SlideShare une entreprise Scribd logo

Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants

Télécharger en tant que PPTX, PDF
M
Manuel Santander

Hydroelectric generation plants possess a number of cyberterrorism risks, which could cause significant problems like interruptions in the power grid or water leaks from the reservoir, among others. This presentation will discuss the vulnerabilities in the infrastructure of hydroelectric generation plants, some tools to check for them and several remediation techniques to avoid materialization of problems.

TechnologieBusiness
1  sur  68
Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants Manuel Humberto Santander Peláez msantand@isc.sans.org
Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
SCADA • Supervisory Control and Data Acquisition • Platform used to monitor and control all the variables of a real-time process • Several variables to monitor – Vibrations on the turbine rotor – Flow speed of oil inside a turbine rotor – Amount of electric charge passing inside an electricity transmission line
Electrical process • Three big steps – Generation – Transmission – Distribution • Energy is created using any of the following methods – Thermoelectrical plans – Nuclear plants – Hydro electrical plants
Electrical process (2) • SCADA platform is vital to perform the following when generation takes place: – Ensure turbines are not having revolutions more than supported – Generators are not working overloaded – Energy being generated matches the amount of energy that the transmission line can handle
Electrical process (3) • Transmission – Energy being generated needs to be distributed to reach the final users – 115 KV is the power used to transmit in the wire lines – Final destination are the substations that handles energy of a specific amount of instalations – Large number of blocks in a city
Electrical process (4) • SCADA platform is vital to perform the following when transmission takes place: – Monitoring of voltage in transmission lines looking for high amount of electricity flowing – None of them can get overloaded because protections get activated and a blackout appears in all the installations that are controlled by the affected substations
Electrical process (5) • Distribution – Energy being generated needs to be distributed to reach the final users – 115 KV is the power used to transmit in the wire lines – Final destination are the substations that handles energy of a specific amount of instalations – Large number of blocks in a city
Electrical process (6) • SCADA platform is vital to perform the following when distribution takes place: – Monitoring of voltage in transmission lines looking for high amount of electricity flowing – Monitoring of voltage in user meters looking for high amount of electricity flowing
Electrical System Source: United States Department of Energy
Hydroelectrical Plant Process Source: circuitmaniac.com
Hydroelectrical Turbine Source: United States Army Corps of Engineers
Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
SCADA Network inside Power Plant Unit Controller Turbine Speed Regulator Voltage Regulator Generator Protection Controller Cooling and oil pump controller HMI Console Substation controller Switch Controller Voltage Meter Reader HMI Console Protection Controller SUBSTATION SCADA GENERATION POWER SCADA
SCADA Network inside Power Plant (2) • Generation Power Plant – Unit Controller: Controls all the subsystems making the generator to be able to inject active power to the electrical network – Voltage regulator: Controls the frequency of the active power being produced by the generator. Must match the frequency in the electrical network
SCADA Network inside Power Plant (3) • Generation Power Plant – Turbine speed regulator: Controls the speed of the turbine – Cooling and oil pump controller: Controls refrigeration and lubrication of the rotor system of the turbine so there’s no heat or friction – Generator protection controller: Controls excessive voltage changes in the generator
SCADA Network inside Power Plant (4) • Substation SCADA – Substation Controller: Controls all the systems to make possible the energy being transmitted all across the electrical network – Switch controller: If there is too much energy on a line trying to overcome its capacity, the switch opens the circuit and the energy stops flowing
SCADA Network inside Power Plant (5) • Substation SCADA: – Voltage meter: Meters the amount of electricity flowing in the input and output lines so the Substation Controller can tell if there is a problem regarding the transmission line capacity being overcome its capacity
Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
SCADA Protocols • Modbus • IEC 104 • DNP3
Modbus Source: Practical Industrial Data Communications
Modbus (2) • Client/server protocol which operates in a request/response mode • Three variants: – Modbus serial RS-232/RS-485: Implemented on serial networks – Modbus TCP: Used for SCADA platforms where delay is not an issue (Water supply) – Modbus UDP: Used for SCADA platforms where delay is a big issue (Energy)
Modbus (3) Source: Practical Industrial Data Communications
Modbus (4) • Modbus protocol structure – Address field: • Request frames: Address of the device being targeted by the request • Response frame: Address of the device responding to request
Modbus (5) • Modbus protocol structure – Function field • Function requested by the HMI to be performed by the field devices • In response packets, when the function performed is succeeded, the field device echoes it. If some exception occurred, the most significant bit of the field is set to 1
Modbus (6) Function Name Function Code Physical Discrete Inputs Read Discrete Inputs 2 Read Coils 1 Write Single Coil 5 Write Multiple Coils 15 Physical Input Registers Read Input Register 4 Read Holding Registers 3 Write Single Register 6 Write Multiple Registers 16 Read/Write Multiple Registers 23 Mask Write Register 22 Read FIFO Queue 24 Read File Record 20 Write File Record 21 Type of access Data Access Bit access Internal Bits or Physical Coils 16-bit access Internal Registers or Physical Output Registers File Record Access
Modbus (7) Function Name Function Code Read Exception Status 7 Diagnostic 8 Get Com Event Counter 11 Get Com Event Log 12 Report Slave ID 17 Read Device Identification 43 Encapsulated Interface Transport 43 Type of access Diagnostics Other
Modbus (8) • Modbus protocol structure – Data field • In request paquets, contains the information required to perform the specific function • In response packets, contains the information requested by the HMI
Modbus (9) • Modbus protocol structure – Error check Field • CRC-16 on the message frame • If packet has errors, the field device does not process it • Timeout is assumed, so the master sends again the packet to attempt again a function execution
IEC 104 • Standard for power system monitoring, control and communications for telecontrol and teleprotection for electric power systems • Completely compatible with: – IEC 60870-5-1: Transmission frame formats for standard 60870-5 – IEC 60870-5-5: Basic application functions
IEC 104 (2) • It has the following features: – Supports master initiated messages and master/slave initiated messages – Facility for time sinchronization – Possibility of classifying data being transmitted into 16 different groups to get the data according to the group – Cyclic and spontaneous data updating schemes are provided.
IEC 104 (3) Source: Practical Industrial Data Communications
IEC 104 (4) Source: Practical Industrial Data Communications
IEC 104 (5) Source: Practical Industrial Data Communications
IEC 104 (6) • Link level Link service class Function Explanation S1 SEND / NO REPLY Transmit message. No ACK or answer required S2 SEND / CONFIRM Transmit message. ACK required S3 REQUEST / RESPOND Transmit message. ACK and answer required
IEC 104 (7) Source: Practical Industrial Data Communications
IEC 104 (8) Source: Practical Industrial Data Communications • Control field for unbalanced transmissions
IEC 104 (8) Source: Practical Industrial Data Communications • Control field for balanced transmissions
DNP3 • Set of communication protocols used between components of a SCADA system • Used for communications between RTU and the IED (field devices) • Implements the communication levels established by the enhance performance architecture (EPA)
DNP3 (2) • Enhance performance architecture (EPA) Source: Practical Industrial Data Communications
DNP3 (3) • Message exchange Source: Practical Industrial Data Communications
DNP3 (4) • Frame format Source: Practical Industrial Data Communications
DNP3 (5) • Control Byte Source: Practical Industrial Data Communications
Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
Cyberterrorism Risks • Many awful thins can happen to a power plant – Stop generation because of partial or total damage to the generator – Stop generation because of partial or total damage to the transmission substation – Stop generation because of partial or total damage to the turbine
Cyberterrorism Risks (2) • Many awful thins can happen to a power plant – Transformer explosion because lack of transmission line protection capacity – Massive water leakage because of explosion of the turbine container • All of them can happen because of unauthorized manipulations of the HMI and after the configs are updated
Network technologies in SCADA Systems • Many SCADA networks still use RS232/RS485 bus to communicate all components – But also because of the need to access data in a fast way, we also have serial-to- ip gateways to access serial RTU and IED – Lots of hybrid SCADA networks having serial and IP components – Access is open to anyone with connectivity access
Network technologies in SCADA Systems (2) • Many SCADA networks still use RS232/RS485 bus to communicate all components – Admin protocols is not being crypted, so anyone can sniff all the contents, perform a MITM and send to client/server fake content to each other. Insecure services like telnet are mandatory because lack of support – Latency is an issue
Lack of authentication in application protocol • The SCADA protocols does not perform bi-directional authentication to ensure that all parties are trusted – Only commands are sent – Data is sent to the IP address configured as master – All the IP spoofing vulnerabilities works on any MTU or Field device – Any command can be sent
Default configurations in HMI • Insecure services used – rlogin – rcp – rexec • OS Admin privileges used to operate • Trust perimeter created within HMI and external RTU and IED to manipulate configuration parameters
What could be done? • Reset a link state communication or send Test Communication packet several times provoking temporal DoS to the IED controllers – Spoof the HMI IP address and send the following using TCP: 0x56405c00100020074e3 – Spoof the HMI ip address and send the following using TCP: 0x56405f201000200b717
What could be done? (2) • Send commands to the IED controllers – Registers are linked to turn on and off specific devices like oil and refrigeration pumps – A Modbus command to change registers is enough to disable any of those pumps – Command depends on the place where the pump is configured
What could be done? (3) • Execute metasploit to the HMI and try to find remote admin exploits – No patches are installed – Too much vulnerabilities around – The odds of finding remote privilege escalation vulnerabilities are too high – Are passwords strong enough in the HMI software and OS? – Is there any password at all configured?
What could be done? (3) • MITM attacks to the substation elements and generation plant elements – TCP sequence prediction on this elements is pretty high – Prone to session hijacking (http://www.youtube.com/watch?v=s_X D8heYNrc)
Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
What you cannot do with SCADA • Protocol delay is usually a BIG issue in SCADA – Water supply and Oil SCADA tolerates big delays because it does not have consequences in the process – Power SCADA is critical. A delay higher than 12 miliseconds could end in a massive blackout because of failure to open a breaker in a substation – Be careful on what you do to protect your SCADA
SCADA Network inside Power Plant Unit Controller Turbine Speed Regulator Voltage Regulator Generator Protection Controller Cooling and oil pump controller HMI Console Substation controller Switch Controller Voltage Meter Reader HMI Console Protection Controller SUBSTATION SCADA GENERATION POWER SCADA
Monitor your network • Control Access from outsiders – SCADA Network needs to send information for reports and status checking – You can establish a secure way to get into the SCADA Network for remote support – If no commands need to be sent, one- way communications using waterfall works pretty good.
Monitor your network (2) Source: Waterfall Security
Monitor your network (3) • Use Network Intrusion Prevention System – You definitely can use conventional IPS if they are fast enough to avoid delays in your network – Not all of them support SCADA protocols – If you have snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules – Industrial Defender Solution works pretty good as it includes lots of SCADA signatures
Monitor your network (4) • Control Access from outsiders – Energy market central regulators are able to control your power generation SCADA and make you generate what you won at the electricity market – Be able to override control from your local market control center if for some reason you notice abnormal operations that put your generation infrastructure in risk
Monitor your network (5) Source: FERC
• SCADA platforms are designed to last from 10 to 20 years – Too many technology changes happens in that time – Lots of security issues to deal with – Need a solution to avoid any changes inside computers, as intrusions perform changes in filesystem, configurations and system process Control unauthorized changes to Master Terminal Unit
Control unauthorized changes to Unit Controllers and IED controllers • Configuration and firmware changes can be done on-site and remotely • Can you tell all the times where those changes have been done for all the IED and Unit controllers? • Can you tell if that change actually contains the valid firmware and/or configuration? • Check IndustrialDefender Manage
Control unauthorized changes to Master Terminal Unit (3) • Control any changes inside your SCADA servers – Mcafee Integrity control works pretty good – Defines what can be changed by who – Lots of custom logs to choose from – Can send events to any SIEM configured in the Network
Monitor attacks to Master Unit • Host IPS is definitely needed as any attack could change the integrity and stability of a process • Availability is critical to a SCADA system and cannot be altered • Conventional Host IPS performs extensive use of CPU and can affect performance inside SCADA
Monitor attacks to Master Unit (2) • Industrial Defender Protect works pretty good • Works seamless with Siemens Spectrum Platform • Does not load the machine or needs extensive bandwith to perform its checks • Central console to perform operations inside the platform
Questions? Comments? Manuel Humberto Santander Peláez http://manuel.santander.name http://twitter.com/manuelsantander msantand@isc.sans.org / manuel@santander.name

Recommandé

Survey: Embedded Systems In Power Industry
Survey: Embedded Systems In Power IndustrySurvey: Embedded Systems In Power Industry
Survey: Embedded Systems In Power IndustryShrey Bhatnagar
 
Distributed control system presentation
Distributed control system presentationDistributed control system presentation
Distributed control system presentationAYUSH VARSHNEY
 
OPAL-RT RT13 Conference: New communication protocols
OPAL-RT RT13 Conference: New communication protocolsOPAL-RT RT13 Conference: New communication protocols
OPAL-RT RT13 Conference: New communication protocolsOPAL-RT TECHNOLOGIES
 
Scada protocols-and-communications-trends
Scada protocols-and-communications-trendsScada protocols-and-communications-trends
Scada protocols-and-communications-trendsSandip Roy
 
substation automation
substation automationsubstation automation
substation automationMahbub Rashid
 
Scada systems automating electrical distribution
Scada systems automating electrical distributionScada systems automating electrical distribution
Scada systems automating electrical distributionSHUBHAM SAINI
 
Power system automation
Power system automationPower system automation
Power system automationGuider Lee
 
Gemini_3__3008_web
Gemini_3__3008_webGemini_3__3008_web
Gemini_3__3008_webAlex Bogias, Phd
 

Recommandé

Survey: Embedded Systems In Power Industry
Survey: Embedded Systems In Power IndustrySurvey: Embedded Systems In Power Industry
Survey: Embedded Systems In Power IndustryShrey Bhatnagar
 
Distributed control system presentation
Distributed control system presentationDistributed control system presentation
Distributed control system presentationAYUSH VARSHNEY
 
OPAL-RT RT13 Conference: New communication protocols
OPAL-RT RT13 Conference: New communication protocolsOPAL-RT RT13 Conference: New communication protocols
OPAL-RT RT13 Conference: New communication protocolsOPAL-RT TECHNOLOGIES
 
Scada protocols-and-communications-trends
Scada protocols-and-communications-trendsScada protocols-and-communications-trends
Scada protocols-and-communications-trendsSandip Roy
 
substation automation
substation automationsubstation automation
substation automationMahbub Rashid
 
Scada systems automating electrical distribution
Scada systems automating electrical distributionScada systems automating electrical distribution
Scada systems automating electrical distributionSHUBHAM SAINI
 
Power system automation
Power system automationPower system automation
Power system automationGuider Lee
 
Gemini_3__3008_web
Gemini_3__3008_webGemini_3__3008_web
Gemini_3__3008_webAlex Bogias, Phd
 
DCS fundamentals
DCS fundamentalsDCS fundamentals
DCS fundamentalsAlok Saikia
 
67469276 scada
67469276 scada67469276 scada
67469276 scadathangbd
 
Burns Presantation
Burns PresantationBurns Presantation
Burns Presantationecburnsjr
 
PLC and SCADA communication
PLC and SCADA communicationPLC and SCADA communication
PLC and SCADA communicationTalha Shaikh
 
Dcs
DcsDcs
DcsAKANSHA GURELE
 
Session 21 - DCS Introduction
Session 21 - DCS IntroductionSession 21 - DCS Introduction
Session 21 - DCS IntroductionVidyaIA
 
DCS - Distributed Control System
DCS - Distributed Control System DCS - Distributed Control System
DCS - Distributed Control System Pratheep M
 
Ls catalog thiet bi tu dong master rtu e_dienhathe.vn
Ls catalog thiet bi tu dong master rtu e_dienhathe.vnLs catalog thiet bi tu dong master rtu e_dienhathe.vn
Ls catalog thiet bi tu dong master rtu e_dienhathe.vnDien Ha The
 
Scada ppt
Scada pptScada ppt
Scada pptzudakki
 
NETWORKING, COMMUNICATION SYSTEMS AND SCADA
NETWORKING, COMMUNICATION SYSTEMS AND SCADANETWORKING, COMMUNICATION SYSTEMS AND SCADA
NETWORKING, COMMUNICATION SYSTEMS AND SCADAPratik Aggarwal
 
SCADA
SCADASCADA
SCADAalmuamar
 
Raritan BCM Data Sheet
Raritan BCM Data SheetRaritan BCM Data Sheet
Raritan BCM Data SheetMike Hogan
 
SCADA
SCADASCADA
SCADAMd. Rimon Mia
 
Distributed Control System (Presentation)
Distributed Control System (Presentation)Distributed Control System (Presentation)
Distributed Control System (Presentation)Thunder Bolt
 
Peek Traffic Controller PTC 1
Peek Traffic Controller PTC 1Peek Traffic Controller PTC 1
Peek Traffic Controller PTC 1Peter Ashley
 
Report_Modernization of Gas Metering Station
Report_Modernization of Gas Metering StationReport_Modernization of Gas Metering Station
Report_Modernization of Gas Metering StationTariq Jamil
 
Distributed Control System
Distributed Control SystemDistributed Control System
Distributed Control System3abooodi
 
Cross country pipeline _Telecom_Instrumentation and SCADA
Cross country pipeline _Telecom_Instrumentation and SCADACross country pipeline _Telecom_Instrumentation and SCADA
Cross country pipeline _Telecom_Instrumentation and SCADARakesh Ujjawal
 
All about scada
All about scadaAll about scada
All about scadaStella Hermias
 
Scada classification
Scada classificationScada classification
Scada classificationAhmed Sebaii
 
Lecture+9+-+SCADA+Systems.pdf
Lecture+9+-+SCADA+Systems.pdfLecture+9+-+SCADA+Systems.pdf
Lecture+9+-+SCADA+Systems.pdfSmritiGarg21
 
Lecture+9+-+SCADA+Systems.pptx
Lecture+9+-+SCADA+Systems.pptxLecture+9+-+SCADA+Systems.pptx
Lecture+9+-+SCADA+Systems.pptxsurangagw
 

Contenu connexe

Tendances

DCS fundamentals
DCS fundamentalsDCS fundamentals
DCS fundamentalsAlok Saikia
 
67469276 scada
67469276 scada67469276 scada
67469276 scadathangbd
 
Burns Presantation
Burns PresantationBurns Presantation
Burns Presantationecburnsjr
 
PLC and SCADA communication
PLC and SCADA communicationPLC and SCADA communication
PLC and SCADA communicationTalha Shaikh
 
Session 21 - DCS Introduction
Session 21 - DCS IntroductionSession 21 - DCS Introduction
Session 21 - DCS IntroductionVidyaIA
 
DCS - Distributed Control System
DCS - Distributed Control System DCS - Distributed Control System
DCS - Distributed Control System Pratheep M
 
Ls catalog thiet bi tu dong master rtu e_dienhathe.vn
Ls catalog thiet bi tu dong master rtu e_dienhathe.vnLs catalog thiet bi tu dong master rtu e_dienhathe.vn
Ls catalog thiet bi tu dong master rtu e_dienhathe.vnDien Ha The
 
Scada ppt
Scada pptScada ppt
Scada pptzudakki
 
NETWORKING, COMMUNICATION SYSTEMS AND SCADA
NETWORKING, COMMUNICATION SYSTEMS AND SCADANETWORKING, COMMUNICATION SYSTEMS AND SCADA
NETWORKING, COMMUNICATION SYSTEMS AND SCADAPratik Aggarwal
 
Raritan BCM Data Sheet
Raritan BCM Data SheetRaritan BCM Data Sheet
Raritan BCM Data SheetMike Hogan
 
Distributed Control System (Presentation)
Distributed Control System (Presentation)Distributed Control System (Presentation)
Distributed Control System (Presentation)Thunder Bolt
 
Peek Traffic Controller PTC 1
Peek Traffic Controller PTC 1Peek Traffic Controller PTC 1
Peek Traffic Controller PTC 1Peter Ashley
 
Report_Modernization of Gas Metering Station
Report_Modernization of Gas Metering StationReport_Modernization of Gas Metering Station
Report_Modernization of Gas Metering StationTariq Jamil
 
Distributed Control System
Distributed Control SystemDistributed Control System
Distributed Control System3abooodi
 
Cross country pipeline _Telecom_Instrumentation and SCADA
Cross country pipeline _Telecom_Instrumentation and SCADACross country pipeline _Telecom_Instrumentation and SCADA
Cross country pipeline _Telecom_Instrumentation and SCADARakesh Ujjawal
 
Scada classification
Scada classificationScada classification
Scada classificationAhmed Sebaii
 

Tendances (20)

DCS fundamentals
DCS fundamentalsDCS fundamentals
DCS fundamentals
 
67469276 scada
67469276 scada67469276 scada
67469276 scada
 
Burns Presantation
Burns PresantationBurns Presantation
Burns Presantation
 
PLC and SCADA communication
PLC and SCADA communicationPLC and SCADA communication
PLC and SCADA communication
 
Dcs
DcsDcs
Dcs
 
Session 21 - DCS Introduction
Session 21 - DCS IntroductionSession 21 - DCS Introduction
Session 21 - DCS Introduction
 
DCS - Distributed Control System
DCS - Distributed Control System DCS - Distributed Control System
DCS - Distributed Control System
 
Ls catalog thiet bi tu dong master rtu e_dienhathe.vn
Ls catalog thiet bi tu dong master rtu e_dienhathe.vnLs catalog thiet bi tu dong master rtu e_dienhathe.vn
Ls catalog thiet bi tu dong master rtu e_dienhathe.vn
 
Scada ppt
Scada pptScada ppt
Scada ppt
 
NETWORKING, COMMUNICATION SYSTEMS AND SCADA
NETWORKING, COMMUNICATION SYSTEMS AND SCADANETWORKING, COMMUNICATION SYSTEMS AND SCADA
NETWORKING, COMMUNICATION SYSTEMS AND SCADA
 
SCADA
SCADASCADA
SCADA
 
Raritan BCM Data Sheet
Raritan BCM Data SheetRaritan BCM Data Sheet
Raritan BCM Data Sheet
 
SCADA
SCADASCADA
SCADA
 
Distributed Control System (Presentation)
Distributed Control System (Presentation)Distributed Control System (Presentation)
Distributed Control System (Presentation)
 
Peek Traffic Controller PTC 1
Peek Traffic Controller PTC 1Peek Traffic Controller PTC 1
Peek Traffic Controller PTC 1
 
Report_Modernization of Gas Metering Station
Report_Modernization of Gas Metering StationReport_Modernization of Gas Metering Station
Report_Modernization of Gas Metering Station
 
Distributed Control System
Distributed Control SystemDistributed Control System
Distributed Control System
 
Cross country pipeline _Telecom_Instrumentation and SCADA
Cross country pipeline _Telecom_Instrumentation and SCADACross country pipeline _Telecom_Instrumentation and SCADA
Cross country pipeline _Telecom_Instrumentation and SCADA
 
All about scada
All about scadaAll about scada
All about scada
 
Scada classification
Scada classificationScada classification
Scada classification
 

Similaire à Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants

Lecture+9+-+SCADA+Systems.pdf
Lecture+9+-+SCADA+Systems.pdfLecture+9+-+SCADA+Systems.pdf
Lecture+9+-+SCADA+Systems.pdfSmritiGarg21
 
Lecture+9+-+SCADA+Systems.pptx
Lecture+9+-+SCADA+Systems.pptxLecture+9+-+SCADA+Systems.pptx
Lecture+9+-+SCADA+Systems.pptxsurangagw
 
Scada presentation
Scada presentationScada presentation
Scada presentationAmit Kumar
 
Scada For G Mgt
Scada For G MgtScada For G Mgt
Scada For G MgtAnil Patil
 
Introduction to SCADA
Introduction to SCADAIntroduction to SCADA
Introduction to SCADAPraveen Kumar
 
2017 Atlanta Regional User Seminar - Real-Time Microgrid Demos
2017 Atlanta Regional User Seminar - Real-Time Microgrid Demos2017 Atlanta Regional User Seminar - Real-Time Microgrid Demos
2017 Atlanta Regional User Seminar - Real-Time Microgrid DemosOPAL-RT TECHNOLOGIES
 
2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...
2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...
2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...OPAL-RT TECHNOLOGIES
 
20BEE042 5th semester Internship PPT.pptx
20BEE042 5th semester Internship PPT.pptx20BEE042 5th semester Internship PPT.pptx
20BEE042 5th semester Internship PPT.pptxSumitRajput83
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data CommunicationsDaniel Ehrenreich
 
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUESCONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUESEMERSON EDUARDO RODRIGUES
 
Distribution System Automation
Distribution System Automation Distribution System Automation
Distribution System Automation Adithya Ballaji
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsShah Sheikh
 
DeployingAnAdvancedDistribution.pdf
DeployingAnAdvancedDistribution.pdfDeployingAnAdvancedDistribution.pdf
DeployingAnAdvancedDistribution.pdfbayu162365
 
OPAL-RT HYPERSIM Features applied for Relay Testing
OPAL-RT HYPERSIM Features applied for Relay TestingOPAL-RT HYPERSIM Features applied for Relay Testing
OPAL-RT HYPERSIM Features applied for Relay TestingOPAL-RT TECHNOLOGIES
 
RE3- Transmission Grid Technologies.pdf
RE3- Transmission Grid Technologies.pdfRE3- Transmission Grid Technologies.pdf
RE3- Transmission Grid Technologies.pdfMuhammadArshad436
 

Similaire à Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants (20)

Lecture+9+-+SCADA+Systems.pdf
Lecture+9+-+SCADA+Systems.pdfLecture+9+-+SCADA+Systems.pdf
Lecture+9+-+SCADA+Systems.pdf
 
Lecture+9+-+SCADA+Systems.pptx
Lecture+9+-+SCADA+Systems.pptxLecture+9+-+SCADA+Systems.pptx
Lecture+9+-+SCADA+Systems.pptx
 
Scada presentation
Scada presentationScada presentation
Scada presentation
 
Scada For G Mgt
Scada For G MgtScada For G Mgt
Scada For G Mgt
 
Introduction to SCADA
Introduction to SCADAIntroduction to SCADA
Introduction to SCADA
 
2017 Atlanta Regional User Seminar - Real-Time Microgrid Demos
2017 Atlanta Regional User Seminar - Real-Time Microgrid Demos2017 Atlanta Regional User Seminar - Real-Time Microgrid Demos
2017 Atlanta Regional User Seminar - Real-Time Microgrid Demos
 
2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...
2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...
2017 Atlanta Regional User Seminar - Virtualizing Industrial Control Systems ...
 
20BEE042 5th semester Internship PPT.pptx
20BEE042 5th semester Internship PPT.pptx20BEE042 5th semester Internship PPT.pptx
20BEE042 5th semester Internship PPT.pptx
 
Wireless SCADA Data Communications
Wireless SCADA Data CommunicationsWireless SCADA Data Communications
Wireless SCADA Data Communications
 
Parameters for drive test
Parameters for drive testParameters for drive test
Parameters for drive test
 
SCADA PPT.pdf
SCADA PPT.pdfSCADA PPT.pdf
SCADA PPT.pdf
 
CONCEPT OF SCADA.pdf
CONCEPT OF SCADA.pdfCONCEPT OF SCADA.pdf
CONCEPT OF SCADA.pdf
 
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUESCONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
CONCEPT OF SCADA System EMERSON EDUARDO RODRIGUES
 
UNIT-5-PPT.ppt
UNIT-5-PPT.pptUNIT-5-PPT.ppt
UNIT-5-PPT.ppt
 
SCH5627P.pdf
SCH5627P.pdfSCH5627P.pdf
SCH5627P.pdf
 
Distribution System Automation
Distribution System Automation Distribution System Automation
Distribution System Automation
 
DTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security SolutionsDTS Solution - SCADA Security Solutions
DTS Solution - SCADA Security Solutions
 
DeployingAnAdvancedDistribution.pdf
DeployingAnAdvancedDistribution.pdfDeployingAnAdvancedDistribution.pdf
DeployingAnAdvancedDistribution.pdf
 
OPAL-RT HYPERSIM Features applied for Relay Testing
OPAL-RT HYPERSIM Features applied for Relay TestingOPAL-RT HYPERSIM Features applied for Relay Testing
OPAL-RT HYPERSIM Features applied for Relay Testing
 
RE3- Transmission Grid Technologies.pdf
RE3- Transmission Grid Technologies.pdfRE3- Transmission Grid Technologies.pdf
RE3- Transmission Grid Technologies.pdf
 

Plus de Manuel Santander

Ciberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casaCiberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casaManuel Santander
 
Respuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energíaRespuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energíaManuel Santander
 
Ciberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la InformaciónCiberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la InformaciónManuel Santander
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Manuel Santander
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsManuel Santander
 
Monitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA SecurityMonitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA SecurityManuel Santander
 
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...Manuel Santander
 

Plus de Manuel Santander (7)

Ciberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casaCiberseguridad en tiempos de trabajo en casa
Ciberseguridad en tiempos de trabajo en casa
 
Respuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energíaRespuesta a incidentes en sistemas de transmisión y distribución de energía
Respuesta a incidentes en sistemas de transmisión y distribución de energía
 
Ciberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la InformaciónCiberterrorismo: La nueva realidad de la Seguridad de la Información
Ciberterrorismo: La nueva realidad de la Seguridad de la Información
 
Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...Authentication Issues between entities during protocol message exchange in SC...
Authentication Issues between entities during protocol message exchange in SC...
 
Cisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designsCisco Malware: A new risk to consider in perimeter security designs
Cisco Malware: A new risk to consider in perimeter security designs
 
Monitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA SecurityMonitoring Emerging Threats: SCADA Security
Monitoring Emerging Threats: SCADA Security
 
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
Acciones Empresariales En La PrevencióN De Criminalidad Virtual Para Mitigar ...
 

Dernier

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Dernier (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants

  • 1. Avoiding Cyberterrorism Threats Inside Hydraulic Power Generation Plants Manuel Humberto Santander Peláez msantand@isc.sans.org
  • 2. Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
  • 3. SCADA • Supervisory Control and Data Acquisition • Platform used to monitor and control all the variables of a real-time process • Several variables to monitor – Vibrations on the turbine rotor – Flow speed of oil inside a turbine rotor – Amount of electric charge passing inside an electricity transmission line
  • 4. Electrical process • Three big steps – Generation – Transmission – Distribution • Energy is created using any of the following methods – Thermoelectrical plans – Nuclear plants – Hydro electrical plants
  • 5. Electrical process (2) • SCADA platform is vital to perform the following when generation takes place: – Ensure turbines are not having revolutions more than supported – Generators are not working overloaded – Energy being generated matches the amount of energy that the transmission line can handle
  • 6. Electrical process (3) • Transmission – Energy being generated needs to be distributed to reach the final users – 115 KV is the power used to transmit in the wire lines – Final destination are the substations that handles energy of a specific amount of instalations – Large number of blocks in a city
  • 7. Electrical process (4) • SCADA platform is vital to perform the following when transmission takes place: – Monitoring of voltage in transmission lines looking for high amount of electricity flowing – None of them can get overloaded because protections get activated and a blackout appears in all the installations that are controlled by the affected substations
  • 8. Electrical process (5) • Distribution – Energy being generated needs to be distributed to reach the final users – 115 KV is the power used to transmit in the wire lines – Final destination are the substations that handles energy of a specific amount of instalations – Large number of blocks in a city
  • 9. Electrical process (6) • SCADA platform is vital to perform the following when distribution takes place: – Monitoring of voltage in transmission lines looking for high amount of electricity flowing – Monitoring of voltage in user meters looking for high amount of electricity flowing
  • 13. Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
  • 14. SCADA Network inside Power Plant Unit Controller Turbine Speed Regulator Voltage Regulator Generator Protection Controller Cooling and oil pump controller HMI Console Substation controller Switch Controller Voltage Meter Reader HMI Console Protection Controller SUBSTATION SCADA GENERATION POWER SCADA
  • 15. SCADA Network inside Power Plant (2) • Generation Power Plant – Unit Controller: Controls all the subsystems making the generator to be able to inject active power to the electrical network – Voltage regulator: Controls the frequency of the active power being produced by the generator. Must match the frequency in the electrical network
  • 16. SCADA Network inside Power Plant (3) • Generation Power Plant – Turbine speed regulator: Controls the speed of the turbine – Cooling and oil pump controller: Controls refrigeration and lubrication of the rotor system of the turbine so there’s no heat or friction – Generator protection controller: Controls excessive voltage changes in the generator
  • 17. SCADA Network inside Power Plant (4) • Substation SCADA – Substation Controller: Controls all the systems to make possible the energy being transmitted all across the electrical network – Switch controller: If there is too much energy on a line trying to overcome its capacity, the switch opens the circuit and the energy stops flowing
  • 18. SCADA Network inside Power Plant (5) • Substation SCADA: – Voltage meter: Meters the amount of electricity flowing in the input and output lines so the Substation Controller can tell if there is a problem regarding the transmission line capacity being overcome its capacity
  • 19. Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
  • 20. SCADA Protocols • Modbus • IEC 104 • DNP3
  • 21. Modbus Source: Practical Industrial Data Communications
  • 22. Modbus (2) • Client/server protocol which operates in a request/response mode • Three variants: – Modbus serial RS-232/RS-485: Implemented on serial networks – Modbus TCP: Used for SCADA platforms where delay is not an issue (Water supply) – Modbus UDP: Used for SCADA platforms where delay is a big issue (Energy)
  • 23. Modbus (3) Source: Practical Industrial Data Communications
  • 24. Modbus (4) • Modbus protocol structure – Address field: • Request frames: Address of the device being targeted by the request • Response frame: Address of the device responding to request
  • 25. Modbus (5) • Modbus protocol structure – Function field • Function requested by the HMI to be performed by the field devices • In response packets, when the function performed is succeeded, the field device echoes it. If some exception occurred, the most significant bit of the field is set to 1
  • 26. Modbus (6) Function Name Function Code Physical Discrete Inputs Read Discrete Inputs 2 Read Coils 1 Write Single Coil 5 Write Multiple Coils 15 Physical Input Registers Read Input Register 4 Read Holding Registers 3 Write Single Register 6 Write Multiple Registers 16 Read/Write Multiple Registers 23 Mask Write Register 22 Read FIFO Queue 24 Read File Record 20 Write File Record 21 Type of access Data Access Bit access Internal Bits or Physical Coils 16-bit access Internal Registers or Physical Output Registers File Record Access
  • 27. Modbus (7) Function Name Function Code Read Exception Status 7 Diagnostic 8 Get Com Event Counter 11 Get Com Event Log 12 Report Slave ID 17 Read Device Identification 43 Encapsulated Interface Transport 43 Type of access Diagnostics Other
  • 28. Modbus (8) • Modbus protocol structure – Data field • In request paquets, contains the information required to perform the specific function • In response packets, contains the information requested by the HMI
  • 29. Modbus (9) • Modbus protocol structure – Error check Field • CRC-16 on the message frame • If packet has errors, the field device does not process it • Timeout is assumed, so the master sends again the packet to attempt again a function execution
  • 30. IEC 104 • Standard for power system monitoring, control and communications for telecontrol and teleprotection for electric power systems • Completely compatible with: – IEC 60870-5-1: Transmission frame formats for standard 60870-5 – IEC 60870-5-5: Basic application functions
  • 31. IEC 104 (2) • It has the following features: – Supports master initiated messages and master/slave initiated messages – Facility for time sinchronization – Possibility of classifying data being transmitted into 16 different groups to get the data according to the group – Cyclic and spontaneous data updating schemes are provided.
  • 32. IEC 104 (3) Source: Practical Industrial Data Communications
  • 33. IEC 104 (4) Source: Practical Industrial Data Communications
  • 34. IEC 104 (5) Source: Practical Industrial Data Communications
  • 35. IEC 104 (6) • Link level Link service class Function Explanation S1 SEND / NO REPLY Transmit message. No ACK or answer required S2 SEND / CONFIRM Transmit message. ACK required S3 REQUEST / RESPOND Transmit message. ACK and answer required
  • 36. IEC 104 (7) Source: Practical Industrial Data Communications
  • 37. IEC 104 (8) Source: Practical Industrial Data Communications • Control field for unbalanced transmissions
  • 38. IEC 104 (8) Source: Practical Industrial Data Communications • Control field for balanced transmissions
  • 39. DNP3 • Set of communication protocols used between components of a SCADA system • Used for communications between RTU and the IED (field devices) • Implements the communication levels established by the enhance performance architecture (EPA)
  • 40. DNP3 (2) • Enhance performance architecture (EPA) Source: Practical Industrial Data Communications
  • 41. DNP3 (3) • Message exchange Source: Practical Industrial Data Communications
  • 42. DNP3 (4) • Frame format Source: Practical Industrial Data Communications
  • 43. DNP3 (5) • Control Byte Source: Practical Industrial Data Communications
  • 44. Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
  • 45. Cyberterrorism Risks • Many awful thins can happen to a power plant – Stop generation because of partial or total damage to the generator – Stop generation because of partial or total damage to the transmission substation – Stop generation because of partial or total damage to the turbine
  • 46. Cyberterrorism Risks (2) • Many awful thins can happen to a power plant – Transformer explosion because lack of transmission line protection capacity – Massive water leakage because of explosion of the turbine container • All of them can happen because of unauthorized manipulations of the HMI and after the configs are updated
  • 47. Network technologies in SCADA Systems • Many SCADA networks still use RS232/RS485 bus to communicate all components – But also because of the need to access data in a fast way, we also have serial-to- ip gateways to access serial RTU and IED – Lots of hybrid SCADA networks having serial and IP components – Access is open to anyone with connectivity access
  • 48. Network technologies in SCADA Systems (2) • Many SCADA networks still use RS232/RS485 bus to communicate all components – Admin protocols is not being crypted, so anyone can sniff all the contents, perform a MITM and send to client/server fake content to each other. Insecure services like telnet are mandatory because lack of support – Latency is an issue
  • 49. Lack of authentication in application protocol • The SCADA protocols does not perform bi-directional authentication to ensure that all parties are trusted – Only commands are sent – Data is sent to the IP address configured as master – All the IP spoofing vulnerabilities works on any MTU or Field device – Any command can be sent
  • 50. Default configurations in HMI • Insecure services used – rlogin – rcp – rexec • OS Admin privileges used to operate • Trust perimeter created within HMI and external RTU and IED to manipulate configuration parameters
  • 51. What could be done? • Reset a link state communication or send Test Communication packet several times provoking temporal DoS to the IED controllers – Spoof the HMI IP address and send the following using TCP: 0x56405c00100020074e3 – Spoof the HMI ip address and send the following using TCP: 0x56405f201000200b717
  • 52. What could be done? (2) • Send commands to the IED controllers – Registers are linked to turn on and off specific devices like oil and refrigeration pumps – A Modbus command to change registers is enough to disable any of those pumps – Command depends on the place where the pump is configured
  • 53. What could be done? (3) • Execute metasploit to the HMI and try to find remote admin exploits – No patches are installed – Too much vulnerabilities around – The odds of finding remote privilege escalation vulnerabilities are too high – Are passwords strong enough in the HMI software and OS? – Is there any password at all configured?
  • 54. What could be done? (3) • MITM attacks to the substation elements and generation plant elements – TCP sequence prediction on this elements is pretty high – Prone to session hijacking (http://www.youtube.com/watch?v=s_X D8heYNrc)
  • 55. Agenda • Introduction • Power Plant Generation SCADA • SCADA protocols • Cyber Terrorism Risks • Remediation
  • 56. What you cannot do with SCADA • Protocol delay is usually a BIG issue in SCADA – Water supply and Oil SCADA tolerates big delays because it does not have consequences in the process – Power SCADA is critical. A delay higher than 12 miliseconds could end in a massive blackout because of failure to open a breaker in a substation – Be careful on what you do to protect your SCADA
  • 57. SCADA Network inside Power Plant Unit Controller Turbine Speed Regulator Voltage Regulator Generator Protection Controller Cooling and oil pump controller HMI Console Substation controller Switch Controller Voltage Meter Reader HMI Console Protection Controller SUBSTATION SCADA GENERATION POWER SCADA
  • 58. Monitor your network • Control Access from outsiders – SCADA Network needs to send information for reports and status checking – You can establish a secure way to get into the SCADA Network for remote support – If no commands need to be sent, one- way communications using waterfall works pretty good.
  • 59. Monitor your network (2) Source: Waterfall Security
  • 60. Monitor your network (3) • Use Network Intrusion Prevention System – You definitely can use conventional IPS if they are fast enough to avoid delays in your network – Not all of them support SCADA protocols – If you have snort, you can write rules for Modbus and DNP3. Otherwise, you need to write your own rules – Industrial Defender Solution works pretty good as it includes lots of SCADA signatures
  • 61. Monitor your network (4) • Control Access from outsiders – Energy market central regulators are able to control your power generation SCADA and make you generate what you won at the electricity market – Be able to override control from your local market control center if for some reason you notice abnormal operations that put your generation infrastructure in risk
  • 62. Monitor your network (5) Source: FERC
  • 63. • SCADA platforms are designed to last from 10 to 20 years – Too many technology changes happens in that time – Lots of security issues to deal with – Need a solution to avoid any changes inside computers, as intrusions perform changes in filesystem, configurations and system process Control unauthorized changes to Master Terminal Unit
  • 64. Control unauthorized changes to Unit Controllers and IED controllers • Configuration and firmware changes can be done on-site and remotely • Can you tell all the times where those changes have been done for all the IED and Unit controllers? • Can you tell if that change actually contains the valid firmware and/or configuration? • Check IndustrialDefender Manage
  • 65. Control unauthorized changes to Master Terminal Unit (3) • Control any changes inside your SCADA servers – Mcafee Integrity control works pretty good – Defines what can be changed by who – Lots of custom logs to choose from – Can send events to any SIEM configured in the Network
  • 66. Monitor attacks to Master Unit • Host IPS is definitely needed as any attack could change the integrity and stability of a process • Availability is critical to a SCADA system and cannot be altered • Conventional Host IPS performs extensive use of CPU and can affect performance inside SCADA
  • 67. Monitor attacks to Master Unit (2) • Industrial Defender Protect works pretty good • Works seamless with Siemens Spectrum Platform • Does not load the machine or needs extensive bandwith to perform its checks • Central console to perform operations inside the platform
  • 68. Questions? Comments? Manuel Humberto Santander Peláez http://manuel.santander.name http://twitter.com/manuelsantander msantand@isc.sans.org / manuel@santander.name