Industrial Automation Systems Cybersecurity Pentest & Audit
Tamimi August 07, 2015 [Professional] #Pentesting #Cybersecurity #IIoT #SCADA #PLC #red team #NERC CIP #NIST #ISO27001
Introduction
After the Industrial Automation SCADA System project was completed, the client wanted a full security audit of the installed system; although security by design had already been considered when implementing the architecture, a dedicated assessment and audit was still required. As a cybersecurity professional, I have worked on various projects and tasks related to cybersecurity, including industrial control systems (ICS) and IoT. ICS are essential for the operation and management of critical infrastructure, such as power grids, water treatment plants, oil and gas pipelines, and manufacturing facilities. However, these systems also face increasing cybersecurity threats from various actors, such as nation-states, cybercriminals, hacktivists, and even insiders. These threats can compromise the availability, integrity, and confidentiality of ICS data and processes, leading to severe consequences for public safety, national security, and economic stability, since they can cause physical harm, unlike the usual cyberattacks, where in most cases the outcome is a password reset or, at worst, a financial loss.
Scope
Conducting Cybersecurity Assessments and Planning for ICS
One of the key steps for improving the cybersecurity posture of ICS is to conduct regular and comprehensive assessments and planning. These activities aim to identify and prioritize the cyber risks and vulnerabilities that affect ICS, and to establish and implement appropriate countermeasures and controls to reduce them.
Some of the main types of cybersecurity assessments and planning that I performed for the system are:
- Vulnerability detection and risk assessment: I scanned and tested the ICS components (hardware, software, firmware, protocols, and configurations) to discover and evaluate security flaws and weaknesses that could be exploited by attackers, using tools such as Nmap, Nessus, Metasploit, and Wireshark for network and system scans, port and service enumeration, vulnerability identification, and exploit testing (some of the tools I usually use are listed in my Tech Stack in Cybersecurity section). I also used frameworks such as CVSS and OCTAVE to estimate the likelihood and impact of cyberattacks and to rank the risks by severity and urgency.
- Penetration testing: I simulated realistic and targeted cyberattacks on the ICS environment (red team activities), using the same techniques and tools as adversaries, to evaluate the effectiveness and resilience of the existing security measures and defenses. Tools used included SQLmap, sixnet RTU, PLCInject, ICSFuzz, and Mimikatz for web application testing, SQL injection, privilege escalation, and credential dumping, and Cobalt Strike, Empire, CrackMapExec, and Meterpreter to create and manage remote shells and payloads.
- Data protection: Data protection was crucial; encryption, authentication, authorization, and backup mechanisms were used to protect the confidentiality, integrity, and availability of ICS data, both in transit and at rest. Tools included OpenSSL, GPG, and VeraCrypt to encrypt and decrypt ICS data and to generate and manage digital certificates and keys; Kerberos, LDAP, and RADIUS to authenticate and authorize ICS users and devices and to enforce access control policies and roles; and rsync, Bacula, and Veeam to back up and restore ICS data and to ensure its recovery in case of incidents or disasters. Additionally, a physical token (Yubico) was required from anyone accessing the system, including the operators.
- Continuity planning: Business continuity and disaster recovery were part of the assessments. I developed and maintained contingency plans and procedures to ensure the continuity and recovery of ICS operations and functions in the event of cyberattacks or other disruptions, from defining and documenting the business continuity objectives, strategies, and requirements to conducting business impact analysis and risk assessment. I also used metrics such as RTO, RPO, and MTD (recovery time objective, recovery point objective, and maximum tolerable downtime) to determine and measure the recovery targets for the ICS. Additionally, several simulations were run to validate the continuity plans and procedures and to train the system operators and engineers.
System and Industrial Networks compliance with standards
NERC CIP Cybersecurity Requirements
One of the crucial steps for securing the ICS is to ensure the cybersecurity of the industrial networks that connect the ICS components, such as SCADA, PLC, and related systems. These networks are often exposed to external and internal threats, such as unauthorized access, data tampering, denial of service, and malware infection. Therefore, it is essential to apply security standards and best practices to protect the industrial networks from cyberattacks, and to comply with the regulatory requirements that apply to the power industry. The NERC CIP standards are mandatory and enforceable regulations that apply to the North American power industry and aim to ensure the reliability and security of the power grid. They specify the minimum security requirements for the identification and protection of critical cyber assets, such as the ICS components that support the operation of the grid. I used these requirements to comply with the NERC CIP standards and audits, to report and respond to cyber incidents affecting the ICS, and to implement security measures and controls to prevent, detect, and mitigate cyberattacks that could compromise or disrupt the reliable operation of the SCADA system.
PLC and related systems (ISA99/IEC)
These are specific standards and technical reports that define the requirements for cybersecurity robustness and resilience at each stage of the ICS lifecycle. They apply to all types of industrial automation and control systems, including PLC, SCADA, DCS, and other control system configurations. These standards were used to design, implement, and operate secure industrial networks for the ICS, to address and mitigate current and future security vulnerabilities in the ICS components, to apply security policies, standards, and guidelines governing the ICS environment, and to enforce access control and encryption mechanisms protecting the ICS data and processes.
NIST, ISO27001, and SANS standards
These are general frameworks and guidelines that provide a comprehensive and flexible approach to managing and improving the cybersecurity of information systems and organizations. They cover various aspects of cybersecurity, such as risk management, security controls, governance, awareness, and incident response. I used these standards to establish and maintain a cybersecurity program for the ICS environment, and to align the security objectives and strategies with the business goals and needs. I also used them to benchmark and measure the cybersecurity performance and maturity of the ICS, and to identify and address gaps and weaknesses. Although the system was not connected to external services, it was still beneficial to use these standards in the assessments.
The work was rewarding: several years later I heard from a former colleague that the client's internal corporate network had been breached and hit with ransomware; thankfully, the ICS was fully protected and remained operational while the whole company network was down!