Why “Back to basics” regarding security testing?
Well… during several previous security assessments that I have performed, I have run into a lot of the issues mentioned within the presentation I have given on this years CS3STHLM conference in Stockholm.
Sometimes I also have the feeling that too much attention is given to technical and logical protection measures and adversaries performing attacks through the Internet. Although it is important to keep an eye out for those, I am convinced that local based adversaries are equally, if not more important to keep an eye on. That was also one of the reasons I have given a presentation on Insider threats at the same conference in 2017.
A decent #ICS security program should focus on all three layers (physical, logical and human), make sure that the bigger picture is looked at and that the basics is never neglected.
I am pretty sure you all have heard or read one or more of the following statements regarding #ICS Security:
- “Urgently patch because vulnerability xyz …”
- “Critical flaw in PLC abc …”
- “Security testing can not be done …”
These type of statements can cause a form of media panic, panic within the IT teams and stakeholders. However, the real questions behind all of this is how do you really know you are at risk and how much time do you have to patch or mitigate the issue?
This is where security testing comes into play, however most testing currently performed within ICS environment is either (very) limited in scope, is IT focused or does not include all possible layers of your environment. These layers are the logical, human and physical layers.
The ultimate goal of all security testing should be to determine the accessibility of your environment. So, to be able to do so, you should assume a certain viewpoint and try to find all possible weak points that can be abused from that particular viewpoint. Possible viewpoints are for example: an external person, a visitor, an authorized visitor (so with a badge), an employee, guards … and of course also not to forget the cleaning staff …
Human level testing
This is the easiest layer to (ab)use and test as all those nice helpful people do not like to challenge other people or it is not within their job description to notice security issues. This means that USB stick dropping, Phishing, procedure bypass or bypassing other technical measures will always work…
Physical level testing
During physical level testing, the physical access to all potential logical access paths into the environment need to be investigated and verified. This can be done through (regular) physical walk-through of your environment where you should lookout for the following:
- Perimeter security, location security, camera detection, motion detection, door “gaps”, …
- Laptops/Desktops, (smart) TV screens
- Badge readers, scanners/printers
- Server racks (especially things laying on top or cable throughput), …
- Physical ports: Ethernet, Serial, USB … ( put in several USB dongles to see how the system reacts. .. you might be able to create a new network interface to a system…)
- (Unlocked) operator screens you run into for operator jail breakouts
Logical level testing
During logical testing, the level of logical access necessary to access the network environment should be determined and to what extent you are connected and what techniques you need to use to get access.
Mainly port access security verification is what you are after. This will either be none, mac address filtered or 802.1x authenticated connections. The obvious ones can easily be bypassed while the .1x connections require some more work and equipment. But each port access security type is bypass-able.
What can you do?
Preventing breaches of security because of this basic stuff is certainly possible, but might require some effort to implement, both financial and time wise.
On the human level
- Perform operational technology related awareness exercises
- Train people to challenge people they do not know or that do not have badges
- Train people to challenge people that act out of the ordinary
On the physical level
- Implement detection of presence (motion detectors or other)
- Install (rack) door alarms
- Close all cable throughputs where possible
- Physically lock down racks and system enclosures
On the logical level
- Perform security testing on ALL new/upgraded systems/devices : Include security within FAT/SAT testing cycles
- Build your own “dirty” USB stick containing real malware samples to verify antivirus and USB scanning devices.
- Follow packets all the way through your environment: Consolidated firewall rules review
On vendor and integrator level
And yes, your vendors and integrators … Trust these but verify to make sure what has been promised on security level is actually implemented and correctly functioning…
To summarize, a decent #ICS security program should focus on all three layers (physical, logical and human), make sure that the bigger picture is looked at and that the basics is never neglected.
More can be found in the PDF version of the presentation