Slide 1: Security in SCADA solutions
Green Hills Software
Peter Hoogenboom, Engineering Manager - EMEA
2011 Green Hills Software D&E Event, 22 Sep 2011, Evoluon Eindhoven (NL)
Slide 2: Security in SCADA solutions - Agenda
- What is SCADA?
- 3 Generations of SCADA systems
- Should we care more about security in SCADA systems?
- Security Defined
- Security and Reliability
- Robustness
- Common Criteria: Protection Profiles and Evaluation Assurance Levels
- Virtualization (Hypervisors)
- Secure solutions
- References
Slide 3: What is SCADA?
Supervisory Control and Data Acquisition: monitor and control a plant or equipment in industries such as telecommunications, water and waste control, energy, oil and gas refining and transportation.
SCADA systems typically consist of:
- Field data interface devices: Remote Terminal Units (RTUs), combined with PLCs and sensors/actuators
- Communication system: radio, phone (PSN), cable, satellite, field buses etc.
- Central host computer(s): also known as SCADA master or Master Terminal Unit (MTU)
- Operator computer(s): Human Machine Interface (HMI)
- Software on all these computers/devices: HMI, MMI, communication protocols, host/RTU/operator applications etc.
Slide 4: First Generation - Monolithic
- Typically mainframe based
- Cable: inside the factory
- PSN leased line for continuous readings
- PSN dial-up line for, say, hourly updates
- Radio for remote sites
- Proprietary, very lean protocols used
Slide 5: Second Generation - Distributed
- Typically based on minicomputers running different functions: HMI, calculations, database, communications etc.
- LAN between different functions
- Local (no Internet!)
- Proprietary (vendor specific) LAN protocols used, often optimized for real-time
Slide 6: Third Generation - Networked
Based on:
- Open system architecture
- Open standards
- Open protocols
- Standard/industrial PCs
Benefits (convenience):
- Off the shelf systems
- Distribute functions using Internet Protocol
- Disaster survivability: the SCADA system can survive a total loss of a location
Slide 7: Today
- Easy overview of all possible connections
- Wireless Access Points for support stations
- Protected with multiple firewalls
- Running standard commercial OSes on PCs
- Standard commercial switches, routers, proxy servers
Slide 8: Report on Critical Infrastructure Protection
Quote from Robert Dacey, Director Information Security Issues (Oct 2003), Ref[2]:
"For several years, security risks have been reported in control systems, upon which many of the nation's critical infrastructures rely to monitor and control sensitive processes and physical functions. In addition to general cyber threats, which have been steadily increasing, several factors have contributed to the escalation of risks specific to control systems, including
(1) adoption of standardized technologies with known vulnerabilities
(2) connectivity of control systems to other networks
(3) constraints on the use of existing security technologies and practices
(4) insecure remote connections
(5) widespread availability of technical information about control systems"
Slide 9: Should we care more about security in SCADA systems?
IBM researchers hack into a nuclear power station.
- Plant owners claimed there was NO WAY that critical components could be accessed from the Internet.
- IBM researchers: "It turned out to be one of the easiest penetration tests I'd ever done. By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant."
Slide 10: Hackers Shut Down Foreign Power Grid (January 2008)
- Hackers demand extortion payment after breaking into electrical utilities
- Inside knowledge
- Outages occurred in several regions outside the US
Slide 11: Power, water and waste SCADA systems affected (September 2011)
- Zero day industrial control system exploits published
Slide 12: A laundry list of vulnerabilities in SCADA systems
Slide 13: The OS is key
NCS Technical Information Bulletin on SCADA systems (Ref[1]) states:
"Operating systems can be compromised, even with proper patching, to allow network entry as soon as the network is activated. This is due to the fact that operating systems are the core of every computer system and their design and operating characteristics are well known worldwide. As a result, operating systems are a prime target for hackers. Further, in-place operating system upgrades are less efficient and secure than design-level migration to new and improved operating systems."
Slide 14: Security and Reliability
Dan O'Dowd: "Reliability is proving that software behaves the way it's supposed to; security is proving that software doesn't behave the way it's not supposed to."
- Reliability requires planned paths to behave well
- Security requires that all paths behave well
They share the same design as solution:
- Separate and minimize critical components
- All critical components scrutinized
- Chain is only as strong as its weakest link
Slide 15: Safe and Secure Component Management
- Processes (not threads)
- Each component is protected in its own memory space with guaranteed resources of memory and CPU time
- Separate, minimize and assure safety and security critical components
Slide 16: Security Defined (Common Criteria)
Slide 17: Security Defined (CIA)
- Confidentiality: information that you don't want disclosed does not get disclosed
- Integrity: data does not become altered or corrupted
- Availability: resources, including data, that need to be there are there
Slide 18: Robustness requirements
High robustness requires high assurance.
Slide 19: What is Common Criteria?
International standard for evaluation of security in IT products. The purpose of the Common Criteria process is to:
- Develop standard packages of commonly found requirements (called Protection Profiles)
- Have a standard process of independent evaluation by which an expert evaluation team arrives at a level of assurance for some particular software product
Slide 20: EAL: Evaluation Assurance Level
- EAL 1 = functionally tested
- EAL 2 = structurally tested
- EAL 3 = methodically tested and checked
- EAL 4 = methodically designed, tested, and reviewed
  - analysis of security functions
  - informal model of security policy & independent testing
  - vulnerability analysis for low attack potential attackers
- EAL 5 = semiformally designed and tested
  - semiformal functional spec & HL design + semiformal correspondence
  - covert channel analysis
  - vulnerability analysis for moderate attack potential attackers
- EAL 6 = semiformally verified design and tested
  - structured development process & more structured architecture
  - vulnerability analysis for high attack potential attackers
  - structured presentation + semiformal LL design
  - systematic covert channel analysis
  - more comprehensive vulnerability analysis
  - improved CM and development environment controls
- EAL 7 = formally verified design and tested
  - formal functional spec and HL design + formal correspondence
  - comprehensive testing
Slide 21: Protection Profile Categories
- Access Control Devices and Systems
- Boundary Protection Devices and Systems
- Databases
- Data Protection
- Detection Devices and Systems
- ICs, Smart Cards and Smart Card related Devices and Systems
- Key Management Systems
- Network and Network related Devices and Systems
- Operating Systems
- Other Devices and Systems
Slide 22: Common OS Protection Profiles (Ref[6])
- CAPP: low robustness profile; protection profile that Microsoft Windows 2000 and Linux have met (EAL4+)
- SLOS/MLOS: medium robustness profiles; high number of SFRs; EAL4+ assurance
- RBAC PP: adds access control based on roles, not just user IDs; part of Trusted Solaris
- LSPP: adds labeled security attributes to access control requirements; part of Trusted Solaris
- SKPP: high robustness profile; Separation Kernel Protection Profile; protection profile that GHS has met with INTEGRITY (EAL6+)
Slide 23: Can we get the best of two worlds?
So, is there a technology that enables the incorporation of huge legacy applications and traditional operating systems, such as Windows and Linux (usability), in a high robustness environment together with secure applications (restrictions)?
Slide 24: Virtualization (Guest Operating System)
Allows consolidation of disparate systems onto dedicated virtual machines.
Benefits:
- Minimize size, weight, power and bill of materials
- Enable rapid migration to new hardware
- Sandboxing of untrusted applications
Does virtualization make the system more secure? This heavily depends on the architecture and robustness of the underlying hypervisor.
Slide 25: Monolithic Hypervisor Architecture
- Either Type-1 (on top of bare metal) or Type-2 (on top of an OS)
- When the hypervisor is attacked and compromised, all the guest operating systems are affected
- Malware and rootkits are more difficult to detect, as they install themselves below the operating system, intercepting messages
Slide 26: Microkernel-based Hypervisor Architecture
- When the hypervisor is attacked and compromised, only one guest operating system is affected
- No impact on safety critical partitions
- Remember: separate, minimize and assure security critical components: the microkernel
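The partitioning idea behind slides 15 and 26 (each component in its own memory space with a guaranteed memory and CPU budget, so a misbehaving or compromised guest cannot starve a safety critical partition) as a small constructed model. This is an added illustration, not Green Hills INTEGRITY or Multivisor code; the Partition class, the major-frame scheduler and the three workloads are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Partition:
    name: str
    mem_quota: int      # bytes this partition may hold in total
    cpu_budget: int     # ticks guaranteed to it in every major frame
    mem_used: int = 0
    ticks_run: int = 0
    faulted: bool = False

    def allocate(self, nbytes: int) -> bool:
        # Pages come only from this partition's own quota, so a leak here can
        # never eat into another partition's memory; overflow halts this one.
        if self.mem_used + nbytes > self.mem_quota:
            self.faulted = True
            return False
        self.mem_used += nbytes
        return True

def run_major_frame(partitions, workloads):
    # One major frame: each partition runs only inside its own time window.
    # workloads maps name -> callable(partition, tick) that returns True to keep
    # running; a workload that never yields is cut off at its window end.
    for p in partitions:
        work = workloads.get(p.name)
        for tick in range(p.cpu_budget):
            if p.faulted or work is None:
                break
            p.ticks_run += 1
            if not work(p, tick):
                break

# Constructed workloads: a guest that spins forever, a guest that leaks
# memory, and a small bounded safety critical control loop.
def spinning_guest(p, tick):
    return True                    # never yields, tries to hog the CPU
def leaking_guest(p, tick):
    p.allocate(64 * 1024)          # keeps allocating until its quota is gone
    return True
def safety_loop(p, tick):
    p.allocate(256)                # bounded, well-behaved control step
    return True

def demo(frames: int = 3):
    parts = [Partition("guest_spin", 256 * 1024, cpu_budget=6),
             Partition("guest_leak", 128 * 1024, cpu_budget=4),
             Partition("safety_ctrl", 64 * 1024, cpu_budget=4)]
    loads = {"guest_spin": spinning_guest, "guest_leak": leaking_guest,
             "safety_ctrl": safety_loop}
    for _ in range(frames):
        run_major_frame(parts, loads)
    return {p.name: (p.ticks_run, p.faulted) for p in parts}
```

Over three frames the spinning guest gets exactly its 6 ticks per frame and nothing more, the leaking guest is halted after exhausting its own 128 KiB, and the safety critical partition receives its full 4 ticks every frame regardless of what the guests do.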
Slide 27: Secure Microkernel-based Hypervisor
Solution used in Defense; presented as the ultimate solution for SCADA systems security.
[Architecture diagram; text recovered from it, top to bottom:]
- User / Application space: Security Critical, High Availability, Safety Critical and Real-time Applications (Application 1, 2, 3 in each partition)
- Critical Applications; Virtual Device Drivers (Ethernet driver, Graphics driver, Bluetooth, NFC, other drivers); Middleware (File Systems, PJFS, USB, additional middleware etc.); Networking (Network Management, GateD Routing and Switching, GHNet TCP/IP v4/v6)
- Guest Operating Systems, each inside an INTEGRITY Secure VM
- INTEGRITY Multivisor with ASP and BSP, running on Core 1, Core 2, Core 3, Core 4 ... Core N
- Hardware devices: VGA, USB, Eth
Slide 28: Proof by independent certification
| Certifying Authority      | Level Achieved                    | Applicability        | Industry              |
| FAA                       | DO-178B Level A                   | Reliability, Safety  | Avionics              |
| EASA                      | DO-178B Level A                   | Reliability, Safety  | Avionics              |
| NSA                       | EAL6+, High Robustness, Type 1    | Security             | Defense               |
| FDA                       | Class II, III                     | Reliability, Safety  | Medical               |
| TUV Nord, Exida           | IEC 61508: SIL 3                  | Safety               | Industrial Automation |
| TUV Nord, Exida           | EN 50128: SWSIL 4                 | Safety               | Rail, Transportation  |
| Transdyne Corp.           | SEI/CMMI Certified                | Quality              | All                   |
| IEEE and The Open Group   | 1003.1 IEEE POSIX Certified       | Open, Interoperable  | All                   |
Slide 29: References
1. NCS Technical Information Bulletin 04-1, Supervisory Control and Data Acquisition (SCADA) Systems, Oct 2004
2. Critical Infrastructure Protection: Challenges in Securing Control Systems, General Accounting Office (GAO) Report, GAO-04-140T, October 1, 2003
3. Information Security, General Accounting Office (GAO) Report, GAO-09-701T, May 19, 2009
4. http://www.scmagazine.com.au/news/272175,zero-day-industrial-control-systemexploits-published.aspx
5. http://aluigi.altervista.org/
6. http://www.commoncriteriaportal.org/products/#os