Control Systems Under Attack !?

about the Cyber-Security

of modern Control Systems

Dr. Stefan Lders (CERN Computer Security Officer)

Openlab Summer Student Lectures
July 23rd 2012
 Security in a Nutshell
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Security is as good as the weakest link:

Attacker chooses the time, place, method
Defender needs to protect against all possible attacks
(currently known, and those yet to be discovered)

Security is a system property (not a feature)

Security is a permanent process (not a product)
Security cannot be proven (phase-space-problem)

Security is difficult to achieve, and only to 100%-.

At CERN, every single computing resource owner defines !!!

BTW:
Security is not a synonym for safety.
 Security in a Nutshell
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Security is as good as the weakest link:

Attacker chooses the time, place, method
Defender needs to protect against all possible attacks
(currently known, and those yet to be discovered)

Security is a system property (not a feature)

Security is a permanent process (not a product)
Security cannot be proven (phase-space-problem)

Security is difficult to achieve, and only to 100%-.

At CERN, every single computing resource owner defines !!!

BTW:
Security is not a synonym for safety.
 Warm-Up: A small quiz
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

What links to www.ebay.com?

http://www.ebay.com\cgi-bin\login?ds=1%204324@%31%33%37
%2e%31%33%38%2e%31%33%37%2e%31%37%37/p?uh3f223d

http://www.eba.com/ws/eBayISAPI.dll?SignIn

http://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&siteid=0&
co_partnerid=2&usage=0&ru=https%3A%2F%2Ffanyv88.com%3A443%2Fhttp%2Fwww.ebay.com&rafId=0
&encRafId=default

http://secure-ebay.com
 Control Systems in a Nutshell
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Process Control System (PCS) Safety System

 Roadmap for Today
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
Control Systems go IT...
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

In the past, PCS were

largely proprietary
stand-alone & interconnected using
proprietary networks only
accessed via modems, if at all
using own standards,
technologies & means

Today, PCS
base on custom-of-the-shelf
hardware and software (office IT)
are highly inter-connected
determine & impact widely
on our daily life
(R)Evolution: The Past
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 (R)Evolution: Today
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 Control Systems for Living
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

in the electricity sector COBB County Electric, Georgia

Middle European Raw Oil, Czech Republic
in the oil & gas sector
Athens Water Supply & Sewage
in the water & waste sector
Merck Sharp & Dohme, Ireland
in the chemical and CCTV Control Room, UK
pharmaceutical industry Reuters TV Master Control Room
in the transport sector CERN Control Centre
for production:
e.g. cars, planes, clothes, news
in supermarkets
e.g.claimed
The scales,No.
fridges
1 goal for cyber-security in the 21st century:
for facility management
electricity, water, C&V
for accelerator controls
 This is how PCS can look like
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Controller

Connections to
sensors & actuators

Controller

Sensors & actuators

PCS omitted security aspects!
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

In the past, PCS security was

hidden (security through obscurity)
never a real concern
a target for nerds

Today,
Same office IT-risks
inherent in PCS (TCP/IP, Windows
PCs, WWW & mail, C++, )
Same office IT-attackers
targeting PCS (viruses/worms,
saboteurs, attacker, stupidity, )
Why worry? The Risk Equation
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 Who is the threat?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Attacks performed by
Disgruntled (ex-)employees or saboteurs
Attackers and terrorists, but also since Stuxnet: (Western) countries
(step-by-step instructions on BlackHat conferences;
freeware hacking tools for Script Kiddies)
Trojans, viruses, worms,

Lack of robustness & lots of stupidity

Mal-configured or broken devices flood the network
Developer / operator finger trouble

Lack of procedures
Flawed updates or patches provided by third parties
Inappropriate test & maintenance rules / procedures
 Damage by Insiders?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 Damage by Attacker?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
Damage due to CI No-P?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
Natanz, we have a problem.
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 The Workings of Stuxnet (I)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

An infected USB stick was infiltrated

into the plant either by malicious act
or through social engineering.
Once inserted into a Windows PC, the stick
tried to compromize the O/S with up to
4(!) zero-day exploits (worth >$100k).
There were 4-5 evolutions starting 6/2009.
Infected 100.000 PCs (60% Iran,10% Indonesia).
Using rootkit technologies and two stolen
certificates, it hid from being detected.
It tried to infect other hosts and
establish a P2P connection home.

So far, nothing new:

A standard,
but expensive virus!
 The Workings of Stuxnet (II)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Stuxnet then checked the local configuration

looking for the presence of Siemens
PCS7/STEP7/WINCC SCADA software.
If so, it copied itself into the local
STEP7 project folder (to propagate further).
It replaced the S7 communication libraries
(DLLs) used for exchanging data with a PLC.
Stuxnet can now manipulate values to be
send to the PLC or displayed by the SCADA.

Stuxnet is now the

Man in the Middle
controlling the communication
between SCADA & PLC.

If not, Stuxnet got idle and would expire on 2012/06/24.

 The Workings of Stuxnet (III)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Next, Stuxnet was

fingerprinting connected PLCs.
If right PLC configuration, it
downloaded/replaced code
between 17 and 32 FBs & DBs.

This code varied the

rotational speed of the
centrifuges over months
wearing them out and
inhibiting uranium
enrichment.
The Man in the Middle
made everything looked fine
at the SCADA level
Stuxnet was not the first one!
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
Smart Meters: Nothing Learned?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Use case:
Measuring your consumption at home
Online with the grid: Optimizing the power usage
Publicly accessible, off-the-shelf, open networks

Risks:
Exploitation of meter vulnerabilities:
registration process, firmware, data,
Loss of confidentiality:
customer data available to others
Loss of integrity:
manipulation of reading data
Loss of availability:
data not available in a timely manner
Misuse as attack platform
courtesy of M. Tritschler (KEMA)
Smart Meters: Nothing Learned?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Use case:
Measuring your consumption at home
Online with the grid: Optimizing the power usage
Publicly accessible, off-the-shelf, open networks

Risks:
Exploitation of meter vulnerabilities:
registration process, firmware, data,
Loss of confidentiality:
customer data available to others
Loss of integrity:
manipulation of reading data
Loss of availability:
data not available in a timely manner
Misuse as attack platform
courtesy of M. Tritschler (KEMA)
 Why care?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
Mitigation: Todays Cacophony
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Using office-IT must also

mean using office-security
technology:
Apply same security measures
Inherent differences need to be
taken care of separately
Defence-in-Depth as a basis
Influence your vendor!!!

Too many stakeholders:

A cacophony in
standards & guidelines
A cacophony in interest
No real directions by legislators
Myths about Cyber-Security
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 Ground Rules for Cyber-Security
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Defence-in-Depth protection on every layer:

device/hardware/network firmware/operating systems/network protocols
software/applications user/integrator/developer/vendor

Segregate Patch,
networks patch,
patch!!!

Control Increase
(remote) robustness
access

Review Deepen
development collaboration
life-cycle & policies
 Ground Rules for Cyber-Security
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Defence-in-Depth protection on every layer:

device/hardware/network firmware/operating systems/network protocols
software/applications user/integrator/developer/vendor

Segregate Patch,
networks patch,
patch!!!

Control Increase
(remote) robustness
access

Review Deepen
development collaboration
life-cycle & policies
Damage due to Interconnectivity?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 Network Segregation at CERN
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Different networks
for different purposes:
for accelerator operations
and for experiments
Campus network for office computing
Additional protective measures
where needed (VPNs, ACLs, )

Restrictions on Controls Networks:

Assignment of responsibilities and usage of authorization procedures
No Internet, no (GPRS) modems, no wireless access points or laptops
Controlled inter-communication between networks
Blocked incoming emails & control over visible web pages
Controlled remote access, e.g. for maintenance, development & testing
Traffic monitoring & intrusion detection at the gates
Damage by Viruses & Worms?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 Patch, Patch, Patch!!!
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Prompt patching essential but problematic:

Compliance statement needed (vendor-side testing)
Integrator might decline responsibility if PCS is touched
PCS might need to be re-certified (e.g. SILx)
True impact on PCS unknown: thorough on-site testing!
Difficult (impossible?) to patch embedded devices!

CERN delegates patching:

Passing flexibility and responsibility to the experts
They decide when to install what on which control PC
NOT patching is NOT an option, but delays are tolerated
Running up-to-date anti-virus software and local firewalls is a must
However, processes are still not optimal:
Applications still depend too much on the O/S!
 Patch, Patch, Patch!!!
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Prompt patching essential but problematic:

Compliance statement needed (vendor-side testing)
Integrator might decline responsibility if PCS is touched
PCS might need to be re-certified (e.g. SILx)
True impact on PCS unknown: thorough on-site testing!
Difficult (impossible?) to patch embedded devices!

CERN delegates patching:

Passing flexibility and responsibility to the experts
They decide when to install what on which control PC
NOT patching is NOT an option, but delays are tolerated
Running up-to-date anti-virus software and local firewalls is a must
However, processes are still not optimal:
Applications still depend too much on the O/S!
Damage due to Openness?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 Apply the Rule of Least Privilege
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Cant follow the Rule of Least Privilege:

Default passwords still widely used not incentive/force to change
Backdoors might be present not communicated to user
Still need for shared accounts instead of personal accounts
No modern access protection for PLCs and field devices like certificates,
challenge/response, granular access control,
(The RUN-P key switch disappeared again from Siemens S7-400 PLCs)
Difficult to integrate into standard IdM: OIM, FIM, LDAP/AD/Kerberos
Cacophony of different solutions for remote access:
Is this user or vendor driven???

CERN uses PVSS (ETM/Siemens):

Full integration with CERN SSO/AD/LDAP (i.e. central IdP)
Multi-factor to come (SmartChip certificates, mobile apps, Yubikeys)
More difficult with home-grown SCADA software
 Apply the Rule of Least Privilege
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Cant follow the Rule of Least Privilege:

Default passwords still widely used not incentive/force to change
Backdoors might be present not communicated to user
Still need for shared accounts instead of personal accounts
No modern access protection for PLCs and field devices like certificates,
challenge/response, granular access control,
(The RUN-P key switch disappeared again from Siemens S7-400 PLCs)
Difficult to integrate into standard IdM: OIM, FIM, LDAP/AD/Kerberos
Cacophony of different solutions for remote access:
Is this user or vendor driven???

CERN uses PVSS (ETM/Siemens):

Full integration with CERN SSO/AD/LDAP (i.e. central IdM)
Multi-factor to come (SmartChip certificates, mobile apps, Yubikeys)
More difficult with home-grown SCADA software
 Damage due to lack of resilience?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Crashed
17%

Failed
15%
Passed
CERN 2007 68%
 Robustify!
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Many PLCs, etc. are completely unprotected:

Legacy & even todays systems fail basic security scans (nmap, Nessus).
No firewall, no anti-virus, nothing.
Wrong defaults: everything should be disabled, first.
Violating standards: They fulfill use-cases, but not abuse-cases.
No data sheets of default configuration, open ports, default accounts.
There is no certification. Nothing mandatory.
(INL & Wurldtech/Archilles procedures & results are proprietary to vendors)

Understanding is the key at CERN:

Building asset inventory & understanding dependencies
Running vulnerability tools on everything
Applying Security Baselines
i.e. a contract on security with recommendations
for configuration settings, protective means, procedures & training
 Robustify!
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Many PLCs, etc. are completely unprotected:

Legacy & even todays systems fail basic security scans (nmap, Nessus).
No firewall, no anti-virus, nothing.
Wrong defaults: everything should be disabled, first.
Violating standards: They fulfill use-cases, but not abuse-cases.
No data sheets of default configuration, open ports, default accounts.
There is no certification. Nothing mandatory.
(INL & Wurldtech/Archilles procedures & results are proprietary to vendors)

Understanding is the key at CERN:

Building asset inventory & understanding dependencies
Running vulnerability tools on everything
Applying Security Baselines
i.e. a contract on security with recommendations
for configuration settings, protective means, procedures & training
Damage due missing procedures?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

A Boeing 777 uses similar technologies

to Process Control Systems
 Review Development Life-Cycle
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Reviewing procedures for

...development of
hardware & applications
...system testing
...deployment
...operations
...maintenance & bug fixing
Use of software versioning systems,
configuration management, and
integration frameworks (e.g. Git)

Protecting operations
Keeping development separated from operations
(eventually debugging might need access to full hardware)
Avoiding online changes for the sake of safe operations:
Online changes must be authorized
Damage due to Unawareness?
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 This is a People Problem! (I)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Bringing together experts:

Control system experts know their systems
by heart but IT concepts?
IT people (should) know IT security
but dont know controls!
Synergy between both is often poorly/not
really exploited!

Openly discuss vulnerabilities:

Attackers are better networked than we are!
Attackers know of vulns probably long before we do.
Responsible disclosure also for PCS vulnerabilities.
Create SCADA_BugTraq (ideally join BugTraq, CVE, & Co.).
Deploy/train CERT/CSIRTs to understand PCS.
More activism of the vendors needed (outside standardization bodies)!
 This is a People Problem! (II)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

CERN aims to for a change of culture & a new mind set

Basic awareness training to everyone, esp. newcomers

Every owner of a computer account must follow
an online security course every 3 years.
Provisioning of static code analyzers
Dedicated training on secure development
(Java, C/C++, Perl, Python, PHP, web, ...)
Baselines & consulting
The Security Team as facilitator and enabler:
Making security part of the overall.
 This is a People Problem! (II)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

CERN aims to for a change of culture & a new mind set

Basic awareness training to everyone, esp. newcomers

Every owner of a computer account must follow
an online security course every 3 years.
Provisioning of static code analyzers
Dedicated training on secure development
(Java, C/C++, Perl, Python, PHP, web, ...)
Baselines & consulting
The Security Team as facilitator and enabler:
Making security part of the overall.
(Too) Many Standards...? (I)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007
 (Too) Many Standards...? (II)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Good Practice Guidelines Parts 1-7

U.K. Centre for the Protection of National Infrastructure (CPNI)
http://www.cpni.gov.uk/Products/guidelines.aspx
Manufacturing and Control Systems Security
ANSI/ISA SP99 TR99.00.01-04
http://www.isa.org/MSTemplate.cfm?MicrositeID=988&
CommitteeID=6821

Guide to SCADA and Industrial Control Systems Security

NIST SP800-82
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
Critical Infrastructure Protection CIP-002 to CIP-009
U.S. Federal Energy Regulatory Commission (FERC)
http://www.nerc.com/page.php?cid=2%7C20
Information Technology Security Techniques
ISO/IEC 27001:2005 and following

Plus standards of:

American Gas Association (AGA) Intl Society for Pharmaceutical Engineering (ISPE)
U.S. Chemical Industry (CIDX) Norwegian Oil Industry Association (OLF)
German Federal Association of the Gas and Water Industries ...
 (Too) Many Standards...? (II)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Good Practice Guidelines Parts 1-7

U.K. Centre for the Protection of National Infrastructure (CPNI)
http://www.cpni.gov.uk/Products/guidelines.aspx
Manufacturing and Control Systems Security
ANSI/ISA SP99 TR99.00.01-04
http://www.isa.org/MSTemplate.cfm?MicrositeID=988&
CommitteeID=6821

Guide to SCADA and Industrial Control Systems Security

NIST SP800-82
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
Critical Infrastructure Protection CIP-002 to CIP-009
U.S. Federal Energy Regulatory Commission (FERC)
http://www.nerc.com/page.php?cid=2%7C20
Information Technology Security Techniques
ISO/IEC 27001:2005 and following

Plus standards of:

American Gas Association (AGA) Intl Society for Pharmaceutical Engineering (ISPE)
U.S. Chemical Industry (CIDX) Norwegian Oil Industry Association (OLF)
German Federal Association of the Gas and Water Industries ...
 Some keyplayers
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Government Initiatives:

Global Key Players:

Mixed Communities:
EuroSCSIE

(This list is not intended to be complete.)

 Stuxnet: Protective Measures (I)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Deploy a Defense-in-Depth protection

Establish security cells on your network

Forbid usage of USB keys or use Epoxy ;
restrict usage of CDs, open shares & DFS
Teach your experts about Social Engineering
Screen your experts: alcohol/drugs,
financial, psychological/social/family,
Patch, patch, patch
and run up-to-date antivirus software
(wouldnt have helped here )

Apply Defense-in-Depth!!!
and follow a standard.
 Stuxnet: Protective Measures (II)
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

Scan you PLCs on

vulnerabilities & robustness
Lock down the PLC configuration:
Enable firewall, disable unneeded services

Enable PLC intrusion detection

Talk to your vendor!

Accept the residual risk.
 Summary
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007

PCS are (still) not designed to be secure.

They fulfill use-cases but not abuse cases.

Defence-in-Depth is the key.

Protective means must be applied on every layer.
Control System Cyber-Security should align with IT security.

Patch procedures, access protection, robustness,

security certification & documentation
need significant improvement.

Open communication, e.g. on vulns, is essential.

Get your vendors/integrators/IT people on board.

There was (is?) lots of hype on PCS security since Stuxnet.

Many vendors quickly rolled out security solutions.
Assess first. Choose a standard and apply.
 Thanks a lot !
Control Systems Under Attack !? Dr.
Dr. Stefan Stefan
Lders (CERN Lders July
IT/CO) DESY 20. 23 rd 2012
Februar 2007