Implementing SCADA Security

Standards
Certification
Education & Training
Publishing
Conferences & Exhibits

Presenter: Kevin L. Finnan, Remote Automation Solutions, a division of Emerson Process Management

Topics
• Cyber security for PCs and networks
• Cyber security for RTUs/remote sites
• Using SCADA for infrastructure security

Focus of this Presentation
• Implementation
• Not addressing vulnerability assessments--use standards from your leading industry organization and keep up security audits
• SCADA systems in oil & gas, water & wastewater apps
• Not addressing personnel issues/threats, we’re not “personnel experts”

So, have there been any hacks into SCADA systems?
• Numerous - Demonstrations of Vulnerabilities by Security System Suppliers
• Unknown - “Friendly Hacks” into Energy and Transportation Systems by Federal Government Agencies to Assess Vulnerabilities
• Fewer than ten incidents in systems that are related to or connected to SCADA systems, or in systems in other industries, e.g. a railway SCADA system in Asia
• One, definite, and very well known hack into a wastewater SCADA system…just enough to show that it can happen...

So, have there been any hacks into SCADA systems?

'Sewage' hacker jailed
8th May 2002 - News.com.au

A COMPUTER hacker who avenged his rejection for a council job by deliberately allowing sewage to run into public parks and creeks on Queensland's Sunshine Coast was jailed for two years today.

In March last year, up to one million litres of raw sewage flowed into the grounds of the Hyatt Regency Resort at Coolum and nearby Pacific Paradise, where it ended up in a stormwater drain.

The Maroochydore District Court heard that 49-year-old Vitek Boden was a "disgruntled" former employee of the company that installed a computerised sewerage system for Maroochy Shire Council.

He applied for a job with the council but was rejected and later hacked into the council's sewage control computers, using radio transmissions to alter pump station operations.

The court was told on April 23 last year, police pulled Boden over in his car less than one hour after one of the sabotage attempts on the system.

They found a variety of electronic equipment, including a two-way radio and a computer with programs for hacking into the council's sewerage pumping stations.

A copy of the hard disk on Boden's laptop showed that it had been used at the same times as pump malfunctions.

Environmental Protection Agency (EPA) investigations manager Janelle Bryant today welcomed the court's decision, saying that damaging the environment was a criminal act and would be prosecuted accordingly.

"Vitek Boden's actions were premeditated and systematic, causing significant harm to an area enjoyed by young families and other members of the public," Ms Bryant said.

"Marine life died, the creek water turned black and the stench was unbearable for residents," she said.

Boden, of Springwood in Brisbane, was sentenced to two years jail after being found guilty on 46 counts of computer hacking and two counts of stealing.

He was also sentenced to 12 months jail to be served concurrently for wilfully causing serious environmental harm.

-AAP

Cyber Security Review - Computer Systems & Networks - 1
• Author’s favorite treatment of this topic: “Cyber Attacks and Their Potential Impacts on Infrastructure Reliability” by FBI S.A. Martin McBride at the Water Security Summit, December 4, 2001 in Hartford, CT.
• Above event was organized by Haestad Methods, Waterbury, CT (proceedings are available from Haestad Press, Waterbury, CT)

Cyber Security Review - Computer Systems & Networks - 2
• Another favorite: “21 Steps to Improve Cyber Security of SCADA Networks,” U.S. Department of Energy
• Available at www.ea.doe.gov/pdfs/21stepsbooklet.pdf

Cyber Security Review - Computer Systems & Networks - 3
Cyber Threats:
• Viruses, Worms, Zombies, Botnets, Trojan Horses, Denial-of-service attacks
Best of McBride:
• Connect to the Internet?
  • No = safest bet
  • If yes, you must keep control of access! Limit connections to one node!
• Fully configure firewalls.
• Use intrusion detection software.
• Turn off all unused Internet services (only enable the ones you will use)
• Keep anti-virus updated!

Cyber Security Review - Computer Systems & Networks - 4
More McBride & Other Practices:
• Stay away from e-mail! Use another service if you need to move messages around your system.
• Perform file maintenance, system maintenance and backups. These practices will prove invaluable if your system, or any portion of it, crashes for whatever reason! Timely recovery is the key!
• Plug all the access points (term borrowed from wireless networking & twisted for SCADA)...

SCADA “Access Points”
[Diagram labels: Control Room PCs; Network: Visibility outside of your secured area; LAN, WAN, Modem, Internet/e-mail; RTUs at Sites; Local port, Modem]
• Our smallest system: one HMI and one RTU
• Our largest: 16 servers & 10,000 RTUs
• Access points are fundamentally the same!

SCADA “Access Points”
[Diagram labels: INTERNET ?; Remote PCs; Alternate link or pager; IT LAN - ?; Control Room Access Control; “Submaster” access outside the Control Room; Servers/Front Ends; Wide Area Network; Critical Process Controllers or RTUs at Processes; Access Control ?]

General Recommendations beyond those in the Cyber Security Review
[Diagram labels: Control Room PCs; Network; RTUs at Sites]
• Configure/maintain/update all security features - e.g. passwords
• Use authentication wherever available.
• Use encryption wherever available (FIPS 140-2 is recommended), e.g. Ethernets, especially wireless nets.
• Use Virtual Private Networks (VPNs) rather than e-mail, Internet, dial-up for remote communication.

Secure Wide Area Networks
[Diagram labels: RTU at Site (secure); Network is an insecure section of the system!; Control Room (secure)]
• Do wide area networks allow hackers to horn in, that is, view messages, learn what they mean, access private information and send commands?
• Remedy: message encryption per AGA 12 - thanks, Bill Rush et al. at AGA and GTI

Secure Wide Area Networks - Further Selected Points
[Diagram labels: Network is an insecure section of the system!; RTU at Site]
• AGA 12 encryption technology for “low speed” SCADA networks is not quite ready -- monitor its progress.
• Review low speed net security anyway, e.g. protocol security/capabilities, network monitoring/status/detection, functional abilities (download parameters, programs)
• Consider CBO or SCOC techniques with user-defined key code - run scenarios to validate

Secure Wide Area Networks - Sensible System Design
• It is very important to follow rock solid system design practices and run the system using rock solid operating procedures
• Designing for system failures and for security breaches - fundamentals are the same
• Sensible system design practices keep the system working (reasonably) in case of failure of the host, the network, the RTU and utilities (power, provider network).

Redundant Wide Area Network
[Diagram labels: RTU at Site; Control Room]
Redundancy can make the difference before and after a security breach. Maintaining communication is urgent!

RTU Security - Serial Port
• Serious cyber hole to plug
• Best measure: Physical access control
• Primary risk: Remote access via modem
• Do without? McBride says it’s low risk but you must assess and decide
• Detection & reporting to SCADA operator
• Limit functionality
• Cryptographic protection and authentication - promising

RTU Security - Location
• Secure location with access control/restricted
• Out of sight, not a high-traffic area
• Location information not widely available
• Physical protection - keep doors closed, locked
• Protect from--and indicate alarms for--flooding, water spray, chemical spray, RFI (down the list but…)

RTU Security - Location
Control panels and keypads - either the room must be secure or these devices must be behind a locked door (or, much less preferably, a locked gate)

RTU Security
• Door Lock & Alarm
• Battery Backup
• Low Power/Loss of Power Alarm
• Power Protection
• Passwords for Keypads, PC ports
• Log Alarm (or Event) When Local User Plugs PC in or Signs On
• Log Event when Local User Changes Values

Alarming Best Practices for Vulnerable Areas
• Define alarm points sparingly - otherwise operators can be overloaded
• Use alarm management, e.g. sort by process unit or zone to avoid overload
• Eliminate nuisance alarms - the alarm system should never lose credibility with operators!
• Back up with local audit trail/alarm history in the RTU

Alarming Best Practices for Vulnerable Areas
Operating Procedures must include:
• Scheduling of site visits
• Requirement that site workers inform operators when they arrive and leave.
• Logging of all site visits as events (record keeping is very important!)
• Reactions to alarms including acknowledging, disabling and resetting them.

Advanced Alarm Techniques
• Rate of change, e.g. pressure drop - sometimes, limit alarms are too late or miss the actual problem
• Sanity check or process mismatch, e.g. influent pumps are on but settling basin is full
• Ratio alarm, e.g. chlorine feed rate vs. water flow

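The three techniques on this slide, evaluated once per scan alongside a conventional limit alarm. This is an added example, not code from the presentation or from any RTU product; the tag names, units, limits and trace values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Scan:
    t: float          # seconds since start of the constructed trace
    pressure: float   # line pressure, psi (assumed unit)
    pumps_on: bool    # influent pumps running
    basin_pct: float  # settling basin level, percent full
    cl_feed: float    # chlorine feed rate, lb/day (assumed unit)
    flow: float       # water flow, MGD (assumed unit)

# Hypothetical limits; real values come from the process engineers.
LOW_PRESSURE = 40.0       # psi, conventional limit alarm
MAX_DROP_PER_S = 0.5      # psi per second, rate-of-change limit
BASIN_FULL = 95.0         # percent
RATIO_BAND = (8.0, 12.0)  # acceptable chlorine lb/day per MGD of flow

def evaluate(scans):
    """Return (time, alarm) tuples; each alarm is raised once, on its rising edge."""
    alarms, active, prev = [], set(), None
    for s in scans:
        now = set()
        if s.pressure < LOW_PRESSURE:
            now.add("LOW_PRESSURE")
        # Rate of change: how fast the pressure fell since the previous scan.
        if prev is not None and s.t > prev.t:
            if (prev.pressure - s.pressure) / (s.t - prev.t) > MAX_DROP_PER_S:
                now.add("PRESSURE_RATE_OF_CHANGE")
        # Sanity check: two healthy-looking points that contradict each other.
        if s.pumps_on and s.basin_pct >= BASIN_FULL:
            now.add("PROCESS_MISMATCH")
        # Ratio alarm: chlorine dose must track flow, whatever the absolute values.
        if s.flow > 0 and not RATIO_BAND[0] <= s.cl_feed / s.flow <= RATIO_BAND[1]:
            now.add("CL_RATIO")
        # Report only newly active alarms so a standing condition does not repeat.
        alarms += [(s.t, a) for a in sorted(now - active)]
        active, prev = now, s
    return alarms

# Constructed trace: pressure falls quickly well before it crosses the low limit.
TRACE = [
    Scan(0, 80.0, True, 60.0, 20.0, 2.0),
    Scan(10, 79.0, True, 70.0, 20.0, 2.0),
    Scan(20, 70.0, True, 96.0, 20.0, 2.0),
    Scan(30, 60.0, True, 97.0, 20.0, 4.0),
    Scan(40, 38.0, False, 97.0, 40.0, 4.0),
]
```

On this trace the rate-of-change alarm is raised at t=20, two scans before the low-pressure limit alarm at t=40, and the ratio alarm fires at t=30 although feed rate and flow are each within a plausible range on their own.
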
Applications using Security integrated with SCADA

Video Security Application
• Implemented in a ControlWave RTU
• Camera images are stored securely in ControlWave flash memory.
• Provides pre and post-event image storage to capture full event.
• Supports one or multiple cameras for wide vulnerable area coverage.
• Pre-configured User Defined Function Block eliminates custom programming.
• Used in conjunction with process control logic.
• OpenBSI utility automatically recovers and displays video images.
• Compatible with TCP/IP and existing BSAP networks.

Typical Application
[Diagram labels: Pump Station with Tank; RTU; Contacts at doors and gates via DIs; Access Control via DI or Port; Motion Detector via DI; IP Camera via Ethernet; Pump Control; Existing SCADA Wide Area Network; Control Room]

Video Sequence
• Camera FTPs image every x sec (e.g. every five seconds) to RTU
• JPEG images for each camera are stored in folders in CW FLASH
• Alarm will cause upload, to the PC, of pre and post event folder
[Diagram labels: Pump Station with Tank; RTU at Site; Pump Control; Control Room; Better Bet for the Network: Ethernet or Wireless Ethernet]

Function Block
A function block was implemented as a ControlWave Designer add-in library allowing the application to be easily added to any ControlWave program. This function block handles all folder and file manipulation. It also generates the event alarm. One Security Vision function block is defined for each camera connected to ControlWave.

Utility at the PC
Upon receiving the time stamped event alarm notification, the entry will be added to the event list in the Security Vision window in OpenBSI.

Utility at the PC
Selecting the event will initiate scrolling of the event file images.

Camera Considerations
• Numerous IP cameras and web cams are available
• Indoor or outdoor installation
• Operating temperature range
• Preferred file transfer and communication combination is FTP via Ethernet/IP
• Our experience is with Axis cameras.

Installations
• Access control and physical security for pump station associated with elevated tank in water distribution system
• Access control for gate at wastewater treatment plant
• Physical security for chemical storage
• Monitoring for chlorinator control

Any Questions?

Thank You!