Avoiding Cyberterrorism
Threats Inside Hydraulic Power
Generation Plants
Manuel Humberto Santander Peláez
msantand@isc.sans.org
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
SCADA
• Supervisory Control and Data
Acquisition
• Platform used to monitor and control all
the variables of a real-time process
• Several variables to monitor
– Vibrations on the turbine rotor
– Flow speed of oil inside a turbine rotor
– Amount of electric charge passing inside an
electricity transmission line
Electrical process
• Three big steps
– Generation
– Transmission
– Distribution
• Energy is created using any of the
following methods
– Thermoelectric plants
– Nuclear plants
– Hydroelectric plants
Electrical process (2)
• SCADA platform is vital to perform
the following when generation takes
place:
– Ensure turbines do not spin faster than
their rated speed
– Generators are not overloaded
– Energy being generated matches the
amount of energy that the transmission
line can handle
Electrical process (3)
• Transmission
– Energy being generated needs to be
distributed to reach the final users
– 115 kV is the voltage used to transmit on
the wire lines
– Final destinations are the substations
that handle the energy of a specific
number of installations
– Large number of blocks in a city
Electrical process (4)
• SCADA platform is vital to perform
the following when transmission
takes place:
– Monitoring voltage on transmission lines,
looking for excessive electricity
flowing
– None of them may get overloaded: otherwise
the protections trip and a blackout
hits every installation served by the
affected substations
Electrical process (5)
• Distribution
– Energy being generated needs to be
distributed to reach the final users
– 115 kV is the voltage used to transmit on
the wire lines
– Final destinations are the substations
that handle the energy of a specific
number of installations
– Large number of blocks in a city
Electrical process (6)
• SCADA platform is vital to perform
the following when distribution takes
place:
– Monitoring voltage on transmission
lines, looking for excessive
electricity flowing
– Monitoring voltage at user meters,
looking for excessive electricity
flowing
Electrical System
Source:
United States
Department of Energy
Hydroelectrical Plant Process
Source: circuitmaniac.com
Hydroelectrical Turbine
Source:
United States Army
Corps of Engineers
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
SCADA Network inside Power Plant
[Diagram] Generation Power SCADA: Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console. Substation SCADA: Substation controller, Switch Controller, Voltage Meter Reader, Protection Controller, HMI Console.
SCADA Network inside Power Plant (2)
• Generation Power Plant
– Unit Controller: Controls all the
subsystems that let the generator
inject active power into the
electrical network
– Voltage regulator: Controls the
frequency of the active power being
produced by the generator. Must match
the frequency in the electrical network
SCADA Network inside Power Plant (3)
• Generation Power Plant
– Turbine speed regulator: Controls the
speed of the turbine
– Cooling and oil pump controller:
Controls refrigeration and lubrication of
the rotor system of the turbine so
there’s no heat or friction
– Generator protection controller:
Controls excessive voltage changes in
the generator
SCADA Network inside Power Plant (4)
• Substation SCADA
– Substation Controller: Controls all the
systems needed for energy to be
transmitted across the
electrical network
– Switch controller: If there is too much
energy on a line, exceeding its
capacity, the switch opens the circuit
and the energy stops flowing
SCADA Network inside Power Plant (5)
• Substation SCADA:
– Voltage meter: Measures the amount of
electricity flowing on the input and
output lines so the Substation Controller
can tell whether a transmission line
is being pushed past its capacity
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
SCADA Protocols
• Modbus
• IEC 104
• DNP3
Modbus
Source: Practical Industrial Data
Communications
Modbus (2)
• Client/server protocol which operates in a
request/response mode
• Three variants:
– Modbus serial RS-232/RS-485: Implemented on
serial networks
– Modbus TCP: Used for SCADA platforms where
delay is not an issue (Water supply)
– Modbus UDP: Used for SCADA platforms where
delay is a big issue (Energy)
Modbus (3)
Source: Practical Industrial Data
Communications
Modbus (4)
• Modbus protocol structure
– Address field:
• Request frames: Address of the device targeted
by the request
• Response frames: Address of the device responding to
the request
Modbus (5)
• Modbus protocol structure
– Function field
• Function requested by the HMI to be performed by the
field devices
• In response packets, when the requested function
succeeds, the field device echoes the code. If an exception
occurred, the most significant bit of the field is set to 1
Modbus (6)
Type of access      Data Access                                      Function Name                    Function Code
Bit access          Physical Discrete Inputs                         Read Discrete Inputs             2
                    Internal Bits or Physical Coils                  Read Coils                       1
                                                                     Write Single Coil                5
                                                                     Write Multiple Coils             15
16-bit access       Physical Input Registers                         Read Input Register              4
                    Internal Registers or Physical Output Registers  Read Holding Registers           3
                                                                     Write Single Register            6
                                                                     Write Multiple Registers         16
                                                                     Read/Write Multiple Registers    23
                                                                     Mask Write Register              22
                                                                     Read FIFO Queue                  24
File Record Access                                                   Read File Record                 20
                                                                     Write File Record                21
Modbus (7)
Type of access      Function Name                        Function Code
Diagnostics         Read Exception Status                7
                    Diagnostic                           8
                    Get Com Event Counter                11
                    Get Com Event Log                    12
                    Report Slave ID                      17
                    Read Device Identification           43
Other               Encapsulated Interface Transport     43
Modbus (8)
• Modbus protocol structure
– Data field
• In request packets, contains the information required
to perform the specific function
• In response packets, contains the information
requested by the HMI
Modbus (9)
• Modbus protocol structure
– Error check field
• CRC-16 on the message frame
• If the packet has errors, the field device does not process it
• The master then assumes a timeout and resends the
packet to attempt the function execution again
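The four fields described on the Modbus slides (address, function, data, error check) in working form. This is an added example, not code from the original presentation: it builds and parses Modbus RTU frames, computes the CRC-16 the slides mention, and detects the exception bit (most significant bit of the function field) in responses. The function names are taken from the slide tables; the frames themselves are constructed here.

```python
# Added example (not from the original slides): build and parse Modbus RTU
# frames with the address, function, data and CRC-16 fields described above.
import struct

# Function code -> name, as listed in the slide tables
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Register", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostic", 11: "Get Com Event Counter",
    12: "Get Com Event Log", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    17: "Report Slave ID", 20: "Read File Record", 21: "Write File Record",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
    24: "Read FIFO Queue", 43: "Read Device Identification / Encapsulated Interface Transport",
}

EXCEPTION_BIT = 0x80  # set in the function field of an exception response


def crc16_modbus(data: bytes) -> int:
    """CRC-16 as used by Modbus RTU: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(address: int, function: int, data: bytes) -> bytes:
    """Address + function + data, followed by the CRC transmitted low byte first."""
    body = bytes([address, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields. A CRC mismatch marks the frame invalid,
    which is the case where the field device silently drops it and the master
    eventually times out and retransmits."""
    if len(frame) < 4:
        raise ValueError("frame too short for address, function and CRC")
    body = frame[:-2]
    (crc_received,) = struct.unpack("<H", frame[-2:])
    function = body[1]
    is_exception = bool(function & EXCEPTION_BIT)
    code = function & ~EXCEPTION_BIT
    return {
        "address": body[0],
        "function_code": code,
        "function_name": FUNCTION_NAMES.get(code, "unknown"),
        "exception": is_exception,
        # In an exception response the single data byte is the exception code
        "data": body[2:],
        "crc_ok": crc_received == crc16_modbus(body),
    }


if __name__ == "__main__":
    # Constructed request: read 10 holding registers from unit 1
    request = build_frame(1, 3, bytes([0x00, 0x00, 0x00, 0x0A]))
    print(request.hex(), parse_frame(request))
    # Constructed exception response to the same request (illegal data address)
    print(parse_frame(build_frame(1, 0x83, bytes([0x02]))))
```

The CRC check is what the slide calls the error check field: a frame whose CRC does not verify is reported with `crc_ok` false rather than processed, mirroring the field-device behaviour the slide describes.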
IEC 104
• Standard for power system monitoring,
control and communications for telecontrol
and teleprotection for electric power systems
• Completely compatible with:
– IEC 60870-5-1: Transmission frame formats for
standard 60870-5
– IEC 60870-5-5: Basic application functions
IEC 104 (2)
• It has the following features:
– Supports master-initiated messages and
master/slave-initiated messages
– Facility for time synchronization
– Possibility of classifying transmitted data
into 16 different groups so that it can be
retrieved by group
– Cyclic and spontaneous data updating schemes
are provided.
IEC 104 (3)
Source: Practical
Industrial Data
Communications
IEC 104 (4)
Source: Practical
Industrial Data
Communications
IEC 104 (5)
Source: Practical
Industrial Data
Communications
IEC 104 (6)
• Link level
Link service class   Function            Explanation
S1                   SEND / NO REPLY     Transmit message. No ACK or answer required
S2                   SEND / CONFIRM      Transmit message. ACK required
S3                   REQUEST / RESPOND   Transmit message. ACK and answer required
IEC 104 (7)
Source: Practical
Industrial Data
Communications
IEC 104 (8)
Source: Practical
Industrial Data
Communications
• Control field for unbalanced transmissions
IEC 104 (8)
Source: Practical
Industrial Data
Communications
• Control field for balanced transmissions
DNP3
• Set of communication protocols used between
components of a SCADA system
• Used for communications between the RTU and
the IEDs (field devices)
• Implements the communication levels
established by the Enhanced Performance
Architecture (EPA)
DNP3 (2)
• Enhanced Performance Architecture (EPA)
Source: Practical
Industrial Data
Communications
DNP3 (3)
• Message exchange
Source: Practical
Industrial Data
Communications
DNP3 (4)
• Frame format
Source: Practical
Industrial Data
Communications
DNP3 (5)
• Control Byte
Source: Practical
Industrial Data
Communications
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
Cyberterrorism Risks
• Many awful things can happen to a
power plant
– Stop generation because of partial or
total damage to the generator
– Stop generation because of partial or
total damage to the transmission
substation
– Stop generation because of partial or
total damage to the turbine
Cyberterrorism Risks (2)
• Many awful things can happen to a
power plant
– Transformer explosion because of a lack of
transmission line protection capacity
– Massive water leakage because of an
explosion of the turbine container
• All of them can happen through
unauthorized manipulation of the
HMI, once the configurations are
updated
Network technologies in SCADA Systems
• Many SCADA networks still use
RS232/RS485 bus to communicate
all components
– Because of the need to access data
quickly, there are also serial-to-IP
gateways to reach serial RTUs and IEDs
– Lots of hybrid SCADA networks with
serial and IP components
– Access is open to anyone with
network connectivity
Network technologies in SCADA Systems
(2)
• Many SCADA networks still use
RS232/RS485 bus to communicate
all components
– Administrative protocols are not encrypted, so
anyone can sniff all the contents, perform
a MITM and feed fake content to the
client and the server. Insecure services
like telnet are mandatory because of a lack of
support for anything else
– Latency is an issue
Lack of authentication in application
protocol
• The SCADA protocols do not
perform bi-directional authentication
to ensure that all parties are trusted
– Only commands are sent
– Data is sent to the IP address
configured as master
– All the IP spoofing vulnerabilities work
on any MTU or field device
– Any command can be sent
Default configurations in HMI
• Insecure services used
– rlogin
– rcp
– rexec
• OS Admin privileges used to operate
• Trust perimeter created within HMI
and external RTU and IED to
manipulate configuration parameters
What could be done?
• Reset a link state communication or
send Test Communication packet
several times provoking temporal
DoS to the IED controllers
– Spoof the HMI IP address and send the
following using TCP:
0x56405c00100020074e3
– Spoof the HMI IP address and send the
following using TCP:
0x56405f201000200b717
What could be done? (2)
• Send commands to the IED
controllers
– Registers are linked to turn on and off
specific devices like oil and refrigeration
pumps
– A Modbus command to change registers
is enough to disable any of those pumps
– Command depends on the place where
the pump is configured
What could be done? (3)
• Run Metasploit against the HMI and
try to find remote admin exploits
– No patches are installed
– Too many vulnerabilities around
– The odds of finding remote privilege
escalation vulnerabilities are very high
– Are passwords strong enough in the
HMI software and OS?
– Is there any password at all configured?
What could be done? (4)
• MITM attacks on the substation
elements and generation plant
elements
– TCP sequence predictability on these
elements is pretty high
– Prone to session hijacking
(http://www.youtube.com/watch?v=s_XD8heYNrc)
Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation
What you cannot do with SCADA
• Protocol delay is usually a BIG issue in
SCADA
– Water supply and oil SCADA tolerate big
delays because they have no
consequences for the process
– Power SCADA is critical. A delay higher
than 12 milliseconds could end in a massive
blackout because of a failure to open a
breaker in a substation
– Be careful about what you do to protect your
SCADA
SCADA Network inside Power Plant
[Diagram] Generation Power SCADA: Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console. Substation SCADA: Substation controller, Switch Controller, Voltage Meter Reader, Protection Controller, HMI Console.
Monitor your network
• Control access from outsiders
– The SCADA network needs to send
information out for reports and status
checking
– You can establish a secure way to get
into the SCADA network for remote
support
– If no commands need to be sent, one-
way communications using Waterfall
work pretty well.
Monitor your network (2)
Source: Waterfall Security
Monitor your network (3)
• Use a Network Intrusion Prevention
System
– You definitely can use a conventional IPS if it is
fast enough to avoid delays in your
network
– Not all of them support SCADA protocols
– If you have Snort, you can write rules for
Modbus and DNP3. Otherwise, you need to
write your own rules
– The Industrial Defender solution works pretty well
as it includes lots of SCADA signatures
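The slides note that the protocols carry no authentication (data is simply sent to whichever IP address is configured as master) and that you may need to write your own Modbus rules for your IPS. The following is an added example, not code from the presentation or from any vendor product named on the slides: it parses the Modbus/TCP MBAP header and flags write and diagnostic function codes that arrive from any host other than the configured HMI. The packets, addresses and the allow-list are all constructed for the example.

```python
# Added example (not from the slides or a vendor product): a minimal detection
# pass over Modbus/TCP requests. Reads are left alone to keep the rule quiet;
# state-changing function codes from a non-master host raise an alert.
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
# Write and diagnostic function codes from the slide tables that change device state
STATE_CHANGING = {5, 6, 8, 15, 16, 21, 22, 23}
# Constructed allow-list: the only hosts permitted to issue such commands (assumed HMI console)
ALLOWED_MASTERS = {"10.0.1.10"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_mbap(payload: bytes):
    """Return (unit_id, function_code, data) from a Modbus/TCP ADU, or None when
    the MBAP header is malformed (protocol id must be 0 and the length field
    must cover unit id + PDU)."""
    if len(payload) < 8:
        return None
    _tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]


def inspect(packets):
    """Return a list of (source, reason) alerts for the given packets."""
    alerts = []
    for p in packets:
        if p.dport != MODBUS_TCP_PORT:
            continue
        parsed = parse_mbap(p.payload)
        if parsed is None:
            alerts.append((p.src, "malformed MBAP header"))
            continue
        unit, fc, _data = parsed
        if fc in STATE_CHANGING and p.src not in ALLOWED_MASTERS:
            alerts.append((p.src, f"function {fc} to unit {unit} from non-master"))
    return alerts


def mbap(function: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a well-formed Modbus/TCP ADU (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: the HMI reads and writes, an unknown host tries both,
# and a final packet carries a length field that does not match its payload.
SAMPLE = [
    Packet("10.0.1.10", "10.0.1.50", 502, mbap(3, b"\x00\x00\x00\x0a")),
    Packet("10.0.1.10", "10.0.1.50", 502, mbap(5, b"\x00\x01\xff\x00")),
    Packet("10.0.1.77", "10.0.1.50", 502, mbap(5, b"\x00\x01\xff\x00")),
    Packet("10.0.1.77", "10.0.1.50", 502, mbap(3, b"\x00\x00\x00\x0a")),
    Packet("10.0.1.77", "10.0.1.50", 502, b"\x00\x01\x00\x00\x00\x06\x01\x08"),
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

Because the protocol itself offers no authentication, a source-address allow-list is only a compensating control: it is defeated by the IP spoofing the slides describe, so it should be paired with switch-port or MAC binding for the HMI and with the one-way or access-controlled perimeter discussed above.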
Monitor your network (4)
• Control access from outsiders
– Energy market central regulators are
able to control your power generation
SCADA and make you generate what
you won at the electricity market
– Be able to override control from your
local market control center if for some
reason you notice abnormal operations
that put your generation infrastructure
at risk
Monitor your network (5)
Source: FERC
• SCADA platforms are designed to
last from 10 to 20 years
– Too many technology changes happen
in that time
– Lots of security issues to deal with
– Need a solution to prevent any changes
inside computers, as intrusions make
changes to the filesystem, configurations
and system processes
Control unauthorized changes to Master
Terminal Unit
Control unauthorized changes to Unit
Controllers and IED controllers
• Configuration and firmware changes
can be done on-site and remotely
• Can you tell all the times where
those changes have been done for all
the IED and Unit controllers?
• Can you tell if that change actually
contains the valid firmware and/or
configuration?
• Check IndustrialDefender Manage
Control unauthorized changes to Master
Terminal Unit (3)
• Control any changes inside your
SCADA servers
– McAfee Integrity Control works pretty
well
– Defines what can be changed and by whom
– Lots of custom logs to choose from
– Can send events to any SIEM configured
in the network
Monitor attacks to Master Unit
• A host IPS is definitely needed, as any
attack could change the integrity and
stability of a process
• Availability is critical to a SCADA
system and cannot be compromised
• A conventional host IPS makes
extensive use of CPU and can affect
performance inside SCADA
Monitor attacks to Master Unit (2)
• Industrial Defender Protect works
pretty well
• Works seamlessly with the Siemens
Spectrum platform
• Does not load the machine or need
extensive bandwidth to perform its
checks
• Central console to perform
operations inside the platform
Questions? Comments?
Manuel Humberto Santander Peláez
http://manuel.santander.name
http://twitter.com/manuelsantander
msantand@isc.sans.org / manuel@santander.name
Evaluating the top large language models.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants

1. Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants
Manuel Humberto Santander Peláez
msantand@isc.sans.org

2. Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation

3. SCADA
• Supervisory Control and Data Acquisition
• Platform used to monitor and control all the variables of a real-time process
• Several variables to monitor
– Vibrations on the turbine rotor
– Flow speed of oil inside a turbine rotor
– Amount of electric charge passing through an electricity transmission line

4. Electrical process
• Three big steps
– Generation
– Transmission
– Distribution
• Energy is created using any of the following methods
– Thermoelectrical plants
– Nuclear plants
– Hydroelectrical plants

5. Electrical process (2)
• The SCADA platform is vital to perform the following when generation takes place:
– Ensure turbines are not turning at more revolutions than supported
– Generators are not working overloaded
– Energy being generated matches the amount of energy that the transmission line can handle

6. Electrical process (3)
• Transmission
– Energy being generated needs to be distributed to reach the final users
– 115 kV is the voltage used on the transmission lines
– Final destinations are the substations that handle the energy of a specific number of installations
– Large number of blocks in a city

7. Electrical process (4)
• The SCADA platform is vital to perform the following when transmission takes place:
– Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
– None of them can get overloaded, because protections get activated and a blackout appears in all the installations controlled by the affected substations

8. Electrical process (5)
• Distribution
– Energy being generated needs to be distributed to reach the final users
– 115 kV is the voltage used on the transmission lines
– Final destinations are the substations that handle the energy of a specific number of installations
– Large number of blocks in a city

9. Electrical process (6)
• The SCADA platform is vital to perform the following when distribution takes place:
– Monitoring of voltage in transmission lines, looking for a high amount of electricity flowing
– Monitoring of voltage in user meters, looking for a high amount of electricity flowing

13. Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation

14. SCADA Network inside Power Plant
(network diagram)
• Generation power SCADA: Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console
• Substation SCADA: Substation controller, Switch Controller, Voltage Meter Reader, HMI Console, Protection Controller

15. SCADA Network inside Power Plant (2)
• Generation Power Plant
– Unit Controller: Controls all the subsystems so that the generator is able to inject active power into the electrical network
– Voltage regulator: Controls the frequency of the active power being produced by the generator. Must match the frequency in the electrical network

16. SCADA Network inside Power Plant (3)
• Generation Power Plant
– Turbine speed regulator: Controls the speed of the turbine
– Cooling and oil pump controller: Controls refrigeration and lubrication of the rotor system of the turbine so there is no heat or friction
– Generator protection controller: Controls excessive voltage changes in the generator

17. SCADA Network inside Power Plant (4)
• Substation SCADA
– Substation Controller: Controls all the systems that make it possible for the energy to be transmitted across the electrical network
– Switch controller: If there is too much energy on a line, trying to exceed its capacity, the switch opens the circuit and the energy stops flowing

18. SCADA Network inside Power Plant (5)
• Substation SCADA
– Voltage meter: Meters the amount of electricity flowing in the input and output lines, so the Substation Controller can tell whether a transmission line is exceeding its capacity

19. Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation

20. SCADA Protocols
• Modbus
• IEC 104
• DNP3

21. Modbus
(figure; source: Practical Industrial Data Communications)

22. Modbus (2)
• Client/server protocol which operates in a request/response mode
• Three variants:
– Modbus serial RS-232/RS-485: Implemented on serial networks
– Modbus TCP: Used for SCADA platforms where delay is not an issue (water supply)
– Modbus UDP: Used for SCADA platforms where delay is a big issue (energy)

23. Modbus (3)
(figure; source: Practical Industrial Data Communications)

24. Modbus (4)
• Modbus protocol structure
– Address field:
• Request frames: Address of the device targeted by the request
• Response frames: Address of the device responding to the request

25. Modbus (5)
• Modbus protocol structure
– Function field
• Function requested by the HMI to be performed by the field devices
• In response packets, when the function succeeded, the field device echoes the function code. If an exception occurred, the most significant bit of the field is set to 1

26. Modbus (6)
• Data access function codes
– Bit access, Physical Discrete Inputs: Read Discrete Inputs (2)
– Bit access, Internal Bits or Physical Coils: Read Coils (1), Write Single Coil (5), Write Multiple Coils (15)
– 16-bit access, Physical Input Registers: Read Input Register (4)
– 16-bit access, Internal Registers or Physical Output Registers: Read Holding Registers (3), Write Single Register (6), Write Multiple Registers (16), Read/Write Multiple Registers (23), Mask Write Register (22), Read FIFO Queue (24)
– File Record Access: Read File Record (20), Write File Record (21)

27. Modbus (7)
• Diagnostics function codes: Read Exception Status (7), Diagnostic (8), Get Com Event Counter (11), Get Com Event Log (12), Report Slave ID (17), Read Device Identification (43)
• Other: Encapsulated Interface Transport (43)

28. Modbus (8)
• Modbus protocol structure
– Data field
• In request packets, contains the information required to perform the specific function
• In response packets, contains the information requested by the HMI

29. Modbus (9)
• Modbus protocol structure
– Error check field
• CRC-16 on the message frame
• If the packet has errors, the field device does not process it
• The master then times out and resends the packet to retry the function
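The frame layout of slides 24 to 29 (address field, function field with its exception bit, data field, CRC-16 error check) as an added Python example; this is not code from the deck, and the unit address and register values below are constructed.

```python
"""Modbus RTU frame structure: address, function, data and CRC-16 error check.

Added example (not from the deck); the frames below are constructed for
illustration and the unit address is a placeholder.
"""
import struct


def modbus_crc16(data: bytes) -> int:
    """CRC-16/Modbus: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_frame(address: int, function: int, data: bytes) -> bytes:
    """Address field + function field + data field + CRC (low byte first)."""
    body = bytes([address, function]) + data
    return body + struct.pack("<H", modbus_crc16(body))


def frame_is_valid(frame: bytes) -> bool:
    """A field device silently drops a frame whose CRC does not match;
    the master then times out and retransmits."""
    if len(frame) < 4:
        return False
    received = struct.unpack("<H", frame[-2:])[0]
    return received == modbus_crc16(frame[:-2])


def parse_frame(frame: bytes) -> dict:
    """Decode a request or response frame, honouring the exception bit."""
    if not frame_is_valid(frame):
        raise ValueError("CRC mismatch: field device would discard this frame")
    address, function = frame[0], frame[1]
    exception = bool(function & 0x80)  # MSB set => exception response
    parsed = {
        "address": address,
        "function": function & 0x7F,  # original function code echoed back
        "exception": exception,
        "data": frame[2:-2],
    }
    if exception:
        parsed["exception_code"] = frame[2]  # e.g. 0x02 = illegal data address
    return parsed


def read_holding_registers_request(address: int, start: int, count: int) -> bytes:
    """Function 3 request: 2-byte starting register and 2-byte quantity."""
    return build_frame(address, 3, struct.pack(">HH", start, count))


def decode_register_response(frame: bytes) -> list:
    """Function 3 response data: byte count followed by 16-bit register values."""
    parsed = parse_frame(frame)
    if parsed["exception"] or parsed["function"] != 3:
        raise ValueError("not a successful Read Holding Registers response")
    payload = parsed["data"]
    byte_count = payload[0]
    return list(struct.unpack(">%dH" % (byte_count // 2), payload[1:1 + byte_count]))


if __name__ == "__main__":
    request = read_holding_registers_request(1, 0, 2)
    print(request.hex())  # 010300000002c40b
    reply = build_frame(1, 3, b"\x04\x00\x0a\x01\x02")
    print(decode_register_response(reply))  # [10, 258]
    print(parse_frame(build_frame(1, 0x83, b"\x02")))  # exception, code 2
```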
30. IEC 104
• Standard for power system monitoring, control and communications for telecontrol and teleprotection for electric power systems
• Completely compatible with:
– IEC 60870-5-1: Transmission frame formats for standard 60870-5
– IEC 60870-5-5: Basic application functions

31. IEC 104 (2)
• It has the following features:
– Supports master initiated messages and master/slave initiated messages
– Facility for time synchronization
– Possibility of classifying data being transmitted into 16 different groups, to get the data according to the group
– Cyclic and spontaneous data updating schemes are provided

32. IEC 104 (3)
(figure; source: Practical Industrial Data Communications)

33. IEC 104 (4)
(figure; source: Practical Industrial Data Communications)

34. IEC 104 (5)
(figure; source: Practical Industrial Data Communications)

35. IEC 104 (6)
• Link level service classes
– S1, SEND / NO REPLY: Transmit message. No ACK or answer required
– S2, SEND / CONFIRM: Transmit message. ACK required
– S3, REQUEST / RESPOND: Transmit message. ACK and answer required

36. IEC 104 (7)
(figure; source: Practical Industrial Data Communications)

37. IEC 104 (8)
• Control field for unbalanced transmissions
(figure; source: Practical Industrial Data Communications)

38. IEC 104 (9)
• Control field for balanced transmissions
(figure; source: Practical Industrial Data Communications)
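An added Python example, not code from the deck, that decodes the IEC 104 control field as carried over TCP (the APCI, which the figures above do not show) and flags a peer that floods STOPDT/TESTFR activations, the link-reset and test-frame burst the deck later lists among the risks. Peer addresses, timestamps and frames are constructed.

```python
"""IEC 60870-5-104 APCI classification and U-frame burst detection.

Added example (not from the deck). It decodes the TCP-variant control field
(APCI) of IEC 104; the peer addresses, timestamps and frames are constructed.
"""
from collections import defaultdict

# Control-field octet 1 values of the unnumbered (U) link-control functions
U_FUNCTIONS = {
    0x07: "STARTDT act", 0x0B: "STARTDT con",
    0x13: "STOPDT act", 0x23: "STOPDT con",
    0x43: "TESTFR act", 0x83: "TESTFR con",
}


def parse_apci(frame: bytes) -> dict:
    """Split an APDU: 0x68 start byte, APDU length, four control octets,
    then (for I-format only) the ASDU."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU")
    apdu_len = frame[1]
    if apdu_len < 4 or apdu_len != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    c1, c2, c3, c4 = frame[2:6]
    if c1 & 0x01 == 0:  # I-format: numbered information transfer
        return {"format": "I",
                "send_seq": (c1 | c2 << 8) >> 1,
                "recv_seq": (c3 | c4 << 8) >> 1,
                "asdu": frame[6:]}
    if c1 & 0x03 == 0x01:  # S-format: numbered supervisory (acknowledge)
        return {"format": "S", "recv_seq": (c3 | c4 << 8) >> 1}
    return {"format": "U",  # unnumbered control: STARTDT/STOPDT/TESTFR
            "function": U_FUNCTIONS.get(c1, "unknown 0x%02x" % c1)}


def flag_u_frame_bursts(events, window_s=10.0, threshold=5):
    """events: iterable of (timestamp, src_ip, frame). A peer sending more
    than `threshold` STOPDT/TESTFR activations inside `window_s` seconds is
    flagged; a healthy master sends TESTFR only as a slow keep-alive."""
    stamps = defaultdict(list)
    for ts, src, frame in events:
        try:
            apci = parse_apci(frame)
        except ValueError:
            continue  # malformed APDUs deserve their own alert; not handled here
        if apci["format"] == "U" and apci["function"] in ("STOPDT act", "TESTFR act"):
            stamps[src].append(ts)
    flagged = set()
    for src, times in stamps.items():
        times.sort()
        for i in range(len(times) - threshold):
            if times[i + threshold] - times[i] <= window_s:
                flagged.add(src)
                break
    return flagged


# Constructed sample traffic: a well-behaved master and a peer hammering TESTFR
STARTDT_ACT = bytes.fromhex("680407000000")
TESTFR_ACT = bytes.fromhex("680443000000")
# I-frame carrying a general interrogation ASDU (type 100, COT 6, CA 1, QOI 20)
INTERROGATION = bytes.fromhex("680e0000000064010600010000000014")
SAMPLE_EVENTS = (
    [(0.0, "10.10.2.5", STARTDT_ACT), (1.0, "10.10.2.5", INTERROGATION),
     (20.0, "10.10.2.5", TESTFR_ACT), (40.0, "10.10.2.5", TESTFR_ACT)]
    + [(100.0 + 0.3 * i, "10.10.2.99", TESTFR_ACT) for i in range(6)]
)

if __name__ == "__main__":
    print(parse_apci(INTERROGATION)["format"], flag_u_frame_bursts(SAMPLE_EVENTS))
```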
39. DNP3
• Set of communication protocols used between components of a SCADA system
• Used for communications between the RTU and the IEDs (field devices)
• Implements the communication levels established by the Enhanced Performance Architecture (EPA)

40. DNP3 (2)
• Enhanced Performance Architecture (EPA)
(figure; source: Practical Industrial Data Communications)

41. DNP3 (3)
• Message exchange
(figure; source: Practical Industrial Data Communications)

42. DNP3 (4)
• Frame format
(figure; source: Practical Industrial Data Communications)

43. DNP3 (5)
• Control Byte
(figure; source: Practical Industrial Data Communications)

44. Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation

45. Cyberterrorism Risks
• Many awful things can happen to a power plant
– Stop generation because of partial or total damage to the generator
– Stop generation because of partial or total damage to the transmission substation
– Stop generation because of partial or total damage to the turbine

46. Cyberterrorism Risks (2)
• Many awful things can happen to a power plant
– Transformer explosion because of lack of transmission line protection capacity
– Massive water leakage because of explosion of the turbine container
• All of them can happen through unauthorized manipulation of the HMI and after configurations are updated

47. Network technologies in SCADA Systems
• Many SCADA networks still use an RS232/RS485 bus to communicate all components
– Because data also needs to be accessed quickly, serial-to-IP gateways are used to reach serial RTUs and IEDs
– Lots of hybrid SCADA networks having serial and IP components
– Access is open to anyone with network connectivity

48. Network technologies in SCADA Systems (2)
• Many SCADA networks still use an RS232/RS485 bus to communicate all components
– Administration protocols are not encrypted, so anyone can sniff all the contents, perform a MITM and send fake content to client and server. Insecure services like telnet are mandatory because of lack of support for alternatives
– Latency is an issue

49. Lack of authentication in application protocol
• The SCADA protocols do not perform bi-directional authentication to ensure that all parties are trusted
– Only commands are sent
– Data is sent to the IP address configured as master
– All the IP spoofing vulnerabilities work on any MTU or field device
– Any command can be sent

50. Default configurations in HMI
• Insecure services used
– rlogin
– rcp
– rexec
• OS admin privileges used to operate
• Trust perimeter created between the HMI and external RTUs and IEDs to manipulate configuration parameters

51. What could be done?
• Reset a link state communication or send a Test Communication packet several times, provoking a temporary DoS to the IED controllers
– Spoof the HMI IP address and send the following using TCP: 0x56405c00100020074e3
– Spoof the HMI IP address and send the following using TCP: 0x56405f201000200b717

52. What could be done? (2)
• Send commands to the IED controllers
– Registers are linked to turn on and off specific devices like oil and refrigeration pumps
– A Modbus command to change registers is enough to disable any of those pumps
– The command depends on where the pump is configured

53. What could be done? (3)
• Run Metasploit against the HMI and try to find remote admin exploits
– No patches are installed
– Too many vulnerabilities around
– The odds of finding remote privilege escalation vulnerabilities are very high
– Are passwords strong enough in the HMI software and OS?
– Is there any password configured at all?

54. What could be done? (4)
• MITM attacks on the substation elements and generation plant elements
– TCP sequence predictability on these elements is pretty high
– Prone to session hijacking (http://www.youtube.com/watch?v=s_XD8heYNrc)

55. Agenda
• Introduction
• Power Plant Generation SCADA
• SCADA protocols
• Cyber Terrorism Risks
• Remediation

56. What you cannot do with SCADA
• Protocol delay is usually a BIG issue in SCADA
– Water supply and oil SCADA tolerate big delays, because they have no consequences for the process
– Power SCADA is critical. A delay higher than 12 milliseconds could end in a massive blackout because of failure to open a breaker in a substation
– Be careful about what you do to protect your SCADA

57. SCADA Network inside Power Plant
(network diagram, as on slide 14)
• Generation power SCADA: Unit Controller, Turbine Speed Regulator, Voltage Regulator, Generator Protection Controller, Cooling and oil pump controller, HMI Console
• Substation SCADA: Substation controller, Switch Controller, Voltage Meter Reader, HMI Console, Protection Controller

58. Monitor your network
• Control access from outsiders
– The SCADA network needs to send information for reports and status checking
– You can establish a secure way to get into the SCADA network for remote support
– If no commands need to be sent, one-way communication using Waterfall works pretty well

59. Monitor your network (2)
(figure; source: Waterfall Security)

60. Monitor your network (3)
• Use a Network Intrusion Prevention System
– You definitely can use a conventional IPS if it is fast enough to avoid delays in your network
– Not all of them support SCADA protocols
– If you have Snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules
– The Industrial Defender solution works pretty well, as it includes lots of SCADA signatures
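The Modbus rule idea above as an added Python example, not the deck's or any vendor's code: it parses Modbus/TCP and alerts on the write function codes from the deck's table (5, 6, 15, 16, 22, 23) when they come from a host other than the authorised HMI, which is the case the deck's pump-disable risk relies on. Addresses and frames are constructed.

```python
"""Flag Modbus/TCP write commands that do not come from the authorised HMI.

Added example, not code from the deck or from any IPS vendor; the HMI and IED
addresses and all frames are constructed for illustration.
"""
import struct

# Codes from the deck's Modbus table that change coils or registers
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
AUTHORISED_MASTERS = {"10.10.1.5"}  # constructed: the plant's HMI console

def parse_modbus_tcp(payload: bytes) -> dict:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload")
    return {"transaction": tid, "unit": unit,
            "function": payload[7], "data": payload[8:]}

def describe_write(function: int, data: bytes) -> str:
    """Target of a write, decoded from the PDU data field."""
    if len(data) < 4:
        return "data %s" % data.hex()
    first, second = struct.unpack(">HH", data[:4])
    if function == 5:   # coil address, 0xFF00 = ON / 0x0000 = OFF
        return "coil %d -> %s" % (first, "ON" if second == 0xFF00 else "OFF")
    if function == 6:   # register address, new value
        return "register %d -> 0x%04x" % (first, second)
    if function in (15, 16):  # starting address, quantity
        return "%d items from %d" % (second, first)
    return "data %s" % data.hex()

def inspect(events) -> list:
    """events: iterable of (src_ip, dst_ip, modbus_tcp_payload). Returns alerts."""
    alerts = []
    for src, dst, payload in events:
        try:
            msg = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append({"src": src, "dst": dst, "reason": "malformed: %s" % err})
            continue
        fc = msg["function"]
        if fc in WRITE_FUNCTIONS and src not in AUTHORISED_MASTERS:
            alerts.append({"src": src, "dst": dst, "unit": msg["unit"], "function": fc,
                           "reason": "%s (%s) from unauthorised master"
                           % (WRITE_FUNCTIONS[fc], describe_write(fc, msg["data"]))})
    return alerts

def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP payload for the constructed samples."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

SAMPLE_EVENTS = [  # constructed traffic
    ("10.10.1.5", "10.10.1.20", mbap(1, 1, b"\x03\x00\x00\x00\x02")),   # HMI read
    ("10.10.1.5", "10.10.1.21", mbap(2, 1, b"\x05\x00\x03\xff\x00")),   # HMI coil ON
    ("10.10.1.77", "10.10.1.21", mbap(3, 1, b"\x05\x00\x03\x00\x00")),  # rogue coil OFF
    ("10.10.1.77", "10.10.1.20", mbap(4, 1, b"\x10\x00\x10\x00\x02\x04\x00\x00\x00\x00")),
    ("10.10.1.77", "10.10.1.20", b"\x00\x05\x00\x01\x00\x06\x01\x03\x00\x00\x00\x02"),  # pid 1
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_EVENTS):
        print(alert)
```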
61. Monitor your network (4)
• Control access from outsiders
– Energy market central regulators are able to control your power generation SCADA and make you generate what you were awarded in the electricity market
– Be able to override control from your local market control center if for some reason you notice abnormal operations that put your generation infrastructure at risk

62. Monitor your network (5)
(figure; source: FERC)

63. Control unauthorized changes to Master Terminal Unit
• SCADA platforms are designed to last from 10 to 20 years
– Too many technology changes happen in that time
– Lots of security issues to deal with
– Need a solution that prevents any unauthorized change inside the computers, as intrusions change the file system, configurations and system processes

64. Control unauthorized changes to Unit Controllers and IED controllers
• Configuration and firmware changes can be done on-site and remotely
• Can you tell all the times those changes have been made for all the IEDs and Unit Controllers?
• Can you tell if that change actually contains the valid firmware and/or configuration?
• Check Industrial Defender Manage

65. Control unauthorized changes to Master Terminal Unit (3)
• Control any changes inside your SCADA servers
– McAfee Integrity Control works pretty well
– Defines what can be changed and by whom
– Lots of custom logs to choose from
– Can send events to any SIEM configured in the network

66. Monitor attacks to Master Unit
• Host IPS is definitely needed, as any attack could change the integrity and stability of a process
• Availability is critical to a SCADA system and cannot be altered
• Conventional host IPS makes heavy use of CPU and can affect performance inside SCADA

67. Monitor attacks to Master Unit (2)
• Industrial Defender Protect works pretty well
• Works seamlessly with the Siemens Spectrum platform
• Does not load the machine or need extensive bandwidth to perform its checks
• Central console to perform operations inside the platform

68. Questions? Comments?
Manuel Humberto Santander Peláez
http://manuel.santander.name
http://twitter.com/manuelsantander
msantand@isc.sans.org / manuel@santander.name