Electronic Intrusion into Your Control Systems - PowerPoint PPT Presentation


ISA, The Instrumentation, Systems, and Automation Society. Electronic ... to spill out into local parks, rivers and the grounds of a Hyatt Regency hotel.

Slides: 53
Provided by: bobwebban


Transcript and Presenter's Notes

Electronic Intrusion into Your Control Systems
Facilitated by
  • Bob Webb, POWER Engineers, rcw4@ix.netcom.com
    ISA SP Department Board of Directors; ISA NORCAL
    Section Past President
  • Joe Weiss, KEMA Consulting, jweiss@kemaconsulting.com
    ISA SP Department Board of Directors; ISA NORCAL
    Section Planning Board; IEEE/IEC liaison

  • Self introductions - Bob 15 min
  • The problem scope and examples - Bob & Joe 15 min
  • What others are doing - Joe 15 min
      • Government
      • Vendors
      • Other organizations
  • Break 10 min
  • Where current solutions fall short - Joe 10 min
  • What you can do today - Joe 15 min
  • Where to learn more - Bob 10 min
  • Open discussion - All 30 min

Initial Survey of Participants
  • How many of you are responsible for control
      • DCSs?
      • SCADAs?
      • PLCs?
      • Other?
  • How many of those systems have connections to any
    network or other system?
      • Another control system?
      • IT network?
      • Internet?
      • Dial-up access for vendor or techs?
      • Wireless connectivity to any devices?

Initial Survey, continued
  • How many of you
      • Have a written control system security policy?
      • Regularly change your passwords?
      • Use strong passwords?
      • Have ever changed your passwords?
      • Know the status of the dial-in connections to
        your system as we speak?
      • Use pcAnywhere or X Windows to communicate with
        your systems?
      • Have done a control system vulnerability or
        security assessment?

Introduction of Participants
  • Facilitators
      • Joe Weiss
      • Bob Webb
  • Participants
      • Name, company
      • Area of responsibility
      • What problems have you encountered?
      • What would you like to get from this seminar?
  • Help us plan for the future by completing the
    Conference Survey before you leave.

Picture of wide open eyes to go with Words
  • Know if and where your systems can be vulnerable
  • Walk away with an understanding of control system
    cyber vulnerabilities and an approach to deal
    with those vulnerabilities
  • Know where to get help when you need it

The Problem
  • Some definitions
      • Control Systems
      • Electronic Intrusion
      • What we are not going to talk about
  • What makes control systems unique
      • Real time requirements
      • Changing nature
      • Not yet addressed in most IT strategies
  • What has happened elsewhere
      • Electronic Intrusions from inside and outside the
        corporate firewall
      • Unintentional and deliberate
  • Your examples
      • How can you add to our problem descriptions?
      • What do you see in your systems?

Some definitions
  • Control Systems
      • The broadest interpretation, to include both
        process control, manufacturing operations and
        systems; continuous, discrete, and batch; local,
        direct, and wide area supervisory (e.g., SCADA);
        control and safety systems; serving all types of
        plants, facilities, and systems in all industries
  • Electronic Intrusion
      • Undesired communications with your systems,
        internal (inside your firewall) or external,
        typically via a network, but could be by any
        other means, including RF eavesdropping,
        sneakernet, foreign laptops, jamming, etc.
  • Not included
      • Essential elements, but not part of this
      • Physical security
      • IT security

What makes control systems unique
  • You might be asking, why don't we just apply
    existing business system IT security techniques
    to our control systems (a good question)
  • In response, we will recommend that you do, WHERE
  • But we will also caution you to be aware of your
    systems' unique properties that limit application
    of IT approaches
      • Need to operate in real time often requires speed
        or frequency response that precludes use of
        traditional techniques, like block encryption
      • Need to provide ease of use for operators may
        preclude traditional use of passwords and the
      • Need to rigorously test all changes to operating
        systems, precluding regular updates for security
        patches and the like

Where current solutions fall short
  • Awareness, education, training
  • Processes and Procedures inadequate or
  • Hardware and Software
      • OSs, processors, etc. not designed for security,
        missing hooks and handles to incorporate it
      • Designed without thought of what could go wrong
        with malicious intrusion
      • Raw vulnerability to designer viruses on Ethernet
        or other ports: if firewalls are breached there
        is nothing else, and our demonstrations show the
        open systems can be easily compromised
      • Speed limitations

What has happened elsewhere?
  • Examples and conclusions have been assembled by
    Eric Byres of the British Columbia Institute of
    Technology and Joe Weiss
  • Examples are representative of real events across
    multiple industries, from multiple causes
  • Current trending of cyber intrusions does not
    include Control Systems
      • For example, Carnegie Mellon's CERT has not
        identified any control system intrusions
  • Cyber incidents can have a variety of causes
      • Audit
      • Accidental
      • Non-malicious intrusion
      • Malicious intrusion

Examples of Cyber Incidents
  • Noise or Bad Packets
  • IP Address Duplication
  • Broadcast Storms
  • Internal Intrusion
  • External Intrusion
  • Procedures/Architecture

Noise or Bad Packets
  • Propagation of noise or bad packets throughout an
    entire network is a serious risk.
  • Pulp mill case history:
      • Cable damage problem in one area creates bad
        packets from reflections.
      • Dumb network equipment spreads problem to other

IP Address Duplication
  • TCP/IP protocol demands that every device has a
    unique IP address.
  • Paper Machine Profile Controller case history:
      • Controller scanners use TCP/IP to communicate.
      • Printer in admin gets same address as controller.
      • Scanners try to talk to printer instead of

Broadcast Storms
  • Broadcasts are messages addressed to all network
  • A few broadcasts are okay. Many create broadcast
    storms and will use up a device's CPU resources.
  • Case history: Steam Plant DCS
      • DCS uses Ethernet to communicate between screen
        server and operator consoles.
      • Broadcasts from misconfigured Windows 95
        machine in another mill area overload screen
        server. Shuts down all DCS operator consoles.
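Both of the preceding case histories, the printer that took the controller's IP address and the Windows 95 machine that flooded the screen server with broadcasts, can be caught by passively watching the plant segment. The Python block below is an added example, not material from the presentation or its authors: it runs over a constructed list of frame records, reports any IP address claimed by more than one MAC, and reports any source that exceeds an assumed broadcast rate inside a sliding window.

```python
from collections import defaultdict, deque

# Constructed sample of frames seen on a plant-floor segment (not data from
# the presentation): (seconds, source MAC, source IP, destination IP).
BROADCAST = "255.255.255.255"
SAMPLE_FRAMES = [
    (0.00, "00:10:5a:aa:01:01", "10.1.2.20", "10.1.2.30"),  # profile controller
    (0.10, "00:10:5a:aa:01:02", "10.1.2.30", "10.1.2.20"),  # scanner replying
    (0.50, "00:60:b0:bb:02:02", "10.1.2.20", BROADCAST),    # admin printer, same IP
    (0.60, "00:10:5a:aa:01:02", "10.1.2.30", "10.1.2.20"),  # scanner now hits printer
]
# A misconfigured workstation in another mill area: 40 broadcasts in 0.4 s.
SAMPLE_FRAMES += [(1.0 + i * 0.01, "00:a0:c9:cc:03:03", "10.1.5.77", BROADCAST)
                  for i in range(40)]


def duplicate_ips(frames):
    """Return {ip: {mac, ...}} for every IP address sent by more than one MAC."""
    owners = defaultdict(set)
    for _, mac, ip, _ in frames:
        owners[ip].add(mac)
    return {ip: macs for ip, macs in owners.items() if len(macs) > 1}


def broadcast_storm_sources(frames, window=1.0, threshold=20):
    """Return the MACs that send more than `threshold` broadcasts inside any
    sliding window of `window` seconds (assumed thresholds, not from the page)."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    offenders = set()
    for t, mac, _, dst in sorted(frames, key=lambda f: f[0]):
        if dst != BROADCAST:
            continue
        q = recent[mac]
        q.append(t)
        while t - q[0] > window:  # discard timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            offenders.add(mac)
    return offenders


if __name__ == "__main__":
    for ip, macs in duplicate_ips(SAMPLE_FRAMES).items():
        print(f"duplicate IP {ip} claimed by {sorted(macs)}")
    for mac in broadcast_storm_sources(SAMPLE_FRAMES):
        print(f"broadcast storm source: {mac}")
```

On a live network the same two checks can be fed from a switch mirror port; the duplicate-IP check is what a dumb hub or unmanaged switch will never do for you.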

Internal Intranet Intrusion
  • Eastern plant does major upgrade of DCS.
  • Several months later, head-office engineer
    connects to the mill DCS from head office, using
    the company's wide area network (WAN).

Internal Intranet Intrusion
  • Engineer loads program onto operator station to
    send data to head office for expert system.
  • This new task overloaded DCS/PLC gateways.
  • Operators lose control of devices connected to

Control Highway Intrusion
  • Disgruntled employee attacks PLC in another plant
    area over PLC highway.
  • Password changed to obscenity, blocking
    legitimate maintenance and forcing process

External Wireless Intrusion
  • Hacker attacks sewage control system using radio
  • Causes millions of liters of raw sewage to spill
    out into local parks, rivers and the grounds of a
    Hyatt Regency hotel.

PLCs are Vulnerable
  • Eric Byres has also demonstrated the ability to
    kill a PLC by sending a single packet to it via
    an Ethernet connection.
  • How many of you have Ethernet network connections
    to your PLCs (for HMI, etc.)?

Inadvertent Denial of Service (DoS)
  • Control system procedures have not addressed
    conditions that could lead to DoS
      • Requesting excessive data resulting in loss of
        Database Server
      • Requesting excessive data resulting in loss of
        control function
      • Excessive trending leading to DoS of control
  • Control System architecture not designed for new
    information oriented requirements
      • Loss of DCS operator access
      • Loss of SCADA operator access
      • Loss of DCS control
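The head-office expert-system task that overloaded the DCS/PLC gateways (Internal Intranet Intrusion, above) and the excessive-trending items on this slide are the same failure: information requests competing with control traffic for a gateway's finite capacity. The Python block below is an added example, not from the presentation, that models a per-second admission policy at the gateway which keeps an assumed share of capacity for control requests and sheds trending requests first, and compares it with a gateway that has no such reserve; capacity, reserve and the arrival mix are constructed figures.

```python
# Assumed gateway figures, chosen for the illustration (not from the page).
GATEWAY_CAPACITY = 100   # requests per second the DCS/PLC gateway can service
CONTROL_RESERVE = 40     # slots never handed to trending/historian traffic


def constructed_second():
    """One second of arrivals (constructed): 20 operator-console control
    requests interleaved with 500 tag reads from a head-office expert-system feed."""
    arrivals = []
    for i in range(500):
        if i % 25 == 0:
            arrivals.append(("operator-console", "control"))
        arrivals.append(("expert-system", "trend"))
    return arrivals


def simulate_gateway(arrivals, capacity=GATEWAY_CAPACITY, reserve=CONTROL_RESERVE):
    """Admit requests in arrival order. Control traffic may use all of the
    capacity; trend traffic is refused once only `reserve` slots remain.
    Returns served/dropped counts per kind for the second."""
    served = 0
    counts = {"control_served": 0, "control_dropped": 0,
              "trend_served": 0, "trend_dropped": 0}
    for _client, kind in arrivals:
        limit = capacity if kind == "control" else capacity - reserve
        if served < limit:
            served += 1
            counts[f"{kind}_served"] += 1
        else:
            counts[f"{kind}_dropped"] += 1
    return counts


if __name__ == "__main__":
    # With no reserve the trend flood starves the operators (4 of 20 served);
    # with the reserve every control request gets through.
    print("no reserve  :", simulate_gateway(constructed_second(), reserve=0))
    print("with reserve:", simulate_gateway(constructed_second()))
```

"Dropped" here means refused for that second; a real gateway would queue or throttle the trend client instead, but the point is the same: the trend feed, not the operator, absorbs the shortfall.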

Some Assessment Results
  • These results are from over 58 utility
    assessments facilitated or conducted by John E.
    Allen of LogOn Consulting
      • SCADA systems: 5
      • Plant control systems: 53
  • Assessment type
      • Self-directed
      • Consultant
  • Utility type
      • Electric
      • Natural gas
      • Water

Some Assessment Results, continued
  • For SCADA systems
      • No SCADA configuration data was accurate or
      • Information systems interface not accurately
          • Accuracy range 50-70%
      • Data communication scheme not well understood or
          • Accuracy range 85-98%
  • For Plant Control Systems
      • Most PCS configuration accurate
          • 8% error rate
      • Information systems interface generally
        accurately defined
          • Accuracy range 90-100%
      • Data flow generally confined to facility process
          • Some defined exceptions
          • Accuracy range over 96%

Some Assessment Results, continued
  • Conclusions
      • Limited to SCADA and Plant Control Systems
      • Configuration is not well understood or
          • Architecture
          • External connections
      • Little configuration management
          • No formal process/procedures
      • Minimal understanding of system interaction
      • Minimal operational knowledge of security
          • Lack of procedural guidance
          • Lack of internal controls
      • Little to no personnel security awareness
      • Communication among responsible stakeholders is
          • Decisions and actions often made in isolation,
            affecting security integrity

Some Assessment Results, continued
  • Conclusions, continued
      • Deficient understanding of security issues by
        responsible personnel
          • Specific and general security knowledge
      • Security performance requirements are
      • User community is not well documented
          • Lack of access criteria

Some Assessment Results, continued
  • Observations
      • Knowledge of potential threats is limited
      • Knowledge of vulnerabilities is limited to
      • Stakeholder resistance to security assessments
        ranges from minor to declarations of war
      • Security assessment findings require attendant
        corrective action or enhancement plans

Conclusions
  • Control systems have been impacted by cyber
  • Problems come from inside the corporate firewall
    in most identified events
  • There is a clear interdependence between Control
    Systems and IT Department policies and practices
  • IT procedures are not always applicable to
    control systems
  • Control and IT personnel must work together, using
    both domains' expertise to establish and
    implement effective and workable policies

Conclusions, continued
  • Most control systems rely heavily on Microsoft
    Windows NT or 2000 which is well understood by
  • Control systems can be accessed independent of
  • Most control systems have poor security designs
    and weak protection
  • Many of the existing incidents could have been
    prevented by the application of currently
    accepted IT security practices

What Others Are Doing
  • The Government
      • National Strategy to Secure Cyberspace
      • DOE
      • NIST
      • CIAO
      • NIPC
  • Vendors
  • Other Users
      • Policies and programs

The Government
  • National Strategy to Secure Cyberspace
      • Most information, activity in Business IT area
  • DOE: National Test Bed Initiative
  • National Institute of Standards and Technology
    (NIST) and National Security Agency (NSA)
      • Some activity in real time control systems, as
        related to Critical Infrastructure
      • Substantial amount of material to review and
        apply where it makes sense
  • Federal Energy Regulatory Commission (FERC)
  • Critical Infrastructure Assurance Office (CIAO)

Sector Lead Agencies
  • Electric utilities: North American Electric
    Reliability Council (NERC)
  • Oil and gas: National Petroleum Council
  • Water: Association of Metropolitan Water
    Agencies, AWWA and NAWC
  • Chemical process industry: Chemical Sectors
    Cyber Security Information Sharing Forum

Vendors
  • Typically, IT security is being addressed rather
    than real time control
  • Varying levels of activity by different vendors
      • Policies
      • Network controls
  • Some offer security programs for their clients
  • Most vendors are waiting for industry direction
    or consensus before significant hardware/
    software changes

Vendor Discussion
  • What have your vendors done ?
  • What have you asked for?

Relevant Standards Organizations
  • ISA (Instrumentation, Systems and Automation Society)
  • IEEE (Institute of Electrical and Electronics Engineers)
  • ISO (International Standards Organization)
  • IEC (International Electrotechnical Committees)
  • AGA (American Gas Association)

What You Can Do, Today
  • Develop a policy specific to control systems
      • Existing IT policies do not address control
      • Define scope and purpose
      • Assure all relevant organizations are involved
  • Define current state
      • Vulnerability assessment
  • Perform risk assessment
      • What needs to be addressed?

What You Can Do, Today
  • Develop specific security procedures for your
    control systems
      • Training
      • Control electronic access
      • Testing and appropriate operating procedures
  • Verify all patches are rigorously tested
      • Evaluate impact

What You Can Do, Today
  • Maintain physical security
  • Provide incident response and contingency plans
  • Work with vendors, consultants, and system
  • Participate in appropriate industry groups and
      • Sector lead organizations, other organizations
        discussed earlier

ISA and Industry Activities
  • Articles in INTECH, ISA Online, and Division
  • Active discussion on ISA list servers
  • Industry technical conferences
      • July 30-31: KEMA Consulting Control System Cyber
        Security Conference, Vancouver
      • August 7th: ISA Training Seminar, Securing
        Industrial Networks: Cyber Protection for
        Automation, Control and SCADA Systems
      • August 8th: ISA Conference, hacking demo, issues
        and concerns, assessments, secure network design,
        security strategies
      • September 18th: ISA SP 99 Standard kickoff
      • October 22: Chicago ISA 2002 conference,
        standard, and PCSRF
  • Membership in NIST PCSRF
  • IEEE and IEC ongoing activities

Be careful what you ask for!
  • Essential basis for open, vendor independent,
    connectivity, networking, and control
  • End users have driven the open systems
  • Standards Development Organizations (SDOs) need
    to provide for enhanced security
  • End users need to adopt enhanced standards

Picture of DCS
ISA Response - Standards
  • Development of positions, issues, industry
    guidance, and/or subcommittee scope and purpose
    and activity in
      • ISA 50 Fieldbus for use in Industrial Control
      • ISA 67 Nuclear Power Plant Standards
      • ISA 77 Fossil Power Plant Standards
      • ISA 84 Programmable Electronic Systems for Use
        in Safety Applications
        (ANSI/ISA S84.01-1996, ANSI/ISA S91.01, IEC 61511)
          • Responsible for functional safety in the process
          • Sub-committee on security
      • ISA 95 Enterprise/Control Integration
      • Formation of ISA SP 99, a new committee to
          • Cover the issues common to all controls related
          • Coordinate related ISA standards activities
  • Standards activities will continue with meetings
    at ISA 2002 in Chicago

ISA Response Awareness, Training
  • Electronic Intrusion into YOUR Real Time Control
    Systems: ISA NORCAL Conferences, October 9 Santa
    Clara and October 15 Sacramento
      • Threats, Vendors' Perspective, Standards
      • 90 minute overview plus discussion
      • Facilitated by Joe Weiss, Bob Webb
  • Real Time Control Systems Security Issues and
    Direction, a conference track at ISA 2002, October
    21, 2002, Chicago
      • The Issues and Challenges: an Overview
      • Vendor Solutions
      • Role of Standards
      • 6 hours of information
      • Session developers: Joe Weiss, Bob Webb
  • Continuation of Standards, Conferences and
    Training Courses in 2003 and beyond

ISA Future Directions
  • Growing area of activity
  • More integration and coordination within and
    outside of the Society
  • ISA SP 99 detailed scope to be defined at 10/22
    Chicago meeting
  • Participate in our standards, conferences, and
      • rcw4@ix.netcom.com
      • lferson@isa.org

IEEE Response
  • Panel session at IEEE Winter Power Meetings
  • Task Force to review cyber security impacts on
    IEEE Power Engineering Society (PES) Standards
  • Joe Weiss Task Force Chair

Get help or learn more ?
  • Resources and References
  • National Strategy to Secure Cyberspace
      • http://www.whitehouse.gov/pcipb/
  • NIST National Institute of Standards and
      • Programs/Initiatives/Forums
      • Critical Infrastructure Protection Cybersecurity
        of Industrial Control Systems http://www.mel.nist
      • Process Control Security Requirements Forum
        (PCSRF) http://www.isd.mel.nist.gov/projects/proce
      • National Infrastructure Assurance Partnership
        (NIST and NSA) http://niap.nist.gov/
      • Computer Security Resource Center

Get help or learn more, continued
  • CIAO - Critical Infrastructure Assurance Office
  • The Twenty Most Critical Internet Security
    Vulnerabilities http://www.sans.org/top20.htm
  • North American Electric Reliability Council
      • Critical Infrastructure Protection Advisory Group
        (CIPAG) http://www.nerc.com/filez/cipfiles.html
  • Federal Energy Regulatory Commission (FERC)
      • NOPR on Standard Market Design http://www.ferc.go
      • Requires security to sell into grid, and yearly
        self audits
  • DOE 21 steps to secure your SCADA network
      • http://oea.dis.anl.gov/home.htm

Get help or learn more, continued
  • Technical non-profit organizations addressing
    Electronic Intrusion
  • ISA
      • Awareness, information, standards development,
        training aimed specifically at control systems
  • IEEE
      • Standards www.ieee.org
  • ISO
      • ISO 15408 - Information technology -- Security
        techniques -- Evaluation criteria for IT security
      • ISO 15408 Common Criteria http://www.commoncrite

Get help or learn more, continued
  • Organizations with control systems and security
    expertise, whose information was used in this
  • KEMA Consulting, Inc., jweiss@kemaconsulti
      • Cyber security procedure development
      • Assessments, program development and management,
        reviews and recommendations
      • Research and development direction and support

Get help or learn more, continued
  • BCIT, British Columbia Institute of Technology,
    Eric Byres, eric_byres@bcit.ca
      • BCIT Industrial Incident Database - tracks
        network security incidents that directly impact
        industrial control operations.
      • BCIT Internet Engineering Research Lab - conducts
        security tests on control system products and
  • LogOn Consulting, John Allen
      • Assessments, program development and management,
        reviews and recommendations

Summary A.C.T.I.O.N.S.
  • IT focused recommendations from The National
    Strategy To Secure Cyberspace, Sept. 2002
      • Authentication
      • Configuration management
      • Training
      • Incident response
      • Organization network
      • Network management
      • Smart procurement
  • Exercise caution when applying to control systems

Further Discussions
  • Q&A
  • Thanks!

Picture of Dinner