
Introduction to control system security

ISA/IEC 62443 industrial security framework Taxonomies

What is control system cybersecurity?

  • Electronic security: actions required to protect critical systems or informational assets from unauthorized use, denial of service, modifications, disclosure, loss of revenue, destruction. SOURCE: ISA/IEC 62443-1-1-2007
  • Control system: hardware and software components of an Industrial Automation and Control System (IACS). SOURCE: ISA/IEC 62443-2-4-2018
  • Cybersecurity: measures taken to protect a computer or computer system against unauthorized access or attack. SOURCE: ISA/IEC 62443-3-2-2020
  • Increased use of Internet protocols exposes control systems
  • Increased use of commercial off-the-shelf (COTS) equipment (equipment you can go and buy, plug and play). Issues: configuration not clear, supply chain attack
  • Increased remote monitoring and access
  • Increased malicious code attacks
  • Increased unauthorized attempts
  • Increased automated attack tools

Implications

  1. COTS components, increased connectivity and common protocols => Potential adversaries are familiar with the technology & Common risks.
  2. Remote access => Broadens the system's “attack surface”
  3. Network separation can be difficult or impossible

Potential consequences

  • Data: Disclosure, Alteration, Denial
  • Physical: Physical damage, Personnel injury
  • Legal: Violation of legal and regulatory requirements

Key take-away from national cybersecurity reports

  1. National Security Agency (United States): Look at your value vs. risk vs. cost for IT to OT connectivity.
  2. European Union Agency for Cybersecurity: Threat landscape
  3. Cybersecurity and Infrastructure Security Agency (United States): Encourages asset owners to review the contents of the alert for the threat actor techniques and ensure the mitigations + Commodity ransomware (Ransomware as a Service).
  4. Canadian Centre for Cyber Security (Canada): 5 cyber threat narratives that are considered the most dynamic and impactful.

Malware events

  1. Stuxnet
  2. Shamoon
  3. OS Agnostic

Common myths regarding IACS security

Myth #1 Control systems are not connected to the Internet

Fact: We can use SHODAN to search for Internet-connected services. Sample of typical applications:

  • BACnet: Building automation
  • DNP3: Electric/Water
  • EtherNet/IP: Common Industrial Protocol
  • Modbus: Open source SCADA
  • Niagara Fox: Building automation
  • Niagara Fox with SSL: Building automation
  • Siemens S7: Ethernet S7 PLC

Myth #2 The industrial control systems are behind a firewall

Fact: Firewalls are insufficient network boundary protection. According to Gartner, through 2023, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.
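A defender-side check that ties Myths #1 and #2 together: audit a firewall rule set for permit rules that let sources outside the OT zone reach the default ports of the protocols listed above. This is an added example, not part of the original post; the rule format, the `TRUSTED` zone and the sample rules are constructed, and the port numbers are the protocols' default assignments.

```python
import ipaddress

# Default ports of the protocols listed under Myth #1.
ICS_PORTS = {
    ("tcp", 102): "Siemens S7",
    ("tcp", 502): "Modbus",
    ("tcp", 1911): "Niagara Fox",
    ("tcp", 4911): "Niagara Fox with SSL",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 47808): "BACnet",
}

# Assumption: the only network allowed to talk to controllers (constructed).
TRUSTED = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed rule set in a hypothetical format: action proto source dest-port(s)
SAMPLE_RULES = """\
permit tcp 10.20.0.0/24 502
permit tcp 0.0.0.0/0 443
permit tcp any 100-600
permit udp 203.0.113.0/24 47808
deny   tcp any 44818
permit tcp 10.0.0.0/8 20000
"""

def _ports(spec):
    """Turn 'any', '502' or '100-600' into a range of port numbers."""
    if spec == "any":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def _is_untrusted(src):
    """A source is untrusted unless it lies entirely inside a trusted zone."""
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
    return not any(net.subnet_of(zone) for zone in TRUSTED)

def audit(rules_text):
    """Return (rule number, protocol, port) for each exposed ICS port.
    Simplification: rule order and shadowing by earlier denies are ignored."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or fields[0] != "permit":
            continue
        _, proto, src, port_spec = fields
        if _is_untrusted(src):
            ports = _ports(port_spec)
            findings += [(n, name, port) for (p, port), name in ICS_PORTS.items()
                         if proto in (p, "any") and port in ports]
    return findings
```

On the sample, rule 3 is caught because its port range silently includes 102 and 502, and rule 6 because its source is broader than the OT zone, which are the kinds of misconfiguration the Gartner figure refers to.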

Myth #3 Hackers don’t understand control systems

Fact: Hacking as a service has hit the mainstream. SCADA and process control systems are common topics at DEF CON or Black Hat conferences. Here is a list of known exploited vulnerabilities for control systems.

Myth #4 Safety systems can protect the system

Fact: Safety systems are microprocessor-based, programmed from a Windows PC, and use Ethernet communications with open and insecure protocols (Modbus TCP, OPC, etc.). TRITON is malware that targets the safety systems of chemical plants.

This post is licensed under CC BY 4.0 by the author.