"Understanding Cyber Industrial Controls in the Manufacturing and Utilities Environment," By Dr. John Naber, Co-Founder & Partner in True Secure SCADA, which is KY-based and holds 2 key patents in this area. This was given at the TALK Cybersecurity Summit 2018 in Louisville, KY.
Understanding Cyber Industrial Controls in the Manufacturing and Utilities Environment
1. Understanding Cyber-Industrial Controls in the Manufacturing and Utilities Environment
DR. JOHN NABER, DR. JIM GRAHAM AND DR. JEFF HIEB OF TRUE SECURE SCADA
6-14-18
Cybersecurity Summit
2. Background of True Secure – What we do
• Kentucky-based start-up incorporated in 2013, based on 10 years of research performed at UofL in the cyber-security area
• $1.5M in Federal and state grants in cyber-security research prior to 2013
• $200K in SBIR funding from DARPA and the KY State Match program to develop current prototypes of advanced ICS firewalls for protecting manufacturing equipment and utilities
3. Background of True Secure – Who we are
• Dr. Jeff Hieb » Software & SCADA
◦ 10 yrs running a manufacturing plant
◦ Custom software for secure microprocessors using seL4
◦ Full-time UofL Speed School of Engineering (SSoE)
• Dr. Jim Graham » Computers & SCADA
◦ 4 yrs in industry working for GM
◦ 20 yrs doing research in advanced cybersecurity using secure microprocessors
◦ CEO, True Secure SCADA
• Dr. John Naber » Hardware
◦ Founder of 6 startups
◦ 10 yrs in industry as a chip designer
◦ Assenti, IntelliRod, GE advanced projects, TSS …
◦ Full-time SSoE
4. Problem
Many active ICS and SCADA systems are vulnerable to cyber-attacks
Attacks are increasing [1]
• 110% increase in ICS attacks from 2015 to 2016
• 636% increase in attacks on SCADA systems from 2012 to 2014
Some companies use industrial firewalls like the ones sold by Tofino
Most companies using ICS have serious cyber-security flaws [2]:
• 33% of industrial sites are connected to the public Internet
• 75% of ICS sites have legacy Windows boxes for which Microsoft no longer provides security patches
• 60% have passwords traversing process and control networks in plain text
• 50% of industrial sites aren’t running any antivirus protection
• 82% are running remote management protocols (RDP, VNC, SSH, etc.), making it easier to perform cyber reconnaissance
[1] David McMillan, IBM Managed Security Services, October 2015
[2] SCADA Security Report from Cyberx-Labs, 2017
5. Control System Vulnerabilities
• Networks are no longer isolated
• Use of commercial hardware and software including TCP/IP,
Windows and Linux
• Especially unsupported OSes like Windows XP
• SCADA protocols lack security
• Long deployment lifetime: Typical 10 to 30 year life cycle
• Little intrusion detection/prevention at the field device level
• Security patches not promptly applied if at all
• Poor authentication: No passwords on many ICS installs
6. Example #1: ICS Attacks on Electric Utilities
• On December 23, 2015 at around 5:00 P.M.:
• More than 200,000 people in Ukraine experienced a severe power blackout.
• 80,000 people went without power for at least 10 hrs
• The blackout was caused by a deliberate cyber attack on the control systems of the Ukrainian power utilities.
• The malware used was called “Black Energy 3”.
• It gained access to the process network through compromised credentials.
• It allowed the external hackers control of the generators, which they then shut down.
7. Example #2: ICS Attacks on Dams
A Dam, Small and Unsung, Is Caught Up in an Iranian Hacking Case
By Joseph Berger, March 25, 2016
Reported March 25, 2016: 7 Iranians Charged in Dam Cyberattack of NY Dam
• Hackers used thousands of computers infected with malware to attack the dam and financial institutions with a Denial of Service (DoS) attack.
• Windows and Linux operating systems can be vulnerable to this type of attack.
8. Example #3: ICS Attacks on Water & Sewage Plants
Maroochy Shire Sewage Plant (Australia):
• Attack launched remotely in 2000 by a disgruntled/fired technical employee.
• Disabled the SCADA control system and dumped untreated waste water directly into the fresh water supply.
Unidentified Water Plant in USA with 2,500,000 customers:
• March 28, 2016 report: Hackers tied to Syria infiltrated the water utility’s control system and changed the chemicals used to treat water
• Spear-phishing attack allowed hackers to obtain login credentials that were stored on the web server.
9. Example #4: ICS Attacks on Manufacturing Plants (1)
Hacking of German Steel Mill (2014)
[Diagram: Corporate network (Internet, external firewall) and control center (SCADA server, historian and application servers, engineering workstation, operator clients, terminal server) linked over field communications (leased lines, cellular network, POTS, radio) to the field site (PLCs, communication interface equipment, legacy devices with a 20-30 year lifespan); a Tofino industrial firewall is shown on the control network]
Hackers used social engineering to gain access to the corporate network, then worked their way to the control network.
Eventually the attackers were able to keep a furnace from being shut down properly, causing substantial damage.
By Kim Zetter, 01.08.15
• A Cyberattack Caused Confirmed Physical Damage for the Second Time Ever.
• Hackers used a spear-phishing attack from a spoofed email to gain access to the corporate network.
• Once hackers were on the corporate network they were then able to bridge to the process or control network.
• Hackers then took control of a blast furnace, which caused significant damage.
10. Example #5: ICS Attacks on Manufacturing Plants (2)
“Assassin” virus was downloaded to the network of a large local manufacturing company in 2017
Reported by WikiLeaks: supposedly developed by the CIA and then stolen
1. Malware uses spoofed emails to trick users into connecting to a server
• The IT admin for the local company did so by clicking on a link that looked like it came from the company’s own print server.
2. The server then gains access to all of the company’s data.
3. This particular version deleted all of the company’s configuration files for various pieces of manufacturing equipment.
4. All of the equipment had back-ups except for 2 pieces
5. These 2 pieces of manufacturing equipment had to be reconfigured, which brought the equipment off-line for 2 weeks.
11. Example #6: ICS Attacks on Government Facilities
Stuxnet Disrupts Iranian Centrifuges
[Diagram: Corporate network (Internet, external firewall, external (exposed) corporate servers/services, internal corporate servers) and control center (SCADA server, historian and application servers, operator clients, terminal server) linked over field communications (leased lines, cellular network, POTS, radio) to the field site (PLCs, communication interface equipment, legacy devices with a 20-30 year lifespan); centrifuges controlled by Siemens PLCs]
Stuxnet arrives on a jump drive and compromises a workstation running Siemens software.
Stuxnet reprograms the PLCs to degrade centrifuge operation, and later to destroy the centrifuges.
• Stuxnet discovered 2010
• Attack on Iranian centrifuge facility
• Apparently from a USB device plugged into a Windows machine
• USB thumb drive placed in the parking lot.
• Employee inadvertently loaded the virus by plugging it into a PC on the control network.
• Caused destructive velocity deviations targeting specific PLCs and centrifuges.
• Masked the attack from central control computers
12. Background on Industrial Control Systems (ICS) & SCADA
SCADA: Supervisory Control and Data Acquisition
A control system architecture using computers, networks and user interfaces to control industrial equipment and processes [Ref: Wikipedia].
13. SCADA Components
• Human Machine Interface (HMI)
• Master Terminal Unit MTU(s)
• Connection Network
• Remote Terminal Unit RTU(s)
14. ICS Security Solutions
Best practices require security for the process network and the field devices
Traditional IT Measures:
◦Network segmentation, NIDS, encryption
◦System Hardening (patches)
◦Important but not sufficient
ICS specific security solutions:
◦Protocol enhancements
◦Field IDS
◦Security Hardened Field Devices
15. Current Industrial Firewalls rely primarily on a Linux-based OS
Firewalls with updated virus protection are the primary tool used to protect manufacturing and processing plants from cyber-attacks.
• Some legacy equipment is 20-30 yrs old and doesn’t support a current OS
• Some firewalls are designed specifically for ICS (Tofino)
• Symantec identified in 2008 over 1,000,000 computer viruses. Most target Windows.
• Most ICS firewalls are Linux-based
◦ Linux has over 15 million lines of code and contains 37,000 files
◦ Only 139,000 lines for the kernel
16. Security Hardened Field Device (SHFD)
• Isolate security services and enforcement software from Digital and Analog IO drivers and from network-facing software
• Prevent network-interfacing code from being able to directly access analog and digital I/O software or hardware
• This is the focus of True Secure SCADA’s approach to ICS security
18. ICS Secure Preprocessor Approach
[Diagram: TSS SCADA-Guard Secure Preprocessor using seL4, with three ports: Control Network Port, PLC Port and Configuration Port]
19. Advantage of using seL4 Microkernel
1. Provides only those primitives that must have privileged access to memory and the processor.
2. Microkernel primitives:
◦ Address spaces: chunks of memory, isolated from each other
◦ Threads (execution)
◦ Inter-process communication (IPC)
3. seL4 provides 3 system calls (send, receive, and yield) with 8700 lines of code
4. Linux provides approximately 200 system calls
Key advantage of fewer system calls is to limit what hackers can do to create viruses
20. Water Treatment Protection Example using a SHFD
Untreated water reservoir
◦ Assumption: Always has water available
PLC controls the addition of treatment chemicals as water flows from reservoir to holding tank
◦ Assumptions
◦ Flow in and out will be equal
◦ Will always be equally mixed
◦ Flow in will not be greater than set volume
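The following Python sketch is an added example written for this page, not code from the deck and not True Secure SCADA's SCADA-Guard. It illustrates the SHFD idea from slide 16 (network-facing code is separated from the I/O path by a policy layer that decides what may reach the PLC) applied to the water-treatment assumptions on this slide. Everything concrete in it is assumed: the text command format ("WRITE:tag=value" / "READ:tag"), the tag names, the set-point ranges, the flow tolerance and the sample plant state are all constructed here; the page does not describe the real protocol, product or limits.

```python
from dataclasses import dataclass

# Hypothetical safety envelope for the slide's water-treatment scenario.
# Tags, ranges and the flow tolerance are constructed for this example, not taken from the deck.
SETPOINT_LIMITS = {
    "chem_dose_ppm": (0.5, 4.0),    # assumed acceptable dosing range for the treatment chemical
    "inflow_lpm": (0.0, 500.0),     # "flow in will not be greater than set volume" (assumed 500 L/min)
    "outflow_lpm": (0.0, 500.0),
}
ALLOWED_FUNCTIONS = {"READ", "WRITE"}   # default deny: no firmware, config or diagnostic functions
FLOW_TOLERANCE_LPM = 10.0               # "flow in and out will be equal", allowing a small mismatch

# Constructed sample of the current plant set-points as the preprocessor last saw them.
SAMPLE_STATE = {"chem_dose_ppm": 2.0, "inflow_lpm": 300.0, "outflow_lpm": 300.0}


@dataclass
class Decision:
    allowed: bool
    reason: str
    forwarded: str = ""   # message passed on to the PLC port, empty when blocked


def parse_command(raw: str):
    """Split '<FUNCTION>:<tag>[=<value>]'; raises ValueError on anything malformed."""
    if ":" not in raw:
        raise ValueError("missing ':' between function and tag")
    function, body = raw.split(":", 1)
    function = function.strip().upper()
    if "=" in body:
        tag, value = body.split("=", 1)
        return function, tag.strip(), float(value)   # float() rejects non-numeric payloads
    tag = body.strip()
    if not tag:
        raise ValueError("empty tag")
    return function, tag, None


def enforce(raw: str, state: dict) -> Decision:
    """Policy check applied on the control-network side before anything reaches the PLC port.

    Only known functions and tags pass, WRITE values must sit inside the safety envelope,
    and a flow write may not break the in/out balance the process design assumes.
    """
    try:
        function, tag, value = parse_command(raw)
    except ValueError as exc:
        return Decision(False, f"malformed message: {exc}")
    if function not in ALLOWED_FUNCTIONS:
        return Decision(False, f"function {function!r} not permitted")
    if tag not in SETPOINT_LIMITS:
        return Decision(False, f"unknown tag {tag!r}")
    if function == "READ":
        if value is not None:
            return Decision(False, "READ must not carry a value")
        return Decision(True, "read permitted", f"READ:{tag}")
    if value is None:
        return Decision(False, "WRITE needs a value")
    low, high = SETPOINT_LIMITS[tag]
    if not (low <= value <= high):          # also rejects NaN, since NaN compares false
        return Decision(False, f"{tag}={value} outside safe range [{low}, {high}]")
    if tag in ("inflow_lpm", "outflow_lpm"):
        other = "outflow_lpm" if tag == "inflow_lpm" else "inflow_lpm"
        if abs(value - state[other]) > FLOW_TOLERANCE_LPM:
            return Decision(False, f"{tag}={value} would unbalance flow against {other}={state[other]}")
    state[tag] = value
    return Decision(True, "write permitted", f"WRITE:{tag}={value}")


def filter_traffic(messages, state):
    """Apply the policy to a sequence of messages; returns the decisions in order."""
    return [enforce(m, state) for m in messages]


if __name__ == "__main__":
    # Constructed traffic: legitimate operator writes mixed with messages the policy should block.
    traffic = [
        "WRITE:chem_dose_ppm=2.5",      # in range: forwarded
        "WRITE:chem_dose_ppm=40",       # overdose attempt: blocked
        "WRITE:inflow_lpm=450",         # would exceed outflow by 150 L/min: blocked
        "WRITE:outflow_lpm=305",        # within tolerance: forwarded
        "FIRMWARE:upload=1",            # unknown function: blocked
        "READ:inflow_lpm",              # read-only access: forwarded
        "WRITE:chem_dose_ppm=abc",      # junk payload: blocked
    ]
    for msg, d in zip(traffic, filter_traffic(traffic, dict(SAMPLE_STATE))):
        print(f"{'PASS ' if d.allowed else 'BLOCK'} {msg:30} {d.reason}")
```

The design point is that the policy is default-deny and expressed in process terms (what a valid set-point looks like for this plant), not in terms of known malware, which is the gap the deck identifies in firewalls that depend on virus signatures and a large general-purpose OS. In a real SHFD this check would run in its own isolated component, with only the forwarded messages crossing to the PLC side.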
22. Simulation and Testing at Louisville Water Co.
• Two main components of simulation
• Water System (simulated in LabView™)
• Water Treatment
• Water Distribution
• HMI/MTU – custom software
• Simulation is connected to the prototype using a DAQ from National Instruments
Options for Design & Testing:
Laboratory SCADA systems
◦ Expensive and limited access
Live SCADA systems
◦ Physical consequences
Simulation approach
◦ Can realistically simulate field systems
23. Tested Prototype at Louisville Water Company*
[Diagram: Water System → Sensors and Actuators → RTU & DAQ → HMI/MTU Network, with the point where the TSS device goes marked]
* Tested under non-critical processes & control
24. Dam Control Protection using SHFD
[Diagram: Dam control center and corporate intranet; firewall; corporate network; firewall; SCADA network; SCADA RTU or PLC; dam turbine & gate control. Possible hacker entry points are marked. SCADA-Guard™ provides a solution using secure seL4 against all 4 possible hacker entry points]
25. Major ICS attacks in the first quarter of 2018
• Feb 2018 – Attack on safety computer in Middle East nuclear reactor revealed
• March 2018 – NYT reports on attack on Saudi Arabia petro-chemical plant
• March 2018 – DHS reveals concerns that Russians could impact US Power Grid
Current solutions focus on applying traditional IT security measures, firewalls and intrusion detection, to industrial control systems.
Common security solutions are industrial firewalls.
Most industrial firewalls use Linux or a derivative as the underlying operating system.
They don’t directly protect legacy devices.