SCADA
Presented by Morgan Marquis-Boire
2007 SecurityAssessment.com

Whois
Hi, my name is Morgan
I'm a security guy

Introduction
Today we will be covering SCADA
SCADA security and Securing your SCADA networks
Questions

What the hell is SCADA?
SCADA is
Supervisory Control and Data Acquisition
Industrial Control Systems (ICS), commonly referred to as SCADA, underlie much of the infrastructure that makes everyday life possible in the first world.
SCADA systems support processes that manage water supply and treatment plants;

What the hell is SCADA?
SCADA Networks Past and Present
These could be described as primitive when compared to most modern networks

What the hell is SCADA?
So what is it actually?
A SCADA system usually includes signal hardware (input and

What the hell is SCADA?
How does SCADA work?
Multi-tier Systems
Physical Measurement/control endpoints
  RTU, PLC
  Measure voltage, adjust valve, flip switch
Intermediate processing
  Usually based on commonly used OSes
  *nix, Windows, VMS
Communication Infrastructure
  Serial, Internet, Wifi
  Modbus, DNP3, OPC, ICCP

What the hell is SCADA?
Components of a SCADA network
RTU / PLC: Reads information on voltage, flow, the status of switches or valves. Controls pumps, switches, valves
MTU: Master Terminal Unit. Processes data to send to HMI
HMI: Human Machine Interface. GUI, Windows. Information traditionally presented in the form of a mimic diagram
Communication network: LAN, Wireless, Fiber etc etc

What the hell is SCADA?
http://www.armfield.co.uk Industrial Food Technology

For serial radio links mainly, but you can run anything over anything these days, especially TCP/IP (for better or worse)
Reads data (measures voltage/fluid flow etc)
Sends commands (flips switches, starts pumps) / alerts (it's broken!)
High Level Data Protocols: ICCP/OCP

What the hell is SCADA?
Let's not forget
The operator.

In keeping with tradition

So hot right now
Lots of Research Being Published
Black Hat Federal 2k6: Maynor and Graham (ISS), "SCADA Security and Terrorism: We're not crying wolf."
Hack in the Box 2k7: Raoul Chiesa and Mayhem, "Hacking SCADA: How to 0wn Critical National Infrastructure"
Defcon 2k7: Ganesh Devarajan, "Unraveling SCADA Protocols: Using Sulley Fuzzer"
Petroleum Safety: Gresser, "Hacking SCADA/SAS Systems"
Why is SCADA the hot topic of security?
Virtualisation rootkits are hard for most people to understand
The possible ramifications of a SCADA compromise are widespread
New threats: Apparently we have cyber terrorists now

Cyber Terrorist?
Maybe in this room.

So Hot Right Now
SCADA is changing
From proprietary, obscure, and isolated systems
Towards standard, documented and connected ones
"It's not that these guys don't know what they are doing. Part of it is that these systems were engineered 20 years ago, and part of it is that the engineers designed these things assuming they would be isolated. But wham! they are not isolated anymore."
Alan Paller, director of research, SANS Institute

SCADA Protocols
Testing the Security of SCADA Networks

SCADA (in)Security
Lack of Authentication
Normal policies regarding user management, password rotation
Can't Patch, Won't patch
Very large vulnerability window

SCADA (in)Security
It's a Brave New Interconnect World
It was a commonly held belief that SCADA networks were isolated
In reality there are frequently NUMEROUS connections
Dial-in networks, radio backdoors, wireless, LAN connections, dual homing via support laptops, connected to corporate LAN for ease of management and convenient data flow
Insecure By Design
All protocols cleartext. Speed more important than confidentiality

Just Misunderstood
SCADA has a different security model to traditional IT Networks

Time for some F.U.D.
Security Risk defined largely by threat

Time for some F.U.D.
Risk is worse these days because hacking is EASY!

I was promised some FUD
Richard Clark: anti-terror advisor to the Bush administration, cyber security czar and terrorism expert
Mock intrusion scenarios have always succeeded
Where's my digital armageddon???
Let's watch a video then we'll have a couple of case studies

I was promised some FUD
When Good SCADA Goes SERIOUSLY WRONG
About 3:28 p.m., Pacific daylight time, on June 10, 1999, a 16-inch-diameter steel pipeline owned by Olympic Pipe Line Company ruptured and released about 237,000 gallons of gasoline into a creek that flowed through Whatcom Falls Park in Bellingham, Washington. About 1.5 hours after the rupture, the gasoline ignited and burned approximately 1.5 miles along the creek. Two 10-year-old boys and an 18-year-old young man died as a result of the accident. Eight additional injuries were documented. A single-family residence and the city of Bellingham's water treatment plant were severely damaged. As of January 2002, Olympic estimated that total property damages were at least $45 million.

10th June, 1999

I was promised some FUD
This was an accident
The Olympic Pipeline SCADA system consisted of Teledyne

I was promised some FUD
Worm Attack
In August 2003 Slammer infected a private computer network at the idled Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly five hours.
NIST, Guide to SCADA
"Slammer worm crashed Ohio nuke plant network", Kevin Poulson
http://www.securityfocus.com/news/6767
The Slammer worm entered the Davis-Besse plant through a

I was promised some FUD
Disgruntled Employee
Vitek Boden, in 2000, was arrested, convicted and jailed
http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/
"Marine life died, the creek water turned black and the stench was unbearable for residents," said Janelle Bryant of the Australian Environmental Protection Agency.
The Maroochydore District Court heard that 49-year-old Vitek Boden had conducted a series of electronic attacks on the Maroochy Shire sewage control system after a job application he had made was rejected by the area's Council. At the time he was employed by the company that had installed the system. Boden made at least 46 attempts to take control of the sewage system during March and April 2000.
On 23 April, the date of Boden's last hacking attempt, police who pulled over his car found radio and computer equipment.
Later investigations found Boden's laptop had been used at the time of the attacks and his hard drive contained software for accessing and controlling the sewage management system.

I was promised some FUD
Sabotage
Thomas C. Reed, Ronald Reagan's Secretary, described in his
http://www.themoscowtimes.ru/stories/2004/03/18/014.html

I was promised some FUD
Other incidents
In 1992, a former Chevron employee disabled its emergency alert system in 22 states. This wasn't discovered until an emergency did not raise the appropriate alarms
In 1997, a teenager broke into NYNEX and cut off Worcester
camps were full of SCADA information related to dams and other such structures

O.K. too much FUD
The digital Armageddon hasn't happened yet
IDC named 2003 the year of cyber terrorism, predicting that a major cyber terrorism event would bring the internet to its knees.

The Way Forward
Good things happening in SCADA security
There are a growing number of standards in SCADA Security

Securing SCADA
Securing Your SCADA
Not an all-inclusive list!!
Lots of good information online
Some practical steps

Securing SCADA
Identify All Connections to SCADA Networks

Securing SCADA
Disconnect Unnecessary Connections to SCADA Networks
While connections to other networks allow efficient and convenient passing of data, it's simply not worth the risk.
Utilisation of DMZs and data warehousing can facilitate the secure transfer of data from SCADA to business networks.

There's no substitute for having an actual human attempt an intrusion into your network
Implement:

Securing SCADA
Harden Your SCADA Networks!
This issue is compounded when SCADA networks are interconnected with other networks
Remove unused services, especially those involving internet access, email services, remote maintenance etc
Work with SCADA vendors in order to identify (in)secure configurations
The spooks (NSA) have some useful guidelines in this area

Securing SCADA
Don't Rely on Security Through Obscurity
Relying on these for security is not a good idea
Demand that vendors disclose the nature of vendor backdoors or interfaces to your SCADA systems
Demand that vendors provide systems that can be secured!

Securing SCADA
Implement Security features provided by SCADA vendors
While most older SCADA systems have no security features, newer SCADA systems often do
ease of installation security
^^^^ Successful wardialing/wardriving could bypass all other

Securing SCADA
Conduct Physical Security Surveys
must be considered a target (especially unmanned or unguarded sites)
Ensure that this includes ALL remote sites connected to the SCADA network

Securing SCADA
Intrusion Detection and Incident Response
To be able to respond to cyber attacks you need to be able to detect them
essential

Questions?
http://www.securityassessment.com
morgan@securityassessment.com