Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Securing SCADA
1. 3/10/2016
1
SCADA Security
Challenges & Strategies
Jeffrey Wang, P. Eng.
2016, Oshawa
Acronym
ICS: Industrial Control System
DCS: Distributed Control System
SCADA: Supervisory Control and Data Acquisition
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human Machine Interface
TCP/IP: Transmission Control Protocol/Internet Protocol
IDS: Intrusion Detection System
COTS: Commercial off-the-shelf
ACL: Access Control List
DMZ: Demilitarized Zone
WAN: Wide Area Network
LAN: Local Area Network
Page 2 Securing SCADA prepared by Jeffrey Wang
2. 3/10/2016
2
Content
Overview
Cyber Threats and Vulnerabilities
Security Challenges
Mitigation Strategies
References
Page 3 Securing SCADA prepared by Jeffrey Wang
Overview
SCADA system
Overview
SCADA System Components
SCADA System Functionality
Page 4 Securing SCADA prepared by Jeffrey Wang
3. 3/10/2016
3
SCADA System - Overview
SCADA is an acronym for Supervisory Control and Data Acquisition.
SCADA is an Industrial control system (ICS).
Page 5 Securing SCADA prepared by Jeffrey Wang
SCADA System - Components
Typically SCADA system include the following components:
RTU (Remote Terminal Unit)
PLC (Programmable Logic Controller)
HMI (Human Machine Interface)
Field devices (Actuators and Sensors)
WAN(Wide Area Network): Wireless/RF communication devices
LAN (Local Area Network): Router and Switches
Centralized Server
Database Server (Data Historian)
Page 6 Securing SCADA prepared by Jeffrey Wang
4. 3/10/2016
4
SCADA System - Functionality
Major functions of SCADA system including:
Field devices control via local or remote working mode
Collect field data and transmit to central control server via WAN network
Monitor processing and/or control field devices via HMI
Manage database for tracking and management analysis
Page 7 Securing SCADA prepared by Jeffrey Wang
SCADA System - Critical infrastructure
SCADA systems are critical national infrastructures
Canadian Critical infrastructure within the 10 sectors listed below:
• Energy and utilities
• Finance
• Food
• Transportation
• Government
• Information and communication technology
• Health
• Water
• Safety
• Manufacturing
Page 8 Securing SCADA prepared by Jeffrey Wang
5. 3/10/2016
5
SCADA System - Tasks
SCADA system simply performs four tasks:
Data Acquisition
Data Communication
Data Monitor and Control
Data Historian
Page 9 Securing SCADA prepared by Jeffrey Wang
Data
Communication
Data
Acquisition
Data
Monitor & Control
Why securing SCADA system ?
Why?
IP-based technologies
Internet of Thing (IoT)
Cloud computing
Mobile computing
Threats growing (Cyber threats source refers to From Homeland Security ICS-CERT)
Hostile governments
Terrorist groups
Disgruntled employees
Malicious intruders.
GAO Threat Table (Source: GAO-Government Accountability Office)
Vulnerabilities increasing
Alerts (From ICS-CERT for control system/Government /Home & Business)
Alerts provide timely notification to critical infrastructure owners and
operators concerning threats to critical infrastructure networks.
Be proactive for potential cyber- attack to SCADA system
Page 10 Securing SCADA prepared by Jeffrey Wang
6. 3/10/2016
6
Vulnerabilities
Physical Vulnerabilities
Cyber Vulnerabilities
Page 11 Securing SCADA prepared by Jeffrey Wang
Vulnerabilities –ICS-CERT Alerts
Industrial Control Systems Cyber Emergency Response Team(ICS-CERT )
Publish cyber security alerts to three categories:
• Control System Users
• Government Users
• Home and Business
Examples:
ICS-ALERT-15-225-02A : Rockwell Automation 1766-L32 Series Vulnerability (Update A)
ICS-ALERT-11-204-01B : Siemens S7-300_S7-400 Hardcoded Credentials (Update B)
ICS-ALERT-12-097-02A : 3S CoDeSys Improper Access Control (Update A)
ICS-ALERT-11-256-06 : Beckhoff TwinCAT Vulnerability
ICS-ALERT-12-020-07A : WAGO IO 750 Vulnerabilities (Update A)
ICS-ALERT-12-136-01 : Wonderware SuiteLink Unallocated Unicode String
ICS-ALERT-12-020-02A : Rockwell Automation ControlLogix PLC Vulnerabilities (Update A)
ICS-ALERT-11-332-02A : Siemens SIMATIC WinCC Flexible (Update A)
ICS-ALERT-11-256-05A : Rockwell Automation RSLogix Overflow Vulnerability (UPDATE A)
Source: ICS-CERT Alerts: https://ics-cert.us-cert.gov/alerts
Page 12 Securing SCADA prepared by Jeffrey Wang
7. 3/10/2016
7
Physical Vulnerabilities
Common Physical Vulnerabilities:
Inadequate policies, procedures, and culture governing control system security
Inadequately designed networks with insufficient defense-in-depth
Remote access without appropriate access control
Separate auditable administration mechanisms
Inadequately secured wireless communication
Use of a non-dedicated communications channel for command and control
Lack of easy tools to detect/report anomalous activity
Installation of inappropriate applications on critical host computers
Inadequately scrutinized control system software
Unauthenticated command and control data.
Page 13 Securing SCADA prepared by Jeffrey Wang
Cyber Vulnerabilities
Common Cyber Vulnerabilities including:
Operating System Vulnerabilities
Interconnections
Open Source / Public Information
Authentication
Remote access
Monitoring and Defenses
Wireless access
SCADA/SQL/PLC Software
Page 14 Securing SCADA prepared by Jeffrey Wang
8. 3/10/2016
8
Cyber Vulnerabilities
Cyber Vulnerabilities in details:
Un-patched published vulnerabilities
Web-based HMI vulnerabilities
Improper authentication
Improper access control (authorization)
Buffer overflow in SCADA services
SCADA data and command message manipulation and injection
SQL injection
insecure protocols
unprotected transport of SCADA application credentials
Standard IT protocols with pain-text authentication
Page 15 Securing SCADA prepared by Jeffrey Wang
Vulnerabilities – Allen-Bradly/Rockwell PLC
Web-based access with default user ID and password
AB SLC505
AB Micrologix PLC
AB CompactLogix
Page 16 Securing SCADA prepared by Jeffrey Wang
9. 3/10/2016
9
Vulnerabilities – Unprotected Authentication
MicroLogix 1400, It is easy to access with administrator and default password
Page 17 Securing SCADA prepared by Jeffrey Wang
Vulnerabilities – Access with Default ID & Password
Intruder can change access permission once granted access control.
Default IDs( administrator, and default passwords
Page 18 Securing SCADA prepared by Jeffrey Wang
10. 3/10/2016
10
Vulnerabilities – Supervisory Control
Supervisory control: Write/Read memory block or disable the device
Page 19 Securing SCADA prepared by Jeffrey Wang
Cyber Attack - STUXNET
STUXNET: the most famous cyber attack by United States and Israel.
STUXNET worm was at first identified by a Belarus company VirusBlokAda in mid-
June 2010.
Physical Impact:
Sabotaging 1000 centrifuges at Iran’s Natanz nuclear plant
Stuxnet worm – now every hacker in the world knows about PLCs, HMIs
and the opportunities to attack them.
The Windows operating system
Siemens SIMATIC Step 7 and WinCC
Siemens S7 – 300/400 PLCs
S7-315-2/S7-417
USB flash memory
Zero-Day via Windows OS
DB memory block in PLC
Page 20 Securing SCADA prepared by Jeffrey Wang
11. 3/10/2016
11
Cyber Attack - Insider
Insider hacks into sewage treatment plant
Queensland, Australia (2000) Disgruntled employee Vitek Boden hacks into
sewage system via WiFi from the company’s Parking lot and releases over a
million liters of raw sewage into the coastal waters.
Physical Impact”
Intruder controlled about 150 pump stations near three months
Released about 1 million litre of raw sewage into nearby rivers and parks.
Tools: Laptop, radio and wireless access
Page 21 Securing SCADA prepared by Jeffrey Wang
Security Challenges
Page 23 Securing SCADA prepared by Jeffrey Wang
12. 3/10/2016
12
SCADA Security Challenges
Vulnerable operating system (OS) and applications in SCADA system are from
commercial off-the –shelf (COTS) including Linux, Mac OS, Windows and
embedded PLC OS (VxWorks);
Most industrial control network connected to corporation network with Internet
access. Especially IP-based technologies. Such as Wireless, IoT (Internet of
Things), Cloud computing, Mobile computing and smart metering;
Unsecure legacy system and devices are still widely used in SCADA system. No
updated firmware available , no patching. They are transparent to control
professional;
Open source communication protocols (Modbus, DNP3, IEC 61850,Ethernet/IP)
were not designed with security in mind and lack basic authorization features;
There are numerous unpatched and unpatchable systems;
Lack of remote access authentication, weak or default password;
Lack of physical security protection
.
Page 23 Securing SCADA prepared by Jeffrey Wang
Security Standards
• Security Standards
• Cyber Security Objective
Page 25 Securing SCADA prepared by Jeffrey Wang
13. 3/10/2016
13
Industrial Control System Security Standards
Good News! There are many security standards….
NIST SP-800-82 : Guide to Industrial Control Systems Security
National Institute of Standards and Technology(NIST)
ISA/IEC-62443 (formal ANSI/ISA99) : Security for Industrial Automation and
Control Systems Security
The International Society of Automation (ISA)
The International Electrotechnical Commission(IEC)
NERC CIP- 006 : Physical Security of Critical Cyber Assets
North American Reliability Corporation(NERC)
Critical Infrastructure Protection(CIP)
TR12-002 : Industrial Control System (ICS) Cyber Security: Recommended Best
Practices (combined with NIST and ISA99 standards)
• Canadian Cyber Incident Response Centre (CCIRC)
Page 25 Securing SCADA prepared by Jeffrey Wang
Cyber Security Objective- I.T. Security Perspective
Three fundamental goals per NIST SP800-82 standard
Confidentiality
Any important information you have — such as employee, client
or financial records — should be kept confidential. This
information should only be accessed by people (or systems)
that you have given permission to do so.
Integrity
You need to make sure to maintain the integrity of this
information and other assets (such as software) in order to keep
everything complete, intact and uncorrupted.
Availability
You should maintain the availability of systems (such as
networks), services and information when required by the
business or its clients.
Page 26 Securing SCADA prepared by Jeffrey Wang
15. 3/10/2016
15
Mitigation Strategies - Recommendations
My recommendation:
Physical Assets Security
NERC CIP-006 standard is intended to ensure the implementation of a
physical security program for the protection of Critical Cyber Assets
Cyber Security
NIST SP800-82 standard is cybersecurity guidance for Industrial Control
Systems (ICS) Security
ISA/IEC-62443 (ISA99) standard
Canadian Cyber Incident Response Centre(CCIRC)
TR12-002 :Industrial Control System (ICS) Cyber Security: Recommended
Best Practices
Page 29 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - Risk Assessment
Sources of threats
External
Internal
Accidental
Vulnerabilities
Risks = Threats x Vulnerabilities x Impact
Page 30 Securing SCADA prepared by Jeffrey Wang
16. 3/10/2016
16
Physical Assets Security
Page 32 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - NERC CIP Standards
NERC CIP standards Include 9 standards and 45 requirements:
CIP-002-1: Critical Cyber Asset Identification
CIP-003-1: Security Management Controls
CIP-004-1: Personnel and Training
CIP-005-1: Electronic Security Perimeters
CIP-006-1: Physical Security of Critical Cyber Assets
CIP-007-1: Systems Security Management
CIP-008-1: Incident Reporting and Response Planning
CIP-009-1: Recovery Plans for Critical Cyber Assets
NERC: North American Electric Reliability Corporation
CIP: Critical Infrastructure Protection
Page 32 Securing SCADA prepared by Jeffrey Wang
17. 3/10/2016
17
Mitigation Strategies - Physical Protection Guideline
Physical Access Controls
The Responsible Entity shall document and implement the operational and
procedural controls to manage physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
Monitoring Physical Access
The Responsible Entity shall document and implement the technical and
procedural controls for monitoring physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
Unauthorized access attempts shall be reviewed immediately and handled in
accordance with the procedures specified in Requirement CIP-008.
Logging Physical Access
• Logging shall record sufficient information to uniquely identify individuals and the
time of access twenty-four hours a day, seven days a week. The Responsible
Entity shall implement and document the technical and procedural mechanisms
for logging physical entry at all access points to the Physical Security
Perimeter(s).
Page 33 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - Physical Security
Physical Security Purpose:
To assist you detect and identify threats and restrict access to sensitive area (server
room and important field equipment)
Detect
Be alerted to unauthorized entries or attempts
Be alerted to mechanical/electrical failures
Be alerted to remote site entry requests
Identify
Remotely view facility, people, equipment
View recorded information and events
Restrict and allow entry to facility
Create physical facility access logs
Prosecute offenders
Restrict
Keep the bad guys out
Page 34 Securing SCADA prepared by Jeffrey Wang
18. 3/10/2016
18
Cyber Security
Mitigation Strategies - NIST SP 800-82 Standards
NIST SP 800-82 : Guide to Industrial Control Systems Security
Provide guidance for establishing secure ICS, including implementation
guidance for SP 800-53 controls
Content
Overview of ICS
ICS Characteristics, Threats and Vulnerabilities
ICS Security Program Development and Deployment
Network Architecture
ICS Security Controls
Appendixes
Current Activities in Industrial Control Systems Security
Emerging Security Capabilities
NIST: National Institute of Standards and Technology
SP: Special Publication
Page 36 Securing SCADA prepared by Jeffrey Wang
19. 3/10/2016
19
Mitigation Strategies - Cyber Security Objective
Restricting logical access to the SCADA network and network activity
This includes using a demilitarized zone (DMZ) network architecture with
firewalls to prevent network traffic from passing directly between the corporate
and SCADA networks, and having separate authentication mechanisms and
credentials for users of the corporate and SCADA networks. The ICS should also
use a network topology that has multiple layers, with the most critical
communications occurring in the most secure and reliable layer.
Restricting physical access to the SCADA network and devices
Unauthorized physical access to components could cause serious disruption of
the SCADA’s functionality. A combination of physical access controls should be
used, such as locks, card readers, and/or guards.
Page 37 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies - Cyber Security Objective
Protecting individual SCADA components from exploitation
This includes deploying security patches in as expeditious a manner as possible,
after testing them under field conditions; disabling all unused ports and services;
restricting SCADA user privileges to only those that are required for each
person’s role; tracking and monitoring audit trails; and using security controls
such as antivirus software and file integrity checking software where technically
feasible to prevent, deter, detect, and mitigate malware.
Maintaining functionality during adverse conditions
This involves designing the SCADA so that each critical component has a
redundant counterpart. Additionally, if a component fails, it should fail in a manner
that does not generate unnecessary traffic on the SCADA or other networks, or
does not cause another problem elsewhere, such as a cascading event.
Page 38 Securing SCADA prepared by Jeffrey Wang
20. 3/10/2016
20
Mitigation Strategies – ANSI/ISA99 Standard
Module 1: Defining Industrial Cybersecurity
Covers the concepts of physical, operational, and electronic security; and defines
Cybersecurity as it relates to industrial automation and control systems
Module 2: Risk Assessment
Covers the concept of risk and how safety plays a part in assessing possible
consequences from a cyberattack
Module 3: Threats and Vulnerabilities
Covers "social engineering" and how outsiders gather information to enable attacks
and to physically enter your secured areas
Module 4: Security Policies, Programs, and Procedures
Covers the creation and deployment of policies, standards, and procedures and how
they are a critical aspect of a security program
Page 39 Securing SCADA prepared by Jeffrey Wang
Mitigation Strategies – ANSI/ISA99 Standard
Module 5: Understanding TCP/IP, Hackers, and Malware
Covers the basics of the IP networking architecture and how computers are
addressed and how IP delivers information to computers and TCP/UDP to
complete the delivery to specified applications using port numbers
Module 6: Technical Countermeasures
Covers the technical countermeasures and technology that can be employed to
protect your systems, detect and remove malware, and block hacking attempts;
and explains the technologies such as firewalls, proxy servers, VPN, and
VLAN and how they relate to industrial automation systems
Module 7: Architectural & Operational Strategies
Covers ways to segment and isolate your process automation systems in order to
increase their reliability and Cyber security
Page 40 Securing SCADA prepared by Jeffrey Wang
21. 3/10/2016
21
Mitigation Strategies -TR12-002 Recommendation
TR12-002 :Industrial Control System (ICS) Cyber Security: Recommended Best
Practices, by Canadian Cyber Incident Response Centre
1. Network Segmentation
2. Remote Access
3. Wireless Communications
4. Patch Management
5. Access Policies and Controls
6. Secure the Host (System Hardening)
7. Intrusion Detection
8. Physical and Environmental Security
9. Malware Protection and Detection
10. Awareness
11. Periodic Assessments and Audits
12. Change Control and Configuration Management
13. Incident Planning and Response
Page 41 Securing SCADA prepared by Jeffrey Wang
Useful software
Solarwinds Inc. URL: http://www.solarwinds.com/
Develops enterprise information technology (IT) infrastructure management
software for IT professionals.
Kaspersky - URL: http://www.kaspersky.com
Kaspersky Lab is an international software security group operating in almost
200 countries and territories worldwide.
Bitdefender- URL: http://www.bitdefender.com
Bitdefender products feature anti-virus and anti-spyware capabilities against
internet security threats such as viruses, Trojans, rootkits, rogues, aggressive
adware, spam and others.
McAFee - URL: http://www.mcafee.com
Intel Security Group (previously McAfee, Inc.) is an American global
computer security software
Symantec - URL: Http://www.symantec.com
Security, Antivirus and Backup Solutions provider
Page 42 Securing SCADA prepared by Jeffrey Wang
22. 3/10/2016
22
References
NIST SP-800-82 Guide to Industrial Control Systems Security
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
ICS-CERT, ICS-TIP-12-146-01A—Targeted Cyber Intrusion Detection and Mitigation Strategies
http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
CCIRC, TR11-002 Mitigation Guidelines for Advanced Persistent Threats
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx
ICS-CERT, Incident Response Summary Report 2009 – 2011
http://www.us-cert.gov/control_systems/pdf/ICS-
CERT_Incident_Response_Summary_Report_09_11.pdf
US-CERT, Control Systems Security Program (CSSP)
http://www.us-cert.gov/control_systems/
US-CERT, Recommended Practice: Improving Industrial Control Systems Cybersecurity with
Defense-In-Depth Strategies
http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
CPNI, CPNI Viewpoint: Securing the move to IP-based SCADA/PLC networks
http://www.cpni.gov.uk/Documents/Publications/2011/2011034-scada-
securing_the_move_to_ipbased_scada_plc_networks_gpg.pdf
International Society of Automation (ISA), ISA99, Industrial Automation and Control Systems
Security
http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
Page 43 Securing SCADA prepared by Jeffrey Wang
THANK YOU
Page 44 Securing SCADA prepared by Jeffrey Wang