ISA IC32 Flashcards
What is a Control System?
A CS is the hardware and software components of an Industrial Automation and Control System (IACS).
What does IACS stand for?
Industrial Automation and Control System
What is Cybersecurity?
Defined as measures taken to protect a computer or computer system against unauthorized access or attack.
Name 5 trends in Control System Cybersecurity.
- Businesses have reported more unauthorized access attempts and a marked increase in malicious code attacks
- Control systems use more commercial off-the-shelf (COTS) software and hardware
- Implementing Internet Protocols (IP) exposes control systems to the same vulnerabilities as business systems
- Increased use of remote monitoring and access
- Tools to automate attacks are commonly available
6 Potential Impacts of Cybersecurity issues in Control Systems
- Unauthorized access, theft or misuse of data
- Loss of integrity or reliability of the control system
- Loss of control system availability
- Equipment damage
- Personnel injury
- Violation of legal and regulatory requirements
Name 4 services that are currently available for cybersecurity misuse.
- Malware as a Service (MaaS)
- Hacking as a Service (HaaS)
- Crimeware as a Service (CaaS)
- Fraud as a Service (FaaS)
Name 5 "oldies but goodies" for malware.
- Stuxnet
- Shamoon I & II
- HAVEX
- Malware is Operating System (OS) agnostic
- Shellshock (Bashdoor) Unix/Linux/MacOSX variant
What are the 5 myths regarding IACS security?
- Myth 1 “We Don’t Connect to the Internet…”
- Myth 2 Control Systems Are Behind a Firewall
- Myth 3 Hackers Don’t Understand Control Systems
- Myth 4 Our Facility is Not a Target
- Myth 5 Our Safety Systems Will Protect Us
Myth 1 “We Don’t Connect to the Internet…”: why is it not true?
You don’t need to connect to the internet to get infected: USB sticks, jump servers, remote services.
Myth 2 “Control Systems Are Behind a Firewall”: why is it not true?
Firewalls are still badly misconfigured
Modern configuration software doesn’t help admins make fewer mistakes
Myth 3 “Hackers Don’t Understand Control Systems”: why is it not true?
- Many people think that hackers don’t understand control systems – this is no longer true
- Hacking is no longer just for fun – hackers now sell zero-day exploits to organized crime
- Hacking as a Service has hit the mainstream
- SCADA and process control systems are now common topics at “DEFCON” and “Blackhat” conferences
Myth 5 “Our Safety Systems Will Protect Us”: why is it not true?
• Modern safety systems are microprocessor-based, programmable systems configured with a Windows PC
• It is now commonplace to integrate control and safety systems using Ethernet communications with open and insecure protocols (Modbus TCP, OPC, etc.)
• Many safety system communication interface modules run embedded operating systems and Ethernet stacks that have known vulnerabilities
• IEC 61508 certification (i.e. Safety Integrity Level (SIL) certification) doesn’t evaluate security
What is the characteristic of a Regulation?
Regulations are mandatory.
Name 3 Regulations
- Department of Homeland Security - Chemical Facility Anti-Terrorism Standards (CFATS)
- Department of Energy Federal Energy Regulatory Commission (FERC)
- Nuclear Regulatory Commission - Cyber Security Rule
Name 5 facts about regulations
• Limited number of enforced cyber and physical security regulations — no teeth
• National cyber security strategies may or may not be in place
• Public-private partnerships lacking
• Sector-specific cybersecurity plans may or may not exist
• General agreement that no country or government can address cybersecurity risk in isolation
Name 2 characteristics of Standards (Norms)
- Standards are voluntary documents (consensus driven)
- There is no requirement on anyone to use them unless… (agreed in a contract or referred to by regulations)
When can courts use Standards (4)?
• Courts may decide in the absence of relevant regulation
– Non-compliance with a standard
– Using a “what would a reasonable man on the street do” test
– Sufficient grounds to determine liability
– EUROPEAN COMMISSION Standards and Standardization Handbook
What does a standard consist of (2)?
Standards contain both normative and informative elements
What are normative Elements?
Normative elements are those parts that shall (mandatorily) be complied with in order to demonstrate compliance with the standard
Normative elements are indicated by the use of the word ‘shall’
What are informative elements?
Informative elements provide clarification or additional information
– Informative elements may not contain requirements
– The word ‘shall’ is not used
What global initiatives are in the works for standards (3)?
• Collaborative approach preferred
• ENISA (European Union Agency for Network and Information Security) has analyzed the current maturity level of ICS/SCADA cybersecurity in Europe
– Provided recommendations for improvement
• Australia Cyber Security Strategy
• Japan (new agency) ICPA (Industrial Cybersecurity Promotion Agency)
What does ISA stand for?
The International Society of Automation (ISA)
What standard (norm) does ISA create, and for what?
Committee on Security for Industrial Automation & Control Systems (ISA99)
Which sectors does ISA represent (7)?
Representing companies across all sectors, including:
- Chemical Processing
- Petroleum Refining
- Food and Beverage
- Energy
- Pharmaceuticals
- Water
- Manufacturing