Current Status of Cyber Security Issues 2004 Keynote Address Joe Weiss January 20, 2004

1
Current Status of Cyber Security Issues
2004 Keynote Address
Joe Weiss
January 20, 2004

2
Agenda
  • Control systems defined
  • Control systems cyber security threats are real
  • Address the issue: it makes good business sense
  • Productivity improvements
  • Response to security threats
  • Reliability
  • Regulatory compliance
  • Liability

3
What's a Control System?
  • SCADA/EMS
  • DCS
  • PLCs
  • RTUs/IEDs
  • Meters
  • Enterprise applications for utility operations

4
Successful Attacks With Damage
  • Electric Utility
  • 100-150 hits/day on control network
  • 17 Intrusions
  • 2 Denial of Service (DOS) Events
  • 3 Loss of Control Events
  • Switchgear controller
  • Boiler Deaerator controls
  • Wastewater Utility
  • Wireless hack by disgruntled ex-SCADA supplier
    employee
  • Release of millions of liters of sewage

5
Hackers Starting to Look at SCADA
  • Brumcon Report
  • It was a detailed breakdown of the RF systems
    used by water management authorities in the UK
    and how these systems can be abused, interfered
    with and generally messed.
  • The live demonstration included how to monitor
    the un-encrypted water management systems and
    create a DOS attack. It was clear that additional
    communication channels using dial up connections
    would kick in automatically in the event of an
    attack.

6
Business Drivers
  • Need for productivity improvements
  • Customer service
  • Financial impact
  • Response to security threats
  • Reliability: High visibility
  • Regulatory compliance
  • Liability

7
Need for productivity improvements
  • Technology Advances Enabling
  • On-line maintenance (RCM)
  • System optimization
  • Wide access to system data
  • Centralized data analysis
  • Security solution
  • Standards organizations: Lack of coordination
  • Policies
  • Procedures
  • Control systems architecture
  • Develop security policies
  • ISO 17799 not adequate

8
Productivity Improvement Examples
  • Major Oil/Gas Company
  • 90% of control systems world-wide are networked
  • IED Supplier
  • Systems require dial-up access
  • PLC Supplier
  • Systems have default passwords hardcoded into
    firmware

9
Response to security threats
  • Current responses
  • NERC
  • Presidential decision directive
  • DHS/DOE
  • National Plan to secure cyber space
  • Industry/standards organizations
  • Solution
  • Conduct vulnerability and risk assessment
  • Develop recovery plans
  • Address IT/Operations gap
  • Provide training programs

10
SCADA Cyber Assessment
  • Test conducted following factory acceptance test
  • Most secure possible case
  • Vendor knew we were coming
  • All patches installed
  • No outside connections
  • Penetration complete within 2 working days

11
Misidentification
  • Penetration test performed by organization
    without significant control system expertise
  • Identified unauthorized access of plant DCS
    Engineer's Workstation
  • Control system assessment
  • Confirmed identified workstation was not DCS
    Engineer's Workstation
  • Additional walkdown identified vulnerabilities
    not found by traditional penetration testing
  • Non-IP vulnerabilities

12
Reliability: High Visibility
  • Cyber security/reliability connection
  • Cyber events have impacted reliability of utility
    control systems
  • Fixes to improve reliability can impact cyber
    security
  • Control systems role in preventing and/or
    mitigating future blackouts
  • Solution
  • Include cyber security in reliability upgrades

13
Example: Substation Automation/EMS Upgrade
  • Includes cyber security considerations
  • Industry proven specifications
  • Remote access
  • Data communications/protocols
  • Vendor access
  • Training

14
Regulatory compliance
  • Current compliance issues
  • NERC
  • Presidential decision directive
  • AGA
  • EPA
  • Solution
  • Vulnerability and risk assessment
  • Policies and procedures
  • IT strategy and plan

15
NERC
  • Urgent Action Standard 1200
  • Control Center Only
  • Substantial compliance by March 2004
  • 16 tasks
  • Some require additional work
  • SAR
  • In ballot process
  • Includes power plant controls and substation
    equipment

16
Homeland Security Presidential Directive 7
(HSPD-7), December 17, 2003
  • National goal: Protect critical infrastructure
    from physical and cyber attacks
  • DHS: Lead Agency
  • DOE: responsible for Energy
  • Require a strategy to identify, prioritize, and
    coordinate protection of critical infrastructure
  • By July 2004, develop plans for protecting
    critical infrastructure

17
Liability
  • Why liability is an issue
  • This is not an unforeseen event
  • Insurance will have exclusions for cyber
  • Insurance may not cover company executives
  • SEC may require status of cyber in filings
  • Solution
  • Perform due diligence
  • Move toward industry accepted program

18
National SCADA Test Bed
  • Developing new tools
  • Determine vulnerabilities
  • Large scale assessments
  • Testing and validating
  • Industry products
  • Safe and secure test bed
  • Full scale testing
  • Computer controls
  • Communications
  • Field Systems
  • Substations and RTUs

19
Conclusion
  • Cyber security threats are real
  • Cyber security is not just a regulatory or
    national infrastructure issue; it makes good
    business sense
  • Technology will continue to evolve to meet
    demands for productivity and reliability
    improvements
  • Security requirements need to keep pace with
    technology advancements
  • There are workable near-term solutions
  • We need to work toward:
  • Addressing the gap between IT and operations
  • Long-term technology changes