
Slide 1
IEC 61850 Deployment: Security, Reliability and CIP Compliance Considerations
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
SEAM Fall 2017 Meeting: CEATI Conference, Burnaby, British Columbia – October 31, 2017

Slide 2
Speaker Credentials
• Electrical Utility Experience (44 years)
– Senior Compliance Auditor, Cyber Security
– IT Manager & Power Trading/Scheduling Manager
– IT Program Manager & Project Manager
– NERC Certified System Operator
– Barehand Qualified Transmission Lineman
• Educational Experience
– Degrees earned: Ph.D., MBA, BS-Computer Science
– Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM
– Academic & Technical Course Teaching Experience (20+ years)
  • Business Strategy, Leadership, and Management
  • Information Technology, IT Security, and Project Management
  • PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
  • CIP Compliance workshops and other outreach sessions
October 31, 2017 | 2017 CEATI - Burnaby BC

Slide 3
Agenda
1. Evolution of threats to and attacks on Industrial Control Systems [ICS] within the electrical grid
2. Topics on the IEC 61850 protocol
3. Developing Power Grid Reliability & Resiliency [PGRR]
4. Questions?

Slide 4
Agenda Topic One: ICS Threats & Attacks
Evolution of threats to and attacks on Industrial Control Systems [ICS] within the electrical grid

Slide 5
Recent Electrical System Threats
• The 2015 & 2016 cyber attacks on the Ukrainian power grid signaled a new era in vulnerability for electrical and other Industrial Control Systems [ICS]:
– Stuxnet
– BlackEnergy
– Havex
– Crashoverride Framework
– Industroyer
– Palmetto Fusion
– Dragonfly 2.0
• However, some of the vulnerabilities exploited by these attacks have been known since 2009
• What does this say about electrical cybersecurity posture?

Slide 6
Stuxnet (Zetter, 2014)
• First known ICS-specific malware; identified in 2010, it used a known Windows print spooler vulnerability and three zero-day OS vulnerabilities to target Siemens PLC software at an Iranian nuclear facility and modify Programmable Logic Controllers [PLC]
• Initially spread with infected USB drives
• Has since infected ICS in other countries, including the U.S. (Kushner, 2013)
• Cyber espionage variants include Flame (identified in 2012, but may predate Stuxnet), Gauss (2011), and Duqu (2011); designed to steal ICS and other information
• An exploit for the print spooler vulnerability was published in April 2009, including the exploit source code
• Microsoft patch [MS10-61] was available in September 2010; updated patch [MS16-087] in July 2016

Slide 7
BlackEnergy (E-ISAC & SANS, 2016)
• Implicated in the 2015 Ukrainian power grid attack by the Sandworm team
• Primary infection used spear phishing attacks on key engineers and IT administrators with infected Word and Excel documents
• Coordinated attacks across three power companies
• Targeted distribution SCADA ICS, but characterized as a test run
– Demonstrated capability to gain a foothold to harvest credentials and information to gain access to ICS networks
– Demonstrated capability to target Cyber Assets at substations and write custom malicious firmware (KillDisk) to render field devices inoperable and unrecoverable
– BlackEnergy and KillDisk were used to enable the attack and delay restoration efforts, but were not capable of opening field devices
– Outages caused by attackers operating HMIs manually
• Remote admin access capabilities, poor VPN practices, and failure to monitor ICS networks contributed to attack reconnaissance months (and perhaps years) before the actual attack

Slide 8
Havex (Nelson, 2016)
• A Remote Access Trojan [RAT] malware used in 2012-2013 attacks against energy sector companies, also aimed at other ICS users (Constantin, 2014)
• Used by the Dragonfly group in spear phishing attacks to gain remote access control over infected ICS computers
• Scans LANs for devices that respond to OPC requests
• Extracts information on network details and harvests Outlook emails, sending the data to Dragonfly servers
• Acts as a conduit for other malware

Slide 9
Crashoverride Framework (Dragos, 2017)
• Fourth ICS-tailored malware (after Stuxnet, BlackEnergy 2, and Havex)
• Serves no cyberespionage purpose; first malware framework specifically designed and deployed to automatically attack electrical control systems
• Suspected in the December 2016 Ukrainian attack and may be linked to the Sandworm team, perhaps deployed as a proof of concept given the limited impact of the attack
• Not unique to specific vendors or configurations
• Purpose built to impact electrical grid operations and facilitate attacks in other countries
• Uses various Layer 2 and Layer 3 routable and serial protocols to carry out attacks, including Ethernet, DNP3, IEC 104, IEC 101, and IEC 61850 used to control field devices

Slide 10
Industroyer (Cherepanov & Lipovsky, 2017)
• ESET researchers published a paper on Industroyer and called it “a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly” (p. 1)
• ESET believes it is highly probable Industroyer was used in the December 2016 Ukrainian power grid attack
• Industroyer targets common industrial control system communication protocols, including IEC 61850, which were specifically exempted from the electronic access control protections included in the CIP Standards for many electrical Facilities [see also CIP-012-1 slides below]
• Can also target vendor-specific industrial power control products

Slide 11
Palmetto Fusion (Perlroth, 2017)
• Palmetto Fusion suspected in the Wolf Creek Nuclear station attack in Kansas (May 2017):
– No indication of compromise of operational systems
– Operational network is air-gapped from the corporate network, but may be susceptible to infected USB drives
– May have been a mapping attack, but investigators have not been able to analyze the payload
– Introduced as highly targeted email messages with fake infected resumes sent to senior industrial control engineers
– Techniques mimicked the Sandworm Russian hacking group that has been tied to energy sector attacks since 2012

Slide 12
Dragonfly 2.0 (Greenberg, 2017)
• Symantec recently reported a new series of attacks beginning in 2015 on non-nuclear electrical companies by a group identified as Dragonfly 2.0:
– Attacks leveraged phishing to introduce malware into operational networks
– Attacks were compared to the Ukrainian attacks (2015, 2016) by Sandworm that resulted in widespread power outages
– 2017 targets included dozens of energy companies, with more than 20 successful breaches of target networks
– Of these breaches, several gained operational access to control interfaces for electrical equipment such as circuit breakers and took screenshots of control panels
– No control actions were committed by the attackers, but Symantec reported this may be a pilot test for a larger attack at some strategic time in conjunction with geopolitical events

Slide 13
Attack Vectors
• Nation-state actors
– Future power grid disruptions considered likely in conjunction with geopolitical events
– Likely to be automated cyber attacks to open grid elements and prevent recovery by wiping OS and firmware
• Terrorist/activist attackers
– Physical attacks on electrical facilities, and/or
– Cyber attacks on ICS and associated field devices

Slide 14
Nation-State Actors (BAE, 2017a)
• Provided a “license to hack” by their governments:
– Most likely culprits for electrical grid attacks are Russia, China, and Eastern European bloc countries
– Other authors have blamed the Stuxnet release on U.S. and Israeli state organizations
– No fear of legal retribution by target countries
– Often closely linked to military and intelligence control
– Have a high level of technical expertise
– Tasked with stealing industrial secrets, disrupting critical infrastructure, eavesdropping on political discussions, and conducting propaganda and disinformation campaigns
– Use social engineering, such as highly targeted spear phishing attacks, to deliver malware to target systems

Slide 15
Terrorist/Activist Attackers (BAE, 2017b)
• Motivated by ideological, religious, or personal beliefs
• Individuals or small groups that are difficult to defend against
• Primary goal is to disrupt the target’s activities, discredit operations, and steal sensitive data to further their goals
• Physical Attacks
– Bombing remote electrical facilities
– Sabotaging transmission lines
– Shooting electrical equipment, such as transformers (e.g., Metcalf substation in April 2013)
– CIP-014-2 developed to enhance physical security measures
• Cyber Attacks
– May use readily available malware source code developed by nation-state actors
– Infect ICS using similar techniques
– Require similar protective cybersecurity countermeasures

Slide 16
Agenda Topic Two: IEC 61850

Slide 17
[Diagram: a Comm Processor serving three IEDs, and an Ethernet Switch serving two IEDs]
What is IEC 61850?
• Developed in cooperation with manufacturers and users to create a uniform, future-proof basis for the protection, communication and control of substations (Siemens, n.d.)
• Typically uses Ethernet as its Layer 2 framing protocol to facilitate communications between Intelligent Electronic Devices [IED] (Dolezilek, 2010, p. 2), but Ethernet was not designed for use in critical ICS operations (INL, 2016, p. 13)
• Supports IEDs from multiple vendors, but local configuration files must be installed with vendor-specific software (Dolezilek, p. 8)
• Can support non-IEC capable legacy IEDs over serial links through the use of communications processors (Dolezilek, p. 7)
• Remember the serial exemption from CIPv3: there are many legacy relays and other Cyber Assets in the grid that are now subject to cyber attacks specific to serial connected devices

Slide 18
Uses of IEC 61850 in the Grid
• Remote Terminal Units [RTUs]
– RTUs tend to be legacy non-digital equipment, which is not in scope for CIP, or
– Newer RTUs consist of modern programmable electronic devices [PEDs], which are in scope.
– RTUs generally support a wide variety of communications protocols, including Ethernet, serial, Modbus, DNP3, and several flavors of the IEC standard protocols (i.e., IEC 60870-5-101/103/104, IEC 60870-6-ICCP, IEC 61850, etc.).
– The impact rating of the host Facility and the specific communication protocols in use will dictate the applicability of the CIP Standards to the RTU platforms.
• Electrical Grid Field Devices
– Typically used for time-sensitive communications between digital relays (e.g., transfer trip schemes)

Slide 19
Uses of IEC 61850 in the Grid
• IEC 61850-9-2 Processor Units
– Also known as Merging Units
– Generally attached to Layer 2 “Process Bus” networks, but have Layer 3 “Station Bus” interfaces for management purposes
– Typically located out in the switchyard
  • In circuit breaker panels or in transformer control panels
  • Could be attached to structural steel (e.g., for a bus)
– Physical Security
  • Standalone PSP around the control cabinet with the applicable Physical Security protections, or
  • Switchyard perimeter (fence line) declared as the PSP
– Electronic controls for the processor units are generally incorporated within the larger substation BCS ESP, where applicable

Slide 20
IEC 61850 and the CIP Standards
• Standards and Requirements directly addressing Low impact BES Assets containing Low impact BCS [LIBCS]:
– BCUC: CIP-003-5 [R2]
– NERC: CIP-003-6 [R1.2, R2]
– NERC: CIP-003-7 [R1.2, R2]

Slide 21
IEC 61850 in BCUC CIP-003-5
• Current approved version in the BCUC footprint
– Becomes effective on October 1, 2018
– Does NOT directly address IEC 61850 communications links
– R2 currently requires cyber security policies and processes for Low impact BES Assets covering:
  • Electronic access controls for external routable protocol connections and Dial-up connectivity (R2.3, p. 5)
• Will BCUC adopt a more recent version of the CIP-003 Standard that integrates additional physical security and electronic access controls for Low impact BES Assets before October 1, 2018?

Slide 22
IEC 61850 in NERC CIP-003-6
• Current effective version in the NERC footprint
• Contained within the Glossary definition of Low Impact External Routable Connectivity (LERC)
– Definition: Bi-directional routable communications between low impact BES Cyber System(s) and Cyber Assets outside the asset containing those low impact BES Cyber System(s). Communication protocols created for Intelligent Electronic Device (IED) to IED communication for protection and/or control functions from assets containing low impact BES Cyber Systems are excluded (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols). (e.g., NERC, 2014, Definitions of Terms, p. 1)

Slide 23
IEC 61850 in NERC CIP-003-6
• Applied within R2 (Attachment 1 – Section 3)
– Section 3 - Electronic Access Controls: Examples of evidence for Section 3 may include, but are not limited to:
  • Documentation showing that inbound and outbound connections for any LEAP(s) are confined to only those the Responsible Entity deems necessary (e.g., by restricting IP addresses, ports, or services);
• LEAPs are required for Low impact BES Assets containing LIBCS using LERC
• The definitions specifically exclude “point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems,” such as IEC 61850 messaging (G&TB section, p. 28)
• The LERC and LEAP Glossary terms will be retired on the effective date of CIP-003-7

Slide 24
IEC 61850 in NERC CIP-003-7
• Proposed revision in the NERC footprint
• Contained within R2 (Attachment 1 – Section 3)
• Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:
– 3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
  i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
  ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and,
  iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR-61850-90-5 R-GOOSE).

Slide 25
IEC 61850 & CIP Protections
• Protect local IEC 61850 installations by applying the required CIP protections to the periphery of your IEC enabled installations
• Protect the electronic access control points, as applicable
– CIP-005-5: EACMS for Medium BCS w/ ERC
– CIP-003-7 R2 Section 3: electronic access controls for LIBCS
[Diagram: Ethernet Switch and Comm Processor with their IEDs sit behind an Electronic Access Control Point; a SCADA Link runs to the BES Control Center(s); the zone is labelled “Protected by CIP Standards”]

Slide 26
IEC 61850 & CIP Protections
• What about the transfer-trip [TT] communications links that are exempted from CIP-003-7 Section 3 controls?
• Ensure TT links are point-to-point direct connections.
• Protect TT links physically and with CIP electronic access control protections on both ends.
• What about the SCADA links?

[Diagram: two substations, each with an Ethernet Switch, a Comm Processor and their IEDs behind an Electronic Access Control Point with a SCADA Link to the BES Control Center(s); transfer-trip (TT) links run between the substations; both substation zones are labelled “Protected by CIP Standards”]
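To make the CIP-003-7 Section 3.1 criteria on Slide 24 and the transfer-trip advice on Slide 26 concrete, here is an added Python example (not from the presentation or from NERC) that classifies constructed link records: a link needs Section 3 electronic access controls only when all three criteria hold, and an exempt transfer-trip link is flagged when it is not a direct point-to-point connection. The link attributes, the status names and the sample links are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CommLink:
    """One communications link touching an asset with low impact BES Cyber Systems.
    Attribute names are assumptions made for this example, not CIP terms."""
    name: str
    routable: bool                   # uses a routable (Layer 3) protocol, e.g. IP
    crosses_asset_boundary: bool     # one endpoint is outside the asset containing the LIBCS
    time_sensitive_ied_to_ied: bool  # time-sensitive protection/control between IEDs (e.g. R-GOOSE)
    point_to_point: bool = True      # direct connection with no shared intermediate network


def section3_controls_required(link: CommLink) -> bool:
    """CIP-003-7 Attachment 1, Section 3.1: electronic access controls apply only to
    communications that meet criteria (i), (ii) and (iii) together."""
    crosses = link.crosses_asset_boundary        # (i)  leaves the asset
    routable = link.routable                     # (ii) routable protocol at the boundary
    not_tt = not link.time_sensitive_ied_to_ied  # (iii) not time-sensitive IED-to-IED
    return crosses and routable and not_tt


def review_link(link: CommLink) -> tuple:
    """Classify a link and return (status, note)."""
    if section3_controls_required(link):
        return ("CONTROLS_REQUIRED",
                "permit only necessary inbound/outbound access at the access control point")
    if link.crosses_asset_boundary and link.routable and link.time_sensitive_ied_to_ied:
        # Exempt from Section 3 by criterion (iii); the deck's advice is to keep such
        # transfer-trip links point-to-point and to protect both ends.
        if not link.point_to_point:
            return ("EXEMPT_TT", "WARNING: exempt TT link is not a direct point-to-point connection")
        return ("EXEMPT_TT", "protect both ends physically and with CIP electronic access controls")
    return ("OUT_OF_SCOPE", "does not meet both criteria (i) and (ii): inside the asset or non-routable")


def review_all(links) -> dict:
    """Map each link name to its classification status."""
    return {link.name: review_link(link)[0] for link in links}


# Constructed sample links (assumed topology, not taken from the presentation)
SAMPLE_LINKS = [
    CommLink("SCADA link to BES Control Center", True, True, False),
    CommLink("R-GOOSE transfer trip to adjacent substation", True, True, True, point_to_point=True),
    CommLink("R-GOOSE transfer trip over shared WAN", True, True, True, point_to_point=False),
    CommLink("GOOSE on process bus inside the substation", False, False, True),
    CommLink("Serial link to legacy RTU", False, True, False),
]

if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        status, note = review_link(sample)
        print(f"{status:18} {sample.name}: {note}")
```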

Slide 27
CIP-012-1 – Future Standard
• Addresses cybersecurity protections for data in transit between key Control Centers
• Proposed modifications to the Control Center definition
• [R1] Requires documented plans to mitigate the risk of unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers
– Excludes oral communications between Control Centers
– [R1.1] Risk mitigation shall be accomplished by one or more of the following actions:
  • Physically protecting the communication links transmitting the data;
  • Logically protecting the data during transmission; or
  • Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data.
• [R2] The Responsible Entity shall implement the plan(s) specified in Requirement R1, except under CIP Exceptional Circumstances

Slide 28
Scope of CIP-012-1
[Diagram reproduced from NERC, 2017 Aug 11, Technical Rationale for CIP-012-1, p. 5, with a callout on the SCADA and TT links]
• Extends cyber security protections to communications networks between key Control Centers with High and Medium BCS
• Not addressed in CIP-012-1, but consider SCADA links to substations and TT links

Slide 29
Agenda Topic Three [PGRR]
Developing Power Grid Resiliency & Reliability (in terms of IEC 61850 and similar protocols)

Slide 30
Preventing Attacks to the Grid
• Companies have been slow to invest the capital funds necessary to update and protect Cyber Assets, with some devices running 30-year-old Operating Systems on critical infrastructure ICS (Kushner, 2013)
• Electric industry participants must step up the pace to improve and enhance overall cybersecurity posture
• Federal, provincial, and regional efforts are currently in place to support cybersecurity

Slide 31
Preventing Attacks to the Grid
• Supporting cybersecurity measures in the North American electrical grid is a massive undertaking, given its size and complexity, as well as the number and variety of electrical industry participants

Slide 32
Recent Cybersecurity Developments
• Regulatory Developments [CIPv5 Standards]
– Current CIP Standards, including those that directly address cyber or physical attacks
  • CIP-007-6 [System Security Management for Cyber Assets]
  • CIP-014-2 [Physical Security for Transmission Facilities]
– Changes to existing CIPv5 Standards to promote better defenses against automated attacks (pending FERC approval)
  • CIP-003-7 [Security Management Controls]
  • CIP-005-6 [Electronic Security Perimeters]
  • CIP-010-3 [Configuration Change Management & Vulnerability Assessment]
– New CIP Standards (pending NERC/FERC approval)
  • CIP-012-1 [Control Center Communication Networks]
  • CIP-013-1 [Supply Chain Risk Management]

Slide 33
Power Grid Resilience
• KPMG (2017) published a white paper that recognized the threats posed by cybersecurity attacks on the BES to U.S. national security and summarized key points for developing countermeasures and resiliency, including (pp. 2-3):
– Build success through business transformation
– Do not assume technology is the “silver bullet”
– Drive transformation through senior leaders
– Maintain a risk management approach
– Continually monitor risks and results
– Embed good cybersecurity practices in routine management of critical assets and infrastructure
– Align cybersecurity with business priorities and initiatives
– Adopt best practices in cybersecurity
– Build a first-class cyber workforce

Slide 34
Power Grid Resilience
• A recent Department of Energy Report (DOE, 2017) discussed electrical infrastructure resiliency in terms of hardening against and recovery from cyber attacks and severe natural events (p. 63):
– Hardening refers to physically changing infrastructure to make it less susceptible to damage.
– Recovery refers to the ability of an energy facility to recover quickly from damage to any of its components or to any of the external systems on which it depends – typically through storage and redundancy.
• Recovery measures do not prevent damage, but enable continued operations despite damage and a more rapid return to normal operations.
• Electrical entities should consider advance planning for contingencies, interagency coordination, and training exercises to develop an effective restoration process. [See also CIP-008-5: R1-R3]

Slide 35
ICS Specific Attacks
• Industroyer (Cherepanov & Lipovsky, 2017) and Crashoverride (Dragos, 2017, pp. 15-25) have general and protocol-specific modules that attack ICS components to manipulate device controls, deny visibility and control to system operators, and wipe valid configurations
• Launcher Module
– Loads payload modules to manipulate the ICS and destroy device capability via the wiper function
• Wiper Module
– Clears registry keys associated with system services
– Overwrites all ICS config files
– Overwrites generic Windows files
– Renders the system unusable

Slide 36
ICS Specific Attacks: IEC 104
• The Crashoverride IEC 104 module is a complete implementation of IEC 104 that serves in the Master role
• Provides substation automation manipulation, but can be tailored for specific functionality
• Exposed functions are only limited by the configuration options for a specific target (e.g., RTU or relay)
• Reads a config file defining the target and desired actions
• Kills the legitimate master process on the target host
• Masquerades as the new master process in various modes
– Sequence mode continuously sets RTU Information Object Addresses [IOAs] to open
– Range mode
  • Interrogates each RTU for valid IOAs
  • Toggles each IOA between open and closed states
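As an added illustration of the Slide 36 behaviours from a detection standpoint (example code, not the presentation's or Dragos's), this Python script scans constructed IEC 104 command log lines for three signals: commands from a source that is not an authorized master, sequence-mode fan-out of open commands across many IOAs, and range-mode flapping of an IOA after a general interrogation. The log line format, the addresses and the thresholds are assumptions for this example; the ASDU type names C_IC_NA_1 (general interrogation) and C_SC_NA_1 (single command) are the standard IEC 60870-5-104 identifiers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption for this example):
#   "<ISO timestamp> src=<ip> dst=<ip> type=<ASDU type> [ioa=<n>] [val=<OPEN|CLOSE>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\S+)"
    r"(?: ioa=(?P<ioa>\d+))?(?: val=(?P<val>\S+))?$"
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["ioa"] = int(e["ioa"]) if e["ioa"] else None
        events.append(e)
    return events


def detect(lines, authorized_masters, window_s=60, seq_min_ioas=5, toggle_min=4):
    """Return a list of (alert, src, detail) tuples.
    UNAUTHORIZED_MASTER: commands from a source address not in the allowlist.
    SEQUENCE_MODE: OPEN single commands fanned out to >= seq_min_ioas distinct IOAs
                   within window_s seconds (the deck's "sequence mode").
    RANGE_MODE: a general interrogation followed within window_s by one IOA being
                toggled OPEN/CLOSE >= toggle_min times (the deck's "range mode").
    """
    alerts = []
    by_src = defaultdict(list)
    for e in parse(lines):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        if src not in authorized_masters:
            alerts.append(("UNAUTHORIZED_MASTER", src, len(evs)))
        evs.sort(key=lambda ev: ev["ts"])
        seq_hit = range_hit = False
        for i, e in enumerate(evs):
            # Events from this source inside the trailing window ending at event i
            window = [w for w in evs[: i + 1]
                      if (e["ts"] - w["ts"]).total_seconds() <= window_s]
            cmds = [w for w in window if w["type"] == "C_SC_NA_1"]
            opened = {w["ioa"] for w in cmds if w["val"] == "OPEN"}
            if not seq_hit and len(opened) >= seq_min_ioas:
                alerts.append(("SEQUENCE_MODE", src, sorted(opened)))
                seq_hit = True
            if not range_hit and any(w["type"] == "C_IC_NA_1" for w in window):
                toggles, last = defaultdict(int), {}
                for w in cmds:  # count OPEN<->CLOSE transitions per IOA
                    if w["ioa"] in last and last[w["ioa"]] != w["val"]:
                        toggles[w["ioa"]] += 1
                    last[w["ioa"]] = w["val"]
                flapping = sorted(k for k, v in toggles.items() if v >= toggle_min)
                if flapping:
                    alerts.append(("RANGE_MODE", src, flapping))
                    range_hit = True
    return alerts


AUTHORIZED_MASTERS = {"10.1.1.5"}  # constructed: the SCADA master's address

SAMPLE_LOG = [
    # Legitimate master: interrogation, one breaker opened, later closed again
    "2017-10-31T10:00:00 src=10.1.1.5 dst=10.1.2.20 type=C_IC_NA_1",
    "2017-10-31T10:00:30 src=10.1.1.5 dst=10.1.2.20 type=C_SC_NA_1 ioa=1001 val=OPEN",
    "2017-10-31T10:05:00 src=10.1.1.5 dst=10.1.2.20 type=C_SC_NA_1 ioa=1001 val=CLOSE",
    # Range-mode pattern from the master's own address: a process masquerading on the
    # master host is not caught by the address allowlist, only by its behaviour
    "2017-10-31T11:00:00 src=10.1.1.5 dst=10.1.2.20 type=C_IC_NA_1",
] + [
    f"2017-10-31T11:00:{5 + i:02d} src=10.1.1.5 dst=10.1.2.20 type=C_SC_NA_1 "
    f"ioa=2001 val={'OPEN' if i % 2 == 0 else 'CLOSE'}"
    for i in range(5)
] + [
    # Sequence-mode pattern from an unknown source: OPEN fanned out over six IOAs
    f"2017-10-31T12:00:{i:02d} src=10.1.1.77 dst=10.1.2.20 type=C_SC_NA_1 "
    f"ioa={1001 + i} val=OPEN"
    for i in range(6)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, AUTHORIZED_MASTERS):
        print(alert)
```

In a real deployment the allowlist and thresholds would come from the entity's own baseline of master hosts and normal switching rates, and the log would be produced by a protocol-aware network monitor rather than constructed inline.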

Slide 37
ICS Specific Attacks: IEC 101
• The IEC 101 module has similar capabilities to the IEC 104 module, but operates over serial connections instead of Ethernet.
[Diagram: a Comm Processor serving three IEDs, and an Ethernet Switch serving two IEDs]

Slide 38
ICS Specific Attacks: IEC 61850
• The IEC 61850 module leverages available configuration files to identify targets
• Absent a configuration file, the module enumerates the local network to identify potential targets
• Communicates with the targets to identify whether or not the target has control capability for circuit breakers
• Can change the state of some variables while generating an action log

Slide 39
ICS Specific Attacks: OPC DA Module
• Attacks the OLE for Process Control Data Access [OPC DA] function that defines how real-time data can be transferred between a data source and a data sink (i.e., a PLC and an HMI) without the need to understand each device’s native protocol
• Does not require a configuration file
• Enumerates all OPC servers and associated items, looking for the subset with the “ctl” string
• Overwrites the string with 0x01 twice, which gives a “primary value out of limits” device status, effectively disabling the device

Slide 40
ICS Specific Attacks: DoS Module
• Denial of Service [DoS] attack mode
• Specific to Siemens SIPROTEC relays using the EN100 module for enabling IEC 61850 communications
• Sends UDP packets to port 50000 exploiting the CVE-2015-5374 vulnerability, causing the relay to fall into an unresponsive state
• Siemens released a patch for this vulnerability in July 2015 (Siemens Advisory SSA-732541)
– Should have been installed under CIP-007-6 R2 for Medium BCS, including transmission protection systems
– May not have been installed under current CIP Requirements applicable to LIBCS
• Has this module been adapted for other vendor devices using similar communications characteristics?

Slide 41
ICS Attack Outcomes
• All of these modules can result in various systems that perform actions on the wrong information, report incorrect information to system operators, and/or render the target device unusable and unrecoverable by system operators.
• Hampering protective schemes by disabling relays can expand an islanding event and may trigger larger events such as uncontrolled separation or cascading outages.
• Denial of visibility into system status amplifies confusion during the outage recovery phase, as operator system views may show breakers as closed when they are actually open.
• Outages may be extended due to the need for local repairs to firmware and configuration files for each affected device.

Slide 42
ICS Defense Recommendations
• A prudent entity will implement the required CIP protections for transmission protection systems, but look beyond the Standards to ensure the reliability of the BES.
• Always observe basic physical and cybersecurity practices, including ports and services security [CIP-007-6 R1], security patch management [CIP-007-6 R2], malicious code detection [CIP-007-6 R3], remote access controls [CIP-007-6 R5], and Transient Cyber Asset [TCA] and Removable Media [RM] precautions [CIP-010-2, R4; CIP-003-7, R1.2.5 (see also Attachment 1 – Section 5)].

Slide 43

ICS Defense Recommendations

•  Dragos (2017) provided recommendations for ICS protections (pp. 26-27):

–  Have a clear understanding of how DNP3, IEC 104, IEC 61850, and OPC protocols are used within your ICS and do not rely on the use of protocols, such as DNP3, as a protection mechanism

–  Maintain robust backups of project logic, IED configuration files, and ICS application installers offsite and tested (CIP-009-6: R1-R3; CIP-010-2: R1-R2)

–  Prepare incident response plans and perform regular tests to include the need for manual operations in field locations while recovering the SCADA system and gathering forensic data (CIP-008-5)

–  Consider the use of tools like YARA to search for possible infections

–  Air-gapped networks, unidirectional firewalls, anti-virus in the ICS, and other passive and architectural defenses may not be effective against an aggressive adversary. Train and deploy human defenders
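The backup recommendation above, read together with CIP-010-2 R1-R2 (configuration change management and monitoring), implies a baseline that can be tested: record a digest of every IED configuration file and project-logic file when it is backed up, and compare the live files against that record. The Python below is an added example for this deck, not code from Dragos or from the presentation; the SCL fragments and project-logic lines are constructed samples, not files from any real substation.

```python
"""Hash-based baseline check for IED configuration and project-logic files.

Added example for the backup recommendation and CIP-010-2 R1-R2. The file
contents below are constructed samples, not real substation artifacts.
"""
import hashlib

# Constructed baseline snapshot: file name -> content as it was backed up.
BASELINE_FILES = {
    "feeder1.cid": b'<SCL><IED name="FEEDER1"><Services/></IED></SCL>',
    "bus_diff.cid": b'<SCL><IED name="BUSDIFF"><Services/></IED></SCL>',
    "logic.prj": b"; project logic v7\nTRIP = 50P1T OR 51P1T\n",
}

# Constructed current state of the same device: one file modified (a trip
# condition dropped), one removed, one added.
CURRENT_FILES = {
    "feeder1.cid": b'<SCL><IED name="FEEDER1"><Services/></IED></SCL>',
    "logic.prj": b"; project logic v7\nTRIP = 50P1T\n",
    "relay_x.cid": b'<SCL><IED name="RELAYX"/></SCL>',
}


def fingerprint(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 digest per file. The digests, not the files, are what the
    monitoring job compares, so they should be stored with the offsite backup."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def compare_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every file as unchanged, modified, removed, or added relative
    to the recorded baseline digests."""
    report: dict[str, list[str]] = {"unchanged": [], "modified": [], "removed": [], "added": []}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            report["removed"].append(name)
        elif name not in baseline:
            report["added"].append(name)
        elif baseline[name] != current[name]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    return report


if __name__ == "__main__":
    result = compare_baseline(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES))
    for category in ("modified", "removed", "added"):
        for name in result[category]:
            print(f"{category}: {name}")
```

The same `fingerprint` function doubles as the restore test the bullet calls for: hashing the files restored from the offsite copy and comparing them with the digests recorded at backup time shows whether the backup is actually usable, before an outage makes that question urgent. Keep the recorded digests with the offsite copy rather than on the device, so that a change to a file cannot be hidden by also changing its recorded hash.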

Slide 44

ICS Defense Recommendations

•  KPMG (2017) cited a February 2017 report from the Defense Science Board Task Force on Cyber Deterrence in the Aerospace and Defense sector that identified the need for “a more proactive and systematic approach to U.S. cyber deterrence” (p. 15)

•  KPMG also identified three major areas to build deterrence to cyber attacks in the critical infrastructure (p. 15):

–  Heightened standards

–  Improved data governance

–  Deeper industry cooperation

Slide 45

ICS Defense Recommendations

•  KPMG (2017, p. 16) recognized that leading organizations:

–  Emphasize deterrence and prevention,

–  Develop strategies that identify and implement best practices in advance to understand risks and ensure resilience through mitigation strategies,

–  Enhance detection and response capabilities to minimize the impact of cyber attacks on ICS,

–  Identify the “root cause” of the intrusion to prevent future attacks, and

–  Address audit findings in a timely manner.

Slide 46

Speaker Contact Information

Joseph B. Baugh, Ph.D., MBA, PMP, CISA, CISSP, CRISC, CISM, PSP

Senior Compliance Auditor - Cyber Security

Western Electricity Coordinating Council (WECC)

jbaugh (at) wecc (dot) biz    (C) 520.331.6351    (O) 360.600.6631

Slide 47

References

•  BAE Systems. (2017a). The nation state actor: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor

•  BAE Systems. (2017b). The activist: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-activist

•  Cherepanov, A., & Lipovsky, R. (2017, June 12). Industroyer: Biggest threat to industrial control systems since Stuxnet. Retrieved from https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/

Slide 48

References

•  Constantin, L. (2014, June 24). New Havex malware variant targets industrial control system and SCADA users. PC World. Retrieved from https://www.pcworld.com/article/2367240/new-havex-malware-variants-target-industrial-control-system-and-scada-users.html

•  Department of Energy [DOE]. (2017, August). Staff report to the Secretary on electricity markets and reliability. Retrieved from https://energy.gov/sites/prod/files/2017/08/f36/Staff%20Report%20on%20Electricity%20Markets%20and%20Reliability_0.pdf

•  Dolezilek, D. J. (2010, October). IEC 61850: What you need to know about functionality and practical implementation. SEL Journal of Reliable Power, 1(2), 1-17. Retrieved from https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6170_IEC61850WhatYouNeed_20050304_Web.pdf?v=20151125-081713

Slide 49

References

•  Dragos Inc. (2017, June 12). Crashoverride: Analysis of the threat to electric grid operations [v2.20170613]. Retrieved from https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

•  E-ISAC & SANS. (2016, March 18). Analysis of the cyber attack on the Ukrainian power grid: Defense use case. Retrieved from http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf

•  Greenberg, A. (2017, September 6). Hackers gain direct access to US power controls. Wired. Retrieved from https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/amp

Slide 50

References

•  Idaho National Laboratory [INL]. (2016, August). Cyber threat and vulnerability analysis of the U.S. electric sector: Mission Support Center analysis report. Retrieved from https://energy.gov/epsa/downloads/cyber-threat-and-vulnerability-analysis-us-electric-sector

•  KPMG. (2017, August). Strengthening cybersecurity of federal networks and critical infrastructure: Perspectives on implementation challenges and leading practices. Retrieved from http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2017/presidential-executiveorder-whitepaper.pdf

•  Kushner, D. (2013, February 26). The real story of Stuxnet: How Kaspersky Labs tracked down the malware that stymied Iran’s nuclear-fuel enrichment program. IEEE Spectrum. Retrieved from https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

Slide 51

References

•  NERC. (2017, August 11). Technical rationale and justification for Reliability Standard CIP-012-1. Retrieved from http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/2016-02_Technical_Rationale_and_Justification_CIP-012-1_08142017.pdf

•  Nelson, N. (2016, January 18). The impact of Dragonfly malware on industrial control systems. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672

•  Zetter, K. (2014, November 3). An unprecedented look at Stuxnet, the world’s first digital weapon. Wired. Retrieved from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/