greg jones, titan ict - redesigning system security based on the front end engineering and design of...

REDESIGNING SYSTEM SECURITY OF A CONTROL ROOM GREG JONES - SCADA AND DATA SYSTEMS ENGINEER 12 MARCH, 2014

Upload: informa-australia

Post on 15-Jan-2015


DESCRIPTION

Greg Jones, Senior ICT Consultant, Titan ICT delivered this presentation at the 2nd Annual Control Room Design & Operations Conference. This conference provided insights into streamlining operations, optimising efficiency & managing costs in your control room facilities, through effective design and operations. For more information, visit http://www.informa.com.au/controlroomdesign14

TRANSCRIPT

Page 1: Greg Jones, Titan ICT - Redesigning System Security based on the Front End Engineering and Design of a Control Room

REDESIGNING SYSTEM SECURITY OF A CONTROL ROOM

GREG JONES - SCADA AND DATA SYSTEMS ENGINEER

12 MARCH, 2014

Page 2:

Redesigning system security based on the front end engineering & design of a control room

Page 3:

Overview

→ Safety Moment

→ Introduction

→ Control systems data, access and technology business drivers

→ Effectiveness of patching and anti-virus

→ Going back to the old ways of segregation

→ Conclusion

Page 4:

Safety moment – threat of power loss to 2.1 million people

→  Integral Energy distributes electricity to 2.1 million people in NSW

→  Network Virus Attack (2009)

→  Business network infected by Conficker worm

•  Hackers able to issue commands to infected machines from the internet

•  All desktops rebuilt by external security experts

→  Threats due to control systems being on the same network

•  Loss of power to 2.1 million people

•  Uncontrolled access to control system

→  Control System not vulnerable to Infection

•  Generally unaffected as mostly on Unix

Page 5:

Data access for business intelligence

→ Big data provides competitive advantages

•  Regulatory requirements e.g. NGERS

•  Asset management

•  Worker empowerment (Kanban)

•  Remote screen view

•  Collaboration CWE

→ This is done by

•  Historian / database out

•  File transfer out

→ I3 – Intelligent, Instrumented and Interconnected

Page 6:

System access for management and support

→ Cost, schedule and worker empowerment

•  Centralised management – CCR

•  Centralised support

•  Remote vendor support

•  Mobile operators

→ This requires:

•  3rd Party WAN

•  Wireless networks

•  Internet access

•  File transfer in and out

•  3rd party devices

•  Mobile devices

Page 7:

Technology – borderless networks

→  Cost, schedule and worker empowerment

→  Office network using

•  Cloud services (SaaS, PaaS, IaaS...)

•  BYOD (smart phone, laptop, tablet)

•  Use of portable media (USB, DVD ...)

→  Ubiquitous remote access

→  Office network meshed with the Internet and home networks

→  Social engineering (Facebook, Phishing ...)

→  Proliferation of malware / zero day exploits / hacking tools

→  Access to systems from anywhere

→  Office network is untrusted

Page 8:

Effectiveness of patching and anti-virus

→  Blacklisting philosophy

→  Office network

•  System downtime and integrity

•  Test / dev cycle

•  Large number of users dependent on the system

•  Out of hours work and roll back

•  AV within 24 hours and patches monthly

→  Process control network

•  Safety is first priority

•  System downtime and integrity

•  Vendor guarantee required – patches / AV certified

•  Test / dev cycle

•  AV within a month and patching 3+ months

→  Inadequate patch speed to ensure protection

→  Always vulnerable to day zero threats

Page 9:

COTS systems and technology in the PCN

Cost, supportability and end of life issues force use of its COTS systems and services

→  Office network security requirements:

•  Confidentiality Medium high importance

•  Integrity High importance

•  Availability High lower importance

•  Regulatory Low importance

→  Process control network security requirements:

•  Availability Very high importance

•  Integrity Highest high importance

•  Confidentiality Medium low importance

•  Regulatory Medium low importance

Page 10:

Is it too much work?

→  Businesses and people only use solutions that are efficient and effective (mind the gap)

→  Albert Einstein:

•  “Intellectuals solve problems, geniuses prevent them.”

→  Technologies

•  Data diodes / IP KVM

•  Thin clients

•  Application white listing

•  Timed access

•  Network segregation

→  Human firewall

•  Chronic unease - need to access / need to know

→  Design based on risk scenarios

•  CHAZOP

Page 11:

Exporting data securely to the business network

→  We can’t disconnect the PCN

→  Need data export for business intelligence

→  Can’t allow return traffic

→  Can’t be vulnerable to malware, hackers and human error

→  Use a data diode and export data

→  Replicate systems

→  Put PCN support systems on the PCN
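
An added sketch, not part of the presentation, of what "export data" with no return traffic means for the software on each side of a data diode: the sender cannot receive acknowledgements, so it sends redundant copies, and the receiver can only verify frames and record gaps. The frame layout, the shared key, the tag name FIC-101 and all function names are assumptions made for this illustration.

```python
import hashlib, hmac, json, struct

KEY = b"constructed-demo-key"  # assumption: key provisioned on both sides out of band
SEQ = struct.Struct("!I")      # assumed frame layout: 4-byte sequence | JSON | 32-byte HMAC
TAG_LEN = 32

def frame(seq, record):
    """PCN side: turn one historian record into a self-contained datagram."""
    body = SEQ.pack(seq) + json.dumps(record, sort_keys=True).encode()
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

def send(records, repeats=2):
    """No ACK can return through the diode, so every frame is sent `repeats` times."""
    for seq, record in enumerate(records):
        for _ in range(repeats):
            yield frame(seq, record)

class Receiver:
    """Business-network side: verify, de-duplicate, and record gaps it cannot repair."""
    def __init__(self):
        self.records, self.missing, self.rejected, self.next_seq = {}, [], 0, 0

    def accept(self, datagram):
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        expected = hmac.new(KEY, body, hashlib.sha256).digest()
        if len(body) < SEQ.size or not hmac.compare_digest(tag, expected):
            self.rejected += 1      # corrupt or forged: count it, never reply
            return
        (seq,) = SEQ.unpack(body[:SEQ.size])
        if seq < self.next_seq:
            return                  # redundant or late copy of an earlier frame
        self.missing.extend(range(self.next_seq, seq))  # lost for good: raise an alarm
        self.records[seq] = json.loads(body[SEQ.size:])
        self.next_seq = seq + 1

def demo():
    # Constructed sample: four historian points, sent twice each (8 datagrams).
    points = [{"tag": "FIC-101", "value": v} for v in (10.0, 10.5, 11.0, 11.5)]
    wire = list(send(points))
    lost = {2, 3, 4}                # both copies of seq 1 and one copy of seq 2
    wire[7] = wire[7][:-1] + bytes([wire[7][-1] ^ 1])  # bit error in last copy of seq 3
    rx = Receiver()
    for i, datagram in enumerate(wire):
        if i not in lost:
            rx.accept(datagram)
    return sorted(rx.records), rx.missing, rx.rejected

if __name__ == "__main__":
    print(demo())
```

Sequence 2 survives because one redundant copy arrives; sequence 1 is reported missing because the receiver has no path to request it again.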

[Figure: labels "Patch Time" and "Criticality"]

Page 12:

Clear accountabilities through physical boundaries

[Figure: labels "Patch Time" and "Criticality"]

→  Shared infrastructure makes ownership unclear

→  Support is compromised

→  Necessary changes are not implemented.

→  Management needs to be from a secure location (Management devices cannot have internet or email access)

→  Use dedicated management clients in the PCN

→  Keep PCN, PCN remote access and office network physically separate.

Page 13:

No internet access. Private WAN and dedicated clients for remote access

[Figure: labels "Patch Time" and "Criticality"]

→  Remote access is a necessity for timely and cost effective support

→  Requires inbound access

→  Internet access leaves you vulnerable

→  Only enabled upon request (just like turning modems on and off)

→  Use private WAN (MPLS)

→  Use dedicated PCN mobile devices that are not allowed to connect to the internet

→  In case of emergency use IP KVM connected to internet and host based firewall restrictions so the PCN is protected from malware

Page 14:

Network segregation and device hardening

→  WAN and wireless links cannot be fully trusted.

→  Need defence in depth

→  PCN nodes are an attack path

→  Uncontrolled portable media bring viruses and carry data away

→  Operating systems on PCN clients are vulnerable.

→  Encrypt 3rd party WAN and wireless links.

→  Introduce network segmentation of clients, management, nodes, sites and PCD servers.

→  Use thin clients with all applications and systems on servers

→  Disable USBs and use network file transfer

→  Use an integrated security product suite

[Figure: labels "Patch Time" and "Criticality"]

Page 15:

Conclusions

→  Safety must be designed in

→  Changed security requirements

→  Be efficient and effective (mind the gap)

→  Cannot successfully defend with patching

→  Must use a different solution

•  Technology

−  Data diodes / thin clients

−  Host and server segments

−  Private remote access network with end to end security management

•  Human firewall – need to access / need to know

•  Design based on risk scenarios - CHAZOP

→  Ethos of white listing

Page 16:

Questions

Page 17:

Titan ICT Consultants

→ Australian-owned Engineering consultancy

→ Leading-edge tailored Integrated Technology and Business Solutions

→ Proven strategies and processes, and many years of project delivery experience

→ Vendor neutral meaning our recommendations are not influenced by any commercial arrangements - we find the best solution for our client’s needs

→  Dedicated project management office based on Prince2 and ISO:9001 accreditation

www.titanict.com.au
