scada_first.pdf

8/6/2019 SCADA_FIRST.pdf

1/16

Vulnerabilities & Incident

Response for Control Systems

Dale Peterson

Digital Bond, Inc.

[email protected]

2008 Digital Bond, Inc.


2/16

Digital Bond

Control System Security PracticeResearch and Consulting

Available on Digital Bond Site IDS Signatures for Control System ProtocolsNessus SCADA PluginsSCADA PLC HoneynetBlog, SCADApedia, White Papers, PodcastsSCADA Security Scientific Symposium (S4)


3/16

Control Systems

Monitor and control physical processesSCADA: Supervisory Control and Data

Acquisition (WAN) Oil Pipelines, Trains, Electric TransmissionDCS: Distributed Control System (LAN)

Manufacturing, Power Generation, RefineryVery Similar TechnologiesGet Out of the Data Center - - Wear a Hard Hat


4/16

Simplified Control System

Control

Center

Sensors &

Actuators

Field

Device

Realtime Servers

Historians

Operator Stations

PLCs

RTUs

IEDs

Flowmeters

Gates and Valves


5/16

RESPECT

Control Systems lag IT and IT Security byat least 5 years, but

They control very complex processes with10,000+ or even 100,000+ points

Timing is extremely important, 4 ms typicalHuge automation, one or two operators can run

an entire plant, pipeline, water treatment, trainHighly reliable, 24 x 7 x 365 for years

No downtime in many control systems Failure can cost lives or huge economic damage


6/16

Why No Cyber Security?

Control systems were truly isolatedSerial protocols designed for control systems

4-20 mA, serial, still represent maybe 80%

No Ethernet, IP or TCP/UDPDifficult to reach or attack the system without a

physical connection to the network

Even with connection requires specialized toolsand a lot of control system knowledge


7/16

What Changed?

In the 90s the PC invaded the control centerCustomers demanded itVendors enjoyed leveraging WindowsEthernet NICs and LANs were deployedEnter the IP stack and routing

Next SCADA data was sent to enterpriseValid business reasonsNo thought of security implications


8/16


9/16

Control System Security

Catching up after the exposureNetwork segmentation with firewalls

Enterprise now needs even more SCADA dataBUT NOT CONTROLLearning DMZs, least privilege rulesets

Anti-virusPatching - - huge issueAdministrative controls


10/16

Latent Vulnerabilities Lurking

Control System Vendors rarely worriedabout bad data or packets

Almost no negative QA testing

It works perfectly with good data / packetsNo guarantees on bad dataPartial implementation of protocols

Even proper packets can cause crashing


11/16

Latent Vulnerabilities Lurking

Control System Vendors rarely worriedabout bad data or packets

Almost no negative QA testing

It works perfectly with good data / packetsNo guarantees on bad data

Example: Port scans or light TCP/UDPfuzzing causes devices to crash and ports to

close


12/16

Security Development Lifecycle

5 to 10 years behind IT app developmentHave all the same problems as FIRST and

CERTs have dealt with this decade


13/16

Other Security Issues

Insecure Control System ProtocolsNo source or data authentication

Any command will be accepted

Minimal security featuresPoor architecture and semi-custom

Patching often will break the application


14/16

How Can You Help?

You = FIRST and Coordination CentersRepeat what you did for the IT user and

vendor communitySeriously! Have a meeting and remember what

worked and repeat. (We are 5 years behind)

Attend control system industry eventsEducate the control system communityLearn and develop two-way trust


15/16

Reporting Problems

Real World ExampleGE Fanuc vulnerabilities took 11 months to get

to the right point of contact despite diligent

researcher and CERT efforts

Proactively identify control system vendorsDevelop points of contact for incident handlingPersuade the vendor to implement common

vulnerability contact methods


16/16

Questions?

Dale Peterson

Digital Bond, Inc.

954-384-7049

[email protected]

scada_first.pdf

Documents