Securing SCADA

3/10/2016
1
SCADA Security
Challenges & Strategies
Jeffrey Wang, P. Eng.
2016, Oshawa
Acronym
ICS: Industrial Control System
DCS: Distributed Control System
SCADA: Supervisory Control and Data Acquisition
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human Machine Interface
TCP/IP: Transmission Control Protocol/Internet Protocol
IDS: Intrusion Detection System
COTS: Commercial off-the-shelf
ACL: Access Control List
DMZ: Demilitarized Zone
WAN: Wide Area Network
LAN: Local Area Network
Page 2 Securing SCADA prepared by Jeffrey Wang

3/10/2016
2
Content
Overview
Cyber Threats and Vulnerabilities
Security Challenges
Mitigation Strategies
References
Overview
SCADA system
Overview
SCADA System Components
SCADA System Functionality

3/10/2016
3
SCADA System - Overview
SCADA is an acronym for Supervisory Control and Data Acquisition.
SCADA is an Industrial control system (ICS).
SCADA System - Components
Typically SCADA system include the following components:
RTU (Remote Terminal Unit)
PLC (Programmable Logic Controller)
HMI (Human Machine Interface)
Field devices (Actuators and Sensors)
WAN(Wide Area Network): Wireless/RF communication devices
LAN (Local Area Network): Router and Switches
Centralized Server
Database Server (Data Historian)

3/10/2016
4
SCADA System - Functionality
Major functions of SCADA system including:
Field devices control via local or remote working mode
Collect field data and transmit to central control server via WAN network
Monitor processing and/or control field devices via HMI
Manage database for tracking and management analysis
SCADA System - Critical infrastructure
SCADA systems are critical national infrastructures
Canadian Critical infrastructure within the 10 sectors listed below:
• Energy and utilities
• Finance
• Food
• Transportation
• Government
• Information and communication technology
• Health
• Water
• Safety
• Manufacturing

3/10/2016
5
SCADA System - Tasks
SCADA system simply performs four tasks:
Data Acquisition
Data Communication
Data Monitor and Control
Data Historian
Data
Communication
Data
Acquisition
Data
Monitor & Control
Why securing SCADA system ?
Why?
IP-based technologies
Internet of Thing (IoT)
Cloud computing
Mobile computing
Threats growing (Cyber threats source refers to From Homeland Security ICS-CERT)
Hostile governments
Terrorist groups
Disgruntled employees
Malicious intruders.
GAO Threat Table (Source: GAO-Government Accountability Office)
Vulnerabilities increasing
Alerts (From ICS-CERT for control system/Government /Home & Business)
Alerts provide timely notification to critical infrastructure owners and
operators concerning threats to critical infrastructure networks.
Be proactive for potential cyberattack to SCADA system

3/10/2016
6
Vulnerabilities
Physical Vulnerabilities
Cyber Vulnerabilities
Vulnerabilities –ICS-CERT Alerts
Industrial Control Systems Cyber Emergency Response Team(ICS-CERT )
Publish cyber security alerts to three categories:
• Control System Users
• Government Users
• Home and Business
Examples:
ICS-ALERT-15-225-02A : Rockwell Automation 1766-L32 Series Vulnerability (Update A)
ICS-ALERT-11-204-01B : Siemens S7-300_S7-400 Hardcoded Credentials (Update B)
ICS-ALERT-12-097-02A : 3S CoDeSys Improper Access Control (Update A)
ICS-ALERT-11-256-06 : Beckhoff TwinCAT Vulnerability
ICS-ALERT-12-020-07A : WAGO IO 750 Vulnerabilities (Update A)
ICS-ALERT-12-136-01 : Wonderware SuiteLink Unallocated Unicode String
ICS-ALERT-12-020-02A : Rockwell Automation ControlLogix PLC Vulnerabilities (Update A)
ICS-ALERT-11-332-02A : Siemens SIMATIC WinCC Flexible (Update A)
ICS-ALERT-11-256-05A : Rockwell Automation RSLogix Overflow Vulnerability (UPDATE A)
Source: ICS-CERT Alerts: https://ics-cert.us-cert.gov/alerts

3/10/2016
7
Physical Vulnerabilities
Common Physical Vulnerabilities:
Inadequate policies, procedures, and culture governing control system security
Inadequately designed networks with insufficient defense-in-depth
Remote access without appropriate access control
Separate auditable administration mechanisms
Inadequately secured wireless communication
Use of a non-dedicated communications channel for command and control
Lack of easy tools to detect/report anomalous activity
Installation of inappropriate applications on critical host computers
Inadequately scrutinized control system software
Unauthenticated command and control data.
Common Cyber Vulnerabilities including:
Operating System Vulnerabilities
Interconnections
Open Source / Public Information
Authentication
Remote access
Monitoring and Defenses
Wireless access
SCADA/SQL/PLC Software

3/10/2016
8
Cyber Vulnerabilities in details:
Un-patched published vulnerabilities
Web-based HMI vulnerabilities
Improper authentication
Improper access control (authorization)
Buffer overflow in SCADA services
SCADA data and command message manipulation and injection
SQL injection
insecure protocols
unprotected transport of SCADA application credentials
Standard IT protocols with pain-text authentication
Vulnerabilities – Allen-Bradly/Rockwell PLC
Web-based access with default user ID and password
AB SLC505
AB Micrologix PLC
AB CompactLogix

3/10/2016
9
Vulnerabilities – Unprotected Authentication
MicroLogix 1400, It is easy to access with administrator and default password
Vulnerabilities – Access with Default ID & Password
Intruder can change access permission once granted access control.
Default IDs( administrator, and default passwords

3/10/2016
10
Vulnerabilities – Supervisory Control
Supervisory control: Write/Read memory block or disable the device
Cyber Attack - STUXNET
STUXNET: the most famous cyber attack by United States and Israel.
STUXNET worm was at first identified by a Belarus company VirusBlokAda in mid-
June 2010.
Physical Impact:
Sabotaging 1000 centrifuges at Iran’s Natanz nuclear plant
Stuxnet worm – now every hacker in the world knows about PLCs, HMIs
and the opportunities to attack them.
The Windows operating system
Siemens SIMATIC Step 7 and WinCC
Siemens S7 – 300/400 PLCs
S7-315-2/S7-417
USB flash memory
Zero-Day via Windows OS
DB memory block in PLC

3/10/2016
11
Cyber Attack - Insider
Insider hacks into sewage treatment plant
Queensland, Australia (2000) Disgruntled employee Vitek Boden hacks into
sewage system via WiFi from the company’s Parking lot and releases over a
million liters of raw sewage into the coastal waters.
Physical Impact”
Intruder controlled about 150 pump stations near three months
Released about 1 million litre of raw sewage into nearby rivers and parks.
Tools: Laptop, radio and wireless access
Security Challenges

3/10/2016
12
SCADA Security Challenges
Vulnerable operating system (OS) and applications in SCADA system are from
commercial off-the –shelf (COTS) including Linux, Mac OS, Windows and
embedded PLC OS (VxWorks);
Most industrial control network connected to corporation network with Internet
access. Especially IP-based technologies. Such as Wireless, IoT (Internet of
Things), Cloud computing, Mobile computing and smart metering;
Unsecure legacy system and devices are still widely used in SCADA system. No
updated firmware available , no patching. They are transparent to control
professional;
Open source communication protocols (Modbus, DNP3, IEC 61850,Ethernet/IP)
were not designed with security in mind and lack basic authorization features;
There are numerous unpatched and unpatchable systems;
Lack of remote access authentication, weak or default password;
Lack of physical security protection
.
Security Standards
• Security Standards
• Cyber Security Objective

3/10/2016
13
Industrial Control System Security Standards
Good News! There are many security standards….
NIST SP-800-82 : Guide to Industrial Control Systems Security
National Institute of Standards and Technology(NIST)
ISA/IEC-62443 (formal ANSI/ISA99) : Security for Industrial Automation and
Control Systems Security
The International Society of Automation (ISA)
The International Electrotechnical Commission(IEC)
NERC CIP- 006 : Physical Security of Critical Cyber Assets
North American Reliability Corporation(NERC)
Critical Infrastructure Protection(CIP)
TR12-002 : Industrial Control System (ICS) Cyber Security: Recommended Best
Practices (combined with NIST and ISA99 standards)
• Canadian Cyber Incident Response Centre (CCIRC)
Cyber Security Objective- I.T. Security Perspective
Three fundamental goals per NIST SP800-82 standard
Confidentiality
Any important information you have — such as employee, client
or financial records — should be kept confidential. This
information should only be accessed by people (or systems)
that you have given permission to do so.
Integrity
You need to make sure to maintain the integrity of this
information and other assets (such as software) in order to keep
everything complete, intact and uncorrupted.
Availability
You should maintain the availability of systems (such as
networks), services and information when required by the
business or its clients.

3/10/2016
14
Cyber Security Objective- SCADA Security Perspective
Availability
Confidentiality
Integrity
Integrity
Confidentiality
Availability
Mitigation Strategies
Physical Assets Security
Cyber Security
Cyber
Security
Standards
Physical
Security

3/10/2016
15
Mitigation Strategies - Recommendations
My recommendation:
NERC CIP-006 standard is intended to ensure the implementation of a
physical security program for the protection of Critical Cyber Assets
Cyber Security
NIST SP800-82 standard is cybersecurity guidance for Industrial Control
Systems (ICS) Security
ISA/IEC-62443 (ISA99) standard
Canadian Cyber Incident Response Centre(CCIRC)
TR12-002 :Industrial Control System (ICS) Cyber Security: Recommended
Best Practices
Mitigation Strategies - Risk Assessment
Sources of threats
External
Internal
Accidental
Vulnerabilities
Risks = Threats x Vulnerabilities x Impact

3/10/2016
16
Mitigation Strategies - NERC CIP Standards
NERC CIP standards Include 9 standards and 45 requirements:
CIP-002-1: Critical Cyber Asset Identification
CIP-003-1: Security Management Controls
CIP-004-1: Personnel and Training
CIP-005-1: Electronic Security Perimeters
CIP-006-1: Physical Security of Critical Cyber Assets
CIP-007-1: Systems Security Management
CIP-008-1: Incident Reporting and Response Planning
CIP-009-1: Recovery Plans for Critical Cyber Assets
NERC: North American Electric Reliability Corporation
CIP: Critical Infrastructure Protection

3/10/2016
17
Mitigation Strategies - Physical Protection Guideline
Physical Access Controls
The Responsible Entity shall document and implement the operational and
procedural controls to manage physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
Monitoring Physical Access
The Responsible Entity shall document and implement the technical and
procedural controls for monitoring physical access at all access points to the
Physical Security Perimeter(s) twenty-four hours a day, seven days a week.
Unauthorized access attempts shall be reviewed immediately and handled in
accordance with the procedures specified in Requirement CIP-008.
Logging Physical Access
• Logging shall record sufficient information to uniquely identify individuals and the
time of access twenty-four hours a day, seven days a week. The Responsible
Entity shall implement and document the technical and procedural mechanisms
for logging physical entry at all access points to the Physical Security
Perimeter(s).
Mitigation Strategies - Physical Security
Physical Security Purpose:
To assist you detect and identify threats and restrict access to sensitive area (server
room and important field equipment)
Detect
Be alerted to unauthorized entries or attempts
Be alerted to mechanical/electrical failures
Be alerted to remote site entry requests
Identify
Remotely view facility, people, equipment
View recorded information and events
Restrict and allow entry to facility
Create physical facility access logs
Prosecute offenders
Restrict
Keep the bad guys out

3/10/2016
18
Cyber Security
Mitigation Strategies - NIST SP 800-82 Standards
NIST SP 800-82 : Guide to Industrial Control Systems Security
Provide guidance for establishing secure ICS, including implementation
guidance for SP 800-53 controls
Content
Overview of ICS
ICS Characteristics, Threats and Vulnerabilities
ICS Security Program Development and Deployment
Network Architecture
ICS Security Controls
Appendixes
Current Activities in Industrial Control Systems Security
Emerging Security Capabilities
NIST: National Institute of Standards and Technology
SP: Special Publication

3/10/2016
19
Mitigation Strategies - Cyber Security Objective
Restricting logical access to the SCADA network and network activity
This includes using a demilitarized zone (DMZ) network architecture with
firewalls to prevent network traffic from passing directly between the corporate
and SCADA networks, and having separate authentication mechanisms and
credentials for users of the corporate and SCADA networks. The ICS should also
use a network topology that has multiple layers, with the most critical
communications occurring in the most secure and reliable layer.
Restricting physical access to the SCADA network and devices
Unauthorized physical access to components could cause serious disruption of
the SCADA’s functionality. A combination of physical access controls should be
used, such as locks, card readers, and/or guards.
Mitigation Strategies - Cyber Security Objective
Protecting individual SCADA components from exploitation
This includes deploying security patches in as expeditious a manner as possible,
after testing them under field conditions; disabling all unused ports and services;
restricting SCADA user privileges to only those that are required for each
person’s role; tracking and monitoring audit trails; and using security controls
such as antivirus software and file integrity checking software where technically
feasible to prevent, deter, detect, and mitigate malware.
Maintaining functionality during adverse conditions
This involves designing the SCADA so that each critical component has a
redundant counterpart. Additionally, if a component fails, it should fail in a manner
that does not generate unnecessary traffic on the SCADA or other networks, or
does not cause another problem elsewhere, such as a cascading event.

3/10/2016
20
Mitigation Strategies – ANSI/ISA99 Standard
Module 1: Defining Industrial Cybersecurity
Covers the concepts of physical, operational, and electronic security; and defines
Cybersecurity as it relates to industrial automation and control systems
Module 2: Risk Assessment
Covers the concept of risk and how safety plays a part in assessing possible
consequences from a cyberattack
Module 3: Threats and Vulnerabilities
Covers "social engineering" and how outsiders gather information to enable attacks
and to physically enter your secured areas
Module 4: Security Policies, Programs, and Procedures
Covers the creation and deployment of policies, standards, and procedures and how
they are a critical aspect of a security program
Mitigation Strategies – ANSI/ISA99 Standard
Module 5: Understanding TCP/IP, Hackers, and Malware
Covers the basics of the IP networking architecture and how computers are
addressed and how IP delivers information to computers and TCP/UDP to
complete the delivery to specified applications using port numbers
Module 6: Technical Countermeasures
Covers the technical countermeasures and technology that can be employed to
protect your systems, detect and remove malware, and block hacking attempts;
and explains the technologies such as firewalls, proxy servers, VPN, and
VLAN and how they relate to industrial automation systems
Module 7: Architectural & Operational Strategies
Covers ways to segment and isolate your process automation systems in order to
increase their reliability and Cyber security

3/10/2016
21
Mitigation Strategies -TR12-002 Recommendation
TR12-002 :Industrial Control System (ICS) Cyber Security: Recommended Best
Practices, by Canadian Cyber Incident Response Centre
1. Network Segmentation
2. Remote Access
3. Wireless Communications
4. Patch Management
5. Access Policies and Controls
6. Secure the Host (System Hardening)
7. Intrusion Detection
8. Physical and Environmental Security
9. Malware Protection and Detection
10. Awareness
11. Periodic Assessments and Audits
12. Change Control and Configuration Management
13. Incident Planning and Response
Useful software
Solarwinds Inc. URL: http://www.solarwinds.com/
Develops enterprise information technology (IT) infrastructure management
software for IT professionals.
Kaspersky - URL: http://www.kaspersky.com
Kaspersky Lab is an international software security group operating in almost
200 countries and territories worldwide.
Bitdefender- URL: http://www.bitdefender.com
Bitdefender products feature anti-virus and anti-spyware capabilities against
internet security threats such as viruses, Trojans, rootkits, rogues, aggressive
adware, spam and others.
McAFee - URL: http://www.mcafee.com
Intel Security Group (previously McAfee, Inc.) is an American global
computer security software
Symantec - URL: Http://www.symantec.com
Security, Antivirus and Backup Solutions provider

3/10/2016
22
References
NIST SP-800-82 Guide to Industrial Control Systems Security
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
ICS-CERT, ICS-TIP-12-146-01A—Targeted Cyber Intrusion Detection and Mitigation Strategies
http://www.us-cert.gov/control_systems/pdf/ICS-TIP-12-146-01A.pdf
CCIRC, TR11-002 Mitigation Guidelines for Advanced Persistent Threats
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2011/tr11-002-eng.aspx
ICS-CERT, Incident Response Summary Report 2009 – 2011
http://www.us-cert.gov/control_systems/pdf/ICS-
CERT_Incident_Response_Summary_Report_09_11.pdf
US-CERT, Control Systems Security Program (CSSP)
http://www.us-cert.gov/control_systems/
US-CERT, Recommended Practice: Improving Industrial Control Systems Cybersecurity with
Defense-In-Depth Strategies
http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
CPNI, CPNI Viewpoint: Securing the move to IP-based SCADA/PLC networks
http://www.cpni.gov.uk/Documents/Publications/2011/2011034-scada-
securing_the_move_to_ipbased_scada_plc_networks_gpg.pdf
International Society of Automation (ISA), ISA99, Industrial Automation and Control Systems
Security
http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
THANK YOU

Securing SCADA

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (7)

Similar to Securing SCADA

Similar to Securing SCADA (20)

Recently uploaded

Recently uploaded (20)

Securing SCADA