Cyber Security

ISA 99 / IEC 62443

Standards 2017
Certification
Education & Training
Publishing
Conferences & Exhibits
Where Policy Meets Technology
 Presenter

Mayur Mehta
City Next 2017

Manager - ICS security

PwC

2
 My Professional Journey

Over 9.5 years of experience in ICS/SCADA domain and an expert in determining

threats and risk exposure on ICS products & plants, Interoperability and FAT test.
City Next 2017

Currently an ICS/ SCADA Risk Assessor with the Cyber Security practice of Big 4
Advisory function, based in Bengaluru.
Member of ISA99/IEC62443 standards committee and leading ISA99 standard in ISA
Bangalore chapter.
Certified on Global Industrial Cyber Security Professional (GICSP) from GIAC.
Certified Scrum Master (CSM), CTFL (ISTQB), Security+ (Cybrary), OPSEC(ICS
CERT), ATD (Advanced threat detection in ICS/ SCADA - Concise courses).
Experience includes leading projects on Vulnerability analysis and penetration testing,
Secure Conduit design. Risk framework development and assessment, and cyber
reviews based on industry standards such as NERC-CIP, NIST800-82, IEC62443,
NCIIPC, ISO2700x, SANS Top20 Critical Control and OWASP Top10.
Have also worked with Schneider Electric and SIEMENS.
M.Tech from BITS Pilani in Software Systems (Networks and Networked Systems)
B.E. from JNCT/RGPV Bhopal in Electronics and Communications Engineering

3
 CIA triad

CIA or AIC triad

City Next 2017

Availability
- System are available and operational
when needed
Integrity
- Data is consistent, accurate and trustworthy Availability
Confidentiality
- Protection against from disclosure to
untheorized individuals
Confidentiality Integrity
OT has two more requirements
Reliability
- System performs intended functions
Safety
- Physical and environmental safety is
ensured
 Why are we here

Commercial Chemical
Facilities 1% Communications
1% 4%

Unknown
9%
City Next 2017

Water
8%
Transportation
8%
Critical
Manufacturing
Information Technology 33%
2%

Halthcare
5%

Government Facilities
6%
Dams
Food & Agriculture 2%
1%
Financial Nuclear Reactors Energy Defense
2% 16% 1%

Source: ICS CERT

 Top10 ICS Cyber Threats

1. Social Engineering and Phishing (3)

2. Infiltration of Malware via Removable Media and External Hardware (2)
City Next 2017

3. Malware Infection via Internet and Intranet (1)

4. Intrusion via Remote Access (5)
5. Human Error and Sabotage (4)
6. Control Components Connected to the Internet (6)
7. Technical Malfunctions and Force Majeure (7)
8. Compromising of Extranet and Cloud Components (9)
9. (D)DoS Attacks (10)
10. Compromising of Smartphones in the Production Environment (8)

Source: BSI Publications on Cyber-Security report

 Case#1: WannaCry
Step 1: 12 May 2017: WannaCry ransomware infections surge
Preliminary analysis identifies self-propagating exploit
Targets MS17-010, SMBv1 Critical Vulnerability - Shadow
Brokers
City Next 2017
Step 3: WannaCry encrypts data files and ask users to pay a
US$300 ransom in bitcoins. The ransom note indicates that the
payment amount will be doubled after three days. If payment is
not made after seven days, the encrypted files will be deleted.
Step 5: WannaCry encrypts files with the following
extensions, appending .WCRY to the end of the file name
Step 2: Initial infection vector is unknown
Once on host, malware launches process to:
Scan for TCP Port 445 (SMB)
If open port identified, exploit attempted
Exploit modeled after ErernalBlue
Malware also drops implant DoublePulsar
Step 4: It also drops a file named ! Please Read Me!.txt which
contains the text explaining what has happened and how to pay
the ransom
Step 6: It propagates to other computers by exploiting a known
SMBv2 remote code execution vulnerability in Microsoft
Windows computers: MS17-010
 Case#1: WannaCry
Need for Timely Patch Management

ICS community actions

City Next 2017

Testing of Publishing of Asset owner

Organizations Needs patch with patches for download Patch
to work together to applications applications or and test the deployment Protection
by ICS approval for OS patch in test in from cyber
reduce the response vendors patch environment downtime attack
time. 3 4 5 6 7

~ >150 days
1 2
~ < 30 days
Vulnerability identification Patch Release
and patch development By OS vendor

3 4 5 6

Download of Exploit Testing and Successful

Hackers are one step patch and development deployment of attack
ahead in the game of reverse exploit
engineering for
security. vulnerability
identification

Black hat actions

 Case#1: WannaCry
City Next 2017
 Case#1: WannaCry

Communications were observed to the below Antivirus Signatures

IP addresses from the compromised systems Put a filter on the AV for the detection of following signatures
City Next 2017

197[.]231[.]221[.]211 Ransom.CryptXXX
128[.]31[.]0[.]39:9191 Trojan.Gen.8!Cloud
Trojan.Gen.2
149[.]202[.]160[.]69
Ransom.Wannacry
46[.]101[.]166[.]19
91[.]121[.]65[.]179
AV signatures to be updated with latest definitions (DAT)

Need to have strong Incident response and DR plan.

Domains/Remote IPs (Firewalls/IPS/IDS/Proxy)
-- www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
57g7spgrzlojinas.onion, 76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion, gx7ekbenv2riucmf.onion
sqjolphimrr7jqw6.onion, xxlvbrloxvriy2c5.onion
-- 128.31.0.39, 144.76.92.176, 148.244.38.101, 149.202.160.69,
163.172.149.155, 171.25.193.9, 195.22.26.248, 197.231.221.221
198.96.155.3, 213.61.66.117, 46.101.142.174, 46.101.166.19
62.210.124.124, 91.121.65.179, 91.219.237.229
-- www.bancomer.com.mx, graficagbin.com.br, dyc5m6xx36kxj.net
gurj5i6cvyi.net, bcbnprjwry2.net, bqmvdaew.net, sxdcmua5ae7saa2.net
rbacrbyq2czpwnl5.net, ow24dxhmuhwx6uj.net, fa3e7yyp7slwb2.com
wwld4ztvwurz4.com, bqkv73uv72t.com, xanznp2kq.com
chy4j2eqieccuk.com, lkry2vwbd.com, ju2ymymh4zlsk.com
43bwabxrduicndiocpo.net, sdhjjekfp4k.com
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
File Hash Values (AV/Sandboxing Tool)
Available, can be shared offline (SHA-256, MD5, .
(To put a filter on the email gateway/end-point to detect the
following hash values)
Count measures In the Event of An Attack
Isolate the system from the network to counter any
spread of the ransomware
Decryption is not available now.
Format the system if needed.
Block 445 on AD, if thats feasible
 Case#2: STUXNET
Infiltration of Malware via Removable Media and External Hardware
City Next 2017

Sophisticated attack destroyed up to 1,000 uranium

enrichment centrifuges at a high-security Iranian
nuclear facility
Multi-stage attack
Social engineering techniques used to penetrate plant
defenses
Replicated worm in PCs and infected LAN
PLCs located; looked for centrifuges
Once located spun them up to eventually fail
Masked control room monitors
Key security compromises: Integrity & Availability
 Case#2: STUXNET
Infiltration of Malware via Removable Media and External Hardware
City Next 2017

Source: Symantec
City Next 2017

ISA 99 / IEC 62443

 Few ICS Security Standards

ISA 99 / IEC 62443 NIST 800-82 NERC

City Next 2017

ISO 27001/2 enisa ICS-CERT

 History of ISA99 / IEC62443

ISA/IEC 62443 is a series of standards being developed by two groups:

ISA99 ANSI/ISA-62443
City Next 2017

IEC TC65/WG10 IEC 62443

In consultation with:
ISO/IEC JTC1/SC27 ISO/IEC 2700x
International in scope
Requirement contributions come from other standards like NERC-CIP, NIST etc
Flexible framework which serves a basis for Country and Local standards as well as
Manufacturing guidelines.
 ISA 99 / IEC 62443 Standards

ISA99/IEC-62443 standard is a family of standards with a large scope of use for ICS / OT / SCADA
environments. Some guidelines are rather general, while others are precise, specific and focussed. Many
of those guidelines are still in the process of being defined or upgraded.
City Next 2017

1.3 System
The first (top) category includes common or 1.1 Terminology, 1.2 Master

General
security 1.4 IACS security
foundational information such as concepts, models concepts and glossary of terms
compliance lifecycle/use cases
and terminology. Also included are work products models and abbreviations
metrics
that describe security metrics and security life
cycles for IACS.
The second category of work products targets the 2.1 Requirements 2.2 Implementation 2.3 Patch

Procedure
Policies &
2.4 Installation and
Asset Owner. These address various aspects of for IACS security guidance for management in
maintenance
creating and maintaining an effective IACS management security system the IACS
requirement
security program. system management environment

The third category includes work products that 3.2 Security 3.3 System
3.1 Security
System

describe system design guidance and assurance levels security

technologies for
requirements for the secure integration of for zones and requirements and
IACS
control systems. Core in this is the zone and conduits security levels
conduit design model.
The fourth category includes work products that
Components

describe the specific product development and 4.2 Technical

4.1 Product
secure technical requirements of control security
development
system products. This is primarily intended for requirements for
requirements
control product vendors, but can be used by IACS components
integrator and asset owners for to assist in the
procurement of secure products
 A holistic security concept is context
dependent
ISA99 reference

Onsite Industrial Automation and Control System (IACS)

City Next 2017

Asset Owner Operational policies and procedures review

2-1
Operates and and creation and risk management.
2-3
Maintains
2-4
Service Provider Maintenance policies and procedures,
patch and vendor management

Automation solution deployment

Basic Process
Safety Instrumented Complementary
Control System
System (SIS) review HW/SW
2-4 (BPCS) assessment
Designs and and design
and design implementation
System Integrator 3-2
Deploys
3-3
Secure architecture design, zones and conduits.
CSAT

Offsite
Vendor scope
3-3
Develops control 4-1 Secure product and system development.
Product Supplier
systems 4-2 CFAT
 Zones and Conduits

Management level
Level 5 Harden handheld devices and Database
Enterprise Resource Planning, IT & servers
Mobile devices
City Next 2017

Level 4 Unidirectional gateway/Data Diode,

IT-OT separation zone
DMZ Network monitoring, Log management
& Auditing
Mirror Historian, Patch Mgmt, AV Server

Plat management level Level 3 System Hardening, Active Directory

(AD), App whitelisting, Secure design
Engineering station, Historian, OPC implementation, Patch Management,
Configuration management, Password
Management, Change Management,
Level 2 Backup & Restoration and User
Operation level specific access control

SCADA/DCS, Operators,
HMIs Next-gen Firewalls
Control level Level 1
Harden automation
PLC /Controllers/ controllers, Disable
unwanted ports
LHMIs
Harden
Level 0
Field level automation field
devices, CCTVs,
Sensors, Pre physical
Actuators protection
& Actuators.
 Need of the hour
City Next 2017

Ensure proactively
OT Security Governance implementing appropriate OT
OT planning & Project security controls to support
securitys mission in a cost-
Governance Audit of the important security processes effective manner while
OT Cyber Security Team managing evolving OT
security risks.

Ensure a safe setup of

Vulnerability and patch management infrastructure by
implementing appropriate
Security incident management security controls following a
Operations OT Physical Controls Area Security defence in depth design
concept in the network
infrastructure.

Continuously monitor
performance of systems to
OT Security Infrastructure System Architecture ensure that it is consistent
Review with agreed security
Infrastructure Vulnerability assessment and penetration testing requirements, and needed
system modifications are
End user environment audit incorporated.
 Lots to be done by vendors

SDL
City Next 2017

Secure by design approach

Identify product
level in ICS layer

SL based Test cases

ICS Secure Levels Security requirement Secure Feature implementation

ISA99 Standard Security Test Plan Security Test Cases
 ISA/IEC 62443 Cybersecurity Certification
Programs

Certificate 1: ISA/IEC 62443 Cybersecurity Fundamentals Specialist

City Next 2017

Certificate 2: ISA/IEC 62443 Cybersecurity Risk Assessment Specialist

Certificate 3: ISA/IEC 62443 Cybersecurity Design Specialist
Certificate 4: ISA/IEC 62443 Cybersecurity Maintenance Specialist
ISA/IEC 62443 Cybersecurity Expert: Individuals who achieve Certificates 1,
2, 3, and 4
Certificate Steps:
Complete a designated training program
Pass a multiple choice exam through the Prometric testing center
City Next 2017
Q&A