Cyber Securing Control Systems

What are Industrial Control Systems / Operational Technology?
- Computer based systems (digital, analog, digital to analog)
- Integrated with traditional information systems
- Routinely used for remote operations
- Examples: railway and transit, chemical processing, water treatment, power generation, buildings / facilities, hazardous materials storage/filtering
Adversary intelligence on ICS/OT can enable an asymmetric advantage.

ICS / OT Security Differences

Security Topic | Information Technology | Control Systems
Anti-virus & mobile code countermeasures | Common & widely used | Uncommon and can be difficult to deploy
Support technology lifetime | 3-5 years | Up to 20 years
Outsourcing | Common / widely used | Rarely used (vendor only)
Application of patches | Regular / scheduled | Slow (vendor specific)
Change management | Regular / scheduled | Legacy based – unsuitable for modern security
Time critical content | Delays are usually accepted | Critical due to safety
Availability | Delays are usually accepted | 24 x 7 x 365 x forever
Security awareness | Good in both private and public sector | Generally poor regarding cyber security
Security testing / audit | Scheduled and mandated | Occasional testing for outages / audit for event recreation
Physical security | Secure | Very good but often remote and unmanned

Source: PA Knowledge 2002

Critical Infrastructure (CIKR) sectors: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Information Technology; National Monuments & Icons; Nuclear Reactors, Materials, and Waste; Postal and Shipping; Public Health and Healthcare; Telecommunications; Transportation; Water and Water Treatment
Diagram labels: Buildings; Weapon Platforms; Operational Energy; Pumps and Motors; Electrical and HVAC; Vehicles/Charging; Nuclear; Controller; Medical Equipment; Manufacturing
Most processes are networked and are not able to operate without ICS/OT.

System & Terminal Unit Controllers, Actuators
Figure (device labels): JACE, VAV, Valve Actuator, Field Server, L-switch, Valve Actuator, Pressure Sensor, iLon Smart Server, BAS Remote Server, Temperature Sensor
Analog voltage, resistance, or current signal is converted to digital and then to IP.

ICS / OT System Topology
Routinely lacks significant cybersecurity to prevent adversary exploitation.

ICS Protocols
Internet protocols:
- IPv4 and IPv6
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)
- Hypertext Transfer Protocol (HTTP) - port 80
- Hypertext Transfer Protocol Secure (HTTPS) - port 443
Open control systems protocols:
- Modbus: master/slave - port 502
- BACnet: master/slave or peer - port 47808
- LonWorks/LonTalk: peer to peer - port 1628/9
- DNP3: master/slave - port 20000
- IEEE 802.x - peer to peer
- Zigbee - peer to peer
- Bluetooth – master/slave
Proprietary control systems protocols:
- Tridium NiagaraAX/Fox
- Johnson Metasys N2
- OSIsoft PI System
- Many others

Building Control System Protocols
- Control systems are fundamentally different than IT
- Can be based on master and slaves or peer to peer
- Slaves have registers and coils
- Devices use several different programming languages to perform operations
- Not originally designed for security or encryption
Master (client): sends requests for values at the address
Slave (server): replies with data
Registers and coils: memory locations
Typical file extensions: *.plcproject, *.PRJ, *.PRT, *.RSP, *.QXD, *.SCD
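The master/slave exchange described above, worked through on the wire as an added example (not part of the original presentation): the master's request for two holding registers, the slave's reply, and a passive check that flags write-class requests from any host other than the known master. The frames are constructed by hand and the allowed-master address is an assumed sample value; the function codes and the MBAP header layout are those of the public Modbus/TCP specification.

```python
"""Modbus/TCP walk-through: build the master's request, decode the slave's reply,
and flag write requests from hosts that are not the known master.

Added example, not from the original presentation. The frames below are
constructed by hand; the allowed-master address is an assumed sample value.
"""
import struct

# Public function codes from the Modbus application protocol specification
READ_COILS = 0x01
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_COIL = 0x05
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_COILS = 0x0F
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER,
                   WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}


def build_request(transaction_id, unit_id, function, address, value_or_count):
    """Encode a master request as a Modbus/TCP ADU: 7-byte MBAP header + PDU.

    There is no authentication field anywhere in the frame, which is the
    "not originally designed for security" point made on the slide.
    """
    pdu = struct.pack(">BHH", function, address, value_or_count)
    # MBAP: transaction id, protocol id (always 0), remaining length, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(frame):
    """Split an ADU into its MBAP fields and PDU, validating the length field."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def decode_read_response(frame):
    """Decode a slave's reply to a register read (function 0x03).

    An exception reply sets the high bit of the function code and carries a
    one-byte exception code instead of register data.
    """
    adu = parse_adu(frame)
    if adu["function"] & 0x80:
        return {"exception": adu["data"][0]}
    byte_count = adu["data"][0]
    regs = struct.unpack(">%dH" % (byte_count // 2), adu["data"][1:1 + byte_count])
    return {"registers": list(regs)}


def audit_writes(frames, allowed_masters):
    """Passive check over captured (source_ip, frame) pairs.

    Returns one alert per write-class request whose source is not a known
    master; reads are left alone because polling is normal traffic.
    """
    alerts = []
    for src, frame in frames:
        adu = parse_adu(frame)
        if adu["function"] in WRITE_FUNCTIONS and src not in allowed_masters:
            (address,) = struct.unpack(">H", adu["data"][:2])
            alerts.append({"src": src, "unit": adu["unit"],
                           "function": adu["function"], "address": address})
    return alerts


if __name__ == "__main__":
    # Constructed traffic: the real master polls two holding registers, the
    # slave answers with 42 and 500, then an unknown host writes a coil.
    ALLOWED = {"10.1.1.10"}  # assumed address of the legitimate master
    poll = build_request(1, 1, READ_HOLDING_REGISTERS, 0x0000, 2)
    reply = bytes.fromhex("000100000007010304002a01f4")
    other = build_request(2, 1, WRITE_SINGLE_COIL, 0x0013, 0xFF00)
    print(poll.hex(), decode_read_response(reply))
    for alert in audit_writes([("10.1.1.10", poll), ("10.0.0.99", other)], ALLOWED):
        print("ALERT unauthorized write:", alert)
```

The audit is deliberately source-based rather than content-based: because the protocol carries no identity, the only thing a passive sensor on the control network can key on is which host issued a write and to which unit and address, which is exactly the allow-list a site should already have from its inventory.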

DoD Scope of Platform IT & Control Systems (CS)
Chart: FY15 36 B; IT, Cyber, PIT / CS
DoD IT & cyber strategies and investments are progressing to incorporate PIT / CS.

Separate Roles: DHS & DoD
Diagram, Information Technologies side (DHS): control center, wholesale power market, Internet, conventional network, Internet-connected devices, market vulnerabilities, cyber vulnerabilities
Diagram, Control Systems (CS) side (DoD): power, utility fiber, vulnerable protocols, building automation, micro-grids, expanding exploitation surface
Grid figures (source: eia.gov): 15,700 stations, 642,000 miles (transmission); 140,000 stations, 6,300,000 miles (distribution)

Who Cybersecures ‘Smart’ Building Networks?
DoD resource / skill lead: systems owner, CIO, or vendor?

System & Device Ownership
250,000 intrusion attempts per hour
Which do you use? Which do you own?

What’s in Your Building?
“Smart” / high performance green buildings: Fire Sprinkler System; Interior Lighting Control; Intrusion Detection; Land Mobile Radios; Renewable Energy / Photovoltaic Systems; Shade Control System; Smoke and Purge; Physical Access Control; Vertical Transport System (Elevators and Escalators); Advanced Metering Infrastructure; Building Automation System; Building Management Control; CCTV Surveillance System; CO2 Monitoring; Digital Signage Systems; Electronic Security System; Emergency Management System; Energy Management System; Exterior Lighting Control Systems; Fire Alarm
Diagram labels: Information Systems; OT; 10,000; 3 networks managed & respond to alerts independently

Common Vendors & Integration Systems
Acuity Brands Roam, Advantage Controls, ALC, Alerton AIE, Alerton BACtalk, Alerton BCM-WEB, American Auto-Matrix Auto Pilot, American Auto-Matrix, Andover Controls Continuum, Asicontrols, Auto Matrix Sage, Automated Logic WebCTRL, Automated Logic, Barber Coleman Network 8000, Bristol Babcock, CAPRON, Carrier, Carrier Comfort Network, Carrier Com-Trol, Control Microsystems SCADAPack, Cylon Unitron UC32, Daikin, Data Aire, Dell Vostro, Delta Controls ORCA, Distech, Echelon i.Lon, Emerson-Liebert, EXHAUSTO, Flygt ITT Industries APP700, General Electric WESDAC, General Electric, Honeywell Excel 5000, Honeywell WEBs-AX, HSQ Technology, Invensys I/A Series, Invensys Micronet, Invensys Network 8000, Johnson Controls Facility Explorer, Johnson Controls Metasys, Johnson Controls M-Series, KMC, LANDIS, Landis & Staefa Integral MS2000, Landis & Staefa, Liebert SiteGate, LOYTEC Electronics L-VIS, Lynxspring JENEsys, Merlin Gerin PowerLogic, Microwave Data Systems, Mitsubishi, Motorola SCADA Systems, Odessa Engineering OmniaPRO, Orion Controls, Paragon EC7000 Series, Raco, Reliable Controls MACH-ProWebSys, Richards-Zeta, Robert Shaw DMS, RUGID, Schneider Electric I/A Series, Schneider Electric PowerLogic, Siebe Network 8000, Siemens ACCESS, Siemens Apogee, Siemens Desigo PX, Siemens Synco 700, Staefa, Staefa/Siemens, STULZ Air Technologies, TAC I/A Series, TAC Network 8000, TAC Xenta, TAC Vista, Telvent Smart Grid Solution, Trane Tracer, Trane Tracer Summit, Trane Varitrac, TREND, Trend Control Systems IQ2, Tridium Vykon

Operating Software Diversity
Axon CAT SARL Desigo Insight KNX STANDARD ABB Symphony Plus Optimax Rev 4 ABB Symphony Plus 800xA SV 5.1 ABB Symphony Plus Composer 6.0 ABB Symphony Plus S Operations 1.1 Alerton BACTalk Envision 2.0 Alerton BACTalk Envision 2.6 Alerton Visual Logic Allen-Bradley RSLogix 500 Allen-Bradley RSLogix 500, RSView32 Automated Logic ExecB 6.0 Automated Logic SuperVision WebCTRL 5.5 Automated Logic WebCTRL WebCTRL 3 Automated Logic WebCTRL WebCTRL 3.0 Automated Logic WebCTRL WebCTRL 5 Automated Logic WebCTRL WebCTRL 5.2 Automated Logic WebCTRL WebCTRL 4.1 SP1 Automated Logic WebCTRL WebCTRL Automated Logic ExecB 4.1 SP1 Automated Logic ExecB drv lge 4-02-175 Automated Logic ExecB drv melgr vanilla 4-02-175 Automated Logic ExecB Automated Logic Supervision 2.6b Automated Logic WebCTRL 4 SP1B Automated Logic WebCTRL 4.1 SP1 Automated Logic WebCTRL 4.1 SP1b Automated Logic WebCTRL SVR 5.5 Calsense Command Center Carrier Comfort Network Comfort Network 3.0 Control Microsystems ClearSCADA 2009 Ed.
R2.2 Data flow Systems HyperTAC 2 Data flow Systems HyperTAC HT3 Delta Controls ORCA ORCAview 3.30Delta Controls ORCA ORCAview 3.40 Delta Controls Orcaview 3.22 Delta Controls Orcaview 3.30 Delta Controls OrcaView 3.3 Delta Controls Orcaview 3.33 Delta ControlsOrcaview Delta Controls, TAC ORCA, I/NET ORCAview, Seven Rel 2.15 EFACAC Prism ERI Siemens Insight 3.6 GE, Intellution Proficy, iFIX, FIX Desktop , ,4.0, General ElectricCimplicity Plant Edition 6.1 General Electric Multilin Config Pro 5.03 General Electric Proficy Cimplicity 7.0 General Electric Proficy iFIX 4.0 Honeywell Symmetre Station 3.5Symmetre 3.5 Honeywell Webstation-AX Niagara Niagara HSQ Miser 6.06 HSQ Miser HSQ, Sun Microsystems Miser, Xview 6.06 Iconics Genesis32 Genesis32 8.3 IconicsGenesis32 Genesis32 9.13 Iconics HMI SCADA Solutions Genesis 32 3.12.005 InduSoft Web Studio Intellution 7 Intellution FIX32 3.5 Intellution FIX32 Intellution iFIX 3.5Intellution IFIX Intellution iFIX Reporter ITT Flygt AquaView AquaView 1.50 Johnson Controls Metasys Johnson Controls Metasys GX9100 7.05A Johnson ControlsMetasys Metasys 5 Johnson Controls Metasys Metasys 5.1 Johnson Controls Metasys Project Builder 5:1 Johnson Controls Metasys Project Builder 3 Johnson Controls Metasys 5Johnson Controls Metasys 12.04 Johnson Controls Metasys Johnson Controls Metasys Johnson Controls Metasys Johnson Controls M-Graphics 5.3Microsoft Explorer N/A N/A N/A N/A Pneu-Logic Pneu-Logic RACO RACO 3.14 Rainbird MAXICOM2 Central Control 4.3 ReLab Software ClearView-SCADA 7.2.8 ReliableControls MACH ProWebSys RC-Studio 2.0 Robert Shaw Digital Management System Operator Interface 11.0 Rockwell FactoryTalk Service Platform 2.30 Rockwell FactoryTalk View,Rsview Site Editiion, Supervisory 6.0, 6.0 Rockwell Factory Talk 6.0 Rockwell Automation FactoryTalk View Machine Edition 5.1 Rockwell Automation FactoryTalk View Site Edition4.0 Rockwell Automation FactoryTalk View Site Edition 5.1 Rockwell Automation FactoryTalk View Site Edition 
Rockwell Automation RSView Supervisory Edition 4.0 RockwellAutomation RSView Supervisory Edition Rockwell Automation RSView32 7.600.00 ScadaTEC SCADASIS Schneider Electric PowerLogic ION Enterprise 5.6 SchneiderElectric PowerLogic ION Enterprise Siebe Network 8000 Signal 4.4.1 Siemens S7 300 STEP 7 Siemens Apogee Insight Siemens Desigo Insight Siemens Insight Desigo Insight 2.31Siemens Insight Desigo Insight 2.35.021 Siemens WinPM.Net 3.2 SP3 SUBNET Solutions SubSTATION Explorer 1.3.0 SUBNET Solutions SubSTATION Explorer 1.5.7 SunMicrosystems Xview 3.2 Symantec Backup Exec 2011? TAC 1/A Series WorkPlace Tech 5.7 TAC I/A Series Workbench TAC I/A Series WorkPlace Tech 5.7.2 TAC 4.1 TAC Signal,XPSI & ZPSIPC Teletrol eBuilding Telvent OaSys DNA 7.4.* Trane Tracer SC Tracer 3.5 Trane Tracer Summit Tracer 11 Trane Tracer Summit Tracer 16 Trane Tracer Summit Tracer17 Trane Tracer Summit V14 Tracer 14 Trane Tracer Summit V16 Tracer 16 Trane Tracer Summit V17 Tracer 17 Tridium Vykon Niagara 2.301.428 Tridium Vykon Niagara2.301.430.v1 Tridium Vykon Niagara 2.301.431.v1 Tridium Vykon Niagara 2.301.514 Tridium Vykon Niagara 2.301.514.v1 Tridium Vykon Niagara 2.301.522 Tridium Vykon Niagara2.301.522.v1 Tridium Vykon Niagara 2.301.522.v2 Tridium Vykon Niagara 2.301.522V1 Tridium Vykon Niagara 2.301.527.v1 Tridium Vykon Niagara 2.301.529 Tridium VykonNiagara 2.301.532 Tridium Vykon Niagara 2.301.532.v1 Tridium Vykon Niagara 3.3.31 Tridium Vykon Niagara 3.5.34 Tridium Vykon Niagara Workbench 3.6.31 Tridium VykonNiagara Tridium Vykon Niagara AX Tridium Vykon Niagara AX "Tridium Vykon Niagara AX" "Tridium Vykon Niagara AX"Tridium Vykon Niagara AX Tridium Vykon Niagara AX Tridium Vykon Niagara AX Tridium Vykon Niagara AX Tridium Vykon Niagara AX Vykon Niagara AX Tridium Vykon Niagara AX Tridium Vykon Niagara AX Tridium Vykon Niagara AX 3.6.47 Tridium Vykon Niagara AX Vykon Niagara AX Tridium Vykon Niagara R2 2.301.522 Tridium Vykon Niagara R2 2.301.522.v1 Tridium Vykon Niagara R2 
2.301.529.v1 Tridium Vykon Niagara R22.301.532.v1 Tridium Vykon Niagara R2 R2.301.529 Tridium Vykon Niagara R2 Tridium Vykon Niagra Tridium Vykon Workplace Pro 2.301.428 Tridium Vykon WorkplacePro 2.301.514 Tridium Vykon WorkPlace Pro 2.301.522 v2 Tridium Vykon Workplace Pro 2.301.532 Wonderware Intouch WindowViewer 10.1.200 Yokogawa Exaquantum EXAOPCR3.21 Yokogawa Exaquantum Exaquantum Server R2.60 Yokogawa DAQOPC for DARWIN R3.01 2 6.0 ACS Alerton 3.5.34 Alerton Apogee 2.8 BACnet CSIView 11.5.0build 121 DAQ Works V1.03 Delta-V 7.4 Delta-V DOS 6.2 ERI Excel add -in I/Net 1.02 I/Net 5.1.3-57 I/Net 5.1.4-59 I/Net INET 2000 1.11 build 170 InsightMetasys Power Xpert Software PR970 Prism Protech Siemens 11 SteamEye Symmetre Station 3.5 Tracer Summit 15.0 Versaterm, Crystal Reports VMwareWEStation WIN UPM2 Workbench 2.301.522 Workbench 2.310.514

Device Level Controllers
AAEON Electronics AAON SS1016 ABB ACH550-UH-045A-4 ABB ACH550-UH-04A1-4 ABB ACH550-UH-246A-4 Acuity Brands Roam Gateway ADDER ADDERLink INFINITY ALIF 1000R-US ADDER ADDERLink INFINITY ALIF 1000T-US Advantech Touch Panel Computer TCP1770H-C2BE Advantech Touch Panel Computer TPC-1780H Advantech Touch Panel Computer TPC-650H AEG BLR-CX 04R AEG Schneider Automation Modicon Micro 612 Alerton VLC-1188 Alerton VLC-444 Alerton VLC-550 Alerton VLC-853 Alerton BACtalk BCM-PWS Alerton BACtalk VAV-SD Alerton BACtalk VLC-1180 Alerton BACtalk VLC-1188 Alerton BACtalk VLC-444 Alerton BACtalk VLC-550 Alerton BACtalk VLC-651R Alerton BACtalk VLC-660R Alerton BACtalk VLC-853 Allen-Bradley Allen-Bradley CompactLogix L23E Allen-Bradley CompactLogix L32E Allen-Bradley ControlLogix 1756-A10 Allen-Bradley ControlLogix 1756-L61 Allen-Bradley ControlLogix OEM Allen-Bradley FlexLogix 1794-L34 Allen-Bradley FlexLogix 5433 Allen-Bradley FlexLogix FLEX I/O Allen-Bradley Integrated Display Computers 6181P Allen-Bradley MicroLogix 1000 1761 Allen-Bradley MicroLogix 1000 1761-L16BWB Allen-Bradley MicroLogix 1100 1763 Allen-Bradley MicroLogix 1100 1763-L16AWA Allen-Bradley MicroLogix 1100 1763-L16BWA Allen-Bradley MicroLogix 1400 Allen-Bradley Micrologix 1400 1766-L32AWAA 8/10.00 Allen-Bradley MicroLogix 1500 1764-24AWA Allen-Bradley MicroLogix 1761-NET-ENI Allen-Bradley PanelView Plus 1000 Allen-Bradley PanelView Plus 2711P-KM420D Allen-Bradley PanelView Plus 600 Allen-Bradley PanelView Plus 700 Allen-Bradley PowerMonitor 3000 Allen-Bradley PowerMonitor 3000 1404-DM A Allen-Bradley PowerMonitor 3000 1404-M405A-ENT B Allen-Bradley SLC 500 DH-485 Allen-Bradley SLC 500 SLC 5/00 Allen-Bradley SLC 500 SLC 5/02 Allen-Bradley SLC 500 SLC 5/03 Allen-Bradley SLC 500 SLC 5/04 Allen-Bradley SLC 500 SLC 5/05 Allen-Bradley VersaView 1500P Andover Controls Continuum Infinet II i2810 Andover Controls Infinity SCX 920 APC AP7960 APC PNET 1 APC Back-UPS BE350R APC Back-UPS BE750G APC Back-UPS
BX900R APC Back-UPS ES550 APC Back-UPS Pro 1000 APC Back-UPS RS800 APC Back-UPS XS1500 APC Smart-UPS 1000XL APC Smart-UPS 2200 APC Smart-UPS 2200XL APC Smart-UPS 750 APC Smart-UPS AP5719 APC Smart-UPS SMT3000RM2U APC Smart-UPSSU2200NET APC Smart-UPS SU220RMXL APC Smart-UPS SU3000RMXL APC Smart-UPS SU3000XLM APC Smart-UPS SUA1000RM1U APC Smart-UPS SUA1500 APC Symettra APC Symmetra AP9617 / Symmetra 40K Arena EX III Arista ARP-2217AP Armstrong SteamEyeGateway 3000M Autoflame DTI MK6DTI Automated Logic LGR1000 Automated Logic LGR25 Automated Logic M line M0100 Automated Logic M line M220nx Automated Logic M line M4106 Automated Logic M line M8102 Automated Logic M line M8102nxAutomated Logic M line Mcpu Automated Logic ME812u line ME812u Automated Logic S line S6104 Automated Logic U line UNI/32 AutomationDirect DL06 AutomationDirect DL205 AutomationDirect EA7-T10C AutomationDirect EA-T10C AutomationDirect C-MoreEA7-T6CL AVG EZ-T10C-F AVG EZ-T15C-FSU Axiomtek DIN-rail Embedded System rBOX201-4COM-FL Axis 214 PTZ Axis 2400PTZ Axis 241Q Axis P5512 B&B Electronics MES1B Badger Meter Disc Series 120 Badger Meter Disc Series 170 Badger Meter Disc Series 35Badger Meter Disc Series 70 Badger Meter M Series 4000 Badger Meter Turbo Series 2000 Badger Meter Turbo Series 450 Barber Coleman Network 8000 MZ2A Basler Electric BE1-25 Basler Electric BE1-700V Basler Electric BE1-CDS220 Basler Electric BE1-GPS100E3N2R0U Bay Controls BayNet Belkin F6C1100-AVR Belkin F6C750-AVR Bitronics PowerPlex MTWIN3 Black Box ME838A-R2 Black Box ME838A-R3 BOCA Bristol Babcock DPC 3335 Brother HL-2270DW Brother HL-4040CDN Brother HLYOC Buffalo TS-H0.0TGL\RGBuffalo TeraStation Pro TS-H03TGL-R5 CalAmp VIPER SC Campbell Scientific CR1000 Carel pCO3 Carrier 30RRB06052 00 3 Carrier 30XAB50062-03X93 Carrier Comfort Network Comfort Controller 6400 Cohen OEM Computrol 32X Control Microsystems 5000 Series5302 Control Microsystems SCADAPack 100 Control Microsystems SCADAPack 334 Cooper Power Systems CL-6A 
Cooper Power Systems CL-6A WA366B67G6AR Cooper Power Systems CL-6A WE383F44K6XR CyberPower 1500ADR CyberPower CPS1500AVR CylonUnitron UC32 Daikin McQuay MicroTech II WMC Danfoss OEM Danfoss BACLink VLT DEC LA400-A2 Dell 3000CN Dell 71PXP Dell UPS1000W Dell Color Laser Printer 1320C Dell Laser Printer 1110 Dell Laser Printer 2330dn Dell Laser Printer 3100CN Dell PowerValutMD3000i Dell PowerValut TL2000 Delta Controls ORCA DSC-1212E Delta Controls ORCA DSC-1616E Delta Controls ORCA DSC-633E Deltak OEM Digi AccelePort C/X (1P) 50000598-01 Digital Loggers Web Power Switch III Dolch ORCA-19 Dolch ORCA-19PM DROBO 90200001-001 Eason Technology 950 Eaton RO LIC-100 HMI Eaton Power Xpert PX4000 Eaton Powerware 3105 Eaton Powerware 5125 Eaton Powerware 9125 Eaton Powerware FE2.1KVA Eaton Powerware PW9130L1500T-XL Electro Industries Nexus 1262 ElectroIndustries Nexus 1270-S-SWB2-20-60-4IPO-SE Electro Industries Nexus 1272 Electro Industries Shark 100S elo Touch Solutions Touch systems Elo Touch Solutions Touchmonitor ET1739L Elo TouchSystems Elster American Meter 3.5M Elster American Meter AL-425Elster American Meter AL-800 Elster American Meter GT-3 Elster American Meter RPM Series 1.5M Elster American Meter RPM Series 2M Elster American Meter RPM Series 3.5M EMC CLARiiON CX4-120 Emerson M-Series MD Plus Encorp KWS GDU EncorpKWS2222501 Encorp UPC GDU Endress Hausser Promass 80 Endress Hausser Prowirl 72W EPSON FX 2190 Fireye Nexus NX6100 Flygt ITT Industries APP 700 APP700F Fuji HDC 500 Fuji Micrex-F F120S F120S Fuji Micrex-SX SPH3000MM Gamewell 1033502501VDGeneral Electric 16SB1BB339SSS2V General Electric 16SB1CB201SDM2Y General Electric 510-0183-01A General Electric 526-2006 General Electric IC695ETM001 General Electric Fanuc 90-30 IC693CPU311 General Electric Fanuc 90-30 IC693CPU311-AD GeneralElectric Fanuc 90-30 IC693CPU311-AE General Electric Fanuc 90-30 IC693CPU311-BE General Electric Fanuc 90-30 IC693CPU311N General Electric Fanuc 90-30 IC693CPU311T General Electric 
Fanuc 90-30 IC693CPU311W General Electric Fanuc 90-30 IC693CPU311-XXGeneral Electric Fanuc 90-30 IC693CPU311Y General Electric Fanuc 90-30 IC693CPU350 General Electric Fanuc 90-30 IC693CPU352 General Electric Fanuc 90-30 IC693CPU360 General Electric Fanuc 90-30 IC693CPU363 General Electric Multilin 469 General ElectricMultilin 750P5G5S5HIA20R General Electric Multilin SR489-P5-HI-A20 General Electric Multilin SR74555HI485 General Electric PACSystems RX3i General Electric PQMII PQMII General Electric RRTD RRTD General Electric Rx3i PacSystem IC694MDL240 General ElectricRx3i PacSystem IC694MDL940 General Electric Rx3i PacSystem IC695ALG112 General Electric Smart Meter kV2c General Electric SR 745 General Electric SR 750 General Electric Versamax IC200CPUE05 Genicom 3850 Hach SC100 Hadax Series 6000 Heliodyne Delta-TPro Honeywell HC900 Honeywell XL50-MMI Honeywell Excel 5000 Q7055A BNA- Honeywell Excel 5000 Q7750A-2003 Honeywell Excel 5000 XC5010 Honeywell Excel 5000 XCL5010 Honeywell Excel 5000 XL100 Honeywell Excel 5000 XL100C Honeywell Excel 5000 XL20Honeywell Excel 5000 XL50 Honeywell Excel 5000 XL5010 Honeywell Excel 5000 XL5010C Honeywell Excel 5000 XL50-MMI Honeywell Excel 5000 XL80 Honeywell Excel 5000 XLC50 Honeywell Excel 5000 XLC5010 Honeywell Excel 5000 XLC50-MMI Honeywell Excel 5000XLC8010 Honeywell Excel 5000 XLC8010A HP HP 700/43 HP 8100 ELITE HP Color LaserJet 4500 HP Color LaserJet CP2025 HP Deskjet 6122 HP InkJet BC354A HP Jetdirect 170x J3258B HP LaserJet HP LaserJet 02461A HP LaserJet 4 HP LaserJet 4600n HP LaserJet 4MV HPLaserJet 5 C3916A HP LaserJet 5200tn HP LaserJet C3980A HP LaserJet CB94A HP LaserJet CP2025 HP LaserJet CP2025DN HP LaserJet CP5225DN HP LaserJet P1102W HP LaserJet P2015 HP LaserJet P4014dn HP OfficeJet 7000 E809a HP Officejet CM755A/8500A HPStorageWorks Tape Array 5300 HSQ Technology HSQ Technology 22501 HSQ Technology 86004862 HSQ Technology 8600-4862 HSQ Technology 8600-6135L HSQ Technology 8602 HSQ Technology 8602-080 HSQ 
Technology 8602-080A Rev E HSQ Technology8602-RTU-080-A Rev E HSQ Technology HSQ9588T HSQ Technology V86VR-R030 iEi Technology AFOLUX LX AFL-12A Infinias Intelli-M eIDC Invensys Invensys I/A Series FCM 10E Invensys I/A Series UNC-520-2 ITRON IX100X Johnson Controls Johnson Controls FacilityExplorer FX-PCG2611 Johnson Controls M Series MS-N30 Supervisory Controller Kiltech Embedded Field Controllers SX-CPU/RS-485 190715 Koyo DL205 Koyo DL206 Koyo DL207 Koyo DL250 CPU Landis & Staefa Integral MS2000 NRK16-NICO Landis & Staefa IntegralRSA NRK16/A Lantronix Lantronix Universal Device Server UDS100 Lexmark Optra E312L LG V-NET PQNFB17B0 Liebert StieLink 12 Liebert StieLink 4 LOYTEC Electronics LINX LINX-101 LOYTEC Electronics L-VIS LVIS-3E100 LOYTEC Electronics L-VIS ME215 Maple SystemsOIT3175 Maple Systems OIT3250-B00 Maple Systems PC217B Mcquay H62PY McQuay Maverick I OM 1077 MCS MCS-R010 MechoShade Systems SunDialer I-Con Meidensha ADC5000 Meidensha T01E-E01A Meidensha T01E-E01A-A Meidensha Uniseque RC500MGE UPS SYS UPS 1500 MGE UPS SYS UPS 800 Mitsubishi Mitsubishi AG-150A Mitsubishi MP-22-AF Mitsubishi MP-22-AR Mitsubishi MP-22-CB Mitsubishi CITY MULTI BAC-HD150 Mitsubishi CITY MULTI GB-50ADA Mitsubishi MELSEC Q63P Mitsubishi Q Series FX2NModicon Micro Modicon Momentum 170ADM39030 Modicon Quantum Automation Series 140CPU113 MODICON TSX Quantum Modicon TSX Series TSX3705028 Modicon TSX TSX3705028 Motion Control Engineering Motion Control Engineering 24-10-0012Motorola MOSCAD-L Motorola SCADA Systems ACE3600 Moxa MGate IMC-101-M-SC Nalco Switch 2226 3D Trasar NETGEAR ReadyNAS 3200 NETGEAR ReadyNAS Pro NOVAR NL INC B541200039 NovaTech Orion5r Obvius Holdings AcquiSuite A8812 OdessaEngineering DiaLog Plug Okidata MicroLine 321 Turbo Okidata MICROLINE ML420 OMNTEC OEL8000II OEL8000IIP Opto 22 Opto Brian Panasonic BB-HCM531 Panasonic GN 15 Panasonic i-Pro WV-NP244 Panasonic i-Pro WV-NS202A Panasonic i-Pro WV-NW964 PattonCopper Link 2156 Perle IOLAN SCS PML ION7350 PML 
PowerLogic ION7300 PML PowerLogic ION7330 PML PowerLogic ION7350 PML PowerLogic ION7500 PML PowerLogic ION7550 PML PowerLogic ION7600 PML PowerLogic ION7650 PML PowerLogic ION7700 PMLPowerLogic ION8600 Pneu-Logic 10A22646 Pneu-Logic PL4000 DCM Powerlynx OEM Preferred Instruments PCC-III Preferred Instruments PCC-III-0000 Preferred Instruments PCC-III-F000 Preferred Instruments PCC-III-FZ00 Pro-Face GP577R-TC11-OY ProSoft MVI46MNET Qualitrol ITM 509 ITM RACO VERBATIM DFP RACO VERBATIM SFP Raritan CompuSwitch CS4R Raritan Dominion KX II 216 Raritan Dominion KX II DKX2-216 Raritan Dominion KX II DKX2-432 Red Lion G308 Red Lion G310C Ricoh Aficio MP C2050 RUGID RUG6DRUGID RUG7D RUGID RUG9 RUGID RUG9B RUGID RUG9D Sanyo Denki SANUPS A11H Schneider Electric 170INT11000 Schneider Electric 171CCS76000 Schneider Electric HMIPSCIDE03 Schneider Electric Modicon M340 Schneider Electric I/A Series MNB-1000Schneider Electric Magelis XBT GT 2330 Schneider Electric Momentum Processor 171CCC96020 Schneider Electric Momentum Processor 171CCS78000 Schneider Electric Powerlogic CM2000 Schneider Electric Powerlogic CM3000 Schneider Electric Powerlogic CM4000Schneider Electric Powerlogic ECC Schneider Electric Powerlogic EGX 100 Schneider Electric Powerlogic EGX 200 Schneider Electric Powerlogic EGX 400 Schneider Electric Powerlogic enercept Meter Schneider Electric Powerlogic Energy Meter Schneider ElectricPowerLogic ION7330 Schneider Electric PowerLogic ION7350 Schneider Electric PowerLogic ION7500 Schneider Electric PowerLogic ION7600 Schneider Electric PowerLogic ION7650 Schneider Electric PowerLogic ION8300 Schneider Electric PowerLogic PM710Schneider Electric PowerLogic PM850 Schneider Electric Powerlogic Power Meter Schneider Electric TSX Momentum Schneider Electric TSX Momentum 171CCC9803 Schneider Electric TSX Quantum 170-ENT-110-00 Schneider Electric Xenta 280 282 Schneider ElectricXenta 300 301 Schweitzer Engineering Laboratories SEL-2020 Schweitzer Engineering Laboratories 
SEL-2032 Schweitzer Engineering Laboratories SEL-2407 Schweitzer Engineering Laboratories SEL-2411 Schweitzer Engineering Laboratories SEL-2440 SchweitzerEngineering Laboratories SEL-3332 Schweitzer Engineering Laboratories SEL-351S-7 Schweitzer Engineering Laboratories SEL-3530 Schweitzer Engineering Laboratories SEL-451 Schweitzer Engineering Laboratories SEL-487E Schweitzer Engineering Laboratories SEL587Z Schweitzer Engineering Laboratories SEL-700G Schweitzer Engineering Laboratories SEL-751A Schweitzer Engineering Laboratories smart-UPS SEL-3332 Seiko TS-2540 Siebe Siebe CP-8161-333-3 Siebe DMS-3501 Siebe MSC-P1502 Siebe MSC-P1504-D SiemensMP277 10 TOUCH Siemens PXC36 Siemens ACCESS 9510 Siemens Apogee Series 200 MEC Siemens Apogee 545-793 Siemens Apogee AEM200 Siemens Apogee Power MEC Siemens Apogee Power MEC 1200 Siemens Apogee Power MEC 1210 Siemens Apogee Power

Potential Exploitation Paths
Initial compromise: spear phishing / whaling; installing backdoor; capture / create credentials
Access control system network: increase compromised hosts; enable multiple remote connections
Advance objectives: reconnaissance, manipulation, disruption, destruction

Control Systems Cyber Security (CS2) Challenge
- Create a virtual trusted testing environment for a facility-related DoD control system
- Provide detailed understanding of existing cybersecurity vulnerabilities within facility-related control systems
- Demonstrate a modular, sound environment build process to eventually create a full Utility Monitoring Control System environment
- Allow “apples to apples” assessments of industry, government and academia solutions to secure facility-related control systems

Continuous Monitoring and Attack Surfaces
Host based security systems / scanning (active): McAfee, Nessus, Retina; Windows, Linux; HTTP, TCP, UDP
Attack surfaces: client side attacks, server side attacks, network attacks, hardware attacks
Intrusion detection systems (passive): PLC, RTU, sensor; Modbus, LonTalk, BACnet, DNP3; Nessus Passive Vulnerability Scanner, Sophia, GrassMarlin, others?

Expanded “Key Terrain” Needs to Include Control System Networks
Information systems and control systems: whose role? Detect, mitigate & recover the control system network from cyber exploit.

Which Group Best to Cyber Protect Control Systems? (US Chamber of Commerce, Dec ‘11)
CIO / IA techs: not mine, not funded, not trained
Facility manager / engineer: not mine, not funded, not trained

Locating Connected Devices
Search strings: “default password” or “port 502”

Never Attribute Evil When Stupid is Still Available


Tridium Architecture

Shodan – Tridium Search
HTTP, port 80: clear text connection

Distech Controls

Shodan – Distech Search
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="Niagara-Admin", qop="auth", algorithm="MD5", nonce=
Content-Length: 56
Content-Type: text/html
Niagara-Platform: QNX
Niagara-Started: 2013-8-3-4-11-32
Baja-Station-Brand: distech
Niagara-HostId: Qnx-NPM2-0000-12EA-FDCC
Server: Niagara Web Server/3.0
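A banner like the one above tells a defender most of what an inventory entry needs (product, version, platform, station brand, host id) and whether the management interface is exposed over clear text. The following added example (not from the original presentation) parses that banner into an inventory record and sets exposure flags; the sample banner reproduces the headers quoted on the slide (the nonce value, absent on the slide, is omitted) and the observed port is a constructed input.

```python
"""Turn an HTTP banner from a building controller into an asset-inventory
record with exposure flags.

Added example, not part of the original presentation. SAMPLE_BANNER copies
the headers quoted on the slide (nonce omitted); the port is a constructed input.
"""

SAMPLE_BANNER = """HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="Niagara-Admin", qop="auth", algorithm="MD5"
Content-Length: 56
Content-Type: text/html
Niagara-Platform: QNX
Niagara-Started: 2013-8-3-4-11-32
Baja-Station-Brand: distech
Niagara-HostId: Qnx-NPM2-0000-12EA-FDCC
Server: Niagara Web Server/3.0
"""


def parse_banner(text):
    """Return (status_line, {header-name-lowercase: value}) from raw HTTP text."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate wrapped or truncated lines from a banner dump
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def inventory_record(text, port):
    """Build an inventory entry and flag the exposures a defender cares about."""
    status, h = parse_banner(text)
    server = h.get("server", "")
    record = {
        "status": status,
        "product": server.split("/")[0] if server else "unknown",
        "version": server.split("/")[1] if "/" in server else "unknown",
        "platform": h.get("niagara-platform", "unknown"),
        "brand": h.get("baja-station-brand", "unknown"),
        "host_id": h.get("niagara-hostid", "unknown"),
        "flags": [],
    }
    auth = h.get("www-authenticate", "")
    # Management interface reachable over plain HTTP rather than HTTPS
    if port == 80:
        record["flags"].append("cleartext-http")
    # Digest keeps the password itself off the wire, but the session that
    # follows a successful login is still unencrypted unless the port is TLS
    if auth.lower().startswith("digest") and port != 443:
        record["flags"].append("auth-over-cleartext")
    # Vendor headers reveal product, platform and start time to any client
    if any(k.startswith("niagara-") or k.startswith("baja-") for k in h):
        record["flags"].append("vendor-headers-leak")
    return record


if __name__ == "__main__":
    print(inventory_record(SAMPLE_BANNER, 80))
```

Run against banners collected from your own address space, the records feed the CM-8 component inventory directly, and the flags give the facility owner a concrete remediation list (move the interface behind TLS or a VPN, suppress vendor headers where the product allows it) instead of a screenshot.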

Exploit Database

Exploit DB Honeywell Search

NIST SP 800-82 R2, Final Public Draft Release
Section 2.5 added per DoD request to address ‘other-than-industrial’ control systems.

NIST SP 800-82 R2 Key Security Controls
Inventory: CM-8 Information System Component Inventory; PM-5 Information System Inventory; PL-7 Security Concept of Operations; PL-8 Information Security Architecture; SC-41 Port and I/O Device Access
Central Monitoring: AU-6 Audit Review, Analysis, and Reporting; CA-7 Continuous Monitoring; IR-5 Incident Monitoring; IR-6 Incident Reporting; PE-6 Monitoring Physical Access; PM-14 Testing, Training and Monitoring; RA-5 Vulnerability Scanning; SC-7 Boundary Protection; SI-4 Information System Monitoring; SI-5 Security Alerts, Advisories, and Directives
Test and Development Environment: CA-8 Penetration Testing; CM-4 Security Impact Analysis; CP-3 Contingency Training; CP-4 Contingency Plan Testing and Exercises; PM-14 Testing, Training and Monitoring
Critical Infrastructure: CP-2 Contingency Plan; CP-6 Alternate Storage Site; CP-7 Alternate Processing Site; CP-10 Information System Recovery and Reconstitution; PE-3 Physical Access Control; PE-10 Emergency Shutoff; PE-11 Emergency Power; PE-12 Emergency Lighting; PE-13 Fire Protection; PE-14 Temperature and Humidity Controls; PE-17 Alternate Work Site; PM-8 Critical Infrastructure Plan
Acquisition and Contracts: AU-6 Audit Review, Analysis, and Reporting; CA-7 Continuous Monitoring; SA-4 Acquisitions; PM-3 Information System Resources; PM-14 Testing, Training and Monitoring
Inbound protection, outbound detection.

“My Control Systems are Secure”
Kaspersky Lab report “Industrial Control Systems and Their Online Availability” discovered 188,019 hosts with ICS components, spread across 170

ICS / OT Accountability Obstacles
- Not considered / managed like information systems
- Cyber tech buy and refresh unplanned & unfunded
- Neither CIO nor engineers are trained or staffed to manage cyber security
- Enterprise-wide vulnerability alerts / patch management procedures TBD
- Many vendors emerging - need a sensor strategy for networks
"We can't solve problems by using the same kind of thinking we used when we created them." (A. Einstein)
