A Future of SCADA and Control System Security
© 2003, Cisco Systems, Inc. All rights reserved.
A Future of SCADA and Control System Security
API Industry Security Forum (24 April ’03)
Matthew Franz ([email protected])
Critical Infrastructure Assurance Group (CIAG)
http://www.cisco.com/go/ciag/
Agenda
• Introduction
• Cisco and control system security
• Review of cyber threats, vulnerabilities, and countermeasures
• Addressing the need for secure SCADA
A sampling of cyber security initiative standards
Assessment of security products
Need for testing industrial-network devices
SCADA protocol enhancement
• Conclusion
Critical Infrastructure Assurance Group (CIAG)
http://www.cisco.com/go/ciag/
CIAG Control System Research Initiative
Vulnerability research – analysis and testing of design/implementation flaws in industrial products and protocols
Feature enhancement – identify new features in security and communication devices to reduce vulnerabilities and mitigate threats to control systems and networks
Architecture development – secure deployment and configuration of communication and security devices
Collaboration/advisory – participation in control system security forums and initiatives, leverage expertise in network and product security testing and evaluation
CIAG Research Initiatives
• Internal Research Projects
BGP Security Analysis & Testing
TCP/IP Stack Evaluation
Protocol Implementation Testing
Mobile/Wireless Security
BIND/DNS Security
Control System Security
• Coordination & Advisory
Interface with Government Cyber Security Organizations
Industry Working Groups (AGA-12, SP99, IETF, etc.)
• Research Sponsorship
Cisco’s Interest in Industrial Networking
• Industrial Ethernet is a new and growing market
• Identify unique security requirements to enhance Cisco products and secure customer networks
• Share our security expertise with the community
Participation in SCADA/DCS security initiatives
Collaboration with other vendors
External publication of findings
• Raise awareness of control system security issues–especially within IT security community
Control System Trends
• Increasing integration of IT and SCADA networks
Will IP/Ethernet/Wireless be the primary transport?
• Ethernet is becoming a “fieldbus”
Leverage common network for control and data applications
Redundant, hardened, deterministic, ubiquitous
• Open communication protocols for automation
Modbus/TCP, Ethernet/IP, Foundation Fieldbus High Speed Ethernet (HSE), Interface for Distributed Automation (IDA), PROFInet
• TCP/IP-enabled controllers and IO devices that utilize “IT” technology
HTTP, SNMP, FTP, DHCP, OPC, DCOM, ActiveX, Java
Open Issues in SCADA Security*
• Will industrial devices be subject to the same design, implementation, and configuration vulnerabilities that plague IT products?
• How well do existing security products meet the needs of industrial devices, networks, and protocols?
• What new security technologies are needed to protect industrial networks?
• Do industrial vendors have the infrastructure to handle vulnerability identification and disclosure?
* Lot of FUD and inaccurate information about SCADA threats, vulnerabilities, and incidents
Where/how do vulnerabilities occur in products, protocols, and systems?
• Definition & Design
Inadequate or unrealistic security requirements
Lack of security features (i.e. encryption, authentication, authorization)
• Implementation
Insecure coding practices
Narrow focus on functionality testing
• Configuration & Deployment
Insecure features enabled by default
Failure to configure devices and applications properly
Known vulnerabilities in control system networks
802.11 Defaults (no WEP)
Weak/default passwords
Inadequate filtering on router/firewall
OS defaults
TCP/IP stack issues?
Protocol flaws?
OS/App flaws?
Windows HMI Flaws
WEP Flaws
Network infrastructure device DoS
Insecure comm links
Insecure devices & protocols
Less than weak authentication in devices and protocols
Insecure remote access
Undocumented commands/backdoors
Categories: Configuration, Implementation, Design
AGA 12-1 Cryptographic Protection of SCADA Communications
• Goal is to protect Master-Slave (RTU) communication links from a variety of active/passive attacks
• Develops standard “retrofit solution” for insecure communication links via “cryptographic modules”
Dialup, Frame Relay, Microwave, and other Serial Links
• Encryption and key management protocol developed specifically for low-latency applications
Low speed links
Short Messages
Request/Response
Polled Messages
Addressing SCADA Control System Vulnerabilities
• So what needs to be done?
Best Practices – policy, procedures, design and deployment of existing tools and technology
New Technology – identify limitations of existing products and technology, conduct mid-long term R&D to define requirements
Both require extensive testing and validation
AGA 12-1 (continued)
• Provides shared-key authentication
• Defines new SCADA Link Security (SLS) Protocol
• FIPS 140-2 Compliant
• Currently up for ballot
• For more info
Bill Rush ([email protected])
http://www.gtiservices.org/security/
Instrumentation Society of America (ISA) SP-99
• Cross-sector effort to identify and consolidate best practices for Manufacturing & Control System (M&CS) Environment
• Three Technical Reports to be released in 2003
Security Technologies for M&CS
Integrating Electronic Security into M&CS
Audit and Metrics for Security Performance
• http://www.isa.org
SP-99.1 Security Technologies
• Surveyed existing security technology and identified:
Typical Deployment
Weaknesses
Cost
Relevance/Applicability to M&CS
• Spawned effort to develop specific reference architectures for specific M&CS applications
• Lots of questions – can be used to drive research
The question of countermeasures
• Security cannot be added everywhere
• So assuming we understand the control system requirements, threats, and vulnerabilities–where do we deploy countermeasures???
End devices – device authentication and authorization
Protocol – message integrity and authorization
Applications – user authentication and authorization
Network Devices – protocol awareness, integrity, traffic encryption, user/traffic authentication
• Assuming we can address performance, how do we address complexity?
Analysis of Current Security Technology
• Network Intrusion Detection
If we don’t know exactly what the vulnerabilities are, how can signatures be created?
How much understanding of protocol is necessary to detect attacks or anomalies?
How do we share alerts with operator consoles and other applications and integrate physical and cyber
Passive IDS should have no impact on performance
• Host-based Firewall/Intrusion Detection/Anti-Virus
Compromise of general purpose OS is greatest risk?
HMI or other applications need extensive testing and vendor certification
May need safety override, depending on application?
Existing security technology (cont.)
• Network firewalls
Need appropriate rule-sets for specific control protocols and applications
Add application inspection of control system protocols
How do we manage large numbers of micro-firewalls or is virtualization the answer?
Add filtering capability to Ethernet/Serial-Xbus devices to secure legacy devices
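An added example (not from the original slides) of what "application inspection of control system protocols" can look like for Modbus/TCP, one of the open protocols named earlier: MBAP header validation plus a function-code allowlist. The read-only policy, the function names and the sample frames are assumptions constructed for illustration, and each call is assumed to receive exactly one request ADU.

```python
import struct

# Assumed policy for this sketch: this flow may only read from the controller.
READ_ONLY = frozenset({1, 2, 3, 4})  # read coils, discrete inputs, holding regs, input regs
MBAP_LEN = 7                         # transaction id, protocol id, length, unit id
MAX_ADU = 260                        # MBAP header plus the 253-byte maximum PDU


def inspect_request(adu, allowed=READ_ONLY):
    """Return (verdict, reason) for one Modbus/TCP request ADU."""
    if len(adu) < MBAP_LEN + 1:
        return "drop", "truncated: no MBAP header and function code"
    if len(adu) > MAX_ADU:
        return "drop", "oversized ADU"
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0:
        return "drop", "protocol id is not 0, so this is not Modbus"
    # The MBAP length field counts the unit id plus the PDU that follows.
    if length != len(adu) - 6:
        return "drop", "MBAP length disagrees with bytes received"
    function = adu[MBAP_LEN]
    if function not in allowed:
        return "drop", "function code %d not permitted" % function
    return "allow", "function code %d" % function


def build_request(tid, unit, function, data):
    """Build a request ADU; used only to construct the sample frames below."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames (not captured traffic).
READ_REGS = build_request(1, 1, 3, struct.pack(">HH", 0, 10))
SAMPLES = {
    "read holding registers": READ_REGS,
    "write single register": build_request(2, 1, 6, struct.pack(">HH", 5, 1234)),
    "length mismatch": READ_REGS[:-1],
    "wrong protocol id": READ_REGS[:2] + b"\x00\x01" + READ_REGS[4:],
    "truncated": b"\x00\x01\x00\x00",
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-24s %s" % (name, inspect_request(frame)))
```

Passing a different `allowed` set per source/destination pair gives the protocol-specific rule-sets the slide asks for, for example permitting writes only from an engineering workstation.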
Existing security technology (cont.)
• Virtual Private Networks
Not all control system traffic is “real time” (i.e. programming and configuration)
Protect traffic from enterprise (terminate on CS edge), but what about Internet VPN?
Provides more scalable authorization than access control lists?
Add protocol awareness and quality of service; what can we learn from Voice + VPN?
Testing Industrial Network Devices
• Lots of discussion about “Secure RTOS” but let’s ensure minimal robustness levels first
• Vendors and security researchers should conduct security testing against all Ethernet-enabled devices and communication modules
Conduct known TCP/IP attacks
Spoofing, Flooding, Malformed Messages
Well-known application-layer attacks
Evaluate unique protocols, features, or applications and test based on risk/criticality
Protocol Security: Lessons from the Internet
• Like control system protocols, the majority of Internet protocols were not designed with security in mind
• Retrofitting critical Internet protocols (i.e. BGP, DNS, etc.) has proven to be extremely difficult:
Vendors have been slow to implement security features
Customers seldom use available security features
Lack of realistic threat model and inadequate testing has slowed activity in standards bodies
• 100% solutions are unlikely…
Conclusions
• As with terrorism, cyber risk models are tricky
How can we determine the probability?
Should we focus on vulnerabilities or threats?
• Multiple ongoing security initiatives that document and develop near-term SCADA security solutions
Will best-practices be used?
Are practitioners actually engaged?
How will customer requirements be integrated?
• Significant amount of research, testing, and analysis is needed to identify threats, unique vulnerabilities, and effective countermeasures
Will there be a market demand? Or regulation?
How can information-sharing obstacles be overcome?
• Feedback?
For more info…
• Contact info:
Matthew Franz
Email: [email protected]
• Critical Infrastructure Assurance Group (CIAG)
http://www.cisco.com/go/ciag/
• This presentation:
http://www.io.com/~mdfranz/papers/