JC
Uploaded byJames Collinge, CISSP
1,541 views

SCADA White Paper March2012

Stuxnet was a sophisticated cyber attack targeting Iran's nuclear facilities that changed perceptions of threats to critical infrastructure systems like SCADA. It exploited vulnerabilities in both Windows and Siemens control software to sabotage centrifuges without detection for nearly a year. This highlighted that SCADA/ICS are vulnerable targets due to their use of outdated protocols and legacy systems not originally designed with security in mind. Common security issues with SCADA include lack of access controls, unpatched systems, integration with corporate networks, and human/contractor oversight. Best practices like the NERC standards and updates to protocols like DNP3 can help mitigate risks if properly implemented throughout the SCADA lifecycle.

Embed presentation

Download to read offline
HP TIPPINGPOINT Securing SCADA: Overview, Risks, and Mitigation HP Enterprise Security Business White Paper Table of contents Overview: SCADA in a changing threat landscape .............................2 SCADA and the lessons learned from Stuxnet......................................2 What makes SCADA vulnerable?.......................................................4 Common SCADA security challenges.................................................5 Mitigating SCADA security exposures.................................................6 Introducing HP TippingPoint and other HP security................................7 Getting started with HP....................................................................7
2 Overview: SCADA in a changing threat landscape In June 2009, a sophisticated and destructive digital worm was unleashed with a single-minded purpose—to cripple the industrial control infrastructure instrumental to Iran’s uranium enrichment program. The Stuxnet virus not only became known as one of the most potent “zero- day” attacks on a critical infrastructure that included a Supervisory Control and Data Acquisition (SCADA) system, but it is regarded as an act of cyber sabotage that would forever change the threat landscape.1 The intent of this white paper is to update CISOs, network security managers, and as well as line of business executives on how Stuxnet has significantly changed thinking on how a nation’s critical infrastructure is to be protected. A disturbing realization from Stuxnet is that industrial control systems (ICS) and SCADA systems are fair game for such cyber attacks, which means critical industries such as energy, chemicals, agriculture, discrete manufacturing, and others could be in harm’s way in the future. This paper will separate the fact from fiction on the threats and vulnerabilities to SCADA systems and networks. It will outline how SCADA systems have inherent vulnerabilities that can be best resolved by adhering to security best practices. Considering that security tools have long secured corporate networks, this paper will offer how these same solutions can be used to mitigate the risks to SCADA systems. SCADA and the lessons learned from Stuxnet Unlike previous “zero-day” attacks, Stuxnet was designed to sabotage a highly unlikely target— programmable logic controllers (PLCs) and other computers of a SCADA system used to control centrifuges within a nuclear facility. The Stuxnet virus was designed to not only debilitate the SCADA controls, but to do so in ultra-stealth mode. So covert was this cyber attack that it took nearly a year before the infected machines were discovered, and even then, by accident. Researchers were surprised to discover that Stuxnet targeted vulnerabilities in both Windows® and Siemens Simatic WinCC Step7 software, the ICS managing the PLCs that normally drive motors, valves, and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants. A malicious Stuxnet DLL file intercepted commands and replaced them with its own destructive commands. To prevent detection, it disabled automated alarms and masked what was happening to the PLCs by intercepting communications between computers. It literally stripped away any signs of an infection, so workers monitoring the SCADA system could only see legitimate commands and operation. Amazingly, rather than using email or the Internet to spread itself, the Stuxnet virus spread via infected USB sticks and a vulnerability in Windows Explorer to implant malicious code on computers. 1 “How Digital Detectives Deciphered Stuxnet, the most menacing malware in history,” by Kim Zetter, July 11, 2011, Wired. 2 “The 2011 Mid-Year Top Cyber Security Risks Report,” September 2011. 3 “Cost of a data breach climbs higher,” by Larry Ponemon, March 8, 2011, Ponemon Institute. Since 2000, application vulnerabilities are on the rise with over 8,000 new vulnerabilities discovered annually. Of this number, half are now Web related.2 Per a Ponemon Institute report in March 2011, costs have reached $214 per compromised record, and $7.2M per data breach event.3
3 Zero-day attacks are rare compared to more common network denial of service or Web application-based SQL injection attacks. But, a zero-day attack can be more targeted and with potentially more lethal results such as loss of life and economic disaster. Figure 1 shows how the threat landscape has changed in terms of attack vector, types of virus payload, and cyber attacker motivation that now includes cyber sabotage. Early attacks were designed to impact networks and large numbers of computers. In recent years, threats have been more targeted using Web applications. Attacks launched by disgruntled insiders remains a constant threat. With Stuxnet, the world needs to come to grips with the harsh realities and ramifications of politically charged cyber warfare. Attacks that prey on vulnerabilities with software upgrades or patches are not new to information security professionals who have had to contend in past years with the destruction from such viruses as Aurora, Ghostnet, and Confiker. Figure 2 shows how Stuxnet differs from previous exploits across seven stages of an attack. Of interest is how Stuxnet differs in how its payload was introduced, its command and control structure, attack vector, and its self- upgrading capability and stealth presence. Like with most viruses, payloads are usually variants or strains from previous exploits. Such hacker code and/or scripts are traded freely over the Internet. Stuxnet differed, however, as it had components that virus researchers had not seen before. In October 2011, Duqu, the first known variant of Stuxnet was detected in the wild.4 Duqu contained Stuxnet code; but unlike Stuxnet, this Trojan virus did not have sabotage in mind, but rather to gain data from ICS manufacturers, thus making a future attack more effective. Over the last several years, botnets have been launched to compromise computers in order to steal data for profit or espionage. Hacktivist groups have targeted their attacks against well-known corporate and government entities. In response to these changing threats, including allegations that the Anonymous hacktivist group attempted to infiltrate French power plants, security experts from 20 EU nations and the U.S. convened at Cyber Atlantic 2011. The goal was to explore how the EU’s Network and Information Security Agency (ENISA) and the U.S. Department of Homeland Security would cooperate and engage each other in the event of a cyber attack on a critical infrastructure.5 A key exercise was held to simulate an attack that disrupts a SCADA system in a power-generation infrastructure. The results of the exercise will be used to formulate national contingency plans with good practice guides and seminars.6 4 “First came Stuxnet computer virus: now there’s Duqu,” by Tabassum Zakaris, October 18, 2011, Reuters. 5 “Simulated Cyberattacks Unites EU and US Security Experts,” by Jennifer Baker, November 3, 2011, PC World. 6 “First Joint EU-US Cyber Security Exercise Conducted Today, 3rd Nov. 2011,” Brussels, Belgium, PRNewswire. Figure 1. Changing threat landscape from 2002 to present Ever changing threat landscape Angry employee/ Contactor Unethical advertisers Terrorist, political hacktivist Rival corporation Organized crime Outsourced firm or contractor Virus TrojanWorm OS-specific attacks P2P SQL injection XSSPhishing PHP file include PHP SpywareAdware WhalingDDos Amateur hacker/ Criminal 2002–2004 2004–2007 2007–2011+ Network/Server downtime attacks Tracking and masquerading attacks Web application attacks
4 Figure 2. Differences in focus with Stuxnet and other zero-day attacks What makes SCADA vulnerable? SCADA systems are used widely for control automation and by discrete manufacturers including energy (hydro, nuclear), oil and gas, water, mining, automotive, and other manufacturers. Importantly, most systems are derived from legacy technologies found in pilot wire systems of the 1940s and earlier; relay and tone systems based on Visicode in the 1950s–60s; and modern-day systems beginning in the 1970s up through 2000. With analog telemetric roots, ICS and SCADA systems used leased phone lines for communications between central and field stations. If an alarm went off, an engineer drove to the suspect field station to make repairs. By the mid-1970s, with the advancements in space program and microprocessor technologies, data could be multiplexed and collected from field stations and transmitted to a central location. Radio and leased lines were incorporated, resulting in the adoption of unattended monitoring and control capabilities for pipelines, water, waste water, and utility grids. But, the design of these industrial control and SCADA systems, like many legacy systems at the time, did not consider security. A modern SCADA network is considered critical to business operations using the next generation of intelligent and intuitive real-time applications. However, paradoxically, the advancements in technology have only increased the vulnerabilities that can be exploited and used for an attack. Today, SCADA systems have transitioned from separate and proprietary networks to take advantage of modern technologies such as the Internet and wireless systems. SCADA networks are also integrated into the corporate computer systems housing network and asset management, procurement, billing, and operations management applications. According to SCADAhacker.com, Italian “security researcher” Luigi Auriemma publicly disclosed vulnerabilities with six different industrial control systems7 , including: • AzeoTech DAQFacstory (stack overflow) • Beckhoff TwinCAT ‘TCATSysSrv.exe’ (network packet denial of service) • Cogent DataHub (multiple vulnerabilities) • Measuresoft ScadaPro (multiple vulnerabilities) • Progea Movicon (multiple vulnerabilities) • Rockwell RSLogix (overflow vulnerability) Auriemma also provided proof-of-concept code that could be used by others to exploit the suspect vulnerability. Additionally, threat researchers from a major security vendor have identified a buffer overflow with the RSLogix 5000 programming software that can be used to crash the application and deny service to legitimate users.8 7 Posted by Joe Langill, SCADAhacker, September 14, 2011. 8 “Attack: Rockwell RSLogix RsvcHost.exe CVE-2011-3489,” Symantec and CVE-2011-3489, MITRE Corporation. Stuxnet Conficker Ghostnet Strategic target-based Operational Planning recon Payload intro Command and control Footprint expansion Target identification Attack launch Retreat and removal Internet malware Fire and forget Opportunistic Vulnerable host IP endpoint Weak deletion Tight control Targeted expansion Host function and value Layered custom attack vector Self upgrade and stealth Internet physical and external Recent attacks and focus
5 SCADA protocols are also composed of vulnerable legacy technology. To demonstrate this, a man-in-the- middle attack simulation was offered by the Pacific Northwest National Laboratory (PNNL) in Richland, Washington, USA. A commercially available protocol analyzer was used as a man-in-the-middle attack device against a typical intelligent electronic device (IED). Based on the DNP3 protocol, the most common in North America, the SCADA software was spoofed and unaware that the IED was issued commands from the attack device. Such deliberate or unintentional issuing of commands within complex critical infrastructure systems could explain the FirstEnergy power failure of August 2003, which cut power to southeastern Canada and eight northeastern U.S. states. Fifty million people lost power for up to two days in North America’s biggest blackout.9 Other such staged cyber attack exercises and research reveal vulnerabilities in power grids despite the influx of modern technology and tools as well as heavy government intervention in the form of regulation. Common SCADA security challenges As previously discussed, most ICS and SCADA systems are connected to the corporate IT network. Figure 3 shows a hybrid SCADA architecture with the key computers and devices. Here is a list of the security issues tied to this architecture: • Access controls to human-machine interface (HMI) and other equipment with either no or weak authentication; a lack of separation of duties for operator, administrator, and auditor; and inconsistent password management • Physical segmentation of the SCADA network • Rogue wireless access points without encryption • Unauthenticated command execution • Older Windows operating system that can serve as a weak link and be the most vulnerable, especially at the field station level • Systems were built for the long term but outdated operating systems go unpatched • Software updates can require new hardware investments that go unbudgeted • Insufficient controls on contractors have weak policies governing access, use of laptops, and mobile devices • Humans write SCADA system software that can be weak on security • Attack surface that has been simplified 9 “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American. 10 “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American. Figure 3. Hybrid SCADA network One of the realizations since 2003 is that “you can’t just look at your system. You’ve got to look at how your system affects your neighbors and vice versa,” says Arshad Mansoor, vice president of power delivery and utilization with the Electric Power Research Institute of Palo Alto, California.10 Back-office mainframes and servers (ERP, MES, CAPP, PDM, etc.) Corporate IT network Hybrid SCADA network Office applications, internetworking, data servers, storage PC-based controllers Motors, drives, actuators Sensors and other input/output devices Programmable Logic Controllers (PLC) Robotics Device-level network Ethernet
6 There are also other related factors that must be considered when reviewing security challenges with SCADA systems. These include: • Differing priorities between those with SCADA, networking, and security experience • Primary protocols in use were designed to work in a secure, segmented environment • Backup and alternate systems are difficult to come by for testing purposes • Current IT security tools are not built to work on SCADA networks • Scale of critical infrastructure equipment means costs are magnified SCADA systems have also failed due to accidental causes. The Olympic Pipeline Company gasoline pipeline rupture in 1999 caused an explosion that killed three people. A buildup of pressure in the pipeline went undetected, in part, because the controllers that the SCADA system used became unresponsive. The failure of these controllers made it difficult to analyze pipeline conditions and to make timely responses to operational problems. The U.S. National Transportation Safety Board (NTSB) report found cyber security issues before, during, and shortly after the pipeline ruptured. The report identified the following issues that led to abnormal SCADA operation or precluded an ability to determine the cause of the event: • Unsecured remote access • Lack of network separation • Lack of security technologies, including virus protection or access monitoring • Lack of security policies or a cyber security program • Lack of training with operating system and SCADA applications • Lack of audit, diagnostic, and forensic capabilities to replicate the system slowdown and eventual failure • This is still the model of many SCADA systems—an accident waiting to happen, or a deliberate attack to exploit the vulnerabilities Mitigating SCADA security exposures It has been a dozen years since the NTSB report was issued, and SCADA systems are still not secure. What is clear is SCADA needs to be secured throughout its entire lifecycle, and there are best practices, initiatives and guidelines, and solutions that can help mitigate SCADA security exposures. Sharing information within industry, levels of government, and other nations as well as between security professionals and SCADA engineers is an essential start and a critical practice. NERC, the North American Electric Reliability Corporation, publishes reliability standards for the planning and operation of the North American bulk power system. This is a positive step forward toward the goal of defining standards that will provide guidance to security administrators to help them mitigate risks and threats. In yet another response to the rise and intensity of cyber attacks, IEEE, the world’s largest professional association advancing technology for humanity, announced work has begun to revise Secure Authentication (SA) protocols contained in its IEEE 1815 Distributed Network Protocol (DNP3) standard.11 The SA Version 5 revisions will help bolster overall security for data information gathering, exchange, and use in applications like supervisory control and data acquisition (SCADA) systems. SA Version 5 aims to address and help mitigate digital security hazards to essential infrastructures across the power and energy, water, Smart Grid, and other process automation industries. 11 “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association. 12 “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association. “As the rate of bolder, more sophisticated cyber attacks continues to spiral upward, ensuring data integrity and security has become increasingly challenging. By necessity, preventing unauthorized intrusion into critical systems has become a top priority,” said H. Lee Smith, chair, IEEE 1815 Working Group and president, DNP Users Group. “By delivering robust security protocols that are attuned to both existing and emerging threats, SA Version 5 will help minimize risk while ensuring the continued efficient and safe operation of vital infrastructures.”12 NERC has a number of important documents on cyber security, policy, information and asset protection, compliance monitoring, auditing, and data retention. These include: • CIP-002: Critical Cyber Asset Identification • CIP-003: Security Management Controls • CIP-004: Personnel and Training • CIP-005: Electronic Security Perimeter(s) • CIP-006: Physical Security of Critical Cyber Assets • CIP-007: Systems Security Management • CIP-008: Incident Reporting and Response Planning • CIP-009: Recovery Plans for Critical Cyber Assets
7 In order to fully mitigate the risks to SCADA systems, HP security specialists created the following best-practice checklist: • Apply your defense-in-depth security strategy to create a trusted SCADA network. Know what to protect, know the threats and vulnerabilities, and identify misconfigured network security products. • Define and implement security policies when internal systems are accessed by contractors (password requirements, system anti-x, etc.). • Leverage common industry practices: −− Segmentation and topology hiding (firewalls) −− Block real-time threats and patch virtually (intrusion prevention systems) −− Ensure HMIs are patched with the latest available service packs −− Provide password policy and enforcement on all nodes (modems, devices, servers) −− Know the role of SCADA and Smart Grid distribution automation, and leverage SCADA system authentication −− Run regular scans of the network to determine visibility and what has changed (wired and wireless) −− Leverage free tools to understand your level of vulnerability to network topology discover (recon), wireless scanning and password crackers, vulnerability scanners, and Web server scanners Introducing HP TippingPoint and other HP security To best protect your SCADA systems, HP offers a wide selection of security solutions. HP TippingPoint is the pioneer of Intrusion Prevention System (IPS) technology and the market leader in providing network security to over 30% of the Fortune 1000. HP DVLabs is the premier research organization for vulnerability analysis and discovery to make sure TippingPoint customers have the ideal preemptive protection for vulnerabilities and zero- day issues. The team consists of over 1,500 industry- recognized security researchers who apply cutting-edge engineering, reverse engineering, and analysis talents that fuel the creation of vulnerability filters that are automatically delivered to our customers’ intrusion prevention systems through the Digital Vaccine® service. Since 2005, over 2,800 zero-day vulnerabilities have been submitted. Further, HP TippingPoint has been acknowledged 119 times on 20% of all Microsoft® Bulletins.13 HP DVLabs also offers comprehensive Web App Scan and DV Filter services to effectively protect against attacks with vulnerabilities that are moving up the stack. Figure 4 highlights how HP TippingPoint Next Generation Intrusion Prevention System not only prevents advanced, targeted attacks, but also helps clean network traffic and provide optimum visibility and control over your users, applications, and data. 13 Overview of HP TippingPoint Intrusion Prevention System. Figure 4. Overview of HP TippingPoint Intrusion Prevention System Dirty Traffic Intrusion prevention overview Clean Traffic • Appliances, software • Network, cloud, virtual Users, apps, data Intelligence updates Digital Vaccine® Visibility and control Automatic protection Attacks • Network/Server/Applications • Trojans, worms, bots • Network events • Real-time protection • Application control • Cyber reputation • Network performance • Global intelligence • Integrated solutions
Get connected www.hp.com/go/getconnected Get the insider view on tech trends, alerts, and HP solutions for better business outcomes Figure 5. HP TippingPoint coverage of SCADA applications Unauthorized client/server command execution Unauthorized activity stopping applications Denial of service (DoS) attacks Exploits targeted at OS vulnerabilities Broad coverage for different SCADA protocols IPS coverage adapted to SCADA applications SCADAprotocols: Modbus,DNP3,ICCP SCADAfiltersfromDVLabs Protocol anomaly Unauthorized client/server communication Ex. Attempt to control SCADA from the Internet Changing the role of a device Ex. Causing device to listen and not respond causes DoS Unauthorized activity to re-boot devices Clean traffic Share with colleagues © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. 4AA3-9452ENW, Created February 2012; Updated March 2012, Rev. 1 The HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) S Series is optimized for performance and reliability at 20, 100, and 300 Mbps with flexible deployment options. For perimeter protection, the solutions can be deployed in front of or behind a router/firewall to immediately protect the network and applications from inbound threats. Deployment between network zones provides isolation and protects sensitive zones from internal attacks. HP IPS solutions are designed to preserve availability, performance, and security for enterprises and service providers alike. They give service providers more flexibility for general or dedicated protection for their customers’ assets. The series also has integrated Zero Power High Availability (ZPHA) so that a simple power failure does not cause a network outage. This series complements other HP NGIPS solutions, which provide network protection in high-bandwidth locations such as the core network and data center. Figure 5 shows how HP TippingPoint solutions protect SCADA applications by integrating with a broad selection of SCADA protocols. HP TippingPoint solutions offer a number of clear benefits to those organizations with industrial control and SCADA systems. HP TippingPoint systems stop threats faster through a proactive security model that provides exceptional inline enforcement, backed by a host of security services provided by HP TippingPoint’s DVLabs Research organization. HP TippingPoint discovers more vulnerabilities than any competitor in its class and releases patches sooner than most software vendors. On average, TippingPoint protects Microsoft users from vulnerabilities 26 days before Microsoft delivers a patch. HP TippingPoint solutions scale to protect the highest bandwidth data centers, providing IPS solutions that offer inspected throughput ranging from 20 Mbps to 300 Mbps, effectively protecting layers 2–7, while also providing deployment solutions for virtual data centers. HP TippingPoint systems offer immediate, always up-to- date data protection that is crucial to protecting against zero-day attacks. TippingPoint solutions are quick to install and administer. HP also offers other policy enforcement and security solutions, including security management systems that manage enterprise-wide IPS event and profile change views. Getting started with HP For more information on HP TippingPoint solutions, go to www.hpenterprisesecurity.com

More Related Content

PDF
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
byMuhammad FAHAD
 
PDF
The Top 20 Cyberattacks on Industrial Control Systems
byMuhammad FAHAD
 
PPTX
Industrial cyber threat landscape
bybayshorenet
 
PPTX
RSAC 2021 Spelunking Through the Steps of a Control System Hack
byDan Gunter
 
PPTX
Stuxnet
byshiva_sathish
 
PDF
David Blanco ISHM 8280-2016
byDavid Blanco
 
PPTX
Industrial Cyber Security - EVF 2019 Alexandre Darcherif
byAlexandre Darcherif
 
PDF
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
byqqlan
 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
byMuhammad FAHAD
 
The Top 20 Cyberattacks on Industrial Control Systems
byMuhammad FAHAD
 
Industrial cyber threat landscape
bybayshorenet
 
RSAC 2021 Spelunking Through the Steps of a Control System Hack
byDan Gunter
 
Stuxnet
byshiva_sathish
 
David Blanco ISHM 8280-2016
byDavid Blanco
 
Industrial Cyber Security - EVF 2019 Alexandre Darcherif
byAlexandre Darcherif
 
G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...
byqqlan
 

What's hot

PDF
Stuxnet
bySymantec
 
PDF
Cyber security colombo meetup
byEguardian Global Services
 
PDF
[Hitcon 2019] Some things about recent Internet IoT/ICS attacks - a perspecti...
byCanaan Kao
 
PDF
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
byBriskinfosec Technology and Consulting
 
PDF
Sb securing-industrial-control-systems-with-fortinet
byIvan Carmona
 
PPTX
Defending against industrial malware
byAyed Al Qartah
 
PDF
The Duqu 2.0: Technical Details
byKaspersky
 
PDF
10th SANS ICS Security Summit Project SHINE Presentation
byBob Radvanovsky
 
PDF
2019 State of Cyber Security Report
byMohamed Zaheer Husain
 
PPTX
SCADA Presentation
byEric Favetta
 
PDF
Insecure magazine - 52
byFelipe Prado
 
PDF
Securing SCADA
byJeffrey Wang , P.Eng
 
DOC
Project RUGGEDTRAX Findings Report (28-Nov-2015)
byBob Radvanovsky
 
PDF
The stuxnet computer worm. harbinger of an emerging warfare capability
byYury Chemerkin
 
PDF
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
byTI Safe
 
PDF
Iaona handbook for network security - draft rfc 0.4
byIvan Carmona
 
PDF
CSIRS ICS BCS 2.2
byDavid Spinks
 
PDF
Panda Adaptive Defense - The evolution of malware
byPanda Security
 
PPTX
2019 NCLGISA Spring Cybersecurity Threats & Trends: Blended Threats and Smart...
byInternetwork Engineering (IE)
 
Stuxnet
bySymantec
 
Cyber security colombo meetup
byEguardian Global Services
 
[Hitcon 2019] Some things about recent Internet IoT/ICS attacks - a perspecti...
byCanaan Kao
 
Briskinfosec - Threatsploit Report Augest 2021- Cyber security updates
byBriskinfosec Technology and Consulting
 
Sb securing-industrial-control-systems-with-fortinet
byIvan Carmona
 
Defending against industrial malware
byAyed Al Qartah
 
The Duqu 2.0: Technical Details
byKaspersky
 
10th SANS ICS Security Summit Project SHINE Presentation
byBob Radvanovsky
 
2019 State of Cyber Security Report
byMohamed Zaheer Husain
 
SCADA Presentation
byEric Favetta
 
Insecure magazine - 52
byFelipe Prado
 
Securing SCADA
byJeffrey Wang , P.Eng
 
Project RUGGEDTRAX Findings Report (28-Nov-2015)
byBob Radvanovsky
 
The stuxnet computer worm. harbinger of an emerging warfare capability
byYury Chemerkin
 
[CLASS2014] Palestra Técnica - Franzvitor Fiorim
byTI Safe
 
Iaona handbook for network security - draft rfc 0.4
byIvan Carmona
 
CSIRS ICS BCS 2.2
byDavid Spinks
 
Panda Adaptive Defense - The evolution of malware
byPanda Security
 
2019 NCLGISA Spring Cybersecurity Threats & Trends: Blended Threats and Smart...
byInternetwork Engineering (IE)
 

Viewers also liked

PDF
Effect on Substation Engineering Costs of IEC61850 & System Configuration Tools
bySchneider Electric
 
PDF
Excell shortcuts
byproser tech
 
PDF
IEC61850: Use of IEC61850 to telecontrol MV grids (Presentation)
byiGrid T&D
 
PDF
Conceptual Model of Real Time Infrastructure Within Cloud Computing Environment
byCSCJournals
 
PDF
מפרט שריון
byAmi6
 
PDF
Revita ingeneria nformatica forene
bydansilentwarrior
 
PPTX
30c3 lightning talks - phdays labyrinth
byarbitrarycode
 
Effect on Substation Engineering Costs of IEC61850 & System Configuration Tools
bySchneider Electric
 
Excell shortcuts
byproser tech
 
IEC61850: Use of IEC61850 to telecontrol MV grids (Presentation)
byiGrid T&D
 
Conceptual Model of Real Time Infrastructure Within Cloud Computing Environment
byCSCJournals
 
מפרט שריון
byAmi6
 
Revita ingeneria nformatica forene
bydansilentwarrior
 
30c3 lightning talks - phdays labyrinth
byarbitrarycode
 

Similar to SCADA White Paper March2012

PDF
Optional Reading - Symantec Stuxnet Dossier
byAlireza Ghahrood
 
PPTX
10-5-202510-5-202510-5-202510-5-2025.pptx
byFutureTechnologies3
 
PPTX
2012 02 14 Afcom Presentation
byEric Gallant
 
PPTX
13-hamedHanymohamedHany-date-2025 5 10.pptx
byFutureTechnologies3
 
PPTX
Stuxnet worm
bysommerville-videos
 
PDF
How stuxnet spreads – a study of infection paths in best practice systems
byYury Chemerkin
 
PPTX
Infrastructure Attacks - The Next generation, ESET LLC
byInfosec Europe
 
PDF
Symantec Intelligence Quarterly Report - October - December 2010
bySymantec
 
DOCX
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx
byrafbolet0
 
DOCX
Cyber
byjarajana
 
PDF
Securing SCADA
byJeffrey Wang , P.Eng
 
PDF
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
byPatricia M Watson
 
PPTX
Power station monitoring and cyber security
byThames Global Consultants
 
PPTX
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
byDawn Yankeelov
 
PDF
Digital danger zone tackling cyber security
byiFluidsEng
 
PDF
Digital danger zone tackling cyber security
byJohn Kingsley
 
PDF
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
byAhmed Al Enizi
 
PDF
Null Feb 13
bySundar N
 
PDF
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
bynull The Open Security Community
 
PDF
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
byAVEVA
 
Optional Reading - Symantec Stuxnet Dossier
byAlireza Ghahrood
 
10-5-202510-5-202510-5-202510-5-2025.pptx
byFutureTechnologies3
 
2012 02 14 Afcom Presentation
byEric Gallant
 
13-hamedHanymohamedHany-date-2025 5 10.pptx
byFutureTechnologies3
 
Stuxnet worm
bysommerville-videos
 
How stuxnet spreads – a study of infection paths in best practice systems
byYury Chemerkin
 
Infrastructure Attacks - The Next generation, ESET LLC
byInfosec Europe
 
Symantec Intelligence Quarterly Report - October - December 2010
bySymantec
 
Spanish1.jpgSpanish2.jpgSpanish3.jpgSpanish4.jpg.docx
byrafbolet0
 
Cyber
byjarajana
 
Securing SCADA
byJeffrey Wang , P.Eng
 
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
byPatricia M Watson
 
Power station monitoring and cyber security
byThames Global Consultants
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
byDawn Yankeelov
 
Digital danger zone tackling cyber security
byiFluidsEng
 
Digital danger zone tackling cyber security
byJohn Kingsley
 
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
byAhmed Al Enizi
 
Null Feb 13
bySundar N
 
Critical Infrastructure Security Talk At Null Bangalore 13 Feb 2010 Sundar N
bynull The Open Security Community
 
Recent Cybersecurity Concerns and How to Protect SCADA/HMI Applications Prese...
byAVEVA
 

SCADA White Paper March2012

  • 1.
    HP TIPPINGPOINT Securing SCADA:Overview, Risks, and Mitigation HP Enterprise Security Business White Paper Table of contents Overview: SCADA in a changing threat landscape .............................2 SCADA and the lessons learned from Stuxnet......................................2 What makes SCADA vulnerable?.......................................................4 Common SCADA security challenges.................................................5 Mitigating SCADA security exposures.................................................6 Introducing HP TippingPoint and other HP security................................7 Getting started with HP....................................................................7
  • 2.
    2 Overview: SCADA ina changing threat landscape In June 2009, a sophisticated and destructive digital worm was unleashed with a single-minded purpose—to cripple the industrial control infrastructure instrumental to Iran’s uranium enrichment program. The Stuxnet virus not only became known as one of the most potent “zero- day” attacks on a critical infrastructure that included a Supervisory Control and Data Acquisition (SCADA) system, but it is regarded as an act of cyber sabotage that would forever change the threat landscape.1 The intent of this white paper is to update CISOs, network security managers, and as well as line of business executives on how Stuxnet has significantly changed thinking on how a nation’s critical infrastructure is to be protected. A disturbing realization from Stuxnet is that industrial control systems (ICS) and SCADA systems are fair game for such cyber attacks, which means critical industries such as energy, chemicals, agriculture, discrete manufacturing, and others could be in harm’s way in the future. This paper will separate the fact from fiction on the threats and vulnerabilities to SCADA systems and networks. It will outline how SCADA systems have inherent vulnerabilities that can be best resolved by adhering to security best practices. Considering that security tools have long secured corporate networks, this paper will offer how these same solutions can be used to mitigate the risks to SCADA systems. SCADA and the lessons learned from Stuxnet Unlike previous “zero-day” attacks, Stuxnet was designed to sabotage a highly unlikely target— programmable logic controllers (PLCs) and other computers of a SCADA system used to control centrifuges within a nuclear facility. The Stuxnet virus was designed to not only debilitate the SCADA controls, but to do so in ultra-stealth mode. So covert was this cyber attack that it took nearly a year before the infected machines were discovered, and even then, by accident. Researchers were surprised to discover that Stuxnet targeted vulnerabilities in both Windows® and Siemens Simatic WinCC Step7 software, the ICS managing the PLCs that normally drive motors, valves, and switches in everything from food factories and automobile assembly lines to gas pipelines and water treatment plants. A malicious Stuxnet DLL file intercepted commands and replaced them with its own destructive commands. To prevent detection, it disabled automated alarms and masked what was happening to the PLCs by intercepting communications between computers. It literally stripped away any signs of an infection, so workers monitoring the SCADA system could only see legitimate commands and operation. Amazingly, rather than using email or the Internet to spread itself, the Stuxnet virus spread via infected USB sticks and a vulnerability in Windows Explorer to implant malicious code on computers. 1 “How Digital Detectives Deciphered Stuxnet, the most menacing malware in history,” by Kim Zetter, July 11, 2011, Wired. 2 “The 2011 Mid-Year Top Cyber Security Risks Report,” September 2011. 3 “Cost of a data breach climbs higher,” by Larry Ponemon, March 8, 2011, Ponemon Institute. Since 2000, application vulnerabilities are on the rise with over 8,000 new vulnerabilities discovered annually. Of this number, half are now Web related.2 Per a Ponemon Institute report in March 2011, costs have reached $214 per compromised record, and $7.2M per data breach event.3
  • 3.
    3 Zero-day attacks arerare compared to more common network denial of service or Web application-based SQL injection attacks. But, a zero-day attack can be more targeted and with potentially more lethal results such as loss of life and economic disaster. Figure 1 shows how the threat landscape has changed in terms of attack vector, types of virus payload, and cyber attacker motivation that now includes cyber sabotage. Early attacks were designed to impact networks and large numbers of computers. In recent years, threats have been more targeted using Web applications. Attacks launched by disgruntled insiders remains a constant threat. With Stuxnet, the world needs to come to grips with the harsh realities and ramifications of politically charged cyber warfare. Attacks that prey on vulnerabilities with software upgrades or patches are not new to information security professionals who have had to contend in past years with the destruction from such viruses as Aurora, Ghostnet, and Confiker. Figure 2 shows how Stuxnet differs from previous exploits across seven stages of an attack. Of interest is how Stuxnet differs in how its payload was introduced, its command and control structure, attack vector, and its self- upgrading capability and stealth presence. Like with most viruses, payloads are usually variants or strains from previous exploits. Such hacker code and/or scripts are traded freely over the Internet. Stuxnet differed, however, as it had components that virus researchers had not seen before. In October 2011, Duqu, the first known variant of Stuxnet was detected in the wild.4 Duqu contained Stuxnet code; but unlike Stuxnet, this Trojan virus did not have sabotage in mind, but rather to gain data from ICS manufacturers, thus making a future attack more effective. Over the last several years, botnets have been launched to compromise computers in order to steal data for profit or espionage. Hacktivist groups have targeted their attacks against well-known corporate and government entities. In response to these changing threats, including allegations that the Anonymous hacktivist group attempted to infiltrate French power plants, security experts from 20 EU nations and the U.S. convened at Cyber Atlantic 2011. The goal was to explore how the EU’s Network and Information Security Agency (ENISA) and the U.S. Department of Homeland Security would cooperate and engage each other in the event of a cyber attack on a critical infrastructure.5 A key exercise was held to simulate an attack that disrupts a SCADA system in a power-generation infrastructure. The results of the exercise will be used to formulate national contingency plans with good practice guides and seminars.6 4 “First came Stuxnet computer virus: now there’s Duqu,” by Tabassum Zakaris, October 18, 2011, Reuters. 5 “Simulated Cyberattacks Unites EU and US Security Experts,” by Jennifer Baker, November 3, 2011, PC World. 6 “First Joint EU-US Cyber Security Exercise Conducted Today, 3rd Nov. 2011,” Brussels, Belgium, PRNewswire. Figure 1. Changing threat landscape from 2002 to present Ever changing threat landscape Angry employee/ Contactor Unethical advertisers Terrorist, political hacktivist Rival corporation Organized crime Outsourced firm or contractor Virus TrojanWorm OS-specific attacks P2P SQL injection XSSPhishing PHP file include PHP SpywareAdware WhalingDDos Amateur hacker/ Criminal 2002–2004 2004–2007 2007–2011+ Network/Server downtime attacks Tracking and masquerading attacks Web application attacks
  • 4.
    4 Figure 2. Differencesin focus with Stuxnet and other zero-day attacks What makes SCADA vulnerable? SCADA systems are used widely for control automation and by discrete manufacturers including energy (hydro, nuclear), oil and gas, water, mining, automotive, and other manufacturers. Importantly, most systems are derived from legacy technologies found in pilot wire systems of the 1940s and earlier; relay and tone systems based on Visicode in the 1950s–60s; and modern-day systems beginning in the 1970s up through 2000. With analog telemetric roots, ICS and SCADA systems used leased phone lines for communications between central and field stations. If an alarm went off, an engineer drove to the suspect field station to make repairs. By the mid-1970s, with the advancements in space program and microprocessor technologies, data could be multiplexed and collected from field stations and transmitted to a central location. Radio and leased lines were incorporated, resulting in the adoption of unattended monitoring and control capabilities for pipelines, water, waste water, and utility grids. But, the design of these industrial control and SCADA systems, like many legacy systems at the time, did not consider security. A modern SCADA network is considered critical to business operations using the next generation of intelligent and intuitive real-time applications. However, paradoxically, the advancements in technology have only increased the vulnerabilities that can be exploited and used for an attack. Today, SCADA systems have transitioned from separate and proprietary networks to take advantage of modern technologies such as the Internet and wireless systems. SCADA networks are also integrated into the corporate computer systems housing network and asset management, procurement, billing, and operations management applications. According to SCADAhacker.com, Italian “security researcher” Luigi Auriemma publicly disclosed vulnerabilities with six different industrial control systems7 , including: • AzeoTech DAQFacstory (stack overflow) • Beckhoff TwinCAT ‘TCATSysSrv.exe’ (network packet denial of service) • Cogent DataHub (multiple vulnerabilities) • Measuresoft ScadaPro (multiple vulnerabilities) • Progea Movicon (multiple vulnerabilities) • Rockwell RSLogix (overflow vulnerability) Auriemma also provided proof-of-concept code that could be used by others to exploit the suspect vulnerability. Additionally, threat researchers from a major security vendor have identified a buffer overflow with the RSLogix 5000 programming software that can be used to crash the application and deny service to legitimate users.8 7 Posted by Joe Langill, SCADAhacker, September 14, 2011. 8 “Attack: Rockwell RSLogix RsvcHost.exe CVE-2011-3489,” Symantec and CVE-2011-3489, MITRE Corporation. Stuxnet Conficker Ghostnet Strategic target-based Operational Planning recon Payload intro Command and control Footprint expansion Target identification Attack launch Retreat and removal Internet malware Fire and forget Opportunistic Vulnerable host IP endpoint Weak deletion Tight control Targeted expansion Host function and value Layered custom attack vector Self upgrade and stealth Internet physical and external Recent attacks and focus
  • 5.
    5 SCADA protocols arealso composed of vulnerable legacy technology. To demonstrate this, a man-in-the- middle attack simulation was offered by the Pacific Northwest National Laboratory (PNNL) in Richland, Washington, USA. A commercially available protocol analyzer was used as a man-in-the-middle attack device against a typical intelligent electronic device (IED). Based on the DNP3 protocol, the most common in North America, the SCADA software was spoofed and unaware that the IED was issued commands from the attack device. Such deliberate or unintentional issuing of commands within complex critical infrastructure systems could explain the FirstEnergy power failure of August 2003, which cut power to southeastern Canada and eight northeastern U.S. states. Fifty million people lost power for up to two days in North America’s biggest blackout.9 Other such staged cyber attack exercises and research reveal vulnerabilities in power grids despite the influx of modern technology and tools as well as heavy government intervention in the form of regulation. Common SCADA security challenges As previously discussed, most ICS and SCADA systems are connected to the corporate IT network. Figure 3 shows a hybrid SCADA architecture with the key computers and devices. Here is a list of the security issues tied to this architecture: • Access controls to human-machine interface (HMI) and other equipment with either no or weak authentication; a lack of separation of duties for operator, administrator, and auditor; and inconsistent password management • Physical segmentation of the SCADA network • Rogue wireless access points without encryption • Unauthenticated command execution • Older Windows operating system that can serve as a weak link and be the most vulnerable, especially at the field station level • Systems were built for the long term but outdated operating systems go unpatched • Software updates can require new hardware investments that go unbudgeted • Insufficient controls on contractors have weak policies governing access, use of laptops, and mobile devices • Humans write SCADA system software that can be weak on security • Attack surface that has been simplified 9 “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American. 10 “The 2003 Northeast Blackout – Five Years Later,” by JR Minkel, August 13, 2008, Scientific American. Figure 3. Hybrid SCADA network One of the realizations since 2003 is that “you can’t just look at your system. You’ve got to look at how your system affects your neighbors and vice versa,” says Arshad Mansoor, vice president of power delivery and utilization with the Electric Power Research Institute of Palo Alto, California.10 Back-office mainframes and servers (ERP, MES, CAPP, PDM, etc.) Corporate IT network Hybrid SCADA network Office applications, internetworking, data servers, storage PC-based controllers Motors, drives, actuators Sensors and other input/output devices Programmable Logic Controllers (PLC) Robotics Device-level network Ethernet
  • 6.
    6 There are alsoother related factors that must be considered when reviewing security challenges with SCADA systems. These include: • Differing priorities between those with SCADA, networking, and security experience • Primary protocols in use were designed to work in a secure, segmented environment • Backup and alternate systems are difficult to come by for testing purposes • Current IT security tools are not built to work on SCADA networks • Scale of critical infrastructure equipment means costs are magnified SCADA systems have also failed due to accidental causes. The Olympic Pipeline Company gasoline pipeline rupture in 1999 caused an explosion that killed three people. A buildup of pressure in the pipeline went undetected, in part, because the controllers that the SCADA system used became unresponsive. The failure of these controllers made it difficult to analyze pipeline conditions and to make timely responses to operational problems. The U.S. National Transportation Safety Board (NTSB) report found cyber security issues before, during, and shortly after the pipeline ruptured. The report identified the following issues that led to abnormal SCADA operation or precluded an ability to determine the cause of the event: • Unsecured remote access • Lack of network separation • Lack of security technologies, including virus protection or access monitoring • Lack of security policies or a cyber security program • Lack of training with operating system and SCADA applications • Lack of audit, diagnostic, and forensic capabilities to replicate the system slowdown and eventual failure • This is still the model of many SCADA systems—an accident waiting to happen, or a deliberate attack to exploit the vulnerabilities Mitigating SCADA security exposures It has been a dozen years since the NTSB report was issued, and SCADA systems are still not secure. What is clear is SCADA needs to be secured throughout its entire lifecycle, and there are best practices, initiatives and guidelines, and solutions that can help mitigate SCADA security exposures. Sharing information within industry, levels of government, and other nations as well as between security professionals and SCADA engineers is an essential start and a critical practice. NERC, the North American Electric Reliability Corporation, publishes reliability standards for the planning and operation of the North American bulk power system. This is a positive step forward toward the goal of defining standards that will provide guidance to security administrators to help them mitigate risks and threats. In yet another response to the rise and intensity of cyber attacks, IEEE, the world’s largest professional association advancing technology for humanity, announced work has begun to revise Secure Authentication (SA) protocols contained in its IEEE 1815 Distributed Network Protocol (DNP3) standard.11 The SA Version 5 revisions will help bolster overall security for data information gathering, exchange, and use in applications like supervisory control and data acquisition (SCADA) systems. SA Version 5 aims to address and help mitigate digital security hazards to essential infrastructures across the power and energy, water, Smart Grid, and other process automation industries. 11 “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association. 12 “IEEE Addresses Evolving Smart Grid Security Challenges with Revisions to Critical IEEE 1815 Standard,” by Shuang Yu, November 2011, IEEE Standards Association. “As the rate of bolder, more sophisticated cyber attacks continues to spiral upward, ensuring data integrity and security has become increasingly challenging. By necessity, preventing unauthorized intrusion into critical systems has become a top priority,” said H. Lee Smith, chair, IEEE 1815 Working Group and president, DNP Users Group. “By delivering robust security protocols that are attuned to both existing and emerging threats, SA Version 5 will help minimize risk while ensuring the continued efficient and safe operation of vital infrastructures.”12 NERC has a number of important documents on cyber security, policy, information and asset protection, compliance monitoring, auditing, and data retention. These include: • CIP-002: Critical Cyber Asset Identification • CIP-003: Security Management Controls • CIP-004: Personnel and Training • CIP-005: Electronic Security Perimeter(s) • CIP-006: Physical Security of Critical Cyber Assets • CIP-007: Systems Security Management • CIP-008: Incident Reporting and Response Planning • CIP-009: Recovery Plans for Critical Cyber Assets
  • 7.
    7 In order tofully mitigate the risks to SCADA systems, HP security specialists created the following best-practice checklist: • Apply your defense-in-depth security strategy to create a trusted SCADA network. Know what to protect, know the threats and vulnerabilities, and identify misconfigured network security products. • Define and implement security policies when internal systems are accessed by contractors (password requirements, system anti-x, etc.). • Leverage common industry practices: −− Segmentation and topology hiding (firewalls) −− Block real-time threats and patch virtually (intrusion prevention systems) −− Ensure HMIs are patched with the latest available service packs −− Provide password policy and enforcement on all nodes (modems, devices, servers) −− Know the role of SCADA and Smart Grid distribution automation, and leverage SCADA system authentication −− Run regular scans of the network to determine visibility and what has changed (wired and wireless) −− Leverage free tools to understand your level of vulnerability to network topology discover (recon), wireless scanning and password crackers, vulnerability scanners, and Web server scanners Introducing HP TippingPoint and other HP security To best protect your SCADA systems, HP offers a wide selection of security solutions. HP TippingPoint is the pioneer of Intrusion Prevention System (IPS) technology and the market leader in providing network security to over 30% of the Fortune 1000. HP DVLabs is the premier research organization for vulnerability analysis and discovery to make sure TippingPoint customers have the ideal preemptive protection for vulnerabilities and zero- day issues. The team consists of over 1,500 industry- recognized security researchers who apply cutting-edge engineering, reverse engineering, and analysis talents that fuel the creation of vulnerability filters that are automatically delivered to our customers’ intrusion prevention systems through the Digital Vaccine® service. Since 2005, over 2,800 zero-day vulnerabilities have been submitted. Further, HP TippingPoint has been acknowledged 119 times on 20% of all Microsoft® Bulletins.13 HP DVLabs also offers comprehensive Web App Scan and DV Filter services to effectively protect against attacks with vulnerabilities that are moving up the stack. Figure 4 highlights how HP TippingPoint Next Generation Intrusion Prevention System not only prevents advanced, targeted attacks, but also helps clean network traffic and provide optimum visibility and control over your users, applications, and data. 13 Overview of HP TippingPoint Intrusion Prevention System. Figure 4. Overview of HP TippingPoint Intrusion Prevention System Dirty Traffic Intrusion prevention overview Clean Traffic • Appliances, software • Network, cloud, virtual Users, apps, data Intelligence updates Digital Vaccine® Visibility and control Automatic protection Attacks • Network/Server/Applications • Trojans, worms, bots • Network events • Real-time protection • Application control • Cyber reputation • Network performance • Global intelligence • Integrated solutions
  • 8.
    Get connected www.hp.com/go/getconnected Get theinsider view on tech trends, alerts, and HP solutions for better business outcomes Figure 5. HP TippingPoint coverage of SCADA applications Unauthorized client/server command execution Unauthorized activity stopping applications Denial of service (DoS) attacks Exploits targeted at OS vulnerabilities Broad coverage for different SCADA protocols IPS coverage adapted to SCADA applications SCADAprotocols: Modbus,DNP3,ICCP SCADAfiltersfromDVLabs Protocol anomaly Unauthorized client/server communication Ex. Attempt to control SCADA from the Internet Changing the role of a device Ex. Causing device to listen and not respond causes DoS Unauthorized activity to re-boot devices Clean traffic Share with colleagues © Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. 4AA3-9452ENW, Created February 2012; Updated March 2012, Rev. 1 The HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) S Series is optimized for performance and reliability at 20, 100, and 300 Mbps with flexible deployment options. For perimeter protection, the solutions can be deployed in front of or behind a router/firewall to immediately protect the network and applications from inbound threats. Deployment between network zones provides isolation and protects sensitive zones from internal attacks. HP IPS solutions are designed to preserve availability, performance, and security for enterprises and service providers alike. They give service providers more flexibility for general or dedicated protection for their customers’ assets. The series also has integrated Zero Power High Availability (ZPHA) so that a simple power failure does not cause a network outage. This series complements other HP NGIPS solutions, which provide network protection in high-bandwidth locations such as the core network and data center. Figure 5 shows how HP TippingPoint solutions protect SCADA applications by integrating with a broad selection of SCADA protocols. HP TippingPoint solutions offer a number of clear benefits to those organizations with industrial control and SCADA systems. HP TippingPoint systems stop threats faster through a proactive security model that provides exceptional inline enforcement, backed by a host of security services provided by HP TippingPoint’s DVLabs Research organization. HP TippingPoint discovers more vulnerabilities than any competitor in its class and releases patches sooner than most software vendors. On average, TippingPoint protects Microsoft users from vulnerabilities 26 days before Microsoft delivers a patch. HP TippingPoint solutions scale to protect the highest bandwidth data centers, providing IPS solutions that offer inspected throughput ranging from 20 Mbps to 300 Mbps, effectively protecting layers 2–7, while also providing deployment solutions for virtual data centers. HP TippingPoint systems offer immediate, always up-to- date data protection that is crucial to protecting against zero-day attacks. TippingPoint solutions are quick to install and administer. HP also offers other policy enforcement and security solutions, including security management systems that manage enterprise-wide IPS event and profile change views. Getting started with HP For more information on HP TippingPoint solutions, go to www.hpenterprisesecurity.com