SCADA: A Deeper Look - Public Intelligence
SCADA: A Deeper Look
Jeff Dagle
Pacific Northwest National Laboratory, P.O. Box 999, M/S K5-20; Richland WA 99352
509-375-3629; Fax: 509-375-3614; jeff dagle@pnl
Outline
• Vendors
• Protocols
• DNP 3.0 Protocol Example
• Demonstration
SCADA Principles of Operation
• Interface with physical devices
  • Remote terminal unit (RTU)
  • Intelligent electronic device (IED)
  • Programmable logic controller (PLC)
• Communications
  • Directly wired
  • Power line carrier
  • Microwave
  • Radio (spread spectrum)
  • Fiber optic
Typical SCADA Architecture
[Architecture diagram. Recoverable content: a primary server and a secondary server on a central application processing LAN; telemetry servers 1 through n on a telemetry LAN; an inter-site gateway connected over leased lines to independent control centers A and B; RTU communication servers driving serial links through bridge/modem pairs to RTUs x, y, z over leased lines, phone line, radio, and fiber optic; IEDs and PLCs behind the RTUs; redundant paths throughout.]
Major SCADA/EMS Vendors
• Asea Brown Boveri (ABB)
• Siemens
• Alstom ESCA
• Telegyr Systems
• Advanced Control Systems (ACS)
• Harris
• Bailey
SCADA Protocols (Partial List!)
• ANSI X3.28
• Pert
• BBC 7200
• CDC Types 1 and 2
• PG&E
• QEI Micro II
• Conitel 2020/2000/3000
• DCP 1
• DNP 3.0
• Redac 70H
• Rockwell
• SES 91
• Gedac 7020
• IBM 3707
• Tejas 3 and 5
• TRW 9550
• Landis & Gyr 8979
• Vancomm
Protocol Background
International Organization for Standardization (ISO) Open Systems Interconnection (OSI) Reference Model (protocol stack)

Layer | Name         | Function
7     | Application  | Provides interface to application services
6     | Presentation | Data representation
5     | Session      | Starts, maintains, and ends each logical session
4     | Transport    | End-to-end reliable communications stream
3     | Network      | Routing and segmentation/reassembly of packets
2     | Data Link    | Transmit chunks of information across a link
1     | Physical     | Transmit unstructured bits across a link
Intermediate Nodes
[Diagram of two end systems, each with a full seven-layer stack (Application through Physical), connected through intermediate nodes. Recoverable content: a REPEATER operates at the Physical layer only; a BRIDGE at the Physical and Data Link layers; a ROUTER at the Physical, Data Link, and Network layers. The Transport, Session, Presentation, and Application layers exist only at the end systems.]
Simplified Protocol Stack
International Electrotechnical Commission (IEC) Enhanced Performance Architecture (EPA)

Layer | Name        | Function
3     | Application | Provides interface to application services
2     | Data Link   | Packs data into frames and transmits them across a link, with addressing and error checking (EPA omits the OSI network, transport, session, and presentation layers)
1     | Physical    | Transmit bits of information across a link
SCADA Protocol Example
Distributed Network Protocol (DNP) 3.0
• SCADA/EMS applications
  • RTU to IED communications
  • Master to remote communications
  • Peer-to-peer instances and network applications
• Object-based application layer protocol
• Emerging open architecture standard
DNP 3.0 Data Link Layer
• Interface with the physical layer
  • Packing data into the defined frame format and transmitting the data to the physical layer
  • Unpacking frames received from the physical layer
  • Controlling all aspects of the physical layer
• Data validity and integrity
  • Collision avoidance/detection
  • Perform message retries
  • Establish connection and disconnection in a dial-up environment
DNP 3.0 Data Link Layer
Frame layout:

FIXED LENGTH HEADER (10 OCTETS)                       | BODY
START | LENGTH | CONTROL | DESTINATION | SOURCE | CRC | USER DATA | CRC | ... | USER DATA | CRC
                                                      | BLOCK 0         | ... | BLOCK n

Field       | Size     | Meaning
START       | 2 octets | Starting octets of the header
LENGTH      | 1 octet  | Count of USER DATA in the header and body (the CONTROL, DESTINATION, and SOURCE octets plus all user data octets; CRC octets are not counted)
CONTROL     | 1 octet  | Frame control
DESTINATION | 2 octets | Destination address
SOURCE      | 2 octets | Source address
CRC         | 2 octets | Cyclic Redundancy Check
USER DATA   | 16 octets per block | Each block following the header carries 16 octets of user-defined data (the last block may be shorter), and each block has its own CRC
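The frame layout above, as an added worked example that is not part of the original slides: a builder and a parser for the DNP 3.0 link-layer frame, including the CRC-16/DNP that protects the header and each 16-octet user-data block. The CONTROL bit layout (DIR, PRM, function code) and the little-endian address and CRC encoding are assumptions drawn from the DNP3 specification, not from the slides; the sample frame and its addresses are constructed for illustration.

```python
"""DNP 3.0 link-layer frame builder and parser with CRC-16/DNP (added example)."""
import struct

START = b"\x05\x64"   # the two fixed START octets
BLOCK_SIZE = 16       # user-data octets per CRC-protected block
HEADER_LEN = 10       # START(2) LENGTH(1) CONTROL(1) DEST(2) SRC(2) CRC(2)
MAX_USER_DATA = 250   # LENGTH is one octet and also counts CONTROL, DEST, SRC (5 octets)


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reflected 0xA6BC), init 0, result inverted.
    The standard check value for b"123456789" is 0xEA82."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def _with_crc(chunk: bytes) -> bytes:
    # Assumption from the DNP3 spec: the CRC is transmitted low octet first.
    return chunk + struct.pack("<H", crc16_dnp(chunk))


def build_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Header + CRC, then 16-octet user-data blocks, each followed by its own CRC."""
    if len(user_data) > MAX_USER_DATA:
        raise ValueError("user data exceeds one link frame; use the transport function")
    length = 5 + len(user_data)   # CONTROL + DEST + SRC + user data; CRCs not counted
    header = START + struct.pack("<BBHH", length, control, dest, src)
    frame = _with_crc(header)
    for i in range(0, len(user_data), BLOCK_SIZE):
        frame += _with_crc(user_data[i:i + BLOCK_SIZE])
    return frame


def parse_frame(frame: bytes) -> dict:
    """Check START, LENGTH and every CRC before trusting anything in the frame.
    Raises ValueError on any integrity failure; a receiver must reject such a
    frame instead of acting on its CONTROL function code or user data."""
    if len(frame) < HEADER_LEN or frame[:2] != START:
        raise ValueError("bad START octets or truncated header")
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    length, control, dest, src = struct.unpack("<BBHH", frame[2:8])
    if length < 5:
        raise ValueError("LENGTH below minimum")
    remaining = length - 5
    user_data = bytearray()
    pos = HEADER_LEN
    while remaining > 0:
        n = min(BLOCK_SIZE, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2:
            raise ValueError("truncated user-data block")
        if struct.unpack("<H", crc)[0] != crc16_dnp(block):
            raise ValueError("user-data CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    return {
        "length": length,
        "control": control,
        "dir": control >> 7 & 1,       # DIR: 1 = frame originated by the master
        "prm": control >> 6 & 1,       # PRM: 1 = primary (initiating) message
        "function": control & 0x0F,    # link-layer function code (low 4 bits)
        "dest": dest,
        "src": src,
        "user_data": bytes(user_data),
        "trailing": frame[pos:],       # anything after the last CRC (should be empty)
    }


def frame_is_valid(frame: bytes) -> bool:
    """True only if every START, LENGTH and CRC check in parse_frame passes."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample: master (address 1) sends 20 octets of user data to outstation 10
# with CONTROL 0xC4 (DIR=1, PRM=1, function 4). Addresses and data are made up.
SAMPLE_USER_DATA = bytes(range(20))
SAMPLE_FRAME = build_frame(control=0xC4, dest=10, src=1, user_data=SAMPLE_USER_DATA)

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex(" "))
    print(parse_frame(SAMPLE_FRAME))
```

The parser is deliberately strict: a flipped bit anywhere in the header or in a data block, or a frame cut short on the wire, is rejected before the function code is looked at. Note that the CRC is an integrity check against noise only; an intruder who can inject frames can compute valid CRCs just as easily, which is why the later slides turn to authentication.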
DNP 3.0 Transport Function
• Supports advanced RTU functions and messages larger than the maximum frame length in the data link layer
• Additional data integrity verification
• Packs user data into multiple frames of the data link frame format for transmitting the data
• Unpacks multiple frames that are received from the data link layer
• Controls the data link layer
DNP 3.0 Transport Function
Transport header (1 octet) followed by user data (1 to 249 octets in length):

Bit 7 | Bit 6 | Bits 5-0
FIN   | FIR   | SEQUENCE

FIN: 0 = More frames follow; 1 = Final frame of a sequence
FIR: 1 = First frame of a sequence; 0 = Not the first frame of a sequence
SEQUENCE: Number between 0 and 63 to ensure frames are being received in sequence
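The transport header above, as an added worked example that is not from the original slides: segmenting an application message into 249-octet pieces with FIR/FIN/SEQUENCE set as the slide describes, and reassembling on the receiving side with a sequence check. The rule that a receiver discards a partially assembled message on any out-of-sequence or stray segment is an assumption from the DNP3 specification; the 600-octet sample message is constructed.

```python
"""DNP 3.0 transport function: segmentation and reassembly (added example)."""
from typing import List, Optional

MAX_SEGMENT_DATA = 249   # user-data octets per transport segment (250 minus the 1-octet header)
FIN = 0x80               # bit 7: final segment of a sequence
FIR = 0x40               # bit 6: first segment of a sequence
SEQ_MASK = 0x3F          # bits 5-0: sequence number 0..63


def segment(app_data: bytes, start_seq: int = 0) -> List[bytes]:
    """Split app_data into transport segments: 1 header octet + up to 249 data octets."""
    if not app_data:
        raise ValueError("a transport segment carries at least 1 octet of user data")
    chunks = [app_data[i:i + MAX_SEGMENT_DATA]
              for i in range(0, len(app_data), MAX_SEGMENT_DATA)]
    segments = []
    for n, chunk in enumerate(chunks):
        header = (start_seq + n) & SEQ_MASK   # sequence wraps from 63 back to 0
        if n == 0:
            header |= FIR
        if n == len(chunks) - 1:
            header |= FIN
        segments.append(bytes([header]) + chunk)
    return segments


class Reassembler:
    """Receiver side. Assumption from the spec: any segment that is not the
    expected next one (or a fresh FIR) discards the partial message, so a
    message with a gap is never delivered to the application layer."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self._expect: Optional[int] = None   # next expected SEQUENCE; None when idle

    def feed(self, seg: bytes) -> Optional[bytes]:
        """Accept one segment; return the complete message on FIN, else None."""
        if len(seg) < 2:
            self._discard()
            return None
        header, data = seg[0], seg[1:]
        fin, fir, seq = bool(header & FIN), bool(header & FIR), header & SEQ_MASK
        if fir:
            self._buf = bytearray(data)       # FIR always starts a new message
        elif self._expect is None or seq != self._expect:
            self._discard()                    # duplicate, replayed, or out-of-order segment
            return None
        else:
            self._buf += data
        if fin:
            message = bytes(self._buf)
            self._discard()
            return message
        self._expect = (seq + 1) & SEQ_MASK
        return None

    def _discard(self) -> None:
        self._buf.clear()
        self._expect = None


# Constructed sample: a 600-octet application message needs three segments (249, 249, 102).
SAMPLE_MESSAGE = bytes(i % 256 for i in range(600))

if __name__ == "__main__":
    rx = Reassembler()
    for s in segment(SAMPLE_MESSAGE, start_seq=62):
        print(f"hdr={s[0]:02x} FIN={bool(s[0] & FIN)} FIR={bool(s[0] & FIR)} "
              f"SEQ={s[0] & SEQ_MASK} len={len(s)}", rx.feed(s) is not None)
```

Each 250-octet segment here is exactly the largest USER DATA a single link frame can carry, which is how the transport function lets application messages exceed the link-layer frame limit. The sequence check catches lost or reordered segments; like the link CRC, it provides no protection against a deliberate injection that carries the expected sequence number.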
DNP 3.0 Application Layer
• Communications interface with application software
• Designed for SCADA and Distributed Automation Systems
• Supported functions include: send request, accept response, confirmation, time-outs, error recovery, etc.
SCADA Trends
• Open protocols: open industry standard protocols are replacing vendor-specific proprietary communication protocols
• Interconnected to other systems: connections to business and administrative networks to obtain productivity improvements and mandated open access information sharing
• Reliance on public information systems: increasing use of public telecommunication systems and the internet for portions of the control system
Vulnerability Concerns
• Confidentiality: protecting information from unauthorized access; important for deregulation and competitive intelligence
• Integrity: assuring valid data and control actions; most critical for real-time control applications
• Availability: continuity of operations; important for real-time control applications; historically addressed with redundancy
Laboratory SCADA Vulnerability Demonstration
• SCADA Protocol (DNP 3.0)
• Operator Interface
• Field Device
  • Remote Terminal Unit (RTU)
  • Intelligent Electronic Device (IED)
  • Programmable Logic Controller (PLC)
• Protocol Analyzer (Intruder)
• Scenarios
  • Denial of service
  • Operator spoofing
  • Direct manipulation of field devices
  • Combinations of the above
• Vulnerability implications vary significantly depending on the scenario and application
SCADA Message Strings
[Capture of DNP 3.0 message strings taken with an RTU test set. The slide's point: the traffic is a repeating, easily decipherable format.]
Mitigation Strategies
• Security through obscurity: poor defense against a "structured adversary"
• Isolated network
• Communication encryption: concerns over latency, reliability, interoperability; vendors waiting for customer demand
• Signal authentication: may provide good defense without the concerns associated with full signal encryption
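Signal authentication without encryption, as an added illustration of the last mitigation above and of the operator-spoofing scenario in the demonstration; this is example code, not from the slides and not the DNP3 Secure Authentication extension that was standardized later. It assumes a shared key per master/outstation pair and a monotonically increasing sequence number, which are assumptions of this example: the payload travels in the clear (so no latency from decryption and no interoperability change to the protocol itself), but a forged, modified, or replayed message fails the check. The key and messages are constructed.

```python
"""Keyed-MAC signal authentication with replay protection (added example)."""
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 16   # truncated HMAC-SHA256 tag appended to every message (assumed size)


def authenticate(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prepend a 4-octet sequence number, append a MAC over seq + payload.
    The payload is not encrypted; only its origin and integrity are protected."""
    body = struct.pack("<I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class Verifier:
    """Receiver: accept a message only if the tag verifies under the shared key
    AND its sequence number is higher than the last accepted one (anti-replay)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = -1

    def verify(self, message: bytes) -> Optional[bytes]:
        """Return the authenticated payload, or None if the message must be dropped."""
        if len(message) < 4 + TAG_LEN:
            return None
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None                              # forged or modified in transit
        seq = struct.unpack("<I", body[:4])[0]
        if seq <= self._last_seq:
            return None                              # replay of a captured message
        self._last_seq = seq
        return body[4:]


# Constructed sample: a shared key and an application-layer control request.
SAMPLE_KEY = b"constructed-shared-key-for-demo"
SAMPLE_REQUEST = b"\xC1\x05"   # made-up application bytes; content is irrelevant here

if __name__ == "__main__":
    outstation = Verifier(SAMPLE_KEY)
    wire = authenticate(SAMPLE_KEY, 1, SAMPLE_REQUEST)
    print("genuine:", outstation.verify(wire))
    print("replayed:", outstation.verify(wire))
    forged = authenticate(b"attacker-key", 2, SAMPLE_REQUEST)
    print("forged:", outstation.verify(forged))
```

The replay check is what defeats the demonstration's intruder who records legitimate frames with a protocol analyzer and sends them again; the MAC is what defeats the intruder who edits a captured frame and recomputes its CRC. Key distribution and the recovery of the sequence counter after a device restart are real deployment problems that this example does not address.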
IEEE Standard 1402-2000
IEEE Guide for Electric Power Substation Physical and Electronic Security
• Provides definitions and parameters that influence the threat of intrusions, and gives criteria for substation security
• Cyber methods considered: passwords, dial-back verification, selective access, virus scans, encryption and encoding
Additional Countermeasures to Consider
• Implement access control with strong passwords
• Implement automatic reporting/intrusion detection features
• Create a multi-tiered access hierarchy
• Implement application level authentication and packet level data encryption
• Consider implementing public key infrastructure (PKI): when properly implemented, PKI certificates enable authentication, encryption, and non-repudiation of data transmissions
• Implement properly configured firewalls and intrusion detection systems
• Have a defined Enterprise-level computer network security policy
Ref: Concerns About Intrusion into Remotely Accessible Substation Controllers and SCADA Systems, Schweitzer Engineering Laboratories, www.selinc.com
Steps for Enhancing SCADA Security
• Establish a robust network architecture
• Eliminate trusted remote access points of entry
• Evaluate and deploy technology and approaches to enhance confidentiality, availability, and integrity
• Implement rigorous configuration management
• Provide adequate support and training
• Never become complacent!
Conclusions
• Vendors: relatively few, mostly foreign
• Protocols: several protocols being used; trend toward open protocols
• DNP 3.0 Protocol Example: emerging standard in the electric SCADA industry