Foreword
Chapter 1 Physical Security: SCADA and the Critical Infrastructure's Biggest Vulnerability
Introduction
Key Control
Check All Locks for Proper Operation
A Little More about Locks and Lock Picking
The Elephant Burial Ground
Dumpster Diving Still Works
Employee Badges
Shredder Technology Has Changed
Keep an Eye on Corporate or Agency Phonebooks
Tailgating
Building Operations—Cleaning Crew Awareness
Spot-Checking Those Drop Ceilings
Checking for Key Stroke Readers
Checking Those Phone Closets
Removing a Few Door Signs
Review Video Security Logs
Motion-Sensing Lights
Let's Go to Lunch
Fun in Manholes
Internal Auditors Are Your Friends
Always Be Slightly Suspicious
Getting Every Employee Involved
Summary
Solutions Fast Track
Frequently Asked Questions (and Special Interviews)
Chapter 2 Supervisory Control and Data Acquisition
Introduction
Just What Is SCADA?
SCADA Systems and Components
Remote Terminal Units (RTUs)
Programmable Logic Controllers (PLC)
Discrete Control
Continuous Control
Human Machine Interface (HMI)
Distributed Control Systems (DCS)
Hybrid Controllers
Event Loggers
Common SCADA Architectures
SCADA Communications Protocols
How Serious Are the Security Issues of SCADA?
Determining the Risks in Your SCADA System
Risk Mitigation for SCADA
Firewall Considerations for SCADA
Negative and Positive Security Models in Firewalls
Multi-Network Connectivity
Reactive and Proactive Solutions
Firewall Inspection Methods
Static Packet Filter
The Stateful Packet Filter
The Circuit-Level Gateway
Application-Level Gateway (Proxy)
Intrusion Prevention Gateway
Deep Packet Inspection
Unified Threat Management (UTM)
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3 SCADA Security Assessment Methodology
Introduction
Why Do Assessments on SCADA Systems?
Assessments Are the Right Thing to Do
Assessments Are Required
Information Protection Requirements
National Institute of Standards and Technology (NIST) Guidance
North American Electric Reliability Council (NERC) Critical Infrastructure Protection (CIP) Standards
Water Infrastructure Security Enhancement (WISE)
The Critical Infrastructure Information Act of 2002
An Approach to SCADA Information Security Assessments
Vetting the Assessment Request
Gaining Buy-In from Management and Technical Personnel
Management Buy-In
Technical Staff Buy-In
Researching the Organization
Researching Regulatory and Policy Requirements
Determining if this Is a Baseline Assessment or a Repeat Assessment
Making a Go/No-Go Decision
Pre-Assessment Activities
Determining the Organizational Mission
Identifying Critical Information
Example: Information Criticality
Business Description
Mission Statement
Critical Information for OOPS
Identifying Impacts
Example Continued: OOPS Impact
The Information Criticality Matrix
Using the Impact Definitions
Organizational Criticality
Example Continued: OOPS OICM
Identifying Critical Systems/Networks
OOPS Example Continued
Defining Security Objectives
Determining Logical and Physical Boundaries
Physical Boundaries
Logical Boundaries
Determining the Rules of Engagement, Customer Concerns, and Customer Constraints
The Rules of Engagement
Levels of Invasiveness
Testing Machine Addressing
Time Frames for Scanning and Interviews
Notification Procedures
Scanning Tools and Exclusions
Customer Concerns
Customer Constraints
Legal Authorization
Components of the Assessment Plan
On-Site Assessment Activities
Conducting the Organizational Assessment
Documentation Review
Interviews
System Demonstrations
Observation
Conducting the Technical Assessment
Enumeration Activities
Vulnerability Identification Activities
Tools
Communication
Post Assessment Activities
Conducting Analysis
Final Report Creation
Resources
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4 Developing an Effective Security Awareness Program
Introduction
Why an Information Security Awareness Program Is Important
We Fail to Recruit Our Employees into the Company's Security Program
We Need to Take the Issue Seriously
How to Design an Effective Information Security Awareness Program
Seven Times, Seven Different Ways
Show Me the Money!
Two Important Keys to Implementing an Effective Program
To Print or Not to Print
Online Training Programs
Your In-House Web Site
How to Implement an Information Security Awareness Program
What We Have Here Is a Failure to Communicate
Communicate, Communicate, Communicate!
Other Touch Points
Manager's Quick Reference Guide
Let's Talk about Alliances
Legal
Privacy
Compliance
Training and Communications
Personnel
Information Security Consultants
How Do You Keep Your Program a Successful Component of Your Company's Mindset?
How to Measure Your Program
Summary
Solutions Fast Track
Chapter 5 Working with Law Enforcement on SCADA Incidents
Introduction
SCADA System Overview
Secure Network Management
Securing Wide Area Network Perimeter
Controlling Access
Performing Network Backup and Recovery
Transmitting Legacy Non-Routable Protocol Securely
Dial-Up Access to the Remote Terminal Units (RTU)
Vendor Support: Dial-Up Modem/VPN Access
IT Controlled Communication Gear
Corporate VPNs
Database Links
Poorly Configured Firewalls
Business Partner Links
Managing Security Events
Conduct Routine Assessments
Examples of Common Attack Techniques
Man-In-The-Middle Attacks (MITM)
Key-Logger Software
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6 Locked but Not Secure: An Overview of Conventional and High Security Locks
Introduction
Conventional Pin Tumbler Locks
A Review: The Essentials of Pin Tumbler Lock Design
Security Enhancements for Conventional Locks
Anti-Bumping Pins
Security Pins
Keyways and Related Designs
Bitting Design
Design of the Key
Standards for Conventional and High Security Locks
Transforming a Conventional Cylinder to High Security
Deficiencies in the UL 437 Standard
Failure to Specify Real World Testing
Pick and Impressioning Resistance
Complex Forms of Picking
Forced Entry Resistance
Issues Not Addressed by UL 437
Bump Keys
Decoding Attacks
Key Control
Mechanical Bypass of Locking Mechanisms
BHMA/ANSI Standards: 156.50 and 156.30
BHMA/ANSI 156.50
High Security Locks and the BHMA/ANSI Standard
The Concept of Security
BHMA/ANSI 156.30 High Security Standard
Key Control
Destructive Testing
Surreptitious Entry Resistance
Deficiencies in the 156.30 Standard
Security Vulnerabilities of Conventional Locks: Why High Security Locks Are Supposed to Offer More Protection Against Methods of Entry
Conventional Pin Tumbler Locks: Security Vulnerabilities and Their Compromise
Lock Control Procedures
Key Control and Key Security
Key Security
The Concept of Key Control As It Applies to Security
The Importance of Key Control and Key Security
Rights Amplification
Gathering Intelligence About a System from Its Keys
Covert Entry Techniques: Manipulation of Internal Locking Components
Bumping
Picking
Impressioning
Extrapolation of the TMK
Mechanical Bypass
High Security to High Insecurity: Real World Attacks
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7 Bomb Threat Planning: Things Have Changed
Introduction
The Day Our World Changed
Insider Information: Where Do These Guys Get This Stuff?
The Terrorist Profile
Potential Terror Targets
Statement Targets
Infrastructure Targets
Commercial Targets
Transportation Targets
What Should I Be Looking For?
The Container
The Power Source
Switches
Initiators
Main Charge
Searching: What Am I Looking For and Where?
Recommendations for Target Hardening
Outside
Employee Identification
Cameras
Deliveries
Interior
Mail rooms
Evacuation Plans
Summary
Chapter 8 Biometric Authentication for SCADA Security
Introduction
Understanding Biometric Systems and How They Are Best Used for SCADA Security
Footprints to DNA Readings
Human Measurements Can Slow Machines
Biometric System Imperfections Are at Odds with Perception
What is Biometric Authentication?
Multiple Factor Authentication
What Parts of You Can Be Measured for Security Purposes?
Common Measurements for Current Biometric Authentication
How Does Biometric Comparison Work?
Where Are Biometrics Used in SCADA Systems?
Choosing the Best Form of Measurement for Your System
Biometric Measurements Trigger Recognition
Biometric Measurements Useful in SCADA Security Processes
Identify Your System Priorities Before Choosing a Biometric Application
Where are Biometric Authentication Regimes Vulnerable?
Tricking the Biometric Capture Device
Electronic Manipulation of the Authentication Process
Identity Theft with Biometric Files: Capturing Your Essence
Presumptions of Accuracy
How Can We Replace That Finger?
Measuring Minutia Can Be Safer Than Storing a Whole Biometric Photograph
Anticipating Legal and Policy Changes That Will Affect Biometrics
Summary
Solutions Fast Track
Frequently Asked Questions