
IT vs. OT: ICS Cyber Security in TSOs


by G. Caroti

Corporate Security – Head of Information Security - TERNA


  1. CP-EXPO - Genova, 30 Oct 2013. IT vs. OT: ICS cyber security in TSOs. G. Caroti
  2. “CI system”: interdependencies and domino effect. Critical infrastructure: services essential for everyday life such as energy, food, water, transport, communications, health, and banking and finance.
     [Matrix, not recoverable from the transcript: estimated degree of dependence (L/M/H/E) of a CI (column) following a significant and extensive (> 24 h) interruption of service of another CI (row); CIs listed: Power System, Railway, Gas, Health, Econ/Fin, Social order, ICT, Water, Oil. Source: AIIC 2007]
  3. “CI system”: interdependencies and domino effect (diagram only).
  4. Cyber threats, security breaches and impacts.
     Threats: technology failures, malicious attacks (hackers), sabotage, criminal activities, natural disaster, human error, inadequate procedures, system maltreatment.
     Breaches: unauthorised data disclosure, unauthorised access to systems, unauthorised system alteration, data loss or corruption.
     Targets: ICT systems, infrastructures, applications, services; corporate and business information systems and critical ICT business & operational systems, with potentially serious implications.
     Impacts: economic losses, reputational losses, operational disruption to services, reduction of PS and grid continuity and safety, public safety and citizens’ protection.
     Resilience (ENISA): “By the use of the term ‘Resilient’ we characterise the systems that provide and maintain an acceptable level of service in face of faults (unintentional, intentional, or naturally caused) affecting their normal operation. The main aim of the resilience is for faults to be invisible to users.”
  5. New risks … recently many warning messages!
     a. (EU) Work Programme FP7 2009-2010: “protection of critical information infrastructures”
     b. (IT) Report of COPASIR 2010 on cyber crime (July 2010)
     c. << … >>
     d. (US) Obama's executive order: “better protection of the country's critical infrastructure from cyber attacks” (Feb 2013)
     e. (US) Warning of the CIA Director on new “cyberattack” scenarios (Feb 2013)
     f. (EU) Commission: Cybersecurity Strategy of the European Union (Feb 2013)
     g. (IT) Report of COPASIR 2013 on threats to national security (Feb 2013)
     h. (IT) DIS report 2012 (Feb 2013)
     i. (IT) Warning by Prime Minister Monti on cyber risk (Mar 2013)
     j. (IT) DPCM 24/1/13, guidelines for cyber security and national information security (G.U. Mar 2013)
  6. “Operational Technology”: IT vs. OT [1]. “An independent world of ‘operational technology’ (OT) is developing separately from IT groups … if IT organizations do not engage with OT environments to assess convergence, create alignment and seek potential areas of integration, they may be sidelined from major technology decisions - and place OT systems at risk.” [Gartner, 2009] Convergence and alignment? And integration?
     [1] OT environment: defined as an independent world of physical-equipment-oriented computer technology (ICS).
  7. I(A)CS environment. IACS: a “heterogeneous world” with several classifications.
     By functional application: Energy Management Systems (EMS); substation control/protection systems; Substation Automation Systems (SAS); Market Management Systems (MMS); Distributed Control Systems (DCS); industrial automation; Safety Instrumented Systems (SIS); process control systems; plant control systems.
     By technology: Supervisory Control and Data Acquisition (SCADA); Remote Terminal Unit (RTU); Intelligent Electronic Device (IED); Programmable Logic Controller (PLC); Distributed Computer System (DCS); Process Control Network (PCN).
  8. IACS key elements (a control centre LAN links one or more SCADA systems, AGC, EMS and user interfaces to the field).
     SCADA: servers, data-gathering and control units (RTUs) and a set of standard and/or custom applications to monitor/control remote elements. It can reach more than 50,000 data collection points and transmit analog or digital information, send control signals and receive input states as feedback to the control operations. It can perform complex sequences of operations and ensure the collection of information with appropriate frequency. SCADA systems collect from the field the data characteristic of the system to be controlled, generate alarms to operators and execute commands to the field by managing communications with the RTUs.
     AGC: controls the generation units to ensure that the load is managed with criteria of economy … submits additional control signals to adjust GU production based on load forecasts, availability, speed of response and planned exchanges.
     EMS (Apps&DB): manages the data set used by the operators to handle state estimation, energy flows, contingency analysis, load forecasting and allocation of generating units.
     UI (MMI/HMI): gives operators an interactive interface … to monitor the performance of the PS, manage alarm conditions and study the potential conditions that ensure system security policies on the network.
     Functions: data acquisition; control actions (call-up, data entry, ...); processing of historical data; conducting elements of a plant (remote controls); management of “limits”; defined run-time calculations; statistics on the functioning of network elements; calculation of average P and E (elementary); calculation of financial statements; load shedding; alarms and events.
  9. SCADA data flows (diagram): industrial process domain (field layer, plant layer, process network), enterprise domain, external centre layer.
  10. Link chain: threats -> contingencies (diagram). Threats on the “IT” side act on exploitable vulnerabilities of components/devices (applications, HW/SW, network) and of common resources and services, affecting C, I and A; the result is a system contingency on the “OT” side.
  11. Why a protection program for ICS?
     Enclave (“obscurity”), the starting point:
     – proprietary (non-standard) protocols known to very few people
     – no information published on the functioning of the systems
     – only point-to-point connections, often hosted in a private telecommunication environment
     – no interconnection with network management
     – no interconnection with any external network (i.e. Internet)
     – operational environment inherently protected and segregated
     – low probability of unpredictable stress-load conditions
     Technological evolution (change of scenario):
     – migration (also “tacit”) by the vendors to “off-the-shelf” technologies
     – introduction of open standards and protocols (TCP/IP and wireless technologies), which exposes the system to its vulnerabilities without proper awareness
     – interconnection needs with other corporate networks and systems, making the systems potentially accessible to unwanted entities too
     – transition from private communication networks or “leased lines” to services of public infrastructure, which results in increased dependence (“addiction”) on public telecommunications service operators
     – remote “maintenance” needs
     Responses: awareness (compensatory measures); security “embedded” in the systems (tech & process).
     [Chart: cyber threats and cyber vulnerabilities over the years ’80, ’90, ’00, ’10, ’20]
  12. Cyber incident on ICS by “human” attack!? Security incidents show OT vulnerability.
     Attackers: APT, crackers, insiders, saboteurs, terrorists.
     Attack types: attacks for (unauthorized) access to resources (violation of confidentiality/integrity); attacks to cause complete/partial unavailability (violation of availability).
     Security layers: system security, network security, application security, data security, user profile security.
     Consequences: information theft; financial losses; inappropriate handling of PS components (loss of production, outages, operational safety); difficulty of industrial operations; lower ability to control the power system; difficulty of emergency management; increased risk of instability; domino effect on other CI; consequences for the community.
  13. What do we have? Several reference sets of controls.
     CIP standards: CIP 002 Identification of the IIC supporting the EPU; CIP 003 Security management controls; CIP 004 Personnel and training; CIP 005 Security of network access; CIP 006 Physical security; CIP 007 System security management; CIP 008 Incident reporting; CIP 009 Recovery plans and DR.
     NIST control families (class): AC Access Control (Tech); AT Awareness and Training (Operational); AU Audit & Accountability (Tech); CA Certification, Accreditation and Security Assessments (Management); CM Access Control (Operational); CP Contingency Planning (Operational); IA Identification & Authentication (Tech); IR Incident Response (Operational); MA Maintenance (Op); MP Media Protection (Op); PE Physical & Environmental Protection (Op); PL Planning (Management); PS Personnel Security (Op); RA Risk Assessment (Management); SA System & Services Acquisition (Management); SC System & Communications Protection (Tech); SI System & Information Integrity (Op).
     ISO Annex A controls: A5 Information security policy; A6 Organisational principles for IS management; A7 Asset management; A8 Personnel policies on IS; A9 Physical and environmental security; A10 Communications and operations management; A11 Access control; A12 IS management in the acquisition, development and maintenance of systems; A13 Security incident management; A14 Business continuity management; A15 Compliance controls.
     Common Criteria.
     IACS foundational requirements: AC Access Control; UC Use Control; DI Data Integrity; DC Data Confidentiality; RDF Restrict Data Flow; TRE Timely Response to Event; NRA Network Resource Availability.
  14. The first “brick”: a structured FRAMEWORK of controls, selected, documented, implemented, verified, kept and improved … as a key enabler, regardless of the source of the “controls” used as a reference (ISO, NIST or other Information Risk Management tools).
  15. “Secure-by-design” framework: a “pipeline” for security across the system life cycle.
     Development/acquisition phase: “building” a secure system.
     Operational phase: keep the system secure (monitoring; access control, physical and logical; incident handling; patch management; periodic security assessment; training and awareness; change management).
     Disposal phase: secure disposal of the system.
  16. Unfortunately: IT systems vs. OT systems (IACS).
     – Antivirus: IT: available for all systems and applications, regularly updated. OT: not compatible with many protocols and console functions (!?)
     – Authentication & accountability: IT: always implemented; individual, unique account with a complex PW, changed per policy. OT: no authentication level; group account, even with wired or weak PW (!?)
     – Patching: IT: in time, with automated tools; as a rule always supported during the life cycle of a system. OT: not in time, no automated tools; often not supported in time (obsolescence) (!?)
     – System administration control: IT: centralized. OT: local, delegated to system-engineer figures (!?)
  17. Unfortunately (continued): the same comparison table as the previous slide, with the response: the same controls apply, but OT needs compensatory countermeasures and special physical & logical architectures.
  18. The typical scenario (diagram): remote access into the IACS from technicians on the road, vendors, outsourcers (e.g. TelCo, IT), other TSOs/utilities/operators, third parties (partners), remote access for staff and personal mobility, over PSTN/ISDN, GPRS/UMTS and the Internet.
  19. … must be adapted … going towards a defense-in-depth approach (diagram): the same actors and networks as the previous slide, with the direct paths into the IACS marked X.
  20. … for different security requirements! (diagram: public networks, Internet, marked X)
  21. … for different security requirements! Public networks (Internet) reach only two DMZs: a DMZ for (management) remote access, hosting the Remote Access Gateway, and a DMZ for exposed IACS services, hosting services/applications with replicated (mirrored) DBs fed in “one-way” mode. The IACS internal DBs (typically real-time critical DBs) are not accessible from outside the process networks.
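One way to turn the zoning on this slide into a checkable policy, as an added example that is not the author's or Terna's code: the zone names, the assumption that the Remote Access Gateway is the only broker into the process network, and the sample flows are all constructed for illustration.

```python
"""Zone-policy check for the DMZ layout on the slide (added example).
Zone names and the sample flows below are constructed, not from the deck."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones, from least to most trusted (constructed names matching the slide).
PUBLIC = "public_networks"          # Internet, PSTN/ISDN, GPRS/UMTS
RA_DMZ = "remote_access_dmz"        # hosts the Remote Access Gateway
SERVICES_DMZ = "exposed_iacs_dmz"   # services/apps with mirrored DBs
PROCESS_NET = "process_network"     # IACS internal real-time DBs

# Permitted (source, destination) pairs. Replication into the exposed DMZ
# is strictly one-way, out of the process network.
ALLOWED = {
    (PUBLIC, RA_DMZ),             # remote users terminate on the gateway only
    (PUBLIC, SERVICES_DMZ),       # access to the mirrored services
    (RA_DMZ, PROCESS_NET),        # gateway-brokered maintenance (assumption)
    (PROCESS_NET, SERVICES_DMZ),  # one-way DB mirroring
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    purpose: str

def check_flow(flow: Flow) -> Optional[str]:
    """Return a violation reason, or None if the flow fits the zone model."""
    if flow.src == flow.dst:
        return None  # intra-zone traffic is outside this model
    if (flow.src, flow.dst) == (SERVICES_DMZ, PROCESS_NET):
        return "mirroring is one-way: nothing flows back into the process network"
    if flow.dst == PROCESS_NET and flow.src != RA_DMZ:
        return "internal IACS DBs are reachable only via the remote-access gateway"
    if (flow.src, flow.dst) not in ALLOWED:
        return f"no permitted path {flow.src} -> {flow.dst}"
    return None

def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Run every proposed flow through the policy and collect the violations."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]

# Constructed sample of proposed firewall flows submitted for review.
SAMPLE_FLOWS = [
    Flow(PUBLIC, RA_DMZ, "vendor VPN to gateway"),
    Flow(PUBLIC, SERVICES_DMZ, "partner reads mirrored measurements"),
    Flow(PROCESS_NET, SERVICES_DMZ, "one-way DB replication"),
    Flow(PUBLIC, PROCESS_NET, "vendor direct to SCADA DB"),       # violation
    Flow(SERVICES_DMZ, PROCESS_NET, "web app writes setpoints"),  # violation
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} ({flow.purpose}): {reason}")
```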
  22. Conclusion … Convergence and alignment? And integration?
  23. Thank you for the attention!
