2016 ICS Cyber Security Conference

ICS cyber security is an increasingly complex pursuit that now extends well beyond basic perimeter protection and simple air-gap implementations. Today's ICS security and operations experts now seek to integrate sustained system uptime and human safety into their operational protocols.

ICS systems are automated by computers, sensors and software with little to no human intervention on a daily, 24/7 basis. When day-to-day automated routines seem to be spinning along, with no alarms, all is well as far as operators know. However, the most dangerous and destructive intrusions are those that ‘fly under the radar’ and use existing protocols so not to raise alarms and draw as little attention as possible, while the malware compromises as much as possible.

With ICS M2M communication, determining abnormal network operations in the absence of alarms need not be mysterious. This session will demonstrate typical and unusual scenarios, using common SCADA protocols, to depict a day in the life of control systems and their communications. Experts will present a battle of the defenses to highlight the absence of security at the endpoint level and then contrast traditional firewalls versus NGFW (next-generation firewalls) versus true protocol parsing and the risks/benefits of each. Attendees will come away equipped to better evaluate and weigh their options for protecting critical control systems.

KEY TOPICS & TAKE AWAYS

• Understand ICS commands and identify abnormal behavior
• Learn what is normal vs. abnormal activity relative to standard industrial protocols
• Define types of DPI and weigh their relevance to types of environment
• Pros and cons of blacklisting vs whitelisting

 

WirelessHART is a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). In short WirelessHART is widely used in the SCADA/ICS field.

For this reason ensuring its deployment and implementation from a security point of view becomes critical. The main issue is that at the moment there are not tools to properly audit and/or challenge it from a security perspective. No detailed information is available which makes it challenging to conduct vulnerability development research against it.

Our presentation will cover the research it was required to build a WirelessHART fuzzing platform. From acquiring information, choosing targets, development platform (hardware and software), reverse engineering third party implementation and trial and error we went though while developing hour WirelssHART fuzzing platform.

Agenda

• Researching WirelessHART

• Understanding the protocol

• Reverse Engineering Third Party implementations

• Designing and Building a WirelessHART Fuzzing platform

• Hardware Platform

• Transmitter

• WH debugging (Sniffing and Dissecting)

• Triggering and Catching crashes

• Case study

• Demo 

What is Wireless WirelessHART? WikiPedia desribes WirelessHART as "a wireless sensor networking technology based on the Highway Addressable Remote Transducer Protocol (HART). The protocol utilizes a time synchronized, self-organizing, and self-healing mesh architecture. The protocol supports operation in the 2.4 GHz ISM band using IEEE 802.15.4 standard radios. Backward compatibility with the HART “user layer” allows transparent adaptation of HART compatible control systems and configuration tools to integrate new wireless networks and their devices, as well as continued use of proven configuration and system-integration work practices. It on the estimated 25 million HART field devices installed, and approximately 3 million new wired HART devices shipping each year. In September 2008, Emerson became the first process automation supplier to begin production shipments for its WirelessHART enabled products."

The senior management of this major oil and gas company was concerned about the growing threat landscape and limited compliance. Moreover, management was determined to reach a higher state of connected operation in order to enable informed, data driven decision and allow remote monitoring of field assets by 1st and 3rd party experts.

The enterprise strategy was based on three pillars:

• Top down approach for a standardizing plant-wide security practice
• Focus on security essential and automate their enforcement to save scarce engineering and IT personal time
• Outsource the ongoing monitoring of OT security and compliance to a specialized company

In less than two years this company deployed nearly 20 sites, reaching improved ICS security, better compliance and global standardization.

Key Takeaways:

• What is the aim to strengthen OT security posture and compliance maturity?
• What challenges are organizations with complex ICS networks facing when addressing OT security?
• Review of a global OT security project strategy, architecture and functionalities
• Outcome and recommendation for other industrial and critical infrastructure organizations

Disassembly and Hacking of Firmware Where You Least Expect It: In Your Tools- with live hacking demonstration

 In this session we'll cover:           

• Vulnerability and capability assessment of firmware attacks
• Physical ramifications of tool attacks
• Finding and verifying firmware
• Some instances where "less security" is better
• Safety / Security tips for firmware  

Take Aways:

• Better understanding of the location and use of firmware in unexpected places.
• Gain insight into the attack methodologies for and security of devices with firmware.

In this session, attendees with learn:

• To understand the similarities and differences between OT and IoT security
• How mission critical IoT has different standards
• Discover implications for the industrial internet
• Recommendations on how to build ultra-secure industrial ecosystems

 

Critical Infrastructure (CI) interdependencies are increasingly important as our society’s functions are more dependent on these CI sectors, such as energy, water, communications, transportation, finance, and information technology.  Organizations often conduct physical or cyber risk assessments on their facilities to ensure they identify and correct weaknesses that may be exploited by malicious actors.  However, these assessments are usually done independent of each other: when cyber vulnerabilities are discovered, there is no means to quantify the physical impact to that facility.  This runs the risk of preparing a cyber-mitigation that may not fully mitigate the physical risk, and vice versa.

A methodology is proposed to combine the cyber risk assessment process and a physical system interdependency model to show the connections and interdependencies of the entire eco-system.  An illustrative example is provided to highlight the cyber and physical risks, as well as the impact to the facility’s mission.  This methodology may allow the decision makers the ability to visualize the impacts of mitigation efforts, physical and/or cyber hardening of selected nodes, or changes to resource allocations.  The mission impact is quantified to enable informed decision making of the entire solution space.

This presentation will discuss the impact of globalization on supply chain management and its impact on cybersecurity. Globalization is a process driven by the international trade of nation states plus multi-national corporate investments. At its core lies big data in the form of data warehousing, encryption, and world-wide connectivity. Hypothetically, mature globalization, may result in a redistribution of wealth to multi-national corporations and reduce the importance of individual nation states (Orwell, George, 1984). For now, let’s put aside the debate about whether or not globalization is truly in the best interest of the United States or the World and investigate what it means to provide corporate cybersecurity in a world that demands more and faster connectivity.

In a world where nation states and multi-national corporations sometimes compete as equals, we should expect the worst: espionage, bribery, sabotage, hacking, collusion, and every possible manner of electronic eavesdropping.

Working independently, BorderHawk has found unmistakable evidence that some common Internet capable devices have been covertly modified to conceal malicious software in obscure code. Similar findings have been reported by Kaspersky and Reuters.  

The presentation revolves around the supply chain security of SCADA devices and other kinetic device risks, and will elaborate on BorderHawk’s findings and present options for remediation.  

Over the past year, BorderHawk has examined more than 200 different products, many of which are ICS/SCADA devices which some highlights (tailored toward SCADA side) will be covered in the presentation. 

The world’s industrial and critical infrastructure is now connected to the Internet -- and it’s completely unprotected against network-based attacks. There are many challenges ahead for securing the Industrial IoT. Organizations responsible for critical infrastructure are hesitant to enable Internet communications to industrial assets because of cybersecurity concerns. 

But integrating the “Industrial Internet” can lead to increased visibility into Operational Technology (OT) processes, applications and data. OT data such as Industrial Control Systems (ICS) can be leveraged to prevent disruptions and enhance operational efficiency and continuity.

In this presentation, Francis Cianfrocca will describe Industrial Internet security best practices that can move your organization from vulnerable to secure. The presentation will examine the challenges of IT/OT convergence with real-life stories from the field, describing actual Industrial Internet security projects and lessons learned. These use cases enable benefits such as reduced costs and improved efficiency; protection of field industrial devices from local and Internet-based attack; safe and secure third-party access to local OT/ICS devices and data; and aggregation and analysis of big data to create visibility and insight to operations such as:

• Data Centers
• Building Automation Systems
• Critical Infrastructure

Data Centers are particularly vulnerable to cyber-attacks on industry and infrastructure. Today's hackers can shut down businesses and threaten personal safety by remotely accessing building automation systems, HVAC, power generation, fire suppression, access card readers, and so on -- anything with a sensor can be compromised.

Learning objectives for attendees 

• Examination of the IT/OT convergence cyber security apertures
• Overview of Best Practices for Industrial IoT cyber security
• Operational policies that define how you manage your OT assets and processes
• Security policies that define how you protect your physical OT assets and business processes from being compromised
• Safety policies that define how you manage OT assets and processes to ensure the safety of your employees, your customers, the public, and the environment.