1.
Protecting your SCADA system
against cyber security threats
17 June 2009

2.
CHAIYAKORN APIWATHANOKUL
CISSP, IRCA:ISMS, SANS GCFA
Chief Security Officer
PTT ICT Solutions
A Company of PTT Group

3.
CHAIYAKORN APIWATHANOKUL
SCADA Security
National Critical Infrastructure
Cyber Terrorist

4.
Now that the Hollywood is knocking
on your door
Chaiyakorn Apiwathanokul

5.
Transportation System
Chaiyakorn Apiwathanokul

6.
Building Automation System (BAS)
Chaiyakorn Apiwathanokul

7.
Recent in the News
24th May 2009
http://www.us-cert.gov
Chaiyakorn Apiwathanokul

8.
Chaiyakorn Apiwathanokul

9.
What is Industrial Control Systems (ICS),
SCADA and DCS?
Industrial Control Systems are computer-based
systems that are used by many infrastructures and industries to monitor
and control sensitive processes and physical functions. Typically, control
systems collect sensor measurements and operational data from the
field, process and display this information, and relay control commands
to local or remote equipment.
There are two primary types of Control Systems.
– Distributed Control Systems (DCS) typically are used
within a single processing or generating plant or over a
small geographic area.
– Supervisory Control and Data Acquisition (SCADA)
systems typically are used for large, geographically
dispersed distribution operations.
Chaiyakorn Apiwathanokul
NIST SP800-82 Final Public DRAFT (Sep. 2008)

10.
Industrial Control System
The term Industrial Control System (ICS) refers to a
broad set of control systems, which include:
SCADA (Supervisory Control and Data Acquisition)
DCS (Distributed Control System)
PCS (Process Control System)
EMS (Energy Management System)
AS (Automation System)
SIS (Safety Instrumented System)
Any other automated control system

11.
Global Incidents
• Siberia,1982 • 2002: FBI traced found
CIA’s hacker attacked the visitors routed
USSR’s pipeline operation through telecommunication
software caused a massive network of Saudi Arabia,
explosion during the Indonesia and
summer of 1982 in the Pakistan studied
controversial pipeline
delivering Siberian natural emergency
gas to Western Europe. telephone systems,
from book At the Abyss: electric
An Insider's History of the Cold War
generation, and
(Ballantine, 2004, ISBN 0-89141-821-0)
transmission,
water storage and
distribution, nuclear power
plants and haiyakorn Apiwathanokul
C gas facilities.
Key word: The Farewell Dossier http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26
Gus W. Weiss

12.
Global Incidents (cont.)
• Based on evidence collected in Afghanistan, Al
Qaeda had a “high level of interest” in DCS and
SCADA devices.
(AFI Intelligence Briefing - 28th June 2002)
– Islamic terrorism looks for new methods of attack
– 'Bombs and Bytes' The next Al Qa'ida terrorist threat
– US faces an 'electronic Pearl Harbour'
2003: Slammer Worm crashed Ohio nuke plant
network, Davis-Besse
According to a document released by the North
American Electric Reliability Council in June,
Slammer downed one utility's critical SCADA
network after moving from a corporate network,
Recovery time: through a remote computer to a VPN connection
SPDS – 4hours 50 minutes
to the control center LAN.
PPC – 6 hours 9 minutes
(http://www.securityfocus.com/news/6767)

13.
Cyber Incidents and Consequences
Chaiyakorn Apiwathanokul

14.
Italian Traffic Lights
Event: Feb, 2009 Italian
authorities investigating
unauthorized changes to traffic
enforcement system
Impact: Rise of over 1,400
Lessons learned:
traffic tickets costing > 250K
Do not underestimate the
Euros in two month period insider threat
Specifics: Engineer accused of Ensure separation of
conspiring with local authorities duties and auditing
to rig traffic lights to have
shorter yellow light causing
spike in camera enforced traffic
tickets

15.
Transportation – Road Signs
Event: Jan 2009, Texas road
signs compromised
Impact: Motorists distracted and
provided false information
Specifics: Some commercial road
signs, can be easily altered
because their instrument panels
Lessons learned: are frequently left unlocked and
Use robust physical access their default passwords are not
controls changed. "Programming is as
Change all default passwords
simple as scrolling down the menu
selection," a blog reports. "Type
Work with manufacturers to whatever you want to display … In
identify and protect password
reset procedures all likelihood, the crew will not have
changed [the password]."
15

16.
Activity Timeline of U.S.
Critical Infrastructure Protection
Chaiyakorn Apiwathanokul

17.
U.S. Critical Infrastructure Sectors
Homeland Security Presidential Directive 7 (HSPD-7) along with the National
Infrastructure Protection Plan (NIPP) identified and categorized U.S. critical
infrastructure into the following 18 CIKR sectors
• Agriculture and Food • National Monuments and
• Banking and Finance Icons
• Chemical • Nuclear Reactors,
• Commercial Facilities Materials, and Waste
• Critical Manufacturing • Postal and Shipping
• Dams • Public Health and
• Defense Industrial Healthcare
Base • Telecommunications
• Emergency Services • Transportation
• Energy • Water and Water
• Government Facilities Treatment
• Information
Technology
Many of the processes controlled by computerized control systems
have advanced to the point that they can no longer be operated
without the control system.

18.
Obama elevates the priority of
Cybersecurity concerns
May 29, 2009
U.S. President Barack Obama will
appoint a government-wide
cybersecurity coordinator and
elevate cybersecurity concerns to a
top management priority for the
U.S. government, he announced
Friday.
The White House will also develop a
new, comprehensive national
cybersecurity strategy, with help
from private experts, and it will
invest in "cutting edge"
cybersecurity research and
development, Obama said in a short Chaiyakorn Apiwathanokul
speech.

19.
Risk Drivers: Modernization and
Globalization
Connections between
Information Technology and
Control System networks
(inheriting vulnerabilities)
Shift from isolated systems to
open protocols
Access to remote sites
through the use of modems,
wireless, private, and public
networks
Shared or joint use systems
for e-commerce

20.
General Findings
Default vendor accounts and passwords still in use
Some systems unable to be changed!
Guest accounts still available
Unused software and services still on systems
No security-level agreement with peer sites
No security-level agreement with vendors
Poor patch management (or patch programs)
Extensive auto-logon capability

21.
General Findings
continued
Typical IT protections not widely used (firewalls, IDS, etc.). This
has been improving in the last 6 months
Little emphasis on reviewing security logs (Change
management)
Common use of dynamic ARP tables with no ARP monitoring
Control system use of enterprise services (DNS, etc.)
Shared passwords
Writeable shares between hosts
User permissions allow for admin level access
Direct VPN from offsite to control systems
Web enabled field devices

22.
Issue #1:
Lo Chance – Hi Impact Incident is focused more
after 9/11 incident
Impact
H High
L Low Medium
P1
P2 Probability
P3 L H
P4 • What’s never happened, may happen.
P5 • 0.0001% = POSSIBLE
P6
P7 • RISK = Likelihood x Impact

23.
Issue #1: (cont.)
Lo Chance – Hi Impact Incident is focused more
after 9/11 incident
• National Critical Infrastructure
"critical infrastructure" -- industrial sectors that are
"essential to the minimum operations of the economy and
government." – PDD63, 1998
– Telecommunications
– Energy
P1 – Banking and Finance
P2
P3 – Transportation
P4 – Water Systems
P5 – Emergency Services Chaiyakorn Apiwathanokul
P6
P7

24.
Issue #2:
A Gap of Coordination
• Different vocabulary
– ICT: “I know TCP/IP, NetBIOS, MSSQL, SAP and etc.”
– Operation: “I know Profibus, FieldBus, MODBUS,
Solenoid valve, Turbine, Hydraulic, Pneumatic and
etc.”
• SCADA/DCS could be somewhat frighteningly exciting to
ICT people. Inadequate knowledge and experience on
the system lowers the confident to provide appropriate
P1 support.
P2 • Operation people should work with IT Security
P3 Professionals from ICT Department or consultancies
P4 • Educating IT Department about Process Control & SCADA
P5 operations Chaiyakorn Apiwathanokul
P6
P7

25.
Issue #3:
Unsynchronized Technology Lifecycle
P1
P2
P3
P4
P5 Chaiyakorn Apiwathanokul
P6
P7

26.
Issue #3: (cont.)
Unsynchronized Technology Lifecycle
• ICT technology keep changing while Control System
is here to stay.
• Production processes are rarely changed.
• “We can operate as we always do.
So, WHY UPGRADE ???”
P1 • ICT equipment life is ~3-5 years
P2 • Control equipment life is ~10+ years
P3 • SCADA Security today is where enterprise security
P4 was 5-10 years ago
P5 Chaiyakorn Apiwathanokul
P6
P7

27.
Issue #4:
Sharing the SAME CHALLENGES
• The information or data from devices or controllers
shall be sent or processed at a server of that system
which could expose many possibility to attack as
follow:
– Communication Media
• Radio : Jammer
• Protocol Anomaly
– Operating System running on the server
• Microsoft Windows
• Unix
P1
– Database
P2 • MS-SQL
P3 • Oracle
P4 • System running standard Operating System is
P5 vulnerable to standard attacks Chaiyakorn Apiwathanokul
P6 – Malware/Virus/Worm/SpyWare
P7

28.
Issue #5:
We are Connected
• The operation network is somehow connected
to the corporate network or even able to
access the Internet.
Without proper
protection and control,
P1 the operation
P2 environment is truely
P3
P4 in high risk.
P5 Chaiyakorn Apiwathanokul
P6
P7

29.
Issue #6:
Is the system integrator have security in mind when
engineering the system?
• Is all possible condition properly handled?
• Ex. The engineer may knows that the reading
equipment would never yield a negative value, so
he wrote program to only handle the > 0 value.
WHAT IF…someone injects a negative value to that
P1 variable by tapping the media or at the database
P2 level? Can you tell what will happen?
P3 • Is the program running in the controller a security-
P4
P5 aware by design?
Chaiyakorn Apiwathanokul
P6
P7

30.
Issue #6: cont.
• “None of the industrial control systems used to
monitor and operate the nation's utilities and
factories were designed with security in mind.
Moreover, their very nature makes them difficult
to secure. Linking them to networks and the
public Internet only makes them harder to
protect.”
P1
P2 Said by Joseph Weiss, executive consultant for
P3 KEMA Consulting
P4
http://www.memagazine.org/backissues/dec02/features/scadavs/scadavs.html
P5 Chaiyakorn Apiwathanokul
P6
P7

31.
Issue #7:
Policy Enforcement
• People + Process + Technology
are needed to work in harmony. Sometime we
need certain technology or tool to ensure that the
defined process or policy is in good shape.
• The most vulnerable entity is “PEOPLE”. So keep
P1 them aware of what they are doing and risk they
P2 are fronting, plus the consequent damages and
P3 responsibility if they are not complied with the
P4 policy.
P5 Chaiyakorn Apiwathanokul
P6
P7

32.
Summary
• The journey began • Something to start with
• Collaboration matters • NIST SP800-82
• ISA99ANSI/ISA-99.00.01-2007
– Division / Department
Security for Industrial Automation
– Public / Private and Control Systems Part 1:
– Country / Country Terminology, Concepts, and
– Regional / Global Models
• ANSI/ISA-99.02.01-2009 Security
• The clock is ticking for Industrial Automation and
• You don’t want to say Control Systems: Establishing an
“Gossh…, I didn’t even think Industrial Automation and Control
it would happen to me.” Systems Security Program
• ISO27001,
ISO27002 (ISO17799)
Chaiyakorn Apiwathanokul

33.
Resources
• Guide to Industrial Control Systems (ICS) Security
http://csrc.nist.gov/publications/drafts/800-82/draft_sp800-
82-fpd.pdf
• Control System Security Program at US-CERT
http://www.us-cert.gov/control_systems
• Control System Security Resource and Podcast
http://www.digitalbond.com/
• http://www.tswg.gov/subgroups/ps/infrastructure-
protection/documents/21_Steps_SCADA.pdf
Chaiyakorn Apiwathanokul

34.
Chaiyakorn Apiwathanokul
34