SCADA Security in CDIC 2009

Uploaded by: narinrit-prem-apiwathanokul
Posted on 09-May-2015

Page 1: SCADA Security in CDIC 2009

© 2009 PTT ICT Solutions All Rights Reserved

Cyber Attack Threatens Plant Control System (SCADA/DCS)

Page 2: SCADA Security in CDIC 2009

Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited, a company of PTT Group
Certificates: ISC2: CISSP, IRCA: ISMS (ISO27001), SANS: GCFA

Experience:

• Board member, Thailand Information Security Association (TISA)
• Member of the technical committee on information security standards for electronic transactions (ISO27001)
• Expert member of the committee revising the Bachelor of Business Administration curriculum, major in Information Technology Business, Prince of Songkla University
• Member of the drafting committee for the MBA in Information Security Management, Assumption University
• Member of the working group studying and analysing data to recommend the operating plan of the Electronic Transactions Commission, B.E. 2551-2553 (2008-2010), NECTEC
• Member of the working group studying models and standards for electronic certificate issuance services and trust assurance by an independent auditor or regulatory body (Certified or Regulated Body), NECTEC

Page 3: SCADA Security in CDIC 2009

Speaking engagements:

• Royal Thai Armed Forces Headquarters
• Regular course, Army Command and General Staff College, Royal Thai Army Higher Military Academy
• Bank of Thailand
• Office of the Permanent Secretary, Ministry of Commerce
• Office of the Permanent Secretary, Ministry of Defence
• State Enterprise Information Technology Club of Thailand
• Thai Medical Informatics Association
• Strategic IT Governance course, Software Park 2007-2009
• ITU ASP COE: Training Workshop on Information Management Framework for CIOs
• CIO Conference 2007
• Information Security Asia 2007
• 2nd Annual ASIA IT Congress 2007
• Cyber Defence Initiative Conference (CDIC) 2008
• SCADA Asia Summit 2009
• Mini-MBA Program, Thammasat University
• Micro-MBA Program, Thammasat University
• MIS Program, Thammasat University
• King Mongkut's University of Technology Thonburi

Page 4: SCADA Security in CDIC 2009

Protecting your SCADA system against cyber security threats

17 June 2009

Page 5: SCADA Security in CDIC 2009

Agenda

• The real threats revealed
• Case studies of global incidents
• Cyber threats and control systems
• What can we do to handle this challenge?
• Q&A

Page 6: SCADA Security in CDIC 2009

See the movie

Page 7: SCADA Security in CDIC 2009

Italian Traffic Lights

Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system

Impact: Over 1,400 additional traffic tickets, costing more than 250K Euros, in a two-month period

Specifics: An engineer is accused of conspiring with local authorities to rig traffic lights with a shorter yellow phase, causing a spike in camera-enforced traffic tickets

Lessons learned:
• Do not underestimate the insider threat
• Ensure separation of duties and auditing

Page 8: SCADA Security in CDIC 2009

Transportation – Road Signs

Event: Jan 2009, Texas road signs compromised

Impact: Motorists distracted and given false information

Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."

Lessons learned:
• Use robust physical access controls
• Change all default passwords
• Work with manufacturers to identify and protect password reset procedures

Page 9: SCADA Security in CDIC 2009

Remarkable Incidents

• Siberia, 1982: According to the book At the Abyss: An Insider's History of the Cold War (Ballantine, 2004, ISBN 0-89141-821-0), a CIA operation against the USSR's pipeline operation software caused a massive explosion during the summer of 1982 on the controversial pipeline delivering Siberian natural gas to Western Europe.

• 2002: The FBI traced visitors, routed through the telecommunication networks of Saudi Arabia, Indonesia and Pakistan, who had studied emergency telephone systems, electric generation and transmission, water storage and distribution, nuclear power plants and gas facilities.

http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26

Key words: The Farewell Dossier, Gus W. Weiss

Page 10: SCADA Security in CDIC 2009

1988 Case

• Allen-Bradley DH+ environment
• Disgruntled employee
• Modified the password of another department's PLC-5
• Blocked all maintenance access to the system
• The previous password of the system was believed to have been found on a post-it note

Page 11: SCADA Security in CDIC 2009

Global Incidents (cont.)

• Based on evidence collected in Afghanistan, Al Qaeda had a "high level of interest" in DCS and SCADA devices. (AFI Intelligence Briefing, 28 June 2002)
  – Terrorism looks for new methods of attack
  – 'Bombs and Bytes': the next Al Qa'ida terrorist threat
  – US faces an 'electronic Pearl Harbour'

• 2003: Slammer worm crashed the network of the Davis-Besse nuclear plant in Ohio

According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer, to a VPN connection to the control center LAN.

(http://www.securityfocus.com/news/6767)

Recovery time: SPDS (Safety Parameter Display System) 4 hours 50 minutes; PPC (Plant Process Computer) 6 hours 9 minutes

Page 12: SCADA Security in CDIC 2009

Global Incidents (cont.)

Virus Found On Computer In Space Station NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. …

The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection.

InformationWeek August 27, 2008

Page 13: SCADA Security in CDIC 2009

U.S. Critical Infrastructure Sectors

Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized U.S. critical infrastructure into the following 18 CIKR sectors:

• Agriculture and Food
• Banking and Finance
• Chemical
• Commercial Facilities
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Information Technology
• National Monuments and Icons
• Nuclear Reactors, Materials, and Waste
• Postal and Shipping
• Public Health and Healthcare
• Telecommunications
• Transportation
• Water and Water Treatment

Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system.

Page 14: SCADA Security in CDIC 2009

[Diagram: stakeholders, threats and their relationships around control systems]

• National Critical Infrastructure has Manufacture/Plant Operation, which develops/uses Control Systems
• Government regulates and protects National Critical Infrastructure and issues Law/Compliance/Standard/Guideline
• Industry-specific Regulator issues Law/Compliance/Standard/Guideline, which Plant Operation and Control Systems practice/comply to
• Adversary/Disgruntled employee and Terrorist/Hacker research/exploit Vulnerabilities/Weaknesses, utilize Malicious code/Virus/Worm, and attack to interfere/disrupt/fraud
• Malicious code/Virus/Worm exploits Vulnerabilities/Weaknesses

Page 15: SCADA Security in CDIC 2009

Security Issues Causing Process Disruption

Page 16: SCADA Security in CDIC 2009

Security incidents in the oil industry

• Electronic sabotage of Venezuela oil operations
• CIA Trojan causes Siberian gas pipeline explosion
• Anti-virus software prevents boiler safety shutdown
• Slammer-infected laptop shuts down DCS
• Virus infection of operator training simulator
• Electronic sabotage of gas processing plant
• Slammer impacts offshore platforms
• SQL Slammer impacts drill site
• Code Red worm defaces automation web pages
• Penetration test locks up gas control system
• Contractor laptop infects control system

Page 17: SCADA Security in CDIC 2009

Security incidents in the chemical industry

• IP address change shuts down chemical plant
• Hacker changes chemical plant setpoints via modem
• Nachi worm on advanced process control servers
• Attack on chemical company's plant DCS
• Contractor accidentally connects to remote PLC
• Sasser causes loss of HMI in chemical plant
• Infected new HMI infects chemical plant DCS
• Blaster worm infects chemical plant

Page 18: SCADA Security in CDIC 2009

Security incidents in the power industry

• Slammer infects control center LAN via VPN
• Slammer causes loss of comms to substations
• Slammer infects Ohio nuclear plant SPDS

"The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall"

Page 19: SCADA Security in CDIC 2009

Security incidents in the power industry (cont.)

• Iranian hackers attempt to disrupt Israeli power system
• Utility control system attacked
• Virus attacks a European utility
• Facility cyber attacks reported by Asian utility
• Power plant security details leaked on the Internet

Page 20: SCADA Security in CDIC 2009

Security incidents in the water industry

• Salt River Project SCADA hack
• Maroochy Shire sewage spill
• Software flaw makes MA water undrinkable
• Trojan/keylogger on Ontario water SCADA system
• Viruses found on Australian SCADA laptops
• Audit/Blaster causes water SCADA crash
• DoS attack on water system via Korean telecom
• Penetration of California irrigation district wastewater treatment plant SCADA
• SCADA system tagged with message, "I enter in your server like you in Iraq."

Page 21: SCADA Security in CDIC 2009

What are Industrial Control Systems (ICS), SCADA and DCS?

Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment.

There are two primary types of control systems:

– Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area.

– Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations.

NIST SP800-82 Final Public Draft (Sep. 2008)

Page 22: SCADA Security in CDIC 2009

The term Industrial Control System (ICS) refers to a broad set of control systems, which include:

• SCADA (Supervisory Control and Data Acquisition)
• DCS (Distributed Control System)
• PCS (Process Control System)
• EMS (Energy Management System)
• AS (Automation System)
• SIS (Safety Instrumented System)
• Any other automated control system

Page 23: SCADA Security in CDIC 2009

Basic Control Systems Components

Page 24: SCADA Security in CDIC 2009

Risk Drivers: Modernization and Globalization

Connections between Information Technology and Control System networks (inheriting vulnerabilities)

Shift from isolated systems to open protocols

Access to remote sites through the use of modems, wireless, private, and public networks

Shared or joint use systems for e-commerce

Page 25: SCADA Security in CDIC 2009

General Findings

• Default vendor accounts and passwords still in use (on some systems they cannot be changed!)
• Guest accounts still available
• Unused software and services still on systems
• No security-level agreement with peer sites
• No security-level agreement with vendors
• Poor patch management (or no patch programs)
• Extensive auto-logon capability

Page 26: SCADA Security in CDIC 2009

General Findings continued

• Typical IT protections not widely used (firewalls, IDS, etc.); this has been improving in the last 6 months
• Little emphasis on reviewing security logs (change management)
• Common use of dynamic ARP tables with no ARP monitoring
• Control system use of enterprise services (DNS, etc.)
• Shared passwords
• Writeable shares between hosts
• User permissions allow admin-level access
• Direct VPN from offsite to control systems
• Web-enabled field devices
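The finding "dynamic ARP tables with no ARP monitoring" is a concrete detection gap: on a flat control network, any host that answers ARP for the HMI's or PLC's address can sit between them unnoticed. The following is an added example, not code from the original slides: it keeps a baseline of IP-to-MAC bindings, feeds constructed ARP replies through it, and alerts when a known address starts resolving to a different MAC or one MAC claims several addresses. The addresses, host roles and the captured replies are constructed for illustration.

```python
"""Passive ARP monitor for a flat control network (added example).

Feeds constructed ARP-reply records (sender IP, sender MAC) through a
monitor that holds a baseline of IP -> MAC bindings. Two conditions
are flagged: a known IP suddenly answering from a new MAC (classic
ARP spoofing of a PLC or HMI address), and one MAC claiming many IPs.
A real deployment would source the records from a SPAN port or from
periodic 'arp -a' snapshots; here they are embedded so it runs offline.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    ts: int        # seconds since epoch (constructed)
    ip: str
    mac: str


@dataclass
class ArpMonitor:
    # Static baseline for critical hosts; other hosts are learned on first sight.
    baseline: dict[str, str] = field(default_factory=dict)
    # One MAC answering for more than this many IPs is treated as suspicious.
    max_ips_per_mac: int = 2
    alerts: list[str] = field(default_factory=list)
    _ips_by_mac: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))

    def observe(self, reply: ArpReply) -> None:
        mac = reply.mac.lower()
        known = self.baseline.get(reply.ip)
        if known is None:
            # First sighting: learn it. For PLCs/HMIs a static entry passed
            # in the constructor is preferable to learning.
            self.baseline[reply.ip] = mac
        elif known != mac:
            self.alerts.append(
                f"t={reply.ts} ARP binding change for {reply.ip}: "
                f"{known} -> {mac} (possible ARP spoofing)"
            )
        self._ips_by_mac[mac].add(reply.ip)
        if len(self._ips_by_mac[mac]) > self.max_ips_per_mac:
            ips = sorted(self._ips_by_mac[mac])
            self.alerts.append(
                f"t={reply.ts} MAC {mac} claims {len(ips)} addresses: {', '.join(ips)}"
            )


def run_monitor(replies: list[ArpReply], baseline: dict[str, str]) -> list[str]:
    """Replay a list of replies against a copy of the baseline; return alerts."""
    mon = ArpMonitor(baseline=dict(baseline))
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed baseline: the control network's PLC and HMI as documented
# by the engineering team (hypothetical addresses).
BASELINE = {
    "192.168.10.10": "00:1d:9c:aa:bb:01",  # PLC (constructed)
    "192.168.10.20": "00:1d:9c:aa:bb:02",  # HMI (constructed)
}

# Constructed ARP replies: normal traffic, then a rogue host (MAC ...:ff)
# answering for the PLC's address, the HMI's address and the gateway.
SAMPLE_REPLIES = [
    ArpReply(1000, "192.168.10.10", "00:1d:9c:aa:bb:01"),
    ArpReply(1001, "192.168.10.20", "00:1d:9c:aa:bb:02"),
    ArpReply(1002, "192.168.10.50", "00:1d:9c:aa:bb:50"),  # engineering laptop, learned
    ArpReply(1010, "192.168.10.10", "08:00:27:de:ad:ff"),  # rogue answers for PLC
    ArpReply(1011, "192.168.10.20", "08:00:27:de:ad:ff"),  # rogue answers for HMI
    ArpReply(1012, "192.168.10.1", "08:00:27:de:ad:ff"),   # and for the gateway
]

if __name__ == "__main__":
    for line in run_monitor(SAMPLE_REPLIES, BASELINE):
        print(line)
```

On the constructed capture the monitor raises two binding-change alerts (PLC and HMI addresses) and one "claims 3 addresses" alert for the rogue MAC; the first three benign replies produce nothing. The baseline for the critical hosts is static on purpose: learning it from the wire would let an attacker who is already spoofing define the "normal" state.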

Page 27: SCADA Security in CDIC 2009

Gap of Coordination

• Different vocabulary
  – ICT: "I know TCP/IP, NetBIOS, MSSQL, SAP, etc."
  – Operations: "I know Profibus, Fieldbus, MODBUS, solenoid valves, turbines, hydraulics, pneumatics, etc."

• SCADA/DCS can be frighteningly exciting to ICT people. Inadequate knowledge and experience of the system lowers their confidence to provide appropriate support.

• Operations people should work with IT security professionals from the ICT department or consultants

• Educate the IT department about process control and SCADA operations

Page 28: SCADA Security in CDIC 2009

Unsynchronized Technology Lifecycle

Page 29: SCADA Security in CDIC 2009

Unsynchronized Technology Lifecycle (cont.)

• ICT technology keeps changing while control systems are here to stay.
• Production processes are rarely changed. "We can operate as we always do. So, WHY UPGRADE???"
• ICT equipment life is ~3-5 years
• Control equipment life is ~10+ years
• SCADA security today is where enterprise security was 5-10 years ago

Page 30: SCADA Security in CDIC 2009

Different Expectation

Page 31: SCADA Security in CDIC 2009

Sharing the SAME CHALLENGES

• The information or data from devices or controllers is sent to or processed at a server of that system, which exposes many attack possibilities, such as:
  – Communication media
    • Radio: jamming
    • Protocol anomalies
  – Operating system running on the server
    • Microsoft Windows
    • Unix
  – Database
    • MS-SQL
    • Oracle

• A system running a standard operating system is vulnerable to standard attacks
  – Malware/Virus/Worm/Spyware
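"Protocol anomaly" is abstract; on a plant network it usually means a Modbus/TCP write that should not be happening, or a frame that is not what its header claims. The following is an added example, not part of the original deck: it parses raw Modbus/TCP frames (the 7-byte MBAP header plus the PDU function code) and flags write function codes 05, 06, 15 and 16 from any source other than the authorised engineering workstation, frames whose declared length disagrees with the bytes present, and a non-zero protocol identifier. The addresses, the master list and the captured frames are constructed.

```python
"""Modbus/TCP write-anomaly detector (added example).

Parses the MBAP header (transaction id, protocol id, length, unit id)
and the PDU function code of each captured frame, then flags:
  * write requests (FC 5, 6, 15, 16) from hosts that are not the
    authorised master/engineering workstation,
  * frames whose MBAP length field disagrees with the bytes present,
  * a non-zero protocol id (Modbus/TCP always uses 0).
Modbus has no authentication, so source-based whitelisting at a
monitoring point is one of the few checks available on the wire.
"""
import struct
from dataclasses import dataclass

WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Decode MBAP header and function code; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus/TCP")
    # The MBAP length field counts unit id + PDU, so the frame is 6 + length bytes.
    if 6 + length != len(payload):
        raise ValueError(
            f"length field {length} does not match {len(payload) - 6} bytes present")
    return ModbusFrame(tid, pid, length, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Construct a well-formed request frame (used here only to build samples)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def audit(frames, authorised_masters) -> list[str]:
    """Return alert strings for a list of (source_ip, raw_payload) pairs."""
    alerts = []
    for src, payload in frames:
        try:
            f = parse_modbus_tcp(payload)
        except ValueError as e:
            alerts.append(f"{src}: malformed frame ({e})")
            continue
        if f.function in WRITE_FUNCTIONS and src not in authorised_masters:
            # For all four write functions the first two data bytes are the
            # starting coil/register address.
            addr = struct.unpack(">H", f.data[:2])[0] if len(f.data) >= 2 else None
            alerts.append(f"{src}: unauthorised {WRITE_FUNCTIONS[f.function]} "
                          f"(FC {f.function}) to unit {f.unit_id}, start address {addr}")
    return alerts


# Constructed traffic: a read and a write from the engineering workstation,
# two writes from a corporate-side laptop, and a truncated frame.
AUTHORISED_MASTERS = {"192.168.10.20"}   # HMI/engineering workstation (constructed)
SAMPLE_TRAFFIC = [
    ("192.168.10.20", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),    # read 10 registers
    ("192.168.10.20", build_request(2, 1, 6, struct.pack(">HH", 100, 1))),   # legitimate write
    ("10.0.5.77", build_request(3, 1, 6, struct.pack(">HH", 100, 0))),       # rogue single write
    ("10.0.5.77", build_request(4, 1, 16, struct.pack(">HHB", 200, 2, 4) + b"\x00" * 4)),  # rogue multi-write
    ("10.0.5.77", build_request(5, 1, 6, struct.pack(">HH", 100, 0))[:-1]),  # truncated frame
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC, AUTHORISED_MASTERS):
        print(alert)
```

The two authorised frames pass silently; the rogue FC 6 and FC 16 requests are reported with the register address they target, and the truncated frame is reported as malformed because its length field promises one more byte than arrived. A sensor doing this for real would also want to alert on write requests from the authorised master outside change windows, which is a policy question the slides leave to the operator.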

Page 32: SCADA Security in CDIC 2009

They are Connected

• The operations network is somehow connected to the corporate network, or even able to access the Internet. Without proper protection and control, the operations environment is truly at high risk.

Page 33: SCADA Security in CDIC 2009

Does the system integrator have security in mind?

• Are all possible conditions properly handled?
• Is the program running in the controller security-aware by design?
• The more security, the harder UAT and commissioning become, which may delay project payment. Guess what!!! They don't do it unless explicitly required or asked for.
• Is it in the TOR?

Page 34: SCADA Security in CDIC 2009

Does the system integrator have security in mind? (cont.)

“None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect.”

Said by Joseph Weiss, executive consultant for KEMA Consulting

http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html

Page 35: SCADA Security in CDIC 2009

Policy Enforcement

• People + Process + Technology need to work in harmony. Sometimes we need a certain technology or tool to ensure that the defined process or policy is in good shape.

• The most vulnerable entity is "PEOPLE". So keep them aware of what they are doing and the risks they are facing, plus the consequent damage and their responsibility if they do not comply with the policy.

Page 36: SCADA Security in CDIC 2009

Available Guidelines

• 21 Steps to Improve Cyber Security of SCADA Networks, US-DOE
• Roadmap to Secure Control Systems in the Chemical Sector, US-DHS
• Security Vulnerability Assessment Methodology for the Petroleum and Petrochemical Industries, API
• ISA99 - Control Systems Security Model
• ISO27001, ISO27002 (ISO17799)

Page 37: SCADA Security in CDIC 2009

21 Steps to Improve Cyber Security of SCADA Networks, US-DOE

1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA "Red Teams" to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
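Steps 1 to 3 and 13 of the DOE list amount to one exercise: document which zones may talk to the SCADA network over which ports, then compare that document against what the wire actually shows. The following is an added example, not taken from the DOE document or the slides: it maps constructed flow records to zones using a documented address plan, and reports every flow that crosses the control-zone boundary through a conduit that is not in the documented list, so those paths can be disconnected (step 2) or hardened (step 3). The address plan, the conduit list and the flow records are all constructed.

```python
"""Boundary-connection audit for a SCADA network (added example).

Takes flow records as 'src,dst,proto,dport' lines, maps each address to
a zone via a documented CIDR plan, and counts every cross-zone flow that
touches the control zone but is not a documented conduit. Anything not in
the plan (including Internet addresses) lands in the 'external' zone.
"""
import ipaddress
from collections import Counter

# Constructed zone model (hypothetical address plan).
ZONES = {
    "control": [ipaddress.ip_network("192.168.10.0/24")],
    "dmz": [ipaddress.ip_network("172.16.1.0/24")],
    "corporate": [ipaddress.ip_network("10.0.0.0/8")],
}

# Documented conduits as (src_zone, dst_zone, protocol, dst_port). Only the
# DMZ historian may exchange traffic with the control zone (constructed policy).
ALLOWED_CONDUITS = {
    ("dmz", "control", "tcp", 502),      # historian polls the PLC over Modbus/TCP
    ("control", "dmz", "tcp", 1433),     # HMI pushes to the DMZ historian (MS-SQL)
}


def zone_of(ip: str) -> str:
    """Return the documented zone for an address, or 'external' if unplanned."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in n for n in nets):
            return name
    return "external"


def parse_flow(line: str):
    """Parse 'src,dst,proto,dport'; return None for malformed lines."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    src, dst, proto, dport = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, proto.lower(), int(dport)
    except ValueError:
        return None


def find_undocumented(flow_lines) -> Counter:
    """Count cross-zone flows touching the control zone that are not documented conduits."""
    undocumented = Counter()
    for line in flow_lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz:
            continue                    # intra-zone traffic is out of scope here
        if "control" not in (sz, dz):
            continue                    # a boundary that does not touch SCADA
        if (sz, dz, proto, dport) not in ALLOWED_CONDUITS:
            undocumented[(sz, dz, proto, dport)] += 1
    return undocumented


def report(flow_lines) -> list[str]:
    """Human-readable summary, one line per undocumented conduit."""
    return [f"{n}x {sz} -> {dz} {proto}/{port} (not in documented conduits)"
            for (sz, dz, proto, port), n in sorted(find_undocumented(flow_lines).items())]


# Constructed flow records; the first two match documented conduits.
SAMPLE_FLOWS = [
    "172.16.1.5,192.168.10.10,tcp,502",
    "192.168.10.20,172.16.1.5,tcp,1433",
    "10.20.3.44,192.168.10.20,tcp,3389",    # corporate RDP straight into the HMI
    "10.20.3.44,192.168.10.20,tcp,3389",
    "203.0.113.9,192.168.10.10,tcp,502",    # Internet host speaking Modbus to the PLC
    "192.168.10.20,10.0.0.53,udp,53",       # HMI using corporate DNS (a page 26 finding)
    "192.168.10.10,192.168.10.20,tcp,502",  # intra-zone, ignored
    "garbage line",
]

if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

The constructed records yield three undocumented conduits: corporate RDP into the HMI (twice), an external host reaching the PLC on Modbus/TCP, and the HMI resolving names through corporate DNS. Each is a step 2 or step 3 decision for the operator; the value of the script is that the decision is made against a written conduit list rather than against memory.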

Page 38: SCADA Security in CDIC 2009

Petrochemical Segment

Page 39: SCADA Security in CDIC 2009

Petroleum, Oil & Gas

Page 40: SCADA Security in CDIC 2009

Energy Segment

Page 41: SCADA Security in CDIC 2009

For your TOR/RFP

Page 42: SCADA Security in CDIC 2009

Value Delivery from PTTICT

• The weakness should be tackled internally
• What can we do?
  – Educate/Awareness
  – Architecture review
  – Security assessment
  – Attack simulation
  – Help fix the problem together
  – Investigation/Forensics (of what went wrong)

• As a TEAM … we CAN

Page 43: SCADA Security in CDIC 2009

Professional Approach

• Methodical
• Standard-oriented
• Industry-specific
• Qualified specialists

Page 44: SCADA Security in CDIC 2009

Summary

• The threat is real
• The insider threat is more frightening
• Securing the perimeter is not enough: defense-in-depth (DiD)
• Need secure-by-design (for new systems)
• Assessment and improvement (for existing systems)
• Need collaboration and sharing
• Guidelines and good practices are available
• People need to be (cross-)trained

Page 45: SCADA Security in CDIC 2009

Questions: [email protected]

Page 46: SCADA Security in CDIC 2009

THANK YOU (ขอบคุณครับ)

[email protected]