KEMA, Inc.

Ten Steps To Secure Control Systems

APPA 2005 Conference
Session: Securing SCADA Networks from Cyber Attacks
Memphis, TN, April 18, 2005

Jay Abshier, CBCP CISSP, KEMA, Inc.
[email protected]



Copyright KEMA Inc. Proprietary Information

Ten Steps To Secure Control Systems – Agenda

• Threats?
• Why take action?
• What Can You Do Now? – The Ten Steps
• NERC Standards
• Questions

Threats – In Order of Decreasing Probability

• Worms and Viruses
• Internal – Acts of Omission
• Internal – Acts of Commission
• External – Acts of Commission

Why Take Action?

If a vulnerability is exploited, in most cases the impact is a negative effect on the primary function of the control system – a failure.

A failure of one component of a system increases the probability of another component failure occurring or of becoming a critical factor.

Most catastrophic failures involve two or more components of a system. Frequently, one of the failed components is either a human action/inaction or the control system.

Source: “Reliability @Risk: A New Paradigm for Assessing Reliability”, The Electricity Journal, December 2004.

Why Take Action?

• Improved Reliability
• Increased Safety

Ten Steps To Secure Control Systems

1. Governance
2. Security Awareness & Training
3. Policies & Procedures
4. Change Management
5. Secure Architecture
6. Remote Access
7. Vulnerability & Risk Assessments
8. Incident Response
9. Configuration & Patch Management
10. Monitoring

Ten Steps To Secure Control Systems – Our Focus

Of the ten steps, this session focuses on 5. Secure Architecture, 6. Remote Access and 7. Vulnerability & Risk Assessments.

Paper and Presentation discussing all ten available on request.

What Can You Do Now? – 5. Secure Architecture

• Identify your critical assets.
• Define the electronic perimeter for your control environment that includes those assets.
• Isolate the control environment using firewall(s) and DMZ(s). No access by default. All communications terminate at the DMZ.

Secure Architecture

[Diagram: network layout with a Plant Information Network (PIN) and a Plant Control Network (PCN), separated from the corporate network by a Firewall/DMZ. Labels shown: Real-time Historian, Relational Database, Users, Historian, Operator Displays, Application Server, Other Plant Information Servers, To Corporate Network, Firewall, DMZ, Database, Web Server, Terminal Server.]

What Can You Do Now? – 5. Secure Architecture (cont’d)

• Don’t allow browsing of the internet from the control environment.
• Don’t allow email into the control environment. Sending email out will be ok.
• Take steps to keep unauthorized devices out.
• Avoid wireless.
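As an added example (not from the slides), the following Python model encodes the perimeter rules of the two Secure Architecture slides: no access by default, all communications terminate at the DMZ, no internet browsing from the control environment, and email out only. The zone names follow the diagram; the services and the allow rules are assumptions for illustration.

```python
# Added example (not from the KEMA slides): a model of the default-deny,
# DMZ-terminated perimeter. Zone names follow the diagram; the services and
# the allow rules below are assumptions chosen to illustrate the policy.

PCN = "PCN"              # Plant Control Network (the control environment)
PIN = "PIN"              # Plant Information Network
DMZ = "DMZ"
CORP = "Corporate"
INTERNET = "Internet"

# Explicitly permitted sessions as (source zone, destination zone, service).
# Anything not listed is denied: "no access by default".
ALLOW_RULES = {
    (PCN, DMZ, "historian-replication"),  # control data pushed out to the DMZ
    (DMZ, PCN, "terminal-session"),       # DMZ terminal server reaches operator displays
    (PIN, DMZ, "https"),                  # plant users read the DMZ web server
    (CORP, DMZ, "https"),                 # corporate users read the DMZ web server
    (CORP, DMZ, "terminal-server"),       # remote access lands on the DMZ terminal server
    (PCN, DMZ, "smtp"),                   # outbound mail only, relayed via the DMZ
    (DMZ, CORP, "smtp"),
}


def is_allowed(src, dst, service):
    """Default deny: a session is permitted only by an explicit rule."""
    return (src, dst, service) in ALLOW_RULES


def perimeter_violations(rules):
    """Return rules that would let traffic cross the control perimeter without
    terminating at the DMZ, or reach the internet, which the slides forbid."""
    bad = []
    for src, dst, service in sorted(rules):
        if dst == PCN and src != DMZ:      # nothing outside the DMZ reaches the PCN
            bad.append((src, dst, service))
        elif src == PCN and dst != DMZ:    # the PCN talks only to the DMZ
            bad.append((src, dst, service))
        elif INTERNET in (src, dst):       # no browsing, no inbound mail from the internet
            bad.append((src, dst, service))
    return bad


if __name__ == "__main__":
    # Constructed change requests a firewall administrator might receive.
    for request in [(CORP, DMZ, "https"), (CORP, PCN, "rdp"), (PCN, INTERNET, "http")]:
        print(request, "ALLOW" if is_allowed(*request) else "DENY (default)")
    print("violations in current rules:", perimeter_violations(ALLOW_RULES))
```

Running `perimeter_violations` over a proposed rule set before it is deployed catches a rule that would bypass the DMZ even when each individual request looks reasonable.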

What Can You Do Now? – 5. Secure Architecture: Wireless

• WEP is useless.
• WPA
  – Good encryption. Device authentication available.
  – Vulnerable to DOS attack.
  – Devices capable of WEP should be upgradeable to WPA with a firmware upgrade.
• Think of wireless as remote access.

What Can You Do Now? – 5. Secure Architecture: Wireless (cont’d)

• 802.11i is the best solution, but requires new hardware if you already have wireless installed.
• AES encryption, device authentication available, supposed to not be vulnerable to DOS attack.
• Cisco calls 802.11i WPA2.

Reference: www.wi-fiplanet.com/tutorials

What Can You Do Now? – 6. Remote Access

• Should be severely restricted.
• Try to never allow devices on the outside to become part of the Control Network.
• DMZ Application Servers, Terminal Servers and Citrix are good choices for access.

Remote Access

[Diagram: the same network layout as the Secure Architecture diagram, with a Plant Information Network (PIN) and a Plant Control Network (PCN) behind a Firewall/DMZ. Labels shown: Real-time Historian, Relational Database, Users, Historian, Operator Displays, Application Server, Other Plant Information Servers, To Corporate Network, Firewall, DMZ, Database, Web Server, Terminal Server.]

What Can You Do Now? – 6. Remote Access: VPNs

• IPsec VPNs using 3DES or AES encryption are a good choice if DMZ application servers and terminal servers are not available.
• Be aware that the client computer becomes part of the control environment.
• Do not allow split tunneling. Try to require anti-virus and personal firewalls. Try to enforce patch levels on software.
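An added example, not from the slides: a check of a VPN client's routing table for the split tunneling the slide says must not be allowed. The route lines are constructed sample output in the style of Linux `ip route`; the tunnel interface name and the VPN server address are assumptions.

```python
# Added example (not from the KEMA slides): detect split tunneling on a VPN
# client from its routing table. Interface name and server address are assumed;
# both route tables below are constructed sample data.

VPN_IFACE = "tun0"            # assumed name of the VPN tunnel interface
VPN_SERVER = "203.0.113.10"   # assumed VPN server address (documentation range)

# Constructed sample: only the control-network prefix goes through the tunnel,
# everything else leaves via the local LAN. This is a split tunnel.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.50.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
"""

# Constructed sample: full tunnel. The two /1 routes override the LAN default
# route; only the VPN server itself is reached directly.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.7
"""


def parse_routes(text):
    """Yield (prefix, device, is_link_scope) for each 'ip route' style line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        yield fields[0], fields[fields.index("dev") + 1], "link" in fields


def is_full_tunnel(text):
    """True if all non-local traffic is forced through the VPN interface."""
    via_vpn = {prefix for prefix, dev, _ in parse_routes(text) if dev == VPN_IFACE}
    return "default" in via_vpn or {"0.0.0.0/1", "128.0.0.0/1"} <= via_vpn


def bypass_routes(text):
    """Prefixes that leave the client without passing through the tunnel.
    Directly connected subnets, the host route to the VPN server, and a default
    route already overridden by the /1 pair are not counted as bypasses."""
    full = is_full_tunnel(text)
    return [prefix for prefix, dev, link_scope in parse_routes(text)
            if dev != VPN_IFACE and not link_scope and prefix != VPN_SERVER
            and not (prefix == "default" and full)]
```

A non-empty `bypass_routes` result on a client that is part of the control environment means traffic can reach other networks while the tunnel is up, which is exactly the exposure the slide warns about.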

What Can You Do Now? – 6. Remote Access: Modems

• Avoid auto-answer dial-in modems.
• Dial-back modems and encrypting modems are ok alternatives if modems are unavoidable.

What Can You Do Now? – 7. Vulnerability and Risk Assessments

• Vulnerability assessments try to identify all the known vulnerabilities in a device or architecture.
• Risk assessments try to prioritize these vulnerabilities and assess the impact.

What Can You Do Now? – 7. Vulnerability and Risk Assessments (cont’d)

• Vulnerability assessments often involve scans, which can cause problems in the control environment.
• Good probabilities for risk assessments are not available, but vulnerabilities can be prioritized using accurate relative probabilities for threats.

What Can You Do Now? – 7. Vulnerability and Risk Assessments (cont’d)

• Risk assessments are a good way to involve the stakeholders in the process and get buy-in.
• Risk can be calculated as:
  Probability of Threat Occurring × Probability of Existing Controls Preventing Threat × Impact if Threat Succeeds
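An added example, not from the slides: scoring and ranking constructed vulnerabilities with the slide's three-factor product, using the ordering from the Threats slide as relative threat likelihoods (the slides note that good absolute probabilities are not available). It goes a step beyond the slide by normalising the scores for ranking, as the methodology's "normalised risks" output does; the numbers are assumed, and the control factor is read as the probability the existing controls fail to prevent the threat (1 minus the probability they prevent it) so that stronger controls lower the score.

```python
# Added example (not from the KEMA slides): rank vulnerabilities with the
# slide's risk product. All likelihoods, impacts and vulnerabilities below are
# constructed; only the threat ordering comes from the Threats slide.

# Relative threat likelihoods in the slide's order of decreasing probability
# (assumed values; only their relative order matters for ranking).
THREAT_LIKELIHOOD = {
    "worms_and_viruses": 0.8,
    "internal_omission": 0.5,
    "internal_commission": 0.2,
    "external_commission": 0.1,
}

# Constructed vulnerabilities: the threat that would exploit each, how likely
# the existing controls are to prevent that threat, and the impact if it
# succeeds (1 = nuisance, 10 = loss of the control system's primary function).
VULNERABILITIES = [
    {"id": "unpatched-hmi", "threat": "worms_and_viruses", "control_prevents": 0.3, "impact": 9},
    {"id": "shared-operator-account", "threat": "internal_omission", "control_prevents": 0.5, "impact": 6},
    {"id": "open-dialin-modem", "threat": "external_commission", "control_prevents": 0.1, "impact": 10},
    {"id": "no-change-control", "threat": "internal_commission", "control_prevents": 0.6, "impact": 7},
]


def risk_score(vuln):
    """P(threat occurs) x P(existing controls fail to prevent it) x impact.

    The slide names the middle factor as the probability that controls prevent
    the threat; this reading uses 1 minus that value (an assumption) so that
    stronger controls produce a lower score.
    """
    p_threat = THREAT_LIKELIHOOD[vuln["threat"]]
    p_controls_fail = 1.0 - vuln["control_prevents"]
    return p_threat * p_controls_fail * vuln["impact"]


def rank_vulnerabilities(vulns):
    """Return (id, normalised risk) pairs, highest first, with the top item
    scaled to 1.0 so stakeholders compare relative rather than absolute risk."""
    scored = [(v["id"], risk_score(v)) for v in vulns]
    top = max(score for _, score in scored) or 1.0
    return sorted(((vid, round(score / top, 3)) for vid, score in scored),
                  key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for vid, normalised in rank_vulnerabilities(VULNERABILITIES):
        print(f"{normalised:5.3f}  {vid}")
```

With these constructed inputs the worm-exploitable unpatched HMI ranks first even though the open modem has the highest impact, which is the effect of weighting by relative threat probability that the slides call for.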

What Can You Do Now? – 7. Vulnerability and Risk Assessments (cont’d)

• Use a good methodology.
• Which to use? For systems, use one focused on assessing the risk that a vulnerability can be exploited by a threat.

A Vulnerability/Risk Assessment Methodology

[Diagram: the methodology flows Scoping → Risk Assessment → Prioritise & mitigation → Actions & forward planning → Review, with Inputs, Activities and Outputs shown for each phase. The items recovered from the diagram are listed below.]

Scoping
• Client Requirements
• Client Organization
• Client Constraints
• Project Plan
• Interview Requirements
• Questionnaires
• Document/Drawing Requirements

Assessment inputs, activities and outputs
• Documents & drawings
• Site Walkthrough/Site Survey
• Policies, procedures
• Questionnaires, interviews
• Processes
• Systems
• Risk numbers
• Vulnerabilities
• Risk database
• Vulnerability assessment
• Normalised risks
• Recommendations
• Client capabilities, investment plans etc.
• Baseline assessment
• System inventory
• Vulnerability Assessment
• Risk database or risk assessment matrix
• Gap analysis
• Prioritised and ranked recommendations
• Work plans for gap closure

What Can You Do Now? – Bottom Line

• A tool or tools will not keep you secure.
• No one can guarantee your system or network is “secure”.
• Daily due diligence and a comprehensive security program is the only viable “solution”.

NERC Permanent Standard – Timeline

• Jan 17 – Feb 17: Post Draft 2 and comment period
• Feb 2: Webcast on Draft 2
• Feb 18 – Apr 15: Resolve comments on Draft 2 and prepare Draft 3
• Apr 15 – May 31: Post Draft 3 and comment period
• June 1 – 30: Resolve comments on Draft 3 and prepare for ballot
• July 1 – 31: 30 day posting prior to ballot
• Aug 1 – 30: 2 rounds of ballots
• August 13: NERC 1200 expires
• Sept 1 – 30: 30 day posting prior to NERC Board adoption
• October 1: NERC Board adopts standards
• November 1: Standards become “Effective”
• 1st Quarter 2006: Self certification and audit begins

NERC Permanent Standard

• CIP–002–1 Critical Cyber Assets
• CIP–003–1 Security Management Controls
• CIP–004–1 Personnel and Training
• CIP–005–1 Electronic Security
• CIP–006–1 Physical Security
• CIP–007–1 Systems Security Management
• CIP–008–1 Incident Reporting and Response Planning
• CIP–009–1 Recovery Plans

NERC Permanent Standard – What it covers

• SCADA/Control Center
• Power plant control systems
• Transmission substations
• Many exceptions

What it doesn’t cover

• Many power plants
• Distribution
• Telecom
• Requirement for understanding control systems

Ten Steps To Secure Control Systems

Questions?

For more information:
Jay Abshier, CBCP CISSP
713.240.4146 (mobile)
832.717.3072 (office)
[email protected]