CS Fundamentals Course - TUV Presentation
FUNDAMENTALS
Cyber Security Fundamentals
Introductions
§ Your Name
§ A little background
§ Your key objective for this course
Domestic arrangements & etiquette
• Toilets - location
• Breaks – formal, and feel free to stretch at any time
Schedule
§ Duration
• 3-day course with homework
• Exam on fourth day
§ Exam
• Multiple Choice (Fundamentals) exam
§ Working day
• 09:00 – 17:00
• Lunch at 12:30 – 13:30
• Formal Breaks at 10:30 & 15:00
Objectives of the Course
Course Goals
• To be aware of the current security environment for ICS, including the threats, past incidents and vulnerabilities.
• To understand the requirement for ICS security, and that there are a number of standards and cybersecurity frameworks available to guide in achieving it.
• To understand the relevant network technology in use within an ICS network, including the protocols relevant at the different levels of the Reference (Purdue) model.
• To understand the different technical controls that are present and can be implemented within an ICS network.
• To understand the different effective countermeasures that are available for use.
• To understand the different organisational controls that are present and can be used within an ICS network, including management systems.
• To understand the relevant further aspects of cyber security that should be considered when determining the security of an ICS network.
Examination
Course Content
1. Networking Basics
2. Cryptography Basics
3. Cybersecurity Countermeasures
4. Industrial Protocols
5. Cybersecurity Management System (CSMS)
6. Conclusion
7. Exam Advice
[Course map: Networking Basics | Cryptography Basics | Cybersecurity Countermeasures | Industrial Protocols | Cybersecurity Management System (CSMS) | Conclusion and Exam Advice]
Networking Basics
Industrial Networks
§ While the protocols and devices in use are similar, they do differ based upon the requirements of the network environments.

                          Industrial networks                 Industrial networks                  Business networks
                          (low level: process and control;    (high level: supervisory control;
                          Purdue levels 0, 1, 2)              Purdue level 3)
Reliability/Resiliency    Critical                            High                                 Best effort
Bandwidth                 Low                                 Medium                               High
Sessions                  Few, explicitly defined             Few                                  Many
Latency                   Low, consistent                     Low, consistent                      N/A, retransmissions are acceptable
Network Types - LAN
ISO/OSI Reference Model
[Figure: the seven OSI layers, from layer 7 (Application: HTTP, FTP, SMTP) and layer 6 (Presentation: JPEG, GIF, MPEG) in the upper layers, down to layer 1 (Physical: Ethernet, Token Ring; hubs and repeaters). Data is sent down the stack to the network and received up the stack from the network. Mnemonic: "Please Do Not Throw Sausage Pizza Away".]
OSI Layer 1: Physical Layer
§ The physical protocols define the physics of getting a message between devices, i.e. getting the required bits to each device involved.
§ This layer specifies the voltage, wire speed, etc.
§ This is the most important area in terms of both troubleshooting and operations.
§ Physical-layer concerns: frequencies, voltages, connectors, modulation, topologies, cables.
[Figure: OSI stack with the Physical layer highlighted; examples: EIA-232/485, Ethernet]
Common Topologies
Repeaters / Hubs
§ Hubs work only at the physical layer and connect all segments of the network together in a star-topology Ethernet network.
- It is important to note that this device is not intelligent.
§ A hub is also called a (multi-port) repeater, as any transmission received on one port is sent out on all other ports, i.e. it broadcasts.
§ Repeaters extend the length of a network by repeating the signal:
- Connect LAN segments to form a single network
- Allow conversion between cable types (e.g. UTP to fibre)
§ While correct addressing ensures that only the intended recipient will process the message, every device attached to the hub can see it, so any host on the segment can sniff all of its traffic. As such this device is less common now.
Layer 2 Switches
§ Layer 2 switches (a.k.a. multi-port bridges) work at the physical and data-link layers within a single LAN.
- Bridges are software based
§ A switch uses the destination MAC address to decide which port a frame should be forwarded to, and is therefore considered a layer 2 device.
- It learns MAC addresses from the source field of received frames and stores them in a forwarding table (MAC address table).
§ It is a network device that connects similar network segments together, breaking up collision domains.
§ It is considered more advanced than a hub because a switch will only send a frame to the port of the device that needs it (frames to unknown or broadcast destinations are still flooded to all ports).
§ Bridges are also layer 2 devices, which "bridge" two networks, but they are not commonly used now and are not readily available to buy.
Unmanaged switches
§ Not configurable
§ Plug-and-play
§ Normally found in the home or small business
Managed switches
§ Configurable locally (console port) or remotely (e.g. Telnet, SSL); note that Telnet carries credentials in clear text
§ Improved robustness (e.g. redundant power)
§ Typically support advanced functions:
- Spanning tree protocol
- Port configuration
- VLANs
- Port security (IP or MAC address filtering, 802.1X authentication)
- Diagnostics (e.g. SNMP)
- IGMP snooping
Virtual Local Area Network (VLAN)
Layer 3: Network Layer
ARP Protocol
The Basics of IPv4 Addressing
§ Phone calls are routed to the area code and then to the local exchange, so no single point needs a huge database of every phone number.
§ IP addresses are similar: routers forward on the network portion of the address, and only the final network needs to know the individual host.
Private IPv4 Address Spaces
§ Due to the finite number of possible IPv4 addresses, it was decided that each network that needed to be connected to the internet would have a public address, whereas addresses that did not need to be routable on the internet, but for which an IP address was still desirable for internal routing, were given a private address.
§ Private IP addresses are simply a specified group of addresses (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) that should never be found on public networks, i.e. the internet, but only within internal networks.
§ As such, any internally (privately) addressed device must undergo some form of translation for its packets to be forwarded onto the public network (internet).
§ This is done by the use of Network Address Translation (NAT).
§ NAT allows a single device, such as a router, to act as an agent between the Internet (or "public network") and a local (or "private") network.
§ Originally designed in an attempt to help conserve IPv4 addresses, NAT modifies the IP address information in IPv4 headers while in transit across a traffic routing device.
§ This means that only a single, unique public IP address is required to represent an entire group of computers.
IPv6 Addressing
§ To deal with the inevitable exhaustion of IPv4 addresses, IPv6 has been introduced.
- Even with the introduction of NAT, the number of devices requiring public addresses is ever-increasing, with public IPv4 addresses now being sold.
§ An IPv6 address is a 128-bit address written in the form of
- 8 groups of four hexadecimal digits separated by colons:
2012:0a81:843f:0042:0303:49bc:0e70:73d4
- Over 340 trillion trillion trillion (2^128) unique addresses!
- IPv6 is not directly interoperable with IPv4 on the wire, but it can represent IPv4 addresses (IPv4-mapped addresses), so hosts and software can handle both.
- The IPv6 (IPv4-mapped) form of the IPv4 address 147.10.24.16 is:
::ffff:147.10.24.16
§ Further, IPv6 does not use broadcasts, but rather multicasts instead, which means that devices no longer need to process every broadcast message.
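The private-address and NAT behaviour described above, as an added example (this script is not part of the course material; the hosts, the public address and the packets are constructed): it checks addresses against the RFC 1918 ranges, produces the IPv4-mapped IPv6 form, and models a port-translating NAT table in which an inbound packet with no existing mapping is dropped, which is why NAT incidentally blocks unsolicited inbound connections.

```python
"""RFC 1918 checks, IPv4-mapped IPv6 addresses and a minimal port-translating
NAT (NAPT).  Added example, not course material; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, replace

# The three RFC 1918 private ranges: never routed on the public Internet.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(addr: str) -> bool:
    """True for an IPv4 address inside one of the private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def ipv4_mapped(addr: str) -> ipaddress.IPv6Address:
    """IPv6 representation of an IPv4 address (the ::ffff:a.b.c.d form)."""
    return ipaddress.IPv6Address(f"::ffff:{addr}")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NAPT:
    """Source NAT with port translation: many private hosts share one public IP.

    Each outbound (proto, src, sport, dst, dport) flow gets its own public port.
    Inbound packets are only translated if they match a flow an internal host
    opened first; anything else is dropped.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}  # (proto, src, sport, dst, dport) -> public port
        self._in = {}   # (proto, public port, remote ip, remote port) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=port)

    def inbound(self, pkt: Packet):
        """Rewrite a reply back to the private host, or return None to drop it."""
        if pkt.dst != self.public_ip:
            return None
        mapping = self._in.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if mapping is None:
            return None  # no internal host asked for this: drop
        src, sport = mapping
        return replace(pkt, dst=src, dport=sport)


if __name__ == "__main__":
    nat = NAPT("198.51.100.1")  # constructed public address (RFC 5737 test range)
    out = nat.outbound(Packet("tcp", "192.168.1.10", 51000, "203.0.113.5", 80))
    print("outbound after NAT:", out)
    print("reply delivered to:",
          nat.inbound(Packet("tcp", "203.0.113.5", 80, "198.51.100.1", out.sport)))
    print("unsolicited inbound:",
          nat.inbound(Packet("tcp", "203.0.113.9", 4444, "198.51.100.1", 40001)))
    print("147.10.24.16 private:", is_rfc1918("147.10.24.16"),
          "mapped:", ipv4_mapped("147.10.24.16"))
```

Real NAT devices also age mappings out and, depending on type, may accept inbound traffic from any remote address on a mapped port; the table above keys on the full flow, which is the most restrictive variant.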
DHCP
Layer 3 Networking Equipment
§ Routers
§ Layer 3 Switches
Routers
Layer 3 Switches
Layer 4: Transport Layer
TCP – Connection Oriented Session
TCP/UDP Port Numbers
§ Both TCP and UDP use port numbers to hand data to the higher layers, as these port numbers are used to differentiate between conversations.
§ The source port of a client is normally assigned dynamically (an ephemeral port).
- However, the destination port is typically one of a number of well-known port numbers assigned to common services (e.g. 80 for HTTP, 502 for Modbus TCP).
Layer 6: Presentation Layer
Problems with the OSI Model
Cryptography Introduction
§ One of the most important and powerful security controls used for network security is cryptography.
§ It provides us with a plethora of security services, which help reduce our risk profile.
§ In modern cryptography the main areas of focus are:
- Symmetric cryptography
- Asymmetric cryptography (public key cryptography)
- Including digital certificates
- Hashing algorithms
- Message Authentication Codes (MACs)
§ The benefits of cryptography, and the effects of its poor or missing use, can be seen within the ICS environment.
Security Services
Symmetric Key Cryptography (secret key)
[Figure: symmetric encryption. The sender encrypts plain text with the secret key; the receiver decrypts the encrypted text with the same secret key.]
Pros vs cons
Asymmetric Cryptography (public-key)
§ Makes use of two different keys: a public key (can be shared) and a private key (must never be shared).
§ Designed to enable the secure sharing of keys, and hence encryption, when a trusted relationship has not yet been built, i.e. keys have not previously been shared and a shared key is not desirable.
§ Public-key encryption makes use of a mathematical concept called a one-way function, i.e. easy to compute but difficult/hard to reverse. Public-key schemes need a special kind of one-way function, a trapdoor function, which becomes easy to reverse only for whoever holds the secret (the private key).
- ElGamal and ECC rely on the Discrete Logarithm Problem, with ECC working in groups defined by elliptic curves; RSA relies on the difficulty of factoring large integers.
§ Communication data is encrypted using the receiver's public key, with the data decrypted by the receiver using their private key.
§ Examples: RSA, ElGamal and Elliptic Curve Cryptography (ECC).
Asymmetric Cryptography (public-key)
[Figure: asymmetric encryption. The sender encrypts plain text with the receiver's public key (key 1); the receiver decrypts the encrypted text with their own private key (key 2).]
Pros vs cons
Key management
Hybrid cryptography
[Figure: hybrid encryption between sender and receiver. The bulk data is encrypted and decrypted with a symmetric key, and public-key cryptography is used only to protect that symmetric key in transit.]
Hashing Algorithms
§ While not a cipher, as it does not use a key, hash functions are a vital component and are heavily used throughout technology.
§ The algorithm uses a one-way function to produce a fixed-length hash regardless of input length. The algorithm must be easy to compute but difficult to reverse to be considered secure.
- As such, a message can be sent in plain text with a hash added, which the receiver recomputes to check that the message has not been modified.
§ The output hash is fully dependent on the input; any change in the input should produce a different hash output.
§ A hashing algorithm requires collision resistance: it must be infeasible to find two inputs that create the same hash output.
§ As there is no key, anyone can create a hash, meaning a bare hash only protects against accidental modifications or simple manipulations by a low-level threat actor; a deliberate attacker simply recomputes the hash for the modified message.
§ Used as a checksum in many applications.
§ Examples: MD5 (defeated), SHA-1 (defeated), SHA-2, SHA-3, RIPEMD, Whirlpool, etc.
Hashing Algorithms
SHA3-256 of two inputs that differ in a single character:
"Hello World!"  d0e47486bbf4c16acac26f8b653592973c1362909f90262877089f9c8a4536af
"Hello Wqrld!"  8f2233bf3bcfbe13155d79dbc3e70fc94c19ec49bf48ab732b64053c1397cd5c
Digital Signature
[Figure: digital signature overview. The signer runs the signature algorithm over the message to produce the digital signature; the verifier runs the verification algorithm over the message and the signature.]
Digital Signature
[Figure: digital signature in detail. Signer: the message is passed through a hash function and the hash is signed with the signature algorithm (using the signer's private key), producing the digital signature. Verifier: the received message is hashed again and the signature verification algorithm (using the signer's public key) checks the signature against that hash.]
General Message Authentication Code (MAC) Process
[Figure: MAC process. Sender: the MAC algorithm takes the shared MAC key and the message and produces the MAC, which is sent with the message. Verifier: the MAC algorithm is run again with the same key over the received message and the result is compared with the received MAC.]
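The hashing slide above and the MAC process, as one added example (this script is not part of the course material; the control message, the shared key and the attacker's edit are constructed): a message sent with a bare hash still verifies after a keyless attacker rewrites it and recomputes the hash, whereas the same attack against an HMAC fails because the tag cannot be recomputed without the key. It also counts how many digest bits flip for the one-character change shown on the slide.

```python
"""Integrity with a bare hash versus a keyed MAC (HMAC).  Added example, not part
of the course material; the message, key and attacker edits are constructed."""
import hashlib
import hmac


def sha3_256_hex(data: bytes) -> str:
    """Fixed-length (256-bit) digest regardless of input length."""
    return hashlib.sha3_256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two equal-length hex digests (avalanche check)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# --- message + hash: detects accidental corruption only ------------------------

def send_hashed(message: bytes):
    """Plain-text message with its hash appended, as on the slide."""
    return message, sha3_256_hex(message)


def verify_hashed(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(sha3_256_hex(message), digest)


def tamper_hashed(message: bytes, digest: str, new_message: bytes):
    """A keyless attacker changes the message and simply recomputes the hash."""
    return new_message, sha3_256_hex(new_message)


# --- message + MAC: detects deliberate modification without the key ------------

def send_mac(key: bytes, message: bytes):
    return message, hmac.new(key, message, "sha3_256").hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    expected = hmac.new(key, message, "sha3_256").hexdigest()
    # constant-time comparison: a plain == leaks how many leading bytes matched
    return hmac.compare_digest(expected, tag)


def tamper_mac(message: bytes, tag: str, new_message: bytes):
    """Without the key the attacker can only forward the old tag with the new message."""
    return new_message, tag


if __name__ == "__main__":
    a, b = sha3_256_hex(b"Hello World!"), sha3_256_hex(b"Hello Wqrld!")
    print(a)
    print(b)
    print("digest bits changed by one character:", bit_difference(a, b))
    cmd = b"SET valve_17 OPEN"                    # constructed control message
    key = b"constructed-32-byte-shared-key!!"     # constructed shared secret
    m, d = tamper_hashed(*send_hashed(cmd), b"SET valve_17 CLOSED")
    print("hash only, tampered, still verifies:", verify_hashed(m, d))   # True
    m, t = tamper_mac(*send_mac(key, cmd), b"SET valve_17 CLOSED")
    print("HMAC, tampered, verifies:", verify_mac(key, m, t))            # False
```

A MAC proves the message came from someone holding the key, but both sides hold it, so it cannot show a third party which of them sent it; that is the non-repudiation property that a digital signature adds.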
Security services provided
Secure Protocols
§ Topics (the seven foundational requirements of IEC 62443):
- Identification and Authentication Control
- Use Control
- System Integrity
- Data Confidentiality
- Restricted Data Flow
- Timely Response to Events
- Resource Availability
Fundamental Issue
§ Until recently, protocols and devices were not designed with security as the priority, but rather functionality.
§ TCP and IP were not designed to be secure
- They were designed to ensure that communications work, i.e. reliability
§ PLCs were designed to replace relays
- They were not designed to be secure; they were designed to fulfil the requirements of the environment.
§ Storms/floods
§ Known vulnerabilities, e.g.
- Smurf (ICMP amplification via broadcast addresses)
- EternalBlue (SMBv1)
§ Spoofing
§ Man-in-the-middle
§ Replay attacks
§ Sniffing
§ Session hijacking
§ Buffer or stack overflow
§ Brute force or dictionary
IACS Cyber security
Taken from "Pictures and theories may help, but data will set us free", blog available at: ics.sans.org
How Big is the Problem for IACS?
Security Objectives
- Integrity – the assurance that data has not been altered in an unauthorised manner, mainly revolving around detecting the alteration rather than preventing it.
- Availability – the assurance that the asset will be able to perform its function when required.
§ In the ICS environment, parts of this triad (confidentiality, integrity, availability) will be more critical than others, and a balance for the facility must be found.
§ This includes the intended function of the facility; for example, in general terms, the objective could be to fulfil the functionality of the process while not operating under unreasonable risk in terms of safety, environmental or financial risk.
Cyber Kill Chain
§ For the sake of understanding possible attack paths, there are multiple conceptual models of how an attack may be carried out.
[Figure: NCSC stages of an attack: Delivery, Breach, Effect]
Sources:
- https://www.ncsc.gov.uk/information/reducing-your-exposure-to-cyber-attack
- https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
CRASHOVERRIDE
CRASHOVERRIDE – Attack Flow
- Payload execution: connect to control systems; manipulate state
- Post attack: leave behind a backdoor; DDoS
Slowik, "Evolution of ICS Attacks and the Prospects for Future Disruptive Events".
TRISIS
§ Malware which led to operational disruption at a Saudi Arabian oil and gas facility in 2017.
§ The malware was a rootkit designed to gain access to a model of Schneider Electric's Triconex Safety Instrumented System (SIS).
§ Through that access an attacker could potentially change SIS parameters, with various further implications.
§ Much like CRASHOVERRIDE, the TRISIS malware was only the final stage: the activity group behind it (tracked by Dragos as XENOTIME) captured credentials to move through the network.
§ This allowed the attackers to traverse from the IT environment to the ICS network.
TRISIS – Attack Path
1. Establish access on the system connecting to the SIS (the SIS engineering workstation).
2. Transfer the TRISIS package to that system.
3. The TriStation program (the Triconex engineering tool and protocol) is used to compromise the SIS.
4. Leverage access for ICS disruption via the SIS.
Defence-In-Depth
Network Security Technologies
Multi-Factor Authentication (MFA)
What is a Firewall?
Hardware Firewalls
- Packet Filter
- Stateful Inspection
Firewall Policy
§ While it is simple to install a firewall, it will not be effective until it has been correctly configured.
§ The configuration of firewalls requires both the competence to create the firewall rules and an understanding of the network environment.
- A poorly configured firewall not only poses a security threat, but can also hinder effective and safe operation, which is vital in the ICS environment.
Firewall Policy
§ Access Control List (ACL) rules typically reside on routers and firewalls and use IP addresses to determine which devices' traffic should be routed and in which direction.
§ ACLs are in essence ordered lists of conditions that categorise packets, using such information as:
- Source and destination IP address,
- Source and destination TCP or UDP port numbers,
- State of the TCP "ACK" bit (set on every segment of an established conversation, clear on the opening SYN),
- Direction of packet flow (i.e. A->B or B->A).
§ Building a good filter requires a good understanding of the network, the likely device conversations that will occur and what protocols may be in use.
§ A firewall can only be as effective as the ACLs used, and they therefore require careful consideration.
Business/Process Firewall Architectures
§ It is both common and considered best practice that the business and the process (ICS) networks are kept as separate as possible. This is commonly done through the use of a Demilitarised Zone (DMZ).
§ The actual designs of DMZs will differ; for example, one design may use a single firewall that has three network cards.
§ This is done in an attempt to segment the ICS from the business network, a recommended step for any site which contains both IT and ICS components, although more substantial segmentation may be needed dependent on the threats and risks.
ICS Firewall Configuration Best Practices
§ Use a DENY-all default approach. In practice this means that ports and services between the ICS environment and an external network should be enabled and permissions granted on a specific, case-by-case basis.
§ All rules shall restrict traffic to a specific IP address or range of addresses, in an attempt to limit IP spoofing attacks;
§ Any "permit" rule should be both IP address and TCP/UDP port specific, to restrict spoofing efforts;
§ Prevent traffic from transiting directly between the ICS network and the enterprise network. In practice this means that all traffic should terminate in the DMZ;
§ Any protocol allowed between the ICS and the DMZ is explicitly NOT allowed between the DMZ and the enterprise network (and vice versa);
§ ICS devices should not be allowed to access the Internet; this is an effort to reduce possible attack vectors and entry points to the ICS network.
§ All firewall management traffic should be either via a separate, secured management network (e.g. out of band) or over an encrypted network with two-factor authentication. Traffic should also be restricted by IP address to specific management stations.
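The ACL matching described on the Firewall Policy slide and the best practices above, as one added example (this script is not part of the course material and its rule syntax is its own, not any vendor's; the zones, hosts and packets are constructed): a first-match evaluator with an implicit deny-all, an ACK-bit "established" rule so the PLC can answer the DMZ historian but never open a connection itself, no rule at all for ICS-to-enterprise or ICS-to-Internet traffic, and an audit function that flags any permit rule that is not both address- and port-specific.

```python
"""First-match ACL evaluator with an implicit deny-all, plus an audit of permit
rules against the best practices above.  Added example, not course material and
not any vendor's syntax; the zones, hosts and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    ack: bool = False     # TCP ACK bit: set on every segment except the opening SYN


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # protocol name or "any"
    src: str              # CIDR
    dst: str              # CIDR
    dport: Optional[int] = None   # None = any destination port
    established: bool = False     # match only TCP segments with ACK set (replies)

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not (p.proto == "tcp" and p.ack):
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return the action of the first matching rule; nothing matched means deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Flag permit rules that are not both address- and port-specific."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        if (ipaddress.ip_network(r.src).prefixlen == 0
                or ipaddress.ip_network(r.dst).prefixlen == 0):
            findings.append(f"rule {i}: permit with an unrestricted address")
        if r.dport is None and not r.established:
            findings.append(f"rule {i}: permit without a destination port")
        if r.proto == "any":
            findings.append(f"rule {i}: permit for any protocol")
    return findings


# Constructed zones: ICS 10.10.0.0/16, DMZ 10.20.0.0/24, enterprise 10.30.0.0/16.
PLC = "10.10.1.5/32"            # Modbus TCP device inside the ICS zone
HISTORIAN = "10.20.0.10/32"     # data collector in the DMZ
ENTERPRISE = "10.30.0.0/16"

RULES = [
    # ICS <-> DMZ: the DMZ historian may poll one PLC on port 502; only replies come back.
    Rule("permit", "tcp", HISTORIAN, PLC, dport=502),
    Rule("permit", "tcp", PLC, HISTORIAN, established=True),
    # Enterprise <-> DMZ: users read the historian's web front end on 443.  Modbus is
    # deliberately absent here, so no protocol spans both the ICS and enterprise sides.
    Rule("permit", "tcp", ENTERPRISE, HISTORIAN, dport=443),
    Rule("permit", "tcp", HISTORIAN, ENTERPRISE, established=True),
    # No rule for ICS -> Internet or ICS <-> enterprise: the implicit deny covers them.
]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.20.0.10", 50001, "10.10.1.5", 502),
                Packet("tcp", "10.10.1.5", 502, "10.20.0.10", 50001, ack=True),
                Packet("tcp", "10.10.1.5", 502, "10.20.0.10", 50001),
                Packet("tcp", "10.30.0.5", 50002, "10.10.1.5", 502),
                Packet("udp", "10.10.1.5", 53000, "8.8.8.8", 53)):
        print(evaluate(RULES, pkt), pkt)
    print("audit findings:", audit(RULES))
```

The ACK-bit trick is what a stateless packet filter has to rely on; a stateful firewall tracks the connection table instead, which is stronger because a forged segment with ACK set is not enough to match an "established" rule.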
Network Segmentation
De-Militarised Zone (DMZ)
§ Once the ICS network has been physically segmented where necessary, it is likely that communication is still needed between these zones.
§ This communication is controlled through the use of a DMZ.
§ This is a physical or logical subnetwork which controls communication between two zones at differing trust levels (Security Levels in IEC 62443).
§ There are different ways of implementing a DMZ, two of which are:
- Single firewall DMZ – uses a single firewall with 3+ network interfaces. The firewall will not allow any direct communication between the two zones but will instead forward to the DMZ.
- There is an issue with the firewall being a single point of failure.
- Dual firewall DMZ – uses two firewalls, meaning that there is no longer the issue of a single firewall being a single point of failure.
VPN Applications
Site-to-Site VPNs
System Hardening
Structure
§ IACS Patching
§ Asset Owner Requirements
§ IACS Product Supplier Requirements
§ Exchanging Patch Information
§ Annex A – VPC XSD format
§ Annex B – IACS Asset Owner Guidance
Importance of Patching
§ IACS and the software it relies on are highly vulnerable to both errors and possible attacks.
§ New vulnerabilities are discovered and published often, and not all are disclosed.
§ Malware authors take advantage of these vulnerabilities to exploit systems.
§ Old malware still works on unpatched systems, e.g. NotPetya, Stuxnet, WannaCry.
Challenges in Patching IACS
Asset Owner Requirements
§ Establish and maintain an inventory of all electronic devices associated with the
IACS and currently installed versions for each device
§ Determine on a regular schedule what upgrades and updates are available for
each device and are identified as compatible by the IACS product supplier
§ Test the deployment of patches in a manner that reflects the production
environment
§ Schedule qualified patches for installation at the next available opportunity within
the constraints of system design
§ Update records at a planned interval (e.g. quarterly)
§ Periodically (e.g. annually) identify security vulnerabilities
in company’s IACSs
§ Implement patches, or equivalent countermeasures to
mitigate security vulnerabilities that exist in the IACS
IACS Product Supplier Requirements
§ Provide documentation describing the software patching policy for the products and systems they supply
§ Qualify, in terms of applicability and compatibility, all relevant patches by analysing and verifying them, including patches released by the supplier of the OS and third-party software used by the IACS products;
§ Provide a list of all patches and their approval status, including the information described in Annex A;
§ Inform the asset owners and update the list of patches within 30 days after a patch is released by the manufacturer of the OS or third-party software
§ Provide adequate warning about components reaching 'end of life'
Anti-Virus Management
§ Malware-related incidents are the number one cause of cyber-related production losses and upsets in process control systems.
§ Viruses are having a major impact on control systems and are likely to do so for the foreseeable future.
§ It is commonly believed that anti-virus software is incompatible with process control systems and thus should not be used on the plant floor.
§ This is no longer true: all major DCS and PLC vendors now support anti-virus software on their Windows-based platforms.
Logging / Monitoring
§ In order to get some form of attribution and to enable investigations in the event of an incident, some form of logging should be in place.
§ This can be achieved through many methods, including on the devices themselves.
§ Two types of logging can be done:
- Active – logs the data and has some form of monitoring in place to detect if a log has been created for an event which is not desired/expected, e.g. a password change.
- Passive – logs the data and stores it in a location. There is no monitoring in place and it is only used for analysis should an incident occur.
§ Free Windows-based service from the NCSC – LME (Logging Made Easy)
- Provides scripts to gather Windows events and utilises the free tier of an ELK stack to visualise the events.
§ Consideration should be given to alarms, to limit false alarms, both positive and negative. It is also important to limit the possibility of alarm fatigue.
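The active/passive distinction above, as an added example (this script is not part of the course material and is not NCSC LME; the event records, the export format and the alert rules are constructed): the same store feeds both modes, and the active monitor adds a rule pass that turns the slide's "password change" case into an alert, rating it higher when the event is out of hours or one account acts on another.

```python
"""Active versus passive logging: parse constructed Windows Security event records
and raise alerts for account and password changes.  Added example, not course
material and not NCSC LME; the records and the alert rules are this script's own."""
import datetime as dt
from dataclasses import dataclass
from typing import List, Tuple

# Windows Security event IDs used below (standard Microsoft values).
WATCHED = {
    4723: "password change attempted",
    4724: "password reset attempted by another account",
    4720: "user account created",
}


@dataclass(frozen=True)
class Event:
    when: dt.datetime
    event_id: int
    host: str
    subject: str   # account performing the action
    target: str    # account affected


def parse_line(line: str) -> Event:
    """Constructed export format: ISO time|event id|host|subject|target."""
    ts, eid, host, subject, target = line.strip().split("|")
    return Event(dt.datetime.fromisoformat(ts), int(eid), host, subject, target)


# Constructed sample: a normal logon (4624), an operator changing their own
# password during the day, and an out-of-hours reset plus account creation
# performed from an engineering workstation by a corporate account.
CONSTRUCTED_LOG = """\
2021-04-16T09:05:12|4624|HMI-01|OT\\operator|OT\\operator
2021-04-16T10:41:07|4723|HMI-01|OT\\operator|OT\\operator
2021-04-16T02:13:00|4724|ENG-WS-02|CORP\\jsmith|OT\\operator
2021-04-16T02:13:30|4720|ENG-WS-02|CORP\\jsmith|OT\\svc_remote
"""


def passive_log(lines: List[str]) -> List[Event]:
    """Passive logging: parse and store everything; nobody looks until an incident."""
    return [parse_line(l) for l in lines if l.strip()]


def active_monitor(lines: List[str],
                   working_hours: Tuple[int, int] = (7, 19)) -> List[dict]:
    """Active logging: the same store, plus a rule pass that emits alerts.

    Severity is 'high' when the event is outside working hours or one account
    acts on another (a reset or a creation), otherwise 'medium'.
    """
    alerts = []
    start, end = working_hours
    for ev in passive_log(lines):
        if ev.event_id not in WATCHED:
            continue
        out_of_hours = not (start <= ev.when.hour < end)
        acts_on_other = ev.subject != ev.target
        alerts.append({
            "when": ev.when.isoformat(),
            "host": ev.host,
            "rule": WATCHED[ev.event_id],
            "subject": ev.subject,
            "target": ev.target,
            "severity": "high" if (out_of_hours or acts_on_other) else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in active_monitor(CONSTRUCTED_LOG.splitlines()):
        print(alert)
```

The value of the active mode is in the rule set, not the plumbing: an alert on every 4723 would produce the alarm fatigue the slide warns about, so the rule keys on context (time of day, who acted on whom) rather than on the event ID alone.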
Intrusion Detection Systems (IDS)
§ They are network security appliances that monitor networks and packets for any malicious activity.
§ An IDS acts as a monitor, while an Intrusion Prevention System (IPS) works to actively stop threats as they occur.
§ By monitoring and recording information about malicious activity, it allows network admins to respond to any threat, or, after an incident, to perform forensic activities.
§ The key difference between an IDS and an IPS is that an IPS sits in-line and works in real time to actively block intrusion attempts or known malicious activity. This is done by raising alarms, applying correlation rules, dropping malicious packets and resetting the connections of any malicious hosts.
IDS Issues
§ If using a NIDS, implement the devices at entry points (interfaces) to the network, as this is the most likely place to be able to record an intrusion attempt.
§ Where using IDS signatures, use ICS-specific signatures if possible, as this will in theory reduce the possibility of false positives.
§ When using behavioural detection or an IPS, extreme caution should be taken, including ensuring that vendors know of its use: an in-line device that drops or resets a legitimate control conversation can itself cause a process upset.
Distributed Intrusion Detection Example
§ Unified Threat Management (UTM) devices are devices which have been designed to perform several security functions within a single device. Examples of the security functions are:
- Network firewalling
- Network intrusion prevention
- Gateway antivirus (AV)
- Gateway anti-spam
- VPN
- Content filtering
- Load balancing
- Data leak prevention
- On-appliance reporting
§ While a single device that performs multiple functions is useful, it does present a single point of failure; as such, it may be more prudent in some circumstances to use multiple layers of devices.
Honeypots
Physical Security
§ Physical security issues arise where it is possible to introduce exploits via removable media or, for example, by adding an unauthorised wireless access point or a keylogger. To combat this, some form of physical security system, including site walkthroughs for inspections, is required.
§ Personnel security is important, and some form of access control system and vetting process should be put in place to restrict the ability of malicious personnel or persons to attack the site.
Exercising and Backups
§ Due to the safety requirements put onto sites, it is common that a site will always revert to a safe state, in effect ceasing production.
§ Ceasing production may itself not be acceptable, and with the introduction of NIS (the Network and Information Systems Regulations) an outage may have regulatory impacts of its own.
§ As such, there is a need for Business Continuity Planning to ensure the continued functioning of the site.
§ This is done by first analysing the business impacts of the loss of certain critical processes; this is called a Business Impact Analysis (BIA).
§ Next the risk is assessed and the tolerance for these business risks determined.
§ The site will then determine what state they wish/need to return to and in what timeframe.
- This is then communicated to the relevant stakeholders through a Business Continuity Plan (BCP).
§ It is this information which is used to determine what data is backed up and how it is backed up.
16/04/2021 TÜV Cyber Security Program
Industrial Protocols
Modbus
§ Serial-based communications protocol originally published in 1979 by Modicon (now Schneider Electric) to be used with its Programmable Logic Controllers (PLCs)
§ Considered the most common ICS protocol in use, due to it being very simple, robust and open to use without royalties.
§ Since it was first implemented it has been modified to work on Ethernet networks. This is accomplished by carrying the Modbus PDU inside a TCP/IP connection (Modbus TCP), transmitted using TCP port 502 by default.
§ Basic functions support reading and writing of PLC registers and I/O. The protocol has no authentication of its own: any host that can reach port 502 can issue those reads and writes.
[Figure: Modbus master/slave arrangement, with masters polling a slave]
Modbus
Modbus Alignment to OSI Model
Modbus on TCP
- Transport layer: TCP
- Network layer: IP
- Data-link layer: Ethernet 802.3
- Physical layer: Ethernet physical layer
Modbus serial (Modbus+ / RTU / ASCII)
- Data-link layer: Modbus+/HDLC or master/slave
- Physical layer: EIA/TIA-232C or EIA/TIA-485
[Figure: Modbus serial frame: Slave Address | Function Code | Data | error check (CRC for RTU, LRC for ASCII)]
Modbus RTU
§ Modbus RTU is one iteration of the Modbus protocol; others include Modbus+, Modbus ASCII, Modbus TCP/IP and Modbus over TCP/IP, as well as other iterations.
§ Modbus RTU and Modbus ASCII support binary and ASCII transmissions over serial buses respectively.
§ They are considered the simplest implementations of the Modbus protocol.
Modbus TCP
- The most common way to transport Modbus over Ethernet using TCP is to use Modbus TCP, which uses TCP over IP to issue commands over routable networks. It does this by removing the serial slave address and CRC, keeping only the PDU (function code and data). An MBAP header (transaction id, protocol id, length, unit id) is then prepended to create the new frame. Error checking is left to the TCP/IP and Ethernet layers.
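The RTU and TCP framing from the last three slides, as one added example (this script is not part of the course material; the unit id, register addresses and "captured" frames are constructed): it builds an RTU frame with its CRC-16, strips the address and CRC to obtain the PDU, and prepends the MBAP header exactly as the Modbus TCP slide describes. The last helper, which flags write function codes, is the kind of ICS-specific signature logic the IDS slide recommends, since a write PDU from anything but the authorised master is the event worth alerting on.

```python
"""Modbus RTU and Modbus TCP framing: CRC-16, the MBAP header and the RTU -> TCP
conversion described above, plus a check for write function codes.  Added
example, not course material; unit ids, registers and frames are constructed."""
import struct

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}   # coil and register writes


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def pdu_read_holding(start: int, count: int) -> bytes:
    """PDU = function code + data; here FC 3, start address, register count."""
    return struct.pack(">BHH", READ_HOLDING_REGISTERS, start, count)


def pdu_write_single(address: int, value: int) -> bytes:
    return struct.pack(">BHH", WRITE_SINGLE_REGISTER, address, value)


def build_rtu(slave: int, pdu: bytes) -> bytes:
    """RTU frame: slave address | PDU | CRC (low byte first on the wire)."""
    body = bytes([slave]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu(frame: bytes):
    """Return (slave address, PDU); raise if the CRC does not match."""
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc:
        raise ValueError("Modbus RTU CRC mismatch")
    return body[0], body[1:]


def build_tcp(transaction: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id | protocol id (0 = Modbus) | length | unit id, then PDU."""
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


def parse_tcp(frame: bytes):
    """Return (transaction id, unit id, PDU); raise on a malformed MBAP header."""
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7:]


def rtu_to_tcp(rtu_frame: bytes, transaction: int) -> bytes:
    """Drop the serial address and CRC, keep the PDU, prepend an MBAP header."""
    slave, pdu = parse_rtu(rtu_frame)
    return build_tcp(transaction, slave, pdu)


def parse_read_holding_response(pdu: bytes):
    """FC 3 response: function code | byte count | 16-bit register values."""
    if pdu[0] != READ_HOLDING_REGISTERS:
        raise ValueError("not a read-holding-registers response")
    count = pdu[1] // 2
    return list(struct.unpack(">%dH" % count, pdu[2:2 + 2 * count]))


def is_write_request(pdu: bytes) -> bool:
    """Anything that changes process state; a monitoring rule would alert when
    such a PDU arrives from a host that is not the authorised master."""
    return pdu[0] in WRITE_FUNCTION_CODES


if __name__ == "__main__":
    rtu = build_rtu(1, pdu_read_holding(0, 1))
    print("RTU :", rtu.hex(" "))                  # 01 03 00 00 00 01 84 0a
    tcp = rtu_to_tcp(rtu, transaction=1)
    print("TCP :", tcp.hex(" "))                  # 00 01 00 00 00 06 01 03 00 00 00 01
    print("regs:", parse_read_holding_response(bytes.fromhex("0304000a0102")))
    print("write?", is_write_request(pdu_write_single(0x0010, 1)))
```

Note how little is needed to craft a valid write: the CRC and the MBAP length are the only integrity checks, and both are trivially recomputed, which is the concrete form of the "no authentication" point above.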
Modbus Specific Security Issues
PROFIBUS
- PROFISAFE
- PROFINET (PROFIBUS over Ethernet)
- PROFIDRIVE
Security Issues
Profibus - OSI Model Comparison
[Figure: PROFIBUS mapped against the OSI model; the Presentation, Session, Transport and Network layers are not used (PROFIBUS defines layers 1, 2 and 7 only)]
OPC
§ Object Linking and Embedding (OLE) for Process Control is not a specific ICS protocol but rather a series of standard specifications.
§ Communication standard developed in 1996 by an industrial automation industry task force to provide a standardised way for systems to exchange data over an Ethernet network using a core set of Microsoft technology: OLE, COM and DCOM.
§ The underlying mechanism behind this communication was inter-process communication using the Remote Procedure Call (RPC) protocol.
§ Specifies the communication of real-time plant data between control devices from different manufacturers.
§ The OPC Foundation maintains the standard.
Security Issues of OPC's Use
§ Due to its use of DCOM and RPC, OPC is relatively highly vulnerable to a multitude of attack vectors, including those of the more widely used OLE.
§ As classic OPC is rooted in the Windows Operating System (OS), it is susceptible to all of the vulnerabilities inherent in the OS.
§ As OPC makes use of the RPC protocol, it is susceptible to all RPC-related vulnerabilities. Classic OPC (DCOM) also negotiates dynamic TCP ports, which makes it hard to filter with a firewall.
EtherNet/Industrial Protocol (EtherNet/IP)
[Figure: CIP encapsulation. The Common Industrial Protocol (CIP) is carried by EtherNet/IP encapsulation over TCP or UDP.]
Distributed Network Protocol (DNP3)
[Figure: DNP3 frame layout]
- Data link layer: Start | Length | Control | Destination | Source | CRC
- Transport layer: Transport Control
- User data: Length | Application Units | CRC
- Application layer: Application Control | Function Code | Internal Indicators
Building Automation and Control Networks (BACnet)
§ Concern revolves around the connecting of ICS devices to the internet, where these protocols are encapsulated within TCP/IP packets.
§ When this occurs, attackers can exploit the security vulnerabilities within the industrial protocols to cause security incidents.
§ However, it is possible for these protocols to be implemented with additional security features, such as IPsec, SSH, TLS, etc., to better protect these low-level devices where an internet connection is required.
§ The person accountable for any security incident is the head of the company, typically the CEO.
§ However, the person responsible is normally someone else: the CEO delegates ownership of the risk to someone who will ensure that the risk is managed.
- However, the CEO remains accountable for the risk.
§ To manage this risk there are commonly Security Officers or Security Managers who manage the risk within the boundaries defined by a risk assessment.
§ Due to the complexity of responsibilities, it is important to formally define the relevant roles and responsibilities and ensure that they are communicated to the appropriate people.
Establishing an Industrial Automation and Control Systems Security Program
§ IEC 62443-2-1 focuses on how to create a security program for control systems.
§ The program is integrated into a "Cyber Security Management System" (CSMS).
§ Currently under review, with a new edition expected to be released in 2020.
§ Details of the program are described by elements and requirements for each element.
§ The elements and requirements are organised into three main categories:
- Risk Analysis
- Addressing the Risk with the CSMS
- Monitoring and Improving the CSMS
§ Each category is then divided further into elements or groups.
§ Each element then has a number of objectives with requirements to be fulfilled to achieve the element.
NIST Cyber Security Framework (CSF)
CATEGORY – Risk Analysis
§ The first main category in the IEC 62443-2-1 methodology for a CSMS is Risk Analysis.
§ This category contains two elements:
- Business Rationale
- Risk identification, classification and assessment.
§ The objective of the Business Rationale element is to identify and document the needs of the organisation to address cyber risks.
§ This is accomplished by developing a business rationale which assesses the possible consequences of cyber risk; this will be used to determine the correct amount of investment needed.
CATEGORY – Risk Analysis
ELEMENT – Business Rationale
§ The first step in developing an effective cyber security program starts with:
- Gathering individuals who recognise the risks the organization is taking into a
team.
- Documenting and communicating these risks internally to the appropriate
stakeholders.
- Developing a compelling business case that captures the business concerns of
senior management, allowing the risks to be fully understood by senior
management.
§ Key Components of the Business Rationale:
- Prioritised Business Consequences, as well as a list of
potential consequences that senior management will find compelling.
- Prioritised Threats – a list of potential threats refined to those threats that are
considered credible.
- Estimated Annual Business Impact – the high priority items in the consequences list,
scrutinised to obtain an estimate of the annual business impact.
CATEGORY – Risk Analysis
ELEMENT – Risk Identification, Classification and Assessment
§ Before cyber risk controls are implemented the possible risks must be first
identified, analysed and assessed.
§ Risk Analysis in a security setting is a process that identifies:
- Assets
- Threats
- Vulnerabilities
- Consequences
- Likelihood
- Existing counter measures
§ To ensure that this process is effective and complete, it should be performed in a
defined and systematic way.
(Diagram: threat source acting on the system.)
Understanding Risk
§ We must first understand the risk; this will be done by:
- Identifying the critical assets
- Determining the realistic threats
- Identifying existing vulnerabilities
- Understanding the consequence of compromise
- Assessing effectiveness of current safeguards
§ Next we need to develop a plan to address unacceptable risk:
- Evaluate existing countermeasures
- Recommend additional countermeasures
- Recommend changes to current policies and procedures
- Prioritize recommendations (based upon relative risk)
- Evaluate cost / complexity versus effectiveness
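The two-step procedure above (understand the risk, then plan for unacceptable risk) can be made concrete with a small risk register. The following Python is an added example, not material from the course or from IEC 62443-2-1: the 1 to 5 likelihood and consequence scales, the likelihood × consequence relative-risk product, the risk-appetite threshold, the register rows and the countermeasure costs are all constructed assumptions chosen to illustrate the ranking; a real assessment would use the organisation's own rating scheme.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example: the 1..5 rating scales, the risk-appetite threshold and
# every register entry below are assumptions for illustration, not figures from
# the course or from IEC 62443-2-1.


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a critical asset, a realistic threat,
    the vulnerability it would exploit and the ratings from the assessment."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    consequence: int                 # 1 (negligible) .. 5 (catastrophic HS&E or production impact)
    safeguard_effectiveness: float   # 0.0 .. 1.0: share of risk removed by existing safeguards

    def inherent(self) -> int:
        """Relative risk before safeguards are credited: likelihood x consequence."""
        return self.likelihood * self.consequence

    def residual(self) -> float:
        """Relative risk that remains once current safeguards are taken into account."""
        return self.inherent() * (1.0 - self.safeguard_effectiveness)


@dataclass(frozen=True)
class Countermeasure:
    """A candidate additional countermeasure and the risks it would reduce."""
    name: str
    cost: float                      # relative cost/complexity in constructed units
    reduction: Dict[str, float]      # risk_id -> share of that risk's residual value removed


# Constructed register: three asset/threat pairs typical of an IACS network.
REGISTER: List[Risk] = [
    Risk("R1", "Safety PLC", "Malware introduced via removable media",
         "USB ports on engineering laptops are unrestricted", 3, 5, 0.2),
    Risk("R2", "Engineering workstation", "Misuse of vendor remote access",
         "Shared VPN credentials are never rotated", 4, 4, 0.5),
    Risk("R3", "Process historian", "Denial of service",
         "Unpatched network service", 2, 2, 0.0),
]

# Constructed candidates: cost and effectiveness figures are illustrative only.
CANDIDATES: List[Countermeasure] = [
    Countermeasure("USB device control", 2.0, {"R1": 0.75}),
    Countermeasure("Per-person vendor accounts with MFA", 3.0, {"R2": 0.75}),
    Countermeasure("Network segmentation into zones", 10.0,
                   {"R1": 0.5, "R2": 0.5, "R3": 0.5}),
]

RISK_APPETITE = 6.0  # assumed threshold: residual risk above this is unacceptable


def unacceptable_risks(register: List[Risk],
                       appetite: float = RISK_APPETITE) -> List[Risk]:
    """Step 1: rank the risks whose residual value exceeds the risk appetite."""
    return sorted((r for r in register if r.residual() > appetite),
                  key=lambda r: r.residual(), reverse=True)


def evaluate_countermeasures(register: List[Risk],
                             candidates: List[Countermeasure]
                             ) -> List[Tuple[str, float, float, float]]:
    """Step 2: rank candidates by risk reduction per unit of cost.

    Returns (name, total_risk_reduction, cost, reduction_per_cost), best first.
    """
    residual = {r.risk_id: r.residual() for r in register}
    rows = []
    for cm in candidates:
        benefit = sum(residual[rid] * share for rid, share in cm.reduction.items())
        rows.append((cm.name, benefit, cm.cost, benefit / cm.cost))
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    print("Unacceptable risks (highest residual first):")
    for r in unacceptable_risks(REGISTER):
        print(f"  {r.risk_id} {r.asset}: inherent {r.inherent()}, residual {r.residual():.1f}")
    print("Countermeasures ranked by reduction per unit cost:")
    for name, benefit, cost, ratio in evaluate_countermeasures(REGISTER, CANDIDATES):
        print(f"  {name}: reduces {benefit:.1f} at cost {cost:.1f} -> {ratio:.2f} per unit")
```

With these constructed figures the register flags R1 and R3 differently (R1 and R2 exceed the appetite, R3 does not), and the ranking shows why the slide pairs "prioritise on relative risk" with "cost versus effectiveness": segmentation removes the most risk in absolute terms, but the cheap USB control gives the best reduction per unit of cost, so the two views lead to different first projects.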
A Fine Balance
§ It is not possible to achieve perfect security, and it can be cost prohibitive to try
to achieve it.
§ Therefore, risk reduction must be balanced against the cost of the security
measures that mitigate the risk.
§ The second main category of the CSMS is Addressing Risk with the CSMS. This
category contains the bulk of the requirements and information contained in the
CSMS.
§ It is broken into three element groups:
- Security Policy, Organization, and Awareness
- Selected Security Countermeasures
- Implementation.
ELEMENT GROUP –
Security Policy, Organisation and Awareness
§ The first element group in the Addressing Risk with the CSMS category
contains five elements:
- CSMS Scope
- Organisational Security
- Staff Training and Security Awareness
- Business Continuity Plan
- Security Policies and Procedures.
CATEGORY – Addressing Risk with CSMS
ELEMENT – Staff Training and Security Awareness
§ A security system is only as good as its weakest link, which is usually human.
This means that user awareness is vital.
- Most people believe that technical solutions take care of the security
concerns and that their own actions have little impact.
- Policy violations and social engineering are significant contributing factors in
most security breaches, usually because an employee or contractor did not
understand the potential impact of his or her actions.
CATEGORY – Addressing Risk with CSMS
ELEMENT – Business Continuity Plan (contd.)
§ No set of defenses can prevent all disruptions due to cyber security incidents.
§ A detailed Business Continuity Plan ensures that IACS information can be restored
and utilized as soon as possible after the occurrence of a significant disruption.
§ A business continuity plan should address:
- the recovery objectives for the various systems and subsystems involved, based on
typical business needs;
- a list of potential interruptions and the recovery procedures for each;
- a schedule to test part or all of the recovery procedures.
CATEGORY – Addressing Risk with CSMS
ELEMENT – Security Policies and Procedures contd.
(Diagram of policy areas: Risk Management, Remote Access, Personnel, Wireless Access,
Subcontractor, Devices and Sensors, Access Control, Policy, Incident Response,
Portable Devices, Auditing.)
Dividing Up the Control System into Zones
§ The third element group in this category is Implementation. The elements within
this group discuss issues related to implementing the CSMS.
§ There are four elements in this element group:
1. Risk Management and Implementation,
2. System Development and Maintenance,
3. Information and Document Management,
4. Incident Planning and Response.
Execute Cyber Security Risk Mitigation Projects
- Project design
- Project execution
§ A change management system that includes both the IT and IACS environments
needs to be developed and implemented.
§ Can be based on existing company change management procedures.
§ It is important to assess all the risks of changing the IACS.
§ Using clearly defined criteria, proposed changes to the IACS should be reviewed for their
potential impact on HS&E risks and cyber security risks by individuals technically
knowledgeable about the process and the IACS.
§ The security capabilities and design of a new system being installed in the IACS
environment shall meet the security policies and procedures required for that
zone/environment.
§ Similarly, maintenance upgrades or changes shall meet the security requirements
for the zone.
Establish an Incident Response Program
An incident response program should be established and tested:
§ Classification of incidents – The various types of incidents should be identified
and classified by their effects and likelihood, so that a proper response can be
formulated for each potential incident.
§ Contingency planning – Contingency plans cover the full range of failures or
problems that failures in the IACS cyber security program could cause.
§ Response actions – Acceptable responses that can be taken in the event of a
security incident. These range from doing nothing to a full system shutdown.
§ Recovery actions – Step-by-step recovery actions should be documented so that the
system can be returned to normal operations as quickly and safely as possible.
§ The third main category of the CSMS is titled Monitoring and Improving the
CSMS.
§ It involves both ensuring that the CSMS is being followed, as well as reviewing
the CSMS itself for effectiveness.
§ There are two elements in this category:
Security is a Continuous Process
Adopt Continuous Improvement Operational Measures
- Audit Results
- Incident Data
Establish, Refine and Implement Changes to the CSMS
(Course map: Networking Basics, Cryptography Basics, Cybersecurity Countermeasures,
Industrial Protocols, Cybersecurity Management System (CSMS), Conclusion and Exam Advice.)
Questions
Exam Advice