Approaching OT/ICS Security - Adainese.it

Transcription

Approaching OT/ICS Security
Cybersecurity from the Attacker's point of view
www.versivo.it

VERSIVO: Active Cyber Defence
VERSIVO operates in order to make Cyberspace a SAFE place where companies and their people can integrate, interconnect and use technology without worry.
VERSIVO, moreover, tends to upset the cost/benefit advantages of cyber threats, depriving them naturally and implicitly of any advantage.
The vision that guides the future of VERSIVO is to create a culture for the correct handling of Cyber Risk as a competitive advantage in the business market and as a civic value in boosting sensitivity to built-in/by-design Cybersecurity in the consumer market, thus triggering a virtuous and self-powered process.

# whoami
Andrea Dainese – vCISO
- Senior Network & Security Architect with 15 years' experience in securing complex IT infrastructures
- Focused on cyber security strategies, GDPR/ISO 27001 compliance and automation
- VERSIVO Incident Response Team
- Cisco (CCIE), VMware, Red Hat certified
- Privacy and digital security evangelist – expert counselor-mediator in cyberbullying
https://adainese.it
andrea.dainese@versivo.it

# whoami
Rocco Sicilia – Ethical Hacker
- Senior Cloud & Security Architect with 15 years' experience in management of complex IT infrastructures
- Focused on offensive security strategies and system hacking
- VERSIVO Red Team
- Cyber Security Researcher
https://roccosicilia.com
rocco.sicilia@versivo.it

AGENDA

Agenda
- Cybercrime and Industry 4.0
- Peculiarities of OT/ICS devices
- Risk Analysis and Management
- Supply Chain
- Where to start from: a security roadmap

Agenda
Issues:
- Shadow OT
- Weak protocols
- Sensitive communications
- Certified environment
- Remote maintenance
- Removable storage
Solutions:
- Asset discovery & inventory
- Secure programming
- Industrial networks availability
- Malware prevention, patching, virtual patching and backup
- Isolation and secure access

OBJECTIVES

Objectives
Knowledge:
- Threat actors, business models and attack vectors.
- Current cyber attacks targeting IT and OT.
- OT and IT peculiarities.
- Regulations, standards and guidelines.
- Security measures, tools and strategies.
- Approaching Cybersecurity with a continuous-improvement, risk-based approach.

CYBERCRIME

Working atus/1405632693874823168

Threat actor examples
Actor | Goal | Target | Budget
State-Sponsored Actors | Espionage, theft, sabotage | People, corporations, critical services | Very high
Cyber Terrorists | Sabotage | Critical services | High
Cybercriminals (organized) | Financial gain (extortion) | People, corporations | Medium to high
Hacktivists | Sabotage, exposing data | Anyone/anything | Low to medium
Insiders | Sabotage, financial gain | Same organization | Low, with privileged access

Cybercrime revenue (chart; only the labels survive): 2019 companies and cybercrime annual revenue in billions USD. Categories shown: ransomware, trading, trade secret / IP theft, illegal online markets.

Famous Cyber Attacks
- Exploit SMBv1 vulnerability (EternalBlue)
- Data encryption
- Spread out to other systems (worm)

Famous Cyber Attacks
- Disabled 50 substations (135 MW)
- Destroyed SCADA hard drives, battery backups and access to controllers

- Exploit 4 zero-day vulnerabilities
- Developed for air-gapped targets
- Supply chain attack
- Alters centrifuges spin
- Provides false feedback to monitors

- Attack framework (development kit)
- Reprogram the SIS to allow an unsafe state
- Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard

- Compromised WordPress website
- Lateral movement to OT network
- Manual control of HMI via TeamViewer
- Raise NaOH from 100 to 1100 ppm

Famous Cyber Attacks
- Data breach
- Password reuse
- Known vulnerable VPN (CVE-2021-20016)
- Ransomware attack type
- OT shut down as a precaution
- Kick back ...w-a-new-team-of-feds-hacked (truncated link)

- Tens of thousands of terminals are offline
- Impact on civil satellite network (neither maritime nor aviation)
- Misconfiguration in the "management section"
- Hackers' remote access into the modems
- Affected devices need to be manually reprogrammed

Attack Vectors
How ransomware happens and how to stop it: this diagram shows the common attack paths of a human-operated ransomware incident based on examples CERT NZ has seen. The diagram is split into three phases.
- Get initial access via phishing, vulnerable systems, credential theft, supply chain.
- Lateral movement to interesting networks.
Source (truncated link): ...uides/how-ransomware-happens-and-how-to-stop-it/

WHY

Cyberspace
- Provides tools, methods and interactions to get more opportunities
- It is considered the fifth theater of warfare
The remedy
- Find the correct proportion between freedom, even unconscious, and security

PECULIARITIES OF OT/ICS DEVICES

Peculiarities of OT/ICS devices
Weaknesses of OT/ICS devices:
- Designed for «availability»: extremely sensitive to Ethernet disruptions and overloads. Communications do not guarantee confidentiality, integrity and availability (unauthenticated clear-text protocols).
- Long term life: not subject to the same life cycle as IT components (outdated, vulnerable and unpatchable software).

Peculiarities of OT/ICS devices
Common issues:
- Shadow OT
- Weak protocols
- Sensitive communications
- Long term life devices
- Certified environment
- Remote maintenance
- Removable storage

Common issues: shadow OT
Known (maybe):
- PLC & HMI
- IoT & sensors
- SCADA networks
- Maintenance links
- Network communications
- Field network
Unknown:
- Embedded WiFi features
- Undeclared remote access devices (4G, dial-up, Internet VPN)
- Cloud based telemetry
- Forgotten devices
- Passwords (weak/default)
- Vulnerabilities
- Risk (unmanaged)

Common issues: weak and sensitive protocols
Designed for "Availability":
- Real time communications
- Long term life
Weakness:
- Sensitive to network disruptions
- Expose sensitive data (registers)
- Unauthenticated
- No data integrity check
- Well known vulnerabilities
- Unexpected behaviours
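The "unauthenticated" and "no data integrity check" points are easiest to see on the wire. The Python below is an added example, not code from the slides or from VERSIVO: it parses Modbus/TCP frames (MBAP header plus PDU) and, as a passive monitor would, flags any state-changing function code that comes from a host outside an allow-list of known writers. The frames, addresses and allow-list are constructed for the example; the frame builder exists only to create that sample capture.

```python
"""Added example (not from the slides): parsing Modbus/TCP and flagging writes."""
import struct
from dataclasses import dataclass

# Function codes that change PLC state. Nothing in the protocol proves who
# sent them: there is no authentication and no integrity field.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_frame(tid: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP frame: MBAP header followed by the PDU.
    Used only to construct the sample capture below."""
    length = 2 + len(data)  # MBAP length counts unit id + function code + data
    return struct.pack(">HHHBB", tid, 0, length, unit_id, function) + data


def parse_frame(frame: bytes) -> ModbusFrame:
    """Split a frame into its fields and validate the MBAP header.
    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
    PDU  = function code (1) | data
    Note what is absent: no sender identity, no signature, no checksum."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit_id, function = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, unit_id, function, frame[8:])


def audit_frames(captured, allowed_writers):
    """captured: iterable of (source_ip, raw_frame) pairs as a passive tap would
    deliver them. Returns one alert per write request from a host that is not
    on the allow-list, plus one per malformed frame (broken or hostile client)."""
    alerts = []
    for src, raw in captured:
        try:
            frame = parse_frame(raw)
        except ValueError as err:
            alerts.append({"src": src, "reason": f"malformed frame: {err}"})
            continue
        if frame.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alert = {
                "src": src,
                "unit": frame.unit_id,
                "function": frame.function,
                "name": WRITE_FUNCTIONS[frame.function],
            }
            if frame.function == 6 and len(frame.data) >= 4:
                # Write Single Register carries: register address (2) | value (2)
                alert["register"], alert["value"] = struct.unpack(">HH", frame.data[:4])
            alerts.append(alert)
    return alerts


# Constructed sample capture (hypothetical addresses, not real traffic).
SAMPLE_CAPTURE = [
    # HMI reads 10 holding registers from address 0: function 3, read-only
    ("10.0.0.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation (allow-listed) writes two registers: function 16
    ("10.0.0.20", build_frame(2, 1, 16, struct.pack(">HHB", 0, 2, 4) + struct.pack(">HH", 1, 2))),
    # Unknown host writes register 16 := 250: function 6, must be flagged
    ("10.0.0.99", build_frame(3, 1, 6, struct.pack(">HH", 16, 250))),
]
ALLOWED_WRITERS = {"10.0.0.20"}

if __name__ == "__main__":
    for alert in audit_frames(SAMPLE_CAPTURE, ALLOWED_WRITERS):
        print(alert)
```

The allow-list is the whole control here: because the PLC itself cannot tell the engineering workstation from any other host on TCP/502, the distinction has to be made by a monitor or an industrial firewall that knows which sources are supposed to write.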

Common issues: long term life
IT:
- Cheap (relatively)
- 3-7 years life span
- Frequent OS updates
- 30 years of experience in attacking and securing
- Reliable and secure
OT/ICS:
- Expensive
- 10-20 years life span
- "do-not-touch" policy (certified installation)
- IT attacks can be reused
- Legacy, weak and harmful

Common issues: remote maintenance
- Blackbox VPN devices
- Remote maintenance
- Uncontrolled access
- Supply chain attack

Common issues: home made remote maintenance
- Remote assistance (TeamViewer)
- Exposed (vulnerable) HMI (RDP, VNC)
https://www.youtube.com/watch?v=hMtu7vV_HmY

Finding OT/ICS devices
- Siemens S7 devices: port:102 country:"IT"
- Modbus devices: port:502 country:"IT"

Common issues: removable storage
USB storage:
- Infected devices
- Unauthorized devices
- Malicious devices

Risks for OT/ICS devices
Risks:
- Espionage: theft of information, patents, production methods, recipes.
- Sabotage: systems tampering, damage to people or things, modification of the production cycle.
- Extortion: theft and seizure of data and systems.
- Compliance: cyber-insurance exclusion, law violation.
- Physical security: disruptions and attacks can lead to physical damage.
Threat Actors:
- Governments/Terrorists: financing through extortion, espionage and sabotage.
- Cyber criminals: business models based on commissioned theft, extortion.

SUPPLY CHAIN RISKS

Supply Chain Risks
Supply Chain Attacks:
- Connected suppliers: attackers can move from a compromised supplier to the Organization (information theft, lateral movement).
- Material supplier: attacks targeting suppliers can impact the business of the Organization (reflected attack).
- Outsourcing: attacks targeting partners can impact the business of the Organization (reflected attack).
Examples:
- Attackers can use the remote assistance connections to spread out into the Organization.
- Attacks targeting the material supplier can stop the supply of raw materials.
- Attacks targeting the outsourced warehouse can stop sales.

HOW

« He who knows his enemy and knows himself can face a hundred battles without fear »
Sun Tzu, The Art of War

STANDARDS, FRAMEWORKS AND REGULATIONS

Standards and Frameworks
- Framework for Improving Critical Infrastructure Cybersecurity (NIST)
- CIS Controls
- UNI ISO 31000:2018 Risk management — Guidelines
- Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (800-171 & 172)
- Secure Architecture for Industrial Control Systems (Purdue Model)

Regulations
- NIS Directive: significantly affects digital service providers (DSPs) and operators of essential services (OESs). (NIS Dir.)
- Cybersecurity Act: lays down a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT. (Cyb. A.)
- Directive (EU) 2016/1148 (NIS Directive)
- Regulation (EU) 2019/881 (EU Cybersecurity Act)
- NIS2 Directive (in progress)
- MSC-FAL.1/Circ.3 Guidelines (IMO)
- Resolution MSC.428(98) (IMO)
- The ISO/IEC 15408/18045 Common Criteria and evaluation methods, IEC 62443-4-2 Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components, and EN 303-645 cybersecurity for consumer IoT can constitute the basis for all cybersecurity evaluation.
- Cybersecurity Maturity Model Certification (CMMC)

IEC62443 Standard

IEC62443 Standard
IEC 62443 is a set of security standards for the secure development of Industrial Automation and Control Systems (IACS). It provides a thorough and systematic set of cybersecurity recommendations. It's used to defend industrial networks against cybersecurity threats.
Security Levels:
- 0: No specific requirements or security protection are necessary.
- 1: Protection against unintentional or accidental misuse.
- 2: Protection against intentional violation using simple means.
- 3: Protection against intentional violation using sophisticated means.
- 4: Protection against intentional attacks with sophisticated means with extended resources.
Requirements (controls depend on SL):
1. Identification and Authentication Control: identify and authenticate all users.
2. Use Control: enforce the assigned privileges of an authenticated user to perform the requested action.
3. System Integrity: ensure the integrity of the IACS to prevent unauthorized manipulation.
4. Data Confidentiality: ensure the confidentiality of information on communication channels and in data repositories.
5. Restricted Data Flow: segment the control system via zones and conduits to limit the unnecessary flow of data.
6. Timely Response to Events: respond to security violations.
7. Resource Availability: ensure the availability of the control system against the degradation or denial of essential services.
Additional guidelines: CWE, SEI CERT, OWASP, DISA STIG, PLC Security

WHAT

Security measures
Organizational measures:
- Physical and logical audit
- Risk based thinking
- Awareness & Education
- Subcontractor requirements (i.e. ISO 27001)
- Subcontractor audit (GDPR Art. 28)
Technical measures:
- Asset discovery & inventory
- Secure programming
- Industrial networks availability
- Malware prevention, patching, virtual patching and backup
- Isolation and secure access

OT/ICS Assessment
- Physical and logical audit
- Asset discovery & inventory
- Network communication assessment
1. Identify devices (name, version, vulnerabilities, ...)
2. Identify running network protocols
3. Risk assessment (define impact and likelihood)
4. Automate the process
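The four assessment steps above, together with the shadow OT slide, come down to one reconciliation: what discovery saw versus what the asset register claims, scored by impact and likelihood. The Python below is an added example (not code from the slides or from VERSIVO) of that step 4 automation. The device records, the 1-3 likelihood heuristic and the list of unauthenticated protocols are constructed for the example; an assessor would replace them with the organization's own register, scan output and risk scale.

```python
"""Added example (not from the slides): reconcile discovered devices against the
declared inventory (shadow OT) and rank them by impact x likelihood."""
from dataclasses import dataclass

IMPACT = {"low": 1, "medium": 2, "high": 3}

# Protocols with no authentication or integrity check (see the weak protocols slide)
UNAUTHENTICATED = {"modbus", "s7comm", "dnp3"}


@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    role: str                # PLC, HMI, sensor, ...
    protocols: frozenset     # protocols observed on the wire
    known_vulnerable: bool   # firmware/OS matches a published vulnerability
    impact: str              # assessor's judgement of process impact


def likelihood(device: Device, managed: bool) -> int:
    """Constructed heuristic on a 1-3 scale: exposure grows with unauthenticated
    protocols, known vulnerabilities and the absence of any owner (shadow OT)."""
    score = 1
    if device.protocols & UNAUTHENTICATED:
        score += 1
    if device.known_vulnerable:
        score += 1
    if not managed:
        score += 1
    return min(score, 3)


def risk_score(device: Device, managed: bool) -> int:
    return IMPACT[device.impact] * likelihood(device, managed)


def assess(declared, discovered):
    """Compare the asset register (declared) with what passive discovery saw
    (discovered). Returns shadow devices, devices that were declared but never
    seen, and every discovered device ranked by risk, highest first."""
    declared_ips = {d.ip for d in declared}
    discovered_ips = {d.ip for d in discovered}
    shadow = [d.ip for d in discovered if d.ip not in declared_ips]
    missing = [d.name for d in declared if d.ip not in discovered_ips]
    ranked = sorted(
        ((d.name, risk_score(d, d.ip in declared_ips)) for d in discovered),
        key=lambda item: item[1],
        reverse=True,
    )
    return {"shadow": shadow, "missing": missing, "ranked": ranked}


# Constructed sample data (hypothetical names and addresses)
DECLARED = [
    Device("10.0.1.10", "PLC-01", "PLC", frozenset({"modbus"}), True, "high"),
    Device("10.0.1.20", "HMI-01", "HMI", frozenset({"rdp"}), False, "medium"),
    Device("10.0.1.30", "SENSOR-07", "sensor", frozenset({"mqtt"}), False, "low"),
]
DISCOVERED = [
    DECLARED[0],
    DECLARED[1],
    # Seen on the network but absent from the register: shadow OT
    Device("10.0.1.45", "unknown-10.0.1.45", "unknown", frozenset({"s7comm"}), False, "medium"),
]

if __name__ == "__main__":
    report = assess(DECLARED, DISCOVERED)
    print("shadow devices:", report["shadow"])
    print("declared but not seen:", report["missing"])
    for name, score in report["ranked"]:
        print(f"{score:2d}  {name}")
```

Two outputs matter as much as the ranking: a device that was declared but never seen (a stale register, or a link the tap does not cover) and a device seen but never declared, which is the shadow OT the slides warn about. An unknown device scores high even without a known vulnerability simply because nobody owns it.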

OT/ICS Awareness
- Awareness & Education
1. One to one interview
2. Identify risky behaviour (include physical risk)
3. Define policies, procedures and guidelines
4. Educate

Subcontractors and suppliers
- Subcontractor requirements (i.e. ISO 27001)
- Subcontractor audit (GDPR Art. 28)
1. Regularly audit subcontractors and suppliers
2. Analyze risk
3. Include them in the business continuity plan

Technical measures and caveats
- Secure programming: https://plc-security.com/
- Ethernet networks: fail by design (STP convergence)
- Protect industrial networks:
  - Anti-malware solutions (for Windows-based HMI)
  - Virtual patching (industrial firewall)
  - Network segregation and isolation (firewall and host-based firewall)
  - Secure and monitor remote access (firewall, IPS)
- The Purdue Model for Control Hierarchy (ISA-99)
- The Air Gap myth
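Network segregation along the Purdue model is what IEC 62443 requirement 5 ("zones and conduits") asks for, and the "air gap myth" is what you find when you check real flows against it. The Python below is an added example, not code from the slides or from VERSIVO: it maps addresses to Purdue levels, treats a declared list of conduits as the only permitted cross-zone traffic, and gives each observed flow a verdict. The zone map, conduit list and sample flows are constructed for the example; in practice the flows would come from firewall logs or a passive tap.

```python
"""Added example (not from the slides): check observed flows against Purdue
zones and declared conduits (IEC 62443 'restricted data flow')."""
import ipaddress

# Constructed zone map: subnet -> Purdue level (3.5 is the industrial DMZ)
ZONES = {
    "10.10.0.0/16": 4,    # enterprise IT
    "10.20.0.0/24": 3.5,  # industrial DMZ (jump hosts, patch/AV relays)
    "10.30.0.0/24": 3,    # site operations (historian, engineering)
    "10.40.0.0/24": 2,    # supervisory control (SCADA, HMI)
    "10.50.0.0/24": 1,    # basic control (PLC, RTU)
}

# Declared conduits: (source level, destination level, protocol)
CONDUITS = {
    (4, 3.5, "https"),    # enterprise users reach the DMZ only
    (3.5, 3, "opc-ua"),   # DMZ relays data to/from site operations
    (3, 2, "opc-ua"),
    (2, 1, "modbus"),     # SCADA polls the PLCs
}


def level_of(ip: str, zones=ZONES):
    """Purdue level of an address, or None if it belongs to no declared zone."""
    addr = ipaddress.ip_address(ip)
    for cidr, level in zones.items():
        if addr in ipaddress.ip_network(cidr):
            return level
    return None


def check_flow(src: str, dst: str, proto: str, zones=ZONES, conduits=CONDUITS) -> str:
    """Verdict for one observed flow."""
    s, d = level_of(src, zones), level_of(dst, zones)
    if s is None or d is None:
        # An address outside every zone: the 'air gap' was not one (modem, VPN, Internet)
        return "unknown zone"
    if (s, d, proto) in conduits:
        return "allowed"
    if abs(s - d) > 1:
        # Traffic jumping over a whole level, e.g. an office PC straight to a PLC
        return "level skip"
    return "undeclared conduit"


def evaluate_flows(flows, zones=ZONES, conduits=CONDUITS):
    return [(src, dst, proto, check_flow(src, dst, proto, zones, conduits))
            for src, dst, proto in flows]


# Constructed sample flows (hypothetical addresses)
SAMPLE_FLOWS = [
    ("10.10.5.5", "10.20.0.10", "https"),    # enterprise -> DMZ
    ("10.40.0.10", "10.50.0.7", "modbus"),   # SCADA -> PLC
    ("10.10.5.5", "10.50.0.7", "modbus"),    # enterprise host talking straight to a PLC
    ("203.0.113.5", "10.40.0.10", "rdp"),    # external address reaching an HMI
    ("10.40.0.10", "10.50.0.7", "http"),     # adjacent levels, protocol not declared
]

if __name__ == "__main__":
    for src, dst, proto, verdict in evaluate_flows(SAMPLE_FLOWS):
        print(f"{verdict:20} {src} -> {dst} ({proto})")
```

The "unknown zone" verdict is the one to read first: an address that is in no zone map at all is exactly the undeclared 4G modem, dial-up line or vendor VPN from the shadow OT slide, and it is the same finding whether the network was believed to be air-gapped or not.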

WHERE TO START FROM

IT/OT Convergence
IT: the CIA triad
- Confidentiality: only authorized people can access data
- Integrity: data is trustworthy and free from tampering
- Availability: data is available to authorized users
OT: the SRP+C triad
- Safety: ensure safety for people, facilities, operations.
- Reliability: consistent results, maintaining operations.
- Productivity: optimal use
- Customization: there is no one size fits all

IT/OT Convergence
(Same CIA and SRP+C triads as the previous slide, with the convergence point overlaid.)
Convergence Point:
- Safety First
- Risk Appetite determines the needed actions
- Understand stakeholder needs and expectations

Risk Based Thinking
Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
(Figure: risk management)

Cybersecurity Governance
Cybersecurity Governance:
- Security posture measure (asset discovery, vulnerability assessment, ...)
- Risk Analysis (Risk Management)
- Define a strategy (procedures, guidelines, standards, security controls and KPI)
- Implement and Govern
The governance cycle (PDCA):
- Define Objectives (PLAN): KPI, policies, guidelines, standards, controls
- Implement Controls (DO)
- Measure (CHECK)
- Analyze (ACT): KPI, metrics, assessment, risk management, risk appetite, risk analysis
Why a cycle:
- Companies change
- The geopolitical context changes
- The regulations change
- Market perception and requirements change
- Unplanned one-shot activities quickly lose their effectiveness

« Find the correct proportion between freedom and security. »
« Make the attack anti-economic. »

« Security is a process, not a product »Bruce Schneier, Information Security (2000)

Q&A

VERSIVO
Active Cyber Defense
Via Giovanni Felisati, 61
30171 Mestre-Venezia (VE) Italia
info@versivo.it
www.versivo.it
