Department of Homeland Security Control Systems Security Program
Seán Paul McGurk, Director, Control Systems Security, National Cyber Security Division, U.S. Department of Homeland Security
Overview of Control Systems
U.S. Critical Infrastructure Sectors
Many of the processes controlled by computerized control systems have advanced to the point that they can no longer be operated without the control system.

Risk Drivers: Modernization and Globalization

Vulnerability Lifecycle
January 2008: Core Security Technologies discovers a vulnerability in the CitectSCADA product and works with Citect and US-CERT.
June 2008: Citect releases patches for affected products.
June 11, 2008: US-CERT publishes a Vulnerability Note regarding the Citect buffer overflow.
September 5, 2008: Metasploit exploit code posted.
September 6, 2008: Traffic increases for the specified port.

Control Systems Site Assessments
ISA 99 Control Systems Security Model

ICS Vulnerabilities categorized by ISA99 Security Zones, Level 0-5
Data provided by

ICS Security Zones of Interest
Data provided by

ICS Security Zones of Interest

General Findings

General Findings (continued)
Cyber Incidents and Consequences
Italian Traffic Lights

Transportation – Road Signs
Event: Jan 2009, Texas road signs compromised.
Impact: Motorists distracted and provided false information.
Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."

DaimlerChrysler

Polish Trains
Event: A Polish teenager modifies a TV remote and hacks the Lodz tram system.
Impact: 12 people injured, 4 derailments.
Specifics: The 14-year-old modified a TV remote control so that it could be used to change track points. Local police said the youngster trespassed in tram depots to gather information needed to build the device. The teenager told police that he modified track settings for a prank.

Maroochy Waste Water

Browns Ferry Power Plant

Hatch Nuclear Power Plant
… there was full two-way communication between certain computers on the plant's corporate and control networks.
Event: A software update caused the control system to initiate a plant shutdown.
Impact: The plant was shut down for 48 hours.
Specifics: An engineer installed a software update on a computer operating on the plant's business network. When the updated computer rebooted, it reset the data on the control system, causing safety systems to errantly interpret the lack of data as a drop in coolant water reservoirs.
Recovery time: 48 hours

Davis Besse Nuclear Power Plant

Olympic Pipeline Explosion
Photo by David Willoughby, copyright Bellingham Herald

Arizona Salt River Project

Big Bang Experiment is Hacked

Space Station – Air Gap Bridged
Event: Aug. 2008, viruses intended to steal passwords and send them to a remote server infected laptops on the International Space Station (again).
Impact: Created a "nuisance" to non-critical space station laptops.
Specifics: The virus did make it onto more than one laptop, suggesting that it spread via some sort of intranet on the space station or via a thumb drive.

Highlights

Functional Areas

ICS-CERT

Cyber Security Self Assessment Tools

Recommended Practices for Cyber Forensics for Control Systems

Control Systems Security Publications

Standards Improvement

Education & Training
*IOSS first place award

Industrial Control Systems Partnerships

Cyber Security is a Shared Responsibility
Report cyber incidents and vulnerabilities: www.us-cert.gov
Or send email to: [email_address], [email_address]
Or call: 888-282-0870
Get more information at: www.us-cert.gov/control_systems
 
Partnerships – Industry
Definition - Industrial Control System

Los Angeles Traffic Lights

Texas City Explosion 3/23/05
Event: An explosion occurred during the restart of a hydrocarbon isomerization unit.
Impact: 15 workers killed, 180 injured.
Specifics: At approximately 1:20 p.m. on March 23, 2005, a series of explosions occurred at the BP Texas City refinery during the restarting of a hydrocarbon isomerization unit. Fifteen workers were killed and 180 others were injured. The explosions occurred when a distillation tower flooded with hydrocarbons and was over-pressurized, causing a geyser-like release from the vent stack.

CSX Train Signaling System

Taum Sauk Water Storage Dam Failure

Recommended Practices
http://csrp.inl.gov/Recommended_Practices.html

Significance of ICS

Industrial Control Systems

Harrisburg Pennsylvania Water System

Injustice - Developers Among Us (SciFiDevCon 2024)
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

DHS ICS Security Presentation

  • 13. Cyber Incidents and Consequences
  • 35. Cyber Security is a Shared Responsibility. Report cyber incidents and vulnerabilities at www.us-cert.gov, by email to [email_address] or [email_address], or by phone at 888-282-0870. Get more information at: www.us-cert.gov/control_systems

Editor's notes (speaker notes)

  2. What are the critical infrastructure sectors? Homeland Security Presidential Directive 7 (HSPD-7), along with the National Infrastructure Protection Plan (NIPP), identified and categorized U.S. critical infrastructure into the following 18 critical infrastructure sectors and key resources, referred to as CI/KR: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials, and Waste; Postal and Shipping; Public Health and Healthcare; Telecommunications; Transportation; Water. Many are fully automated and cannot function when the control system is not operational.
  3. Increasing threat prevalence. The risk of successful cyber attacks on control systems is increasing due to several factors:
     - Industry pressure to downsize, streamline, automate, and cut costs to maintain profit margins, resulting in connections between IT and SCADA networks. In the electric power industry, for example, deregulation led to more interconnectedness as executives sought more information from control systems to help make output and pricing decisions. Manufacturing executives wanted real-time information from assembly lines, for instance, to monitor how efficiently their factories were running. Ultimately, this meant many control systems were connected to the Internet.
     - The shift from proprietary mainframe-based control systems to distributed systems using open protocols and standards, and the expanded use of public protocols to interconnect previously isolated networks.
     - The trend towards web-based SCADA management platforms and network-enabled field devices, and reliance on the Internet rather than expensive private telecommunications links to carry SCADA messages.
     - Increased access and interconnectivity to remote sites through the Internet.
     - Shared or joint-use systems. Numerous corporations have created shared or joint-use systems for e-commerce. Failure of even one of these systems not only affects a member of the shared service, but can percolate throughout the entire infrastructure, creating a sizeable vulnerability.
  4. Vulnerabilities by location in the ISA99 model (share of findings; figures in parentheses are the additional rounded values given in the original notes):

     Level 5 - Internet DMZ zone                 16.90%
     Level 4 - Enterprise LAN zone               24.70%   (25%)
     Level 3 - Operations DMZ                    46.30%   (48%)
     Level 2 - Supervisory HMI LAN               11.80%
     Level 1 - Controller LAN                     0.30%
     Level 0 - Instrumentation bus network        0.00%

     Further breakdown of host and application vulnerabilities at Level 3:

     Email server applications                    5.50%
     Web server platforms (Apache and IIS)       41.40%   (48%)
     Business applications                       15.30%
     Shopping cart applications                   1.10%
     Applications written on the PHP platform     1.50%
     Applications written on ASP or .NET          2.30%
     Database servers (MS SQL, MySQL, and Oracle) 19.80%   (20%)
     FTP servers                                  3.80%
     Portal servers (blogs and forums)            3.30%
     Workstation (client) vulnerabilities         6.00%
  5. Notice that a large number of vulnerabilities were still discovered in the Internet-facing systems and on the Enterprise LAN, which can provide an entry point into the lower levels of the SCADA or control system. The data in the tables and charts above makes sense and exposes issues we would expect to see. For example, the number of email application vulnerabilities is highest in the network area closest to the Internet, and as you get deeper into the network these email vulnerabilities drop off.
  6. Note that the majority of the vulnerabilities are due to misconfigured web server applications and database servers.
  7. The major issue is the migration to Windows platforms without proper patch management procedures within the ICS domains.
  8. Field visit general findings:
     - Default vendor accounts and passwords do exist in the real world. User and password management is definitely a task; however, an organized approach can lessen the pain and frustration.
     - SCADA systems should not use the corporate services, and probably should not be using dynamic services (DHCP, dynamic ARP, dynamic routes) at all. If A is the only host that talks to B, why does the rest of the network even need to know that B exists?
     - We have seen architectures where a wire goes directly from one SCADA system to its peer (backup) site. What is the backup site's posture? You have a right to know. Remember, you are running from a bear: you want to be faster and less tasty than the guy behind you.
     - Poor software patch management. The message from vendors sometimes seems to be: patch at your own peril. Part of the problem is that it is difficult to test patches (or any other security technology) in an actual control system environment because of the requirement for 100 percent availability and predictable performance. Another issue is that vendors sometimes approve patches for only certain versions of software. Patches can interrupt the real-time functioning of the operating system with negative consequences, so they are often not applied. Control systems cannot easily be brought down for the endless operating system patches that abound these days; it would be like changing a tire at 70 mph.
     - Limited device processing power. Unlike a typical corporate IT network, in which hundreds (or thousands) of PCs, servers, and other devices are packed with processing power and memory, allowing cyber security professionals to apply the latest security technologies without much adverse effect on the network, many legacy control systems still run on Intel 8088, 286 and 386 processors. These processors are adequate for the functions they have, but may not be able to support the additional burden imposed by authentication and encryption.
  9. More general findings:
     - The goals of availability, reliability, and safety in control systems conflict with IT security practice, which prioritizes confidentiality, integrity, and availability in that order. Developing security policies is not something control systems staff are familiar with, and control system and IT staff frequently do not work together to establish appropriate security policies.
     - Sharing passwords is common. Two-factor authentication is hard to use under plant working conditions (dirty hands impede fingerprint readers, safety goggles impede iris scanning), and safety concerns rule out authentication lock-out schemes. Shared passwords are common due in part to the difficulty of managing password policy over a large number of remote devices, and to the need for operators to reach control screens quickly in an emergency without having to think about what the latest password is.
     - Antivirus software and firewalls are not always used; intrusion detection software is used even less. The trend toward higher efficiency results in staff cutbacks and often little emphasis on reviewing security logs.
     - Use of dynamic ARP tables with no ARP monitoring, which leaves systems open to ARP cache poisoning and man-in-the-middle attacks. (ARP, the Address Resolution Protocol, is used by IP to map network addresses to the hardware addresses used by the data link protocol.)
     - Unused software still on systems. Any software on a system adds to the threat of exploitation. If the software is not being actively used, it is probably not being kept patched or otherwise up to date, increasing the chance that vulnerabilities could be exploited.
     - Unused services still active. Services or protocols typically used on the Internet are likely to have exploits that can be carried out against them. Hardening the system by disabling or removing them closes down one more avenue of attack.
     - Writeable shares between hosts.
     - Direct VPN from off site allowed into the control system network.
     - Web-enabled field devices.
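The finding about dynamic ARP tables with no ARP monitoring is the one a practitioner can act on immediately, because a controller LAN is small and static enough that the full IP-to-MAC inventory can be written down. The following is an added example, not code from the presentation or from DHS: it replays constructed ARP replies (the fields a passive sniffer such as arpwatch records) against an assumed baseline and flags the two signatures of cache poisoning, an IP answered by the wrong MAC and one MAC answering for several IPs. The devices, addresses and MACs are invented for illustration.

```python
"""ARP baseline monitor for a small, static control-system segment.

Added example; not code from the DHS presentation. All addresses, MACs
and observed replies below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed inventory of the controller LAN (assumed, not real devices).
BASELINE = {
    "10.20.1.10": "00:1b:1b:aa:00:10",  # HMI workstation
    "10.20.1.20": "00:1b:1b:aa:00:20",  # historian
    "10.20.1.50": "00:80:f4:cc:00:50",  # PLC
}

# Constructed sample of observed ARP replies as (timestamp, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (1, "10.20.1.10", "00:1b:1b:aa:00:10"),   # normal
    (2, "10.20.1.50", "00:80:f4:cc:00:50"),   # normal
    (3, "10.20.1.50", "00:0c:29:de:ad:01"),   # rogue host answers for the PLC's IP
    (4, "10.20.1.20", "00:0c:29:de:ad:01"),   # same rogue MAC answers for the historian
    (5, "10.20.1.99", "00:0c:29:de:ad:02"),   # IP that is not in the inventory at all
]


@dataclass(frozen=True)
class Alert:
    kind: str    # mac_mismatch | unknown_ip | mac_claims_multiple_ips
    ip: str
    mac: str
    detail: str


def check_replies(baseline, replies):
    """Return alerts for ARP replies that disagree with the baseline."""
    alerts = []
    ips_by_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        expected = baseline.get(ip)
        if expected is None:
            alerts.append(Alert("unknown_ip", ip, mac, f"t={ts}: IP not in baseline"))
        elif mac != expected.lower():
            alerts.append(Alert("mac_mismatch", ip, mac,
                                f"t={ts}: baseline MAC for {ip} is {expected}"))
    # One MAC answering for several IPs is the classic poisoning signature:
    # the attacker's interface claims both ends of the conversation it wants
    # to sit between.
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(Alert("mac_claims_multiple_ips", ",".join(sorted(ips)), mac,
                                f"{len(ips)} IPs claimed by one MAC"))
    return alerts


def static_arp_commands(baseline):
    """Mitigation: pin the baseline as static ARP entries (Linux `arp -s` syntax)."""
    return [f"arp -s {ip} {mac}" for ip, mac in baseline.items()]


if __name__ == "__main__":
    for a in check_replies(BASELINE, SAMPLE_REPLIES):
        print(f"{a.kind:25s} ip={a.ip} mac={a.mac} {a.detail}")
    print("\n".join(static_arp_commands(BASELINE)))
```

The mismatch check alone would miss a rogue host that only ever answers for one victim, so the per-MAC aggregation is kept even though it fires once per run rather than per reply. Static entries are the cheapest fix on the hosts themselves; they do need to be reissued whenever a PLC or HMI network card is replaced, which is exactly the kind of change a controller-LAN inventory should be tracking anyway.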
  10. According to several published reports, in August 2006 two Los Angeles city employees hacked into computers controlling the city's traffic lights and disrupted signal lights at four intersections, causing substantial backups and delays. The attacks were launched hours before an anticipated job action by members of the Engineers and Architects Assn., which represents the engineers who run and maintain the city's traffic center. It took four days to get the traffic control system fully operational afterward, and the incident underscored the vulnerability of L.A.'s complex system. The breach, reported on Aug. 21, 2006 between 9:10 and 9:30 p.m., involved sending computer commands that disconnected four signal control boxes at critical intersections: Sky Way and World Way at LAX; Coldwater Canyon Avenue and Riverside Drive in the San Fernando Valley; Alvarado Street and Glendale Boulevard at Berkeley Avenue in Echo Park; and 1st and Alameda streets.
  11. In August 2005, a round of Internet worm infections knocked 13 of DaimlerChrysler's U.S. automobile manufacturing plants offline for almost an hour, leaving workers idle as infected Microsoft Windows systems were patched. Zotob and its variants, which exploited holes in the Windows Plug and Play service, also caused computer outages at heavy-equipment maker Caterpillar Inc., aircraft maker Boeing, and several large U.S. news organizations. According to company spokesperson Dave Elshoff, quoted by eWEEK, plants in Illinois, Indiana, Wisconsin, Ohio, Delaware and Michigan were knocked offline at around 3:00 PM on a Tuesday, stopping vehicle production at those plants for up to 50 minutes and stranding some 50,000 auto workers. The company patched the affected Windows 2000 systems but was still mopping up after the attack and did not know whether deliveries from parts suppliers, who were also affected, might be delayed.
  12. A Polish teenager allegedly turned the tram system in the city of Lodz into his own personal train set, triggering chaos and derailing four vehicles in the process. Twelve people were injured in one of the incidents. The 14-year-old modified a TV remote control so that it could be used to change track points, The Telegraph reports. Local police said the youngster trespassed in tram depots to gather the information needed to build the device. The teenager told police that he modified track settings as a prank. "He studied the trams and the tracks for a long time and then built a device that looked like a TV remote control and used it to manoeuvre the trams and the tracks," said Miroslaw Micor, a spokesman for Lodz police. "He had converted the television control into a device capable of controlling all the junctions on the line and wrote in the pages of a school exercise book where the best junctions were to move trams around and what signals to change. He treated it like any other schoolboy might a giant train set, but it was lucky nobody was killed. Four trams were derailed, and others had to make emergency stops that left passengers hurt. He clearly did not think about the consequences of his actions," Micor added. Transport command and control systems are commonly designed by engineers with little exposure to or knowledge of security, using commodity electronics and a little native wit. The apparent ease with which Lodz's tram network was hacked, even by these low standards, is still a bit of an eye opener. Problems with the signalling system on Lodz's tram network became apparent on Tuesday when a driver attempting to steer his vehicle to the right was involuntarily taken to the left. As a result the rear wagon of the train jumped the rails and collided with another passing tram. Transport staff immediately suspected outside interference. The youth, described by his teachers as an electronics buff and exemplary student, faces charges at a special juvenile court of endangering public safety.
  13. Case 2: Maroochy waste water attack. In March 2000, Vitek Boden, a former employee of the company that produced the plant's remote control and telemetry equipment, remotely attacked the SCADA system in order to release hundreds of thousands of gallons of untreated sewage along Australia's Sunshine Coast, where it contaminated parks, rivers and the grounds of a hotel.
     Industry: Water treatment. Location: Maroochy Shire, Queensland, Australia.
     Event: Hundreds of thousands of gallons of untreated sewage intentionally released into parks, rivers, and hotel grounds.
     Impact: Loss of marine life, public health jeopardized, $200,000 in cleanup and monitoring costs.
  14. In August 2006, two circulation pumps at Unit 3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing the unit to be shut down manually. The failure of the pumps was traced to excessive traffic on the control system network, possibly caused by the failure of another control system device. As control systems become increasingly interconnected with other networks and the Internet, and as the system capabilities continue to increase, so do the threats, potential vulnerabilities, types of attacks, and consequences of compromising these critical systems.
  15. A nuclear power plant shut down for 48 hours after a software update was installed on a single computer. The incident occurred at Unit 2 of the Hatch nuclear power plant near Baxley, Georgia. An engineer from Southern Company, which manages the technology operations for the plant, installed a software update on a computer on the plant's business network. The computer was used to monitor chemical and diagnostic data from one of the facility's primary control systems, and the update was designed to synchronize data on both systems. According to the report filed with the Nuclear Regulatory Commission, when the updated computer rebooted it reset the data on the control system, causing safety systems to interpret the lack of data as a drop in the water reservoirs that cool the plant's radioactive fuel rods. As a result, automated safety systems at the plant triggered a shutdown. Southern Company spokeswoman Carrie Phillips said the plant's emergency systems performed as designed, and that at no time did the malfunction endanger the security or safety of the facility. Phillips explained that company technicians were aware that there was full two-way communication between certain computers on the plant's corporate and control networks, but the engineer who installed the update was not aware that the software was designed to synchronize data between machines on both networks, or that a reboot of the business-network computer would force a similar reset of the control system machine.
  16. The Slammer worm entered the Davis-Besse plant through a circuitous route. It began by penetrating the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network. The T1 line, investigators later found, was one of multiple ingresses into Davis-Besse's business network that completely bypassed the plant's firewall, which was programmed to block the port Slammer used to spread. "This is in essence a backdoor from the Internet to the Corporate internal network that was not monitored by Corporate personnel," reads the April NRC filing by FirstEnergy's Dale Wuokko. "[S]ome people in Corporate's Network Services department were aware of this T1 connection and some were not." Users noticed slow performance on Davis-Besse's business network at 9:00 a.m. on Saturday, January 25th, at the same time Slammer began hitting networks around the world. From the business network, the worm spread to the plant network, where it found purchase in at least one unpatched Windows server. According to the reports, plant computer engineers had not installed the patch for the MS-SQL vulnerability that Slammer exploited; in fact, they did not know there was a patch, which Microsoft had released six months before Slammer struck. By 4:00 p.m., power plant workers noticed a slowdown on the plant network. At 4:50 p.m., the congestion created by the worm's scanning crashed the plant's computerized display panel, the Safety Parameter Display System (SPDS). An SPDS monitors the most crucial safety indicators at a plant, such as coolant systems, core temperature sensors, and external radiation sensors. Many of those continue to require careful monitoring even while a plant is offline, says one expert, and an SPDS outage lasting eight hours or more requires that the NRC be notified. At 5:13 p.m., another, less critical, monitoring system called the Plant Process Computer (PPC) crashed. Both systems had redundant analog backups that were unaffected by the worm, but "the unavailability of the SPDS and the PPC was burdensome on the operators," notes the March advisory. It took four hours and fifty minutes to restore the SPDS, and six hours and nine minutes to get the PPC working again.
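The Davis-Besse chain is worth turning into a detection check, because the SPDS did not crash from an exploit against it; it crashed from the traffic of one infected host spraying single UDP datagrams at port 1434 of random addresses as fast as its link allowed. That pattern is visible in flow records as one source reaching an abnormal number of distinct destinations on one port inside a short window. The following is an added example, not code from the presentation or the NRC filings: a small flow parser and a per-source distinct-destination detector run over a constructed flow export. The hosts, window size and threshold are assumptions.

```python
"""Scan-burst detection over flow records.

Added example; not code from the DHS presentation. The flow export, hosts,
window and threshold are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds (constructed clock)
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow export in the form "ts src dst proto dport bytes"; lines
# starting with '#' are comments. A benign host does a few DNS lookups and one
# SMB session; a second host sends one datagram to each of 40 addresses on
# udp/1434 within a single second, the way a Slammer-infected host would.
SAMPLE_FLOWS = "\n".join(
    ["# ts src dst proto dport bytes"]
    + [f"1000 10.1.5.23 10.1.5.{i} udp 53 80" for i in (1, 2, 3)]
    + ["1000 10.1.5.23 10.1.5.1 tcp 445 1200"]
    + [f"1001 10.1.7.77 10.1.8.{i} udp 1434 404" for i in range(1, 41)]
)


def parse_flows(text):
    """Parse the constructed flow format; skip comments and malformed lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, _nbytes = parts
        flows.append(Flow(int(ts), src, dst, proto.lower(), int(dport)))
    return flows


def detect_scan_bursts(flows, window=60, threshold=20):
    """Flag (src, proto, dport) touching >= threshold distinct dsts in one window.

    Distinct destinations, not packet count, is the signal: a chatty but
    legitimate client hits the same few servers repeatedly, while a worm
    spraying random addresses hits each one once.
    """
    seen = defaultdict(set)   # (window_start, src, proto, dport) -> {dst}
    for f in flows:
        bucket = f.ts - f.ts % window
        seen[(bucket, f.src, f.proto, f.dport)].add(f.dst)
    alerts = []
    for (bucket, src, proto, dport), dsts in sorted(seen.items()):
        if len(dsts) >= threshold:
            alerts.append({"window_start": bucket, "src": src, "proto": proto,
                           "dport": dport, "distinct_dst": len(dsts)})
    return alerts


if __name__ == "__main__":
    for a in detect_scan_bursts(parse_flows(SAMPLE_FLOWS)):
        print(a)
```

Run against a real export, the threshold has to be set from the plant network's own baseline: a historian polling forty PLCs on one port every minute is legitimate and will look exactly like this, so the allow-list of known pollers is part of the detector, not an afterthought. The other lesson from the filing is that the detector must see the T1 link that bypassed the firewall; a sensor that only watches the firewall's interfaces would have been blind to the initial entry.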
  17. Case 1: Olympic Pipeline explosion. At about 3:28 p.m. Pacific daylight time on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1-1/2 hours after the rupture, the gasoline ignited and burned approximately 1-1/2 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident; eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million.
     Industry: Gasoline pipeline. Location: Bellingham, WA, USA.
     Event: 16-inch gasoline pipeline explosion and fire, exacerbated by the inability of the SCADA system to perform control and monitoring functions.
     Impact: 3 fatalities, property damage >$45M, matching fines of $7.86 million each to Olympic Pipeline Company and Shell Pipeline Co. (formerly Equilon Pipeline Company, LLC), along with jail time served.
     Sequence of events:
     - The inlet block valve on the pipeline had unexpectedly closed 41 times before the accident, caused by fluctuating pressures and resulting in upstream pressure spikes with each event.
     - Before the accident, controllers had used SCADA system commands to open the block valve and stabilize the pressure.
     - On the day of the accident, system administrators were making alterations to the historical database while the system was on-line.
     - When the block valve unexpectedly closed during the fuel transfer operation, the SCADA system was non-responsive.
     - The pipe over-pressurized and ruptured, but the rupture went undetected for 61 minutes while the system was being cleared.
  18. In 1994, a 27-year-old hacker gained unauthorized access to the computer network of the Salt River Project (SRP) in Arizona. This incident has been widely misreported as a 12-year-old hacker who broke into the computer network for the Roosevelt Dam in Arizona in 1998. The actual incident involved a programmer and software developer named Lane Jarrett Davis who, using a dial-up modem, was able to break into the SRP network with the intention of retrieving billing information. According to reports, Mr. Davis dialed into the server that monitored the water levels of canals in the Phoenix area. At the time of the incident, the SRP water SCADA system operated a 131-mile canal system used to deliver water to customers. The data vulnerable during the intrusions included monitoring and delivery information for water and power processes, in addition to financial and customer data. The data actually taken or altered included login and password files and computer system log files. SRP estimated losses at $40,000, not including lost productivity due to the compromise. At the time of the incident, Mr. Davis had an associate's degree in computer science and believed that he had the right to pursue his intellectual freedom through his hacking activities.
  19. [Photo caption: A technician navigates the nearly 17-mile tunnel that houses the Large Hadron Collider.] While the SRP incident occurred nearly 14 years ago, more recent incidents have demonstrated an increased interest in cyber attacks on control systems. Earlier this month, on September 12, computer hackers broke into the Large Hadron Collider, a gigantic particle accelerator located 330 feet underground along the French-Swiss border. Considered one of the world's largest physics experiments to date, it was built by the European Organization for Nuclear Research (CERN) to recreate conditions just after the Big Bang. The hackers targeted the Compact Muon Solenoid Experiment, or CMS, one of the experiments at the facility that will be analyzing the fallout of the Big Bang. Reports indicate that they posted a message on the facility's website which read "GSI - Greek Security Team." "There seems to be no harm done. From what they can tell, it was someone making the point that CMS was hackable," said James Gillies, spokesman for CERN. He further indicated that the attack was quickly detected and mitigated. While the damage has been downplayed to what appears to be a harmless web defacement, scientists working at CERN expressed concern over what the hackers could have done, as they were "one step away" from the computer control system of one of the machine's huge detectors, a solenoid magnet weighing 12,500 tons [1]. According to CERN, this magnet takes the form of a cylindrical coil of superconducting cable that generates a magnetic field of 4 teslas, about 100,000 times that of the Earth. CERN, like many organizations, employs a vast number of control systems to monitor and run its vital processes and infrastructure. While this attack resulted in little more than embarrassment, a successful attack on these systems could have far-reaching consequences. These incidents underscore the important mission of increasing awareness of the security issues affecting process control systems and providing mitigation strategies for securing critical infrastructure. [1] http://www.telegraph.co.uk/earth/main.jhtml?view=DETAILS&grid=&xml=/earth/2008/09/12/scicern212.xml
  20. "Virus Infects Space Station Laptops (Again)", by Ryan Singel, August 26, 2008, 1:22:55 PM, category: Hacks and Cracks.
  21. Control systems are currently changing course, and mitigations are needed to protect them along the way. Control system security can no longer hide behind proprietary configurations and special training: open systems and protocols have changed that. Control systems are no longer isolated from corporate and other networks. Hackers are smart, and the prevalence of information available via the Internet makes attacks on control systems similar to IT attacks. Control systems are migrating away from their traditional shared and unrestricted configurations to more secure ones.
  22. Examples of products and tools that have been developed and made available to industry are listed here. CS2SAT, the Control System Cyber Security Self-Assessment Tool, helps owners and operators evaluate the security posture of their control system and provides recommendations on how security can be improved. Also listed: Recommended Practices and current information.
  23. CSSP utilizes the expertise and facilities of the National Laboratories to evaluate vendor control systems and components. The cyber security test beds can be set up with all of the input and output requirements of, and can run, a small SCADA or process control system. CSSP has teamed with SCADA and control system vendors through Non-Disclosure Agreements (NDAs) and Cooperative Research and Development Agreements to test their systems. A team of control system engineers and cyber researchers works within an agreed test plan to identify vulnerabilities. Those vulnerabilities are then reported back to the vendor, who (if possible) develops patches and mitigations for them. As vendors provide their customers with patches and "new and improved" control systems, the security of the critical infrastructure is improved. The government benefits as well by gaining a better understanding of the strengths and weaknesses of the control systems.
  25. The SCADA Procurement Project, established in March 2006, is a joint effort among the public and private sectors focused on the development of common procurement language that can be used by everyone. The goal is for federal, state and local asset owners and regulators to come together using these procurement requirements and to maximize their collective buying power to help ensure that security is integrated into SCADA systems. Control system security vulnerabilities are often inadvertently introduced because the customer did not specify appropriate security attributes in the procurement process. By using the Cyber Security Procurement Language for Control Systems guidance when a control system is purchased or upgraded, many cyber security vulnerabilities will be addressed and possibly prevented. The document enables asset owners to request security "built in" rather than "bolted on." It has been developed with the assistance and review of over 170 control system asset owners and vendor representatives. DHS worked closely with the MS-ISAC, the SANS Institute, the Department of Energy, INL, and other government and industry officials on the project, which has received positive feedback from users, averaging more than 450 downloads per month from the MS-ISAC website since it was posted in January 2007.
27. NSTB Standards Improvement task http://www.inl.gov/scada/standards/index.shtml
While cyber security standards are available to address cyber security of Information Technology (IT) systems, few technical Control System cyber security standards have been released at this time. NSTB work includes supporting the development of industry standards covering cyber security of control systems. The NSTB program participated in the formal review of the following standards:
- IEC 62443, Security for Industrial Process Measurement and Control, DRAFT
- ISA-99.00.01, Security for Industrial Automation and Control Systems, Part 1: Concepts, Terminology and Models, DRAFT
- ISA-99.00.02, Security for Industrial Automation and Control Systems, Part 2: Establishing an Industrial Automation and Control System Security Program, DRAFT
- NERC Standard CIP-002 through -009, Cyber Security, June 2006
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, RELEASED February 2005, Revision 1 DRAFT
- NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security, DRAFT
Work to date includes the identification and comparison of standards that are appropriate repositories of relevant guidance. The results of that study are available in two reports: A Comparison of Cross-Sector Cyber Security Standards (http://www.inl.gov/scada/publications/d/a_comparison_of_cross-sector_cyber_security_standards.pdf) and A Summary of Control System Security Standards Activities in the Energy Sector (http://www.inl.gov/scada/publications/d/a_summary_of_control_system_security_standards_activities_in_the_energy_sector.pdf). Ongoing efforts in the standards area also include a detailed analysis of the topics and level of coverage contained in the standards identified in the reports. The following standards are applicable to Control System cyber security:
- AGA Report No. 12, Cryptographic Protection of SCADA Communications, Part 1: Background, Policies and Test Plan, American Gas Association, March 2006 http://www.aga.org/Content/ContentGroups/Operations_and_Engineering2/Infrastructure_Security1/AGA12.pdf
- API Standard 1164, Pipeline SCADA Security, September 2004 http://www.techstreet.com/cgi-bin/detail?product_id=1175186
- Guidance for Addressing Cybersecurity in the Chemical Industry, Version 3.0, May 2006 (The CIDX Cyber Security Initiative was consolidated into the Chemical Sector Cyber Security Program under the Chemical Information Technology Council in 2006.) http://www.chemicalcybersecurity.com/cybersecurity_tools/guidance_docs.cfm
- IEC 61850-SER, Communication Networks and Systems in Substations http://webstore.ansi.org/ansidocstore/product.asp?sku=IEC+61850%2DSER+Ed%2E+1%2E0+en%3A2005
- IEC 60870-6, Telecontrol Equipment and Systems Part 6: Telecontrol protocols compatible with ISO standards and ITU-T recommendations (Also referred to as IEC standard TASE.2) http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=TASE.2
- IEC 62351-1, Data and Communications Security, Introduction, DRAFT http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=E&wwwprog=sea22.p&search=iecnumber&header=IEC&pubno=62351&part=1&se=&submit=Submit
- IEC 62443, Security for Industrial Process Measurement and Control, DRAFT http://www.iec.ch/cgi-bin/procgi.pl/www/iecwww.p?wwwlang=E&wwwprog=sea22.p&search=iecnumber&header=IEC&pubno=62443&part=&se=&submit=Submit
- IEC TR 62210, Power system control and associated communications - Data and communication security, May 2003 http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=(%5BHead_Number%5D=%221%22)%20AND%20(%5BDocument_Name%5D%20CONTAINS%20%22TR%2062210%22)
- IEEE Std 1402-2000, IEEE Guide for Electric Power Substation Physical and Electronic Security, January 2000 http://shop.ieee.org/ieeestore/Product.aspx?product_no=SS94822
- ISA-99.00.01, Security for Industrial Automation and Control Systems, Part 1: Concepts, Terminology and Models, DRAFT
- ISA-99.00.02, Security for Industrial Automation and Control Systems, Part 2: Establishing an Industrial Automation and Control System Security Program, DRAFT
- ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems, March 2004 http://www.isa.org/Template.cfm?Section=Find_Standards&Template=/Ecommerce/ProductDisplay.cfm&Productid=7372
- ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing and Control Systems Environment, April 2004 http://www.isa.org/Template.cfm?Section=Shop_ISA&Template=/Ecommerce/ProductDisplay.cfm&Productid=7380
- ISO/IEC 17799, Information technology - Code of practice for information security management, June 2005 http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=(%5BHead_Number%5D=%227%22)%20AND%20(%5BDocument_Name%5D%20CONTAINS%20%2217799%22)
- ISO/IEC 27001, Information technology - Security techniques - Information security management systems - Requirements, October 2005 http://webstore.iec.ch/webstore/webstore.nsf/searchview/?searchView=&SearchOrder=4&SearchWV=TRUE&SearchMax=1000&Submit=OK&Query=(%5BHead_Number%5D=%227%22)%20AND%20(%5BDocument_Name%5D%20CONTAINS%20%2227001%22)
- NERC Standard CIP-002 through -009, Cyber Security, June 2006 http://www.nerc.com/~filez/standards/Reliability_Standards.html
- NERC Security Guidelines for the Electricity Sector: Control System - Business Network Electronic Connectivity, May 2005 http://www.esisac.com/publicdocs/Guides/SecGuide_ElectronicSec_BOTapprvd3may05.pdf
- NERC Security Guidelines for the Electricity Sector: Vulnerability and Risk Assessment, June 2002 http://www.esisac.com/publicdocs/Guides/V1-VulnerabilityAssessment.pdf
- NIST System Protection Profile - Industrial Control Systems, April 2004 http://www.isd.mel.nist.gov/projects/processcontrol/SPP-ICSv1.0.pdf
- NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, RELEASED February 2005, Revision 1, DRAFT http://csrc.nist.gov/publications/nistpubs/
- NIST Special Publication 800-82, Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System Security, DRAFT
28. Two web based training courses developed by NCSD CSSP are available through the Control Systems Security web site located at US-CERT. Over 1500 people have taken our web based training since April 2007. The Cyber Security for Control Systems Engineers and Operators course consists of five lessons covering threats, risks, cyber attacks, risk assessments and mitigations for control systems. It can be completed in less than an hour. Since it became available in March 2007, over a thousand people have taken the course. Several companies and government organizations are asking their employees to take the training as a requirement in their personal training plan. The OPSEC for Control Systems web based course introduces control system employees to the basic concepts of operations security (OPSEC) and applies these concepts to the control system environment. There are interactive exercises where you explore different environments, such as the office, home, and travel, to discover problems. You even have the opportunity to play the "bad guy" and try to disrupt a competitor's manufacturing process.
29. The resources of the various federal agencies and private partners have enabled us to address vulnerabilities associated with Industrial Control Systems across the critical infrastructure and key resources sectors. From the partnership programs between our local Protective Security Advisors and asset owners/operators to the information sharing and analysis that is conducted by various organizations, we are looking to leverage all available assets in order to ensure we address cyber security and the industrial control environment.
30. The CSSP facilitates and coordinates the Control Systems Cyber Security Vendor's Forum monthly conference calls and periodic meetings. The vendors represent a majority of the control systems community within the US infrastructure and have global facilities and operations. This forum allows for:
- Vendors sharing security concerns and challenges
- Vendors sharing and implementing security globally
- Vendors understanding the importance of security and reaching out to the private sector
- Vendors developing a unified message related to control systems security
31. According to several published reports, in August 2006, two Los Angeles city employees hacked into computers controlling the city's traffic lights and disrupted signal lights at four intersections, causing substantial backups and delays. The attacks were launched prior to an anticipated labor protest by the employees. The illegal access occurred hours before a job action in August 2006 by members of the Engineers and Architects Assn., which represents the engineers who run and maintain the city's traffic center. It took four days to get the traffic control system fully operational afterward, which underscored the vulnerability of L.A.'s complex system. The breach, reported on Aug. 21, 2006 between 9:10 and 9:30 p.m., involved sending computer commands that disconnected four signal control boxes at critical intersections: Sky Way and World Way at LAX; Coldwater Canyon Avenue and Riverside Drive in the San Fernando Valley; Alvarado Street and Glendale Boulevard at Berkeley Avenue in Echo Park; and 1st and Alameda streets.
32. Gauge-in-error assumed correct. Accurate gauge assumed wrong. 15 dead, 170 injured, economic losses in excess of $1.5 billion, $50 million fine (Chemical Safety Board).
  33. In August 2003, the Sobig computer virus was blamed for shutting down train signaling systems throughout the East Coast of the United States. The virus infected the computer system at CSX Corporation’s Jacksonville, Florida, headquarters, shutting down signaling, dispatching, and other systems. According to an Amtrak spokesman, 10 Amtrak trains were affected. Train service was either shut down or delayed up to 6 hours.
  34. In December 2005, the Taum Sauk Water Storage Dam, approximately 100 miles south of St. Louis, Missouri, suffered a catastrophic failure, releasing a billion gallons of water. According to the dam’s operator, the incident may have occurred because the gauges at the dam read differently than the gauges at the dam’s remote monitoring station.
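Slides 32 and 34 share one lesson: when two gauges disagree, the wrong one was trusted. The presentation does not prescribe a fix; the following is an added example (not DHS or plant code) of the kind of cross-check a control engineer can put in front of a level-based decision, so that disagreement between a local gauge and the reading seen at a remote monitoring station raises an alarm instead of silently picking one value. The sensor values, tolerance, high limit and the field names `local_ft`/`remote_ft` are all constructed for illustration, not data from either incident.

```python
"""Redundant-sensor disagreement check (added example, not part of the
DHS presentation). Two level gauges are compared every sample; a level
is trusted for control decisions only when both agree within a
tolerance. All values below are constructed, not Taum Sauk data."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Reading:
    t: int             # sample time in seconds (constructed)
    local_ft: float    # gauge at the dam (hypothetical tag name)
    remote_ft: float   # same level as seen at the remote monitoring station


@dataclass
class Verdict:
    t: int
    state: str                  # "OK", "DISAGREE" or "HIGH"
    level_ft: Optional[float]   # trusted level, or None when nothing is trusted


def evaluate(readings: List[Reading], tolerance_ft: float,
             high_limit_ft: float) -> List[Verdict]:
    """Trust a level only when both gauges agree; otherwise alarm.

    Rule: if |local - remote| exceeds the tolerance, neither value is used
    for a control decision and a DISAGREE alarm is raised. If the gauges
    agree, the higher of the two is taken (the conservative choice for an
    overfill hazard) and compared against the high limit.
    """
    verdicts: List[Verdict] = []
    for r in readings:
        if abs(r.local_ft - r.remote_ft) > tolerance_ft:
            verdicts.append(Verdict(r.t, "DISAGREE", None))
            continue
        level = max(r.local_ft, r.remote_ft)
        state = "HIGH" if level >= high_limit_ft else "OK"
        verdicts.append(Verdict(r.t, state, level))
    return verdicts


def first_alarm(readings: List[Reading], tolerance_ft: float = 1.5,
                high_limit_ft: float = 1590.0) -> Optional[Verdict]:
    """Return the first non-OK verdict, or None if the series stays OK."""
    for v in evaluate(readings, tolerance_ft, high_limit_ft):
        if v.state != "OK":
            return v
    return None


# Constructed sample: the remote reading sticks at 1580 ft while the local
# gauge keeps rising. A single-gauge check on the remote value alone would
# never trip; the cross-check trips at t=120 s.
SAMPLE = [
    Reading(0, 1578.0, 1578.1),
    Reading(60, 1581.0, 1580.0),
    Reading(120, 1584.5, 1580.0),
    Reading(180, 1588.0, 1580.0),
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE, 1.5, 1590.0):
        print(v)
    print("first alarm:", first_alarm(SAMPLE))
```

The design choice worth noting is that a DISAGREE verdict carries no level at all: the check deliberately refuses to answer "which gauge is right", because that is exactly the judgement the operators in both incidents got wrong. Resolving the disagreement is left to a person with a second source of truth (a field reading, a second instrument), not to the code.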
  35. Systems include tank filling, coke conveyor systems, tanker loading and unloading.
36. According to an ABC News report and InfoWorld, hackers gained unauthorized access to the computer systems at a Harrisburg, Pennsylvania, water treatment plant in early October. An employee's laptop was compromised via the Internet and used as an entry point by hackers to access administrative systems and install viruses and spyware. The U.S. Federal Bureau of Investigation is investigating the incident and believes the attackers were working outside the U.S. As of this writing, no arrests have been made. Initial reports indicate that the hackers were not directly targeting the treatment plant, but instead used the compromised system to generate e-mail spam. Regardless, the intrusion could have interfered with the plant's operations. While no security measure can stop a determined attacker with enough skill, time, and the right resources, properly implemented security practices and policies could have prevented this attack. Industries and organizations that manage far less critical systems do so every day.