Welcome address and conference introduction for the 2016 ICS Cyber Security Conference. – Michael Lennon, Founder and Managing Director, SecurityWeek, Chairman of ICS Cyber Security Conference
With new Drone technologies appearing in the consumer space daily, Industrial Site operators are being forced to rethink their most fundamental assumptions about Industrial Sites and Cyber-Physical security. This presentation will cover Electronic Threats, Electronic Defensive measures, Recent Electronic jamming incidents, Latest Drone Threats and capabilities, defensive planning, and Electronic Attack Threats with Drones as delivery platform.
This talk will present 2 drone attack scenarios with video [potentially live] demonstrations of drone attack capabilities on an industrial wireless flowmeter. The first attack will illustrate simple disruption of the flowmeters signal potently causing the non-report of a product spill (Hacktivist purposes). The second demonstration would take this a step further demonstrating the ability for a $1000 drone to autonomously turn a directional disrupter via image targeting of plat personnel (Hacktivist/Malicious Attack purposes).
Attendee Takeaways:
A better understanding how drones can now be the bridge that Hacktivists use to make attacks that were only possible in close proximity before.
Realization that large scale EW attacks to Industrial system that used to be possible with military grade equipment are now possible with hobby components.
An understand of what a defensive security person must consider when risk evaluating the threats to industrial wireless systems.
Using WiFi surveillance to track possible Drone use, scan of MACs associated with drones
Physical Defense and what to tell your guards if they see a Drone jump the fence.
Overview of Law and FAA regulations concerning drone use in and around plant infrastructure.
Much More
In this session we will demonstrate live cyberattacks against a Schweitzer SEL-751A feeder protection relay and the related impact to end devices and operator interfaces.
While the demonstration is not meant to single out any particular vendor or piece of equipment, it will highlight the lack of cyber security built into widely deployed intelligent electronic devices (IED), how these IEDs can be attacked and the physical impact they can have when compromised.
The cyberattack demonstration will highlight a loss of control of the relay, how such loss impacts an end device like a motor and how this can all be hidden from the operator. The attacks include an adversary gaining access to the relay, taking control, locking out administrators, and changing the relay’s configuration. In addition, the attacks will be masked to leave no trace, making it difficult for an operator to trouble shoot the disruption was caused by a cyberattack, let alone prevent it from happening again.
The SEL-751A is an important piece of equipment performing many critical functions, and such attacks could be repeated across the same or different relays from different manufacturers.
Imagine an attack on critical infrastructures that could evade virtually all existing security measures (network firewalls, AV, application whitelisting, etc.) and that would operate generically across a wide range of different SCADA implementations. Indegy researcher Avihay Kain has discovered a vulnerability that would enable just such an attack. We will unveil the vulnerability for the first time at the 2016 Industrial Control Systems (ICS) Cyber Security Conference.
The vulnerability allows for remote code execution in Schneider Electric’s flagship product - the UnityPro software platform. (The vulnerability applies to all versions of UnityPro, including the latest release of version 10.0.) Schneider Electric’s UnityPro software platform, which runs on Windows-based engineering workstations, is used for programing and managing Schneider Electric equipment in industrial control networks including those operating critical infrastructure. Regardless of the specific SCADA application in use, if Schneider Electric PLCs are in use, UnityPro software will be deployed for the engineering stations, making this attack relevant across virtually any process controlled by Schneider PLCs.
While we will show an exploit specific to Schneider, all PLC vendors have similar proprietary engineering protocols and we should expect many vulnerabilities like it that apply to other vendors. The result is that those concerned with ICS security should realize two key points:
1.) Attacks on ICS networks do not require exploitation of vulnerabilities in SCADA/HMI applications or the controllers themselves:
There is a misconception in the industrial cyber security space that securing these networks only requires monitoring of the SCADA/HMI application protocols, for instance - MODBUS and DNP3. However, there is an important distinction between the communication protocols used by HMI/SCADA applications, and the control-plane protocols which are used by the engineering station software. The less known engineering station protocols are not fully documented, and worse -- each vendor uses a different proprietary communication protocol, making it extremely difficult to monitor them. As a result, these protocols, which allow an attacker to access the controllers using the vulnerability described above, aren’t monitored and the engineering stations are mostly ignored.
2.) Combining security controls borrowed from IT Security with HMI/SCADA application monitoring is not enough to secure ICS.
It is commonly believed that with a combination of IT security technologies (secure network design, AV/anti-malware and application whitelisting) and monitoring the HMI/SCADA protocols mentioned in point 1, it is possible to prevent industrial network infiltration and device access. This exploit will look exactly like known good engineering work and will evade all of those controls, demonstrating that IT security plus HMI monitoring is not sufficient for ICS. Additional security controls for engineering network activity monitoring are needed.
Bill Cotter, Master System Engineering Specialist at 3M, will provide a Top 12 Checklist for Process Security, along withan overview of the ISA-TR62443-2-3 ICS Patch Standard.
The state of Indiana executed CRIT-EX 16.2 on the 18th and 19th of May, 2016, at the Muscatatuck Urban Training Center. This cyberattack readiness exercise aimed to improve the overall security and responsiveness of Indiana’s critical infrastructure in the face of an advanced cyber incident that disrupts essential water utility services and presents a public safety threat.
The Indiana Department of Homeland Security in conjunction with the Indiana National Guard, Indiana Office of Technology, Cyber Leadership Alliance, and over 16 other public and private partners developed this controlled functional cyberattack exercise to allow participants to deploy resources and communicate with response partners to mitigate adverse effects and expedite recovery. Additionally, CRIT-EX is the first joint public-private partnership simulating responses to cyberattacks on the Muscatatuck water treatment plant, with expert programming and cybersecurity teams acting as cyberterrorists who attack the facility’s Supervisory Control and Data Acquisition (SCADA) systems.
The exercise had three very important themes that differentiated Crit-Ex from other cyber exercises: First, participants had to agree on a common language. Second, privacy was at the center of the exercise. The third unique theme and what is considered to be the hallmark of Crit-Ex 16.2 was the complexity of the event.
This presentation will cover the importance of training cybersecurity for industrial control systems in a complex environment. While using lessons learned as examples, the presenter will provide a roadmap to plan and execute a complex cyber exercise.
View a detailed description of the talk here
Don Bartusiak, Chief Engineer, Process Control at ExxonMobil Research & Engineering, will present an exclusive talk about ExxonMobil's initiative regarding a standards-based, open, secure, interoperable process control architecture. Bartusiak will address the business problem that the world's largest publicly traded international oil and gas company is trying to solve and why ExxonMobil feels that existing ICS vendor approaches are not adequate to meet their needs.
He will also discuss the status of formulation of an end user, supplier, system integrator, and standards organization consortium that is underway with The Open Group.
Live Demo: Remote Attack That Can Permanently Disable a Fully Air-gapped System
Industrial control systems that claim to be fully air-gapped often aren't. In particular, elements of the ICS take electrical power from a local network, or UPS. Power supply engineers who work on power disturbances can demonstrate certain types of events -- as simple as turning the power off and on in a particular pattern -- that can permanently disable typical off-the-shelf power supplies. A technical discussion of this attack vector, with a follow-on live demonstration, will be provided.
The ICS threat landscape is expanding fast. With the rise of the Industrial IoT, and increased device connectivity, no mission-critical entity is safe. On one hand, the expansion of the Internet also makes ICS easier prey to attackers, with ICS components being available online. On the other hand, attackers can easily attain industrial products and technologies and reveal relevant vulnerabilities to exploit. Both aspects emphasize that it is getting increasingly simpler for attackers to exercise their will in industrial environments, having to invest less resources to do so.
In this session, we will provide an example which emphasizes this trend, where the CyberX research group was able to expose vulnerabilities within a leading vendor’s PLC, getting from complete obscurity to the desired end-game, while having to cope with diverse challenges. These include physical extraction of components and de-coding of the encoded firmware.
The aforementioned trend in the ICS Security eco-system leads to a flux in ICS vulnerabilities, which is part of the inevitable cat and mouse race between attackers and defenders in the ICS security domain. This race has peaked a new level, where every Industrial IoT environment is in harm's way. We will also outline the need for comprehensive threat analysis tools for the ICS industry required to mitigate the ever growing risks.
Attendee takeaways
When hearing the buzz-word “Internet of Things,” we typically think of the consumer world: smart toasters and connected fridges. However, there is a staggering number of networked embedded devices that perform life- and mission-critical tasks that our daily lives depend on. We haven’t thought of these new types of devices as miniature computers that need the same care in deployment, management and protection as our servers, computers and mobile phones. This is a HUGE blind spot. Embedded devices, such as ICS and SCADA systems, are the low-hanging fruit for potential attackers: They are fairly easy to compromise, are connected to high-value networks and detection often only happens after the fact.
This talk will share experiences exploiting embedded system used in industrial control environments and discuss the reasons why these insecure design patterns exist; including business drivers and technology factors. We will share stories and anecdotes based on 10 years of research, training and consulting. Attendees will get an inside view into how attackers operate and walk away knowing what to look for when future-proofing our industrial control systems.
This talk summarizes the state of IoT security, specifically as it relates to Industrial Control and Energy.
Could the U.S. nuclear or energy critical infrastructures be vulnerable to a cyber attack similar to the Ukrainian Power attack in 2015?
Marlene Ladendorff is a subject matter expert on Nuclear Cyber Security for the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Using data from a few key research projects and primary interviews with a variety of industry practitioners, this session will provide insights to what practitioners are actually thinking and doing every day. What really are the perceived highest risks? What initiatives are gaining traction and which ones aren’t? Is the “C” level bought in? How is the ICS cyber security work force developing? Is OT and IT a divide that can’t be crossed or are organizations building bridges right now? Get the view from the trenches, and share yours as well.
Using computer gaming technology for industrial purposes is certainly not an obvious concept. However, as the technology has improved with advanced AI and seemingly realistic physics, one can see where using gaming engines for something beyond just an entertainment medium might actually make a lot of sense. The industrial community seems to finally be turning the corner in regards to industrial control systems (ICS) cyber security. The community now understands that there is a real and growing threat to these systems and preventative security measures need to be put in place. An area of contention however, remains the ability to determine a realistic threat level for each and every U.S. ICS-CERT advisory, flash report, and security vendor claim. Asset owners/operators find themselves at the mercy of speculation. After all, they can’t exactly simulate attacks that cause actual catastrophic results to industrial environments and systems. Or can they?
In this session, Clint Bodungen will demonstrate how several technologies once intended for completely different industries, such as computer gaming engines and engineering software/hardware, can be combined to simulate realistic consequences of cyber-attack scenarios on industrial systems. Powerful gaming engine physics and 3D animation, scientific data and simulation capabilities (i.e. Matlab and engineering applications), and real-life physical devices (i.e. PLCs) are all connected in this presentation in order to provide a cutting-edge look at the impact analysis capabilities with stunning realistic 3D visuals.
Key Takeaways:
Although developed countries such as the United States have shown the path in terms of Cyber Security in Critical Infrastructure, developing countries are falling behind due to socio-economic conditions. Lack of investment and difficulty in finding the necessary skills are the main reasons that make Cyber Security a challenge for these countries.
This presentation goes through LATAM’s critical infrastructure situation with Argentina as a case of study. On one hand, we provide the audience a brief overview of the actual cyber regulation and national initiatives. On the other, we describe the state of the main industries, common issues and what we are the next steps to be taken in the near future.
The industries most plagued by cyber-attacks are Oil and Gas businesses. Several attacks against the infrastructure of Oil firms like Aramco have been executed by the Anonymous operation #OpPetrol that targeted major Oil companies. The Oil and Gas sectors are also threatened by frauds where there is blatant theft of resources during upstream or downstream processes. SAP and Oracle systems are widely used in Oil and Gas industries, and there are even specific SAP modules for Oil and Gas such as SAP Upstream Operations Management (UOM) or SAP PRA (Production and Revenue Accounting), Oracle Field Service and Oracle Enterprise Asset Management.
Cyber-attacks on SAP systems belonging to Oil and Gas industries can be critical themselves, however they are even more lethal because of trust connections in systems responsible for asset management (such as SAP xMII and SAP Plant Connectivity) and systems responsible for OT (such as ICS, SCADA and Field Devices).
Moreover, SAP and Oracle serves business processes like Digital Oilfield Operations, Hydrocarbon Supply Chain and Operational Integrity that are extremely critical themselves and are vulnerable to attacks.
For example, hydrocarbon volumes, which are the basis for pricing, excise duty, and transportation fees, fluctuate depending on environmental temperature and pressure conditions. An attacker can easily modify these conditions. As it requires masses and weights for product valuation, and weighing is not possible, we must derive them from volumes at ambient temperature and pressure conditions, requiring complex conversion calculations of the observed volumes at each custody transfer point. These complex features put all infrastructure at high risk if an attacker can get access to these data.
This talk is based on a several case studies conducted during research and professional services will shed a light on this highly critical and very dark area. We will discuss specific attacks and vulnerabilities related to Oil and Gas companies as well as guidelines and processes on how to avoid them.
Takeaways
This presentation will describe the need to integrate approaches to the physical aspects of computer and network device security during design.
Even if steps are taken to make software attacks on a system impractical, it is possible to bypass these by attacking weaknesses in the physical implementation of systems. These attacks are much harder or even impossible to “patch” once systems are fielded, and include attacks on the physical implementation of memory (Row Hammer) and attacks on cryptographic systems using timing (cache timing attacks). Recently both of these have been demonstrated to be practical even without direct access to privileged instructions or native code; both have been accomplished from inside a browser’s Javascript “sandbox.” Dealing with these sort of attacks requires thinking about security at the physical device design stage.
Not so long ago, seasoned control engineers would laugh at the thought of having their industrial control and SCADA systems connected to the Internet. However, times have changed, and today the Industrial Internet of Things (IIoT) is interconnecting industrial control system (ICS) devices and critical infrastructure to the Internet at an unprecedented pace. This in turn is forcing a fast, large-scale convergence of old and new technologies that is reshaping the reliability, availability and security of industrial environments.
Cloud computing is a paradigm that will eventually come into play with Internet-connected industrial environments. Currently, a vast amount of research is being pursued that investigates cloud-computing's role within the industrial and manufacturing space, as well as other critical infrastructures such as the smart grid. Nonetheless, one major consequence of using cloud-based technologies within industrial environments is that of mitigating pervasive cybersecurity risks for industrial systems. This presentation will highlight the current trends and advancements of cloud-based technologies for industrial environments, both from a practical and research perspective. More importantly, however, the session will provide insight into how cloud-based technologies might be used to alleviate complex cybersecurity challenges within industrial environments.
Learning Objectives:
Attendees will get a glimpse into the advancements of Cloud computing based technologies and their integration within industrial environments. The material will provide a balance of advanced research that will impact near-future industrial systems along with real-world implementations and results that are currently in progress around the world.
In this talk, Bob Radvanovsky will introduce the "SCada Incident Database", or "SCID".
The concept of the project is to include critical infrastructure incidents that have transpired over the years, with a majority of the database made publicly-accessible at no cost.
The SCID repository will help:
The discussion will include screenshots of the repository, along with relevant field types being collected, and how the data is being ascertained. Part of the discussion is to engage the audience as part of the project's development, as this is supposed to be a community-based effort.
Additionally, this talk will address some of the controversial definitions, such as "incident", "cyber incident", "event", and "cyber event", and the reasoning behind the questions. For this part of the discussion, examples through existing documentation, will be provided.