Scribd
Upload
198 views

Using Open Source Intelligence To Improve ICS & SCADA Security

The document discusses using open source intelligence (OSINT) to improve industrial control systems (ICS) and SCADA security. It outlines sources of OSINT, including social media and publicly available information. It describes how OSINT could help adversaries by identifying physical vulnerabilities, engineering staff, and control system configurations. The document provides examples of threats and recommends mitigations like reducing online footprints, increasing security awareness, and establishing social media policies.

Uploaded by

Shumon Alam
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
198 views

Using Open Source Intelligence To Improve ICS & SCADA Security

The document discusses using open source intelligence (OSINT) to improve industrial control systems (ICS) and SCADA security. It outlines sources of OSINT, including social media and publicly available information. It describes how OSINT could help adversaries by identifying physical vulnerabilities, engineering staff, and control system configurations. The document provides examples of threats and recommends mitigations like reducing online footprints, increasing security awareness, and establishing social media policies.

Uploaded by

Shumon Alam
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 30

Using Open

Source
Intelligence to
Improve ICS &
SCADA Security
Richard Piggin

Agenda
1.
2.
3.

4.
5.

6.
7.
8.

Our expertise
Sources
Methodology
Physical Vulnerabilities
Social Media and Social Engineering
Control Systems Vulnerabilities
Threat Assessment
Key Points

Our
expertise

Atkins Capability

Sources

Mainstream
media

Academic
material

Methodology

Antagonist attack cycle

Physical
Vulnerabilities

MAPPING & IMAGERY

Mapping: Threats & Mitigation

THREATS

MITIGATION

Several semi-detailed internal


plans of the facility with
itemised locations that could
greatly assist any trespasser

Requirement to establish
sources for accuracy and to
investigate the potential to
reduce footprint and request
removal of some sources

Security
Infrastructure

Commercial in Confidence

Security
Infrastructure

Commercial in Confidence

Social Media &


Social
Engineering

Job Title

Social Media Platform

Notes

Lead Control and Instrumentation


Engineer

Facebook

Comments have shown that he has a


strong association with the companys ICS
infrastructure. Lives in .......

C&I Lead Engineer

LinkedIn, Facebook

Has given presentations on plant upgrades.


These include imagery of servers and
systems.

EC&I Engineer

LinkedIn, Facebook

EC&I Engineer
EC&I Section Head
Electrical Engineer
Former EC&I Team Leader

LinkedIn
N/A
LinkedIn
LinkedIn

Process Control Engineer


Project Engineer
Project Engineer
Project Engineer
Maintenance Technician
Operator Maintainer
Safety and Outage Section Head

LinkedIn
LinkedIn
N/A
LinkedIn
LinkedIn
Facebook
LinkedIn

Mechanical Engineer
Fire Alarm Engineer
Head of Mechanical Engineering

LinkedIn
LinkedIn
LinkedIn

Link

Link

Social Media: Threats & Mitigations

THREATS

MITIGATIONS

The personal information made


publicly available by employees
significantly increases the risk
of social engineering and/or
phishing attacks by hostile
actors

Raise awareness of security


risks and third party media

Provide guidance and policy on


posting company-related details
on social media

Control
Systems
Vulnerabilities

Publicly available information

Consequences
Understand
targets
Identify components

Gauge scope, scale


& effort required

SHODAN results
Interrogates connected devices and catalogues the response from
a device.
The response, known as a banner, provides information on the
particular service and details of the service.

Commercial in Confidence

Commercial in Confidence

OSINT control system


threat matrix
Industrial
control
Systems

OSINT
System
Identification

System
Context

Control
system A
Control
system B
Control
system C
Control
system D

Most significant

Moderate
Insignificant / None

Physical/Net
work Access

Engineering
Personnel
Identified

Third Party
Identified

SHODAN
Exploit

Vulnerability
/Exploit

Industrial Control Systems: Threats &


Mitigations
THREAT

MITIGATION

Photos of the installations


Reduce Open Source footprint
provide detailed insight into the
and request removal of
deployed hardware and software appropriate identified sources
configuration
Increase security awareness
with the marketing function

Establish guidelines for the


guidelines for the publication of
its information by third parties

Threat
Assessment

Industrial control system security


themes and challenges
Security Theme

Challenge

Anti-malware & malicious


code countermeasures

Systems may not support protection. Alternative measures are


required. Delays in adequate protection may result.

Application of patches

Inconsistent protection or delay in achieving suitable protection whilst


vendor patches are validated and tested on offline systems

Host systems

Security measures need to address different host systems, taking


longer to apply

Operating systems

Security measures must address operating system requirements,


particularly where systems are needed beyond end of life support

Networks

Security products often do not support industrial protocols and their


implementation cannot interfere with the real time operation of ICS

Applications

Application of security will need to be tailored and cannot interfere


with real time operation of ICS.

Time critical operation

Time constraints require security measures not to impact ICS


operation

...Continued
Security Theme

Challenge

Availability

Application of security maybe delayed due to production. There is


necessity to continue to operate in the presence of a security incident.
Non availability of systems is likely to impact production

Security goals

Contrasting goals and priorities reflect differing domain approaches,


highlighting potential diverse security strategies

IT security awareness

Control engineers do not tend to have cyber security education/training

ICS security awareness

Domain knowledge often limits understanding required to implement


effective security. Fragmented team working (demarcation/lack of
ownership) leads to potential security weaknesses

Security testing

Knowledge of ICS testing is required to prevent unintended downtime


and system outage. Testing should be performed on non-production
systems

Forensics

Implementation requires ICS and forensics knowledge and will be


limited to those systems supported

Technology lifetime and Integration can be a technically demanding over such long time frames.
support
Delay in technology adoption into ICS (typically 10 years) exacerbates
risk
Source: Development of industrial cyber security standards: IEC 62443 for SCADA and Industrial control systems, Piggin, R.

Key points

Identification of control systems

Staff a rich source: social media, control systems experience


and potential for social engineering

Link between internet footprint and spear-phishing

Third parties data leakage and access

Widely available vulnerabilities and exploit information for


specific control systems

ICS security cuts across the organisation its not just


Engineering or IT

You might also like