
A Future of SCADA and Control System Security

API Industry Security Forum (24 April 03)


Matthew Franz (mfranz@cisco.com)
Critical Infrastructure Assurance Group (CIAG)
http://www.cisco.com/go/ciag/
2003, Cisco Systems, Inc. All rights reserved.

Agenda
- Introduction
- Cisco and control system security
- Review of cyber threats, vulnerabilities, and countermeasures
- Addressing the need for secure SCADA
  - A sampling of cyber security initiatives and standards
  - Assessment of security products
  - Need for testing industrial-network devices
  - SCADA protocol enhancement
- Conclusion


Critical Infrastructure Assurance Group (CIAG)

http://www.cisco.com/go/ciag/

CIAG Control System Research Initiative


- Vulnerability research: analysis and testing of design/implementation flaws in industrial products and protocols
- Feature enhancement: identify new features in security and communication devices to reduce vulnerabilities and mitigate threats to control systems and networks
- Architecture development: secure deployment and configuration of communication and security devices
- Collaboration/advisory: participation in control system security forums and initiatives, leveraging expertise in network and product security testing and evaluation

CIAG Research Initiatives


Internal Research Projects
- BGP Security Analysis & Testing
- TCP/IP Stack Evaluation
- Protocol Implementation Testing
- Mobile/Wireless Security
- BIND/DNS Security
- Control System Security

Coordination & Advisory


- Interface with Government Cyber Security Organizations
- Industry Working Groups (AGA-12, SP99, IETF, etc.)

Research Sponsorship

Cisco's Interest in Industrial Networking


- Industrial Ethernet is a new and growing market
- Identify unique security requirements to enhance Cisco products and secure customer networks
- Share our security expertise with the community
  - Participation in SCADA/DCS security initiatives
  - Collaboration with other vendors
  - External publication of findings
- Raise awareness of control system security issues, especially within the IT security community


Control System Trends


- Increasing integration of IT and SCADA networks
  - Will IP/Ethernet/Wireless be the primary transport?
- Ethernet is becoming a fieldbus
  - Leverage a common network for control and data applications
  - Redundant, hardened, deterministic, ubiquitous
- Open communication protocols for automation
  - Modbus/TCP, Ethernet/IP, Foundation Fieldbus High Speed Ethernet (HSE), Interface for Distributed Automation (IDA), PROFInet
- TCP/IP-enabled controllers and IO devices that utilize IT technology
  - HTTP, SNMP, FTP, DHCP, OPC, DCOM, ActiveX, Java

Open Issues in SCADA Security*


- Will industrial devices be subject to the same design, implementation, and configuration vulnerabilities that plague IT products?
- How well do existing security products meet the needs of industrial devices, networks, and protocols?
- What new security technologies are needed to protect industrial networks?
- Do industrial vendors have the infrastructure to handle vulnerability identification and disclosure?

* There is a lot of FUD and inaccurate information about SCADA threats, vulnerabilities, and incidents.

Where/how do vulnerabilities occur in products, protocols, and systems?


- Definition & Design
  - Inadequate or unrealistic security requirements
  - Lack of security features (e.g. encryption, authentication, authorization)
- Implementation
  - Insecure coding practices
  - Narrow focus on functionality testing
- Configuration & Deployment
  - Insecure features enabled by default
  - Failure to configure devices and applications properly


Known vulnerabilities in control system networks


- Design
  - Insecure communication links
  - Insecure devices & protocols
  - Weak or absent authentication in devices and protocols
  - Insecure remote access
  - Undocumented commands/backdoors
- Implementation
  - TCP/IP stack issues?
  - Protocol flaws?
  - OS/application flaws?
  - Windows HMI flaws
  - WEP flaws
  - Network infrastructure device DoS
- Configuration
  - 802.11 defaults (no WEP)
  - Weak/default passwords
  - Inadequate filtering on router/firewall
  - OS defaults


AGA 12-1: Cryptographic Protection of SCADA Communications

- Goal is to protect Master-Slave (RTU) communication links from a variety of active/passive attacks
- Develops a standard retrofit solution for insecure communication links via cryptographic modules
  - Dialup, Frame Relay, Microwave and other serial links
- Encryption and key management protocol developed specifically for low-latency applications
  - Low-speed links
  - Short messages
  - Request/response polled messages


Addressing SCADA Control System Vulnerabilities

So what needs to be done?


- Best Practices: policy, procedures, design and deployment of existing tools and technology
- New Technology: identify limitations of existing products and technology, conduct mid- to long-term R&D to define requirements
- Both require extensive testing and validation


AGA 12-1 (continued)


- Provides shared-key authentication
- Defines new SCADA Link Security (SLS) Protocol
- FIPS 140-2 compliant
- Currently up for ballot
- For more info: Bill Rush (bill.rush@gastechnology.org), http://www.gtiservices.org/security/
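The retrofit idea on the two AGA 12-1 slides, as an added illustration that is not part of the original deck and is not the SLS protocol itself: a generic bump-in-the-wire wrapper that prepends a sequence number and appends a truncated shared-key MAC to each polled message, and a receiving side that rejects tampered and replayed frames while keeping per-message overhead small for low-speed serial links. The key, tag length and poll messages are constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed shared key for this example only; a real link would provision per-link keys.
SHARED_KEY = b"constructed-example-key"
SEQ_LEN = 4   # sequence number prepended for replay detection
TAG_LEN = 8   # truncated HMAC-SHA256 tag keeps overhead low on slow serial links

def wrap(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Sending module: prepend a sequence number, append a truncated MAC over seq + payload."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Receiving module: verify the tag first, then reject any sequence number already seen."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1

    def unwrap(self, frame: bytes) -> tuple:
        """Return (payload, 'ok') for an accepted frame, or (None, reason) for a rejected one."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "too short"
        header, body, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None, "bad tag"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:                     # replayed or out-of-order poll
            return None, "replay"
        self.last_seq = seq
        return body, "ok"

def demo() -> list:
    """Constructed traffic: a valid poll, a bit-flipped copy, a replay of the first, a fresh poll."""
    rtu = Receiver()
    poll = wrap(1, b"READ REG 40001")
    tampered = bytearray(poll)
    tampered[SEQ_LEN + 5] ^= 0x01                    # flip one bit inside the payload
    results = [rtu.unwrap(poll)[1], rtu.unwrap(bytes(tampered))[1], rtu.unwrap(poll)[1]]
    results.append(rtu.unwrap(wrap(2, b"WRITE REG 40001 7"))[1])
    return results   # ['ok', 'bad tag', 'replay', 'ok']
```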


Instrumentation Society of America (ISA) SP-99

- Cross-sector effort to identify and consolidate best practices for the Manufacturing & Control System (M&CS) environment
- Three Technical Reports to be released in 2003
  - Security Technologies for M&CS
  - Integrating Electronic Security into M&CS
  - Audit and Metrics for Security Performance

http://www.isa.org


SP-99.1 Security Technologies


- Surveyed existing security technology and identified:
  - Typical deployment
  - Weaknesses
  - Cost
  - Relevance/applicability to M&CS
- Spawned an effort to develop specific reference architectures for specific M&CS applications
- Lots of questions that can be used to drive research


The question of countermeasures


- Security cannot be added everywhere. So, assuming we understand the control system requirements, threats, and vulnerabilities, where do we deploy countermeasures?
  - End devices: device authentication and authorization
  - Protocol: message integrity and authorization
  - Applications: user authentication and authorization
  - Network devices: protocol awareness, integrity, traffic encryption, user/traffic authentication
- Assuming we can address performance, how do we address complexity?



Analysis of Current Security Technology


- Network Intrusion Detection
  - If we don't know exactly what the vulnerabilities are, how can signatures be created?
  - How much understanding of the protocol is necessary to detect attacks or anomalies?
  - How do we share alerts with operator consoles and other applications, and integrate physical and cyber?
  - Passive IDS should have no impact on performance
- Host-based Firewall/Intrusion Detection/Anti-Virus
  - Compromise of a general-purpose OS is the greatest risk?
  - HMI or other applications need extensive testing and vendor certification
  - May need a safety override, depending on application?

Existing security technology (cont.)


- Network firewalls
  - Need appropriate rule-sets for specific control protocols and applications
  - Add application inspection of control system protocols
  - How do we manage large numbers of micro-firewalls, or is virtualization the answer?
  - Add filtering capability to Ethernet/Serial-Xbus devices to secure legacy devices


Existing security technology (cont.)


- Virtual Private Networks
  - Not all control system traffic is real time (e.g. programming and configuration)
  - Protect traffic from the enterprise (terminate on the CS edge), but what about Internet VPN?
  - Provides more scalable authorization than access control lists?
  - Add protocol awareness and quality of service: what can we learn from Voice + VPN?


Testing Industrial Network Devices


- Lots of discussion about Secure RTOS, but let's ensure minimal robustness levels first
- Vendors and security researchers should conduct security testing against all Ethernet-enabled devices and communication modules
  - Conduct known TCP/IP attacks
    - Spoofing, flooding, malformed messages
    - Well-known application-layer attacks
  - Evaluate unique protocols, features, or applications and test based on risk/criticality


Protocol Security: Lessons from the Internet


- Like control system protocols, the majority of Internet protocols were not designed with security in mind
- Retrofitting critical Internet protocols (e.g. BGP, DNS) has proven to be extremely difficult:
  - Vendors have been slow to implement security features
  - Customers seldom use available security features
  - Lack of a realistic threat model and inadequate testing have slowed activity in standards bodies
- 100% solutions are unlikely



Conclusions
- As with terrorism, cyber risk models are tricky
  - How can we determine the probability?
  - Should we focus on vulnerabilities or threats?
- Multiple ongoing security initiatives document and develop near-term SCADA security solutions
  - Will best practices be used?
  - Are practitioners actually engaged?
  - How will customer requirements be integrated?
- A significant amount of research, testing, and analysis is needed to identify threats, unique vulnerabilities, and effective countermeasures
  - Will there be market demand? Or regulation?
  - How can information-sharing obstacles be overcome?

Feedback?

For more info


Contact info:
Matthew Franz
Email: mfranz@cisco.com

Critical Infrastructure Assurance Group (CIAG)
http://www.cisco.com/go/ciag/

This presentation:
http://www.io.com/~mdfranz/papers/

