SCADA System Security Training


Risks and Benefits
of SCADA Security
Kevin Henson
Cyber Defense Labs / InfraGard
1
Information Runs the World
“The world isn't run by weapons anymore, or
energy, or money. It's run by little ones and zeroes,
little bits of data. It's all just electrons.”
-Sneakers
Everyone is dependent on one or more SCADA systems.
2
WHAT IS SCADA?
SCADA stands for Supervisory Control and Data
Acquisition. SCADA networks are literally the
underpinnings of our modern world and daily life;
they run:
• Gas Distribution systems
• Power Grids
• Water Supplies
• Refinery Processes
• Traffic Control
3
What can a cyber attack do to a SCADA
network?
It can destroy physical assets, and it can also cost money.
4
Cyber Attacks Can Destroy Physical Assets.
Cyber attack on a generator at Idaho National Laboratory (INL), National SCADA Test Bed (NSTB): the 2007 “Aurora” demonstration, in which a diesel generator was destroyed by repeatedly opening and closing its breaker out of phase with the grid.
5
Cyber Attacks Can Destroy Physical Assets.
It is possible to destroy large pumps by repeatedly
cycling them on and off quickly. This attack takes
advantage of the rotational inertia of the pump and
the high starting torque of an electric motor.
A similar attack can be made against generators
and other heavy rotating equipment.
6
Cyber Attacks Can Destroy Physical Assets.
This attack was first postulated in 2002 and
demonstrated in a lab in 2006. Stuxnet, discovered in
2010, applied the same idea of mechanical stress
through the controller: it destroyed centrifuges used
in the Iranian nuclear program by repeatedly changing
their rotational speed. Duqu, later malware built on
the same code base, has since been found in a number
of organisations, including industrial ones; it is a
reconnaissance tool that gathers design and credential
information rather than a destructive payload.
7
Cyber Attacks Can Destroy Physical Assets.
Malware of this kind reaches control networks by EMAIL,
by WEB CONTACT from connected machines, and on
contractors’ USB DRIVES (Stuxnet’s foothold on
isolated networks was an infected USB drive).
This is one of the main reasons it is important to
enforce isolation between SCADA and business
systems, and that SCADA devices should not access
the Internet in most circumstances.
8
DHS on SCADA networks
“ SCADA networks controlling our energy
infrastructures could represent the next prime
target for a terrorist attack in America. If the
attacks of 9/11 cost the American economy a
trillion dollars in lost value in our stock markets,
then disrupting our energy or financial distribution
systems could cause greater havoc. At the very
least, a disruption of an American energy delivery
system would undermine the confidence
Americans have in these systems.”
9
ATTACKS ON SCADAS
This year (January and February 2014)
there have been attacks on gas pipelines by
Chinese and Iranian hackers, attacks on water
networks by Syrian hackers, and attacks on electric
utilities by domestic hackers.
10
What We Will Cover
• NIST / DOE requirements for SCADA security
• What are the effects of a compromise?
• What Vulnerabilities exist, in most systems?
• Who would want to attack my SCADA Network?
• What can be done to Increase SCADA security?
• How does improving SCADA security improve the bottom-line?
11
NIST / DOE REQUIREMENTS
(The items on the following slides are the DOE “21 Steps to Improve Cyber Security of SCADA Networks”; they are recommendations rather than regulatory requirements. Two of the 21 are not listed here: do not rely on proprietary protocols to protect your system, and establish SCADA “Red Teams” to identify potential attack scenarios.)
• Identify all connections to SCADA networks.
• Disconnect unnecessary connections to the SCADA network.
• Evaluate and strengthen the security of any remaining connections
to the SCADA network
• Harden SCADA networks by removing or disabling unnecessary
services.
• Implement the security features provided by device and system
vendors.
• Establish strong controls over any medium that is used as a
backdoor into the SCADA network
12
NIST REQUIREMENTS
• Implement internal and external intrusion detection systems and
establish 24-hour-a-day incident monitoring
• Perform technical audits of SCADA devices and networks, and any
other connected networks, to identify security concerns.
• Conduct physical security surveys and assess all remote sites
connected to the SCADA network to evaluate their security.
• Clearly define cyber security roles, responsibilities, and authorities
for managers, system administrators, and users.
• Document network architecture and identify systems that serve
critical functions or contain sensitive information that require
additional levels of protection.
13
NIST REQUIREMENTS
• Establish a rigorous, ongoing risk management process.
• Establish a network protection strategy based on the principle of
defense-in-depth.
• Clearly identify cyber security requirements.
• Establish effective configuration management processes.
• Conduct routine self-assessments.
• Establish system backups and disaster recovery plans.
• Senior organizational leadership should establish expectations for
cyber security performance and hold individuals accountable for
their performance.
14
NIST REQUIREMENTS
• Establish policies and conduct training to minimize the likelihood
that organizational personnel will inadvertently disclose sensitive
information regarding SCADA system design, operations, or
security controls.
15
The 3 parts of a SCADA system that get attacked
• High level: the control room, with the Human Machine Interface (HMI); typically Windows based
• Mid level: the communications network (unsecured); dial-up modems, 900 MHz radio
• Low level: end-point control of physical assets by Remote Terminal Units (RTUs) or Programmable Logic Controllers (PLCs); serial RTUs, often Z-80 based
16
How many serious penetrations of SCADA networks have
occurred? It depends on your definition…
• If the answer is one that caused a power failure, then
only a few instances have been reported to NERC.
• If the answer is any penetration that prevented the
operators from monitoring or controlling networks, then
there have been hundreds of such events.
• If the answer is one that caused economic loss, there is
no data available and companies are not required to
report these events.
17
SCADA operators are not required to report anomalies unless they
cause a disruption in service to customers.
Literally thousands of minor incidents go unreported
every day.
These range from the temporary inability to poll some
particular device on the network, to the unexpected
switch-over from one circuit or device to its backup.
Large numbers of hostile port scans are detected but
ignored because they do not cause an interruption in
service.
18
Reporting: HOW WE FIX THIS
Starting NOW, we are rolling out a comprehensive
security reporting program to track anomalies in
the system.
Many times an attack strongly resembles a mechanical
or control-system failure. By looking at the pattern of
incidents we can better track the cause.
19
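The pattern-matching this slide calls for can be automated. The following is an added example, not part of the training material: it parses constructed IDS and poll-log lines, flags a port scan when one source touches five or more ports on one RTU within ten seconds, and reports any polling failures or failovers on that RTU within the following minute. The log formats, thresholds and addresses are assumptions for the example; real gateways and sensors each have their own formats.

```python
"""Correlate 'minor' ignored events (port scans, poll timeouts, failovers)
into one finding. Added example; log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a boundary IDS and the SCADA master's poll log, merged.
SAMPLE_LOG = """\
2014-02-03T02:14:05 ids src=10.8.4.77 dst=172.16.20.11 dport=502 action=syn
2014-02-03T02:14:05 ids src=10.8.4.77 dst=172.16.20.11 dport=20000 action=syn
2014-02-03T02:14:06 ids src=10.8.4.77 dst=172.16.20.11 dport=23 action=syn
2014-02-03T02:14:06 ids src=10.8.4.77 dst=172.16.20.11 dport=80 action=syn
2014-02-03T02:14:07 ids src=10.8.4.77 dst=172.16.20.11 dport=161 action=syn
2014-02-03T02:14:07 ids src=10.8.4.77 dst=172.16.20.11 dport=44818 action=syn
2014-02-03T02:14:09 scada rtu=172.16.20.11 event=poll_timeout
2014-02-03T02:14:12 scada rtu=172.16.20.11 event=poll_timeout
2014-02-03T02:14:15 scada rtu=172.16.20.11 event=failover path=backup
2014-02-03T03:40:00 scada rtu=172.16.20.19 event=poll_timeout
2014-02-03T06:01:30 ids src=10.8.4.5 dst=172.16.20.12 dport=502 action=syn
"""

IDS_RE = re.compile(r"^(\S+) ids src=(\S+) dst=(\S+) dport=(\d+) action=syn$")
SCADA_RE = re.compile(r"^(\S+) scada rtu=(\S+) event=(\S+)")

SCAN_WINDOW = timedelta(seconds=10)       # distinct ports within this window...
SCAN_PORTS = 5                            # ...from one source to one target = scan
CORRELATE_WINDOW = timedelta(seconds=60)  # control-plane trouble this soon after


def parse(log_text):
    """Split the merged log into IDS hits and SCADA control-plane events."""
    ids, scada = [], []
    for line in log_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, src, dst, port = m.groups()
            ids.append((datetime.fromisoformat(ts), src, dst, int(port)))
            continue
        m = SCADA_RE.match(line)
        if m:
            ts, rtu, event = m.groups()
            scada.append((datetime.fromisoformat(ts), rtu, event))
    return ids, scada


def find_scans(ids):
    """Return {(src, dst): start_time} for every source that touched at least
    SCAN_PORTS distinct ports on one target within SCAN_WINDOW."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in ids:
        by_pair[(src, dst)].append((ts, port))
    scans = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                scans[pair] = start
                break
    return scans


def correlate(log_text):
    """Pair each detected scan with poll failures or failovers on the scanned
    RTU inside CORRELATE_WINDOW; a scan followed by loss of polling is a
    candidate attack, not a mechanical fault, and deserves a report."""
    ids, scada = parse(log_text)
    findings = []
    for (src, dst), scan_ts in find_scans(ids).items():
        followed_by = [ev for ts, rtu, ev in scada
                       if rtu == dst and scan_ts <= ts <= scan_ts + CORRELATE_WINDOW]
        findings.append({"src": src, "rtu": dst, "scan_at": scan_ts.isoformat(),
                         "subsequent_events": followed_by})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

On the sample the single SYN from 10.8.4.5 and the isolated timeout on 172.16.20.19 stay in the noise; the six-port sweep of 172.16.20.11 followed within seconds by two poll timeouts and a failover is reported as one finding, which is the kind of record the reporting program on this slide exists to collect.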
Types of Attacks, Low Level
• The first is a direct (low-level) attack on the
end-effecting hardware (RTUs, PLCs, etc.). This
kind of attack takes advantage of weaknesses in
the communication channel, or simply plugs into
the device through its serial port.
• While limited in scope, this kind of attack can disable critical
pieces of equipment and so affect the overall operation of a
network.
20
Low-Level Attacks, continued
These attacks exploit vulnerabilities in field
devices, such as RTUs and sensors, that were designed
for reliability, not security.
Low-level attacks also take advantage of
vulnerabilities in the protocols and architecture
that support these networks.
21
How We Mitigate, Low Level Attacks
• Exercise good control of physical assets:
locks, gates, facilities, etc.
• Establish strong version control over what
gets loaded onto endpoint devices.
• Ensure that portable media (CDs, USB drives,
laptops) used to service endpoint devices are
free of infection and do not make
unnecessary contact with the Internet.
22
Mid-Level Attacks
These attacks are usually against the
communication infrastructure: radio or telephone links.
23
How We Mitigate, Mid Level Attacks
• Secure (authenticated and encrypted) communication path to
end-point devices; encryption alone hides the traffic but does
not stop an attacker from injecting or replaying messages.
• Good documentation and network / device
mapping
24
Types of Attacks, High Level
• The other form of attack is the subversion of a control
system, by crossing from the corporate side of an IT network
into the SCADA control network.
• This kind of attack is relatively easy to perpetrate with today’s
hacking tools, and can give total control of a network to an
outside party on the other side of the world.
25
High-Level Attacks, continued
Security on the HMI (Human Machine Interface) relies on the
security inherent in the Windows Operating System for
authentication and attack prevention. This is not strong enough to
protect a home computer, let alone the networks that control our
nation’s critical infrastructures.
Some SCADA control systems
now have a web-based interface.
This adds a whole new set of
vulnerabilities, because the
system can potentially be reached
from anywhere on the web.
26
Procedural Vulnerability
Many HMI operators do not log out of their
terminal when their shift ends; the next shift simply
takes over the terminal without having to log in.
As a result, the session between an HMI
and the system it controls can be weeks old.
Use of default IDs and passwords is endemic. The
highly repetitive nature of SCADA commands and the
persistence of passwords and keys encourage high-level attacks such as session hijacking, key theft, and
operator compromise.
27
How We Mitigate, High Level Attacks
• Good login and logout procedures
• No email or web access on ANY machine that
contacts the SCADA network
• Good isolation between SCADA and business
networks
• Good patch management process for the HMI
• Good backup process
28
Modes of compromise
Today, someone can impact SCADA in many ways:
•Interception: Listen to device messages
•Fabrication: Create forged messages
•Alteration: Change valid messages
•Replay: Copy message, send later
•Corruption: Change values in SCADA database
29
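The four message-level modes above (and the “secure communication path” mitigation on the mid-level slide) are easiest to see on a concrete frame. The following is an added example, not from the training deck or any vendor: it builds a plain Modbus/TCP “write single register” frame as a PLC would receive it, applies alteration, fabrication and replay to it, and then carries the same write in a keyed wrapper with a monotonic counter that rejects all three. The shared key, unit and register numbers, and the wrapper framing are assumptions for the example; real deployments should use a standard such as Modbus/TCP Security (TLS on TCP/802) or a VPN rather than a home-grown wrapper.

```python
"""Modbus/TCP write traffic: alteration, fabrication and replay against the
plain protocol, then a keyed, counter-protected wrapper that rejects them.
Added example; key, addresses and wrapper format are assumptions."""
import hashlib
import hmac
import struct

FC_WRITE_SINGLE_REGISTER = 6


def build_write_register(transaction_id, unit_id, register, value):
    """Plain Modbus/TCP ADU: 7-byte MBAP header + 5-byte PDU for function 6.
    Nothing in it proves who sent it or whether it was sent before."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, register, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_write_register(adu):
    """What a PLC does with the frame: check its shape, then act on the value."""
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    fc, register, value = struct.unpack(">BHH", adu[7:12])
    if proto != 0 or length != len(adu) - 6 or fc != FC_WRITE_SINGLE_REGISTER:
        raise ValueError("not a well-formed write-single-register ADU")
    return {"tid": tid, "unit": unit, "register": register, "value": value}


# Interception is reading the bytes and replay is resending them, so only
# alteration and fabrication need code of their own.
def alter_value(adu, new_value):
    """Alteration: rewrite the setpoint in transit; no field will disagree."""
    return adu[:10] + struct.pack(">H", new_value)


def fabricate(unit_id, register, value):
    """Fabrication: any host that can reach TCP/502 can author a valid write."""
    return build_write_register(0xBEEF, unit_id, register, value)


# Keyed wrapper: counter || ADU || HMAC-SHA256(key, counter || ADU)
KEY = b"example-per-plc-key-provisioned-out-of-band"  # assumption for the example
TAG_LEN = 32


def wrap(adu, counter, key=KEY):
    body = struct.pack(">Q", counter) + adu
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Verifier:
    """Receiver side. Remembers the highest counter accepted, so a frame with
    a valid tag is still rejected if it repeats an earlier one."""

    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = -1

    def unwrap(self, frame):
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad tag: altered or fabricated")
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self.last_counter:
            raise ValueError("stale counter: replay")
        self.last_counter = counter
        return body[8:]


def demo():
    """Run each attack against the plain frame and the wrapped frame."""
    results = {}
    legit = build_write_register(transaction_id=1, unit_id=1, register=0x10, value=1500)

    # Plain protocol: the PLC cannot tell any of these from the operator's write.
    results["plain_altered"] = parse_write_register(alter_value(legit, 0))["value"]
    results["plain_fabricated"] = parse_write_register(fabricate(1, 0x10, 0))["value"]
    results["plain_replayed"] = parse_write_register(legit)["value"]

    # Wrapped protocol: only the first, untouched frame gets through.
    verifier = Verifier()
    frame = wrap(legit, counter=1)
    results["wrapped_ok"] = parse_write_register(verifier.unwrap(frame))["value"]
    attacks = {
        # value field sits at offset 8 (counter) + 10 (MBAP + fc + register)
        "altered": frame[:18] + struct.pack(">H", 0) + frame[20:],
        "fabricated": wrap(fabricate(1, 0x10, 0), counter=2, key=b"attacker-guess"),
        "replayed": frame,
    }
    outcomes = {}
    for name, bad in attacks.items():
        try:
            verifier.unwrap(bad)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = str(err)
    results["wrapped"] = outcomes
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Two caveats a practitioner would add: the wrapper gives integrity and freshness, not confidentiality, so interception still works unless the link is also encrypted; and the receiver’s counter must survive a reboot (or be re-established with a handshake), otherwise the first frames after a restart can be replayed.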
Interception
The interception of SCADA messages is trivial.
Messages are generally sent over open
communication lines; vulnerable link types include:
•Leased Line
•900 MHz Radio
•Microwave link
•Wireless IP
•Satellite
•IP Network
•POTS
•Licensed Spectrum
•Spread Spectrum
•Broadband over power line
•Cellular
30
Interception
Intercepting wireless packets is so trivial that “war
driving” for networks has become a competitive sport
among a certain sub-culture. Maps of wireless
infrastructure and connection information are freely
traded on the Internet.
31
Threat Models
Threat models are essential for security planning.
All security is designed around some form of cost
vs. risk decision. This is why convenience stores
don’t have vault doors and banks do.
The main thing to look at is likely opponents and
specific risk factors.
32
Threat Models
The two broad categories are internal and external.
Internal threats are typically from disgruntled
employees.
External threats are everything else. In general, the
more money or influence a company has, the
greater the external threat will be.
33
Internal Threats
Many attacks are perpetrated by disgruntled
employees who seek to cause embarrassment or
expense to their employer.
In this new world of radical extremism and people
willing to crash airplanes into buildings, this could
change rapidly. One can see people getting a job with a
particular company for the sole purpose of harming
the company and/or a large civilian population.
34
External Threats
For years, the industry has said, “outsiders could
not find my network, and even if they did they
would not understand it.”
With the publication of protocols and control
system specifications on the Internet, this is
wishful thinking.
35
External Threats
External threats can generally be broken down into
the following categories and motivations:
•Amateur – Problem with authority, Attention, Money
•Professional – Money, business / Market Advantage
•Terrorist -- Economic / Social Disruption, Money
•Nation State -- Economic / Social Disruption
36
What are the effects of a compromise?
SCADA operators generally think of cyber attacks as
“weapons of mass annoyance”.
THEY ARE WRONG
Confining ourselves to just SCADA networks, we must
consider:
•Economic attacks
•Disruptive (or damaging) attacks
•Societal paralysis
•Casualty producing attacks
37
Famous Sewer Disruption (Maroochy Shire, Queensland, 2000)
•In Australia a disgruntled former employee of the contractor that
installed the system took over the water and wastewater network
he had worked on.
•Using COTS wireless technology he controlled the network on 46
separate occasions, from his car.
•At one point he caused the system to back up many tons of raw
sewage into the grounds of a golf course. This led to a very
expensive clean-up.
•While not life threatening, this clearly annoyed a great many
people. He could just as easily have decided to contaminate all of
the drinking water carried by that network.
38
Startling Disruption of Electrical Equipment
•DHS has demonstrated that a substation’s
transformers could be forced to explode due to a
cyber attack.
•Without going into detail, it is possible to bypass
the safeties and overload a transformer. The
resulting combustion is spectacular and expensive.
39
Impact of a Damage Producing Cyber Attack
• Such an attack is an economic nightmare, from both a disruption-of-
service and a restoration perspective, even though it produces no
mass casualties.
• Power companies keep a few spare transformers around in
case of failure. They do not contemplate the possibility of a
large number failing in a short period of time.
• Most of these devices are built overseas because of the expense
and environmental regulations associated with their
materials. A concerted cyber attack on them could cripple a
power network for a significant length of time.
40
Ways to Improve Security
• Create and follow a regularly tested security plan
• Enforce accountability for machines and people
• Digitally sign records to ensure they are not altered
• Secure open communications lines
• Force separation of duties, devices, and networks
• Don’t PUBLISH a map of your assets on the internet
41
Improve security, Have a Plan
• Decide who is in charge of security and your networks
• Evaluate the threat model/ level, budget accordingly
• What can you afford to protect, and what can you afford to lose?
• Protect what you can, insure the rest
• Audit regularly to ensure your plan is carried out
42
Improve security, Enforce Accountability
Separation of duties - it is important that no one person should have
total control of your network
Develop and test changes on an isolated system, not your SCADA
control environment.
Separate portions of your network; your HR department does not
need to see into the details of the control network
Someone must be responsible for what happens on various parts of
your network
43
Improve security, Enforce Accountability
Use firewalls both internally and externally to separate network
segments
44
Improve Security, Digitally Sign Records
• The data coming from a SCADA network IS your product.
• Billing and trading is done based on what the numbers say is the
amount of product you produced or moved.
• This means that the safeguarding of the data is as important as
the security of the product itself.
• Some form of digital signature to prove the data was not altered
is generally accepted as a good means to prevent fraud.
45
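One way to make the readings tamper-evident, as an added example rather than anything from the deck: each reading is chained to the previous one and tagged with HMAC-SHA256, so altering a value, deleting a record, or re-tagging without the key all break verification. HMAC stands in for the digital signature the slide calls for so that the example runs on the standard library alone; the key, field names and meter readings are constructed for the example.

```python
"""Tamper-evident chain of custody-transfer meter readings. Added example;
HMAC stands in for a signature, and key, fields and readings are made up."""
import copy
import hashlib
import hmac
import json

SIGNING_KEY = b"historian-signing-key-example"  # assumption; use a real key store
GENESIS = "0" * 64


def _tag(key, prev_tag, record):
    """Tag covers the previous tag and a canonical encoding of the record, so
    the tag of the newest entry commits to every earlier one."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()


def append_record(chain, record, key=SIGNING_KEY):
    """Append a reading, binding it to everything already in the chain."""
    prev = chain[-1]["tag"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "tag": _tag(key, prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, key=SIGNING_KEY):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, i            # a record was removed or reordered
        expected = _tag(key, prev, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i            # record changed, or tagged with another key
        prev = entry["tag"]
    return True, None


# Constructed sample: hourly gas volumes (thousand cubic feet) from one meter
SAMPLE_READINGS = [
    {"meter": "MTR-07", "ts": "2014-02-03T00:00", "mcf": 1210.4},
    {"meter": "MTR-07", "ts": "2014-02-03T01:00", "mcf": 1198.9},
    {"meter": "MTR-07", "ts": "2014-02-03T02:00", "mcf": 1225.1},
]


def demo():
    """Build the chain, then try the edits a fraudster would make."""
    chain = []
    for reading in SAMPLE_READINGS:
        append_record(chain, reading)
    results = {"intact": verify_chain(chain)}

    altered = copy.deepcopy(chain)
    altered[1]["record"]["mcf"] = 2198.9          # inflate one hour's volume
    results["altered"] = verify_chain(altered)

    deleted = copy.deepcopy(chain)
    del deleted[1]                                # drop an hour entirely
    results["deleted"] = verify_chain(deleted)

    resigned = copy.deepcopy(altered)             # try to repair the tag without the key
    resigned[1]["tag"] = _tag(b"wrong-key", resigned[1]["prev"], resigned[1]["record"])
    results["resigned_without_key"] = verify_chain(resigned)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With a MAC, anyone who can verify can also forge, so for billing or trading disputes the tag should be an asymmetric signature (signing key on the historian, public key with the auditor or counterparty), and the latest chain tag should be published somewhere the historian’s own operators cannot edit; otherwise an insider with the key can simply re-tag the whole chain.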
Improve Security, Encrypt Communications
In order to maintain the essential elements of
information assurance:
•Confidentiality
•Integrity
•Availability
Some attention needs to be paid to the security of
the data that is transmitted across networks.
46
Rewards of Improved Security
• Reduction in Waste, Fraud, and Abuse
• Reduction in overall risk to network and business
• Reduction in operational down time, by having better management
of the network
• Reduced insurance premiums for business insurance
• Reduced difficulty in following increasingly stringent compliance
requirements
47