WELL SITE AUTOMATION 2017
Strategies to Protect SCADA Systems and Data
Alex Barclay, Chief Information Security Officer, eLynx Technologies
Mauricio Papa, Ph.D., Associate Professor of Computer Science; Director, Institute for Information Security
INTRODUCTION
Critical Infrastructure Protection
• PDD-63 (1998), Executive Order 13228 (2001), HSPD-7 (2003)
Process Control Systems
• Field equipment using standard protocols over a network
• Operational requirements favored over security
• Networks physically or logically isolated (security)
Challenge
• TCP/IP increasingly seen as the preferred mechanism to deliver data across diverse networks
• Modbus TCP and DNP3
• Increased connectivity opens environment to untrusted external entities
• Understanding interactions between a physical process, controllers and the network
PROBLEM
Critical infrastructure and cyberspace
Controlled by special devices that are connected to the network (open/close valves, control temperatures and flows, switch things on and off)
Someone could control it with a computer from very far away and cause harm
Slide images: Programmable Logic Controller (PLC); Refinery (Gasoline); Natural Gas
INCIDENT 1: SCADA COMMAND ATTACK – POWER GENERATION
Aurora Test (2007): Electric power generator (provides electricity)
INCIDENT 2: INSIDER ATTACK - WATER
Maroochy Water Services, Queensland, Australia (2000): insider attack
• Had worked with a contractor to install control system
• Radio controlled sewage system
• Had access just sitting in a car
• Could not get a job with City's council
Actions
• 200,000 gallons of raw sewage spilled
• Marine life died
• Creek water turned black
• Stench unbearable
Consequences
• Attacker pulled over by police with computer equipment in car
• Convicted in trial (2 year sentence)
INCIDENT 3: PLC ATTACK
Stuxnet worm (June 2010); Iran (Symantec: 60% of affected systems)
• Spreads via MS Windows and targets Siemens ICS.
• PLC Rootkit (3-step process)
Consequences
• Shut down operations
• Uranium enrichment infrastructure in Iran
Slide image: Siemens S7 PLC
INCIDENT 4: STATE HACKING
Ukraine (December 2015): 225,000 customers lost electric power
• Illegal access to SCADA systems
Consequences
• Seven 110 kV and 23 35 kV substations disconnected for three hours
• Ukrainian government claims Russian security services were responsible
• First publicly acknowledged incident resulting in power outages
CHALLENGES
Deployment
• Components may be deployed in different locations
• Communication infrastructure is required
• Modern SCADA protocols transport data over TCP/IP
Security issues
• SCADA protocol designed with functionality in mind
  • No security functionality
• Use of TCP/IP as a transport carrier for SCADA protocols
• Interconnection
  • SCADA and IT networks
  • Attacks on IT networks could tunnel into SCADA network
• Forensics
WE ARE UNDER CONSTANT AND INCREASING ATTACK
ICS-CERT Monitor, December 2013
• 256 voluntarily reported incidents in 2013
• 79 organizations were confirmed or believed to be compromised; 57 were determined “not compromised”
• The rest (120) are “unknown”!
• “ICS-CERT assesses that many incidents are not detected due to a lack of sufficient detection or logging capabilities.”
Shodan and Project SHINE find lots of stuff every day:
• SCADA/ICS, PLCs, RTUs, sensors, HMI servers, and DCS
• Medical devices, traffic management systems, automotive control systems, HVAC systems, power regulators, CCTV and webcams, serial port servers, and data radios.
SOLUTIONS
Awareness
• Security standards
  • ISA SP-99
    • Security Technologies for Manufacturing and Control Systems
    • Integrating Electronic Security into the Manufacturing and Control Systems Environment
  • NIST
    • System Protection Profile – Industrial Control Systems
    • SP 800-82 – Guide to Industrial Control Systems Security
  • API
    • API 1164 Pipeline SCADA security
Education
Research
• Tools specifically designed for the SCADA domain
THE UNIVERSITY OF TULSA: CYBER-‐SECURITY
NSA Center of Academic Excellence for Information Assurance Education
• May 2000
NSA Centers for Academic Excellence for Information Assurance Research
• May 2009
NSA National Center of Academic Excellence in Cyber Operations
• May 2012
One of only four (4) schools in the USA to hold all three (3) designations in the 2012-2013 academic year
RESEARCH AND TOOLS: STRATEGY
Message monitoring
• Interpret and filter PCS protocol messages
• All layers of the network protocol stack
• Support stateful analysis
• Reporting capabilities (IDS, SCADA Firewall) (*)
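As an added example of the message-monitoring strategy (this is illustrative Python written for this page, not code from the slides or from the University of Tulsa tools they mention), a small stateful Modbus/TCP monitor: it parses the MBAP header and function code of each frame, pairs responses with outstanding requests per master, and reports the kinds of events a SCADA IDS or firewall would flag. The host addresses, write allow-list and traffic are all constructed; a real deployment would feed it frames taken from a network tap.

```python
"""Added example, not from the slides: a stateful Modbus/TCP message monitor.

Each frame's MBAP header and function code are parsed, per-master state is kept
(outstanding transaction IDs), and alerts are reported for writes from hosts
outside an allow-list, function codes that are reserved or user-defined,
exception responses, and responses that match no outstanding request.
All frames and host addresses below are constructed sample data."""
import struct

# Public Modbus function codes (subset) and the ones that change device state.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


def parse_frame(data):
    """Split a Modbus/TCP frame into (transaction id, unit id, function code,
    exception flag, PDU payload).  Raises ValueError on a malformed frame."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol identifier %d is not Modbus" % proto)
    if length != len(data) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc = data[7]
    return tid, unit, fc & 0x7F, bool(fc & 0x80), data[8:]


def build_frame(tid, unit, fc, payload):
    """Assemble a Modbus/TCP frame; used here only to construct sample traffic."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class ModbusMonitor:
    """Stateful monitor: tracks request/response pairs per (master, slave, tid)."""

    def __init__(self, write_allowed):
        self.write_allowed = set(write_allowed)
        self.pending = {}      # (master, slave, tid) -> function code awaiting a response
        self.alerts = []       # (kind, src, dst, detail)

    def observe(self, src, dst, data, is_request):
        try:
            tid, unit, fc, is_exc, payload = parse_frame(data)
        except ValueError as err:
            self.alerts.append(("malformed", src, dst, str(err)))
            return
        if is_request:
            if fc not in FUNCTION_NAMES:
                # Reserved, user-defined, or simply never used on this network.
                self.alerts.append(("unexpected-function", src, dst, fc))
            if fc in WRITE_CODES and src not in self.write_allowed:
                self.alerts.append(("unauthorized-write", src, dst, FUNCTION_NAMES[fc]))
            self.pending[(src, dst, tid)] = fc
        else:
            expected = self.pending.pop((dst, src, tid), None)
            if expected is None:
                self.alerts.append(("unsolicited-response", src, dst, tid))
            elif expected != fc:
                self.alerts.append(("function-mismatch", src, dst, (expected, fc)))
            if is_exc:
                self.alerts.append(("exception-response", src, dst, payload[:1].hex()))


# Constructed placeholder addresses: the HMI is the only master allowed to write.
HMI, LAPTOP, RTU = "10.0.0.10", "10.0.0.50", "10.0.1.5"

SAMPLE_TRAFFIC = [
    (HMI, RTU, build_frame(1, 1, 3, struct.pack(">HH", 0, 10)), True),        # read 10 registers
    (RTU, HMI, build_frame(1, 1, 3, b"\x14" + b"\x00" * 20), False),           # normal response
    (HMI, RTU, build_frame(2, 1, 6, struct.pack(">HH", 0x0400, 1)), True),     # allowed write
    (RTU, HMI, build_frame(2, 1, 0x86, b"\x02"), False),                      # exception 02
    (LAPTOP, RTU, build_frame(7, 1, 5, struct.pack(">HH", 3, 0xFF00)), True),  # write, other host
    (RTU, LAPTOP, build_frame(7, 1, 5, struct.pack(">HH", 3, 0xFF00)), False),
    (LAPTOP, RTU, build_frame(8, 1, 90, b""), True),                          # reserved code
    (RTU, HMI, build_frame(99, 1, 3, b"\x02\x00\x00"), False),                # no request
]


def run_monitor(traffic=SAMPLE_TRAFFIC):
    """Feed the traffic list through a monitor and return the alerts in order."""
    mon = ModbusMonitor(write_allowed={HMI})
    for src, dst, frame, is_req in traffic:
        mon.observe(src, dst, frame, is_req)
    return mon.alerts
```

On the sample traffic the monitor raises four alerts: the exception response to the HMI's write, the write from the engineering laptop, the reserved function code, and the response with no matching request. Pairing responses to requests by (master, slave, transaction id) is what makes the analysis stateful; a stateless filter could only match on function codes and addresses.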
Protocol-Based
• Standard protocol messages with special codes
• Modbus has unused function codes
• DNP3 has data objects reserved for future expansion
• Security module at application/user layer
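The protocol-based idea above, as an added Python example (written for this page; it is not the slides' own design nor the Tulsa tools): an application-layer security module that carries an ordinary Modbus PDU inside one of the user-defined function codes, with an HMAC tag and a sequence number so the receiving module can reject tampered and replayed messages before the inner PDU reaches the normal handler. The choice of function code 100, the frame layout, the key and the sample PDUs are all assumptions made for the example.

```python
"""Added example, not from the slides: an application-layer security module that
carries an authenticated Modbus PDU inside a user-defined function code.

Function code 100, one of the user-defined codes (65-72, 100-110) in the Modbus
application protocol, is used here by assumption as the wrapper.  Layout:
    0x64 | seq (4 bytes, big-endian) | original PDU | tag (16 bytes)
    tag = HMAC-SHA256(key, unit_id || seq || original PDU)[:16]
The receiving module verifies the tag and rejects replays before handing the
inner PDU to the ordinary Modbus handler.  Key and PDUs are constructed samples."""
import hashlib
import hmac
import struct

WRAPPER_FC = 100
TAG_LEN = 16
MAX_PDU = 253                      # Modbus PDU limit; the wrapper adds 1 + 4 + 16 bytes


def _tag(key, unit_id, seq, pdu):
    msg = bytes([unit_id]) + struct.pack(">I", seq) + pdu
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def wrap_pdu(key, unit_id, seq, pdu):
    """Sender side: wrap an ordinary PDU (function code + data) for one unit."""
    if len(pdu) + 1 + 4 + TAG_LEN > MAX_PDU:
        raise ValueError("inner PDU too long to wrap")
    return bytes([WRAPPER_FC]) + struct.pack(">I", seq) + pdu + _tag(key, unit_id, seq, pdu)


class SecureReceiver:
    """Receiver side: one instance per (key, unit id); remembers the last accepted sequence."""

    def __init__(self, key, unit_id):
        self.key = key
        self.unit_id = unit_id
        self.last_seq = 0

    def unwrap(self, frame):
        """Return (status, inner_pdu); status is 'ok' or the reason for rejection."""
        if not frame or frame[0] != WRAPPER_FC:
            return "not-wrapped", None    # plain PDUs are refused once the module is mandatory
        if len(frame) < 1 + 4 + 1 + TAG_LEN:
            return "too-short", None
        seq = struct.unpack(">I", frame[1:5])[0]
        pdu, tag = frame[5:-TAG_LEN], frame[-TAG_LEN:]
        # Verify before inspecting the payload; constant-time compare avoids timing leaks.
        if not hmac.compare_digest(tag, _tag(self.key, self.unit_id, seq, pdu)):
            return "bad-tag", None
        if seq <= self.last_seq:
            return "replay", None
        self.last_seq = seq
        return "ok", pdu


KEY = b"constructed-demo-key-do-not-reuse"   # would be provisioned per device in practice


def demo():
    """Exercise the module; returns the status of each frame in order."""
    rx = SecureReceiver(KEY, unit_id=1)
    write = bytes([6]) + struct.pack(">HH", 0x0010, 0x1234)    # Write Single Register
    good = wrap_pdu(KEY, 1, 1, write)
    statuses = [rx.unwrap(good)[0]]                            # ok
    statuses.append(rx.unwrap(good)[0])                        # same frame again: replay
    tampered = bytearray(wrap_pdu(KEY, 1, 2, write))
    tampered[8] ^= 0x01                                        # flip a byte of the register value
    statuses.append(rx.unwrap(bytes(tampered))[0])             # bad-tag
    statuses.append(rx.unwrap(write)[0])                       # plain PDU: not-wrapped
    statuses.append(rx.unwrap(wrap_pdu(KEY, 1, 2, write))[0])  # fresh sequence: ok
    return statuses
```

Because the wrapper is itself a legal Modbus function code, unmodified transport and devices that ignore unknown codes pass it through unchanged; only the endpoints (or a front-end module in front of the PLC) need to know about it. Binding the tag to the unit id stops a frame accepted by one device from being accepted by another, and the monotonic sequence number gives replay protection without needing synchronized clocks.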
Tunneling Services
• Communication wrapper around PCS protocols
• Transparent to end devices
Honeynets (*)
• Learn from potential intruders
• Gather information