Control Systems Security Education
for the Federal Information Systems Security Professional
• What is a Control System (CS)?
• Why are they of concern:
– Generally?
– To me as an Educator?
• How can we help our agencies in this arena?
Dr. John Saunders
National Defense University
The views expressed herein are personal ones and do not reflect the official policy or position of the National Defense University, The
Department of Defense, or the U.S. Government.
[Figure: Simplified Control System (CS), with numbered callouts 1-4 for: Control System; Sensors, Switches; Valves, Pumps, Transformers; Resource. Courtesy NIST Manufacturing Engineering Lab, Intelligent Systems]
Control System – brains of an electronic and/or electromechanical system with sensors used to monitor & change levels or direct: air, water/fluid, electricity, traffic, fuel, etc.
What is a CS?
U.S. Government Facility
SOURCE: Vendor Site
Other frequently used terms for this arena include Distributed Control Systems or Supervisory Control and Data Acquisition (SCADA)
Local Infrastructure possibly using CSs
• Electrical distribution, & UPS
• Natural gas distribution
• Fuel Oil storage & flow
• Water storage & flow
• Lighting
• Heating, cooling, ventilation
• Fire alarms & suppression
• Elevators & escalators
• Gates & doors, alarms
• Video security cameras
• Traffic signals
• Process Line Control
Who Controls the Controls?
[Organization chart: Agency Head; Operations; Physical Plant; CIO; Functional Areas; Computer Network; Technicians; Administrators & Contractors?]
Who educates the controllers? Especially about security?
What are the concerns?
The Cultures
Physical Plant
• Focus
  – Safety
  – 100% Availability
  – Electro-mechanical
  – No updating, Aged equipment
• The Language
  – RTUs, PLCs, IEDs
  – DNP, Modbus
  – Low Bandwidth
  – Analog & Digital
• The Vendors
  – Allen Bradley(AB)/Rockwell, Honeywell, Siemens, Johnson Controls
Network Operations
• Focus
  – Security
  – 99.5% Availability
  – Electronic
  – Continuous Updating, New
• The Language
  – Routers, Switches, Servers
  – IP, Ethernet
  – High Bandwidth
  – All Digital
• The Vendors
  – IBM, Microsoft, CISCO, Dell
So what? …the Changing Landscape
The Changing Landscape
1. Remote connectivity/control of CS devices
2. Standardization of CS Protocols
3. Connection of CS & Business LANs
4. “Windowing” of CS & SCADA Control
[Figure: diagram with callouts 1-4; label: IP]
REMOTE ACCESS
SOURCE: GAO Report 04-140T Critical Infrastructure Protection: Challenges in Securing Control Systems. October 2003.
Access Airport Lighting Controls From your PDA
SOURCE: Vendor’s web site
Facility Electrical Grid Access via your cell phone
SOURCE: Vendor’s web site
Natural Gas Well Access via your browser
SOURCE: Vendor’s web site
Cost Justification
WAYNE, Pa., Oct. 24, 2002 -- Energy information systems and wind-powered generation will emerge as the two most critical energy technologies in the next
five years, according to a majority of energy entrepreneurs and investors surveyed at the EnerTech Forum in Phoenix last week. Scott Ungerer, Managing
Director of EnerTech Capital, said respondents believed energy information systems, which allow companies to better manage their energy use, would
continue to grow, particularly given the current economic climate. "With corporate America's increased focus on the bottom line, monitoring and managing
energy use is receiving more attention than ever by corporate users." On the telecommunications front, respondents predicted the following communications
technologies would be in widespread use in the next five years: broadband wireless (named by 68 percent) and optical networks (named by 51 percent). When
asked why utilities have been so slow to adopt energy management solutions like sophisticated monitoring, data collection, and equipment control and
dispatch, 49 percent said the economics of the technology is not yet compelling enough for utilities. The same percentage predicted that the energy
management market sector would remain fragmented for many years, with no clear and pronounced trend.
Operational Security
Partial List – Online Federal Government Installation DCS Network descriptions
SOURCE: Vendor’s web site
What can we do?
As Educators what can we do?
1. Raise Awareness
a) Of your building engineers in Computer Networks
b) Of your IT security engineers in Building Engineering
2. Encourage Inventory, Audit, Assessment of CS
3. Encourage application of easy, yet high payoff, countermeasures
4. Publicize the DOE 21 steps
5. Follow along with Process Control Security Requirements Forum & ISA’s SP99 progress
6. Learn the terminology
Raise Awareness
Improve Understanding & Connections between Computer/IT & Building Engineers
Educate
• IT Security Worker
  – Electronic
    • Equipment settings
    • Switch settings
    • Access Control
  – Computer Programming & Data
    • Creation
    • Execution
    • Storage
• Building/Campus Engineer
  – Supply & Discharge
    • Electricity
    • Water
    • Fuel
  – Circuit Settings
  – Valve Settings
  – Electro-Mechanical Equipment
  – Physical Plant Safety
Education Opportunities
• SANDIA National Labs
  – Assessment of SCADA systems; 2.5 days
  – Best Practices for SCADA Security & Design; 2 days
  – http://www.sandia.gov/scada/training_courses.htm
• NIST IEL Lab, Gaithersburg
• Instrumentation Systems & Automation Society (ISA)
  – IC32C - Cyber Security for Automation, Control, and SCADA Systems
  – http://www.isa.org
• AIChE
  – Cybersecurity for Process Control Systems in Chemical Plants and Refineries
  – http://www.aiche.org/education/cecrsdtl.asp?Number=553
• KEMA
  – Annual SCADA Cyber Security Conference
  – http://www.kemaseminars.com/
• Infosec Institute
  – SCADA Security: Protecting our Homeland Security
  – http://www.infosecinstitute.com/courses/scada_security_training.html
Encourage CS Inventory, Audit, & Vulnerability Assessment
Inventory table columns: System; CS Vendor; Operational Software / Firmware & Versions / Dates; Communications Protocols & Versions; Connection(s); Contact
Campus Security
Cameras
APC Cam System
Control Workstation
W2K SP 2.3
SNMPv 2.0; IPv4
Ethernet / IP
122.23.34.1-5; 122.23.35.15; 122.22.6.1-10
Mary O’Connor
(301) 555-3276
Campus Electric
Power
Schneider
PowerLogic
Modbus
Remote Dial-in
(301) 555-2525
Harry McDuff
(301) 555-3244
Bldg 12 Elevator Bank
Allen-Bradley
(Rockwell)
none
Bldg Ops
(301) 555-2300
Wireless RM9600
Meets ETS 300 220-3 400 470MHz operating frequency
25KHz channel spacing
16Kbaud over air
Harry McGullicuty
(202) 555-2304
Ethernet / IP
122.22.16.11
Joe Horvath
(301) 555-1244
RAS Dial-in
(301)555-2536
Joe Horvath
(301) 555-1244
DH-485; IPv4
RSLinx Gateway to
122.22.16.64
Mary O’Connor
(301) 555-3276
Modbus
HADAX Serial
Communications controller;
12 RTUs
Mary O’Connor
(301) 555-3276
Campus Water Tower
A
Bldg B
HVAC
Bldg 4-6 HVAC
Honeywell Excel 500
Controller
LonWorks
FT 3120 and FT
3150 Free
Topology Smart
Transceivers;
EIA-709.1
Honeywell EXCEL
5000®
Bldg 12 Fire Alarm
Allen Bradley
Bldg 5 Fire
Suppression System
Johnson Controls
Metasys ® Intelligent
Fire Network
410-584-1160
RSLinxTM OPC Data
Access 2.0
Assessment Methodologies
• Sandia National Labs
  – RAM-T; RAM-D; RAM-W
  – http://www.sandia.gov/media/NewsRel/NR2001/ramdramt.htm
• ISS X-Force
  – http://documents.iss.net/whitepapers/SCADA.pdf
• Asset Based Vulnerability Checklist for Waste Water Utilities, AMSA, 2002.
  – http://www.vsatusers.net/pubs.html
• FERC Cyber Security Guidelines
  – http://www.nerc.com/~filez/cipfiles.html
• Energy Infrastructure Vulnerability Survey Checklists. Office of Energy Assurance, U.S. Department of Energy
  – http://www.esisac.com/publicdocs/assessment_methods/VS_Checklist_Attachment.pdf
  – http://www.esisac.com/publicdocs/assessment_methods/Risk_Management_Checklist_Small_Facilities.pdf
Promote High Profile CS Protection Measures
• Authentication - 2 factor preferred
– Tokens
– Dial Back
• Telephony Firewalls (see securelogix.com)
• Operations Security
• Physical Security
• Failure Mode
– Redundancy – dual, triple
– Disconnect with
• Ability to Bypass / Backup / Manually Operate
• Penetration Testing
21 Steps to Improve Cyber Security of SCADA Networks
1. Identify all connections to SCADA networks.
2. Disconnect unnecessary connections to the SCADA network.
3. Evaluate and strengthen the security of any remaining connections to the SCADA network.
4. Harden SCADA networks by removing or disabling unnecessary services.
5. Do not rely on proprietary protocols to protect your system.
6. Implement the security features provided by device and system vendors.
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network.
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring.
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns.
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security.
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios.
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users.
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection.
14. Establish a rigorous, ongoing risk management process.
15. Establish a network protection strategy based on the principle of defense-in-depth.
16. Clearly identify cyber security requirements.
17. Establish effective configuration management processes.
18. Conduct routine self-assessments.
19. Establish system backups and disaster recovery plans.
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance.
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls.
SOURCE: Office of Energy Assurance, U.S. Department of Energy.
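One way to put the CS inventory to work against the 21 steps, as an added example that is not part of the original slides: a short Python check that reads an inventory with the six columns from the inventory slide and lists the rows needing follow-up. The sample rows, the connection keywords and the pairing of each finding with steps 1, 7, 12 and 17 are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample inventory: column names abbreviated from the inventory slide;
# systems, vendor, addresses (RFC 5737 range) and phone numbers are made up.
SAMPLE_INVENTORY = """\
System,CS Vendor,Software/Firmware,Protocols,Connection,Contact
Bldg X HVAC,ExampleVendor,Controller fw 1.2 (2003-05),LonWorks,Ethernet / IP 192.0.2.11,J. Doe
Campus Power,ExampleVendor,,Modbus,Remote Dial-in (555) 555-0100,
Water Tower,ExampleVendor,RTU fw 3.0,Modbus,Wireless 400-470MHz,A. Smith
Bldg Y Elevators,ExampleVendor,PLC fw 2.1,DH-485,none,Bldg Ops
"""

# Assumed keywords for connection media that bypass the wired LAN perimeter.
BACKDOOR_MEDIA = re.compile(r"dial-?in|modem|wireless|radio", re.IGNORECASE)


def review_inventory(text):
    """Return {system: [findings]} for inventory rows that need follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        def cell(col):
            # Short or ragged rows yield None; treat them as empty cells.
            return (row.get(col) or "").strip()

        notes = []
        connection = cell("Connection")
        if not connection:
            notes.append("step 1: connection not recorded (enter 'none' if isolated)")
        elif BACKDOOR_MEDIA.search(connection):
            notes.append("step 7: dial-in/wireless path needs strong access controls")
        if not cell("Software/Firmware"):
            notes.append("step 17: no software/firmware version on record")
        if not cell("Contact"):
            notes.append("step 12: no responsible contact on record")
        if notes:
            findings[cell("System")] = notes
    return findings


if __name__ == "__main__":
    for system, notes in review_inventory(SAMPLE_INVENTORY).items():
        for note in notes:
            print(f"{system}: {note}")
```
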
CS/SCADA Security Guidance
• Security Standards Efforts
  – ISA’s SP99 Committee
    • http://www.isa.org/MSTemplate.cfm?Site=SP99,_Manufacturing_and_Control_Systems_Security1
  – NIST’s Process Control Security Requirements Forum (PCSRF) & IEL Lab
    • http://www.isd.mel.nist.gov/projects/processcontrol/
• SCADA Security Test Beds
  – Sandia http://www.sandia.gov/
  – INEEL http://www.inel.gov
• Industry Specific Guidance NERC, EPRI, AGA, CIDX
• Matthew Franz’s links: http://scadasec.net/
• Critical Infrastructure Protection: Challenges in Securing Control Systems. GAO Report 04-140T. October 2003.
• IT Security for Industrial Control Systems. Joe Falco, Keith Stouffer, Albert Wavering, Frederick Proctor, NIST. 2003.
• Other Documents/Guidance from Sandia http://www.sandia.gov/scada/documents.htm
Quiz Answers
1. Programmable Logic Controller
2. Terminal or Telemetry
3. d. Treasury Building, 15th & Penn Ave
4. a. Army
5. c. Three
6. d. All the Above
7. c. Protocol Analyzer
8. d. All the above
9. b. PCSRF
10. T, True