ICS410 ICS/SCADA Security Essentials PDF
Justin Searle
Summary
This document is courseware for the ICS410 course on ICS/SCADA security essentials. It covers ICS concepts, architectures, communications, supervisory systems, and security governance. The course is for professionals in IT, OT, and cybersecurity hoping to bridge these different areas.
Full Transcript
ICS410 | ICS/SCADA SECURITY ESSENTIALS
GIAC Global Industrial Cyber Security Professional (GICSP)
410.1 ICS Overview
THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org

© 2023 Justin Searle. All rights reserved to Justin Searle and/or SANS Institute.

PLEASE READ THE TERMS AND CONDITIONS OF THIS COURSEWARE LICENSE AGREEMENT ("CLA") CAREFULLY BEFORE USING ANY OF THE COURSEWARE (DEFINED BELOW) ASSOCIATED WITH THE SANS INSTITUTE COURSE. THIS IS A LEGAL AND ENFORCEABLE CONTRACT BETWEEN YOU (THE “USER”) AND THE ESCAL INSTITUTE OF ADVANCED TECHNOLOGIES, INC. /DBA SANS INSTITUTE (“SANS INSTITUTE”) FOR THE COURSEWARE. BY ACCESSING THE COURSEWARE, USER AGREES TO BE BOUND BY THE TERMS OF THIS CLA.

With this CLA, SANS Institute hereby grants User a personal, non-exclusive license to use the Courseware subject to the terms of this agreement. Courseware means all printed materials, including course books and lab workbooks, slides or notes, as well as any digital or other media, audio and video recordings, virtual machines, software, technology, or data sets distributed by SANS Institute to User for use in the SANS Institute course associated with the Courseware. User agrees that the CLA is the complete and exclusive statement of agreement between SANS Institute and you and that this CLA supersedes any oral or written proposal, agreement or other communication relating to the subject matter of this CLA.

BY ACCESSING THE COURSEWARE, USER AGREES TO BE BOUND BY THE TERMS OF THIS CLA. USER FURTHER AGREES THAT ANY BREACH OF THE TERMS OF THIS CLA MAY CAUSE IRREPARABLE HARM AND SIGNIFICANT INJURY TO SANS INSTITUTE, AND THAT SANS INSTITUTE MAY ENFORCE THESE PROVISIONS BY INJUNCTION (WITHOUT THE NECESSITY OF POSTING BOND), SPECIFIC PERFORMANCE, OR OTHER EQUITABLE RELIEF.

If User does not agree to the terms of this CLA, User should not access the Courseware.
User may return the Courseware to SANS Institute for a refund, if applicable. User may not copy, reproduce, re-publish, distribute, display, modify or create derivative works based upon all or any portion of the Courseware, in any medium whether printed, electronic or otherwise, for any purpose, without the express prior written consent of SANS Institute. Additionally, User may not sell, rent, lease, trade, or otherwise transfer the Courseware in any way, shape, or form to any person or entity without the express written consent of SANS Institute. If any provision of this CLA is declared unenforceable in any jurisdiction, then such provision shall be deemed to be severable from this CLA and shall not affect the remainder thereof. An amendment or addendum to this CLA may accompany this Courseware.

SANS Institute may suspend and/or terminate User’s access to and require immediate return of any Courseware in connection with any (i) material breaches or material violation of this CLA or general terms and conditions of use agreed to by User; (ii) technical or security issues or problems caused by User that materially impact the business operations of SANS Institute or other SANS Institute customers, or (iii) requests by law enforcement or government agencies.
SANS Institute acknowledges that any and all software and/or tools, graphics, images, tables, charts or graphs presented in this Courseware are the sole property of their respective trademark/registered/copyright owners, including:

AirDrop, AirPort, AirPort Time Capsule, Apple, Apple Remote Desktop, Apple TV, App Nap, Back to My Mac, Boot Camp, Cocoa, FaceTime, FileVault, Finder, FireWire, FireWire logo, iCal, iChat, iLife, iMac, iMessage, iPad, iPad Air, iPad Mini, iPhone, iPhoto, iPod, iPod classic, iPod shuffle, iPod nano, iPod touch, iTunes, iTunes logo, iWork, Keychain, Keynote, Mac, Mac Logo, MacBook, MacBook Air, MacBook Pro, Macintosh, Mac OS, Mac Pro, Numbers, OS X, Pages, Passbook, Retina, Safari, Siri, Spaces, Spotlight, There’s an app for that, Time Capsule, Time Machine, Touch ID, Xcode, Xserve, App Store, and iCloud are registered trademarks of Apple Inc. PMP® and PMBOK® are registered trademarks of PMI. SOF-ELK® is a registered trademark of Lewes Technology Consulting, LLC. Used with permission. SIFT® is a registered trademark of Harbingers, LLC. Used with permission. REMnux® is a registered trademark of Zeltser Security Corp. Used with permission. VMware Workstation Pro®, VMWare Workstation Player®, VMWare Fusion®, and VMware Fusion Pro® are registered trademarks of VMware, Inc. Used with permission.

Governing Law: This Agreement shall be governed by the laws of the State of Maryland, USA. Courseware licensed to User under this Agreement may be subject to export laws and regulations of the United States of America and other jurisdictions. User warrants he or she is not listed (i) on any sanction programs list maintained by the U.S. Office of Foreign Assets Control within the U.S. Treasury Department (“OFAC”), or (ii) denied party list maintained by the U.S. Bureau of Industry and Security within the U.S. Department of Commerce (“BIS”). User agrees to not allow access to any Courseware to any person or entity in a U.S.
embargoed country or in violation of a U.S. export control law or regulations. User agrees to cooperate with SANS Institute as necessary for SANS Institute to comply with export requirements and recordkeeping required by OFAC, BIS or other governmental agency.

All reference links are operational in the browser-based delivery of the electronic workbook.

ICS410_1_I01_02

ICS410.1 ICS Overview
ICS/SCADA Security Essentials

Table of Contents
Course Agenda 3
Lab 1.1: Learning from Peers 4
GICSP Overview 5
ICS Concepts 9
Controllers and Field Devices 21
Lab 1.2: Programming a PLC 33
Supervisory Levels 35
Lab 1.3: Programming an HMI 51
IT and OT Differences 53
Physical and Cybersecurity 62
Contacts and Resources 73

Course Agenda
Section 1: ICS Overview
Section 2: Architectures & Processes
Section 3: Communications & Protocols
Section 4: Supervisory Systems
Section 5: ICS Security Governance
Section 6: Capstone CTF

Lab 1.1: Learning From Peers
If you still need to complete the Lab Setup Instructions to configure the ICS410 virtual machines on your laptop, please do so now. This document was emailed to you in advance. If your virtual machines are configured, please complete Lab 1.1 in your ICS410 Lab Workbook while you wait for class to begin. Refer to the lab workbook for instructions.
Course Roadmap
Section 1: ICS Overview
  Lab 1.1: Learning from Peers
  GICSP Overview
  ICS Concepts
  Controllers and Field Devices
  Lab 1.2: Programming a PLC
  Supervisory Levels
  Lab 1.3: Programming an HMI
  IT and OT Differences
  Physical and Cybersecurity
Section 2: Architectures and Processes
Section 3: Communications and Protocols
Section 4: Supervisory Systems
Section 5: ICS Security Governance
Section 6: Capstone CTF

ICS410 and GICSP Goals
Goals of the ICS410 and the GICSP
− Bridge efforts of IT, OT, and cybersecurity professionals
− Focus on OT foundational knowledge
− Define architecture, design, management, risks, and controls
− Apply to a diverse set of OT industry sectors and applications
Global Industrial Cyber Security Professional (GICSP)
− Demonstrates a globally recognized level of competence
− Keep the operational environment safe, reliable, and resilient
− Achieve cybersecurity from ICS design through retirement
− Assure a level of security for critical infrastructure

The ICS410 courseware has been developed to equip security professionals and control system engineers with the knowledge and skills to safeguard our critical infrastructures. This course gives students the essentials for conducting security work in industrial control system (ICS) environments. Students will learn the language, the underlying theory, and the essential tools for ICS security in industrial settings across a diverse set of industry sectors and applications. This course will introduce students to ICS and provide the necessary information and learning to secure control systems while keeping the operational environment safe, reliable, and resilient.
History of ICS410 and GICSP
Original Steering Committee
− Shell
− ABB
− Emerson
− British Petroleum
− KPMG
− Wurldtech (now GE)
− Chevron
− Saudi Aramco
− Invensys (now Schneider)
− Pacific Gas and Electric
− SANS-GIAC
− Rockwell Automation
Original Objectives Provided to SANS
− Architecture
− Assessments
− Configuration and Change Management
− Log Collection and Management
− Business Continuity
− Incident Management
− Information Risk and Security Management
− Physical Security
− Industrial Control Systems
− System Hardening
− Cybersecurity Essentials
− Access Management

GICSP Details
The Test
− 75 multiple-choice, 7 CyberLive items
− Open book, open notes, no electronics
− 3-hour exam, ~71% score is passing
− 2 practice tests included with the exam
Preparation
− Official ICS410 index file in DOCX format
− YouTube Playlist (https://ics410.org/giac-prep)
Scheduling
− Registration details emailed 7–10 days after end of course
− Must take within 120 days
− In person at Pearson VUE test centers or online with ProctorU
Maintenance
− Renewal fee every 4 years, includes latest copy of course books
− Retake test or spend CPEs

For more information on GICSP certification, please visit: https://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp

Test delivery is computer-based and proctored by Pearson VUE at over 3,400 global testing centers. Certification is valid for 4 years; continuing professional education requirements are consistent with GIAC standards.
References:
https://www.giac.org/certifications/renewal
https://ics410.org/giac-prep

ICS Concepts
Control systems and their processes, professions, and industries.

What Is a Control System?
A device, or set of devices, that manages, commands, directs, or regulates the behavior of other devices or systems
− A device that can influence the "real world"
− A system that bridges cyber-to-physical
Simple example: Thermostats in our homes
− Keep temperatures at desired temperatures
− Turn on/off furnace and air conditioners
− What can an attacker do if he gains control of this?
Industrial control systems (ICS)
− Exponentially larger
− More complex
− More dangerous

Control systems are defined here as "a device, or set of devices, that manages, commands, directs, or regulates the behavior of other devices or systems." This can take a variety of shapes, from a large chemical processing plant to the system controlling your gas furnace at home.
The system takes a set of input data from its devices (such as a thermostat), performs logic on that data (the temperature is 70°F when it should be 72°F), and activates components to affect that sensor data (I'll turn on the fireplace, so it heats back up to 72°F). This is a gross simplification, but for example, what kind of logic is required to be energy efficient, so the heat of the house isn't constantly bouncing between 72°F and 68°F as the furnace kicks on and off again? Or, what if the temperature sensor fails and reports the room to be 0°F when it is really 78°F? What kind of mechanisms are in place to handle this? What happens if the thermostat is IP-based, and an attacker manages to fool the system into thinking it's 70°F when it's really 5°F?

Simply put, a control system gathers information and then performs a function based on established parameters and/or information it received. ICS can vary in size and complexity based upon the process it is responsible for monitoring and controlling. ICS can be found in very specific applications (e.g., found on a small skid-mounted system) or manage something as large as a multiple-unit generation facility or oil refinery.

By the end of this course, you'll be familiar with the concepts that drive these questions and the mechanisms by which they are answered. You will understand the common drivers for ICS technology: Reliability, efficiency, safety, and ease of use.

Reference: ISA-62443.01.01 definitions, https://std.iec.ch/glossary

Functional Roles of Control Systems
Dealing with Complexity
− Simplify system to basic functions
− All control systems and ICS map to this basic model
− Which systems/devices map to these functional roles?
− Which functions have inputs that can be attacked?
A single malicious packet to the controller...

The logic diagram shown displays typical inputs and outputs to the various control system components as well as typical operations that are performed by the various components. Industrial control systems can be very complex, so it is always best to first try mapping each system and device to its basic functional role in the process. The diagram above shows these basic functional roles, and how they interact with each other.

Control systems can be very difficult and costly to replace and adjust. This is one of the reasons why security in this space is lagging behind. Refreshing a control system is something done very rarely. It is not unusual for a system to remain in place for 20+ years without many changes.

General size of points monitored or controlled:
Small: 1–2 Workstations, 1–2 Controllers, 0–599 points
Medium: 3–8 Workstations, 3–8 Controllers, 600–1,499 points
Large: 8+ Workstations, 8+ Controllers, 1,500+ points

Basic ICS Process Models
Discrete Processes
− Specified quantity of material moves as a unit between stations
− Each unit maintains its unique identity
− Robotic assembly can be characterized as discrete process control
− Picture: stamping license plates and metal components
Batch Process
− Specific quantities of raw materials are combined in specific ways
− Produce an intermediate or end result
− Production of food, beverages, and medicine are batch processes
− Picture: production of adhesives and glues
Continuous Processes
− Variables that are smooth and uninterrupted in time
− Production of fuels, chemicals, and plastics are continuous processes
− Picture: chlorine chemical and fuel production

We will review the four main ICS process models (discrete, batch, continuous, and hybrid).
These models have general definitions and are the basic precept for the type of process to be instrumented, monitored, and controlled by an ICS.

ICS Hybrid Processes
Many ICS processes are a combination of these basic types
− We call these hybrid processes
− Tend to be hierarchical
− Can have multiple controllers
− Often seen in manufacturing lines/cells
We usually defend at this level
− Most ICS processes are a collection of smaller processes
− Easiest to wrap security around collections of inter-dependent processes
Adding defenses inside of processes is difficult
− More likely to cause latency or jitter
− Can create additional failure points
− Can usually only be done when first purchased/created

Hybrid systems are generally understood as reactive systems that intermix discrete and continuous components. Hybrid control systems are typically found when continuous processes interact with or are supervised by sequential machines. A hybrid process model allows the controller to optimize the process based on many variables that may change the efficiency of the process at any given moment. Examples of such systems include flexible manufacturing and chemical process control systems, interconnected power systems, intelligent vehicle highway systems, and air traffic management systems.
Purdue Enterprise Reference Architecture (PERA)
One of the first reference architectures for industrial control networks
− 4: Business network (not a control network)
− 3: Plant-wide control network
− 2: Individual process/cell/line supervisory
− 1: Individual process/cell/line controllers
− 0: Individual process/cell/line sensors and actuators
Original source for many later reference architectures
− ISA-95
− ISA-99 which became ISA/IEC 62443
− ICS410 Reference Model

The Purdue Enterprise Reference Architecture (PERA) was one of the first reference architectures for ICS networks. It was designed by a public/private consortium made up of individuals from the industry and Purdue University. This effort was led by Theodore J. Williams, a professor of chemical and electrical engineering programs at Purdue. This model has become very popular for designing ICS networks and has been adopted and expanded by later reference models.

The Purdue model suggests dividing your systems into five different levels, numbered zero through four. There will be separate groupings of level 0-2 for each process, manufacturing cell, or manufacturing line. Level 0 is the lowest level, representing the physical process and containing the immediate sensors and actuators that make up that grouping’s process. Level 1 contains the controllers for that grouping’s process. Level 2 contains the local supervisory systems specific to each grouping’s process. Above the process groupings will be a plant-wide or region-wide Level 3, which contains supervisory systems that direct all process groupings for that site or that region. Level 3 also contains the operations support, containing systems that support operations but that are not directly involved with the real-time execution of the process.
And finally, Level 4 represents the business side of the organization related to ICS. As we will see later, the modern evolution of the Purdue model often contains a Level 5 that, while not shown above, represents the enterprise support for all enterprise business units.

Image Source: https://en.wikipedia.org/wiki/Purdue_Enterprise_Reference_Architecture

ISA/IEC 62443 Published and Proposed Standards

Industrial Automation and Control Systems (IACS) is the ISA's preferred term for ICS.

Buying a PDF copy of all the published ISA/IEC 62443 standards can be a very expensive experience with each selling for $200-350 for a single copy per person. However, by becoming a student member of ISA for ~$10/yr. or a professional member of ISA for ~$130/yr., you can gain browser-only access to all the ISA standards for free, including ISA/IEC 62443. Once you pay your annual membership fee, visit the following link and search for "62443" to access the standards.
https://www.isa.org/standards-and-publications/isa-standards/member-access-to-standards/

Reference: https://www.isa.org/isa99/

Roles Used Throughout the Course
Individual roles
− Process Engineer: Designs and optimizes
− Field Technician: Maintains and repairs
− Programmer: Writes control logic and other software
− Operator: Manages and controls process
Organizational roles
− Owner/Operators: Purchase and use the system
  Bear primary responsibility for safe operation and meeting regulations
− Vendors: Manufacture equipment and software
  ABB, Alstom, Areva, Emerson, GE, Hitachi, Honeywell, Mitsubishi, Rockwell Automation, Schneider Electric, SEL, Siemens, Yokogawa, etc.
− Integrators: Design, configure, test, train, and refresh
  Often provided by vendors or partners of vendors
− Government: Implement guidance and regulation
  Primary goal is to safeguard the public good
  Examples: NERC CIP, NIST, ENISA
  In some instances, are owner/operators as well

People are used to fill in parts of the process that cannot be automated. From a security perspective, people provide an excellent attack surface. We will cover this deeper as the course continues. These traditional roles must be empowered and equipped to integrate with information technology and cybersecurity roles to tackle the challenges of complexity, change, and cyber threats.

Asset owner/operators use control systems as a part of their business. Owner/operators come in many shapes and sizes, from small mom-and-pop shops to large multinational corporations. Asset owners and operators must work with vendors and integrators to design and build systems that are efficient and meet government regulations. In recent years, security has become more prominent in the public eye and has received increased scrutiny from government regulators. Asset owners and operators currently bear the burden of making sure security is built into the systems they operate.

Vendors design and build the components used in control systems, such as Programmable Logic Controllers (PLCs) and HMIs. Many vendors work with specific hardware platforms and often will certify products to run on specific models, with specific configurations, and with firmware. Many vendors have several different product lines and have millions upon millions of lines in their codebases.

Integrators have the job of selecting, creating, and configuring control systems: This can be a long and arduous process involving many hours. Integrators also provide training and support, ongoing control, integration, and automation collaboration, and handle legacy migration and replacement.
Legacy migration can take as much time as the rest of them. The government is itself an asset owner/operator, as it uses a great number of control systems that do everything from printing money to controlling weapons systems. The government is also responsible for creating and enforcing regulations regarding the safe and continued operation of critical facilities.

Industries Reliant on ICS
Factory automation segments:
− Aerospace and defense
− Automotive
− Electrical electronics and semiconductors
− Machinery
− Fabricated metals
− Furniture and wood products
− Plastics and rubber
− Medical products
Process industry segments:
− Cement and glass
− Chemical and petrochemical
− Food and beverage
− Metals (production)
− Pharmaceuticals
− Pulp and paper
− Textiles
− Waste and water
Energy industry segments:
− Electric power
  Generation
  Transmission
  Distribution
− Oil and gas
  Exploration and production
  Pipeline
  Refining
Service industry segments:
− Retail
− Wholesale
− Transportation
  Trains and train yards
  Ships and ports
  Aviation and airports
− Logistics

There are many types of industries that rely on ICS, including:

Factory automation segments: Aerospace and defense, automotive, electrical electronics and semiconductors, machinery, fabricated metals, furniture and wood products, plastics and rubber, and medical products.

Process industry segments: Cement and glass, chemical and petrochemical, food and beverage, metals (production), pharmaceuticals, pulp and paper, textiles, and waste and water.

Energy sector: Most nations describe an energy sector that includes all elements: Oil, gas, electricity, and nuclear. Other nations break them into electric power and oil and gas. The European Union defines energy sector with an exclusion of nuclear assets.
The US has a very complex definition that combines oil, gas, and electric but excludes commercial nuclear power plants and hydro facilities and dams. Newer definitions are beginning to call out renewable energy technologies as its own subcategory in Energy (e.g., wind farms, solar plants, etc.). Energy sector components are typically highly dependent on other energy sector infrastructure components for the transportation of primary fuels (oil, gas, coal) or for the transportation and storage of energy products being delivered to users. Oil and gas infrastructures are highly dependent on global shipping infrastructure.

Service industry segments: Retail, wholesale (e.g., Walmart), transportation (trains, ships, airports, etc.), and logistics.

Critical Infrastructure
Many ICS industries are often labeled as critical infrastructure
− Increased responsibility
− Increased regulation
− Also means you face nation-state actors...
Definitions vary around the world but include:
− Physical and electronic assets of infrastructure
− Communications that enable infrastructure
− Consequences that could impact public safety, economic security, and defense
European Union, India, and US definitions in notes

European Union: "Critical infrastructure is an asset or system which is essential for the maintenance of vital societal functions. The damage to a critical infrastructure, its destruction or disruption by natural disasters, terrorism, criminal activity or malicious behaviour, may have a significant negative impact for the security of the EU and the well-being of its citizens."
The European Commission – Office of Home Affairs further says: "The European Programme for Critical Infrastructure Protection (EPCIP) sets the overall framework for activities aimed at improving the protection of critical infrastructure in Europe, across all EU States, and in all relevant sectors of economic activity. The threats to which the programme aims to respond are not only confined to terrorism, but also include criminal activities, natural disasters, and other causes of accidents. In short, it seeks to provide an all-hazards cross-sectoral approach. The EPCIP is supported by regular exchanges of information between EU States in the frame of the CIP Contact Points meetings."

The government of India has designated the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO) as the nodal agency.

The US Department of Homeland Security: "Critical infrastructure consists of the assets, systems, and networks—whether physical or virtual—so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof." This is further defined by Presidential Policy Directive 21 (PPD-21).
References:
https://www.dhs.gov/cisa/critical-infrastructure-sectors
https://ec.europa.eu/home-affairs/what-we-do/policies/counter-terrorism/protection_en
https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/security-coordination/security-of-critical-infrastructure-act-2018
https://sso.agc.gov.sg/Acts-Supp/9-2018/Published/20180312?DocDate=20180312

Summary
Module takeaways
− The Purdue levels are incredibly important to memorize
  Purdue Level 4: Business network (not a control network)
  Purdue Level 3: Plant-wide control network
  Purdue Level 2: Individual process/cell/line supervisory
  Purdue Level 1: Individual process/cell/line controllers
  Purdue Level 0: Individual process/cell/line sensors and actuators
− Overcome complexity by mapping components to function model
− Look for the cyber communication inputs
  That is where attackers attack
  That is where we need to place defenses

Controllers and Field Devices
Controllers, the field devices they connect to, and everything in between. Understanding processes and programming controllers.
DCS Controller
The Distributed Control System (DCS) was introduced in 1975
− Pre-engineered complete solutions
− Cooperatively control complex processes within a large site or plant
− Customizable using standards and templates
− Often leverages proprietary interconnects and protocols
DCS is usually used in complex processes that are common among many owner/operators
− Oil and gas
− Electricity generation
− Chemicals and pharmaceuticals
− Food and beverage
− Steel, cement, and paper production

The DCS was introduced in 1975 and largely came about due to the increased availability of computers and the proliferation of microprocessors in the world of process control. A typical DCS consists of functionally and/or geographically distributed digital controllers.

A DCS typically uses custom-designed controllers, proprietary interconnection protocols, and communication protocols. The DCS units are found in Purdue level 1 and can connect directly to physical equipment, such as switches, pumps, and valves in Purdue level 0, and to an HMI in Purdue level 2.

DCSs are dedicated systems typically used to control manufacturing processes that are continuous or batch-oriented, such as oil refining, petrochemicals, central station power generation, fertilizers, pharmaceuticals, food and beverage manufacturing, cement production, steelmaking, and papermaking. DCSs are connected to sensors and actuators to control the flow of materials through the plant. Modern DCSs also support neural networks and fuzzy applications. DCSs are usually designed with redundant processors to enhance the reliability of the control system. Most systems come with canned displays and configuration software that enables the end user to set up the control system without a lot of low-level programming.
This allows the user to better focus on the application rather than the equipment, although a lot of system knowledge and skill is still required to support the hardware and software as well as the applications.

Energy extraction, production, and delivery rely upon various types of ICS to extract, collect, transport, and produce petroleum-based products. An oil refinery, for example, will use a large-site DCS and specific field control and SIS to monitor and manage individual units and stages in the process of refining petroleum.

Programmable Logic Controller (PLC)
PLCs were created as a competing solution to DCS
− Increase flexibility and customization, decrease proprietary lock-in
− https://ics410.org/plc-vs-dcs
− Today, many vendors offer both DCS solutions and standalone PLCs
General-purpose controller for real-time mechanical processes
− Programmable by the engineer
− Resistant to physical stress
− Expandable I/O for customizable sensors and actuators
− Deterministic logic, often built using state machine models

The picture shows an Allen-Bradley PLC. You can see the multiple modules that we'll discuss next.

As we discussed, the logic for running an automated process isn't present on the HMI. That's left up to the PLC to do. PLCs are physically hardened real-time computers. That means a couple of things. First, these components are tested against extreme physical conditions such as very high temperatures, very low temperatures, physical vibrations, electromagnetic interference, or all of the above, plus more. This is one of the reasons the equipment is expensive relative to its processing capabilities. Second, a PLC has to read inputs and respond by adjusting outputs directly. This process has to be real-time or unintended behavior may occur, resulting in a problem or, in the worst case, personal injury.
Considering ICS security, an attack that causes a PLC to be unable to respond in real-time can be very effective. We'll go into more detail on this later.

A PLC will take a given set of inputs that it uses to calculate what state to set its outputs in. Modular PLCs have expansion modules to allow for more I/O connections. The processor in the PLC will scan through the set of inputs (sometimes called an "I/O Image Table") and use the programmed logic to set the necessary outputs.

A practical example: In a chemical process, a PLC may be used to automate the task of mixing chemical batches. At one stage in the process, the PLC needs to pump two chemicals into a mixer. Sensors indicating the tank level, temperature, or other conditions are used as inputs. Actuators (in this case, our chemical pumps) are the outputs, which are turned on in order to pump chemicals into the mixing tank until the inputs indicate the tank level is high enough.

For more information on how modern PLCs and DCS controllers differ, see: https://ics410.org/plc-vs-dcs

Basics of Controller Logic
Variables (called tags) refer to inputs, outputs, and internal states
− Setpoint (SP): desired state or input measurement to maintain
− Process Value (PV): controller input or sensor value
− Error (E): difference between SP and PV
− Manipulated Variable (MV): controller outputs or actuator value
Example of a water faucet with both hot and cold water valves
− 2 setpoints: SP for temperature and SP for flow
− 2 sensors: PV for temperature and PV for current flow
− 2 actuators: MV for cold water valve and MV for hot water valve
− 2 error conditions: E for temperature and E for flow

Control loop theory is used for calculating and controlling an environment or process based on feedback. PID (Proportional, Integral, and Derivative) controller theory is used to optimize tuning.
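The scan cycle and the chemical batch-mixing example above, written out as an added simulation (not the course's lab code or any vendor's firmware). The tag names, fill rates, overfill interlock and scan-time budget are assumptions chosen for the example; the point is that the controller only acts on what its input image held at the start of each scan, and that a safety interlock is evaluated before the sequence logic.

```python
"""Simulated PLC scan cycle for the chemical batch-mixing example.

Constructed example, not the course's lab code or any vendor's firmware.
Each scan the controller (1) copies the physical inputs into its input
image table, (2) solves the programmed logic against that image, and
(3) writes the output image to the actuators. A tiny tank model stands
in for the real plant. Tag names, fill rates and the scan-time budget
are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
import time


@dataclass
class InputImage:               # input image table (tags read each scan)
    level_pct: float = 0.0      # analog: tank level sensor, 0-100 %
    high_high_sw: bool = False  # discrete: independent overfill float switch
    start_pb: bool = False      # discrete: operator start push-button


@dataclass
class OutputImage:              # output image table (tags written each scan)
    pump_a: bool = False
    pump_b: bool = False
    agitator: bool = False
    batch_done: bool = False


@dataclass
class Plc:
    level_sp: float = 80.0          # setpoint: fill the mixer to 80 %
    mix_scans: int = 5              # agitate for this many scans
    scan_budget_s: float = 0.010    # real-time budget per scan (assumed)
    inputs: InputImage = field(default_factory=InputImage)
    outputs: OutputImage = field(default_factory=OutputImage)
    step: str = "IDLE"              # sequence state: IDLE/FILL/MIX/DONE/FAULT
    mix_count: int = 0
    overruns: int = 0               # scans that missed their deadline

    def solve_logic(self) -> None:
        i, o = self.inputs, self.outputs
        # Interlock first: the overfill switch stops both pumps regardless
        # of which step the sequence is in, and latches the FAULT state.
        if i.high_high_sw:
            o.pump_a = o.pump_b = False
            self.step = "FAULT"
        if self.step == "IDLE" and i.start_pb:
            self.step = "FILL"
        if self.step == "FILL":
            below_sp = i.level_pct < self.level_sp
            o.pump_a = o.pump_b = below_sp   # run both pumps until level reaches SP
            if not below_sp:
                self.step, self.mix_count = "MIX", 0
        if self.step == "MIX":
            o.agitator = True
            self.mix_count += 1
            if self.mix_count >= self.mix_scans:
                o.agitator, o.batch_done = False, True
                self.step = "DONE"

    def scan(self, read_inputs, write_outputs) -> None:
        t0 = time.perf_counter()
        read_inputs(self.inputs)        # 1. input scan
        self.solve_logic()              # 2. logic solve
        write_outputs(self.outputs)     # 3. output scan
        if time.perf_counter() - t0 > self.scan_budget_s:
            self.overruns += 1          # watchdog: the scan ran late


@dataclass
class Tank:                      # constructed process model, not a real plant
    level_pct: float = 0.0
    fill_per_pump: float = 5.0   # % of tank added per scan per running pump


def run_batch(plc: Plc, tank: Tank, max_scans: int = 50,
              overfill_at_scan: int = -1) -> dict:
    """Drive the controller until the batch completes or faults.
    overfill_at_scan >= 0 trips the float switch from that scan on."""
    scans = 0
    for n in range(max_scans):
        def read_inputs(img: InputImage) -> None:
            img.level_pct = tank.level_pct
            img.start_pb = (n == 0)                 # one-shot start press
            img.high_high_sw = 0 <= overfill_at_scan <= n

        def write_outputs(img: OutputImage) -> None:
            tank.level_pct += tank.fill_per_pump * (img.pump_a + img.pump_b)

        plc.scan(read_inputs, write_outputs)
        scans = n + 1
        if plc.step in ("DONE", "FAULT"):
            break
    return {"step": plc.step, "scans": scans, "level": tank.level_pct,
            "batch_done": plc.outputs.batch_done, "overruns": plc.overruns}


if __name__ == "__main__":
    print(run_batch(Plc(), Tank()))                       # normal batch
    print(run_batch(Plc(), Tank(), overfill_at_scan=3))   # interlock trips
```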
We'll use the classic water faucet example:

An example control loop is used to control the water temperature from a faucet. The hot and cold faucet valves are adjusted, and a person touches the water to measure the temperature. Based on the error, he continues to adjust it until the process settles on the desired value. In control loop terms:
Process Variable (PV): Water temperature
Manipulated Variable (MV): Valve position for each faucet, two total
Setpoint (SP): The desired temperature (lukewarm, hot, cold, etc.)
Error (E): The temperature difference between PV and SP
The process seems simple at first, but a lot of room exists for tuning.

Measuring Error Conditions
Errors need to incorporate time for optimal performance
− Measure integral (duration of error) as PV changes
− Predict derivative (rate of change) as PV approaches SP
Proportional (size of error)
Integral (duration of error)
Derivative (rate of change)

This is a broad topic in itself, but we'll broach it here. The three parts to the PID algorithm:

Proportional Term: Proportional to the current error value. This is the part that most reflects change based on error. If this is cranked up too high, there will be large adjustments in response to small errors. The reverse is also true. Think of this as the current error. This contributes most of the output change based on error.

Integral Term: Duration of the error, not just how far off it is. Think of this as the historic error.

Derivative Term: Slope of error over time multiplied by the derivative gain. The point is to slow the rate of change of output and to reduce the overshoot. Think of this as the future error.

Loop tuning is the discovery and experimentation of optimal parameters for a given loop. Manipulation of the three terms and their weights is done to discover the ideal process control.
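The three PID terms above, run as an added simulation (not code from the course or any vendor) against a small constructed thermal process so each term's effect can be measured: P alone settles with a steady offset, adding I removes the offset, a far too large P makes the loop unstable, and D trims the overshoot. The plant constants and gains are assumptions chosen for the example.

```python
"""PID loop simulation for the faucet/furnace tuning discussion above.

Constructed example, not code from the course or any vendor. A small
constructed thermal process (a heater element warming a room, each with
its own lag) is driven by a discrete PID controller so the effect of each
term can be measured: P alone settles with a steady offset, adding I
removes the offset, a far too large P makes the loop unstable, and D
trims the overshoot. Gains and plant constants are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pid:
    kp: float               # proportional gain: reacts to the current error
    ki: float = 0.0         # integral gain: reacts to accumulated (historic) error
    kd: float = 0.0         # derivative gain: reacts to the error's slope
    sp: float = 10.0        # setpoint (SP) the loop is asked to hold
    integral: float = 0.0
    prev_error: Optional[float] = None

    def update(self, pv: float) -> float:
        """One controller scan: PV in, manipulated variable (MV) out."""
        error = self.sp - pv                    # E = SP - PV
        self.integral += error                  # running sum of past errors
        if self.prev_error is None:
            self.prev_error = error             # no slope on the first scan
        slope = error - self.prev_error         # change in E since last scan
        self.prev_error = error
        return self.kp * error + self.ki * self.integral + self.kd * slope


@dataclass
class ThermalProcess:
    """Constructed plant: heater follows MV with lag, room follows heater.
    No actuator limits are modelled; a real burner or valve saturates,
    which turns the unstable case into sustained oscillation instead of
    unbounded growth."""
    heater: float = 0.0
    room: float = 0.0

    def step(self, mv: float) -> float:
        new_room = self.room + 0.2 * (self.heater - self.room)
        self.heater += 0.3 * (mv - self.heater)
        self.room = new_room
        return self.room                        # PV seen by the next scan


def simulate(kp: float, ki: float = 0.0, kd: float = 0.0,
             steps: int = 500) -> dict:
    """Run the closed loop from a cold start and report how it behaved."""
    ctrl, plant = Pid(kp, ki, kd), ThermalProcess()
    pv, peak = 0.0, 0.0
    for _ in range(steps):
        mv = ctrl.update(pv)
        pv = plant.step(mv)
        peak = max(peak, pv)
    return {"final_error": ctrl.sp - pv, "peak_pv": peak}


if __name__ == "__main__":
    for label, gains in [("P only", (2.0,)), ("PI", (2.0, 0.3)),
                         ("PID", (2.0, 0.3, 1.0))]:
        print(label, simulate(*gains))
    print("P too high", simulate(20.0, steps=60))
```

With these constants the P-only loop settles one third of the way short of the setpoint, which is the steady offset the integral term exists to remove.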
PID tuning is a non-trivial problem but results in important gains for a process. You don't want your home furnace oscillating constantly between hot and cold. It would be much preferred if the furnace sat in a 1–2-degree range constantly, at least while you are awake and at home. Further tuning exists in time slices: Your house could let itself get colder while you are away at work and warm up when you are expected to return.

Reference: https://benrobotics.wordpress.com

Starting to Define Your Logic
Fuzzy logic cares about degrees of truth
− Truth value between 0 and 1 for various factors
− Fuzzy logic used to determine final logic
− Similar to pseudocode in IT
Consider the following cold/hot faucet logic:
− IF flow is too low (PV < SP), THEN increase hot AND cold water valves
− IF flow is too high (PV > SP), THEN decrease hot AND cold water valves
− IF temperature is too low (PV < SP), THEN increase hot water valve AND decrease cold water valve
− IF temperature is too high (PV > SP), THEN decrease hot water valve AND increase cold water valve

Fuzzy logic is a term for taking logic statements and distilling them down in order to control machinery. Fuzzy logic can also use linguistic variables for configuring a system.

The logic is easy for a person to read and identify what the system is supposed to do. These logic statements are translated into fuzzy logic for mathematical evaluation.

In doing so, values may have a degree of truth that may be between 0 and 1, rather than simply true (1) or false (0). For instance, referring to the temperature of a room, the assessment of the statement, "The room is too hot," might vary. If the expected temperature is 70°F and the current temperature is 71°F, that's a small degree of truth for the statement, as opposed to the room temperature being 92°F, which is very true.
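The four faucet rules and the "room is too hot" degree-of-truth example above, evaluated as an added example (not the course's code): each IF condition gets a truth value between 0 and 1 from a ramp membership function, all four rules fire at once, and the valve adjustments are the truth-weighted sum of the THEN parts. The ramp widths, step size and sample readings are assumptions.

```python
"""Fuzzy evaluation of the cold/hot faucet rules on the slide above.

Constructed example, not the course's code. Instead of a hard true/false,
each IF condition gets a degree of truth between 0 and 1, all four rules
fire at once, and the valve adjustments are the truth-weighted sum of the
rules' THEN parts (a simple weighted-rule defuzzification). The ramp
widths, step size and sample readings are assumptions for the example.
"""


def degree_too_high(pv: float, sp: float, full_at: float) -> float:
    """Truth of 'PV is too high': 0.0 at or below SP, rising linearly to
    1.0 once PV exceeds SP by `full_at` units (a ramp membership)."""
    return min(1.0, max(0.0, (pv - sp) / full_at))


def degree_too_low(pv: float, sp: float, full_at: float) -> float:
    """Mirror image of degree_too_high for 'PV is too low'."""
    return min(1.0, max(0.0, (sp - pv) / full_at))


def faucet_rules(flow_pv: float, flow_sp: float, temp_pv: float, temp_sp: float,
                 flow_full: float = 2.0, temp_full: float = 20.0,
                 step: float = 10.0) -> dict:
    """Evaluate the four slide rules. Adjustments are in percent of valve
    travel: positive opens the valve, negative closes it. Each rule's
    consequent is scaled by how true its antecedent is."""
    flow_low = degree_too_low(flow_pv, flow_sp, flow_full)
    flow_high = degree_too_high(flow_pv, flow_sp, flow_full)
    temp_low = degree_too_low(temp_pv, temp_sp, temp_full)
    temp_high = degree_too_high(temp_pv, temp_sp, temp_full)
    # Rule 1: flow too low  -> increase hot AND cold
    # Rule 2: flow too high -> decrease hot AND cold
    # Rule 3: temp too low  -> increase hot AND decrease cold
    # Rule 4: temp too high -> decrease hot AND increase cold
    hot = step * (flow_low - flow_high + temp_low - temp_high)
    cold = step * (flow_low - flow_high - temp_low + temp_high)
    return {"hot_adjust": hot, "cold_adjust": cold,
            "truth": {"flow_low": flow_low, "flow_high": flow_high,
                      "temp_low": temp_low, "temp_high": temp_high}}


if __name__ == "__main__":
    # The room example from the notes: 71°F is barely "too hot", 92°F fully is
    # (full_at=10 is an assumed ramp width).
    print(degree_too_high(71, 70, 10), degree_too_high(92, 70, 10))
    # Constructed faucet reading: flow 3 L/min vs SP 4, water 95°F vs SP 105°F.
    # Flow-too-low and temp-too-low are each half true, so the two rules' cold
    # terms cancel and only the hot valve opens.
    print(faucet_rules(3.0, 4.0, 95.0, 105.0))
```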
Programming Final Logic
PLCs use visual programming methods
− Engineers are experts in many fields
− PLCs are one of many tools they use
IEC 61131-3 defines five programming approaches for controllers:
− Ladder Logic Diagram (LL or LD)
− Function Block Diagram (FBD)
− Sequential Function Chart (SFC)
− Instruction List (IL) note: deprecated in version 3
− Structured Text (ST or STX)

Since PLCs are general-purpose controllers, they can use several programming methods. Many of these are highly visual and are borrowed from other professions. The IEC 61131-3 standard recommends that PLCs support the following programming methods:

Ladder Logic Diagram (LL or LD): This method comes from the electrical engineering profession and is based on electrical relay logic diagrams. It is one of the most commonly used methods to program PLCs but is limited in the complexity it can represent.

Function Block Diagram (FBD): This method comes from the electronics engineering profession and is based on boolean logic operators such as AND, OR, and XOR commonly found in diagrams describing embedded circuit boards.

Sequential Function Chart (SFC): This method comes from the process automation world and uses sequences of functions strung together to create a flow of chained events. It can leverage multiple decision points to form complex branches of events for execution.

Structured Text (ST or STX): This method comes from the computer programming profession and is the same method used by IT to program software and firmware for computer systems. In PLCs, the language used is often based on C or similar. Many non-PLC controllers are programmed this way by the vendor and do not let engineers change the logic, only allowing engineers to modify the configurations and calibrations.
Instruction List (IL): This method also comes from the computer programming profession and leverages a lower-level language similar to assembly. This method has been deprecated from version 3 of IEC 61131 and is not considered a type of ST.

Each PLC will have different options based on the programming software provided by the PLC's vendor. Some vendors support all five methods, while others only support one or two.

Field Devices
Controllers are wired to various instrumented devices
− Sensors: Temperature, humidity, vibration, sound, pressure, etc.
− Actuators: Valves, solenoids, pumps, agitators, burners, compressors, etc.
Communication to these devices is referred to as I/O (input/output)
− Basic I/O: Single digital or analog lines
− Smart I/O: Fieldbus protocols over specialized networks
Lines can blur between controllers and field devices
− Smart sensors and actuators have built-in logic
− They may have their own basic field devices below them

Instrumented devices are all of the devices that are ultimately responsible for monitoring, measuring, or controlling the bits and pieces of an industrial system or process.

Sensors can be important pieces of a control system. Many ICS configurations will either directly control these types of environmental qualities or otherwise depend on them being at a certain level.

An HVAC, for example, exists to control the temperature, humidity, and other factors for a given spatial area. Having a sensor network collecting data and making it available to the controller is needed to complete that task. Other types of ICS may depend on an environmental factor being at a certain level. For example, a chemical process may require a room temperature between 60°F and 70°F.
The HVAC (a separate control system) is responsible for controlling that temperature, but the chemical process also requires sensors to identify if the proper conditions for execution are met.

Among the actuators, these devices could be valves, switches, level monitors, pumps, compressors, levers, pressure sensors, thermocouples, etc.

Communication with a hardware device is generally referred to as I/O. The I/O could be digital or analog, and its physical connectivity could be one of many options—we'll discuss this in a few minutes.

Basic I/O
Basic Discrete (digital) I/O
− Voltage present or not present on a wire
− Sensors: Switches, object positioning, state, etc.
− Actuators: Alarms, stepper motors, relays, pumps, lights, etc.
− Represented in logic as a single binary bit (0/1) or Boolean values (True/False)
Basic Analog I/O
− Value is a range of voltage (0–5 V, 0–24 V) or current (4–20 mA) of a signal
− Sensors: dials, temperature, pressure, flow, speed, etc.
− Actuators: valves, variable speed motors, mixers, burners, etc.
− Represented in logic as 8/16/32/64-bit integers (410) or floating points (4.10)

Digital I/O is an input or output where the specified value is communicated as simple on-or-off signals. Common examples of digital I/O include relays, switches, and status reporting.

Analog I/O is an input or output where the specified value is communicated by varying the voltage or current of a signal. Common examples of analog I/O include temperature, pressure, flow, or speed measurements.
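How a basic 4–20 mA analog input becomes the integer and floating-point tags mentioned above, as an added example (not course or vendor code). It scales the raw ADC count to loop current and then to an engineering value, and flags the live-zero fault bands so a broken wire or dead transmitter is not mistaken for a genuinely low reading. The ADC width, ADC span, band limits and tag are assumptions.

```python
"""Scaling and fault-checking a basic 4-20 mA analog input.

Constructed example, not course or vendor code. The raw ADC integer the
controller stores for an analog tag is converted to loop current, the
current to an engineering value over the 4-20 mA span, and the signal is
checked against live-zero fault bands: a healthy 4-20 mA loop never reads
near 0 mA, so a very low reading means a broken wire, lost power or a
failed transmitter, and a reading above range means a short or saturated
transmitter. ADC width, ADC span and the band limits are assumptions
(the limits are assumed values following the NAMUR NE43 convention).
"""
from dataclasses import dataclass
from typing import Optional

ADC_BITS = 16                 # assumed: input card stores a 16-bit count
ADC_SPAN_MA = 24.0            # assumed: full-scale count corresponds to 24 mA
FAIL_LOW_MA, FAIL_HIGH_MA = 3.6, 21.0   # assumed fault bands


@dataclass(frozen=True)
class AnalogInput:
    tag: str
    eu_low: float     # engineering value at 4 mA
    eu_high: float    # engineering value at 20 mA
    units: str


def counts_to_ma(counts: int) -> float:
    """Raw integer count -> loop current in mA."""
    if not 0 <= counts < (1 << ADC_BITS):
        raise ValueError("count out of ADC range")
    return counts * ADC_SPAN_MA / ((1 << ADC_BITS) - 1)


def ma_to_eu(ma: float, ai: AnalogInput) -> float:
    """Linear 4-20 mA scaling: 4 mA -> eu_low, 20 mA -> eu_high."""
    return ai.eu_low + (ma - 4.0) * (ai.eu_high - ai.eu_low) / 16.0


def classify(ma: float) -> str:
    """Signal health from the live-zero convention."""
    if ma < FAIL_LOW_MA:
        return "FAIL_LOW"        # open circuit, lost power or transmitter fault
    if ma > FAIL_HIGH_MA:
        return "FAIL_HIGH"       # short or transmitter fault
    if ma < 4.0 or ma > 20.0:
        return "OUT_OF_RANGE"    # live but outside the calibrated span
    return "OK"


def read(counts: int, ai: AnalogInput) -> dict:
    """What the logic should see for one tag: value plus a quality flag,
    so a failed sensor is never mistaken for a genuine low reading."""
    ma = counts_to_ma(counts)
    status = classify(ma)
    value: Optional[float] = None
    if status in ("OK", "OUT_OF_RANGE"):
        value = ma_to_eu(ma, ai)
    return {"tag": ai.tag, "ma": round(ma, 3), "value": value,
            "units": ai.units, "status": status}


if __name__ == "__main__":
    level = AnalogInput("MIX_TANK_LEVEL", 0.0, 100.0, "%")   # constructed tag
    for c in (0, 10923, 32768, 54613, 65535):
        print(read(c, level))
```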
Smart I/O with Fieldbus Protocols
Sometimes our controllers are connected to other controllers, or to smart sensors and actuators
− Smart I/O is often performed through protocols classified as fieldbus
− Fieldbus protocols like HART can use traditional 4–20 mA analog lines
− Most fieldbus protocols use standard or proprietary serial buses
The RS standards are very common, now maintained by TIA
− TIA-232: Point-to-point serial for 2 devices/systems
− TIA-422: Multi-device bus, with a single transmitter device/system
− TIA-485: Multi-device bus, with multiple transmitter devices/systems
Modern fieldbus protocols can also be
− Directly on top of Ethernet
− Integrated into TCP/IP
− Fieldbus protocols will be discussed in more detail later in the course

References:
HART Protocol – https://en.wikipedia.org/wiki/Highway_Addressable_Remote_Transducer_Protocol
TIA – https://en.wikipedia.org/wiki/Telecommunications_Industry_Association
TIA-232 – https://en.wikipedia.org/wiki/RS-232
TIA-422 – https://en.wikipedia.org/wiki/RS-422
TIA-485 – https://en.wikipedia.org/wiki/RS-485

Smart Field Devices
Smart field devices have various names
− Intelligent Electronic Devices (IED)
− Industrial Internet of Things (IIoT)
Examples
− Digital protective relay (DPR)
− Phasor measurement unit (PMU)
− Smart meters
Smart field devices compared to controllers
− More limited purpose and function
− Usually microcontroller-based
− Contains its own control logic that cannot be changed

Smart field devices (also known as IEDs or IIoT in some industries) are special field devices that are primarily used in the electric power industry. They usually are limited in their purpose or function, unlike the general-purpose PLCs and RTUs.
Smart field devices contain their own control logic and are usually microcontroller-based. Examples from the electric power industry include digital protective relays (DPRs) and phasor measurement units (PMUs).

A digital protective relay (DPR) is a device containing a microcontroller with the specific purpose of measuring voltages and currents to determine whether a fault in the system exists. A DPR is an example of an IED, which is any end device that has that kind of capability. RTUs may be configured to communicate with end devices to collect status information for reporting back to the supervisory system.

Synchrophasors measure voltages and currents at principal intersecting locations (critical substations) on a power grid and can output accurately timestamped voltage and current phasors. Because these phasors are truly synchronized, a synchronized comparison of two quantities is possible in real-time. These comparisons can be used to assess system conditions, such as frequency changes, MWs, MVARs, kVolts, etc. The monitored points are preselected through various studies to make extremely accurate phase angle measurements to indicate shifts in the system (grid) stability.

In North America, the phasor data is collected either on-site or at centralized locations using Phasor Data Concentrator technologies. The data is then transmitted to a regional monitoring system that is maintained by the local independent system operator (ISO). These ISOs will monitor phasor data from individual PMUs or from as many as 150 PMUs—this monitoring provides an accurate means of establishing controls for power flow from multiple energy generation sources (nuclear, coal, wind, etc.).

Industrial Internet of Things (IIoT) is more of a marketing term than a concrete category of devices.
But some common features usually (but not always) seen in products labeled IIoT are a large number of simple devices, usually relatively inexpensive, often using wireless communications, and probably controlled centrally from a management server or cloud solution. An example of IIoT devices in the electricity sector is smart meters.

Lab 1.2: Programming a PLC
Using your ICS410 Windows 10 Enterprise VM, we will be programming our Velocio Ace 11 PLC to control a chemical mixing process. Refer to the lab workbook for instructions.

Summary
Module takeaways
− There are many types of controllers, not always clearly defined
  DCSs are custom designed for a plant
  PLCs can be programmed and reprogrammed with different process logic by the engineer
  Smart field devices can also be considered controllers, but are not reprogrammable
  IIoT and IED are types of smart field devices
− Controllers talk to field devices via basic I/O or fieldbus protocols
  Sensors allow controllers to measure elements of the process
  Actuators provide a means for controllers to change the process
  The timing of when controllers receive input and make decisions is often critical
Supervisory Levels
Supervisory via HMIs, Historians, and Alarm Servers. Specialized applications for special purposes. Management servers provide control system management.

Supervisory Systems at Level 2 and 3
Several different systems can be used to monitor and control the ICS processes.
− Human Machine Interfaces (HMIs)
− Historians
− Alarm Servers
− Engineering Workstations
These supervisory systems may exist in both Purdue Levels 2 and 3.
− Purdue Level 2 for supervisory systems for each process, manufacturing line, or manufacturing cell
− Purdue Level 3 for plant-wide or region-wide supervisory
Human Machine Interfaces (HMIs)
Presents process data to the human operator
− Visual model created by the integrator
− Displays alerts for operators
− Manual control of the process
Despite the seeming importance, this is an optional component
− Control systems can be designed without HMIs
− Some control systems can function for limited amounts of time
− Can be a great defense to disconnect compromised HMIs
− Disconnection can impact safety and reliability if the engineer doesn't design the system for this

The Human Machine Interface is what most people think of first when considering a control system (much like your grandmother who brings her flat-screen monitor in to get a virus removed and leaves the tower at home). This is the GUI for the process, and yes, most of them look that old (it's a recurring theme you'll see throughout the class).

The HMI is usually organized as a model diagram of the process. If you are looking at a chemical system, the screen is going to contain pump icons, tanks and levels, flow indicators, and agitator indicators to let the operator know what's happening with the process. This diagram was created by the process integrator or operator when the system was being assembled.

Additionally, an HMI is responsible for displaying important information to the operator. If a chemical tank is about to overflow, for example, the operator probably knew about that immediately (in addition to the system executing safety logic and automatically shutting down pumps).

By the description, one would think the HMI is a primary component of a control system, but that's not necessarily true. The HMI is an optional component that just makes things easier. We'll discuss where later, but the logic for the automated process itself (such as which pumps to turn on when, how long to mix the chemicals, etc.) is located elsewhere in other components. The HMI exists to collect data from other components and display it to the operator. This way, if the HMI fails, the process can continue.

What the HMI may be indispensable for, however, is manual control of the process. Manual controls may exist on individual components, but it is not uncommon for ICSs to be very large or to have components in remote locations that make actually visiting the devices problematic.

Reference: https://www.aveva.com/en/solutions/operations/wonderware/

Historians
Servers that store event logs and history of controller tag values
− Useful for engineers to troubleshoot and optimize processes
− Could have traditional GUIs, web interfaces, and API access
− Underlying technology can be based on
  NoSQL databases
  Graph databases
  Relational databases (SQL)
  Basic file servers and almost anything else you can imagine
Business often needs access to historian data for financial purposes
− A significant driver of connectivity between the business and control networks
− Businesses use data for billing, sales, regulation, metrics, etc.

Most of the vendors that create controllers also offer their own historians. These historians can be based on a large number of different underlying technologies, so don't make assumptions here. In complex control systems like the electric grid, higher-level aggregate historians are used to gather all the information from lower-level historians and systems. Of these higher-level historians, PI Historian, from OSIsoft, is one of the most popular.

Data in a historian can usually be displayed and analyzed through a GUI, web interface, or set of APIs. The data in the historian may be displayed as a simple, time-ordered log or as a trend graph.
Alarm Servers
An alarm informs operators of an abnormal event or condition
Alarms may be visual, audible, or digital
Annunciator panels aid in locating the problem

An alarm is how an operator is informed of any event or condition that must be brought to their attention. Alarms might be communicated to an operator with an audible noise or by a visual indication on either an HMI or a dedicated annunciator panel.

In most ICS environments, alarms will occur regularly and could indicate something that is a significant error, or they could simply indicate that something has a small issue or has been disabled for maintenance. Most ICSs will categorize and prioritize alarms so that operators can easily tell which alarms should be reviewed first.

Engineering / Operator / Technician Workstations
Workstations and/or laptops with software for the specific job function
Engineering workstations are the largest target
− Primarily used for making changes
− Often have greater access to ICS than operator or technician workstations
Workstations often contain
− Device management software
− Project files for those devices
− Runtime libraries that software uses

An engineering workstation is a computer used to make changes or perform maintenance on industrial control systems. The engineering workstation is usually dedicated to the task; however, it could also be used as an operator workstation.

In many environments, due to the tasks that must be performed (reconfiguration of ICS as opposed to monitoring and control), the engineering workstation may have greater application or network rights than other devices in an ICS network.
It's imperative that the engineering workstation be protected equally to other ICS assets on a control network.

"The engineering workstation is usually a high-end very reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, high speed network interface, reliable CPUs, performance graphics hardware, and applications that provide configuration and monitoring tools to perform control system application development, compilation and distribution of system modifications." – US DHS ICS-CERT

Project Files
Project files contain
− Details of the control system
− Network architectures
− Configurations
− Logic and parameters
− Tag to I/O associations
These are major targets for attackers
− Example: It is believed Stuxnet was created from Iranian project files

Telvent, which is owned by Schneider Electric, told customers in a letter that on September 10, it learned of the breach into its network. The attackers installed malicious software on the network and also accessed project files for its OASyS SCADA system, according to KrebsOnSecurity, which first reported the breach.
References:
https://www.wired.com/2012/09/scada-vendor-telvent-hacked/
https://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/

Management Servers
Most large and complex ICSes are systems of systems
− Management servers monitor and control lower controllers
− Usually sit in Purdue Level 3
Each industry has specialized names for these systems
− Manufacturing: Manufacturing Execution System (MES)
− Electricity industry: Energy Management System (EMS)
− Building Automation: Building Management System (BMS)
− Train Control & Management System (TCMS)
− Turbine Control Systems (TCS)

An energy management system (EMS) is a computer-based system used to monitor, control, and optimize the performance of the generation, transmission, and distribution systems. Energy management systems are also commonly used by individual commercial entities to monitor, measure, and control their electrical building loads. Energy management systems can be used to centrally control devices like HVAC units and lighting systems across multiple locations, such as retail, grocery, and restaurant sites. Energy management systems can also provide metering, submetering, and monitoring functions that allow facility and building managers to gather data and insight that allows them to make more informed decisions about energy activities across their sites.

A Building Management System (BMS) is a computer-based control system installed in buildings. It controls and monitors the building's mechanical and electrical equipment, such as ventilation, lighting, power systems, fire systems, and security systems. A BMS consists of software and hardware. The software program can be proprietary, using such protocols as C-bus, Profibus, and so on.
Vendors are also producing BMSs that integrate using internet protocols and open standards such as DeviceNet, SOAP, XML, BACnet, LonWorks, and Modbus.

Building Management Systems are most commonly implemented in large projects with extensive mechanical, electrical, and plumbing systems. Systems linked to a BMS typically represent 40% of a building's energy usage; if lighting is included, this number approaches 70%. BMSs are a critical component to managing energy demand. Improperly configured BMSs are believed to account for 20% of building energy usage, or approximately 8% of total energy usage in the US.

In addition to controlling the building's internal environment, BMSs are sometimes linked to access control (turnstiles and access doors controlling who is allowed access and egress to the building) or other security systems, such as closed-circuit television (CCTV) and motion detectors. Fire alarm systems and elevators are also sometimes linked to a BMS for monitoring. If a fire is detected, only the fire alarm panel can shut off dampers in the ventilation system to stop smoke spreading and send all the elevators to the ground floor and park them to prevent people from using them in the event of a fire.

Analytic Applications
Many ICS industries generate analytics from process datasets
− Some sold as a commercial solution by various vendors
− Some custom created in-house
Example: Contingency analysis applications
− Identify potentially harmful parts of the process
− Monitor events, thresholds, configurations
− Take actions such as tripping breakers, opening/closing valves, and sounding alarms
− Example: State estimators in the power industry

Contingency analysis is the process where potentially harmful events, thresholds, or configurations are identified so that contingent actions may be taken if the criteria are met.
01 Actions that may be taken could include: de Tripping breakers Opening/closing valves hi Sounding alarms 44 Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit ICS410 | ICS/SCADA Security Essentials 45 Putting It All Together Purdue Level 3 Purdue Level 2 Purdue Level 1 Purdue Level 0.ir NIST definition: DCSs are used to control industrial processes such as electric power generation, oil refineries, water, and wastewater treatment, as well as chemical, food, and automotive production. DCSs 01 are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated subsystems that are responsible for controlling the details of a localized process. Product and de process control are usually achieved by deploying feedback or feed-forward control loops whereby key product and/or process conditions are automatically maintained around a desired setpoint. hi To accomplish the desired product and/or process tolerance around a specified setpoint, specific PLCs are employed in the field and proportional, integral, and/or derivative settings on the PLC are tuned to provide the desired tolerance as well as the rate of self-correction during process upsets. DCSs are used extensively in process-based industries. The slide shows example DCS architecture and components. Note the logical groupings of field-level components, supervisory-level components, and corporate or business devices. Image Source: NIST SP800-82 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf 45 Join us now -> hide01.ir | donate.hide01.ir | t.me/Hide01 | t.me/RedBlueHit ICS410 | ICS/SCADA Security Essentials 46 Site SCADA vs. 
Regional SCADA

SCADA is a term that varies in use between different ICS industries
− Site SCADA: Manufacturing industries often use the term for their site-wide supervisory systems that sit in Purdue level 3
− Regional SCADA: Electricity, oil, gas, and water industries use the term for regional supervisory and control that typically spans large geographic distances
− The same vendors often sell the same solutions to both groups
Standard features of both Site SCADA and Regional SCADA
− SCADA technologies are usually TCP/IP based
− SCADA solutions tend to be more vendor neutral, with standardized protocols
− Both are usually considered Purdue level 3

Regional SCADA systems historically distinguish themselves from other ICSs by being large-scale processes that can include multiple sites and large distances. These processes include industrial, infrastructure, and facility-based processes, as described below:

Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive, or discrete modes.

Infrastructure processes may be public or private and include water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems.

Example of Regional SCADA Scalability

Midcontinent Independent System Operator, Inc.
(MISO)
− Non-profit, member-based organization
− Administers wholesale electricity markets
− Does not own any generation, transmission, or distribution assets
− Reliability Coordinator for its members
− Provides wide-area reliability over its region
MISO coordinates electric utilities
− 15 states and 1 Canadian province
− Serving 45 million customers
− 190 GW of generation
− 68,000 miles of transmission lines
− 296,915 SCADA data points

The Midcontinent Independent System Operator, Inc. (MISO) is a not-for-profit, member-based organization administering wholesale electricity markets that provide their customers with valued service, reliable and cost-effective systems and operations, dependable and transparent prices, open access to markets, and planning for long-term efficiency. From a Bulk Electric System perspective, MISO does not own any generation, transmission, or distribution assets. MISO acts as the Reliability Coordinator for its members and provides the wide-area reliability view over its region. To perform this task, MISO has connectivity to, and receives real-time data points from, member electric system networks. This data is used in contingency analysis, state estimation, simulation studies, outage scheduling, and transmission planning activities. Communications from member companies to MISO typically occur over ICCP (Inter-Control Center Communications Protocol), which will be discussed later in the course.
References:
https://www.misoenergy.org
https://www.misoenergy.org/markets-and-operations/real-time--market-data/real-time-displays

Remote Terminal Unit (RTU)

Embedded devices that pass data between the management server (MTU) and field devices, acting as a
− Router: passing TCP/IP traffic
− Gateway: converting protocols
− Controller: managing local processes
RTUs differ from PLCs in some ways
− Usually only found in Regional SCADA
− Run simpler logic than PLCs
− Differences are decreasing each day

The slide shows an image of a remote terminal unit (RTU). RTUs come in a variety of sizes and capabilities. Most RTUs are cabinet mounted, with hardwired points to interface with field devices.

An RTU is installed to report local system information and otherwise communicate with the upstream supervisory system. In a Distributed Control System, you may have many separate automated process areas. For example, a typical power company will have a central supervisory system where operators sit at an HMI, and each substation will be connected to the central system by utilizing RTUs. RTUs need to communicate with the central system and potentially with Intelligent Electronic Devices (IEDs). This communication is typically done via serial (RS-232 or RS-485), fiber, or wireless comms such as cellular networks. Communications are covered in more detail in another module.

Like a PLC, an RTU has an array of input/output connections. These could be digital inputs (like a sensor detecting the closed/open state of a container), analog inputs (such as temperature data), or digital outputs (like an electric relay). Though generally "dumber" than a PLC, RTUs usually run simple autonomous programs to provide redundancy and safety.
For example, an RTU at a power substation will have logic to change its behavior when a technician is working on a particular line and has manually disabled that line. This prevents someone at the operator console from closing a relay while technicians are performing maintenance, thus avoiding injury.

RTUs are more suitable for large geographical areas. They utilize wireless communications (e.g., cellular networks) to communicate back to the supervisory system. PLCs are generally more suited to a local control system that exists all in one location and uses physical media for communications. More recently, however, the line has been blurring. The extreme drop in microcontroller prices has caused the two devices to share more and more qualities.

Image Source: goo.gl/DeuMkv

Regional SCADA Connectivity

Regional SCADA can span large geographic areas. RTUs may send telemetry data over various communication channels, including cellular, telephone/modem, microwave, serial, Ethernet, or other radio communications. These communications may have to travel many miles (for example, equipment on an oil pipeline, disparate power substations, or ocean drilling operations). This communication may be disrupted or sporadic. If you wish to communicate with a field device that uses a modem to dial into the main system, for instance, you may have to wait for it to initiate the communications, resulting in limited windows of opportunity; alternatively, you may consider implementing a modem with call-back or dial-back security features, which allow initiated requests and provide some security benefit. Weather may also affect communication ability, causing temporary disruption or a long-term outage requiring a technician to travel out to the equipment site.
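The RTU notes above describe two things local RTU logic does without waiting on the control center: refusing a remote CLOSE while a technician has a line tagged out, and taking autonomous protective action such as tripping a breaker when a threshold is exceeded (the same threshold-to-action pattern described for contingency analysis applications earlier in this module). The Python model below is an added example written for this edit; it is not ICS410 courseware or any vendor's RTU firmware. The breaker names, the 800 A trip threshold, and the current readings are all constructed.

```python
"""Constructed model of RTU-local safety logic (added example, not ICS410 courseware).

Models two behaviours the RTU notes describe:
  * a lockout/tagout interlock: a line a technician has tagged out cannot be
    re-energised by a remote CLOSE from the supervisory HMI; the tag is set and
    cleared only through local operations at the substation;
  * simple autonomous protection: a local overcurrent threshold trips the
    breaker without waiting for the control centre.
Breaker names, the trip threshold and the current readings are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Breaker:
    name: str
    closed: bool = True
    tagged_out: bool = False      # technician lockout/tagout flag, local only
    trip_amps: float = 800.0      # constructed overcurrent threshold


@dataclass
class RTU:
    breakers: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def add(self, breaker: Breaker) -> None:
        self.breakers[breaker.name] = breaker

    # --- local-only operations (technician at the substation panel) ---
    def local_tag_out(self, name: str) -> None:
        breaker = self.breakers[name]
        breaker.closed = False
        breaker.tagged_out = True
        self.log.append(f"{name}: opened and tagged out locally")

    def local_clear_tag(self, name: str) -> None:
        self.breakers[name].tagged_out = False
        self.log.append(f"{name}: tag cleared locally")

    # --- supervisory command path (what arrives from the MTU/HMI) ---
    def remote_command(self, name: str, action: str) -> bool:
        """Apply an OPEN/CLOSE command from the control centre.

        Returns True if the command was executed, False if the interlock
        rejected it or the command was not understood. Rejections are logged
        so the supervisory side can be told why the point did not change.
        """
        breaker = self.breakers[name]
        if action == "CLOSE":
            if breaker.tagged_out:
                self.log.append(f"{name}: remote CLOSE rejected, line tagged out")
                return False
            breaker.closed = True
        elif action == "OPEN":
            breaker.closed = False
        else:
            self.log.append(f"{name}: unknown command {action!r} ignored")
            return False
        self.log.append(f"{name}: remote {action} executed")
        return True

    # --- autonomous protection, run on every local scan ---
    def scan(self, readings: dict) -> list:
        """Trip any closed breaker whose measured current exceeds its threshold."""
        tripped = []
        for name, amps in readings.items():
            breaker = self.breakers[name]
            if breaker.closed and amps > breaker.trip_amps:
                breaker.closed = False
                tripped.append(name)
                self.log.append(f"{name}: local overcurrent trip at {amps:.0f} A")
        return tripped


def demo() -> dict:
    """Run the constructed scenario and return the end state for inspection."""
    rtu = RTU()
    rtu.add(Breaker("CB-101"))
    rtu.add(Breaker("CB-102"))
    rtu.local_tag_out("CB-101")                        # technician working on the line
    close_while_tagged = rtu.remote_command("CB-101", "CLOSE")   # HMI (or attacker) tries to re-energise
    rtu.local_clear_tag("CB-101")                      # work finished, tag removed on site
    close_after_clear = rtu.remote_command("CB-101", "CLOSE")
    tripped = rtu.scan({"CB-101": 120.0, "CB-102": 950.0})      # constructed current readings
    return {
        "close_while_tagged": close_while_tagged,
        "close_after_clear": close_after_clear,
        "tripped": tripped,
        "cb101_closed": rtu.breakers["CB-101"].closed,
        "cb102_closed": rtu.breakers["CB-102"].closed,
        "log": rtu.log,
    }


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The point worth noticing is where the interlock lives. The tag-out flag is changed only by local operations, so a CLOSE arriving over the supervisory channel, whether from a legitimate operator or from someone who has compromised the HMI or the WAN link to the substation, is refused until the technician clears the tag on site. Local protection likewise acts on measured current without trusting anything upstream, which is why the notes describe RTU logic as providing redundancy and safety even when the link to the control centre is sporadic.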
Image Source: NIST SP800-82 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Timing/Cycles and System Size

Describing a specific control system at a high level can be misleading.
− Most are a system of systems with multiple levels of control
− Each layer has different expectations for data updates
− Knowing this information can help you determine appropriate security controls

ICS Component     Common Tag Update Rates
Regional SCADA    1 second to 1 minute
Site SCADA        50 ms to 1 second
Controllers       1 ms to 50 ms
Field Devices     sub-1 ms

It is difficult to compare and generalize industrial systems, but we can consider key attributes such as the acceptable timing cycle, scan rate, or SCADA polling rate, or the number of components or I/O points, to provide a general description. Systems will be configured to collect a signal at some scan/polling rate; the system can store the results of every scan/poll, perform necessary calculations, and monitor state, value, and/or trends. For example, a control engineer will select an appropriate sampling rate for a control loop to give proper control.

Timing/cycles describe the control system application and give someone an immediate idea of what type of process is being monitored and controlled. Regional SCADA systems describe control systems that span wide geographic areas. SCADA systems need to acquire data by having the RTUs or PLCs scan or poll the connected field inputs over wide-area networks. The data collection is completed within an acceptable time cycle and can be configured based on the number of points, the amount of data, and the communication rates available across channels. The SCADA engineer will select an appropriate polling rate for the system. It is very common for electric power SCADA systems to select a 1- to 3-second polling rate.
Distributed Control Systems (DCS) can cover a complex or plant facility and can typically take advantage of higher-speed communications and local networks. They can achieve much faster scan/polling rates. Some control applications, such as motor controls, can require very fast cycles (e.g., in the millisecond range). Scan rates for instrument readings need to be supported by the hardware and are determined by the application, that is, by what is being monitored and controlled. Hardware will often determine the maximum allowable scan rate, and the process will require a desired scan rate or acceptable range.

Warning: We don't like generalizations, but they are made to provide descriptions of things. Not all systems will fit general definitions. It is important to note that reliable distinctions between RTUs, PLCs, and the terms used to describe control systems have faded. Newer technologies have blurred the lines of existing terminology.

Lab 1.3: Programming an HMI

Using your ICS410 Windows 10 Enterprise VM, we will create an HMI for the PLC process we created in the last lab. But before we do that, we will reprogram our Velocio Ace 11 PLC with a slightly modified version of our program to ensure all of our PLCs are running the same logic. Refer to the lab workbook for instructions.
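The update-rate table on the Timing/Cycles slide is also a baseline a defender can monitor against: a site SCADA tag that suddenly changes every 10 ms, a regional tag that goes quiet for over a minute, or a controller tag that stops reporting is either a misconfiguration, a lost link, or a second writer on the network, and all three are worth an alert. The Python check below is an added example written for this edit, not ICS410 courseware; it uses the slide's ranges as expected intervals, and the tag names, their layer assignments, the stale_factor default, and the telemetry log are all constructed.

```python
"""Added example (not ICS410 courseware): check observed tag update intervals
against the expected update rates for each ICS layer.

The expected ranges come from the Common Tag Update Rates table on the
Timing/Cycles slide. Tag names, their layer assignments, the stale_factor
default and the telemetry log below are constructed for this example.
"""
from collections import defaultdict

# Expected (min_seconds, max_seconds) between updates for each layer.
EXPECTED_RATES = {
    "regional_scada": (1.0, 60.0),
    "site_scada": (0.050, 1.0),
    "controller": (0.001, 0.050),
    "field_device": (0.0, 0.001),   # slide gives only "sub-1 ms", so no lower bound
}

# Constructed classification: which layer each monitored tag belongs to.
TAG_CLASS = {
    "SUB7.CB101.STATUS": "regional_scada",
    "LINE3.TANK2.LEVEL": "site_scada",
    "PLC4.PUMP1.SPEED": "controller",
}


def check_update_rates(updates, now, stale_factor=3.0):
    """Return {tag: [(finding, seconds), ...]} for tags outside their expected rate.

    updates:      iterable of (timestamp_seconds, tag, value)
    now:          current time on the same clock, used for the stale check
    stale_factor: a tag is stale when silent for more than stale_factor times the
                  layer's maximum interval (assumed value, tune per site)

    Findings: "too_fast" (consecutive updates closer than the layer minimum, e.g. a
    second writer or a replayed stream), "too_slow" (a gap longer than the layer
    maximum), "stale" (nothing received recently), "unclassified" (layer unknown).
    """
    stamps_by_tag = defaultdict(list)
    for ts, tag, _value in sorted(updates, key=lambda u: (u[0], u[1])):
        stamps_by_tag[tag].append(ts)

    findings = defaultdict(list)
    for tag, stamps in stamps_by_tag.items():
        layer = TAG_CLASS.get(tag)
        if layer is None:
            findings[tag].append(("unclassified", None))
            continue
        lo, hi = EXPECTED_RATES[layer]
        for earlier, later in zip(stamps, stamps[1:]):
            gap = round(later - earlier, 4)
            if gap < lo:
                findings[tag].append(("too_fast", gap))
            elif gap > hi:
                findings[tag].append(("too_slow", gap))
        silence = round(now - stamps[-1], 4)
        if silence > stale_factor * hi:
            findings[tag].append(("stale", silence))
    return dict(findings)


# Constructed telemetry log: (timestamp_seconds, tag, value)
SAMPLE_UPDATES = [
    (0.0, "SUB7.CB101.STATUS", 1),
    (2.0, "SUB7.CB101.STATUS", 1),
    (4.0, "SUB7.CB101.STATUS", 1),
    (70.0, "SUB7.CB101.STATUS", 1),     # 66 s gap: WAN link dropped, then recovered
    (0.0, "LINE3.TANK2.LEVEL", 41.2),
    (0.5, "LINE3.TANK2.LEVEL", 41.3),
    (0.51, "LINE3.TANK2.LEVEL", 99.9),  # a value 10 ms after the poll: another writer
    (1.0, "LINE3.TANK2.LEVEL", 41.3),
    (0.000, "PLC4.PUMP1.SPEED", 1450),
    (0.010, "PLC4.PUMP1.SPEED", 1450),
    (0.020, "PLC4.PUMP1.SPEED", 1450),  # then nothing: controller telemetry stopped
    (3.0, "UNKNOWN.TAG", 0),            # not in TAG_CLASS
]


def demo():
    """Run the checker over the constructed log with the clock at t = 100 s."""
    return check_update_rates(SAMPLE_UPDATES, now=100.0)


if __name__ == "__main__":
    for tag, issues in sorted(demo().items()):
        print(tag, issues)
```

In practice the per-tag expected interval would come from the historian or SCADA configuration rather than a layer-wide table, and the stale threshold should be set from how long the WAN or radio path is normally allowed to drop before operators are told, since regional links are expected to be sporadic as the connectivity notes describe. The "too_fast" case is the one with the most security value: a supervisory poller cannot produce two updates for a site SCADA tag 10 ms apart, so that pattern points at something else writing to the point.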
Summary

Module takeaways:
− Most ICSs have several layers of control: from management server, to supervisory, to controllers, to field devices
− Difference between Site SCADA and Regional SCADA
  It is usually considered Purdue Level 3 in both scenarios
  It is usually TCP/IP based, using industry-standard protocols
− From a cybersecurity perspective, SCADA is more exposed
  In Site SCADA, it is the first system attackers usually access
  In Regional SCADA, the weak points are WAN providers and unmanned stations
  Network defenses can aid us in both

Course Roadmap

Section 1: ICS Overview
  GICSP Overview
  ICS Concepts
  Lab 1.1: Learning from Peers
  Controllers and Field Devices
  Lab 1.2: Programming a PLC
  Supervisory Levels
Section 2: Architectures and Processes