Security testing in Smart Grid and SCADA environments. Simone Riccetti, IBM Italy, simone.riccetti@it.ibm.com
Agenda
- SCADA/Smart Grid overview
- SCADA/Smart Grid security issues
- Security test challenges
- Testing approaches
Evolution of the Electricity Sector
- The energy industry uses Supervisory Control and Data Acquisition (SCADA) networks. SCADA systems are complex event-driven systems with centralized monitoring of thousands of remotely managed points of process control equipment.
- This information infrastructure forms a grid of its own: a control grid.
- Control grids are rapidly adopting IP-addressable solutions to promote corporate connectivity for remote access to equipment.
- Smart Grid implies overhauling both the power system infrastructure and the information control grid.
EPCIP: EU Program for Protecting Critical Infrastructures Strategy (the EU context summarized)
The general objective of EPCIP (European Programme for Critical Infrastructure Protection) is to improve the protection of critical infrastructure in the European Union (EU). The legislative framework for the EPCIP consists of the following:
- a procedure for identifying and designating European critical infrastructure and a common approach to assessing the need to improve the protection of such infrastructure; this will be implemented by means of a directive;
- measures designed to facilitate the implementation of EPCIP, including an EPCIP action plan, the Critical Infrastructure Warning Information Network (CIWIN), CIP information sharing processes, and the identification and analysis of interdependencies;
- support for EU countries regarding National Critical Infrastructures (NCIs) that may optionally be used by a particular EU country, and contingency planning.
EU funding is available.
Smart Grid Macro Components (source: Cyber security of the Smart Grids, European Commission, work package 1.1)
Substation Technologies Evolution (sources: www.wikipedia.com, www.pacw.org, www.abb.com)
A TCP/IP Enabled World
- Process Control Systems (PCS) are migrating to TCP/IP networks
- SCADA and DCS typically rely upon wrapped protocols: analog control and reporting protocols embedded in digital protocols
- Encryption and command integrity limitations
- Poor selection of TCP/IP protocols
- Problems with patching embedded operating systems: controllers typically run outdated OSs, security patches and updates are not applied, and patching the controllers is difficult
Proliferation of Networked Devices
- Switch from analog to digital controls
- Incorporation of network standards: TCP/IP communications, wireless communications, wireless integration
- Replacement SKU parts include new features for free; additional features may be on by default or may be turned on by engineers
- From analog to digital (and networked)
Bridging Networks
- The softest targets appear to be the control centers: greatest use of PC systems, frequent external connectivity, entry point to critical plant systems
- Bridging control centers and the plant operational framework: network connectivity for ease of operational control
- Vulnerable to malware, which can proxy remote attacks
ICS-ALERT-10-301-01: the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued an alert about the SHODAN search engine, which can be used to identify SCADA systems that are connected to the Internet. This can be exploited by attackers to compromise those systems. ICS-ALERT-10-301-01 describes a series of recommendations for reducing this risk.
Motivated activists: not only Anonymous
Vulnerabilities disclosed in ICS/SCADA systems in 2012 affected over 2,600 products from 1,330 vendors (Infosecurity Europe, 5/2/2013): "Vulnerabilities in IT systems that underpin critical infrastructure like the energy grid, water supply facilities, oil and gas systems and transportation have skyrocketed 600% since 2010, NSS Labs reported, a concerning state of affairs that may add yet more wind to the public rhetoric surrounding the potential for a major cyber-terrorist attack. The nation's infrastructure, largely administered by IT systems known as SCADA, is firmly in the crosshairs of our enemies, public officials have increasingly warned. Last autumn, US Defense Secretary Leon Panetta talked about an impending Cyber Pearl Harbor, while newly confirmed US Secretary of State John Kerry commented last month that cyber-attacks are the equivalent of modern-day nuclear weapons. Meanwhile, Janet Napolitano, Secretary of the Department of Homeland Security, warned that a cyber-9/11 is a very real possibility."
Impact of a breach of power control systems could be severe
- Serious disruption to national critical infrastructure
- Loss of system availability
- Process interruption
- Equipment damage
- Asset mis-configuration
- Loss of data and confidentiality
- Personal injury
- Penalties resulting from regulatory violations
- Loss of customer and public trust
Where are the specific areas of concern?
- Investors: downtime, fines, cost, investment and the related impact on revenue
- Operators: optimization of asset management and, specifically, the emerging Smart Grid issues below
Emerging Smart Grid issues (source: Cyber security of the Smart Grids, European Commission, work package 1.1)
- Millions of new end points and massive amounts of data
- System security: vulnerable software, lack of access control, mis-configuration of options
- Data vulnerability: weak or no encryption, inappropriate storage, installation of malcode
- Potential fraud: invalid credentials, weak authorization, insufficient tamper protection, smart meter fraud
- Downtime: denial of service risk, system corruption
Smart Grid typical critical areas (diagram, source: www.nist.gov). Components shown: Customer Premise Meters/HAN; Meter Communication Network; SCE Central Data Centers; Meter Data Usage Web Server; Customer; Neighborhood Aggregator; Public Wireless Network; EA Load Control; DCA; MDMS; Billing & Customer Care; Outage Management.
SCADA: technologies and protocols
- Field devices: RTU (Remote Terminal Unit), PLC (Programmable Logic Controller), IED (Integrated Electronic Device), PAC (Programmable Automation Controller)
- Protocols: Modbus, DNP3, DeviceNet, IEC 61850, and 100+ proprietary protocols
- Communication technologies: serial connections (hardwire and dial-up), Ethernet and TCP/IP, wireless RF and microwave, cellular (CDMA), ZigBee, HAN
- Middleware: MS IIS, .Net
- SCADA control center: HMI (Human Machine Interface), SCADA controller (real-time processing), historian (database of events)
- Control center protocols (e.g. OPC, ICCP, IEC 101/103, etc.)
Security for Industrial Control Systems (SCADA)
- ICS security based on IEC 62443
- Air-gap networks, applications and control data with firewalls and proxies
SCADA Security Comparisons: a comparison of security used in U.S. corporate IT vs. security used in process systems
| Topic | Corporate IT | Process Systems |
| Anti Virus | Widely used | Used with care |
| Lifetime | 3-5 years | 5-20 years |
| Outsourcing | Widely used | Rarely used for operations |
| Patching | Frequent | Slow (requires vendor approval or extensive testing) |
| Change | Frequent | Rare |
| Security Skills & Awareness | Medium to High | Poor IT security, no awareness training |
| Security Testing | Widely used | Must be used with care |
| Physical Security | Usually secure & manned | Good controls but often remote & unmanned |
Security test challenges
- Systems fragility
- Non-standard/unknown protocols
- Non-IP-based protocols
- Embedded devices
- Unusual (for IT) wireless spectrum
- SCADA application knowledge
- Critical infrastructure threats
- Specialized tools (even open source ones often need to be customized)
- Specialized skills
This is a possible approach
- Requirements analysis
- Threat modeling
- Scope definition
- Attack surface
- Fragility/criticality analysis
- Test selection
- Attack scenarios
Target definition
The goal of this activity is to identify the critical systems that, if compromised, can lead to a major power outage. As an example:
- SCADA core systems
- DMS/OMS/EMS systems
- Real-time systems
- Batch systems
- Process-critical applications
- Non-critical process applications (but critical for security!)
- Phone lines, LAN/WAN/HAN networks
- Sensors, embedded systems
- And many others
Threat modeling
The goal of threat modeling is to identify potential risks or attacks against your software and to make decisions about how to address these risks.
I. Identify the attack surface
II. Identify the potential threats
III. Assign an impact to each threat
IV. Determine the probability of compromise
It is paramount to have a deep knowledge of the attack vectors and to think as an attacker.
Typical assessment findings
Common Security Assessment Findings
- Weak protocols leave systems vulnerable
- PCS networks lack overall segmentation
- PCS networks lack antivirus protection
- Standard operating systems leave the device open to well-known security vulnerabilities
- Most IP-based communications within the PCS network are not encrypted
- Most PCS systems have limited-to-no logging enabled
- Patches are not, or cannot be, installed on SCADA systems
- No host-based security controls are configured on these devices
- Many organizations still rely heavily on physical security measures
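Three of the findings above (weak, unencrypted protocols and little or no logging) can be illustrated with Modbus, one of the protocols listed earlier: Modbus/TCP carries no authentication, so a passive observer can see which function codes are written to which registers. The following added example, which is not part of the original presentation, parses constructed Modbus/TCP request frames and turns them into the kind of log lines an assessment team could generate from a mirror port when the devices themselves log nothing. The framing (MBAP header followed by function code) is the published Modbus/TCP layout; the source address and all frames are constructed.

```python
"""Added example: passive Modbus/TCP request audit.

MBAP header (7 bytes, big-endian): transaction id (2), protocol id (2, always 0
for Modbus), length (2, bytes that follow the length field), unit id (1).
Then the PDU: function code (1) and data.  Writes are logged as alerts because
the protocol has no authentication; a defender reviewing such a log can check
whether each writing source is an expected master.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one request frame; malformed input yields an 'error' key."""
    if len(frame) < 8:
        return {"error": "frame shorter than MBAP header plus function code"}
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        return {"error": f"unexpected protocol id {pid} (Modbus is 0)"}
    if length != len(frame) - 6:
        return {"error": f"length field {length} does not match frame size {len(frame) - 6}"}
    fc = frame[7]
    data = frame[8:]
    rec = {
        "tid": tid, "unit": uid, "fc": fc,
        "name": FUNCTION_NAMES.get(fc, "unknown/vendor-specific"),
        "write": fc in WRITE_CODES,
        "address": None,
    }
    # For the standard codes above the first two data bytes are the start address
    if fc in FUNCTION_NAMES and len(data) >= 2:
        rec["address"] = struct.unpack(">H", data[:2])[0]
    return rec


def audit(frames, source="10.0.0.5") -> list:
    """Produce one log line per frame; writes and malformed frames are ALERTs."""
    lines = []
    for frame in frames:
        rec = parse_modbus_tcp(frame)
        if "error" in rec:
            lines.append(f"ALERT {source}: malformed Modbus/TCP frame: {rec['error']}")
        elif rec["write"]:
            lines.append(f"ALERT {source}: unauthenticated write unit={rec['unit']} "
                         f"fc={rec['fc']} ({rec['name']}) addr={rec['address']}")
        else:
            lines.append(f"INFO  {source}: read unit={rec['unit']} "
                         f"fc={rec['fc']} ({rec['name']}) addr={rec['address']}")
    return lines


# Constructed frames (hex), not captured traffic:
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000A"),           # read 10 holding regs @0
    bytes.fromhex("0002 0000 0006 01 06 0010 0001"),           # write single reg @16 = 1
    bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 0001 0002"),  # write 2 regs @0
    bytes.fromhex("0004 0001 0006 01 03 0000 000A"),           # protocol id != 0
    bytes.fromhex("0005 0000 0009 01 03 0000 000A"),           # length field wrong
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES):
        print(line)
```

Run stand-alone it prints five lines: one INFO for the read, two ALERTs for the writes, and two ALERTs for the malformed frames. The same classification could feed a network IDS rule set or a simple baseline of "which hosts write to which units", which is a low-risk, passive check that fits the fragility constraints of a process network.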