Industrial Control Systems cyber Security

Prepared by: Ahmed Shitta

Industrial Control Systems cyber Security
What is Industrial Control Systems ?
•Industrial Control System (ICS) is a general term that encompasses several types
of control systems used in industrial process control for production and
manufacture, including SCADA, DCS and PLC systems

•ICS’s are typically used in industries such as oil & gas production, power
generation and nuclear installations. ICS’s are specifically designed and
manufactured for the industrial environment, they are designed to be installed
for offshore and onshore applications.

Typical examples of ICS

Industrial Control Systems cyber Security
What is Cyber security ?

Cyber-security is the body of technologies, processes and practices designed to protect

networks, computers, programs and data from attack, damage or unauthorized access. In
a computing context, security includes both cyber-security and physical security.

Do we really need this in the industrial process control network ? ?

 Do we really need this in the industrial process control network ?

To simply answer this question, history says it all !!

Incident Description
2000 Maroochy Water A disgruntled former
Treatment ,Australia employee hacked into the
( SCADA system) system, took control of 150
pumping stations and released
1 million liters of raw sewage
into local parks, rivers and
even the grounds of a Hyatt
Regency hotel over a 3 month
period.
Observations •Radio communications commonly used in SCADA systems are often
insecure or improperly configured
•SCADA devices and software should be secured to the extent possible using
physical and logical controls
•Difficult to differentiate attacks from malfunctions
•Also recommended : Anti-virus , Firewall protection, Appropriate use of
encryption , Upgrade-able SCADA systems (from a security perspective) ,
Proper staff training and Security auditing and control.
2000 Maroochy Water Treatment

•There was no active protection not even a properly configured firewall .

 Famous ICS cyber attacks !!
Incident Description
2003 PDVSA Oil Terminal , Venezuela Details of the cyber attacks on PDVSA’s systems
( PLC Controller) were slow to emerge, but it seemed that
hackers were able to penetrate the SCADA
system responsible for tanker loading at a
marine terminal in eastern Venezuela. Once
inside, the hackers erased the programs in the
programmable logic controllers (PLCs)
operating the facility, preventing tanker
loading for eight hours. Fortunately for PDVSA,
the tactics of attackers were unsophisticated,
making detection of the problem relatively
easy, and backups of the PLC programs were
unaffected, making recovery straightforward.
Observations •Internal surveys at several major oil companies indicated that managers
often misunderstand the situation they face when it comes to SCADA
security. First, many believe that the Information Technology (IT) group
automatically looks after SCADA security
•While IT departments are very good at providing security for systems they
understand, such as Windows® servers and accounting databases, the
critical control systems that run the pipelines and refineries day in and day
out are forbidding beasts to the IT professional .
 Famous ICS cyber attacks !!
Incident Description
2006 Brown’s Ferry Nuclear •Unit 3 was manually shutdown after the failure of both reactor
Plant , USA recirculation pumps and the condensate demineralizer controller.
( PLC Controller and VFD) The condensate demineralizer used a programmable logic
controller (PLC); the recirculation pumps depend on variable
frequency drives (VFD) to modulate motor speed.
• Both kinds of devices have embedded microprocessors that can
communicate data over the Ethernet LAN. However, both devices
are prone to failure in high traffic environments. A device using
Ethernet broadcasts data packets to every other device
connected to the network. Receiving devices must examine each
packet to determine which ones are addressed to them and to
ignore those that are not.
• It appears the Browns Ferry control network produced more
traffic than the PLC and VFD controllers could handle; it is also
possible that the PLC malfunctioned and flooded the Ethernet
with spurious traffic, disabling the VFD controllers; tests
conducted after the incident were inconclusive.
 Famous ICS cyber attacks !!
Incident Description
2010 Iran Nuclear •Stuxnet specifically targets programmable logic controllers
Processing, Iran ( PLC (PLCs), which allow the automation of electromechanical
Controller and DCS) processes such as those used to control machinery on factory
assembly lines, amusement rides, or centrifuges for separating
nuclear material. Exploiting four zero-day flaws, Stuxnet
functions by targeting machines using the Microsoft
Windows operating system and networks, then seeking
out Siemens Step7 software.
•Stuxnet is typically introduced to the target environment via an
infected USB flash drive. The worm then propagates across the
network, scanning for Siemens Step7 software on computers
controlling a PLC. In the absence of either criterion, Stuxnet
becomes dormant inside the computer. If both the conditions are
fulfilled, Stuxnet introduces the infected rootkit onto the PLC and
Step7 software, modifying the codes and giving unexpected
commands to the PLC while returning a loop of normal
operations system values feedback to the users
2010 Iran Nuclear Processing Stuxnet
 IT system Vs ICS system
•Managers often misunderstand the situation they face when it comes to ICS security.
First, many believe that the Information Technology (IT) group automatically looks
after ICS security
Category Information Technology System Industrial Control System
Performance Requirements •Non-real-time •Real-time
•Response must be consistent •Response is time-critical
•Tightly restricted access control •Access to ICS should be
can be implemented to the strictly controlled, but should
degree necessary for security not hamper or interfere with
human-machine interaction
System Operation •Systems are designed for use •Differing and possibly
with typical operating systems proprietary operating systems,
•Upgrades are straightforward often without security
with the availability of capabilities built in
automated deployment tools •Software changes must be
carefully made, usually by
software vendors, because of
the specialized control
algorithms and perhaps
modified hardware and
software involved
 IT system Vs ICS system
Category Information Technology System Industrial Control System
Communications •Standard communications •Many proprietary and standard
protocols communication protocols.
•Primarily wired networks with •Several types of communications
some localized wireless capabilities media used including dedicated
•Typical IT networking practices wire and wireless (radio and
satellite)
•Networks are complex and
sometimes require the expertise
of control engineers
Managed Support •Allow for diversified support styles •Service support is usually via a
single vendor
Component Lifetime •Lifetime on the order of 3 to 5 •Lifetime on the order of 10 to 15
years years
Conclusion :
•The operational and risk differences between ICS and IT systems create the need for increased
sophistication in applying cybersecurity and operational strategies.
• A cross-functional team of control engineers, control system operators and IT security
professionals needs to work closely to understand the possible implications of the installation,
operation, and maintenance of security solutions
Identifying Possible hazards and Vulnerable points
 Identifying Possible hazards and Vulnerable points
Vulnerability Description
Inadequate Incorporating security into the ICS architecture, design must start with
incorporation of budget, and schedule of the ICS. The security architecture is part of
security into the Enterprise Architecture. The architectures must address the
architecture and identification and authorization of users, access control mechanism,
design. network topologies, and system configuration and integrity
mechanisms.
Hardware, firmware, The organization doesn’t know what it has, what versions it has, where
and software not they are, or what their patch status is, resulting in an inconsistent, and
under configuration ineffective defense posture. A process for controlling modifications to
management. hardware, firmware, software, and documentation should be
implemented to ensure an ICS is protected against inadequate or
improper modifications before, during, and after system
implementation. A lack of configuration change management
procedures can lead to security oversights, exposures, and risks. To
properly secure an ICS, there should be an accurate listing of the
assets in the system and their current configurations. These
procedures are critical to executing business continuity and disaster
recovery plans.
 Identifying Possible hazards and Vulnerable points
Vulnerability Description
OS and application Out-of-date OSs and applications may contain newly discovered
security patches are vulnerabilities that could be exploited. Documented procedures should
not maintained or be developed for how security patches will be maintained. Security
vendor declines to patch support may not even be available for ICS that use outdated OSs,
patch vulnerability so procedures should include contingency plans for mitigating
vulnerabilities where patches may never be available.
Inadequate testing of Modifications to hardware, firmware, and software deployed without
security changes testing could compromise normal operation of the ICS. Documented
procedures should be developed for testing all changes for security
impact. The live operational systems should never be used for testing.
The testing of system modifications may need to be coordinated with
system vendors and integrators
Poor remote access There are many reasons why an ICS may need to be remotely
controls accessed, including vendors and system integrators performing system
maintenance functions, and also ICS engineers accessing
geographically remote system components. Remote access capabilities
must be adequately controlled to prevent unauthorized individuals
from gaining access to the ICS.
 Identifying Possible hazards and Vulnerable points
Vulnerability Description
Critical configurations Procedures should be available for restoring ICS configuration settings
are not stored or in the event of accidental or adversary-initiated configuration changes
backed up to maintain system availability and prevent loss of data. Documented
procedures should be developed for maintaining ICS configuration
settings.
Improper data linking ICS data storage systems may be linked with non-ICS data sources. An
example of this is database links, which allow data from one database
to be automatically replicated to others. Data linkage may create a
vulnerability if it is not properly configured and may allow
unauthorized data access or manipulation
Malware protection Installation of malicious software, or malware, is a common attack.
not installed or up to Malware protection software, such as antivirus software, must be kept
date current in a very dynamic environment. Outdated malware protection
software and definitions leave the system open to new malware
threats.
 Identifying Possible hazards and Vulnerable points
Vulnerability Description
Denial of service (DoS) ICS software could be vulnerable to DoS attacks, resulting in the
prevention of authorized access to a system resource or delaying
system operations and functions.
Logs not maintained Without proper and accurate logs, it might be impossible to determine
what caused a security event to occur
Unauthorized Physical access to ICS equipment should be restricted to only the
personnel have necessary personnel, taking into account safety requirements, such as
physical access to emergency shutdown or restarts. Improper access to ICS equipment
equipment can lead to any of the following:
 Physical theft of data and hardware
 Physical damage or destruction of data and hardware
 Unauthorized changes to the functional environment (e.g., data
connections, unauthorized use of removable media, adding/removing
resources)
 Disconnection of physical data links
 Undetectable interception of data (keystroke and other input
logging)
 Identifying Possible hazards and Vulnerable points
Vulnerability Description
Radio frequency, The hardware used for control systems is vulnerable to radio frequency
electromagnetic pulse and electro-magnetic pulses (EMP), static discharge, brownouts and
(EMP), static discharge, voltage spikes.. The impact can range from temporary disruption of
brownouts and voltage command and control to permanent damage to circuit boards. Proper
spikes shielding, grounding, power conditioning, and/or surge suppression is
recommended
Lack of backup power Without backup power to critical assets, a general loss of power will
shut down the ICS and could create an unsafe situation. Loss of power
could also lead to insecure default settings.
Unsecured physical Unsecured universal serial bus (USB) and PS/2 ports could allow
ports unauthorized connection of thumb drives, keystroke loggers, etc.
Inadequate Unauthorized access to configuration and programming software could
authentication, provide the ability to corrupt a device.
privileges, and access
control in software
Firewalls nonexistent A lack of properly configured firewalls could permit unnecessary data
or improperly to pass between networks, such as control and corporate networks,
configured allowing attacks and malware to spread between networks, making
sensitive data susceptible to monitoring/eavesdropping, and providing
individuals with unauthorized access to systems
 Security means access control

To secure the ICS network we must

•Control data flow and access
Between each two layers
•Control direct access to the hardware
In the control network layer We need
Control
Who and
What will
Pass through
But how ? Also we
must
control
who gets
access
 Security means access control
Firewalls

•What is a Firewall?
•Types of Firewalls
•Classes of Firewalls
•Overall Security Goals of ICS network Firewalls
•Common ICS network Segregation Architectures
 Security means access control
Firewalls
•What is a Firewall?

A firewall is a mechanism used to control and monitor traffic to and from a network
for the purpose of protecting devices on the network. It compares the traffic passing
through it to a predefined security criteria or policy, discarding messages that do not
meet the policy’s
 Security means access control
Firewalls
•Types of Firewalls
A firewall can come in many different designs and configurations
1. It can be a separate hardware device
physically connected to a network
(such as the Cisco ASA® or
the Symantec Security Gateway® firewalls)

2. a completely host-based software solution

installed directly on the workstation
to be protected
(such as Norton Personal Firewall® or Sygate Personal Firewall®).
 Security means access control
Firewalls
•Classes of Firewalls
•Packet Filter Firewalls
•Stateful Firewalls
•Application Proxy Firewalls
•Deep Packet Inspection Firewalls

As an Automation engineer all you need to know

Network traffic is sent in discrete groups of bits, called a packet. Each packet
typically contains a number of separate pieces of information, including (but
not limited to) items such as the:
• Sender's identity (Source Address).
• Recipient's identity (Destination Address).
• Service to which the packet pertains (Port Number).
• Network operation and status flags.
• Actual payload of data to be delivered to the service.
A firewall, determines what action to take with the packet, These decisions are
based on a series of rules commonly referred to as Access Control Lists (ACLs).
 Security means access control
Firewalls
•Overall Security Goals of ICS network Firewalls

Ideally, a process control or SCADA network would be a closed system, accessible only
by trusted internal components such as the Human Machine Interface (HMI) stations
and data historians.

But
the need for external access from both corporate users and selected 3rd parties
exists
•production and maintenance management information needs to be relayed to
computers and users outside of the plant floor for management purposes
•vendors may need to access controllers for support purposes. Implicitly this means
that some network paths exist from the outside
 Security means access control
Firewalls
•Overall Security Goals of ICS network Firewalls

The goal of the firewall, simply stated, is to minimize the risk of unauthorized access
(or network traffic) to internal components on the ICS systems. Such a risk
minimization strategy will typically include the following general objectives.

1. No direct connections from the Internet to the PCN/SCADA network and viceversa.
2. Restricted access from the enterprise network to the control network.
3. Unrestricted (but only authorized) access from the enterprise network to shared
PCN/enterprise servers
4. Secure methods for authorized remote support of control systems.
5. Secure connectivity for wireless devices (if used).
6. Monitoring of traffic attempting to enter and on the PCN.
 Security means access control
Firewalls
•Common ICS network Segregation Architectures.

1. Dual-Homed Computers .
2. Dual-Homed Server with Personal Firewall Software .
3. Packet Filtering Router/Layer-3 Switch between PCN and EN.
4. Two-Port Firewall between PCN and EN.
5. Router/Firewall Combination between PCN and EN .
6. Firewall with Demilitarized Zones between PCN and EN .
7. Paired Firewalls between PCN and EN .
 Common ICS network Segregation Architectures

1.Dual-Homed Computers.

Observations •A computer without proper security controls could pose additional threats
•All connections between the control network and the corporate network
should be through a firewall. This configuration provides no security
improvement and should not be used to bridge networks (e.g., ICS and
corporate networks).
 Common ICS network Segregation Architectures

2.Dual-Homed Server with Personal Firewall Software .

Observations •The first issue with this solution is that it will only provide a mechanism to
allow the sharing of server data. If there is any other traffic that needs to
traverse the PCN to EN boundary (such as remote maintenance access to a
controller) then this architecture will either completely block that traffic or
leave the PCN poorly secured.
 Common ICS network Segregation Architectures

3. Packet Filtering Router/Layer-3 Switch between PCN and EN.

Observations •This type of packet filter design is only secure if the enterprise network is
known to be highly secure in its own right and is not generally subject to
attacks.
Common ICS network Segregation Architectures
4.Two-Port Firewall between PCN and EN.
 Common ICS network Segregation Architectures
4.Two-Port Firewall between PCN and EN.

Observations •this communication occurs at the application layer as Structured Query

Language (SQL) or Hypertext Transfer Protocol (HTTP) requests. Flaws in the
historian’s application layer code could result in a compromised historian

•if HTTP packets are allowed through the firewall, then Trojan horse
software accidentally introduced on an HMI or control network laptop could
be controlled by a remote entity and send data .

•while this architecture is a significant improvement over a non-segregated

network, it requires the use of firewall rules that allow direct
communications between the corporate network and control network
devices. This can result in possible security breaches if not very carefully
designed and monitored
Common ICS network Segregation Architectures
5.Router/Firewall Combination between PCN and EN .
 Common ICS network Segregation Architectures
5.Router/Firewall Combination between PCN and EN .

Observations •The use of a router/firewall combination. The router sits in front of the
firewall and offers basic packet filtering services, while the firewall handles
the more complex issues using either stateful inspection or proxy
techniques. This type of design is very popular in Internet-facing firewalls
because it allows the faster router to handle the bulk of the incoming
packets, especially in the case of DoS attacks, and reduces the load on the
firewall. It also offers improved defense-in-depth because there are two
different devices an adversary must bypass
Common ICS network Segregation Architectures
6.Firewall with Demilitarized Zones between PCN and EN .
 Common ICS network Segregation Architectures
6.Firewall with Demilitarized Zones between PCN and EN .

Observations •By placing corporate-accessible components in the DMZ, no direct

communication paths are required from the corporate network to the
control network; each path effectively ends in the DMZ. Most firewalls can
allow for multiple DMZs, and can specify what type of traffic may be
forwarded between zones.

•If a patch management server, an antivirus server, or other security server

is to be used for the control network, it should be located directly on the
DMZ. Both functions could reside on a single server. Having patch
management and antivirus management

•The primary security risk in this type of architecture is that if a computer in

the DMZ is compromised, then it can be used to launch an attack against
the control network via application traffic permitted from the DMZ to the
control network
Common ICS network Segregation Architectures
7.Paired Firewalls between PCN and EN .
 Common ICS network Segregation Architectures
7.Paired Firewalls between PCN and EN .

Observations •If firewalls from two different manufacturers are used, then this solution
may offer a “defence in depth” advantage. It also allows process control
groups and the IT groups to have clearly separated device responsibility
since each can manage a firewall on its own. In fact it is the study team’s
understanding that this design is recommended in the Federal Energy
Regulatory Commission (FERC) Proposal for Security Standards for this
reason
Industrial Control Systems cyber Security
summary
Industrial Control Systems cyber Security
references
1. "NRC Information Notice 2003-14: Potential Vulnerability of Plant Computer
Network to Worm Infection", United States Nuclear Regulatory Commission,
Washington, DC, August 29, 2003

2. “Process Control Network Reference Architecture v 1.0”, Invensys Inc., January

2004, pg. 2, 5

3. “Experion PKS Network and Security Planning Guide EP-DSX173, Release 210”,
Honeywell Limited Australia, October 2004

4. “Presentation: Securing SIMATIC PCS7 and SIMATIC IT in Networks”, Siemens,

2003
 Industrial Control Systems cyber Security

Prepared by: Ahmed Shitta

Automation Section Head at Egyptian Projects Operation and
Maintenance (EPROM)
Email: ahmedshitta@gmail.com