Preventing Cyber Security Attacks Against the Water Industry

Transcription

1 Preventing Cyber Security Attacks Against the Water Industry Presented by Michael Karl October 2012

2 Acknowledgements Infracri5cal SCADA Security Newsgroup CH2M HILL, Automa5on Cyber- Security Prac5ce Team All the folks at McAfee (thanks for your help and support) The Department of Homeland Security CSSP Invensys/Wonderware Cri5cal Infrastructure & Security Prac5ce Team

3 Our World is Changing

4 The Threat is Real! Overview of the DHS program Why control systems are vulnerable to attack Case study New Industry Trend

5 What is needed to perform a hack? Attacker (Threat Agent) Communications channel Weakness (vulnerability) Targeted device 4 Hacker Virus Malware Insider Vendor Activist group Organized crime Dial-up telephone Cellular communications Leased communication Satellite Internet LAN/WAN Wireless/WiFi Removable media Laptops Poor policy Insufficient firewall Windows updates Application patches Poor configuration network Poorly configured application Default passwords HMI work station Application server Historian server PCs Radio equipment PLC RTU

6 We can improve Security and Reliability! With proper tools your systems can be secure Reduce our exposure against the most likely and probable threats Security improvements will reduce operational risk Balance risk reduction with the cost of security measures Security Risk

7 Media Coverage 6 Pump destroyed at water plant Springfield, IL o Believed to be due to cyberattack (not confirmed by DHS). o Story covered by news media such as the Washington Post, Fox News, CNN, and MSNBC o Even though unconfirmed, the utility was in the national spotlight for weeks Texas SCADA system hacked and screenshots of HMI released Response to DHS downplay of IL incident Again carried by major news media Used a virtual network connection with the internet with simple password to access network

8 Questions and Comments from the Industry Myths Ques5ons from Management I m secure, I m not connected to the Internet. Public Works Director What is the real risk to us? I m secure, I have three passwords What is the golden solu5on? before I can connect Opera5ons Manager What needs to be protected? Using Passwords takes too long and I What do I need to do? 8 can t respond to emergencies Wastewater systems aren t in jeopardy Lead Maintenance Mgr. Cyber security is like an arms race there is no silver bullet Michael Assante Chief Security Of:icer NERC

9 Case Study - Typical SCADA Assessment SCADA System Supported by Local Integrator Part of the system is new, Others > 25 years old Software/Hardware was typical common equipment from the NW Public Works Director Stated the following: I want to perform due-diligence and have our system evaluated by a third party I know our system isn t connected to the internet I am not using Windows 7 yet so I m a bit nervous I also realize that an Security assessment provides information that assist in knowing where our single points of failure are.

10 More details SCADA covered a master site and remote facilities SCADA system had historian, HMI nodes and alarm notification software Local Ethernet network Local PLCs for control Radio network for telemetry communications Remote PLCs 10

11 Phased SCADA Evaluation 11 Phase 1 Review SCADA communication network Evaluate the security of remote access Phase 2 Implement recommendations found in Phase 1 Perform training for utility staff Develop policy and procedures for maintaining software and network Phase 3 Implement the NIST SP guide for SCADA security

12 Approach to Phase 1 Request for documenta5on Debriefs Management Systems Integrator Opera5ons staff IT staff Perform on- site forensics (physical and cyber) on SCADA assets 12

13 Findings of preliminary assessment SCADA directly connected to internet IT group didn t understand the importance of SCADA Know vulnerabili5es with PLC Programming So]ware HMI So]ware Remote Access So]ware Radio network open to the world Surprises - No redundancy and not one backup 13

14 How do I meet Due Diligence? Perform an evalua5on Implement tools Implement policies Don t forget physical securi5es Perform regular evalua5ons

15 Great Job - The New Industry Trend Being a Healthy Skep5c Understanding Cyber Security isn t just protec5ng against Hackers Thank you for your willingness to change! Implemen5ng mul5- factor security Having firm provide Perform a Table Top Exercise as you would with redundancy

16 Open Discussion Forum

17 Thank You! Questions? Contact Informa5on