DNP SCADA to SCADA Over IP: Standards, Regulations Security and Best Practices
Earl Emerson, Director Systems Engineering, RAD Data Communications
2014 Utilities Telecom Council of Canada

Motivations for Migration to IP/Packet
- Decreasingly available TDM WAN networks
- Scalability of packet networks
- Mature packet technology
- Low cost packet technology
- Modern RTU/IEDs based on packet
- Aged equipment

Traditional Network Architecture
[Diagram labels: Remote Site A, Remote Site N, RTUs, T1 lines, multiplexers, DS-3/OC-3 TDM network, Control Room]

DNP Migration to IP/Packet Challenges
- Incremental vs forklift
- Costs
- Network technologies
- Security concerns

Incremental Migration with Terminal Server
[Diagram labels: Remote Site A, Remote Site N, RTUs, T1 lines, multiplexers, terminal server, DS-3/OC-3 TDM network, Control Room]

Incremental Migration with Terminal Server
[Diagram labels: Remote Site A, Remote Site B, Remote Site N, RTUs, terminal servers, multiplexers, T1 line, TDM, PSN network, DS-3/OC-3 TDM network, Control Room]

Risks Introduced by Migrating to Packet
- Because DNP3 is used in critical infrastructure, handling real-time processes, dedicated cyber security measures should be taken to protect the process flow from tampering
- The protocol itself has no security measures like encryption or authentication
- The SCADA networks in which DNP3 plays a key role are no longer maintained as closed LAN environments but are large inter-site networks, sometimes using public clouds as the medium

The Potential Impact of Successful Cyber Attacks
- Change in a system, operating system, or application configuration
- Change in programmable logic in PLCs, Outstations, or other controllers
- Misinformation reported to operators
- Tampering with safety systems
- Information theft
- Information alteration

Malicious Cyber Attack
- A hacker might retrieve the Outstation address and make configuration changes on it, corrupting its readings
- The effect on the grid management system is critical

Network Selection DOES Matter
- Some packet protocols are easier than others to breach
- Attacks can be initiated on both the control and data planes
- Especially susceptible are packet protocols that do not provide source authentication, that can provide dynamic routing, or that remove source information; these include IP and MPLS
- More static, rigid networks that require NMS authentication for routing and provide a universal address space with source authentication are more resistant; these include SONET and Ethernet

Examples of Attacks to IP/MPLS
- Control plane attacks:
  - DoS attack on the control plane: could cause nodes to reboot and network reconvergence
  - Control plane corruption: feeding erroneous/malicious information to the control plane, causing snooping, packets falling off the edge, or network loops
- Data plane attacks:
  - Plain vanilla DoS attacks
  - Snooping of network resources
  - Masquerading

Defense In Depth
- Layered Protection
- Standard Firewall, L2-L4 Filters and Encryption
- Selecting a security robust network technology (e.g. Ethernet)
- Distributed Application Aware Firewall
- Malware Protection
- Perimeter Network Protection

Carrier Ethernet Network Security
- Impervious to Control/Signaling attacks
  - No signaling/control plane
- Provides Source Authentication
  - Universal Address Space (MACs)
  - 802.1X standard for source authentication
- Resistant to Snooping/Scouting
  - L2 filtering
  - Host granular at a universal level

Distributed Firewall
- Distributed firewall concept, allowing per port activation
- Minimum addition to network latency
- In-depth packet inspection
[Diagram: DNP3 between the SCADA in the Control Center and the Outstation in the Substation]

Distributed Firewall
- Detailed set of rules between the SCADA and an Outstation
- L2 filtering to allow traffic only between the SCADA and Server MAC addresses
- L3 filtering to allow traffic only between the SCADA and Server IP addresses
[Diagram: validation of MAC addresses and of IP addresses on DNP3 traffic from the SCADA; violation: packet drop (optional), log, alert; legit: packet allowed]

Distributed Firewall
- Detailed set of rules between the SCADA and an Outstation
- L4 filtering to validate session flow between the SCADA and Server IP addresses
[Diagram: validation of TCP port direction (dst port 20000, src port 20000) on DNP3 traffic between the SCADA and the Outstation; violation: packet drop (optional), log, alert; legit: packet allowed]

Distributed Firewall
- Detailed set of rules between the SCADA and an Outstation
- Link address (LA) validation, verifying that the allowed Outstation is addressed
[Diagram: validation of Outstation ASDU (src link address, dst link address) on DNP3 traffic between the SCADA and the Outstation; violation: packet drop (optional), log, alert; legit: packet allowed]

Distributed Firewall
- Detailed set of rules between the SCADA and an Outstation
- Function code validation
- Group ID validation
- Objects validation
[Diagram: validation of function code & group id on function code messages and on replies to allowed function codes, between the SCADA and the Outstation; violation: packet drop (optional), log, alert; legit: packet allowed]

Firewall Modes of Operation
- Controlled integration of the firewall system is important to avoid unnecessary downtime to the live process
- Firewall Simulation mode
  - Traffic is inspected but not blocked
  - Violations are logged and presented visually

Firewall Modes of Operation
- Packet drop mode for ad hoc blocking
- Firewall Protect mode
  - Traffic is inspected and either allowed or blocked
  - Violations are logged and presented visually
  - Traps are sent to the northbound management system
  - Email notifications

Firewall Modes of Operation
- Ease of integration of the firewall system is important to reduce customer effort
- Learning mode
  - Traffic is learned and a tentative set of firewall rules is suggested

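As an added illustration (not code from the presentation or from any RAD product), the link-address and function-code checks from the Distributed Firewall slides and the simulation, protect and learning modes can be expressed over raw DNP3 link frames. The function names, addresses and rule contents are assumptions, the sample frames are constructed inline, and only the link header CRC is verified.

```python
import struct

def crc_dnp(data: bytes) -> int:
    """DNP3 link-layer CRC-16: reflected polynomial 0xA6BC, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return ~crc & 0xFFFF

def parse_frame(frame: bytes):
    """Return (dst, src, function_code); raise ValueError on a malformed frame."""
    if len(frame) < 13 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 frame with an application header")
    if crc_dnp(frame[:8]) != struct.unpack_from("<H", frame, 8)[0]:
        raise ValueError("bad link header CRC")
    # Bytes 4-7: little-endian link addresses. Bytes 10-12: transport, app control, fc.
    return (*struct.unpack_from("<HH", frame, 4), frame[12])

def check_frame(frame: bytes, rule: dict, mode: str = "simulate"):
    """Return (forwarded, violation). Simulation mode reports but never blocks."""
    try:
        dst, src, fc = parse_frame(frame)
        if (src, dst) == (rule["master"], rule["outstation"]):
            allowed = rule["requests"]
        elif (src, dst) == (rule["outstation"], rule["master"]):
            allowed = rule["responses"]
        else:
            raise ValueError(f"link addresses {src}->{dst} not allowed")
        violation = None if fc in allowed else f"function code 0x{fc:02X} not allowed"
    except ValueError as err:
        violation = str(err)
    return (violation is None or mode == "simulate"), violation

def learn(frames, master: int, outstation: int) -> dict:
    """Learning mode: propose a tentative rule from observed, well-formed traffic."""
    rule = {"master": master, "outstation": outstation, "requests": set(), "responses": set()}
    for dst, src, fc in map(parse_frame, frames):
        if {dst, src} == {master, outstation}:
            rule["requests" if src == master else "responses"].add(fc)
    return rule

def build(dst: int, src: int, fc: int) -> bytes:
    """Constructed minimal frame: link header plus one 3-byte data block."""
    hdr = b"\x05\x64" + bytes([8, 0xC4 if fc < 0x80 else 0x44]) + struct.pack("<HH", dst, src)
    body = bytes([0xC0, 0xC0, fc])  # transport header, application control, function code
    return hdr + struct.pack("<H", crc_dnp(hdr)) + body + struct.pack("<H", crc_dnp(body))

RULE = {"master": 1, "outstation": 10, "requests": {0x01}, "responses": {0x81, 0x82}}  # constructed
```

With this constructed rule, a WRITE (0x02) from the master is forwarded with a logged violation in `"simulate"` mode and dropped in `"protect"` mode.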
Summary
- Packet Networks are the future
- Migration Solutions exist
- Packet Networks Raise Security Questions
- Not All Network Technologies Equal
- Use of distributed application aware firewalls can further enhance security
- Technology is available today to defend against the multitude of threats