Cyber Security for the Power Grid: Cyber Security Issues & Securing Control Systems Andrew Wright CTO, N-Dimension [email_...
Power Grid Communications & Control Systems borrowed from NIST Smart Grid Twiki Internet Control Systems
Agenda <ul><li>High-Level </li></ul><ul><ul><li>Industrial Control Systems and Cyber Security Issues </li></ul></ul><ul><u...
A Control System Sensor(s) + Actuator(s) + Controller(s)
Types of Industrial Control Systems (ICS) Supervisory Control And Data Acquisition (SCADA) Automation Process Control Syst...
Historical ICS <ul><li>Proprietary </li></ul><ul><li>Complete vertical solutions </li></ul><ul><li>Customized </li></ul><u...
Modern ICS Trends Device Network Firewall  Services  Network Third Party Application Server Application Server Historian S...
Technology Trends in ICS <ul><li>COTS (Commercial-Off-The-Shelf) technologies </li></ul><ul><ul><li>Operating systems—Wind...
New IP-Based Industrial Control Systems <ul><li>ODVA (Rockwell) </li></ul><ul><li>Profinet </li></ul><ul><li>Foundation Fi...
Security Risks to Modern ICS <ul><li>COTS + IP + connectivity  =  many security risks </li></ul><ul><li>All of those of En...
When ICS Security Fails <ul><li>Loss of production </li></ul><ul><li>Penalties </li></ul><ul><li>Lawsuits </li></ul><ul><l...
So How Do We Secure Industrial Control Systems?
There is No Silver Bullet! No Silver Bullet!
Defense in Depth <ul><li>Perimeter Protection </li></ul><ul><ul><li>Firewall, IPS, VPN, AV </li></ul></ul><ul><ul><li>Host...
50000 Foot View Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IP...
Security Issues in Industrial Control Systems
Availability, Integrity and Confidentiality <ul><li>Enterprise networks require C-I-A </li></ul><ul><ul><li>Confidentialit...
DoS and DDoS Attacks <ul><li>Denial of Service (DoS) attack overwhelms a system with too many packets/requests </li></ul><...
Fragile ICS Devices <ul><li>Many IP stack implementations are fragile </li></ul><ul><ul><li>Some devices lockup on ping sw...
Unpatched Systems <ul><li>Many ICS systems are not patched current </li></ul><ul><ul><li>Particularly Windows servers </li...
Limited use of Host Anti-Virus <ul><li>AV operations can cause significant system disruption at inopportune times </li></u...
Poor Authentication and Authorization <ul><li>Machine-to-machine comms involve no “user” </li></ul><ul><li>Many ICS have p...
Poor Audit and Logging <ul><li>Many ICS have poor or non-existent support for logging security-related actions </li></ul><...
Unmanned Field Sites <ul><li>Many unmanned field sites </li></ul><ul><li>Many with dialup access </li></ul><ul><li>Some wi...
Legacy Equipment <ul><li>Much legacy equipment </li></ul><ul><li>Usually impossible to update to add security features </l...
Unauthorized Applications <ul><li>Unauthorized apps installed on ICS systems can interfere with ICS operation </li></ul><u...
Inappropriate Use of ICS Desktops <ul><li>Web browsing from HMI can infect ICS  </li></ul><ul><ul><li>Browser vulnerabilit...
Little or No Cyber Security Monitoring <ul><li>internal monitoring is essential to detect low profile compromises </li></u...
Requirement for 3rd Party Access <ul><li>Firmware updates and PLC, IED programming are sometimes done by vendor </li></ul>...
People Issues <ul><li>ICS network often managed by “Control Systems Department”, distinct from “IT Department” running ent...
Harsh Environments <ul><li>Temperature </li></ul><ul><li>Vibration </li></ul><ul><li>Dust </li></ul><ul><li>Humidity </li>...
Attack Vectors into Control Systems Includes Infected Laptops and Is Growing Source: 2003–2006 data from Eric Byres, BCIT
Security Assessments on ICS <ul><li>Various groups perform security assessments and penetration tests on ICS (generally un...
Other Issues <ul><li>Unusual physical topologies </li></ul><ul><li>Many special purpose, limited function devices </li></u...
For More Information ... <ul><li>See Smart Grid Cyber Security Strategy and Requirements, NISTIR 7628,  www.nist.gov/smart...
Today’s Threats
Intense Media Visibility on the Cyber Security Issue Hiroshima, 2.0 – Cyberspying of the US Electric Grid (April 09) Cyber...
Limited Information About Incidents  <ul><li>Little information sharing about actual attacks </li></ul><ul><ul><li>BCIT in...
Accidents Happen ...
Attacks Can Cause Similar Results  INL National Lab Aurora Demonstration, March 2007
Cyber Security Regulatory Requirements Strengthened Cyber Security Standards Approved for North American Utilities (May 09...
Securing Control Systems
Adversaries <ul><li>Script kiddies </li></ul><ul><li>Hackers </li></ul><ul><li>Organized crime </li></ul><ul><li>Disgruntl...
Threat Model <ul><li>Targeted and untargeted threats </li></ul><ul><ul><li>Targeted: terrorist, specifically crafted worm/...
How an Attack Proceeds—Step #1 Internet Modem Pool Web Server Email Server Business Workstation Data Historian Engineering...
How an Attack Proceeds—Step #2  Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation...
How an Attack Proceeds—Step #3  Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation...
How an Attack Proceeds—Step #4  Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management C...
How an Attack Proceeds—Step #5 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Co...
How an Attack Proceeds—Step #6  Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management C...
How an Attack Proceeds—Step #7  Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management C...
Defending ICS <ul><li>Separate control network from enterprise network </li></ul><ul><ul><li>Harden connection to enterpri...
50000 Foot View Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IP...
Logical Overlay on SP99 / Purdue Model of Control Site Business Planning and Logistics Network Batch Control Discrete Cont...
Logical Architecture <ul><li>Enterprise Zone contains typical business systems </li></ul><ul><ul><li>Email, web, office ap...
How NOT to connect Control / Enterprise <ul><li>Dual-homed server </li></ul><ul><li>Dual-homed server with Host IPS / AV <...
DMZ—Logical View Web Services Operations  Application Server Historian Mirror DMZ Patch Mgmt AV Proxy Terminal  Services N...
DMZ Design Principles <ul><li>DMZ contains non-critical systems </li></ul><ul><li>Multiple functional security sub-zones <...
DMZ Implementation (1) DMZ LAN 3 DMZ LAN 4 DMZ LAN 2 NAT Routing FW IPS Security Appliance With Multiple Ports DMZ/Control...
DMZ Implementation (2) dot1q trunk DMZ VLAN 3 DMZ VLAN 4 DMZ VLAN 2 NAT Routing FW IPS VLAN Security Appliance VLAN-capabl...
DMZ Implementation <ul><li>Sub-zones implemented by physical LANs or VLANs </li></ul><ul><ul><li>Physical LANs require mul...
Remote Access DMZ AAA Server Certificate Authority Terminal  Services DMZ/Control Interconnect WAN/LAN  Enterprise LAN Rem...
Remote Access <ul><li>Security Appliance terminates Host-to-site VPN into remote access pool </li></ul><ul><ul><li>IPSEC V...
Direct Remote Access DMZ AAA Server Certificate Authority DMZ/Control Interconnect WAN/LAN  Enterprise LAN Remote Access P...
Direct Remote Access <ul><li>Security Appliance terminates Host-to-site VPN into remote access pool </li></ul><ul><li>Secu...
Control Zone—Logical View Batch Control Discrete Control Supervisory Control Hybrid Control Supervisory Control Production...
Control Zone Design Principles <ul><li>Multiple functional security sub-zones </li></ul><ul><li>Firewall and IDS between s...
Control Zone Implementation—Hierarchical <ul><li>Fast routing between  VLANs via L3 switch </li></ul><ul><li>ACLs between ...
Control Zone Implementation—Ring <ul><li>Ring reduces wiring for linear sites like power dams </li></ul><ul><li>but spanni...
Perimeter Protection in Utilities Firewall IDS/IPS Client VPN Proxy Network AV Host IDS/IPS NAC Site-to-site VPN DMZ
Interior Protection in Utilities IDS Port Scan Vuln Scan Firewall NAC SCADA VPN Firewall SCADA VPN Port Scan IDS
Monitor, Log, Analyze, Report Log Analyze Report Compliance Managed Security
<ul><li>Planning, processes, procedures, physical security, etc. are also important </li></ul><ul><li>NERC CIP Regulatory ...
Summary <ul><li>Today’s ICS are mix of modern and legacy </li></ul><ul><ul><li>vulnerabilities due to both lack of securit...
? Thanks! [email_address]
Standards Efforts <ul><li>NERC CIPs </li></ul><ul><li>NIST Smart Grid Interoperability Standards Project </li></ul><ul><li...
A Few References <ul><li>www.nist.gov/smartgrid </li></ul><ul><li>Securing Your SCADA and Industrial Control Systems, Vers...
  • These are functional groupings, not ownership groupings. The Internet (blue) has touch points with many power grid systems, but there are still significant communications and networks that are not the Internet. I will look at various types of Industrial Control Systems (red) used in Generation, Transmission, and Distribution ...
  • Supervisory Control and Data Acquisition (SCADA): large distances, supervisory control, non-real-time (minutes). Used in power (transmission and distribution), gas, oil, water, wastewater, rail, etc.
    Process Control Systems (PCS): closed loop, central control, near real-time (seconds). Used in refining, chemical, food, pharmaceutical, etc.
    Distributed Control Systems (DCS): similar to PCS but multiple controllers physically close to processes. Used in generation, manufacturing, refining, chemical, food, pharmaceutical, etc.
    Automation aka Discrete Control: similar to DCS, real-time (milliseconds).
  • The slogan “tomorrow’s technology today” of high-tech industries is turned around in the control systems world to “yesterday’s technology tomorrow”. “Security” in power usually means reliability of the grid; there is a big difference between “robust to accidental events” and “robust to intentional engineered attacks”.
  • At the bottom, IEDs are usually connected to sensors and controllers by automation networks such as HART, Fieldbus, Profibus, or increasingly by Ethernet, although one process control vendor is already offering IPv6 wireless on battery-powered sensors. The next level of network consists of the ICS master and the systems used for operating and managing the ICS. The next level provides advanced applications, such as optimization, and gateways to the enterprise network.
    Adoption of COTS (Commercial-Off-The-Shelf) technologies: operating systems (Windows, WinCE, various embedded RTOSes); applications (databases, web servers, web browsers, etc.); IT protocols (HTTP, SMTP, FTP, DCOM, XML, SNMP, etc.). COTS software and systems have more capabilities and are cheaper than proprietary systems, and do not leave vendors stranded on out-of-date technology.
    Connectivity of ICS to the enterprise LAN: improved business visibility and business process efficiency, e.g. supply chain management, production scheduling, order tracking, and fault monitoring (optimize part and supply sourcing, schedule production to better meet business requirements and avoid contract penalties); remote access to control center and field devices, e.g. remote diagnosis and repair, reduction of personnel at remote sites.
    Adoption of IP networking: common in higher level networks, gaining in lower levels; many legacy protocols wrapped in TCP or UDP; most new industrial devices have Ethernet ports. IP is penetrating into lower levels of ICS networks due to greater performance, lower cost, and more capabilities than proprietary networks: ease of connectivity to other systems, greater performance, lower cost, interoperability, future proofing.
    The rate at which these trends are progressing varies between ICS and process control and between control center, communications, and field devices.
  • Trends relevant to networking and security. The rate at which these trends are progressing varies between ICS and process control and between control center, communications, and field devices. Connectivity improves business efficiency by better supply chain management, just-in-time production, order tracking, fault monitoring, etc., in addition to direct optimization of the process itself. IP networking: ease of connectivity to other systems, greater performance, lower cost, interoperability, future proofing.
  • Trojan code inserted by the CIA into pipeline control software stolen by the USSR caused the largest non-nuclear explosion ever observed from space.
    A 16” gasoline pipeline ruptured and ignited due to a combination of a backhoe and a non-responsive ICS system, causing fires for 1.5 miles along a creek, 3 deaths, $45M in damage, and a seriously contaminated water treatment plant.
    A disgruntled employee used the ICS to release 250,000 gals. of sewage.
    The Slammer worm infected the Davis Besse nuclear plant via a contractor’s T1 line and disabled safety systems; fortunately the plant was offline.
    The Blaster worm was not the primary cause but partly contributed to the northeast blackout, economic cost $7-10 Billion; note that 2% of US generation has blackstart capability.
    Browns Ferry: the root cause of the event was the malfunction of the VFD controller because of a broadcast storm on the plant ICS network, possibly due to a malfunctioning, broadcasting PLC. Corrective actions included developing a network firewall device that limits the connections and traffic to any potentially susceptible devices on the plant ICS network.
  • There is no silver bullet! Not crunchy on the outside, soft and chewy on the inside. Scanning: port scanning, vulnerability scanning, ARP scanning, wifi scanning.
  • The importance of availability and integrity impacts the security of ICS in a number of ways that we will look at shortly. Six 9’s means 99.9999% available; Cisco IP telephony is five 9’s. Bellingham. Security must not reduce availability: expiry of VPN tunnel certificates, forgotten password, etc.
  • A botnet is a collection of computers with a backdoor, installed by a virus or worm, that can be remotely and anonymously controlled. Botnets may consist of home PCs without proper firewall and antivirus, but many have also been found within the enterprise networks of large corporations. Explain the e-commerce website extortion attack.
  • Browns Ferry
  • No patches available for Windows NT, 98, ME; Windows 2000 supported only until 2010. Cisco and others released a patch for TCP support Sept 2009 (DOS prevention).
  • Queensland extreme example: password limited to 3 uppercase characters
  • SoX passed in response to scandals like Enron, relates to financial accounting, and the PCAOB auditing standard #2 states “IT Controls should be tested, including controls over relevant assertions related to all significant accounts and disclosures in the financial statements”
  • especially browsing the seedier parts of the web
  • Davis Besse
  • The IT department may not want the ICS department to have a firewall, as this will impede their visibility into and management of the ICS network. ICS personnel are not IT or networking experts and are not familiar with advanced networking issues. IT personnel are not ICS experts, are not familiar with the different requirements of ICS, and may not understand why enterprise security policies cannot be applied to ICS.
  • motor activated breaker that is not meant to be used when a line is energized, but was opened under a 100 amp load for this experiment. Normally this line carries 2000 amps.
  • Extreme environments: heat, cold, dust, vibration, moisture, explosive or flammable gas. Physical topologies: not building, but star, mesh, bus, and particularly ring, e.g. hydro dam. Special purpose devices (IEDs) cannot run antivirus, NAC clients, etc. Multicast is not one to many, but many to a few each. Long service lifetimes: SEL 10 year warranty.
  • Media visibility on this issue started a couple of years ago with CNN coverage of a Homeland Security demonstration showing how easy it is to hack into the grid and destroy a generating plant. Since then the media has been increasing the visibility of the issue … First article described how a smart meter network can be easily hacked into (with $500 of equipment) to turn off power in entire communities and cities.
  • The BCIT database (British Columbia Institute of Technology, Eric Byres) requires contribution in order to obtain access. Business losses to cyber events number in the billions of dollars annually. Financials estimate that 2% of incidents that occur are actually reported, due to concern for reputation and stock price, and this is likely also true for ICS.
  • Accidents happen and can have pretty severe consequences: a fault in a capacitor bank in a residential substation, the protection relay fails to trip, overloads a transformer, which vents superheated and vaporized cooling oil, which ignites ...
  • Cooper power systems makes a REID relay that prevents this specific attack
  • Based on the report of the black-out of 2003, national security concerns, and recognition that today’s existing electric grid is vulnerable (1980’s level security), there have been extensive cyber security regulatory and standards development initiatives which are driving business opportunity for N-Dimension. 1st point: we have just completed assisting utilities in the US with their stimulus applications, and for us this represented a total of $4M of product quotations. N-Dimension is on the committees that are driving the standards for the industry (last 4 points).
  • where were we (in the talk), where are we going questions
  • ICS have been compromised by script kiddies and used to store digital music and movies; most likely the kiddies either did not realize or did not care what type of system they were into.
    Talks and hacking demonstrations of ICS are beginning to show up at conferences like Black Hat and Defcon.
    Organized crime has created a thriving market for zero-day vulnerabilities and botnets.
    Disgruntled insiders, whether fired or on strike, know best how to damage the ICS and have the necessary access.
    Competitors could use ICS information to manipulate spot markets; anybody remember ENRON?
    Information about ICS systems was found on Al Qaeda computers seized in Afghanistan, and there have been renewed calls from Al Qaeda for specific attacks on oil infrastructure to reduce oil flow to the US.
    Industries that frequently attract the ire of eco-terrorists tend to be heavy users of ICS.
    Other nations have been mapping US infrastructure for over 10 years, and most nations, including the US, now have a cyberwar capability.
  • no security thru obscurity
  • this is just one attack scenario of many possible
  • The DMZ is somewhat similar to an enterprise DMZ but has rather different security properties. The purpose of the DMZ is to provide STRONG separation between the enterprise and control zones. The DMZ contains only non-critical systems that provide enterprise visibility and connectivity; fully switched network.
  • this slide is in your packet
  • The firewall here is still a logical view. NO direct traffic is permitted between the enterprise and control zones: all inbound and outbound traffic must stop at a server in the DMZ, so operations like patch installation must be a two-stage process and remote administration must go through a terminal or application server. Different colored networks are different sub-zones. Traffic is permitted between enterprise, DMZ, and control zones, and between different sub-zones, only as needed. Multiple functional sub-zones help contain the spread of a worm infection, limit sniffing and scanning by attackers, and aid in management of firewall rules.
  • No direct traffic + no common ports stops worms like Slammer. Sub-zones and limited communication slow infection spread and make network mapping by attackers more difficult. Control/DMZ independence requires domain servers, AAA, etc. in both zones. Guest NAC, since the enterprise zone may not do NAC. The DMZ is independent of the Enterprise and Control Zones to allow remediation while disconnected.
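The two DMZ rules in these notes (no direct enterprise-to-control traffic, and no port open on both the enterprise-to-DMZ and DMZ-to-control legs) are easy to state and easy to lose in a long rule set. The following is an added example, not the tutorial's or N-Dimension's code: a small checker over a constructed, firewall-independent rule list that reports any rule breaking those principles and also insists on a final deny-any rule. Zone names, ports and the rule tuple layout are assumptions made for the example.

```python
"""Check a zone firewall policy against the control-DMZ design rules.

Added example (not from the tutorial). A rule is a constructed tuple
(source zone, destination zone, protocol, destination port, action) and
the policy is evaluated first-match, with the last rule as the default.
"""

ZONES = {"enterprise", "dmz", "control"}


def check_policy(rules):
    """Return a sorted list of violations; [] means the policy passes.

    Checks: (1) no allow rule joins enterprise and control directly;
    (2) no protocol/port is allowed on both the enterprise<->DMZ leg and
    the DMZ<->control leg, so a worm cannot walk through the DMZ on one
    port; (3) the rule list ends in an explicit deny-any.
    """
    violations = []
    allowed = [r for r in rules if r[4] == "allow"]

    for src, dst, proto, port, _ in allowed:
        if {src, dst} == {"enterprise", "control"}:
            violations.append(f"direct {src}->{dst} {proto}/{port}")

    enterprise_leg = {(p, port) for s, d, p, port, _ in allowed
                      if {s, d} == {"enterprise", "dmz"}}
    control_leg = {(p, port) for s, d, p, port, _ in allowed
                   if {s, d} == {"dmz", "control"}}
    for proto, port in sorted(enterprise_leg & control_leg):
        violations.append(f"common port {proto}/{port} on both legs")

    last = rules[-1] if rules else None
    if last is None or last[:2] != ("any", "any") or last[4] != "deny":
        violations.append("no final deny-any rule")
    return sorted(violations)


# Constructed policy that follows the notes: operators reach a terminal
# server and web services in the DMZ; the DMZ historian mirror pulls from
# the control historian on a different port; everything else is denied.
GOOD_POLICY = [
    ("enterprise", "dmz", "tcp", 3389, "allow"),   # terminal services in DMZ
    ("enterprise", "dmz", "tcp", 443, "allow"),    # web services in DMZ
    ("dmz", "control", "tcp", 1433, "allow"),      # historian mirror replication
    ("any", "any", "any", "any", "deny"),
]

# Constructed policy with the two mistakes the notes warn about: a direct
# enterprise->control hole, and the same port open on both legs.
BAD_POLICY = [
    ("enterprise", "control", "tcp", 1433, "allow"),
    ("enterprise", "dmz", "tcp", 1433, "allow"),
    ("dmz", "control", "tcp", 1433, "allow"),
    ("any", "any", "any", "any", "deny"),
]

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, check_policy(policy) or "OK")
```

Run it against an export of the real rule base by mapping each rule onto the same tuple shape; the interesting failures are usually the "common port" ones, because each leg looked reasonable on its own when it was added.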
  • Cisco ASA 5520 or 5540 with Advanced Inspection Module (IPS); signatures for DNP3, Modbus, ICCP. Sub-zones implemented by VLANs; all inter-VLAN routing done by the ASA. The L2 switch must be a Cisco switch and properly configured to prevent VLAN hopping. ACLs on the ASA implement policy between DMZ VLANs, Enterprise Zone, and Control Zone. Cisco Security Agent (CSA) on DMZ servers: signature-less host-based IPS. Optional active-standby redundancy; DMZ servers can use dual NICs with teaming drivers. Optional separate hardware firewall, IOS-based for a different implementation, could be managed by IT.
  • Implementing sub-zones with physically separate ports may require a more expensive ASA and/or more L2 switches. The L2 switch must be a Cisco switch to prevent VLAN hopping. Teaming drivers with dual DMZ switches for redundancy. A separate firewall defends against ASA misconfiguration, overload, vulnerabilities. ASA 5520 or 5540 with AIM and at least 4 VLANs (one for management, 3 for DMZ sub-zones) or 6+ ports. An optional separate, different-implementation firewall defends against ASA compromise or misconfiguration. This slide is in your packet.
  • this slide is in your packet
  • user-based ACLs to enforce RBAC on user
  • this slide is in your packet
  • Multiple sub-zones, like in the DMZ, grouping systems with related functionality. Optional firewall and IDS between sub-zones; if used, IDS, not IPS, to ensure that false positives do not block critical control traffic. Security management (CSM) and security correlation (MARS) in the control zone (these security-critical functions should be given maximum protection and thus NOT placed in the DMZ).
  • Independence is necessary to allow disconnection. Sub-zones and limited communication slow infection spread and make network mapping more difficult. Control zone independence requires domain servers, AAA, etc. in the zone. Port security prevents someone with physical access from connecting a rogue device. QoS and traffic policing mitigate the impact of a worm or a misbehaving control system device. This slide is in your packet.
  • VLAN ACLs restrict traffic between different sub-zones to only that needed; good for a small number of VLANs, as with too many the number of ACLs becomes large.
  • where we are, where we are going
  • ISA - The Instrumentation, Systems, and Automation Society
    1. Cyber Security for the Power Grid: Cyber Security Issues & Securing Control Systems. Andrew Wright, CTO, N-Dimension, [email_address]. ACM CCS Conference Tutorial, Nov. 2009
    2. Power Grid Communications & Control Systems (figure borrowed from the NIST Smart Grid Twiki; labels: Internet, Control Systems)
    3. Agenda
  • High-Level
    • Industrial Control Systems and Cyber Security Issues
    • Securing Control Systems
  • Detailed
    • Security Issues in Industrial Control Systems
    • Today’s Threats
    • Securing Control Systems
    4. A Control System: Sensor(s) + Actuator(s) + Controller(s)
    5. Types of Industrial Control Systems (ICS)
  • Supervisory Control And Data Acquisition (SCADA)
  • Automation
  • Process Control Systems (PCS)
  • Distributed Control Systems (DCS)
    6. Historical ICS
  • Proprietary
  • Complete vertical solutions
  • Customized
  • Specialized communications
    • Wired, fiber, microwave, dialup, serial, etc.
    • 100s of different protocols
    • Slow; e.g. 1200 baud
  • Long service lifetimes: 15–20 years
  • Not designed with security in mind
    7. Modern ICS Trends (diagram: device network, control network, services network and enterprise network, with application, historian, third-party and connectivity servers, engineering and mobile operator workplaces, serial RS485 and OPC/Fieldbus links at the bottom, IP and a firewall toward the enterprise network and Internet)
    8. Technology Trends in ICS
  • COTS (Commercial-Off-The-Shelf) technologies
    • Operating systems—Windows, WinCE, embedded RTOSes
    • Applications—Databases, web servers, web browsers, etc.
    • IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc.
    • Networking equipment—switches, routers, firewalls, etc.
  • Connectivity of ICS to enterprise LAN
    • Improved business visibility, business process efficiency
    • Remote access to control center and field devices
  • IP Networking
    • Common in higher level networks, gaining in lower levels
    • Many legacy protocols wrapped in TCP or UDP
    • Most new industrial devices have Ethernet ports
    • Most new ICS architectures are IP-based
    9. New IP-Based Industrial Control Systems
  • ODVA (Rockwell)
  • Profinet
  • Foundation Fieldbus HSE
  • Telvent
  • ABB 800xA
  • Honeywell Experion
  • Emerson DeltaV
  • Yokogawa VNET/IP
  • Invensys Infusion
  • Survalent
  • IP to the Control Network or even Device Network
  • Not all are fully compatible with “ordinary IP”
    10. Security Risks to Modern ICS
  • COTS + IP + connectivity = many security risks
  • All of those of Enterprise networks and more:
    • Worms and Viruses
    • Legacy OSes and applications
    • DOS and DDOS impairing availability
    • Inability to limit access
    • Unauthorized access
    • Inability to revoke access
    • Unknown access
    • Unexamined system logs
    • Unpatched systems
    • Accidental misconfiguration
    • Little or no use of anti-virus
    • Improperly secured devices
    • Limited use of host-based firewalls
    • Improperly secured wireless
    • Improper use of ICS workstations
    • Unencrypted links to remote sites
    • Unauthorized applications
    • Passwords sent in clear text
    • Unnecessary applications
    • Default passwords
    • Open FTP, Telnet, SNMP, HTML ports
    • Password management problems
    • Fragile control devices
    • Default OS security configurations
    • Network scans by IT staff
    • Unpatched routers / switches
    11. When ICS Security Fails
  • Loss of production
  • Penalties
  • Lawsuits
  • Loss of public trust
  • Loss of market value
  • Physical damage
  • Environmental damage
  • Injury
  • Loss of life
  Examples:
  • USSR pipeline explosion, 1982
  • Bellingham pipeline rupture, 1999
  • Queensland sewage release, 2000
  • Davis Besse nuclear plant infection, 2003
  • Northeast USA blackout, 2003
  • Browns Ferry nuclear plant scram, 2006
    12. So How Do We Secure Industrial Control Systems?
    13. There is No Silver Bullet!
    14. Defense in Depth
  • Perimeter Protection
    • Firewall, IPS, VPN, AV
    • Host IDS, Host AV
    • DMZ
  • Interior Security
    • Firewall, IDS, VPN, AV
    • Host IDS, Host AV
    • IEEE P1711 (AGA 12)
    • NAC
    • Scanning
  • Monitoring
  • Management
  Abbreviations: IDS, Intrusion Detection System; IPS, Intrusion Prevention System; DMZ, DeMilitarized Zone; VPN, Virtual Private Network (cryptographic); AV, Anti-Virus (anti-malware); NAC, Network Admission Control
    15. 50000 Foot View (diagram: Internet, Enterprise Network, Control Network, three Field Sites and a Partner Site joined by VPNs and firewalls, with IPS/IDS, AV, host IPS/IDS, proxy, scanning, NAC, P1711 and 62351 protection, and log management, event management and reporting)
    16. Security Issues in Industrial Control Systems
    17. Availability, Integrity and Confidentiality
  • Enterprise networks require C-I-A
    • Confidentiality of intellectual property matters most
  • ICS requires A-I-C
    • Availability and integrity of control matters most
    • Control data has low entropy—little need for confidentiality
    • Many ICS vendors provide six 9’s of availability
  • Ensuring availability is hard
    • Cryptography does not help (directly)
    • DOS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high MTBF
  • Security must not reduce availability!
    18. DoS and DDoS Attacks
  • Denial of Service (DoS) attack overwhelms a system with too many packets/requests
    • Exhausts TCP stack or application resources
    • Defenses include connection limits in firewall
  • Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system
    • No single point of attack
    • Requires sophisticated, coordinated defenses
    • Weapon of choice for hackers, hacktivists, cyber-extortionists
  • DoS, DDoS particularly effective when Availability is critical, i.e. against ICS
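The slide names connection limits as the DoS defense and then says a DDoS has "no single point of attack". The added example below (my code, not the tutorial's) replays constructed connection attempts through a per-source sliding-window limit of the kind a firewall applies, and shows why a botnet that keeps every bot under that limit still exhausts the target unless an aggregate per-destination limit is added, and why that aggregate limit in turn drops a legitimate operator who arrives late. The addresses, limits and window are assumptions made for the example.

```python
"""Per-source versus aggregate connection limiting under DoS and DDoS.

Added example, not from the tutorial. Traffic is constructed from the
documentation address ranges (198.51.100/24, 203.0.113/24, 192.0.2/24).
"""
from collections import defaultdict, deque


def apply_limits(events, per_source_limit, aggregate_limit, window_s=1.0):
    """Replay connection attempts through two sliding-window limits.

    events: iterable of (timestamp_seconds, source_ip), any order.
    Returns (accepted, dropped_by_source_limit, dropped_by_aggregate_limit).
    An attempt is dropped when its source already has per_source_limit
    accepted attempts inside the last window_s seconds, or when the target
    as a whole already has aggregate_limit accepted attempts in that window.
    """
    per_source = defaultdict(deque)   # source -> timestamps of accepted attempts
    overall = deque()                 # timestamps of all accepted attempts
    accepted = drop_source = drop_aggregate = 0
    for ts, src in sorted(events):
        window = per_source[src]
        while window and ts - window[0] >= window_s:   # age out old entries
            window.popleft()
        while overall and ts - overall[0] >= window_s:
            overall.popleft()
        if len(window) >= per_source_limit:
            drop_source += 1
            continue
        if len(overall) >= aggregate_limit:
            drop_aggregate += 1
            continue
        window.append(ts)
        overall.append(ts)
        accepted += 1
    return accepted, drop_source, drop_aggregate


def single_source_flood(n=500):
    """Constructed DoS: one host opening n connections within one second."""
    return [(i / n, "198.51.100.7") for i in range(n)]


def botnet_flood(bots=100, per_bot=10):
    """Constructed DDoS: many hosts, each well under a per-source limit."""
    return [(i / per_bot, f"203.0.113.{b}")
            for b in range(bots) for i in range(per_bot)]


# Constructed legitimate operator connecting after the flood has started.
LEGIT_OPERATOR = [(0.95 + j * 0.01, "192.0.2.10") for j in range(5)]


def run_scenarios(per_source_limit=20, aggregate_limit=200):
    """Three scenarios; each value is (accepted, dropped per-source, dropped aggregate)."""
    return {
        "dos_single_source": apply_limits(
            single_source_flood(), per_source_limit, aggregate_limit),
        # per-source limit only: the botnet sails through
        "ddos_per_source_only": apply_limits(
            botnet_flood(), per_source_limit, 10**9),
        # aggregate limit caps the flood but also drops the late operator
        "ddos_with_aggregate": apply_limits(
            botnet_flood() + LEGIT_OPERATOR, per_source_limit, aggregate_limit),
    }


if __name__ == "__main__":
    for name, (ok, by_src, by_agg) in run_scenarios().items():
        print(f"{name:22s} accepted={ok:5d} per-source drops={by_src:5d} "
              f"aggregate drops={by_agg:5d}")
```

The third scenario is the point of the slide's "requires sophisticated, coordinated defenses": a blunt aggregate cap protects the device but cannot tell the operator from the bots, so a real deployment has to rank or whitelist control-zone sources before the cap applies.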
    19. Fragile ICS Devices
  • Many IP stack implementations are fragile
    • Some devices lock up on ping sweep or NMAP scan
    • Numerous incidents of ICS shut down by uninformed IT staff running a well-intentioned vulnerability scan
  • Modern ICS devices are much more complex
    • Some IEDs include a web server for configuration and status
    • More lines of code leads to more bugs
    • Modern IEDs require patching just like servers
    20. Unpatched Systems
  • Many ICS systems are not patched current
    • Particularly Windows servers
    • No patches available for older versions of Windows
  • OS and application patches can break ICS
    • OS patches are tested for enterprise apps
  • Uncertified patches can invalidate warranty
  • Patching often requires system reboot
  • Before installation of a patch:
    • Vendor certification—typically one week
    • Lab testing by operator
    • Staged deployment on less critical systems first
    • Avoid interrupting any critical process phases
21. Limited use of Host Anti-Virus <ul><li>AV operations can cause significant system disruption at inopportune times </li></ul><ul><ul><li>3am is no better than any other time for a full disk scan on a system that operates 24x7x365 </li></ul></ul><ul><li>ICS vendors are only beginning to support anti-virus </li></ul><ul><ul><li>Anti-virus is only as good as its signature set </li></ul></ul><ul><ul><li>Signature updates may require testing just like patches </li></ul></ul><ul><li>AV may be losing ground in enterprise deployments </li></ul><ul><ul><li>Impact on hosts is high and endpoint security is not getting better </li></ul></ul><ul><ul><li>Virus writers have learned to test their code against the dominant AV products before release </li></ul></ul><ul><li>Application whitelisting can be a good alternative </li></ul><ul><ul><li>Enumerate goodness rather than badness: only known-good executables may run, so an unknown binary is blocked without needing a signature for it </li></ul></ul>
22. Poor Authentication and Authorization <ul><li>Machine-to-machine communications involve no “user” to authenticate </li></ul><ul><li>Many ICS have poor authentication mechanisms and very limited authorization mechanisms </li></ul><ul><li>Many protocols send passwords in cleartext </li></ul><ul><li>Many ICS devices lack crypto support </li></ul><ul><li>Passwords are sometimes left at the vendor default </li></ul><ul><li>Device passwords are hard to manage appropriately </li></ul><ul><ul><li>Often one password is shared amongst all devices and all users and seldom if ever changed </li></ul></ul><ul><ul><li>This is happening AGAIN in Smart Meter deployments! </li></ul></ul>
23. Poor Audit and Logging <ul><li>Many ICS have poor or non-existent support for logging security-related actions </li></ul><ul><ul><li>Attempted or successful intrusions may go unnoticed </li></ul></ul><ul><li>Where IDS logs are kept, they are often not reviewed </li></ul><ul><li>Various regulatory requirements are driving some change in this area </li></ul><ul><ul><li>NERC—North American Electric Reliability Corporation </li></ul></ul><ul><ul><li>FERC—Federal Energy Regulatory Commission </li></ul></ul><ul><ul><li>Sarbanes Oxley and PCAOB (Public Company Accounting Oversight Board) </li></ul></ul><ul><ul><li>FISMA—Federal Information Security Management Act </li></ul></ul>
24. Unmanned Field Sites <ul><li>Many unmanned field sites </li></ul><ul><li>Many with dialup access </li></ul><ul><li>Some with high-speed connectivity to the control center </li></ul><ul><li>Most with poor authentication and authorization </li></ul><ul><li>A poorly secured field site is a backdoor to the control center! </li></ul>
25. Legacy Equipment <ul><li>Much legacy equipment </li></ul><ul><li>Usually impossible to update to add security features </li></ul><ul><li>Difficult to protect legacy communications </li></ul><ul><ul><li>but see IEEE P1711 for serial encryption (a bump-in-the-wire approach that leaves the legacy device untouched) </li></ul></ul><ul><li>Password protection is weak </li></ul><ul><li>Little or no audit and logging </li></ul>
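The bump-in-the-wire idea behind protecting a legacy serial link, shown as an added example that is not code from the slides and is not the IEEE P1711 / AGA-12 protocol itself. Two wrapper units sit on the line; the sending one prepends a sequence number and appends an HMAC, and the receiving one drops forged, corrupted or replayed frames before they reach the RTU, which needs no change. The key, the frame contents and the `SerialBump` class name are constructed for the demo.

```python
"""Bump-in-the-wire integrity for a legacy serial link (added illustration).

Added example, not from the slides and not the IEEE P1711 / AGA-12 protocol:
it shows only the idea of protecting a legacy RTU's serial traffic without
touching the RTU.  A wrapper ("bump") on each end of the line prepends a
sequence number and appends an HMAC, so the receiving bump rejects forged,
corrupted or replayed frames.  Key and frames below are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 16  # truncated HMAC-SHA256 tag; plenty for a point-to-point serial link


class SerialBump:
    """One end of the protected link; both ends are configured with the same key."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.tx_seq = 0   # next sequence number this end will send
        self.rx_seq = -1  # highest sequence number this end has accepted

    def wrap(self, frame: bytes) -> bytes:
        """Outgoing: seq (4 bytes, big-endian) || frame || HMAC(seq || frame)[:TAG_LEN]."""
        hdr = struct.pack(">I", self.tx_seq)
        self.tx_seq += 1
        tag = hmac.new(self.key, hdr + frame, hashlib.sha256).digest()[:TAG_LEN]
        return hdr + frame + tag

    def unwrap(self, wire: bytes) -> Optional[bytes]:
        """Incoming: return the original frame, or None if it must be dropped."""
        if len(wire) < 4 + TAG_LEN:
            return None
        hdr, body, tag = wire[:4], wire[4:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, corrupted, or produced with a different key
        seq = struct.unpack(">I", hdr)[0]
        if seq <= self.rx_seq:
            return None  # replay (a point-to-point serial link does not reorder frames)
        self.rx_seq = seq
        return body


def demo() -> dict:
    """Run the link through the cases a wrapper must handle; returns pass/fail per case."""
    key = b"constructed-demo-key-do-not-use"  # a real deployment gets this from key management
    master, rtu = SerialBump(key), SerialBump(key)
    poll = b"poll:rtu07:analog:0-15"  # constructed placeholder for a legacy poll frame
    wire = master.wrap(poll)
    tampered = wire[:8] + bytes([wire[8] ^ 0x01]) + wire[9:]  # flip one bit in the body
    return {
        "accepted": rtu.unwrap(wire) == poll,
        "replay_dropped": rtu.unwrap(wire) is None,
        "tamper_dropped": rtu.unwrap(tampered) is None,
        "wrong_key_dropped": rtu.unwrap(SerialBump(b"other-key").wrap(poll)) is None,
        "next_frame_accepted": rtu.unwrap(master.wrap(poll)) == poll,
    }


if __name__ == "__main__":
    print(demo())
```

This gives integrity and replay protection only, not confidentiality, and it ignores two problems a real serial encryptor has to solve: keeping the sequence counters in sync across power cycles and dropped frames, and the per-frame latency the tag adds on a slow serial line, which matters for timing-sensitive polling.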
26. Unauthorized Applications <ul><li>Unauthorized apps installed on ICS systems can interfere with ICS operation </li></ul><ul><li>Many types of unauthorized apps have been found during security audits </li></ul><ul><ul><li>Instant messaging </li></ul></ul><ul><ul><li>P2P file sharing </li></ul></ul><ul><ul><li>DVD and MPEG video players </li></ul></ul><ul><ul><li>Games, including Internet-based </li></ul></ul><ul><ul><li>Web browsers </li></ul></ul>
27. Inappropriate Use of ICS Desktops <ul><li>Web browsing from an HMI can infect the ICS </li></ul><ul><ul><li>Browser vulnerabilities </li></ul></ul><ul><ul><li>Downloads </li></ul></ul><ul><ul><li>Cross-site scripting </li></ul></ul><ul><ul><li>Spyware </li></ul></ul><ul><li>Email to/from control servers can infect the ICS </li></ul><ul><ul><li>Sendmail and Outlook vulnerabilities </li></ul></ul><ul><li>Disk storage exhaustion can crash the OS </li></ul><ul><ul><li>Storage of music, videos </li></ul></ul>
28. Little or No Cyber Security Monitoring <ul><li>Internal monitoring is essential to detect low-profile compromises </li></ul><ul><ul><li>IDS </li></ul></ul><ul><ul><li>Port scanning and vulnerability scanning, scheduled and tested carefully since scans can lock up fragile devices (slide 19) </li></ul></ul><ul><ul><li>System audit </li></ul></ul><ul><li>Without internal monitoring you cannot know whether systems have been compromised </li></ul>
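What interior monitoring looks like in practice, as an added example that is not code from the slides: a small analyzer run over constructed ICS firewall connection log lines. The key=value log format, the zone address ranges, the static host inventory and the sample lines are all made up for the demo; a real deployment feeds the appliance's own log format and the site's zone plan.

```python
"""Interior monitoring over ICS firewall logs (added illustration).

Added example, not from the slides.  It parses constructed key=value
connection log lines (format, zone ranges, inventory and lines are all made
up) and raises the alerts the slides call for: enterprise and control hosts
talking directly instead of through the DMZ, a control-zone host reaching the
Internet, scanning inside the control zone (which can lock up fragile
devices), and a source address missing from the control zone's static inventory.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed zone addressing; a real check uses the site's zone design.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}
# Constructed static inventory: ICS networks rarely change, so an unknown
# control-zone source address is a finding in itself.
CONTROL_INVENTORY = {"192.168.50.10", "192.168.50.11", "192.168.50.12", "192.168.50.20"}
SCAN_THRESHOLD = 5  # distinct dst:port pairs from one source before we call it a scan

FIELD_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_LOG = """\
2009-06-12T03:14:07 fw=ctl-fw action=ACCEPT src=10.20.0.5 dst=192.168.50.12 proto=tcp dport=5900
2009-06-12T03:14:09 fw=ctl-fw action=ACCEPT src=10.10.5.23 dst=192.168.50.12 proto=tcp dport=3389
2009-06-12T03:15:01 fw=ctl-fw action=ACCEPT src=192.168.50.20 dst=203.0.113.9 proto=tcp dport=80
2009-06-12T03:16:40 fw=ctl-fw action=DENY src=192.168.50.77 dst=192.168.50.10 proto=tcp dport=21
2009-06-12T03:16:41 fw=ctl-fw action=DENY src=192.168.50.77 dst=192.168.50.10 proto=tcp dport=22
2009-06-12T03:16:41 fw=ctl-fw action=DENY src=192.168.50.77 dst=192.168.50.10 proto=tcp dport=23
2009-06-12T03:16:42 fw=ctl-fw action=DENY src=192.168.50.77 dst=192.168.50.10 proto=tcp dport=80
2009-06-12T03:16:42 fw=ctl-fw action=ACCEPT src=192.168.50.77 dst=192.168.50.10 proto=tcp dport=443
2009-06-12T03:17:30 fw=ctl-fw action=ACCEPT src=192.168.50.11 dst=10.20.0.7 proto=tcp dport=1433
""".splitlines()


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the known zones is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def parse(line: str) -> dict:
    """Turn the key=value pairs into a dict; the leading timestamp is kept as 'ts'."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def analyze(lines) -> list:
    """Return (alert_type, source, detail) tuples for the behaviours described above."""
    alerts = []
    touched = defaultdict(set)  # src -> {(dst, dport)} seen toward the control zone
    unknown_reported = set()
    for line in lines:
        ev = parse(line)
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        accepted = ev.get("action") == "ACCEPT"
        if accepted and {src_zone, dst_zone} == {"enterprise", "control"}:
            alerts.append(("direct_crossing", ev["src"], f"to {ev['dst']}:{ev['dport']} bypasses the DMZ"))
        if accepted and src_zone == "control" and dst_zone == "internet":
            alerts.append(("control_to_internet", ev["src"], f"to {ev['dst']}:{ev['dport']}"))
        if src_zone == "control" and ev["src"] not in CONTROL_INVENTORY and ev["src"] not in unknown_reported:
            unknown_reported.add(ev["src"])
            alerts.append(("unknown_control_host", ev["src"], f"first seen {ev['ts']}"))
        if dst_zone == "control":  # denied probes count too: a scan shows up mostly as denies
            touched[ev["src"]].add((ev["dst"], ev["dport"]))
    for src, pairs in touched.items():
        if len(pairs) >= SCAN_THRESHOLD:
            alerts.append(("internal_scan", src, f"{len(pairs)} distinct dst:port pairs"))
    return alerts


def alert_counts(lines) -> dict:
    """Number of alerts of each type, for a daily report or a test."""
    counts = {}
    for kind, _, _ in analyze(lines):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

The first sample line (terminal server in the DMZ reaching an HMI) raises nothing; the enterprise workstation reaching the same HMI directly, the control host reaching an Internet address, and the unlisted host 192.168.50.77 probing five ports each raise one alert. The scan check deliberately counts denied packets, because an interior firewall that blocks a probe still tells you someone is probing.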
29. Requirement for 3rd Party Access <ul><li>Firmware updates and PLC, IED programming are sometimes done by the vendor </li></ul><ul><ul><li>Many ICS have open maintenance ports </li></ul></ul><ul><ul><li>Infected vendor laptops can bring down the ICS </li></ul></ul><ul><li>Partners may require continuous status information </li></ul><ul><ul><li>Partner access is often poorly secured </li></ul></ul><ul><ul><li>Partner channels can serve as backdoors </li></ul></ul><ul><li>3rd parties may include: </li></ul><ul><ul><li>ISO (Independent System Operator), transmission provider or grid neighbor, equipment vendor, emissions monitoring service or agency, water level monitoring agency, vibration monitoring service, etc. </li></ul></ul>
30. People Issues <ul><li>ICS network often managed by “Control Systems Department”, distinct from “IT Department” running enterprise network </li></ul><ul><ul><li>ICS personnel are not IT or networking experts </li></ul></ul><ul><ul><li>IT personnel are not ICS experts </li></ul></ul><ul><li>Majority of control systems workforce is older and nearing retirement </li></ul><ul><ul><li>Few young people entering this field </li></ul></ul><ul><ul><li>Few academic programs </li></ul></ul>
31. Harsh Environments <ul><li>Temperature </li></ul><ul><li>Vibration </li></ul><ul><li>Dust </li></ul><ul><li>Humidity </li></ul><ul><li>Electrical Transients </li></ul>
32. Attack Vectors into Control Systems [chart of attack vectors; the set includes infected laptops and is growing] Source: 2003–2006 data from Eric Byres, BCIT
33. Security Assessments on ICS <ul><li>Various groups perform security assessments and penetration tests on ICS (generally under NDA) </li></ul><ul><ul><li>Idaho National Labs </li></ul></ul><ul><ul><li>Sandia National Labs </li></ul></ul><ul><ul><li>N-Dimension Solutions </li></ul></ul><ul><ul><li>Other private organizations </li></ul></ul><ul><li>Vulnerability assessments always uncover problems </li></ul><ul><li>For penetration tests, we always get in </li></ul><ul><ul><li>Not a question of “if”, but “how long” </li></ul></ul>
34. Other Issues <ul><li>Unusual physical topologies </li></ul><ul><li>Many special purpose, limited function devices </li></ul><ul><li>Static network configurations </li></ul><ul><li>Multicast </li></ul><ul><li>Long service lifetimes </li></ul>
35. For More Information ... <ul><li>See Smart Grid Cyber Security Strategy and Requirements, NISTIR 7628, www.nist.gov/smartgrid </li></ul><ul><ul><li>particularly Appendices C and D </li></ul></ul>
36. Today’s Threats
37. Intense Media Visibility on the Cyber Security Issue <ul><li>Hiroshima, 2.0 – Cyberspying of the US Electric Grid (April 09) </li></ul><ul><li>Cyberspies penetrate electrical grid (April 09) </li></ul><ul><li>'Smart Grid' vulnerable to hackers (March 09) </li></ul><ul><li>CIA: Hackers Have Attacked Foreign Utilities (Jan 2008) </li></ul><ul><li>President Obama: securing the electric infrastructure is a national security priority (June 09) </li></ul><ul><li>Smart Grid Security Frenzy: Cyber War Games, Worms and Spies in Smart Grid (June 09), earth2tech.com </li></ul>
38. Limited Information About Incidents <ul><li>Little information sharing about actual attacks </li></ul><ul><ul><li>BCIT incident database has about 30 incidents per year vs. 100s of thousands of incidents per year in the CERT database </li></ul></ul><ul><ul><li>Few cyber attacks on ICS for which details are public </li></ul></ul><ul><li>Little information sharing about actual vulnerabilities </li></ul><ul><ul><li>Some are not easily or rapidly fixed </li></ul></ul><ul><ul><li>Assessments are done under NDA </li></ul></ul><ul><li>Difficult to estimate risk </li></ul><ul><ul><li>Difficult to demonstrate ROI for security spending </li></ul></ul><ul><li>But… lots of data about significant financial losses in enterprise and e-commerce </li></ul><ul><ul><li>Why would control systems be immune? </li></ul></ul>
39. Accidents Happen ...
40. Attacks Can Cause Similar Results: INL (Idaho National Laboratory) Aurora Demonstration, March 2007
41. Cyber Security Regulatory Requirements <ul><li>Strengthened Cyber Security Standards Approved for North American Utilities (May 09) </li></ul><ul><li>Ontario Green Energy Act Drives Smart Grid With Security (May 09) </li></ul><ul><li>Regulators provide Smart Grid Stimulus Funding criteria - cyber security is mandatory (June 09) </li></ul><ul><li>FERC releases Smart Grid Policy - cyber security mandatory for Utility rate recovery (July 09) </li></ul><ul><li>AMI-SEC Task Force working group developed security requirements for AMI </li></ul><ul><li>NIST developing interoperability and security standards for Smart Grid </li></ul>
42. Securing Control Systems
43. Adversaries <ul><li>Script kiddies </li></ul><ul><li>Hackers </li></ul><ul><li>Organized crime </li></ul><ul><li>Disgruntled insiders </li></ul><ul><li>Competitors </li></ul><ul><li>Terrorists </li></ul><ul><li>Hacktivists </li></ul><ul><li>Eco-terrorists </li></ul><ul><li>Nation states </li></ul>
44. Threat Model <ul><li>Targeted and untargeted threats </li></ul><ul><ul><li>Targeted: terrorist, specifically crafted worm/virus, botnet </li></ul></ul><ul><ul><li>Untargeted: generic worm/virus, script kiddy </li></ul></ul><ul><li>Assume the adversary has: </li></ul><ul><ul><li>Complete knowledge of the network </li></ul></ul><ul><ul><li>A beachhead in the enterprise network </li></ul></ul><ul><ul><li>Limited access to the control network </li></ul></ul><ul><ul><li>But no valid credentials </li></ul></ul>
45. How an Attack Proceeds—Step #1 [diagram; the same network is shown in Steps #1 to #7 with the attacker's progress highlighted: Internet, Modem Pool, Attacker; Enterprise Network with Web Server, Email Server, Business Workstation, Database Server, Domain Name Server (DNS) behind the enterprise Firewall; Control System Network with Data Historian, Engineering Workstation, Management Console, HMI, FEP, RTU and IEDs behind the ICS Firewall; a Vendor Web Server appears from Step #4]
46. How an Attack Proceeds—Step #2 [diagram, see Step #1]
47. How an Attack Proceeds—Step #3 [diagram, see Step #1]
48. How an Attack Proceeds—Step #4 [diagram, see Step #1]
49. How an Attack Proceeds—Step #5 [diagram, see Step #1]
50. How an Attack Proceeds—Step #6 [diagram, see Step #1]
51. How an Attack Proceeds—Step #7 [diagram, see Step #1]
52. Defending ICS <ul><li>Separate the control network from the enterprise network </li></ul><ul><ul><li>Harden the connection to the enterprise network </li></ul></ul><ul><ul><li>Protect all points of entry with strong authentication </li></ul></ul><ul><ul><li>Make reconnaissance difficult from outside </li></ul></ul><ul><li>Harden the interior of the control network </li></ul><ul><ul><li>Make reconnaissance difficult from inside </li></ul></ul><ul><ul><li>Avoid single points of vulnerability </li></ul></ul><ul><ul><li>Frustrate opportunities to expand a compromise </li></ul></ul><ul><li>Harden field sites and partner connections </li></ul><ul><ul><li>Mutual distrust: each side treats the other as untrusted </li></ul></ul><ul><li>Monitor both perimeter and inside events </li></ul><ul><li>Periodically scan for changes in security posture </li></ul>
53. 50000 Foot View [diagram elements: Internet, Enterprise Network, Control Network, Field Sites, Partner Site; VPN, FW, IPS, IDS, AV, Scan, Proxy, NAC, Host IPS, Host IDS, Host AV, P1711 (serial links), 62351 (IEC 62351, for IP-based ICS protocols), Log Mgmt, Event Mgmt, Reporting, "IT Stuff"]
54. Logical Overlay on SP99 / Purdue Model of Control [diagram: Enterprise Zone (Level 5 Enterprise Network; Level 4 Site Business Planning and Logistics Network: Email, Intranet, etc.); DMZ (Patch Mgmt, Web Services Operations, AV Server, Application Server, Terminal Services, Historian (Mirror)); Process Control Zone (Level 3 Site Operations and Control: Production Control, Optimizing Control, Engineering Station, Historian; Level 2 Area Supervisory Control: Supervisory Control, HMI; Level 1 Basic Control: Batch Control, Discrete Control, Hybrid Control, Continuous Control; Level 0)]
55. Logical Architecture <ul><li>Enterprise Zone contains typical business systems </li></ul><ul><ul><li>Email, web, office apps, etc. </li></ul></ul><ul><li>DMZ provides business connectivity </li></ul><ul><ul><li>Contains only non-critical systems that need access to both Control and Enterprise Zones </li></ul></ul><ul><ul><li>Enforces separation between Enterprise and Control Zones </li></ul></ul><ul><ul><li>Consists of multiple functional sub-zones </li></ul></ul><ul><ul><ul><li>Separated by Firewall, IPS, Anti-Virus, etc. </li></ul></ul></ul><ul><li>Control Zone demarcates critical control systems </li></ul><ul><ul><li>Consists of multiple functional sub-zones </li></ul></ul><ul><ul><ul><li>Internally protected by Firewall, IDS, Anti-Virus, etc. </li></ul></ul></ul>
56. How NOT to connect Control / Enterprise <ul><li>Dual-homed server </li></ul><ul><li>Dual-homed server with Host IPS / AV </li></ul><ul><li>Router with packet filter ACLs </li></ul><ul><li>Two-port Firewall </li></ul><ul><li>Router + Firewall combination </li></ul><ul><li>None of these provides a DMZ: a single compromised host or a single permissive rule joins the two zones directly </li></ul><ul><li>See NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, NISCC and BCIT, Feb 2005 </li></ul>
57. DMZ—Logical View [diagram: DMZ between the Enterprise and Control Zones with multiple functional sub-zones (Web Services Operations, Application Server, Historian Mirror, Patch Mgmt, AV Proxy, Terminal Services); VPN, FW, IPS, IDS, Scan, AV, Host AV, Host IPS, Proxy; "No Direct Traffic" across the DMZ; an Emergency Disconnect on each side]
58. DMZ Design Principles <ul><li>DMZ contains only non-critical systems </li></ul><ul><li>Multiple functional security sub-zones </li></ul><ul><li>Traffic between sub-zones passes through a firewall (and IPS or IDS) </li></ul><ul><li>DMZ is the only path in/out of the Control Zone </li></ul><ul><li>Default deny on all firewall interfaces </li></ul><ul><li>No direct traffic across the DMZ: every flow terminates on a DMZ host </li></ul><ul><li>No control traffic to the outside </li></ul><ul><li>Limited outbound traffic from the Control Zone </li></ul><ul><li>Very limited inbound traffic to the Control Zone </li></ul><ul><li>No common ports between outside and inside: a service allowed from outside into the DMZ must not be allowed on the same port from the DMZ into the Control Zone, so a protocol cannot be relayed straight through </li></ul><ul><li>Emergency disconnect at inside or outside </li></ul><ul><li>No network management from outside </li></ul><ul><li>Cryptographic VPN and Firewall to all 3rd party connections </li></ul>
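How several of these principles can be checked mechanically against a zone firewall policy, as an added example that is not code from the slides. The rule format, the zone names and the two sample policies are constructed for the demo; a real check would parse the security appliance's exported configuration instead.

```python
"""Checking a zone firewall policy against the DMZ design principles (added illustration).

Added example, not from the slides.  The rule format, the zone names and the
sample policies are constructed; a real check parses the appliance's exported
configuration.  A rule is (src_zone, dst_zone, proto, port, action); the
default action of each firewall interface is given separately.
"""

OUTSIDE = {"enterprise", "internet"}  # everything beyond the DMZ
INSIDE = {"control"}                  # the Control Zone
MGMT_SERVICES = {("tcp", 22), ("tcp", 23), ("udp", 161), ("udp", 162)}  # ssh, telnet, snmp


def check_policy(defaults: dict, rules: list) -> list:
    """Return (principle, detail) violations; an empty list means the policy passes."""
    violations = []

    # Default deny on every firewall interface.
    for iface, action in defaults.items():
        if action != "deny":
            violations.append(("default_deny", f"interface {iface} defaults to {action}"))

    out_to_dmz, dmz_to_in, in_to_dmz, dmz_to_out = set(), set(), set(), set()
    for src, dst, proto, port, action in rules:
        if action != "allow":
            continue
        svc = (proto, port)
        where = f"{src}->{dst} {proto}/{port}"
        # No direct traffic across the DMZ: it is the only path in or out of the Control Zone,
        # which also covers "no control traffic to the outside".
        if (src in OUTSIDE and dst in INSIDE) or (src in INSIDE and dst in OUTSIDE):
            violations.append(("no_direct_traffic_across_dmz", where))
        # No network management from outside.
        if src in OUTSIDE and (dst in INSIDE or dst == "dmz") and svc in MGMT_SERVICES:
            violations.append(("no_mgmt_from_outside", where))
        # Collect the services on each leg for the common-port check below.
        if src in OUTSIDE and dst == "dmz":
            out_to_dmz.add(svc)
        elif src == "dmz" and dst in INSIDE:
            dmz_to_in.add(svc)
        elif src in INSIDE and dst == "dmz":
            in_to_dmz.add(svc)
        elif src == "dmz" and dst in OUTSIDE:
            dmz_to_out.add(svc)

    # No common ports between outside and inside: a service relayed through the DMZ
    # must change protocol/port, so one exploit cannot pass straight through.
    for svc in sorted((out_to_dmz & dmz_to_in) | (in_to_dmz & dmz_to_out)):
        violations.append(("no_common_ports", f"{svc[0]}/{svc[1]} allowed on both legs of the DMZ"))
    return violations


# Constructed sample policies.
GOOD_DEFAULTS = {"enterprise": "deny", "dmz": "deny", "control": "deny"}
GOOD_RULES = [
    ("enterprise", "dmz", "tcp", 3389, "allow"),  # RDP to the terminal server in the DMZ
    ("enterprise", "dmz", "tcp", 443, "allow"),   # reports from the historian mirror
    ("dmz", "control", "tcp", 5900, "allow"),     # terminal server to HMI by VNC: a different port than the outside leg
    ("control", "dmz", "tcp", 1433, "allow"),     # historian pushes to its mirror
    ("dmz", "enterprise", "tcp", 8080, "allow"),  # AV proxy fetches updates through the enterprise proxy
]

BAD_DEFAULTS = {"enterprise": "deny", "dmz": "allow", "control": "deny"}
BAD_RULES = GOOD_RULES + [
    ("enterprise", "control", "tcp", 3389, "allow"),  # RDP straight into the Control Zone
    ("dmz", "control", "tcp", 3389, "allow"),         # same port on both legs: RDP relayed through the DMZ
    ("enterprise", "dmz", "udp", 161, "allow"),       # SNMP management of DMZ gear from outside
    ("control", "internet", "tcp", 80, "allow"),      # a control host browsing the Internet
]

if __name__ == "__main__":
    print("good policy:", check_policy(GOOD_DEFAULTS, GOOD_RULES))
    for principle, detail in check_policy(BAD_DEFAULTS, BAD_RULES):
        print("bad policy:", principle, detail)
```

The good policy passes because the outside leg (RDP, HTTPS into the DMZ) and the inside leg (VNC into the Control Zone) use different services; the bad policy is caught on all four principles. "Limited inbound/outbound" and the emergency disconnect are judgement calls and operational arrangements that a rule checker cannot decide for you.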
59. DMZ Implementation (1) [diagram: multi-port Security Appliance (NAT, Routing, FW, IPS) with physical DMZ LAN 2, LAN 3 and LAN 4; Anti-Virus Proxy; Host IPS / Anti-virus on DMZ servers; DMZ/Control Interconnect; WAN/LAN; Enterprise LAN]
60. DMZ Implementation (2) [diagram: VLAN-capable Security Appliance (NAT, Routing, FW, IPS) connected by a dot1q trunk to a VLAN-capable L2 switch carrying DMZ VLAN 2, VLAN 3 and VLAN 4 (NOT L3!); Anti-Virus Proxy; Host IPS / Anti-virus; DMZ/Control Interconnect; WAN/LAN; Enterprise LAN]
61. DMZ Implementation <ul><li>Sub-zones implemented by physical LANs or VLANs </li></ul><ul><ul><li>Physical LANs require a multi-port Security Appliance </li></ul></ul><ul><ul><li>VLANs require: </li></ul></ul><ul><ul><ul><li>VLAN-capable Security Appliance and Switch </li></ul></ul></ul><ul><ul><ul><li>Anti-VLAN-hopping protections on switch and FW (e.g. no trunk auto-negotiation on access ports, an unused native VLAN on trunks) </li></ul></ul></ul><ul><ul><ul><li>NO L3 (routing) on the switch, otherwise traffic between sub-zones bypasses the firewall </li></ul></ul></ul><ul><li>FW implements policy between </li></ul><ul><ul><li>DMZ LANs, Enterprise Zone, Control Zone </li></ul></ul><ul><li>Anti-virus proxy controls outbound HTTP and/or FTP access to enterprise or Internet resources </li></ul><ul><li>Host IPS and/or Host Anti-virus protects DMZ servers </li></ul>
62. Remote Access DMZ [diagram: Remote Access VPN terminating in a Remote Access Pool; AAA Server; Certificate Authority; Terminal Services; DMZ/Control Interconnect; WAN/LAN; Enterprise LAN]
63. Remote Access <ul><li>Security Appliance terminates the Host-to-site VPN into the remote access pool </li></ul><ul><ul><li>IPSEC VPN, SSL VPN, PPTP VPN (PPTP's MS-CHAPv2 authentication has since been broken; prefer IPsec or SSL VPN) </li></ul></ul><ul><li>Authenticates the user via: </li></ul><ul><ul><li>AAA server, LDAP, Active Directory, etc. </li></ul></ul><ul><ul><li>Can enforce use of a multi-factor hardware token </li></ul></ul><ul><ul><ul><li>Time-varying password tokens for vendor access </li></ul></ul></ul><ul><li>Clients use VNC, Citrix, or Remote Desktop (RDP) to connect to the Terminal Server in the DMZ </li></ul><ul><li>Then VNC, Citrix, RDP, or Control System Apps from the Terminal Server to the Control System Servers, so no remote host ever connects to the Control Zone directly </li></ul>
64. Direct Remote Access DMZ [diagram: Host-to-LAN VPN into a Remote Access Pool with Endpoint Posture Assessment; AAA Server; Certificate Authority; Role-Based ACLs constrain network access within the Control Network; DMZ/Control Interconnect; WAN/LAN; Enterprise LAN]
65. Direct Remote Access <ul><li>Security Appliance terminates the Host-to-site VPN into the remote access pool </li></ul><ul><li>Security Appliance assesses the endpoint's security posture </li></ul><ul><li>Authenticates the user via AAA, LDAP, AD, etc. </li></ul><ul><li>Clients use VNC, Citrix, or RDP to connect directly to the Control System </li></ul><ul><ul><li>BUT </li></ul></ul><ul><li>Security Appliance enforces Authorization via User and/or Group ACLs </li></ul><ul><ul><li>Role-Based Access Control </li></ul></ul>
66. Control Zone—Logical View [diagram: Process Control Zone below the DMZ: Level 3 Site Operations and Control (Production Control, Optimizing Control, Engineering Station, Historian); Level 2 Area Supervisory Control (Supervisory Control, HMI); Level 1 Basic Control (Batch Control, Discrete Control, Hybrid Control, Continuous Control); Level 0]
67. Control Zone Design Principles <ul><li>Multiple functional security sub-zones </li></ul><ul><li>Firewall and IDS between sub-zones </li></ul><ul><li>Minimal number of connections to the DMZ </li></ul><ul><li>Control Zone independent of DMZ and Enterprise </li></ul><ul><ul><li>Separate Security Appliance from the DMZ's </li></ul></ul><ul><ul><li>Separate Time Server </li></ul></ul><ul><ul><li>Separate AAA </li></ul></ul><ul><ul><li>Allows emergency disconnect from the DMZ without losing control functions </li></ul></ul><ul><li>Cryptographic VPN and Firewall to all offsite IP connections (Field Site or Partner) </li></ul><ul><li>IEEE P1711 for all offsite serial ICS connections </li></ul><ul><li>Host IDS, Host AV, or app whitelisting where feasible </li></ul><ul><li>Management only from the management zone </li></ul>
68. Control Zone Implementation—Hierarchical <ul><li>Fast routing between VLANs via L3 switch </li></ul><ul><li>ACLs between VLANs but no Stateful Firewall </li></ul>[diagram: Level 1, 2 and 3 sub-zones on dot1q trunks through L3 and L2 switches (Gigabit and 10/100) with QoS, Shaping, Policing and Port Security; SPAN port feeding IDS and Scan; FW to the DMZ/Control Interconnect and WAN/LAN; Host IDS and Host AV on servers]
69. Control Zone Implementation—Ring <ul><li>Ring reduces wiring for linear sites like power dams </li></ul><ul><li>but spanning tree can have problems with large rings </li></ul>[diagram: the same elements as the hierarchical design, with the L2 switches connected in a ring]
70. Perimeter Protection in Utilities [diagram elements: Firewall, IDS/IPS, Client VPN, Proxy, Network AV, Host IDS/IPS, NAC, Site-to-site VPN, DMZ]
71. Interior Protection in Utilities [diagram elements: IDS, Port Scan, Vuln Scan, Firewall, NAC, SCADA VPN]
72. Monitor, Log, Analyze, Report [diagram elements: Log, Analyze, Report, Compliance, Managed Security]
73. Beyond Network Security <ul><li>Planning, processes, procedures, physical security, etc. are also important </li></ul><ul><li>NERC CIP Regulatory Requirements provide reasonably good guidance in this area: </li></ul><ul><ul><li>CIP-001: Sabotage Reporting </li></ul></ul><ul><ul><li>CIP-002: Critical Cyber Asset Identification </li></ul></ul><ul><ul><li>CIP-003: Security Management Controls </li></ul></ul><ul><ul><li>CIP-004: Personnel & Training </li></ul></ul><ul><ul><li>CIP-005: Electronic Security Perimeters </li></ul></ul><ul><ul><li>CIP-006: Physical Security </li></ul></ul><ul><ul><li>CIP-007: Systems Security Management </li></ul></ul><ul><ul><li>CIP-008: Incident Reporting & Response Planning </li></ul></ul><ul><ul><li>CIP-009: Recovery Plans for Critical Cyber Assets </li></ul></ul><ul><li>See www.nerc.com -> Standards -> Reliability Standards -> CIP </li></ul>
74. Summary <ul><li>Today’s ICS are a mix of modern and legacy </li></ul><ul><ul><li>Vulnerabilities due to both lack of security design in legacy and security issues in newer equipment </li></ul></ul><ul><li>Defense in depth is essential </li></ul><ul><ul><li>Both perimeter (DMZ) and interior security are crucial </li></ul></ul><ul><li>Regulation and government action are driving change </li></ul><ul><li>Smart Grid must be designed with strong security </li></ul>
75. Questions? Thanks! [email_address]
76. Standards Efforts <ul><li>NERC CIPs </li></ul><ul><li>NIST Smart Grid Interoperability Standards Project </li></ul><ul><li>NIST SP800-82 </li></ul><ul><li>NIST SP800-53 </li></ul><ul><li>NIST PCSRF Protection Profiles </li></ul><ul><li>AMI-SEC </li></ul><ul><li>ISA SP99 </li></ul><ul><li>ODVA </li></ul><ul><li>IEEE P1711 (AGA 12) -- serial SCADA encryption </li></ul>
77. A Few References <ul><li>www.nist.gov/smartgrid </li></ul><ul><li>Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8 </li></ul><ul><li>Guide to SCADA and Industrial Control System Security, NIST SP800-82 </li></ul><ul><li>ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821 </li></ul><ul><li>AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net </li></ul>