SCADA: A Deeper Look

Jeff Dagle
Pacific Northwest National Laboratory
P.O. Box 999, M/S K5-20; Richland WA 99352
509-375-3629; Fax: 509-375-3614; jeff.dagle@pnl.gov
SCADA Principles of Operation

Interface with physical devices:
- Remote terminal unit (RTU)
- Intelligent electronic device (IED)
- Programmable logic controller (PLC)

Communications:
- Directly wired
- Power line carrier
- Microwave
- Radio (spread spectrum)
- Fiber optic

Vendors:
- Asea Brown Boveri (ABB)
- Siemens
- Alstom ESCA
- Telegyr Systems
- Advanced Control Systems (ACS)
- Harris
- Bailey
Protocol Background

- International Organization for Standardization (ISO) Open Systems Interconnection (OSI) Reference Model (protocol stack)

DNP 3.0 (Distributed Network Protocol):
- RTU to IED communications
- Master to remote communications
- Peer-to-peer instances and network applications
- Object-based application layer protocol
- Emerging open architecture standard
DNP 3.0 Data Link Layer

Interface with the physical layer:
- Packing data into the defined frame format and transmitting it to the physical layer
- Unpacking frames received from the physical layer
- Controlling all aspects of the physical layer

Data validity and integrity:
- Collision avoidance/detection
- Message retries
- Establishing and dropping the connection in a dial-up environment
DNP 3.0 Data Link Layer: frame format

    |<------ FIXED LENGTH HEADER (10 octets) ------>|<------------- BODY ------------->|
    | START | LENGTH | CONTROL | DESTINATION | SOURCE | CRC | USER DATA | CRC | USER DATA | CRC | ... |
                                                       |   BLOCK 0     |   BLOCK 1     | ... BLOCK n

Field        Size       Description
START        2 octets   Starting octets of the header (0x05 0x64)
LENGTH       1 octet    Count of the remaining header octets (CONTROL, DESTINATION, SOURCE = 5) plus the user data octets in the body; CRC octets are not counted
CONTROL      1 octet    Frame control
DESTINATION  2 octets   Destination address
SOURCE       2 octets   Source address
CRC          2 octets   Cyclic redundancy check over the eight preceding header octets
USER DATA    16 octets  Each block following the header carries up to 16 octets of user data followed by its own 2-octet CRC; the last block may be shorter

The CRCs protect against transmission errors only. Anyone who can write to the link can alter a frame and recompute every CRC, so the data link layer gives no protection against a deliberate attacker.
DNP 3.0 Transport Function

- Supports advanced RTU functions and messages larger than the maximum frame length of the data link layer
- Additional data integrity verification
- Packs user data into multiple frames of the data link frame format for transmission
- Unpacks multiple frames received from the data link layer
- Controls the data link layer
DNP 3.0 Transport Function: transport header

    | TRANSPORT HEADER | USER DATA              |
    | 1 octet          | 1 to 249 octets        |

    Bit:  7    6    5 4 3 2 1 0
          FIN  FIR  SEQUENCE

FIN       0 = more frames follow; 1 = final frame of a sequence
FIR       1 = first frame of a sequence; 0 = not the first frame of a sequence
SEQUENCE  Number between 0 and 63 used to check that frames are received in sequence
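The data link frame and transport header described above, worked through as an added Python example (this is not code from the slides or from any DNP3 vendor). The START octets, the CRC parameters (CRC-16/DNP, polynomial 0x3D65, transmitted low octet first), the little-endian address fields and the transport header bit positions are those of the DNP3 specification; the addresses, control octet and fragment bytes in SAMPLE_FRAME are constructed for the demo. The last two functions make the security point explicit: a flipped bit is caught by the CRC, but an attacker who rewrites a user octet and recomputes the CRCs gets a frame that parses cleanly.

```python
"""DNP3 data link frame encode/decode plus transport-header decode.

Added example, not taken from the slides. Field layout, START octets and
CRC parameters follow the DNP3 specification; the sample data is constructed.
"""

START = b"\x05\x64"   # the 2 starting octets of every frame
MAX_USER_DATA = 250   # LENGTH is one octet (<= 255) and counts the 5 header
                      # octets after it (CONTROL, DEST, SOURCE) plus user data


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0,
    result complemented. Check value for b"123456789" is 0xEA82."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _with_crc(chunk: bytes) -> bytes:
    # DNP3 sends the CRC least significant octet first
    return chunk + crc16_dnp(chunk).to_bytes(2, "little")


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """8 header octets + CRC, then user data in 16-octet blocks, each with
    its own 2-octet CRC. CRC octets are not counted in LENGTH."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds 250 octets; use transport segmentation")
    header = (START + bytes([5 + len(user_data), control])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = _with_crc(header)
    for i in range(0, len(user_data), 16):
        frame += _with_crc(user_data[i:i + 16])
    return frame


def parse_frame(frame: bytes) -> dict:
    """Validate START, LENGTH and every CRC; return header fields and the
    reassembled user data. Raises ValueError on any inconsistency."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing START 0x05 0x64")
    header = frame[:8]
    if int.from_bytes(frame[8:10], "little") != crc16_dnp(header):
        raise ValueError("header CRC mismatch")
    n_user = header[2] - 5
    if not 0 <= n_user <= MAX_USER_DATA:
        raise ValueError("LENGTH out of range")
    user, pos = bytearray(), 10
    while n_user > 0:
        n = min(16, n_user)
        block = frame[pos:pos + n]
        got = int.from_bytes(frame[pos + n:pos + n + 2], "little")
        if len(block) != n or got != crc16_dnp(block):
            raise ValueError(f"body CRC mismatch at octet {pos}")
        user += block
        pos += n + 2
        n_user -= n
    if pos != len(frame):
        raise ValueError("trailing octets after last block")
    return {
        "control": header[3],
        "dest": int.from_bytes(header[4:6], "little"),
        "src": int.from_bytes(header[6:8], "little"),
        "user_data": bytes(user),
    }


def parse_transport_header(octet: int) -> dict:
    """First user-data octet: FIN is bit 7, FIR is bit 6, SEQUENCE is bits 0-5."""
    return {"fin": bool(octet & 0x80), "fir": bool(octet & 0x40), "seq": octet & 0x3F}


def crc_detects_bit_flip(frame: bytes, index: int) -> bool:
    """True if one flipped bit (line noise) makes parse_frame reject the frame."""
    damaged = bytearray(frame)
    damaged[index] ^= 0x01
    try:
        parse_frame(bytes(damaged))
    except ValueError:
        return True
    return False


def forge_user_octet(frame: bytes, user_index: int, value: int) -> bytes:
    """What an active attacker does: change a user-data octet and recompute
    the CRCs. The result parses cleanly, so a CRC is an integrity check
    against noise, not authentication against an adversary."""
    f = parse_frame(frame)
    user = bytearray(f["user_data"])
    user[user_index] = value
    return build_frame(f["control"], f["dest"], f["src"], bytes(user))


# Constructed sample: master (address 1) to outstation (address 10); control
# 0xC4 = DIR=1, PRM=1, function 4 (unconfirmed user data). User data is the
# transport header 0xC0 (FIR=1, FIN=1, SEQ=0) plus 19 constructed fragment octets.
SAMPLE_USER_DATA = b"\xC0" + bytes(range(1, 20))
SAMPLE_FRAME = build_frame(0xC4, dest=10, src=1, user_data=SAMPLE_USER_DATA)

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex())
    print(parse_frame(SAMPLE_FRAME))
    print(parse_transport_header(SAMPLE_USER_DATA[0]))
```

The 20 octets of user data span two body blocks (16 + 4 octets), so the sample frame is 10 + 18 + 6 = 34 octets long. Applying `forge_user_octet` and then `parse_frame` to it succeeds, which is exactly why the later slides on signal authentication matter.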
DNP 3.0 Application Layer

- Communications interface with application software
- Designed for SCADA and distributed automation systems
- Supported functions include: send request, accept response, confirmation, time-outs, error recovery, etc.
Trends affecting SCADA security

- Open protocols: open industry standard protocols are replacing vendor-specific proprietary communication protocols
- Interconnected to other systems: connections to business and administrative networks to obtain productivity improvements and mandated open-access information sharing
- Reliance on public information systems: increasing use of public telecommunication systems and the internet for portions of the control system
- Security through obscurity: poor defense against a "structured adversary"
Defensive approaches

- Isolated network
- Communication encryption: concerns over latency, reliability and interoperability; vendors waiting for customer demand
- Signal authentication: may provide good defense without the concerns associated with full signal encryption
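The signal authentication idea on the slide, as an added illustration in Python. This is not code from the slides and it is not a DNP3 mechanism: it appends a keyed tag (HMAC-SHA-256, truncated to 16 octets, an assumption) and a sequence number to an otherwise unmodified control message, so the payload stays readable on the wire while a receiver can reject forged, altered and replayed messages. The shared key, the sequence-number rule and the sample messages are constructed.

```python
"""Authentication without encryption: message || seq || HMAC tag.

Added illustration, not from the slides and not a DNP3 mechanism. The key,
tag length and sample messages are constructed for the demo."""
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA-256 tag (assumption; 16 octets is adequate here)


def authenticate(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side. The message itself is sent in the clear; only the tag
    and a 4-octet sequence number are added."""
    body = message + struct.pack(">I", seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Verifier:
    """Receiver side: constant-time tag check, then reject any sequence
    number not greater than the last accepted one (replay or stale)."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def verify(self, wire: bytes):
        """Return the authenticated message, or None if it must be dropped."""
        if len(wire) < 4 + TAG_LEN:
            return None
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or altered in transit
        message, seq = body[:-4], struct.unpack(">I", body[-4:])[0]
        if seq <= self.last_seq:
            return None                      # replayed or out-of-date
        self.last_seq = seq
        return message


def demo() -> dict:
    """Constructed exchange: one genuine command, its replay, a bit-flipped
    copy, the next command, and a receiver holding a different key."""
    key = b"constructed-shared-link-key"
    rx = Verifier(key)
    m1 = authenticate(key, 1, b"OPERATE breaker 7 TRIP")
    m2 = authenticate(key, 2, b"OPERATE breaker 7 CLOSE")
    forged = bytearray(m1)
    forged[0] ^= 0xFF                        # attacker edits the command text
    return {
        "genuine_accepted": rx.verify(m1) == b"OPERATE breaker 7 TRIP",
        "replay_rejected": rx.verify(m1) is None,
        "forgery_rejected": rx.verify(bytes(forged)) is None,
        "next_accepted": rx.verify(m2) == b"OPERATE breaker 7 CLOSE",
        "wrong_key_rejected": Verifier(b"some-other-key").verify(m2) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The overhead is a fixed 20 octets per message and one hash computation at each end, which is the point of the slide's comparison with full encryption: latency and interoperability costs are small, and the traffic stays inspectable for troubleshooting and intrusion detection. What it does not give is confidentiality, and it still needs a way to distribute and rotate the per-link key.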
IEEE Standard 1402-2000

IEEE Guide for Electric Power Substation Physical and Electronic Security. Provides definitions and parameters that influence the threat of intrusions, and gives criteria for substation security.

Cyber methods considered:
- passwords
- dial-back verification
- selective access
- virus scans
- encryption and encoding
Additional Countermeasures to Consider

- Implement access control with strong passwords
- Implement automatic reporting/intrusion detection features
- Create a multi-tiered access hierarchy
- Implement application-level authentication and packet-level data encryption
- Consider implementing public key infrastructure (PKI): when properly implemented, PKI certificates enable authentication, encryption, and non-repudiation of data transmissions
- Implement properly configured firewalls and intrusion detection systems
- Have a defined enterprise-level computer network security policy

Ref: Concerns About Intrusion into Remotely Accessible Substation Controllers and SCADA Systems, Schweitzer Engineering Laboratories, www.selinc.com
Steps for Enhancing SCADA Security

- Establish a robust network architecture
- Eliminate trusted remote access points of entry
- Evaluate and deploy technology and approaches to enhance confidentiality, availability, and integrity
- Implement rigorous configuration management
- Provide adequate support and training
- Never become complacent!