
Kaspersky Industrial Cyber Security

Chapter 1. Introduction to Industrial Control System Security

Technical training KL 138.27


Chapter 1. Introduction to Industrial Control System Security
• What Is an Industrial Control System?
• The Main Elements of Modern Industrial Control Systems
• SCADA Systems
• Specifics of Industrial Networks and Security Threats
• Capabilities and Limitations of Classic Protection Tools
• Kaspersky Industrial Cyber Security Overview

Chapter 2. Kaspersky Industrial Cyber Security for Nodes


Chapter 3. Kaspersky Industrial Cyber Security for Networks
What Is an Industrial Control System?
• An Industrial Control System (ICS) is a complex solution that automates the main technological processes of an entire manufacturing facility or of a constituent part of it
• The main objective of an industrial control system is to improve the efficiency of managing the industrial object, and hence production efficiency
• Each industrial control system project is unique to varying degrees and is closely tied to the respective technological process
An Example of a Production Process
— Industrial object: wind turbine
— Process: power generation

[Figure: wind turbine with components 1 to 4 labeled]
1. Turbine: converts the wind energy into rotational shaft energy
2. Brake system: controls overspeed, and provides parking and emergency braking
3. Generator: converts the rotational shaft energy into electrical power
4. Yaw system: turns the turbine to follow the wind direction

Manual control is inefficient; it must be computerized

An Example of Process Automation
[Figure: field equipment, PLC, network and HMI connected in a chain]
— FIELD EQUIPMENT: field equipment implements the industrial process
— PLC: the programmable logic controller (PLC) automatically regulates the process by maintaining the preset technological parameters
— NETWORK: network infrastructure provides data exchange between the PLC and the workstation of the industrial process operator
— HMI: the interface that visualizes the industrial process and enables the operator to adjust its parameters
The Main Elements of Modern Industrial Control Systems
FIELD EQUIPMENT
— Field (terminal) equipment performs the industrial process
  — Electromechanical drives
  — Measuring devices
— Can be connected to the PLC using various technologies
  — Direct I/O
  — Serial interfaces RS-232, RS-485
  — Ethernet, PROFIBUS, CAN bus, etc.
— Can support management over various manufacturer-specific application protocols
PLC
— Programmable logic controller (PLC)
  — Helps to automate a part of the industrial process
  — Is manufactured separately from the controlled equipment
  — Is designed for long-term unattended operation under unfavorable environmental conditions
— Major PLC components
  — Processor module
  — Input module
  — Output module
— Special programming languages are used (LD, FBD, SFC, IL, etc.)
NETWORK
— Industrial Ethernet
  — Extends the standard Ethernet
  — Supports real-time data exchange
  — Provides additional manufacturer-specific fail-safety features
  — Imposes high requirements for the reliability of equipment and cable infrastructure
— Industrial communication protocols
  — Ensure efficient data exchange in an industrial environment
  — The most popular ones have versions that can work over TCP/IP
  — Examples: PROFINET, Modbus, S7Comm, EtherCAT, EtherNet/IP, CAN, PRP, HSR, HSRP, and others
HMI
— Human-Machine Interface
  — Enables the operator to access the industrial process status data (telemetry)
  — Enables the operator to change the process parameters (control actions)
— HMI can be implemented as hardware or software
Personnel
Personnel is an integral part of an industrial control system, because
— It is not always possible or economical to automate the whole industrial process
— Supervisory control is necessary to monitor the process, adjust the technological parameters if necessary, and prevent emergencies
SCADA Systems
Types of Management Systems
• DCS, Distributed Control System
  — Is technology-oriented
  — The architecture involves a direct and permanent connection to the data sources
• SCADA, Supervisory Control And Data Acquisition
  — Is designed for gathering and processing industrial data; may include a few DCS components
  — The architecture allows the system to endure communication outages

Essentially, both are monitoring and control systems that include hardware and software responsible for communicating with the field equipment
Major SCADA Components
[Figure: Historian, Control Server and HMI connected over the network to several PLCs and the field equipment]
— Control server: supplies the clients with process and log data, alarms, screens, and reports
— Historian: accumulates time-stamped data about the industrial process parameters, which is necessary for operational analysis and planning
— HMI: provides the control and monitoring capabilities

Major manufacturers of SCADA systems: Siemens, ABB, GE, SEL, COPA-DATA, Schneider Electric, Wonderware, Rockwell, ARC Informatique, etc.
A SCADA Project
— A SCADA project stores software configuration for a specific component (HMI, Historian, ...) or the whole system
— While developing a project, an industrial control system engineer describes the technological process and interconnects the software components to the equipment
— An interactive graphic schema of the industrial process (a mimic diagram) is an important part of a SCADA project
Data Exchange Within a SCADA System
— A SCADA tag
  — A variable specified in the settings of the SCADA system that defines an industrial process parameter
  — A tag can be bound to a variable in the PLC program
— The main tag properties are:
  — A unique character-string name within the SCADA system
  — Data type
  — The address of the respective variable in the PLC memory
Data Exchange Within a SCADA System
[Figure: Historian, Control Server and HMI reading tags Tag_01 through Tag_15 from three PLCs connected to the field equipment]
— A tag value changes when the PLC executes its program
— System components (for example, HMI) regularly read tag values from the PLC memory and calculate the industrial process status
— The system operator can adjust the process parameters through HMI by changing the tag values remotely
— The tags make up a distributed database for the SCADA system
Specifics of Industrial Networks and Security Threats
Office and Industrial Control Networks
[Figure: corporate network (DB server, e-mail server, application server, workstations, laptops, smartphones) connected to the Internet and to the industrial network (Historian, Control Server, HMI, laptops, PLCs)]
— Modern businesses require deep integration of office and industrial networks
— Historically, industrial networks have the following specifics:
  — Outdated operating systems have to be used
  — Trusted communications between the devices
  — Weak protection of industrial protocols
  — Updates cannot be installed automatically
  — Office information security practices are not applicable to an industrial network
Security Threats in a Modern Industrial Network
[Chart: "What are the top three threat vectors you are most concerned with?"*]
— In general, the threat landscape is similar to that of a corporate environment
— Mutual integration of an industrial network and office infrastructure is considered to be a threat by itself, similar to malware
— The majority of respondents (61%) ranked external threats as the top threat vector with which they were concerned (73% in 2015)

*SANS 2016 State of ICS Security Survey


Vulnerabilities and Potential Attack Vectors
[Figure: corporate network and industrial network connected through the Internet, as in the previous diagram]
— Hacking through the integrated office network
— Uncontrolled use of removable drives by employees
— Outsourced industrial network maintenance, which is sometimes performed through trusted remote connections over the Internet
— Unauthorized connections to the industrial network
— Weak protection mechanisms of communication protocols within the industrial network
— Absent authentication settings on the industrial equipment
Statistics
[Chart: vulnerabilities, total reported incidents, energy incidents and energy vulnerabilities by fiscal year, 2010 to 2016*]
— 1797 vulnerabilities and 1463 incidents over 7 years
— 48% of the reported incidents are related to energy and critical manufacturing
— For 37% of the incidents, the attack vector cannot be defined for certain
— Publishing information about industrial cyber incidents is not yet a common practice

*US ICS CERT Team, Fiscal Year 2010-2016 Reviews


The Grid Is Affected the Most
— 59 incidents in the energy sector in FY2016*
[Figure**: electric power grid: electric power control center, generating plant, transmission substation, distribution substation, and residential, industrial and commercial loads, interconnected over leased lines, a private fiber network, a private microwave network and public networks]

*ICS-CERT FY 2010-2016 statistics
**https://www.eia.gov/todayinenergy/detail.php?id=27152
[Image slides: KL CTF 15, KL CTF 16]
Capabilities and Limitations of Classic Protection Tools
Classic Protection
[Figure: corporate network and industrial network, as in the previous diagrams]
— Technical protection tools for office networks are well-known and widely used
— These tools can also be used on the nodes of an industrial network, but with the following stipulations
  — Require additional fine-tuning for a particular environment
  — Critical computational burden
  — Include components redundant for an industrial node
  — May have hidden incompatibilities
  — Outdated operating systems are not supported
Is Classic Protection Enough?
[Figure: corporate network and industrial network, as in the previous diagrams]
— Standard protection tools do not possess adequate capabilities to protect an industrial network
  — Cannot be installed on a PLC
  — Cannot control industrial software
  — Cannot control the industrial network outside the host node
  — Cannot recognize activities aimed at breaking down the technological process
Conclusion
• Due to industrial network specifics
— Most of the malicious objects pose an immediate threat
— Criminals have a wide choice of attack vectors
— Risk of a successful attack, either accidental or targeted, is extremely high
— Classic protection tools are inadequate, sometimes inapplicable, and might even be dangerous
— Malware can operate unnoticed within an industrial network for a long time
— Analysis of security incidents is complicated
• A hacked network or infected nodes are fraught with partial or complete loss of control over
the industrial process
• A specialized solution is required
Kaspersky Industrial Cyber Security Overview
The Range of Products and Solutions by Kaspersky Lab
— The Kaspersky Industrial Cyber Security solution is designed to protect manufacturing information systems at the first and second levels of the ISA95 model
— Upper levels of information systems should be protected with the corresponding Kaspersky Security for Business products

[Figure: ISA95 levels and the corresponding Kaspersky Lab products]
— LEVEL 4. Business planning and logistics: business process, asset, human resource, financial management (ERP). Kaspersky Security for Business + Professional Services
— LEVEL 3. Production management: coordination, analysis, and optimization of production (MES). Kaspersky Security for Business
— LEVEL 2, 1. Process control and automation: industrial process management (SCADA) and direct maintenance of the main production operations and cycles (PLC). Kaspersky Industrial Cyber Security + Professional Services
— LEVEL 0. Data capture: physical devices and field bus sensors. Embedded security
Kaspersky Industrial Cyber Security
[Figure: corporate network and industrial network, as in the previous diagrams]
— The solution is developed considering the specifics of industrial control systems, and its settings are optimized for industrial networks
— Protection for industrial network nodes against classic security threats (malware, vulnerabilities, etc.)
— Control of applications and connected devices
— Protection against unauthorized device connections to the industrial network
— PLC protection: integrity check for software and commands
— Support for industrial communication protocols and protection for critical industrial process parameters
— Integration with SCADA and SIEM
— Centralized management
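As an added example (not code from this training deck or from Kaspersky's products), the Python sketch below ties together the SCADA tag properties described in the "Data Exchange Within a SCADA System" section (name, data type, PLC memory address) and the "protection for critical industrial process parameters" idea from the product overview: it decodes a Modbus/TCP Write Single Register request, maps the register address to a tag table, and flags writes to unmapped registers or values outside a tag's safe range. The tag names, register addresses, ranges and sample frames are all constructed for illustration.

```python
import struct

# Constructed tag table (illustrative, not from any real project):
# holding-register address -> (tag name, data type, safe value range)
TAGS = {
    40: ("Yaw_SetPoint_deg", "UINT16", (0, 359)),
    41: ("Brake_Cmd", "BOOL", (0, 1)),
    42: ("Gen_MaxPower_kW", "UINT16", (0, 3000)),
}

# Modbus/TCP layout, big-endian: MBAP header (transaction id, protocol id,
# length, unit id) followed by the PDU (function code, register address, value)
MBAP_PDU_FMT = ">HHHBBHH"

def parse_modbus_write(frame: bytes):
    """Decode a Modbus/TCP ADU carrying function 0x06 (Write Single Register).
    Returns (unit_id, register_address, value), or None for anything else."""
    if len(frame) != struct.calcsize(MBAP_PDU_FMT):
        return None
    _tid, proto, length, unit, func, addr, value = struct.unpack(MBAP_PDU_FMT, frame)
    # protocol id is always 0 for Modbus; length counts unit id + PDU = 6 bytes
    if proto != 0 or length != 6 or func != 0x06:
        return None
    return unit, addr, value

def check_write(frame: bytes):
    """Classify one write request against the tag table. Returns (verdict, detail)."""
    parsed = parse_modbus_write(frame)
    if parsed is None:
        return "ignore", "not a Write Single Register request"
    unit, addr, value = parsed
    if addr not in TAGS:
        return "alert", f"write to unmapped register {addr} on unit {unit}"
    name, dtype, (lo, hi) = TAGS[addr]
    if dtype == "BOOL" and value not in (0, 1):
        return "alert", f"{name}: non-boolean value {value}"
    if not lo <= value <= hi:
        return "alert", f"{name}: value {value} outside safe range [{lo}, {hi}]"
    return "ok", f"{name} <- {value}"

def build_write(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Build a request frame for the constructed sample traffic below."""
    return struct.pack(MBAP_PDU_FMT, tid, 0, 6, unit, 0x06, addr, value)

if __name__ == "__main__":
    # constructed sample traffic: a normal yaw set-point, an out-of-range power
    # limit, and a write to a register no tag is bound to
    for frame in (build_write(1, 1, 40, 90), build_write(2, 1, 42, 4500), build_write(3, 1, 99, 1)):
        print(check_write(frame))
```

A real monitor would feed captured Modbus/TCP sessions into `check_write` and forward the "alert" verdicts to the SIEM integration mentioned above.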
