Securing Modern Substations With an Open Standard Network Security Solution Kevin Leech Schweitzer Engineering Laboratories, Inc. Copyright SEL 2009
What Makes a Cyberattack Unique? While the resources needed to conduct a physical attack have not changed much recently, the resources necessary to conduct a cyber attack are now commonplace. Communications on Critical Infrastructure Protection, White House, October 1997.
What Are the Tradeoffs?
Example Network Diagram
Identify, Prioritize, and Defend the Electronic Security Perimeter! Electronic Security Perimeter Electronic Attack Entry Points Private Fiber Network Real-Time Protection Substation Relay Protective Relay Leased Line (Telco) Spread- Spectrum Radio Dial-Up Line (Telco) SCADA Dial-Up Engineering Access Ethernet Engineering Access Communications Processor or RTU Dial-Up Modem
Sending Data Securely Cybersecurity Triad Confidentiality Prevents eavesdropping Trust and Authentication Prevents identity spoofing Message Integrity Prevents message alteration
Attack Vector
Network Scanning Use TCP/IP network scanner to map target network Example: discover engineering and corporate LANs separated by simple router
Malicious SCADA Command Injection Attacker injects trip commands to all live control points
Commercial SCADA Protocol Analyzer 42
Mitigating Electronic Threat Use Significant Barriers to Minimize Chance of Successful Attack Make it difficult for attacker to access channel from outside Implement strong link security to augment access control technologies Use access control technologies effectively in devices
Protect SCADA LANs With VLANs Partitioning is an ideal way to isolate critical networks from others, but today s networks are interconnected
Example Network Diagram
Firewall Filters traffic Stateless Stateful Application Placed between network data junctions, such as the demilitarized zone (DMZ) and Internet
Firewall Log and Alarm Who Accessed the Network? Action Source IP address Destination IP address Port Packet size DROP Port 137 UDP packet blocked Other actions OPEN, OPEN-INBOUND, CLOSE, INFO-EVENTS-LOST
Use VPNs for Security Internet Protocol Security (IPSec) SSL Tunneling Point-to-Point Tunneling Protocol (PPTP)
IPSec Choices Authenitcation Header (AH) or Encapsulating Security Payload (ESP)
Datagram of IPSec Options
IPSec VPN Benefits Operates in most WAN access routers and computer platforms Distinguishes which traffic to protect Provides link security
IPSec Tunnel Vs. Transport Mode Transport Tunnel Tunnel mode gateway-to-gateway Transport host-to-host
1 Overview to Setup IPSec VPN Local Security Policy 2 3
Setup IPSec VPN Potential for error during setup Gray highlighting, not radio button, indicates object selected to edit
Setup IPSec VPN
AH and Encryption Verify the address header is hashed Select Negotiate security radio button, and add address header security
Secure Remote Access Request for remote desktop connection
Toggle to Assign Policy
Malicious SCADA Command Injection IPSec and firewalls protect link IPSec VPN
What Is the Best Security Policy? No golden policy Attacks are complex Require complex defenses that continuously change
Protect Against Unauthorized Access Attempts on Substation / SCADA System Monitor system assets Audit system logs Partition critical infrastructure (network separation) Evaluate and review security policies Be aware of social engineering vulnerabilities Train system users
Is Lack of Internet Connection Safe? Unsecured connections may exist from corporate LAN to critical networks Internet-connected LAN exposes critical network Compromised corporate computer puts critical assets at risk Rogue dial-up or wireless Internet systems can exist unnoticed
Conclusion Standards to consider for remote access of routable protocols Firewalls provide alarms and logs VLAN provides segmentation strategy VPN IPSec protects data
Thank You Any questions?