Security of SCADA Systems and Challenges to National Critical … · 2016-11-05 · Introduction...
Security of SCADA Systems and Challenges to
National Critical Infrastructure
Introduction
SCADA Security Concerns
Facts & Figures
Incidents & Scenarios
Solutions, Controls & Effectiveness
Summary
What is SCADA?
The Fuel in your Car
Traffic Lights
The Water at your Home
The Power at Your Home
The Wastewater that leaves your Home
A bit more detail…
Supervisory Control And Data Acquisition.
• SCADA is one class of Industrial Control System (ICS):
“Computer systems that monitor and control industrial, infrastructure, or
facility-based processes”
• Used to control and monitor physical processes:
• Transmission of electricity
• Transportation of gas and oil in pipelines
• Water distribution, traffic lights, and other systems
• HVAC etc.
Components - SCADA
• Master Terminal Unit (MTU) / master station
• Human-Machine Interface (HMI)
• Remote Terminal Units (RTUs) in the field
• Communication protocols (e.g. Modbus, DNP3, IEC 60870-5-104), over serial links or TCP/IP
SCADA Network - Sample
SCADA Security Concerns
• Basic or no security in the control protocol itself: most carry no
authentication, no integrity check and no encryption, so any host that can
reach a device can issue the same commands as the operator
• Organizations assume that a VPN is sufficient protection
and forget physical access to SCADA-related network
jacks and switches
• Unauthorized access to the control software; human error,
virus infections and other software threats on the hosts
• Packet-level access to the network hosting SCADA devices
Facts
• Outsiders can gain control via cyberspace
• This can lead to major destruction or disruption
• It requires no highly sophisticated tools or knowledge
• The “air gap” between control networks and the Internet is often assumed but rarely real
• The systems are not too complex for outsiders to understand
Facts
• No Authentication
• No Patching
• Internet connectivity
Some Scenarios
• Wi-Fi at a power plant
• Oil production network not separated from the
corporate network
• Back-end network connected to the Internet
• Product information (manuals, protocol details) available on the Internet
• No audit trails (shared user accounts)
• Dial-in modems
Incidents
• In 2000 (often misdated as 2006), an attacker using a stolen radio and laptop
seized control of a sewage treatment SCADA system in Maroochy Shire, Australia,
and released sewage into the environment
• In June 2010, the antivirus vendor VirusBlokAda discovered malware attacking
Siemens WinCC/PCS 7 SCADA systems on Windows
• Called Stuxnet, it logged in to the WinCC database using hard-coded
credentials and stole design and control files
• The malware was also able to change the control logic on the PLCs and
hide those changes from the operator
• Flame (2012): espionage malware found mainly in the Middle East
• Dragonfly (also known as Energetic Bear): a Russian-attributed group that
targeted European and US energy companies
• June 2014 – Havex, Dragonfly’s remote-access trojan, was delivered through
trojanized ICS vendor software downloads and enumerated OPC servers on the
networks it reached; unlike Stuxnet it gathered intelligence rather than
sabotaging equipment
Challenges
01 Legacy hardware, software and protocols
02 Complex systems
03 Multiple and diverse access points
04 Need to connect to the corporate network
05 Lack of concern about security and authentication
GOALS
Availability, Authenticity, Confidentiality, Integrity
(In control systems, availability and integrity of the process usually rank
above confidentiality, the reverse of the usual corporate IT ordering.)
Standards/Best Practices
• ISO 27001
• NIST (in particular SP 800-82, Guide to Industrial Control Systems Security)
• ISF (Information Security Forum)
• ADSIC (Abu Dhabi Systems & Information Centre) standard
• Dubai Govt. Information Security Standard
1. Adopt a Framework
ISO 27001, NIST, etc.
2. Carry Out a Risk Assessment
Identify the threats, vulnerabilities, risks etc.
Determine the controls required in terms of technical, process and people
elements.
3. Implement the Controls
Design and implement the relevant controls, prioritized according to the
criticality of the assets they protect.
4. Monitor and Improve
Ensure continuous monitoring of the SCADA/ICS systems and their security.
Identify and implement relevant improvements.
ICS/SCADA Security
Roadmap – defence in depth, from the outside in:
• Physical – locks, physical access controls
• Perimeter – firewalls, IPS/IDS, data diodes
• Internal N/W – VLANs, IDS
• Host – application whitelists, HIDS, central logs
• Applications – WAF, strong architecture
• Data – encryption, access control
Security Levels
Framework
• Information Security Strategy
• Security policy
• Organization of information security
• Asset management
• Human resources security – awareness, compliance
• Physical and environmental security
Framework – Contd.
• Communications and operations management
• Access control
• Information systems acquisition, development
and maintenance
• Information security incident management
• Business continuity management, and
• Regulatory compliance
Control Details
• Holistic approach
• Good governance
• Control of the SCADA infrastructure
• Tools that allow operators to identify threats, respond and
expedite forensic analysis in real time
• Continuous monitoring of all log data generated by the
IT systems – establish a baseline and alert on anomalies
Control Details
• Network access control
• Timely intelligence of a cyber attack
– from discovery to full remediation
• Ensure granular controls
• Protect un-patchable critical assets from cyber threats with
compensating controls (segmentation, application whitelisting)
• Reduce incident reporting time and time to corrective action
Control Details
• Link redundancy is also important for communication
continuity
• Security of the data over the links/modems: serial and dial-up
links carry the same unauthenticated protocols as the LAN
• PCs used for monitoring and control that also have
Internet access and external drive access – virus infection,
leakage of information
• SCADA protocol security
• Ensure security when the master station polls data
from remote units
Control Details
• SCADA protocols have been extended to work over
TCP/IP – and so end up reachable from the Internet
• Integrate the security plan at the infrastructure
development stage
• Endpoint-to-endpoint authentication and
authorization – TLS (SSL) or other cryptographic
techniques such as message authentication codes
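The following shows how endpoint-to-endpoint authentication can be retrofitted onto an unauthenticated polling exchange between a master station and a remote unit. It is an added example written for this page, not code from the presentation or from any SCADA vendor: it uses a shared-key message authentication code (HMAC) rather than the TLS the slide names, the message layout is a simplified read/write poll rather than a real SCADA protocol, and the shared key, the register contents and the hypothetical attacker actions are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 16    # truncated HMAC-SHA256; keeps frames short on low-rate serial links
NONCE_LEN = 8


def _tag(key, *parts):
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:TAG_LEN]


class MasterStation:
    """Polls remote units; one fresh nonce per poll so a response can only answer that poll."""

    def __init__(self, key):
        self.key = key
        self.pending = {}       # nonce -> header of the request it was sent with

    def poll(self, unit, function, data=b""):
        header = struct.pack(">BB", unit, function) + data
        nonce = os.urandom(NONCE_LEN)
        self.pending[nonce] = header
        msg = header + nonce
        return msg + _tag(self.key, b"REQ", msg)

    def accept(self, response):
        """Return the payload if the response is authentic and answers a live poll, else None."""
        if response is None or len(response) < NONCE_LEN + TAG_LEN:
            return None
        nonce, payload, tag = (response[:NONCE_LEN],
                               response[NONCE_LEN:-TAG_LEN], response[-TAG_LEN:])
        header = self.pending.get(nonce)
        if header is None:
            return None         # replayed, or answers a poll we never sent
        # The tag binds the payload to the nonce AND to the request header, so a
        # genuine answer to one poll cannot be passed off as the answer to another.
        if not hmac.compare_digest(tag, _tag(self.key, b"RSP", nonce, header, payload)):
            return None
        del self.pending[nonce]
        return payload


class RemoteUnit:
    """Field device holding a few 16-bit registers (values assumed for the demo)."""

    def __init__(self, key, registers):
        self.key = key
        self.registers = registers
        self.seen_nonces = set()    # in a real RTU this state must survive a reboot

    def handle(self, request):
        if len(request) < 2 + NONCE_LEN + TAG_LEN:
            return None
        msg, tag = request[:-TAG_LEN], request[-TAG_LEN:]
        if not hmac.compare_digest(tag, _tag(self.key, b"REQ", msg)):
            return None         # not from our master: ignore
        nonce, header = msg[-NONCE_LEN:], msg[:-NONCE_LEN]
        if nonce in self.seen_nonces:
            return None         # captured request replayed
        self.seen_nonces.add(nonce)
        function, data = header[1], header[2:]
        if len(data) != 4:
            return None
        if function == 0x03:    # read: start register, count
            start, count = struct.unpack(">HH", data)
            payload = b"".join(struct.pack(">H", self.registers[i])
                               for i in range(start, start + count))
        elif function == 0x06:  # write: register, value
            addr, value = struct.unpack(">HH", data)
            self.registers[addr] = value
            payload = data
        else:
            return None
        return nonce + payload + _tag(self.key, b"RSP", nonce, header, payload)


def run_polling_demo():
    key = os.urandom(32)        # assumed to be provisioned to both ends out of band
    master = MasterStation(key)
    rtu = RemoteUnit(key, {0: 100, 1: 200, 2: 300})
    read_regs_0_1 = struct.pack(">HH", 0, 2)
    results = {}

    genuine = rtu.handle(master.poll(1, 0x03, read_regs_0_1))
    results["genuine_read"] = master.accept(genuine)               # b"\x00\x64\x00\xc8"

    tampered = bytearray(rtu.handle(master.poll(1, 0x03, read_regs_0_1)))
    tampered[NONCE_LEN + 1] ^= 0x01                                # flip a bit of a measurement
    results["tampered"] = master.accept(bytes(tampered))           # None

    master.poll(1, 0x03, read_regs_0_1)
    results["replayed_response"] = master.accept(genuine)          # None: nonce already consumed

    write = master.poll(1, 0x06, struct.pack(">HH", 2, 0))
    results["first_write"] = master.accept(rtu.handle(write))      # b"\x00\x02\x00\x00"
    results["replayed_write"] = rtu.handle(write)                  # None: RTU has seen the nonce

    forged = struct.pack(">BBHH", 1, 0x06, 2, 999) + os.urandom(NONCE_LEN) + bytes(TAG_LEN)
    results["forged_write"] = rtu.handle(forged)                   # None: no key, no valid tag
    results["register_2"] = rtu.registers[2]                       # still 0
    return results
```

The scheme gives source authentication and integrity on every frame, plus replay resistance on both sides, which is what an unauthenticated poll lacks; it gives no confidentiality, so readings remain visible on a tapped modem line. The per-unit key must be provisioned and rotated out of band, and the RTU's replay state must persist across reboots or be replaced by a monotonically increasing counter. The standardized equivalent for a real protocol is DNP3 Secure Authentication (IEEE 1815), which uses the same challenge-response-with-MAC idea; where the link already runs over TCP/IP, mutually authenticated TLS, as the slide suggests, achieves the same end at the transport layer.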
Control Details
• Network level monitoring
• IDS (Intrusion Detection System)
• Integration of cyber and physical security responses
• Design/configuration that enables digital evidence
retention
• Complementing the existing posture with lessons from
ex-post incident analysis
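Network-level monitoring and IDS, the earlier point that the control protocol itself carries no security, and the call to baseline log data and alert on anomalies can be shown together in one added example. This is illustrative code written for this page, not a tool the presentation describes; it uses Modbus/TCP as the concrete protocol (the slides do not name one), and the host addresses, register numbers and traffic records below are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes (public protocol constants); the write functions change process state.
FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_request(transaction_id, unit_id, function, data):
    """Build a Modbus/TCP request: 7-byte MBAP header followed by the PDU.

    Every field of the frame is listed here; note what is absent: no sender
    identity, no credential, no integrity tag. Any host that can reach TCP/502
    on the device can issue exactly the same write as the HMI."""
    pdu = bytes([function]) + data
    # MBAP: transaction id, protocol id (always 0), length of what follows, unit id
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_request(frame):
    """Parse a Modbus/TCP request; raise ValueError on anything malformed."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def learn_baseline(records):
    """records are (src_ip, dst_ip, frame) tuples from a window operators have
    confirmed as normal; the baseline is the set of (src, dst, unit, function)
    combinations seen in that window."""
    baseline = set()
    for src, dst, frame in records:
        req = parse_request(frame)
        baseline.add((src, dst, req.unit_id, req.function))
    return baseline


def detect(records, baseline):
    """Return one (src, dst, message) alert per record that falls outside the baseline."""
    alerts = []
    for src, dst, frame in records:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed frame: {exc}"))
            continue
        if (src, dst, req.unit_id, req.function) in baseline:
            continue
        name = FUNCTION_NAMES.get(req.function, f"function 0x{req.function:02x}")
        severity = "HIGH" if req.function in WRITE_FUNCTIONS else "MEDIUM"
        alerts.append((src, dst, f"{severity}: {name} to unit {req.unit_id} not in baseline"))
    return alerts


# Constructed sample traffic (hypothetical addresses): the HMI at 10.0.1.10 is
# the only host that should ever talk to the PLC at 10.0.2.20.
HMI, PLC, CORPORATE_PC = "10.0.1.10", "10.0.2.20", "10.0.1.77"
LEARNING_WINDOW = [
    (HMI, PLC, build_request(1, 1, 0x03, struct.pack(">HH", 0, 10))),  # routine poll of 10 registers
    (HMI, PLC, build_request(2, 1, 0x06, struct.pack(">HH", 40, 1))),  # operator sets a setpoint
]
LIVE_TRAFFIC = [
    (HMI, PLC, build_request(3, 1, 0x03, struct.pack(">HH", 0, 10))),  # normal poll: no alert
    (CORPORATE_PC, PLC, build_request(4, 1, 0x06, struct.pack(">HH", 40, 0))),  # unknown host writes the setpoint
    (HMI, PLC, build_request(5, 1, 0x10, struct.pack(">HHB", 40, 1, 2) + b"\x00\x00")),  # HMI uses a new write function
    (CORPORATE_PC, PLC, b"\x00\x06\x00\x01\x00\x06\x01\x06\x00\x28\x00\x00"),  # protocol id 1: malformed
]


def run_detection_demo():
    return detect(LIVE_TRAFFIC, learn_baseline(LEARNING_WINDOW))


if __name__ == "__main__":
    for src, dst, message in run_detection_demo():
        print(f"{src} -> {dst}: {message}")
```

The detector never blocks anything; it only raises the alert that the protocol itself cannot, because a PLC has no way to refuse a well-formed write from the wrong host. The baseline is only as trustworthy as the learning window: if an intruder is already on the network when it is recorded, their traffic becomes "normal". Production deployments get the same signal from protocol-aware sensors (Zeek and Snort both ship Modbus parsers) feeding the central logs the roadmap calls for.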
Control Details
• Role-based access control
• Regular review of access rights
• Good design of the network from the beginning – including
physical and environmental aspects
• Secure coding practice
• Cooperation of all business sections, by presenting
security as a business enabler
• Address issues proactively and based on root cause analysis
Control Details
• Specialized industrial firewalls and VPN solutions for
TCP/IP-based SCADA networks
• Application whitelisting solutions
• Also, the ISA Security Compliance Institute (ISCI) is
emerging to formalize SCADA security testing (certification
against the ISA/IEC 62443 standards)
Control Details
• Ex-Post Incident analysis
– Identify the actual target
– Actual goal
– Vulnerabilities
– Possible data theft
Why do things still go wrong?
• No planning of security from the beginning
• New targeted attacks
• Reactive controls instead of proactive ones
• Lack of commitment – management and staff, human error
• Not enough coordination between organizations,
government agencies and ISPs – lack of teamwork
Can we achieve 100% security? No, but:
• The opportunities for attack and the number of incidents can be reduced
• Impact can be contained and limited – minimize losses
• Reputation can be saved by effective and quick action
• Business can resume at the earliest
In Short!
• Comprehensive policy framework with
adequate compliance
• Regular risk assessment and treatment
• Penetration testing against business-relevant
threats (including extrusion testing: what can leave the network?)
• Effective security awareness programs
Summary
Final Word: Consider the security of SCADA – not less
but more than that of the corporate network
Trends
SANS Survey 2014 - increase in
vulnerabilities and threats
Problem
• Connectivity of Critical infrastructure/SCADA to
Corporate network/Internet
• Targeted attacks
• Financial gains
• Politics, terrorism
Future
• Secure operating systems for SCADA
• Treat the SCADA network like any
other network in its security requirements
• Back doors (e.g. modems) should be completely
controlled
• DMZ between the SCADA network and the
corporate network
Solutions
• Adopt a Frame work
• Carry out risk assessment
• Ensure right processes
• Deploy adequate technology
• Enhance the awareness
Thank You !