putting scada security to the test - sans.org · putting scada security to the test: why you need a...
TRANSCRIPT
![Page 1: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/1.jpg)
8th Security Summit Portland, Oregon
Putting SCADA Security to the Test: Why you need a lab and how to get one
Chris Sistrunk, PE Sr. Engineer Entergy – Jackson, MS
![Page 2: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/2.jpg)
8th Security Summit Portland, Oregon
Why do we need a lab,
Chris?
![Page 3: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/3.jpg)
8th Security Summit Portland, Oregon
What happens when you use nmap on an Industrial Control System
http://securityreactions.tumblr.com
![Page 4: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/4.jpg)
8th Security Summit Portland, Oregon
Why do we need a lab?
With a lab, you can
• Test relay and RTU settings on a replica of production systems
• Test new firmware before issuing to field
• Perform root-cause analysis
– Why is this device locking up once a month?
• Try out new equipment from a vendor
![Page 5: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/5.jpg)
8th Security Summit Portland, Oregon
Why do we need a lab?
Save time & money by
• Creating standard settings templates
• Find problems before they are widespread
(Not having to recall units with firmware issues)
• Develop and test equipment pilots in-house rather than hiring a company to do it
• Use lab equipment as emergency spare
![Page 6: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/6.jpg)
8th Security Summit Portland, Oregon
Why security testing?
• Not all SCADA/relay vendors do negative or security testing at their factories
• Even if they did, they can’t test equipment the EXACT way that you use it
• Test your own equipment before hackers or some drive-by malware does it for you
• Use the results to mitigate vulnerabilities
![Page 7: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/7.jpg)
8th Security Summit Portland, Oregon
What kinds of testing?
![Page 8: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/8.jpg)
8th Security Summit Portland, Oregon
• Factory/Site Acceptance Testing (RTU system)
• Firmware/Software Testing (new or patches)
• Protocol Testing (DNP3, Modbus, etc)
• Protocol Fuzzing (custom or off-the-shelf)
• Penetration Testing (Metasploit, etc)
• Physical security testing (cabinet locks etc)
• DOCUMENT! DOCUMENT! DOCUMENT!
What kinds of testing?
![Page 9: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/9.jpg)
8th Security Summit Portland, Oregon
What would be your stuxnet?
• Be a hardhat hacker
• Think like an attacker who has your prints!
• Build your systems with layers of defense
• If you find a vulnerability, let your vendor know (they might even have a patch)
“To make things work well, you must break them!”
![Page 10: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/10.jpg)
8th Security Summit Portland, Oregon
How I Audit SCADA Systems
http://securityreactions.tumblr.com
![Page 11: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/11.jpg)
8th Security Summit Portland, Oregon
OK, how do I get a lab?
![Page 12: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/12.jpg)
8th Security Summit Portland, Oregon
OK, how do I get a lab?
• Ask your boss! Ask the CIO! Ask Ask Ask!
• If you are the boss, ask your best people what they want in their lab and go buy it!
• Put together a plan or a business case! – Add it to NERC/CIP compliance budget (big driver)
• Go get spare equipment and make a rack!
• Start small and add to it. – Mine started as 2 relay racks in my cubicle
![Page 13: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/13.jpg)
8th Security Summit Portland, Oregon
Some ideas
![Page 14: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/14.jpg)
8th Security Summit Portland, Oregon
Still can’t afford it?
![Page 15: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/15.jpg)
8th Security Summit Portland, Oregon
Can’t afford one, don’t have the manpower, don’t have the expertise?
• 3rd party testing such as Enernex, Digital Bond, Kinectrics, Cimation to name a few
• The US Gov’t has the Idaho NL National SCADA Test Bed, Pacific NW NL, & Sandia NL
• Colleges such as Louisiana Tech, Mississippi State, Jackson State have power, SCADA, and security equipment in their labs
• Farm out the testing and work with them to get the results you want & capitalize the test costs
![Page 16: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/16.jpg)
8th Security Summit Portland, Oregon
“Engineering isn't about perfect solutions; it's about doing the best you can with limited resources.” -Randy Pausch, The Last Lecture
Engineering Truth
![Page 17: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/17.jpg)
8th Security Summit Portland, Oregon
To be the best, you need the best tools!
![Page 18: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/18.jpg)
8th Security Summit Portland, Oregon
Entergy THQ Virtual Lab Tour
![Page 19: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/19.jpg)
8th Security Summit Portland, Oregon
Transmission HQ Labs
• Transmission HQ moved from NOLA to Jackson
• Business continuity after Hurricane Katrina
• Brand new building in Fall of 2009
• 5 large rooms designated for lab space – Relay & SCADA Lab
– Communications & Security Lab
– Real-time Power System Simulator Lab
– Mississippi Grid Lab
– High Voltage Lab
![Page 20: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/20.jpg)
8th Security Summit Portland, Oregon
Relay & SCADA Lab
![Page 21: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/21.jpg)
8th Security Summit Portland, Oregon
Relay & SCADA Lab NO
LAB RATS OR
CYBERATTACK SQUIRRELS ALLOWED
![Page 22: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/22.jpg)
8th Security Summit Portland, Oregon
Relay & SCADA Lab
![Page 23: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/23.jpg)
8th Security Summit Portland, Oregon
Relay & SCADA Lab
• Cubicle: 2 racks >> Old Break Room: 7 racks
• New THQ: 15 bolted racks, 10 rolling racks – 40+ Protective Relays (7 different standard panels)
– Digital Fault Recorder
– 8+ RTUs, 3 Communication Processors
– Substation Grade LAN & Corp Network
– GPS Clock (IRIG-B), HMI Screen & Keyboard
– Toolbox, O-Scope, Multimeter, Cables, Workstations, Chip Burner, Relay & RTU Test Sets, etc
![Page 24: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/24.jpg)
8th Security Summit Portland, Oregon
Relay & SCADA Lab
• THE LAB OF MY DREAMS!
• We can replicate almost any substation
• Test new configurations
• Test problematic field configurations
• Test new firmware & software
• Test drive new equipment
• Train relay & RTU technicians and engineers
![Page 25: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/25.jpg)
8th Security Summit Portland, Oregon
Communications & Security Lab
![Page 26: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/26.jpg)
8th Security Summit Portland, Oregon
Communications & Security Lab
• Substation Hardened Router & Switch
• Radios of different bands and technologies
• Six-sided PSP for simulating CCA sites
• Several field firewalls
• Wurldtech Achilles Fuzzer – Test network robustness of devices
– Fuzzing DNP3, Modbus, & IEC 61850
– Test new RTU & Relay firmware patches
– Will network storm affect control outputs?
![Page 27: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/27.jpg)
8th Security Summit Portland, Oregon
Power Real-Time Simulator Lab
![Page 28: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/28.jpg)
8th Security Summit Portland, Oregon
Power Real-Time Simulator Lab
![Page 29: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/29.jpg)
8th Security Summit Portland, Oregon
Power Real-Time Simulator Lab
“Hypersim is the only real-time digital simulator with the power to simulate and analyze very large-scale power systems with more than 2000 three-phase buses.” - http://www.opal-rt.com
• Simulate different fault scenarios
– Will the Relay A, B, C have a misoperation?
– Will relay fault activity affect comm (vice versa)?
• R&D & commissioning tests
![Page 30: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/30.jpg)
8th Security Summit Portland, Oregon
Mississippi Grid Lab
![Page 31: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/31.jpg)
8th Security Summit Portland, Oregon
Mississippi Grid Lab
• Multipurpose type lab used by Entergy Mississippi T&D Grid Engineers
• Inspecting/repairing equipment
• Pre-test new panels before field installation
• Spare parts inventory
![Page 32: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/32.jpg)
8th Security Summit Portland, Oregon
High Voltage Lab
![Page 33: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/33.jpg)
8th Security Summit Portland, Oregon
High Voltage Lab
• The Hi-VARC (High Voltage AC Resistive Current) test set provides rapid, automatic evaluation of MOV arresters and polymer insulators using AC voltages up to 132kV.” http://www.jmxservices.com
• Inspection & root cause of failed insulators, HV circuit breaker components, etc
![Page 34: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/34.jpg)
8th Security Summit Portland, Oregon
Last but not least…
![Page 35: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/35.jpg)
8th Security Summit Portland, Oregon
Go make stuff…Go break stuff
![Page 36: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/36.jpg)
8th Security Summit Portland, Oregon
A Few Thoughts
SCADA Security isn’t easy
• Doing the best we can with what we have
SCADA, Relay, & Security Labs
• Having a lab is so valuable for testing, troubleshooting, breaking & fixing stuff
• Yes I have a fuzzer and I’m not afraid to use it
DNP3/IP Secure Authentication v5
• Please tell your vendors you want NEED it
![Page 37: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/37.jpg)
8th Security Summit Portland, Oregon
Dream BIG!
![Page 38: Putting SCADA Security to the Test - sans.org · Putting SCADA Security to the Test: Why you need a lab and how to get one Chris Sistrunk, PE Sr. Engineer ... they can’t test equipment](https://reader036.vdocument.in/reader036/viewer/2022070708/5eb57851816140256f53b03d/html5/thumbnails/38.jpg)
8th Security Summit Portland, Oregon
Follow @chrissistrunk
Questions?