SlideShare une entreprise Scribd logo

Null Feb 13

Sundar N
Sundar N

Securing Critical Infrastructure

1  sur  36
Télécharger pour lire hors ligne
- Sundar
• Systems in real-time data management , on which our day to day activities depend : – Water plants – Gas – Electric grids – Refineries – Nuclear plants – Large manufacturing plants – Traffic control Systems
 Vitek boden took over the entire control system in Australia and released the sewage water into drinking water  Slammer worm disabled the safety monitoring system of Ohio's Davis Besse nuclear plant for nearly 5 hrs in Jan 2003  Gas pipelines in Russia was controlled by a hacker for 24 hrs in 1999
SCADA systems are often physically distributed over large areas, making hysical security a challenge. Simple vandalism is a real/well known risk: -- “[…] vandals shot out approximately 80 individual insulators on the BPA Cougar-Thurston 115,000 volt transmission line causing it to go out of service at that time. The vandalism occurred near Cougar Dam, which is approximately 25 miles east of Eugene. BPA crews replaced the damaged insulators at an estimated cost of $6,000. Even though no electrical service to EWEB and Lane Electric Cooperative customers was disrupted by the vandalism. Eugene Water and Electric had to purchase additional power to serve its customers during the 13 hours that it took to repair the damaged line.” http://www.bpa.gov/corporate/BPAnews/archive/2002/ NewsRelease.cfm?ReleaseNo=297
• -- „A Washington man who admitted to tampering with more than 20 high-voltage transmission towers in four Western states said yesterday he was trying to point out the power system's vulnerabilities. "I intended to loosen the bolts and by doing so illustrate the vulnerabilities of these towers," Poulin told the judge. • Poulin said in a telephone interview before his arrest that he considered his actions necessary to point out that he was able to damage the towers despite being "62 years old, overweight, arthritic, diabetic, half-blind and a cancer patient living on a minimum of 12 medication pills a day.“‟ • seattletimes.nwsource.com/html/localnews/20017963 73_transmission20m.html
“Starting around 14:14, FE [FirstEnergy] control room operators lost the alarm function that provided audible and visual indications when a significant piece of equipment changed from an acceptable to problematic status. Analysis of the alarm problem performed by FE after the blackout suggests that the alarm processor essentially “stalled” while processing an alarm event. With the software unable to complete that alarm event and move to the next one, the alarm processor buffer filled and eventually overflowed. After 14:14, the FE control computer displays did not receive any further alarms, nor were any alarms being printed or posted on the EMS‟s alarm logging facilities. “FE operators relied heavily on the alarm processor for situational awareness, since they did not have any other large-scale visualization tool such as a dynamic map board. The operators would have been only partially handicapped without the alarm processor, had they known it had failed. However, by not knowing that they were operating without an alarm processor, the operators did not recognize system conditions were changing and were not receptive to information received later from MISO and neighboring systems. The operators were unaware that in this situation they needed to manually, and more closely, monitor and interpret the SCADA information they were receiving.” ftp://www.nerc.com/pub/sys/all_updl/docs/blackout/ NERC_Final_Blackout_Report_07_13_04.pdf [emphasis added]
 Traditionally network and security folks have focused virtually all our attention on the “enterprise” side of the network, ignoring the parallel “hidden” half of the network associated with process control systems and embedded systems.  Process control systems and embedded systems use different protocols, and no one ever really mentioned them. They were out of sight and out of mind, and managed by hardware guys.
• Supervisory control and data acquisition is defined as a common process control application that collects data from sensors from the remote locations and sends them to remote central console for management and control. • Mainly used large scale distributed measurement and control system spread over geographies • Control of complex dynamic critical infrastructure systems
 Physical Control Measurements such as  RTU,MTU, PLC  Measure Voltage, Adjust Valve, flip switch  Normally based on Windows , Linux or Unix  Human Machine Interfaces  Transport mediums Analog , serial, internet, wifi, radio etc
 SCADA devices are often controlled from central monitoring stations (MTUs, or “master terminal units”).  Historically those were Unix-based systems, but many contemporary MTUs are now Microsoft Windows based.  “The end-of-life for Windows NT is having a big impact on the industry.”
 Because SCADA devices with embedded controllers tend to have limited computational power,  Connected via low speed serial lines,  SCADA protocols tend to be quite simple, with little or no protection against spoofing, replay attacks, or a variety of denial of service attacks.  „In a demonstration at a recent security conference, [Jeff Dagle, a PNNL EE] hacked into his testbed system and tripped an electrical breaker. The breaker then signaled the SCADA software that it had opened. But the SCADA controller did not respond because it had not instructed the breaker to open. It was a classic denial-of-service attack. "We were demonstrating a weakness at the protocol level itself," said Dagle.‟  http://memagazine.org/backissues/dec02/features/scada vs/scadavs.html
 Industrial plants, and the instrumentation they include, tend to be long life cycle projects – ten, fifteen or twenty year project lives are by no means uncommon.  by the time the facility is finally decommissioned, there‟s no provision for refreshing those devices the way you might upgrade out of date PCs in some office.  „"Anti-virus software doesn't work on these SCADA systems,“ said Robert Childs, information security analyst at the Public Service Company of New Mexico, who spoke at NetSec about the challenges in working with SCADA vendors to get them to comply with the new rules. "Many of these systems are based on old Intel 8088 processors, and security options are limited to us.“‟ http://napps.nwfusion.com/news/2004/062104secwrap.ht ml
 Remote devices (RTUs and PLCs) also tend to be hard to upgrade : --  The device may use an OS and application that was burned to ROM, and which is not rewritable (“upgrade” == replacing ROMs) –  The device may be physically sealed and not upgradeable,  Or be located in a difficult location, or have no removable media ---  The vendor may no longer be in business, or may not be producing upgrades,  Or the vendor may not be allowing upgrades
 In some cases the patches require approval from external bodies such as FDA which might delay the upgrades.  An example from the embedded system world: “Health care IT professionals say medical device makers prohibit them from changing the systems and even from running anti-virus software in some cases. These IT administrators say manufacturers often are slow to supply software patch updates and routinely claim the Food and Drug Administration (FDA) requires approval of patch-base changes. However the FDA says it has no such rules…”  http://www.nwfusion.com/news/2004/070504hospit alpatch.html
 Owing to need for positive access and control, there is a trend toward simple, known, and shared passwords.  Users like to avoid situations such as: “Do you know the password to turn off the nuclear reactor before it melts down? I forgot mine today…” http://www.digitalbond.com/dale_peterso n/ISA%20July%20Event.ppt
 Very poor authentication protocols  Legacy systems are used which have very well known vulnerabilities (platform dependency)  Systems not patched regularly  Sometimes quite a few nodes are exposed to external environment for debug points , that are used for attacks  No standard or minimal standards of encryption are used in the applications
 There‟s also the sheer issue of managing passwords for thousands of devices – passwords will tend to be common across devices as a practical matter  And of course those passwords aren‟t changed very often (if at all), even when staff transitions occur or years have gone by…  And always tend to have simple and easy to remember passwords for authorization.
 In many cases, SCADA traffic will be on just one port such as 502/tcp (e.g., Modbus/TCP).  The use of a single port (or just a couple of ports) makes it easy to track that traffic, or to poke a hole in firewalls to allow that traffic to pass,  Also makes it easy for the bad guys to scan for connected devices, and it makes it impossible to do port-based selective filtering.
• One false data one mess up the whole of the system rather than one single unit Can bring down the whole system. • The disruption could be due to natural events, such as hurricanes, earth quakes, and wild fires or due to man- made malicious events, such as physical destructions or electronic intrusions into infrastructure systems. Identifying, understanding, and analyzing such interdependencies among infrastructure systems pose significant challenges [2-4]. • These challenges are greatly magnified by the geographical expanse and complexity of individual infrastructures and the nature of coupling among them. The rest of the discussion focuses on electric power infrastructure.
 Much of what‟s being faced in the SCADA world has already been hashed through and fixed in the enterprise IT world. Those solutions, where suitable, need to be “thrown over the wall” to SCADA networks and systems so SCADA folks don‟t “reinvent the wheel.” We need to visit with our process control brethren.
 DNP3  MODBUS  TASE 2.0 / ICCP
 User  UI (Generally known as Man Machine Interface - MMI)  Master Terminal Unit (MTU)  Interfaces remote units and collects data from them  Remote Terminal Unit – Interfaces the remote sensors to the MTU – Communication channel – Such as internet (mostly clear text), BUS channels
 Mostly based on request response protocol  Does not validate the if the person requesting info is genuine or not  Just throws info when requested  No data encryption  So easily one could poison the BUS data or set the system to reset.  Inject false data into the BUS and create a havoc
 Modify the data coming from the RTU  Denial of service  Exploit Protocol anomalies  Shut down RTU`s , MTU`s
 The MODBUS protocol defines a simple Protocol Data Unit (PDU) independent of the underlying communication layers. The mapping of MODBUS protocol on specific buses or networks can introduce some additional fields on the Application Data Unit (ADU).  The client that initiates a MODBUS transaction builds the MODBUS Application Data Unit. The function code indicates to the server which kind of action to perform.
• Describes the encapsulation of a MODBUS request or response when it is carried on a MODBUS TCP/IP network. • A dedicated header is used on TCP/IP to identify the MODBUS Application Data Unit, called the MBAP header (MODBUS Application Protocol header).
 These challenging problems call for inter- disciplinary research collaboration between physical as well as cyber systems researchers, and call for laying strong foundation for inter- disciplinary educational program on cyber- enabled critical infrastructure systems focusing on protection, security, resiliency, and sustainability.
 Defcon 15- T335 unraveling Scada protocols  http://www.scadasecurity.org/index.php/Main_ Page  http://www.modbus.org/docs/Modbus_Messagi ng_Implementation_Guide_V1_0b.pdf  Sandia SCADA Program - High-Security SCADA LDRD Final Report by Rolf Carlson  SCADA Security And terrorism - Internet Security Systems  Scada Security – by Joe St Sauver (uoregon University)  MODSCAN – DEFCON 2008
 Video Links :  scadasecurity.org - Open SCADA Security Project

Recommandé

SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
Guideline for the certification of wind turbine service technicians 2015 july
Guideline for the certification of wind turbine service technicians 2015 julyGuideline for the certification of wind turbine service technicians 2015 july
Guideline for the certification of wind turbine service technicians 2015 julyMichael Mattocks
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009infracritical
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
CS5032 Lecture 20: Dependable infrastructure 2
CS5032 Lecture 20: Dependable infrastructure 2CS5032 Lecture 20: Dependable infrastructure 2
CS5032 Lecture 20: Dependable infrastructure 2John Rooksby
 
Safety System Modularity
Safety System ModularitySafety System Modularity
Safety System ModularityFasiul Alam
 

Recommandé

SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
Guideline for the certification of wind turbine service technicians 2015 july
Guideline for the certification of wind turbine service technicians 2015 julyGuideline for the certification of wind turbine service technicians 2015 july
Guideline for the certification of wind turbine service technicians 2015 julyMichael Mattocks
 
Mission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMission Impact Assessment for Industrial Control Systems
Mission Impact Assessment for Industrial Control SystemsMarina Krotofil
 
2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systems2011-05-02 - VU Amsterdam - Testing safety critical systems
2011-05-02 - VU Amsterdam - Testing safety critical systemsJaap van Ekris
 
American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009American Bar Assoc. ISC 2009
American Bar Assoc. ISC 2009infracritical
 
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...
Embedded Systems, Asset or Security Threat? (6 May 2014, (ICS)2 Secure Rotter...Jaap van Ekris
 
CS5032 Lecture 20: Dependable infrastructure 2
CS5032 Lecture 20: Dependable infrastructure 2CS5032 Lecture 20: Dependable infrastructure 2
CS5032 Lecture 20: Dependable infrastructure 2John Rooksby
 
Safety System Modularity
Safety System ModularitySafety System Modularity
Safety System ModularityFasiul Alam
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsShah Sheikh
 
Cresatech Substation Safety Mitigation and Outage Management
Cresatech Substation Safety Mitigation and Outage ManagementCresatech Substation Safety Mitigation and Outage Management
Cresatech Substation Safety Mitigation and Outage ManagementCatherine Fulton
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentationguest85a34f
 
Ch14
Ch14Ch14
Ch14vigneshwaran vignesh
 
16928 6274 1
16928 6274 116928 6274 1
16928 6274 1kibet sang
 
20090106c Presentation Custom
20090106c Presentation Custom20090106c Presentation Custom
20090106c Presentation Customgkelley
 
Stuxnet
StuxnetStuxnet
StuxnetSymantec
 
Condition Monitoring of DC Motor using Artificial Intelligence Technique
Condition Monitoring of DC Motor using Artificial Intelligence TechniqueCondition Monitoring of DC Motor using Artificial Intelligence Technique
Condition Monitoring of DC Motor using Artificial Intelligence Techniqueijsrd.com
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...IJCNCJournal
 
Assignment 1
Assignment 1Assignment 1
Assignment 1Jeewanthi Fernando
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...Marina Krotofil
 
Cresatech CuTS ZM & LV Presentation NPG
Cresatech CuTS ZM & LV Presentation NPGCresatech CuTS ZM & LV Presentation NPG
Cresatech CuTS ZM & LV Presentation NPGThorne & Derrick International
 
Cenpes ff rom demo overview renato ogeda - petrobras
Cenpes ff rom demo overview renato ogeda - petrobrasCenpes ff rom demo overview renato ogeda - petrobras
Cenpes ff rom demo overview renato ogeda - petrobrasFieldComm Group
 
safety_critical_applications_and_customer_concerns
safety_critical_applications_and_customer_concernssafety_critical_applications_and_customer_concerns
safety_critical_applications_and_customer_concernsRufino Olay III
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayEnergySec
 
Safety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsSafety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsEinar Landre
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systemsMowaten Masry
 
Final Project For Web Class
Final Project For Web ClassFinal Project For Web Class
Final Project For Web Classguestb513fb
 
final Web Project
final Web Projectfinal Web Project
final Web Projectguestb513fb
 

Contenu connexe

Tendances

DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsShah Sheikh
 
Cresatech Substation Safety Mitigation and Outage Management
Cresatech Substation Safety Mitigation and Outage ManagementCresatech Substation Safety Mitigation and Outage Management
Cresatech Substation Safety Mitigation and Outage ManagementCatherine Fulton
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...Marina Krotofil
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentationguest85a34f
 
20090106c Presentation Custom
20090106c Presentation Custom20090106c Presentation Custom
20090106c Presentation Customgkelley
 
Condition Monitoring of DC Motor using Artificial Intelligence Technique
Condition Monitoring of DC Motor using Artificial Intelligence TechniqueCondition Monitoring of DC Motor using Artificial Intelligence Technique
Condition Monitoring of DC Motor using Artificial Intelligence Techniqueijsrd.com
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevMarina Krotofil
 
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...IJCNCJournal
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...Marina Krotofil
 
Cenpes ff rom demo overview renato ogeda - petrobras
Cenpes ff rom demo overview renato ogeda - petrobrasCenpes ff rom demo overview renato ogeda - petrobras
Cenpes ff rom demo overview renato ogeda - petrobrasFieldComm Group
 
safety_critical_applications_and_customer_concerns
safety_critical_applications_and_customer_concernssafety_critical_applications_and_customer_concerns
safety_critical_applications_and_customer_concernsRufino Olay III
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104pgmaynard
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayEnergySec
 
Safety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsSafety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsEinar Landre
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systemsMowaten Masry
 

Tendances (20)

DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security Solutions
 
Cresatech Substation Safety Mitigation and Outage Management
Cresatech Substation Safety Mitigation and Outage ManagementCresatech Substation Safety Mitigation and Outage Management
Cresatech Substation Safety Mitigation and Outage Management
 
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
If I Were MITRE ATT&CK Developer: Challenges to Consider when Developing ICS ...
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentation
 
Ch14
Ch14Ch14
Ch14
 
16928 6274 1
16928 6274 116928 6274 1
16928 6274 1
 
20090106c Presentation Custom
20090106c Presentation Custom20090106c Presentation Custom
20090106c Presentation Custom
 
Stuxnet
StuxnetStuxnet
Stuxnet
 
Condition Monitoring of DC Motor using Artificial Intelligence Technique
Condition Monitoring of DC Motor using Artificial Intelligence TechniqueCondition Monitoring of DC Motor using Artificial Intelligence Technique
Condition Monitoring of DC Motor using Artificial Intelligence Technique
 
CS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsevCS3STHLM_2019_krotofil_kopeytsev
CS3STHLM_2019_krotofil_kopeytsev
 
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...
DEVELOPMENT AND EVALUATION OF A CONTACT CENTER APPLICATION SYSTEM TO INTEGRAT...
 
Assignment 1
Assignment 1Assignment 1
Assignment 1
 
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
A Diet of Poisoned Fruit: Designing Implants & OT Payloads for ICS Embedded D...
 
Cresatech CuTS ZM & LV Presentation NPG
Cresatech CuTS ZM & LV Presentation NPGCresatech CuTS ZM & LV Presentation NPG
Cresatech CuTS ZM & LV Presentation NPG
 
Cenpes ff rom demo overview renato ogeda - petrobras
Cenpes ff rom demo overview renato ogeda - petrobrasCenpes ff rom demo overview renato ogeda - petrobras
Cenpes ff rom demo overview renato ogeda - petrobras
 
safety_critical_applications_and_customer_concerns
safety_critical_applications_and_customer_concernssafety_critical_applications_and_customer_concerns
safety_critical_applications_and_customer_concerns
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles Away
 
Safety and security in mission critical IoT systems
Safety and security in mission critical IoT systemsSafety and security in mission critical IoT systems
Safety and security in mission critical IoT systems
 
35958867 safety-instrumented-systems
35958867 safety-instrumented-systems35958867 safety-instrumented-systems
35958867 safety-instrumented-systems
 

En vedette

Final Project For Web Class
Final Project For Web ClassFinal Project For Web Class
Final Project For Web Classguestb513fb
 
final Web Project
final Web Projectfinal Web Project
final Web Projectguestb513fb
 
my slideshow
my slideshowmy slideshow
my slideshowmaggie b
 
Introduction to me
Introduction to meIntroduction to me
Introduction to meDavid TM
 
Ums 2009 Slide Share Ks
Ums 2009 Slide Share KsUms 2009 Slide Share Ks
Ums 2009 Slide Share KsKim Storm
 
Presentation1
Presentation1Presentation1
Presentation1David TM
 
Presentation1
Presentation1Presentation1
Presentation1David TM
 

En vedette (8)

Final Project For Web Class
Final Project For Web ClassFinal Project For Web Class
Final Project For Web Class
 
final Web Project
final Web Projectfinal Web Project
final Web Project
 
my slideshow
my slideshowmy slideshow
my slideshow
 
Introduction to me
Introduction to meIntroduction to me
Introduction to me
 
Ums 2009 Slide Share Ks
Ums 2009 Slide Share KsUms 2009 Slide Share Ks
Ums 2009 Slide Share Ks
 
Presentation1
Presentation1Presentation1
Presentation1
 
Presentation1
Presentation1Presentation1
Presentation1
 
CLI
CLICLI
CLI
 

Similaire à Null Feb 13

Cyber Security for SCADA
Cyber Security for SCADACyber Security for SCADA
Cyber Security for SCADARichard Umbrino
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)Byres Security Inc.
 
Evolution of protective systems in petro chem
Evolution of protective systems in petro chemEvolution of protective systems in petro chem
Evolution of protective systems in petro chemGlen Alleman
 
SCADA Systems and its security!
SCADA Systems and its security!SCADA Systems and its security!
SCADA Systems and its security!Shiv Sahni
 
IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED
 
Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...
Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...
Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...Classic Controls, Inc.
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADAcsandit
 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...Muhammad FAHAD
 
The Not So Smart Grid
The Not So Smart GridThe Not So Smart Grid
The Not So Smart Gridgueste0b5fe
 
An Expert System For Power Plants Paper Presentation
An Expert System For Power Plants Paper PresentationAn Expert System For Power Plants Paper Presentation
An Expert System For Power Plants Paper Presentationguestac67362
 
Wide area protection-and_emergency_control (1)
Wide area protection-and_emergency_control (1)Wide area protection-and_emergency_control (1)
Wide area protection-and_emergency_control (1)Alaa Eladl
 
Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...
Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...
Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...Michael Mattocks
 
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Ahmed Al Enizi
 
SCADAPresentation.pptx information about scada
SCADAPresentation.pptx information about scadaSCADAPresentation.pptx information about scada
SCADAPresentation.pptx information about scadadarshanbs18
 

Similaire à Null Feb 13 (20)

Cyber Security for SCADA
Cyber Security for SCADACyber Security for SCADA
Cyber Security for SCADA
 
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
ANSI/ISA-99 and Intrinsically Secure Systems (May 2009)
 
Evolution of protective systems in petro chem
Evolution of protective systems in petro chemEvolution of protective systems in petro chem
Evolution of protective systems in petro chem
 
Scada slide
Scada slideScada slide
Scada slide
 
SCADA Systems and its security!
SCADA Systems and its security!SCADA Systems and its security!
SCADA Systems and its security!
 
IJSRED-V2I2P15
IJSRED-V2I2P15IJSRED-V2I2P15
IJSRED-V2I2P15
 
Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...
Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...
Scenarios for Specifying an Uninterruptible Power Supply for Industrial Appli...
 
Moise.pdf
Moise.pdfMoise.pdf
Moise.pdf
 
SCADA Security in CDIC 2009
SCADA Security in CDIC 2009SCADA Security in CDIC 2009
SCADA Security in CDIC 2009
 
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADARITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
RITA SECURE COMMUNICATION PROTOCOL: APPLICATION TO SCADA
 
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Cyber-attac...
 
The Not So Smart Grid
The Not So Smart GridThe Not So Smart Grid
The Not So Smart Grid
 
The Not So Smart Grid
The Not So Smart GridThe Not So Smart Grid
The Not So Smart Grid
 
SCADA Security
SCADA SecuritySCADA Security
SCADA Security
 
An Expert System For Power Plants Paper Presentation
An Expert System For Power Plants Paper PresentationAn Expert System For Power Plants Paper Presentation
An Expert System For Power Plants Paper Presentation
 
Wide area protection-and_emergency_control (1)
Wide area protection-and_emergency_control (1)Wide area protection-and_emergency_control (1)
Wide area protection-and_emergency_control (1)
 
Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...
Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...
Guideline for the Chartered Certification WTSR of Wind Turbine Service Techni...
 
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
 
SCADAPresentation.pptx information about scada
SCADAPresentation.pptx information about scadaSCADAPresentation.pptx information about scada
SCADAPresentation.pptx information about scada
 
3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid
3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid
3.3_Cyber Security R&D for Microgrids_Stamp_EPRI/SNL Microgrid
 

Null Feb 13

  • 2. Systems in real-time data management , on which our day to day activities depend : – Water plants – Gas – Electric grids – Refineries – Nuclear plants – Large manufacturing plants – Traffic control Systems
  • 3. Vitek boden took over the entire control system in Australia and released the sewage water into drinking water  Slammer worm disabled the safety monitoring system of Ohio's Davis Besse nuclear plant for nearly 5 hrs in Jan 2003  Gas pipelines in Russia was controlled by a hacker for 24 hrs in 1999
  • 4. SCADA systems are often physically distributed over large areas, making hysical security a challenge. Simple vandalism is a real/well known risk: -- “[…] vandals shot out approximately 80 individual insulators on the BPA Cougar-Thurston 115,000 volt transmission line causing it to go out of service at that time. The vandalism occurred near Cougar Dam, which is approximately 25 miles east of Eugene. BPA crews replaced the damaged insulators at an estimated cost of $6,000. Even though no electrical service to EWEB and Lane Electric Cooperative customers was disrupted by the vandalism. Eugene Water and Electric had to purchase additional power to serve its customers during the 13 hours that it took to repair the damaged line.” http://www.bpa.gov/corporate/BPAnews/archive/2002/ NewsRelease.cfm?ReleaseNo=297
  • 5. -- „A Washington man who admitted to tampering with more than 20 high-voltage transmission towers in four Western states said yesterday he was trying to point out the power system's vulnerabilities. "I intended to loosen the bolts and by doing so illustrate the vulnerabilities of these towers," Poulin told the judge. • Poulin said in a telephone interview before his arrest that he considered his actions necessary to point out that he was able to damage the towers despite being "62 years old, overweight, arthritic, diabetic, half-blind and a cancer patient living on a minimum of 12 medication pills a day.“‟ • seattletimes.nwsource.com/html/localnews/20017963 73_transmission20m.html
  • 6. “Starting around 14:14, FE [FirstEnergy] control room operators lost the alarm function that provided audible and visual indications when a significant piece of equipment changed from an acceptable to problematic status. Analysis of the alarm problem performed by FE after the blackout suggests that the alarm processor essentially “stalled” while processing an alarm event. With the software unable to complete that alarm event and move to the next one, the alarm processor buffer filled and eventually overflowed. After 14:14, the FE control computer displays did not receive any further alarms, nor were any alarms being printed or posted on the EMS‟s alarm logging facilities. “FE operators relied heavily on the alarm processor for situational awareness, since they did not have any other large-scale visualization tool such as a dynamic map board. The operators would have been only partially handicapped without the alarm processor, had they known it had failed. However, by not knowing that they were operating without an alarm processor, the operators did not recognize system conditions were changing and were not receptive to information received later from MISO and neighboring systems. The operators were unaware that in this situation they needed to manually, and more closely, monitor and interpret the SCADA information they were receiving.” ftp://www.nerc.com/pub/sys/all_updl/docs/blackout/ NERC_Final_Blackout_Report_07_13_04.pdf [emphasis added]
  • 7. Traditionally network and security folks have focused virtually all our attention on the “enterprise” side of the network, ignoring the parallel “hidden” half of the network associated with process control systems and embedded systems.  Process control systems and embedded systems use different protocols, and no one ever really mentioned them. They were out of sight and out of mind, and managed by hardware guys.
  • 8.
  • 9. Supervisory control and data acquisition is defined as a common process control application that collects data from sensors from the remote locations and sends them to remote central console for management and control. • Mainly used large scale distributed measurement and control system spread over geographies • Control of complex dynamic critical infrastructure systems
  • 10.
  • 11.
  • 12. Physical Control Measurements such as  RTU,MTU, PLC  Measure Voltage, Adjust Valve, flip switch  Normally based on Windows , Linux or Unix  Human Machine Interfaces  Transport mediums Analog , serial, internet, wifi, radio etc
  • 13. SCADA devices are often controlled from central monitoring stations (MTUs, or “master terminal units”).  Historically those were Unix-based systems, but many contemporary MTUs are now Microsoft Windows based.  “The end-of-life for Windows NT is having a big impact on the industry.”
  • 14. Because SCADA devices with embedded controllers tend to have limited computational power,  Connected via low speed serial lines,  SCADA protocols tend to be quite simple, with little or no protection against spoofing, replay attacks, or a variety of denial of service attacks.  „In a demonstration at a recent security conference, [Jeff Dagle, a PNNL EE] hacked into his testbed system and tripped an electrical breaker. The breaker then signaled the SCADA software that it had opened. But the SCADA controller did not respond because it had not instructed the breaker to open. It was a classic denial-of-service attack. "We were demonstrating a weakness at the protocol level itself," said Dagle.‟  http://memagazine.org/backissues/dec02/features/scada vs/scadavs.html
  • 15. Industrial plants, and the instrumentation they include, tend to be long life cycle projects – ten, fifteen or twenty year project lives are by no means uncommon.  by the time the facility is finally decommissioned, there‟s no provision for refreshing those devices the way you might upgrade out of date PCs in some office.  „"Anti-virus software doesn't work on these SCADA systems,“ said Robert Childs, information security analyst at the Public Service Company of New Mexico, who spoke at NetSec about the challenges in working with SCADA vendors to get them to comply with the new rules. "Many of these systems are based on old Intel 8088 processors, and security options are limited to us.“‟ http://napps.nwfusion.com/news/2004/062104secwrap.ht ml
  • 16. Remote devices (RTUs and PLCs) also tend to be hard to upgrade : --  The device may use an OS and application that was burned to ROM, and which is not rewritable (“upgrade” == replacing ROMs) –  The device may be physically sealed and not upgradeable,  Or be located in a difficult location, or have no removable media ---  The vendor may no longer be in business, or may not be producing upgrades,  Or the vendor may not be allowing upgrades
  • 17. In some cases the patches require approval from external bodies such as FDA which might delay the upgrades.  An example from the embedded system world: “Health care IT professionals say medical device makers prohibit them from changing the systems and even from running anti-virus software in some cases. These IT administrators say manufacturers often are slow to supply software patch updates and routinely claim the Food and Drug Administration (FDA) requires approval of patch-base changes. However the FDA says it has no such rules…”  http://www.nwfusion.com/news/2004/070504hospit alpatch.html
  • 18. Owing to need for positive access and control, there is a trend toward simple, known, and shared passwords.  Users like to avoid situations such as: “Do you know the password to turn off the nuclear reactor before it melts down? I forgot mine today…” http://www.digitalbond.com/dale_peterso n/ISA%20July%20Event.ppt
  • 19. Very poor authentication protocols  Legacy systems are used which have very well known vulnerabilities (platform dependency)  Systems not patched regularly  Sometimes quite a few nodes are exposed to external environment for debug points , that are used for attacks  No standard or minimal standards of encryption are used in the applications
  • 20. There‟s also the sheer issue of managing passwords for thousands of devices – passwords will tend to be common across devices as a practical matter  And of course those passwords aren‟t changed very often (if at all), even when staff transitions occur or years have gone by…  And always tend to have simple and easy to remember passwords for authorization.
  • 21. In many cases, SCADA traffic will be on just one port such as 502/tcp (e.g., Modbus/TCP).  The use of a single port (or just a couple of ports) makes it easy to track that traffic, or to poke a hole in firewalls to allow that traffic to pass,  Also makes it easy for the bad guys to scan for connected devices, and it makes it impossible to do port-based selective filtering.
  • 22. One false data one mess up the whole of the system rather than one single unit Can bring down the whole system. • The disruption could be due to natural events, such as hurricanes, earth quakes, and wild fires or due to man- made malicious events, such as physical destructions or electronic intrusions into infrastructure systems. Identifying, understanding, and analyzing such interdependencies among infrastructure systems pose significant challenges [2-4]. • These challenges are greatly magnified by the geographical expanse and complexity of individual infrastructures and the nature of coupling among them. The rest of the discussion focuses on electric power infrastructure.
  • 23. Much of what‟s being faced in the SCADA world has already been hashed through and fixed in the enterprise IT world. Those solutions, where suitable, need to be “thrown over the wall” to SCADA networks and systems so SCADA folks don‟t “reinvent the wheel.” We need to visit with our process control brethren.
  • 24.
  • 25. DNP3  MODBUS  TASE 2.0 / ICCP
  • 26. User  UI (Generally known as Man Machine Interface - MMI)  Master Terminal Unit (MTU)  Interfaces remote units and collects data from them  Remote Terminal Unit – Interfaces the remote sensors to the MTU – Communication channel – Such as internet (mostly clear text), BUS channels
  • 27. Mostly based on request response protocol  Does not validate the if the person requesting info is genuine or not  Just throws info when requested  No data encryption  So easily one could poison the BUS data or set the system to reset.  Inject false data into the BUS and create a havoc
  • 28. Modify the data coming from the RTU  Denial of service  Exploit Protocol anomalies  Shut down RTU`s , MTU`s
  • 29. The MODBUS protocol defines a simple Protocol Data Unit (PDU) independent of the underlying communication layers. The mapping of MODBUS protocol on specific buses or networks can introduce some additional fields on the Application Data Unit (ADU).  The client that initiates a MODBUS transaction builds the MODBUS Application Data Unit. The function code indicates to the server which kind of action to perform.
  • 30.
  • 31.
  • 32.
  • 33. Describes the encapsulation of a MODBUS request or response when it is carried on a MODBUS TCP/IP network. • A dedicated header is used on TCP/IP to identify the MODBUS Application Data Unit, called the MBAP header (MODBUS Application Protocol header).
  • 34. These challenging problems call for inter- disciplinary research collaboration between physical as well as cyber systems researchers, and call for laying strong foundation for inter- disciplinary educational program on cyber- enabled critical infrastructure systems focusing on protection, security, resiliency, and sustainability.
  • 35. Defcon 15- T335 unraveling Scada protocols  http://www.scadasecurity.org/index.php/Main_ Page  http://www.modbus.org/docs/Modbus_Messagi ng_Implementation_Guide_V1_0b.pdf  Sandia SCADA Program - High-Security SCADA LDRD Final Report by Rolf Carlson  SCADA Security And terrorism - Internet Security Systems  Scada Security – by Joe St Sauver (uoregon University)  MODSCAN – DEFCON 2008
  • 36. Video Links :  scadasecurity.org - Open SCADA Security Project