TRANSCRIPT
Step by Step:
The Journey to Secure
SCADA Systems
Miguel Chavero
Dec 2012
Dirección de Servicios – Negocio Liberalizado Europa Continental
IBERDROLA OVERVIEW

[Chart: Installed Capacity, 2000 vs 2011: 16.081 → 46.026 (+286%); the 2011 figure is broken down into 13.690 + 13.189 + 19.147. Total Production, 2000 vs 2011: 98.699 → 145.126 (+147%).]
IBERDROLA OVERVIEW

[Chart: generation mix by technology, 2000 vs 2011; installed capacity 16.081 MW (2000) → 46.026 MW (2011), more than x2. Values as shown on the slide.]

Technology        2000   2011
Hydro               51     21
Nuclear             20      7
Coal                27     10
Combined Cycle       -     28
Cogen                -      2
Renewable            3     29
IBERDROLA OVERVIEW

[Chart: EBITDA (MM €) and EBITDA by business: Renewable, Liberalized, Regulated]
IBERDROLA OVERVIEW

[Chart: EBITDA by country: Spain, UK, USA, Brazil. KPIs (MM €): Gross Margin, Net Operating Expenses, EBITDA]
IBERDROLA OVERVIEW

Combined cycle power plants in Spain (plant, capacity, configuration):
• TARRAGONA POWER: 417 MW, 1FA
• CASTELLÓN A: 782 MW, 209FA
• ESCOMBRERAS: 816 MW, 209FB
• SANTURCE: 396 MW, 109FA
• ACECA: 386 MW, 109FA
• ARCOS III: 823 MW, 209FB
• ARCOS I and II: 783 MW, 2x109FA
• CASTEJÓN: 379 MW, 109FA
• CASTELLÓN B: 839 MW, 209FB

We led the construction of combined cycle power plants in Spain: 5.600 MW since 2001.
Chinese philosopher Lao-Tzu said, “A journey of a thousand miles begins with a single step.”

“SECURITY IS NOT A PRODUCT, IT IS A PROCESS”
ISO 27001
“Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment.
As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities”.
ASSETS => MANAGE RISKS => REVENUES
CYBERSECURITY = RISK
Electrical Sector

• After 9/11, the Department of Homeland Security appeared
• Since 2006 -> CIP 002-009 standards mandatory
• Since 2008 -> Nuclear cybersecurity standards
• Penalty: 1M USD / day!!
• UK leading (CPNI), EU still starting
Our Journey

• 2005: EPRI Program 86 EIS (Energy Information Security)
• 2005: Started AURA Project
• 2006: AURA.PERIN Project (Firewalling) on CCGTs
• 2006: CISSP Certification and SANS training
• 2007: First Cybersecurity Plan for Thermal Stations
• 2007: EPRI PowerSec (sectorial benchmarking)
• 2007: AURA.XXXX projects started
• 2009: Coal Stations projects
• 2011: COGEN stations projects
• 2012: Collaboration with Nuclear stations
AURA PROJECT = The Beginning…

RISKS! Impact on your assets; consequences on your process. ACTIONS!
AURA PROJECT

[Diagram: typical CCGT control network before AURA. Elements: Iberdrola WAN, DCG, other networks, government, field huts (casetas), GE Atlanta, controllers (DNBTP0971WV / CP), GT, ST, HMIs, AW, PDA, VIB, PI, UDH/ArcNet, PDH, NODE BUS, PC-PLC, environmental monitoring (CEMS, PLC, ADH, vendor OSM), IT-MONITOR, Internet host, router, RTU.]

Countermeasures per access point (initial state):
• Access point #1: Firewalls
• Access point #2: None
• Access point #3: None
• Access point #4: None
• Access point #5: VPNs
• Access point #6: None
AURA PROJECT
[Map: plants covered by the AURA project, with capacity and date as shown on the slide]
• Escombreras 6: 800 MW, Nov 2006
• Castellón 3: 800 MW, Sep 2002
• Tarragona Power: 400 MW, Jan 2004
• Castejón 1: 400 MW, Apr 2003
• Santurce 4: 400 MW, Jan 2005
• Aceca 3: 400 MW, Jun 2005
• Arcos 1 and 2: 800 MW, Dec 2004
• Arcos 3: 800 MW, Jun 2005
• Castellón 4: 850 MW, Dec 2007
• EW Cartagena: 150 MW, Jul 2010
• CT Velilla: 400 MW, Jun 2009
• CT Lada: 400 MW, Jun 2009
• CT Pasajes: 200 MW, Jun 2009
• CN Cofrentes: 1.100 MW, Sep 2010
• EW Vitoria, Aranda, Valladolid: 150 MW, Jul 2010
• Monterrey III: 1000 MW, Jun 2002
• Termopernambuco: 500 MW, Feb 2004
• Altamira III and IV: 1000 MW, Nov 2003
• La Laguna: 500 MW
• Tamazunchale: 1000 MW, Jun 2007
• Altamira V: 1000 MW, Jun 2006
• CC Riga: 400 MW
AURA PROJECT

[Diagram: the same CCGT control network, with the countermeasure assigned to each access point and the AURA sub-project that delivers it.]

Countermeasures per access point (target state):
• Access point #1: Firewalls + two-factor authentication + encryption + intrusion detection
• Access point #2: Migrate to a network-to-network connection
• Access points #3 and #4: RAS with CHAP
• Access point #5: VPNs + two-factor authentication
• Access point #6: To be studied

AURA sub-projects shown: AURA.PERIN, AURA.DETIN, AURA.SECAR/GESUR, AURA.ENCRIPTA, AURA.ANVIR, AURA.CABSE, AURA.NETMON, AURA.SECDIS, GERES-RT134, AURA.DIALUP, pending (PDTE.).
AURA.PERIN

[Diagram: AURA.PERIN perimeter architecture at one plant. Two redundant firewalls (FWPERCGARA01 / FWPERCGARA02, Lan1/Sync link between them) with Internal, External and DMZ zones, connected to the Iberdrola corporate network (RED CORPORATIVA IBERDROLA) and to two Catalyst 2960 switches (SWPERCGARA01 / SWPERCGARA02). Hosts shown: CYCLACGARA, HSTCGARA, NIDSCGARA, OPCCGARA, HMICGARA, OSMCGARA, office switch, RSA, PTA, GW EMERSON, RWIFICGARA (access point for the PDA), TV1/TV2 (Woodward NetCon, HMITV and other elements, touch panel), BOP/HRSG. Cabling legend: straight network cable, crossover network cable, power cable (220 V UPS / 220 V mains); networks RED-1, RED-2, RED-3.]
AURA.DETIN (NIDS + HIDS)
AURA.ANVIR

[Diagram: AURA.ANVIR update distribution. Elements: Internet / Intranet, vendor web site, Iberdrola network, corporate firewall, perimeter firewall at each combined cycle (#1 … #n), files, AutoFTP Manager, update manager, CMDS.]
AURA.BACKUP Automated Backups/Restores
AURA.BACON

[Diagram: Users, networking devices, OS + apps; off-line and on-line; ciphered e-SAFE.]
AURA.SECAR Network to Network

AURA.SECAR Host to Network
AURA.CPD

[Screenshots: environmental monitoring of the data centre (CPD) with a CMC-TC-IOW unit (172.21.38.140), Units 1 to 4, 24-hour trend windows from 07/05/2012 7:44 to 08/05/2012 7:44. Unit 1 installed sensors: external temperature, external humidity, internal humidity, internal temperature (sensor text WL Temperature / WL Humidity); sensor status 4,0000 for all four; sample values 20,000 (sensors 1 and 4, temperature) and 50,000 / 52,000 (sensors 2 and 3, humidity). Temperature setpoints: LOW 10, WARNING 30, HIGH 35. Humidity setpoints: LOW 0, WARNING 80, HIGH 85.]
AURA LABCON

• GE MKVI DCS (turbine group)
• Invensys I/A DCS (BOP & boiler)
• Siemens S7-400 PLC
• Real process (combined cycles, coal, cogen, etc.)
• Lab PC with models using LabVIEW
• Real sensors: lab Field Points (National Instruments)
AURA.xxxx Other Projects

• AURA.ARMIA: Physical safes for backups and media devices
• AURA.CABSE: Physical protection against wilful damage to network patch cords and networking devices
• AURA.ENCRIPTA: Communication channel encryption (AES-256)
• AURA.NETMON: SCADA end-point and network device monitoring
• AURA.DAPLI: Layout and protocols documentation
• AURA.CENLOG: SIEM tool
• AURA.DETIN 2.0: NetWitness tool
AURA PROJECT: AWARENESS AND POLICIES

NELIB Global Criteria, by business:
• INFORMATION CLASSIFICATION
• CRITICAL CYBER ASSETS: assessment
• EQUIPMENT INVENTORY
• APPLICATION INVENTORY
• PHYSICAL LAYOUTS
• LOGICAL LAYOUTS
• CYBERSECURITY INCIDENT RESPONSE: incident database
• CHANGE MANAGEMENT: change database
AURA PROJECT: AWARENESS AND POLICIES

Technical procedures:
• MALWARE PROTECTION: end-point secured inventory
• BACKUP/RESTORE: maintenance procedures
• REMOVABLE DEVICES: granted devices inventory
• THIRD PARTY DEVICES USAGE: approval form
• CREDENTIAL MANAGEMENT: ciphered safe
• REMOTE ACCESS: granted providers inventory
• NETWORK GUIDELINES: layout templates, procedure, records
AURA PROJECT: AWARENESS AND POLICIES

• Key-user awareness through WebEx
• Upper management reporting
• Key-user technical reporting

Never give up… keep fighting…
The journey never ends… doing now
AURA.MARS CONCEPT

• What is MARS? – A holistic approach to Security Monitoring and Response.
• Why MARS? – Because threats are complex, resources are scarce, and response time is critical.
• How is MARS different from standard approaches? – We use both the standard and the most advanced security strategies and technologies and highly integrate and automate them so they can work together efficiently.
AURA.MARS CONCEPT

(Note: Nothing to do with Cisco MARS)
AURA SECDIS – End-Point Security – Whitelisting + Sandboxing
AURA e-CONSEG Reporting Web Console
Fighting with STANDARDS

Getting the most out of them; fitting legal/business requirements:
• SANS CERT CPNI
• ISO 27001
• ISA-99
• NIST
• CIP 002 – 009
• RG 5.71
SANS TOP 20 CONTROLS

SANS control, with the Iberdrola status comment where the slide gave one (the status indicator column is not recoverable from the slides):
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Now defining templates
• Critical Control 4: Continuous Vulnerability Assessment and Remediation: Procedure in place, resources pending
• Critical Control 5: Malware Defenses
• Critical Control 6: Application Software Security: Whitelisting
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps: Never ending…
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches: Vendor restrictions
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges: Very difficult in a SCADA environment
• Critical Control 13: Boundary Defense
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know: Very difficult in a SCADA environment
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises: Waiting for resources…
CONCLUSIONS

• TAKE YOUR TIME!!!!
• Holistic approach required. Be GLOBAL
• Focus on your own risks, each business is different!!!
• You have to assume some risks (i.e.: vendor restrictions)
• Be ready for the impact!!!! Disaster recovery procedures are very important
• Do not miss forensics tools and procedures
• Testing facilities are a must
• There is no super product. Integration is required
• Work closely with your control system vendors, remember they are not good!!!
• Open Source helps – do not miss it!!!
• Never walk alone… internal and external support is critical!!!
Spanish writer Antonio Machado said, “Caminante, no hay camino, se hace camino al andar” (“Walker, there is no path; the path is made by walking”).

Miguel Chavero
CISSP#: 122240