SCADA Cyber Sec | ISACA 2013 | Patricia Watson
1. Supervisory Control and Data Acquisition (SCADA) & Industrial Control Systems (ICS) Cyber Security
Patricia Watson, MBA, EnCE
Boise Inc.
Digital Forensics Program Manager
PatriciaWatson@BoiseInc.com
2. Disclaimer
Materials discussed in this presentation are the views of the author.
The author does not claim to be a SCADA Security expert!
This presentation is intended for discussion purposes, not to be relied upon as advice.
3. What we will cover
Fundamentals of SCADA/ICS
Over time SCADA/ICS “evolution”
SCADA/ICS vulnerabilities
SCADA/ICS security framework
Good practices
That’s a wrap!
Appendix – a few resources
5. Definition
From Wiki…
Supervisory Control and Data Acquisition (SCADA) is a type of industrial control system (ICS): computer-controlled devices that monitor and control real-time processes such as industrial, infrastructure, and facility-based processes.
http://en.wikipedia.org/wiki/SCADA
6. Fundamentals of SCADA systems
A few examples of SCADA/ICS systems:
Process Control Networks (PCN)
Distributed Control Systems (DCS)
Energy Management Systems (EMS)
Automated Meter Reading (AMR/AMI)
Building Automation Systems (BAS)
7. Fundamentals of SCADA systems
A few examples of SCADA subsystems:
Human-Machine Interfaces (HMIs)
Programmable Logic Controllers (PLCs)
Remote Terminal Units (RTUs)
Engineering Workstations (EWS)
Intelligent Electronic Devices (IED)
8. Fundamentals of SCADA systems
A few examples of industries that have SCADA/ICS include:
Agriculture
Energy
Food
Manufacturing
Water systems (drinking water & water treatment systems)
15. Over time SCADA “evolution”
SCADA networks were once composed of isolated workgroups containing proprietary systems that primarily communicated via serial ports.
Input and output was traditionally hardwired to controllers using electrical signals and pulses.
Original serial-based protocols were composed of one master station on the serial loop, which initiated the poll of data from the controllers.
16. Over time SCADA “evolution”
In 1968, Dick Morley designed and built the first operational PLC, which is credited with significantly advancing the practice of automation in the manufacturing industry.
Automation is the use of machines, control systems & IT to optimize productivity, realize economies of scale and achieve predictable quality levels.
Source: http://en.wikipedia.org/wiki/Dick_Morley
17. Interconnection revolution!
As automation began to address the need for greater innovation, cost reduction and lean manufacturing, other components of SCADA systems joined the “evolution”:
Input/Output – analog-to-digital conversion
Serial-to-bus
“SMART” instrumentation (Modbus)
TCP/IP (LAN/WAN)
Data historians (OSIsoft PI)
Wireless sensors
Touch screens
Tablets (dashboards)
18. Over time SCADA “evolution”
As technological innovations were implemented into legacy SCADA environments to enhance efficiency and productivity, cyber security risks emerged:
Dated operating systems such as Windows NT and Windows 2000 cannot be patched or upgraded.
Applications such as Adobe Reader and Flash Player often remain unpatched through the life of the hosting device.
Vendors often require persistent bi-directional remote access in maintenance contracts.
Dual-homed environments and increased interconnectivity – data historians such as PI tend to straddle networks.
20. SCADA vulnerabilities
In addition to the inherent challenges, other factors contributing to lagging security practices include:
Because SCADA networks started out as “separate” segments, there is a persistent disconnect between SCADA users and network administrators.
Legacy & proprietary systems make even routine system maintenance, such as patching and updating, difficult or impossible.
There is a perception that SCADA devices are not compatible with anti-virus, monitoring and intrusion detection solutions.
Vendors are often reluctant to provide security protocols.
21. SCADA Vulnerabilities
Jonathan Pollet from RedTiger Security shared the following statistics at the 2013 SANS SCADA Security Summit:
Over 38,000 SCADA/ICS vulnerabilities were recorded from 2000-2008.
The maximum number of days between the time a vulnerability was discovered and the time it was disclosed was over three years.
The average time SCADA/ICS systems had latent vulnerabilities was 331 days.
Over 46% of the vulnerabilities discovered involved data historian applications, web servers and back-end databases.
Examples of risky behavior: iTunes, BitTorrent, anonymous FTP services, and Windows NT, 2000 & Vista being used as hosts for HMIs.
25. Security frameworks
The 2009 National Infrastructure Protection Plan (NIPP)
Standard for Industrial Automation and Control Systems Security (ISA 99), now referenced in NIST 800-53
The National Institute of Standards and Technology (NIST) SP800-82 Standard
Chemical Facility Anti-Terrorism Standards (CFATS)
The Enhanced Critical Infrastructure Protection (ECIP) initiative, created in 2007 by the Department of Homeland Security (DHS)
The US-based North American Electric Reliability Corporation (NERC) enforces the Critical Infrastructure Protection (CIP) framework
26. Risk Management Framework (ISO 31000)
http://csrc.nist.gov/cyberframework/rfi_comments/040513_cgi.pdf
28. Good practices
Start with the “basics”:
Network segmentation and DMZ
AV, updates, patches, AD services, data historians and improved system management rolled out through the use of a SCADA/ICS DMZ
Secure remote access
Deploying and managing IDS/IPS
Security event monitoring and logging
Build-out of a security framework
Periodic security risk assessments (non-intrusive)
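Two of the “basics” above, segmentation through a DMZ and security event monitoring, can be checked against each other with a simple log rule. The following is an added example, not material from the presentation or from RedTiger Security: it assumes a constructed three-zone layout (control, DMZ, corporate), a constructed flow-record format with `src=`, `dst=`, `dport=` and an optional Modbus `fc=` field, and an assumed list of operator stations permitted to issue Modbus writes; it flags any flow into the control zone that did not come through the DMZ, and any Modbus/TCP write from a host that is not an approved writer.

```python
import ipaddress
import re

# Constructed zone layout for this example (not from the presentation).
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/24"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/24"),
}
# Assumed: only the HMI and the engineering workstation may issue Modbus writes.
ALLOWED_WRITERS = {"10.10.0.2", "10.10.0.3"}
# Modbus function codes that change process state (write coils/registers).
WRITE_FCS = {5, 6, 15, 16}
LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)(?: fc=(\d+))?")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(line):
    """Return alert strings for one flow record (empty list if it is clean)."""
    m = LINE_RE.search(line)
    if not m:
        return ["unparsable: " + line.strip()]
    src, dst, dport, fc = m.group(1), m.group(2), int(m.group(3)), m.group(4)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    alerts = []
    # Segmentation rule: control-zone devices are reachable only from the control zone or the DMZ.
    if dst_zone == "control" and src_zone not in ("control", "dmz"):
        alerts.append(f"segmentation: {src} ({src_zone}) -> {dst} bypasses the DMZ")
    # Write rule: Modbus/TCP (port 502) writes only from approved operator stations.
    if dport == 502 and fc is not None and int(fc) in WRITE_FCS and src not in ALLOWED_WRITERS:
        alerts.append(f"modbus-write: fc={fc} from unapproved host {src} to {dst}")
    return alerts

def scan(log_text):
    return [a for line in log_text.splitlines() if line.strip() for a in check_flow(line)]

# Constructed sample records: HMI write, DMZ historian read, corporate host
# writing straight into the control zone, corporate host querying the historian.
SAMPLE_LOG = """\
2013-03-01T10:00:01 src=10.10.0.2 dst=10.10.0.7 dport=502 fc=16
2013-03-01T10:00:05 src=10.20.0.10 dst=10.10.0.7 dport=502 fc=3
2013-03-01T10:00:09 src=10.30.0.5 dst=10.10.0.7 dport=502 fc=6
2013-03-01T10:00:12 src=10.30.0.5 dst=10.20.0.10 dport=5450
"""
```

Running `scan(SAMPLE_LOG)` on the constructed records yields two alerts for the third line (a corporate host both bypassing the DMZ and writing a register), and nothing for the HMI write, the historian’s read, or the corporate query to the DMZ.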
29. NERC: 13 Management Practices
1. Leadership commitment (buy-in from top down)
2. Analysis of threats, vulnerabilities, and consequences (risk assessments)
3. Implementation of security measures (controls)
4. Information and cybersecurity (awareness)
5. Documentation (procedures)
6. Training, drills & guidance (test controls)
7. Communication, dialogue & information exchange
8. Response to security threats (reporting)
9. Response to security incidents (forensics)
10. Audits
11. Third-party verification (leverage your vendors)
12. Management of change
13. Continuous improvement
30. Example of SCADA/ICS layers of controls
Source: Red Tiger Security: http://www.redtigersecurity.com/
34. In summary…
Key enabling technologies are only effective and valuable if they are strategically leveraged and applied through collaborative efforts, forward-thinking initiatives and practical solutions.
A long-term cyber security roadmap requires continuous collaboration and proactive application of industry security standards to day-to-day decisions involving devices on the SCADA network.
Because operational requirements for SCADA systems often conflict with cyber security requirements, solutions should be tested prior to implementation to avoid unintended disruptions.
37. A Few Handy Resources
RedTiger Security – Consulting firm that specializes in SCADA/ICS penetration testing and vulnerability assessments.
National Vulnerability Database – provides data that enables automation of vulnerability management, security measurement, and compliance.
INL SCADA Test Bed Program – This event provides intensive hands-on training for the protection and securing of control systems from cyber.
Department of Homeland Security Cyber Security Evaluation Tool (CSET).
Shodan – The scariest search engine on the Internet. Discloses SCADA systems with public IP addresses.