1. Cyber Security in Power Systems
Matus Korman
Industrial information and control systems, KTH ROYAL INSTITUTE OF TECHNOLOGY
<matusk@ics.kth.se>
www.ics.kth.se
Image source: zdnet.com
3. Example consequences: US Northeast blackout (2003)
Cause: a software defect in a control room.
Restoration: some customers after 6 hours, some after 2 days, some remote places after nearly a week.
Consequences (among others):
• 45M people in 8 US states
• 10M people in Canada
• Healthcare facilities experienced $100M lost revenue
• 6 hospitals bankrupt one year after
Source: Wikipedia
6. Outline
1. Background (IT-security)
2. Attackers, threats
3. Vulnerabilities in power systems
4. Solutions for securing power systems
5. Standards & guidelines, where to look further
8. Actually more than that… it takes the whole lifecycle
… of technical systems:
Requirements identification and specification
Design and analysis
Development and verification (testing)
Operation and maintenance (changing, upgrading etc.)
Disposal
… and of organizations (socio-technical systems, work systems)
9. What parts does cyber security relate to?
Pretty much all the layers, domains and zones of the Smart Grid Architecture Model (CEN-CENELEC-ETSI Smart Grid Coordination Group: Smart Grid Information Security).
Ensuring security of the power delivery is a concern on the business layer, and that layer is dependent on roughly everything else in the picture.
12. Outline (repeated; section 2, Attackers and threats, follows)
14. Outline (repeated; section 3, Vulnerabilities in power systems, follows)
15. In information technology…
… vulnerabilities are all around
• Due to complexity… multiple layers, interdependencies:
• From physical signals and processing in hardware
(the chips, processors with all their registers and
how they work)
• Through operating system level
(e.g., Windows/Linux/VxWorks/… kernel)
• Through numerous levels of libraries/APIs
+ networking (distributed computing)
(e.g., system libraries like libc… all the way up)
• To user/application level
(e.g., file transfer, bus protection logic, …)
• Additional considerations: virtualization, cloud… are coming into ICS, too.
16. Why ICS are vulnerable
Systems are traditionally designed and tested to:
– Work in ideal conditions (functionality)
– Work even under different expected variation in the
process environment (field-robustness – ”rugged”)
– To some extent work under cyber-noise
(e.g., higher network load, patching of systems,
network scanning etc.)
However, they increasingly need to:
– Resist sophisticated attacks from intelligent and
capable threat agents (cyber-security)
17. Why ICS are vulnerable… cont’d
Convergence between ICS and general IT:
• General IT technology is increasingly used in ICS
(IP networks, Windows, Linux, wireless, web-based
systems … all well known, and all well compromised)
• Connections between the process network and other
networks tend to be poorly secured
• A variety of data flows between networks, using
various protocols (including old, proprietary, insecure
ones)
• Sometimes unprotected control system components
(IEDs, RTUs, etc.), left open for flexible access by technical
personnel, consultants/contractors…
Physically and logically distributed environments
=> more difficult to secure
18. Different levels of vulnerabilities
System/component design:
• SCADA-software, HMI and workstation operating systems
(Windows, Linux), other systems;
• PLC, RTU, IED, switches, routers…
Network design:
• ICS-network (process network) + its connection to the office
network (and other networks);
• Application services running on machines in the ICS-network;
• Configuration of IT-security protection in the network
(firewalls, IDS/IPS, configuration of operating systems)…
Organization, people and operations:
• Security policy and security culture in the organization;
• How people carry out different technical operations;
• Which devices may be used in the ICS network
(personal computers also used for private web browsing, USB sticks, etc.);
19. Common vulnerabilities in ICS
Documentation and processes:
• Lack of formal documentation
• Lacking change management process
• Lacking security policy and security culture (awareness, attitudes etc.)
Access control:
• Lacking access control (which user/role has access where, when, how, etc.)
• Vulnerable handling of authentication data (e.g., passwords)
• Over-privileged accounts, old accounts, etc.
Network design and state of systems hosted there:
• Vulnerable network design, insufficient protection of networks
(e.g., unnecessarily broad exposure of systems and data traffic in a network,
insufficient separation between process networks, office networks, outside Internet…)
• Outdated systems, active modems/VPNs with poor authentication...
Security countermeasures
(e.g., firewalls, IDS/IPS, configuration, security operations):
• Weak network protection (firewall restrictions such as which ports, which IP ranges,
what intensity of communication, etc.)
• Lacking security reviews and accountability
• Vulnerable system configuration, such as unnecessary services and software
installed and even running
20. How an attack can take place…
A network can be penetrated e.g.:
• Directly: an attacker gets into a network from outside (e.g., by obtaining
an IP address of their own in there, ARP-spoofing some other machine, …)
• Indirectly: an attacker exploits the fact that personnel browse the Internet, read e-mail, etc.,
in order to infect the personnel’s machine(s), and then attacks further and deeper
• Social engineering: an attacker tricks personnel into doing something compromising (e.g.,
giving away a username, password etc.) by pretending to be a legitimate
person, commonly in an urgent situation (e.g., a technician who quickly needs some
non-standard help to prevent a major failure/incident from happening…)
Software can be compromised through (a single data flow can be enough) e.g.:
• Known vulnerabilities (on outdated systems) – statistically frequent and often
unnecessary. Anyone who can obtain an exploit can fire it at the system.
• Zero-day vulnerabilities (0-days, not yet publicly known) – the majority are not caught
even by advanced, expensive, collaborative security solutions (NGIPS). Luckily,
usable 0-day exploits are very expensive to buy (e.g., on the black market) and very
demanding to find and develop on one’s own for generic software.
There are different types of attacks, e.g.:
• DoS (Denial of Service), DDoS (distributed DoS) – sabotage that blocks, saturates,
locks up or takes down systems/functions so that they are no longer available
(temporarily or permanently)
• MITM (Man-In-The-Middle) – hidden manipulation of data communication…
• Intrusion – leads to illegitimate control over a system or a part of it, which can then
lead to modification/sabotage, mapping/espionage, etc…
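Of the penetration routes listed above, ARP spoofing (and the MITM it enables) is the one that leaves the most visible trace on the local segment, so it is a good first detection to run on a process network. The Python block below is an added example, not code from the slides: it replays constructed ARP reply records of the kind a passive sniffer or arpwatch would log and reports (a) replies that contradict the first-seen or configured IP-to-MAC mapping, (b) an IP whose MAC changes within a short window, which is what a gateway fighting an attacker for its own address looks like, and (c) a single MAC answering for several IPs, the signature of an attacker sitting between two hosts. The addresses, timestamps and window length are assumptions invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start
    ip: str     # sender protocol address: "I am <ip> ..."
    mac: str    # sender hardware address: "... at <mac>"


# Constructed sample (assumed addresses, not from the slides): 10.10.0.1 is the
# segment gateway with MAC ...:01 and 10.10.0.20 is the HMI with MAC ...:20.
# From t=30 a host with MAC ...:99 starts answering for both of them, the
# classic two-sided poisoning that puts the attacker between HMI and gateway.
SAMPLE_REPLIES = [
    ArpReply(0.0,  "10.10.0.1",  "00:11:22:33:44:01"),
    ArpReply(1.0,  "10.10.0.20", "00:11:22:33:44:20"),
    ArpReply(2.0,  "10.10.0.31", "00:11:22:33:44:31"),
    ArpReply(30.0, "10.10.0.1",  "00:11:22:33:44:99"),
    ArpReply(30.5, "10.10.0.20", "00:11:22:33:44:99"),
    ArpReply(31.0, "10.10.0.1",  "00:11:22:33:44:01"),   # real gateway re-asserts itself
    ArpReply(32.0, "10.10.0.1",  "00:11:22:33:44:99"),   # attacker re-poisons
]


def detect_arp_spoofing(replies, window=60.0, known=None):
    """Return findings over a list of ArpReply records.

    known:  optional authoritative {ip: mac} map (e.g. from switch or DHCP
            configuration). Without it the first mapping seen per IP is trusted.
    window: seconds within which an IP changing its MAC counts as a flap.
    """
    findings = {"contradictions": [], "flaps": [], "multi_ip_macs": {}}
    baseline = dict(known or {})
    history = defaultdict(list)      # ip  -> [(ts, mac), ...] in time order
    mac_to_ips = defaultdict(set)    # mac -> {ip, ...}

    for r in sorted(replies, key=lambda x: x.ts):
        history[r.ip].append((r.ts, r.mac))
        mac_to_ips[r.mac].add(r.ip)
        expected = baseline.setdefault(r.ip, r.mac)
        if r.mac != expected:
            findings["contradictions"].append((r.ts, r.ip, r.mac, expected))

    # An IP whose MAC changes inside the window: a real host and an attacker
    # fighting over the same address (the flapping is itself the tell).
    for ip, seen in history.items():
        for (t1, m1), (t2, m2) in zip(seen, seen[1:]):
            if m1 != m2 and t2 - t1 <= window:
                findings["flaps"].append((ip, m1, m2, t2 - t1))

    # One MAC claiming several IPs: attacker in the middle of both endpoints.
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            findings["multi_ip_macs"][mac] = sorted(ips)

    return findings


if __name__ == "__main__":
    for kind, items in detect_arp_spoofing(SAMPLE_REPLIES).items():
        print(kind, items)
```

In a real deployment the baseline should come from the switch or DHCP configuration rather than from the first packet seen (an attacker who is already present when monitoring starts would otherwise become the baseline); the `known` argument is there for that.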
21. Identifying potential victim devices…
Shodan – it’s like Google, just for devices with public access:
https://www.shodan.io/
It’s a computer search engine. Partially free of charge.
Helps people to find webcams, fridges, RTUs, etc…
… according to country, ports/services,
organizations, operating systems,
installed software packages…
22. Outline (repeated; section 4, Solutions for securing power systems, follows)
24. How to secure ICS environments?
Identify and eliminate greatest security holes
Harden systems and networks
(get rid of unused functionality, unused software installed on machines,
unnecessarily open ports; harden your systems configuration, etc. etc.)
The goal of all this is to:
Constrain the possibilities and maneuvering space of the attacker(s),
and so make their work as difficult, expensive and risky as possible.
Scan for vulnerabilities, do penetration tests as applicable
(e.g., ICS test beds, typically not on-site, as things could break…)
… to measure security
Establish a systematic, formal work with IT security
– Risk analyses and risk treatment – there are risk analysis methods
– Reviews and log analyses
– Analysis of in- and outgoing network traffic (e.g. Netflow)
– Updates + other security maintenance
– Education and training of personnel
… etc.
25. Example countermeasures… just a few
• Network segmentation and DMZs between networks
• Firewalls
• Access control to systems, plus:
• Reasonably strong passwords
• Smart cards (eventually)
• Connection tracking and network access control
• Blacklisting
• Whitelisting
• Intrusion detection
(both based on signatures and models of normal behavior)
• Honeypots / honeynets
The following document gives a very good overview of the different realistic security
controls to consider – ”The Critical Security Controls for Effective Cyber Defense” by
Council on Cyber Security:
https://www.sans.org/critical-security-controls
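Two of the measures above, analysis of in- and outgoing network traffic (slide 24) and whitelisting combined with firewall-style restrictions on ports, address ranges and communication intensity (slides 19 and 25), can be prototyped over NetFlow-style records before any appliance is bought. The Python block below is an added example, not from the slides or any product: it applies a constructed flow whitelist and a constructed packet-count baseline to constructed flow records from one collection interval and reports process-network hosts talking to addresses outside all known internal ranges, flows that match no whitelist entry, and permitted flows whose packet count is far above baseline. The address plan, port list, baseline numbers and flow records are all assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan for the example (not from the slides).
PROCESS = ipaddress.ip_network("10.10.0.0/24")   # process / ICS network
DMZ = ipaddress.ip_network("10.30.0.0/24")       # ICS DMZ, hosts the historian
OFFICE = ipaddress.ip_network("10.20.0.0/16")    # office network
INTERNAL = (PROCESS, DMZ, OFFICE)
HMI = ipaddress.ip_network("10.10.0.20/32")      # the only host allowed to poll field devices

# Whitelist of permitted flows: (source net, destination net, destination port).
# 502 = Modbus/TCP, 20000 = DNP3, 1433 = historian pulling from the HMI database,
# 443 = office users reading the historian's web UI. Everything else is unlisted.
ALLOWED = [
    (HMI, PROCESS, 502),
    (HMI, PROCESS, 20000),
    (DMZ, HMI, 1433),
    (OFFICE, DMZ, 443),
]

# Constructed packet counts per flow from a quiet reference interval.
BASELINE_PACKETS = {
    ("10.10.0.20", "10.10.0.31", 502): 200,
    ("10.10.0.20", "10.10.0.32", 502): 200,
    ("10.10.0.20", "10.10.0.33", 502): 200,
    ("10.30.0.5", "10.10.0.20", 1433): 500,
}

# Constructed NetFlow-style records for one collection interval.
SAMPLE_FLOWS = [
    {"src": "10.10.0.20", "dst": "10.10.0.31", "dport": 502, "packets": 180},
    {"src": "10.10.0.20", "dst": "10.10.0.32", "dport": 502, "packets": 190},
    {"src": "10.30.0.5", "dst": "10.10.0.20", "dport": 1433, "packets": 400},
    {"src": "10.20.1.15", "dst": "10.30.0.5", "dport": 443, "packets": 50},
    {"src": "10.20.1.15", "dst": "10.10.0.31", "dport": 502, "packets": 12},    # office PC speaking Modbus straight to a PLC
    {"src": "10.10.0.31", "dst": "203.0.113.7", "dport": 443, "packets": 20},   # PLC talking to an address outside every internal range
    {"src": "10.10.0.77", "dst": "10.10.0.31", "dport": 502, "packets": 3000},  # unknown process-net host polling a PLC
    {"src": "10.10.0.20", "dst": "10.10.0.33", "dport": 502, "packets": 4500},  # permitted pair, but far above its baseline
]


def is_internal(ip):
    """True if the address falls inside one of the known internal ranges."""
    return any(ip in net for net in INTERNAL)


def flow_allowed(src, dst, dport):
    """True if (src, dst, dport) matches some whitelist entry; src/dst are strings."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in s_net and d in d_net and dport == port
               for s_net, d_net, port in ALLOWED)


def analyse_flows(flows, baseline=BASELINE_PACKETS, factor=10.0):
    """Classify flow records; returns a dict of findings keyed by category."""
    findings = {"external_egress": [], "not_whitelisted": [], "intensity": []}
    packets_per_flow = defaultdict(int)

    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        packets_per_flow[key] += f["packets"]
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in PROCESS and not is_internal(dst):
            findings["external_egress"].append(key)       # field device reaching out
        elif not flow_allowed(f["src"], f["dst"], f["dport"]):
            findings["not_whitelisted"].append(key)       # violates the segmentation policy

    # Permitted flows can still be abused: compare volume with the reference period.
    for key, pkts in packets_per_flow.items():
        ref = baseline.get(key)
        if ref and pkts > factor * ref:
            findings["intensity"].append((key, round(pkts / ref, 1)))

    return findings


if __name__ == "__main__":
    for category, items in analyse_flows(SAMPLE_FLOWS).items():
        print(category)
        for item in items:
            print("   ", item)
```

The whitelist is deliberately written as (source range, destination range, port) rather than as a list of bad ports: in a process network the legitimate conversations are few and stable, so allow-listing them and reporting everything else is both simpler and stricter than blacklisting, and the same table can be turned directly into firewall rules between the zones.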
26. Outline (repeated; section 5, Standards & guidelines, follows)
27. Cyber security standards and guidelines
General IT security:
• ISO/IEC 27000-series (27001, 27002, 27005…)
Security in industrial control systems:
• NIST SP 800-82 (rev. 2):
Guide to Industrial Control Systems (ICS) Security
• IEC 62351 – for communication protocols
• NIST Framework for Improving Critical Infrastructure
Cybersecurity
• NERC CIP (Critical Infrastructure Protection)
Security in power systems (specifically):
• NISTIR 7628 (rev. 1): Guidelines for Smart Grid Cyber
Security
28. Where to look further
• Industrial Control Systems
Computer Emergency Response Team (ICS-CERT):
https://ics-cert.us-cert.gov/
https://ics-cert.us-cert.gov/Standards-and-References
• EU Agency for Network and Information Security (ENISA):
https://www.enisa.europa.eu/
https://www.enisa.europa.eu/topics/critical-information-
infrastructures-and-services/scada
• Critical Security Controls (by Center for Internet Security):
https://www.cisecurity.org/critical-controls.cfm
• SCADAHacker forum (by Joel Langill):
https://scadahacker.com/
29. Great books
Highly topic-relevant:
Eric D. Knapp & Joel Thomas Langill (2015):
Industrial Network Security:
Securing Critical Infrastructure Networks for Smart Grid,
SCADA, and Other Industrial Control Systems
A good book about information security (general):
John R. Vacca (2013):
Computer and Information Security Handbook
(second edition)
30. Books with highly applied, practical focus
Tyson Macaulay & Bryan Singer (2012):
Cybersecurity for Industrial Control Systems
Ralph Langner (2012):
Robust Control System Networks