Step by Step: The Journey to Secure SCADA Systems

Transcription

1 Step by Step: The Journey to Secure SCADA Systems Miguel Chavero Dec 2012

2 IBERDROLA OVERVIEW Installed Capacity Total Production +286% % Dirección de Servicios Negocio Liberalizado Europa Continental 2

3 IBERDROLA OVERVIEW MW x MW Renewable, 3 Hydro, 21 Coal, 27 Renewable, 29 Hydro, 51 Nuclear, 7 Cogen, 2 Coal, 10 Nuclear, 20 Combined Cicle, Dirección de Servicios Negocio Liberalizado Europa Continental 3

4 IBERDROLA OVERVIEW EBITDA (MM ) EBITDA by Bussiness Renewable Liberalized Regulated Dirección de Servicios Negocio Liberalizado Europa Continental 4

5 IBERDROLA OVERVIEW EBITDA by Country KPI s (MM ) Brazil Spain USA Gross Margin Net Op. Exp. UK EBITDA Dirección de Servicios Negocio Liberalizado Europa Continental 5

6 IBERDROLA OVERVIEW SANTURCE 396 MW, 109FA CASTEJÓN 379 MW, 109FA We lead the construction of combined cycle power plants on Spain MW since 2001 TARRAGONA POWER 417 MW, 1FA CASTELLÓN A 782 MW, 209FA ARCOS I y II 783 MW, 2X109 FA ARCOS III 823 MW, 209FB ACECA 386 MW, 109FA CASTELLÓN B 839 MW, 209FB ESCOMBRERAS 816 MW, 209FB Dirección de Servicios Negocio Liberalizado Europa Continental 6

7 Chinese philosopher Lao-Tzu said, A journey of a thousand miles begins with a single step, SECURITY IS NOT A PRODUCT IS A PROCESS Dirección de Servicios Negocio Liberalizado Europa Continental 7

8 ISO Information is an asset that, like other important business assets, is essential to an organization s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities. ASSETS => MANAGE RISKS => REVENUES CYBERSECURITY = RISK Dirección de Servicios Negocio Liberalizado Europa Continental 8

9 Electrical Sector After11-S, Department of Homeland Security appeared Since > CIP standards mandatory Since > Nuclear CyberSecurity Standards. 1M USD / day!! penalty UK leading (CNPI), EU still starting Dirección de Servicios Negocio Liberalizado Europa Continental 9

10 Our Journey 2005: EPRI Program 86 EIS (Energy Informatio n Security) 2005: Started AURA Project 2006: AURA.PER IN Project (Firewallin g) on CCGT s 2006: CISSP Certificati on and SANS training 2007: First CyberSecu rity Plan for Thermal Stations 2007: EPRI PowerSec (sectorial benchmar king) 2007: AURA.XXXX projects started 2009: Coal Stations projects 2011: COGEN stations projects 2012: Collaboration with Nuclear stations Dirección de Servicios Negocio Liberalizado Europa Continental 10

11 AURA PROJECT = The Beginning. Impact on your assets RISKS! Consecuences on your process ACTIONS! Dirección de Servicios Negocio Liberalizado Europa Continental 11

12 AURA PROJECT Dirección de Servicios Negocio Liberalizado Europa Continental 12

13 D N B T P W V AURA PROJECT ADH Contramedidas Punto Acceso #2: NINGUNA GT ST UDH/ ArcNet GE Atlanta OSM HMI HMI PDH Contramedidas Punto Acceso #6: NINGUNA WAN DCG PDA VIB PI AW AW NODE BUS RTU Router Contramedidas Punto Acceso #3: NINGUNA IT-MONITOR Contramedidas Punto Acceso #1: Firewall s WAN IBERDROLA INTERNET Otras Redes Contramedidas Punto Acceso #5: VPN s CP CP CP PLC CEMS PC-PLC PC-PLC MEDIOAMBIENTE Fabricante Contramedidas Punto Acceso #4: NINGUNA Casetas Gobierno Host Dirección de Servicios Negocio Liberalizado Europa Continental 13

14 AURA PROJECT Dirección de Servicios Negocio Liberalizado Europa Continental 14

15 AURA PROJECT La Laguna 500 MW Monterrey III 1000 MW Jun 02 Tamazunchale 1000 MW Junio 07 Altamira III y IV 1000 MW Altamira V Nov MW Jun 06 CT Pasajes 200 MW Jun 09 CT Velilla 400 MW Jun 09 Aceca MW Jun 05 Termopernambuco 500 MW Feb MW CT Lada Jul MW Jun 09 Arcos 1 y MW Dic 04 Arcos MW Jun 05 EW Vitoria, Aranda, Valladolid Santurce 4 EW Cartagena 150 MW Jul MW Ene 05 Escombreras MW Nov 06 Castejón MW Abr 03 Castellón MW Sep 02 CN Cofrentes MW Sep 10 CC Riga 400 MW Tarragona Power 400 MW Ene 04 Castellón MW Dic 07 Dirección de Servicios Negocio Liberalizado Europa Continental 15

16 D N B T P W V AURA PROJECT AURA.ANVIR AURA.CABSE AURA.NETMON AURA.SECDIS GT ST UDH/ ArcNet ADH Contramedidas Punto Acceso #2: Migrar a conexión Red a Red GERES-RT134 OSM PDA VIB PI HMI AW HMI AW PDH NODE BUS RTU Contramedidas Punto Acceso #6: A estudiar Router? PDTE. WAN DCG Fabricante IT-MONITOR Contramedidas Punto Acceso #1: Firewall s + Doble Factor + WAN Encriptación + IBERDROLA Detección Intrusión Host Contramedidas INTERNET Punto Acceso #5: VPN s + Doble Factor Otras Redes CP CP AURA.PERIN AURA.DETIN AURA.SECAR/GESUR AURA.ENCRIPTA AURA.SECAR/GESUR CP PLC CEMS PC-PLC PC-PLC MEDIOAMBIENTE AURA.DIALUP RAS Casetas Gobierno Contramedidas Punto Acceso #3 y #4: RAS con CHAP Dirección de Servicios Negocio Liberalizado Europa Continental 16

17 MODE SYST RPS MASTR STAT DUPLX SPEED 1X 2X X 12X 13X 14X X 24X Catalyst 2960 SERIES 1 2 MODE SYST RPS MASTR STAT DUPLX SPEED 1X 2X X 12X 13X 14X X 24X Catalyst 2960 SERIES 1 2 AURA.PERIN CABLE RED PLANO CABLE RED CRUZADO CABLE ALIMENTACIÓN RED CORPORATIVA IBERDROLA 220 V - SAI External FWPERCGARA01 Lan1/Sync External Lan1/Sync FWPERCGARA02 DMZ Consola Consola Internal 220 V - RED TV2 + TV2 Touch Pannel Internal DMZ Port 1 Fa1 Port 2 BOP/HSRG Port 3 CYCLACGARA Port 4 HMICGARA HMITV+Resto elementos SWPERCGARA01 Gi0/2 Gi0/1 Consola Fa0/1 Fa0/2 Fa0/1 Fa0/2 Consola Fa0/8Fa0/9 Fa0/17 Fa0/6 Fa0/15 Fa0/12 Fa0/5 Fa0/24 Fa0/11 Fa0/12 Fa0/24 Fa0/5 Fa0/16 Gi0/1 Gi0/2 Fa0/11 Fa0/6 Fa0/13 SWPERCGARA02 Woodward NetCon RED-2 VOLANTE (PDA) AP RWIFICGARA SWITCH OFICINA RSA RED-1 RED-2 RED-1 RED-3 RSA RED-1 RED-2 RSA OSMCGARA TV1 GW EMERSON HSTCGARA NIDSCGARA OPCCGARA PTA Dirección de Servicios Negocio Liberalizado Europa Continental 17

18 AURA.DETIN (NIDS + HIDS) Dirección de Servicios Negocio Liberalizado Europa Continental 18

19 AURA.ANVIR IBERDROLA Network Firewall Perimetral CMDS AutoFTP Manager Gestor Actualizaciones Ficheros Ciclo Combinado #1 Firewall Perimetral INTRANET INTERNET Firewall Corporativo Web Fabricante Ciclo Combinado #n Firewall Perimetral Dirección de Servicios Negocio Liberalizado Europa Continental 19

20 AURA.BACKUP Automated Backups/Restores Dirección de Servicios Negocio Liberalizado Europa Continental 20

21 AURA.BACON Users Off-Line On-Line Networking devices OS + APP s Cyphered e-safe Dirección de Servicios Negocio Liberalizado Europa Continental 21

22 AURA.SECAR Network to Network Dirección de Servicios Negocio Liberalizado Europa Continental 22

23 AURA.SECAR Network to Network Dirección de Servicios Negocio Liberalizado Europa Continental 23

24 AURA.SECAR Host to Network Dirección de Servicios Negocio Liberalizado Europa Continental 24

25 -0,2-0,4 The Journey to Secure SCADA Systems -0,6 AURA.CPD ,00 horas /05/2012 7:44:28 not available not available not available not available 0-0, /05/2012 7:44:28 24,00 horas 08/05/2012 7:44:28 UNIT 1 - Valor Sensor 1 20,000 50,000 52,000 20,000 0,0000 0,0000 0,0000 0,0000 0,0000 0,0000 0,0000 0,0000 0,0000 0,0000 0,0000 0, , , , :unit1SensorValue:1 20, :unit1SensorValue:2 50, :unit1SensorValue:3 52, :unit1SensorValue:4 20, , ,00 horas /05/2012 7:44: /05/2012 7:44: /05/2012 7:44:29 UNIT 1 - Valor Sensores Temperatura :unit1SensorValue:1 20, :unit1SensorValue:4 20,000 SETPOINT LOW.Value 10 SETPOINT WARNING.value 30 SETPOINT HIGH.Value /05/2012 7:44:29 24,09 horas UNIT 1 - Valor Sensores Humedad 08/05/2012 7:50: :unit1SensorValue:2 50, :unit1SensorValue:3 52, SETPOINT LOW_.Value SETPOINT WARNING_.Value /05/2012 7:44:29 24,09 horas 08/05/2012 7:50:02 SETPOINT HIGH_.Value 85 Dirección de Servicios Negocio Liberalizado Europa Continental 25

26 AURA.CPD Dirección de Servicios Negocio Liberalizado Europa Continental 26

27 AURA LABCON DCS MKVI de GE Turbogrup DCS I/A Invensys BOP & Boiler PLC S7400 Siemens Real Sensors LAB Field Points - National Instruments Real PROCESS (Combined Cycels, Coal, Cogen, etc) LAB PC with Models using Labview 2 Dirección de Servicios Negocio Liberalizado Europa Continental 27

28 AURA.xxxx Other Projects AURA.ARMIA: Physical SAFES for backups and media devices. AURA.CABSE: Physical protection against wilfull damages on Network pactch cords and networking devices AURA.ENCRIPTA: Comunnication channels encryptation (256 AES) AURA.NETMON: SCADA end-point and network devices monitoring AURA.DAPLI: Lay-Out and protocols documentation AURA.CENLOG: SIEM tool AURA.DETIN 2.0: Netwitness tool Dirección de Servicios Negocio Liberalizado Europa Continental 28

29 AURA PROJECT: AWARENESS AND POLICIES INFORMATION CLASSIFICATION CRITICAL CYBER ASSETS ASSESMENT EQUIPMENT INVENTORY APPLICATION INVENTORY PHYSICAL LAY- OUTS NELIB Global Criteria BY BUSSINESS LOGIC LAY-OUTS CYBERSECURITY INCIDENT RESPONSE CHANGE MANAEMENT INCIDENT DATABASE CHANGE DATABASE Dirección de Servicios Negocio Liberalizado Europa Continental 29

30 AURA PROJECT: AWARENESS AND POLICIES MALWARE PROTECTION End-Point Secured Inventory BACKUP/RESTORE Maintenance procedures REMOVABLES DEVICES Granted Devices Inventory Procedure Records TECHNICAL PROCEDURES THIRD PARTY DEVICES USAGE Approval Form CREDENTIAL MANAGEMENT Chypered Safe REMOTE ACCESS Granted Provides Inventory NETWORK GUIDELINES Lay-Out Templates Dirección de Servicios Negocio Liberalizado Europa Continental 30

31 AURA PROJECT: AWARENESS AND POLICIES Key-Users awareness through webex Upper Management reporting Key-Users Technical reporting Never give up.keep fighting.. Dirección de Servicios Negocio Liberalizado Europa Continental 31

32 The journey never ends doing now Dirección de Servicios Negocio Liberalizado Europa Continental 32

33 AURA.MARS CONCEPT What is MARS? A hollistic approach to Security Monitoring and Response Why MARS? Because threats are complex, resources are scarce, and response time is critical How is MARS different from standard approaches? We use both the standard and the most advanced Security Strategies and Technologies and highly integrate and automate them so they can work together efficiently Dirección de Servicios Negocio Liberalizado Europa Continental 33

34 AURA.MARS CONCEPT (Note: Nothing to do with Cisco MARS) Dirección de Servicios Negocio Liberalizado Europa Continental 34

35 AURA.MARS CONCEPT Dirección de Servicios Negocio Liberalizado Europa Continental 35

36 AURA SECDIS End-Point Security Whitelisting + Sandboxing Dirección de Servicios Negocio Liberalizado Europa Continental 36

37 AURA e-conseg Reporting Web Console Dirección de Servicios Negocio Liberalizado Europa Continental 37

38 Fighting with STANDARS ISO ISA-99 NIST CIP RG 5.71 SANS CERT CPNI Getting the most Fitting legal/bussiness requirements Dirección de Servicios Negocio Liberalizado Europa Continental 38

39 SANS TOP 20 CONTROLS SANS CONTROL Critical Control 1: Inventory of Authorized and Unauthorized Devices Critical Control 2: Inventory of Authorized and Unauthorized Software Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers Critical Control 4: Continuous Vulnerability Assessment and Remediation Critical Control 5: Malware Defenses IBERDROLA STATUS COMMENTS Nowadays defining templates Procedure in place, resources pending Dirección de Servicios Negocio Liberalizado Europa Continental 39

40 SANS TOP 20 CONTROLS SANS CONTROL Critical Control 6: Application Software Security IBERDROLA STATUS COMMENTS Whitelisting Critical Control 7: Wireless Device Control Critical Control 8: Data Recovery Capability Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches Never ending Vendor restrictions Dirección de Servicios Negocio Liberalizado Europa Continental 40

41 SANS TOP 20 CONTROLS SANS CONTROL Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services IBERDROLA STATUS COMMENTS Critical Control 12: Controlled Use of Administrative Privileges Very difficult on SCADA environment Critical Control 13: Boundary Defense Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs Critical Control 15: Controlled Access Based on the Need to Know Very difficult on SCADA environment Dirección de Servicios Negocio Liberalizado Europa Continental 41

42 SANS TOP 20 CONTROLS SANS CONTROL Critical Control 16: Account Monitoring and Control IBERDROLA STATUS COMMENTS Critical Control 17: Data Loss Prevention Critical Control 18: Incident Response and Management Critical Control 19: Secure Network Engineering Critical Control 20: Penetration Tests and Red Team Exercises Waiting for resources Dirección de Servicios Negocio Liberalizado Europa Continental 42

43 CONCLUSIONS TAKE YOUR TIME!!!! Holistic approach required. Be GLOBAL Focus on your own risks, each business is different!!! You have to assume some risks (i.e.: vendor restrictions) Be ready for the impact!!!!. Recovery Disaster procedures very important Do not miss forensics tools and procedures Testing facilities is a must There is not a super product. Integration is required Working close to your control system vendors, remember they are not good!!! Open Source helps do not miss it!!! Never walk alone.internal and external support is critical!!! Dirección de Servicios Negocio Liberalizado Europa Continental 43

44 Spanish writer Antonio Machado said, Caminante, no hay camino se hace camino al andar, Walker, there is no path, you do it when you walks Miguel Chavero CISSP#: Dirección de Servicios Negocio Liberalizado Europa Continental 44