
© 2008, Byres Security Inc. www.tofinosecurity.com

The Need for Process Control System and SCADA Security

John van Leeuwen - MTL Instruments B.V.

MTL’s Scope in the Digital Plant


Agenda

• Who turned out the lights?
  • Making the case for industrial security

• Plugging the holes
  • Security strategies for control systems


Who Turned Out the Lights?

Making the case for industrial security


The Myths of Industrial Cyber Security

• Control Systems aren’t Vulnerable to Hackers or Viruses

• Nothing Much Has changed (so we are Safe)

• The SCADA System is Safe Because We Don’t Connect to the Internet

• Hackers Don’t Understand SCADA/PLC/DCS


Myth #1: The Browns Ferry “Security” Incident

• August 19, 2006: Operators at Browns Ferry Nuclear plant had to “scram” the reactor due to a potentially dangerous ‘high power, low flow condition’.

• Redundant drives controlling the recirculating water system failed due to “excessive traffic” on the control network.

• Traffic between two different vendors’ control products was likely the cause.

• Facility remained offline for 2 days.


Myth #1: Zotob Worm Security Incident

• August 18, 2005: 13 US auto plants were shut down by a simple Internet worm.

• Despite professionally installed firewalls between the Internet, the company network and the control network, the Zotob worm had made its way into the control system (probably via a laptop).

• Once in the control system, it was able to travel from plant to plant in seconds.

• 50,000 assembly line workers had to cease work during the outages.

• Estimated $14 million loss.


Myth #1: Lodz Tram System Security Incident

• January 8, 2008 – Teenage boy ‘hacks’ into the track control system of the Lodz city tram system, derailing four vehicles.

• He had adapted a television remote control so it could change track switches.

• Notice that the “Internet” is not involved…


The Incident in Harrisburg, PA

• Oct 2006: A foreign-based hacker (via Internet) infiltrates the laptop of an employee at the Harrisburg water system.

• Uses the employee’s remote access as the entry point into the SCADA system.

• The hacker then installs malware and spyware in a SCADA HMI computer.


But It Won’t Happen to My System…

“Most public utilities rely on a highly customized SCADA system. No two are the same, so hacking them requires specific knowledge”.

Scott Berinato; “Debunking the Threat to Water Utilities” CIO Magazine March 15, 2002


Security Incidents in the Water Industry

• Salt River Project SCADA Hack
• Maroochy Shire Sewage Spill
• Software Flaw Makes MA Water Undrinkable
• Trojan/Keylogger on Ontario Water SCADA System
• Viruses Found on Aussie SCADA Laptops
• Audit/Blaster Causes Water SCADA Crash
• DoS attack on water system via Korean telecom
• Penetration of California irrigation district wastewater treatment plant SCADA.
• SCADA system tagged with message, "I enter in your server like you in Iraq."


Security Incidents in the Oil Industry

• Electronic Sabotage of Venezuela Oil Operations
• CIA Trojan Causes Siberian Gas Pipeline Explosion
• Anti-Virus Software Prevents Boiler Safety Shutdown
• Slammer Infected Laptop Shuts Down DCS
• Virus Infection of Operator Training Simulator
• Electronic Sabotage of Gas Processing Plant
• Slammer Impacts Offshore Platforms
• SQL Slammer Impacts Drill Site
• Code Red Worm Defaces Automation Web Pages
• Penetration Test Locks-Up Gas SCADA System
• Contractor Laptop Infects Control System


Security Incidents in the Chemical Industry

• IP Address Change Shuts Down Chemical Plant
• Hacker Changes Chemical Plant Set Points via Modem
• Nachi Worm on Advanced Process Control Servers
• SCADA Attack on Plant of Chemical Company
• Contractor Accidentally Connects to Remote PLC
• Sasser Causes Loss of View in Chemical Plant
• Infected New HMI Infects Chemical Plant DCS
• Blaster Worm Infects Chemical Plant


Security Incidents in the Power Industry

• Slammer Infects Control Central LAN via VPN
• Slammer Causes Loss of Comms to Substations
• Slammer Infects Ohio Nuclear Plant SPDS
• Iranian Hackers Attempt to Disrupt Israel Power System
• Utility SCADA System Attacked
• Virus Attacks a European Utility
• Facility Cyber Attacks Reported by Asian Utility
• E-Tag Forgery Incident in Power PSE
• Power Plant Security Details Leaked on Internet


Where Do All These Come From?

• Byres Research Inc. maintains the Repository for Industrial Security Incidents (RISI) which tracks network security incidents that directly impact industrial operations.

• World’s largest collection of control system security incidents (over 140).

• Both malicious and accidental incidents are tracked.


Myth #2: “Nothing’s Changed, so We’re Safe”

[Chart: years 1994 to 2005 on the horizontal axis, vertical scale 10 to 30, annotated “Something Changes Here”]

Incident Drivers Before Q4/2001

• Incidents are primarily internally driven:
  • Inappropriate employee activity
  • Disgruntled employees
  • Accidental events

[Pie chart: Accidental 58%, External 27%, Internal 15%]


Incident Drivers After Q4/2001

• Most incidents are externally driven:
  • Virus/Trojan/Worm
  • System Penetration
  • Denial of Service
  • Sabotage

[Pie chart: External 61%, Accidental 32%, Audit or Other 5%, Internal 2%]


Myth #3: “We’re Safe Because We Don’t Connect to the Internet”

[Diagram labels: Internet; Office LAN; Plant Network; Control LAN; HIS; FCS; Infected Laptops; Mis-Configured Firewalls; Unauthorized Connections; External PLC Networks; Infected Remote Support; RS-232 Links; Modems]


How the Bad Guys Get In…

• Corporate WANs & Business Networks

• Directly from the Internet

• Trusted third parties

• Infected laptops being connected to the PCN

[Pie chart: Via Corporate WAN & Business Network 49%, Internet Directly 17%, Trusted 3rd Party Connection 10%, VPN Connection 7%, Dial-up modem 7%, Telco Network 7%, Wireless System 3%]


A Few Incorrectly Configured Firewalls…

• Study of 37 firewalls from financial, energy, telecommunications, media, automotive, and security firms...

“Almost 80 percent of firewalls allow both the "Any" service on inbound rules and insecure access to the firewalls. These are gross mistakes by any account.”

Avishai Wool, “A quantitative study of firewall configuration errors”, IEEE Computer Magazine, IEEE Computer Society, June 2004


Myth #4: “Hackers Don’t Understand SCADA”

• Brum2600 Blackhat Conference: “Things started to get a little more interesting… The talk was titled ‘How safe is a glass of water.’ It was a detailed breakdown of the RF systems that are used by water management authorities in the UK and how these systems can be abused, interfered with and generally messed.”

Source: The Register, October 20, 2003


The Hackers are Waking Up…

• Talk #16: SCADA Exposed “Cyber-attacks on these systems and subsystems can be targeted from remote locations to multiple locations simultaneously… This talk focuses on the assessment of the SCADA infrastructure and attack analysis of the more common SCADA protocols in use today.”

Source: Toorcon 2005 Website



Plugging the Holes

Security strategies for control systems


Solutions

DON’T throw out all IT security technologies and practices and start from scratch.

DON’T ignore the whole cyber security problem and hope it goes away.


Solutions

DO borrow IT security technologies and practices but modify them and learn how to use them properly in our world.

DO develop a clear understanding of how industrial assumptions and needs differ from those of the IT world.


The Bastion Model of Security

• One possible solution is to install one big firewall between business and the control system.

• This is known as the Bastion Model since it depends on a single fixed point of security.

• Other examples of the bastion model:
  • The Great Wall of China
  • The Maginot Line


So Much for the Firewall…

• The Slammer Worm infiltrated a:
  • Nuclear plant via a contractor’s T1 line;
  • Power utility SCADA system via a VPN;
  • Petroleum control system via laptop;
  • Paper machine HMI via dial-up modem.

• Firewalls existed in at least three of these cases.


A Perimeter Defense is Not Enough

• We can’t just install a control system firewall and forget about security.

• The bad guys will eventually get in.

• So we must harden the plant floor.

• We need Defense in Depth.

Crunchy on the Outside - Soft in the Middle


Defence-in-Depth Strategy

• “By Defence-in-depth strategy, we mean the protection measures composed of more than one security control to protect the property.”

• “By the use of this kind of multi-layer measures, another layer will protect the property even if one layer is destroyed, so the property is protected more firmly.”

Yokogawa Security Standard of System, TI 33Y01B30-01E


Protecting the Edges

• The most important devices in a SCADA system are the edge devices like PLC, RTU, IED.

• They are very vulnerable to even simple attacks.

• How do we protect them?


The Solution in the IT World

• Your desktop has flaws so you add security software:
  • Patches
  • Personal Firewalls (like ZoneAlarm)
  • Anti-Virus Software
  • Encryption (VPN Client or PGP)

• But you can’t add software to your PLC or RTU…


Distributed Security Appliances

• Add hardware instead - a micro-firewall designed to be placed in front of individual control devices.

• Protects the device from any unauthorized contact, probing, commands, etc.


Distributed Security Appliances

[Diagram labels: Internet Attacks; Internet; Infected Business PC; Internet Firewall; Business Network; Business/Control System Firewall; DMZ; Infected HMI; Distributed FW (shown twice); DCS Controllers; Cluster of PLCs; SCADA RTU. Defense layers: Layer 5 Defense (Enterprise); Layers 3/4 Defense (Control System); Layers 1/2 Defense (Device)]

What is Needed in Industrial Security?

• Extensive research at BCIT showed that a successful industrial security appliance requires:
  • Industrial form factor and robustness
  • Electrician-friendly deployment
  • Control tech-friendly remote configuration and monitoring
  • Global management capability
  • Control system functionality
  • Extensibility beyond just packet filtering

Industrial Form Factor and Robustness

• Hardware specifications:
  • Form factor similar to common I/O or barriers
  • Temperature -40C to 70C
  • Dual power supply inputs, each with digital status input
  • Zone 2 FM and ATEX approved

• MUSIC Security Certified

[Figure callouts: DIN Rail Mount; Ethernet Ports; Serial Port Option (Q1 2009); Dual 9-32 VDC; Dual Digital Inputs; Secure USB Ports]

Electrician Friendly Deployment

• No IT knowledge required upon deployment
• Zero-configuration in field
• Attach the firewall to the DIN Rail
• Attach instrument power
• Plug in network cables
• Walk away…

• Device should allow all traffic on startup

• Simple Override for troubleshooting

Remote Configuration & Global Management

• Ability to configure & manage devices centrally

• Scalable – from one to thousands as plant expands

• Simple – Plant expansion should not mean network security is compromised

• Intuitive – Environment operators are familiar with

• Alarm handling, pass off to SCADA

Control System Functionality

• Need to “filter” by control protocols, not numbers:

“acl 201 permit tcp any eq 80 10.20.30.0 0.0.0.255 gt 1023 established” (Cisco PIX)

“$IPT -A PCN_DMZ -p tcp --dport ! $DH_PORT -j LOG_PCN_DMZ” (Linux iptables)

• MODBUS/TCP
• Ethernet/IP
• GE-Fanuc
• Siemens
• Honeywell
• Yokogawa
• Emerson
• Mitsubishi
• DNP
• PI
• Etc…
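Filtering by control protocol rather than by port number, shown as an added example (not from the original slides or from any vendor's product): a Python check that parses a Modbus/TCP request and permits only read-only function codes with in-range quantities. The names inspect_request and build_request and the sample frames are constructed for illustration.

```python
import struct

# Read-only Modbus function codes and the largest quantity each may request
# (limits from the public Modbus application protocol specification).
READ_ONLY = {
    0x01: ("Read Coils", 2000),
    0x02: ("Read Discrete Inputs", 2000),
    0x03: ("Read Holding Registers", 125),
    0x04: ("Read Input Registers", 125),
}

def inspect_request(frame: bytes):
    """Return (verdict, reason) for one Modbus/TCP request frame."""
    if len(frame) < 8:
        return "deny", "too short for MBAP header and function code"
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        return "deny", "protocol id is not 0, so this is not Modbus"
    # The MBAP length field counts the unit id plus the PDU that follows it.
    if length != len(frame) - 6:
        return "deny", "MBAP length does not match frame size"
    function = frame[7]
    if function not in READ_ONLY:
        return "deny", f"function 0x{function:02X} is not on the read-only allow-list"
    name, max_qty = READ_ONLY[function]
    if length != 6:  # unit id + function + 2-byte address + 2-byte quantity
        return "deny", f"{name} request has the wrong size"
    _addr, qty = struct.unpack(">HH", frame[8:12])
    if not 1 <= qty <= max_qty:
        return "deny", f"{name} quantity {qty} is outside 1..{max_qty}"
    return "allow", name

def build_request(tid, function, addr, value, unit=1):
    """Hypothetical helper: build a 12-byte request for the samples below."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, function, addr, value)

if __name__ == "__main__":
    # Constructed sample frames, not captured traffic.
    samples = {
        "read 10 holding registers": build_request(1, 0x03, 0, 10),
        "write single register": build_request(2, 0x06, 1, 0x00FF),
        "read 2000 holding registers": build_request(3, 0x03, 0, 2000),
        "HTTP sent to port 502": b"GET / HTTP/1.1\r\n\r\n",
    }
    for label, frame in samples.items():
        print(label, "->", inspect_request(frame))
```

A rule that only matches TCP port 502 would pass all four samples; the protocol-aware check passes only the first.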

More than a firewall?

• Flexibility – as the network changes, so does network security

• Protect from known vulnerabilities

• Firewall today, encryption tomorrow

• New requirements specific to Controls Industry (Deep Packet Inspection)

• Future-proof investment


Some Conclusions

• The landscape has changed – cyber security is a real concern.

• Process and SCADA owner/operators need to tailor any security solution to the risk, or industry is wasting its resources.

• Defense in Depth is critical to secure control systems.

“As long as we turn off the computer, we’ll be protected from hackers”

Questions?
