As IT and Operational Technology (OT) environments continue to converge, managers of ICS have been faced with the challenge of protecting these crucial systems and data, in spite of inherent security weaknesses and the continual risk of insider threat. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. Existing, legacy approaches have proven inadequate on their own, especially against insiders who, by definition, have authorized access.
There is an urgent need for a new approach to combat the next generation of cyber-threats across both OT and IT environments. While total prevention of compromise is not achievable, using automated self-learning technologies to detect and respond to emerging threats within a network is an achievable cyber security goal, irrespective of whether the suspicious behavior originated on the corporate network or on the ICS.
Some of the world’s leading energy and manufacturing companies are using these technologies to detect early indicators of cyber-attacks or vulnerabilities across IT and OT environments, without reliance on pre-identified threat feeds, rules, or signatures. These technologies represent an innovative and fundamental step-change in automated cyber-defense.
In this session, attendees will learn:
This talk will go into detail about how drilling systems communicate and some of the attacks that could be performed on a drilling rig. These include corrupting toolface information and burning out motors in bits; disabling H2S and sour gas detection systems; altering survey data so that the drilling crew drills out of zone, forcing sidetrack and time-drilling operations that can cost a rig millions of dollars; and finally modifying chromatograph readings and mud weight to cause a blowout that could burn the rig to the ground. Infection vectors include the Excel files exchanged by directional drillers, MWD staff and third parties.
Research Background
Using a honeypot run as a disposable mail service on Tor, Weston Hecker came across custom-tailored malware, including several versions of SamSam and CryptoLocker. In early May he found a sample targeting Wellsite Information Transfer Specification (WITS) data and the Measurement While Drilling (MWD) systems used on land-based drilling platforms. This led him to research the attack surface of a drilling rig.
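The survey and mud-weight tampering described above has to pass through the rig's WITS feed, which makes that feed a natural place for a plausibility check. The following is an added example, not the speaker's code: it parses WITS Level 0 records (the framing between "&&" and "!!" lines, each data line a four-character item code followed by its value, is per the public spec) and flags values that are out of range, jump further than physically reasonable between consecutive records, or break the invariant that the bit cannot be deeper than the hole. The item codes, units, limits and the sample stream are assumptions constructed for the illustration; take the real codes from the WITS specification and the rig's EDR configuration.

```python
"""Parse WITS Level 0 records and flag physically implausible changes.

Added illustration; not the speaker's code. WITS0 framing is as in the public
spec: a record is the lines between an '&&' line and a '!!' line, each line a
four-character item code (record id + item id) followed by the value. The item
codes, units and limits below are ASSUMPTIONS for the example; take the real
ones from the WITS spec and the rig's EDR configuration.
"""

# Assumed item-code -> channel mapping (illustrative only).
ITEMS = {
    "0108": "bit_depth_ft",
    "0110": "hole_depth_ft",
    "0113": "rop_ft_per_hr",
    "0801": "mud_weight_in_ppg",
}

# Assumed plausibility limits: (min, max, max change between consecutive records).
LIMITS = {
    "bit_depth_ft":      (0.0, 30000.0, 60.0),
    "hole_depth_ft":     (0.0, 30000.0, 60.0),
    "mud_weight_in_ppg": (7.5, 20.0, 0.3),
}


def parse_wits0(text):
    """Return a list of records, each a dict of channel name -> float (or raw string)."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "&&":                 # record start
            current = {}
        elif line == "!!":               # record end
            if current is not None:
                records.append(current)
            current = None
        elif current is not None and len(line) >= 4 and line[:4].isdigit():
            code, value = line[:4], line[4:].strip()   # works with or without a separator
            try:
                value = float(value)
            except ValueError:
                pass                     # keep non-numeric items as text
            current[ITEMS.get(code, code)] = value
    return records


def check_records(records):
    """Return alert strings for out-of-range values, implausible jumps and broken invariants."""
    alerts, prev = [], None
    for i, rec in enumerate(records):
        for name, (lo, hi, max_delta) in LIMITS.items():
            v = rec.get(name)
            if not isinstance(v, float):
                continue
            if not lo <= v <= hi:
                alerts.append(f"record {i}: {name}={v} outside [{lo}, {hi}]")
            if prev is not None and isinstance(prev.get(name), float) and abs(v - prev[name]) > max_delta:
                alerts.append(f"record {i}: {name} jumped {prev[name]} -> {v} (limit {max_delta})")
        # Physical invariant: the bit cannot be deeper than the bottom of the hole.
        bit, hole = rec.get("bit_depth_ft"), rec.get("hole_depth_ft")
        if isinstance(bit, float) and isinstance(hole, float) and bit > hole + 0.5:
            alerts.append(f"record {i}: bit depth {bit} exceeds hole depth {hole}")
        prev = rec
    return alerts


# Constructed sample stream: the third record carries a tampered mud weight,
# the fourth a bit depth that is deeper than the hole.
SAMPLE = """\
&&
0108 9500.0
0110 9500.0
0113 45.2
0801 10.2
!!
&&
0108 9505.0
0110 9505.0
0113 44.8
0801 10.2
!!
&&
0108 9510.0
0110 9510.0
0113 45.0
0801 8.6
!!
&&
0108 9520.0
0110 9510.0
0113 45.0
0801 8.6
!!
"""

if __name__ == "__main__":
    for alert in check_records(parse_wits0(SAMPLE)):
        print(alert)
```

The rate-of-change limits are the important part: a single tampered record that stays inside the absolute range (8.6 ppg is a perfectly normal mud weight on its own) is only visible as a jump relative to the previous record, and the bit/hole invariant catches survey or depth edits that a per-channel range check never would.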
Protecting the Critical Infrastructure and Key Resources (CIKR) of the United States has emerged as a national priority [Oba13], and simple adaptation of Information Technology (IT) security solutions to Industrial Control System (ICS) applications presents particular technical challenges for the cybersecurity community.
Results here expand upon AFIT’s PHY-based Level 0 protection strategy that was first introduced by researchers in [LoT14, LTM15]. These early works demonstrated a promising proof-of-concept capability for a Level 0 (physical end-device) anomaly detection scheme that aims to improve cyber-physical system resilience using device fingerprints composed of Wired Signal Distinct Native Attribute (WS-DNA) features. The WS-DNA features were extracted from WS responses of differential pressure transmitters employing smart sensor technology to control and monitor an experimental automated control process.
AFIT’s WS-DNA exploitation capability has been expanded, with results here based on field devices from four manufacturers (Siemens, Yokogawa, Honeywell and Endress+Hauser) implementing the Highway Addressable Remote Transducer (HART) protocol. The aim is to discover discriminable PHY features in the Frequency Shift Keyed (FSK) signals used for closed-loop control. Discriminability is assessed as a multi-state problem, with each manufacturer’s device operating under two different conditions. Manufacturer and operating-state discrimination results include percent correct classification of %C ≥ 90% for both manufacturer (cross-model) and serial number (like-model) assessments. Thus, Level 0 WS-DNA processing is promising for discriminating field device manufacturer and operating state, and remains a viable alternative for securing ICS operations.
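To make the PHY-fingerprinting idea concrete, here is an added, self-contained illustration of the general approach. It is not AFIT's WS-DNA pipeline, feature set or classifier. It synthesizes a steady 1200 Hz mark-tone segment, standing in for the carrier and 0xFF preamble at the start of a HART frame (Bell 202 signalling at 1200 bps is a HART fact; the example ignores UART start bits and the 2200 Hz space tone entirely), from three hypothetical devices, extracts per-cycle frequency and peak-amplitude statistics over sub-regions of each burst as the fingerprint, and classifies held-out bursts against per-device centroids. The sample rate, the device imperfections (tone offset, gain, second-harmonic content), the noise level, the feature choice and the nearest-centroid classifier are all assumptions chosen for the example.

```python
"""Toy Level 0 fingerprint of HART-style FSK bursts from zero-crossing features.

Added illustration of the general approach; NOT AFIT's WS-DNA pipeline, feature
set or classifier. Bell 202 (1200 Hz mark tone, 1200 bps) is a HART fact; the
sample rate, device imperfections, noise level, sub-region features and the
nearest-centroid classifier are assumptions for the example.
"""
import math
import random
from statistics import mean, pstdev

FS = 48_000        # sample rate in Hz (assumed)
MARK_HZ = 1200.0   # Bell 202 mark tone
BAUD = 1200        # HART signalling rate
N_REGIONS = 4      # sub-regions per burst (assumed)

# Assumed per-device imperfections: (tone offset in Hz, gain, 2nd-harmonic ratio).
DEVICES = {
    "vendorA_sn1": (0.0, 1.00, 0.02),
    "vendorA_sn2": (7.0, 0.98, 0.03),
    "vendorB_sn1": (-6.0, 1.06, 0.01),
}


def synth_mark_burst(device, n_bits=40, noise=0.01, rng=random):
    """Steady mark-tone burst (n_bits one-bits) with the device's imperfections plus Gaussian noise."""
    offset, gain, h2 = DEVICES[device]
    f = MARK_HZ + offset
    n = n_bits * FS // BAUD
    return [gain * (math.sin(2 * math.pi * f * i / FS) + h2 * math.sin(4 * math.pi * f * i / FS))
            + rng.gauss(0.0, noise) for i in range(n)]


def cycle_features(sig):
    """Per cycle (between rising zero crossings): (estimated frequency in Hz, peak amplitude)."""
    crossings = []
    for i in range(1, len(sig)):
        if sig[i - 1] < 0.0 <= sig[i]:
            # Linear interpolation of the crossing instant between the two samples.
            crossings.append(i - 1 + (-sig[i - 1]) / (sig[i] - sig[i - 1]))
    return [(FS / (b - a), max(sig[int(a):int(b) + 1])) for a, b in zip(crossings, crossings[1:])]


def fingerprint(sig, n_regions=N_REGIONS):
    """Mean/std of cycle frequency and peak amplitude in each sub-region -> feature vector."""
    cycles = cycle_features(sig)
    per = len(cycles) // n_regions
    feats = []
    for r in range(n_regions):
        chunk = cycles[r * per:(r + 1) * per]
        freqs, peaks = [c[0] for c in chunk], [c[1] for c in chunk]
        feats += [mean(freqs), pstdev(freqs), mean(peaks), pstdev(peaks)]
    return feats


def train(samples):
    """Nearest-centroid model on z-scored features. samples: list of (label, feature_vector)."""
    cols = list(zip(*[f for _, f in samples]))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]
    zscore = lambda f: [(v - m) / s for v, m, s in zip(f, mu, sd)]
    centroids = {}
    for label in sorted({lab for lab, _ in samples}):
        vecs = [zscore(f) for lab, f in samples if lab == label]
        centroids[label] = [mean(c) for c in zip(*vecs)]
    return mu, sd, centroids


def classify(model, feats):
    """Label of the nearest centroid in z-scored feature space."""
    mu, sd, centroids = model
    z = [(v - m) / s for v, m, s in zip(feats, mu, sd)]
    return min(centroids, key=lambda lab: sum((a - b) ** 2 for a, b in zip(z, centroids[lab])))


def run_experiment(n_train=20, n_test=10, seed=1):
    """Train on n_train bursts per device; return percent correct (%C) on n_test held-out bursts each."""
    rng = random.Random(seed)
    train_set = [(d, fingerprint(synth_mark_burst(d, rng=rng))) for d in DEVICES for _ in range(n_train)]
    model = train(train_set)
    test_set = [(d, fingerprint(synth_mark_burst(d, rng=rng))) for d in DEVICES for _ in range(n_test)]
    correct = sum(classify(model, f) == d for d, f in test_set)
    return 100.0 * correct / len(test_set)


if __name__ == "__main__":
    print(f"%C = {run_experiment():.1f}%")
```

Two of the three hypothetical devices share a "vendor" and differ only by a few hertz of tone offset and a couple of percent of gain, which is the like-model (serial number) case; the third differs more, which is the cross-model case. The point of the per-region split is that a fingerprint built from the whole burst would average away transient behaviour, whereas region-wise statistics keep it.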
This presentation provides a view of a target cyber security architecture made for industrial control systems – for the Operations Technology (OT) of the oil and gas, power, chemicals and other industries.
It would seem a straightforward idea: there is a cyber risk to vulnerable OT systems, so why not secure the process control networks (PCNs) by integrating layered security (a defense-in-depth architecture) in the same way the IT enterprise is secured? Sounds simple. Yet a deeper understanding of the OT (the technology and its business and operational requirements) makes it clear that simply adding IT-style defense-in-depth is not so straightforward. In some cases it can even run counter to the safe operation of the plant.
There is no question that OT systems need to be hardened against cyber adversaries. The threat is real. The vulnerabilities, and the lack of protection against cyber attacks, are alarming. Incidents are cropping up in growing numbers and are ever more consequential. But the PCNs in OT systems differ significantly from IT systems. The security architecture must fit the purpose and conditions of the OT systems currently deployed in plants and remote locations: systems that are not easily replaced, enhanced or patched.
This is the challenge – to achieve a suitable security architecture for OT systems that provides needed defense-in-depth protections against cyber attacks while still meeting business requirements and safety functions.
This presentation delivers an architectural overview. First, it reconciles the OT operational requirements of reliable, real-time operation and safety with the cyber security requirements for identity and access control, asset management, segmentation, configuration and network management, to name a few. Second, it discusses ways to achieve a target security architecture that can work within the reality of legacy (installed) PCNs with limited computing and network capacity.
How it is currently relevant to the industry: There is increasing concern within ICS industries (including Oil and Gas) about cyber threats at the same time that the industry becomes more aware of the existing exposures and vulnerabilities in its process control networks. The industry needs the right security answers: the kind that work within a security architecture that is fit-for-purpose in an OT environment with its constraints and business demands.
What objectives will be covered?
Intended audience: Engineers and Architects charged with security for OT/ICS
Driven by business sustainability requirements, access to (near) real-time data within the automation industry has created a growing trend towards interconnectivity between control system and enterprise environments. A component of this trend is the movement away from proprietary control system platforms and technology, to a more open and interoperable Asset Control System. This development creates opportunities for businesses, but can also simultaneously increase their exposure to potential vulnerabilities. Due to the evolving, complex nature of control systems in the enterprise today, many asset owners simply do not know where to start when it comes to devising a security strategy. A lack of awareness about their current vulnerability state makes the effective application of security controls and /or processes difficult. Many customers lack experience in determining vulnerability levels, exposure, and possible impacts of threats to network and critical assets. They also face difficulty in effectively distributing and enforcing appropriate policies and procedures.
This presentation will describe how an external Cybersecurity Services team can provide valuable assessment, implementation, maintenance, and education services for businesses focused on minimizing Operational Technology (OT) cybersecurity risks within their ICS environment. It will also include an overview of how IT / OT environments are converging today, the challenges with managing that process and the sprawl of the Industrial IoT. Finally, we’ll discuss some best practices that have been assembled from lessons learned in Building Automation Systems, Water / Wastewater, Refineries, and other critical infrastructure.
Sponsored by: Schneider Electric
The hallmark of this year’s attack on the Ukrainian power grid was the extensive reconnaissance the attackers performed on their target’s control networks in order to maximize system disruption. Situational awareness, incident response and recovery all depend on an accurate understanding of control system inventories, including normal process behavior. The Ukrainian attack has led our community to a key question: do we know our industrial control networks as well as our adversaries do?
Despite the emergence of technologies that monitor data flows on industrial control networks, ICS operators consistently cite inadequate real-time views of control system topology, devices and behavior as a fundamental obstacle to securing their operations. Historically, gathering and maintaining this information has proven extremely labor intensive and disruptive to the economics of industrial operations.
Dr. Carcano’s talk will explore case studies in which emerging technology and process-centric analytics have enabled more automated, passive methods of inventory collection, network monitoring and characterization of normal process behavior in industrial control systems. These technologies have let operators baseline normal operational processes and measure network loading. Dr. Carcano will discuss the operational and safety benefits of automated inventory technologies, such as improved visibility of misconfigurations and early detection of zero-day attacks, device failures and other anomalies. While improving operability, these technologies also hold the promise of faster detection of adversaries’ reconnaissance activities and improved recovery times.

Wednesday’s breakout sessions will conclude with a moderated discussion of the cyber issues that bear on both safety and security.
Open to audience participation, topics will
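To show what the passive inventory and baseline from Dr. Carcano's talk look like at the packet level, here is an added example (not Dr. Carcano's or any vendor's tooling). It learns an inventory from constructed Modbus/TCP requests (which clients poll which servers and unit ids, with which function codes and register ranges) and then flags the reconnaissance and tampering patterns the talk is concerned with: an unknown client, a sweep of unit ids, a write function never seen in the baseline, and a read outside the polled register range. The MBAP header and PDU layout follow the Modbus/TCP specification; the IP addresses, unit ids, register ranges, sweep threshold and the traffic itself are constructed for the example, and in practice the (src, dst, payload) tuples would come from a SPAN-port capture.

```python
"""Passive Modbus/TCP inventory and behavioral baseline from captured requests.

Added illustration; not Dr. Carcano's or any vendor's tooling. The MBAP header
and PDU layout are as in the Modbus/TCP spec; the frames, IP addresses, unit
ids and thresholds below are CONSTRUCTED for the example. In practice the
(src, dst, payload) tuples would come from a SPAN-port capture, not be built here.
"""
import struct
from collections import defaultdict

READ_FUNCS = {1, 2, 3, 4}      # read coils / discrete inputs / holding regs / input regs
WRITE_SINGLE = {5, 6}          # write single coil / single register
WRITE_MULTI = {15, 16}         # write multiple coils / registers


def parse_modbus_tcp(payload):
    """Parse MBAP header + request PDU; return a dict, or None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # length counts unit id + PDU
        return None
    req = {"tid": tid, "unit": unit, "func": payload[7]}
    if req["func"] in READ_FUNCS | WRITE_MULTI and len(payload) >= 12:
        req["addr"], req["qty"] = struct.unpack(">HH", payload[8:12])
    elif req["func"] in WRITE_SINGLE and len(payload) >= 12:
        req["addr"] = struct.unpack(">H", payload[8:10])[0]
        req["qty"] = 1
    return req


def build_frame(tid, unit, func, addr, qty_or_value):
    """Build a request frame (used only to construct the sample traffic)."""
    pdu = struct.pack(">BHH", func, addr, qty_or_value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def learn(frames):
    """Build the inventory: client/server pairs, and per server unit the functions and ranges used."""
    inv = {"clients": set(),
           "servers": defaultdict(lambda: defaultdict(lambda: {"funcs": set(), "ranges": set()}))}
    for src, dst, payload in frames:
        req = parse_modbus_tcp(payload)
        if req is None:
            continue
        inv["clients"].add((src, dst))
        unit = inv["servers"][dst][req["unit"]]
        unit["funcs"].add(req["func"])
        if "addr" in req:
            unit["ranges"].add((req["func"], req["addr"], req["qty"]))
    return inv


def detect(inv, frames, sweep_threshold=3):
    """Compare traffic to the baseline; return de-duplicated (kind, detail) alerts in order."""
    alerts, emitted = [], set()
    new_units = defaultdict(set)   # (src, dst) -> unknown unit ids probed (recon indicator)

    def alert(kind, detail):
        if (kind, detail) not in emitted:
            emitted.add((kind, detail))
            alerts.append((kind, detail))

    for src, dst, payload in frames:
        req = parse_modbus_tcp(payload)
        if req is None:
            alert("malformed", f"{src} -> {dst}")
            continue
        if (src, dst) not in inv["clients"]:
            alert("new_client", f"{src} -> {dst}")
        units = inv["servers"].get(dst, {})
        u, f = req["unit"], req["func"]
        if u not in units:
            new_units[(src, dst)].add(u)
            alert("new_unit", f"{src} -> {dst} unit {u}")
            if len(new_units[(src, dst)]) == sweep_threshold:
                alert("unit_sweep", f"{src} probed {sweep_threshold}+ unknown unit ids on {dst}")
            continue
        if f not in units[u]["funcs"]:
            kind = "new_write_function" if f in WRITE_SINGLE | WRITE_MULTI else "new_function"
            alert(kind, f"{src} -> {dst} unit {u} function {f}")
        elif "addr" in req and not any(
            a <= req["addr"] and req["addr"] + req["qty"] <= a + q
            for fn, a, q in units[u]["ranges"] if fn == f
        ):
            alert("new_range", f"{src} -> {dst} unit {u} function {f} addr {req['addr']} qty {req['qty']}")
    return alerts


HMI, PLC, ROGUE = "10.0.0.5", "10.0.0.20", "10.0.0.99"
# Constructed learning-phase traffic: the HMI polls unit 1 for 10 holding registers and 8 coils.
NORMAL = [(HMI, PLC, build_frame(t, 1, 3, 0, 10)) for t in range(5)] + [(HMI, PLC, build_frame(5, 1, 1, 0, 8))]
# Constructed suspect traffic: a unit-id sweep and a register write from an unknown host,
# followed by an off-baseline read from the legitimate HMI.
SUSPECT = ([(ROGUE, PLC, build_frame(t, u, 3, 0, 10)) for t, u in enumerate((1, 2, 3, 4))]
           + [(ROGUE, PLC, build_frame(9, 1, 6, 40, 0))]
           + [(HMI, PLC, build_frame(10, 1, 3, 100, 10))])

if __name__ == "__main__":
    baseline = learn(NORMAL)
    for kind, detail in detect(baseline, SUSPECT):
        print(f"{kind:18} {detail}")
```

Note that the rogue host's first request (unit 1, function 3, registers 0 to 9) is indistinguishable from the HMI's own polling except for its source address, which is why the inventory keys on client/server pairs and not on request content alone; the sweep and the write are what a reconnaissance-then-manipulate sequence adds on top.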