www.thalescyberassurance.com

White Paper: Cyber Security for SCADA Systems
Autumn 2013

In this white paper

Modern control systems are increasingly complex, digital and connected. Where in the past these were isolated from other networks, today's operators typically require data to be transferred between industrial and external networks. This has created the potential for malware and hackers to gain access to and disrupt real-time control systems and dependent infrastructure. This white paper analyses the different types of control systems and their associated threats, the methods of countering cyber intrusions, and the services Thales is able to provide to counter these cyber security threats.

Introduction

The security of SCADA (Supervisory Control and Data Acquisition) and real-time systems represents a significant challenge in today's world. High profile cyber security threats are a recent phenomenon – think of the Stuxnet or Night Dragon attacks – yet the systems running critical industrial processes are typically a generation older. Consequently, there are many legacy systems that may be vulnerable to cyber attack because cyber security was simply not a consideration at the time of initial design and installation. The security of even recently deployed systems may also be an issue, and there are frequent media reports of instances where systems are connected to the internet with inadequate protection, or where the manufacturers of the equipment have used hardcoded usernames and passwords, thereby gifting cyber intruders inside knowledge and the ability to manipulate the system settings.

What is SCADA?

SCADA, or Supervisory Control and Data Acquisition, is a type of industrial control system (ICS). These are computer-controlled systems that monitor and control industrial processes that exist in the physical world. SCADA systems have historically been distinguished from other ICS by covering large-scale processes that can span multiple sites and large distances. These processes include industrial, infrastructure, and facility-based processes.

It is against this backdrop that we can consider the critical differences between the protection and risks associated with real-time/SCADA systems and those associated with enterprise systems. Figure 1 summarises these issues. An organisation may be more concerned about intellectual property theft, persons gaining access to financial or strategic information, or just plain denial of service on IT systems. Although serious for a business, these risks are unlike those for industrial control systems (ICS)/SCADA, where the impact may be to lose visibility of the system sensor readings, and consequently loss of control of the plant. So where threats against business systems may impact the financial viability of the company, the potential consequences of attacks on ICS/SCADA represent, in an extreme case, a threat to safety and human life. This is not to say that industrial IT systems are not also vulnerable to loss of critical historical records, loss of data integrity, loss of time-dependent or synchronised performance, progressive degradation and randomised effects.
Figure 1 - Business System versus ICS Risk
  Business IT Systems: denial of service, loss of information, financial and reputational risk
  Industrial Control Systems: loss of view, loss of control, impact on systems, safety and operational risk
  Callouts: over 1 million SCADA/ICS systems are connected to the internet with unique IPs; the general state of real-time system security is seen as poor by hackers; honeypot deployment of a virtual SCADA proves attackers change settings

A holistic view of security

Before moving further into the cyber aspects we must consider the wide range of threats, which can be broadly categorised as below:

Threat Category | Typical Representation | Typical Mitigation Controls
Personnel | Insider attack, bribery & subversion | Personnel vetting, acceptable use policy, audit regime, logs & alerting
Physical | Intruders, burglars, prohibited items (drugs, explosives, firearms) | Locks, fences, CCTV, guards, alarms, C&C etc.
Cyber | Hackers, malware | Security audits, IDS/SIEM, antivirus, firewalls, etc.
Environmental | Fire, flood, earthquake, power failure, severe weather | DR facilities, BCP, redundancy, remote access controls etc.

In some cases it may not be practical to enforce security controls that would be mandatory in a business environment. For example, individual user accounts are preferable, but in a real-time plant environment an account may be shared by a number of users in a control room under a group account. It is, however, necessary to take a holistic view and, where practical, a common approach to dealing with the personnel, physical, cyber and environmental threats. For example, with a critical site there is little point in only implementing physical controls by building a large fence with cameras around the periphery if a cyber attack can be used to disable the cameras in a certain location, replay a video loop, and allow access via the turnstiles into the site.

Indeed, the ability to carry out a cyber attack negates the need for a physical attack if the systems within the site can be shut down or put into an undesired and perhaps unstable mode from outside, perhaps overriding interlocks and causing pressures, temperatures, rotational speeds and levels to go beyond safe limits. The cyber attack may be seen as the easy option by attackers, since it may be undertaken from another country, with attribution of source difficult to prove. To put it simply, rather than travelling hundreds or thousands of miles to perform a physical attack on a well defended site after months of planning, a competent belligerent is liable instead to use SHODAN to determine the IP number of a SCADA system located on the other side of the world, download exploit code for the SCADA system from Metasploit, then launch the attack via the anonymity services of TOR, perhaps within a time frame of 1 hour or less. In short, SCADA/ICS systems must be defended more robustly than they are now.

Industrial Systems, Controllers and Risk

The computerised equipment used in the control of equipment and industrial processes is deployed in every aspect of Critical National Infrastructure, such as:

- Nuclear power plants & reprocessing facilities
- Railway signalling systems
- Chemical plants
- LPG tankers
- Mail sorting offices
- Oil refineries
- Gas processing facilities
- Food production
- Pharmaceutical production
- Distribution centres and ports
- Motor vehicle production facilities
- Wind turbines

Clearly an adverse event taking place in any of these facilities could have serious health implications for those persons in the vicinity and nearby locations.
Some attacks will have more serious implications than others – a cyber attack on a wind farm is unlikely to have the same impact as an attack on a nuclear reprocessing facility, which may result in a long-lasting nuclear event, radioactive plume, and contamination. The consequences of a cyber, or other, attack on these facilities should be given due consideration within site risk assessments and national risk registers, so as to understand the extent of physical, cyber, personnel and environmental security controls that should be put in place.

Exploitation of SCADA Systems

Google Search is an everyday tool for most people accessing the internet; it operates by indexing the content of web pages to allow rapid retrieval based on user search criteria. SHODAN, on the other hand, is a search engine similar to Google except that it indexes HTTP (web message) header information, allowing users to find routers, servers, traffic lights, and industrial control equipment. Project SHINE (SHodan INtelligence Extraction) uncovered that over 1 million SCADA/ICS systems are connected to the internet with unique IPs, and this figure is growing by between 2000 and 8000 per day. It is most likely that many of these devices will be insecure and exploitable. All the attacker needs to do is use SHODAN to identify the internet-facing device based on the header information revealing the software version in place or other similar information, retrieve the appropriate exploit code for that device from a repository such as Metasploit, set up a proxy connection using TOR or similar, then exploit the remote system. It is commonly recognised that the robustness of SCADA/ICS in the face of a direct cyber attack is poor, as many systems were not intended to be connected to the internet.

Systems should be designed such that there are security controls (such as firewalls/data diodes and identity & access management systems) between the real-time systems and the internet. The current state of SCADA/ICS systems is regarded as woeful by security researchers. It is common to find ActiveX in use, secure coding approaches are rare, and many systems are so brittle that they are unable to withstand security scans and probing. Backdoor administrative accounts are present, and in some cases hardcoded authentication credentials are used, which if known guarantee hacker access. Basic fuzzing of ICS causes some to crash, buffer overflows are a serious problem, and some have no password lockout or timeout, allowing brute-force login attempts. Hacking of ICS is made easier by ready-made plug-ins for the Metasploit framework and Nessus, giving hackers easy access to real-time systems.

Once a system such as a PLC has been "owned", new "ladder logic" can be uploaded. During the attack on Natanz with Stuxnet, it was reported that the controller logic was changed to cause the centrifuges to speed up and slow down rapidly. A similar approach could be adopted on other systems to ignore multiple safety interlocks, with catastrophic effects. Perhaps the controllers are duplicated for safety and availability, but if the cyber attack changes the logic in all systems, then the outlook is not good.

Cyber attacks on SCADA/ICS are rare but increasing. The temptation is to dismiss the problem; however, a Black Hat presentation in 2013 [1] proved that when a honeypot simulating a real-time system was placed on the internet, some connecting parties changed settings to potentially hazardous levels. This was just a virtual honeypot, not a real SCADA system, but the outcome of external hackers connecting to real systems and changing settings may have serious implications.
If possible, robust SCADA/ICS products should be used, with security built in, not an afterthought. However, this may not be practical, and it is therefore essential to segregate these systems from high risk networks such as the internet, and certainly not to allow IP numbers for SCADA/ICS to be directly accessible from the internet unless there is a good reason and appropriate security controls are in place.

Industrial Protocols

A protocol, in the original sense of the word, is a code of conduct or a set of defined procedures to be followed. With respect to industrial IT systems, the protocol allows communication from one device to be understood by other devices. Given that industrial IT hardware has a range of functionality, provided by many manufacturers, a very wide range of industrial protocols has evolved, often vendor specific. There has been some standardisation around the use of Fieldbus, Profibus, and Modbus, but these were all developed and deployed long before IT security became a major issue. Modbus, for example, has no controls against unauthorised commands or interception of data. Therefore, routing industrial protocols over the internet or other IP networks nowadays requires professional care and additional controls to maintain the security of the data and ensure that both command interactions and critical information retain their integrity.

Understanding the Business Risk

The business risk will vary between different sectors of the CNI, but also within specific aspects of the same company. For example, a key risk for a gas processing plant in an area of political unrest may be physical intrusion and/or terrorist attack. However, an oil rig off the coast of the UK will have a different risk profile, perhaps relating to non-availability of systems due to severe weather, or concerns about leaks causing environmental damage. It is this variability of threat and risk that must be considered during a risk assessment, which should be undertaken through the whole business cycle, from conceptual design through to close-down and decommissioning.

[1] https://media.blackhat.com/us-13/US-13-Wilhoit-The-SCADA-That-Didnt-Cry-Wolf-Whos-Really-Attacking-Your-ICS-Devices-Slides.pdf

Typical threat sources listed by CPNI (Centre for the Protection of National Infrastructure) that should be considered are:

Threat Sources / Actors | Representation of Threat
Contractors | Externally employed staff on company premises who may not be trained in the appropriate measures that should be undertaken (e.g. removal of faulty IT equipment from site that contains sensitive information). These persons may not have appropriate vetting and represent a threat if influenced to undertake malevolent activities whilst on the CNI site (such as inserting USB key-loggers, or gathering site security details).
Corporate intelligence | Competitors, some of whom will target CNI facilities to understand the site and steal intellectual property so that it can be replicated elsewhere, perhaps in competitive bids. This threat can also be present where companies are requested to bid for lucrative contracts, only to have their designs copied and used elsewhere in competitive bids.
Criminals / Organised Crime | Criminals will be an issue where financial gain is of interest. This could be a break-in to steal computer equipment, which if not backed up would represent a threat to business continuity. Criminals may also subvert staff to undertake malicious activity.
Disgruntled Staff | Persons with a grudge, who may have been passed over for promotion, notified of redundancy, have moral objections to what the organisation is undertaking, or have other circumstances such as financial difficulties that put them at risk of compromising security, perhaps giving information to outsiders.
Foreign Intelligence Services | Highly capable nation state organisations that are able to deploy considerable resources to gain information, such as interception of data, influencing other threat actors to steal data, or hacking into environments for industrial espionage purposes. It is not only state secrets that will interest the FIS. For countries that have a close link between state and industry, the FIS will actively seek industrial information and intellectual property for the financial gain of the state-linked industries.
Hackers | Whether state sponsored, funded by serious organised crime, or independently motivated, hackers have the potential to compromise the confidentiality, integrity or availability of systems by their actions. Externally this action may manifest itself in website defacement, or theft of customer details. However, for clients running real-time/ICS systems, perhaps geographically spread, hackers may use search tools such as SHODAN to discover internet-connected equipment and perform malevolent actions on this infrastructure.
Internal Attackers / bystanders | Persons on site, perhaps temporarily, who are visitors or bystanders may pose a risk by observing information when present in the facility, or perhaps by gaining unauthorised access to systems that are left logged in.
Protestors and Activists | Persons having an ideological grudge against the operations of the company. Traditionally this has taken the form of blockading facilities or intimidating staff to impede company operations or gain media publicity. However, the recent emergence of "hacktivism" has meant the wilful unauthorised penetration of company systems by politically motivated parties.
Staff undertaking unauthorised actions | Sometimes wilful, but at other times due to inadvertent consequences. Unauthorised actions by staff, perhaps trying to get round what is seen as onerous or inflexible security controls, can introduce threats. A typical example would be the use of personal USB sticks which contain malware, in the absence of an alternative and available route to transfer information.
Terrorists | Persons with malicious intent whose primary aim to date has been physical attacks on systems to compromise availability. This does not necessarily mean that electronic attacks will not occur in future with respect to real-time/SCADA systems, as available exploits against these systems become commonplace.

Regulatory Compliance

With the emergence of cyber threats and the need to secure data, standards have arisen for other industries, such as those defined in the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). The difficulty with applying a modern compliance regime to SCADA systems lies in adapting the old systems to a new framework of controls. With the landmark event of Stuxnet, the security issues of SCADA came into prominence. It became evident that organised parties were intent on performing cyber attacks to access SCADA/PLC systems in order to damage plant equipment. Given the difficult nature of implementing robust controls in industrial environments, various national authorities such as NIST and CPNI have produced standards and security guides for real-time systems integrators. With the abundance of poorly protected ICS equipment, which will be in place for many years to come, often running protocols where security was never a consideration, there has been considerable effort by national and international bodies to define standards for securing the CNI infrastructure.
Notable examples are:

- UK CPNI Security Guides
- ISA 99
- USA NIST 800-82
- IEC 62443

Zoning, Segregation, and Protection of Industrial Networks

It is the interconnected nature of environments, and the need and expectation for access to data generated in the real-time arena, that causes the challenges. For example, in a rail transport scenario it would be very useful for travellers to know the position of trains, but it would also represent a risk if hackers or malware could enter via this internet connectivity and compromise the safety of the track signalling systems. It is only by performing thorough risk assessments and designing secure gateways, perhaps including one-way diodes, that ICS/SCADA networks can be protected from external threats.

ISA 99 and IEC 62443 propose the zoning of architectures, and this has been generalised in Figure 2. This shows that with no security controls, external malware and hackers may gain access to ICS/SCADA systems, but with secure controls such as one-way diodes, the threats resident on the business systems cannot spread to the real-time arena, using a Level 0 to Level 4 zoning approach in the segregation of systems. The principles of Figure 2 should be followed, but the practicality of securing a widespread ICS/SCADA infrastructure will be complex, with the "conduits" (WAN, VPNs) needing to be secured to remote outstations, and the need to control support personnel having remote access into the infrastructure below the industrial DMZ.

Figure 2 - Segregation of Business and Real-Time Networks
  Level 5: Internet (internet gateway devices)
  Level 4: Enterprise / DMZ, enterprise systems (centralised ERP, ERM, CRM, C&C, helpdesk; middleware such as MOM, ESB, etc.)
  Level 3: Site manufacturing operations and control, industrial DMZ (gateway devices; conduits to the enterprise systems)
  Level 2: Industrial control systems, SCADA, ICS
  Level 1: PLC, critical I/O infrastructure
  Level 0: Sensors, actuators, motors

Situational Awareness

Stuxnet graphically illustrated that even air-gapped industrial control systems (ICS) in high security environments are vulnerable to sophisticated attack, especially with many ICS directly controlled via the host company's business network. Given that many ICS are directly connected to the internet, the attack vectors, attack surfaces and likelihood of a security incident increase dramatically. If it is not within the immediate remit of the organisation to change the design and configuration of the network supporting the ICS, it is vital to have full situational awareness of the nature of the attack, even if it has proved impossible to prevent the successful compromise. In order to achieve this it is necessary to incorporate protective monitoring technology, supported by policies and process, into the organisation, coupled with experienced analysts who can identify suspicious network activity. Should this not be a practical solution, if for example the company size does not justify the expenditure on full-time security monitoring, then engaging with a managed service provider should be considered, one who is able to provide the services of a 24/7 SOC (Security Operating Centre) that can monitor vulnerable networks together with other crucial feeds, such as access control systems. Security and Incident/Emergency Management solutions exist that build a full situational awareness picture of the physical, environmental, personnel and cyber domains, enabling effective, controlled and recorded responses.
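The protective monitoring described above, applied to two points made earlier in this paper (Modbus has no controls against unauthorised commands, and the Figure 2 zoning model): an added example, not code from the white paper or from Thales. It assumes a hypothetical IP-to-level table and constructed Modbus/TCP frames, and the zone-crossing policy it enforces is this example's own reading of Figure 2, not the text of ISA 99 or IEC 62443.

```python
# Added example: a minimal protective-monitoring check for Modbus/TCP requests
# crossing the zone boundaries of Figure 2. Modbus carries no authentication, so
# the monitor judges a request only by where it came from, where it is going, and
# whether it writes to the process. All hosts and frames below are constructed.
import struct
from dataclasses import dataclass
from typing import Optional

# MBAP header: transaction id (2), protocol id (2), length (2), unit id (1)
MBAP = struct.Struct(">HHHB")

# Function codes that change the state of the controlled process.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Hypothetical IP-to-level table following Figure 2 (constructed addresses).
ZONE_OF = {
    "10.0.1.20": 1,    # PLC (Level 1)
    "10.0.2.10": 2,    # SCADA server (Level 2)
    "10.0.3.5": 3,     # historian in the industrial DMZ (Level 3)
    "10.0.4.7": 4,     # enterprise MES host (Level 4)
    "203.0.113.9": 5,  # internet-facing host (Level 5)
}


@dataclass
class ModbusRequest:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_modbus_tcp(src: str, dst: str, data: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU; raise ValueError on a malformed frame."""
    if len(data) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(data)
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts the unit id, the function code and the data.
    if length != len(data) - 6:
        raise ValueError("MBAP length field disagrees with frame length")
    return ModbusRequest(src, dst, tid, unit, data[MBAP.size], data[MBAP.size + 1:])


def build_adu(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP ADU (used only to construct the sample traffic)."""
    pdu = bytes([function]) + payload
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def zone_violation(req: ModbusRequest) -> Optional[str]:
    """Return why the request breaks the segregation model, or None if allowed.

    Policy (this example's reading of Figure 2): Modbus may only cross one level
    at a time (a conduit between neighbours); nothing at Level 4 or 5 may talk
    directly into Level 2 or below; writes to Level 0/1 equipment must come from
    the Level 2 SCADA zone.
    """
    s, d = ZONE_OF.get(req.src), ZONE_OF.get(req.dst)
    if s is None or d is None:
        return "host not in any defined zone"
    if d <= 2 and s >= 4:
        return f"Level {s} to Level {d} traffic bypasses the industrial DMZ"
    if abs(s - d) > 1:
        return f"no conduit between Level {s} and Level {d}"
    if req.function in WRITE_FUNCTIONS and d <= 1 and s != 2:
        return f"{WRITE_FUNCTIONS[req.function]} to Level {d} from outside SCADA"
    return None


# Constructed sample traffic: (src, dst, raw ADU bytes).
SAMPLE_TRAFFIC = [
    ("10.0.2.10", "10.0.1.20", build_adu(1, 1, 0x06, b"\x00\x01\x00\x2a")),  # SCADA writes setpoint
    ("10.0.3.5", "10.0.2.10", build_adu(2, 1, 0x04, b"\x00\x00\x00\x08")),   # historian reads
    ("10.0.4.7", "10.0.1.20", build_adu(3, 1, 0x10, b"\x00\x01\x00\x01\x02\x00\x2a")),  # MES writes PLC
    ("203.0.113.9", "10.0.2.10", build_adu(4, 1, 0x03, b"\x00\x00\x00\x01")),  # internet reads SCADA
    ("10.0.3.5", "10.0.1.20", build_adu(5, 1, 0x03, b"\x00\x00\x00\x01")),    # DMZ skips a level
    ("192.0.2.44", "10.0.1.20", b"\x00\x06\x00\x00\x00\x02\x01"),             # truncated frame
]


def audit(traffic) -> list:
    """Run each sample through the parser and policy; return (index, finding) pairs."""
    findings = []
    for i, (src, dst, raw) in enumerate(traffic):
        try:
            req = parse_modbus_tcp(src, dst, raw)
        except ValueError as exc:
            findings.append((i, f"malformed frame: {exc}"))
            continue
        reason = zone_violation(req)
        if reason:
            findings.append((i, reason))
    return findings


if __name__ == "__main__":
    for idx, finding in audit(SAMPLE_TRAFFIC):
        print(f"packet {idx}: {finding}")
```

Only packets 2 to 5 of the sample traffic produce findings; the SCADA write to the PLC and the historian read are within policy.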
Forensic Readiness

In the event of the worst case scenario occurring, where a security compromise is suspected or has been identified, time is not a luxury that will be available. In the event of a serious incident, how the incident is managed and the time it takes to investigate and remediate it are likely to be scrutinised closely by various organisations. Depending on the industry sector concerned, various compliance requirements may be mandated, and these are highly likely to include forensic readiness. As an example, the ISO 27001 series of security control measures recommends that responsibilities and procedures should be established in order to respond quickly and effectively to security incidents, including cyber security breaches.

In the UK, the Government has published the Security Policy Framework, which mandates baseline security measures in 20 different areas to address technical security risks; this document is applicable to all Government employees (including contractors) and covers all areas of government and associated departments. The Risk Treatment section (Mandatory Requirement 9) states that "Departments and Agencies must have a forensic readiness policy that will maximise the ability to preserve and analyse data generated by an ICT system that may be required for legal and management purposes". To assist with the drafting and implementation of a forensic readiness policy, CESG (Communications-Electronics Security Group, part of the state intelligence agency, GCHQ) has produced a Good Practice Guide (GPG 18) together with the Information Assurance Implementation Guide Forensic Readiness Planning. This guide recommends a scenario-based approach to forensic readiness planning, examining hypothetical risks and real previous incidents. Each of these potential incidents should have a corresponding incident response policy that is documented and exercised.
Incident Response

Key to successful investigation and remediation is to have an assured cyber incident response provider identified, and preferably engaged as a forensic service provider, in advance of an incident. This way the client has the confidence that the supplier has the availability, technology and capability to manage the incident on the client's behalf. Engaging a forensic company that employs manual techniques to identify and remediate a malware incident on a large enterprise network is likely to result in a protracted cyber version of "Whack a Mole". Technical solutions now exist where entire enterprise networks can be examined concurrently for malware or an unknown APT, for example by looking for suspicious applications that are running in computer memory. Once the malware is identified, a forensic snapshot of the data can be taken and all systems on the network forensically searched, whereupon remediation of infected devices can take place. The remediation option could then include (if required) the simultaneous stopping of processes or the forensic wiping of all traces of the malware across the entire domain. Previously, the manual approach would probably have taken weeks on site, or may not have fully remediated the attack. Now, new technology dramatically reduces the response and remediation time, allowing companies to resume normal business in a timely fashion.

Cyber monitoring and defence can be integrated into modern security facilities, enabling cyber security, physical security and process management to be combined into holistic situational awareness and tactical response management control rooms.

Cyber Incident Reporting

Depending on the industry sector, there is likely to be a requirement for the mandatory reporting of the incident to one of the UK Computer Emergency Response Teams, such as GovCertUK or MODCERT (MODWARP). How quickly and accurately the information on your cyber attack is passed to that authority will be reflected in their ability to alert other areas of industry, especially critical national infrastructure, in a timely fashion. It may also be reflected in any enforcement measures that the Information Commissioner (or similar organisation) may wish to take as a result of the cyber breach.

So where does Thales fit in?

When it comes to security and critical systems, Thales is a world leader. There are many statistics; here are some:

- Thales technology secures 80% of the world's financial transactions (90% in the UK)
- 3 billion rail passengers carried annually by the Thales SelTrac CBTC systems
- Thales implementation of the world's largest urban security project in Mexico City
- Thales implementation of security for the world's largest oil terminal
- Thales securing thousands of kilometres of pipelines and border surveillance
- Road toll collection on 4000 lanes of 30 motorways worldwide
- Significant involvement in air-traffic management and airport security

It should be noted that CNI and ICS/SCADA spread over a multitude of industries, and Thales is a major player in these arenas, if not a world leader, with much experience in implementing large-scale, operation-critical secure systems.

Thales Critical Infrastructure & Cyber-security Services

Thales believes Good Cyber is Good Business. Taking a holistic approach to security is the critical factor. Layered architectural models should be built that bring together world leading products from both the system/technology integrator and third parties to ensure that the holistic security requirements of the customer are met. It should be part of a solution to ensure the integrity of both the integration layer and the operational elements.
Individual components of the solution should be understood in conjunction with concept of operation, policies, training, maintenance, supportability and the service aspects. Possible individual components and services are listed below but it should be understood that the real benefits come from solution providers, who can deliver all encompassing holistic security solutions. Critical Infrastructure Cyber Security for SCADA Systems - Autumn 2013 Service Comment CCTV / Site Security Controls Selection of appropriate CCTV systems, calculation of field of view, illumination requirements, and other fence technology such as PIDs. Calculation of zoning for image analytics, and physical control selection such as inner / outer fence, camera poles, towers, bunds, biometrics, access control, video analytics and other measures to deter & detect intruders. Command Centre Design With involvement in the largest and most sophisticated command centres on a worldwide basis, Thales is well placed to select the most appropriate technologies for inclusion in the command centre to support user requirements. The physical security aspects of the command centre will be considered, together with the internal IT system requirements / systems integration, and secure connectivity to local and remote stakeholders to offer holistic Situational Awareness and Response Capabilities. Physical Intrusion Tests Covert intrusion by specialised Thales employees with skills in physical entry into critical facilities, using various techniques to overcome existing controls are used to test existing controls and operational processes in place to stop intruders. Thales personnel will leave agreed markers which will signify places that were reached which could signify the placement of explosives or theft of material – whatever the client values and is trying to protect. 
Physical Security Audits: Visiting client sites to understand existing security controls such as guard mechanisms, fences, doors, alarms, CCTV, and other aspects including security management systems and reporting mechanisms, and production of reports for clients highlighting shortfalls and what should be done with respect to security improvements.

Security and Emergency / Event Management Integration: Selection of appropriate event management software to cover security, incident and emergency management. These systems can be highly sophisticated, and require integration with a large number of other systems, site and remote sensors, CCTV, and stakeholders for management of events to give maximum operational benefit.

Communications Network Design: CNI sites may have many on-site sensors such as CCTV / PIDS, or ground-based sensors and radar technology for detection of threats further away. GPS-tracked assets such as vehicles and personnel may need to be monitored, for dynamic display on the video wall in the command centre. All of this site-based data, plus data to / from offsite stakeholders, needs to be secure. Thales is skilled in the design of such networks, allowing fixed cable, wireless / microwave / laser / radio / satellite communications in a secure, integrated, highly available and resilient manner.

Process Control and Automation: Thales has decades of experience in providing comprehensive Process Control and Automation systems: SCADA, Monitoring, DCS and Command Centres, whether fixed, multi-site or mobile. The integration of traditional Industrial IT System expertise with Security System and Cyber System expertise positions Thales as a key total solution provider.

Cyber Security

Cyber-Range Activities: Ability to undertake cyber engagements against other participants acting as APT actors or DDoS attackers.

Cyber Security Training: Ability for users of the Cyber Integration Centre to practise incident response, and configuration of hardware / software on both virtual and real industrial systems.

Enterprise / Solutions Architecture Design & Systems Integration: Analysis of the customer requirements to determine whole-enterprise architecture requirements, such as server architecture, SANs, enterprise software components, ESB, databases, etc. Design of the whole solution.

Hardware / Software Evaluation: Evaluation of hardware appliances and / or software for external clients.

Holistic Security / Cyber Maturity Audits: Deployment of Thales personnel onto client sites, to gather information on current client cyber maturity and make recommendations regarding controls that should be put in place. Thales operates teams whose personnel are members of CLAS, and recognised under the CCP scheme.

Incident Response: Emergency deployment to client sites on a worldwide basis to resolve issues relating to APT and other cyber incidents. Ability to deploy hardware network appliances and client probes to capture indicator-of-compromise information, analyse the data and remove the cyber intrusion.

Load Testing: Ability to take customer appliances and apply severe data loading to understand their behaviour. Similarly for server-based software, to confirm that the specified servers will be able to support the expected user community.

Security Architecture Design: Analysis of existing or new architecture requirements, to determine the security controls that should be in place to secure the architecture. Selection of products and detailed design.

Virtualised DR Failover Testing: Use of the Cyber Integration Centre to test disaster recovery scenarios, to prove that if one virtualised instance fails, other infrastructure can recover the situation, and that human processes are defined and users trained.

Virtualised Enterprise Environment (VEE): Ability within the Cyber Integration Centre to simulate whole enterprise networks including servers, routers, switches, LAN/WAN issues (bottlenecks, jitter, time delays), real-time infrastructure, and user communities. This enables clients to understand systems prior to deployment, or test changes prior to roll-out, and understand how the system will operate under user load.

Virtualised Vulnerability Testing: Similar to VEE above, except with the ability to use the Thales VA team to analyse software / firmware build status to understand which components should be patched or have lockdown policies applied.

Vulnerability Assessment / Penetration Testing: Deployment of Thales teams to client sites to perform vulnerability assessments against existing architecture, allowing current build status and vulnerabilities to be identified, and a report produced on these findings. Similarly, if the customer wishes, Thales is able to take these vulnerabilities and exploit them to gain access to further resources. Thales team members are recognised under the CREST scheme.

Gateway Services

NOC as a service: Thales is able to link to client sites and undertake a Network Operations Centre (NOC) service, where client network infrastructure is managed and monitored, and software updates / patching are applied.

PSN Gateway Services: Thales is a provider of gateway services to the PSN and other networks, and is able to offer clients the ability to connect to the UK Public Sector Network (PSN) if required.

CSOC as a service: Thales is able to link to client sites and undertake a Cyber Security Operations Centre (CSOC) service, where these networks are monitored for cyber attacks and APT characteristics. This is a particularly useful service for those clients who have taken advantage of the Thales Incident Response service, allowing through-life aftercare.
Figure 3 - One of the growing number of Thales Cyber Integration Labs

Figure 3 shows one of an interconnected network of labs used for staging and testing of concepts in relation to real-time / SCADA and enterprise systems. In this case a video wall is present for displays covering CCTV and security management. Simulations are present for nuclear reactor control, pipeline monitoring, and site perimeter security. Other systems allow the overlay of incidents and sensor / asset data on top of site maps. There are a number of SCADA, PLC and Security Management systems in place, and the ability to feed these systems from a number of sensors. Within this lab a section of fence is present, together with physical intrusion sensors, and cameras that react to intrusion events. This lab is available for industrial control and physical security solutions, and it can be linked to other labs allowing cyber incidents to be simulated. Thales has access to thousands of malware signatures, and is able to simulate sophisticated attacks against the ICS/SCADA and Security equipment, then design appropriate security architectures to keep such attacks out. The virtualised labs can also act as a cyber training centre, enabling the deployment of cyber attacks and allowing response personnel to train in containing the event and removing the malware or attackers from the network. Although the labs can operate to support cyber range training in cyber-warfare defence, the labs are primarily aimed at repelling existing cyber attacks, which are commonplace.

The availability of such facilities is a formidable resource, allowing clients to test equipment and concepts prior to deployment with realistic simulated loads and architectures. Extensive server resources and state of the art network simulation equipment mean that millions of users can be simulated, events timed to the nanosecond, and network problems such as bottlenecks / jitter / time delays simulated to provide the most realistic of environments. Thales can help solve client problems, test the real system software to be used with realistic loads and events, then deploy to client sites via our consultancy and implementation teams, wherever the client is located on a global basis.

Figure 4 - Virtualised Enterprise Environment (diagram; components shown: Physical Artefacts (switches, CCTV, PIDS etc.), Virtual User Community, Switch / Routing Infrastructure, External User Community, External Components and Non-Virtualised Infrastructure, External Hacking Community, Company Enterprise Server / Application Infrastructure, Internal / External LANs/MANs, Security / Authentication Infrastructure, Real-time Industrial Control Infrastructure and Process Stage; capabilities shown: Complete / Partial Enterprise Infrastructure, Replicate Processes & Workflow, SCADA Simulation, Simulate Network Infrastructure and Bottlenecks, Stress Test Applications, Pen Test / Vulnerability Assessments, Supply Chain Interaction, Replicate Hacking and Incident Response)

Conclusion

We live in a fast changing world. Unfortunately, this includes the threats against the SCADA systems integral to the functioning and prosperity of businesses and Critical National Infrastructure. There are many misconceptions about the levels of threat, the extent of damage or disruption, and the effort and skills required for protection.
The field of cyber security in relation to SCADA and Industrial Control Systems is complex, and either ignoring the threats or implementing inadequate controls may have significant consequences, perhaps involving loss of life if an attack was launched which achieved its end objective. Cyber and SCADA Security is now of major concern for all industrial infrastructures. The nature of the threat demands rapid, accurate, and informed decision-making to ensure safety, security, and operational effectiveness are maintained regardless of any incidents or accidents that may occur. This requires the application of holistic security solutions, delivered by organisations such as Thales which are able to deliver the integrated security systems designed to meet the increasing threats and ensure that Critical Operations receive the best protection.

This white paper has shown that vulnerable organisations should take a holistic approach to securing their SCADA systems. Interrelated cyber, physical, and industrial IT vulnerabilities must be managed effectively from the outset to meet new threats. With its wide range of services and state of the art testing, integration and simulation facilities, Thales is able to understand the nature of the customer environment, integrate security into the system design from the ground up to cover the main risks of physical, cyber, personnel or environmental security, or retrofit solutions to shield legacy systems from the wide range of threats today.

About Thales

Whenever critical decisions need to be made, Thales has a role to play. World-class technologies and the combined expertise of 65,000 employees in 56 locally based country operations make Thales a key player in assuring the security of citizens, infrastructure and nations in all the markets we serve: aerospace, space, ground transportation, security and defence.

For more than 40 years, Thales has delivered state of the art physical and cyber security solutions to commercial, critical national infrastructure, government and military customers. Thales will help you refocus your security spend to defend your organisation and prevent significant loss of revenue and reputation. Thales will ensure your competitive advantage is maintained by being able to demonstrate resilient and secure use of physical and cyber security.

Why Thales?

As a world leader in providing modular, integrated physical and cyber security solutions, Thales is able to:

- Design and implement upgrades to the existing security of your organisation with minimal impact to your business operations. Thales is trusted to secure critical energy facilities, transport networks and defence assets in the UK and around the world.
- Pull through capabilities from the global Thales Group and our industry partners to deliver secure solutions that deliver tangible business benefits. For example, Thales implemented a fully integrated security management system in Mexico City as part of the 'Secure City' project.
- Use our world leading encryption product suite to protect your data. Our encryption hardware helps secure an estimated 80% of the world's payment transactions, including 3.7 billion BACS transactions every year.

Contact Us

Thales UK Ltd, Mountbatten House, Basing View, Basingstoke RG21 4HJ, UK
Tel: +44 (0) 1256 376633
Email: cyber@uk.thalesgroup.com
Website: www.thalescyberassurance.com

© 2013 THALES UK LTD. This document and any data included are the property of Thales UK Ltd. No part of this document may be copied, reproduced, transmitted or utilised in any form or by any means without the prior written permission of Thales UK Limited having first been obtained. Thales has a policy of continuous development and improvement. Consequently the equipment may vary from the description and specification in this document. This document may not be considered as a contract specification. Graphics do not indicate use or endorsement of the featured equipment or services.