INDUSTRIAL CONTROL SYSTEMS IN A NUTSHELL
๏ A large-scale management system to control equipment remotely and to process a very large number of measurements in real time
๏ In general, it consists of:
- Field data interface devices (RTUs, PLCs) which interface to field sensing devices
- A central host computer server or servers
- A communication system to transfer data from field data interface devices to the central host computer
- A Human Machine Interface (HMI)
๏ Long life cycles
๏ Legacy serial protocols (DNP3, Modbus) were adapted to be used on IP-based ICS networks
Workshop SEIDO - December 11, 2015 | 3
INDUSTRIAL CONTROL SYSTEMS DISCLOSED VULNERABILITIES
[Figure: ICS Specific Vulnerabilities in the Public 2001-2011 (by year, 2001 to 2011)]
[Figure: Comparison of ICS software security weaknesses* (percentages). Categories: Improper Input Validation; ICS Security Configuration and Maintenance; Credentials Management; Improper Authentication; Permissions, Privileges, and Access Controls. Series: ICS-CERT Published Vulnerabilities; 2009-2010 CSSP ICS Product Assessments; 2004-2008 CSSP ICS Product Assessments]
*Source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, DHS 2011.
[Figure: Common Vulnerability Scoring System (CVSS) Severity of ICS related vulnerabilities in 2013]
ICS SECURITY INTRODUCTION
๏ Use of off-the-shelf operating systems increases the attack surface
๏ Unsupported legacy software
๏ The amount of equipment that can be accessed remotely has significantly increased
๏ Fixed maintenance schedules prevent quick preemptive actions to secure the system
๏ Sometimes, 99.999% or greater ICS uptime is required (