OPC
- Object Linking and Embedding (OLE) for Process Control
- 1996 by Industrial Automation Task Force
- Based on Microsoft DCOM, OLE, COM technologies
- OPC Foundation (https://opcfoundation.org)
OSI Layer 5 Protocols
Protocols:
- NetBIOS
- Network File System (NFS)
- Remote Procedure Call (RPC)
- Secure Shell (SSH, SSH-2)
- Session Initiation Protocol (SIP)
- Structured Query Language (SQL)
Software Development Security Assurance Activities
1) SDLA - Security Development Lifecycle Assessment
2) FSA - Functional Security Assessment
3) SRT - System Robustness Testing (e.g., Pen Test, Scan for Virus, etc.)
What is Detection in Depth?
- Alarms
- Logs
- Detection Methods (e.g., IDS, IPS, Firewalls, Patch mgmt, AV)
- Detect missing devices
445
Active Directory / File Shares Port
Business Continuity Program should include:
- Recovery Objectives
- Potential interruptions & the Recovery procedures
- Schedule or Test part or all of recovery procedures
Environmental Conditions that can affect IACS integrity
- Particulates
- Liquids
- Vibration
- Gases
- Radiation
- EMI (Electromagnetic interference)
External Connections
All external connections (e.g., power, communications, etc.) shall be adequately protected from tampering or damage.
Firewall Policy ACL Rule
- Source IP
- Destination IP
- Source Port (TCP or UDP)
- Destination Port (TCP or UDP)
- State of TCP "ACK" Bit
- Direction of Packet Flow
FR-6 Timely Response to Events (TRE)
> Audit log accessibility
> Continuous monitoring
Internet Assigned Numbers Authority (www.iana.org)
IANA
Industrial Automation & Control System
Collection of:
- personnel
- hardware
- software
- policies
Involved in operations of industrial processes ... affect or influence safe, secure, reliable operations.
IPv4 Private Addresses
- 10.0.0.0 to 10.255.255.255 (16,777,216 addresses)
- 172.16.0.0 to 172.31.255.255 (1,048,576 addresses)
- 192.168.0.0 to 192.168.255.255 (65,536 addresses)
IPv4 vs IPv6 sizes
IPv4 = 32 bits
IPv6 = 128 bits
OPC Classic
- Aka OPC DA, OPC DCOM
- Dynamically assigns TCP Ports (Firewall problem)
- Don't know in advance of ports
- Can't define firewall rules
OSI Layer 3
- Network Layer
- Routable Protocols = IPv4, IPv6, IPX (Novell), ICMP, IGMP, IPSec
- Routing Protocols = RIP (Routing Information Protocol), OSPF, BGP
Port 2222
Ethernet/IP, Implicit Messaging, UDP
RCMP Harmonized Threat & Risk Assessment
TRA-1
Types of Assets
- Physical Assets
- Logical Assets
- Human Assets
Define Methodology for Identifying Risks
What is the first step in the High-Level Risk Assessment?
Chain of custody
Maintaining a high degree of confidence regarding the integrity of evidence requires a(n):
Business needs
Business continuity plans (BCPs) associated with organizational information systems should be developed primarily on the basis of:
Address Resolution Protocol
Resolves IP Addresses to MAC Addresses
Asymmetric key encryption is used to securely obtain symmetric keys
In practical applications:
At the perimeter, to allow for effective internal monitoring
Where should an organization's network terminate virtual private network (VPN) tunnels?
Attack Vectors
- Software Bugs
- Malware/Malicious Software
- Unauthorized Physical Access
- Unauthorized Network Access
- Abuse (e.g., Disgruntled Employee)
- Misuse (i.e., human error)
Authenticator
Required to prove identity:
- tokens
- symmetric keys
- private keys
- biometrics
- passwords
- physical keys
- key cards
Basic Risk Assessment Process
1. Assess initial risk
2. Implement risk mitigation measures
3. Assess residual risk
Boundary Protection Devices
- Proxies
- Gateways
- Routers
- Firewalls
- Data Diodes
- Guards
- Encrypted Tunnels
Channels
Specific communication links established within a communications conduit. Can be trusted or untrusted.
Classes of Cryptography
- Block
- Stream
Classes of Firewalls
- Packet Filter
- Stateful Inspection
- Application Proxy
Common Criteria
IEC 15408
Common Forms of Threats
- Accidental
- Non-validated changes
Common Industrial Protocol (CIP)
- Formerly Control & Information Protocol
- Rockwell Automation (IEC-16658)
- Open DeviceNet Vendors Association (ODVA)
Common Industrial Protocols (CIPs)
- DeviceNet
- ControlNet
- Ethernet/IP (IP = Industrial protocol)
Compensating Countermeasures
- Component Level - Physical
- Component Level - Logical
- Control System/Zone Level
Conduit
Logical grouping of communications channels connecting 2 or more zones - share common security requirements.
Conduit Characteristics
- Security Policies
- Asset Inventory
- Access Requirements & Controls
- Threats & Vulnerabilities
- Consequences of Security Breach
- Authorized Technologies
- Change Management
- Connected Zones ** (Distinguish between Conduit and Zone)
Consists of two or more security zones
A segmented network:
Core business functions
Outsourcing poses the greatest risk to an organization when it involves:
CSMS
Cyber Security Management System
CSMS Scope Includes...
- Business Perspective (Corporations, Business Units, Geographical Regions, Sites)
- Architectural Perspective (Connections to suppliers, customers, etc.)
Definition of Conduit
A particular type of security zone that groups communications that can be logically organized into a grouping of information flows WITHIN and EXTERNAL to a Zone.
- Can be trusted or untrusted
- Can be physical or logical
- No such thing as "subconduits"
Detailed procedures
A business continuity plan (BCP) is not complete unless it includes:
Device Decision Basis
- Switch = MAC Addresses
- Router = IP Addresses
- Firewall = Port #
- Application Proxy
== Stateful Inspection
== Deep Inspection
== Application Protocols (FTP, HTTP, etc.)
== Data Payload
DOD Model (aka TCP/IP Model)
> Application == (Application, Presentation, Session of OSI)
> Transport == (Transport of OSI)
> Internet == (Network of OSI)
> Network Access (or Link) == (Data Link and Physical of OSI)
> TCP/IP Comes in A TIN (Mnemonic)
EAL
Evaluation Assurance Level (Common Criteria)
Elements of a CSMS
1) Risk Analysis
2) Addressing Risk with CSMS
3) Monitoring and Improving the CSMS
Emergent
An interoperability error is what type of vulnerability?
Eradication
During which phase of the six-phase incident response model is the root cause determined?
Essential Function Definition
Function or capability that is required to maintain health, safety, environment, availability for equipment under control.
Ethernet/IP
- Implicit Messaging - UDP - Port 2222
- Explicit Messaging - TCP - Port 44818
Examples of compensating countermeasures
- User ID
- Password Strength Enforcement
- Signature Validity Checking
- Security Event Correlation
- Device Decommissioning
External Time Sources
GPS
GLONASS - Global Navigation Satellite System
Galileo
File Transfer Protocol (FTP) Ports
20 - Default Data
21 - Control
Firecall
Method to provide emergency access to a secure control system (e.g., one-time password or one-time user ID)
Firewall Architecture by Security Level
#1 - Paired Firewalls
#2 - Firewall with DMZ
#3 - Firewall
#4 - Router or Layer 3 Switch with ACLs
#5 - Dual-Homed Computer
Firewall Can and Cannot Do:
Can Do:
- Manage Traffic
- Prevent Unwanted Access
Cannot Do:
- Inspect Traffic that does NOT pass through them
Foundational Requirements (FR)
1) Identification and Authentication Control (IAC)
2) Use Control (UC)
3) System Integrity (SI)
4) Data Confidentiality (DC)
5) Restricted Data Flow (RDF)
6) Timely Response to Events (TRE)
7) Resource Availability (RA)
FR-1 Identification and Authentication Control (IAC)
> Human user identification and authentication
> S/W processes and device identification and authentication
> Account management
> Identified management
> Authenticator management
> Wireless access management
> Password strength
> PKI certificates
> Strength of Public Key authentication
> Authenticator feedback
> Unsuccessful login attempts
> System use notification
> Access via untrusted networks
FR-2 Use Control (UC)
> Authentication enforcement
> Wireless use control
> Use control for portable and mobile devices
> Mobile code (Java, PDF, etc.)
> Session lock
> Remote session termination
> Concurrent session control
> Auditable events
> Audit storage capacity
> Response to audit processing failures
> Timestamps
> Non-repudiation
FR-3 System Integrity (SI)
> Communication integrity
> Malicious code protection
> Security functionality verification
> S/W and information integrity
> Input validation
> Deterministic output
> Error handling
> Session integrity
> Protection of audit information
FR-4 Data Confidentiality (DC)
> Information confidentiality
> Information persistence (purge shared memory)
> Use of cryptography
FR-5 Restricted Data Flow (RDF)
> Network segmentation
> Zone boundary protection
> General purpose person-to-person communication restrictions (e.g., email, Facebook, etc.)
> Application partitioning
FR-7 - Resource Availability includes:
> DoS Protection
> Resource Management (Prevent Resource Exhaustion)
> Control System Backup
> Control System Recovery & Reconstitution
> Emergency Power
> Network and Security Config Settings
> Least Functionality
> Control system component inventory
FSA
Functional Security Assessment
Gateways
- Layer 7 Device
- Connect two completely different network systems
- Protocol Converter = Gateway
Heuristic
What kind of anti-malware program evaluates system processes based on their observed behaviors?
High-Level Data Link Control (HDLC)
- High-Level Data Link Control (HDLC) is a bit-oriented code-transparent synchronous data link layer protocol developed by the International Organization for Standardization (ISO).
- Connection and Connectionless orientations
Homogeneous
Updates in cloud-computing environments can be rolled out quickly because the environment is:
HSE
Health, Safety, Environmental
IACS includes:
Control systems used in manufacturing and processing plants and facilities, building environmental control systems, geographically dispersed operations such as utilities (i.e., electricity, gas and water), pipelines and petroleum production and distribution facilities, and other industries and applications such as transportation networks, that use automated or remotely controlled or monitored assets.
ICS Firewall Vendors
- Tofino/Belden
- Hirschman Eagle/Belden*
- Phoenix Contact mGuard*
- Moxa EDR-8xx and 9xx Switches
- Secure Crossing Zenwall Line
- Siemens Scalance S*
* = same software
ICS Threat-Based Risk Assessment Model
1) Characterize the Product or System
2) Identify Critical Assets and Consequences
3) Identify Threats
4) Analyze Threats
IEC 15408
Common Criteria
IEC 61508
SAFETY (SIL) "Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems"
IGMP
Internet Group Management Protocol (OSI Layer 3)
Incident Response Program
> Classification of Incidents
> Contingency Planning
> Response Actions (Do Nothing to System Shutdown)
> Recovery Actions
Insecure protocols could result in a compromise of privileged user credentials
Virtual systems should be managed using a dedicated virtual local area network (VLAN) because:
Internal Threats
- 80% of events
- Inappropriate Behavior
- Security Accident (e.g., NMAP scan)
- Disgruntled employee
Intrusion Detection Issues
- False Positives
- Deployment & Ops Costs
- Only Effective Against Known Vulnerabilities
- Limited Signatures for ICS
- Don't work with encrypted services
IPSec
- Tunnel Mode (Payload and header encrypted)
- Encapsulation or Transport Mode (only payload is encrypted)
Protocols = Authentication Header (AH) and Encapsulating Security Payload (ESP)
Resides at Network Layer (Layer 3 next to IP)
IPv4 Address Dissection
147.10.24.16
147.10 = Network
.24 = Subnet
.16 = Host
IPv4 Loopback
127.xxx.xxx.xxx
ISA 99 Four Layers
1. General
2. Policies & Procedures
3. Systems
4. Components
ISASecure Supplier Device Approval Process
Includes Integrated Threat Analysis (ITA)
1) Functional Security Assessment (FSA)
2) Communication Robustness Test (CRT)
3) Software Development Security Assurance (SDSA) Audit
ISMS
Information Security Management System (ISO 27001)
Key Components of Business Rationale
- Prioritized Business Consequences
- Prioritized Threats
- Estimated Annual Business Impact
- Cost of Human Effort & Consequences
Local Area Network (LAN)
> Limited distance < 10 km
> Usually within single facility
> Names: Supervisory Networks, DCS Highways, PLC Highways, Fieldbuses, Device Networks
Linking the Oil and Gas Industry to Improve Cybersecurity
LOGIIC
LOGIIC SIS Project
- Greater integration may introduce greater risk
- Default configurations are not secure
- Defense in Depth reduces risk
- Clear guidance is needed
Loss of Essential Functions
- Loss of protection
- Loss of control
- Loss of view
Malicious code
Under the US-CERT model for incident categorization, a CAT-3 incident refers to which of the following?
Malicious Code Protection Techniques
- Black/white lists
- Removable media control
- Sandbox techniques
- No Execute (NX) bit
- Data Execution Prevention
- ASLR - Address Space Layout Randomization
- Stack corruption detection
- Mandatory Access Control (MAC)
Mobile Code
- Java
- JavaScript
- ActiveX
- PDF (Portable Document Format)
- Postscript
- Shockwave movies
- Flash
- VBScript
Modbus
- 1979 by Modicon (Now Schneider)
- Open Standard / Royalty Free
- Most widely used protocol (>7 M nodes)
- Modbus Org since 2004 (www.modbus.org)
- Master-Slave Architecture
Modbus TCP Port
Port 502
MSUS
Microsoft Server Update Service
Network Security Technologies
- Devices (Switch, Router, Firewall, Data Diodes)
- Architectures (Segmentation)
- Cryptography (VPN, Hashes, Secure Passwords)
- IDS (Network and Host)
- IPS