Industrial Control Systems

CCTC - Networking

Operational Technology

What is it and why do you care?

A year ago, a wormable RAT caused a blackout in Ukraine.
Five years ago, a worm broke the Iranian nuclear centrifuges.
This is the world of Industrial Control Systems.

OT vs IT

Category           | Information Technology                          | Operational Technology
Performance        | Non-real-time                                   | Real-time
Availability       | Rebooting and interrupts routine and authorized | Rebooting may not be acceptable; uptime at least 99.999%
Safety             | No personnel or environmental concerns          | Personnel and environmental hazards
Manipulates        | Data                                            | Physical environment
Upgrades & Patches | Simple and routine                              | Seldom, if even possible
Security           | Patch system                                    | Isolate system
Life Cycle         | 3 to 5 years                                    | 15 to 20 years

Outcomes

Skill 15: Identify ICS security incidents
  1. Identify types of attackers to an ICS
  2. Discuss ICS Vulnerabilities

ICS Security Incidents


Maroochy Sewage Sump


In 2000, Vitek Boden, a disgruntled employee of Hunter Watertech, dumped 800,000 liters of raw sewage into the river and coastal waterways of Maroochydore, Queensland, Australia.

Aurora Generator Test


Idaho National Laboratory (2007)

Stuxnet

Malware that destroyed centrifuges in Iran, setting back their nuclear enrichment program by 5 years.

Black Energy

A multipurpose RAT that gave malicious actors access to the Ukrainian power grid. It has been seen on US systems as well.

Industroyer/CrashOverride

Caused a blackout in the Ukrainian Power Grid without requiring real time command and control.

Who attacks Industrial Control Systems?

Attackers

  • State Actors
  • Organized Crime
  • Hacktivists
  • Terrorists

Motivations

  • Cripple Adversary Critical Infrastructure
  • Blackmail
  • Spreading Fear
  • Destabilizing Governments
  • Profit

Outcomes

Skill 14: Define Industrial Control System (ICS) fundamentals
  1. Describe industry processes
  2. Describe basic operations of ICS
  3. Identify ICS components
  4. Discuss industries where ICS is most utilized
  5. Describe ICS hardware
  6. Describe ICS software

Industrial Automation

Why Automate?

It costs less to maintain robots than to hire American workers

Industrial Control Hardware Components

Human Machine Interface

Controllers


Analog Relays


Programmable Logic Controller


Microcontroller


Remote Terminal Unit


Intelligent Electronic Device

Controlled Process

Sensors

Data Historians

Engineering Workstations

Supervisory Workstations

Control System Operation

Control Theory

Open Loop Control

Closed Loop Control

PID Controller

Sum of:

  • Proportional (current value)
  • Integral (average of all past values)
  • Differential (current rate of change in value)
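As an added example (not part of the course slides), the following Python sketch implements a PID loop in its standard form, where each of the three terms acts on the error between setpoint and measurement, and runs it against a constructed first-order heater model to contrast open-loop and closed-loop control. The plant constants, gains, setpoint and actuator limits are assumed values chosen for the demo.

```python
"""PID closed-loop demo, written for this page as an added example (not course
material). The process model, gains and setpoint below are constructed values.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PID:
    """Discrete PID controller: output = Kp*e + Ki*sum(e*dt) + Kd*de/dt."""
    kp: float
    ki: float
    kd: float
    setpoint: float
    out_min: float = 0.0  # actuator limits (heater power 0..1)
    out_max: float = 1.0
    _integral: float = field(default=0.0, init=False, repr=False)
    _prev_error: Optional[float] = field(default=None, init=False, repr=False)

    def update(self, measurement: float, dt: float) -> float:
        error = self.setpoint - measurement
        p = self.kp * error
        self._integral += error * dt
        i = self.ki * self._integral
        d = 0.0 if self._prev_error is None else self.kd * (error - self._prev_error) / dt
        self._prev_error = error
        out = p + i + d
        # Clamp to the actuator range; roll back the integral while saturated
        # so it does not wind up and overshoot once the limit is released.
        if out > self.out_max or out < self.out_min:
            self._integral -= error * dt
            return min(max(out, self.out_min), self.out_max)
        return out


def heater_step(temp, power, dt, ambient=20.0, gain=80.0, tau=30.0):
    """Constructed first-order plant: dT/dt = (ambient + gain*power - T) / tau."""
    return temp + dt * (ambient + gain * power - temp) / tau


def simulate(ambient, controller=None, fixed_power=0.5, steps=600, dt=1.0):
    """Run the plant from 20 degrees. With no controller the power is held at a
    fixed value (open loop); otherwise the PID computes it each step (closed loop)."""
    temp = 20.0
    for _ in range(steps):
        power = fixed_power if controller is None else controller.update(temp, dt)
        temp = heater_step(temp, power, dt, ambient=ambient)
    return temp


def open_loop_final(ambient):
    """Open loop: power 0.5 was chosen so that at ambient 20 the plant settles at 60.
    If the ambient changes, nothing corrects for it."""
    return simulate(ambient)


def closed_loop_final(ambient, setpoint=60.0):
    """Closed loop: the PID reads the temperature back and corrects for disturbances."""
    pid = PID(kp=0.05, ki=0.01, kd=0.1, setpoint=setpoint)
    return simulate(ambient, controller=pid)


if __name__ == "__main__":
    print("open loop, ambient 20:", round(open_loop_final(20.0), 2))     # settles near 60
    print("open loop, ambient 10:", round(open_loop_final(10.0), 2))     # settles near 50
    print("closed loop, ambient 10:", round(closed_loop_final(10.0), 2))  # settles near 60
```

The setpoint and gains in this loop are the kind of values an engineering workstation or HMI writes to a controller over the protocols covered later on this page. A well-tuned closed loop will faithfully drive the process to whatever setpoint it is given, which is why the integrity of those writes matters more than their confidentiality.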

ICS Role Playing Game


Get the plant from Start to Point A, to Point B, and back to start

ICS Software & Programming

Controllers often do not have an Operating System

Controllers run single programs written for the specific application. The program is uploaded from the engineering workstation to the controller.

ICS Programming Languages

  • Ladder Diagram
  • Function Block Diagrams
  • Sequential Flow Chart
  • Structured Text
  • Instruction List
  • C
  • Assembly

ICS Programming


Development Process


Ladder Diagrams


Function Block Diagrams


Sequential Function Chart

Used mostly in Europe

Structured Text

This is very similar to C

Instruction Lists

This is very similar to Assembly

C

Many microcontrollers just use C

Real Time Operating Systems

More powerful controllers use Real Time Operating Systems (RTOS). An RTOS is a lightweight OS optimized to handle real-time and deterministic functions.



Windows Embedded

Look and feel of Windows for controllers

Blackberry QNX

Blackberry's solution: HMI + controller

VxWorks

Provides an integrated HMI and controller

Industrial Control Applications

  • Distributed Control Systems (DCS)
  • Supervisory Control And Data Acquisition
  • Process Control Systems
  • Building Management System
  • Energy Management System
  • Industrial Internet of Things

ICS Applications


Distributed Control Systems (DCS)

Multilevel Control across a LAN
  • Automotive Manufacturing
  • Printing Plants
  • Chemical Plants
  • Water Treatment facilities

Supervisory Control And Data Acquisition (SCADA)

Multilevel control and monitoring across a WAN. Typically polls slaves at a 2 to 10 second interval.
  • Electrical Grid
  • Pipelines
  • Railroad Systems
  • Traffic Lights

Process Control Systems

A subset of DCS
  • Refineries
  • Chemical Treatment Plants

Building Management System

  • Access Control Systems
  • Backup Power
  • Fire Suppression
  • Heating, ventilation, and air conditioning (HVAC)

Energy Management System


Industrial Internet of Things

  • Mesh connected devices
  • Often Wireless

Common ICS Protocols

Industrial Control Network Protocols

ICS supervisory systems communicate to the subordinate controllers via a mix of proprietary and open standard protocols. The protocols are designed to carry deterministic control and status signals between the systems. Security controls were added after the protocols were already mature.


MODBUS

Old (1979) and insecure, but very widely used across hundreds of vendors and many industries. An open protocol since the early 2000s. No security provided.
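To make the "no security provided" point concrete, here is an added example (not from the course material) that decodes Modbus/TCP frames and flags the function codes that change controller state. The frame layout (MBAP header of transaction id, protocol id, length and unit id, followed by the function code) is the public Modbus/TCP layout; the sample frames are constructed for the demo, and the audit function is an assumed monitoring hook rather than any vendor's API.

```python
"""Modbus/TCP frame parser and write audit, added here as an example (not the
page's own code). All frames below are constructed for the demo.
"""
import struct

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)

FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Function codes that change controller state. The frame carries no credential
# or signature, so a passive monitor can only key on which function was sent,
# to which unit, from where.
WRITE_CODES = {5, 6, 15, 16, 23}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and PDU of one Modbus/TCP request or response."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", frame[:MBAP_LEN + 1])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame) - 6}")
    data = frame[MBAP_LEN + 1:]
    base_fc = fc & 0x7F
    info = {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": base_fc,
        "function": FUNCTION_NAMES.get(base_fc, "Unknown"),
        "is_exception": bool(fc & 0x80),  # responses set the high bit on error
        "is_write": base_fc in WRITE_CODES,
    }
    if info["is_exception"]:
        info["exception_code"] = data[0] if data else None
    elif len(data) >= 4:
        # Requests for codes 1-6, 15 and 16 all begin with a 16-bit starting
        # address followed by a 16-bit quantity (reads) or value (single writes).
        info["address"], info["count_or_value"] = struct.unpack(">HH", data[:4])
    return info


def audit_writes(frames):
    """Return the parsed frames that would alter a controller, for alerting."""
    return [info for info in map(parse_modbus_tcp, frames) if info["is_write"]]


# Constructed sample traffic (not a capture): two reads, one write, one exception.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),  # read 10 holding registers at 0
    bytes.fromhex("0002 0000 0006 01 06 0010 1234"),  # write 0x1234 to register 16
    bytes.fromhex("0003 0000 0006 01 01 0000 0008"),  # read 8 coils at 0
    bytes.fromhex("0004 0000 0003 01 83 02"),         # exception: illegal data address
]

if __name__ == "__main__":
    for hit in audit_writes(SAMPLE_FRAMES):
        print(f"WRITE tid={hit['transaction_id']} unit={hit['unit_id']} "
              f"{hit['function']} addr={hit['address']} value={hit['count_or_value']:#06x}")
```

Because nothing in the frame identifies or authenticates the sender, the parser can tell you that a write happened, but not whether it was authorized; in practice that judgement comes from network segmentation and an allowlist of which hosts are expected to issue writes to which units.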

OPC

OPC and OPC UA are used to bridge between IT and OT networks. OPC is an insecure protocol, primarily designed to provide access, not to restrict it.

DNP3

Used in the electrical grid. Modern implementations include authentication and integrity controls.

EtherNet/IP and Common Industrial Protocol

EtherNet/IP (EIP) stands for Ethernet/Industrial Processes. It is an application layer protocol that implements the Common Industrial Protocol (CIP) over TCP and UDP, and is used primarily in Distributed Control Systems. CIP is an open standard that can be implemented over serial or packet networks. EIP uses UDP for time-critical messages and TCP for non-time-critical messages.

Profibus/ProfiNet

Layer 2 protocol used between Controllers, Sensors, and Actuators

ICS Security

ICS Engineering Design Priorities

  1. Functionality
  2. Profit
  3. Legal Compliance
  4. Personnel Safety
  5. Environmental Impact
  6. Security

ICS Security Priorities

  1. Safety
  2. Availability
  3. Integrity
  4. Confidentiality

ICS Zones

Skill 16

ICS Functional Zones


Purdue Model


Enterprise IT Zone

Normal IT infrastructure used for data and information processing. Usually connected to the Internet.


Supervisory Manufacturing/OT Zone

Has Supervisory workstations, Data Historians, and Engineering Workstations, with unrestricted network access to controllers.


Field, Plant or Cell Zone

Connects controllers to sensors, end point actuators, or remote terminals. This can be over LAN, WAN, Serial, or even Pneumatic networks.


Safety Instrumented Systems Zone

Independent safety controls, relief valves, and other systems that prevent catastrophic failures with ensuing loss of life and property.