Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie SCADA Cyber Sec | ISACA 2013 | Patricia Watson
Ähnlich wie SCADA Cyber Sec | ISACA 2013 | Patricia Watson (20)
Mehr von Patricia M Watson
Mehr von Patricia M Watson (9)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
SCADA Cyber Sec | ISACA 2013 | Patricia Watson
- 1. Supervisory Control and Data Acquisition (SCADA) & Industrial Control Systems (ICS) Cyber Security Patricia Watson, MBA, EnCE Boise Inc. Digital Forensics Program Manager PatriciaWatson@BoiseInc.com
- 2. Disclaimer Materials discussed in this presentation are the views of the author. The author does not claim to be a SCADA Security expert! This presentation is intended for discussion purposes, not to be relied upon as advice.
- 3. What we will cover Fundamentals of SCADA/ICS Over time SCADA/ICS “evolution” SCADA/ICS vulnerabilities SCADA/ICS security framework Good practices That’s a wrap! Appendix – a few resources
- 5. Definition From Wiki… Supervisory Control and Data Acquisition (SCADA) is a type of industrial control system (ICS) which are computer controlled devices that monitor and control real-time processes such as industrial, infrastructure, and facility-based processes. http://en.wikipedia.org/wiki/SCADA
- 6. Fundamentals of SCADA systems A few examples of SCADA/ICS systems: Process Control Networks (PCN) Distributed Control Systems (DCS) Energy Management Systems (EMS) Automated Meter Reading (AMR/AMI) Building Automation Systems (BAS)
- 7. Fundamentals of SCADA systems A few examples of SCADA subsystems: Human-machine Interface(HMIs) Programmable Logic Controllers (PLCs) Remote Terminal Units (RTUs) Engineering Work Stations (EWS) Intelligent Electronic Device (IED)
- 8. Fundamentals of SCADA systems A few examples of industries that have SCADA/ICS include: Agriculture Energy Food Manufacturing Water systems (drinking water & water treatment systems)
- 12. Example of HMI tag creation
- 15. Over time SCADA “evolution” SCADA networks were once composed of isolated workgroups containing proprietary systems that primarily communicated via serial ports. Input and output was traditionally hardwired to controllers using electrical signals and pulses. Original serial-based protocols were composed of one master station on the serial loop which initiated the poll of data from the controllers.
- 16. Over time SCADA “evolution” In 1968, Dick Morley designed and built the first operational PLC, which is credited for providing significant advancement in the practice of automation for the manufacturing industry. Automation is the use of machines, control systems & IT to optimize productivity, recognize economies of scale and achieve predictable quality levels. Source: http://en.wikipedia.org/wiki/Dick_Morley
- 17. Interconnection revolution! As automation began to address the need for greater innovation, cost reduction and lean manufacturing, other components of SCADA systems joined the “evolution”: Input/Output - analog to digital conversion Serial-to-bus “SMART” instrumentation (Modbus) TCP/IP (LAN/WAN) Data historians (OSIsoft PI) Wireless sensors Touch screens Tablets (dashboards)
- 18. Over time SCADA “evolution” As technological innovations were implemented into legacy SCADA environments to enhance efficiency and productivity, cyber security risks emerged: Dated operating systems such as Windows NT and Windows 2000 cannot be patched or upgraded. Applications such as Adobe Reader and Flash Player often remain unpatched through the life of the hosting device. Vendors often require persistent bi- directional remote access in maintenance contracts. Dual-homed environments and increased interconnectivity – data historians such as PI tend to straddle networks.
- 20. SCADA vulnerabilities In addition to the inherent challenges, other factors contributing to lagging security practices include: Because SCADA networks started out as “separate” segments, there is a persistent disconnect between SCADA users and network administrators. Legacy & proprietary systems make even routine system maintenance, such as patching and updating, difficult or impossible. There is a perception that SCADA devices are not compatible with anti-virus, monitoring and intrusion detection solutions. Vendors are often reluctant to provide security protocols.
- 21. SCADA Vulnerabilities Jonathan Pollet from RedTiger Security shared the following statistics at the 2013 SANS SCADA Security Summit: Over 38,000 SCADA/ICS vulnerabilities were recorded from 2000-2008 The maximum number of days between the time the vulnerability was discovered to the time it was disclosed was over three years. The average time SCADA/ICS had latent vulnerabilities was 331 days. Over 46% of the vulnerabilities discovered involved data historian applications, web servers and back-end databases. Examples of risky behavior: iTunes, BitTorrent, Anonymous FTP services, Windows NT, 2000 & Vista being used as host to HMIs.
- 23. Don’t be the low-hanging piñata
- 25. Security frameworks The 2009 National Infrastructure Protection Plan (NIPP) Standard for Industrial Automation and Control Systems Security (ISA 99), now referenced in NIST 800-53 The National Institute for Standards and Technology (NIST) SP800-82 Standard Chemical Facility Anti-Terrorism Standards (CFATS) The Enhanced Critical Infrastructure Protection (ECIP) initiative was created in 2007 by the Department of Homeland Security (DHS) The US based North American Electric Reliability Corporation (NERC) enforces the Critical Infrastructure Protection (CIP) framework
- 26. Risk Management Framework (ISO 31000) http://csrc.nist.gov/cyberframework/rfi_comments/040513_cgi.pdf
- 27. Good practices
- 28. Good practices Start with the “basics”: Network segmentation and DMZ AV, updates, patches, AD services, data historians and improved system management rolled out through the use of SCADA/ICS DMZ Secure remote access Deploying and managing IDS/IPS Security event monitoring and logging Build out of security framework Periodic security risk assessments (non-intrusive)
- 29. NERC: 13 Management Practices 1.Leadership commitment (buy-in from top down) 2.Analysis of threats, vulnerabilities, and consequences (risk assessments) 3.Implementation of security measures (controls) 4.Information and cybersecurity (awareness) 5.Documentation (procedures) 6.Training, drills & guidance (test controls) 7.Communication, dialogue & information exchange 8.Response to security threats (reporting) 9.Response to security incidents (forensics) 10.Audits 11.Third-party verification (leverage your vendors) 12.Management of change 13.Continuous improvement
- 30. Example of SCADA/ICS layers of controls Source: Red Tiger Security: http://www.redtigersecurity.com/
- 31. Source: Red Tiger Security: http://www.redtigersecurity.com/
- 33. That’s a wrap!
- 34. In summary… Key enabling technologies are only effective and valuable if they are strategically leveraged and applied through collaborative efforts, forward-thinking initiatives and practical solutions. A long-term cyber security roadmap requires continuous collaboration and proactive application of industry security standards to day-to-day decisions involving devices on the SCADA network. Because operational requirements for SCADA systems often conflict with cyber security requirements, solutions should be tested prior to implementation to avoid unintended disruptions.
- 35. Questions?
- 36. Appendix – A few handy Sources
- 37. A Few Handy Resources RedTiger Security – Consulting firm that specializes in SCADA/ICS penetration testing and vulnerability assessments. National Vulnerability Database – provides data enables automation of vulnerability management, security measurement, and compliance. INL SCADA Test Bed Program - This event provides intensive hands-on training for the protection and securing of control systems from cyber. Department of Homeland Security Cyber Security Evaluation Tool (CSET). Shodan – The scariest search engine on the Internet. Discloses SCADA systems with public IP addresses.