CYBER SECURITY TRENDS FOR FUTURE SMART GRID SYSTEMS
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
1.
2.
• THE INFRASTRUCTURE, WHAT IS IT AND WHY IS IT CRITICAL?
• CYBER ATTACKS ON ICS INFRASTRUCTURES
• TYPICAL DCS AND SCADA NETWORK
• Live SCADA Hacking Demonstration
• POSSIBLE SECURITY THREATS AND IMPACTS ON ICS
• COMMON ICS VULNERABILITIES
• RISK, WHAT IS IT AND HOW TO CALCULATE IT?
• SECURITY STRATEGIES
• ISO27001
12/03/2012 Protecting DCS and SCADA 2
3.
• Infrastructure is the basic physical and organizational structures needed for the operation of a society or enterprise (Wikipedia).
• What makes up the infrastructure
– Electricity
– Oil and gas plants
– Telecommunications
– Water treatment plants
– Food production
– Medical and Health
– Transportation
– Traffic control
– Banks
– Government security
• Why is it critical?
– National security and the economy depend on it
– Supports modern human life
– Sustains an inhabitable environment
– Hard to replace
– Expensive repairs
– Catastrophic impacts
4.
• Obviously it is not new
• Why is it becoming a pressing issue?
– It impacts the whole nation, resulting in loss of life, environmental damage, and billions of dollars.
– Why fight battles when you can do more damage from a single computer?
– Structured cyber attacks are becoming easier as automated tools emerge (BackTrack, malware).
– Systems are becoming more exposed to threats.
– Systems were designed with poor security.
Chart: Incident events by date from 1982 to June 1, 2006 (source: THE INDUSTRIAL ETHERNETBOOK, May 2007)
5.
2010: Stuxnet worm
The worm attacks Windows machines and replaces a DLL file used by Siemens systems with a modified DLL that provides the same functions but executes additional code, enabling the attacker to spy on databases and projects and alter data sent to PLCs.
The affected countries are Iran (58.85%), Indonesia (18.22%), India (8.31%), Azerbaijan (2.57%), United States (1.56%), Pakistan (1.28%), Others (9.2%).
http://en.wikipedia.org/wiki/Stuxnet
http://threatinfo.trendmicro.com/vinfo/web_attacks/Stuxnet%20Malware%20Targeting%20SCADA%20Systems.html
6.
2009: Disgruntled employee
A former IT consultant intentionally tampered with a California oil and gas company's computer systems, one of which was the system used to detect gas leaks.
http://www.theregister.co.uk/2009/09/24/scada_tampering_guilty_plea/
7.
2008: Network design
After a software update was pushed from the business network to the SCADA network, the SCADA safety system forced an emergency shutdown, costing the Hatch nuclear power plant in Georgia millions of dollars and substantial repair and restoration expense. The business network was in two-way communication with the plant's SCADA network, and the update synchronized information on both systems, which caused some data related to the cooling system to go missing.
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
8.
2006: Hacker
The hacker compromised a Pennsylvania water treatment plant, injected a virus and spyware into its computer systems, and used them to distribute emails and pirated software, which affected water treatment operations.
http://www.gao.gov/assets/270/268137.pdf
9.
2005: Zotob worm
13 DaimlerChrysler U.S. automobile manufacturing plants were knocked offline for almost an hour.
Computer outages at heavy-equipment maker Caterpillar Inc.
Computer outages at aircraft maker Boeing.
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
10.
2003: Slammer worm
Crashed the network and disabled the safety monitoring system of the Davis-Besse nuclear power plant in Oak Harbor, Ohio for nearly 5 hours.
13,000 ATMs knocked offline in the U.S.
11,000 post offices knocked offline in Italy.
911 service stopped in Seattle.
SCADA of two U.S. utilities stopped.
Flights delayed or canceled at Houston.
http://virus.wikia.com/wiki/Slammer
http://www.securityfocus.com/news/6767
11.
2003: Sobig email virus
Knocked out the train signaling systems throughout the east coast of the U.S.
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
12.
2000: Disgruntled contractor
Through a wireless link he broke into the Maroochy Water Services SCADA system in Australia and released 800,000 liters of raw sewage into local parks, rivers and even the grounds of a Hyatt Regency hotel.
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf
13.
1999: Hacker
Controlled the gas flows in the pipelines of the Russian energy company Gazprom for a short time.
http://ciip.wordpress.com/tag/scada-incidents/
14.
1997: Hacker
Broke into the Bell Atlantic computer system in Worcester, Massachusetts, and disabled part of the public switched telephone network using a dial-up modem connected to the system. This attack disabled phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. The tower's main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland.
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
15.
Either:
• We are doing a better job than the 1st and 2nd world countries who invented these technologies.
• Everybody is happy and we don't have any enemies.
• We don't care about losses and we are good at covering up.
16.
• Different networks
– Field Network
– Control Network
– Corporate network
– WAN
• Three-tier architecture
• Challenges
– Management
– Security
– Resources
– Support
– Vendor
– Budget
• Trends
– Cut cost
– Integration
– Centralization
– Consolidation
– Virtualization and Cloud Computing
– Shared Services
– Outsourcing
• Different Security Zones
Diagram: security zones (Internet, Extranet, DMZ, Intranet, Field) separated by security controls; corporate servers and corporate DB, control center servers and control DB; corporate services, control and automation services, field services, IT services; production information, control data.
Network Penetration phases: Reconnaissance, Scanning, Gaining Access, Maintaining Access, Covering Tracks, Have FUN
18.
Possible Threats
• Humans, always the weakest link in the chain
• Natural disasters and extreme conditions
• Cyber warfare
• Foreign intelligence services
• Identity theft
• Malicious code
• Data and information leakage
• Denial of service
• Criminals, hacktivists, terrorists
• Industrial spies
Possible Impacts
• Loss
• Life
• Money
• Trust
• Reputation
• Competition
• Disruption
• Destruction
• Disclosure
• Violation
Threat sources (diagram): Natural; Human/Political; Environmental/Physical; Logical/Technical; You
Impact Areas
• Life
• Environment
• Technology
• Business
19.
• Weak security controls (design, configuration)
• Poor network design
• Improper input validation
– Buffer overflow
– Injections (SQL injection)
– Cross-site scripting
– Path traversal
• Poor access and identity control
• Weak communication protocols
• Poor authentication
• Code flaws
• Poor patch and change management
• Weak encryption
Vulnerability databases: US National Vulnerability Database; Open Source Vulnerability Database; SecurityFocus Vulnerability Database; Exploit-DB
20.
Follow a proven approach to risk management (AS/NZ 4360, OCTAVE, NIST SP 800-30, ISO27005).
• Qualitative Risk analysis: scenario based; describes the likelihood of a threat/event and its impact on the business.
• Quantitative Risk analysis: calculation of ALE; very difficult to put a monetary value on unquantifiable variables such as reputation.
Annual Loss Expectancy = Annual Rate of Occurrence X (Asset Value X Percent of Loss)
Risk matrix (Likelihood vs. Consequences):
Consequences:       1 Insignificant  2 Minor  3 Moderate  4 Major  5 Catastrophic
A (almost certain)  H                H        E           E        E
B (likely)          M                H        H           E        E
C (possible)        L                M        H           E        E
D (unlikely)        L                L        M           H        E
E (rare)            L                L        M           H        H
E = Extreme Risk, immediate action
H = High Risk, action should be taken to compensate
M = Moderate Risk, action should be taken to monitor
L = Low Risk, routine acceptance of risk
Risk management process (diagram): Identify Assets -> Identify the threats to the assets -> Identify vulnerabilities that might be exploited by the threats -> Identify and evaluate impacts on the assets -> Analyse and evaluate the risks -> Identify options for treatment of risks -> Select control objectives and controls
Based on the OWASP model (diagram): Threat Agent, Attack / Exploit, Weakness / Vulnerability, Counter Measures / Exposure, Technical Impact, Business Impact
CC Risk Management Concept Flow (diagram): Threat Source, Threat, Vulnerability, Safeguards, Controls, Risk, Compromised Asset, Assets
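The risk matrix and the ALE formula on this slide, coded as an added Python example that is not part of the original deck; the scenario names, annual rates of occurrence, asset values and loss percentages are constructed for illustration.

```python
# Added example (not from the slides): the 5x5 qualitative matrix above and the
# quantitative ALE formula, runnable over a constructed list of scenarios.
# Consequence columns 1..5 and likelihood rows A..E, exactly as on the slide.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
MATRIX = {
    "A": "HHEEE",  # almost certain
    "B": "MHHEE",  # likely
    "C": "LMHEE",  # possible
    "D": "LLMHE",  # unlikely
    "E": "LLMHH",  # rare
}
ACTION = {
    "E": "Extreme Risk, immediate action",
    "H": "High Risk, action should be taken to compensate",
    "M": "Moderate Risk, action should be taken to monitor",
    "L": "Low Risk, routine acceptance of risk",
}

def qualitative_rating(likelihood: str, consequence: int) -> str:
    """Risk level (L/M/H/E) for a likelihood letter A-E and a consequence 1-5."""
    likelihood = likelihood.upper()
    if likelihood not in MATRIX or consequence not in CONSEQUENCE:
        raise ValueError(f"expected likelihood A-E and consequence 1-5, got {likelihood!r}, {consequence!r}")
    return MATRIX[likelihood][consequence - 1]

def annual_loss_expectancy(aro: float, asset_value: float, percent_loss: float) -> float:
    """ALE = ARO x (Asset Value x Percent of Loss); percent_loss is a fraction 0..1."""
    if aro < 0 or asset_value < 0 or not 0.0 <= percent_loss <= 1.0:
        raise ValueError("ARO and asset value must be >= 0 and percent of loss within 0..1")
    return aro * (asset_value * percent_loss)

# Constructed scenarios (hypothetical figures): name, likelihood, consequence,
# annual rate of occurrence, asset value, percent of loss.
SCENARIOS = [
    ("Update pushed from business network crashes SCADA", "C", 4, 0.5, 2_000_000, 0.25),
    ("Insider tampers with gas leak detection system", "D", 5, 0.1, 5_000_000, 0.60),
    ("Malware on an operator workstation", "B", 2, 2.0, 50_000, 0.10),
]

def rank_scenarios(scenarios=SCENARIOS):
    """Return (name, qualitative rating, ALE) tuples sorted by ALE, highest first."""
    rows = [(name, qualitative_rating(lik, con), annual_loss_expectancy(aro, value, loss))
            for name, lik, con, aro, value, loss in scenarios]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for name, rating, ale in rank_scenarios():
        print(f"{rating}  ALE={ale:>12,.0f}  {name}: {ACTION[rating]}")
```

Running it shows how the two views can disagree: a scenario can rate Extreme on the matrix while another with a lower qualitative rating carries the larger ALE, which is why the slide lists both approaches.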
21.
• National ICS Security Strategy
– Establish a Saudi ICS Cyber Emergency Response Team (Saudi ICS-CERT) based on the US-CERT example, the ICS-CERT:
• Respond to and analyze control systems related incidents
• Conduct vulnerability and malware analysis
• Provide onsite support for incident response and forensic analysis
• Provide situational awareness in the form of actionable intelligence
• Coordinate the responsible disclosure of vulnerabilities/mitigations
• Share and coordinate vulnerability information and threat analysis through information products and alerts
– Coordinate with Saudi CERT (cert.gov.sa)
• Corporate Security Strategy
– Establish security governance; read the Information Security Governance Guidance for Boards of Directors and Executive Management, 2nd Edition
– Establish an Audit Program (ISO 19011), Vulnerability Management, Pen-Tests
– Design with security in mind (Security Zones)
– Follow a proven security framework (ISO27001) and carefully design the scope and objectives.
– Choose certified ICS vendors.
Org chart (diagram): Board; Steering Committee; SE; GMs
Enterprise strategy (diagram): Part of enterprise governance; Executives' responsibility; Business requirement; Support commitment; Roles and responsibilities are defined; Based on risk; Enforced; Awareness; Continuous review and enhancement
22.
• Why ISO27001?
• It is applicable to any business or system.
1. Establish the ISMS
1. Get management support
2. Define scope and objectives
3. Define the ISMS policy
4. Define the risk assessment approach
5. Identify the risks
6. Analyse and evaluate the risks
7. Identify and evaluate options for the treatment of risks
8. Select control objectives and controls for the treatment of risks
9. Obtain management approval of the proposed residual risks
10. Prepare a Statement of Applicability
2. Implement and operate the ISMS
3. Monitor and review the ISMS
4. Maintain and improve the ISMS