Security in SCADA solutions

(1)

Security in SCADA solutions

Green Hills Software

Peter Hoogenboom

(2)

Security in SCADA solutions - Agenda



_{What is SCADA?}

 3 Generations of SCADA systems



_{Should we care more about security in SCADA systems?}



_{Security Defined}

 Security and Reliability

 Robustness

 Common Criteria: Protection Profiles and Evaluation Assurance Levels



_{Virtualization (Hypervisors)}



_{Secure solutions}

(3)

What is SCADA?



_{Supervisory Control and Data Acquisition}



_{Monitor and control a plant or equipment in industries such as:}

 telecommunications, water and waste control, energy, oil and gas refining and

transportation



_{SCADA systems typically consist of:}

 Field data interface devices

• Remote Terminal Units (RTUs), combined with PLCs and sensors/actuators

 Communication system

• Radio, Phone (PSN), cable, satellite, field buses etc.

 Central host computer(s)

• Also known as SCADA master or Master Terminal Unit (MTU)

 Operator computer(s)

• Human Machine Interface (HMI)

(4)

First Generation - Monolithic



_{Typically Mainframe based}



_{Cable: inside the factory}



_{PSN lease line for}

continuous readings



_{PSN dial-up line for say}

hourly updates



_{Radio for remote sites}



_{Proprietary, very lean}

(5)

Second Generation - Distributed



_{Typically based on}

Minicomputers running

different functions: HMI,

Calculations, Database,

Communications etc.



_{LAN between different}

functions



_{Local (no Internet!)}



_{Proprietary (vendor}

specific) LAN protocols

used, often optimized for

real-time

(6)

Third Generation - Networked

Based on:



_{Open system architecture}



_{Open standards}



_{Open protocols}



_{Standard/Industrial PCs}

Benefits (convenience):



_{Off the shelf systems}



_{Distribute functions using}

Internet Protocol



_{Disaster survivability: the}

SCADA system can survive a

total loss of a location

(7)

Today



_{‘Easy’ overview of all}

possible connections



_{Wireless Access}

Points for Support

Stations



_{Protected with}

multiple firewalls



_{Running standard}

commercial OSes on

PCs



_{Standard commercial}

Switches, Routers,

Proxy Servers

(8)

Report on Critical Infrastructure Protection

Quote from Robert Dacey, Director Information Security Issues (Oct 2003), Ref[2]

“

_{For several years, security risks have been reported in control systems, upon}

which many of the nation’s critical infrastructures rely to monitor and control

sensitive processes and physical functions. In addition to general cyber threats,

which have been steadily increasing, several factors have contributed to the

escalation of risks specific to control systems, including

(1) adoption of standardized technologies with known vulnerabilities

(2) connectivity of control systems to other networks

(3) constraints on the use of existing security technologies and practices

(4) insecure remote connections

(9)

Should we care more about security in SCADA systems?



_{IBM researchers hack into a nuclear}

power station.



_{Plant owners claimed there was NO WAY}

that critical components could be

accessed from the Internet



_{IBM Researchers:}

 “It turned out to be one of the

easiest penetration tests I’d ever

done.”

 “By the first day, we had penetrated

the network. Within a week, we

were controlling a nuclear power

plant.”

(10)

Hackers Shut Down Foreign Power Grid (January 2008)



_{Hackers Demand Extortion Payment}

after Breaking into Electrical Utilities

 Inside knowledge

 Outages occurred in several regions

outside the US

(11)

Power, water and waste SCADA systems affected

(September 2011)



_{Zero day industrial control}

(12)

(13)

The OS is key



_{NCS Technical Information Bulletin on SCADA systems (Ref[1]) states:}

“

_{Operating systems can be compromised, even with proper patching, to allow}

network entry as soon as the network is activated. This is due to the fact that

operating systems are the core of every computer system and their design and

operating characteristics are well known world wide.

As a result, operating systems are a prime target for hackers.

Further, in- place operating system upgrades are less efficient and secure than

design-level

migration to new and improved operating systems

.

”

(14)

Security and Reliability



Dan O’Dowd:

“

_{Reliability is proving that software behaves the way it’s supposed to,}

security is proving that software doesn’t behave the way it’s not

supposed to.

”



Reliability requires planned paths to behave well



_{Security requires that all paths behave well}



_{They share the same design as solution:}

 Separate and minimize critical components

 All critical components scrutinized

(15)

Safe and Secure Component Management



Processes (not threads)

 Each component is protected in its own memory space with guaranteed

resources of memory and CPU time

(16)

(17)

Security Defined (CIA)



Integrity

 Data does not become altered

or corrupted



Confidentiality

 Information that you don’t

want disclosed does not get

disclosed



Availability

 Resources—including data—

that need to be there are there

Availability

Confidentiality

(18)

Robustness requirements

High

robustness

requires high

assurance

(19)

What is Common Criteria?



_{International standard for evaluation of security in IT products}



The purpose of the Common Criteria process is to

 Develop standard packages of commonly found requirements (called

Protection Profiles)

 Have a standard process of independent evaluation by which an expert

evaluation team arrives at a level of assurance for some particular software

product.

(20)

EAL: Evaluation Assurance Level



EAL 1 = functionally tested



EAL 2 = structurally tested



EAL 3 = methodically tested and checked



EAL 4 = methodically designed, tested, and reviewed

• analysis of security functions

• informal model of security policy & independent testing

• vulnerability analysis for low attack potential attackers



EAL 5 = semiformally designed and tested

• semiformal functional spec & HL design + semiformal correspondence

• covert channel analysis

• vulnerability analysis for moderate attack potential attackers



EAL 6 = semiformally verified design and tested

• structured development process & more structured architecture

• vulnerability analysis for high attack potential attackers

• structured presentation + semiformal LL design

• systematic covert channel analysis

• more comprehensive vulnerability analysis

• improved CM and development environment controls



EAL 7 = formally verified design and tested

• formal functional spec and HL design + formal correspondence

(21)

Protection Profile Categories



Access Control Devices and Systems



Boundary Protection Devices and Systems



Databases

Data Protection Detection Devices and Systems



_{ICs, Smart Cards and Smart Card related Devices and Systems}



Key Management Systems



Network and Network related Devices and Systems



Operating Systems

(22)

Common OS Protection Profiles (Ref[6])



_CAPP

 Low robustness profile

 Protection profile that Microsoft Windows 2000 and Linux have met (EAL4+)



_SLOS/MLOS

 Medium robustness profiles

 High number of SFRs. EAL4+ assurance



_{RBAC PP}

 Adds access control based on roles, not just user IDs.

 Part of Trusted Solaris



_LSPP

 Adds labeled security attributes to access control requirements

 Part of Trusted Solaris



_SKPP

 High robustness profile

 Separation Kernel Protection Profile

(23)

Can we get the best of two worlds?



So, is there a technology that enables the incorporation of huge

legacy applications and traditional operating systems, such as

Windows and Linux (Usability)



in a high robustness environment together with secure

applications (Restrictions)?

(24)

Virtualization (Guest Operating System)



_{Allows consolidation of disparate systems onto}

dedicated virtual machines



_Benefits

 Minimize Size, Weight, Power and Bill Of

Materials

 Enable rapid migration to new hardware

 “Sandboxing” of untrusted applications



_{Does virtualization make the system more}

secure?

 This heavily depends on the architecture

and robustness of the underlying

(25)

Monolithic Hypervisor Architecture



_{Either Type-1 (on top of}

bare-metal) or Type-2 (on

top of OS)



_{When the Hypervisor is}

attacked and

compromised, all the

Guest Operating Systems

are affected



_{Malware and rootkits are}

more difficult to detect,

as they install themselves

below the operating

system, intercepting

messages.

(26)

Microkernel-based Hypervisor Architecture



_{When the Hypervisor is}

attacked and

compromised, only one

Guest Operating System is

affected.



_{No impact on safety}

critical partitions.



_Remember:



_{Separate, minimize and}

assure security critical

components: the

microkernel.

(27)

INTEGRITY Multivisor

Secure Microkernel-based Hypervisor Solution used in Defense

The ultimate solution for SCADA systems security

User

/ App

lic

at

ion

Sp

ace

Core 1

Core 2

Core 3

Core N

INTEGRITY

Secure VM

INTEGRITY

Secure VM

Guest Operating Systems

A

p

lic

ati

on

1 A

p

lic

ati

on

2 A

p

lic

ati

on

3 A

p

lic

ati

on

1 A

p

lic

ati

on

2 Ap

pl

ic

ati

on

3 Secur

it

y

Cr

it

ic

al

App

lic

at

ion

s

Critical

Applications

Sa

fe

ty

Cr

it

ic

al

App

lic

at

ion

s

Hi

gh A

vai

la

bi

lit

y

App

lic

at

ion

s

R

ea

l-time

App

lic

at

ion

s

Virtual

Device Drivers

Et

her

ne

t

Dr

iv

er

G

rap

hi

cs

Dr

iv

er

B

lu

et

oot

h

, NF

C,

ot

her

Dr

iv

er

s

Networking

G

HNe

t

TCP

/I

P v4/

v6

G

at

eD

R

out

in

g

an

d

Swit

chi

ng

Ne

tw

or

k

Manag

emen

t

U

SB

,

Addit

ional

M

iddl

ew

ar

e,

et

c.

Fi

le

S

ys

tems,

PJF

S

Middleware

USB

VGA

Eth

Core 4

ASP

BSP

(28)

Proof by independent certification

Certifying Authority

Level Achieved

Applicability

Industry

FAA

DO-178B Level A

Reliability, Safety

Avionics

EASA

DO-178B Level A

Reliability, Safety

Avionics

NSA

EAL6+, High Robustness, Type 1

Security

Defense

FDA

Class II, III

Reliability, Safety

Medical

TUV Nord, Exida

IEC 61508: SIL 3

Safety

Industrial Automation

TUV Nord, Exida

EN 50128: SWSIL 4

Safety

Rail, Transportation

Transdyne Corp.

SEI/CMMI Certified

Quality

All

(29)

References

1. NCS Technical Information Bulletin 04-1, Supervisory Control and Data Acquisition

(SCADA) Systems, Oct 2004

2. Critical Infrastructure Protection Challenges in Securing Control Systems, General

Accounting Office (GAO) Report, GAO-04-140T, October 1, 2003

3. Information Security, General Accounting Office (GAO) Report, GAO-09-701T, May

19, 2009

4. http://www.scmagazine.com.au/News/272175,zero-day-industrial-control-system-exploits-published.aspx

5. http://aluigi.altervista.org/