
SCADA Security

SCADA Security. William (Bill) Brown Metric Systems Corporation. The Wireless Factor. Ph: 760.560.0348 x 211 bbrown@metricsystems.com. SCADA Security … the Wireless Factor.





Presentation Transcript


  1. SCADA Security
     William (Bill) Brown, Metric Systems Corporation
     The Wireless Factor
     Ph: 760.560.0348 x 211
     bbrown@metricsystems.com

  2. SCADA Security … the Wireless Factor
     As far as we know, no one has ever deliberately hacked into the U.S. electrical grid and pulled the plug on millions, even thousands, of people. Just as on September 11, 2001, no one had ever deliberately crashed a jet airliner into a skyscraper.

  3. Agenda
     • Why another wireless security presentation?
     • Terrorist threats
       • Domestic
       • Foreign
       • Internal
     • One scenario

  4. Focus Today: Developing a concept of, and practical foundation for, mitigating corporate security threats attempting to use internal or external wireless assets as an ingress point
     • Internal networks: LAN, WAN, wireless, microwave
     • Third-party embedded threats:
       • Operating systems
       • Application software, including mobile 2G and 3G wireless networking
       • Industrial automation devices
       • Networking equipment (wired, wireless, fiber)
       • Telecommunication carriers
     • Recovery concepts: maintaining business continuity

  5. Terrorist Game Plan
     • Mission: transient denial of electrical service
     • Strategy: electromagnetic deception
     • Tactics:
       • Using open-source material, physical surveillance and off-the-shelf equipment and components to interrupt or spoof SCADA information. Why? So that SCADA control believes short non-periodic communication outages are normal.
       • Leverage this conditioning as a ruse for delayed detection of physical attack, or to inflict low-level random maintenance alarm attacks.

  6. Basic SCADA Operational System Model: Points of Vulnerability (diagram)
     Components labelled in the diagram: SCADA strategies (public, private, mix); SCADA software application; operating system; hardware platform; local gateways and networks; enterprise gateways; com media; remote gateway; remote plant distribution network; SCADA device population; human interface; equipment under control or monitoring.

  7. The Plan
     • Locate SCADA sites
     • Determine band/specific frequencies
     • Interject noise (any unwanted signal)
     • Listen for master station response (if any)
     • Is there a maintenance response?
     • Set up random plan of interdiction
     • Execute conditioning plan
     • When appropriate, execute core objective

  8. Private Wireless Entry Points (diagram)
     Entry points labelled: customer owned; private leased microwave; licensed MAS/UHF/VHF; unlicensed; mixed.

  9. Public Wireless Entry Points (diagram)
     Entry points labelled: data networking (VPN); dial-up; frame relay; dial-up/nailed-up; cellular; satellite; public telco; Internet; unknown.

  10. Tools of the Trade
     • Discovery: location of remote SCADA sites
       • FCC web site database
     • Reconnaissance: jamming sources
       Private:
       • Narrowband sources (VHF, UHF, MAS)
         • Modulated tunable frequency sources, 100 MHz – 6 GHz: $1k
         • SCADA radios
       • Wideband sources (902–928 MHz, 2400–2483 MHz, 5.8 GHz)
         • Modulated wideband noise sources
         • Single frequency noise generators
       Public:
       • CDMA and GSM test equipment
       • Low-cost, low-power jammers

  11. Narrowband Denial Tactics (diagram: signal level vs. frequency)
     Labels: minimum discernible signal level for detectable packet (includes error detection and correction); spot jammer; normal signal; capture range +/- 3 dB; barrage noise jammer; average noise floor.

  12. Wideband Denial Tactics: Frequency Hopper (diagram: signal level vs. frequency)
     Labels: minimum discernible signal level for detectable packet (includes error detection and correction); spot jammer; barrage noise jammer; average noise floor per frequency bin; capture range +/- 3 dB; hop signals.

  13. Wideband Denial Tactics: Direct Sequence (diagram: signal level vs. frequency)
     Labels: minimum discernible signal level for detectable packet (includes error detection and correction); direct sequence signal; spot jammer; barrage noise jammer.
     Jamming-to-signal improvement margin, 10–15 dB: 10 log(occupied bandwidth / modulating bandwidth), e.g. 10 log(10 MHz / 1 MHz) = 10 dB

  14. Wireless Denial of Service Attack Geometry (diagram: system example configuration)
     Labels: Node 1, Node 2, Jammer 1, Jammer 2; paths L11, L12, L21, L22; distances 0.1 mile, 0.5 mile, 1 mile.

  15. Making a Wireless Choice: UHF Narrow Band Scenario, Denial of Service Attack (diagram)
     Labels: Node 1, Node 2, Jammer 1, Jammer 2; distances 0.1 mile, 0.5 mile, 0.6 miles, 1 mile; FM capture region 0.5 miles.
     Path levels: Rx Sig = 53.4 dBm; L21 = 47.4 dBm; L12 = 52.5 dBm; L11 = 33.4 dBm; L22 = 47.4 dBm.
     Node 1: Rx signal = 53.4 dBm; Rx Jammer 1 = 33.4 dBm; Rx Jammer 2 = 47.4 dBm; Rx Jammer 1 – Rx signal = 20 dB; Rx Jammer 2 – Rx signal = 6 dB.

  16. Making a Wireless Choice: 2.4 GHz ISM Wide-Band Scenario, Denial of Service Attack (diagram)
     Labels: Node 1, Node 2, Jammer 1, Jammer 2; distances 0.1 mile, 0.5 mile, 0.6 miles, 1 mile; FM capture region 0.5 miles.
     Path levels: Rx Sig = 68 dBm; L21 = 62.1 dBm; L12 = 67.1 dBm; L11 = 48.1 dBm; L22 = 47.4 dBm.
     Jamming-to-signal improvement = 10 log(# of hopping channels)
     • 100 hopping channels: 20 dB jamming-to-signal improvement margin
     • 50 hopping channels: 17 dB jamming-to-signal improvement margin
     Node 1: Rx signal = 68 dBm; Rx Jammer 1 = 48.1 dBm; Rx Jammer 2 = 62.1 dBm; Rx Jammer 1 – Rx signal = 20 dB; Rx Jammer 2 – Rx signal = 6 dB.
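A link-planning check for the narrowband vs. spread-spectrum comparison on slides 13 through 16, added here as an example and not part of the presentation: it applies the slides' 10 log(# of hopping channels) and 10 log(bandwidth ratio) improvement figures to the Node 1 levels and reports whether each jammer still captures the receiver. It assumes the slide levels are negative dBm values whose minus signs the transcript lost, and that the desired signal must clear the jammer by the 3 dB capture range after despreading.

```python
import math


def fhss_processing_gain_db(hopping_channels):
    """Frequency hopper jamming-to-signal improvement: 10 log10(# hopping channels)."""
    return 10 * math.log10(hopping_channels)


def dsss_processing_gain_db(occupied_bw_hz, modulating_bw_hz):
    """Direct sequence improvement: 10 log10(occupied bandwidth / modulating bandwidth)."""
    return 10 * math.log10(occupied_bw_hz / modulating_bw_hz)


def jammer_to_signal_db(rx_signal_dbm, rx_jammer_dbm):
    """J/S at the receiver input: jammer level minus desired-signal level."""
    return rx_jammer_dbm - rx_signal_dbm


def link_margin_db(j_s_db, processing_gain_db=0.0, capture_db=3.0):
    """Margin after despreading. Assumption: the desired signal must beat the jammer
    by the +/- 3 dB capture range before the receiver locks to it reliably.
    A narrowband link has no processing gain, so its margin is just -J/S - 3 dB."""
    return processing_gain_db - j_s_db - capture_db


def assess(rx_signal_dbm, jammers, processing_gain_db=0.0):
    """Map each jammer name to (J/S dB, margin dB, verdict) for one receiving node."""
    result = {}
    for name, level_dbm in jammers.items():
        j_s = jammer_to_signal_db(rx_signal_dbm, level_dbm)
        margin = link_margin_db(j_s, processing_gain_db)
        result[name] = (round(j_s, 1), round(margin, 1), "survives" if margin > 0 else "denied")
    return result


if __name__ == "__main__":
    # Node 1 levels from slides 15 and 16, taken as negative dBm (signs lost in transcript).
    uhf = assess(-53.4, {"Jammer 1": -33.4, "Jammer 2": -47.4})
    ism_jammers = {"Jammer 1": -48.1, "Jammer 2": -62.1}
    ism100 = assess(-68.0, ism_jammers, fhss_processing_gain_db(100))
    ism50 = assess(-68.0, ism_jammers, fhss_processing_gain_db(50))
    for label, verdicts in (("UHF narrowband", uhf), ("2.4 GHz, 100 hops", ism100),
                            ("2.4 GHz, 50 hops", ism50)):
        print(f"{label}: {verdicts}")
    print("DSSS 10 MHz / 1 MHz gain:", round(dsss_processing_gain_db(10e6, 1e6), 1), "dB")
```

The narrowband link is denied by both jammers, while the hopper's 17 to 20 dB of processing gain absorbs the 6 dB jammer and only the 20 dB jammer remains marginal.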

  17. Could We Have Detected This Attack?
     • Terrorists leveraged two human fallibilities:
       • The law of small numbers
       • Susceptibility to conditioning
     • The inability of the target utility to detect or interpret small, inconsequential changes
       • Example: loss of continuity to a remote site for very short periods may be interpreted as caused by intermittent equipment faults and/or natural or friendly interference
       • Conditioning: acceptance of short interruptions as normal

  18. Countermeasures
     • Model network components, in-plant and wide-area
     • Develop an objective “feeling” for your specific network prior to deployment; understand “choke points”
     • Real-time traffic analysis: monitor and track traffic trends
     • Use statistical analysis to discover possible intrusion patterns
     • Understand network vulnerabilities of all system components
       • SCADA strategies
       • SCADA applications: consider having software certified
       • Consider using non-Windows® based operating systems with a security-certified kernel (Linux/Unix are suggestions)
       • Understand vulnerabilities of 802.11a/b/g wireless systems, and limit deployment to securable facilities
       • Public transport systems
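One way to put the "statistical analysis to discover possible intrusion patterns" countermeasure to work against the conditioning described on slide 17, written here as an added example and not the presenter's tooling: it counts short outages per site per day from a constructed link-monitor log and flags any day that rises above the site's own baseline. The log format, the sample lines, the 60 s cut-off for a "short" outage and the mean + 3 sigma rule are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed monitor log (not real data): <restore time> <site> LINK_RESTORED after=<seconds down>
SAMPLE_LOG = """\
2023-04-01T00:02:19 RTU-07 LINK_RESTORED after=8
2023-04-02T13:40:11 RTU-07 LINK_RESTORED after=9
2023-04-03T03:15:51 RTU-07 LINK_RESTORED after=7
2023-04-03T18:00:00 RTU-07 LINK_RESTORED after=900
2023-04-04T02:10:07 RTU-07 LINK_RESTORED after=6
2023-04-04T05:33:12 RTU-07 LINK_RESTORED after=11
2023-04-04T11:47:40 RTU-07 LINK_RESTORED after=5
2023-04-04T16:02:03 RTU-07 LINK_RESTORED after=9
2023-04-04T22:58:30 RTU-07 LINK_RESTORED after=8
2023-04-04T23:10:00 RTU-09 LINK_RESTORED after=4
"""

SHORT_OUTAGE_S = 60  # assumed cut-off: drops brief enough to pass as intermittent equipment faults


def short_outages_per_day(log_text):
    """Return {site: {date: count of outages no longer than SHORT_OUTAGE_S}}.
    Long outages are left out: they already raise a maintenance response, while
    the short ones are what an operator is being conditioned to accept."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, site, event, after = line.split()
        seconds_down = int(after.split("=", 1)[1])
        if event == "LINK_RESTORED" and seconds_down <= SHORT_OUTAGE_S:
            counts[site][datetime.fromisoformat(ts).date()] += 1
    return counts


def flag_conditioning(counts, baseline_days=3, sigma=3.0):
    """Flag days whose short-outage count exceeds the site's baseline mean + sigma * stdev.
    The first `baseline_days` days that had outages form the baseline; the standard
    deviation is floored at 1 so a perfectly steady baseline still has a tolerance band."""
    flagged = {}
    for site, per_day in counts.items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue  # not enough history to judge this site yet
        base = [per_day[d] for d in days[:baseline_days]]
        threshold = mean(base) + sigma * max(pstdev(base), 1.0)
        flagged[site] = [str(d) for d in days[baseline_days:] if per_day[d] > threshold]
    return flagged


if __name__ == "__main__":
    print(flag_conditioning(short_outages_per_day(SAMPLE_LOG)))  # {'RTU-07': ['2023-04-04']}
```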

  19. Topology Vulnerabilities
     Suppose you are a terrorist seeking to damage your organization’s networking capabilities: telecom, wireless, microwave, Intranet/Internet.
     Vulnerability is measured in the smallest number of vertices or hub points that will cause disconnections within a network.
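An added example, not from the presentation, that computes slide 19's measure for its simplest case: the single vertices or hub points whose loss disconnects a network, found by a depth-first search for articulation points. The SCADA topology and its node names are constructed for illustration; the redundant UHF link between two remotes shows how one extra path removes a hub point from the list.

```python
from collections import defaultdict


def articulation_points(edges):
    """Return the set of vertices whose removal disconnects the graph (Tarjan's DFS)."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    disc, low, cut = {}, {}, set()
    counter = [0]

    def dfs(v, parent):
        disc[v] = low[v] = counter[0]
        counter[0] += 1
        children = 0
        for w in adj[v]:
            if w == parent:
                continue
            if w in disc:  # back edge: v can reach an ancestor without its DFS parent
                low[v] = min(low[v], disc[w])
            else:
                children += 1
                dfs(w, v)
                low[v] = min(low[v], low[w])
                if parent is not None and low[w] >= disc[v]:
                    cut.add(v)  # subtree under w has no way around v
        if parent is None and children > 1:
            cut.add(v)  # a DFS root with several subtrees joins them itself

    for v in list(adj):
        if v not in disc:
            dfs(v, None)
    return cut


# Constructed topology: the master station reaches three remotes through one
# microwave hub; rtu1 and rtu2 also share a redundant UHF link.
SCADA_TOPOLOGY = [
    ("master", "firewall"), ("firewall", "scada_host"), ("scada_host", "mw_hub"),
    ("mw_hub", "rtu1"), ("mw_hub", "rtu2"), ("mw_hub", "rtu3"),
    ("rtu1", "rtu2"),  # redundant UHF path
]


def weakest_points(edges):
    """Sorted list of single points of failure for the given link list."""
    return sorted(articulation_points(edges))


if __name__ == "__main__":
    print(weakest_points(SCADA_TOPOLOGY))  # ['firewall', 'mw_hub', 'scada_host']
```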

  20. Summary of Best Practices
     • Strong preventative maintenance program; continuous training
     • Model your network; understand operation and vulnerabilities
     • Create strong firewalls and gateways between external and internal nets
     • Create a DMZ network to allow friendlies in; exclude entrance to corporate network
     • Consider appropriate radio link technology (narrow-band vs. ISM)
     • Upgrade vulnerable equipment
     • Deny access via strong password control policy, host and remotes
     • Monitor and analyze traffic; search for patterns
     • Mitigate the effects of denial of service attacks, including:
       • Hijacking
       • Jamming
       • Blinding
       • Spoofing

  21. Questions?
     William (Bill) Brown
     bbrown@metricsystems.com
     760.560.0348
     1.800.549.7421
     www.scadawireless.com
     www.metricsystems.com
