Mayur Mehta
City Next 2017
PwC
My Professional Journey
Currently an ICS/SCADA Risk Assessor with the Cyber Security practice of a Big 4
Advisory function, based in Bengaluru.
Member of the ISA99/IEC62443 standards committee and leading the ISA99 standard in the ISA
Bangalore chapter.
Certified as a Global Industrial Cyber Security Professional (GICSP) by GIAC.
Certified Scrum Master (CSM), CTFL (ISTQB), Security+ (Cybrary), OPSEC (ICS-CERT),
ATD (Advanced Threat Detection in ICS/SCADA - Concise Courses).
Experience includes leading projects on vulnerability analysis and penetration testing,
secure conduit design, risk framework development and assessment, and cyber
reviews based on industry standards such as NERC-CIP, NIST 800-82, IEC62443,
NCIIPC, ISO 2700x, SANS Top 20 Critical Controls and OWASP Top 10.
Have also worked with Schneider Electric and SIEMENS.
M.Tech from BITS Pilani in Software Systems (Networks and Networked Systems)
B.E. from JNCT/RGPV Bhopal in Electronics and Communications Engineering
CIA triad
Confidentiality
- Protection against disclosure to unauthorized individuals
Integrity
- Data is consistent, accurate and trustworthy
Availability
- Systems are available and operational when needed
OT has two more requirements
Reliability
- System performs intended functions
Safety
- Physical and environmental safety is ensured
Why are we here
[Pie chart: breakdown by sector. Critical Manufacturing 33%, Energy 16%, Unknown 9%, Water 8%, Transportation 8%, Government Facilities 6%, Healthcare 5%, Communications 4%; Information Technology, Dams, Food & Agriculture, Financial, Nuclear Reactors, Defense, Chemical and Commercial Facilities each 1-2%.]
Step 1: 12 May 2017: WannaCry ransomware infections surge
- Preliminary analysis identifies self-propagating exploit
- Targets MS17-010, SMBv1 Critical Vulnerability - Shadow Brokers
Step 2: Initial infection vector is unknown
- Once on host, malware launches process to:
  - Scan for TCP Port 445 (SMB)
  - If open port identified, exploit attempted
[Patch timeline: 1. Vulnerability identification and patch development (~ >150 days); 2. Patch release by OS vendor (~ <30 days); steps 3 to 6 (labels not legible on the slide).]
AV signatures to be updated with latest definitions (DAT)
Source: Symantec
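As an added example (not from the deck), a defender-side check for the propagation loop described in Step 2: flag hosts that contact an unusual number of distinct peers on TCP 445 within a short window, run over constructed flow-log lines. The log field layout, the threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (not from the deck): "<timestamp> <src> <dst> <dport>".
# 10.0.1.15 sweeps port 445 across a /24; 10.0.1.40 is ordinary file-server traffic.
SAMPLE_FLOWS = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.1.15 10.0.2.{i} 445" for i in range(1, 26)]
    + ["2017-05-12T10:00:05 10.0.1.40 10.0.1.200 445",
       "2017-05-12T10:01:10 10.0.1.40 10.0.1.200 445",
       "2017-05-12T10:02:00 10.0.1.40 10.0.1.201 445",
       "2017-05-12T10:02:30 10.0.1.15 10.0.1.200 443"]
)


def parse_flows(text):
    """Parse one flow per line into (timestamp, src, dst, dport); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            dport = int(parts[3])
        except ValueError:
            continue
        flows.append((ts, parts[1], parts[2], dport))
    return flows


def smb_sweep_sources(flows, threshold=10, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct 445/tcp destinations first contacted
    within any `window`} for sources at or above `threshold`, i.e. hosts behaving
    like the WannaCry loop (sweep 445, attempt the exploit on every responder)."""
    first_seen = defaultdict(dict)  # src -> {dst: first timestamp seen on port 445}
    for ts, src, dst, dport in flows:
        if dport == 445 and (dst not in first_seen[src] or ts < first_seen[src][dst]):
            first_seen[src][dst] = ts
    suspects = {}
    for src, dsts in first_seen.items():
        times = sorted(dsts.values())
        peak = 0
        for i, start in enumerate(times):
            j = i  # count destinations first contacted in [start, start + window]
            while j < len(times) and times[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            suspects[src] = peak
    return suspects
```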
ISA99/IEC-62443 standard is a family of standards with a large scope of use for ICS / OT / SCADA
environments. Some guidelines are rather general, while others are precise, specific and focussed. Many
of those guidelines are still in the process of being defined or upgraded.
Category 1, General: 1.1 Terminology, concepts and models; 1.2 Master glossary of terms and abbreviations; 1.3 System security compliance metrics; 1.4 IACS security lifecycle/use cases.
The first (top) category includes common or foundational information such as concepts, models and terminology. Also included are work products that describe security metrics and security life cycles for IACS.
Category 2, Policies & Procedures: 2.1 Requirements for IACS security management system; 2.2 Implementation guidance for IACS security management system; 2.3 Patch management in the IACS environment; 2.4 Installation and maintenance requirement.
The second category of work products targets the Asset Owner. These address various aspects of creating and maintaining an effective IACS security program.
Category 3, System: 3.1 Security, 3.2 Security, 3.3 System (titles cut off on the slide).
The third category includes work products that
Product Supplier (vendor scope, offsite): develops control systems; applicable parts 3-3, 4-1 Secure product and system development, 4-2 CFAT.
Zones and Conduits
Management level, Level 5: Enterprise Resource Planning, IT & Mobile devices
- Harden handheld devices and Database servers
SCADA/DCS, Operators, HMIs
- Next-gen Firewalls
Control level, Level 1: PLC/Controllers/LHMIs
- Harden automation controllers, Disable unwanted ports
Field level, Level 0: Sensors, Actuators, CCTVs
- Harden automation field devices, CCTVs & Actuators; Physical protection
Need of the hour
OT Security Governance: OT planning & Project security; Governance Audit of the important security processes; OT Cyber Security Team
- Ensure proactively implementing appropriate OT security controls to support security's mission in a cost-effective manner while managing evolving OT security risks.
OT Security Infrastructure: System Architecture Review; Infrastructure Vulnerability assessment and penetration testing; End user environment audit
- Continuously monitor performance of systems to ensure that it is consistent with agreed security requirements, and needed system modifications are incorporated.
Lots to be done by vendors
- SDL
- Identify product level in ICS layer