WELL SITE AUTOMATION 2017
Strategies to Protect SCADA Systems and Data (slides dated 2017-01-25)
Alex Barclay, Chief Information Security Officer, eLynx Technologies
Mauricio Papa, Ph.D., Associate Professor of Computer Science; Director, Institute for Information Security

Posted Feb 25, 2021
Transcript
Page 1: TITLE

WELL SITE AUTOMATION 2017

Strategies to Protect SCADA Systems and Data

Alex Barclay, Chief Information Security Officer, eLynx Technologies

Mauricio Papa, Ph.D., Associate Professor of Computer Science; Director, Institute for Information Security

Page 2: INTRODUCTION

Critical Infrastructure Protection
• PDD-63 (1998), Executive Order 13228 (2001), HSPD-7 (2003)

Process Control Systems
• Field equipment using standard protocols over a network
• Operational requirements favored over security
• Networks physically or logically isolated (isolation was the security model)

Challenge
• TCP/IP increasingly seen as the preferred mechanism to deliver data across diverse networks
• Modbus TCP and DNP3
• Increased connectivity opens the environment to untrusted external entities
• Understanding the interactions between a physical process, its controllers and the network

Page 3: PROBLEM

Critical infrastructure and cyberspace
• Controlled by special devices that are connected to the network (open/close valves, control temperatures and flows, switch things on and off)
• Someone could control it with a computer from very far away and cause harm

(Slide images: Programmable Logic Controller (PLC); refinery (gasoline); natural gas)

Page 4: INCIDENT 1: SCADA COMMAND ATTACK - POWER GENERATION

Aurora test (2007, Idaho National Laboratory): an electric power generator (the machine that provides electricity) was physically destroyed by remotely issuing valid-looking breaker open/close commands out of synchronism with the grid.

Page 5: INCIDENT 2: INSIDER ATTACK - WATER

Maroochy Water Services, Queensland, Australia (2000): insider attack
• The attacker had worked for the contractor that installed the control system
• Radio-controlled sewage system
• Had access just sitting in a car (laptop and radio equipment)
• Could not get a job with the city council

Actions
• 200,000 gallons of raw sewage spilled
• Marine life died
• Creek water turned black
• Stench unbearable

Consequences
• Attacker pulled over by police with computer equipment in the car
• Convicted at trial (two-year sentence)

Page 6: INCIDENT 3: PLC ATTACK

Stuxnet worm (June 2010); Iran (Symantec: about 60% of infected systems)
• Spreads via Microsoft Windows and targets Siemens ICS (Step 7 software and S7 PLCs)
• PLC rootkit (3-step process)

Consequences
• Shut down operations
• Uranium enrichment infrastructure in Iran

(Slide image: Siemens S7 PLC)

Page 7: INCIDENT 4: STATE HACKING

Ukraine (December 2015): 225,000 customers lost electric power
• Illegal access to SCADA systems

Consequences
• Seven 110 kV and twenty-three 35 kV substations disconnected for three hours
• Ukrainian government claims Russian security services were responsible
• First publicly acknowledged cyber incident resulting in power outages

Page 8: CHALLENGES

Deployment
• Components may be deployed in different locations
• Communication infrastructure is required
• Modern SCADA protocols transport data over TCP/IP

Security issues
• SCADA protocols designed with functionality in mind
• No security functionality (no authentication, integrity protection or encryption in Modbus TCP or base DNP3)
• Use of TCP/IP as a transport carrier for SCADA protocols
• Interconnection of SCADA and IT networks: attacks on IT networks could tunnel into the SCADA network
• Forensics

Page 9: WE ARE UNDER CONSTANT AND INCREASING ATTACK

ICS-CERT Monitor, December 2013
• 256 voluntarily reported incidents in 2013
• 79 organizations were confirmed or believed to be compromised; 57 were determined "not compromised"
• The rest (120) are "unknown"!
• "ICS-CERT assesses that many incidents are not detected due to a lack of sufficient detection or logging capabilities."

Shodan and Project SHINE find lots of stuff every day:
• SCADA/ICS, PLCs, RTUs, sensors, HMI servers, and DCS
• Medical devices, traffic management systems, automotive control systems, HVAC systems, power regulators, CCTV and webcams, serial port servers, and data radios

Page 10: SOLUTIONS

Awareness
• Security standards
• ISA SP-99 (now ISA/IEC 62443)
  • Security Technologies for Manufacturing and Control Systems
  • Integrating Electronic Security into the Manufacturing and Control Systems Environment
• NIST
  • System Protection Profile - Industrial Control Systems
  • SP 800-82 - Guide to Industrial Control Systems Security
• API
  • API 1164 - Pipeline SCADA Security

Education

Research
• Tools specifically designed for the SCADA domain

Page 11: THE UNIVERSITY OF TULSA: CYBER-SECURITY

NSA Center of Academic Excellence in Information Assurance Education
• May 2000

NSA Center of Academic Excellence in Information Assurance Research
• May 2009

NSA National Center of Academic Excellence in Cyber Operations
• May 2012

One of only four (4) schools in the USA to hold all three (3) designations in the 2012-2013 academic year

Page 12: RESEARCH AND TOOLS: STRATEGY

Message monitoring
• Interpret and filter PCS protocol messages
• All layers of the network protocol stack
• Support stateful analysis
• Reporting capabilities (IDS, SCADA firewall) (*)

Protocol-based
• Standard protocol messages with special codes
• Modbus has unused function codes
• DNP3 has data objects reserved for future expansion
• Security module at the application/user layer

Tunneling services
• Communication wrapper around PCS protocols
• Transparent to end devices

Honeynets (*)
• Learn from potential intruders
• Gather information
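As an added example (not from the slides, and not the Tulsa group's or eLynx's tooling), the Python below sketches the message-monitoring strategy on this slide as a stateful Modbus TCP filter, and at the same time makes the Page 8 point concrete: a Modbus TCP frame is just a 7-byte MBAP header plus a function code and data, with no field that authenticates the master, so any host that can reach TCP port 502 can write a coil unless something in the path says otherwise. The filter parses each frame strictly, drops requests that are well-formed but unauthorised (unknown masters, writes from read-only masters, writes outside an address allow-list), flags reserved or user-defined function codes (the "unused" codes the protocol-based bullet refers to), matches responses to pending requests by transaction id, and writes alerts for the IDS role. Host addresses, the unit id, the writable coil address and every frame are constructed for the example; DNP3 is not covered.

```python
import struct
from typing import Dict, List, NamedTuple, Set, Tuple

# Modbus TCP frame = 7-byte MBAP header (transaction id, protocol id, length, unit id)
# followed by the PDU (function code + data). Nothing in it authenticates the sender.
MBAP = struct.Struct(">HHHB")
PUBLIC_FC = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
WRITE_FC = {5, 6, 15, 16, 22, 23}
USER_DEFINED_FC = set(range(65, 73)) | set(range(100, 111))  # per the Modbus spec

class ModbusMsg(NamedTuple):
    tid: int
    unit: int
    fc: int      # bit 7 set marks an exception response
    data: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusMsg:
    """Strict MBAP/PDU parse; raises ValueError on anything malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    return ModbusMsg(tid, unit, frame[7], frame[8:])

def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    return MBAP.pack(tid, 0, len(data) + 2, unit) + bytes([fc]) + data

class ScadaFilter:
    """Stateful allow-list filter for Modbus TCP with an alert log (IDS/firewall role)."""
    def __init__(self, read_masters: Set[str], write_masters: Set[str],
                 writable: Dict[int, Set[int]]) -> None:
        self.read_masters, self.write_masters = read_masters, write_masters
        self.writable = writable                     # unit id -> writable addresses
        self.pending: Dict[Tuple[str, str, int], ModbusMsg] = {}  # (master, slave, tid)
        self.alerts: List[str] = []

    def _drop(self, src: str, dst: str, reason: str) -> str:
        self.alerts.append(f"ALERT {src}->{dst}: {reason}")
        return "drop"

    def check_request(self, src: str, dst: str, frame: bytes) -> str:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as err:
            return self._drop(src, dst, f"malformed: {err}")
        fc = msg.fc & 0x7F
        if fc not in PUBLIC_FC:  # unused codes are where covert commands would hide
            kind = "user-defined" if fc in USER_DEFINED_FC else "reserved/unassigned"
            return self._drop(src, dst, f"{kind} function code {fc}")
        if src not in self.read_masters:
            return self._drop(src, dst, f"{src} is not an authorised master")
        if fc in WRITE_FC:
            if src not in self.write_masters:
                return self._drop(src, dst, f"write fc {fc} from read-only master {src}")
            off = 4 if fc == 23 else 0  # FC 23 carries the read address first, then the write address
            addr = struct.unpack_from(">H", msg.data, off)[0] if len(msg.data) >= off + 2 else None
            if addr not in self.writable.get(msg.unit, set()):
                return self._drop(src, dst, f"write fc {fc} to unit {msg.unit} addr {addr} not allowed")
        self.pending[(src, dst, msg.tid)] = msg
        return "allow"

    def check_response(self, src: str, dst: str, frame: bytes) -> str:
        # src is the slave, dst the master; a reply must match a pending request
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as err:
            return self._drop(src, dst, f"malformed: {err}")
        req = self.pending.pop((dst, src, msg.tid), None)
        if req is None:
            return self._drop(src, dst, f"response tid {msg.tid} without a matching request")
        if (msg.fc & 0x7F, msg.unit) != (req.fc, req.unit):
            return self._drop(src, dst, "response fc/unit does not match the request")
        if msg.fc & 0x80:  # exception reply: passed through, but reported
            self.alerts.append(f"ALERT {src}->{dst}: exception {msg.data[:1].hex()} for fc {req.fc}")
        return "allow"

def demo() -> Tuple[List[str], List[str]]:
    """Constructed traffic between two masters and one PLC (hypothetical addresses)."""
    plc, eng, hmi = "10.0.1.5", "10.0.0.10", "10.0.0.11"
    fw = ScadaFilter({eng, hmi}, {eng}, {1: {0x0010}})
    coil_on = struct.pack(">HH", 0x0010, 0xFF00)
    verdicts = [
        fw.check_request(hmi, plc, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),  # read 10 regs
        fw.check_response(plc, hmi, build_frame(1, 1, 3, bytes([20]) + bytes(20))),   # matching reply
        fw.check_request(eng, plc, build_frame(2, 1, 5, coil_on)),                    # allowed write
        fw.check_request(hmi, plc, build_frame(3, 1, 5, coil_on)),                    # HMI may not write
        fw.check_request(eng, plc, build_frame(4, 1, 5, struct.pack(">HH", 0x20, 0xFF00))),  # bad addr
        fw.check_request(eng, plc, build_frame(5, 1, 41, b"\x00\x01")),               # reserved fc
        fw.check_response(plc, eng, build_frame(99, 1, 3, bytes([2, 0, 0]))),         # unsolicited
    ]
    return verdicts, fw.alerts
```

Calling `demo()` returns the seven verdicts (three allows, then four drops) together with the four alert lines. The allow-list is the design choice that matters: because the protocol offers no authentication, the filter has to decide from network identity and message content alone, and it defaults to deny for anything outside the expected masters, function codes and addresses. Inline (firewall) or on a SPAN port (IDS, where "drop" becomes "alert only"), the pending-request table would also need an expiry and a size cap so that a flood of requests cannot exhaust memory.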