One of the most interesting challenges of working as Chief Information Security Officer in a utility company is the variety of infrastructure types that support the business processes. I refer here to the infrastructure behind the real-time management systems for generation, transmission and distribution of energy, and to the systems responsible for coordinating the pumping of water to individual households and industries. Implementing an information security management system that extends to this kind of critical infrastructure raises a number of interesting challenges that the conventional security model for IT processes does not cover:
SCADA systems have a very particular operating environment. Because they are real-time systems, monitoring data and the commands sent to the RTU must arrive in the shortest time possible: an additional delay of even 10 ms can mean a massive blackout, because the protections of a substation are triggered. Similarly, the suppliers of these systems tend to support them only in one specific configuration, which is usually not very secure and lacks basic security controls such as security patches, data encryption, authentication and non-default configurations. The architecture of a SCADA system and its components are as follows:
Because of their criticality, SCADA operators are reluctant to implement any type of information security control that could change the operating environment of the system. How do you implement a security scheme that does not interfere with the functionality the business process needs? We took the following items from the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards to implement controls for an energy SCADA: Project 2008-06 Cyber Security — Order 706
For point number two, we took the same table to classify information assets for the corporate information security management system and applied it to the energy processes:
From the previous table, we assigned the controls to implement and the security level to ensure for each asset. For points 3 and 4 we adopted all definitions from the corporate Information Security Management System. See all the required controls here: http://www.nerc.com/files/CIP-003-1.pdf and http://www.nerc.com/files/CIP-004-2.pdf.

The biggest issue here was authentication and clear-text traffic. Many devices in our SCADA system did not support authentication, and information was sent over cleartext protocols. Every time we tried to introduce a VPN or layer-2 encryption devices, the network latency increased and functions of the system were degraded, which is why we had to remove those controls. When we asked our vendor for those controls as native functions of the system, we received a request to purchase the next version of the SCADA system.

The corporate antivirus didn't work because it consumed all the resources of the DAS and the HMI. The same happened with the host IPS. The solution we found was the SolidCore S3 product (http://www.solidcore.com/products/s3-control.html): it was non-intrusive, did not add extra layers and virtual devices to the operating system, and handled the zero-day problem very well.

For configuration changes, we established a weekly maintenance schedule in which the SCADA system service would stop for three hours, switching the operation mode to contingency, so the IT operators could scan for viruses, install security patches and modify security baselines. If a change was not successful and the system was degraded, the changes were removed and tried again the following week. This was not an easy task, because the vendor would not support us and we had to learn a lot about how the system components worked.

For point 5, we redrew the SCADA network so that critical traffic would not mix with other types of traffic. For wireless devices, we managed to implement 802.1X authentication.
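The weekly maintenance window described above (snapshot the host, apply the change in contingency mode, check that the system is not degraded, and remove the change if it is) can be scripted so that the rollback is exact rather than manual. The following is an added example written for this page, not code from the diary, from NERC or from any vendor product; the directory layout, the "patch" and the health check (a polling interval that must stay within a latency budget) are constructed for the demonstration.

```python
"""Maintenance-window change with baseline diff and automatic rollback.

Added example (not from the original diary). It models the weekly contingency
window: take a hashed baseline of the host, apply a change, run a health
check, and restore the pre-change state if the check fails. All paths, the
patch and the health check below are constructed for illustration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root to its SHA-256 digest (the security baseline)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baselines(before, after):
    """Report which files a change added, removed or modified."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def apply_in_window(root, change, health_check):
    """Apply change(root) behind a full backup; keep it only if health_check(root) passes.

    Returns (status, diff) with status 'committed' or 'rolled-back'.
    """
    root = Path(root)
    before = snapshot(root)
    backup = Path(tempfile.mkdtemp(prefix="scada-backup-"))
    shutil.copytree(root, backup, dirs_exist_ok=True)
    try:
        change(root)
        changes = diff_baselines(before, snapshot(root))
        if health_check(root):
            return "committed", changes
        # System degraded: restore the exact pre-change state.
        shutil.rmtree(root)
        shutil.copytree(backup, root)
        assert snapshot(root) == before, "rollback did not restore the baseline"
        return "rolled-back", changes
    finally:
        shutil.rmtree(backup, ignore_errors=True)


def demo():
    """Run one successful patch and one that breaks the latency budget."""
    root = Path(tempfile.mkdtemp(prefix="scada-hmi-"))
    (root / "hmi.cfg").write_text("poll_interval_ms=10\n")
    (root / "drivers").mkdir()
    (root / "drivers" / "rtu.dll").write_bytes(b"\x00" * 16)

    def patch(r):  # constructed "security patch": new driver plus a log file
        (r / "drivers" / "rtu.dll").write_bytes(b"\x01" * 16)
        (r / "patch.log").write_text("applied\n")

    def healthy(r):  # constructed health check: polling still within latency budget
        return "poll_interval_ms=10" in (r / "hmi.cfg").read_text()

    def breaks_latency(r):  # same patch, but it also slows the HMI polling loop
        patch(r)
        (r / "hmi.cfg").write_text("poll_interval_ms=250\n")

    good = apply_in_window(root, patch, healthy)
    bad = apply_in_window(root, breaks_latency, healthy)
    restored_cfg = (root / "hmi.cfg").read_text()
    shutil.rmtree(root)
    return good, bad, restored_cfg


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The health check is the important design choice: it should exercise the function that the diary says degrades first (command and polling latency), not merely confirm that a process is running, so that a change which "works" but slows the system is still rolled back inside the window.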
We divided the SCADA network into the following perimeters: a Cisco Firewall Services Module inside a Catalyst 6509 with VSS supervisors (VS-6509E-S720-10G) gave us the required bandwidth, and no disruptions occurred within the SCADA environment. It also has an IPS (IDSM-2) that sends its alerts, along with the firewall logs, to our RSA enVision correlator. For point 6, the whole site has armored doors, CCTV, biometric authentication and security guards patrolling the physical perimeter. We are now able to manage the security controls inside both the corporate IT network and the SCADA systems. I know that I still have many things to do to achieve the other NERC points, but it will be an interesting and challenging goal. -- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
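The segmentation in points 5 and 6 only holds if the firewall and IPS logs sent to the correlator are actually checked against the intended zone policy. The following is an added example, not code from the diary, from Cisco or from RSA: it audits flow records against a constructed zone map and allow-list, and separately flags cleartext control protocols (Modbus/TCP, DNP3, Telnet) initiated from outside the SCADA zones, the clear-text problem the diary describes. The addressing, the zone names, the policy and the log format are all constructed assumptions, not the real FWSM syslog format.

```python
"""Audit flow records against a SCADA perimeter policy.

Added example (not from the original diary or any vendor product). Zones,
subnets, allowed flows and the log lines are all constructed for illustration;
the record format is a simple constructed text format, not Cisco syslog.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (hypothetical addressing).
ZONES = {
    "corporate":     ipaddress.ip_network("10.10.0.0/16"),
    "scada_control": ipaddress.ip_network("10.20.0.0/24"),  # HMI, DAS, historian
    "scada_field":   ipaddress.ip_network("10.30.0.0/24"),  # RTUs in substations
    "management":    ipaddress.ip_network("10.40.0.0/24"),  # jump hosts, patch server
}

# Control protocols that run in cleartext: expected between the SCADA zones,
# but a source outside them should never initiate these.
CLEARTEXT_CONTROL_PORTS = {502: "modbus", 20000: "dnp3", 23: "telnet"}

# Allowed inter-zone flows: (src_zone, dst_zone) -> permitted destination ports.
POLICY = {
    ("scada_control", "scada_field"): {502, 20000},
    ("scada_field", "scada_control"): {502, 20000},
    ("management", "scada_control"): {22, 3389},
    ("scada_control", "management"): {514},  # syslog to the correlator
}


@dataclass
class Flow:
    ts: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def zone_of(ip):
    """Name the zone an address belongs to, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse the constructed format '<ts> <proto> <src>:<port> -> <dst>:<port>'."""
    ts, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), sip, int(sport), dip, int(dport))


def evaluate(flow):
    """Return the list of findings for one flow (empty when it is within policy)."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    findings = []
    if src_zone != dst_zone:  # intra-zone traffic is outside the perimeter policy
        allowed = POLICY.get((src_zone, dst_zone))
        if allowed is None or flow.dst_port not in allowed:
            findings.append(f"policy-violation {src_zone}->{dst_zone}:{flow.dst_port}")
    if (flow.dst_port in CLEARTEXT_CONTROL_PORTS
            and src_zone not in ("scada_control", "scada_field")):
        proto_name = CLEARTEXT_CONTROL_PORTS[flow.dst_port]
        findings.append(f"cleartext-control-from-{src_zone} ({proto_name})")
    return findings


def audit(lines):
    """Map each offending record to its findings."""
    report = {}
    for line in lines:
        findings = evaluate(parse_flow(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample records.
SAMPLE_LOG = [
    "2010-08-23T10:00:01 tcp 10.20.0.5:40001 -> 10.30.0.7:502",     # HMI polls RTU: fine
    "2010-08-23T10:00:02 tcp 10.10.4.20:50233 -> 10.30.0.7:502",    # corporate host to RTU
    "2010-08-23T10:00:03 tcp 10.40.0.3:51000 -> 10.20.0.5:22",      # jump host to HMI: fine
    "2010-08-23T10:00:04 tcp 10.20.0.5:33000 -> 10.10.8.9:445",     # HMI to corporate share
    "2010-08-23T10:00:05 udp 10.20.0.5:33001 -> 10.40.0.9:514",     # syslog out: fine
    "2010-08-23T10:00:06 tcp 10.30.0.7:4000 -> 10.20.0.5:23",       # RTU telnets to HMI
]

if __name__ == "__main__":
    for record, found in audit(SAMPLE_LOG).items():
        print(record, "=>", ", ".join(found))
```

Two design points: a flow from a zone with no policy entry (including an address that maps to no zone) is a violation by default, and the cleartext check is separate from the allow-list so that a record can be reported twice (out of policy and cleartext control from outside the SCADA zones), which is how a correlator rule would prioritise it.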
Manuel Humberto Santander Peláez, ISC Handler, Aug 23rd 2010
Regarding the consequences table: look at it from the consumer's point of view and the delivery of critical water, power and other basic services. What happens at level "5" if the product being delivered is water? It had better be recoverable or have a manual backup system or plans. If not, the delivery area is dead in one week. The company will not go out of business, but people might well be dead in less than a week.
KBR, Aug 24th 2010
This was a good article, but I have to ask: what did we do to interconnect SCADA devices before the Internet? And why is this stuff even remotely Internet accessible, especially if the consequences are so dire?
KBR, Aug 26th 2010
I also found this to be an interesting article, but it really makes me worry about the future. I agree with MikeI: why are these systems even connected to the internet? No matter how good your security policies are, the very fact that the system is connected means a determined attacker can break your system.
I sometimes feel like security 101 has not penetrated the computer generation: a) If two systems are connected, one can be used to break the other. b) Anything traveling over the air is susceptible to easy interception AND/OR manipulation. c) Even 'innocent' information leakage can, and with a determined attacker will, result in a complete breakin/breakage. This is because determination of 'insignificance' (I'm thinking category one in this article) is based on pre-existing assumptions, which are almost always...circumventable.
KBR, Aug 30th 2010