SCADA and Security Issues Beyond the Hacker Threat
Revision 1.5, 4/7/2008
By: Jeff Whitney & Chris Paul
2008, BRC and J&P
Introduction
• SCADA systems have evolved from being “secure by isolation” to seeking, and sometimes achieving, security through the implementation of physical barriers, technology barriers (cyber), and policies and procedures.
• SCADA operators are now confronted with securing infrastructure that addresses emerging threats, enterprise connectivity, commercial off-the-shelf software, public communication paths, and existing and emerging regulatory requirements.
Introduction (cont.)
• This paper will discuss SCADA Security Compliance (regulatory and legal), addressing both the physical and cyber security components.
• The paper will also address solutions to assist operators with compliance.
Background
Oil and gas pipelines are a major component of the energy and transportation industries of the United States. There are “[two] million miles of oil and gas pipelines in the U.S.”[1] That is over 80 times the circumference of the Earth at the equator.[2]
[1] Jay Inslee, Issues – Pipeline Safety, http://www.house.gov/inslee/issues/pipeline/factsheet.html (last visited Oct. 16, 2007).
[2] About.com, Geography – Circumference of the Earth, http://geography.about.com/library/faq/blqzcircumference.htm (last visited Oct. 26, 2007).
Oil pipelines are responsible for “delivering more than 14 billion barrels [of oil] . . . per year,” or “17% of all domestic freight moved nationwide.”[3]
[3] American Petroleum Institute, Pipeline Security Preparedness, http://www.api.org/aboutoilgas/sectors/pipeline/securitypreparedness.cfm (last visited Oct. 26, 2007).
Natural gas “meets 23[%] of U.S. energy requirements” and is responsible for “heat[ing] 57[%] of U.S. households.”
Pipelines are the safest method for transporting oil and natural gas. Oil pipelines are safer than trucks, trains, and tank barges and ships, in terms of injuries, deaths, and fires or explosions. “Relative to pipelines, the safety performance of trucks has been dramatically inferior: death rates 103 times higher, injury rates 32 times higher, and fire/explosion rates 46 times higher.”[4] The numbers were less dramatic for trains and waterborne transportation.
[4] Allegro Energy Consulting, The U.S. Oil Pipeline Industry’s Safety Performance p. 36 (2008), available at http://www.pipeline101.org/HSSE/safety.html
Pipelines are also the “most efficient and economical” means of transporting oil.[5] Natural gas pipelines are also one of the safest modes of energy transportation. “According to the Department of Transportation . . . pipelines are the safest method of transporting . . . natural gas.”[6] This is due in large part “to the fact that the infrastructure is fixed, and buried underground.”
[5] Pipeline 101, Pipelines – Overview, http://www.pipeline101.org/Overview/index.html (last visited Oct. 26, 2007).
[6] NaturalGas.org, The Transportation of Natural Gas, http://www.naturalgas.org/naturalgas/transport.asp (last visited Oct. 26, 2007).
The effects of a failure in the pipeline system could be quite far-reaching. A shutdown of certain pipeline operations could impact people, public water, energy, and national defense.[7] A shutdown of operations could also impact other forms of transportation, as well as other critical infrastructures.
[7] American Petroleum Institute, supra note 3.
But with all of the positives, the petroleum and transportation industries account for 44% of the industrial control system attacks from 2002-2004.[8]
[8] Department of Energy & Department of Homeland Security, Roadmap to Secure Control Systems in the Energy Sector, p. 11 (2006), available at http://www.controlsystemsroadmap.net/pdfs/roadmap.pdf.
The Current Environment
Despite the obvious importance of the U.S. pipeline system, and the realistic threats faced, there remains a relatively limited amount of black letter law pertaining to pipeline security. Pipeline facility operators are often left with nothing but their own good judgment to guide them when implementing security measures. And whether judgment was “good” may be determined in hindsight.
There are several studies and sources of guidance available. Multiple organizations, including the Department of Homeland Security (DHS) and Department of Transportation (DOT), have issued documents that address the security issue. These two agencies have stated that they will work together to develop “standards, regulations, guidelines or directives affecting transportation security.”[9]
[9] Department of Transportation & Department of Homeland Security, Annex to Memorandum of Understanding Concerning Transportation Security Administration and Pipeline and Hazardous Materials Safety Administration Cooperation on Pipeline and Hazardous Materials Transportation Security, p. 3 (2006).
In a Memorandum of Understanding between the DHS and DOT, the Transportation Safety Administration (TSA) and the Pipeline and Hazardous Materials Safety Administration (PHMSA) outlined each party’s roles and responsibilities concerning pipeline and hazardous materials security. The TSA, acting under the authority of DHS, will “act[] as the lead Federal entity for transportation security, including hazardous materials and pipeline security.” Under DOT, “PHMSA is responsible for . . . identifying pipeline safety concerns and developing uniform safety standards.”
TSA has issued the “Pipeline Modal Annex.”[10] This document “was developed to ensure the security and resiliency of the pipeline sector.”
• Provides a nationwide plan for securing pipeline facilities.
• Discusses the type of threats to pipelines.
• Discusses the “Federal Agencies Responsible for Pipelines.”
• Discusses its goals and objectives:
  • prevention of terrorist threats to the transportation system,
  • enhancing the transportation system’s resiliency, and
  • improvements in the area of cost-effective use of transportation security resources.
• Includes a section describing the way in which “TSA will use risk-based programs to achieve the overarching Transportation Sector goals.”
[10] Transportation Security Administration, Pipeline Modal Annex (2007), available at http://www.tsa.gov/assets/pdf/modal_annex_pipeline.pdf.
The DHS “Catalog of Control Systems Security Requirements” offers more detailed guidance.[11] This was prepared for the DHS by the Department of Energy’s Idaho Operations Office. The word “requirements,” however, is misleading since the information in the document consists of recommendations for increasing control system security, and is not actually law that must be implemented. Further, the document is not specifically aimed at the pipeline industry, but rather at any industry that uses control systems. It provides “various industry sectors the framework needed to develop sound security standards, guidelines, and best practices.” In doing so it draws on “various industry standards” to “explain recommended security controls and mechanisms.”
[11] Department of Homeland Security, Catalog of Control Systems Security Requirements (DRAFT) (2007).
The document recognizes that not all of the information will be “appropriate for all applications, so it will be necessary [for the operator] to determine the level of protection needed and only apply the guidance as appropriate.” This guidance pertains to, among other things, management policies and accountability, mitigating threats, and access control.[12]
[12] Catalog of Control Systems Security Requirements, supra, note 23.
A follow-up was published by the DHS in January 2008. The document is titled “Catalog of Control Systems Security: Recommendations for Standards Developers.”[13] “The term ‘Control systems’ . . . includes Supervisory Control and Data Acquisition Systems [SCADA], Process Control Systems, Distributed Control Systems, and other control systems specific to any of the critical infrastructure industry sections.” The document states that “[d]ecisions regarding when, where, and how these standards should be used are best determined by the specific industry sectors.”
[13] Department of Homeland Security, Catalog of Control Systems Security: Recommendations for Standards Developers (2008).
Issues addressed, among many others, are:
• “Management Accountability,”
• “Physical and Environmental Security,” and
• “Security Awareness and Training.”
The DOT has also offered useful information to pipeline operators in the form of a document titled “Pipeline Security Contingency Planning Guidance.”[14] This document is somewhat narrowly tailored in that it is specifically concerned with terrorist threats to pipelines. It was developed to “ensure that pipeline owners and operators are able to discourage attacks and respond quickly and effectively if attacks occur.”
[14] Department of Transportation, Pipeline Security Contingency Planning Guidance (2002).
It was a joint collaboration, with input from industry representatives, the Department of Energy (DOE), and state pipeline security agencies, in addition to DOT. Consensus guidance on industry security practices recommends that each pipeline operator follow three steps:
• assess the terrorist threats to its system;
• assess the vulnerabilities of its system to these threats; and
• develop and implement security, response, and recovery plans that address terrorism.
The document goes on to list ways in which operators can determine which facilities are “critical” and then lists appropriate security measures for such facilities, depending upon the then-current terror threat level.[15]
[15] The threat levels used “mirror the Homeland Security Advisory System (HSAS). Under the HSAS, there are five levels of threat conditions, each identified by a description and corresponding color.”
The DOT’s “Pipeline Security Contingency Planning Guidance” is another resource to which pipeline operators may turn for guidance when determining the appropriate measures needed to secure their facilities.
The “National Strategy for the Physical Protection of Critical Infrastructures and Key Assets” further illustrates the effort to secure critical facilities against potential attacks.[16] This is the result of consultation between numerous groups including federal agencies, public and private infrastructure owners, state and local governments, and the scientific community. The document is very broad in scope, but it specifically addresses both the energy and transportation sectors. In particular, it addresses security challenges facing pipelines and strategies for protecting them.
[16] United States White House, National Strategy for the Physical Protection of Critical Infrastructures and Key Assets (2003).
The DOT has continued its effort to provide security guidance to pipeline operators by issuing the “Pipeline Security Information Circular.”[17] This circular provides a definition for critical facilities and offers information useful when developing and implementing security measures for critical facilities.
[17] Department of Transportation, Pipeline Security Information Circular (2002).
The American Chemistry Council, Chlorine Institute, Inc., and the National Association of Chemical Distributors issued a document titled “Transportation Security Guidelines for the U.S. Chemical Industry.”[18] This was “written for transportation specialists, plant managers, and others who have been given responsibility for the safe and secure transportation of their products and raw materials.” It addresses security risks associated with the transportation of hazardous materials. It is rather broad in scope, addressing all modes of transportation and all types of hazardous materials. Pipelines are specifically mentioned.
[18] American Chemistry Council, Chlorine Institute, Inc., and National Association of Chemical Distributors, Transportation Security Guidelines for the U.S. Chemical Industry (2001).
In 2006, the North American Electric Reliability Council published a document titled “Top 10 Vulnerabilities of Control Systems and their Associated Mitigations.”[19] While the document is designed specifically for the electricity sector, it consists of security measures applicable to any sector using a computerized control system. This document “provides a non-prioritized list of the top 10 most common vulnerabilities to control systems.” The document recommends mitigation strategies for each of the vulnerabilities. The mitigation strategies are categorized as either “foundational, intermediate, [or] advanced.”
[19] North American Electric Reliability Council, Top 10 Vulnerabilities of Control Systems and their Associated Mitigations (2006).
The American Petroleum Institute published “Security Guidelines for the Petroleum Industry.” The document was issued in 2003 and again in 2005.[20] The 2003 document is more sector specific and contains sections that pertain directly to pipelines, refineries, and marine transport, as well as other areas. The 2005 version applies more generally and does not contain individual sections for different areas of the petroleum industry.
[20] American Petroleum Institute, Security Guidelines for the Petroleum Institute (2003) & (2005).
This is not an exhaustive list. There are other materials available for pipeline operators seeking security guidance. Therefore, despite a limited amount of black letter law, there are numerous sources of recommendations and expectations for pipeline system operators.
While recommendations are not required, they should not be casually disregarded. When comparing these standards and recommendations to the factors considered when prosecuting corporations, a striking similarity emerges.
The Department of Justice has also issued a document titled the “Hazardous Materials Transportation Initiative” (Hazmat Initiative). The Hazmat Initiative is in place to reduce the threat posed by terrorists to the transportation of hazardous materials and to further ensure that those businesses regulated by hazardous materials laws are more secure against potential risks. One of the Hazmat Initiative’s stated purposes is the “development of criminal prosecutions.”[21] This reiterates the nexus between an adequate security policy and the possibility of a pipeline owner or operator being subject to criminal sanctions.
[21] Statement of Assistant Attorney General Thomas L. Sansonetti Before the United States House of Representatives Committee on the Judiciary Subcommittee on Commercial and Administrative Law (2004), available at http://judiciary.house.gov/OversightTestimony.aspx?ID=145.
The Challenge to Operators
Ignoring the recommendations and guidance could lead to a corporation being charged with criminal negligence if an incident were to occur. For example, if an accident resulting in death occurred and an operator had not developed, implemented, and educated employees regarding proper security policies and procedures, the operator could be charged with criminal negligence.
The Challenge to Operators (cont.)
It is in the best interests of pipeline operators to develop and implement security policies and procedures for all aspects of their operations. It is also necessary that they ensure that all employees are properly aware of the security policies and procedures. By taking these important steps regarding security, an operator can prevent accidents from occurring and receive greater deference during an investigation if an accident does occur.
Compliance Process – Typical Approach
• SCADA Technical Support Group evaluates the current infrastructure to define exposures by performing a Cyber Security SVA.
• Develop a remediation plan.
• Implement.
• Repeat #1 annually.
Pitfalls
• SVA does not typically include physical security, corporate policies and procedures, current regulatory requirements, or industry best practices.
• SVA is subjective.
• Evaluations and audits can create issues.
• Hindsight – “You should have known.”
• Records.
Solutions – Achieving Compliance in the Current Environment
• SCADA operators should begin to create a process to bring the SCADA environment into compliance.
• Management, Corporate, Security, Facilities, the IT Department, I&E and any other stakeholders should be consulted to assist with the process.
• Both physical and cyber security must be addressed.
• The compliance process should include a time frame to re-address the SCADA environment on an annual basis (Regulatory, Industry, Corporate), as the environment is not static.
The Holistic Model – C. Bodungen, BRC and CIDG
Compliance Process – Holistic Model Detail
1. Create a process to bring the SCADA environment into compliance.
2. Identify security compliance requirements (physical and cyber). Include regulatory requirements, industry best practices and corporate policies and procedures.
3. Create a matrix of requirements that are applicable to the SCADA environment.
4. Audit the existing SCADA environment (identify facilities, systems, communication infrastructure, etc.).
5. Define and perform a Security Vulnerability Analysis (SVA).***
6. Define and perform a GAP analysis utilizing the SVA results.***
7. Define a mitigation strategy (prioritizing vulnerabilities).
8. Remediate vulnerabilities where possible, using the prioritized list (budgets,*** manpower, timing, etc. may impact the remediation schedule).
9. Define an interval to update the matrix of requirements addressing changes in the environment.
10. Repeat steps 4 through 7.
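The matrix, audit, GAP analysis and prioritization steps of the holistic model can be mechanized once the requirements are written down. The following Python is an added example, not code from the paper or from BRC/J&P; it assumes a simplified requirements matrix in which each requirement carries a source (regulatory, industry or corporate), a domain (physical or cyber) and an exposure score taken from the SVA, and a set of audit findings. All requirement ids, texts, scores and findings are constructed sample data, and the priority formula (exposure weighted by source) is an illustrative choice, not one the paper prescribes.

```python
"""GAP analysis over a SCADA compliance requirements matrix (added example).

Models steps 3-7 of the holistic model: a matrix of applicable requirements
(regulatory, industry, corporate; physical and cyber), audit findings against
that matrix, the GAP (requirements unmet or never assessed), and a prioritized
mitigation list. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    # Weight used when prioritizing; regulatory obligations rank highest.
    REGULATORY = 3
    INDUSTRY = 2
    CORPORATE = 1


class Domain(Enum):
    PHYSICAL = "physical"
    CYBER = "cyber"


@dataclass(frozen=True)
class Requirement:
    rid: str
    domain: Domain
    source: Source
    text: str
    exposure: int  # 1-5 consequence if the requirement is unmet (from the SVA)


@dataclass(frozen=True)
class Finding:
    rid: str
    met: bool
    note: str = ""


# Step 3: the matrix of requirements applicable to this SCADA environment
# (constructed sample; ids and texts are hypothetical).
REQUIREMENTS = [
    Requirement("R-01", Domain.PHYSICAL, Source.REGULATORY,
                "Control room doors kept latched and alarmed", 5),
    Requirement("R-02", Domain.CYBER, Source.INDUSTRY,
                "SCADA network segmented from the corporate LAN", 5),
    Requirement("R-03", Domain.CYBER, Source.CORPORATE,
                "Operator workstations restricted to SCADA applications", 3),
    Requirement("R-04", Domain.PHYSICAL, Source.INDUSTRY,
                "Visitor access logged at critical facilities", 2),
    Requirement("R-05", Domain.CYBER, Source.REGULATORY,
                "Annual SVA performed and recorded", 4),
]

# Step 4/5: audit findings recorded against the matrix (constructed sample).
# R-05 has no finding at all, which the GAP analysis must surface as well.
FINDINGS = [
    Finding("R-01", False, "porch door found unlatched during audit"),
    Finding("R-02", True),
    Finding("R-03", False, "non-SCADA software installed on operator screen"),
    Finding("R-04", True),
]


def gap_analysis(requirements, findings):
    """Step 6: return (requirement, status) for every requirement not shown met.

    A requirement with no finding is a gap too ("not assessed"), since an
    auditor cannot claim compliance for something that was never checked.
    """
    by_id = {f.rid: f for f in findings}
    gaps = []
    for req in requirements:
        finding = by_id.get(req.rid)
        if finding is None:
            gaps.append((req, "not assessed"))
        elif not finding.met:
            gaps.append((req, "unmet"))
    return gaps


def priority(req):
    """Illustrative scoring: SVA exposure weighted by the requirement's source."""
    return req.exposure * req.source.value


def prioritize(gaps):
    """Step 7: order the GAP list for the mitigation strategy, highest priority first."""
    return sorted(gaps, key=lambda gap: (-priority(gap[0]), gap[0].rid))


def compliance_summary(requirements, findings):
    """Per-domain (met, total) counts, so physical and cyber are both reported."""
    by_id = {f.rid: f for f in findings}
    summary = {}
    for req in requirements:
        met, total = summary.get(req.domain.value, (0, 0))
        finding = by_id.get(req.rid)
        summary[req.domain.value] = (met + (1 if finding and finding.met else 0), total + 1)
    return summary


if __name__ == "__main__":
    for req, status in prioritize(gap_analysis(REQUIREMENTS, FINDINGS)):
        print(f"{req.rid} [{req.domain.value}/{req.source.name}] "
              f"priority={priority(req)} {status}: {req.text}")
    print(compliance_summary(REQUIREMENTS, FINDINGS))
```

Running the script lists R-01 (regulatory, physical, never latched door) first, then R-05 (a regulatory requirement nobody assessed), then R-03, and reports one of two physical and one of three cyber requirements as met. The "not assessed" status is the point of step 6 in the model: a GAP analysis that only reads failed findings silently treats unchecked requirements as compliant, which is exactly the "you should have known" hindsight problem the Pitfalls slide describes.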
Measuring Compliance in the Current Environment
The real standard which pipelines need to meet in achieving compliance is a combination of Corporate Policies and Procedures, Regulatory Requirements, and Industry Best Practices.
Managing Records and Communications throughout the Compliance Process
Records – 6 Cs to Avoid 7th
• Creation
• Content
• Context
• Control
• Compliance
• CYA
• All Records are Evidence!
Creation – Do You Need to Make a Record? (Why am I really writing this down?)
• Does what I write capture the facts?
• Have I ensured that employee and community safety issues, if any, can be clearly identified by what I wrote down?
• Have I overstated ("made a mountain out of a molehill") or understated ("hidden a needle in a haystack") an event?
• Can you explain, without embarrassment, what was written
  – to a regulator?
  – to a lawyer?
  – to your boss?
  – to a judge and jury?
  – to the community?
• Would you want what you wrote to be printed in the newspaper or reported as a television sound bite, without an opportunity for you to explain the meaning and context?
Content and Context
• Avoid words which give legal opinions, legal conclusions, or characterize conduct (“The person in charge of the NDT was negligent.”).
• Do not guess, especially on cause. Don't use phrases such as: "I feel that . . ."; "I think that . . ."; "I believe . . ."; "I suppose . . ."; or "appears to be . . .". If you do not know, investigate.
Records – Hypothetical
I arrived just after dawn to conduct the security audit; Sam was with me. It was a nightmare (both the audit and being with Sam). We got with a Control Room operator who showed us the SCADA system since the supervisor was taking a smoke break. The door to the porch was unlatched. The operator showed us how he rigged his screens so he could watch the basketball tournament. The system seems to have more problems than a beta version of Vista. We're lucky we didn't have a huge major security breach as this was a problem waiting to happen. And any breach could have caused the line to blow up and cause death and major environmental damage. If our personnel would do their job we wouldn't keep having these problems or keep creating these situations – looks like we're out of compliance all over. I think the only way to fix this is to trash the system and start over again.
Control – New Legal Standards
Sarbanes-Oxley – Beyond Securities
• Obstruction provision: new liabilities affecting records retention policies.
• 18 U.S.C. § 1519. If destroyed “in contemplation” of an “official proceeding” in the future, even if documents are destroyed in accordance with a document retention program, may be considered criminal. Twenty-year maximum.
Compliance
• Revise compliance programs to reflect records management issues.
• Develop strong records creation, retention and recovery programs.
• Create effective means for employees to communicate compliance concerns.
Solutions
• Train on how to write.
• Develop written policies.
• Follow statutory document retention requirements.
• Manage e-mail.
• Manage “memos to file” and files “at home.”
6 Cs to Avoid 7th
• Create
• Content
• Context
• Control
• Compliance
• CYA
CYA
We all know what this means.
Conclusion
The approach to SCADA security must be holistic, incorporating both the physical and cyber components to achieve compliance. Taking this holistic approach will help maximize operational efficiency, help maintain a secure operating environment and minimize the risk of regulatory scrutiny and/or action, while achieving business objectives.