Improving SCADA Security


Presented in SCADA Asia Summit @ KL, Malaysia July 2010

  1. Improving Control System Security, by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS, Chief Security Officer, PTT ICT Solutions Co., Ltd. (A Company of PTT Group), July 2010
  2. About Speaker
     • Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
     • Title: Chief Security Officer (CSO)
     • Company: PTT ICT Solutions Company Limited, A Company of PTT Group
     • Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
     • Contributed to Thailand Cyber Crime Act B.E.2550
     • Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544)
     • Workgroup for CA service standard development
     • Committee of national standard adoption of ISO27001/ISO27002
     • Committee of Thailand Information Security Association (TISA)
     • Committee of Cybersecurity taskforce development, Division of Skill Development, Ministry of Labour
  3. Sub Topics:
     • Examining current security trends and their impact for SCADA systems
     • Increasing the security and usability of SCADA systems
     • Understanding tools and techniques to mitigate SCADA security risk
  4. See Videos
     1. DHS experiment on hacking to destroy a generator
     2. US Power Grid under attack - Clarke
  5. [Diagram of threat relationships. Labels: Adversary (Hacker, Terrorist, Disgruntled employee); Malicious code/Virus/Worm; Vulnerabilities/Weaknesses; Manufacture; Plant Operation; Control Systems; National Critical Infrastructure; Law/Compliance/Regulator; Industry-specific Standard/Guideline; Government]
  6. Simplification [diagram; recoverable text fragments: "Not only someone (and someone else) hate someone", "but someone develop a weapon", "someone has to do something", "someone else got trouble"]
  7. Does the system integrator have security in mind?
     • Are all possible conditions properly handled?
     • Is the program running in the controller security-aware by design?
     • The more security, the harder UAT and commissioning become, which may delay the project payment. Guess what!!! They don't do it unless explicitly required or asked for.
     • Is it in the TOR?
  8. Does the system integrator have security in mind? (cont.)
     "None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect."
     Joseph Weiss, executive consultant for KEMA Consulting
  9. For your TOR/RFP
  10. Educating the Engineering Department
  11. Normal Operation [diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC]
  12. Hacking on Operator workstation, Scenario #1.1: Known local admin password [diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC]
     • Hacker knows local admin password
     • Connects to GUI's server via Remote Desktop
     • Remotely control GUI
     • Add new user
     • Open share folder
  13. Hacking on Operator workstation, Summary of Scenario #1.1: Known local admin password
     • Required condition:
       – Local admin password is known (default password)
       – Remote Desktop is opened
     • Consequence: Attacker can take over the system
       – Attacker can take over GUI
       – Attacker can add new user
       – Attacker can open share folder
     • Remediation:
       – Change default password
       – Restrict access to Remote Desktop
  14. Hacking on Operator workstation, Scenario #1.2: Unpatched [diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC]
     • Hacker attacks a vulnerability on the server
     • Unpatched GUI's server is exploited
     • Remotely control GUI
     • Add new user
     • Open share folder
  15. Hacking on Operator workstation, Summary of Scenario #1.2: Unpatched
     • Required condition:
       – Operator workstation is not patched
     • Consequence: Attacker can take over the system
       – Attacker can take over GUI
       – Attacker can add new user
       – Attacker can open share folder
     • Remediation:
       – Regularly update the workstation
       – Monitor the system integrity
       – Consider intrusion detection system
       – Consider security perimeter
  16. Hacking on Operator workstation, Scenario #1.3: Password Sniffing [diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC]
     • Sniff password in the network
  17. Hacking on Operator workstation, Summary of Scenario #1.3: Password Sniffing
     • Required condition:
       – Web-based HMI
       – Operator sends login password via HTTP
     • Consequence:
       – Password is known to hacker
       – Hacker can login to Web-based HMI
     • Remediation:
       – Use HTTPS instead of HTTP
       – Consider detection measure
  18. Hacking on Operator workstation, Scenario #1.4: Remember password [diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC]
     • Plug USB U3 thumb drive
     • Dump "remember password"
  19. Hacking on Operator workstation, Summary of Scenario #1.4: Remember password
     • Required condition:
       – Physical access to system
       – Autorun enabled
     • Consequence:
       – Password is stolen
     • Remediation:
       – Limit physical access to system
       – Disable Autorun (all drives)
       – Don't use remember password feature
  20. Hacking on HMI Web & DB server, Scenario #2: SQL Injection [diagram: Operator, Operator Workstation, HMI Web & DB Server (Injection flaw!), PLC]
     • SQL Injection
     • Delete table
     • Modify data in table
     • Insert, Delete, Update
  21. Hacking on HMI Web & DB Server, Summary of Scenario #2: SQL Injection
     • Required condition:
       – Web-based HMI
       – SQL Injection flaw
     • Consequence:
       – Direct database manipulation
     • Remediation:
       – Input validation
       – Web Application security assessment
       – Web Application Firewall (WAF)
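The Scenario #2 remediations (input validation and a parameterised query) as an added example that is not part of the original deck: a constructed in-memory SQLite table of HMI tags is queried first the vulnerable way and then the hardened way. The table, tag names and function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed in-memory "HMI Web & DB server" tag table (example data, not from the deck).
def build_hmi_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tags (name TEXT, value REAL, writable INTEGER)")
    db.executemany("INSERT INTO tags VALUES (?, ?, ?)", [
        ("pump1_speed", 1450.0, 1),
        ("valve3_pos", 42.5, 1),
        ("tank2_level", 7.8, 0),
    ])
    return db

def read_tag_vulnerable(db, tag_name):
    # The injection flaw: the web-form value is concatenated straight into the SQL text,
    # so quotes and operators in the input become part of the query itself.
    sql = "SELECT name, value FROM tags WHERE name = '" + tag_name + "'"
    return db.execute(sql).fetchall()

def read_tag_hardened(db, tag_name):
    # Parameterised query: the input is bound as data and cannot change the query structure.
    return db.execute("SELECT name, value FROM tags WHERE name = ?", (tag_name,)).fetchall()

# Input validation (the deck's first remediation): an HMI tag name is a short identifier,
# so anything else is rejected before it reaches the database at all.
TAG_NAME_ALLOWED = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")

def read_tag_validated(db, tag_name):
    if not TAG_NAME_ALLOWED.match(tag_name):
        raise ValueError("rejected tag name: %r" % tag_name)
    return read_tag_hardened(db, tag_name)

if __name__ == "__main__":
    db = build_hmi_db()
    crafted = "x' OR '1'='1"   # a form value that is not a tag name
    print(len(read_tag_vulnerable(db, crafted)), "rows leaked by the vulnerable query")
    print(len(read_tag_hardened(db, crafted)), "rows from the parameterised query")
```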
  22. Hacking on PLC, Scenario #3: Direct PLC Manipulation [diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC]
     • Open port 2222/TCP!
     • Control valve/pump
     • Change PLC mode
     • System halt
     • Take control of PLC
     • Modify PLC data
     • Disrupt PLC operation
  23. Hacking on PLC, Summary of Scenario #3: Direct PLC Manipulation
     • Required condition:
       – Port 2222/TCP is opened (Allen Bradley)
       – No authentication
       – Network routable
     • Consequence:
       – Access PLC's data table
     • Remediation:
       – Enable authentication where possible
       – Routing control/Network isolation (verify)
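An added example (not from the original deck) of the "Routing control/Network isolation (verify)" remediation for Scenario #3: it scans constructed firewall connection-log lines for TCP connections to a PLC on port 2222 and flags any source that is not an authorised HMI host or that lies outside the control subnet. The log format, addresses and allow-list are assumptions.

```python
import ipaddress
from collections import namedtuple

PLC_PORT = 2222  # TCP port named in Scenario #3 of the deck (Allen Bradley)

# Assumed control-network layout for this example: the PLC may only be reached from the
# HMI Web & DB server and the operator workstation, and only from inside the control subnet.
AUTHORIZED_PLC_CLIENTS = {"10.10.1.10", "10.10.1.20"}
CONTROL_SUBNET = ipaddress.ip_network("10.10.1.0/24")

Finding = namedtuple("Finding", "src dst reason")

def parse_conn_line(line):
    # Constructed key=value log format (not any real vendor's), e.g.
    # "src=10.10.1.10 dst=10.10.1.50 proto=tcp dport=2222 action=allow"
    return dict(kv.split("=", 1) for kv in line.split())

def check_plc_connections(lines, plcs):
    """Return a Finding for every TCP/2222 connection to a PLC that the design does not permit."""
    findings = []
    for line in lines:
        f = parse_conn_line(line)
        if f.get("proto") != "tcp" or int(f.get("dport", 0)) != PLC_PORT:
            continue                       # not PLC protocol traffic
        if f.get("dst") not in plcs:
            continue                       # destination is not a PLC
        src = f["src"]
        if ipaddress.ip_address(src) not in CONTROL_SUBNET:
            # The "network routable" condition: a host outside the control subnet reached the PLC.
            findings.append(Finding(src, f["dst"], "routable from outside control subnet"))
        elif src not in AUTHORIZED_PLC_CLIENTS:
            findings.append(Finding(src, f["dst"], "unauthorized control-subnet host"))
    return findings

# Constructed sample log lines.
SAMPLE_LOG = [
    "src=10.10.1.10 dst=10.10.1.50 proto=tcp dport=2222 action=allow",   # HMI server: permitted
    "src=10.10.1.20 dst=10.10.1.50 proto=tcp dport=2222 action=allow",   # operator workstation: permitted
    "src=10.10.1.33 dst=10.10.1.50 proto=tcp dport=2222 action=allow",   # unknown host on control subnet
    "src=192.168.5.7 dst=10.10.1.50 proto=tcp dport=2222 action=allow",  # corporate LAN host reached the PLC
    "src=192.168.5.7 dst=10.10.1.10 proto=tcp dport=443 action=allow",   # HTTPS to HMI, not PLC traffic
]
PLCS = {"10.10.1.50"}

if __name__ == "__main__":
    for finding in check_plc_connections(SAMPLE_LOG, PLCS):
        print("%s -> %s: %s" % finding)
```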
  24. Qualified professional undersupply [Venn diagram: IT Professional, Infosec Prof., Control System Prof.; the overlap is the Control System Cybersecurity Prof.]
  25. The Implication
     • Only a small number of professionals have the right competency to help you out
     • Collaboration and support from the professional community is highly needed
  26. Available Guidelines
     • 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
     • Roadmap to Secure Control Systems in the Chemical Sector, US-DHS
     • Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, API
     • ISA99 - Control Systems Security Model
     • ISO27001, ISO27002 (ISO17799)
  27. 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
     1. Identify all connections to SCADA networks
     2. Disconnect unnecessary connections to the SCADA network
     3. Evaluate and strengthen the security of any remaining connections to the SCADA network
     4. Harden SCADA networks by removing or disabling unnecessary services
     5. Do not rely on proprietary protocols to protect your system
     6. Implement the security features provided by device and system vendors
     7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
     8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
     9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
     10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
     11. Establish SCADA "Red Teams" to identify and evaluate possible attack scenarios
     12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
     13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
     14. Establish a rigorous, ongoing risk management process
     15. Establish a network protection strategy based on the principle of defense-in-depth
     16. Clearly identify cyber security requirements
     17. Establish effective configuration management processes
     18. Conduct routine self-assessments
     19. Establish system backups and disaster recovery plans
     20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
     21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
  28. NIST SP800-82: Guide to Industrial Control Systems (ICS) Security
     • Executive Summary
     1. Introduction
     2. Overview of Industrial Control Systems
     3. ICS Characteristics, Threats and Vulnerabilities
     4. ICS Security Program Development and Deployment
     5. Network Architecture
     • ICS Security Controls
  29. What are Industrial Control Systems (ICS), SCADA and DCS?
     Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. There are two primary types of Control Systems.
     – Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area.
     – Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations.
     Source: NIST SP800-82 Final Public DRAFT (Sep. 2008)
  30. Major ICS Security Objectives
     • Restricting logical access to the ICS network and network activity
       – This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
     • Restricting physical access to the ICS network and devices
       – Unauthorized physical access to components could cause serious disruption of the ICS's functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
  31. Key Takeaways for Securing ICS
     The most successful method for securing an ICS is to:
     • Gather industry recommended practices
     • Engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT department, the physical security department, and a trusted automation advisor
     • Draw upon the wealth of information available from ongoing federal government, industry group, vendor and standards organizational activities.
  32. ISA 99: ISA SP-99 – Manufacturing and Control Systems Security
     Scope - A Broad View
     • ISA has taken a broad view:
       – Based on function, not industry, type of control or other limited views
     • Includes
       – SCADA/EMS
       – DCS
       – PLCs
       – RTUs/IEDs
       – Transmitters, meters, control valves, to enterprise wide HMIs, …
       – Enterprise applications, to the extent they can affect control
     • Not limited to one or a few industries or technologies
       – In other words, a very broad encompassing definition
  33. Scope of Security Standards [diagram: Purdue Reference Model levels mapped to the standards that cover them]
     • Level 5: Company Management (Data Presentation, Information); IT Security Policies and Practices (ISO 17799)
     • Level 4: Company Production Scheduling (Production Scheduling, Assignment)
     • Level 3: Operational & Production Supervision/Management (Supervisor's Console, Inter-Area Coordination)
     • Level 2: Supervisory Control; Mfg Security Policies and Practices (ISA 99)
     • Level 1: Direct Digital Control (Operator's Console, Controllers, Process)
     • Process Safety: ISA 84, IEC 61508, IEC 61511
  34. ISA SP-99 Part 1
     • What is included in SP-99 Part 1:
       – Definitions of Manufacturing and Control Systems security terms
       – Description of the terminology used in security as it applies to Manufacturing and Control Systems
       – A Common Model for specifying security requirements for a Manufacturing and Control Systems program
       – Covers reference architecture for describing the security environment
       – The standard is not specific to vendors, customers, or any particular aspect of Manufacturing and Control Systems security
     • First ballot expected by Q1 2006
  35. ISA SP-99 Part 2
     • What is included in SP-99 Part 2:
       – Activity 1 – Develop a Business Case
       – Activity 2 – Obtain Leadership Commitment, Support, and Funding
       – Activity 3 – Define the Charter and Scope of M&CS Security for Your Company
       – Activity 4 – Form a Team of Stakeholders
       – Activity 5 – Raise Staff Cyber Security Capability Through Training
       – Activity 6 – Characterize the Key M&CS Risks
       – Activity 7 – Define the Corporate Risk Tolerance Level
       – Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level
       – Activity 9 – Perform a Screening Assessment
       – Activity 10 – Organize for Security
       – Activity 11 – Prioritize Systems and Conduct a Detailed Security Assessment
  36. ISA SP-99 Part 2, continued
     • What is included in SP-99 Part 2, continued:
       – Activity 12 – Develop Detailed M&CS Cyber Security Policies & Procedures
       – Activity 13 – Define Standard Set of M&CS Security Risk Mitigation Controls
       – Activity 14 – Develop Integrated Cyber Security Management System Plan
       – Activity 15 – Quick Fix
       – Activity 16 – Charter, Design, & Execute Cyber Security Risk Mitigation Projects
       – Activity 17 – Refine and Implement Cyber Security Management System
       – Activity 18 – Adopt Continuous Improvement Operational Measures
     • First ballot is expected by Q3 2006
  37. TR99.00.01 - Technology Areas
     • Authentication and Authorization
     • Filtering/Blocking/Access Control
     • Encryption and Data Validation
     • Audit, Measurement, Monitoring and Detection Tools
     • Operating Systems
     • Physical Security
  38. TR99.00.01 Authentication and Authorization
     • Role Based Authorization Tools
     • Password Authentication
     • Challenge Response Authentication
     • Physical/Token Authentication
     • Smart Card Authentication
     • Biometric Authentication
     • Location Based Authentication
     • Password Distribution and Management Technologies
     • Device to Device Authentication
  39. TR99.00.01 Filtering/Blocking/Access Control
     • Dedicated Firewalls (Hardware Based)
     • Host-based Firewalls (Software Based)
     • Virtual Local Area Networks (VLANs)
  40. TR99.00.01 Encryption Technologies and Data Validation
     • Symmetric (Private) Key Encryption
     • Public Key Encryption and Key Distribution
     • Virtual Private Networks (VPNs)
     • Digital Certificates
  41. TR99.00.01 Audit, Measurement, Monitoring and Detection Tools
     • Log Auditing Utilities
     • Virus/Malicious Code Detection
     • Intrusion Detection Systems
     • Network Vulnerability Scanners
     • Network Forensics and Analysis Tools
     • Host Configuration Management Tools
     • Automated Software Management Tools
  42. TR99.00.01 Computer Software
     • Server and Workstation Operating Systems
     • Real-time and Embedded Operating Systems
     • Web and Internet Technologies
  43. Summary
     • Guidelines and best practices are available
     • Study and apply those related to your specific requirements and circumstances
     • Keep updated