Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Hydroelectric generation plants possess a number of cyberterrorism risks, which could cause significant problems like interruptions in the power grid or water leaks from the reservoir, among others. This presentation will discuss the vulnerabilities in the infrastructure of hydroelectric generation plants, some tools to check for them and several remediation techniques to avoid materialization of problems.

  1. Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
     Manuel Humberto Santander Peláez, msantand@isc.sans.org
  2. Agenda
     • Introduction
     • Power Plant Generation SCADA
     • SCADA protocols
     • Cyber Terrorism Risks
     • Remediation
  3. SCADA
     • Supervisory Control and Data Acquisition
     • Platform used to monitor and control all the variables of a real-time process
     • Several variables to monitor
       – Vibrations on the turbine rotor
       – Flow speed of oil inside a turbine rotor
       – Amount of electric charge passing inside an electricity transmission line
  4. Electrical process
     • Three big steps
       – Generation
       – Transmission
       – Distribution
     • Energy is created using any of the following methods
       – Thermoelectric plants
       – Nuclear plants
       – Hydroelectric plants
  5. Electrical process (2)
     • The SCADA platform is vital to perform the following when generation takes place:
       – Ensure turbines are not running at more revolutions than supported
       – Generators are not working overloaded
       – Energy being generated matches the amount of energy that the transmission line can handle
  6. Electrical process (3)
     • Transmission
       – Energy being generated needs to be distributed to reach the final users
       – 115 kV is the voltage used to transmit in the wire lines
       – Final destination are the substations that handle the energy of a specific group of installations
       – Large number of blocks in a city
  7. Electrical process (4)
     • The SCADA platform is vital to perform the following when transmission takes place:
       – Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
       – None of them can get overloaded, because protections get activated and a blackout appears in all the installations controlled by the affected substations
  8. Electrical process (5)
     • Distribution
       – Energy being generated needs to be distributed to reach the final users
       – 115 kV is the voltage used to transmit in the wire lines
       – Final destination are the substations that handle the energy of a specific group of installations
       – Large number of blocks in a city
  9. Electrical process (6)
     • The SCADA platform is vital to perform the following when distribution takes place:
       – Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
       – Monitoring of voltage in user meters, looking for a high amount of electricity flowing
  10. Electrical System (diagram; source: United States Department of Energy)
  11. Hydroelectrical Plant Process (diagram; source: circuitmaniac.com)
  12. Hydroelectrical Turbine (diagram; source: United States Army Corps of Engineers)
  13. Agenda
     • Introduction
     • Power Plant Generation SCADA
     • SCADA protocols
     • Cyber Terrorism Risks
     • Remediation
  14. SCADA Network inside Power Plant (network diagram)
     • Generation Power SCADA: Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console
     • Substation SCADA: Substation controller, Switch Controller, Voltage Meter Reader, Protection Controller, HMI Console
  15. SCADA Network inside Power Plant (2)
     • Generation Power Plant
       – Unit Controller: Controls all the subsystems that make the generator able to inject active power into the electrical network
       – Voltage regulator: Controls the frequency of the active power being produced by the generator. Must match the frequency in the electrical network
  16. SCADA Network inside Power Plant (3)
     • Generation Power Plant
       – Turbine speed regulator: Controls the speed of the turbine
       – Cooling and oil pump controller: Controls refrigeration and lubrication of the rotor system of the turbine so there is no heat or friction
       – Generator protection controller: Controls excessive voltage changes in the generator
  17. SCADA Network inside Power Plant (4)
     • Substation SCADA
       – Substation Controller: Controls all the systems that make it possible for the energy to be transmitted all across the electrical network
       – Switch controller: If there is too much energy on a line trying to exceed its capacity, the switch opens the circuit and the energy stops flowing
  18. SCADA Network inside Power Plant (5)
     • Substation SCADA
       – Voltage meter: Meters the amount of electricity flowing in the input and output lines, so the Substation Controller can tell if there is a problem with the transmission line capacity being exceeded
  19. Agenda
     • Introduction
     • Power Plant Generation SCADA
     • SCADA protocols
     • Cyber Terrorism Risks
     • Remediation
  20. SCADA Protocols
     • Modbus
     • IEC 104
     • DNP3
  21. Modbus (diagram; source: Practical Industrial Data Communications)
  22. Modbus (2)
     • Client/server protocol which operates in a request/response mode
     • Three variants:
       – Modbus serial RS-232/RS-485: Implemented on serial networks
       – Modbus TCP: Used for SCADA platforms where delay is not an issue (Water supply)
       – Modbus UDP: Used for SCADA platforms where delay is a big issue (Energy)
  23. Modbus (3) (diagram; source: Practical Industrial Data Communications)
  24. Modbus (4)
     • Modbus protocol structure
       – Address field:
         • Request frames: Address of the device being targeted by the request
         • Response frames: Address of the device responding to the request
  25. Modbus (5)
     • Modbus protocol structure
       – Function field
         • Function requested by the HMI to be performed by the field devices
         • In response packets, when the function performed succeeded, the field device echoes it. If some exception occurred, the most significant bit of the field is set to 1
  26. Modbus (6)
     Type of access     | Data access                                     | Function name                    | Function code
     Bit access         | Physical Discrete Inputs                        | Read Discrete Inputs             | 2
                        | Internal Bits or Physical Coils                 | Read Coils                       | 1
                        |                                                 | Write Single Coil                | 5
                        |                                                 | Write Multiple Coils             | 15
     16-bit access      | Physical Input Registers                        | Read Input Register              | 4
                        | Internal Registers or Physical Output Registers | Read Holding Registers           | 3
                        |                                                 | Write Single Register            | 6
                        |                                                 | Write Multiple Registers         | 16
                        |                                                 | Read/Write Multiple Registers    | 23
                        |                                                 | Mask Write Register              | 22
                        |                                                 | Read FIFO Queue                  | 24
     File Record Access |                                                 | Read File Record                 | 20
                        |                                                 | Write File Record                | 21
  27. Modbus (7)
     Type of access | Function name                    | Function code
     Diagnostics    | Read Exception Status            | 7
                    | Diagnostic                       | 8
                    | Get Com Event Counter            | 11
                    | Get Com Event Log                | 12
                    | Report Slave ID                  | 17
                    | Read Device Identification       | 43
     Other          | Encapsulated Interface Transport | 43
  28. Modbus (8)
     • Modbus protocol structure
       – Data field
         • In request packets, contains the information required to perform the specific function
         • In response packets, contains the information requested by the HMI
  29. Modbus (9)
     • Modbus protocol structure
       – Error check field
         • CRC-16 on the message frame
         • If the packet has errors, the field device does not process it
         • A timeout is assumed, so the master sends the packet again to attempt the function execution once more
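Slides 24 to 29 describe the Modbus serial (RTU) frame: address, function, data and a CRC-16 error check, with the most significant bit of the function field marking an exception response. The following Python encoder/decoder is an added example, not code from the presentation; it builds and checks frames exactly as those slides describe, and reports a bad CRC instead of silently dropping the frame the way a field device would. The function-code and exception-code tables are subsets, and the sample frames in the usage section are constructed.

```python
import struct

# Subset of the Modbus function codes from the slides' tables.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Register", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# Standard Modbus exception codes (subset).
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Slave Device Failure"}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(address: int, function: int, data: bytes) -> bytes:
    """Address + function + data, then the CRC-16 transmitted low byte first."""
    body = bytes([address, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def parse_frame(frame: bytes) -> dict:
    """Split a received RTU frame; raise ValueError when the CRC does not match."""
    if len(frame) < 4:
        raise ValueError("frame too short for address, function and CRC")
    body, received_crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received_crc:
        # Slide 29: the field device would discard this frame and the master
        # would time out and retransmit. A monitor should surface it instead.
        raise ValueError("CRC mismatch: frame would be discarded by the field device")
    address, function = body[0], body[1]
    is_exception = bool(function & 0x80)       # slide 25: MSB set on exception
    result = {
        "address": address,
        "function": function & 0x7F,
        "function_name": FUNCTION_NAMES.get(function & 0x7F, "unknown"),
        "exception": is_exception,
        "data": body[2:],
    }
    if is_exception:
        code = body[2] if len(body) > 2 else None
        result["exception_code"] = code
        result["exception_name"] = EXCEPTION_NAMES.get(code, "unknown")
    return result


def frame_is_valid(frame: bytes) -> bool:
    """Convenience wrapper: True when the frame parses with a correct CRC."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: read one holding register at address 0 from device 1.
    request = build_frame(1, 3, b"\x00\x00\x00\x01")
    print(request.hex())                     # 010300000001840a
    print(parse_frame(request))
    # Constructed exception response: device 1 answers function 3 with
    # exception code 2 (Illegal Data Address); note 0x83 = 0x03 | 0x80.
    print(parse_frame(build_frame(1, 0x83, b"\x02")))
    # One flipped byte makes the CRC fail.
    tampered = bytearray(request); tampered[3] ^= 0x01
    print(frame_is_valid(bytes(tampered)))   # False
```

The CRC is checked before the function field is interpreted, which mirrors the device behaviour on slide 29: a frame that fails the error check is never acted on, so a monitoring point that sees repeated CRC failures is seeing either line noise or someone injecting frames without a correct checksum.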
  30. IEC 104
     • Standard for power system monitoring, control and communications for telecontrol and teleprotection of electric power systems
     • Completely compatible with:
       – IEC 60870-5-1: Transmission frame formats for standard 60870-5
       – IEC 60870-5-5: Basic application functions
  31. IEC 104 (2)
     • It has the following features:
       – Supports master-initiated messages and master/slave-initiated messages
       – Facility for time synchronization
       – Possibility of classifying the data being transmitted into 16 different groups, to get the data according to the group
       – Cyclic and spontaneous data updating schemes are provided
  32. IEC 104 (3) (diagram; source: Practical Industrial Data Communications)
  33. IEC 104 (4) (diagram; source: Practical Industrial Data Communications)
  34. IEC 104 (5) (diagram; source: Practical Industrial Data Communications)
  35. IEC 104 (6)
     • Link level
     Link service class | Function          | Explanation
     S1                 | SEND / NO REPLY   | Transmit message. No ACK or answer required
     S2                 | SEND / CONFIRM    | Transmit message. ACK required
     S3                 | REQUEST / RESPOND | Transmit message. ACK and answer required
  36. IEC 104 (7) (diagram; source: Practical Industrial Data Communications)
  37. IEC 104 (8)
     • Control field for unbalanced transmissions (diagram; source: Practical Industrial Data Communications)
  38. IEC 104 (8)
     • Control field for balanced transmissions (diagram; source: Practical Industrial Data Communications)
  39. DNP3
     • Set of communication protocols used between components of a SCADA system
     • Used for communications between the RTU and the IED (field devices)
     • Implements the communication levels established by the Enhanced Performance Architecture (EPA)
  40. DNP3 (2)
     • Enhanced Performance Architecture (EPA) (diagram; source: Practical Industrial Data Communications)
  41. DNP3 (3)
     • Message exchange (diagram; source: Practical Industrial Data Communications)
  42. DNP3 (4)
     • Frame format (diagram; source: Practical Industrial Data Communications)
  43. DNP3 (5)
     • Control byte (diagram; source: Practical Industrial Data Communications)
  44. Agenda
     • Introduction
     • Power Plant Generation SCADA
     • SCADA protocols
     • Cyber Terrorism Risks
     • Remediation
  45. Cyberterrorism Risks
     • Many awful things can happen to a power plant
       – Stop generation because of partial or total damage to the generator
       – Stop generation because of partial or total damage to the transmission substation
       – Stop generation because of partial or total damage to the turbine
  46. Cyberterrorism Risks (2)
     • Many awful things can happen to a power plant
       – Transformer explosion because of a lack of transmission line protection capacity
       – Massive water leakage because of an explosion of the turbine container
     • All of them can happen because of unauthorized manipulation of the HMI and after the configs are updated
  47. Network technologies in SCADA Systems
     • Many SCADA networks still use an RS232/RS485 bus to communicate all components
       – But also because of the need to access data in a fast way, we also have serial-to-IP gateways to access serial RTUs and IEDs
       – Lots of hybrid SCADA networks have serial and IP components
       – Access is open to anyone with connectivity
  48. Network technologies in SCADA Systems (2)
     • Many SCADA networks still use an RS232/RS485 bus to communicate all components
       – Admin protocols are not encrypted, so anyone can sniff all the contents, perform a MITM and send fake content to client and server. Insecure services like telnet are mandatory because of lack of support
       – Latency is an issue
  49. Lack of authentication in application protocol
     • The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
       – Only commands are sent
       – Data is sent to the IP address configured as master
       – All the IP spoofing vulnerabilities work on any MTU or field device
       – Any command can be sent
  50. Default configurations in HMI
     • Insecure services used
       – rlogin
       – rcp
       – rexec
     • OS admin privileges used to operate
     • Trust perimeter created between the HMI and external RTUs and IEDs to manipulate configuration parameters
  51. What could be done?
     • Reset a link state communication or send Test Communication packets several times, provoking a temporary DoS to the IED controllers
       – Spoof the HMI IP address and send the following using TCP: 0x56405c00100020074e3
       – Spoof the HMI IP address and send the following using TCP: 0x56405f201000200b717
  52. What could be done? (2)
     • Send commands to the IED controllers
       – Registers are linked to turn on and off specific devices like oil and refrigeration pumps
       – A Modbus command to change registers is enough to disable any of those pumps
       – The command depends on the place where the pump is configured
  53. What could be done? (3)
     • Execute Metasploit against the HMI and try to find remote admin exploits
       – No patches are installed
       – Too many vulnerabilities around
       – The odds of finding remote privilege escalation vulnerabilities are too high
       – Are passwords strong enough in the HMI software and OS?
       – Is there any password at all configured?
  54. What could be done? (3)
     • MITM attacks on the substation elements and generation plant elements
       – TCP sequence predictability on these elements is pretty high
       – Prone to session hijacking (http://www.youtube.com/watch?v=s_XD8heYNrc)
  55. Agenda
     • Introduction
     • Power Plant Generation SCADA
     • SCADA protocols
     • Cyber Terrorism Risks
     • Remediation
  56. What you cannot do with SCADA
     • Protocol delay is usually a BIG issue in SCADA
       – Water supply and oil SCADA tolerate big delays because they have no consequences in the process
       – Power SCADA is critical. A delay higher than 12 milliseconds could end in a massive blackout because of failure to open a breaker in a substation
       – Be careful about what you do to protect your SCADA
  57. SCADA Network inside Power Plant (network diagram, repeated from slide 14)
     • Generation Power SCADA: Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console
     • Substation SCADA: Substation controller, Switch Controller, Voltage Meter Reader, Protection Controller, HMI Console
  58. Monitor your network
     • Control access from outsiders
       – The SCADA network needs to send information for reports and status checking
       – You can establish a secure way to get into the SCADA network for remote support
       – If no commands need to be sent, one-way communication using Waterfall works pretty well
  59. Monitor your network (2) (diagram; source: Waterfall Security)
  60. Monitor your network (3)
     • Use a Network Intrusion Prevention System
       – You definitely can use conventional IPS if they are fast enough to avoid delays in your network
       – Not all of them support SCADA protocols
       – If you have Snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules
       – The Industrial Defender solution works pretty well, as it includes lots of SCADA signatures
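Slide 49 notes that the protocols carry no authentication, so a field device will act on any Modbus write that reaches it, and slide 60 suggests writing IDS rules for Modbus. The following Python monitor is an added example (not the presenter's code and not Industrial Defender's or Snort's) of the check such a rule expresses: parse the Modbus/TCP MBAP header and function code, and alert on write functions (and on any traffic) from a source that is not the known HMI. The HMI address 10.0.1.10, the unit IDs and the captured packets are constructed assumptions.

```python
import struct

# Modbus/TCP prepends a 7-byte MBAP header (transaction id, protocol id,
# length, unit id) to the PDU (function code + data). There is no CRC field;
# TCP provides the error check that the serial CRC-16 gives on RS-485.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Register", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostic", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Functions that change state on the field device (from the slides' table).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Assumed allowlist: only the HMI console may talk Modbus to the IEDs.
AUTHORIZED_MASTERS = {"10.0.1.10"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Return transaction id, unit id, function code and data; raise on malformed input."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    if length != len(payload) - 6:      # length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match payload size")
    return {"transaction": tid, "unit": unit, "function": payload[7], "data": payload[8:]}


def inspect_flow(src_ip: str, dst_ip: str, payload: bytes) -> list:
    """Return (severity, message) alerts for one TCP payload; empty list means allowed."""
    try:
        pdu = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [("high", f"malformed Modbus/TCP from {src_ip} to {dst_ip}: {exc}")]
    fc = pdu["function"]
    name = FUNCTION_NAMES.get(fc, "unknown")
    alerts = []
    if src_ip not in AUTHORIZED_MASTERS:
        # A write from an unlisted master is the case slides 49 and 52 warn about:
        # the IED cannot tell a spoofed master from the real HMI, so the IDS must.
        severity = "high" if fc in WRITE_FUNCTIONS else "medium"
        alerts.append((severity, f"{name} (fc {fc}) to unit {pdu['unit']} at {dst_ip} "
                                 f"from unlisted master {src_ip}"))
    return alerts


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP payload with a correct MBAP length field."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def sample_flows() -> list:
    """Constructed traffic: (src, dst, payload). Addresses and data are assumptions."""
    return [
        # HMI reads 10 holding registers from unit 1: normal polling.
        ("10.0.1.10", "10.0.2.20", mbap(1, 1, bytes([3, 0, 0, 0, 10]))),
        # Unlisted host writes coil 0x0010 ON on unit 1: high severity.
        ("10.0.5.77", "10.0.2.20", mbap(2, 1, bytes([5, 0, 0x10, 0xFF, 0]))),
        # Unlisted host only reads: still worth a medium alert on a plant network.
        ("10.0.5.77", "10.0.2.21", mbap(3, 2, bytes([3, 0, 0, 0, 1]))),
        # MBAP length claims 20 bytes but the PDU is 5: malformed.
        ("10.0.1.10", "10.0.2.20", struct.pack(">HHHB", 4, 0, 20, 1) + bytes([3, 0, 0, 0, 1])),
    ]


def run_monitor(flows=None) -> list:
    """Apply inspect_flow to every sample flow and collect the alerts."""
    alerts = []
    for src, dst, payload in (flows if flows is not None else sample_flows()):
        alerts.extend(inspect_flow(src, dst, payload))
    return alerts


if __name__ == "__main__":
    for severity, message in run_monitor():
        print(f"[{severity}] {message}")
```

The allowlist is the whole detection: because the protocol itself has no notion of an authorized master, the network position and source address of a write are the only signals available, which is why the slides pair this kind of rule with strict access control at the SCADA network boundary.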
  61. Monitor your network (4)
     • Control access from outsiders
       – Energy market central regulators are able to control your power generation SCADA and make you generate what you won at the electricity market
       – Be able to override control from your local market control center if for some reason you notice abnormal operations that put your generation infrastructure at risk
  62. Monitor your network (5) (diagram; source: FERC)
  63. Control unauthorized changes to Master Terminal Unit
     • SCADA platforms are designed to last from 10 to 20 years
       – Too many technology changes happen in that time
       – Lots of security issues to deal with
       – Need a solution to prevent any changes inside computers, as intrusions make changes to the filesystem, configurations and system processes
  64. Control unauthorized changes to Unit Controllers and IED controllers
     • Configuration and firmware changes can be done on-site and remotely
     • Can you tell all the times when those changes have been made for all the IED and Unit controllers?
     • Can you tell if that change actually contains the valid firmware and/or configuration?
     • Check Industrial Defender Manage
  65. Control unauthorized changes to Master Terminal Unit (3)
     • Control any changes inside your SCADA servers
       – McAfee Integrity Control works pretty well
       – Defines what can be changed and by whom
       – Lots of custom logs to choose from
       – Can send events to any SIEM configured in the network
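Slides 63 to 65 ask for a way to detect any change to files and configurations on the SCADA servers and controllers and to forward the result to a SIEM. The following Python baseline checker is an added example of the underlying technique, not the presenter's tooling and not McAfee Integrity Control or Industrial Defender Manage: hash every file under a directory into a baseline, re-hash later, and report what was added, removed or modified as SIEM-ready JSON events. The directory layout, file names and contents in the demo are constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large firmware images do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file's path (relative, POSIX style) to its SHA-256 digest."""
    root_path = Path(root)
    return {p.relative_to(root_path).as_posix(): sha256_file(p)
            for p in sorted(root_path.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; unchanged files are not reported."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def to_siem_events(diff: dict, host: str) -> list:
    """One JSON line per change, in the shape a SIEM collector can ingest (assumed format)."""
    events = []
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            events.append(json.dumps({"host": host, "event": "file_integrity",
                                      "change": kind, "path": path}))
    return events


def demo() -> dict:
    """Constructed scenario: baseline a fake SCADA server tree, then alter it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hmi.cfg").write_text("master_ip=10.0.1.10\n")     # assumed config
        (root / "bin").mkdir()
        (root / "bin" / "scada.exe").write_bytes(b"\x00original")  # assumed binary
        baseline = build_baseline(d)

        # Changes an intrusion might leave behind: edited config, new binary,
        # removed binary. All constructed for the demo.
        (root / "hmi.cfg").write_text("master_ip=10.0.5.77\n")
        (root / "bin" / "unknown.dll").write_bytes(b"\x00new")
        (root / "bin" / "scada.exe").unlink()
        return compare(baseline, build_baseline(d))


if __name__ == "__main__":
    diff = demo()
    print(json.dumps(diff, indent=2))
    for line in to_siem_events(diff, host="mtu-01"):   # hostname is a placeholder
        print(line)
```

In production the baseline itself must live somewhere the monitored host cannot write, otherwise whoever changes the files can also change the manifest; that separation is what the appliance products on these slides provide on top of the hashing shown here.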
  66. Monitor attacks to Master Unit
     • A host IPS is definitely needed, as any attack could change the integrity and stability of a process
     • Availability is critical to a SCADA system and cannot be altered
     • Conventional host IPS makes extensive use of CPU and can affect performance inside SCADA
  67. Monitor attacks to Master Unit (2)
     • Industrial Defender Protect works pretty well
     • Works seamlessly with the Siemens Spectrum platform
     • Does not load the machine or need extensive bandwidth to perform its checks
     • Central console to perform operations inside the platform
  68. Questions? Comments?
     Manuel Humberto Santander Peláez
     http://manuel.santander.name
     http://twitter.com/manuelsantander
     msantand@isc.sans.org / manuel@santander.name