Cyber Security for the Power Grid: Cyber Security Issues & Securing Control Systems
Nov. 2009
• High-Level
– Industrial Control Systems and Cyber Security Issues
– Securing Control Systems
• Detailed
– Security Issues in Industrial Control Systems
– Today’s Threats
– Securing Control Systems
A Control System = Sensor(s) + Actuator(s) + Controller(s)
Types of Industrial Control Systems (ICS)
[Diagram; only the labels "Distributed Control Systems (DCS)" and "Automation" survive extraction.]
Historical ICS
• Proprietary
• Complete vertical solutions
• Customized
• Specialized communications
– Wired, fiber, microwave, dialup, serial, etc.
– 100s of different protocols
– Slow; e.g. 1200 baud
• Long service lifetimes: 15–20 years
• Not designed with security in mind
Modern ICS Trends
[Diagram of a modern ICS architecture: Internet and IP connectivity at the top; an Optimization Suite, Firewall, Third-Party Application Server and Mobile Operator Services on the enterprise side; Network Connectivity down to a Historian Server, Application Server and Engineering Workplace on the Control Network; below that a Redundant Device Network carrying Serial, OPC or Fieldbus to Third-Party Controllers, Servers, etc., and Serial RS485 links.]
Technology Trends in ICS
[Diagram; content not recoverable from extraction.]
Consequences of an ICS compromise
• Loss of production
• Penalties
• Lawsuits
• Loss of public trust
• Loss of market value
• Physical damage
• Environmental damage
• Injury
• Loss of life
Incidents cited
• USSR pipeline explosion, 1982
• Bellingham pipeline rupture, 1999
• Queensland sewage release, 2000
• Davis-Besse nuclear plant infection, 2003
• Northeast USA blackout, 2003
• Browns Ferry nuclear plant scram, 2006
So How Do We Secure Industrial Control Systems?
There is No Silver Bullet!
Defense in Depth
• Perimeter Protection
– Firewall, IPS, VPN, AV
– Host IDS, Host AV
– DMZ
• Interior Security
– Firewall, IDS, VPN, AV
– Host IDS, Host AV
– IEEE P1711 (AGA 12)
– NAC
– Scanning
• Monitoring
• Management
Abbreviations: IDS, Intrusion Detection System; IPS, Intrusion Prevention System; DMZ, DeMilitarized Zone; VPN, Virtual Private Network (cryptographic); AV, Anti-Virus (anti-malware); NAC, Network Admission Control.
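The interior-security layer above lists IEEE P1711 (AGA 12), the cryptographic protection for legacy serial SCADA links. The block below is an added example, not code from the original slides and not the P1711 or AGA 12 wire format: it shows the two properties such a "bump in the wire" device gives a serial link, message authentication and replay rejection, using HMAC-SHA256 from the Python standard library. The frame layout, tag length, sequence-number policy, shared key and the Modbus-style command bytes are all constructed for the example.

```python
"""
Added example, not part of the original slides: a minimal "bump in the wire"
wrapper that gives a legacy serial SCADA link message authentication and
replay protection, the class of protection that IEEE P1711 / AGA 12 link
encryptors add to RS-232/RS-485 circuits. It is a simplified illustration
built on HMAC-SHA256 from the Python standard library; it is NOT the AGA 12
or P1711 wire format, and the frame layout, tag length, sequence policy and
shared key are assumptions made for the example.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16                  # truncated HMAC-SHA256 tag (assumption)
SEQ = struct.Struct(">I")     # 32-bit big-endian sequence number (assumption)


class SerialLinkError(Exception):
    """Raised by the receiving unit when a frame must be dropped."""


class LinkSender:
    """Master-side unit: prefix a sequence number, suffix a MAC over both."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0

    def wrap(self, payload: bytes) -> bytes:
        self.seq += 1
        body = SEQ.pack(self.seq) + payload
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class LinkReceiver:
    """RTU-side unit: verify the MAC first, then reject stale sequence numbers."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_seq = 0

    def unwrap(self, frame: bytes) -> bytes:
        if len(frame) < SEQ.size + TAG_LEN:
            raise SerialLinkError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time compare; a forged or altered frame never reaches the RTU.
        if not hmac.compare_digest(tag, expected):
            raise SerialLinkError("bad MAC: frame altered or wrong key")
        (seq,) = SEQ.unpack(body[:SEQ.size])
        # Strictly increasing sequence numbers defeat replay of a captured
        # valid frame (for example re-sending a 'write register' command).
        if seq <= self.last_seq:
            raise SerialLinkError(f"replay: seq {seq} not above {self.last_seq}")
        self.last_seq = seq
        return body[SEQ.size:]


def demo() -> dict:
    """Run the cases a link encryptor must handle; returns the outcomes."""
    key = b"constructed-demo-key-not-for-production"  # provision out of band
    master, rtu = LinkSender(key), LinkReceiver(key)

    # Constructed Modbus-RTU-style request: unit 0x11, function 0x06
    # (write single register), register 0x0001, value 0x0003, 2-byte CRC.
    write_cmd = bytes.fromhex("11 06 00 01 00 03 9a 9b")

    frame = master.wrap(write_cmd)
    results = {"roundtrip": rtu.unwrap(frame) == write_cmd}

    # Attacker on the wire flips one bit in the value field.
    tampered = bytearray(frame)
    tampered[SEQ.size + 5] ^= 0x01
    try:
        rtu.unwrap(bytes(tampered))
        results["tamper_rejected"] = False
    except SerialLinkError:
        results["tamper_rejected"] = True

    # Attacker replays the genuine frame captured earlier.
    try:
        rtu.unwrap(frame)
        results["replay_rejected"] = False
    except SerialLinkError:
        results["replay_rejected"] = True

    # The next legitimate command still goes through.
    results["next_ok"] = rtu.unwrap(master.wrap(write_cmd)) == write_cmd
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'OK' if ok else 'FAIL'}")
```

The MAC is checked before the sequence number so that an attacker cannot advance the receiver's window with forged frames; a real link encryptor would additionally encrypt the payload and handle counter persistence across power cycles, which this illustration leaves out.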
50,000 Foot View
[Diagram: the Internet connects through VPN, firewall, proxy, AV and IPS to the Enterprise Network ("IT stuff"), which is separated from the Control Network by firewalls and IPS; scanning, host IPS/AV, log management, IDS and event management are applied across both. The Control Network carries NAC, reporting, IEC 62351, host IDS/AV and VPN, and connects over firewalls and VPN (IEEE P1711 on serial links) to a Partner Site and to Field Sites that each run IDS, firewall, AV, scanning and NAC.]
Security Issues in Industrial Control Systems
Priorities are Availability, Integrity and Confidentiality, in that order (the reverse of the usual IT ordering).
[Diagram with callout: "backdoor to the control center!"]
Legacy Equipment
• Temperature
• Vibration
• Dust
• Humidity
• Electrical Transients
Attack Vectors into Control Systems
[Diagram; the list of vectors includes infected laptops and is growing.]
Intense Media Visibility on the Cyber Security Issue
Adversaries
• Script kiddies
• Hackers
• Organized crime
• Disgruntled insiders
• Competitors
• Terrorists
• Hacktivists
• Eco-terrorists
• Nation states
How an Attack Proceeds, Steps #1 to #7
[Animated diagram repeated over seven slides. Elements shown: an Attacker on the Internet; the Enterprise Network behind an Enterprise Firewall, containing a Web Server, Domain Name Server (DNS), Email Server, Business Workstation and Database Server; an ICS Firewall in front of the Control System Network, containing a Web Server, Data Historian, Modem Pool, HMI, Engineering Workstation, Management Console, FEP, RTU and IEDs. Steps #4 and #5 add a Vendor Web Server on the Internet. The per-step annotations did not survive extraction.]
Defending ICS
[Same architecture diagram as the 50000 Foot View slide above.]
Logical Overlay on SP99 / Purdue Model of Control
[Diagram: a DMZ holding Terminal Services, Patch Management, an AV Server, a Historian (Mirror), Web Services and an Operations Application Server sits above the control levels. Level 1 holds Batch, Discrete, Continuous, Hybrid and Basic Control; Level 0 is the Process. The Level 2 and Level 3 labels did not survive extraction.]
Logical Architecture
• Dual-homed server
• Dual-homed server with Host IPS / AV
• Router with packet filter ACLs
• Two-port Firewall
• Router + Firewall combination
[Diagram, DMZ with multiple functional sub-zones: IDS, AV, Proxy, VPN, Terminal Services, Patch Management, AV, firewall, proxy, IPS and scanning. The Historian Mirror, Web Services and the Operations Application Server sit in the DMZ with host AV; no direct traffic passes between the enterprise and control sides.]
[Diagram, security appliance with multiple ports: a single NAT security appliance providing routing, firewall, IPS, anti-virus and proxy functions serves DMZ LAN 2, DMZ LAN 3 and DMZ LAN 4 on separate physical ports.]
[Diagram, VLAN variant: a VLAN-capable L2 switch carries DMZ VLAN 2, 3 and 4 over an 802.1Q (dot1q) trunk to the same security appliance. The switch must be layer 2 only ("NOT L3!"), so that every packet between VLANs is forced through the appliance rather than routed by the switch.]
[Diagram, Remote Access DMZ: Terminal Services, an AAA Server, a Certificate Authority and a VPN concentrator, with a DMZ/Control interconnect on one side and the WAN/LAN on the other.]
Level 1: Batch Control, Discrete Control, Continuous Control, Hybrid Control, Basic Control
Level 0: Process
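The Logical Architecture options and the DMZ designs above all turn on one rule: nothing crosses directly between the enterprise side and the control side, every flow stops at a DMZ sub-zone, and a DMZ host must terminate a protocol rather than pass it through. The block below is an added example, not code from the original slides: a small checker that applies those principles to a zone-based rule set laid over the SP99 / Purdue zones. The zone names, rule format, service names, the set of "terminating" services and the sample policy are all constructed for the example.

```python
"""
Added example, not part of the original slides: a checker for a zone-based
firewall policy laid over the SP99 / Purdue levels the deck uses. Zone names,
rule format, service names and the sample rules are constructed. The checks
encode the deck's design principles: no direct traffic between the enterprise
and control sides (everything terminates in a DMZ sub-zone), no 'any' service
across a zone boundary, Internet-originated traffic only into the DMZ and only
as VPN, and a DMZ host that passes the same protocol straight through from the
enterprise to the control side is a relay, not a termination point.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    src_zone: str   # internet | enterprise | dmz | control | field
    src: str        # host name, or "any"
    dst_zone: str
    dst: str
    service: str    # "proto/port", or "any"


UPPER = {"internet", "enterprise"}      # outside the control perimeter
LOWER = {"control", "field"}            # Purdue levels 3 and below
# Services a remote-access DMZ may accept straight from the Internet (assumption).
VPN_SERVICES = {"udp/500", "udp/4500", "tcp/443"}
# DMZ services that end one session and start a new one toward the control side
# (terminal services, web/historian mirror). Any other service seen both into
# and out of one DMZ host is treated as a pass-through relay (assumption).
TERMINATING = {"tcp/3389", "tcp/443"}

Finding = Tuple[str, str]


def check_policy(rules: List[Rule]) -> List[Finding]:
    findings: List[Finding] = []
    inbound = defaultdict(set)   # dmz host -> services reachable from UPPER
    outbound = defaultdict(set)  # dmz host -> services it may open toward LOWER

    for r in rules:
        label = f"{r.src_zone}:{r.src} -> {r.dst_zone}:{r.dst} {r.service}"
        if r.service == "any":
            findings.append(("ANY_SERVICE", label))
        if (r.src_zone in UPPER and r.dst_zone in LOWER) or \
           (r.src_zone in LOWER and r.dst_zone in UPPER):
            findings.append(("DMZ_BYPASS", label))
        if r.src_zone == "internet" and r.dst_zone == "dmz" \
           and r.service not in VPN_SERVICES:
            findings.append(("INTERNET_NON_VPN", label))
        if r.src_zone in UPPER and r.dst_zone == "dmz":
            inbound[r.dst].add(r.service)
        if r.src_zone == "dmz" and r.dst_zone in LOWER:
            outbound[r.src].add(r.service)

    # Relay check: the same non-terminating service in and out of one DMZ host
    # (the classic dual-homed server problem).
    for host in sorted(inbound.keys() & outbound.keys()):
        for svc in sorted((inbound[host] & outbound[host]) - TERMINATING):
            findings.append(("DMZ_RELAY", f"{host} passes {svc} through"))
    return findings


# Constructed sample policy; comments give the expected verdict.
SAMPLE_POLICY = [
    Rule("enterprise", "any", "dmz", "hist-mirror", "tcp/443"),         # ok
    Rule("control", "historian", "dmz", "hist-mirror", "tcp/1433"),    # ok: push upward
    Rule("enterprise", "any", "dmz", "term-srv", "tcp/3389"),          # ok: jump host
    Rule("dmz", "term-srv", "control", "hmi", "tcp/3389"),             # ok: new session
    Rule("enterprise", "eng-laptop", "control", "plc-net", "tcp/502"), # DMZ_BYPASS
    Rule("enterprise", "any", "dmz", "file-srv", "tcp/445"),           # relay, part 1
    Rule("dmz", "file-srv", "control", "eng-ws", "tcp/445"),           # DMZ_RELAY
    Rule("dmz", "patch-srv", "control", "any", "any"),                 # ANY_SERVICE
    Rule("internet", "partner", "dmz", "vpn-gw", "udp/500"),           # ok
    Rule("internet", "partner", "dmz", "vpn-gw", "tcp/502"),           # INTERNET_NON_VPN
]

if __name__ == "__main__":
    for code, detail in check_policy(SAMPLE_POLICY):
        print(f"{code:17} {detail}")
```

The relay check is what distinguishes a real DMZ from a dual-homed server with two rules: a file server reachable on SMB from the enterprise that also opens SMB into the control zone is a single hop for an attacker, whereas a terminal server or historian mirror ends the enterprise session and starts a separately authenticated one.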
Control Zone Design Principles
[Two diagrams of the control zone, one in a star topology and one in a ring topology. Level 3: redundant firewalls and L3 switches on a Gigabit core, with an IDS on a SPAN port and a scanner. Level 2: L2 switches, dot1q trunks, QoS, shaping and policing, port security. Level 1: 10/100 access ports.]
• Ring reduces wiring for linear sites like power dams, but spanning tree can have problems with large rings
[Diagram of perimeter controls: Firewall, Site-to-site VPN, IDS/IPS, Client VPN, DMZ, Proxy, Network AV, Host IDS/IPS, NAC]
Interior Protection in Utilities
[Diagram: IDS, port scanning, vulnerability scanning, firewalls, NAC and SCADA VPNs deployed inside the network and repeated at each site.]
Monitor, Log, Analyze, Report
• Log
• Analyze
• Report
• Managed Security
• Compliance
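The interior-protection and monitoring slides above put an IDS on the control-zone SPAN port, NAC on the access layer, scanners inside the zone, and a log-management system that analyses and reports on what they see. The block below is an added example, not code from the original slides: detection logic of the kind that system would run over flow records from the control zone. The flow records, address ranges, host inventory, Modbus writer list and scan threshold are all constructed for the example; the rules are the deck's controls expressed as checks on observed traffic rather than on firewall configuration.

```python
"""
Added example, not part of the original slides: detection logic of the kind an
IDS on the control-zone SPAN port, or the log-management system it feeds,
would run. The flow records, address ranges, host inventory and thresholds are
constructed for the example. The rules mirror the deck's controls: traffic
enters or leaves the control zone only via the DMZ, unknown hosts in the zone
are reported (what NAC would refuse to admit), a source touching many
destinations is a scan, and Modbus write function codes are accepted only
from the HMI and the engineering workstation.
"""
import ipaddress
from collections import defaultdict
from typing import List, Tuple

CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")  # Purdue levels 1 to 3 (assumption)
DMZ_NET = ipaddress.ip_network("10.30.0.0/24")      # DMZ above the control zone
INVENTORY = {"10.20.1.10", "10.20.1.20", "10.20.2.5", "10.20.2.6", "10.20.3.2"}
MODBUS_WRITERS = {"10.20.1.10", "10.20.1.20"}       # HMI and engineering workstation
MODBUS_WRITE_FC = {5, 6, 15, 16, 22, 23}            # coil/register write function codes
SCAN_THRESHOLD = 5                                  # distinct dst:port pairs per source

# Constructed flow records: ts,src,dst,proto,dport,modbus_fc (blank when not Modbus)
SAMPLE_FLOWS = """\
1,10.20.1.10,10.20.2.5,tcp,502,3
2,10.20.1.10,10.20.2.5,tcp,502,16
3,10.30.0.5,10.20.3.2,tcp,1433,
4,10.20.3.2,10.30.0.5,tcp,1433,
5,192.168.50.7,10.20.2.5,tcp,502,6
6,10.20.2.6,10.20.2.5,tcp,502,6
7,10.20.9.9,10.20.2.5,tcp,502,3
8,10.20.9.9,10.20.2.5,tcp,22,
9,10.20.9.9,10.20.2.5,tcp,23,
10,10.20.9.9,10.20.2.6,tcp,502,
11,10.20.9.9,10.20.2.6,tcp,22,
12,10.20.9.9,10.20.3.2,tcp,1433,
13,10.20.3.2,203.0.113.10,tcp,443,
"""

Alert = Tuple[str, str, str]   # (rule, source address, detail)


def in_zone(ip: str) -> bool:
    """True for addresses inside the control zone or its DMZ."""
    addr = ipaddress.ip_address(ip)
    return addr in CONTROL_NET or addr in DMZ_NET


def detect(flow_text: str) -> List[Alert]:
    alerts: List[Alert] = []
    seen_unknown = set()
    targets = defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, fc = line.split(",")
        src_ctl = ipaddress.ip_address(src) in CONTROL_NET
        dst_ctl = ipaddress.ip_address(dst) in CONTROL_NET
        # 1. Zone boundary: control traffic may enter or leave only via the DMZ.
        if dst_ctl and not in_zone(src):
            alerts.append(("DMZ_BYPASS", src, f"ts={ts} direct ingress to {dst}:{dport}"))
        if src_ctl and not in_zone(dst):
            alerts.append(("EGRESS", src, f"ts={ts} control host reached {dst}:{dport}"))
        # 2. NAC view: a control-zone source that is not in the inventory.
        if src_ctl and src not in INVENTORY and src not in seen_unknown:
            seen_unknown.add(src)
            alerts.append(("UNKNOWN_HOST", src, f"ts={ts} first seen"))
        # 3. Modbus writes from anything but the authorised stations.
        if dport == "502" and fc and int(fc) in MODBUS_WRITE_FC \
           and src not in MODBUS_WRITERS:
            alerts.append(("UNAUTH_WRITE", src, f"ts={ts} function {fc} to {dst}"))
        targets[src].add((dst, dport))
    # 4. Scan: one source touching many distinct destination:port pairs.
    for src, pairs in sorted(targets.items()):
        if len(pairs) >= SCAN_THRESHOLD:
            alerts.append(("SCAN", src, f"{len(pairs)} distinct dst:port pairs"))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_FLOWS):
        print(f"{rule:13} {src:15} {detail}")
```

Note that the sample deliberately includes a write from one PLC to another (flow 6): a write is flagged by who issued it, not by whether the source is a known control-zone host, since a compromised device inside the zone is the case the interior layer exists for.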
Beyond Network Security
Standards Efforts
• NERC CIPs
• NIST Smart Grid Interoperability Standards Project
• NIST SP800-82
• NIST SP800-53
• NIST PCSRF Protection Profiles
• AMI-SEC
• ISA SP99
• ODVA
• www.nist.gov/smartgrid
• Securing Your SCADA and Industrial Control Systems, Version 1.0, DHS, ISBN 0-16-075115-8
• Guide to SCADA and Industrial Control System Security, NIST SP800-82
• ISA99 Industrial Automation and Control Systems Security, www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821
• AGA 12/IEEE P1689 SCADA Encryption Standard, scadasafe.sf.net