First SCADA LAB International Workshop
1. 1ST International ScadaLab Workshop
Madrid, 26th November 2013
SCADA Laboratory and testbed as a service for Critical Infrastructure protection
With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme.
European Commission - Directorate-General Home Affairs
3. WP2
Definition of Testing Methodology
Zanasi & Partners
5. WP2: Definition of Testing Methodology
• Aims: to assess the users’ needs, to define
the testing methodology to be adopted in the
SCADALAB environment, and to elaborate an
inventory of security tests to be performed
• Participants: Zanasi & Partners (WP leader),
AEI Seguridad, CNPIC, INTECO, Telvent
Energy, Theodore Puskas Foundation
• Time-frame: M1-M3 (21/9/2012 – 18/12/2012)
6. WP2: List of Tasks
Three tasks:
• T2.1: Initial Survey
• T2.2: Develop Testing Methodology
• T2.3: Develop Security Tests Inventory
Three deliverables:
• D2.1: Survey Report: Analysis of
Questionnaires (+ annex: Questionnaire for
Stakeholders)
• D2.2: Testing Methodology
• D2.3: Security Tests
7. WP2 – T2.1: Initial Survey
• Aims: to identify users’ needs and to
assess stakeholders’ priorities for a
SCADALAB environment
• Contributors: AEI Seguridad, CNPIC,
INTECO, Telvent Energy, Theodore Puskas
Foundation, Zanasi & Partners
8. WP2 – T2.1: Initial Survey
11 stakeholders were interviewed via written questionnaires.
The questionnaires aimed at collecting information on the profile of the respondent organisation, on its awareness about cyber-security risks, on its IT infrastructure and on its perceived security needs.
The questionnaires were structured in 6 sections:
• Organisation profile
• Awareness
• Architecture
• Existing Threats
• Security Controls
• Identified Needs
9. WP2 – T2.1: Initial Survey
Main findings:
• Most of the respondents (91%) perceive the problem of securing their ICS as sensitive
• 64% of the organisations use ICS directly or indirectly connected to the public Internet; in 91% of cases the ICS are connected to the corporate network
• Half of the respondents use COTS components within their ICS
• No respondent declared having been a victim of cyber-attacks in the past (but only 45% of respondents feel able to detect intrusions)
• There is a general lack of knowledge of ICS security standards (64% of respondents do not know any, 83% do not adopt any)
• Only 36% of the stakeholders interviewed regularly perform ICS security tests (only 10% can rely on a permanent testing environment)
• Cryptographic systems for front-end and field devices are hardly used (30%)
10. WP2 – T2.2: Develop Testing Methodology
• Aims: to review the most widely used
security testing methodologies and to
develop a new one specific for the
SCADALAB environment
• Contributors: AEI Seguridad, INTECO,
Telvent Energy, Zanasi & Partners
11. WP2 – T2.2: Develop Testing Methodology
• At a preliminary stage, 11 existing testing methodologies (CPNI, US-CERT, ANSI/ISA, INL [2], DOE, NIST, LEET, CERT-CC, ISECOM, CCRA) were thoroughly analysed and rated according to their suitability for the SCADALAB project
• The information gathered through this analysis was then used as the basis for developing an entirely new testing methodology specific to the SCADALAB environment
12. WP2 – T2.2: Develop Testing Methodology
The SCADA LAB environment is articulated in two principal areas:
• Laboratory area (from where the security tests are run and controlled)
• Test beds area (which physically contains the components of the various ICS test beds)
The security requirements for both the laboratory area and the test beds area have been identified.
13. WP2 – T2.2: Develop Testing Methodology
Testing methodology - three phases:
• Planning
– Organisational level (set up the assessment team, sign NDAs, develop the test plan, collect information on the organisation)
– Operational level (decide the proper type of assessment, establish a set of initial attack vectors, identify the assessment targets, elaborate a detailed plan of the testing)
– Technician level (request from the test bed manager the implementation of the needed technical requirements, identify/acquire the required HW/SW, develop the security test inventory)
• Assessment
– Set up the lab (according to the target to assess and based on the test inventory available)
– Execution (performing the tests, which may involve: information gathering, network mapping, vulnerability identification, penetration testing)
• Reporting
– Calculating metrics (e.g., via the Common Vulnerability Scoring System, CVSS)
– Report of findings (technical report, executive report)
14. WP2 – T2.3: Develop Security Tests Inventory
• Aims: to develop an inventory of security
tests that can be performed during
security analysis on ICS environments in
the SCADALAB environment
• Contributors: INTECO, TPF
15. WP2 – T2.3: Develop Security Tests Inventory
Security tests (1/2):
• Information gathering
– Get information architecture
– Fingerprint and enumeration of host information
– Port scanning
• Authentication mechanisms
– Password testing
– Session hijacking
• Program logic flaws
– SQL injection
– Cross-Site Scripting (XSS)
– Buffer overflow
– Fuzz testing
• Cryptographic flaws
– Cold boot attacks on encryption keys
• Spoofing
– MAC address spoofing
– IP address spoofing
17. Questions?
18. WP 3
Design of Laboratory Architecture
INTECO
19. Content
1. Objectives / Aim of the activity
2. Expected results / outputs and deliverables
- Requirements
- SCADA LAB Design
  - Laboratory Area
  - Test Bed Area
- Security Assessment
3. Conclusions
21. Objectives / Aim of the activity
Goal
Carry out security assessments to remote Test Beds.
Design aligned with methodology.
Accomplish minimum set of requirements.
22. Objectives / Aim of the activity
Why?
Stakeholders having their own Test Beds… and carrying out their own security tests.
(Diagram: Company A, Company B, Company C)
23. Objectives / Aim of the activity
Why?
Are these tests all you can do? Does your staff have the needed knowledge?
(Diagram: Company A)
More tests = more tools = more €
Contract expert security services = more €
24. Objectives / Aim of the activity
Aim
SCADA Laboratory and test bed as a service for Critical
Infrastructure protection.
We will have methodology and tools... You can use them.
25. Objectives / Aim of the activity
Base design
First design based on methodology.
(Diagram: Laboratory Area with Test Plan 1, Test Plan 2, … Test Plan N; Test Beds Area with Test bed 1, Test bed 2, …)
26. Expected results / outputs and deliverables:
Requirements
Initial Requirements
8 HIGH-LEVEL requirements:
• Production system
• Hardware interface or integration
• Assessment system
• Monitoring system
• Results analysis system
• Distributed tests
• Isolated test beds
• Testing methodology
57 LOW-LEVEL requirements, each with:
• Description
• Priority
• Area
• Implementation guidance
REQUIREMENT (example entry)
1.- ID: R1.3
2.- Requirement name: Each level of the target has an entry point from where perform the tests.
3.- Priority: High
4.- Area: Test beds
5.- Description: The laboratory should communicate with every level of the scheme in an independent way.
6.- Implementation guidance: The laboratory can connect to different networks, sub-networks, or virtual networks (one for each level), from where carry out the test to the target.
7.- Other considerations: If an agent installed in the test bed is used then it has to have sufficient links to these connections.
27. Expected results / outputs and deliverables:
Requirements
LOW-LEVEL Requirements
ID     Description                                                                  Priority
R1     Production system
R1.1   The control system shall be composed by control devices and field devices.  High
R1.2   The architecture of the test bed shall be representative of a real ICS.     High
R1.3   Each level of the target has an entry point from where perform the tests.   High
R2     Hardware interface or integration
R2.1   The control devices shall communicate with usual control protocols.         High
R3     Assessment system
R3.1   Automatized tests                                                            High
R3.2   Set of workstations physically accessible to the operators                  High
And more…
28. Expected results / outputs and deliverables:
SCADA LAB Design
Global Design
29. Expected results / outputs and deliverables:
SCADA LAB Design
Laboratory Area
34. Expected results / outputs and deliverables:
SCADA LAB Design
Test Bed Area
Really?
36. Conclusions
1. Based on their own methodology
2. Service for Critical Infrastructure Protection that:
  1. Complements other security services/tools
  2. Carries out remote tests (and local ones)
  3. Can be adapted to any kind of Test bed
  4. Is scalable
37. Questions?
38. WP 4&5
Laboratory Implementation
Pilot Implementation and Experimentation
TELVENT ENERGÍA
41. WP4: Laboratory Implementation
• Goal: The objective of this WP is the implementation
of the SCADA LAB laboratory, according to the design
and requirements defined in WP3
• Participants: Telvent Energy (co-leader), Telvent
Global Services (co-leader), INTECO, CNPIC, AEI
Seguridad.
• Time-frame: February 2013 (M6) – December 2013 (M16) (ongoing)
42. WP4: Tasks
• T4.1: Select infrastructures and communications
– Equipment selection
– Software selection
– Facilities selection
• T4.2: Integrate HW and SW in the facilities
– Implementation
43. WP4 – T4.1: Select infrastructures and communications
• Laboratory Area:
– Open Vulnerability Assessment System (OpenVAS)
– Other tools: NMAP, NIKTO, SNMP, etc.
• Test Bed Area:
– Saitel DR Platform (RTU)
– OASyS Platform (SCADA)
44. WP4 – T4.2: Integrate HW and SW in the facilities
(Diagram: SCADALAB laboratory at INTECO headquarters (León), linked through a remote connection (VPN) to the SCADALAB testbed implementation at Telvent Energy headquarters (Seville))
45. WP5: Pilot Implementation and Experimentation
• Goals: The objectives of this WP are:
– The definition and implementation of the SCADA LAB pilot
– The execution of the security tests
– The analysis of the test results
• Participants: Telvent Energy (leader), INTECO, CNPIC, Telvent Global Services.
• Time-frame: October 2013 (M14) – April 2014 (M20) (ongoing)
46. WP5: Tasks
• Tasks:
o T5.1 Select the system to be analyzed as a
pilot
o T5.2 Pilot system installation
o T5.3 Carry on tests over pilot system
o T5.4 Analyze results
47. WP5 – T5.1 Select the system to be analyzed as a pilot
48. WP5 – Next Activities
• Next Activities:
– Pilot system installation
– Carry on tests over pilot system
– Analyze results
49. Questions?
50. WP6
Results Sharing and Test Bed Saas
TELVENT GLOBAL SERVICES
52. Current Situation
We have the Testing Methodology
We have set up the Laboratory
We have built the SCADALAB Components
Server / Workstation / Agent
We have the stakeholders ready for security assessments…
What else do we need?
53. WP Objective and Description
SCADALAB WP6!!!
Objective!
Build up a framework to share
information and experiences
between stakeholders
Identify the information sharing and remote test requirements and needs.
Define and Implement an Information Sharing framework
Define and Develop a Front-End SaaS Framework and a Front-End service
54. WP Objective and Description
Work Package participants: Telvent Global Services (TGS), Telvent Energy
Time-frame: February 2013 – December 2013
55. WP Activities Summary
Activity #1: Identify information and Requirements
– Identify the information, requirements and all the real needs of the stakeholders regarding a Remote Security Test platform and an Information Sharing framework
– Define a functional design according to the stakeholders' needs
Activity #2: Define the Information Sharing framework
– Define the requirements for the Information Sharing framework
– Look for synergies in results sharing methods and procedures, and for integration between the SCADALAB Front-End SaaS and other ICS security tools
Activity #3: Define & Develop Front-End SaaS Framework
– Develop a Front-End which allows the management of the security assessments, and integrate it with the Information Sharing framework
– Implement the identified Front-End requirements and test the platform
56. Activity 1: Identify information and Requirements
Objective: Identify the information which key users involved in ICS scenarios are ready to share (stakeholders, vendors, operators…) and the requirements for the SCADALAB Front-End.
Tasks performed:
– Stakeholders identified and contacted (by the WP participants), coming from different countries.
– Survey creation: more than 60 questions, grouped in different categories:
  - Current Situation
  - Security Assessment Requests
  - Assessments Results and Sharing
  - Needs Identified
  - Needs and Desires
57. Activity 1: Identify information and Requirements
Tasks performed:
– Survey creation: developed in PDF format (EC_SCADALAB_Security_Assessments_Questionnaire_Request.pdf)
58. Activity 1: Identify information and Requirements
Tasks performed:
– Survey creation: developed as a web-based survey
59. Activity 1: Identify information and Requirements
Tasks performed:
– Organized sharing meetings and/or survey delivery to get the results
– Analysis and conclusions of the gathered data
Deliverables: based on the survey results, “Requirements&Needs” documentation covering:
– Functional requirements
– Technical requirements
– Security requirements
– Design requirements
(EC_SCADALAB_Identified_Requirements.xlsx)
(EC_SCADALAB_Security_Assessments_Questionnaire_Results_Evaluation.docx)
60. Activity 2: Define the Information sharing framework
Objective: Define the information sharing framework.
Based on the EU recommendations on complementing existing test bed initiatives for CI protection across EU-related projects.
http://cloudcert.european-project.eu/project.php?lang=en
Evaluate the integration, looking for synergies in results sharing methods and procedures.
CloudCERT is a cloud testbed for the coordination of European Critical Infrastructure Protection (CIP), whose aim is to provide a testbed framework to integrate mechanisms for coordinating partnerships and stakeholder efforts to effectively exchange information related to CIP and its security aspects.
The CloudCERT testbed ensures easy, simple information sharing for cooperation and joint exercises, as well as a rapid and risk-free implementation in a real operational and collaborative environment.
The CloudCERT test bed platform is an initiative coordinated by INTECO, and some of its assets, knowledge and infrastructure can be reused in an efficient manner. SCADA Lab will complement the cooperation framework and will integrate the same information exchange mechanisms.
61. Activity 2: Define the Information sharing framework
http://cloudcert.european-project.eu/project.php?lang=en
62. Activity 2: Define the Information sharing framework
Expected Results:
– Information Sharing Framework: functional definition, and integration requirements with CloudCERT
– Integration tests and functional documentation
CloudCERT is co-financed by the European Union (EU) under the specific programme "Prevention, Preparedness and Consequence Management of Terrorism and other Security-related risks", located within the "Security and Safeguarding Liberties" programme.
63. Activity 3: Define & Develop Front-End SaaS Framework
Objective: Develop a Front-End SaaS Framework and a Front-End service:
– Based on and adapted to the stakeholders' real needs, with the functionalities and processes identified
– Public and/or private access
– Easy and secured results sharing methods
– A useful tool for stakeholders
– Integrated with the defined Information Sharing framework
With the aim of… the management of the Security Evaluations and Results Information Sharing.
64. Activity 3: Define & Develop Front-End SaaS Framework
The SCADALAB Front-End is being developed with best security practices in mind, leveraging Drupal's experience in avoiding security threats such as cross-site scripting, SQL injection, site impersonation and so on.
Some of the functionalities and requirements that are being developed for the SCADALAB Front-End are:
– Web Interface Multiplatform / Multilingual
– Secure Access / Access Control
– Users Management / Passwords Policy
– Workflows Management
– Different types of Assessment
– Selection of the Assessment Target
– Status of the Assessment
– List of existing Assessment Requests
67. Questions?
68. WP7
Training and awareness
Europe for Business
70. 1. Objective (1)
What is the problem?
There is insufficient knowledge sharing on
SCADA security exercises, bringing
stakeholders together, providing user groups
forums and awareness sessions to potential
beneficiaries.
72. 2. Description of Work - Timetable
WP7 has started during month 15, namely November 2013.
Training and Awareness tasks (Gantt chart over months 1–24):
T7.1 / Design training strategy
T7.2 / Elaborate training materials
T7.3 / Carry on Pilot Project
T7.4 / Define awareness Plan
T7.5 / Create awareness materials
73. T7.1 Design training strategy tasks
Aims: Identify the training needs of different groups
Contributors: E4Business, INTECO, AEI Seguridad, CNPIC
74. T7.2 Elaborate training materials tasks
Aims: Create different training materials for different groups
Contributors: E4Business, NISZ, INTECO, AEI Seguridad
75. T7.3 Carry on pilot training tasks
Aims: Test that training strategy and materials meet trainee needs
Contributors: E4Business, NISZ, INTECO, AEI Seguridad
78. 2. Target groups
Security Research Centres
National Authorities
End users CI Operators
Methodology experts
Security training professionals
Independent security experts
Foundations specialized on security technologies
ICT security association of SMEs
Dissemination experts
Software integrators
SCADA Providers.
79. Expected Results
Through WP7 and WP8 SCADALAB results
should reach the largest possible audience.
D7.1 Training: Definition of a SCADA course, 90
hours of training for public officials, 5 training
manuals.
D7.2 Awareness: Holding a final conference, 3
research reports, 6 papers released.
80. Questions?
81. WP 8
Dissemination
EVERIS
SCADA Laboratory and testbed as a service for Critical Infrastructure protection
83. Objectives
To build awareness of the ScadaLab Project at both national and European levels.
To inform the stakeholders of the research findings.
To promote the results of the Project and the possibilities of a future exploitation.
84. Description of the Work
Dissemination Strategy
Audience:
- Primary: stakeholders
- Secondary: affected
- Tertiary: influencers
Message:
- User requirements stage
- R&D stages
- Testing stage
Market:
- Policy makers
- Industries/SMEs
- End users
- EU R&D Community
Channels:
- Oral communication channels: Symposiums, seminars, workshops.
- Written communication channels: Website, newsletters, contributions to professional publications.
Dissemination Activities
86. Dissemination Outputs
Scadalab Social Network (I)
Twitter general overview
• User: @ScadaLabProject
Linkedin general overview
• User: ScadaLab Project
• Group: ScadaLab Project
– Open forum for stakeholders discussions
87. Dissemination Outputs
Scadalab Social Network (II)
Social networks management tool: Hootsuite
– Timeline
– Interactions
– Activity
– Search: #SCADA #cybersecurity and “Critical Infrastructures”
88. Dissemination Outputs
ScadaLab events
Madrid: 1st International Workshop
- General Project Presentation
Sevilla: 2nd International Workshop
- Best Practices
Brussels: Final Conference
- Final results
- EU presentation
89. Questions?
90. Thank you