Need comments for each part, at least one paragraph for each part.

PART 1

A patch can be described as an update or modification to a system's software that fixes a software failure or a vulnerability and improves the performance of the software. Patching and updating an ICS system should be handled according to principles such as having less software that requires patches and considering the impact of patching on the system (Radvanovsky & Brodsky, 2016). Traditional IT systems are hard to patch, and ICS systems are even more difficult to patch than traditional IT systems. In an ICS/SCADA environment a patch can, in practice, crash the entire system, and this is the first critical aspect to deal with. When it comes to patch management procedures for traditional IT systems and ICS systems, no single solution exists for both. IT systems can schedule their critical patches within planned downtime, whereas any unexpected downtime in an ICS can lead to operational disruption. So, there is a requirement for testing patches before implementing them in ICS systems (Recommended Practice for Patch Management of Control Systems, 2008).

Patching differs between industrial control systems and enterprise network systems. Patches can also negatively impact the operation of the systems, so it is necessary to test a patch on the system before installation. The three fundamentals of patching an industrial control system that one should be well versed in are: performing a complete backup before installing patches on the ICS; identifying the files that are changed by the patches and their impacts; and removing all files that are not needed by the ICS. By following these three fundamentals, the problems and risks associated with patching can be minimized and system security is improved (Radvanovsky & Brodsky, 2016). Patches for legacy systems on the ICS network are applied late, and for some of them not applied at all.
That is typically due to their proprietary nature or service age, or because patches are simply not available (Recommended Practice for Patch Management of Control Systems, 2008). The patches that are applied generally deal with stability and functionality issues and accordingly enhance stability. Patching an industrial control system needs a risk vs. reward analysis, which can show that if the system is operating properly, there is more risk in patching the system than reward in updating it. Other factors that determine the risk are the operating system type, the threats involved, and the ability of the personnel (Radvanovsky & Brodsky, 2016).

References

Radvanovsky, R., & Brodsky, J. (2016). SCADA/Control Systems Security. CRC Press.

Recommended Practice for Patch Management of Control Systems. (2008). DHS National Cyber Security Division Control Systems Security Program, Homeland Security. Retrieved from https://ics-cert.us-cert.gov/sites/default/files/r…

PART 2

ICS/SCADA Patching

A systematic update or necessary change to software is called patching. The handbook says that patching should ensure the SCADA system is not negatively impacted in any way. Patching requires a risk and reward analysis: if this analysis finds that there are no problems in the ICS operating system, then patching is itself a risk (Radvanovsky & Brodsky, 2016). ICS systems are designed to run continuously for years, but patching requires a system restart, which is critical for ICS systems. It is recommended to follow the manufacturer's instructions when patching ICS systems. Manufacturers provide guidelines for patching all the major components such as PLCs, controllers, input modules, output modules, data converters and switches (Radvanovsky & Brodsky, 2016). Performing a full backup of the ICS system before patching is necessary, and rolling back patches does not always fix the ICS system.
We must run a batch file that creates a list of all the folders and files, with their sizes, for the entire system; if any file size has changed after the patching, then that file was affected by the patch. Using a virtual test environment for testing is recommended (Radvanovsky & Brodsky, 2016).

After all this, experts think that patching a database is risky and difficult, but patching a utility (power plant) or another organization's ICS is more dangerous still after the post-Stuxnet effect. Stuxnet created a panic among vendors like Siemens and pressured them to check regularly for, and update against, vulnerability issues (Higgins, 2013). Vulnerability research is looking more closely at the ICS world because of the effects created by Stuxnet; that even a small piece of malware can shake ICS to the core is a demonstration for the future (Higgins, 2013). Vendors like Siemens and Rockwell send the necessary updates and changes on a regular basis, but organizations think that responding to the vendors fixes the system, which it does not. Only about 10-20% of organizations install the necessary patches. Experts say utilities and ICS organizations face a power shutdown if patching goes wrong, which is a major risk (Higgins, 2013).

According to Andres Andreu, chief architect and vice president of engineering at Bayshore Networks, "Some plant equipment is so old that no one dares to disturb it" (Higgins, 2013). He also says that people who run the old systems or equipment will not perform patching aggressively. Many controllers from the 1960s and 1970s will not bear the security created by the new patches. He also stated, "To actually patch that level is unrealistic, there's legacy code written 30 years back and no one wants to touch that" (Higgins, 2013). Eric Byres, CTO of Belden's Tofino Security, said that one PLC vendor that Tofino Security works with reported that only 10 percent of its customers actually download the patches.
He also stated strongly that this is only downloading; that they are installing them is imaginary (Higgins, 2013). According to Dale Peterson, CEO of Digital Bond, most companies install patches on a quarterly basis, and mainly on workstations and servers. Always patching outside or exposed networks is recommended and necessary. One municipal water authority patches monthly with the help of virtualization testing prior to patching (Higgins, 2013).

References

Higgins, J. K. (2013, January 15). The SCADA patch problem. Retrieved from https://www.darkreading.com/vulnerabilities—threats/the-scada-patch-problem/d/d-id/1138979?

Radvanovsky, R., & Brodsky, J. (2016). Obsolescence and Procurement of SCADA.

PART 3

Patching for SCADA and ICS Security: The Good, the Bad and the Ugly

The Impact of Patching for SCADA and ICS Security

In a landmark study of the patches for post-release bugs in OS software, Yin et al showed that between 14.8% and 24.4% of all fixes are incorrect and directly impact the end user. And if that's not bad enough, 43% of these faulty 'fixes' resulted in crashes, hangs, data corruption or additional security problems.

What's more, patches don't always solve the security issues they were designed to address. According to Kevin Hemsley, a member of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products.

Even Good Security Patches Can Cause Issues

Most patches require the shutdown and restart of the manufacturing process. Some can also break or remove functionality previously relied on by the control system. For example, one of the vulnerabilities the Stuxnet worm exploited was a hardcoded password in Siemens' WinCC SQL database. At the time, Siemens were widely criticized for not quickly releasing a patch to remove the password.
However, customers who took it upon themselves to manually change the password soon discovered that many critical control functions depended on this password to access accounts. In this case, the 'cure' was even worse than the disease.

Patching Often Requires the Presence of Experts

Another ugly truth about patching is that the process itself often requires staff with special skills to be present. For example, the vulnerability exploited by the Slammer worm in January 2003 actually did have a patch (MS02-039) that was released in 2002. Unfortunately, this didn't help an oil company with numerous production platforms in the Gulf of Mexico. The company started rolling out the patch in the summer of 2002, but issues with server restarts required Windows experts to be present during patching. Since very few of these experts were safety certified for platform access, most platforms were still not patched when Slammer hit six months later.

When There Are No Patches

Of course, you can only use patches to fix vulnerabilities if the vendor has created a patch. Unfortunately, this is the exception rather than the rule. At the SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride noted that less than half of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time.

Some accuse the vendors of indifference or laziness, but there are many factors that prevent the quick release of a patch.

In 2010, a major ICS vendor told me that internal testing of a mission critical product had revealed security issues. Unfortunately, these vulnerabilities were part of an embedded OS supplied by a 3rd party. Now the OS supplier refused to address the vulnerabilities, and so the ICS vendor (and its customers) faced a situation where patching was not possible.

In a 2011 case involving another ICS vendor, vulnerable backdoors were found in a PLC by an independent security researcher, who publicly exposed them.
The vendor designed a patch to remove the backdoors, but then learned that these backdoors were widely used by troubleshooting teams for customer support. To complicate matters, the company's quality assurance (QA) process for product changes required four months to complete. This meant that even if customers were willing to sacrifice support for security, they were faced with a four month window of exposure while they waited for the proper testing of patches to be completed.

When it comes to patching for SCADA and ICS system security, the cure may well be worse than the disease itself.

Many SCADA/ICS Users Choose Not to Patch

My last example highlights a core problem with a patch-based strategy for control system security. Many customers simply don't want to run the risk of degrading service and increasing downtime. The vendor noted in the previous example privately told me that they have a 10% patch download rate for released patches.

My own experience with an ICS security product confirms the reality of low patch acceptance in the field. In September 2010, we released Tofino Industrial Security System version 1.6. This upgrade addressed a number of security and performance issues and was offered to all registered users at no charge – if downloaded within 30 days. Initial acceptance was low, so we repeated the offer for an additional 30 days. After two months, only 30% of users had downloaded the free upgrade. And that doesn't necessarily mean they all installed it!

Planned Patching is Good. Reactive Patching is Bad. Rushed Patching is Ugly

Let's be clear – patching bugs is an important process for any control system. And patching for vulnerabilities is critical for good security. But the IT strategy of reactive, continuous patching on a monthly or weekly basis just won't work for SCADA and ICS systems.
Patching in a hurry is just plain dangerous.

SCADA/ICS vendors face multiple issues when trying to create "quick" patches – they have to consider both safety and QA requirements that often delay patch releases. In other cases, a reasonable and safe patch just isn't possible.

SCADA/ICS customers face similar concerns. And quite frankly, who can blame them for not wanting to increase downtime or expose their critical controller or server systems to safety risks?

Patch support for legacy products is also an issue – many expect a control product to operate for 20 years, putting it well outside the typical IT support window. Finally, as noted in the Slammer worm example, patches can require significant staff resources to install safely.

So create a patching plan that works for your process environment. Make sure that it includes processes for proper tests and change management controls. Just don't expect patches to be a quick fix for your control system's security problems. If you do, you may discover new problems that are worse than the bugs the patches cure.

Do you have stories to support or contradict the opinions expressed here? Let me know your thoughts. In my next blog, I'll share some secrets on how to successfully use patching in SCADA and control systems.

Source: https://www.tofinosecurity.com/blog/patching-scada…

OWN WORK PLEASE. NO PLAGIARISM.
ch_12___15__1_.pptx

Chapter 12 – Obsolescence and Procurement of SCADA

• Most new ICS systems are obsolete by traditional IT standards.
• Enterprise computer: 3 – 5 year life.
• ICS system: 15 – 30 year life.
• Many ICS systems are running unsupported versions of Windows or antiquated versions of Linux.
• Philosophy of "If it ain't broke, don't fix it."

Chapter 12 – Cont.

• Common for repair parts to no longer be manufactured.
• When system reliability is questioned, replacement becomes part of the conversation.

Chapter 12 – Cont.

Obsolescence Determination
◦ The software that makes the industrial system manipulate the plant or facility is the highest cost.
◦ ICS systems operate continuously.
◦ Reviewing logs can identify off-normal operating patterns and provide indications of imminent failure:
  ▪ Network communication errors.
  ▪ Operational parameters failing high or low.
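The log-review bullet above names the two off-normal patterns to look for (communication errors and parameters failing high or low) but not how to pull them out of a log. The Python below is an added example, not from the textbook or the slides: it parses a few constructed log lines in an assumed `timestamp source KIND key=value` format (no real vendor format), flags readings outside assumed operating limits, and reports a burst of communication errors from one source inside a sliding window, so that a single timeout is not mistaken for a sign of imminent failure.

```python
"""Flag off-normal patterns in ICS logs: parameter excursions (high/low) and
bursts of communication errors.  Added example; the log format, limits and
device names are assumptions, not any vendor's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from a real device).
SAMPLE_LOG = """\
2024-03-01T08:00:00 PLC-7 PARAM tank_level=52.0
2024-03-01T08:00:05 PLC-7 COMM_ERR peer=HMI-2 code=timeout
2024-03-01T08:00:10 PLC-7 PARAM tank_level=54.5
2024-03-01T08:00:12 PLC-7 COMM_ERR peer=HMI-2 code=timeout
2024-03-01T08:00:20 PLC-7 PARAM tank_level=97.0
2024-03-01T08:00:25 PLC-7 COMM_ERR peer=HMI-2 code=crc
2024-03-01T08:00:30 PLC-7 PARAM pump_temp=41.0
2024-03-01T08:00:40 PLC-7 PARAM pump_temp=-3.0
2024-03-01T08:05:00 PLC-7 COMM_ERR peer=HMI-2 code=timeout
"""

# Assumed operating envelope per parameter: (low, high).
LIMITS = {"tank_level": (10.0, 90.0), "pump_temp": (0.0, 80.0)}

# A source producing this many COMM_ERR events inside the window is a burst.
BURST_THRESHOLD = 3
BURST_WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(r"^(\S+) (\S+) (PARAM|COMM_ERR) (.*)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, kind, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "src": src, "kind": kind, **fields}


def find_excursions(events, limits=LIMITS):
    """(ts, src, parameter, value, 'high'|'low') for every reading outside its envelope."""
    out = []
    for e in events:
        if e["kind"] != "PARAM":
            continue
        for name, (lo, hi) in limits.items():
            if name in e:
                v = float(e[name])
                if v > hi:
                    out.append((e["ts"], e["src"], name, v, "high"))
                elif v < lo:
                    out.append((e["ts"], e["src"], name, v, "low"))
    return out


def find_comm_error_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Per-source sliding window; report (src, first_ts, last_ts, count) once the
    count reaches the threshold, then start a fresh window."""
    bursts = []
    recent = defaultdict(list)
    for e in events:
        if e["kind"] != "COMM_ERR":
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # expire timestamps outside the window
            q.pop(0)
        if len(q) >= threshold:
            bursts.append((e["src"], q[0], e["ts"], len(q)))
            q.clear()
    return bursts


def review(log_text):
    """Run both checks over raw log text; malformed lines are skipped."""
    events = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    return {"excursions": find_excursions(events),
            "bursts": find_comm_error_bursts(events)}


if __name__ == "__main__":
    for kind, findings in review(SAMPLE_LOG).items():
        print(kind)
        for f in findings:
            print("  ", f)
```

On the constructed log this reports the 97.0 tank level (high), the -3.0 pump temperature (low), and one three-error burst between 08:00:05 and 08:00:25; the lone timeout at 08:05:00 is outside the window and is not reported.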

Chapter 12 – Cont.

Replacement Determination
Factors:
◦ 1. Regulatory requirements change.
◦ 2. Does the control system remain capable?
◦ 3. Need for production data in real time to support process improvements?
◦ 4. Reliability in question?
◦ 5. Future capabilities: facility changes?

Chapter 12 – Cont.

Selecting a Vendor
◦ Supply vendor stability is critical because an ICS system may last 15 – 30 years.
◦ A vendor with high failure rate equipment should be cautiously considered.
◦ Be aware of vendors with short life cycles for parts and frequent upgrades.

Chapter 12 – Cont.

Functional Testing
◦ The ICS requires validation testing.
◦ Individual components require testing of configuration settings.
◦ Network equipment requires testing to see if traffic flows as intended.
◦ Verification of signals from field devices.
◦ Software has to operate devices within the parameters identified.
◦ Can take many months or years.
◦ May require field devices to be tuned because computer equipment is now faster.
  ▪ May require a maintenance outage.

Chapter 13 – Patching and Change Management

• Patch – A change to the software on a computer to repair a bug, remediate a vulnerability, or improve minor aspects of the software.
• Patching ICS systems requires significant effort to ensure the ICS system is not negatively impacted.
• Some facilities determine the risk of patching is too great and employ alternative methods to protect the ICS system.

Chapter 13 – Cont.

Patching Analysis
◦ Patching requires a risk vs. reward analysis.
  ▪ If the ICS system is operating properly then there is a risk to patching it.
◦ If the ICS system operates where there is no physical monitoring then it is critical to patch to avoid external tampering.

Chapter 13 – Cont.

Regulatory Patching
◦ Many industries have cyber security regulations that require patching.
◦ Most patches require a system restart, but ICS systems are designed to run continuously for years.
◦ Conducting an outage is costly for most industries. (Patch Tuesday)
◦ Security is enhanced by placing the ICS behind a firewall, in a DMZ.

Chapter 13 – Cont.

Equipment
◦ The HMI is often patched. It usually runs on a version of Microsoft Windows.
◦ Other major components are controllers, input modules, output modules, PLCs, switches, data converters, etc.
◦ Manufacturers will provide specific patching instructions for particular equipment.

Chapter 13 – Cont.

Patching Modern Equipment
◦ Use a surrogate or test system.
◦ Only use validated patches recommended by the manufacturer.
◦ Always test the patch on the test ICS prior to patching the production system.

Chapter 13 – Cont.

Patch Testing
◦ Perform a full backup or image of the ICS system prior to patching.
◦ Rolling back patches doesn't always fix ICS systems.
◦ Run a utility or batch file to create a list of all folders, files and file sizes for the entire system when possible.
  ▪ If the file size changed then that file was affected by the patch.
◦ If a test ICS system is available, try creating a virtual test environment.
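The batch-file check in the slide above (also described in PART 2) compares file sizes before and after a patch. A practitioner would want a hash alongside the size: a patch that replaces a binary with one of the same length, or a hotfix that changes bytes in place, leaves the size untouched and is invisible to a size-only comparison. The Python below is an added example, not from the book, the DHS recommended practice or any vendor tool. It snapshots a directory tree into a manifest of (size, SHA-256) per file, applies a simulated patch to a constructed tree in a temporary directory, and classifies the differences, separating out the same-size modification that the size-only method misses.

```python
"""Pre/post-patch file manifest with size AND SHA-256.  Added example; the
directory tree and the 'patch' are constructed inside a temporary directory."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each regular file (path relative to root, '/' separated) to (size, sha256)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = (os.path.getsize(full), h.hexdigest())
    return manifest


def diff_manifests(before, after):
    """Classify every path seen in either manifest.  'same_size_modified' is the
    class a size-only batch file cannot see; it needs the hash."""
    result = {"added": [], "removed": [], "resized": [], "same_size_modified": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            result["added"].append(rel)
        elif rel not in after:
            result["removed"].append(rel)
        elif before[rel][0] != after[rel][0]:
            result["resized"].append(rel)
        elif before[rel][1] != after[rel][1]:
            result["same_size_modified"].append(rel)
    return result


def demo():
    """Constructed tree: the simulated patch modifies a binary in place (same size),
    grows a config file, adds a library and deletes a log file."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("bin/hmi.exe", b"A" * 1024)
        write("cfg/tags.xml", b"<tags/>")
        write("lib/driver.dll", b"B" * 512)
        write("tmp/old.log", b"x")
        before = snapshot(root)            # baseline taken before patching

        write("bin/hmi.exe", b"A" * 1023 + b"Z")   # one byte changed, size identical
        write("cfg/tags.xml", b"<tags><tag/></tags>")
        write("lib/newdep.dll", b"C" * 64)
        os.remove(os.path.join(root, "tmp/old.log"))
        after = snapshot(root)             # taken after the simulated patch

        return diff_manifests(before, after)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run the `snapshot` step on the test ICS before the patch, save the manifest with the backup image, and diff it after the patch; anything in `same_size_modified` is a file the slide's size-only method would have reported as untouched.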

Chapter 13 – Cont.

Patching Minimization
◦ Remove any unnecessary software – software not responsible for ICS operation.
◦ Remove email, web browsers, painting programs, etc.
  ▪ Remove all files and programs not needed by the ICS OS.

Chapter 14 – Physical Security Management

Physical Security Defined
◦ Physical security is adapting to a technology-enabled world.
◦ Involves the tangible efforts to deter, delay, detect, deny, and sometimes detain those who would cause injury or disruption to personnel, assets, or operations.
◦ Enforced through the implementation of administrative, physical, procedural, or technical controls.
  ▪ Guards, fences, gates, locks, barriers.

Chapter 14 – Cont.

• The role of physical security is to ensure that sensitive assets are protected so the organization can count on them.
• Important during incident command and control during crisis management.

Chapter 14 – Cont.

Applying the Physical Security Concept
◦ The time it takes to detect and respond to an attack must be less than the time it takes for an attacker to cause harm.
◦ Protection, detection, response, recovery.
◦ Deter, detect, delay, deny, detain.
◦ The physical security practitioner must understand the threat's knowledge, skills, abilities, resources, intent, commitment, and modus operandi.

Chapter 14 – Cont.

Security, Compliance, Cost
◦ One approach – See security in terms of investigation, assessment, response.
  ▪ Problem: Talent costs $.
◦ Another approach – Compliance with best practices and standards.
  ▪ Problem: A snapshot in time; the entire security posture can be reverse engineered.

Chapter 14 – Cont.

Note on the Physical Security Practitioner
◦ Needs to possess a detailed understanding of the organization's operations and how to manage those risks.
◦ Needs to be able to integrate his/her priorities with the needs of parallel programs.
  ▪ For example: One building access point with an x-ray machine, biometrics, and badge swipe will congest the floor and prevent employees from arriving on time.

Chapter 14 – Cont.

Network Dimension of Physical Security
◦ Servers would be housed in a high-security zone.
◦ An individual would pass through 3 security checks before gaining physical access to the server.
◦ We also have to look at how the individual could remote in and bypass all physical security.
◦ Need a consistent security posture that crosses the physical and logical divide.

Chapter 14 – Cont.

Considering Availability
◦ 3 Factors:
  ▪ Who has access to the ICS and are they trustworthy?
  ▪ Is the method of protection adequate given the KSAs, resources, intent, and commitment of the adversary?
  ▪ What is the balance between the need to operate in a protection-detection-response-recovery model and a robust, resilient, redundant model?

Chapter 14 – Cont.

Clark-Wilson Model
◦ Another integrity model.
◦ Intends to prevent the corruption of data through trustworthy or well-formed transactions.
◦ Data entered into the process is handled by transformation procedures, which produce trustworthy data that is handled only in certain ways (constrained data items).
  ▪ Example high-availability system:
    ◦ Can tolerate 101 mL where 100 mL are called for. You purchase valves that won't stay open past 100 mL.
    ◦ The role of physical security extends to the supply chain by ensuring that attempts to introduce unauthorized valves are detected. Valves are given tamper-proof packaging and stored in controlled areas.
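To make the valve example concrete, here is a small Clark-Wilson enforcement sketch in Python. It is an added illustration, not from the textbook or the slides: the valve setpoint is a constrained data item (CDI) that can only be changed through a certified transformation procedure (TP); an access triple (user, TP, CDI) decides who may run which TP on which item; and an integrity verification procedure (IVP) checks the 100 mL invariant before and after every transaction, rolling back any transaction that would violate it. The user names, the TP name and the valve identifier are assumptions made for the example.

```python
"""Toy Clark-Wilson enforcement for the slide's valve example.
Added example, not from the textbook: names, limits and users are assumptions."""

MAX_ML = 100.0   # the process tolerates 101 mL; the valve must never be set past 100 mL


class IntegrityError(Exception):
    """Raised when a transaction would leave a CDI in an invalid state."""


class ValveCDI:
    """Constrained data item: the setpoint is meant to change only through a certified TP."""
    def __init__(self):
        self._setpoint_ml = 0.0
        self.log = []   # audit trail of well-formed transactions (user, tp, args, result)

    @property
    def setpoint_ml(self):
        return self._setpoint_ml


def ivp(cdi):
    """Integrity verification procedure: is the CDI in a valid state?"""
    return 0.0 <= cdi.setpoint_ml <= MAX_ML


_CERTIFIED_TPS = {}   # tp name -> function certified to operate on a ValveCDI
_ACCESS = set()       # access triples (user, tp name, cdi name)


def certify_tp(name, fn):
    _CERTIFIED_TPS[name] = fn


def allow(user, tp_name, cdi_name):
    _ACCESS.add((user, tp_name, cdi_name))


def run_tp(user, tp_name, cdi_name, cdi, *args):
    """The enforcement point: check the access triple, run only certified TPs,
    check the IVP before and after, and roll back a TP that breaks the invariant."""
    if (user, tp_name, cdi_name) not in _ACCESS:
        raise PermissionError(f"{user} is not authorized to run {tp_name} on {cdi_name}")
    if tp_name not in _CERTIFIED_TPS:
        raise IntegrityError(f"{tp_name} is not a certified TP")
    if not ivp(cdi):
        raise IntegrityError("CDI already invalid before transaction")
    saved = cdi._setpoint_ml
    _CERTIFIED_TPS[tp_name](cdi, *args)
    if not ivp(cdi):
        attempted = cdi._setpoint_ml
        cdi._setpoint_ml = saved          # roll back: the CDI never stays invalid
        raise IntegrityError(f"{tp_name} rejected: {attempted} mL exceeds {MAX_ML} mL")
    cdi.log.append((user, tp_name, args, cdi.setpoint_ml))
    return cdi.setpoint_ml


def tp_set_dose(cdi, ml):
    """Certified TP: sets the dose setpoint.  Validity is enforced by run_tp, not here."""
    cdi._setpoint_ml = float(ml)


certify_tp("set_dose", tp_set_dose)
allow("operator", "set_dose", "valve7")


def demo():
    """Constructed scenario: a valid dose, an over-limit dose, and an unauthorized user."""
    valve = ValveCDI()
    out = {"ok": run_tp("operator", "set_dose", "valve7", valve, 95)}
    try:
        run_tp("operator", "set_dose", "valve7", valve, 101)    # past the 100 mL limit
        out["over"] = "accepted"
    except IntegrityError:
        out["over"] = valve.setpoint_ml                         # rolled back to 95.0
    try:
        run_tp("contractor", "set_dose", "valve7", valve, 50)   # no access triple
        out["contractor"] = "accepted"
    except PermissionError:
        out["contractor"] = "denied"
    out["log_entries"] = len(valve.log)
    return out


if __name__ == "__main__":
    print(demo())
```

The physical valve that cannot stay open past 100 mL and the software check in `run_tp` are the same invariant enforced at two layers; the audit log plays the role the slide assigns to tamper-proof packaging and controlled storage, a record that the only changes were well-formed ones.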

Chapter 14 – Cont.

Integrating Physical Security
*Automate all of this if possible.
• Separation of duties.
• Biometrics.
• Encrypting server data so if it is physically stolen…
• Hardening USB ports.
• The server case is hardened against prying.
• Cabling is shielded against emissions.
• Peripherals are protected.
• The entire system is caged.
• Detection mechanisms – Detecting a drop in pressure of gasses within conduit holding cables.
  ◦ Have a camera turn on if/when certain remote valves are accessed.
  ◦ Blast loud music or sirens if attackers are present.
  ◦ Have alternate routes for pipelines if compromised.

Chapter 15 – Tabletop/Red-Blue Exercises

What is a Tabletop Exercise?
◦ Planning for real life partial or total infrastructure operations failure.
◦ Helps identify weaknesses or gaps in procedural steps, training, staff development, and incident response.
◦ Supplements penetration testing, validation testing and auditing.

Chapter 15 – Cont.

Tabletop Exercise
◦ All stakeholders run through one or more scenarios and identify if their org can handle the emergency and if business operations remain operational.
◦ Grade the exercise and compare to similar orgs in the industry.
◦ You want the decision makers to be in a stress free environment.
◦ Conducted by a facilitator.
◦ Solve problems as a group.

Chapter 15 – Cont.

Advantages of Tabletop Exercise
◦ Small commitment of time, cost, and resources.
◦ Effective method for reviewing configurations, procedures, and policies.
◦ Acquaints personnel with their emergency responsibilities and procedures.

Chapter 15 – Cont.

Disadvantages of Tabletop Exercise
◦ Not a realistic outcome.
◦ Not a practical way to demonstrate a dysfunctional/non-operational system.
◦ Superficial exercise based on stated configurations, procedures, and personnel capabilities.

Chapter 15 – Cont.

How a Tabletop Exercise Works
◦ Recommend using an EOC or alternative operations center.
◦ Provide a way to notify of event injects.
◦ Utilize reference material such as:
  ▪ Emergency documentation, configurations, designs, maps, and other reference materials.

Chapter 15 – Cont.

Facilitating a Tabletop Exercise
◦ Facilitator responsibilities:
  ▪ Providing and introducing the narrative.
  ▪ Facilitating problem solving activities.
  ▪ Controlling speed and direction of the exercise.
  ▪ Distributing messages to the participants.
  ▪ Stimulating discussion and possible answers.

Chapter 15 – Cont.

Setting and Configuring the Tabletop Exercise
• Facilitator provides welcoming introduction.
• Participants are briefed.
• Narrative statement about the exercise.
• "The Ice Breaker" – General questions, "What if?" scenarios.

Chapter 15 – Cont.

Tips for Involving Everyone
◦ Organize the scenarios, statements, messages so that everyone must deal with them.
◦ Assign work to "departments".
◦ Avoid jumping in during choke points in problem solving.
◦ Model and encourage behaviors you want from participants. – Avoid negative feedback.

Chapter 15 – Cont.

Controlling and Sustaining Action
• Use multiple event stages.
• Vary the pace.
• Maintain a balance through the exercise.
• Observe for signs of frustration or conflict.
• Keep the exercise "low key".

Chapter 15 – Cont.

Designing a Tabletop Exercise
• Document expected or anticipated outcomes.
• Define the scope of the exercise.
• Write a purpose statement.
• Define objectives to accomplish goals of the purpose statement.
  ◦ Compose a narrative.
  ◦ Write significant and detailed events leading to the problem scenario.
  ◦ Prepare statements or messages used throughout the exercise.

Chapter 15 – Cont.

What is a Red-Blue Team Exercise?
◦ Offensive team: Red team.
◦ Defensive team: Blue team.
• DHS's Cyber Security Division's Control Systems Security Program (CSSP) – Advanced red-blue exercise method for critical infrastructure asset owners.
• Provides advanced hands-on training on protecting actual control systems.

Chapter 15 – Cont.

Lessons Learned from Tabletops and Red-Blue Team Exercises
◦ Test team members' understanding of policies and procedures for incident handling.
◦ Review effectiveness and suitability of policies and procedures.
◦ Evaluate coordination with federal, state, and local government.
◦ Identify any gaps and mitigate them.
◦ Educate all involved.
