IT vs. OT: ICS Cyber Security in TSOs
CP-EXPO - Genova, 30 Oct 2013
G. Caroti
IT vs. OT: ICS cyber security in TSOs
“CI SYSTEM”: “Interdependences” and domino effect …
Critical Infrastructure … services essential for everyday life such as energy, food, water, transport, communications, health, banking and finance.
[Table: dependency matrix between critical infrastructures. Rows (the CI whose service is interrupted): ICT, Gas, Oil, Power System, Railway, Water. Columns (the dependent CI): ICT, Gas, Power System, Railway, Water, Health, Economy/Finance, Social order. Cells are rated on an L / M / H / E scale; the individual cell values are not recoverable from the extracted text.]
Estimated degree of dependence of a "CI" (column) following a significant and extended (> 24 h) interruption of service of another "CI" (row). Source: AIIC 2007
Cyber threats, security breaches and impacts

Threats:
• Unauthorised access to systems
• Technology failures
• Malicious attacks (hackers)
• Sabotage
• Criminal activities
• Natural disaster
• Human error, inadequate procedures

ICT assets exposed (corporate and business information systems; business & operational critical ICT systems):
• Systems
• Infrastructures
• Applications
• Services

Potential serious implications:
• Unauthorised data disclosure
• Unauthorised system alteration
• Economic losses
• Data loss or corruption
• Reputational losses
• Operational disruption to services
• PS and grid continuity and safety reduction
• Public safety and citizens’ protection
• Maltreatment of business & operational critical ICT systems

By the use of the term “Resilient” we characterise the systems that provide and maintain an acceptable level of service in the face of faults (unintentional, intentional, or naturally caused) affecting their normal operation. The main aim of resilience is for faults to be invisible to users (ENISA).
New risks … recently many warning messages!
a. (EU) Work Programme FP7 2009-2010: “protection of critical information infrastructures”
b. (IT) Report of COPASIR 2010 on cyber crime (July 2010)
c. << … >>
d. (US) Obama's executive order: "better protection of the country's critical infrastructure from cyber attacks" (Feb 2013)
e. (US) Warning of the “CIA Director” on new “cyberattack” scenarios (Feb 2013)
f. (EU) Commission: Cybersecurity Strategy of the European Union (Feb 2013)
g. (IT) Report of COPASIR 2013 on threats to national security (Feb 2013)
h. (IT) DIS 2012 Report (Feb 2013)
i. (IT) Warning by Prime Minister Monti on cyber risk (Mar 2013)
j. (IT) DPCM 24/1/13: guidelines for cyber security and national information security (G.U. Mar 2013)
“Operational Technology“
IT vs. OT[1] …
An independent world of "operational technology" (OT) is developing separately from IT groups … if IT organizations do not engage with OT environments to assess convergence, create alignment and seek potential areas of integration, they may be sidelined from major technology decisions - and place OT systems at risk.
[Gartner - 2009]
[1] OT environment: defined as an independent world of physical-equipment-oriented computer technology (ICS)
Convergence and Alignment? And Integration?

I(A)CS environment …
IACS: a “heterogeneous world” with several classifications

For functional applications:
• Energy Management Systems (EMS)
• Substation control/protection systems
• Substation Automation Systems (SAS)
• Market Management Systems (MMS)
• Distributed Control Systems (DCS)
• Industrial Automation
• Safety Instrumented Systems (SIS)
• Process Control Systems
• Plant Control Systems

For technologies:
o Supervisory Control and Data Acquisition (SCADA)
o Remote Terminal Unit (RTU)
o Intelligent Electronic Device (IED)
o Programmable Logic Controller (PLC)
o Distributed Computer System (DCS)
o Process Control Network (PCN)
IACS key elements

SCADA systems collect from the field the data that characterise the system to be controlled, generate alarms to operators and execute commands to the field by managing communications with the RTUs … one or more servers, data-gathering and control units (RTUs) and a set of standard and/or custom applications to monitor/control the remote elements. A SCADA system can reach more than 50,000 data collection points, transmit analog or digital information, send control signals and receive input states as feedback to the control operations. It can perform complex sequences of operations and ensure the collection of information with appropriate frequency.

EMS manages the data set … used by the operators to manage state estimation, energy flows, contingency analysis, load forecasting and allocation of generating units.

AGC controls the generating units to ensure that the optimal load is managed with criteria of economy … it submits additional control signals to adjust GU production based on load forecasts, availability, speed of response and planned exchanges.

UI gives operators an interactive interface … to monitor the performance of the PS, manage alarm conditions and study the potential conditions that ensure the system security policies on the network.
[Diagram: LAN of the Control Center connecting EMS (Apps&DB), AGC, SCADA systems and UI; the SCADA systems communicate with the Field.]

SCADA data flows …
UI (MMI/HMI):
• Data acquisition
• Control actions (call-up, data entry, ...)
• Processing historical data
• Conducting elements of a plant (remote controls)
• Management of "limits"
• Defined run-time calculations
• Statistics on the functioning of network elements
• Calculation of elementary average P and E
• Calculation of financial statements
• Load shedding
• Alarms and Events

Layers: Enterprise Domain – Centre Layer – Process Network – Plant Layer – Field Layer – Ext. Industrial process Domain

Link chain: Threats -> Contingencies
Threats -> Vulnerability (exploitable) -> Component / Device / System -> Contingency
“IT” < > “OT”
[Diagram: IT and OT each with their own HW/SW, APP and Network HW/SW, sharing Common Resources and Services; threats act on every element; the C I A properties apply on both sides.]

Cyber Threats
Enclave (“obscurity”) -> Technological evolution (change of scenario) -> Awareness (compensatory measures) -> Security “embedded” in the systems (tech & process)
Why a protection program for ICS?

[Figure: cyber vulnerability of ICS over time, from the ’80s to the ’20s]

Enclave (“obscurity”):
– Proprietary (non-standard) protocols known to very few people
– No information published on the functioning of the systems
– Only point-to-point connections, often hosted in a private telecommunication environment
– No interconnection with network management
– No interconnection with any external network (i.e. Internet)
– Operational environment inherently protected and segregated
– Low probability of unpredictable stress-load conditions

Technological evolution (change of scenario):
– Migration (also "tacit") by the vendors to "off-the-shelf" technologies
– Introduction of open standards and protocols (TCP/IP and wireless technologies), which exposes the system to its vulnerabilities without proper awareness
– Interconnection needs with other corporate networks and systems, making the systems potentially accessible to unwanted entities too
– Transition from private communication networks or "leased lines" to services of public infrastructure, which results in increased dependence ("addiction") on public telecommunications service operators
– Remote “maintenance” needs
Cyber incident on ICS by “human” attack!?
Security Incidents show OT vulnerability

Security layers: Network Security – System Security – Application Security – Data Security – User Profile Security

Attacks (violation of availability; violation of confidentiality/integrity):
• Attack for (unauthorized) access to the resources
• Information theft
• Attack to cause complete/partial unavailability
• APT

Actors: Insiders, Saboteurs, Crackers, Terrorists

Consequences:
• Financial losses
• Inappropriate handling of components of the PS: loss of production, outages, operational safety
• Difficulty of industrial operations
• Lower ability to control the power system
• Difficulty of emergency management
• Increased risk of instability
• Domino effect on other CI
• Consequences for the community
What do we have? …

Control families (NIST SP 800-53; class: Tech / Operational / Management):
AC Access Control (Tech)
AT Awareness and Training (Operational)
AU Audit & Accountability (Tech)
CA Certification, Accreditation and Security Assessments (Management)
CM Access Control (Operational)
CP Contingency Planning (Operational)
IA Identification & Authentication (Tech)
IR Incident Response (Operational)
MA Maintenance (Op)
MP Media Protection (Op)
PE Physical & Environmental Protection (Op)
PL Planning (Management)
PS Personnel Security (Op)
RA Risk Assessment (Management)
SA System & Services Acquisition (Management)
SC System & Communications Protection (Tech)
SI System & Information Integrity (Op)

NERC CIP standards:
CIP 002 Identification of the critical information infrastructures (IIC) supporting the EPU
CIP 003 Security management controls
CIP 004 Personnel and training
CIP 005 Security of network access
CIP 006 Physical security
CIP 007 System security management
CIP 008 Incident reporting
CIP 009 Recovery plans and DR

COMMON CRITERIA

ISA-99 foundational requirements:
AC: Access Control
UC: Use Control
DI: Data Integrity
DC: Data Confidentiality
RDF: Restrict Data Flow
TRE: Timely Response to Event
NRA: Network Resource Availability

ISO/IEC 27001 Annex A:
A5. Information security policy
A6. Organisational principles for IS management
A7. Asset management
A8. Personnel policies concerning IS
A9. Physical and environmental security
A10. Communications and operations management
A11. Access control
A12. IS management in the acquisition, development and maintenance of systems
A13. Security incident management
A14. Business process continuity management
A15. Compliance controls
The first “brick” …
Selected … + Documented … + Implemented … + Kept … + Improved … + Verified …
… as a key enabler, regardless of the source of the "controls" used as a reference (ISO, NIST or other Information Risk Management tools)
Structured FRAMEWORK …
“Secure-by-design” framework: “pipeline” for security

System Life Cycle:
• Development / Acquisition Phase – “Building” a secure system
• Operational Phase – Keep the system secure
• Disposal Phase – Secure disposal of the system

Security activities across the life cycle: Training, Awareness, Change management, Monitoring, Access control (Phys/Log), Incident handling, Patch management, Periodic security assessment
Unfortunately: IT Systems vs. OT System (IACS)

• Antivirus
  IT Systems: available for all systems and regularly updated
  OT System (IACS): not compatible with many applications !?
• Id & Aut / Accountability
  IT Systems: functions always implemented – individual, unique account, with complex password changed by policy
  OT System (IACS): no authentication at protocol and console level; group account, even with hard-wired or weak password !?
• Patching
  IT Systems: in time, with automated tools
  OT System (IACS): not in time, no automated tools !?
• System Administration
  IT Systems: as a rule always supported in the life cycle of a system; centralized
  OT System (IACS): often not supported in time (obsolescence); local, delegated to control system engineer figures !?

Same controls, but need of compensatory countermeasures: special Physical & Logical Architectures
The typical scenario …
[Diagram: the organisation reached directly through the Internet, PSTN/ISDN and GPRS/UMTS by the parties below]

Remote access paths and parties:
• Technicians on the road
• Vendors
• Outsourcers (e.g. TelCo)
• Other TSO/Utility/Operator
• Outsourcers (e.g. IT - TelCo)
• Third Parties (partners)
• Remote Access for staff
• Personal mobility
Going towards a Defense-in-Depth approach … must be adapted … for different security requirements!
[Diagram: the same parties (technicians on the road, vendors, outsourcers, other TSO/Utility/Operator, third parties, staff remote access, personal mobility) arrive through public networks (Internet, PSTN/ISDN, GPRS/UMTS) and are terminated in dedicated DMZs instead of reaching the process networks directly]

• Public networks (Internet)
• DMZ for (management) Remote Access – Remote Access Gateway
• DMZ for Exposed IACS Services – Services/Applications with replicated (mirrored) DBs (“one-way” mode)
• IACS internal DBs (typically real-time critical DBs) – not accessible from outside the process networks
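As an added illustration (not from the presentation), a small policy checker for the zones just described: public networks, the management remote-access DMZ with its gateway, the exposed-services DMZ holding the one-way mirrored DBs, and the process network with the IACS internal DBs. Zone and service names are assumptions; the rules encode the two invariants stated above (internal DBs unreachable from outside the process network; replication one-way only) and flag any requested flow that breaks them.

```python
# Added example (not from the presentation): a policy checker for the
# defence-in-depth zones described above. Zone and service names are assumed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str      # originating zone
    dst: str      # destination zone
    service: str  # "remote_access", "db_query" or "db_replication"

# Explicitly allowed (src, dst, service) triples; anything else is denied.
ALLOWED = {
    ("public", "remote_access_dmz", "remote_access"),               # users hit the gateway only
    ("remote_access_dmz", "process_network", "remote_access"),      # gateway brokers the session
    ("public", "exposed_services_dmz", "db_query"),                 # read the mirrored copy
    ("process_network", "exposed_services_dmz", "db_replication"),  # one-way push to the mirror
}

def check(flow: Flow) -> tuple:
    """Return (allowed, reason) for one flow."""
    # Invariant: replication is one-way, the mirror never writes back into the process network
    if flow.src == "exposed_services_dmz" and flow.dst == "process_network":
        return False, "mirrored DB replication is one-way only"
    # Invariant: internal DBs are never reached from outside the process network
    if (flow.dst == "process_network" and flow.src != "process_network"
            and flow.service in ("db_query", "db_replication")):
        return False, "IACS internal DBs are not accessible from outside process networks"
    if (flow.src, flow.dst, flow.service) in ALLOWED:
        return True, "explicitly allowed"
    return False, "no matching rule (default deny)"

def audit(flows):
    """Return [(flow, reason)] for every flow the policy refuses."""
    return [(f, check(f)[1]) for f in flows if not check(f)[0]]

# Constructed sample flows, as they might appear in a firewall change request
SAMPLE = [
    Flow("public", "remote_access_dmz", "remote_access"),
    Flow("public", "process_network", "remote_access"),                 # bypasses the gateway
    Flow("public", "exposed_services_dmz", "db_query"),
    Flow("public", "process_network", "db_query"),                      # targets the internal DB
    Flow("process_network", "exposed_services_dmz", "db_replication"),
    Flow("exposed_services_dmz", "process_network", "db_replication"),  # reverse direction
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE):
        print(f"DENY {flow.src} -> {flow.dst} [{flow.service}]: {reason}")
```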
Conclusion …
Convergence and Alignment? And Integration?
Thank you for your attention!