
Systems and Internet Infrastructure Security

Network and Security Research Center
Department of Computer Science and Engineering
Pennsylvania State University, University Park PA

SCADA Security Measures


CSE 598E Critical Infrastructure Security

Systems and Internet Infrastructure Security (SIIS) Laboratory


Paper 1: The VIKING Project - Towards more Secure SCADA Systems

Written by: Gunnar Björkman
Presented by: Diana Koshy

Type of Paper: Expository

This paper discusses a future project aimed at analyzing the security of SCADA systems. It also describes how SCADA systems work.

The Problem

Security on SCADA systems needs to be improved (or at least exist!)

The Problem

- SCADA systems need to be secure, since a problem with the system has dire consequences.
- Security is non-trivial, since the systems are very complex and must perform under strict conditions.

The Problem

- Risks come from insiders as well as from the new access points opened by connecting the SCADA system to corporate networks, engineers, contractors, vendors, etc. These risks have been somewhat mitigated by firewalls and Demilitarized Zones (DMZs).
- Risks also come from the use of standardized protocols, hardware and software. Communication protocols are becoming more standardized to allow different hardware to communicate, so knowledge of them, and of their weaknesses, is no longer vendor-specific.

The Solution

The objective of the VIKING project is to develop, test and evaluate methodologies for the analysis, design and operation of resilient and secure industrial control systems for critical infrastructure.


Background: Structure of a SCADA System

- Sensors
- Remote Terminal Units (RTUs)
- Station Control Systems
- Central Control System: Workstations, Front-End Servers, SCADA Servers, Archive Servers

The Solution

The VIKING project aims to take a holistic approach to analyzing security.

The Solution: VIKING Goals

1. Assess the security risk and the (financial) consequences of an attack on a SCADA system
2. Create a tool that can quantify security for comparison across different systems
3. Use the model-based system as an IDS
4. Secure power system communication
5. Be able to identify vulnerable spots in a SCADA system
6. Create a system that can be used to test security solutions and their effects

The Solution: Method

Create 3 models:
1. Power system model
   - used to model the effects of an attack on the electricity supply
2. Society model
   - used to gauge the economic consequences of an attack
3. SCADA system models (architectural and cyber-physical)
   - used to see the effect of an attack on SCADA system behavior

The Assumptions

None. The paper was just summarizing a proposed project.

Paper 2: 21 Steps to Improve Cyber Security of SCADA Networks

Written by: US Department of Energy
Presented by: Diana Koshy

Type of Paper: Best-practices paper

This paper proposes 21 steps to take in order to alleviate the security problems inherent in current SCADA systems.

The Problem

- SCADA systems were not designed with security in mind.
- Organizations using SCADA networks need to improve their security.

The Solution

2 categories:
1. Actions to take to increase security
2. Management actions to establish an effective security program

The Solution: Actions to Take

1. Understand the risk, protection and necessity of every connection to the SCADA network
2. Make the network as isolated as possible and use safe methods for data transfer
3. Analyze and implement a strong security strategy for all remaining connections
4. Remove or disable unused services provided by non-proprietary operating systems

The Solution: Actions to Take

5. Proprietary (obscure) protocols should not be mistaken for secure protocols
6. Enable and configure all security features already present and/or demand upgrades
7. Secure backdoors and vendor connections
8. Monitor for internal and external intrusions 24 hours a day

The Solution: Actions to Take

9. Conduct audits of the system to find common vulnerabilities
10. Check the physical security of all remote sites that communicate with the SCADA system
11. Put together a Red Team to come up with potential attack scenarios

The Solution: Management

12. Clearly define roles and responsibilities for all organization personnel
13. Document the information security architecture and its components
14. Identify risks and vulnerabilities and create an ongoing risk management process
15. Base the protection strategy on the defense-in-depth principle

The Solution: Management

16. Create a clear, structured security program with delineated requirements
17. Establish configuration management processes
18. Conduct routine self-assessments
19. Create system backups and disaster recovery plans

The Solution: Management

20. Establish an expectation of strong security for all levels of personnel
21. Train personnel to prevent disclosure of sensitive information about the SCADA system

The Assumptions

None. The paper was a list of suggested best practices.

Paper 3: SCADA-specific Intrusion Detection/Prevention Systems: A Survey and Taxonomy

Written by: Bonnie Zhu and Shankar Sastry
Presented by: Diana Koshy

Type of Paper: Survey paper

This paper discusses past work on:
- classification and characteristics of attacks
- SCADA-specific IDS attempts

The Problem

SCADA systems are vulnerable because of:
- standardized protocols, software and hardware
- de-isolation of SCADA systems
- legacy components not designed for security

The Problem

Specific vulnerabilities listed:
- HMI controller: can falsify what the operator sees
- sensor-HMI link: can spy on what the operator sees
- actuator-controller link: can see what actuators are told to do
- sensor threshold values and settings: can modify settings
- actuator settings: can modify settings

The Problem

Security research on SCADA systems is lacking:
- unrealistic testing environments
- poorly analyzed threat models
- IDS implementations specific to different SCADA environments
- lack of analysis of false positives/false negatives of IDSs

The Problem

- 100% prevention of attacks is impossible, so prevention must be combined with detection.
- Existing IDSs can't simply be reused, since SCADA is different:
  - it is a hard real-time system, which means timeliness, freshness of data and availability are crucial
  - its terminal devices have limited computing and memory resources
  - safety is a primary concern

The Solution

Create SCADA-specific IDSs and security metrics. The ideal system should be able to:
- detect and block intrusions in real time
- do so without interrupting performance
- do so without extra burdens due to false positives
- do so despite normal noise

The Solution

Types of IDS:
- signature detection approach
- anomaly detection approach
- probabilistic approach
- specification-based approach
- behavioral detection approach

The Solution

All of these can be applied to different parts of SCADA systems.

The Solution: Past Work

Model-Based IDS for SCADA Using Modbus/TCP
- uses the fact that network traffic on a SCADA system is relatively constant (a fixed set of hosts, function codes, register ranges and polling cadence) to find anomalies
- the most SCADA-specific of the implementations
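The model-based idea on this slide, as an added worked example that is not code from the surveyed paper or from this deck: each Modbus/TCP request is parsed and checked against a hand-written site model (which master may talk to which outstation, with which function codes, over which register window, and at what polling cadence), and anything that does not fit is reported. The addresses in MODEL, the period and tolerance, the set of functions treated as cyclic polls, and every frame in SAMPLE are constructed assumptions, not data from any real site.

```python
"""Model-based (specification) intrusion detection for Modbus/TCP.
Added example for these notes; not the surveyed paper's implementation.
The addresses, the site model, the polling period and every frame in
SAMPLE are constructed assumptions."""
import struct

# Assumed site model: which master may talk to which outstation, with which
# function codes, over which register window (start inclusive, end exclusive).
MODEL = {
    ("10.0.0.10", "10.0.0.20"): {"unit": 1, "functions": {3, 4}, "registers": (0, 100)},
}
PERIOD, TOLERANCE = 1.0, 0.25   # expected poll interval and accepted jitter (assumed)
POLL_FUNCTIONS = {3, 4}         # cyclic reads; writes are event-driven, so not timed


def build_request(tid, unit, func, start, count_or_value):
    """Encode a Modbus/TCP request: MBAP header (tid, protocol 0, length, unit)
    followed by the PDU. For single writes (5/6) the third field is the value."""
    pdu = struct.pack(">BHH", func, start, count_or_value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame):
    """Decode the MBAP header and the function code / start / count of the PDU.
    Raises ValueError when the framing rules are violated."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:            # length covers unit id + PDU
        raise ValueError("length field does not match frame size")
    func, pdu = frame[7], frame[8:]
    start = count = None
    if func in (1, 2, 3, 4, 15, 16) and len(pdu) >= 4:
        start, count = struct.unpack(">HH", pdu[:4])
    elif func in (5, 6) and len(pdu) >= 4:  # single write: address + value
        start, count = struct.unpack(">H", pdu[:2])[0], 1
    return {"tid": tid, "unit": unit, "func": func, "start": start, "count": count}


class ModbusModelIDS:
    """Flags every request that does not fit the site model."""

    def __init__(self, model, period, tolerance):
        self.model, self.period, self.tolerance = model, period, tolerance
        self.last_poll = {}                  # (src, dst) -> time of previous poll

    def check(self, ts, src, dst, frame):
        """Return the list of alerts for one request (empty when it fits)."""
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            return [f"malformed frame: {err}"]
        spec = self.model.get((src, dst))
        if spec is None:
            return [f"unexpected flow {src}->{dst}"]
        alerts = []
        if req["unit"] != spec["unit"]:
            alerts.append(f"unit {req['unit']} not expected on {src}->{dst}")
        if req["func"] not in spec["functions"]:
            alerts.append(f"function {req['func']} not in whitelist for {src}->{dst}")
        lo, hi = spec["registers"]
        if req["start"] is not None and (req["start"] < lo or req["start"] + req["count"] > hi):
            alerts.append(f"registers {req['start']}..{req['start'] + req['count'] - 1} "
                          f"outside window {lo}..{hi - 1}")
        if req["func"] in POLL_FUNCTIONS:    # too fast = scan/flood, too slow = missed poll
            prev = self.last_poll.get((src, dst))
            if prev is not None and abs((ts - prev) - self.period) > self.tolerance:
                alerts.append(f"timing: {ts - prev:.2f}s since last poll, expected ~{self.period}s")
            self.last_poll[(src, dst)] = ts
        return alerts


# Constructed traffic: three normal polls, then five things the model rejects.
SAMPLE = [
    (0.00, "10.0.0.10", "10.0.0.20", build_request(1, 1, 3, 0, 10)),
    (1.02, "10.0.0.10", "10.0.0.20", build_request(2, 1, 3, 0, 10)),
    (2.01, "10.0.0.10", "10.0.0.20", build_request(3, 1, 3, 0, 10)),
    (2.40, "10.0.0.10", "10.0.0.20", build_request(4, 1, 6, 5, 1)),        # write from a read-only master
    (3.00, "10.0.0.10", "10.0.0.20", build_request(5, 1, 3, 90, 20)),      # read runs past the register window
    (3.05, "10.0.0.99", "10.0.0.20", build_request(1, 1, 3, 0, 10)),       # master the model has never seen
    (3.40, "10.0.0.10", "10.0.0.20", build_request(6, 1, 3, 0, 10)),       # poll arrives 0.4 s after the last one
    (4.40, "10.0.0.10", "10.0.0.20", b"\x00\x07\x00\x00\x00\x20\x01\x03"),  # length field claims 32 bytes
]


def run(sample=SAMPLE):
    """Run the detector over a (timestamp, src, dst, frame) list."""
    ids = ModbusModelIDS(MODEL, PERIOD, TOLERANCE)
    return [(ts, ids.check(ts, src, dst, frame)) for ts, src, dst, frame in sample]


if __name__ == "__main__":
    for ts, alerts in run():
        print(f"{ts:5.2f}  {alerts or 'ok'}")
```

The point of the timing check is the "relatively constant traffic" property: a legitimate master polls on a fixed cycle, so a burst of reads or a missing poll is itself a signal even when every individual frame is well-formed and whitelisted. In a real deployment the model would be learned from a capture of normal operation and then frozen, and the tolerance tuned to the observed jitter, otherwise the false-positive burden the survey warns about appears immediately.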


The Solution: Past Work

Anomaly-Based IDS
1. Auto-Associative Kernel Regression and Sequential Probability Ratio Test
   - monitor non-malicious activity, including benign anomalies, to establish a baseline
   - use the baseline database to compare with new activity
2. Multi-Agent IDS Using Ant Clustering Approach and Unsupervised Feature Extraction
   - use multiple intelligent agents to perform IDS duties
   - monitor agents capture packets, extract features and perform PCA
   - decision agents perform clustering and notify of abnormalities
   - action agents respond to threats accordingly
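The first of the two anomaly-based approaches above, AAKR plus SPRT, as an added worked example that is not the surveyed paper's code: a memory of normal operating states, a kernel-regression estimate of what the sensors should currently read, and a two-sided SPRT on each residual that accumulates evidence before alarming instead of reacting to a single noisy sample. The two-sensor plant relationship (P = 0.5·L + 2), the kernel bandwidth, the SPRT shift, sigma and error rates, and the sensor stream, in which the pressure reading is tampered by +0.8 from sample 30 on, are all constructed assumptions.

```python
"""Auto-Associative Kernel Regression (AAKR) + Sequential Probability Ratio
Test (SPRT) anomaly detector. Added example for these notes; not the surveyed
paper's code. The plant relationship, kernel bandwidth, SPRT parameters and
the sensor stream are constructed assumptions."""
import math


def make_memory():
    """Constructed 'memory matrix' of normal states: tank level L and outlet
    pressure P, assumed to obey P = 0.5*L + 2 during legitimate operation."""
    return [(float(L), 0.5 * L + 2.0) for L in range(10, 92, 2)]


def make_stream(n=60, attack_start=30, spoof=0.8):
    """Constructed sensor stream with deterministic noise. From attack_start on,
    the pressure reading arrives `spoof` units too high: a tampered sensor
    value, far too small to trip a plain limit check."""
    stream = []
    for i in range(n):
        L = 25.0 + (i * 7) % 51                 # wander over 25..75
        noise = 0.15 * math.sin(1.7 * i)
        P = 0.5 * L + 2.0 + noise + (spoof if i >= attack_start else 0.0)
        stream.append((L, P))
    return stream


def aakr_estimate(memory, x, bandwidth):
    """Kernel-weighted average of memory vectors near x. Normal inputs are
    reproduced closely; inputs off the learned manifold are pulled back onto
    it, which is what makes the residual x - estimate informative."""
    weights = [math.exp(-sum((a - b) ** 2 for a, b in zip(m, x)) / (2 * bandwidth ** 2))
               for m in memory]
    total = sum(weights) or 1e-300
    return [sum(w * m[j] for w, m in zip(weights, memory)) / total for j in range(len(x))]


class SPRT:
    """Wald's sequential test on one residual channel, run in both directions:
    H0: residual ~ N(0, sigma^2); H1: residual ~ N(+-shift, sigma^2).
    alpha = tolerated false-alarm rate, beta = tolerated missed-alarm rate."""

    def __init__(self, shift, sigma, alpha=0.01, beta=0.1):
        self.shift, self.var = shift, sigma ** 2
        self.upper = math.log((1 - beta) / alpha)   # cross -> accept H1, alarm
        self.lower = math.log(beta / (1 - alpha))   # cross -> accept H0, restart
        self.llr = [0.0, 0.0]                        # positive-shift, negative-shift

    def update(self, residual):
        """Feed one residual; return True if either direction alarms."""
        alarm = False
        for k, sign in enumerate((1.0, -1.0)):
            r = sign * residual
            # log-likelihood ratio increment for a Gaussian mean shift
            self.llr[k] += self.shift * (r - self.shift / 2) / self.var
            if self.llr[k] >= self.upper:
                self.llr[k], alarm = 0.0, True
            elif self.llr[k] <= self.lower:
                self.llr[k] = 0.0
        return alarm


def detect(stream, memory, bandwidth=4.0, shift=1.0, sigma=0.3):
    """Return (sample index, sensor index) for every SPRT alarm."""
    tests = [SPRT(shift, sigma) for _ in memory[0]]
    alarms = []
    for i, x in enumerate(stream):
        estimate = aakr_estimate(memory, x, bandwidth)
        for j, (observed, expected) in enumerate(zip(x, estimate)):
            if tests[j].update(observed - expected):
                alarms.append((i, j))
    return alarms


if __name__ == "__main__":
    print(detect(make_stream(), make_memory()))
```

Two design points worth noting. The residual is taken against the kernel estimate, not against a fixed setpoint, so the detector keys on the relationship between sensors rather than on any one value, which is why a tampered pressure that stays inside its normal range is still caught. And alpha and beta set the false-alarm and missed-alarm rates explicitly, which is the knob the survey says most SCADA IDS work never analyses; lowering alpha raises the upper threshold and lengthens the time to alarm.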

The Solution: Past Work

Configurable Embedded Middleware-Level Detection
- put a detection system in the middle of the communication channels, kind of like a firewall (a bump in the wire)
- easiest to incorporate, since few changes to the existing system would need to be made

The Solution: Past Work

Intrusion Detection and Event Monitoring in SCADA Networks
- specific to SCADA power-grid and RTUs
- automatically produce signatures for unauthorized access
- store the settings and details of each SCADA device and compare them over time

The Solution: Past Work

Model for Cyber-Physical Interaction
1. Power Plant interfacing Substations through Probabilistic validation of attack-effect bindings
2. Workflow-based non-intrusive approach for enhancing the survivability of critical infrastructures in Cyber Environment

The Solution: Past Work

Model for Cyber-Physical Interaction
1. Power Plant interfacing Substations through Probabilistic validation of attack-effect bindings
   - probabilistically build a profile of legitimate data flows and the main characteristics of normal information exchange
   - only works for known attacks

The Solution: Past Work

Model for Cyber-Physical Interaction
2. Workflow-based non-intrusive approach for enhancing the survivability of critical infrastructures in Cyber Environment
   - separate the SCADA system into cyber, physical and workflow layers
   - each physical component is a node in the workflow layer
   - model functionality and attack patterns
   - only works on known attacks

The Solution: Past Work

Modeling Flow Information and other Control Systems Behavior To Detect Anomalies
- analyzes flow on the network (so only good for network layers)
- combines anomaly-, behavioral- and specification-based techniques to detect abnormal behavior

The Solution: Past Work

SHARP
- uses authentication and privilege escalation protection to detect and block unauthorized physical and network access

The Assumptions

None. The paper was a survey.