Cyber Security

ISA 99 / IEC 62443

Standards 2017
Education & Training
Conferences & Exhibits
Where Policy Meets Technology

Mayur Mehta
Manager - ICS security


My Professional Journey

Over 9.5 years of experience in the ICS/SCADA domain; an expert in determining threats and risk exposure on ICS products & plants, interoperability and FAT testing.
Currently an ICS/SCADA Risk Assessor with the Cyber Security practice of a Big 4 advisory function, based in Bengaluru.
Member of the ISA99/IEC62443 standards committee and leading ISA99 standard work in the ISA Bangalore chapter.
Certified Global Industrial Cyber Security Professional (GICSP) from GIAC.
Certified Scrum Master (CSM), CTFL (ISTQB), Security+ (Cybrary), OPSEC (ICS-CERT), ATD (Advanced Threat Detection in ICS/SCADA - Concise Courses).
Experience includes leading projects on vulnerability analysis and penetration testing, secure conduit design, risk framework development and assessment, and cyber reviews based on industry standards such as NERC-CIP, NIST 800-82, IEC 62443, NCIIPC, ISO 2700x, SANS Top 20 Critical Controls and OWASP Top 10.
Has also worked with Schneider Electric and SIEMENS.
M.Tech from BITS Pilani in Software Systems (Networks and Networked Systems).
B.E. from JNCT/RGPV Bhopal in Electronics and Communications Engineering.

CIA triad

CIA or AIC triad
- Availability: systems are available and operational when needed
- Integrity: data is consistent, accurate and trustworthy
- Confidentiality: protection against disclosure to unauthorized individuals
OT has two more requirements
- System performs intended functions
- Physical and environmental safety is
Why are we here

[Pie chart: ICS-CERT reported incidents by critical-infrastructure sector. Sector labels on the chart: Commercial Facilities, Chemical, Communications, Information Technology (33%), Government Facilities, Food & Agriculture (2%), Financial, Nuclear Reactors, Energy, Defense; remaining percentages shown: 1%, 1%, 4%, 2%, 16%, 1%.]

Source: ICS CERT

Top10 ICS Cyber Threats

1. Social Engineering and Phishing (3)
2. Infiltration of Malware via Removable Media and External Hardware (2)
3. Malware Infection via Internet and Intranet (1)
4. Intrusion via Remote Access (5)
5. Human Error and Sabotage (4)
6. Control Components Connected to the Internet (6)
7. Technical Malfunctions and Force Majeure (7)
8. Compromising of Extranet and Cloud Components (9)
9. (D)DoS Attacks (10)
10. Compromising of Smartphones in the Production Environment (8)

Source: BSI Publications on Cyber-Security report

Case#1: WannaCry

Step 1: 12 May 2017: WannaCry ransomware infections surge. Preliminary analysis identifies a self-propagating exploit. Targets MS17-010, SMBv1 critical vulnerability (Shadow Brokers). Exploit modeled after EternalBlue. Malware also drops the implant DoublePulsar.

Step 2: Initial infection vector is unknown. Once on a host, the malware launches a process to:
- Scan for TCP port 445 (SMB)
- If an open port is identified, an exploit is attempted

Step 3: WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.

Step 4: It also drops a file named !Please Read Me!.txt which contains the text explaining what has happened and how to pay the ransom.

Step 5: WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name.

Step 6: It propagates to other computers by exploiting a known SMBv2 remote code execution vulnerability in Microsoft Windows computers: MS17-010.
Case#1: WannaCry
Need for Timely Patch Management

ICS community actions (~ >150 days):
1. Vulnerability identification and patch development
2. Patch release by OS vendor
3. Testing of patch with applications by ICS vendors
4. Publishing of patches for applications or approval for OS patch
5. Asset owner downloads and tests the patch in a test environment
6. Patch deployment in downtime
7. Protection from cyber attack
Organizations need to work together to reduce the response time.

Black hat actions (~ <30 days):
1. Vulnerability identification and patch development
2. Patch release by OS vendor
3. Download of patch and reverse engineering for vulnerability
4. Exploit development
5. Testing and deployment of exploit
6. Successful attack
Hackers are one step ahead in the game of security.

Case#1: WannaCry

Communications were observed from the compromised systems to the below IP addresses:
- 197[.]231[.]221[.]211
- 128[.]31[.]0[.]39:9191

Antivirus signatures: put a filter on the AV for the detection of the following signatures:
- Ransom.CryptXXX
- Trojan.Gen.8!Cloud
AV signatures to be updated with the latest definitions (DAT).

Need to have a strong incident response and DR plan.

Domains/Remote IPs (Firewalls/IPS/IDS/Proxy):
- 57g7spgrzlojinas.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
- gx7ekbenv2riucmf.onion
- sqjolphimrr7jqw6.onion
- xxlvbrloxvriy2c5.onion

File hash values (AV/Sandboxing tool): available, can be shared offline (SHA-256, MD5, ...); to be put as a filter on the email gateway/end-point to detect the following hash values.

Countermeasures in the event of an attack:
- Isolate the system from the network to counter any spread of the ransomware
- Decryption is not available now
- Format the system if needed
- Block 445 on AD, if that's feasible
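As an added example (not part of the presentation), the following script turns the network indicators from this slide into a detection check over proxy/firewall log lines. The indicators are quoted on the slide in defanged form ("197[.]231[.]221[.]211"), so they are refanged before matching; the log format, host names, internal addresses and sample lines are constructed for the example, and the hosts that touched an indicator are reported as candidates for the first countermeasure above, isolation from the network.

```python
"""Added example (not from the presentation): match the WannaCry network
indicators listed on the slide against proxy/firewall log lines.
The indicators are quoted in defanged form ("197[.]231[.]221[.]211"), so they
are refanged before matching. The log line format, host names, internal
addresses and the sample lines below are constructed for this example."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators exactly as printed on the slide (defanged).
DEFANGED_IPS = ["197[.]231[.]221[.]211", "128[.]31[.]0[.]39:9191"]
ONION_DOMAINS = [
    "57g7spgrzlojinas.onion", "76jdd2ir2embyv47.onion",
    "cwwnhwhlz52maqm7.onion", "gx7ekbenv2riucmf.onion",
    "sqjolphimrr7jqw6.onion", "xxlvbrloxvriy2c5.onion",
]


def refang(indicator: str) -> str:
    """'197[.]231[.]221[.]211' -> '197.231.221.211' (an optional ':port' is kept)."""
    return indicator.replace("[.]", ".")


@dataclass(frozen=True)
class Hit:
    line_no: int
    source_host: str
    indicator: str


# Constructed log format: "<timestamp> <src_host> <src_ip> -> <dst>[:<port>] <proto>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\S+)$")


def indicator_matches(dst: str, indicator: str) -> bool:
    """An indicator with a port ('1.2.3.4:9191') must match host and port exactly;
    an indicator without a port matches the destination host alone, and a domain
    indicator also matches any subdomain of it."""
    dst_host = dst.rsplit(":", 1)[0] if ":" in dst else dst
    if ":" in indicator:
        return dst == indicator
    return dst_host == indicator or dst_host.endswith("." + indicator)


def match_iocs(lines: Iterable[str]) -> List[Hit]:
    indicators = [refang(i) for i in DEFANGED_IPS] + ONION_DOMAINS
    hits = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        for ind in indicators:
            if indicator_matches(m.group("dst"), ind):
                hits.append(Hit(line_no, m.group("host"), ind))
                break
    return hits


def hosts_to_isolate(hits: Iterable[Hit]) -> List[str]:
    """Hosts that contacted an indicator: candidates for the slide's first
    countermeasure, isolating the system from the network."""
    return sorted({h.source_host for h in hits})


# Constructed sample log lines; only lines 2, 3 and 5 touch an indicator.
SAMPLE_LOGS = [
    "2017-05-12T10:01:00Z ENG-WS01 10.10.3.21 -> 10.10.1.5:445 tcp",
    "2017-05-12T10:02:13Z ENG-WS01 10.10.3.21 -> 197.231.221.211:443 tcp",
    "2017-05-12T10:02:20Z HMI-02 10.10.2.7 -> 128.31.0.39:9191 tcp",
    "2017-05-12T10:02:21Z HMI-02 10.10.2.7 -> 128.31.0.39:80 tcp",
    "2017-05-12T10:03:05Z HIST-01 10.10.3.9 -> gx7ekbenv2riucmf.onion:9050 tcp",
    "2017-05-12T10:03:06Z HIST-01 10.10.3.9 -> updates.example.com:443 tcp",
]

if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.source_host} contacted {h.indicator}")
    print("isolate:", hosts_to_isolate(found))
```

The second address is listed on the slide together with port 9191, so it is matched with the port; if the address alone is to be treated as an indicator, drop the port from DEFANGED_IPS and the fourth sample line is flagged as well.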
Infiltration of Malware via Removable Media and External Hardware

- Sophisticated attack destroyed up to 1,000 uranium enrichment centrifuges at a high-security Iranian nuclear facility
- Multi-stage attack
- Social engineering techniques used to penetrate the plant
- Replicated worm in PCs and infected LAN
- PLCs located; looked for centrifuges
- Once located, spun them up to eventually fail
- Masked control room monitors
- Key security compromises: Integrity & Availability

Source: Symantec
ISA 99 / IEC 62443

Few ICS Security Standards: ISA 99 / IEC 62443, NIST 800-82, NERC, ISO 27001/2, ENISA, ICS-CERT

History of ISA99 / IEC62443

ISA/IEC 62443 is a series of standards being developed by two groups:
- ISA99: ANSI/ISA-62443
- IEC TC65/WG10: IEC 62443

In consultation with:
- International in scope
- Requirement contributions come from other standards like NERC-CIP, NIST etc.
- Flexible framework which serves as a basis for country and local standards as well as manufacturing guidelines.
ISA 99 / IEC 62443 Standards

ISA99/IEC-62443 is a family of standards with a large scope of use for ICS / OT / SCADA environments. Some guidelines are rather general, while others are precise, specific and focused. Many of those guidelines are still in the process of being defined or upgraded.

The first (top) category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
- 1.1 Terminology, concepts and models
- 1.2 Master glossary of terms and abbreviations
- 1.3 System security compliance metrics
- 1.4 IACS security lifecycle/use cases

The second category of work products (Policies & Procedures) targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
- 2.1 Requirements for IACS security management system
- 2.2 Implementation guidance for IACS security management system
- 2.3 Patch management in the IACS environment
- 2.4 Installation and ...

The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
- 3.1 Security technologies for IACS
- 3.2 Security assurance levels for zones and conduits
- 3.3 System security requirements and security levels

The fourth category includes work products that describe the specific product development and technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.
- 4.1 Product development requirements
- 4.2 Technical security requirements for IACS components
A holistic security concept is context
ISA99 reference

Onsite Industrial Automation and Control System (IACS)

Asset Owner (operates and maintains the IACS): operational policies and procedures review and creation, and risk management.
Service Provider (2-4): maintenance policies and procedures, patch and vendor management.
System Integrator (designs and deploys the automation solution: Basic Process Control System (BPCS), Safety Instrumented System (SIS), complementary HW/SW): 3-2 assessment and design; secure architecture design, zones and conduits.
Product Supplier (develops control systems): 4-1 secure product and system development; 4-2 CFAT.
Zones and Conduits

Level 5 - Management level: Enterprise Resource Planning, IT & mobile devices
  Controls: harden handheld devices and database servers
Level 4 - IT-OT separation zone (DMZ): Mirror Historian, Patch Mgmt, AV Server
  Controls: unidirectional gateway/data diode, network monitoring, log management & auditing
Level 3 - Plant management level: Engineering station, Historian, OPC
Level 2 - Operation level: SCADA/DCS, Operators, HMIs
  Controls (Levels 3 and 2): system hardening, Active Directory (AD), app whitelisting, secure design implementation, patch management, configuration management, password management, change management, backup & restoration and user-specific access control, next-gen firewalls
Level 1 - Control level: PLC/Controllers/automation
  Controls: harden automation controllers, disable unwanted ports
Level 0 - Field level: field devices, CCTVs, sensors & actuators
  Controls: physical protection
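As an added example (not part of the presentation), the following script expresses the zones-and-conduits model above as a policy check: each Purdue level is a zone, the Level 4 DMZ is the IT/OT separation zone, and a conduit is the only permitted path between two zones. The zone names, the conduit table and the sample flows are constructed; the checker reports conduits that skip a level (bypassing the DMZ) and flows that cross a zone boundary without a defined conduit, including anything initiated from the DMZ into Level 3 and SMB from the enterprise into the plant.

```python
"""Added example (not from the presentation): a checker for the zones-and-
conduits model on the slide. Each Purdue level is a zone, with the Level 4 DMZ
as the IT/OT separation zone; a conduit is the only permitted path between two
zones. Zone names, the conduit table and the sample flows are constructed."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, str]  # (initiating zone, destination zone, "proto/port")


@dataclass(frozen=True)
class Conduit:
    src: str       # zone that initiates the connection
    dst: str       # zone that accepts it
    service: str   # "proto/port", or "*" for any service (fieldbus I/O)


# Purdue levels from the slide, mapped to a constructed zone name each.
ZONES = {
    "L5_Enterprise": 5, "L4_DMZ": 4, "L3_PlantMgmt": 3,
    "L2_Operations": 2, "L1_Control": 1, "L0_Field": 0,
}

# Constructed conduit table. Nothing initiates from the DMZ into Level 3: the
# mirror historian is fed one way (data diode) and patch/AV clients in Level 3
# pull from the DMZ servers.
CONDUITS = [
    Conduit("L5_Enterprise", "L4_DMZ", "tcp/443"),         # enterprise reads mirror historian
    Conduit("L3_PlantMgmt", "L4_DMZ", "tcp/1433"),         # historian replication, one way
    Conduit("L3_PlantMgmt", "L4_DMZ", "tcp/8530"),         # patch download
    Conduit("L2_Operations", "L3_PlantMgmt", "tcp/1433"),  # HMI/SCADA to historian
    Conduit("L2_Operations", "L3_PlantMgmt", "tcp/389"),   # AD authentication
    Conduit("L2_Operations", "L1_Control", "tcp/502"),     # Modbus/TCP to controllers
    Conduit("L1_Control", "L0_Field", "*"),                # controller I/O to field devices
]


def validate_conduits(conduits: Iterable[Conduit] = CONDUITS, zones=ZONES) -> List[Conduit]:
    """Conduits joining non-adjacent levels (e.g. enterprise straight into the
    plant zone) bypass the DMZ; return them as design findings."""
    return [c for c in conduits if abs(zones[c.src] - zones[c.dst]) > 1]


def is_allowed(flow: Flow, conduits: Iterable[Conduit] = CONDUITS) -> bool:
    src, dst, service = flow
    if src == dst:
        return True  # intra-zone traffic is not governed by conduits
    return any(c.src == src and c.dst == dst and c.service in ("*", service)
               for c in conduits)


def check_flows(flows: Iterable[Flow], conduits: Iterable[Conduit] = CONDUITS) -> List[str]:
    """Return one finding per flow that crosses a zone boundary without a conduit."""
    conduits = list(conduits)
    return [f"DENY {src} -> {dst} {svc}: no conduit defined"
            for src, dst, svc in flows if not is_allowed((src, dst, svc), conduits)]


# Constructed flows, e.g. from a firewall rule export or a traffic capture summary.
SAMPLE_FLOWS: List[Flow] = [
    ("L5_Enterprise", "L4_DMZ", "tcp/443"),         # allowed
    ("L5_Enterprise", "L3_PlantMgmt", "tcp/445"),   # SMB from enterprise into the plant: denied
    ("L3_PlantMgmt", "L4_DMZ", "tcp/1433"),         # allowed
    ("L4_DMZ", "L3_PlantMgmt", "tcp/3389"),         # DMZ initiating into Level 3: denied
    ("L2_Operations", "L1_Control", "tcp/502"),     # allowed
    ("L2_Operations", "L2_Operations", "tcp/445"),  # intra-zone, not evaluated
    ("L1_Control", "L5_Enterprise", "tcp/80"),      # controller talking to the enterprise: denied
]

if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(finding)
    print("skip-level conduits:", validate_conduits())
```

The conduit table is deliberately directional: a conduit records which zone initiates, so a permitted Level 3 to DMZ replication does not implicitly permit the DMZ to open sessions into Level 3, which is the property the unidirectional gateway on the slide is meant to enforce.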
Need of the hour

OT Security Governance
- OT planning & project security
- Governance audit of the important security processes
- OT cyber security team
Ensure proactive implementation of appropriate OT security controls to support the mission in a cost-effective manner while managing evolving OT security risks.

Operations
- Vulnerability and patch management
- Security incident management
- OT physical controls area security
Ensure a safe setup of infrastructure by implementing appropriate security controls following a defence-in-depth design concept in the network.

Infrastructure
- OT security infrastructure system architecture review
- Vulnerability assessment and penetration testing
- End user environment audit
Continuously monitor performance of systems to ensure that it is consistent with agreed security requirements, and that needed system modifications are incorporated.
Lots to be done by vendors

Secure by design approach:
- Identify product level in ICS layer -> ICS Security Levels -> Security requirement -> Secure feature implementation
- ISA99 Standard -> Security Test Plan -> SL based test cases -> Security test cases
ISA/IEC 62443 Cybersecurity Certification

Certificate 1: ISA/IEC 62443 Cybersecurity Fundamentals Specialist
Certificate 2: ISA/IEC 62443 Cybersecurity Risk Assessment Specialist
Certificate 3: ISA/IEC 62443 Cybersecurity Design Specialist
Certificate 4: ISA/IEC 62443 Cybersecurity Maintenance Specialist
ISA/IEC 62443 Cybersecurity Expert: individuals who achieve Certificates 1, 2, 3, and 4

Certificate steps:
- Complete a designated training program
- Pass a multiple choice exam through the Prometric testing center
