KEMA, Inc.
Ten Steps To Secure Control Systems
APPA 2005 Conference
Session: Securing SCADA Networks from Cyber Attacks
Memphis, TN, April 18, 2005
Jay Abshier, CBCP CISSP, KEMA, Inc.
Copyright KEMA Inc. Proprietary Information
Ten Steps To Secure Control Systems
• Threats?
• Why take action?
• What Can You Do Now? The Ten Steps
• NERC Standards
• Questions
Threats – In Order of Decreasing Probability
• Worms and Viruses
• Internal – Acts of Omission
• Internal – Acts of Commission
• External – Acts of Commission
Why Take Action?
If a vulnerability is exploited, in most cases the impact is a negative effect on the primary function of the control system – a failure.
A failure of one component of a system increases the probability of another component failing or of becoming a critical factor.
Most catastrophic failures involve two or more components of a system. Frequently, one of the failed components is either a human action/inaction or the control system.
Source: “Reliability @Risk: A New Paradigm for Assessing Reliability”, December 2004, The Electricity Journal
Why Take Action?
• Improved Reliability
• Increased Safety
Ten Steps To Secure Control Systems
1. Governance
2. Security Awareness & Training
3. Policies & Procedures
4. Change Management
5. Secure Architecture
6. Remote Access
7. Vulnerability & Risk Assessments
8. Incident Response
9. Configuration & Patch Management
10. Monitoring
Ten Steps To Secure Control Systems
1. Governance
2. Security Awareness & Training
3. Policies & Procedures
4. Change Management
5. Secure Architecture
6. Remote Access
7. Vulnerability & Risk Assessments
8. Incident Response
9. Configuration & Patch Management
10. Monitoring
Paper and Presentation discussing all ten available on request.
Our Focus
What Can You Do Now?
5. Secure Architecture
• Identify your critical assets.
• Define the electronic perimeter for your control environment that includes those assets.
• Isolate the control environment using firewall(s) and DMZ(s). No access by default. All communications terminate at the DMZ.
Secure Architecture (network diagram)
Diagram labels: Plant Information Network (PIN); Plant Control Network (PCN); Real time Historian; Relational Database; Users; Historian; Operator Displays; Application Server; Other Plant Information Servers; Firewall; DMZ (Database, Web Server, Terminal Server); To Corporate Network.
What Can You Do Now?
5. Secure Architecture (cont’d)
• Don’t allow browsing of the internet from the control environment.
• Don’t allow email into the control environment. Sending email out will be OK.
• Take steps to keep unauthorized devices out.
• Avoid wireless.
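To make the secure-architecture rules above checkable, here is an added example (not from the KEMA presentation) that validates a candidate firewall rule set against them: no access by default, all flows terminate at the DMZ, no internet browsing from the control environment, and no email into it. The zone names (PIN, PCN, DMZ, CORP, INTERNET), the Rule format and the sample rules are assumptions made for this example.

```python
from dataclasses import dataclass

CONTROL = {"PIN", "PCN"}        # the control environment, inside the electronic perimeter
ZONES = CONTROL | {"DMZ", "CORP", "INTERNET"}   # zone names assumed for this example
WEB_PORTS = {80, 443}
SMTP = 25

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int       # destination TCP port
    action: str     # "allow" or "deny"

def crosses_perimeter(r):
    """True if a flow has one end inside the control environment and the other end is not the DMZ."""
    inside = (r.src in CONTROL) + (r.dst in CONTROL)
    other = r.dst if r.src in CONTROL else r.src
    return inside == 1 and other != "DMZ"

def check_rules(rules, default_action="deny"):
    """Return the list of violations; an empty list means the rule set follows the deck's principles."""
    problems = []
    if default_action != "deny":
        problems.append("default action must be deny: no access by default")
    for r in rules:
        flow = f"{r.src}->{r.dst}:{r.port}"
        if r.src not in ZONES or r.dst not in ZONES:
            problems.append(f"{flow}: unknown zone")
        elif r.action != "allow":
            continue                      # explicit denies never open a path
        elif r.dst in CONTROL and r.port == SMTP:
            problems.append(f"{flow}: no email into the control environment")
        elif r.src in CONTROL and r.dst == "INTERNET" and r.port in WEB_PORTS:
            problems.append(f"{flow}: no internet browsing from the control environment")
        elif crosses_perimeter(r):
            problems.append(f"{flow}: must terminate at the DMZ, not cross it")
    return problems

# Constructed sample rule set: the last three rules break the deck's principles.
SAMPLE_RULES = [
    Rule("CORP", "DMZ", 443, "allow"),      # corporate users read the DMZ web server: ok
    Rule("PIN", "DMZ", 1433, "allow"),      # historian pushes data to the DMZ database: ok
    Rule("PIN", "DMZ", 25, "allow"),        # outbound email through a DMZ relay: ok
    Rule("DMZ", "PCN", 25, "allow"),        # inbound email relayed into the PCN: violation
    Rule("CORP", "PCN", 3389, "allow"),     # corporate RDP straight into the PCN: violation
    Rule("PCN", "INTERNET", 80, "allow"),   # web browsing from the PCN: violation
]
```

Running `check_rules(SAMPLE_RULES)` reports exactly the three flagged rules; a rule set that only talks to the DMZ comes back clean.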
What Can You Do Now?
5. Secure Architecture – Wireless
• WEP is useless.
• WPA
– Good encryption. Device authentication available.
– Vulnerable to DOS attack.
– Devices capable of WEP should be upgradeable to WPA with a firmware upgrade.
• Think of wireless as remote access.
What Can You Do Now?
5. Secure Architecture – Wireless
• 802.11i is the best solution, but requires new hardware if you already have wireless installed.
• AES encryption, device authentication available, supposed to not be vulnerable to DOS attack.
• Cisco calls 802.11i WPA2. See www.wi-fiplanet.com/tutorials
What Can You Do Now?
6. Remote Access
• Should be severely restricted.
• Try to never allow devices on the outside to become part of the Control Network.
• DMZ Application Servers, Terminal Servers and Citrix are good choices for access.
Remote Access (network diagram, same network as the Secure Architecture diagram)
Diagram labels: Plant Information Network (PIN); Plant Control Network (PCN); Real time Historian; Relational Database; Users; Historian; Operator Displays; Application Server; Other Plant Information Servers; Firewall; DMZ (Database, Web Server, Terminal Server); To Corporate Network.
What Can You Do Now?
6. Remote Access – VPNs
• IPsec VPNs using 3DES or AES encryption are a good choice if DMZ application servers and terminal servers are not available.
• Be aware that the client computer becomes part of the control environment.
• Do not allow split tunneling. Try to require anti-virus and personal firewalls. Try to enforce patch levels on software.
What Can You Do Now?
6. Remote Access – Modems
• Avoid auto-answer dial-in modems.
• Dial-back modems and encrypting modems are OK alternatives if modems are unavoidable.
What Can You Do Now?
7. Vulnerability and Risk Assessments
• Vulnerability assessments try to identify all the known vulnerabilities in a device or architecture.
• Risk assessments try to prioritize these vulnerabilities and assess the impact.
What Can You Do Now?
7. Vulnerability and Risk Assessments
• Vulnerability assessments often involve scans, which can cause problems in the control environment.
• Good probabilities for risk assessments are not available, but vulnerabilities can be prioritized using accurate relative probabilities for threats.
What Can You Do Now?
7. Vulnerability and Risk Assessments
• Risk assessments are a good way to involve the stakeholders in the process and get buy-in.
• Risk can be calculated as: Probability of Threat Occurring * Probability of Existing Controls Preventing Threat * Impact if Threat Succeeds
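An added example, not from the presentation, that applies the risk product above together with the deck's relative threat ordering (worms/viruses, then internal omission, internal commission, external commission) to rank a list of findings without absolute probabilities. The numeric weights, the sample findings, and the reading of the controls term as the probability that existing controls fail to prevent the threat are assumptions made here.

```python
MAX_IMPACT = 5

# Threats in decreasing probability, as ranked in the deck. The weights are assumed
# relative likelihoods: only their order is claimed, not their absolute values.
THREAT_WEIGHT = {
    "worm/virus": 4,
    "internal omission": 3,
    "internal commission": 2,
    "external commission": 1,
}

def risk_score(threat, p_controls_prevent, impact):
    """Deck's product: threat probability * controls term * impact.
    Assumption: the controls term is read as the probability that existing controls
    FAIL to prevent the threat (1 - P(prevent)), so stronger controls lower the score."""
    if not 0.0 <= p_controls_prevent <= 1.0 or not 1 <= impact <= MAX_IMPACT:
        raise ValueError("p_controls_prevent must be in [0, 1] and impact in 1..5")
    p_threat = THREAT_WEIGHT[threat]             # relative, not absolute
    p_controls_fail = 1.0 - p_controls_prevent
    return round(p_threat * p_controls_fail * impact, 2)

def normalised(score):
    """Scale a score to 0..1 against the worst case: most likely threat, no controls, maximum impact."""
    return round(score / (max(THREAT_WEIGHT.values()) * MAX_IMPACT), 3)

def prioritise(findings):
    """findings: (vulnerability, threat, p_controls_prevent, impact 1..5) tuples.
    Returns (vulnerability, score, normalised score) from highest to lowest risk."""
    ranked = [(v, risk_score(t, p, i)) for v, t, p, i in findings]
    ranked.sort(key=lambda x: x[1], reverse=True)
    return [(v, s, normalised(s)) for v, s in ranked]

# Constructed findings for a small plant; the control and impact values are invented.
SAMPLE_FINDINGS = [
    ("Unpatched HMI workstation", "worm/virus", 0.2, 5),
    ("Shared operator password", "internal omission", 0.3, 3),
    ("Auto-answer modem on RTU", "external commission", 0.5, 5),
    ("Unlogged configuration changes", "internal commission", 0.6, 4),
    ("Split-tunnel VPN clients", "worm/virus", 0.1, 4),
]

if __name__ == "__main__":
    for name, score, norm in prioritise(SAMPLE_FINDINGS):
        print(f"{norm:5.3f}  {score:5.1f}  {name}")
```

Because the threat weights are ordinal, the absolute scores mean nothing on their own; only the ranking and the normalised values are meant to be compared across findings.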
What Can You Do Now?
7. Vulnerability and Risk Assessments – Which Methodology To Use?
• Use a good methodology.
• For systems, use one focused on assessing the risk that a vulnerability can be exploited by a threat.
A Vulnerability/Risk Assessment Methodology
(Process diagram. Phases shown: Scoping, Risk Assessment, Prioritise & mitigation, Actions & forward planning, Review. Each phase is shown with its Inputs, Activities and Outputs; the diagram labels follow in the order they appear.)
• Documents & drawings
• Site Walkthrough/Site Survey
• Policies, procedures
• Questionnaires, interviews
• Processes
• Systems
• Risk numbers
• Vulnerabilities
• Risk database
• Vulnerability assessment
• Normalised risks
• Recommendations
• Client capabilities, investment plans etc.
• Baseline assessment
• System inventory
• Vulnerability Assessment
• Risk database or Risk assessment matrix
• Gap analysis
• Prioritised and ranked recommendations
• Work plans for gap closure
Scoping:
• Client Requirements
• Client Organization
• Client Constraints
• Project Plan
• Interview Requirements
• Questionnaires
• Document/Drawing Requirements
What Can You Do Now?
Bottom Line
• A tool or tools will not keep you secure.
• No one can guarantee your system or network is “secure”.
• Daily due diligence and a comprehensive security program is the only viable “solution”.
NERC Permanent Standard
• Jan 17 – Feb 17: Post Draft 2 and comment period
• Feb 2: Webcast on Draft 2
• Feb 18 – Apr 15: Resolve comments on Draft 2 and prepare Draft 3
• Apr 15 – May 31: Post Draft 3 and comment period
• June 1 – 30: Resolve comments on Draft 3 and prepare for ballot
• July 1 – 31: 30 day posting prior to ballot
• Aug 1 – 30: 2 rounds of ballots
• August 13: NERC 1200 expires
• Sept 1 – 30: 30 day posting prior to NERC Board adoption
• October 1: NERC Board adopts standards
• November 1: Standards become “Effective”
• 1st Quarter 2006: Self certification and audit begins
NERC Permanent Standard
• CIP–002–1 Critical Cyber Assets
• CIP–003–1 Security Management Controls
• CIP–004–1 Personnel and Training
• CIP–005–1 Electronic Security
• CIP–006–1 Physical Security
• CIP–007–1 Systems Security Management
• CIP–008–1 Incident Reporting and Response Planning
• CIP–009–1 Recovery Plans
NERC Permanent Standard
What it covers:
• SCADA/Control Center
• Power plant control systems (many exceptions)
• Transmission substations
What it doesn’t:
• Many power plants
• Distribution
• Telecom
• Requirement for understanding control systems
Ten Steps To Secure Control Systems
Questions?
For more information:
Jay Abshier, CBCP CISSP
713.240.4146 (mobile)
832.717.3072 (office)
[email protected]