SCADA and Smart Grid Security Tests

Transcription

1 SCADA and Smart Grid Security Tests Document number

2

3 EPCIP: EU Program for Protecting Critical Infrastructures The EU Context Summarized 3 Strategy The general objective of EPCIP (European Programme for Critical Infrastructure Protection) is to improve the protection of critical infrastructure in the European Union (EU). The legislative framework for the EPCIP consists of the following: a procedure for identifying and designating European critical infrastructure and a common approach to assessing the need to improve the protection of such infrastructure. This will be implemented by means of a directive; measures designed to facilitate the implementation of EPCIP, including an EPCIP action plan, the Critical Infrastructure Warning Information Network (CIWIN), CIP information sharing processes, and the identification and analysis of interdependencies; support for EU countries regarding National Critical Infrastructures (NCIs) that may optionally be used by a particular EU country, and contingency planning EU Funding available

4 In particular : EU program for protecting Critical Infrastructures ( Driven by DG Home ) The DIRECTIVE 2008/114/EC establishes a common procedure for the identification and designation of European Critical Infrastructure (ECI), defined as critical infrastructure located in the EU Member States, the disruption or destruction of which would have a significant impact on at least two EU M.S. Obligations of the Member States by Jan 2011: Transpose the EU directive into national law Identification and designation of EU critical infrastructures in their country, in the area of Transport (air, water, road) and Energy (oil, gas, electricity) Assure for each ECI have an Operator Security Plan (a risk assessment and identification, selection and prioritization of counter measures and procedures) and designate a Security Liaison Officer; Appoint a European Critical Infrastructure Protection Contact Point; Objective of the commission is improve the protection for the critical infrastructures in Europe The implementation of CIP is not attending expected results: A review of the Directive is being negotiated, with additional topics: EU facilitating implementation: CIPS fund program Call for grant for 2013 expected in May 2013 Critical Infrastructure Warning Information Network (CIWIN) Information sharing on Critical Infrastructure Protection (CIP) and expert groups Stakeholders: Government drives the implementation of the directive: Ministries of home affairs, Agencies on critical infrastructures, National crisis center Operators: Owners and operators of Critical infrastructures OSP 4 Focus on all hazards Move away from protection of physical assets to resilience of service From crisis management to prevention, preparedness and response More attention to interdependencies and multilevel approach De facto EU critical infrastructures: Galileo, air traffic control, grid, gas and oil pipe

5 Skilled and motivated hactivists..not only Anonymous 5

6 What are we seeing? Key Findings from the 2012 X-Force Report 2012 Sampling of Security Incidents by Attack Type, Time and Impact Conjecture of relative breach impact is based on publicly disclosed information regarding leaked records and financial losses Source: IBM X-Force Research 2012 Trend and Risk Report

7 ICS-ALERT Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) ha emesso un alert riguardo al motore di ricerca SHODAN, che può essere utilizzato per identificare I sistemi SCADA che sono connessi a Internet. Questo può essere sfruttato da parte di attacker per compromettere questi sistemi. ICS-ALERT descrive una serie di raccomandazioni per ridurre questo rischio.

8 Substation technologyes evolution

9 SCADA Security Comparisons A comparison of Security used in U.S. companies vs. Security used in process systems: Topic Corporate IT Process Systems Anti Virus Widely used Used with care Lifetime 3-5 years 5-20 years Outsourcing Widely used Rarely used for operations Patching Frequent Slow (requires vendor approval or extensive testing) Change Frequent Rare Security Skills & Awareness Medium to High Poor IT security, no awareness training Security Testing Widely used Must be used with care Physical Security Usually secure & manned Good controls but often remote & unmanned 99

10 Impact of a breach to power control systems could be severe Serious disruption to national critical infrastructure Loss of system availability Process interruption Equipment damage Asset mis-configuration Loss of data and confidentiality Personal injury Penalties resulting from regulatory violations Loss of customer and public trust 10

11 Smart Grid macro components Cyber security of the Smart Grids European Commission (work package 1.1) 11

12 Where are the specific areas concerns? Investors: downtime, fines, cost, investment and related impact on revenue Operators: optimization of asset management and, specifically: Emerging Smart Grid Issues Millions of new end points Massive amounts of data System security Vulnerable software Lack of access control Mis-configuration of options Data Vulnerability Weak/No encryption Inappropriate storage Installation of malcode Cyber security of the Smart Grids European Commission (work package 1.1) Potential Fraud Invalid credentials Weak authorization Insufficient tamper protection Smart Meters fraud Downtime Denial of service risk System corruption 12

13 SCADA: technolgies and protocols Field Devices RTU Remote Terminal Unit PLC Programmable Logic Controller IED Integrated Electronic Device PAC Programmable Automation Controller Protocols Modbus DNP3 DeviceNet IEC proprietary protocols SCADA Control Center HMI Human Machine Interface SCADA Controller Real time processing Historian database of events Control Center Protocols (es. OPC, ICCP, IEC 101/103 etc..) Communication Technologies Serial connections (hardwire & dial-up) Ethernet & TCP/IP / Wireless RF & Microwave Cell: CDMA ZigBee HAN Middleware MS IIS,.Net Trends ->mixed criticality systems 13

14 Smart Meter security test (case) Customers Can Access Acme Backend Servers and Networks Critical Risk Finding Users who have working PLIDs in their homes can use the network access that this device provides to access back end servers in excess of what should be allowed. Services like database servers and unused web servers should not be accessible to customers. In addition, services were accessed that were behind the most current stable patch level. Customers who connect PLIDs to their own network equipment could, even unintentionally, introduce network worms into the Acme environment. Systems affected: Several backend Acme networks, but not the SCADA or Corporate networks. Impact This increased access will open up avenues of attack into the Acme environment that do not contribute to functionality or availability. Recommendation Apply network filtering at the gateway routers. A least privilege model should be employed. Every packet coming out of a Smarthouse should be filtered except those that are absolutely necessary for a documented purpose. For example, if the smart home only needs to contact one single backend web server on TCP port 80, this is the only connection that should be allowed.

15 Security tests challenges - Systems fragility - Non standard/unknown protocols - Non IP based protocols - Embedded devices - Unusual «IT» wireless spectrum - SCADA Applications knowledge - Critical Infrastructure threats - Specialized tools (even opensource but often need to be customized) - Specialized skills 15

16 This is a possible approach Operations requirements analysis Threat modeling/threats threes Testing scope definition Attack surface Fragility/criticality analysis Test strategy/framework Attack scenarious 16

17 Target definition The goal of this activity is to identify which are the critical systems that, if compromised, can lead to major power outage: As an example: SCADA core systems DMS/OMS/EMS systems Real-time systems Batch systems Process critical applications Non real-time critical systems and applications (but critical for process!) Phone lines, LAN/WAN/HAN Networks Sensors/embedded systems And many others Must be evaluated all systems considered dangerous for critical systems security. Not only SCADA or real-time components, but also interface applications, supply chain systems, back up etc..

18 Threat modeling The goal of threat modeling is to identify potential risks or attacks against your software and to make decisions about how to address these risks. I. Identify the attack surface II. Identify the potential threats III. Assign an impact for each threat IV. Determine the probability of compromise It is paramount to have a deep knowledge of the attack vectors and.. think as an attacker

19 Domande? 19