Transcript of CEATI BurnabyBC 2017Oct31 JBaugh Final
IEC 61850 Deployment: Security, Reliability and CIP Compliance Considerations
Dr. Joseph B. Baugh, Senior Compliance Auditor, Cyber Security
SEAM Fall 2017 Meeting: CEATI Conference, Burnaby, British Columbia – October 31, 2017
Slide 2
Speaker Credentials
• Electrical Utility Experience (44 years)
  – Senior Compliance Auditor, Cyber Security
  – IT Manager & Power Trading/Scheduling Manager
  – IT Program Manager & Project Manager
  – NERC Certified System Operator
  – Barehand Qualified Transmission Lineman
• Educational Experience
  – Degrees earned: Ph.D., MBA, BS-Computer Science
  – Certifications: PMP, CISSP, CISA, CRISC, CISM, PSP, NSA-IAM/IEM
  – Academic & Technical Course Teaching Experience (20+ years)
    • Business Strategy, Leadership, and Management
    • Information Technology, IT Security, and Project Management
    • PMP, CISA, CISSP, CISM, ITIL, & Cisco exam preparation
    • CIP Compliance workshops and other outreach sessions
October 31, 2017 2017 CEATI - Burnaby BC
Slide 3
Agenda
1. Evolution of threats to and attacks on Industrial Control Systems [ICS] within the electrical grid
2. Topics on the IEC 61850 protocol
3. Developing Power Grid Reliability & Resiliency [PGRR]
4. Questions?
Slide 4
Agenda Topic One: ICS Threats & Attacks
Evolution of threats to and attacks on Industrial Control Systems [ICS] within the electrical grid
Slide 5
Recent Electrical System Threats
• The 2015 & 2016 cyber attacks on the Ukrainian power grid signaled a new era in vulnerability for electrical and other Industrial Control Systems [ICS]:
  – Stuxnet
  – BlackEnergy
  – Havex
  – Crashoverride Framework
  – Industroyer
  – Palmetto Fusion
  – Dragonfly 2.0
• However, some of the vulnerabilities exploited by these attacks have been known since 2009
• What does this say about electrical cybersecurity posture?
Slide 6
Stuxnet (Zetter, 2014)
• First known ICS-specific malware; identified in 2010, it used a known Windows print spooler vulnerability and three zero-day OS vulnerabilities to target Siemens PLC software at an Iranian nuclear facility and modify Programmable Logic Controllers [PLC]
• Initially spread with infected USB drives
• Has since infected ICS in other countries, including the U.S. (Kushner, 2013)
• Cyber espionage variants include Flame (identified in 2012, but may predate Stuxnet), Gauss (2011), and Duqu (2011); designed to steal ICS and other information
• An exploit for the print spooler vulnerability, including its source code, was published in April 2009
• Microsoft patch [MS10-061] was available in September 2010; updated patch [MS16-087] in July 2016
Slide 7
BlackEnergy (E-ISAC & SANS, 2016)
• Implicated in the 2015 Ukrainian power grid attack by the Sandworm team
• Primary infection used spear phishing attacks on key engineers and IT administrators with infected Word and Excel documents
• Coordinated attacks across three power companies
• Targeted distribution SCADA ICS, but characterized as a test run
  – Demonstrated capability to gain a foothold to harvest credentials and information to gain access to ICS networks
  – Demonstrated capability to target Cyber Assets at substations, write custom malicious firmware to serial-to-Ethernet converters to render field devices inoperable and unrecoverable, and wipe workstations and servers with KillDisk
  – BlackEnergy and KillDisk were used to enable the attack and delay restoration efforts, but were not capable of opening field devices
  – Outages were caused by attackers operating HMIs manually
• Remote admin access capabilities, poor VPN practices, and failure to monitor ICS networks contributed to attack reconnaissance months (and perhaps years) before the actual attack
Slide 8
Havex (Nelson, 2016)
• A Remote Access Trojan [RAT] used in 2012-2013 attacks against energy sector companies, also aimed at other ICS users (Constantin, 2014)
• Used by the Dragonfly group in spear phishing attacks to gain remote access control over infected ICS computers
• Scans LANs for devices that respond to OPC requests
• Extracts information on network details, harvests Outlook emails, and sends the data to Dragonfly servers
• Acts as a conduit for other malware
Slide 9
Crashoverride Framework (Dragos, 2017)
• Fourth ICS-tailored malware (after Stuxnet, BlackEnergy 2, and Havex)
• Serves no cyberespionage purpose; first malware framework specifically designed and deployed to automatically attack electrical control systems
• Suspected in the December 2016 Ukrainian attack and may be linked to the Sandworm team; perhaps deployed as a proof of concept, given the limited impact of the attack
• Not unique to specific vendors or configurations
• Purpose built to impact electrical grid operations and facilitate attacks in other countries
• Uses Layer 2 and Layer 3 routable and serial protocols to carry out attacks, including Ethernet, IEC 104, IEC 101, IEC 61850 and OPC DA as used to control field devices; Dragos found no DNP3 module in the recovered samples, but the framework's modular design allows one to be added
Slide 10
Industroyer (Cherepanov & Lipovsky, 2017)
• ESET researchers published a paper on Industroyer and called it "a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly" (p. 1)
• ESET believes it is highly probable Industroyer was used in the December 2016 Ukrainian power grid attack
• Industroyer targets common industrial control system communication protocols, including IEC 61850, which were specifically exempted from the electronic access control protections included in the CIP Standards for many electrical Facilities [see also the CIP-012-1 slides below]
• Can also target vendor-specific industrial power control products
Slide 11
Palmetto Fusion (Perlroth, 2017)
• Palmetto Fusion suspected in the Wolf Creek Nuclear station attack in Kansas (May 2017):
  – No indication of compromise of operational systems
  – Operational network is air-gapped from the corporate network, but may be susceptible to infected USB drives
  – May have been a mapping attack, but investigators have not been able to analyze the payload
  – Introduced as highly targeted email messages with fake, infected resumes sent to senior industrial control engineers
  – Techniques mimicked the Sandworm Russian hacking group that has been tied to energy sector attacks since 2012
Slide 12
Dragonfly 2.0 (Greenberg, 2017)
• Symantec recently reported a new series of attacks, beginning in 2015, on non-nuclear electrical companies by a group identified as Dragonfly 2.0:
  – Attacks leveraged phishing to introduce malware into operational networks
  – Attacks were compared to the Ukrainian attacks (2015, 2016) by Sandworm that resulted in widespread power outages
  – 2017 targets included dozens of energy companies, with more than 20 successful breaches of target networks
  – Of these breaches, several gained operational access to control interfaces for electrical equipment such as circuit breakers, and the attackers took screenshots of control panels
  – No control actions were committed by the attackers, but Symantec reported this may be a pilot test for a larger attack at some strategic time in conjunction with geopolitical events
Slide 13
Attack Vectors
• Nation-state actors
  – Future power grid disruptions considered likely in conjunction with geopolitical events
  – Likely to be automated cyber attacks to open grid elements and prevent recovery by wiping OS and firmware
• Terrorist/activist attackers
  – Physical attacks on electrical facilities, and/or
  – Cyber attacks on ICS and associated field devices
Slide 14
Nation-State Actors (BAE, 2017a)
• Provided a "license to hack" by their governments:
  – Most likely culprits for electrical grid attacks are Russia, China, and Eastern European bloc countries
  – Other authors have blamed the Stuxnet release on U.S. and Israeli state organizations
  – No fear of legal retribution by target countries
  – Often closely linked to military and intelligence control
  – Have a high level of technical expertise
  – Tasked with stealing industrial secrets, disrupting critical infrastructure, eavesdropping on political discussions, and conducting propaganda and disinformation campaigns
  – Use social engineering, such as highly targeted spear phishing attacks, to deliver malware to target systems
Slide 15
Terrorist/Activist Attackers (BAE, 2017b)
• Motivated by ideological, religious, or personal beliefs
• Individuals or small groups that are difficult to defend against
• Primary goal is to disrupt the target's activities, discredit operations, and steal sensitive data to further their goals
• Physical Attacks
  – Bombing remote electrical facilities
  – Sabotaging transmission lines
  – Shooting electrical equipment, such as transformers (e.g., Metcalf substation in April 2013)
  – CIP-014-2 developed to enhance physical security measures
• Cyber Attacks
  – May use readily available malware source code developed by nation-state actors
  – Infect ICS using similar techniques
  – Require similar protective cybersecurity countermeasures
Slide 17
What is IEC 61850?
• Developed in cooperation with manufacturers and users to create a uniform, future-proof basis for the protection, communication and control of substations (Siemens, n.d.)
• Typically uses Ethernet as its Layer 2 framing protocol to facilitate communications between Intelligent Electronic Devices [IED] (Dolezilek, 2010, p. 2), but Ethernet was not designed for use in critical ICS operations (INL, 2016, p. 13)
• Supports IEDs from multiple vendors, but local configuration files must be installed with vendor-specific software (Dolezilek, p. 8)
• Can support non-IEC-capable legacy IEDs over serial links through the use of communications processors (Dolezilek, p. 7)
• Remember the serial exemption from CIPv3: there are many legacy relays and other Cyber Assets in the grid that are now subject to cyber attacks specific to serial-connected devices
[Figure: IEDs attached to an Ethernet switch; legacy IEDs attached to a communications processor]
Slide 18
Uses of IEC 61850 in the Grid
• Remote Terminal Units [RTUs]
  – RTUs tend to be legacy non-digital equipment, which is not in scope for CIP, or
  – Newer RTUs consist of modern programmable electronic devices [PEDs], which are in scope.
  – RTUs generally support a wide variety of communications protocols, including Ethernet, serial, Modbus, DNP3, and several flavors of the IEC standard protocols (i.e., IEC 60870-5-101/103/104, IEC 60870-6-ICCP, IEC 61850, etc.).
  – The impact rating of the host Facility and the specific communication protocols in use will dictate the applicability of the CIP Standards to the RTU platforms.
• Electrical Grid Field Devices
  – Typically used for time-sensitive communications between digital relays (e.g., transfer trip schemes)
Slide 19
Uses of IEC 61850 in the Grid
• IEC 61850-9-2 Processor Units
  – Also known as Merging Units
  – Generally attached to Layer 2 "Process Bus" networks, but have Layer 3 "Station Bus" interfaces for management purposes
  – Typically located out in the switchyard
    • In circuit breaker panels or in transformer control panels
    • Could be attached to structural steel (e.g., for a bus)
  – Physical Security
    • Standalone PSP around the control cabinet with the applicable Physical Security protections, or
    • Switchyard perimeter (fence line) declared as the PSP
  – Electronic controls for the processor units are generally incorporated within the larger substation BCS ESP, where applicable
Slide 20
IEC 61850 and the CIP Standards
• Standards and Requirements directly addressing Low impact BES Assets containing Low impact BCS [LIBCS]:
  – BCUC: CIP-003-5 [R2]
  – NERC: CIP-003-6 [R1.2, R2]
  – NERC: CIP-003-7 [R1.2, R2]
Slide 21
IEC 61850 in BCUC CIP-003-5
• Current approved version in the BCUC footprint
  – Becomes effective on October 1, 2018
  – Does NOT directly address IEC 61850 communications links
  – R2 currently requires cyber security policies and processes for Low impact BES Assets covering:
    • Electronic access controls for external routable protocol connections and Dial-up connectivity (R2.3, p. 5)
• Will BCUC adopt a more recent version of the CIP-003 Standard that integrates additional physical security and electronic access controls for Low impact BES Assets before October 1, 2018?
Slide 22
IEC 61850 in NERC CIP-003-6
• Current effective version in the NERC footprint
• Contained within the Glossary definition of Low Impact External Routable Connectivity (LERC):
  – "Bi-directional routable communications between low impact BES Cyber System(s) and Cyber Assets outside the asset containing those low impact BES Cyber System(s). Communication protocols created for Intelligent Electronic Device (IED) to IED communication for protection and/or control functions from assets containing low impact BES Cyber Systems are excluded (examples of this communication include, but are not limited to, IEC 61850 GOOSE or vendor proprietary protocols)." (NERC, 2014, Definitions of Terms, p. 1)
Slide 23
IEC 61850 in NERC CIP-003-6
• Applied within R2 (Attachment 1 – Section 3)
  – Section 3 - Electronic Access Controls: Examples of evidence for Section 3 may include, but are not limited to:
    • Documentation showing that inbound and outbound connections for any LEAP(s) are confined to only those the Responsible Entity deems necessary (e.g., by restricting IP addresses, ports, or services);
• LEAPs are required for Low impact BES Assets containing LIBCS using LERC
• The definitions specifically exclude "point-to-point communications between intelligent electronic devices that use routable communication protocols for time-sensitive protection or control functions between Transmission station or substation assets containing low impact BES Cyber Systems," such as IEC 61850 messaging (G&TB section, p. 28)
• The LERC and LEAP Glossary terms will be retired on the effective date of CIP-003-7
Slide 24
IEC 61850 in NERC CIP-003-7
• Proposed revision in the NERC footprint
• Contained within R2 (Attachment 1 – Section 3)
• Section 3. Electronic Access Controls: For each asset containing low impact BES Cyber System(s) identified pursuant to CIP-002, the Responsible Entity shall implement electronic access controls to:
  – 3.1 Permit only necessary inbound and outbound electronic access as determined by the Responsible Entity for any communications that are:
    i. between a low impact BES Cyber System(s) and a Cyber Asset(s) outside the asset containing low impact BES Cyber System(s);
    ii. using a routable protocol when entering or leaving the asset containing the low impact BES Cyber System(s); and,
    iii. not used for time-sensitive protection or control functions between intelligent electronic devices (e.g. communications using protocol IEC TR-61850-90-5 R-GOOSE).
Slide 25
IEC 61850 & CIP Protections
• Protect local IEC 61850 installations by applying the required CIP protections to the periphery of your IEC-enabled installations
• Protect the electronic access control points, as applicable
  – CIP-005-5: EACMS for Medium BCS w/ ERC
  – CIP-003-7 R2 Section 3: electronic access controls for LIBCS
[Figure: substation network (IEDs on an Ethernet switch; legacy IEDs on a communications processor) behind an Electronic Access Control Point, with a SCADA link to the BES Control Center(s); the control center side is labeled "Protected by CIP Standards"]
Slide 26
IEC 61850 & CIP Protections
• What about the transfer-trip [TT] communications links that are exempted from CIP-003-7 Section 3 controls?
• Ensure TT links are point-to-point direct connections.
• Protect TT links physically and with CIP electronic access control protections on both ends.
• What about the SCADA links?
[Figure: two substations, each with IEDs on an Ethernet switch and legacy IEDs on a communications processor behind an Electronic Access Control Point, each with a SCADA link to the BES Control Center(s); TT links run between the substations; the control center ends are labeled "Protected by CIP Standards"]
Slide 27
CIP-012-1 – Future Standard
• Addresses cybersecurity protections for data in transit between key Control Centers
• Proposed modifications to the Control Center definition
• [R1] Requires documented plans "to mitigate the risk of unauthorized disclosure or modification of data used for Operational Planning Analysis, Real-time Assessments, and Real-time monitoring while being transmitted between Control Centers"
  – Excludes oral communications between Control Centers
  – [R1.1] "Risk mitigation shall be accomplished by one or more of the following actions:"
    • "Physically protecting the communication links transmitting the data;"
    • "Logically protecting the data during transmission; or"
    • "Using an equally effective method to mitigate the risk of unauthorized disclosure or modification of the data."
• [R2] "The Responsible Entity shall implement the plan(s) specified in Requirement R1, except under CIP Exceptional Circumstances"
Slide 28
Scope of CIP-012-1
(NERC, 2017 Aug 11, Technical Rationale for CIP-012-1, p. 5)
• Extends cyber security protections to communications networks between key Control Centers with High and Medium BCS
[Figure: Control Center communications diagram from the Technical Rationale; callout: "Not addressed in CIP-012-1, but consider SCADA links to substations and TT links"]
Slide 29
Agenda Topic Three [PGRR]
Developing Power Grid Resiliency & Reliability (in terms of IEC 61850 and similar protocols)
Slide 30
Preventing Attacks to the Grid
• Companies have been slow to invest the capital funds necessary to update and protect Cyber Assets, with some devices running 30-year-old Operating Systems on critical infrastructure ICS (Kushner, 2013)
• Electric industry participants must step up the pace to improve and enhance their overall cybersecurity posture
• Federal, provincial, and regional efforts are currently in place to support cybersecurity
Slide 31
Preventing Attacks to the Grid
• Supporting cybersecurity measures in the North American electrical grid is a massive undertaking, given its size and complexity, as well as the number and variety of electrical industry participants
Slide 32
Recent Cybersecurity Developments
• Regulatory Developments [CIPv5 Standards]
  – Current CIP Standards, including those that directly address cyber or physical attacks
    • CIP-007-6 [System Security Management for Cyber Assets]
    • CIP-014-2 [Physical Security for Transmission Facilities]
  – Changes to existing CIPv5 Standards to promote better defenses against automated attacks (pending FERC approval)
    • CIP-003-7 [Security Management Controls]
    • CIP-005-6 [Electronic Security Perimeters]
    • CIP-010-3 [Configuration Change Management & Vulnerability Assessment]
  – New CIP Standards (pending NERC/FERC approval)
    • CIP-012-1 [Control Center Communication Networks]
    • CIP-013-1 [Supply Chain Risk Management]
Slide 33
Power Grid Resilience
• KPMG (2017) published a white paper that recognized the threats posed by cybersecurity attacks on the BES to U.S. national security and summarized key points for developing countermeasures and resiliency, including (pp. 2-3):
  – Build success through business transformation
  – Do not assume technology is the "silver bullet"
  – Drive transformation through senior leaders
  – Maintain a risk management approach
  – Continually monitor risks and results
  – Embed good cybersecurity practices in routine management of critical assets and infrastructure
  – Align cybersecurity with business priorities and initiatives
  – Adopt best practices in cybersecurity
  – Build a first-class cyber workforce
Slide 34
Power Grid Resilience
• A recent Department of Energy report (DOE, 2017) discussed electrical infrastructure resiliency in terms of hardening against and recovery from cyber attacks and severe natural events (p. 63):
  – "Hardening refers to physically changing infrastructure to make it less susceptible to damage."
  – "Recovery refers to the ability of an energy facility to recover quickly from damage to any of its components or to any of the external systems on which it depends – typically through storage and redundancy."
• Recovery measures do not prevent damage, but enable continued operations despite damage and a more rapid return to normal operations.
• Electrical entities should consider advance planning for contingencies, interagency coordination, and training exercises to develop an effective restoration process. [See also CIP-008-5: R1-R3]
Slide 35
ICS Specific Attacks
• Industroyer (Cherepanov & Lipovsky, 2017) and Crashoverride (Dragos, 2017, pp. 15-25) have general and protocol-specific modules that attack ICS components to manipulate device controls, deny visibility and control to system operators, and wipe valid configurations
• Launcher Module
  – Loads payload modules to manipulate the ICS and destroy device capability via the wiper function
• Wiper Module
  – Clears registry keys associated with system services
  – Overwrites all ICS config files
  – Overwrites generic Windows files
  – Renders the system unusable
Slide 36
ICS Specific Attacks: IEC 104
• The Crashoverride IEC 104 module is a complete implementation of IEC 104 that serves in the Master role
• Provides substation automation manipulation, but can be tailored for specific functionality
• Exposed functions are only limited by the configuration options for a specific target (e.g., RTU or relay)
• Reads a config file defining the target and desired actions
• Kills the legitimate master process on the target host
• Masquerades as the new master process in various modes
  – Sequence mode continuously sets RTU Information Object Addresses [IOAs] to open
  – Range mode
    • Interrogates each RTU for valid IOAs
    • Toggles each IOA between open and closed states
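The module behaviour above translates directly into patterns a passive monitor on the station bus can see. The following is an added example (not code from these slides or from the Dragos report) that builds a handful of IEC 60870-5-104 I-format APDUs from constructed values, parses them back, and flags the three behaviours described: activation commands from a source that is not the allow-listed master, a run of consecutive single commands setting IOAs to OFF (sequence mode), and an interrogation followed by an IOA being toggled both ways (range mode). The source addresses, the common address of ASDU, the IOA range and the run-length threshold are assumptions for the example.

```python
"""Flag Crashoverride-style IEC 60870-5-104 master behaviour in captured APDUs.

Added example, not code from the CEATI slides or the Dragos report. The capture
below is constructed inline; the allow-listed master address and the threshold of
consecutive OPEN commands are assumptions a real deployment would tune.
"""
import struct
from collections import Counter, defaultdict

# ASDU type identifiers (IEC 60870-5-101/104)
C_SC_NA_1 = 45    # single command
C_DC_NA_1 = 46    # double command
C_IC_NA_1 = 100   # (general) interrogation command
COT_ACTIVATION = 6
ONE_BYTE_ELEMENT = {C_SC_NA_1, C_DC_NA_1, C_IC_NA_1}


def build_apdu(type_id, cot, ca, ioa, element, ns=0, nr=0):
    """Build an I-format APDU carrying one information object (SQ=0)."""
    ctrl = struct.pack("<HH", ns << 1, nr << 1)          # N(S), N(R); bit0 = 0 -> I-format
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, ca)  # type, VSQ=1, COT, originator, CA
    asdu += ioa.to_bytes(3, "little") + bytes([element])
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def parse_apdu(data):
    """Parse an I-format APDU into its ASDU fields; None for S/U frames or bad input."""
    if len(data) < 12 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None
    if data[2] & 0x01:                   # bit0 set -> S- or U-format, carries no ASDU
        return None
    type_id, vsq, cot_raw, _orig, ca = struct.unpack("<BBBBH", data[6:12])
    objs, off, n, sq = [], 12, vsq & 0x7F, vsq >> 7
    if type_id in ONE_BYTE_ELEMENT:      # only the command types this detector needs
        base = int.from_bytes(data[off:off + 3], "little") if sq else None
        if sq:
            off += 3
        for i in range(n):
            if sq:
                ioa = base + i           # SQ=1: one IOA, consecutive objects follow
            else:
                ioa, off = int.from_bytes(data[off:off + 3], "little"), off + 3
            if off >= len(data):
                return None
            objs.append((ioa, data[off]))
            off += 1
    return {"type": type_id, "cot": cot_raw & 0x3F, "ca": ca, "objs": objs}


def analyse(frames, allowed_masters, seq_threshold=5):
    """frames: iterable of (src_ip, apdu_bytes) in capture order -> [(src_ip, finding)]."""
    findings, unknown_seen, interrogated = [], set(), set()
    open_run = Counter()            # src -> consecutive OPEN (SCS=0) single commands
    seen_scs = defaultdict(set)     # (src, ioa) -> SCS values commanded since last alert
    for src, raw in frames:
        a = parse_apdu(raw)
        if a is None or a["cot"] != COT_ACTIVATION:   # RTU confirmations (COT 7) are ignored
            continue
        if src not in allowed_masters and src not in unknown_seen:
            unknown_seen.add(src)
            findings.append((src, f"activation (type {a['type']}) from unexpected master"))
        if a["type"] == C_IC_NA_1:
            interrogated.add(src)
        elif a["type"] == C_SC_NA_1:
            for ioa, sco in a["objs"]:
                scs = sco & 0x01        # 0 = OFF (breaker open), 1 = ON; assumption per module description
                open_run[src] = open_run[src] + 1 if scs == 0 else 0
                if open_run[src] == seq_threshold:
                    findings.append((src, "sequence mode: repeated OPEN commands"))
                seen_scs[(src, ioa)].add(scs)
                if src in interrogated and seen_scs[(src, ioa)] == {0, 1}:
                    findings.append((src, f"range mode: IOA {ioa} toggled after interrogation"))
                    seen_scs[(src, ioa)].clear()
    return findings


# Constructed capture: one operator command, then a rogue master doing interrogation,
# a sweep of OPEN commands across IOAs, and a toggle of the first IOA back to ON.
LEGIT, ROGUE = "10.0.1.10", "10.0.1.77"
SAMPLE_CAPTURE = (
    [(LEGIT, build_apdu(C_SC_NA_1, COT_ACTIVATION, 1, 1001, 0x01))]
    + [(ROGUE, build_apdu(C_IC_NA_1, COT_ACTIVATION, 1, 0, 20))]
    + [(ROGUE, build_apdu(C_SC_NA_1, COT_ACTIVATION, 1, ioa, 0x00)) for ioa in range(1001, 1007)]
    + [(ROGUE, build_apdu(C_SC_NA_1, COT_ACTIVATION, 1, 1001, 0x01))]
)

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_CAPTURE, allowed_masters={LEGIT}):
        print(src, finding)
```

Fed with frames reassembled from a real station-bus capture (source address plus APDU bytes), the same logic applies unchanged. Double commands (C_DC_NA_1, DCS 1 = OFF / 2 = ON) are parsed here but would need the same run-length and toggle checks; the detector only counts activations (COT 6), so the RTU's own confirmations never register as commands.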
Slide 37
ICS Specific Attacks: IEC 101
• The IEC 101 module has similar capabilities to the IEC 104 module, but operates over serial connections instead of Ethernet.
[Figure: legacy IEDs on a communications processor; IEDs on an Ethernet switch]
Slide 38
ICS Specific Attacks: IEC 61850
• The IEC 61850 module leverages available configuration files to identify targets
• Absent a configuration file, the module enumerates the local network to identify potential targets
• Communicates with the targets to identify whether or not the target has control capability for circuit breakers
• Can change the state of some variables while generating an action log
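The module's first step, reading configuration files to find control-capable targets, is the same inventory a defender should run first. The following is an added example (not from these slides or from any vendor tool) that parses a minimal IEC 61850 SCL document, constructed here for illustration, and lists every logical node that exposes switching control together with the station-bus IP address of its IED taken from the Communication section. Treating XCBR, CSWI and XSWI as the control-capable logical node classes is an assumption of the example.

```python
"""Inventory breaker-control logical nodes from an IEC 61850 SCL (CID/SCD) file.

Added example, not part of the CEATI slides or of any vendor tool. The SCL document
below is constructed for illustration; a real CID/SCD carries the same elements.
The lnClass set treated as control capable is an assumption for this example.
"""
import xml.etree.ElementTree as ET

NS = {"scl": "http://www.iec.ch/61850/2003/SCL"}

# Logical node classes that expose switching controls (assumption):
# XCBR = circuit breaker, CSWI = switch controller, XSWI = disconnector/earthing switch.
CONTROL_LN_CLASSES = {"XCBR", "CSWI", "XSWI"}

# Constructed SCL: one protection IED with breaker control, one merging unit without.
SAMPLE_SCL = """<SCL xmlns="http://www.iec.ch/61850/2003/SCL" version="2007" revision="B">
  <Communication>
    <SubNetwork name="StationBus" type="8-MMS">
      <ConnectedAP iedName="PROT_LINE1" apName="S1">
        <Address><P type="IP">10.0.1.20</P><P type="IP-SUBNET">255.255.255.0</P></Address>
      </ConnectedAP>
      <ConnectedAP iedName="MU_BAY1" apName="S1">
        <Address><P type="IP">10.0.1.30</P></Address>
      </ConnectedAP>
    </SubNetwork>
  </Communication>
  <IED name="PROT_LINE1" manufacturer="ExampleVendor">
    <AccessPoint name="S1"><Server>
      <LDevice inst="CTRL">
        <LN0 lnClass="LLN0" inst="" lnType="LLN0_T"/>
        <LN prefix="Q0" lnClass="CSWI" inst="1" lnType="CSWI_T"/>
        <LN prefix="Q0" lnClass="XCBR" inst="1" lnType="XCBR_T"/>
        <LN prefix="" lnClass="PTOC" inst="1" lnType="PTOC_T"/>
      </LDevice>
    </Server></AccessPoint>
  </IED>
  <IED name="MU_BAY1" manufacturer="ExampleVendor">
    <AccessPoint name="S1"><Server>
      <LDevice inst="MU01">
        <LN0 lnClass="LLN0" inst="" lnType="LLN0_T"/>
        <LN prefix="" lnClass="TCTR" inst="1" lnType="TCTR_T"/>
      </LDevice>
    </Server></AccessPoint>
  </IED>
</SCL>"""


def ied_addresses(root):
    """Map IED name -> station-bus IP from the Communication section."""
    addrs = {}
    for cap in root.iterfind(".//scl:Communication//scl:ConnectedAP", NS):
        ip = cap.find("./scl:Address/scl:P[@type='IP']", NS)
        if ip is not None and ip.text:
            addrs[cap.get("iedName")] = ip.text.strip()
    return addrs


def control_points(scl_text):
    """Return [(ied_name, ip, 'LDevice/PrefixLNClassInst'), ...] for control-capable LNs.

    IEDs with no IP in the Communication section are reported with 'n/a' so that an
    incomplete SCL file does not silently hide a control point.
    """
    root = ET.fromstring(scl_text)
    addrs = ied_addresses(root)
    points = []
    for ied in root.iterfind("scl:IED", NS):
        name = ied.get("name")
        for ld in ied.iterfind(".//scl:LDevice", NS):
            for ln in ld.iterfind("scl:LN", NS):
                if ln.get("lnClass") in CONTROL_LN_CLASSES:
                    ref = f"{ld.get('inst')}/{ln.get('prefix', '')}{ln.get('lnClass')}{ln.get('inst')}"
                    points.append((name, addrs.get(name, "n/a"), ref))
    return points


if __name__ == "__main__":
    for ied, ip, ref in control_points(SAMPLE_SCL):
        print(f"{ied:<12} {ip:<12} {ref}")
```

Run against your own CID/SCD files, the output is the list of hosts whose MMS control traffic most deserves monitoring and whose configuration files most need to be protected; it is also exactly what an intruder learns from a copied engineering workstation.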
Slide 39
ICS Specific Attacks: OPC DA Module
• Attacks the OLE for Process Control Data Access [OPC DA] function, which defines how real-time data can be transferred between a data source and a data sink (i.e., a PLC and an HMI) without the need to understand each device's native protocol
• Does not require a configuration file
• Enumerates all OPC servers and associated items, looking for the subset containing the "ctl" string
• Overwrites the item value with 0x01 twice, which produces a "primary value out of limits" device status, effectively disabling the device
Slide 40
ICS Specific Attacks: DoS Module
• Denial of Service [DoS] attack mode
• Specific to Siemens SIPROTEC relays using the EN100 module to enable IEC 61850 communications
• Sends UDP packets to port 50000 exploiting the CVE-2015-5374 vulnerability, causing the relay to fall into an unresponsive state
• Siemens released a patch for this vulnerability in July 2015 (Siemens Advisory SSA-732541)
  – Should have been installed under CIP-007-6 R2 for Medium BCS, including transmission protection systems
  – May not have been installed under the current CIP Requirements applicable to LIBCS
• Has this module been adapted for other vendor devices using similar communications characteristics?
Slide 41
ICS Attack Outcomes
• All of these modules can result in systems that perform actions on the wrong information, report incorrect information to system operators, and/or render the target device unusable and unrecoverable by system operators.
• Hampering protective schemes by disabling relays can expand an islanding event and may trigger larger events such as uncontrolled separation or cascading outages.
• Denial of visibility into system status amplifies confusion during the outage recovery phase, as operator system views may show breakers as closed when they are actually open.
• Outages may be extended by the need for local repairs to firmware and configuration files for each affected device.
Slide 42
ICS Defense Recommendations
• A prudent entity will implement the required CIP protections for transmission protection systems, but look beyond the Standards to ensure the reliability of the BES.
• Always observe basic physical and cybersecurity practices, including ports and services security [CIP-007-6 R1], security patch management [CIP-007-6 R2], malicious code detection [CIP-007-6 R3], system access controls [CIP-007-6 R5] and Interactive Remote Access controls [CIP-005-5 R2], and Transient Cyber Asset [TCA] and Removable Media [RM] precautions [CIP-010-2, R4; CIP-003-7, R1.2.5 (see also Attachment 1 – Section 5)].
Slide 43
ICS Defense Recommendations
• Dragos (2017) provided recommendations for ICS protections (pp. 26-27):
  – Have a clear understanding of how DNP3, IEC 104, IEC 61850, and OPC protocols are used within your ICS, and do not rely on the use of protocols, such as DNP3, as a protection mechanism
  – Maintain robust backups of project logic, IED configuration files, and ICS application installers offsite and tested (CIP-009-6: R1-R3; CIP-010-2: R1-R2)
  – Prepare incident response plans and perform regular tests, including the need for manual operations in field locations while recovering the SCADA system and gathering forensic data (CIP-008-5)
  – Consider the use of tools like YARA to search for possible infections
  – Air-gapped networks, unidirectional firewalls, anti-virus in the ICS, and other passive and architectural defenses may not be effective against an aggressive adversary. Train and deploy human defenders
Slide 44
ICS Defense Recommendations
• KPMG (2017) cited a February 2017 report from the Defense Science Board Task Force on Cyber Deterrence in the Aerospace and Defense sector that identified the need for "a more proactive and systematic approach to U.S. cyber deterrence" (p. 15)
• KPMG also identified three major areas to build deterrence to cyber attacks in the critical infrastructure (p. 15):
  – Heightened standards
  – Improved data governance
  – Deeper industry cooperation
Slide 45
ICS Defense Recommendations
• KPMG (2017, p. 16) recognized that leading organizations:
  – Emphasize deterrence and prevention,
  – Develop strategies that identify and implement best practices in advance to understand risks and ensure resilience through mitigation strategies,
  – Enhance detection and response capabilities to minimize the impact of cyber attacks on ICS,
  – Identify the "root cause" of the intrusion to prevent future attacks, and
  – Address audit findings in a timely manner.
Slide 46
Speaker Contact Information
Joseph B. Baugh, Ph.D., MBA, PMP, CISA, CISSP, CRISC, CISM, PSP
Senior Compliance Auditor - Cyber Security
Western Electricity Coordinating Council (WECC)
jbaugh (at) wecc (dot) biz (C) 520.331.6351 (O) 360.600.6631
Slide 47
References
• BAE Systems. (2017a). The nation state actor: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-nation-state-actor
• BAE Systems. (2017b). The activist: Cyber threats, methods, and motivations. Retrieved from http://www.baesystems.com/en/cybersecurity/feature/the-activist
• Cherepanov, A., & Lipovsky, R. (2017 June 12). Industroyer: Biggest threat to industrial control systems since Stuxnet. Retrieved from https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
Slide 48
References
• Constantin, L. (2014 June 24). New Havex malware variant targets industrial control system and SCADA users. PC World. Retrieved from https://www.pcworld.com/article/2367240/new-havex-malware-variants-target-industrial-control-system-and-scada-users.html
• Department of Energy [DOE]. (2017 August). Staff report to the Secretary on electricity markets and reliability. Retrieved from https://energy.gov/sites/prod/files/2017/08/f36/Staff%20Report%20on%20Electricity%20Markets%20and%20Reliability_0.pdf
• Dolezilek, D. J. (2010, October). IEC 61850: What you need to know about functionality and practical implementation. SEL Journal of Reliable Power, 1(2), 1-17. Retrieved from https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6170_IEC61850WhatYouNeed_20050304_Web.pdf?v=20151125-081713
Slide 49
References
• Dragos Inc. (2017 June 12). Crashoverride: Analysis of the threat to electric grid operations [v2.20170613]. Retrieved from https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
• E-ISAC & SANS. (2016 March 18). Analysis of the cyber attack on the Ukrainian power grid: Defense use case. Retrieved from http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
• Greenberg, A. (2017 Sept 6). Hackers gain direct access to US power controls. Wired. Retrieved from https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/amp
Slide 50
References
• Idaho National Laboratory [INL]. (2016 August). Cyber threat and vulnerability analysis of the U.S. electric sector: Mission Support Center analysis report. Retrieved from https://energy.gov/epsa/downloads/cyber-threat-and-vulnerability-analysis-us-electric-sector
• KPMG. (2017 August). Strengthening cybersecurity of federal networks and critical infrastructure: Perspectives on implementation challenges and leading practices. Retrieved from http://www.kpmg-institutes.com/content/dam/kpmg/governmentinstitute/pdf/2017/presidential-executiveorder-whitepaper.pdf
• Kushner, D. (2013 Feb 26). The real story of Stuxnet: How Kaspersky Labs tracked down the malware that stymied Iran's nuclear-fuel enrichment program. IEEE Spectrum. Retrieved from https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Slide 51
References
• NERC. (2017 Aug 11). Technical rationale and justification for Reliability Standard CIP-012-1. Retrieved from http://www.nerc.com/pa/Stand/Project%20201602%20Modifications%20to%20CIP%20Standards%20DL/2016-02_Technical_Rationale_and_Justification_CIP-012-1_08142017.pdf
• Nelson, N. (2016 Jan 18). The impact of Dragonfly malware on industrial control systems. SANS Institute InfoSec Reading Room. Retrieved from https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672
• Zetter, K. (2014 Nov 3). An unprecedented look at Stuxnet, the world's first digital weapon. Wired. Retrieved from https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/