IEC 62443


Cyber Security ISA 99 / IEC 62443 2017


Where Policy Meets Technology

City Next 2017

Presenter

Mayur Mehta, Manager - ICS Security, PwC


My Professional Journey


• Over 9.5 years of experience in the ICS/SCADA domain; an expert in determining threats and risk exposure on ICS products & plants, interoperability and FAT tests.
• Currently an ICS/SCADA Risk Assessor with the Cyber Security practice of a Big 4 Advisory function, based in Bengaluru.
• Member of the ISA99/IEC62443 standards committee and leading the ISA99 standard in the ISA Bangalore chapter.
• Certified "Global Industrial Cyber Security Professional" (GICSP) from GIAC. Certified Scrum Master (CSM), CTFL (ISTQB), Security+ (Cybrary), OPSEC (ICS-CERT), ATD (Advanced Threat Detection in ICS/SCADA, Concise Courses).
• Experience includes leading projects on vulnerability analysis and penetration testing, secure conduit design, risk framework development and assessment, and cyber reviews based on industry standards such as NERC-CIP, NIST 800-82, IEC 62443, NCIIPC, ISO 2700x, SANS Top 20 Critical Controls and OWASP Top 10.
• Has also worked with Schneider Electric and SIEMENS.
• M.Tech from "BITS Pilani" in Software Systems (Networks and Networked Systems); B.E. from "JNCT/RGPV Bhopal" in "Electronics and Communications Engineering".


CIA triad

• CIA or AIC triad
  – Availability - systems are available and operational when needed
  – Integrity - data is consistent, accurate and trustworthy
  – Confidentiality - protection against disclosure to unauthorized individuals

• OT has two more requirements
  – Reliability - the system performs its intended functions
  – Safety - physical and environmental safety is ensured

Why are we here

ICS-CERT reported incidents by sector (figure reconstructed from the chart labels):
• Critical Manufacturing 33%
• Energy 16%
• Unknown 9%
• Water 8%
• Transportation 8%
• Government Facilities 6%
• Healthcare 5%
• Communications 4%
• Information Technology 2%
• Dams 2%
• Nuclear Reactors, Financial… 2%
• Commercial Facilities 1%
• Chemical 1%
• Food & Agriculture 1%
• Defense 1%

Source: ICS CERT

Top 10 ICS Cyber Threats
1. Social Engineering and Phishing (3)
2. Infiltration of Malware via Removable Media and External Hardware (2)
3. Malware Infection via Internet and Intranet (1)
4. Intrusion via Remote Access (5)
5. Human Error and Sabotage (4)
6. Control Components Connected to the Internet (6)
7. Technical Malfunctions and Force Majeure (7)
8. Compromising of Extranet and Cloud Components (9)
9. (D)DoS Attacks (10)
10. Compromising of Smartphones in the Production Environment (8)

Source: BSI Publications on Cyber-Security report

Case#1: WannaCry

Step 1: 12 May 2017: WannaCry ransomware infections surge
• Preliminary analysis identifies a self-propagating exploit
• Targets MS17-010, SMBv1 critical vulnerability (Shadow Brokers)

Step 2: Initial infection vector is unknown
• Once on a host, the malware launches a process to:
  – Scan for TCP port 445 (SMB)
  – If an open port is identified, an exploit is attempted
  – Exploit modeled after 'EternalBlue'
• Malware also drops the implant 'DoublePulsar'

Step 3: WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.

Step 4: It also drops a file named "! Please Read Me!.txt" which contains text explaining what has happened and how to pay the ransom.

Step 5: WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name.

Step 6: It propagates to other computers by exploiting a known SMBv2 remote code execution vulnerability in Microsoft Windows computers: MS17-010
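The scan-then-exploit behaviour in Step 2 (one host reaching many neighbours on TCP/445 within a short time) is what a network-side detection can key on. Added example, not from the original deck: a Python sliding-window detector run over a constructed flow log; the log format, field names, thresholds and allowlist are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not from the deck); assumed field layout shown below.
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.20.1.15 dst=10.20.1.2 dport=445 proto=tcp
2017-05-12T10:00:01 src=10.20.1.15 dst=10.20.1.3 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.20.1.15 dst=10.20.1.4 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.20.1.15 dst=10.20.1.5 dport=445 proto=tcp
2017-05-12T10:00:03 src=10.20.1.15 dst=10.20.1.6 dport=445 proto=tcp
2017-05-12T10:00:04 src=10.20.1.40 dst=10.20.1.2 dport=445 proto=tcp
2017-05-12T10:00:05 src=10.20.1.40 dst=10.20.1.3 dport=445 proto=tcp
2017-05-12T10:00:06 src=10.20.1.40 dst=10.20.1.50 dport=443 proto=tcp
2017-05-12T10:09:00 src=10.20.1.15 dst=10.20.1.8 dport=445 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")

def detect_smb_sweeps(log_text, window_seconds=60, min_targets=5, allowlist=()):
    """Return {src: peak distinct targets} for sources reaching >= min_targets
    distinct hosts on TCP/445 inside any window_seconds-long sliding window."""
    per_src = defaultdict(list)          # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != 445:
            continue
        if m["src"] in allowlist:        # known SMB-heavy hosts, e.g. a backup server
            continue
        per_src[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window, left = Counter(), 0   # dst -> hits currently inside the window
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > timedelta(seconds=window_seconds):
                old = events[left][1]    # expire events older than the window
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged
```

On the constructed log only 10.20.1.15 is flagged: it touches five distinct hosts on 445 within two seconds, while its later single connection at 10:09 falls outside the window.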

Case#1: WannaCry - Need for Timely Patch Management

Common starting point:
1. Vulnerability identification and patch development
2. Patch release by OS vendor

ICS community actions (~ >150 days):
3. Testing of the patch with applications by ICS vendors
4. Publishing of patches for applications, or approval of the OS patch
5. Asset owner downloads and tests the patch in a test environment
6. Patch deployment during downtime
7. Protection from cyber attack

Organizations need to work together to reduce the response time.

Black hat actions (~ <30 days):
3. Download of the patch and reverse engineering for vulnerability identification
4. Exploit development
5. Testing and deployment of the exploit
6. Successful attack

Hackers are one step ahead in the game of security.


Case#1: WannaCry

Communications were observed from the compromised systems to a set of external IP addresses.

Domains/Remote IPs (Firewalls/IPS/IDS/Proxy)

Antivirus Signatures: put a filter on the AV for the detection of the following signatures
• Ransom.CryptXXX
• Trojan.Gen.8!Cloud
• Trojan.Gen.2
• Ransom.Wannacry

AV signatures to be updated with the latest definitions (DAT). Need to have a strong incident response and DR plan.

File Hash Values (AV/Sandboxing Tool): available, can be shared offline (SHA-256, MD5, …). To be used as a filter on the email gateway/end-point to detect the hash values.

Countermeasures in the event of an attack
• Isolate the system from the network to counter any spread of the ransomware
• Decryption is not available now
• Format the system if needed
• Block 445 on AD, if that's feasible

Case#2: STUXNET

Infiltration of Malware via Removable Media and External Hardware

• Sophisticated attack destroyed up to 1,000 uranium enrichment centrifuges at a high-security Iranian nuclear facility
• Multi-stage attack
• Social engineering techniques used to penetrate plant defenses
• Replicated worm in PCs and infected LAN
• PLCs located; looked for centrifuges
• Once located, spun them up to eventually fail
• Masked control room monitors
• Key security compromises: Integrity & Availability


Source: Symantec

ISA 99 / IEC 62443

A few ICS security standards:
• NIST 800-82
• NERC
• ISA 99 / IEC 62443
• ISO 27001/2
• ENISA
• ICS-CERT

History of ISA99 / IEC62443

• ISA/IEC 62443 is a series of standards being developed by two groups:
  – ISA99 → ANSI/ISA-62443
  – IEC TC65/WG10 → IEC 62443
  in consultation with:
  – ISO/IEC JTC1/SC27 → ISO/IEC 2700x
• International in scope
• Requirement contributions come from other standards like NERC-CIP, NIST, etc.
• Flexible framework which serves as a basis for country and local standards as well as manufacturing guidelines.

ISA 99 / IEC 62443 Standards

The ISA99/IEC 62443 standard is a family of standards with a large scope of use for ICS / OT / SCADA environments. Some guidelines are rather general, while others are precise, specific and focussed. Many of those guidelines are still in the process of being defined or upgraded.

General
The first (top) category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
• 1.1 Terminology, concepts and models
• 1.2 Master glossary of terms and abbreviations
• 1.3 System security compliance metrics
• 1.4 IACS security lifecycle/use cases

Policies & Procedures
The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
• 2.1 Requirements for IACS security management system
• 2.2 Implementation guidance for security management system
• 2.3 Patch management in the IACS environment
• 2.4 Installation and maintenance requirements

System
The third category includes work products that describe system design guidance and requirements for the secure integration of control systems. Core in this is the zone and conduit design model.
• 3.1 Security technologies for IACS
• 3.2 Security assurance levels for zones and conduits
• 3.3 System security requirements and security levels

Components
The fourth category includes work products that describe the specific product development and secure technical requirements of control system products. This is primarily intended for control product vendors, but can be used by integrators and asset owners to assist in the procurement of secure products.
• 4.1 Product development requirements
• 4.2 Technical security requirements for IACS components

A holistic security concept is context dependent (ISA99 reference)

Industrial Automation and Control System (IACS): roles and the applicable 62443 parts

Onsite
• Asset Owner - operates and maintains the IACS
  – 2-1, 2-3: Operational policies and procedures review and creation, and risk management.
• Service Provider
  – 2-4: Maintenance policies and procedures, patch and vendor management.
• System Integrator - designs and deploys
  – 2-4, 3-2, 3-3: Automation solution deployment; Basic Process Control System (BPCS) assessment and design; Safety Instrumented System (SIS) review and design; complementary HW/SW implementation; secure architecture design, zones and conduits; CSAT.

Offsite (vendor scope)
• Product Supplier - develops control systems
  – 3-3, 4-1, 4-2: Secure product and system development; CFAT.

Zones and Conduits

Level 5 - Management level
Level 4 - Enterprise Resource Planning, IT & mobile devices
DMZ - IT-OT separation zone: mirror Historian, patch management, AV server
Level 3 - Plant management level: engineering station, Historian, OPC
Level 2 - Operation level: SCADA/DCS, operators, HMIs
Level 1 - Control level: PLCs/controllers/LHMIs
Level 0 - Field level: sensors, pre-actuators & actuators

Security controls shown alongside the levels:
• Harden handheld devices and database servers
• Unidirectional gateway/data diode, network monitoring, log management & auditing
• System hardening, Active Directory (AD), application whitelisting, secure design implementation, patch management, configuration management, password management, change management, backup & restoration and user-specific access control
• Next-gen firewalls
• Harden automation controllers, disable unwanted ports
• Harden automation field devices, CCTVs, physical protection
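The zone model above only holds if every conduit is explicit and directed: OT-to-IT traffic terminates in the DMZ, the data diode is one-way, and no zone is skipped. Added example, not from the original deck: a Python check that audits proposed flows (for instance from a firewall change request) against such a conduit allowlist; the zone names, service names and allowlist entries are constructed assumptions.

```python
# Zones ordered from field level to management level; the DMZ sits between
# the OT levels (0-3) and the IT levels (4-5), as in the deck's diagram.
ZONE_ORDER = ["L0", "L1", "L2", "L3", "DMZ", "L4", "L5"]

# Constructed conduit allowlist (not from the deck): directed (src, dst, service)
# triples; anything not listed is denied by default.
ALLOWED_CONDUITS = {
    ("L0", "L1", "fieldbus"), ("L1", "L0", "fieldbus"),   # sensors <-> PLCs
    ("L2", "L1", "modbus-tcp"),                           # HMI/SCADA polls PLCs
    ("L3", "L2", "opc"),                                  # historian reads L2
    ("L3", "DMZ", "historian-replication"),               # one-way via data diode
    ("DMZ", "L3", "patch-distribution"),                  # patch/AV server to L3
    ("L4", "DMZ", "https"),                               # ERP reads mirror historian
}
BLOCKED_SERVICES = {"smb"}   # WannaCry lesson: no TCP/445 across any conduit

def check_flow(flow):
    """flow = (src_zone, dst_zone, service). Return None if acceptable, else a reason."""
    src, dst, service = flow
    if src not in ZONE_ORDER or dst not in ZONE_ORDER:
        return "unknown zone"
    if service in BLOCKED_SERVICES:
        return f"{service} is blocked on every conduit"
    if src == dst:
        return None   # intra-zone traffic is governed by zone hardening, not conduits
    hops = abs(ZONE_ORDER.index(src) - ZONE_ORDER.index(dst))
    if hops > 1:
        return f"crosses {hops} zone boundaries; must terminate in the adjacent zone"
    if flow not in ALLOWED_CONDUITS:
        return "no conduit permits this service in this direction"
    return None

def audit(flows):
    """Return {flow: reason} for every proposed flow that violates the model."""
    violations = {}
    for flow in flows:
        reason = check_flow(flow)
        if reason is not None:
            violations[flow] = reason
    return violations

# Constructed proposed flows, e.g. from a firewall change request.
PROPOSED_FLOWS = [
    ("L2", "L1", "modbus-tcp"),                 # fine
    ("L4", "L2", "opc"),                        # ERP reaching SCADA directly
    ("DMZ", "L3", "historian-replication"),     # wrong direction through the diode
    ("L3", "L2", "smb"),                        # blocked service
    ("L5", "L4", "https"),                      # adjacent, but no conduit defined
]
```

Running audit(PROPOSED_FLOWS) rejects four of the five requests; the L4 to L2 request fails because it would bypass both the DMZ and Level 3, which is exactly the path the mirror Historian exists to break.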

Need of the hour

Governance
• OT Security Governance
• OT planning & projects
• Audit of the important security processes

Operations
• OT Cyber Security Team
• Vulnerability and patch management
• Security incident management

Infrastructure
• OT physical controls / area security
• OT security infrastructure - system architecture review
• Vulnerability assessment and penetration testing
• End user environment audit

Ensure proactive implementation of appropriate OT security controls to support security's mission in a cost-effective manner while managing evolving OT security risks. Ensure a safe setup of infrastructure by implementing appropriate security controls following a defence-in-depth design concept in the network infrastructure. Continuously monitor the performance of systems to ensure that it is consistent with agreed security requirements, and that needed system modifications are incorporated.

Lots to be done by vendors

SDL - secure by design approach

Inputs: ISA99 Standard; ICS Security Levels (SL)

Development track:
1. Identify product level in ICS layer
2. Security requirements
3. Secure feature implementation

Test track:
1. SL-based test cases
2. Security test plan
3. Security test cases

ISA/IEC 62443 Cybersecurity Certification Programs
• Certificate 1: ISA/IEC 62443 Cybersecurity Fundamentals Specialist
• Certificate 2: ISA/IEC 62443 Cybersecurity Risk Assessment Specialist
• Certificate 3: ISA/IEC 62443 Cybersecurity Design Specialist
• Certificate 4: ISA/IEC 62443 Cybersecurity Maintenance Specialist
• ISA/IEC 62443 Cybersecurity Expert: individuals who achieve Certificates 1, 2, 3, and 4
• Certificate steps:
  – Complete a designated training program
  – Pass a multiple choice exam through the Prometric testing center

Q&A