SCADA Security in CDIC 2009


  • © 2009 Chaiyakorn Apiwathanokul, CISSP, PTT ICT Solutions

    1. © 2009 PTT ICT Solutions All Rights Reserved. Cyber Attack Threatens Plant Control System (SCADA/DCS)
    2. ICT PEOPLE EXCELLENCE
       Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
       Title: Chief Security Officer (CSO)
       Company: PTT ICT Solutions Company Limited, a company of PTT Group
       Certificates: ISC2: CISSP, IRCA: ISMS (ISO27001), SANS: GCFA
       Experience:
       • Board member, Thailand Information Security Association (TISA)
       • Member of the technical committee on information security standards for electronic transactions (ISO27001)
       • Expert member of the committee revising the Bachelor of Business Administration curriculum in Information Technology Business, Prince of Songkla University
       • Member of the drafting committee for the MBA in Information Security Management, Assumption University
       • Working group studying and analysing data to recommend the B.E. 2551-2553 action plan of the Electronic Transactions Commission, NECTEC
       • Working group studying models and standards for electronic certificate issuance services and trust accreditation by independent auditors or regulatory bodies (Certified or Regulated Body), NECTEC
    3. Speaker at:
       • Royal Thai Armed Forces Headquarters
       • Regular course of the Army Command and General Staff College, Army Advanced Academic Institute
       • Bank of Thailand
       • Office of the Permanent Secretary, Ministry of Commerce
       • Office of the Permanent Secretary, Ministry of Defence
       • State Enterprise Information Technology Club of Thailand
       • Thai Medical Informatics Association
       • Strategic IT Governance course, Software Park 2007-2009
       • ITU ASP COE: Training Workshop on Information Management Framework for CIOs
       • CIO Conference 2007
       • Information Security Asia 2007
       • 2nd Annual ASIA IT Congress 2007
       • Cyber Defence Initiative Conference (CDIC) 2008
       • SCADA Asia Summit 2009
       • Mini-MBA Program, Thammasat University
       • Micro-MBA Program, Thammasat University
       • MIS Program, Thammasat University
       • King Mongkut's University of Technology Thonburi
    4. Protecting your SCADA system against cyber security threats, 17 June 2009
    5. Agenda
       • The real threats revealed
       • Case studies of global incidents
       • Cyber threats and control systems
       • What can we do to handle this challenge?
       • Q&A
    6. See the movie
    7. Italian Traffic Lights
       Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system
       Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in a two-month period
       Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets
       Lessons learned:
       • Do not underestimate the insider threat
       • Ensure separation of duties and auditing
    8. Transportation – Road Signs
       Event: Jan 2009, Texas road signs compromised
       Impact: Motorists distracted and provided false information
       Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
       Lessons learned:
       • Use robust physical access controls
       • Change all default passwords
       • Work with manufacturers to identify and protect password reset procedures
    9. Remarkable Incidents
       • Siberia, 1982: according to the book At the Abyss: An Insider's History of the Cold War (Ballantine, 2004, ISBN 0-89141-821-0), a CIA attack on the USSR's pipeline operation software caused a massive explosion during the summer of 1982 in the controversial pipeline delivering Siberian natural gas to Western Europe. Keywords: The Farewell Dossier, Gus W. Weiss
       • 2002: The FBI traced visitors, routed through the telecommunication networks of Saudi Arabia, Indonesia and Pakistan, who had studied emergency telephone systems, electric generation and transmission, water storage and distribution, nuclear power plants and gas facilities.
    10. 1988 Case
       • Allen-Bradley DH+ environment
       • Disgruntled employee
       • Modified the password of another department's PLC-5
       • Blocked all maintenance access to the system
       • The previous password of the system was believed to have been found on a post-it note
    11. Global Incidents (cont.)
       • Based on evidence collected in Afghanistan, Al Qaeda had a "high level of interest" in DCS and SCADA devices. (AFI Intelligence Briefing, 28 June 2002)
         – Terrorism looks for new methods of attack
         – 'Bombs and Bytes': the next Al Qa'ida terrorist threat
         – US faces an 'electronic Pearl Harbour'
       • 2003: Slammer worm crashed the network of the Davis-Besse nuclear plant in Ohio. According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer, to a VPN connection to the control center LAN. Recovery time: SPDS – 4 hours 50 minutes; PPC – 6 hours 9 minutes
    12. Global Incidents (cont.)
       Virus Found On Computer In Space Station: NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. … The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection. (InformationWeek, August 27, 2008)
    13. U.S. Critical Infrastructure Sectors
       Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized U.S. critical infrastructure into the following 18 CIKR sectors:
       • Agriculture and Food • Banking and Finance • Chemical • Commercial Facilities • Critical Manufacturing • Dams • Defense Industrial Base • Emergency Services • Energy • Government Facilities • Information Technology • National Monuments and Icons • Nuclear Reactors, Materials, and Waste • Postal and Shipping • Public Health and Healthcare • Telecommunications • Transportation • Water and Water Treatment
       Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system.
    14. [Diagram: National Critical Infrastructure has Manufacturing Plant Operations, which have Control Systems. Threat sources: adversary/disgruntled employee, terrorist/hacker, malicious code (virus/worm), vulnerabilities/weaknesses. Oversight: government, law/compliance/standard/guideline, industry-specific regulator.]
    15. Security Issues Causing Process Disruption
    16. Security incidents in the oil industry
       • Electronic sabotage of Venezuela oil operations
       • CIA Trojan causes Siberian gas pipeline explosion
       • Anti-virus software prevents boiler safety shutdown
       • Slammer-infected laptop shuts down DCS
       • Virus infection of operator training simulator
       • Electronic sabotage of gas processing plant
       • Slammer impacts offshore platforms
       • SQL Slammer impacts drill site
       • Code Red worm defaces automation web pages
       • Penetration test locks up gas control system
       • Contractor laptop infects control system
    17. Security incidents in the chemical industry
       • IP address change shuts down chemical plant
       • Hacker changes chemical plant setpoints via modem
       • Nachi worm on advanced process control servers
       • Attack on a chemical company's plant DCS
       • Contractor accidentally connects to remote PLC
       • Sasser causes loss of HMI in chemical plant
       • Infected new HMI infects chemical plant DCS
       • Blaster worm infects chemical plant
    18. Security incidents in the power industry
       • Slammer infects control center LAN via VPN
       • Slammer causes loss of comms to substations
       • Slammer infects Ohio nuclear plant SPDS
       "The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall"
    19. Security incidents in the power industry
       • Iranian hackers attempt to disrupt Israel power system
       • Utility control system attacked
       • Virus attacks a European utility
       • Facility cyber attacks reported by Asian utility
       • Power plant security details leaked on the Internet
    20. Security incidents in the water industry
       • Salt River Project SCADA hack
       • Maroochy Shire sewage spill
       • Software flaw makes MA water undrinkable
       • Trojan/keylogger on Ontario water SCADA system
       • Viruses found on Aussie SCADA laptops
       • Audit/Blaster causes water SCADA crash
       • DoS attack on water system via Korean telecom
       • Penetration of California irrigation district wastewater treatment plant SCADA
       • SCADA system tagged with message, "I enter in your server like you in Iraq."
    21. What are Industrial Control Systems (ICS), SCADA and DCS?
       Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment. There are two primary types of control systems.
       – Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area.
       – Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations.
       (NIST SP800-82 Final Public Draft, Sep. 2008)
    22. The term Industrial Control System (ICS) refers to a broad set of control systems, which include:
       • SCADA (Supervisory Control and Data Acquisition)
       • DCS (Distributed Control System)
       • PCS (Process Control System)
       • EMS (Energy Management System)
       • AS (Automation System)
       • SIS (Safety Instrumented System)
       • Any other automated control system
    23. Basic Control Systems Components
    24. Risk Drivers: Modernization and Globalization
       • Connections between Information Technology and control system networks (inheriting vulnerabilities)
       • Shift from isolated systems to open protocols
       • Access to remote sites through the use of modems, wireless, private, and public networks
       • Shared or joint-use systems for e-commerce
    25. General Findings
       • Default vendor accounts and passwords still in use
       • Some systems unable to be changed!
       • Guest accounts still available
       • Unused software and services still on systems
       • No security-level agreement with peer sites
       • No security-level agreement with vendors
       • Poor patch management (or patch programs)
       • Extensive auto-logon capability
    26. General Findings (continued)
       • Typical IT protections not widely used (firewalls, IDS, etc.). This has been improving in the last 6 months
       • Little emphasis on reviewing security logs (change management)
       • Common use of dynamic ARP tables with no ARP monitoring
       • Control system use of enterprise services (DNS, etc.)
       • Shared passwords
       • Writeable shares between hosts
       • User permissions allow for admin-level access
       • Direct VPN from offsite to control systems
       • Web-enabled field devices
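One way to put the missing ARP monitoring from slide 26 in place on a control segment, as an added example that is not from the presentation or from PTT ICT Solutions: the script below learns IP-to-MAC bindings from passively observed ARP replies, reports any later change to a learned binding, and lists any MAC address that has claimed more than one IP. The observations, addresses and class names are constructed for this example.

```python
"""Passive ARP monitoring for a control network segment.

Added example, not from the presentation. The observations below are
constructed ARP replies (time, sender IP, sender MAC) as a passive
listener on the segment would record them; all addresses are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpObservation:
    ts: str   # time the reply was seen (constructed, HH:MM:SS)
    ip: str   # sender protocol address from the ARP reply
    mac: str  # sender hardware address from the ARP reply


@dataclass
class ArpMonitor:
    # IP -> MAC binding learned the first time each IP was seen.
    table: dict = field(default_factory=dict)
    # Every IP each MAC has ever claimed (a MAC answering for many IPs
    # on a static control segment is worth a look).
    claims: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def observe(self, obs: ArpObservation):
        """Record one ARP reply; return an alert string if the binding changed."""
        self.claims[obs.mac].add(obs.ip)
        known = self.table.get(obs.ip)
        if known is None:
            self.table[obs.ip] = obs.mac      # first sighting: learn it
            return None
        if known != obs.mac:
            msg = f"{obs.ts} ARP binding change for {obs.ip}: {known} -> {obs.mac}"
            self.alerts.append(msg)
            return msg
        return None

    def macs_with_multiple_ips(self):
        """Return {mac: sorted list of IPs} for MACs that claimed more than one IP."""
        return {mac: sorted(ips) for mac, ips in self.claims.items() if len(ips) > 1}


# Constructed sample: gateway, HMI and PLC answer normally, then a fourth
# station starts answering for both the gateway and the PLC.
SAMPLE_OBSERVATIONS = [
    ArpObservation("09:00:01", "10.10.1.1",  "00:1a:2b:00:00:01"),  # gateway
    ArpObservation("09:00:02", "10.10.1.20", "00:1a:2b:00:00:20"),  # HMI
    ArpObservation("09:00:03", "10.10.1.30", "00:1a:2b:00:00:30"),  # PLC
    ArpObservation("09:00:10", "10.10.1.1",  "00:1a:2b:00:00:01"),  # gateway again, unchanged
    ArpObservation("09:05:00", "10.10.1.1",  "00:1a:2b:00:00:99"),  # new MAC answers for gateway
    ArpObservation("09:05:01", "10.10.1.30", "00:1a:2b:00:00:99"),  # same MAC answers for PLC
]


def run_monitor(observations=SAMPLE_OBSERVATIONS) -> ArpMonitor:
    """Feed all observations through one monitor and return it for inspection."""
    mon = ArpMonitor()
    for obs in observations:
        mon.observe(obs)
    return mon


if __name__ == "__main__":
    mon = run_monitor()
    for line in mon.alerts:
        print(line)
    for mac, ips in mon.macs_with_multiple_ips().items():
        print(f"{mac} has answered for {len(ips)} IPs: {', '.join(ips)}")
```

A binding change is also what a legitimate NIC replacement looks like, so each alert is a review item to be checked against the change record (slide 26's change management point) rather than an automatic verdict; on a small segment, static ARP entries for the gateway and controllers remove most of the ambiguity.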
    27. Gap of Coordination
       • Different vocabulary
         – ICT: "I know TCP/IP, NetBIOS, MSSQL, SAP, etc."
         – Operations: "I know Profibus, FieldBus, MODBUS, solenoid valves, turbines, hydraulics, pneumatics, etc."
       • SCADA/DCS can be somewhat frighteningly exciting to ICT people. Inadequate knowledge of and experience with the system lowers their confidence to provide appropriate support.
       • Operations people should work with IT security professionals from the ICT department or consultants
       • Educate the IT department about process control and SCADA operations
    28. Unsynchronized Technology Lifecycle
    29. Unsynchronized Technology Lifecycle (cont.)
       • ICT technology keeps changing while the control system is here to stay.
       • Production processes are rarely changed.
       • "We can operate as we always do. So, WHY UPGRADE???"
       • ICT equipment life is ~3-5 years
       • Control equipment life is ~10+ years
       • SCADA security today is where enterprise security was 5-10 years ago
    30. Different Expectations
    31. Sharing the SAME CHALLENGES
       • The information or data from devices or controllers must be sent to or processed at a server of that system, which exposes many attack possibilities, as follows:
         – Communication media
           • Radio: jammer
           • Protocol anomaly
         – Operating system running on the server
           • Microsoft Windows
           • Unix
         – Database
           • MS-SQL
           • Oracle
       • A system running a standard operating system is vulnerable to standard attacks
         – Malware/virus/worm/spyware
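Slide 31's "protocol anomaly" and slide 27's MODBUS, worked through as an added example that is not part of the presentation: a small Modbus/TCP frame parser with three defender-side checks (a malformed MBAP header, write function codes from hosts outside the HMI allowlist, and diagnostic function codes from hosts outside the engineering allowlist). The frames, host addresses and allowlists are constructed; the header layout and function code numbers are those of the public Modbus/TCP specification.

```python
"""Modbus/TCP anomaly checks over captured frames.

Added example, not part of the presentation. Frames and host addresses
are constructed; the MBAP header layout (transaction id, protocol id,
length, unit id) and the function codes are from the public Modbus/TCP
specification.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils",
    16: "Write Multiple Registers", 43: "Encapsulated Interface Transport",
}
WRITE_CODES = {5, 6, 15, 16}        # change process state
MAINTENANCE_CODES = {8, 43}         # diagnostics / device identification


def parse_frame(frame: bytes) -> dict:
    """Split an MBAP header + PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts the unit id plus the PDU, so a well-formed
    # frame is exactly 6 header bytes + length bytes long.
    if len(frame) != 6 + length:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def assess(src_ip: str, frame: bytes, hmi_hosts: set, engineering_hosts: set) -> list:
    """Return finding strings for one frame sent by src_ip (empty list if clean)."""
    try:
        msg = parse_frame(frame)
    except ValueError as err:
        return [f"MALFORMED from {src_ip}: {err}"]
    findings = []
    fc = msg["function"]
    name = FUNCTION_NAMES.get(fc)
    if name is None:
        findings.append(f"UNKNOWN function code {fc} from {src_ip} to unit {msg['unit']}")
    if fc in WRITE_CODES and src_ip not in hmi_hosts:
        findings.append(f"UNAUTHORIZED WRITE ({name}) from {src_ip} to unit {msg['unit']}")
    if fc in MAINTENANCE_CODES and src_ip not in engineering_hosts:
        findings.append(f"UNAUTHORIZED MAINTENANCE ({name}) from {src_ip} to unit {msg['unit']}")
    return findings


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP frame (used only to construct samples)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed allowlists: the HMI may write, the engineering station may run diagnostics.
HMI_HOSTS = {"10.10.1.20"}
ENGINEERING_HOSTS = {"10.10.1.50"}

# Constructed traffic sample, (source IP, raw frame).
SAMPLE_TRAFFIC = [
    ("10.10.1.20", build_frame(1, 1, 3, b"\x00\x00\x00\x0a")),      # HMI reads 10 holding registers
    ("10.10.1.20", build_frame(2, 1, 5, b"\x00\x00\xff\x00")),      # HMI writes one coil: allowed
    ("10.20.5.7",  build_frame(3, 1, 6, b"\x00\x10\x00\x01")),      # corporate host writes a register
    ("10.20.5.7",  build_frame(4, 1, 8, b"\x00\x01\x00\x00")),      # corporate host sends diagnostics
    ("10.20.5.8",  struct.pack(">HHHB", 5, 5, 2, 1) + b"\x03"),     # protocol id is not 0
    ("10.20.5.8",  struct.pack(">HHHB", 6, 0, 9, 1) + b"\x03\x00"), # length field disagrees with frame
    ("10.10.1.20", build_frame(7, 1, 0x63, b"")),                   # undefined function code 99
]


def run(traffic=SAMPLE_TRAFFIC) -> list:
    """Assess every frame in the sample and return all findings in order."""
    report = []
    for src, frame in traffic:
        report.extend(assess(src, frame, HMI_HOSTS, ENGINEERING_HOSTS))
    return report


if __name__ == "__main__":
    for line in run():
        print(line)
```

The checks are deliberately about who sends which function code rather than about payload values: on a production segment the set of legitimate Modbus talkers is small and stable, so a write or diagnostic request from any address outside that set is a high-confidence signal, and malformed headers are worth logging because field devices often handle them badly.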
    32. They are Connected
       • The operation network is somehow connected to the corporate network, or is even able to access the Internet. Without proper protection and control, the operation environment is truly at high risk.
    33. Does the system integrator have security in mind?
       • Are all possible conditions properly handled?
       • Is the program running in the controller security-aware by design?
       • The more security, the harder UAT and commissioning become, which may delay the project payment. Guess what!!! They don't do it unless explicitly required or asked for.
       • Is it in the TOR?
    34. Does the system integrator have security in mind? (cont.)
       "None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect." (Joseph Weiss, executive consultant for KEMA Consulting)
    35. Policy Enforcement
       • People + Process + Technology need to work in harmony. Sometimes we need a certain technology or tool to ensure that the defined process or policy is in good shape.
       • The most vulnerable entity is "PEOPLE". So keep them aware of what they are doing and the risk they are facing, plus the consequent damages and responsibility if they do not comply with the policy.
    36. Available Guidelines
       • 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
       • Roadmap to Secure Control Systems in the Chemical Sector, US-DHS
       • Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, API
       • ISA99 - Control Systems Security Model
       • ISO27001, ISO27002 (ISO17799)
    37. 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
       1. Identify all connections to SCADA networks
       2. Disconnect unnecessary connections to the SCADA network
       3. Evaluate and strengthen the security of any remaining connections to the SCADA network
       4. Harden SCADA networks by removing or disabling unnecessary services
       5. Do not rely on proprietary protocols to protect your system
       6. Implement the security features provided by device and system vendors
       7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
       8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
       9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
       10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
       11. Establish SCADA "Red Teams" to identify and evaluate possible attack scenarios
       12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
       13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
       14. Establish a rigorous, ongoing risk management process
       15. Establish a network protection strategy based on the principle of defense-in-depth
       16. Clearly identify cyber security requirements
       17. Establish effective configuration management processes
       18. Conduct routine self-assessments
       19. Establish system backups and disaster recovery plans
       20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
       21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
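Steps 1-3 and 15 (identify, remove and strengthen connections; defense in depth), together with slide 26's "direct VPN from offsite to control systems" and "control system use of enterprise services", as an added example that is neither the DOE's nor the presentation's code: a connection-inventory audit over a zoned network model, where each flow recorded in the inventory is checked against which zone boundaries it crosses and which services the receiving zone accepts. The zone names, the allowed-service table and the flows are constructed and hypothetical.

```python
"""Connection inventory audit for a zoned SCADA network.

Added example, not from the presentation or the DOE document. The zone
model, the allowed-service table and the flows are constructed and
hypothetical; adapt the table to the site's own documented architecture.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src_zone dst_zone dst_port description")

# Zones ordered from least to most trusted. Defense in depth here means a
# flow may cross only one boundary at a time (no enterprise -> control shortcuts).
ZONE_RANK = {"internet": 0, "enterprise": 1, "dmz": 2, "control": 3, "field": 4}

# TCP ports each zone may accept from the zone immediately outside it (hypothetical policy).
ALLOWED_INBOUND = {
    "enterprise": {443, 25},
    "dmz": {443, 1433},      # reporting portal and historian, reached from enterprise
    "control": {1433},       # historian replication from the DMZ only
    "field": {502},          # Modbus/TCP polling from the control zone only
}


def audit_flows(flows) -> list:
    """Return (kind, description) findings for flows that violate the zone policy."""
    findings = []
    for f in flows:
        src, dst = ZONE_RANK[f.src_zone], ZONE_RANK[f.dst_zone]
        if dst > src:
            # Inbound towards the process: must be to the adjacent zone, on an approved port.
            if dst - src > 1:
                findings.append(("SKIPS_ZONE",
                                 f"{f.description}: {f.src_zone} -> {f.dst_zone} bypasses intermediate zone(s)"))
            elif f.dst_port not in ALLOWED_INBOUND.get(f.dst_zone, set()):
                findings.append(("UNAPPROVED_SERVICE",
                                 f"{f.description}: port {f.dst_port} not approved into {f.dst_zone}"))
        elif src >= ZONE_RANK["control"] and dst <= ZONE_RANK["enterprise"]:
            # Control or field hosts initiating to enterprise/Internet (updates, DNS, mail)
            # tie the process network to services it does not control.
            findings.append(("OUTBOUND_FROM_CONTROL",
                             f"{f.description}: {f.src_zone} initiates to {f.dst_zone}"))
    return findings


# Constructed inventory, as step 1 would produce it.
SAMPLE_FLOWS = [
    Flow("enterprise", "dmz", 443, "Web reporting portal"),                     # ok
    Flow("dmz", "control", 1433, "Historian replication"),                      # ok
    Flow("control", "field", 502, "HMI polling PLCs"),                          # ok
    Flow("enterprise", "control", 3389, "Engineer RDP to HMI over direct VPN"), # skips DMZ
    Flow("internet", "field", 23, "Vendor dial-in modem on RTU"),               # skips everything
    Flow("enterprise", "dmz", 445, "File share to historian"),                  # wrong service
    Flow("control", "internet", 80, "HMI fetching vendor updates"),             # outbound
    Flow("control", "enterprise", 53, "Control hosts using corporate DNS"),     # outbound
]


def audit_report(flows=SAMPLE_FLOWS) -> list:
    """Findings for the sample inventory as printable lines."""
    return [f"{kind}: {desc}" for kind, desc in audit_flows(flows)]


if __name__ == "__main__":
    for line in audit_report():
        print(line)
```

Each finding maps back to a step: a skipped zone is a step 2 candidate for disconnection (or a step 3 candidate for re-routing through the DMZ), an unapproved service is a step 4 hardening item, and an outbound flow from the control zone is a step 7 "backdoor medium" to bring under control.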
    38. Petrochemical Segment
    39. Petroleum, Oil & Gas
    40. Energy Segment
    41. For your TOR/RFP
    42. Value Delivery from PTTICT
       • The weakness should be tackled internally
       • What can we do?
         – Educate/Awareness
         – Architecture review
         – Security assessment
         – Attack simulation
         – Help fixing the problem together
         – Investigation/Forensics (of what went wrong)
       • As a TEAM … we CAN
    43. Professional Approach
       • Methodical
       • Standard-oriented
       • Industry-specific
       • Qualified specialists
    44. Summary
       • The threat is real
       • The insider threat is more frightening
       • Securing the perimeter is not enough → Defense in Depth (DiD)
       • Need secure by design (for new systems)
       • Assessment and improvement (for existing systems)
       • Need collaboration and sharing
       • Guidelines and good practices are available
       • People need to be (cross-)trained
    45. © 2009 PTT ICT Solutions All Rights Reserved. Questions?
    46. © 2009 PTT ICT Solutions All Rights Reserved. THANK YOU (ขอบคุณครับ)