Singapore ICS Cyber Security Conference | 2018

Welcome address and conference introduction for SecurityWeek's 2018 ICS Cyber Security Conference.

Industrial Control Systems (ICS) have become increasingly attractive targets for cyber-attacks, as successful attacks can have disastrous consequences in the physical world. Unlike attacks on traditional Information Technology (IT) systems, attacks on ICS can disrupt essential services and even result in loss in lives. In response to the new threat of cyber, ICS operators need to augment operational resiliency with cyber resiliency. Furthermore, when planning for cyber resilience, operators need to do it holistically and not limit the scope to just the crown jewels, the ICS. The speaker will also give a flavour on Singapore’s efforts in building a cyber-resilient nation.

Safety Controllers (Safety Instrumented Systems) have always been considered immune to attacks as last barrier of plant safety, and claimed to be designed to ensure safe and reliable operation for Industrial Control Systems (ICS) and Supervisory Control and DataAcquisition (SCADA) environments. Unfortunately, the recent research and in-the-field experience indicate misplaced confidence (based on SIL) and overall weak security practices since these devices themselves form another attack surface for the determined adversaries.

This presentation discusses vulnerabilities found by Applied Risk research team across various state of the art safety controllers, which are commonly used in industrial environments. Advanced attack vectors will be discussed where attackers could exploit the discovered vulnerabilities to gain control over the device, including connected industrial assets.In addition to the discovered vulnerabilities, the process we followed during our research will be discussed.
Examples will be given for topics including: 

• From research to exploitation (a la basecamp)
• Manipulate the safety logic
• Live Demo

Inside look at TRITON ICS Malware
Can you imagine what happens when the industrial safety controllers (SIS) at the one of the world’s largest oil company are being hacked? What if hackers could penetrate, take control and/or disable all nuclear plants and other critical infrastructure systems? Damage from the 2017 Triton attack could have reached epic proportions as the first malware of its kind to specifically target industrial safety controllers. Yet, as recent discoveries indicate, the world experienced the first-ever "evil twin" attack on both SIS and Industrial Control Systems (ICS) simultaneously. Learn what steps Schneider is taking to avoid escalation to grave consequences from these types of attacks.

Session Detail

If this was just a PLC then maybe we would not have been quite so enthralled.  In this case it was a triply redundant safety controller whose entire purpose is to protect people, equipment and the environment from disaster.  There is only one reason anyone would want to compromise such a device – to enable serious harm.  Yes, you could imagine that a plant shutdown would cause an economic outcome, but if that was the intent, this could have been accomplished with only a few lines of Python script and the elaborate manipulation of processor memory would have been a total waste of time.  No, the intent was much more than that.  It was a grave one.  
This session will discuss the issues and practical solutions to these three intriguing questions:

1. What & Why do we need to know about the "Evil Twins" TRITON/TRISIS attack?
2. Why do we need to change?
3. Lessons Learned & Solutions

Session Objectives 

• Bring clarity to the details of this attack
• Highlight the way the much larger scope behind the Triton/Trisis Attack
• Discuss how our industry should move forward from this state

There is much still to be said about the Triton attack and practitioners in our industry need to be fully aware of these details if they are to be effective in defending against this type of attack in the critical infrastructure.

Background
In late December 2016, at least 3 Ukrainian power utilities came under a sophisticated, multi-stage, cyber attack that brought down power transmission to at least 200,000 households for 6 hours. Shift operators on that fateful day were caught off guard as their control systems were hijacked and remotely controlled by the attackers. Due to the multi-stage attack, the operators were literally isolated from escalating the incident, and could only watched helplessly as the attackers opened the protective relays to each sub-station one at a time…ushering in the first ever power outages created by human hackers.

The speaker will share some highlights on his previous experiences on:

• Applying automation engineering mindset in industrial cyber security in different energy sectors.
• Adopting industrial cyber security designs that bring value to your organization.
• Implementing innovative techniques to resolving cyber security concerns
• Making industrial cyber security a value-driven approach

Dr. Marlene Ladendorff will share insights on the cybersecurity initiatives under way to secure protect digital APR1400 nuclear power reactors in the United Arab Emirates. Ladendorff, who was responsible for building cybersecurity procedures, processes, and programs during the construction and start-up phases of the plants, will give an exclusive look inside the current program at Emirates Nuclear Energy Corporation.

APR1400 Digital Nuclear Reactor Cyber Security

As new builds of the APR1400 digital nuclear power reactors continue construction around the world, applying appropriate cyber security controls to protect them presents a new challenge for nuclear cyber security specialists.  Cyber attacks continue to grow more complex and are increasingly focusing on critical infrastructure equipment.  Additionally, the cyber security defense industry is seeing an upsurge in combined attacks that blend cyber and physical security, resulting in complex incidents that require new security techniques in order to mount an effective defense.  Further complicating the issue, nuclear cyber security may not have the same definition and requirements in different countries around the world.  An ideal situation would be to build cyber security in to the plants as they are being constructed rather than “bolting it on” at a later date. However cyber security is implemented, the goal remains the same: protection against cyber attacks for the plant, the community, and the environment.

This session covers key security essentials for embracing Industry 4.0:

• Industry 4. 0 cyber security strategies for mitigating operational risks arising from connected smart factories and digital supply chains.
• Maintaining trust in process, technology and organization.
• Validating security, interoperability and reliability in operations   

Most important for an ICS is to secure operational technology (OT). OT-failure can be caused by many reasons: equipment failure, cyber-attack or even physical attack. In modern connected world having just ESD (emergency shutdown system) and control-logic rules are simply not enough. These means can be compared to signature-based protection in cyber world, where also other advanced technics like heuristics, whitelisting and ML are used. ICS environment can rapidly change and personnel has no possibility to change rules so fast.

ML/DL technologies today are matured enough to deal with extreme amount of ICS telemetry. Different signals (sensors and actuators values) are correlated by physical laws and control logic. With ML, it is possible to learn these correlations under normal operational condition and establish something like white-listed behaviour. Any failure or attack that changes some signal will cause relevant changes in other signals. ML-model detects such situation as an anomaly.

In this presentation, we will show how this idea is implemented in the Machine Learning for Anomaly Detection (MLAD) system, and how it works with Secure Water Treatment (SWaT) realistic plant simulation that was made publicly available by Singapore University of Technology and Design (SUTD).  We will provide description of an important benefits of the MLAD – how it allows to find the cause of detected anomalous behavior, do that fast and effectively.
 

Today with topics like Digitalization, Smart Cities and Clouds etc. the ideas we know about Industrial Control Systems are rapidly changing. With all the new functionalities and ease of access and monitoring operational data using a cell phone, the threat landscape is increasing. This result in extreme needs for cyber security additional solutions not only from OT Vendors themselves but also from external security vendors. Questions like hat are the challenges facing End Users when deciding integrating a security solution? Who needs to decide and based on what decisions needs to be taken? What should be considered after the integration? And other will be briefly answered during this session. The topics cover the difficulties faced by security solution provider and end users during Integration Phase and after operation during security patches update and based on what to get these update.

SecurityWeek's 2018 Singapore ICS Cyber Security Conference is winding down, but there is still time for some great discussions! Please join us for closing remarks and an open discussion where anyone can make comments, share insights, ask questions and engage in a lively discussion.

Conclusion of SecurityWeek's 2018 ICS Cyber Security Conference. Thank You!