Improving SCADA Security
Description: Presented at SCADA Asia Summit, KL, Malaysia, July 2010
Transcript
Improving Control System Security
by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd., A Company of PTT Group
July 2010
About Speaker
• Contributed to Thailand Cyber Crime Act B.E.2550
• Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544)
• Workgroup for CA service standard development
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity taskforce development, Division of Skill Development, Ministry of Labour
Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited, A Company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
Sub Topic:
Examining current security trends and their impact for SCADA systems
Increasing the security and usability of SCADA systems
Understanding tools and techniques to mitigate SCADA security risk
See Videos
1. DHS experiment on hacking to destroy a generator
2. US Power Grid under attack - Clarke
[Diagram: National Critical Infrastructure has Manufacture/Plant Operation Control Systems. Threats shown around it: Adversary/Disgruntled employee; Malicious code/Virus/Worm; Vulnerabilities/Weaknesses; Terrorist/Hacker. Governance shown around it: Government; Law/Compliance/Standard/Guideline; Industry-specific Regulator.]
Simplification
Someone hates someone.
Someone develops a weapon.
Not only someone, but someone else gets in trouble.
Someone (and someone else) has to do something.
Does the system integrator have security in mind?
• Are all possible conditions properly handled?
• Is the program running in the controller security-aware by design?
• The more security, the harder the UAT and commissioning, so it may delay the project payment. Guess what!!! They don’t do it unless explicitly required or asked for.
• Is it in the TOR?
Does the system integrator have security in mind? (cont.)
“None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect.”
Joseph Weiss, executive consultant for KEMA Consulting
http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html
For your TOR/RFP
Educating the Engineering Department
Normal Operation
[Diagram: Operator -> Operator Workstation -> HMI Web & DB Server -> PLC]
Scenario #1.1 Known local admin password (Hacking on Operator workstation)
[Diagram: Hacker knows local admin password -> Connect to Remote Desktop -> Remotely control GUI; Add new user; Open share folder -> Connected GUI’s server (Operator Workstation -> HMI Web & DB Server -> PLC)]
Summary Scenario #1.1 Known local admin password
Required condition:
• Local admin password is known (default password)
• Remote Desktop is opened
Consequence:
• Attacker can take over the system
• Attacker can take over GUI
• Attacker can add new user
• Attacker can open share folder
Remediation:
• Change default password
• Restrict access to Remote Desktop
Scenario #1.2 Unpatched (Hacking on Operator workstation)
[Diagram: Hacker attacks a server vulnerability -> Unpatched, exploited server -> Remotely control GUI; Add new user; Open share folder -> GUI’s server (Operator Workstation -> HMI Web & DB Server -> PLC)]
Summary Scenario #1.2 Unpatched
Required condition:
• Operator workstation is not patched
Consequence:
• Attacker can take over the system
• Attacker can take over GUI
• Attacker can add new user
• Attacker can open share folder
Remediation:
• Regularly update the workstation
• Monitor the system integrity
• Consider intrusion detection system
• Consider security perimeter
Scenario #1.3 Password Sniffing (Hacking on Operator workstation)
[Diagram: Operator -> Operator Workstation -> HMI Web & DB Server -> PLC; the password is sniffed in the network]
Summary Scenario #1.3 Password Sniffing
Required condition:
• Web-based HMI
• Operator sends login password via HTTP
Consequence:
• Password is known to hacker
• Hacker can login to Web-based HMI
Remediation:
• Use HTTPS instead of HTTP
• Consider detection measure
Scenario #1.4 Remember password (Hacking on Operator workstation)
[Diagram: Operator -> Operator Workstation -> HMI Web & DB Server -> PLC; plug in USB U3 thumb drive -> dump “remember password”]
Summary Scenario #1.4 Remember password
Required condition:
• Physical access to system
• Autorun enabled
Consequence:
• Password is stolen
Remediation:
• Limit physical access to system
• Disable Autorun (all drives)
• Don’t use remember password feature
Scenario #2 SQL Injection (Hacking on HMI Web & DB server)
[Diagram: Operator Workstation -> HMI Web & DB Server -> PLC; injection flaw in the web HMI: Delete table; Modify data in table (Insert, Delete, Update)]
Summary Scenario #2 SQL Injection
Required condition:
• Web-based HMI
• SQL Injection flaw
Consequence:
• Direct database manipulation
Remediation:
• Input validation
• Web Application security assessment
• Web Application Firewall (WAF)
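The flaw and the first remediation of Scenario #2 side by side, as an added example that is not from the slides: a web HMI tag lookup that pastes the request parameter into SQL, next to the same lookup with input validation and a parameterised query. The table, tag names and tag naming convention are constructed assumptions.

```python
import re
import sqlite3


def make_tag_db():
    # Constructed in-memory stand-in for the HMI database (not from the slides).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL)")
    db.executemany("INSERT INTO tags VALUES (?, ?)",
                   [("PUMP1_SPEED", 1450.0), ("TANK2_LEVEL", 63.2)])
    db.commit()
    return db


def read_tag_vulnerable(db, tag):
    # Injection flaw: the tag name taken from the HTTP request is pasted
    # straight into the SQL text, so quotes in it change the query itself.
    sql = "SELECT name, value FROM tags WHERE name = '%s'" % tag
    return db.execute(sql).fetchall()


TAG_NAME = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")  # assumed tag naming convention


def read_tag_param_only(db, tag):
    # Parameter binding alone already defeats the tautology: the whole string
    # is compared as data and simply matches no row.
    return db.execute("SELECT name, value FROM tags WHERE name = ?", (tag,)).fetchall()


def read_tag_safe(db, tag):
    # Remediation 1: input validation against an allow-list pattern, so the
    # request is rejected before it reaches the database at all.
    if not TAG_NAME.match(tag):
        raise ValueError("rejected tag name: %r" % tag)
    # Remediation 2: parameterised query; the value is bound, never parsed as SQL.
    return read_tag_param_only(db, tag)


if __name__ == "__main__":
    db = make_tag_db()
    payload = "' OR '1'='1"
    print(read_tag_vulnerable(db, payload))   # every row in the table comes back
    print(read_tag_param_only(db, payload))   # []
    print(read_tag_safe(db, "PUMP1_SPEED"))   # [('PUMP1_SPEED', 1450.0)]
```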
Scenario #3 Direct PLC Manipulation (Hacking on PLC)
[Diagram: Operator Workstation -> HMI Web & DB Server -> PLC; open port 2222/TCP on the PLC: Take control of PLC; Modify PLC data; Disrupt PLC operation (control valve/pump, change PLC mode, system halt)]
Summary Scenario #3 Direct PLC Manipulation
Required condition:
• Port 2222/TCP is opened (Allen Bradley)
• No authentication
• Network routable
Consequence:
• Access PLC’s data table
Remediation:
• Enable authentication where possible
• Routing control / Network isolation (verify)
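One way to do the "verify" part of the Scenario #3 remediation, as an added example that is not from the slides: run the firewall or flow log through a check that flags any host outside the engineering allow-list reaching TCP/2222 on the PLC subnet. The log format, the PLC subnet, the allow-list and the log lines are all constructed assumptions.

```python
import ipaddress
from collections import namedtuple

PLC_PORT = 2222  # TCP port named on the slide for the Allen-Bradley PLC
# Constructed assumptions: the PLC subnet and the only host allowed to reach it.
PLC_NET = ipaddress.ip_network("10.10.1.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.10.0.5")}  # engineering workstation

Flow = namedtuple("Flow", "ts src dst dport proto action")

# Constructed firewall/flow log lines in an assumed format:
# "<timestamp> <src> -> <dst>:<dport>/<proto> <ACCEPT|DENY>"
SAMPLE_LOG = """\
2010-07-01T09:00:01 10.10.0.5 -> 10.10.1.20:2222/tcp ACCEPT
2010-07-01T09:00:07 192.168.50.33 -> 10.10.1.20:2222/tcp ACCEPT
2010-07-01T09:00:09 192.168.50.40 -> 10.10.1.21:2222/tcp DENY
2010-07-01T09:00:12 10.10.0.5 -> 10.10.1.20:80/tcp ACCEPT
""".splitlines()


def parse_flow(line):
    ts, src, _arrow, dst_port, action = line.split()
    dst, port_proto = dst_port.rsplit(":", 1)
    dport, proto = port_proto.split("/")
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.upper(), action.upper())


def plc_access_findings(lines):
    """Return (kind, ts, src, dst) for every non-allow-listed flow to PLC_PORT."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f.dst not in PLC_NET or f.dport != PLC_PORT or f.proto != "TCP":
            continue  # not PLC traffic
        if f.src in ALLOWED_SOURCES:
            continue  # expected engineering access
        if f.action == "ACCEPT":
            # An outside host reached the PLC: the network is routable to it,
            # so the isolation the remediation calls for is not in place.
            findings.append(("UNEXPECTED_PLC_ACCESS", f.ts, str(f.src), str(f.dst)))
        else:
            # Blocked, so isolation held, but the attempt itself deserves an alert.
            findings.append(("BLOCKED_PLC_ATTEMPT", f.ts, str(f.src), str(f.dst)))
    return findings


if __name__ == "__main__":
    for finding in plc_access_findings(SAMPLE_LOG):
        print(*finding)
```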
Qualified professional undersupply
[Diagram: overlapping circles of IT Professional, Infosec Prof. and Control System Prof.; the small intersection is the Control System Cybersecurity Prof.]
The Implication
• Only a small number of professionals have the right competency to help you out
• Collaboration and support from the professional community is highly needed
Available Guidelines
• 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
• Roadmap to Secure Control Systems in the Chemical Sector, US-DHS
• Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, API
• ISA99 - Control Systems Security Model
• ISO27001, ISO27002 (ISO17799)
21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls.
NIST SP800-82
Executive Summary
1. Introduction
2. Overview of Industrial Control Systems
3. ICS Characteristics, Threats and Vulnerabilities
4. ICS Security Program Development and Deployment
5. Network Architecture
6. ICS Security Controls
NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
What are Industrial Control Systems (ICS), SCADA and DCS?
Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment.
There are two primary types of Control Systems.
– Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area.
– Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations.
NIST SP800-82 Final Public DRAFT (Sep. 2008)
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
Major ICS Security Objectives
• Restricting logical access to the ICS network and network activity
– This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
• Restricting physical access to the ICS network and devices
– Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
Key Takeaways for Securing ICS
The most successful method for securing an ICS is to:
• Gather industry recommended practices
• Engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT department, the physical security department, and a trusted automation advisor
• Draw upon the wealth of information available from ongoing federal government, industry group, vendor and standards organizational activities.
ISA 99
Scope - A Broad View
• ISA has taken a broad view:
– Based on function, not industry, type of control or other limited views
• Includes
– SCADA/EMS
– DCS
– PLCs
– RTUs/IEDs
– Transmitters, meters, control valves, to enterprise wide HMIs, …
– Enterprise applications, to the extent they can affect control
• Not limited to one or a few industries or technologies
– In other words, a very broad encompassing definition
ISA SP-99 – Manufacturing and Control Systems Security
Scope of Security Standards
[Diagram: the standards mapped onto the Purdue reference model levels. Level 5: Company Management (Data Presentation, Information). Level 4: Company Production Scheduling (Assignment Scheduling, Supervision). Level 3: Operational & Production Supervision; Production Scheduling & Operational Management. Level 2: Supervisor’s Console (Inter-Area Coordination, Supervisory Control). Level 1: Operator’s Console (Direct Digital Control). Below Level 1: Controllers, Process. Vertical bars spanning the levels: IT Security Policies and Practices (ISO 17799); Mfg Security Policies and Practices (ISA 99); Process Safety (ISA 84, IEC 61508, IEC 61511).]
ISA SP-99 Part 1
• What is included in SP-99 Part 1:
– Definitions of Manufacturing and Control Systems security terms
– Description of the terminology used in security as it applies to Manufacturing and Control Systems
– A Common Model for specifying security requirements for Manufacturing and Control Systems program
– Covers reference architecture for describing the security environment
– The standard is not specific to vendors, customers, or any particular aspect of Manufacturing and Control Systems security
• First ballot expected by Q1 2006
ISA SP-99 Part 2
• What is included in SP-99 Part 2:
– Activity 1 – Develop a Business Case
– Activity 2 – Obtain Leadership Commitment, Support, and Funding
– Activity 3 – Define the Charter and Scope of M&CS Security for Your Company
– Activity 4 – Form a Team of Stakeholders
– Activity 5 – Raise Staff Cyber Security Capability Through Training
– Activity 6 – Characterize the Key M&CS Risks
– Activity 7 – Define the Corporate Risk Tolerance Level
– Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level
– Activity 9 – Perform a Screening Assessment
– Activity 10 – Organize for Security
– Activity 11 – Prioritize Systems and Conduct a Detailed Security Assessment
ISA SP-99 Part 2, continued
• What is included in SP-99 Part 2, continued:
– Activity 12 – Develop Detailed M&CS Cyber Security Policies & Procedures
– Activity 13 – Define Standard Set of M&CS Security Risk Mitigation Controls
– Activity 14 – Develop Integrated Cyber Security Management System Plan
– Activity 15 – Quick Fix
– Activity 16 – Charter, Design, & Execute Cyber Security Risk Mitigation Projects
– Activity 17 – Refine and Implement Cyber Security Management System
– Activity 18 – Adopt Continuous Improvement Operational Measures
• First ballot is expected by Q3 2006
TR99.00.01 - Technology Areas
• Authentication and Authorization
• Filtering/Blocking/Access Control
• Encryption and Data Validation
• Audit, Measurement, Monitoring and Detection Tools
• Operating Systems
• Physical Security
TR99.00.01 Authentication and Authorization
• Role Based Authorization Tools
• Password Authentication
• Challenge Response Authentication
• Physical/Token Authentication
• Smart Card Authentication
• Biometric Authentication
• Location Based Authentication
• Password Distribution and Management Technologies
• Device to Device Authentication
TR99.00.01 Filtering/Blocking/Access Control
• Dedicated Firewalls (Hardware Based)
• Host-based Firewalls (Software Based)
• Virtual Local Area Networks (VLANs)
TR99.00.01 Encryption Technologies and Data Validation
• Symmetric (Private) Key Encryption
• Public Key Encryption and Key Distribution
• Virtual Private Networks (VPNs)
• Digital Certificates
TR99.00.01 Audit, Measurement, Monitoring and Detection Tools
• Log Auditing Utilities
• Virus/Malicious Code Detection
• Intrusion Detection Systems
• Network Vulnerability Scanners
• Network Forensics and Analysis Tools
• Host Configuration Management Tools
• Automated Software Management Tools
TR99.00.01 Computer Software
• Server and Workstation Operating Systems
• Real-time and Embedded Operating Systems
• Web and Internet Technologies
Summary
• Guidelines and best practices are available
• Study and apply those related to your specific requirements and circumstances
• Keep updated