SCADA Security
SCADA Security. Prepared for SECA XVI Conference, Brooklyn Park, Minnesota, October 9, 2000. Prepared by Jeff Dagle, Pacific Northwest National Laboratory, Richland, Washington, (509) 375-3629, [email protected].


SCADA Security

Prepared for

SECA XVI Conference

Brooklyn Park, Minnesota

October 9, 2000

Prepared by

Jeff Dagle

Pacific Northwest National Laboratory

Richland, Washington

(509) 375-3629

[email protected]


Outline

  • Context: Current Trends in Industry

    • Information Technology

    • Implications of Restructuring

  • Federal Perspective

    • Critical Infrastructure Protection Initiative

    • DOE Vulnerability Assessment Activity

  • SCADA Security

    • Trends and Implications

    • Vulnerability Demonstration

    • Mitigation Strategies


Information Technology Trends

[Figure labels: Risk, Dependency]

  • Increasing:

    • enterprise dependence on IT

    • connectivity and standardization

    • access to information assets

    • dependencies on other infrastructures

  • Role of the Internet

    • E-Biz projected increase from $8B (‘97) to $320B (‘02)

    • Utility E-Biz projection: $2B (‘97) to $10B (‘02)

  • Information technologies are becoming inseparable from the core business of businesses


Information Technology Anecdotes

Hacker Trends

  • First computer virus conceived in 1987 -- today there are 30,000 (10 more each day)

  • Hacker software and sophistication increasing exponentially

  • More than 1/2 of the 50 largest banks report significant network attacks in ‘98

  • Gas/electric utility reports over 100,000 scans per month

  • Distributed denial of service attacks against e-commerce sites

Response

  • FBI computer caseload: 200 cases to 800 cases in last two years -- number of cases now agent limited

  • IT security gaining increased attention in auditing, insurance and underwriting communities

  • $1.6 trillion forecast world wide to deal with cyber challenges. $6.7 billion in first 5 days of response to “I Love You”


Information Age Threat Spectrum

  • National Security Threats

    • Info Warrior: Reduce U.S. Decision Space, Strategic Advantage, Chaos, Target Damage

    • National Intelligence: Information for Political, Military, Economic Advantage

  • Shared Threats

    • Terrorist: Visibility, Publicity, Chaos, Political Change

    • Industrial Espionage: Competitive Advantage, Intimidation

    • Organized Crime: Revenge, Retribution, Financial Gain, Institutional Change

  • Local Threats

    • Institutional Hacker: Monetary Gain, Thrill, Challenge, Prestige

    • Recreational Hacker: Thrill, Challenge


Energy Incidents and Anecdotes

  • DOE database reports 20,000 attacks on lines, substations, and power plants from 1987 to 1996 – many attacks continue

  • 1997 San Francisco outage – probably an insider

  • June 1999 Bellingham pipeline explosion accompanied by SCADA failure

  • Belgium & US (Mudge) hackers threaten to shut down electric grid (Fall ‘99)

  • Hacker controls Gazprom natural gas in Russia (Spring 2000)

  • Potential plot to attack nuclear plant during Sydney Olympics


Trends - Restructuring

  • Industry downsizing

    • 20% or more reductions of staff over last five years

    • Physical and IT security implications – “Doing more with less”

  • Mergers

    • Increased 4x between 1990 and 1997

    • Keeping staff trained and updated

    • New business & players

  • Open access and open architecture systems

    • Mandated by regulation

    • Maintainability and low cost – security implications?



National Action

July 1996 - President’s Commission on Critical Infrastructure Protection (PCCIP)

October 1997 - PCCIP report (Critical Foundations: Protecting America’s Infrastructures)

“Waiting for disaster is a dangerous strategy. Now is the time to act to protect our future.”

May 1998 - Presidential Decision Directive 63: Policy on Critical Infrastructure Protection

“Certain national infrastructures are so vital that their incapacitation or destruction would have a debilitating impact on the defense or economic security of the United States”


National Organizational Structure

Proposed by Critical Infrastructure Protection PDD

[Organization chart; the labels recoverable from the figure are listed below]

  • Chart areas: Policy & Program Management; Crisis Management

  • Organizations shown: EOP; President; National Security Advisor; National Infrastructure Assurance Council; OSTP (R&D); National Coordinator; Critical Infrastructure Assurance Office; DoD/DOC; Critical Infrastructure Coordinating Group; Private Sector; Information Sharing and Analysis Center; National Infrastructure Protection Center

  • Special Function Agencies

    • DOJ: Law Enforcement

    • DoD: National Defense

    • CIA: Intelligence

    • DOS: Foreign Affairs

  • Sector: Lead Agency

    • Financial Services: Dept. of Treasury

    • Transportation: Dept. of Transportation

    • Electric, Gas & Oil: Dept. of Energy

    • Information/Comms: Dept. of Commerce

    • Law Enforcement: Dept. of Justice

    • Continuity of Gov’t.: FEMA

    • Fire: FEMA

    • Emerg. Health Svcs.: HHS

    • Water: EPA

  • Legend: New Organization


The Department of Energy’s Infrastructure Assurance Outreach Program (IAOP)

[Figure labels: Energy Infrastructures: Electric power, Oil, Natural Gas]

  • Utilize DOE expertise to assist in enhancing energy infrastructure security.

    • Awareness - vulnerabilities & risks

    • Assistance - assessment to identify and correct vulnerabilities

    • Partnership - teaming with industry to collectively advance critical infrastructure protection

  • Voluntary participation conducted under strict terms of confidentiality


IAOP Scope

  • IAOP Assessments:

    • Electric power infrastructure (started in FY 1998)

      • Primarily cyber, includes physical security and risk management

      • Approximately 10 electric utilities received voluntary assessments

    • Natural gas (started in FY 2000)

      • Physical and cyber

    • Expertise from multiple national laboratories and other Federal agencies

    • Assessment, not audit

  • IAOP Outreach

    • Conferences, meetings, information sharing

    • Support industry groups (NERC, NPC, EPRI, …)

    • Engagement with other Federal agencies (FBI, NSA, NRC ...)


Project Outline

  • Task I - Project Planning & Pre-Assessment

    • Project Planning and Scoping

    • Pre-Assessment -- Critical asset definition

  • Task II - Assessment

    • Threat Environment

    • Network Architecture

    • Network Penetration

    • Physical Security, Operations Security

    • Administrative Policies, Procedures

    • Energy System Influence

    • Risk Analysis

  • Optional Task III - Methodology & Prudent Practices

    • Methodology Handbook

    • Prudent Practices

    • Awareness (Closed forums and workshops)


Risk Management Spectrum of Action

[Figure labels: Armored, Resilient, Manage Crisis, Deterrence, Prevention, Restoration, Mitigation]




SCADA Trends

  • Open protocols

    • Open industry standard protocols are replacing vendor-specific proprietary communication protocols

  • Interconnected to other systems

    • Connections to business and administrative networks to obtain productivity improvements and mandated open access information sharing

  • Reliance on public information systems

    • Increasing use of public telecommunication systems and the internet for portions of the control system


SCADA Concerns

  • Integrity

    • Assuring valid data and control functions

    • Most important due to impact

  • Availability

    • Continuity of operations

    • Historically addressed with redundancy

  • Confidentiality

    • Protection from unauthorized access

    • Important for market value, not reliability


SCADA Vulnerability Demonstration

[Diagram labels: Operator Interface; RTU Test Set (Intruder); Field Device (RTU, IED or PLC)]


Operator Interface

  • Simulated display of electrical substation

  • Circuit breaker status information read from field device


SCADA Message Strings

  • Repeating easily decipherable format

  • Captured by RTU test set


Attack Scenarios

  • Denial of service

    • Block operator’s ability to observe and/or respond to changing system conditions

  • Operator spoofing

    • Trick operator into taking imprudent action based on spurious or false signals

  • Direct manipulation of field devices

    • Send unauthorized control actions to field device(s)

  • Combinations of above


Mitigation Strategies

  • Security through obscurity

    • Poor defense against “structured adversary”

  • Isolated network

  • Communication encryption

    • Concerns over latency, reliability, interoperability

    • Vendors waiting for customer demand

  • Signal authentication

    • May provide good defense without the concerns associated with full signal encryption
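
Signal authentication as named on the Mitigation Strategies slide, shown as an added example that is not part of the original presentation: each command frame stays in cleartext and carries an HMAC tag plus a sequence counter, so the field device can reject altered, forged and re-sent frames. The frame layout, command codes, demo key and 16-byte tag length are constructed for illustration and do not correspond to any real SCADA protocol.

```python
import hashlib
import hmac
import struct

# Constructed frame layout (not a real SCADA protocol): device id, sequence, command.
HEADER = struct.Struct(">HIB")
TAG_LEN = 16                      # truncated HMAC-SHA256 tag length (assumption)
CMD_TRIP, CMD_CLOSE = 0x01, 0x02  # hypothetical breaker command codes


def seal(key: bytes, device_id: int, seq: int, command: int) -> bytes:
    """Master side: the command stays in cleartext; only a tag is appended."""
    body = HEADER.pack(device_id, seq, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class FieldDevice:
    """Receiver side: act only on frames that are authentic, addressed here, and fresh."""

    def __init__(self, key: bytes, device_id: int):
        self.key, self.device_id = key, device_id
        self.last_seq = 0            # highest sequence number accepted so far
        self.breaker_closed = True

    def receive(self, frame: bytes) -> str:
        if len(frame) != HEADER.size + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "rejected: bad tag"
        device_id, seq, command = HEADER.unpack(body)
        if device_id != self.device_id or command not in (CMD_TRIP, CMD_CLOSE):
            return "rejected: not valid for this device"
        if seq <= self.last_seq:                     # captured frame sent again
            return "rejected: replay"
        self.last_seq, self.breaker_closed = seq, command == CMD_CLOSE
        return "accepted"


def demo():
    key = bytes(range(32))                           # constructed demo key
    rtu = FieldDevice(key, device_id=7)
    trip = seal(key, 7, 1, CMD_TRIP)
    altered = bytearray(seal(key, 7, 2, CMD_TRIP))
    altered[HEADER.size - 1] = CMD_CLOSE             # command byte changed in transit
    results = [rtu.receive(trip),                    # genuine command
               rtu.receive(trip),                    # same frame captured and re-sent
               rtu.receive(bytes(altered)),          # modified frame
               rtu.receive(seal(b"wrong key", 7, 3, CMD_CLOSE))]  # sender lacks the key
    return results, rtu.breaker_closed
```

In a deployment the sequence counter has to survive device restarts and the shared key needs a provisioning and rotation process; neither is shown here.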


Expectations

  • The government and industry will collaboratively develop technologies consistent with shared infrastructure assurance objectives

  • Public sector funding necessary to initiate development of new technologies

Value Proposition

  • Industry

    • Proactive in protecting customer and stockholder interests

    • Insights into vulnerability and risk assessment techniques

    • Due diligence

  • Government

    • Proactive in protecting public interests and national security

    • Insights into industry risk management perspectives

    • Facilitate long-term research and development, best practices


Conclusions

  • SCADA is becoming more vulnerable

    • Standard, open protocols

    • Interconnected to other systems and networks

    • Industry in transition

  • Focus countermeasures to protect:

    • Integrity

    • Availability

    • Confidentiality

