Step by Step: The Journey to Secure SCADA Systems Miguel Chavero Dec 2012

Page 1:

Step by Step: The Journey to Secure SCADA Systems

Miguel Chavero

Dec 2012

Page 2:

Dirección de Servicios – Negocio Liberalizado Europa Continental

IBERDROLA OVERVIEW

[Figure: bar charts of Installed Capacity and Total Production, 2000 vs 2011. Installed Capacity: 16.081 (2000), 46.026 (2011), labelled +286%. Total Production: 98.699 (2000), 145.126 (2011), labelled +147%. Other bar values shown: 13.690, 13.189, 19.147.]

Page 3:

IBERDROLA OVERVIEW

Installed capacity: 16.081 MW (2000), 46.026 MW (2011): x 2 +

[Figure: two pie charts of the generation mix, 2000 and 2011]

2000: Hydro, 51; Nuclear, 20; Coal, 27; Renewable, 3

2011: Hydro, 21; Nuclear, 7; Coal, 10; Combined Cycle, 28; Cogen, 2; Renewable, 29

Page 4:

IBERDROLA OVERVIEW

[Figure: EBITDA (MM €) and EBITDA by Business: Renewable, Liberalized, Regulated]

Page 5:

IBERDROLA OVERVIEW

[Figure: EBITDA by Country: Spain, UK, USA, Brazil. KPIs (MM €): Gross Margin, Net Op. Exp., EBITDA]

Page 6:

IBERDROLA OVERVIEW

TARRAGONA POWER: 417 MW, 1FA

CASTELLÓN A: 782 MW, 209FA

ESCOMBRERAS: 816 MW, 209FB

SANTURCE: 396 MW, 109FA

ACECA: 386 MW, 109FA

ARCOS III: 823 MW, 209FB

ARCOS I and II: 783 MW, 2X109 FA

CASTEJÓN: 379 MW, 109FA

CASTELLÓN B: 839 MW, 209FB

We lead the construction of combined cycle power plants in Spain… 5.600 MW since 2001

Page 7:

Chinese philosopher Lao-Tzu said, “A journey of a thousand miles begins with a single step.”

“SECURITY IS NOT A PRODUCT, IT IS A PROCESS”

Page 8:

ISO 27001

“Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment.

As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities”.

ASSETS => MANAGE RISKS => REVENUES

CYBERSECURITY = RISK

Page 9:

Electrical Sector

After 9/11 (11-S), the “Department of Homeland Security” appeared

Since 2006 -> CIP 002-009 standards mandatory

Since 2008 -> Nuclear CyberSecurity Standards.

1M USD / day penalty!!

UK leading (CPNI), EU still starting

Page 10:

Our Journey

2005: EPRI Program 86 EIS (Energy Information Security)

2005: Started AURA Project

2006: AURA.PERIN Project (Firewalling) on CCGTs

2006: CISSP Certification and SANS training

2007: First CyberSecurity Plan for Thermal Stations

2007: EPRI PowerSec (sectorial benchmarking)

2007: AURA.XXXX projects started

2009: Coal Stations projects

2011: COGEN stations projects

2012: Collaboration with Nuclear stations

Page 11:

AURA PROJECT = The Beginning…

RISKS!

Impact on your assets

Consequences on your process

ACTIONS!

Page 12:

AURA PROJECT

Page 13:

AURA PROJECT

[Figure: network diagram of a plant control system and its external access points. Labels: WAN DCG, WAN IBERDROLA, Other Networks, Government, Casetas, GE Atlanta, Vendor, INTERNET Host, IT-MONITOR, Router, RTU, GT, ST, HMI, AW, PDA, VIB, PI, UDH/ArcNet, PDH, ADH, OSM, PLC, CEMS, PC-PLC, Environment, NODE BUS]

Countermeasures, Access Point #1: Firewalls

Countermeasures, Access Point #2: NONE

Countermeasures, Access Point #3: NONE

Countermeasures, Access Point #4: NONE

Countermeasures, Access Point #5: VPNs

Countermeasures, Access Point #6: NONE

Page 14:

AURA PROJECT

Page 15:

AURA PROJECT

[Figure: map of stations, each labelled with capacity and date]

Escombreras 6: 800 MW, Nov’06

Castellón 3: 800 MW, Sep’02

Tarragona Power: 400 MW, Jan’04

Castejón 1: 400 MW, Apr’03

Santurce 4: 400 MW, Jan’05

Aceca 3: 400 MW, Jun’05

Arcos 1 and 2: 800 MW, Dec’04

Arcos 3: 800 MW, Jun’05

Castellón 4: 850 MW, Dec’07

EW Cartagena: 150 MW, Jul’10

CT Velilla: 400 MW, Jun’09

CT Lada: 400 MW, Jun’09

CT Pasajes: 200 MW, Jun’09

CN Cofrentes: 1.100 MW, Sep’10

EW Vitoria, Aranda, Valladolid: 150 MW, Jul’10

Monterrey III: 1000 MW, Jun’02

Termopernambuco: 500 MW, Feb’04

Altamira III and IV: 1000 MW, Nov’03

La Laguna: 500 MW

Tamazunchale: 1000 MW, Jun’07

Altamira V: 1000 MW, Jun’06

CC Riga: 400 MW

Page 16:

AURA PROJECT

[Figure: plant network diagram with the countermeasures for each access point and the AURA sub-project labels. Labels: WAN DCG, WAN IBERDROLA, Other Networks, Government, Casetas, Vendor, INTERNET Host, IT-MONITOR, RAS, Router, RTU, GT, ST, HMI, AW, PDA, VIB, PI, UDH/ArcNet, PDH, ADH, OSM, PLC, CEMS, PC-PLC, Environment, NODE BUS]

Countermeasures, Access Point #1: Firewalls + Two-Factor + Encryption + Intrusion Detection

Countermeasures, Access Point #2: Migrate to Network-to-Network connection

Countermeasures, Access Points #3 and #4: RAS with CHAP

Countermeasures, Access Point #5: VPNs + Two-Factor

Countermeasures, Access Point #6: To be studied

Sub-project labels on the diagram: AURA.PERIN, AURA.DETIN, AURA.SECAR/GESUR, AURA.ENCRIPTA, AURA.ANVIR, AURA.CABSE, AURA.NETMON, AURA.SECDIS, GERES-RT134, AURA.DIALUP, PENDING

Page 17:

AURA.PERIN

[Figure: perimeter firewall cabling diagram. Labels include: RED CORPORATIVA IBERDROLA (Iberdrola corporate network), FWPERCGARA01 and FWPERCGARA02 with Internal, External, DMZ and Lan1/Sync ports, SWPERCGARA01 and SWPERCGARA02 (Catalyst 2960 SERIES), CYCLACGARA, HSTCGARA, NIDSCGARA, OPCCGARA, HMICGARA, OSMCGARA, RWIFICGARA, SWITCH OFICINA (office switch), RSA, GW EMERSON, Woodward NetCon, PTA, TV1, TV2, Touch Panel, BOP/HSRG, RED-1, RED-2, RED-3, 220 V - SAI (UPS), 220 V - RED (mains). Legend: straight network cable, crossover network cable, power cable.]

Page 18:

AURA.DETIN (NIDS + HIDS)

Page 19:

AURA.ANVIR

[Figure: update distribution diagram. Labels: INTERNET, INTRANET, Vendor Web, IBERDROLA Network, Corporate Firewall, Perimeter Firewall, Files, AutoFTP Manager, Update Manager, CMDS, Combined Cycle #1 to Combined Cycle #n]

Page 20:

AURA.BACKUP Automated Backups/Restores

Page 21:

AURA.BACON

[Figure labels: Users, Networking devices, OS + APPs, Off-Line, On-Line, Ciphered e-SAFE]

Page 22:

AURA.SECAR Network to Network

Page 23:

AURA.SECAR Network to Network

Page 24:

AURA.SECAR Host to Network

Page 25:

AURA.CPD

[Figure: CMC-TC-IOW environmental monitoring trend charts, 24-hour window from 07/05/2012 to 08/05/2012. Panels: UNIT 1 to UNIT 4; UNIT 1 installed sensors; UNIT 1 status; UNIT 1 sensor text; UNIT 1 sensor value; UNIT 1 temperature sensor values (SETPOINT LOW 10, SETPOINT WARNING 30, SETPOINT HIGH 35); UNIT 1 humidity sensor values (SETPOINT LOW 0, SETPOINT WARNING 80, SETPOINT HIGH 85). Sensors: exterior temperature, exterior humidity, interior humidity, interior temperature (WL Temperature, WL Humidity).]

Page 26:

AURA.CPD

Page 27:

AURA LABCON

DCS MKVI from GE, Turbogroup

DCS I/A Invensys BOP & Boiler

PLC S7400 Siemens

Real PROCESS (Combined Cycles, Coal, Cogen, etc.)

LABPC with Models using Labview

Real Sensors LAB Field Points - National Instruments

Page 28:

AURA.xxxx Other Projects

AURA.ARMIA: Physical SAFES for backups and media devices.

AURA.CABSE: Physical protection against wilful damage to network patch cords and networking devices

AURA.ENCRIPTA: Communication channel encryption (256 AES)

AURA.NETMON: SCADA end-point and network device monitoring

AURA.DAPLI: Layout and protocol documentation

AURA.CENLOG: SIEM tool

AURA.DETIN 2.0: Netwitness tool

Page 29:

AURA PROJECT: AWARENESS AND POLICIES

NELIB Global Criteria

BY BUSINESS

INFORMATION CLASSIFICATION

CRITICAL CYBER ASSETS

ASSESSMENT

EQUIPMENT INVENTORY

APPLICATION INVENTORY

PHYSICAL LAYOUTS

LOGIC LAYOUTS

CYBERSECURITY INCIDENT RESPONSE

INCIDENT DATABASE

CHANGE MANAGEMENT

CHANGE DATABASE

Page 30:

AURA PROJECT: AWARENESS AND POLICIES

TECHNICAL PROCEDURES

Procedure: Records

MALWARE PROTECTION: End-Point Secured Inventory

BACKUP/RESTORE: Maintenance procedures

REMOVABLE DEVICES: Granted Devices Inventory

THIRD PARTY DEVICES USAGE: Approval Form

CREDENTIAL MANAGEMENT: Ciphered Safe

REMOTE ACCESS: Granted Providers Inventory

NETWORK GUIDELINES: Layout Templates

Page 31:

AURA PROJECT: AWARENESS AND POLICIES

Key-Users awareness through webex

Upper Management reporting

Key-Users Technical reporting

Never give up… keep fighting…

Page 32:

The journey never ends… doing now

Page 33:

AURA.MARS CONCEPT

• What is MARS?
  – A holistic approach to Security Monitoring and Response

• Why MARS?
  – Because threats are complex, resources are scarce, and response time is critical

• How is MARS different from standard approaches?
  – We use both the standard and the most advanced Security Strategies and Technologies and highly integrate and automate them so they can work together efficiently

Page 34:

AURA.MARS CONCEPT

(Note: Nothing to do with Cisco MARS)

Page 35:

AURA.MARS CONCEPT

Page 36:

AURA SECDIS – End-Point Security – Whitelisting + Sandboxing

Page 37:

AURA e-CONSEG Reporting Web Console

Page 38:

Fighting with STANDARDS

Getting the most

Fitting legal/business requirements

SANS, CERT, CPNI

ISO 27001

ISA-99

NIST

CIP 002 – 009

RG 5.71

Page 39:

SANS TOP 20 CONTROLS

Columns: SANS CONTROL, IBERDROLA STATUS, COMMENTS

Critical Control 1: Inventory of Authorized and Unauthorized Devices

Critical Control 2: Inventory of Authorized and Unauthorized Software

Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  Comments: Currently defining templates

Critical Control 4: Continuous Vulnerability Assessment and Remediation
  Comments: Procedure in place, resources pending

Critical Control 5: Malware Defenses

Page 40:

SANS TOP 20 CONTROLS

Columns: SANS CONTROL, IBERDROLA STATUS, COMMENTS

Critical Control 6: Application Software Security
  Comments: Whitelisting

Critical Control 7: Wireless Device Control

Critical Control 8: Data Recovery Capability

Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
  Comments: Never ending…

Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  Comments: Vendor restrictions

Page 41:

SANS TOP 20 CONTROLS

Columns: SANS CONTROL, IBERDROLA STATUS, COMMENTS

Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services

Critical Control 12: Controlled Use of Administrative Privileges
  Comments: Very difficult on SCADA environment

Critical Control 13: Boundary Defense

Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

Critical Control 15: Controlled Access Based on the Need to Know
  Comments: Very difficult on SCADA environment

Page 42:

SANS TOP 20 CONTROLS

Columns: SANS CONTROL, IBERDROLA STATUS, COMMENTS

Critical Control 16: Account Monitoring and Control

Critical Control 17: Data Loss Prevention

Critical Control 18: Incident Response and Management

Critical Control 19: Secure Network Engineering

Critical Control 20: Penetration Tests and Red Team Exercises
  Comments: Waiting for resources…

Page 43:

CONCLUSIONS

TAKE YOUR TIME!!!!

Holistic approach required. Be GLOBAL

Focus on your own risks, each business is different!!!

You have to assume some risks (e.g. vendor restrictions)

Be ready for the impact!!!! Disaster recovery procedures are very important

Do not miss forensics tools and procedures

Testing facilities are a must

There is no super product. Integration is required

Work closely with your control system vendors; remember they are not good!!!

Open Source helps – do not miss it!!!

Never walk alone… internal and external support is critical!!!

Page 44:

Spanish writer Antonio Machado said, “Caminante, no hay camino, se hace camino al andar”: “Walker, there is no path; you make it as you walk”

Miguel Chavero

[email protected]

CISSP#: 122240