How Secure is Your SCADA System?
Charles Drobny, GlobaLogix, Inc., Houston, TX, USA

Our Industry is a Target
- 40% of cyber attacks on Critical Infrastructure targets are aimed at the Energy Industry.
- The potential to disrupt commerce and generate catastrophic events is real.
- Oil & Gas companies are vulnerable and attractive targets.
- SCADA is a point of concern.

SCADA (Supervisory Control And Data Acquisition)
- Supervisory Control of pipeline operations, plant operations, platform operations and well site operations.
- Data Acquired includes strategic information on production, deliveries and operating efficiencies that offers competitive advantage and can impact product pricing and shareholder value if it falls into the wrong hands.

Cyber Attacks on Critical Infrastructure Targets are Under-reported
- Media reports in the past year include:
  - In 2012 Saudi Aramco was crippled by malware (possibly the Shamoon Worm) from 15 Aug to 10 Sept.
  - A major SCADA software provider was hacked in late August/early September of 2012.
  - Chevron announced in 2012 that the Stuxnet virus had been introduced into the Chevron networks.
- There are many more anecdotal reports spread by word of mouth and rumor.
- Why are attacks under-reported?

Four Major Risks: 1. The Safety Risk
- Targeting a SCADA system in order to gain control of the operating system brings to mind the worst-case scenarios.
- Deliberate Malicious Interference
- Catastrophic Results
- Life Threatening

Four Major Risks: 2. Meeting Regulatory Requirements
- Failing to act now while waiting to see what may be required is a poor plan.
- Failure to meet regulatory steps can result in interruption of business and fines.

Four Major Risks: 3. Lost Production & Lost or Damaged Major Assets
- Impact to production
- Interruption of trade
- Disastrous to a company's reputation and profitability.

Four Major Risks: 4. Impacts to Shareholder Value
- The damage to a company's reputation from a catastrophic incident caused by a cyber attack on a SCADA system can drive down stock prices.
- Shareholder value will be affected by physical events such as explosions, pipeline ruptures, fires and the release of production into the environment.

SCADA Vulnerabilities
- The devices at the end points of a SCADA system can be access points to that system.
- Many are IP-addressed locations.
- Some have USB ports or Ethernet connections.
- There are managed switches in these remote locations.
- All are entry points for the hacker or a site where malware can be introduced.

SCADA Vulnerabilities
- At local controllers, RTUs, EFMs, panels, etc., communication connection points exist for maintenance and programming.
- In some cases these locations have wireless connectivity.
- Often these boxes and devices have no physical security.

SCADA Vulnerabilities
- The Local Area Networks and Wide Area Networks are potentially vulnerable to attacks and incursions.
- These WiFi, LTE, Radio, Microwave and Satellite points offer targets to the hacker.

SCADA Vulnerabilities
- The SCADA server room, control room and engineering desks offer the most easily understood access target for a cyber attack.
- The separation of the Process Control Network from the Enterprise Networks does not ensure full protection from incursions.
- The Stuxnet virus was introduced at this level with a USB thumb drive.

SCADA Vulnerabilities
- The back office, where the SCADA data is converted into actionable information, is often the entry point via the connections between the enterprise networks and the process control network.

Typical Architecture of SCADA systems
- More than one door and one window to lock.

What can/should be done by Oil & Gas companies?
To put a cyber security strategy in place and in action, today's executive needs to know:
- How can critical infrastructures such as SCADA be compromised?
- How can they ensure the information they report is accurate?
- What regulations apply and are coming in 2014?
- What tactics must be in place to address risks?

How to address these issues
- Prevention & Defense
- Assessment & Evaluation
- Detection & Response
- Monitoring

Assessment & Evaluation
- Conduct Regular Evaluations of SCADA security
- Plan to Defend against an attack
- How will the company Respond to an Attack
- Plan to Report the Attack
- Plan for Litigation Defense
- Plan to Comply
- Plan to Reassess and Reevaluate

Prevention & Defense
The Defense Strategy
- Firewalls*
  - Packet Filtering Firewalls
  - Stateful Inspection Firewalls
  - Application-Proxy Gateway Firewalls
- Software Approaches
- Server Room Approaches
* NIST Special Publication 800-82rev151 5.1

Monitoring
What is monitored?
- Comparing normal traffic to abnormal traffic on the network
- Using firewall reporting of attempts to identify patterns
- Comparing data patterns
- Comparing alarm events for patterns
- Comparing remote user traffic patterns

Detection & Response
- Identify what an attack looks like
- Identify the response plan
- Redeploy alternative systems
- Manual intervention
- Respond at multiple levels
- Practice, Test & Drill

Strategy Assessment
- Assessment: These may be overdue or inadequate.
- Standards Writing: These are organic living documents that need to be maintained and updated.
- Response Plans: These may be overdue or inadequate. These may need to change.
- Intrusion Defense: These are typically considered after the attack has occurred.
- Recovery Defense: If a company waits until the attack, it is too late.

IA is not IT
- IA (Information Assurance) is an independent role from IT.
- IT is typically an internal role.
- IA is not necessarily an internal role.
- Are you allowed to perform your financial audits internally?
- Consider a qualified 3rd party professional for IA audits.

Alternative Approaches
- The hacker's friend is the standard approach.
- Consider alternatives which may offer better security.
- Example: Is the server room the best place for the SCADA application software & databases?

Distributed Cloud Platform
- A Distributed Cloud Platform spreads your application and data across multiple data centers, each with different security layers.
- Don't put all your eggs in one basket.
- Many use exclusively tier 3 and tier 4 Data Centers offering superior security.
- 2048 bit encryption is often an option.
- This option offers economic advantages as well.

What is at stake?
Can any executive afford to not address the risks:
- Human Life
- Lost Production
- Damaged or Lost Assets
- Environmental Disaster
- Reputation
- Shareholder value
There are steps that can be taken now.
Is your SCADA system as secure as it should be?