APPS Course, Cyber Security

Cyber Security: Why do we need cyber-security?
To protect against “incidents”
“Incidents” may be deliberate (Attack) or accidental
Impact could be minor
− Lose some functionality
− Lose some data
Impact could be major
− Complete shut-down
− Loss of supply
− Injuries / Damage to equipment
− Loss of life

Cyber Security: Why do we need cyber-security?
Accidental Incidents
− Untrained personnel have access to critical areas
− Trained personnel have access to the wrong critical areas
Deliberate attacks
− Attempt to compromise the behaviour of the system
− Try to cause failure or try to discover information

Cyber Security: Why do we need cyber-security? Why do attacks work?
− They capitalise on key weaknesses
− Vulnerability Exploitation
  • Unused services still enabled
  • ‘known’ vulnerabilities in standard components
− No embedded security
  • Authentication or Authorisation not implemented
− Poorly configured or missing security mechanisms
  • Firewalls, routers, intrusion detection systems, inadequate policies
− Lack of awareness
  • Poor practices, no training

Cyber Security: Why do we need cyber-security NOW?
Security by Isolation
− Control networks were cut off from the outside world
− Control networks now interconnect with other systems
  • Control network → Management system
  • Management system → Corporate network
  • Corporate network → Internet
Security by Obscurity
− Proprietary protocols known only to the manufacturer
− Now giving way to open standards
  • DNP3, IEC60870-5-103 & IEC60870-5-104, IEC61850
− Attackers will (eventually) decode proprietary data
  • Strong incentives (Money, Coercion)
  • Clever guys

Cyber Security: Who are the attackers?
− Criminals: Money (Extortion)
− Terrorists: Disruption
− Hackers: Challenge
− Employees: Coerced, Disgruntled
− Former Employees: Revenge
− Contract and 3rd Party Staff: All of the above

Cyber Security: Areas of Concern
Critical Infrastructure
− Power Grid, Financial Systems, Air Traffic Control, Road/Rail Transport, Nuclear Facilities etc.
Smart Grid
− Massive Impact
  • June 2011, Tom Fanning, CEO of Southern Company (US Utility):
    − “cyber security issues must be resolved before a so-called smart electricity grid can be fully built”
    − “Southern Co. hires hackers to identify vulnerabilities”
    − “the power company gets attacked frequently.”

Cyber Security: What is Cyber-Security?
Cyber-security is achieved through many approaches:
− Access
− Authentication
− Authorisation
− Confidentiality
− Integrity
− Audit
− Detection & Response
− Awareness

Cyber Security: What is Cyber-Security? Access
− Limit and control the means, paths, protocols and ports by which someone (or something) can access the system or relay.
− Firewalls: filter out undesired traffic
− Routers: limit traffic type and TCP/UDP ports
− Gateways: isolate sections of the network
− Disabling of unused ports and services

Cyber Security: What is Cyber-Security? Authentication
− Perform checks on someone (or something) attempting to use the system or relay to ensure that they are allowed to use it.
What you know
− Username/Password
− Personal information (DOB, mother’s maiden name)
What you have
− Biometric scan (Fingerprint/Retinal scan)
− Swipe card/USB stick

Cyber Security: What is Cyber-Security? Authorisation
− Ensure that any authenticated user only has authority (Permission) to perform certain actions.
− Each authenticated user has a Role
  • Commissioning, Administrator, User
− Each role has permissions
  • Read, Write, Create, Delete, Extract, Operate
− Permissions are assigned to objects
  • Settings, Measurements, Logs, Controls
− E.g. the User role has permission to read measurements and logs but can’t write settings or operate controls
− Role Based Access Control (RBAC)

Cyber Security: What is Cyber-Security? Confidentiality
− Ensure that any critical information is kept secret.
− Protect against eavesdropping
− Cryptography
− Encrypt data in communication streams (Data in Transit)
− Encrypt data held in files (Data at Rest)
− Encryption creates its own problems
  • Speed
  • Key management
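The Authorisation slide above, as an added example that is not part of the course material: a deny-by-default RBAC check using the slide's own roles, permissions and objects. The policy table (which pairs each role holds) is an assumed illustration, not an Alstom product setting.

```python
# Added example (not from the slides): a minimal Role Based Access Control
# check modelled on the Authorisation slide. Roles, permissions and objects
# are the slide's own; the POLICY table is an assumed illustration.
from dataclasses import dataclass

ROLES = {"Commissioning", "Administrator", "User"}
PERMISSIONS = {"Read", "Write", "Create", "Delete", "Extract", "Operate"}
OBJECTS = {"Settings", "Measurements", "Logs", "Controls"}

# Assumed policy: the (object, permission) pairs each role holds.
# Anything not listed is denied (deny by default).
POLICY = {
    "User": {
        ("Measurements", "Read"),
        ("Logs", "Read"),
    },
    "Commissioning": {
        ("Settings", "Read"), ("Settings", "Write"),
        ("Measurements", "Read"),
        ("Logs", "Read"), ("Logs", "Extract"),
        ("Controls", "Operate"),
    },
    "Administrator": {(o, p) for o in OBJECTS for p in PERMISSIONS},
}


@dataclass(frozen=True)
class Session:
    """An authenticated user; authorisation is only checked after authentication."""
    username: str
    role: str


def is_authorised(session: Session, obj: str, permission: str) -> bool:
    """True only if the session's role explicitly grants the permission on the object."""
    if session.role not in ROLES or obj not in OBJECTS or permission not in PERMISSIONS:
        return False  # unknown role, object or permission: deny
    return (obj, permission) in POLICY.get(session.role, set())


def check_or_raise(session: Session, obj: str, permission: str) -> None:
    """Enforcement point: refuse the action rather than silently continuing."""
    if not is_authorised(session, obj, permission):
        raise PermissionError(f"{session.role} {session.username} may not {permission} {obj}")


if __name__ == "__main__":
    user = Session("alice", "User")
    print(is_authorised(user, "Measurements", "Read"))  # True
    print(is_authorised(user, "Settings", "Write"))     # False
    print(is_authorised(user, "Controls", "Operate"))   # False
```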

Cyber Security: What is Cyber-Security? Integrity
− Ensure that any information received from a user or a remote entity hasn’t been tampered with.
  • Encryption could be used to provide anti-tamper protection
  • CRC/Checksums are simpler and easier
− Ensure that information is actually from the person or entity that claims to have sent it.
  • Signatures & Certificates
  • Authentication (Challenge/Response)

Cyber Security: What is Cyber-Security? Audit
− Logging of all changes, user accesses, uploads/downloads, operations and control actions.
− Logs to be kept in non-volatile memory, with confidentiality and integrity ensured.
− Logs used in any audit of an incident
  • Identify what was done
  • Identify who did it
  • Identify when it was done
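The Integrity slide lists CRC/checksums beside signatures and authentication; the added example below (not from the course) shows the difference in working code: a CRC catches accidental corruption of a frame, but only a keyed tag (HMAC-SHA256 here, standing in for the slide's signatures) also tells the receiver that the frame came from a key holder. The key, command strings and frame layout are constructed sample values.

```python
# Added example (not from the slides): a CRC detects accidental corruption,
# a keyed MAC (HMAC-SHA256) detects corruption AND proves origin.
# KEY, ORIGINAL, MODIFIED and the frame layout are constructed samples.
import hmac
import hashlib
import zlib


def crc_frame(payload: bytes) -> bytes:
    """Append a CRC-32 (4 bytes, big-endian) as a plain checksum."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def crc_ok(frame: bytes) -> bool:
    payload, crc = frame[:-4], frame[-4:]
    return zlib.crc32(payload).to_bytes(4, "big") == crc


def mac_frame(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; only holders of the key can produce it."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_ok(frame: bytes, key: bytes) -> bool:
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


# Constructed sample: a control command as a relay might receive it.
KEY = b"constructed-shared-secret"
ORIGINAL = b"CTRL CB1 CLOSE"
MODIFIED = b"CTRL CB1 OPEN "


def crc_rejects_bit_flip() -> bool:
    """A single bit flipped in transit is caught by the CRC."""
    frame = bytearray(crc_frame(ORIGINAL))
    frame[5] ^= 0x01
    return not crc_ok(bytes(frame))


def crc_rejects_rebuilt_frame() -> bool:
    """A frame built around a different payload carries a valid CRC, so the
    receiver accepts it: a CRC says nothing about who built the frame."""
    return not crc_ok(crc_frame(MODIFIED))


def mac_rejects_rebuilt_frame() -> bool:
    """Without the key the tag cannot be recomputed for a new payload, so a
    different payload under the old tag (all an eavesdropper holds) fails."""
    old_tag = mac_frame(ORIGINAL, KEY)[-32:]
    return not mac_ok(MODIFIED + old_tag, KEY)
```

The point for the relay designer: choose a CRC for link noise, but a keyed MAC or signature wherever the origin of a command matters.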

Cyber Security: What is Cyber-Security? Detection
− Logging of log-on attempts, whether successful or not.
− Monitoring of communication traffic to detect abnormal conditions
− Monitoring of ports to detect undesired traffic
− Screening of data to detect malware
Response
− Block user account
− Generate events and alarms
− Remove or quarantine malware

Cyber Security: What is Cyber-Security? Awareness
− Understanding the risks and consequences
− Staff training
− Effective Policies that are followed
  • Employees should not open attachments in emails from unknown sources.
  • Maintaining up-to-date anti-virus software on PCs
  • Carelessness about passwords
− Screening and checking of prospective employees
− Policy to deal with employees that leave
  • Deactivate their logon account
− Vigilance
  • If you see something suspicious, report it

Cyber Security: What standards are available?
NERC (North American Electric Reliability Corporation)
− Critical Infrastructure Protection (CIP) Standards
  • Intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America’s bulk electric systems.
− Became mandatory in June 2006
− Compliance auditing started in June 2007
− From June 2009 utilities face heavy fines for non-compliance

Cyber Security: What standards are available?
NERC CIP Standards
− Eight Standards
  • CIP-002: Critical Cyber Asset Identification
  • CIP-003: Security Management Controls
  • CIP-004: Personnel and Training
  • CIP-005: Electronic Security Perimeters
  • CIP-006: Physical Security of Critical Cyber Assets
  • CIP-007: Systems Security Management
  • CIP-008: Incident Reporting and Response Planning
  • CIP-009: Recovery Plans for Critical Cyber Assets

Cyber Security: What standards are available?
IEC 62351
− Recommends security measures for communications
  • IEC61850
  • IEC60870-5
  • DNP3

Cyber Security: What standards are available?
IEEE 1686
− Directly addresses relays and substations
− Provides practical and realistic measures for securing IEDs
  • 8 character passwords
  • Levels of access
  • Logging of changes (for later audit)

Cyber Security: What standards are available?
IEC 62443
− Industrial communication networks: Network and system security
  • Part 2-1: Establishing an industrial automation and control system security program
  • Part 2-2: Operating a manufacturing and control systems security program
  • Part 2-4: Certification of Industrial Security (In Preparation)

Cyber Security: What standards are available?
Other standards and advice
− ISA (Instrument Society of America)
  • ISA-99 Security for Industrial Automation and Control Systems
− CIGRE (Conseil International des Grands Réseaux Électriques)
  • D2.22 – Information Security
  • B5.38 – Impact of cyber-security on IEC61850 systems
− RWE
  • White Book: Requirements for Secure Control and Telecommunication Systems
− IEEE PSRC H13
− And others… (UCA, ENTLEC)

Cyber Security: Alstom Px40 Implementation
Phase 1 (complete)
− Improved password scheme
  • Supports up to 8 characters (currently 4, but IEEE P1686 proposes 8): alpha (upper & lower case), numeric and specials.
  • Password required to read from the relay (read-only level)
  • Below read-only is a limited read level
− Password Blocking
  • After a number of wrong attempts to enter the password, it is blocked
  • Blocking is for a configured number of minutes.
− Password Encryption
  • Used by Courier & Modbus
− Unused port disabling
− S1 Agile will reflect these changes
  • S1 Agile has its own password
− IEC61850 & DNP3
  • Neither of these has been addressed in phase 1
  • Main requirements and measures are defined in IEC62351
  • But there are issues with GOOSE authentication

Cyber Security: APPS Cyber Security Roadmap
Future proposals
− Improve authentication (e.g. user name as well as password)
− Increase levels of access.
− Improve logging. (Currently security events are mixed up with protection events. They need to be separate.)
− TCP/IP
− TLS
− RBAC
− Security Server
− Consistent security across all products
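The Password Blocking item on the Phase 1 slide and the Detection slide's "logging of log-on attempts, whether successful or not" describe one mechanism; the added example below (not Px40 firmware, not Alstom code) implements it: a configurable number of wrong attempts blocks log-on for a configured number of minutes, the stored credential is a salted PBKDF2 hash rather than the clear password, and every outcome is recorded. The attempt limit, block time, clock injection and the sample password are assumptions.

```python
# Added example (not the Px40 firmware): password blocking after N wrong
# attempts for a configured number of minutes, with every log-on attempt
# logged. Limits, the stored credential and the clock hook are assumed.
import hashlib
import hmac
import os
import time
from collections import deque


class PasswordGate:
    def __init__(self, password: str, max_attempts: int = 3,
                 block_minutes: int = 5, clock=time.time):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)   # never keep the clear password
        self.max_attempts = max_attempts
        self.block_seconds = block_minutes * 60
        self.clock = clock                    # injectable for testing
        self.failures = 0
        self.blocked_until = 0.0
        self.log = deque(maxlen=1000)         # (time, user, outcome) records

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def is_blocked(self) -> bool:
        return self.clock() < self.blocked_until

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'blocked'; every outcome is logged."""
        now = self.clock()
        if self.is_blocked():
            self.log.append((now, user, "blocked"))
            return "blocked"
        if hmac.compare_digest(self._derive(password), self._hash):
            self.failures = 0
            self.log.append((now, user, "ok"))
            return "ok"
        self.failures += 1
        self.log.append((now, user, "denied"))
        if self.failures >= self.max_attempts:
            self.blocked_until = now + self.block_seconds   # configured minutes
            self.failures = 0
        return "denied"
```

Note that a correct password presented during the blocking window is also refused, which is the behaviour the slide describes; the log entries are what the Audit slide would later use to establish what was attempted and when.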

Cyber Security: Issues with Cyber-Security
How many devices are there in an average substation?
How many devices have passwords?
How many substations are there to manage?
How many passwords are there to manage?
Passwords need
− Storing
− Refreshing
− Controlling

Cyber Security: Issues with Cyber-Security
Encryption
− Encryption needs keys
− How will relays acquire keys?
− What will be the remedial action for a key compromise?
− How will interoperability work?

Cyber Security: Some actual attacks
Maroochy Waste Water (Australia)
− In 2000 Vitek Boden, a former contractor, used a laptop computer and a radio transmitter to take control of 150 sewage pumping stations. Over a three-month period, he released one million liters of untreated sewage into a stormwater drain from where it flowed to local waterways. The attack was motivated by revenge on the part of Mr. Boden after he failed to secure a job with the Maroochy Shire Council.
Davis Besse Nuclear Power Plant, Ohio
− The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours, despite a belief by plant personnel that the network was protected by a firewall.

Cyber Security: Some actual attacks
StuxNet Worm
− In July 2010 a multi-attack vectored virus was discovered in Siemens PLC equipment used in nuclear power plants and other industrial applications.
  • Virus was transferred on USB sticks
  • Virus used 4 separate vulnerabilities to install itself on the PC, including installing a driver.
  • On the PC it looked for Siemens SIMATIC WinCC/Step 7 controller software
  • Used another vulnerability to transfer malware to the Siemens controller
  • On the controller it changed some specific areas of data.

Cyber Security: Current Threats
TDL-4
• Virus infecting 4 million computers
• Uses sophisticated techniques to maintain itself and avoid detection/elimination
  − Peer-to-peer communication, encrypted command-&-control, “anti-virus” built in

Cyber Security: Myth Busting
“Cyber-security is an IT problem”
− Everyone’s problem
“We have a firewall so we can’t be attacked”
− Attackers have many ways to get in, even through the firewall!
“Customers are not interested in cyber-security”
− Utilities will want it or will be legally required to have it
“A substation can’t be attacked through the internet”
− Yes it can!
“The security I put in last year is OK today”
− Security requires regular updates and assessments.
“My security meets the current standards so I am secure”
− No you’re not!

Cyber Security: Any Questions?