Industrial Control Systems Security

Author: Elvin Higgins
Industrial Control Systems Security Optimizing Security Policies

Ziad Ismail Jean Leneutre Alia Fourati December 11, 2015

SMART GRID

DEMAND RESPONSE, ADVANCED METERING
Two-way communication between the customer and the utility company
Real-time pricing information to consumers to manage power consumption

STORAGE
Energy generated at off-peak times is stored for later use

PLUG-IN HYBRID
Enable smart charging for plug-in electric vehicles

POWER SYSTEM AUTOMATION
Outage isolation and restoration

DISTRIBUTED ENERGY RESOURCES
Small power sources that can be aggregated to provide power necessary to meet regular demand

Workshop SEIDO - December 11, 2015 | 2

INDUSTRIAL CONTROL SYSTEMS IN A NUTSHELL

๏ A large-scale management system to control equipment remotely and to process a very large number of measurements in real time
๏ In general, it consists of:
- Field data interface devices (RTUs, PLCs) which interface to field sensing devices
- A central host computer server or servers
- A communication system to transfer data from field data interface devices to the central host computer
- A Human Machine Interface (HMI)
๏ Long life cycles
๏ Legacy serial protocols (DNP3, Modbus) were adapted to be used on IP-based ICS networks

INDUSTRIAL CONTROL SYSTEMS DISCLOSED VULNERABILITIES

[Figure: ICS Specific Vulnerabilities in the Public 2001-2011. Vulnerability count per year, 2001 to 2011.]

[Figure: Comparison of ICS software security weaknesses*. Categories: Improper Input Validation; ICS Security Configuration and Maintenance; Credentials Management; Improper Authentication; Permissions, Privileges, and Access Controls. Series: ICS-CERT Published Vulnerabilities; 2009-2010 CSSP ICS Product Assessments; 2004-2008 CSSP ICS Product Assessments.]

*Source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, DHS 2011.

INDUSTRIAL CONTROL SYSTEMS CYBER INCIDENTS

Cyber Incidents reported to ICS-CERT 2013
- Energy: 54%
- Critical Manufacturing: 16%
- Other: 12%
- Transportation: 5%
- Communications: 5%
- Water: 4%
- Nuclear: 3%

Common Vulnerability Scoring System (CVSS) Severity of ICS related vulnerabilities in 2013
- High: 65%
- Medium: 35%

ICS SECURITY INTRODUCTION

๏ Use of off-the-shelf operating systems increases the attack surface
๏ Unsupported legacy software
๏ The amount of equipment that can be accessed remotely has significantly increased
๏ Fixed maintenance schedules prevent quick preemptive actions to secure the system
๏ Sometimes, 99.999% or greater ICS uptime is required (
