Securing Control Systems in the Oil and Gas Infrastructure
The I3P SCADA Security Research Project
Ulf Lindqvist, SRI International
[email protected]
Seminar at UC Berkeley
Nov. 17, 2005
This work was supported under Award number 2003-TK-TX-0003 from the U.S. Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the authors and do not necessarily represent the official position of the U.S. Department of Homeland Security or the Science and Technology Directorate. The I3P is managed by Dartmouth College.
What Is The I3P?
The Institute for Information Infrastructure Protection
Funded by Congress, managed by Dartmouth College with oversight from DHS
Established in 2001 to identify and address critical research problems facing our nation’s information infrastructure
Consortium of 27 universities, non-profit research institutions, and federal labs
What Is This Research Project?
Two-year applied research effort to improve cyber security for control systems/SCADA
Specific focus on oil & gas industry
Help industry better manage risk by
• providing risk characterization
• developing and demonstrating new cyber security tools and technologies
• enhancing sustainable security practices for control systems
An Important Problem
Oil and gas processing is controlled by computer systems
Trend toward general-purpose platforms and universal connectivity
These systems are vulnerable to cyber attack
An attack could have severe consequences for
• Human lives
• The environment
• The economy
Example: Pipelines
June 10, 1999: In Bellingham, Washington, a gasoline pipeline operated by Olympic Pipeline Company ruptured
237,000 gallons of gasoline were released into Whatcom Creek
The gasoline ignited, sending a fireball racing down the creek
Two 10-year-old boys and an 18-year-old man were killed
SCADA system problems were a partial cause
Why Is There A Problem?
Control system side
• Top priority is reliability and availability, not security
• Traditionally relied on obscurity and isolation
• Trend: using general hardware and OS
• Owner/operator companies are in the hands of vendors
• Vendors often have backdoor modem lines
• Default passwords
IT side
• Traditional security tools may not work for control systems
• IT people do not know control systems
• Enterprise networks are being connected to control systems
• Control systems are overlooked because they are not managed by IT
Goals
Demonstrated improved cyber security in the Oil & Gas infrastructure sector
• New research findings
• New technologies
Significantly increased awareness of
• Security challenges and solutions
• The capabilities of the I3P and its members
Approach
Build upon ongoing cyber security research to apply to the process control arena
Develop tools and technology which could enhance the robustness of critical infrastructure process control systems
Focus on the oil and gas sector by partnering with industry
Develop research collaborations with other institutions with cyber security domain expertise
Communicate and demonstrate results of the research
Project Overview
Diagram: the Oil and Gas Industry supplies Requirements and Information; the project returns Technology Transfer through Workshops and Demonstrations. Research topics and lead institutions:
• Topic 1 – Risk Characterization (SNL)
• Topic 2 – Interdependencies (UVa)
• Topic 3 – Metrics (PNNL)
• Topic 4 – Security Tools (MIT/LL)
• Topic 5 – Information Sharing (MITRE)
• Topic 6 – Tech Transfer (SRI)
Research Team
Topic 1 – Risk Characterization
Problem: What is the risk to infrastructure caused by potential vulnerabilities of the process control systems?
Approach:
• Year 1 and 2 SCADA risk workshops focused on the oil and gas sector to collect data for all tasks in the plan
• Aggregate information from owners, operators, and domain experts
• Analysis of the data to determine classes of SCADA systems, to include vulnerabilities, threats, consequences, and risks for SCADA security
• Development of attack taxonomy and mitigation strategy analysis
• Profiles of security situations, generalized threats, classes of consequences
• Best Practices handbook information
Topic 1 – First Year Workshop
The workshop was held in Houston, Texas, on June 2-3, 2005. Sample highlights from industry breakout sessions:
• On-site contractors present a major vulnerability to facility and IT/SCADA security
• Attackers can use easily accessible emergency response plans and identification of key personnel to amplify attacks
• Vendors are only able to provide the products (including security) demanded by their clients
• Cost and certification of security measures are a concern
• Systems in the oil & gas industry represent a wide range of maturation levels, from beginner to advanced
• Need to include consideration of all systems: legacy, modern, and heterogeneous
• Most control systems in use today are insecure by design
Topic 1 – Results
• One page summary of workshop
• Workshop analysis report being prepared: industry perspectives, profiles of security situations, technological profiles, understanding the threat, consequences and measures, industry risk trends
Future Work
• Attack taxonomy
• Interim and final risk characterization reports
• Risk characterization to quantify security impact and improve business case
• 2nd workshop focused on technical demonstrations, June 8, 2006 in La Jolla, CA
Topic 2 – Interdependencies
Assess the degree of SCADA dependence and associated risk exhibited by interlinked critical infrastructures
Understand the indirect risk to the U.S. Economy resulting from Oil & Gas SCADA system vulnerability and cyber threat potential
Develop risk management practices that reduce the risk of cascading effects resulting from system interdependencies and cyber attacks
Center for Risk Management of Engineering Systems (est. 1987)
Topic 2 – General Response Model Overview
Purpose:
1) Map cyber intrusion events to macro-economic inoperability effects
2) Integrate System Dynamics model with the Inoperability Input-Output Model (IIM) for comprehensive and tractable impact analysis
3) Use scenarios of cyber attack, information security, infrastructure resilience and emergency management systems to derive supply- and demand-side perturbations for IIM economic and inoperability impact analysis
4) Understand the role of public response to industry events in shaping, amplifying and dampening economic impact
5) Develop means by which the efficacy of candidate risk management strategies can be quantitatively evaluated
Diagram elements: Attack; SCADA-Infrastructure Response Model; Recovery Dynamics (Productivity Loss (%) vs. time); Inoperability Input-Output Model (IIM); Econ. Loss ($)
Topic 2 – General Response Model Framework
Diagram labels: SCADA-Infrastructure Response Model; Public Response; Intrusion Dynamics; Process Control Manipulation; Process Disruption; Cyber Risk Scenarios; Cyber Attack on SCADA System; Risk Management; Network Security Strategies; Recovery Dynamics; Regional Risk Management; IIM; Demand Perturbation; Supply Perturbation; Product Disruption; Physical Coupling; Physical Effects Propagation; Sector Inoperability; Economic Inoperability
Topic 3 – Security Metrics
Problem: How can the security of control systems be measured and related to business and functional requirements?
Security metrics provide tools that enable decisions based on quantitative or qualitative assessments rather than hunches or best guesses.
Lead – Pacific Northwest National Laboratory – Martin Stoddard ([email protected])
Team Members – Sandia National Laboratory, University of Virginia, The MITRE Corp.
Topic 3 – A Few Sample Metrics
Adversary work factor
Capability Maturity Model (CMM)
Security Scorecard
Assurance Levels/Categories
Risk Analysis/Security Vulnerability Assessments
Readiness Levels
Topic 3 – Approach
Phase I: Survey existing security metrics and provide a high-level view of metrics tools and their application to PCS.
Phase II: Develop detailed requirements for process control metrics. Apply existing technologies where applicable and identify gaps requiring further development.
Phase III: Prioritize the gaps from Phase II and apply research to develop the highest-priority metrics tools.
Topic 4 – Inherently Secure SCADA Systems
Problem: How do you design, verify, install and monitor secure process control systems?
Deliverables: Tools and techniques to
Support Secure Operations
• Risk management for configuration and deployment
• Assess architectural security vulnerabilities
• Model and monitor correct behavior
Enable Secure Components
• Application software
• Protocols and protocol stacks
• Operating systems
Topic 4 – Team Members
Topic Lead – MIT/LL – Rob Cunningham
Support Secure Operations
• Risk management for configuration and deployment - MITRE
• Assess architectural security vulnerabilities - University of Illinois
• Model and monitor correct behavior - SRI
Enable Secure Components
• Application software - MIT/LL
• Protocols and protocol stacks - University of Tulsa
• Operating systems - PNNL
Topic 4 – Research Strategy
Pull: Expand operator awareness of approaches to improved security
• Develop prototype tools to suggest, verify implementation, monitor systems
Push: Enable more secure vendor solutions
• Develop prototypes to improve application software, protocols, underlying operating system
• Research to support market conditions for more secure components and systems
Topic 4 – Architecture With I3P Security Components
The Traffic Assessment Tool (TAT) analyzes how well the system of firewall rules adheres to global traffic policy. The JSST is a SCADA protocol policy-aware network monitor. The HSMTU (High Security MTU) is an architecture that hardens the master control functions from. The HIDS (host intrusion detection system) and NIDS (network intrusion detection system) look for misbehavior, reported to the SIM (security incident manager).
Topic 4 – Risk Management
Approach
• Adapt established security risk assessment techniques to SCADA
– Integrate with current industry practices for managing operational/business risk
– Adjust/enhance established security risk management practices (e.g., DoD, IC)
• Represent systems, vulnerabilities, and operational consequences in operational/business terms
Product/Deliverable
• Describe the security risk problem domain relative to SCADA systems
• Describe system modeling and assessment methodology
• Prototype tool
Need Addressed
• Assess security risks of PCNs (as-used, as-built, or as-proposed) to support design/config/use decisions
– Treat security risk as component of operational/business risk
– Improve communication of operational/business risk to decision-makers
Diagram labels: SCADA Network; Security Risks; Business Risks
Topic 4 – Architectural Vulnerabilities
Firewall rules graph (figure)
Approach
• Develop exhaustive means of analyzing impact of rule sets on admitted traffic in SCADA systems
• Develop means of using system logs and records of firewall modifications to dynamically sample security implementation
• Model systems using rule sets from real implementations, optimize approach
Deliverables
• SCADA system firewall analysis methodology tool
• Demonstration of ability to detect deviations from global security policy and focus analysis on high risk areas affected by new changes to firewall rules on SCADA system security
Needs Addressed
• Relating security impact of firewall configurations and modifications to policy
• Understanding the security posture of a distributed firewall system
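The deviation check the Deliverables bullet describes, as an added example that is not the project's Traffic Assessment Tool: an ordered, first-match rule set is evaluated for a set of representative flows and every verdict is compared with a site-wide policy function, so a rule change can be judged against policy rather than read rule by rule. The subnets, the historian address 10.1.0.5, the rules and the flows are all constructed.

```python
"""Check an ordered firewall rule set against a global traffic policy.
Added example, not the I3P Traffic Assessment Tool: first-match rules are
evaluated for representative flows and every flow whose verdict deviates
from the site policy is reported. Addresses, ports and rules are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MODBUS_TCP = 502  # well-known Modbus/TCP port


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"

    def matches(self, src, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src, dst, dport, default="deny"):
    """First-match evaluation, as packet filters do it; default-deny."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return default


def policy_violations(rules, policy, flows):
    """Return (src, dst, dport, policy_verdict, ruleset_verdict) for every
    flow on which the rule set disagrees with the global policy function."""
    return [(s, d, p, policy(s, d, p), evaluate(rules, s, d, p))
            for s, d, p in flows
            if policy(s, d, p) != evaluate(rules, s, d, p)]


# Constructed site policy: only the historian (10.1.0.5) may reach the
# control LAN (10.2.0.0/16), and only over Modbus/TCP; all else is denied.
def site_policy(src, dst, dport):
    if ip_address(dst) in ip_network("10.2.0.0/16"):
        return "allow" if (src == "10.1.0.5" and dport == MODBUS_TCP) else "deny"
    return "allow"


# Constructed rule set after a "temporary" troubleshooting change (rule 2).
RULES = [
    Rule("10.1.0.5/32", "10.2.0.0/16", MODBUS_TCP, "allow"),
    Rule("10.1.7.0/24", "10.2.0.0/16", None, "allow"),  # engineering subnet opened
    Rule("10.1.0.0/16", "10.2.0.0/16", None, "deny"),
    Rule("10.1.0.0/16", "0.0.0.0/0", None, "allow"),
]

# Constructed representative flows (src, dst, dport).
FLOWS = [
    ("10.1.0.5", "10.2.0.10", MODBUS_TCP),   # historian poll: allowed by both
    ("10.1.7.22", "10.2.0.10", MODBUS_TCP),  # engineer to PLC: deviation
    ("10.1.7.22", "10.2.0.10", 22),          # SSH into control LAN: deviation
    ("10.1.3.4", "10.2.0.10", MODBUS_TCP),   # business host: denied by both
    ("10.1.3.4", "192.0.2.10", 443),         # outbound web: allowed by both
]
```

Running `policy_violations(RULES, site_policy, FLOWS)` reports the two flows admitted by the troubleshooting rule that the policy forbids; the full-enumeration version would generate flows from the rule set's own address and port boundaries instead of a hand-picked list.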
Topic 4 – Modeling and Monitoring
Approach
• Design detectors for process control systems using EMERALD algorithms and framework
• Integrate EMERALD and other detectors into correlation framework and demonstrate alert aggregation and prioritization, and incident correlation
• Model some systems and/or protocols in SAL (Symbolic Analysis Laboratory)
Deliverables
• Intrusion detectors for process control systems
• Demonstration of alert correlation across multiple heterogeneous detectors
• Formal modeling and analysis of some specific systems and/or protocols
Needs Addressed
• Process control systems are not monitored for security events – attacks could go unnoticed until it is too late
• Protocols, source code, and system designs used in control systems could contain security vulnerabilities – as observed in other applications
Diagram labels: Mission Domain; Cross-Domain Incident Correlation
Topic 4 – Application Software
Approach
• Extend software development tools to automatically instrument and test SCADA software
• Use SCADA message protocol generators, augmented with knowledge of the software implementation
Deliverable
• A prototype automated testing environment for SCADA systems
• An environment to prevent certain faults from occurring and identify mitigation strategies
Need Addressed
• All software contains defects, some of which can be maliciously exploited
• Developer tools are inadequate to eliminate those vulnerabilities
Topic 4 – Protocols
Approach
• Analyze SCADA/PCN standards (e.g., ISA SP-99, API-1164, AGA-12)
• Implement SCADA protocol stacks
• Design and implement security services for serial and layered protocols
• Model SCADA protocol stacks; verify security properties and negative protocol interactions
Products/Deliverables
• Toolkit for testing and analyzing SCADA protocols (Java SCADA Security Toolkit)
• Security tools for PCN scanning, monitoring and hardening
• Security verification tools for analyzing peer-to-peer and interlayer protocol interactions
Needs Addressed
• Securing process-related data in transit
• Mitigating vulnerabilities in SCADA carrier protocols (e.g., DNP3 over TCP, Modbus/TCP)
• Verifying security properties of SCADA protocol stacks
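The protocol-policy-aware monitoring of a SCADA carrier protocol named here and in the architecture slide (the JSST), as an added example that is not the project's toolkit: each Modbus/TCP frame is parsed (MBAP header, function code) and checked against a per-source policy saying which hosts may read, which may write, and to which unit ids. The addresses, the policy and the frames are constructed; the function codes are the public ones from the Modbus application protocol specification.

```python
"""Protocol-policy-aware monitoring of Modbus/TCP frames.
Added example in the spirit of the policy-aware network monitor and the
carrier-protocol hardening the slides describe; not the project's JSST. Frames
are parsed (MBAP header, function code) and checked against a per-source
policy. Policy, addresses and frames are all constructed."""
import struct

# Modbus public function codes (Modbus application protocol specification)
READ_CODES = {1, 2, 3, 4}     # read coils / discrete inputs / registers
WRITE_CODES = {5, 6, 15, 16}  # write single or multiple coils / registers


def parse_mbap(frame):
    """Parse the MBAP header (tid 2B, protocol id 2B, length 2B, unit id 1B)
    plus the PDU function code; raise ValueError if the frame is malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("length field %d disagrees with frame size" % length)
    return {"tid": tid, "unit": unit, "function": frame[7], "pdu": frame[7:]}


def check_frame(src_ip, frame, policy):
    """Return an alert string, or None if the frame conforms to policy.
    policy maps source IP -> {"units": allowed unit ids, "functions": allowed codes}."""
    try:
        msg = parse_mbap(frame)
    except ValueError as exc:
        return "malformed frame from %s: %s" % (src_ip, exc)
    rules = policy.get(src_ip)
    if rules is None:
        return "unknown master %s sent function %d" % (src_ip, msg["function"])
    if msg["unit"] not in rules["units"]:
        return "%s addressed unit %d outside its allowed set" % (src_ip, msg["unit"])
    if msg["function"] not in rules["functions"]:
        kind = "write" if msg["function"] in WRITE_CODES else "function %d" % msg["function"]
        return "%s issued %s not permitted by policy" % (src_ip, kind)
    return None


def monitor(traffic, policy):
    """Run every (src_ip, frame) pair through the policy; return the alerts."""
    return [a for src, fr in traffic if (a := check_frame(src, fr, policy))]


def mb(tid, unit, pdu):  # build a Modbus/TCP frame around a PDU (test-data helper)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed policy: the HMI reads only; the engineering station may also
# write, but only to unit 1.
POLICY = {
    "10.2.0.20": {"units": {1, 2}, "functions": READ_CODES},             # HMI
    "10.2.0.30": {"units": {1}, "functions": READ_CODES | WRITE_CODES},  # engineering
}

# Constructed traffic: read holding registers (3), write single register (6),
# diagnostics (8), plus one frame cut short so its length field is wrong.
TRAFFIC = [
    ("10.2.0.20", mb(1, 1, bytes([3, 0, 0, 0, 10]))),        # permitted read
    ("10.2.0.30", mb(2, 1, bytes([6, 0, 16, 0x12, 0x34]))),  # permitted write
    ("10.2.0.20", mb(3, 2, bytes([6, 0, 16, 0, 1]))),        # HMI writes: alert
    ("10.2.0.30", mb(4, 2, bytes([3, 0, 0, 0, 1]))),         # wrong unit: alert
    ("10.1.7.22", mb(5, 1, bytes([8, 0, 1, 0, 0]))),         # unknown source: alert
    ("10.2.0.20", mb(6, 1, bytes([3, 0, 0, 0, 1]))[:-1]),    # truncated: alert
]
```

`monitor(TRAFFIC, POLICY)` yields four alerts for the six constructed frames; a deployed monitor would read frames from a network tap and feed the alerts to the security incident manager the architecture slide names.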
Topic 4 – Operating Systems
Approach
• Compartmentalize access to SCADA resources
• Control and audit the actions of all users
• Encrypt the file system
Deliverables
• Secure MTU architecture design
• Secure process gatekeeper prototype
• Multi-key cryptographic file system prototype
Need Addressed
• Malicious users or programs can undetectably access or modify control systems
Topic 5 – Cross Domain Information Sharing (CDIS)
Domain: A collection of individuals, resources, and information owned by one organization that requires protection from other domains
Cross Domain Information Sharing: Exchange of information between two or more domains
Diagram labels: First Responders; Business LAN; Control Center LAN; Owner; Orders; Vendor; Flaws; Gov’t Agency; Trade Associations; Events; RTU; I/O; Internet
Topic 5 – Research Plan
• Prioritize the information sharing needs within the Gas & Oil sector
– What information sharing is taking place, but at a risk?
– What necessary information sharing is not taking place, and why not?
– What information sharing will be necessary to support new business processes?
– What information sharing would be beneficial, if properly constrained? (e.g., non-attribution)
• Identify where existing solutions do not meet critical needs
• Research, develop, and demonstrate CDIS solutions to address high priority needs
• Feed Technology Transfer
Topic 5 – Use Cases
Business LAN - Control Center LAN
• Database queries against financial databases that reside on the Business LAN
• Email containing product orders or inventory levels
• Fixed formatted messages containing product nominations or sampling results
Asset Owner - Asset Owner
• Use collaborative environment to share IDS scan results, raw log data, reconnaissance activities, attack techniques (including social engineering), forensic information, system vulnerabilities, system status information
Asset Owner - Government Agencies
• Submit formal reports of incidents to appropriate government agencies
• Coordinate with first responders and law enforcement in the event of a crisis as well as to share after action reports
Asset Owner - Vendor
• Push/pull product updates and security patches
• Discuss product features and their operational use
Topic 5 – One Solution
Industry site is accessible by authenticated members
Owners report problems to vendors
Vendors and owners report problems and solutions anonymously to industry site
Industry site analyzes anonymous data
Industry site reports analysis to government site
Diagram labels: Owner (several); Vendor (several); Industry Site; Gov Site
Topic 6 – Technology and Knowledge Transfer
We are not doing “blue sky” basic research
Transition of our results into the infrastructure is essential for success
If what we are doing is not relevant to industry cyber security needs, then we shouldn’t be doing it
In this project, we are actively working to organize and speed up the transfer process
Topic 6 – Technology Transfer Mechanisms
• Technology Transition Taskforce
• Partnerships
• Evaluations and Experiments
• Technology demonstration programs
• Structured Process for Value Creation
• SCADA Red Team Lab at Sandia National Labs
Topic 6 – Knowledge Transfer
Knowledge transfer is bidirectional: Researchers ↔ Industry
• Workshops
• Site visits
• Technical papers
• Project books will be published by ISA
• Training class offered to industry
• Working with industry groups – API, NPRA
Related Efforts
Diagram: related SCADA security efforts placed along the stages Research – Development – Test – Evaluation – Demonstration – Transition – Deployment and across sectors (Energy: Electric power; Energy: Oil and Gas; Chemical; Water and Wastewater; Telecom; Transportation (rail)). Efforts shown: SCADA SBIRs, I3P SCADA, CSSTC, LOGI2C, PCSF, NSTB
Summary
This is the only large government-funded research effort for control system security for the oil and gas infrastructure
Focused on industry needs
6 topic areas, 11 institutions, hundreds of stakeholders, thousands of lives at risk in a major cyber attack on oil & gas systems…
Contact Information
Ulf Lindqvist, Ph.D.
Program Director
Computer Science Laboratory
Direct: 650.859.2351
Fax: [redacted]
[email protected]
333 Ravenswood Avenue
Menlo Park, California 94025-3493
650.859.2000
www.sri.com