Your SlideShare is downloading. ×
Improving SCADA Security
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Improving SCADA Security


Published on

Presented in SCADA Asia Summit @ KL, Malaysia July 2010

Presented in SCADA Asia Summit @ KL, Malaysia July 2010

  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Improving Control System Security by Chaiyakorn Apiwathanokul CISSP, GCFA, IRCA:ISMS Chief Security Officer PTT ICT Solutions Co., Ltd. A Company of PTT Group July 2010
  • 2. About Speaker Name: Chaiyakorn Apiwathanokul ไชยกร อภิวัฒโนกุล Title: Chief Security Officer (CSO) Company: PTT ICT Solutions Company Limited A Company of PTT Group Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA • Contribute to Thailand Cyber Crime Act B.E.2550 • Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544) • Workgroup for CA service standard development • Committee of national standard adoption of ISO27001/ISO27002 • Committee of Thailand Information Security Association (TISA) • Committee of Cybersecurity taskforce development, Division of Skill Development, Ministry of Labour
  • 3. Sub Topic:  Examining current security trends and their impact for SCADA systems  Increasing the security and usability of SCADA systems  Understanding tools and techniques to mitigate SCADA security risk
  • 4. See Videos 1. DHS experiment on hacking to destroy a generator 2. US Power Grid under attack - Clarke
  • 5. Malicious code/ Virus/Worm Adversary/ Terrorist/ Disgruntled Hacker employee Vulnerabilities/ Weaknesses has Manufacture National Critical Plant Infrastructure Control Operation Systems Law/ Industry- Government Compliance/ specific Standard/ Regulator Guideline
  • 6. Simplification Not only someone Someone Someone Someone (and someone but else) hate develop a someone has to do someone weapon else got something trouble
  • 7. Is the system integrator has security in mind? • Is all possible condition properly handled? • Is the program running in the controller a security- aware by design? • The more security, the harder for UAT and commissioning, thus it may cause the delay of project payment. Guess what!!! They don’t do it only unless explicitly required or asked for. • Is it in the TOR?
  • 8. Is the system integrator has security in mind? (cont.) “None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect.” Said by Joseph Weiss, executive consultant for KEMA Consulting
  • 9. For your TOR/RFP
  • 10. Educating the Engineering Department
  • 11. Normal Operation HMI Web & DB Operator Operator Workstation PLC Server
  • 12. Hacking on Operator workstation Scenario #1.1 Known local admin password HMI Web & DB Operator Workstation Operator PLC Server Connected Connect to GUI‘s Server Remote desktop  Remotely control GUI  Add new user  Open Share folder Hacker knows local admin password
  • 13. Hacking on Operator workstation Summary Scenario #1.1 Known local admin password Required condition:  Local admin password is known (default password)  Remote Desktop is opened Consequence: Attacker can take over the system  Attacker can take over GUI  Attacker can add new user  Attacker can open share folder Remediation:  Change default password  Restrict access to Remote Desktop
  • 14. Hacking on Operator workstation Scenario #1.2 unpatched HMI Web & DB Operator PLC Operator Server Workstation Unpatched GUI‘s Server Exploited server  Remotely control GUI  Add new user  Open Share folder Hacker attack on vulnerability’s server
  • 15. Hacking on Operator workstation Summary Scenario #1.2 unpatched Required condition:  Operator workstation is not patched Consequence: Attacker can take over the system  Attacker can take over GUI  Attacker can add new user  Attacker can open share folder Remediation:  Regularly update the workstation  Monitor the system integrity  Consider intrusion detection system  Consider security perimeter
  • 16. Hacking on Operator workstation Scenario #1.3 Password Sniffing password PLC HMI Web & DB Server Operator Work station Operator Sniff password in the network
  • 17. Hacking on Operator workstation Summary Scenario #1.3 Password Sniffing Required condition:  Web-based HMI  Operator sends login password via HTTP Consequence:  Password is known to hacker  Hacker can login to Web-based HMI Remediation:  Use HTTPS instead of HTTP  Consider detection measure
  • 18. Hacking on Operator workstation Scenario #1.4 Remember password PLC HMI Web & DB Server Operator Work station Operator Remember password Dump “remember password” Plug USB U3 Thumb drive
  • 19. Hacking on Operator workstation Summary Scenario #1.4 Remember password Required condition:  Physically access to system  Autorun enabled Consequence:  Password is stolen Remediation:  Limit physical access to system  Disable Autorun (all drive)  Don’t use remember password feature
  • 20. Hacking on HMI Web & DB server Scenario #2 SQL Injection HMI Web & DB Server Operator Work Operator PLC Injection flaw! station SQL Injection  Delete table  Modify data in table  Insert, Delete, Update
  • 21. Hacking on HMI Web & DB Server Summary Scenario #2 SQL Injection Required condition:  Web-based HMI  SQL Injection flaw Consequence:  Direct database manipulation Remediation:  Input validation  Web Application security assessment  Web Application Firewall (WAF)
  • 22. Hacking on PLC Scenario #3 Direct PLC Manipulation PLC HMI Web & DB Server Operator Work station Operator Open port 2222/TCP !  Control valve/pump  Change PLC Mode  system halt  Take control of PLC  Modify PLC data  Disrupt PLC operation
  • 23. Hacking on PLC Summary Scenario #3 Direct PLC Manipulation Required condition:  Port 2222/TCP is opened (Allen Bradley)  No authentication  Network routable Consequence:  Access PLC’s data table Remediation:  Enable authentication where possible  Routing control/ Network isolation (verify)
  • 24. Qualified professional undersupply IT Professional Control Infosec System Prof. Prof. Control System Cybersecurity Prof.
  • 25. The Implication • Only small number of professional with right competency to help you out • Collaboration and support from professional community is highly needed
  • 26. Available Guidelines • 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE • Roadmap to Secure Control Systems in the Chemical Sector, US-DHS • Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, API • ISA99 - Control Systems Security Model • ISO27001, ISO27002 (ISO17799)
  • 27. 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE 1. Identify all connections to SCADA networks 12. Clearly define cyber security roles, responsibilities, and 2. Disconnect unnecessary connections to the SCADA authorities for managers, system administrators, and network users 3. Evaluate and strengthen the security of any remaining 13. Document network architecture and identify systems that connections to the SCADA network serve critical functions or contain sensitive information 4. Harden SCADA networks by removing or disabling that require additional levels of protection unnecessary services 14. Establish a rigorous, ongoing risk management process 5. Do not rely on proprietary protocols to protect your 15. Establish a network protection strategy based on the system principle of defense-in-depth 6. Implement the security features provided by device 16. Clearly identify cyber security requirements and system vendors 17. Establish effective configuration management processes 7. Establish strong controls over any medium that is used 18. Conduct routine self-assessments as a backdoor into the SCADA network 19. Establish system backups and disaster recovery plans 8. Implement internal and external intrusion detection 20. Senior organizational leadership should establish systems and establish 24-hour-a-day incident expectations for cyber security monitoring. • performance and hold individuals accountable for their 9. Perform technical audits of SCADA devices and performance networks, and any other connected networks, to 21. Establish policies and conduct training to minimize the identify security concerns likelihood that organizational personnel will inadvertently 10. Conduct physical security surveys and assess all disclose sensitive information regarding SCADA system remote sites connected to the SCADA network to design, operations, or security controls. evaluate their security 11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
  • 28. NIST SP800-82 NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security Executive Summary 1. Introduction 2. Overview of Industrial Control Systems 3. ICS Characteristics, Threats and Vulnerabilities 4. ICS Security Program Development and Deployment 5. Network Architecture ICS Security Controls
  • 29. What is Industrial Control Systems (ICS), SCADA and DCS? Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. There are two primary types of Control Systems. – Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area. – Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations. NIST SP800-82 Final Public DRAFT (Sep. 2008)
  • 30. Major ICS Security Objectives • Restricting logical access to the ICS network and network activity – This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer. • Restricting physical access to the ICS network and devices – Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
  • 31. Key Take Away to Securing ICS The most successful method for securing an ICS is to: • Gather industry recommended practices • Engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT department, the physical security department, and a trusted automation advisor • Draw upon the wealth of information available from ongoing federal government, industry group, vendor and standards organizational activities.
  • 32. ISA 99 ISA SP-99 – Manufacturing and Control Systems Security Scope - A Broad View • ISA has taken a broad view: – Based on function, not industry, type of control or other limited views • Includes – SCADA/EMS – DCS – PLCs – RTUs/IEDs – Transmitters, meters, control valves, to enterprise wide HMIs, … – Enterprise applications, to the extent they can affect control • Not limited to one or a few industries or technologies – In other words, a very broad encompassing definition
  • 33. Scope of Security Standards Company Management Company Management IT Security Policies and Practices Data Presentation Information Level 5 (ISO 17799) Company Production Company Production Assignment Scheduling Scheduling Assignment Supervision Purdue reference Model Levels Production Scheduling Level 4 Operational & Production & Operational Supervision Management Level 3 Supervisor’s Console Inter-Area Coordination Mfg Security Policies Supervisor’s Console and Practices Level 2 Supervisory Control (ISA 99) Level 1 Operator’s Console Direct Digital Control Process Safety IEC 61511) IEC 61508, (ISA 84, Controllers Process 33
  • 34. ISA SP-99 Part 1 • What is included in SP-99 Part 1: – Definitions of Manufacturing and Control Systems security terms – Description of the terminology used in security as it applies to Manufacturing and Control Systems – A Common Model for specifying security requirements for Manufacturing and Control Systems program – Covers reference architecture for describing the security environment – The standard is not specific to vendors, customers, or any particular aspect of Manufacturing and Control Systems security • First ballot expected by Q1 2006 34
  • 35. ISA SP-99 Part 2 • What is included in SP-99 Part 2: – Activity 1 – Develop a Business Case – Activity 2 – Obtain Leadership Commitment, Support, and Funding – Activity 3 – Define the Charter and Scope of M&CS Security for Your Company – Activity 4 – Form a Team of Stakeholders – Activity 5 – Raise Staff Cyber Security Capability Through Training – Activity 6 – Characterize the Key M&CS Risks – Activity 7 – Define the Corporate Risk Tolerance Level – Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level – Activity 9 – Perform a Screening Assessment – Activity 10 – Organize for Security – Activity 11 – Prioritize Systems and Conduct a Detailed Security Assessment 35
  • 36. ISA SP-99 Part 2, continued • What is included in SP-99 Part 2, continued: – Activity 12 – Develop Detailed M&CS Cyber Security Policies & Procedures – Activity 13 – Define Standard Set of M&CS Security Risk Mitigation Controls – Activity 14 – Develop Integrated Cyber Security Management System Plan – Activity 15 – Quick Fix – Activity 16 – Charter, Design, & Execute Cyber Security Risk Mitigation Projects – Activity 17 – Refine and Implement Cyber Security Management System – Activity 18 – Adopt Continuous Improvement Operational Measures • First ballot is expected by Q3 2006 36
  • 37. TR99.00.01 - Technology Areas • Authentication and Authorization • Filtering/Blocking/Access Control • Encryption and Data Validation • Audit, Measurement, Monitoring and Detection Tools • Operating Systems • Physical Security 37
  • 38. TR99.00.01 Authentication and Authorization • Role Based Authorization Tools • Password Authentication • Challenge Response Authentication • Physical/Token Authentication • Smart Card Authentication • Biometric Authentication • Location Based Authentication • Password Distribution and Management Technologies • Device to Device Authentication 38
  • 39. TR99.00.01 Filtering/Blocking/Access Control • Dedicated Firewalls (Hardware Based) • Host-based Firewalls (Software Based) • Virtual Local Area Networks (VLANs) 39
  • 40. TR99.00.01 Encryption Technologies and Data Validation • Symmetric (Private) Key Encryption • Public Key Encryption and Key Distribution • Virtual Private Networks (VPNs) • Digital Certificates 40
  • 41. TR99.00.01 Audit, Measurement, and Monitoring and Detection Tools • Log Auditing Utilities • Virus/Malicious Code Detection • Intrusion Detection Systems • Network Vulnerability Scanners • Network Forensics and Analysis Tools • Host Configuration Management Tools • Automated Software Management Tools 41
  • 42. TR99.00.01 Computer Software • Server and Workstation Operating Systems • Real-time and Embedded Operating Systems • Web and Internet Technologies 42
  • 43. Summary • Guidelines and best practices are available • Study and apply those related to your specific requirement and circumstances • Keep update
  • 44. 44