Cyber security tools for SCADA - PowerPoint PPT Presentation

About This Presentation
Title:

Cyber security tools for SCADA

Slides: 26
Provided by: denniskh
Transcript and Presenter's Notes

1
Cyber security tools for SCADA
  • Prepared by OPUS Publishing
  • www.opusss.com
  • John T. Tengdin, 949-361-9595 phone & fax
  • Email: j.t.tengdin_at_ieee.org
  • 13 September 2004

2
Much talk about need. Now three initiatives underway
  • Gas Technology Institute
    • Standards
      • AGA 12
      • AGA 12-1
      • Others to follow
    • Field tests
  • Sandia National Laboratories
    • Proof of concept modules
    • Field Tests
  • TecSec contract with HSARPA

3
But What Are the Security Issues?
  • Today, someone can impact SCADA in many ways
    • Interception: Listening to Messages
    • Fabrication: Creating Forged Messages
    • Alteration: Changing Valid Messages
    • Replay: Copying Message, Send Later
    • Corruption: Changing values in SCADA database
  • Properly designed (for SCADA) cyber security
    system will address all

4
Impressions vs Reality
  • Impression: We only use leased lines, so no one has access
    Reality: They are easy to tap. Go to www.tscm.com/outsideplant.html
  • Impression: Nobody knows our dial-up phone numbers
    Reality: A tap on the outgoing line will reveal every one. War dialers will find auto-answer modems.
  • Impression: We use frequency hopping spread spectrum radio. It's secure
    Reality: The Wireless LAN Assn specifically recommends encryption of spread spectrum radio.
  • Impression: Our maintenance ports are protected by passwords
    Reality: Easy to get: just eavesdrop on the line; they are sent in the clear (and rarely changed)

5
Dial up Maintenance Ports Are Vulnerable
  • Many uses and users
    • Obtain data and status information
    • Change setting/manual control (2nd password)
    • Download new programs or patches (3rd password)
  • Reality
    • Passwords rarely changed
    • Passwords easily guessed (company name, etc.)
    • War dialers can find the auto answer modems
  • Need
    • Authenticate the remote user before allowing any access

6
Who are the attackers? They could be
  • Recently laid off employees
  • Disgruntled employees
  • Disgruntled employees of one of your suppliers
    • The Queensland, Australia incident
      • Hacked into SCADA system 46 times; dumped raw sewage

7
Who are the attackers? They could be
  • Recently laid off employees
  • Disgruntled employees
  • Third party maintenance contractors
  • Vendor supplying SCADA updates
  • Energy traders looking for an edge
  • Insiders looking for saleable information
  • Rogue state attackers (terrorists)

8
SCADA Master Station data has value
  • Data is stored in master station database
  • In the past, could be read by many
  • Today's trading environment is different
  • Data cannot be open to all
  • Immense value to bidders for next energy block
  • Even insiders could read and pass on sensitive
    financial data
  • With Ethernet links connecting SCADA database to
    the corporate LAN, new approaches are required
  • One solution: use a one-way firewall
  • Another solution: Role Based Access Control with
    secure authentication (when firewalls are not
    enough)

9
Work at Gas Technology Institute
  • Funded by AGA, NIST, TSWG
  • Directed at needs of all utilities
  • Electric, gas, pipelines, water, waste water
  • Covers SCADA links, data at rest, maint. ports
  • A series of AGA standards
    • First step: AGA 12 - completed
    • Cryptographic Protection of SCADA
      Communications: General Recommendations

10
So what's in AGA 12? Examples
  • Overview
    • Intro: Who needs security and why
    • Policy: Recommendations
    • Technical: use of sessions, protection of data
    • Operational: maintenance, key management
    • Quality: interoperability
  • Annexes (partial list)
    • SCADA Security Background
    • Risk Assessment and Threat Analysis
    • SCADA Security Policy Fundamentals
    • Test Plan

11
AGA 12 to be a standard
  • Document available on the web: http://gtiservices.org/security/index.shtml
  • Objectives
  • Save SCADA owners time and money
  • Be comprehensive for SCADA
  • Recommend secure practices
  • Uses NIST approved crypto algorithms
  • Easier to implement than roll your own

12
AGA 12-1: Retrofit link encryption/authentication
for asynchronous serial communications
  • For SCADA
    • The bump in the wire approach
    • No change in master station or remote software
    • Will handle multi-drop and mixed mode
    • Authenticates master/remote session, then
      encrypts messages
  • For maintenance ports
    • Two factor user authentication for session
    • No change in IED software or passwords

13
AGA 12-1 Field Tests
  • Select Source for Test Modules
  • Reference model RFC on web site
  • RFP in August 2004
  • Interoperable with GTI Reference Module
  • Initial Tests Planned at Peoples Energy Chicago
  • Gas SCADA over Modbus
  • By 1Q 2005

14
Future AGA Work
  • AGA 12-2
    • Protection of IP based networked systems
      (connections via Ethernet LAN/WAN)
  • AGA 12-3
    • Protection embedded in new SCADA products
  • AGA 12 Addendums
    • Key management
    • Protection of data at rest

15
Sandia contract with NETL, National Energy
Technology Lab (part of Department of Energy)
  • Sandia's contract partners
    • OPUS Publishing
    • TecSec, Inc.
    • Mykotronx
    • utility partners: DTE and Peoples Energy
  • Develop/demonstrate proof-of-concept modules
  • Field tests at utility partners: started July 04
  • Building on work at GTI
  • Project Fact Sheet available: www.ea.doe.gov/pdfs/cyber_security.pdf

16
Proof of Concept Modules/Software
  • SCM (SCADA Cryptographic Module)
    • For authentication/encryption of SCADA links
      (demonstrated with three protocols: ModBus, DNP
      3, and one legacy protocol)
  • MCM (Maintenance Cryptographic Module)
    • For secure authenticated access via dial up to
      IED and RTU maintenance ports
  • Key management system for both

17
Reference Model

18
Retrofit SCM Requirements
  • At remote sites, install between modem and Remote
    Terminal Unit (RTU)
  • At master, between modem and front end processor
  • Protocol independent (for byte oriented)
  • Minimum latency (no more than 20% decrease in
    polling frequency)
  • When initialized at the master, establish a
    secure session with all SCMs on that channel
  • Within a secure session, use NIST approved
    encryption algorithms
  • Change session keys at prescribed intervals
    (minimizes chance of replay)

19
The SCADA Retrofit Challenge
  • Many multidrop channels, common in
    • Radio
    • Leased lines
  • Need to deploy modules sequentially and operate in
    Mixed Mode
    • On one channel, install SCM at master
    • Set to pass through all messages
    • Install SCM at one remote and re-program SCM at
      master to send it only encrypted
    • Proceed to other remotes, and repeat
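
The retrofit SCM behaviour from the two slides above (per-message authentication, replay rejection, and mixed-mode pass-through for remotes not yet upgraded), as an added example that is not from the presentation, AGA 12-1, or the GTI reference module. The `SCM` class, the framing, the direction bytes and the 16-byte tag are assumptions; Modbus RTU addressing is assumed, and payload encryption is left out.

```python
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA-256 tag; a choice made for this sketch

class SCM:
    """Toy bump-in-the-wire module. Framing and names are assumptions."""

    def __init__(self, session_key, protected_addrs, is_master):
        self.key = session_key
        self.protected = set(protected_addrs)  # remotes that already have an SCM
        self.me, self.peer = (b"M", b"R") if is_master else (b"R", b"M")
        self.tx_seq = {}  # last counter sent, per remote address
        self.rx_seq = {}  # highest counter accepted, per remote address

    def _tag(self, direction, body):
        # The direction byte is MACed so a frame cannot be reflected to its sender.
        return hmac.new(self.key, direction + body, hashlib.sha256).digest()[:TAG_LEN]

    def outbound(self, frame):
        """Wrap frames for upgraded remotes; pass legacy traffic through."""
        addr = frame[0]  # assumes Modbus RTU, where the first byte is the address
        if addr not in self.protected:
            return frame  # mixed mode: this remote has no SCM yet
        seq = self.tx_seq[addr] = self.tx_seq.get(addr, 0) + 1
        body = frame[:1] + struct.pack(">I", seq) + frame[1:]
        return body + self._tag(self.me, body)

    def inbound(self, wire):
        """Return the original frame, or None when the message must be dropped."""
        if not wire:
            return None
        addr = wire[0]
        if addr not in self.protected:
            return wire  # pass-through for remotes without an SCM
        if len(wire) < 5 + TAG_LEN:
            return None  # cleartext or truncated frame on a protected address
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.peer, body)):
            return None  # fabricated, altered, or reflected
        seq = struct.unpack(">I", body[1:5])[0]
        if seq <= self.rx_seq.get(addr, 0):
            return None  # replay of an earlier valid message
        self.rx_seq[addr] = seq
        return body[:1] + body[5:]

# Constructed sample: Modbus RTU "read holding registers" request to remote 0x11.
SAMPLE = bytes.fromhex("1103006B00037687")
```

A cleartext frame addressed to an upgraded remote is dropped rather than passed through, so the module cannot be bypassed by sending unprotected traffic. Changing the session key at the prescribed interval would also reset both counter tables.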

20
Retrofit MCM Requirements
  • Install at remote sites between auto answer modem
    and IED maintenance port or port switch
  • Two factor authenticated access from remote
    notebook or desk top computer (USB fob plus a
    password)
  • Once MCM grants authenticated access to the
    maintenance port, MCM shall pass through all
    messages and commands without alteration
  • No changes to be required in IED software
  • If USB fob is removed, the connection terminates

21
Role Based Access Control of Data
  • Access defined as
    • Read only, write only, read/write
    • Each with expiration date/time
  • Incremental access rights
    • Entire file, portion of a file, single word or
      object
  • Access granted through two factor authentication,
    e.g. USB fob plus password
  • Requires a Key Management System (for keys stored
    in fobs)
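
The access rules on this slide (read/write rights, expiration, and scope from a whole file down to a single object) as an added example that is not from the presentation or any TecSec product. The `Grant` type, role names and data paths are hypothetical, and the two factor authentication step is assumed to have already established the caller's role.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    role: str
    scope: tuple       # ("file",), ("file", "section") or ("file", "section", "object")
    ops: frozenset     # any of {"read", "write"}; write-only is a valid grant
    expires: datetime  # the right lapses at this instant

def allowed(grants, role, target, op, now):
    """Deny by default; allow only if an unexpired grant covers target and op."""
    for g in grants:
        if g.role != role or op not in g.ops or now >= g.expires:
            continue
        # A grant covers its scope and everything beneath it, never anything above.
        if target[:len(g.scope)] == g.scope:
            return True
    return False

# Constructed sample policy; role names and paths are hypothetical.
UTC = timezone.utc
GRANTS = [
    Grant("operator", ("scada.db",), frozenset({"read", "write"}),
          datetime(2005, 1, 1, tzinfo=UTC)),
    Grant("trader", ("scada.db", "flows", "station7"), frozenset({"read"}),
          datetime(2004, 10, 1, tzinfo=UTC)),
    Grant("meter_feed", ("scada.db", "flows"), frozenset({"write"}),
          datetime(2005, 1, 1, tzinfo=UTC)),
]
```

With this policy the `trader` role can read one object until its grant expires, cannot read the enclosing section or file, and the write-only `meter_feed` role cannot read back what it writes.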

22
_at_ access to only that
business entity's own data

23
TecSec contract with HSARPA - Objectives
  • Manage keying material for
    • SCMs (SCADA Crypto Modules)
    • MCMs (Maintenance CMs)
    • Authentication keys
  • Provide means for key distribution via
    • Dial up
    • WAN
    • Internet
    • Control center LAN to SCMs

24
High-value Next Steps
  • RFP for prototype SCM and MCM units
    (issued Aug 04)
  • Lab and field tests of these prototypes
  • Implement Commercialization Plan
  • Feedback from field test and utility partners
  • AGA 12-1 standard
  • Develop and ballot AGA 12 addendums and 12-1
  • SCADA users should
  • Examine AGA 12 (available free on web site)
  • Implement policies that fit their own
    organization
  • To protect data at rest, a solution exists today

25
Questions?
  • John T. Tengdin
  • OPUS Publishing
  • 2859 Calle Heraldo
  • San Clemente, CA 92673-3572
  • www.opusss.com
  • Phone & fax: 949-361-9595
  • Cell: 949-370-1140
  • Email: j.t.tengdin_at_ieee.org