March 2012
Methodology
INTECO PROYECT ABOUT SCADA SYSTEMS SECURITY
Study
Diagnostic
Practical guide
Training and awareness
Applications and advantage of using supervisory and control systems Applicable law and international standards Security risks of supervisory and control systems Security measures and good practices Policy recommendations Recommendations to users and industry
Industrial Process Supervisory and Control This term usually includes ICS, SCADA, DCS y PLC SCADA Systems Components
Systems
Control Center
Positions where the systems is operated, supervised and controlled.
Communications
Communication networks, between the control center and endpoints.
Final locations
Devices that are supervised and controlled remotely. Sensors, valves, cameras, air conditioning
ICT Systems
SCADA Systems
Physical safety
H M-L M-L
Logical Security
M M L
Functionality
H H H
Summary Functionally, the maturity in this devices can be considered very high. From the security point of view, the maturity can be treated as medium or medium-low.
Energy Generation
Petrochemical industry
Water Treatment
Regulatory framework
Generic regulations for SCADA systems does not exist Sectorial and critical infrastructure regulations Act 8/2011: Actions for the Protection of Critical Infrastructure Appropriate strategies and structures used to direct and coordinate activities of Public Administration for protection of Critical Infrastructure are defined. Protection system of Critical Infrastructure regulation. Interior Ministry, other state organizations and private sectors are involved. Legislative actions taken are appropriate as a first step.
10
Physical communication links Security audits Network system inventory. Integrate security requirements
in design stage.
12
Cipher communications
Internal attack: Sabotage and spy Overconfidence on the internal security Overconfidence in employees Absence of internal security measures
Previous
to
staff
of rules
Restrict
Securing
systems
Keep
Definition
levels
of different security
14
Malware Lack of policies and procedures to update software Lack of staff awareness Well-known vulnerabilities for outdated systems Absence of security tools (antivirus)
15
Recommendations
Industry Offer products that integrate security measures Include security requirements in the design stage for each component of the system Prioritize the solution of well-know vulnerabilities using official security patches Facilitate integration purpose products of general Users Demand products that guarantee security requirements Stay informed about incidents, vulnerabilities and security notifications Establish requirements and policies about security SCADA products
16
Recommendations
Legislators Deepening in the legislative framework Ponder the use of establishing sanctioning organisms and mechanism Define security mandatory measures Increased collaboration Public Administration - private sector Sectorial regulation Consider other origins and motivations for attacks Consider the possibility of establishing requirements or demanded certifications for security logical specialists for this kind of systems
17
Conclusions - Strengths
Centralized monitoring and management Process automation Improvement in process efficiency Complexity of maintenance reduction
Long-term cost reduction Applicability of ICT solutions Significant reduction of costs Possibility to acceptance standards
High availability
18
Conclusions - Opportunities
General purpose technology migration Reduce costs and improving current shortcomings High efficiency Regulation and legislation The new legislation means an improve opportunity Changing environment Opportunity to correct historical deficiencies detected
19
Conclusions - Weakness
Inherited vulnerabilities From specific technology and general purpose technology High dependence from manufacturers Lack security awareness Magnitude and complexity of the system Inappropriate organization chart Segregation of logical and physical security means less preparation against threads.
Absence of specialized solutions Limitations from the need for availability Prioritize availability has led to a decrease of security
20
Conclusions - Threats
Malicious Users Terrorist group, hackers, etc. Disclosure on the Internet High exposition = greater attack surface Vulnerability publications Means a weakness to systems affected Basic service interruptions The materialization of a threat in these systems may involve the disruption of an essential service
21
Conclusions - Potentialities
POTENTIALITIES= OPPORTUNITIES STRENGTHS
Development of supervisory and management systems in real time via general purpose technology Using ICT solutions to improve Security Long-term cost reduction Taking advantage of greater efficiency and general purpose technologies
Production processes or services automation Guarantee of monitoring process robustness High availability and more efficiently. Use of general purpose technology to improve regulations compliance
22
Conclusions - Limitations
LIMITATIONS = WEAKNESS THREATS
Vulnerabilities are particularly dangerous Publication of vulnerability details Rise of cyber terrorism
Lack of solutions and high exposition Broad attack surface The attack surface is due to high exposure and the magnitude of SCADA systems Low protection against any kind of threats Due to the differences between physical and logical security Strong availability requirements sometimes result in limitations to security
23
Conclusions - Risks
RISKS = STRENGTHS THREATS
Interest focus to attackers Growing up Internet connections For both availability and confidentiality Service interrupted can lead to high economic impacts Possible negative impact of ICT solutions Applying these solutions to a particular environment must be studied thoroughly.
24
Conclusions - Challenges
CHALLENGES= OPPORTUNITIES WEAKNESSES
General purpose technology migration Should be done without their vulnerabilities Regulations compliance Particularly for small business Correct deployment of SCADA systems Possibility of becoming the target of attacks and threats Adapt to changing environment Poor adaptation can result in a situation of great insecurity
25
Finals considerations
Some organizations are not aware that they have a SCADA system SCADA systems are vulnerable and are exposed to external networks SCADA Systems operating environment is changing An important opportunity to create and apply a right regulation is presented currently Gradual migration and use of general purpose technologies Security should be approached from an integral point of view Before applying improvements a risk analysis should be performed
26
Follow us on:
Web
http://observatorio.inteco.es Facebook Profile http://www.facebook.com/ObservaINTECO Twitter Profile http://www.twitter.com/ObservaINTECO Scribd Profile http://www.scribd.com/ObservaINTECO Youtube Profile http://www.youtube.com/ObservaINTECO Information Security Observatory BLOG http://www.inteco.es/blogs/inteco/Seguridad/BlogSeguridad
http://www.inteco.es http://observatorio.inteco.es