Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org
A Tour Through Power System Cyber Security
Tim Yardley, University of Illinois Urbana-Champaign
cred-c.org|3
Electric Power System
[Figure: the electric power system by voltage level: Generation; Transmission 69 kV – 500 kV; Distribution 12 kV – 34 kV; Consumption 120 V, 240 V]
Courtesy: David E. Whitehead, Schweitzer Engineering Laboratories, Inc.
[Figure: "Future Substation Architecture" (Revision 09/23/2016). Components shown: primary power equipment; phasor measurement unit; relays and legacy relays; relay controller; control center; security gateway; SCADA gateway; terminal server; digital fault recorder; communications transport system; local HMI; GPS clock; switches; local batteries and power distribution; EMS kit; programmable logic controllers; pilot relay; distributed I/O; asset health monitor; log collector; physical security; station router (firewall, IDS); proxy server; DWDM fiber terminal; AMI data concentrator. Network segments: substation network, yard network, physical devices. Connection types: secondary and control wiring (signals), digital serial, Ethernet. NOTE: all lines shown without arrows are bi-directional communications. NOTE: breaks represent segmentation of network.]
Cyber-Physical Infrastructure
[Figure: the electrical infrastructure overlaid with the "intelligence" infrastructure]
Courtesy: Paul Myrda, EPRI

Roadmap Vision
In 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function.
• Published in January 2006
• Energy Sector's synthesis of critical control system security challenges, R&D needs, and implementation milestones
• Provides strategic framework to
  – align activities to sector needs
  – coordinate public and private programs
  – stimulate investments in control systems security
Roadmap – Framework for Public-Private Collaboration
Not fully achieved
DOE Roadmap – Key Strategies & 2015 Goals
• Measure and Assess Security Posture: energy asset owners are able to perform fully automated security state monitoring of control systems networks with real-time remediation
• Develop and Integrate Protective Measures: next-generation control systems components and architectures produced with built-in, end-to-end security will replace older legacy systems
• Detect Intrusion & Implement Response Strategies: control systems networks will inform operator response to provide contingency and remedial actions in response to attempted intrusions
• Sustain Security Improvements: implement effective incentives through Federal and state governments to accelerate investment in secure control system technologies and practices
FERC/NERC Regulations
• Federal Energy Regulatory Commission
  • Enforces the regulations – has fining authority
• North American Electric Reliability Corporation
  • Provides the security requirements for the electricity sector (CIP 1-11)
  • CIP standards are voted on by industry
• Utilities wouldn't "police themselves", so regulation was needed

Example Regulation Details
• Requirement: assets that are carrying out critical functionality and that are connected via IP must adhere to CIP guidelines.
• Utility response: disconnect IP and use serial instead. No longer need to adhere.
• Following regulatory response: change the CIP requirements to identify requirements based on function in the grid.
• Sort of a cat and mouse game… but changing.

NISTIR 7628 Overview
• Guidelines for Smart Grid Cyber Security
• Provides an overview of the high-level security strategy
• Acts as a tool to guide research and implementation for established and emerging technology
• Provides an evaluative framework for assessing risk
• Acts as a guide to policy creation and mitigation of risk
CIA Triad
• Confidentiality
  • Basically "privacy", in other words protecting information so that only the right people can see it
• Integrity
  • Making sure that data isn't changed/altered from its original state while being conveyed
• Availability
  • Keeping things accessible

Basics of Authentication
• Authentication: binding of identity to subject
  • Identity is that of an external entity (my identity, the Illini Union Bookstore, etc.)
  • Subject is a computer entity (process, network connection, etc.)
• Two steps
  • Identification step: present identifier to security system. Registration
  • Verification step: present or generate authentication information that corroborates the binding between entity and identifier

Establishing Identity
• One or more of the following
  • What entity knows (e.g. password, private key)
  • What entity has (e.g. badge, smart card)
  • What entity is (e.g. fingerprints, retinal characteristics)
  • What entity does (e.g. voice pattern, handwriting, typing rhythm)
  • Where entity is (e.g. in front of a particular terminal)
• Example: credit card transaction
• Multi-factor authentication
  • Use multiple elements to prove identity

Challenge-Response
• User and system share a secret function
• User proves knowledge of secret function by answering challenge
[Diagram of the exchange:]
  user → system: request to authenticate
  system → user: random message r (the challenge)
  user → system: f(r) (the response)
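The three-message exchange above, written out as an added example (this is not code from the slides or from CRED-C): the shared secret function f is instantiated as HMAC-SHA256 under a constructed shared secret, the system issues a fresh random challenge r, and the user answers with f(r). The verifier discards each challenge after one use, so a captured response cannot be replayed, and it compares digests in constant time. Names (`System`, `User`, `SHARED_SECRET`) are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example; in practice provisioned per user/device.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


def f(secret: bytes, challenge: bytes) -> bytes:
    """The secret function f shared by user and system: HMAC-SHA256.
    Seeing r and f(r) on the wire does not reveal the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class System:
    """Verifier: issues a random challenge, then checks the response."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = {}  # username -> challenge not yet answered

    def challenge(self, username: str) -> bytes:
        r = secrets.token_bytes(16)          # the random message r
        self._outstanding[username] = r      # replaces any older challenge
        return r

    def verify(self, username: str, response: bytes) -> bool:
        r = self._outstanding.pop(username, None)   # each challenge is single-use
        if r is None:
            return False
        expected = f(self._secret, r)
        return hmac.compare_digest(expected, response)  # constant-time compare


class User:
    """Claimant: proves knowledge of the secret by computing f(r)."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def respond(self, r: bytes) -> bytes:
        return f(self._secret, r)


def run_exchange(user: User, system: System) -> bool:
    """1. request to authenticate, 2. challenge r, 3. response f(r)."""
    r = system.challenge(user.name)
    return system.verify(user.name, user.respond(r))


def replay_is_rejected(user: User, system: System) -> bool:
    """A correct response is accepted once; presenting it again fails."""
    r = system.challenge(user.name)
    response = user.respond(r)
    first = system.verify(user.name, response)
    second = system.verify(user.name, response)
    return first and not second
```

The property worth noticing is that the secret itself never crosses the link, which is what separates this from the cleartext passwords many control protocols still send.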
Classical Cryptography
• Sender, receiver share common key
  • symmetric cryptography
    • Keys may be the same, or trivial to derive from one another
  • asymmetric cryptography
    • Keys are split into multiple parts (some known, some unknown)

Symmetric: Transposition Cipher
• Rearrange letters in plaintext to produce ciphertext
• Example: reverse every group of four non-space characters
  THE WINTER OF OUR DISCONTENT
  becomes
  WEHTETNIOFORIDRUNOCSTNET
• More generally known as 'permutation'
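The slide's example carried through in code, as an added illustration rather than anything from the slides: `reverse_groups` performs exactly the "reverse every group of four non-space characters" rule, and `permute` generalizes it to any block permutation given as a key (reversal is the key `(3, 2, 1, 0)`), with `inverse_key` giving the decryption key. The function names and the sample key are this example's own.

```python
def reverse_groups(text: str, n: int = 4) -> str:
    """Drop spaces, then reverse every group of n characters.
    A trailing group shorter than n is reversed as-is. The function is
    its own inverse, so applying it twice returns the plaintext."""
    letters = text.replace(" ", "")
    return "".join(letters[i:i + n][::-1] for i in range(0, len(letters), n))


def permute(text: str, key: tuple) -> str:
    """General block permutation: output position j takes input position key[j].
    A trailing block shorter than the key is left unchanged."""
    n = len(key)
    letters = text.replace(" ", "")
    out = []
    for i in range(0, len(letters), n):
        block = letters[i:i + n]
        out.append("".join(block[k] for k in key) if len(block) == n else block)
    return "".join(out)


def inverse_key(key: tuple) -> tuple:
    """Key that undoes permute(..., key)."""
    inv = [0] * len(key)
    for pos, k in enumerate(key):
        inv[k] = pos
    return tuple(inv)


def same_letter_counts(plaintext: str, ciphertext: str) -> bool:
    """A transposition only moves letters, so their frequencies survive;
    this is what makes pure transposition weak against frequency analysis."""
    return sorted(plaintext.replace(" ", "")) == sorted(ciphertext)
```

Because the letter multiset is unchanged, `same_letter_counts` is true for every transposition; a cipher that only permutes positions leaks everything frequency analysis needs.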
cred-c.org|22
Symmetric:AES(AdvancedEncryptionStandard)• USNISTissuedcallforciphersin1997
• Requirements• Privatekeysymmetricblockcipher• 128-bitdata,128/192/256-bitkeys• Stronger&fasterthanTriple-DES• Activelifeof20-30years(+archivaluse)• Providefullspecification&designdetails
cred-c.org|23
Asymmetric:PublicKeyCryptography• KeyK=(e,d)hastwoparts
• ‘e’,the“public”part• ‘d’,theprivatepart
• AlicewantstosendmessagemtoBob• Bob’skeyis(eBob,dBob)
• ShelooksupBob’spublickeyinadatabase,eBob• Sheencrypts(particularfunctionE)musingeBob,E(eBoB,m)
• Canbetransmittedintheclear• BobreceivesE(eBob,m),appliesdecodefunctionDusingprivatekeydBob:
• D(dBob,E(eBob,m))=m• AliceandBobshareNOsecretinformation!
cred-c.org|24
Asymmetric:PublicKeyCryptography• Canbeusedtoprovepossessionofaprivatekey:
• Amessageis‘signed’withAlice’sprivatekeydAlice• D(dAlice,m)• NoteuseofD,notE,butD==Einsomesystems
• Bob(andanyoneelse)receivesmessage(m,D(dAlice,m))andcanlookupAlice’spublickeyeAlice
• ComputeE(eAlice,D(dAlice,m))=m,andcomparewithminmessage• Whatthisproves:
• (a)thatthesignaturecomputedwascomputedonm• Providingaproofofintegrity
• (b)thatthesignerhadpossessionofAlice’sprivatekey• IsthisproofthatthesignerwasAlice?
• RSAmostcommonalgorithmofthistype
cred-c.org|25
Asymmetric:PublicKeyCryptography• Inpracticepublickeycryptoiscomputationallymuchmoreexpensivethansymmetric
• Itisusedprincipallyto• Encodeandexchangesymmetric‘sessionkeys’,afterwhichthecryptoisdoneusingAESorsomeothersymmetricscheme
• Signadigestofamessage,asameansofintegrity• A‘one-way’hashfunctionhtakesanarbitrarilylongmessagem,andcomputesh(m)whoseresultsizeisfixed,e.g.,180or256bytes
• ‘one-way’meansthatknowingh(m)itiscomputationallydifficulttodiscoverm• Given(m,D(private,h(m)))thereceivercan
• Computeh(m)• Comparecomputedh(m)withE(public,D(private,h(m)))
cred-c.org|26
Asymmetric:PublicKeyInfrastructure• PKIisaframeworkforusingandmanagingpublickeycryptosystems• Mostprevalentuseiswithdigitalcertificates• Problem:Bobreceivessignedmessage,reportedfromAlice.WhyshouldhebelieveitisfromAlice?
• A(digital)certificateisissuedbyacertificateauthoritywho• VerifiesthatarequesterclaimingtobeAlice,isindeedAlice• Createsadigitaldocumentthat
• StatesthiscertificateassertsthatAlice’sidentityhasbeenverified• ContainsapublickeytobeusedincommunicationwithAlice• Containsasignedhashofthecertificate,signedbytheprivatekeyofthecertificateauthority
• SoifBobtruststhecertificateauthority(towhat?),hewilltrustthepublickeythatthecertificateholds
cred-c.org|27
Useofcertificates• SSLconnection
• Clientwishestocommunicatesensitiveinformationtoaserver(e.g.,creditcard)• Serverofferscertificatewithitspublickey
• Ifclienttruststhecertificateandthecertificateissuer,sensitiveinformationcanbeencryptedwithserver’spublickey
• Integrityofsoftware• e.g.,driverforsomedevice• Certificateissuedforsoftware,containsh(C),signedbyprivatekeyofissuer
• Systemlooksuppublickeyofissuer,recomputesh(C),decodesversioncontainedincert,acceptsifcomparisonchecksout
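One worked example, added here and not taken from the slides, that ties the three preceding slides together in the slide's own E/D notation: RSA keys are generated from a seeded generator, `E` is the public operation and `D` the private one, so `D(dBob, E(eBob, m)) = m` for encryption and `E(eAlice, D(dAlice, h(m))) = h(m)` for a signature over a SHA-256 digest, and a toy certificate shows a CA binding a name to a public key with a signed hash. Unpadded "textbook" RSA is used only so that the identities are visible; deployed systems use padded schemes (OAEP, PSS). Every name, key seed and message below is constructed for the example.

```python
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(bits: int = 512, seed: int = 0):
    """Return (public, private) = ((e, n), (d, n)). The seed only makes
    the example reproducible; real key generation needs a CSPRNG."""
    rng = random.Random(seed)
    e = 65537

    def random_prime() -> int:
        while True:
            cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if cand % e != 1 and is_probable_prime(cand):  # keeps gcd(e, phi) = 1
                return cand

    p, q = random_prime(), random_prime()
    while q == p:
        q = random_prime()
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)   # d = e^-1 mod phi (Python 3.8+)


def E(public, m: int) -> int:
    """Public operation: encrypt to the key holder, or verify a signature."""
    e, n = public
    return pow(m, e, n)


def D(private, m: int) -> int:
    """Private operation: decrypt, or sign."""
    d, n = private
    return pow(m, d, n)


def h(message: bytes) -> int:
    """One-way hash: SHA-256 digest as a 256-bit integer, always < n here."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def encrypt(public, message: bytes) -> int:
    m = int.from_bytes(message, "big")
    if m >= public[1]:
        raise ValueError("textbook RSA: message must be smaller than n")
    return E(public, m)


def decrypt(private, ciphertext: int) -> bytes:
    m = D(private, ciphertext)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message: bytes) -> int:
    return D(private, h(message))            # sign the digest, not the message


def verify(public, message: bytes, signature: int) -> bool:
    return E(public, signature) == h(message)


def issue_certificate(ca_private, subject: str, subject_public) -> dict:
    """Toy certificate: the CA signs the hash of (subject, public key)."""
    body = f"{subject}|{subject_public[0]}|{subject_public[1]}".encode()
    return {"subject": subject, "public": subject_public,
            "ca_signature": sign(ca_private, body)}


def trusted_public_key(cert: dict, ca_public):
    """Bob's check: accept the key in the certificate only if the CA's
    signature over it verifies under the CA key he already trusts."""
    body = f"{cert['subject']}|{cert['public'][0]}|{cert['public'][1]}".encode()
    return cert["public"] if verify(ca_public, body, cert["ca_signature"]) else None
```

Note what the last function does and does not establish: it proves the CA signed this name/key binding, so Bob's trust in Alice's key is exactly as good as his trust in the CA's verification of her identity.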
Firewall Goal
• Insert after-the-fact security by wrapping or interposing a filter on network traffic
[Figure: a firewall placed between Inside and Outside]

Limits to firewalls
• Cannot analyze encrypted traffic
  • Beyond header information
• Relies on port as indicator of service
  • Newer firewalls dynamically analyze traffic to determine protocol
• Tracking IP addresses instead of people
• Management is complex

Electronic Security Perimeter (ESP)
• Many utilities use a combination of diagrams and the configurations of their firewalls to define the ESP and security controls surrounding the ESP
• The utility needs to document organizational processes and technical and procedural mechanisms for control of electronic access

Availability
• The system is up and able to do its job
• The system is responding within specifications
• …

Case Study Legacy Protocol: DNP3
• Stands for Distributed Network Protocol v3
• Developed by Westronic (now GE Harris) in 1990
  • For use in electric SCADA in North America
  • Control center to substations
• Based on partially completed IEC 60870-5
  • Popular in Europe
• Interoperable alternative to Modbus (another power protocol)
• No inherent security in protocol
• Now popular in other SCADA systems (water, oil & gas)
• Managed by DNP Users Group since 1993
• Standardized in 2010 as IEEE 1815-2010 (current: 2012)
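To make "no inherent security in protocol" concrete, here is an added example (not from the slides or the DNP Users Group) of a minimal DNP3 link-layer frame builder and parser: the 0x05 0x64 start bytes, the 8-byte header with its CRC, and 16-byte user-data blocks each followed by a CRC, using the CRC-16/DNP parameters (polynomial 0x3D65, bit-reflected, result inverted, transmitted little-endian). The parser rejects any frame whose CRC fails, which catches line noise; because the CRC is a public function rather than a keyed MAC, any well-formed frame passes, so the protocol itself cannot tell an authorized master from anyone else on the link. Addresses, the control byte and the payload are constructed for the example.

```python
DNP3_START = b"\x05\x64"
HEADER_LEN = 8            # 05 64 LEN CTRL DEST(2) SRC(2), followed by a 2-byte CRC
BLOCK_LEN = 16            # user data travels in 16-byte blocks, each with its own CRC


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected form of 0x3D65 (0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a link-layer frame; LEN counts CTRL+DEST+SRC+data, not CRCs."""
    if len(user_data) > 250:
        raise ValueError("LEN is one byte: at most 250 bytes of user data")
    header = (DNP3_START + bytes([5 + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), BLOCK_LEN):
        block = user_data[i:i + BLOCK_LEN]
        frame += block + crc_dnp(block).to_bytes(2, "little")
    return frame


def parse_frame(frame: bytes) -> dict:
    """Check the start bytes and every CRC, then return header fields and data."""
    if len(frame) < HEADER_LEN + 2 or frame[:2] != DNP3_START:
        raise ValueError("missing 0x05 0x64 start bytes")
    header = frame[:HEADER_LEN]
    if int.from_bytes(frame[HEADER_LEN:HEADER_LEN + 2], "little") != crc_dnp(header):
        raise ValueError("header CRC mismatch")
    length, ctrl = header[2], header[3]
    dest = int.from_bytes(header[4:6], "little")
    src = int.from_bytes(header[6:8], "little")
    data, pos, remaining = b"", HEADER_LEN + 2, length - 5
    while remaining > 0:
        n = min(BLOCK_LEN, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or int.from_bytes(crc, "little") != crc_dnp(block):
            raise ValueError("data block CRC mismatch or truncated frame")
        data += block
        pos += n + 2
        remaining -= n
    return {"ctrl": ctrl, "dest": dest, "src": src, "data": data}


def crc_catches_corruption(frame: bytes, byte_index: int) -> bool:
    """Flip one bit and report whether the parser now rejects the frame.
    The CRC detects transmission errors; it is not an authentication check."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 0x01
    try:
        parse_frame(bytes(damaged))
        return False
    except ValueError:
        return True


# Constructed sample: master (address 1) sends unconfirmed user data
# (CTRL 0xC4: DIR=1, PRM=1, function code 4) to outstation 1024, 20-byte payload.
SAMPLE_FRAME = build_frame(0xC4, dest=1024, src=1, user_data=bytes(range(20)))
```

This is why the later slides point at IEEE 1711 (bump-in-the-wire link protection) and why DNP3 Secure Authentication exists: the integrity that matters against an adversary has to be added around or on top of the base protocol.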
Case Study New Protocol: IEC 61850
• An electric sector specific "super protocol"
• Designed for IP
• Initial focus was on substation automation
  • Now expanded to address many systems in the electric sector
• Supports traditional protection and control function and enables new advanced capabilities
• Provides future integration with the enterprise using CIM (Common Information Model)

61850 History
[Figure: IEC 61850 timeline. Source: EnerNex, NASPI 2012]
Notes:
• IEC 61850 Edition 2 was released starting in 2010
• DNP3 was published as IEEE 1815 in 2010

Operations systems
• operations systems include
  • traditional control systems such as SCADA, DCS
  • AMI, DR, OMS, DGM
• enterprise systems include
  • desktop work tools (email, word processing, …)
  • data center systems (storage, backup, …)
  • web services (customer portals, bill payment, …)
Occasional uses of Control System/Network/DMZ appearing in these slides should be read as Operations System/Network/DMZ

Availability, Integrity and Confidentiality
• Enterprise systems are typically thought about as C-I-A
  • Confidentiality of intellectual property matters most
• Control systems are often A-I-C
  • Availability and integrity of control matter most
  • control traffic has less need for confidentiality
    • low entropy
    • except for embedded cleartext passwords
• Many control vendors provide 99.9999% availability
  • typical networking gear is five 9's
• Ensuring availability is hard
  • Cryptography does not help (directly)
  • DDOS protection, rate limiting, QoS, resource capping, redundancy, robust hardware with high MTBF

Poor Authentication and Authorization
• Machine-to-machine comms involve no "user"
• Many control systems have poor authentication mechanisms and limited authorization mechanisms
• Many protocols use cleartext passwords
• Many control system devices lack crypto support
• Device passwords are hard to manage appropriately
  • Often one password is shared amongst all devices and all users and seldom if ever changed
  • Many devices still ship with default passwords

Security Risks to operations systems
• Poor separation from enterprise
• Legacy OSes and applications
• Limited security monitoring
• Inability to limit access
• Poorly secured 3rd party access
• Inability to revoke access quickly
• Dialup modems
• Unexamined system logs
• Unpatched systems
• Accidental misconfiguration
• Limited use of anti-virus
• Improperly secured devices
• Limited use of host-based firewalls
• Lack of security features
• Improper use of ops workstations
• Improperly secured wireless
• Unauthorized applications
• Unencrypted links to remote sites
• Unnecessary applications
• Passwords sent in clear text
• Open FTP, Telnet, SNMP, HTML ports
• Password management problems
• Fragile control devices
• Default OS security configurations
• Network scans by IT staff
• Unpatched routers / switches
• and more!

Fragile Control System Devices
• Some IP stack implementations are fragile
  • Some devices lock up on ping sweep or NMAP scan
  • Numerous incidents of control systems shut down by uninformed IT staff running a well-intentioned vulnerability scan
• Modern control devices are much more complex
  • Many include web server for config and status
  • More lines of code lead to more bugs
  • Modern control devices require patching just like servers

Unpatched Systems
• Many control devices are not patched current
  • Particularly Windows servers
  • No patches available for older versions of Windows
• OS and application patches can break control systems
  • Uncertified patches can invalidate warranty
• Patching often requires server reboot
• Before installation of a patch:
  • Vendor certification — typically one week
  • Lab testing by operator
  • Staged deployment on less critical systems first
  • Avoid interrupting any critical process phases
• Automatic updates can occur at inopportune times

Limited use of Anti-Virus
• AV operations can cause significant system disruption at inopportune times
  • 3 am is no better than any other time for a full disk scan on a system that operates 24x7x365
• Not all control system vendors support anti-virus
• Anti-virus is only as good as the signature set
  • Signatures may require testing just like patches
• Symantec says AV misses 55% of threats
  • Wall Street Journal, May 2014

Poor Audit and Logging
• Many control devices have poor or non-existent support for logging security-related actions
  • Attempted or successful intrusions may go unnoticed
• Where kept, logs are reviewed infrequently
• Regulatory requirements are weak in this area:
  • NERC CIP-005-3 R3.2: Where alerting is not technically feasible, the Responsible Entity shall review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
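An added example (not part of the slides) of what the "review or otherwise assess access logs" step can look like when automated: a parser for access-gateway login records, a pass that flags repeated failures from one source and any successful login from a source not on the utility's authorized list, and a check of the ninety-calendar-day review cadence the requirement names. The log lines, hostname, addresses and the authorized-source list are constructed for this example and follow a simplified sshd-like format, not any vendor's real log syntax.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access log (simplified sshd-like format; not real device output).
SAMPLE_LOG = """\
2016-09-20T02:14:07Z esp-gw sshd: Failed password for admin from 203.0.113.45 port 51022
2016-09-20T02:14:09Z esp-gw sshd: Failed password for admin from 203.0.113.45 port 51023
2016-09-20T02:14:12Z esp-gw sshd: Failed password for root from 203.0.113.45 port 51024
2016-09-20T02:14:15Z esp-gw sshd: Failed password for operator from 203.0.113.45 port 51025
2016-09-20T02:14:20Z esp-gw sshd: Accepted password for operator from 203.0.113.45 port 51026
2016-09-20T08:01:33Z esp-gw sshd: Accepted publickey for operator from 10.20.30.7 port 44210
2016-09-21T13:45:10Z esp-gw sshd: Failed password for operator from 10.20.30.7 port 44300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)$"
)

AUTHORIZED_SOURCES = {"10.20.30.7"}   # constructed: the utility's management host
FAIL_THRESHOLD = 3                    # repeated failures from one source worth a look


def parse_log(text: str) -> list:
    """Turn raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def assess_access_log(text: str) -> list:
    """Findings for 'attempts at or actual unauthorized accesses'."""
    events = parse_log(text)
    findings = []
    failures = Counter(e["src"] for e in events if e["result"] == "Failed")
    for src, count in failures.items():
        if count >= FAIL_THRESHOLD:
            findings.append(f"{count} failed logins from {src}: possible attempted unauthorized access")
    for e in events:
        if e["result"] == "Accepted" and e["src"] not in AUTHORIZED_SOURCES:
            findings.append(f"successful login for {e['user']} from unlisted source {e['src']} "
                            f"at {e['ts'].isoformat()}: possible actual unauthorized access")
    return findings


def review_overdue(last_review: datetime, today: datetime, max_days: int = 90) -> bool:
    """CIP-005-3 R3.2 cadence: logs must be reviewed at least every ninety calendar days."""
    return (today - last_review).days > max_days
```

The second finding is the one that matters most in the sample: a successful login from the same address that just failed four times is the pattern a ninety-day manual review would most easily miss.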
Unmanned Field Sites
• Many unmanned field sites
  • Some with high-speed connectivity to control center
  • Most with poor authentication and authorization
  • Many with dialup access
• Can be an easy backdoor to the control center

Legacy Equipment
• Much legacy equipment using serial protocols
• Usually impossible to update to add security features
• Difficult to protect legacy communications
  • but see IEEE 1711 for serial encryption

Unauthorized Applications
• Unauthorized apps installed on control systems can interfere with operation
• Many types of unauthorized apps have been found during security audits
  • Instant messaging
  • P2P file sharing
  • DVD and MPEG video players
  • Games, including Internet-based
  • Web browsers

Inappropriate Use of Control Systems
• Web browsing from HMI can infect control system
  • Browser vulnerabilities
  • Downloads
  • Cross-site scripting
  • Spyware
• Email to/from control servers can infect control system
  • Sendmail and Outlook vulnerabilities
• Resource exhaustion can impact control operation
  • Storage of music, videos
  • CPU usage for bitcoin mining

People Issues
• Ops network often managed by "Operations Department", distinct from "IT Department" running enterprise network
  • Ops personnel are not IT or networking experts
  • IT personnel are not Ops experts
• Significant fraction of control systems workforce is older and nearing retirement
  • Few young people entering this field
  • Few academic programs

Evolution of Cyber Threats To Utilities
[Timeline figure, grouped by category:]
• energy sector: Stuxnet 2010, Duqu 2011, Night Dragon 2011, ARAMCO 2012, Telvent 2012, Energetic Bear 2014
• financial: Sony 2011, 2014; Cryptolocker 2013; Target 2013; Unlimited Operations 2014; Carbanak 2015; IRS 2015; botnets
• worms, viruses: Morris worm 1988, ILoveYou 2000, Nimda 2001, Code Red 2001, SQL Slammer 2003, Zotob 2005
• state level: Google Aurora 2010, Operation Shady RAT 2011, DigiNotar 2011, Flame 2012, Snowden 2013
In practice, untargeted threats matter just as much!
Internet Attack
[Figure: utility network with SCADA, AMI, OMS, substations, meters and distribution devices; numbered steps:]
1a. Malware infects desktop via web browsing, email, phishing, social engineering
1b. Attacker compromises DMZ server via web vulnerability
2. Scans network and spreads, and/or sets up C&C channel
3. Elevates access by obtaining other credentials, gains control of domain
4. Compromises Operations from poorly controlled laptops, flash drives, backup systems, engineering systems, etc.

Field Network Attack
[Figure: same network; numbered steps:]
1a. Substation network physically breached
1b. Field communications breached
1c. Field devices connected to public Internet
1d. Infected portable media or laptops connected to operations
2. Scan network, set up C&C channel
3. Attacker elevates access, gains control of operations systems

3rd Party Attack
[Figure: same network plus a 3rd party connection; numbered steps:]
1. Attacker compromises 3rd party: vendor, consultant, hosted service, carrier, neighbor utility, power provider, market operator, ISO, etc.
2. Expands through 3rd party remote access connection, software upgrade, etc.
3. Scans network and spreads, and/or sets up control channel
4. Elevates access by obtaining other credentials, gains control of portable devices
Defense in Depth
• Perimeter Protection
  • Firewall, IPS, VPN, AV
  • Host IDS, Host AV
  • DMZ
• Interior Security
  • Firewall, VPN, AV
  • Host IDS, Host AV
  • App Whitelisting
  • IEEE 1711 (AGA 12)
  • NAC
• Monitoring
  • Host & Network IDS
  • Port & Vuln Scanning
• Management
Abbreviations: IDS Intrusion Detection System; IPS Intrusion Prevention System; DMZ DeMilitarized Zone; VPN Virtual Private Network (cryptographic); AV Anti-Virus; NAC Network Admission Control

50,000 Foot View
[Figure: Internet, Enterprise Network ("IT stuff"), Operations Network, Field Sites and Partner Site, joined through VPNs and firewalls (FW), with IPS/IDS, scanning, AV, IEEE 1711 link protection, a proxy, and Host IPS/IDS/AV on servers]

Defending Utility Networks
[Figure: Separate Control Network; Harden Enterprise Perimeter; Harden Interior; Harden Field Perimeter; Harden Field Networks; Monitor; Monitor Field Sites]

Defending Utility Networks
• Separate operations from enterprise network
• Harden perimeter connection to enterprise network
  • Protect all points of entry with strong authentication
  • Make reconnaissance difficult from outside
• Harden interior of operations network
  • Make reconnaissance difficult from inside
  • Limit single points of vulnerability
  • Frustrate opportunities to expand a compromise
• Harden field sites and partner connections
• Monitor security events from perimeters and inside
• Monitor server and network behavior
• Periodically scan for changes in security posture

Operations DMZ Perimeter Protection
[Figure: Firewall with NAT; Remote Access VPN; Network Anti-Virus; Intrusion Prevention]

Operations DMZ Architecture
• Enterprise Network contains typical office systems
  • Email, web, office apps, etc.
• Operations DMZ provides connectivity
  • Contains only non-critical systems that provide connectivity between Operations and Enterprise Networks
  • Enforces separation between Enterprise and Operations Networks
  • May consist of multiple functional zones
  • Separated by Firewall, IPS, Anti-Virus, etc.
• Operations Network demarcates critical systems
  • May consist of multiple functional zones
  • Internally protected by Firewall, IDS, Anti-Virus, etc.

Operations DMZ Design Principles
• Multiple functional security zones
• Traffic between zones undergoes firewall & IPS
• Only path in/out of Operations Network
• Default deny for all firewall interfaces
• No/minimal direct traffic across DMZ
• No common ports between outside & inside
• No control traffic to outside
• Highly limited outbound traffic
• No connections initiated from DMZ into Operations
• Emergency disconnect at inside or outside
• No network management from outside
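The design principles above can be checked mechanically against a firewall rule set. The following is an added example (not from the slides or from CRED-C): a default-deny evaluator that permits a flow only when an allow rule matches its initiating zone, destination zone and port, plus a linter that flags rules violating "no connections initiated from DMZ into Operations", "no control traffic to outside", "no network management from outside", "only path in/out of Operations Network" and "no common ports between outside & inside". The address plan and both rule sets are constructed; the control-protocol ports (DNP3 20000, Modbus/TCP 502, IEC 61850 MMS 102) and management ports (SSH 22, Telnet 23, SNMP 161) are their well-known assignments.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: each zone is one prefix; anything else is "outside".
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "operations": ip_network("10.3.0.0/16"),
}
CONTROL_PORTS = {20000, 502, 102}    # DNP3, Modbus/TCP, IEC 61850 MMS
MGMT_PORTS = {22, 23, 161}           # SSH, Telnet, SNMP
OUTSIDE = {"outside", "enterprise"}  # everything beyond the Operations DMZ


@dataclass(frozen=True)
class Flow:
    src: str     # initiating host
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


def permitted(rules, flow: Flow) -> bool:
    """Default deny: only an explicit (src_zone, dst_zone, dport) rule lets a flow through."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.dport) in set(rules)


def lint(rules) -> list:
    """Report every rule that breaks one of the DMZ design principles."""
    findings = []
    into_dmz = {p for s, d, p in rules if s in OUTSIDE and d == "dmz"}
    into_ops = {p for s, d, p in rules if d == "operations"}
    for s, d, p in rules:
        if s == "dmz" and d == "operations":
            findings.append(f"{s}->{d}:{p} connection initiated from DMZ into Operations")
        if d in OUTSIDE and p in CONTROL_PORTS:
            findings.append(f"{s}->{d}:{p} control traffic to outside")
        if s in OUTSIDE and d in ("dmz", "operations") and p in MGMT_PORTS:
            findings.append(f"{s}->{d}:{p} network management from outside")
        if "operations" in (s, d) and "dmz" not in (s, d):
            findings.append(f"{s}->{d}:{p} bypasses the DMZ as the only path in/out of Operations")
    for p in sorted(into_dmz & into_ops):
        findings.append(f"port {p} open both outside->DMZ and DMZ->Operations (common port)")
    return findings


# A rule set that respects the principles: everything terminates in the DMZ and
# the Operations side initiates the only Operations<->DMZ connection.
GOOD_RULES = [
    ("enterprise", "dmz", 443),     # office users read exported data from the DMZ mirror
    ("enterprise", "dmz", 3389),    # remote access lands on the DMZ terminal server
    ("operations", "dmz", 1433),    # Operations pushes data to the mirror (initiated inside)
]

# The same set with four rules an audit should reject.
BAD_RULES = GOOD_RULES + [
    ("dmz", "operations", 20000),      # DMZ host initiating control traffic inward
    ("operations", "outside", 20000),  # control protocol leaving the perimeter directly
    ("outside", "dmz", 22),            # SSH management from the Internet
    ("dmz", "operations", 443),        # same port open on both sides of the DMZ
]
```

Because `permitted` consults only the rule list, a flow such as a DMZ terminal server opening RDP into Operations is dropped under `GOOD_RULES` even though the reverse direction carries data; that asymmetry is the "no connections initiated from DMZ into Operations" principle expressed as configuration.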
Remote Access
• Security Appliance terminates Remote Access VPN
  • IPSEC VPN, SSL VPN, PPTP VPN
• Authenticates user via:
  • AAA server, LDAP, Active Directory, etc.
  • Can enforce use of multi-factor authentication
    • Time-varying password tokens for vendor access
• Clients use VNC, Citrix, or Remote Desktop (RDP) to connect to Terminal Server in DMZ
  • Then VNC, Citrix, or RDP to Operations System

How NOT to connect Operations/Enterprise
• Dual-homed server
• Dual-homed server with Host IPS/AV
• Router with packet filter ACLs
• Two-port Firewall
• Router + Firewall combination
• See NISCC Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks, NISCC and BCIT, Feb 2005

Operations DMZ Interior Protection
[Figure: Intrusion Detection/Prevention; Port Scanning; Vulnerability Scanning; Host IPS; Host Anti-virus; Application Whitelisting; Network Access Control; Virtualization & Snapshots]

Operations DMZ Interior Protection
• Deploy mirror servers for data export
• Deploy terminal servers for remote access
• All DMZ servers are non-critical, thus:
  • use Host IPS
  • use Host Anti-Virus
  • use Application Whitelisting
  • use Virtualization with Snapshots and Rollback
  • use Network Access Control to block unintentional use of DMZ and help enforce adherence to policy
  • patch as often as possible (Windows Update)

Operations Network Design Principles
• Minimal number of connections to DMZ
• Operations Network independent of DMZ, Enterprise
  • Separate Networking Hardware from DMZ
  • Separate Time Server
  • Separate AAA
  • Allows emergency disconnect from DMZ
• QoS where applicable
• Redundancy where appropriate

Operations Network Interior Protection
[Figure: Intrusion Detection; Port Scanning; Vulnerability Scanning; Server Monitoring; Network Monitoring; Switch Core with SPAN or Port Mirror]

Operations Network Interior Protection
• use host Anti-virus where endorsed by vendor
• use host IDS/IPS where endorsed by vendor
  • with SCADA signatures if available
• patch as frequently as vendor supports
• use network protections not prone to false positives
  • IDS
  • slow port scanning
  • careful vulnerability scanning with direct oversight
    • including security configuration audit
  • careful network access control
  • network and server performance monitoring

3rd Party Connection Security
• site-to-site VPN to 3rd party sites
• firewall facing 3rd party links
• IPS or IDS for traffic to/from 3rd party links
• access controlled by utility, using 2-factor authentication and/or web conference tool

Field Site Protection
[Figure: control center side with Firewall, Site-to-site VPN, Network Access Control, Intrusion Detection, Port Scanning, Server Monitoring, Network Monitoring; field sites with Firewall, Site-to-Site VPN and Network Access Control, or Firewall, SCADA VPN and Network Access Control]

Field Site Protection
• site-to-site VPN or SCADA VPN to field sites
• firewall at both control center and field sites
  • for IP-enabled substations with LANs
• IDS at field sites
• network access control at field sites
• port scanning
• server monitoring
• network monitoring

Substation Security
[Figure: Firewall; Site-to-site VPN; Network Access Control; Intrusion Detection; Port Scanning; Server Monitoring; Network Monitoring]

Cloud and hosted Services
• Cloud enables economies of scale
  • especially valuable for utilities with limited IT staff
  • can enable services otherwise too complex
  • security of services can be stronger
    • data encryption, key management, 2-factor authentication, etc. from cloud provider
    • patch management handled by service provider
• But availability must be considered
  • Internet availability during outage?
  • Service Level Agreement with ISP
  • not so suitable for control services like SCADA

Standards & Best Practices
• NERC CIP
  • compliance requirements for utilities
• NISTIR 7628
  • huge compilation of cyber security guidance for smart grid systems
• NIST SP 800-53, rev 4
  • security controls and how to select and apply them
• ISA99 / ISA SP99 / IEC 62443
  • broad set of security recommendations for Industrial Automation and Control Systems, including general, policies & procedures, system, and component recommendations
• NIST SP 800-82, rev 2
  • differences between enterprise and ICS systems
  • network segmentation and segregation
• NIST Cyber Security Framework, Feb 2014
  • using business drivers to guide cyber security activities, risk management
  • Identify, Protect, Detect, Respond, Recover
• DHS Catalog of Control System Security
  • Catalog of practices for securing control systems from both physical and cyber attack
• Electricity Sub-Sector Cybersecurity Capability Maturity Model (ES-C2M2)
• NIST SP 1800 Cybersecurity Practice Guides