SCADA Security

William (Bill) Brown

Metric Systems Corporation

The Wireless Factor

Ph: 760.560.0348 x 211

bbrown@metricsystems.com


SCADA Security … the Wireless Factor

As far as we know, no one has ever deliberately hacked into the U.S. electrical grid and pulled the plug on millions, even thousands, of people.

Just as on September 11, 2001, no one had ever deliberately crashed a jet airliner into a skyscraper.


Agenda

  • Why another wireless security presentation?
  • Terrorist threats
      • Domestic
      • Foreign
      • Internal
  • One scenario
Focus Today:

Developing a concept of, and practical foundation for, mitigating corporate security threats attempting to use internal or external wireless assets as an ingress point

  • Internal Networks: LAN, WAN, Wireless, Microwave
  • Third party embedded threats:
      • Operating systems
      • Application software including mobile 2G and 3G wireless networking
      • Industrial automation devices
      • Networking equipment (wired, wireless, fiber)
      • Telecommunication carriers
  • Recovery concepts: Maintaining business continuity

Terrorist Game Plan

  • Mission: Transient denial of electrical service
  • Strategy: Electromagnetic deception
  • Tactics:
    • Using Open Source material, physical surveillance and off-the-shelf equipment and components to interrupt or spoof SCADA information. Why? So that SCADA control believes short non-periodic communication outages are normal.
    • Leverage this conditioning as a ruse for delayed detection of physical attack or to inflict low-level random maintenance alarm attacks.
Basic SCADA Operational System Model

Points of vulnerability (block diagram on the original slide; the labels recovered from it):

  • SCADA strategies: public, private, or mixed transport
  • SCADA software: application, operating system, hardware platform
  • Local gateways and networks
  • Enterprise gateways
  • Communication media
  • Remote gateway
  • Remote plant distribution network
  • SCADA device population
  • Human interface
  • Equipment under control or monitoring
The Plan

  • Locate SCADA sites
  • Determine the band and the specific frequencies in use
  • Inject noise (any unwanted signal)
  • Listen for the Master Station response (if any)
  • Is there a maintenance response?
  • Set up a random plan of interdiction
  • Execute the conditioning plan
  • When appropriate, execute the core objective
Private Wireless Entry Points

Diagram on the original slide; the entry classes it lists:

  • Customer-owned
  • Private leased
  • Microwave
  • Licensed: MAS/UHF/VHF
  • Unlicensed
  • Mixed

Public Wireless Entry Points

Diagram on the original slide; the entry classes it lists:

  • Data networking (VPN)
  • Dial-up
  • Frame relay
  • Dial-up / nailed-up
  • Cellular
  • Satellite
  • Public telco
  • Internet
  • Unknown
Tools of the Trade

  • Discovery: location of remote SCADA sites
      • FCC web site database
      • Reconnaissance

Jamming Sources

Private:

  • Narrowband sources (VHF, UHF, MAS)
      • Modulated tunable frequency sources, 100 MHz to 6 GHz: about $1k
      • SCADA radios
  • Wideband sources (902-928 MHz, 2400-2483 MHz, 5.8 GHz)
      • Modulated wideband noise sources
      • Single-frequency noise generators

Public:

  • CDMA and GSM test equipment
  • Low-cost, low-power jammers
Narrowband Denial Tactics

Figure on the original slide: signal level versus frequency. The elements it labels:

  • Normal signal, with an FM capture range of +/- 3 dB around it
  • Minimum discernible signal level for a detectable packet (includes error detection and correction)
  • Spot jammer: a single carrier placed on the channel
  • Barrage noise jammer: wideband noise that raises the average noise floor

Wideband Denial Tactics: Frequency Hopper

Same axes. The hop signals are spread across many frequency bins, and the minimum discernible signal level, the capture range (+/- 3 dB) and the average noise floor all apply per frequency bin. A spot jammer covers only one bin; a barrage noise jammer has to raise the floor across all of them.

Wideband Denial Tactics: Direct Sequence

Same axes. The direct-sequence signal is spread over its occupied bandwidth and sits below the level of a spot or barrage jammer in any single bin. Jamming-to-signal improvement margin (processing gain), typically 10-15 dB:

  10 log10(Occupied Bandwidth / Modulating Bandwidth), e.g. 10 log10(10 MHz / 1 MHz) = 10 dB
Wireless Denial of Service Attack Geometry

System example configuration (diagram on the original slide): Node 1 and Node 2 are 1 mile apart. Jammer 1 sits 0.1 mile from Node 1; Jammer 2 sits 0.5 mile from the nodes. The four jammer-to-node paths are labelled L11, L12, L21 and L22, read from the diagram as Jammer 1 to Node 1, Jammer 1 to Node 2, Jammer 2 to Node 1 and Jammer 2 to Node 2. A 0.6 mile distance is also marked on the scenario diagrams.

Making a Wireless Choice: UHF Narrow-Band Scenario, Denial of Service Attack

Received levels are negative dBm (the minus signs did not survive extraction):

  • Wanted signal at Node 1: Rx Sig = -53.4 dBm
  • L11 = -33.4 dBm, L12 = -52.5 dBm, L21 = -47.4 dBm, L22 = -47.4 dBm

At Node 1:

  • Rx Signal = -53.4 dBm
  • Rx Jammer 1 = -33.4 dBm
  • Rx Jammer 2 = -47.4 dBm
  • Rx Jammer 1 minus Rx Signal = 20 dB
  • Rx Jammer 2 minus Rx Signal = 6 dB
  • FM capture region: +/- 3 dB (marked as 0.5 miles on the diagram)

Both jammers exceed the wanted signal by more than the capture range, so either one alone denies the narrow-band link at Node 1.

Making a Wireless Choice: 2.4 GHz ISM Wide-Band Scenario, Denial of Service Attack

  • Wanted signal at Node 1: Rx Sig = -68 dBm
  • L11 = -48.1 dBm, L12 = -67.1 dBm, L21 = -62.1 dBm, L22 = -47.4 dBm (as printed on the slide; the other three links are about 14.6 dB below their UHF values, so L22 appears to have been carried over from the UHF slide)

Jamming-to-signal improvement = 10 log10(number of hopping channels):

  • 100 hopping channels: 20 dB jamming-to-signal improvement margin
  • 50 hopping channels: 17 dB jamming-to-signal improvement margin

At Node 1:

  • Rx Signal = -68 dBm
  • Rx Jammer 1 = -48.1 dBm
  • Rx Jammer 2 = -62.1 dBm
  • Rx Jammer 1 minus Rx Signal = 20 dB (rounded)
  • Rx Jammer 2 minus Rx Signal = 6 dB (rounded)
  • FM capture region: +/- 3 dB (marked as 0.5 miles on the diagram)

With 100 hopping channels the 20 dB of processing gain only just offsets Jammer 1's 20 dB excess, leaving no margin against the +/- 3 dB capture range; with 50 channels (17 dB) Jammer 1 still wins. Jammer 2, 6 dB above the signal, is overcome by either hop set.
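The two scenario slides and the processing-gain formulas on the frequency-hopper and direct-sequence slides can be carried through in a few lines. The calculator below is an added worked example, not code from the presentation. It takes the slides' Node 1 receive levels as negative dBm, and its survive/deny rule (after any processing gain, the wanted signal must beat the jammer by the 3 dB FM capture range) is this example's simplification of the slide graphics.

```python
"""Jamming-margin calculator for the two link scenarios on the slides.

Added worked example, not code from the presentation. The received
levels are the slides' figures read as negative dBm (the minus signs
were lost in extraction). The pass/fail rule is this example's
simplification of the slide graphics: after any processing gain, the
wanted signal must exceed the jammer by the FM capture range (3 dB).
"""
import math

CAPTURE_RANGE_DB = 3.0  # +/- 3 dB FM capture region from the slides


def fh_processing_gain_db(n_channels):
    """Frequency-hopping jamming-to-signal improvement: 10*log10(channels)."""
    return 10.0 * math.log10(n_channels)


def ds_processing_gain_db(occupied_bw_hz, modulating_bw_hz):
    """Direct-sequence processing gain: 10*log10(occupied / modulating BW)."""
    return 10.0 * math.log10(occupied_bw_hz / modulating_bw_hz)


def jammer_to_signal_db(rx_jammer_dbm, rx_signal_dbm):
    """J/S at the victim receiver; positive means the jammer is stronger."""
    return rx_jammer_dbm - rx_signal_dbm


def link_margin_db(rx_jammer_dbm, rx_signal_dbm, processing_gain_db=0.0):
    """Signal-over-jammer margin after despreading: S - J + Gp (dB)."""
    return processing_gain_db - jammer_to_signal_db(rx_jammer_dbm, rx_signal_dbm)


def link_survives(rx_jammer_dbm, rx_signal_dbm, processing_gain_db=0.0):
    """True when the wanted signal clears the capture range despite the jammer."""
    margin = link_margin_db(rx_jammer_dbm, rx_signal_dbm, processing_gain_db)
    return margin >= CAPTURE_RANGE_DB


# Node 1 receive levels from the two scenario slides (dBm).
UHF_NODE1 = {"signal": -53.4, "jammer1": -33.4, "jammer2": -47.4}
ISM_NODE1 = {"signal": -68.0, "jammer1": -48.1, "jammer2": -62.1}


def evaluate_scenarios():
    """Map (radio choice, jammer) -> (margin in dB, link survives?) at Node 1."""
    out = {}
    for jam in ("jammer1", "jammer2"):
        m = link_margin_db(UHF_NODE1[jam], UHF_NODE1["signal"])
        out[("uhf-narrowband", jam)] = (round(m, 1), m >= CAPTURE_RANGE_DB)
        for n in (100, 50):
            gp = fh_processing_gain_db(n)
            m = link_margin_db(ISM_NODE1[jam], ISM_NODE1["signal"], gp)
            out[("fh-%d-channels" % n, jam)] = (round(m, 1), m >= CAPTURE_RANGE_DB)
    return out


if __name__ == "__main__":
    for (radio, jam), (margin, ok) in sorted(evaluate_scenarios().items()):
        print("%-16s %-8s margin %+6.1f dB  %s"
              % (radio, jam, margin, "survives" if ok else "denied"))
```

Running it reproduces the slides' conclusion: the narrow-band link at Node 1 is denied by either jammer, the 100-channel hopper survives Jammer 2 but sits at a 0.1 dB margin against Jammer 1, and the 50-channel hopper loses to Jammer 1 outright. The same `link_survives` call with `ds_processing_gain_db(10e6, 1e6)` gives the direct-sequence case.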

Could We Have Detected This Attack?

  • The terrorists leveraged two human fallibilities:
      • The law of small numbers
      • Susceptibility to conditioning
  • The target utility was unable to detect or interpret small, seemingly inconsequential changes
      • Example: loss of continuity to a remote site for very short periods may be interpreted as intermittent equipment faults and/or natural or friendly interference
  • Conditioning: acceptance of short interruptions as normal
Countermeasures

  • Model network components, in-plant and wide-area
      • Develop an objective “feeling” for your specific network before deployment; understand the “choke points”
  • Real-time traffic analysis: monitor and track traffic trends
      • Use statistical analysis to discover possible intrusion patterns
  • Understand the network vulnerabilities of all system components
      • SCADA strategies
      • SCADA applications: consider having the software certified
      • Consider non-Windows® operating systems with a security-certified kernel (Linux/Unix, for example)
      • Understand the vulnerabilities of 802.11a/b/g wireless systems, and limit their deployment to securable facilities
      • Public transport systems
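The traffic-analysis countermeasure is the one that answers the previous slide's question: the conditioning campaign shows up as an improbable count of short outages, even though each outage on its own looks like an equipment glitch and the attacker randomises their timing. The script below is an added example, not code from the presentation; the poll-log line format, the two remote sites and the outage positions are constructed here, and the baseline rate of short outages per window is assumed to come from each site's own history.

```python
"""Detect the "conditioning" pattern: an unusual number of short outages.

Added example, not code from the presentation. The poll log format
("<seconds> site=<id> poll=OK|TIMEOUT"), the sites and the outage
positions are constructed for this example; the baseline rate of short
outages per window is assumed to come from the site's own history.
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d+) site=(?P<site>\S+) poll=(?P<status>OK|TIMEOUT)$")


def parse_polls(lines):
    """Group poll records by site as time-ordered (timestamp, ok) pairs."""
    polls = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # skip records that are not poll results
            polls[m["site"]].append((int(m["ts"]), m["status"] == "OK"))
    return {site: sorted(v) for site, v in polls.items()}


def outage_runs(polls):
    """Lengths, in consecutive polls, of every run of timeouts."""
    runs, current = [], 0
    for _, ok in polls:
        if ok and current:
            runs.append(current)
            current = 0
        elif not ok:
            current += 1
    if current:
        runs.append(current)
    return runs


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): how surprising k events are."""
    return 1.0 - sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))


def flag_conditioning(polls_by_site, baseline_short_per_window, max_short=3, alpha=0.01):
    """Per site: (short-outage count, tail probability, flagged?).

    Short outages (<= max_short polls) are the ones an operator writes off
    as equipment glitches; a count far above the site's baseline is the
    signal, regardless of *when* in the window the outages fell.
    """
    report = {}
    for site, polls in polls_by_site.items():
        short = [r for r in outage_runs(polls) if r <= max_short]
        p = poisson_tail(len(short), baseline_short_per_window)
        report[site] = (len(short), p, p < alpha)
    return report


def build_sample_log():
    """Constructed one-hour log, 10 s polls, two remotes (not real data)."""
    drops = {
        "RTU-07": {40: 2, 95: 1, 130: 2, 171: 1, 205: 3, 250: 1, 298: 2, 340: 1},  # conditioned
        "RTU-12": {200: 2},                                                        # one glitch
    }
    lines = []
    for site, outages in drops.items():
        bad = {i for start, length in outages.items() for i in range(start, start + length)}
        for i in range(360):
            lines.append("%d site=%s poll=%s" % (i * 10, site, "TIMEOUT" if i in bad else "OK"))
    return lines


if __name__ == "__main__":
    report = flag_conditioning(parse_polls(build_sample_log()), baseline_short_per_window=1.0)
    for site, (n, p, flagged) in report.items():
        print("%s: %d short outages, P(>= n | baseline 1.0/h) = %.2e%s"
              % (site, n, p, "  <-- investigate" if flagged else ""))
```

With a baseline of one short outage per hour, eight in an hour at RTU-07 has a tail probability near 1e-5 and is flagged, while RTU-12's single two-poll outage is ordinary. A count test is used deliberately: the slide's "random plan of interdiction" defeats any detector that looks for periodic outages, but it cannot hide the rate.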
Topology Vulnerabilities

Suppose you are a terrorist seeking to damage an organization's networking capabilities: telecom, wireless, microwave, Intranet/Internet.

Vulnerability is measured by the smallest number of vertices, or hub points, whose removal disconnects the network (the graph's vertex connectivity).
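Put in graph terms, the hub points are the articulation points of the network graph, and the smallest disconnecting set is its minimum vertex cut. The script below is an added example, not code from the presentation; its sample topology (control centre, enterprise gateway, microwave and MAS radio paths, remote gateways and plants) is constructed from the system model slide, and in practice the node and link list would come from the network model the countermeasures slide asks you to build.

```python
"""Find the hub points whose loss disconnects a SCADA network.

Added example, not code from the presentation. The sample network
(control centre, enterprise gateway, microwave and MAS radio paths,
remote gateways and plants) is constructed here from the slides' system
model; real node names and links would come from your own network model.
"""
from collections import defaultdict
from itertools import combinations


def build_graph(edges):
    """Undirected adjacency sets from (a, b) link pairs."""
    g = defaultdict(set)
    for a, b in edges:
        g[a].add(b)
        g[b].add(a)
    return dict(g)


def is_connected(g, removed=frozenset()):
    """True if every surviving node can still reach every other survivor."""
    nodes = [n for n in g if n not in removed]
    if not nodes:
        return True
    seen, stack = {nodes[0]}, [nodes[0]]
    while stack:
        for m in g[stack.pop()]:
            if m not in removed and m not in seen:
                seen.add(m)
                stack.append(m)
    return len(seen) == len(nodes)


def articulation_points(g):
    """Single vertices whose removal disconnects the graph (Tarjan low-link DFS)."""
    disc, low, parent, cut = {}, {}, {}, set()
    clock = [0]

    def dfs(u):
        disc[u] = low[u] = clock[0]
        clock[0] += 1
        children = 0
        for v in g[u]:
            if v not in disc:
                parent[v] = u
                children += 1
                dfs(v)
                low[u] = min(low[u], low[v])
                if u in parent and low[v] >= disc[u]:  # non-root: subtree cannot climb above u
                    cut.add(u)
            elif v != parent.get(u):
                low[u] = min(low[u], disc[v])
        if u not in parent and children > 1:           # root: more than one DFS child
            cut.add(u)

    for n in g:
        if n not in disc:
            dfs(n)
    return cut


def min_vertex_cut(g):
    """Smallest vertex set that disconnects g, or None for a complete graph.

    Exhaustive search: fine for the few dozen nodes of a SCADA backbone,
    exponential beyond that.
    """
    nodes = sorted(g)
    for k in range(1, len(nodes) - 1):
        for cut in combinations(nodes, k):
            if not is_connected(g, frozenset(cut)):
                return set(cut)
    return None


# Constructed sample topology, after the slides' operational model.
SAMPLE_EDGES = [
    ("ControlCenter", "EnterpriseGW"),
    ("EnterpriseGW", "Microwave"), ("EnterpriseGW", "MAS"),
    ("Microwave", "RemoteGW-A"), ("MAS", "RemoteGW-A"),  # two paths to site A
    ("MAS", "RemoteGW-B"),                               # single path to site B
    ("RemoteGW-A", "Plant-1"), ("RemoteGW-B", "Plant-2"),
]

if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    print("hub points:", sorted(articulation_points(g)))
    print("smallest disconnecting set:", min_vertex_cut(g))
```

On the sample network the vertex connectivity is 1: the enterprise gateway, the MAS radio system and each remote gateway are all single points of failure, while the microwave path is not, because site A is also reachable over MAS. Adding a second link into the control centre, or a second radio path to site B, is what raises the cut size, and the function shows immediately whether a proposed link actually does so.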

Summary of Best Practices

  • Strong preventative maintenance program with continuous training
  • Model your network; understand its operation and vulnerabilities
  • Create strong firewalls and gateways between external and internal networks
  • Create a DMZ network to let friendlies in while excluding entry to the corporate network
  • Consider the appropriate radio link technology (narrow-band vs. ISM)
  • Upgrade vulnerable equipment
  • Deny access through a strong password-control policy on hosts and remotes
  • Monitor and analyze traffic; search for patterns
  • Mitigate the effects of denial-of-service attacks, including:
      • Hijacking
      • Jamming
      • Blinding
      • Spoofing
Questions?

William (Bill) Brown

bbrown@metricsystems.com

760.560.0348 / 1.800.549.7421

www.scadawireless.com
www.metricsystems.com