NextGen SCADA security
Erwin Kooi
Setting the stage
This talk is not:
- An introduction to SCADA security
- AIC versus CIA
- The latest blinky-lights SCADA security appliance
- How to use IT security in OT environments
This talk is:
- About next steps in SCADA security
~/$ whoami
- Ing. Erwin Kooi, MSIT CISSP SCP
- Security Manager at Alliander
- Primary focus on OT, IT Data Center and new developments
- Background in healthcare electronics & IT
- Hacker and avid lockpicker
~/$ cat /etc/group | grep erwin
- Dutch Smart Meter Privacy & Security working group
- Dutch Smart Grid Cyber Security working group
- European FP7 project CRISALIS
- Various Dagstuhl scientific seminars on SCADA security
Meet DSO Alliander in key figures
Electricity distribution:
- Customers: 3,3 million
- Grid: 94.700 km
- Stations (sub, distribution): 48.000
Gas distribution:
- Customers: 2,6 million
- Grid: 36.900 km
- Stations (sub, distribution): 1.500
Company:
- 12 Billion asset value
- 1.4 Billion revenues
- 400 Million investment / annum
- 6.000 FTE
KPI, performance:
- 19.8 SVBM (outage time in minutes per end user)
Our assignment
1. Establish, maintain and manage energy networks
2. Ensure reliable, affordable and safe energy supply
3. Contribute to (sustainable) developments
4. Contribute to a better society
Connect customers (prosumers) to energy via an information-intensive network
The DSO's new grid world:
1. Electricity
2. Gas
3. Data
- New sensors / distributed computing on transmission and distribution lines: alarm operators, resolve problems, integrate large-scale renewable generation
- Smart Meters and HAN help users to deploy energy more wisely, mitigate peak demand and integrate local generation
[Figure: grid chain Generation -> Transmission -> Distribution -> Users / Customers]
Connect customers (prosumers) to energy via an information-intensive network
- Introduction of IT in lower parts of the grid
- Information sharing across domains
- Need for fast, reliable communication networks
- Guaranteed propagation times
- Communication network layout does not follow grid layout
- Own Cu / (SiO2)n network
Old SCADA
New SCADA
Remote location
Even more remote location
OMG (average IT security expert)
However...
Security vision
Alliander resilience vision*: Alliander is a resilient organization capable of anticipating and responding to a range of threats against its mission
Alliander security vision: Protecting the mission of Alliander and its stakeholders by securing our crown jewels against intentionally caused damage through human actions
* Underwriting the WEF resilience principles
Anatomy of an attack
Attacker: Intel Gathering -> Vuln Research -> Exploit -> Maintain Control -> Post Exploit
Defender: Intel Gathering -> Threat Analysis -> Data Correlation -> Intrusion Detection -> Contain & Mitigate
Security approach
- Baseline + additional measures and detection, detection, detection + flexible response -> CERT / CSIRT
- Breaches will occur: prevent the stupid ones, detect and respond to the others (this is me)
- Design and build for failures (this is me too)
- This requires close cooperation with asset owners!
Anticipation: overview
- Clear data ownership and responsibility
- Security one of the main topics in the IOT integration program
- Security framework for IT based on ISO 2700x, IEC and SABSA, in line with IT architecture (TOGAF)
- Security framework for OT based on nationally accepted OLF 104 (subset of ISO 2700x)
- National privacy & security framework for smart meters based on ISO 2700x
- National security framework for smart grid in progress
Anticipation: standards
- Standards and frameworks are nice
- Standards and frameworks give direction
- Standards and frameworks are compromises
- Standards and frameworks take time to develop
- Standards and frameworks are someone else's risk decisions
Anticipation: situational awareness
- Monitoring community for known vulnerabilities
- Need an up-to-date inventory
- Example: Ruggedcom private key / known IDs vulnerability
  - Only switch certified for IEC 61850
  - Should I fix this? Where is it deployed in our networks?
  - Is it in Metasploit? -> yes, took only days
    msf > use auxiliary/scanner/telnet/telnet_ruggedcom
    msf auxiliary(telnet_ruggedcom) > set RHOSTS [TARGET HOST RANGE]
    msf auxiliary(telnet_ruggedcom) > run
Attention: monitoring
- Current IDS focussed on IT. How low can you go? IEC 60870-5-101 / -104? IEC 61850? ICCP? Modbus?
- But: a chatty Windows / *NIX laptop on our 104 network is never acceptable -> easy to detect
- Known bots are never acceptable -> easy to detect
- What are your devices telling you (and are you listening)?
Attention: monitoring
- Vendors are catching up! SCADA protocols no longer exotic.
- Pilots in our 104 network with anomaly detection:
  - 5 mins learning -> 7 false positives in a week
  - 1 day learning -> 3 false positives in a month
- Doable! But who is going to monitor the logs and alerts?
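An added example (not from the slides or any Alliander pilot) of the two detection ideas above on a 104 segment: non-104 traffic such as a chatty laptop is flagged immediately, while IEC 60870-5-104 conversations are whitelisted during a learning window and anything unseen afterwards is an anomaly. The traffic, addresses and the 30 s versus 300 s windows are constructed to show why a short learning window produces more false positives.

```python
from collections import namedtuple

Msg = namedtuple("Msg", "t src dst proto asdu")
MASTER, RTU1, RTU2, LAPTOP = "10.1.0.5", "10.1.0.20", "10.1.0.21", "10.1.0.99"

# Constructed traffic seen on a 104 segment (t = seconds since capture start).
# asdu is the IEC 60870-5-104 ASDU type id: 100 = interrogation command,
# 36 = measured value, 45 = single command, 30 = single-point information.
SAMPLE = [
    Msg(5,   MASTER, RTU1, "iec104", 100), Msg(6,   RTU1, MASTER, "iec104", 36),
    Msg(15,  MASTER, RTU2, "iec104", 100), Msg(16,  RTU2, MASTER, "iec104", 36),
    Msg(40,  RTU1, MASTER, "iec104", 36),
    Msg(120, MASTER, RTU1, "iec104", 45),  # rare but legitimate operator command
    Msg(130, RTU1, MASTER, "iec104", 45),  # command confirmation
    Msg(200, RTU2, MASTER, "iec104", 36),
    Msg(400, RTU1, MASTER, "iec104", 30),
    Msg(600, LAPTOP, RTU1, "smb", None),   # chatty laptop: never acceptable here
    Msg(610, MASTER, RTU1, "iec104", 100),
    Msg(700, MASTER, RTU2, "iec104", 45),
]

def learn_baseline(msgs, learning_seconds):
    """Whitelist every (src, dst, ASDU type) conversation seen while learning."""
    return {(m.src, m.dst, m.asdu) for m in msgs
            if m.proto == "iec104" and m.t <= learning_seconds}

def detect(msgs, learning_seconds):
    """Non-104 traffic alerts at any time; 104 traffic alerts only when it is
    outside the learned baseline and arrives after the learning window."""
    baseline = learn_baseline(msgs, learning_seconds)
    alerts = []
    for m in msgs:
        if m.proto != "iec104":
            alerts.append((m.t, "non-104 protocol on 104 segment", m))
        elif m.t > learning_seconds and (m.src, m.dst, m.asdu) not in baseline:
            alerts.append((m.t, "unseen 104 conversation", m))
    return alerts

def alert_counts(msgs, windows=(30, 300)):
    """Compare how many alerts a short and a long learning window produce."""
    return {w: len(detect(msgs, w)) for w in windows}

if __name__ == "__main__":
    for window in (30, 300):
        print(f"learning {window}s:")
        for t, reason, m in detect(SAMPLE, window):
            print(f"  t={t:4d} {reason}: {m.src} -> {m.dst} {m.proto} asdu={m.asdu}")
```

The short window never saw the operator command, so it flags it twice; the longer window learned it and only the laptop, the unseen ASDU type and a first-time command to RTU2 remain.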
Attention: monitoring / action
- IDS -> IPS strategy, depending on the place in your network
  - Known badness (signature-based) blocked automatically?
  - Anomalies passed to a human?
Example alert:
  Received From: 192.168.25.12->/var/log/auth.log
  Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
  Src Location: US,Pennsylvania,Scranton
  Portion of the log(s):
  Mar 12 04:39:33 vs3547 sshd[25648]: Invalid user user from 66.197.183.133
  Mar 12 04:39:33 vs3547 sshd[25622]: Invalid user x from 66.197.183.133
  Mar 12 04:39:29 vs3547 sshd[25514]: Invalid user mmroot from 66.197.183.133
  Mar 12 04:39:28 vs3547 sshd[25482]: Invalid user kai from 66.197.183.133
  Mar 12 04:39:24 vs3547 sshd[25373]: Invalid user mythtv from 66.197.183.133
  Mar 12 04:39:21 vs3547 sshd[25255]: Invalid user postgres from 66.197.183.133
  Mar 12 04:39:19 vs3547 sshd[25180]: Invalid user prueba from 66.197.183.133
  Mar 12 04:39:17 vs3547 sshd[25149]: Invalid user db2inst1 from 66.197.183.133
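An added example (not from the slides or the IDS product behind the alert) of the signature rule above and of the IDS -> IPS placement decision: a sliding window over sshd "Invalid user" lines fires once per source, and the response depends on the zone. The log excerpt uses RFC 5737 addresses, the 6-in-120 s threshold for rule 5712 and the zone policy are assumptions, not values from the slide.

```python
import re
from collections import defaultdict, deque

# Constructed auth.log excerpt in the shape shown in the alert above.
AUTH_LOG = """\
Mar 12 04:39:17 vs3547 sshd[25149]: Invalid user db2inst1 from 203.0.113.7
Mar 12 04:39:19 vs3547 sshd[25180]: Invalid user prueba from 203.0.113.7
Mar 12 04:39:21 vs3547 sshd[25255]: Invalid user postgres from 203.0.113.7
Mar 12 04:39:24 vs3547 sshd[25373]: Invalid user mythtv from 203.0.113.7
Mar 12 04:39:28 vs3547 sshd[25482]: Invalid user kai from 203.0.113.7
Mar 12 04:39:29 vs3547 sshd[25514]: Invalid user mmroot from 203.0.113.7
Mar 12 04:39:33 vs3547 sshd[25648]: Invalid user user from 203.0.113.7
Mar 12 04:40:02 vs3547 sshd[25701]: Accepted publickey for erwin from 10.1.0.8 port 51234 ssh2
Mar 12 04:40:10 vs3547 sshd[25733]: Invalid user admin from 198.51.100.4
"""

LINE_RE = re.compile(r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: Invalid user (\S+) from (\S+)")
FREQUENCY, TIMEFRAME = 6, 120  # assumed thresholds for rule 5712, not stated on the slide

def parse(line):
    """Return (seconds of day, user, source) for an 'Invalid user' line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s, user, src = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), user, src

def brute_force_alerts(lines):
    """Signature rule: fire once per source when FREQUENCY failed logins fall
    inside a sliding TIMEFRAME window, then reset so one burst gives one alert."""
    windows, alerts = defaultdict(deque), []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        t, _user, src = parsed
        q = windows[src]
        q.append(t)
        while t - q[0] > TIMEFRAME:
            q.popleft()
        if len(q) >= FREQUENCY:
            alerts.append({"rule": 5712, "src": src, "count": len(q), "span": t - q[0]})
            q.clear()
    return alerts

def respond(alert, zone):
    """Assumed placement policy: block automatically at the IT perimeter; inside the
    104 network hand the alert to a human, since a block could cut off an engineering station."""
    if zone == "it_perimeter":
        return f"block {alert['src']}"
    return f"page operator: rule {alert['rule']} hit from {alert['src']} in {zone}"
```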
Attention: research
- Security research is not our core business
- Partnering with research institutions: ENCS, University Twente
- Partnering with industry: IBM, Siemens, Fox-IT
Attention: research
The CRISALIS consortium:
- Security industry
- Control system industry / end users
- Academia
Attention: correlation
- Not only network and system events, but also their surroundings
- (NOTE: these also introduce interesting vulnerabilities; security devices != secure devices)
Attention: correlation
Data correlation, a scenario:
- Someone is entering a substation
- There are no work permits for this time at that station
- There is no disruption or malfunction in that station
- There is suddenly a HMI protocol running on the network
= Intruder alert!
Respond:
- notify operators
- notify police
- limit network traffic from that station
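An added example (not from the slides) that implements the scenario above as a correlation rule over three event sources: door access, the work-permit system and the 104-network IDS. The station names, timings and the 15-minute correlation window are constructed; the rule only raises the intruder alert when all four conditions hold, and returns the three response actions listed.

```python
from dataclasses import dataclass

@dataclass
class Event:
    t: int            # minutes since midnight
    station: str
    kind: str         # "door_open", "permit", "malfunction" or "hmi_protocol"
    until: int = 0    # end of the window for "permit" events

# Constructed event feed; station names are invented.
EVENTS = [
    Event(480, "SS-Oost", "permit", until=720),   # planned maintenance 08:00-12:00
    Event(540, "SS-Oost", "door_open"),
    Event(545, "SS-Oost", "hmi_protocol"),        # engineer's HMI, covered by the permit
    Event(1380, "SS-West", "malfunction"),        # fault at 23:00 ...
    Event(1390, "SS-West", "door_open"),          # ... followed by a field crew
    Event(1395, "SS-West", "hmi_protocol"),
    Event(130, "SS-Noord", "door_open"),          # 02:10, no permit, no fault ...
    Event(138, "SS-Noord", "hmi_protocol"),       # ... and a HMI protocol appears
    Event(200, "SS-Zuid", "door_open"),           # entry without HMI traffic
]

def correlate(events, window=15):
    """Intruder alert when an entry has no permit, no malfunction nearby in time,
    and HMI protocol traffic starts at that station within `window` minutes."""
    permits = [e for e in events if e.kind == "permit"]
    faults = [e for e in events if e.kind == "malfunction"]
    hmi = [e for e in events if e.kind == "hmi_protocol"]
    alerts = []
    for door in (e for e in events if e.kind == "door_open"):
        same = lambda e: e.station == door.station
        permitted = any(same(p) and p.t <= door.t <= p.until for p in permits)
        fault = any(same(f) and abs(f.t - door.t) <= window for f in faults)
        hmi_seen = any(same(h) and 0 <= h.t - door.t <= window for h in hmi)
        if not permitted and not fault and hmi_seen:
            alerts.append({"station": door.station, "t": door.t,
                           "actions": ["notify operators", "notify police",
                                       f"limit network traffic from {door.station}"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"Intruder alert at {a['station']} ({a['t'] // 60:02d}:{a['t'] % 60:02d}):", a["actions"])
```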
Rational response: contain & mitigate
- Computer Emergency Response Team (CERT)
  - Also the team that does vulnerability / threat analysis
  - Also the team that does monitoring
- Prepare and mandate common scenarios
  - Temporarily disconnect a substation from the Control Room
  - Reboot systems in the Control Room
- Escalate to business crisis team if scenarios are not mandated
  - Shut down a substation
  - Shut down SCADA networks
  - Shut down Internet connection
Rational response: evaluate & learn
- Share incidents with vendors and community
- Need to establish trusted relations with your vendors and competitors
- Incidents are input for continuous improvement and growing to the next NextGen SCADA security
On a personal note
- "Black out" by Austrian writer Marc Elsberg, ISBN 9789000315352 (Dutch version)
- A European black out scenario with its impact on society, using a simple Smart Meter / SCADA hack with some physical sabotage
- Not sure if I should make this compulsory or banned
End-to-End SCADA Security: Implementing a robust cyber security strategy to protect SCADA systems in the digital age
- Creating a company-wide cyber security vision with SCADA systems in mind
- Translating this vision into a strategy with a roadmap, and how a security architecture can help
- Defining how robust your security should be
- Identifying opportunities to increase (embedded) security measures for new and existing SCADA systems and processes, in line with your security strategy
Erwin Kooi, Information Security Manager, Alliander