Title: Electronic Intrusion into Your Control Systems
Slide 1: Electronic Intrusion into Your Control Systems
Facilitated by
- Bob Webb, POWER Engineers, rcw4_at_ix.netcom.com
  ISA SP Department Board of Directors; ISA NORCAL Section Past President
- Joe Weiss, KEMA Consulting, jweiss_at_kemaconsulting.com
  ISA SP Department Board of Directors; ISA NORCAL Section Planning Board; IEEE/IEC liaison
Slide 2: Agenda
- Self introductions - Bob, 15 min
- The problem: scope and examples - Bob and Joe, 15 min
- What others are doing - Joe, 15 min
  - Government
  - Vendors
  - Other organizations
- Break, 10 min
- Where current solutions fall short - Joe, 10 min
- What you can do today - Joe, 15 min
- Where to learn more - Bob, 10 min
- Open discussion - All, 30 min
Slide 3: Initial Survey of Participants
- How many of you are responsible for control systems?
  - DCSs?
  - SCADAs?
  - PLCs?
  - Other?
- How many of those systems have connections to any network or other system?
  - Another control system?
  - IT network?
  - Internet?
  - Dial-up access for vendor or techs?
  - Wireless connectivity to any devices?
Slide 4: Initial Survey, continued
- How many of you
  - Have a written control system security policy?
  - Regularly change your passwords?
  - Use strong passwords?
  - Have ever changed your passwords?
  - Know the status of the dial-in connections to your system as we speak?
  - Use pcAnywhere or X Windows to communicate with your systems?
  - Have done a control system vulnerability or security assessment?
Slide 5: Introduction of Participants
- Facilitators
  - Joe Weiss
  - Bob Webb
- Participants
  - Name, company
  - Area of responsibility
  - What problems have you encountered?
  - What would you like to get from this seminar?
- Help us plan for the future by completing the Conference Survey before you leave.
Slide 6: [Picture of wide open eyes, to go with the words below]
Slide 7: Objectives
- Know if and where your systems can be vulnerable
- Walk away with an understanding of control system cyber vulnerabilities and an approach to deal with those vulnerabilities
- Know where to get help when you need it
Slide 8: The Problem
- Some definitions
  - Control Systems
  - Electronic Intrusion
  - What we are not going to talk about
- What makes control systems unique
  - Real-time requirements
  - Changing nature
  - Not yet addressed in most IT strategies
- What has happened elsewhere
  - Electronic intrusions from inside and outside the corporate firewall
  - Unintentional and deliberate
- Your examples
  - How can you add to our problem descriptions?
  - What do you see in your systems?
Slide 9: Definitions
- Control Systems
  - The broadest interpretation: process control, manufacturing operations and systems; continuous, discrete, and batch; local, direct, and wide-area supervisory (e.g., SCADA); control and safety systems; serving all types of plants, facilities, and systems in all industries
- Electronic Intrusion
  - Undesired communications with your systems, internal (inside your firewall) or external, typically via a network, but possibly by any other means, including RF eavesdropping, sneakernet, foreign laptops, jamming, etc.
- Not included
  - Essential elements, but not part of this discussion
    - Physical security
    - IT security
Slide 10: What makes control systems unique
- You might be asking, why don't we just apply existing business system IT security techniques to our control systems? (a good question)
- In response, we will recommend that you do, WHERE IT MAKES SENSE
- But we will also caution you to be aware of your systems' unique properties that limit the application of IT approaches
  - The need to operate in real time often requires speed or frequency response that precludes use of traditional techniques, like block encryption
  - The need to provide ease of use for operators may preclude traditional use of passwords and the like
  - The need to rigorously test all changes to operating systems precludes regular updates for security patches and the like
Slide 11: Where current solutions fall short
- Awareness, education, training
- Processes and procedures inadequate or non-existent
- Hardware and software
  - OSs, processors, etc. not designed for security; missing the hooks and handles to incorporate it
  - Designed without thought of what could go wrong with malicious intrusion
  - Raw vulnerability to designer viruses on Ethernet or other ports: if firewalls are breached there is nothing else, and our demonstrations show the open systems can be easily compromised
  - Speed limitations
Slide 12: What has happened elsewhere?
- Examples and conclusions have been assembled by Eric Byres of the British Columbia Institute of Technology and Joe Weiss
- Examples are representative of real events across multiple industries, from multiple causes
- Current trending of cyber intrusions does not include control systems
  - For example, the CERT Coordination Center (CERT/CC) at Carnegie Mellon has not identified any control system intrusions
- Cyber incidents can have a variety of causes
  - Audit
  - Accidental
  - Non-malicious intrusion
  - Malicious intrusion
Slide 13: Examples of Cyber Incidents
- Noise or Bad Packets
- IP Address Duplication
- Broadcast Storms
- Internal Intrusion
- External Intrusion
- Procedures/Architecture
Slide 14: Noise or Bad Packets
- Propagation of noise or bad packets throughout an entire network is a serious risk.
- Pulp mill case history
  - Cable damage in one area creates bad packets from reflections.
  - Dumb network equipment (hubs and repeaters that forward frames without checking them) spreads the problem to other areas.
Slide 15: IP Address Duplication
- TCP/IP demands that every device has a unique IP address.
- Paper machine profile controller case history
  - Controller scanners use TCP/IP to communicate.
  - A printer in admin gets the same address as the controller.
  - Scanners try to talk to the printer instead of the controller.
Slide 16: Broadcast Storms
- Broadcasts are messages addressed to all network nodes.
- A few broadcasts are okay. Many create broadcast storms and will use up a device's CPU resources.
- Case history: steam plant DCS
  - DCS uses Ethernet to communicate between the screen server and operator consoles.
  - Broadcasts from a misconfigured Windows 95 machine in another mill area overload the screen server and shut down all DCS operator consoles.
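Both of the incidents above (a second device claiming the controller's IP address, and one host flooding the segment with broadcasts) leave a signature in a frame capture from the control network. The following is an added example, not code from the slides or from BCIT/KEMA: it reads a constructed, simplified per-frame log (timestamp, source MAC, destination MAC, source IP) and reports every IP address seen from more than one MAC and every one-second window whose broadcast count exceeds an assumed threshold, naming the top sender so someone can go and unplug it.

```python
"""Detect duplicate IP addresses and broadcast storms in a frame log.

Added example, not from the original slides. The log format is a constructed
simplification and STORM_THRESHOLD_PER_SEC is an assumed value; tune it to the
observed broadcast baseline of your own segment.
"""
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
STORM_THRESHOLD_PER_SEC = 100   # assumed: alert above this many broadcasts per second


def parse_frame_log(text):
    """Parse 'ts src_mac dst_mac src_ip' lines into (float ts, src_mac, dst_mac, src_ip)."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src_mac, dst_mac, src_ip = line.split()
        frames.append((float(ts), src_mac.lower(), dst_mac.lower(), src_ip))
    return frames


def find_duplicate_ips(frames):
    """Return {ip: [mac, ...]} for every source IP seen from more than one MAC.

    On one broadcast domain a source IP should map to exactly one MAC; a second
    MAC claiming it is the printer-versus-controller case from the slide above.
    """
    macs_by_ip = defaultdict(set)
    for _, src_mac, _, src_ip in frames:
        macs_by_ip[src_ip].add(src_mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def find_broadcast_storms(frames, threshold=STORM_THRESHOLD_PER_SEC):
    """Return [(second, broadcast_count, top_sender_mac)] for every one-second
    bucket whose broadcast count exceeds the threshold. The top sender is the
    device to go and look at (the misconfigured workstation in the case history)."""
    per_second = defaultdict(lambda: defaultdict(int))
    for ts, src_mac, dst_mac, _ in frames:
        if dst_mac == BROADCAST_MAC:
            per_second[int(ts)][src_mac] += 1
    storms = []
    for second in sorted(per_second):
        senders = per_second[second]
        total = sum(senders.values())
        if total > threshold:
            storms.append((second, total, max(senders, key=senders.get)))
    return storms


# Constructed sample: a profile controller and an admin printer both using
# 10.1.5.20, plus one host emitting 150 broadcasts inside a single second.
SAMPLE_LOG = "\n".join(
    ["# ts src_mac dst_mac src_ip",
     "10.0 00:10:a4:00:00:01 00:10:a4:00:00:99 10.1.5.20",   # profile controller
     "10.2 00:c0:ee:00:00:42 00:10:a4:00:00:99 10.1.5.20",   # admin printer, same IP
     "10.4 00:10:a4:00:00:99 00:10:a4:00:00:01 10.1.5.10",   # scanner reply
     "11.0 00:10:a4:00:00:99 ff:ff:ff:ff:ff:ff 10.1.5.10"]   # a lone broadcast is fine
    + ["12.%03d 00:a0:c9:00:00:77 ff:ff:ff:ff:ff:ff 10.1.9.5" % i for i in range(150)]
)


def analyse(text):
    """Run both checks over a log and return their findings."""
    frames = parse_frame_log(text)
    return {"duplicate_ips": find_duplicate_ips(frames),
            "broadcast_storms": find_broadcast_storms(frames)}


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG).items():
        print(kind, findings)
```

The duplicate-IP check only makes sense on a single broadcast domain: across a router every remote IP arrives with the router's MAC, so run it per segment. A managed switch that drops frames with bad checksums would also have contained the pulp-mill reflection problem on Slide 14, which a frame log taken downstream of a hub would show as a stream of malformed frames rather than as broadcasts.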
Slide 17: Internal Intranet Intrusion
- Eastern plant does a major upgrade of its DCS.
- Several months later, a head-office engineer connects to the mill DCS from head office, using the company's wide area network (WAN).
Slide 18: Internal Intranet Intrusion, continued
- Engineer loads a program onto an operator station to send data to head office for an expert system.
- This new task overloaded the DCS/PLC gateways.
- Operators lose control of devices connected to the PLCs.
Slide 19: Control Highway Intrusion
- Disgruntled employee attacks a PLC in another plant area over the PLC highway.
- Password changed to an obscenity, blocking legitimate maintenance and forcing a process shutdown.
Slide 20: External Wireless Intrusion
- Hacker attacks a sewage control system using a radio link.
- Causes millions of liters of raw sewage to spill out into local parks, rivers, and the grounds of a Hyatt Regency hotel.
Slide 21: PLCs are Vulnerable
- Eric Byres has also demonstrated the ability to kill a PLC by sending a single packet to it via an Ethernet connection.
- How many of you have Ethernet network connections to your PLCs (for HMI, etc.)?
Slide 22: Inadvertent Denial of Service (DoS)
- Control system procedures have not addressed conditions that could lead to DoS
  - Requesting excessive data, resulting in loss of the database server
  - Requesting excessive data, resulting in loss of control function
  - Excessive trending leading to DoS of the control function
- Control system architecture not designed for new information-oriented requirements
  - Loss of DCS operator access
  - Loss of SCADA operator access
  - Loss of DCS control
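The head-office expert system on Slides 17-18 and the excessive-trending cases above share one mechanism: information-side readers are allowed to pull as much as they like through the same gateway that carries control traffic. One architectural answer is to put every non-control reader behind an explicit budget, so that over-polling starves the requester rather than the controller. The following is an added example, not from the slides or any vendor product; the client names, request shape and budget numbers are assumptions, and control traffic (operator consoles, controllers) is assumed to reach the gateway by a separate path that this budget never touches.

```python
"""Shed excessive data requests before they reach the DCS/PLC gateway.

Added example, not from the original slides. Each information-side client is
charged against its own token bucket and against a shared bucket for all such
clients together, and no single request may ask for more than a fixed number
of tags. All numbers here are assumptions for illustration.
"""
from collections import Counter


class TokenBucket:
    """Refills at `rate` tokens/s up to `burst`; one accepted request costs one token."""

    def __init__(self, rate, burst, now):
        self.rate, self.burst = float(rate), float(burst)
        self.tokens, self.last = float(burst), now

    def has_token(self, now):
        self.tokens = min(self.burst, self.tokens + max(0.0, now - self.last) * self.rate)
        self.last = now
        return self.tokens >= 1.0

    def consume(self):
        self.tokens -= 1.0


class ControlGateway:
    """Front door for information-side reads of controller tags."""

    def __init__(self, clock, max_tags_per_request=200,
                 client_rate=2.0, client_burst=5, shared_rate=6.0, shared_burst=12):
        self.clock = clock
        self.max_tags = max_tags_per_request
        self.client_rate, self.client_burst = client_rate, client_burst
        self.shared = TokenBucket(shared_rate, shared_burst, clock())  # all readers together
        self.clients = {}
        self.rejections = []  # (time, client, reason)

    def read(self, client, tags):
        now = self.clock()
        if len(tags) > self.max_tags:
            return self._reject(now, client, "too many tags per request")
        bucket = self.clients.setdefault(
            client, TokenBucket(self.client_rate, self.client_burst, now))
        if not bucket.has_token(now):
            return self._reject(now, client, "client rate exceeded")
        if not self.shared.has_token(now):
            return self._reject(now, client, "shared information budget exhausted")
        bucket.consume()
        self.shared.consume()
        return {tag: self._read_tag(tag) for tag in tags}

    def _reject(self, now, client, reason):
        self.rejections.append((now, client, reason))
        return None  # the caller gets nothing; the controller never saw the request

    @staticmethod
    def _read_tag(tag):
        return 0.0  # stand-in for the real controller read; keeps the example offline


class FakeClock:
    """Deterministic clock so the scenario below is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def run_scenario():
    """Constructed load: one oversized historian query, three trend displays
    hammering at once, then one display continuing after a 2.5 s pause.
    Returns (served_count, Counter of rejection reasons)."""
    clock = FakeClock()
    gw = ControlGateway(clock)
    served = 0
    if gw.read("historian", ["TI%03d.PV" % i for i in range(500)]) is not None:
        served += 1
    for client in ("trend_a", "trend_b", "trend_c"):
        for _ in range(5):
            if gw.read(client, ["FIC101.PV", "TIC205.PV"]) is not None:
                served += 1
    clock.advance(2.5)  # trend_a's bucket refills 2/s * 2.5 s = 5 tokens
    for _ in range(6):
        if gw.read("trend_a", ["FIC101.PV"]) is not None:
            served += 1
    return served, Counter(reason for _, _, reason in gw.rejections)


if __name__ == "__main__":
    served, rejected = run_scenario()
    print("served:", served)
    for reason, n in rejected.items():
        print("rejected (%s): %d" % (reason, n))
```

In the scenario the three displays together exhaust the shared budget of 12 before the third one gets its fifth request through, and after the pause the first display is held to its own refill rate. The rejections list is the operational signal: a client that keeps hitting "shared information budget exhausted" is the new expert-system task that nobody told the control engineers about.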
Slide 23: Some Assessment Results
- These results are from 58 utility assessments facilitated or conducted by John E. Allen of LogOn Consulting
  - SCADA systems: 5
  - Plant control systems: 53
- Assessment type
  - Self-directed
  - Consultant
- Utility type
  - Electric
  - Natural gas
  - Water
Slide 24: Some Assessment Results, continued
- For SCADA systems
  - No SCADA configuration data was accurate or complete
  - Information systems interface not accurately defined (accuracy range 50-70%)
  - Data communication scheme not well understood or documented (accuracy range 85-98%)
- For plant control systems
  - Most PCS configuration accurate (8% error rate)
  - Information systems interface generally accurately defined (accuracy range 90-100%)
  - Data flow generally confined to the facility process, with some defined exceptions (accuracy range over 96%)
Slide 25: Some Assessment Results, continued
- Conclusions
  - Limited to SCADA and plant control systems
  - Configuration is not well understood or documented
    - Architecture
    - External connections
  - Little configuration management
  - No formal process/procedures
  - Minimal understanding of system interaction
  - Minimal operational knowledge of security
    - Lack of procedural guidance
    - Lack of internal controls
    - Little to no personnel security awareness
  - Communication among responsible stakeholders is deficient
    - Decisions and actions often made in isolation, affecting security integrity
Slide 26: Some Assessment Results, continued
- Conclusions, continued
  - Deficient understanding of security issues by responsible personnel
    - Specific and general security knowledge
  - Security performance requirements are non-existent
  - User community is not well documented
    - Lack of access criteria
Slide 27: Some Assessment Results, continued
- Observations
  - Knowledge of potential threats is limited
  - Knowledge of vulnerabilities is limited to non-existent
  - Stakeholder resistance to security assessments ranges from minor to declarations of war
  - Security assessment findings require attendant corrective action or enhancement plans
Slide 28: Conclusions
- Control systems have been impacted by cyber intrusions
- Problems come from inside the corporate firewall in most identified events
- There is a clear interdependence between control systems and IT department policies and practices
- IT procedures are not always applicable to control systems
- Control and IT personnel must work together, using both domains' expertise, to establish and implement effective and workable policies
Slide 29: Conclusions, continued
- Most control systems rely heavily on Microsoft Windows NT or 2000, which is well understood by hackers
- Control systems can also be accessed independently of the Microsoft platform
- Most control systems have poor security designs and weak protection
- Many of the existing incidents could have been prevented by the application of currently accepted IT security practices
Slide 30: What Others Are Doing
- The Government
  - National Strategy to Secure Cyberspace
  - DOE
  - NIST
  - CIAO
  - NIPC
- Vendors
- Other users
  - Policies and programs
Slide 31: The Government
- National Strategy to Secure Cyberspace
  - Most information and activity is in the business IT area
- DOE: National Test Bed Initiative
- National Institute of Standards and Technology (NIST) and National Security Agency (NSA)
  - Some activity in real-time control systems, as related to Critical Infrastructure Protection (PCSRF)
  - Substantial amount of material to review and apply where it makes sense
- Federal Energy Regulatory Commission (FERC)
- Critical Infrastructure Assurance Office (CIAO)
Slide 32: Sector Lead Agencies
- Electric utilities: North American Electric Reliability Council (NERC)
- Oil and gas: National Petroleum Council
- Water: Association of Metropolitan Water Agencies, AWWA, and NAWC
- Chemical process industry: Chemical Sector Cyber Security Information Sharing Forum
Slide 33: Vendors
- Typically, IT security is being addressed rather than real-time control
- Varying levels of activity by different vendors
  - Policies
  - Network controls
- Some offer security programs for their clients
- Most vendors are waiting for industry direction or consensus before making significant hardware/software changes
Slide 34: Vendor Discussion
- What have your vendors done?
- What have you asked for?
Slide 35: Relevant Standards Organizations
- ISA (Instrumentation, Systems and Automation Society)
- IEEE (Institute of Electrical and Electronics Engineers)
- ISO (International Organization for Standardization)
- IEC (International Electrotechnical Commission)
- AGA (American Gas Association)
Slide 36: Break
Slide 37: What You Can Do, Today
- Develop a policy specific to control systems
  - Existing IT policies do not address control systems
  - Define scope and purpose
  - Assure all relevant organizations are involved
- Define the current state
  - Vulnerability assessment
- Perform a risk assessment
  - What needs to be addressed?
Slide 38: What You Can Do, Today, continued
- Develop specific security procedures for your control systems
  - Training
  - Control electronic access
  - Testing and appropriate operating procedures
  - Verify all patches are rigorously tested
    - Evaluate impact
Slide 39: What You Can Do, Today, continued
- Maintain physical security
- Provide incident response and contingency plans
- Work with vendors, consultants, and system integrators
- Participate in appropriate industry groups and forums
  - Sector lead organizations and the other organizations discussed earlier
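"Define the current state" and "control electronic access" only stick if the inventory of paths into the control zone is written down and checked against the policy on a schedule, rather than surveyed once. The following is an added example, not from the slides: it audits a constructed inventory of firewall rules, dial-in modems, WAN links and radio links against an assumed control-system access policy and reports each violation with a severity. The inventory format, zone names, policy constants, assessment date and every entry are assumptions for illustration, not data from any real site.

```python
"""Audit every electronic path into the control zone against a written policy.

Added example, not from the original slides. Turns the survey questions from
the start of the session (dial-in status as we speak, vendor access, wireless
links, undefined interfaces) into a repeatable check over an inventory file.
"""
from datetime import date

# Constructed inventory: every firewall rule, modem, WAN link and radio link
# that terminates in the control zone. One path per line. Not a real site.
INVENTORY = """\
# id,kind,src_zone,dst_zone,service,auth,owner,last_reviewed
fw-01,firewall,business,control,tcp/1433,none,IT,2002-06-01
fw-02,firewall,business,control,any,none,IT,unknown
fw-03,firewall,internet,control,tcp/23,password,IT,2002-06-01
modem-01,dialup,external,control,pcanywhere,password,vendor,1999-03-01
modem-02,dialup,external,control,pcanywhere,callback+password,maint,2002-09-15
wan-01,wan,headoffice,control,tcp/5001,password,engineering,2002-01-10
radio-01,wireless,field,control,telemetry,none,operations,unknown
"""

# Assumed policy values: who may own a path, what counts as strong enough
# authentication for a remote path, and how stale a review may be.
APPROVED_OWNERS = {"IT", "maint", "operations", "engineering"}
STRONG_AUTH = {"callback+password", "token"}
REMOTE_KINDS = {"dialup", "wireless", "wan"}
REVIEW_MAX_AGE_DAYS = 365
ASSESSMENT_DATE = date(2002, 10, 9)   # assumed date the audit is run


def parse_inventory(text):
    keys = ("id", "kind", "src", "dst", "service", "auth", "owner", "reviewed")
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        paths.append(dict(zip(keys, [f.strip() for f in line.split(",")])))
    return paths


def audit_path(path, today=ASSESSMENT_DATE):
    """Return [(path_id, severity, reason)] for one inventory entry."""
    findings = []
    if path["dst"] != "control":
        return findings
    if path["src"] == "internet":
        findings.append(("high", "direct path from the Internet into the control zone"))
    if path["service"] == "any":
        findings.append(("high", "unrestricted service ('any') into the control zone"))
    if path["kind"] in REMOTE_KINDS and path["auth"] not in STRONG_AUTH:
        findings.append(("high", "%s path without callback or token authentication" % path["kind"]))
    if path["owner"] not in APPROVED_OWNERS:
        findings.append(("medium", "owner '%s' is not an approved stakeholder" % path["owner"]))
    try:
        age = (today - date.fromisoformat(path["reviewed"])).days
        if age > REVIEW_MAX_AGE_DAYS:
            findings.append(("medium", "last reviewed %d days ago" % age))
    except ValueError:
        findings.append(("medium", "review status unknown: nobody can say whether it is live"))
    return [(path["id"], sev, why) for sev, why in findings]


def audit_inventory(text=INVENTORY, today=ASSESSMENT_DATE):
    """Audit every path in the inventory text and return all findings in order."""
    return [f for p in parse_inventory(text) for f in audit_path(p, today)]


if __name__ == "__main__":
    for path_id, severity, reason in audit_inventory():
        print("%-9s %-6s %s" % (path_id, severity, reason))
```

Two of the seven constructed paths pass cleanly; the rest produce nine findings, five of them high. The point of keeping the check as code is that the inventory can be diffed and re-audited after every DCS upgrade or vendor visit, which is exactly when the undocumented modem and the "any" firewall rule tend to appear.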
Slide 40: ISA and Industry Activities
- Articles in INTECH, ISA Online, and division newsletters
- Active discussion on ISA list servers
- Industry technical conferences
  - July 30-31: KEMA Consulting Control System Cyber Security Conference, Vancouver
  - August 7: ISA Training Seminar - Securing Industrial Networks: Cyber Protection for Automation, Control and SCADA Systems
  - August 8: ISA Conference - hacking demo, issues and concerns, assessments, secure network design, security strategies
  - September 18: ISA SP 99 standard kickoff, with teleconference
  - October 22, Chicago: ISA 2002 conference, standard, and PCSRF
- Membership in NIST PCSRF
- IEEE and IEC ongoing activities
Slide 41: Be careful what you ask for!
- Open systems are the essential basis for open, vendor-independent connectivity, networking, and control
- End users have driven the open systems
- Standards Development Organizations (SDOs) need to provide for enhanced security
- End users need to adopt enhanced standards
[Picture of DCS]
Slide 42: ISA Response - Standards
- Development of positions, issues, industry guidance, and/or subcommittee scope and purpose and activity in
  - ISA 50: Fieldbus for use in Industrial Control Systems
  - ISA 67: Nuclear Power Plant Standards
  - ISA 77: Fossil Power Plant Standards
  - ISA 84: Programmable Electronic Systems for Use in Safety Applications (ANSI/ISA S84.01-1996, ANSI/ISA S91.01, IEC 61511)
    - Responsible for functional safety in the process sector
    - Sub-committee on security
  - ISA 95: Enterprise/Control Integration
- Formation of ISA SP 99, a new committee to
  - Cover the issues common to all controls-related security
  - Coordinate related ISA standards activities
- Standards activities will continue with meetings at ISA 2002 in Chicago
Slide 43: ISA Response - Awareness, Training
- Electronic Intrusion into YOUR Real Time Control Systems: ISA NORCAL conferences, October 9 Santa Clara and October 15 Sacramento
  - Threats, vendors' perspective, standards activities
  - 90-minute overview plus discussion
  - Facilitated by Joe Weiss, Bob Webb
- Real Time Control Systems Security Issues and Direction, a conference track at ISA 2002, October 21, 2002, Chicago
  - The issues and challenges: an overview
  - Vendor solutions
  - Role of standards
  - 6 hours of information
  - Session developers: Joe Weiss, Bob Webb
- Continuation of standards, conferences, and training courses in 2003 and beyond
Slide 44: ISA Future Directions
- Growing area of activity
- More integration and coordination within and outside of the Society
- ISA SP 99 detailed scope to be defined at the 10/22 Chicago meeting
- Participate in our standards, conferences, and work!
  - rcw4_at_ix.netcom.com
  - lferson_at_isa.org
Slide 45: IEEE Response
- Panel session at IEEE Winter Power Meetings
- Task force to review cyber security impacts on IEEE Power Engineering Society (PES) standards
  - Joe Weiss, task force chair
Slide 46: Get help or learn more
- Resources and references
- National Strategy to Secure Cyberspace
  - http://www.whitehouse.gov/pcipb/
- NIST (National Institute of Standards and Technology) programs/initiatives/forums
  - Critical Infrastructure Protection: Cybersecurity of Industrial Control Systems, http://www.mel.nist.gov/proj/cip.htm
  - Process Control Security Requirements Forum (PCSRF), http://www.isd.mel.nist.gov/projects/processcontrol/
  - National Information Assurance Partnership (NIAP, NIST and NSA), http://niap.nist.gov/
  - Computer Security Resource Center, http://csrc.nist.gov/
Slide 47: Get help or learn more, continued
- CIAO - Critical Infrastructure Assurance Office
- The Twenty Most Critical Internet Security Vulnerabilities, http://www.sans.org/top20.htm
- North American Electric Reliability Council (NERC)
  - Critical Infrastructure Protection Advisory Group (CIPAG), http://www.nerc.com/filez/cipfiles.html
- Federal Energy Regulatory Commission (FERC)
  - NOPR on Standard Market Design, http://www.ferc.gov/Electric/RTO/Mrkt-Strct-comments/discussion_paper.htm
  - Requires security to sell into the grid, and yearly self-audits
- DOE: 21 steps to secure your SCADA network
  - http://oea.dis.anl.gov/home.htm
Slide 48: Get help or learn more, continued
- Technical non-profit organizations addressing electronic intrusion
  - ISA: awareness, information, standards development, and training aimed specifically at control systems, www.isa.org
  - IEEE: standards, www.ieee.org
  - ISO
    - ISO 15408 - Information technology -- Security techniques -- Evaluation criteria for IT security
    - ISO 15408 Common Criteria, http://www.commoncriteria.org/
Slide 49: Get help or learn more, continued
- Organizations with control systems and security expertise, whose information was used in this conference
  - KEMA Consulting, Inc., jweiss_at_kemaconsulting.com
    - Cyber security procedure development
    - Assessments, program development and management, reviews and recommendations
    - Research and development direction and support
Slide 50: Get help or learn more, continued
- BCIT (British Columbia Institute of Technology), Eric Byres, eric_byres_at_bcit.ca
  - BCIT Industrial Incident Database: tracks network security incidents that directly impact industrial control operations.
  - BCIT Internet Engineering Research Lab: conducts security tests on control system products and designs.
- LogOn Consulting, John Allen, jeallen_at_logonconsulting.com
  - Assessments, program development and management, reviews and recommendations
Slide 51: Summary - A.C.T.I.O.N.S.
- IT-focused recommendations from The National Strategy To Secure Cyberspace, Sept. 2002
  - Authentication
  - Configuration management
  - Training
  - Incident response
  - Organization network
  - Network management
  - Smart procurement
- Exercise caution when applying these to control systems
Slide 52: Further Discussions
[Picture of Dinner]