Creating Realistic Cybersecurity Policies

Creating Realistic Cybersecurity Policies
David Blanco, SCADA Security Adviser, AUTOSOL Inc

Materials
White Paper & Presentation available for download: https://autosoln.com/news-events/cshm-2017/

Agenda
- Attacks against SCADA
- SCADA Security Challenges
- Separate SCADA & IT Cyber Policies
- SCADA Cybersecurity Policymaking
- Questions

What kind of attacks are SCADA systems facing?

Attacks against SCADA
- Increasing trends of attacks
- North America has most SCADA on Internet
- ICS-CERT reported 189 new equipment vulnerabilities
- ICS-CERT responded to 295 incidents in 2015
- True attack numbers are underreported

Attacks against SCADA
(network diagram: three Field Offices connected over the Internet to a Corporate Office with a Firewall & VPN Concentrator and a SCADA Server; links are labelled Unencrypted and Encrypted)

Attacks against SCADA
MIT & Kyle Wilhoit Honeypot
- 28 Days
- 39 Attacks
- 11 Countries

Attacks against SCADA
MIT & Kyle Wilhoit Honeypot
- Death of security by obscurity
- Actively hunting
- Flank IT

Attacks against SCADA
(network diagram as before, with a Random User on the Internet added alongside the Field Offices, Corporate Office, Firewall & VPN Concentrator and SCADA Server; links are labelled Unencrypted and Encrypted)

Attacks against SCADA
German Steel Mill
- IT to OT
- Blocked controllers
- Caused Explosion

Attacks against SCADA
German Steel Mill
- Accidental access very dangerous
- Safety logic failed

Attacks against SCADA
Turkish Pipeline Explosion
- Valve control
- Pipeline over pressurized
- Suppressed alarms to controllers
- Deleted logs
- $460 million

Attacks against SCADA
Turkish Pipeline Explosion
- Targeting Field equipment
- Destruction is goal
- Control is key

Attacks against SCADA
PLC Blaster
- Targeting Field equipment
- Spread directly between PLCs
- Exploits features of equipment
- NOT exploiting a vulnerability

Attacks against SCADA
- What's the difference between a hack and an accident? Not the results.
- Can you prove the difference?
- 1000+ deaths from SCADA hacking
- SCADA hacking is a strategic weapon

Why are SCADA attacks able to succeed?

SCADA Security Challenges

SCADA Security Challenges
(diagram, white paper pg. 5: the security priorities are inverted. The IT column reads Confidentiality, Integrity, Availability; the SCADA column reads Availability, Integrity, Confidentiality)

SCADA Security Challenges
Legacy Equipment Issues
- Older than attacks
- Static defenses against elements
- Not security devices
- Vendors are not cyber experts
- Features become vulnerabilities

SCADA Security Challenges
Safety Logic
- Here to protect against automation
- Not a cyber defense
Air Gapping
- 2 million public SCADA IPs
- 94,000 Modbus devices
- "…in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network."

How does all this affect cybersecurity policies?

Separate SCADA & IT Cyber Policies

Separate SCADA & IT Cyber Policies
IT policy: Regularly apply updates to all servers
SCADA implementation:
- Hold off on applying updates until test is run
- Schedule downtime/backup server for update

Separate SCADA & IT Cyber Policies
IT policy: Uniformity in hardware & software
SCADA implementation:
- Assets in field for over 30 years
- Diverse because of acquisitions

Separate SCADA & IT Cyber Policies
IT policy: Physically restrict access to network equipment
SCADA implementation:
- Assets geographically diverse
- Physical security applicable only at some sites

Separate SCADA & IT Cyber Policies
- Focus on the actionable to achieve the doable
- Security comes from good implementation
- Do what can be implemented on what can be protected
- Cybersecurity policy is an enterprise-wide opportunity

Separate SCADA & IT Cyber Policies
SCADA needs to craft its own cyber security policies
- Understands business
- Understands how policies will impact business
- Knows the ROI for assets
- Understands the capabilities of equipment
- Knows the risks of hacks
(diagram: a scale from Vulnerable to Secure, with the labels None, IT and SCADA marked along it)

What should a SCADA cybersecurity policy do?

SCADA Cybersecurity Policymaking
Blueprints for security
- NIST Framework for Improving Critical Infrastructure: No technology specifics
- ISA-99 / ISA 62443: 1-4 Use Cases ("Planning" phase), 4-4 Implementation ("Planning" phase)
- Move us forward
- Ideas to take to the test lab

SCADA Cybersecurity Policymaking
Identify strategically important assets
- Protect the field equipment
- Hackers target the field
Focus on prevention
- Can stop damage
- No backups
- Controlling access = safety

SCADA Cybersecurity Policymaking
Deploy Security to the Field
- Target of Hackers
- Rabbit Fence Analogy

SCADA Cybersecurity Policymaking
Identify the correct security technology
- Design security into the process
- Avoid "bolt-on" solutions: Easy to implement, Hard to defend
- How it affects the process is what matters

SCADA Cybersecurity Policymaking
Encryption
- Process of securely encoding a message
- Scales both functionally and technologically
- Open sourced is secured source
- Public Key Infrastructure
- Data only valuable if correct

SCADA Cybersecurity Policymaking

SCADA Cybersecurity Policymaking
Defense in Depth
- Firewalls and virus scans
- Strategic Chokepoint
- Deeper OT Security
- Two Factor Authentication
- Networking
- Logs at device level
- Extend life of legacy equipment
- Unauthorized PLC-to-PLC communication
- Defend against hidden ports
- Defend against Zero Days
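An added illustration of the "Strategic Chokepoint", "Logs at device level" and "Unauthorized PLC-to-PLC communication" points on this slide (example code written for this transcript, not code from the presentation or from AUTOSOL): a small Python checker that reads constructed connection-log lines captured at a chokepoint and flags every session bound for a PLC that does not come from an approved client role, which catches PLC-to-PLC sessions of the PLC Blaster pattern and sessions to undocumented PLC ports. The log line format, the IP addresses, the host inventory and the allowlist are all assumptions made for the example.

```python
"""Policy check over device-level connection logs at a network chokepoint.

Added example, not part of the presentation. The log line format, the
host inventory, the IP addresses and the allowlist are all constructed.
"""
from dataclasses import dataclass

# Constructed inventory: the role of each host on the control network.
INVENTORY = {
    "10.10.1.10": "scada_server",
    "10.10.1.11": "engineering_ws",
    "10.10.2.21": "plc",
    "10.10.2.22": "plc",
    "10.10.2.23": "plc",
}

# Policy: only these roles may open sessions to a PLC. PLCs are deliberately
# absent, so any PLC-to-PLC session is a violation by construction.
ALLOWED_CLIENT_ROLES = {"scada_server", "engineering_ws"}

# Policy: the only service port a PLC is documented to expose (Modbus/TCP).
PLC_EXPECTED_PORTS = {502}


@dataclass(frozen=True)
class Session:
    ts: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Session:
    """Parse one constructed log line of the form '<ts> <src> -> <dst>:<dport>'."""
    ts, src, arrow, dst_port = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dst, dport = dst_port.rsplit(":", 1)
    return Session(ts, src, dst, int(dport))


def classify(session: Session):
    """Return None if the session complies with policy, else a reason string."""
    if INVENTORY.get(session.dst) != "plc":
        return None  # only sessions bound for a PLC are policed here
    if session.dport not in PLC_EXPECTED_PORTS:
        return f"session to undocumented PLC port {session.dport}"
    src_role = INVENTORY.get(session.src)
    if src_role is None:
        return "unknown host opened a Modbus session to a PLC"
    if src_role == "plc":
        return "PLC-to-PLC Modbus session"
    if src_role not in ALLOWED_CLIENT_ROLES:
        return f"role '{src_role}' is not permitted to open Modbus sessions to PLCs"
    return None


def find_violations(lines):
    """Return [(Session, reason)] for every log line that breaks policy."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        session = parse_line(line)
        reason = classify(session)
        if reason is not None:
            violations.append((session, reason))
    return violations


# Constructed sample log: one line per TCP session seen at the chokepoint.
SAMPLE_LOG = [
    "2017-10-05T08:00:01 10.10.1.10 -> 10.10.2.21:502",   # SCADA server polls PLC
    "2017-10-05T08:00:02 10.10.1.11 -> 10.10.2.22:502",   # engineering workstation
    "2017-10-05T08:00:05 10.10.2.21 -> 10.10.2.22:502",   # PLC talks to PLC
    "2017-10-05T08:00:06 10.10.2.22 -> 10.10.2.23:502",   # PLC talks to PLC
    "2017-10-05T08:00:07 10.10.2.21 -> 10.10.1.10:443",   # not PLC-bound, ignored
    "2017-10-05T08:00:09 10.10.9.99 -> 10.10.2.23:502",   # host not in inventory
    "2017-10-05T08:00:12 10.10.1.11 -> 10.10.2.21:8080",  # undocumented PLC port
]

if __name__ == "__main__":
    for session, reason in find_violations(SAMPLE_LOG):
        print(f"{session.ts} {session.src} -> {session.dst}:{session.dport}: {reason}")
```

The check deliberately encodes policy as an allowlist of who may talk to field equipment rather than a blocklist of known-bad traffic, which is what lets it flag feature abuse such as PLC-to-PLC spread even though no vulnerability signature exists for it.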

SCADA Cybersecurity Policymaking
FIPS 140-2
- National Institute of Standards and Technology
- Communications Security Establishment Canada
- Required for "critical" communications by USG
- Documented process for security
- Certified compliance by third party

SCADA Cybersecurity Policymaking
- Multi-user tier: Officer and User levels
- Encryption: AES 256, RSA 2048
- Public Key Infrastructure
- Create Security boundary
- No backdoors
- Clearly Enable FIPS Mode
- No Default Passwords
- New PKI

SCADA Cybersecurity Policymaking

SCADA Cybersecurity Policymaking
FIPS 140-2 criticisms
- Inhibits development
- FIPS prohibits changes to certified models
- Restricts innovation
- Long development cycles

SCADA Cybersecurity Policymaking
FIPS 140-2 enhances SCADA's security
- Lasts 5 years before renewal
- SCADA equipment has no schedule
- Validation process changes every year

SCADA Cybersecurity Policymaking
FIPS 140-2 enhances SCADA's security
- Market forces push innovation
- Voluntary compliance
- Patch vulnerabilities for market access
- Stuxnet Transmitter Example
- Committed vendor market

SCADA Cybersecurity Policymaking
FIPS 140-2 enhances SCADA's legacy security
- FIPS market is also a legacy market

Conclusion
- SCADA needs its own Cybersecurity Policy
- Focus on Prevention
- Defend the field
- Encryption enhances security with low impact
- FIPS 140-2 has test lab ready devices

Please complete your course evaluation online: www.cshmsurvey.com

Supplemental Talking Points for Q&A
- Link between Geopolitics and SCADA Hacking