© 2009 PTT ICT Solutions All Rights Reserved
Cyber Attack Threatens Plant Control System (SCADA/DCS)
Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited, A Company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
Experience:
• Board member, Thailand Information Security Association (TISA)
• Member of the technical committee on security standards for electronic transactions (ISO27001)
• Expert member of the committee revising the Bachelor of Business Administration curriculum in Information Technology Business, Prince of Songkla University
• Member of the committee drafting the MBA in Information Security Management curriculum, Assumption University
• Member of the working group studying and analysing data to recommend the operational plan of the Electronic Transactions Commission for B.E. 2551-2553, NECTEC
• Member of the working group studying models and standards for electronic certificate issuance services and trust assurance by an independent auditor or regulatory body (Certified or Regulated Body), NECTEC
Speaker and lecturer at:
• Royal Thai Armed Forces Headquarters
• Regular course of the Army Command and General Staff College, Institute of Advanced Army Studies
• Bank of Thailand
• Office of the Permanent Secretary, Ministry of Commerce
• Office of the Permanent Secretary, Ministry of Defence
• State Enterprise Information Technology Club of Thailand
• Thai Medical Informatics Association
• Strategic IT Governance course, Software Park 2007-2009
• ITU ASP COE: Training Workshop on Information Management Framework for CIOs
• CIO Conference 2007
• Information Security Asia 2007
• 2nd Annual ASIA IT Congress 2007
• Cyber Defence Initiative Conference (CDIC) 2008
• SCADA Asia Summit 2009
• Mini-MBA Program, Thammasat University
• Micro-MBA Program, Thammasat University
• MIS Program, Thammasat University
• King Mongkut's University of Technology Thonburi
Protecting your SCADA system against cyber security threats
17 June 2009
Agenda
• The real threats revealed
• Case studies of global incidents
• Cyber threats and Control System
• What we can do to handle this challenge?
• Q&A
See the movie
Italian Traffic Lights
Event: Feb 2009, Italian authorities investigating unauthorized changes to traffic enforcement system
Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in two month period
Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have shorter yellow light causing spike in camera enforced traffic tickets
Lessons learned:
• Do not underestimate the insider threat
• Ensure separation of duties and auditing
Transportation – Road Signs
Event: Jan 2009, Texas road signs compromised
Impact: Motorists distracted and provided false information
Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
Lessons learned:
• Use robust physical access controls
• Change all default passwords
• Work with manufacturers to identify and protect password reset procedures
Remarkable Incidents
• Siberia, 1982: an attack by the CIA on the USSR's pipeline operation software caused a massive explosion during the summer of 1982 in the controversial pipeline delivering Siberian natural gas to Western Europe.
From the book At the Abyss: An Insider's History of the Cold War (Ballantine, 2004, ISBN 0-89141-821-0)
Keyword: The Farewell Dossier, Gus W. Weiss
• 2002: the FBI traced visitors, routed through the telecommunication networks of Saudi Arabia, Indonesia and Pakistan, who had studied emergency telephone systems, electric generation and transmission, water storage and distribution, nuclear power plants and gas facilities.
http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26
1988 Case
• Allen-Bradley DH+ environment
• Disgruntled employee
• Modified the password of another department's PLC-5
• Blocked all maintenance access to the system
• The previous password of the system was believed to have been found on a post-it note
Global Incidents (cont.)
• Based on evidence collected in Afghanistan, Al Qaeda had a “high level of interest” in DCS and SCADA devices. (AFI Intelligence Briefing - 28th June 2002)
– Terrorism looks for new methods of attack
– 'Bombs and Bytes' The next Al Qa'ida terrorist threat
– US faces an 'electronic Pearl Harbour'
• 2003: Slammer Worm crashed Ohio nuke plant network, Davis-Besse
According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer to a VPN connection to the control center LAN. (http://www.securityfocus.com/news/6767)
Recovery time:
• SPDS – 4 hours 50 minutes
• PPC – 6 hours 9 minutes
Global Incidents (cont.)
Virus Found On Computer In Space Station
NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. …
The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection.
InformationWeek, August 27, 2008
U.S. Critical Infrastructure Sectors
Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized U.S. critical infrastructure into the following 18 CIKR sectors:
• Agriculture and Food
• Banking and Finance
• Chemical
• Commercial Facilities
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Information Technology
• National Monuments and Icons
• Nuclear Reactors, Materials, and Waste
• Postal and Shipping
• Public Health and Healthcare
• Telecommunications
• Transportation
• Water and Water Treatment
Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system.
[Diagram: a manufacturing plant's operation depends on its control systems, which in turn form part of the national critical infrastructure. Threat sources shown: adversary/disgruntled employee, malicious code/virus/worm, terrorist/hacker, all acting through vulnerabilities/weaknesses. Governance shown: government, law/compliance/standard/guideline, industry-specific regulator.]
Security Issues Causing Process Disruption
Security incidents in the OIL industry
• Electronic sabotage of Venezuela oil operations
• CIA Trojan causes Siberian gas pipeline explosion
• Anti-virus software prevents boiler safety shutdown
• Slammer-infected laptop shuts down DCS
• Virus infection of operator training simulator
• Electronic sabotage of gas processing plant
• Slammer impacts offshore platforms
• SQL Slammer impacts drill site
• Code Red worm defaces automation web pages
• Penetration test locks up gas control system
• Contractor laptop infects control system
Security incidents in the Chemical industry
• IP address change shuts down chemical plant
• Hacker changes chemical plant setpoints via modem
• Nachi worm on advanced process control servers
• Attack on plant of chemical company DCS
• Contractor accidentally connects to remote PLC
• Sasser causes loss of HMI in chemical plant
• Infected new HMI infects chemical plant DCS
• Blaster worm infects chemical plant
Security incidents in the Power industry
• Slammer infects control central LAN via VPN
• Slammer causes loss of comms to substations
• Slammer infects Ohio nuclear plant SPDS
“The Slammer worm penetrated a private computer network at Ohio’s Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall”
Security incidents in the Power industry (cont.)
• Iranian hackers attempt to disrupt Israel power system
• Utility control system attacked
• Virus attacks a European utility
• Facility cyber attacks reported by Asian utility
• Power plant security details leaked on the Internet
Security incidents in the Water industry
• Salt River Project SCADA hack
• Maroochy Shire sewage spill
• Software flaw makes MA water undrinkable
• Trojan/keylogger on Ontario water SCADA system
• Viruses found on Aussie SCADA laptops
• Audit/Blaster causes water SCADA crash
• DoS attack on water system via Korean telecom
• Penetration of California irrigation district wastewater treatment plant SCADA
• SCADA system tagged with message, "I enter in your server like you in Iraq."
What are Industrial Control Systems (ICS), SCADA and DCS?
Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment.
There are two primary types of control systems:
– Distributed Control Systems (DCS) are typically used within a single processing or generating plant or over a small geographic area.
– Supervisory Control and Data Acquisition (SCADA) systems are typically used for large, geographically dispersed distribution operations.
NIST SP800-82 Final Public DRAFT (Sep. 2008)
The term Industrial Control System (ICS) refers to a broad set of control systems, which include:
• SCADA (Supervisory Control and Data Acquisition)
• DCS (Distributed Control System)
• PCS (Process Control System)
• EMS (Energy Management System)
• AS (Automation System)
• SIS (Safety Instrumented System)
• Any other automated control system
Basic Control Systems Components
Risk Drivers: Modernization and Globalization
• Connections between Information Technology and Control System networks (inheriting vulnerabilities)
• Shift from isolated systems to open protocols
• Access to remote sites through the use of modems, wireless, private, and public networks
• Shared or joint-use systems for e-commerce
General Findings
• Default vendor accounts and passwords still in use
• Some systems unable to be changed!
• Guest accounts still available
• Unused software and services still on systems
• No security-level agreement with peer sites
• No security-level agreement with vendors
• Poor patch management (or patch programs)
• Extensive auto-logon capability
General Findings (continued)
• Typical IT protections not widely used (firewalls, IDS, etc.). This has been improving in the last 6 months
• Little emphasis on reviewing security logs (change management)
• Common use of dynamic ARP tables with no ARP monitoring
• Control system use of enterprise services (DNS, etc.)
• Shared passwords
• Writeable shares between hosts
• User permissions allow for admin-level access
• Direct VPN from offsite to control systems
• Web-enabled field devices
Gap of Coordination
• Different vocabulary
– ICT: “I know TCP/IP, NetBIOS, MSSQL, SAP, etc.”
– Operation: “I know Profibus, FieldBus, MODBUS, solenoid valves, turbines, hydraulics, pneumatics, etc.”
• SCADA/DCS can be somewhat frighteningly exciting to ICT people. Inadequate knowledge of and experience with the system lowers their confidence to provide appropriate support.
• Operation people should work with IT security professionals from the ICT department or with consultants
• Educate the IT department about process control and SCADA operations
Unsynchronized Technology Lifecycle
• ICT technology keeps changing while the control system is here to stay.
• Production processes are rarely changed.
• “We can operate as we always do. So, WHY UPGRADE ???”
• ICT equipment life is ~3-5 years
• Control equipment life is ~10+ years
• SCADA security today is where enterprise security was 5-10 years ago
Different Expectation
Sharing the SAME CHALLENGES
• The information or data from devices or controllers is sent to and processed at a server of that system, which exposes many possibilities for attack, for example:
– Communication media
• Radio: jammer
• Protocol anomaly
– Operating system running on the server
• Microsoft Windows
• Unix
– Database
• MS-SQL
• Oracle
• A system running a standard operating system is vulnerable to standard attacks
– Malware/Virus/Worm/Spyware
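The "protocol anomaly" point above, with MODBUS as the shared vocabulary between ICT and operations, illustrated by an added example that is not from the original presentation: a small Modbus/TCP request checker in Python that parses the MBAP header and flags malformed frames, unknown function codes, and write requests from hosts outside an allow-list. The master address 10.1.1.10, the allow-list, the function-code sets and every frame are constructed assumptions.

```python
"""Modbus/TCP request checks over constructed sample frames.

Added example, not part of the original presentation. Host addresses, the
allow-list and every frame below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Public function codes that change process state (coils, holding registers).
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Function codes this monitor treats as known traffic (a common public subset).
KNOWN_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 23}
# Assumed allow-list: only the SCADA master/HMI may write to field devices.
ALLOWED_WRITERS = {"10.1.1.10"}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int   # MBAP protocol identifier, always 0 for Modbus
    length: int        # bytes following the length field (unit id + PDU)
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header and the PDU function code."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def check_frame(src_ip: str, payload: bytes) -> List[str]:
    """Return anomaly labels for one request frame; an empty list means clean."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if frame.protocol_id != 0:
        findings.append("protocol-id-not-zero")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if frame.length != len(payload) - 6:
        findings.append("length-mismatch")
    if frame.function not in KNOWN_FUNCTIONS:
        findings.append(f"unknown-function-{frame.function}")
    # A setpoint/coil write from a host that is not the master is the
    # "hacker changes setpoints" scenario from the incident lists.
    if frame.function in WRITE_FUNCTIONS and src_ip not in ALLOWED_WRITERS:
        findings.append(f"write-from-unauthorized-host-{src_ip}")
    return findings


def build_request(tid: int, unit: int, function: int, data: bytes,
                  protocol_id: int = 0) -> bytes:
    """Assemble a Modbus/TCP request frame (used only to construct samples)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, protocol_id, len(pdu) + 1, unit) + pdu


# Constructed traffic: (source address, raw TCP payload).
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    # Master reads 10 holding registers from address 0: normal polling.
    ("10.1.1.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Master writes setpoint register 40: expected operator action.
    ("10.1.1.10", build_request(2, 1, 6, struct.pack(">HH", 40, 1500))),
    # Same write from an engineering workstation not on the allow-list.
    ("10.1.5.77", build_request(3, 1, 6, struct.pack(">HH", 40, 9999))),
    # Function code 99 is not a public Modbus function: fuzzing or junk.
    ("10.1.1.10", build_request(4, 1, 99, b"")),
    # Protocol identifier 7 is never valid Modbus.
    ("10.1.1.10", build_request(5, 1, 3, struct.pack(">HH", 0, 10), protocol_id=7)),
    # Truncated read request: MBAP length field no longer matches the bytes.
    ("10.1.1.10", build_request(6, 1, 3, struct.pack(">HH", 0, 10))[:-1]),
]


def scan(traffic: List[Tuple[str, bytes]]) -> List[Tuple[str, List[str]]]:
    """Run the checks over a list of (source, payload) pairs."""
    return [(src, check_frame(src, payload)) for src, payload in traffic]


if __name__ == "__main__":
    for src, findings in scan(SAMPLE_TRAFFIC):
        print(src, "OK" if not findings else ", ".join(findings))
```

In a real deployment the allow-list would come from the documented network architecture (step 13 of the DOE list) and the checks would run on a network tap rather than on constructed frames.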
They are Connected
• The operation network is somehow connected to the corporate network, or is even able to access the Internet. Without proper protection and control, the operation environment is truly at high risk.
Does the system integrator have security in mind?
• Are all possible conditions properly handled?
• Is the program running in the controller security-aware by design?
• The more security, the harder UAT and commissioning become, which may delay project payment. Guess what!!! They don’t do it unless explicitly required or asked for.
• Is it in the TOR?
Does the system integrator have security in mind? (cont.)
“None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect.”
Said by Joseph Weiss, executive consultant for KEMA Consulting
http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html
Policy Enforcement
• People + Process + Technology need to work in harmony. Sometimes we need a certain technology or tool to ensure that the defined process or policy is in good shape.
• The most vulnerable entity is “PEOPLE”. So keep them aware of what they are doing and the risks they are facing, plus the consequent damage and responsibility if they do not comply with the policy.
Available Guidelines
• 21 Steps to Improve Cyber Security of SCADA
Networks, US-DOE
• Roadmap to Secure Control Systems in the
Chemical Sector, US-DHS
• Security Vulnerability Assessment Methodology
for the Petroleum and Petrochemical Industries,
API
• ISA99 - Control Systems Security Model
• ISO27001, ISO27002 (ISO17799)
21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
Petrochemical Segment
Petroleum, Oil & Gas
Energy Segment
For your TOR/RFP
Value Delivery from PTTICT
• The weakness should be tackled internally
• What can we do?
– Education/Awareness
– Architecture review
– Security assessment
– Attack simulation
– Help fixing the problem together
– Investigation/Forensics (of what went wrong)
• As a TEAM … we CAN
Professional Approach
• Methodical
• Standard-oriented
• Industry-specific
• Qualified specialists
Summary
• The threat is real
• The insider threat is more frightening
• Securing the perimeter is not enough → defense-in-depth (DiD)
• Need secure by design (for new systems)
• Assessment and improvement (for existing systems)
• Need collaboration and sharing
• Guidelines and good practices are available
• People need to be (cross-)trained
Questions?
security@pttict.com
THANK YOU
security@pttict.com

SCADA Security in CDIC 2009
