The State-of-the-State of Control System Cyber Security

Transcription

1 The State-of-the-State of Control System Cyber Security Prepared for HTCIA September 19, 2012 Joe Weiss PE, CISM, CRISC, ISA Fellow (408)

2 Summary Control systems are different than IT Control system cyber forensics and logging is minimal at best so you don t know when there has been a cyber event There will probably be a cyber Pearl Harbor but you won t know it is cyber because of the lack of control system cyber forensics Cyber threats to control systems are not just the network but insecure engineering designs/features that cannot be patched (see Stuxnet and Aurora) A good attacker wanting to cause damage will go after the engineering features Securing control systems is a trade-off between performance and security where performance must win The issue is by how much It takes control system experts that understand the domain and IT experts that understand security working together to secure control systems

3 What are Industrial Control Systems Industrial control systems (ICSs) operate power, water, chemicals, pipelines, military systems, etc ICSs include SCADA/EMS, DCS, PLCs, RTUs, IEDs, smart sensors and drives, emissions controls, equipment diagnostics, AMI (Smart Grid), programmable thermostats, building controls, Focus is reliability and safety

4 Control Systems Basics Slide courtesy of Anixter Proprietary

5 Where is ICS Technology Going More intelligence Intelligence moving closer to the process More interoperability With ICS and IT More networking Inside and outside the plant More on-line interactions Affecting control and safety Cyber!

6 ICSs are Different than IT The Internet and Microsoft are not necessarily the biggest ICS cyber threats External malicious threats are not necessarily the biggest concerns Firewalls and VPNs may not be adequate IDS will probably not identify ICS attacks Field devices have been hacked Default passwords and backdoors are not uncommon Many ICSs have hardware configurations that are cyber vulnerable and cannot be patched or fixed Patching is difficult and can have unintended consequences Cyber forensics and logging may not exist

7 What has happened recently Brazilian control system network infections Russian Sayano Shushenskaya Dam failure ExxonMobil Yellowstone River gasoline pipeline break China bullet train crash BART computer failure San Bruno Illinois water SCADA hack? South Houston water SCADA hack ICS metasploits now available Polish train crash Digital camera shuts down nuclear plant Asian power plant with loss of control logic Iranian paper on Stuxnet

8 ICS Security Expertise Lacking ICS Security Experts IT Security ICS Engineering

9 Cyber Incident Definition An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (FIPS PUB 200, Minimum Security Requirements for Federal Information and Information System, March 2006.) What is important about this definition Intentional or unintentional Actual or potential compromise of CIA Violation or imminent threat to CIA Why care about unintentional If it can be done unintentionally, it can probable be done intentionally

10 Turbine overstress due to systems incompatibility

11 Complete loss of all DCS logic with plant at power

12 Broadcast storm shutting down main coolant pumps

13 Forced scram due to unknown interconnections

14 Pipeline Ruptures June 1999 Bellingham, WA September 2010 San Bruno, CA

15 DC Metro Train Crash

16 Possible Aurora Attack Aurora Demonstration - INL Iranshahr Power Plant - Iran Common thread- Coupling failures

17 What Needs to be Done Obtain senior management buy-in Include security as part of the design basis Understand what you have and that it is a lifecycle issue Recognize potential reliability and safety issues with digital systems Treat plant security as an engineering issue, not a compliance game Include IT and operations as a team

18 Conclusions Can not fully secure ICSs Worry about intentional and unintentional Need to be able to recover Threats are real Lack of forensics complicates root cause analysis Need appropriate knowledge and coordination Security needs to be considered This isn t IT but we need IT

19 Why attend the conference? Learn details of the most recent control system cyberincidents, from people on the front-lines, Exchange best practices with peers and control system users from various industries, Become part of the solution by analyzing root-causes and working with vendors to resolve them, Expand your network of industrial control system users and solution providers. A unique and much-needed event The conference is focused on the specific cyber-security challenges of industrial control systems. In recent years, hopes of achieving security through obscurity and isolation were dashed by the increased connection of control systems to the internet and contagion from outside elements such as USB thumb-drives. Control systems differ from IT systems in key aspects communication protocols & OS, memory & processing capacity, accessibility, lifespan as well as in their purpose and priorities physical world interaction, availability above all else, etc. Despite those differences, cyber-security discussions lump ICSs into Enterprise and Cloud IT and as a result, ill-fitting security processes and products leave large parts of these particular, complex and impactful systems exposed. The conference pursues three objectives: To inform, through the sharing of cyber-vulnerability accounts, in the trusted setting of the conference. To explain, by analyzing adverse events on ICSs and understanding the interaction of their components To improve the status quo, by allowing users to be informed and discuss their needs with vendors of control systems and of security solutions in a constructive environment. More information and registration at Applied Applied Control Control Solutions Solutions Proprietary Proprietary Information Information 19