SUBSTATION SECURITY
WHY FIREWALLS DON’T WORK!
©Copyright 1998, Systems Integration Specialists Company, Inc. All Rights Reserved
Presented by:
What are the issues?
• What is the purpose of the substation?
• What functions need to be protected and How?
• What are the issues in protecting substations?
Functions of Substation
[Diagram: Substation and Control Center]
• Protect Equipment
• Enable Power Distribution
• Enable Control Center Communications
• Enable Revenue Metering
• Enable Power Quality Information
Protect Equipment - Physical Security
Vulnerable to Physical Destruction/Terrorism
• Gates typically locked but not monitored
• Control Cabinets Locked but not monitored
• Substation and Power Diagrams typically in control house or panels
Control Center Communications
• Typically Use
– Radio
– Dial-up
– Lease Line
– WAN
Radio: 5 minutes and $1500
• MAS/Licensed frequencies available on www.fcc.gov!
• Microwave
• Spread Spectrum
Listed in order of progressing communication security
Dial-up
• Telco Switches are susceptible
• Non-publication of phone number is no protection.
• Implementation in called device typically has no time-out, call-back, or challenge.
WAN
Typical IS/IT would use Firewall to Protect?
Most People think WAN::=
Firewalls - The way they work
NO EXTERNAL COMMUNICATIONS - IT’S SAFE
OPEN HOLE IN WALL
CONTROL CENTER COMMUNICATION: EXPOSURE
ESTABLISH COMM LINK
TCP/IP Port (e.g. 20/21 for FTP)
WELL KNOWN PORTS MEAN HIGHER RISK
FIREWALLS TYPICALLY CONTROL WHO CAN CONNECT IN/OUT PER PORT
PROTOCOL IS PER PORT
FUNCTIONS OF FIREWALL
• RULES
• ADDRESS TRANSLATION/PROXY
• LAN INTERFACE
• EXTERNAL WAN INTERFACE
CONNECTION RULES: WHICH PORT, TO WHOM, FROM WHOM
CONNECTION RULES DETERMINE
• WHO CAN CONNECT AND TO WHOM
– NO RULES: ONLY PORT RESTRICTION
– SOURCE ROUTING
– USER ID/PASSWORD
– CHALLENGE
– TOKEN
– DIGITAL CERTIFICATE
SO WHAT’S WRONG?
[Diagram: WAN, Control Center]
EAVESDROPPING
CC->SUB (userid, password, certificate)
HACKER->SUB (userid, password, certificate)
SPOOF, MASQUERADE
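The slide's point is that a credential sent unchanged from control center to substation can be recorded and presented again by someone else. The sketch below is an added example, not part of the original presentation: it contrasts a static login with the CHALLENGE option from the connection-rules list, using a constructed key, constructed credentials and hypothetical class names.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # constructed shared secret, for illustration only


class StaticLogin:
    """Substation that accepts the same userid/password on every connection."""

    def __init__(self, userid, password):
        self._cred = f"{userid}:{password}".encode()

    def login(self, userid, password):
        return hmac.compare_digest(self._cred, f"{userid}:{password}".encode())


class ChallengeLogin:
    """Substation that issues a fresh nonce per login and accepts it only once."""

    def __init__(self, key):
        self._key = key
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._pending:  # unknown or already consumed nonce
            return False
        self._pending.discard(nonce)
        return hmac.compare_digest(respond(self._key, nonce), response)


def respond(key, nonce):
    """Control-center side: prove knowledge of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    captured = ("cc_operator", "s3cret")  # constructed CC->SUB login seen on the wire
    static_replay = StaticLogin(*captured).login(*captured)
    sub = ChallengeLogin(KEY)
    nonce = sub.challenge()
    answer = respond(KEY, nonce)  # the answer is also visible to an eavesdropper
    legit = sub.login(nonce, answer)
    replay_old = sub.login(nonce, answer)            # same nonce presented again
    replay_new = sub.login(sub.challenge(), answer)  # old answer, new nonce
    return static_replay, legit, replay_old, replay_new
```

The challenge only addresses replay and masquerade; the traffic itself is still readable unless the session is also encrypted.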
It's OK, Nobody knows our protocol!
[Bar chart categories: ASCII, TCP/IP, DNP 3.0, UCA, OTHER]
NOT A TRUE STATEMENT: ONLY 29% of Protocols in use are not publicly available!
EVEN MORE FUEL
• ONLY 65% of Substation Devices have Passwords enabled.
• Few Firewalls restrict services running over a given port.
– E.G. GET/SET
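To make the GET/SET point concrete, the following added example (not from the original slides) compares a per-port rule with a rule that also checks which service is requested. The text framing `<SERVICE> <point> [value]`, the addresses, the port number and the point name are all constructed for illustration and do not describe any real substation protocol.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: bytes  # hypothetical framing: b"<SERVICE> <point> [value]"


# Per-port rule: who may connect to which port (constructed values).
PORT_RULES = {("10.0.0.5", 5000)}
# Service-aware rule: which services that source may invoke on that port.
SERVICE_RULES = {("10.0.0.5", 5000): {"GET"}}
ARG_COUNT = {"GET": 2, "SET": 3}  # tokens expected per service


def port_filter(pkt):
    """What a typical per-port firewall decides: source and port only."""
    return (pkt.src, pkt.dst_port) in PORT_RULES


def parse_service(payload):
    """Return the service name, or None when the message is malformed."""
    try:
        parts = payload.decode("ascii").split()
    except UnicodeDecodeError:
        return None
    if not parts or ARG_COUNT.get(parts[0]) != len(parts):
        return None
    return parts[0]


def service_filter(pkt):
    """Default deny: the source, port and requested service must all be allowed."""
    allowed = SERVICE_RULES.get((pkt.src, pkt.dst_port))
    service = parse_service(pkt.payload)
    return allowed is not None and service in allowed


SAMPLE = [  # constructed traffic
    Packet("10.0.0.5", 5000, b"GET breaker_1"),
    Packet("10.0.0.5", 5000, b"SET breaker_1 OPEN"),
    Packet("10.0.0.5", 5000, b"\xff\xfe garbage"),
    Packet("192.0.2.7", 5000, b"GET breaker_1"),
]


def evaluate(packets):
    """Pair each packet's per-port verdict with its service-aware verdict."""
    return [(port_filter(p), service_filter(p)) for p in packets]
```

The per-port rule passes the SET and the malformed message because both arrive from an allowed source on an allowed port; only the service-aware rule rejects them.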
Multiple Passwords a problem
The Greyhound Story
NO SECURITY: NO USER PAIN
SINGLE PASSWORD: EASY TO REMEMBER
MULTIPLE PASSWORDS: HARD TO REMEMBER
UTILITY CONCERNS
[Bar chart categories:]
• Repudiation
• Information Leakage
• Eavesdropping
• Replay
• Masquerade
• Spoof
• Intercept/Alter
• Denial of Service
• Indiscretion of Personnel
• Integrity Violation
• Illegitimate Use
• Authorization Violation
• Bypassing Controls
POWER QUALITY
[Diagram: Substation and Control Center]
EAVESDROPPING AND INTERCEPT/ALTER MAY HAVE LARGE FINANCIAL CONSEQUENCES IN THE NEAR FUTURE!
FIREWALL SHOULD PROVIDE
• STRONG AUTHENTICATION
• NEGOTIABLE ENCRYPTION
• SECURE MANAGEMENT
• ATTACK DETECTION ANNUNCIATION
WHY AREN’T FIREWALLS ENOUGH?
• Security is only as good as the weakest link in the system.
– Security in the Control Center
– Management Support and Policy
– Crisis Team
– Management
• Service (e.g. GET/SET) must be enabled/disabled in devices.
– Vendors see no value in strong security! Only 3 of 1000 vendors returned surveys
– Utilities want strong security! 12% of contacted utilities responded!
Protocols and Implementation have LARGE impact after FIREWALL
Vendors Must Participate
But Why?
Let's analyze a new protocol!
Proprietary over TCP/IP
Where Vendors go Wrong: Just an Example!
(no names to protect the guilty parties!)
General Implementation
Protocol stack: Proprietary Protocol / TCP / IP / Ethernet
Non-session oriented
Denial of Service
Protocol stack: Proprietary Protocol / TCP / IP / Ethernet
• "Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux, .....)
Ping of Death information: http://www.sophist.demon.co.uk/ping/
• Port connection exhaustion
• Potential for bus traffic congestion.
Masquerade
Protocol stack: Proprietary Protocol / TCP / IP / Ethernet
• No USER/PASSWORD
• No session timeout
Information Leakage
Protocol stack: Proprietary Protocol / TCP / IP / Ethernet
• No USER/PASSWORD
• No session encryption
Conclusion of Protocol Design
"Any man may make a mistake; none but a fool will persist in it!"
OR
Security must be designed and protocols must be extended to support security features!
CONCLUSION to SECURITY
• Firewalls add a degree of security
• Management Support is Critical
• Security has value and utilities need to be willing to pay.
• Vendors need to be willing to implement strong security and authentication.