
Welcome to PHOENIX CONTACT

Industrial SCADA network security seminar

ISAWWA

Matt Cowell
Phoenix Contact
ASE – North Central

[email protected]

www.phoenixcontact.com/water

847 226 5197

2 | Presentation | Matt Cowell | ASE Central | 24 February 2012

Who am I?

- Matt Cowell
- ASE (Automation Sales Engineer) – N Central region
- Tenure – Joined Phoenix Contact Jan 2008
- Located Gurnee, IL (north of Chicago)
- Responsible for all Phoenix Contact Automation product in N. Central Region
- Automation product responsibility includes Ethernet, network security products, controllers and software, Industrial PCs, HMIs, I/O and Wireless
- Territory includes IL, WI, MN, MO, IA, KS, NE, ND, SD
- Background – Various engineering roles with later years focused on system integration

What does Phoenix Contact do?

Connectors? Terminal Blocks?

Plus a whole lot more…

Who are you?

- Water operators?
- System integrators?
- Engineering firm?
- IT?
- Other?

Agenda

- Industrial/SCADA networking introduction
- Recent product vulnerabilities
- Case studies of recent security breaches
- ‘Typical’ network layouts and comparisons
- Introduction to basic hacking techniques
- Live demonstration of hacking techniques used
  - Highlighting ease of implementation
  - Offering simple countermeasures and prevention
- Remote connectivity review
- Standards and regulations
- Product solutions and recommendations

Objectives of this seminar

- Not intended as a class in hacking to teach would-be hackers
- Raise awareness of often overlooked vulnerabilities
- Offer simple concepts and solutions for improved security

WARNING!

- Lots of TLAs and other acronyms

Question Time

- Has your network ever been hacked?
  - How do you know?
- Was Springfield’s Curran-Gardner facility hacked?
  - Contrary to news reports, it appears not…
- Whose responsibility is network security?
  - Everyone’s
  - Don’t assume someone else (IT) has it covered

What is a SCADA network?

- SCADA = Supervisory Control And Data Acquisition
- Commonly associated with an Industrial Control System (ICS)
- Typically a dedicated network interlinking critical devices that are part of controlling and/or monitoring a plant, infrastructure or a process

Typical devices – SCADA network

(Diagram: typical field devices in/near the control panel)

Wastewater SCADA n/w example

(Diagram: plant network with copper, fiber and wireless links connecting the Main Control Room, Main Pump Station, Sludge Dewatering, Disinfection, Blower Building, Final Clarifiers and Reject Pumps)

Characteristics of a SCADA network

- Often engineer governed
- Desire high speed (typically small data transfer – bits vs. MB)
- Deterministic
- Acceptable latency typically measured in ms
- High reliability data transfer in rugged form factor
- Typically comprising various protocols (ModbusTCP, DNP3, E/IP)
- Interconnected via various media (fiber, copper, wireless, leased lines etc.)
- Originally isolated islands (no WAN or internet connectivity)
- Longer system life cycle = more older technology and OS

Typical IT/Enterprise network

(Diagram: enterprise network connected to the Internet)

- Large network, vast data transfer, variable speed dependent upon load, latency measured in seconds, isolation of devices less critical, broadcast traffic common, integrated security (anti virus/sw firewall)

Evolution of connecting SCADA to IT network or internet?

(Diagram: Internet – Router/Firewall – Enterprise/Company level – SCADA/Ind. Network, with access throughout)

Why converge?

- Reporting – Regulatory requirements/Compliance
- Convenience – Access from desk, city network
- Autonomy & Remote access – Outside access for contractors
- Integration – to database/laboratory
- Mistake – Could also be inadvertent

Why consider security now?

- Scope of industrial networks has grown beyond conventional “switch only” networks (layer 2)
- Device access from IT/enterprise network is desired
- Remote access to SCADA systems is required for support
- Industrial devices lack network security features we have become familiar with (robust NICs, Windows updates, patches, anti virus, HTTPS etc.)
- Vulnerabilities are being discovered daily
- Increase in network devices & trends are relying upon use of ‘the cloud’
- Few standards in place yet to enforce security
- Stuxnet demonstrated the sophistication and damage that can be caused by industrial-specific malware – don’t wait for Stuxnet 2.0
- Industrial attacks are becoming more common and brazen – 1/3 of ALL malware was developed in the past year (Stuxnet, Night Dragon, Stars all made news headlines)

You already have physical security…

- Cameras and surveillance
  - Analogous to IDS (Intrusion Detection System)/logging
- Access control – access based upon credentials
  - Analogous to account/password control policy
- Perimeter security – fences, gates, locks
  - Analogous to firewalls
- Alarms
  - Analogous to Email/SMS/SNMP/HMI alarms
  - SIEM (Security Information & Event Management) or IDS
- Security guard
  - Analogous to IT/security focused professional
- We generally take physical security very seriously

The cyber threat is real…

Types of cyber incident

- Auditing
  - Legitimate attack/test
  - Vulnerability assessment
- Accidental
  - Broadcast storm, misconfiguration, faulty product etc.
  - Wrong IP
- Non-malicious intrusion
  - Monitoring data, stealing information etc.
- Malicious intrusion
  - Bad intentions/causing harm
  - Breaking something (equipment/process/data)

A few recently discovered vulnerabilities

- All confirmed and published by US CERT (DHS)
- Schneider
  - ICS-ALERT-11-346-01—SCHNEIDER ELECTRIC QUANTUM ETHERNET MODULE MULTIPLE VULNERABILITIES
  - ICSA-11-277-01—SCHNEIDER ELECTRIC UNITELWAY DEVICE DRIVER BUFFER OVERFLOW
  - ICSA-11-307-01—SCHNEIDER ELECTRIC VIJEO HISTORIAN WEB SERVER MULTIPLE VULNERABILITIES
- Siemens
  - ICSA-11-356-01—SIEMENS SIMATIC HMI AUTHENTICATION VULNERABILITIES
  - ICS-ALERT-11-332-02A—SIEMENS SIMATIC WINCC FLEXIBLE VULNERABILITIES
  - ICS-ALERT-11-186-01—PASSWORD PROTECTION VULNERABILITY IN SIEMENS SIMATIC CONTROLLERS S7-200, S7-300, S7-400, AND S7-1200
  - ICS-ALERT-11-161-01—SIEMENS SIMATIC S7-1200 PLC VULNERABILITIES

…more recently discovered vulnerabilities

- Rockwell Automation
  - VU#144233 – Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
  - ICSA-10-070-01A-UPDATE—ROCKWELL AUTOMATION RSLINX CLASSIC EDS HARDWARE INSTALLATION TOOL BUFFER OVERFLOW
  - ICS-ALERT-10-194-01—OPEN UDP PORT IN 1756-ENBT ETHERNET/IP™ COMMUNICATION INTERFACE
  - ICSA-11-273-03A—ROCKWELL RSLOGIX DENIAL-OF-SERVICE VULNERABILITY
- Others
  - ICS-ALERT-11-080-02—MULTIPLE VULNERABILITIES IN ICONICS GENESIS (32 & 64)
  - ICSA-11-173-01—CLEARSCADA REMOTE AUTHENTICATION BYPASS
  - ICSA-11-332-01—INVENSYS WONDERWARE INBATCH ACTIVEX VULNERABILITIES
  - ICSA-11-243-03A—GE INTELLIGENT PLATFORMS PROFICY HISTORIAN DATA ARCHIVER BUFFER OVERFLOW VULNERABILITY

Network security breach case study: Stuxnet

- The industrial virus that brought mass media attention
- Complex rootkit exploiting 4 x zero day exploits
- Designed to attack Siemens control networks and Win OS
- Used stolen digital certificates to look inconspicuous
- Could manipulate PLC logic and network traffic
- Automatically spreads via USB jump drive
- Reports updates back to internet server
- Targeted Iran’s uranium enrichment centrifuges causing significant damage but also spread worldwide
- Suspected to be a state sponsored virus
- It has a ‘kill date’ coded into it to stop spreading on 6/24/12

Network security breach case study: South Houston wastewater facility

- On Nov 18th 2011 a hacker named ‘Pr0f’ breached South Houston’s network as a reaction to DHS downplaying a suspected security breach in IL
- He posted his rant and HMI screenshots on pastebin.com
- Took advantage of a Siemens vulnerability, using a 3-character default password to gain access to a publicly available HMI
- Breach wasn’t malicious but could have been
  - He could have affected processes causing harm, as well as accessing site documentation and drawings
  - He could also have placed a virus on the network to cause harm/gain access at a later date
- No official announcement was made other than that the DHS and FBI are investigating further

Network security breach case study: Davis-Besse nuclear power plant

- Slammer worm caused PCs on the safety monitoring system to shut down
- Caused systems to be down for 5 hours
- Believed to have been inadvertently passed by a company contractor on an insecure network
- Spread to control network through internal T1 link to enterprise network
- Affected unpatched server
- Example of a “Blind Worm” using Denial of Service to overwhelm a system and shut it down

Network security breach case study: Maroochy Shire wastewater facility

- Disgruntled former contractor gained access via insecure wireless network
- Released 264,000 gallons of sewage into rivers
- Responsible for killing marine life, not to mention creating a stench for residents
- This occurred over a 3 week period; no one noticed for the first 2.5 weeks
- He was later arrested and sentenced to prison

Hot off the press…

Even Big Bird can’t help you!

Why do people ‘hack’?

- There are a number of motivators, including:
  - Ego
  - Criminal
  - Political/Spying
  - Hacktivism
  - Terrorism
  - War
  - Personal gain
  - Corporate gain
  - Sabotage
  - Retribution
  - Personal concern

How do people hack?

- Inside job/disgruntled employee – abusing network privileges
- Sniffing – intercepting network traffic, ARP spoofing. Unsecured messages (HTTP, SNMP v1 & 2) may contain passwords in plain text
- Password cracking – exploiting defaults, password generator, phishing, keylogging, brute force
- DoS – Denial of Service attacks overwhelm a network interface by sending excessive traffic to that device
- Spoofing – Firewalls define rules based upon IP address, MAC address and port. Spoofing modifies the source IP/MAC to pretend it’s from a legitimate source to get access and hijack a session. Cyber imposter
- Wireless attack – Using packet captures and decryption tools it’s possible to extract the WEP key of a wireless AP
- Virus/Worm – Self replicating infectious computer code (malware) that can take control of a system or steal information. Infect and spread
- Trojan – Malicious code attached to a legitimate file – once run, compromises the system by giving access to a hacker(s) as a virus would
- Exploiting vulnerabilities – latest Windows updates, Stuxnet
- Social Engineering – manipulating people to divulge information or perform an action – cyber con artist. Email/phone/baiting/phishing

Usually automated (scripts etc.)

How easy is it to ‘hack’ a facility?

- Just ask Google
- Wireless breach
  - Wardriving
- If no access to the inside network, first have to find it:
  - Specialist search engines
  - Public IP and port scans
  - Social engineering via Trojan or phishing
- Vulnerabilities
  - Easy targets
  - Publicly available online and being found daily
- Dedicated tools to make life easier

…as we will see

Our demonstration scenario

(Diagram: demonstration network – PC (HMI) Master, Lean Managed Switch, PLC Slave and Attacking PC on the 192.168.0.x LAN (addresses 192.168.0.100, .101, .102 and .200), Router with LAN/WAN sides at 192.168.0.1, Internet side 1.2.3.4; Perimeter marked)

1. Explore and learn the network (learning)

1. Explore and learn the network

- What did we learn?
  - What subnet they are using (192.168.0.x – i.e. 255.255.255.0)
  - What devices are on the network (Linksys, LMS, VL, PLC)
    - What manufacturer (first 3 bytes of MAC ID)
    - What host name (if used)
  - What IP addresses/MAC addresses appear vacant for our attacking PC
  - What traffic is being broadcast and who from – see multicast too with an unmanaged switch
- Recommendations:
  - Regulate who has access to the network – layer 1 prevention?
  - Isolation using routers/VLANs eliminates what devices can be scanned

2. Sniffing (learning cont.)

2. Sniffing

- What did we learn?
  - Switch sends traffic to destination MAC address only, therefore to sniff someone else's packets, need to do an ARP spoof
  - Now we can see what devices are communicating with each other (VL-PLC) – man in the middle attack
  - What type of traffic is flowing (UDP 44818 – E/IP)
  - What device seems to be a router/firewall (192.168.0.1)
  - The LMS password, as we happened to intercept an HTTP packet from Valueline to LMS that contained the password (‘private’)
  - Could intercept/modify any unencrypted data – Stuxnet
- Recommendations:
  - Incorporate software or a switch that monitors ARP activity
  - Encrypt traffic – use HTTPS where possible
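The first recommendation above, monitoring ARP activity, can be made concrete with a small watcher that keeps the IP-to-MAC bindings seen in ARP replies and raises an alarm on the footprint an ARP spoof leaves behind: a known IP suddenly answering from a different MAC, one MAC claiming several IPs, or a hardware vendor prefix the plant does not use (the same first-three-bytes lookup the "learning" slide mentions, here used for inventory rather than reconnaissance). This is an added example, not code from the seminar or from a Phoenix Contact product; the ARP replies, the IP addresses, the device roles behind them and the vendor-prefix table are all constructed for the illustration (real OUIs come from the IEEE registry).

```python
"""ARP activity monitor (added example, not the seminar's code).

Keeps the IP-to-MAC bindings seen in ARP replies and raises an alert when
a binding changes, when one MAC claims more than one IP (the classic
man-in-the-middle footprint), or when a MAC's vendor prefix is not one
the plant expects.  All sample data below is constructed.
"""
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "t sender_ip sender_mac")

# Constructed vendor-prefix table: first three bytes of the MAC (the OUI)
# -> what the plant expects to see.  Placeholder values, not real OUIs.
KNOWN_OUI = {
    "00:11:22": "plant PLC vendor (constructed)",
    "00:33:44": "plant switch/router vendor (constructed)",
}


def oui(mac):
    """Vendor prefix: the first three octets, normalised to lower case."""
    return mac.lower()[:8]


class ArpMonitor:
    def __init__(self, known_oui=KNOWN_OUI):
        self.known_oui = known_oui
        self.table = {}          # ip -> (mac, time first bound)
        self.seen_macs = set()
        self.alerts = []         # (kind, time, ip, *detail)

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()

        # 1. A hardware vendor the plant does not use: report once per MAC.
        if mac not in self.seen_macs:
            self.seen_macs.add(mac)
            if oui(mac) not in self.known_oui:
                self.alerts.append(("unknown-vendor", reply.t, ip, mac))

        # 2. Binding change: an IP we already know now answers from a new MAC.
        prev = self.table.get(ip)
        changed = prev is None or prev[0] != mac
        if prev is not None and prev[0] != mac:
            self.alerts.append(("binding-change", reply.t, ip, prev[0], mac))
        if changed:
            self.table[ip] = (mac, reply.t)
            # 3. One MAC now bound to several IPs: a spoofer impersonating
            #    both ends of a conversation looks exactly like this.
            ips = sorted(i for i, (m, _) in self.table.items() if m == mac)
            if len(ips) > 1:
                self.alerts.append(("duplicate-mac", reply.t, ip, mac, ips))
        return self.alerts

    def run(self, replies):
        for r in replies:
            self.observe(r)
        return self.alerts


# Constructed ARP replies: a router and a PLC answer normally, then at
# t=5.0 a third station starts claiming both of their addresses.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.0.1",   "00:33:44:00:00:01"),   # router/firewall
    ArpReply(0.5, "192.168.0.102", "00:11:22:00:00:02"),   # PLC
    ArpReply(1.0, "192.168.0.102", "00:11:22:00:00:02"),   # PLC again, unchanged
    ArpReply(5.0, "192.168.0.102", "de:ad:be:ef:00:01"),   # new MAC claims PLC's IP
    ArpReply(5.1, "192.168.0.1",   "de:ad:be:ef:00:01"),   # same MAC claims router's IP
]

if __name__ == "__main__":
    for alert in ArpMonitor().run(SAMPLE_REPLIES):
        print(*alert)
```

On the constructed sample the first three replies produce nothing; the fourth raises an unknown-vendor and a binding-change alert for the PLC's address, and the fifth raises a second binding-change plus a duplicate-mac alert because one station now owns both the PLC's and the router's IP. On a real network the replies would come from a packet capture or a managed switch's ARP log, and a binding that legitimately changes (a replaced PLC) would be cleared by updating the table.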

3. Port Scanning (learning cont.)

3. Port Scanning (learning)

- What did we learn?
  - What ports are open on each device
    - TCP
    - UDP
  - Potentially exploit known vulnerabilities & back doors
- Recommendations:
  - Use a firewall when possible
  - Use logging to notify you of port scans

4. DoS Attack

4. DoS Attack

(Diagram: demonstration network as above; the attack is launched from the Attacking PC inside the LAN)

4. Denial of Service attack

- What did we learn?
  - With the information we collected by learning the network, we can now break it
  - Network adapters (particularly on industrial devices) can be overwhelmed if you send excessive packets
  - This can manifest in many devastating ways – preventing legitimate communications and in some cases locking up the device, requiring a power cycle or losing its program
- Recommendations:
  - Use firewalls to control/restrict access
  - Use managed switches with bandwidth limitation or routers to prevent excess traffic
  - Enable monitors/logging to watch and automatically notify of dangerous traffic levels

5. Outside Port Scan and DoS

5. Outside Port Scan and DoS

(Diagram: demonstration network as above, with the Attacking PC now on the Internet side (1.2.3.4); the Router port forwards UDP 44818 to 44818, so 44818 shows as OPEN)

5. Outside Port Scan and DoS

- What did we learn?
  - Simple port scans on the public IP address uncover open/unrestricted ports
    - 44818 open
  - The public network is constantly being scanned by scripts looking for open ports/backdoors
  - Not only can we learn from the outside but can cause damage also
  - Don’t rely on ‘security by obscurity’ and don’t assume that somebody else has it covered
- Recommendations:
  - Don’t open ports without due care – use VPN instead!
  - Set firewall rules to restrict any open access
  - Enable monitors/logging to watch and automatically notify of unknown traffic or dangerous traffic levels

Control the ‘inside’

- Prevent unnecessary access to industrial devices/network
- Use a firewall to control traffic rules
- Be careful of open ports and ‘backdoors’
- Ensure adequate encryption when using wireless (WPA2) & a long, unusual pass phrase
- Restrict USB drive usage
- Be careful of infected internal PCs – a virus or Trojan can run on the inside (‘inside job’), cause havoc and send information out
- It’s claimed 60-70% of all security breaches are carried out by insiders

6. WIFI cracking (on the outside)

6. Gaining access through WIFI crack

- What did we learn?
  - WIFI packets are transmitted over the air for all to see
  - Using specialist tools it’s easy to intercept 802.11 network traffic and get enough ‘samples’ to decipher a WEP encrypted keyword, which can then be used to gain access to the network from afar
  - WPA can be breached too but requires a bit more time and the use of rainbow tables or brute force
  - A wireless network could also be jammed rather than penetrated
- Some recommendations:
  - Only use wireless if truly necessary and be aware of the consequences
  - Use the highest level of encryption available (min WPA2 for WIFI)
  - Disable SSID broadcasting
  - Use long, complex passphrases when possible
  - Use an Intrusion Detection System (IDS) and logging
  - Segment wireless networks and place behind firewalls

Half time – break?

- 5-10 mins

Our demonstration scenario

(Diagram: demonstration network repeated – PC (HMI) Master, Lean Managed Switch, PLC Slave and Attacking PC on 192.168.0.x, Router at 192.168.0.1 with LAN/WAN sides, Internet side 1.2.3.4; Perimeter marked)

How could we prevent this attack?

- Stateful firewall – define rules of access – allow only legitimate access to those who need it. Locked down to those who don’t, and all other ports are blocked (potential vulnerabilities or backdoors). Keeps track of connections to prevent illegitimate traffic (spoofed/hijacked).
- Hides/protects potential product vulnerabilities
- Usually combined with a router, which also provides isolation from ARPs and broadcasts – devices appear hidden.

Firewall cont.

- NOTE: use of a firewall is a common recommendation by the US CERT for posted vulnerabilities

How could we prevent this attack?

- Plug and play – some security products can be applied as a drop-in solution (no changes required to existing devices’ IPs, default gateway) – least intrusive to existing network.
- Hides potential product vulnerabilities

(Diagram: Rules applied between the Lean Managed Switch and the PLC Slave; 192.168.0.200 shown)

How could we prevent this attack?

- Extra control – device to check packet consistency to block malformed packets (checksum, packet size), regulate use of pings, regulate TCP connections
  - Sometimes used to hack a device

How could we prevent this attack?

- DoS flooding prevention – restrict number of incoming SYN requests (prevent SYN flood), further ICMP and ARP control

How could we prevent this attack?

- Logging and notification – local logging, remote logging using SYSLOG, SNMP traps, Email, SMS as soon as something occurs
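The "How could we prevent this attack?" slides above describe one device with four behaviours: rules on source IP, source MAC, destination and port; connection tracking so that only replies to traffic the firewall has already admitted get through; a limit on incoming SYNs; and a log line for anything dropped. The model below puts those four behaviours in one place so the interaction can be followed packet by packet. It is an added example, not code from the seminar or from any Phoenix Contact product; the addresses, MACs, rule set, packet list and the syslog-style message format are all constructed, and the window and limit values are arbitrary choices for the illustration.

```python
"""Model of the stateful, drop-in firewall described on the preceding slides
(added example; not Phoenix Contact's or any product's code).  It combines
the features the slides list: rules on source IP, source MAC, destination
and port; a connection table so only replies to flows the firewall has
already admitted get back in; a per-source SYN rate limit; and a
syslog-style line for every drop.  All addresses and packets are constructed.
"""
from collections import namedtuple, defaultdict, deque

Packet = namedtuple("Packet", "t src_ip src_mac src_port dst_ip dst_port proto syn")
Rule = namedtuple("Rule", "src_ip src_mac dst_ip dst_port proto")

# Constructed addresses in the style of the demonstration network.
HMI, HMI_MAC = "192.168.0.100", "00:33:44:00:00:10"
PLC, PLC_MAC = "192.168.0.102", "00:11:22:00:00:02"
ATTACKER, ATTACKER_MAC = "192.168.0.200", "de:ad:be:ef:00:01"

# Only the HMI, matched on IP *and* MAC, may open Modbus/TCP (502) or
# EtherNet/IP (UDP 44818) sessions to the PLC.  Everything else is dropped.
RULES = [
    Rule(HMI, HMI_MAC, PLC, 502, "tcp"),
    Rule(HMI, HMI_MAC, PLC, 44818, "udp"),
]


class StatefulFirewall:
    def __init__(self, rules, syn_window=1.0, syn_limit=3):
        self.rules = rules
        self.flows = set()                   # flows admitted by a rule match
        self.syn_times = defaultdict(deque)  # src_ip -> recent SYN timestamps
        self.syn_window, self.syn_limit = syn_window, syn_limit
        self.log = []                        # syslog-style lines, PRI 132 = local0.warning

    @staticmethod
    def flow_key(p):
        # Direction-independent key, so the PLC's reply matches the HMI's request.
        return (frozenset([(p.src_ip, p.src_port), (p.dst_ip, p.dst_port)]), p.proto)

    def _syn_flood(self, p):
        """True when this SYN pushes its source over syn_limit SYNs per syn_window."""
        if not p.syn:
            return False
        q = self.syn_times[p.src_ip]
        q.append(p.t)
        while q and p.t - q[0] > self.syn_window:
            q.popleft()
        return len(q) > self.syn_limit

    def _drop(self, p, reason):
        self.log.append(
            f"<132>fw: DROP reason={reason} src={p.src_ip} mac={p.src_mac} "
            f"dst={p.dst_ip}:{p.dst_port}/{p.proto} t={p.t:.2f}")
        return "DROP"

    def filter(self, p):
        if self._syn_flood(p):
            return self._drop(p, "syn-flood")
        if self.flow_key(p) in self.flows:
            return "ALLOW"                   # continuation or reply of an admitted flow
        for r in self.rules:
            if (p.src_ip, p.src_mac, p.dst_ip, p.dst_port, p.proto) == tuple(r):
                self.flows.add(self.flow_key(p))
                return "ALLOW"
        return self._drop(p, "no-rule")     # unsolicited or spoofed: no state, no rule


def run(packets, rules=RULES):
    """Filter a packet list; returns (verdict per packet, log lines)."""
    fw = StatefulFirewall(rules)
    return [fw.filter(p) for p in packets], fw.log


# Constructed traffic: a legitimate Modbus/TCP exchange, three spoofing
# attempts, then a SYN flood that borrows the HMI's IP and MAC.
TRAFFIC = [
    Packet(0.0, HMI, HMI_MAC, 50000, PLC, 502, "tcp", True),           # HMI opens session
    Packet(0.1, PLC, PLC_MAC, 502, HMI, 50000, "tcp", False),          # PLC reply, known flow
    Packet(0.5, ATTACKER, ATTACKER_MAC, 40000, PLC, 502, "tcp", True), # no rule for attacker
    Packet(0.6, HMI, ATTACKER_MAC, 40001, PLC, 502, "tcp", True),      # HMI IP, wrong MAC
    Packet(0.7, PLC, ATTACKER_MAC, 44818, HMI, 60000, "udp", False),   # fake reply, no flow
] + [
    Packet(2.0 + 0.05 * i, HMI, HMI_MAC, 50001 + i, PLC, 502, "tcp", True)
    for i in range(8)                                                   # spoofed SYN flood
]

if __name__ == "__main__":
    verdicts, log = run(TRAFFIC)
    for p, v in zip(TRAFFIC, verdicts):
        print(f"{p.t:5.2f} {p.src_ip:>14} -> {p.dst_ip}:{p.dst_port}/{p.proto} {v}")
    print("\n".join(log))
```

Running it shows the HMI's request and the PLC's reply admitted, the attacker's own SYN, the IP-only spoof and the fabricated "reply" dropped as no-rule, and, once the attacker borrows both the HMI's IP and MAC, the first three SYNs inside the window admitted and every further one dropped as syn-flood. The last case is the caveat behind the slide's claim: a full IP-and-MAC spoof does match the rule, so it is the connection state and the rate limit, not the address rule, that keep the PLC reachable; the drop lines are what a syslog receiver would see.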

7. Inside DoS Attack with firewall protection

7. DoS Attack with firewall

(Diagram: demonstration network with the firewall placed in front of the PLC Slave (192.168.0.102); the Attacking PC is inside the LAN)

7. Denial of Service attack with firewall

- What did we learn?
  - The firewall can easily be dropped into an existing network
  - Firewall rules are quick and easy to add and allow control to be defined in either direction based upon IP, port and MAC
  - The firewall prevents the attack from getting to the target device (PLC) whilst allowing legitimate communications to continue
  - The PLC continues to operate as expected during the attack
  - The SYSLOG suggests something untoward is happening, as our signal for attention

8. Outside DoS Attack with firewall protection

8. DoS Attack with firewall

(Diagram: demonstration network with the firewall in front of the PLC Slave (192.168.0.102); the Attacking PC is on the Internet side (1.2.3.4); the Router port forwards UDP 44818 to 44818, so 44818 still shows as OPEN)

8. Denial of Service attack with firewall

- What did we learn?
  - The hacker can still see that port 44818 is open but is unable to DoS the PLC
  - Even a DoS attack from an IP/MAC that is allowed in the firewall cannot attack the PLC because of the STATEFUL firewall
  - Trying to spoof the MAC or IP will not allow a DoS attack to be successful either
  - As on the inside, the firewall prevents the attack from getting to the target device (PLC) whilst allowing legitimate communications to continue
  - The PLC continues to operate as expected during the attack
  - The SYSLOG suggests something untoward is happening, as our signal for attention
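Both firewall demonstrations end with "the SYSLOG suggests something untoward is happening", and the port-scanning and DoS slides earlier recommend logging that notifies you of scans and of dangerous traffic levels. The watcher below turns those into two concrete alarms over a stream of firewall drop messages: a port scan (one source hitting many distinct destination ports inside a window) and a flood (many drops from one source in a short window). It is an added example, not code from the seminar or from any Phoenix Contact product; the message format, the host name and every address in the sample log are constructed, and because BSD-style syslog timestamps carry no year, the parser assumes one.

```python
"""Syslog watcher for firewall drop messages (added example, not the
seminar's or any product's code).  It turns the slides' "the SYSLOG
suggests something untoward is happening" into two concrete alarms:
a port scan (one source touching many destination ports) and a flood
(many drops from one source in a short window).  The log line format and
every address in the sample are constructed; BSD syslog timestamps carry
no year, so a year is assumed when parsing.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed message format:
#   "<Mon> <day> <HH:MM:SS> <host> fw: DROP reason=... src=... dst=ip:port/proto"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ fw: DROP "
    r"reason=(?P<reason>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>\w+)$"
)


def parse_line(line, year=2012):
    """Return a dict for a firewall DROP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "reason": m["reason"], "src": m["src"],
            "dst": m["dst"], "port": int(m["port"]), "proto": m["proto"]}


def analyse(lines, scan_ports=5, scan_window=60, flood_count=20, flood_window=10):
    """Sliding-window analysis; returns alerts as (kind, src, timestamp, detail)."""
    recent = defaultdict(deque)     # src -> deque of (ts, port) within the longest window
    alerts, fired = [], set()
    horizon = timedelta(seconds=max(scan_window, flood_window))
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # not a firewall drop: sshd, cron, etc.
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["port"]))
        while q and ev["ts"] - q[0][0] > horizon:
            q.popleft()
        ports = {p for t, p in q if ev["ts"] - t <= timedelta(seconds=scan_window)}
        drops = sum(1 for t, _ in q if ev["ts"] - t <= timedelta(seconds=flood_window))
        # Fire each alarm once per source so a long scan does not page 500 times.
        if len(ports) >= scan_ports and (ev["src"], "port-scan") not in fired:
            fired.add((ev["src"], "port-scan"))
            alerts.append(("port-scan", ev["src"], ev["ts"], sorted(ports)))
        if drops >= flood_count and (ev["src"], "flood") not in fired:
            fired.add((ev["src"], "flood"))
            alerts.append(("flood", ev["src"], ev["ts"], drops))
    return alerts


# Constructed log: an inside host probing six ports on the PLC, one stray
# drop from another address, an unrelated sshd line, then an outside
# address hammering port 502.
SAMPLE_LOG = [
    "Feb 24 09:01:00 fw-plant fw: DROP reason=no-rule src=192.168.0.200 dst=192.168.0.102:21/tcp",
    "Feb 24 09:01:00 fw-plant fw: DROP reason=no-rule src=192.168.0.200 dst=192.168.0.102:22/tcp",
    "Feb 24 09:01:01 fw-plant fw: DROP reason=no-rule src=192.168.0.200 dst=192.168.0.102:23/tcp",
    "Feb 24 09:01:01 fw-plant fw: DROP reason=no-rule src=192.168.0.200 dst=192.168.0.102:80/tcp",
    "Feb 24 09:01:02 fw-plant fw: DROP reason=no-rule src=192.168.0.200 dst=192.168.0.102:502/tcp",
    "Feb 24 09:01:02 fw-plant fw: DROP reason=no-rule src=192.168.0.200 dst=192.168.0.102:44818/udp",
    "Feb 24 09:05:30 fw-plant fw: DROP reason=no-rule src=10.0.0.7 dst=192.168.0.102:502/tcp",
    "Feb 24 09:05:31 fw-plant sshd[812]: Accepted publickey for operator",
] + [
    f"Feb 24 09:12:{i // 10:02d} fw-plant fw: DROP reason=syn-flood src=1.2.3.4 dst=192.168.0.102:502/tcp"
    for i in range(30)
]

if __name__ == "__main__":
    for kind, src, ts, detail in analyse(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:<9} from {src}: {detail}")
```

On the sample the inside host trips the port-scan alarm on its fifth distinct port at 09:01:02, the single drop from 10.0.0.7 stays below both thresholds, and the outside address trips the flood alarm on its twentieth drop within ten seconds. The thresholds are the tuning point: on a real plant network they are set from a baseline of normal drop rates so that a mistyped IP (the "accidental" incident type from the earlier slide) does not look like an attack, while the notification itself goes out by whatever channel the firewall supports, SNMP trap, email or SMS.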

Remote connectivity solutions

- Dial up modem – analog lines
- Cellular modem – GSM/GPRS
- Satellite
- 3rd party hosted connection – Citrix, GoToMyPC, Webex
- VPN tunneling
- Others? – dedicated circuits (leased line, T1, T3 etc.)

(Diagram: Local ? Remote)

3rd party hosted connection

- Typically a remote desktop type solution, thus requires a PC
- Uses a service provided by a 3rd party & special software. The 3rd party acts as a middle man for remote connections
- Requires all necessary software and LICENSES to be installed on the remote PC
- Potential for security vulnerability as data is public
- Link is owned and maintained by the 3rd party, therefore you become reliant upon them, typically with ongoing cost – monthly fee
- Slower than a direct connection as traffic has to travel to the 3rd party data center and then on to the destination
- Can be relatively slow under limited bandwidth conditions as it is streaming live GUI information
- Generally not recommended for control systems

VPN tunneling

- Virtual Private Network connection between VPN routers using encrypted authentication and encrypted data transfer
- Provides complete network access as if you were physically connected to the remote network
- Provides very secure network access across a public network
- Typically used across the internet to provide a secure tunnel
- Requires higher level networking/security knowledge
- Can be connected directly to the Internet. If behind another router (i.e. on a private network) a NAT rule or port forward would be required.
- Fast data transfer (70 Mbps is possible with mGuard)

VPN continued

- Different types of VPN – open standards
  - IPsec – Internet Protocol Security – end to end
  - SSL – Secure Socket Layer – requires log in via browser
  - PPTP – Point to Point Tunneling Protocol – mature technology
  - L2TP – Layer 2 Tunneling Protocol – mature technology
- Security – ability to encrypt traffic traversing the internet, authentication to only allow exchanges between approved devices and ability to prevent message alteration
  - Authentication – recommend X.509 certificates
  - Encryption and hashing – 3DES, AES, SHA1 etc.
  - Firewall
  - IPsec ports – UDP 500 & 4500 but can sometimes be encapsulated in TCP also

9. Using VPN instead of port forwarding

9. VPN Example

(Diagram: demonstration network with the firewall/VPN router in front of the PLC Slave (192.168.0.102); the Router now port forwards only UDP 500 and 4500 from the Internet side (1.2.3.4))

9. VPN Example

- What did we learn?
  - VPN is considerably more secure than the previous port forward mechanism (authenticated and encrypted)
  - Supporting engineer can still use his own laptop to connect to the PLC as he did before
  - VPN client is a piece of software running on the PC
  - VPN client can only see the LAN control network
  - VPN is interoperable due to open standards

What industries should be concerned?

- ALL critical infrastructure
- Water/Wastewater
- Oil and Gas
- Hospitals
- Prisons
- Power generation and power distribution
- Chemical plants
- Nuclear reactors
- HVAC systems – these not only cool people but critical servers

It gets worse…

Cybersecurity Act of 2012

Water is considered critical infrastructure! …the DHS says so

Regulations, Standards and Guidelines

- Regulations (federal law) – Not industry specific
- Standards – Sometimes industry specific but not yet for W/WW
- Guidelines – Specific for W/WW

Regulations, Standards and Guidelines

- Which regulations, standards & guidelines DO YOU think are important to you?
  - CFATS
  - NIST
  - ISA 99
  - G430-09
  - J100-10 (RAMCAP)
  - NERC/CIP – an example from the energy sector that has pass/fail conformance testing with legal consequences

Standards, Regulations and Guidelines

- Regulations (federal law): Bioterrorism Act (2002); CFATS; Pending (2009) Cyber Security Act
- Standards: NEC 708; NERC CIP; NIST; G430; ISA-99; J-100
- Guidelines: Roadmap to Secure Control Systems

Guidelines & Standards

- NIST (www.nist.gov)
  - Overall security practices
  - Initially oriented towards gov’t, now more inclusive
  - 800-12 An Introduction to Computer Security
  - 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
  - 800-53 Recommended Security Controls for Federal Information Systems and Organizations
  - 800-61 Computer Security Incident Handling Guide
  - 800-82 Guide to Industrial Control Systems Security
- FIPS – subdivision within NIST
  - Federal Information Processing Standard
  - FIPS-140 deals with cryptography and data security

ISA99 – Ind. Automation & Control System Security Committee

- “Process” to help secure a network
- Authentication and auditing play big roles
- Firewalls a necessity
- VPN “Strongly Recommended” for remote connectivity
- ISA99 will become international standard IEC 62443

ISA99 – Ind. Automation & Control System Security Committee

- ISA 99.01.XX Describes terminology, concepts, models and metrics
- ISA 99.02.XX Describes the requirements for establishing and operating an IACS security program
- ISA 99.03.XX Describes the technical requirements at the systems level and the definition and requirements for security assurance levels
- ISA 99.04.XX Describes the technical requirements for the components and devices that could be used to build an IACS system

ANSI / AWWA G430-09 – Security Practices for Operation & Management

Purpose is to define the minimum requirements for a protective security program for a water or wastewater utility that will promote the protection of employee safety, public health, public safety, and public confidence.

- 4.8.2 Define security-sensitive systems & information
- 4.8.2 Protecting IT and SCADA systems: The utility should review the Roadmap to Secure Control Systems in the Water Sector as an aid in evaluating its ICS or SCADA vulnerabilities and recommending strategies for improvement.
- 5.1.2 Documented procedure for protecting/maintaining critical IT & SCADA systems

ANSI / AWWA G430-09 – Security Practices for Operation & Management

- Requirements:
  - a) Explicit Commitment to Security
  - b) Security Culture
  - c) Defined Security Roles and Employee Expectations
  - d) Up-To-Date Assessment of Risk (Vulnerability)
  - e) Resources Dedicated to Security and Security Implementation Priorities
  - f) Access Control and Intrusion Detection
  - g) Contamination, Detection, Monitoring and Surveillance
  - h) Information Protection and Continuity
  - i) Design and Construction
  - j) Threat Level-Based Protocols
  - k) Emergency Response and Recovery Plans and Business Continuity Plan
  - l) Internal and External Communications
  - m) Partnerships
  - n) Verification

ANSI/ASME-ITI/AWWA J100-10 RAMCAP: Risk Analysis and Management for Critical Asset Protection

• Process for analyzing and managing risks associated with malevolent attacks and naturally occurring hazards against critical infrastructure.
• Calculates risk of attack, natural hazard and resilience
• Documents a process for identifying security vulnerabilities, consequences, and incident likelihood and provides methods to evaluate the options for reducing these elements of risk.

ANSI/ASME-ITI/AWWA J100-10 RAMCAP: Risk Analysis and Management for Critical Asset Protection (figure)

Figure source: Advancing the Culture of Security and Preparedness in the Water Sector – Kevin Morley – AWWA Journal June 2010

Roadmap to Secure Control Systems in the Water Sector

• Developed by the Water Sector Coordinating Council (WSCC) Cyber Security Working Group (CSWG) with support from the Department of Homeland Security National Cyber Security Division and the American Water Works Association (AWWA).
• Download: http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf

Excerpt from Roadmap to Secure Control Systems in the Water Sector (figure)

Taking a page out of Electricity's book…

• FERC certified NERC as the Electric Reliability Organization to ensure reliability of the N. American bulk power system
• NERC developed the CIP (Critical Infrastructure Protection) standards, amongst others
• Requires compliance audit
• No product-only solution can provide compliance, contrary to marketing. Requires electronic security, physical security, personnel training, recovery plans etc.
• Federal penalties for non-compliance
• Whilst it does not directly apply to W/WW, it's a likely snapshot of the future
• 21 steps to improve cyber security of SCADA networks: http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf


NERC/CIP


CIP Requirement Controls

CIP 002 Cyber Asset Identification

CIP 003 Security Management Controls

CIP 004 Personnel Security and Training

CIP 005 Electronic Security Perimeter

CIP 006 Physical Security

CIP 007 Systems Security Management

CIP 008 Incident Reporting and Response Planning

CIP 009 Recovery Plans for Critical Cyber Assets


Defense in Depth in theory

• Security concept borrowed from the military
• More difficult for an enemy to penetrate many smaller and varied layers of defense than one single large layer that may have a flaw
• More independent layers = more work for an attacker: each layer must be defeated in turn, so a single flaw does not expose the whole network (layers that share the same weakness, e.g. the same default password, do not count twice)
• Limits the scope of an attack to only the layer(s) that have been breached; the rest of the network remains protected behind the layers still intact
• Breach of an outer layer can raise an alarm that an attack is ongoing, allowing protective measures to be taken before all is lost (only if that layer logs, and someone watches the logs)
• Allows for combinations of security product solutions: industrial firewall in the panel and IT-grade equipment upstream
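The alarm-on-breach point only pays off if somebody turns the outer layer's logs into alerts. As an added example (not from the presentation), here is a small Python check over constructed firewall log lines from a perimeter firewall in front of the PLC subnet. The addresses (10.1.0.10 as the SCADA PC, 10.2.0.0/24 as the PLC/RTU subnet, 192.168.50.7 as an office PC), the FW-ACCEPT/FW-DROP log prefixes and the scan threshold are assumptions. It raises one alert when a single source is dropped against several PLC addresses (something knocking on the outer layer) and another when the firewall accepts a flow the written policy never permitted (rule drift, which a "deny all but TCP 502 from the SCADA PC" policy is supposed to rule out).

```python
"""Turn perimeter-firewall log lines into alarms (added example, not from the presentation).

Assumed layout (hypothetical addresses): 10.1.0.10 is the SCADA PC, 10.2.0.0/24 is the
PLC/RTU subnet behind the firewall, 192.168.50.7 is an office PC that should never reach
the PLCs. The firewall is assumed to log with "FW-ACCEPT"/"FW-DROP" prefixes in a
simplified iptables/syslog style; the lines in SAMPLE_LOG are constructed for this example.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: FW-(?P<action>ACCEPT|DROP) "
    r"IN=\S* OUT=\S* (?:MAC=\S+ )?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)

CONTROL_NET = ip_network("10.2.0.0/24")      # assumed PLC/RTU subnet
# Written policy, as in the spec: only TCP 502 from the SCADA PC to the main PLC.
ALLOWED = {("10.1.0.10", "10.2.0.5", 502)}
SCAN_THRESHOLD = 3   # distinct PLC addresses one source is dropped against before we call it a scan

# Constructed sample log: a normal poll, an office PC probing the PLC subnet, an unrelated
# sshd line, a dropped HTTP attempt from the SCADA PC, then an ACCEPT the policy never allowed.
SAMPLE_LOG = """\
Feb 24 11:02:01 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=10.1.0.10 DST=10.2.0.5 PROTO=TCP SPT=51022 DPT=502
Feb 24 11:02:03 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=192.168.50.7 DST=10.2.0.5 PROTO=TCP SPT=40001 DPT=502
Feb 24 11:02:03 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=192.168.50.7 DST=10.2.0.6 PROTO=TCP SPT=40002 DPT=502
Feb 24 11:02:04 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=192.168.50.7 DST=10.2.0.7 PROTO=TCP SPT=40003 DPT=502
Feb 24 11:02:04 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=192.168.50.7 DST=10.2.0.8 PROTO=TCP SPT=40004 DPT=502
Feb 24 11:03:30 fw sshd[812]: Accepted publickey for admin from 10.1.0.20 port 55100 ssh2
Feb 24 11:04:00 fw kernel: FW-DROP IN=eth0 OUT=eth1 SRC=10.1.0.10 DST=10.2.0.5 PROTO=TCP SPT=51030 DPT=80
Feb 24 11:05:10 fw kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=192.168.50.7 DST=10.2.0.5 PROTO=TCP SPT=40100 DPT=502
"""


def parse_line(line):
    """Parse one firewall log line; return a dict, or None for lines that are not firewall events."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] is not None else None
    return rec


def analyze(log_text, allowed=ALLOWED, control_net=CONTROL_NET, scan_threshold=SCAN_THRESHOLD):
    """Return a list of (alert_type, src, dst, dport, timestamp) for flows aimed at the control subnet.

    SCAN: one source dropped against scan_threshold distinct control-subnet addresses (fires once).
    POLICY_VIOLATION: the firewall ACCEPTED a flow the written policy does not allow (rule drift).
    """
    alerts = []
    dropped_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            if ip_address(rec["dst"]) not in control_net:
                continue                     # only watch flows into the protected zone
        except ValueError:
            continue                         # unparsable address, ignore here
        if rec["action"] == "ACCEPT":
            if (rec["src"], rec["dst"], rec["dpt"]) not in allowed:
                alerts.append(("POLICY_VIOLATION", rec["src"], rec["dst"], rec["dpt"], rec["ts"]))
        else:
            dropped_targets[rec["src"]].add(rec["dst"])
            if len(dropped_targets[rec["src"]]) == scan_threshold:
                alerts.append(("SCAN", rec["src"], None, None, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one people forget: a DROP line tells you the layer held, an unexpected ACCEPT tells you the layer is no longer what the spec says it is. Feeding the same lines into a SIEM gives the dashboard the presentation describes; the logic above is what the correlation rule has to express.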

Defense in Depth in practice

www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf

(Figure: Zones, Firewalls, DMZ, IDS/Logging)

Example SCADA Specifications


2.4 ETHERNET SWITCH

A. General: Furnish and install fiber-optic Ethernet switches as shown.

B. Features:
• 100/1000 base-T (auto-sensing).
• Minimum of five (5) RJ-45 ports. Ethernet ports shall be expanded as needed to interconnect all system components.
• Minimum of two (2) fiber optic ports for one (1) fiber pair. Fiber optic ports shall be expanded as needed to interconnect all system components.
• LED for indicating port status.
• Internal Panel mounting kit.
• Failsafe output relay to indicate malfunction with unit.
• FCC Part 15, Class A compliant
• Provide management software for multilevel security, web based configuration and remote monitoring.
• Powered by circuit on Uninterruptible Power Supply.

C. Product and manufacturer: ConneXium Switches Model 499-NOS-27100. No Substitutions.

2.5 FIBER-TO-COPPER MEDIA CONVERTERS

A. Fiber optic converters shall convert Ethernet TCP/IP network data to a format suitable for transmission over multi-mode fiber optic cable.

B. Features: Converters shall provide:
• Full-duplex 100M/1000Gbps Ethernet operation.
• Multimode fiber optic media support.
• Remote and local interface status.

C. Provide suitable transformers to convert 120VAC power to appropriate voltage necessary to provide power to Transceivers.

D. For control panel mounting, converter shall be DIN-rail mountable.

E. Product and manufacturer:
• IFS.
• Or Equal.

2.8 SWITCHES AND MEDIA CONVERTERS

A. Provide Switches meeting the following requirements
1. Provide Phoenix Contact switch SFN6TX2FXST. Switch to operate on 24VDC. Switch to have six (6) RJ45 copper ports and two (2) fiber ports with ST connections
2. Provide one switch in each remote I/O cabinet and one switch for PLC B-C

B. Provide fiber optic media converter(s) as shown on the drawings, called for in the specifications or as required to result in a complete and working system
1. Media converter(s) shall operate on either 120VAC or 24VAC power and shall be supported by a UPS
2. Provide media converter with RJ-45 port for copper cable and ST connector for fiber optic cable.
3. Provide one media converter for PLC C-B and two additional media converters to be used by the owner.

2.9 NETWORK SECURITY

A. Provide central managed switches meeting the following requirements
1. Provide Phoenix Contact switch MCS 14TX/2FX. Switch to operate on 24VDC. Switch to have fourteen (14) RJ45 copper ports and two (2) fiber ports with SC connections
2. Provide one switch in lockable, main control cabinet
3. VLAN support to be enabled

B. Provide one (1) firewall per each lockable, RTU cabinet
1. Firewall rules to be configured to allow only TCP port 502 (Modbus/TCP) inbound from main PLC IP address to RTU PLC IP address.
2. DoS prevention to be active

C. Provide one (1) firewall for the lockable, main control cabinet
1. Firewall rules to be configured to allow only TCP port 502 inbound from main SCADA PC IP address to main PLC IP address.
2. DoS prevention to be active

D. A designated IDS must be implemented on the SCADA network

E. VPN must be configured for outside remote access

F. Control and SCADA network must implement a defense in depth, layered approach as per ISA-99

Note the contrast with 2.4, 2.5 and 2.8 above: those specify ports, media and power but say nothing about security, so the integrator has no obligation to configure any. 2.9 states the allowed traffic as explicit source, destination and port, which is what makes the firewall rule checkable at commissioning.


Product solutions

• Commercial vs. industrial (panel mounting, 24 VDC, extended temperature range)
• Routers help with isolation (separate subnets) but are not security appliances
• Stateful firewall with logging capability, as part of a Defense in Depth strategy
• Unidirectional gateways/data diodes: physically one-way, e.g. for pushing historian data out of the control network with no path back in
• Proxy servers: regulate HTTP traffic
• Deep packet inspection firewall: understands the industrial protocol (e.g. which Modbus function codes are used) rather than just addresses and ports; adds extra latency & cost
• VPN solution: hardware or software
• IDS/IPS: dedicated system (likely running on a dedicated PC/server, e.g. Snort)
• SIEM: aggregator of all logs, IDS etc., provides a dashboard, similar to a police dispatcher
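The firewall rule in spec 2.9 and the deep packet inspection bullet above differ in what they inspect. A stateful rule sees only addresses and TCP port 502, so a compromised SCADA PC can still write any register on the PLC. The following is an added Python example (not from the presentation and not Phoenix Contact product code) of the Modbus/TCP function-code check a DPI firewall adds on top of the layer-4 allow list. The host addresses, the policy table and the frames are constructed for illustration; the MBAP header layout and function-code numbers are the Modbus/TCP standard's.

```python
"""Modbus/TCP function-code policy, i.e. what a DPI firewall checks beyond the TCP 502 rule.

Added example, not from the presentation and not Phoenix Contact product code. The
addresses, the policy table and the frames are constructed for illustration.
"""
import struct

MODBUS_PORT = 502
SCADA_PC = "10.1.0.10"       # assumed HMI/SCADA server
ENG_WS = "10.1.0.20"         # assumed engineering workstation
MAIN_PLC = "10.2.0.5"        # assumed main PLC

READ_FUNCS = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}         # write single/multiple coils and registers

# Layer-4 allow list (what the stateful rule in the spec expresses) extended with the
# function codes each client may send. Anything not listed is denied.
POLICY = {
    (SCADA_PC, MAIN_PLC, MODBUS_PORT): READ_FUNCS,
    (ENG_WS, MAIN_PLC, MODBUS_PORT): READ_FUNCS | WRITE_FUNCS,
}


def build_request(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    pdu = bytes([function_code]) + data
    # MBAP: transaction id, protocol id (always 0), length of unit id + PDU, unit id
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_mbap(payload):
    """Return (transaction_id, unit_id, function_code, pdu); raise ValueError on malformed input."""
    if len(payload) < 8:                          # header plus at least a function code
        raise ValueError("short frame")
    tid, proto, length, uid = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:                # length field covers unit id + PDU
        raise ValueError("length field %d does not match frame" % length)
    return tid, uid, payload[7], payload[7:]


def decide(src, dst, dport, payload, policy=POLICY):
    """Return ("ALLOW"|"DENY", reason) for a client request from src to dst:dport."""
    key = (src, dst, dport)
    if key not in policy:
        return ("DENY", "no rule for %s -> %s:%d" % key)
    try:
        _, _, fc, _ = parse_mbap(payload)
    except ValueError as err:
        return ("DENY", "malformed Modbus frame: %s" % err)
    if fc not in policy[key]:
        return ("DENY", "function code %d not permitted from %s" % (fc, src))
    return ("ALLOW", "function code %d" % fc)


if __name__ == "__main__":
    read_hr = build_request(1, 1, 3, b"\x00\x00\x00\x0a")      # read 10 holding registers
    write_reg = build_request(2, 1, 6, b"\x00\x64\xff\xff")    # write register 100
    print(decide(SCADA_PC, MAIN_PLC, MODBUS_PORT, read_hr))    # allowed: polling
    print(decide(SCADA_PC, MAIN_PLC, MODBUS_PORT, write_reg))  # denied: HMI host may not write
    print(decide(ENG_WS, MAIN_PLC, MODBUS_PORT, write_reg))    # allowed: engineering station
    print(decide("192.168.50.7", MAIN_PLC, MODBUS_PORT, read_hr))   # denied: no L4 rule
    print(decide(SCADA_PC, MAIN_PLC, MODBUS_PORT, read_hr[:5]))     # denied: truncated frame
```

Only client requests are checked here; responses from the PLC ride on the stateful connection the layer-4 rule already tracks. The extra parsing is exactly the latency and cost the bullet above refers to, and malformed frames are dropped rather than passed through, which also covers the DoS-prevention requirement in the spec for this protocol.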


Summary - Prevention is better than cure

• Many industrial devices are vulnerable…not just the AB MLX 1100
• An air gap is a good line of defense if possible but not complete (laptops, USB sticks and vendor remote access all cross it)
• Adopt a defense in depth strategy employing various layers of security
• Keep an inventory of networked devices and watch for vulnerabilities/updates (you cannot patch or firewall what you don't know you have)
• Implement layer 1 (physical) security: lockable panels, secured patch cables, unused ports blocked, etc.
• Use updated anti-virus/anti-spyware and ensure any PCs are routinely patched/updated
• When interconnecting devices/panels use a firewall
• Isolate industrial devices and restrict network access to only those that need it (access control)
• Consider specialist firewall functions (DoS prevention, CIFS monitoring)
• VLANs and MAC filtering on managed switches provide some defense, but a MAC address is trivially spoofed and a VLAN is segmentation, not a firewall: treat them as one layer, not the only layer
• Change default passwords and use 'strong' passwords


Summary - Prevention is better than cure

• Use VPN for ALL remote connections
• Restrict use of USB jump drives (disable PC autorun feature, consider encrypted jump drives, don't allow anyone's stick)
• Restrict/prevent web access to the internet from the control network
• Try to use HTTPS exclusively when using passwords/secure webpages
• Consider using network logging, SNMP, alerts, intrusion detection, honeypots: how else will you know something bad happened?
• When using wireless always encrypt with a minimum of WPA2 for WiFi (WEP is broken and WPA/TKIP is deprecated; WPA2 with a weak pre-shared key is no better)
• Be aware of smartphone vulnerabilities and their place in SCADA
• Implement an authentication/authorization policy including how to handle access credentials for former employees/contractors
• Security is not a one-and-done solution: continuously evolving standards, new vulnerabilities, someone has to stay on top of things
• Security is also more than just a one-product solution: it's a way of life
• Security requires behavioral diligence from EVERYONE


Summary - Prevention is better than cure

• Take ownership, don't assume it is already covered: ask questions
• Take advantage of online resources
• Talk to a specialist and consider getting a vulnerability assessment
• Educate all employees
• Evaluate your system conceptually using the free US-CERT CSET tool (Cyber Security Evaluation Tool, risk analysis)
• Devise a cyber security policy: what are your security goals?
• Devise a response/recovery plan for any potential events and keep secure, tested backups of all critical code and device configurations


Thank You – Questions?

� Distrust and caution are the parents of security - Benjamin Franklin


Online Resources

• www.us-cert.gov
  http://www.us-cert.gov/control_systems/practices/documents/Defense_in_Depth_Oct09.pdf
• www.infragard.net
• https://portal.waterisac.org/web/
• www.isa.org
• www.awwa.org
  http://www.awwa.org/files/GovtPublicAffairs/PDF/WaterSecurityRoadmap031908.pdf
• www.nist.gov
• www.phoenixcontact.com/water
• http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/21_Steps_-_SCADA.pdf