1. CP-EXPO - Genova, 30 Oct 2013
IT vs. OT: ICS cyber security in TSOs
G. Caroti
2. “CI SYSTEM”: “Interdependencies” and domino effect …
Critical Infrastructure … services essential for everyday life such as energy,
food, water, transport, communications, health and banking and finance.
[Figure: interdependence matrix. Rows and columns: Power System, Railways, Gas, Health, Econ/Fin, Social order, ICT, Water, Oil; each cell graded L / M / H / E.]
Estimated degree of dependence of a "CI" (column) following a significant
and extensive (> 24 h) interruption of service of another "CI" (row) –
Source: AIIC 2007
4. Cyber threats, security breaches and impacts
[Figure: threat-to-impact chain for ICT systems, infrastructures, applications and services.]
Threats: technology failures; malicious attacks (hackers); sabotage; criminal activities; natural disasters; human error and inadequate procedures; system maltreatment.
Security breaches: unauthorised data disclosure; unauthorised access to systems; unauthorised system alteration; data loss or corruption.
Impacts (ICT, business & operational, critical): economic losses; reputational losses; operational disruption to services; PS and grid continuity and safety reduction; public safety and citizens’ protection.
Potential threats with serious implications.
By the use of the term “Resilient” we characterise the Corporate and business Information Systems that provide and maintain an acceptable level of service in face of faults (unintentional, intentional, or naturally caused) affecting their normal operation. The main aim of the resilience is for faults to be invisible to users (ENISA).
5. New risks … recently many warning messages!
a. (EU) Work Programme FP7 2009-2010: “protection of critical information infrastructures”
b. (IT) Report of COPASIR 2010 on cyber crime (july 2010)
c. << … >>
d. (US) Obama's executive order: "better protection of the country's critical infrastructure from cyber attacks" (feb 2013)
e. (US) Warning of the “CIA Director” on new “cyberattack” scenarios (feb 2013)
f. (EU) Commission: Cybersecurity Strategy of the European Union (feb 2013)
g. (IT) Report of COPASIR 2013 on threats to national security (feb 2013)
h. (IT) DIS Report 2012 (feb 2013)
i. (IT) Warning of Prime Minister Monti on cyber risk (mar 2013)
j. (IT) DPCM 24/1/13: guidelines for cyber security and national information security (G.U. mar 2013)
6. “Operational Technology“: IT vs. OT [1]
… An independent world of "operational technology" (OT) is developing separately from IT groups … if IT organizations do not engage with OT environments to assess convergence, create alignment and seek potential areas of integration, they may be sidelined from major technology decisions - and place OT systems at risk. [Gartner - 2009]
Convergence and Alignment? And Integration?
[1] OT environment: defined as an independent world of physical-equipment-oriented computer technology (ICS)
7. I(A)CS environment …
IACS: a “heterogeneous world” with several classifications
For functional applications:
• Energy Management Systems (EMS)
• Substation control/protection systems
• Substation Automation Systems (SAS)
• Market Management Systems (MMS)
• Distributed Control Systems (DCS)
• Industrial Automation
• Safety Instrumented Systems (SIS)
• Process Control Systems
• Plant Control Systems
For technologies:
o Supervisory Control and Data Acquisition (SCADA)
o Remote Terminal Unit (RTU)
o Intelligent Electronic Device (IED)
o Programmable Logic Controller (PLC)
o Distributed Computer System (DCS)
o Process Control Network (PCN)
8. IACS key-elements
[Figure: Control Center LAN linking AGC, SCADA systems, EMS (Apps&DB) and UI (MMI/HMI); the SCADA systems connect to the Field.]
AGC controls the generation units to ensure that the optimal load is managed with the criteria of economy … it submits additional control signals to adjust GU production based on load forecasts, availability, speed of response and planned exchanges.
SCADA systems collect from the field the data characteristic of the system to be controlled, generate alarms to operators and execute commands to the field by managing communications with the RTUs ... one or more servers, data-gathering and control units (RTUs) and a set of standard and/or custom applications to monitor/control the remote elements. It can reach more than 50,000 data collection points and transmit analog or digital information, send control signals and receive input states as feedback to the control operations. It can perform complex sequences of operations and ensure the collection of information with appropriate frequency.
EMS manages the data set … used by the operators to manage state estimation, energy flows, contingency analysis, load forecasting and allocation of generating units.
UI (MMI/HMI) allows operators to have an interactive interface … to monitor the performance of the PS, manage alarm conditions and study the potential conditions that ensure system security policies on the network.
Typical functions:
• Data acquisition
• Control actions (call-up, data entry, ...)
• Processing historical data
• Conducting elements of a plant (remote controls)
• Management of "limits"
• Defined run-time calculations
• Statistics on the functioning of network elements
• Calculating average P and E (elementary)
• Calculation of financial statements
• Load shedding
• Alarms and Events
9. SCADA data flows …
[Figure: SCADA data flows (S) across the Industrial Process Domain (Field Layer, Plant Layer, Process Network) and the Enterprise Domain (Centre Layer, external connections).]
10. Link chain: Threats -> Contingencies
[Figure: threats (“IT” <> “OT”) act on exploitable vulnerabilities of components/devices (APP, HW/SW, Network) and of common resources and services, leading to system contingencies; the properties C, I, A (confidentiality, integrity, availability) are shown at each link.]
11. Why a protection program for ICS?
[Figure: timeline ‘80, ‘90, ‘00, ‘10, ‘20 with cyber threats and cyber vulnerabilities (Y axis) rising over time through the stages below.]
Enclave (“obscurity”):
– Proprietary (non-standard) protocols known to very few people
– No information published on the functioning of the systems
– Only point-to-point connection, often hosted in private telecommunication environment
– No interconnection with network management
– No interconnection with any external network (i.e. Internet)
– Operational environment inherently protected and segregated
– Low probability of unpredictable conditions of stress load
Technological evolution (change of scenario):
– Migration (also "tacit") by the vendors to "off-the-shelf” technologies
– Introduction of open standards and protocols (TCP/IP and wireless technologies), which exposes the system to its vulnerability without proper awareness
– Interconnecting needs with other corporate networks and systems, making the systems potentially accessible to unwanted entities too
– Transition from private communications networks, or networks based on "leased lines", to services of the public infrastructure, which results in increased dependence ("addiction") on public telecommunications service operators
– Remote “maintenance” needs
Awareness (compensatory measures)
Security “embedded” in the systems (tech & process)
12. Cyber incident on ICS by “human” attack!?
Security Incidents show OT vulnerability.
[Figure: attackers (APT, crackers, insiders, saboteurs, terrorists) against the layers System Security, Network Security, Application Security, Data Security and User Profile Security.]
Attack for (unauthorized) access to the resources: violation of confidentiality/integrity.
Attack to cause complete/partial unavailability: violation of availability.
Consequences:
• Information theft
• Financial losses
• Inappropriate handling of components of the PS
• Loss of production, outages, operational safety
• Difficulty of industrial operations
• Lower ability of control of the power system
• Difficulty of emergency management
• Increased risk of instability
• Domino effect on other CI
• Consequences for the community
13. What do we have? …
Control families (NIST), with class Tech / Operational / Management:
• AC Access Control (Tech)
• AT Awareness and Training (Operational)
• AU Audit & Accountability (Tech)
• CA Certification, Accreditation and Security Assessments (Management)
• CM Configuration Management (Operational)
• CP Contingency Planning (Operational)
• IA Identification & Authentication (Tech)
• IR Incident Response (Operational)
• MA Maintenance (Operational)
• MP Media Protection (Operational)
• PE Physical & Environmental Protection (Operational)
• PL Planning (Management)
• PS Personnel Security (Operational)
• RA Risk Assessment (Management)
• SA System & Services Acquisition (Management)
• SC System & Communications Protection (Tech)
• SI System & Information Integrity (Operational)
CIP standards (NERC CIP):
• CIP 002 Identification of the critical information infrastructures (IIC) supporting the EPU
• CIP 003 Security management controls
• CIP 004 Personnel and training
• CIP 005 Network access security
• CIP 006 Physical security
• CIP 007 Systems security management
• CIP 008 Incident reporting
• CIP 009 Recovery plans and DR
COMMON CRITERIA
ISO 27001 Annex A:
• A5. Information security policy
• A6. Organisational principles for the management of IS
• A7. Asset management
• A8. Personnel policies on IS
• A9. Physical and environmental security
• A10. Communications and operations management
• A11. Access control
• A12. IS management in systems acquisition, development and maintenance
• A13. Security incident management
• A14. Business continuity management
• A15. Compliance controls
Foundational requirements (IEC 62443):
• AC: Access Control
• UC: Use Control
• DI: Data Integrity
• DC: Data Confidentiality
• RDF: Restrict Data Flow
• TRE: Timely Response to Event
• NRA: Network Resource Availability
14. The first “brick” …
Selected … a Structured FRAMEWORK … as a key enabler, regardless of the source of the "controls" used as a reference (ISO, NIST or other Information Risk Management tools):
+ Improved …
+ Kept …
+ Verified …
+ Implemented …
+ Documented …
15. “Secure-by-design” framework: “pipeline” for security
[Figure: System Life Cycle, from Start through three phases.]
• Development / Acquisition Phase: “Building” a secure system
• Operational Phase: Keep the system secure (Monitoring; Access control (Phys/Log); Incident Handling; Patch management; Periodic Security Assessment; Training; Awareness; Change management)
• Disposal Phase: Secure disposal of the system
16. Unfortunately:
Comparison of controls between IT Systems and OT System (IACS):
• Antivirus. IT: available for all systems and applications, regularly updated. OT: not compatible with many (!?)
• Id & Aut, Accountability. IT: functions always implemented; individual account, unique, with complex PW, changed by policy. OT: no authentication at protocol and console level; group account, even with hard-wired or weak PW (!?)
• Patching. IT: in time, with automated tools. OT: not in time, no automated tools (!?)
• Obsolescence. IT: as a rule always supported in the life cycle of a system. OT: often not supported in time (!?)
• System Administration / Control. IT: centralized. OT: local, delegated to figures such as the system engineer (!?)
17. Unfortunately:
(Same IT vs. OT comparison as slide 16.) Same controls, but need of compensatory countermeasures: special physical & logical architectures.
18. The typical scenario …
[Figure: remote access paths (X) into the IACS over PSTN/ISDN, GPRS/UMTS and the Internet.]
Remote access parties: technicians on the road; vendors; outsourcers (ex. TelCo); other TSO/Utility/Operator; outsourcers (ex. IT - TelCo); third parties (partners); remote access for staff; personal mobility.
19. … must be adapted …
Going towards a Defense-in-Depth approach
[Figure: the same remote access paths (X) over the Internet, PSTN/ISDN and GPRS/UMTS, for technicians on the road, vendors, outsourcers (ex. TelCo), other TSO/Utility/Operator, outsourcers (ex. IT - TelCo), third parties (partners), remote access for staff and personal mobility.]
20. … for different security requirements!
[Figure: public networks (Internet) and the IACS, with the separation points marked X.]
21. … for different security requirements!
[Figure: public networks (Internet) separated (X) from the IACS by two DMZs.]
• DMZ for (management) Remote Access: Remote Access Gateway
• DMZ for Exposed IACS Services: Services/Applications with replicated (mirrored) DBs (“one-way” mode)
• IACS internal DBs (typically real-time critical DBs): not accessible from outside of process networks
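The zone model on this slide (a remote-access DMZ in front of the process network, an exposed-services DMZ fed by one-way mirrored DBs, and internal DBs unreachable from outside) can be checked against planned or observed connection records. The following Python is an added example, not from the talk or from any TSO's own tooling; the zone names, the allow-list and the "src_zone dst_zone proto dport" record format are assumptions made for the example.

```python
# Zones drawn on the slide; the names are assumed for this example.
INTERNET = "internet"
RA_DMZ = "dmz_remote_access"       # DMZ for (management) remote access
SVC_DMZ = "dmz_exposed_services"   # DMZ for exposed IACS services (mirrored DBs)
PROCESS = "process_network"        # IACS internal, real-time critical DBs

# Allowed (initiator, responder) pairs. The mirror is "one-way": the process
# network pushes to the exposed DMZ, never the reverse, and only the remote
# access gateway may open sessions into the process network.
ALLOWED_FLOWS = {
    (INTERNET, RA_DMZ),   # remote users terminate on the gateway
    (RA_DMZ, PROCESS),    # the gateway brokers the session inward
    (INTERNET, SVC_DMZ),  # external consumers read the mirrored data
    (PROCESS, SVC_DMZ),   # one-way push of the mirror
}

def violation(src_zone, dst_zone):
    """Why src_zone may not open a session to dst_zone, or None if allowed."""
    pair = (src_zone, dst_zone)
    if src_zone == dst_zone or pair in ALLOWED_FLOWS:
        return None
    if pair == (SVC_DMZ, PROCESS):
        return "exposed DMZ initiating toward internal DBs (breaks the one-way mirror)"
    if dst_zone == PROCESS:
        return "process network reached without passing the remote access gateway"
    return "zone pair not in the allow-list"

def audit(records):
    """Return (record, reason) for each 'src dst proto dport' record the model forbids."""
    findings = []
    for line in (r.strip() for r in records):
        if not line:
            continue
        src, dst, _proto, _dport = line.split()   # proto/port are not part of the zone rule
        reason = violation(src, dst)
        if reason:
            findings.append((line, reason))
    return findings

# Constructed sample flow records (not real traffic); the 3rd and 5th violate.
SAMPLE_RECORDS = """\
internet dmz_remote_access tcp 443
dmz_remote_access process_network tcp 22
internet process_network tcp 502
process_network dmz_exposed_services tcp 5432
dmz_exposed_services process_network tcp 5432
internet dmz_exposed_services tcp 443
""".splitlines()
```

Running `audit(SAMPLE_RECORDS)` reports the two records that reach the process network without the gateway or reverse the one-way mirror.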