
Page 1: SCADA Cyber Sec | ISACA 2013 | Patricia Watson

Supervisory Control and Data Acquisition (SCADA) & Industrial Control Systems (ICS) Cyber Security

Patricia Watson, MBA, EnCE
Boise Inc.
Digital Forensics Program Manager
[email protected]

Page 2

Disclaimer

Materials discussed in this presentation are the views of the author. The author does not claim to be a SCADA Security expert! This presentation is intended for discussion purposes, not to be relied upon as advice.

Page 3

What we will cover

Fundamentals of SCADA/ICS
Over time SCADA/ICS “evolution”
SCADA/ICS vulnerabilities
SCADA/ICS security framework
Good practices
That’s a wrap!
Appendix – a few resources

Page 4

Fundamentals of SCADA/ICS systems

Page 5

Definition

From Wiki…

Supervisory Control and Data Acquisition (SCADA) is a type of industrial control system (ICS), which are computer-controlled devices that monitor and control real-time processes such as industrial, infrastructure, and facility-based processes.

http://en.wikipedia.org/wiki/SCADA

Page 6

Fundamentals of SCADA systems

A few examples of SCADA/ICS systems:

Process Control Networks (PCN)
Distributed Control Systems (DCS)
Energy Management Systems (EMS)
Automated Meter Reading (AMR/AMI)
Building Automation Systems (BAS)

Page 7

Fundamentals of SCADA systems

A few examples of SCADA subsystems:

Human-Machine Interfaces (HMIs)
Programmable Logic Controllers (PLCs)
Remote Terminal Units (RTUs)
Engineering Work Stations (EWS)
Intelligent Electronic Devices (IEDs)

Page 8

Fundamentals of SCADA systems

A few examples of industries that have SCADA/ICS include:

Agriculture
Energy
Food
Manufacturing
Water systems (drinking water & water treatment systems)

Page 9

Page 10

Page 12

Example of HMI tag creation

Page 13

http://www.jbisa.nl/download/?id=16249370

Page 14

Over time SCADA/ICS “evolution”

Page 15

Over time SCADA “evolution”

SCADA networks were once composed of isolated workgroups containing proprietary systems that primarily communicated via serial ports.

Input and output was traditionally hardwired to controllers using electrical signals and pulses.

Original serial-based protocols were composed of one master station on the serial loop which initiated the poll of data from the controllers.

Page 16

Over time SCADA “evolution”

In 1968, Dick Morley designed and built the first operational PLC, which is credited with a significant advance in the practice of automation for the manufacturing industry.

Automation is the use of machines, control systems & IT to optimize productivity, realize economies of scale and achieve predictable quality levels.

Source: http://en.wikipedia.org/wiki/Dick_Morley

Page 17

Interconnection revolution!

As automation began to address the need for greater innovation, cost reduction and lean manufacturing, other components of SCADA systems joined the “evolution”:

Input/Output – analog to digital conversion
Serial-to-bus
“SMART” instrumentation (Modbus)
TCP/IP (LAN/WAN)
Data historians (OSIsoft PI)
Wireless sensors
Touch screens
Tablets (dashboards)

Page 18

Over time SCADA “evolution”

As technological innovations were implemented into legacy SCADA environments to enhance efficiency and productivity, cyber security risks emerged:

Dated operating systems such as Windows NT and Windows 2000 cannot be patched or upgraded.
Applications such as Adobe Reader and Flash Player often remain unpatched through the life of the hosting device.
Vendors often require persistent bi-directional remote access in maintenance contracts.
Dual-homed environments and increased interconnectivity – data historians such as PI tend to straddle networks.

Page 19

SCADA/ICS vulnerabilities

Page 20

SCADA vulnerabilities

In addition to the inherent challenges, other factors contributing to lagging security practices include:

Because SCADA networks started out as “separate” segments, there is a persistent disconnect between SCADA users and network administrators.
Legacy & proprietary systems make even routine system maintenance, such as patching and updating, difficult or impossible.
There is a perception that SCADA devices are not compatible with anti-virus, monitoring and intrusion detection solutions.
Vendors are often reluctant to provide security protocols.

Page 21

SCADA Vulnerabilities

Jonathan Pollet from RedTiger Security shared the following statistics at the 2013 SANS SCADA Security Summit:

Over 38,000 SCADA/ICS vulnerabilities were recorded from 2000-2008.
The longest gap between the time a vulnerability was discovered and the time it was disclosed was over three years.
The average time SCADA/ICS had latent vulnerabilities was 331 days.
Over 46% of the vulnerabilities discovered involved data historian applications, web servers and back-end databases.
Examples of risky behavior: iTunes, BitTorrent, anonymous FTP services, and Windows NT, 2000 & Vista being used as hosts for HMIs.

Page 23

Don’t be the low-hanging piñata

Page 24

SCADA/ICS security framework

Page 25

Security frameworks

The 2009 National Infrastructure Protection Plan (NIPP)
Standard for Industrial Automation and Control Systems Security (ISA 99), now referenced in NIST 800-53
The National Institute of Standards and Technology (NIST) SP 800-82 Standard
Chemical Facility Anti-Terrorism Standards (CFATS)
The Enhanced Critical Infrastructure Protection (ECIP) initiative, created in 2007 by the Department of Homeland Security (DHS)
The US-based North American Electric Reliability Corporation (NERC) enforces the Critical Infrastructure Protection (CIP) framework

Page 26

Risk Management Framework (ISO 31000)

http://csrc.nist.gov/cyberframework/rfi_comments/040513_cgi.pdf

Page 27

Good practices

Page 28

Good practices

Start with the “basics”:

Network segmentation and DMZ
AV, updates, patches, AD services, data historians and improved system management rolled out through the use of a SCADA/ICS DMZ
Secure remote access
Deploying and managing IDS/IPS
Security event monitoring and logging
Build-out of security framework
Periodic security risk assessments (non-intrusive)
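As an added example (not part of the presentation), tying the Modbus instrumentation from the “Interconnection revolution” slide to the segmentation and security event monitoring practices on this slide: a small Python check that parses Modbus/TCP frames and flags state-changing write requests from hosts outside an assumed engineering-station allowlist. The allowlist, host addresses and captured frames are constructed for the example; only the MBAP header layout and function-code numbers come from the Modbus specification.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Modbus function codes that change controller state (per the Modbus spec); reads such as fc 3 are not listed.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Assumed allowlist: the only hosts (HMI/EWS inside the control segment)
# permitted to write to PLCs. Addresses are constructed for the example.
WRITE_ALLOWLIST = {"10.10.1.20", "10.10.1.21"}

@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes

def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU (function code + data) after it."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    # The MBAP length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])

def check_write(src_ip: str, frame: bytes) -> Optional[str]:
    """Return an alert for a write request from a non-allowlisted host, else None."""
    req = parse_modbus_tcp(frame)
    name = WRITE_FUNCTIONS.get(req.function)
    if name is None or src_ip in WRITE_ALLOWLIST:
        return None
    return f"ALERT {src_ip} -> unit {req.unit_id}: {name} (fc {req.function}) tid {req.transaction_id}"

# Constructed sample traffic: (source IP, raw Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    # Historian reading 10 holding registers from address 0 (fc 3): read only, no alert.
    ("10.10.2.5", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    # Allowlisted HMI writing 0x1234 to register 1 (fc 6): expected, no alert.
    ("10.10.1.20", bytes.fromhex("0002 0000 0006 01 06 0001 1234")),
    # Host on the corporate side of a dual-homed box forcing coil 0 ON (fc 5): alert.
    ("192.168.50.7", bytes.fromhex("0003 0000 0006 01 05 0000 ff00")),
]

def scan(traffic) -> list:
    """Run the check over captured frames and return the alerts raised."""
    return [alert for ip, frame in traffic if (alert := check_write(ip, frame))]
```

In a real deployment the frames would come from a span port or IDS sensor on the SCADA DMZ and the alerts would go to the security event monitoring system.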

Page 29

NERC: 13 Management Practices

1. Leadership commitment (buy-in from top down)
2. Analysis of threats, vulnerabilities, and consequences (risk assessments)
3. Implementation of security measures (controls)
4. Information and cybersecurity (awareness)
5. Documentation (procedures)
6. Training, drills & guidance (test controls)
7. Communication, dialogue & information exchange
8. Response to security threats (reporting)
9. Response to security incidents (forensics)
10. Audits
11. Third-party verification (leverage your vendors)
12. Management of change
13. Continuous improvement

Page 30

Example of SCADA/ICS layers of controls

Source: Red Tiger Security: http://www.redtigersecurity.com/

Page 31

Source: Red Tiger Security: http://www.redtigersecurity.com/

Page 32

Page 33

That’s a wrap!

Page 34

In summary…

Key enabling technologies are only effective and valuable if they are strategically leveraged and applied through collaborative efforts, forward-thinking initiatives and practical solutions.

A long-term cyber security roadmap requires continuous collaboration and proactive application of industry security standards to day-to-day decisions involving devices on the SCADA network.

Because operational requirements for SCADA systems often conflict with cyber security requirements, solutions should be tested prior to implementation to avoid unintended disruptions.

Page 35

Questions?

Page 36

Appendix – A few handy sources

Page 37

A Few Handy Resources

RedTiger Security – Consulting firm that specializes in SCADA/ICS penetration testing and vulnerability assessments.

National Vulnerability Database – provides data that enables automation of vulnerability management, security measurement, and compliance.

INL SCADA Test Bed Program – This event provides intensive hands-on training for the protection and securing of control systems from cyber.

Department of Homeland Security Cyber Security Evaluation Tool (CSET).

Shodan – The scariest search engine on the Internet. Discloses SCADA systems with public IP addresses.