 standard series
- Industrial communication networks – Network and system security
§ ISO/IEC 27000 standard series
- Information technology - Security techniques - Information security management systems.
§ ANSI/API 780:2013
- Security Risk Assessment Methodology for the Petroleum and
Petrochemical Industries
§ NERC CIP 007-6
- Cyber Security – Systems Security Management
§ ISO/IEC 15408:2009
- Information Technology - Security Techniques – Evaluation Criteria
for IT Security (Common Criteria)
§ ISO/IEC 21827:2008
- Information Technology - Security Techniques – Systems Security
Engineering - - Capability Maturity Model® (SSE-CMM®)

182
Networking Cryptography Cybersecurity
Basics Basics Countermeasures

Cybersecurity
Industrial Conclusion and
Management
Protocols Exam Advice
System (CSMS)

Cyber Security for Automation,


Control, & SCADA Systems
Fundamentals – Conclusion and Exam Advice

TÜV Cyber Security Program

183

Thank you for your attendance

Questions

184 16/04/2021 TÜV Cyber Security Program

184
Exam Advice

185

You might also like