Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
DESCRIPTION
Hydroelectric generation plants carry a number of cyberterrorism risks that could cause significant problems, such as interruptions in the power grid or water leaks from the reservoir, among others. This presentation discusses the vulnerabilities in the infrastructure of hydroelectric generation plants, some tools to check for them, and several remediation techniques to keep those problems from materializing.
TRANSCRIPT
![Page 1: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/1.jpg)
Avoiding Cyberterrorism Threats Inside Hydraulic Power
Generation Plants
Manuel Humberto Santander Peláez
[email protected]
![Page 2: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/2.jpg)
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
![Page 3: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/3.jpg)
SCADA
• Supervisory Control and Data Acquisition
• Platform used to monitor and control all the variables of a real-time process
• Several variables to monitor
  – Vibrations on the turbine rotor
  – Flow speed of oil inside a turbine rotor
  – Amount of electric charge passing inside an electricity transmission line
![Page 4: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/4.jpg)
Electrical process
• Three big steps
  – Generation
  – Transmission
  – Distribution
• Energy is created using any of the following methods
  – Thermoelectric plants
  – Nuclear plants
  – Hydroelectric plants
![Page 5: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/5.jpg)
Electrical process (2)
• The SCADA platform is vital to perform the following when generation takes place:
  – Ensure turbines do not exceed their supported revolutions
  – Ensure generators are not working overloaded
  – Ensure the energy being generated matches the amount of energy the transmission line can handle
![Page 6: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/6.jpg)
Electrical process (3)
• Transmission
  – Energy being generated needs to be distributed to reach the final users
  – 115 kV is the voltage used to transmit on the wire lines
  – Final destination are the substations that handle the energy of a specific number of installations
  – Large number of blocks in a city
![Page 7: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/7.jpg)
Electrical process (4)
• The SCADA platform is vital to perform the following when transmission takes place:
  – Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
  – None of them can get overloaded, because protections get activated and a blackout appears in all the installations controlled by the affected substations
![Page 8: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/8.jpg)
Electrical process (5)
• Distribution
  – Energy being generated needs to be distributed to reach the final users
  – 115 kV is the voltage used to transmit on the wire lines
  – Final destination are the substations that handle the energy of a specific number of installations
  – Large number of blocks in a city
![Page 9: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/9.jpg)
Electrical process (6)
• The SCADA platform is vital to perform the following when distribution takes place:
  – Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
  – Monitoring of voltage in user meters, looking for a high amount of electricity flowing
![Page 10: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/10.jpg)
Electrical System
Source: United States Department of Energy
![Page 11: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/11.jpg)
Hydroelectrical Plant Process
Source: circuitmaniac.com
![Page 12: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/12.jpg)
Hydroelectrical Turbine
Source: United States Army Corps of Engineers
![Page 13: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/13.jpg)
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
![Page 14: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/14.jpg)
SCADA Network inside Power Plant
Diagram: Generation Power SCADA (Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console) and Substation SCADA (Substation controller, Switch Controller, Voltage Meter Reader, Protection Controller, HMI Console)
![Page 15: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/15.jpg)
SCADA Network inside Power Plant (2)
• Generation Power Plant
  – Unit Controller: Controls all the subsystems so the generator is able to inject active power into the electrical network
  – Voltage regulator: Controls the frequency of the active power being produced by the generator. Must match the frequency in the electrical network
![Page 16: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/16.jpg)
SCADA Network inside Power Plant (3)
• Generation Power Plant
  – Turbine speed regulator: Controls the speed of the turbine
  – Cooling and oil pump controller: Controls refrigeration and lubrication of the turbine's rotor system so there is no heat or friction
  – Generator protection controller: Controls excessive voltage changes in the generator
![Page 17: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/17.jpg)
SCADA Network inside Power Plant (4)
• Substation SCADA
  – Substation Controller: Controls all the systems that make it possible for energy to be transmitted across the electrical network
  – Switch controller: If there is too much energy on a line, trying to exceed its capacity, the switch opens the circuit and the energy stops flowing
![Page 18: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/18.jpg)
SCADA Network inside Power Plant (5)
• Substation SCADA
  – Voltage meter: Meters the amount of electricity flowing in the input and output lines so the Substation Controller can tell whether the capacity of a transmission line is being exceeded
![Page 19: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/19.jpg)
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
![Page 20: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/20.jpg)
SCADA Protocols
• Modbus
• IEC 104
• DNP3
![Page 21: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/21.jpg)
Modbus
Source: Practical Industrial Data Communications
![Page 22: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/22.jpg)
Modbus (2)
• Client/server protocol which operates in a request/response mode
• Three variants:
  – Modbus serial RS-232/RS-485: Implemented on serial networks
  – Modbus TCP: Used for SCADA platforms where delay is not an issue (water supply)
  – Modbus UDP: Used for SCADA platforms where delay is a big issue (energy)
![Page 23: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/23.jpg)
Modbus (3)
Source: Practical Industrial Data Communications
![Page 24: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/24.jpg)
Modbus (4)
• Modbus protocol structure
  – Address field:
    • Request frames: Address of the device targeted by the request
    • Response frames: Address of the device responding to the request
![Page 25: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/25.jpg)
Modbus (5)
• Modbus protocol structure
  – Function field
    • Function requested by the HMI to be performed by the field devices
    • In response packets, when the requested function succeeds, the field device echoes it. If some exception occurred, the most significant bit of the field is set to 1
![Page 26: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/26.jpg)
Modbus (6)
| Type of access | Data access | Function name | Function code |
|---|---|---|---|
| Bit access | Physical Discrete Inputs | Read Discrete Inputs | 2 |
| Bit access | Internal Bits or Physical Coils | Read Coils | 1 |
| | | Write Single Coil | 5 |
| | | Write Multiple Coils | 15 |
| 16-bit access | Physical Input Registers | Read Input Register | 4 |
| 16-bit access | Internal Registers or Physical Output Registers | Read Holding Registers | 3 |
| | | Write Single Register | 6 |
| | | Write Multiple Registers | 16 |
| | | Read/Write Multiple Registers | 23 |
| | | Mask Write Register | 22 |
| | | Read FIFO Queue | 24 |
| File Record Access | | Read File Record | 20 |
| | | Write File Record | 21 |
![Page 27: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/27.jpg)
Modbus (7)
| Type of access | Function name | Function code |
|---|---|---|
| Diagnostics | Read Exception Status | 7 |
| | Diagnostic | 8 |
| | Get Com Event Counter | 11 |
| | Get Com Event Log | 12 |
| | Report Slave ID | 17 |
| | Read Device Identification | 43 |
| Other | Encapsulated Interface Transport | 43 |
![Page 28: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/28.jpg)
Modbus (8)
• Modbus protocol structure
  – Data field
    • In request packets, contains the information required to perform the specific function
    • In response packets, contains the information requested by the HMI
![Page 29: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/29.jpg)
Modbus (9)
• Modbus protocol structure
  – Error check field
    • CRC-16 on the message frame
    • If the packet has errors, the field device does not process it
    • A timeout is assumed, so the master sends the packet again to attempt the function execution once more
![Page 30: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/30.jpg)
IEC 104
• Standard for power system monitoring, control and communications for telecontrol and teleprotection of electric power systems
• Completely compatible with:
  – IEC 60870-5-1: Transmission frame formats for standard 60870-5
  – IEC 60870-5-5: Basic application functions
![Page 31: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/31.jpg)
IEC 104 (2)
• It has the following features:
  – Supports master-initiated messages and master/slave-initiated messages
  – Facility for time synchronization
  – Possibility of classifying the data being transmitted into 16 different groups, to get the data according to the group
  – Cyclic and spontaneous data updating schemes are provided
![Page 32: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/32.jpg)
IEC 104 (3)
Source: Practical Industrial Data Communications
![Page 33: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/33.jpg)
IEC 104 (4)
Source: Practical Industrial Data Communications
![Page 34: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/34.jpg)
IEC 104 (5)
Source: Practical Industrial Data Communications
![Page 35: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/35.jpg)
IEC 104 (6)
• Link level

| Link service class | Function | Explanation |
|---|---|---|
| S1 | SEND / NO REPLY | Transmit message. No ACK or answer required |
| S2 | SEND / CONFIRM | Transmit message. ACK required |
| S3 | REQUEST / RESPOND | Transmit message. ACK and answer required |
![Page 36: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/36.jpg)
IEC 104 (7)
Source: Practical Industrial Data Communications
![Page 37: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/37.jpg)
IEC 104 (8)
Source: Practical Industrial Data Communications
• Control field for unbalanced transmissions
![Page 38: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/38.jpg)
IEC 104 (9)
Source: Practical Industrial Data Communications
• Control field for balanced transmissions
![Page 39: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/39.jpg)
DNP3
• Set of communication protocols used between components of a SCADA system
• Used for communications between the RTU and the IEDs (field devices)
• Implements the communication levels established by the Enhanced Performance Architecture (EPA)
![Page 40: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/40.jpg)
DNP3 (2)
• Enhanced Performance Architecture (EPA)
Source: Practical Industrial Data Communications
![Page 41: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/41.jpg)
DNP3 (3)
• Message exchange
Source: Practical Industrial Data Communications
![Page 42: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/42.jpg)
DNP3 (4)
• Frame format
Source: Practical Industrial Data Communications
![Page 43: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/43.jpg)
DNP3 (5)
• Control Byte
Source: Practical Industrial Data Communications
![Page 44: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/44.jpg)
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
![Page 45: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/45.jpg)
Cyberterrorism Risks
• Many awful things can happen to a power plant
  – Stop generation because of partial or total damage to the generator
  – Stop generation because of partial or total damage to the transmission substation
  – Stop generation because of partial or total damage to the turbine
![Page 46: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/46.jpg)
Cyberterrorism Risks (2)
• Many awful things can happen to a power plant
  – Transformer explosion because of a lack of transmission line protection capacity
  – Massive water leakage because of an explosion of the turbine container
• All of them can happen because of unauthorized manipulations of the HMI, once the configurations are updated
![Page 47: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/47.jpg)
Network technologies in SCADA Systems
• Many SCADA networks still use an RS232/RS485 bus to communicate all components
  – But, because of the need to access data quickly, we also have serial-to-IP gateways to reach serial RTUs and IEDs
  – Lots of hybrid SCADA networks having serial and IP components
  – Access is open to anyone with network connectivity
![Page 48: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/48.jpg)
Network technologies in SCADA Systems (2)
• Many SCADA networks still use an RS232/RS485 bus to communicate all components
  – Administrative protocols are not encrypted, so anyone can sniff all the contents, perform a MITM and send fake content to client and server. Insecure services like telnet are mandatory because of lack of support for anything else
  – Latency is an issue
![Page 49: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/49.jpg)
Lack of authentication in application protocol
• The SCADA protocols do not perform bidirectional authentication to ensure that all parties are trusted
  – Only commands are sent
  – Data is sent to the IP address configured as master
  – All the IP spoofing vulnerabilities work on any MTU or field device
  – Any command can be sent
![Page 50: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/50.jpg)
Default configurations in HMI
• Insecure services used
  – rlogin
  – rcp
  – rexec
• OS admin privileges used to operate
• Trust perimeter created between the HMI and external RTUs and IEDs to manipulate configuration parameters
![Page 51: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/51.jpg)
What could be done?
• Reset a link state communication or send a Test Communication packet several times, provoking a temporary DoS to the IED controllers
  – Spoof the HMI IP address and send the following using TCP: 0x56405c00100020074e3
  – Spoof the HMI IP address and send the following using TCP: 0x56405f201000200b717
![Page 52: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/52.jpg)
What could be done? (2)
• Send commands to the IED controllers
  – Registers are linked to turn on and off specific devices like oil and refrigeration pumps
  – A Modbus command to change registers is enough to disable any of those pumps
  – The command depends on where the pump is configured
![Page 53: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/53.jpg)
What could be done? (3)
• Execute Metasploit against the HMI and try to find remote admin exploits
  – No patches are installed
  – Too many vulnerabilities around
  – The odds of finding remote privilege escalation vulnerabilities are very high
  – Are passwords strong enough in the HMI software and OS?
  – Is there any password configured at all?
![Page 54: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/54.jpg)
What could be done? (4)
• MITM attacks against the substation elements and generation plant elements
  – TCP sequence predictability on these elements is pretty high
  – Prone to session hijacking (http://www.youtube.com/watch?v=s_XD8heYNrc)
![Page 55: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/55.jpg)
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
![Page 56: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/56.jpg)
What you cannot do with SCADA
• Protocol delay is usually a BIG issue in SCADA
  – Water supply and oil SCADA tolerate big delays because they have no consequences in the process
  – Power SCADA is critical. A delay higher than 12 milliseconds could end in a massive blackout because of failure to open a breaker in a substation
  – Be careful about what you do to protect your SCADA
![Page 57: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/57.jpg)
SCADA Network inside Power Plant
Diagram: Generation Power SCADA (Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console) and Substation SCADA (Substation controller, Switch Controller, Voltage Meter Reader, Protection Controller, HMI Console)
![Page 58: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/58.jpg)
Monitor your network
• Control access from outsiders
  – The SCADA network needs to send information for reports and status checking
  – You can establish a secure way to get into the SCADA network for remote support
  – If no commands need to be sent, one-way communication using Waterfall works pretty well
![Page 59: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/59.jpg)
Monitor your network (2)
Source: Waterfall Security
![Page 60: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/60.jpg)
Monitor your network (3)
• Use a Network Intrusion Prevention System
  – You definitely can use conventional IPS if they are fast enough to avoid delays in your network
  – Not all of them support SCADA protocols
  – If you have Snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules
  – The Industrial Defender solution works pretty well, as it includes lots of SCADA signatures
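An added example, not part of the presentation, of the kind of check a SCADA-aware IPS or a Snort rule would perform on Modbus/TCP traffic: it parses the MBAP header of each captured frame and raises an alert when a state-changing function code from the slides' table (coil and register writes) arrives from a host other than the allowlisted HMI, when the diagnostic function is used at all, or when the header is malformed. The host addresses and captured frames are constructed sample values.

```python
import struct
from typing import List, NamedTuple, Set, Tuple

# Function codes from the Modbus table on the slides that change device state
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# Diagnostic (8) can alter device behaviour, so it is reported whatever the source
DIAGNOSTIC_FUNCTIONS = {8}


class Frame(NamedTuple):
    src: str        # source IP as seen on the wire
    dst: str
    payload: bytes  # Modbus/TCP ADU: 7-byte MBAP header followed by the PDU


def parse_mbap(payload: bytes):
    """Return (transaction_id, protocol_id, unit_id, function_code), or None if malformed.

    MBAP = transaction id (2), protocol id (2, always 0 for Modbus), length (2), unit id (1).
    The length field counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    """
    if len(payload) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if length != len(payload) - 6:
        return None
    return tid, pid, unit, payload[7]


def inspect(frames: List[Frame], allowed_masters: Set[str]) -> List[Tuple[str, str, str]]:
    """Apply the checks to captured frames and return (src, dst, reason) alerts."""
    alerts = []
    for f in frames:
        parsed = parse_mbap(f.payload)
        if parsed is None:
            alerts.append((f.src, f.dst, "malformed MBAP header"))
            continue
        tid, pid, unit, fc = parsed
        if pid != 0:
            alerts.append((f.src, f.dst, f"unexpected protocol id {pid}"))
        if fc in WRITE_FUNCTIONS and f.src not in allowed_masters:
            alerts.append((f.src, f.dst, f"write function {fc} to unit {unit} from non-HMI host"))
        if fc in DIAGNOSTIC_FUNCTIONS:
            alerts.append((f.src, f.dst, f"diagnostic function {fc} to unit {unit}"))
    return alerts


# Constructed sample traffic (TEST-NET addresses): an HMI, an IED and an unknown host
HMI, IED, UNKNOWN = "192.0.2.10", "192.0.2.50", "192.0.2.99"
SAMPLE_FRAMES = [
    # HMI reads 2 holding registers starting at 0: normal polling, no alert
    Frame(HMI, IED, bytes.fromhex("000100000006" "01" "03" "0000" "0002")),
    # HMI writes a single coil: allowed, the HMI is the configured master
    Frame(HMI, IED, bytes.fromhex("000200000006" "01" "05" "0003" "ff00")),
    # Unknown host writes a single register: not an allowlisted master
    Frame(UNKNOWN, IED, bytes.fromhex("000300000006" "01" "06" "0010" "0000")),
    # HMI sends the diagnostic function (sub-function 0): reported regardless of source
    Frame(HMI, IED, bytes.fromhex("000400000006" "01" "08" "0000" "0000")),
    # Truncated frame: the length field does not match the bytes actually present
    Frame(UNKNOWN, IED, bytes.fromhex("000500000006" "01" "03")),
]

ALLOWED_MASTERS = {HMI}

if __name__ == "__main__":
    for src, dst, reason in inspect(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(f"ALERT {src} -> {dst}: {reason}")
```

Since the slides note that the HMI address can be spoofed, the source allowlist is a detection aid, not authentication; the alerts are meant to feed the IPS or SIEM, not to replace the one-way gateway or integrity controls discussed on the surrounding slides.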
![Page 61: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/61.jpg)
Monitor your network (4)
• Control access from outsiders
  – Energy market central regulators are able to control your power generation SCADA and make you generate what you won at the electricity market
  – Be able to override control from your local market control center if, for some reason, you notice abnormal operations that put your generation infrastructure at risk
![Page 62: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/62.jpg)
Monitor your network (5)
Source: FERC
![Page 63: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/63.jpg)
Control unauthorized changes to Master Terminal Unit
• SCADA platforms are designed to last from 10 to 20 years
  – Too many technology changes happen in that time
  – Lots of security issues to deal with
  – Need a solution to avoid any changes inside computers, as intrusions perform changes in the filesystem, configurations and system processes
![Page 64: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/64.jpg)
Control unauthorized changes to Unit Controllers and IED controllers
• Configuration and firmware changes can be done on-site and remotely
• Can you tell all the times where those changes have been done for all the IED and Unit controllers?
• Can you tell if that change actually contains the valid firmware and/or configuration?
• Check IndustrialDefender Manage
![Page 65: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/65.jpg)
Control unauthorized changes to Master Terminal Unit (3)
• Control any changes inside your SCADA servers
  – McAfee Integrity Control works pretty well
  – Defines what can be changed and by whom
  – Lots of custom logs to choose from
  – Can send events to any SIEM configured in the network
![Page 66: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/66.jpg)
Monitor attacks to Master Unit
• Host IPS is definitely needed, as any attack could change the integrity and stability of a process
• Availability is critical to a SCADA system and cannot be altered
• Conventional host IPS makes extensive use of CPU and can affect performance inside SCADA
![Page 67: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/67.jpg)
Monitor attacks to Master Unit (2)
• Industrial Defender Protect works pretty well
• Works seamlessly with the Siemens Spectrum platform
• Does not load the machine or need extensive bandwidth to perform its checks
• Central console to perform operations inside the platform
![Page 68: Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants](https://reader034.vdocuments.us/reader034/viewer/2022042607/554bda37b4c905ac708b529d/html5/thumbnails/68.jpg)
Questions? Comments?
Manuel Humberto Santander Peláez
http://manuel.santander.name
http://twitter.com/[email protected] / [email protected]