Step by Step: The Journey to Secure SCADA Systems
Miguel Chavero, Dec 2012
Dirección de Servicios – Negocio Liberalizado Europa Continental

IBERDROLA OVERVIEW
[Chart: Installed capacity and total production, 2000 vs 2011. Installed capacity: 46.026 MW in 2011 (+286%). Total production: 145.126 in 2011 (+147%). Other bar values shown on the chart, unlabelled in the extraction: 13.690, 16.081, 13.189, 98.699, 19.147.]

IBERDROLA OVERVIEW
[Chart: Generation mix by technology (%), 2000 (16.081 MW) vs 2011 (46.026 MW, more than doubled). Segment labels as they appear on the slide: Renewable 3, Hydro 21, Coal 27, Renewable 29, Nuclear 7, Hydro 51, Cogen 2, Nuclear 20, Coal 10, Combined Cycle 28.]

IBERDROLA OVERVIEW
[Chart: EBITDA (MM €) and EBITDA by business: Renewable, Liberalized, Regulated.]

IBERDROLA OVERVIEW
[Chart: EBITDA by country (Brazil, Spain, USA, UK) and KPIs (MM €): Gross Margin, Net Op. Exp., EBITDA.]

IBERDROLA OVERVIEW
We lead the construction of combined cycle power plants in Spain… 5.600 MW since 2001
• SANTURCE: 396 MW, 109FA
• CASTEJÓN: 379 MW, 109FA
• TARRAGONA POWER: 417 MW, 1FA
• CASTELLÓN A: 782 MW, 209FA
• CASTELLÓN B: 839 MW, 209FB
• ARCOS I and II: 783 MW, 2x109FA
• ARCOS III: 823 MW, 209FB
• ESCOMBRERAS: 816 MW, 209FB
• ACECA: 386 MW, 109FA

Chinese philosopher Lao-Tzu said, “A journey of a thousand miles begins with a single step.”
“SECURITY IS NOT A PRODUCT, IT IS A PROCESS”

ISO 27001
“Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, information is now exposed to a growing number and a wider variety of threats and vulnerabilities.”
ASSETS => MANAGE RISKS => REVENUES
CYBERSECURITY = RISK

Electrical Sector
• 1M USD/day penalty!!
• Since 2006 -> CIP 002-009 standards mandatory
• UK leading (CPNI), EU still starting
• Since 2008 -> Nuclear CyberSecurity Standards
• After 9/11, the “Department of Homeland Security” appeared

Our Journey
• 2005: EPRI Program 86 EIS (Energy Information Security)
• 2005: Started AURA Project
• 2006: AURA.PERIN Project (Firewalling) on CCGTs
• 2006: CISSP Certification and SANS training
• 2007: First CyberSecurity Plan for Thermal Stations
• 2007: EPRI PowerSec (sectorial benchmarking)
• 2007: AURA.XXXX projects started
• 2009: Coal Stations projects
• 2011: COGEN stations projects
• 2012: Collaboration with Nuclear stations

AURA PROJECT = The Beginning….
• Impact on your assets -> RISKS!
• Consequences on your process -> ACTIONS!

AURA PROJECT
[Diagram: initial state of a combined cycle control network. Components shown: GT, ST, ADH, UDH/ArcNet, OSM, HMI, PDH, WAN, DCG Router, PDA, VIB, PI, NODE BUS, AW, RTU, CP, PLC, PC-PLC, vendor IT-MONITOR, IBERDROLA WAN, INTERNET, other networks and hosts, field cabins (casetas), CEMS, environment (MEDIOAMBIENTE), government (Gobierno), GE Atlanta.]
Countermeasures per access point (before AURA):
• Access point #1: Firewalls
• Access point #2: None
• Access point #3: None
• Access point #4: None
• Access point #5: VPNs
• Access point #6: None

AURA PROJECT
[Map: plants covered by the AURA project with capacity and commissioning date. Plants named: Vitoria, Aranda, La Laguna, Valladolid, Santurce 4, Monterrey III (1000 MW, Jun’02), Altamira III and IV, Altamira V (1000 MW, Nov’03), CT Pasajes, CT Lada (Jul’10), CC Riga, Castejón 1, CT Velilla (Jun’06), Tarragona Power (Jun’09), Aceca 3, Tamazunchale (1000 MW), Castellón 3, Castellón 4 (Jun’07), Arcos 1 and 2, Arcos 3, CN Cofrentes, EW Cartagena, Termopernambuco (500 MW, Feb’04), Escombreras 6 (800 MW, Nov’06). Remaining capacities and dates on the map (150 MW, 200 MW, 400 MW, 500 MW, 800 MW, 850 MW, 1.100 MW; Sep’02, Abr’03, Ene’04, Dic’04, Ene’05, Jun’05, Dic’07, Jun’09, Sep’10) could not be paired with a plant in the extraction.]

AURA PROJECT
[Diagram: the same control network after AURA, with sub-projects placed on it: AURA.ANVIR, AURA.CABSE, AURA.NETMON, AURA.SECDIS, AURA.PERIN, AURA.DETIN, AURA.SECAR/GESUR, AURA.ENCRIPTA, AURA.DIALUP; GERES-RT134; RAS.]
Countermeasures per access point (after AURA):
• Access point #1: Firewalls + two-factor authentication + WAN encryption + intrusion detection
• Access point #2: Migrate to a network-to-network connection
• Access points #3 and #4: RAS with CHAP
• Access point #5: VPNs + two-factor authentication
• Access point #6: Pending, to be studied

AURA.PERIN
[Diagram: perimeter wiring layout. Redundant firewalls FWPERCGARA01 and FWPERCGARA02 (External, Lan1/Sync, Internal and DMZ ports), two Catalyst 2960 series switches SWPERCGARA01 and SWPERCGARA02, Woodward NetCon, HMICGARA, OSMCGARA, NIDSCGARA, HSTCGARA, OPCCGARA, RWIFICGARA access point for the PDA, GW EMERSON, office switch, RSA tokens, CYCLACGARA, PTA, BOP/HSRG, HMITV + rest of elements, TV1, TV2 + TV2 touch panel, networks RED-1/RED-2/RED-3 and the IBERDROLA corporate network. Power: 220 V UPS (SAI) and 220 V mains. Cable legend: straight patch cable, crossover cable, power cable.]

AURA.DETIN (NIDS + HIDS)

AURA.ANVIR
[Diagram: antivirus update distribution. IBERDROLA Network with AutoFTP Manager and CMDS (file update manager) behind the corporate firewall; INTERNET and vendor web; INTRANET; Combined Cycle #1 … Combined Cycle #n, each behind its own perimeter firewall.]

AURA.BACKUP
Automated Backups/Restores

AURA.BACON
• Users
• Off-Line
• On-Line
• Networking devices
• OS + APPs
• Ciphered e-SAFE

AURA.SECAR
Network to Network

AURA.SECAR
Network to Network

AURA.SECAR
Host to Network

AURA.CPD
[Screenshots: UNIT 1 sensor monitoring over a 24-hour window (07/05/2012 7:44 to 08/05/2012 7:50), some channels “not available”.
UNIT 1 - Sensor values: 172.21.38.140:unit1SensorValue:1 = 20,000; :2 = 50,000; :3 = 52,000; :4 = 20,000.
UNIT 1 - Temperature sensors (:1 = 20,000, :4 = 20,000) with SETPOINT LOW 10, SETPOINT WARNING 30, SETPOINT HIGH 35.
UNIT 1 - Humidity sensors (:2 = 50,000, :3 = 52,000) with SETPOINT LOW 0, SETPOINT WARNING 80, SETPOINT HIGH 85.]

AURA.CPD

AURA LABCON
• DCS MKVI from GE (turbogroup)
• PLC S7-400 Siemens
• DCS I/A Invensys (BOP & Boiler)
• Real sensors
• LAB Field Points - National Instruments
• Real PROCESS (Combined Cycles, Coal, Cogen, etc.)
• LAB PC with models using LabVIEW

AURA.xxxx Other Projects
• AURA.ARMIA: Physical SAFES for backups and media devices.
• AURA.CABSE: Physical protection against wilful damage to network patch cords and networking devices.
• AURA.ENCRIPTA: Communication channel encryption (AES-256).
• AURA.NETMON: SCADA end-point and network device monitoring.
• AURA.DAPLI: Lay-out and protocol documentation.
• AURA.CENLOG: SIEM tool.
• AURA.DETIN 2.0: NetWitness tool.

AURA PROJECT: AWARENESS AND POLICIES
• EQUIPMENT INVENTORY
• INFORMATION CLASSIFICATION
• CRITICAL CYBER ASSETS ASSESSMENT (NELIB Global Criteria)
• APPLICATION INVENTORY
• PHYSICAL LAYOUTS BY BUSINESS
• LOGIC LAY-OUTS
• CYBERSECURITY INCIDENT RESPONSE (Incident Database)
• CHANGE MANAGEMENT (Change Database)

AURA PROJECT: AWARENESS AND POLICIES
• MALWARE PROTECTION: End-Point Secured Inventory
• BACKUP/RESTORE: Maintenance procedures
• REMOVABLE DEVICES: Granted Devices Inventory, Procedure Records
• TECHNICAL PROCEDURES
• THIRD PARTY DEVICES USAGE: Approval Form
• CREDENTIAL MANAGEMENT: Ciphered Safe
• REMOTE ACCESS: Granted Providers Inventory
• NETWORK GUIDELINES: Lay-Out Templates

AURA PROJECT: AWARENESS AND POLICIES
• Key-Users awareness through WebEx
• Upper Management reporting
• Key-Users technical reporting
Never give up……….keep fighting…..

The journey never ends……doing now

AURA.MARS CONCEPT
• What is MARS?
 – A holistic approach to Security Monitoring and Response
• Why MARS?
 – Because threats are complex, resources are scarce, and response time is critical
• How is MARS different from standard approaches?
 – We use both the standard and the most advanced Security Strategies and Technologies and highly integrate and automate them so they can work together efficiently

AURA.MARS CONCEPT
(Note: Nothing to do with Cisco MARS)

AURA.MARS CONCEPT

AURA SECDIS – End-Point Security – Whitelisting + Sandboxing

AURA e-CONSEG Reporting Web Console

Fighting with STANDARDS
• ISO 27001
• CIP 002 – 009
• ISA-99
• RG 5.71
• NIST
• SANS
• CERT
• CPNI
Getting the most. Fitting legal/business requirements.

SANS TOP 20 CONTROLS
SANS CONTROL | IBERDROLA STATUS / COMMENTS
• Critical Control 1: Inventory of Authorized and Unauthorized Devices
• Critical Control 2: Inventory of Authorized and Unauthorized Software
• Critical Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Critical Control 4: Continuous Vulnerability Assessment and Remediation
• Critical Control 5: Malware Defenses
Iberdrola status comments on this slide (the control each one is attached to is not recoverable from the extraction): “Nowadays defining templates”; “Procedure in place, resources pending”.

SANS TOP 20 CONTROLS
SANS CONTROL | IBERDROLA STATUS / COMMENTS
• Critical Control 6: Application Software Security
• Critical Control 7: Wireless Device Control
• Critical Control 8: Data Recovery Capability
• Critical Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
• Critical Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Iberdrola status comments on this slide: “Whitelisting”; “Never ending…”; “Vendor restrictions”.

SANS TOP 20 CONTROLS
SANS CONTROL | IBERDROLA STATUS / COMMENTS
• Critical Control 11: Limitation and Control of Network Ports, Protocols, and Services
• Critical Control 12: Controlled Use of Administrative Privileges
• Critical Control 13: Boundary Defense
• Critical Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
• Critical Control 15: Controlled Access Based on the Need to Know
Iberdrola status comments on this slide: “Very difficult on SCADA environment” (twice).

SANS TOP 20 CONTROLS
SANS CONTROL | IBERDROLA STATUS / COMMENTS
• Critical Control 16: Account Monitoring and Control
• Critical Control 17: Data Loss Prevention
• Critical Control 18: Incident Response and Management
• Critical Control 19: Secure Network Engineering
• Critical Control 20: Penetration Tests and Red Team Exercises
Iberdrola status comment on this slide: “Waiting for resources…”.

CONCLUSIONS
• TAKE YOUR TIME!!!!
• Holistic approach required. Be GLOBAL.
• Focus on your own risks, each business is different!!!
• You have to assume some risks (i.e.: vendor restrictions).
• Be ready for the impact!!!! Disaster recovery procedures are very important.
• Do not miss forensics tools and procedures.
• Testing facilities are a must.
• There is no super product. Integration is required.
• Work closely with your control system vendors, remember they are not good!!!
• Open Source helps – do not miss it!!!
• Never walk alone….internal and external support is critical!!!

Spanish writer Antonio Machado said, “Caminante, no hay camino, se hace camino al andar”: “Walker, there is no path; you make the path as you walk.”
Miguel Chavero
[email protected]
CISSP#: 122240