Chris Sistrunk, PE (@chrissistrunk): Electrical Engineer, Mandiant; Entergy (11 years); SCADA expert; loves security; DNP3 User Group. "Button pusher, but I like Blue."
Class Central Classrooms (beta): YouTube videos curated by Class Central.
Classroom Contents
ICS SCADA Defense
- 1 Intro
- 2 About the speaker: Chris Sistrunk, PE (@chrissistrunk), Electrical Engineer, Mandiant; Entergy (11 years); SCADA expert; loves security; DNP3 User Group. "Button pusher, but I like Blue."
- 3 Project Robus (Latin for "bulwark"): with @adamcrain, started in April 2013. 26 advisories / 32 tickets: 24 DNP3, 1 Modbus, 1 Telegyr 8979. Aegis ICS Fuzzing Framework (OSS).
- 4 Now What? Let's take a step back and ask some questions: What's the risk if this device is compromised? Risk = Probability * Impact. Check out my RTU risk score presentation from S4x13. What is the ICS device …
- 5 Anticipate... Mitigate! The answers to those questions tell you that you have to do something to protect the device(s). What types of mitigations exist? Which ones will you use? Defense in depth: more t…
- 6 ICS Vulnerability Mitigation: software/firmware patches and device upgrades; robust RTU/PLC and master configurations; robust IP network configurations; ICS protocol-aware network tools; proper physical secur…
- 7 Get The Bug Fix! If there is a software or firmware patch or hardware upgrade out there that fixes a known vulnerability (such as one in DNP3 or Modbus)... GO GET IT. Properly test it before you roll it…
- 8 Robust Device/Master Configuration: USE DNP3-SA (Secure Authentication, at the application layer)! The correct master only talks to the correct RTU, but it won't protect against all "bugs". Disable unused serial and network por…
- 9 Robust Device/Master Configuration: when possible, DISABLE functions that aren't required in your production systems. DNP3 function code examples: Cold and/or Warm Restart (FC 13 & 14).
- 10 Robust IP Networks: segment your ICS/SCADA WAN with routers, firewalls, DMZs, and VLANs. This can help isolate the network when needed. Understand your network! The bad guys sure will. Use encryption and authen…
- 11 ICS-Aware Network Tools: examples of SCADA tools and enterprise network tools that understand ICS protocols. Protocol analyzers such as Wireshark, ASE & TMW RTU test sets; IDS/IPS such as Snort, Bro, CyberX SilentDefe…
- 12 Network Security Monitoring: newer enterprise security technologies can be used to help detect, respond to, and contain threats on your SCADA network. Security Operations Center; security analyst(s) using …
- 13 …person who really cares! Security Onion (or other NSM); ICS honeypot (Conpot, etc.); full packet capture (even serial).
- 14 Proper Physical Security: what is the proper amount of physical security? It depends... If your critical SCADA master has top physical security but the serially-connected tiny distribution RTU does n…
- 15 Employee Awareness: train your folks on ICS/SCADA security. Security conferences and several training classes are available; ICS-CERT; GICSP certification. Security awareness is important. Have a questioning atti…
- 16 DNP3 Will Be Here A While: ask your vendors for DNP3-SA if they don't have it or aren't already working on it. Require in the bids for new SCADA systems or upgrades that they be tested by a 3rd party, including …
- 17 DNP3 isn't a special case; other ICS protocols will see the same fate: Modbus, IEC 60870, IEC 61850, ICCP, EtherNet/IP... You can defend your SCADA. Early testing of both slave/server AND master/client s…
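Slides 8, 9 and 11-13 together describe one detection idea: a protocol-aware monitor that knows which master may talk to which RTU and which DNP3 function codes (Cold/Warm Restart, FC 13 and 14) should never appear in production traffic. The following is an added example written for this page, not code from the talk or from any of the tools it names. It assumes you already have raw DNP3 link frames (from a serial tap or the TCP payload), and the policy values (master link address 1024, outstations 1 and 2) and every sample frame are constructed for the demonstration. The frame layout, CRC (polynomial 0x3D65, transmitted LSB first, complemented) and function code numbers follow IEEE 1815.

```python
"""Protocol-aware DNP3 frame inspection (added example, not code from the talk).
Assumes captured raw DNP3 link frames (serial or the TCP payload); checks CRCs,
enforces "the correct master only talks to the correct RTU" by link address, and
alerts on function codes that should be disabled, e.g. Cold/Warm Restart (FC 13/14).
Policy values and all sample frames are constructed."""
import struct
from dataclasses import dataclass, field

DNP3_START = b"\x05\x64"
DNP3_CRC_POLY = 0xA6BC  # reflected form of the DNP3 generator polynomial 0x3D65
BLOCK = 16              # user data is CRC-protected in 16-byte blocks
# Application-layer function codes (IEEE 1815); 13 and 14 are the two named on slide 9.
FUNCTION_CODES = {0: "CONFIRM", 1: "READ", 2: "WRITE", 3: "SELECT", 4: "OPERATE",
                  5: "DIRECT_OPERATE", 13: "COLD_RESTART", 14: "WARM_RESTART",
                  129: "RESPONSE", 130: "UNSOLICITED_RESPONSE"}

def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: poly 0x3D65 (reflected 0xA6BC), init 0, result complemented."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_CRC_POLY if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(dst: int, src: int, control: int, user_data: bytes = b"") -> bytes:
    """Assemble a link frame: 8-byte header + CRC, then each <=16-byte data block + CRC."""
    header = DNP3_START + bytes([5 + len(user_data), control]) + struct.pack("<HH", dst, src)
    out = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        out += block + struct.pack("<H", dnp3_crc(block))
    return out

@dataclass
class Frame:
    dst: int
    src: int
    control: int  # bit 7 DIR (1 = sent by a master), bit 6 PRM, bits 0-3 link function
    user_data: bytes

    @property
    def app_function_code(self):
        """FC from the application header; None unless the transport FIR bit (0x40) is set."""
        if len(self.user_data) < 3 or not self.user_data[0] & 0x40:
            return None
        return self.user_data[2]

def parse_frame(raw: bytes) -> Frame:
    """Decode one link frame, verifying every CRC; raises ValueError on damage."""
    if len(raw) < 10 or raw[:2] != DNP3_START or raw[2] < 5:
        raise ValueError("bad start bytes or length field")
    length, control = raw[2], raw[3]
    dst, src = struct.unpack("<HH", raw[4:8])
    if dnp3_crc(raw[:8]) != struct.unpack("<H", raw[8:10])[0]:
        raise ValueError("header CRC mismatch")
    data_len, user_data, pos = length - 5, b"", 10
    while len(user_data) < data_len:
        n = min(BLOCK, data_len - len(user_data))
        block, crc = raw[pos:pos + n], raw[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2:
            raise ValueError("truncated frame")
        if dnp3_crc(block) != struct.unpack("<H", crc)[0]:
            raise ValueError("data CRC mismatch")
        user_data, pos = user_data + block, pos + n + 2
    return Frame(dst, src, control, user_data)

@dataclass
class Policy:
    master: int       # the one link address allowed to act as master
    outstations: set  # link addresses of the RTUs that master owns
    denied_function_codes: set = field(default_factory=lambda: {13, 14})

def inspect(raw: bytes, policy: Policy) -> list:
    """Return alert strings for one frame; an empty list means it matched policy."""
    try:
        f = parse_frame(raw)
    except ValueError as e:
        return [f"MALFORMED: {e}"]
    alerts = []
    if f.control & 0x80:  # DIR=1: the frame claims to come from a master
        if f.src != policy.master:
            alerts.append(f"UNEXPECTED MASTER: link address {f.src} -> {f.dst}")
        if f.dst not in policy.outstations:
            alerts.append(f"UNKNOWN OUTSTATION: {f.src} -> {f.dst}")
    fc = f.app_function_code
    if fc is not None and fc in policy.denied_function_codes:
        alerts.append(f"DENIED FUNCTION: {FUNCTION_CODES.get(fc, fc)} (FC {fc}) from {f.src} to {f.dst}")
    return alerts

POLICY = Policy(master=1024, outstations={1, 2})  # hypothetical addresses; samples are constructed
SAMPLES = {
    "reset_link": bytes.fromhex("0564 05c0 0100 0004 e921"),  # link RESET_LINK_STATES, no user data
    "class0_poll": build_frame(1, 1024, 0xC4, bytes.fromhex("c0 c0 01 3c 01 06")),  # READ, g60v1
    "cold_restart": build_frame(1, 1024, 0xC4, bytes.fromhex("c0 c1 0d")),          # FC 13
    "rogue_write": build_frame(7, 9999, 0xC4, bytes.fromhex("c0 c2 02 50 01 00 07 07 00")),
}
SAMPLES["corrupted"] = bytes(b ^ 1 if i == 12 else b for i, b in enumerate(SAMPLES["class0_poll"]))

def run_demo() -> dict:
    """Map each sample name to its alert list; print it to see the verdicts."""
    return {name: inspect(raw, POLICY) for name, raw in SAMPLES.items()}
```

Calling `run_demo()` gives no alerts for the link reset and the class 0 poll, a DENIED FUNCTION alert for the cold restart even though it comes from the legitimate master, two alerts for the write from link address 9999, and a MALFORMED verdict for the frame with a flipped data bit. Two caveats a practitioner should keep in mind: the link address check is only as trustworthy as the medium (an attacker on the wire can forge source addresses, which is why the slides push DNP3-SA rather than address filtering alone), and the function code is only visible in the first transport segment of a message, so a real monitor has to reassemble segments rather than inspect frames in isolation.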