Welcome to PHOENIX CONTACT
Industrial SCADA network security seminar
ISAWWA
Matt Cowell, Phoenix Contact, ASE – North Central
www.phoenixcontact.com/water
847 226 5197
2 | Presentation | Matt Cowell | ASE Central | 24 February 2012
Who am I?
• Matt Cowell
• ASE (Automation Sales Engineer) – N. Central region
• Tenure – Joined Phoenix Contact Jan 2008
• Located Gurnee, IL (north of Chicago)
• Responsible for all Phoenix Contact Automation product in N. Central Region
• Automation product responsibility includes Ethernet, network security products, controllers and software, industrial PCs, HMIs, I/O and wireless
• Territory includes IL, WI, MN, MO, IA, KS, NE, ND, SD
• Background – Various engineering roles with later years focused in system integration
What does Phoenix Contact do?
Connectors? Terminal Blocks?
Plus a whole lot more…
Who are you?
• Water operators?
• System integrators?
• Engineering firm?
• IT?
• Other?
Agenda
• Industrial/SCADA networking introduction
• Recent product vulnerabilities
• Case studies of recent security breaches
• ‘Typical’ network layouts and comparisons
• Introduction to basic hacking techniques
• Live demonstration of hacking techniques used
  – Highlighting ease of implementation
  – Offering simple countermeasures and prevention
• Remote connectivity review
• Standards and regulations
• Product solutions and recommendations
Objectives of this seminar
• Not intended as a class in hacking to teach would-be hackers
• Raise awareness of often overlooked vulnerabilities
• Offer simple concepts and solutions for improved security
WARNING!
• Lots of TLAs and other acronyms
Question Time
• Has your network ever been hacked?
  – How do you know?
• Was Springfield’s Curran-Gardner facility hacked?
  – Contrary to news reports, it appears not…
• Whose responsibility is network security?
  – Everyone’s
  – Don’t assume someone else (IT) has it covered
What is a SCADA network?
• SCADA = Supervisory Control And Data Acquisition
• Commonly associated with an Industrial Control System (ICS)
• Typically a dedicated network interlinking critical devices that are part of controlling and/or monitoring a plant, infrastructure or a process
Typical devices – SCADA network
[Diagram: typical field devices in/near the control panel]
Wastewater SCADA n/w example
[Diagram: copper, fiber and wireless links between the Main Control Room, Main Pump Station, Sludge Dewatering, Disinfection, Blower Building, Final Clarifiers and Reject Pumps]
Characteristics of a SCADA network
• Often engineer governed
• Desire high speed (typically small data transfer – bits vs. MB)
• Deterministic
• Acceptable latency typically measured in ms
• High reliability data transfer in rugged form factor
• Typically comprising various protocols (Modbus TCP, DNP3, E/IP)
• Interconnected via various media (fiber, copper, wireless, leased lines etc.)
• Originally isolated islands (no WAN or internet connectivity)
• Longer system life cycle = more older technology and OS
Typical IT/Enterprise network
[Diagram: enterprise network connected to the Internet]
• Large network, vast data transfer, variable speed dependent upon load, latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (anti-virus/software firewall)
Evolution of connecting SCADA to IT network or internet?
[Diagram: Internet – Router/Firewall – Enterprise/Company level – SCADA/Ind. Network, with access throughout]
Why converge?
• Reporting – Regulatory requirements/compliance
• Convenience – Access from desk, city network
• Autonomy & remote access – Outside access for contractors
• Integration – to database/laboratory
• Mistake – Could also be inadvertent
Why consider security now?
• Scope of industrial networks has grown beyond conventional “switch only” networks (layer 2)
• Device access from IT/enterprise network is desired
• Remote access to SCADA systems is required for support
• Industrial devices lack network security features we have become familiar with (robust NICs, Windows updates, patches, anti-virus, HTTPS etc.)
• Vulnerabilities are being discovered daily
• Increase in network devices & trends are relying upon use of ‘the cloud’
• Few standards in place yet to enforce security
• Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0
• Industrial attacks are becoming more common and brazen – 1/3 of ALL malware was developed in the past year (Stuxnet, Night Dragon, Stars all made news headlines)
You already have physical security…
• Cameras and surveillance
  – Analogous to IDS (Intrusion Detection System)/logging
• Access control – access based upon credentials
  – Analogous to account/password control policy
• Perimeter security – fences, gates, locks
  – Analogous to firewalls
• Alarms
  – Analogous to Email/SMS/SNMP/HMI alarms
  – SIEM (Security Information & Event Management) or IDS
• Security guard
  – Analogous to IT/security focused professional
• We generally take physical security very seriously
The cyber threat is real…
Types of cyber incident
• Auditing
  – Legitimate attack/test
  – Vulnerability assessment
• Accidental
  – Broadcast storm, misconfiguration, faulty product etc.
  – Wrong IP
• Non-malicious intrusion
  – Monitoring data, stealing information etc.
• Malicious intrusion
  – Bad intentions/causing harm
  – Breaking something (equipment/process/data)
A few recently discovered vulnerabilities
• All confirmed and published by US-CERT (DHS)
• Schneider
  – ICS-ALERT-11-346-01 – SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES
  – ICSA-11-277-01 – SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW
  – ICSA-11-307-01 – SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES
• Siemens
  – ICSA-11-356-01 – SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES
  – ICS-ALERT-11-332-02A – SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES
  – ICS-ALERT-11-186-01 – PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
  – ICS-ALERT-11-161-01 – SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES
…more recently discovered vulnerabilities
• Rockwell Automation
  – VU#144233 – Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
  – ICSA-10-070-01A-UPDATE – ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW
  – ICS-ALERT-10-194-01 – OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE
  – ICSA-11-273-03A – ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY
• Others
  – ICS-ALERT-11-080-02 – MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)
  – ICSA-11-173-01 – CLEARSCADA REMOTE AUTHENTICATION BYPASS
  – ICSA-11-332-01 – INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
  – ICSA-11-243-03A – GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY
Network security breach case study: Stuxnet
• The industrial virus that brought mass media attention
• Complex rootkit exploiting 4 zero-day exploits
• Designed to attack Siemens control networks and Windows OS
• Used stolen digital certificates to look inconspicuous
• Could manipulate PLC logic and network traffic
• Automatically spreads via USB jump drive
• Reports updates back to internet server
• Targeted Iran’s uranium enrichment centrifuges, causing significant damage, but also spread worldwide
• Suspected to be a state-sponsored virus
• It has a ‘kill date’ coded into it to stop spreading on 6/24/12
Network security breach case study: South Houston wastewater facility
• On Nov 18th 2011 a hacker named ‘Pr0f’ broke into South Houston’s network as a reaction to DHS downplaying a suspected security breach in IL
• He posted his rant and HMI screenshots on pastebin.com
• Took advantage of a Siemens vulnerability using a 3-character default password to gain access to a publicly available HMI
• Breach wasn’t malicious but could have been
• He could have affected processes, causing harm, as well as accessing site documentation and drawings
• He could also have placed a virus on the network to cause harm/gain access at a later date
• No official announcement was made other than that the DHS and FBI are investigating further
Network security breach case study: Davis-Besse nuclear power plant
• Slammer worm caused PCs on the safety monitoring system to shut down
• Caused systems to be down for 5 hours
• Believed to have been inadvertently passed by a company contractor on an insecure network
• Spread to control network through internal T1 link to enterprise network
• Affected unpatched server
• Example of a “blind worm” using Denial of Service to overwhelm a system and shut it down
Network security breach case study: Maroochy Shire wastewater facility
• Disgruntled former contractor gained access via insecure wireless network
• Released 264,000 gallons of sewage into rivers
• Responsible for killing marine life, not to mention creating a stench for residents
• This occurred over a 3 week period; no one noticed for the first 2.5 weeks
• He was later arrested and sentenced to prison
Hot off the press…
Even Big Bird can’t help you!
Why do people ‘hack’?
• There are a number of motivators, including:
  – Ego
  – Criminal
  – Political/Spying
  – Hacktivism
  – Terrorism
  – War
  – Personal gain
  – Corporate gain
  – Sabotage
  – Retribution
  – Personal concern
How do people hack?
• Inside job/disgruntled employee – abusing network privileges
• Sniffing – intercepting network traffic, ARP spoofing. Unsecured messages (HTTP, SNMP v1 & 2) may contain passwords in plain text
• Password cracking – exploiting defaults, password generator, phishing, keylogging, brute force
• DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device.
• Spoofing – Firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it’s from a legitimate source to get access and hijack a session. Cyber impostor
• Wireless attack – Using packet captures and decryption tools it’s possible to extract the WEP key of a wireless AP.
• Virus/Worm – Self-replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread.
• Trojan – Malicious code attached to a legitimate file – once run, compromises the system by giving access to a hacker(s) as a virus would.
• Exploiting vulnerabilities – latest Windows updates, Stuxnet
• Social engineering – manipulating people to divulge information or perform an action – cyber con artist. Email/phone/baiting/phishing
Usually automated… scripts etc.
How easy is it to ‘hack’ a facility?
• Just ask Google
• Wireless breach
  – Wardriving
• If no access to the inside network, first have to find it:
  – Specialist search engines
  – Public IP and port scans
  – Social engineering via Trojan or phishing
• Vulnerabilities
  – Easy targets
  – Publicly available online and being found daily
• Dedicated tools to make life easier
…as we will see
Our demonstration scenario
[Diagram: demonstration network on 192.168.0.0/24 – PC (HMI) master, Lean Managed Switch, PLC slave and attacking PC at 192.168.0.100, .101, .102 and .200; router with LAN address 192.168.0.1 and WAN address 1.2.3.4 facing the Internet; perimeter drawn at the router]
1. Explore and learn the network (learning)
• What did we learn?
  – What subnet they are using (192.168.0.x – i.e. 255.255.255.0)
  – What devices are on the network (Linksys, LMS, VL, PLC)
    – What manufacturer (first 3 bytes of MAC ID)
    – What host name (if used)
  – What IP addresses/MAC addresses appear vacant for our attacking PC
  – What traffic is being broadcast and who from – see multicast too with an unmanaged switch.
• Recommendations:
  – Regulate who has access to the network – layer 1 prevention?
  – Isolation using routers/VLANs limits which devices can be scanned
2. Sniffing (learning cont.)
• What did we learn?
  – Switch sends traffic to the destination MAC address only, therefore to sniff someone else's packets, need to do an ARP spoof
  – Now we can see what devices are communicating with each other (VL-PLC) – man-in-the-middle attack
  – What type of traffic is flowing (UDP 44818 – E/IP)
  – What device seems to be a router/firewall (192.168.0.1)
  – The LMS password, as we happened to intercept an HTTP packet from Valueline to LMS that contained the password (‘private’)
  – Could intercept/modify any unencrypted data – Stuxnet
• Recommendations:
  – Incorporate software or switch that monitors ARP activity
  – Encrypt traffic – use HTTPS where possible
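As an added example of the "monitor ARP activity" recommendation (not code from the seminar or from Phoenix Contact), the following Python monitor replays a constructed ARP trace from the demo subnet, pins the PLC and gateway to known MACs, learns the rest, and raises an alert when an address is claimed by a different MAC or when one MAC keeps sending replies that answered no request. All addresses and MACs are made up for the example.

```python
"""ARP monitor over a constructed packet log. Added example for the
'monitor ARP activity' recommendation; not code from the seminar."""
from collections import Counter, namedtuple

# One ARP packet: op is "request" or "reply"; sender_* are the fields the
# packet claims, target_ip is who it was addressed to.
ArpPacket = namedtuple("ArpPacket", "t op sender_ip sender_mac target_ip")

# Constructed trace on the demo subnet. Addresses/MACs are made up for the example.
HMI, PLC, GATEWAY = "192.168.0.100", "192.168.0.102", "192.168.0.1"
HMI_MAC, PLC_MAC, GW_MAC, ROGUE_MAC = ("00:a0:45:00:00:aa", "00:a0:45:00:00:bb",
                                       "00:a0:45:00:00:01", "00:a0:45:00:00:cc")
SAMPLE_TRACE = [
    ArpPacket(0.0, "request", HMI, HMI_MAC, PLC),       # HMI asks who has the PLC address
    ArpPacket(0.1, "reply",   PLC, PLC_MAC, HMI),       # PLC answers: a solicited reply
    ArpPacket(0.2, "request", PLC, PLC_MAC, GATEWAY),
    ArpPacket(0.3, "reply",   GATEWAY, GW_MAC, PLC),
    # Poisoning pattern: a third station answers for both ends without being asked,
    # and keeps repeating so the victims' caches stay overwritten.
    ArpPacket(5.0, "reply",   PLC, ROGUE_MAC, HMI),
    ArpPacket(5.0, "reply",   HMI, ROGUE_MAC, PLC),
    ArpPacket(6.0, "reply",   PLC, ROGUE_MAC, HMI),
    ArpPacket(6.0, "reply",   HMI, ROGUE_MAC, PLC),
]


def monitor_arp(trace, static_bindings=None, unsolicited_limit=3):
    """Return (alerts, learned_bindings).

    static_bindings: {ip: mac} for devices whose address must never move (PLC,
    gateway); any claim that disagrees is an alert and the table is not updated.
    Other IPs are learned from the first sighting and an alert is raised whenever
    the MAC changes. A MAC that sends `unsolicited_limit` replies answering no
    request is also reported once."""
    static = dict(static_bindings or {})
    learned, pending, unsolicited, alerts = {}, set(), Counter(), []
    for p in trace:
        if p.op == "request":
            pending.add((p.sender_ip, p.target_ip))   # (asker, asked-for)
            solicited = True
        else:
            solicited = (p.target_ip, p.sender_ip) in pending
            pending.discard((p.target_ip, p.sender_ip))
        ip, mac = p.sender_ip, p.sender_mac
        if ip in static:
            if static[ip] != mac:
                alerts.append(f"t={p.t:.1f} {ip} claimed by {mac}, static binding is {static[ip]}")
        elif ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac:
            alerts.append(f"t={p.t:.1f} {ip} moved from {learned[ip]} to {mac}")
            learned[ip] = mac
        if not solicited:
            unsolicited[mac] += 1
            if unsolicited[mac] == unsolicited_limit:
                alerts.append(f"t={p.t:.1f} {mac} sent {unsolicited_limit} unsolicited replies")
    return alerts, learned


if __name__ == "__main__":
    found, table = monitor_arp(SAMPLE_TRACE, {PLC: PLC_MAC, GATEWAY: GW_MAC})
    print("\n".join(found))
    print(table)
```

Pinning the PLC and gateway is what makes every poisoning reply visible; without the pins the monitor only sees the first move of each address plus the burst of unsolicited replies.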
3. Port scanning (learning cont.)
• What did we learn?
  – What ports are open on each device
    – TCP
    – UDP
  – Potentially exploit known vulnerabilities & back doors
• Recommendations:
  – Use a firewall when possible
  – Use logging to notify you of port scans
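As an added example of the "use logging to notify you of port scans" recommendation (not code from the seminar or any vendor), the following Python script parses constructed firewall log lines in a netfilter-style key=value format (an assumption) and flags any source that touches several distinct ports on one host within a sliding time window. The HMI's accepted EtherNet/IP polling is left alone; the attacking PC's sweep of the PLC is reported.

```python
"""Port-scan detection over constructed firewall log lines. Added example for
the 'log and notify on port scans' recommendation; not the seminar's code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed log format: syslog timestamp, host, process, then netfilter-style fields.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ (?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)")

# Ports a sweep of a PLC typically probes (IT services plus ICS protocols).
SCANNED_PORTS = [21, 22, 23, 80, 102, 443, 502, 2222, 20000, 44818]


def constructed_log():
    """Constructed sample: HMI (.100) polling the PLC (.102) every 2 s, and the
    attacking PC (.200) probing one PLC port per second, all dropped by the firewall."""
    lines = [f"Feb 24 09:12:{i:02d} fw kernel: ACCEPT IN=lan SRC=192.168.0.100 "
             f"DST=192.168.0.102 PROTO=UDP SPT=44818 DPT=44818" for i in range(0, 20, 2)]
    lines += [f"Feb 24 09:12:{i + 1:02d} fw kernel: DROP IN=lan SRC=192.168.0.200 "
              f"DST=192.168.0.102 PROTO=TCP SPT={40000 + i} DPT={port}"
              for i, port in enumerate(SCANNED_PORTS)]
    return lines


def parse(line, year=2012):
    """Return (timestamp, action, src, dst, proto, dport) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["action"], m["src"], m["dst"], m["proto"], int(m["dpt"])


def detect_port_scans(lines, window_s=60, min_ports=5):
    """Return {src: (dst, first_alert_time, sorted_ports)} for every source whose
    DROPped packets hit at least min_ports distinct ports on one host within
    window_s seconds. Only drops count: accepted traffic is the known-good policy."""
    records = sorted(r for r in map(parse, lines) if r is not None)
    recent = defaultdict(deque)          # (src, dst) -> deque of (ts, port) inside the window
    alerts = {}
    for ts, action, src, dst, _proto, port in records:
        if action != "DROP":
            continue
        q = recent[(src, dst)]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                  # slide the window forward
        ports = sorted({p for _, p in q})
        if len(ports) >= min_ports:
            first_seen = alerts[src][1] if src in alerts else ts
            alerts[src] = (dst, first_seen, ports)
    return alerts


if __name__ == "__main__":
    for src, (dst, when, ports) in detect_port_scans(constructed_log()).items():
        print(f"{when:%H:%M:%S} possible port scan from {src} against {dst}: {ports}")
```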
4. DoS attack
[Diagram: demonstration network as before – HMI master, Lean Managed Switch, PLC slave, attacking PC, router 192.168.0.1 / 1.2.3.4]
4. Denial of Service attack
• What did we learn?
  – With the information we collected by learning the network, we can now break it
  – Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets
  – This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device, requiring a power cycle or losing its program
• Recommendations:
  – Use firewalls to control/restrict access
  – Use managed switches with bandwidth limitation or routers to prevent excess traffic
  – Enable monitors/logging to watch and automatically notify of dangerous traffic levels
5. Outside port scan and DoS
[Diagram: demonstration network with the router port-forwarding UDP 44818 to 44818 on the PLC; a scan from the Internet shows 44818 OPEN]
• What did we learn?
  – Simple port scans on the public IP address uncover open/unrestricted ports
    – 44818 open
  – The public network is constantly being scanned by scripts looking for open ports/backdoors
  – Not only can we learn from the outside but we can cause damage also
  – Don’t rely on ‘security by obscurity’ and don’t assume that somebody else has it covered
• Recommendations:
  – Don’t open ports without due care – use VPN instead!
  – Set firewall rules to restrict any open access
  – Enable monitors/logging to watch and automatically notify of unknown traffic or dangerous traffic levels
Control the ‘inside’
• Prevent unnecessary access to industrial devices/network
• Use a firewall to control traffic rules
• Be careful of open ports and ‘backdoors’
• Ensure adequate encryption when using wireless (WPA2) & a long, unusual pass phrase
• Restrict USB drive usage
• Be careful of infected internal PCs – a virus or Trojan can run on the inside (‘inside job’), cause havoc and send information out
  – It’s claimed 60-70% of all security breaches are carried out by insiders
6. WiFi cracking (on the outside)
6. Gaining access through WiFi crack
• What did we learn?
  – WiFi packets are transmitted over the air for all to see
  – Using specialist tools it’s easy to intercept 802.11 network traffic and get enough ‘samples’ to decipher a WEP encrypted key.
  – Which can then be used to gain access to the network from afar.
  – WPA can be breached too but requires a bit more time and the use of rainbow tables or brute force
  – A wireless network could also be jammed rather than penetrated
• Some recommendations:
  – Only use wireless if truly necessary and be aware of the consequences
  – Use the highest level of encryption available (min WPA2 for WiFi)
  – Disable SSID broadcasting
  – Use long, complex passphrases when possible
  – Use an Intrusion Detection System (IDS) and logging
  – Segment wireless networks and place behind firewalls
Half time – Break?
• 5-10 mins
Our demonstration scenario
[Diagram: demonstration network as before – HMI master, Lean Managed Switch, PLC slave, attacking PC, router 192.168.0.1 / 1.2.3.4]
How could we prevent this attack?
• Stateful firewall – define rules of access – allow only legitimate access to those who need it. Locked down to those who don’t, and all other ports are blocked (potential vulnerabilities or backdoors). Keeps track of connections to prevent illegitimate traffic (spoofed/hijacked).
• Hides/protects potential product vulnerabilities
• Usually combined with a router which also provides isolation from ARPs and broadcasts – devices appear hidden.
Firewall cont.
• NOTE: use of a firewall is a common recommendation by US-CERT for posted vulnerabilities
How could we prevent this attack?
• Plug and play – some security products can be applied as a drop-in solution (no changes required to existing devices’ IPs or default gateway) – least intrusive to the existing network.
• Hides potential product vulnerabilities
[Diagram: firewall rule set between the Lean Managed Switch and the PLC slave, with a rule entry for 192.168.0.200]
How could we prevent this attack?
• Extra control – device to check packet consistency to block malformed packets (checksum, packet size), regulate use of PINGs, regulate TCP connections
  – Sometimes used to hack a device
How could we prevent this attack?
• DoS flooding prevention – restrict number of incoming SYN requests (prevent SYN flood), further ICMP and ARP control
How could we prevent this attack?
• Logging and notification – local logging, remote logging using SYSLOG, SNMP traps, Email, SMS as soon as something occurs
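As an added example (not seminar or mGuard code), the following Python model ties together the protections on the preceding slides: rule matching by interface, IP, MAC and port; TCP state so that a mid-connection segment with no accepted SYN is dropped; a per-source SYN limit; a per-flow UDP packet-rate limit; and one syslog-style line per source, reason and second. It is run over a constructed trace of the demo network containing the HMI's polling, the attacking PC's floods from its own address, with a spoofed IP, and with spoofed IP and MAC, a SYN flood, and two packets from the Internet, one to the PLC's EtherNet/IP port and one to the VPN port (the later "VPN instead of port forwarding" step). The addresses, MACs, limits and the Modbus/TCP rule are assumptions.

```python
"""Stateful packet filter with SYN and per-flow rate limits and syslog-style
alerts, run over a constructed trace of the demo network. Added example; not
the seminar's or any vendor's code."""
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "t iface src src_mac dst proto sport dport syn")
Rule = namedtuple("Rule", "iface src src_mac dst proto dport")   # None matches anything

# Assumed policy: on the LAN only the HMI (IP and MAC pinned) may reach the PLC over
# EtherNet/IP (UDP 44818) and Modbus/TCP (502); from the WAN only IKE/NAT-T (UDP 500
# and 4500) may reach the VPN router itself. Nothing else is forwarded.
HMI_IP, HMI_MAC = "192.168.0.100", "00:a0:45:00:00:aa"      # constructed addresses
PLC_IP, ROUTER_IP = "192.168.0.102", "192.168.0.1"
ATK_IP, ATK_MAC = "192.168.0.200", "00:a0:45:00:00:cc"
RULES = [
    Rule("lan", HMI_IP, HMI_MAC, PLC_IP, "udp", 44818),
    Rule("lan", HMI_IP, HMI_MAC, PLC_IP, "tcp", 502),
    Rule("wan", None, None, ROUTER_IP, "udp", 500),
    Rule("wan", None, None, ROUTER_IP, "udp", 4500),
]


class StatefulFirewall:
    def __init__(self, rules, syn_limit=20, udp_pps_limit=50):
        self.rules, self.syn_limit, self.udp_pps_limit = rules, syn_limit, udp_pps_limit
        self.tcp_state = set()        # (src, dst, sport, dport) opened by an accepted SYN
        self.syn_per_sec = Counter()  # (src, second) -> SYNs seen
        self.udp_per_sec = Counter()  # (src, dst, dport, second) -> datagrams seen
        self.stats = Counter()
        self.log, self._logged = [], set()

    def _permitted(self, p):
        return any(r.iface == p.iface and r.proto == p.proto and r.dport == p.dport
                   and r.dst == p.dst and r.src in (None, p.src)
                   and r.src_mac in (None, p.src_mac) for r in self.rules)

    def _drop(self, p, reason):
        self.stats["drop:" + reason] += 1
        key = (p.src, p.src_mac, reason, int(p.t))      # one syslog line per source/reason/second
        if key not in self._logged:
            self._logged.add(key)
            # RFC 3164 PRI = facility*8 + severity: local0 (16), warning (4) -> <132>
            self.log.append(f"<132>fw: DROP {reason} in={p.iface} src={p.src} mac={p.src_mac} "
                            f"dst={p.dst}:{p.dport}/{p.proto} t={p.t:.2f}")
        return "drop", reason

    def filter(self, p):
        sec = int(p.t)
        if p.proto == "tcp" and not p.syn:
            # mid-connection segment: valid only if a SYN was accepted for this 4-tuple
            if (p.src, p.dst, p.sport, p.dport) in self.tcp_state:
                self.stats["accept"] += 1
                return "accept", "established"
            return self._drop(p, "no_state")
        if not self._permitted(p):
            return self._drop(p, "rule")
        if p.proto == "tcp":
            self.syn_per_sec[(p.src, sec)] += 1
            if self.syn_per_sec[(p.src, sec)] > self.syn_limit:
                return self._drop(p, "syn_rate")
            self.tcp_state.add((p.src, p.dst, p.sport, p.dport))
        else:
            self.udp_per_sec[(p.src, p.dst, p.dport, sec)] += 1
            if self.udp_per_sec[(p.src, p.dst, p.dport, sec)] > self.udp_pps_limit:
                return self._drop(p, "udp_rate")
        self.stats["accept"] += 1
        return "accept", "rule"


def build_trace():
    """Constructed packets: HMI polling at 10/s, then the floods from the DoS steps."""
    pk = [Packet(i / 10, "lan", HMI_IP, HMI_MAC, PLC_IP, "udp", 44818, 44818, False) for i in range(40)]
    pk += [Packet(1 + i / 100, "lan", ATK_IP, ATK_MAC, PLC_IP, "udp", 2000 + i, 44818, False)
           for i in range(100)]                                   # attacker's own address
    pk += [Packet(2 + i / 100, "lan", HMI_IP, ATK_MAC, PLC_IP, "udp", 44818, 44818, False)
           for i in range(100)]                                   # spoofed HMI IP, own MAC
    pk += [Packet(3 + i / 200, "lan", HMI_IP, HMI_MAC, PLC_IP, "udp", 44818, 44818, False)
           for i in range(200)]                                   # spoofed IP and MAC flood
    pk += [Packet(4 + i / 100, "lan", HMI_IP, HMI_MAC, PLC_IP, "tcp", 50000 + i, 502, True)
           for i in range(100)]                                   # SYN flood, fully spoofed
    pk.append(Packet(4.5, "lan", HMI_IP, HMI_MAC, PLC_IP, "tcp", 60000, 502, False))  # ACK, no SYN
    pk.append(Packet(5.0, "wan", "203.0.113.9", "00:00:5e:00:53:01", PLC_IP, "udp", 44818, 44818, False))
    pk.append(Packet(5.1, "wan", "203.0.113.9", "00:00:5e:00:53:01", ROUTER_IP, "udp", 500, 500, False))
    return sorted(pk, key=lambda p: p.t)


def run_demo():
    """Filter the trace; return the firewall and the packets that reached the PLC."""
    fw = StatefulFirewall(RULES)
    reached_plc = [p for p in build_trace() if fw.filter(p)[0] == "accept" and p.dst == PLC_IP]
    return fw, reached_plc


if __name__ == "__main__":
    fw, reached = run_demo()
    print(dict(fw.stats), len(reached), "packets reached the PLC")
    print("\n".join(fw.log))
```

Only the fully spoofed flood costs the HMI anything: in that second the flow's packet budget is shared between the real poll and the forged packets, but the PLC never sees more than the limit, which is the behaviour the slides report.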
7. Inside DoS attack with firewall protection
[Diagram: demonstration network with the firewall placed in front of the PLC slave (192.168.0.102)]
7. Denial of Service attack with firewall
• What did we learn?
  – The firewall can easily be dropped into an existing network
  – Firewall rules are quick and easy to add and allow you to define control in either direction based upon IP, port and MAC
  – The firewall prevents the attack from getting to the target device (PLC) whilst allowing legitimate communications to continue
  – The PLC continues to operate as expected during the attack
  – The SYSLOG suggests something untoward is happening, as our signal for attention
8. Outside DoS attack with firewall protection
[Diagram: demonstration network with the firewall in front of the PLC slave (192.168.0.102) and the router still port-forwarding UDP 44818 to 44818; a scan from the Internet shows 44818 OPEN]
8. Denial of Service attack with firewall
• What did we learn?
  – The hacker can still see that port 44818 is open but is unable to DoS the PLC
  – Even a DoS attack from an IP/MAC that is allowed in the firewall cannot attack the PLC because of the STATEFUL firewall
  – Trying to spoof the MAC or IP will not allow a DoS attack to be successful either
  – As on the inside, the firewall prevents the attack from getting to the target device (PLC) whilst allowing legitimate communications to continue
  – The PLC continues to operate as expected during the attack
  – The SYSLOG suggests something untoward is happening, as our signal for attention
Remote connectivity solutions
• Dial-up modem – analog lines
• Cellular modem – GSM/GPRS
• Satellite
• 3rd party hosted connection – Citrix, GoToMyPC, Webex
• VPN tunneling
• Others? – dedicated circuits (leased line, T1, T3 etc.)
[Diagram: local site connected to remote site]
3rd party hosted connection
• Typically a remote desktop type solution, thus requires a PC
• Uses a service provided by a 3rd party & special software. The 3rd party acts as a middle man for remote connections
• Requires all necessary software and LICENSES to be installed on the remote PC
• Potential for security vulnerability as data is public
• Link is owned and maintained by the 3rd party, therefore becoming reliant upon them and typically with ongoing cost – monthly fee
• Slower than a direct connection as traffic has to travel to the 3rd party data center and then on to the destination
• Can be relatively slow under limited bandwidth conditions as it is streaming live GUI information
• Generally not recommended for control systems
VPN tunneling
• Virtual Private Network connection between VPN routers using encrypted authentication and encrypted data transfer
• Provides complete network access as if you were physically connected to the remote network
• Provides very secure network access across a public network
• Typically used across the internet to provide a secure tunnel
• Requires higher level networking/security knowledge
• Can be connected directly to the Internet. If behind another router (i.e. on a private network) a NAT rule or port forward would be required.
• Fast data transfer (70 Mbps is possible with mGuard)
VPN continued
• Different types of VPN – open standards
  – IPsec – Internet Protocol Security – end to end
  – SSL – Secure Sockets Layer – requires log in via browser
  – PPTP – Point to Point Tunneling Protocol – mature technology
  – L2TP – Layer 2 Tunneling Protocol – mature technology
• Security – ability to encrypt traffic traversing the internet, authentication to only allow exchanges between approved devices, and ability to prevent message alteration
  – Authentication – recommend X.509 certificates
  – Encryption and hashing – 3DES, AES, SHA1 etc.
  – Firewall
  – IPsec ports – UDP 500 & 4500, but can sometimes be encapsulated in TCP also
9. Using VPN instead of port forwarding
9. VPN example
[Diagram: demonstration network with the router forwarding only UDP 500 and 4500 (IPsec) to the VPN endpoint instead of UDP 44818 to the PLC slave (192.168.0.102)]
• What did we learn?
  – VPN is considerably more secure than the previous port forward mechanism (authenticated and encrypted)
  – The supporting engineer can still use his own laptop to connect to the PLC as he did before
  – The VPN client is a piece of software running on the PC
  – The VPN client can only see the LAN control network
  – VPN is interoperable due to open standards
What industries should be concerned?
• ALL critical infrastructure
• Water/Wastewater
• Oil and gas
• Hospitals
• Prisons
• Power generation and power distribution
• Chemical plants
• Nuclear reactors
• HVAC systems – these not only cool people but critical servers
It gets worse…
Cybersecurity Act of 2012
Water is considered critical infrastructure! …the DHS says so
Regulations, Standards and Guidelines
• Regulations (federal law) – not industry specific
• Standards – sometimes industry specific but not yet for W/WW
• Guidelines – specific for W/WW
Regulations, Standards and Guidelines
• Which regulations, standards & guidelines DO YOU think are important to you?
• CFATS
• NIST
• ISA 99
• G430-09
• J100-10 (RAMCAP)
• NERC/CIP – an example from the energy sector that has pass/fail conformance testing with legal consequences
Standards, Regulations and Guidelines
[Diagram summarising:]
• Regulations (federal law) – Bioterrorism Act (2002); CFATS; pending (2009) Cyber Security Act
• Standards – NEC 708; NERC CIP; NIST; G430; ISA-99; J-100
• Guidelines – Roadmap to Secure Control Systems
�NIST (www.nist.gov)
� Overall security practices
� Initially oriented towards gov’t, now more inclusive
� 800-12 An Introduction to Computer Security
� 800-14 Generally Accepted Principles and Practices for securing
Information Technology Systems
� 800-53 Recommended Security Controls for Federal Information
Systems and Organizations
� 800-61 Computer Security Incident Handling Guide
� 800-82 - Guide to Industrial Control Systems Security
�FIPS – subdivision within NIST
� Federal Information Processing Standard
� FIPS-140 deals with cryptography and data security
ISA99 – Ind. Automation & Control System Security Committee
• “Process” to help secure a network
• Authentication and auditing play big roles
• Firewalls a necessity
• VPN “strongly recommended” for remote connectivity
• ISA99 will become international standard IEC 62443
ISA99 – Ind. Automation & Control System Security Committee
• ISA 99.01.XX – Describes terminology, concepts, models and metrics
• ISA 99.02.XX – Describes the requirements for establishing and operating an IACS security program
• ISA 99.03.XX – Describes the technical requirements at the systems level and the definition and requirements for security assurance levels
• ISA 99.04.XX – Describes the technical requirements for the components and devices that could be used to build an IACS system
ANSI / AWWA G430-09 – Security Practices for Operation & Management
Purpose is to define the minimum requirements for a protective security program for a water or wastewater utility that will promote the protection of employee safety, public health, public safety, and public confidence.
• 4.8.2 Define security-sensitive systems & information
• 4.8.2 Protecting IT and SCADA systems: The utility should review the Roadmap to Secure Control Systems in the Water Sector as an aid in evaluating its ICS or SCADA vulnerabilities and recommending strategies for improvement.
• 5.1.2 Documented procedure for protecting/maintaining critical IT & SCADA systems
ANSI / AWWA G430-09 – Security Practices for Operation & Management
• Requirements:
  – a) Explicit Commitment to Security
  – b) Security Culture
  – c) Defined Security Roles and Employee Expectations
  – d) Up-To-Date Assessment of Risk (Vulnerability)
  – e) Resources Dedicated to Security and Security Implementation Priorities
  – f) Access Control and Intrusion Detection
  – g) Contamination, Detection, Monitoring and Surveillance
  – h) Information Protection and Continuity
  – i) Design and Construction
  – j) Threat Level-Based Protocols
  – k) Emergency Response and Recovery Plans and Business Continuity Plan
  – l) Internal and External Communications
  – m) Partnerships
  – n) Verification
ANSI/ASME-ITI/AWWA J100-10 RAMCAP: Risk Analysis and Management for Critical Asset Protection
• Process for analyzing and managing risks associated with malevolent attacks and naturally occurring hazards against critical infrastructure.
• Calculates risk of attack, natural hazard and resilience
• Documents a process for identifying security vulnerabilities, consequences, and incident likelihood and provides methods to evaluate the options for reducing these elements of risk.
ANSI/ASME-ITI/AWWA J100-10 RAMCAP: Risk Analysis and Management for Critical Asset Protection
[Figure from: Advancing the Culture of Security and Preparedness in the Water Sector – Kevin Morley – AWWA Journal, June 2010]
Roadmap to Secure Control Systems in the Water Industry
• Developed by the Water Sector Coordinating Council (WSCC) Cyber Security Working Group (CSWG) with support from the Department of Homeland Security National Cyber Security Division and American Water Works Association (AWWA).
• Download: http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf
Excerpt from Roadmap to Secure Control Systems in the Water Sector
Taking a page out of Electricity’s book…
• FERC formulated NERC to ensure reliability of the N. American bulk power system
• Who formed NERC/CIP (Critical Infrastructure Protection) standards amongst others
• Requires compliance audit
• No product-only solution can provide compliance, contrary to marketing. Requires electronic security, physical security, personnel training, recovery plans etc.
• Federal penalties for non-compliance
• Whilst it does not directly apply to W/WW, it’s a likely snapshot of the future
• 21 steps to improve cyber security of SCADA networks – http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf
NERC/CIP
CIP Requirement | Controls
CIP-002 | Critical Cyber Asset Identification
CIP-003 | Security Management Controls
CIP-004 | Personnel Security and Training
CIP-005 | Electronic Security Perimeter
CIP-006 | Physical Security
CIP-007 | Systems Security Management
CIP-008 | Incident Reporting and Response Planning
CIP-009 | Recovery Plans for Critical Cyber Assets
Defense in Depth in theory
• Security concept borrowed from the military
• It is harder for an adversary to penetrate many smaller, varied and independent layers of defense than one single large layer that may have a flaw.
• More independent layers of security = more time and effort required for an attack (stacking identical controls adds little)
• Contains an attack to the layer(s) that have been breached; the rest of the network remains protected while the intruder works on the next layer.
• A breach of an outer layer can raise an alarm that an attack is ongoing, allowing protective measures to be taken before all is lost (this only works if the layers are monitored)
• Allows combinations of security product solutions: an industrial firewall in the panel and IT-grade equipment upstream
Defense in Depth in practice
www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
[Diagram: Zones, Firewalls, DMZ, IDS/Logging]
Example SCADA Specifications
2.4 ETHERNET SWITCH
A. General: Furnish and install fiber-optic Ethernet switches as shown.
B. Features:
  • 100/1000 base-T (auto-sensing).
  • Minimum of five (5) RJ-45 ports. Ethernet ports shall be expanded as needed to interconnect all system components.
  • Minimum of two (2) fiber optic ports for one (1) fiber pair. Fiber optic ports shall be expanded as needed to interconnect all system components.
  • LED for indicating port status.
  • Internal Panel mounting kit.
  • Failsafe output relay to indicate malfunction with unit.
  • FCC Part 15, Class A compliant
  • Provide management software for multilevel security, web based configuration and remote monitoring.
  • Powered by circuit on Uninterruptible Power Supply.
C. Product and manufacturer: ConneXium Switches Model 499-NOS-27100. No Substitutions.
2.5 FIBER-TO-COPPER MEDIA CONVERTERS
A. Fiber optic converters shall convert Ethernet TCP/IP network data to a format suitable for transmission over multi-mode fiber optic cable.
B. Features: Converters shall provide:
  • Full-duplex 100M/1000Gbps Ethernet operation.
  • Multimode fiber optic media support.
  • Remote and local interface status.
C. Provide suitable transformers to convert 120VAC power to appropriate voltage necessary to provide power to Transceivers.
D. For control panel mounting, converter shall be DIN-rail mountable.
E. Product and manufacturer:
  • IFS.
  • Or Equal.
2.8 SWITCHES AND MEDIA CONVERTERS
A. Provide Switches meeting the following requirements
  1. Provide Phoenix Contact switch SFN6TX2FXST. Switch to operate on 24VDC. Switch to have six (6) RJ45 copper ports and two (2) fiber ports with ST connections
  2. Provide one switch in each remote I/O cabinet and one switch for PLC B-C
B. Provide fiber optic media converter(s) as shown on the drawings, called for in the specifications or as required to result in a complete and working system
  1. Media converter(s) shall operate on either 120VAC or 24VAC power and shall be supported by a UPS
  2. Provide media converter with RJ-45 port for copper cable and ST connector for fiber optic cable.
  3. Provide one media converter for PLC C-B and two additional media converters to be used by the owner.
2.9 NETWORK SECURITY
A. Provide central managed switches meeting the following requirements
  1. Provide Phoenix Contact switch MCS 14TX/2FX. Switch to operate on 24VDC. Switch to have fourteen (14) RJ45 copper ports and two (2) fiber ports with SC connections
  2. Provide one switch in lockable, main control cabinet
  3. VLAN support to be enabled
B. Provide one (1) firewall per each lockable RTU cabinet
  1. Firewall rules to be configured to allow only TCP port 502 (Modbus/TCP) inbound from the main PLC IP address to the RTU PLC IP address; all other traffic denied
  2. DoS prevention to be active
C. Provide one (1) firewall for the lockable, main control cabinet
  1. Firewall rules to be configured to allow only TCP port 502 (Modbus/TCP) inbound from the main SCADA PC IP address to the main PLC IP address; all other traffic denied
  2. DoS prevention to be active
D. A designated IDS (intrusion detection system) must be implemented on the SCADA network
E. VPN must be configured for all outside remote access
F. Control and SCADA network must implement a defense in depth, layered approach as per ISA-99
Product solutions
• Commercial vs. industrial
• Routers help with isolation but are not security appliances
• Stateful firewall with logging capability, as part of a defense in depth strategy
• Unidirectional gateways/data diodes
• Proxy servers: regulate HTTP traffic
• Deep packet inspection firewall: adds extra latency and cost
• VPN solution, hardware or software
• IDS/IPS: dedicated system (likely running on a dedicated PC/server, e.g. Snort)
• SIEM: aggregator of all logs, IDS alerts etc.; provides a dashboard, similar to a police dispatcher
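The 2.9 NETWORK SECURITY specification above pins Modbus/TCP (TCP port 502) to one source/destination pair, and the product list notes that a deep packet inspection (DPI) firewall adds latency and cost. The following Python model is added here as an illustration, not code from the seminar or from any Phoenix Contact product, to show what that extra inspection buys: the same perimeter rule is evaluated first port-only, then with the Modbus/TCP header parsed so that malformed frames and write function codes (5, 6, 15, 16, 22, 23) can be refused. The IP addresses, the Packet class and the sample frames are constructed assumptions for the demonstration.

```python
"""Added example (not from the seminar slides): port-only vs Modbus-aware filtering
for the spec 2.9 rule "allow only TCP 502 from the SCADA PC to the main PLC".
Addresses and frames below are constructed for the demonstration."""

import struct
from dataclasses import dataclass

# Constructed addresses for the demo (assumption, not from the slides).
SCADA_PC = "10.0.1.10"    # main SCADA PC, the only allowed source
MAIN_PLC = "10.0.1.20"    # main PLC, the protected destination
ROGUE_HOST = "10.0.1.99"  # anything else on the segment
MODBUS_TCP_PORT = 502

# Modbus function codes that change process state (writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes  # TCP payload, i.e. the Modbus/TCP ADU


def build_modbus_frame(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP ADU: 7-byte MBAP header + PDU.
    MBAP = transaction id, protocol id (0 = Modbus), length (unit id + PDU), unit id."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_function_code(payload):
    """Return the function code of a Modbus/TCP ADU, or None if the frame is malformed."""
    if len(payload) < 8:                       # header (7) + at least the function code
        return None
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        return None                            # not Modbus, or the length field lies
    return payload[7]


def port_only_policy(pkt):
    """Spec 2.9 C.1 as written: TCP 502 from the SCADA PC to the PLC, default deny."""
    return (pkt.proto == "tcp" and pkt.src_ip == SCADA_PC
            and pkt.dst_ip == MAIN_PLC and pkt.dst_port == MODBUS_TCP_PORT)


def dpi_policy(pkt, writers=frozenset()):
    """Same perimeter rule plus Modbus awareness: drop malformed ADUs and drop
    write function codes unless the source is an explicitly listed writer."""
    if not port_only_policy(pkt):
        return False
    fc = parse_modbus_function_code(pkt.payload)
    if fc is None:
        return False
    if fc in WRITE_FUNCTION_CODES and pkt.src_ip not in writers:
        return False
    return True


def demo():
    """Run constructed traffic through both policies; returns {name: (port_only, dpi)}."""
    read_regs = build_modbus_frame(1, 1, 3, struct.pack(">HH", 0, 10))       # read 10 holding registers
    write_coil = build_modbus_frame(2, 1, 5, struct.pack(">HH", 1, 0xFF00))  # force coil 1 ON
    cases = {
        "scada_read": Packet(SCADA_PC, MAIN_PLC, "tcp", 502, read_regs),
        "scada_write": Packet(SCADA_PC, MAIN_PLC, "tcp", 502, write_coil),
        "rogue_read": Packet(ROGUE_HOST, MAIN_PLC, "tcp", 502, read_regs),
        "scada_udp": Packet(SCADA_PC, MAIN_PLC, "udp", 502, read_regs),
        "scada_garbage": Packet(SCADA_PC, MAIN_PLC, "tcp", 502, b"\x00\x01\x00\x00"),
    }
    return {name: (port_only_policy(p), dpi_policy(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (plain, dpi) in demo().items():
        print(f"{name:14s} port-only={'ALLOW' if plain else 'DROP'}  dpi={'ALLOW' if dpi else 'DROP'}")
```

Running the demo shows where the two rules differ: the port-only rule rejects the rogue host and the UDP probe exactly as the spec intends, but it passes a coil write and a malformed four-byte frame from the SCADA PC straight to the PLC's own protocol parser. The Modbus-aware rule drops both unless the SCADA PC is deliberately added to the `writers` set, which is the trade-off the product slide describes: more protection against a compromised or misbehaving SCADA host, at the price of a firewall that has to parse every frame.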
Summary - Prevention is better than cure
• Many industrial devices are vulnerable…not just the Allen-Bradley MicroLogix 1100 (AB MLX 1100)
• An air gap is a good line of defense if possible, but not a complete one
• Adopt a defense in depth strategy employing various layers of security
• Keep an inventory of networked devices and watch for vulnerabilities/updates
• Implement physical (layer 1) security: lockable panels, secured patch cables etc.
• Use up-to-date anti-virus/anti-spyware and ensure any PCs are routinely patched/updated
• When interconnecting devices/panels use a firewall
• Isolate industrial devices and restrict network access to only those that need it (access control)
• Consider specialist firewall functions (DoS prevention, CIFS monitoring)
• VLANs and MAC filtering on managed switches can provide some defense (MAC addresses are trivially spoofed, so treat filtering as a deterrent, not a control)
• Change default passwords and use ‘strong’ passwords
Summary - Prevention is better than cure
• Use VPN for ALL remote connections
• Restrict use of USB jump drives (disable the PC autorun feature, consider encrypted jump drives, don’t allow anyone’s stick)
• Restrict/prevent web access to the internet from the control network
• Use HTTPS exclusively when entering passwords or using secure web pages
• Consider network logging, SNMP, alerts, intrusion detection, honeypots: how else will you know something bad happened?
• When using wireless always encrypt, with a minimum of WPA2 for Wi-Fi
• Be aware of smartphone vulnerabilities and their place in SCADA
• Implement an authentication/authorization policy, including how to handle the access credentials of former employees/contractors
• Security is not a one-and-done solution: standards keep evolving, new vulnerabilities keep appearing, and someone has to stay on top of things
• Security is also more than a one-product solution: it’s a way of life
• Security requires behavioral diligence from EVERYONE
Summary - Prevention is better than cure
• Take ownership, don’t assume it is already covered: ask questions
• Take advantage of online resources
• Talk to a specialist and consider getting a vulnerability assessment
• Educate all employees
• Evaluate your system conceptually using the free US-CERT CSET (Cyber Security Evaluation Tool) for risk analysis
• Devise a cyber security policy: what are your security goals?
• Devise a response/recovery plan for any potential events and keep secure backups of all critical code
Thank You – Questions?
� Distrust and caution are the parents of security - Benjamin Franklin
Online Resources
• www.us-cert.gov
  http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
• www.infragard.net
• https://portal.waterisac.org/web/
• www.isa.org
• www.awwa.org
  http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf
• www.nist.gov
• www.phoenixcontact.com/water
• http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf