1. SCADA / Industrial Control Systems Security Solutions
www.dts-solution.com
shah@dts-solution.com
2. Industrial Control Systems Security
Securing Industrial Control Systems (ICS) in an enterprise is not merely business critical but mission critical.
The overall impact of a compromise can be catastrophic.
Securing a process follows a different paradigm from securing a service.
The framework should be built around National Critical Infrastructure Protection.
3. Industrial Control Systems Security
• Industrial Control Systems Security should be an integrated core mission of any
organization in the Utilities and Transportation sector;
• Electricity and Power Plants
• Water Authorities
• Energy Producers – Oil / Gas
• Aviation and Airports
4. What is SCADA?
• SCADA – Supervisory Control and Data Acquisition
• SCADA systems are vital components of most nations’
critical infrastructures
• SCADA systems control:
– Gas pipelines
– Water and wastewater systems
– Transportation systems
– Electrical Utilities
– Refineries and chemical plants
– Manufacturing operations
5. SCADA System
SCADA systems are intended to provide a human
operator with updated real-time information about the
current state of the remote process being monitored, as
well as the ability to manipulate the process remotely.
William T. Shaw
6. SCADA Systems
• Used to monitor and remotely control critical industrial
processes
• Industrial control systems (ICS)
– SCADA systems
– Distributed Control Systems (DCS)
– Programmable Logic Controllers (PLC)
• SCADA Components
– Master Terminal Unit (Architecture unique)
– Human Machine Interface
– Remote Terminal Unit
– Communications
7. SCADA Systems
• Highly distributed
• Geographically separated assets
• Centralized data acquisition and control are
critical
– Oil and gas pipelines
– Electrical power grids
– Railway transportation systems
• Field devices control local operations
8. Distributed Control System
• Supervisory control of multiple integrated systems
responsible for a local process
• DCSs used extensively in process-based industries
• Examples:
– Oil and gas refineries
– Electrical power generation
– Automotive production
• Feedback loops maintain set points
• Programmable logic controllers used in the field
9. Programmable Logic Controllers
• Computer based solid state devices
• Control industrial equipment and processes
• Regulate process flow
– Automobile assembly line
10. SCADA, DCS or PLC
Compare and Contrast
• Location
– SCADA – geographically dispersed
– DCS and PLC – factory centered
• Communications
– SCADA – long distance, slow speed
– DCS and PLC – LAN, high speed
• Control
– SCADA – supervisory level
– DCS and PLC – closed feedback loops
11. SCADA – Why the emphasis?
• SCADA Supports Critical Infrastructures
• 80-90% of critical infrastructures (CI) are privately
owned and operated
• Critical to National survival and prosperity, yet
dependent on industries driven by profit, not
security
12. SCADA – Why the emphasis?
• Many challenges exist when securing SCADA
– Complex systems…patching, rebooting, authentication
– Preponderance of legacy hardware, software and
transmission protocols ($)
– Multiple and diverse access points…by design…radio,
wireless, phone
– The need to connect to business network
• The Cyberwar Plan. Article by Shane Harris, Saturday, Nov. 14, 2009: President
Obama confirmed that cyber-warriors have aimed at American networks. "We
know that cyber-intruders have probed our electrical grid," he said at the White
House in May, when he unveiled the next stage of the national cyber-security
strategy. The president also confirmed, for the first time, that the weapons of
cyberwar had claimed victims. "In other countries, cyberattacks have plunged
entire cities into darkness."
13. SCADA Evolution
• 1960 -1980s – Central Architectures
– Single powerful computer performing all functions
– 2nd identical computer for redundancy
14. SCADA Evolution
• 1980s to present – Distributed Architectures
– Multiple computers networked together with each
performing a specific function
– LAN improvements – practical and possible
– Functions:
• Remote terminal polling
• Complex applications processing
• Historian – data archiving and trending
– Graceful degradation
15. SCADA Evolution
• 1990s to present – Client/Server
– Powerful PCs
– TCP/IP networking
– High speed Ethernet
– Commercial real-time operating systems
• Looking more like IT systems
– Scalable and fault tolerant
– Smart software makes redundancy easy
16. SCADA Evolution
• Human Machine Interface
– Printouts
– Map board
– Mimic panel
– Video projection technology
18. SCADA Evolution
• Remote Terminal Unit
– Electronic devices located at key measurement
and control points
– Originally hardwired devices with limited
capabilities and one proprietary communications
protocol
– Modern RTUs contain their own microprocessors
and can support multiple sophisticated protocols
19. SCADA Evolution
• Communications
– Initially used telephone systems and radio
transmitters designed for voice
• Slow
• Some remote areas had to build their own
communication systems
– Latest systems are digital networks designed to
transfer data
• TCP/IP
• Wireless including cellular and satellite
20. SCADA Evolution Summary
• SCADA systems are based on computer
technology so they have evolved with
computer technology
• New technologies have also been introduced
to SCADA systems
• Huge decreases in proprietary nature
21. SCADA Evolution Summary
• The Good News
– Cheaper
– Interoperable between vendors
– Larger pool of available workers
• The Bad News
– Susceptible to malware, hackers and cyber attacks
• We can’t go back. We must provide secure
designs for now & the future
22. Why is Cyber Security important?
• Cost Savings
– Reduced down time and maintenance costs
– Improved productivity
– Enhanced business continuity
• Simplified Regulatory and Standards Compliance
– FERC / NERC CIP
– ANSI/ISA-99
– IEC 62443
• Enhanced Security and Safety
– Improved safety for the plant, employees and community
– Improved defense against malicious attacks
24. Mission Critical Security is Our Specialty
When dealing with Mission Critical Systems, partner with someone who’s
done it before…
25. Industrial Defender
• Automation System Security Management
• Exclusive focus on providing an integrated set of products and services for
Automation Systems Security Management
• Unify two challenging domains:
• Automation Systems
• Cyber security
• 350+ customers worldwide – 10,000 deployments – Industrial Defender
28. Automation Systems Security Really Unique?
| Corporate IT | Automation Systems IT |
| --- | --- |
| Not life threatening | Safety first |
| Availability important | Non-interruption is critical |
| Transactional orientation | Real-time focus |
| IBM, SAP, Oracle, ... | ABB, Emerson, GE, Honeywell, Siemens... |
| People ~= Devices | Few people; many, many devices |
| PCs and Servers | Sensors, Controllers, Servers |
| Web services model is dominant | Polled automation control model |
| MS Windows is dominant OS | Vendor-embedded operating systems |
| Many commercial software products installed on each PC | Purpose-specific devices and applications |
| Protocol is primarily HTTP/HTTPS over TCP/IP – widely known | Many industrial protocols, some over TCP/IP – vendor- and sector-specific |
| Office environment, plus mobile | Harsh operating plant environments |
| Cross-industry IT jargon | Industry sector-specific jargon |
| Cross-industry regulations (mostly) | Industry-specific regulations |
29. Oil & Gas Industry Customers
… many more
Electric Power Industry
Chemical Industry
Water and Transportation Industry
30. Experience Across Many Automation Environments
Security/Performance monitoring for:
• ABB 800xA
• ABB Symphony/Harmony
• ABB Infi90
• ABB Network Manager
• Automsoft RAPID Historian
• Emerson DeltaV
• Emerson Ovation
• Emerson/Westinghouse WDPF
• GE XA / 21
• Foxboro I/A Series
• Honeywell Experion
• Itron OpenWay System
• Rockwell RSView
• Schneider Momentum
• Schneider Quantum
• Siemens PCS7
• Yokogawa Centrum CS 3000
Operating systems:
• HP-UX PA-RISC & Itanium
• W2K, WinNT, W2003
• Linux
• DEC Tru-64
• Sun Solaris
• IBM AIX
Industrial rules for:
• DNP3
• Modbus
• ICCP
• IEC
• Siemens S7 Protocol
• TCP/IP
31. Security Maturity Evolution in Industrial Control
(Chart: technology sophistication on the vertical axis against the years 2003, 2005, 2007, 2009 and 2011; the stages below appear from left to right in order of increasing sophistication.)
• Firewalls
– Business connectivity
– Locks on the door
• Intrusion Detection
– Network based
– Host based
– Known bad
– Industrial protocols
– Alarm sensors
• Event Monitor
– Central logging
– Monitor and respond
– Alert on events of interest
– Log everything and apply forensics
– Incident management
– Flight recorder
• Intrusion Prevention
– Network based
– Host based
– Deep packet inspection
– Known bad signatures
– Known good signatures
– Whitelisting
– System hardening
– System locked down
• Security Management
– Automates manual process
– Enforces policy, process & procedures
– Leverages “baselines”
– Manages changes
– Audit reporting
– Continuous assessments
– Attestation data
– Doing it and proving you are doing it
41. Industrial Defender’s Defense-in-Depth Solution
• Compliance Manager consolidates all events, logs
and configuration settings for archiving and audit
reporting – Collectors
• Security Event Manager (SEM) aggregates security
events from all monitored systems
• UTM/firewalls provide intrusion prevention at the
network perimeter – ESP protection
• HIPS provides the Host Intrusion Prevention –
Protectors
• HIDS provides the Host Intrusion Detection – Host
Sensors
• NIDS provides the Network Intrusion Detection –
Network Sensors
42. Tofino – Byres Security
• Founder of the BCIT Critical Infrastructure
Security Centre, a leading academic
facility for SCADA cyber-security research.
• Canadian representative for IEC TC65/WG10 standards effort for the
protection of industrial facilities from cyber attack.
• Chairs ISA S-99 Security Technologies W.G.
• Member of DHS best practices approval board.
• 2006 SANS Institute Security Leadership Award.
• Six ISA and IEEE awards for security research.
• Testified to the US Congress on SCADA Security.
43. “Security” Issues in Control Networks
• “Soft” Targets
– PCs run 24x7 without security updates or even antivirus
– Controllers are optimized for real-time I/O, not for robust
networking connections
• Multiple Network Entry Points
– The majority of cyber security incidents originate from
secondary points of entry to the network
– USB keys, maintenance connections, laptops, etc.
• Poor Network Segmentation
– Many control networks are “wide-open” with no isolation
between different sub-systems
– As a result problems spread rapidly through the network
44. Pathways into the Plant Floor
(Diagram: Internet – External Network – Office LAN – Plant Network – Control LAN, with the entry points below marked along the path.)
• Infected laptops
• Infected remote support
• Mis-configured firewalls
• Unauthorized connections
• Modems
• 3rd party issues
• USB drives
45. A Perimeter Defense is Not Enough
• We can’t just install a control system firewall and forget
about security.
– The bad guys will eventually get in
– Many problems originate inside the plant network
• We must harden the plant floor.
• We need Defense in Depth.
(Caption: “Crunchy on the outside – soft in the middle”)
46. The Solution in the IT World
• Your desktop has flaws so you add security software:
– Patches
– Personal Firewalls (like ZoneAlarm)
– Anti-Virus Software
– Encryption (VPN Client or PGP)
• This is a good idea for PCs in the control system…
• But you can’t add software to your DCS, PLC or RTU
• The Result? Your receptionist’s PC is probably much
better protected than the average PLC or RTU
47. Distributed Security Appliances
• Add hardware instead - a security appliance designed to
be placed in front of control devices (such as PLC, DCS,
RTU etc).
• User-configured firewall rules permit only the minimum
network traffic required for correct plant operation
• Complement security measures implemented by IT
• Address the unique requirements of the plant network
48. ANSI/ISA-99: Dividing Up The Control System
• A core concept in the new ANSI/ISA-99 security standard
is “Zones and Conduits”
• Offers a level of segmentation and traffic control inside
the control system.
• Control networks divided into layers or zones based on
control function.
• Multiple separated zones help to provide “defense in
depth”.
49. Security Zone Definition
• “Security zone: grouping of logical or physical assets that
share common security requirements”. [ANSI/ISA-99.01.01-2007, 3.2.116]
– A zone has a clearly defined border (either logical or physical),
which is the boundary between included and excluded elements.
(Diagram: HMI Zone and PLC Zone as two separate groupings)
50. Conduits
• A conduit is a path for the flow of data between two
zones.
– It can provide the security functions that allow different zones to
communicate securely.
– Any communication between zones must pass through a conduit.
(Diagram: HMI Zone – Conduit – PLC Zone)
51. Protecting the Network with Zones and Conduits
• A firewall in each conduit will allow only the MINIMUM
network traffic necessary for correct plant operation
(Diagram: HMI Zone – Firewall – PLC Zone)
55. The Tofino™ Industrial Security Solution – What is it?
• It is a distributed security solution managed from a central location.
• Flexible architecture allows you to create security zones throughout your control network to protect critical system components (ANSI/ISA-99 standards).
• Monitoring and management are easy using one centralized software program.
57. The Tofino Security Appliance is the hardware component of the system
• These are the devices that physically connect to the 802.3 Ethernet and provide Zone Level Security™ for other devices the IT firewall cannot protect
(Diagram: Tofino Security Appliance in front of the SECURE ZONE, passing authorized traffic and stopping unauthorized traffic)
58. The Central Management Platform (CMP) is the centralized software program
• Configure, manage and monitor all your Tofino Security Appliances from one workstation
59. Fast Deployment using Tofino™ CMP
• Map your network
• Drag and drop talkers and
protocols to create rules
• Test
• Deploy & manage
60. Intuitive Rule Editor
• Preconfigured to block known device flaws
• Globally control specific types of communications
• Create a list of devices that can “talk” to a protected device using allowed protocols
61. Process-Friendly Test Mode
• Tofino™ operates in three modes:
– PASSIVE – all traffic allowed, logging off
– TEST – all traffic allowed, logging on
– OPERATIONAL – firewall rules applied
• When operational, Tofino™ will drop any traffic for which there is no
‘allow’ rule.
• Test mode allows all traffic, but reports traffic that would have been
dropped if operational
– Critical to ensuring that all required traffic has a corresponding rule to
permit it
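The conduit firewall of slide 51 and the three operating modes above, worked through as an added example (this is my illustration, not Tofino’s code): zones are IP subnets, a conduit rule is an allowed (source zone, destination zone, protocol, port) tuple, and the appliance mode decides whether a flow without a matching rule is passed silently, passed but reported, or dropped. The zone names, subnets and sample flows are constructed; `commissioning_gaps` is an assumed helper that turns test-mode reports into the list of rules still missing before switching to OPERATIONAL.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Mode(Enum):
    """The three appliance modes named on the slide."""
    PASSIVE = "passive"          # all traffic allowed, nothing logged
    TEST = "test"                # all traffic allowed, would-be drops reported
    OPERATIONAL = "operational"  # traffic without an allow rule is dropped


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class ConduitRule:
    """An allow rule on the conduit from src_zone to dst_zone."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str     # "allow" or "drop"
    reason: str
    reported: bool  # True when the flow was written to the alarm log


class ConduitFirewall:
    def __init__(self, zones: Dict[str, str], rules: List[ConduitRule], mode: Mode):
        # Assumption for this example: each zone is exactly one IP subnet.
        self.zones = {name: ipaddress.ip_network(cidr) for name, cidr in zones.items()}
        self.rules = list(rules)
        self.mode = mode
        self.log: List[str] = []

    def zone_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for name, net in self.zones.items():
            if addr in net:
                return name
        return "unknown"

    def _has_allow_rule(self, flow: Flow) -> bool:
        src_zone, dst_zone = self.zone_of(flow.src_ip), self.zone_of(flow.dst_ip)
        return any(
            r.src_zone == src_zone and r.dst_zone == dst_zone
            and r.proto == flow.proto and r.dport == flow.dport
            for r in self.rules
        )

    def evaluate(self, flow: Flow) -> Decision:
        if self._has_allow_rule(flow):
            return Decision("allow", "matched conduit rule", False)
        desc = (f"{flow.src_ip}->{flow.dst_ip} {flow.proto}/{flow.dport} "
                f"[{self.zone_of(flow.src_ip)} -> {self.zone_of(flow.dst_ip)}]")
        if self.mode is Mode.PASSIVE:
            return Decision("allow", "passive mode: rules not applied", False)
        if self.mode is Mode.TEST:
            self.log.append(f"TEST would-drop {desc}")
            return Decision("allow", "test mode: no allow rule, reported", True)
        self.log.append(f"DROP {desc}")
        return Decision("drop", "operational mode: no allow rule", True)


def commissioning_gaps(fw: ConduitFirewall, observed: List[Flow]) -> List[Flow]:
    """Replay observed traffic in TEST mode and return the flows that still lack
    an allow rule, i.e. what would break once the appliance goes OPERATIONAL."""
    saved = fw.mode
    fw.mode = Mode.TEST
    gaps = [f for f in observed if fw.evaluate(f).reported]
    fw.mode = saved
    return gaps


# Constructed sample: two control zones and an office network, with a single
# conduit rule that permits only Modbus/TCP from the HMI zone to the PLC zone.
ZONES = {"HMI": "192.168.10.0/24", "PLC": "192.168.20.0/24", "OFFICE": "10.0.0.0/8"}
RULES = [ConduitRule("HMI", "PLC", "tcp", 502)]
OBSERVED = [
    Flow("192.168.10.5", "192.168.20.7", "tcp", 502),  # HMI polling the PLC: allowed
    Flow("192.168.10.5", "192.168.20.7", "tcp", 80),   # HMI to PLC web page: no rule
    Flow("10.1.2.3", "192.168.20.7", "tcp", 502),      # office host to PLC: no rule
]

if __name__ == "__main__":
    fw = ConduitFirewall(ZONES, RULES, Mode.OPERATIONAL)
    for gap in commissioning_gaps(fw, OBSERVED):
        print("needs a rule before going operational:", gap)
```

Running the block lists the two observed flows that have no conduit rule; an engineer then either adds a rule (if the traffic is required for the process) or leaves it to be dropped once the mode is switched to OPERATIONAL.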
62. Tofino Loadable Security Modules are licensed to each Tofino Security Appliance based on the needs in that security zone
• Downloaded into each Tofino Security Appliance (Tofino SA) via the CMP, the LSMs offer customizable security functions depending on the zone-by-zone requirements of the control system.
63. Describing the Tofino™ Secure Asset Management LSM quickly
• The SAM LSM is a sentry that identifies and reports the devices that communicate through the Tofino SA to the protected devices in the security zone. This builds a useful model of the network upon Tofino SA start-up.
• After system commissioning, the SAM LSM continues to scan for new devices and reports these to the CMP as a potential security threat
64. Describing the Tofino™ Firewall LSM quickly
• When incoming communications arrive at the Tofino SA, the Tofino™ Firewall LSM “traffic cop” determines if the communication traffic can pass into the security zone
• This determination is based on a set of rules easily created by the control engineer in Tofino CMP
(Diagram: Tofino™ Firewall LSM passing authorized traffic to the protected controller and blocking unauthorized traffic)
65. Describing the Tofino™ Modbus TCP Enforcer LSM quickly
• On a Modbus network, traffic that passes the Firewall can have its “luggage searched” by the border guard
• The Tofino™ Modbus TCP Enforcer LSM analyzes each packet based on a defined list of allowed Modbus commands, registers, coils and standards
• Unlawful traffic is blocked and reported to the CMP
(Diagram: Tofino™ Modbus TCP Enforcer between the Modbus master and the Modbus slave)
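An added example of the kind of inspection the Modbus TCP Enforcer performs (written for this page; it is not Tofino’s implementation): it parses the Modbus/TCP MBAP header and PDU, then checks the function code and the full address range a request touches against an allow list, treating malformed frames as blocked. The frame layout follows the public Modbus/TCP specification; the HMI_RULES policy, the sample requests and the `build_modbus_tcp` helper used to construct them are assumptions made for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Function codes whose PDU starts with a 16-bit address and a 16-bit quantity
RANGE_FUNCTIONS = {1, 2, 3, 4, 15, 16}
# Function codes whose PDU starts with a 16-bit address followed by one value
SINGLE_FUNCTIONS = {5, 6}


class ModbusFrameError(ValueError):
    pass


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]  # None for functions without an address field
    count: int                    # number of coils/registers touched (0 if none)


def build_modbus_tcp(tid: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP request; used here only to construct sample traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    if len(frame) < MBAP_LEN + 1:
        raise ModbusFrameError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ModbusFrameError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ModbusFrameError("MBAP length field disagrees with frame size")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc in RANGE_FUNCTIONS:
        if len(pdu) < 5:
            raise ModbusFrameError(f"function {fc} PDU truncated")
        start, count = struct.unpack(">HH", pdu[1:5])
    elif fc in SINGLE_FUNCTIONS:
        if len(pdu) < 5:
            raise ModbusFrameError(f"function {fc} PDU truncated")
        start, count = struct.unpack(">H", pdu[1:3])[0], 1
    else:
        start, count = None, 0  # diagnostics, device identification, vendor codes
    return ModbusRequest(tid, unit, fc, start, count)


@dataclass(frozen=True)
class ModbusRule:
    function_codes: FrozenSet[int]
    address_range: Tuple[int, int]  # inclusive first/last address permitted


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def enforce(frame: bytes, rules: List[ModbusRule]) -> Verdict:
    """Allow a frame only if some rule permits its function code AND every address
    the request touches; anything else, including malformed frames, is blocked."""
    try:
        req = parse_modbus_tcp(frame)
    except ModbusFrameError as exc:
        return Verdict(False, f"malformed frame: {exc}")
    for rule in rules:
        if req.function_code not in rule.function_codes:
            continue
        if req.start_address is None:
            return Verdict(True, f"function {req.function_code} permitted")
        first, last = req.start_address, req.start_address + req.count - 1
        lo, hi = rule.address_range
        if lo <= first and last <= hi:
            return Verdict(True, f"function {req.function_code} on {first}-{last} permitted")
    return Verdict(False, f"no rule for function {req.function_code} "
                          f"at address {req.start_address} count {req.count}")


# Constructed policy for one zone: the HMI may read holding registers 0-99
# (FC 3) and write single coils 0-15 (FC 5); every other request is blocked.
HMI_RULES = [
    ModbusRule(frozenset({3}), (0, 99)),
    ModbusRule(frozenset({5}), (0, 15)),
]

if __name__ == "__main__":
    for name, frame in [
        ("read 10 registers from 0", build_modbus_tcp(1, 1, 3, b"\x00\x00\x00\x0a")),
        ("write register 5", build_modbus_tcp(2, 1, 6, b"\x00\x05\x12\x34")),
    ]:
        print(name, "->", enforce(frame, HMI_RULES))
```

The range check matters: a read of 20 registers starting at 90 is refused even though the start address is inside the permitted window, because the request would reach register 109. A real enforcer would also validate the reply direction and per-function byte counts; this example covers requests only.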
66. Describing the Tofino™ OPC Enforcer LSM quickly
• OPC servers cannot be protected by traditional firewalls because they create data connections using a wide range of TCP port numbers that cannot be determined in advance
• OPC Enforcer is a ‘gatekeeper’ that tracks OPC data connections as they are created and opens only the minimum required ports in the firewall for authorized clients
67. Describing the Tofino™ Event Logger LSM quickly
• The Event Logger LSM records Tofino security alarm reports
– Tofino SAs with this LSM can report alarms directly to a syslog server (no CMP required) AND buffer/resend them if the connection to the server is interrupted/restored
– Alarms can also be stored on the Tofino SA, then later offloaded via USB memory stick or CMP
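The buffer-and-resend behaviour described above, as an added example that is not Tofino’s code: alarms are rendered as syslog lines, sent to a server, queued in order while the link is down, and resent oldest-first once it returns. `FlakySyslog` is a constructed stand-in for the syslog server, and the appliance name, syslog facility, tag and sample alarms are assumptions.

```python
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, List, Tuple

SYSLOG_FACILITY_LOCAL0 = 16  # assumed facility for appliance alarms
SEVERITY = {"alert": 1, "critical": 2, "error": 3, "warning": 4, "notice": 5}


@dataclass(frozen=True)
class Alarm:
    appliance: str    # hostname of the reporting appliance
    severity: str
    message: str
    timestamp: float  # seconds since the epoch


def to_syslog(alarm: Alarm) -> str:
    """Render the alarm as an RFC 3164-style line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = SYSLOG_FACILITY_LOCAL0 * 8 + SEVERITY[alarm.severity]
    stamp = time.strftime("%b %d %H:%M:%S", time.gmtime(alarm.timestamp))
    return f"<{pri}>{stamp} {alarm.appliance} tofino: {alarm.message}"


class StoreAndForwardLogger:
    """Deliver alarms to a syslog transport; keep undelivered ones in a bounded
    buffer and resend them, oldest first, once the transport recovers."""

    def __init__(self, send: Callable[[str], bool], capacity: int = 1000):
        self._send = send  # returns True when the line was delivered
        self.buffer: Deque[str] = deque(maxlen=capacity)  # oldest line is dropped when full
        self.dropped = 0   # count of alarms lost to buffer overflow (worth alarming on)

    def report(self, alarm: Alarm) -> bool:
        """Return True if delivered immediately, False if queued for later."""
        line = to_syslog(alarm)
        # Only send directly when nothing is queued, so delivery order is preserved.
        if not self.buffer and self._send(line):
            return True
        if len(self.buffer) == self.buffer.maxlen:
            self.dropped += 1
        self.buffer.append(line)
        return False

    def flush(self) -> int:
        """Resend queued lines in order, stopping at the first failure; returns the number sent."""
        sent = 0
        while self.buffer:
            if not self._send(self.buffer[0]):
                break
            self.buffer.popleft()
            sent += 1
        return sent


class FlakySyslog:
    """Constructed stand-in for a syslog server whose link goes down and comes back."""

    def __init__(self, up: bool = True):
        self.up = up
        self.received: List[str] = []

    def send(self, line: str) -> bool:
        if not self.up:
            return False
        self.received.append(line)
        return True


def outage_scenario() -> Tuple[FlakySyslog, StoreAndForwardLogger]:
    """Constructed sequence: one alarm before an outage, two during it, then a flush."""
    server = FlakySyslog(up=True)
    logger = StoreAndForwardLogger(server.send, capacity=100)
    t0 = 1_700_000_000
    logger.report(Alarm("tofino-sa-01", "notice", "appliance entered OPERATIONAL mode", t0))
    server.up = False  # connection to the syslog server interrupted
    logger.report(Alarm("tofino-sa-01", "warning",
                        "dropped 10.1.2.3 -> 192.168.20.7 tcp/80 (no allow rule)", t0 + 5))
    logger.report(Alarm("tofino-sa-01", "warning",
                        "new device 192.168.20.44 seen in PLC zone", t0 + 9))
    server.up = True   # connection restored
    logger.flush()
    return server, logger


if __name__ == "__main__":
    server, _ = outage_scenario()
    for line in server.received:
        print(line)
```

A real appliance would call `flush` on a timer or on link-up notification rather than explicitly; the bounded buffer and the `dropped` counter are the parts worth copying, since an unbounded queue on an embedded device is itself an availability risk.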
68. Describing the Tofino™ VPN LSM quickly
• This simple-to-set-up LSM creates secure tunnels between Tofino Security Appliances; between Tofino and PCs; and between Tofino and supported third-party devices
• It is designed for the control network, not the home or office network, and works hand-in-hand with other LSMs
(Diagram: VPN tunnel from a remote client across the Internet to the main facility, with eavesdroppers kept outside the tunnel)
HIPS Protectors support multiple platforms:
• Windows NT 4 SP6a, 2000, XP(e), Server 2003, Windows Server 2008 / Windows Vista, Win 7
• Solaris 7-10
UTMs provide:
• Secure remote access
• Secure network segmentation, such as historians in a DMZ