SCADA Security Presentation


Published on March 22, 2009

Author: fmaertens



Presentation on the growing challenge of information security in critical infrastructures.

Cyber threats to critical infrastructures. A summary on emerging contemporary national threats. ECSA Lecture – 15.06.2006

About.
CYBER THREATS TO CRITICAL INFRASTRUCTURES
Filip MAERTENS, Partner, Uniskill, Audit & Assessment Services, CISA, CISSP

Agenda.
• The Fear Factor
• What are the components?
• Emerging threats and vulnerabilities
• Risk mitigating practices

The Fear Factor.
• Chevron (1992). Emergency system was sabotaged by a disgruntled employee in over 22 states.
• Worcester Airport (1997). External hacker shut down the air and ground traffic communication system for six hours.
• Gazprom (1998). Foreign hackers seize control of the main EU gas pipelines using trojan horse attacks.
• Queensland, Australia (2000). Disgruntled employee hacks into sewage system and releases over a million liters of raw sewage into the coastal waters.

The Fear Factor. (cont’d)
• Venezuela Port (2002). Hackers disabled PLC components during national unrest and a general workers’ strike, disabling the country’s main port.
• Ohio Davis-Besse Nuclear Plant (2003). Plant safety monitoring system was shut down by the Slammer worm for over five hours.
• Israel Electric Corporation (2003). Cyber attacks originating from Iran penetrated IEC but failed to shut down the power grid using DoS attacks.
• DaimlerChrysler (2005). 13 U.S. manufacturing plants were shut down due to multiple internet worm infections (Zotob, RBot, IRCBot).

Some first hand experiences.
• International Energy Company (2005). Malware-infected HMI system disabled the emergency stop of equipment under heavy weather conditions.
• Middle East Sea Port (2006). Intrusion test gone wrong: ARP spoofing attacks shut down the port signaling system.
• International Petrochemical Company (2006). Extremist propaganda was found together with text files containing usernames and passwords of control systems.

False stories. Yet…
• U.S. East Coast blackout (2003). A worm did not cause the blackout, yet the Blaster worm did significantly infect all systems that were related to the large scale power blackout.
• Al Qaeda plans worldwide attacks on SCADA technology (2003). Computers and manuals seized in Al Qaeda training camps did contain information on dams and related infrastructures, yet no clear evidence of near-future attacks is present.
• “Beware. Cyber terrorism is near!” (2003). IDC research publications appear to be based on strong coffee rather than factual research?

The US Blackout in pictures. (image slide; pictures not reproduced in this transcript)

So far, so good?
• No human beings have been known to be killed by cyber attacks:
  – Dorothy Denning: “Unless people are injured, there is less drama and emotional appeal”
• Operations personnel are highly trained for emergencies:
  – Safety is paramount. But do we know how to respond to cyber attacks?
• Cyber terrorism does not scare the public as much as 9/11-type attacks:
  – Large scale ignorance: the general public remains oblivious to cyber threats to our critical infrastructure components

Agenda.
• The Fear Factor
• What are the components?
• Emerging threats and vulnerabilities
• Risk mitigating practices

The NCI playground.
• National Critical Infrastructures (NCI) include, amongst others, the following players:
  – Energy, Communications, Emergency Services, Finance, Government & Public Services, Water, Transportation, Food, Health services and Public Safety
• These industries use Supervisory Control and Data Acquisition (SCADA) systems to monitor and control industrial processes through the collection and analysis of real time data.
• National infrastructures depend on SCADA technologies / systems!

Reliance on SCADA.
• Advancements in control systems require fewer manual / operator interventions and allow more automated controls.
• Master station software analyzes more internally and presents less to the operator.
• HMI / operator software must meet stringent safety requirements for some markets, but there are no specifics on security.

How does SCADA affect me?
• SCADA is a wide and generic term to indicate the whole of industrial control and monitoring systems that:
  – Provide power to your home
  – Bring water into your life
  – Control traffic lights on the way to your office
  – Control the commuter train you are on every day
  – Handle the air conditioning in your office
  – Allow you to call your wife to tell her you’ll be late
• I’d say it pretty much affects every one of us, wouldn’t you?

The SCADA components.
• Multi-tier SCADA terminology crash course:
  – Control endpoints, such as Remote Terminal Units (RTU, and Programmable RTU) and Programmable Logic Controllers (PLC), to measure voltage, adjust valves, flip switches, …
  – Human Machine Interface or HMI (often Windows based GUIs)
  – Intermediate control systems (based on commercial 3rd party OSes)
• Extensive usage of open networking and data communication standards, such as MODBUS, Distributed Network Protocol (DNP) and Utility Communication Architecture (UCA).
  – Wide variety of communication carriers: serial, wireless, radio, analogue, …
  – Raw Data Transmission Protocols, e.g. MODBUS, DNP3, …
    • designed for radio/serial links but tunneled to read alerts and send commands
  – High Level Data Protocols, e.g. ICCP, OPC / DCOM, …
    • designed to provide information to humans and take commands

The SCADA components. (cont’d)
• Building blocks of SCADA:
  – Operating & Monitoring Systems
    • open systems (Microsoft, Linux, Solaris, …)
    • operating system vulnerabilities (e.g. vulndev, bugtraq, fulldisclosure, …)
  – Communication network
    • ethernet, fiber or wireless TCP/IP based transmissions
    • TCP/IP vulnerabilities (e.g. ARP spoofing, TCP ISN generation, …)
    • OPC / DCOM / ICCP / MODBUS / UCA / DNP3 / … vulnerabilities
  – Instrumentation & Industrial systems
    • no authentication, …

Sample SCADA components.
• HMI: presenting data and pushing commands. Where is your human located?
• OPC: optimized for making it easy to program HMI applications
• ICCP: optimized for passing bulk data to systems, e.g. databases, trading or other systems
• DNP3: optimized for collecting data from simple devices

A simple network overview. (diagram slide; not reproduced in this transcript)

Some visuals. (two image slides; not reproduced in this transcript)

The SCADA requirements.
• Determinism:
  – Quality of Service of data communication services
  – Precise interrupt timing
  – Reliability and latency are more important than throughput
• Minimal computing resources:
  – Legacy equipment (pre-486 era)
  – Bandwidth issues including noise, accessibility, etc.
  – Few “extra features” possible, e.g. encryption, authentication, etc.
• Real time operating systems:
  – Lacking encryption and authentication (AuthN, AuthZ)

General INFOSEC concepts.
• Applied to modern SCADA environments:
  1. Availability – easy to perform attacks & multiple attack vectors!
  2. Integrity – multiple attacks & high risks!
  3. Confidentiality – multiple attacks & medium risks.

Known attack motives.
• Industrial sabotage:
  – Disgruntled employees
  – Black-hat hackers & criminals for personal gain
• Coordinated terrorism / eco-terrorists / “hacktivism”:
  – Joint physical and cyber attacks
  – Vendor compromise
• Let’s not forget operator error:
  – Human errors (“forgetting procedures”) and operational failures

Agenda.
• The Fear Factor
• What are the components?
• Emerging threats and vulnerabilities
• Risk mitigating practices

Emerging threats & vulnerabilities.
• Convergence of technology equals convergence of risk:
  – Migration of proprietary systems to open systems (“security by obscurity”)
  – Usage of TCP/IP Ethernet networks
  – Traditionally built to be safe and reliable. But what about secure?
• Main drivers and trends:
  – Convergence of corporate IT with industrial operations
  – Migration towards open protocols, e.g. MODBUS, DNP3, … over Ethernet carriers
  – Wireless technology increasingly used
  – Remote access for maintenance and support facilities

Layers of cyber security attacks. (diagram slide; not reproduced in this transcript)

Layers of risk.
• Network (Inter)Connectivity & General Access Risks: entry vectors
  – Local Area Network / Corporate Networks
  – Internet connections
  – Direct access connections
  – Out of band access connections
• Network Protocol Risks: attack vectors
  – Known TCP/IP Ethernet based vulnerabilities
  – Wireless connectivity problems
  – Open SCADA protocol vulnerabilities
• Monitoring and Command Systems Risks: attack vectors
  – Known open system vulnerabilities (e.g. Microsoft, Linux, Solaris, …)

Connectivity & Access.
• LAN & Corporate Network interconnectivity:
  – Using simple, or even non-existent, packet filters
  – Threats from corporate environments (e.g. viruses, hackers, …) can easily jump to industrial networks => huge risk propagation factor.
• A BCIT survey on incidents by internal entry points: (chart not reproduced in this transcript)

Connectivity & Access. (cont’d)
• Internet connectivity => uncontrolled, a huge risk in its own right
  – Major threat for HMI and other operator systems!
  – Increasing number of external attacks over the Internet
• A BCIT survey on incidents by external entry points: (chart not reproduced in this transcript)

Connectivity & Access. (cont’d)
• Direct access connections:
  – 3rd party vendor access often needed for remote support and maintenance
  – Remote access often preferred for “remote management” purposes
  – Direct access connection types:
    • dial-in
    • xDSL and direct cable connections with remote management software (cf. Internet access)
    • wireless
  – Direct access often used with low or no identification and authentication controls in place.
• Problems with third-party contractors, suppliers and vendors

Connectivity & Access. (cont’d)
• Out of band connections:
  – All of the above, but… now without anyone knowing it!
  – Common types of out of band connections:
    • rogue access points
    • uncontrolled dial-up modems
    • uncontrolled connection tunnels (e.g. VPN, …)
  – Problem: network traffic is bidirectional! *sigh*

Protocol risks & vulnerabilities.
• Supporting network protocols are Ethernet & TCP/IP based:
  – Designed for reliable packet transport, but known for insecurity!
  – Foremost threats and risks are: Denial of Service, ARP attacks, manipulation of packet data, man in the middle, identity theft
• Technology and knowledge become very accessible:
  – Clear evidence that common hackers are showing a growing interest in SCADA protocols and technology!
• Open SCADA protocols are designed for reliability and speed, but security?

Protocol risks & vulnerabilities. (cont’d)
• MODBUS(+) has known vulnerabilities: countermeasures are being put in place as we speak.
  – Reminder: MODBUS is used for …
  – Common attacks on MODBUS(+) protocols:
    • generating network broadcast storms => interruption of service
    • manipulating command data => reset system, disrupt component, reprogram
• DNP3 has multiple vulnerabilities: no current countermeasures.
  – Reminder: DNP3 is used for …
  – Common attacks on DNP3 protocols:
    • degrade system performance (“IIN1.4 bit attack”)
    • manipulating command data => reset system, overwrite configuration file
    • file manipulation on the industrial component
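The slide's point that MODBUS carries commands with no authentication is easiest to see from the monitoring side. The following Python is an added example, not from the lecture or any vendor: it parses Modbus/TCP frames (the 7-byte MBAP header followed by the PDU, as laid out in the public Modbus application protocol specification) and flags any write or diagnostic function code that does not come from an allow-listed master, plus frames whose length field disagrees with the bytes actually present. The host addresses, the allow-list and the sample frames are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
DIAGNOSTICS = 8  # sub-functions can clear counters or change the device's mode


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame: MBAP header (7 bytes) followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto}")
    # The MBAP length field counts the unit id plus the PDU, i.e. every byte after offset 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    return ModbusFrame(tid, unit, frame[7], frame[8:])


# Constructed policy: only the engineering HMI may write or run diagnostics.
ALLOWED_WRITERS = {"10.2.0.10"}


def classify(src_ip: str, raw: bytes) -> tuple:
    """Return (verdict, detail) for one observed frame from src_ip."""
    try:
        frame = parse_modbus_tcp(raw)
    except ValueError as exc:
        return ("MALFORMED", str(exc))
    fc = frame.function_code
    if fc & 0x80:  # exception responses echo the request code with the high bit set
        return ("EXCEPTION", f"unit {frame.unit_id} rejected function {fc & 0x7F}")
    if fc in WRITE_FUNCTIONS or fc == DIAGNOSTICS:
        name = WRITE_FUNCTIONS.get(fc, "Diagnostics")
        if src_ip not in ALLOWED_WRITERS:
            return ("ALERT", f"{src_ip} sent {name} (fc {fc}) to unit {frame.unit_id}")
        return ("WRITE", f"{src_ip} sent {name} to unit {frame.unit_id}")
    if fc in READ_FUNCTIONS:
        return ("READ", f"{src_ip} {READ_FUNCTIONS[fc]} from unit {frame.unit_id}")
    return ("UNKNOWN", f"{src_ip} used undefined function code {fc}")


def audit(events) -> list:
    """Classify a sequence of (source ip, raw frame) observations."""
    return [classify(src, raw) for src, raw in events]


# Constructed sample traffic; hex is MBAP header + PDU, not captured from any real system.
SAMPLE_EVENTS = [
    ("10.2.0.10", bytes.fromhex("00010000000601030000000a")),   # HMI reads 10 holding registers
    ("10.2.0.77", bytes.fromhex("00020000000601050013ff00")),   # unknown host forces coil 19 ON
    ("10.2.0.10", bytes.fromhex("00030000000b01100001000204000a0102")),  # HMI writes 2 registers
    ("10.2.0.77", bytes.fromhex("00040000001401030000000a")),   # length field claims 20 bytes
    ("10.2.0.20", bytes.fromhex("000100000003018302")),         # PLC exception: illegal address
    ("10.2.0.77", bytes.fromhex("000500000006010800000000")),   # unknown host runs diagnostics
]

if __name__ == "__main__":
    for verdict, detail in audit(SAMPLE_EVENTS):
        print(f"{verdict:10} {detail}")
```

The useful property for a control network is that legitimate traffic is highly regular: a fixed set of masters, a fixed set of function codes, fixed polling intervals. A passive sensor that knows the allow-list therefore catches a write from an unexpected host even though the protocol itself would accept it without question.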

Protocol risks & vulnerabilities. (cont’d)
• UCA / SMART GOOSE has vulnerabilities: more research is being spent on investigating new vulnerabilities.
  – Reminder: SMART GOOSE is used for high speed multi-device communications
  – Common attacks on UCA / SMART GOOSE protocols:
    • interception of devices during the “mentoring phase” (identification phase)
    • ARP table manipulations resulting in a Denial of Service condition!
• OPC has multiple vulnerabilities: authentication?

Protocol risks & vulnerabilities. (cont’d)
• Multiple wireless connections => multiple attacks!
  – Physical presence is no longer required; the attack zone depends on wireless range
  – Wireless in a real-time communication environment? Beware!
• Bluetooth (IEEE 802.15.1). Insecure.
  – Known attacks to send AT commands, download address books and break pairing mechanisms
• WLAN (IEEE 802.11). Insecure.
  – Multiple attacks including encryption key breaking (WEP/WPA), MAC bypass attacks, Access Point denial of service attacks

Protocol risks & vulnerabilities. (cont’d)
• Zigbee (IEEE 802.15.4). Low power radio transmission.
  – Frequency disruption attacks => denial of service or alert mode
• WiMAX (IEEE 802.16). Untested.
  – Huge area span (> 50 km coverage) equals your attack range :-)

Systems.
• Most systems run COTS / 3rd party operating systems, including Microsoft Windows, Linux, VMS and Solaris.
• The shift from proprietary systems to open systems has led to widespread interest in underground research communities in investigating SCADA component vulnerabilities.
  – No more security by obscurity
• And… Where are they deployed? What are they actually used for?
  – Infested with malware, worm and virus infections?
  – Backdoored using rootkits?
  – Members of botnets?

Systems. (cont’d)
• BCIT 2005 findings on system attacks: (chart not reproduced in this transcript)

Summary of risk scenarios.
• SCADA command systems can be hijacked or disrupted using widely available knowledge and open source tools.
• SCADA protocols offer no authentication mechanisms.
• SCADA protocols have no encryption capabilities.
• SCADA systems have “different” patch cycles than IT systems:
  – Patching production SCADA systems is often simply out of the question!
• Uncontrolled connectivity of SCADA systems and related components to untrusted networks.

So, technically speaking…
• Uncontrolled SCADA environments are easily prone to:
  – Disruption of services, bringing the industrial process to a halt;
  – Manipulation of data that might disrupt industrial processes or seriously sabotage the environment;
  – External intrusions using Internet, dial-in or remote management software.
• Question. How does all this apply to your infrastructure?
  – You do the math…

What did we see already?
• Frankly put. Too much:
  – Remote access software (Microsoft RDP) using one-letter passwords
  – Direct dial-in for control of pumps without authentication
  – Corporate networks directly connected with industrial control network segments
  – Unprotected wireless access points “because it’s faster”
  – Lost PDAs with service software for industrial food processing components
  – 0-day OPC/DNP3 exploit code circulating on underground hacking networks
  – Malware-infected HMI systems used for browsing “non work related” websites
  – …

Agenda.
• The Fear Factor
• What are the components?
• Emerging threats and vulnerabilities
• Risk mitigating practices

Some risk mitigation practices.
• Apply a layered security approach / Defense in Depth principle!
• Cyber security for process control:
  – Performance (real-time, critical response, no delay allowed)
  – Availability (outage is not acceptable, fault tolerant, pre-deployment testing)
  – Security scope (controllers, field devices, stations, servers, protocols)
  – Time critical interaction (response to human emergency action is crucial)
  – Communications (proprietary protocols, diverse communication carriers)
  – Software updates (strictly controlled updates)

Some risk mitigation practices. (cont’d)
• Your control environment security mission:
  – CYBER SECURITY FOR INDUSTRIAL CONTROL SYSTEMS IS TO DESIGN, BUILD AND MAINTAIN SYSTEMS TO BE AVAILABLE, TO ASCERTAIN THAT OPERATORS ARE IN CONTROL AND THAT THE PROCESSES OF THE PLANT ARE SECURED.
• Ensure that the plant’s requirements are met in terms of availability, integrity and confidentiality
• Ensure that staff / operators are given proper security training and awareness
• Embed security as an integral part of the life cycle process of your environment

Some risk mitigation practices. (cont’d)
• Venues where INFOSEC principles apply:
  – Enforcement of security policies and procedures
  – Risk management principles applied to process control environments
  – Security and contingency planning
  – Incident response planning
  – Physical and personnel security
  – Awareness and training
• Technology applied principles:
  – Access control mechanisms
  – Identification and strong authentication protocols
  – Auditing, IDS and logging mechanisms
  – Encryption technology
  – Specialized firewall technologies
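The "Connectivity & Access" slides earlier list the entry vectors (corporate LAN, Internet, direct and out-of-band connections) and this slide names the controls against them (access control, auditing/IDS/logging, firewalls). As an added example, not part of the lecture, the Python below writes down a zone policy for a segmented plant network and checks flow-log lines against it: a cross-zone flow that the policy does not list is reported, and a control-zone source that is absent from the asset inventory is reported as a possible rogue or out-of-band device. The zones, addresses, inventory, policy and log lines are all constructed for this example; a real deployment would feed it from the firewall's or sensor's flow export.

```python
import ipaddress

# Constructed zone map: example addresses only, not any real site.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("10.2.0.0/24"),
}

# Constructed asset inventory of the control zone; any other address seen
# there is treated as an unknown (possibly out-of-band) device.
CONTROL_INVENTORY = {
    "10.2.0.10": "HMI-1",
    "10.2.0.20": "PLC-pump-A",
    "10.2.0.21": "PLC-pump-B",
}

# Allowed (source zone, destination zone, destination port) triples.
# Corporate never reaches control directly; everything goes through the DMZ.
POLICY = {
    ("control", "control", 502),  # HMI polls and commands PLCs over Modbus/TCP
    ("dmz", "control", 502),      # DMZ historian polls PLCs
    ("corporate", "dmz", 443),    # corporate users read the historian's web front-end
}


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'internet' for any unmapped address."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_flow(line: str) -> tuple:
    """Evaluate one flow record of the constructed form '<timestamp> <src> <dst> <dport>'."""
    try:
        _ts, src, dst, port = line.split()
        port = int(port)
    except ValueError:
        return ("UNPARSED", line)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # Out-of-band detection: a control-zone talker that was never inventoried.
    if src_zone == "control" and src not in CONTROL_INVENTORY:
        return ("ROGUE", f"unknown device {src} in control zone talking to {dst}:{port}")
    if (src_zone, dst_zone, port) in POLICY:
        return ("ALLOW", f"{src_zone}->{dst_zone}:{port}")
    return ("DENY", f"{src} ({src_zone}) -> {dst} ({dst_zone}):{port} not in policy")


def analyze(lines) -> list:
    """Classify every flow line; callers act on DENY and ROGUE entries."""
    return [check_flow(line) for line in lines]


# Constructed flow records (not from any real network).
SAMPLE_FLOWS = [
    "2006-06-15T10:01:02 10.2.0.10 10.2.0.20 502",    # HMI to PLC: expected
    "2006-06-15T10:01:05 10.0.4.21 10.2.0.20 502",    # corporate workstation straight to a PLC
    "2006-06-15T10:01:09 203.0.113.5 10.2.0.10 3389", # Internet host reaching the HMI's RDP port
    "2006-06-15T10:01:12 10.2.0.99 10.2.0.21 502",    # address not in the control inventory
    "2006-06-15T10:01:20 10.1.0.5 10.2.0.21 502",     # DMZ historian polling a PLC: expected
    "2006-06-15T10:01:25 10.0.4.21 10.1.0.5 443",     # corporate user to historian web: expected
]

if __name__ == "__main__":
    for verdict, detail in analyze(SAMPLE_FLOWS):
        print(f"{verdict:8} {detail}")
```

Two of the sample lines correspond directly to findings on the "What did we see already?" slide (corporate networks wired into control segments, and remote access reachable from outside); the ROGUE line is what an uncontrolled modem or access point looks like once the inventory is the reference, which is why an up-to-date asset list is as much a security control as the firewall rule set.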

Some risk mitigation practices. (cont’d)
• Where to start? Guiding documents? (image slide; not reproduced in this transcript)

Some risk mitigation practices. (cont’d)
• Where to find more information and advisory:
  – NISCC / BCIT Good Practices Whitepaper
  – US Department of Energy
  – Multiple industry organizations involved with security best practices: SANDIA, NERC, AGA, API, CIGRE, IEC, ISA, IEEE, NIST, CIAO

Questions? Debate.
CYBER THREATS TO CRITICAL INFRASTRUCTURES
Filip MAERTENS, Partner, Uniskill, Audit & Assessment Services, CISA, CISSP

Corporate Information. For more information, please visit
