first scada lab international workshop

With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme. European Commission - Directorate-General Home Affairs

SCADA Laboratory and testbed as a service for Critical Infrastructure protection

1ST International ScadaLab Workshop

Madrid, 26th November 2013

Agenda

10.00h: Registration & Welcome

10.30h: ScadaLab Project Presentation

11.30h: Coffee break

12.00h: ScadaLab Validation Exercise

12.45h: Related Projects Presentation

13.30h: Lunch

14.30h: Training Session

16.30h: Closure



WP2

Definition of Testing Methodology

Zanasi & Partners

Content

1. WP 2 Introduction

2. Development of Work

• Aims: to assess the users’ needs, to define the testing methodology to be adopted in the SCADALAB environment, and to elaborate an inventory of security tests to be performed

• Participants: Zanasi & Partners (WP leader), AEI Seguridad, CNPIC, INTECO, Telvent Energy, Theodore Puskas Foundation

• Time-frame: M1-M3 (21/9/2012 – 18/12/2012)

WP2: Definition of Testing Methodology

Three tasks: • T2.1: Initial Survey • T2.2: Develop Testing Methodology • T2.3: Develop Security Tests Inventory Three deliverables: • D2.1: Survey Report: Analysis of

Questionnaires (+ annex: Questionnaire for Stakeholders)

• D2.2: Testing Methodology • D2.3: Security Tests

WP2: List of Tasks

• Aims: to identify users’ needs and to assess stakeholders’ priorities for a SCADALAB environment

• Contributors: AEI Seguridad, CNPIC, INTECO, Telvent Energy, Theodore Puskas Foundation, Zanasi & Partners

WP2 – T2.1: Initial Survey

11 stakeholders were interviewed via written questionnaires

The questionnaires aimed at collecting information on the profile of the respondent organisation, on its awareness about cyber-security risks, on its IT infrastructure and on its perceived security needs

The questionnaires were

Structured in 6 sections:

• Organisation profile

• Awareness

• Architecture

• Existing Threats

• Security Controls

• Identified Needs 8


Main findings: • Most of the respondents (91%) perceive the problem of securing

their ICS as sensitive • 64% of the organisations use ICS directly or indirectly connected

to the public Internet. In 91% of cases the ICS are connected to the corporate network

• Half the respondents use COTS within their ICS • Nobody declared to be victim of cyber-attacks in the past (but

only 45% of respondents feels able to detect intrusions) • There is a general lack of knowledge on ICS security standards

(64% of respondents do not know any, 83% do not adopt any) • Only 36% of stakeholders interviewed regularly perform ICS

security tests (10% only can rely on a permanent testing environment)

• Cryptography systems for front-end and field devices are hardly used (30%)


• Aims: to review the most widely used security testing methodologies and to develop a new one specific for the SCADALAB environment

• Contributors: AEI Seguridad, INTECO, Telvent Energy, Zanasi & Partners

WP2 – T2.2: Develop Testing Methodology

• At a preliminary stage, 11 existing testing methodologies (CPNI, US-CERT, ANSI/ISA, INL [2], DOE, NIST, LEET, CERT-CC, ISECOM, CCRA) were thoroughly analysed and rated based on their suitability for the SCADALAB project

• Later on, the information gathered through the above task has been used as a basis to develop an entirely new testing methodology specific for the SCADALAB environment


The SCADA LAB environment is articulated in two principal areas:

• Laboratory area (from where the security tests are run and controlled)

• Test beds area (which physically contains the components of the various ICS test beds)


The security requirements for both the laboratory area and the test beds area have been identified

Testing methodology - three phases: • Planning

– Organisational level (set up the assessment team, sign NDAs, develop the test plan, collect information on the organisation)

– Operational level (decide the proper type of assessment, establish a set of initial attack vectors, identify the assessment targets, elaborate a detailed plan of the testing)

– Technician level (demand to the manager of the test bed the implementation of the needed technical requirements, identify/acquire required HW/SW, develop the security test inventory)

• Assessment – Set up the lab (according to the target to assess and based on the test

inventory available) – Execution (performing the test, which may involve: information gathering,

network mapping, vulnerability identification, penetration testing)

• Reporting – Calculating metrics (e.g., via Common Vulnerability Scoring Systems,

CVSS) – Report of findings (technical report, executive report)


• Aims: to develop an inventory of security tests that can be performed during security analysis on ICS environments in the SCADALAB environment

• Contributors: INTECO, TPF

WP2 – T2.3: Develop Security Tests Inventory

Security tests (1/2): • Information gathering

– Get information architecture – Fingerprint and enumeration of host information – Port scanning

• Authentication mechanisms – Password testing – Session hijacking

• Program logic flaws – SQL injection – Cross-Site Scripting (XSS) – Buffer overflow – Fuzz testing

• Cryptographic flaws – Cold boot attacks on encryption keys

• Spoofing – MAC address spoofing – IP address spoofing


Security tests (2/2): • Sniffing

– Sniffing

• Denial of service – ICMP flood – SYN flood – Teardrop attacks – Application DoS

• Routing – CAM table overflow – VLAN hopping – Private VLAN attacks – Spanning tree manipulation – DHCP starvation – CISCO discovery protocol


• IPv6 testing

– IPv6 fake router advertisement

– IPv6 gather information

– IPv6 MITM attack

– IPv6 address duplicate

– IPv6 false CGA

– IPv6 network saturation

– Mobile IPv6 route spoofing

With the financial support of the Prevention, Preparedness and Consequence Management of Terrorism and other Security-related Risks Programme.

European Commission - Directorate-General Home Affairs

Questions?



WP 3

Design of Laboratory Architecture

INTECO

Content

1. Objectives / Aim of the activity

2. Expected results / outputs and deliverables

Requirements

SCADA LAB Design

- Laboratory Area

- Test Bed Area

Security Assessment

3. Conclusions

WP3/ Design of Laboratory Architecture

• Participants:

• Tasks:

– T3.1 / Identify requirements

– T3.2 / Analyze requirements

– T3.3 / Prepare high level design

• Deliverables:

– D3.1 System architectural design document

– D3.2 Security Assessments

• Time-frame: M4-M10

Summary

CNPIC TELVENT

ENERGY

TELVENT

GLOBAL

SERVICES

ZANASI &

PARTNERS INTECO

Carry out security assessments to remote Test Beds.

Design aligned with methodology.

Accomplish minimum set of requirements.

Objectives / Aim of the activity

Goal

Stakeholders having their own Test Beds…

Company B Company C Company A

… and carrying out their own security tests.


Why?

Company A

Are these tests all you can do?

More tests = more tools = more €

Has your staff needed knowledge?

Contract expert security services = more €


Why?


Aim

SCADA Laboratory and test bed as a service for Critical

Infrastructure protection.

We will have methodology and tools... You can use them.

Test Beds Area

Test bed 1

Test bed 2

…

Laboratory Area

Test Plan 1

Test Plan 2

Test Plan N

First design based on methodology


Base design

Expected results / outputs and deliverables: Requirements

Initial Requirements

8 HIGH-LEVEL requirements:

• Production system.

• Hardware interface or integration

• Assessment system

• Monitoring system

• Results analysis system

• Distributed tests

• Isolated test beds

• Testing methodology

57 LOW-LEVEL requirements.

• Description.

• Priority.

• Area.

• Implementation guidance.

REQUIREMENT

1.- ID 2.- Requirement name 3.- Priority 4.- Area

R1.3 Each level of the target has an entry point from

where perform the tests. High Test beds

5.- Description

The laboratory should communicate with every level of the scheme in an independent way.

IMPLEMENTATION

6.- Implementation guidance

The laboratory can connect to different networks, sub-networks, or virtual networks (one for

each level), from where carry out the test to the target.

7.- Other considerations

If an agent installed in the test bed is used then it has to have sufficient links to these

connections.

REQUIREMENT




5.- Description


IMPLEMENTATION






connections.

REQUIREMENT




5.- Description


IMPLEMENTATION






connections.

REQUIREMENT




5.- Description


IMPLEMENTATION






connections.

REQUIREMENT




5.- Description


IMPLEMENTATION






connections.

REQUIREMENT




5.- Description


IMPLEMENTATION






connections.

REQUIREMENT




5.- Description


IMPLEMENTATION






connections.

REQUIREMENT




5.- Description


IMPLEMENTATION






connections.

Expected results / outputs and deliverables: Requirements

LOW-LEVEL Requirements

ID Description Priority

R1 Production system

R1.1 The control system shall be composed by control devices and field devices. High

R1.2 The architecture of the test bed shall be representative of a real ICS. High

R1.3 Each level of the target has an entry point from where perform the tests. High

R2 Hardware interface or integration

R2.1 The control devices shall communicate with usual control protocols. High

R3 Assessment system

R3.1 Automatized tests High

R3.2 Set of workstations physically accessible to the operators High

And more…

Expected results / outputs and deliverables: SCADA LAB Design

Global Design


Laboratory Area


Test Bed Area

Really?

Expected results / outputs and deliverables: Security Assessment

Sponsor

Security Assessment

35

Conclusions

1. Based in their own methodology

2. Service for Critical Infrastructure Protection that:

1. Complements other security services/tools

2. Carries out remote tests (and local ones)

3. Can be adapted to any kind of Test bed

4. Is scalable



Questions?



WP 4&5

Laboratory Implementation Pilot Implementation and Experimentation

TELVENT ENERGÍA

Content

1. WP 4

Objectives

• Development of work and outputs

2. WP 5

Objectives

Development of work and outputs

Next activities

WP4&WP5

WP3 DESIGN WP4 IMPLEMENTATION WP5 EXPERIMENTATION

• Goal: The objective of this WP is the implementation of the SCADA LAB laboratory, according to the design and requirements defined in WP3

• Participants: Telvent Energy (co-leader), Telvent Global Services (co-leader), INTECO, CNPIC, AEI Seguridad.

• Time-frame:

February 2013 (M6) – December 2013 (M16) (ongoing)

WP4: Laboratory Implementation

WP4: Tasks

• T4.1: Select infrastructures and

communications

Equipment selection

Software selection

Facilities selection

• T4.2: Integrate HW and SW in the facilities

– Implementation

WP4 – T4.1: Select infrastructures and communications

• Laboratory Area:

Open Vulnerability Assessment System (OpenVAS)

Other Tools: NMAP, NIKTO, SNMP, etc.

• Test Bed Area:

Saitel DR Platform (RTU)

OASyS Platform (SCADA)

WP4 – T4.2: Integrate HW and SW in the facilities

INTECO HEADQUARTERS (LEON) SCADALAB LABORATORY

TELVENT ENERGY HEADQUARTERS (SEVILLE) SCADALAB TESTBED

TESTBED IMPLEMENTATION

REM

OTE C

ON

EC

TIO

N (

VP

N)

• Goals: The objectives of this WP are:

The definition and implementation of the SCADA LAB pilot

The execution of the security tests

The analysis of the test results

• Participants: Telvent Energy (leader), INTECO,

CNPIC, Telvent Global Services.

• Time-frame:

October 2013 (M14) – April 2014 (M20) (ongoing)

WP5: Pilot Implementation and Experimentation

WP5: Tasks

• Tasks:

o T5.1 Select the system to be analyzed as a

pilot

o T5.2 Pilot system installation

o T5.3 Carry on tests over pilot system

o T5.4 Analyze results

WP5 – T5.1 Select the system to be analyzed as a pilot

WP5 – Next Activities

• Next Activities:

Pilot system installation

Carry on tests over pilot system

Analyze results



Questions?



WP6

Results Sharing and Test Bed Saas

TELVENT GLOBAL SERVICES

Content

1. Current situation

2. WP Objectives


4. Conclusions

Current Situation

We have the Testing Methodology

We have set up the Laboratory

We have built the SCADALAB Components

Server / Workstation / Agent

We have the stakeholders ready for security assessments…

What else do we need?

Build up a framework to share

information and experiences

between stakeholders

WP Objective and Description

Identify the information sharing and remote test requirements and needs.

Define and Implement an Information Sharing framework

Define and Develop a Front-End SaaS Framework and a Front-End service

SCADALAB WP6!!!

Objective!

WP Objective and Description

TGS

Energy

Work Package participants:

Time-frame:

February 2013 – December 2013

WP Activities Summary

Identify the information, requirements and all the real needs from the stakeholders

regarding a Remote Security Test platform and a Sharing information framework

Define a functional design according to the stakeholders needs

Activity #1: Identify information and Requirements

Define the requirements for the Information Sharing framework

Looking for synergies in results sharing methods and procedures and Integration

between SCADALAB Front-End SaaS and other ICS security tools

Develop a Front-End which allows the management of the security assessments and integrate

it with the Information Sharing framework.

Implement the identified Front-End requirements and test the platform.

Activity #2: Define the Information sharing framework

Activity #3: Define & Develop Front-End SaaS Framework

Objective: Identify the information which key users involved in ICS scenarios are ready

to share (stakeholder, vendors, operators…) and the requirements for the SCADALAB

Front-End.

Tasks performed:

Stakeholders identified and contacted (by the WP participants) coming from different

countries.

Survey Creation

More than 60 questions

Questions grouped in different categories

Current Situation

Security Assessment Requests

Assessments Results and Sharing

Needs Identified

Needs and Desires

Activity 1: Identify information and Requirements

Tasks performed:

Survey Creation: Developed in PDF format


5

7 (EC_SCADALAB_Security_Assessments_Questionnaire_Request.pdf)

Tasks performed:

Survey Creation: Developed by web-based survey


Tasks performed:

Organized sharing meetings and/or survey delivery to get the results

Analysis and conclusions of the gathered data.

Deliverables: based on the Survey results, “Requirements&Needs” documentation


(EC_SCADALAB_Security_Assessments_Questionnaire_Results_Evaluation.docx)

(EC_SCADALAB_Identified_Requirements.xlsx) Functional requirements

Technical requirements

Security requirements

Design requirements

Activity 2: Define the Information sharing framework

Objective: Define the sharing information framework.

Based on the EU recommendations regarding the intend of complement existing

test bed initiatives for CI protection between UE related projects.

CloudCERT is a cloud testbed for the coordination of Europe Critical Infrastructure

Protection (CIP), which aim is to provide a testbed framework to integrate mechanisms

for coordinating partnerships and stakeholder efforts to effectively exchange information

related to CIP and their security aspects.

CloudCERT testbed ensure easy, simple information sharing for cooperation joint

exercises, as well as a rapid and risk-free implementation in a real operational and

collaborative environment.

CloudCERT test bed platform is an initiative coordinated by INTECO and some assets,

knowledge and infrastructure can be reused in an efficient manner. SCADA Lab will

complement the cooperation framework and will integrate the same exchange of

information mechanisms.

http://cloudcert.european-project.eu/project.php?lang=en

Evaluate the integration looking for

synergies in results sharing methods and

procedures


http://cloudcert.european-project.eu/project.php?lang=en


Expected Results:

Information Sharing Framework

Functional Definition, and

Integration Requirements with CloudCERT

Integration tests and functional documentation

CloudCERT is co-financiated by the European Union (EU) following the specific program named "Prevention, Preparedness and

Consequence Management of Terrorism and other Security-related risks", located within the "Security and Safeguarding

Liberties" program.

Activity 3: Define & Develop Front-End SaaS Framework

Objective: Develop a Front-End SaaS Framework and a Front-End service

Useful tool for Stakeholders

Based and adapted to their real needs, with functionalities and processes

identified

Public and/or private access

Easy and secured results sharing methods

Integrated with the defined Information Sharing framework

With the aim of…

…the management of the Security Evaluations and Results Information Sharing.


SCADALAB Front-End is being developed with best security practices in mind by itself

and leveraging on Drupal's experience avoiding security threats such as cross-side

scripting, SQL Injection, site impersonation and so on ....

Some of the functionalities and requirements that are being developed for the

SCADALAB Front-End are:

Web Interface Multiplatform / Multilingual

Secure Access / Access Control

Users Management / Passwords Policy

Workflows Management

Different types of Assessment

Selection of the Assessment Target

Status of the Assessment

List of existing Assessment Requests

Conclusions

Conclusions



Questions?



WP7

Training and awareness

Europe for Business

Content

1. WP Objectives

2. Description of work

3. Expected Results

1. Objective (1)

What is the problem?

There is insufficient knowledge sharing on SCADA security exercises, bringing

stakeholders together, providing user groups forums and awareness sessions to potential

beneficiaries.

1. Objective (2)

Contribute to create a strong culture of security around SCADA systems.

2. Description of Work - Timetable

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

Training and Awareness

T7.1 / Design training strategy

T7.2 / Elaborate training materials

T7.3 / Carry on Pilot Project

T7.4 / Define awareness Plan

T7.5 / Create awareness materials

WP7 has started during month 15, namely November 2013

T7.1 Design training strategy

Aims: Identify the training needs of different groups

Contributors: E4Business, INTECO, AEI Seguridad, CNPIC

tasks

T7.2 Elaborate training materials

Aims: Create different training materials for different groups

Contributors: E4Business, NISZ, INTECO, AEI Seguridad

tasks

T7.3 Carry on pilot training

Aims: Test that training strategy and materials meet trainee needs


tasks

T7.4 Define awareness plan

Aims: Identify the awareness needs of different groups

Contributors: E4Business, NISZ, INTECO, AEI Seguridad, CNPIC

tasks

T7.5 Create awareness materials

Aims: Create different awareness materials for different groups


tasks

2. Target groups

Security Research Centres

National Authorities

End users CI Operators

Methodology experts

Security training professionals

Independent security experts

Foundations specialized on security technologies

ICT security association of SMEs

Dissemination experts

Software integrators

SCADA Providers.

Expected Results

Through WP7 and WP8 SCADALAB results should reach the largest possible audience.

D7.1 Training: Definition of a SCADA course, 90 hours of training for public officials, 5 training manuals.

D7.2 Awareness: Holding a final conference, 3 research reports, 6 papers released.



Questions?



WP 8

Dissemination

EVERIS

Content

1. WP Objectives


3. Dissemination outputs

Objectives

To build awareness of the ScadaLab Project at both national and European.

To inform the stakeholders of the research findings.

To promote the results of the Project and the possibilities of a future exploitation.

Description of the Work

Audience

- Primary: stakeholders

- Secondary: affected

- Tertiary: influencers

Market

- Policy makers

- Industries/SMEs

- End users

- EU R&D Community

Message

- User requirements stage

- R&D stages

- Testing stage

Dissemination Activities

Channels

- Oral communication channels: Symposiums, seminars, workshops.

- Written communication channels: Website, newsletters, contributions to professional publications.

Dissemination Strategy

Dissemination Outputs

www.scadalab.eu

Scadalab Website

http://www.scadalab.eu/


Scadalab Social Network (I)

Linkedin general overview

• User: ScadaLab Project

• Group: ScadaLab Project – Open forum for stakeholders

discussions

Twitter general overview

• User: @ScadaLabProject


Scadalab Social Network (II)

Social networks management tool: Hootsuit

– Timeline

– Interactions

– Activity

– Search: #SCADA #cybersecurity and “Critical Infrastructures”


Madrid: 1st International Workshop

- General Project Presentation

ScadaLab events

Sevilla: 2nd International Workshop

- Best Practices

Brussels: Final Conference

- Final results

- EU presentation



Questions?



Thank you

first scada lab international workshop

Technology