scada security presentation by stephen miller

CONTROL SYSTEMS SECURITY PROGRAM (SCADA CYBER SECURITY) January 11, 2012 Presented by Stephen Miller ENMU-Ruidoso Cyber Security Center of Excellence http://academic.enmu.edu/millerst/

Upload: marcia-gadbois

Post on 28-Nov-2014


DESCRIPTION

SCADA Security presentation by Stephen Miller of the Cyber Security Center of Excellence for InduSoft.

TRANSCRIPT

Page 1: Scada security presentation by Stephen Miller

CONTROL SYSTEMS SECURITY PROGRAM (SCADA CYBER SECURITY)

January 11, 2012
Presented by Stephen Miller

ENMU-Ruidoso
Cyber Security Center of Excellence
http://academic.enmu.edu/millerst/

Page 2

Topics Covered

• Introduction of Cyber Security Center of Excellence
• Control Systems Security Program Overview
  – Overview of Cyber Vulnerabilities
  – Understanding Control System Cyber Vulnerabilities
  – Access to the Control System LAN
  – Discovery of the Process
  – Control of the Process
• Q & A

Content from Eric Cornelius, Director SCADA Cyber Forensics, Department of Homeland Security, Idaho National Labs and USCERT

Page 3

Introduction of Cyber Security Center of Excellence

• Provide unique online Evergreen Education and Training Programs in IT/SCADA Cyber Security.
• Build on the current online programs:
  – Computer and Network Certification Credit Hour.
  – Professional Education Self-Paced Cyber Security Program.
  – Professional Education CompTIA Security+ Certification Program.
• Conduct research, development, and training in the field of IT Cyber Security, centered on meeting the private and public sectors' needs for infrastructure monitoring, controlling, and training to protect the security of the United States from enemy cyber attacks.
• Supercomputer Decision Support and Counter Attack Measures Cyber Operations System, utilizing SCADA, Decision Support, Artificial Intelligence, and Knowledge Based processes in a lab environment.
• Serve as a National Clearinghouse on Cyber Security.
• Focus on education/training based on INFOSEC standards.
• Research/Development in Best Practices, process reengineering, and technology.
• Provide Specialized Professional Services to the private and public sectors through conferences/summits, workshops, publications, and speaking engagements.

Page 4

Control Systems Security Program Recommended Practices Overview

• Addresses the issues encountered in developing and maintaining a cyber forensics plan for control systems environments.
• Supports forensic practitioners in creating a control systems forensics plan.
• Assumes evidentiary data collection and preservation using forensic best practices.
• The goal is not to reinvent proven methods, but to leverage them in the best possible way.
• The material in this recommended program provides users with the appropriate foundation to allow these best practices to be effective in a control systems domain.
• The program is organized into three major sections:
  – Section 1, Traditional Forensics and Challenges to Control Systems.
  – Section 2, Creating a Cyber Forensics Program for Control Systems Environments.
  – Section 3, Activating and Sustaining a Cyber Forensics Program.
• Link to White Paper: http://www.uscert.gov/control_systems/practices/documents/Forensics_RP.pdf

Page 5

Overview of Cyber Vulnerabilities

• Control systems are vulnerable to cyber attack from inside and outside the control system network.
• To understand the vulnerabilities associated with control systems you must know:
  – Types of communications.
  – Operations associated with the control system.
  – How attackers are using the system vulnerabilities to their advantage.
• This discussion provides a high level overview of these topics but does not discuss detailed exploits used by attackers to accomplish intrusion.

Page 6

Understanding Control System Cyber Vulnerabilities

• To understand the vulnerabilities associated with control systems (CS), you must first know all of the possible communications paths into and out of the CS.
• Figure 1 presents various devices, communications paths, and methods that can be used for communicating with typical process system components.

Figure 1: Communications access to control systems

Page 7

Understanding Control System Cyber Vulnerabilities

• In a typical large-scale production system utilizing a SCADA or Distributed Control System (DCS) configuration, there are many computer, controller and network communications components integrated to provide the operational needs of the system. A typical network architecture is shown in Figure 2.

Figure 2: Typical two-firewall network architecture

Page 8

Understanding Control System Cyber Vulnerabilities

• An attacker who wishes to assume control of a control system is faced with three challenges:
  1. Gain access to the control system LAN.
  2. Through discovery, gain understanding of the process.
  3. Gain control of the process.

Page 9

Access to the Control System LAN

• Common Network Architectures
• Dial-up (wireless) Access to the RTUs
• Vendor Support
• IT Controlled Communication Gear

• The first thing an attacker needs to accomplish is to bypass the perimeter defenses and gain access to the control system LAN.
  – Most control system networks are no longer directly accessible remotely from the Internet.
  – Common practice in most industries has a firewall separating the business LAN from the control system LAN.
    • This not only helps keep hackers out, it isolates the control system network from outages, worms, and other afflictions that occur on the business LAN.
  – Most of the attacker's off-the-shelf hacking tools can be directly applied to the problem.
• There are a number of common ways an attacker can gain access, but the miscellaneous pathways outnumber the common pathways.
• The second most common architecture is the control system network as a Demilitarized Zone (DMZ) off the business LAN.
  – A single firewall is administered by the corporate IT staff that protects the control system LAN from both the corporate LAN and the Internet.

• Corporate VPNs
• Database Links
• Poorly Configured Firewalls
• Peer Utility Links

Page 10

Discovery of the Process

• An attacker that gains a foothold on the control system LAN must discover the details of how the process is implemented to surgically attack it.
  – An attacker that wants to be surgical needs the specifics in order to be effective. An attacker that just wants to shut down a process needs very little discovery.
• The two most valuable items to an attacker are:
  1. Points in the data acquisition server database.
     • Each control system vendor calls the database something different, but nearly every control system assigns each sensor, pump, breaker, etc., a unique number. On the communications protocol level, the devices are simply referred to by number.
     • A surgical attacker needs a list of the point reference numbers in use and the information required to assign meaning to each of those numbers.
  2. Human-Machine Interface (HMI) display screens.
     • The operator HMI screens generally provide the easiest method for understanding the process and assignment of meaning to each of the point reference numbers.
     • Each control system vendor is unique in where it stores the operator HMI screens and the points database.
     • Rules added to the Intrusion Detection System (IDS) looking for those files are effective in spotting attackers.

Page 11

Control of the Process: Sending Commands Directly to the Data Acquisition Equipment

• The easiest way to control the process is to send commands directly to the data acquisition equipment.
  – Most PLCs, protocol converters, or data acquisition servers lack even basic authentication.
  – They generally accept any properly formatted command.
  – An attacker wishing control simply establishes a connection with the data acquisition equipment and issues the appropriate commands.
• An effective attack is to export the screen of the operator's HMI console back to the attacker.
  – Off-the-shelf tools can perform this function in both Microsoft Windows and Unix environments.
  – The attacker is also limited to the commands allowed for the currently logged-in operator.
• Man-in-the-middle attacks can be performed on control system protocols if the attacker knows the protocol he/she is manipulating.
  – An attacker can modify packets in transit, providing both a full spoof of the operator HMI displays and full control of the control system.
  – By inserting commands into the command stream the attacker can issue arbitrary or targeted commands.
  – By modifying replies, the operator can be presented with a modified picture of the process.
  – Direct controls from wireless hand-held devices.
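Slides 10 and 11 together suggest two detection rules a defender can write: flag reads of the HMI screen files or the points database from hosts that have no business opening them (the IDS rule slide 10 recommends), and flag write commands to a point number from any host other than the data acquisition server, since the equipment itself will accept any well-formed command. The script below is an added example, not code from the presentation or from US-CERT; the log format, file paths, host names, point numbers and the two allowlists are all constructed for illustration.

```python
import re
from collections import namedtuple

# Constructed sample audit records, one per line: "<ts> <kind> <host> <detail>".
# kind=file: a file read on the HMI/data acquisition server (detail = path).
# kind=cmd:  a command seen on the control LAN (detail = "<op>:<point>"); points
#            are plain numbers, as the protocol layer refers to them.
# All paths, hosts and point numbers are hypothetical.
SAMPLE_LOG = """\
2012-01-11T08:01:02 file hmi-01 C:\\SCADA\\Screens\\overview.scr
2012-01-11T08:01:05 file eng-ws-02 C:\\SCADA\\Config\\points.db
2012-01-11T08:02:11 file corp-lt-17 C:\\SCADA\\Config\\points.db
2012-01-11T08:02:12 file corp-lt-17 C:\\SCADA\\Screens\\pumps.scr
2012-01-11T08:03:40 file hmi-01 C:\\SCADA\\Logs\\alarms.log
2012-01-11T08:05:00 cmd daq-srv-01 read:1042
2012-01-11T08:05:01 cmd daq-srv-01 write:1042
2012-01-11T08:05:07 cmd corp-lt-17 write:1042
2012-01-11T08:05:09 cmd eng-ws-02 read:2001
"""

# Assumed allowlists: hosts expected to open screens / the points DB (discovery
# phase) and hosts expected to issue write commands (control phase).
DISCOVERY_HOSTS = {"hmi-01", "eng-ws-02"}
WRITE_HOSTS = {"daq-srv-01"}
# Where this (hypothetical) vendor keeps HMI screens and the points database.
WATCHED_FILES = re.compile(r"(\\Screens\\.*\.scr|\\points\.db)$", re.I)

Alert = namedtuple("Alert", "phase host detail")

def check_record(kind, host, detail):
    """Return an Alert when a record matches a discovery- or control-phase rule, else None."""
    if kind == "file" and WATCHED_FILES.search(detail) and host not in DISCOVERY_HOSTS:
        return Alert("discovery", host, detail)
    if kind == "cmd":
        op, point = detail.split(":", 1)
        if op == "write" and host not in WRITE_HOSTS:
            return Alert("control", host, f"write to point {point}")
    return None

def scan(log_text):
    """Run both rules over every record and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, kind, host, detail = line.split(maxsplit=3)
        alert = check_record(kind, host, detail)
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

On the sample data the corporate laptop trips the discovery rule twice (points database, then a screen file) and the control rule once (a write to point 1042), while the same file reads and writes from the allowlisted HMI, engineering workstation and data acquisition server produce nothing.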

Page 12

Q & A

Contact Information
Stephen Miller
[email protected]
ENMU-Ruidoso
Cyber Security Center of Excellence
http://academic.enmu.edu/millerst/

Link to US-CERT Control System Standards: http://www.us-cert.gov/control_systems/csstandards.html