Cyber Security in Power Systems

Transcription

1 KTH ROYAL INSTITUTE OF TECHNOLOGY Cyber Security in Power Systems Matus Korman Industrial information and control systems, KTH Image source: zdnet.com

2 ?

3 Example consequences: US Northeast blackout (2003) Cause: A software defect in a control room. Restoration: Some customers after 6 hours, some after 2 days, some remote places after nearly a week. Consequences (among other): 45M people in 8 US states 10M people in Canada Healthcare facilities experienced $100M lost revenue 6 hospitals bankrupt one year after Source: Wikipedia

4

5

6 Outline 1. Background (IT-security) 2. Attackers, threats 3. Vulnerabilities in power systems 4. Solutions for securing power systems 5. Standards & guidelines, where to look further

7 IT security what it is about (roughly) TO ENSURE: DURING THE REQUIRED STATE OF DATA, IT SERVICES AND OTHER RESOURCES: BY APPLYING Technology Organization, processes & rutines Human & culture

8 Actually more than that Requirements identification and specification It takes the whole lifecycle Design and analysis Development and verification (testing) of technical systems of organizations (socio-technical systems, work systems) Operation and maintenance (changing, upgrading etc.) Disposal

9 What parts does cyber security relate to? Smart Grid Architecture Model. CEN-CENELEC-ETSI Smart Grid Coordination Group: Smart Grid Information Security pretty much all these layers, domains and zones: To ensure security of the power delivery that s on the business layer and that is dependent on roughly everything else in the picture.

10 NISTIR 7628 rev. 1: reference model entities, actors

11 NISTIR 7628 rev. 1 entities and data flows

12 Outline 1. Background (IT-security) 2. Attackers, threats 3. Vulnerabilities in power systems 4. Solutions for securing power systems 5. Standards & guidelines, where to look further

13 Threats of the cyberspace (general) FRAUDSTERS DIFFERENT CRIMINALS HACKTIVISTS [PROFESSIONAL] HACKERS RANSOMWARE BOTNETS AND THEIR OPERATORS MALWARE TECHNICAL FAILURES USERS, WE OURSELVES MILITARY & STATE UNITS

14 Outline 1. Background (IT-security) 2. Attackers, threats 3. Vulnerabilities in power systems 4. Solutions for securing power systems 5. Standards & guidelines, where to look further

15 In information technology vulnerabilities are all around Due to complexity multiple layers, interdependencies: From physical signals and processing in hardware (the chips, processors with all their registers and how they work) Through operating system level (e.g., Windows/Linux/VxWorks/ kernel) Through numerous levels of libraries/apis + networking (distributed computing) (e.g., system libraries like libc all the way up) To user/application level (e.g., file transfer, bus protection logic, ) Additional considerations: virtualization, cloud coming in to ICS, too.

16 Why ICS are vulnerable Systems are traditionally designed and tested to: Work in ideal conditions (functionality) Work even under different expected variation in the process environment (field-robustness rugged ) To some extent work under cyber-noise (e.g., higher network load, patching of systems, network scanning etc.) However, they increasingly need to: Resist sophisticated attacks from intelligent and capable threat agents (cyber-security)

17 Why ICS are vulnerable cont d Convergence between ICS and general IT: General IT-technology is increasingly used in ICS (IP-networks, Windows, Linux, wireless, web-based systems all well-known, well-compromised) Connections between the process network and other networks tend to lack securement A variety of data flows between networks, using various protocols (including old, proprietary, insecure ones) Sometimes unprotected control system components (IEDs, RTUs, etc.) for flexible access for technical personnel, consultants/contractors Physically and logically distributed environments => more difficult to secure

18 Different levels of vulnerabilities System/component design: SCADA-software, HMI and workstation operating systems (Windows, Linux), other systems; PLC, RTU, IED, switches, routers Network design: ICS-network (process network) + its connection to the office network (and other networks); Application services running on machines in the ICS-network; Configuration of IT-security protection in the network (firewalls, IDS/IPS, configuration of operating systems) Organization, people and operations: Security policy and security culture in the organization; How people carry out different technical operations; What devices one can use in the ICS-network (own computers on which one surfs in private, USB-sticks etc.);

19 Common vulnerabilities in ICS Documentation and processes: Lack of formal documentation Lacking change management process Lacking security policy and security culture(awareness, attitudes etc.) Access control: Lacking access control (which user/role has access where, when, how, etc.) Vulnerable handling of authentication data (e.g., passwords) Over-privileged access accounts, old accounts, etc. Network design and state of systems hosted there: Vulnerable network design, insufficient protection of networks (e.g., unnecessarily broad exposure of systems and data traffic in a network, insufficient separation between process networks, office networks, outside Internet ) Outdated systems, active modems/vpns with poor authentication... Security countermeasures (e.g., firewalls, IDS/IPS, configuration, security operations): Weak network protection (firewall restrictions such as what ports, what IP ranges, what intensity of communication, etc.) Lacking security reviews and accountability Vulnerable configuration of system such as unnecessary services and software installed and even running

20 How an attack can take place A network can be penetrated e.g.: Directly: An attacker manages to get into a network from outside (e.g., by obtaining an own IP-address in there, ARP-spoofing some other machine, ) Indirectly: An attacker exploits that personnel surfs on Internet, reads , etc in order to infect the personnel s machine(s), and then attack further and deeper Social engineering: An attacker tricks personnel to do something compromising (e.g., give away a username, password etc.) through pretending to be a legitimate person, commonly in an urgent situation (e.g., a technician who quickly needs some non-standard help to prevent a major failure/incident from happening ) A software can be infected through (a single data flow can be enough) e.g.: Known vulnerabilities (on outdated systems) statistically frequent and often unnecessary vulnerability. Whoever can get exploits and shoot them at a system. Zero-day vulnerabilities (0-days, yet publicly unknown) majority is not captured even by advanced, expensive, collaborative security solutions (NGIPS). Luckily, 0-days are very expensive to buy usable exploits for (e.g., black market) and very demanding to identify and develop on own for a generic software. There are different types of attacks, e.g.: DoS (Denial of Service), DDoS (distributed DoS) sabotage that blocks, saturates, locks in or takes down systems/functions so that they no longer are available (temporarily or permanently) MITM (Man-In-The-Middle) hidden manipulation of data communication Intrusion leads to illegitimate control over a system or a part of it, which then can lead to modifications/sabotage, mapping/espionage, etc

21 Identifying potential victim devices Shodan it s like Google, just for devices with public access: It s a computer search engine. Partially free of charge. Helps people to find webcams, fridges, RTUs, etc according to country, ports/services, organizations, operating systems, installed software packages

22 Outline 1. Background (IT-security) 2. Attackers, threats 3. Vulnerabilities in power systems 4. Solutions for securing power systems 5. Standards & guidelines, where to look further

23

24 How to secure ICS environments? Identify and eliminate greatest security holes Harden systems and networks (get rid of unused functionality, unused software installed on machines, unnecessarily open ports; harden your systems configuration, etc. etc.) The goal of all this is to: Constrain the possibilities and maneuvering space of the attacker(s), and so make their work as difficult, expensive and risky as possible. Scan for vulnerabilities, do penetration tests as applicable (e.g., ICS test beds, typically not on-site, as things could break ) to measure security Establish a systematic, formal work with IT security Risk analyses and risk treatment there are risk analysis methods Reviews and log analyses Analysis of in- and outgoing network traffic (e.g. Netflow) Updates + other security maintenance Education and training of personnel etc.

25 Example countermeasures just a few BASIC MORE ADVANCED Network segmentation and DMZs between networks Firewalls Access control to systems, plus: Reasonably strong passwords Smart cards (eventually) Connection tracking and network access control Blacklisting Whitelisting Intrusion detection (both based on signatures and models of normal behavior) Honeypots / honeynets The following document gives a very good overview of the different realistic security controls to consider The Critical Security Controls for Effective Cyber Defense by Council on Cyber Security:

26 Outline 1. Background (IT-security) 2. Attackers, threats 3. Vulnerabilities in power systems 4. Solutions for securing power systems 5. Standards & guidelines, where to look further

27 Cyber security standards and guidelines General IT security: ISO/IEC series (27001, 27002, ) Security in industrial control systems: NIST SP (rev. 2): Guide to Industrial Control Systems (ICS) Security IEC for communication protocols NIST Framework for Improving Critical Infrastructure Cybersecurity NERC CIP (Critical Infrastructure Protection) Security in power systems (specifically): NISTIR 7628 (rev. 1): Guidelines for Smart Grid Cyber Security

28 Where to look further Industrial Control Systems Computer Emergency Response Team (ICS-CERT): EU Agency for Network and Information Security (ENISA): Critical Security Controls (by Center for Internet Security): SCADAHacker forum (by Joel Langill):

29 Great books Highly topic-relevant: Eric D. Knapp & Joel Thomas Langill (2015): Industrial Network Security: Securing Critical Infrastructure, Network for Smart Grid, SCADA, and other Industrial Control Systems A good book about information security (general): John R. Vacca (2013): Computer and Information Security Handbook (second edition)

30 Books with highly applied, practical focus Tyson Macaulay & Bryan Singer (2012): Cybersecurity for Industrial Control Systems Ralph Langner (2012): Robust Control System Networks

31 Thanks for your attention and good luck!