Professional Documents
Culture Documents
INDUSTRIAL
CONTROL
SYSTEMS
Kamal Khan
Independent Consultant
Auditing ICS
■ Background
■ Why Audit ICS
■ Standards and Procedures
■ General Summary about the Audits
■ Tips and Advice
■ Conclusion
11/7/2015
Background
1
3
11/7/2015
BACKGROUND (1)
Nearly 30 years of IS Audit
experience
Qualifications
•Management/Systems Analysis
Certifications
•CISA/CISSP
4
11/7/2015
BACKGROUND (2)
ICS Audits
• Refineries
• Gas Operations
• Pipelines
• Terminals Department
• Oil Processing
• GOSPs
• Joint Ventures
5
11/7/2015
Why Audit ICS?
2
6
11/7/2015
WHY AUDIT ICS?
•Vendors
•Contractors, consultants
•Area IT
7
11/7/2015
MALICIOUS ATTACK 1
Stuxnet
8
11/7/2015
MALICIOUS ATTACK 2
Maroochy Water Services,
Australia
•On at least 46 occasions issued radio
commands to the sewage equipment
•Caused 800,000 liters of raw sewage
to spill out into local parks, rivers and
a hotel
•Marine life died, the creek water
turned black and stench was
unbearable for residents
9
11/7/2015
MALICIOUS ATTACK 3
10
11/7/2015
MALICIOUS ATTACK 4
Bellingham Control System Cyber
Security Case
• A central control center from which pipeline
controllers can remotely monitor key variables
and components
• The system administrator may have been
programming some new reports on a terminal in
the control center computer room
• The Pipeline was damaged by a contractor who
was installing water lines
• Pressure relief valves had been improperly
configured during construction. Corrective
actions by the company were ineffective
11
11/7/2015
BELLINGHAM CONTROL
SYSTEMS
12
11/7/2015
INCREASED RISKS (1)
Adoption of standardized protocols and
technologies with known vulnerabilities
•Transitioning from proprietary protocols to less expensive,
standardized technologies such as MS Windows.
13
11/7/2015
INCREASED RISKS (2)
14
11/7/2015
Standards and Procedures
3
15
11/7/2015
ISA/IEC-62443: FORMERLY ISA-
99
Procedures covering:
Standards covering:
16
11/7/2015
ISA/IEC-62443: FORMERLY ISA-
99
Contents
•General
•Policies and Procedures
•System
•Components
17
11/7/2015
ISA COMPONENTS
18
11/7/2015
NIST SPECIAL PUBLICATION
800-82
Guide to Industrial Control Systems
(ICS) Security Areas Covered
• Network Architecture
• Firewalls
• Logically Separated Control Network
• Network Segregation
• ICS Security Controls
• Security Assessment and Authorization
• Planning
• Risk Assessment
• System and Services Acquisition
• Program Management
• Personnel Security
19
11/7/2015
General Summary about Audit Work
4
20
11/7/2015
SCOPE OF AUDIT WORK
Risk-based, not only compliance
Areas covered:
•ICS Governance
•Systems Security
•Business Continuity
•Change Management & Obsolescence Management
•Physical and Environmental Controls
•Systems Monitoring
21
11/7/2015
ICS AUDIT UNIVERSE
Gas Operations
Oil Operations
Pipelines
Power Systems
Joint Ventures
22
11/7/2015
ICS AREAS COVERED
The Process Automation Network (PAN)
23
11/7/2015
AUDIT AREAS
Awareness /
Training
Patch Environmental
Access Control
Management Controls
Securty Continuity /
Governance Network Access
Perimeters Resilience
24
11/7/2015
Tips and Advice
5
25
11/7/2015
TIPS AND ADVICE (1)
Risk Assessments to identify key areas to focus on
26
11/7/2015
RISK ASSESSMENT
Identify Threats
Identify
Determine Vulnerabilities that
Residual Risk could be exploited
Determine
Severity of Identify Controls
Impact
Determine
Likelihood of
Occurrence of
threat
27
11/7/2015
TIPS AND ADVICE (2)
Defense in Depth
• Layering security mechanisms such that the impact of a failure in any one
mechanism is minimized. Should include:
• Policies, procedures and training
• Implementing a network topology with multiple layers
• Logical separation between corporate and ICS networks
• Employing a DMZ network architecture (prevent direct traffic between
Corporate and Plant Networks)
• Ensuring that critical components are redundant and on redundant
networks
Be proactive
28
11/7/2015
Business Supervisory Control
Internally isolated
functional groups
29
11/7/2015
Human Element Awareness Training
Application Monitoring
Application Layer
Active
User Management Identity Mgt
Directory
NAC ACL
Network Access
Physical Access
Physical Access Biometrics Systems
30
11/7/2015
Conclusion
6
31
11/7/2015
CONCLUSION
Questions
Comments
32
11/7/2015