
AUDITING INDUSTRIAL CONTROL SYSTEMS

Kamal Khan
Independent Consultant

Auditing ICS

■ Background
■ Why Audit ICS
■ Standards and Procedures
■ General Summary about the Audits
■ Tips and Advice
■ Conclusion

11/7/2015
1. Background
BACKGROUND (1)

Nearly 30 years of IS Audit experience

Qualifications

• Management/Systems Analysis

Certifications

• CISA/CISSP
BACKGROUND (2)

Ten years with Saudi Aramco

ICS Audits

• Refineries
• Gas Operations
• Pipelines
• Terminals Department
• Oil Processing
• GOSPs
• Joint Ventures

2. Why Audit ICS?
WHY AUDIT ICS?

Not centralized – systems can be everywhere

• In remote areas, far away from Corporate HQ
• Operating in harsh environments, such as the middle of the desert or at sea

Usage of dedicated/unsecure protocols

• E.g., telnet (and no SSH support), TFTP, RDP

Installation/interventions by third parties

• Vendors
• Contractors, consultants
• Area IT

MALICIOUS ATTACK 1

Stuxnet

• Two attacks to damage centrifuge rotors
  • To over-pressurize centrifuges by interfering with the cascade protection system
  • To over-speed centrifuge rotors and to take them through their critical speeds
  • From 63,000 rpm to 84,600 rpm and then a sudden stop

MALICIOUS ATTACK 2

Maroochy Water Services, Australia

• On at least 46 occasions issued radio commands to the sewage equipment
• Caused 800,000 liters of raw sewage to spill out into local parks, rivers and a hotel
• Marine life died, the creek water turned black and the stench was unbearable for residents

MALICIOUS ATTACK 3

Maroochy Water Services, Australia

• From 1997 to December 1999, Boden was employed by a contractor, Hunter Watertech
• He resigned and sought City Council employment, but was rejected
• Subsequently, the SCADA system experienced a series of faults
• Logs indicated the system program had been run at least 31 times
• Boden disabled alarms at four pumping stations
• Boden was convicted and sent to prison

MALICIOUS ATTACK 4

Bellingham Control System Cyber Security Case

• A central control center from which pipeline controllers can remotely monitor key variables and components
• The system administrator may have been programming some new reports on a terminal in the control center computer room
• The pipeline was damaged by a contractor who was installing water lines
• Pressure relief valves had been improperly configured during construction. Corrective actions by the company were ineffective

BELLINGHAM CONTROL SYSTEMS (diagram slide)

INCREASED RISKS (1)

Adoption of standardized protocols and technologies with known vulnerabilities

• Transitioning from proprietary protocols to less expensive, standardized technologies such as MS Windows.

Connectivity of the control systems to other networks

• Remote access for monitoring and controlling the ICS systems.
• Connections between corporate networks and ICS networks to allow access to critical data.

Insecure and rogue connections

• Uncontrolled access links such as dial-up modems open for remote diagnostics, maintenance, and monitoring.

INCREASED RISKS (2)

Widespread availability of technical information about control systems

• Public information regarding ICS design, maintenance, interconnection, and communication is readily available over the Internet.
• Former employees, vendors, contractors, and other end users of ICS equipment worldwide who have inside knowledge about the operation of control systems and processes.

3. Standards and Procedures
ISA/IEC-62443: FORMERLY ISA-99

Procedures covering:

• Process Automation Networks and Systems Security
• Process Automation Systems Obsolescence Evaluation
• Guideline for Disaster Recovery Plan Development for Process Automation Systems
• Control Buildings

General Instructions covering:

• Classification and Handling of Sensitive Information
• Remote Access to Computer Systems and Networks

Standards covering:

• Process Automation Networks
• Process Control Systems
• Supervisory Control and Data Acquisition (SCADA) Systems

ISA/IEC-62443: FORMERLY ISA-99

Contents

• General
• Policies and Procedures
• System
• Components
ISA COMPONENTS (diagram slide)

NIST SPECIAL PUBLICATION 800-82

Guide to Industrial Control Systems (ICS) Security

Areas Covered

• Network Architecture
• Firewalls
• Logically Separated Control Network
• Network Segregation
• ICS Security Controls
• Security Assessment and Authorization
• Planning
• Risk Assessment
• System and Services Acquisition
• Program Management
• Personnel Security

4. General Summary about Audit Work
SCOPE OF AUDIT WORK

Risk-based, not only compliance

• Policies and Procedures may not address every situation
• New threats arise every day

Standards and procedures followed

• Based on industry best practices and experience
• Avoid unnecessary discussions

Areas covered:

• ICS Governance
• Systems Security
• Business Continuity
• Change Management & Obsolescence Management
• Physical and Environmental Controls
• Systems Monitoring

ICS AUDIT UNIVERSE

Gas Operations

Oil Operations

Pipelines

Power Systems

Refining and NGL Fractionation

Joint Ventures

ICS AREAS COVERED
The Process Automation Network (PAN)

Supervisory Control and Data Acquisition (SCADA)

Distributed Control Systems (DCS)

Emergency Shutdown Systems (ESD)

Vibration Monitoring Systems (VMS)

Smart Valve Monitoring Systems (SVMS)

Power Management Systems (PMS)

Other Process Control Systems (PCS)

AUDIT AREAS

(diagram) Audit areas: Awareness / Training, Patch Management, Environmental Controls, Access Control, Config / Change Management, System Hardening, User Authentication, Security Governance, Network Access Perimeters, Continuity / Resilience

5. Tips and Advice
TIPS AND ADVICE (1)

Risk Assessments to identify key areas to focus on

• Risk Assessments for Plant Networks and Systems should:
  • Identify potential dangers (threats) to information and systems
  • Identify system weaknesses (vulnerabilities) that could be exploited
  • Identify existing security controls to mitigate the risk of the threat that exploits the vulnerability
  • Determine the likelihood of occurrence of a threat exploiting a related vulnerability given the existing controls
  • Determine the severity of impact on the system by an exploited vulnerability
  • Determine the risk level for a threat/vulnerability pair given the existing controls to determine the residual risk
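The steps above carried through on a small plant-network register, as an added example that is not part of the deck. The 1-5 likelihood and impact scales, the effect each control has, and the register entries (built from exposures the deck names: an open dial-up modem, telnet on a controller without SSH, a single non-redundant HMI) are constructed assumptions; the deck prescribes no numeric scale.

```python
"""Risk assessment register for a plant network, walking the slide's steps:
threat -> vulnerability -> existing controls -> likelihood -> impact -> residual risk.
Scales, control effects and register entries are constructed for this example."""
from dataclasses import dataclass, field

# Constructed 1-5 ordinal scales (assumption: the deck gives no numeric scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # likelihood steps the control removes
    impact_reduction: int = 0      # impact steps the control removes

@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    likelihood: str          # inherent likelihood, before controls
    impact: str              # inherent impact, before controls
    controls: list = field(default_factory=list)

def residual_risk(pair):
    """Apply the existing controls and return (likelihood, impact, risk level)."""
    like = LIKELIHOOD[pair.likelihood] - sum(c.likelihood_reduction for c in pair.controls)
    imp = IMPACT[pair.impact] - sum(c.impact_reduction for c in pair.controls)
    like, imp = max(like, 1), max(imp, 1)  # controls lower risk; they never remove it
    score = like * imp
    level = "high" if score >= 15 else "medium" if score >= 8 else "low"
    return like, imp, level

def audit_focus(pairs):
    """Order the register by residual score so the audit starts with the worst pair."""
    return sorted(pairs, key=lambda p: residual_risk(p)[0] * residual_risk(p)[1], reverse=True)

# Constructed register built from exposures the deck itself names.
PLANT_REGISTER = [
    ThreatVulnPair("unauthorised remote command", "dial-up modem open for vendor diagnostics",
                   "likely", "severe", [Control("dial-back on modem", likelihood_reduction=1)]),
    ThreatVulnPair("credential capture on the wire", "telnet management, controller has no SSH",
                   "possible", "major", [Control("management VLAN isolated from corporate", likelihood_reduction=2)]),
    ThreatVulnPair("loss of view after hardware fault", "single non-redundant HMI server",
                   "possible", "moderate", [Control("redundant HMI on redundant network", impact_reduction=2)]),
]

if __name__ == "__main__":
    for p in audit_focus(PLANT_REGISTER):
        print(residual_risk(p), p.vulnerability)
```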

RISK ASSESSMENT

(diagram) Risk assessment cycle: Identify Threats → Identify Vulnerabilities that could be exploited → Identify Controls → Determine Likelihood of Occurrence of threat → Determine Severity of Impact → Determine Residual Risk

TIPS AND ADVICE (2)

Defense in Depth

• Layering security mechanisms such that the impact of a failure in any one mechanism is minimized. Should include:
  • Policies, procedures and training
  • Implementing a network topology with multiple layers
  • Logical separation between corporate and ICS networks
  • Employing a DMZ network architecture (prevent direct traffic between Corporate and Plant Networks)
  • Ensuring that critical components are redundant and on redundant networks
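An audit check for the DMZ point above and for the unsecure protocols named earlier in the deck (telnet, TFTP, RDP), added here as an example that is not part of the deck. It reads a firewall ruleset and flags any permitted path that joins the Corporate and Plant zones directly, bypassing the DMZ, and any rule admitting one of those protocols. The CSV rule format and the sample rules are constructed assumptions; a real vendor export needs its own parser.

```python
"""Audit a corporate/DMZ/plant firewall ruleset for the two findings an ICS auditor
looks for first: direct corporate<->plant paths that bypass the DMZ, and rules that
admit cleartext or weakly protected management protocols (telnet, TFTP, RDP).
Rule format and sample rules are constructed for this example."""
import csv
import io

# Ports of the protocols the deck names as unsecure (constructed mapping).
INSECURE_PORTS = {23: "telnet", 69: "tftp", 3389: "rdp"}

# Constructed rule export: one rule per line, zones as the deck describes them.
RULES_CSV = """id,src_zone,dst_zone,proto,dport,action
1,corporate,dmz,tcp,443,allow
2,dmz,plant,tcp,502,allow
3,corporate,plant,tcp,3389,allow
4,corporate,plant,tcp,443,allow
5,plant,corporate,udp,69,allow
6,dmz,plant,any,any,allow
7,corporate,plant,any,any,deny
"""

def parse_rules(text):
    """Parse the CSV export; 'any' destination port becomes None."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"] = None if r["dport"] == "any" else int(r["dport"])
    return rows

def audit_rules(rules):
    """Return (rule id, finding) for every rule the auditor should question."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # only permitted paths create exposure
        if {r["src_zone"], r["dst_zone"]} == {"corporate", "plant"}:
            findings.append((r["id"], "direct corporate<->plant path bypasses the DMZ"))
        if r["dport"] in INSECURE_PORTS:
            findings.append((r["id"], f"unsecure protocol {INSECURE_PORTS[r['dport']]} permitted across zones"))
        elif r["dport"] is None:
            findings.append((r["id"], "any-port allow; unsecure protocols not explicitly blocked"))
    return findings

if __name__ == "__main__":
    for rid, msg in audit_rules(parse_rules(RULES_CSV)):
        print(f"rule {rid}: {msg}")
```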

Be proactive

• Gather industry recommended practices
• Engage in a collaborative effort between Management, the ICS engineers and operators, the IT organization, and a trusted automation advisor

(diagram) Network topology with multiple layers: Business, Supervisory, Control; internally isolated functional groups

(diagram) Defense-in-depth layers and the mechanism at each:

• Human Element: Awareness Training
• Physical Layer: Data Diode
• Network Layer: IDS, IPS, Firewall
• Application Layer: Application Monitoring
• Data Integrity: File Integrity Monitoring
• Data: Data Diode
• Data Access: Permissions Control
• User Management: Active Directory, Identity Mgt
• Network Access: NAC, ACL
• Physical Access: Biometrics Systems

6. Conclusion
CONCLUSION

Questions

Comments

