A Future of SCADA and Control System Security


Transcript of A Future of SCADA and Control System Security

Page 1: A Future of SCADA and Control System Security

© 2003, Cisco Systems, Inc. All rights reserved.

A Future of SCADA and Control System Security

API Industry Security Forum (24 April ’03)

Matthew Franz ([email protected])

Critical Infrastructure Assurance Group (CIAG)

http://www.cisco.com/go/ciag/

Page 2: A Future of SCADA and Control System Security

Agenda

• Introduction

• Cisco and control system security

• Review of cyber threats, vulnerabilities, and countermeasures

• Addressing the need for secure SCADA

A sampling of cyber security initiative standards

Assessment of security products

Need for testing industrial-network devices

SCADA protocol enhancement

• Conclusion

Page 3: A Future of SCADA and Control System Security

Critical Infrastructure Assurance Group (CIAG)

http://www.cisco.com/go/ciag/

Page 4: A Future of SCADA and Control System Security

CIAG Control System Research Initiative

Vulnerability research – analysis and testing of design/implementation flaws in industrial products and protocols

Feature enhancement – identify new features in security and communication devices to reduce vulnerabilities and mitigate threats to control systems and networks

Architecture development – secure deployment and configuration of communication and security devices

Collaboration/advisory – participation in control system security forums and initiatives, leverage expertise in network and product security testing and evaluation

Page 5: A Future of SCADA and Control System Security

CIAG Research Initiatives

• Internal Research Projects

BGP Security Analysis & Testing

TCP/IP Stack Evaluation

Protocol Implementation Testing

Mobile/Wireless Security

BIND/DNS Security

Control System Security

• Coordination & Advisory

Interface with Government Cyber Security Organizations

Industry Working Groups (AGA-12, SP99, IETF, etc.)

• Research Sponsorship

Page 6: A Future of SCADA and Control System Security

Cisco’s Interest in Industrial Networking

• Industrial Ethernet is a new and growing market

• Identify unique security requirements to enhance Cisco products and secure customer networks

• Share our security expertise with the community

Participation in SCADA/DCS security initiatives

Collaboration with other vendors

External publication of findings

• Raise awareness of control system security issues, especially within the IT security community

Page 7: A Future of SCADA and Control System Security

Control System Trends

• Increasing integration of IT and SCADA networks

Will IP/Ethernet/Wireless be the primary transport?

• Ethernet is becoming a “fieldbus”

Leverage common network for control and data applications

Redundant, hardened, deterministic, ubiquitous

• Open communication protocols for automation

Modbus/TCP, Ethernet/IP, Foundation Fieldbus High Speed Ethernet (HSE), Interface for Distributed Automation (IDA), PROFInet

• TCP/IP-enabled controllers and IO devices that utilize “IT” technology

HTTP, SNMP, FTP, DHCP, OPC, DCOM, ActiveX, Java

Page 8: A Future of SCADA and Control System Security

Open Issues in SCADA Security*

• Will industrial devices be subject to the same design, implementation, and configuration vulnerabilities that plague IT products?

• How well do existing security products meet the needs of industrial devices, networks, and protocols?

• What new security technologies are needed to protect industrial networks?

• Do industrial vendors have the infrastructure to handle vulnerability identification and disclosure?

* Lots of FUD and inaccurate information about SCADA threats, vulnerabilities, and incidents

Page 9: A Future of SCADA and Control System Security

Where/how do vulnerabilities occur in products, protocols, and systems?

• Definition & Design

Inadequate or unrealistic security requirements

Lack of security features (i.e. encryption, authentication, authorization)

• Implementation

Insecure coding practices

Narrow focus on functionality testing

• Configuration & Deployment

Insecure features enabled by default

Failure to configure devices and applications properly

Page 10: A Future of SCADA and Control System Security

Known vulnerabilities in control system networks

802.11 Defaults (no WEP)

Weak/default passwords

Inadequate filtering on router/firewall

OS defaults

TCP/IP stack issues?

Protocol flaws?

OS/App flaws?

Windows HMI Flaws

WEP Flaws

Network infrastructure device DoS

Insecure comm links

Insecure devices & protocols

Less than weak authentication in devices and protocols

Insecure remote access

Undocumented commands/backdoors

(Categories: Configuration, Implementation, Design)

Page 11: A Future of SCADA and Control System Security

AGA 12-1 Cryptographic Protection of SCADA Communications

• Goal is to protect Master-Slave (RTU) communication links from a variety of active/passive attacks

• Develops standard “retrofit solution” for insecure communication links via “cryptographic modules”

Dialup, Frame Relay, Microwave, and other Serial Links

• Encryption and key management protocol developed specifically for low-latency applications

Low speed links

Short Messages

Request/Response

Polled Messages

Page 12: A Future of SCADA and Control System Security

Addressing SCADA Control System Vulnerabilities

• So what needs to be done?

Best Practices – policy, procedures, design and deployment of existing tools and technology

New Technology – identify limitations of existing products and technology, conduct mid-long term R&D to define requirements

Both require extensive testing and validation

Page 13: A Future of SCADA and Control System Security

AGA 12-1 (continued)

• Provides shared-key authentication

• Defines new SCADA Link Security (SLS) Protocol

• FIPS 140-2 Compliant

• Currently up for ballot

• For more info

Bill Rush ([email protected])

http://www.gtiservices.org/security/

Page 14: A Future of SCADA and Control System Security

Instrumentation Society of America (ISA) SP-99

• Cross-sector effort to identify and consolidate best practices for Manufacturing & Control System (M&CS) Environment

• Three Technical Reports to be released in 2003

Security Technologies for M&CS

Integrating Electronic Security into M&CS

Audit and Metrics for Security Performance

• http://www.isa.org

Page 15: A Future of SCADA and Control System Security

SP-99.1 Security Technologies

• Surveyed existing security technology and identified:

Typical Deployment

Weaknesses

Cost

Relevance/Applicability to M&CS

• Spawned effort to develop specific reference architectures for specific M&CS applications

• Lots of questions – can be used to drive research

Page 16: A Future of SCADA and Control System Security

The question of countermeasures

• Security cannot be added everywhere

• So assuming we understand the control system requirements, threats, and vulnerabilities, where do we deploy countermeasures?

End devices – device authentication and authorization

Protocol – message integrity and authorization

Applications – user authentication and authorization

Network Devices – protocol awareness, integrity, traffic encryption, user/traffic authentication

• Assuming we can address performance, how do we address complexity?

Page 17: A Future of SCADA and Control System Security

Analysis of Current Security Technology

• Network Intrusion Detection

If we don’t know exactly what the vulnerabilities are, how can signatures be created?

How much understanding of protocol is necessary to detect attacks or anomalies?

How do we share alerts with operator consoles and other applications and integrate physical and cyber

Passive IDS should have no impact on performance

• Host-based Firewall/Intrusion Detection/Anti-Virus

Compromise of general purpose OS is greatest risk?

HMI or other applications need extensive testing and vendor certification

May need safety override, depending on application?

Page 18: A Future of SCADA and Control System Security

Existing security technology (cont.)

• Network firewalls

Need appropriate rule-sets for specific control protocols and applications

Add application inspection of control system protocols

How do we manage large numbers of micro-firewalls or is virtualization the answer?

Add filtering capability to Ethernet/Serial-Xbus devices to secure legacy devices
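
The application-inspection idea on this slide, sketched for Modbus/TCP (one of the protocols listed earlier in the deck), as an added example that is not part of the original presentation: a filter parses the MBAP header and permits only allowlisted read function codes. The read-only policy, the function name `inspect_modbus_request`, the unit-id allowlist, and the sample frames are assumptions constructed for illustration.

```python
import struct

# Modbus function codes from the public Modbus specification.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}
MBAP_LEN = 7       # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU_LEN = 260  # 7-byte MBAP header + 253-byte maximum PDU


def inspect_modbus_request(frame: bytes, allowed_units=frozenset({1})):
    """Return (verdict, reason) for one Modbus/TCP request frame.

    Hypothetical policy for this example: permit only read function codes
    addressed to allowlisted unit ids, and drop anything malformed.
    """
    if len(frame) < MBAP_LEN + 1:
        return "drop", "truncated frame"
    if len(frame) > MAX_ADU_LEN:
        return "drop", "frame exceeds maximum ADU size"
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        return "drop", "protocol id is not Modbus (0)"
    # The length field counts the unit id byte plus the PDU that follows it.
    if length != len(frame) - 6:
        return "drop", "MBAP length does not match frame size"
    if unit_id not in allowed_units:
        return "drop", f"unit id {unit_id} not allowlisted"
    function = frame[MBAP_LEN]
    if function not in READ_ONLY_FUNCTIONS:
        return "drop", f"function 0x{function:02x} not allowlisted"
    return "permit", READ_ONLY_FUNCTIONS[function]


# Constructed sample frames (not captured traffic).
READ_HOLDING = bytes.fromhex("000100000006" "01" "03" "00000002")
WRITE_SINGLE = bytes.fromhex("000200000006" "01" "06" "000100ff")
BAD_LENGTH = bytes.fromhex("0003000000ff" "01" "03" "00000002")

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write", WRITE_SINGLE),
                        ("bad length", BAD_LENGTH)]:
        print(name, inspect_modbus_request(frame))
```

The check is stateless and assumes one complete request per call; an inline device would also need TCP stream reassembly and per-session tracking before applying it.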

Page 19: A Future of SCADA and Control System Security

Existing security technology (cont.)

• Virtual Private Networks

Not all control system traffic is “real time” (i.e. programming and configuration)

Protect traffic from enterprise (terminate on CS edge), but what about Internet VPN?

Provides more scalable authorization than access control lists?

Add protocol awareness and quality of service: what can we learn from Voice + VPN?

Page 20: A Future of SCADA and Control System Security

Testing Industrial Network Devices

• Lots of discussion about “Secure RTOS” but let’s ensure minimal robustness levels first

• Vendors and security researchers should conduct security testing against all Ethernet-enabled devices and communication modules

Conduct known TCP/IP attacks

Spoofing, Flooding, Malformed Messages

Well-known application-layer attacks

Evaluate unique protocols, features, or applications and test based on risk/criticality

Page 21: A Future of SCADA and Control System Security

Protocol Security: Lessons from the Internet

• Like control system protocols, the majority of Internet protocols were not designed with security in mind

• Retrofitting critical Internet protocols (i.e. BGP, DNS, etc.) has proven to be extremely difficult:

Vendors have been slow to implement security features

Customers seldom use available security features

Lack of a realistic threat model and inadequate testing have slowed activity in standards bodies

• 100% solutions are unlikely…

Page 22: A Future of SCADA and Control System Security

Conclusions

• As with terrorism, cyber risk models are tricky

How can we determine the probability?

Should we focus on vulnerabilities or threats?

• Multiple ongoing security initiatives that document and develop near-term SCADA security solutions

Will best-practices be used?

Are practitioners actually engaged?

How will customer requirements be integrated?

• Significant amount of research, testing, and analysis is needed to identify threats, unique vulnerabilities, and effective countermeasures

Will there be a market demand? Or regulation?

How can information-sharing obstacles be overcome?

• Feedback?

Page 23: A Future of SCADA and Control System Security

For more info…

• Contact info: Matthew Franz

Email: [email protected]

• Critical Infrastructure Assurance Group (CIAG): http://www.cisco.com/go/ciag/

• This presentation: http://www.io.com/~mdfranz/papers/