Control System Security: - PowerPoint PPT Presentation

Slides: 54
Provided by: rebootco
Transcript and Presenter's Notes

1
  • Control System Security
  • Corporate and Control Resources Working Together

2
Bjorn Gudehus Senior Security Advisor Bell
Canada (403) 410-8045 Bjorn.Gudehus_at_bell.ca
3
System Resilience
  • Setting the Picture Corporate vs. Control
  • Threats / Risks
  • How to work together
  • Application of Security Principles
  • Summary

4
It Won't Happen
  • In March 2002, this quote appeared in a
    well-known IT magazine
  • "Most public utilities rely on a highly
    customized SCADA system. No two are the same, so
    hacking them requires specific knowledge."
  • Scott Berinato
  • Debunking the Threat to Water Utilities
  • CIO Magazine
  • March 15, 2002

5
280 BC - Ctesibius
50 AD - Heron of Alexandria
1452-1519 - Leonardo da Vinci
Modern Times
Remote Network
6
Melissa Hathaway urges more cooperation,
government attention to cybersecurity
  • Melissa E. Hathaway today reiterated calls for
    communication and cooperation between and among
    private corporations and the public sector in
    helping to protect not only critical
    infrastructure, but the welfare of the U.S.
    economy.

"We need to invest in resiliency," Hathaway said.
"We need to understand and communicate the
gravity of the situation. This is our way of
life. Our infrastructure is the global economy.
Whether we take responsibility to address those
vulnerabilities will determine the future of our
economy and national security."
By Michael S. Mimoso, Editor, Information Security magazine.
14 Sep 2009, SearchSecurity.com
7
Hacker Disabled Offshore Oil Platforms
Leak-Detection System
  • System off line from May 8 to June 29, 2008

Convicted in September 2009.
8
Control System vs. Corporate
AIC vs. CIA
Confidentiality: Assets and information are
protected to ensure only those with appropriate
rights to view and/or use information are able
to.
Availability: Assets and information are available
to run the business when required.
Resilience
Integrity: Assets and information are accurate
and have not been accessed or manipulated
without authorization.
9
Corporate
Control
10
Sample Control Protocols
FOUNDATION fieldbus
Sinec H1
TTEthernet
Profibus
Modbus
BSAP
SERCOS
CIP (Common Industrial Protocol)
FINS
EtherNet/IP
IEC_60870-5-103
Optomux
Interbus
EtherCAT
MelsecNet/10
DNP3
IEC_60870-5-101 / IEC_60870-5-104
Mechatrolink
IEC 61850
11
Threats / Risks
  • Old belief: air-gapped, proprietary
  • Standardization
  • Inter-Connectivity
  • Proprietary / legacy protocol knowledge
    availability
  • Lack of understanding of traffic flows
  • Protocol over IP
  • Expose devices / systems not designed to handle
    IP.
  • Device layer visibility to exposures /
    vulnerabilities

12
An Internal Survey of a Major Energy Company
  • Majority of the business units' management
    believed their control systems were not connected
    to the business network
  • Audit showed that 80% of systems were
    connected to the business network
  • Business network was only secured to support
    general business processes and not safety
    critical systems

13
Conficker infected critical hospital equipment
  • Several hundred machines and critical medical
    equipment.
  • Heart monitors and MRI machines, and the PCs
    (Older Windows)
  • Not supposed to have access to the Internet

14
The Bastion Model of Security
  • The Great Wall of China
  • The Maginot Line
  • Industrial Security Incident Database June 2006
  • The Slammer Worm infiltrated a
  • Nuclear plant via a contractor's T1 line
  • Power utility SCADA system via a VPN
  • Petroleum control system via laptop
  • Paper machine HMI via dial-up modem.
  • Firewalls existed in at least three of these
    cases.

15
Cultural
  • Corporate is the monster that slows things down
    and does not understand

Control is the wild west
16
Going Forward
Control / Engineering / Etc
Corporate
17
3 + 1 Security Principles
  • What / Who is on your systems?
  • What can / are they doing?
  • What has changed?
  • Emergency Response

18
Integrated Security Framework
Proactive organizational risk-based approach to
provide intelligent defence in depth
19
Start the Conversation
20
  • Policy
  • Standards / Organizations
  • Architecture
  • Access Management
  • Operational Excellence
  • Change Management
  • Physical
  • Awareness
  • Assessment

21
(No Transcript)
22
Policy
  • Need to assign a responsible person for control
    system security.
  • Policy simply needs to state, at a high level,
    the responsibility and mechanism to achieve
    security for everyone.
  • Remember: procedures are there to solidify policy
    at an operational state.
  • The most important devices in a SCADA system are
    the edge devices like PLC, RTU, IED.

23
Standards / Organizations
ISO17799/27K
ISA-SP99 January 13, 2009 Part 2 Approved
NERC CIP 002-009 May 6, 2009 - Strengthened Cyber
Security Standards Approved
NIST (National Institute of Standards and
Technology)
Directive 71
Chemical Facility Anti-Terrorism Standards (CFATS)
AGA (American Gas Association)
FAA (Federal Aviation Association)
24
Critical Infrastructure Criminal Intelligence
(CICI)
  • Part of RCMP National Security Criminal
    Investigations
  • Examines physical and cyber threats to critical
    infrastructure in support of the RCMP's and
    Government of Canada's critical infrastructure
    protection mandates
  • CICI collaborates closely with domestic and
    international partners to acquire, assess,
    analyze, produce and share criminal intelligence
    to assist in the prevention, detection,
    deterrence and response to actual and/or
    potential criminal threats to Canada's critical
    infrastructure.
  • CICI is building the Suspicious Incident
    Reporting Framework (SIR) in order to capture
    threat information from private sector
    owner-operators of critical infrastructure.

National Security Criminal Investigations Enquêtes
criminelles relatives à la sécurité nationale
25
Architecture
  • Segment the network and control what / who can go
    where
  • Reduce visibility to critical data flows to
    minimal set

Zone and Conduit
VLANs, Tunnels / routes
Wireless Access Points MODBUS read only
Connections to Safety System Place historian in
DMZ, or metrics / monitoring information.
Study of 37 firewalls from financial, energy,
telecommunications, media, automotive, and
security firms: "Almost 80 percent of firewalls
allow both the 'Any' service on inbound rules and
insecure access to the firewalls. These are gross
mistakes by any account."
Source: Avishai Wool, "A quantitative study of
firewall configuration errors," IEEE Computer
Magazine, IEEE Computer Society, June 2004
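
An added example, not part of the original presentation: the "MODBUS read only" conduit rule from the Architecture slide, sketched as a default-deny function-code allowlist for Modbus/TCP request frames. The function names and the sample frames are constructed for illustration.

```python
import struct

# Read-only function codes from the Modbus Application Protocol specification.
READ_ONLY = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

def check_request(adu: bytes):
    """Return (allowed, reason) for one Modbus/TCP request frame (default deny)."""
    if len(adu) < 8:
        return False, "truncated: no room for MBAP header and function code"
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        return False, "protocol identifier is not 0 (not Modbus)"
    # The MBAP length field counts the unit id plus the PDU that follows it.
    if length != len(adu) - 6:
        return False, "MBAP length field does not match frame size"
    fc = adu[7]
    if fc not in READ_ONLY:
        return False, f"function code 0x{fc:02x} is not on the read-only allowlist"
    # All four read requests carry exactly a 2-byte address and a 2-byte quantity.
    if len(adu) != 12:
        return False, "malformed read request"
    return True, READ_ONLY[fc]

def build_request(fc: int, data: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a constructed sample frame (hypothetical helper for this demo)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

if __name__ == "__main__":
    samples = [  # constructed frames, not captured traffic
        build_request(0x03, struct.pack(">HH", 0, 10)),          # read 10 registers
        build_request(0x06, struct.pack(">HH", 0, 0xFFFF)),      # write one register
        build_request(0x10, struct.pack(">HHBH", 0, 1, 2, 7)),   # write multiple
        build_request(0x03, struct.pack(">HH", 0, 10)) + b"\x00",  # padded frame
    ]
    for frame in samples:
        print(frame.hex(), check_request(frame))
```

Anything that is not a well-formed read request is dropped, so write, diagnostic and vendor-specific function codes never cross the conduit unless the allowlist is extended deliberately.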
26
Browns Ferry Nuclear Plant
  • August 19, 2006
  • Data storm / excessive traffic
  • 2 days offline

27
Access Management
  • User ID
  • Generic vs. named accounts
  • Privileged vs. functional access
  • Passwords
  • On / Off Boarding and Transfer
  • Employees vs. contractors.
  • Network Access Control (NAC)
  • Connecting device: what is the state of the
    connecting device?
  • No sane IT department lets computers on its
    network that have known vulnerabilities.
  • Remote
  • Simultaneous Corporate and Control System access.
  • Allow Internet access.

28
Maroochy Shire Sewage Spill
  • Remotely accessed
  • Poured toxic sludge into parks and rivers
  • 46 reported attacks

29
Economic Factor
  • Texas Comanche Peak nuclear power plant
  • VPN account used to e-mail out proprietary data
    to a personal Yahoo account and modify and
    delete files.
  • Asked engineering group about the safety of the
    reactor
  • One of the files that was tampered with, Hourly
    Capacity Supplied 2009 upload.xls,

30
Access Management
  • Social Networks
  • Have to address especially on data related to
    control system
  • Where and how to use them
  • How to protect what transacts on these networks
  • MSN, Yahoo, Facebook, Twitter, Peer2Peer, Kazoo

31
Marine One Security Breach
A Pittsburgh-area company that monitors
peer-to-peer networks accessed with file-sharing
software like LimeWire and Napster says it has
identified a potentially serious security breach
involving Marine One and an IP address in Tehran,
Iran.
  • File detailing the helicopter's blueprints and
    avionics package
  • Iran, Pakistan, Yemen, Qatar, and China Access
    sensitive information via the Internet.

32
Power Plant's Data Leaks Onto Net
2006: A Japanese power plant discovered that
sensitive security documents were uploaded to an
Internet file-sharing network by a virus-infected
PC.
33
Operational Excellence
  • Asset Management
  • Do you really know what is on the network?
  • How to create the complete picture?
  • Problem for both sides.. But
  • Network Administration
  • Certified resources managing devices to ensure
    accurate and secure configurations.
  • Network Management Layer separate from normal
    network connection

34
Operational Excellence
  • Log Management / SIEM
  • Ability to correlate abnormal events from the
    process control network and its interfaces to the
    business network.

Who monitors the logs and alerts? Who responds to
them?
Linking Oil and Gas Industry to improve cyber
security
NOTE: Provides regulatory compliance and ability
to maintain forensic integrity of data.
35
Operational Excellence
  • Patch and Anti-malware
  • Patching is not about deploying a patch but
    mitigating the vulnerability!
  • Anti-malware is not about latest signature but
    prevention of infection!

36
Change Management
Purpose
Documentation
Time Window
Authorization
Backup / out
Validation
37
Hatch nuclear power plant
  • March 2008 - emergency shutdown for 48 hours
  • Software update on the business network to
    synchronize data on both systems.
  • On reboot, it reset the data on the control
    system
  • Company was aware of two-way communication
  • But the engineer was not aware.

38
Physical
  • Physical protection, especially access, needs to
    be considered.
  • Control uses big burly guards, motion sensors,
    gates, etc
  • Corporate uses keypads, locks, etc

39
Toronto airport under review following security
breach
  • "There were doors that were unlocked, no security
    present that would allow anyone from the street
    to be able to walk in," Transport Minister John
    Baird
  • Senator Colin Kenny, who is the chair of the
    Senate's national security committee, accompanied
    Baird during the security test at the airport.

40
Awareness
Continuous awareness education to reinforce
security risk and responsibility.
  • Topics
  • Policy
  • Employee and 3rd party.
  • Social Engineering
  • Responsibility
  • Implications / Risk
  • Delivery Methods
  • Courseware,
  • posters,
  • newsletters,
  • videos,
  • email

41
Assessment
  • Such failures are common among PLC and
    supervisory control and data acquisition (SCADA)
    systems, because the manufacturers do not test
    the devices' handling of bad data.
  • Dale Peterson, CEO of industrial system security
    firm DigitalBond.
  • Knowledge is Power
  • Know and understand the Threat / Risk landscape
    to enhance your resilience
  • Policy
  • Architecture
  • Systems
  • Applications
  • End-point devices

CitectSCADA Core Security Technology
42
Processes Technology People
43
Extortion
Hackers have penetrated and extorted multiple
utilities
"Hundreds of millions of dollars have
been extorted, and possibly more. It's difficult
to know, because they pay to keep it a
secret."
Incident: Employee threatened to hack the
system if not given a better severance package
(Mutual Fund Company)
44
Bell Solutions
45
Summary
  • Corporate and Control Resources can work together
  • Integrated Security Approach
  • Technology, Process and People
  • Knowledge
  • Security Principles not Practice

46
Bjorn Gudehus Senior Security Advisor Bell
Canada (403) 410-8045 Bjorn.Gudehus_at_bell.ca
47
Backup
  • SCADA Incidents

48
Aurora Generator Test
March 2007: A picture of the Idaho National
Laboratory (INL) demonstration of the capability
to intentionally destroy an electric generator
from a cyber attack
http://news.yahoo.com/s/ap/20070927/ap_on_go_ca_st_pe/hacking_the_grid_13
49
Electricity Grid in U.S. Penetrated By Spies
  • Cyber spies have penetrated the U.S. electrical
    grid and left behind software programs that could
    be used to disrupt the system, according to
    current and former national-security officials.
  • The spies came from China, Russia and other
    countries.
  • Believed to be on a mission to navigate the U.S.
    electrical system and its controls.
  • The intruders haven't sought to damage the power
    grid or other key infrastructure, but officials
    warned they could try during a crisis or war.

50
On June 10, 1999, a pipeline owned by Olympic
Pipeline Company ruptured and gasoline leaked
into two creeks in Bellingham, Washington. The
gasoline ignited, resulting in a fireball that
killed three persons, injured eight other
persons, caused significant property damage, and
released approximately ¼ million gallons of
gasoline, causing substantial environmental
damage. An investigation concluded that the
Bellingham, WA gasoline pipeline rupture was not
caused by an intentional act. Because of the
detailed evaluation by NTSB, this is arguably the
most documented ICS cyber incident. According to
the NTSB Final Report, the unresponsiveness of
the SCADA system was the proximate cause of the
event. Because that information was available, a
detailed post-event analysis was performed, which
provided a detailed timeline, an examination of
the event, the actions taken and the actions that
SHOULD HAVE been taken.
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report2020Sep071.pdf
51
January 8, 2008: Teenage boy hacks into the
track control system of the Lodz city tram
system, derailing four vehicles. Twelve people
were injured in one of the incidents.
He had adapted a television remote control so it
could change track switches.
52
ZOTOB
  • Aug 18, 2005: 13 of DaimlerChrysler's US auto
    factories shut down for almost an hour
  • 50,000 employees ceased work
  • Approximately $14M loss
  • Australia Holden Auto Plant in Adelaide for
    several hours on after its computer network was
    infiltrated
  • CNN, ABC, the Associated Press, the New York
    Times
  • Caterpillar Inc.

53
Vancouver example
  • Clocks that run city traffic lights flipped to
    night mode after computer's clock was reset by
    seven hours
  • Saboteur called an All Traffic AM radio station
    to boast.
  • He identified himself as "C.U.P.E." and warned
    that traffic snarls would continue until the
    strike is over.