Security Considerations in Process Control and SCADA Environments - PowerPoint PPT Presentation

1
Security Considerations in Process Control and
SCADA Environments
  • Rich Clark
  • Industry Security Guidance
  • Wonderware and ArchestrA Business Units
  • Invensys Wonderware

2
Introduction
  • Security risks come with rapidly evolving
    technological advances
  • Threat vectors (security holes or technology
    exploits) appear in rapidly changing technology
  • New security features are built into Wonderware
    Products and newer Microsoft OS's and toolkits,
    and are being added to every day.
  • Close coordination with industry organizations
  • ISA and other Guidance Organizations
  • Government Labs and Entities
  • 3rd Party Vendors
  • Microsoft, Security Vendors, Tool Manufacturers,
    etc.

3
Context for Discussing PCN/SCADA Security
  • The DHS (Department of Homeland Security)
    believes that the next major war most likely will
    be an infrastructure war or will involve
    disabling our infrastructure
  • There is no such thing as an Enterprise that is
    100% secure even though some people want it
  • 80/20 rule for Security
  • The first 80% of threat vectors are relatively
    inexpensive to secure against
  • The costs and maintenance climb exponentially
    when attempting to secure the remaining 20%

6
Context for Discussing PCN/SCADA Security (cont.)
  • Process Control Software is designed to add
    intelligence and efficiency to a Production
    Enterprise
  • Wonderware: Powering Intelligent Plant
    Decisions in Real Time
  • Remember that
  • A properly designed and fully operational
    Process Control Network (PCN) or SCADA System is
    greater than the sum of the parts
  • A central issue to implementation and security
  • Most IT personnel view individual PCN machines as
    end devices, instead of the whole PCN as the end
    device
  • This is the fundamental disconnect between
    Process Control Engineers and IT Personnel

8
Control Enterprise Definitions
  • What is the difference between a Process Control
    Network (PCN) and a SCADA System?
  • Not Much!
  • Industry groups are having trouble categorizing
    each Enterprise Type because there are too many
    similarities between them
  • SCADA (Supervisory Control and Data Acquisition)
    Systems usually have remote, sometimes
    independent nodes running single tasks
  • PCNs usually perform more complex or a wider
    variety of tasks than SCADA Systems

9
Typical Industry Process Control Network (PCN)
10
Typical Industry SCADA System
11
Evolution of the Plant
  • The need for protecting and securing PCN/SCADA
    Systems is mostly due to growth in
  • Proliferation of open platforms and OSs
  • Wireless technologies
  • Increase in joint ventures/mergers
  • Outsourcing
  • Regulatory mandates
  • Complex plant environments/intelligent equipment
  • Increased connectivity
  • Increased network intrusion

12
Solution Delivery to Project Completion
  • Complete Enterprise Integration will include the
    Process Design Solution incorporating the
    following
  • Industry regulations and regulatory agencies
  • Standards organizations
  • Security risk identification and assessment with
    appropriate countermeasures
  • Compliance to legacy systems
  • Architectural changes and latest guidance
  • External and internal influences affecting the
    Enterprise
  • Multiple vendors
  • Company policies and industry best practices

13
Standards and Regulations
  • To make your job easier, Wonderware is working
    with these organizations and helping to establish
    standards
  • MSMUG
  • OPC Standards Committee
  • FDA
  • ISO 900x
  • NERC 1300 Electrical Industry
  • ENISA 460 Euro Control Systems Standards
  • ISA S-99
  • GAO
  • DHS

14
Establishing a Security Program for the PCN
  • Create a formal project and address the following
    topics

19
Awareness and Assessment Review
(Program diagram: Awareness & Assessment, Policy & Procedures, Security Solution, Security Program Performance Management)
Awareness & Assessment
  • Establish Security Team
  • Define Security Objectives
  • Identify Current Vulnerabilities
  • Establish Security Plan

20
Risk Analysis and Assessment
  • Risk is broadly defined as
  • IF a Threat Agent uses a tool, technique, or
    method to exploit a Vulnerability, THEN a loss of
    (confidentiality, integrity, or availability) to
    an Asset may result in an impact
  • Risk Assessment is a methodical process to
    determine threats, vulnerabilities, and risks to
    determine what solutions should be put in place
  • A Formal Risk Assessment will produce a
    probability number from 0-1 of the event
    occurring
  • Generally speaking, low probability (of
    occurring) risks are harder to protect against
    and cost more to do so
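
Worked example (added here; it is not part of the presentation): a small risk register that applies the definition above. The probability values stand for the 0-1 figures a formal assessment produces; the dollar impacts, countermeasure costs and residual probabilities are constructed, and scoring by annualized loss expectancy (probability x impact) is an assumed method the slides do not name. Running it shows why the low-probability, high-impact PLC risk drops out of the funded list, which is the cost-of-protection point the presentation makes.

```python
# Added example (not from the slides): scoring and prioritizing risks using the
# slide's definition. Probability values are the 0-1 figures a formal risk
# assessment produces; impact and control costs are constructed sample numbers.
# Annualized loss expectancy (ALE = probability x impact) is an assumed method
# the slides do not name.
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat_agent: str
    vulnerability: str
    probability: float           # annual probability of the event, 0..1
    impact: float                # loss of confidentiality/integrity/availability, in dollars
    countermeasure_cost: float   # annual cost of the proposed countermeasure
    residual_probability: float  # probability remaining once it is in place

    def __post_init__(self):
        for p in (self.probability, self.residual_probability):
            if not 0.0 <= p <= 1.0:
                raise ValueError("probability must be between 0 and 1")

    def ale(self) -> float:
        """Expected annual loss with no countermeasure."""
        return self.probability * self.impact

    def residual_ale(self) -> float:
        """Expected annual loss after the countermeasure."""
        return self.residual_probability * self.impact

    def net_benefit(self) -> float:
        """Loss avoided per year minus what the countermeasure costs."""
        return (self.ale() - self.residual_ale()) - self.countermeasure_cost


def prioritize(risks):
    """Countermeasures worth funding, largest net benefit first.

    Low-probability, high-impact risks tend to fall out here: protecting
    against them costs more than the protection is worth.
    """
    funded = [r for r in risks if r.net_benefit() > 0]
    return sorted(funded, key=lambda r: r.net_benefit(), reverse=True)


# Constructed sample register for a small plant network.
SAMPLE_RISKS = [
    Risk("Historian server", "disaffected contractor", "unlocked server room",
         probability=0.20, impact=500_000, countermeasure_cost=20_000,
         residual_probability=0.02),
    Risk("HMI workstation", "general malicious code", "USB media allowed",
         probability=0.50, impact=200_000, countermeasure_cost=15_000,
         residual_probability=0.10),
    Risk("PLC network", "nation state", "unpatched firmware vulnerability",
         probability=0.01, impact=5_000_000, countermeasure_cost=600_000,
         residual_probability=0.005),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.asset:20} ALE ${r.ale():>10,.0f}  net benefit ${r.net_benefit():>10,.0f}")
```

With the constructed figures the historian and HMI controls are funded (net benefits of $70,000 and $65,000 a year) while the PLC control is not, even though the PLC event has by far the largest impact.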

21
Cost of Protection vs Breach Event Probability
23
Some Sources of These Threats
  • General attacker threats
  • Animal rights activists
  • Anti world trade / anti globalization activists
  • Common criminals
  • General malicious code threat
  • Environmental groups
  • Illegal information brokers and freelance agents
  • Regional political activism
  • Malicious code attack specifically directed
    against a Customer
  • Non state-sponsored terrorism
  • Disaffected staff (including contractors)
  • Organized crime
  • Competitors, contractors, corporations
  • Nation states / Governments
  • Corporate intelligence / Investigation companies
  • Insider threats including social engineering,
    espionage, and spoofing people with high access
    levels
  • Unintentional exposure of vulnerabilities by
    untrained personnel
24
Risk Analysis and Assessment (cont.)
  • Sources of threats
  • External
  • Internal
  • Accidental
  • Vulnerabilities
  • As attack software and network tools become more
    sophisticated, the attacker's need for technical
    knowledge of what they are doing is greatly
    reduced

25
Attack Sophistication vs. Intruder Technical
Knowledge
Sources: Carnegie Mellon University, 2002 and
Idaho National Laboratory, 2005
26
Final Note: Vulnerabilities and Risk Mitigation
  • The largest vulnerability that existed was open
    source Operating Systems
  • Microsoft put 10M into tightening up security of
    Windows XP and 2003 Server last year
  • None of the other open platform Operating Systems
    manufacturers have committed those kinds of
    resources to tighten up similar vulnerabilities
    in their OSs
  • Microsoft OS Security has become a matter of user
    identification of risks (risk analysis) and
    applying specific countermeasures at appropriate
    levels of OS interaction

27
Policy and Procedures
  • Established Standards
  • Regulatory Drivers
  • Local and Company Requirements
  • ISO 17799, ISA-SP99, META, CERT, etc.
  • FDA, FERC, NERC, SEC, DEA, etc.
  • Site Policy, Information, Authorizations, etc.

29
The Case of the CFO's Sleeping Notebook
His daughter used the machine to surf the web and
it contracted a virus.
Instead of shutting down the machine properly, he
put the machine to sleep, keeping the virus in
resident memory. Company policy required that all
machines connected to the Corp Net be rebooted
and virus scanned. They did not enforce this
policy at the Executive Level. When it connected
to the Corp Net and woke up, the virus spread
immediately to all machines that were not
properly patched for the particular virus (a lot
of them). The Enterprise was down for 2 days.
(Diagram: the CFO Notebook on the Corp Net alongside the Historian InSQL and three Application Object Servers)
30
Establishing Policies and Procedures
  • Create a committee of Subject Matter Experts
  • SMEs should include Process Engineers and IT
    personnel who are being cross-trained
  • Get Executive buy-in
  • No one is exempt from company security policy
    including Executive level
  • A security officer is a good idea
  • This position is the single point of contact
    between outside connections and the PCN
  • This position enforces the policy created by
    the security committee

31
Policies and Procedures
  • Establishing Policies and Procedures is the
    foundation of a solid security strategy
  • Some considerations for user accounts
  • Only validated users
  • User IDs have unique names with medium to strong
    passwords
  • Individuals are accountable
  • Restrict access
  • Lockout duration well defined
  • Groups are defined by user access needs and roles
  • Reset any Guest and Default accounts
  • Operator accounts defined/limited by operational
    area
  • Service accounts on local domain machines are not
    used to logon to network domains

34
Policies and Procedures (continued)
  • Passwords
  • Enforce password history to limit reuse of old
    passwords
  • Enforce password aging to force interval changing
    of passwords
  • Enforce minimum password length
  • Usually 7 or 8 characters minimum
  • Enforce password complexity
  • Some strong password requirements can result in
    less security because people tend to write these
    down
  • Do not use strong passwords unless you can also
    enforce controls against social engineering
  • Do not store passwords using reversible encryption
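
Worked example (added here; not code from the presentation or from Wonderware): the user-account and password rules from the last few slides, enforced in one small module. The numbers are the slide's where it gives them (an 8-character minimum) and constructed defaults elsewhere (history of 5, 90-day aging, 3 character classes, lockout after 5 failures for 15 minutes); the account and policy classes are assumptions for the illustration. Passwords are stored only as salted PBKDF2 hashes, which is what "do not store using reversible encryption" asks for.

```python
# Added example (not from the slides): enforcing the account and password
# rules above in code. Policy numbers are the slide's where given and
# constructed defaults elsewhere; PBKDF2 hashing satisfies "do not store
# using reversible encryption".
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 8          # "usually 7 or 8 characters minimum"
    history_size: int = 5        # old hashes kept to limit reuse
    max_age_days: int = 90       # aging forces interval changing
    min_char_classes: int = 3    # complexity: of lower/upper/digit/symbol
    lockout_threshold: int = 5   # failed logons before lockout
    lockout_minutes: int = 15    # "lockout duration well defined"


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    last_changed: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way salted PBKDF2-HMAC-SHA256; nothing reversible is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def char_classes(password: str) -> int:
    """Number of the lower, upper, digit and symbol classes present."""
    return sum(bool(re.search(p, password))
               for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def violations(policy: PasswordPolicy, account: Account, password: str) -> List[str]:
    """Policy rules a proposed password breaks (empty list means accepted)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if char_classes(password) < policy.min_char_classes:
        problems.append("not complex enough")
    if any(matches(password, s, d) for s, d in account.history[-policy.history_size:]):
        problems.append("reused from history")
    return problems


def set_password(policy: PasswordPolicy, account: Account, password: str, now: datetime) -> List[str]:
    """Store the new password only when it passes every rule."""
    problems = violations(policy, account, password)
    if not problems:
        account.history.append(hash_password(password))
        account.history = account.history[-policy.history_size:]
        account.last_changed = now
    return problems


def attempt_logon(policy: PasswordPolicy, account: Account, password: str, now: datetime) -> str:
    """Returns 'locked', 'bad-password', 'expired' or 'ok'."""
    if account.locked_until and now < account.locked_until:
        return "locked"
    if not account.history or not matches(password, *account.history[-1]):
        account.failed_attempts += 1
        if account.failed_attempts >= policy.lockout_threshold:
            account.locked_until = now + timedelta(minutes=policy.lockout_minutes)
            account.failed_attempts = 0
        return "bad-password"
    account.failed_attempts = 0
    if now - account.last_changed > timedelta(days=policy.max_age_days):
        return "expired"   # aging: the user must change it before continuing
    return "ok"
```

The reuse check only compares against the retained history, so the history size is also the reuse window; the lockout counter resets on a successful logon so a single mistyped password does not accumulate toward a lockout across days.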

37
Policies and Procedures (continued)
  • Remote Access
  • Limit access by defining access based upon needs
  • Check all equipment brought to the site
  • Separate role-based user groups for temporary
    accounts; review them often
  • Define/document all outside access routes and
    accounts
  • Physical Access
  • Keep locked
  • Have specific personnel directly responsible
  • Final Note: You as the engineer or integrator
    should have a keen awareness of all these issues
    before the project even starts!

38
Security Solution
(Program diagram: Awareness & Assessment, Policy & Procedures, Security Solution, Security Program Performance Management)
Security Solution
  • Solution Design
  • Solution Recommendations
  • Solution Implementation

39
Security Ecosystem
  • Security perspective of a manufacturing and/or
    industrial ecosystem
  • System Architecture
  • External and Internal Influence
  • Vendors
  • Policies and Procedures
  • Platform Vendor
  • Automation Software Vendor
  • Standards

40
Security Ecosystem
42
Requirements for a Secure Network
  • Have a prevention policy using
  • Firewalls and firewall devices
  • Network based intrusion prevention/detection
  • Host based intrusion prevention/detection
  • Layer, Layer, Layer.
  • Bury any vulnerabilities inside of secure layers!
  • Do not put Corporate and Plant networks on the
    same domain
  • No secure and insecure protocols on same network
  • Continually monitor, create alerting and
    diagnostics of plant network control systems, and
    look for any backdoor integration to the
    corporate network
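
Worked example (added here; not from the presentation): an audit of a constructed set of network flow records against two of the rules above, direct traffic between the corporate and plant networks that bypasses the DMZ ("backdoor integration"), and secure and insecure protocols sharing the same network. The zone address plan, the port lists and the flow lines are all assumed; 135/tcp is the RPC endpoint mapper that DCOM traffic starts with, which is why a corporate-to-plant flow on it is worth flagging.

```python
# Added example (not from the slides): auditing constructed flow records for
# corporate<->plant traffic that bypasses the DMZ and for networks that mix
# secure and insecure protocols. Address plan, ports and flows are assumed.
import ipaddress
from collections import defaultdict

ZONES = {                                        # constructed address plan
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":       ipaddress.ip_network("10.2.0.0/24"),
    "plant":     ipaddress.ip_network("10.3.0.0/16"),
}
# Direct corporate <-> plant traffic is a backdoor around the DMZ.
DIRECT_FORBIDDEN = {("corporate", "plant"), ("plant", "corporate")}
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http"}   # clear-text services
SECURE_PORTS = {22: "ssh", 443: "https"}                  # encrypted equivalents


def zone_of(ip: str) -> str:
    """Name of the zone an address belongs to, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flows(text):
    """Lines of 'src dst dport proto' (a constructed export format)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = line.split()
        flows.append((src, dst, int(dport), proto.lower()))
    return flows


def audit(flows):
    """Return backdoor flows and networks mixing secure and insecure protocols."""
    backdoors = []
    seen = defaultdict(set)   # zone -> subset of {"secure", "insecure"}
    for src, dst, dport, proto in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz) in DIRECT_FORBIDDEN:
            backdoors.append(f"{src} -> {dst}:{dport}/{proto} ({sz} to {dz} bypasses the DMZ)")
        if sz == dz:                   # the protocol mix only matters within one network
            if dport in INSECURE_PORTS:
                seen[sz].add("insecure")
            elif dport in SECURE_PORTS:
                seen[sz].add("secure")
    mixed = sorted(z for z, kinds in seen.items() if kinds == {"secure", "insecure"})
    return {"backdoors": backdoors, "mixed_networks": mixed}


# Constructed sample: two legitimate hops through the DMZ, two direct
# corporate<->plant flows, and telnet beside ssh inside the plant network.
SAMPLE_FLOWS = """
10.1.5.20  10.2.0.10  443 tcp
10.2.0.10  10.3.1.5   443 tcp
10.1.7.33  10.3.1.5   135 tcp
10.3.1.5   10.3.2.9    23 tcp
10.3.1.5   10.3.2.9    22 tcp
10.3.2.9   10.1.8.8   445 tcp
"""

if __name__ == "__main__":
    result = audit(parse_flows(SAMPLE_FLOWS))
    for b in result["backdoors"]:
        print("BACKDOOR:", b)
    print("networks mixing secure and insecure protocols:", result["mixed_networks"])
```

On the sample the two direct flows are reported as backdoors and the plant network is reported for carrying telnet alongside ssh; the corporate-to-DMZ and DMZ-to-plant hops pass.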

45
Secure Architectures
  • Secure systems are directly related to
  • Infrastructure
  • Servers
  • Workstations
  • Ethernet Cables
  • Fiber Optics
  • Protocols and Communications
  • Host Software
  • Operating Systems
  • Virus Protection
  • Intrusion Protection
  • Recommendation: Define the Enterprise into Secure
    Areas (Layers or Rings)
  • Switches
  • Routers
  • Firewalls
  • Connectivity

46
Current Designs of Secure Architectures SCADA
47
Current Designs of Secure Architectures PCN
48
Current Designs of Secure Architectures PCN
49
Current Designs of Secure Architectures PCN
50
Current Wonderware Architecture Guidance
(Diagram labels: The whole domain is an End Device; Secure Area (Effective DMZ))
51
Current Wonderware Architecture Guidance
52
Current Wonderware Architecture Guidance
53
Current Wonderware Architecture Guidance
54
Current Wonderware Architecture Guidance
56
Data Communications and Protocols
  • IPSec co-processor and firewall cards installed
    here.

57
Data Communications and Protocols
  • IPSec Appliance (small router) installed here

58
Data Communications and Protocols
  • Edge Device (represents a single router or
    router pair)

59
Data Communications and Protocols
  • Getting data securely from one place to another
    requires some forethought and understanding
  • Data is usually binary, hexadecimal, or text
    (ASCII)
  • Data can be secured by
  • Encrypting with an algorithm
  • Common encryption methods include a Virtual
    Private Network (VPN) which uses IPSec as a
    tunneling protocol
  • Limiting it through specific ports with DCOM
    Config
  • Certain ports are used by every software
    manufacturer that has to have access to security
    or domain services, including Kerberos, Terminal
    Services and HTTP, whether TCP or UDP
  • DCOM is also used to request or start services or
    programs (using RPC), which leads some IT
    departments to view it as something that cannot
    be used

60
OSI Model and the Security Schemes
  • DCOM and port selection occur in the layer above
    the TDI (Transport Driver Interface), where it is
    difficult to secure the processes.
  • IPSec occurs mostly in the layer below the TDI,
    at the kernel level, so the data is secured
    before it gets into the machine.

61
Final Solution Requirements May Include
  • Retention of forensic information to support
    investigation/legal litigation
  • Secure connectivity to wireless devices
  • Doing these exercises will ensure that major
    elements are considered and incorporated into the
    final design and include
  • People
  • Process
  • Policies
  • Products

62
Security Considerations
  • Site Networks and Control System Security
    Approach
  • View from management and technical perspective
  • Address solutions from the IT and Process Control
    System perspectives
  • Design/develop multiple layers of network,
    system, and application security
  • Ensure compliance with industry, regulatory,and
    international standards

63
Total Security Design Considerations
  • Following these steps will prevent Process
    Control Networks (PCNs) from being implemented in
    pieces that will result in inconsistent or unsafe
    security designs
  • Develop security policy
  • Define requirements to implement a secure process
    environment
  • Develop plan to implement security
  • Implement the PCN without tightening down the
    machines
  • Only after the above steps are complete
  • Apply the security policies and plan once the PCN
    is operating correctly!

65
Final Solution Thoughts Creating Infrastructure
  • Review the types of available authenticators that
    you may want to use
  • Password, Biometric, Key Card, etc.
  • Final Review: Compliance with your company's
    established Security Policy
  • Make sure the devices that you select for the
    solution will do what they are supposed to in
    relation to your established security policies
    and requirements
  • Firewalls, Routers, Switches
  • Domain Controllers
  • Physical Networks
  • Remote Access Devices
  • Wireless Access

67
Security Program Performance Management
  • Continual Monitoring and Alerting
  • Yearly Review and Auditing
  • Periodic Testing and Validation
  • Continual Updating of Security System Requirements

71
Security Lifecycle Project Management
(Lifecycle flowchart; boxes listed in the order the slide build reveals them)
  • Define Risk Goals
  • Assess / Define Existing System
  • Conduct Risk Assessment / Gap Analysis
  • Design or Select Countermeasures
  • Define Integration Test Plan
  • Define System Validation Test Plan
  • Perform Pre-Installation Integration Test
  • Perform Validation Test on Installed System
  • Finalize Operational Security Measures
  • System Goes Operational Here
  • Routine Security Reporting and Analysis
  • Periodic Audit and Compliance Measures
  • Reevaluate Security Countermeasures (Break-in or
    Major Plant Change)
73
Security Program Performance Management
  • Establish ways to identify attacks before they
    occur
  • Honeypots lure attackers away from actual assets
  • Excessive numbers of logon attempts are a good
    indicator
  • Do your own packet monitoring and set up alarms
    for out-of-parameter or unusual activity
  • Educate your personnel (all users of the
    systems) to look for and report anything unusual
    or out-of-the-ordinary
  • Monitoring and Alerts also give metrics on the
    health of the PCN and security systems
  • If unusual activity is noted, fix it before it
    brings the system down
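
Worked example (added here; not from the presentation): the "excessive logon attempts" indicator run over a constructed logon audit trail. It checks two shapes of the same problem: a burst of failures from one source inside a short window, and the slow form the later audit slide warns about, where one source fails against many different accounts over hours and never trips a per-window threshold. The log format, the thresholds and every line of the sample are assumed.

```python
# Added example (not from the slides): flagging excessive logon failures in a
# constructed audit trail. Both the burst pattern and the slow many-accounts
# pattern are checked. Log format, thresholds and sample lines are assumed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+ \S+) (SUCCESS|FAILURE) user=(\S+) src=(\S+)$")

# Constructed sample: a burst from 10.3.1.22, one failure an hour against five
# different accounts from 10.1.9.9, normal activity from 10.3.1.30, and one
# malformed line that the parser skips.
SAMPLE_LOG = """\
2006-03-01 08:00:01 FAILURE user=operator3 src=10.3.1.22
2006-03-01 08:00:05 FAILURE user=operator3 src=10.3.1.22
2006-03-01 08:00:09 FAILURE user=operator3 src=10.3.1.22
2006-03-01 08:00:14 FAILURE user=operator3 src=10.3.1.22
2006-03-01 08:00:20 FAILURE user=operator3 src=10.3.1.22
2006-03-01 08:00:25 SUCCESS user=operator3 src=10.3.1.22
2006-03-01 08:15:00 SUCCESS user=operator1 src=10.3.1.30
2006-03-01 09:00:00 FAILURE user=operator1 src=10.1.9.9
2006-03-01 10:00:00 FAILURE user=operator2 src=10.1.9.9
2006-03-01 11:00:00 FAILURE user=admin src=10.1.9.9
2006-03-01 12:00:00 FAILURE user=historian src=10.1.9.9
2006-03-01 13:00:00 FAILURE user=backup src=10.1.9.9
2006-03-01 13:30:00 FAILURE user=operator1 src=10.3.1.30
2006-03-01 13:30:40 SUCCESS user=operator1 src=10.3.1.30
2006-03-01 13:31:00 something odd that is not a logon record
"""


def parse(log_text):
    """(timestamp, outcome, user, src) tuples; lines outside the format are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, outcome, user, src = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), outcome, user, src))
    return events


def burst_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with at least `threshold` failures inside any `window`-long span."""
    times = defaultdict(list)
    for ts, outcome, _user, src in events:
        if outcome == "FAILURE":
            times[src].append(ts)
    flagged = []
    for src, ts_list in times.items():
        ts_list.sort()
        start = 0                       # sliding window over sorted failure times
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)


def spray_sources(events, min_accounts=4):
    """Sources whose failures touch many distinct accounts, however slowly."""
    accounts = defaultdict(set)
    for _ts, outcome, user, src in events:
        if outcome == "FAILURE":
            accounts[src].add(user)
    return sorted(src for src, users in accounts.items() if len(users) >= min_accounts)


def analyze(log_text):
    events = parse(log_text)
    return {"bursts": burst_sources(events), "sprays": spray_sources(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The burst check alone misses 10.1.9.9, whose five failures are hours apart; counting distinct accounts per source catches it, which is the kind of metric worth keeping even when each individual entry looks like ordinary mistyping.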

75
Security Program Performance Management
  • The policies and procedures should be reviewed
    annually to ensure compliance with established or
    updated corporate security policies
  • New policies may have been adopted that do not
    make sense in a PCN/SCADA environment
  • Audit your metrics to be sure they make sense
  • Some attacks can be long-term and can be
    disguised within expected data
  • Some regulatory agencies may require audits of
    your PCN/SCADA security in the future
  • Start doing this on your own before it is
    required so you can understand your processes
    when the time comes!

77
In Summary
  • You must understand the corporate security
    policies
  • They should be formal policies and they should be
    written out; if not, it could be a slippery slope
  • The application integration must be constructed
    with the corporate security policies in mind
  • In some cases it will not be possible to adhere
    to corporate IT policies because of cumulative
    poor IT security definition practices or
    deficient network design
  • Mitigation strategies should be addressed up
    front for any perceived security breaches
  • Common mitigation strategies include asking why a
    specific security policy is in place and doing a
    risk analysis of this perceived threat
  • Additional mitigation strategies include burying
    the perceived breach inside of a secure layer or
    DMZ

78
Additional Resources
  • Best Practices Guidelines V1.0 document from the
    Microsoft Manufacturing Users Group, available at
  • http://www.omac.org/wgs/MfgInfsrct/MSMUG/msmug_default.htm
  • Microsoft Security Guidance
  • http://www.microsoft.com/security/guidance
  • ArchestrA Community
  • http://www.ArchestrA.biz
  • GAO Documents (GAO-04-354 and GAO-04-321)
  • Department of Homeland Security
  • http://www.dhs.gov/dhspublic/
  • ISA
  • http://www.isa.org/

79
Additional Resources
  • Antivirus Technical Article
  • http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002098.htm
  • Wonderware Security White Paper
  • http://dominoext.wonderware.com/PublicWWR5/PromoCol.nsf/wwwhite/0E58BBBF3F73885388257003005A5641/file/SecurityWP_May16_color_Final.pdf
  • Wonderware Security Resource Center
  • http://www.wonderware.com/support/security/

80
Your Presenter has been
Please drop me an email if you have any security
related questions.
81
Thank You Very Much!
  • The complete Basic Security Class is available
    online.
  • Look for the schedule of all the Online Seminars
    at
  • www.wonderware.com/Training

82
Thank You Very Much!
  • QUESTIONS?