CONTROL SYSTEM CYBER SECURITY
What can Operators do to keep their control system safe
Presented by: Bart Nelissen
Proud of Our Past… Building the Future
❑ Introduction
❑ Control System Components
❑ Statistics
❑ Myths
❑ Threats
❑ Examples
❑ Recommendations
❑ Bart Nelissen
❑ MPE Engineering
❑ Cyber Security
❑ NIST
❑ Public Safety Canada
❑ US Department of Homeland Security
❑ Cyber Warfare
❑ Over 50 new Cyber Security Threats reported… DAILY
❑ Over 80% of vulnerabilities involved outdated software
❑ Water & Wastewater is one of the hardest hit sectors – 122% increase in attacks in one year
❑ Over 50% of companies realize the need for more resources for OT / ICS Cyber Security
❑ 15% of companies are increasing operator awareness training
❑ 99% of firewall breaches are the result of misconfiguration
Based on the Claroty Biannual ICS Risk & Vulnerability Report and the 2019 Kaspersky ICS report
Based on the 2021 ISA GCA (International Society of Automation Global Cybersecurity Alliance) report
❑ Isolation from the internet keeps the control system safe
    ❑ IF implemented and maintained, an air gap is effective
    ❑ Not practical
        ❑ Restricts alarm callouts from SCADA
        ❑ Restricts remote access
        ❑ Restricts report generation
        ❑ Restricts technology advancement
    ❑ Memory sticks – Major risk!
Myths based on the 2021 ISA GCA (International Society of Automation Global Cybersecurity Alliance) report
❑ Hackers don’t understand ICS components, networks and communication
    ❑ 96% of applications use open-source components
    ❑ Modern control systems use common IT infrastructure
        ❑ Ethernet
        ❑ Remote Access: Remote Desktop Protocol (RDP), Secure Sockets Layer (SSL), etc.
❑ The ICS network will be protected by our firewall
    ❑ Needs to be configured properly (rules)
    ❑ Requires monitoring and maintenance
    ❑ A firewall is only as good as the device itself
    ❑ Firewalls do not protect against allowed protocols or access (e.g. open ports)
❑ Serial Communication provides immunity from Cyber Attacks
    ❑ Serial communication is known to hackers
    ❑ Many serial communication links run over Ethernet or use converters
    ❑ No protection from inside hacks
❑ Hackers are only after financial gains, not ICS
Based on the Canadian Centre for Cyber Security
❑ Internal Threats
    ❑ Internal unrestricted access
    ❑ Deliberate or unintentional
❑ External Threats
    ❑ Disruption
    ❑ Damage
❑ Human Error
    ❑ Incorrect configuration
❑ Ransomware
    ❑ Malicious software
    ❑ Infects a computer
    ❑ Restricts access
    ❑ Ransom paid will unlock access
❑ Denial of Service
    ❑ Floods traffic
    ❑ Makes computer unavailable
❑ Distributed Denial of Service
    ❑ Hits several computers
❑ Man in the Middle
    ❑ “Eavesdropping attack”
    ❑ Attacker inserts themselves between 2 parties
    ❑ Steals and/or filters data
❑ Zero Day Exploit
    ❑ Attack on known vulnerability
    ❑ Identified by vendor
    ❑ Patch not deployed yet
❑ Phishing
    ❑ Faking a reputable source
    ❑ Steal data
    ❑ Install malware
    ❑ Most known to steal credit card info
What is a hacker’s favorite season?
Phishing season
❑ Oldsmar, FL WTP
    ❑ February 2021
    ❑ 14,000 residents
    ❑ Compromised remote access
        ❑ Windows 7 and TeamViewer
    ❑ Poor user credential requirements
    ❑ Poor architecture
❑ Stuxnet
    ❑ 2010 – “world’s first digital weapon”
    ❑ Malware – USB drives
    ❑ Estimated 5 years to develop
    ❑ Targeted Siemens STEP7 PLCs
    ❑ Overrode setpoints in PLC & values on HMI
    ❑ Nuclear power plant centrifuge damage; close to 1000 / 20% of Iran’s centrifuges
❑ Kansas WTP
    ❑ March 2019
    ❑ 1,500 households
    ❑ Poor user credentials – ex-employee
    ❑ Unauthorized access – files removed related to disinfection cycle
❑ San Francisco Bay WTP
    ❑ January 2021
    ❑ Poor user credentials
    ❑ Poor architecture
❑ Boston Water and Sewer Commission 2020
❑ Harrisburg, PA WTP 2006
❑ Camrosa, CA WTP 2020
❑ No details disclosed
Based on real-world experience by Bart…
❑ Back up
    ❑ Applications
    ❑ Data
    ❑ Second backup off site
        ❑ Office
        ❑ Cloud
❑ User Credentials
    ❑ Keep current – only active users
    ❑ Integrate with IT / HR if possible
    ❑ Unique per user
    ❑ Unique passwords
        ❑ Do not allow multiple users the same password
        ❑ Set criteria
    ❑ Remove default passwords of equipment
❑ ‘Backdoors’
    ❑ Access that’s typically undocumented
        ❑ Operations
        ❑ Maintenance
    ❑ Close backdoors
    ❑ Investigate
❑ Anti-Virus Software
    ❑ Ensure software is supported
        ❑ By organization
        ❑ For all software
        ❑ For architecture (ICS)
    ❑ Is proven
    ❑ Updates frequently
❑ Updates and Patches
    ❑ Schedule regular updates
    ❑ Critical updates immediately
    ❑ Supported updates and patches only – for all software
    ❑ Test updates and patches
        ❑ Test environment
        ❑ Production environment
❑ Secure Physical Access
    ❑ Lock gates
    ❑ Doors
    ❑ Log out of PCs
        ❑ Inactivity timeout
    ❑ Consider cameras
❑ Firewalls
    ❑ Device to block unauthorized access
        ❑ Network or device
    ❑ Configure firewalls
    ❑ Maintain firewalls
❑ Whitelisting
    ❑ Opposite of blacklisting
        ❑ Blacklisting: all traffic is accepted by default
        ❑ Requires each unwanted access to be blocked individually
    ❑ Whitelisting: all traffic is denied by default
        ❑ Only allow authorized access
        ❑ Requires maintenance
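The whitelist-versus-blacklist distinction above comes down to the default verdict when no rule matches. The following Python example (added here; it is not code from the presentation or from MPE Engineering) evaluates the same set of constructed ICS flows under both policies. The subnets, PLC addresses, port numbers and rule sets are all hypothetical; the point is that an allowlist denies a flow nobody anticipated (office host to PLC on a port that was never discussed), while a blocklist lets it through until someone thinks to add a rule.

```python
"""Default-deny (allowlist) vs default-allow (blocklist) policy evaluation.

Constructed example: address plan, hosts and rules are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and self.proto == f.proto
                and (self.dport is None or self.dport == f.dport))


# Constructed ICS address plan (hypothetical)
HMI_NET = "10.10.1.0/24"      # HMI / SCADA servers
ENG_NET = "10.10.2.0/24"      # engineering workstations
PLC_NET = "10.10.5.0/24"      # PLC network
OFFICE_NET = "10.20.0.0/16"   # corporate office

# Allowlist: only the flows the process needs; everything else is dropped.
ALLOW_RULES: List[Rule] = [
    Rule(HMI_NET, PLC_NET, "tcp", 502),    # Modbus/TCP polling from the HMI
    Rule(ENG_NET, PLC_NET, "tcp", 44818),  # EtherNet/IP from engineering workstations
    Rule(ENG_NET, PLC_NET, "tcp", 502),
]

# Blocklist: default allow; only the listed flows are blocked.
BLOCK_RULES: List[Rule] = [
    Rule(OFFICE_NET, PLC_NET, "tcp", 502),  # office-to-Modbus blocked after someone noticed it
]


def allowlist_decision(f: Flow) -> bool:
    """Default deny: permitted only if some allow rule matches."""
    return any(r.matches(f) for r in ALLOW_RULES)


def blocklist_decision(f: Flow) -> bool:
    """Default allow: permitted unless some block rule matches."""
    return not any(r.matches(f) for r in BLOCK_RULES)


def compare(flows: List[Flow]) -> Dict[Flow, Tuple[bool, bool]]:
    """Return {flow: (allowlist_verdict, blocklist_verdict)}; True means permitted."""
    return {f: (allowlist_decision(f), blocklist_decision(f)) for f in flows}


# Constructed sample flows
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.10.1.10", "10.10.5.21", "tcp", 502),    # HMI polls PLC: legitimate
    Flow("10.10.2.5", "10.10.5.21", "tcp", 44818),   # engineer connects to PLC: legitimate
    Flow("10.20.3.7", "10.10.5.21", "tcp", 502),     # office host to PLC Modbus: unwanted, listed
    Flow("10.20.3.7", "10.10.5.21", "tcp", 3389),    # office host to PLC RDP: unwanted, never listed
    Flow("10.10.1.10", "10.10.5.21", "udp", 161),    # SNMP from HMI: not part of the allowlist
]

if __name__ == "__main__":
    for f, (a, b) in compare(SAMPLE_FLOWS).items():
        print(f"{f.src:>12} -> {f.dst}:{f.dport}/{f.proto}  "
              f"allowlist={'PERMIT' if a else 'DENY'}  blocklist={'PERMIT' if b else 'DENY'}")
```

Run it and the last two flows show the difference: the allowlist denies both, the blocklist permits both. The maintenance burden the slide mentions is visible in the code too: adding a new HMI or a new protocol means adding an allow rule, but forgetting to do so fails closed rather than open.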
❑ Monitor Network Activity
    ❑ Detects strange behaviour
    ❑ Detects unauthorized access
    ❑ Detects new devices on network
    ❑ Set up rules to alarm
    ❑ Alarms require action
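"Detects new devices on network" and "Set up rules to alarm" can be done with nothing more than an approved asset inventory and the ARP table the switch already keeps. The Python below is an added example, not the presenter's code or any product's: it parses constructed ARP-style log lines (the line format, switch name, MAC addresses and inventory are all hypothetical) against an inventory and raises two kinds of alarm, an unknown MAC and an inventoried IP address being claimed by a different MAC. Each alarm carries a required action, since an alarm nobody acts on is just noise.

```python
"""Baseline-vs-observed device check over constructed ARP log lines.

Constructed example: the inventory, MAC addresses and log format are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Approved asset inventory (hypothetical): MAC -> (asset name, expected IP)
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1d:9c:aa:00:01": ("PLC-01", "10.10.5.21"),
    "00:1d:9c:aa:00:02": ("PLC-02", "10.10.5.22"),
    "00:50:56:bb:10:10": ("HMI-01", "10.10.1.10"),
}

# Constructed ARP-table style lines, in the shape a monitoring probe might log:
# "<timestamp> <switch> arp: <ip> is-at <mac> on <interface>"
ARP_LOG = """\
2024-03-01T02:10:01 sw-plc01 arp: 10.10.5.21 is-at 00:1d:9c:aa:00:01 on Gi1/0/1
2024-03-01T02:10:01 sw-plc01 arp: 10.10.5.22 is-at 00:1d:9c:aa:00:02 on Gi1/0/2
2024-03-01T02:10:02 sw-plc01 arp: 10.10.1.10 is-at 00:50:56:bb:10:10 on Gi1/0/24
2024-03-01T02:10:05 sw-plc01 arp: 10.10.5.77 is-at 3c:22:fb:01:02:03 on Gi1/0/7
2024-03-01T02:10:09 sw-plc01 arp: 10.10.5.21 is-at 3c:22:fb:01:02:03 on Gi1/0/7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) arp: (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)$"
)


def parse_arp_log(text: str) -> List[dict]:
    """Parse log lines; lines that do not match the expected format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def check_inventory(entries: List[dict], inventory: Dict[str, Tuple[str, str]] = INVENTORY) -> List[dict]:
    """Compare observed (ip, mac) pairs with the approved inventory and return alarms.

    Rules applied:
      NEW_DEVICE  - a MAC that is not in the inventory appeared on the network (reported once)
      IP_CONFLICT - an inventoried asset's IP address is now claimed by a different MAC
    """
    alarms = []
    ip_owner = {ip: mac for mac, (_, ip) in inventory.items()}   # expected IP -> MAC
    seen_new = set()
    for e in entries:
        mac, ip = e["mac"], e["ip"]
        if mac not in inventory and mac not in seen_new:
            seen_new.add(mac)
            alarms.append({"rule": "NEW_DEVICE", "ts": e["ts"], "ip": ip, "mac": mac,
                           "iface": e["iface"],
                           "action": "identify the device; disable the port until approved"})
        if ip in ip_owner and ip_owner[ip] != mac:
            alarms.append({"rule": "IP_CONFLICT", "ts": e["ts"], "ip": ip, "mac": mac,
                           "iface": e["iface"], "asset": inventory[ip_owner[ip]][0],
                           "action": "verify the asset is reachable; investigate the duplicate address"})
    return alarms


if __name__ == "__main__":
    for alarm in check_inventory(parse_arp_log(ARP_LOG)):
        print(alarm)
```

On the constructed log this raises one NEW_DEVICE alarm for the unknown MAC on Gi1/0/7 and one IP_CONFLICT alarm when that same MAC later answers for PLC-01's address. The inventory is the baseline the slide's rules depend on; if it is not kept current the check degrades into a stream of false alarms, which is the "requires maintenance" point again.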
❑ Secure Remote Access
    ❑ Modern technology
        ❑ Not TeamViewer
        ❑ VPN (Virtual Private Network)
        ❑ SSL (Secure Sockets Layer)
❑ External Devices
    ❑ USB sticks / thumb drives / external hard drives
    ❑ Laptops
    ❑ Vendors
    ❑ Scan
❑ Training
    ❑ ICS: operators
        ❑ Recognize
        ❑ Intrusion detection
        ❑ Action response
❑ Tender Documents
    ❑ Remove specifics
        ❑ IP addresses
        ❑ Server names
❑ ICS / SCADA Use
    ❑ Process control only
        ❑ No internet
        ❑ No reports
        ❑ No e-mail
        ❑ No games
❑ Establish ICS Cyber Security Policy
    ❑ Incorporate all recommendations
    ❑ Incorporate IT practices
        ❑ User credentials
        ❑ Tie to HR
        ❑ Violation
    ❑ Use experts
Bart Nelissen
MPE Engineering [email protected] 250-268-5008