
Competency Training and Certification Program in Electric Power System Engineering

Distribution System Automation

Computer and Network Security

U. P. NATIONAL ENGINEERING CENTER


NATIONAL ELECTRIFICATION ADMINISTRATION

Course Outline
1. Introduction to Ethical Hacking
2. Network and Computer Attacks
3. Intruder Attacks on Networks and Computers
4. Security and Vulnerability of SCADA Systems

U. P. National Engineering Center Competency Training & Certification Program


National Electrification Administration in Electric Power System Engineering

Introduction to Ethical Hacking

 Introduction
 Hackers
 Access a computer system or network without authorization
 Break the law; can go to prison
 Crackers
 Break into systems to steal or destroy data
 The U.S. Department of Justice calls both groups hackers
 Ethical hacker
 Performs most of the same activities, but with the owner's permission (obtained in writing before any testing starts)

 Ethical hackers
 Employed by companies to perform penetration tests
 Penetration test
 Legal, authorized attempt to break into a company's network to find its weakest link
 Tester only reports findings; does not fix the problems
 Security test
 More than an attempt to break in; also includes analyzing the company's security policy and procedures
 Tester offers solutions to secure or protect the network

 TCP Ports
 Protocol
 Agreed set of rules that computers use to exchange data
 Transmission Control Protocol/Internet Protocol (TCP/IP)
 Most widely used protocol suite
 Port
 Logical, not physical, endpoint of a TCP (or UDP) connection
 Identifies the service that is running on the host
 Example: HTTP uses port 80
 A 16-bit number, so values run from 0 to 65,535 (65,536 ports)
 Every TCP segment carries a source port and a destination port
 The client side normally uses a high-numbered temporary (ephemeral) source port; the server side listens on the service's port
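The port fields described above can be read straight out of a packet. The following script is an added example written for this course page, not code from the original material: it builds one constructed IPv4+TCP packet (a SYN from a client on an ephemeral port to a Web server on port 80; the addresses are documentation ranges, not real hosts) and decodes the two 16-bit port fields and the flag bits from it.

```python
import struct

# Constructed sample packet (not captured from a real network): a 20-byte IPv4
# header followed by a 20-byte TCP header with no options and no payload.
# It models a SYN from 192.0.2.10:49152 to 198.51.100.5:80.
IPV4_HDR = bytes([
    0x45, 0x00, 0x00, 0x28,   # version 4, IHL 5 words, DSCP/ECN, total length 40
    0x00, 0x01, 0x40, 0x00,   # identification 1, flags DF, fragment offset 0
    0x40, 0x06, 0x00, 0x00,   # TTL 64, protocol 6 = TCP, header checksum (left 0)
    192, 0, 2, 10,            # source address
    198, 51, 100, 5,          # destination address
])
TCP_HDR = struct.pack(
    "!HHIIBBHHH",             # "!" = network byte order; "H" = unsigned 16-bit field
    49152,                    # source port: an ephemeral port picked by the client
    80,                       # destination port: the HTTP service
    0x11223344,               # sequence number
    0,                        # acknowledgement number (none yet, this is a SYN)
    5 << 4,                   # data offset = 5 words (20 bytes); reserved bits 0
    0x02,                     # flags: SYN only
    65535, 0, 0,              # window, checksum (left 0), urgent pointer
)
SAMPLE_PACKET = IPV4_HDR + TCP_HDR

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]   # bit 0 .. bit 5


def parse_tcp(packet: bytes) -> dict:
    """Return addresses, ports and flags from a raw IPv4+TCP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != 6:
        raise ValueError("IP protocol %d is not TCP" % packet[9])
    src_ip = ".".join(str(b) for b in packet[12:16])
    dst_ip = ".".join(str(b) for b in packet[16:20])
    tcp = packet[ihl:ihl + 20]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp)
    # Both ports come from 16-bit fields, so they are always within 0..65535.
    return {
        "src": (src_ip, sport),
        "dst": (dst_ip, dport),
        "seq": seq,
        "ack": ack,
        "flags": [name for bit, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << bit)],
        "tcp_header_len": (offset >> 4) * 4,
    }


def service_port(parsed: dict) -> int:
    """For a client-to-server segment the destination port names the service;
    when direction is unknown, the lower of the two ports is the usual guess."""
    return min(parsed["src"][1], parsed["dst"][1])


if __name__ == "__main__":
    p = parse_tcp(SAMPLE_PACKET)
    print(p)                                  # dst: ('198.51.100.5', 80), flags: ['SYN']
    print("service port:", service_port(p))   # 80
```

The same decoder works on frames pulled from a packet capture once the link-layer header has been stripped; only the constructed `SAMPLE_PACKET` is specific to this example.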

 Ports 0 through 1023 are the well-known ports (1,024 values); on Unix-like systems, listening on them requires root privilege
 List of well-known ports
 Available at the Internet Assigned Numbers Authority (IANA) Web site (www.iana.org)
 Ports 20 and 21
 File Transfer Protocol (FTP): port 21 carries the commands, port 20 carries the data in active mode
 Used for sharing files over the Internet
 Requires a logon name and password
 More secure than Trivial File Transfer Protocol (TFTP), which has no authentication at all; note that FTP still sends the name, password and file contents in cleartext, so anyone who can sniff the link can read them

 Port 25
 Simple Mail Transfer Protocol (SMTP)
 E-mail servers listen on this port to receive mail
 Port 53
 Domain Name System (DNS), on both UDP and TCP
 Lets users reach Web sites by name (URL) instead of by IP address
 Port 69
 Trivial File Transfer Protocol (TFTP), actually a UDP port
 Used for transferring router configurations and firmware; no username or password
 Port 80
 Hypertext Transfer Protocol (HTTP)
 Used when connecting to a Web server

 Port 110
 Post Office Protocol 3 (POP3)
 Used for retrieving e-mail
 Port 119
 Network News Transfer Protocol (NNTP)
 For use with newsgroups
 Port 135
 Remote Procedure Call (RPC) endpoint mapper
 Critical for the operation of Microsoft Exchange Server and Active Directory
 Port 139
 NetBIOS
 Used by Microsoft's NetBIOS Session Service
 File and printer sharing (modern Windows versions also use port 445 for SMB directly over TCP)
 Port 143
 Internet Message Access Protocol 4 (IMAP4)
 Used for retrieving e-mail
 More features than POP3

 Blocking Ports
 Helps you stop or disable services that are not needed
 Every open (listening) port is an invitation for an attack; close the port or, better, stop the service behind it
 You can't block all the ports
 That would stop all networking
 Only the ports for services the machine actually provides need to be open to the outside; for example, a mail server accepts connections on port 25 and a Web server on port 80
 Sending mail or browsing from the server is outbound traffic on temporary source ports and does not require any inbound port to be open
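The practical check behind this slide is to find out which ports actually answer and compare that list with what the server is supposed to offer. The script below is an added example for this page (not part of the original course material): it starts one throwaway listener on the loopback address so that it has something to find, runs a plain TCP connect scan over a few neighbouring ports, and reports any open port that is not on the allow-list. The allow-list `{25, 80}` mirrors the slide's mail and Web example; the listener itself is a constructed stand-in for a real service.

```python
import socket


def listening_ports(host: str, ports, timeout: float = 0.2) -> set:
    """Return the subset of `ports` on which `host` completes a TCP handshake.
    A completed connect() means something is listening; no application data is sent."""
    found = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.add(port)
    return found


def unexpected_ports(open_ports: set, allowed: set) -> set:
    """Open ports that are not on the allow-list: candidates for blocking at the
    firewall or, better, for disabling the service that owns them."""
    return open_ports - allowed


def demo(allowed: set = frozenset({25, 80})) -> dict:
    """Stand up one listener on 127.0.0.1 (a constructed stand-in for a real
    service), scan the ports around it, and compare the result with the allow-list."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))        # port 0: the OS picks a free ephemeral port
        srv.listen(5)                     # the backlog completes handshakes without accept()
        port = srv.getsockname()[1]
        probe = range(port - 2, port + 3) # neighbouring ports are expected to be closed
        open_ports = listening_ports("127.0.0.1", probe)
        return {
            "listener": port,
            "open": open_ports,
            "unexpected": unexpected_ports(open_ports, set(allowed)),
        }


if __name__ == "__main__":
    result = demo()
    print("listener on", result["listener"])
    print("open:", sorted(result["open"]))
    print("not on the allow-list:", sorted(result["unexpected"]))
```

Against a real server, replace the loopback address and the probe range with the server's address and the full 1 to 65535 range (or the well-known range for a quick look), and run it from outside the firewall as well as inside: the difference between the two lists is exactly what the firewall is blocking.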

Network and Computer Attacks

 Malicious Software (Malware)
 Network attacks can prevent a business from operating
 Malicious software (malware) includes
• Viruses
• Worms
• Trojan horses
 Goals
• Destroy data
• Corrupt data
• Shut down a network or system

 Viruses
 A virus attaches itself to an executable file
 Replicates itself when the infected program runs
 Needs a host program to replicate
 No foolproof method of preventing them
 Macro Viruses
 Virus encoded as a macro
 Macro
 List of commands embedded in a document (for example a word-processing or spreadsheet file) and run by the application that opens it
 Can be used in destructive ways

 Antivirus Software
 Detects and removes viruses
 Detection is based on virus signatures (known file hashes and byte patterns); a sample the database has never seen, or one modified enough to change the pattern, is missed
 Must update the signature database regularly
 Use the automatic update feature
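To make the signature idea concrete, here is an added example (written for this page, not taken from the course or from any antivirus vendor) of a two-level signature scanner. It uses the EICAR test string, a public, harmless string that antivirus products agree to detect, as the only "malware" in its constructed signature database, and it shows why the database needs constant updates: adding a single byte to the file already defeats the exact-hash signature, and a one-character change inside the pattern defeats both.

```python
import hashlib

# The standard EICAR anti-malware test string (harmless; every AV engine flags it).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed signature database for this example. Real engines hold millions
# of entries; the two kinds shown here are the classic ones.
HASH_DB = {hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File"}       # whole-file hash
PATTERN_DB = [(b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!", "EICAR-Test-File")]  # byte pattern


def scan(data: bytes) -> dict:
    """Signature scan of one file's bytes: exact hash first, then byte patterns."""
    hits = {"hash": None, "patterns": []}
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_DB:
        hits["hash"] = HASH_DB[digest]
    for pattern, name in PATTERN_DB:
        if pattern in data:
            hits["patterns"].append(name)
    return hits


def is_malicious(data: bytes) -> bool:
    hits = scan(data)
    return hits["hash"] is not None or bool(hits["patterns"])


def demo() -> dict:
    """Three constructed samples: the original, a copy with one byte appended,
    and a copy with one character changed inside the signature pattern."""
    samples = {
        "original": EICAR,
        "padded": EICAR + b"\n",                                  # hash changes, pattern survives
        "mutated": EICAR.replace(b"ANTIVIRUS", b"ANT1VIRUS"),     # pattern broken too
    }
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print("%-9s hash=%-16s patterns=%s" % (name, hits["hash"], hits["patterns"]))
```

The "mutated" case is the everyday reality: malware authors repack or lightly edit their code precisely so that yesterday's signatures stop matching, which is why the slide insists on automatic updates and why modern products add behavioural and heuristic detection on top of signatures.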

 Worms
 A worm uses computer networks to replicate itself and, unlike a virus, needs no host program. It scans for hosts with an exploitable security hole, copies itself there, and then begins the scanning and replication process again from each new host. Because every infected machine attacks others, the number of infected hosts can grow exponentially; in theory a worm can reach every vulnerable host in the world in a short time.

 Trojan Programs
 Insidious attack against networks
 Disguise themselves as useful programs
• Hide malicious content in the program
• Allow attackers remote access

 Spyware
 Sends information from the infected computer to the attacker
 Confidential financial data
 Passwords
 PINs
 Any other stored data
 Can record each keystroke entered (keylogger)
 Prevalent technology
 Educate users about spyware

 Adware
 Similar to spyware
 Can be installed without the user being aware
 Sometimes displays a banner
 Main goal
 Determine the user's online purchasing habits
 Tailored advertisements
 Main problem
 Slows down computers

 Protecting Against Malware Attacks
 Difficult task
 New viruses, worms and Trojan programs appear daily
 Antivirus programs offer a lot of protection
 Educate your users about these types of attacks

 Educating Your Users
 Structured training
 Most effective measure
 Includes all employees and management
 E-mail monthly security updates
 Simple but effective training method
 Update the virus signature database automatically

 SpyBot and Ad-Aware
 Help protect against spyware and adware
 Windows Defender is excellent too
 Firewalls
 Hardware (enterprise solution)
 Software (personal solution)
 Can be combined
 Intrusion Detection System (IDS)
 Monitors your network 24/7

 A firewall is hardware and/or software that functions in a networked environment to block unauthorized access while permitting authorized communications. It stands between a local network and the Internet (or between two internal networks) and filters traffic that might be harmful.
 An Intrusion Detection System (IDS) is software or a hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report intrusion attempts against the network.

 We can think of a firewall as the security guard at the gate and an IDS as a security camera behind the gate. A firewall can block a connection, while an Intrusion Detection System (IDS) cannot; an IDS only alerts the security administrator to intrusion attempts.
 An Intrusion Detection and Prevention System (IDPS), however, sits in the traffic path and can block a connection when it decides that the connection is an intrusion attempt.
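The guard-and-camera picture can be run as code. The script below is an added example for this page (it is not from the course and does not model any particular product): a first-match packet filter with a default-deny rule plays the firewall, a passive sensor that counts distinct ports per source plays the IDS, and a switch turns the pair into an IDPS by letting the sensor's alert feed the block list. The traffic sample is constructed; one source walks through eleven ports the way a port scanner does. The sensor is assumed to see traffic from a tap in front of the gate, so that it observes the probes the firewall drops.

```python
from collections import defaultdict

# Constructed inbound traffic sample: (source IP, destination TCP port).
# 203.0.113.7 is an ordinary Web client, 198.51.100.9 delivers mail and then
# tries SSH, and 192.0.2.66 walks through many ports looking for one that answers.
SAMPLE_TRAFFIC = [
    ("203.0.113.7", 80), ("203.0.113.7", 80),
    ("198.51.100.9", 25), ("198.51.100.9", 22),
] + [("192.0.2.66", p) for p in (21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 3389)]

# Firewall policy: first matching rule wins; the last rule denies everything
# else (default deny). Only the mail and Web services are reachable.
FIREWALL_RULES = [
    {"action": "allow", "dport": 25},
    {"action": "allow", "dport": 80},
    {"action": "deny"},
]


def firewall_decide(dport: int, rules=FIREWALL_RULES) -> str:
    for rule in rules:
        if "dport" not in rule or rule["dport"] == dport:
            return rule["action"]
    return "deny"


class PortScanIDS:
    """Passive sensor: raises an alert when one source has touched `threshold`
    distinct ports. It sees the traffic but cannot drop anything by itself."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.ports_seen = defaultdict(set)
        self.alerts = []                    # (source, message)

    def observe(self, src: str, dport: int) -> None:
        self.ports_seen[src].add(dport)
        if len(self.ports_seen[src]) == self.threshold:
            self.alerts.append((src, "possible port scan: %d distinct ports" % self.threshold))

    def flagged(self) -> set:
        return {src for src, _ in self.alerts}


def run(traffic, prevention: bool = False) -> dict:
    """prevention=False: firewall plus IDS, where the IDS only alerts.
    prevention=True: IDPS, where an alert also puts the source on the block list."""
    ids = PortScanIDS()
    blocked = set()
    passed, dropped = [], []
    for src, dport in traffic:
        ids.observe(src, dport)
        if prevention and src in ids.flagged():
            blocked.add(src)
        if src in blocked or firewall_decide(dport) == "deny":
            dropped.append((src, dport))
        else:
            passed.append((src, dport))
    return {"passed": passed, "dropped": dropped, "alerts": ids.alerts, "blocked": blocked}


if __name__ == "__main__":
    for prevention in (False, True):
        r = run(SAMPLE_TRAFFIC, prevention=prevention)
        print("IDPS" if prevention else "IDS ", "alerts:", r["alerts"],
              "scanner traffic passed:", [p for s, p in r["passed"] if s == "192.0.2.66"])
```

In IDS mode the scanner's probes of ports 25 and 80 still get through, because those ports are allowed and the camera only records; in IDPS mode the fifth distinct port trips the alert and every later packet from that source, allowed port or not, is dropped. The cost of prevention is that a false-positive alert now cuts off a legitimate source, which is why IDPS rules are tuned far more conservatively than IDS rules.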

Intruder Attacks on Networks and Computers

 Attack
 Any attempt by an unauthorized person to access or use network resources
 Network Security
 Security of computers and other devices in a network
 Computer Security
 Securing a standalone computer, not part of a network infrastructure
 Computer Crime
 Fastest growing type of crime worldwide

 Denial-of-Service (DoS) attack
 Prevents legitimate users from accessing network resources
 Some forms do not involve computers, like feeding a paper loop through a fax machine
 DoS attacks do not attempt to access information
 Cripple the network
 Can leave it vulnerable to other types of attacks (for example, knocking a logging host or an IDS sensor offline before the real intrusion)

 Distributed Denial-of-Service (DDoS) attack
 Attack on a host from many servers or workstations at once
 Network could be flooded with billions of requests
 Loss of bandwidth
 Degradation or loss of speed
 Often the participants are not aware they are part of the attack
 Attacking computers are typically controlled through Trojan programs (a botnet)
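The difference between the two slides above is visible in the traffic itself, and it decides the response: a single-source DoS can be blocked at the border, a DDoS from hundreds of unwitting hosts cannot be handled one address at a time. The following script is an added example for this page (constructed data, not a capture from any real incident): it takes one second's worth of inbound SYN records, aggregates them per destination, and labels each destination as normal, single-source DoS, or distributed DoS. The rate threshold and the "dominant source" share are assumptions chosen for the sample; a real deployment derives them from the service's normal baseline.

```python
from collections import Counter, defaultdict


def build_sample() -> list:
    """Constructed one-second window of inbound SYNs as (source IP, destination IP):
    - 198.51.100.5 is hit by 150 distinct sources sending 2 SYNs each (botnet: DDoS)
    - 198.51.100.6 is hit by one source sending 200 SYNs (single-source DoS)
    - 198.51.100.7 sees 10 ordinary clients sending 2 SYNs each (normal)"""
    syns = [("192.0.2.%d" % i, "198.51.100.5") for i in range(1, 151) for _ in range(2)]
    syns += [("203.0.113.1", "198.51.100.6")] * 200
    syns += [("203.0.113.%d" % i, "198.51.100.6") for i in range(2, 7)]
    syns += [("203.0.113.%d" % i, "198.51.100.7") for i in range(10, 20) for _ in range(2)]
    return syns


SAMPLE_SYNS = build_sample()

RATE_THRESHOLD = 100      # SYNs per second per destination before it is worth looking at
DOMINANT_SHARE = 0.5      # one source sending over half the SYNs = single-source DoS


def classify(syns, rate_threshold=RATE_THRESHOLD, dominant_share=DOMINANT_SHARE) -> dict:
    """Label every destination in one window as normal, dos or ddos."""
    per_dst = defaultdict(Counter)
    for src, dst in syns:
        per_dst[dst][src] += 1
    verdicts = {}
    for dst, sources in per_dst.items():
        total = sum(sources.values())
        top_src, top_count = sources.most_common(1)[0]
        entry = {"syn_rate": total, "distinct_sources": len(sources)}
        if total < rate_threshold:
            entry["verdict"] = "normal"
        elif top_count / total > dominant_share:
            entry["verdict"] = "dos"
            entry["attacker"] = top_src
        else:
            entry["verdict"] = "ddos"
        verdicts[dst] = entry
    return verdicts


def suggested_response(entry: dict) -> str:
    """What the verdict means operationally."""
    if entry["verdict"] == "dos":
        return "block %s at the border router" % entry["attacker"]
    if entry["verdict"] == "ddos":
        return ("per-source blocking is futile (%d sources); enable SYN cookies, "
                "rate-limit at the upstream provider, add capacity" % entry["distinct_sources"])
    return "no action"


if __name__ == "__main__":
    for dst, entry in classify(SAMPLE_SYNS).items():
        print(dst, entry["verdict"], entry["syn_rate"], "SYN/s,",
              entry["distinct_sources"], "sources ->", suggested_response(entry))
```

The "sources" column is the tell: the DoS victim and the DDoS victim receive a similar flood, but one flood comes from a single address while the other is spread so thinly that no single participant looks abusive, which is exactly how the unwitting participants on the slide stay unnoticed.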

 Buffer Overflow Attacks
 Vulnerability in poorly written code
 Code copies input into a fixed-size buffer without checking the input's length against the buffer's size
 The excess bytes overwrite adjacent memory, including control data such as the saved return address on the stack
 Goal
 Overwrite the return address so that it points at attacker-supplied code (placed in the overflowed buffer or elsewhere in memory)
 The processor then executes that code with the privileges of the vulnerable program
 Can elevate the attacker's permission to Administrator or SYSTEM, or to kernel level if the flaw is in a driver or the kernel itself
 Programmers need special training to write secure code; compiler and OS defenses (stack canaries, non-executable stacks, address randomization) make exploitation harder but do not remove the bug
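The mechanism is easiest to see on a model of the stack frame. The following is an added example for this page (not from the course material and not a working exploit): it lays out a 16-byte buffer followed by the saved return address, exactly as a C function like `char buf[16]; strcpy(buf, input);` would have on x86-64, and then applies an unchecked copy and a bounded copy to the same over-long input. The two addresses are hypothetical values chosen for the illustration.

```python
# Python model of the stack frame behind a C function such as
#     void greet(const char *input) { char buf[16]; strcpy(buf, input); }
# The frame holds the 16-byte buffer immediately followed by the saved return
# address (8 bytes, little-endian, as on x86-64). Addresses are hypothetical;
# this models the memory layout, it does not run any code.
BUF_SIZE = 16
RET_SIZE = 8
LEGIT_RETURN = 0x0000000000401136     # where the caller expects execution to resume
ATTACKER_CODE = 0x00007FFFFFFFE000    # where the attacker has parked code to run instead


def make_frame() -> bytearray:
    frame = bytearray(BUF_SIZE + RET_SIZE)
    frame[BUF_SIZE:] = LEGIT_RETURN.to_bytes(RET_SIZE, "little")
    return frame


def saved_return(frame: bytearray) -> int:
    return int.from_bytes(frame[BUF_SIZE:], "little")


def unchecked_copy(frame: bytearray, data: bytes) -> None:
    """strcpy-style copy: writes every input byte, so bytes beyond BUF_SIZE land
    on whatever follows the buffer in memory, here the saved return address."""
    if len(data) > len(frame):
        raise OverflowError("input runs past the modelled frame (in C it would keep going)")
    frame[:len(data)] = data


def bounded_copy(frame: bytearray, data: bytes) -> None:
    """Hardened copy: the destination size is the limit. Over-long input is
    rejected here; in C it would be truncated with strlcpy/snprintf and terminated."""
    if len(data) > BUF_SIZE - 1:                  # keep one byte for the C string terminator
        raise ValueError("input of %d bytes exceeds the %d-byte field" % (len(data), BUF_SIZE - 1))
    frame[:len(data)] = data


# Classic payload shape: filler to the end of the buffer, then the address the
# attacker wants the CPU to jump to when the function returns.
ATTACK_INPUT = b"A" * BUF_SIZE + ATTACKER_CODE.to_bytes(RET_SIZE, "little")


def demo() -> dict:
    vulnerable = make_frame()
    unchecked_copy(vulnerable, ATTACK_INPUT)
    hardened = make_frame()
    try:
        bounded_copy(hardened, ATTACK_INPUT)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_return": hex(saved_return(vulnerable)),   # attacker's address
        "hardened_return": hex(saved_return(hardened)),       # unchanged
        "hardened_rejected_input": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Everything after the sixteenth input byte is under the attacker's control in the unchecked version, and the return address is only the most convenient target: on real systems the same overflow can also overwrite saved frame pointers, local variables used as flags, or function pointers stored nearby.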

 Session Hijacking
 Enables an attacker to take over an established TCP session
 An attacker who can sniff or predict the session's sequence numbers injects segments that appear to come from one end of the connection
 Attacker makes both parties think he or she is the other party

 Key Loggers
 Used to capture keystrokes on a computer
 Software
 Behaves like a Trojan program
 Hardware
 Easy to install
 Goes between the keyboard and the computer (in the keyboard cable or port)
 KeyKatcher and KeyGhost

 Addressing Physical Security
 Protecting a network also requires physical security
 Inside attacks are more likely than attacks from outside the company
 Lock up your servers
 Physical access means an attacker can break in
 Consider Ophcrack: booting the machine from a CD-based OS bypasses the installed operating system's access controls, so the attacker can copy the password hashes off the disk and crack them; only full-disk encryption (with a pre-boot key) and a locked boot order stand in the way
 Card Reader Locks
 Keep a log of who enters and leaves the room
 Security cards can be used instead of keys for better security

Security and Vulnerability of SCADA Systems

 In addition to general cyber threats, which have been steadily increasing, several factors have contributed to the escalation of risks specific to control systems, including the:
 Adoption of standardized technologies with known vulnerabilities
 Connectivity of control systems to other networks
 Constraints on the use of existing security technologies and practices
 Insecure remote connections
 Widespread availability of technical information about control systems
 There is no one magic solution for industry. Each entity must determine what its goals are and arrive at a cost-effective solution to these issues.

 Attacks Against SCADA Systems
 Administrators and industrial systems analysts are often deceived into thinking that because their industrial networks are separate from the corporate network, they are safe from outside attacks.
 PLCs and RTUs are usually polled over vendor-specific or industrial protocols such as Modbus and DNP3, carried on serial links (RS-232, RS-485), phone lines, leased private frame relay circuits, satellite systems, licensed and spread-spectrum radios, and other bus or ring topologies.
 This often gives SCADA system administrators a false sense of security, since they assume these end devices are protected by their non-corporate network connections. Modbus and classic DNP3 carry no authentication: whoever can reach the link can issue commands.

 SCADA computers logging data out to back-office database repositories must be on the same physical network as the back-end database systems, or have a path to those database systems.
 This means that there is a path back to the SCADA systems, and eventually to the end devices, through the corporate network.
 Once the corporate network is compromised, any IP-based device or computer system reachable from it can be attacked.

 These connections are open 24x7 to allow full-time logging, which provides an opportunity to attack the SCADA host system with any of the following:
 Use a Denial of Service (DoS) attack to crash the SCADA server, leading to a shutdown condition (system downtime and loss of operations)
 Delete system files on the SCADA server (system downtime and loss of operations)
 Plant a Trojan and take complete control of the system (be able to issue any command available to operators)

 Log keystrokes from operators and obtain usernames and passwords (preparation for a future takedown)
 Log any company-sensitive operational data for personal or competitor use (loss of corporate competitive advantage)
 Change data points, or deceive operators into thinking the control process is out of control and must be shut down (downtime and loss of corporate data)
 Modify any logged data in the remote database system (loss of corporate data)
 Use the SCADA server as a launching point to attack and compromise other system components within the corporate network (IP spoofing, lateral movement)

 Developing a SCADA Security Strategy
 Developing an appropriate SCADA security strategy involves analysis of
multiple layers of both the corporate network and SCADA architectures
including firewalls, proxy servers, operating systems, application system
layers, communications, and policy and procedures.

 Most corporate networks employ a number of security countermeasures to protect their networks. Some of these, with a brief description of their functions, are as follows:
 Border Router and Firewalls: Firewalls, properly configured and coordinated, can protect passwords, IP addresses, files and more. However, without a hardened operating system behind them, attackers can still penetrate private internal networks directly or create a Denial of Service condition.

 Operating Systems: Operating systems can be compromised, even with proper patching, as soon as the network is activated. Operating systems are the core of every computer system, and their design and operating characteristics are well known worldwide, so they are a prime target for attackers. Further, in-place operating system upgrades are less efficient and less secure than a design-level migration to a new and improved operating system.

 Applications: Application-layer attacks (buffer overruns, worms, Trojan horse programs and the like) can incapacitate antivirus software and bypass the firewall as if it weren't even there, because they travel inside traffic the firewall is configured to allow.
 Policies and Procedures: Policies and procedures constitute the foundation of a security infrastructure. They include requiring users to select passwords that are not based on a dictionary word, contain at least one symbol, one capital letter and one number, and are longer than eight characters. Users should not be allowed to use their spouse's, child's or pet's name as their password.
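A password rule is only as good as the check that enforces it. The script below is an added example for this page (not part of the course material): it implements the rules stated above as a checker that a provisioning script or help desk could call. The dictionary and the personal-name list are constructed stand-ins (a real deployment would load a full word list and the user's own HR-record names), and the leet-speak normalization table is an assumption added so that "P@ssw0rd" is still recognized as the word "password".

```python
import re

# Constructed stand-ins: a real check loads a full dictionary and the names
# recorded for the user (spouse, children, pets) from the HR system.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "electric"}
PERSONAL_WORDS = {"maria", "juan", "bantay"}          # hypothetical family and pet names

# Common substitutions people use to dress up a dictionary word (assumed table).
LEET = str.maketrans("4301$@!", "aeolsai")

MIN_WORD = 4                                           # ignore tiny accidental matches


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return password.lower().translate(LEET)


def check_password(password: str, personal=PERSONAL_WORDS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) <= 8:
        problems.append("must be longer than eight characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs at least one capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one symbol")
    core = normalize(password)
    for word in sorted(DICTIONARY | set(personal)):
        if len(word) >= MIN_WORD and word in core:
            problems.append("based on the word '%s'" % word)
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Summer2024!", "Bantay2023#", "Ab1!", "Tr0ub4dor&3x"):
        print("%-14s %s" % (candidate, check_password(candidate) or "OK"))
```

Two caveats a practitioner would add: composition rules of this kind are the traditional approach and are what the text prescribes, but current guidance (for example NIST SP 800-63B) puts more weight on length and on rejecting passwords that appear in breach lists than on mandatory symbol and digit classes; and a checker like this must run server-side at the point the password is set, never as client-side advice alone.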

 The above list is common to all entities that have corporate networks. SCADA
systems for the most part coexist on the same corporate network.

 The following list suggests ways to help protect the SCADA network in
conjunction with the corporate network:

 SCADA Internal Network Design: SCADA networks should be segmented off into their own IP subnets, using managed switches (VLANs) and proper subnet masking, to isolate the industrial automation environment from other network traffic such as file and print commands; a filtering device between the segments should then allow only the flows the plant actually needs.

 SCADA Server Operating Systems: Simply installing a firewall or segmenting SCADA IP addresses will not ensure that the SCADA infrastructure is secure. An experienced attacker can often bypass a firewall. The operating systems running the SCADA applications must also be maintained. Ensure that SCADA applications on Windows NT, 2000 or XP are properly patched against the latest vulnerabilities, that anonymous (NULL session) access is disabled, and that the default administrator accounts have been removed or renamed. SCADA applications running on UNIX, Linux, Novell or any other operating system (OS) must be maintained the same way. Every operating system ships with default accounts, services and vendor maintenance access that should be removed from SCADA servers.

 SCADA Applications: You must also address security within the SCADA application itself. Trojan horses and worms can be inserted to attack application systems, and they can be used to manipulate data or issue commands on the server. There have even been cases of Trojan horses being deployed that completely emulate the application. The operator thinks he is clicking on a command to stop a pump or generate a graph of the plant, but he is actually clicking on buttons disguised to look like the SCADA screen, and these buttons start batch files that delete the entire hard drive, or send out pre-built packets on the SCADA network that turn all outputs to the ON or "1" state.
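The "all outputs ON" packet is a concrete thing on the wire, and because Modbus carries no authentication (as noted earlier for the polling links to PLCs and RTUs) the only defenses are knowing which host is allowed to write and watching for writes that no operator would issue. The following is an added example for this page, not code from the course or from any vendor: it builds and decodes Modbus/TCP frames (the 7-byte MBAP header followed by function code and data, with coil bits packed least-significant bit first, as the protocol specifies) and raises the two alerts a SCADA-aware sensor would want. The frames, addresses and the single authorized HMI are constructed for the illustration.

```python
import struct

# Modbus/TCP framing: 7-byte MBAP header (transaction id, protocol id = 0,
# length of everything that follows, unit id) and then the PDU (function code
# + data). All frames here are constructed, not captured from a plant.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


def build_adu(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(frame: bytes) -> dict:
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    fc, data = pdu[0], pdu[1:]
    info = {"tid": tid, "unit": unit, "function": fc,
            "name": FUNCTION_NAMES.get(fc, "unknown(%d)" % fc), "is_write": fc in WRITE_FUNCTIONS}
    if fc in (1, 2, 3, 4):                                   # read requests: start, quantity
        info["start"], info["quantity"] = struct.unpack("!HH", data[:4])
    elif fc == 5:                                            # 0xFF00 = ON, 0x0000 = OFF
        addr, value = struct.unpack("!HH", data[:4])
        info.update(address=addr, coil_on=(value == 0xFF00))
    elif fc == 15:
        start, qty, nbytes = struct.unpack("!HHB", data[:5])
        bits = int.from_bytes(data[5:5 + nbytes], "little")  # coil 0 is bit 0 of byte 0
        info.update(start=start, quantity=qty, all_on=(bits == (1 << qty) - 1))
    return info


def assess(frame: bytes, src_ip: str, authorized_writers: set) -> list:
    """Alerts a SCADA-aware sensor would raise for one frame from src_ip."""
    info = parse_adu(frame)
    alerts = []
    if info["is_write"] and src_ip not in authorized_writers:
        alerts.append("%s from unauthorized host %s" % (info["name"], src_ip))
    if info["function"] == 15 and info["all_on"]:
        alerts.append("Write Multiple Coils forces all %d outputs from coil %d ON"
                      % (info["quantity"], info["start"]))
    return alerts


# Constructed hosts and frames (unit id 1 is the PLC).
HMI, ROGUE = "10.20.1.10", "10.10.3.9"
READ_COILS = build_adu(1, 1, 1, struct.pack("!HH", 0, 16))                  # normal poll
HMI_WRITE = build_adu(2, 1, 5, struct.pack("!HH", 3, 0xFF00))                # operator switches coil 3 ON
ROGUE_ALL_ON = build_adu(3, 1, 15, struct.pack("!HHB", 0, 16, 2) + b"\xff\xff")  # all 16 coils ON


def demo() -> dict:
    return {
        "read": assess(READ_COILS, HMI, {HMI}),
        "hmi_write": assess(HMI_WRITE, HMI, {HMI}),
        "rogue_all_on": assess(ROGUE_ALL_ON, ROGUE, {HMI}),
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print("%-13s %s" % (name, alerts or "no alert"))
```

The decoder is what a network IDS rule for port 502 does internally; the policy in `assess` (writes only from the HMI, and no bulk "everything ON") is the part each plant has to fill in from its own engineering knowledge, which is also why the same rule should be reviewed whenever an HMI is replaced or a new engineering workstation is added.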

 SCADA Applications (contd.): Trojan horses and viruses can also be planted through an e-mail opened on another computer in the plant, and then silently copied over to adjacent SCADA servers, where they wait until a specified time to run. Many plant control rooms have corporate computers with Internet and e-mail access in the same physical room, and on the same network switches, as the SCADA computers.
 Methodologies to mitigate these situations are: antivirus software running on the computer where the SCADA application resides; system administrators blocking the installation of any software unless the user has administrator access, so that an operator account cannot install unauthorized programs; and policies and procedures applicable to SCADA systems, which are addressed below.

 SCADA Policies and Procedures: SCADA policies and procedures associated
with remote vendor and supervisory access, password management, etc. can
significantly impact the vulnerabilities of the SCADA facilities within the SCADA
network. Properly developed Policies and Procedures that are enforced will
greatly improve the security posture of the SCADA system.

 In summary, these multiple “rings of defense” must be configured in a
complementary and organized manner, and the planning process should
involve a cross-team with senior staff support from operations, facility
engineering, and Information Technology (IT).

 The SCADA Security team should first analyze the current risks and threat at
each of the rings of defense, and then initiate a work plan and project to
reduce the security risk, while remembering to avoid any major impacts to
operations.
