
Securing SCADA


Page 1: Securing SCADA

3/10/2016

1

SCADA Security

Challenges & Strategies

Jeffrey Wang, P. Eng.

2016, Oshawa

Acronyms

• ICS: Industrial Control System
• DCS: Distributed Control System
• SCADA: Supervisory Control and Data Acquisition
• PLC: Programmable Logic Controller
• RTU: Remote Terminal Unit
• HMI: Human Machine Interface
• TCP/IP: Transmission Control Protocol/Internet Protocol
• IDS: Intrusion Detection System
• COTS: Commercial off-the-shelf
• ACL: Access Control List
• DMZ: Demilitarized Zone
• WAN: Wide Area Network
• LAN: Local Area Network

Page 2 Securing SCADA prepared by Jeffrey Wang


Contents

• Overview
• Cyber Threats and Vulnerabilities
• Security Challenges
• Mitigation Strategies
• References


Overview

• SCADA system
  • Overview
  • SCADA System Components
  • SCADA System Functionality


SCADA System - Overview

• SCADA is an acronym for Supervisory Control and Data Acquisition.
• SCADA is a type of industrial control system (ICS).


SCADA System - Components

A SCADA system typically includes the following components:

• RTU (Remote Terminal Unit)
• PLC (Programmable Logic Controller)
• HMI (Human Machine Interface)
• Field devices (actuators and sensors)
• WAN (Wide Area Network): wireless/RF communication devices
• LAN (Local Area Network): routers and switches
• Centralized server
• Database server (data historian)


SCADA System - Functionality

The major functions of a SCADA system include:

• Controlling field devices in local or remote working mode
• Collecting field data and transmitting it to the central control server over the WAN
• Monitoring the process and/or controlling field devices via the HMI
• Managing the database for tracking and management analysis


SCADA System - Critical infrastructure

SCADA systems are critical national infrastructure.

Canadian critical infrastructure falls within the 10 sectors listed below:

• Energy and utilities
• Finance
• Food
• Transportation
• Government
• Information and communication technology
• Health
• Water
• Safety
• Manufacturing


SCADA System - Tasks

At its simplest, a SCADA system performs four tasks:

• Data Acquisition
• Data Communication
• Data Monitor and Control
• Data Historian


(Diagram: Data Acquisition, Data Communication, Data Monitor & Control cycle)

Why secure SCADA systems?

Why?

• IP-based technologies: Internet of Things (IoT), cloud computing, mobile computing
• Threats are growing (cyber threat sources per the Department of Homeland Security ICS-CERT):
  • Hostile governments
  • Terrorist groups
  • Disgruntled employees
  • Malicious intruders
  • GAO Threat Table (Source: GAO, Government Accountability Office)
• Vulnerabilities are increasing: alerts (from ICS-CERT for control system, government, and home & business users). Alerts provide timely notification to critical infrastructure owners and operators concerning threats to critical infrastructure networks.
• Be proactive about potential cyber attacks on SCADA systems.


Vulnerabilities

• Physical Vulnerabilities
• Cyber Vulnerabilities


Vulnerabilities – ICS-CERT Alerts

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) publishes cyber security alerts for three categories of users:

• Control System Users
• Government Users
• Home and Business

Examples:

• ICS-ALERT-15-225-02A: Rockwell Automation 1766-L32 Series Vulnerability (Update A)
• ICS-ALERT-11-204-01B: Siemens S7-300_S7-400 Hardcoded Credentials (Update B)
• ICS-ALERT-12-097-02A: 3S CoDeSys Improper Access Control (Update A)
• ICS-ALERT-11-256-06: Beckhoff TwinCAT Vulnerability
• ICS-ALERT-12-020-07A: WAGO IO 750 Vulnerabilities (Update A)
• ICS-ALERT-12-136-01: Wonderware SuiteLink Unallocated Unicode String
• ICS-ALERT-12-020-02A: Rockwell Automation ControlLogix PLC Vulnerabilities (Update A)
• ICS-ALERT-11-332-02A: Siemens SIMATIC WinCC Flexible (Update A)
• ICS-ALERT-11-256-05A: Rockwell Automation RSLogix Overflow Vulnerability (Update A)

Source: ICS-CERT Alerts: https://ics-cert.us-cert.gov/alerts


Physical Vulnerabilities

Common physical vulnerabilities:

• Inadequate policies, procedures, and culture governing control system security
• Inadequately designed networks with insufficient defense-in-depth
• Remote access without appropriate access control
• Separate auditable administration mechanisms
• Inadequately secured wireless communication
• Use of a non-dedicated communications channel for command and control
• Lack of easy tools to detect/report anomalous activity
• Installation of inappropriate applications on critical host computers
• Inadequately scrutinized control system software
• Unauthenticated command and control data


Cyber Vulnerabilities

Common cyber vulnerabilities include:

• Operating system vulnerabilities
• Interconnections
• Open source / public information
• Authentication
• Remote access
• Monitoring and defenses
• Wireless access
• SCADA/SQL/PLC software


Cyber Vulnerabilities

Cyber vulnerabilities in detail:

• Unpatched published vulnerabilities
• Web-based HMI vulnerabilities
• Improper authentication
• Improper access control (authorization)
• Buffer overflows in SCADA services
• SCADA data and command message manipulation and injection
• SQL injection
• Insecure protocols
• Unprotected transport of SCADA application credentials
• Standard IT protocols with plain-text authentication


Vulnerabilities – Allen-Bradley/Rockwell PLC

Web-based access with default user ID and password:

• AB SLC505
• AB MicroLogix PLC
• AB CompactLogix


Vulnerabilities – Unprotected Authentication

• MicroLogix 1400: it is easy to gain access with the administrator account and its default password


Vulnerabilities – Access with Default ID & Password

• An intruder can change access permissions once access has been granted.
• Default IDs (administrator) and default passwords


Vulnerabilities – Supervisory Control

• Supervisory control: write/read memory blocks or disable the device


Cyber Attack - STUXNET

• STUXNET: the most famous cyber attack, by the United States and Israel.
• The Stuxnet worm was first identified by the Belarusian company VirusBlokAda in mid-June 2010.
• Physical impact:
  • Sabotaged 1000 centrifuges at Iran's Natanz nuclear plant
• Stuxnet worm: now every hacker in the world knows about PLCs, HMIs and the opportunities to attack them.
• The Windows operating system
• Siemens SIMATIC Step 7 and WinCC
• Siemens S7-300/400 PLCs
• S7-315-2/S7-417
• USB flash memory
• Zero-day via Windows OS
• DB memory block in PLC


Cyber Attack - Insider

• Insider hacks into sewage treatment plant
  • Queensland, Australia (2000): disgruntled employee Vitek Boden hacks into the sewage system via WiFi from the company's parking lot and releases over a million litres of raw sewage into the coastal waters.
• Physical impact:
  • The intruder controlled about 150 pump stations over nearly three months
  • Released about 1 million litres of raw sewage into nearby rivers and parks
• Tools: laptop, radio and wireless access


Security Challenges


SCADA Security Challenges

• Vulnerable operating systems (OS) and applications in SCADA systems come from commercial off-the-shelf (COTS) products, including Linux, Mac OS, Windows and embedded PLC operating systems (VxWorks);
• Most industrial control networks are connected to corporate networks with Internet access, especially through IP-based technologies such as wireless, IoT (Internet of Things), cloud computing, mobile computing and smart metering;
• Insecure legacy systems and devices are still widely used in SCADA systems, with no updated firmware available and no patching. They are transparent to control professionals;
• Open source communication protocols (Modbus, DNP3, IEC 61850, Ethernet/IP) were not designed with security in mind and lack basic authorization features;
• There are numerous unpatched and unpatchable systems;
• Lack of remote access authentication, weak or default passwords;
• Lack of physical security protection.
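The authorization gap named above (and the earlier "supervisory control: write/read memory block" slide) means a Modbus/TCP device will honour a write from any host that can reach it, so the defender's remaining control is to watch which sources issue write function codes. This is an added example, not from the slides: it parses the Modbus/TCP MBAP header and flags write requests from hosts outside an allowlist; the IP addresses, allowlist and captured frames are constructed for the example.

```python
import struct
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Modbus function codes that change PLC state (coil/register writes).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}

# Hosts allowed to issue writes: the HMI and the engineering workstation
# (constructed addresses for this example).
AUTHORISED_WRITERS = {"10.10.1.10", "10.10.1.20"}

class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header, then function code and data.
    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    Nothing in the frame identifies or authenticates the sender.
    """
    if len(payload) < 8:
        return None  # truncated: no function code present
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # 'length' counts the unit id byte plus the PDU that follows it.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusRequest(tid, unit, payload[7], payload[8:])

def describe_write(req: ModbusRequest) -> str:
    """Summarise the target of a write request from its leading data fields."""
    if req.function in (5, 6) and len(req.data) >= 4:
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"address {addr} value 0x{value:04x}"
    if req.function in (15, 16, 23) and len(req.data) >= 4:
        addr, count = struct.unpack(">HH", req.data[:4])
        return f"{count} item(s) from address {addr}"
    return f"{len(req.data)} data byte(s)"

def find_unauthorised_writes(captures: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return one alert per write request whose source is not an authorised writer."""
    alerts = []
    for src, payload in captures:
        req = parse_modbus_tcp(payload)
        if req is None or req.function not in WRITE_FUNCTIONS or src in AUTHORISED_WRITERS:
            continue
        alerts.append(f"{src} -> unit {req.unit_id}: {WRITE_FUNCTIONS[req.function]} "
                      f"(FC {req.function}), {describe_write(req)}")
    return alerts

# Constructed sample captures as (source IP, TCP payload); not real traffic.
SAMPLE_CAPTURES = [
    ("10.10.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),     # HMI reads 10 registers: benign
    ("10.10.1.20", bytes.fromhex("0002 0000 0006 01 06 0064 0001")),     # authorised write, register 100
    ("192.168.50.33", bytes.fromhex("0003 0000 0006 01 05 0007 ff00")),  # corporate host forces coil 7 ON
    ("192.168.50.33", bytes.fromhex("0004 0000 0006 01")),               # truncated frame, dropped
]

if __name__ == "__main__":
    for alert in find_unauthorised_writes(SAMPLE_CAPTURES):
        print("ALERT", alert)
```

In a real deployment the captures would come from a span port or IDS sensor on the control LAN, and the allowlist from the asset inventory.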


Security Standards

• Security Standards

• Cyber Security Objective


Industrial Control System Security Standards

Good news! There are many security standards…

• NIST SP 800-82: Guide to Industrial Control Systems Security
  • National Institute of Standards and Technology (NIST)
• ISA/IEC-62443 (formerly ANSI/ISA99): Security for Industrial Automation and Control Systems
  • The International Society of Automation (ISA)
  • The International Electrotechnical Commission (IEC)
• NERC CIP-006: Physical Security of Critical Cyber Assets
  • North American Electric Reliability Corporation (NERC)
  • Critical Infrastructure Protection (CIP)
• TR12-002: Industrial Control System (ICS) Cyber Security: Recommended Best Practices (combines NIST and ISA99 standards)
  • Canadian Cyber Incident Response Centre (CCIRC)


Cyber Security Objective- I.T. Security Perspective

Three fundamental goals per the NIST SP 800-82 standard:

• Confidentiality
  • Any important information you have, such as employee, client or financial records, should be kept confidential. This information should only be accessed by people (or systems) that you have given permission to do so.
• Integrity
  • You need to maintain the integrity of this information and other assets (such as software) in order to keep everything complete, intact and uncorrupted.
• Availability
  • You should maintain the availability of systems (such as networks), services and information when required by the business or its clients.


Cyber Security Objective- SCADA Security Perspective

• Availability
• Confidentiality
• Integrity


Mitigation Strategies

• Physical Assets Security
• Cyber Security


Mitigation Strategies - Recommendations

My recommendation:

• Physical Assets Security
  • The NERC CIP-006 standard is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets
• Cyber Security
  • The NIST SP 800-82 standard is cybersecurity guidance for Industrial Control Systems (ICS) security
  • ISA/IEC-62443 (ISA99) standard
  • Canadian Cyber Incident Response Centre (CCIRC)
    • TR12-002: Industrial Control System (ICS) Cyber Security: Recommended Best Practices


Mitigation Strategies - Risk Assessment

• Sources of threats
  • External
  • Internal
  • Accidental
• Vulnerabilities

Risk = Threats × Vulnerabilities × Impact


Physical Assets Security


Mitigation Strategies - NERC CIP Standards

The NERC CIP standards comprise 9 standards and 45 requirements:

CIP-002-1: Critical Cyber Asset Identification

CIP-003-1: Security Management Controls

CIP-004-1: Personnel and Training

CIP-005-1: Electronic Security Perimeters

CIP-006-1: Physical Security of Critical Cyber Assets

CIP-007-1: Systems Security Management

CIP-008-1: Incident Reporting and Response Planning

CIP-009-1: Recovery Plans for Critical Cyber Assets

NERC: North American Electric Reliability Corporation

CIP: Critical Infrastructure Protection


Mitigation Strategies - Physical Protection Guideline

Physical Access Controls
• The Responsible Entity shall document and implement the operational and procedural controls to manage physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week.

Monitoring Physical Access
• The Responsible Entity shall document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008.

Logging Physical Access
• Logging shall record sufficient information to uniquely identify individuals and the time of access twenty-four hours a day, seven days a week. The Responsible Entity shall implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s).


Mitigation Strategies - Physical Security

Purpose of physical security: to help you detect and identify threats and restrict access to sensitive areas (server rooms and important field equipment)

• Detect
  • Be alerted to unauthorized entries or attempts
  • Be alerted to mechanical/electrical failures
  • Be alerted to remote site entry requests
• Identify
  • Remotely view facility, people, equipment
  • View recorded information and events
  • Restrict and allow entry to facility
  • Create physical facility access logs
  • Prosecute offenders
• Restrict
  • Keep the bad guys out


Cyber Security

Mitigation Strategies - NIST SP 800-82 Standards

NIST SP 800-82: Guide to Industrial Control Systems Security

• Provides guidance for establishing secure ICS, including implementation guidance for SP 800-53 controls
• Content
  • Overview of ICS
  • ICS Characteristics, Threats and Vulnerabilities
  • ICS Security Program Development and Deployment
  • Network Architecture
  • ICS Security Controls
  • Appendixes
    • Current Activities in Industrial Control Systems Security
    • Emerging Security Capabilities

NIST: National Institute of Standards and Technology

SP: Special Publication


Mitigation Strategies - Cyber Security Objective

Restricting logical access to the SCADA network and network activity
• This includes using a demilitarized zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and SCADA networks, and having separate authentication mechanisms and credentials for users of the corporate and SCADA networks. The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

Restricting physical access to the SCADA network and devices
• Unauthorized physical access to components could cause serious disruption of the SCADA's functionality. A combination of physical access controls should be used, such as locks, card readers, and/or guards.
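As an added example (not from the slides or from NIST), a small zone-based firewall policy audit that checks the segmentation invariants stated above: no traffic passes directly between the corporate and SCADA (control) networks, and rules into the control zone open only specific services. The zone names, service ports, and the placement of a data historian in the DMZ are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

CORPORATE, DMZ, CONTROL = "corporate", "dmz", "control"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, dst_port: int) -> str:
    """First-match evaluation with an implicit final deny, as most firewalls behave."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"

def audit(rules: List[Rule], services: Dict[int, str]) -> List[str]:
    """Return one finding per violated segmentation invariant.

    1. No service may pass directly between the corporate and control zones in
       either direction; such traffic must terminate in the DMZ.
    2. Any allow rule into the control zone must name a single port, so only the
       services actually needed are reachable (unused ports stay closed).
    """
    findings = []
    for port, name in services.items():
        for src, dst in ((CORPORATE, CONTROL), (CONTROL, CORPORATE)):
            if evaluate(rules, src, dst, port) == "allow":
                findings.append(f"{src} -> {dst} {name}/{port} allowed directly; must transit the DMZ")
    for rule in rules:
        if rule.action == "allow" and rule.dst_zone == CONTROL and rule.dst_port is None:
            findings.append(f"{rule.src_zone} -> control allows any port; restrict to required services")
    return findings

# Services exposed on the networks (constructed for the example).
SERVICES = {502: "modbus", 443: "https", 3389: "rdp"}

# Weak policy: flat connectivity between the corporate and control networks.
FLAT_RULES = [
    Rule(CORPORATE, CONTROL, None, "allow"),
    Rule(CONTROL, CORPORATE, None, "allow"),
]

# Corrected policy: corporate users reach only the DMZ historian over HTTPS, and
# only the DMZ historian polls the control zone, only over Modbus/TCP (assumed design).
DMZ_RULES = [
    Rule(CORPORATE, DMZ, 443, "allow"),
    Rule(DMZ, CONTROL, 502, "allow"),
    Rule(CORPORATE, CONTROL, None, "deny"),  # explicit, so the intent is auditable
]

if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("dmz", DMZ_RULES)):
        print(label, audit(rules, SERVICES) or ["no violations"])
```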


Mitigation Strategies - Cyber Security Objective

Protecting individual SCADA components from exploitation
• This includes deploying security patches in as expeditious a manner as possible, after testing them under field conditions; disabling all unused ports and services; restricting SCADA user privileges to only those that are required for each person's role; tracking and monitoring audit trails; and using security controls such as antivirus software and file integrity checking software where technically feasible to prevent, deter, detect, and mitigate malware.

Maintaining functionality during adverse conditions
• This involves designing the SCADA so that each critical component has a redundant counterpart. Additionally, if a component fails, it should fail in a manner that does not generate unnecessary traffic on the SCADA or other networks, or does not cause another problem elsewhere, such as a cascading event.


Mitigation Strategies – ANSI/ISA99 Standard

Module 1: Defining Industrial Cybersecurity
Covers the concepts of physical, operational, and electronic security; and defines cybersecurity as it relates to industrial automation and control systems

Module 2: Risk Assessment
Covers the concept of risk and how safety plays a part in assessing possible consequences from a cyberattack

Module 3: Threats and Vulnerabilities
Covers "social engineering" and how outsiders gather information to enable attacks and to physically enter your secured areas

Module 4: Security Policies, Programs, and Procedures
Covers the creation and deployment of policies, standards, and procedures and how they are a critical aspect of a security program


Mitigation Strategies – ANSI/ISA99 Standard

Module 5: Understanding TCP/IP, Hackers, and Malware
Covers the basics of the IP networking architecture, how computers are addressed, how IP delivers information to computers, and how TCP/UDP complete the delivery to specified applications using port numbers

Module 6: Technical Countermeasures
Covers the technical countermeasures and technology that can be employed to protect your systems, detect and remove malware, and block hacking attempts; and explains technologies such as firewalls, proxy servers, VPN, and VLAN and how they relate to industrial automation systems

Module 7: Architectural & Operational Strategies
Covers ways to segment and isolate your process automation systems in order to increase their reliability and cyber security


Mitigation Strategies – TR12-002 Recommendations

TR12-002: Industrial Control System (ICS) Cyber Security: Recommended Best Practices, by the Canadian Cyber Incident Response Centre

1. Network Segmentation
2. Remote Access
3. Wireless Communications
4. Patch Management
5. Access Policies and Controls
6. Secure the Host (System Hardening)
7. Intrusion Detection
8. Physical and Environmental Security
9. Malware Protection and Detection
10. Awareness
11. Periodic Assessments and Audits
12. Change Control and Configuration Management
13. Incident Planning and Response


Useful software

• SolarWinds Inc. - URL: http://www.solarwinds.com/
  • Develops enterprise information technology (IT) infrastructure management software for IT professionals.
• Kaspersky - URL: http://www.kaspersky.com
  • Kaspersky Lab is an international software security group operating in almost 200 countries and territories worldwide.
• Bitdefender - URL: http://www.bitdefender.com
  • Bitdefender products feature anti-virus and anti-spyware capabilities against internet security threats such as viruses, Trojans, rootkits, rogues, aggressive adware, spam and others.
• McAfee - URL: http://www.mcafee.com
  • Intel Security Group (previously McAfee, Inc.) is an American global computer security software
• Symantec - URL: http://www.symantec.com
  • Security, antivirus and backup solutions provider


References

NIST SP 800-82, Guide to Industrial Control Systems Security. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf

ICS-CERT, ICS-TIP-12-146-01A, Targeted Cyber Intrusion Detection and Mitigation Strategies. http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf

CCIRC, TR11-002 Mitigation Guidelines for Advanced Persistent Threats. http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx

ICS-CERT, Incident Response Summary Report 2009–2011. http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Incident_Response_Summary_Report_09_11.pdf

US-CERT, Control Systems Security Program (CSSP). http://www.us-cert.gov/control_systems/

US-CERT, Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies. http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf

CPNI, CPNI Viewpoint: Securing the move to IP-based SCADA/PLC networks. http://www.cpni.gov.uk/Documents/Publications/2011/2011034-scada-securing_the_move_to_ipbased_scada_plc_networks_gpg.pdf

International Society of Automation (ISA), ISA99, Industrial Automation and Control Systems Security. http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821


THANK YOU
