SCADA @ City of Raleigh · SCADA Security @ City of Raleigh Martin Petherbridge, CPA, CIA –...
SCADA Security @ City of Raleigh
Martin Petherbridge, CPA, CIA – Internal Audit Manager
Shirley McFadden, CPA, CIA – Senior Internal Auditor
Agenda
1. PLCs, SCADA and Stuxnet
2. Selecting Audit Standards
3. Audit Scope
4. Audit Report & Follow Up
Siemens PLC
PLC – Programmable Logic Controller
A computer that receives analog and digital inputs and outputs. Designed to withstand:
• Extreme temperatures
• Electrical noise
• Vibration and impact
PLCs are Everywhere…
• Heating and air conditioning
• Elevators
• Traffic lights
• Railroad track switches
• Water production, waste water management
• Electricity generation
• Robots on assembly lines
• Ingredients in pharmaceutical manufacturing
• Temperatures in food production
SCADA System
SCADA – Supervisory Control And Data Acquisition System
SCADA System
Northern Rockies Regional Municipality - Water Treatment Plant
STUXNET
What was STUXNET?
• A worm
• Designed to sabotage centrifuges
• In the Bushehr nuclear facility in Natanz, Iran
Centrifuges
Iranian President Ahmadinejad walking between centrifuges in the Fuel Enrichment Plant in Natanz, Iran
STUXNET
How did STUXNET sabotage the centrifuges?
Reprogrammed the PLCs:
• Modified the frequency of their power supply, causing the centrifuges to speed up and slow down
• One hour a day, once a month
• Man-in-the-middle exploit – sent back normalized data to avoid identification
STUXNET – Technical
• Infected network via USB flash drive
• Propagated through MS Windows operating systems
• Scanned for Siemens Step7 software controlling PLCs
• At least four zero-day exploits
• Received updates and reported back to servers in Denmark and Malaysia
• STUXNET was marginally successful – slowed the Iranian uranium enrichment process by two years and damaged 20% of their centrifuges
Stuxnet – A Game Changer
Key Points:
• Very high level of sophistication
• Sabotage is now a hacking objective
• Internet and IT have become weaponized
• The term “cyberwar” enters the public lexicon
• 2013 Presidential Order 13636 – corporate assets are now part of national security
City of Raleigh - Public Utilities Department
• 500,000 customers (Raleigh, Wake Forest, Garner, Knightdale, Wendell, Zebulon)
• Two Water Treatment Plants
• One Waste Water Treatment Plant
• Over $1.3bn in infrastructure – plants, pumps, pipes, lift stations, water towers
Falls of the Neuse Waste Water Treatment Plant
E.M. Johnson Water Treatment Plant, Raleigh NC
SCADA Security Audit
In 2013 we initiated an audit of SCADA security. Why?
• 2012 - STUXNET story becomes public
• Extensive use of PLCs in water production and waste water management
• PLCs are NOT designed with security in mind
• Minimal understanding of SCADA and PLCs in the IT department
• Potentially catastrophic impact if PLCs were compromised
http://www.threatgeek.com
Before the Audit…
After the Audit…
Agenda
1. PLCs, SCADA and Stuxnet
2. Selecting Audit Standards
3. Audit Scope
4. Audit Report & Follow Up
Audit Objective
Is security over the SCADA system adequate?
Who Performed the Audit?
Internal Audit or Hire a Specialist
Why?
• Learning Curve
• Knowledge Transfer
• Control over Report Writing
The Challenge: Finding Someone with SCADA Audit Experience
Defining Responsibility for SCADA
Does the Public Utilities Department have IT Staff?
http://heroized.com/hero/cyber-sentry/
Audit Subject – Public Utilities SCADA Network Security
http://www.yokogawa.com/us/technical-library/application-notes/scada-cyber-security.htm
Network diagram showing: City of Raleigh Central Network; Public Utilities Department SCADA Network; PLCs at the Treatment Plants
Audit Criteria
• ISO 27001 / ISO 27002
• NERC CIP 002 & CIP 003
• Framework for Cybersecurity Policy
• ISA – ANSI/ISA-62443
• NIST 800-53 and NIST SP 800-82
Audit Criteria
• NIST – Framework for Improving Critical Infrastructure Cybersecurity
• AWWA: Process Control System Security Guidance for the Water Sector & Cybersecurity Tool
• Executive Order 13636 – Improving Critical Infrastructure Cybersecurity
NIST - Framework for Improving Critical Infrastructure Cybersecurity
http://www.complianceforge.com/nist-cybersecurity-framework-compliance-policies-standards
http://www.nist.gov/cyberframework/
NIST - Framework for Improving Critical Infrastructure Cybersecurity – Subcategory ID.AM-1
Framework Core excerpt (columns: Function | Category | Subcategory | Informative References):
Function: PROTECT (PR)
Category: Awareness and Training (PR.AT)
Subcategory: PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities
Informative References:
· CCS CSC 9
· COBIT 5 APO07.03, APO10.04, APO10.05
· ISA 62443-2-1:2009 4.3.2.4.2
· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2
· NIST SP 800-53 Rev. 4 PS-7, SA-9
SP 800-53 Rev. 4 Table D-2 (Partial): Security Controls for Access Control (AC)
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
http://www.complianceforge.com/nist-cybersecurity-framework-compliance-policies-standards
Scope of the Audit
Audit Plan/Testing
PS-7 THIRD-PARTY PERSONNEL SECURITY
Control: The organization:
a. Establishes …security roles and responsibilities…
b. Requires third-party providers to comply with personnel security policies and procedures …;
c. Documents personnel security requirements;
d. Requires third-party providers to notify …of any personnel transfers or terminations …; and
e. Monitors provider compliance.
Preliminary Cybersecurity Framework - Framework Core, mapped to AWWA Guidance and NIST 800-53 (based on alignment made in the Cybersecurity Framework)
Columns: Functions | Categories | Subcategories | AWWA Guidance Control | NIST 800-53 Mitigating Control Description
Function: PR Protect
Category: AT Awareness and Training
Subcategory: PR-AT-3: Third-party stakeholders (suppliers, customers, partners) understand roles & responsibilities
AWWA Guidance Control: AT-2
NIST 800-53 Mitigating Control: PS-7, SA-9
Audit Plan/Testing
Logical Security
  • Monitoring Event Logs
  • Anti-virus and/or Anti-malware
Network Security
  • Remote Access
  • Network Connections
Physical Security
  • PLCs
  • SCADA Servers & Workstations
Audit Plan/Testing
Governance:
• Policies and procedures
• Training requirements
• Documented roles and responsibilities
• Periodic and documented risk assessments (e.g. monitoring firewalls, establishment of an insider threat program, and vulnerability scans)
Traditional Areas:
• Inventory
• Event Logs and Monitoring
• Security Alerts and follow-up process
• Firewall configurations
• Change controls
• UPS (Uninterruptible Power Supply)
• USB ports
Audit Report
• Table Presentation for Technical Findings, with columns: Finding Number | Cybersecurity Framework Sub-Category | Finding | Risk | Risk Rating | Recommended Corrective Actions
• Report was written for a non-technical audience
Audit Report
• All findings were aligned with a corresponding AWWA Cybersecurity Guidance
• Communicated the Report to the IT Department, not just Public Utilities
Current Status
• Collaboration with Central IT
• Several of the Technical Findings Corrected