
ICS SCADA Defense

via YouTube

Overview

This course aims to teach learners about ICS SCADA defense strategies and techniques. The learning outcomes include understanding the risks associated with compromised devices, implementing defense mechanisms for unsecured protocols, and deploying mitigations for vulnerabilities in SCADA systems. The course covers skills such as software patching, robust device configurations, network segmentation, protocol-aware network monitoring, and physical security measures. The teaching method involves a combination of theoretical concepts, practical examples, and real-world case studies. The intended audience for this course includes SCADA engineers, cybersecurity professionals, network administrators, and individuals responsible for securing industrial control systems.

Syllabus

Intro
Chris Sistrunk, PE (@chrissistrunk)
- Electrical Engineer; Mandiant; Entergy (11 years)
- SCADA expert, loves security
- DNP3 User Group
- Button pusher, but I like Blue

Project Robus
- "Robus" is Latin for "bulwark"
- With @adamcrain; started in April 2013
- 26 advisories / 32 tickets: 24 DNP3, 1 Modbus, 1 Telegyr 8979
- Aegis ICS Fuzzing Framework (open source)

Now What?
Let's take a step back and ask some questions:
- What's the risk if this device is compromised? Risk = Probability * Impact (see my RTU risk score presentation from S4x13)
- What is the ICS device talking to? Does it use serial or IP protocols, or both?
- How do we defend unsecured protocols?
- Is the physical security sufficient?
- Will you be called at 2 AM?

Anticipate... Mitigate!
- The answers to those questions tell you that you have to do something to protect the device(s)
- What types of mitigations exist? Which ones will you use?
- Defense in depth: more than one! Belt and suspenders!
- When will they be deployed? The sooner the better!

ICS Vulnerability Mitigation
- Software/firmware patches and device upgrades
- Robust RTU/PLC and master configurations
- Robust IP network configurations
- ICS protocol-aware network tools
- Proper physical security
- Employee awareness

Get The Bug Fix!
- If there is a software or firmware patch or hardware upgrade that fixes a known vulnerability (such as one in the DNP3 or Modbus stack), GO GET IT
- Properly test it before you roll it out
- If you're not used to patching your SCADA system, work with your vendors to do it in a way that minimizes downtime

Robust Device/Master Configuration
- USE DNP3-SA (DNP3 Secure Authentication, application-layer security): the correct master only talks to the correct RTU. But it won't protect against all "bugs"
- Disable unused serial and network ports
- Use a possible workaround where one exists (e.g., automatic restart)
- Check the default settings: DNP3 or other protocols may be factory-configured

Robust Device/Master Configuration (continued)
- When possible, DISABLE functions that aren't required in your production systems
- DNP3 function code examples: Cold and/or Warm Restart (FC 13 and FC 14)

Robust IP Networks
- Segment your ICS/SCADA WAN: routers, firewalls, DMZs, and VLANs. This can help isolate the network when needed
- Understand your network! The bad guys sure will
- Use encryption and authentication: DNP3-SA and TLS
- Remote access: VPNs, radios, etc.
- Look at the IEC 62351 standard (dovetails with SA)
- No ICS protocols on the corporate WAN

ICS-Aware Network Tools
Examples of SCADA and enterprise network tools that understand ICS protocols:
- Protocol analyzers such as Wireshark, and the ASE and TMW RTU test sets
- IDS/IPS such as Snort, Bro (now Zeek), CyberX SilentDefense ICS, McAfee ADM, Bayshore Networks, and Check Point
- Routers such as the Cisco CGR 2010
- Field firewalls with ICS deep packet inspection: Secure Crossing and Tofino

Network Security Monitoring
Newer enterprise security technologies can be used to help detect, respond to, and contain threats on your SCADA network:
- Security Operations Center
- Security analyst(s) using a SIEM
- Log aggregation
- Anomaly and intrusion detection
- Indicators of Compromise (IOCs)
- Security Onion (Linux distro): www.securityonion.net

Network Security Monitoring (continued)
- 1 person who really cares!
- Security Onion (or other NSM)
- ICS honeypot (Conpot, etc.)
- Full packet capture (even serial)
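The two device-hardening and monitoring ideas above, disabling DNP3 cold/warm restart (FC 13 and 14) on the RTU and making sure only the correct master talks to the correct RTU, are what a protocol-aware network monitor actually has to check on the wire. The following added example (not code from the talk or from Class Central) shows how: it builds a few DNP3 link-layer frames from constructed sample data, verifies the CRC-16/DNP of the header and of every 16-byte data block, decodes the transport and application headers, and raises an alert when it sees a risky function code or a source address that is not an expected master for that outstation. The master allow-list, the sample frames and the function names are assumptions chosen for illustration.

```python
"""Added example: DNP3 frame parsing with protocol-aware alerts.

Not from the talk. The master allow-list and all sample frames below are
constructed for illustration; the parser itself follows the DNP3 link,
transport and application header layout.
"""
from dataclasses import dataclass, field

DNP3_START = b"\x05\x64"
# Application-layer function codes the talk recommends disabling on RTUs.
RISKY_FUNCTION_CODES = {13: "COLD_RESTART", 14: "WARM_RESTART"}
# Hypothetical allow-list: outstation (RTU) address -> master addresses
# allowed to talk to it ("the correct master only talks to the correct RTU").
EXPECTED_MASTERS = {10: {1}}


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final complement.
    Transmitted least-significant byte first after each block."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return ~crc & 0xFFFF


def build_frame(src: int, dst: int, func: int, objects: bytes = b"", seq: int = 0) -> bytes:
    """Build a master -> outstation link frame (control 0xC4: DIR, PRM,
    unconfirmed user data) carrying one single-fragment application
    request: transport FIR|FIN, application FIR|FIN, function code, objects."""
    user = bytes([0xC0 | (seq & 0x3F), 0xC0 | (seq & 0x0F), func]) + objects
    # Link length counts control + dst + src (5 bytes) plus user data, no CRCs.
    header = (bytes([0x05, 0x64, 5 + len(user), 0xC4])
              + dst.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc16_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user), 16):  # user data travels in 16-byte CRC'd blocks
        block = user[i:i + 16]
        frame += block + crc16_dnp(block).to_bytes(2, "little")
    return frame


@dataclass
class Frame:
    src: int
    dst: int
    link_control: int
    transport: int
    app_control: int
    func: int
    objects: bytes
    alerts: list = field(default_factory=list)


def parse_frame(raw: bytes) -> Frame:
    """Validate every CRC, then decode link, transport and application headers."""
    if len(raw) < 10 or raw[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame")
    header = raw[:8]
    if crc16_dnp(header) != int.from_bytes(raw[8:10], "little"):
        raise ValueError("link header CRC mismatch")
    remaining = raw[2] - 5
    user, pos = bytearray(), 10
    while remaining > 0:
        n = min(16, remaining)
        block = raw[pos:pos + n]
        if len(block) != n or crc16_dnp(block) != int.from_bytes(raw[pos + n:pos + n + 2], "little"):
            raise ValueError("user data CRC mismatch or truncated frame")
        user += block
        pos += n + 2
        remaining -= n
    if len(user) < 3:
        raise ValueError("user data too short for transport + application headers")
    return Frame(
        src=int.from_bytes(raw[6:8], "little"),
        dst=int.from_bytes(raw[4:6], "little"),
        link_control=raw[3],
        transport=user[0],
        app_control=user[1],
        func=user[2],
        objects=bytes(user[3:]),
    )


def inspect(raw: bytes, expected_masters=EXPECTED_MASTERS) -> Frame:
    """Parse and attach the alerts a protocol-aware monitor would raise."""
    frame = parse_frame(raw)
    name = RISKY_FUNCTION_CODES.get(frame.func)
    if name:
        frame.alerts.append(f"{name} (FC {frame.func}) from {frame.src} to outstation {frame.dst}")
    allowed = expected_masters.get(frame.dst)
    if allowed is not None and frame.src not in allowed:
        frame.alerts.append(f"unexpected master {frame.src} addressing outstation {frame.dst}")
    return frame


if __name__ == "__main__":
    # Constructed sample traffic: a class 1 poll (group 60 var 2, qualifier 0x06),
    # a cold restart, and a poll from a master address nobody expects.
    read_class1 = bytes([0x3C, 0x02, 0x06])
    samples = {
        "legit poll": build_frame(src=1, dst=10, func=1, objects=read_class1),
        "cold restart": build_frame(src=1, dst=10, func=13),
        "rogue master": build_frame(src=200, dst=10, func=1, objects=read_class1),
    }
    for label, raw in samples.items():
        f = inspect(raw)
        print(f"{label}: FC {f.func} {f.src}->{f.dst} alerts={f.alerts or 'none'}")
```

Two design points matter in practice. First, the CRC check comes before any alerting, so a corrupted or truncated frame is rejected rather than half-decoded; that is the same "negative test" discipline the fuzzing slides later argue for. Second, the allow-list keys on the outstation address, so a frame to an RTU you have not inventoried is not silently accepted: an unknown destination returns no allow-list and should be treated as a gap in your network understanding, not as permission.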
Proper Physical Security
- What is the proper amount of physical security? It depends...
- If your critical SCADA master has top physical security, but the serially connected tiny distribution RTU does not, is that okay?
- Use a lock that meets or exceeds UL 437, ANSI 156.30 Grade A, or ASTM F883 Grade 6
- Harden your external barriers
- The better the defenses, the more time they buy you to respond

Employee Awareness
- Train your folks on ICS/SCADA security: security conferences, several training classes available, ICS-CERT, GICSP certification
- Security awareness is important: have a questioning attitude
- Report suspicious computer or personal activity/incidents
- Who do you call? Internal hotline, supervisor, SOC, etc.; ICS-CERT (877-776-7585)

DNP3 Will Be Here A While
- Ask your vendors for DNP3-SA if they don't have it or aren't already working on it
- Require in the bids for new SCADA systems or upgrades that the system be tested by a third party, including the DNP3 protocol stack
- Positive tests: FAT/SAT
- Negative tests: fuzzing (it's not new, folks!)

DNP3 Isn't a Special Case
- Other ICS protocols will see the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP...
- You can defend your SCADA
- Early testing of both the slave/server AND master/client sides of the protocol is important!
- Compliance != Security, but the culture is important
- Don't count on the government to protect your critical systems... it's your job.
