Improving Control System Security by Chaiyakorn Apiwathanokul CISSP, GCFA, IRCA:ISMS Chief Security Officer PTT ICT Solutions Co., Ltd. A Company of PTT Group July 2010


Description: Presented at the SCADA Asia Summit, KL, Malaysia, July 2010

Transcript

Page 1: Improving SCADA Security

Improving Control System Security

by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS

Chief Security Officer

PTT ICT Solutions Co., Ltd., A Company of PTT Group

July 2010

Page 2: Improving SCADA Security

About Speaker

• Contributed to the Thailand Cyber Crime Act B.E. 2550
• Security Sub-commission under the Thailand Electronic Transaction Commission (ET Act B.E. 2544)
• Workgroup for CA service standard development
• Committee for national standard adoption of ISO27001/ISO27002
• Committee of the Thailand Information Security Association (TISA)
• Committee for Cybersecurity taskforce development, Division of Skill Development, Ministry of Labour

Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)

Title: Chief Security Officer (CSO)

Company: PTT ICT Solutions Company Limited, A Company of PTT Group

Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA

Page 3: Improving SCADA Security

Sub Topic:

Examining current security trends and their impact for SCADA systems

Increasing the security and usability of SCADA systems

Understanding tools and techniques to mitigate SCADA security risk

Page 4: Improving SCADA Security

See Videos

1. DHS experiment on hacking to destroy a generator

2. US Power Grid under attack - Clarke

Page 5: Improving SCADA Security

[Diagram: National Critical Infrastructure has Manufacture/Plant Operation Control Systems. Surrounding actors and factors: Adversary/Disgruntled employee, Government, Malicious code/Virus/Worm, Vulnerabilities/Weaknesses, Terrorist/Hacker, Law/Compliance/Standard/Guideline, Industry-specific Regulator]

Page 6: Improving SCADA Security

Simplification

Someone hates someone.

Someone develops a weapon.

Not only that someone, but someone else gets in trouble.

Someone (and someone else) has to do something.

Page 7: Improving SCADA Security

Does the system integrator have security in mind?

• Are all possible conditions properly handled?

• Is the program running in the controller security-aware by design?

• More security makes UAT and commissioning harder, which can delay project payment. Guess what!!! They don’t do it unless it is explicitly required or asked for.

• Is it in the TOR?

Page 8: Improving SCADA Security

Does the system integrator have security in mind? (cont.)

“None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect.”

Joseph Weiss, executive consultant for KEMA Consulting

http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html

Page 9: Improving SCADA Security

For your TOR/RFP

Page 10: Improving SCADA Security

Educating the Engineering Department

Page 12: Improving SCADA Security

Hacking on Operator Workstation

Scenario #1.1 Known local admin password

[Diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC. The hacker knows the local admin password, connects via Remote Desktop to the workstation, and from the connected GUI’s server can remotely control the GUI, add a new user and open a shared folder.]

Page 13: Improving SCADA Security

Summary Scenario #1.1 Known local admin password

Required condition:
• Local admin password is known (default password)
• Remote Desktop is open

Consequence:
• Attacker can take over the system
• Attacker can take over the GUI
• Attacker can add a new user
• Attacker can open a shared folder

Remediation:
• Change the default password
• Restrict access to Remote Desktop

Hacking on Operator Workstation

Page 14: Improving SCADA Security

Scenario #1.2 Unpatched

[Diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC. The hacker attacks the vulnerable, unpatched server; from the exploited GUI’s server the attacker can remotely control the GUI, add a new user and open a shared folder.]

Hacking on Operator Workstation

Page 15: Improving SCADA Security

Summary Scenario #1.2 Unpatched

Required condition:
• Operator workstation is not patched

Consequence:
• Attacker can take over the system
• Attacker can take over the GUI
• Attacker can add a new user
• Attacker can open a shared folder

Remediation:
• Regularly update the workstation
• Monitor the system integrity
• Consider an intrusion detection system
• Consider a security perimeter

Hacking on Operator Workstation

Page 17: Improving SCADA Security

Summary Scenario #1.3 Password Sniffing

Required condition:
• Web-based HMI
• Operator sends the login password via HTTP

Consequence:
• Password is known to the hacker
• Hacker can log in to the web-based HMI

Remediation:
• Use HTTPS instead of HTTP
• Consider a detection measure

Hacking on Operator Workstation

Page 19: Improving SCADA Security

Summary Scenario #1.4 Remember password

Required condition:
• Physical access to the system
• Autorun enabled

Consequence:
• Password is stolen

Remediation:
• Limit physical access to the system
• Disable Autorun (all drives)
• Don’t use the remember-password feature

Hacking on Operator Workstation

Page 20: Improving SCADA Security

Scenario #2 SQL Injection

[Diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC. An injection flaw in the web-based HMI lets the attacker delete tables and modify data in tables (Insert, Delete, Update).]

Hacking on HMI Web & DB Server

Page 21: Improving SCADA Security

Summary Scenario #2 SQL Injection

Required condition:
• Web-based HMI
• SQL injection flaw

Consequence:
• Direct database manipulation

Remediation:
• Input validation
• Web application security assessment
• Web Application Firewall (WAF)

Hacking on HMI Web & DB Server
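The injection flaw of Scenario #2 next to the input-validation remediation, as an added example that is not from the presentation: a web-based HMI login query built by string concatenation beside its parameterised form, run against a constructed in-memory operator table (the table, the operator account and the tautology input are all constructed for the demo).

```python
"""Added example (not from the presentation): an HMI login query with an
injection flaw beside the hardened form. All data below is constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the HMI's database server. The password is
    # stored in clear text only to keep the demo short; store a hash in practice.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (username TEXT, password TEXT)")
    conn.execute("INSERT INTO operators VALUES ('op1', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The injection flaw: untrusted input is spliced into the SQL text, so a
    # quote in the input changes the structure of the statement itself.
    sql = (f"SELECT COUNT(*) FROM operators WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # assumed operator-ID format


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Input validation: operator IDs have a known shape; reject anything else.
    if not USERNAME_RE.match(username):
        return False
    # Parameterised query: values travel separately from the SQL text, so the
    # input can never alter the statement, whatever characters it contains.
    sql = "SELECT COUNT(*) FROM operators WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


INJECTED = "' OR '1'='1"  # constructed tautology input used in the demo


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, good creds:", login_vulnerable(db, "op1", "correct-horse"))
    print("vulnerable, injected  :", login_vulnerable(db, "op1", INJECTED))
    print("hardened,   injected  :", login_hardened(db, "op1", INJECTED))
```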

Page 22: Improving SCADA Security

Scenario #3 Direct PLC Manipulation

[Diagram: Operator, Operator Workstation, HMI Web & DB Server, PLC. Port 2222/TCP is open on the PLC; the attacker can take control of the PLC, modify PLC data and disrupt PLC operation: control valve/pump, change PLC mode, system halt.]

Hacking on PLC

Page 23: Improving SCADA Security

Summary Scenario #3 Direct PLC Manipulation

Required condition:
• Port 2222/TCP is open (Allen Bradley)
• No authentication
• Network routable

Consequence:
• Access to the PLC’s data table

Remediation:
• Enable authentication where possible
• Routing control / network isolation (verify)

Hacking on PLC
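The "network isolation (verify)" remediation above, as an added example that is not from the presentation: flow records are checked for connections to the PLC’s 2222/TCP service that originate outside the control segment or from a client that is not the HMI server. The segment, the HMI address and the flow lines are constructed.

```python
"""Added example (not from the presentation): verifying that the PLC port
from Scenario #3 is reachable only from the expected client inside the
control network. Addresses, segment and flow records are constructed."""
import ipaddress

CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")       # assumed PLC/HMI segment
PLC_PORT = 2222                                           # port from the scenario
ALLOWED_CLIENTS = {ipaddress.ip_address("10.10.0.20")}   # assumed HMI server

# Constructed flow records: "timestamp src dst proto dport"
FLOWS = """\
2010-07-01T08:00:01 10.10.0.20 10.10.0.50 TCP 2222
2010-07-01T08:00:05 10.10.0.31 10.10.0.50 TCP 2222
2010-07-01T08:00:09 192.168.1.77 10.10.0.50 TCP 2222
2010-07-01T08:00:12 192.168.1.77 10.10.0.50 TCP 80
"""


def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": int(dport)}


def classify(flow: dict):
    """Return None if the flow is acceptable, else a short finding string."""
    if flow["proto"] != "TCP" or flow["dport"] != PLC_PORT:
        return None                       # not the PLC service; out of scope here
    if flow["src"] not in CONTROL_NET:
        return "PLC port routable from outside the control network"
    if flow["src"] not in ALLOWED_CLIENTS:
        return "unexpected client inside the control network"
    return None


def findings(text: str) -> list:
    """Findings as (timestamp, source address, reason) for every bad flow."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            out.append((flow["ts"], str(flow["src"]), reason))
    return out


if __name__ == "__main__":
    for ts, src, reason in findings(FLOWS):
        print(ts, src, reason)
```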

Page 24: Improving SCADA Security

Qualified professional undersupply

[Venn diagram: IT Professional, Infosec Professional and Control System Professional; at their intersection, the Control System Cybersecurity Professional]

Page 25: Improving SCADA Security

The Implication

• Only a small number of professionals have the right competency to help you out

• Collaboration and support from the professional community is highly needed

Page 26: Improving SCADA Security

Available Guidelines

• 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE

• Roadmap to Secure Control Systems in the Chemical Sector, US-DHS

• Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, API

• ISA99 - Control Systems Security Model

• ISO27001, ISO27002 (ISO17799)

Page 27: Improving SCADA Security

21 Steps to Improve Cyber Security of SCADA Networks, US-DOE

1. Identify all connections to SCADA networks

2. Disconnect unnecessary connections to the SCADA network

3. Evaluate and strengthen the security of any remaining connections to the SCADA network

4. Harden SCADA networks by removing or disabling unnecessary services

5. Do not rely on proprietary protocols to protect your system

6. Implement the security features provided by device and system vendors

7. Establish strong controls over any medium that is used as a backdoor into the SCADA network

8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring

9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns

10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security

11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios

12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users

13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection

14. Establish a rigorous, ongoing risk management process

15. Establish a network protection strategy based on the principle of defense-in-depth

16. Clearly identify cyber security requirements

17. Establish effective configuration management processes

18. Conduct routine self-assessments

19. Establish system backups and disaster recovery plans

20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance

21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls

Page 28: Improving SCADA Security

NIST SP800-82

Executive Summary

1. Introduction

2. Overview of Industrial Control Systems

3. ICS Characteristics, Threats and Vulnerabilities

4. ICS Security Program Development and Deployment

5. Network Architecture

6. ICS Security Controls

NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security

http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

Page 29: Improving SCADA Security

What are Industrial Control Systems (ICS), SCADA and DCS?

Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment.

There are two primary types of Control Systems.

– Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area.

– Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations.

NIST SP800-82 Final Public DRAFT (Sep. 2008)

http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf

Page 30: Improving SCADA Security

Major ICS Security Objectives

• Restricting logical access to the ICS network and network activity
– This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks, and having separate authentication mechanisms and credentials for users of the corporate and ICS networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

• Restricting physical access to the ICS network and devices
– Unauthorized physical access to components could cause serious disruption of the ICS’s functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.

Page 31: Improving SCADA Security

Key Take Away to Securing ICS

The most successful method for securing an ICS is to:

• Gather industry recommended practices

• Engage in a proactive, collaborative effort between management, the controls engineer and operator, the IT department, the physical security department, and a trusted automation advisor

• Draw upon the wealth of information available from ongoing federal government, industry group, vendor and standards organizational activities.

Page 32: Improving SCADA Security

ISA 99

Scope - A Broad View

• ISA has taken a broad view:
– Based on function, not industry, type of control or other limited views

• Includes
– SCADA/EMS
– DCS
– PLCs
– RTUs/IEDs
– Transmitters, meters, control valves, to enterprise wide HMIs, …
– Enterprise applications, to the extent they can affect control

• Not limited to one or a few industries or technologies
– In other words, a very broad encompassing definition

ISA SP-99 – Manufacturing and Control Systems Security

Page 33: Improving SCADA Security

Scope of Security Standards

[Figure: Purdue reference model levels set against the scope of three families of standards. Recoverable labels, in the order they appear: Company Management Data Presentation; Company Management Information; Company Production Assignment Scheduling Supervision; Company Production Scheduling Assignment; Operational & Production Supervision; Production Scheduling & Operational Management; Supervisor’s Console, Inter-Area Coordination; Supervisor’s Console, Supervisory Control; Operator’s Console, Direct Digital Control; Level 5, Level 4, Level 3, Level 2, Level 1; Controllers; Process. Vertical spans: IT Security Policies and Practices (ISO 17799); Mfg Security Policies and Practices (ISA 99); Process Safety (ISA 84, IEC 61508, IEC 61511); Purdue reference Model Levels.]

Page 34: Improving SCADA Security

ISA SP-99 Part 1

• What is included in SP-99 Part 1:
– Definitions of Manufacturing and Control Systems security terms
– Description of the terminology used in security as it applies to Manufacturing and Control Systems
– A Common Model for specifying security requirements for a Manufacturing and Control Systems program
– Covers reference architecture for describing the security environment
– The standard is not specific to vendors, customers, or any particular aspect of Manufacturing and Control Systems security

• First ballot expected by Q1 2006

Page 35: Improving SCADA Security


ISA SP-99 Part 2

• What is included in SP-99 Part 2:

– Activity 1 – Develop a Business Case

– Activity 2 – Obtain Leadership Commitment, Support, and Funding

– Activity 3 – Define the Charter and Scope of M&CS Security for Your Company

– Activity 4 – Form a Team of Stakeholders

– Activity 5 – Raise Staff Cyber Security Capability Through Training

– Activity 6 – Characterize the Key M&CS Risks

– Activity 7 – Define the Corporate Risk Tolerance Level

– Activity 8 – Establish High-Level Cyber Security Policies that Support the Risk Tolerance Level

– Activity 9 – Perform a Screening Assessment

– Activity 10 – Organize for Security

– Activity 11 – Prioritize Systems and Conduct a Detailed Security Assessment

Page 36: Improving SCADA Security

ISA SP-99 Part 2, continued

• What is included in SP-99 Part 2, continued:
– Activity 12 – Develop Detailed M&CS Cyber Security Policies & Procedures
– Activity 13 – Define Standard Set of M&CS Security Risk Mitigation Controls
– Activity 14 – Develop Integrated Cyber Security Management System Plan
– Activity 15 – Quick Fix
– Activity 16 – Charter, Design, & Execute Cyber Security Risk Mitigation Projects
– Activity 17 – Refine and Implement Cyber Security Management System
– Activity 18 – Adopt Continuous Improvement Operational Measures

• First ballot is expected by Q3 2006

Page 37: Improving SCADA Security


TR99.00.01 - Technology Areas

• Authentication and Authorization

• Filtering/Blocking/Access Control

• Encryption and Data Validation

• Audit, Measurement, Monitoring and Detection Tools

• Operating Systems

• Physical Security

Page 38: Improving SCADA Security

TR99.00.01 Authentication and Authorization

• Role Based Authorization Tools
• Password Authentication
• Challenge Response Authentication
• Physical/Token Authentication
• Smart Card Authentication
• Biometric Authentication
• Location Based Authentication
• Password Distribution and Management Technologies
• Device to Device Authentication

Page 39: Improving SCADA Security


TR99.00.01 Filtering/Blocking/Access Control

• Dedicated Firewalls (Hardware Based)

• Host-based Firewalls (Software Based)

• Virtual Local Area Networks (VLANs)

Page 40: Improving SCADA Security


TR99.00.01 Encryption Technologies and Data Validation

• Symmetric (Private) Key Encryption

• Public Key Encryption and Key Distribution

• Virtual Private Networks (VPNs)

• Digital Certificates

Page 41: Improving SCADA Security

TR99.00.01 Audit, Measurement, Monitoring and Detection Tools

• Log Auditing Utilities

• Virus/Malicious Code Detection

• Intrusion Detection Systems

• Network Vulnerability Scanners

• Network Forensics and Analysis Tools

• Host Configuration Management Tools

• Automated Software Management Tools

Page 42: Improving SCADA Security


TR99.00.01 Computer Software

• Server and Workstation Operating Systems

• Real-time and Embedded Operating Systems

• Web and Internet Technologies

Page 43: Improving SCADA Security

Summary

• Guidelines and best practices are available

• Study and apply those related to your specific requirement and circumstances

• Keep up to date

Page 44: Improving SCADA Security
