How To Protect Your Network From Attack

Academic year: 2021


(1)

NextGen SCADA security

(2)

Setting the stage

This talk is not

• An introduction to SCADA security

• AIC versus CIA

• The latest blinky-lights SCADA security appliance

• How to use IT security in OT environments

This talk is

(3)

~/$ whoami

Ing. Erwin Kooi, MSIT CISSP SCP … …

Security Manager at Alliander

Primary focus on OT, IT Data Center and “new developments”

Background in healthcare electronics & IT

Hacker and avid lockpicker

(4)

~/$ cat /etc/group | grep erwin

Dutch Smart Meter Privacy & Security working group

Dutch Smart Grid Cyber Security working group

European FP7 project CRISALIS

(5)

Meet DSO Alliander in key figures

Electricity distribution

• Customers: 3,3 million

• Grid: 94.700 km

• Stations (sub, distribution): 48.000

Gas distribution

• Customers: 2,6 million

• Grid: 36.900 km

• Stations (sub, distribution): 1.500

Company

€ 12 Billion asset value

€ 1.4 Billion revenues

€ 400 Million Investment / Annum

6.000 FTE

KPI, Performance

19.8 SVBM (outage time in minutes per end user)

(6)

Our assignment

1. Establish, maintain and manage energy networks

2. Ensure reliable, affordable and safe energy supply

3. Contribute to (sustainable) developments

4. Contribute to better society

(7)


Connect customers (prosumers) to energy via Information-intensive network

New sensors / distributed computing on Transmission and Distribution Lines alarm operators, resolve problems, integrate large scale renewable generation

Smart Meters and HAN help users to deploy energy more wisely, mitigate peak demand and integrate local generation

[Figure: The DSO’s new grid world (1. Electricity, 2. Gas): Generation, Transmission, Distribution, Users / Customers]

(8)

Connect customers (prosumers) to energy via Information-intensive network

Introduction of IT in lower parts of the grid

Information sharing across domains

Need for fast, reliable communication networks

• Guaranteed propagation times

Communication network layout does not follow grid layout

Own Cu / (SiO2)n network

(9)


(10)
(11)

Remote location

(12)
(13)

Average IT security expert

(14)
(15)


Security vision

Alliander resilience vision*:

Alliander is a resilient organization capable of anticipating and responding to a range of threats against her mission

Alliander security vision:

Protecting the mission of Alliander and her stakeholders by securing our crown jewels against intentionally caused damage through human actions

(16)

Anatomy of an attack

Attacker: Intel Gathering -> Vuln Research -> Exploit -> Maintain Control -> Post Exploit

Defender: Intel Gathering -> Threat Analysis -> Data Correlation -> Intrusion Detection -> Contain & Mitigate

(17)


(18)

Security approach

Baseline + additional measures and

• detection

• detection

• detection

+ flexible response -> CERT / CSIRT

Breaches will occur

• prevent the stupid ones

• detect and respond to the others

This is me

(19)


Anticipation – overview

Clear data ownership and responsibility

Security one of the main topics in IOT integration program

Security framework for IT based on ISO 2700x, IEC and SABSA in line with IT architecture (TOGAF)

Security framework for OT based on nationally accepted OLF 104 (subset of ISO 2700x)

National privacy & security framework for smart meters based on ISO 2700x

(20)

Anticipation – standards

Standards and frameworks are nice

Standards and frameworks give direction

Standards and frameworks are compromises

Standards and frameworks take time to develop

(21)


Anticipation – situational awareness

Monitoring community for known vulnerabilities

Need an up-to-date inventory

Example:

• Ruggedcom Private Key / known ID’s vulnerability

• Only switch certified for IEC 61850

• Should I fix this?

• Where is it deployed in our networks?

• Is it in Metasploit? -> yes, took only days

msf > use auxiliary/scanner/telnet/telnet_ruggedcom
msf auxiliary(telnet_ruggedcom) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(telnet_ruggedcom) > run

(22)

Attention – monitoring

Current IDS focussed on IT. How low can you go?

• IEC 60870-5-101 / -104?

• IEC 61850?

• ICCP?

• Modbus?

But a chatty Windows / *NIX laptop on our 104 network is never acceptable -> easy to detect

(23)


Attention – monitoring

Vendors are catching up!

SCADA protocols no longer “exotic”.

Pilots in our 104 network with anomaly detection:

• 5 mins learning -> 7 false positives in a week

• 1 day learning -> 3 false positives in a month

Doable!
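The pilot on this slide is a learning-based (whitelist) anomaly detector on the 104 network. The following is an added example, not code from the talk or from Alliander: it learns which (source, destination, port) conversations occur during a learning window, then flags everything else, and it never whitelists Windows/*NIX name-service chatter, so the "chatty laptop" from the previous slide is caught even if it was plugged in during learning. The hosts, ports and the four-hour traffic sample are constructed; running it with a 5-minute and a 2-hour learning window shows why a longer window produces fewer false positives (the hourly engineering-station connection is only learned by the longer one).

```python
"""Added example (not from the talk): learning-based anomaly detection for an
IEC 60870-5-104 network. All hosts, ports and traffic below are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "t src dst dport")      # t = seconds since capture start
Alert = namedtuple("Alert", "t kind src")

IEC104_PORT = 2404
# Ports a general-purpose Windows / *NIX host uses that a SCADA master or RTU
# never needs on the 104 network: NetBIOS, SMB, mDNS, SSDP, WS-Discovery, LLMNR.
NOISY_PORTS = {137, 138, 139, 445, 5353, 1900, 3702, 5355}


class Baseline104:
    """Whitelist baseline: every (src, dst, dport) conversation seen during the
    learning window is assumed legitimate; anything else is an anomaly."""

    def __init__(self, learn_seconds):
        self.learn_seconds = learn_seconds
        self.allowed = set()   # (src, dst, dport) tuples seen while learning
        self.hosts = set()     # hosts that took part in learned conversations

    def learn(self, flows):
        for f in flows:
            if f.t >= self.learn_seconds or f.dport in NOISY_PORTS:
                continue  # never whitelist chatter, even if seen while learning
            self.allowed.add((f.src, f.dst, f.dport))
            self.hosts.update((f.src, f.dst))

    def detect(self, flows):
        alerts = []
        for f in flows:
            if f.t < self.learn_seconds:
                continue
            if f.dport in NOISY_PORTS:
                alerts.append(Alert(f.t, "chatty-host", f.src))
            elif f.src not in self.hosts:
                alerts.append(Alert(f.t, "unknown-host", f.src))
            elif (f.src, f.dst, f.dport) not in self.allowed:
                alerts.append(Alert(f.t, "new-conversation", f.src))
        return alerts


def sample_flows():
    """Constructed traffic for a four-hour capture: a SCADA master polling three
    RTUs every 10 minutes, an engineering station that talks to one RTU once an
    hour, and a laptop plugged in twice that does Windows name-service chatter."""
    flows = []
    for t in range(0, 4 * 3600, 600):
        for rtu in ("10.1.1.1", "10.1.1.2", "10.1.1.3"):
            flows.append(Flow(t, "10.1.0.10", rtu, IEC104_PORT))
    for t in (3600, 10800):
        flows.append(Flow(t, "10.1.0.20", "10.1.1.3", IEC104_PORT))
    for t in (400, 9000):
        flows.append(Flow(t, "10.1.0.99", "10.1.1.255", 137))
        flows.append(Flow(t, "10.1.0.99", "10.1.1.1", 445))
    return sorted(flows)


def run(learn_seconds, flows=None):
    """Learn on the first learn_seconds of the capture, then detect on the rest."""
    flows = sample_flows() if flows is None else flows
    baseline = Baseline104(learn_seconds)
    baseline.learn(flows)
    return baseline.detect(flows)


if __name__ == "__main__":
    for window in (300, 7200):   # 5 minutes vs. 2 hours of learning
        alerts = run(window)
        print(f"learning window {window:5d}s -> {len(alerts)} alerts")
        for a in alerts:
            print(f"  t={a.t:6d} {a.kind:16s} {a.src}")
```

With the 5-minute window the engineering station is reported twice as an unknown host (the false positives the slide talks about); with the 2-hour window only the laptop's chatter remains. In a real deployment the learning window must also be known clean, which is why the chatter ports are excluded from learning rather than trusted.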

(24)

Attention – monitoring / action

IDS -> IPS strategy

Depending on the place in your network.

• Known badness (signature-based) blocked automatically?

• Anomalies passed to a human?

Received From: 192.168.25.12->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Src Location: US,Pennsylvania,Scranton

Portion of the log(s):

Mar 12 04:39:33 vs3547 sshd[25648]: Invalid user user from 66.197.183.133
Mar 12 04:39:33 vs3547 sshd[25622]: Invalid user x from 66.197.183.133
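The two questions on this slide (block known badness automatically? pass anomalies to a human?) and the qualifier "depending on the place in your network" amount to a policy table. The following is an added example, not from the talk: it parses the OSSEC-style alert quoted above and applies an assumed zone policy in which high-level signature hits on the IT perimeter are blocked without a human, while inside the OT (104) network nothing is ever blocked automatically and anomaly alerts always go to an analyst. The zone names and level thresholds are assumptions for illustration.

```python
"""Added example (not from the talk): zone-dependent IDS -> IPS triage. The alert
text is the OSSEC-style alert from the slide; zones and thresholds are assumed."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_ALERT = '''Received From: 192.168.25.12->/var/log/auth.log
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Src Location: US,Pennsylvania,Scranton
Portion of the log(s):

Mar 12 04:39:33 vs3547 sshd[25648]: Invalid user user from 66.197.183.133
Mar 12 04:39:33 vs3547 sshd[25622]: Invalid user x from 66.197.183.133
'''


@dataclass
class Alert:
    kind: str                       # "signature" (known badness) or "anomaly"
    level: int
    description: str
    src_ip: Optional[str] = None
    rule_id: Optional[int] = None
    evidence: list = field(default_factory=list)


# Assumed zone policy. On the IT perimeter a level-10 signature hit may be blocked
# by the IPS on its own; in the OT (104) network a wrong block can cost visibility
# of a substation, so automatic blocking is disabled there.
ZONE_POLICY = {
    "it-perimeter": {"auto_block_min_level": 10},
    "it-office": {"auto_block_min_level": 12},
    "ot-104": {"auto_block_min_level": None},
}

_RULE_RE = re.compile(r'^Rule: (\d+) fired \(level (\d+)\) -> "(.*)"$', re.M)
_IP_RE = re.compile(r'\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b')


def parse_ossec_alert(text):
    """Parse the alert text into an Alert; the offending source is the address
    that appears most often in the quoted log lines."""
    m = _RULE_RE.search(text)
    if not m:
        raise ValueError("not a rule-based alert")
    rule_id, level, desc = int(m.group(1)), int(m.group(2)), m.group(3)
    ips = Counter(_IP_RE.findall(text))
    src_ip = ips.most_common(1)[0][0] if ips else None
    log_lines = [line for line in text.splitlines() if "sshd[" in line]
    return Alert("signature", level, desc, src_ip, rule_id, log_lines)


def triage(alert, zone):
    """Return ("block", ip) when policy allows an automatic block in this zone,
    otherwise ("human", reason) so an analyst sees the alert."""
    policy = ZONE_POLICY[zone]
    if alert.kind != "signature":
        return ("human", "anomaly: no signature, needs analyst judgement")
    threshold = policy["auto_block_min_level"]
    if threshold is None:
        return ("human", f"zone {zone}: automatic blocking disabled")
    if alert.level < threshold:
        return ("human", f"level {alert.level} below auto-block threshold {threshold}")
    if not alert.src_ip:
        return ("human", "no source address to block")
    return ("block", alert.src_ip)


if __name__ == "__main__":
    alert = parse_ossec_alert(SAMPLE_ALERT)
    for zone in ZONE_POLICY:
        print(f"{zone:13s} rule {alert.rule_id} level {alert.level}: {triage(alert, zone)}")
    print("anomaly      :", triage(Alert("anomaly", 10, "new 104 conversation"), "it-perimeter"))
```

The same rule 5712 hit is blocked on the perimeter but handed to a human inside the office network (level below that zone's threshold) and in the OT network (blocking disabled), which is the "place in your network" distinction the slide makes.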

(25)


Attention – research

Security research is not our core business

Partnering with research institutions

• ENCS

• University Twente

Partnering with industry

• IBM

• Siemens

(26)

Attention – research

Security industry

Control system industry/end users

(27)


Attention – correlation

Not only network and system events, but also their surroundings (NOTE: these also introduce interesting vulnerabilities…)

(28)

Attention – correlation

Data correlation, a scenario:

Someone is entering a substation

+ There are no work permits for this time at that station

+ There is no disruption or malfunction in that station

+ There is suddenly a HMI protocol running on the network

= Intruder alert!
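The scenario above is a correlation rule over four feeds: badge readers, the work-permit system, the SCADA fault list and the network IDS. The following is an added example, not from the talk, that implements that rule over constructed events. It goes slightly beyond the slide by also giving a verdict for the in-between cases (an unpermitted entry during a known malfunction, or without any HMI protocol appearing) so that an analyst sees them as "verify" rather than nothing. Station names, card ids, times (seconds since midnight) and the feeds themselves are made up.

```python
"""Added example (not from the talk): the data-correlation scenario from the
slide as a rule over constructed event feeds. All stations, cards and times are
made up."""
from collections import namedtuple

Badge = namedtuple("Badge", "t station card")            # door opened at a station
Permit = namedtuple("Permit", "station start end")       # work permit time window
Fault = namedtuple("Fault", "station start end")         # known disruption/malfunction
NetEvent = namedtuple("NetEvent", "t station protocol new_talker")  # IDS detection
Finding = namedtuple("Finding", "badge verdict evidence")

# Protocols named in the talk that an HMI / engineering tool would speak.
HMI_PROTOCOLS = {"IEC104", "IEC61850-MMS", "Modbus", "ICCP"}


def correlate(badges, permits, faults, net_events, window=600):
    """For each physical entry, check the permit system, the fault list and the
    network for a new HMI-protocol talker within `window` seconds after entry."""
    findings = []
    for b in badges:
        permitted = any(p.station == b.station and p.start <= b.t <= p.end
                        for p in permits)
        faulted = any(f.station == b.station and f.start <= b.t <= f.end
                      for f in faults)
        hmi = [e for e in net_events
               if e.station == b.station and e.new_talker
               and e.protocol in HMI_PROTOCOLS and 0 <= e.t - b.t <= window]
        if permitted:
            verdict = "expected"
        elif hmi and not faulted:
            verdict = "intruder-alert"       # all three conditions from the slide
        elif hmi or faulted:
            verdict = "verify"               # could be an emergency repair
        else:
            verdict = "unexpected-entry"
        findings.append(Finding(b, verdict, hmi))
    return findings


def sample_feeds():
    """Constructed feeds: a technician with a permit, a night-time entry at a
    healthy station followed by a new IEC 104 talker, and an entry during a
    known fault without any network activity."""
    badges = [Badge(32400, "ST-0042", "tech-17"),
              Badge(7800, "ST-0103", "card-unknown"),
              Badge(82800, "ST-0200", "tech-05")]
    permits = [Permit("ST-0042", 28800, 43200)]
    faults = [Fault("ST-0200", 82000, 90000)]
    net = [NetEvent(32460, "ST-0042", "IEC104", True),
           NetEvent(7920, "ST-0103", "IEC104", True),
           NetEvent(7925, "ST-0103", "DNS", True)]
    return badges, permits, faults, net


def run():
    return correlate(*sample_feeds())


if __name__ == "__main__":
    for f in run():
        proto = ",".join(e.protocol for e in f.evidence) or "-"
        print(f"{f.badge.station} t={f.badge.t:5d} card={f.badge.card:13s} "
              f"-> {f.verdict:16s} hmi={proto}")
```

Only the second entry produces the intruder alert: no permit, no fault, and a new IEC 104 talker two minutes after the door opened. The permitted technician's IEC 104 session is ignored, and the entry during the fault is queued for verification rather than dropped.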

(29)

Rational response – contain & mitigate

Computer Emergency Response Team (CERT)

• Also the team that does vulnerability / threat analysis

• Also the team that does monitoring

Prepare and mandate common scenarios

• Temporarily disconnect a substation from the Control Room

• Reboot systems in the Control Room

Escalate to business crisis team if scenarios are not mandated

• Shutdown a substation

• Shutdown SCADA networks

• Shutdown Internet connection

(30)

Rational response – evaluate & learn

Share incidents with vendors and community

Need to have established trusted relations with your vendors and “competitors”

Incidents are input for continuous improvement and growing to the next NextGen SCADA security

(31)
(32)
(33)

On a personal note

“Black out” by Austrian writer Marc Elsberg

ISBN 9789000315352 (Dutch version)

A European black out scenario with its impact on society, using a simple Smart Meter / SCADA hack with some physical sabotage

Not sure if I should make this compulsory or banned…

(34)

End-to-End SCADA Security: Implementing a robust cyber security strategy to protect SCADA systems in the digital age

Creating a company-wide cyber security vision with SCADA systems in mind

Translating this vision into a strategy with a roadmap and how a security architecture can help

Defining how robust your security should be

Identifying opportunities to increase (embedded) security measures for new and existing SCADA systems and
