Techno Security's Guide to Securing SCADA

Transcription

1 Techno Security's Guide to Securing SCADA

2 Foreword xxiii Chapter 1 Physical Security: SCADA and the Critical Infrastructure's Biggest Vulnerability 1 Introduction 2 Key Control 3 Check All Locks for Proper Operation 4 A Little More about Locks and Lock Picking 5 The Elephant Burial Ground 12 Dumpster Diving Still Works 18 Employee Badges 20 Shredder Technology Has Changed 22 Keep an'eye on Corporate or Agency Phonebooks 23 Tailgating 24 Building Operations Cleaning Crew Awareness 25 Spot-Checking Those Drop Ceilings 28 Checking for Key Stroke Readers 28 Checking Those Phone Closets 31 Removing a Few Door Signs 32 Review Video Security Logs 32 Motion-Sensing Lights 33 Let's Go to Lunch 34 Fun in Manholes 37 Internal Auditors Are Your Friends 40 Always Be Slightly Suspicious 40 Getting Every Employee Involved 41 Summary 42 Solutions Fast Track 42 Frequently Asked Questions (and Special Interviews) 45 Chapter 2 Supervisory Control and Data Acquisition 61 Introduction 62 Just What Is SCADA? 62 SCADA Systems and Components 65 Remote Terminal Units (RTUs) 65 Programmable Logic Controllers (PLC) 65 xv

3 Discrete Control 65 Continuous Control 65 Human Machine Interface (HMI) 66 Distributed Control Systems (DCS) 66 Hybrid Controllers 67 Event Loggers 67 Common SCADA Architectures 68 SCADA Communications Protocols 70 How Serious Are the Security Issues of SCADA? 71 Determining the Risks in Your SCADA System 75 Risk Mitigation for SCADA 76 Firewall Considerations for SCADA 78 Negative and Positive Security Models in Firewalls 79 Multi-Network Connectivity 79 Reactive and Proactive Solutions 80 Firewall Inspection Methods 82 Static Packet Filter 82 The Stateful Packet Filter 83 The Circuit-Level Gateway 84 Application-Level Gateway (Proxy) 85 Intrusion Prevention Gateway 87 Deep Packet Inspection 88 Unified Threat Management (UTM) 89 Summary 90 Solutions Fast Track 90 Frequently Asked Questions 93 Chapter 3 SCADA Security Assessment Methodology 95 Introduction 96 Why Do Assessments on SCADA Systems? 96 Assessments Are the Right Thing to Do 97 Assessments Are Required 97 Information Protection Requirements 97 National Institute of Standards and Technology (NIST) Guidance 98 North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) Standards 99 Water Infrastructure Security Enhancement (WISE) 99 The Critical Infrastructure Information Act of An Approach to SCADA Information Security Assessments 100 Pre-Project Activities 102

4 Vetting the Assessment Request 102 Gaining Buy-In from Management and Technical Personnel 102 Management Buy-In 103 Technical Staff Buy-In 103 Researching the Organization 104 Researching Regulatory and Policy Requirements 105 Determining if this Is a Baseline Assessment or a Repeat Assessment 106 Making a Go/No-Go Decision 106 Pre-Assessment Activities 106 Determining the Organizational Mission 107 Identifying Critical Information 107 Example: Information Criticality 108 Business Description 108 Mission Statement 108 Critical Information for OOPS 109 Identifying Impacts 109 Example Continued: OOPS Impact 110 The Information Criticality Matrix 110 Using the Impact Definitions Ill Organizational Criticality Ill Example Continued: OOPS OICM 112 Identifying Critical Systems/Networks 113 OOPS Example Continued 113 Defining Security Objectives 116 Determining Logical and Physical Boundaries 117 Physical Boundaries 117.Logical Boundaries 117 Determining the Rules of Engagement, Customer Concerns, and Customer Constraints 117 The Rules of Engagement 118 Levels of Invasiveness 118 Testing Machine Addressing 118 Time Frames for Scanning and Interviews 119 Notification Procedures 119 Scanning Tools and Exclusions 119 Customer Concerns 119 Customer Constraints 120 Legal Authorization 120 Writing the Assessment Plan 120

5 Components of the Assessment Plan 120 On-Site Assessment Activities 122 Conducting the Organizational Assessment 122 Documentation Review 123 Interviews 123 System Demonstrations 124 Observation 124 Conducting the Technical Assessment 124 Enumeration Activities 125 Vulnerability Identification Activities 125 Tools 127 Communication 127 Post Assessment Activities 127 Conducting Analysis 127 Final Report Creation 128 Resources 129 Summary 130 Solutions Fast Track 131 Frequently Asked Questions- 134 Chapter 4 Developing an Effective Security Awareness Program 137 Introduction 138 Why an Information Security Awareness Program Is Important 140 We Fail to Recruit Our Employees into the Company's Security Program 141 We Need to Take the Issue Seriously 142 How to Design an Effective Information Security Awareness Program 143 Seven Times, Seven Different Ways 146 Show Me the Money! 148 Two Important Keys to Implementing an Effective Program 150 To Print or Not to Print 152 Online Training Programs 154 Your In-House Web Site 154 How to Implement an Information Security Awareness Program 155 What We Have Here Is a Failure to Communicate 157 Communicate, Communicate, Communicate! 157 Other Touch Points 157 Manager's Quick Reference Guide 158 Let's Talk about Alliances 159 Audit 159

6 Legal 159 Privacy 159 Compliance 160 Training and Communications 160 Personnel 160 Information Security Consultants 161 How Do You Keep Your Program a Successful Component of Your Company's Mindset? 162 How to Measure Your Program 163 Summary 167 Solutions Fast Track 167 Chapter 5 Working with Law Enforcement on SCADA Incidents 171 Introduction 172 SCADA System Overview 172 Secure Network Management 175 Securing Wide Area Network Perimeter 175 Controlling Access 176 Performing Network Backup and Recovery 176 Transmitting Legacy Non-Routable Protocol Securely 176 Dial-Up Access to the Remote Terminal Units (RTU) 178 Vendor Support: Dial-Up Modem/VPN Access 178 IT Controlled Communication Gear 178 Corporate VPNs 179 Database Links 179 Poorly Configured Firewalls 180 Business Partner Links 180 Managing Security Events 181 Conduct Routine Assessments 182 Examples of Common Attack Techniques 182 Man-In-The-Middle Attacks (MITM) 182 Key-Logger Software 183 Summary 184 Solutions Fast Track 185 Frequently Asked Questions 187 Chapter 6 Locked but Not Secure: An Overview of Conventional and High Security Locks 189 Introduction 191 Conventional Pin Tumbler Locks 192 The Origins of the Modern Pin Tumbler Lock 194

7 A Review: The Essentials of Pin Tumbler Lock Design 196 Security Enhancements for Conventional Locks 197 Anti-Bumping Pins 197 Security Pins 198 Keyways and Related Designs 199 Bitting Design 199 Design of the Key 200 Standards for Conventional and High Security Locks 201 Transforming a Conventional Cylinder to High Security 202 Deficiencies in the UL 437 Standard 204 Failure to Specify Real World Testing 204 Pick and Impressioning Resistance 205 Complex Forms of Picking 206 Forced Entry Resistance 206 Issues Not Addressed by UL Bump Keys 207 Decoding Attacks 208 Key Control 208 Mechanical Bypass of Locking Mechanisms 209 BHMA/ANSI Standards: and BHMA/ANSI High Security Locks and the BHMA/ANSI Standard 210 The Concept of Security 211 BHMA/ANSI High Security Standard 212 Key Control 213 Destructive Testing 213 Surreptitious Entry Resistance 214 Deficiencies in the Standard 214 Security Vulnerabilities of Conventional Locks: Why High Security Locks Are Supposed to Offer More Protection Against Methods of Entry 215 Conventional Pin Tumbler Locks: Security Vulnerabilities and Their Compromise 216 Lock Control Procedures 217 Key Control and Key Security 218 Key Security 218 The Concept of Key Control As It Applies to Security 219 The Importance of Key Control and Key Security 219 Rights Amplification 220 Replication, Duplication, and Simulation of Keys and Key Blanks 221

8 Gathering Intelligence About a System from Its Keys 221 Covert Entry Techniques: Manipulation of Internal Locking Components Bumping 223 Picking 223 Impressioning 223 Extrapolation of the TMK 223 Mechanical Bypass 223 High Security to High Insecurity: Real World Attacks 224 Summary 226 Solutions Fast Track 226 Frequently Asked Questions 228 Chapter 7 Bomb Threat Planning: Things Have Changed 231 Introduction 232 The Day Our World Changed 233 Insider Information: Where Do These Guys Get This Stuff? 234 The Terrorist Profile 236 Potential Terror Targets 237 Statement Targets 237 Infrastructure Targets 238 Commercial Targets 239 Transportation Targets 239 What Should I Be Looking For? 239 The Container 240 The Power Source 240 Switches 240 Initiators 241 Main Charge 242 Searching: What Am I Looking For and Where? 244 Recommendations for Target Hardening. 245 Outside 245 Employee Identification 246 Cameras 246 Deliveries 246 Interior 246 Mail rooms 247 Evacuation Plans 249 Summary 251

9 Chapter 8 Biometric Authentication for SCADA Security 253 Introduction 254 Understanding Biometric Systems and How They Are Best Used for SCADA Security 255 Footprints to DNA Readings 255 Human Measurements Can Slow Machines 255 Biometric System Imperfections Are at Odds with Perception 256 What is Biometric Authentication? 256 Multiple Factor Authentication 257 What Parts of You Can Be Measured for Security Purposes? 257 Common Measurements for Current Biometric Authentication 257 How Does Biometric Comparison Work? 258 Where Are Biometrics Used in SCADA Systems? 260 Choosing the Best Form of Measurement for Your System 261 Biometric Measurements Trigger Recognition 261 Biometric Measurements Useful in SCADA Security Processes 262 Identify Your System Priorities Before Choosing a Biometric Application 264 Where are Biometric Authentication Regimes Vulnerable? 266 Tricking the Biometric Capture Device 266 Electronic Manipulation of the Authentication Process 268 Identity Theft with Biometric Files: Capturing Your Essence 269 Presumptions of Accuracy 270 How Can We Replace That Finger? 270 Measuring Minutia Can Be Safer Than Storing a Whole Biometric Photograph 271 Anticipating Legal and Policy Changes That Will Affect Biometrics 272 Summary 274 Solutions Fast Track 274 Frequently Asked Questions 276 Appendix 279 Index 319