University of South Australia
School of Computer and Information Science

SECURITY METRICS IN SCADA SYSTEM

Duc Nam Nguyen (ID: 110057721)
Master of Science (Computer and Information Science)
Supervisor: Dr. Elena Sitnikova
Submission Date: June 17th 2012

Abstract

Supervisory Control and Data Acquisition (SCADA) networks are used to control and monitor critical infrastructure such as oil, gas, electricity and water in most developed organizations and countries. Because of the development of hacking tools, the capabilities of hackers and terrorists, the historical lack of security functions in SCADA systems and the gap in applying security solutions from IT systems, these systems have become 'open' and easy to attack and take control of. The problem with these systems is how to know or decide whether they are secure. Unfortunately, there is at present no widely accepted definition or standard that can determine whether a system is secure or not. To answer this concern, the research uses available materials and analyses the architecture and the weaknesses of SCADA systems. A possible answer is the security metric, a quantifiable measurement of one aspect of a SCADA system. It also helps operators make decisions and improves the performance of SCADA systems. The research question is answered in the paper entirely on the basis of theoretical analysis. The outcome of this research supports further studies in the security area of Process Control Systems, which cover SCADA systems.

Acknowledgements

I am wholeheartedly thankful to my supervisor, Dr. Elena Sitnikova, who has encouraged, guided and supported me to finish this minor thesis. I know I caused a lot of annoyance for your work during the time I was doing my thesis. I will never forget your efforts to help me finish my thesis. Besides my supervisor, it is a pleasure to thank Professor Jiuyong Li for helping me to arrange other parts of the thesis such as the presentation and minor thesis 1.
My sincere thanks also go to Nguyen Thanh Nhan, who supported me at the start of this thesis. Sorry that I could not help you with your thesis. Last but not least, I would like to thank my parents, who always encourage me even when sometimes I wanted to give up.

Contents

Abstract
Acknowledgements
Contents
List of Figures
List of Tables
Abbreviations
Chapter 1. Introduction
  1.1 Research Problems
  1.2 Motivation
  1.3 Research question
  1.4 Contribution
  1.5 Chapter Review
Chapter 2. SCADA system
  2.1 Definition of SCADA system
  2.2 SCADA System General Layout
  2.3 Modern architecture of SCADA systems
  2.4 How a SCADA system can be attacked?
    2.4.1 Possible threats on SCADA system
    2.4.2 Well-known attacks on SCADA system
  2.5 Discussion
  2.6 Chapter Review
Chapter 3. Security metrics
  3.1 Definition of security metric
  3.2 Challenges and opportunities for security metrics in SCADA system
  3.3 Category of security metrics
    3.3.1 Organizational metrics
    3.3.2 Operational metrics
    3.3.3 Technical metrics
  3.4 Recommendations of developing security metrics
    3.4.1 The relationships between security metrics and risk analysis
    3.4.2 Framework for metric development and evaluation
  3.5 Chapter Review
Chapter 4. Security metrics in SCADA system
  4.1 Number of attacks
  4.2 Probability of attacks
  4.3 Shortest Length of attacks
  4.4 Attack surface metric
  4.5 Rogue change days
  4.6 Security evaluation deficiency count
  4.7 Data transmission exposure
  4.8 Known vulnerability days
  4.9 Password crack time
  4.10 Detection mechanism deficiency count
  4.11 Restoration time
  4.12 Chapter review
Chapter 5. Conclusion
References

List of Figures

Figure 1: SCADA system general layout (Stouffer et al. 2008)
Figure 2: SCADA System Implementation Example (Stouffer et al. 2008)
Figure 3: SCADA System Implementation Example (Rail Monitoring and Controlling) (Stouffer et al. 2008)
Figure 4: Attacks map into SCADA systems (Kang et al. 2009)
Figure 5: Metric Categorization Identified at Workshop on Information Security System Rating and Ranking (ACSA 2001)
Figure 6: Framework for metric development (Grantz et al. 2003)
Figure 7: Security framework for SCADA system (Nhan 2012)

List of Tables

Table 1: Possible threats on SCADA system (edited from GAO 2005 and Stouffer et al. 2008)
Table 2: Common SCADA security threats (Kang et al. 2009)

Abbreviations

CERT    Computer Emergency Response Team
CNN     Cable News Network
DoS     Denial of Services
GAO     Government Accountability Office
HMI     Human Machine Interface
ICS     Industrial Control System
IED     Intelligent Electronic Device
IT      Information Technology
IP      Internet Protocol
I3P     Institute for Information Infrastructure Protection
ISO     International Standards Organization
LAN     Local Area Network
MTU     Master Terminal Unit
NERC    North American Electric Reliability Corporation
PLC     Programmable Logic Controller
PCS     Process Control System
RTU     Remote Terminal Unit
SCADA   Supervisory Control and Data Acquisition
TCP     Transmission Control Protocol

Chapter 1. Introduction

Supervisory Control and Data Acquisition (SCADA) systems are widely used to control and monitor the resources of critical infrastructure in many organizations and nations.
SCADA systems are built for many fields such as oil and gas, air traffic and railways, power generation and transmission, water management, manufacturing, production plants and electricity (Slay & Sitnikova 2009). The original SCADA systems were built as standalone networks. The control system and the system devices communicated with each other in an isolated network, and very limited information was sent outside. There was no concern about security in SCADA at that time. In recent years, because of advances in computer science, new technologies and business requirements, SCADA systems are no longer able to work independently. They need to transfer data to communicate with corporate networks and to allow supervisors real-time access to and control of processes from a personal computer that can be located far from the system (Kang 2009, Stouffer et al. 2008). The communication links in a SCADA system have become more complicated, and they are the targets through which hackers attack the SCADA system. There are many designs for different kinds of networks and purposes, and although these designs differ they have some features in common, such as allowing remote access to systems and allowing connections between SCADA networks and the internal network. These networks are also built on common technologies such as Windows, Ethernet and Web Services (Slay & Miller 2006). In recent years, concern about cyber-attacks on the SCADA systems that control and monitor major critical infrastructure has increased sharply in many organizations and nations.

1.1 Research Problems

Slay and Miller (2007) mention that the most well-known attack on a SCADA system was the attack on the Maroochy Shire Council's sewage control system in Queensland, Australia in January 2000. Another example is the Davis-Besse Ohio Nuclear Power Plant in January 2003 (Poulsen 2003). In August 2005, Zotob, a worm that spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability, crashed thirteen automobile manufacturing plants in the United States and many other corporations and made them unavailable for an hour (Robert 2005). In March 2007, the results of an experiment named "Aurora Generator Test", conducted by Idaho National Labs, elevated cyber-attack threats to a new level. In 2008, an emergency shutdown of the Hatch Nuclear Power Plant in Georgia caused by a software update led to a loss of millions of dollars (Krebs 2008). In April and June 2009, the Wall Street Journal reported that Russian and Chinese spies had attacked the United States electrical grid, and the North American Electric Reliability Corporation (NERC) and a defence contractor evaluated the ability of the company to resist cyber-attacks (Bauch et al. 2010). In 2010, the Stuxnet worm, which includes a specialized malware payload, was designed to target Siemens SCADA systems; 60 per cent of Stuxnet infections were located in Iran, and it affected many computers in other countries (Keizer 2010). One debated situation was the event at the Northwest Rail Company in December 2012 in the United States. On December 1st, train service was slow for a short while and schedules were delayed for 15 minutes, and a second event happened on December 2nd. The investigation could not find the culprit and concluded that there were no attacks on the control system. Many scientists started worrying about vulnerabilities in the SCADA systems used to control countries' critical infrastructure (Rashid 2012).

In the United States, eighty per cent of the power is generated by investor-owned public utilities, and according to the security firm Riptech, 70% of their clients had at least one major attack in the first six months of 2002, compared with 57% in the last six months of 2001 (Barnes et al. 2004). According to a report by the Center for Strategic and International Studies, in 2009 nearly half of the respondents confirmed that their systems had not been attacked by large-scale denial of service attacks or network infiltrations, but in 2010, 80 per cent faced large-scale denial of service attacks and 85 per cent experienced network infiltrations. In addition, a quarter of the interviewees reported daily or weekly large-scale denial of service attacks, and two-thirds reported (at least monthly) that malware designed for sabotage had been found on their systems (Baker et al. 2010). It is easy to recognize that cyber-attacks on SCADA systems are increasing day by day.

The owners of and researchers into SCADA systems are struggling to find answers to questions such as "How secure is our system?", "How secure does it need to be?" and "How can we improve security for SCADA systems?". Security metrics are tools that can help to provide possible answers to these questions. Security metrics are widely used in the information technology field. They provide a practical approach to measuring information security. Based on the collection, analysis and reporting of data in the systems, security metrics can evaluate the security level of the system and also support decision making and accountability (Payne 2006). However, IT security metrics cannot always be applied or implemented in SCADA systems, even where the technologies are the same. According to a research report from I3P, the information security community has developed some security metrics; a few of them can be applied directly and immediately to SCADA systems, but most cannot be used immediately in a SCADA system. To explain this difficulty, scientists have stated the differences between SCADA systems and traditional IT systems. A SCADA system has different risks and priorities. It pays more attention to risks to the health and safety of human lives and damage to the environment, while a typical IT system pays more attention to production loss and economic impact (Stouffer et al. 2008, I3P SCADA project). This does not mean that SCADA systems have no concerns about financial issues; it is only a difference of priority. In addition, the goals of safety and efficiency in a SCADA system can conflict with the operation of the control system because of differences in performance, availability and other requirements (Stouffer 2008 and I3P SCADA project).

1.2 Motivation

SCADA systems are used to control important infrastructure in the modern world, so losing security control of SCADA systems has huge impacts on human lives and the economy. Current trends in securing SCADA systems focus on developing new SCADA architectures, or technologies and methods, to adapt to the threats from cyber-attacks (Slay & Sitnikova 2009). Security metrics are good tools to identify whether a SCADA system is secure or not. However, security metrics are not easy to apply immediately to a SCADA system. This is the gap in applying security metrics to SCADA systems. There have been many efforts from owners and researchers to define useful metrics for SCADA systems (I3P SCADA Research Project 2003, Payne 2006, Krautsevich et al. 2010, and Wing & Manadhata 2004-2005-2007).

1.3 Research question

This research answers the question "How can the security of SCADA systems be measured?" As mentioned above, the use of security metrics in security fields is becoming more common and widespread, so the goal of this research is to explain how to use security metrics to identify the security level of SCADA systems.

1.4 Contribution

The results of this research will help extend the study of SCADA systems in the security area. It will provide a substantial literature review of security metrics in SCADA systems.
If the research is successful in providing an overall picture of the security of SCADA systems, including general knowledge of SCADA architecture, the challenges SCADA systems face from cyber-attacks, the needs and difficulties of using security metrics to identify the security level of a system, and some suggestions for developing and using metrics for SCADA systems, this will motivate further research and support the development of useful metrics, which are very limited in the public domain, for securing SCADA systems. This research gives a general picture of SCADA systems and security metrics for those who want basic information about the systems, and supports them in their further work. It also includes some technical metrics that are used in some SCADA systems. These metrics could be used in other studies to develop a new metric (or combination of metrics) for a specific SCADA system.

1.5 Chapter Review

This chapter has introduced the problems of modern SCADA systems, the basic ideas of security metrics, the difficulties of applying security metrics to SCADA systems, the thesis question and the research contributions. The next chapter provides details of SCADA systems, their characteristics and the reasons why security metrics for IT systems cannot be applied directly to SCADA systems.

Chapter 2. SCADA system

2.1 Definition of SCADA system

Supervisory Control and Data Acquisition (SCADA) systems are computer-based control systems used to monitor and control physical processes. These systems generally contain a set of networked devices such as controllers, sensors, actuators and communication devices. SCADA systems are designed to collect data, transfer it to a central computer facility, display the data to the operator and allow operators to monitor or control the entire system from one location in real time (Coates et al. 2010, Dos et al. 2008). SCADA systems are used in distribution systems such as electrical power grids, water distribution and wastewater collection systems, oil and natural gas pipelines and railway transportation systems (Slay and Miller 2006, Barnes et al. 2004, Cai et al. 2008).

In the past, these systems were designed for and worked in isolated environments. The control systems and devices communicated with each other in an isolated network, and sharing information with the outside was very rare (Chandia et al. 2007). So the systems' security functions were not a concern for owners or researchers. These days, the connections between SCADA systems and open networks are becoming complicated. The increasing number of control system components connected to the outside using Internet-based standards, and the integration of control networks into corporate networks in order to share data, raise a big question for owners, users and scientists about protecting SCADA networks from cyber-attacks (Coates et al. 2010). The demand for identifying whether these systems are secure or not, and for protecting them, is also increasing strongly.

2.2 SCADA System General Layout

In the general layout of a SCADA system there are three main parts: the Control Center, the Communication Link and the Field Sites. Figure 1 shows the general layout of a SCADA system (Kang et al. 2009, Stouffer et al. 2008).

Figure 1: SCADA system general layout (Stouffer et al. 2008)

The Control Center of a SCADA system includes the control server, data historian, human machine interface, engineering workstations and communication routers. A SCADA Control Server (normally called the Master Terminal Unit, MTU) monitors and controls the field sites over a long-distance communications network, including alarming, processing system status and reporting. Based on information from the field sites, the MTU processes data and helps to issue automatic commands, or gives suggestions to the operator, for the remote stations and control devices in the field sites (Kang et al. 2009, Stouffer et al. 2008).

The Human Machine Interface (HMI) allows operators to monitor the state of processes, to control or modify settings, and to control operations when the system is in an emergency situation. The HMI also provides process status and historical information. An HMI could be a workstation in the control center, a laptop on a wireless LAN or a browser on a system connected to the SCADA control server network (Kang et al. 2009, Stouffer 2008).

The Data Historian is used to store process data in the system. The data could be historical data collected from firewalls, system messages, intrusion detection system logs and traffic captures. This data can be used for analysis, study or reporting at different levels (Kang et al. 2009, Stouffer et al. 2008).

The Communication Router is used to transfer data between the control center and other parts of the SCADA system (Stouffer et al. 2008).

Communication links between the control site and the various field sites vary among implementations. SCADA devices can connect to one another in several ways, such as optical fiber, radio, telephone line, microwave, satellite or Ethernet (Kang et al. 2009, Stouffer et al. 2008, and Chikuni et al. 2007).

The tasks of a Field Site are performing and controlling the local process. A Remote Terminal Unit (RTU) is a special-purpose data acquisition and control unit used to support the operation of SCADA stations. Where wired connections are not possible, wireless radio interfaces are implemented in the RTU to support wireless connections (Kang et al. 2009, Stouffer et al. 2008). A Programmable Logic Controller (PLC) is a small industrial computer used to perform the logic functions of electrical hardware such as relays, switches and mechanical counters. In SCADA systems, PLCs are often used as field devices because they are economical, versatile, flexible and configurable (Kang et al. 2009, Stouffer et al. 2008).

An Intelligent Electronic Device (IED) is a smart sensor used to process data, communicate with other devices and perform local processing and control. An IED could combine an analog input sensor, analog output, low-level control capabilities, a communication system and program memory. The use of IEDs allows automatic control at the local process (Kang et al. 2009, Stouffer et al. 2008).

The general layout of a SCADA system has given a general picture of the SCADA components and their tasks. The next section introduces the modern architecture of SCADA systems, which is developed from the general layout.

2.3 Modern architecture of SCADA systems

Figure 2 shows an example implementation of a SCADA system. It still has a Control Center and three Field Sites, as mentioned in the previous section. The improvement in the modern architecture of SCADA systems is the opening of the system architecture and the use of open standards and protocols. There are several differences from the general layout of section 2.2. A Backup Control Center is installed to provide redundancy if the functions of the primary control center are lost, and a Regional Control Center is used for a higher level of supervisory control. One Field Site is located near the Control Center and uses the wide area network (WAN) to communicate. Employees on the corporate network can access all devices in the Control Centers through the WAN and access the Field Sites remotely for troubleshooting and maintenance. In this example, the connections between the Control Center and the other two Field Sites use radio frequency to communicate (Stouffer et al. 2008).

Figure 2: SCADA System Implementation Example (Stouffer et al. 2008)

Stouffer et al. (2008) also introduce an example SCADA system implementation in rail monitoring and control. Figure 3 shows that the Rail Monitoring and Control system has a control center and three sections of a rail system.
The SCADA system collects and processes information from the rail sections, including the status of the trains, signal systems, traction electrification and ticket vending machines. This information is also transferred to the operation consoles at the HMI station inside the rail control center. The SCADA system monitors operator inputs at the rail control center and gives high-level commands to the rail section components (Stouffer et al. 2008).

Figure 3: SCADA System Implementation Example (Rail Monitoring and Controlling) (Stouffer et al. 2008)

The modern architecture of SCADA systems still keeps the basic idea of the general layout, with some improvements to adapt to the specific situations of SCADA systems in the real world.

2.4 How a SCADA system can be attacked?

This section provides information on possible threats to SCADA systems, analyses potential attacks and describes some well-known attacks from approximately the last 20 years.

2.4.1 Possible threats on SCADA system

In 2005, the Government Accountability Office in the United States analysed data from the Federal Bureau of Investigation, the Central Intelligence Agency and the Software Engineering Institute's CERT Coordination Center to identify 9 emerging cyber security threats to industrial control systems (including SCADA). In 2008, Stouffer added industrial spies, for a total of 10 emerging cyber security threats. In this thesis, the possible threats to SCADA systems are consolidated into 6 major kinds of threat, which are listed in Table 1.

Foreign intelligence services: Other countries use cyber tools to attack the critical infrastructure of a target country. This could include warfare doctrines, programs and capabilities. The consequences are impacts on the supply, communications and economic infrastructure, which could have negative effects on human lives and the environment.

Insiders: Insiders do not need great knowledge about computer intrusions, but their experience from using the system often allows them to gain access and damage the system or steal data. Insiders might be employees, contractors or business partners. Insiders could make one of the highest impacts on a SCADA system.

Phishers, spammers and spyware/malware authors: The culprit could be an individual or a small group who attack a system to gain money or steal information, or who send unsolicited email with false information to sell products, spread spyware/malware or attack targets directly. This threat is based on spreading a virus or worm to the target's system and could harm data, hard drives etc. Some well-known worms and viruses are Zotob, Slammer (Sapphire) and Blaster.

Terrorists: This kind of threat tries to cause as much damage as possible to a country's critical infrastructure in order to threaten national security. The methods could be viruses, worms, denial of service etc.

Criminal groups: Criminal groups attack systems to gain money. Their higher priority is money, not damage as with terrorists.

Hackers: Attackers break into networks to prove themselves in the community or to conquer a challenge (the target system). Another kind of hacker is the bot-network operator. They take over multiple systems to coordinate attacks and spread phishing schemes, spam and malware. Attackers can now easily download attack scripts and protocols from the Internet and choose a system as a target. While the tools used for attack have become more complicated, they have also become easier to use.

Table 1: Possible threats on SCADA system (edited from GAO 2005 and Stouffer et al. 2008)

The first part of this section presented the results of analysing data in the United States by the Government Accountability Office. Another point of view is to look for common threats by analysing the architecture of the SCADA system. Kang et al. (2009) state common threats to SCADA systems based on an analysis of weaknesses in the SCADA architecture. The authors divide attacks on SCADA systems into 3 main categories: attacks upon the power system, attacks by the power system and attacks through the power system. In the first category, the target of the attack is the infrastructure itself; the goal of the attack could be a single component such as a critical substation or transmission tower. The target in the second category is the people who are using the infrastructure, and the target in the last category is individual infrastructure such as lines, pipes, cables and tunnels.

Figure 4: Attacks map into SCADA systems (Kang et al. 2009)

Figure 4 shows that there are about 32 types of security threat to SCADA networks. These threats are listed in Table 2. These are common security threats on SCADA systems, and they can be combined into one threat. However, there are more threats in the real world, and they are very complicated to analyse as well as to understand.

1. Authorization violation
2. Bombs
3. Browsing
4. Bypassing controls
5. Data modifications
6. Denial of service
7. Eavesdropping
8. Illegitimate use
9. Information leakage
10. Intercept/alter
11. Inference (database query analysis)
12. Masquerade
13. Physical intrusion
14. Replay
15. Repudiation
16. Resource exhaustion
17. Sabotage
18. Scavenging
19. Spying
20. Service spoofing
21. Sniffers
22. Substitution
23. Terrorism
24. Theft
25. Traffic analysis
26. Trap door
27. Trojan horse
28. Tunneling
29. Unauthorized access (violations of permission)
30. Unauthorized access (piggybacking)
31. Virus
32. Worm

Table 2: Common SCADA security threats (Kang et al. 2009)

The improvements in modern SCADA systems create a big hole for many vulnerabilities and possible attacks. An attack could be carried out from the corporate network, a virtual private network, a wireless network, a dial-up modem or the local network.
Possible attacks on a SCADA system can be separated into: backdoors and holes in the network perimeter, vulnerabilities in common protocols, database attacks, communications hijacking, attacks on field devices and "man in the middle" attacks (Stouffer et al. 2008 and Kuipers and Fabro 2006). Although the methods used to identify possible attacks on SCADA systems differ, they share the same point: attacks exploit the weaknesses of the SCADA system, as well as the consequences of the need to extend SCADA systems to other networks. The next section introduces famous attacks on SCADA systems and also points out the target of each attack.

2.4.2 Well-known attacks on SCADA system

In March 1997, a teenager in Worcester, Massachusetts, using a dial-up connection to the Worcester air traffic control system, broke into the system and disabled part of the public switched telephone network. As a consequence, phone services at the control tower, airport security, the airport fire department, the weather service and carriers stopped. The attack also blocked phone services to 600 homes and businesses in the nearby town of Rutland (CNN 1998).

In June 1999, because of the poor performance of the SCADA system controlling a gasoline pipeline, 237,000 gallons of gasoline from a 16-inch pipeline flowed through Whatcom Falls Park in Bellingham, Washington. The gasoline ignited and burned along a 1.5-mile length, causing 3 deaths and 8 injuries. The total economic loss was $45 million. According to the investigation by the National Transportation Safety Board, one of the five reasons for the accident was that the Olympic Pipe Line Company used the SCADA system for database development work at a time when the system needed to be monitoring the pipeline. This made the system unavailable to control the pipeline during the critical event (National Transportation Safety Board 1999).
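As an added illustration of how a defender can detect the "communications hijacking" and "attacks on field devices" categories listed above, the following Python example (written for this edition; it is not code from the thesis, from Stouffer et al. or from Kuipers and Fabro) correlates the actuation events reported by field sites with the commands the control server actually issued. Every actuation is expected to follow an issued command for the same station, device and action within a short window and to originate from a known MTU address; anything else is flagged. The station names, addresses, time window and log lines are constructed for the example.

```python
"""Correlate field-site actuations with control-centre commands.

Constructed example: each actuation reported by a field site (RTU/PLC) must
match a command issued by the control server (MTU) shortly beforehand and must
arrive from a known MTU address. Actuations without such a match are flagged
as possible spoofed controller traffic. All station names, addresses and log
lines below are invented for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical addresses of the legitimate control servers (primary and backup MTU).
AUTHORISED_MTUS = {"10.0.1.10", "10.0.1.11"}
# How long after an issued command a matching actuation is still accepted.
MATCH_WINDOW = timedelta(seconds=30)

# Constructed control-centre command log: time, station, device, action, operator.
COMMAND_LOG = """\
2000-01-10T02:00:05 PS-07 VALVE-2 OPEN  op.smith
2000-01-10T02:14:30 PS-07 VALVE-2 CLOSE op.smith
2000-01-10T03:05:12 PS-12 PUMP-1  START op.jones
"""

# Constructed field-site event log: time, station, device, action, source address.
FIELD_LOG = """\
2000-01-10T02:00:07 PS-07 VALVE-2 OPEN  10.0.1.10
2000-01-10T02:14:31 PS-07 VALVE-2 CLOSE 10.0.1.10
2000-01-10T02:41:09 PS-07 VALVE-2 OPEN  10.0.1.10
2000-01-10T03:05:13 PS-12 PUMP-1  START 10.0.1.11
2000-01-10T03:22:48 PS-12 PUMP-1  STOP  192.168.77.5
"""


@dataclass(frozen=True)
class Event:
    time: datetime
    station: str
    device: str
    action: str
    issuer: str  # operator id for commands, source address for actuations


def parse_log(text):
    """Parse whitespace-separated log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, station, device, action, issuer = line.split()
        events.append(Event(datetime.fromisoformat(ts), station, device, action, issuer))
    return events


def find_unmatched_actuations(command_log, field_log, window=MATCH_WINDOW):
    """Return (actuation, reason) pairs for actuations not backed by an issued command."""
    commands = parse_log(command_log)
    alerts = []
    for act in parse_log(field_log):
        # An actuation from an address that is not a control server is suspect on its own.
        if act.issuer not in AUTHORISED_MTUS:
            alerts.append((act, "source %s is not an authorised MTU" % act.issuer))
            continue
        # Otherwise require an issued command for the same target within the window.
        matched = any(
            c.station == act.station and c.device == act.device and c.action == act.action
            and timedelta(0) <= act.time - c.time <= window
            for c in commands
        )
        if not matched:
            alerts.append((act, "no control-centre command within %ds" % window.total_seconds()))
    return alerts


def alerts_by_station(alerts):
    """Count flagged actuations per station, a simple per-site indicator."""
    counts = {}
    for act, _ in alerts:
        counts[act.station] = counts.get(act.station, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unmatched_actuations(COMMAND_LOG, FIELD_LOG)
    for act, reason in flagged:
        print(act.time.isoformat(), act.station, act.device, act.action, "->", reason)
    print(alerts_by_station(flagged))
```

On the constructed logs the check flags two events: the 02:41:09 valve opening at PS-07, which no operator issued, and the 03:22:48 pump stop at PS-12, which came from an address that is not a control server. The correlation depends on the control centre keeping its own command log and on field devices reporting the source of each command, both of which the historian described in section 2.2 is placed to record.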
Slay and Miller (2007) describe the best-known attack on a SCADA system: the attack on the Maroochy Shire Council's sewage control system in Queensland, Australia, in January 2000. After a contractor had finished installing the control system for the sewage plant, the system began to misbehave: pumps failed to start or stop when required, alarms failed, and communications between the control centre and the pumping stations were lost. At first the managers assumed there was a leak in the pipes and that the valves were opening without being commanded; it took several months to discover that the valves were being activated by spoofed controller messages. The culprit was a former employee of the contractor that had installed the control system. The consequences were the flooding of nearby hotels, a park and a river with approximately 264,000 gallons of raw sewage. The police investigation found that this kind of attack is hard to detect because the response to it was slow, and that the culprit had carried out 46 documented attacks (Slay and Miller 2007).

In January 2003 the Nuclear Regulatory Commission reported that the Microsoft SQL Server worm known as Slammer or Sapphire had disabled a safety monitoring system for about five hours at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio; the plant's process computer took about six hours to become available again. The investigation showed that the worm entered the plant through an unsecured network connection. Slammer exploited a buffer overflow in computers running Microsoft SQL Server or Microsoft Data Engine, and the population of infected hosts doubled roughly every 8.5 seconds (Poulsen 2003).

On August 14th 2003 parts of the Midwest and Northeast United States and Ontario, Canada, suffered an electric power blackout. The investigation found that the causes included the failure of the alarm processor in the SCADA system and incomplete information on topology changes.
It affected 50 million people in eight US states and the province of Ontario. Restoration took four days in the United States and more than a week in Ontario, and the total economic loss was estimated at between $4 billion and $10 billion (NERC 2004).

In August 2003 the Sobig virus spread as an email attachment; when opened it sent itself to the addresses in the victim's address book. The virus opened a backdoor that let attackers control the victim's computer without detection, and spammers used the backdoor to upload applications that sent spam continuously. Sobig infected the computer systems at CSX Corp.'s Jacksonville, Florida, headquarters, shutting down signalling, dispatching and other systems; short-distance trains between Richmond, Virginia, Washington and New York were delayed for more than two hours and long-distance trains by about five hours (Niland 2003).

In August 2005 a worm named Zotob, which exploited a buffer overflow in the Microsoft Windows Plug and Play service, crashed systems at thirteen of DaimlerChrysler's automobile manufacturing plants and took them offline for about an hour; plants in Illinois, Indiana, Wisconsin, Ohio, Delaware and Michigan were shut down. Zotob slows the infected computer and makes it crash and reboot repeatedly, opens a backdoor control channel through which attackers can control the machine, and blocks access to antivirus websites by modifying the operating system's hosts file (Robert 2005).

In March 2008 the Hatch Nuclear Power Plant in Georgia suffered an emergency shutdown triggered by a software update on the plant's business network. The business network and the SCADA system communicated in both directions, and the update synchronized data between the two systems.
After the reboot the SCADA safety system found data missing, raised an alarm that the water level in the cooling system had dropped, automatically shut the plant down and started the emergency plan. The manager had not recognized that the update on the business network would synchronize data between the two networks, and that was the cause of the incident; recovering from the mistake cost millions of dollars (Krebs 2008).

Stuxnet is a computer worm discovered in June 2010 and classified in July 2010. It exploits vulnerabilities in Microsoft Windows to spread copies of itself through networks and removable drives. It installs server and client components to create a backdoor to any client it can reach, and it connects to a remote server to test Internet connectivity and to send and receive commands from its operators. The primary goal of Stuxnet is to gain control of industrial facilities, including SCADA systems. If it finds such software on an infected computer it can steal code and design projects from it, and it can upload its own code to the Programmable Logic Controller (PLC), a component of the SCADA system, where that code is hard to find. According to Symantec's records, about 60 per cent of Stuxnet infections were in Iran; the rest were in countries such as Indonesia, India and the United States (Symantec 2010).

2.5 Discussion

This section discusses the differences between SCADA systems and IT systems, so that the reader can understand why security techniques, including security metrics, cannot be applied directly to SCADA systems. As mentioned earlier, SCADA systems give a higher priority to risks to human health and safety than to financial issues, and some health and safety goals conflict with the design of security in the system.
In general, the most significant difference between SCADA and IT systems is the high availability requirement of monitoring and control operations. For SCADA systems the priority of the security goals, from highest to lowest, is availability, integrity and confidentiality, whereas for IT systems it is confidentiality, integrity and availability. Stouffer et al. (2008) list 13 considerations when analysing the security of industrial control systems, including SCADA:

Performance requirements: an IT system is not a real-time system; it requires high throughput and consistent responses and can accept some delay and jitter. A SCADA system is a real-time system that requires time-critical responses and modest throughput and cannot accept high delay or jitter.

Availability requirements: a SCADA system normally runs 24 hours a day, 7 days a week, and must ensure high availability for processing. Unexpected outages are not acceptable and expected outages must be planned and scheduled. Many SCADA systems cannot easily be stopped and restarted without harming production, so practices that are routine on IT systems, such as rebooting a component, port scanning or service fingerprinting, are not acceptable on a SCADA system.

Risk management requirements: the higher-priority concerns in an IT system are data confidentiality and integrity, while in SCADA they are human and environmental safety and fault tolerance. Security staff for SCADA systems must understand the link between security and safety, which other systems do not have.

Architecture security focus: in an IT system the primary focus is protecting information, which is normally stored centrally in the main office and is therefore comparatively convenient to protect. A SCADA system must protect information not only in the control centre but also in the end stations (PLCs, IEDs and RTUs).
Physical interaction: a typical IT system has no physical interaction with its environment, while a SCADA system interacts in complex ways with physical processes and their consequences. Every security function must be shown not to conflict with the operation of the system.

Time-critical response: in a SCADA system the information flow must not be interrupted while access control is enforced, and the response time to human interaction is critical; in an IT system, access control can be implemented without regard to information flow.

System operation: replacement hardware and software are easy to find for a typical IT system, while a SCADA system uses specialised hardware and software and is therefore difficult to upgrade.

Resource constraints: a SCADA system is designed to support the industrial process and may not have spare resources or capabilities for security functions. Adding new security functions may also conflict with the system vendor's licence and service agreements. An IT system, by contrast, is specified to have enough resources to support third-party security applications.

Communications: a SCADA system uses specialised protocols such as Modbus/TCP, EtherNet/IP and DNP3 between the control centre and the field sites, while an IT system uses standard communication protocols.

Change management: upgrading software is a main requirement for both IT and SCADA systems, to prevent exploitation of software vulnerabilities. On IT systems, updates are applied in a timely fashion according to security policy and procedures, usually automatically. On SCADA systems, updates must first be tested by the system vendor and can only be installed during planned outages.

Managed support: a typical IT system allows support from many different vendors, while a SCADA system is usually supported by a single vendor.
Component lifetime: a typical IT component has a lifetime of 3 to 5 years because technology improves quickly, while SCADA components last 15 to 20 years owing to their special design and their hardware and software requirements.

Access to components: typical IT components are easy to access, while SCADA components are isolated and reaching them requires physical effort.

To conclude, the specialised design of SCADA systems (hardware, software and communication protocols) and their high availability requirements make it difficult to apply security solutions from typical IT systems to SCADA systems.

2.6 Chapter Review

This chapter gave a general picture of SCADA systems: their architecture, improvements in modern systems, weaknesses, and the differences between SCADA and typical IT systems. The reader can thus understand that, although SCADA security has become a serious concern, there is still a gap in applying typical IT solutions to SCADA. The next chapter presents one solution, security metrics, and analyses its effects in SCADA systems.

Chapter 3. Security metrics

The term "metrics" describes a broad category of tools used to evaluate data in many organizations, and industry has used metrics for many years. The simplest form of a metric is a measurement compared against a scale or benchmark to produce a result (I3P report 2005). For example, if a system has 100 computers and 98 of them have completed a software update, then 2 per cent of the computers have not. This measurement becomes a security metric when it is compared with the system's benchmark: if the security goal is "no more than 1% of computers have not completed the software update", the measurement shows that the goal is not met.
The difference between measurements and metrics is that a measurement provides a single point-in-time view of one sector or dimension of a system, while a metric compares the results of measurements against a pre-identified baseline. Measurements are made by counting; metrics are created by comparing and analysing (Jansen 2009). A rich set of security metrics for IT systems has been developed over about 40 years, but security metrics for SCADA systems are not widely available, because of the special environment in which SCADA systems operate. There have been many efforts to adapt security metrics from IT systems to SCADA systems, but few SCADA security metrics have been published in the security community. This chapter gives a short definition of a security metric, its categories, the challenges of applying a security metric in a SCADA system, how to put a security metric into a SCADA system, and some existing security metrics.

3.1 Definition of security metric

At a high level, security metrics are quantifiable measurements of a security aspect of a system. They may include tools designed to support automated decision making, improve performance, and evaluate the system and its accountability through the collection, analysis and reporting of relevant data (Jansen 2009). A measurement quickly identifies an aspect of a system or process; it may take the form of a number, a trend line, a relative position and so on. Measurements by themselves normally have little meaning, but when they are compared with benchmarks the result becomes meaningful, and that is a metric. Benchmarks provide the frame of reference for comparing measurements; they may be industry standards, past performance, corporate security goals, expected performance or peer averages.
A metric that concerns the security aspects of a system is called a security metric (Jansen 2009; Glantz et al. 2003; I3P report 2005; I3P SCADA project).

3.2 Challenges and opportunities for security metrics in SCADA systems

The current trend in improving SCADA security is to develop new SCADA architectures that can cope with cyber-attacks (Fernandez and Larrondo-Petrie 2010; Yakkali and Subramanian 2010). Most existing SCADA systems were designed long ago to work in isolated environments and therefore provide no security functions. Developing and building a new SCADA system, however, costs the owners (organizations, individuals or governments) a great deal of money, so a new SCADA architecture is mainly useful when an entirely new system is being built. The question then is what can be done for the old SCADA systems. Researchers began finding and fixing vulnerabilities in old systems, but as new devices and technologies are added to SCADA systems to improve the effectiveness and efficiency of the processes, it becomes ever more complicated to fix every hole. One big obstacle to applying security solutions in a SCADA system is that any new solution must be tested carefully before it is deployed, because SCADA systems demand very high accountability and any small mistake or hole in a new security solution can have a huge impact (Kang et al. 2009; Stouffer et al. 2008; I3P report 2005). Simply reusing IT security solutions in SCADA systems has not given researchers good results, because of the differences between the two kinds of system and the special nature of SCADA itself. A well-known example is password policy in IT and SCADA systems.
In an IT system, users are always encouraged to use passwords that are as complex as possible to resist password attacks. In a SCADA system, however, if staff must use very complex passwords to log in, then when a critical event happens the complex password can confuse them at the very moment they need to be logged in as quickly as possible to make an effective decision (Stouffer et al. 2008; I3P report 2005). Researchers therefore turned to security metrics, which are used widely in IT systems. At first they tried to apply security metrics developed for IT systems to SCADA systems; some metrics could be applied directly, but most could not, because of the differences between the two kinds of system and the link between security and safety in SCADA. The development of new security metrics for SCADA systems then began. This approach also answers the research question "How can the security of a SCADA system be measured?" Once the security of a SCADA system can be measured, the question "Is this SCADA system secure or not?" can be answered, and from that point the security community can prevent or reduce the risks in SCADA systems. One major effort by the security community to develop security metrics for SCADA systems was the I3P Process Control System (PCS) project, which covers SCADA, in 2003, followed more recently by the I3P SCADA project.
In 2003, with the support of 10 institutions and the National Institute of Standards and Technology, the I3P PCS research project was organized into six major tasks distributed among the 10 institutions:

Task 1: Assess dependence on PCS and its security
Task 2: Account for the type and magnitude of PCS interdependencies
Task 3: Develop metrics for the assessment and management of PCS security
Task 4: Develop tools and technologies to enable inherently secure PCS
Task 5: Develop cross-domain solutions for information sharing
Task 6: Transfer these solutions into industry

Task 3 was to develop metrics for securing PCS, but its results were very limited: it did not produce specific security metrics for PCS (including SCADA), but it did provide recommendations for developing a security metric and a categorization of security metrics for PCS that applies to SCADA systems as well.

3.3 Categories of security metrics

Security metrics for SCADA systems can be categorized into three broad classes: organizational metrics, operational metrics and technical metrics (ACSA 2001; I3P report 2005). The I3P project identified three sets of SCADA stakeholders: industry (operators and users of systems), vendors (system developers, system integrators and IT security service providers) and government (I3P report 2005).

Figure 5: Metric categorization identified at the Workshop on Information Security System Rating and Ranking (ACSA 2001)

3.3.1 Organizational metrics

Organizational metrics evaluate the effectiveness of organizational programs and processes. They can be used to assess the adequacy of the organization's standards, policies and procedures for improving security, and they support decisions about the use of the organization's resources.
Such decisions cover investment in architectures or technologies, security program processes, and the division of resources between security program components and activities. This kind of metric answers questions about standards, policies or procedures, such as "Does the organization use any security standards?" and "Is there a security policy for the SCADA system and its components?" Organizational security metrics can be divided into security program metrics and security process metrics. They are most relevant to industry and vendors; they are normally used to mandate performance or reporting and are closely tied to standards of good practice. An example of an organizational metric is whether the percentage of staff who have completed a security training course reaches the security program's awareness and training goal; the metric could be stated as "the percentage of staff who have completed the security training course must exceed 98 per cent". SCADA operators should use such metrics as indicators of progress toward the organization's security goals (I3P report 2005). These three broad categories of security metric are accepted by the SCADA security community, and combinations of the three can provide metrics suited to a specific situation.

3.3.2 Operational metrics

Operational metrics evaluate and manage risks to the operational environment of the system. Most metrics of risk, or of its components, are operational metrics: metrics that describe the threat environment, metrics used in risk management, metrics that support incident response, and so on. Operational metrics can be used to assess an organization's security posture or to indicate changes in system processes that would improve risk management.
One advantage of this kind of metric is that operational data from the SCADA system is already being collected and can be analysed to produce operational security metrics. Operational metrics can also assess how effectively the organization's policies and procedures reach the responsible staff. They can be defined from the answers to questions such as "Are cyber security inspections of the SCADA system carried out by staff who have completed a cyber security training course?", "Does the certified training course meet industry standards?" and "Are the results of each inspection reported and stored in a database?" (I3P report 2005).

3.3.3 Technical metrics

Technical security metrics evaluate and compare technical objects such as algorithms, specifications, architectures and designs. They can help an organization select the products best suited to its security goals; for example, the organization can use technical metrics to identify the required or desired characteristics of a SCADA system or its products. Technical metrics can also assess the adequacy of the security protecting each component of the SCADA system. Metrics of this kind are normally computed every day to keep the system secure, and they are driven by questions such as "How many attacks on the system per day, week or month?" and "How many successful accesses to the system per day, week or month, and is any rise in the number of accesses a cause for concern?" (I3P report 2005).

3.4 Recommendations for developing security metrics

The report of the I3P SCADA security workshop (2005) could not provide specific security metrics for SCADA systems, but the sponsors and researchers agreed on five major recommendations for developing a security metric for a SCADA system.

Two approaches should be used to develop security metrics: bottom-up and top-down.
The bottom-up approach first identifies the objective of the system, then finds a suitable metric for that objective, and from the metric determines the measurement (Payne 2001; I3P report 2005). For example, the objective could be "reduce the number of virus infections within the company by 30% compared with 2011"; the metric could then be "the current ratio of virus alerts to actual infections compared with the 2011 baseline", and the measurement "the number of virus alerts issued to the organization per month or year". The top-down approach runs in the opposite direction: choose the measurement, then identify the metric and finally the objective. For example, the measurement could be "average number of high-severity vulnerabilities detected per server using the Symantec scanning tool", the metric "the change in the number of critical vulnerabilities detected on servers since the last report", and the objective "reduce the level of detectable vulnerabilities on servers within the company" (Payne 2001; I3P report 2005).

Security metrics for evaluating SCADA products, topologies, protocols and designs are more attractive to industry; they can be applied to new and existing systems and could take the form of a consumer-report metric or a product-design metric (Payne 2001; I3P report 2005).

Return-on-investment metrics evaluate products, security policies and security performance. Their advantage is that they take a form well understood by managers and can be applied directly to bottom-line decisions (Payne 2001; I3P report 2005).

Developing new security metrics on the basis of existing security research and standards benefits both researchers and industry; one specific recommendation was ISO 17799, Code of Practice for Information Security Management (ISO 2002).

Most importantly, a security metric should be developed for a real-time monitoring system.
Operators do not have time to review all network traffic and access patterns manually while the process is running; a metric can alert the operator and present the state of the system in an easily understood form (Payne 2001; I3P report 2005).

These recommendations set out the important points to consider when developing a security metric for a SCADA system and help developers focus on the right directions when working with SCADA.

3.4.1 The relationship between security metrics and risk analysis

Security metrics are built to evaluate the security state of a system; they also support automated decisions or give suggestions to operators. Many of the decisions supported by security metrics are risk management decisions. Security risk metrics can be among the most difficult to determine because they depend on subjective factors such as the capabilities of adversaries and the political or financial consequences of a threat (I3P report 2005; Jansen 2009; I3P SCADA project).

3.4.2 Framework for metric development and evaluation

One way to develop and evaluate security metrics is to build a framework for the SCADA system. Figure 6 is an example of a framework for metric development (Glantz et al. 2003). The framework starts by identifying the target audience, since different audiences need different metrics: different roles in an organization, such as managers, engineers and operators, or different organizations in a sector, such as oil and gas corporations, policy makers, regulatory agencies, vendors and consultants. The next step is to identify the metric objectives for each audience. The measurable attributes can cover risk (threats, vulnerabilities and consequences), engineering (technical measurements supporting design and configuration), value (costs and benefits), assurance (confidence) and performance.
From the measurable attributes and the metric objectives, the framework compares the measurements with the system's benchmarks and produces results, normally visualised for easy analysis. The output of the framework supports decision making and the analysis of the security level of the SCADA system (Glantz et al. 2003).

Figure 6: Framework for metric development (Glantz et al. 2003)

Another example is a security framework that uses data mining techniques to build models for prediction or for filtering data (Nhan 2012). The framework for SCADA systems in Figure 7 uses data mining techniques, historical data and security metrics to filter historical data, predict future events, support security assessment, identify the state of the system, and report or alarm to managers when necessary (Nhan 2012).

Figure 7: Security framework for SCADA systems (Nhan 2012)

These two frameworks show how security metrics can be implemented and used in a SCADA system. The next chapter also draws on the seven dimensions that represent seven important aspects of cyber security in control systems, including SCADA (Department of Homeland Security 2009).

3.5 Chapter Review

This chapter gave a general picture of security metrics in both IT and SCADA systems, identified the areas on which developers of SCADA security metrics need to concentrate, and explained how security metrics can be used in a SCADA system through a framework. The next chapter focuses on the research question: security metrics are the means of measuring the security of a SCADA system, and the questions "what are they?" and "what do they look like?" are answered there.

Chapter 4. Security metrics in SCADA systems

This chapter presents some existing security metrics that can be applied to SCADA systems.
4.1 Number of attacks

This metric is based on the number of attacks the system can identify: count how many attacks there are on the existing system. It is the most common starting point for building a security metric, and a system with a higher number of attacks is taken to be less secure than one with fewer. The idea was developed and used by Jansen (2009), Ortalo et al. (1999) and Pamula et al. (2006). The original version counted the number of bugs found in system A and in system B in order to decide whether A is "more secure" than B. Krautsevich et al. (2010) define the metric in terms of attacks: system A is more secure than system B if the number of attacks on A is smaller than the number of attacks on B. In SCADA, however, the purpose of a security metric is to decide whether a single system is secure, so the metric is applied by fixing a reference point for the system in advance. For example, the benchmark could be the number of attacks counted in week 20, a week in which the system was known to be secure. Then, for each later week N, once the attacks have been counted the metric reads: "if the number of attacks on the system in week N is no greater than the number in week 20, the system is secure; if it is greater, the system is not secure". The same rule can be applied per month or per year, depending on the security requirements of the system, and the week-20 count serves as the security goal of the system.

4.2 Probability of attack

The probability of completing an attack successfully is a well-known metric; it states how likely it is that an attacker is able to reach the final target. Krautsevich et al. (2010) observe that, to reach the final goal, the attacker must complete a number of steps.
For the attack to succeed, every step it requires must succeed. The authors define the maximal probability of an attack as the product of the probabilities of each step in the attack. The idea comes from IT security metrics but can be applied directly to SCADA systems and is useful for industry. For example, if attack A requires n steps a1 to an, the maximal probability of attack A is Pa = P(a1) x P(a2) x ... x P(an). The benchmark for attack A is P(xa). If Pa is greater than P(xa) the system is not secure; if Pa is no greater than P(xa) the system is secure. The metric is applied to each attack separately.

4.3 Shortest length of attack

The idea of this metric is that the fewer steps an attacker has to take, the easier it is to reach the target and the less secure the system is. According to Ortalo et al. (1999) and Krautsevich et al. (2010), the SCADA system can be modelled as nodes representing the privileges a possible attacker may hold, with paths leading from those nodes to the final nodes, the targets whose compromise is a security breach. The longer the path and the more intermediate nodes it has, the more time and effort the attacker must spend. For each component of the SCADA system the shortest path from the attacker can be evaluated, and depending on that measurement a value SL can be set for each component or device. For example, let SLa be the number of nodes (steps) needed to reach device A in the model. The operators analyse the logs of critical events and find that attackers needed SLa' steps to attack device A. If SLa' is smaller than SLa, the SCADA system is not secure; otherwise it is.

4.4 Attack surface metric

This metric was proposed by Manadhata and Wing (2004, 2005, 2007).
The idea of this metric is that a system with a bigger “surface” is easier to attack than a system with a smaller “surface”, so the system with the smaller “surface” is more secure than the bigger one. There are two challenges in using this metric in a SCADA system: the first is to define the surface of a system, the second is how to define a safe surface for a system. A system whose surface is smaller than the safe surface is secured; otherwise it is not secured. The authors consider three dimensions of an attack surface: targets, channels and access rights. They state that the more targets, the more channels or the more generous the access rights, the larger the attack surface. This security metric covers a large area of a SCADA system. Assume that the attack surface metric is a combination of security metrics in the SCADA system. Each component metric is used to evaluate one dimension or aspect of the system, so the more secured aspects there are, the more secured the system is. The measurement could be the percentage of secured aspects out of the total number of aspects. The ideal value for this metric is 100%; however, an acceptable value, AS, could be set instead. If the percentage of secured aspects is more than AS, the system is secured, and conversely.

4.5 Rogue change days

A rogue change is any change to the system configuration made without sending any alarm or notification to the security staff. Rogue change days are equal to the number of rogue changes multiplied by the number of days the security staff took to recognise the changes. For example, if three laptops were added to the SCADA system without the knowledge of the security staff and they did not discover this change for 7 days, the value of rogue change days is 3 multiplied by 7, which gives 21 rogue change days. The ideal value of this security metric is zero. Any change in the SCADA system needs to be reported to the responsible staff (Department of Homeland Security 2009).
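The shortest length of attacks (4.3) and the maximal probability of attack (4.2) are both computed over the same set of attack paths, so the following added example (my own code, not from the thesis or from Krautsevich et al.) computes both metrics over one constructed attack graph of a small SCADA network; the node names, the per-step probabilities and the benchmark SLa = 4 are assumed sample values.

```python
# Added example for sections 4.2 and 4.3 (not from the thesis).
# Nodes are attacker footholds in a constructed SCADA network; each edge is one
# attacker action a_i with an assumed probability of success P(a_i).
ATTACK_GRAPH = {
    "internet":    [("corp_lan", 0.6)],
    "corp_lan":    [("historian", 0.5), ("vpn_gateway", 0.3)],
    "vpn_gateway": [("control_lan", 0.7)],
    "historian":   [("control_lan", 0.4)],
    "control_lan": [("hmi", 0.8), ("plc", 0.5)],
    "hmi":         [("plc", 0.9)],
    "plc":         [],
}

def attack_paths(graph, source, target):
    """Enumerate every simple path from source to target with its step probabilities."""
    found = []

    def walk(node, path, probs):
        if node == target:
            found.append((path, probs))
            return
        for nxt, p in graph.get(node, []):
            if nxt not in path:  # simple paths only: never revisit a node
                walk(nxt, path + [nxt], probs + [p])

    walk(source, [source], [])
    return found

def shortest_length(graph, source, target):
    """Section 4.3: SL is the fewest attacker steps (edges) from source to target."""
    paths = attack_paths(graph, source, target)
    return min(len(path) - 1 for path, _ in paths) if paths else None

def max_attack_probability(graph, source, target):
    """Section 4.2: Pa = max over paths of P(a1) * P(a2) * ... * P(an)."""
    best = 0.0
    for _, probs in attack_paths(graph, source, target):
        pa = 1.0
        for p in probs:
            pa *= p
        best = max(best, pa)
    return best

def secured_by_length(graph, source, target, sl_benchmark):
    """Section 4.3 rule: a measured SLa' smaller than the benchmark SLa means not secured."""
    sl = shortest_length(graph, source, target)
    if sl is None:       # no path at all: the target is unreachable, so secured
        return True
    return sl >= sl_benchmark

if __name__ == "__main__":
    print("SL(plc) =", shortest_length(ATTACK_GRAPH, "internet", "plc"),
          "steps, Pa(plc) = %.5f" % max_attack_probability(ATTACK_GRAPH, "internet", "plc"))
    print("secured by length:", secured_by_length(ATTACK_GRAPH, "internet", "plc", 4))
```

On this graph the shortest path to the PLC has 4 steps, yet the most probable path is a 5-step one through the HMI, which shows why the thesis keeps length and probability as separate metrics.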
4.6 Security evaluation deficiency count

The security evaluation deficiency count is the number of devices in the system which are not covered by security protection and evaluation. The measurement of this metric counts how many devices in the system are not evaluated by a security program. The ideal value of this metric is zero (Department of Homeland Security 2009).

4.7 Data transmission exposure

To reduce the impact of hackers on data transmission in a SCADA system, all data transferred into or out of the system needs to be encrypted. The measurement is the number of transmission channels used by the SCADA system that do not have any encryption. For example, if Telnet is used to transfer data between the SCADA system and the Internet, the value of this metric is increased by one, because Telnet does not use encryption while transferring data. The ideal value of this metric is zero (Department of Homeland Security 2009).

4.8 Known vulnerability days

The known vulnerability days metric is calculated as the total number of known and unpatched vulnerabilities multiplied by their exposure days. The value of this metric increases every day, and the discovery of previously unknown vulnerabilities increases it as well. For example, if there are 5 unpatched vulnerabilities and these vulnerabilities were discovered 15 days ago, the value of the measurement is 5 multiplied by 15, which gives 75 known vulnerability days. The ideal value of this metric is also zero (Department of Homeland Security 2009).

4.9 Password crack time

The password crack time is the shortest time needed to crack a single password of any account on the system. The measurement of this metric is the minimum amount of time attackers need to crack a password successfully. It helps to identify the best lifetime for passwords on the system. For example, if the times needed to crack the passwords are 7 days, 9 days and 16 days, the password crack time is the shortest of them, 7 days.
The ideal value of this metric is infinity (Department of Homeland Security 2009).

4.10 Detection mechanism deficiency count

The detection mechanism deficiency count metric is the number of computers or devices in the system which do not have antivirus programs or any kind of malware detection or attack detection mechanism. For example, if 140 out of 150 computers have antivirus programs installed and the antivirus software is up to date, then 10 computers do not have any detection mechanism. The value of the measurement of this metric is 10. The ideal value of this metric is zero (Department of Homeland Security 2009).

4.11 Restoration time

The restoration time metric is calculated as the amount of time needed to restore all devices of a SCADA system from the consequences of an attack multiplied by the number of devices affected by the attack. For example, if 3 RTUs and 1 PLC stopped working due to an attack on the SCADA system and it took 2 hours to restore each device, the measurement for this metric is 4 multiplied by 120 minutes, and the result is 480 minutes. The ideal value of this metric is zero (Department of Homeland Security 2009).

4.12 Chapter review

This chapter introduced some existing security metrics that either come from security metrics for IT systems or could be developed to apply to SCADA systems. The security metrics mentioned in this chapter can be applied directly to a SCADA system.

Chapter 5. Conclusion

To summarise, this minor thesis completely answers the research question “how can the security in SCADA system be measured?” To answer this question, the thesis started by introducing and analysing the SCADA system to point out the gap between SCADA systems and IT systems.
With the increasing use of SCADA systems in controlling critical infrastructure and the rise of new technologies, security in SCADA systems becomes a concern: a SCADA system, with its specialised design and devices, brings difficulties in applying security solutions to measure its security level. Security metrics are the possible solution for measuring the security level of a SCADA system. The thesis also mentioned some security metrics which can be applied directly to a SCADA system as a stimulus to answer the research question. The answer to the research question was reached by researching and analysing the SCADA system and its components, as well as the development of security metrics, theoretically and without any experiments; this could be seen as a limitation of this research. The need to develop security metrics for SCADA systems is increasing due to the high security requirements of SCADA systems. This research is the beginning of a study in the area of security metrics, and it will bring benefits to those who want to start working in the security environment of SCADA systems and, more generally, Process Control Systems. The next step for this research is to apply the metrics developed in this paper to a real system and to continue improving the effectiveness of useful security metrics. This next step requires support from security communities and organisations as well as SCADA projects from all over the world.

References:

Applied Computer Security Associates (ACSA) 2001, Proceedings of Workshop on Information-Security-System Rating and Ranking (WISSRR), Williamsburg, Virginia. ACSA, Silver Spring, Maryland.
Baker, S, Fillipiak, N & Timlin, K 2010, ‘In the Dark’, McAfee second annual critical infrastructure protection report, Centre for Strategic and International protection report.
Barnes, K, Johnson, B & Nickelson, R 2004, ‘Review of Supervisory Control and Data Acquisition (SCADA) Systems’, Idaho National Engineering and Environmental Laboratory, Bechtel BWXT Idaho, LLC.
Cai, N, Wang, J & Yu, X 2008, ‘SCADA system security: Complexity, history and new developments’, 6th IEEE International Conference on Industrial Informatics, Daejeon, Korea.
Chandia, R, Gonzalez, J, Kilpatrick, T, Papa, M & Shenoi, S 2007, ‘Security Strategies for SCADA networks’, IFIP International Federation for Information Processing, vol. 253, no. 9, pp. 117-131.
Chikuni, E & Dondo, M 2007, ‘Investigating the security of electrical power systems SCADA’, AFRICON 2007, pp. 1-7.
CNN Interactive, ‘Teen Hacker Faces Federal Charges’, viewed 15 November 2011, http://edition.cnn.com/TECH/computing/9803/18/juvenile.hacker/index.html
Coates, G, Hopkinson, K, Graham, S & Kurkowski, S 2010, ‘A Trust System Architecture for SCADA Network Security’, IEEE Transactions on Power Delivery, vol. 25, no. 1, pp. 158-169.
Department of Homeland Security 2009, ‘Primer Control Systems Cyber Security Framework and Technical Metrics’, Control Systems Security Program, National Cyber Security Division.
Dos Anjos, T, Brito, A & Motta Pires, P 2008, ‘A model for security management of SCADA systems’, IEEE International Conference on Emerging Technologies and Factory Automation, pp. 448-451.
Fernandez, EB & Larrondo-Petrie, MM 2010, ‘Designing Secure SCADA Systems Using Security Patterns’, 43rd Hawaii International Conference on System Sciences (HICSS), 5-8 January 2010, pp. 1-8.
Glantz, C, Stoddard, M, McIntyre, A, Santos, J, Bodeu, D, O’Neil, L & Gennert, B 2003, ‘The Development of Security Metrics for Process Control System’, report to I3P.
Graham, J & Patel, S 2004, ‘Security Considerations in SCADA Communication Protocols’, Intelligent Systems Research Laboratory, viewed 23 November 2011, http://www.louisville.edu/speed/cecs/facilities/ISLab/tech%20papers/ISRL-04-01.pdf
Government Accountability Office (GAO) 2005, Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434, Washington, D.C., May 2005, viewed 8 December 2011, http://www.gao.gov/new.items/d05434.pdf
International Standards Organization (ISO) 2002, Information technology -- Systems Security Engineering -- Capability Maturity Model, Geneva, Switzerland.
Institute for Information Infrastructure Protection (I3P) 2003, Cyber Security Research and Development Agenda.
I3P SCADA project, SCADApedia, http://www.digitalbond.com/scadapedia/
I3P report 2005, Process Control System Security Metrics State of Practice, viewed 15 November, http://stuweb.ee.mtu.edu/~ssmoily/section_4.pdf
Kang, D, Lee, J, Kim, S & Park, J 2009, ‘Analysis on cyber threats to SCADA systems’, Transmission and Distribution Conference and Exposition: Asia and Pacific, pp. 1-4.
Keizer, G 2010, ‘Is Stuxnet the ‘best’ malware ever?’, viewed 15 November 2011, http://www.infoworld.com/print/137598
Kuipers, D & Fabro, M 2006, Control Systems Cyber Security: Defense in Depth Strategies, Homeland Security External Report -06-1478, viewed 15 November, http://www.inl.gov/technicalpublications/Documents/3375141.pdf
Krautsevich, L, Martinelli, F & Yautsiukhin, A 2010, ‘Formal approach to security metrics. What does “more secure” mean to you?’, ECSA 2010, August, Copenhagen, Denmark, pp. 23-26.
Krebs, B 2008, ‘Cyber Incident Blamed for Nuclear Power Plant Shutdown’, Washington Post, Newsweek Interactive.
Manadhata, J & Wing, JM 2004, ‘Measuring a system’s attack surface’, Technical Report CMU-TR-04-102, CMU.
Manadhata, J & Wing, JM 2005, ‘An attack surface metric’, Technical Report CMU-CS-05-155, CMU.
Manadhata, J & Wing, JM 2007, ‘An approach to measuring a system’s attack surface’, Technical Report CMU-CS-07-146, CMU.
Miller, M & Slay, J 2006, ‘A Security Architecture for SCADA Networks’, 17th Australian Conference on Information Systems, Adelaide.
NERC, ‘Technical Analysis of August 14, 2003, Blackout: What Happened, Why and What did we learn?’, viewed 15 November 2011, http://www.nerc.com/docs/docs/blackout/NERC_Final_Blackout_Report_07_13_04.pdf
Nhan, NT 2012, Final Document of Minor Thesis, submission to the University of South Australia, 30 March.
Niland, M 2003, ‘Computer Virus Brings Down Train Signals’, viewed 15 November 2011, http://www.informationweek.com/news/13100807
NTSB (National Transportation Safety Board) 1999, ‘Pipeline Accident Report: Pipeline Rupture and Subsequent Fire in Bellingham’, Washington.
Ortalo, R, Deswarte, Y & Kaaniche, M 1999, ‘Experimenting with quantitative evaluation tools for monitoring operational security’, IEEE Transactions on Software Engineering, pp. 633-650.
Pamula, J 2006, ‘A weakest adversary security metric for network configuration security analysis’, Proceedings of QoP-06, ACM Press.
Payne, SC 2006, ‘A Guide to Security Metrics’, SANS Institute InfoSec Reading Room, http://www.sans.org/reading_room/whitepapers/auditing/guide-securitymetrics_55
Poulsen, K 2003, ‘Slammer worm crashed Ohio nuke plant network’, SecurityFocus, viewed 23 November 2011, http://www.securityfocus.com/news/6767
Rashid, FY 2012, ‘SCADA Systems in Railways Vulnerable to Attack’, IT Security & Network Security News.
Robert, PF 2005, ‘Zotob, PnP Worms Slam 13 Daimler Chrysler Plants’, IT Security and Network Security News.
Slay, J & Sitnikova, E 2009, ‘The Development of a Generic Framework for the Forensic Analysis of SCADA and Process Control Systems’, in Sorell, M (ed.), Forensics in Telecommunications, Information and Multimedia, vol. 8, Springer Berlin Heidelberg, pp. 77-82.
Slay, J & Miller, M 2007, ‘Lessons learned from the Maroochy water breach’, in Critical Infrastructure Protection (November 2007), vol. 253/2007, Springer Boston, pp. 73-82.
Stouffer, K, Falco, J & Scarfone, K 2008, Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82, pp. i-F14.
Symantec 2010, ‘W32.Stuxnet’, viewed 15 November 2011, http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-312399
Yakkali, H & Subramanian, N 2010, ‘Efficient design of SCADA system using minimum spanning tree and the NFR Framework’, Proceedings of the 2010 42nd IEEE Southeastern Symposium on System Theory, Tyler, Texas, pp. 346-351.