Securing SCADA
-
Upload
jeffrey-wang-peng -
Category
Engineering
-
view
86 -
download
0
Transcript of Securing SCADA
3/10/2016
1
SCADA Security
Challenges & Strategies
Jeffrey Wang, P. Eng.
2016, Oshawa
Acronym
� ICS: Industrial Control System
� DCS: Distributed Control System
� SCADA: Supervisory Control and Data Acquisition
� PLC: Programmable Logic Controller
� RTU: Remote Terminal Unit
� HMI: Human Machine Interface
� TCP/IP: Transmission Control Protocol/Internet Protocol
� IDS: Intrusion Detection System
� COTS: Commercial off-the-shelf
� ACL: Access Control List
� DMZ: Demilitarized Zone
� WAN: Wide Area Network
� LAN: Local Area Network
Page 2 Securing SCADA prepared by Jeffrey Wang
3/10/2016
2
Content
� Overview
� Cyber Threats and Vulnerabilities
� Security Challenges
� Mitigation Strategies
� References
Page 3 Securing SCADA prepared by Jeffrey Wang
Overview
� SCADA system
� Overview
� SCADA System Components
� SCADA System Functionality
Page 4 Securing SCADA prepared by Jeffrey Wang
3/10/2016
3
SCADA System - Overview
� SCADA is an acronym for Supervisory Control and Data Acquisition.
� SCADA is an Industrial control system (ICS).
Page 5 Securing SCADA prepared by Jeffrey Wang
SCADA System - Components
Typically SCADA system include the following components:
� RTU (Remote Terminal Unit)
� PLC (Programmable Logic Controller)
� HMI (Human Machine Interface)
� Field devices (Actuators and Sensors)
� WAN(Wide Area Network): Wireless/RF communication devices
� LAN (Local Area Network): Router and Switches
� Centralized Server
� Database Server (Data Historian)
Page 6 Securing SCADA prepared by Jeffrey Wang
3/10/2016
4
SCADA System - Functionality
Major functions of SCADA system including:
� Field devices control via local or remote working mode
� Collect field data and transmit to central control server via WAN network
� Monitor processing and/or control field devices via HMI
� Manage database for tracking and management analysis
Page 7 Securing SCADA prepared by Jeffrey Wang
SCADA System - Critical infrastructure
SCADA systems are critical national infrastructures
Canadian Critical infrastructure within the 10 sectors listed below:
• Energy and utilities• Finance• Food• Transportation• Government• Information and communication technology• Health• Water• Safety• Manufacturing
Page 8 Securing SCADA prepared by Jeffrey Wang
3/10/2016
5
SCADA System - Tasks
SCADA system simply performs four tasks:
� Data Acquisition
� Data Communication
� Data Monitor and Control
� Data Historian
Page 9 Securing SCADA prepared by Jeffrey Wang
Data
Communication
Data
Acquisition
Data
Monitor & Control
Why securing SCADA system ?
Why?
� IP-based technologies � Internet of Thing (IoT) � Cloud computing� Mobile computing
� Threats growing (Cyber threats source refers to From Homeland Security ICS-CERT)
� Hostile governments� Terrorist groups� Disgruntled employees� Malicious intruders.� GAO Threat Table (Source: GAO-Government Accountability Office)
� Vulnerabilities increasing� Alerts (From ICS-CERT for control system/Government /Home & Business)
Alerts provide timely notification to critical infrastructure owners and operators concerning threats to critical infrastructure networks.
� Be proactive for potential cyber- attack to SCADA system
Page 10 Securing SCADA prepared by Jeffrey Wang
3/10/2016
6
Vulnerabilities
� Physical Vulnerabilities
� Cyber Vulnerabilities
Page 11 Securing SCADA prepared by Jeffrey Wang
Vulnerabilities –ICS-CERT Alerts
Industrial Control Systems Cyber Emergency Response Team(ICS-CERT )
Publish cyber security alerts to three categories:
• Control System Users
• Government Users
• Home and Business
Examples:
� ICS-ALERT-15-225-02A : Rockwell Automation 1766-L32 Series Vulnerability (Update A)
� ICS-ALERT-11-204-01B : Siemens S7-300_S7-400 Hardcoded Credentials (Update B)
� ICS-ALERT-12-097-02A : 3S CoDeSys Improper Access Control (Update A)
� ICS-ALERT-11-256-06 : Beckhoff TwinCAT Vulnerability
� ICS-ALERT-12-020-07A : WAGO IO 750 Vulnerabilities (Update A)
� ICS-ALERT-12-136-01 : Wonderware SuiteLink Unallocated Unicode String
� ICS-ALERT-12-020-02A : Rockwell Automation ControlLogix PLC Vulnerabilities (Update A)
� ICS-ALERT-11-332-02A : Siemens SIMATIC WinCC Flexible (Update A)
� ICS-ALERT-11-256-05A : Rockwell Automation RSLogix Overflow Vulnerability (UPDATE A)
Source: ICS-CERT Alerts: https://ics-cert.us-cert.gov/alerts
Page 12 Securing SCADA prepared by Jeffrey Wang
3/10/2016
7
Physical Vulnerabilities
Common Physical Vulnerabilities:
� Inadequate policies, procedures, and culture governing control system security
� Inadequately designed networks with insufficient defense-in-depth
� Remote access without appropriate access control
� Separate auditable administration mechanisms
� Inadequately secured wireless communication
� Use of a non-dedicated communications channel for command and control
� Lack of easy tools to detect/report anomalous activity
� Installation of inappropriate applications on critical host computers
� Inadequately scrutinized control system software
� Unauthenticated command and control data.
Page 13 Securing SCADA prepared by Jeffrey Wang
Cyber Vulnerabilities
Common Cyber Vulnerabilities including:
� Operating System Vulnerabilities
� Interconnections
� Open Source / Public Information
� Authentication
� Remote access
� Monitoring and Defenses
� Wireless access
� SCADA/SQL/PLC Software
Page 14 Securing SCADA prepared by Jeffrey Wang
3/10/2016
8
Cyber Vulnerabilities
Cyber Vulnerabilities in details:
� Un-patched published vulnerabilities� Web-based HMI vulnerabilities� Improper authentication� Improper access control (authorization)� Buffer overflow in SCADA services� SCADA data and command message manipulation and injection� SQL injection� insecure protocols� unprotected transport of SCADA application credentials� Standard IT protocols with pain-text authentication
Page 15 Securing SCADA prepared by Jeffrey Wang
Vulnerabilities – Allen-Bradly/Rockwell PLC
Web-based access with default user ID and password
� AB SLC505
� AB Micrologix PLC
� AB CompactLogix
Page 16 Securing SCADA prepared by Jeffrey Wang
3/10/2016
9
Vulnerabilities – Unprotected Authentication
� MicroLogix 1400, It is easy to access with administrator and default password
Page 17 Securing SCADA prepared by Jeffrey Wang
Vulnerabilities – Access with Default ID & Password
� Intruder can change access permission once granted access control.
� Default IDs( administrator, and default passwords
Page 18 Securing SCADA prepared by Jeffrey Wang
3/10/2016
10
Vulnerabilities – Supervisory Control
� Supervisory control: Write/Read memory block or disable the device
Page 19 Securing SCADA prepared by Jeffrey Wang
Cyber Attack - STUXNET
� STUXNET: the most famous cyber attack by United States and Israel.
� STUXNET worm was at first identified by a Belarus company VirusBlokAda in mid-June 2010.
� Physical Impact:
� Sabotaging 1000 centrifuges at Iran’s Natanz nuclear plant
� Stuxnet worm – now every hacker in the world knows about PLCs, HMIs and the opportunities to attack them.
� The Windows operating system
� Siemens SIMATIC Step 7 and WinCC
� Siemens S7 – 300/400 PLCs
� S7-315-2/S7-417
� USB flash memory
� Zero-Day via Windows OS
� DB memory block in PLC
Page 20 Securing SCADA prepared by Jeffrey Wang
3/10/2016
11
Cyber Attack - Insider
� Insider hacks into sewage treatment plant
� Queensland, Australia (2000) Disgruntled employee Vitek Boden hacks into sewage system via WiFi from the company’s Parking lot and releases over a million liters of raw sewage into the coastal waters.
� Physical Impact”
� Intruder controlled about 150 pump stations near three months
� Released about 1 million litre of raw sewage into nearby rivers and parks.
� Tools: Laptop, radio and wireless access
Page 21 Securing SCADA prepared by Jeffrey Wang
Security Challenges
Page 23 Securing SCADA prepared by Jeffrey Wang
3/10/2016
12
SCADA Security Challenges
� Vulnerable operating system (OS) and applications in SCADA system are from commercial off-the –shelf (COTS) including Linux, Mac OS, Windows and embedded PLC OS (VxWorks);
� Most industrial control network connected to corporation network with Internet access. Especially IP-based technologies. Such as Wireless, IoT (Internet of Things), Cloud computing, Mobile computing and smart metering;
� Unsecure legacy system and devices are still widely used in SCADA system. No updated firmware available , no patching. They are transparent to control professional;
� Open source communication protocols (Modbus, DNP3, IEC 61850,Ethernet/IP) were not designed with security in mind and lack basic authorization features;
� There are numerous unpatched and unpatchable systems;� Lack of remote access authentication, weak or default password;� Lack of physical security protection
.
Page 23 Securing SCADA prepared by Jeffrey Wang
Security Standards
• Security Standards
• Cyber Security Objective
Page 25 Securing SCADA prepared by Jeffrey Wang
3/10/2016
13
Industrial Control System Security Standards
Good News! There are many security standards….
� NIST SP-800-82 : Guide to Industrial Control Systems Security � National Institute of Standards and Technology(NIST)
� ISA/IEC-62443 (formal ANSI/ISA99) : Security for Industrial Automation and Control Systems Security � The International Society of Automation (ISA)� The International Electrotechnical Commission(IEC)
� NERC CIP- 006 : Physical Security of Critical Cyber Assets� North American Reliability Corporation(NERC)� Critical Infrastructure Protection(CIP)
� TR12-002 : Industrial Control System (ICS) Cyber Security: Recommended Best Practices (combined with NIST and ISA99 standards)• Canadian Cyber Incident Response Centre (CCIRC)
Page 25 Securing SCADA prepared by Jeffrey Wang
Cyber Security Objective- I.T. Security Perspective
Three fundamental goals per NIST SP800-82 standard
� Confidentiality� Any important information you have — such as employee, client
or financial records — should be kept confidential. This
information should only be accessed by people (or systems)
that you have given permission to do so.
� Integrity
� You need to make sure to maintain the integrity of this
information and other assets (such as software) in order to keep
everything complete, intact and uncorrupted.
� Availability� You should maintain the availability of systems (such as
networks), services and information when required by the
business or its clients.
Page 26 Securing SCADA prepared by Jeffrey Wang
3/10/2016
14
Cyber Security Objective- SCADA Security Perspective
� Availability� Confidentiality� Integrity
Page 27 Securing SCADA prepared by Jeffrey Wang
Integrity
Confidentiality
Availability
Mitigation Strategies
� Physical Assets Security
� Cyber Security
Page 28 Securing SCADA prepared by Jeffrey Wang
Cyber
Security
Standards
Physical
Security
3/10/2016
15
Mitigation Strategies - Recommendations
My recommendation:
� Physical Assets Security
� NERC CIP-006 standard is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets
� Cyber Security
� NIST SP800-82 standard is cybersecurity guidance for Industrial Control Systems (ICS) Security
� ISA/IEC-62443 (ISA99) standard
� Canadian Cyber Incident Response Centre(CCIRC)
� TR12-002 :Industrial Control System (ICS) Cyber Security: Recommended Best Practices
Page 29 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - Risk Assessment
� Sources of threats� External
� Internal
� Accidental
� Vulnerabilities
Risks = Threats x Vulnerabilities x Impact
Page 30 Securing SCADA prepared by Jeffrey Wang
3/10/2016
16
Physical Assets Security
Page 32 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - NERC CIP Standards
NERC CIP standards Include 9 standards and 45 requirements:
CIP-002-1: Critical Cyber Asset Identification
CIP-003-1: Security Management Controls
CIP-004-1: Personnel and Training
CIP-005-1: Electronic Security Perimeters
CIP-006-1: Physical Security of Critical Cyber Assets
CIP-007-1: Systems Security Management
CIP-008-1: Incident Reporting and Response Planning
CIP-009-1: Recovery Plans for Critical Cyber Assets
NERC: North American Electric Reliability Corporation
CIP: Critical Infrastructure Protection
Page 32 Securing SCADA prepared by Jeffrey Wang
3/10/2016
17
Mitigation Strategies - Physical Protection Guideline
Physical Access Controls� The Responsible Entity shall document and implement the operational and
procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
Monitoring Physical Access� The Responsible Entity shall document and implement the technical and
procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008.
Logging Physical Access• Logging shall record sufficient information to uniquely identify individuals and the
time of access twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s).
Page 33 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - Physical Security
Physical Security Purpose:To assist you detect and identify threats and restrict access to sensitive area (server
room and important field equipment)
� Detect� Be alerted to unauthorized entries or attempts� Be alerted to mechanical/electrical failures� Be alerted to remote site entry requests
� Identify� Remotely view facility, people, equipment� View recorded information and events� Restrict and allow entry to facility� Create physical facility access logs� Prosecute offenders
� Restrict� Keep the bad guys out
Page 34 Securing SCADA prepared by Jeffrey Wang
3/10/2016
18
Cyber Security
Mitigation Strategies - NIST SP 800-82 Standards
NIST SP 800-82 : Guide to Industrial Control Systems Security
� Provide guidance for establishing secure ICS, including implementation
guidance for SP 800-53 controls
� Content
� Overview of ICS
� ICS Characteristics, Threats and Vulnerabilities
� ICS Security Program Development and Deployment
� Network Architecture
� ICS Security Controls
� Appendixes
� Current Activities in Industrial Control Systems Security
� Emerging Security Capabilities
NIST: National Institute of Standards and Technology
SP: Special Publication
Page 36 Securing SCADA prepared by Jeffrey Wang
3/10/2016
19
Mitigation Strategies - Cyber Security Objective
Restricting logical access to the SCADA network and network activity � This includes using a demilitarized zone (DMZ) network architecture with
firewalls to prevent network traffic from passing directly between the corporate and SCADA networks, and having separate authentication mechanisms and credentials for users of the corporate and SCADA networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
Restricting physical access to the SCADA network and devices � Unauthorized physical access to components could cause serious disruption of
the SCADA’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
Page 37 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - Cyber Security Objective
Protecting individual SCADA components from exploitation� This includes deploying security patches in as expeditious a manner as possible,
after testing them under field conditions; disabling all unused ports and services; restricting SCADA user privileges to only those that are required for each person’s role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.
Maintaining functionality during adverse conditions� This involves designing the SCADA so that each critical component has a
redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the SCADA or other networks, or does not cause another problem elsewhere, such as a cascading event.
Page 38 Securing SCADA prepared by Jeffrey Wang
3/10/2016
20
Mitigation Strategies – ANSI/ISA99 Standard
Module 1: Defining Industrial CybersecurityCovers the concepts of physical, operational, and electronic security; and defines
Cybersecurity as it relates to industrial automation and control systemsModule 2: Risk AssessmentCovers the concept of risk and how safety plays a part in assessing possible
consequences from a cyberattackModule 3: Threats and VulnerabilitiesCovers "social engineering" and how outsiders gather information to enable attacks
and to physically enter your secured areasModule 4: Security Policies, Programs, and ProceduresCovers the creation and deployment of policies, standards, and procedures and how
they are a critical aspect of a security program
Page 39 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies – ANSI/ISA99 Standard
Module 5: Understanding TCP/IP, Hackers, and MalwareCovers the basics of the IP networking architecture and how computers are
addressed and how IP delivers information to computers and TCP/UDP to complete the delivery to specified applications using port numbers
Module 6: Technical CountermeasuresCovers the technical countermeasures and technology that can be employed to
protect your systems, detect and remove malware, and block hacking attempts; and explains the technologies such as firewalls, proxy servers, VPN, and VLAN and how they relate to industrial automation systems
Module 7: Architectural & Operational StrategiesCovers ways to segment and isolate your process automation systems in order to
increase their reliability and Cyber security
Page 40 Securing SCADA prepared by Jeffrey Wang
3/10/2016
21
Mitigation Strategies -TR12-002 Recommendation
TR12-002 :Industrial Control System (ICS) Cyber Security: Recommended Best Practices, by Canadian Cyber Incident Response Centre
1. Network Segmentation2. Remote Access3. Wireless Communications4. Patch Management5. Access Policies and Controls6. Secure the Host (System Hardening)7. Intrusion Detection8. Physical and Environmental Security9. Malware Protection and Detection10. Awareness11. Periodic Assessments and Audits12. Change Control and Configuration Management13. Incident Planning and Response
Page 41 Securing SCADA prepared by Jeffrey Wang
Useful software
� Solarwinds Inc. URL: http://www.solarwinds.com/
� Develops enterprise information technology (IT) infrastructure management software for IT professionals.
� Kaspersky - URL: http://www.kaspersky.com
� Kaspersky Lab is an international software security group operating in almost 200 countries and territories worldwide.
� Bitdefender- URL: http://www.bitdefender.com
� Bitdefender products feature anti-virus and anti-spyware capabilities against internet security threats such as viruses, Trojans, rootkits, rogues, aggressive adware, spam and others.
� McAFee - URL: http://www.mcafee.com
� Intel Security Group (previously McAfee, Inc.) is an American global computer security software
� Symantec - URL: Http://www.symantec.com
� Security, Antivirus and Backup Solutions provider
Page 42 Securing SCADA prepared by Jeffrey Wang
3/10/2016
22
References
NIST SP-800-82 Guide to Industrial Control Systems Security
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
ICS-CERT, ICS-TIP-12-146-01A—Targeted Cyber Intrusion Detection and Mitigation Strategies
http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
CCIRC, TR11-002 Mitigation Guidelines for Advanced Persistent Threats
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx
ICS-CERT, Incident Response Summary Report 2009 – 2011
http://www.us-cert.gov/control_systems/pdf/ICS-
CERT_Incident_Response_Summary_Report_09_11.pdf
US-CERT, Control Systems Security Program (CSSP)
http://www.us-cert.gov/control_systems/
US-CERT, Recommended Practice: Improving Industrial Control Systems Cybersecurity with
Defense-In-Depth Strategies
http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
CPNI, CPNI Viewpoint: Securing the move to IP-based SCADA/PLC networks
http://www.cpni.gov.uk/Documents/Publications/2011/2011034-scada-
securing_the_move_to_ipbased_scada_plc_networks_gpg.pdf
International Society of Automation (ISA), ISA99, Industrial Automation and Control Systems
Security
http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
Page 43 Securing SCADA prepared by Jeffrey Wang
THANK YOU
Page 44 Securing SCADA prepared by Jeffrey Wang