1. Improving Control System Security
by Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd.
A Company of PTT Group
July 2010
2. About Speaker
Name: Chaiyakorn Apiwathanokul
ไชยกร อภิวัฒโนกุล
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited
A Company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
• Contribute to Thailand Cyber Crime Act B.E.2550
• Security Sub-commission under Thailand Electronic Transaction Commission
(ET Act B.E. 2544)
• Workgroup for CA service standard development
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity taskforce development, Division of Skill
Development, Ministry of Labour
3. Sub Topic:
• Examining current security trends and their impact for SCADA systems
• Increasing the security and usability of SCADA systems
• Understanding tools and techniques to mitigate SCADA security risk
4. See Videos
1. DHS experiment on hacking to destroy a
generator
2. US Power Grid under attack - Clarke
5. (Diagram: threat landscape around a plant; only the box labels are recoverable)
• Adversary / Terrorist / Hacker
• Disgruntled employee
• Malicious code / Virus / Worm
• Vulnerabilities / Weaknesses ("has": the Plant Control Systems have them)
• Manufacture / Plant Control Systems / Operation
• National Critical Infrastructure
• Law / Government
• Industry-specific Standard / Guideline
• Compliance / Regulator
6. Simplification
(Diagram: only the box labels are recoverable)
• Someone hates someone else
• Someone develops a weapon
• Someone has something
• Someone has to do something
• Not only someone (and someone else) got trouble
7. Does the system integrator have security in mind?
• Are all possible conditions properly handled?
• Is the program running in the controller security-aware by design?
• The more security there is, the harder UAT and commissioning become, which may delay the project payment. Guess what!!! They don’t do it unless explicitly required or asked for.
• Is it in the TOR?
8. Does the system integrator have security in mind? (cont.)
“None of the industrial control systems used to monitor
and operate the nation's utilities and factories were
designed with security in mind. Moreover, their very
nature makes them difficult to secure. Linking them to
networks and the public Internet only makes them
harder to protect.”
Said by Joseph Weiss, executive consultant for KEMA
Consulting
http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html
11. Normal Operation
(Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator)
12. Hacking on Operator workstation
Scenario #1.1 Known local admin password
(Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator. The hacker knows the local admin password, connects to the GUI’s server via Remote Desktop, and from there remotely controls the GUI, adds a new user and opens a shared folder.)
13. Hacking on Operator workstation
Summary Scenario #1.1 Known local admin password
Required condition:
Local admin password is known (default password)
Remote Desktop is enabled
Consequence:
Attacker can take over the system
Attacker can take over the GUI
Attacker can add a new user
Attacker can open shared folders
Remediation:
Change the default password
Restrict access to Remote Desktop
14. Hacking on Operator workstation
Scenario #1.2 unpatched
(Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator. The hacker attacks a vulnerability on the unpatched GUI’s server, exploits it, and then remotely controls the GUI, adds a new user and opens a shared folder.)
15. Hacking on Operator workstation
Summary Scenario #1.2 unpatched
Required condition:
Operator workstation is not patched
Consequence:
Attacker can take over the system
Attacker can take over GUI
Attacker can add new user
Attacker can open share folder
Remediation:
Regularly update the workstation
Monitor the system integrity
Consider intrusion detection system
Consider security perimeter
16. Hacking on Operator workstation
Scenario #1.3 Password Sniffing
(Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator. The operator’s password crosses the network and the hacker sniffs it.)
17. Hacking on Operator workstation
Summary Scenario #1.3 Password Sniffing
Required condition:
Web-based HMI
Operator sends login password via HTTP
Consequence:
Password is known to hacker
Hacker can login to Web-based HMI
Remediation:
Use HTTPS instead of HTTP
Consider detection measure
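"Consider detection measure" can be made concrete. As an added example (not from the slides), the script below scans HTTP request records of the kind a proxy or IDS log would hold and flags login credentials that were sent over plain HTTP rather than HTTPS; it reports only the name of the offending field, never the secret. The host name, the list of password-field names and the sample requests are assumptions constructed for the demo.

```python
"""Added example (not from the slides): a detection measure for Scenario #1.3.
Host names, field names and the sample requests are constructed assumptions."""
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly used for password fields (assumed list).
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}

# Constructed sample traffic: an operator logging in to a web-based HMI.
SAMPLE_REQUESTS = [
    {"scheme": "http", "method": "POST", "host": "hmi.plant.example",
     "path": "/login", "body": "user=operator1&password=Summer2010"},
    {"scheme": "https", "method": "POST", "host": "hmi.plant.example",
     "path": "/login", "body": "user=operator1&password=Summer2010"},
    {"scheme": "http", "method": "GET", "host": "hmi.plant.example",
     "path": "/trend?tag=FIC101", "body": ""},
    {"scheme": "http", "method": "GET", "host": "hmi.plant.example",
     "path": "/auth?user=op2&pwd=abc", "body": ""},
]


def credential_fields(request: dict) -> list:
    """Return the names of password-like parameters in the query string or body."""
    query = urlsplit(request["path"]).query
    found = []
    for source in (query, request.get("body", "")):
        for name in parse_qs(source, keep_blank_values=True):
            if name.lower() in PASSWORD_FIELDS:
                found.append(name)
    return found


def find_cleartext_credentials(requests: list) -> list:
    """Flag requests that carry a password field over plain HTTP.
    HTTPS requests are skipped: their bodies are not readable on the wire."""
    findings = []
    for r in requests:
        if r["scheme"].lower() != "http":
            continue
        fields = credential_fields(r)
        if fields:
            findings.append({"host": r["host"],
                             "path": urlsplit(r["path"]).path,
                             "method": r["method"],
                             "fields": fields})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(f"ALERT cleartext credential: {f['method']} http://{f['host']}{f['path']} "
              f"fields={f['fields']}")
```

Credentials in a GET query string (the fourth sample) are worse than in a POST body: they also land in web-server and proxy logs, which is another reason to use HTTPS and POST for the HMI login.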
18. Hacking on Operator workstation
Scenario #1.4 Remember password
(Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator. A USB U3 thumb drive is plugged into the workstation and dumps the “remember password” store.)
19. Hacking on Operator workstation
Summary Scenario #1.4 Remember password
Required condition:
Physical access to the system
Autorun enabled
Consequence:
Password is stolen
Remediation:
Limit physical access to the system
Disable Autorun (all drives)
Don’t use the “remember password” feature
20. Hacking on HMI Web & DB server
Scenario #2 SQL Injection
(Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator. Injection flaw! SQL Injection against the HMI Web & DB Server: delete table, modify data in table (insert, delete, update).)
21. Hacking on HMI Web & DB Server
Summary Scenario #2 SQL Injection
Required condition:
Web-based HMI
SQL Injection flaw
Consequence:
Direct database manipulation
Remediation:
Input validation
Web Application security assessment
Web Application Firewall (WAF)
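To show what the "Injection flaw!" on the previous slide looks like in code and how the "Input validation" remediation fixes it, here is an added example (not code from the slides or from any HMI product): a tag lookup that pastes user input into the SQL text, next to a hardened version that validates the tag name against its expected shape and binds it as a query parameter. Parameterised queries are the standard hardening in addition to the slide’s input validation. The tag table, tag-name pattern and lookup functions are constructed for the demo.

```python
"""Added example (not from the slides): the Scenario #2 injection flaw next to
its hardened form. Table, tag names and functions are constructed for the demo."""
import re
import sqlite3

# Assumed whitelist for ISA-style tag names such as FIC101 or PT-2001.
TAG_NAME = re.compile(r"^[A-Z]{1,5}-?[0-9]{1,5}$")


def make_db() -> sqlite3.Connection:
    """Constructed HMI tag table with two process values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL, setpoint REAL)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?)",
                     [("FIC101", 12.5, 12.0), ("PT2001", 4.2, 4.0)])
    conn.commit()
    return conn


def lookup_tag_unsafe(conn: sqlite3.Connection, tag: str) -> list:
    """The flaw: the input becomes part of the SQL text, so a quote in the
    input changes the meaning of the query instead of being data."""
    sql = "SELECT name, value FROM tags WHERE name = '%s'" % tag
    return conn.execute(sql).fetchall()


def lookup_tag_safe(conn: sqlite3.Connection, tag: str) -> list:
    """Hardened: input validation rejects anything that is not a tag name,
    and the value is bound as a parameter so it can only ever be data."""
    if not TAG_NAME.match(tag):
        raise ValueError("tag name rejected by input validation")
    return conn.execute("SELECT name, value FROM tags WHERE name = ?", (tag,)).fetchall()


def demo() -> dict:
    """Compare both lookups on a normal tag and on a textbook tautology input."""
    conn = make_db()
    crafted = "' OR '1'='1"
    result = {
        "normal_unsafe": lookup_tag_unsafe(conn, "FIC101"),
        "normal_safe": lookup_tag_safe(conn, "FIC101"),
        # The unsafe query degenerates to WHERE name = '' OR '1'='1' and
        # returns every row: direct database manipulation, as the slide says.
        "crafted_unsafe": lookup_tag_unsafe(conn, crafted),
    }
    try:
        lookup_tag_safe(conn, crafted)
        result["crafted_safe"] = "accepted"
    except ValueError:
        result["crafted_safe"] = "rejected"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

A WAF in front of the HMI would catch the obvious pattern above, but it is a compensating control: the parameterised query removes the flaw itself, which matters because HMI web servers are rarely patched quickly.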
22. Hacking on PLC
Scenario #3 Direct PLC Manipulation
(Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator. Open port 2222/TCP! The attacker takes control of the PLC, modifies PLC data and disrupts PLC operation: controls valves/pumps, changes the PLC mode, and the system halts.)
23. Hacking on PLC
Summary Scenario #3 Direct PLC Manipulation
Required condition:
Port 2222/TCP is open (Allen-Bradley)
No authentication
PLC is reachable over the routed network
Consequence:
Access to the PLC’s data table
Remediation:
Enable authentication where possible
Routing control / network isolation (verify it)
25. The Implication
• Only a small number of professionals have the right competency to help you out
• Collaboration and support from the professional community are highly needed
26. Available Guidelines
• 21 Steps to Improve Cyber Security of SCADA
Networks, US-DOE
• Roadmap to Secure Control Systems in the Chemical
Sector, US-DHS
• Security Vulnerability Assessment Methodology for
the Petroleum and Petrochemical Industries, API
• ISA99 - Control Systems Security Model
• ISO27001, ISO27002 (ISO17799)
27. 21 Steps to Improve Cyber Security
of SCADA Networks, US-DOE
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose sensitive information regarding SCADA system design, operations, or security controls
28. NIST SP800-82
NIST Special Publication 800-82: Guide to Industrial
Control Systems (ICS) Security
Executive Summary
1. Introduction
2. Overview of Industrial Control Systems
3. ICS Characteristics, Threats and Vulnerabilities
4. ICS Security Program Development and Deployment
5. Network Architecture
6. ICS Security Controls
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
29. What are Industrial Control Systems (ICS), SCADA and DCS?
Industrial Control Systems are computer-based
systems that are used by many infrastructures and industries to monitor
and control sensitive processes and physical functions. Typically, control
systems collect sensor measurements and operational data from the
field, process and display this information, and relay control commands
to local or remote equipment.
There are two primary types of Control Systems.
– Distributed Control Systems (DCS) typically are used
within a single processing or generating plant or over a
small geographic area.
– Supervisory Control and Data Acquisition (SCADA)
systems typically are used for large, geographically
dispersed distribution operations.
NIST SP800-82 Final Public DRAFT (Sep. 2008)
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-82-fpd.pdf
30. Major ICS Security Objectives
• Restricting logical access to the ICS network and network
activity
– This includes using a demilitarized zone (DMZ) network architecture
with firewalls to prevent network traffic from passing directly
between the corporate and ICS networks, and having separate
authentication mechanisms and credentials for users of the
corporate and ICS networks. The ICS should also use a network
topology that has multiple layers, with the most critical
communications occurring in the most secure and reliable layer.
• Restricting physical access to the ICS network and devices
– Unauthorized physical access to components could cause serious
disruption of the ICS’s functionality. A combination of physical
access controls should be used, such as locks, card readers, and/or
guards.
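The first objective above (a DMZ between the corporate and ICS networks, with no direct traffic between them) and the "Routing control / network isolation (verify it)" remediation of Scenario #3 both come down to a flow policy that can be checked. As an added example (not from the slides or from NIST SP800-82), the script below encodes such a policy for a constructed three-zone network and audits a constructed connection log against it: corporate hosts may never reach the control zone directly, and only the HMI server may open the PLC’s 2222/TCP port. All zone names, addresses, ports and the allowed-flow table are assumptions made for the demo.

```python
"""Added example (not from the slides): a zone/flow policy check for the
network-isolation remediation of Scenario #3 and the DMZ objective on this
slide. Zones, addresses, ports and allowed flows are constructed assumptions."""
import ipaddress

# Constructed zone map: corporate LAN, DMZ, control network.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# The PLC port from the slide (2222/TCP, no authentication) and the one host
# that legitimately talks to it. Addresses are constructed.
PLC_PORT = 2222
PLC_ADDR = ipaddress.ip_address("192.168.100.10")
HMI_SERVER = ipaddress.ip_address("192.168.100.20")

# Allowed zone-to-zone flows (src_zone, dst_zone, dst_port). Corporate never
# talks to control directly; everything passes through the DMZ.
ALLOWED_FLOWS = {
    ("corporate", "dmz", 443),   # corporate users read the DMZ historian/web
    ("dmz", "control", 1433),    # DMZ historian pulls from the control DB
    ("control", "control", 2222),
    ("control", "control", 443),
}


def zone_of(addr: str) -> str:
    """Name the zone an address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate_flow(src: str, dst: str, port: int) -> tuple:
    """Return (verdict, reason) for one observed or proposed connection."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == "corporate" and dz == "control":
        return "DENY", "corporate must not reach control directly; route via DMZ"
    if ipaddress.ip_address(dst) == PLC_ADDR and port == PLC_PORT \
            and ipaddress.ip_address(src) != HMI_SERVER:
        return "DENY", "only the HMI server may open the PLC port"
    if (sz, dz, port) not in ALLOWED_FLOWS:
        return "DENY", f"no rule permits {sz}->{dz} on port {port}"
    return "ALLOW", "matches an allowed flow"


# Constructed connection log (src, dst, dst_port) as a firewall or NetFlow
# export would report it.
SAMPLE_CONNECTIONS = [
    ("192.168.100.20", "192.168.100.10", 2222),  # HMI server -> PLC: expected
    ("10.10.5.7", "192.168.100.10", 2222),       # corporate desktop -> PLC
    ("192.168.100.40", "192.168.100.10", 2222),  # other control host -> PLC
    ("10.10.5.7", "10.20.0.5", 443),             # corporate -> DMZ web
    ("10.20.0.5", "192.168.100.10", 2222),       # DMZ host -> PLC port
]


def audit(connections: list) -> list:
    """Evaluate every connection and return (src, dst, port, verdict, reason)."""
    return [(src, dst, port, *evaluate_flow(src, dst, port))
            for src, dst, port in connections]


if __name__ == "__main__":
    for src, dst, port, verdict, reason in audit(SAMPLE_CONNECTIONS):
        print(f"{verdict:5} {src:>15} -> {dst}:{port}  ({reason})")
```

Running the same check against the firewall’s actual rule base, and again against observed flows, is the "verify" part of the remediation: a policy that exists only on paper does not close the routable path to the PLC.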
31. Key Take Away to Securing ICS
The most successful method for securing an ICS is to:
• Gather industry recommended practices
• Engage in a proactive, collaborative effort between
management, the controls engineer and operator, the
IT department, the physical security department, and a
trusted automation advisor
• Draw upon the wealth of information available from
ongoing federal government, industry group, vendor
and standards organizational activities.
32. ISA 99
ISA SP-99 – Manufacturing and Control Systems Security
Scope - A Broad View
• ISA has taken a broad view:
– Based on function, not industry, type of control or other limited
views
• Includes
– SCADA/EMS
– DCS
– PLCs
– RTUs/IEDs
– Transmitters, meters, control valves, to enterprise wide HMIs, …
– Enterprise applications, to the extent they can affect control
• Not limited to one or a few industries or technologies
– In other words, a very broad encompassing definition
33. Scope of Security Standards
(Diagram: Purdue Reference Model levels mapped to the standards that cover them; labels recovered from the figure)
• Level 5 – Company Management; Data Presentation; Information
• Level 4 – Company Production Scheduling & Operational Management; Assignment
– Levels 5–4: IT Security Policies and Practices (ISO 17799)
• Level 3 – Supervisor’s Console; Inter-Area Coordination; Production Scheduling & Operational Supervision
• Level 2 – Supervisory Control; Supervisor’s Console
• Level 1 – Operator’s Console; Direct Digital Control
– Levels 3–1: Mfg Security Policies and Practices (ISA 99)
• Controllers / Process – Process Safety (ISA 84, IEC 61508, IEC 61511)
34. ISA SP-99 Part 1
• What is included in SP-99 Part 1:
– Definitions of Manufacturing and Control Systems
security terms
– Description of the terminology used in security as it
applies to Manufacturing and Control Systems
– A Common Model for specifying security requirements
for Manufacturing and Control Systems program
– Covers reference architecture for describing the
security environment
– The standard is not specific to vendors, customers, or
any particular aspect of Manufacturing and Control
Systems security
• First ballot expected by Q1 2006
35. ISA SP-99 Part 2
• What is included in SP-99 Part 2:
– Activity 1 – Develop a Business Case
– Activity 2 – Obtain Leadership Commitment, Support, and
Funding
– Activity 3 – Define the Charter and Scope of M&CS Security
for Your Company
– Activity 4 – Form a Team of Stakeholders
– Activity 5 – Raise Staff Cyber Security Capability Through
Training
– Activity 6 – Characterize the Key M&CS Risks
– Activity 7 – Define the Corporate Risk Tolerance Level
– Activity 8 – Establish High-Level Cyber Security Policies that
Support the Risk Tolerance Level
– Activity 9 – Perform a Screening Assessment
– Activity 10 – Organize for Security
– Activity 11 – Prioritize Systems and Conduct a Detailed
Security Assessment
36. ISA SP-99 Part 2, continued
• What is included in SP-99 Part 2, continued:
– Activity 12 – Develop Detailed M&CS Cyber Security Policies
& Procedures
– Activity 13 – Define Standard Set of M&CS Security Risk
Mitigation Controls
– Activity 14 – Develop Integrated Cyber Security
Management System Plan
– Activity 15 – Quick Fix
– Activity 16 – Charter, Design, & Execute Cyber Security Risk
Mitigation Projects
– Activity 17 – Refine and Implement Cyber Security
Management System
– Activity 18 – Adopt Continuous Improvement Operational
Measures
• First ballot is expected by Q3 2006
37. TR99.00.01 - Technology Areas
• Authentication and Authorization
• Filtering/Blocking/Access Control
• Encryption and Data Validation
• Audit, Measurement, Monitoring and
Detection Tools
• Operating Systems
• Physical Security
38. TR99.00.01 Authentication and Authorization
• Role Based Authorization Tools
• Password Authentication
• Challenge Response Authentication
• Physical/Token Authentication
• Smart Card Authentication
• Biometric Authentication
• Location Based Authentication
• Password Distribution and Management
Technologies
• Device to Device Authentication
40. TR99.00.01 Encryption Technologies
and Data Validation
• Symmetric (Private) Key Encryption
• Public Key Encryption and Key Distribution
• Virtual Private Networks (VPNs)
• Digital Certificates
42. TR99.00.01 Computer Software
• Server and Workstation Operating Systems
• Real-time and Embedded Operating Systems
• Web and Internet Technologies
43. Summary
• Guidelines and best practices are available
• Study and apply those related to your specific requirements and circumstances
• Keep them updated