scada_first.pdf
TRANSCRIPT
-
8/6/2019 SCADA_FIRST.pdf
1/16
Vulnerabilities & Incident
Response for Control Systems
Dale Peterson
Digital Bond, Inc.
2008 Digital Bond, Inc.
-
8/6/2019 SCADA_FIRST.pdf
2/16
Digital Bond
Control System Security PracticeResearch and Consulting
Available on Digital Bond Site IDS Signatures for Control System ProtocolsNessus SCADA PluginsSCADA PLC HoneynetBlog, SCADApedia, White Papers, PodcastsSCADA Security Scientific Symposium (S4)
-
8/6/2019 SCADA_FIRST.pdf
3/16
Control Systems
Monitor and control physical processesSCADA: Supervisory Control and Data
Acquisition (WAN) Oil Pipelines, Trains, Electric TransmissionDCS: Distributed Control System (LAN)
Manufacturing, Power Generation, RefineryVery Similar TechnologiesGet Out of the Data Center - - Wear a Hard Hat
-
8/6/2019 SCADA_FIRST.pdf
4/16
Simplified Control System
Control
Center
Sensors &
Actuators
Field
Device
Realtime Servers
Historians
Operator Stations
PLCs
RTUs
IEDs
Flowmeters
Gates and Valves
-
8/6/2019 SCADA_FIRST.pdf
5/16
RESPECT
Control Systems lag IT and IT Security byat least 5 years, but
They control very complex processes with10,000+ or even 100,000+ points
Timing is extremely important, 4 ms typicalHuge automation, one or two operators can run
an entire plant, pipeline, water treatment, trainHighly reliable, 24 x 7 x 365 for years
No downtime in many control systems Failure can cost lives or huge economic damage
-
8/6/2019 SCADA_FIRST.pdf
6/16
Why No Cyber Security?
Control systems were truly isolatedSerial protocols designed for control systems
4-20 mA, serial, still represent maybe 80%
No Ethernet, IP or TCP/UDPDifficult to reach or attack the system without a
physical connection to the network
Even with connection requires specialized toolsand a lot of control system knowledge
-
8/6/2019 SCADA_FIRST.pdf
7/16
What Changed?
In the 90s the PC invaded the control centerCustomers demanded itVendors enjoyed leveraging WindowsEthernet NICs and LANs were deployedEnter the IP stack and routing
Next SCADA data was sent to enterpriseValid business reasonsNo thought of security implications
-
8/6/2019 SCADA_FIRST.pdf
8/16
-
8/6/2019 SCADA_FIRST.pdf
9/16
Control System Security
Catching up after the exposureNetwork segmentation with firewalls
Enterprise now needs even more SCADA dataBUT NOT CONTROLLearning DMZs, least privilege rulesets
Anti-virusPatching - - huge issueAdministrative controls
-
8/6/2019 SCADA_FIRST.pdf
10/16
Latent Vulnerabilities Lurking
Control System Vendors rarely worriedabout bad data or packets
Almost no negative QA testing
It works perfectly with good data / packetsNo guarantees on bad dataPartial implementation of protocols
Even proper packets can cause crashing
-
8/6/2019 SCADA_FIRST.pdf
11/16
Latent Vulnerabilities Lurking
Control System Vendors rarely worriedabout bad data or packets
Almost no negative QA testing
It works perfectly with good data / packetsNo guarantees on bad data
Example: Port scans or light TCP/UDPfuzzing causes devices to crash and ports to
close
-
8/6/2019 SCADA_FIRST.pdf
12/16
Security Development Lifecycle
5 to 10 years behind IT app developmentHave all the same problems as FIRST and
CERTs have dealt with this decade
-
8/6/2019 SCADA_FIRST.pdf
13/16
Other Security Issues
Insecure Control System ProtocolsNo source or data authentication
Any command will be accepted
Minimal security featuresPoor architecture and semi-custom
Patching often will break the application
-
8/6/2019 SCADA_FIRST.pdf
14/16
How Can You Help?
You = FIRST and Coordination CentersRepeat what you did for the IT user and
vendor communitySeriously! Have a meeting and remember what
worked and repeat. (We are 5 years behind)
Attend control system industry eventsEducate the control system communityLearn and develop two-way trust
-
8/6/2019 SCADA_FIRST.pdf
15/16
Reporting Problems
Real World ExampleGE Fanuc vulnerabilities took 11 months to get
to the right point of contact despite diligent
researcher and CERT efforts
Proactively identify control system vendorsDevelop points of contact for incident handlingPersuade the vendor to implement common
vulnerability contact methods
-
8/6/2019 SCADA_FIRST.pdf
16/16
Questions?
Dale Peterson
Digital Bond, Inc.
954-384-7049