substation security why firewalls don’t work! ©copyright 1998, systems integration specialists...

Post on 24-Dec-2015


SUBSTATION SECURITY

WHY FIREWALLS DON’T WORK!

©Copyright 1998, Systems Integration Specialists Company, Inc. All Rights Reserved

Presented by:

What are the issues?

• What is the purpose of the substation?

• What functions need to be protected and How?

• What are the issues in protecting substations?

Functions of Substation

Substation

Protect Equipment

Enable Power Distribution

Control Center

Enable Control Center Communications

Enable Revenue Metering

Enable Power Quality Information

Protect Equipment - Physical Security

Vulnerable to Physical Destruction/Terrorism

• Gates typically locked but not monitored

• Control Cabinets Locked but not monitored

• Substation and Power Diagrams typically in control house or panels

Control Center Communications

• Typically Use
  – Radio
  – Dial-up
  – Lease Line
  – WAN

Radio: 5 minutes and $1500

• MAS/Licensed frequencies available on www.fcc.gov!

• Microwave

• Spread Spectrum

Listed in order of progressing communication security

Dial-up

• Telco Switches are susceptible

• Non-publication of phone number is no protection.

• Implementation in called device typically doesn’t have time-out, call-back, or challenge.

WAN

Typical IS/IT would use Firewall to Protect?

Most People think WAN::=

Firewalls - The way they work


NO EXTERNAL COMMUNICATIONS - IT’S SAFE

Firewalls - The way they work


OPEN HOLE IN WALL

CONTROL CENTER COMMUNICATION: EXPOSURE

ESTABLISH COMM LINK

Firewalls - The way they work

TCP/IP Port (e.g. 20/21 for FTP)

WELL KNOWN PORTS MEAN HIGHER RISK

Firewalls - The way they work

TCP/IP Port (e.g. 20/21 for FTP)

FIREWALLS TYPICALLY CONTROL WHO CAN CONNECT IN/OUT PER PORT

PROTOCOL IS PER PORT

FUNCTIONS OF FIREWALL

RULES

ADDRESS TRANSLATION/PROXY

LAN INTERFACE

EXTERNAL WAN INTERFACE

WHICH PORT

CONNECTION RULES

TO WHOM

FROM WHOM

CONNECTION RULES DETERMINE

• WHO CAN CONNECT AND TO WHOM
  – NO RULES: ONLY PORT RESTRICTION
  – SOURCE ROUTING
  – USER ID/PASSWORD
  – CHALLENGE
  – TOKEN
  – DIGITAL CERTIFICATE

SO WHAT’S WRONG?

[Diagram: WAN, Control Center]

SO WHAT’S WRONG?

EAVESDROPPING

CC->SUB (userid, password, certificate)

HACKER->SUB (userid, password, certificate)

SPOOF, MASQUERADE
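
An added example, not part of the original presentation, of why credentials that are identical on every connection do not survive eavesdropping, while a challenge (one of the connection-rule options listed earlier) does. The device classes, key and credential values are constructed, and HMAC-SHA256 over a random nonce is an assumed stand-in for whatever challenge scheme a device would implement.

```python
import hashlib
import hmac
import secrets

# Constructed values for illustration; none come from the slides.
CREDENTIALS = b"cc-operator:constructed-password"
KEY = b"constructed-shared-key"

class StaticAuthDevice:
    """Accepts the same userid/password bytes on every connection."""
    def login(self, message: bytes) -> bool:
        return hmac.compare_digest(message, CREDENTIALS)

class ChallengeAuthDevice:
    """Issues a fresh nonce per connection and expects HMAC(KEY, nonce)."""
    def __init__(self) -> None:
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def login(self, response: bytes) -> bool:
        nonce, self._pending = self._pending, None  # each nonce is single-use
        if nonce is None:
            return False
        expected = hmac.new(KEY, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def respond(nonce: bytes) -> bytes:
    """Control-center side: prove knowledge of KEY without sending it."""
    return hmac.new(KEY, nonce, hashlib.sha256).digest()

def replay_outcomes() -> dict:
    """Log in once per scheme, then present the recorded bytes again."""
    static_dev, chal_dev = StaticAuthDevice(), ChallengeAuthDevice()
    recorded_static = CREDENTIALS                      # as seen on the wire
    static_legit = static_dev.login(recorded_static)
    recorded_response = respond(chal_dev.challenge())  # as seen on the wire
    challenge_legit = chal_dev.login(recorded_response)
    chal_dev.challenge()                               # new connection, new nonce
    return {
        "static_legit": static_legit,
        "static_replay": static_dev.login(recorded_static),
        "challenge_legit": challenge_legit,
        "challenge_replay": chal_dev.login(recorded_response),
    }

if __name__ == "__main__":
    print(replay_outcomes())
```

The challenge only addresses replay of the login; the traffic that follows still needs encryption and integrity protection to counter the eavesdropping and intercept/alter concerns.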

It's OK, Nobody knows our protocol!

[Bar chart of protocols in use: ASCII, TCP/IP, DNP 3.0, UCA, OTHER]

NOT A TRUE STATEMENT: ONLY 29% of Protocols in use are not publicly available!

EVEN MORE FUEL

• ONLY 65% of Substation Devices have Passwords enabled.

• Few Firewalls restrict services running over a given port.
  – E.G. GET/SET
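
An added illustration, not from the original slides, of the gap between a port-only rule and a rule that also checks the service carried on that port. The frame layout, port number, addresses and function names are all constructed for the example.

```python
import struct
from dataclasses import dataclass

# Hypothetical frame layout (not from the slides): 1-byte service code,
# 2-byte big-endian point id, then an optional value payload.
GET, SET = 0x01, 0x02
DEVICE_PORT = 5020                      # hypothetical port for the device protocol
CONTROL_CENTER = "10.0.0.5"             # constructed addresses
ENGINEERING_PC = "10.0.0.77"

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes

def port_filter(pkt: Packet) -> bool:
    """Port-only rule: anything addressed to the device port passes."""
    return pkt.dst_port == DEVICE_PORT

# Service-level policy: which source may invoke which service codes.
SERVICE_POLICY = {CONTROL_CENTER: {GET, SET}, ENGINEERING_PC: {GET}}

def service_filter(pkt: Packet) -> bool:
    """Port rule plus a check of the service code carried in the frame."""
    if not port_filter(pkt) or len(pkt.payload) < 3:
        return False                    # wrong port or truncated frame: drop
    service, _point = struct.unpack_from(">BH", pkt.payload)
    return service in SERVICE_POLICY.get(pkt.src, set())

def frame(service: int, point: int, value: bytes = b"") -> bytes:
    """Build a constructed request frame in the hypothetical layout."""
    return struct.pack(">BH", service, point) + value

def decisions() -> list:
    """(name, port-only verdict, service-aware verdict) per sample packet."""
    samples = [
        ("CC GET", Packet(CONTROL_CENTER, DEVICE_PORT, frame(GET, 7))),
        ("CC SET", Packet(CONTROL_CENTER, DEVICE_PORT, frame(SET, 7, b"\x01"))),
        ("PC GET", Packet(ENGINEERING_PC, DEVICE_PORT, frame(GET, 7))),
        ("PC SET", Packet(ENGINEERING_PC, DEVICE_PORT, frame(SET, 7, b"\x01"))),
        ("short", Packet(CONTROL_CENTER, DEVICE_PORT, b"\x02")),
    ]
    return [(name, port_filter(p), service_filter(p)) for name, p in samples]

if __name__ == "__main__":
    for row in decisions():
        print(row)
```

Source addresses can be spoofed, so a service rule keyed on address complements authentication rather than replacing it.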

Multiple Passwords a problem

The Greyhound Story

NO SECURITY: NO USER PAIN

SINGLE PASSWORD: EASY TO REMEMBER

MULTIPLE PASSWORDS: HARD TO REMEMBER

UTILITY CONCERNS

[Bar chart; categories shown:]

• Repudiation
• Information Leakage
• Eavesdropping
• Replay
• Masquerade
• Spoof
• Intercept/Alter
• Denial of Service
• Indiscretion of Personnel
• Integrity Violation
• Illegitimate Use
• Authorization Violation
• Bypassing Controls

POWER QUALITY

Substation

Control Center

EAVESDROPPING AND INTERCEPT/ALTER MAY HAVE LARGE FINANCIAL CONSEQUENCES IN THE NEAR FUTURE!

FIREWALL SHOULD PROVIDE

• STRONG AUTHENTICATION

• NEGOTIABLE ENCRYPTION

• SECURE MANAGEMENT

• ATTACK DETECTION ANNUNCIATION

WHY AREN’T FIREWALLS ENOUGH?

• Security is only as good as the weakest link in the system.
  – Security in the Control Center
  – Management Support and Policy
  – Crisis Team
  – Management

WHY AREN’T FIREWALLS ENOUGH?

• Service (e.g. GET/SET) must be enabled/disabled in devices.
  – Vendors see no value in strong security! Only 3 of 1000 vendors returned surveys
  – Utilities want strong security! 12% of contacted utilities responded!

Protocols and Implementation have LARGE impact after FIREWALL

Vendors Must Participate

But Why?

Let's analyze a new protocol!

Proprietary over TCP/IP

Where Vendors go Wrong: Just an Example!

(no names to protect the guilty parties!)

General Implementation

Proprietary Protocol

TCP

IP

Ethernet

Non-session oriented

Denial of Service

Proprietary Protocol

TCP

IP

Ethernet

"Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux, .....)

Ping of Death information: http://www.sophist.demon.co.uk/ping/

Port connection exhaustion

Potential for bus traffic congestion.

Masquerade

Proprietary Protocol

TCP

IP

Ethernet

No USER/PASSWORD

No session timeout

Information Leakage

Proprietary Protocol

TCP

IP

Ethernet

No USER/PASSWORD

No session encryption

Conclusion of Protocol Design

"Any man may make a mistake; none but a fool will persist in it!"

OR

Security must be designed and protocols must be extended to support security features!

CONCLUSION to SECURITY

• Firewalls add a degree of security

• Management Support is Critical

• Security has value and utilities need to be willing to pay.

• Vendors need to be willing to implement strong security and authentication.
