Activity 3 - Complete partnership with New Mexico Tech computer science department chair (Dr. Lorie Liebrock), Department of Homeland Security (DHS) and Idaho Labs (Eric Cornelius, DHS Technical Director at the labs and an ENMU-Ruidoso and NMTech alumnus). This partnership has potential funding for SCADA Forensic Lab equipment and internships. STATUS: In progress; working with Eric on project scope for the SCADA Forensics lab and certification program. Developing a dual-credit program, with Eric providing training to high school teachers. Awarded $120k of SCADA software from Indosoft.
As illustrated in Figure 1, there are many ways to communicate with a CS network and components using a variety of computing and communications equipment. A person who is knowledgeable in process equipment, networks, operating systems and software applications can use these and other electronic means to gain access to the CS. Wireless access points that allow unauthorized connection to system components and networks present vulnerabilities.
Controller units connect to the process devices and sensors to gather status data and provide operational control of the devices. The controller unit communicates with a CS data acquisition server using various communications protocols (structured formats for packaging data for transmission). Communications between the data acquisition server and the controller units in a system may be provided locally using high-speed wire or fiber-optic cables, or to remotely located controller units via wireless, dial-up, Ethernet, or a combination of communications methods.

The operator or dispatcher monitors and controls the system through the Human-Machine Interface (HMI) subsystem. The HMI provides graphical displays presenting the status of devices, alarms and events, system health, and other information relevant to the system. The operator can interact with the system through the HMI displays to remotely operate system equipment, troubleshoot problems, develop and initiate reports, and perform other operations.

System data is collected, processed and stored in a master database server. This data is retained for the trending, archival, regulatory, and external access needs of the business. The data comes from the following sources: the data acquisition server, operator control interactions, alarms and events, and values calculated and generated from other sources. Most control systems utilize specialized applications for performing operational and business-related data processing. These tasks are typically performed on advanced application servers pulling data from various sources on the control system network. These applications can result in real-time operational control adjustments, reports, alarms and events, calculated data for archival in the master database server, or support of real-time analysis work being performed from the engineering workstation or other interface computers.
An engineering workstation provides a means to monitor and troubleshoot various aspects of the system operation, install and update program elements, recover from failures, and perform miscellaneous tasks associated with system administration. A mission-critical control system is typically configured in a fully redundant architecture allowing quick recovery from loss of various components in the system. A backup control center is used in more critical applications to provide a secondary control system if there is a catastrophic loss of the main system. The control system network is often connected to the business office network to provide real-time transfer of data from the control network to various elements of the corporate office. These often include maintenance planning, the customer service center, inventory control, management and administration, and other units that rely on this data to make timely business decisions.
There are three common architectures found in most control systems. Every business has its own minor variations dictated by its environment. All three are securable if the proper firewalls, intrusion detection systems, and application-level privileges are in place. By far the most common architecture is the two-firewall architecture (see Figure 3). The business LAN is protected from the Internet by a firewall and the control system LAN is protected from the business LAN by a separate firewall. The business firewall is administered by the corporate IT staff and the control system firewall is administered by the control system staff. Large DCS often need to use portions of the business network as a route between multiple control system LANs (see Figure 5). Each control system LAN typically has its own firewall protecting it from the business network, and encryption protects the process communication as it travels across the business LAN. Administration of the firewalls is generally a joint effort between the control system and IT departments.
SCADA security presentation by Stephen Miller
Topics Covered
• Introduction of Cyber Security Center of Excellence
• Control Systems Security Program Overview
  – Overview of Cyber Vulnerabilities
  – Understanding Control System Cyber Vulnerabilities
  – Access to the Control System LAN
  – Discovery of the Process
  – Control of the Process
• Q&A
Content from Eric Cornelius, Director SCADA Cyber Forensics, Department of Homeland Security, Idaho National Labs and USCERT
Introduction of Cyber Security Center of Excellence
• Provide unique online Evergreen Education and Training Programs in IT/SCADA Cyber Security.
• Build on the current online programs:
  – Computer and Network Certification Credit Hour.
  – Professional Education Self-Paced Cyber Security Program.
  – Professional Education CompTIA Security+ Certification Program.
• Conduct research, development, and training in the field of IT Cyber Security.
• Centered on meeting the private and public sectors' needs for infrastructure monitoring, controlling, and training to protect the security of the United States from enemy cyber attacks.
• Supercomputer Decision Support and Counter Attack Measures Cyber Operations System.
• Utilizing SCADA, Decision Support, Artificial Intelligence, and Knowledge Based processes in a lab environment.
• Serve as a National Clearinghouse on Cyber Security.
• Focus on education/training based on INFOSEC standards.
• Research/Development in Best Practices, process reengineering, and technology.
• Provide Specialized Professional Services to the private and public sectors through conferences/summits, workshops, publications, and speaking engagements.
Control Systems Security Program Recommended Practices Overview
• Addresses the issues encountered in developing and maintaining a cyber forensics plan for control systems environments.
• Supports forensic practitioners in creating a control systems forensics plan.
• Assumes evidentiary data collection and preservation using forensic best practices.
• The goal is not to reinvent proven methods, but to leverage them in the best possible way.
• The material in this recommended program provides users with the appropriate foundation to allow these best practices to be effective in a control systems domain.
• The program is organized into three major sections:
  – Section 1, Traditional Forensics and Challenges to Control Systems.
  – Section 2, Creating a Cyber Forensics Program for Control Systems Environments.
  – Section 3, Activating and Sustaining a Cyber Forensics Program.
• Link to White Paper: http://www.uscert.gov/control_systems/practices/documents/Forensics_RP.pdf
Overview of Cyber Vulnerabilities
• Control systems are vulnerable to cyber attack from inside and outside the control system network.
• To understand the vulnerabilities associated with control systems you must know:
  – Types of communications.
  – Operations associated with the control system.
  – An understanding of how attackers are using the system vulnerabilities to their advantage.
• This discussion provides a high-level overview of these topics but does not discuss detailed exploits used by attackers to accomplish intrusion.
Understanding Control System Cyber Vulnerabilities
• To understand the vulnerabilities associated with control systems (CS), you must first know all of the possible communications paths into and out of the CS.
• Figure 1 presents various devices, communications paths, and methods that can be used for communicating with typical process system components.
Figure 1: Communications access to control systems
Understanding Control System Cyber Vulnerabilities
• In a typical large-scale production system utilizing a SCADA or Distributed Control System (DCS) configuration, there are many computer, controller and network communications components integrated to provide the operational needs of the system. A typical network architecture is shown in Figure 2.
Figure 2: Typical two-firewall network architecture
Understanding Control System Cyber Vulnerabilities
• An attacker who wishes to assume control of a control system is faced with three challenges:
  1. Gain access to the control system LAN.
  2. Through discovery, gain understanding of the process.
  3. Gain control of the process.
Access to the Control System LAN
• Common Network Architectures
• Corporate VPNs
• Dial-up (wireless) Access to the RTUs
• Database Links
• Vendor Support
• Poorly Configured Firewalls
• IT Controlled Communication Gear
• Peer Utility Links

• The first thing an attacker needs to accomplish is to bypass the perimeter defenses and gain access to the control system LAN.
  – Most control system networks are no longer directly accessible remotely from the Internet.
  – Common practice in most industries has a firewall separating the business LAN from the control system LAN.
    • This not only helps keep hackers out, it isolates the control system network from outages, worms, and other afflictions that occur on the business LAN.
  – Most of the attacker's off-the-shelf hacking tools can be directly applied to the problem.
• There are a number of common ways an attacker can gain access, but the miscellaneous pathways outnumber the common pathways.
• The second most common architecture is the control system network as a Demilitarized Zone (DMZ) off the business LAN.
  – A single firewall, administered by the corporate IT staff, protects the control system LAN from both the corporate LAN and the Internet.
Discovery of the Process
• An attacker that gains a foothold on the control system LAN must discover the details of how the process is implemented to surgically attack it.
  – An attacker that wants to be surgical needs the specifics in order to be effective. An attacker that just wants to shut down a process needs very little discovery.
• The two most valuable items to an attacker are:
  1. Points in the data acquisition server database.
    • Each control system vendor calls the database something different, but nearly every control system assigns each sensor, pump, breaker, etc., a unique number. On the communications protocol level, the devices are simply referred to by number.
    • A surgical attacker needs a list of the point reference numbers in use and the information required to assign meaning to each of those numbers.
  2. Human-Machine Interface (HMI) display screens.
    • The operator HMI screens generally provide the easiest method for understanding the process and assignment of meaning to each of the point reference numbers.
    • Each control system vendor is unique in where it stores the operator HMI screens and the points database.
    • Rules added to the Intrusion Detection System (IDS) looking for those files are effective in spotting attackers.
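The slide's last point, that IDS rules watching the points database and HMI screen files catch attackers in the discovery phase, is worth seeing in working form. The following detector is an added example, not code from the presentation, from Eric Cornelius or from US-CERT. It runs over constructed file-access audit records, classifies each path against a watchlist of the two artifacts, and raises an alert when a reader outside an expected baseline touches one, plus a second alert when one reader touches both (the discovery pattern itself). The path patterns, host names and user names are placeholders; real deployments substitute the vendor-specific locations of their own control system.

```python
"""
Added example (not from the presentation or US-CERT): a minimal detector in the
spirit of the IDS rules the slide describes, run over constructed audit records.
Watchlist patterns, users and hosts are placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Placeholder watchlist of sensitive artifacts (vendor-specific in practice).
WATCHLIST: Dict[str, "re.Pattern[str]"] = {
    "points_db": re.compile(r"(?i)(points?\.(db|csv|mdb)|tagdb|point_list)"),
    "hmi_screens": re.compile(r"(?i)\.(gfx|mimic|hmi|scr)$"),
}

# Constructed baseline: (user, host) pairs that legitimately read each artifact.
EXPECTED_READERS: Dict[str, Set[Tuple[str, str]]] = {
    "points_db": {("svc_scada", "DAS01")},
    "hmi_screens": {("operator", "HMI01"), ("operator", "HMI02"), ("svc_scada", "DAS01")},
}

# Constructed audit-record format: "<ts> host=<h> user=<u> op=<read|copy> path=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"
)


@dataclass
class Alert:
    category: str
    user: str
    host: str
    path: str
    reason: str


def classify(path: str) -> Optional[str]:
    """Return the watchlist category a path falls into, or None."""
    for category, pattern in WATCHLIST.items():
        if pattern.search(path):
            return category
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed audit record; None for lines in another format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def detect(lines: List[str]) -> List[Alert]:
    """Run both rules over audit lines and return the alerts in log order."""
    alerts: List[Alert] = []
    touched: Dict[Tuple[str, str], Set[str]] = {}  # reader -> categories seen
    flagged_pattern: Set[Tuple[str, str]] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        category = classify(rec["path"])
        if category is None:
            continue
        reader = (rec["user"], rec["host"])
        # Rule 1: a sensitive artifact read by someone outside the baseline.
        if reader not in EXPECTED_READERS[category]:
            alerts.append(Alert(category, rec["user"], rec["host"], rec["path"],
                                "read by unexpected user/host"))
        # Rule 2: one non-baseline reader touching both artifacts is the discovery pattern.
        touched.setdefault(reader, set()).add(category)
        baseline_everywhere = all(reader in s for s in EXPECTED_READERS.values())
        if (not baseline_everywhere and len(touched[reader]) == len(WATCHLIST)
                and reader not in flagged_pattern):
            flagged_pattern.add(reader)
            alerts.append(Alert("discovery", rec["user"], rec["host"], rec["path"],
                                "same reader accessed points database and HMI screens"))
    return alerts


# Constructed sample: an engineering workstation account pulls both artifacts.
SAMPLE_LOG = [
    r"2024-01-01T08:00:01 host=HMI01 user=operator op=read path=\\das01\config\screens\overview.gfx",
    r"2024-01-01T08:00:05 host=DAS01 user=svc_scada op=read path=C:\scada\points.db",
    r"2024-01-01T08:02:10 host=ENG07 user=jdoe op=read path=C:\scada\points.db",
    r"2024-01-01T08:02:12 host=ENG07 user=jdoe op=copy path=\\das01\config\screens\pumps.gfx",
    r"2024-01-01T08:03:00 host=HMI02 user=operator op=read path=C:\scada\log\events.txt",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert.reason}: {alert.user}@{alert.host} -> {alert.path} [{alert.category}]")
```

On the sample the two operator stations and the data acquisition service account produce nothing, while the engineering workstation account yields three alerts: one per artifact and one for the combined pattern. The baseline is what makes the rule useful; a watchlist alone fires on every legitimate HMI start-up.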
Control of the Process
Sending Commands Directly to the Data Acquisition Equipment
• The easiest way to control the process is to send commands directly to the data acquisition equipment.
  – Most PLCs, protocol converters, or data acquisition servers lack even basic authentication.
  – They generally accept any properly formatted command.
  – An attacker wishing control simply establishes a connection with the data acquisition equipment and issues the appropriate commands.
• An effective attack is to export the screen of the operator's HMI console back to the attacker.
  – Off-the-shelf tools can perform this function in both Microsoft Windows and Unix environments.
  – The attacker is also limited to the commands allowed for the currently logged-in operator.
• Man-in-the-middle attacks can be performed on control system protocols if the attacker knows the protocol he/she is manipulating.
  – An attacker can modify packets in transit, providing both a full spoof of the operator HMI displays and full control of the control system.
  – By inserting commands into the command stream the attacker can issue arbitrary or targeted commands.
  – By modifying replies, the operator can be presented with a modified picture of the process.
  – Direct controls from wireless hand-held devices.
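Because the devices described above accept any well-formed command, the compensating control has to live on the network rather than on the PLC. The monitor below is an added example, not code from the presentation, from Eric Cornelius or from US-CERT. It assumes two capture points, one beside the HMI and one beside the PLC, and compares what each saw per transaction: a write arriving at the device from a host outside a write allowlist, a command at the device that the HMI side never sent (the inserted-command case), and a reply whose value at the HMI differs from what the device actually sent (the modified-reply case). The records are constructed with Modbus-like fields; the host names, point numbers and the assumption that a transaction id survives the path between the taps are all placeholders.

```python
"""
Added example (not from the presentation or US-CERT): a two-tap monitor for an
unauthenticated control protocol. Records, hosts and point numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Msg:
    txid: int
    tap: str            # "hmi" or "plc": where the record was captured
    kind: str           # "cmd" or "reply"
    src: str
    dst: str
    func: str           # "read" or "write"
    point: int
    value: Optional[int]


# Constructed allowlist: hosts permitted to write to each device.
WRITE_ALLOWLIST: Dict[str, Set[str]] = {"PLC01": {"HMI01", "HMI02"}}


def index(msgs: List[Msg]) -> Dict[Tuple[int, str, str], Msg]:
    """Key every record by (transaction id, tap, kind) for pairwise comparison."""
    return {(m.txid, m.tap, m.kind): m for m in msgs}


def analyse(msgs: List[Msg]) -> List[Tuple[int, str]]:
    """Return (txid, finding) pairs, ordered by transaction id."""
    by_key = index(msgs)
    findings: List[Tuple[int, str]] = []
    for txid in sorted({m.txid for m in msgs}):
        plc_cmd = by_key.get((txid, "plc", "cmd"))
        hmi_cmd = by_key.get((txid, "hmi", "cmd"))
        plc_reply = by_key.get((txid, "plc", "reply"))
        hmi_reply = by_key.get((txid, "hmi", "reply"))
        if plc_cmd is not None:
            # Rule 1: a write reaching the device from a host not allowed to write.
            allowed = WRITE_ALLOWLIST.get(plc_cmd.dst, set())
            if plc_cmd.func == "write" and plc_cmd.src not in allowed:
                findings.append((txid, "write from unauthorized source"))
            # Rule 2: the device saw a command the HMI side never sent, or sent differently.
            if hmi_cmd is None or (hmi_cmd.func, hmi_cmd.point, hmi_cmd.value) != (
                    plc_cmd.func, plc_cmd.point, plc_cmd.value):
                findings.append((txid, "command not seen unchanged at HMI tap"))
        # Rule 3: the device's reply differs from what the operator station received.
        if plc_reply is not None and hmi_reply is not None and plc_reply.value != hmi_reply.value:
            findings.append((txid, "reply modified in transit"))
    return findings


# Constructed capture: one clean write, one tampered read reply, one inserted write.
SAMPLE: List[Msg] = [
    # tx 1: operator writes a setpoint; identical at both taps
    Msg(1, "hmi", "cmd", "HMI01", "PLC01", "write", 40001, 1),
    Msg(1, "plc", "cmd", "HMI01", "PLC01", "write", 40001, 1),
    Msg(1, "plc", "reply", "PLC01", "HMI01", "write", 40001, 1),
    Msg(1, "hmi", "reply", "PLC01", "HMI01", "write", 40001, 1),
    # tx 2: operator reads a level; the value the HMI shows is not what the PLC sent
    Msg(2, "hmi", "cmd", "HMI01", "PLC01", "read", 30005, None),
    Msg(2, "plc", "cmd", "HMI01", "PLC01", "read", 30005, None),
    Msg(2, "plc", "reply", "PLC01", "HMI01", "read", 30005, 95),
    Msg(2, "hmi", "reply", "PLC01", "HMI01", "read", 30005, 72),
    # tx 3: a write appears at the PLC that the HMI side never sent
    Msg(3, "plc", "cmd", "ENG07", "PLC01", "write", 40002, 0),
    Msg(3, "plc", "reply", "PLC01", "ENG07", "write", 40002, 0),
]

if __name__ == "__main__":
    for txid, finding in analyse(SAMPLE):
        print(f"tx {txid}: {finding}")
```

Two caveats follow directly from the design. The taps must bracket the link under suspicion: anything inserted or altered beyond both capture points is invisible to this comparison. And rule 1 alone is weak against a spoofed source address, which is why rule 2 keys on the HMI-side capture rather than on what the packet claims; a command that never crossed the HMI tap is flagged whatever source it carries.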