Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) Cyber Protection

Alberto “Al” Hernandez, Army Reserve Officer, Software Engineer

Ph.D. Candidate, Systems Engineering

Presentation for ACT-IAC: June 25, 2014



PRESIDENTIAL POLICY DIRECTIVE/PPD-21, February 12, 2013

SUBJECT: Critical Infrastructure Security and Resilience

The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.

Three strategic imperatives shall drive the Federal approach to strengthen critical infrastructure security and resilience:

1) Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience;

2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and

3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.

The word “Cyber” is mentioned 18 times…

Example: Innovation, Research and Development: “Facilitating initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience;”


Resilience

PPD-21 defines resilience as the ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.


SCADA

Supervisory control and data acquisition (SCADA) networks contain computers and software that perform critical tasks and provide essential services within critical infrastructure.

Used to monitor key parameters of production processes.

Used to operate controls to ensure proper provisioning of critical services.

Designed to monitor processes without considering security requirements and protection from external threats.

Operate in a context totally different from the one the systems were designed for (many are decades old).

SCADA and the Internet are not a “happy marriage”. Security risks are abundant (definitely no pre-nuptial agreement!).

SCADA systems for the most part perform fairly well, except that they are not traditionally highly secured.

Impacts to SCADA can take a huge toll on mission critical services, processes, resources, etc. The ultimate impact is to people and infrastructure.


SCADA Structure

Human-machine interface (HMI) - the operator’s view of the process and the point where supervisory commands relevant to the SCADA system are entered

Master terminal unit (MTU) - the central master station; it polls the remote terminal units for field data, presents that data to the HMI, and sends supervisory commands back out to the RTUs

Remote terminal unit (RTU) - a unit at the remote site; it gathers data from the field control systems, reports it to the MTU, and passes the MTU’s control signals down to those field systems

Field control systems - systems that have a direct interface to field data elements such as sensors, pumps, and switches


Why SCADA?

SCADA systems have operated behind the scenes for many years. SCADA is more visible now due to the Internet. Everybody wants to be “CONNECTED”. We all want to share information, but that opens the door for the bad guys who want the information that we share.

SCADA is loaded with confidential data, among other critically important information, that terrorist groups, hostile governments, business competitors, and malicious intruders would love to access and control. Let’s not forget the insider threat.

SCADA systems control critical infrastructure such as large physical assets, IT networks and associated services that are mission critical. Degradation or destruction will cause great impact to our financial, health, security, industrial, transportation, and other systems.


SCADA Exposure to Threats

SCADA control systems are exposed because of:

Availability of Technical Information — public information about infrastructure and control systems is on the Internet and readily available to “professional” hackers and intruders. From design, production, maintenance, and physical layout, it’s all out there, and many times we are proud of having all that information exposed. “Have you checked out our website? It is awesome, full of information…”

Vulnerability Associated with Remote Connections — We want to be connected and not miss anything that is happening while we travel or work remotely. Often, remote and wireless connections are used to conduct maintenance, diagnostics, monitoring, testing, etc. Without strong access control and authentication measures on those connections, as we all know, our information is vulnerable.


SCADA and Cyber Strategy

There are many “solutions” available to protect SCADA systems. The biggest challenge for the government is including SCADA systems and Critical Infrastructure IT systems in the corresponding Cyber strategy.

Many government audits have been conducted and the results are alarming: many systems around the world lack cyber security, and many do not have robust physical security measures in place.

The cyber security status of SCADA systems is not completely known. Then there is the issue of the diversity of systems and of their implementation, operation, and maintenance.


SCADA Scares Me!

SCADA systems traditionally have the programmable logic controllers (PLCs) directly connected to in-field sensors that provide data to control critical components. Many times, the passwords to access the system are hard-coded into the Ethernet cards the systems use. Those cards funnel commands into devices, allowing administrators to remotely log into the machinery.

Hard-coded passwords are a common weakness built into many industrial control systems. As we know, these are the systems that control machinery connected to dams, gasoline refineries, and water treatment plants, among other facilities. I’m sure we get the picture of the level of vulnerabilities and potential threats.
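The hard-coded credential described above, and the weakly authenticated remote connections from the exposure slide, shown beside a hardened form, as an added example that is not part of the original presentation. The remote-management card, the default value "admin1234", the user "admin" and the sample firmware text are all constructed for illustration; no real vendor or product is implied. The hardened login keeps no secret in the firmware at all: it verifies against a per-device salted PBKDF2 record stored in writable configuration, spends the same work on unknown users, and compares in constant time. A crude scan at the end shows how the vulnerable pattern can be spotted in source trees or configuration dumps.

```python
"""Hard-coded device credential beside a hardened replacement, plus a scan for the pattern.

Added example on a hypothetical remote-management card; every string here is constructed.
"""
import hashlib
import hmac
import os
import re

# --- Vulnerable: the credential is a constant inside the firmware image ---------------
# It is identical on every unit shipped, recoverable by anyone who extracts the image or
# reads a leaked manual, and cannot be rotated by the operator without reflashing.
HARDCODED_PASSWORD = "admin1234"  # constructed placeholder, not any real default


def login_vulnerable(username: str, password: str) -> bool:
    # The baked-in value is the real defect; plain == also leaks timing, a lesser issue.
    return username == "admin" and password == HARDCODED_PASSWORD


# --- Hardened: per-device salted PBKDF2 record in writable configuration ---------------
PBKDF2_ITERATIONS = 200_000  # tune to the device CPU; the point is that guessing is slow
DUMMY_SALT = b"\x00" * 16


def make_credential_record(password: str) -> dict:
    """Built at commissioning: store what verifies the password, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def login_hardened(store: dict, username: str, password: str) -> bool:
    """Verify against the device's own record; nothing secret lives in the firmware."""
    record = store.get(username)
    if record is None:
        # Spend the same work for unknown users so usernames cannot be enumerated by timing.
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


# --- Detection: string literals assigned to secret-looking names in source or config --
SECRET_LITERAL = re.compile(
    r'(?i)(?P<name>\w*(?:passw(?:or)?d|pwd|secret|token)\w*)\s*[=:]?\s*"(?P<value>[^"\r\n]+)"'
)

# Constructed sample of what a firmware source tree or config dump might contain.
SAMPLE_FIRMWARE_TEXT = '''#define TELNET_PASSWORD "admin1234"
static const char *maint_pwd = "service";
int timeout_seconds = 30;
auth_backend = "pbkdf2"
api_token: "x7Yq9Zt2"'''


def scan_for_hardcoded_secrets(text: str = SAMPLE_FIRMWARE_TEXT) -> list:
    """Return (line_number, name) for each secret-looking literal.

    Deliberately crude: a name such as password_hash_alg = "sha256" would also be
    flagged, so treat hits as review leads rather than confirmed findings.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = SECRET_LITERAL.search(line)
        if match and match.group("value").strip():
            hits.append((lineno, match.group("name")))
    return hits


if __name__ == "__main__":
    print("vulnerable login with baked-in default:", login_vulnerable("admin", "admin1234"))
    store = {"admin": make_credential_record("Corr3ct-horse-battery")}
    print("hardened, right password:", login_hardened(store, "admin", "Corr3ct-horse-battery"))
    print("hardened, shipped default:", login_hardened(store, "admin", "admin1234"))
    print("hard-coded secrets in sample:", scan_for_hardcoded_secrets())
```

The hardened record can be rotated by the operator or reset through a physical-presence procedure at the device, which is exactly what a constant compiled into the Ethernet card's firmware does not allow.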


What can happen ?

US-CERT has alerted in the recent past to an ongoing spear-phishing campaign that targeted the energy sector in order to gain remote access to control systems.

SCADA systems protection must be approached from a systems engineering perspective, where component inter-dependencies, as well as networks that serve the systems, undergo a thorough risk analysis process, to identify the protection required.
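One way to carry out the inter-dependency risk analysis described above, as an added example that is not from the original slides. The site model (a water-treatment process, two PLCs, an HMI, a historian, an engineering workstation with a vendor remote-access path, the control network and its power) is constructed for illustration; an edge A -> B means A is degraded or controllable if B is lost or compromised. The code finds which single components can take down the critical process, ranks components by how much of the site they drag down, and checks what removing the remote-maintenance dependency buys.

```python
"""Dependency-based impact analysis for a SCADA site.

Added example with a constructed site model; not from the original slides.
Edge A -> B means "A is degraded or controllable if B is lost or compromised".
"""
from collections import deque

# Constructed model. Each key is affected by the components listed for it.
DEPENDENCIES = {
    "water_treatment_process": ["plc_chlorination", "plc_pumping", "hmi_station"],
    "plc_chlorination": ["control_network", "engineering_workstation"],
    "plc_pumping": ["control_network", "engineering_workstation"],
    "hmi_station": ["control_network"],
    "engineering_workstation": ["control_network", "remote_access_gateway"],
    "historian": ["control_network", "corporate_link"],
    "remote_access_gateway": ["corporate_link"],  # vendor maintenance path
    "control_network": ["core_switch"],
    "core_switch": ["site_power"],
    "corporate_link": [],
    "site_power": [],
}
CRITICAL_SERVICES = {"water_treatment_process"}


def dependents_of(graph):
    """Reverse the graph: for each component, the set of components that rely on it."""
    reverse = {node: set() for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(node)
    return reverse


def impact_of_losing(graph, component):
    """Every component transitively affected when `component` is lost or compromised."""
    reverse = dependents_of(graph)
    affected = set()
    queue = deque([component])
    while queue:
        node = queue.popleft()
        for dependent in reverse.get(node, ()):
            if dependent not in affected:
                affected.add(dependent)
                queue.append(dependent)
    return affected


def single_points_of_failure(graph, critical):
    """Components whose loss alone degrades at least one critical service."""
    return {c for c in graph if impact_of_losing(graph, c) & critical}


def rank_by_impact(graph):
    """Components ordered by how much of the site they drag down, largest first."""
    return sorted(graph, key=lambda c: (-len(impact_of_losing(graph, c)), c))


def without_dependency(graph, node, dep):
    """Copy of the graph with one dependency removed (models a proposed mitigation)."""
    hardened = {k: list(v) for k, v in graph.items()}
    hardened[node] = [d for d in hardened[node] if d != dep]
    return hardened


if __name__ == "__main__":
    spof = single_points_of_failure(DEPENDENCIES, CRITICAL_SERVICES)
    print("Single points of failure for the process:", sorted(spof))
    print("Highest-impact components:", rank_by_impact(DEPENDENCIES)[:3])
    # Mitigation: take the vendor remote-access path out of the PLC programming chain
    # (break-glass only, physically disconnected between maintenance windows).
    hardened = without_dependency(DEPENDENCIES, "engineering_workstation", "remote_access_gateway")
    print("After mitigation:", sorted(single_points_of_failure(hardened, CRITICAL_SERVICES)))
```

In the constructed model the corporate link and the remote-access gateway both show up as single points of failure for the treatment process, even though neither touches a PLC directly; the chain runs through the engineering workstation that programs the PLCs. Cutting that one dependency removes both from the list, which is the kind of finding the systems-level analysis is meant to surface before a protection budget is spent on the obvious components only.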

There is also the need to educate the workforce that manages, operates and maintains SCADA systems on Cyber threats and Cyber security measures and practices.


How to Protect

A layered approach is essential. Collaboration between government and the Cyber security industry is critical. This sometimes means collaboration with competitors as if they were partners. The goal is securing SCADA systems and Critical Infrastructure against the “Cyber Enemy”. National Security and our way of life are at stake.

In my opinion, we need to move away from becoming millionaires overnight and aim more towards a long-lasting relationship with our customers, especially government. It can likely result in billion-dollar deals over the course of many years. When it comes to Cyber security, it is not necessarily a short sprint; it is a marathon, because the enemy never sleeps. Preparation, Stamina and Resilience will carry us through.

Layers, we know what they are:

Perimeter Control

Employees, Policies, Procedures

Network Architecture and Operating Systems

SECURITY, layered of course !

Etc.


SCADA Security Best Practices

1 - Understand the Business Risk - risk is a function of threats, impacts and vulnerabilities.

2 - Implement Secure Architecture - it is important that the selection process ensures that the level of protection is commensurate with the business risk and does not rely on one single security measure.

3 - Establish Response Capabilities - obtaining management support, determining responsibilities, establishing communication channels, drafting policies, and procedures, identifying pre-defined actions, providing suitable training and exercising the whole process prior to incidents enables a quick, effective and appropriate response which can minimize the business impacts and their cost.

4 - Improve Awareness and Skills - Personnel need to know what to do to prevent attacks and what to do in the event of an incident.

5 - Manage Third Party Risk - the security of an organization’s SCADA systems can be put at significant risk by third parties, e.g. vendors, support organizations and other links in the supply chain.

6 - Engage Projects - there are often a number of SCADA-related projects underway at any point in time, any of which could have security implications.

7 - Establish Ongoing Governance - governance for the management of SCADA systems Cyber security will ensure that a consistent and appropriate approach is followed. Without such governance the protection of SCADA systems can be ad-hoc or insufficient.


Conclusion

SCADA systems are increasing in complexity, due to the integration of different components (diverse manufacturers, supply chain).

Approach Cyber security from the component level up to the system level. This also requires an understanding of the supply chain.

Continuous reporting of the security status of critical infrastructures and related SCADA systems is needed.

The overall security of critical infrastructures must be audited during the entire lifecycle of their components. Think Systems Engineering, holistic approach.

Federal Bureau of Investigation (FBI), Department of Homeland Security, and National Counterterrorism Center understand that cyber attacks are the most likely form of terrorism against the United States in the coming years.

The World has become ONE neighborhood. There are no Cyber borders, only the ones we can create to protect SCADA systems and their corresponding supply chain.