SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Supervisory Control and Data Acquisition (SCADA) & Industrial Control Systems (ICS) Cyber Security
Patricia Watson, MBA, EnCE
Digital Forensics Program Manager, Boise Inc.
PatriciaWatson@BoiseInc.com

Disclaimer
- Materials discussed in this presentation are the views of the author.
- The author does not claim to be a SCADA security expert!
- This presentation is intended for discussion purposes and is not to be relied upon as advice.

What we will cover
- Fundamentals of SCADA/ICS
- SCADA/ICS “evolution” over time
- SCADA/ICS vulnerabilities
- SCADA/ICS security framework
- Good practices
- That’s a wrap!
- Appendix: a few resources
Fundamentals of SCADA/ICS systems

Definition
From Wikipedia: Supervisory Control and Data Acquisition (SCADA) is a type of industrial control system (ICS). Industrial control systems are computer-controlled systems that monitor and control real-time processes such as industrial, infrastructure and facility-based processes.
http://en.wikipedia.org/wiki/SCADA

Fundamentals of SCADA systems
A few examples of SCADA/ICS systems:
- Process Control Networks (PCN)
- Distributed Control Systems (DCS)
- Energy Management Systems (EMS)
- Automated Meter Reading / Advanced Metering Infrastructure (AMR/AMI)
- Building Automation Systems (BAS)

Fundamentals of SCADA systems
A few examples of SCADA subsystems:
- Human-Machine Interfaces (HMIs)
- Programmable Logic Controllers (PLCs)
- Remote Terminal Units (RTUs)
- Engineering Workstations (EWS)
- Intelligent Electronic Devices (IEDs)

Fundamentals of SCADA systems
A few examples of industries that use SCADA/ICS:
- Agriculture
- Energy
- Food
- Manufacturing
- Water systems (drinking water and water treatment systems)

Source: http://ics-cert.us-cert.gov/sites/default/files/Cyber_Security_Assessments_of_Industrial_Control_Systems.pdf

Example of HMI tag creation (screenshot slide)

Source: http://www.jbisa.nl/download/?id=16249370
Over time SCADA/ICS “evolution”

Over time SCADA “evolution”
SCADA networks were once composed of isolated workgroups of proprietary systems that communicated primarily over serial links. Inputs and outputs were traditionally hardwired to the controllers using electrical signals and pulses. The original serial protocols had a single master station on the serial loop, which polled the controllers for data.

Over time SCADA “evolution”
- In 1968, Dick Morley designed and built the first operational PLC, which is credited with a significant advance in the practice of manufacturing automation.
- Automation is the use of machines, control systems and IT to optimize productivity, realize economies of scale and achieve predictable quality levels.
Source: http://en.wikipedia.org/wiki/Dick_Morley

Interconnection revolution!
As automation began to address the need for greater innovation, cost reduction and lean manufacturing, other components of SCADA systems joined the “evolution”:
- Input/output: analog-to-digital conversion
- Serial-to-bus
- “Smart” instrumentation (Modbus)
- TCP/IP (LAN/WAN)
- Data historians (OSIsoft PI)
- Wireless sensors
- Touch screens
- Tablets (dashboards)

Over time SCADA “evolution”
As technological innovations were introduced into legacy SCADA environments to improve efficiency and productivity, cyber security risks emerged:
- Dated operating systems such as Windows NT and Windows 2000 are out of vendor support: they no longer receive patches and often cannot be upgraded without breaking the control software that depends on them.
- Applications such as Adobe Reader and Flash Player often remain unpatched for the life of the host.
- Vendors often require persistent, bi-directional remote access in their maintenance contracts.
- Dual-homed environments and increased interconnectivity: data historians such as PI tend to straddle the control and business networks.
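The last bullet, a historian that straddles the control and business networks, is the failure mode a segmentation policy has to catch; the good-practice slides later in the deck answer it with an ICS DMZ. What follows is an added example, not part of the original presentation: a small zone-and-conduit check in the ISA 99 sense, run over constructed flow records and a constructed asset inventory. The zone addressing, hostnames, the set of allowed conduits (including which direction PI replication runs) and every sample flow are assumptions made for the example; TCP 5450 is the standard OSIsoft PI Data Archive listener.

```python
"""Zone-and-conduit check for ICS segmentation.

Added example (not from the deck): models three zones, business/enterprise,
an ICS DMZ holding the data historian, and the control zone holding PLCs and
HMIs, and allows traffic between zones only through explicitly listed
conduits.  It flags flows that bypass the DMZ and hosts whose interfaces sit
in two zones at once (the dual-homed historian risk).
All hostnames, addresses, conduit ports and flow records are constructed for
the example and are not taken from any real site.
"""
import ipaddress

# Constructed zone addressing (assumption: one CIDR per zone is enough here).
ZONES = {
    "enterprise": [ipaddress.ip_network("10.0.0.0/16")],
    "ics_dmz":    [ipaddress.ip_network("172.16.10.0/24")],
    "control":    [ipaddress.ip_network("192.168.100.0/24")],
}

# Allowed conduits as (source zone, destination zone, TCP destination port).
# Anything crossing a zone boundary that is not listed here is a violation.
# TCP 5450 is the OSIsoft PI Data Archive listener; the direction of each
# conduit (control pushes into the DMZ, enterprise reads from it) is the
# policy being modelled, not a vendor requirement.
CONDUITS = {
    ("control", "ics_dmz", 5450),     # PI interface node pushes process data into the DMZ historian
    ("enterprise", "ics_dmz", 5450),  # enterprise PI clients read from the DMZ historian
    ("enterprise", "ics_dmz", 443),   # enterprise users browse historian reports over HTTPS
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def check_flows(flows):
    """Return one finding per flow that crosses zones outside an allowed conduit.

    flows: iterable of dicts with 'src', 'dst' (IP strings) and 'dport' (int).
    Intra-zone traffic is ignored; the conduit policy only governs boundaries.
    """
    findings = []
    for f in flows:
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, f["dport"]) not in CONDUITS:
            findings.append(
                f"conduit violation: {f['src']} ({src_zone}) -> "
                f"{f['dst']} ({dst_zone}) tcp/{f['dport']}"
            )
    return findings


def find_dual_homed(host_interfaces):
    """Flag hosts whose interfaces fall in more than one zone.

    host_interfaces: dict of hostname -> list of IP strings (e.g. from an
    asset inventory).  A host bridging two zones is a path around the firewall.
    """
    findings = []
    for host, ips in host_interfaces.items():
        zones = sorted({zone_of(ip) for ip in ips})
        if len(zones) > 1:
            findings.append(f"dual-homed: {host} spans {zones}")
    return findings


# Constructed sample data: two compliant flows and two that bypass the DMZ.
SAMPLE_FLOWS = [
    {"src": "192.168.100.20", "dst": "172.16.10.5", "dport": 5450},   # PI interface -> DMZ historian
    {"src": "10.0.4.17", "dst": "172.16.10.5", "dport": 443},         # enterprise browser -> historian web
    {"src": "10.0.4.17", "dst": "192.168.100.11", "dport": 502},      # enterprise host speaking Modbus/TCP to a PLC
    {"src": "172.16.10.5", "dst": "192.168.100.11", "dport": 3389},   # DMZ historian opening RDP into the control zone
]
SAMPLE_HOSTS = {
    "hist01": ["172.16.10.5"],
    "pi-int01": ["192.168.100.20", "10.0.9.40"],  # straddles control and enterprise
    "plc-line3": ["192.168.100.11"],
}

if __name__ == "__main__":
    for line in check_flows(SAMPLE_FLOWS) + find_dual_homed(SAMPLE_HOSTS):
        print(line)
```

Run against real data, the flow records would come from NetFlow or firewall logs and the interface list from the asset inventory; the point is that the policy is written down once as zones and conduits, so both a live flow and a stale inventory entry can be tested against the same definition.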
SCADA/ICS vulnerabilities

SCADA vulnerabilities
In addition to the inherent challenges, other factors contributing to lagging security practices include:
- Because SCADA networks started out as “separate” segments, there is a persistent disconnect between SCADA users and network administrators.
- Legacy and proprietary systems make even routine maintenance, such as patching and updating, difficult or impossible.
- There is a perception that SCADA devices are not compatible with anti-virus, monitoring and intrusion detection solutions.
- Vendors are often reluctant to support secure protocols.

SCADA vulnerabilities
Jonathan Pollet of Red Tiger Security shared the following statistics at the 2013 SANS SCADA Security Summit:
- Over 38,000 SCADA/ICS vulnerabilities were recorded from 2000 to 2008.
- The longest gap between the discovery of a vulnerability and its disclosure was over three years.
- The average time SCADA/ICS systems carried latent vulnerabilities was 331 days.
- Over 46% of the vulnerabilities discovered involved data historian applications, web servers and back-end databases.
- Examples of risky behavior: iTunes, BitTorrent, anonymous FTP services, and Windows NT, 2000 and Vista used as hosts for HMIs.

Source: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/Introduction_to_SCADA_Security_for_Managers_and_Operators.pdf

Don’t be the low-hanging piñata
SCADA/ICS security framework

Security frameworks
- The 2009 National Infrastructure Protection Plan (NIPP)
- Standard for Industrial Automation and Control Systems Security (ISA 99, now ISA/IEC 62443), now referenced in NIST SP 800-53
- National Institute of Standards and Technology (NIST) SP 800-82, Guide to Industrial Control Systems (ICS) Security
- Chemical Facility Anti-Terrorism Standards (CFATS)
- The Enhanced Critical Infrastructure Protection (ECIP) initiative, created in 2007 by the Department of Homeland Security (DHS)
- The North American Electric Reliability Corporation (NERC) enforces the Critical Infrastructure Protection (CIP) standards

Risk Management Framework (ISO 31000)
Source: http://csrc.nist.gov/cyberframework/rfi_comments/040513_cgi.pdf
Good practices

Good practices
Start with the “basics”:
- Network segmentation and a DMZ between the business and control networks
- AV, updates, patches, AD services, data historians and improved system management, delivered through the SCADA/ICS DMZ
- Secure remote access
- Deploying and managing IDS/IPS
- Security event monitoring and logging
- Build-out of a security framework
- Periodic, non-intrusive security risk assessments
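Two of the basics above, IDS/IPS and security event monitoring, only earn their place on a control network if the sensor understands the control protocol rather than just IP and port. The following is an added example and is not code from the presentation or from any vendor: a minimal Modbus/TCP request monitor that alerts on write function codes from hosts outside an authorized-writer list, on the Diagnostics sub-function that silences a device, on device-identification probes, and on frames whose MBAP header length does not match the bytes received. The authorized addresses and the sample frames are constructed for the example.

```python
"""Modbus/TCP write and diagnostics monitor.

Added example (not from the deck or any vendor): parses Modbus/TCP requests
the way a control-network IDS sensor would and raises alerts for
  - write function codes from any host not on the authorized-writer list,
  - the Diagnostics (FC 8) sub-function Force Listen Only Mode, which makes a
    device stop answering on the bus,
  - Read Device Identification (FC 43 / MEI type 0x0E), a fingerprinting step,
  - frames whose MBAP header does not match their length.
The IP addresses and the captured frames below are constructed for the example.
"""
import struct

# Modbus function codes that change process state (Modbus Application Protocol spec).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
DIAGNOSTICS = 8
FORCE_LISTEN_ONLY = 0x0004           # FC 8 sub-function code
ENCAPSULATED_INTERFACE = 43          # FC 0x2B
MEI_READ_DEVICE_ID = 0x0E

# Assumption for the example: only the HMI and the engineering workstation may write.
AUTHORIZED_WRITERS = {"192.168.100.10", "192.168.100.12"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into MBAP fields and PDU; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The MBAP length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(frame) - 6} bytes present")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def build_request(fc: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a well-formed Modbus/TCP request (used here to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect(src_ip: str, frame: bytes) -> list:
    """Return alert strings for one request frame seen from src_ip (empty if benign)."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"{src_ip}: malformed Modbus/TCP frame ({exc})"]
    alerts = []
    fc, data = req["fc"], req["data"]
    if fc in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        alerts.append(f"{src_ip}: unauthorized {WRITE_FUNCTIONS[fc]} (FC {fc}) to unit {req['unit']}")
    if fc == DIAGNOSTICS and len(data) >= 2 and struct.unpack(">H", data[:2])[0] == FORCE_LISTEN_ONLY:
        alerts.append(f"{src_ip}: Diagnostics Force Listen Only Mode (FC 8/0x04) to unit {req['unit']}")
    if fc == ENCAPSULATED_INTERFACE and data[:1] == bytes([MEI_READ_DEVICE_ID]):
        alerts.append(f"{src_ip}: Read Device Identification (FC 43) from unit {req['unit']}")
    return alerts


def run(traffic) -> list:
    """Inspect a sequence of (src_ip, frame) pairs and collect all alerts in order."""
    alerts = []
    for src_ip, frame in traffic:
        alerts.extend(inspect(src_ip, frame))
    return alerts


# Constructed sample traffic: two normal HMI requests, then four that should alert.
SAMPLE_TRAFFIC = [
    ("192.168.100.10", build_request(3, struct.pack(">HH", 0x0000, 10))),        # HMI reads 10 holding registers
    ("192.168.100.10", build_request(6, struct.pack(">HH", 0x0010, 750))),       # HMI writes a setpoint (authorized)
    ("10.0.4.17", build_request(5, struct.pack(">HH", 0x0001, 0xFF00))),         # enterprise host forces a coil ON
    ("10.0.4.17", build_request(8, struct.pack(">HH", FORCE_LISTEN_ONLY, 0))),   # silences the device
    ("10.0.4.17", build_request(43, bytes([MEI_READ_DEVICE_ID, 0x01, 0x00]))),   # fingerprinting
    ("10.0.4.17", b"\x00\x01\x00\x00\x00\x06\x01"),                              # truncated: no function code
]

if __name__ == "__main__":
    for alert in run(SAMPLE_TRAFFIC):
        print(alert)
```

In a deployment the frames would come from a SPAN port or tap on the control segment, and the authorized-writer list would be the HMIs and engineering workstations from the asset inventory. Modbus has no authentication, so the source address is the only thing a sensor can check a write against, which is also why the segmentation in the previous item matters: the allowlist is meaningless if an enterprise host can reach port 502 at all.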
NERC: 13 Management Practices
1. Leadership commitment (buy-in from the top down)
2. Analysis of threats, vulnerabilities and consequences (risk assessments)
3. Implementation of security measures (controls)
4. Information and cyber security (awareness)
5. Documentation (procedures)
6. Training, drills and guidance (test controls)
7. Communication, dialogue and information exchange
8. Response to security threats (reporting)
9. Response to security incidents (forensics)
10. Audits
11. Third-party verification (leverage your vendors)
12. Management of change
13. Continuous improvement
Example of SCADA/ICS layers of controls (two diagram slides)
Source: Red Tiger Security: http://www.redtigersecurity.com/
That’s a wrap!

In summary…
- Key enabling technologies are only effective and valuable if they are strategically leveraged and applied through collaborative efforts, forward-thinking initiatives and practical solutions.
- A long-term cyber security roadmap requires continuous collaboration and the proactive application of industry security standards to the day-to-day decisions involving devices on the SCADA network.
- Because operational requirements for SCADA systems often conflict with cyber security requirements, solutions should be tested prior to implementation to avoid unintended disruptions.

Questions?

Appendix – A few handy sources

A Few Handy Resources
- Red Tiger Security: consulting firm that specializes in SCADA/ICS penetration testing and vulnerability assessments.
- National Vulnerability Database: provides data that enables automation of vulnerability management, security measurement and compliance.
- INL SCADA Test Bed Program: provides intensive hands-on training in protecting and securing control systems from cyber attack.
- Department of Homeland Security Cyber Security Evaluation Tool (CSET).
- Shodan: “the scariest search engine on the Internet”; discloses SCADA systems with public IP addresses.