Using Open Source Intelligence to Improve ICS & SCADA Security
Richard Piggin
Agenda
1. Our expertise
2. Sources
3. Methodology
4. Physical Vulnerabilities
5. Social Media and Social Engineering
6. Control Systems Vulnerabilities
7. Threat Assessment
8. Key Points
Our expertise
Atkins Capability
Sources
Mainstream media
Academic material
Methodology
Antagonist attack cycle
Physical Vulnerabilities
MAPPING & IMAGERY
Mapping: Threats & Mitigation

THREATS | MITIGATION
Several semi-detailed internal plans of the facility with itemised locations that could greatly assist any trespasser | Requirement to establish sources for accuracy and to investigate the potential to reduce footprint and request removal of some sources
Security
Infrastructure
Commercial in Confidence
Social Media & Social Engineering
Job Title | Social Media Platform | Notes
Lead Control and Instrumentation Engineer | Facebook | Comments have shown that he has a strong association with the company's ICS infrastructure. Lives in .......
C&I Lead Engineer | LinkedIn, Facebook | Has given presentations on plant upgrades. These include imagery of servers and systems.
EC&I Engineer | LinkedIn, Facebook |
EC&I Engineer | LinkedIn |
EC&I Section Head | N/A |
Electrical Engineer | LinkedIn |
Former EC&I Team Leader | LinkedIn |
Process Control Engineer | LinkedIn |
Project Engineer | LinkedIn |
Project Engineer | N/A |
Project Engineer | LinkedIn |
Maintenance Technician | LinkedIn |
Operator Maintainer | Facebook |
Safety and Outage Section Head | LinkedIn |
Mechanical Engineer | LinkedIn |
Fire Alarm Engineer | LinkedIn |
Head of Mechanical Engineering | LinkedIn |
Social Media: Threats & Mitigations

THREATS | MITIGATIONS
The personal information made publicly available by employees significantly increases the risk of social engineering and/or phishing attacks by hostile actors | Raise awareness of security risks and third party media. Provide guidance and policy on posting company-related details on social media
Control Systems Vulnerabilities

Publicly available information

Consequences:
1. Understand targets
2. Identify components
3. Gauge scope, scale & effort required
SHODAN results
SHODAN interrogates Internet-connected devices and catalogues the response returned by each device. The response, known as a banner, identifies the particular service and gives details of that service.
OSINT control system threat matrix

Rows (Industrial control systems): Control system A, Control system B, Control system C, Control system D
Column groups (OSINT): System Identification, System Context
Columns: Physical/Network Access | Engineering Personnel Identified | Third Party Identified | SHODAN | Exploit | Vulnerability/Exploit
Rating legend: Most significant / Moderate / Insignificant / None
(The per-system ratings are colour-coded cells on the slide and are not recoverable from its text.)
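The two slides above describe a banner catalogue (SHODAN) and a matrix that rates each control system across several OSINT columns. The following is an added example, not code from the slides or from Atkins, showing how an asset owner can turn the two into a repeatable self-assessment: banner records are classified by the service they reveal, the worst finding per system becomes the SHODAN column, and a rule combines the columns into one rating per system. The banner records, hostnames and the non-SHODAN column values are constructed sample data; the industrial protocol port numbers are the IANA/vendor assignments; the combination rule in overall_rating is this example's own assumption, not the slide's.

```python
"""OSINT exposure self-assessment for an owner's own control systems (added example)."""

# Three-level scale matching the matrix legend on the slide.
NONE, MODERATE, MOST = 0, 1, 2
LABELS = {NONE: "Insignificant / None", MODERATE: "Moderate", MOST: "Most significant"}

# Well-known industrial protocol ports (IANA / vendor assignments).
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet",
}

# Columns as listed on the slide; "SHODAN" is derived from banners below.
MATRIX_COLUMNS = ("Physical/Network Access", "Engineering Personnel Identified",
                  "Third Party Identified", "SHODAN", "Exploit", "Vulnerability/Exploit")

# Constructed sample banner records: (system, address, port, banner text).
# Addresses are from the 192.0.2.0/24 documentation range; nothing here is real.
SAMPLE_BANNERS = [
    ("Control system A", "192.0.2.10", 502, "Unit ID: 1\nDevice Identification: Example PLC"),
    ("Control system A", "192.0.2.11", 80, "HTTP/1.1 200 OK\nServer: Example-HMI/2.0"),
    ("Control system B", "192.0.2.20", 443, "HTTP/1.1 200 OK\nServer: nginx"),
    ("Control system C", "192.0.2.30", 22, "SSH-2.0-OpenSSH_7.4"),
    ("Control system C", "192.0.2.31", 44818, "Product name: Example ENBT module"),
]

# Constructed values for the five manually assessed columns (hypothetical).
SAMPLE_ASSESSMENT = {
    "Control system A": {"Physical/Network Access": MODERATE, "Engineering Personnel Identified": MOST,
                         "Third Party Identified": MODERATE, "Exploit": MOST, "Vulnerability/Exploit": MOST},
    "Control system B": {"Physical/Network Access": NONE, "Engineering Personnel Identified": MODERATE,
                         "Third Party Identified": NONE, "Exploit": NONE, "Vulnerability/Exploit": NONE},
    "Control system C": {"Physical/Network Access": MODERATE, "Engineering Personnel Identified": MODERATE,
                         "Third Party Identified": NONE, "Exploit": NONE, "Vulnerability/Exploit": NONE},
    "Control system D": {c: NONE for c in MATRIX_COLUMNS if c != "SHODAN"},
}


def classify_banner(port, banner):
    """Return (what the banner reveals, significance level)."""
    if port in ICS_PORTS:
        # An industrial protocol answering directly from the Internet.
        return ICS_PORTS[port], MOST
    text = banner.lower()
    if "hmi" in text or "scada" in text:
        # A web front end that names itself as an HMI/SCADA product.
        return "HMI web interface", MOST
    if port in (22, 23, 80, 443):
        # Not ICS-specific, but a reachable management or web service.
        return "generic remote service", MODERATE
    return "unknown service", NONE


def shodan_column(records):
    """Collapse banner records into the SHODAN column: worst level seen per system."""
    levels = {}
    for system, _addr, port, banner in records:
        _, level = classify_banner(port, banner)
        levels[system] = max(levels.get(system, NONE), level)
    return levels


def build_matrix(assessment, records):
    """Merge the manual columns with the SHODAN column derived from banners."""
    shodan = shodan_column(records)
    matrix = {}
    for system, cols in assessment.items():
        row = dict(cols)
        row["SHODAN"] = shodan.get(system, NONE)  # no banner seen: nothing exposed
        matrix[system] = row
    return matrix


def overall_rating(row):
    """Assumed rule: any 'most significant' column, or three or more 'moderate'
    columns, rates the system most significant; any 'moderate' column rates it
    moderate; otherwise insignificant."""
    levels = [row.get(c, NONE) for c in MATRIX_COLUMNS]
    if MOST in levels or levels.count(MODERATE) >= 3:
        return MOST
    if MODERATE in levels:
        return MODERATE
    return NONE


def render(matrix):
    """Plain-text report, one line per control system."""
    lines = []
    for system, row in matrix.items():
        cells = ", ".join(f"{c}={LABELS[row.get(c, NONE)]}" for c in MATRIX_COLUMNS)
        lines.append(f"{system}: overall {LABELS[overall_rating(row)]} ({cells})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_matrix(SAMPLE_ASSESSMENT, SAMPLE_BANNERS)))
```

The point of separating classify_banner from overall_rating is that the banner rule can be tightened (more ports, vendor strings from your own asset register) without touching the way the matrix is combined, and the report can be re-run whenever a new catalogue export arrives to check that footprint-reduction requests actually took effect.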
Industrial Control Systems: Threats & Mitigations

THREAT | MITIGATION
Photos of the installations provide detailed insight into the deployed hardware and software configuration | Reduce Open Source footprint and request removal of appropriate identified sources. Increase security awareness with the marketing function. Establish guidelines for the publication of its information by third parties
Threat Assessment
Industrial control system security themes and challenges

Security Theme | Challenge
Anti-malware & malicious code countermeasures | Systems may not support protection. Alternative measures are required. Delays in adequate protection may result.
Application of patches | Inconsistent protection or delay in achieving suitable protection whilst vendor patches are validated and tested on offline systems
Host systems | Security measures need to address different host systems, taking longer to apply
Operating systems | Security measures must address operating system requirements, particularly where systems are needed beyond end of life support
Networks | Security products often do not support industrial protocols, and their implementation cannot interfere with the real time operation of ICS
Applications | Application of security will need to be tailored and cannot interfere with real time operation of ICS.
Time critical operation | Time constraints require security measures not to impact ICS operation
Availability | Application of security may be delayed due to production. There is a necessity to continue to operate in the presence of a security incident. Non-availability of systems is likely to impact production
Security goals | Contrasting goals and priorities reflect differing domain approaches, highlighting potentially diverse security strategies
IT security awareness | Control engineers do not tend to have cyber security education/training
ICS security awareness | Domain knowledge often limits the understanding required to implement effective security. Fragmented team working (demarcation/lack of ownership) leads to potential security weaknesses
Security testing | Knowledge of ICS testing is required to prevent unintended downtime and system outage. Testing should be performed on non-production systems
Forensics | Implementation requires ICS and forensics knowledge and will be limited to those systems supported
Technology lifetime and support | Integration can be technically demanding over such long time frames. Delay in technology adoption into ICS (typically 10 years) exacerbates risk
Source: Development of industrial cyber security standards: IEC 62443 for SCADA and Industrial control systems, Piggin, R.
Key points
1. Identification of control systems
2. Staff are a rich source: social media, control systems experience and potential for social engineering
3. Link between internet footprint and spear-phishing
4. Third parties: data leakage and access
5. Widely available vulnerability and exploit information for specific control systems
6. ICS security cuts across the organisation; it's not just Engineering or IT