security considerations in process control and scada environments

Security Considerations in Process Control and SCADA Environments Rich Clark Industry Security Guidance Wonderware and ArchestrA Business Units Invensys Wonderware

Upload: amiableindian

Post on 19-Jan-2015


Page 1: Security Considerations in Process Control and SCADA Environments

Security Considerations in Process Control and SCADA Environments

Rich Clark
Industry Security Guidance
Wonderware and ArchestrA Business Units
Invensys Wonderware

Introduction

► Security risks come with rapidly evolving technological advances

► Threat vectors (security holes or technology exploits) appear in rapidly changing technology

► New security features are built into Wonderware products and newer Microsoft OSs and toolkits, and more are being added every day

► Close coordination with industry organizations
  • ISA and other Guidance Organizations
  • Government Labs and Entities
  • 3rd Party Vendors
    • Microsoft, Security Vendors, Tool Manufacturers, etc.

Context for Discussing PCN/SCADA Security

► The DHS (Department of Homeland Security) believes that the next major war most likely will be an infrastructure war or will involve disabling our infrastructure

► There is no such thing as an Enterprise that is 100% secure even though some people want it

► 80/20 rule for Security
  • The first 80% of threat vectors are relatively inexpensive to secure against
  • The costs and maintenance climb exponentially when attempting to secure the remaining 20%


Context for Discussing PCN/SCADA Security (cont.)

► Process Control Software is designed to add intelligence and efficiency to a Production Enterprise
  • Wonderware: “Powering Intelligent Plant Decisions in Real Time”

► Remember that:
  • “A properly designed and fully operational Process Control Network (PCN) or SCADA System is greater than the sum of the parts”

► A central issue to implementation and security
  • Most IT personnel view individual PCN machines as end devices, instead of the whole PCN as the end device
  • This is the fundamental disconnect between Process Control Engineers and IT Personnel


Control Enterprise Definitions

► What is the difference between a Process Control Network (PCN) and a SCADA System?
  • Not Much!

► Industry groups are having trouble categorizing each Enterprise Type because there are too many similarities between them
  • SCADA (Supervisory Control and Data Acquisition) Systems usually have remote, sometimes independent nodes running single tasks
  • PCNs usually perform more complex or a wider variety of tasks than SCADA Systems

Typical Industry Process Control Network (PCN) [diagram slide]

Typical Industry SCADA System [diagram slide]

Evolution of the Plant

► The need for protecting and securing PCN/SCADA Systems is mostly due to growth in
  • Proliferation of open platforms and OS’s
  • Wireless technologies
  • Increase in joint ventures/mergers
  • Outsourcing
  • Regulatory mandates
  • Complex plant environments/intelligent equipment
  • Increased connectivity
  • Increased network intrusion

Solution Delivery Project Completion

► Complete Enterprise Integration will include the Process Design Solution incorporating the following
  • Industry regulations and regulatory agencies
  • Standards organizations
  • Security risk identification and assessment with appropriate countermeasures
  • Compliance to legacy systems
  • Architectural changes and latest guidance
  • External and internal influences affecting the Enterprise
  • Multiple vendors
  • Company policies and industry best practices

Standards and Regulations

► To make your job easier, Wonderware is working with these organizations and helping to establish standards
  • MSMUG
  • OPC Standards Committee
  • FDA
  • ISO 900x
  • NERC 1300 Electrical Industry
  • ENISA 460 Euro Control Systems Standards
  • ISA S-99
  • GAO
  • DHS

Establishing a Security Program for the PCN

► Create a formal project and address the following topics
  • Security Program Performance Management
  • Awareness & Assessment
  • Policy & Procedures
  • Security Solution


Awareness and Assessment Review

► Establish Security Team

► Define Security Objectives

► Identify Current Vulnerabilities

► Establish Security Plan

Risk Analysis and Assessment

► Risk is broadly defined as
  • IF a Threat Agent uses a tool, technique, or method to exploit a Vulnerability, THEN a loss of (confidentiality, integrity, or availability) to an Asset may result in an impact

► Risk Assessment is a methodical process to determine threats, vulnerabilities, and risks to determine what solutions should be put in place

► A Formal Risk Assessment will produce a probability number from 0-1 of the event occurring

► Generally speaking, low probability (of occurring) risks are harder to protect against and cost more to do so

Cost of Protection vs Breach Event Probability

[Chart: cost curve for increasing the protection level, plotted on a scale running from “More Vulnerable to Attack” to “Safer Against Breach Events”, with a region labeled “Breach events having a high probability of never occurring”]

Risk Analysis and Assessment (cont.)

► Sources of threats
  • External
  • Internal
  • Accidental
  • Vulnerabilities

Some Sources of These Threats…

• General attacker threats
• Common criminals
• Organized crime
• Nation states/Governments
• Non state-sponsored terrorism
• Anti world trade/Anti globalization activists
• Regional political activism
• Animal rights activists
• Environmental groups
• Malicious code attack specifically directed against a Customer
• General malicious code threat
• Illegal information brokers and freelance agents
• Competitors, contractors, corporations
• Disaffected staff (including contractors)
• Corporate intelligence/Investigation companies
• “Insider” threats including social engineering, espionage, and spoofing people with high access levels
• Unintentional exposure of vulnerabilities by untrained personnel

Risk Analysis and Assessment (cont.)

► As attack software and network tools become more sophisticated, the attacker’s need for technical knowledge of what they are doing is being greatly reduced

Attack Sophistication vs. Intruder Technical Knowledge

Sources: Carnegie Mellon University, 2002 and Idaho National Laboratory, 2005

[Chart: time axis from 1980 to 2010, vertical scale from Low to High, with curves labeled “Attack Sophistication” and “Intruder Knowledge” (“Intruders”). Techniques labeled on the chart: Automated Probes/Scans, Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Hijacking Sessions, Sweepers, Sniffers, Distributed Attack Tools, Denial of Service, GUI, Network Management Diagnostics, WWW Attacks, “Stealth”/Advanced Scanning Techniques, Back Doors, Zombies, BOTS, Morphing, Malicious Code, Packet Spoofing]

Final Note: Vulnerabilities Risk Mitigation

► The largest vulnerability that existed was open source Operating Systems

► Microsoft put $10M into tightening up security of Windows XP and 2003 Server last year

► None of the other open platform Operating Systems manufacturers have committed those kinds of resources to tighten up similar vulnerabilities in their OS’s

► Microsoft OS Security has become a matter of user identification of risks (risk analysis) and applying specific countermeasures at appropriate levels of OS interaction

Policy and Procedures

► Established Standards
  • ISO 17799, ISA-SP99, META, CERT, etc.

► Regulatory Drivers
  • FDA, FERC, NERC, SEC, DEA, etc.

► Local and Company Requirements
  • Site Policy, Information, Authorizations, etc.


Establishing Policies and Procedures

► Create a committee of Subject Matter Experts

► SMEs should include Process Engineers and IT personnel who are being cross-trained

► Get Executive buy-in

► No one is exempt from company security policy including Executive Level…

The Case of the CFO’s Sleeping Notebook

[Diagram: the CFO Notebook shown alongside the plant systems: Historian (InSQL), Application Object Servers, Operator Stations and Development Stations]

His daughter used the machine to surf the web and it contracted a virus.

Instead of shutting down the machine properly, he made the machine sleep, keeping the virus in resident memory.

Company policy required that all machines connected to the Corp Net be rebooted and virus scanned. They did not enforce this policy at the Executive Level.

When it connected to the Corp Net and woke up, the virus spread immediately to all machines that were not properly patched for the particular virus (a lot of them).

The Enterprise was down for 2 days.

Establishing Policies and Procedures

► A security officer is a good idea
  • This position is the single point of contact between outside connections and the PCN
  • This position enforces the policy created by the security committee

Policies and Procedures

► Establishing Policies and Procedures is the foundation of a solid security strategy

► Some considerations for user accounts
  • Only validated users
  • User IDs have unique names with medium to strong passwords
  • Individuals are accountable
  • Restrict access
  • Lockout duration well defined
  • Groups are defined by user access needs and roles
  • Reset any Guest and Default accounts
  • Operator accounts defined/limited by operational area
  • Service accounts on local domain machines are not used to logon to network domains


Policies and Procedures (continued)

► Passwords
  • Enforce password history to limit reuse of old passwords
  • Enforce password aging to force interval changing of passwords
  • Enforce minimum password length
    • Usually 7 or 8 characters minimum
  • Enforce password complexity
    • Some strong password requirements can result in less security because people tend to write these down
    • Do not use strong passwords unless you can enforce social engineering
  • Do not store using reversible encryption
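
An added example (not part of the original slides and not Wonderware code): a Python check that reads the `[System Access]` section of a Windows security policy export, as written by `secedit /export`, and compares it with the password and user-account items listed on these slides. The sample export is constructed, and the history and maximum-age thresholds are assumptions, since the slides give a figure only for minimum length.

```python
"""Audit a secedit-style [System Access] export against the slide checklist."""
import configparser

# Constructed sample of a policy export (values are illustrative only).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 1
EnableGuestAccount = 1
"""

MIN_LENGTH = 7       # from the slides: "usually 7 or 8 characters minimum"
MIN_HISTORY = 5      # assumed threshold
MAX_AGE_DAYS = 90    # assumed threshold


def load_system_access(text):
    """Return the numeric [System Access] settings as a dict of ints."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str                  # keep the key case used in the export
    parser.read_string(text)
    if not parser.has_section("System Access"):
        raise ValueError("export has no [System Access] section")
    values = {}
    for key, raw in parser["System Access"].items():
        raw = raw.strip()
        if raw.lstrip("-").isdigit():         # skip string settings (renamed accounts)
            values[key] = int(raw)
    return values


def audit(values):
    """Return findings as (severity, setting, message) tuples."""
    findings = []

    history = values.get("PasswordHistorySize", 0)
    if history < MIN_HISTORY:
        findings.append(("FAIL", "PasswordHistorySize",
                         f"remembers {history} passwords, want >= {MIN_HISTORY}"))

    max_age = values.get("MaximumPasswordAge", -1)
    if max_age <= 0 or max_age > MAX_AGE_DAYS:    # -1 means passwords never expire
        findings.append(("FAIL", "MaximumPasswordAge",
                         f"aging is {max_age}, want 1..{MAX_AGE_DAYS} days"))

    length = values.get("MinimumPasswordLength", 0)
    if length < MIN_LENGTH:
        findings.append(("FAIL", "MinimumPasswordLength",
                         f"minimum length {length}, want >= {MIN_LENGTH}"))

    # The slides warn that complexity rules can backfire when people write
    # passwords down, so an unset flag is reported for review, not failed.
    if values.get("PasswordComplexity", 0) == 0:
        findings.append(("REVIEW", "PasswordComplexity",
                         "complexity not enforced; confirm this is deliberate"))

    if values.get("ClearTextPassword", 0) != 0:
        findings.append(("FAIL", "ClearTextPassword",
                         "passwords are stored using reversible encryption"))

    if values.get("LockoutBadCount", 0) == 0:
        findings.append(("FAIL", "LockoutBadCount", "account lockout is disabled"))
    elif "LockoutDuration" not in values:
        findings.append(("FAIL", "LockoutDuration", "lockout duration is not defined"))

    if values.get("EnableGuestAccount", 0) == 1:
        findings.append(("FAIL", "EnableGuestAccount", "Guest account is enabled"))
    return findings


if __name__ == "__main__":
    for severity, setting, message in audit(load_system_access(SAMPLE_EXPORT)):
        print(f"{severity:6} {setting:22} {message}")
```
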


Policies and Procedures (continued)

► Remote Access
  • Limit access by defining access based upon needs
  • Check all equipment brought to the site
  • Separate role based user groups for temporary accounts (review often)
  • Define/document all outside access routes and accounts

► Physical Access
  • Keep locked
  • Have specific personnel directly responsible

► Final Note: You as the engineer or integrator should have a keen awareness of all these issues before the project even starts!

Security Solution

► Solution Design

► Solution Recommendations

► Solution Implementation

Security Ecosystem

► Security perspective of a manufacturing and/or industrial ecosystem
  • System Architecture
  • External and Internal Influence
  • Vendors
  • Policies and Procedures
  • Platform Vendor
  • Automation Software Vendor
  • Standards


Requirements for a Secure Network

► Have a prevention policy using
  • Firewalls and firewall devices
  • Network based intrusion prevention/detection
  • Host based intrusion prevention/detection
  • Layer, Layer, Layer
    • Bury any vulnerabilities inside of secure layers!

► Do not put Corporate and Plant networks on the same domain

► No secure and insecure protocols on same network

► Continually monitor, create alerting and diagnostics of plant network control systems, and look for any “backdoor” integration to the corporate network


Secure Architectures

► Secure systems are directly related to
  • Infrastructure
    • Servers
    • Workstations
    • Ethernet Cables
    • Fiber Optics
    • Switches
    • Routers
    • Firewalls
    • Connectivity
  • Protocols and Communications
  • Host Software
    • Operating Systems
    • Virus Protection
    • Intrusion Protection

► Recommendation: Define the Enterprise into Secure Areas (Layers or Rings)

Current Designs of Secure Architectures: SCADA

[Diagram. Zones labeled: Corporate Network Infrastructure, DMZ, Supervisory Control Network, Proprietary Distributed SCADA Communications Infrastructure, TCP/IP Distributed SCADA Communications Infrastructure, Sub-station Network. Components labeled: Client PC with ActiveFactory, SuiteVoyager Client, Win Terminal Clients (HMI and Dev), Other Corporate IT Functions, InSQL Server Platform / AlarmDB, Other WW Databases, SuiteVoyager Platform, Win Terminal Server Platform (InTouch TSE, FS A2 Dev TSE), Galaxy Repository / InTouch file server, AOS Platforms with DI Network Objects, SCADA Com Manager, SCADAlarm with Modem and Monitored DO line, InTouch Platforms with ActiveFactory, Alarm History Viewer and other WW DB Viewers, Legacy HMI (OPC or SuiteLink enabled), PLCs, and several Firewalls (one marked Optional)]

Current Designs of Secure Architectures: PCN

[Diagram, repeated over three slides. Zones labeled: Corporate Network Infrastructure, DMZ, Process Control Network, Factory Floor Network (TCP/IP), Non TCP/IP based PLC Network. Components labeled: Client PC with ActiveFactory, SuiteVoyager Client, Win Terminal Clients (HMI and Dev), Other Corporate IT Functions, InSQL Server Platform / AlarmDB, Other WW Databases, SuiteVoyager Platform, Win Terminal Server Platform (InTouch TSE, FS A2 Dev TSE), InTouch Platform with ActiveFactory and Alarm Clients, QI Client, Router, Galaxy Repository / InTouch file server, TSE server, IDE, AOS Platform with DI Network Object, SCADAlarm with Modem and Monitored DO line, PLCs, and Firewalls (one marked Optional)]

Callouts added on the second and third slides:

• This is a Serious Data Bottleneck

• This is all the same logon/admin domain. The PCN is susceptible to Corp Net failure and attacks.

Current Wonderware Architecture Guidance

[Architecture diagram, repeated over five slides with one callout each:]

• Secure Area (Effective DMZ)
• The whole domain is an “End Device”
• Only one single point of ingress/egress
• Active Directory manages users and PCN domain security
• Only minimal traffic passes here
• This network only carries PCN traffic. No corporate spending projections. No emails to Aunt Hildebrandt. No web surfing to see how my stocks are doing.
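
An added example (not from the original slides): one way to check the "PCN traffic only" and "look for any backdoor integration" guidance against connection records, by comparing each flow with the documented outside access routes. The flow records are constructed, and the PCN address range, host addresses and route list are assumptions made for the example.

```python
"""Flag flows on the plant network that are not PCN traffic or a documented route."""
import ipaddress
from collections import namedtuple

# One record per connection, initiator first (constructed format).
Flow = namedtuple("Flow", "src dst dport")

PCN_NET = ipaddress.ip_network("10.10.0.0/16")     # assumed PCN address space

# Documented outside access routes as (source, destination, destination port).
# Assumed: the historian pushes data to one database server in the DMZ.
DOCUMENTED_ROUTES = {("10.10.1.20", "172.16.5.10", 1433)}

# Constructed sample flows.
FLOWS = [
    Flow("10.10.2.31", "10.10.1.20", 1433),    # operator station to historian
    Flow("10.10.1.20", "172.16.5.10", 1433),   # the documented route
    Flow("10.10.2.31", "192.0.2.80", 80),      # web browsing from an operator station
    Flow("172.16.9.44", "10.10.3.5", 3389),    # remote session into the PCN
    Flow("172.16.9.44", "172.16.5.10", 25),    # corporate mail on the plant network
]


def classify(flow):
    """Return 'pcn', 'documented', 'undocumented' or 'foreign' for one flow."""
    src_inside = ipaddress.ip_address(flow.src) in PCN_NET
    dst_inside = ipaddress.ip_address(flow.dst) in PCN_NET
    if src_inside and dst_inside:
        return "pcn"                           # stays inside the PCN
    if not src_inside and not dst_inside:
        return "foreign"                       # neither endpoint belongs to the PCN
    if (flow.src, flow.dst, flow.dport) in DOCUMENTED_ROUTES:
        return "documented"                    # crosses the boundary on a known route
    return "undocumented"                      # crosses the boundary some other way


def violations(flows):
    """Return (flow, classification) for every flow that needs investigation."""
    result = []
    for flow in flows:
        kind = classify(flow)
        if kind in ("undocumented", "foreign"):
            result.append((flow, kind))
    return result


if __name__ == "__main__":
    for flow, kind in violations(FLOWS):
        print(f"{kind:13} {flow.src} -> {flow.dst}:{flow.dport}")
```
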

Data Communications and Protocols

► Getting data securely from one place to another requires some forethought and understanding

► Data is usually binary, hexadecimal, or text (ASCII)

► Data can be secured by
  • Encrypting with an algorithm
  • Common encryption methods include a Virtual Private Network (VPN) which uses IPSec as a tunneling protocol

Data Communications and Protocols

[Network diagram, repeated over three slides with one callout each:]

• IPSec co-processor and firewall cards installed here.
• IPSec Appliance (small router) installed here
• Edge Device (represents a single router or router pair)

Data Communications and Protocols

► Data can be secured by
  • Limiting it through specific ports with DCOM Config
    • Certain ports are used by every software manufacturer that has to have access to security or domain services, including Kerberos, Terminal Services, HTTP; anything whether TCP or UDP
    • DCOM is also used to request or start services or programs (using RPC), which makes it viewed by some IT departments as something that cannot be used

OSI Model and the Security Schemes

• DCOM and port selection occurs in this layer, above the TDI (Transport Driver Interface). It is difficult to secure the processes.

• IPSec occurs in this layer, mostly below the TDI and at the kernel level, and the data is secure before it gets into the machine.

Final Solution Requirements May Include:

► Retention of forensic information to support investigation/legal litigation

► Secure connectivity to wireless devices

► Doing these exercises will ensure that major elements are considered and incorporated into the final design and include
  • People
  • Process
  • Policies
  • Products

Security Considerations

► Site Networks and Control System Security Approach
  • View from management and technical perspective
  • Address solutions from the IT and Process Control System perspectives
  • Design/develop multiple layers of network, system, and application security
  • Ensure compliance with industry, regulatory, and international standards

Total Security Design Considerations

► Following these steps will prevent Process Control Networks (PCNs) from being implemented in pieces that will result in inconsistent or unsafe security designs
  • Develop security policy
  • Define requirements to implement a secure process environment
  • Develop plan to implement security
  • Implement the PCN without tightening down the machines
  • Only after the above steps are complete…
  • Apply the security policies and plan once the PCN is operating correctly!


Final Solution Thoughts: Creating Infrastructure

► Review the types of available authenticators that you may want to use
  • Password, Biometric, Key Card, etc.

► Final Review: Compliance with your company’s established Security Policy

► Make sure the devices that you select for the solution will do what they are supposed to in relation to your established security policies and requirements
  • Firewalls, Routers, Switches
  • Domain Controllers
  • Physical Networks
  • Remote Access Devices
  • Wireless Access

Security Program Performance Management

► Continual Monitoring and Alerting

► Yearly Review and Auditing

► Periodic Testing and Validation

► Continual Updating of Security System Requirements

Security Lifecycle Project Management

[Lifecycle diagram, built up over four slides. Boxes added on each slide:]

• First slide: Define Risk Goals; Assess & Define Existing System; Conduct Risk Assessment & Gap Analysis; Design or Select Countermeasures; Procure or Build Security Countermeasures
• Second slide: Define Component Test Plans; Define Integration Test Plan; Define System Validation Test Plan
• Third slide: Test Countermeasures; Perform Pre-Installation Integration Test; Perform Validation Test on Installed System; Finalize Operational Security Measures
• Fourth slide: Routine Security Reporting and Analysis; Periodic Audit and Compliance Measures; Reevaluate Security Countermeasures (Break-in or Major Plant Change)

Callout on the fourth slide: System Goes Operational Here


Security Program Performance Management

► Establish ways to identify attacks before they occur
  • Honeypots lure attackers away from actual assets
  • Excessive numbers of logon attempts are a good indicator
  • Do your own packet monitoring and set up alarms for out of parameter or unusual activity
  • Educate your personnel (all users of the systems) to look for and report anything unusual or out-of-the-ordinary

► Monitoring and Alerts also give metrics on the health of the PCN and security systems
  • If unusual activity is noted, fix it before it brings the system down
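
An added example (not from the original slides): a sliding-window alarm on failed logons, the indicator named above, counted either per account or per workstation. The log format and records are constructed, and the window and threshold are assumed values to tune per site.

```python
"""Alarm on excessive failed logons inside a sliding time window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # assumed window
THRESHOLD = 5                    # assumed: failures within WINDOW that raise an alarm

# Constructed records: time, workstation, account, result (in time order).
SAMPLE_LOG = """\
2005-06-01T02:10:00 OPSTATION3 operator1 FAIL
2005-06-01T02:10:20 OPSTATION3 operator1 FAIL
2005-06-01T02:10:41 OPSTATION3 operator1 FAIL
2005-06-01T02:11:05 OPSTATION3 operator1 FAIL
2005-06-01T02:11:30 OPSTATION3 operator1 FAIL
2005-06-01T02:11:52 OPSTATION3 operator1 FAIL
2005-06-01T02:12:15 OPSTATION3 operator1 SUCCESS
2005-06-01T03:00:00 OPSTATION4 admin FAIL
2005-06-01T03:00:05 OPSTATION4 administrator FAIL
2005-06-01T03:00:09 OPSTATION4 guest FAIL
2005-06-01T03:00:14 OPSTATION4 operator1 FAIL
2005-06-01T03:00:20 OPSTATION4 engineer1 FAIL
2005-06-01T06:00:00 OPSTATION1 operator2 FAIL
2005-06-01T06:00:30 OPSTATION1 operator2 SUCCESS
2005-06-01T07:00:00 DEVSTATION1 engineer1 FAIL
2005-06-01T07:10:00 DEVSTATION1 engineer1 FAIL
2005-06-01T07:20:00 DEVSTATION1 engineer1 FAIL
2005-06-01T07:30:00 DEVSTATION1 engineer1 FAIL
2005-06-01T07:40:00 DEVSTATION1 engineer1 FAIL
"""


def parse(line):
    """Split one record into a dict with time, host, account and result."""
    stamp, host, account, result = line.split()
    return {"time": datetime.fromisoformat(stamp), "host": host,
            "account": account, "result": result}


def detect(lines, key="account", window=WINDOW, threshold=THRESHOLD):
    """Return alarms as (time, key value, kind, failures in window).

    key="account" catches repeated guessing against one account;
    key="host" catches one workstation trying many different accounts.
    """
    recent = defaultdict(deque)   # key value -> times of failures still in the window
    alarmed = set()               # key values already alarmed for the current burst
    alarms = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        who, now = rec[key], rec["time"]
        failures = recent[who]
        while failures and now - failures[0] > window:
            failures.popleft()                 # drop failures older than the window
        if len(failures) < threshold:
            alarmed.discard(who)               # burst has aged out, re-arm the alarm
        if rec["result"] == "FAIL":
            failures.append(now)
            if len(failures) >= threshold and who not in alarmed:
                alarms.append((now, who, "excessive-failures", len(failures)))
                alarmed.add(who)
        elif who in alarmed:
            # A logon that succeeds during a burst may mean a guess worked.
            alarms.append((now, who, "success-after-burst", len(failures)))
    return alarms


if __name__ == "__main__":
    for key in ("account", "host"):
        for when, who, kind, count in detect(SAMPLE_LOG.splitlines(), key=key):
            print(f"by {key:7} {when.isoformat()} {who:12} {kind} ({count} failures)")
```

The five widely spaced failures for `engineer1` and the single mistyped password for `operator2` raise nothing, while the per-workstation pass catches `OPSTATION4` trying five different accounts once each, which the per-account pass cannot see.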


Security Program Performance Management

► The policies and procedures should be reviewed annually to ensure compliance with established or updated corporate security policies
  • New policies may have been adopted that do not make sense in a PCN/SCADA environment

► Audit your metrics to be sure they make sense
  • Some attacks can be long-term and can be disguised within expected data
  • Some regulatory agencies may require audits of your PCN/SCADA security in the future
    • Start doing this on your own before it is required so you can understand your processes when the time comes!


In Summary…

► You must understand the corporate security policies
  • They should be formal policies and they should be written out; if not, it could be a slippery slope

► The application integration must be constructed with the corporate security policies in mind
  • In some cases it will not be possible to adhere to corporate IT policies because of cumulative poor IT security definition practices or deficient network design
  • Mitigation strategies should be addressed up front for any perceived security breaches
    • Common mitigation strategies include asking why a specific security policy is in place and doing a risk analysis of this perceived threat
    • Additional mitigation strategies include burying the perceived breach inside of a secure layer or DMZ

Additional Resources

► Best Practices Guidelines V1.0 document from the Microsoft Manufacturing Users Group, available at
  http://www.omac.org/wgs/MfgInfsrct/MSMUG/msmug_default.htm

► Microsoft Security Guidance
  http://www.microsoft.com/security/guidance

► ArchestrA Community
  http://www.ArchestrA.biz

► GAO Documents (GAO-04-354 and GAO-04-321)

► Department of Homeland Security
  http://www.dhs.gov/dhspublic/

► ISA
  http://www.isa.org/

► Antivirus Technical Article
  http://www.wonderware.com/support/mmi/comprehensive/kbcd/html/t002098.htm

► Wonderware Security White Paper
  http://dominoext.wonderware.com/PublicWWR5/PromoCol.nsf/wwwhite/0E58BBBF3F73885388257003005A5641/$file/SecurityWP_May16_color_Final.pdf

► Wonderware Security Resource Center
  http://www.wonderware.com/support/security/


Please drop me an email if you have any security related questions.

Your Presenter has been…

Customer Security Guidance

Thank You Very Much!

► The complete Basic Security Class is available online.

► Look for the schedule of all the Online Seminars at: www.wonderware.com/Training

QUESTIONS?