Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Hydroelectric generation plants possess a number of cyberterrorism risks, which could cause significant problems like interruptions in the power grid or water leaks from the reservoir, among others. This presentation will discuss the vulnerabilities in the infrastructure of hydroelectric generation plants, some tools to check for them and several remediation techniques to avoid materialization of problems.

Uploaded as Microsoft PowerPoint

© All Rights Reserved


Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants Presentation Transcript

  • 1. Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
    Manuel Humberto Santander Peláez, msantand@isc.sans.org
  • 2. Agenda
    – Introduction
    – Power Plant Generation SCADA
    – SCADA protocols
    – Cyber Terrorism Risks
    – Remediation
  • 3. SCADA
    – Supervisory Control and Data Acquisition
    – Platform used to monitor and control all the variables of a real-time process
    – Several variables to monitor, for example:
      – Vibrations on the turbine rotor
      – Flow rate of the oil inside the turbine rotor (bearing lubrication)
      – Amount of current flowing through an electricity transmission line
  • 4. Electrical process
    – Three big steps:
      – Generation
      – Transmission
      – Distribution
    – Energy is generated using any of the following methods:
      – Thermoelectric plants
      – Nuclear plants
      – Hydroelectric plants
  • 5. Electrical process (2)
    – The SCADA platform is vital for the following while generation takes place:
      – Ensure the turbines are not running at more revolutions than they are rated for
      – Ensure the generators are not working overloaded
      – Ensure the energy being generated matches the amount the transmission line can carry
  • 6. Electrical process (3)
    – Transmission
      – The energy being generated needs to be carried to reach the final users
      – 115 kV is a typical voltage used on the transmission lines (kV is a voltage level, not a power)
      – The lines end at substations, each handling the energy of a specific set of installations
      – That set is a large number of blocks in a city
  • 7. Electrical process (4)
    – The SCADA platform is vital for the following while transmission takes place:
      – Monitoring of the transmission lines, looking for a high amount of current flowing
      – None of them can get overloaded: if one does, the protections trip and a blackout appears in all the installations served by the affected substations
  • 8. Electrical process (5)
    – Distribution
      – The energy arriving at the substations needs to be delivered to the final users
      – The substations step the voltage down from transmission levels (such as 115 kV) to the medium and low voltages used on the distribution network
      – The distribution network of each substation serves the installations of a specific area, a large number of blocks in a city
  • 9. Electrical process (6)
    – The SCADA platform is vital for the following while distribution takes place:
      – Monitoring of voltage and current on the distribution lines, looking for a high amount of electricity flowing
      – Monitoring of voltage and current at the user meters, looking for a high amount of electricity flowing
  • 10. Electrical System (figure; source: United States Department of Energy)
  • 11. Hydroelectrical Plant Process (figure; source: circuitmaniac.com)
  • 12. Hydroelectrical Turbine (figure; source: United States Army Corps of Engineers)
  • 13. Agenda (section: Power Plant Generation SCADA)
  • 14. SCADA Network inside Power Plant (diagram)
    – GENERATION POWER SCADA: HMI Console, Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller
    – SUBSTATION SCADA: HMI Console, Substation Controller, Switch Controller, Voltage Meter Reader, Protection Controller
  • 15. SCADA Network inside Power Plant (2)
    – Generation Power Plant
      – Unit Controller: controls all the subsystems that make the generator able to inject active power into the electrical network
      – Voltage regulator: controls the generator excitation, and with it the terminal voltage and reactive power of the generator; the voltage must match the level of the electrical network
  • 16. SCADA Network inside Power Plant (3)
    – Generation Power Plant
      – Turbine speed regulator (governor): controls the speed of the turbine, and with it the frequency of the active power being produced, which must match the frequency of the electrical network
      – Cooling and oil pump controller: controls the refrigeration and lubrication of the rotor system of the turbine so that there is no overheating or excessive friction
      – Generator protection controller: protects the generator against excessive voltage changes
  • 17. SCADA Network inside Power Plant (4)
    – Substation SCADA
      – Substation Controller: controls all the systems that make it possible for the energy to be transmitted across the electrical network
      – Switch controller: if a line carries more energy than its capacity, the switch (circuit breaker) opens the circuit and the energy stops flowing
  • 18. SCADA Network inside Power Plant (5)
    – Substation SCADA
      – Voltage meter: measures the electricity flowing in the input and output lines so the Substation Controller can tell whether a transmission line is being loaded beyond its capacity
  • 19. Agenda (section: SCADA protocols)
  • 20. SCADA Protocols
    – Modbus
    – IEC 104
    – DNP3
  • 21. Modbus (figure; source: Practical Industrial Data Communications)
  • 22. Modbus (2)
    – Client/server protocol which operates in a request/response mode (master/slave in the original terminology)
    – Three variants:
      – Modbus serial (RS-232/RS-485): implemented on serial networks
      – Modbus TCP: the usual IP transport, used for SCADA platforms where delay is not an issue (water supply)
      – Modbus over UDP: a less common encapsulation used where delay is a big issue (energy); it removes TCP's retransmission latency but also its delivery guarantee
  • 23. Modbus (3) (figure; source: Practical Industrial Data Communications)
  • 24. Modbus (4)
    – Modbus protocol structure: address field
      – Request frames: address of the device being targeted by the request
      – Response frames: address of the device responding to the request
  • 25. Modbus (5)
    – Modbus protocol structure: function field
      – Function requested by the HMI to be performed by the field device
      – In response packets, when the function succeeded, the field device echoes the function code. If an exception occurred, the most significant bit of the field (0x80) is set to 1 and a single data byte carries the exception code
  • 26. Modbus (6): function codes for data access
    – Bit access
      – Physical discrete inputs: Read Discrete Inputs (2)
      – Internal bits or physical coils: Read Coils (1), Write Single Coil (5), Write Multiple Coils (15)
    – 16-bit access
      – Physical input registers: Read Input Registers (4)
      – Internal registers or physical output registers: Read Holding Registers (3), Write Single Register (6), Write Multiple Registers (16), Read/Write Multiple Registers (23), Mask Write Register (22), Read FIFO Queue (24)
    – File record access: Read File Record (20), Write File Record (21)
  • 27. Modbus (7): diagnostics and other function codes
    – Diagnostics: Read Exception Status (7), Diagnostic (8), Get Com Event Counter (11), Get Com Event Log (12), Report Slave ID (17), Read Device Identification (43, MEI type 14)
    – Other: Encapsulated Interface Transport (43)
  • 28. Modbus (8)
    – Modbus protocol structure: data field
      – In request packets, contains the information required to perform the specific function (for example the starting address and the number of coils or registers)
      – In response packets, contains the information requested by the HMI
  • 29. Modbus (9)
    – Modbus protocol structure: error check field
      – CRC-16 over the message frame on the serial variants; Modbus TCP has no CRC and instead prefixes the PDU with the 7-byte MBAP header (transaction id, protocol id, length, unit id)
      – If a packet fails the check, the field device does not process it and sends no reply
      – The master then times out and resends the packet to attempt the function execution again
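The frame layout described on slides 24 to 29 is easiest to check with code. The block below is an added example, not code from the presentation: it computes the Modbus CRC-16, builds and parses RTU frames, handles the exception bit in the function field, and shows the Modbus TCP MBAP header that replaces the address and CRC over IP. The slave address, coil number and transaction id are constructed values; the Read Holding Registers request is the widely published test vector 01 03 00 00 00 0A C5 CD. The Write Single Coil request is the kind of single write that slide 52 says is enough to switch a pump off.

```python
import struct

# Function codes referenced on the slides (subset of the Modbus application protocol).
FC_READ_COILS = 1
FC_READ_HOLDING_REGISTERS = 3
FC_WRITE_SINGLE_COIL = 5
FC_WRITE_SINGLE_REGISTER = 6
EXCEPTION_BIT = 0x80  # set in the function field of an exception response

EXCEPTION_NAMES = {
    1: "ILLEGAL FUNCTION",
    2: "ILLEGAL DATA ADDRESS",
    3: "ILLEGAL DATA VALUE",
    4: "SLAVE DEVICE FAILURE",
}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(address: int, function: int, data: bytes) -> bytes:
    """Modbus RTU frame: address, function, data, CRC-16 (low byte first on the wire)."""
    body = bytes([address, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu_frame(frame: bytes) -> dict:
    """Validate the CRC and split a Modbus RTU frame into its fields.

    A CRC mismatch raises: a real field device silently discards such a frame and
    the master only notices through its own timeout and retransmission.
    """
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc_on_wire = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc_on_wire:
        raise ValueError("CRC mismatch, frame would be dropped")
    function, data = body[1], body[2:]
    parsed = {"address": body[0], "function": function & 0x7F, "data": data, "exception": None}
    if function & EXCEPTION_BIT and data:  # exception response: one data byte holds the code
        parsed["exception"] = EXCEPTION_NAMES.get(data[0], f"code {data[0]}")
    return parsed


def build_tcp_adu(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Modbus TCP ADU: 7-byte MBAP header (transaction id, protocol id 0, length, unit id) + PDU.

    There is no CRC on Modbus TCP; the MBAP header replaces the RTU address and error check.
    """
    pdu = bytes([function]) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_tcp_adu(adu: bytes) -> dict:
    """Split a Modbus TCP ADU into MBAP fields and PDU, checking the length field."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0:
        raise ValueError("not Modbus (protocol id must be 0)")
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match ADU size")
    function, data = adu[7], adu[8:]
    parsed = {"transaction_id": transaction_id, "unit_id": unit_id,
              "function": function & 0x7F, "data": data, "exception": None}
    if function & EXCEPTION_BIT and data:
        parsed["exception"] = EXCEPTION_NAMES.get(data[0], f"code {data[0]}")
    return parsed


def write_single_coil_data(output_address: int, on: bool) -> bytes:
    """Data field of function 5: 16-bit output address, then 0xFF00 for ON or 0x0000 for OFF."""
    return struct.pack(">HH", output_address, 0xFF00 if on else 0x0000)


if __name__ == "__main__":
    # Well-known RTU request: read 10 holding registers from slave 1 starting at address 0.
    req = build_rtu_frame(1, FC_READ_HOLDING_REGISTERS, struct.pack(">HH", 0, 10))
    print(req.hex())  # 01030000000ac5cd
    # Exception response (illegal data address) to that request from the field device.
    print(parse_rtu_frame(build_rtu_frame(1, FC_READ_HOLDING_REGISTERS | EXCEPTION_BIT, b"\x02")))
    # A "switch coil 16 off" write carried over Modbus TCP (coil number is a constructed example).
    adu = build_tcp_adu(0x1234, 1, FC_WRITE_SINGLE_COIL, write_single_coil_data(16, on=False))
    print(adu.hex(), parse_tcp_adu(adu))
```

Note that nothing in either frame identifies who sent it: any host that can reach the device and form a valid CRC or MBAP header can issue the write.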
  • 30. IEC 104
    – IEC 60870-5-104: standard for power system monitoring, control and communications (telecontrol and teleprotection) for electric power systems
    – Carries the IEC 60870-5-101 application layer over TCP/IP (port 2404) and is built on:
      – IEC 60870-5-1: transmission frame formats for the 60870-5 standard
      – IEC 60870-5-5: basic application functions
  • 31. IEC 104 (2)
    – It has the following features:
      – Supports master-initiated messages (unbalanced mode) and messages initiated by either master or slave (balanced mode)
      – Facility for time synchronization
      – Possibility of classifying the transmitted data into 16 different groups (interrogation groups), so the data can be requested per group
      – Cyclic and spontaneous data updating schemes are provided
  • 32. IEC 104 (3) (figure; source: Practical Industrial Data Communications)
  • 33. IEC 104 (4) (figure; source: Practical Industrial Data Communications)
  • 34. IEC 104 (5) (figure; source: Practical Industrial Data Communications)
  • 35. IEC 104 (6): link level service classes (defined by the IEC 60870-5-2 link layer of the serial profile; the 104 profile runs over TCP and uses the APCI sequence numbers instead)
    – S1, SEND / NO REPLY: transmit message; no ACK or answer required
    – S2, SEND / CONFIRM: transmit message; ACK required
    – S3, REQUEST / RESPOND: transmit message; ACK and answer required
  • 36. IEC 104 (7) (figure; source: Practical Industrial Data Communications)
  • 37. IEC 104 (8): control field for unbalanced transmissions (figure; source: Practical Industrial Data Communications)
  • 38. IEC 104 (9): control field for balanced transmissions (figure; source: Practical Industrial Data Communications)
  • 39. DNP3
    – Set of communication protocols used between components of a SCADA system
    – Used for communications between the master (or RTU) and the IEDs (field devices); in DNP3 terms, between master and outstations
    – Implements the communication layers established by the Enhanced Performance Architecture (EPA)
  • 40. DNP3 (2): Enhanced Performance Architecture (EPA) (figure; source: Practical Industrial Data Communications)
  • 41. DNP3 (3): message exchange (figure; source: Practical Industrial Data Communications)
  • 42. DNP3 (4): frame format (figure; source: Practical Industrial Data Communications)
  • 43. DNP3 (5): control byte (figure; source: Practical Industrial Data Communications)
  • 44. Agenda (section: Cyber Terrorism Risks)
  • 45. Cyberterrorism Risks
    – Many awful things can happen to a power plant:
      – Generation stops because of partial or total damage to the generator
      – Generation stops because of partial or total damage to the transmission substation
      – Generation stops because of partial or total damage to the turbine
  • 46. Cyberterrorism Risks (2)
    – Many awful things can happen to a power plant:
      – Transformer explosion because the transmission line protection capacity is lacking
      – Massive water leakage because of the explosion of the turbine housing
    – All of them can happen through unauthorized manipulation of the HMI, or after tampered configurations are pushed to the controllers
  • 47. Network technologies in SCADA Systems
    – Many SCADA networks still use an RS-232/RS-485 bus to connect all components
      – Because of the need to access data quickly, serial-to-IP gateways are also used to reach serial RTUs and IEDs
      – The result is lots of hybrid SCADA networks with serial and IP components
      – Access is open to anyone with network connectivity
  • 48. Network technologies in SCADA Systems (2)
    – Many SCADA networks still use an RS-232/RS-485 bus to connect all components
      – Administrative protocols are not encrypted, so anyone can sniff all the contents, perform a MITM and send fake content to the client and the server. Insecure services like telnet are mandatory because nothing else is supported
      – Latency is an issue
  • 49. Lack of authentication in the application protocol
    – The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
      – Only commands are sent; there is no session or credential
      – Data is sent to whatever IP address is configured as the master
      – All the IP spoofing attacks work against any MTU (master terminal unit) or field device
      – Any command can be sent
  • 50. Default configurations in HMI
    – Insecure services used: rlogin, rcp, rexec
    – OS admin privileges used to operate
    – A trust perimeter is created between the HMI and the external RTUs and IEDs to manipulate configuration parameters
  • 51. What could be done?
    – Reset the link state or send the Test Communication packet several times, provoking a temporary DoS on the IED controllers (in IEC 104 these are the STARTDT/STOPDT and TESTFR U-frames, which carry no sequence number and no authentication)
      – Spoof the HMI IP address and send the following using TCP: 0x56405c00100020074e3
      – Spoof the HMI IP address and send the following using TCP: 0x56405f201000200b717
  • 52. What could be done? (2)
    – Send commands to the IED controllers
      – Registers and coils are linked to turning specific devices on and off, like the oil and refrigeration pumps
      – A single Modbus write command (function 5, 6, 15 or 16) that changes those registers is enough to disable any of those pumps
      – The exact command depends on where the pump is mapped in the device
  • 53. What could be done? (3)
    – Run Metasploit against the HMI and look for remote administrative exploits
      – No patches are installed
      – Too many vulnerabilities around
      – The odds of finding remote privilege escalation vulnerabilities are very high
      – Are the passwords strong enough in the HMI software and OS?
      – Is there any password configured at all?
  • 54. What could be done? (4)
    – MITM attacks on the substation elements and generation plant elements
      – TCP sequence numbers on these elements are highly predictable
      – They are prone to session hijacking (http://www.youtube.com/watch?v=s_XD8heYNrc)
  • 55. Agenda (section: Remediation)
  • 56. What you cannot do with SCADA
    – Protocol delay is usually a BIG issue in SCADA
      – Water supply and oil SCADA tolerate large delays because they have no consequences for the process
      – Power SCADA is critical: a delay higher than 12 milliseconds could end in a massive blackout because a breaker in a substation fails to open in time
      – Be careful about what you put in the path to protect your SCADA: anything inline (firewall, IPS, encryption) adds latency
  • 57. SCADA Network inside Power Plant (diagram repeated from slide 14)
    – GENERATION POWER SCADA: HMI Console, Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller
    – SUBSTATION SCADA: HMI Console, Substation Controller, Switch Controller, Voltage Meter Reader, Protection Controller
  • 58. Monitor your network
    – Control access from outsiders
      – The SCADA network needs to send information out for reports and status checking
      – You can establish a secure way into the SCADA network for remote support
      – If no commands need to be sent in, one-way communication through a unidirectional gateway (Waterfall) works pretty well
  • 59. Monitor your network (2) (figure; source: Waterfall Security)
  • 60. Monitor your network (3)
    – Use a Network Intrusion Prevention System
      – You can definitely use a conventional IPS if it is fast enough to avoid delays in your network
      – Not all of them support SCADA protocols
      – If you have Snort, you can write rules for Modbus and DNP3 (Snort 2.9.2 and later ship Modbus and DNP3 preprocessors). Otherwise you need to write your own rules
      – The Industrial Defender solution works pretty well, as it includes lots of SCADA signatures
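Slides 35 to 38 describe the IEC 104 control field, slide 51 the link reset/test-frame flood against the IED, and slide 60 the need to write your own detection rules where the IPS has no SCADA signatures. The block below is an added example (my code, not the presenter's, and not a Snort rule): it parses the IEC 60870-5-104 APCI, classifying I-, S- and U-format frames, and then runs two simple rules over constructed traffic as an IED would see it: any frame from a source other than the configured master, and a burst of U-frames from one source that matches the STARTDT/STOPDT/TESTFR flood. The IP addresses, timestamps, window and threshold are assumptions chosen for the demonstration.

```python
from collections import deque

START_BYTE = 0x68
# Control octet 1 of a U-format APCI (format bits 11 plus the single function bit).
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act", 0x23: "STOPDT con",
    0x43: "TESTFR act", 0x83: "TESTFR con",
}


def parse_apci(apdu: bytes) -> dict:
    """Classify one IEC 60870-5-104 APDU by its APCI: start 0x68, length, four control octets."""
    if len(apdu) < 6 or apdu[0] != START_BYTE:
        raise ValueError("not an IEC 104 APDU")
    if apdu[1] != len(apdu) - 2:  # the length octet counts everything after itself
        raise ValueError("APDU length field does not match packet size")
    c1, c2, c3, c4 = apdu[2:6]
    if c1 & 0x01 == 0:  # I-format: numbered information transfer, carries an ASDU
        return {"format": "I",
                "send_seq": ((c2 << 8) | c1) >> 1,
                "recv_seq": ((c4 << 8) | c3) >> 1,
                "type_id": apdu[6] if len(apdu) > 6 else None}
    if c1 & 0x03 == 0x01:  # S-format: numbered supervisory, acknowledgement only
        return {"format": "S", "recv_seq": ((c4 << 8) | c3) >> 1}
    # U-format: unnumbered control (start/stop data transfer, test frame); no sequence numbers
    return {"format": "U", "function": U_FUNCTIONS.get(c1, f"unknown 0x{c1:02x}")}


def iec104_alerts(records, allowed_masters, window_s=1.0, max_u_frames=5):
    """Run simple IDS-style rules over frames arriving at an IED/outstation.

    records: iterable of (timestamp_seconds, source_ip, apdu_bytes), in time order.
    Rule 1: anything from a source that is not a configured master is an alert.
    Rule 2: more than max_u_frames U-frames from one source inside window_s seconds is
            flagged once as a possible link reset/test-frame flood.
    """
    alerts = []
    recent_u = {}  # source_ip -> deque of U-frame timestamps inside the window
    for ts, src, apdu in records:
        try:
            info = parse_apci(apdu)
        except ValueError as err:
            alerts.append((ts, src, f"malformed APDU: {err}"))
            continue
        if src not in allowed_masters:
            alerts.append((ts, src, f"{info['format']}-frame from unauthorised source"))
            continue
        if info["format"] != "U":
            continue
        window = recent_u.setdefault(src, deque())
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) == max_u_frames + 1:  # alert once, when the threshold is crossed
            alerts.append((ts, src, f"{len(window)} U-frames in {window_s}s "
                                    f"(last: {info['function']}): possible link reset/test flood"))
    return alerts


HMI = "10.1.1.10"  # constructed address of the legitimate master
# Constructed traffic: a normal session start, an interrogation and an acknowledgement from the
# HMI, then eight TESTFR act frames carrying the HMI's (spoofed) address, then a STOPDT from a stranger.
SAMPLE_RECORDS = [
    (0.00, HMI, bytes.fromhex("680407000000")),                             # STARTDT act
    (0.50, HMI, bytes.fromhex("680e00000000" "640106000100" "00000014")),   # I-frame, C_IC_NA_1 interrogation
    (1.20, HMI, bytes.fromhex("680401000200")),                             # S-frame acknowledging N(R)=1
] + [
    (round(2.0 + 0.01 * i, 2), HMI, bytes.fromhex("680443000000")) for i in range(8)  # TESTFR act x8
] + [
    (3.00, "10.1.1.99", bytes.fromhex("680413000000")),                     # STOPDT act from a non-master
]

if __name__ == "__main__":
    for alert in iec104_alerts(SAMPLE_RECORDS, allowed_masters={HMI}):
        print(alert)
```

Because the spoofed frames carry the real master's address, the source allow-list alone does not catch them; the rate rule does, which is why both are needed. A sensor placed on a span port adds no latency to the control path, unlike an inline IPS.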
  • 61. Monitor your network (4)
    – Control access from outsiders
      – The energy market's central regulators (the grid/market operator) are able to control your generation SCADA and make you generate the amount you were awarded in the electricity market
      – Be able to override control from the market control center if for some reason you notice abnormal operations that put your generation infrastructure at risk
  • 62. Monitor your network (5) (figure; source: FERC)
  • 63. Control unauthorized changes to Master Terminal Unit
    – SCADA platforms are designed to last from 10 to 20 years
      – Too many technology changes happen in that time
      – Lots of security issues to deal with
      – Need a solution that prevents any unauthorized change inside the computers, as intrusions change the filesystem, configurations and system processes
  • 64. Control unauthorized changes to Unit Controllers and IED controllers
    – Configuration and firmware changes can be done on-site and remotely
    – Can you tell every time such a change has been made, for all the IEDs and Unit controllers?
    – Can you tell if that change actually contains the valid firmware and/or configuration?
    – Check Industrial Defender Manage
  • 65. Control unauthorized changes to Master Terminal Unit (2)
    – Control any changes inside your SCADA servers
      – McAfee Integrity Control works pretty well
      – Defines what can be changed and by whom
      – Lots of custom logs to choose from
      – Can send events to any SIEM configured in the network
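Slides 63 to 65 ask for a way to know whether anything on the master terminal unit, or any firmware or configuration pushed to a controller, has changed. The block below is an added example, not code from the deck nor from McAfee Integrity Control or Industrial Defender: it builds a SHA-256 baseline of a constructed SCADA server tree, protects the baseline record with an HMAC so an intruder who edits files cannot quietly edit the record too, and reports modified, added and removed files after a simulated intrusion. The file names, contents and key are constructed; in production the key and the baseline record live off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, store: Path, key: bytes) -> None:
    """Persist the baseline together with an HMAC over its canonical JSON form."""
    body = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    store.write_text(json.dumps({"baseline": baseline, "hmac": tag}, sort_keys=True))


def load_baseline(store: Path, key: bytes) -> dict:
    """Reload the baseline, refusing it if the record itself was altered."""
    doc = json.loads(store.read_text())
    body = json.dumps(doc["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        raise ValueError("baseline record has been tampered with")
    return doc["baseline"]


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the recorded and the live state of the tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Create a constructed SCADA server tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "scada"
        (root / "config").mkdir(parents=True)
        (root / "firmware").mkdir()
        (root / "config" / "unit01.cfg").write_text("pump_oil=ON\npump_cooling=ON\n")
        (root / "firmware" / "ied_v2.bin").write_bytes(b"\x7fELF" + bytes(64))
        key = b"constructed-demo-key; in production keep it off the SCADA host"
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store, key)

        # What an intrusion typically leaves behind: a changed config, a new file, a deleted image.
        (root / "config" / "unit01.cfg").write_text("pump_oil=OFF\npump_cooling=ON\n")
        (root / "config" / "backdoor.cfg").write_text("persist=1\n")
        (root / "firmware" / "ied_v2.bin").unlink()
        diff = compare(load_baseline(store, key), build_baseline(root))

        # An intruder who also rewrites the baseline record to hide the change is caught by the HMAC.
        doc = json.loads(store.read_text())
        doc["baseline"]["config/unit01.cfg"] = sha256_file(root / "config" / "unit01.cfg")
        tampered = Path(tmp) / "baseline_tampered.json"
        tampered.write_text(json.dumps(doc))
        try:
            load_baseline(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
        return {"diff": diff, "baseline_tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same hash comparison answers slide 64's second question for a firmware image: compare the digest of what was actually written to the controller with the digest of the vendor's release, recorded at the time the image was approved.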
  • 66. Monitor attacks to Master Unit
    – A host IPS is definitely needed, as any attack could change the integrity and stability of a process
    – Availability is critical to a SCADA system and cannot be compromised
    – A conventional host IPS makes extensive use of the CPU and can affect performance inside SCADA
  • 67. Monitor attacks to Master Unit (2)
    – Industrial Defender Protect works pretty well
    – Works seamlessly with the Siemens Spectrum Platform
    – Does not load the machine or need extensive bandwidth to perform its checks
    – Central console to perform operations inside the platform
  • 68. Questions? Comments?
    Manuel Humberto Santander Peláez
    http://manuel.santander.name
    http://twitter.com/manuelsantander
    msantand@isc.sans.org / manuel@santander.name