
Page 1: Schweitzer Engineering Labs: Securing SCADA and EMS Communications to Thwart Advanced Persistent Threats and Surpass NERC CIP Requirements

Copyright © 2015 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
Rockwell Automation TechED 2015 @ROKTechED #ROKTechED

Securing SCADA and EMS Communications to Thwart Advanced Persistent Threats and Surpass NERC CIP Requirements
Schweitzer Engineering Labs
Dwight Anderson, Security Engineer - Schweitzer Engineering Laboratories
June, 2015

Page 2: Power System Network

[Figure: one-line diagram of a power system network with buses A–F, sources, midpoints, a tie point and reclosers; step labels 1 and 2 mark "Sense Loss of Voltage" and "Trip Sequence and Lockout".]

Page 3: Substation Teleprotection Requirements

[Figure: network zones and the requirements that apply to each. Substation 1 and Substation 2 each contain relays, a firewall and an HMI and connect to each other over a communications network. The control center (firewalls, HMI, servers, secure workstation, switch), the corporate network (firewalls, HMI, servers, secure workstation, switches) and the enterprise (corporate DMZ, firewalls, corporate servers, Internet) each have their own requirements.]

Page 4: NERC CIP

• CIP-004 – human factor
• CIP-005 – network boundary controls
• CIP-007 – controls for individual devices

Page 5: Malware – Zero-Day Exploits and APTs

Attacker Code
• Hides or is disguised
• Executes infrequently
• Is not known
• Replicates or morphs (possibly)

Page 6: Zero-Day Exploit Is Easier to Create

McCorkle and Rios, “100 Bugs in 100 Days”, DerbyCon 2011

Page 7: Protection Measures

• Network isolation
• Firewalls
• Gateways / IPsec VPNs
• EMET
• Antivirus
• Whitelisting
• Intrusion detection and next-generation firewalls

Page 8: Example Firewall

[Figure: example firewall.]

Page 9: OSI Model and Port Numbers

[Figure: the OSI layers with example protocols; the port number field belongs to the transport layer.]

Application Layer     HTTP, FTP
Presentation Layer    MIME, XDR
Session Layer         NetBIOS, SAP
Transport Layer       TCP, UDP, TLS   (port number)
Network Layer         IP, ICMP, IPsec
Data Link Layer       Ethernet, Frame Relay
Physical Layer        T1, SONET

Page 10: Types of Firewalls

[Figure: an IP packet, shown with its header fields (source address, destination address, source port, destination port, sequence number, acknowledgment number and the TCP flags CWR, ECE, URG, ACK, PSH, RST, SYN, FIN), enters a firewall that applies one of four approaches: packet filtering, stateful inspection, application gateway or network proxy. The outcome for each packet is permit, reject or drop.]
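The slide lists the firewall types and the three outcomes but does not show where packet filtering and stateful inspection differ. The following is an added example (not from the slide deck) that judges the same constructed packets with a stateless filter and with a stateful firewall built on the same rule set. The rules, the 10.1.1.0/24 "substation" network, the 10.2.2.10 "SCADA master" and DNP3 on port 20000 are assumptions chosen for the illustration.

```python
"""Packet filtering versus stateful inspection over constructed packets.

Added example; not from the slide deck. A Packet holds only the header fields
the slide names (addresses, ports, TCP flags). The rule set, the 10.1.1.0/24
"substation" network, the 10.2.2.10 "SCADA master" and the DNP3 port 20000 are
assumptions chosen for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PERMIT, DROP, REJECT = "permit", "drop", "reject"   # the three outcomes on the slide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()   # subset of {"SYN", "ACK", "FIN", "RST", ...}


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dport: Optional[int]                  # None = any destination port
    action: str
    require_flags: FrozenSet[str] = frozenset()

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or p.dport == self.dport)
                and self.require_flags <= p.flags)


class PacketFilter:
    """Stateless: each packet is judged on its own header fields, first match wins."""

    def __init__(self, rules: List[Rule], default: str = DROP):
        self.rules, self.default = rules, default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


class StatefulFirewall(PacketFilter):
    """Stateful inspection: the rules are consulted only for a SYN that opens a
    flow; every later packet is judged by whether it belongs to an open flow."""

    def __init__(self, rules: List[Rule], default: str = DROP):
        super().__init__(rules, default)
        self.flows = set()   # (src, sport, dst, dport) of flows opened from inside

    def decide(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            if "RST" in p.flags:            # simplified teardown
                self.flows.discard(fwd)
                self.flows.discard(rev)
            return PERMIT
        if "SYN" in p.flags and "ACK" not in p.flags:   # only a bare SYN may open a flow
            action = super().decide(p)
            if action == PERMIT:
                self.flows.add(fwd)
            return action
        return self.default   # non-SYN packet that matches no open flow


RULES = [
    # Relays may poll the SCADA master over DNP3.
    Rule("10.1.1.0/24", "10.2.2.10/32", 20000, PERMIT),
    # Telnet out of the substation is refused with a notice rather than silently dropped.
    Rule("10.1.1.0/24", "0.0.0.0/0", 23, REJECT),
    # Classic stateless "established" rule: any ACK-bearing packet from the master is let back in.
    Rule("10.2.2.10/32", "10.1.1.0/24", None, PERMIT, frozenset({"ACK"})),
]


def run_scenario():
    """Feed the same constructed packets to both firewall types and return
    {name: (packet_filter_decision, stateful_decision)}."""
    packets = [
        ("syn", Packet("10.1.1.5", "10.2.2.10", 40000, 20000, frozenset({"SYN"}))),
        ("synack", Packet("10.2.2.10", "10.1.1.5", 20000, 40000, frozenset({"SYN", "ACK"}))),
        # Forged reply aimed at a relay that never opened a connection.
        ("forged_ack", Packet("10.2.2.10", "10.1.1.9", 20000, 40001, frozenset({"ACK"}))),
        ("telnet", Packet("10.1.1.5", "10.2.2.10", 40002, 23, frozenset({"SYN"}))),
    ]
    pf, sf = PacketFilter(RULES), StatefulFirewall(RULES)
    return {name: (pf.decide(p), sf.decide(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:11s} packet filter: {stateless:7s} stateful: {stateful}")
```

The forged ACK is the instructive case: the stateless filter has to let "established" traffic back in by trusting a header flag, so it permits the packet, while the stateful firewall drops it because no relay opened that flow. The telnet SYN is rejected by both, showing a rule outcome that is neither permit nor a silent drop.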

Page 11: Firewall Considerations

• Zero-day exploit – moderate application
• NERC CIP – good application
• IT systems coexist
• Log management
• Central management
• Little impact on performance

Page 12: Application Layer Firewall

[Figure: application layer firewall.]

Page 13: Block Specific URLs

Example: www.shodanhq.org

Page 14: Detect File Transfers

Page 15: Next-Generation Firewall Considerations

• Zero-day exploit – high impact
• NERC CIP – high impact
• Management intuitive but not simple to get right

Page 16: VPN Gateway

• Authentication
• Confidentiality
• Message integrity

Page 17: IPsec Encapsulating Security Payload Header

• Encrypts IP packet payload
• Supports strong encryption protocols, such as Blowfish and AES
• Provides data origin authentication, data integrity, and replay protection
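The third bullet is the one that matters most for SCADA polling traffic, where a captured command replayed later is as dangerous as a forged one. The following is an added example (not from the slide deck) of how an ESP receiver combines the integrity check with the anti-replay sliding window described in RFC 4303. The key, SPI and packets are constructed; HMAC-SHA256 stands in for the negotiated integrity algorithm, and payload encryption is left out so the replay logic stays the focus.

```python
"""ESP-style integrity verification and anti-replay window on the receive side.

Added example; not from the slide deck. It models one inbound IPsec security
association the way RFC 4303 describes it: each packet carries an SPI, a
sequence number and an integrity check value (ICV) over header and payload;
the receiver runs the anti-replay check, verifies the ICV, and only then
updates the window. The key, SPI and packets are constructed; HMAC-SHA256
stands in for the negotiated integrity algorithm, and payload encryption is
left out so the replay logic is the focus.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16   # truncated ICV length, as ESP integrity algorithms commonly use


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI || sequence number || payload || ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


class InboundSA:
    def __init__(self, key: bytes, spi: int, window: int = 64):
        self.key, self.spi, self.window = key, spi, window
        self.highest = 0     # highest sequence number accepted so far (ESP starts at 1)
        self.bitmap = 0      # bit i set => sequence number (highest - i) already accepted
        self.log = []        # (seq, reason) for every rejected packet

    def _replay_check(self, seq: int):
        """Return a rejection reason, or None if the sequence number is acceptable."""
        if seq == 0:
            return "zero sequence number"
        if seq > self.highest:
            return None                          # new high-water mark
        offset = self.highest - seq
        if offset >= self.window:
            return "too old"                     # fell off the left edge of the window
        if self.bitmap & (1 << offset):
            return "replayed"                    # already accepted once
        return None

    def _window_update(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def receive(self, pkt: bytes) -> bool:
        spi, seq = struct.unpack("!II", pkt[:8])
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        if spi != self.spi:
            self.log.append((seq, "unknown SPI"))
            return False
        reason = self._replay_check(seq)         # cheap check first ...
        if reason:
            self.log.append((seq, reason))
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):   # ... then the constant-time ICV compare
            self.log.append((seq, "bad ICV"))
            return False
        self._window_update(seq)                 # window advances only for authentic packets
        return True


def run_scenario():
    """Deliver constructed packets out of order, duplicated, stale and tampered."""
    key = b"constructed-test-key-not-for-real-use"   # constructed
    spi = 0x1001                                      # constructed
    sa = InboundSA(key, spi, window=4)                # tiny window so 'too old' is easy to hit
    pkts = {s: build_packet(key, spi, s, b"DNP3 poll %d" % s) for s in (1, 2, 3, 6, 7, 10, 11)}
    results = []
    for s in (1, 3, 2, 2, 10, 6, 7):    # reorder, duplicate, jump ahead, then a stale one
        results.append((s, sa.receive(pkts[s])))
    tampered = bytearray(pkts[11])
    tampered[8] ^= 0x01                 # flip the first payload byte; the ICV no longer matches
    results.append(("tampered 11", sa.receive(bytes(tampered))))
    results.append((11, sa.receive(pkts[11])))   # the genuine 11 is still accepted afterwards
    return results, sa.log


if __name__ == "__main__":
    results, log = run_scenario()
    for item in results:
        print(item)
    print("rejections:", log)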

Page 18: Gateway-to-Gateway VPN Tunnels

[Figure: two trusted networks joined across an untrusted network; at each edge an encrypting router, an encrypting firewall or a VPN concentrator terminates the tunnel, and the data in transit is protected by the VPN security protocols.]

Page 19: VPN Considerations

• Zero-day exploit – no impact
• NERC CIP – high impact
• Coexisting IT systems
• Management – critical for getting it right
• Centralized support
• Some impact on performance
• Redundancy and failover

Page 20: EMET

Page 21: EMET – DEP

Prevent vulnerability exploitation

[Figure: code blocks A, B, C, E and F in memory alongside a Code D labelled as malware, with exception points leading to the malware.]

Page 22: Structured Exception Handler Overwrite Protection

Prevent exploiting stack overflows in Microsoft® Windows®

[Figure: two stack diagrams, "EMET Off" and "EMET On", each showing a function's stack frames and a chain of Handler/Next records whose entries have been overwritten with 0x0c0c0c0c, ending at a Final Handler record at 0xfffffff.]

Page 23: Address Space Randomization

Locate code in different places in memory each time computer is restarted

Restart 1: Ntdll, App.exe, Kernel32
Restart 2: Kernel32, Ntdll, App.exe
Restart 3: App.exe, Kernel32, Ntdll

Page 24: EMET Considerations

• Zero-day exploit – high impact
• NERC CIP – high impact
• Prefer not to bring Windows into substation
• Interoperability tested with existing software
• Events are logged
• No impact on performance

Page 25: Malware Growth

[Chart: malware growth from 1985 to 2013 in two-year steps, vertical scale 11,000,000 to 110,000,000.]

Page 26: 14.5% of Viruses Undetected

[Chart: 14.5% undetected, 85.5% detected.]

Page 27: Antivirus

• Zero-day exploit – no / low impact
• NERC CIP – high impact
• Network and operational overhead created with constant updates
• Antivirus update burden eased with proxy and centralized management software
• CPU spikes, false positives and negatives
• Event logs

Page 28: Whitelisting

• Bring deny-all security strategy to local host
• Ease whitelist management with dynamic whitelisting capabilities
• Leverage protection techniques to block memory-based exploits
• Gain change control with minimum operational impact

Page 29: Whitelisting in Action

[Figure: a substation LAN built on an Ethernet switch connects relays, other IEDs, a computing platform and a local HMI over Modbus® TCP, IEC 61850, DNP3 LAN and fast messaging; a remote HMI, an off-site or pole-top location, SCADA, the control center and a historian / asset management system connect over RDP / OPC Data Access / event file logging.]

Page 30: Whitelisting

• Zero-day exploit – high impact
• NERC CIP – high impact for multiple areas
• New threats blocked without signature updates
• Logs provide excellent history of failed program execution
• Negligible performance impact with tiny footprint
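Pages 28 and 30 describe what whitelisting gives the host (deny-all by default, dynamic updates, change control, and a log of failed executions) without showing the mechanism. The following is an added example (not the deck's own tooling or any vendor's product) of a hash-based application whitelist that exercises each of those points on constructed files in a temporary directory; the file names, contents and the trusted-updater rule are assumptions for the illustration.

```python
"""Hash-based application whitelisting for an HMI host, with dynamic updates
and a denial log.

Added example; not the deck's own tooling or any vendor's product. It applies
a deny-all policy on the local host: a program may execute only if the SHA-256
digest of its file is on the whitelist. A trusted-updater rule lets files
written by an approved updater join the list automatically (the "dynamic
whitelisting" the slides mention), a changed digest on a known path is reported
as a modification, and every denial is logged so the log doubles as a history
of failed program execution. All binaries here are constructed in a temporary
directory; the file names and contents are assumptions for the illustration.
"""
import hashlib
import os
import tempfile
import time
from typing import List, Tuple


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Whitelist:
    def __init__(self):
        self.allowed = {}              # digest -> path the digest was approved for
        self.trusted_updaters = set()  # digests of processes allowed to add files
        self.events = []               # (unix time, path, decision, reason)

    def approve(self, path: str, updater: bool = False) -> None:
        digest = sha256_of(path)
        self.allowed[digest] = path
        if updater:
            self.trusted_updaters.add(digest)

    def file_written_by(self, writer: str, path: str) -> None:
        """Dynamic whitelisting: a file installed by a trusted updater is approved
        as it lands on disk; anything else must be approved explicitly."""
        if sha256_of(writer) in self.trusted_updaters:
            self.approve(path)
            self._log(path, "auto-approve", f"written by trusted updater {os.path.basename(writer)}")

    def check_exec(self, path: str) -> str:
        """Deny-all: only a digest already on the list may run."""
        digest = sha256_of(path)
        if digest in self.allowed:
            return self._log(path, "allow", "digest on whitelist")
        if path in self.allowed.values():
            return self._log(path, "deny", "modified since approval")
        return self._log(path, "deny", "digest not on whitelist")

    def failed_executions(self) -> List[Tuple[str, str]]:
        """The history of blocked program launches, straight from the event log."""
        return [(os.path.basename(p), why) for _, p, d, why in self.events if d == "deny"]

    def _log(self, path: str, decision: str, reason: str) -> str:
        self.events.append((time.time(), path, decision, reason))
        return decision


def run_scenario():
    """Return ([decisions in order], failed-execution history) for a constructed host."""
    with tempfile.TemporaryDirectory() as d:
        def put(name: str, content: bytes) -> str:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            return p

        hmi = put("hmi.exe", b"constructed HMI binary v1")
        updater = put("updater.exe", b"constructed vendor updater")
        wl = Whitelist()
        wl.approve(hmi)
        wl.approve(updater, updater=True)

        decisions = [wl.check_exec(hmi)]                       # approved binary runs
        dropper = put("dropper.exe", b"constructed unknown binary")
        decisions.append(wl.check_exec(dropper))               # unknown digest is denied
        put("hmi.exe", b"constructed HMI binary v1 + patch")   # HMI file altered in place
        decisions.append(wl.check_exec(hmi))                   # digest changed -> denied
        patch = put("patch.exe", b"constructed vendor patch")
        wl.file_written_by(updater, patch)                     # dynamic whitelisting
        decisions.append(wl.check_exec(patch))                 # auto-approved -> runs
        payload = put("payload.exe", b"constructed second stage")
        wl.file_written_by(dropper, payload)                   # writer is not trusted
        decisions.append(wl.check_exec(payload))               # still denied
        return decisions, wl.failed_executions()


if __name__ == "__main__":
    decisions, failed = run_scenario()
    print("decisions:", decisions)
    print("failed executions:", failed)
```

No signature database is involved: the unknown dropper and the second-stage payload are both denied simply because their digests were never approved, which is the "new threats blocked without signature updates" point. The altered HMI binary is denied with a distinct reason, which is the change-control benefit, and `failed_executions()` is the log the slide refers to.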

Page 31: Securing SCADA and EMS Communications

Protection Measure        Results                      Impact on Performance
Isolation                 Medium (but often violated)  Low
Firewalls                 High                         Low
VPN gateways              Low                          Medium
Antivirus                 Low                          Medium to High
EMET                      High                         Low
Whitelisting              High                         Low
Next-generation firewall  High (needs testing)         High (needs testing)

Page 32: www.rockwellautomationteched.com

Thank you!