Critical Infrastructure and Automated Control Systems Security: A Strategy for Securing Against Cyber Attacks
Dr. Thomas L. Pigg
Director of the Tennessee CSEC

CSEC Mission
• The Cyber Security Education Consortium is a National Science Foundation ATE Regional Center of Excellence dedicated to building an information security workforce who will play a critical role in implementing the national strategy to secure cyberspace.

CSEC Sites

Tennessee CSEC Mission
• Phase 1 – Train the trainer
• Phase 2 – Develop Student Curriculum/Courses/Concentrations
• Phase 3 – Develop Partnerships with Business, Industry and Government

Core Train the Trainer Workshops
• Principles of Information Assurance
• Network Security
• Enterprise Security Management
• Secure E-Commerce
• Digital Forensics

New CSEC Courses
• Automation and Control Systems
  – Control Systems Architecture
  – Control Systems Software Applications
  – Control Systems Security I and II
• Mobile Communications Devices
  – Mobile Device Architecture
  – Mobile Device Programming
  – Mobile Device Hardware
• Secure Coding
  – Secure Programming I and II
  – Software Testing
  – Software Security

What are Control Systems?
• SCADA (Supervisory Control and Data Acquisition)
• DCS (Distributed Control Systems)
• ICS (Industrial Control Systems)
• BAS (Building Automation Systems)
• PLC (Programmable Logic Controllers)
• Smart Grid

Critical Infrastructures
• Agriculture & Food
• Banking & Finance
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Government Facilities
• Healthcare & Public Health
• Information Technology
• National Monuments & Icons
• Nuclear Reactors, Materials & Waste
• Postal & Shipping
• Transportation Systems
• Water

Key Critical Infrastructures
• Key Sectors for Control Systems Security
  – Energy (Electricity, Oil, and Natural Gas)
  – Water & Wastewater
  – Nuclear
  – Chemical
  – Dams
  – Transportation
  – Critical Manufacturing

Current Trends in Control Systems
• Continued move to open protocols
• Continued move to more COTS operating systems & applications
• More remote control & management
• More network access to systems
• More widespread use of wireless

Current State of Security
• Control Systems protocols with little or no security
• Migration to TCP/IP networks with its inherent vulnerabilities
• Interconnection with enterprise networks
• Old operating systems & applications with poor patching practices
• Little monitoring of Control Systems for attacks being done
• Vendors not securing their product offerings adequately
• Increased risk of insider attacks by outsourced IT services
• Experts seeing increased interest in Control Systems by terrorists & foreign governments
• Evidence that nation-states have been taking remote control of Control Systems
• Denial by some companies that there is a problem
• Some companies are now starting to see the need and address the issues

Real Control System Security Breaches
• Daimler-Chrysler Plant Shutdown
  – Zotob worm – August 2005
• FirstEnergy's Nuclear Plant Infestation
  – Slammer worm – January 2003
• Maroochy Shire Sewage
  – Release of millions of gallons of sewage – January 2000
  – Perpetrator accessed system 46 times
• Hacking the Industrial Network
  – http://www.isa.org/FileStore/Intech/WhitePaper/Hacking-the-industrial-networkUSversion.pdf
• DHS Video – Idaho National Laboratory – AURORA Test
  – http://www.cnn.com/2007/US/09/26/power.at.risk/index.html#cnnSTCVideo

AURORA Test

Real Control System Security Breaches
• Stuxnet
  – http://www.tofinosecurity.com/stuxnetcentral
  – http://www.exida.com/images/uploads/The_7_Things_Every_Plant_Manager_Should_Know_About_Control_System_Security.pdf

Current Threats
• Internet Based Threats
  – Worms
  – Viruses
  – Denial of Service Attacks
  – Targeted Attacks
    • Terrorist
    • Foreign Nation
    • Former Insider
• Physical Threats
  – Natural Disasters
  – Man-made Disasters (War, Riots, etc.)
  – Terrorist Attacks
• Internal Threats
  – Disgruntled employee
  – On-site contractor
  – Unintentional attack
  – IT worker
  – Curious employee
• Targeted Attacks
  – Can use any threat & threat agent
    • Internet
    • Internal
    • Physical
    • Social Engineering
    • Etc.

IT Security for Control Systems
• CIA
  – Confidentiality
  – Integrity
  – Availability
• Technical Controls
  – Firewalls
  – IDS
  – Smart Cards
  – Access Controls
• Administrative Controls
  – Security Policies & Procedures
  – Security Awareness
  – People
• TCP/IP
• Patches & Updates
• Intrusion Detection Systems
  – Control Systems Monitoring
  – Signatures for Control Systems
• Anti-Virus Software
• Access Control Methods
  – Passwords
  – Multi-Factor
  – Smart Cards
  – RFID
  – Proximity
  – Biometric
• Authentication
  – Active Directory
  – Control Systems Integration
  – Certificates
• Authorization
  – Role Based
  – Area of Responsibility
  – Station Access Control

Using an IDS with a Control System
• Network based
  – Inspects all network traffic on that segment (incoming & outgoing)
  – Uses pattern based signatures
  – Anomaly based uses a baseline of normal traffic
  – Uses a network tap or mirrored port
  – Monitors multiple hosts
• Host based
  – Inspects network traffic for a specific host
  – Better at protecting a machine's specific function
  – Misses LAN based attacks
• Commercial
  – Pre-configured, fee based IDS
  – CA eTrust
  – McAfee IntruShield & Entercept
  – SonicWall
  – StillSecure Strata Guard
• Open Source
  – Snort
  – BASE
  – Sguil – Real-time GUI interface
  – OSSEC (Open Source Host-based Intrusion Detection System)
• IPS
  – Intrusion Prevention System
  – Automated Response
  – Dynamically change firewall ruleset
  – NIST IDS Guide (SP 800-94)

Security Solutions
• Network Segmentation
  – DMZ Design
  – Can use ISA S99 standard as guide
  – Design to protect each segment
  – Allows for centralized services
• Network Segmentation – Centralized Services
  – Anti-Virus
  – Updates & Patches
  – Active Directory Services
  – Data Historians
  – System Management
• Secure Remote Access
  – Secured VPN connections
  – Escorted Access for vendors
  – Require secured tokens
  – Call in by vendor with request
  – Issue 1-time code for access
• IDS/IPS for Control Systems
  – Which one to use?
  – Where to use?
  – HIDS or Application Whitelisting?
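The network-based, baseline-driven IDS described above, as an added example that is not from the presentation: a detector that learns which conversations normally occur on one control-network segment (as seen from a tap or mirrored port) and alerts on new talkers, new services and volume spikes that no signature would match. Host names, the port (502, assumed here to be Modbus/TCP polling) and every flow record are constructed for illustration.

```python
"""Anomaly-based network IDS for one control-system segment (added example)."""
from collections import Counter

# Constructed flow records, as a sensor on a tap or mirrored port would
# summarise them: (source host, destination host, destination port).
# Host names are hypothetical; port 502 is assumed to be Modbus/TCP polling.
def _normal_window():
    """One 5-minute window of routine traffic on the segment (constructed)."""
    return ([("operator-console-1", "plc-boiler-1", 502)] * 12
            + [("operator-console-1", "plc-boiler-2", 502)] * 12
            + [("historian-1", "plc-boiler-1", 502)] * 6
            + [("historian-1", "plc-boiler-2", 502)] * 6
            + [("engineering-ws-1", "plc-boiler-1", 502)] * 1)

BASELINE_WINDOWS = [_normal_window() for _ in range(24)]  # 2 h of learning

# A later window: routine polling plus three things the baseline never saw.
LIVE_WINDOW = (_normal_window()
               + [("corp-laptop-17", "plc-boiler-1", 502)] * 3   # unknown source
               + [("engineering-ws-1", "plc-boiler-2", 23)]      # known host, new port
               + [("operator-console-1", "plc-boiler-1", 502)] * 30)  # 3.5x normal rate

def learn_baseline(windows):
    """Average flows per window for every conversation seen while learning."""
    total = Counter()
    for window in windows:
        total.update(window)
    return {conv: n / len(windows) for conv, n in total.items()}

def detect(baseline, window, rate_factor=3.0):
    """Return sorted alerts for a monitoring window judged against the baseline.

    new-conversation: a (src, dst, port) never seen during learning, e.g. an
    enterprise host reaching a PLC, or a known host using a new service.
    rate-anomaly: a known conversation exceeding rate_factor times its
    baseline volume, which catches scans and runaway pollers that a
    signature-based IDS has no pattern for.
    """
    alerts = []
    for conv, n in Counter(window).items():
        if conv not in baseline:
            alerts.append(("new-conversation", conv, n))
        elif n > rate_factor * baseline[conv]:
            alerts.append(("rate-anomaly", conv, n))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, (src, dst, port), n in detect(learn_baseline(BASELINE_WINDOWS), LIVE_WINDOW):
        print(f"{kind}: {src} -> {dst}:{port} ({n} flows in window)")
```

A baseline learned this way must be taken from a segment that is already known clean, and relearned after every sanctioned change (new historian, new engineering workstation), otherwise the change itself becomes a flood of alerts or, worse, an attacker's traffic gets baked into "normal".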
Security Solutions
• IDS/IPS for Control Systems (continued)
  – UTM – Unified Threat Management
• Security Event Monitoring & Logging
  – Network Devices: Switches, Routers, Firewalls, IDS
  – Computing Devices: Historians, Servers, Operator consoles
  – Field Devices: RTU, PLC, Telemetry Devices, Embedded Devices
• Security Framework
  – NIPP
  – NERC CIP
  – CSSP DHS
  – NIST
• Policy & Guidance – Developing Good Policies
  – Track Data
    • Points of Contact
    • Areas of Concern
  – Data Risk Assessment
    • Evaluate the Impact of Data Loss
  – Available Controls
    • Technical, Administrative, & Compensating
• Policy & Guidance – Implementation
  – Roles & Responsibilities
  – Security Requirements
  – Change Management Process
  – Backup & Redundancy
  – Self Assessments

Control Systems Security Initiatives
• NIPP (National Infrastructure Protection Plan)
• CIPAC (Critical Infrastructure Partnership Advisory Council)
• ICSJWG (Industrial Control Systems Joint Working Group)
• ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)
• Strategy for Securing Control Systems
• CSSP (Control Systems Security Program)
  – Idaho National Laboratory
  – National SCADA Test Bed Program
  – SCADA & Control Systems Procurement Project
  – Smart Grid Interoperability Standards Project
• UK NISCC – Now CPNI (Centre for the Protection of National Infrastructure)
• PCSF/SCySAG (SCADA Cyber Self Assessment Working Group) – Historical

Control Systems Regulations
• NERC (North American Electric Reliability Council)
  – Develop & enforce reliability standards
• CIDX/ACC – Now ChemITC (American Chemistry Council)
  – CFATS guidance & assessment tools
• ISA SP99 (Industrial Automation & Control System Security) – International Society of Automation
  – Part 1 Standard: Concepts, Terminology & Models
  – Part 2 Standard: Establishing an Industrial Automation & Control Systems Security Program
  – Part 3 Standard: Technical Requirements for Industrial Control Systems (currently in development)
• AGA 12 – Discontinued and used in IEEE 1711 Trial Standard
  – Encryption of Serial Communications
  – Serial Encrypting Transceivers now available
• API Standard 1164 (American Petroleum Institute)
  – Standard on SCADA security for pipelines
• NIST – National Institute of Standards and Technology
  – SP 800-82 – Guide to Industrial Control Systems (ICS) Security
  – NIST initiative on Critical Infrastructure Protection (CIP)
  – Uses ISO 15408 Common Criteria methodology

Control System Security Takeaway
• The 7 Things Every Plant Manager Should Know About Control System Security
  – John Cusimano – Director of Security Solutions for exida
  – http://www.exida.com/images/uploads/The_7_Things_Every_Plant_Manager_Should_Know_About_Control_System_Security.pdf

Contact Information
Dr. Thomas L. Pigg
Professor of Computer Information Systems
Jackson State Community College
2046 N. Parkway
Jackson, TN 38305
(731) 424-3520 Ext. 201
tpigg@jscc.edu