DHS ICS Security Presentation

DHS finding on the changing security landscape of ICS (Industry Control Systems).

  • What are the critical infrastructure sectors? Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized U.S. critical infrastructure into the following 18 critical infrastructure sectors and key resources, referred to as CI/KR:
    - Agriculture and Food
    - Banking and Finance
    - Chemical
    - Commercial Facilities
    - Critical Manufacturing
    - Dams
    - Defense Industrial Base
    - Emergency Services
    - Energy
    - Government Facilities
    - Information Technology
    - National Monuments and Icons
    - Nuclear Reactors, Materials, and Waste
    - Postal and Shipping
    - Public Health and Healthcare
    - Telecommunications
    - Transportation
    - Water
    Many are fully automated and cannot function when the control system is not operational.
  • Increasing Threat Prevalence. The risk of successful attacks on control systems from cyber means is increasing due to several factors:
    - Industry pressure to downsize, streamline, automate, and cut costs to maintain profit margins, resulting in connections between IT and SCADA networks. In the electric power industry, for example, deregulation led to more interconnectedness as executives sought more information from control systems to help make output and pricing decisions. Manufacturing executives wanted real-time information from assembly lines, for instance, to monitor how efficiently their factories were running. Ultimately, this meant many control systems were connected to the Internet.
    - The shift from proprietary mainframe-based computer control systems to distributed systems using open protocols and standards, and the expanded use of public protocols to interconnect previously isolated networks.
    - The trend towards web-based SCADA management platforms and network-enabled field devices, and the reliance on the Internet rather than installing expensive private telecommunications links to carry SCADA messages.
    - Increased access and interconnectivity to remote sites through the use of the Internet.
    - Shared or joint use systems: numerous corporations have created shared or joint use systems for e-commerce. Failure of even one of these systems not only has a negative impact on a member of the shared service, but also can percolate throughout the entire infrastructure, creating a sizeable vulnerability.
  • Vulnerabilities by Location in the ISA99 Model (share of vulnerabilities found per level; where the slide gives a second, rounded figure for a row it is reproduced as given):
    Level 5 - Internet DMZ zone               16.90%
    Level 4 - Enterprise LAN zone             24.70%   25%
    Level 3 - Operations DMZ                  46.30%   48%
    Level 2 - Supervisory HMI LAN             11.80%
    Level 1 - Controller LAN                   0.30%
    Level 0 - Instrumentation bus network      0.00%
    Further Breakdown of Host and Application Vulnerabilities - Level 3:
    Email Server Applications                          5.50%
    Web Server Platforms (Apache and IIS)             41.40%   48%
    Business Applications                             15.30%
    Shopping Cart Applications                         1.10%
    Applications written on PHP platform               1.50%
    Applications written on ASP or .NET platform       2.30%
    Database Servers (MS SQL, mySQL, and Oracle)      19.80%   20%
    FTP Servers                                        3.80%
    Portal Servers (Blogs and Forums)                  3.30%
    Workstation (client) vulnerabilities               6.00%
  • Notice that there were still a large number of vulnerabilities discovered in the Internet-facing systems and on the Enterprise LAN, which can provide an entry point into the lower levels of the SCADA or control system. The data contained in the above tables and charts makes sense and exposes some issues that we would expect to see. For example, the number of email application vulnerabilities is highest at the network area closest to the Internet, and as you get deeper into the network, these email vulnerabilities drop off.
  • Note that the majority of the vulnerabilities are due to misconfigured web server applications and database servers.
  • A major issue is the migration to Windows platforms without proper patch management procedures within the ICS domains.
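The layering point made above (Internet-facing and Enterprise LAN weaknesses becoming an entry path into the lower levels) can be checked mechanically against a proposed network design. The following is an added example, not code from the DHS presentation or the CSSP: it models the six ISA-99 levels named in the table above and flags three things the findings warn about, a conduit that skips a level (bypassing the Operations DMZ), a corporate or dynamic service such as DHCP consumed by the control network, and remote VPN access terminating inside it. The Flow type, the rule set, the service labels and the sample flows are assumptions constructed for the example.

```python
"""Zone-and-conduit flow check built on the ISA-99 level model from the
vulnerability table above. Added illustration, not DHS/CSSP code: the level
numbers and names follow the slide; the rules, the Flow type, the service
labels and the sample flows are assumptions constructed for this example."""
from dataclasses import dataclass

# Levels as named in the slide's "Vulnerabilities by Location" table.
LEVELS = {
    5: "Internet DMZ",
    4: "Enterprise LAN",
    3: "Operations DMZ",
    2: "Supervisory HMI LAN",
    1: "Controller LAN",
    0: "Instrumentation bus",
}

# Corporate/dynamic services the field findings say SCADA hosts should not
# depend on (constructed labels for this example).
CORPORATE_SERVICES = {"dhcp", "dns", "smb-share", "email"}
CONTROL_BOUNDARY = 2   # Level 2 and below are the control network proper


@dataclass(frozen=True)
class Flow:
    src_level: int
    dst_level: int
    service: str   # e.g. "historian", "vpn", "dhcp" (constructed labels)


def check_flow(flow: Flow) -> list:
    """Return the findings for one proposed conduit; an empty list means it passes."""
    findings = []
    src, dst = flow.src_level, flow.dst_level
    if src not in LEVELS or dst not in LEVELS:
        raise ValueError(f"unknown level in {flow}")
    # Rule 1: conduits connect adjacent levels only. Skipping a level (e.g.
    # Enterprise LAN straight to the HMI LAN) bypasses the Operations DMZ,
    # which is exactly the entry path the slide warns about.
    if abs(src - dst) > 1:
        findings.append(
            f"level skip: {LEVELS[src]} (L{src}) -> {LEVELS[dst]} (L{dst}) "
            f"bypasses the intermediate zone(s)"
        )
    # Rule 2: the control network must not consume corporate/dynamic services
    # from above the boundary (the "SCADA should not use corporate services" finding).
    crosses_boundary = min(src, dst) <= CONTROL_BOUNDARY < max(src, dst)
    if crosses_boundary and flow.service in CORPORATE_SERVICES:
        findings.append(f"corporate service '{flow.service}' crosses into the control network")
    # Rule 3: remote access must terminate above the control network
    # (the "direct VPN from off site to the control network" finding).
    if flow.service == "vpn" and dst <= CONTROL_BOUNDARY:
        findings.append(f"remote VPN terminates inside the control network (L{dst})")
    return findings


def audit(flows) -> dict:
    """Run check_flow over proposed conduits; keep only those with findings."""
    report = {}
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            report[flow] = findings
    return report


# Constructed sample of proposed conduits for a plant network.
SAMPLE_FLOWS = [
    Flow(4, 3, "historian"),   # enterprise reads a replicated historian in the ops DMZ: fine
    Flow(3, 2, "historian"),   # ops DMZ collects from the HMI LAN: fine
    Flow(2, 1, "modbus"),      # HMI to controllers: fine
    Flow(4, 2, "rdp"),         # enterprise host straight into the HMI LAN: level skip
    Flow(5, 2, "vpn"),         # off-site VPN landing on the control network: skip + VPN
    Flow(3, 2, "dhcp"),        # HMI LAN taking DHCP from the ops DMZ: corporate service
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        for finding in findings:
            print(f"{flow.service:>9} L{flow.src_level}->L{flow.dst_level}: {finding}")
```

Run against the constructed sample, the three acceptable flows produce no findings and the other three are reported, with the off-site VPN flow tripping two rules at once. Real designs have legitimate exceptions (a jump host in the Operations DMZ, for instance); the point of encoding the rules is that each exception becomes an explicit, reviewable entry rather than an undocumented wire.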
  • Field Visit General Findings:
    - Default vendor accounts and passwords do exist in the real world! User and password management is definitely a task. However, having an organized approach can lessen the pain and frustration.
    - SCADA systems should not use the corporate services. They probably should not be using dynamic services (DHCP, dynamic ARP, dynamic routes) at all. If A is the only guy who talks to B, why does the rest of the network even know that B exists?
    - We have seen architectures where a wire goes directly from one SCADA system to their peer (backup) site. What is the backup site's posture? You have a right to know. Remember, you are running from a bear! You want to be faster and less tasty than the guy behind you!!
    - Poor software patch management. The message from vendors sometimes seems to be: patch at your own peril. Part of the problem is that it's difficult to test patches (or any other security technology) in an actual control system environment because of the requirement for 100 percent availability and predictable performance. Another issue is that vendors sometimes approve patches for only certain versions of software. Patches can interrupt the real-time functioning of the operating system with negative consequences, so they are often not applied. Control systems cannot be easily brought down for the endless operating system patches that seem to abound these days. It would be like changing a tire at 70 mph.
    - Limited device processing power. Unlike a typical corporate IT network, in which hundreds (or thousands) of PCs, servers, and other devices are packed with processing power and memory, which allows cyber security professionals to apply the latest security technologies without much adverse effect on the network, many legacy control systems still run on Intel 8088, 286 and 386 processors. These processors are adequate for the functions they have, but may not be able to support the additional burden imposed by authentication and encryption techniques.
  • More General Findings:
    - The goals of availability, reliability, and safety in control systems conflict with IT security practices of confidentiality, availability, and integrity.
    - Developing security policies is not something control systems staff are familiar with. Control system and IT staff frequently do not work together to establish appropriate security policies.
    - Sharing passwords is common. Two-factor authentication is difficult to use because of working conditions (e.g., dirty hands impede fingerprint technology, safety goggles impede iris scanning techniques), and safety concerns prevent authentication lock-out schemes. Shared passwords are common due in part to the difficulty of managing password policy over the large number of remote devices, and also to the need for operators to be able to access control screens quickly (without having to think about what the latest password is) in emergency circumstances.
    - Antivirus software and firewalls are not always used; intrusion detection software is used even less. The trend toward higher efficiency results in staff cutbacks and often little emphasis on reviewing security logs.
    - Use of dynamic ARP tables with no ARP monitoring, which leaves systems open to ARP cache poisoning and man-in-the-middle attacks. ARP, the Address Resolution Protocol, is the protocol used by the Internet Protocol (IP) to map IP network addresses to the hardware addresses used by a data link protocol.
    - Unused software still on systems. Any software on a system adds increased threat of exploitation of that software. If the software is not being actively used, it is probably not being kept patched or otherwise up to date, increasing the chance that vulnerabilities could be exploited.
    - Unused services still active. Services or protocols typically used on the Internet are likely to have exploits that can be carried out against them. Hardening the system by disabling or removing them closes down one more avenue of attack.
    - Writeable shares between hosts.
    - Direct VPN from off site allowed to the control system network.
    - Web-enabled field devices.
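The dynamic-ARP finding above is one that a small monitor can turn into a detection. The example below is added here and is not DHS or CSSP code: it learns the IP-to-MAC baseline a static SCADA segment should have, raises an alert when an IP's MAC changes (the gateway's with higher severity) or when one MAC claims several IPs, the two symptoms of cache poisoning the finding names, and emits the static ARP entries that pin the baseline, which is the mitigation the "should not be using dynamic ARP" finding implies. The ARP replies, addresses and MAC values are constructed for the example, and the `arp -s` form is the net-tools syntax, shown as one way to pin entries.

```python
"""ARP-table monitor for a static SCADA segment. Added illustration of the
"dynamic ARP tables with no ARP monitoring" finding; not DHS/CSSP code.
The ARP replies, addresses and MAC values below are constructed."""
from collections import defaultdict

# Constructed stream of (sender IP, sender MAC) pairs as seen in ARP replies
# on one segment. The first three establish the baseline; the last two show a
# single MAC (...:99) claiming both the gateway and the HMI.
ARP_REPLIES = [
    ("10.10.1.1",  "00:1A:2B:3C:4D:01"),   # gateway
    ("10.10.1.20", "00:1A:2B:3C:4D:20"),   # HMI
    ("10.10.1.30", "00:1A:2B:3C:4D:30"),   # historian
    ("10.10.1.1",  "00:1A:2B:3C:4D:99"),   # gateway IP now answered by a different MAC
    ("10.10.1.20", "00:1A:2B:3C:4D:99"),   # the same MAC now answers for the HMI too
]


def learn_baseline(replies):
    """First MAC seen for each IP. On a static control segment this is the
    authoritative mapping that later replies are compared against."""
    baseline = {}
    for ip, mac in replies:
        baseline.setdefault(ip, mac.lower())
    return baseline


def detect_arp_anomalies(replies, gateway_ip):
    """Return (severity, message) alerts for IP->MAC changes and for one MAC
    claiming several IPs. Alerts are listed in the order they are detected,
    mapping changes first, then the per-MAC summary."""
    baseline = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        known = baseline.setdefault(ip, mac)
        if known != mac:
            # A changed mapping for the gateway is the classic MITM setup.
            severity = "critical" if ip == gateway_ip else "high"
            alerts.append((severity, f"ARP mapping for {ip} changed {known} -> {mac}"))
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("medium", f"MAC {mac} claims {len(ips)} IPs: {sorted(ips)}"))
    return alerts


def static_arp_commands(baseline):
    """Mitigation the finding points to: pin the learned baseline as static
    entries. Shown in net-tools 'arp -s' form; adapt to the host's own tooling."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(baseline.items())]


if __name__ == "__main__":
    for severity, message in detect_arp_anomalies(ARP_REPLIES, "10.10.1.1"):
        print(f"[{severity}] {message}")
    print("\n".join(static_arp_commands(learn_baseline(ARP_REPLIES[:3]))))
```

On a control segment that should not be using dynamic addressing at all, any change in the mapping is a reportable event. On a DHCP-served corporate LAN the same logic needs an allowance for lease changes and NIC replacements, which is one more reason the findings argue for keeping the two environments apart.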
  • According to several published reports, in August 2006, two Los Angeles city employees hacked into computers controlling the city's traffic lights and disrupted signal lights at four intersections, causing substantial backups and delays. The attacks were launched prior to an anticipated labor protest by the employees. The illegal access occurred hours before a job action in August 2006 by members of the Engineers and Architects Assn., which represents the engineers who run and maintain the city's traffic center. It took four days to get the traffic control system fully operational afterward, and the incident underscored the vulnerability of L.A.'s complex system. The breach, reported on Aug. 21, 2006 between 9:10 and 9:30 p.m., involved sending computer commands that disconnected four signal control boxes at critical intersections: Sky Way and World Way at LAX; Coldwater Canyon Avenue and Riverside Drive in the San Fernando Valley; Alvarado Street and Glendale Boulevard at Berkeley Avenue in Echo Park; and 1st and Alameda streets.
  • In August 2005, a round of Internet worm infections knocked 13 of DaimlerChrysler's U.S. automobile manufacturing plants offline for almost an hour, leaving workers idle as infected Microsoft Windows systems were patched. Zotob and its variations also caused computer outages at heavy-equipment maker Caterpillar Inc., aircraft maker Boeing, and several large U.S. news organizations. The latest worm attacks, exploiting holes in the Windows Plug and Play service, are causing grief to major corporations. A round of Internet worm infections knocked 13 of DaimlerChrysler's U.S. auto manufacturing plants offline for almost an hour this week, stranding some 50,000 auto workers as infected Microsoft Windows systems were patched, a company spokesperson told eWEEK. Plants in Illinois, Indiana, Wisconsin, Ohio, Delaware and Michigan were knocked offline at around 3:00 PM on Tuesday, stopping vehicle production at those plants for up to 50 minutes, according to spokesperson Dave Elshoff. The company has patched the affected Windows 2000 systems, but is still mopping up after the attack and doesn't know whether deliveries from parts suppliers, who were also affected, might be delayed, he said.
  • A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents. The 14-year-old modified a TV remote control so that it could be used to change track points, The Telegraph reports. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified track settings for a prank. "He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks," said Miroslaw Micor, a spokesman for Lodz police. "He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change." "He treated it like any other schoolboy might a giant train set, but it was lucky nobody was killed. Four trams were derailed, and others had to make emergency stops that left passengers hurt. He clearly did not think about the consequences of his actions," Micor added. Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security, using commodity electronics and a little native wit. The apparent ease with which Lodz's tram network was hacked, even by these low standards, is still a bit of an eye opener. Problems with the signalling system on Lodz's tram network became apparent on Tuesday when a driver attempting to steer his vehicle to the right was involuntarily taken to the left. As a result the rear wagon of the train jumped the rails and collided with another passing tram. Transport staff immediately suspected outside interference. The youth, described by his teachers as an electronics buff and exemplary student, faces charges at a special juvenile court of endangering public safety.
  • Case 2: Maroochy Waste Water Attack
    Event: In March 2000, a man named Vitek Boden, a former employee of the company that produced the plant's remote control and telemetry equipment, remotely attacked the SCADA system in order to release hundreds of thousands of gallons of untreated sewage along Australia's Sunshine Coast, where it contaminated parks, rivers and the grounds of a hotel.
    Industry: Water Treatment
    Location: Maroochy Shire, Queensland, Australia
    Event: Hundreds of thousands of gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds.
    Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs.
  • In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device. As control systems become increasingly interconnected with other networks and the Internet, and as the system capabilities continue to increase, so do the threats, potential vulnerabilities, types of attacks, and consequences of compromising these critical systems.
  • A nuclear power plant shut down for 48 hours after a software update was installed on a single computer. The incident occurred at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. An engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer operating on the plant's business network. The computer in question was used to monitor chemical and diagnostic data from one of the facility's primary control systems, and the software update was designed to synchronize data on both systems. According to the report filed with the Nuclear Regulatory Commission, when the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in water reservoirs that cool the plant's radioactive nuclear fuel rods. As a result, automated safety systems at the plant triggered a shutdown. Southern Company spokeswoman Carrie Phillips said the nuclear plant's emergency systems performed as designed, and that at no time did the malfunction endanger the security or safety of the nuclear facility. Phillips explained that company technicians were aware that there was full two-way communication between certain computers on the plant's corporate and control networks. But she said the engineer who installed the update was not aware that the software was designed to synchronize data between machines on both networks, or that a reboot in the business system computer would force a similar reset in the control system machine.
  • The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread. "This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel," reads the April NRC filing by FirstEnergy's Dale Wuokko. "[S]ome people in Corporate's Network Services department were aware of this T1 connection and some were not." Users noticed slow performance on Davis-Besse's business network at 9:00 a.m., Saturday, January 25th, at the same time Slammer began hitting networks around the world. From the business network, the worm spread to the plant network, where it found purchase in at least one unpatched Windows server. According to the reports, plant computer engineers hadn't installed the patch for the MS-SQL vulnerability that Slammer exploited. In fact, they didn't know there was a patch, which Microsoft released six months before Slammer struck. By 4:00 p.m., power plant workers noticed a slowdown on the plant network. At 4:50 p.m., the congestion created by the worm's scanning crashed the plant's computerized display panel, called the Safety Parameter Display System. An SPDS monitors the most crucial safety indicators at a plant, like coolant systems, core temperature sensors, and external radiation sensors. Many of those continue to require careful monitoring even while a plant is offline, says one expert. An SPDS outage lasting eight hours or more requires that the NRC be notified. At 5:13 p.m., another, less critical, monitoring system called the "Plant Process Computer" crashed. Both systems had redundant analog backups that were unaffected by the worm, but "The unavailability of the SPDS and the PPC was burdensome on the operators," notes the March advisory. It took four hours and fifty minutes to restore the SPDS, six hours and nine minutes to get the PPC working again.
  • Case 1: Olympic Pipeline Explosion
    Event: About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1-1/2 hours after the rupture, the gasoline ignited and burned approximately 1-1/2 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million.
    Industry: Gasoline Pipeline
    Location: Bellingham, WA, USA
    Event: 16-inch gasoline pipeline explosion and fire, exacerbated by the inability of the SCADA system to perform control and monitoring functions.
    Impact: 3 fatalities, property damage >$45M, matching fines of $7.86 million each to Olympic Pipeline Company and Shell Pipeline Co. (formerly Equilon Pipeline Company, LLC), along with jail time served.
    Sequence of Events:
    - The inlet block valve on the pipeline had unexpectedly closed 41 times prior to the accident, caused by fluctuating pressures and resulting in upstream pressure spikes with each event.
    - Prior to the accident, controllers had used SCADA system commands to open the block valve and stabilize the pressure.
    - On the day of the accident, system administrators were making alterations to the historical database while the system was on-line.
    - When the block valve unexpectedly closed during the fuel transfer operation, the SCADA system was non-responsive.
    - The pipe over-pressurized and ruptured, but this went undetected for 61 minutes while the system was being cleared.
  • In 1994, a 27-year-old hacker gained unauthorized access into the computer network of the Salt River Project (SRP) in Arizona. This incident has been widely misreported as a 12-year-old hacker who broke into the computer network for the Roosevelt Dam in Arizona in 1998. The actual incident involved a programmer and software developer named Lane Jarrett Davis, who, using a dial-up modem, was able to break into the SRP network with the intention of retrieving billing information. According to reports, Mr. Davis dialed into the server that monitored the water levels of canals in the Phoenix area. At the time of the incident, the SRP water SCADA system operated a 131-mile canal system which was used to deliver water to customers. The type of data vulnerable during the intrusions included monitoring and delivery information for water and power processes, in addition to financial and customer data. The data actually taken or altered included login and password files, in addition to computer system log files. SRP estimated losses at $40,000, not including lost productivity due to the compromise. At the time of the incident, Mr. Davis had an associate's degree in computer science and believed that he had the right to pursue his intellectual freedom through his hacking activities.
  • [Image caption: A technician navigates the nearly 17-mile tunnel that houses the Large Hadron Collider.] While the SRP incident occurred nearly 14 years ago, more recent incidents have occurred, demonstrating an increased interest in cyber attacks on control systems. Earlier this month, on September 12, computer hackers broke into the Large Hadron Collider, a gigantic particle accelerator located 330 feet underground along the French-Swiss border. Considered one of the world's largest physics experiments to date, it was built by the European Organization for Nuclear Research (also known as CERN) to recreate conditions just after the Big Bang occurred. The hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang. Reports indicate that they posted a message on the facility's website which read "GSI – Greek Security Team." "There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for CERN. He further indicated that the attack was quickly detected and mitigated. While the damage has been downplayed to what appears to be a harmless web defacement, scientists working at CERN expressed concern over what the hackers could do, as they were "one step away" from the computer control system of one of the huge detectors of the machine, a huge solenoid magnet weighing 12,500 tons [1]. According to CERN, this magnet takes the form of a cylindrical coil of superconducting cable that generates a magnetic field of 4 teslas, about 100,000 times that of the Earth. CERN, like many organizations, employs a vast number of control systems to monitor and run their vital processes and infrastructure. While this attack resulted in little more than embarrassment, a successful attack into these systems could have more far-reaching consequences. These incidents underscore the important mission that exists to increase awareness of the security issues affecting process control systems and provide mitigation strategies for securing critical infrastructure.
    [1] http://www.telegraph.co.uk/earth/main.jhtml?view=DETAILS&grid=&xml=/earth/2008/09/12/scicern212.xml
  • Virus Infects Space Station Laptops (Again). By Ryan Singel, August 26, 2008, 1:22:55 PM. Categories: Hacks and Cracks.
  • Control systems are currently changing course. Mitigations are needed to protect them along the way.
    - Control system security can no longer hide behind proprietary configurations and special training.
    - Control systems are no longer isolated systems that require special skills. Open systems and protocols have changed that.
    - Control systems are no longer isolated from corporate and other networks.
    - Hackers are smart, and the prevalence of information available via the Internet makes attacks similar to IT attacks.
    - Control systems are migrating away from their traditional shared and unrestricted configurations to more secure ones.
  • Examples of products and tools that have been developed and made available for industry are listed here.
    - CS2SAT: the Self-Assessment Tool helps owners and operators evaluate the security posture of their control system, and it provides recommendations on how the security can be improved.
    - Recommended Practices
    - Current information
  • CSSP utilizes the expertise and facilities at our National Laboratories to evaluate vendor control systems and components. The Cyber Security Test Beds are capable of being set up with all of the input and output requirements and of running a small SCADA or process control system. The CSSP has teamed with SCADA and control system vendors through Non-Disclosure Agreements (NDA) and Cooperative Research and Development Agreements to test their systems. A team of control system engineers and cyber researchers work within an agreed test plan to identify vulnerabilities. Those vulnerabilities are then reported back to the vendor, who (if possible) develops patches and mitigations for those vulnerabilities. As the vendors provide their customers patches and "new and improved" control systems, the security of the critical infrastructure is improved. The government benefits as well by having a better understanding of the strengths and weaknesses of the control systems.
  • The SCADA Procurement Project, established in March 2006, is a joint effort among public and private sectors focused on development of common procurement language that can be used by everyone. The goal is for federal, state and local asset owners and regulators to come together using these procurement requirements and to maximize the collective buying power to help ensure that security is integrated into SCADA systems. Control system security vulnerabilities are often inadvertently introduced due to the customer not specifying appropriate security attributes in the procurement process. By using the Cyber Security Procurement Language for Control Systems guidance when a control system is purchased or upgraded, many cyber security vulnerabilities will be addressed and possibly prevented. The Cyber Security Procurement Language for Control Systems document enables asset owners to request security "built-in" rather than "bolted on." The Cyber Security Procurement Language for Control Systems has been developed with the assistance and review of over 170 control system asset owners and vendor representatives. DHS worked closely with the MS-ISAC, the SANS Institute, the Department of Energy, INL, and other government and industry officials on the Project, which has received positive feedback from users, averaging more than 450 downloads per month from the MS-ISAC website since it was posted in January 2007.
  • NSTB Standards Improvement task (http://www.inl.gov/scada/standards/index.shtml)
    While cyber security standards are available to address cyber security of Information Technology (IT) systems, there are few technical Control System cyber security standards that have been released at this time. NSTB work includes supporting the development of industry standards covering cyber security of control systems. The NSTB program participated in the formal review of the following standards:
    - IEC 62443, Security for Industrial Process Measurement and Control, DRAFT
    - ISA-99.00.01, Security for Industrial Automation and Control Systems, Part 1: Concepts, Terminology and Models, DRAFT
    - ISA-99.00.02, Security for Industrial Automation and Control Systems, Part 2: Establishing an Industrial Automation and Control System Security Program, DRAFT
    - NERC Standard CIP-002 through -009, Cyber Security, June 2006
    - NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, RELEASED February 2005, Revision 1 DRAFT
    - NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security, DRAFT
    Work to date includes the identification and comparison of standards that are appropriate repositories of relevant guidance. The results of that study are available in two reports: A Comparison of Cross-Sector Cyber Security Standards (http://www.inl.gov/scada/publications/d/a_comparison_of_cross-sector_cyber_security_standards.pdf) and A Summary of Control System Security Standards Activities in the Energy Sector (http://www.inl.gov/scada/publications/d/a_summary_of_control_system_security_standards_activities_in_the_energy_sector.pdf). Ongoing efforts in the standards area also include a detailed analysis of the topics and level of coverage contained in the standards identified in the reports. The following standards are applicable to Control System cyber security:
    - AGA Report No. 12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, American Gas Association, March 2006: http://www.aga.org/Content/ContentGroups/Operations_and_Engineering2/Infrastructure_Security1/AGA12.pdf
    - API Standard 1164, Pipeline SCADA Security, September 2004: http://www.techstreet.com/cgi-bin/detail?product_id=1175186
    - Guidance for Addressing Cybersecurity in the Chemical Industry, Version 3.0, May 2006 (The CIDX Cyber Security Initiative was consolidated into the Chemical Sector Cyber Security Program under the Chemical Information Technology Council in 2006.): http://www.chemicalcybersecurity.com/cybersecurity_tools/guidance_docs.cfm
    - IEC 61850-SER, Communication Networks and Systems in Substations: http://webstore.ansi.org/ansidocstore/product.asp?sku=IEC+61850%2DSER+Ed%2E+1%2E0+en%3A2005
    - IEC 60870-6, Telecontrol Equipment and Systems Part 6: Telecontrol protocols compatible with ISO standards and ITU-T recommendations (also referred to as IEC standard TASE.2): http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=TASE.2
    - IEC 62351-1, Data and Communications Security, Introduction, DRAFT: http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=E&wwwprog=sea22.p&search=iecnumber&header=IEC&pubno=62351&part=1&se=&submit=Submit
    - IEC 62443, Security for Industrial Process Measurement and Control, DRAFT: http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=E&wwwprog=sea22.p&search=iecnumber&header=IEC&pubno=62443&part=&se=&submit=Submit
    - IEC TR 62210, Power system control and associated communications - Data and communication security, May 2003: http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=(%5BHead_Number%5D=%221%22)%20AND%20(%5BDocument_Name%5D%20CONTAINS%20%22TR%2062210%22)
    - IEEE Std 1402-2000, IEEE Guide for Electric Power Substation Physical and Electronic Security, January 2000: http://shop.ieee.org/ieeestore/Product.aspx?product_no=SS94822
    - ISA-99.00.01, Security for Industrial Automation and Control Systems, Part 1: Concepts, Terminology and Models, DRAFT
    - ISA-99.00.02, Security for Industrial Automation and Control Systems, Part 2: Establishing an Industrial Automation and Control System Security Program, DRAFT
    - ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems, March 2004: http://www.isa.org/Template.cfm?Section=Find_Standards&Template=/Ecommerce/ProductDisplay.cfm&Productid=7372
    - ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing and Control Systems Environment, April 2004: http://www.isa.org/Template.cfm?Section=Shop_ISA&Template=/Ecommerce/ProductDisplay.cfm&Productid=7380
    - ISO/IEC 17799, Information technology - Code of practice for information security management, June 2005: http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=(%5BHead_Number%5D=%227%22)%20AND%20(%5BDocument_Name%5D%20CONTAINS%20%2217799%22)
    - ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements, October 2005: http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=(%5BHead_Number%5D=%227%22)%20AND%20(%5BDocument_Name%5D%20CONTAINS%20%2227001%22)
    - NERC Standard CIP-002 through -009, Cyber Security, June 2006: http://www.nerc.com/~filez/standards/Reliability_Standards.html
    - NERC Security Guidelines for the Electricity Sector: Control System - Business Network Electronic Connectivity, May 2005: http://www.esisac.com/publicdocs/Guides/SecGuide_ElectronicSec_BOTapprvd3may05.pdf
    - NERC Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, June 2002: http://www.esisac.com/publicdocs/Guides/V1-VulnerabilityAssessment.pdf
    - NIST System Protection Profile - Industrial Control Systems, April 2004: http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.pdf
    - NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, RELEASED February 2005, Revision 1, DRAFT: http://csrc.nist.gov/publications/nistpubs/
    - NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security, DRAFT
  • Two web-based training courses developed by NCSD CSSP are available through the Control Systems Security web site hosted at US-CERT. Over 1,500 people have taken the web-based training since April 2007. "Cyber Security for Control Systems Engineers and Operators" consists of five lessons covering threats, risks, cyber attacks, risk assessments and mitigations for control systems, and can be completed in less than an hour. Since it became available in March 2007, over a thousand people have taken the course, and several companies and government organizations now require it in their employees' personal training plans. The "OPSEC for Control Systems" web-based course introduces control system employees to the basic concepts of operations security (OPSEC) and applies them to the control system environment. Interactive exercises have you explore different environments, such as the office, at home, and on travel, to discover problems; you even get to play the "bad guy" and try to disrupt a competitor's manufacturing process.
  • The resources of the various federal agencies and private partners have enabled us to address vulnerabilities associated with Industrial Control Systems across the critical infrastructure and key resources sectors. From the partnership programs between our local Protective Security Advisors and asset owners/operators to the information sharing and analysis conducted by various organizations, we are looking to leverage all available assets in order to ensure we address cyber security in the industrial control environment.
  • The CSSP facilitates and coordinates the Control Systems Cyber Security Vendor's Forum monthly conference calls and periodic meetings. The vendors represent a majority of the control systems community within the US infrastructure and have global facilities and operations. This forum allows for:
    • Vendors sharing security concerns and challenges
    • Vendors sharing and implementing security globally
    • Vendors understanding the importance of security and reaching out to the private sector
    • Vendors developing a unified message related to control systems security
  • According to several published reports, in August 2006 two Los Angeles city employees hacked into computers controlling the city's traffic lights and disrupted signal lights at four intersections, causing substantial backups and delays. The attacks were launched prior to an anticipated labor protest by the employees; the illegal access occurred hours before a job action in August 2006 by members of the Engineers and Architects Assn., which represents the engineers who run and maintain the city's traffic center. It took four days to get the traffic control system fully operational afterward, which underscored the vulnerability of L.A.'s complex system. The breach, reported on Aug. 21, 2006 between 9:10 and 9:30 p.m., involved sending computer commands that disconnected four signal control boxes at critical intersections: Sky Way and World Way at LAX; Coldwater Canyon Avenue and Riverside Drive in the San Fernando Valley; Alvarado Street and Glendale Boulevard at Berkeley Avenue in Echo Park; and 1st and Alameda streets
  • The gauge in error was assumed correct; the accurate gauge was assumed wrong. 15 dead, 180 injured, economic losses in excess of $1.5 billion, $50 million fine (Chemical Safety Board).
  • In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the East Coast of the United States. The virus infected the computer system at CSX Corporation’s Jacksonville, Florida, headquarters, shutting down signaling, dispatching, and other systems. According to an Amtrak spokesman, 10 Amtrak trains were affected. Train service was either shut down or delayed up to 6 hours.
  • In December 2005, the Taum Sauk Water Storage Dam, approximately 100 miles south of St. Louis, Missouri, suffered a catastrophic failure, releasing a billion gallons of water. According to the dam’s operator, the incident may have occurred because the gauges at the dam read differently than the gauges at the dam’s remote monitoring station.
  • Systems include tank filling, coke conveyor systems, tanker loading and unloading.
  • According to an ABC News report and InfoWorld, hackers gained unauthorized access to the computer systems at a Harrisburg, Pennsylvania, water treatment plant in early October. An employee's laptop was compromised via the Internet and used as an entry point by the hackers to access administrative systems and install viruses and spyware. The U.S. Federal Bureau of Investigation is investigating the incident and believes the attackers were working outside the U.S. As of this writing, no arrests have been made. Initial reports indicate that the hackers were not directly targeting the treatment plant, but instead used the compromised system to generate e-mail spam. Regardless, the intrusion could have interfered with the plant's operations. While no security measure can stop a determined attacker with enough skill, time, and the right resources, properly implemented security practices and policies could have prevented this attack. Industries and organizations that manage far less critical systems do so every day.
  • DHS ICS Security Presentation

    1. Department of Homeland Security Control Systems Security Program. Seán Paul McGurk, Director, Control Systems Security, National Cyber Security Division, U.S. Department of Homeland Security
    2. Overview of Control Systems
    3. U.S. Critical Infrastructure Sectors. Homeland Security Presidential Directive 7 (HSPD-7) along with the National Infrastructure Protection Plan (NIPP) identified and categorized U.S. critical infrastructure into the following 18 CIKR sectors:
       • Agriculture and Food
       • Banking and Finance
       • Chemical
       • Commercial Facilities
       • Critical Manufacturing
       • Dams
       • Defense Industrial Base
       • Emergency Services
       • Energy
       • Government Facilities
       • Information Technology
       • National Monuments and Icons
       • Nuclear Reactors, Materials, and Waste
       • Postal and Shipping
       • Public Health and Healthcare
       • Telecommunications
       • Transportation
       • Water and Water Treatment
       Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system.
    4. Risk Drivers: Modernization and Globalization
       • Connections between Information Technology and Control System networks (inheriting vulnerabilities)
       • Shift from isolated systems to open protocols
       • Access to remote sites through the use of modems, wireless, private, and public networks
       • Shared or joint use systems for e-commerce
    5. Vulnerability Lifecycle
       • January 2008: Core Security Technologies discovers a vulnerability in the CitectSCADA product and works with Citect and US-CERT
       • June 2008: Citect releases patches for affected products
       • June 11, 2008: US-CERT publishes a Vulnerability Note regarding the Citect buffer overflow
    6. Vulnerability Lifecycle (continued)
       • September 5, 2008: Metasploit exploit code posted
       • September 6, 2008: Traffic increases for the specified port
    7. Control Systems Site Assessments (ISA 99 Control Systems Security Model)
       • Since 2002, over 100 site assessments conducted
       • Sectors: Electric, Oil and Natural Gas, Chemical, Water, and Transportation (pipeline)
       • Over 38,000 vulnerabilities identified and categorized
    8. ICS Vulnerabilities categorized by ISA99 Security Zones, Level 0-5. Data provided by
    9. ICS Security Zones of Interest: Level 3 - Operational Zone
       • Network device vulnerabilities: 9.3% (1677 vulnerabilities)
       • Host-based/application system vulnerabilities: 90.7% (16288 vulnerabilities)
       • Primary security issues with: Web Server Applications; Database Servers (MS SQL, mySQL, Oracle); Business Applications
       Data provided by
    10. ICS Security Zones of Interest: Level 2 – Supervisory HMI LAN
       • Network device vulnerabilities: 35.4% (1614 vulnerabilities)
       • Host-based/application system vulnerabilities: 64.6% (2914 vulnerabilities)
       • Primary security issues with: Microsoft-based Operating System (migration); Sun Solaris Operating Systems
    11. General Findings
       • Default vendor accounts and passwords still in use; on some systems they cannot be changed!
       • Guest accounts still available
       • Unused software and services still on systems
       • No security-level agreement with peer sites
       • No security-level agreement with vendors
       • Poor patch management (or patch programs)
       • Extensive auto-logon capability
    12. General Findings (continued)
       • Typical IT protections not widely used (firewalls, IDS, etc.); this has been improving in the last 6 months
       • Little emphasis on reviewing security logs (change management)
       • Common use of dynamic ARP tables with no ARP monitoring
       • Control system use of enterprise services (DNS, etc.)
       • Shared passwords
       • Writeable shares between hosts
       • User permissions allow for admin-level access
       • Direct VPN from offsite to control systems
       • Web-enabled field devices
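Added example, not code from the DHS deck: the finding above about dynamic ARP tables with no ARP monitoring is cheap to act on from a SPAN port on the HMI LAN. The Python below keeps its own IP-to-MAC table from observed ARP replies and raises an alert when an address answers from a new MAC, when a reply disagrees with an engineering inventory, or when one MAC starts answering for several addresses, which is what ARP poisoning of a flat control network looks like on the wire. The ARP log lines, the inventory table and the addresses are constructed for illustration; the `tcpdump -e arp` feed mentioned in the docstring is one way to produce such records, not something the deck describes.

```python
"""ARP monitor for a flat control-system LAN (added example, not DHS code).

Consumes 'timestamp ip mac' records of observed ARP replies (a constructed
format, e.g. distilled from 'tcpdump -e arp' on a SPAN port) and flags what
a dynamic, unmonitored ARP table would silently accept.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds
    ip: str
    mac: str


@dataclass(frozen=True)
class Alert:
    ts: float
    kind: str    # inventory-mismatch | mac-changed | mac-claims-many-ips
    ip: str
    detail: str


@dataclass
class ArpMonitor:
    # Hypothetical engineering inventory: IP -> MAC that should answer for it.
    expected: Dict[str, str] = field(default_factory=dict)
    # One MAC answering for more than this many IPs is treated as suspicious.
    max_ips_per_mac: int = 2
    learned: Dict[str, str] = field(default_factory=dict)
    ips_by_mac: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, reply: ArpReply) -> List[Alert]:
        """Update state with one reply; return the alerts it triggered."""
        mac = reply.mac.lower()
        new: List[Alert] = []
        expected = self.expected.get(reply.ip)
        if expected is not None and expected.lower() != mac:
            new.append(Alert(reply.ts, "inventory-mismatch", reply.ip,
                             f"inventory says {expected.lower()}, reply from {mac}"))
        elif reply.ip in self.learned and self.learned[reply.ip] != mac:
            new.append(Alert(reply.ts, "mac-changed", reply.ip,
                             f"{self.learned[reply.ip]} -> {mac}"))
        self.learned[reply.ip] = mac
        grew = reply.ip not in self.ips_by_mac[mac]
        self.ips_by_mac[mac].add(reply.ip)
        # Alert only when the set grows, so a persistent claimant is not re-alerted per packet.
        if grew and len(self.ips_by_mac[mac]) > self.max_ips_per_mac:
            new.append(Alert(reply.ts, "mac-claims-many-ips", reply.ip,
                             f"{mac} now answers for {sorted(self.ips_by_mac[mac])}"))
        self.alerts.extend(new)
        return new


def parse_arp_line(line: str) -> ArpReply:
    ts, ip, mac = line.split()
    return ArpReply(float(ts), ip, mac)


def run_monitor(log_text: str, expected: Optional[Dict[str, str]] = None) -> List[Alert]:
    mon = ArpMonitor(expected=expected or {})
    for line in log_text.splitlines():
        if line.strip():
            mon.observe(parse_arp_line(line))
    return mon.alerts


# Constructed sample: gateway .1 and two HMIs, then a rogue device
# (de:ad:be:ef:00:01) starts answering for all three.
SAMPLE_ARP_LOG = """\
1000.0 10.10.1.5 00:11:22:33:44:55
1001.0 10.10.1.6 00:11:22:33:44:66
1002.0 10.10.1.1 00:11:22:33:44:01
1060.0 10.10.1.5 00:11:22:33:44:55
1061.0 10.10.1.1 de:ad:be:ef:00:01
1062.0 10.10.1.6 de:ad:be:ef:00:01
1063.0 10.10.1.5 de:ad:be:ef:00:01
"""

# Hypothetical inventory entry for the gateway only.
INVENTORY = {"10.10.1.1": "00:11:22:33:44:01"}

if __name__ == "__main__":
    for a in run_monitor(SAMPLE_ARP_LOG, INVENTORY):
        print(f"{a.ts:.0f} {a.kind:22} {a.ip:12} {a.detail}")
```

The inventory check fires on the first bad reply for the gateway even though the monitor had already learned the legitimate MAC, so a static allow-list for the handful of addresses that matter (gateway, historian, engineering workstation) gives a higher-confidence alert than the learned table alone; the learned table still catches devices nobody inventoried.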
    13. Cyber Incidents and Consequences
    14. Italian Traffic Lights
       Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system
       Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in a two-month period
       Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets
       Lessons learned:
       • Do not underestimate the insider threat
       • Ensure separation of duties and auditing
    15. Transportation – Road Signs
       Event: Jan 2009, Texas road signs compromised
       Impact: Motorists distracted and provided false information
       Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
       Lessons learned:
       • Use robust physical access controls
       • Change all default passwords
       • Work with manufacturers to identify and protect password reset procedures
    16. DaimlerChrysler
       Event: Aug 2005, Internet worms infect DaimlerChrysler's systems
       Impact: Workers were idle as infected Microsoft Windows systems were patched
       Specifics: A round of Internet worms knocked 13 of DaimlerChrysler's U.S. automobile manufacturing plants offline
       Recovery time: Manufacturing plants were offline for one hour
       Lessons learned:
       • Critical patches need to be applied
       • Provide adequate network segmentation between control and business networks
       • Place controls between segments to limit congestion and cascading effects
    17. Polish Trains
       Event: A Polish teenager modifies a TV remote and hacks the Lodz tram system
       Impact: 12 people injured, 4 derailments
       Specifics: The 14-year-old modified a TV remote control so that it could be used to change track points. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified the track setting for a prank.
       Lessons learned:
       • Do not rely on protocol obscurity for security
       • Apply appropriate access controls to all field devices
    18. Maroochy Waste Water
       Event: More than 750,000 gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds
       Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs
       Specifics:
       • SCADA system had 300 nodes (142 pumping stations) governing sewage and drinking water
       • Used OPC ActiveX controls, DNP3, and Modbus protocols
       • Used packet radio communications to RTUs
       • Used commercially available radios and stolen SCADA software to make a laptop appear as a pumping station
       • Caused as many as 46 different incidents over a 3-month period (Feb 9 to April 23)
       Lessons learned:
       • Suspend all access after terminations
       • Investigate anomalous system behavior
       • Secure radio and wireless transmissions
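Added example, not code from the deck, covering both the Lodz tram case (field devices accepting commands from anyone who can speak the protocol) and Maroochy (a laptop impersonating a pumping station with stolen SCADA software): in both, the protocol carries no authentication, so the practical control is to police which hosts may issue which commands and to alarm on everything else. The Python below parses Modbus/TCP request frames (the 7-byte MBAP header plus PDU, as the published Modbus/TCP specification lays them out) and audits them against an allow-list of masters and a smaller allow-list of hosts permitted to write. It generalizes the two incidents rather than reconstructing either; the IP addresses, allow-lists and captured frames are constructed.

```python
"""Modbus/TCP command audit (added example, not code from the DHS deck).

Parses request frames (7-byte MBAP header + PDU) and checks each against
an allow-list of masters and a smaller allow-list of hosts permitted to
write. Addresses, allow-lists and frames below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers",
                   22: "mask write register", 23: "read/write multiple registers"}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # start address for the common read/write codes
    value: Optional[int]     # value (fc 5/6) or quantity (fc 1-4, 15, 16)


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU; raise ValueError on anything malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} != {len(payload) - 6}")
    fc = payload[7]
    data = payload[8:]
    address = value = None
    if fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(data) >= 4:
        address, value = struct.unpack(">HH", data[:4])
    return ModbusRequest(txid, unit, fc, address, value)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    payload: bytes


def audit_modbus(flows: Iterable[Flow], masters: Set[str], write_masters: Set[str]) -> List[str]:
    """One finding per request that violates the allow-lists or fails to parse."""
    findings: List[str] = []
    for f in flows:
        where = f"{f.src_ip} -> {f.dst_ip}"
        try:
            req = parse_modbus_tcp(f.payload)
        except ValueError as err:
            findings.append(f"{where}: malformed Modbus frame ({err})")
            continue
        name = READ_FUNCTIONS.get(req.function) or WRITE_FUNCTIONS.get(req.function)
        if f.src_ip not in masters:
            findings.append(f"{where}: unknown master sent fc {req.function} "
                            f"({name or 'unlisted'}) to unit {req.unit_id}")
        elif req.function in WRITE_FUNCTIONS and f.src_ip not in write_masters:
            findings.append(f"{where}: read-only master attempted {name} at address {req.address}")
        elif name is None:
            findings.append(f"{where}: function code {req.function} outside the read/write allow-list")
    return findings


# Constructed traffic. 10.10.2.10 is an HMI (read only), 10.10.2.11 an
# engineering workstation (may write), 10.10.2.99 an unlisted laptop.
MASTERS = {"10.10.2.10", "10.10.2.11"}
WRITE_MASTERS = {"10.10.2.11"}
RTU = "10.10.3.21"
SAMPLE_FLOWS = [
    Flow("10.10.2.10", RTU, bytes.fromhex("000100000006010300000004")),        # fc3 read 4 regs: allowed
    Flow("10.10.2.10", RTU, bytes.fromhex("000200000006010600100001")),        # fc6 write from read-only HMI
    Flow("10.10.2.99", RTU, bytes.fromhex("000300000009011000200001020000")),  # fc16 from unlisted host
    Flow("10.10.2.11", RTU, bytes.fromhex("00040000000601050001ff00")),        # fc5 coil ON from EWS: allowed
    Flow("10.10.2.11", RTU, bytes.fromhex("000500000006010800010000")),        # fc8 diagnostics (restart comms)
    Flow("10.10.2.99", RTU, bytes.fromhex("00060000")),                        # truncated frame
]

if __name__ == "__main__":
    for line in audit_modbus(SAMPLE_FLOWS, MASTERS, WRITE_MASTERS):
        print(line)
```

Function code 8 (diagnostics) is deliberately left off both allow-lists: sub-function 1 restarts the slave's communications, which is a denial-of-service primitive against an RTU, so it is flagged even from a trusted engineering host. Malformed frames are reported rather than skipped because a frame whose MBAP length disagrees with its size is either a broken client or someone fuzzing the device.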
    19. Browns Ferry Power Plant
       Event: Aug 2006, two circulation pumps at Unit 3 of the nuclear power plant failed
       Impact: The unit had to be shut down manually
       Specifics: The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device
       Lessons learned:
       • Provide adequate network segmentation
       • Place controls on multiple segments to limit congestion and cascading effects
       • Provide active network monitoring tools
    20. Hatch Nuclear Power Plant
       Event: A software update caused the control system to initiate a plant shutdown
       Impact: The plant was shut down for 48 hours
       Recovery time: 48 hours
       Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs. There was full two-way communication between certain computers on the plant's corporate and control networks.
       Lessons learned:
       • Patch management policy must address testing requirements before integration in the production environment
       • IT and ICS staff must be aware of connectivity
    21. Davis Besse Nuclear Power Plant
       Event: Jan 25, 2003, Slammer worm infects plant
       Impact: Complete shutdown of the digital portion of the Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)
       Recovery time:
       • SPDS – 4 hours 50 minutes
       • PPC – 6 hours 9 minutes
       Specifics:
       • Worm started at a contractor's site
       • Worm jumped from the corporate to the plant network and found an unpatched server
       • Patch had been available for 6 months
       Lessons learned:
       • Secure remote (trusted) access channels
       • Ensure defense-in-depth strategies with appropriate procurement requirements
       • Critical patches need to be applied
    22. Olympic Pipeline Explosion
       Event: 16-inch gasoline pipeline explosion and fire, exacerbated by the inability of the SCADA system to perform control and monitoring functions
       Impact: 3 fatalities, property damage > $45M, matching fines of $7.86M against two companies
       Specifics:
       • Erroneous changes to the live historical database caused a critical slowdown in system responsiveness (evidenced by the sensor scan rate changing from a 3-second poll to over 6 minutes!)
       • The communication link between the main computer, field sensors, and controllers was a combination of leased phone lines and frame relay
       (Photo by David Willoughby, copyright Bellingham Herald)
       Lessons learned:
       • Identify controls to critical assets
       • Do not use administrative controls to solve system anomalies
       • Do not perform database updates on live systems
       • Apply appropriate security to remote access
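Added example, not code from the deck: the Olympic Pipeline finding that the poll interval stretched from 3 seconds to over 6 minutes is exactly the kind of degradation a historian can alarm on directly, before operators discover it by losing control. The Python below reads timestamped samples per point, compares each inter-sample gap to the configured scan rate, and also flags points that have gone silent by the time of the check, which a gap check alone would miss because a dead point produces no late sample. The historian export format, the tag names and the values are constructed.

```python
"""Scan-rate watchdog for SCADA polling (added example, not DHS code).

Reads 'ts,tag,value' samples (constructed historian-export format) and
alarms when the interval between successive samples of a point exceeds
a multiple of the configured scan rate, or when a point has gone silent
by the time of the check. Tag names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Sample = Tuple[float, str, float]   # (timestamp seconds, tag, value)


@dataclass(frozen=True)
class StaleAlert:
    tag: str
    ts: float      # when the lateness was detected
    gap: float     # seconds since the point's previous sample
    limit: float   # largest gap tolerated


def parse_samples(text: str) -> List[Sample]:
    out: List[Sample] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, tag, value = line.split(",")
        out.append((float(ts), tag, float(value)))
    return out


def check_scan_rate(samples: List[Sample], scan_rate_s: float,
                    tolerance: float = 3.0, now: Optional[float] = None) -> List[StaleAlert]:
    """Gap alerts in time order, then one alert per point still silent at 'now'."""
    limit = scan_rate_s * tolerance
    last_seen: Dict[str, float] = {}
    alerts: List[StaleAlert] = []
    for ts, tag, _ in sorted(samples, key=lambda s: s[0]):
        if tag in last_seen and ts - last_seen[tag] > limit:
            alerts.append(StaleAlert(tag, ts, ts - last_seen[tag], limit))
        last_seen[tag] = ts
    if now is not None:
        # A point that stopped reporting never produces a late sample; check it against the clock.
        for tag in sorted(last_seen):
            if now - last_seen[tag] > limit:
                alerts.append(StaleAlert(tag, now, now - last_seen[tag], limit))
    return alerts


def worst_gap(alerts: List[StaleAlert]) -> Optional[StaleAlert]:
    return max(alerts, key=lambda a: a.gap, default=None)


# Constructed: two points polled every 3 s, then a stall of about 6 minutes.
SAMPLE_HISTORIAN = """\
# ts,tag,value
0,PT_101,612.0
0,FT_202,41.2
3,PT_101,613.1
3,FT_202,41.0
6,PT_101,615.4
6,FT_202,40.9
9,PT_101,618.0
372,PT_101,690.3
375,FT_202,12.7
"""

if __name__ == "__main__":
    for a in check_scan_rate(parse_samples(SAMPLE_HISTORIAN), scan_rate_s=3.0, now=400.0):
        print(f"{a.tag}: gap {a.gap:.0f}s exceeds {a.limit:.0f}s at t={a.ts:.0f}")
```

The tolerance multiplier exists because a single missed poll on a radio or leased-line link is normal; three missed polls in a row is not. Run this from a host that is not the SCADA master itself, since the master is the component whose slowdown you are trying to detect.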
    23. Arizona Salt River Project
       Event: 1994, unauthorized access into the network of the Salt River Project water utility
       Impact: Estimated losses of $40,000, and lost productivity due to the compromise
       Specifics: A programmer and software developer, using a dial-up modem, was able to break into the SRP network with the intention of retrieving billing information. The compromised server monitored the water levels of canals in the Phoenix area. Accessed data included monitoring and delivery information for water and power processes, in addition to financial and customer data. Data exfiltrated or altered included login/password files and system log files.
       Lessons learned:
       • Provide adequate network segmentation
       • Place controls on another segment with no direct outside access
       • Provide active network monitoring tools
       • Ensure defense-in-depth strategies, firewalls & Intrusion Detection Systems
    24. Big Bang Experiment is Hacked
       Event: Sept 2008, computer hackers broke into the Large Hadron Collider and defaced one of the project websites
       Impact: "There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for the European Organization for Nuclear Research (also known as CERN)
       Specifics: Hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang. CERN expressed concern over what the hackers could do, as they were "one step away" from the computer control system.
       Lessons learned:
       • Provide adequate network segmentation
       • Place controls on another segment with no direct outside access
       • Provide active network monitoring tools
       • Ensure defense-in-depth strategies, firewalls & Intrusion Detection Systems
    25. Space Station – Air Gap Bridged
       Event: Aug 2008, viruses intended to steal passwords and send them to a remote server infected laptops in the International Space Station (again)
       Impact: Created a "nuisance" to non-critical space station laptops
       Specifics: The virus did make it onto more than one laptop, suggesting that it spread via some sort of intranet on the space station or via a thumb drive.
       Lessons learned:
       • Due to the human factor there is no true air gap; for example, thumb drives, laptop connections, modems, VPN, CD/DVD, etc.
    26. Highlights
       • Control system security can no longer hide behind proprietary configurations and special training (security by obscurity)
       • Control systems are no longer isolated systems that require special skills; open systems and protocols
       • Control systems are no longer isolated from corporate and other networks
       • Hackers are smart, and the prevalence of information available via the Internet makes attacking control systems easier
       • Control systems are migrating away from their traditional shared and unrestricted configurations to more secure ones
    27. Functional Areas
       • ICS analysis and informational products
       • Training: instructor-led and web-based
       • Subject matter expertise support
       • Standards support
       • ICS assessments: on site / Control Systems Analysis Center (CSAC); interviewing control system operators, engineers, and IT staff on configuration and use; "table top" review of network and security (firewalls, IDS/IPS, etc.)
       • R&D gap analysis
       • Sector agency support: Government Coordinating Council; Sector Coordinating Council
    28. ICS-CERT
       • CSAC analysis shared across all sectors through products and trainings
       • Mitigate vulnerabilities in partnership with vendors; vulnerabilities patched by vendors
       • CSSP web site links US-CERT control systems "Vulnerability Notes"
       • Vulnerability reports submitted via the US-CERT web site and entered into the National Vulnerability Database (NVD)
       • PCII is an information-protection tool that facilitates private sector information sharing with the government
    29. Cyber Security Self Assessment Tools
       • Assessment covers policy, plans and procedures in 10 categories
       • Creates a baseline security posture
       • Provides recommended solutions to improve security posture
       • Standards-specific reports (e.g. NERC CIP, DOD 8500.2, NIST SP 800-53)
    30. Recommended Practices for Cyber Forensics for Control Systems
       • Addresses the issues encountered in developing and maintaining a cyber forensics plan
       • Supports forensic practitioners in creating a control systems forensics plan
       • Assumes evidentiary data collection and preservation using forensic best practices
       • Provides users with the appropriate foundation
    31. Control Systems Security Publications
       • Procurement language: new SCADA / control systems; legacy systems; maintenance contracts
       • Patch management: network integration of control systems; differences in patch deployment; reliable patch information; embedded commercial off-the-shelf packages
    32. Standards Improvement. Collaborations to evolve national and international standards for control system security:
       • DHS Control System Security Program (CSSP)
       • DOE National SCADA Test Bed (NSTB)
       • Instrumentation, Systems, and Automation (ISA)
       • National Institute of Standards and Technology (NIST)
       • International Electrotechnical Commission (IEC)
    33. Education & Training
       Web-based training:
       • "Cyber Security for Control Systems Engineers and Operators"
       • "Operational Security (OPSEC) for Control Systems" (IOSS first place award)
       Instructor-led courses:
       • Cyber Security Who Needs It?
       • Control Systems Security for Managers
       • Solutions for Process Control Security
       • Introduction to Control Systems Security for the Information Technology Professionals
       • Intermediate Control Systems Security
       • Cyber Security Advanced Training and Workshop
    34. Industrial Control Systems Partnerships
       • Industrial Control Systems Joint Working Group (ICS-JWG) formed under the National Infrastructure Protection Plan framework to engage government and private sector control systems stakeholders
       • Private Sector Council
       • Government Council
       • Vendor Council
       • International Community
    35. Cyber Security is a Shared Responsibility. Report cyber incidents and vulnerabilities at www.us-cert.gov, by email to soc@us-cert.gov or ics.cert@dhs.gov, or by calling 888-282-0870. Get more information at www.us-cert.gov/control_systems
    36. Partnerships – Industry
    37. Definition - Industrial Control System. The term Industrial Control System (ICS) refers to a broad set of control systems, which include:
       • SCADA (Supervisory Control and Data Acquisition)
       • DCS (Distributed Control System)
       • PCS (Process Control System)
       • EMS (Energy Management System)
       • AS (Automation System)
       • SIS (Safety Instrumented System)
       • Any other automated control system
    38. Los Angeles Traffic Lights
       Event: Aug 21, 2006, disgruntled traffic engineer hacked into the city's traffic control computer
       Impact: Shut down traffic signals at four critical points in the road network, causing crippling delays
       Recovery time: Four days until return to normal operations
       Specifics: Thought to have been part of a pay-bargaining dispute between employers and the Engineers and Architects Association
       Lessons learned:
       • Do not underestimate the insider threat
       • Ensure separation of duties and auditing
       • Change passwords regularly
    39. Texas City Explosion, 3/23/05
       Event: An explosion occurred during the restart of a hydrocarbon isomerization unit
       Impact: 15 workers killed, 180 injured
       Specifics: At approximately 1:20 p.m. on March 23, 2005, a series of explosions occurred at the BP Texas City refinery during the restarting of a hydrocarbon isomerization unit. Fifteen workers were killed and 180 others were injured. The explosions occurred when a distillation tower flooded with hydrocarbons and was over-pressurized, causing a geyser-like release from the vent stack.
       Lessons learned:
       • Key alarms, indicators, and control logic must be protected from cyber subversion
    40. CSX Train Signaling System
       Event: Aug 2003, Sobig computer virus was blamed for shutting down train signaling systems
       Impact: The virus infected the computer system at CSX Corporation's Jacksonville, Florida, headquarters, shutting down signaling, dispatching, and other systems
       Recovery time: Train service was shut down or delayed for six hours
       Specifics: Ten Amtrak trains were affected
       Lessons learned:
       • Critical patches and anti-virus need to be applied and updated regularly
       • Defense-in-depth strategies, firewalls
       • Isolate control networks from corporate networks
    41. Taum Sauk Water Storage Dam Failure
       Event: Dec 2005, dam suffered a catastrophic failure
       Impact: A billion gallons of water released 100 miles south of St. Louis, Missouri
       Specifics: Malfunction in gauges affected the automated monitoring system
       Recovery time: Replacement dam scheduled for completion in the fall of 2009
       Lessons learned:
       • Calibrate instrumentation regularly
       • Add fail-safe redundancy to critical safety systems
       • Update contingency plans
    42. Recommended Practices
       • Control Systems Cyber Security Defense in Depth Strategies
       • Creating Cyber Forensics Plans for Control Systems
       • Good Practice Guide on Firewall Deployment
       • Hardening Guidelines for OPC Hosts
       • Mitigations for Security Vulnerabilities Found in Control System Networks
       • Recommended Practice for Patch Management of Control Systems
       • Securing Control System Modems
       • Securing WLANs Using 802.11i
       • Securing ZigBee Wireless Networks in Process Control System Environments
       • Using Operational Security (OPSEC) to Support a Cyber Security Culture in Control Systems Environments
       http://csrp.inl.gov/Recommended_Practices.html
    43. Significance of ICS
       • Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system
       • Control systems are migrating away from their traditional shared and unrestricted configurations to more secure ones
       • Currently, a cyber attack on Industrial Control Systems is one of the only ways to induce real-world physical actions from the cyber realm
    44. Industrial Control Systems
       • Programmable Logic Controller (PLC) based systems
       • Ties back to integrated systems
       • Can control critical systems
       • Usually remote systems
       • Example systems: railcar loading/unloading; chemical loading/unloading; water treatment; conveyor/shipping; hazardous materials storage/filtering
    45. Harrisburg Pennsylvania Water System
       Event: Oct 2006, foreign hacker penetrated security at a water filtering plant
       Impact: The intruder planted malicious software that was capable of affecting the plant's water treatment operations
       Specifics: The infection occurred through the Internet and did not seem to be an attack that directly targeted the control system
       Lessons learned:
       • Secure remote computers
       • Defense-in-depth strategies, firewalls & Intrusion Detection Systems
       • Critical patches and anti-virus need to be applied and updated regularly
