The Journey to Secure SCADA Systems

Step by Step: The Journey to Secure SCADA Systems
Miguel Chavero
Dec 2012
IBERDROLA OVERVIEW
[Chart: installed capacity and total production, 2000 vs 2011. Installed capacity grew +286% to 46.026 MW (from 16.081 MW); total production grew +147% to 145.126.]
Dirección de Servicios – Negocio Liberalizado Europa Continental
2
[Chart: capacity mix by technology, 2000 (16.081 MW) vs 2011 (46.026 MW, x2+). Segments as labelled on the slide: Renewable 3 / 29, Hydro 21 / 51, Coal 27 / 10, Nuclear 7 / 20, Cogen 2, Combined Cycle 28.]
[Chart: EBITDA (MM €) and EBITDA by business: Renewable, Liberalized, Regulated.]
[Chart: EBITDA by country (Brazil, Spain, USA, UK) and KPIs in MM €: Gross Margin, Net Op. Exp., EBITDA.]
We lead the construction of combined cycle power plants in Spain: 5.600 MW since 2001.
[Map of combined cycle plants, with capacity and configuration as labelled:]
• SANTURCE: 396 MW, 109FA
• CASTEJÓN: 379 MW, 109FA
• TARRAGONA POWER: 417 MW, 1FA
• CASTELLÓN A: 782 MW, 209FA
• CASTELLÓN B: 839 MW, 209FB
• ARCOS I and II: 783 MW, 2x109FA
• ESCOMBRERAS and ARCOS III: 823 MW, 209FB and 816 MW, 209FB
• ACECA: 386 MW, 109FA
Chinese philosopher Lao-Tzu said, "A journey of a thousand miles begins with a single step."
"SECURITY IS NOT A PRODUCT, IT IS A PROCESS"
ISO 27001
"Information is an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities".
ASSETS => MANAGE RISKS => REVENUES
CYBERSECURITY = RISK
Electrical Sector
• 1M USD/day penalty!!
• Since 2006 -> CIP 002-09 standards mandatory
• UK leading (CPNI), EU still starting
• Since 2008 -> Nuclear CyberSecurity Standards
• After 9/11, the "Department of Homeland Security" appeared
Our Journey
• 2005: EPRI Program 86 EIS (Energy Information Security)
• 2005: Started AURA Project
• 2006: AURA.PERIN Project (Firewalling) on CCGTs
• 2006: CISSP Certification and SANS training
• 2007: First CyberSecurity Plan for Thermal Stations
• 2007: EPRI PowerSec (sectorial benchmarking)
• 2007: AURA.XXXX projects started
• 2009: Coal Stations projects
• 2011: COGEN stations projects
• 2012: Collaboration with Nuclear stations
AURA PROJECT = The Beginning...
• Impact on your assets: RISKS!
• Consequences on your process: ACTIONS!
AURA PROJECT
[Diagram: plant control network before AURA. Elements: DCS with a GE Atlanta vendor link over UDH/ArcNet, OSM, HMIs, PDH, WAN router, DCG, PDA, VIB, PI node bus, AWs, RTU, CPs, PC-PLC and PLC links, vendor (Fabricante) IT-MONITOR, IBERDROLA WAN, Internet, other networks/host, CEMS cabins reporting to the Government (Environment). Countermeasures per access point as labelled: #1 (vendor/Internet): firewalls; #2: none; #3: none; #4: none; #5 (other networks/host): VPNs; #6: none.]
[Map: AURA project roll-out across combined cycle (CC), thermal (CT) and nuclear (CN) stations, each labelled with capacity (150 to 1.100 MW) and date (2002 to 2010). Stations named: EW Vitoria, Aranda, La Laguna, Valladolid, Santurce 4, Monterrey III (1000 MW, Jun'02), Altamira III and IV, Altamira V (1000 MW, Nov'03), CT Pasajes, CT Lada (Jul'10), CC Riga, Castejón 1, CT Velilla, Tarragona Power, Aceca 3, Tamazunchale (1000 MW), Castellón 3, Castellón 4, Arcos 1 and 2, Arcos 3, EW Cartagena, CN Cofrentes, Termopernambuco (500 MW, Feb'04), Escombreras 6.]
AURA PROJECT
[Diagram: the same plant network after AURA, with the projects placed where they apply: AURA.ANVIR, AURA.CABSE, AURA.NETMON and AURA.SECDIS on the control network; GERES-RT134; AURA.PERIN, AURA.DETIN, AURA.SECAR/GESUR and AURA.ENCRIPTA at the IBERDROLA WAN / Internet boundary; AURA.DIALUP and RAS on the PC-PLC links; AURA.SECAR/GESUR on the CEMS link to the Government (Environment). Countermeasures per access point as labelled: #1: firewalls + two-factor + encryption + intrusion detection; #2: migrate to a network-to-network connection; #3 and #4: RAS with CHAP; #5: VPNs + two-factor; #6: under study (pending).]
AURA.PERIN
[Diagram: perimeter firewalling of one combined cycle plant. Two firewalls (FWPERCGARA01 and FWPERCGARA02) in a high-availability pair joined by a Lan1/Sync link, with the External interface towards the IBERDROLA corporate network and Internal and DMZ interfaces cabled to two Catalyst 2960 switches (SWPERCGARA01 and SWPERCGARA02). DMZ hosts: OSMCGARA, NIDSCGARA, HSTCGARA, OPCCGARA. Plant side: HMI (HMICGARA), TV1/TV2 turbine controllers, touch panel, BOP/HSRG, Woodward NetCon, Emerson GW, office switch, wifi AP (RWIFICGARA) for the PDA, CYCLACGARA, PTA, RSA tokens. Power: 220 V UPS (SAI) and 220 V mains. Legend: flat network cable, crossover network cable, power cable.]
AURA.DETIN (NIDS + HIDS)
AURA.ANVIR
[Diagram: antivirus update distribution. Vendor website (Web Fabricante) on the INTERNET -> corporate firewall -> INTRANET (IBERDROLA network) -> CMDS update manager and file manager -> AutoFTP Manager -> perimeter firewall of each combined cycle plant (#1 to #n).]
AURA.BACKUP Automated Backups/Restores
AURA.BACON
[Diagram: configuration backup of users, networking devices and OS + APPs, both off-line and on-line, stored in an encrypted e-SAFE.]
AURA.SECAR Network to Network
AURA.SECAR Host to Network
AURA.CPD
[Dashboard screenshots covering 07/05/2012 7:44:28 to 08/05/2012 7:44:28 (24,00 horas): "UNIT 1 - Valor Sensor" with readings from 172.21.38.140:unit1SensorValue:1 to :4 (20,000; 50,000; 52,000; 20,000), some shown as "not available"; "UNIT 1 - Valor Sensores Temperatura" trend with SETPOINT LOW 10, WARNING 30, HIGH 35; "UNIT 1 - Valor Sensores Humedad" trend with SETPOINT LOW 0, WARNING 80, HIGH 85.]
AURA LABCON
[Diagram of the control lab:]
• DCS MKVI from GE (Turbogroup)
• PLC S7400 Siemens
• DCS I/A Invensys (BOP & Boiler)
• Real Sensors
• LAB Field Points - National Instruments
• Real PROCESS (Combined Cycles, Coal, Cogen, etc.)
• LAB PC with Models using LabVIEW
AURA.xxxx Other Projects
• AURA.ARMIA: Physical SAFES for backups and media devices.
• AURA.CABSE: Physical protection against wilful damage to network patch cords and networking devices.
• AURA.ENCRIPTA: Communication channel encryption (256-bit AES).
• AURA.NETMON: SCADA end-point and network device monitoring.
• AURA.DAPLI: Lay-out and protocol documentation.
• AURA.CENLOG: SIEM tool.
• AURA.DETIN 2.0: NetWitness tool.
AURA PROJECT: AWARENESS AND POLICIES
• EQUIPMENT INVENTORY
• INFORMATION CLASSIFICATION
• CRITICAL CYBER ASSETS ASSESSMENT (NELIB Global Criteria)
• APPLICATION INVENTORY
• PHYSICAL LAYOUTS BY BUSINESS
• LOGIC LAY-OUTS
• CYBERSECURITY INCIDENT RESPONSE (Incident Database)
• CHANGE MANAGEMENT (Change Database)
• MALWARE PROTECTION (End-Point Secured Inventory)
• BACKUP/RESTORE (Maintenance procedures)
• REMOVABLE DEVICES (Granted Devices Inventory, Procedure Records)
• TECHNICAL PROCEDURES
• THIRD PARTY DEVICES USAGE (Approval Form)
• CREDENTIAL MANAGEMENT (Encrypted Safe)
• REMOTE ACCESS (Granted Providers Inventory)
• NETWORK GUIDELINES (Lay-Out Templates)
• Key-Users awareness through WebEx
• Upper Management reporting
• Key-Users Technical reporting
Never give up... keep fighting...
The journey never ends... what we are doing now
AURA.MARS CONCEPT
• What is MARS?
– A holistic approach to Security Monitoring and Response
• Why MARS?
– Because threats are complex, resources are scarce, and response time is critical
• How is MARS different from standard approaches?
– We use both the standard and the most advanced Security Strategies and Technologies and highly integrate and automate them so they can work together efficiently
(Note: Nothing to do with Cisco MARS)
AURA SECDIS – End-Point Security – Whitelisting + Sandboxing
AURA e-CONSEG Reporting Web Console
Fighting with STANDARDS
• ISO 27001
• CIP 002-009
• ISA-99
• RG 5.71
• NIST
• SANS
• CERT
• CPNI
Getting the most out of them, fitting legal/business requirements
SANS TOP 20 CONTROLS
[Table with columns SANS CONTROL / IBERDROLA STATUS / COMMENTS; the status icons are not recoverable from the slide.]
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defenses
Comments on this slide: "Nowadays defining templates"; "Procedure in place, resources pending".
SANS TOP 20 CONTROLS (continued)
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Comments on this slide: "Whitelisting"; "Never ending..."; "Vendor restrictions".
SANS TOP 20 CONTROLS (continued)
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defense
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
Comments on this slide: "Very difficult on SCADA environment" (given for two of the controls).
SANS TOP 20 CONTROLS (continued)
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises
Comments on this slide: "Waiting for resources...".
CONCLUSIONS
• TAKE YOUR TIME!!!!
• Holistic approach required. Be GLOBAL
• Focus on your own risks, each business is different!!!
• You have to assume some risks (i.e.: vendor restrictions)
• Be ready for the impact!!!! Disaster recovery procedures are very important
• Do not miss forensics tools and procedures
• Testing facilities are a must
• There is no super product. Integration is required
• Work closely with your control system vendors, remember they are not good!!!
• Open Source helps, do not miss it!!!
• Never walk alone... internal and external support is critical!!!
Spanish writer Antonio Machado said, "Caminante, no hay camino, se hace camino al andar": "Walker, there is no path, the path is made by walking".
Miguel Chavero
[email protected]
CISSP#: 122240