First SCADA LAB International Workshop

1ST International ScadaLab Workshop

Madrid, 26th November 2013

SCADA Laboratory and testbed as a service for Critical Infrastructure protection

With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme.
European Commission - Directorate-General Home Affairs

Agenda

10.00h: Registration & Welcome
10.30h: ScadaLab Project Presentation

11.30h: Coffee break
12.00h: ScadaLab Validation Exercise

12.45h: Related Projects Presentation
13.30h: Lunch

14.30h: Training Session
16.30h: Closure

WP2
Definition of Testing Methodology
Zanasi & Partners



Content

1. WP 2 Introduction
2. Development of Work

WP2: Definition of Testing Methodology

• Aims: to assess the users’ needs, to define
the testing methodology to be adopted in the
SCADALAB environment, and to elaborate an
inventory of security tests to be performed
• Participants: Zanasi & Partners (WP leader),
AEI Seguridad, CNPIC, INTECO, Telvent
Energy, Theodore Puskas Foundation
• Time-frame:
(21/9/2012 – 18/12/2012)

M1-M3

WP2: List of Tasks

Three tasks:
• T2.1: Initial Survey
• T2.2: Develop Testing Methodology
• T2.3: Develop Security Tests Inventory
Three deliverables:
• D2.1: Survey Report: Analysis of
Questionnaires (+ annex: Questionnaire for
Stakeholders)
• D2.2: Testing Methodology
• D2.3: Security Tests

WP2 – T2.1: Initial Survey

• Aims: to identify users’ needs and to
assess stakeholders’ priorities for a
SCADALAB environment
• Contributors: AEI Seguridad, CNPIC,
INTECO, Telvent Energy, Theodore Puskas
Foundation, Zanasi & Partners


11 stakeholders were interviewed via written questionnaires
The questionnaires aimed at collecting information on the profile of
the respondent organisation, on its awareness about cyber-security
risks, on its IT infrastructure and on its perceived security needs
The questionnaires were
Structured in 6 sections:
• Organisation profile
• Awareness
• Architecture
• Existing Threats
• Security Controls
• Identified Needs
8


Main findings:
• Most of the respondents (91%) perceive the problem of securing
their ICS as sensitive
• 64% of the organisations use ICS directly or indirectly connected
to the public Internet. In 91% of cases the ICS are connected to
the corporate network
• Half the respondents use COTS within their ICS
• Nobody declared to be victim of cyber-attacks in the past (but
only 45% of respondents feels able to detect intrusions)
• There is a general lack of knowledge on ICS security standards
(64% of respondents do not know any, 83% do not adopt any)
• Only 36% of stakeholders interviewed regularly perform ICS
security tests (10% only can rely on a permanent testing
environment)
• Cryptography systems for front-end and field devices are hardly
used (30%)

WP2 – T2.2: Develop Testing Methodology

• Aims: to review the most widely used
security testing methodologies and to
develop a new one specific for the
SCADALAB environment
• Contributors: AEI Seguridad, INTECO,
Telvent Energy, Zanasi & Partners


• At a preliminary stage, 11 existing testing
methodologies (CPNI, US-CERT, ANSI/ISA,
INL [2], DOE, NIST, LEET, CERT-CC, ISECOM,
CCRA) were thoroughly analysed and rated
based on their suitability for the SCADALAB
project
• Later on, the information gathered through
the above task has been used as a basis to
develop an entirely new testing methodology
specific for the SCADALAB environment


The SCADA LAB environment is articulated in two
principal areas:
• Laboratory area (from where the security tests are
run and controlled)
• Test beds area (which physically contains the
components of the various ICS test beds)

The security requirements
for both the laboratory
area and the test beds
area have been identified


Testing methodology - three phases:
• Planning

– Organisational level (set up the assessment team, sign NDAs, develop the
test plan, collect information on the organisation)
– Operational level (decide the proper type of assessment, establish a set of
initial attack vectors, identify the assessment targets, elaborate a detailed
plan of the testing)
– Technician level (demand to the manager of the test bed the
implementation of the needed technical requirements, identify/acquire
required HW/SW, develop the security test inventory)

• Assessment

– Set up the lab (according to the target to assess and based on the test
inventory available)
– Execution (performing the test, which may involve: information gathering,
network mapping, vulnerability identification, penetration testing)

• Reporting

– Calculating metrics (e.g., via Common Vulnerability Scoring Systems,
CVSS)
– Report of findings (technical report, executive report)

WP2 – T2.3: Develop Security Tests Inventory

• Aims: to develop an inventory of security
tests that can be performed during
security analysis on ICS environments in
the SCADALAB environment
• Contributors: INTECO, TPF


Security tests (1/2):
•

Information gathering

•

Authentication mechanisms

•

Program logic flaws

•

Cryptographic flaws

•

Spoofing

–
–
–

Get information architecture
Fingerprint and enumeration of host information
Port scanning

–
–

Password testing
Session hijacking

–
–
–
–

SQL injection
Cross-Site Scripting (XSS)
Buffer overflow
Fuzz testing

–

Cold boot attacks on encryption keys

–
–

MAC address spoofing
IP address spoofing


Security tests (2/2):
• Sniffing

– Sniffing

• Denial of service
–
–
–
–

ICMP flood
SYN flood
Teardrop attacks
Application DoS

–
–
–
–
–
–

CAM table overflow
VLAN hopping
Private VLAN attacks
Spanning tree manipulation
DHCP starvation
CISCO discovery protocol

• Routing

• IPv6 testing
– IPv6 fake router
advertisement
– IPv6 gather information
– IPv6 MITM attack
– IPv6 address duplicate
– IPv6 false CGA
– IPv6 network saturation
– Mobile IPv6 route
spoofing

Questions?

With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and
other Security-related Risks Programme.

WP 3
Design of Laboratory Architecture
INTECO



Content

1. Objectives / Aim of the activity
2. Expected results / outputs and
deliverables


Requirements



SCADA LAB Design
- Laboratory Area

- Test Bed Area


Security Assessment

3. Conclusions

WP3/ Design of Laboratory Architecture

• Participants:

INTECO

ZANASI &
PARTNERS

• Tasks:

Summary

TELVENT
GLOBAL
SERVICES

TELVENT
ENERGY

– T3.1 / Identify requirements
– T3.2 / Analyze requirements
– T3.3 / Prepare high level design

• Deliverables:
– D3.1 System architectural design document
– D3.2 Security Assessments

• Time-frame: M4-M10

CNPIC

Objectives / Aim of the activity

Goal



Carry out security assessments to remote Test Beds.



Design aligned with methodology.



Accomplish minimum set of requirements.





Why?

Stakeholders having their own Test Beds…
… and carrying out their own security tests.

Company A

Company B

Company C


Why?



Are these tests all you can do?




Has your staff needed knowledge?


Company A

More tests = more tools = more €

Contract expert security services = more €


Aim



SCADA Laboratory and test bed as a service for Critical
Infrastructure protection.



We will have methodology and tools... You can use them.


Base design



First design based on methodology

Test Beds Area
Laboratory
Area

Test bed 1

Test Plan 1
Test bed 2
Test Plan 2
Test Plan
N

…

Expected results / outputs and deliverables:
Requirements

Initial Requirements

8 HIGH-LEVEL requirements:
•
•
•
•
•
•
•
•

Production system.
Hardware interface or integration
Assessment system
Monitoring system
Results analysis system
Distributed tests
Isolated test beds
Testing methodology

57 LOW-LEVEL requirements.
•
•
•
•

Description.
Priority.
Area.
Implementation guidance.

REQUIREMENT
1.- ID

2.- Requirement name

REQUIREMENT

3.- Priority
4.- Area
1.- ID 2.- level of the name has an REQUIREMENT
3.- Priority
4.- Area
Each Requirement target
entry point from
R1.3
High
Test beds
where perform the tests.
1.- IDEach Requirement name
2.- level of the target has an REQUIREMENT
3.- Priority
4.- Area
entry point from
R1.3
High
Test beds
1.-where performof the target
ID
3.- Priority
4.- Area
5.- Description 2.- Requirement name has an REQUIREMENT
Each level the tests.
entry point from
R1.3
High
Test beds
where perform of the target
the tests.
1.- ID 2.- Requirement name has an REQUIREMENT
3.- Priority
4.- Area
Each level
entry point from
5.- Description
R1.3
High
Test beds
The laboratory should communicate with every level of the scheme in an independent way.
where2.- Requirement name
perform the tests.
REQUIREMENT
5.- Description
1.- ID
3.- Priority
4.- Area
Each level of the target has an entry point from
R1.3
High
Test
The laboratory should communicate with every level of the scheme in an independent way. beds
where perform
tests.
5.- DescriptionEach Requirement name
1.- ID 2.- level thethe target has an REQUIREMENT
3.- Priority
4.- Area
of
from
IMPLEMENTATION of entry point in an independent way.
The laboratory should communicate with every level the scheme
R1.3
High
Test beds
where perform the tests.
5.- Description 2.- level of the name has an entry point from
Each
1.- ID
3.- Priority
IMPLEMENTATION
The laboratory should Requirement target
6.- Implementation guidance communicate with every level of the scheme in an independent way. 4.- Area
R1.3
High
Test beds
where perform
tests.
5.- DescriptionEach level the the target has an entry point from
IMPLEMENTATION of or virtual networks (one for way.
of
The laboratory should
6.- Implementation guidance communicate with every level
The laboratory can connect to different networks, sub-networks, the scheme in an independent
R1.3
High
Test beds
5.- Description
IMPLEMENTATION
each level), from where carry where perform the tests. every level of the scheme in an independent way.
6.- Implementation guidance test to the target.
The laboratoryout the communicate with
should
The laboratory can connect to different networks, sub-networks, or virtual networks (one for
IMPLEMENTATION
each 6.- Implementation guidance different networks, sub-networks, the scheme in an independent
The5.- Description
laboratory out
7.- Otherlevel), from where carry should communicate with every level of or virtual networks (one for way.
Theconsiderations connect tothe test to the target.
laboratory can
IMPLEMENTATION
Theconsiderations carry out the communicate with
laboratory can
to
7.-each level), from whereconnectshouldtest to networks, sub-networks, or virtual networks (one for
Other6.- Implementation guidance different the target.
If an agent installed Thethe test bed is used then it has toevery level of the links to these independent way.
in laboratory
have sufficient scheme in an
each level), from where carry out the test to the target.
IMPLEMENTATION
7.- Other considerations connect to
The laboratory can
connections. 6.- Implementation guidancedifferent networks, sub-networks, or virtual networks (one for
If an agent installed in the test bed is used then it has to have sufficient links to these
target.
7.- each level), from where carry out the test to theIMPLEMENTATION
Other considerations
The Implementation guidance
connections. 6.-laboratory can test bed to different networks, to have sufficientvirtual to these (one for
If an agent installed in the connect is used then it has sub-networks, or links networks
each considerations connect to different the target.
7.- Otherlevel), from where carry out the test to networks, sub-networks, or virtual networks (one for
The laboratory the
connections. 6.- Implementation guidance used then it has to have sufficient links to these
If an agent installed in can test bed is
7.-each level), from where carry out the test to networks,
Other considerations
connections.The laboratory can connect to different the target. sub-networks, or virtual networks (one for
7.- Other considerations
each
connections. level), from where carry out the test to the target.
7.- Other
connections. installed in the test bed is used then it has to have sufficient links to these
If an agent considerations
connections.
connections.

Requirements

LOW-LEVEL Requirements

ID

Description

R1

Priority

Production system

R1.1 The control system shall be composed by control devices and field devices.
R1.2 The architecture of the test bed shall be representative of a real ICS.
R1.3 Each level of the target has an entry point from where perform the tests.

R2

High
High
High

Hardware interface or integration

R2.1 The control devices shall communicate with usual control protocols.

R3

High

Assessment system

R3.1 Automatized tests
R3.2 Set of workstations physically accessible to the operators



And more…

High
High

SCADA LAB Design

Global Design

SCADA LAB Design

Laboratory Area

SCADA LAB Design

Test Bed Area

Really?

Security Assessment
Security Assessment
Sponsor

35

Conclusions

1. Based in their own methodology
2. Service for Critical Infrastructure
Protection that:
1.
2.
3.
4.

Complements other security services/tools
Carries out remote tests (and local ones)
Can be adapted to any kind of Test bed
Is scalable

WP 4&5
Laboratory Implementation
Pilot Implementation and Experimentation
TELVENT ENERGÍA



Content

1. WP 4


Objectives

•

Development of work and outputs

2. WP 5


Objectives



Development of work and outputs



Next activities

WP4&WP5

WP3 DESIGN

WP4 IMPLEMENTATION

WP5 EXPERIMENTATION

WP4: Laboratory Implementation

• Goal: The objective of this WP is the implementation
of the SCADA LAB laboratory, according to the design
and requirements defined in WP3
• Participants: Telvent Energy (co-leader), Telvent
Global Services (co-leader), INTECO, CNPIC, AEI
Seguridad.
• Time-frame:
February 2013 (M6) – December 2013 (M16) (ongoing)

WP4: Tasks

• T4.1: Select infrastructures and
communications
 Equipment selection
 Software selection
 Facilities selection
• T4.2: Integrate HW and SW in the facilities
– Implementation

WP4 – T4.1: Select infrastructures and
communications

• Laboratory Area:
 Open Vulnerability Assessment System (OpenVAS)
 Other Tools: NMAP, NIKTO, SNMP, etc.

• Test Bed Area:
 Saitel DR Platform (RTU)
 OASyS Platform (SCADA)

REMOTE CONECTION (VPN)

WP4 – T4.2: Integrate HW and SW in the
facilities

INTECO HEADQUARTERS (LEON)
SCADALAB LABORATORY

TESTBED IMPLEMENTATION
TELVENT ENERGY HEADQUARTERS (SEVILLE)
SCADALAB TESTBED

WP5: Pilot Implementation and Experimentation

• Goals: The objectives of this WP are:
 The definition and implementation of the SCADA LAB pilot
 The execution of the security tests
 The analysis of the test results

• Participants: Telvent Energy (leader), INTECO,
CNPIC, Telvent Global Services.
• Time-frame:
October 2013 (M14) – April 2014 (M20) (ongoing)

WP5: Tasks

• Tasks:
o T5.1 Select the system to be analyzed as a
pilot
o T5.2 Pilot system installation
o T5.3 Carry on tests over pilot system
o T5.4 Analyze results

WP5 – T5.1 Select the system to be analyzed as
a pilot

WP5 – Next Activities

• Next Activities:
 Pilot system installation
 Carry on tests over pilot system
 Analyze results

WP6
Results Sharing and Test Bed Saas
TELVENT GLOBAL SERVICES



Content

1. Current situation
2. WP Objectives
4. Conclusions

Current Situation



We have the Testing Methodology



We have set up the Laboratory



We have built the SCADALAB Components



Server / Workstation / Agent



We have the stakeholders ready for security assessments…



What else do we need?

WP Objective and Description

SCADALAB WP6!!!
Objective!

Build up a framework to share
information and experiences
between stakeholders



Identify the information sharing and remote test requirements and needs.



Define and Implement an Information Sharing framework



Define and Develop a Front-End SaaS Framework and a Front-End service

WP Objective and Description

 Work Package participants:
TGS
Energy

 Time-frame:
February 2013 – December 2013

WP Activities Summary

Activity #1: Identify information and Requirements
Identify the information, requirements and all the real needs from the stakeholders
regarding a Remote Security Test platform and a Sharing information framework
Define a functional design according to the stakeholders needs
Activity #2: Define the Information sharing framework
Define the requirements for the Information Sharing framework

Looking for synergies in results sharing methods and procedures and Integration
between SCADALAB Front-End SaaS and other ICS security tools

Activity #3: Define & Develop Front-End SaaS Framework
Develop a Front-End which allows the management of the security assessments and integrate
it with the Information Sharing framework.
Implement the identified Front-End requirements and test the platform.

Activity 1: Identify information and Requirements

 Objective: Identify the information which key users involved in ICS scenarios are ready
to share (stakeholder, vendors, operators…) and the requirements for the SCADALAB
Front-End.



Tasks performed:



Stakeholders identified and contacted (by the WP participants) coming from different
countries.



Survey Creation



More than 60 questions



Questions grouped in different categories



Current Situation



Security Assessment Requests



Assessments Results and Sharing



Needs Identified



Needs and Desires




Tasks performed:



5
7

Survey Creation: Developed in PDF format

(EC_SCADALAB_Security_Assessments_Questionnaire_Request.pdf)




Tasks performed:



Survey Creation: Developed by web-based survey




Tasks performed:



Organized sharing meetings and/or survey delivery to get the results



Analysis and conclusions of the gathered data.



Deliverables: based on the Survey results, “Requirements&Needs” documentation



Functional requirements



Technical requirements



Security requirements



Design requirements

(EC_SCADALAB_Identified_Requirements.xlsx)

(EC_SCADALAB_Security_Assessments_Questionnaire_Results_Evaluation.docx)

Activity 2: Define the Information sharing framework

 Objective: Define the sharing information framework.


Based on the EU recommendations regarding the intend of complement existing
test bed initiatives for CI protection between UE related projects.

http://cloudcert.european-project.eu/project.php?lang=en

Evaluate the integration looking for
synergies in results sharing methods and
procedures



CloudCERT is a cloud testbed for the coordination of Europe Critical Infrastructure
Protection (CIP), which aim is to provide a testbed framework to integrate mechanisms
for coordinating partnerships and stakeholder efforts to effectively exchange information
related to CIP and their security aspects.



CloudCERT testbed ensure easy, simple information sharing for cooperation joint
exercises, as well as a rapid and risk-free implementation in a real operational and
collaborative environment.



CloudCERT test bed platform is an initiative coordinated by INTECO and some assets,
knowledge and infrastructure can be reused in an efficient manner. SCADA Lab will
complement the cooperation framework and will integrate the same exchange of
information mechanisms.


http://cloudcert.european-project.eu/project.php?lang=en


 Expected Results:


Information Sharing Framework





Functional Definition, and
Integration Requirements with CloudCERT

Integration tests and functional documentation

CloudCERT is co-financiated by the European Union (EU) following the specific program named "Prevention, Preparedness and
Consequence Management of Terrorism and other Security-related risks", located within the "Security and Safeguarding
Liberties" program.

Activity 3: Define & Develop Front-End SaaS Framework

 Objective: Develop a Front-End SaaS Framework and a Front-End service




Based and adapted to their real needs, with functionalities and processes
identified



Public and/or private access



Easy and secured results sharing methods




Useful tool for Stakeholders

Integrated with the defined Information Sharing framework

With the aim of…



…the management of the Security Evaluations and Results Information Sharing.




SCADALAB Front-End is being developed with best security practices in mind by itself
and leveraging on Drupal's experience avoiding security threats such as cross-side
scripting, SQL Injection, site impersonation and so on ....



Some of the functionalities and requirements that are being developed for the
SCADALAB Front-End are:



Web Interface Multiplatform / Multilingual



Secure Access / Access Control



Users Management / Passwords Policy



Workflows Management



Different types of Assessment



Selection of the Assessment Target



Status of the Assessment



List of existing Assessment Requests

WP7
Training and awareness
Europe for Business



Content

1. WP Objectives
2. Description of work

3. Expected Results

1. Objective (1)

What is the problem?

There is insufficient knowledge sharing on
SCADA security exercises, bringing
stakeholders together, providing user groups
forums and awareness sessions to potential
beneficiaries.

1. Objective (2)

Contribute to create a strong culture of
security around SCADA systems.

2. Description of Work - Timetable

WP7 has started during month 15,
namely November 2013
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
Training and Awareness
T7.1 / Design training strategy
T7.2 / Elaborate training materials
T7.3 / Carry on Pilot Project
T7.4 / Define awareness Plan
T7.5 / Create awareness materials

T7.1 Design training strategy

tasks

Aims: Identify the training needs of different
groups

Contributors: E4Business,
Seguridad, CNPIC

INTECO,

AEI

T7.2 Elaborate training materials

tasks

Aims: Create different training materials for
different groups

Contributors: E4Business, NISZ, INTECO,
AEI Seguridad

T7.3

Carry on pilot training

tasks

Aims: Test that training strategy
materials meet trainee needs

and

AEI Seguridad

T7.4

Define awareness plan

tasks

Aims: Identify the
different groups

awareness

needs

of

AEI Seguridad, CNPIC

T7.5

Create awareness materials

tasks

Aims: Create different awareness materials
for different groups

AEI Seguridad

2. Target groups













Security Research Centres
National Authorities
End users CI Operators
Methodology experts
Security training professionals
Independent security experts
Foundations specialized on security technologies
ICT security association of SMEs
Dissemination experts
Software integrators
SCADA Providers.

Expected Results

Through WP7 and WP8 SCADALAB results
should reach the largest possible audience.

 D7.1 Training: Definition of a SCADA course, 90
hours of training for public officials, 5 training
manuals.
 D7.2 Awareness: Holding a final conference, 3
research reports, 6 papers released.

WP 8
Dissemination
EVERIS



Content

1. WP Objectives
3. Dissemination outputs

Objectives



To build awareness of the ScadaLab Project at both national
and European.



To inform the stakeholders of the research findings.



To promote the results of the Project and the possibilities of a
future exploitation.

Description of the Work
Dissemination Strategy

Audience

Message

- Primary: stakeholders

- User requirements stage

- Secondary: affected

- R&D stages

- Tertiary: influencers

- Testing stage

Market
- Policy makers
- Industries/SMEs
- End users
- EU R&D Community

Channels
- Oral communication
channels: Symposiums,
seminars, workshops.
- Written communication
channels: Website, newsletters,
contributions to professional
publications.

Dissemination Activities

Dissemination Outputs
Scadalab Website

www.scadalab.eu

Scadalab Social Network (I)
Twitter general overview

Linkedin general overview

• User: @ScadaLabProject

• User: ScadaLab Project
• Group: ScadaLab Project
– Open forum for stakeholders
discussions

Scadalab Social Network (II)
Social networks management tool: Hootsuit

–
–
–
–

Timeline
Interactions
Activity
Search: #SCADA #cybersecurity and “Critical Infrastructures”

ScadaLab events
Madrid: 1st International Workshop
- General Project Presentation

Sevilla: 2nd International Workshop
- Best Practices

Brussels: Final Conference
-

Final results
EU presentation

Thank you

With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and
other Security-related Risks Programme.

First SCADA LAB International Workshop

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to First SCADA LAB International Workshop

Similar to First SCADA LAB International Workshop (20)

Recently uploaded

Recently uploaded (20)

First SCADA LAB International Workshop