Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION

Transcription

1 Critical Infrastructure & Supervisory Control and Data Acquisition (SCADA) CYBER PROTECTION ALBERTO AL HERNANDEZ, ARMY RESERVE OFFICER, SOFTWARE ENGINEER PH.D. CANDIDATE, SYSTEMS ENGINEERING PRESENTATION for ACT-IAC: JUNE 25, 2014

2 PRESIDENTIAL POLICY DIRECTIVE/PPD-21, February 12, 2013 SUBJECT: Critical Infrastructure Security and Resilience The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure. Three strategic imperatives shall drive the Federal approach to strengthen critical infrastructure security and resilience: 1) Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience; 2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and 3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure. The word Cyber is mentioned 18 times Example: Innovation, Research and Development Facilitating initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience;

3 Resilience PPD-21 defines resilience as the ability to prepare for and adapt to changing conditions, and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

4 SCADA Supervisory control and data acquisition (SCADA) networks contain computers and software that perform critical tasks and provide essential services within critical infrastructure. Used to monitor key parameters of production processes Used to operate controls to ensure proper provisioning of critical services. Designed to monitor processes without considering security requirements and protection from external threats. Operate in a context totally different from the one the systems were designed for (many are decades old). SCADA and the Internet are not a happy marriage. Security risks are abundant (definitely no pre-nuptial agreement!). SCADA systems for the most part perform fairly well, except that they are not traditionally highly secured. Impacts to SCADA can take a huge toll on mission critical services, processes, resources, etc. The ultimate impact is to people and infrastructure.

5 SCADA Structure Human-machine interface (HMI) - interface between operator and the commands relevant to SCADA system Master terminal unit (MTU) - client system that collects data locally and transmits it to remote terminal unit Remote terminal unit (RTU) - server that gathers data remotely and sends control signals to field control systems Field control systems - systems that have a direct interface to field data elements such as sensors, pumps, and switches

6 Why SCADA? SCADA systems have operated behind the scenes for many years. SCADA is more visible now due to the Internet. Everybody wants to be CONNECTED. We all want to share information, but that opens the door for the bad guys wanting the information that we share. SCADA is loaded with confidential data among other critically important information that terrorist groups, hostile governments, business competitors, and malicious intruders will love access and control. Let s not forget insider threat. SCADA systems control critical infrastructure such as large physical assets, IT networks and associated services that are mission critical. Degradation or destruction will cause great impact to our financial, health, security, industrial, transportation, and other systems.

7 SCADA Exposure to Threats SCADA control systems are exposed because of : Availability of Technical Information public information about infrastructure and control systems is on the Internet and readily available to professional hackers and intruders. From design, production, maintenance, and physical layout, it s all out there, and many times we are proud of having all that information exposed. Have you checked out our website? It is awesome, full of information Vulnerability Associated with Remote Connections We want to be connected and not miss anything that is happening while we travel or work remotely. Often, remote and wireless connections are utilized to conduct maintenance, diagnostics, monitoring, testing, etc. Without strong measures of access and authentication, as we all know, our information is vulnerable.

8 SCADA and Cyber Strategy There are many solutions available to protect SCADA systems. The biggest challenge for the government is including SCADA systems and Critical Infrastructure IT systems in the corresponding Cyber strategy. Many government audits have been conducted and the results are alarming, with many systems around the world lacking cyber security and many don t have robust physical security measures in place. SCADA systems Cyber security status is not completely known. Then, there is the issue of the diversity of systems and their implementation, operation, and maintenance.

9 SCADA Scares Me! SCADA systems traditionally have the programmable logic controllers (PLCs) directly connected to infield sensors that provide data to control critical components. Many times, the passwords to access the system are hard-coded into the Ethernet cards the systems use. Those cards funnel commands into devices, allowing administrators to remotely log into the machinery. Hard-coded passwords are a common weakness built into many industrial control systems. As we know, these are the systems that control machinery connected to dams, gasoline refineries, and water treatment plants, among other facilities. I m sure we get the picture of the level of vulnerabilities and potential threats.

10 What can happen? US CERT has alerted in recent past to the continuous spear-phishing campaign that targeted the energy sector to gain remote access to control systems. SCADA systems protection must be approached from a systems engineering perspective, where component inter-dependencies, as well as networks that serve the systems, undergo a thorough risk analysis process, to identify the protection required. There is also the need to educate the workforce that manages, operates and maintains SCADA systems on Cyber threats and Cyber security measures and practices.

11 How to Protect A layered approach is essential. Collaboration between government and the Cyber security industry is critical. This sometimes means collaboration with competitors as if they were partners. The goal is securing SCADA systems and Critical Infrastructure against the Cyber Enemy. National Security and our way of life is at stake. In my opinion, we need to move away from becoming millionaires overnight and aim more towards a long lasting relationship with our customers, especially government. It can likely result in billion dollar deals over the course of many years. When it comes to Cyber security, is not necessarily a short sprint, it is a marathon because the enemy never sleeps. Preparation, Stamina and Resilience will carry us through. Layers, we know what they are: Perimeter Control Employees, Policies, Procedures Network Architecture and Operating Systems SECURITY, layered of course! ETC..

12 SCADA Security Best Practices 1 - Understand the Business Risk - risk is a function of threats, impacts and vulnerabilities. 2 - Implement Secure Architecture - it is important that the selection process ensures that the level of protection is commensurate with the business risk and does not rely on one single security measure. 3 - Establish Response Capabilities - obtaining management support, determining responsibilities, establishing communication channels, drafting policies, and procedures, identifying pre-defined actions, providing suitable training and exercising the whole process prior to incidents enables a quick, effective and appropriate response which can minimize the business impacts and their cost. 4 - Improve Awareness and Skills - Personnel need to know what to do to prevent attacks and what to do in the event of an incident. 5 - Manage Third Party Risk - the security of an organization's SCADA systems can be put at significant risk by third parties, e.g. vendors, support organization and other links in the supply chain. 6 - Engage Projects - there are often a number of SCADA systems related projects underway at any point in time, any of which could have security implications. 7 - Establish Ongoing Governance - governance for the management of SCADA systems Cyber security will ensure that a consistent and appropriate approach is followed. Without such governance the protection of SCADA systems can be ad-hoc or insufficient.

13 Conclusion SCADA systems are increasing in complexity, due to the integration of different components (diverse manufacturers, supply chain). Approach Cyber security from a component to a system level environment. This requires also an understanding of the supply chain. Continues reporting of the security status of critical infrastructures and related SCADA systems. The overall security of critical infrastructures must be audited during the entire lifecycle of its components. Think Systems Engineering, holistic approach. Federal Bureau of Investigation (FBI), Department of Homeland Security, and National Counterterrorism Center understand that cyber attacks are the most likely form of terrorism against the United States in the coming years. The World has become ONE neighborhood. There are no Cyber borders, only the ones we can create to protect SCADA systems and their corresponding supply chain.