Professional Documents
Culture Documents
Vulnerabilities of ICS
5.1. Introduction
The analogy with the security of a building makes you realize this: to
ensure security, it is important to have good quality locks and to have secured
the windows; this is the technical aspect. The building use policy should
define rules related to closure, such as closing times. It is then necessary for
users to lock the door, this is the human aspect. They must therefore be made
aware of the importance of the procedure and, if necessary, trained in use of
the locking system. To complete the whole, it is then necessary to plan to
check that the rule is applied and, possibly, to plan a systemic lock when
shifts end by a member of security staff.
A review of the ICS architecture and feedback shows that an attack most
often takes place as follows:
Vulnerabilities of ICS 123
1) the first step consists of entering the industrial network (the one to
which the ICS equipment is connected:
i) from outside the industrial network (IT network, Internet, remote
access):
- after introducing a Trojan horse or a backdoor through social
engineering;
- through network protection vulnerability such as, for example,
lack of network separation, vulnerability of network equipment, etc.;
- via an external workstation used for remote maintenance, and on
which a Trojan horse has been installed;
ii) via a back door installed during manufacture or integration, with or
without the knowledge of the intervener or manufacturer;
iii) via removable media or contaminated mobile equipment (laptop,
tablet, mobile phone);
iv) from unsecured local wireless access;
v) via a wired network connection used by an internal attacker.
At the end of this step, the attacker has equipment connected to the
industrial network and able to discover other equipment, spy or corrupt
exchanges.
2) the second step is discovery of the network, using scanning software
from one of the workstations with access to the network;
3) the third, optional step consists of installing a Trojan horse or back
door on other equipment;
4) the last step is to perform malicious actions on Supervisory Control
And Data Acquisition programmable logic controller (SCADA PLCs),
servers and supervision stations (espionage, data corruption, stopping or
slowing down, direct dangerous actions on the physical process), directly or
through modification of programs, more particularly:
i) on servers and supervision stations, in displaying an incorrect view
(actual values are not displayed and/or actual commands are not sent to
PLCs);
ii) on PLCs, by modifying data or programs to create system
malfunctions or damage or to disconnect safety functions;
iii) on historian databases.
124 Cybersecurity of Industrial Systems
By-passing wireless
post or server
network
authenficaon programs
propagaon
Identy the
password test
The attack surface (Manadhata and Wing 2011) of a system is defined as:
– a description of all the points through which an attacker can enter;
– the list of security measures;
– the list of targets to be targeted.
Vulnerability
search
Component Support
Remote
With malicious Maintenance
Support
Phishing Malicious soware
USB key
MES
Plant Network
Engineering
Supervision staon SCADA server
Control Network
BPCS
SIS
Malicious
Insider
Support
Maintenance
Figure 5.3. Attack surface of an ICS. For a color version of this figure, see
www.iste.co.uk/flaus/cybersecurity.zip
126 Cybersecurity of Industrial Systems
For level 1, where the PLCs are located, the vulnerabilities concern, on
the one hand, aspects related to the equipment itself and, on the other hand,
the mechanism that allows users to communicate with the PLC and to use it.
From a technical point of view, a PLC has a central unit and a firmware or
operating system that ensures basic operation. This operating system has
vulnerabilities. A communication is made with the SCADA server and the
engineering stations in order to transfer:
– the user program (in one of the IEC 61131-3 languages, see Chapter 1);
– the configuration;
– commands to control the operating mode (stop, run, reset, etc.);
– control commands sent from the SCADA workstation;
– the sending of data from the PLC to the SCADA and historian servers.
The graph presented in Figure 5.4, obtained from a Kaspersky Labs study
in 2017, provides an idea of the distribution of vulnerabilities: network and
protocol aspects are important.
The NIST guide (Stouffer et al. 2015) or the ANSSI guides (ANSSI
2013b) provide examples of generic vulnerabilities to perform a checklist.
Figure 5.2 shows the most common ones. This checklist makes it possible to
carry out an initial identification of risks on an installation.
Answer
Choosing a SAL Diagram Analysis of
to
standard selecon creaon results
quesons
The first step consists of choosing a reference system from among those
proposed (Table 5.1). Second, the security assurance level (SAL) is
determined by the answers to questions about the potential consequences of a
successful cyber-attack. It can be selected or calculated and provides a
Vulnerabilities of ICS 131
CSET then generates questions using the network topology, the security
standard chosen and the level of SAL chosen. The analyst can select the best
answer to each question using the organization’s actual network
configuration and the security policies and procedures implemented (Figure
5.6). Each question can be combined with background information provided
by the analyst to support the answer.
The last step is the analysis of the results. CSET provides a dashboard and
various possibilities for filtering results.
ISO/IEC 15408 revision 3.1: Common Criteria for Information Technology Security
Evaluation, Revision 3.1
NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities,
January 2010
Figure 5.6. Answer to CSET questions screen. For a color version of this
figure, see www.iste.co.uk/flaus/cybersecurity.zip
Physical vulnerabilities
Organizational vulnerabilities
– No risk assessment
The ICS has not been the subject of a cybersecurity risk analysis.
– Lack of review or audit of the effectiveness of security measures deployed for the
ICS
Procedures and planning must exist to ensure that the measures are implemented
correctly.
134 Cybersecurity of Industrial Systems
User access
Human factor
– No inventory or mapping:
- No list of computer workstations
- No list of equipment
- No controls on connected laptops
- No list of network equipment and topology
- No list of allowed logical flows between applications and units
- No list of external connections (IT network or Internet)
The properties to be protected have not been identified, the perimeter is not known.
There are also search engines that scan the Internet for vulnerable
connected objects.
Shodan11 is the most popular specialized search engine in the search for
electronic devices connected to the Internet. Shodan searches the entire
Internet address space and captures information about each device it finds.