SCADA SYSTEMS AND SECURITY WHITEPAPER

Transcription

1 SCADA SYSTEMS AND SECURITY WHITEPAPER Abstract: This paper discusses some of the options available to companies concerned with the threat of cyber attack on their critical infrastructure, who as part of their process of tightening up security, wish to prevent unauthorized network access to SCADA systems that monitor and control critical infrastructure. SCADA System Security 1

2 About the Author(s) This document was written by Abhishek Bhattacharjee, (previously Senior Technical Architect, Citect), Stephen Flannigan and Jens Nasholm, both Product Marketing Managers, Citect. About Citect Citect is a worldwide leader in industrial automation and information management. Its CitectSCADA and Plant2Business software and industrial information management (IIM), analysis modules are complemented by professional services, customer support and training. These solutions are enhanced by strong partner programs and are sold in numerous industries, including mining, metals and minerals, food & beverage, manufacturing, pharmaceuticals, water, facilities, gas pipelines and power distribution. Citect is headquartered in Sydney Australia, has 17 offices in Australia, USA, Europe, China and Africa, and its products are distributed in more than 50 countries worldwide. For further information, visit Citect Pty Ltd. All rights reserved. The information contained in this document represents the current view of Citect on the issues discussed as of the date of publication. Because Citect must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Citect, and Citect cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. CITECT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) or for any purpose, without the express written permission of Citect Pty Ltd. Citect may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Citect, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. Citect, CitectSCADA, CitectHMI, Plant2Business and Plant2NET are either registered trademarks or trademarks of Citect Group Corporation in Australia and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. SCADA System Security 2

3 Contents About the Author(s)... 2 About Citect... 2 Contents... 3 Introduction... 4 Defining a security policy... 4 Measures to secure the SCADA network...5 Implement a secured firewall... 5 Keep your network simple... 5 Minimize network access points... 5 Virtual Private Network... 5 Deploy Internet Protocol Security ( IPsec)... 5 De-militarised Zones (DMZ)... 5 Application Security... 6 Authentication and Authorization... 6 Secured data storage and communication... 6 Audit Trails... 6 Wireless Networks... 6 Intrusion Detection... 7 Regulating physical access to the SCADA network... 7 SCADA System Security 3

4 Introduction In recent times, governments throughout the world have identified critical infrastructure as potential targets for terrorism. Whilst physical measures have been taken to secure these infrastructures, one area of concern remaining is the potential attack on the information and process control systems belonging to the critical infrastructure. Many private companies controlling vital public utilities such as power, gas or water, who never considered they would ever be prone to cyber attacks are now having to implement measures to improve the security of their whole organization. The reality is that many companies have become highly dependant on digital information systems that have been tightly integrated into their business. Many SCADA systems that monitor and control critical infrastructure such as Power Generation and Transmission, Water and Waste Water and Pipelines over a wide area network, run on industry standard computers and networks. As such, these systems run a higher risk of being hacked into by cyber terrorists. Hypothetically, by hacking into a SCADA network monitoring water gates in a dam and taking control of the SCADA system, a cyber terrorist could wreak havoc by opening and closing of the gates at will. Whilst SCADA systems have been around for a few decades, cyber attacks have only become a prominent threat in recent times. As such, many SCADA systems which have been deployed in the past, have little or no security built in. In addition, SCADA systems are often a part of a company s engineering division and as a result, are seldom covered by their corporate security policy. Securing SCADA networks is relatively easy and should be considered as part of the company s overall security policy, requiring security measures and policies to be implemented on multiple levels, including: Defining a security policy Securing the SCADA network and operating environment Securing the SCADA application Detecting unauthorized intrusions Regulating physical access to the SCADA network Defining a security policy Security policies are becoming essential in today s corporate network. A security policy is a living document that allows an organization and its management team to draw very clear and understandable objectives, goals, rules and formal procedures that help to define the overall security position and architecture. As a starting point, an organization should have a corporate security policy and ensure that its SCADA network falls under the jurisdiction of this policy. Failure to have a security policy not only exposes the company to cyber attacks but may also lead to legal action. A security policy should cover the following key components: Roles and responsibility of those affected by the policy What actions, activities and processes are allowed and which are not? What are the consequences of non-compliance? Key personnel who need to be included in the development of the policy include: Senior management Information Technology department Human Resources and Legal The following areas of vulnerability should be considered: Network and operating environment security Application security Intrusion detection Regulating physical access to the SCADA network SCADA System Security 4

5 Measures to secure the SCADA network Corporate networks linked to the Internet or that use wireless technology may be more easily accessible to cyber terrorists and hackers. An organization can heighten its level of network security by isolating its SCADA network thereby restricting channels of external access. In many organizations, isolating the SCADA network from the Internet or Intranet is difficult because of requirements such as monitoring plants from a remote location. In the latter case, measures can be taken to secure your network and operating environment from unauthorized access to the SCADA systems. These include: Firewalls Virtual Private Networks De-militarized Zones Authentication Implement a secured firewall A secured firewall is imperative between the corporate network and Internet. The single point of traffic into and out of a corporate network, it can be effectively secured and monitored. A corporate network should have at least one firewall and a router separating it from the external network that is not within the company s dominion. When examining the firewall solution, consider if and how the firewall supports any security services that you may need. Microsoft Internet Security and Acceleration Server (ISA) virtual private network (VPN) can be used to set up the firewall. On larger sites it is also recommended to protect the control system from attack from within the SCADA network. This may be implemented by providing an additional firewall between the corporate and SCADA network. To maximize access and minimize the configuration required to maintain this firewall, a terminal server can be used to act as a gateway. Only traffic from the terminal server can pass into the SCADA network and a secured terminal server removes the ability for external applications to be used to attack the control system. Keep your network simple Simple networks are at less risk than more complex interconnected networks. Keep the network simple and, more importantly, well documented from the beginning. Minimize network access points A key factor in ensuring a secure network is the number of contact points. While firewalls have secured access from the internet, many existing control system have modems installed to allow remote users access to the system for debugging. These modems are often connected directly to controllers in the substations. The access point, if required, should be through a single point which is password protected and where user action logging can be achieved. Virtual Private Network One of the main security issues facing more complex networks today is remote access. With a VPN, all data paths are secret to a certain extent, yet open to a limited group of persons, for example, to employees of a specific company. VPN is a secured way of connecting to remote SCADA networks. Based on the existing public network infrastructure and incorporating data encryption and tunneling techniques, it provides a high level of data security. Deploy Internet Protocol Security ( IPsec) IPsec can be deployed within a network to provide computer-level authentication, as well as data encryption. IPsec can be used to create a VPN connection between the two remote networks using the highly secured Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec). De-militarised Zones (DMZ) DMZs are a buffer between a trusted network (SCADA network) and the corporate network or internet, separated through additional firewalls and routers, providing an extra layer of security against cyber attacks. SCADA System Security 5

6 Application Security In addition to securing the network, securing access to SCADA system components will provide a further defense layer. Authentication and Authorization Authentication is the software process of identifying a user who is authorized to access the SCADA system. Authorization is the process of defining access permissions on the SCADA system and allowing users with permissions to access respective areas of the system. Authentication and authorization are the mechanisms for single point of control for identifying and allowing only authorized users to access the SCADA system, thereby ensuring a high level of control over the system s security. To provide effective authentication the system must require each user to enter a unique user name and password. A shared user name implies a lack of responsibility for the protection of the password and the actions completed by that user. Users must be able to be created, edited and deleted within the system while the system is active to ensure that individual passwords can be maintained. In addition it is highly recommended that password aging be implemented. Password aging ensures that operators change their passwords over a controlled time period, such as every week, month or so on. To provide authorization the system must be able to control access to every component of the control system. The system must not provide a back door with which to bypass the levels of authentication specified in the application. Secured data storage and communication Critical data pertaining to a SCADA system must be securely persisted and communicated. It is recommended that critical data like a password be stored using an encryption algorithm. Similarly, remote login processes should use VPNs or encryption to communicate the user name and password over the network. Critical data like user name and password must be persisted in a secured data repository and access rights monitored and managed using secured mechanisms like Windows authentication and role based security. Audit Trails It is recommended that Audit trails on critical activities like user logins or changes to system access permissions be tracked and monitored at regular intervals. Securing your SCADA application may make it more challenging for external hackers to gain control of the system, however it won t prevent internal employees with malicious intent. Regularly tracking and monitoring audit trails on critical areas of your SCADA system will help identify unscrupulous activities and consequently take necessary corrective actions. Wireless Networks The two most common ways of gaining unauthorized access to a wireless network are by using an unauthorized wireless client, such as a laptop or PDA, or by creating a clone of a wireless access point. If no measures have been taken to secure the wireless network then either of these methods can provide full access to the wireless network. Many commercial wireless networks are available, these range in price, complexity and level of security provided. When implementing a wireless network a couple of standard security measures can be taken to minimize the chance of an attacker gaining access to the wireless network. Approved clients The access points in the wireless network contains a configurable list of all MAC addresses of the clients that are authorized to gain access to the wireless network. A client not listed in an access point will not gain access to the wireless network. Server Set ID (SSID) This is an identification string that can be configured on all clients and access points in your wireless network. Any client or access point participating on the wireless network must have the same SSID configured. The SSID is however transmitted as a readable text string over the network so only using SSID is not good enough to secure the wireless network. SCADA System Security 6

7 Wired Equivalent Privacy (WEP) All clients and access points should have a configurable static WEP. This is a 40, 64 or 128 bit encryption string that is entered in all clients and access points. Without a correct WEP string no access can be gained to the wireless network and the SSID is also encrypted using this string. In most cases, using an SSID and a WEP provides a secure solution. VPN (described earlier) was developed to provide secure connections through the Internet to internal corporate networks. A VPN simplistically creates a secure tunnel through open networks such as the Internet or a wireless network. Data transmitted through the tunnel is encrypted on the client and then decrypted and validated in a VPN gateway inside of the wireless access point. Another advantage with using a VPN is that a single solution provides security both for the wireless and wired network and the maintenance cost is lower. Intrusion Detection Firewalls and other simple boundary devices currently available lack some degree of intelligence when it comes to observing, recognizing and identifying attack signatures that may be present in the traffic they monitor and the log files they collect. This deficiency explains why intrusion detection systems, (IDS) are becoming increasingly important in helping to maintain network security. In a nutshell, an IDS is a specialized tool that knows how to read and interpret the contents of log files from routers, firewalls, servers and other network devices. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic or behavior it identifies in the logs it s monitoring against those signatures so it can recognize when a close match between a signature and current or recent behavior occurs. There are various types of IDS monitoring approaches: Network-based IDS characteristics: Network-based IDSs can monitor an entire, large network with only a few well-situated nodes or devices and impose little overhead on a network. Host-based IDS characteristics: Host-based IDS can analyze activities on the host it monitors at a high level of detail. It can often determine which processes and/or users are involved in malicious activities. Application-based IDS characteristics: An application-based IDS concentrates on events occurring within some specific application. They often detect attacks through analysis of application log files and can usually identify many types of attack or suspicious activity. In practice, most commercial environments use some combination of network- and host- and/or application-based IDS systems to observe what s happening on the network while also monitoring key hosts and applications more closely. Regulating physical access to the SCADA network Physical access to your network should be closely monitored: 1. Use built-in Microsoft Windows features such as NTFS to require user authentication when perusing network shares. 2. Do not allow anyone that does not belong to your organization to connect to your network Ethernet or have physical access to your IT server room. 3. Monitor your network regularly for activity that may be suspicious and note the IP addresses when running sniffing software or hardware on the network. 4. Ensure that there are no foreign IP addresses on the list. If you find a foreign IP address, trace route to the IP address. Once you locate where this foreign IP address originates from you can take action. If you are unsure physically disconnect the segment where the potential intruder may be on the network. For further information on Citect products and services, visit SCADA System Security 7