Critical Infrastructure and Automated Control Systems Security: A Strategy for Securing Against Cyber Attacks

Dr. Thomas L. Pigg
Director of the Tennessee CSEC

Dec 17, 2015


Alban Cooper

CSEC Mission

• The Cyber Security Education Consortium is a National Science Foundation ATE Regional Center of Excellence dedicated to building an information security workforce who will play a critical role in implementing the national strategy to secure cyberspace.


CSEC Sites


Tennessee CSEC Mission

• Phase 1 – Train the trainer

• Phase 2 – Develop Student Curriculum/Courses/Concentrations

• Phase 3 – Develop Partnerships with Business, Industry and Government


Core Train the Trainer Workshops

• Principles of Information Assurance

• Network Security

• Enterprise Security Management

• Secure E-Commerce

• Digital Forensics


New CSEC Courses

• Automation and Control Systems
– Control Systems Architecture
– Control Systems Software Applications
– Control Systems Security I and II

• Mobile Communications Devices
– Mobile Device Architecture
– Mobile Device Programming
– Mobile Device Hardware

• Secure Coding
– Secure Programming I and II
– Software Testing
– Software Security


What are Control Systems

• SCADA (Supervisory Control and Data Acquisition)

• DCS (Distributed Control Systems)

• ICS (Industrial Control Systems)

• BAS (Building Automation Systems)

• PLC (Programmable Logic Controllers)

• Smart Grid


Critical Infrastructures

• Agriculture & Food

• Banking & Finance

• Chemical

• Commercial Facilities

• Communications

• Critical Manufacturing


Critical Infrastructures

• Dams

• Defense Industrial Base

• Emergency Services

• Energy

• Government Facilities

• Healthcare & Public Health


Critical Infrastructures

• Information Technology

• National Monuments & Icons

• Nuclear Reactors, Materials & Waste

• Postal & Shipping

• Transportation Systems

• Water


Key Critical Infrastructures

• Key Sectors for Control Systems Security

• Energy (Electricity, Oil, and Natural Gas)

• Water & Wastewater

• Nuclear

• Chemical

• Dams

• Transportation

• Critical Manufacturing


Current Trends in Control Systems

• Continued move to open protocols

• Continued move to more COTS operating systems & applications

• More remote control & management

• More network access to systems

• More widespread use of wireless


Current State of Security

• Control Systems protocols with little or no security

• Migration to TCP/IP networks with its inherent vulnerabilities

• Interconnection with enterprise networks

• Old operating systems & applications with poor patching practices

• Little monitoring of Control Systems for attacks is being done

• Vendors not securing their product offerings adequately


Current State of Security

• Increased risk of insider attacks by outsourced IT services

• Experts seeing increased interest in Control Systems by terrorists & foreign governments

• Evidence that nation-states have been taking remote control of Control Systems

• Denial by some companies that there is a problem

• Some companies are now starting to see the need and address the issues


Real Control System Security Breaches

• Daimler-Chrysler Plant Shutdown
– Zotob worm – August 2005

• First Energy’s Nuclear Plant Infestation
– Slammer worm – January 2003

• Maroochy Shire Sewage
– Release of millions of gallons of sewage – January 2000
– Perpetrator accessed system 46 times


AURORA Test


Current Threats

• Internet Based Threats

• Worms

• Viruses

• Denial of Service Attacks

• Targeted Attacks

• Terrorist

• Foreign Nation

• Former Insider


Current Threats

• Physical Threats

• Natural Disasters

• Man-made Disasters (War, Riots, etc.)

• Terrorist Attacks


Current Threats

• Internal Threats

• Disgruntled employee

• On-site contractor

• Unintentional attack

• IT worker

• Curious Employee


Current Threats

• Targeted Attacks

• Can use any threat & threat agent

• Internet

• Internal

• Physical

• Social Engineering

• Etc.


IT Security for Control Systems

• CIA

• Confidentiality

• Integrity

• Availability


IT Security for Control Systems

• Technical Controls

• Firewalls

• IDS

• Smart Cards

• Access Controls


IT Security for Control Systems

• Administrative Controls

• Security Policies & Procedures

• Security Awareness

• People


IT Security for Control Systems

• TCP/IP

• Patches & Updates

• Intrusion Detection Systems

• Control Systems Monitoring

• Signatures for Control Systems

• Anti-Virus Software


IT Security for Control Systems

• Access Control Methods

• Passwords

• Multi-Factor

• Smart Cards

• RFID

• Proximity

• Biometric


IT Security for Control Systems

• Authentication

• Active Directory

• Control Systems Integration

• Certificates


IT Security for Control Systems

• Authorization

• Role Based

• Area of Responsibility

• Station Access Control


Using an IDS with a Control System

• Network based

• Inspects all network traffic on that segment (incoming & outgoing)

• Uses pattern based signatures

• Anomaly based uses baseline

• Uses network tap or mirrored port

• Monitors multiple hosts


Using an IDS with a Control System

• Host based

• Inspects network traffic for a specific host

• Better at protecting a machine's specific function

• Misses LAN based attacks


Using an IDS with a Control System

• Commercial

• Pre-configured fee based IDS

• CA eTrust

• McAfee IntruShield & Entercept

• SonicWall

• StillSecure Strata Guard


Using an IDS with a Control System

• Open Source

• Snort

• Base

• Sguil – Real-time GUI interface

• OSSEC (Open Source Host-based Intrusion Detection System)


Using an IDS with a Control System

• IPS

• Intrusion Prevention System

• Automated Response

• Dynamically change firewall ruleset

• NIST IDS Guide (SP800-94)


Security Solutions

• Network Segmentation

• DMZ Design

• Can use ISA S99 standard as guide

• Design to protect each segment

• Allows for centralized services


Security Solutions

• Network Segmentation

• Centralized Services

• Anti-Virus

• Updates & Patches

• Active Directory Services

• Data Historians

• System Management


Security Solutions

• Secure Remote Access

• Secured VPN connections

• Escorted Access for vendors

• Require secured tokens

• Call in by vendor with request

• Issue 1-time code for access


Security Solutions

• IDS/IPS for Control Systems

• Which one to use?

• Where to use?

• HIDS or Application Whitelisting?

• UTM – Unified Threat Management


Security Solutions

• Security Event Monitoring & Logging

• Network Devices

• Switches, Routers, Firewalls, IDS

• Computing Devices

• Historians, Servers, Operator consoles

• Field Devices

• RTU, PLC, Telemetry Devices, Embedded Devices


Security Solutions

• Security Framework

• NIPP

• NERC CIP

• CSSP DHS

• NIST


Security Solutions


Security Solutions


Control Systems Security Initiatives

• NIPP (National Infrastructure Protection Plan)

• CIPAC (Critical Infrastructure Partnership Advisory Council)

• ICSJWG (Industrial Control Systems Joint Working Group)

• ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)

• Strategy for Securing Control Systems


Control Systems Security Initiatives

• CSSP (Control Systems Security Program)

• Idaho National Laboratory

• National SCADA Test Bed Program

• SCADA & Control Systems Procurement Project

• Smart Grid Interoperability Standards Project

• UK NISCC - Now CPNI (Centre for the Protection of National Infrastructure)

• PCSF/SCySAG (SCADA Cyber Self Assessment Working Group) - Historical


Control Systems Regulations

• NERC (North American Electric Reliability Council)

• Develop & enforce reliability standards

• CIDX/ACC – Now ChemITC (American Chemistry Council)

• CFATS guidance & assessment tools


Control Systems Regulations

• ISA SP99 (Industrial Automation & Control System Security) – International Society of Automation

• Part 1 Standard: Concepts, Terminology & Models

• Part 2 Standard: Establishing an Industrial Automation & Control Systems Security Program

• Part 3 Standard: Technical Requirements for Industrial Control Systems (Currently in development)


Control Systems Regulations

• AGA 12 – Discontinued and used in IEEE 1711 Trial Standard

• Encryption of Serial Communications

• Serial Encrypting Transceivers now available

• API Standard 1164 (American Petroleum Institute)

• Standard on SCADA security for pipelines

• NIST – National Institute of Standards and Technology


Control Systems Regulations

• SP800-82 – Guide to Industrial Control Systems (ICS) Security

• NIST initiative on Critical Infrastructure Protection (CIP)

• Uses ISO 15408 Common Criteria methodology


Control System Security Takeaway

• The 7 Things Every Plant Manager Should Know About Control System Security
– John Cusimano – Director of Security Solutions for exida
– http://www.exida.com/images/uploads/The_7_Things_Every_Plant_Manager_Should_Know_About_Control_System_Security.pdf


Contact Information

Dr. Thomas L. Pigg
Professor of Computer Information Systems
Jackson State Community College
2046 N. Parkway
Jackson, TN 38305
(731) 424-3520 Ext. [email protected]