How To Protect Your Network From Attack

Transcription

1 NextGen SCADA security Erwin Kooi

2 Setting the stage This talk is not An introduction to SCADA security AIC versus CIA The latest blinky-lights SCADA security appliance How to use IT security in OT envrionments This talk is About next steps in SCADA security 2

3 ~/$ whoami Ing. Erwin Kooi, MSIT CISSP SCP Security Manager at Alliander Primary focus on OT, IT Data Center and new developments Background in healthcare electronics & IT Hacker and avid lockpicker 3

4 ~/$ cat /etc/group grep erwin Dutch Smart Meter Privacy & Security working group Dutch Smart Grid Cyber Security working group European FP7 project CRISALIS various Dagstuhl scientific seminars on SCADA security 4

5 Meet DSO Alliander in key figures Electricity distribution Customers: 3,3 million Grid: km Stations (sub, distribution): Gas distribution Customers: 2,6 million Grid: km Stations (sub, distribution): Company 12 Billion asset value 1.4 Billion revenues 400 Million Investment / Annum FTE KPI, Performance 19.8 SVBM (outage time in minutes per end user) 5

6 Our assignment 1 Establish, maintain and manage energy networks 2 Ensure reliable, affordable and safe energy supply 3 Contribute to (sustainable) developments 4 Contribute to better society

7 Connect customers (prosumers) to energy via Information-intensive network The DSO s new grid world 1. Electricity 2. Gas 3. Data New sensors / distributed computing on Transmission and Distribution Lines alarm operators, resolve problems, integrate large scale renewable generation Smart Meters and HAN help users to deploy energy more wisely, mitigate peak demand and integrate local generation Generation Transmission Distribution Users / Customers 7

8 Connect customers (prosumers) to energy via Information-intensive network Introduction of IT in lower parts of the grid Information sharing across domains Need for fast, reliable communication networks Guarantied propagation times Communication network layout does not follow grid layout Own Cu / (SiO 2 ) n network 8

9 Old SCADA 9

10 New SCADA 10

11 Remote location 11

12 Even more remote location 12

13 OMG Average IT security expert 13

14 However 14

15 Security vision Alliander resilience vision*: Alliander is a resilient organization capable of anticipating and responding on a range or threats against her mission Alliander security vision: Protecting the mission of Alliander and her stakeholders by securing our crown jewels against intentionally caused damage through human actions * Underwriting the WEF resilience principles 15

16 Anatomy of an attack Attacker Intel Gathering Vuln Research Exploit Maintain Control Post Exploit Intel Gathering Threat Analysis Data Correlation Intrusion Detection Contain & Mitigate Defender 16

17 Security approach 17

18 Security approach Baseline + additional measures and detection detection detection + flexible response -> CERT / CSIRT Breaches will occur prevent the stupid ones detect and respond to the others This is me Design and build for failures This is me too This requires close cooperation with asset owners! 18

19 Anticipation overview Clear data ownership and responisbility Security one of the main topics in IOT integration program Security framework for IT based on ISO 2700x, IEC and SABSA in line with IT architecture (TOGAF) Security framework for OT based on nationally accepted OLF 104 (subset of ISO 2700x) National privacy & security framework for smart meters based on ISO 2700x National security framework for smart grid in progress 19

20 Anticipation standards Standards and frameworks are nice Standards and frameworks give direction Standards and frameworks are compromises Standards and frameworks take time to develop Standards and frameworks are someone elses risk decisions 20

21 Anticipation situational awareness Monitoring community for known vulnerabilities Need an up-to-date inventory Example: Ruggedcom Private Key / known ID s vulnerability Only switch certified for IEC Should I fix this? Where is it deployed in our networks? Is it in Metasploit? -> yes, took only days msf > use auxiliary/scanner/telnet/telnet_ruggedcom msf auxiliary(telnet_ruggedcom) > set RHOSTS [TARGET HOST RANGE] msf auxiliary(telnet_ruggedcom) > run 21

22 Attention monitoring Current IDS focussed on IT. How low can you go? IEC / -104? IEC 61850? ICCP? Modbus? But a chatty Windows / *NIX laptop on our 104 network is never acceptable -> easy to detect Known bots are never acceptable -> easy to detect What are your devices telling you (and are you listening)? 22

23 Attention monitoring Vendors are catching up! SCADA protocols no longer exotic. Pilots in our 104 network with anomaly detection: 5 mins learning -> 7 false positives in a week 1 day learning -> 3 false positives in a month Doable! But who is going to monitor the logs and alerts? 23

24 Attention monitoring / action IDS -> IPS strategy Depending on the place in your network. Known badness (signature-based) blocked automatically? Anomalies passed to a human? Received From: >/var/log/auth.log Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system." Src Location: US,Pennsylvania,Scranton Portion of the log(s): Mar 12 04:39:33 vs3547 sshd[25648]: Invalid user user from Mar 12 04:39:33 vs3547 sshd[25622]: Invalid user x from Mar 12 04:39:29 vs3547 sshd[25514]: Invalid user mmroot from Mar 12 04:39:28 vs3547 sshd[25482]: Invalid user kai from Mar 12 04:39:24 vs3547 sshd[25373]: Invalid user mythtv from Mar 12 04:39:21 vs3547 sshd[25255]: Invalid user postgres from Mar 12 04:39:19 vs3547 sshd[25180]: Invalid user prueba from Mar 12 04:39:17 vs3547 sshd[25149]: Invalid user db2inst1 from

25 Attention research Security research is not our core business Partnering with research institutions ENCS University Twente Partnering with industry IBM Siemens Fox-IT 25

26 Attention research The CRISALIS consortium Security industry Control system industry/end users Academia

27 Attention correlation Not only network and system events, but also its surroundings (NOTE: these also introduce interesting vulnerabilities security devices!:= secure devices) 27

28 Attention correlation Data correlation, a scenario: Someone is entering a substation There are no work permits for this time at that station There is no disruption or malfunction in that station There is suddenly a HMI protocol running on the network + Intruder alert! Respond notify operators notify police limit network traffic from that station 28

29 Rational response contain & mitigate Computer Emergency Response Team (CERT) Also the team that does vulnerability / threat analysis Also the team that does monitoring Prepare and mandate common scenarios Temporary disconnect a substation from the Control Room Reboot systems in the Control Room Escalate to business crisis team if scenarios are not mandated Shutdown a substation Shutdown SCADA networks Shutdown Internet connection 29

30 Rational response evaluate & learn Share incidents with vendors and community Need to have establish trusted relations with your vendors and competitors Incidents are input for continuous improvenemt and growing to the next NextGen SCADA security 30

31 31

32

33 On a personal note Black out by Austrian writer Marc Elsberg ISBN (Dutch version) An European black out scenario with its impact on society, using a simple Smart Meter / SCADA hack with some physical sabotage Not sure if I should make this compulsory or banned 33

34 End-to-End SCADA Security: Implementing a robust cyber security strategy to protect SCADA systems in the digital age Creating a company-wide cyber security vision with SCADA systems in mind Translating this vision into a strategy with a roadmap and how a security architecture can help Defining how robust your security should be Identifying opportunities to increase (embedded) security measures for new and existing SCADA systems and processes, in line with your security strategy Erwin Kooi, Information Security Manager, Alliander 34