
Okay folks, we're going to go ahead and get started now. Let me introduce you to Larry, and he's going to be talking about the journey to ICS.

Thank you. Okay, can everybody hear me okay? So, everybody, I'm Larry, I come from Belgium, and today is my presentation about the journey to ICS. But first just a brief disclaimer: I'm employed in the information security industry, but I'm not authorized to speak on behalf of my employer or clients, so everything I say is from a personal point of view.

About me: I've been in the security industry for over five years, I work for PC Belgium, and I've been active in industrial security for over two years. In addition, I like to travel, food and beer. I'm not an expert yet, but I'm eager to learn. Special thanks to my mentor Chris, who's sitting here in front of me, for assisting me during the creation of this talk.

So, about this presentation. Two years ago I got a question from one of my managers if I would be up for the challenge to transfer myself from a normal IT security pen tester more towards industrial security. I knew that the ICS hype was starting to rise up, with all the hacktivists and nation states targeting critical control systems, so it was an easy decision for me to make. However, this talk is going to be about the very, very basics: share some experiences that I made during this transition, and I hope that this will be a starting point for other people that want to make the transfer as well, just like I did before.

So where can you find operational technology, or OT? Basically you can find it in many different areas, such as food processing plants, chemical plants, nuclear plants, the power grid, oil rigs and many more. However, all these systems we think are normal, we take it for granted that we flip the switch and there's light, but nevertheless there are many systems that control that. So some of the risks that we're talking about can endanger human safety, but also have environmental effects, material damage and of course high-impact events, like a few months ago there was a nationwide blackout in Turkey for a few hours, so that had quite some consequences.

In the beginning of my journey I saw a number of characteristics which I like to call cliches, because if you look at IT systems you tend to replace them after two, three or maybe five years, but industrial control systems are literally built for decades: 10, 20, even 30 years. And also when they're running, they're running 24/7, 365 days a year, with hardening and maintenance. Also, the most important thing within these systems is availability; security, as in information security, is something extra, because the systems need to be running, production has to be live all the time. However, nowadays more and more protocols are migrating to have authentication and security in place, but nevertheless the legacy systems are still present, and they will be present until the next upgrade. Also, at some point there are operators that actually maintain the grid or maintain the control systems to ensure that everything is running smoothly if there's suddenly a peak or if there's suddenly an attack. But in the end it's not all about control systems, it's also about all the network components that are in place and all the other applications, such as data historians and servers.

So here's some vocabulary. I'm going to skip it for now because time is limited, but some of the most common terms that you will see are DCS and SCADA, because everybody loves to say SCADA. It's a misused term, because when you go to firms they say "yeah, we have SCADA in place", and in the end it's just a small control plant having one DCS or something. When you look at SCADA, we talk about the big things spread across the nation, and in the end, when you look at the term SCADA, supervisory control and data acquisition, the term "supervisory" is one of the key words here, because it supervises all the outstations that are in place. While in contrast DCS systems, or distributed control systems, are a bit smaller, such as a nuclear or chemical plant, and they're standalone systems.

However, the first time I saw a control system was actually in a flight case, so you could say it's like a Happy Meal for engineers: you can carry it around, you can play with it. But if you look at the overall architecture, it's a bit bigger than that. It has a number of zones: we can define the business zone, the DMZ, operations, process control, safety and of course the enforcement zone. When you look at the enforcement zone, typical devices that you see are data diodes, industrial switches, industrial firewalls, routers as well, that have specifically been designed for handling those exotic protocols. What is very important, and what you hardly see, but they're coming right now, is monitoring, because having up-to-date AVs in place is not always a good idea, because the control systems are running and any glitch can have a serious impact.

So when we look at the safety zone, which is the next zone, it's actually one of the most important zones: a separate network to ensure human safety, because if something goes wrong, people's lives can be at stake. So we're talking about safety valves and safety PLCs, and what those actually do is monitor the current values; if there's a peak or if there's some issue with the current metering values, they will go into a safe state, which in most cases is shutdown.

Now we arrive more at the process control zone, where we have three different levels. The first level is the control network, the PCN or process control network; here we typically find all the motors, sensors, actuators and other physical devices. However, when you look on the right you're going to see the sensor here, but you also see manual valves; that's in the event something goes wrong with the sensor, and the engineers can go to this place itself and close it manually. However, when you close it manually you need to open it manually again, so it doesn't open on its own. One level up is actually the control devices, so here we're talking about the PLCs and RTUs, but also dedicated workstations that can be placed in a remote substation, and those devices actually send commands to and retrieve values from those lower-level components. If we go one level up, we see typically this is where you're going to do some attacks or where USB sticks get plugged in, because we're talking about the HMI panels, the local control rooms and also the data historian. The data historian records and collects all process data from the field and transfers it to a GUI, so you see a nice graphical interface for the operators. So level three is more for operation support; here you can find scheduling resources, but also modeling tools, simulation tools, historian replication and many more. The two other zones are maybe a bit less important for this talk, but for the overall concept that's pretty important, because we're talking about the DMZ, which can contain jump host environments for hopping between different zones, but also the plant network and enterprise network, depending on which size of organization we're dealing with. So this is the overall picture.

One of the most fascinating things I heard during my journey was actually air gaps: everything is air-gapped, like physically, or using data diodes. So on the picture you can see a data diode being used, and on the other side you can see a physical air gap. However, nowadays you tend to see unidirectional gateways that are actually being bypassed and firewalls being in place, ensuring a logical air gap. However, a lot of the times you tend to see any-any rules in the firewall, so they're actually completely useless in a way, because they allow all traffic.

So what languages do these components actually speak? Well, you can divide them into two large protocol types: raw data protocols and high-level data protocols. The raw data protocols, such as HART or Modbus, read data and send commands to the devices, such as read measurement data and send commands such as start pumps or stop pumps or whatever. However, most of these protocols don't have security in place: they're being transferred in clear text and have no authentication at all. Nowadays more and more protocols are having authentication, but it's not being implemented yet, because the legacy systems are still in place and it's very costly to upgrade them. When you look at high-level data protocols such as OPC, ICCP and MMS, they provide the bridge between different applications and are often also the connection between the different zones, such as between the corporate and plant network, because the office environment tends to need that data for financial processing, for SAP, etc.

However, looking at the attack landscape: I assume some of you know Shodan. Shodan has a project, ICS Radar. When I created this presentation I took a screenshot, and as you can see it's almost 14,000 interconnected devices that speak Modbus all over the world. Knowing that this protocol has no authentication and is in clear text, everybody can do some damage. However, keep in mind that most of the time, or normally, there's an operator sitting behind the control room and monitoring everything, so if you change values the operator might see it and adjust it, so there's not going to be any issue.

Types of attacks: they're pretty much common to normal IT infrastructure as well. However, here we're dealing with insecure protocols, hardcoded credentials, such as vendors that implement hidden accounts or hardcoded accounts that you cannot delete, but also physical insecurities, such as on the picture: you can see on the bottom there's a rogue modem in place, and on the right-hand side, I was actually during an assignment, you could see the control room, which was secured with badge reader access. However, behind the control room there was a meeting room with a sliding window that wasn't secured with the badge reader access, so you could easily hop in.

Some other common weaknesses that you tend to find, because we're running 24/7, are unpatched systems. Typically they deploy the system and leave it there for 10, 20 years until the next upgrade. But also vendors are a bit at stake, because this is from a vendor that has published a patch list online with all the approved patches, and an attacker can use it as a toolbox to develop customized payloads for targeting a specific plant or targeting a specific type of system. Also, some people tend to use post-its as a password safe to put their credentials on. They also tend to change them once a year or once a decade, depending on which company you're dealing with. Ineffective physical security might be fun as well; also some pictures during an assignment: there was a control room with badge access, but it was located at the ground floor and had a window open, so it was a perfect entry. Also, yeah, broken dome cameras, and emergency exit doors that you cannot close; I tried closing them from inside, it didn't work, so you can just pry them open and find your way inside. Things you might see in IT environments are rogue access points, unnecessary software; the picture on the left-hand side is from a control room as well, they have PowerDVD installed. I don't know when operators need to burn DVDs, but it tends to happen apparently. And also diesel generators that can act as a storage facility for putting your network device boxes and lawn mower and other stuff that was there.

So how can you actually assess those systems, and how can you protect yourself against it? Well, preferably test during the factory acceptance or site acceptance testing, because things will break. If you want to use scanners, things will definitely break. Know what you're doing, don't use point-and-click, but do some passive traffic sniffing across different levels across the architecture, and of course one of the most important parts is communication. A lot of people don't communicate enough with the operators, and it's actually more beneficial when you talk to them, because they can let you know what things are going wrong.

So in the end we have to do like many organizations: implement defense in depth to ensure the safety of our control systems. So we have to ensure that the system is secure by hardening the system, that it's up to date, ensuring that the network is secure enough by implementing firewalls, IPSs, IDSs, etc., and of course physical security, ensuring that the policies that are in place also apply to control systems, because most of the time IT is responsible for the devices that are located in the control rooms but they're unaware of it. So building a team is a first step that you can do: ensure that operations, security, maintenance and IT work together and communicate together to ensure good security. So once you establish that, you can get some insight on the current situation, on how mature your control system is, by creating an inventory, determining the different security levels, ensuring that you have policies and procedures in place, if you're in certain countries that require regulatory compliance ensure that you're compliant to those, and talk to people while creating awareness. You can do that by exercises, tabletop exercises or USB dropping or whatever. However, things will take time, because management will be involved, the union might be involved; it's not always that easy to make quick changes, it's almost impossible to make quick changes. So when you're dealing with architecture changes, you need to ensure that the asset owner, system integrator and the vendor all work together to have a common understanding of what you want to do, and work together by communicating with each other for a decent architecture.

Some common pitfalls that I've experienced during my brief years within the industry are that compliance and effectiveness collide, they don't really work well together, nor is an inflexible approach or throwing money at the problem. Installing firewalls is a good thing, but not configuring them is another. And of course, yeah, lack of communication is most of the time the biggest issue, because if operators don't talk to management or management doesn't say anything to operators, you don't know about each other and you don't know the issues on how you can further collaborate.

Finally, some standards: there's a link to the ICS-CERT page, which is going to be filled with many other regulations that you can use. So if you have any questions, feel free to ask. Okay, thanks.
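The talk recommends passive traffic sniffing and monitoring instead of active scanning, and points out that Modbus carries no authentication. The following is an added example, not code from the talk or the speaker: a small Python decoder for Modbus/TCP request frames that flags state-changing function codes coming from hosts that are not the expected HMI. The frames, IP addresses and allowlist are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Function codes that change process state. A passive monitor should alert on these,
# because nothing in the frame identifies or authenticates the sender.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # first coil/register the request touches
    payload: bytes    # remaining PDU bytes (value, quantity, ...)
    is_write: bool

def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    address = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else 0
    return ModbusFrame(tid, unit, fc, address, pdu[3:], fc in WRITE_FUNCTIONS)

def audit_capture(capture, allowed_writers):
    """capture: list of (src_ip, raw_frame). Returns one alert string per write
    request sent by a host that is not on the allowlist of known HMIs."""
    alerts = []
    for src, raw in capture:
        f = parse_modbus_tcp(raw)
        if f.is_write and src not in allowed_writers:
            alerts.append(f"{src} -> unit {f.unit_id}: {WRITE_FUNCTIONS[f.function]} "
                          f"at address {f.address} (tid {f.transaction_id})")
    return alerts

# Constructed sample capture: HMI reads 10 holding registers, HMI switches a coil on,
# then an unknown host writes a holding register.
SAMPLE_CAPTURE = [
    ("10.0.1.10", bytes.fromhex("00010000000601030000000a")),
    ("10.0.1.10", bytes.fromhex("00020000000601050010ff00")),
    ("10.0.1.77", bytes.fromhex("000300000006010600030064")),
]

if __name__ == "__main__":
    for line in audit_capture(SAMPLE_CAPTURE, {"10.0.1.10"}):
        print("ALERT:", line)
```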