30 July 2014 ISACA Professional Guidance Webinar
EMEA Series

Cybersecurity Diagnosis in Industrial Environments

Attendee Questions & Answers

On 30 July 2014, ISACA presented a 60-minute webinar on Cybersecurity Diagnosis in Industrial Environments. It will be available on archive until July 2015; please visit http://www.isaca.org/Education/Online-Learning/Pages/Webinar-Cybersecurity-Diagnosis-in-Industrial-Environments.aspx to access.

Our speaker, Ignacio Paredes, CISA, CISM, CRISC, Security Consultant, has been able to respond to many of the questions that were asked by attendees. Below is a recap:

# / QUESTION / ANSWER
1 / Do you have any other favorite tool sets such as Kali Linux? / I use lots of different tools, many of them included in distros like Kali, but the important point about using a tool is to know how it works at a low level and how to use it in each environment.
2 / If a contract is signed before work starts and there is a clause in the contract on confidentiality, is it necessary to still sign a Non-Disclosure Agreement? / In that case you already have the NDA. The important thing is to have it signed before starting the work.
3 / Could you please give an example of a regulation mandating industrial cyber security measures? / NERC CIP for the North American electric system, CFATS for chemical facilities, and in general every Critical Infrastructure Protection law.
4 / Aren't there systems (e.g. those delivering a safety function) for which integrity is more significant than availability? / Of course. Think about the systems that mix the ingredients of a medicine in the right proportions. The main issue here is the integrity of the process (you don't want a wrong mix). But, in general, the main cybersecurity dimension in industrial environments is availability. The same happens in corporate IT, where the main dimension is confidentiality, but of course there you also have systems whose availability is paramount.
5 / What is the best way to do the patching in the operation environment? / There is no silver bullet here. You must rely on different components such as a proper change management process and testing in advance on non-production systems. But manufacturers have a lot to say here. They must take their responsibility on this issue and provide suitable solutions for patching their systems in a timely and secure manner. It is usual for manufacturers to tie their support service for end-user systems to a given patching level that isn't necessarily the optimal one. You can find more info about patching ICS in the DHS paper "Recommended Practice for Patch Management of Control Systems".
6 / Could you recommend any books, publications or research documents? / A good introduction to ICS cybersecurity is NIST Special Publication 800-82, "Guide to ICS Security". We at the Industrial Cybersecurity Center have also developed some good documents on the topic. In addition, we have a weekly newsletter with a section dedicated to documents specific to industrial cybersecurity. If you want to subscribe, just let me know.
7 / Is an IT auditor required to review the sensor calibration to ensure that the right data is fed into Level 1? / Nope, there are people in the facility whose work is precisely that, but, related to this, the cybersecurity auditor should be aware of possible ways of tampering with the sensors.
8 / How do non-OT IT personnel learn about the complex OT technologies deployed by the client within the stipulated deadlines? / This is a very complex environment, so gathering all the needed knowledge requires a lot of effort and time. One way to obtain that knowledge is to offer your industrial customers a free diagnostic of their industrial environments. You will not earn money, but you will gain a lot of valuable knowledge.
9 / What other controls for security of ICS could be deployed that would enhance the security of these systems, like SIEM, IDS/IPS, etc.? Please provide some examples which would be helpful to enhance security measures. / Having an IDS (detection mode) in the industrial network is a big advance in cybersecurity. These environments have very deterministic traffic (it is very well defined which systems should communicate), so the IDS is easy to set up and can give very valuable information about possible threats. Other important technical measures are industrial firewalls able to understand the context of industrial protocols.
10 / Could you elaborate more on passive scanning? For example, is using programs such as nmap OK for scanning industrial systems, or does this constitute automated scanning? / Nmap is definitely active. Every tool that injects traffic into the network is active and therefore could potentially damage the ICS.
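The two answers above make a pair: industrial traffic is deterministic enough that a detection-only IDS can alert on any conversation outside the known baseline, and the inventory that feeds such a baseline should come from listening, not from injecting packets. The following script is an added illustration of both points; it is not code from the webinar or from the speaker. It works on constructed connection records (addresses, ports and Modbus/TCP payloads invented for the example), builds a passive asset list from them, learns the set of allowed conversations from a baseline capture, and then flags two deviations in a later capture: a host that never appeared before, and a Modbus write function code coming from a host that is not on the (assumed) list of write-authorised stations. The MBAP header layout is the public Modbus/TCP one; the host roles are assumptions.

```python
"""Passive inventory plus whitelist detection for a small ICS segment.

Added example, not the webinar's or the speaker's code. Every address, host
role and packet below is constructed for illustration.
"""
import struct
from collections import defaultdict

# Modbus function codes that change controller state (coils / holding registers).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
MODBUS_PORT = 502

# Assumption: only the engineering workstation may issue Modbus writes.
WRITE_AUTHORISED = {"10.10.1.10"}


def parse_mbap(payload):
    """Parse the 7-byte Modbus/TCP MBAP header plus the PDU function code.

    Returns None for payloads that are too short or whose protocol id is not 0
    (the value reserved for Modbus), so non-Modbus traffic on 502 is ignored.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack("!HHHB", payload[:7])
    if pid != 0:
        return None
    return {"transaction": tid, "length": length, "unit": unit,
            "function": payload[7]}


def build_inventory(records):
    """Passive asset list: every address and role seen, no packet is sent."""
    inv = defaultdict(set)
    for r in records:
        inv[r["src"]].add(("client", r["dport"]))
        inv[r["dst"]].add(("server", r["dport"]))
    return {host: sorted(roles) for host, roles in inv.items()}


def learn_baseline(records):
    """Allowed conversations are the (src, dst, dport) triples seen in the baseline."""
    return {(r["src"], r["dst"], r["dport"]) for r in records}


def detect(records, baseline):
    """Return alerts for unknown conversations and unauthorised Modbus writes."""
    alerts = []
    for r in records:
        key = (r["src"], r["dst"], r["dport"])
        if key not in baseline:
            alerts.append(("unexpected-conversation", key))
        if r["dport"] == MODBUS_PORT:
            hdr = parse_mbap(r.get("payload", b""))
            if (hdr and hdr["function"] in MODBUS_WRITE_FUNCTIONS
                    and r["src"] not in WRITE_AUTHORISED):
                alerts.append(("unauthorised-modbus-write",
                               (r["src"], r["dst"], hdr["unit"], hdr["function"])))
    return alerts


def modbus_frame(function, unit=1, tid=1, data=b""):
    """Build a constructed Modbus/TCP request: MBAP header followed by the PDU."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed baseline: the HMI (10.10.1.20) polls two PLCs with Read Holding
# Registers (3); the engineering station (10.10.1.10) writes registers (16).
BASELINE = [
    {"src": "10.10.1.20", "dst": "10.10.2.1", "dport": 502,
     "payload": modbus_frame(3, data=b"\x00\x00\x00\x0a")},
    {"src": "10.10.1.20", "dst": "10.10.2.2", "dport": 502,
     "payload": modbus_frame(3, data=b"\x00\x00\x00\x0a")},
    {"src": "10.10.1.10", "dst": "10.10.2.1", "dport": 502,
     "payload": modbus_frame(16, data=b"\x00\x10\x00\x01\x02\x00\x01")},
]

# Constructed later capture: normal polling plus two deviations.
CAPTURE = BASELINE[:2] + [
    # The HMI, which only ever read before, now sends Write Single Register (6).
    {"src": "10.10.1.20", "dst": "10.10.2.1", "dport": 502,
     "payload": modbus_frame(6, data=b"\x00\x10\x00\x01")},
    # A host never seen in the baseline opens SSH to PLC2.
    {"src": "10.10.1.99", "dst": "10.10.2.2", "dport": 22, "payload": b""},
]


def run_demo():
    """Learn from BASELINE, then inventory it and check CAPTURE against it."""
    baseline = learn_baseline(BASELINE)
    return build_inventory(BASELINE), detect(CAPTURE, baseline)


if __name__ == "__main__":
    inventory, alerts = run_demo()
    for host, roles in sorted(inventory.items()):
        print(host, roles)
    for kind, detail in alerts:
        print("ALERT", kind, detail)
```

The learning step is deliberately naive (one capture, exact triples) to keep the idea visible; on a real segment the baseline would be taken over a full operating cycle, reviewed with the process owner, and the write-authorised set would come from the asset register rather than a hard-coded constant. Everything here reads records that were already captured, which is what keeps it on the passive side of the line drawn in question 10.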
11 / What framework can be used as a reference for your security diagnosis? / There is not a single framework that can address all the aspects of the diagnosis. You should use a combination of standards and frameworks depending on your environment: ISA-99/ISA-62443, ISO 2700X, NERC CIP, CFATS. Also, DHS provides a handy tool called CSET that can help you assess the cybersecurity of an industrial facility against different frameworks.
12 / What kind of extra training do you recommend for a CISA qualified auditor? / Currently there is not so much training specific to industrial cybersecurity: the Global Industrial Cyber Security Professional (GICSP) is a new certification focused on this topic. Scadahacker.com has very good training on industrial cybersecurity, the ICS-CERT offers good courses on the topic (some of them online), and we at the Industrial Cybersecurity Center also offer training on industrial cybersecurity.
13 / Who is the person who would typically ask for this kind of diagnosis? IT person or industrial person? / Both. I have had requests for this service coming from IT, OT, security and general management, as in many organizations this responsibility is not clearly defined.
14 / What is an estimate of the duration of this kind of audit for a complex/big plant? / Difficult to say. Assuming a single consultant, as a reference you could take a couple of days of preliminary work (studying general information), 3-5 days of field work, and probably 3-5 days more for developing the report.
15 / What are the most important skills to be mastered by someone who will run a Cybersecurity Diagnosis? / Good knowledge of: information security, communications, industrial control systems. The more the better. But in my experience I have found that being able to understand and communicate with people from different backgrounds is equally important. Also, to be professional and rigorous. You must be prepared to justify with evidence every assertion you have made in the final report.
16 / Do you have any specific engagements with the oil and gas industry? What are the specific areas of focus? / After the Aramco incident, the Oil & Gas industry has been one of the biggest boosters of industrial cybersecurity. Right now, this sector is developing very exciting initiatives such as Smart Oil Fields (taking the smart grid concepts to the oil fields).
17 / Could you name some of your clients for this kind of service? / Nope, but I have done this type of work in energy production facilities, energy distribution infrastructures, chemical plants, EPC firms, …
18 / Is page 38 taken from some official documentation (e.g. NIST)? / It is a network architecture reference provided by the vendor Industrial Defender.
19 / What is the usefulness of Shodan 8? / Shodan allows searching for devices connected to the Internet. Many of these devices are industrial control systems. Using advanced search operators, Shodan can help in the identification of ICS directly connected to the Internet in a given facility.
20 / Just a quick note: the ISA-99 series were renamed to ISA-62443 (slide 33). / Right. The reference is from the copy I own, which was still ISA-99.