Electronic Intrusion into Your Control Systems


Presentation Transcript


    1. Electronic Intrusion into Your Control Systems
       Bob Webb, POWER Engineers, rcw4@ix.netcom.com
       ISA S&P Department – Board of Directors
       ISA NORCAL Section – Past President

    2. Agenda
       - Self introductions - Bob, 15 min
       - The problem – scope and examples - Bob & Joe, 15 min
       - What others are doing - Joe, 15 min
         - Government
         - Vendors
         - Other organizations
       - Break, 10 min
       - Where current solutions fall short - Joe, 10 min
       - What you can do today - Joe, 15 min
       - Where to learn more - Bob, 10 min
       - Open discussion - All, 30 min

    3. Initial Survey of Participants
       - How many of you are responsible for control systems?
         - DCSs? SCADAs? PLCs? Other?
       - How many of those systems have connections to any network or other system?
         - Another control system? IT network? Internet?
         - Dial-up access for vendors or techs?
         - Wireless connectivity to any devices?

    4. Initial Survey, continued
       How many of you:
       - Have a written control system security policy?
       - Regularly change your passwords?
       - Use “strong” passwords?
       - Have ever changed your passwords?
       - Know the status of the dial-in connections to your system as we speak?
       - Use pcAnywhere or XWindows to communicate with your systems?
       - Have done a control system vulnerability or security assessment?

    5. Introduction of Participants
       - Facilitators: Joe Weiss, Bob Webb
       - Participants: name, company, area of responsibility
         - What problems have you encountered?
         - What would you like to get from this seminar?
       - Help us plan for the future by completing the Conference Survey before you leave.

    7. Objectives
       - Know if and where your systems can be vulnerable
       - Walk away with an understanding of control system cyber vulnerabilities and an approach to deal with those vulnerabilities
       - Know where to get help when you need it

    8. The Problem
       - Some definitions
         - Control Systems
         - Electronic Intrusion
         - What we are not going to talk about
       - What makes control systems unique
         - Real time requirements
         - Changing nature
         - Not yet addressed in most IT strategies
       - What has happened elsewhere
         - Electronic intrusions from inside and outside the corporate firewall
         - Unintentional and deliberate
       - Your examples
         - How can you add to our problem descriptions?
         - What do you see in your systems?

    9. Definitions
       - Control Systems: the broadest interpretation - to include both process control, manufacturing operations and systems; continuous, discrete, and batch; local, direct, and wide area supervisory (e.g., SCADA), control and safety systems; serving all types of plants, facilities, and systems in all industries
       - Electronic Intrusion: undesired communications with your systems – internal (inside your firewall) or external, typically via a network, but could be by any other means, including RF eavesdropping, sneakernet, foreign laptops, jamming, etc.
       - Not included (essential elements, but not part of this discussion):
         - Physical security
         - IT security

    10. What makes control systems unique
       - You might be asking, why don’t we just apply existing “business system” IT security techniques to our control systems? (A good question.)
       - In response, we will recommend that you do, WHERE IT MAKES SENSE
       - But we will also caution you to be aware of your systems’ unique properties that limit application of IT approaches:
         - Need to operate in real time often requires speed or frequency response that precludes use of traditional techniques, like block encryption
         - Need to provide ease of use for operators may preclude traditional use of passwords and the like
         - Need to rigorously test all changes to operating systems precludes regular updates for security patches and the like

    11. Where current solutions fall short
       - Awareness, education, training
       - Processes and procedures inadequate or non-existent
       - Hardware and software
         - OSs, processors, etc. not designed for security; missing hooks and handles to incorporate it
         - Designed without thought of what could go wrong with malicious intrusion
         - Raw vulnerability to designer viruses on Ethernet or other ports - if firewalls are breached there is nothing else, and our demonstrations show the “open” systems can be easily compromised
         - Speed limitations

    12. What has happened elsewhere?
       - Examples and conclusions have been assembled by Eric Byres of the British Columbia Institute of Technology and Joe Weiss
       - Examples are representative of real events across multiple industries, from multiple causes
       - Current trending of cyber intrusions does not include control systems
         - For example: Carnegie-Mellon Center for …, (CERT) has not identified any control system intrusions
       - Cyber incidents can have a variety of causes
         - Audit
         - Accidental
         - Non-malicious intrusion
         - Malicious intrusion

    13. Examples of Cyber Incidents
       - Noise or bad packets
       - IP address duplication
       - Broadcast storms
       - Internal intrusion
       - External intrusion
       - Procedures/architecture

    14. Noise or Bad Packets
       - Propagation of noise or bad packets throughout an entire network is a serious risk.
       - Pulp mill case history: a cable damage problem in one area creates bad packets from reflections. “Dumb” network equipment spreads the problem to other areas.

    15. IP Address Duplication
       - The TCP/IP protocol demands that every device has a unique IP address.
       - Paper machine profile controller case history: the controller and scanners use TCP/IP to communicate. A printer in admin gets the same address as the controller. The scanners try to talk to the printer instead of the controller.

    16. Broadcast Storms
       - Broadcasts are messages addressed to all network nodes. A few broadcasts are okay. Many create broadcast storms and will use up a device’s CPU resources.
       - Case history - steam plant DCS: the DCS uses Ethernet to communicate between the screen server and operator consoles. Broadcasts from a misconfigured Windows 95 machine in another mill area overload the screen server. This shuts down all DCS operator consoles.
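Both the duplicate-address case (slide 15) and the broadcast storm (slide 16) are visible to a passive monitor on the control network before anyone loses a console. The following is an added example, not material from the seminar: it reads constructed frame-summary lines (assumed format "time src_mac src_ip dst", with dst "bcast" for broadcast frames), flags any IP that is sourced by more than one MAC, and flags any sender whose broadcasts per second exceed a limit.

```python
from collections import defaultdict

# Constructed frame summaries (not real capture data), one per line:
#   <time_s> <src_mac> <src_ip> <dst>   with dst "bcast" for a broadcast frame.
_SAMPLE_FRAMES = [
    "0.00 00:a0:45:01:02:03 10.1.5.20 10.1.5.10",   # profile controller -> scanner
    "0.10 00:a0:45:01:02:03 10.1.5.20 10.1.5.11",
    "0.20 00:0a:8b:aa:bb:cc 10.1.5.20 bcast",       # admin printer claims the same IP
    "0.30 00:0a:8b:aa:bb:cc 10.1.5.20 10.1.5.10",
    "0.50 00:50:56:11:22:33 10.1.7.44 bcast",       # a single broadcast: normal
]
# A chatty workstation in another area sends eight broadcasts inside second 1.
_SAMPLE_FRAMES += [f"1.{i:02d} 00:50:56:11:22:33 10.1.7.44 bcast" for i in range(8)]
SAMPLE_LOG = "\n".join(_SAMPLE_FRAMES) + "\n"


def parse_frames(text):
    """Return (time, src_mac, src_ip, dst) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        t, mac, ip, dst = parts
        records.append((float(t), mac.lower(), ip, dst))
    return records


def find_duplicate_ips(records):
    """Map each IP sourced by more than one MAC to its sorted list of MACs."""
    macs_by_ip = defaultdict(set)
    for _, mac, ip, _ in records:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def find_broadcast_storms(records, limit_per_sec=5):
    """List (src_mac, second, count) buckets whose broadcast count exceeds the limit."""
    counts = defaultdict(int)
    for t, mac, _, dst in records:
        if dst == "bcast":
            counts[(mac, int(t))] += 1
    return sorted((mac, sec, n) for (mac, sec), n in counts.items() if n > limit_per_sec)


if __name__ == "__main__":
    recs = parse_frames(SAMPLE_LOG)
    for ip, macs in find_duplicate_ips(recs).items():
        print(f"duplicate IP {ip} claimed by {', '.join(macs)}")
    for mac, sec, n in find_broadcast_storms(recs):
        print(f"broadcast storm: {mac} sent {n} broadcasts in second {sec}")
```

On a real network the same two checks can be fed from switch port mirrors or ARP tables; the threshold should be tuned to the normal broadcast rate of the segment.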

    17. Internal Intranet Intrusion Eastern plant does major upgrade of DCS. Several months later, head-office engineer connects to the mill DCS from head office, using the company's wide area network (WAN).

    18. Internal Intranet Intrusion Engineer loads program onto operator station to send data to head office for expert system. This new task overloaded DCS/PLC gateways. Operators lose control of devices connected to PLCs.

    19. Control Highway Intrusion Disgruntled employee attacks PLC in another plant area over PLC highway. Password changed to obscenity, blocking legitimate maintenance and forcing process shutdown.

    20. External Wireless Intrusion Hacker attacks sewage control system using radio link. Causes millions of liters of raw sewage to spill out into local parks, rivers and the grounds of a Hyatt Regency hotel.

    21. PLCs are Vulnerable Eric Byres has also demonstrated the ability to kill a PLC by sending a single packet to it via an Ethernet connection… How many of you have Ethernet network connections to your PLCs (for HMI, etc.)?

    22. Inadvertent Denial of Service (DoS)
       - Control system procedures have not addressed conditions that could lead to DoS
         - Requesting excessive data, resulting in loss of the database server
         - Requesting excessive data, resulting in loss of control function
         - Excessive trending, leading to DoS of control function
       - Control system architecture not designed for new information-oriented requirements
         - Loss of DCS operator access
         - Loss of SCADA operator access
         - Loss of DCS control
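Slides 18 and 22 describe the same failure: an information consumer (a head-office expert system, a trend display) pulls so much data through a DCS/PLC gateway that operators lose control. One architectural answer is to admit information reads only within a budget while control-path reads are always served. The code below is an added, hypothetical design, not any vendor's gateway: GatewayBudget, the point counts, the window length and the sample requests are all constructed for this example.

```python
from collections import defaultdict, deque


class GatewayBudget:
    """Admission control for data reads through a DCS/PLC gateway (hypothetical design).

    Control-path reads (operator consoles) are always served. Information reads
    (trending, head-office expert systems) are capped per request and per client
    within a sliding window, so one chatty client cannot exhaust the gateway.
    """

    def __init__(self, max_points_per_request, info_points_per_window, window_s):
        self.max_points = max_points_per_request
        self.info_budget = info_points_per_window
        self.window_s = window_s
        self._info_history = defaultdict(deque)  # client -> deque of (time, points)

    def _used_in_window(self, client, now):
        hist = self._info_history[client]
        while hist and now - hist[0][0] >= self.window_s:
            hist.popleft()  # drop reads that have aged out of the window
        return sum(points for _, points in hist)

    def admit(self, now, client, points, control_path=False):
        """Return (admitted, reason). Control-path reads bypass the window budget."""
        if points > self.max_points:
            return False, f"{points} points exceeds per-request cap {self.max_points}"
        if control_path:
            return True, "control path"
        used = self._used_in_window(client, now)
        if used + points > self.info_budget:
            return False, f"{client} would use {used + points} of {self.info_budget} points in window"
        self._info_history[client].append((now, points))
        return True, f"information read, {used + points}/{self.info_budget} points used"


def replay(gateway, requests):
    """Apply (now, client, points, control_path) requests; return the admit decisions."""
    return [gateway.admit(*req)[0] for req in requests]


# Constructed traffic: one operator console and one head-office expert-system feed.
SAMPLE_REQUESTS = [
    (0.0, "console-1", 200, True),      # operator screen refresh
    (0.5, "hq-expert", 5000, False),    # one huge trend pull: over the per-request cap
    (1.0, "hq-expert", 800, False),
    (2.0, "hq-expert", 800, False),
    (3.0, "hq-expert", 800, False),     # 2400 > 2000 points within a 10 s window
    (4.0, "console-1", 200, True),      # console still served during the burst
    (12.0, "hq-expert", 800, False),    # window has slid: earlier reads aged out
]

if __name__ == "__main__":
    gw = GatewayBudget(max_points_per_request=1000, info_points_per_window=2000, window_s=10)
    for req, ok in zip(SAMPLE_REQUESTS, replay(gw, SAMPLE_REQUESTS)):
        print(req, "admitted" if ok else "rejected")
```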

    23. Some Assessment Results
       - These results are from over 58 utility assessments facilitated or conducted by John E. Allen, of LogOn Consulting
         - SCADA systems: 5
         - Plant control systems: 53
       - Assessment type: self-directed, consultant
       - Utility type: electric, natural gas, water

    24. Some Assessment Results, continued
       - For SCADA systems:
         - No SCADA configuration data was accurate or complete
         - Information systems interface not accurately defined (accuracy range: 50-70%)
         - Data communication scheme not well understood or documented (accuracy range: 85-98%)
       - For plant control systems:
         - Most PCS configuration accurate (8% error rate)
         - Information systems interface generally accurately defined (accuracy range: 90-100%)
         - Data flow generally confined to the facility process, with some defined exceptions (accuracy range: over 96%)

    25. Some Assessment Results, continued
       Conclusions (limited to SCADA and plant control systems):
       - Configuration is not well understood or documented
         - Architecture
         - External connections
       - Little configuration management
         - No formal process/procedures
       - Minimal understanding of system interaction
       - Minimal operational knowledge of security
         - Lack of procedural guidance
         - Lack of internal controls
         - Little to no personnel security awareness
       - Communication among responsible stakeholders is deficient
         - Decisions and actions often made in isolation, affecting security integrity

    26. Some Assessment Results, continued
       Conclusions, continued:
       - Deficient understanding of security issues by responsible personnel
         - Specific and general security knowledge
       - Security performance requirements are non-existent
       - User community is not well documented
         - Lack of access criteria

    27. Some Assessment Results, continued
       Observations:
       - Knowledge of potential threats is limited
       - Knowledge of vulnerabilities is limited to non-existent
       - Stakeholder resistance to security assessments ranges from minor to declarations of war
       - Security assessment findings require attendant corrective action or enhancement plans

    28. Conclusions
       - Control systems have been impacted by cyber intrusions
       - Problems come from inside the corporate firewall in most identified events
       - There is a clear interdependence between control systems and IT department policies and practices
       - IT procedures are not always applicable to control systems
       - Control and IT personnel must work together, using both domains’ expertise, to establish and implement effective and workable policies

    29. Conclusions, continued
       - Most control systems rely heavily on Microsoft Windows NT or 2000, which is well understood by hackers
       - Control systems can be accessed independent of Microsoft
       - Most control systems have poor security designs and weak protection
       - Many of the existing incidents could have been prevented by the application of currently accepted IT security practices

    30. What Others Are Doing
       - The Government
         - National Strategy to Secure Cyberspace
         - DOE
         - NIST
         - CIAO
         - NIPC
       - Vendors
       - Other users
         - Policies and programs

    31. The Government
       - National Strategy to Secure Cyberspace
         - Most information and activity is in the “Business IT” area
       - DOE - National Test Bed Initiative
       - National Institute of Standards and Technology (NIST) and National Security Agency (NSA)
         - Some activity in real time control systems, as related to Critical Infrastructure Protection - PCSRF
         - Substantial amount of material to review and apply where it makes sense
       - Federal Energy Regulatory Commission (FERC)
       - Critical Infrastructure Assurance Office (CIAO)

    32. Sector Lead Agencies
       - Electric utilities – North American Electric Reliability Council (NERC)
       - Oil and gas – National Petroleum Council
       - Water – Association of Metropolitan Water Agencies, AWWA and NAWC
       - Chemical process industry - Chemical Sectors Cyber Security Information Sharing Forum

    33. Vendors
       - Typically, IT security is being addressed rather than real time control
       - Varying levels of activity by different vendors
         - Policies
         - Network controls
       - Some offer security programs for their clients
       - Most vendors are waiting for industry direction or consensus before significant hardware/software changes

    34. Vendor Discussion
       - What have your vendors done?
       - What have you asked for?

    35. Relevant Standards Organizations
       - ISA (Instrumentation, Systems and Automation Society)
       - IEEE (Institute of Electrical and Electronics Engineers)
       - ISO (International Standards Organization)
       - IEC (International Electrotechnical Committees)
       - AGA (American Gas Association)

    36. Break

    37. What You Can Do, Today
       - Develop a policy specific to control systems
         - Existing IT policies do not address control systems
         - Define scope and purpose
         - Assure all relevant organizations are involved
       - Define current state
         - Vulnerability assessment
       - Perform risk assessment
         - What needs to be addressed?

    38. What You Can Do, Today
       - Develop specific security procedures for your control systems
         - Training
         - Control electronic access
         - Testing and appropriate operating procedures
       - Verify all patches are rigorously tested
         - Evaluate impact

    39. What You Can Do, Today
       - Maintain physical security
       - Provide incident response and contingency plans
       - Work with vendors, consultants, and system integrators
       - Participate in appropriate industry groups and forums
         - Sector lead organizations and the other organizations discussed earlier

    40. ISA and Industry Activities
       - Articles in INTECH, ISA Online, and Division Newsletters
       - Active discussion on ISA list servers
       - Industry technical conferences
         - July 30-31: KEMA Consulting Control System Cyber Security Conference – Vancouver
         - August 7th: ISA Training Seminar - Securing Industrial Networks – Cyber Protection for Automation, Control and SCADA Systems
         - August 8th: ISA Conference – hacking demo, issues and concerns, assessments, secure network design, security strategies
         - September 18th: ISA SP 99 Standard kickoff w/teleconference
         - October 22: Chicago ISA 2002 conference, standard, and PCSRF
       - Membership in NIST PCSRF
       - IEEE and IEC ongoing activities

    41. Be careful what you ask for!
       - Standards are the essential basis for “open”, vendor independent connectivity, networking, and control
       - End users have driven the “open” systems
       - Standards Development Organizations (SDOs) need to provide for enhanced security
       - End users need to adopt enhanced standards

    42. ISA Response - Standards
       - Development of positions, issues, industry guidance, and/or subcommittee scope and purpose and activity in:
         - ISA 50 – Fieldbus for use in Industrial Control Systems
         - ISA 67 – Nuclear Power Plant Standards
         - ISA 77 – Fossil Power Plant Standards
         - ISA 84 – Programmable Electronic Systems for Use in Safety Applications (ANSI/ISA S84.01-1996, ANSI/ISA S91.01, IEC 61511)
           - Responsible for functional safety in the process sector
           - Sub-committee on security
         - ISA 95 – Enterprise/Control Integration
       - Formation of ISA SP 99, a new committee to:
         - Cover the issues common to all controls-related security
         - Coordinate related ISA standards activities
       - Standards activities will continue with meetings at ISA 2002 in Chicago

    43. ISA Response – Awareness, Training
       - Electronic Intrusion into YOUR Real Time Control Systems – ISA NORCAL Conferences, October 9 Santa Clara and October 15 Sacramento
         - Threats, vendors’ perspective, standards activities
         - 90 minute overview plus discussion
         - Facilitated by Joe Weiss, Bob Webb
       - Real Time Control Systems Security Issues and Direction, a conference track at ISA 2002, October 21, 2002 – Chicago
         - The Issues and Challenges - an Overview
         - Vendor Solutions
         - Role of Standards
         - ~ 6 hours of information
         - Session developers – Joe Weiss, Bob Webb
       - Continuation of standards, conferences and training courses in 2003 and beyond

    44. ISA Future Directions
       - Growing area of activity
       - More integration and coordination within and outside of the Society
       - ISA SP 99 detailed scope to be defined at the 10/22 Chicago meeting
       - Participate in our standards, conferences, and work! rcw4@ix.netcom.com, lferson@isa.org

    45. IEEE Response
       - Panel session at IEEE Winter Power Meetings
       - Task Force to review cyber security impacts on IEEE Power Engineering Society (PES) Standards
         - Joe Weiss, Task Force Chair

    46. Get help or learn more? Resources and References
       - National Strategy to Secure Cyberspace: http://www.whitehouse.gov/pcipb/
       - NIST – National Institute of Standards and Technology programs/initiatives/forums:
         - Critical Infrastructure Protection: Cybersecurity of Industrial Control Systems: http://www.mel.nist.gov/proj/cip.htm
         - Process Control Security Requirements Forum (PCSRF): http://www.isd.mel.nist.gov/projects/processcontrol/
         - National Infrastructure Assurance Partnership (NIST and NSA): http://niap.nist.gov/
         - Computer Security Resource Center: http://csrc.nist.gov/

    47. Get help or learn more, continued
       - CIAO - Critical Infrastructure Assurance Office
       - The Twenty Most Critical Internet Security Vulnerabilities: http://www.sans.org/top20.htm
       - North American Electric Reliability Council (NERC) Critical Infrastructure Protection Advisory Group (CIPAG): http://www.nerc.com/~filez/cipfiles.html
       - Federal Energy Regulatory Commission (FERC) – NOPR on Standard Market Design: http://www.ferc.gov/Electric/RTO/Mrkt-Strct-comments/discussion_paper.htm
         - Requires security to sell into the grid, and yearly self audits
       - DOE 21 steps to secure your SCADA network: http://oea.dis.anl.gov/home.htm

    48. Get help or learn more, continued
       Technical non-profit organizations addressing electronic intrusion:
       - ISA: awareness, information, standards development, training aimed specifically at control systems – www.isa.org
       - IEEE: standards – www.ieee.org
       - ISO: ISO 15408 - Information technology -- Security techniques -- Evaluation criteria for IT security (ISO 15408 – Common Criteria) – http://www.commoncriteria.org/

    49. Get help or learn more, continued
       Organizations with control systems and security expertise, whose information was used in this conference:
       - KEMA – KEMA Consulting, Inc – jweiss@kemaconsulting.com
         - Cyber security procedure development
         - Assessments, program development and management, reviews and recommendations
         - Research and development direction and support

    50. Get help or learn more, continued
       - BCIT – British Columbia Institute of Technology – Eric Byres, eric_byres@bcit.ca
         - BCIT Industrial Incident Database: tracks network security incidents that directly impact industrial control operations.
         - BCIT Internet Engineering Research Lab: conducts security tests on control system products and designs.
       - LogOn Consulting – John Allen - jeallen@logonconsulting.com
         - Assessments, program development and management, reviews and recommendations

    51. Summary: A.C.T.I.O.N.S.
       IT-focused recommendations from “The National Strategy To Secure Cyberspace”, Sept. 2002:
       - Authentication
       - Configuration management
       - Training
       - Incident response
       - Organization network
       - Network management
       - Smart procurement
       Exercise caution when applying these to control systems.

    52. Further Discussions Q&A Thanks!
