Protecting your SCADA system against cyber security threats
17 June 2009
Nov 12, 2014
Chaiyakorn Apiwathanokul
CISSP, IRCA:ISMS, SANS GCFA
Chief Security Officer, PTT ICT Solutions
A Company of PTT Group
SCADA Security
National Critical Infrastructure
Cyber Terrorist
Now that Hollywood is knocking on your door
Transportation System
Building Automation System (BAS)
Recently in the News (24th May 2009)
http://www.us-cert.gov
What are Industrial Control Systems (ICS), SCADA and DCS?
Industrial Control Systems are computer-based systems that are used by many infrastructures and industries to monitor and control sensitive processes and physical functions. Typically, control systems collect sensor measurements and operational data from the field, process and display this information, and relay control commands to local or remote equipment.
There are two primary types of Control Systems:
– Distributed Control Systems (DCS) typically are used within a single processing or generating plant or over a small geographic area.
– Supervisory Control and Data Acquisition (SCADA) systems typically are used for large, geographically dispersed distribution operations.
NIST SP800-82 Final Public DRAFT (Sep. 2008)
Industrial Control System
The term Industrial Control System (ICS) refers to a broad set of control systems, which include:
• SCADA (Supervisory Control and Data Acquisition)
• DCS (Distributed Control System)
• PCS (Process Control System)
• EMS (Energy Management System)
• AS (Automation System)
• SIS (Safety Instrumented System)
• Any other automated control system
Global Incidents
• Siberia, 1982: CIA hackers attacked the USSR's pipeline operation software and caused a massive explosion during the summer of 1982 in the controversial pipeline delivering Siberian natural gas to Western Europe. (From the book At the Abyss: An Insider's History of the Cold War, Ballantine, 2004, ISBN 0-89141-821-0; keyword: The Farewell Dossier, Gus W. Weiss)
• 2002: The FBI traced visitors, routed through the telecommunication networks of Saudi Arabia, Indonesia and Pakistan, who had studied emergency telephone systems, electric generation and transmission, water storage and distribution, nuclear power plants and gas facilities. (http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26)
Global Incidents (cont.)
• Based on evidence collected in Afghanistan, Al Qaeda had a "high level of interest" in DCS and SCADA devices. (AFI Intelligence Briefing - 28th June 2002)
– Islamic terrorism looks for new methods of attack
– 'Bombs and Bytes': The next Al Qa'ida terrorist threat
– US faces an 'electronic Pearl Harbour'
• 2003: Slammer Worm crashed the network of the Davis-Besse nuclear plant in Ohio. According to a document released by the North American Electric Reliability Council in June, Slammer downed one utility's critical SCADA network after moving from a corporate network, through a remote computer, to a VPN connection to the control center LAN. (http://www.securityfocus.com/news/6767)
Recovery time:
– SPDS (Safety Parameter Display System) – 4 hours 50 minutes
– PPC (Plant Process Computer) – 6 hours 9 minutes
Cyber Incidents and Consequences
Italian Traffic Lights
Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system.
Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in a two-month period.
Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets.
Lessons learned:
• Do not underestimate the insider threat
• Ensure separation of duties and auditing
Transportation – Road Signs
Event: Jan 2009, Texas road signs compromised.
Impact: Motorists distracted and provided false information.
Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
Lessons learned:
• Use robust physical access controls
• Change all default passwords
• Work with manufacturers to identify and protect password reset procedures
Activity Timeline of U.S. Critical Infrastructure Protection
U.S. Critical Infrastructure Sectors
Homeland Security Presidential Directive 7 (HSPD-7) along with the National Infrastructure Protection Plan (NIPP) identified and categorized U.S. critical infrastructure into the following 18 CIKR sectors:
• Agriculture and Food
• Banking and Finance
• Chemical
• Commercial Facilities
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Information Technology
• National Monuments and Icons
• Nuclear Reactors, Materials, and Waste
• Postal and Shipping
• Public Health and Healthcare
• Telecommunications
• Transportation
• Water and Water Treatment
Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system.
Obama elevates the priority of cybersecurity concerns
May 29, 2009: U.S. President Barack Obama will appoint a government-wide cybersecurity coordinator and elevate cybersecurity concerns to a top management priority for the U.S. government, he announced Friday. The White House will also develop a new, comprehensive national cybersecurity strategy, with help from private experts, and it will invest in "cutting edge" cybersecurity research and development, Obama said in a short speech.
Risk Drivers: Modernization and Globalization
• Connections between Information Technology and Control System networks (inheriting vulnerabilities)
• Shift from isolated systems to open protocols
• Access to remote sites through the use of modems, wireless, private, and public networks
• Shared or joint use systems for e-commerce
General Findings
• Default vendor accounts and passwords still in use
• Some systems unable to be changed!
• Guest accounts still available
• Unused software and services still on systems
• No security-level agreement with peer sites
• No security-level agreement with vendors
• Poor patch management (or patch programs)
• Extensive auto-logon capability
General Findings (continued)
• Typical IT protections not widely used (firewalls, IDS, etc.). This has been improving in the last 6 months
• Little emphasis on reviewing security logs (change management)
• Common use of dynamic ARP tables with no ARP monitoring
• Control system use of enterprise services (DNS, etc.)
• Shared passwords
• Writeable shares between hosts
• User permissions allow for admin-level access
• Direct VPN from offsite to control systems
• Web-enabled field devices
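The finding "dynamic ARP tables with no ARP monitoring" above is worth a concrete illustration of what monitoring would catch. The following is an added example, not code from the slides or from PTT: it replays a constructed capture of ARP replies the way a passive sniffer on the control LAN would see them, pins the gateway and PLC to expected MACs, and raises an alert whenever an IP's MAC changes or one MAC starts answering for several IPs (the pattern of ARP poisoning used to sit between the HMI and the PLC). All IP and MAC addresses are assumptions.

```python
"""ARP monitoring for a control-system LAN.

Added example; not code from the original slides. It replays a constructed
list of ARP replies, as a passive sniffer on the control LAN would see them,
and flags what an unmonitored dynamic ARP table silently accepts: an IP
whose MAC changes, and one MAC answering for several IPs (gateway/PLC
impersonation used to intercept or alter control traffic). Critical hosts
are pinned to expected MACs. All addresses are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed bindings for hosts that must never change MAC.
PINNED = {
    "10.1.1.1": "00:11:22:aa:bb:01",   # control-network gateway
    "10.1.1.10": "00:11:22:aa:bb:10",  # PLC
}


@dataclass
class ArpReply:
    ts: int   # seconds since capture start
    ip: str   # sender protocol address in the reply
    mac: str  # sender hardware address in the reply


@dataclass
class ArpMonitor:
    pinned: Dict[str, str]
    seen: Dict[str, str] = field(default_factory=dict)         # ip -> last mac
    claims: Dict[str, Set[str]] = field(default_factory=dict)  # mac -> ips claimed

    def observe(self, r: ArpReply) -> List[str]:
        """Update state with one reply and return the alerts it triggers."""
        alerts = []
        mac = r.mac.lower()
        expected = self.pinned.get(r.ip)
        if expected is not None and mac != expected.lower():
            alerts.append(f"t={r.ts} PINNED_MISMATCH {r.ip} expected {expected} got {mac}")
        prev = self.seen.get(r.ip)
        if prev is not None and prev != mac:
            alerts.append(f"t={r.ts} MAC_CHANGE {r.ip} {prev} -> {mac}")
        self.seen[r.ip] = mac
        ips = self.claims.setdefault(mac, set())
        ips.add(r.ip)
        if len(ips) > 1:
            alerts.append(f"t={r.ts} MULTI_IP {mac} claims {sorted(ips)}")
        return alerts


def run_monitor(replies: List[ArpReply]) -> List[str]:
    mon = ArpMonitor(pinned=PINNED)
    alerts: List[str] = []
    for r in replies:
        alerts.extend(mon.observe(r))
    return alerts


# Constructed capture: three legitimate replies, then an attacker host
# (00:de:ad:be:ef:01) announcing itself as the gateway and then the PLC.
SAMPLE = [
    ArpReply(0, "10.1.1.1", "00:11:22:aa:bb:01"),
    ArpReply(1, "10.1.1.10", "00:11:22:aa:bb:10"),
    ArpReply(2, "10.1.1.50", "00:11:22:aa:bb:50"),   # HMI workstation
    ArpReply(60, "10.1.1.1", "00:de:ad:be:ef:01"),
    ArpReply(61, "10.1.1.10", "00:de:ad:be:ef:01"),
]

if __name__ == "__main__":
    for line in run_monitor(SAMPLE):
        print(line)
```

The pinned table is the part that matters on a control network: the host inventory changes rarely, so a static expected-MAC list for the gateway, PLCs and historian is cheap to maintain and turns a noisy "MAC changed" signal into a definite mismatch. Detection is the minimum; static ARP entries on the critical hosts, or dynamic ARP inspection on managed switches where the vendor supports it, stop the poisoning rather than just reporting it.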
Issue #1:
Low-chance, high-impact incidents have received more focus since the 9/11 incident
• What's never happened may still happen.
• 0.0001% = POSSIBLE
• RISK = Likelihood x Impact
[Figure: risk matrix with Probability (Low to High) on the horizontal axis and Impact (Low to High) on the vertical axis, cells rated Low / Medium / High]
Issue #1: (cont.)
Low-chance, high-impact incidents have received more focus since the 9/11 incident
• National Critical Infrastructure: "critical infrastructure" -- industrial sectors that are "essential to the minimum operations of the economy and government." – PDD63, 1998
– Telecommunications
– Energy
– Banking and Finance
– Transportation
– Water Systems
– Emergency Services
Issue #2:
A Gap of Coordination
• Different vocabulary
– ICT: "I know TCP/IP, NetBIOS, MSSQL, SAP, etc."
– Operation: "I know Profibus, FieldBus, MODBUS, solenoid valves, turbines, hydraulics, pneumatics, etc."
• SCADA/DCS can be somewhat frighteningly exciting to ICT people. Inadequate knowledge of and experience with the system lowers their confidence to provide appropriate support.
• Operation people should work with IT security professionals from the ICT department or from consultancies
• Educate the IT department about process control and SCADA operations
Issue #3:
Unsynchronized Technology Lifecycle
• ICT technology keeps changing while the control system is here to stay.
• Production processes are rarely changed.
• "We can operate as we always do. So, WHY UPGRADE???"
• ICT equipment life is ~3-5 years
• Control equipment life is ~10+ years
• SCADA security today is where enterprise security was 5-10 years ago
Issue #4:
Sharing the SAME CHALLENGES
• The information or data from devices or controllers is sent to and processed at a server of that system, which exposes many attack possibilities, as follows:
– Communication media
• Radio: jammer
• Protocol anomaly
– Operating system running on the server
• Microsoft Windows
• Unix
– Database
• MS-SQL
• Oracle
• A system running a standard operating system is vulnerable to standard attacks
– Malware/virus/worm/spyware
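"Protocol anomaly" on the communication path between controllers and the server (Issue #4), with MODBUS named in Issue #2 as the operations vocabulary, is best shown on the protocol itself. The following is an added example, not code from the slides or any vendor: it parses constructed Modbus/TCP request frames (the 7-byte MBAP header followed by function code and data) the way a monitoring sensor in front of the SCADA server or an RTU would, and flags malformed framing, write requests from a host other than the authorised master, writes outside the permitted register block, reads larger than the protocol allows, and unknown function codes. The master address, register policy and sample hosts are assumptions.

```python
"""Modbus/TCP protocol-anomaly checks.

Added example; not code from the original slides. It parses constructed
Modbus/TCP request frames (MBAP header + PDU) the way a monitoring sensor
in front of the SCADA server or an RTU would, and flags malformed framing,
write requests from hosts other than the authorised master, writes outside
the permitted register range, oversized reads and unknown function codes.
The master address, register policy and sample hosts are assumptions.
"""
import struct
from typing import Dict, List, Tuple

AUTHORISED_MASTERS = {"10.1.1.20"}       # assumed SCADA master
WRITABLE_REGISTERS = range(100, 200)     # assumed setpoint block
READ_LIMITS = {1: 2000, 2: 2000, 3: 125, 4: 125}   # per-function quantity maximums
WRITE_CODES = {5, 6, 15, 16}


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(raw: bytes) -> Dict[str, object]:
    if len(raw) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", raw[:7])
    return {"tid": tid, "pid": pid, "length": length, "unit": unit,
            "fc": raw[7], "data": raw[8:], "declared": 6 + length, "actual": len(raw)}


def check_frame(src_ip: str, raw: bytes) -> List[str]:
    """Return the anomaly labels raised by one request frame from src_ip."""
    alerts: List[str] = []
    try:
        f = parse_frame(raw)
    except ValueError as e:
        return [f"{src_ip}: MALFORMED {e}"]
    if f["pid"] != 0:
        alerts.append(f"{src_ip}: MALFORMED protocol id {f['pid']}")
    if f["declared"] != f["actual"]:
        alerts.append(f"{src_ip}: MALFORMED length {f['length']} vs frame size {f['actual']}")
    fc, data = f["fc"], f["data"]
    if fc in WRITE_CODES:
        if src_ip not in AUTHORISED_MASTERS:
            alerts.append(f"{src_ip}: UNAUTHORISED_WRITE fc={fc}")
        if fc in (6, 16) and len(data) >= 2:
            addr = struct.unpack(">H", data[:2])[0]
            if addr not in WRITABLE_REGISTERS:
                alerts.append(f"{src_ip}: WRITE_OUT_OF_RANGE register {addr}")
    elif fc in READ_LIMITS:
        if len(data) >= 4:
            qty = struct.unpack(">H", data[2:4])[0]
            if qty == 0 or qty > READ_LIMITS[fc]:
                alerts.append(f"{src_ip}: EXCESSIVE_READ fc={fc} quantity {qty}")
    else:
        alerts.append(f"{src_ip}: UNKNOWN_FUNCTION fc={fc}")
    return alerts


def run_checks(traffic: List[Tuple[str, bytes]]) -> List[str]:
    alerts: List[str] = []
    for src, raw in traffic:
        alerts.extend(check_frame(src, raw))
    return alerts


# Constructed traffic: two clean requests followed by five anomalous ones.
MASTER, LAPTOP = "10.1.1.20", "10.1.1.77"
READ_10 = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))
SAMPLE_TRAFFIC = [
    (MASTER, READ_10),                                                  # clean read
    (MASTER, build_frame(2, 1, 6, struct.pack(">HH", 150, 1234))),      # clean write
    (LAPTOP, build_frame(3, 1, 6, struct.pack(">HH", 150, 0))),         # write from non-master
    (MASTER, build_frame(4, 1, 16, struct.pack(">HHBH", 5, 1, 2, 0))),  # write outside block
    (MASTER, READ_10[:-1]),                                             # truncated frame
    (MASTER, build_frame(6, 1, 0x5A, b"")),                             # unknown function
    (MASTER, build_frame(7, 1, 3, struct.pack(">HH", 0, 500))),         # read above 125 regs
]

if __name__ == "__main__":
    for line in run_checks(SAMPLE_TRAFFIC):
        print(line)
```

Modbus carries no authentication, so "who is allowed to write" can only be enforced by the network around it; the source-address check here is the same rule a firewall between the control LAN and the server would apply, and the register-range check is what keeps an authorised but compromised master from reaching registers outside its setpoint block. The length and protocol-id checks catch the malformed frames that fuzzing tools and some worms produce and that older RTU stacks handle badly.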
Issue #5:
We are Connected
• The operation network is somehow connected to the corporate network or even able to access the Internet. Without proper protection and control, the operation environment is truly at high risk.
Issue #6:
Does the system integrator have security in mind when engineering the system?
• Are all possible conditions properly handled?
• Example: the engineer may know that the reading equipment would never yield a negative value, so he wrote the program to handle only values > 0.
WHAT IF… someone injects a negative value into that variable by tapping the media or at the database level? Can you tell what will happen?
• Is the program running in the controller security-aware by design?
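The negative-value question above can be answered by running it. The following is an added example, not code from the slides or from any integrator: it simulates a tank filled by a pump, where the controller reads the level from a value that an attacker can replace on the wire or in the historian database. The naive controller, like the engineer in the slide, was written for readings that are always positive; the hardened one checks the physical range and the rate of change before acting and stops the pump when a reading cannot be trusted. Tank geometry, limits and the injected values are assumptions.

```python
"""Negative-value injection against a level controller.

Added example; not code from the original slides. It simulates a tank
filled by a pump. The controller reads the level from a sensor value that
an attacker can replace, on the wire or in the historian database. The
naive controller, like the engineer in the slide, only considered readings
> 0; the hardened controller validates the physical range and the rate of
change and fails safe. Geometry, limits and injected values are assumptions.
"""
from typing import Dict, Optional, Tuple

TANK_CAPACITY = 100.0        # litres; anything above this is on the floor
HIGH_LIMIT = 90.0            # pump off at or above this level
LOW_LIMIT = 20.0             # pump on below this level
PUMP_RATE = 5.0              # litres added per control tick
SENSOR_MIN, SENSOR_MAX = 0.0, TANK_CAPACITY
MAX_DELTA = 2 * PUMP_RATE    # largest physically plausible change per tick


def naive_decide(reading: float, pump_on: bool) -> bool:
    """Original logic: written for readings that are always positive."""
    if reading >= HIGH_LIMIT:
        return False
    if reading < LOW_LIMIT:
        return True                     # a negative reading lands here
    return pump_on


def hardened_decide(reading: float, pump_on: bool,
                    last_good: Optional[float]) -> Tuple[bool, Optional[float], str]:
    """Validate before acting; on a bad reading stop the pump (fail safe)."""
    if not (SENSOR_MIN <= reading <= SENSOR_MAX):
        return False, last_good, "out_of_range"
    if last_good is not None and abs(reading - last_good) > MAX_DELTA:
        return False, last_good, "implausible_jump"
    return naive_decide(reading, pump_on), reading, "ok"


def simulate(controller: str, injected: Dict[int, float], ticks: int = 20) -> Dict[str, object]:
    """Run the process; injected maps tick -> tampered value the controller sees."""
    level, pump_on, last_good, peak = 50.0, True, None, 50.0
    reasons = set()
    for t in range(ticks):
        reading = injected.get(t, level)          # honest sensor reports the true level
        if controller == "naive":
            pump_on = naive_decide(reading, pump_on)
        else:
            pump_on, last_good, why = hardened_decide(reading, pump_on, last_good)
            reasons.add(why)
        if pump_on:
            level += PUMP_RATE
        peak = max(peak, level)
    return {"peak": peak, "overflowed": peak > TANK_CAPACITY, "reasons": reasons}


if __name__ == "__main__":
    attack = {t: -5.0 for t in range(8, 20)}       # constructed: level forced negative
    print("naive, no attack   ", simulate("naive", {}))
    print("naive, attack      ", simulate("naive", attack))
    print("hardened, attack   ", simulate("hardened", attack))
    print("hardened, fake 10.0", simulate("hardened", {8: 10.0}))
```

With an honest sensor the naive controller parks the level at 90 litres. Inject -5.0 from tick 8 onward and it takes the "< LOW_LIMIT" branch every tick: the pump never stops and the simulated tank is 50 litres past capacity by tick 20. The hardened controller rejects the reading as out of range and holds the pump off; an injected value that is in range but physically impossible (85 litres one tick, 10 the next) is caught by the rate-of-change check instead. Neither check defends against a slow, plausible drift, which is why a second, independent measurement (pump run time, or a separate high-level switch wired to the safety system) still belongs in the design.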
Issue #6: (cont.)
• "None of the industrial control systems used to monitor and operate the nation's utilities and factories were designed with security in mind. Moreover, their very nature makes them difficult to secure. Linking them to networks and the public Internet only makes them harder to protect."
Said by Joseph Weiss, executive consultant for KEMA Consulting
http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html
Issue #7:
Policy Enforcement
• People + Process + Technology need to work in harmony. Sometimes we need a certain technology or tool to ensure that the defined process or policy is in good shape.
• The most vulnerable entity is "PEOPLE". So keep them aware of what they are doing and the risks they are facing, plus the consequent damage and responsibility if they do not comply with the policy.
Summary
• The journey began
• Collaboration matters
– Division / Department
– Public / Private
– Country / Country
– Regional / Global
• The clock is ticking
• You don't want to say "Gosh…, I didn't even think it would happen to me."
• Something to start with
– NIST SP800-82
– ANSI/ISA-99.00.01-2007 Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts, and Models
– ANSI/ISA-99.02.01-2009 Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
– ISO27001, ISO27002 (ISO17799)
Resources
• Guide to Industrial Control Systems (ICS) Security
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
• Control System Security Program at US-CERT
http://www.us-cert.gov/control_systems
• Control System Security Resource and Podcast
http://www.digitalbond.com/
• 21 Steps to Improve Cyber Security of SCADA Networks
http://www.tswg.gov/subgroups/ps/infrastructure-protection/documents/21_Steps_SCADA.pdf