SlideShare a Scribd company logo

Control system including PLC cybersecurity

Download as PPT, PDF
Dr.Maged Mikhail, profile picture
Dr.Maged Mikhail

The document discusses cyber security challenges and solutions for industrial control systems (ICS), particularly focusing on the power grid. It highlights the need for improved security measures due to the increasing risks from COTS technologies and IP connectivity, which expose ICS to vulnerabilities such as unauthorized access and denial of service attacks. Strategies for securing these systems include implementing defense-in-depth strategies, strengthening authentication protocols, and improving logging and monitoring practices.

Engineering
1 of 73
Download to read offline
1
2
Most read
3
4
5
6
7
Most read
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
Most read
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
Cyber Security Solutions For <Client Name> Cyber Security Issues & Securing Control Systems
Power Grid Communications & Control Systems borrowed from NIST Smart Grid Twiki Internet Control Systems
Agenda • High-Level – Industrial Control Systems and Cyber Security Issues – Securing Control Systems such PLC • Detailed – Security Issues in Industrial Control Systems – Today’s Threats – Securing Control Systems
A Control System Sensor(s) + Actuator(s) + Controller(s)
Types of Industrial Control Systems (ICS) Supervisory Control And Data Acquisition (SCADA) Automation Programmable Logic controller (PLC) Distributed Control Systems (DCS)
Historical ICS • Proprietary • Complete vertical solutions • Customized • Specialized communications – Wired, fiber, microwave, dialup, serial, etc. – 100s of different protocols – Slow; e.g. 1200 baud • Long service lifetimes: 15–20 years • Not designed with security in mind
Third Party Controllers, Servers, etc. Serial, OPC or Fieldbus Engineering Workplace Device Network Firewall Services Network Third Party Application Server Application Server Historian Server Workplaces Enterprise Optimization Suite Mobile Operator Connectivity Server Control Network Redundant Enterprise Network Serial RS485 Modern ICS Trends IP Internet Enterprise Network
Technology Trends in ICS • COTS (Commercial-Off-The-Shelf) technologies – Operating systems—Windows, WinCE, embedded RTOSes – Applications—Databases, web servers, web browsers, etc. – IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc. – Networking equipment—switches, routers, firewalls, etc. • Connectivity of ICS to enterprise LAN – Improved business visibility, business process efficiency – Remote access to control center and field devices • IP Networking – Common in higher level networks, gaining in lower levels – Many legacy protocols wrapped in TCP or UDP – Most new industrial devices have Ethernet ports – Most new ICS architectures are IP-based
New IP-Based Industrial Control Systems • ODVA (Rockwell) • Profinet • Foundation Fieldbus HSE • Telvent • ABB 800xA • Honeywell Experion • Emerson DeltaV • Yokogawa VNET/IP • Invensys Infusion • Survalent • IP to the Control Network or even Device Network • Not all are fully compatible with “ordinary IP”
Security Risks to Modern ICS • COTS + IP + connectivity = many security risks • All of those of Enterprise networks and more Worms and Viruses Legacy OSes and applications DOS and DDOS impairing availability Inability to limit access Unauthorized access Inability to revoke access Unknown access Unexamined system logs Unpatched systems Accidental misconfiguration Little or no use of anti-virus Improperly secured devices Limited use of host-based firewalls Improperly secured wireless Improper use of ICS workstations Unencrypted links to remote sites Unauthorized applications Passwords sent in clear text Unnecessary applications Default passwords Open FTP, Telnet, SNMP, HTML ports Password management problems Fragile control devices Default OS security configurations Network scans by IT staff Unpatched routers / switches
When ICS Security Fails • Loss of production • Penalties • Lawsuits • Loss of public trust • Loss of market value • Physical damage • Environmental damage • Injury • Loss of life • USSR pipeline explosion, 1982 • Bellingham pipeline rupture, 1999 • Queensland sewage release, 2000 • Davis Besse nuclear plant infection, 2003 • Northeast USA blackout, 2003 • Browns Ferry nuclear plant scram, 2006 $$$.$$
ACM CCS Tutorial Nov. 2009 So How Do We Secure Industrial Control Systems?
Defense in Depth • Perimeter Protection – Firewall, IPS, VPN, AV – Host IDS, Host AV – DMZ • Interior Security – Firewall, IDS, VPN, AV – Host IDS, Host AV – IEEE P1711 (AGA 12) – NAC – Scanning • Monitoring • Management IDS Intrusion Detection System IPS Intrusion Prevention System DMZ DeMilitarized Zone VPN Virtual Private Network (cryptographic) AV Anti-Virus (anti-malware) NAC Network Admission Control
Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
ACM CCS Tutorial Nov. 2009 Security Issues in Industrial Control Systems
Availability, Integrity and Confidentiality • Enterprise networks require C-I-A – Confidentiality of intellectual property matters most • ICS requires A-I-C – Availability and integrity of control matters most – control data has low entropy—little need for confidentiality – Many ICS vendors provide six 9’s of availability • Ensuring availability is hard – Cryptography does not help (directly) – DOS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high MTBF • Security must not reduce availability!
DoS and DDoS Attacks • Denial of Service (DoS) attack overwhelms a system with too many packets/requests – Exhausts TCP stack or application resources – Defenses include connection limits in firewall • Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system – No single point of attack – Requires sophisticated, coordinated defenses – Weapon of choice for hackers, hacktivists, cyber-extortionists • DoS, DDoS particularly effective when Availability is critical, i.e. against ICS
Fragile ICS Devices • Many IP stack implementations are fragile – Some devices lockup on ping sweep or NMAP scan – Numerous incidents of ICS shut down by uninformed IT staff running a well-intentioned vulnerability scan • Modern ICS devices are much more complex – Some IEDs include web server for configuration and status – More lines of code leads to more bugs – Modern IEDs require patching just like servers
Unpatched Systems • Many ICS systems are not patched current – Particularly Windows servers – No patches available for older versions of windows • OS and application patches can break ICS – OS patches are tested for enterprise apps • Uncertified patches can invalidate warranty • Patching often requires system reboot • Before installation of a patch: – Vendor certification—typically one week – Lab testing by operator – Staged deployment on less critical systems first – Avoid interrupting any critical process phases
Limited use of Host Anti-Virus • AV operations can cause significant system disruption at inopportune times – 3am is no better than any other time for a full disk scan on a system that operates 24x7x365 • ICS vendors only beginning to support anti-virus – Anti-virus is only as good as the signature set – Signatures may require testing just like patches • AV may be losing ground in enterprise deployments – impact on hosts, endpoint security not getting better – virus writers have learned to test against dominant AV • application whitelisting can be a good alternative – enumerate goodness rather than badness
Poor Authentication and Authorization • Machine-to-machine comms involve no “user” • Many ICS have poor authentication mechanisms and very limited authorization mechanisms • Many protocols use cleartext passwords • Many ICS devices lack crypto support • Sometimes passwords left at vendor default • Device passwords are hard to manage appropriately – Often one password is shared amongst all devices and all users and seldom if ever changed – This is happening AGAIN in Smart Meter deployments!
Poor Audit and Logging • Many ICS have poor or non-existent support for logging security-related actions – Attempted or successful intrusions may go unnoticed • Where IDS logs are kept, they are often not reviewed • Various regulatory requirements are driving some change in this area – NERC—North American Electric Reliability Corporation – FERC—Federal Energy Regulatory Commission – Sarbanes Oxley and PCAOB (Public Company Accounting Oversight Board) – FISMA—Federal Information Security Management Act
Unmanned Field Sites • Many unmanned field sites • Many with dialup access • Some with high-speed connectivity to control center • Most with poor authentication and authorization backdoor to the control center!
Legacy Equipment • Much legacy equipment • Usually impossible to update to add security features • Difficult to protect legacy communications – but see IEEE P1711 for serial encryption • Password protection is weak • Little or no audit and logging
Unauthorized Applications • Unauthorized apps installed on ICS systems can interfere with ICS operation • Many types of unauthorized apps have been found during security audits – Instant messaging – P2P file sharing – DVD and MPEG video players – Games, including Internet-based – Web browsers
Inappropriate Use of ICS Desktops • Web browsing from HMI can infect ICS – Browser vulnerabilities – Downloads – Cross-site scripting – Spyware • Email to/from control servers can infect ICS – Sendmail and outlook vulnerabilities • Disk storage exhaustion can crash OS – Storage of music, videos
Little or No Cyber Security Monitoring • internal monitoring is essential to detect low profile compromises – IDS – port scanning – vulnerability scanning – system audit • without internal monitoring don’t know whether systems have been compromised
Requirement for 3rd Party Access • Firmware updates and PLC, IED programming are sometimes done by vendor – Many ICS have open maintenance ports – Infected vendor laptops can bring down ICS • Partners may require continuous status information – Partner access is often poorly secured – Partner channels can serve as backdoors • 3rd parties may include: – ISO, transmission provider or grid neighbor, equipment vendor, emissions monitoring service or agency, water level monitoring agency, vibration monitoring service, etc.
People Issues • ICS network often managed by “Control Systems Department”, distinct from “IT Department” running enterprise network – ICS personnel are not IT or networking experts – IT personnel are not ICS experts • Majority of control systems workforce is older and nearing retirement – Few young people entering this field – Few academic programs
Harsh Environments • Temperature • Vibration • Dust • Humidity • Electrical Transients
Attack Vectors into Control Systems Includes Infected Laptops and Is Growing Source: 2003–2006 data from Eric Byres, BCIT
Security Assessments on ICS • Various groups perform security assessments and penetration tests on ICS (generally under NDA) – Idaho National Labs – Sandia National Labs – N-Dimension Solutions – Other private organizations • Vulnerability assessments always uncover problems • For penetration tests, we always get in – Not a question of “if”, but “how long”
Other Issues • Unusual physical topologies • Many special purpose, limited function devices • Static network configurations • Multicast • Long service lifetimes
For More Information ... • See Smart Grid Cyber Security Strategy and Requirements, NISTIR 7628, www.nist.gov/smartgrid – particularly Appendices C and D
ACM CCS Tutorial Nov. 2009 Today’s Threats
Hiroshima, 2.0 – Cyberspying of the US Electric Grid (April 09) Cyberspies penetrate electrical grid (April 09) 'Smart Grid' vulnerable to hackers (March 09) CIA: Hackers Have Attacked Foreign Utilities (Jan 2008) President Obama: securing the electric infrastructure is a national security priority (June 09) Smart Grid Security Frenzy: Cyber War Games, Worms and Spies in Smart Grid (June 09) earth2tech.com Intense Media Visibility on the Cyber Security Issue
Limited Information About Incidents • Little information sharing about actual attacks – BCIT incident database has about 30 incidents per year vs. 100s of thousands of incidents per year in CERT database – Few cyber attacks on ICS for which details are public • Little information sharing about actual vulnerabilities – some are not easily or rapidly fixed – assessments are done under NDA • Difficult to estimate risk – Difficult to demonstrate ROI for security spending • But… lots of data about significant financial losses in enterprise and e-commerce – Why would control systems be immune?
Accidents Happen ...
Attacks Can Cause Similar Results INL National Lab Aurora Demonstration, March 2007
Regulators provide Smart Grid Stimulus Funding criteria - cyber security is mandatory (June 09) FERC releases Smart Grid Policy - cyber security mandatory for Utility rate recovery (July 09) Strengthened Cyber Security Standards Approved for North American Utilities (May 09) AMI-SEC working group developed security requirements for AMI AMI-SEC Task Force NIST developing interoperability and security standards for Smart Grid Ontario Green Energy Act Drives Smart Grid With Security (May 09) Cyber Security Regulatory Requirements
ACM CCS Tutorial Nov. 2009 Securing Control Systems
Adversaries • Script kiddies • Hackers • Organized crime • Disgruntled insiders • Competitors • Terrorists • Hactivists • Eco-terrorists • Nation states
How an Attack Proceeds—Step #1 Internet Modem Pool Web Server Email Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Database Server Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI
How an Attack Proceeds—Step #2 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
How an Attack Proceeds—Step #3 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
How an Attack Proceeds—Step #4 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
How an Attack Proceeds—Step #5 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
How an Attack Proceeds—Step #6 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Email Server Database Server
How an Attack Proceeds—Step #7 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED Email Server IED Database Server
Defending ICS • Separate control network from enterprise network – Harden connection to enterprise network – Protect all points of entry with strong authentication – Make reconnaissance difficult from outside • Harden interior of control network – Make reconnaissance difficult from inside – Avoid single points of vulnerability – Frustrate opportunities to expand a compromise • Harden field sites and partner connections – mutual distrust • Monitor both perimeter and inside events • Periodically scan for changes in security posture
Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
Logical Overlay on SP99 / Purdue Model of Control Site Business Planning and Logistics Network Batch Control Discrete Control Supervisory Control Hybrid Control Supervisory Control Enterprise Network Patch Mgmt Web Services Operations AV Server Application Server Email, Intranet, etc. Production Control Historian Optimizing Control Engineering Station Continuous Control Terminal Services Historian (Mirror) Site Operations and Control Area Supervisory Control Basic Control Process Control Zone Enterprise Zone DMZ Level 5 Level 3 Level 1 Level 0 Level 2 Level 4 HMI HMI
Logical Architecture • Enterprise Zone contains typical business systems – Email, web, office apps, etc. • DMZ provides business connectivity – Contains only non-critical systems that need access to both Control and Enterprise Zones – Enforces separation between Enterprise and Control Zones – Consists of multiple functional sub-zones • Separated by Firewall, IPS, Anti-Virus, etc. • Control Zone demarcates critical control systems – Consists of multiple functional sub-zones • Internally protected by Firewall, IDS, Anti-Virus, etc.
How NOT to connect Control / Enterprise • Dual-homed server • Dual-homed server with Host IPS / AV • Router with packet filter ACLs • Two-port Firewall • Router + Firewall combination • See NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, NISCC and BCIT, Feb 2005
Web Services Operations Application Server Historian Mirror DMZ DMZ—Logical View Patch Mgmt AV Proxy Terminal Services No Direct Traffic Emergency Disconnect Emergency Disconnect Multiple Functional Sub-Zones VPN IPS Scan FW AV Host AV Proxy Host IPS IDS IDS
DMZ Design Principles • DMZ contains non-critical systems • Multiple functional security sub-zones • Traffic between sub-zones undergoes firewall (& IPS or IDS) • DMZ is only path in/out of Control Zone • Default deny for all firewall interfaces • No direct traffic across DMZ • No control traffic to outside • Limited outbound traffic from Control Zone • Very limited inbound traffic to Control Zone • No common ports between outside & inside • Emergency disconnect at inside or outside • No network management from outside • Cryptographic VPN and Firewall to all 3rd party connections
DMZ Implementation (1) DMZ LAN 3 DMZ LAN 4 DMZ LAN 2 NAT Routing FW IPS Security Appliance With Multiple Ports DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus
DMZ Implementation (2) dot1q trunk DMZ VLAN 3 DMZ VLAN 4 DMZ VLAN 2 NAT Routing FW IPS VLAN Security Appliance VLAN-capable L2 switch DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus NOT L3!
DMZ Implementation • Sub-zones implemented by physical LANs or VLANs – Physical LANs require multi-port Security Appliance – VLANs require: • VLAN-capable Security Appliance and Switch • anti-VLAN hopping protections on switch and FW • NO L3 (routing) on switch • FW implements policy between – DMZ LANs, Enterprise Zone, Control Zone • Anti-virus proxy controls outbound HTTP and/or FTP access to enterprise or Internet resources • Host IPS and/or Host Anti-virus protects DMZ servers
Remote Access DMZ AAA Server Certificate Authority Terminal Services DMZ/Control Interconnect WAN/LAN Enterprise LAN Remote Access Pool Remote Access VPN
Remote Access • Security Appliance terminates Host-to-site VPN into remote access pool – IPSEC VPN, SSL VPN, PPTP VPN • Authenticates user via: – AAA server, LDAP, Active Directory, etc. – Can enforce use of multi-factor hardware token • Time-varying password tokens for vendor access • Clients use VNC, Citrix, or Remote Desktop (RDP) to connect to Terminal Server • Then VNC, Citrix, RDP, or Control System Apps to Control System Servers
Control Zone—Logical View Batch Control Discrete Control Supervisory Control Hybrid Control Supervisory Control Production Control Historian Optimizing Control Engineering Station Continuous Control Site Operations and Control Area Supervisory Control Basic Control Process Control Zone Level 3 Level 1 Level 0 Level 2 HMI HMI DMZ
Control Zone Design Principles • Multiple functional security sub-zones • Firewall and IDS between sub-zones • Minimal number of connections to DMZ • Control Zone independent of DMZ, Enterprise – Separate Security Appliance from DMZ – Separate Time Server – Separate AAA – Allows emergency disconnect from DMZ • Cryptographic VPN and Firewall to all offsite IP connections (Field Site or Partner) • IEEE P1711 for all offsite serial ICS connections • Host IDS, Host AV, or app whitelisting where feasible • Management only from management zone
Control Zone Implementation—Hierarchical • Fast routing between VLANs via L3 switch • ACLs between VLANs but no Stateful Firewall Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
Control Zone Implementation—Ring • Ring reduces wiring for linear sites like power dams • but spanning tree can have problems with large rings Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
Firewall IDS/IPS Client VPN Proxy Network AV Host IDS/IPS NAC Site-to-site VPN DMZ Perimeter Protection in Utilities
IDS Port Scan Vuln Scan Firewall NAC SCADA VPN Firewall SCADA VPN Port Scan IDS Interior Protection in Utilities
Log Analyze Report Compliance Managed Security Monitor, Log, Analyze, Report
• Planning, processes, procedures, physical security, etc. are also important • NERC CIP Regulatory Requirements provide reasonably good guidance in this area: • CIP-001: Sabotage Reporting • CIP-002: Critical Cyber Asset Identification • CIP-003: Security Management Controls • CIP-004: Personnel & Training • CIP-005: Electronic Security Perimeters • CIP-006: Physical Security • CIP-007: Systems Security Management • CIP-008: Incident Reporting & Response Planning • CIP-009: Recovery Plans for Critical Cyber Assets See www.nerc.com -> Standards -> Reliability Standards -> CIP Beyond Network Security
Summary • Today’s ICS are mix of modern and legacy – vulnerabilities due to both lack of security design in legacy and security issues in newer equipment • Defense in depth is essential – both perimeter (DMZ) and interior security are crucial • Regulation and government action is driving change • Smart Grid must be designed with strong security
ACM CCS Tutorial Nov. 2009 Thanks! andrew.wright@n-dimension.com
Standards Efforts • NERC CIPs • NIST Smart Grid Interoperability Standards Project • NIST SP800-82 • NIST SP800-53 • NIST PCSRF Protection Profiles • AMI-SEC • ISA SP99 • ODVA • IEEE P1711 (AGA 12) -- serial SCADA encryption
A Few References • www.nist.gov/smartgrid • Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8 • Guide to SCADA and Industrial Control System Security, NIST SP800-82 • ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm? MicrositeID=988&CommitteeID=6821 • AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net

More Related Content

PPT
Power Grid Communications & Control Systems
fajjarrehman
 
PPTX
640-554 IT Certification and Career Paths
hibaehed
 
PPT
intrusion detection system (IDS)
Aj Maurya
 
PPTX
Cybersecurity for Industrial Plants: Threats and Defense Approach - Dave Hreha
Schneider Electric
 
PPT
Firewall in tell communication_Basics.ppt
MohammedAli580048
 
PDF
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
PDF
Controlling Access to IBM i Systems and Data
Precisely
 
PDF
How we breach small and medium enterprises (SMEs)
NCC Group
 
Power Grid Communications & Control Systems
fajjarrehman
 
640-554 IT Certification and Career Paths
hibaehed
 
intrusion detection system (IDS)
Aj Maurya
 
Cybersecurity for Industrial Plants: Threats and Defense Approach - Dave Hreha
Schneider Electric
 
Firewall in tell communication_Basics.ppt
MohammedAli580048
 
Track 5 session 1 - st dev con 2016 - need for security for iot
ST_World
 
Controlling Access to IBM i Systems and Data
Precisely
 
How we breach small and medium enterprises (SMEs)
NCC Group
 

Similar to Control system including PLC cybersecurity (20)

PDF
Ch 9: Embedded Operating Systems: The Hidden Threat
Sam Bowne
 
PDF
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
PPTX
Slide Deck CISSP Class Session 5
FRSecure
 
PDF
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PROIDEA
 
PDF
Ccna sec 01
EduclentMegasoftel
 
PDF
CNIT 123: 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
PDF
Ch 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
PDF
Secure IOT Gateway
LF Events
 
PPTX
501 ch 5 securing hosts and data
gocybersec
 
PPTX
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
Waqas Ahmed Nawaz
 
PPTX
Network security and firewalls
Murali Mohan
 
PPT
Information Security Audit and Analysis Module
AvinashAvuthu2
 
PPTX
IT Security: Eliminating threats with effective network & log analysis
ManageEngine, Zoho Corporation
 
PPTX
Design Like a Pro: SCADA Security Guidelines
Inductive Automation
 
PPTX
Design Like a Pro: SCADA Security Guidelines
Inductive Automation
 
PPTX
Science DMZ security
Jisc
 
PDF
network-security-arch Firewall Access Control.pdf
ssuser1f701f
 
PDF
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 
PDF
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
PDF
ITN6_Instructor_Materials_Chapter11.pdf
ThangDang53
 
Ch 9: Embedded Operating Systems: The Hidden Threat
Sam Bowne
 
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
Slide Deck CISSP Class Session 5
FRSecure
 
PLNOG 8: Merike Kaeo - Guide to Building Secure Infrastructures
PROIDEA
 
Ccna sec 01
EduclentMegasoftel
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Sam Bowne
 
Secure IOT Gateway
LF Events
 
501 ch 5 securing hosts and data
gocybersec
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 11
Waqas Ahmed Nawaz
 
Network security and firewalls
Murali Mohan
 
Information Security Audit and Analysis Module
AvinashAvuthu2
 
IT Security: Eliminating threats with effective network & log analysis
ManageEngine, Zoho Corporation
 
Design Like a Pro: SCADA Security Guidelines
Inductive Automation
 
Design Like a Pro: SCADA Security Guidelines
Inductive Automation
 
Science DMZ security
Jisc
 
network-security-arch Firewall Access Control.pdf
ssuser1f701f
 
PT-DTS SCADA Security using MaxPatrol
Shah Sheikh
 
CNIT 121: 3 Pre-Incident Preparation
Sam Bowne
 
ITN6_Instructor_Materials_Chapter11.pdf
ThangDang53
 
Ad

Recently uploaded (20)

PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PPTX
Welding lecture in detail for understanding
sahilpoonia10
 
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PDF
PPT on Performance Review to get promotions
prashant593122
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PPTX
Construction Project Organization Group 2.pptx
vj5agdales
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
PPTX
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
PPTX
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
PPTX
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
rubeshbme
 
PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Welding lecture in detail for understanding
sahilpoonia10
 
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PPT on Performance Review to get promotions
prashant593122
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
Construction Project Organization Group 2.pptx
vj5agdales
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
IJAEMSJORNAL
 
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
Alberto González Trastoy
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
rubeshbme
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
Ad

Control system including PLC cybersecurity

  • 1. Cyber Security Solutions For <Client Name> Cyber Security Issues & Securing Control Systems
  • 2. Power Grid Communications & Control Systems borrowed from NIST Smart Grid Twiki Internet Control Systems
  • 3. Agenda • High-Level – Industrial Control Systems and Cyber Security Issues – Securing Control Systems such PLC • Detailed – Security Issues in Industrial Control Systems – Today’s Threats – Securing Control Systems
  • 4. A Control System Sensor(s) + Actuator(s) + Controller(s)
  • 5. Types of Industrial Control Systems (ICS) Supervisory Control And Data Acquisition (SCADA) Automation Programmable Logic controller (PLC) Distributed Control Systems (DCS)
  • 6. Historical ICS • Proprietary • Complete vertical solutions • Customized • Specialized communications – Wired, fiber, microwave, dialup, serial, etc. – 100s of different protocols – Slow; e.g. 1200 baud • Long service lifetimes: 15–20 years • Not designed with security in mind
  • 7. Third Party Controllers, Servers, etc. Serial, OPC or Fieldbus Engineering Workplace Device Network Firewall Services Network Third Party Application Server Application Server Historian Server Workplaces Enterprise Optimization Suite Mobile Operator Connectivity Server Control Network Redundant Enterprise Network Serial RS485 Modern ICS Trends IP Internet Enterprise Network
  • 8. Technology Trends in ICS • COTS (Commercial-Off-The-Shelf) technologies – Operating systems—Windows, WinCE, embedded RTOSes – Applications—Databases, web servers, web browsers, etc. – IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc. – Networking equipment—switches, routers, firewalls, etc. • Connectivity of ICS to enterprise LAN – Improved business visibility, business process efficiency – Remote access to control center and field devices • IP Networking – Common in higher level networks, gaining in lower levels – Many legacy protocols wrapped in TCP or UDP – Most new industrial devices have Ethernet ports – Most new ICS architectures are IP-based
  • 9. New IP-Based Industrial Control Systems • ODVA (Rockwell) • Profinet • Foundation Fieldbus HSE • Telvent • ABB 800xA • Honeywell Experion • Emerson DeltaV • Yokogawa VNET/IP • Invensys Infusion • Survalent • IP to the Control Network or even Device Network • Not all are fully compatible with “ordinary IP”
  • 10. Security Risks to Modern ICS • COTS + IP + connectivity = many security risks • All of those of Enterprise networks and more Worms and Viruses Legacy OSes and applications DOS and DDOS impairing availability Inability to limit access Unauthorized access Inability to revoke access Unknown access Unexamined system logs Unpatched systems Accidental misconfiguration Little or no use of anti-virus Improperly secured devices Limited use of host-based firewalls Improperly secured wireless Improper use of ICS workstations Unencrypted links to remote sites Unauthorized applications Passwords sent in clear text Unnecessary applications Default passwords Open FTP, Telnet, SNMP, HTML ports Password management problems Fragile control devices Default OS security configurations Network scans by IT staff Unpatched routers / switches
  • 11. When ICS Security Fails • Loss of production • Penalties • Lawsuits • Loss of public trust • Loss of market value • Physical damage • Environmental damage • Injury • Loss of life • USSR pipeline explosion, 1982 • Bellingham pipeline rupture, 1999 • Queensland sewage release, 2000 • Davis Besse nuclear plant infection, 2003 • Northeast USA blackout, 2003 • Browns Ferry nuclear plant scram, 2006 $$$.$$
  • 12. ACM CCS Tutorial Nov. 2009 So How Do We Secure Industrial Control Systems?
  • 13. Defense in Depth • Perimeter Protection – Firewall, IPS, VPN, AV – Host IDS, Host AV – DMZ • Interior Security – Firewall, IDS, VPN, AV – Host IDS, Host AV – IEEE P1711 (AGA 12) – NAC – Scanning • Monitoring • Management IDS Intrusion Detection System IPS Intrusion Prevention System DMZ DeMilitarized Zone VPN Virtual Private Network (cryptographic) AV Anti-Virus (anti-malware) NAC Network Admission Control
  • 14. Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
  • 15. ACM CCS Tutorial Nov. 2009 Security Issues in Industrial Control Systems
  • 16. Availability, Integrity and Confidentiality • Enterprise networks require C-I-A – Confidentiality of intellectual property matters most • ICS requires A-I-C – Availability and integrity of control matters most – control data has low entropy—little need for confidentiality – Many ICS vendors provide six 9’s of availability • Ensuring availability is hard – Cryptography does not help (directly) – DOS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high MTBF • Security must not reduce availability!
  • 17. DoS and DDoS Attacks • Denial of Service (DoS) attack overwhelms a system with too many packets/requests – Exhausts TCP stack or application resources – Defenses include connection limits in firewall • Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system – No single point of attack – Requires sophisticated, coordinated defenses – Weapon of choice for hackers, hacktivists, cyber-extortionists • DoS, DDoS particularly effective when Availability is critical, i.e. against ICS
  • 18. Fragile ICS Devices • Many IP stack implementations are fragile – Some devices lockup on ping sweep or NMAP scan – Numerous incidents of ICS shut down by uninformed IT staff running a well-intentioned vulnerability scan • Modern ICS devices are much more complex – Some IEDs include web server for configuration and status – More lines of code leads to more bugs – Modern IEDs require patching just like servers
  • 19. Unpatched Systems • Many ICS systems are not patched current – Particularly Windows servers – No patches available for older versions of windows • OS and application patches can break ICS – OS patches are tested for enterprise apps • Uncertified patches can invalidate warranty • Patching often requires system reboot • Before installation of a patch: – Vendor certification—typically one week – Lab testing by operator – Staged deployment on less critical systems first – Avoid interrupting any critical process phases
  • 20. Limited use of Host Anti-Virus • AV operations can cause significant system disruption at inopportune times – 3am is no better than any other time for a full disk scan on a system that operates 24x7x365 • ICS vendors only beginning to support anti-virus – Anti-virus is only as good as the signature set – Signatures may require testing just like patches • AV may be losing ground in enterprise deployments – impact on hosts, endpoint security not getting better – virus writers have learned to test against dominant AV • application whitelisting can be a good alternative – enumerate goodness rather than badness
  • 21. Poor Authentication and Authorization • Machine-to-machine comms involve no “user” • Many ICS have poor authentication mechanisms and very limited authorization mechanisms • Many protocols use cleartext passwords • Many ICS devices lack crypto support • Sometimes passwords left at vendor default • Device passwords are hard to manage appropriately – Often one password is shared amongst all devices and all users and seldom if ever changed – This is happening AGAIN in Smart Meter deployments!
  • 22. Poor Audit and Logging • Many ICS have poor or non-existent support for logging security-related actions – Attempted or successful intrusions may go unnoticed • Where IDS logs are kept, they are often not reviewed • Various regulatory requirements are driving some change in this area – NERC—North American Electric Reliability Corporation – FERC—Federal Energy Regulatory Commission – Sarbanes Oxley and PCAOB (Public Company Accounting Oversight Board) – FISMA—Federal Information Security Management Act
  • 23. Unmanned Field Sites • Many unmanned field sites • Many with dialup access • Some with high-speed connectivity to control center • Most with poor authentication and authorization backdoor to the control center!
  • 24. Legacy Equipment • Much legacy equipment • Usually impossible to update to add security features • Difficult to protect legacy communications – but see IEEE P1711 for serial encryption • Password protection is weak • Little or no audit and logging
  • 25. Unauthorized Applications • Unauthorized apps installed on ICS systems can interfere with ICS operation • Many types of unauthorized apps have been found during security audits – Instant messaging – P2P file sharing – DVD and MPEG video players – Games, including Internet-based – Web browsers
  • 26. Inappropriate Use of ICS Desktops • Web browsing from HMI can infect ICS – Browser vulnerabilities – Downloads – Cross-site scripting – Spyware • Email to/from control servers can infect ICS – Sendmail and outlook vulnerabilities • Disk storage exhaustion can crash OS – Storage of music, videos
  • 27. Little or No Cyber Security Monitoring • internal monitoring is essential to detect low profile compromises – IDS – port scanning – vulnerability scanning – system audit • without internal monitoring don’t know whether systems have been compromised
  • 28. Requirement for 3rd Party Access • Firmware updates and PLC, IED programming are sometimes done by vendor – Many ICS have open maintenance ports – Infected vendor laptops can bring down ICS • Partners may require continuous status information – Partner access is often poorly secured – Partner channels can serve as backdoors • 3rd parties may include: – ISO, transmission provider or grid neighbor, equipment vendor, emissions monitoring service or agency, water level monitoring agency, vibration monitoring service, etc.
  • 29. People Issues • ICS network often managed by “Control Systems Department”, distinct from “IT Department” running enterprise network – ICS personnel are not IT or networking experts – IT personnel are not ICS experts • Majority of control systems workforce is older and nearing retirement – Few young people entering this field – Few academic programs
  • 30. Harsh Environments • Temperature • Vibration • Dust • Humidity • Electrical Transients
  • 31. Attack Vectors into Control Systems Includes Infected Laptops and Is Growing Source: 2003–2006 data from Eric Byres, BCIT
  • 32. Security Assessments on ICS • Various groups perform security assessments and penetration tests on ICS (generally under NDA) – Idaho National Labs – Sandia National Labs – N-Dimension Solutions – Other private organizations • Vulnerability assessments always uncover problems • For penetration tests, we always get in – Not a question of “if”, but “how long”
  • 33. Other Issues • Unusual physical topologies • Many special purpose, limited function devices • Static network configurations • Multicast • Long service lifetimes
  • 34. For More Information ... • See Smart Grid Cyber Security Strategy and Requirements, NISTIR 7628, www.nist.gov/smartgrid – particularly Appendices C and D
  • 35. ACM CCS Tutorial Nov. 2009 Today’s Threats
  • 36. Hiroshima, 2.0 – Cyberspying of the US Electric Grid (April 09) Cyberspies penetrate electrical grid (April 09) 'Smart Grid' vulnerable to hackers (March 09) CIA: Hackers Have Attacked Foreign Utilities (Jan 2008) President Obama: securing the electric infrastructure is a national security priority (June 09) Smart Grid Security Frenzy: Cyber War Games, Worms and Spies in Smart Grid (June 09) earth2tech.com Intense Media Visibility on the Cyber Security Issue
  • 37. Limited Information About Incidents • Little information sharing about actual attacks – BCIT incident database has about 30 incidents per year vs. 100s of thousands of incidents per year in CERT database – Few cyber attacks on ICS for which details are public • Little information sharing about actual vulnerabilities – some are not easily or rapidly fixed – assessments are done under NDA • Difficult to estimate risk – Difficult to demonstrate ROI for security spending • But… lots of data about significant financial losses in enterprise and e-commerce – Why would control systems be immune?
  • 39. Attacks Can Cause Similar Results INL National Lab Aurora Demonstration, March 2007
  • 40. Regulators provide Smart Grid Stimulus Funding criteria - cyber security is mandatory (June 09) FERC releases Smart Grid Policy - cyber security mandatory for Utility rate recovery (July 09) Strengthened Cyber Security Standards Approved for North American Utilities (May 09) AMI-SEC working group developed security requirements for AMI AMI-SEC Task Force NIST developing interoperability and security standards for Smart Grid Ontario Green Energy Act Drives Smart Grid With Security (May 09) Cyber Security Regulatory Requirements
  • 41. ACM CCS Tutorial Nov. 2009 Securing Control Systems
  • 42. Adversaries • Script kiddies • Hackers • Organized crime • Disgruntled insiders • Competitors • Terrorists • Hactivists • Eco-terrorists • Nation states
  • 43. How an Attack Proceeds—Step #1 Internet Modem Pool Web Server Email Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Database Server Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI
  • 44. How an Attack Proceeds—Step #2 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
  • 45. How an Attack Proceeds—Step #3 Internet Modem Pool Web Server Business Workstation Data Historian Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Web Server Management Console HMI Email Server Database Server
  • 46. How an Attack Proceeds—Step #4 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
  • 47. How an Attack Proceeds—Step #5 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Vendor Web Server Email Server Database Server
  • 48. How an Attack Proceeds—Step #6 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED IED Email Server Database Server
  • 49. How an Attack Proceeds—Step #7 Internet Modem Pool Web Server Web Server Business Workstation Data Historian Management Console HMI Engineering Workstation FEP RTU Control System Network Enterprise Network Domain Name Server (DNS) enterprise Firewall ICS Firewall Attacker IED Email Server IED Database Server
  • 50. Defending ICS • Separate control network from enterprise network – Harden connection to enterprise network – Protect all points of entry with strong authentication – Make reconnaissance difficult from outside • Harden interior of control network – Make reconnaissance difficult from inside – Avoid single points of vulnerability – Frustrate opportunities to expand a compromise • Harden field sites and partner connections – mutual distrust • Monitor both perimeter and inside events • Periodically scan for changes in security posture
  • 51. Internet Enterprise Network Control Network Field Site Field Site Field Site Partner Site VPN VPN FW FW IPS IDS IT Stuff Scan AV FW IPS P1711 FW AV Host IPS Host AV Proxy Host IDS Host AV IDS Scan NAC NAC 62351 Log Mgmt Event Mgmt Reporting 50000 Foot View IT Stuff VPN
  • 52. Logical Overlay on SP99 / Purdue Model of Control Site Business Planning and Logistics Network Batch Control Discrete Control Supervisory Control Hybrid Control Supervisory Control Enterprise Network Patch Mgmt Web Services Operations AV Server Application Server Email, Intranet, etc. Production Control Historian Optimizing Control Engineering Station Continuous Control Terminal Services Historian (Mirror) Site Operations and Control Area Supervisory Control Basic Control Process Control Zone Enterprise Zone DMZ Level 5 Level 3 Level 1 Level 0 Level 2 Level 4 HMI HMI
  • 53. Logical Architecture • Enterprise Zone contains typical business systems – Email, web, office apps, etc. • DMZ provides business connectivity – Contains only non-critical systems that need access to both Control and Enterprise Zones – Enforces separation between Enterprise and Control Zones – Consists of multiple functional sub-zones • Separated by Firewall, IPS, Anti-Virus, etc. • Control Zone demarcates critical control systems – Consists of multiple functional sub-zones • Internally protected by Firewall, IDS, Anti-Virus, etc.
  • 54. How NOT to connect Control / Enterprise • Dual-homed server • Dual-homed server with Host IPS / AV • Router with packet filter ACLs • Two-port Firewall • Router + Firewall combination • See NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, NISCC and BCIT, Feb 2005
  • 56. DMZ Design Principles • DMZ contains non-critical systems • Multiple functional security sub-zones • Traffic between sub-zones undergoes firewall (& IPS or IDS) • DMZ is only path in/out of Control Zone • Default deny for all firewall interfaces • No direct traffic across DMZ • No control traffic to outside • Limited outbound traffic from Control Zone • Very limited inbound traffic to Control Zone • No common ports between outside & inside • Emergency disconnect at inside or outside • No network management from outside • Cryptographic VPN and Firewall to all 3rd party connections
  • 57. DMZ Implementation (1) DMZ LAN 3 DMZ LAN 4 DMZ LAN 2 NAT Routing FW IPS Security Appliance With Multiple Ports DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus
  • 58. DMZ Implementation (2) dot1q trunk DMZ VLAN 3 DMZ VLAN 4 DMZ VLAN 2 NAT Routing FW IPS VLAN Security Appliance VLAN-capable L2 switch DMZ/Control Interconnect WAN/LAN Enterprise LAN Anti-Virus Proxy Host IPS / Anti-virus NOT L3!
  • 59. DMZ Implementation • Sub-zones implemented by physical LANs or VLANs – Physical LANs require multi-port Security Appliance – VLANs require: • VLAN-capable Security Appliance and Switch • anti-VLAN hopping protections on switch and FW • NO L3 (routing) on switch • FW implements policy between – DMZ LANs, Enterprise Zone, Control Zone • Anti-virus proxy controls outbound HTTP and/or FTP access to enterprise or Internet resources • Host IPS and/or Host Anti-virus protects DMZ servers
  • 61. Remote Access • Security Appliance terminates Host-to-site VPN into remote access pool – IPSEC VPN, SSL VPN, PPTP VPN • Authenticates user via: – AAA server, LDAP, Active Directory, etc. – Can enforce use of multi-factor hardware token • Time-varying password tokens for vendor access • Clients use VNC, Citrix, or Remote Desktop (RDP) to connect to Terminal Server • Then VNC, Citrix, RDP, or Control System Apps to Control System Servers
  • 63. Control Zone Design Principles • Multiple functional security sub-zones • Firewall and IDS between sub-zones • Minimal number of connections to DMZ • Control Zone independent of DMZ, Enterprise – Separate Security Appliance from DMZ – Separate Time Server – Separate AAA – Allows emergency disconnect from DMZ • Cryptographic VPN and Firewall to all offsite IP connections (Field Site or Partner) • IEEE P1711 for all offsite serial ICS connections • Host IDS, Host AV, or app whitelisting where feasible • Management only from management zone
  • 64. Control Zone Implementation—Hierarchical • Fast routing between VLANs via L3 switch • ACLs between VLANs but no Stateful Firewall Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
  • 65. Control Zone Implementation—Ring • Ring reduces wiring for linear sites like power dams • but spanning tree can have problems with large rings Level 1 Level 2 Level 3 Control Zone dot1q Trunks L3 L3 L2 L2 QoS, Shaping, Policing Port Security Gigabit 10/100 DMZ/Control Interconnect WAN/LAN SPAN IDS Scan FW FW Host IDS Host AV
  • 66. Firewall IDS/IPS Client VPN Proxy Network AV Host IDS/IPS NAC Site-to-site VPN DMZ Perimeter Protection in Utilities
  • 67. IDS Port Scan Vuln Scan Firewall NAC SCADA VPN Firewall SCADA VPN Port Scan IDS Interior Protection in Utilities
  • 69. • Planning, processes, procedures, physical security, etc. are also important • NERC CIP Regulatory Requirements provide reasonably good guidance in this area: • CIP-001: Sabotage Reporting • CIP-002: Critical Cyber Asset Identification • CIP-003: Security Management Controls • CIP-004: Personnel & Training • CIP-005: Electronic Security Perimeters • CIP-006: Physical Security • CIP-007: Systems Security Management • CIP-008: Incident Reporting & Response Planning • CIP-009: Recovery Plans for Critical Cyber Assets See www.nerc.com -> Standards -> Reliability Standards -> CIP Beyond Network Security
  • 70. Summary • Today’s ICS are mix of modern and legacy – vulnerabilities due to both lack of security design in legacy and security issues in newer equipment • Defense in depth is essential – both perimeter (DMZ) and interior security are crucial • Regulation and government action is driving change • Smart Grid must be designed with strong security
  • 71. ACM CCS Tutorial Nov. 2009 Thanks! andrew.wright@n-dimension.com
  • 72. Standards Efforts • NERC CIPs • NIST Smart Grid Interoperability Standards Project • NIST SP800-82 • NIST SP800-53 • NIST PCSRF Protection Profiles • AMI-SEC • ISA SP99 • ODVA • IEEE P1711 (AGA 12) -- serial SCADA encryption
  • 73. A Few References • www.nist.gov/smartgrid • Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8 • Guide to SCADA and Industrial Control System Security, NIST SP800-82 • ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm? MicrositeID=988&CommitteeID=6821 • AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net

Editor's Notes

  • #2: These are functional groupings, not ownership groupings Internet (blue) has touch points with many power grid systems, but there are still significant communications and networks that are not the Internet I will look at various types of Industrial Control Systems (red) used in Generation, Transmission, and Distribution ...
  • #5: Supervisory Control and Data Acquisition (SCADA) Large distances, supervisory control, non-real-time (minutes) Used in power (transmission and distribution), gas, oil, water, wastewater, rail, etc. Process Control Systems (PCS) Closed loop, central control, near real-time (seconds) Used in refining, chemical, food, pharmaceutical, etc. Distributed Control Systems (DCS) Similar to PCS but multiple controllers physically close to processes Used in generation, manufacturing, refining, chemical, food, pharmaceutical, etc. Automation aka Discrete Control Similar to DCS, real-time (milliseconds)
  • #6: the slogan “tomorrow’s technology today” of high-tech industries is turned around in the control systems world to “yesterday’s technology tomorrow”. “security” in power usually means reliability of the grid there is a big difference between “robust to accidental events” and “robust to intentional engineered attacks”
  • #7: at the bottom, IEDs are usually connected to sensors and controllers by automation networks such as HART, Fieldbus, Profibus, or increasingly by Ethernet although one process control vendor already offering IPV6 wireless on battery-powered sensors next level of network consists of ICS master and systems used for operating and managing the ICS next level of network provides advanced applications, such as optimization and gateways to the enterprise network Adoption of COTS (Commercial-Off-The-Shelf) technologies Operating systems—Windows, WinCE, various embedded RTOSes Applications—Databases, web servers, web browsers, etc. IT protocols—HTTP, SMTP, FTP, DCOM, XML, SNMP, etc. COTS software and systems have more capabilities and are cheaper than proprietary systems, and do not leave vendors stranded on out-of-date technology Connectivity of ICS to enterprise LAN Improved business visibility, business process efficiency: eg. supply chain management, production scheduling, order tracking, and fault monitoring (optimize part and supply sourcing, schedule production to better meet business requirements and avoid contract penalties) Remote access to control center and field devices: eg. remote diagnosis and repair, reduction of personnel at remote sites Adoption of IP Networking Common in higher level networks, gaining in lower levels Many legacy protocols wrapped in TCP or UDP Most new industrial devices have Ethernet ports IP penetrating into lower levels of ICS networks due to greater performance, lower cost, more capabilities than proprietary networks Ease of connectivity to other systems Greater performance Lower cost Interoperability Future proofing rate at which these trends are progressing varies between ICS and process control and between control center, communications, and field devices
  • #8: trends relevant to networking and security rate at which these trends are progressing varies between ICS and process control and between control center, communications, and field devices connectivity improves business efficiency by better supply chain management, just-in-time production, order tracking, fault monitoring, etc. in addition to direct optimization of process itself IP networking: Ease of connectivity to other systems Greater performance Lower cost Interoperability Future proofing
  • #11: trojan code inserted by CIA into pipeline control software stolen by USSR caused largest non-nuclear explosion ever observed from space 16” gasoline pipeline ruptured and ignited due to combination of backhoe and non-responsive ICS system, causing fires for 1.5 miles along a creek, 3 deaths, $45M, water treatment plant seriously contaminated disgruntled employee used ICS to release 250,000 gals. sewage slammer worm infected David Besse nuclear plant via contractor’s T1 line, disabled safety systems, fortunately plant was offline blaster worm not primary cause but partly contributed to northeast blackout, economic cost $7-10 Billion, note 2% of US generation has blackstart capability Browns Ferry: root cause of the event was the malfunction of the VFD controller because of broadcast storm on the plant ICS network, possibly due to a malfunctioning, broadcasting PLC Browns Ferry: corrective actions included developing a network firewall device that limits the connections and traffic to any potentially susceptible devices on the plant ICS network
  • #13: There is no silver bullet! not crunchy on the outside, soft and chewy on the inside Scanning – port scanning, vulnerability scanning, arp scanning, wifi scanning
  • #16: importance of availability and integrity impacts security of ICS in a number of ways that we will look at shortly six 9’s means 99.9999% available Cisco IP telephony is five 9’s Bellingham security must not reduce availability – expiry of VPN tunnel certificates, forgotten password, etc.
  • #17: botnet is a collection of computers with backdoor, installed by virus or worm, that can be remotely and anonymously controlled botnets may consist of home PCs without proper firewall and antivirus, but many have also been found within the enterprise networks of large corporations explain e-commerce website extortion attack
  • #18: Browns Ferry
  • #19: No patches available for windows NT, 98, ME Windows 2000 supported only until 2010 Cisco and other released a patch for TCP support Sept 2009 (DOS prevention)
  • #21: Queensland extreme example: password limited to 3 uppercase characters
  • #22: SoX passed in response to scandals like Enron, relates to financial accounting, and the PCAOB auditing standard #2 states “IT Controls should be tested, including controls over relevant assertions related to all significant accounts and disclosures in the financial statements”
  • #26: especially browsing the seedier parts of the web
  • #28: Davis Besse
  • #29: IT department may not want ICS department to have a firewall as this will impede their visibility into and management of ICS network ICS personnel are not IT or networking experts not familiar with advanced networking issues IT personnel are not ICS experts not familiar with different requirements of ICS may not understand why enterprise security policies cannot be applied to ICS
  • #30: motor activated breaker that is not meant to be used when a line is energized, but was opened under a 100 amp load for this experiment. Normally this line carries 2000 amps.
  • #33: extreme environments: heat, cold, dust, vibration, moisture, explosive or flammable gas physical topologies: not building, but star, mesh, bus, and particularly ring, eg. hydro dam special purpose devices (IEDs) cannot run antivirus, NAC clients, etc. multicast is not one to many, but many to a few each long service lifetimes: SEL 10 year warranty
  • #36: <START> Media visibility on this issue started a couple of years ago with CNN coverage of a Homeland Security demonstration showing how easy it is to hack into the grid and destroy a generating plant. Since then the media has been increasing the visibility of the issue … First article described how a smart meter network can be easily hacked into (with $500 of equipment) to turn off power in entire communities and cities.
  • #37: BCIT database (British Columbia Institute of Technology, Eric Byres) requires contribution in order to obtain access business losses to cyber events number in the Billions of dollars annually financials estimate that 2% of incidents that occur are actually reported due to concern for reputation and stock price, and this is likely also true for ICS
  • #38: accidents happen and can have pretty severe consequences fault in a capacitor bank in a residential substation, protection relay fails to trip, overloads a transformer, which vents superheated and vaporized cooling oil, which ignites ...
  • #39: Cooper power systems makes a REID relay that prevents this specific attack
  • #40: <START> Based on: the report of the black-out of 2003 national security concerns recognition that today’s existing electric grid is vulnerable (1980’s level security) There have been extensive cyber security regulatory and standards development initiatives which are driving business opportunity for N-Dimension 1st point: We have just completed assisting Utilities in the US with their stimulus applications and for us this represented a total of $4M of product quotations N-Dimension is on the committees that is driving the standards for the industry (last 4 points)
  • #41: where were we (in the talk), where are we going questions
  • #42: ICS have been compromised by script kiddies and used to store digital music and movies - most likely the kiddies either did not realize or did not care what type of system they were into talks and hacking demonstrations of ICS are beginning to show up at conferences like Black Hat, Defcon organized crime has created a thriving market for zero-day vulnerabilities and botnets disgruntled insiders, whether fired or on strike, know best how to damage the ICS and have the necessary access competitors could use ICS information to manipulate spot markets - anybody remember ENRON? information about ICS systems found on Al Queda computers seized in Afghanistan renewed calls from Al-Queda for specific attacks on oil infrastructure to reduce oil flow to US industries that frequently attract the ire of eco-terrorists tend to be heavy users of ICS other nations have been mapping US infrastructure for over 10 years, and most nations, including the US, now have a cyberwar capability
  • #43: no security thru obscurity
  • #44: this is just one attack scenario of many possible
  • #53: DMZ is somewhat similar to enterprise DMZ but has rather different security properties purpose of DMZ is to provide STRONG separation between enterprise and control zones DMZ contains only non-critical systems that provide enterprise visibility and connectivity fully switched network
  • #54: this slide is in your packet
  • #56: firewall is still logical view NO direct traffic permitted between enterprise and control zone all inbound and outbound traffic must stop at a server in DMZ operations like patch installation must be two-stage process remote administration must go thru a terminal or application server different colored networks are different sub-zones traffic permitted between enterprise, DMZ, and control zones and between different sub-zones only as needed multiple functional sub-zones help contain spread of a worm infection, limit sniffing and scanning by attackers, and aid in management of firewall rules
  • #57: no direct traffic + no common ports stops worms like slammer sub-zones and limited communication slows infection spread and makes network mapping by attackers more difficult control, DMZ independence requires domain servers, AAA, etc. in both zones guest NAC since enterprise zone may not do NAC DMZ independent of Enterprise and Control Zones to allow remediation while disconnected
  • #58: Cisco ASA 5520 or 5540 with Advanced Inspection Module (IPS) Signatures for DNP3, Modbus, ICCP Sub-zones implemented by VLANs All inter-VLAN routing done by ASA L2 switch must be Cisco switch and properly configured to prevent VLAN hopping ACLs on ASA implement policy between DMZ VLANs, Enterprise Zone, Control Zone Cisco Security Agent (CSA) on DMZ servers Signature-less host-based IPS Optional active-standby redundancy DMZ servers can use dual NICs with teaming drivers Optional separate hardware firewall, IOS-based for different implementation, could be managed by IT
  • #59: Cisco ASA 5520 or 5540 with Advanced Inspection Module (IPS) Signatures for DNP3, Modbus, ICCP Sub-zones implemented by VLANs All inter-VLAN routing done by ASA L2 switch must be Cisco switch and properly configured to prevent VLAN hopping ACLs on ASA implement policy between DMZ VLANs, Enterprise Zone, Control Zone Cisco Security Agent (CSA) on DMZ servers Signature-less host-based IPS Optional active-standby redundancy DMZ servers can use dual NICs with teaming drivers Optional separate hardware firewall, IOS-based for different implementation, could be managed by IT
  • #60: implementing sub-zones with physically separate ports may require more expensive ASA and/or more L2 switches L2 switch must be Cisco switch to prevent VLAN hopping teaming drivers with dual DMZ switches for redundancy separate firewall defends against ASA misconfiguration, overload, vulnerabilities ASA 5520 or 5540 with AIM and at least 4 VLANs, one for management, 3 for DMZ sub-zones, or 6+ ports optional separate, different implementation firewall defends against ASA compromise or misconfiguration this slide is in your packet
  • #62: this slide is in your packet
  • #63: user-based ACLs to enforce RBAC on user
  • #64: this slide is in your packet
  • #65: multiple sub-zones, like in DMZ, grouping systems with related functionality optional firewall and IDS between sub-zones if used, IDS, not IPS, to ensure that false positives do not block critical control traffic security management (CSM) and security correlation (MARS) in control zone (these security-critical functions should be given maximum protection and thus NOT placed in DMZ)
  • #66: independence necessary to allow disconnection sub-zones and limited communication slows infection spread and makes network mapping more difficult control zone independence requires domain servers, AAA, etc. in zone port security prevents someone with physical access from connecting a rogue device QoS, traffic policing mitigate impact of worm or misbehaving control system device this slide is in your packet
  • #67: VLAN ACLs restrict traffic between different sub-zones to only that needed good for a small number of vlans as with too many the number of ACLs becomes large
  • #68: VLAN ACLs restrict traffic between different sub-zones to only that needed good for a small number of vlans as with too many the number of ACLs becomes large
  • #74: where we are, where we are going
  • #75: ISA - The Instrumentation, Systems, and Automation Society