Transcript Slide 1

SCADA and Security Issues
Beyond the Hacker Threat
Revision 1.5 4/7/2008
By: Jeff Whitney & Chris Paul
2008, BRC and J&P
1
Introduction

• SCADA systems have evolved from being “secure by isolation,” to seeking and sometimes achieving security through the implementation of physical barriers, technology barriers (cyber), and policies and procedures.
• SCADA operators are now confronted with securing infrastructure that addresses emerging threats, enterprise connectivity, commercial off-the-shelf software, public communication paths, and existing and emerging regulatory requirements.

Introduction (cont.)

• This paper will discuss SCADA Security Compliance (regulatory and legal), addressing both the physical and cyber security components.
• The paper will also address solutions to assist operators with compliance.

Background

Oil and gas pipelines are a major component of the energy and transportation industries of the United States. There are “[two] million miles of oil and gas pipelines in the U.S.”1 That is over 80 times the circumference of the Earth at the equator.2

1 Jay Inslee, Issues – Pipeline Safety, http://www.house.gov/inslee/issues/pipeline/factsheet.html (last visited Oct. 16, 2007).
2 About.com, Geography – Circumference of the Earth, http://geography.about.com/library/faq/blqzcircumference.htm (last visited Oct. 26, 2007).

Oil pipelines are responsible for “delivering more than 14 billion barrels [of oil] . . . per year,” or “17% of all domestic freight moved nationwide.”3

3 American Petroleum Institute, Pipeline Security Preparedness, http://www.api.org/aboutoilgas/sectors/pipeline/securitypreparedness.cfm (last visited Oct. 26, 2007).

Natural gas “meets 23[%] of U.S. energy requirements” and is responsible for “heat[ing] 57[%] of U.S. households.”

Pipelines are the safest method for transporting oil and natural gas. Oil pipelines are safer than trucks, trains, and tank barges and ships, in terms of injuries, deaths, and fires or explosions. “Relative to pipelines, the safety performance of trucks has been dramatically inferior: death rates 103 times higher, injury rates 32 times higher, and fire/explosion rates 46 times higher.”4 The numbers were less dramatic for trains and waterborne transportation.

4 Allegro Energy Consulting, The U.S. Oil Pipeline Industry’s Safety Performance p. 36 (2008), available at http://www.pipeline101.org/HSSE/safety.html.

Pipelines are also the “most efficient and economical” means of transporting oil.5 Natural gas pipelines are also one of the safest modes of energy transportation. “According to the Department of Transportation . . . pipelines are the safest method of transporting . . . natural gas.”6 This is due in large part “to the fact that the infrastructure is fixed, and buried underground.”

5 Pipeline 101, Pipelines – Overview, http://www.pipeline101.org/Overview/index.html (last visited Oct. 26, 2007).
6 NaturalGas.org, The Transportation of Natural Gas, http://www.naturalgas.org/naturalgas/transport.asp (last visited Oct. 26, 2007).

The effects of a failure in the pipeline system could be quite far-reaching. A shutdown of certain pipeline operations could impact people, public water, energy, and national defense.7 A shutdown of operations could also impact other forms of transportation, as well as other critical infrastructures.

7 American Petroleum Institute, supra note 3.

But with all of the positives, the petroleum and transportation industries account for 44% of the industrial control system attacks from 2002-2004.8

8 Department of Energy & Department of Homeland Security, Roadmap to Secure Control Systems in the Energy Sector, p. 11 (2006), available at http://www.controlsystemsroadmap.net/pdfs/roadmap.pdf.

The Current Environment

Despite the obvious importance of the U.S. pipeline system, and the realistic threats faced, there remains a relatively limited amount of black letter law pertaining to pipeline security. Pipeline facility operators are often left with nothing but their own good judgment to guide them when implementing security measures. And whether judgment was “good” may be determined in hindsight.

There are several studies and sources of guidance available. Multiple organizations, including the Department of Homeland Security (DHS) and Department of Transportation (DOT), have issued documents that address the security issue. These two agencies have stated that they will work together to develop “standards, regulations, guidelines or directives affecting transportation security.”9

9 Department of Transportation & Department of Homeland Security, Annex to Memorandum of Understanding Concerning Transportation Security Administration and Pipeline and Hazardous Materials Safety Administration Cooperation on Pipeline and Hazardous Materials Transportation Security, p. 3 (2006).

In a Memorandum of Understanding between the DHS and DOT, the Transportation Security Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) outlined each party’s roles and responsibilities concerning pipeline and hazardous materials security. The TSA, acting under the authority of DHS, will “act[] as the lead Federal entity for transportation security, including hazardous materials and pipeline security.” Under DOT, “PHMSA is responsible for . . . identifying pipeline safety concerns and developing uniform safety standards.”

TSA has issued the “Pipeline Modal Annex.”10 This document “was developed to ensure the security and resiliency of the pipeline sector.”
• Provides a nationwide plan for securing pipeline facilities.
• Discusses the type of threats to pipelines.
• Discusses the “Federal Agencies Responsible for Pipelines.”
• Discusses its goals and objectives:
  – prevention of terrorist threats to the transportation system,
  – enhancing the transportation system’s resiliency, and
  – improvements in the area of cost-effective use of transportation security resources.
• Includes a section describing the way in which “TSA will use risk-based programs to achieve the overarching Transportation Sector goals.”

10 Transportation Security Administration, Pipeline Modal Annex (2007), available at http://www.tsa.gov/assets/pdf/modal_annex_pipeline.pdf.

The DHS “Catalog of Control Systems Security Requirements” offers more detailed guidance.11 This was prepared for the DHS by the Department of Energy’s Idaho Operations Office. The word “requirements,” however, is misleading since the information in the document consists of recommendations for increasing control system security, and is not actually law that must be implemented. Further, the document is not specifically aimed at the pipeline industry, but rather at any industry that uses control systems. It provides “various industry sectors the framework needed to develop sound security standards, guidelines, and best practices.” In doing so it draws on “various industry standards” to “explain recommended security controls and mechanisms.”

11 Department of Homeland Security, Catalog of Control Systems Security Requirements (DRAFT) (2007).

The document recognizes that not all of the information will be “appropriate for all applications, so it will be necessary [for the operator] to determine the level of protection needed and only apply the guidance as appropriate.” This guidance pertains to, among other things, management policies and accountability, mitigating threats, and access control.12

12 Catalog of Control Systems Security Requirements, supra note 23.

A follow-up was published by the DHS in January 2008. The document is titled “Catalog of Control Systems Security: Recommendations for Standards Developers.”13 “The term ‘Control systems’ . . . includes Supervisory Control and Data Acquisition Systems [SCADA], Process Control Systems, Distributed Control Systems, and other control systems specific to any of the critical infrastructure industry sections.” The document states that “[d]ecisions regarding when, where, and how these standards should be used are best determined by the specific industry sectors.”

13 Department of Homeland Security, Catalog of Control Systems Security: Recommendations for Standards Developers (2008).

Issues addressed, among many others, are:
• “Management Accountability,”
• “Physical and Environmental Security,” and
• “Security Awareness and Training.”

The DOT has also offered useful information to pipeline operators in the form of a document titled “Pipeline Security Contingency Planning Guidance.”14 This document is somewhat narrowly tailored in that it is specifically concerned with terrorist threats to pipelines. It was developed to “ensure that pipeline owners and operators are able to discourage attacks and respond quickly and effectively if attacks occur.”

14 Department of Transportation, Pipeline Security Contingency Planning Guidance (2002).

It was a joint collaboration, with input from industry representatives, the Department of Energy (DOE), and state pipeline security agencies, in addition to DOT. Consensus guidance on industry security practices recommends that each pipeline operator follow three steps:
1. assess the terrorist threats to its system;
2. assess the vulnerabilities of its system to these threats; and
3. develop and implement security, response, and recovery plans that address terrorism.

The document goes on to list ways in which operators can determine which facilities are “critical” and then lists appropriate security measures for such facilities, depending upon the then-current terror threat level.15

15 The threat levels used “mirror the Homeland Security Advisory System (HSAS). Under the HSAS, there are five levels of threat conditions, each identified by a description and corresponding color.”

The DOT’s “Pipeline Security Contingency Planning Guidance” is another resource to which pipeline operators may turn for guidance when determining the appropriate measures needed to secure their facilities.

The “National Strategy for the Physical Protection of Critical Infrastructures and Key Assets” further illustrates the effort to secure critical facilities against potential attacks.16 This is the result of consultation between numerous groups including federal agencies, public and private infrastructure owners, state and local governments, and the scientific community. The document is very broad in scope, but it specifically addresses both the energy and transportation sectors. In particular, it addresses security challenges facing pipelines and strategies for protecting them.

16 United States White House, National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003).

The DOT has continued its effort to provide security guidance to pipeline operators by issuing the “Pipeline Security Information Circular.”17 This circular provides a definition for critical facilities and offers information useful when developing and implementing security measures for critical facilities.

17 Department of Transportation, Pipeline Security Information Circular (2002).

The American Chemistry Council, Chlorine Institute, Inc., and the National Association of Chemical Distributors issued a document titled “Transportation Security Guidelines for the U.S. Chemical Industry.”18 This was “written for transportation specialists, plant managers, and others who have been given responsibility for the safe and secure transportation of their products and raw materials.” It addresses security risks associated with the transportation of hazardous materials. It is rather broad in scope, addressing all modes of transportation and all types of hazardous materials. Pipelines are specifically mentioned.

18 American Chemistry Council, Chlorine Institute, Inc., and National Association of Chemical Distributors, Transportation Security Guidelines for the U.S. Chemical Industry (2001).

In 2006, the North American Electric Reliability Council published a document titled “Top 10 Vulnerabilities of Control Systems and their Associated Mitigations.”19 While the document is designed specifically for the electricity sector, it consists of security measures applicable to any sector using a computerized control system. This document “provides a non-prioritized list of the top 10 most common vulnerabilities to control systems.” The document recommends mitigation strategies for each of the vulnerabilities. The mitigation strategies are categorized as either “foundational, intermediate, [or] advanced.”

19 North American Electric Reliability Council, Top 10 Vulnerabilities of Control Systems and their Associated Mitigations (2006).

The American Petroleum Institute published “Security Guidelines for the Petroleum Industry.” The document was issued in 2003 and again in 2005.20 The 2003 document is more sector-specific and contains sections that pertain directly to pipelines, refineries, and marine transport, as well as other areas. The 2005 version applies more generally and does not contain individual sections for different areas of the petroleum industry.

20 American Petroleum Institute, Security Guidelines for the Petroleum Industry (2003) & (2005).

This is not an exhaustive list. There are other materials available for pipeline operators seeking security guidance. Therefore, despite a limited amount of black letter law, there are numerous sources of recommendations and expectations for pipeline system operators.

While recommendations are not required, they should not be casually disregarded. When comparing these standards and recommendations to the factors considered when prosecuting corporations, a striking similarity emerges.

The Department of Justice has also issued a document titled the “Hazardous Materials Transportation Initiative” (Hazmat Initiative). The Hazmat Initiative is in place to reduce the threat posed by terrorists to the transportation of hazardous materials and to further ensure that those businesses regulated by hazardous materials laws are more secure against potential risks. One of the Hazmat Initiative’s stated purposes is the “development of criminal prosecutions.”21 This reiterates the nexus between an adequate security policy and the possibility of a pipeline owner or operator being subject to criminal sanctions.

21 Statement of Assistant Attorney General Thomas L. Sansonetti Before the United States House of Representatives Committee on the Judiciary Subcommittee on Commercial and Administrative Law (2004), available at http://judiciary.house.gov/OversightTestimony.aspx?ID=145.

The Challenge to Operators

Ignoring the recommendations and guidance could lead to a corporation being charged with criminal negligence if an incident were to occur. For example, if an accident resulting in death occurred and an operator had not developed, implemented, and educated employees regarding proper security policies and procedures, the operator could be charged with criminal negligence.

The Challenge to Operators (cont.)

It is in the best interests of pipeline operators to develop and implement security policies and procedures for all aspects of their operations. It is also necessary that they ensure that all employees are properly aware of the security policies and procedures. By taking these important steps regarding security, an operator can prevent accidents from occurring and receive greater deference during an investigation if an accident does occur.

Compliance Process – Typical Approach

1. SCADA Technical Support Group evaluates current infrastructure to define exposures by performing a Cyber Security SVA.
2. Develop a remediation plan.
3. Implement.
4. Repeat #1 annually.

Pitfalls

• SVA does not typically include physical security, corporate policies and procedures, current regulatory requirements, or industry best practices.
• SVA is subjective.
• Evaluations and audits can create issues.
• Hindsight – “You should have known.”
• Records.

Solutions – Achieving Compliance in the Current Environment

• SCADA operators should begin to create a process to bring the SCADA environment into compliance.
• Management, Corporate, Security, Facilities, the IT Department, I&E and any other stakeholders should be consulted to assist with the process.
• Both physical and cyber security must be addressed.
• The compliance process should include a time frame to re-address the SCADA environment on an annual basis (Regulatory, Industry, Corporate), as the environment is not static.

The Holistic Model – C. Bodungen, BRC and CIDG (figure)

Compliance Process – Holistic Model Detail

1. Create a process to bring the SCADA environment into compliance.
2. Identify security compliance requirements (physical and cyber). Include regulatory requirements, industry best practices and corporate policies and procedures.
3. Create a matrix of requirements that are applicable to the SCADA environment.
4. Audit the existing SCADA environment (identify facilities, systems, communication infrastructure, etc.).
5. Define and perform a Security Vulnerability Analysis (SVA).***
6. Define and perform a GAP analysis utilizing the SVA results.***
7. Define a mitigation strategy (prioritizing vulnerabilities).
8. Remediate vulnerabilities where possible, using prioritized list (budgets,*** manpower, timing, etc. may impact remediation schedule).
9. Define an interval to update the matrix of requirements addressing changes in the environment.
10. Repeat steps 4 through 7.

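Steps 2 through 7 of the holistic model (requirements matrix, environment audit, SVA, gap analysis, prioritized mitigation) and the review interval of step 9 can be modeled as data so that the gap between what the environment must meet and what the audit found is computed rather than argued. The program below is an added example, not code from the slide deck or from BRC, J&P or CIDG. Every requirement id, control text, weight and audit/SVA finding in it is constructed sample data rather than a real regulatory or industry requirement, and the priority formula (consequence weight times SVA severity times distance from compliance, with regulatory sources ranking first on ties) is an assumption of the example, not a method the deck prescribes. It also treats a requirement the audit never assessed as an unknown gap rather than a closed one, which is where "you should have known" tends to bite.

```python
"""Requirements matrix and gap analysis for a SCADA compliance process.

Added illustration, not code from the slide deck or from BRC, J&P or CIDG.
It models steps 2 through 7 of the holistic process: build a matrix of
requirements from regulatory, industry and corporate sources, record what the
environment audit and the Security Vulnerability Analysis (SVA) found, compute
the gap, and return a prioritized remediation list. Every id, control text,
weight and finding below is constructed sample data, not a real standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Requirement:
    req_id: str
    source: str    # "Regulatory", "Industry" or "Corporate"
    domain: str    # "physical" or "cyber"
    control: str
    weight: int    # 1 (low) .. 3 (high): consequence if the control is absent


@dataclass(frozen=True)
class Finding:
    req_id: str
    status: str          # "met", "partial" or "unmet", from the audit
    sva_severity: int    # 0 (no exposure) .. 5 (critical), from the SVA
    note: str = ""


# How far from compliant each audit status is; drives the priority score.
STATUS_GAP = {"met": 0.0, "partial": 0.5, "unmet": 1.0}
# Tie-break: a regulatory gap outranks an industry one, which outranks corporate.
SOURCE_RANK = {"Regulatory": 0, "Industry": 1, "Corporate": 2}


def build_matrix(requirements):
    """Step 3: index the requirements by id; a duplicate id is a matrix error."""
    matrix = {}
    for req in requirements:
        if req.req_id in matrix:
            raise ValueError(f"duplicate requirement id {req.req_id}")
        if req.source not in SOURCE_RANK:
            raise ValueError(f"unknown source {req.source!r} for {req.req_id}")
        matrix[req.req_id] = req
    return matrix


def gap_analysis(matrix, findings):
    """Steps 6 and 7: compare audit/SVA findings against the matrix.

    Returns a dict with:
      gaps             list of (requirement, finding, score), highest score first
      unaudited        requirement ids the audit never assessed (gap unknown, not zero)
      orphan_findings  finding ids with no requirement in the matrix (matrix is stale)
    """
    by_id = {f.req_id: f for f in findings}
    gaps, unaudited = [], []
    for req_id, req in matrix.items():
        finding = by_id.get(req_id)
        if finding is None:
            unaudited.append(req_id)
            continue
        if finding.status not in STATUS_GAP:
            raise ValueError(f"unknown status {finding.status!r} for {req_id}")
        gap = STATUS_GAP[finding.status]
        if gap == 0.0:
            continue
        # Priority = consequence weight x exposure severity x distance from compliance.
        score = req.weight * finding.sva_severity * gap
        gaps.append((req, finding, score))
    gaps.sort(key=lambda g: (-g[2], SOURCE_RANK[g[0].source], g[0].req_id))
    orphans = sorted(fid for fid in by_id if fid not in matrix)
    return {"gaps": gaps, "unaudited": unaudited, "orphan_findings": orphans}


def next_review(last_review_iso, interval_days=365):
    """Step 9: the date (ISO 8601) the matrix and audit are due to be refreshed."""
    last = date.fromisoformat(last_review_iso)
    return (last + timedelta(days=interval_days)).isoformat()


# Constructed sample matrix and findings (hypothetical controls, not real standards).
SAMPLE_REQUIREMENTS = [
    Requirement("REG-1", "Regulatory", "physical", "Critical facilities fenced and access-controlled", 3),
    Requirement("IND-1", "Industry", "cyber", "SCADA network segmented from enterprise network", 3),
    Requirement("IND-2", "Industry", "cyber", "Vendor default passwords changed on field devices", 2),
    Requirement("CORP-1", "Corporate", "cyber", "Annual security awareness training recorded", 1),
    Requirement("CORP-2", "Corporate", "physical", "Control room door alarms tested quarterly", 2),
]
SAMPLE_FINDINGS = [
    Finding("REG-1", "met", 0),
    Finding("IND-1", "partial", 4, "remote access path bypasses the DMZ"),
    Finding("IND-2", "unmet", 3),
    Finding("CORP-1", "unmet", 1),
    Finding("OLD-9", "unmet", 2, "requirement retired but still being audited"),
]


def run_sample():
    """Run the gap analysis over the constructed sample data."""
    return gap_analysis(build_matrix(SAMPLE_REQUIREMENTS), SAMPLE_FINDINGS)


if __name__ == "__main__":
    result = run_sample()
    for req, finding, score in result["gaps"]:
        print(f"{score:4.1f}  {req.req_id:7} {req.domain:8} {finding.status:8} {req.control}")
    print("unaudited:", result["unaudited"])
    print("orphan findings:", result["orphan_findings"])
    print("next review:", next_review("2008-04-07"))
```

Two outputs besides the ranked list matter for the records side of the deck: `unaudited` is the list of requirements for which no evidence exists either way, and `orphan_findings` flags that the matrix has drifted from what is actually being audited, which is the condition step 9's update interval is meant to catch.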
Measuring Compliance in the Current Environment

The real standard which pipelines need to meet in achieving compliance is a combination of Corporate Policies and Procedures, Regulatory Requirements, and Industry Best Practices.

Managing Records and Communications throughout the Compliance Process

Records – 6 Cs to Avoid 7th
1. Creation
2. Content
3. Context
4. Control
5. Compliance
6. CYA

All Records are Evidence!

Creation – Do You Need to Make a Record? (Why am I really writing this down?)

• Does what I write capture the facts?
• Have I ensured that employee and community safety issues, if any, can be clearly identified by what I wrote down?
• Have I overstated ("made a mountain out of a molehill") or understated ("hidden a needle in a haystack") an event?
• Can you explain, without embarrassment, what was written – to a regulator? – to a lawyer? – to your boss? – to a judge and jury? – to the community?
• Would you want what you wrote to be printed in the newspaper or reported as a television sound bite, without an opportunity for you to explain the meaning and context?

Content and Context

• Avoid words which give legal opinions, legal conclusions, or characterize conduct (“The person in charge of the NDT was negligent.”).
• Do not guess, especially on cause. Don't use phrases such as: "I feel that . . ."; "I think that . . ."; "I believe . . ."; "I suppose . . ."; or "appears to be . . .". If you do not know, investigate.

Records – Hypothetical

I arrived just after dawn to conduct the security audit; Sam was with me. It was a nightmare (both the audit and being with Sam). We got with a Control Room operator who showed us the SCADA system since the supervisor was taking a smoke break. The door to the porch was unlatched. The operator showed us how he rigged his screens so he could watch the basketball tournament. The system seems to have more problems than a beta version of Vista. We're lucky we didn't have a huge major security breach as this was a problem waiting to happen. And any breach could have caused the line to blow up and cause death and major environmental damage. If our personnel would do their job we wouldn't keep having these problems or keep creating these situations – looks like we're out of compliance all over. I think the only way to fix this is to trash the system and start over again.

Control – New Legal Standards

Sarbanes-Oxley – Beyond Securities
• Obstruction provision: new liabilities affecting records retention policies.
• 18 U.S.C. § 1519. Destruction of documents “in contemplation” of a future “official proceeding” may be considered criminal, even if the documents are destroyed in accordance with a document retention program. Twenty-year maximum.

Compliance

• Revise compliance programs to reflect records management issues.
• Develop strong records creation, retention and recovery programs.
• Create effective means for employees to communicate compliance concerns.

Solutions

• Train on how to write.
• Develop written policies.
• Follow statutory document retention requirements.
• Manage e-mail.
• Manage “memos to file” and files “at home.”

6 Cs to Avoid 7th

• Create
• Content
• Context
• Control
• Compliance
• CYA

CYA

We all know what this means.

Conclusion

The approach to SCADA security must be holistic, incorporating both the physical and cyber components to achieve compliance. Taking this holistic approach will help maximize operational efficiency, help maintain a secure operating environment and minimize the risk of regulatory scrutiny and/or action, while achieving business objectives.