Power Grid Communications & Control Systems
1. Cyber Security Solutions For <Client Name>
Cyber Security for the Power Grid: Cyber Security Issues & Securing Control Systems
Andrew Wright, CTO, N-Dimension
andrew.wright@n-dimension.com
ACM CCS Conference Tutorial, Nov. 2009
2. Power Grid Communications & Control Systems
[Diagram borrowed from the NIST Smart Grid Twiki: the Internet and the various Control Systems shown as functional groupings of power grid communications]
3. Agenda
• High-Level
– Industrial Control Systems and Cyber Security Issues
– Securing Control Systems
• Detailed
– Security Issues in Industrial Control Systems
– Today’s Threats
– Securing Control Systems
5. Types of Industrial Control Systems (ICS)
• Supervisory Control And Data Acquisition (SCADA)
• Process Control Systems (PCS)
• Distributed Control Systems (DCS)
• Automation
6. Historical ICS
• Proprietary
• Complete vertical solutions
• Customized
• Specialized communications
– Wired, fiber, microwave, dialup, serial, etc.
– 100s of different protocols
– Slow; e.g. 1200 baud
• Long service lifetimes: 15–20 years
• Not designed with security in mind
7. Modern ICS Trends
[Diagram: Enterprise Network (with IP and Internet connectivity) above a Services Network holding application servers, a historian server, a third-party application server, an enterprise optimization suite and workplaces; a firewall to the redundant Control Network with connectivity servers, an engineering workplace and a mobile operator; a Device Network with third-party controllers and servers reached over serial RS485, OPC or Fieldbus]
8. Technology Trends in ICS
• COTS (Commercial-Off-The-Shelf) technologies
– Operating systems—Windows, WinCE, embedded RTOSes
– Applications—Databases, web servers, web browsers, etc.
– IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc.
– Networking equipment—switches, routers, firewalls, etc.
• Connectivity of ICS to enterprise LAN
– Improved business visibility, business process efficiency
– Remote access to control center and field devices
• IP Networking
– Common in higher level networks, gaining in lower levels
– Many legacy protocols wrapped in TCP or UDP
– Most new industrial devices have Ethernet ports
– Most new ICS architectures are IP-based
9. New IP-Based Industrial Control Systems
• ODVA (Rockwell)
• Profinet
• Foundation Fieldbus HSE
• Telvent
• ABB 800xA
• Honeywell Experion
• Emerson DeltaV
• Yokogawa VNET/IP
• Invensys Infusion
• Survalent
• IP to the Control Network or even Device Network
• Not all are fully compatible with “ordinary IP”
10. Security Risks to Modern ICS
• COTS + IP + connectivity = many security risks
• All of those of Enterprise networks and more
– Worms and viruses
– DOS and DDOS impairing availability
– Unauthorized access
– Unknown access
– Unpatched systems
– Little or no use of anti-virus
– Limited use of host-based firewalls
– Improper use of ICS workstations
– Unauthorized applications
– Unnecessary applications
– Open FTP, Telnet, SNMP, HTML ports
– Fragile control devices
– Network scans by IT staff
– Legacy OSes and applications
– Inability to limit access
– Inability to revoke access
– Unexamined system logs
– Accidental misconfiguration
– Improperly secured devices
– Improperly secured wireless
– Unencrypted links to remote sites
– Passwords sent in clear text
– Default passwords
– Password management problems
– Default OS security configurations
– Unpatched routers / switches
11. When ICS Security Fails
• Loss of production
• Penalties
• Lawsuits
• Loss of public trust
• Loss of market value
• Physical damage
• Environmental damage
• Injury
• Loss of life
Incidents:
• USSR pipeline explosion, 1982
• Bellingham pipeline rupture, 1999
• Queensland sewage release, 2000
• Davis Besse nuclear plant infection, 2003
• Northeast USA blackout, 2003
• Browns Ferry nuclear plant scram, 2006
14. Defense in Depth
• Perimeter Protection
– Firewall, IPS, VPN, AV
– Host IDS, Host AV
– DMZ
• Interior Security
– Firewall, IDS, VPN, AV
– Host IDS, Host AV
– IEEE P1711 (AGA 12)
– NAC
– Scanning
• Monitoring
• Management
IDS Intrusion Detection System
IPS Intrusion Prevention System
DMZ DeMilitarized Zone
VPN Virtual Private Network (cryptographic)
AV Anti-Virus (anti-malware)
NAC Network Admission Control
15. 50000 Foot View
[Diagram: Internet, Enterprise Network, Control Network, Field Sites and a Partner Site, with VPN, FW, IPS, IDS, AV, Scan, NAC, Proxy, Host IPS / Host IDS / Host AV, P1711 and IEC 62351 placed at the boundaries, and Log Mgmt, Event Mgmt and Reporting covering the whole]
17. Availability, Integrity and Confidentiality
• Enterprise networks require C-I-A
– Confidentiality of intellectual property matters most
• ICS requires A-I-C
– Availability and integrity of control matters most
– control data has low entropy—little need for confidentiality
– Many ICS vendors provide six 9’s of availability
• Ensuring availability is hard
– Cryptography does not help (directly)
– DOS protection, rate limiting, resource management, QoS,
redundancy, robust hardware with high MTBF
• Security must not reduce availability!
18. DoS and DDoS Attacks
• Denial of Service (DoS) attack overwhelms a system
with too many packets/requests
– Exhausts TCP stack or application resources
– Defenses include connection limits in firewall
• Distributed Denial of Service (DDoS) attack
coordinates a botnet to overwhelm a target system
– No single point of attack
– Requires sophisticated, coordinated defenses
– Weapon of choice for hackers, hacktivists, cyber-extortionists
• DoS, DDoS particularly effective when Availability is
critical, i.e. against ICS
19. Fragile ICS Devices
• Many IP stack implementations are fragile
– Some devices lockup on ping sweep or NMAP scan
– Numerous incidents of ICS shut down by uninformed IT staff
running a well-intentioned vulnerability scan
• Modern ICS devices are much more complex
– Some IEDs include web server for configuration and status
– More lines of code leads to more bugs
– Modern IEDs require patching just like servers
20. Unpatched Systems
• Many ICS systems are not patched to current levels
– Particularly Windows servers
– No patches available for older versions of Windows
• OS and application patches can break ICS
– OS patches are tested for enterprise apps
• Uncertified patches can invalidate warranty
• Patching often requires system reboot
• Before installation of a patch:
– Vendor certification—typically one week
– Lab testing by operator
– Staged deployment on less critical systems first
– Avoid interrupting any critical process phases
21. Limited use of Host Anti-Virus
• AV operations can cause significant system
disruption at inopportune times
– 3am is no better than any other time for a full disk scan on a
system that operates 24x7x365
• ICS vendors only beginning to support anti-virus
– Anti-virus is only as good as the signature set
– Signatures may require testing just like patches
• AV may be losing ground in enterprise deployments
– impact on hosts, endpoint security not getting better
– virus writers have learned to test against dominant AV
• application whitelisting can be a good alternative
– enumerate goodness rather than badness
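The "enumerate goodness" approach from this slide can be checked with a manifest of approved executables. The following is an added example, not code from the tutorial or from N-Dimension: it records the SHA-256 of every approved binary for a host, then audits the host for executables that are not in the manifest, approved ones whose digest changed, and approved ones that vanished. The host directory, file names and contents are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, streamed so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Golden-image step: record the digest of every approved executable."""
    return {os.path.basename(p): sha256_of(p) for p in paths}


def audit(directory, manifest, extensions=(".exe", ".dll")):
    """Compare what is on the host with the manifest.

    Returns (unknown, modified, missing): executables not in the manifest,
    approved executables whose digest changed, and approved ones no longer present.
    """
    found = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(extensions):
            found[name] = sha256_of(os.path.join(directory, name))
    unknown = [n for n in found if n not in manifest]
    modified = [n for n in found if n in manifest and found[n] != manifest[n]]
    missing = [n for n in sorted(manifest) if n not in found]
    return unknown, modified, missing


def write(directory, name, content):
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(content)
    return path


def demo():
    """Constructed scenario: two approved binaries, then drift on the host."""
    with tempfile.TemporaryDirectory() as host:
        approved = [write(host, "hmi.exe", b"approved HMI build 4.2"),
                    write(host, "iodriver.dll", b"approved I/O driver")]
        manifest = build_manifest(approved)
        write(host, "messenger.exe", b"instant messaging client")  # unauthorized app appears
        write(host, "iodriver.dll", b"tampered I/O driver")         # approved binary changed
        write(host, "readme.txt", b"not an executable, ignored")
        return audit(host, manifest)


if __name__ == "__main__":
    unknown, modified, missing = demo()
    print("unknown:", unknown, "modified:", modified, "missing:", missing)
```

The manifest is built once from a known-good image and then only changes through the same vendor-certification and lab-testing path the tutorial describes for patches; an unknown or modified entry is a finding to investigate, not something to silently re-approve.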
22. Poor Authentication and Authorization
• Machine-to-machine comms involve no “user”
• Many ICS have poor authentication mechanisms
and very limited authorization mechanisms
• Many protocols use cleartext passwords
• Many ICS devices lack crypto support
• Sometimes passwords left at vendor default
• Device passwords are hard to manage appropriately
– Often one password is shared amongst all devices
and all users and seldom if ever changed
– This is happening AGAIN in Smart Meter deployments!
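Three of the password problems on this slide (vendor defaults left in place, one password shared across all devices, and passwords never changed) can be found from a device inventory without ever handling the passwords in the clear. This is an added example, not from the tutorial: the inventory, the vendor-default list and the device names are constructed, and the audit works on SHA-256 fingerprints of the credentials.

```python
import hashlib
from collections import defaultdict
from datetime import date


def fingerprint(secret):
    """Hash a device password so the audit never stores or prints it in the clear."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed vendor-default list; in practice build it from the manuals of the devices you own.
KNOWN_DEFAULTS = {fingerprint(p) for p in ("admin", "1234", "password")}

# Constructed inventory: one row per device with the credential fingerprint and last change date.
INVENTORY = [
    {"device": "rtu-north-01", "fp": fingerprint("Sub$tation09"), "changed": date(2009, 1, 15)},
    {"device": "rtu-north-02", "fp": fingerprint("Sub$tation09"), "changed": date(2009, 1, 15)},
    {"device": "ied-feeder-7", "fp": fingerprint("admin"),        "changed": date(2005, 6, 1)},
    {"device": "meter-gw-1",   "fp": fingerprint("xQ7!vL2#pm"),   "changed": date(2009, 10, 1)},
]


def audit_credentials(inventory, today, max_age_days=365):
    """Report vendor defaults still in use, passwords shared by several devices,
    and passwords older than max_age_days. Device names are returned, never secrets."""
    by_fp = defaultdict(list)
    for row in inventory:
        by_fp[row["fp"]].append(row["device"])
    defaults = sorted(r["device"] for r in inventory if r["fp"] in KNOWN_DEFAULTS)
    shared = sorted(devs for devs in by_fp.values() if len(devs) > 1)
    stale = sorted(r["device"] for r in inventory
                   if (today - r["changed"]).days > max_age_days)
    return {"default": defaults, "shared": shared, "stale": stale}


def demo_audit():
    """Run the audit as of the tutorial's date (constructed reference date)."""
    return audit_credentials(INVENTORY, date(2009, 11, 1))


if __name__ == "__main__":
    for kind, devices in demo_audit().items():
        print(f"{kind}: {devices}")
```

The shared-password check is the one to watch in the Smart Meter case the slide mentions: a single fingerprint appearing on many devices is exactly the "one password amongst all devices" pattern, and it is visible from the fingerprints alone.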
23. Poor Audit and Logging
• Many ICS have poor or non-existent support for
logging security-related actions
– Attempted or successful intrusions may go unnoticed
• Where IDS logs are kept, they are often not reviewed
• Various regulatory requirements are driving some
change in this area
– NERC—North American Electric Reliability Corporation
– FERC—Federal Energy Regulatory Commission
– Sarbanes Oxley and PCAOB (Public Company Accounting
Oversight Board)
– FISMA—Federal Information Security Management Act
24. Unmanned Field Sites
• Many unmanned field sites
• Many with dialup access
• Some with high-speed connectivity to control center
• Most with poor authentication and authorization
– A backdoor to the control center!
25. Legacy Equipment
• Much legacy equipment
• Usually impossible to update to add security features
• Difficult to protect legacy communications
– but see IEEE P1711 for serial encryption
• Password protection is weak
• Little or no audit and logging
26. Unauthorized Applications
• Unauthorized apps installed on ICS systems can
interfere with ICS operation
• Many types of unauthorized apps have been found
during security audits
– Instant messaging
– P2P file sharing
– DVD and MPEG video players
– Games, including Internet-based
– Web browsers
27. Inappropriate Use of ICS Desktops
• Web browsing from HMI can infect ICS
– Browser vulnerabilities
– Downloads
– Cross-site scripting
– Spyware
• Email to/from control servers can infect ICS
– Sendmail and Outlook vulnerabilities
• Disk storage exhaustion can crash OS
– Storage of music, videos
28. Little or No Cyber Security Monitoring
• Internal monitoring is essential to detect low-profile compromises
– IDS
– Port scanning
– Vulnerability scanning
– System audit
• Without internal monitoring you don't know whether systems have been compromised
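Reviewing the logs that do exist is the cheapest form of the internal monitoring this slide calls for. The following added example (not from the tutorial) reads constructed iptables-style LOG lines from a control-zone firewall, classifies each flow by zone, and reports the things earlier slides warn about: flows that cross a zone boundary but are not in the expected baseline, cleartext management protocols accepted into the Control Zone, control-zone hosts talking to the outside, and a single source probing many ports on one device (the scan that can lock up a fragile IED). The zone address plan, the baseline flows and the log lines are all constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed address plan for the three zones; anything else is "outside".
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),
    "control":    ipaddress.ip_network("10.3.0.0/16"),
}
# Cleartext or legacy management protocols that should never be accepted into the Control Zone.
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}
# Constructed baseline of flows that are supposed to cross a boundary: (src zone, dst zone, dst port).
EXPECTED = {
    ("dmz", "control", 3389),   # terminal server in the DMZ reaching control servers over RDP
    ("control", "dmz", 1433),   # control-zone historian pushing to the DMZ historian mirror
}

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=\d+ DPT=(?P<dpt>\d+))?")


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


def parse(line):
    """Extract action, addresses, protocol and destination port; None if not a firewall line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"action": d["action"], "src": d["src"], "dst": d["dst"],
            "proto": d["proto"], "dpt": int(d["dpt"]) if d["dpt"] else None}


def review(lines, expected=EXPECTED, scan_threshold=5):
    findings = []
    ports_seen = defaultdict(set)   # (src, dst) -> distinct destination ports, accepted or dropped
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["dpt"] is not None:
            ports_seen[(ev["src"], ev["dst"])].add(ev["dpt"])
        if ev["action"] != "ACCEPT":
            continue                 # drops are the default-deny policy doing its job
        src_zone, dst_zone = zone_of(ev["src"]), zone_of(ev["dst"])
        if src_zone == dst_zone:
            continue
        if src_zone == "control" and dst_zone == "outside":
            findings.append(("control-to-outside", ev["src"], ev["dst"], ev["dpt"]))
        elif (src_zone, dst_zone, ev["dpt"]) not in expected:
            findings.append(("unexpected-flow", ev["src"], ev["dst"], ev["dpt"]))
        if dst_zone == "control" and ev["dpt"] in CLEARTEXT_MGMT:
            findings.append(("cleartext-mgmt", ev["src"], ev["dst"], CLEARTEXT_MGMT[ev["dpt"]]))
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= scan_threshold:
            findings.append(("possible-scan", src, dst, len(ports)))
    return findings


SAMPLE_LOG = [  # constructed LOG lines from the ICS firewall
    "Nov 12 03:14:07 icsfw kernel: ACCEPT IN=eth1 OUT=eth2 SRC=10.2.0.10 DST=10.3.1.5 PROTO=TCP SPT=50112 DPT=3389",
    "Nov 12 03:14:09 icsfw kernel: ACCEPT IN=eth0 OUT=eth2 SRC=10.1.4.22 DST=10.3.1.5 PROTO=TCP SPT=51234 DPT=23",
    "Nov 12 03:14:10 icsfw kernel: DROP IN=eth0 OUT=eth2 SRC=10.1.4.22 DST=10.3.1.5 PROTO=TCP SPT=51235 DPT=21",
    "Nov 12 03:14:10 icsfw kernel: DROP IN=eth0 OUT=eth2 SRC=10.1.4.22 DST=10.3.1.5 PROTO=TCP SPT=51236 DPT=22",
    "Nov 12 03:14:11 icsfw kernel: DROP IN=eth0 OUT=eth2 SRC=10.1.4.22 DST=10.3.1.5 PROTO=TCP SPT=51237 DPT=80",
    "Nov 12 03:14:11 icsfw kernel: DROP IN=eth0 OUT=eth2 SRC=10.1.4.22 DST=10.3.1.5 PROTO=UDP SPT=51238 DPT=161",
    "Nov 12 03:14:12 icsfw kernel: DROP IN=eth0 OUT=eth2 SRC=10.1.4.22 DST=10.3.1.5 PROTO=TCP SPT=51239 DPT=502",
    "Nov 12 03:15:02 icsfw kernel: ACCEPT IN=eth2 OUT=eth0 SRC=10.3.1.9 DST=203.0.113.40 PROTO=TCP SPT=40001 DPT=443",
    "Nov 12 03:15:30 icsfw kernel: ACCEPT IN=eth2 OUT=eth1 SRC=10.3.1.9 DST=10.2.0.20 PROTO=TCP SPT=40002 DPT=1433",
]

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Dropped packets are counted for the scan heuristic but not reported on their own, so the output stays short enough to be read every day; on the sample the review returns four findings, one per issue above.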
29. Requirement for 3rd Party Access
• Firmware updates and PLC, IED programming are
sometimes done by vendor
– Many ICS have open maintenance ports
– Infected vendor laptops can bring down ICS
• Partners may require continuous status information
– Partner access is often poorly secured
– Partner channels can serve as backdoors
• 3rd parties may include:
– ISO, transmission provider or grid neighbor,
equipment vendor, emissions monitoring service or agency,
water level monitoring agency, vibration monitoring service,
etc.
30. People Issues
• ICS network often managed by “Control Systems
Department”, distinct from “IT Department” running
enterprise network
– ICS personnel are not IT or networking experts
– IT personnel are not ICS experts
• Majority of control systems workforce is
older and nearing retirement
– Few young people entering this field
– Few academic programs
32. Attack Vectors into Control Systems
[Chart of attack vectors into control systems; annotation: includes infected laptops and is growing. Source: 2003–2006 data from Eric Byres, BCIT]
33. Security Assessments on ICS
• Various groups perform security assessments and
penetration tests on ICS (generally under NDA)
– Idaho National Labs
– Sandia National Labs
– N-Dimension Solutions
– Other private organizations
• Vulnerability assessments always uncover problems
• For penetration tests, we always get in
– Not a question of “if”, but “how long”
34. Other Issues
• Unusual physical topologies
• Many special purpose, limited function devices
• Static network configurations
• Multicast
• Long service lifetimes
35. For More Information ...
• See Smart Grid Cyber Security Strategy and
Requirements, NISTIR 7628, www.nist.gov/smartgrid
– particularly Appendices C and D
37. Intense Media Visibility on the Cyber Security Issue
• Hiroshima, 2.0 – Cyberspying of the US Electric Grid (April 09)
• Cyberspies penetrate electrical grid (April 09)
• 'Smart Grid' vulnerable to hackers (March 09)
• CIA: Hackers Have Attacked Foreign Utilities (Jan 2008)
• President Obama: securing the electric infrastructure is a national security priority (June 09)
• Smart Grid Security Frenzy: Cyber War Games, Worms and Spies in Smart Grid (June 09), earth2tech.com
38. Limited Information About Incidents
• Little information sharing about actual attacks
– BCIT incident database has about 30 incidents per year vs.
100s of thousands of incidents per year in CERT database
– Few cyber attacks on ICS for which details are public
• Little information sharing about actual vulnerabilities
– some are not easily or rapidly fixed
– assessments are done under NDA
• Difficult to estimate risk
– Difficult to demonstrate ROI for security spending
• But… lots of data about significant financial losses in
enterprise and e-commerce
– Why would control systems be immune?
40. Attacks Can Cause Similar Results
INL National Lab Aurora Demonstration, March 2007
41. Cyber Security Regulatory Requirements
• Regulators provide Smart Grid Stimulus Funding criteria - cyber security is mandatory (June 09)
• FERC releases Smart Grid Policy - cyber security mandatory for Utility rate recovery (July 09)
• Strengthened Cyber Security Standards Approved for North American Utilities (May 09)
• AMI-SEC Task Force working group developed security requirements for AMI
• NIST developing interoperability and security standards for Smart Grid
• Ontario Green Energy Act Drives Smart Grid With Security (May 09)
44–50. How an Attack Proceeds—Steps #1 to #7
[Seven-step diagram sequence: an Attacker on the Internet; the Enterprise Network with modem pool, web server, email server, database server, Domain Name Server (DNS) and business workstation behind the enterprise firewall; the ICS firewall; the Control System Network with data historian, engineering workstation, FEP, RTU, IEDs, web server and management console HMI. A vendor web server appears in the diagrams from Step #4 onward.]
51. Defending ICS
• Separate control network from enterprise network
– Harden connection to enterprise network
– Protect all points of entry with strong authentication
– Make reconnaissance difficult from outside
• Harden interior of control network
– Make reconnaissance difficult from inside
– Avoid single points of vulnerability
– Frustrate opportunities to expand a compromise
• Harden field sites and partner connections
– mutual distrust
• Monitor both perimeter and inside events
• Periodically scan for changes in security posture
52. 50000 Foot View (diagram repeated from slide 15)
[Diagram: Internet, Enterprise Network, Control Network, Field Sites and a Partner Site, with VPN, FW, IPS, IDS, AV, Scan, NAC, Proxy, Host IPS / Host IDS / Host AV, P1711 and IEC 62351 at the boundaries, and Log Mgmt, Event Mgmt and Reporting covering the whole]
53. Logical Overlay on SP99 / Purdue Model of Control
[Diagram: Enterprise Zone (Level 5 Enterprise Network: email, intranet, etc.; Level 4 Site Business Planning and Logistics Network); DMZ (patch mgmt, AV server, web services operations, application server, terminal services, historian mirror); Control Zone (Level 3 Site Operations and Control: production control, optimizing control, historian, engineering station; Level 2 Area Supervisory Control: HMIs; Level 1 Basic Control: batch, discrete, hybrid, continuous and supervisory control; Level 0 Process)]
54. Logical Architecture
• Enterprise Zone contains typical business systems
– Email, web, office apps, etc.
• DMZ provides business connectivity
– Contains only non-critical systems that need access to both
Control and Enterprise Zones
– Enforces separation between Enterprise and Control Zones
– Consists of multiple functional sub-zones
• Separated by Firewall, IPS, Anti-Virus, etc.
• Control Zone demarcates critical control systems
– Consists of multiple functional sub-zones
• Internally protected by Firewall, IDS, Anti-Virus, etc.
55. How NOT to connect Control / Enterprise
• Dual-homed server
• Dual-homed server with Host IPS / AV
• Router with packet filter ACLs
• Two-port Firewall
• Router + Firewall combination
• See NISCC Good Practice Guide on Firewall Deployment for
SCADA and Process Control Networks, NISCC and BCIT, Feb
2005
57. DMZ Design Principles
• DMZ contains non-critical systems
• Multiple functional security sub-zones
• Traffic between sub-zones undergoes firewall (& IPS or IDS)
• DMZ is only path in/out of Control Zone
• Default deny for all firewall interfaces
• No direct traffic across DMZ
• No control traffic to outside
• Limited outbound traffic from Control Zone
• Very limited inbound traffic to Control Zone
• No common ports between outside & inside
• Emergency disconnect at inside or outside
• No network management from outside
• Cryptographic VPN and Firewall to all 3rd party connections
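Most of the principles on this slide are properties of the firewall rule set, so they can be linted before a change is deployed. The following is an added example, not code from the tutorial or from any firewall vendor: a policy is modelled as ordered zone-to-zone allow rules plus a default action, and the linter checks default deny, no direct traffic across the DMZ (including no control traffic to the outside), no common ports between the outside leg and the inside leg, and no network management from outside. The zone names, port numbers and both sample policies are constructed; partner connections, which the slide handles with VPN plus firewall, are deliberately left out of the "far side" set.

```python
MGMT_PORTS = {22, 161}                  # constructed: ssh and snmp used for device management
FAR_SIDE = {"outside", "enterprise"}    # zones on the far side of the DMZ
INSIDE = {"control"}                    # zones the DMZ is protecting


def rule(src, dst, dport, action="allow"):
    return {"src": src, "dst": dst, "dport": dport, "action": action}


def lint(policy):
    """Check {"rules": [...], "default": "allow"|"deny"} against the DMZ principles.

    Returns a list of (principle, detail) tuples; an empty list means nothing was flagged.
    """
    findings = []
    if policy.get("default") != "deny":
        findings.append(("default-deny",
                         "policy default is %r, must be deny" % policy.get("default")))
    allowed = [r for r in policy["rules"] if r["action"] == "allow"]
    for r in allowed:
        crosses = ((r["src"] in FAR_SIDE and r["dst"] in INSIDE) or
                   (r["src"] in INSIDE and r["dst"] in FAR_SIDE))
        if crosses:
            findings.append(("no-direct-traffic",
                             "%s->%s:%s bypasses the DMZ" % (r["src"], r["dst"], r["dport"])))
        if r["src"] in FAR_SIDE and r["dport"] in MGMT_PORTS:
            findings.append(("no-management-from-outside",
                             "%s->%s:%s" % (r["src"], r["dst"], r["dport"])))
    into_dmz = {r["dport"] for r in allowed if r["src"] in FAR_SIDE and r["dst"] == "dmz"}
    dmz_to_control = {r["dport"] for r in allowed if r["src"] == "dmz" and r["dst"] in INSIDE}
    for port in sorted(into_dmz & dmz_to_control):
        findings.append(("no-common-ports",
                         "port %d is open both into the DMZ and from the DMZ into the Control Zone"
                         % port))
    return findings


# Constructed policy with one violation of each principle.
WEAK_POLICY = {"rules": [
    rule("enterprise", "dmz", 3389),     # RDP to the DMZ terminal server
    rule("dmz", "control", 3389),        # the same port again on the inside leg
    rule("enterprise", "control", 502),  # Modbus/TCP straight from the enterprise LAN
    rule("control", "dmz", 1433),        # historian replication to the DMZ mirror
    rule("outside", "dmz", 161),         # SNMP polling from outside
], "default": "allow"}

# Constructed corrected policy: default deny, DMZ is the only path, different protocol on each leg.
HARDENED_POLICY = {"rules": [
    rule("enterprise", "dmz", 3389),
    rule("dmz", "control", 5900),        # VNC on the inside leg, so no port is common to both
    rule("control", "dmz", 1433),
], "default": "deny"}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint(policy))
```

The common-port check is the one that stops a worm such as Slammer from riding one open port through both legs: a server in the DMZ must be the termination point on each side, so the two legs should never share a port.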
58. DMZ Implementation (1)
[Diagram: a security appliance with multiple ports (NAT, routing, FW, IPS) joining the Enterprise LAN, the DMZ/Control Interconnect (WAN/LAN) and DMZ LANs 2, 3 and 4; an anti-virus proxy and Host IPS / anti-virus on the DMZ servers]
62. Remote Access
• Security Appliance terminates Host-to-site VPN into
remote access pool
– IPSEC VPN, SSL VPN, PPTP VPN
• Authenticates user via:
– AAA server, LDAP, Active Directory, etc.
– Can enforce use of multi-factor hardware token
• Time-varying password tokens for vendor access
• Clients use VNC, Citrix, or Remote Desktop (RDP) to
connect to Terminal Server
• Then VNC, Citrix, RDP, or Control System Apps to
Control System Servers
64. Control Zone Design Principles
• Multiple functional security sub-zones
• Firewall and IDS between sub-zones
• Minimal number of connections to DMZ
• Control Zone independent of DMZ, Enterprise
– Separate Security Appliance from DMZ
– Separate Time Server
– Separate AAA
– Allows emergency disconnect from DMZ
• Cryptographic VPN and Firewall to all offsite IP connections
(Field Site or Partner)
• IEEE P1711 for all offsite serial ICS connections
• Host IDS, Host AV, or app whitelisting where feasible
• Management only from management zone
65. Control Zone Implementation—Hierarchical
• Fast routing between VLANs via L3 switch
• ACLs between VLANs but no Stateful Firewall
[Diagram: Control Zone with Level 1, 2 and 3 VLANs over dot1q trunks; L3 core switches (Gigabit) and L2 access switches (10/100) with QoS, shaping, policing and port security; a SPAN port feeding IDS and Scan; FWs to the DMZ/Control Interconnect WAN/LAN; Host IDS and Host AV on servers]
66. Control Zone Implementation—Ring
• Ring reduces wiring for linear sites like power dams
• but spanning tree can have problems with large rings
[Diagram: same elements as the hierarchical design (Level 1, 2 and 3 VLANs over dot1q trunks, L3 and L2 switches with QoS, shaping, policing and port security, SPAN to IDS and Scan, FWs to the DMZ/Control Interconnect WAN/LAN, Host IDS and Host AV) arranged as a ring]
70. Beyond Network Security
• Planning, processes, procedures, physical security, etc. are also important
• NERC CIP Regulatory Requirements provide reasonably good guidance in this area:
– CIP-001: Sabotage Reporting
– CIP-002: Critical Cyber Asset Identification
– CIP-003: Security Management Controls
– CIP-004: Personnel & Training
– CIP-005: Electronic Security Perimeters
– CIP-006: Physical Security
– CIP-007: Systems Security Management
– CIP-008: Incident Reporting & Response Planning
– CIP-009: Recovery Plans for Critical Cyber Assets
See www.nerc.com -> Standards -> Reliability Standards -> CIP
71. Summary
• Today’s ICS are a mix of modern and legacy
– vulnerabilities due to both lack of security design in legacy and security issues in newer equipment
• Defense in depth is essential
– both perimeter (DMZ) and interior security are crucial
• Regulation and government action is driving change
• Smart Grid must be designed with strong security
74. A Few References
• www.nist.gov/smartgrid
• Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8
• Guide to SCADA and Industrial Control System Security, NIST SP800-82
• ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
• AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net
Editor's Notes
These are functional groupings, not ownership groupings
Internet (blue) has touch points with many power grid systems, but there are still significant communications and networks that are not the Internet
I will look at various types of Industrial Control Systems (red) used in Generation, Transmission, and Distribution ...
Supervisory Control and Data Acquisition (SCADA)
Large distances, supervisory control, non-real-time (minutes)
Used in power (transmission and distribution), gas, oil, water, wastewater, rail, etc.
Process Control Systems (PCS)
Closed loop, central control, near real-time (seconds)
Used in refining, chemical, food, pharmaceutical, etc.
Distributed Control Systems (DCS)
Similar to PCS but multiple controllers physically close to processes
Used in generation, manufacturing, refining, chemical, food, pharmaceutical, etc.
Automation aka Discrete Control
Similar to DCS, real-time (milliseconds)
the slogan “tomorrow’s technology today” of high-tech industries is turned around in the control systems world to “yesterday’s technology tomorrow”.
“security” in power usually means reliability of the grid
there is a big difference between “robust to accidental events” and “robust to intentional engineered attacks”
at the bottom, IEDs are usually connected to sensors and controllers by automation networks such as HART, Fieldbus, Profibus, or increasingly by Ethernet
although one process control vendor already offering IPV6 wireless on battery-powered sensors
next level of network consists of ICS master and systems used for operating and managing the ICS
next level of network provides advanced applications, such as optimization and gateways to the enterprise network
Adoption of COTS (Commercial-Off-The-Shelf) technologies
Operating systems—Windows, WinCE, various embedded RTOSes
Applications—Databases, web servers, web browsers, etc.
IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc.
COTS software and systems have more capabilities and are cheaper than proprietary systems, and do not leave vendors stranded on out-of-date technology
Connectivity of ICS to enterprise LAN
Improved business visibility, business process efficiency: eg. supply chain management, production scheduling, order tracking, and fault monitoring
(optimize part and supply sourcing, schedule production to better meet business requirements and avoid contract penalties)
Remote access to control center and field devices: eg. remote diagnosis and repair, reduction of personnel at remote sites
Adoption of IP Networking
Common in higher level networks, gaining in lower levels
Many legacy protocols wrapped in TCP or UDP
Most new industrial devices have Ethernet ports
IP penetrating into lower levels of ICS networks due to greater performance, lower cost, more capabilities than proprietary networks
Ease of connectivity to other systems
Greater performance
Lower cost
Interoperability
Future proofing
rate at which these trends are progressing varies between ICS and process control and between control center, communications, and field devices
trends relevant to networking and security
connectivity improves business efficiency by better supply chain management, just-in-time production, order tracking, fault monitoring, etc. in addition to direct optimization of process itself
trojan code inserted by CIA into pipeline control software stolen by USSR caused largest non-nuclear explosion ever observed from space
16” gasoline pipeline ruptured and ignited due to combination of backhoe and non-responsive ICS system, causing fires for 1.5 miles along a creek, 3 deaths, $45M, water treatment plant seriously contaminated
disgruntled employee used ICS to release 250,000 gals. sewage
slammer worm infected Davis Besse nuclear plant via contractor’s T1 line, disabled safety systems, fortunately plant was offline
blaster worm not primary cause but partly contributed to northeast blackout, economic cost $7-10 Billion, note 2% of US generation has blackstart capability
Browns Ferry: root cause of the event was the malfunction of the VFD controller because of broadcast storm on the plant ICS network, possibly due to a malfunctioning, broadcasting PLC
Browns Ferry: corrective actions included developing a network firewall device that limits the connections and traffic to any potentially susceptible devices on the plant ICS network
There is no silver bullet!
not crunchy on the outside, soft and chewy on the inside
Scanning – port scanning, vulnerability scanning, arp scanning, wifi scanning
importance of availability and integrity impacts security of ICS in a number of ways that we will look at shortly
six 9’s means 99.9999% available
Cisco IP telephony is five 9’s
Bellingham
security must not reduce availability – expiry of VPN tunnel certificates, forgotten password, etc.
botnet is a collection of computers with backdoor, installed by virus or worm, that can be remotely and anonymously controlled
botnets may consist of home PCs without proper firewall and antivirus, but many have also been found within the enterprise networks of large corporations
explain e-commerce website extortion attack
Browns Ferry
No patches available for Windows NT, 98, ME
Windows 2000 supported only until 2010
Cisco and other released a patch for TCP support Sept 2009 (DOS prevention)
Queensland
extreme example: password limited to 3 uppercase characters
SoX passed in response to scandals like Enron, relates to financial accounting, and the PCAOB auditing standard #2 states “IT Controls should be tested, including controls over relevant assertions related to all significant accounts and disclosures in the financial statements”
especially browsing the seedier parts of the web
Davis Besse
IT department may not want ICS department to have a firewall as this will impede their visibility into and management of ICS network
ICS personnel are not IT or networking experts
not familiar with advanced networking issues
IT personnel are not ICS experts
not familiar with different requirements of ICS
may not understand why enterprise security policies cannot be applied to ICS
motor activated breaker that is not meant to be used when a line is energized, but was opened under a 100 amp load for this experiment.
Normally this line carries 2000 amps.
extreme environments: heat, cold, dust, vibration, moisture, explosive or flammable gas
physical topologies: not building, but star, mesh, bus, and particularly ring, eg. hydro dam
special purpose devices (IEDs) cannot run antivirus, NAC clients, etc.
multicast is not one to many, but many to a few each
long service lifetimes: SEL 10 year warranty
Media visibility on this issue started a couple of years ago with CNN coverage of a Homeland Security demonstration showing how easy it is to hack into the grid and destroy a generating plant.
Since then the media has been increasing the visibility of the issue …
First article described how a smart meter network can be easily hacked into (with $500 of equipment) to turn off power in entire communities and cities.
BCIT database (British Columbia Institute of Technology, Eric Byres) requires contribution in order to obtain access
business losses to cyber events number in the Billions of dollars annually
financials estimate that 2% of incidents that occur are actually reported due to concern for reputation and stock price, and this is likely also true for ICS
accidents happen and can have pretty severe consequences
fault in a capacitor bank in a residential substation, protection relay fails to trip, overloads a transformer, which vents superheated and vaporized cooling oil, which ignites ...
Cooper power systems makes a REID relay that prevents this specific attack
Based on:
the report of the black-out of 2003
national security concerns
recognition that today’s existing electric grid is vulnerable (1980’s level security)
There have been extensive cyber security regulatory and standards development initiatives which are driving business opportunity for N-Dimension
1st point: We have just completed assisting Utilities in the US with their stimulus applications and for us this represented a total of $4M of product quotations
N-Dimension is on the committees that is driving the standards for the industry (last 4 points)
where were we (in the talk), where are we going
questions
ICS have been compromised by script kiddies and used to store digital music and movies - most likely the kiddies either did not realize or did not care what type of system they were into
talks and hacking demonstrations of ICS are beginning to show up at conferences like Black Hat, Defcon
organized crime has created a thriving market for zero-day vulnerabilities and botnets
disgruntled insiders, whether fired or on strike, know best how to damage the ICS and have the necessary access
competitors could use ICS information to manipulate spot markets - anybody remember ENRON?
information about ICS systems found on Al-Qaeda computers seized in Afghanistan
renewed calls from Al-Qaeda for specific attacks on oil infrastructure to reduce oil flow to US
industries that frequently attract the ire of eco-terrorists tend to be heavy users of ICS
other nations have been mapping US infrastructure for over 10 years, and most nations, including the US, now have a cyberwar capability
no security thru obscurity
this is just one attack scenario of many possible
DMZ is somewhat similar to enterprise DMZ but has rather different security properties
purpose of DMZ is to provide STRONG separation between enterprise and control zones
DMZ contains only non-critical systems that provide enterprise visibility and connectivity
fully switched network
this slide is in your packet
firewall is still logical view
NO direct traffic permitted between enterprise and control zone
all inbound and outbound traffic must stop at a server in DMZ
operations like patch installation must be two-stage process
remote administration must go thru a terminal or application server
different colored networks are different sub-zones
traffic permitted between enterprise, DMZ, and control zones and between different sub-zones only as needed
multiple functional sub-zones help contain spread of a worm infection, limit sniffing and scanning by attackers, and aid in management of firewall rules
no direct traffic + no common ports stops worms like slammer
sub-zones and limited communication slows infection spread and makes network mapping by attackers more difficult
control, DMZ independence requires domain servers, AAA, etc. in both zones
guest NAC since enterprise zone may not do NAC
DMZ independent of Enterprise and Control Zones to allow remediation while disconnected
Cisco ASA 5520 or 5540 with Advanced Inspection Module (IPS)
Signatures for DNP3, Modbus, ICCP
Sub-zones implemented by VLANs
All inter-VLAN routing done by ASA
L2 switch must be Cisco switch and properly configured to prevent VLAN hopping
ACLs on ASA implement policy between
DMZ VLANs, Enterprise Zone, Control Zone
Cisco Security Agent (CSA) on DMZ servers
Signature-less host-based IPS
Optional active-standby redundancy
DMZ servers can use dual NICs with teaming drivers
Optional separate hardware firewall, IOS-based for different implementation, could be managed by IT
implementing sub-zones with physically separate ports may require more expensive ASA and/or more L2 switches
L2 switch must be Cisco switch to prevent VLAN hopping
teaming drivers with dual DMZ switches for redundancy
separate firewall defends against ASA misconfiguration, overload, vulnerabilities
ASA 5520 or 5540 with AIM and at least 4 VLANs, one for management, 3 for DMZ sub-zones, or 6+ ports
optional separate, different implementation firewall defends against ASA compromise or misconfiguration
user-based ACLs to enforce RBAC on user
multiple sub-zones, like in DMZ, grouping systems with related functionality
optional firewall and IDS between sub-zones
if used, IDS, not IPS, to ensure that false positives do not block critical control traffic
security management (CSM) and security correlation (MARS) in control zone (these security-critical functions should be given maximum protection and thus NOT placed in DMZ)
independence necessary to allow disconnection
sub-zones and limited communication slows infection spread and makes network mapping more difficult
control zone independence requires domain servers, AAA, etc. in zone
port security prevents someone with physical access from connecting a rogue device
QoS, traffic policing mitigate impact of worm or misbehaving control system device
VLAN ACLs restrict traffic between different sub-zones to only that needed
good for a small number of vlans as with too many the number of ACLs becomes large
where we are, where we are going
ISA - The Instrumentation, Systems, and Automation Society