Uploaded byfajjarrehman
PPT, PDF73 views

Power Grid Communications & Control Systems

This document discusses cyber security issues related to industrial control systems (ICS) and securing control systems. It provides an overview of ICS types, historical context, technology trends incorporating more commercial off-the-shelf components and connectivity. This introduces security risks like worms, viruses, unauthorized access. Specific risks are examined like denial of service attacks, fragile devices, unpatched systems, poor authentication. The document outlines defense strategies like perimeter protection, interior security, monitoring and outlines how an attack could progress if not properly defended. It emphasizes separating control networks and hardening connections to frustrate opportunities for attackers.

Embed presentation

Download to read offline
Cyber Security Solutions For <Client Name> Cyber Security for the Power Grid: Cyber Security Issues & Securing Control Systems Andrew Wright CTO, N-Dimension andrew.wright@n-dimension.com ACM CCS Conference Tutorial Nov. 2009
Power Grid Communications & Control Systems borrowed from NIST Smart Grid Twiki Internet Control Systems
Agenda • High-Level – Industrial Control Systems and Cyber Security Issues – Securing Control Systems • Detailed – Security Issues in Industrial Control Systems – Today’s Threats – Securing Control Systems
A Control System Sensor(s) + Actuator(s) + Controller(s)
Types of Industrial Control Systems (ICS) Supervisory Control And Data Acquisition (SCADA) Automation Process Control Systems (PCS) Distributed Control Systems (DCS)
Historical ICS • Proprietary • Complete vertical solutions • Customized • Specialized communications – Wired, fiber, microwave, dialup, serial, etc. – 100s of different protocols – Slow; e.g. 1200 baud • Long service lifetimes: 15–20 years • Not designed with security in mind
Third Party Controllers, Servers, etc. Serial, OPC or Fieldbus Engineering Workplace Device Network Firewall Services Network Third Party Application Server Application Server Historian Server Workplaces Enterprise Optimization Suite Mobile Operator Connectivity Server Control Network Redundant Enterprise Network Serial RS485 Modern ICS Trends IP Internet Enterprise Network
Technology Trends in ICS • COTS (Commercial-Off-The-Shelf) technologies – Operating systems—Windows, WinCE, embedded RTOSes – Applications—Databases, web servers, web browsers, etc. – IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc. – Networking equipment—switches, routers, firewalls, etc. • Connectivity of ICS to enterprise LAN – Improved business visibility, business process efficiency – Remote access to control center and field devices • IP Networking – Common in higher level networks, gaining in lower levels – Many legacy protocols wrapped in TCP or UDP – Most new industrial devices have Ethernet ports – Most new ICS architectures are IP-based
New IP-Based Industrial Control Systems • ODVA (Rockwell) • Profinet • Foundation Fieldbus HSE • Telvent • ABB 800xA • Honeywell Experion • Emerson DeltaV • Yokogawa VNET/IP • Invensys Infusion • Survalent • IP to the Control Network or even Device Network • Not all are fully compatible with “ordinary IP”
Security Risks to Modern ICS • COTS + IP + connectivity = many security risks • All of those of Enterprise networks and more Worms and Viruses Legacy OSes and applications DOS and DDOS impairing availability Inability to limit access Unauthorized access Inability to revoke access Unknown access Unexamined system logs Unpatched systems Accidental misconfiguration Little or no use of anti-virus Improperly secured devices Limited use of host-based firewalls Improperly secured wireless Improper use of ICS workstations Unencrypted links to remote sites Unauthorized applications Passwords sent in clear text Unnecessary applications Default passwords Open FTP, Telnet, SNMP, HTML ports Password management problems Fragile control devices Default OS security configurations Network scans by IT staff Unpatched routers / switches
When ICS Security Fails • Loss of production • Penalties • Lawsuits • Loss of public trust • Loss of market value • Physical damage • Environmental damage • Injury • Loss of life • USSR pipeline explosion, 1982 • Bellingham pipeline rupture, 1999 • Queensland sewage release, 2000 • Davis Besse nuclear plant infection, 2003 • Northeast USA blackout, 2003 • Browns Ferry nuclear plant scram, 2006 $$$.$$
ACM CCS Tutorial Nov. 2009 So How Do We Secure Industrial Control Systems?
There is No Silver Bullet! No Silver Bullet!
Defense in Depth • Perimeter Protection – Firewall, IPS, VPN, AV – Host IDS, Host AV – DMZ • Interior Security – Firewall, IDS, VPN, AV – Host IDS, Host AV – IEEE P1711 (AGA 12) – NAC – Scanning • Monitoring • Management IDS Intrusion Detection System IPS Intrusion Prevention System DMZ DeMilitarized Zone VPN Virtual Private Network (cryptographic) AV Anti-Virus (anti-malware) NAC Network Admission Control
Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
ACM CCS Tutorial Nov. 2009 Security Issues in Industrial Control Systems
Availability, Integrity and Confidentiality • Enterprise networks require C-I-A – Confidentiality of intellectual property matters most • ICS requires A-I-C – Availability and integrity of control matters most – control data has low entropy—little need for confidentiality – Many ICS vendors provide six 9’s of availability • Ensuring availability is hard – Cryptography does not help (directly) – DOS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high MTBF • Security must not reduce availability!
DoS and DDoS Attacks • Denial of Service (DoS) attack overwhelms a system with too many packets/requests – Exhausts TCP stack or application resources – Defenses include connection limits in firewall • Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system – No single point of attack – Requires sophisticated, coordinated defenses – Weapon of choice for hackers, hacktivists, cyber-extortionists • DoS, DDoS particularly effective when Availability is critical, i.e. against ICS
Fragile ICS Devices • Many IP stack implementations are fragile – Some devices lockup on ping sweep or NMAP scan – Numerous incidents of ICS shut down by uninformed IT staff running a well-intentioned vulnerability scan • Modern ICS devices are much more complex – Some IEDs include web server for configuration and status – More lines of code leads to more bugs – Modern IEDs require patching just like servers
Unpatched Systems • Many ICS systems are not patched current – Particularly Windows servers – No patches available for older versions of windows • OS and application patches can break ICS – OS patches are tested for enterprise apps • Uncertified patches can invalidate warranty • Patching often requires system reboot • Before installation of a patch: – Vendor certification—typically one week – Lab testing by operator – Staged deployment on less critical systems first – Avoid interrupting any critical process phases
Limited use of Host Anti-Virus • AV operations can cause significant system disruption at inopportune times – 3am is no better than any other time for a full disk scan on a system that operates 24x7x365 • ICS vendors only beginning to support anti-virus – Anti-virus is only as good as the signature set – Signatures may require testing just like patches • AV may be losing ground in enterprise deployments – impact on hosts, endpoint security not getting better – virus writers have learned to test against dominant AV • application whitelisting can be a good alternative – enumerate goodness rather than badness
Poor Authentication and Authorization • Machine-to-machine comms involve no “user” • Many ICS have poor authentication mechanisms and very limited authorization mechanisms • Many protocols use cleartext passwords • Many ICS devices lack crypto support • Sometimes passwords left at vendor default • Device passwords are hard to manage appropriately – Often one password is shared amongst all devices and all users and seldom if ever changed – This is happening AGAIN in Smart Meter deployments!
Poor Audit and Logging • Many ICS have poor or non-existent support for logging security-related actions – Attempted or successful intrusions may go unnoticed • Where IDS logs are kept, they are often not reviewed • Various regulatory requirements are driving some change in this area – NERC—North American Electric Reliability Corporation – FERC—Federal Energy Regulatory Commission – Sarbanes Oxley and PCAOB (Public Company Accounting Oversight Board) – FISMA—Federal Information Security Management Act
Unmanned Field Sites • Many unmanned field sites • Many with dialup access • Some with high-speed connectivity to control center • Most with poor authentication and authorization backdoor to the control center!
Legacy Equipment • Much legacy equipment • Usually impossible to update to add security features • Difficult to protect legacy communications – but see IEEE P1711 for serial encryption • Password protection is weak • Little or no audit and logging
Unauthorized Applications • Unauthorized apps installed on ICS systems can interfere with ICS operation • Many types of unauthorized apps have been found during security audits – Instant messaging – P2P file sharing – DVD and MPEG video players – Games, including Internet-based – Web browsers
Inappropriate Use of ICS Desktops • Web browsing from HMI can infect ICS – Browser vulnerabilities – Downloads – Cross-site scripting – Spyware • Email to/from control servers can infect ICS – Sendmail and outlook vulnerabilities • Disk storage exhaustion can crash OS – Storage of music, videos
Little or No Cyber Security Monitoring • internal monitoring is essential to detect low profile compromises – IDS – port scanning – vulnerability scanning – system audit • without internal monitoring don’t know whether systems have been compromised
Requirement for 3rd Party Access • Firmware updates and PLC, IED programming are sometimes done by vendor – Many ICS have open maintenance ports – Infected vendor laptops can bring down ICS • Partners may require continuous status information – Partner access is often poorly secured – Partner channels can serve as backdoors • 3rd parties may include: – ISO, transmission provider or grid neighbor, equipment vendor, emissions monitoring service or agency, water level monitoring agency, vibration monitoring service, etc.
People Issues • ICS network often managed by “Control Systems Department”, distinct from “IT Department” running enterprise network – ICS personnel are not IT or networking experts – IT personnel are not ICS experts • Majority of control systems workforce is older and nearing retirement – Few young people entering this field – Few academic programs
Harsh Environments • Temperature • Vibration • Dust • Humidity • Electrical Transients
Attack Vectors into Control Systems Includes Infected Laptops and Is Growing Source: 2003–2006 data from Eric Byres, BCIT
Security Assessments on ICS • Various groups perform security assessments and penetration tests on ICS (generally under NDA) – Idaho National Labs – Sandia National Labs – N-Dimension Solutions – Other private organizations • Vulnerability assessments always uncover problems • For penetration tests, we always get in – Not a question of “if”, but “how long”
Other Issues • Unusual physical topologies • Many special purpose, limited function devices • Static network configurations • Multicast • Long service lifetimes
For More Information ... • See Smart Grid Cyber Security Strategy and Requirements, NISTIR 7628, www.nist.gov/smartgrid – particularly Appendices C and D
ACM CCS Tutorial Nov. 2009 Today’s Threats
Hiroshima, 2.0 – Cyberspying of the US Electric Grid (April 09) Cyberspies penetrate electrical grid (April 09) 'Smart Grid' vulnerable to hackers (March 09) CIA: Hackers Have Attacked Foreign Utilities (Jan 2008) President Obama: securing the electric infrastructure is a national security priority (June 09) Smart Grid Security Frenzy: Cyber War Games, Worms and Spies in Smart Grid (June 09) earth2tech.com Intense Media Visibility on the Cyber Security Issue
Limited Information About Incidents • Little information sharing about actual attacks – BCIT incident database has about 30 incidents per year vs. 100s of thousands of incidents per year in CERT database – Few cyber attacks on ICS for which details are public • Little information sharing about actual vulnerabilities – some are not easily or rapidly fixed – assessments are done under NDA • Difficult to estimate risk – Difficult to demonstrate ROI for security spending • But… lots of data about significant financial losses in enterprise and e-commerce – Why would control systems be immune?
Accidents Happen ...
Attacks Can Cause Similar Results INL National Lab Aurora Demonstration, March 2007
Regulators provide Smart Grid Stimulus Funding criteria - cyber security is mandatory (June 09) FERC releases Smart Grid Policy - cyber security mandatory for Utility rate recovery (July 09) Strengthened Cyber Security Standards Approved for North American Utilities (May 09) AMI-SEC working group developed security requirements for AMI AMI-SEC Task Force NIST developing interoperability and security standards for Smart Grid Ontario Green Energy Act Drives Smart Grid With Security (May 09) Cyber Security Regulatory Requirements
ACM CCS Tutorial Nov. 2009 Securing Control Systems
Adversaries • Script kiddies • Hackers • Organized crime • Disgruntled insiders • Competitors • Terrorists • Hactivists • Eco-terrorists • Nation states
How an Attack Proceeds—Step #1 Internet Modem Pool Web Server Email Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Database Server Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI
How an Attack Proceeds—Step #2 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
How an Attack Proceeds—Step #3 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
How an Attack Proceeds—Step #4 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
How an Attack Proceeds—Step #5 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
How an Attack Proceeds—Step #6 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Email Server Database Server
How an Attack Proceeds—Step #7 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED Email Server IED Database Server
Defending ICS • Separate control network from enterprise network – Harden connection to enterprise network – Protect all points of entry with strong authentication – Make reconnaissance difficult from outside • Harden interior of control network – Make reconnaissance difficult from inside – Avoid single points of vulnerability – Frustrate opportunities to expand a compromise • Harden field sites and partner connections – mutual distrust • Monitor both perimeter and inside events • Periodically scan for changes in security posture
Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
Logical Overlay on SP99 / Purdue Model of Control Site Business Planning and Logistics Network Batch Control Discrete Control Supervisory Control Hybrid Control Supervisory Control Enterprise Network Patch Mgmt Web Services Operations AV Server Application Server Email, Intranet, etc. Production Control Historian Optimizing Control Engineering Station Continuous Control Terminal Services Historian (Mirror) Site Operations and Control Area Supervisory Control Basic Control Process Control Zone Enterprise Zone DMZ Level 5 Level 3 Level 1 Level 0 Level 2 Level 4 HMI HMI
Logical Architecture • Enterprise Zone contains typical business systems – Email, web, office apps, etc. • DMZ provides business connectivity – Contains only non-critical systems that need access to both Control and Enterprise Zones – Enforces separation between Enterprise and Control Zones – Consists of multiple functional sub-zones • Separated by Firewall, IPS, Anti-Virus, etc. • Control Zone demarcates critical control systems – Consists of multiple functional sub-zones • Internally protected by Firewall, IDS, Anti-Virus, etc.
How NOT to connect Control / Enterprise • Dual-homed server • Dual-homed server with Host IPS / AV • Router with packet filter ACLs • Two-port Firewall • Router + Firewall combination • See NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, NISCC and BCIT, Feb 2005
Web Services Operations Application Server Historian Mirror DMZ DMZ—Logical View Patch Mgmt AV Proxy Terminal Services No Direct Traffic Emergency Disconnect Emergency Disconnect Multiple Functional Sub-Zones VPN IPS Scan FW AV Host AV Proxy Host IPS IDS IDS
DMZ Design Principles • DMZ contains non-critical systems • Multiple functional security sub-zones • Traffic between sub-zones undergoes firewall (& IPS or IDS) • DMZ is only path in/out of Control Zone • Default deny for all firewall interfaces • No direct traffic across DMZ • No control traffic to outside • Limited outbound traffic from Control Zone • Very limited inbound traffic to Control Zone • No common ports between outside & inside • Emergency disconnect at inside or outside • No network management from outside • Cryptographic VPN and Firewall to all 3rd party connections
DMZ Implementation (1) DMZ LAN 3 DMZ LAN 4 DMZ LAN 2 NAT Routing FW IPS Security Appliance With Multiple Ports DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus
DMZ Implementation (2) dot1q trunk DMZ VLAN 3 DMZ VLAN 4 DMZ VLAN 2 NAT Routing FW IPS VLAN Security Appliance VLAN-capable L2 switch DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus NOT L3!
DMZ Implementation • Sub-zones implemented by physical LANs or VLANs – Physical LANs require multi-port Security Appliance – VLANs require: • VLAN-capable Security Appliance and Switch • anti-VLAN hopping protections on switch and FW • NO L3 (routing) on switch • FW implements policy between – DMZ LANs, Enterprise Zone, Control Zone • Anti-virus proxy controls outbound HTTP and/or FTP access to enterprise or Internet resources • Host IPS and/or Host Anti-virus protects DMZ servers
Remote Access DMZ AAA Server Certificate Authority Terminal Services DMZ/Control Interconnect WAN/LAN Enterprise LAN Remote Access Pool Remote Access VPN
Remote Access • Security Appliance terminates Host-to-site VPN into remote access pool – IPSEC VPN, SSL VPN, PPTP VPN • Authenticates user via: – AAA server, LDAP, Active Directory, etc. – Can enforce use of multi-factor hardware token • Time-varying password tokens for vendor access • Clients use VNC, Citrix, or Remote Desktop (RDP) to connect to Terminal Server • Then VNC, Citrix, RDP, or Control System Apps to Control System Servers
Control Zone—Logical View Batch Control Discrete Control Supervisory Control Hybrid Control Supervisory Control Production Control Historian Optimizing Control Engineering Station Continuous Control Site Operations and Control Area Supervisory Control Basic Control Process Control Zone Level 3 Level 1 Level 0 Level 2 HMI HMI DMZ
Control Zone Design Principles • Multiple functional security sub-zones • Firewall and IDS between sub-zones • Minimal number of connections to DMZ • Control Zone independent of DMZ, Enterprise – Separate Security Appliance from DMZ – Separate Time Server – Separate AAA – Allows emergency disconnect from DMZ • Cryptographic VPN and Firewall to all offsite IP connections (Field Site or Partner) • IEEE P1711 for all offsite serial ICS connections • Host IDS, Host AV, or app whitelisting where feasible • Management only from management zone
Control Zone Implementation—Hierarchical • Fast routing between VLANs via L3 switch • ACLs between VLANs but no Stateful Firewall Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
Control Zone Implementation—Ring • Ring reduces wiring for linear sites like power dams • but spanning tree can have problems with large rings Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
Firewall IDS/IPS Client VPN Proxy Network AV Host IDS/IPS NAC Site-to-site VPN DMZ Perimeter Protection in Utilities
IDS Port Scan Vuln Scan Firewall NAC SCADA VPN Firewall SCADA VPN Port Scan IDS Interior Protection in Utilities
Log Analyze Report Compliance Managed Security Monitor, Log, Analyze, Report
• Planning, processes, procedures, physical security, etc. are also important • NERC CIP Regulatory Requirements provide reasonably good guidance in this area: • CIP-001: Sabotage Reporting • CIP-002: Critical Cyber Asset Identification • CIP-003: Security Management Controls • CIP-004: Personnel & Training • CIP-005: Electronic Security Perimeters • CIP-006: Physical Security • CIP-007: Systems Security Management • CIP-008: Incident Reporting & Response Planning • CIP-009: Recovery Plans for Critical Cyber Assets See www.nerc.com -> Standards -> Reliability Standards -> CIP Beyond Network Security
Summary • Today’s ICS are mix of modern and legacy – vulnerabilities due to both lack of security design in legacy and security issues in newer equipment • Defense in depth is essential – both perimeter (DMZ) and interior security are crucial • Regulation and government action is driving change • Smart Grid must be designed with strong security
ACM CCS Tutorial Nov. 2009 Thanks! andrew.wright@n-dimension.com
Standards Efforts • NERC CIPs • NIST Smart Grid Interoperability Standards Project • NIST SP800-82 • NIST SP800-53 • NIST PCSRF Protection Profiles • AMI-SEC • ISA SP99 • ODVA • IEEE P1711 (AGA 12) -- serial SCADA encryption
A Few References • www.nist.gov/smartgrid • Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8 • Guide to SCADA and Industrial Control System Security, NIST SP800-82 • ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm?MicrositeID=988&Co mmitteeID=6821 • AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net

More Related Content

PPT
Control system including PLC cybersecurity
byDr.Maged Mikhail
 
PDF
ICS security
byAhmed Shitta
 
PPT
Industrial control systems cybersecurity.ppt
byDelforChacnCornejo
 
PDF
Cyber Security: Differences between Industrial Control Systems and ICT Approach
byCommunity Protection Forum
 
PDF
Cybersecurity For Industrial Control Systems Scada Dcs Plc Hmi And Sis 1st Ed...
byjnjnoguu1594
 
PDF
How to Get into ICS Security byChris Sistrunk
byEC-Council
 
PDF
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
byShakeel Ali
 
PDF
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
byTI Safe
 
Control system including PLC cybersecurity
byDr.Maged Mikhail
 
ICS security
byAhmed Shitta
 
Industrial control systems cybersecurity.ppt
byDelforChacnCornejo
 
Cyber Security: Differences between Industrial Control Systems and ICT Approach
byCommunity Protection Forum
 
Cybersecurity For Industrial Control Systems Scada Dcs Plc Hmi And Sis 1st Ed...
byjnjnoguu1594
 
How to Get into ICS Security byChris Sistrunk
byEC-Council
 
Critical Infrastructure Assessment Techniques to Prevent Threats and Vulnerab...
byShakeel Ali
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
byTI Safe
 

Similar to Power Grid Communications & Control Systems

PDF
Nist 800 82
bymajolic
 
PDF
Securing Industrial Control System
byHemanth M
 
PPTX
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
PDF
Cybersecurity Practices for Industrial Control Systems
byholloworangutanxjej
 
PDF
Cybersecurity for Industrial Control Systems SCADA DCS PLC HMI and SIS 1st Ed...
byhlpxqgnhw2011
 
PDF
Cybersecurity for Industrial Control Systems SCADA DCS PLC HMI and SIS 1st Ed...
bysoulefsunek
 
PPTX
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
byTripwire
 
PPTX
ICS_Security_Use_Case_Presentation (1).pptx
bySubhashriC
 
PPTX
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
byAbhishek Goel
 
PPT
Cybersecurity for Control Systems: Current State and Future Vision pt.1
byEnergySec
 
PDF
Cybersecurity for Industrial Control Systems SCADA DCS PLC HMI and SIS 1st Ed...
bypatenekernaf
 
PDF
Critical Infrastructure Protection from Terrorist Attacks
byBGA Cyber Security
 
PDF
Sb securing-industrial-control-systems-with-fortinet
byIvan Carmona
 
DOCX
Tonight, March 5th – Class 7 (last class) your test” on ICS.docx
byturveycharlyn
 
PDF
Cyber security colombo meetup
byEguardian Global Services
 
PPTX
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
byDawn Yankeelov
 
PDF
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
byResilient Systems
 
PPTX
Hacker Halted 2016 - How to get into ICS security
byChris Sistrunk
 
PPTX
Tomas_Votruba_-_CP_ICS_Solution_for_CI_and_Industrial (1).pptx
byTefElbert
 
PDF
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
byMighty Guides, Inc.
 
Nist 800 82
bymajolic
 
Securing Industrial Control System
byHemanth M
 
Critical Infrastructure Security by Subodh Belgi
byClubHack
 
Cybersecurity Practices for Industrial Control Systems
byholloworangutanxjej
 
Cybersecurity for Industrial Control Systems SCADA DCS PLC HMI and SIS 1st Ed...
byhlpxqgnhw2011
 
Cybersecurity for Industrial Control Systems SCADA DCS PLC HMI and SIS 1st Ed...
bysoulefsunek
 
Industrial Cyber Security: What You Don't Know Might Hurt You (And Others...)
byTripwire
 
ICS_Security_Use_Case_Presentation (1).pptx
bySubhashriC
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
byAbhishek Goel
 
Cybersecurity for Control Systems: Current State and Future Vision pt.1
byEnergySec
 
Cybersecurity for Industrial Control Systems SCADA DCS PLC HMI and SIS 1st Ed...
bypatenekernaf
 
Critical Infrastructure Protection from Terrorist Attacks
byBGA Cyber Security
 
Sb securing-industrial-control-systems-with-fortinet
byIvan Carmona
 
Tonight, March 5th – Class 7 (last class) your test” on ICS.docx
byturveycharlyn
 
Cyber security colombo meetup
byEguardian Global Services
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
byDawn Yankeelov
 
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
byResilient Systems
 
Hacker Halted 2016 - How to get into ICS security
byChris Sistrunk
 
Tomas_Votruba_-_CP_ICS_Solution_for_CI_and_Industrial (1).pptx
byTefElbert
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
byMighty Guides, Inc.
 

Recently uploaded

PPTX
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
PPTX
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
PPTX
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
PPTX
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
PPTX
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
PPTX
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
PDF
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
PDF
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
PDF
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
PPTX
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
DOCX
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
PDF
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
PPTX
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
PDF
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
PDF
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
Overview-of-Anti-DDoS-Solutions-On-Premise-vs-On-Cloud.pptx
bybunhongkruy
 
Why-Enterprises-Should-Build-Their-Own-Core-Network-and-Own-Their-ASN-and-Pub...
bybunhongkruy
 
Lesson 5 - Cyber attack Pt 3 - Matsuhashi.pptx
byOmar Fernandez
 
Lesson 3 - Methodology of Green Computing - part2 - dela cruz.pptx
byOmar Fernandez
 
tacacstrianingforwirelessnetworkengineers
byRaviTejaTammineni
 
Artificial Intelligence (AI) Technology Project Proposal _ by Slidesgo.pptx
byadhyaadi804
 
Key Duties and Roles of an Ecommerce Developer Singapore
byHachi Web Solution
 
Beacon Kit slides tech framework for world game (s) pdf
bySteven McGee
 
Here are the winners of KALIDASA SAMMAN.
byglcppro
 
Number_Guessing_Game_Dsbsbssbzboc[1].pptx
byfbinsta3426
 
BestMaker.ai: The Complete Brand Story, Founder's Vision, and AI Creative Pla...
byssuser7381d6
 
Novi.LMS.Veseli.Cetvrtak.001 (1).pdfjjjj
byzoran radovic
 
Dalhousie University Diploma
by文凭办理维多利亚大学购买毕业证学位认证知乎【Q微:1954292140】
 
LMS.Golconda.Vanredni.Broj.001.pdfjjjjjjj
byzoran radovic
 
Greetings All Students Update 3 by LDMMIA
by©LDMMIA, ©Reiki Yoga
 

Power Grid Communications & Control Systems

  • 1.
    Cyber Security Solutions For<Client Name> Cyber Security for the Power Grid: Cyber Security Issues & Securing Control Systems Andrew Wright CTO, N-Dimension andrew.wright@n-dimension.com ACM CCS Conference Tutorial Nov. 2009
  • 2.
    Power Grid Communications& Control Systems borrowed from NIST Smart Grid Twiki Internet Control Systems
  • 3.
    Agenda • High-Level – IndustrialControl Systems and Cyber Security Issues – Securing Control Systems • Detailed – Security Issues in Industrial Control Systems – Today’s Threats – Securing Control Systems
  • 4.
    A Control System Sensor(s)+ Actuator(s) + Controller(s)
  • 5.
    Types of IndustrialControl Systems (ICS) Supervisory Control And Data Acquisition (SCADA) Automation Process Control Systems (PCS) Distributed Control Systems (DCS)
  • 6.
    Historical ICS • Proprietary •Complete vertical solutions • Customized • Specialized communications – Wired, fiber, microwave, dialup, serial, etc. – 100s of different protocols – Slow; e.g. 1200 baud • Long service lifetimes: 15–20 years • Not designed with security in mind
  • 7.
    Third Party Controllers, Servers, etc. Serial,OPC or Fieldbus Engineering Workplace Device Network Firewall Services Network Third Party Application Server Application Server Historian Server Workplaces Enterprise Optimization Suite Mobile Operator Connectivity Server Control Network Redundant Enterprise Network Serial RS485 Modern ICS Trends IP Internet Enterprise Network
  • 8.
    Technology Trends inICS • COTS (Commercial-Off-The-Shelf) technologies – Operating systems—Windows, WinCE, embedded RTOSes – Applications—Databases, web servers, web browsers, etc. – IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc. – Networking equipment—switches, routers, firewalls, etc. • Connectivity of ICS to enterprise LAN – Improved business visibility, business process efficiency – Remote access to control center and field devices • IP Networking – Common in higher level networks, gaining in lower levels – Many legacy protocols wrapped in TCP or UDP – Most new industrial devices have Ethernet ports – Most new ICS architectures are IP-based
  • 9.
    New IP-Based IndustrialControl Systems • ODVA (Rockwell) • Profinet • Foundation Fieldbus HSE • Telvent • ABB 800xA • Honeywell Experion • Emerson DeltaV • Yokogawa VNET/IP • Invensys Infusion • Survalent • IP to the Control Network or even Device Network • Not all are fully compatible with “ordinary IP”
  • 10.
    Security Risks toModern ICS • COTS + IP + connectivity = many security risks • All of those of Enterprise networks and more Worms and Viruses Legacy OSes and applications DOS and DDOS impairing availability Inability to limit access Unauthorized access Inability to revoke access Unknown access Unexamined system logs Unpatched systems Accidental misconfiguration Little or no use of anti-virus Improperly secured devices Limited use of host-based firewalls Improperly secured wireless Improper use of ICS workstations Unencrypted links to remote sites Unauthorized applications Passwords sent in clear text Unnecessary applications Default passwords Open FTP, Telnet, SNMP, HTML ports Password management problems Fragile control devices Default OS security configurations Network scans by IT staff Unpatched routers / switches
  • 11.
    When ICS SecurityFails • Loss of production • Penalties • Lawsuits • Loss of public trust • Loss of market value • Physical damage • Environmental damage • Injury • Loss of life • USSR pipeline explosion, 1982 • Bellingham pipeline rupture, 1999 • Queensland sewage release, 2000 • Davis Besse nuclear plant infection, 2003 • Northeast USA blackout, 2003 • Browns Ferry nuclear plant scram, 2006 $$$.$$
  • 12.
    ACM CCS Tutorial Nov.2009 So How Do We Secure Industrial Control Systems?
  • 13.
    There is NoSilver Bullet! No Silver Bullet!
  • 14.
    Defense in Depth •Perimeter Protection – Firewall, IPS, VPN, AV – Host IDS, Host AV – DMZ • Interior Security – Firewall, IDS, VPN, AV – Host IDS, Host AV – IEEE P1711 (AGA 12) – NAC – Scanning • Monitoring • Management IDS Intrusion Detection System IPS Intrusion Prevention System DMZ DeMilitarized Zone VPN Virtual Private Network (cryptographic) AV Anti-Virus (anti-malware) NAC Network Admission Control
  • 15.
    Internet Enterprise Network Control Network FieldSite Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
  • 16.
    ACM CCS Tutorial Nov.2009 Security Issues in Industrial Control Systems
  • 17.
    Availability, Integrity andConfidentiality • Enterprise networks require C-I-A – Confidentiality of intellectual property matters most • ICS requires A-I-C – Availability and integrity of control matters most – control data has low entropy—little need for confidentiality – Many ICS vendors provide six 9’s of availability • Ensuring availability is hard – Cryptography does not help (directly) – DOS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high MTBF • Security must not reduce availability!
  • 18.
    DoS and DDoSAttacks • Denial of Service (DoS) attack overwhelms a system with too many packets/requests – Exhausts TCP stack or application resources – Defenses include connection limits in firewall • Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system – No single point of attack – Requires sophisticated, coordinated defenses – Weapon of choice for hackers, hacktivists, cyber-extortionists • DoS, DDoS particularly effective when Availability is critical, i.e. against ICS
  • 19.
    Fragile ICS Devices •Many IP stack implementations are fragile – Some devices lockup on ping sweep or NMAP scan – Numerous incidents of ICS shut down by uninformed IT staff running a well-intentioned vulnerability scan • Modern ICS devices are much more complex – Some IEDs include web server for configuration and status – More lines of code leads to more bugs – Modern IEDs require patching just like servers
  • 20.
    Unpatched Systems • ManyICS systems are not patched current – Particularly Windows servers – No patches available for older versions of windows • OS and application patches can break ICS – OS patches are tested for enterprise apps • Uncertified patches can invalidate warranty • Patching often requires system reboot • Before installation of a patch: – Vendor certification—typically one week – Lab testing by operator – Staged deployment on less critical systems first – Avoid interrupting any critical process phases
  • 21.
    Limited use ofHost Anti-Virus • AV operations can cause significant system disruption at inopportune times – 3am is no better than any other time for a full disk scan on a system that operates 24x7x365 • ICS vendors only beginning to support anti-virus – Anti-virus is only as good as the signature set – Signatures may require testing just like patches • AV may be losing ground in enterprise deployments – impact on hosts, endpoint security not getting better – virus writers have learned to test against dominant AV • application whitelisting can be a good alternative – enumerate goodness rather than badness
  • 22.
    Poor Authentication andAuthorization • Machine-to-machine comms involve no “user” • Many ICS have poor authentication mechanisms and very limited authorization mechanisms • Many protocols use cleartext passwords • Many ICS devices lack crypto support • Sometimes passwords left at vendor default • Device passwords are hard to manage appropriately – Often one password is shared amongst all devices and all users and seldom if ever changed – This is happening AGAIN in Smart Meter deployments!
  • 23.
    Poor Audit andLogging • Many ICS have poor or non-existent support for logging security-related actions – Attempted or successful intrusions may go unnoticed • Where IDS logs are kept, they are often not reviewed • Various regulatory requirements are driving some change in this area – NERC—North American Electric Reliability Corporation – FERC—Federal Energy Regulatory Commission – Sarbanes Oxley and PCAOB (Public Company Accounting Oversight Board) – FISMA—Federal Information Security Management Act
  • 24.
    Unmanned Field Sites •Many unmanned field sites • Many with dialup access • Some with high-speed connectivity to control center • Most with poor authentication and authorization backdoor to the control center!
  • 25.
    Legacy Equipment • Muchlegacy equipment • Usually impossible to update to add security features • Difficult to protect legacy communications – but see IEEE P1711 for serial encryption • Password protection is weak • Little or no audit and logging
  • 26.
    Unauthorized Applications • Unauthorizedapps installed on ICS systems can interfere with ICS operation • Many types of unauthorized apps have been found during security audits – Instant messaging – P2P file sharing – DVD and MPEG video players – Games, including Internet-based – Web browsers
  • 27.
    Inappropriate Use ofICS Desktops • Web browsing from HMI can infect ICS – Browser vulnerabilities – Downloads – Cross-site scripting – Spyware • Email to/from control servers can infect ICS – Sendmail and outlook vulnerabilities • Disk storage exhaustion can crash OS – Storage of music, videos
  • 28.
    Little or NoCyber Security Monitoring • internal monitoring is essential to detect low profile compromises – IDS – port scanning – vulnerability scanning – system audit • without internal monitoring don’t know whether systems have been compromised
  • 29.
    Requirement for 3rdParty Access • Firmware updates and PLC, IED programming are sometimes done by vendor – Many ICS have open maintenance ports – Infected vendor laptops can bring down ICS • Partners may require continuous status information – Partner access is often poorly secured – Partner channels can serve as backdoors • 3rd parties may include: – ISO, transmission provider or grid neighbor, equipment vendor, emissions monitoring service or agency, water level monitoring agency, vibration monitoring service, etc.
  • 30.
    People Issues • ICSnetwork often managed by “Control Systems Department”, distinct from “IT Department” running enterprise network – ICS personnel are not IT or networking experts – IT personnel are not ICS experts • Majority of control systems workforce is older and nearing retirement – Few young people entering this field – Few academic programs
  • 31.
    Harsh Environments • Temperature •Vibration • Dust • Humidity • Electrical Transients
  • 32.
    Attack Vectors intoControl Systems Includes Infected Laptops and Is Growing Source: 2003–2006 data from Eric Byres, BCIT
  • 33.
    Security Assessments onICS • Various groups perform security assessments and penetration tests on ICS (generally under NDA) – Idaho National Labs – Sandia National Labs – N-Dimension Solutions – Other private organizations • Vulnerability assessments always uncover problems • For penetration tests, we always get in – Not a question of “if”, but “how long”
  • 34.
    Other Issues • Unusualphysical topologies • Many special purpose, limited function devices • Static network configurations • Multicast • Long service lifetimes
  • 35.
    For More Information... • See Smart Grid Cyber Security Strategy and Requirements, NISTIR 7628, www.nist.gov/smartgrid – particularly Appendices C and D
  • 36.
    ACM CCS Tutorial Nov.2009 Today’s Threats
  • 37.
    Hiroshima, 2.0 –Cyberspying of the US Electric Grid (April 09) Cyberspies penetrate electrical grid (April 09) 'Smart Grid' vulnerable to hackers (March 09) CIA: Hackers Have Attacked Foreign Utilities (Jan 2008) President Obama: securing the electric infrastructure is a national security priority (June 09) Smart Grid Security Frenzy: Cyber War Games, Worms and Spies in Smart Grid (June 09) earth2tech.com Intense Media Visibility on the Cyber Security Issue
  • 38.
    Limited Information AboutIncidents • Little information sharing about actual attacks – BCIT incident database has about 30 incidents per year vs. 100s of thousands of incidents per year in CERT database – Few cyber attacks on ICS for which details are public • Little information sharing about actual vulnerabilities – some are not easily or rapidly fixed – assessments are done under NDA • Difficult to estimate risk – Difficult to demonstrate ROI for security spending • But… lots of data about significant financial losses in enterprise and e-commerce – Why would control systems be immune?
  • 39.
  • 40.
    Attacks Can CauseSimilar Results INL National Lab Aurora Demonstration, March 2007
  • 41.
    Regulators provide SmartGrid Stimulus Funding criteria - cyber security is mandatory (June 09) FERC releases Smart Grid Policy - cyber security mandatory for Utility rate recovery (July 09) Strengthened Cyber Security Standards Approved for North American Utilities (May 09) AMI-SEC working group developed security requirements for AMI AMI-SEC Task Force NIST developing interoperability and security standards for Smart Grid Ontario Green Energy Act Drives Smart Grid With Security (May 09) Cyber Security Regulatory Requirements
  • 42.
    ACM CCS Tutorial Nov.2009 Securing Control Systems
  • 43.
    Adversaries • Script kiddies •Hackers • Organized crime • Disgruntled insiders • Competitors • Terrorists • Hactivists • Eco-terrorists • Nation states
  • 44.
    How an AttackProceeds—Step #1 Internet Modem Pool Web Server Email Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Database Server Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI
  • 45.
    How an AttackProceeds—Step #2 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
  • 46.
    How an AttackProceeds—Step #3 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
  • 47.
    How an AttackProceeds—Step #4 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
  • 48.
    How an AttackProceeds—Step #5 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
  • 49.
    How an AttackProceeds—Step #6 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Email Server Database Server
  • 50.
    How an AttackProceeds—Step #7 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED Email Server IED Database Server
  • 51.
    Defending ICS • Separatecontrol network from enterprise network – Harden connection to enterprise network – Protect all points of entry with strong authentication – Make reconnaissance difficult from outside • Harden interior of control network – Make reconnaissance difficult from inside – Avoid single points of vulnerability – Frustrate opportunities to expand a compromise • Harden field sites and partner connections – mutual distrust • Monitor both perimeter and inside events • Periodically scan for changes in security posture
  • 52.
    Internet Enterprise Network Control Network FieldSite Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
  • 53.
    Logical Overlay onSP99 / Purdue Model of Control Site Business Planning and Logistics Network Batch Control Discrete Control Supervisory Control Hybrid Control Supervisory Control Enterprise Network Patch Mgmt Web Services Operations AV Server Application Server Email, Intranet, etc. Production Control Historian Optimizing Control Engineering Station Continuous Control Terminal Services Historian (Mirror) Site Operations and Control Area Supervisory Control Basic Control Process Control Zone Enterprise Zone DMZ Level 5 Level 3 Level 1 Level 0 Level 2 Level 4 HMI HMI
  • 54.
    Logical Architecture • EnterpriseZone contains typical business systems – Email, web, office apps, etc. • DMZ provides business connectivity – Contains only non-critical systems that need access to both Control and Enterprise Zones – Enforces separation between Enterprise and Control Zones – Consists of multiple functional sub-zones • Separated by Firewall, IPS, Anti-Virus, etc. • Control Zone demarcates critical control systems – Consists of multiple functional sub-zones • Internally protected by Firewall, IDS, Anti-Virus, etc.
  • 55.
    How NOT toconnect Control / Enterprise • Dual-homed server • Dual-homed server with Host IPS / AV • Router with packet filter ACLs • Two-port Firewall • Router + Firewall combination • See NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, NISCC and BCIT, Feb 2005
  • 56.
  • 57.
    DMZ Design Principles •DMZ contains non-critical systems • Multiple functional security sub-zones • Traffic between sub-zones undergoes firewall (& IPS or IDS) • DMZ is only path in/out of Control Zone • Default deny for all firewall interfaces • No direct traffic across DMZ • No control traffic to outside • Limited outbound traffic from Control Zone • Very limited inbound traffic to Control Zone • No common ports between outside & inside • Emergency disconnect at inside or outside • No network management from outside • Cryptographic VPN and Firewall to all 3rd party connections
  • 58.
    DMZ Implementation (1) DMZLAN 3 DMZ LAN 4 DMZ LAN 2 NAT Routing FW IPS Security Appliance With Multiple Ports DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus
  • 59.
    DMZ Implementation (2) dot1q trunk DMZVLAN 3 DMZ VLAN 4 DMZ VLAN 2 NAT Routing FW IPS VLAN Security Appliance VLAN-capable L2 switch DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus NOT L3!
  • 60.
    DMZ Implementation • Sub-zonesimplemented by physical LANs or VLANs – Physical LANs require multi-port Security Appliance – VLANs require: • VLAN-capable Security Appliance and Switch • anti-VLAN hopping protections on switch and FW • NO L3 (routing) on switch • FW implements policy between – DMZ LANs, Enterprise Zone, Control Zone • Anti-virus proxy controls outbound HTTP and/or FTP access to enterprise or Internet resources • Host IPS and/or Host Anti-virus protects DMZ servers
  • 61.
  • 62.
    Remote Access • SecurityAppliance terminates Host-to-site VPN into remote access pool – IPSEC VPN, SSL VPN, PPTP VPN • Authenticates user via: – AAA server, LDAP, Active Directory, etc. – Can enforce use of multi-factor hardware token • Time-varying password tokens for vendor access • Clients use VNC, Citrix, or Remote Desktop (RDP) to connect to Terminal Server • Then VNC, Citrix, RDP, or Control System Apps to Control System Servers
  • 63.
  • 64.
    Control Zone DesignPrinciples • Multiple functional security sub-zones • Firewall and IDS between sub-zones • Minimal number of connections to DMZ • Control Zone independent of DMZ, Enterprise – Separate Security Appliance from DMZ – Separate Time Server – Separate AAA – Allows emergency disconnect from DMZ • Cryptographic VPN and Firewall to all offsite IP connections (Field Site or Partner) • IEEE P1711 for all offsite serial ICS connections • Host IDS, Host AV, or app whitelisting where feasible • Management only from management zone
  • 65.
    Control Zone Implementation—Hierarchical •Fast routing between VLANs via L3 switch • ACLs between VLANs but no Stateful Firewall Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
  • 66.
    Control Zone Implementation—Ring •Ring reduces wiring for linear sites like power dams • but spanning tree can have problems with large rings Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
  • 67.
    Firewall IDS/IPS Client VPN Proxy Network AV HostIDS/IPS NAC Site-to-site VPN DMZ Perimeter Protection in Utilities
  • 68.
    IDS Port Scan Vuln Scan Firewall NAC SCADAVPN Firewall SCADA VPN Port Scan IDS Interior Protection in Utilities
  • 69.
  • 70.
    • Planning, processes,procedures, physical security, etc. are also important • NERC CIP Regulatory Requirements provide reasonably good guidance in this area: • CIP-001: Sabotage Reporting • CIP-002: Critical Cyber Asset Identification • CIP-003: Security Management Controls • CIP-004: Personnel & Training • CIP-005: Electronic Security Perimeters • CIP-006: Physical Security • CIP-007: Systems Security Management • CIP-008: Incident Reporting & Response Planning • CIP-009: Recovery Plans for Critical Cyber Assets See www.nerc.com -> Standards -> Reliability Standards -> CIP Beyond Network Security
  • 71.
    Summary • Today’s ICSare mix of modern and legacy – vulnerabilities due to both lack of security design in legacy and security issues in newer equipment • Defense in depth is essential – both perimeter (DMZ) and interior security are crucial • Regulation and government action is driving change • Smart Grid must be designed with strong security
  • 72.
    ACM CCS Tutorial Nov.2009 Thanks! andrew.wright@n-dimension.com
  • 73.
    Standards Efforts • NERCCIPs • NIST Smart Grid Interoperability Standards Project • NIST SP800-82 • NIST SP800-53 • NIST PCSRF Protection Profiles • AMI-SEC • ISA SP99 • ODVA • IEEE P1711 (AGA 12) -- serial SCADA encryption
  • 74.
    A Few References •www.nist.gov/smartgrid • Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8 • Guide to SCADA and Industrial Control System Security, NIST SP800-82 • ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm?MicrositeID=988&Co mmitteeID=6821 • AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net

Editor's Notes

  • #3 These are functional groupings, not ownership groupings Internet (blue) has touch points with many power grid systems, but there are still significant communications and networks that are not the Internet I will look at various types of Industrial Control Systems (red) used in Generation, Transmission, and Distribution ...
  • #6 Supervisory Control and Data Acquisition (SCADA) Large distances, supervisory control, non-real-time (minutes) Used in power (transmission and distribution), gas, oil, water, wastewater, rail, etc. Process Control Systems (PCS) Closed loop, central control, near real-time (seconds) Used in refining, chemical, food, pharmaceutical, etc. Distributed Control Systems (DCS) Similar to PCS but multiple controllers physically close to processes Used in generation, manufacturing, refining, chemical, food, pharmaceutical, etc. Automation aka Discrete Control Similar to DCS, real-time (milliseconds)
  • #7 the slogan “tomorrow’s technology today” of high-tech industries is turned around in the control systems world to “yesterday’s technology tomorrow”. “security” in power usually means reliability of the grid there is a big difference between “robust to accidental events” and “robust to intentional engineered attacks”
  • #8 at the bottom, IEDs are usually connected to sensors and controllers by automation networks such as HART, Fieldbus, Profibus, or increasingly by Ethernet although one process control vendor already offering IPV6 wireless on battery-powered sensors next level of network consists of ICS master and systems used for operating and managing the ICS next level of network provides advanced applications, such as optimization and gateways to the enterprise network Adoption of COTS (Commercial-Off-The-Shelf) technologies Operating systems—Windows, WinCE, various embedded RTOSes Applications—Databases, web servers, web browsers, etc. IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc. COTS software and systems have more capabilities and are cheaper than proprietary systems, and do not leave vendors stranded on out-of-date technology Connectivity of ICS to enterprise LAN Improved business visibility, business process efficiency: eg. supply chain management, production scheduling, order tracking, and fault monitoring (optimize part and supply sourcing, schedule production to better meet business requirements and avoid contract penalties) Remote access to control center and field devices: eg. remote diagnosis and repair, reduction of personnel at remote sites Adoption of IP Networking Common in higher level networks, gaining in lower levels Many legacy protocols wrapped in TCP or UDP Most new industrial devices have Ethernet ports IP penetrating into lower levels of ICS networks due to greater performance, lower cost, more capabilities than proprietary networks Ease of connectivity to other systems Greater performance Lower cost Interoperability Future proofing rate at which these trends are progressing varies between ICS and process control and between control center, communications, and field devices
  • #9 trends relevant to networking and security rate at which these trends are progressing varies between ICS and process control and between control center, communications, and field devices connectivity improves business efficiency by better supply chain management, just-in-time production, order tracking, fault monitoring, etc. in addition to direct optimization of process itself IP networking: Ease of connectivity to other systems Greater performance Lower cost Interoperability Future proofing
  • #12 trojan code inserted by CIA into pipeline control software stolen by USSR caused largest non-nuclear explosion ever observed from space 16” gasoline pipeline ruptured and ignited due to combination of backhoe and non-responsive ICS system, causing fires for 1.5 miles along a creek, 3 deaths, $45M, water treatment plant seriously contaminated disgruntled employee used ICS to release 250,000 gals. sewage slammer worm infected David Besse nuclear plant via contractor’s T1 line, disabled safety systems, fortunately plant was offline blaster worm not primary cause but partly contributed to northeast blackout, economic cost $7-10 Billion, note 2% of US generation has blackstart capability Browns Ferry: root cause of the event was the malfunction of the VFD controller because of broadcast storm on the plant ICS network, possibly due to a malfunctioning, broadcasting PLC Browns Ferry: corrective actions included developing a network firewall device that limits the connections and traffic to any potentially susceptible devices on the plant ICS network
  • #15 There is no silver bullet! not crunchy on the outside, soft and chewy on the inside Scanning – port scanning, vulnerability scanning, arp scanning, wifi scanning
  • #18 importance of availability and integrity impacts security of ICS in a number of ways that we will look at shortly six 9’s means 99.9999% available Cisco IP telephony is five 9’s Bellingham security must not reduce availability – expiry of VPN tunnel certificates, forgotten password, etc.
  • #19 botnet is a collection of computers with backdoor, installed by virus or worm, that can be remotely and anonymously controlled botnets may consist of home PCs without proper firewall and antivirus, but many have also been found within the enterprise networks of large corporations explain e-commerce website extortion attack
  • #20 Browns Ferry
  • #21 No patches available for windows NT, 98, ME Windows 2000 supported only until 2010 Cisco and other released a patch for TCP support Sept 2009 (DOS prevention)
  • #23 Queensland extreme example: password limited to 3 uppercase characters
  • #24 SoX passed in response to scandals like Enron, relates to financial accounting, and the PCAOB auditing standard #2 states “IT Controls should be tested, including controls over relevant assertions related to all significant accounts and disclosures in the financial statements”
  • #28 especially browsing the seedier parts of the web
  • #30 Davis Besse
  • #31 IT department may not want ICS department to have a firewall as this will impede their visibility into and management of ICS network ICS personnel are not IT or networking experts not familiar with advanced networking issues IT personnel are not ICS experts not familiar with different requirements of ICS may not understand why enterprise security policies cannot be applied to ICS
  • #32 motor activated breaker that is not meant to be used when a line is energized, but was opened under a 100 amp load for this experiment. Normally this line carries 2000 amps.
  • #35 extreme environments: heat, cold, dust, vibration, moisture, explosive or flammable gas physical topologies: not building, but star, mesh, bus, and particularly ring, eg. hydro dam special purpose devices (IEDs) cannot run antivirus, NAC clients, etc. multicast is not one to many, but many to a few each long service lifetimes: SEL 10 year warranty
  • #38 <START> Media visibility on this issue started a couple of years ago with CNN coverage of a Homeland Security demonstration showing how easy it is to hack into the grid and destroy a generating plant. Since then the media has been increasing the visibility of the issue … First article described how a smart meter network can be easily hacked into (with $500 of equipment) to turn off power in entire communities and cities.
  • #39 BCIT database (British Columbia Institute of Technology, Eric Byres) requires contribution in order to obtain access business losses to cyber events number in the Billions of dollars annually financials estimate that 2% of incidents that occur are actually reported due to concern for reputation and stock price, and this is likely also true for ICS
  • #40 accidents happen and can have pretty severe consequences fault in a capacitor bank in a residential substation, protection relay fails to trip, overloads a transformer, which vents superheated and vaporized cooling oil, which ignites ...
  • #41 Cooper power systems makes a REID relay that prevents this specific attack
  • #42 <START> Based on: the report of the black-out of 2003 national security concerns recognition that today’s existing electric grid is vulnerable (1980’s level security) There have been extensive cyber security regulatory and standards development initiatives which are driving business opportunity for N-Dimension 1st point: We have just completed assisting Utilities in the US with their stimulus applications and for us this represented a total of $4M of product quotations N-Dimension is on the committees that is driving the standards for the industry (last 4 points)
  • #43 where were we (in the talk), where are we going questions
  • #44 ICS have been compromised by script kiddies and used to store digital music and movies - most likely the kiddies either did not realize or did not care what type of system they were into talks and hacking demonstrations of ICS are beginning to show up at conferences like Black Hat, Defcon organized crime has created a thriving market for zero-day vulnerabilities and botnets disgruntled insiders, whether fired or on strike, know best how to damage the ICS and have the necessary access competitors could use ICS information to manipulate spot markets - anybody remember ENRON? information about ICS systems found on Al Queda computers seized in Afghanistan renewed calls from Al-Queda for specific attacks on oil infrastructure to reduce oil flow to US industries that frequently attract the ire of eco-terrorists tend to be heavy users of ICS other nations have been mapping US infrastructure for over 10 years, and most nations, including the US, now have a cyberwar capability
  • #45 no security thru obscurity
  • #46 this is just one attack scenario of many possible
  • #55 DMZ is somewhat similar to enterprise DMZ but has rather different security properties purpose of DMZ is to provide STRONG separation between enterprise and control zones DMZ contains only non-critical systems that provide enterprise visibility and connectivity fully switched network
  • #56 this slide is in your packet
  • #58 firewall is still logical view NO direct traffic permitted between enterprise and control zone all inbound and outbound traffic must stop at a server in DMZ operations like patch installation must be two-stage process remote administration must go thru a terminal or application server different colored networks are different sub-zones traffic permitted between enterprise, DMZ, and control zones and between different sub-zones only as needed multiple functional sub-zones help contain spread of a worm infection, limit sniffing and scanning by attackers, and aid in management of firewall rules
  • #59 no direct traffic + no common ports stops worms like slammer sub-zones and limited communication slows infection spread and makes network mapping by attackers more difficult control, DMZ independence requires domain servers, AAA, etc. in both zones guest NAC since enterprise zone may not do NAC DMZ independent of Enterprise and Control Zones to allow remediation while disconnected
  • #60 Cisco ASA 5520 or 5540 with Advanced Inspection Module (IPS) Signatures for DNP3, Modbus, ICCP Sub-zones implemented by VLANs All inter-VLAN routing done by ASA L2 switch must be Cisco switch and properly configured to prevent VLAN hopping ACLs on ASA implement policy between DMZ VLANs, Enterprise Zone, Control Zone Cisco Security Agent (CSA) on DMZ servers Signature-less host-based IPS Optional active-standby redundancy DMZ servers can use dual NICs with teaming drivers Optional separate hardware firewall, IOS-based for different implementation, could be managed by IT
  • #61 Cisco ASA 5520 or 5540 with Advanced Inspection Module (IPS) Signatures for DNP3, Modbus, ICCP Sub-zones implemented by VLANs All inter-VLAN routing done by ASA L2 switch must be Cisco switch and properly configured to prevent VLAN hopping ACLs on ASA implement policy between DMZ VLANs, Enterprise Zone, Control Zone Cisco Security Agent (CSA) on DMZ servers Signature-less host-based IPS Optional active-standby redundancy DMZ servers can use dual NICs with teaming drivers Optional separate hardware firewall, IOS-based for different implementation, could be managed by IT
  • #62 implementing sub-zones with physically separate ports may require more expensive ASA and/or more L2 switches L2 switch must be Cisco switch to prevent VLAN hopping teaming drivers with dual DMZ switches for redundancy separate firewall defends against ASA misconfiguration, overload, vulnerabilities ASA 5520 or 5540 with AIM and at least 4 VLANs, one for management, 3 for DMZ sub-zones, or 6+ ports optional separate, different implementation firewall defends against ASA compromise or misconfiguration this slide is in your packet
  • #64 this slide is in your packet
  • #65 user-based ACLs to enforce RBAC on user
  • #66 this slide is in your packet
  • #67 multiple sub-zones, like in DMZ, grouping systems with related functionality optional firewall and IDS between sub-zones if used, IDS, not IPS, to ensure that false positives do not block critical control traffic security management (CSM) and security correlation (MARS) in control zone (these security-critical functions should be given maximum protection and thus NOT placed in DMZ)
  • #68 independence necessary to allow disconnection sub-zones and limited communication slows infection spread and makes network mapping more difficult control zone independence requires domain servers, AAA, etc. in zone port security prevents someone with physical access from connecting a rogue device QoS, traffic policing mitigate impact of worm or misbehaving control system device this slide is in your packet
  • #69 VLAN ACLs restrict traffic between different sub-zones to only that needed good for a small number of vlans as with too many the number of ACLs becomes large
  • #70 VLAN ACLs restrict traffic between different sub-zones to only that needed good for a small number of vlans as with too many the number of ACLs becomes large
  • #76 where we are, where we are going
  • #77 ISA - The Instrumentation, Systems, and Automation Society