PureLand Wastewater Treatment Cyber Security Case Study Company Summary PureLand Wastewater Treatment Inc. (est. 2001) is a company providing years of experience in all aspects of Wastewater Treatment with special emphasis on the Chemical Manufacturing and Biological Fermentation industries. We are a flexible, responsive organization with a network of resources to handle any size project. Each project is approached by utilizing our strong sterilization and engineering skills while drawing on our background in Operations, Service, Validation, and Quality to provide solutions for all of your Wastewater Treatment needs. We provide personal attention to ensure customer satisfaction in all services and equipment we supply. Security Concerns PureLand has special security concerns due to the highly toxic nature of some of the chemicals they use to sterilize and treat wastewater streams for their customers. Although Physical Security has always been on their radar and relatively strong, Cyber Security has not been something that they were particularly concerned about. After all, the chemicals they use to do their work were not proprietary so they had little concern about theft of intellectual property or trade secrets being compromised. All this changed recently when PureLand executives and operations folks were contacted by the Department of Homeland Security (DHS) in regard to a particularly toxic chemical they use to sanitize Wastewater in biologically hazardous processes-Chlorine Dioxide. DHS officials were aware of their use of the chemical because of publicly available waste treatment permits provided to PureLand by the EPA. As it turns out, Chlorine Dioxide is on the DHS Chemical Facility Anti-Terrorism Standards (CFATS) list of chemicals of interest because of the risks associated with chemical release or sabotage using this chemical. PureLand was aware Chlorine Dioxide was a very dangerous chemical, but they had never considered Cyber Terrorism or theft of the chemical for sabotage when completing prior risk assessments. The implications of this were quite serious for PureLand, as they now are required by Federal law to comply with both Physical and Cyber Security regulations related to their use of this chemical of interest. DHS officials made PureLand aware of their obligations and informed them that they would be subject to an audit by DHS within eighteen months that would assess their compliance with CFATS regulations. If compliance was not achieved within 12 months of the initial audit, PureLand would be subject to huge fines and penalties that could include closure of their facility. PureLand Reaction The PureLand Executives were quite alarmed by the news and immediately formed an internal team to create a Cyber Security improvement and compliance plan. The team researched the issue and reviewed the information provided by DHS around security standards. The first objective was to use a tool provided by DHS to perform a Cyber Security Self Evaluation on their computing systems. The hope was that by using this free tool, they could get some insight on the most critical Cyber Security gaps that existed and potentially provide a road map on where to focus their security improvement plan. A team of system administrators, security professionals, and management representatives worked on the Cyber Security Self Evaluation over a period of two days. Cyber Security Self Evaluation Results The results of the Self Evaluation were very disturbing for the entire team. The evaluation reported varying levels of compliance from 0% to 100%, but it was very clear that they had their work cut out for them. The leadership team met with the IT staff and their IT Security Analyst, and it was decided that they didn’t have the internal staffing or appropriate skillset to implement the needed security improvements within one year. The decision was made to hire an outside consultant to help devise and implement a Cyber Security improvement plan that would achieve these critical objectives: 1. Reduce their risk from Cyber Security incidents to an acceptable level 2. Achieve compliance with CFATS regulations 3. Minimize negative impacts to production and safety Path Forward As the outside consultant, it’s your job to lead the effort to create the Cyber Security improvement plan per the objectives laid out in the accompanying document: Developing Cyber Security Improvement Plan for Industrial Control System - Case Study. You’ll focus your efforts by studying the PureLand Cyber Security Assessment which includes various tables and charts indicating the areas of most concern. PureLand has contracted you to provide two major deliverables for this contract: 1. Industrial Control System Cyber Security Improvement Plan (Detailed requirements included in document – ICS security improvement case description) 2. Presentation to key stakeholders one week prior to formal plan presentation PureLand Wastewater Compliance Audit Objective This assignment requires the students to answer questions as might be encountered while undergoing a compliance audit regarding Department of Homeland Security Chemical Facility Anti-Terrorism Standards (CFATS) regulations. The students will play the role of a Cyber Security consultant being audited by a DHS compliance inspector. Instructions for assignment 1. Find your assigned question from the table below Student Name Assigned Question Name 1 2.1 Name 2 2.2 Name 3 2.3 Name 4 2.4 Name 5 2.5 Name 6 2.6 Name 7 2.7 2. Using the Risk-Based Performance Standards Guidance Chemical Facility Anti-Terrorism Standards document for reference, research and write an answer for one of the following questions (assigned to you based on a random draw) from a DHS inspector conducting a site inspection. Consult your team members if you need help. After the team has compiled all their answers, get ready to be audited by the instructor. You’ll have 20 minutes to research and write your answer. 2.1. What systems listed on your PureLand Network Diagram do you consider to be the most critical systems? Why did you pick these systems as most critical? 2.2. What do you feel are the most important elements of a successful change management process? How will you ensure that changes made to the Cyber systems at PureLand Wastewater won’t lead to Cyber Security Incidents? 2.3. Is there currently any segregation of systems at PureLand based on criticality of the systems? If yes, please explain the segregation strategy. If not, please explain what plans are being developed to segregate assets on the network based on risk. 2.4. What methods are used or planned for implementation to manage passwords? Is there any differentiation in how end user and privileged (e.g., system administrator) accounts are managed? 2.5. Is there currently any Cyber Security awareness and training program in place at PureLand? If yes, please explain the frequency and method of documenting completion. If not, please explain what topics will be included in your awareness program and how you plan to document and track compliance. 2.6. What kinds of technical controls are being used at PureLand to prevent malware attacks? What additional controls are planned for implementation within the next 24 months? 2.7. If PureLand was aware of a Cyber Security incident taking place at their facility, what is the protocol for responding to and reporting the incident? 2.8. What measures does PureLand take (or plan to take) to secure Safety Instrumented Systems to prevent Cyber Security incidents from causing a catastrophic event? 2.9. Does PureLand have an up to date inventory of hardware connected to their network? What is included in the inventory? Is PureLand aware of new devices being added to the network? What technology is used to gain awareness of what devices are connected to the network? 2.10.What do you feel is the greater risk driver for PureLand Chemical theft or diversion or release of the Chemical of Interest and why? 2.11.Provide some examples of areas you feel have physical security concerns related to cyber assets along with brief explanations of why they have higher risk. 2.12.What are the requirements you will have for the person who will manage your cyber security program? 2.13.Does PureLand use shared accounts for accessing computer systems? What are the risks associated with use of shared accounts and how might you mitigate these risks? 2.14.Does PureLand use separation of duties as a security practice? What duties are separated or planned to be separated and why? 2.15.What kinds of controls are in place to ensure access to devices or information is managed appropriately? What processes are used or planned to manage changes to the workforce? 2.16.If PureLand had a Cyber Security Incident take place (for example, an APT penetration), who would PureLand IT folks report the incident to internally and externally? How would they notify the Department of Homeland Security? PureLand Cyber Secrity Assessment 1/1/2014 Assessor: Luke Reissman Disclaimer This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. In no event shall the United States Government or its contractors or subcontractors be liable for any damages, including but not limited to, direct, indirect, special or consequential damages and including damages based on any negligence of the United States Government or its contractors or subcontractors, arising out of, resulting from, or in any way connected with this report, whether or not based upon warranty, contract, tort, or otherwise, whether or not injury was sustained from, or arose out of the results of, or reliance upon the report. The DHS does not endorse any commercial product or service, including the subject of the assessment or evaluation in this report. Any reference to specific commercial products, processes, or services by trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by DHS. The display of the DHS official seal or other DHS visual identities on this report shall not be interpreted to provide the recipient organization authorization to use the official seal, insignia or other visual identities of the Department of Homeland Security. The DHS seal, insignia, or other visual identities shall not be used in any manner to imply endorsement of any commercial product or activity by DHS or the United States Government. Use of the DHS seal without proper authorization violates federal law (e.g., 18 U.S.C. §§ 506, 701, 1017), and is against DHS’s policies governing usage of the seal. The report is prepared and intended for internal use by the organization that made the request. The contents of this report may be subject to government or private intellectual property rights. To request distribution of this report outside the organization for which it was prepared, contact the CSET® Program Office. The contents of this report may be reproduced or incorporated into other reports, but may not be modified without the prior express written permission of the CSET® Program Office. PureLand Cyber Secrity Assessment Page 2 Advisory CSET is only one component of the overall cyber security picture and should be complemented with a robust cyber security program within the organization. A self-assessment with CSET cannot reveal all types of security weaknesses, and should not be the sole means of determining an organization’s security posture. The tool will not provide an architectural analysis of the network or a detailed network hardware/software configuration review. It is not a risk analysis tool so it will not generate a complex risk assessment. CSET is not intended as a substitute for in depth analysis of control system vulnerabilities as performed by trained professionals. Periodic onsite reviews and inspections must still be conducted using a holistic approach including facility walk downs, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps including scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or systems where failures, unexpected faults, or other unexpected results will not compromise production or safety. CSET assessments cannot be completed effectively by any one individual. A cross-functional team consisting of representatives from operational, maintenance, information technology, business, and security areas is essential. The representatives must be subject matter experts with significant expertise in their respective areas. No one individual has the span of responsibility or knowledge to effectively answer all the questions. Data and reports generated by the tool should be managed securely and marked, stored, and distributed in a manner appropriate to their sensitivity. PureLand Cyber Secrity Assessment Page 3 TABLE OF CONTENTS Table Of Contents .................................................................................................................. 4 Assessment Information ......................................................................................................... 5 Description Of Assessment .................................................................................................... 6 Executive Summary ............................................................................................................... 6 Standards Compliance .......................................................................................................... 7 Network Diagram ................................................................................................................... 8 Ranked Subject Areas ........................................................................................................... 9 PureLand Cyber Secrity Assessment Page 4 ASSESSMENT INFORMATION Assessment Name: PureLand Cyber Secrity Assessment Assessment Date, (MM/DD/YYYY): 1/1/2014 Facility Name: PureLand Wastewater Treatment Plant City or Site Name: Kalamazoo State, Province or Region: MI Principal Assessor Name: Luke Reissman Assessor E-mail: luke.x.reissman@wilmu.edu Assessor Telephone: 302-555-1212 Additional Notes and Comments: Contact(s): PureLand Cyber Secrity Assessment Page 5 DESCRIPTION OF ASSESSMENT Ficticious Cyber Security Self Evaluation EXECUTIVE SUMMARY Cyber terrorism is a real and growing threat. Standards and guides have been developed, vetted, and widely accepted to assist with protection from cyber attacks. The Cyber Security Evaluation Tool (CSET) includes a selectable array of these standards for a tailored assessment of cyber vulnerabilities. Once the standards were selected and the resulting question sets answered, the CSET created a compliance summary, compiled variance statistics, ranked top areas of concern, and generated security recommendations. PureLand Cyber Secrity Assessment Page 6 STANDARDS COMPLIANCE PureLand Cyber Secrity Assessment Page 7 NETWORK DIAGRAM PureLand Cyber Secrity Assessment Page 8 RANKED SUBJECT AREAS This chart shows subject areas needing the most attention. Each bar represents the labeled subject area’s weighted contribution so that the combined total always equals 100%. The weighted contribution includes the importance of both the question and the subject area, as well as the percentage of missed questions in that subject area. PureLand Cyber Secrity Assessment Page 9 PureLand Cyber Secrity Assessment Page 10 Industrial Network Security Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems Second Edition Page left intentionally blank Industrial Network Security Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems Second Edition Eric D. Knapp Joel Thomas Langill Technical Editor Raj Samani AMSTERDAM • BOSTON • HEIDELBERG • LONDON NEW YORK • OXFORD • PARIS • SAN DIEGO SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO Syngress is an Imprint of Elsevier Acquiring Editor: Chris Katsaropoulos Editorial Project Manager: Benjamin Rearick Project Manager: Surya Narayanan Jayachandran Cover Designer: Maria Ines Cruz Syngress is an imprint of Elsevier 225 Wyman Street, Waltham, MA 02451, USA © 2015 Elsevier Inc. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions. This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein). Notices Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility. To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein. Library of Congress Cataloging-in-Publication Data Application Submitted British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library ISBN: 978-0-12-420114-9 For information on all Syngress publications visit our website at www.syngress.com. Contents About the Authors..................................................................................................... xv Preface.....................................................................................................................xvii Acknowledgments....................................................................................................xix CHAPTER 1 Introduction.................................................................................. 1 Book Overview and Key Learning Points.............................................. 1 Book Audience........................................................................................ 2 Diagrams and Figures............................................................................. 2 The Smart Grid....................................................................................... 3 How This Book is Organized.................................................................. 3 Chapter 2: About Industrial Networks............................................. 3 Chapter 3: Industrial Cyber Security, History, and Trends............. 4 Chapter 4: Introduction to ICS and Operations............................... 4 Chapter 5: ICS Network Design and Architecture.......................... 4 Chapter 6: Industrial Network Protocols......................................... 4 Chapter 7: Hacking Industrial Systems........................................... 5 Chapter 8: Risk and Vulnerability Assessments.............................. 5 Chapter 9: Establishing Zones and Conduits................................... 5 Chapter 10: Implementing Security and Access Controls............... 5 Chapter 11: Exception, Anomaly, and Threat Detection................. 5 Chapter 12: Security Monitoring of Industrial Control Systems............................................................................................ 6 Chapter 13: Standards and Regulations........................................... 6 Changes Made to the Second Edition.............................................. 6 Conclusion.............................................................................................. 7 CHAPTER 2 About Industrial Networks......................................................9 The Use of Terminology Within This Book........................................... 9 Attacks, Breaches, and Incidents: Malware, Exploits, and APTs........................................................ 11 Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets.............................................................. 11 Security Controls and Security Countermeasures......................... 12 Firewalls and Intrusion Prevention Systems.................................. 12 Industrial Control System.............................................................. 13 DCS or SCADA?........................................................................... 15 Industrial Networks....................................................................... 15 v vi Contents Industrial Protocols........................................................................ 15 Networks, Routable Networks, and Nonroutable Networks......... 18 Enterprise or Business Networks................................................... 20 Zones and Enclaves....................................................................... 22 Network Perimeters or “Electronic Security Perimeters”............. 24 Critical Infrastructure..................................................................... 26 Common Industrial Security Recommendations.................................. 29 Identification of Critical Systems.................................................. 29 Network Segmentation/Isolation of Systems................................. 31 Defense in Depth........................................................................... 33 Access Control............................................................................... 34 Advanced Industrial Security Recommendations................................. 35 Security Monitoring....................................................................... 36 Policy Whitelisting........................................................................ 36 Application Whitelisting................................................................ 36 Common Misperceptions About Industrial Network Security.................................................................. 37 Assumptions Made in This Book.................................................. 38 Summary............................................................................................... 39 Endnotes................................................................................................ 39 CHAPTER 3 Industrial Cyber Security History and Trends..................................................................................41 Importance of Securing Industrial Networks........................................ 41 The Evolution of the Cyber Threat....................................................... 44 APTs and Weaponized Malware................................................... 47 Still to Come.................................................................................. 50 Defending Against Modern Cyber Threats.................................... 51 Insider Threats...................................................................................... 52 Hacktivism, Cyber Crime, Cyber Terrorism, and Cyber War.............. 53 Summary............................................................................................... 55 Endnotes................................................................................................ 55 CHAPTER 4 Introduction to Industrial Control Systems and Operations..........................................................................59 System Assets....................................................................................... 59 Programmable Logic Controller.................................................... 59 Remote Terminal Unit................................................................... 63 Intelligent Electronic Device......................................................... 64 Human–Machine Interface............................................................ 64 Contents Supervisory Workstations.............................................................. 67 Data Historian................................................................................ 67 Business Information Consoles and Dashboards........................... 68 Other Assets................................................................................... 69 System Operations................................................................................ 70 Control Loops................................................................................ 70 Control Processes........................................................................... 72 Feedback Loops............................................................................. 73 Production Information Management............................................ 73 Business Information Management............................................... 74 Process Management............................................................................ 76 Safety Instrumented Systems................................................................ 78 The Smart Grid..................................................................................... 80 Network Architectures.......................................................................... 82 Summary............................................................................................... 82 Endnotes................................................................................................ 83 CHAPTER 5 Industrial Network Design and Architecture.................. 85 Introduction to Industrial Networking.................................................. 87 Common Topologies............................................................................. 92 Network Segmentation.......................................................................... 96 Higher Layer Segmentation........................................................... 99 Physical vs. Logical Segmentation.............................................. 104 Network Services................................................................................ 106 Wireless Networks.............................................................................. 107 Remote Access.................................................................................... 108 Performance Considerations............................................................... 111 Latency and Jitter......................................................................... 111 Bandwidth and Throughput......................................................... 112 Type of Service, Class of Service, and Quality of Service.......... 112 Network Hops.............................................................................. 113 Network Security Controls.......................................................... 113 Safety Instrumented Systems.............................................................. 114 Special Considerations........................................................................ 115 Wide Area Connectivity.............................................................. 115 Smart Grid Network Considerations........................................... 116 Advanced Metering Infrastructure............................................... 118 Summary............................................................................................. 119 Endnotes.............................................................................................. 119 vii viii Contents CHAPTER 6 Industrial Network Protocols............................................. 121 Overview of Industrial Network Protocols......................................... 121 Fieldbus Protocols............................................................................... 123 Modicon Communication Bus..................................................... 123 Distributed Network Protocol...................................................... 130 Process Fieldbus.......................................................................... 139 Industrial Ethernet Protocols....................................................... 141 Ethernet Industrial Protocol......................................................... 142 PROFINET.................................................................................. 146 EtherCAT..................................................................................... 147 Ethernet POWERLINK............................................................... 148 SERCOS III................................................................................. 149 Backend Protocols.............................................................................. 150 Open Process Communications................................................... 150 Inter-Control Center Communications Protocol ......................... 157 Advanced Metering Infrastructure and the Smart Grid...................... 162 Security Concerns........................................................................ 164 Security Recommendations......................................................... 164 Industrial Protocol Simulators............................................................ 164 Modbus........................................................................................ 165 DNP3 / IEC 60870-5................................................................... 165 OPC.............................................................................................. 165 ICCP / IEC 60870-6 (TASE.2).................................................... 165 Physical Hardware....................................................................... 166 Summary............................................................................................. 166 Endnotes.............................................................................................. 166 CHAPTER 7 Hacking Industrial Control Systems................................ 171 Motives and Consequences................................................................. 171 Consequences of a Successful Cyber Incident............................ 171 Cyber Security and Safety........................................................... 172 Common Industrial Targets................................................................ 174 Common Attack Methods................................................................... 186 Man-in-the-Middle Attacks......................................................... 186 Denial-of-Service Attacks........................................................... 187 Replay Attacks............................................................................. 188 Compromising the Human–Machine Interface........................... 189 Compromising the Engineering Workstation.............................. 189 Blended Attacks........................................................................... 190 Contents Examples of Weaponized Industrial Cyber Threats........................... 190 Stuxnet......................................................................................... 191 Shamoon/DistTrack..................................................................... 195 Flame/Flamer/Skywiper.............................................................. 195 Attack Trends...................................................................................... 196 Evolving Vulnerabilities: The Adobe Exploits............................ 197 Industrial Application Layer Attacks........................................... 198 Antisocial Networks: A New Playground for Malware.............. 200 Dealing with an Infection.................................................................... 203 Summary............................................................................................. 205 Endnotes.............................................................................................. 206 CHAPTER 8 Risk and Vulnerability Assessments............................... 209 Cyber Security and Risk Management............................................... 210 Why Risk Management is the Foundation of Cyber Security......................................................................... 210 What is Risk?............................................................................... 211 Standards and Best Practices for Risk Management................... 213 Methodologies for Assessing Risk Within Industrial Control Systems.................................................................................. 216 Security Tests............................................................................... 216 Establishing a Testing and Assessment Methodology................. 219 System Characterization..................................................................... 223 Data Collection............................................................................ 227 Scanning of Industrial Networks................................................. 228 Threat Identification............................................................................ 241 Threat Actors/Sources................................................................. 241 Threat Vectors............................................................................. 243 Threat Events............................................................................... 243 Identification of Threats During Security Assessments............... 244 Vulnerability Identification................................................................. 246 Vulnerability Scanning................................................................ 248 Configuration Auditing................................................................ 250 Vulnerability Prioritization.......................................................... 251 Risk Classification and Ranking......................................................... 253 Consequences and Impact............................................................ 253 How to Estimate Consequences and Likelihood......................... 254 Risk Ranking............................................................................... 256 Risk Reduction and Mitigation........................................................... 257 Summary............................................................................................. 258 Endnotes.............................................................................................. 259 ix x Contents CHAPTER 9 Establishing Zones and Conduits..................................... 261 Security Zones and Conduits Explained............................................. 263 Identifying and Classifying Security Zones and Conduits................. 264 Recommended Security Zone Separation........................................... 265 Network Connectivity.................................................................. 266 Control Loops.............................................................................. 267 Supervisory Controls................................................................... 268 Plant Level Control Processes..................................................... 268 Control Data Storage................................................................... 270 Trading Communications............................................................ 271 Remote Access............................................................................. 272 Users and Roles........................................................................... 272 Protocols...................................................................................... 274 Criticality..................................................................................... 275 Establishing Security Zones and Conduits......................................... 277 Summary............................................................................................. 279 Endnotes.............................................................................................. 280 CHAPTER 10 Implementing Security and Access Controls............................................................. 283 Network Segmentation........................................................................ 287 Zones and Security Policy Development..................................... 288 Using Zones within Security Device Configurations.................. 288 Implementing Network Security Controls.......................................... 290 Selecting Network Security Devices........................................... 290 Implementing Network Security Devices.................................... 293 Implementing Host Security and Access Controls............................. 309 Selecting Host Cyber Security Systems...................................... 311 External Controls......................................................................... 316 Patch Management....................................................................... 316 How Much Security is Enough?......................................................... 320 Summary............................................................................................. 321 Endnotes.............................................................................................. 321 CHAPTER 11 Exception, Anomaly, and Threat Detection................... 323 Exception Reporting........................................................................... 324 Behavioral Anomaly Detection........................................................... 326 Measuring Baselines.................................................................... 327 Anomaly Detection...................................................................... 330 Behavioral Whitelisting...................................................................... 333 User Whitelists............................................................................. 334 Contents Asset Whitelists........................................................................... 335 Application Behavior Whitelists.................................................. 337 Threat Detection.................................................................................. 340 Event Correlation......................................................................... 341 Correlating Between IT and OT Systems.................................... 347 Summary............................................................................................. 349 Endnotes.............................................................................................. 349 CHAPTER 12 Security Monitoring of Industrial Control Systems......................................................................351 Determining what to Monitor............................................................. 352 Security Events............................................................................ 353 Assets........................................................................................... 356 Configurations.............................................................................. 358 Applications................................................................................. 360 Networks...................................................................................... 361 User Identities and Authentication.............................................. 362 Additional Context....................................................................... 365 Behavior....................................................................................... 365 Successfully Monitoring Security Zones............................................ 367 Log Collection............................................................................. 368 Direct Monitoring........................................................................ 368 Inferred Monitoring..................................................................... 369 Information Collection and Management Tools.......................... 372 Monitoring Across Secure Boundaries........................................ 376 Information Management.................................................................... 376 Queries......................................................................................... 377 Reports......................................................................................... 379 Alerts............................................................................................ 381 Incident Investigation and Response........................................... 381 Log Storage and Retention.................................................................. 382 Nonrepudiation............................................................................ 382 Data Retention/Storage................................................................ 382 Data Availability.......................................................................... 384 Summary............................................................................................. 385 Endnotes.............................................................................................. 385 CHAPTER 13 Standards and Regulations................................................387 Common Standards and Regulations.................................................. 388 NERC CIP................................................................................... 389 CFATS......................................................................................... 389 xi xii Contents ISO/IEC 27002............................................................................ 390 NRC Regulation 5.71................................................................... 390 NIST SP 800-82........................................................................... 392 ISA/IEC-62443................................................................................... 392 ISA 62443 Group 1: “General”................................................... 392 ISA 62443 Group 2: “Policies and Procedures”.......................... 393 ISA 62443 Group 3: “System”.................................................... 393 ISA 62443 Group 4: “Component”............................................. 394 Mapping Industrial Network Security to Compliance........................ 395 Industry Best Practices for Conducting ICS Assessments.................. 395 Department of Homeland Security (USA) / Centre for Protection of National Infrastructure (UK)................ 396 National Security Agency (USA)................................................ 397 American Petroleum Institute (USA) / National Petrochemical and Refiners Association (USA).......................... 397 Institute for Security and Open Methodologies (Spain).............. 398 Common Criteria and FIPS Standards................................................ 398 Common Criteria......................................................................... 398 FIPS 140-2................................................................................... 400 Summary............................................................................................. 400 Endnotes.............................................................................................. 406 Appendix A Protocol Resources............................................................... 409 Modbus Organization.......................................................................... 409 DNP3 Users Group............................................................................. 409 OPC Foundation.................................................................................410 Common Industrial Protocol (CIP) / Open Device Vendor Association (ODVA)............................................................. 410 PROFIBUS & PROFINET International (PI)������������������������������������ 410 Appendix B Standards Organizations..................................................... 411 North American Reliability Corporation (NERC).............................. 411 The United States Nuclear Regulatory Commission (NRC)............................................................................ 411 NRC Title 10 CFR 73.54............................................................. 412 NRC RG 5.71............................................................................... 412 United States Department of Homeland Security............................... 412 Chemical Facilities Anti-Terrorism Standard (CFATS).............. 412 CFATS Risk-Based Performance Standards (RBPS).................. 412 International Society of Automation (ISA)......................................... 413 International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)....................... 413 Contents Appendix C NIST Security Guidelines.................................................... 415 National Institute of Standards and Technology, Special Publications 800 Series.......................................................... 415 Glossary����������������������������������������������������������������������������������� 417 Endnotes.............................................................................................. 424 Index���������������������������������������������������������������������������������������� 425 xiii Page left intentionally blank About the Authors Eric D. Knapp is a recognized expert in industrial control systems (ICS) cyber security. He is the original author of “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems (First Edition)” and the coauthor of “Applied Cyber Security for Smart Grids.” Eric has held senior technology positions at NitroSecurity, McAfee, Wurldtech, and Honeywell, where he has consistently focused on the advancement of end-to-end ICS cyber security in order to promote safer and more reliable automation infrastructures. Eric has over 20 years of experience in Information Technology, specializing in cyber security analytics, threat, and risk management techniques and applied Ethernet protocols in both enterprise and industrial networks. In addition to his work in information security, Eric is an award-winning fiction author. He studied English and Writing at the University of New Hampshire and the University of London, and holds a degree in communications. Joel Thomas Langill brings a unique perspective to operational security with decades of experience in industrial automation and control. He has deployed ICS solutions covering most major industry sectors globally encompassing most generations of automated control. He has been directly involved in automation solutions spanning feasibility, budgeting, front-end engineering design, detailed design, system integration, commissioning, support and legacy system migration. Joel is currently an independent consultant providing services to ICS suppliers, end-users, system integrators, and governmental agencies worldwide. Joel founded the popular ICS security website SCADAhacker.com offering visitors resources in understanding, evaluating, and securing control systems. He developed a specialized training curriculum that focuses on applied cyber security and defenses for industrial systems. His website and social networks extends to readers in over 100 countries globally. Joel serves on the Board of Advisors for Scada Fence Ltd., and is an ICS research focal point to corporations and CERT organizations around the world. He is a voting member of the ISA99 committee, and has published numerous reports on ICS-related campaigns including Heartbleed, Dragonfly, and Black Energy. He is a graduate of the University of Illinois–Champaign with a BS (University Honors/ Bronze Tablet) in Electrical Engineering. He can be found on Twitter @SCADAhacker xv Page left intentionally blank Preface I would like to thank you for purchasing the second edition of “Industrial Network Security,” especially if you are one of the many supporters of the first edition. When the second edition was announced, many people asked me, “why a second edition?” and even more followed that up with, “and why a coauthor?” These questions are harder to answer than you would think. When I wrote the first edition, I set a very high standard for myself and did everything that I could do at the time to create the best book possible. While the first edition was well received, I’ve gained more experience and knowledge since then, and the industry has advanced. The threat is now better understood, thanks to an increasing trend in industrial cyber security research. Unfortunately, there has also been an increase in the development of new exploits, and there have been an increasing number of large-scale incidents. In short, there is a lot more to talk about. However, I did not want to just update the first edition. One of the biggest problems with industrial cyber security is that it spans two domains of specialized knowledge: Information Technology (IT) and Operational Technology (OT). Some things that come naturally to an IT veteran are hard for an OT person to grasp. Some things that an OT guru takes for granted seem odd to an IT pro. There are two separate perspectives, two separate lifetimes of experience, and two separate lexicons of “tech speak.” A new breed of industrial cyber security professional is slowly emerging, but even among this minority there are clear factions—we know who we are—who have strong opinions about disclosures, or regulations, or particular methods or technologies, and take hard stances against those with opposing beliefs. What I have seen, however, is that when our differences materialize as conflict, it becomes a barrier to good cyber security. When people come together and work cooperatively, the incongruences and misperceptions quickly fade. Everything becomes easier, and good cyber security is almost inevitable. In the second edition, I wanted to address this fundamental challenge. Not easy. My background is in IT, and although I’ve worked in industrial cyber security for a long time, it is impossible to alter my core perspectives. The only way I could get an additional perspective into the book was to put my manuscript where my mouth is, and write the second edition in cooperation with another author. Enter Joel Thomas Langill. Joel, aka the SCADA Hacker, brought a lot of extremely valuable perspective to the second edition. Where my background is mostly in IT, his is mostly in OT; where my research tends to focus on emerging technology and countermeasures, Joel is more grounded in the real world, and has refined cyber security planning, assessment, and mitigation techniques over years in the field. We had a common goal, and a lot of common beliefs, but very different perspectives. Joel and I kept each other honest, and shared new ways of looking at very common issues. It resulted in the refinement of the original text, and the addition of over xvii xviii Preface 40,000 words of new material, including several new chapters (for those who are not familiar with publishing, that is almost enough to make a whole new book). It was not always easy. Just as IT and OT clash within industry, our perspectives sometimes turned discussions into arguments. However, we almost always came to the conclusion that we were actually saying the same things. We simply used terminology differently, and we saw certain problems through different lenses. Neither of us was wrong, but our idea of what was “right” did not always match up 100%. But we worked through it. Through compromise and cooperation, what is left on the pages of this book should be more beneficial to more people—IT or OT, Technologist or Policy Maker, Security Researcher or CISO. Our hope is that the second edition of Industrial Network Security will provide a common frame of reference that will help bring the industry a little bit closer together. And if you read something that you do not agree with, we welcome you to give us your unique perspective. Joel Thomas ­Langill, Eric D. Knapp, and Raj Samani can be reached on twitter at @scadahacker, @ericdknapp, and @Raj_Samani, respectively, and we look forward to continuing the discussion online. Best Regards, Eric D. Knapp Acknowledgments We, the authors, would like to thank our technical editor Raj Samani and the good folks at Syngress, Chris Katsaropoulos, and Ben Rearick, and to all of you who contributed feedback and guidance along the way. We would also like to acknowledge those who created the wealth of standards, guidelines and reference materials from both industry and governments, as well as the growing list of security researchers, analysts, technicians, scholars, vendors, operators, integrators, instigators, consultants, spooks, and hackers who have helped to improve industrial cyber security in their own way – without an active industry of smart and dedicated people, we would have little to write about. We would like to thank our online supporters who follow @CyberGridBook, @EricDKnapp, @SCADAhacker, and @Raj_Samani. Of course, some people need to be acknowledged personally: Joel would like to acknowledge his life partner and soul mate Terri Luckett who has never left his side, and who has supported his passion and devotion to helping users protect their manufacturing assets from cyber threats. He would also like to acknowledge his first coach and mentor Keatron Evans who saw the fire in his eyes and helped him get started in the field of operational security, and Eric Byres who continues to be not only a friend, but one whom I depend on as a trusted colleague and advisor. He also would like to acknowledge all those that have supported his efforts and have helped him realize a vision that one person can make a positive impact on so many others. Eric would like to acknowledge his wife Maureen, and the dogs, cats, horse, donkeys, sheep, etc. on “the farm” that keep him grounded and sane … not to mention self-sustaining should the lights ever go out. In an industry that is inseparably tied to malicious intent, he has found that having a home full of love, understanding, and patience is truly the best medicine. He would also like to thank his dear friends Ayman Al-Issa, Raj Samani, Jennifer Byrne, Mohan Ramanathan, and so many others who have helped him so much along the way. And finally, we would both like to thank all of our readers; without the success of the first edition, the second edition would never have been possible. xix Page left intentionally blank CHAPTER Introduction 1 INFORMATION IN THIS CHAPTER • Book Overview and Key Learning Points • Book Audience • Diagrams and Figures • The Smart Grid • How This Book Is Organized • Changes Made to the Second Addition BOOK OVERVIEW AND KEY LEARNING POINTS This book attempts to define an approach to industrial network security that considers the unique network, protocol, and application characteristics of an Industrial Control System (ICS), while also taking into consideration a variety of common compliance controls. For the purposes of this book, a common definition of ICS will be used in lieu of the more specific Supervisory Control and Data Acquisition (SCADA) or Distributed Control System (DCS) terms. Note that these and many other specialized terms are used extensively throughout the book. While we have made an effort to define them all, an extensive glossary has also been included to provide a quick reference if needed. If a term is included in the glossary, it will be printed in bold type the first time that it is used. Although many of the techniques described herein—and much of the general guidance provided by regulatory standards organizations—are built upon common enterprise security methods, references and readily available information security tools, there is little information available about how these apply to an industrial network. This book attempts to rectify this by providing deployment and configuration guidance where possible, and by identifying why security controls should be implemented, where they should be implemented, how they should be implemented, and how they should be used. 1 2 CHAPTER 1 Introduction BOOK AUDIENCE To adequately discuss industrial network security, the basics of two very different systems need to be understood: the Ethernet and Internet Protocol (IP) networking communications used ubiquitously in the enterprise, and the control and fieldbus protocols used to manage and/or operate automation systems. As a result, this book possesses a bifurcated audience. For the plant operator with an advanced engineering degree and decades of programming experience for process controllers, the basics of industrial network protocols in Chapter 4 have been presented within the context of security in an attempt to not only provide value to such a reader, but also to get that reader thinking about the subtle implications of cyber security. For the information security analyst with a Certified Information Systems Security Professional (CISSP) certification, basic information security practices have been provided within the new context of an ICS. There is an interesting dichotomy between the two that provides a further challenge. Enterprise security typically strives to protect digital information by securing the users and hosts on a network, while at the same time enabling the broad range of open communication services required within modern business. Industrial control systems, on the other hand, strive for the efficiency and reliability of a single, often fine-tuned system, while always addressing the safety of the personnel, plant, and environment in which they operate. Only by giving the necessary consideration to both sides can the true objective be achieved—a secure industrial network architecture that supports safe and reliable operation while also providing business value to the larger enterprise. This latter concept is referred to as “operational integrity.” To further complicate matters, there is a third audience—the compliance officer who is mandated with meeting either certain regulatory standards or internal policies and procedures in order to survive an audit with minimal penalties and/or fines. Compliance continues to drive information security budgets, and therefore the broader scope of industrial networks must also be narrowed on occasion to the energy industries, where (at least in the United States) electrical energy, nuclear energy, oil and gas, and chemical are tightly regulated. Compliance controls are discussed in this book solely within the context of implementing cyber security controls. The recommendations given are intended to improve security and should not be interpreted as advice concerning successful compliance management. DIAGRAMS AND FIGURES The network diagrams used throughout this book have been intentionally simplified and have been designed to be as generic as possible while adequately representing ICS architectures and their industrial networks across a very wide range of systems and suppliers. As a result, the diagrams will undoubtedly differ from real ICS designs and may exclude details specific to one particular industry while How this book is organized including details that are specific to another. Their purpose is to provide a high-level understanding of the specific industrial network security controls being discussed. THE SMART GRID Although the smart grid is of major concern and interest, for the most part it is treated as any other industrial network within this book, with specific considerations being made only when necessary (such as when considering available attack vectors). As a result, there are many security considerations specific to the smart grid that are unfortunately not included. This is partly to maintain focus on the more ubiquitous ICS security requirements; partly due to the relative immaturity of smart grid security and partly due to the specialized and complex nature of these systems. Although this means that specific measures for securing synchrophasers, meters, and so on, are not provided, the guidance and overall approach to security that is provided herein is certainly applicable to smart grid networks. For more in-depth reading on smart grid network security, consider Applied Cyber Security and the Smart Grid by Eric D. Knapp and Raj Samani (ISBN: 978-1-59749-998-9, Syngress). HOW THIS BOOK IS ORGANIZED This book is divided into a total of 13 chapters, followed by three appendices guiding the reader where to find additional information and resources about industrial protocols, standards and regulations, and relevant security guidelines and best practices (such as NIST, ChemITC, and ISA). The chapters begin with an introduction to industrial networking, and what a cyber-attack against an industrial control systems might represent in terms of potential risks and consequences, followed by details of how industrial networks can be assessed, secured, and monitored in order to obtain the strongest possible security, and conclude with a detailed discussion of various compliance controls and how those specific controls map back to network security practices. It is not necessary to read this book cover to cover, in order. The book is intended to offer insight and recommendations that relate to both specific security goals as well as the cyclical nature of the security process. That is, if faced with performing a security assessment on an industrial network, begin with Chapter 8; every effort has been made to refer the reader to other relevant chapters where additional knowledge may be necessary. CHAPTER 2: ABOUT INDUSTRIAL NETWORKS In this chapter, there is a brief primer of industrial control systems, industrial networks, critical infrastructure, common cyber security guidelines, and other terminology specific to the lexicon of industrial cyber security. The goal of this chapter is to 3 4 CHAPTER 1 Introduction provide a baseline of information from which topics can be explored in more detail in the following chapters (there is also an extensive Glossary included to cover the abundance of new acronyms and terms used in industrial control networks). Chapter 2 also covers some of the basic misperceptions about industrial cyber security, in an attempt to rectify any misunderstandings prior to the more detailed discussions that will follow. CHAPTER 3: INDUSTRIAL CYBER SECURITY, HISTORY, AND TRENDS Chapter 3 is a primer for industrial cyber security. It introduces industrial network cyber security in terms of its history and evolution, by examining the interrelations between “general” networking, industrial networking, and potentially critical infrastructures. Chapter 3 covers the importance of securing industrial networks, discusses the impact of a successful industrial attack, and provides examples of real historical incidents—including a discussion of the Advanced Persistent Threat and the implications of cyber war. CHAPTER 4: INTRODUCTION TO ICS AND OPERATIONS It is impossible to understand how to adequately secure an industrial control environment without first understanding the fundamentals of ICSs and operations. These systems use specialized devices, applications, and protocols because they perform functions that are different than enterprise networks, with different requirements, operational priorities, and security considerations. Chapter 4 discusses control system assets, operations, protocol basics, how control processes are managed, and common systems and applications with special emphasis on smart grid operations. CHAPTER 5: ICS NETWORK DESIGN AND ARCHITECTURE Industrial networks are built from a combination of Ethernet and IP networks (to interconnect general computing systems and servers) and at least one real-time network or fieldbus (to connect devices and process systems). These networks are typically nested deep within the enterprise architecture, offering some implied layers of protection against external threats. In recent years, the deployment of remote access and wireless networks within industrial systems have offered new entry points into these internal networks. Chapter 5 provides an overview of some of the more common industrial network designs and architectures, the potential risk they present, and some of the methods that can be used to select appropriate technologies and strengthen these critical industrial systems. CHAPTER 6: INDUSTRIAL NETWORK PROTOCOLS This chapter focuses on industrial network protocols, including Modbus, DNP3, OPC, ICCP, CIP, Foundation Fieldbus HSE, Wireless HART, Profinet and Profibus, and others. This chapter will also introduce vendor-proprietary industrial protocols, and the implications they have in securing industrial networks. The basics How this book is organized of protocol operation, frame format, and security considerations are provided for each, with security recommendations being made where applicable. Where properly disclosed vulnerabilities or exploits are available, examples are provided to illustrate the importance of securing industrial communications. CHAPTER 7: HACKING INDUSTRIAL SYSTEMS Understanding effective cyber security requires a basic understanding of the threats that exist. Chapter 7 provides a high-level overview of common attack methodologies, and how industrial networks present a unique attack surface with common attack vectors to many critical areas. CHAPTER 8: RISK AND VULNERABILITY ASSESSMENTS Industrial control systems are often more susceptible to a cyber-attack, yet they are also more difficult to patch due to the extreme uptime and reliability requirements of operational systems. Chapter 8 focuses on risk and vulnerability assessment strategies that specifically address the unique challenges of assessing risk in industrial networks, in order to better understand—and therefore reduce—the vulnerabilities and threats facing these real-time systems. CHAPTER 9: ESTABLISHING ZONES AND CONDUITS A strong cyber security strategy requires the isolation of devices into securable groups. Chapter 9 looks at how to separate functional groups and where functional boundaries should be implemented, using the Zone and Conduit model originated by the Purdue Research Foundation in 1989 and later adapted by ISA 99 (now known as ISA/IEC 62443). CHAPTER 10: IMPLEMENTING SECURITY AND ACCESS CONTROLS Once the industrial architecture has been appropriately divided into defined zones and the associated communication conduits between these zones, it is necessary to deploy appropriate security controls to enforce network security. Chapter 10 discusses the vital activity of network segmentation and how network- and host-based security controls are implemented. CHAPTER 11: EXCEPTION, ANOMALY, AND THREAT DETECTION Awareness is the prerequisite of action, according to the common definition of situational awareness. Awareness in turn requires an ability to monitor for and detect threats. In this chapter, several contributing factors to obtaining situational awareness are discussed, including how to use anomaly detection, exception reporting, and information correlation for the purposes of threat detection and risk management. 5 6 CHAPTER 1 Introduction CHAPTER 12: SECURITY MONITORING OF INDUSTRIAL CONTROL SYSTEMS Completing the cycle of situational awareness requires further understanding and analysis of the threat indicators that you have learned how to detect in Chapter 11. Chapter 12 discusses how obtaining and analyzing broader sets of information can help you better understand what is happening, and make better decisions. This includes recommendations of what to monitor, why, and how. Information management strategies—including log and event collection, direct monitoring, and correlation using security information and event management (SIEM)—are discussed, including guidance on data collection, retention, and management. CHAPTER 13: STANDARDS AND REGULATIONS There are many regulatory compliance standards applicable to industrial network security, and most consist of a wide range of procedural controls that are not easily resolved using information technology. On top of this, there is an emergence of a large number of industrial standards that attempt to tailor many of the general-purpose IT standards to the uniqueness of ICS architectures. There are common cyber security controls (with often subtle but important variations), however, which reinforce the recommendations put forth in this book. Chapter 13 attempts to map those cyber security–related controls from some common standards—including NERC CIP, CFATS, NIST 800-53, ISO/IEC 27002:2005, ISA 62443, NRC RG 5.71, and NIST 800-82—to the security recommendations made within this book, making it easier for security analysts to understand the motivations of compliance officers, while compliance officers are able to see the security concerns behind individual controls. CHANGES MADE TO THE SECOND EDITION For readers of the Industrial Network Security, Securing Critical Infrastructure Networks for Smart grid, SCADA and Other Industrial Control Systems, First Edition, you will find new and updated content throughout the book. However, the largest changes that have been made include the following: • • • • Revised diagrams, designed to provide a more accurate representation of industrial systems so that the lessons within the book can be more easily applied in real life. Better organization of topics, including major revisions to introductory chapters that are intended to provide a more effective introduction of topics. The separation of “hacking methodologies” and “risk and vulnerability assessment” into two chapters, expanding each to provide significantly more detail to each very important subject. The inclusion of wireless networking technologies and how they are applied to industrial networks, including important differences between general-purpose IT and specific ICS technology requirements. How this book is organized • • Much greater depth on the subjects of industrial firewall implementation and industrial protocol filtering—important technologies that were in their infancy during the first edition but are now commercially available. The inclusion of real-life vulnerabilities, exploits, and defensive techniques throughout the book to provide a more realistic context around each topic, while also proving the reality of the threat against critical infrastructure. CONCLUSION Writing the first edition of this book was an education, an experience, and a challenge. In the months of research and writing, several historic moments occurred concerning ICS security, including the first ICS-targeted cyber weapon—Stuxnet. At the time, Stuxnet was the most sophisticated cyber-attack to date. Since then, its complexity and sophistication have been surpassed more than once, and the frequency of new threats continues to rise. There is a growing number of attacks, more relevant cyber security research (from both blackhats and whitehats), and new evidence of Advanced Persistent Threats, cyber espionage, nation-based cyber privacy concerns, and other socio-political concerns on what seems like a daily basis. It is for this reason that Eric D. Knapp (the original author) joined forces with Joel Langill, aka “SCADAhacker,” for the second edition. Hopefully, this book will be both informative and enjoyable, and it will facilitate the increasingly urgent need to strengthen the security of our industrial networks and automation systems. Even though the attacks themselves will continue to evolve, the methods provided herein should help to prepare against the inevitable advancement of industrial network threat. A Note from Author Eric D. Knapp. Those readers who are familiar with my works will know that I have an ongoing agreement with Raj Samani, the technical editor of this book—if either of us mention a certain well-known cyber-attack by name we must donate $5 as a penance. While this is a rule that I try to live by, this book predates that agreement and it did not seem fair or appropriate to remove all mention of that incident. So, the pages herein are exempt. In fact, the incident-thatshall-not-be-named is mentioned twice in this chapter alone; sadly, no one will be getting $10. 7 Page left intentionally blank CHAPTER About Industrial Networks 2 INFORMATION IN THIS CHAPTER • The Use of Terminology Within This Book • Common Industrial Security Recommendations • Advanced Industrial Security Recommendations • Common Misperceptions About Industrial Network Security It is important to understand some of the terms used when discussing industrial networking and industrial control systems, as well as the basics of how industrial net­ works are architected and how they operate before attempting to secure an industrial network and its interconnected systems. It is also important to understand some of the common security recommendations deployed in business networks, and why they may or may not be truly suitable for effective industrial network cyber security. What is an industrial network? Because of a rapidly evolving socio-political landscape, the terminology of industrial networking has become blurred. Terms such as “critical infrastructure,” “APT,” “SCADA,” and “Smart Grid” are used freely and often incorrectly. It can be confusing to discuss them in general terms not only because of the diversity of the industrial networks themselves, but also the markets they serve. Many regulatory agencies and commissions have also been formed to help secure different industrial networks for different industry sectors—each introducing their own specific nomenclatures and terminology. This chapter will attempt to provide a baseline for industrial network cyber security, introducing the reader to some of the common terminology, issues, and security recommendations that will be discussed throughout the remainder of this book. THE USE OF TERMINOLOGY WITHIN THIS BOOK The authors have witnessed many discussions on industrial cyber security fall apart due to disagreements over terminology. There is a good deal of terminology specific to both cyber security and to industrial control systems that will be used throughout this book. Some readers may be cyber security experts who are unfamiliar with industrial control systems, while others may be industrial system professionals who are unfamiliar with cyber security. For this reason, a conscientious effort has been 9 10 CHAPTER 2 About industrial networks made by the authors to convey the basics of both disciplines, and to accommodate both types of readers. Some of the terms that will be used extensively include the following: • • • • • • • • Assets (including whether they are physical or logical assets, and if they are classified as cyber assets, critical assets, and critical cyber assets) Enclaves, Zones, and Conduits Enterprise or Business Networks Industrial Control Systems: DCS, PCS, SIS, SCADA Industrial Networks Industrial Protocols Network Perimeter or Electronic Security Perimeter (ESP) Critical Infrastructure. Some cyber security terms that will be addressed include the following: • • • • • • Attacks Breaches Incidents and Exploits Vulnerabilities Risk Security Measures, Security Controls, or Countermeasures. These will be given some cursory attention here, as a foundation for the following chapters. There are many more specialized terms that will be used, and so an extensive glossary has been provided at the back of this book. The first time a term is used, it will be printed in bold to indicate that it is available in the glossary. NOTE The book title “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems” was chosen because this text discusses all of these terms to some extent. “Industrial cyber security” is a topic relevant to many industries, each of which differ significantly in terms of design, architecture, and operation. An effective discussion of cyber security must acknowledge these differences; however, it is impossible to cover every nuance of DCS, SCADA, Smart Grids, critical manufacturing, and so on. This book will focus on the commonalities among these industries, providing a basic understanding of industrial automation, and the constituent systems, subsystems, and devices that are used. Every effort will also be made to refer to all industrial automation and control systems (DCS, PCS, SCADA, etc.) as simply industrial control systems or just ICS. It is also important to understand that industrial networks are one link in a much larger chain comprising fieldbus networks, process control networks, supervisory networks, business networks, remote access networks, and any number of specialized applications, services and communications infrastructures that may all be interconnected and therefore must be assessed and secured within the context of cyber security. A Smart Grid, a petroleum refinery, and a city skyscraper may all utilize ICS, yet each represents unique variations in terms of size, complexity, and risk. All are built using the same technologies and principles making the cyber security concerns of each similar and the fundamentals of industrial cyber security equally applicable. The use of terminology within this book NOTE This book does not go into extensive detail on the architecture of Smart Grids due to the complexity of these systems. Please consult the book “Applied Cyber Security and the Smart Grid”1 if more detail on Smart Grid architecture and its associated cyber security is desired. ATTACKS, BREACHES, AND INCIDENTS: MALWARE, EXPLOITS, AND APTs The reason that you are reading a book titled “Industrial Network Security” is likely because you are interested in, if not concerned about, unauthorized access to and potentially hazardous or mischievous usage of equipment connected to an industrial network. This could be a deliberate action by an individual or organization, a government-backed act of cyber war, the side effect of a computer virus that just happened to spread from a business network to an ICS server, the unintended consequence of a faulty network card or—for all we know—the result of some astrological alignment of the sun, planets, and stars (aka “solar flares”). While there are subtle differences in the terms “incident” and “attack”—mostly to do with intent, motivation, and attribution—this book does not intend to dwell on these subtleties. The focus in this book is how an attack (or breach, or exploit, or incident) might occur, and subsequently how to best protect the industrial network and the connected ICS components against undesirable consequences that result from this action. Did the action result in some outcome—operational, health, safety or environment—that must be reported to a federal agency according to some regulatory legislation? Did it originate from another country? Was it a simple virus or a persistent rootkit? Could it be achieved with free tools available on the Internet, or did it require the resources of a state-backed cyber espionage group? Do such groups even exist? The authors of this book think that these are all great questions, but ones best served by some other book. These terms may therefore be used rather interchangeably herein. ASSETS, CRITICAL ASSETS, CYBER ASSETS, AND CRITICAL CYBER ASSETS An asset is simply a term for a component that is used within an industrial control system. Assets are often “physical,” such as a workstation, server, network switch, or PLC. Physical assets also include the large quantity of sensors and actuators used to control an industrial process or plant. There are also “logical” assets that represent what is contained within the physical asset, such as a process graphic, a database, a logic program, a firewall rule set, or firmware. When you think about it, cyber security is usually focused on the protection of “logical” assets and not the “physical” assets that contain them. Physical security is that which tends to focus more on the protection of a physical asset. Security from a general point-of-view can therefore effectively protect a “logical” asset, a “physical” asset, or both. This will become more obvious as we develop the concept of security controls or countermeasures later in this book. 11 12 CHAPTER 2 About industrial networks The Critical Infrastructure Protection (CIP) standard by the North American Electric Reliability Corporation (NERC) through version 4 has defined a “critical cyber asset” or “CCA” as any device that uses a routable protocol to communicate outside the electronic security perimeter (ESP), uses a routable protocol within a control center, or is dial-up accessible.2 This changed in version 5 of the standard by shifting from an individual asset approach, to one that addresses groupings of CCAs called bulk electric system (BES) cyber “systems.”3 This approach represents a fundamental shift from addressing security at the component or asset level, to a more holistic or system-based one. A broad and more generic definition of “asset” is used in this book, where any component—physical or logical; critical or otherwise—is simply referred to as an “asset.” This is because most ICS components today, even those designed for extremely basic functionality, are likely to contain a commercial microprocessor with both embedded and user-programmable code that most likely contains some inherent communication capability. History has proven that even single-purpose, fixed-function devices can be the targets, or even the source of a cyber-attack, by specifically exploiting weaknesses in a single component within the device (See Chapter 3, “Industrial Cyber Security History and Trends”). Many devices ranging from ICS servers to PLCs to motor drives have been impacted in complex cyber-attacks—as was the case during the 2010 outbreak of Stuxnet (see “Examples of Advanced Industrial Cyber Threats” in Chapter 7, “Hacking Industrial Control Systems”). Regardless of whether a device is classified as an “asset” for regulatory purposes or not, they will all be considered accordingly in the context of cyber security. SECURITY CONTROLS AND SECURITY COUNTERMEASURES The term “security controls” and “security countermeasures” are often used, especially when discussing compliance controls, guidelines, or recommendations. They simply refer to a method of enforcing cyber security—either through the use of a specific product or technology, a security plan or policy, or other mechanism for establishing and enforcing cyber security—in order to reduce risk. FIREWALLS AND INTRUSION PREVENTION SYSTEMS While there are many other security products available—some of which are highly relevant to industrial networks—none have been so broadly used to describe products with such highly differing sets of capabilities. The most basic “firewall” must be able to filter network traffic in at least one direction, based on at least one criterion, such as IP address or communication service port. A firewall may or may not also be able to track the “state” of a particular communication session, understanding what is a new “request” versus what is a “response” to a prior request. A “deep packet inspection” (DPI) system is a device that can decode network traffic and look at the contents or payload of that traffic. Deep packet inspection is The use of terminology within this book typically used by intrusion detection systems (IDS), intrusion prevention systems (IPS), advanced firewalls and many other specialized cyber security products to detect signs of attack. Intrusion Detection Systems can detect and alert, but do not block or reject bad traffic. Intrusion Prevention Systems can block traffic. Industrial networks support high availability making most general IPS appliances less common on critical networks; IPS is more often applied at upper-level networks where high availability (typically >99.99%) is not such a high priority. The result is that good advice can lead to inadequate results, simply through the use of overused terms when making recommendations. NOTE Most modern intrusion prevention systems can be used as intrusion detection systems by configuring the IPS to alert on threat detection, but not to drop traffic. Because of this the term “IPS” is now commonly used to refer to both IDS and IPS. One way to think about IDS and IPS is that an IPS device that is deployed in-line (a “bump in the wire”) is more capable of “preventing” an intrusion by dropping suspect packets, while an IPS deployed out-of-band (e.g. on a span port) can be thought of as an IDS, because it is monitoring mirrored network traffic, and can detect threats but is less able to prevent them. It may be the same make and model of network security device, but the way it is configured and deployed indicates whether it is a “passive” IDS or an “active” IPS. Consider that the most basic definition of a firewall, given earlier, fails to provide the basic functionality recommended by NIST and other organizations, which advise filtering traffic on both the source and destination IP address and the associated service port, bidirectionally. At the same time, many modern firewalls are able to do much more—looking at whole application sessions rather than isolated network packets, by filtering application contents, and then enforcing filter rules that are sometimes highly complex. These unified threat management (UTM) appliances are becoming more common in protecting both industrial and business networks from today’s advanced threats. Deploying a “firewall” may be inadequate for some installations while highly capable at others, depending upon the specific capabilities of the “firewall” and the particular threat that it is designed to protect the underlying system against. The various network-based cyber security controls that are available and relevant to industrial networks are examined in detail in Chapter 10, “Implementing Security and Access Controls” and Chapter 11, “Exception, Anomaly and Threat Detection.” INDUSTRIAL CONTROL SYSTEM An industrial control system (ICS) is a broad class of automation systems used to provide control and monitoring functionality in manufacturing and industrial facilities. An ICS actually is the aggregate of a variety of system types including process control systems (PCS), distributed control systems (DCS), supervisory control and data acquisition (SCADA) systems, safety instrumented systems (SIS), and many others. A more detailed definition will be provided in Chapter 4, “Introduction to Industrial Control Systems and Operations.” 13 14 CHAPTER 2 About industrial networks Figure 2.1 is a simplified representation of an ICS consisting of two controllers and a series of inputs and outputs connecting to burners, valves, gauges, motors, and so on that all work in a tightly integrated manner to perform an automated task. The task is controlled by an application or logic running inside the controller, with local panels or human–machine interfaces (HMIs) used to provide a “view” into the controller allowing the operator to see values and make changes to how the controller is operating. The ICS typically includes toolkits for creating the process logic that defines the task, as well as toolkits for building custom operator interfaces or graphical user interfaces (GUIs) implemented on the HMI. As the task executes, the results are recorded in a database called an Historian (see Chapter 4, “Introduction to Industrial control Systems and Operations” for more information and detail on how such a system operates). FIGURE 2.1 Sample industrial automation and control system. The use of terminology within this book DCS OR SCADA? Originally, there were significant differences between the architectures of a DCS versus that of a SCADA system. As technology evolved, these differences have diminished, and there can often be a blur between whether a particular ICS is in fact classified as DCS or SCADA. Both systems are designed to monitor (reading data and presenting it to a human operator and possibly to other applications, such as historians and advanced control applications) and to control (defining parameters and executing instructions) manufacturing or industrial equipment. These system architectures vary by vendor, but all typically include the applications and tools necessary to generate, test, deploy, monitor, and control an automated process. These systems are multifaceted tools, meaning that a workstation might be used for purely supervisory (read only) purposes by a quality inspector, while another may be used to optimize process logic and write new programs for a controller, while yet a third may be used as a centralized user interface to control a process that requires more human intervention, effectively giving the workstation the role of the HMI. It should be noted that ICSs are often referred to in the media simply as “SCADA,” which is both inaccurate and misleading. Looking at this another way, a SCADA system is in fact an ICS, but not all ICSs are SCADA! The authors hope to help clarify this confusion in Chapter 4, “Introduction to Industrial Control Systems and Operations.” INDUSTRIAL NETWORKS The various assets that comprise an ICS are interconnected over an Industrial Network. While the ICS represented in Figure 2.1 is accurate, in a real deployment the management and supervision of the ICS will be separated from the controls and the automation system itself. Figure 2.2 shows how an ICS is actually part of a much larger architecture, consisting of plant areas that contain common and shared applications, area-specific control devices, and associated field equipment, all interconnected via a variety of network devices and servers. In large or distributed architectures, there will be a degree of local and remote monitoring and control that is required (i.e. in the plant), as well as centralized monitoring and control (i.e. in the control room). This is covered in detail in Chapter 5, “Industrial Network Design and Architecture.” For now it is sufficient to understand that the specialized systems that comprise an ICS are interconnected, and this connectivity is what we refer to as an Industrial Network. INDUSTRIAL PROTOCOLS Most ICS architectures utilize one or more specialized protocols that may include vendor-specific proprietary protocols (such as Honeywell CDA, General Electric SRTP or Siemens S7, and many others) or nonproprietary and/or licensed protocols including OPC, Modbus, DNP3, ICCP, CIP, PROFIBUS, and others. Many of these were originally designed for serial communications, but have been adapted to operate over standard Ethernet link layer using the Internet Protocol with both UDP and 15 16 CHAPTER 2 About industrial networks FIGURE 2.2 Sample network connectivity of an industrial control system. TCP transports, and are now widely deployed over a variety of common network infrastructures. Because most of these protocols operate at the application layer, they can be accurately (and often are) referred to as applications. They are referred to as protocols in this book to separate them from the software applications that utilize them—such as DCS, SCADA, EMS, historians, and other systems. The use of terminology within this book THE OPEN SYSTEMS INTERCONNECTION (OSI) MODEL The OSI model defines and standardizes the function of how a computing system interacts with a network. Each of seven layers is dependent upon and also serves the layers above and below it, so that information from an Application (defined at the topmost or Application Layer) can be consistently packaged and delivered over a variety of physical networks (defined by the bottommost or Physical Layer). When one computer wants to talk to another on a network, it must step through each layer: Data obtained from applications (Layer 7) are presented to the network (Layer 6) in defined sessions (Layer 5), using an established transport method (Layer 4), which in turn uses a networking protocol to address and route the data (Layer 3) over an established link (Layer 2) using a physical transmission mechanism (Layer 1). At the destination, the process is reversed in order to deliver the data to the receiving application. With the ubiquity of the Internet Protocol, a similar model called the TCP/IP Model is often used to simplify these layers. In the TCP/IP model, layers 5 through 7 (which all involve the representation and management of application data), and layers 1 and 2 (which define the interface with the physical network) are consolidated into a single Application Layer and Network Interface Layer. In this book we will reference the OSI model in order to provide a more specific indication of what step of the network communication process we are referring to (Figure 2.3). Because these protocols were not designed for use in broadly accessible or public networks, cyber security was seen as compensating control and not an inherent requirement. Now, many years later, this translates to a lack of robustness that makes the protocols easily accessed—and in turn they can be easily broken, manipulated, or otherwise exploited. Some are proprietary protocols (or open protocols with many proprietary extensions, such as Modbus-PEMEX), and as such they have benefited for some time by the phenomena of “security by obscurity.” This is clearly no longer FIGURE 2.3 The OSI and TCP/IP models. 17 18 CHAPTER 2 About industrial networks the case with the broader availability of information on the World Wide Web, combined with an increasing trend of industry-focused cyber security research. Many of the concerns about industrial systems and critical infrastructure stem from the growing number of disclosed vulnerabilities within these protocols. One disturbing observation is that in the few years following the Stuxnet attack, many researchers have found numerous vulnerabilities with open protocol standards and the systems that utilize them. Little attention has been given to the potential problem of vulnerabilities in the proprietary products that are often times too cost prohibitive for traditional researchers to procure and analyze. These proprietary systems and protocols are at the core of most critical industry, and represent the greatest risk should they be compromised. See Chapter 6, “Industrial Network Protocols” and Chapter 7, “Hacking Industrial Systems” for more detail on these protocols, how they function, and how they can/have been compromised. NETWORKS, ROUTABLE NETWORKS, AND NONROUTABLE NETWORKS The differentiation between Routable and Nonroutable networks is becoming less common as industrial communications become more ubiquitously deployed over IP. A “nonroutable” network refers to those serial, bus, and point-to-point communication links that utilize Modbus/RTU, DNP3, fieldbus, and other networks. They are still networks—they interconnect devices and provide a communication path between digital devices, and in many cases are designed for remote command and control. A “routable” network typically means a network utilizing the Internet Protocol (TCP/IP or UDP/IP), although other routable protocols, such as AppleTalk, DECnet, Novell IPX, and other legacy networking protocols certainly apply. “Routable” networks also include routable variants of early “nonroutable” ICS protocols that have been modified to operate over TCP/IP, such as Modbus over TCP/IP, Modbus/ TCP, and DNP3 over TCP/UDP. ICCP represents a unique case in that it is a relatively new protocol developed in the early 1990s, which allows both a point-to-point version and a wide-area routed configuration. Routable and nonroutable networks would generally interconnect at the demarcation between the Control and Supervisory Control networks, although in some cases (depending upon the specific industrial network protocols used) the two networks overlap. This is illustrated in Figure 2.4 and is discussed in more depth in Chapter 5, “Industrial Control System Network Design and Architecture” and Chapter 6, “Industrial Network Protocols.” These terms were popularized through NERC CIP regulations, which implies that a routable interface can be easily accessed by the network either locally or remotely (via adjacent or public networks) and therefore requires special cyber security consideration; and inversely that nonroutable networks are “safer” from a network-based cyber-attack. This is misleading and can prevent the development of a strong cyber security posture. Today, it should be assumed that all industrial systems are connected either directly or indirectly to a “routable” network, whether or not they are connected via a routable protocol. Although areas of industrial The use of terminology within this book FIGURE 2.4 Routable and Nonroutable areas within an industrial control system. networks may still be connected using serial or bus networks that operate via specific proprietary protocols, these areas can be accessed via other interconnected systems that reside on a larger IP network. For example, a PLC may connect to discrete I/O over legacy fieldbus connections. If considered in isolation, this would be a nonroutable network. However, if the PLC also contains an Ethernet uplink to connect to a centralized ICS system, the PLC can be accessed via that network and then manipulated to alter communications on the “nonroutable” connections. To further complicate things, many devices have remote access capabilities, such 19 20 CHAPTER 2 About industrial networks as modems, infrared receivers, radio or other connectivity options that may not be considered “routable�...
Purchase answer to see full attachment