Systems and Internet Infrastructure Security
Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park PA

SCADA Security Measures
CSE 598E Critical Infrastructure Security
Paper 1: The VIKING Project - Towards more Secure SCADA Systems
Written by: Gunnar Björkman
Presented by: Diana Koshy
Type of Paper: Expository
This paper discusses a future project aimed at analyzing the security of SCADA systems. It also describes how SCADA systems work.
The Problem
Security on SCADA systems needs to be improved (or at least exist!)
The Problem
- SCADA systems need to be secure, since a problem with the system has dire consequences
- Security is non-trivial, since the systems are very complex and must perform under strict conditions
The Problem
- Risks come from insiders as well as from new access points opened by connecting the SCADA system to corporate networks, engineers, contractors, vendors, etc.
- These risks have been somewhat mitigated by firewalls and Demilitarized Zones (DMZs)
- Risks also come from the use of standardized protocols, hardware and software
- Communication protocols are becoming more standardized to allow different hardware to communicate
The Solution
The objective of the VIKING project is to develop, test and evaluate methodologies for the analysis, design and operation of resilient and secure industrial control systems for critical infrastructure.
Background: Structure of a SCADA System
- Sensors
- Remote Terminal Units (RTUs)
- Station Control Systems
- Central Control System
- Workstations
- Front-End Servers
- SCADA Servers
- Archive Servers
The Solution
The VIKING project aims to take a holistic approach to analyzing security
The Solution: VIKING Goals
1. Assess security risk and (financial) consequences of an attack on a SCADA system
2. Create a tool that can quantify security for comparison across different systems
3. Use a model-based system as an IDS
4. Secure power system communication
5. Be able to identify vulnerable spots in a SCADA system
6. Create a system that can be used to test security solutions and their effects
The Solution: Method
Create 3 models:
1. Power system model - used to model the effects of an attack on electricity supply
2. Society model - used to gauge the economic consequences of an attack
3. SCADA system models (architectural and cyber-physical) - used to see the effect of an attack on SCADA system behavior
The Assumptions
None; the paper was just summarizing a proposed project.
Paper 2: 21 Steps to Improve Cyber Security of SCADA Networks
Written by: US Department of Energy
Presented by: Diana Koshy
Type of Paper: Best-practices paper
This paper proposes 21 steps to take in order to alleviate the security problems inherent in current SCADA systems
The Problem
- SCADA systems were not designed with security in mind
- Organizations using SCADA networks need to improve their security
The Solution
2 categories:
1. Actions to take to increase security
2. Management actions to establish an effective security program
The Solution: Actions to Take
1. Understand the risk, protection and necessity of every connection to the SCADA network
2. Make the network as isolated as possible and use safe methods for data transfer
3. Analyze and implement a strong security strategy for all remaining connections
4. Remove or disable unused services provided by non-proprietary operating systems
The Solution: Actions to Take
5. Proprietary (obscure) protocols should not be mistaken for secure protocols
6. Enable and configure all security features already present and/or demand upgrades
7. Secure backdoors and vendor connections
8. Monitor for internal and external intrusions 24 hours a day
The Solution: Actions to Take
9. Conduct audits of the system to find common vulnerabilities
10. Check the physical security of all remote sites that communicate with the SCADA system
11. Put together a Red Team to come up with potential attack scenarios
The Solution: Management
12. Clearly define roles and responsibilities for all organization personnel
13. Document the information security architecture and its components
14. Identify risks and vulnerabilities and create an ongoing risk management process
15. Base the protection strategy on the defense-in-depth principle
The Solution: Management
16. Create a clear, structured security program with delineated requirements
17. Establish configuration management processes
18. Conduct routine self-assessments
19. Create system backups and disaster recovery plans
The Solution: Management
20. Establish an expectation of strong security at all levels of personnel
21. Train personnel to prevent disclosure of sensitive information about the SCADA system
The Assumptions
None; the paper was a list of suggested best practices.
Paper 3: SCADA-specific Intrusion Detection/Prevention Systems: A Survey and Taxonomy
Written by: Bonnie Zhu and Shankar Sastry
Presented by: Diana Koshy
Type of Paper: Survey paper
This paper discusses past work on:
- Classification and characteristics of attacks
- SCADA-specific IDS attempts
The Problem
SCADA systems are vulnerable because of:
- Standardized protocols, software and hardware
- De-isolation of SCADA systems
- Legacy components not designed for security
The Problem: Specific Vulnerabilities Listed
- HMI controller: can falsify what the operator sees
- Sensor-HMI link: can spy on what the operator sees
- Actuator-controller link: can see what actuators are told to do
- Sensor threshold values and settings: can modify settings
- Actuator settings: can modify settings
The Problem
Security research on SCADA systems is lacking:
- Unrealistic testing environments
- Poorly analyzed threat models
- IDS implementations specific to different SCADA environments
- Lack of analysis of false positives/false negatives of IDSs
The Problem
- 100% prevention of attacks is impossible; prevention must be combined with detection
- Existing IDSs can't be used, since SCADA is different:
  - It is a hard real-time system, which means timeliness, freshness of data, and availability are crucial
  - Its terminal devices have limited computing and memory resources
  - Safety is a primary concern
The Solution
Create SCADA-specific IDS and security metrics. The ideal system should be able to:
- detect and block intrusions in real time
- do so without interrupting performance
- do so without extra burdens due to false positives
- do so despite normal noise
The Solution
Types of IDS:
- signature detection approach
- anomaly detection approach
- probabilistic approach
- specification-based approach
- behavioral detection approach
The Solution
All of these can be applied to different parts of SCADA systems
The Solution: Past Work
Model-Based IDS for SCADA Using Modbus/TCP
- Uses the fact that network traffic on a SCADA system is relatively constant to find anomalies
- Most SCADA-specific of the implementations
The Solution: Past Work
Anomaly-Based IDS
1. Auto-Associative Kernel Regression and Statistical Probability Ratio Test
   - monitor anomalous non-malicious activity to establish a baseline
   - use the baseline database to compare with new activity
2. Multi-Agent IDS Using Ant Clustering Approach and Unsupervised Feature Extraction
   - use multiple intelligent agents to perform IDS duties
   - monitor agents capture packets, extract features and perform PCA
   - decision agents perform clustering and notify of abnormalities
   - action agents respond to threats accordingly
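The first approach above reconstructs each observation from a memory of known-good states (Auto-Associative Kernel Regression) and then runs a sequential probability ratio test on the residuals, so that a sustained deviation, rather than a single noisy reading, raises the alarm. The following is an added illustration written for these notes, not code from the surveyed paper: the memory matrix, sensor vectors, kernel bandwidth and SPRT parameters are all constructed for the example, and the three "sensors" (pressure, flow, temperature) are assumed names.

```python
"""Auto-Associative Kernel Regression (AAKR) plus Wald's Sequential
Probability Ratio Test (SPRT) on the residuals, as a toy anomaly detector
for a small set of correlated SCADA sensor readings.

Added example; not from the surveyed paper. All data below is constructed.
"""
import math

# Constructed memory matrix of normal operating states: (pressure, flow,
# temperature). In AAKR this is built from vetted historical data that
# already contains ordinary, non-malicious variation (the baseline).
MEMORY = [
    (100.0, 50.0, 70.0),
    (102.0, 51.0, 70.5),
    (98.0, 49.0, 69.5),
    (101.0, 50.5, 70.2),
    (99.0, 49.5, 69.8),
    (103.0, 51.5, 70.8),
    (97.0, 48.5, 69.2),
]
BANDWIDTH = 3.0  # Gaussian kernel width (assumed; tuned per plant)


def aakr_estimate(x, memory=MEMORY, h=BANDWIDTH):
    """Reconstruct observation x as a kernel-weighted average of the memory
    vectors; vectors similar to x get most of the weight."""
    d2 = [sum((xi - mi) ** 2 for xi, mi in zip(x, m)) for m in memory]
    dmin = min(d2)
    # Subtracting the smallest distance keeps the exponentials in range even
    # for observations far from every baseline state (nearest gets weight 1).
    weights = [math.exp(-(d - dmin) / (2 * h * h)) for d in d2]
    total = sum(weights)
    return tuple(sum(w * m[i] for w, m in zip(weights, memory)) / total
                 for i in range(len(x)))


def residual(x):
    """Per-sensor difference between the observation and its reconstruction.
    A healthy plant yields small residuals; a spoofed or faulty sensor that
    breaks the learned correlations yields a large one."""
    est = aakr_estimate(x)
    return tuple(xi - ei for xi, ei in zip(x, est))


class Sprt:
    """Wald's SPRT on a scalar residual stream.
    H0: residual ~ N(0, sigma)   (normal)
    H1: residual ~ N(shift, sigma)   (anomalous)"""

    def __init__(self, sigma=1.0, shift=3.0, alpha=0.01, beta=0.1):
        self.sigma, self.shift = sigma, shift
        self.upper = math.log((1 - beta) / alpha)  # cross -> accept H1, alarm
        self.lower = math.log(beta / (1 - alpha))  # cross -> accept H0, normal
        self.llr = 0.0

    def update(self, r):
        """Add one residual to the log-likelihood ratio and decide."""
        self.llr += (self.shift / self.sigma ** 2) * (r - self.shift / 2)
        if self.llr >= self.upper:
            self.llr = 0.0
            return "alarm"
        if self.llr <= self.lower:
            self.llr = 0.0
            return "normal"
        return "undecided"


def monitor(stream, sensor=0):
    """Run AAKR + SPRT over a sequence of observations and return the SPRT
    decision for each step, watching the residual of one sensor index."""
    sprt = Sprt()
    return [sprt.update(residual(x)[sensor]) for x in stream]


if __name__ == "__main__":
    normal = [(100.5, 50.2, 70.1), (99.5, 49.8, 69.9), (101.2, 50.6, 70.3)]
    # Constructed attack: pressure reading spoofed high while flow and
    # temperature stay normal, breaking the learned correlation.
    spoofed = normal + [(140.0, 50.0, 70.0), (141.0, 50.0, 70.0)]
    for x, verdict in zip(spoofed, monitor(spoofed)):
        print(x, round(residual(x)[0], 2), verdict)
```

The SPRT's two thresholds are set from the tolerated false-alarm rate (alpha) and missed-detection rate (beta), which is exactly the false-positive/false-negative trade-off the survey says is rarely analysed; lowering alpha raises the upper threshold and forces the evidence to accumulate over more samples before an alarm fires.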
The Solution: Past Work
Configurable Embedded Middleware-Level Detection
- put a detection system in the middle of the communication channels, kind of like a firewall
- easiest to incorporate, since few changes to the existing system would need to be made
The Solution: Past Work
Intrusion Detection and Event Monitoring in SCADA Networks
- specific to SCADA power-grid and RTUs
- automatically produce signatures for unauthorized access
- store settings and details of each SCADA device and compare over time
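The "store settings of each device and compare over time" idea is a configuration-drift check: keep a baseline snapshot of every RTU's settings and raise an event for any field that changes outside the change-management record. The following is an added illustration written for these notes, not code from the surveyed paper: the device names, fields, values and the `authorised` allow-list are constructed, and the rule that field names containing "threshold", "setpoint" or "trip" are safety-relevant is an assumption standing in for a site-specific policy.

```python
"""Snapshot-and-compare monitor for SCADA device settings.

Added example; not from the surveyed paper. Devices, fields and values are
constructed; the SAFETY_FIELDS naming convention is an assumption.
"""
import hashlib
import json

# Assumed convention: fields with these substrings control protective action,
# so an unauthorised change to them is the most serious kind of drift.
SAFETY_FIELDS = ("threshold", "setpoint", "trip")


def fingerprint(settings):
    """Stable SHA-256 over a device's settings, so unchanged devices can be
    skipped cheaply and snapshots can be stored compactly."""
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def classify(device, field, authorised):
    """Severity of a change: 'info' if it matches the change record,
    'high' for safety-relevant fields, 'medium' otherwise."""
    if (device, field) in authorised:
        return "info"
    if any(tag in field for tag in SAFETY_FIELDS):
        return "high"
    return "medium"


def compare_devices(baseline, current, authorised=frozenset()):
    """Compare two {device: {field: value}} snapshots and return a list of
    event dicts, one per changed field, missing device or new device.
    `authorised` is a set of (device, field) pairs approved for change."""
    events = []
    for dev in sorted(set(baseline) | set(current)):
        if dev not in current:
            events.append({"device": dev, "field": None, "severity": "high",
                           "change": "device missing from current snapshot"})
            continue
        if dev not in baseline:
            events.append({"device": dev, "field": None, "severity": "medium",
                           "change": "device not present in baseline"})
            continue
        if fingerprint(baseline[dev]) == fingerprint(current[dev]):
            continue  # identical settings, nothing to report
        old, new = baseline[dev], current[dev]
        for field in sorted(set(old) | set(new)):
            if old.get(field) == new.get(field):
                continue
            events.append({"device": dev, "field": field,
                           "severity": classify(dev, field, authorised),
                           "change": f"{old.get(field)!r} -> {new.get(field)!r}"})
    return events


# Constructed snapshots for the example.
BASELINE = {
    "RTU-7": {"firmware": "2.1.0", "pressure_threshold": 80, "services": ["modbus"]},
    "RTU-8": {"firmware": "2.1.0", "pressure_threshold": 75, "services": ["modbus"]},
    "HMI-1": {"firmware": "5.0", "services": ["https"]},
}
CURRENT = {
    "RTU-7": {"firmware": "2.2.0", "pressure_threshold": 95, "services": ["modbus", "telnet"]},
    "RTU-8": {"firmware": "2.1.0", "pressure_threshold": 75, "services": ["modbus"]},
    "RTU-9": {"firmware": "2.2.0", "pressure_threshold": 80, "services": ["modbus"]},
}
# Only the RTU-7 firmware upgrade was approved through change management.
AUTHORISED = frozenset({("RTU-7", "firmware")})

if __name__ == "__main__":
    for ev in compare_devices(BASELINE, CURRENT, AUTHORISED):
        print(ev["severity"].upper(), ev["device"], ev["field"], ev["change"])
```

Run against the constructed snapshots this reports the missing HMI, the approved firmware change as informational, the raised pressure threshold as high, the newly enabled telnet service as medium, and the unknown RTU-9 as medium, which is the kind of event list an operator would reconcile against the maintenance log.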
The Solution: Past Work
Model for Cyber-Physical Interaction
1. Power Plant interfacing Substations through Probabilistic validation of attack-effect bindings
2. Workflow-based non-intrusive approach for enhancing the survivability of critical infrastructures in Cyber Environment
The Solution: Past Work
Model for Cyber-Physical Interaction
1. Power Plant interfacing Substations through Probabilistic validation of attack-effect bindings
   - probabilistically build a profile of legitimate data flows and the main characteristics of normal information exchange
   - only works for known attacks
The Solution: Past Work
Model for Cyber-Physical Interaction
2. Workflow-based non-intrusive approach for enhancing the survivability of critical infrastructures in Cyber Environment
   - separate the SCADA system into cyber, physical, and workflow layers
   - each physical component is a node in the workflow layer
   - model functionality and attack patterns
   - only works on known attacks
The Solution: Past Work
Modeling Flow Information and other Control Systems Behavior To Detect Anomalies
- analyzes flow on the network (so only good for network layers)
- combines anomaly-, behavioral-, and specification-based techniques to detect abnormal behavior
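Both the model-based Modbus/TCP IDS above (traffic on a SCADA network is nearly constant, so departures from the model are suspicious) and the flow-modelling work just described (specification-based checks combined with anomaly detection) can be shown with one small detector over raw Modbus/TCP frames. The following is an added illustration written for these notes, not code from either surveyed paper: it parses the MBAP header, enforces a per-master/unit model of allowed function codes (the specification part) and checks that polling arrives at the learned interval (the anomaly part). The model, master addresses, frames and timestamps are all constructed for the example.

```python
"""Model-based detector for Modbus/TCP polling traffic.

Added example; not from the surveyed papers. MODEL, addresses, frames and
timestamps are constructed for illustration.
"""
import struct

# Assumed learned model: for each (master_ip, unit_id) pair, the function
# codes observed during a clean baseline period and the mean polling
# interval in seconds with a tolerance. A real system would learn this.
MODEL = {
    ("10.0.0.5", 1): {"fcodes": {3, 4}, "interval": 1.0, "tolerance": 0.25},
}
# Public Modbus function codes, used only to label an alert more usefully.
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_frame(tid, unit, fcode, data):
    """Assemble a Modbus/TCP frame: MBAP header (transaction id, protocol id
    0, length of what follows, unit id) followed by the PDU."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fcode]) + data


def parse_mbap(frame):
    """Parse the MBAP header and function code from a raw frame.
    Raises ValueError for anything that is not well-formed Modbus/TCP, which
    a detector should treat as an event in its own right."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return {"tid": tid, "unit": unit, "fcode": frame[7], "data": frame[8:]}


def check_stream(packets, model=MODEL):
    """packets: iterable of (timestamp_seconds, master_ip, frame_bytes).
    Returns a list of alert strings; an empty list means the traffic matched
    the model."""
    alerts = []
    last_seen = {}
    for ts, master, frame in packets:
        try:
            msg = parse_mbap(frame)
        except ValueError as exc:
            alerts.append(f"{ts:.1f} {master}: malformed frame ({exc})")
            continue
        key = (master, msg["unit"])
        profile = model.get(key)
        if profile is None:
            alerts.append(f"{ts:.1f} {master}: no model for unit {msg['unit']} "
                          "(unexpected master/unit pair)")
            continue
        fc = msg["fcode"]
        if fc not in profile["fcodes"]:  # specification-based check
            kind = "write" if fc in WRITE_FUNCTIONS else "unmodelled"
            alerts.append(f"{ts:.1f} {master}: {kind} function code {fc} "
                          f"to unit {msg['unit']} outside baseline")
        prev = last_seen.get(key)
        if prev is not None:  # anomaly check on the (normally constant) cadence
            gap = ts - prev
            if abs(gap - profile["interval"]) > profile["tolerance"]:
                alerts.append(f"{ts:.1f} {master}: polling interval {gap:.2f}s "
                              f"deviates from {profile['interval']}s")
        last_seen[key] = ts
    return alerts


# Constructed capture: three normal polls, then an out-of-cadence write from
# the legitimate master, a poll from an unknown master, and a non-Modbus
# protocol id in the MBAP header.
READ_10 = b"\x00\x00\x00\x0a"  # start address 0, quantity 10
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", build_frame(1, 1, 3, READ_10)),
    (1.0, "10.0.0.5", build_frame(2, 1, 3, READ_10)),
    (2.0, "10.0.0.5", build_frame(3, 1, 4, READ_10)),
    (2.1, "10.0.0.5", build_frame(4, 1, 6, b"\x00\x10\x00\xff")),
    (3.0, "10.0.0.9", build_frame(5, 1, 3, READ_10)),
    (4.0, "10.0.0.5", b"\x00\x06\x00\x01\x00\x04\x01\x03"),
]

if __name__ == "__main__":
    for line in check_stream(SAMPLE_PACKETS):
        print(line)
```

The cadence check is what makes this "model-based" rather than a plain allow-list: the fourth frame would be flagged even if function code 6 were permitted, because it breaks the one-second polling rhythm the model expects. Tolerances have to be learned per link, since RTU response jitter on a slow serial-to-TCP gateway will otherwise generate the false positives the survey warns about.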
The Solution: Past Work
SHARP
- uses authentication and privilege escalation protection to detect and block unauthorized physical and network access
The Assumptions
None; the paper was a survey.