2009
Cyber Security for the Power Grid: Cyber Security Issues & Securing Control Systems
Andrew Wright
Cyber Security Solutions For <Client Name>
CTO, N-Dimension
andrew.wright@n-dimension.com
[Figure: Internet and Control Systems]
Agenda
High-Level
  Industrial Control Systems and Cyber Security Issues
  Securing Control Systems
Detailed
  Security Issues in Industrial Control Systems
  Today's Threats
  Securing Control Systems
A Control System
Sensor(s) + Actuator(s) + Controller(s)
Automation
Historical ICS
Proprietary
  Complete vertical solutions
  Customized
Specialized communications
  Wired, fiber, microwave, dialup, serial, etc.
  100s of different protocols
  Slow; e.g. 1200 baud
Long service lifetimes: 15-20 years
Not designed with security in mind
[Figure: typical ICS architecture. Internet (IP) into the Enterprise Network with a Third Party Application Server and Mobile Operator; Services Network with Connectivity Server, Historian Server, Application Server and Engineering Workplace; redundant Control Network (Serial, OPC or Fieldbus); Device Network with Third Party Controllers, Servers, etc. over Serial / RS485]
IP Networking
Common in higher level networks, gaining in lower levels
Many legacy protocols wrapped in TCP or UDP
Most new industrial devices have Ethernet ports
Most new ICS architectures are IP-based
  IP to the Control Network or even Device Network
  Not all are fully compatible with ordinary IP
USSR pipeline explosion, 1982
Bellingham pipeline rupture, 1999
Queensland sewage release, 2000
Davis Besse nuclear plant infection, 2003
Northeast USA blackout, 2003
Browns Ferry nuclear plant scram, 2006
No Silver Bullet!
Defense in Depth
Perimeter Protection
  Firewall, IPS, VPN, AV
  Host IDS, Host AV
  DMZ
Interior Security
  Firewall, IDS, VPN, AV
  Host IDS, Host AV
  IEEE P1711 (AGA 12)
  NAC, IDS, IPS, Scanning
Monitoring and Management
Abbreviations: IDS, Intrusion Detection System; IPS, Intrusion Prevention System; DMZ, DeMilitarized Zone; VPN, Virtual Private Network (cryptographic); AV, Anti-Virus (anti-malware); NAC, Network Admission Control
[Figure: Enterprise Network (IT Stuff) separated from the Control Network by VPN, AV, FW, IPS and P1711, with two Field Sites]
Distributed Denial of Service (DDoS) attack coordinates a botnet to overwhelm a target system
  No single point of attack
  Requires sophisticated, coordinated defenses
  Weapon of choice for hackers, hacktivists, cyber-extortionists
DoS, DDoS particularly effective when Availability is critical, i.e. against ICS
Unpatched Systems
Many ICS systems are not patched to current levels
  Particularly Windows servers
  No patches available for older versions of Windows
Uncertified patches can invalidate warranty
Patching often requires system reboot
Before installation of a patch:
  Vendor certification, typically one week
  Lab testing by operator
  Staged deployment on less critical systems first
  Avoid interrupting any critical process phases
Where IDS logs are kept, they are often not reviewed
Various regulatory requirements are driving some change in this area
  NERC: North American Electric Reliability Corporation
  FERC: Federal Energy Regulatory Commission
  Sarbanes-Oxley and PCAOB (Public Company Accounting Oversight Board)
  FISMA: Federal Information Security Management Act
Legacy Equipment
Much legacy equipment
Usually impossible to update to add security features
Difficult to protect legacy communications
  but see IEEE P1711 for serial encryption
Unauthorized Applications
Unauthorized apps installed on ICS systems can interfere with ICS operation
Many types of unauthorized apps have been found during security audits
  Instant messaging
  P2P file sharing
  DVD and MPEG video players
  Games, including Internet-based
  Web browsers
Without internal monitoring, you don't know whether systems have been compromised
People Issues
ICS network often managed by Control Systems Department, distinct from IT Department running enterprise network
  ICS personnel are not IT or networking experts
  IT personnel are not ICS experts
Harsh Environments
Vulnerability assessments always uncover problems For penetration tests, we always get in
Not a question of if, but how long
Other Issues
Unusual physical topologies
Many special purpose, limited function devices
Static network configurations
Multicast
Long service lifetimes
Today's Threats
earth2tech.com
'Smart Grid' vulnerable to hackers (March 09)
CIA: Hackers Have Attacked Foreign Utilities (Jan 2008)
But lots of data about significant financial losses in enterprise and e-commerce
Why would control systems be immune?
Adversaries
Script kiddies
Hackers
Organized crime
Disgruntled insiders
Competitors
Terrorists
Hacktivists
Eco-terrorists
Nation states
Threat Model
Targeted and untargeted threats
  Targeted: terrorist, specifically crafted worm/virus, botnet
  Untargeted: generic worm/virus, script kiddy
[Figure sequence: Internet, Enterprise Network, Business Workstation; the same diagram builds across seven slides]
Defending ICS
Separate control network from enterprise network
Harden connection to enterprise network
  Protect all points of entry with strong authentication
  Make reconnaissance difficult from outside
Monitor both perimeter and inside events
Periodically scan for changes in security posture
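The IP Networking slide notes that many legacy protocols are wrapped in TCP or UDP, and the bullet above asks for monitoring of inside events. The following is an added example, not part of the deck, showing what such inside monitoring looks like for one wrapped legacy protocol. It assumes Modbus/TCP (the deck names no specific protocol): the 7-byte MBAP header is peeled off, the serial-era PDU underneath is decoded, and write requests from hosts outside an assumed allow-list of masters are flagged. The frames and addresses are constructed for the example.

```python
"""Passive Modbus/TCP monitor: decode the MBAP wrapper around the legacy
serial PDU and flag write requests that do not come from an approved master.
Added illustration; Modbus/TCP is an assumed example of a wrapped legacy protocol."""
import struct

# Function codes that change process state (Modbus spec: 5, 6, 15, 16)
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into its MBAP header and the serial-era PDU.
    MBAP = transaction id (2), protocol id (2, must be 0), length (2), unit id (1)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    # The length field counts the unit id plus the PDU that follows it
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d disagrees with frame size %d" % (length, len(frame) - 6))
    pdu = frame[7:]
    return {"transaction_id": tid, "unit_id": uid, "function_code": pdu[0], "data": pdu[1:]}


def inspect_frame(src_ip: str, frame: bytes, approved_masters: set) -> list:
    """Return alert strings for one frame seen from src_ip. Writes from an
    unapproved source are the high-severity case; malformed frames and
    function codes outside the common read/write set are also reported."""
    try:
        msg = parse_mbap(frame)
    except ValueError as exc:
        return ["MALFORMED from %s: %s" % (src_ip, exc)]
    fc = msg["function_code"]
    alerts = []
    if fc in WRITE_FUNCTION_CODES and src_ip not in approved_masters:
        alerts.append("WRITE from unapproved host %s: %s (unit %d)"
                      % (src_ip, WRITE_FUNCTION_CODES[fc], msg["unit_id"]))
    elif fc not in WRITE_FUNCTION_CODES and fc not in READ_FUNCTION_CODES:
        alerts.append("UNUSUAL function code %d from %s" % (fc, src_ip))
    return alerts


def build_frame(tid: int, uid: int, fc: int, data: bytes) -> bytes:
    """Helper used only to construct sample traffic for this example."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


# Constructed sample traffic (not captured from any real system)
APPROVED_MASTERS = {"10.1.1.10"}
SAMPLE_TRAFFIC = [
    ("10.1.1.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),  # approved master reads
    ("10.1.1.10", build_frame(2, 1, 6, struct.pack(">HH", 5, 1))),   # approved master writes
    ("10.1.1.77", build_frame(3, 1, 6, struct.pack(">HH", 5, 0))),   # unapproved host writes
    ("10.1.1.77", build_frame(4, 1, 3, struct.pack(">HH", 0, 10))),  # unapproved read: tolerated here
    ("10.1.1.77", b"\x00\x05\x00\x00\x00\x06\x01"),                   # truncated frame: malformed
]


def run_monitor(traffic=SAMPLE_TRAFFIC, approved=APPROVED_MASTERS) -> list:
    """Run every sample frame through the inspector and collect the alerts."""
    alerts = []
    for src, frame in traffic:
        alerts.extend(inspect_frame(src, frame, approved))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

Reads from unapproved hosts are deliberately tolerated in this example so that the allow-list only constrains state changes; a stricter deployment would alert on any unexpected master. The same decode step is what a network IDS in the DMZ or control network would perform before applying rules.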
[Figure: the Enterprise Network / Control Network defense diagram again, with VPN, AV, FW, IPS, P1711 and two Field Sites]
Logical Architecture
[Figure: zone model]
  Enterprise Zone: Terminal Services, Patch Mgmt, AV Server
  DMZ: Historian (Mirror), Web Services, Operations Application Server
  Level 3, Production Control: Optimizing Control, Historian, Engineering Station
  Level 2, Supervisory Control: Supervisory Control and HMI (two instances)
  Control Zone, Level 1 / Level 0: Batch Control, Discrete Control, Continuous Control, Hybrid Control; Basic Control; Process
Enterprise Zone contains typical business systems
  Email, web, office apps, etc.
See NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, NISCC and BCIT, Feb 2005
DMZ: Logical View
[Figure: Enterprise LAN reaches the DMZ through AV, Terminal Services, Patch Mgmt, Emergency Disconnect, Proxy / AV Proxy, VPN, IDS, FW, IPS and Scan / IDS; the DMZ holds the Historian Mirror and Application Server]
[Figure: DMZ implementation with physical LANs: Enterprise LAN, NAT, DMZ LAN 2, DMZ LAN 3, DMZ LAN 4, Anti-Virus Proxy, Host IPS / Anti-virus]
[Figure: DMZ implementation with VLANs: Enterprise LAN, VLAN-capable L2 switch, DMZ VLAN 2, DMZ VLAN 3, DMZ VLAN 4, Anti-Virus Proxy, Host IPS / Anti-virus, dot1q trunk; NOT L3!]
DMZ Implementation
Sub-zones implemented by physical LANs or VLANs
  Physical LANs require multi-port Security Appliance
  VLANs require:
    VLAN-capable Security Appliance and Switch
    anti-VLAN hopping protections on switch and FW
    NO L3 (routing) on switch
Anti-virus proxy controls outbound HTTP and/or FTP access to enterprise or Internet resources
Host IPS and/or Host Anti-virus protects DMZ servers
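The VLAN variant above depends on two things the deck states but does not show how to verify: anti-VLAN hopping protections on the switch, and no L3 (routing) on that switch. The following is an added example, not from the deck or any vendor, of a small audit script that reads an IOS-style switch configuration and reports where those requirements are not met. The two configurations it runs against are constructed for the example (one weak, one corrected), and the specific checks (DTP disabled on trunks, a non-default tagged native VLAN, pruned trunk VLANs, port security on access ports, no SVI addresses, routing explicitly off) are the author's assumptions about what "anti-VLAN hopping" and "NO L3" mean in practice.

```python
"""Audit a DMZ switch configuration for the VLAN requirements on the slide:
anti-VLAN hopping protections on trunks and no L3 routing on the switch.
Added illustration; the IOS-style syntax and both sample configs are constructed."""


def parse_interfaces(config: str) -> tuple:
    """Return (global_lines, {interface_name: [config lines]}) from an IOS-style config.
    Lines indented by one space belong to the most recent 'interface' stanza."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_dmz_switch(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    global_lines, interfaces = parse_interfaces(config)
    # NO L3 on the DMZ switch: this audit expects routing to be disabled explicitly
    if "no ip routing" not in global_lines:
        findings.append("global: 'no ip routing' missing (switch could route between DMZ VLANs)")
    # Tagging the native VLAN on trunks defeats double-tagging (VLAN hopping) frames
    if "vlan dot1q tag native" not in global_lines:
        findings.append("global: native VLAN untagged on trunks; add 'vlan dot1q tag native'")
    for name, lines in interfaces.items():
        # An SVI with an address is an L3 interface on a switch that should be L2 only
        if name.lower().startswith("vlan") and any(l.startswith("ip address") for l in lines):
            findings.append("%s: SVI has an IP address; L3 interface on DMZ switch" % name)
        if "switchport mode trunk" in lines:
            if "switchport nonegotiate" not in lines:
                findings.append("%s: trunk negotiates DTP; add 'switchport nonegotiate'" % name)
            native = [l for l in lines if l.startswith("switchport trunk native vlan")]
            if not native or native[0].split()[-1] == "1":
                findings.append("%s: native VLAN is 1; move it to an unused VLAN" % name)
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append("%s: trunk allows all VLANs; prune to the DMZ VLANs" % name)
        elif "switchport mode access" in lines:
            if not any(l.startswith("switchport port-security") for l in lines):
                findings.append("%s: access port without port security" % name)
    return findings


# Constructed weak configuration: routing on, trunk left at defaults, SVI addressed
WEAK_CONFIG = """
ip routing
interface GigabitEthernet0/1
 description dot1q trunk to security appliance
 switchport mode trunk
interface GigabitEthernet0/2
 description historian mirror
 switchport mode access
 switchport access vlan 2
interface Vlan2
 ip address 192.0.2.1 255.255.255.0
"""

# Constructed corrected configuration meeting every check above
HARDENED_CONFIG = """
no ip routing
vlan dot1q tag native
interface GigabitEthernet0/1
 description dot1q trunk to security appliance
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,3,4
interface GigabitEthernet0/2
 description historian mirror
 switchport mode access
 switchport access vlan 2
 switchport port-security maximum 1
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "findings:")
        for f in audit_dmz_switch(cfg) or ["none"]:
            print("  " + f)
```

The parser is intentionally narrow (one-space indentation, `interface` stanzas only), which is enough for a periodic posture scan of a dedicated DMZ switch; a production audit would read the configuration from the device and compare against the same rules.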
Remote Access
[Figure: Enterprise LAN with Terminal Services, AAA Server and Certificate Authority; remote access client]
Security Appliance terminates Host-to-site VPN into remote access pool
  IPSEC VPN, SSL VPN, PPTP VPN
Clients use VNC, Citrix, or Remote Desktop (RDP) to connect to Terminal Server
  Then VNC, Citrix, RDP, or Control System Apps to Control System Servers
[Figure: AAA Server, Certificate Authority, Host-to-LAN VPN, Endpoint Posture Assessment, DMZ]
BUT Security Appliance enforces Authorization via User and/or Group ACLs
  Role-Based Access Control
[Figure: the Logical Architecture zone diagram again, from the DMZ through Level 3 (Production Control), Level 2 (Supervisory Control, HMI) and the Control Zone (Level 1 / Level 0) down to Process]
Cryptographic VPN and Firewall to all offsite IP connections (Field Site or Partner)
IEEE P1711 for all offsite serial ICS connections
Host IDS, Host AV, or app whitelisting where feasible
Management only from management zone
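The Remote Access slides describe a chain (VPN client into a remote access pool, then a Terminal Server in the DMZ, then control system servers) with authorization enforced by user or group ACLs on the security appliance, role-based access control and endpoint posture assessment, and the bullet above adds that management is reachable only from the management zone. The following is an added example, not from the deck or any product, of a deny-by-default policy evaluator that encodes those rules. Zone names, group names, hosts and ports are assumptions chosen for the example; the decisions it returns for the constructed requests show the remote pool being forced through the terminal server hop, a failed posture check blocking an otherwise authorized engineer, and an administrator being refused management access from the remote pool.

```python
"""Zone/role authorization for remote access into an ICS, modelled on the slides:
VPN client -> remote access pool -> Terminal Server (DMZ) -> control servers,
with group ACLs on the security appliance and an endpoint posture gate.
Added illustration; every zone, group, host and port name here is assumed."""
from dataclasses import dataclass


@dataclass
class Endpoint:
    user: str
    groups: set
    posture_ok: bool   # outcome of endpoint posture assessment (AV current, patched)


@dataclass
class Request:
    src_zone: str
    dst_zone: str
    dst_host: str
    port: int


# Group ACLs: (dst_zone, dst_host or '*', port) tuples a group may reach.
# Assumed names standing in for the appliance's user/group ACLs.
GROUP_ACLS = {
    "remote-operators": {("dmz", "terminal-server", 3389)},
    "remote-engineers": {("dmz", "terminal-server", 3389), ("dmz", "historian-mirror", 443)},
    "ics-admins": {("management", "*", 22)},
}
# Control-side zones that the remote pool may never reach directly
CONTROL_ZONES = {"level3", "level2", "control"}


def authorize(ep: Endpoint, req: Request) -> tuple:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    if not ep.posture_ok:
        return False, "endpoint failed posture assessment"
    if req.src_zone == "remote-access-pool" and req.dst_zone in CONTROL_ZONES:
        return False, "remote pool may not reach control zones directly; use terminal server"
    if req.dst_zone == "management" and req.src_zone != "management":
        return False, "management only from management zone"
    for group in ep.groups:
        for zone, host, port in GROUP_ACLS.get(group, ()):
            if zone == req.dst_zone and host in ("*", req.dst_host) and port == req.port:
                return True, "permitted by group ACL %s" % group
    return False, "no group ACL matches"


def sample_decisions() -> dict:
    """Evaluate constructed requests and return {case name: allowed?}."""
    alice = Endpoint("alice", {"remote-operators"}, posture_ok=True)
    bob = Endpoint("bob", {"remote-engineers"}, posture_ok=False)
    carol = Endpoint("carol", {"ics-admins"}, posture_ok=True)
    cases = {
        "operator_to_terminal_server": (alice, Request("remote-access-pool", "dmz", "terminal-server", 3389)),
        "operator_direct_to_hmi": (alice, Request("remote-access-pool", "level2", "hmi-1", 3389)),
        "operator_to_historian_mirror": (alice, Request("remote-access-pool", "dmz", "historian-mirror", 443)),
        "engineer_bad_posture": (bob, Request("remote-access-pool", "dmz", "terminal-server", 3389)),
        "admin_from_remote_pool": (carol, Request("remote-access-pool", "management", "fw-1", 22)),
        "admin_from_mgmt_zone": (carol, Request("management", "management", "fw-1", 22)),
    }
    return {name: authorize(ep, req)[0] for name, (ep, req) in cases.items()}


if __name__ == "__main__":
    for name, allowed in sample_decisions().items():
        print("%-30s %s" % (name, "ALLOW" if allowed else "DENY"))
```

The order of the checks matters: posture and zone restrictions are evaluated before any group ACL, so a group entry can never widen access past the architecture's hop and zone boundaries.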
[Figure: network design with FW and L3 at the DMZ edge; L3 Gigabit dot1q trunks; L2 with QoS, Shaping, Policing and Port Security; Control Zone on 10/100 (diagram repeated twice)]
[Figure: DMZ with IDS, Port Scan, Vuln Scan, Firewall, NAC, Firewall, SCADA VPN, Port Scan, IDS; SCADA VPN]
Managed Security
Summary
Today's ICS are a mix of modern and legacy
  Vulnerabilities due to both lack of security design in legacy and security issues in newer equipment
Regulation and government action is driving change
Smart Grid must be designed with strong security
Thanks!
andrew.wright@n-dimension.com
Standards Efforts
NERC CIPs
NIST Smart Grid Interoperability Standards Project
NIST SP800-82
NIST SP800-53
NIST PCSRF Protection Profiles
AMI-SEC
ISA SP99
ODVA
A Few References
www.nist.gov/smartgrid
Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8
Guide to SCADA and Industrial Control System Security, NIST SP800-82
ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net