Computing | Computer Security | Linux Security | Industrial Control Systems Security | Penetration Testing

Securing Industrial Control Systems

SCADA

The GENERATIONS of Scada

Scada has evolved over the years.

• First Generation – Monolith
• Second Generation – Distributed
• Third Generation – Networked
• Fourth Generation – Internet of Things

Primary Scada Services

• C - confidentiality - encryption (travelling, stored, action) - stack level encryption
• I - integrity - intact - hashing
• A - availability - redundancy

Secondary Scada Services

• A - Authentification - identification (know, are, have)
• A - Authorisation - Privaledge - (role, rule, discretionary)
• A - Accounting - Logging
• A - Accountability - Auditing function
• A - Assurance - Testing & Examination

Achieving Security - Guides and Standards

• National Institute of Standards and Technology
  
  NIST-SP-800-82
• Open Source Security Testing Methodology Manual (OSSTMM)
• OWASP
• PTES

5 Phases of Security Testing

1. Reconaissance, Footing, Information Gathering
   • Wappalyser
   • web.nvd.nist.gov
   • exploit-db
   • Maltego - paterva.com (get the community version)
   • Shodan
   • Dorks
   • hackersforcharity.org
   • traceroute
   • ping host -l 1000 -f
   • email footprinting
   • readnotify
   • ip2location
   • email tracking services
2. Scanning - Port Scanning - Getting the Socket
   • Ports can be considered:
     • Open
     • Closed
     • Filtered (ACL)
   • nmap, winpcap, zenmap
   • Vunerability scanning
     • Nessus - checks webapps for malware, missing patches, misconfigs, use of defaults, zero day vulnerabilities, mobile platform weaknesses, PCI DSS Complianse
     • openVAS the Freesoftware scanner
     • Acunetix - Windows & Cloud Only
     • Zed Attack Proxy
     • Websecurify
     • Arachni
     • Nikto
     • Burp Suite
     • Virusdie
     • IronWASP
     • SecApps
     • skipfish
     • wapiti
     • w3af
     • Tamper Data
3. Enumeration
4. Exploitation
5. Maintaining Access
6. Clearing Your Tracks

Geting to Know Types of Threats

• Black Hat Hackers
• State Sponsered Hackers
• Hactivist
• Social Engineers
• Cyber Terrorist

Policies & Procedures

• Need dedicated Policies
• Adequate Train (training - how, education - why, awarness - what)
• Security Architecture
• Documented Procedures
• Guidlines - is a modification of a Baseline - diveloped by IGSS (main player) for e.g.
• RACI
  Responsible - Accountable - Consulted - Informed - Targets
• Regular Audits
• Counter Measures - Honeypots
• Safeguards
• Disaster Recovery Plan - Backups - Business Continuity
• Change Approval Board

Platform Vunerabilities

• Patches not developed
• Patches not installed
• due care, due diligence
• Depedencies
• Default used
• Backups of Critical info
• Passwords
• Physical Protection
• Dual Network interface card (NIC)
• Daisy Chaining
• Radio & Emp - FBI - Tempest

SIEM @ SCADA

SIEM - Security Incident and Event Management

Transforms Machine Data into the Operational Intelligence giving Proactive Anticipation of Attacks by Event Corrolation of Indicators of Compromise

Players in the Market

• HP: Arcsight
• FREE: Alien Vault
• Famous: SPLUNK - splunkbase

The systems work by installing a forwarder that then forwards machine logs to an Indexer

          Forwarder [collect logs from various machines]
             |
             V
          Indexer [to identify + label fields of the logs]
             |
             V
        Search-Head [event corrolation happens here]

http://thevikidtruth.com/wiki/?icssecurity

10dec16

admin