
Office of Critical Infrastructure Protection

SCADA Security

Prepared for

SECA XVI Conference

Brooklyn Park, Minnesota
October 9, 2000

Prepared by

Jeff Dagle

Pacific Northwest National Laboratory
Richland, Washington

(509) 375-3629
[email protected]


Outline

Context: Current Trends in Industry
– Information Technology
– Implications of Restructuring

Federal Perspective
– Critical Infrastructure Protection Initiative
– DOE Vulnerability Assessment Activity

SCADA Security
– Trends and Implications
– Vulnerability Demonstration
– Mitigation Strategies


Information Technology Trends

[Figure: dependency and risk, both increasing]

Increasing:
– enterprise dependence on IT
– connectivity and standardization
– access to information assets
– dependencies on other infrastructures

Role of the Internet
– E-Biz projected increase from $8B (‘97) to $320B (‘02)
– Utility E-Biz projection: $2B (‘97) to $10B (‘02)

Information technologies are becoming inseparable from the core business of enterprises


Information Technology Anecdotes

Hacker Trends
– First computer virus conceived in 1987; today there are 30,000 (10 more each day)
– Hacker software and sophistication increasing exponentially
– More than 1/2 of the 50 largest banks report significant network attacks in ‘98
– Gas/electric utility reports over 100,000 scans per month
– Distributed denial of service attacks against e-commerce sites

Response
– FBI computer caseload: 200 cases to 800 cases in last two years; number of cases now agent limited
– IT security gaining increased attention in auditing, insurance and underwriting communities
– $1.6 trillion forecast worldwide to deal with cyber challenges; $6.7 billion in first 5 days of response to “I Love You”


Information Age Threat Spectrum

[Figure: threat actors arranged from national security threats (top) through shared threats to local threats (bottom), each with its motivation]

National Security Threats
– Info Warrior: Reduce U.S. Decision Space, Strategic Advantage, Chaos, Target Damage
– National Intelligence: Information for Political, Military, Economic Advantage

Shared Threats
– Terrorist: Visibility, Publicity, Chaos, Political Change
– Industrial Espionage: Competitive Advantage, Intimidation
– Organized Crime: Revenge, Retribution, Financial Gain, Institutional Change

Local Threats
– Institutional Hacker: Monetary Gain, Thrill, Challenge, Prestige
– Recreational Hacker: Thrill, Challenge


Energy Incidents and Anecdotes

– DOE database reports 20,000 attacks on lines, substations, and power plants from 1987 to 1996; many attacks continue
– 1997 San Francisco outage: probably an insider
– June 1999 Bellingham pipeline explosion accompanied by SCADA failure
– Belgium & US (Mudge) hackers threaten to shut down electric grid (Fall ‘99)
– Hacker controls Gazprom natural gas in Russia (Spring 2000)
– Potential plot to attack nuclear plant during Sydney Olympics


Trends - Restructuring

Industry downsizing
– 20% or more reductions of staff over last five years
– Physical and IT security implications: “Doing more with less”

Mergers
– Increased 4x between 1990 and 1997
– Keeping staff trained and updated
– New business & players

Open access and open architecture systems
– Mandated by regulation
– Maintainability and low cost: security implications?


National Action

July 1996 - President’s Commission on Critical Infrastructure Protection (PCCIP)
“Certain national infrastructures are so vital that their incapacitation or destruction would have a debilitating impact on the defense or economic security of the United States”

October 1997 - PCCIP report (Critical Foundations: Protecting America’s Infrastructures)

May 1998 - Presidential Decision Directive 63: Policy on Critical Infrastructure Protection
“Waiting for disaster is a dangerous strategy. Now is the time to act to protect our future.”

Sector Lead Agencies

Sector                 Lead Agency
Financial Services     Dept. of Treasury
Transportation         Dept. of Transportation
Electric, Gas & Oil    Dept. of Energy
Information/Comms      Dept. of Commerce
Law Enforcement        Dept. of Justice
Continuity of Gov’t.   FEMA
Fire                   FEMA
Emerg. Health Svcs.    HHS
Water                  EPA

National Organizational Structure Proposed by Critical Infrastructure Protection PDD

[Figure: organization chart; the legend marks new organizations. Elements shown: President; National Security Advisor; National Coordinator; Critical Infrastructure Coordinating Group; National Infrastructure Assurance Council; Policy & Program Management; Crisis Management; EOP; OSTP (R&D); National Infrastructure Protection Center; Information Sharing and Analysis Center; Private Sector; Special Function Agencies: DOJ (Law Enforcement), DoD (National Defense), CIA (Intelligence), DOS (Foreign Affairs); DoD/DOC: Critical Infrastructure Assurance Office]


The Department of Energy’s Infrastructure Assurance Outreach Program (IAOP)

[Figure: energy infrastructures: electric power, natural gas, oil]

Utilize DOE expertise to assist in enhancing energy infrastructure security.
– Awareness: vulnerabilities & risks
– Assistance: assessment to identify and correct vulnerabilities
– Partnership: teaming with industry to collectively advance critical infrastructure protection

Voluntary participation conducted under strict terms of confidentiality


IAOP Scope

IAOP Assessments:
– Electric power infrastructure (started in FY 1998)
  • Primarily cyber, includes physical security and risk management
  • Approximately 10 electric utilities received voluntary assessments
– Natural gas (started in FY 2000)
  • Physical and cyber
– Expertise from multiple national laboratories and other Federal agencies
– Assessment, not audit

IAOP Outreach
– Conferences, meetings, information sharing
– Support industry groups (NERC, NPC, EPRI, …)
– Engagement with other Federal agencies (FBI, NSA, NRC ...)


Project Outline

Task I - Project Planning & Pre-Assessment
– Project Planning and Scoping
– Pre-Assessment: Critical asset definition

Task II - Assessment
– Threat Environment
– Network Architecture
– Network Penetration
– Physical Security, Operations Security
– Administrative Policies, Procedures
– Energy System Influence
– Risk Analysis

Optional Task III - Methodology & Prudent Practices
– Methodology Handbook
– Prudent Practices
– Awareness (Closed forums and workshops)


Risk Management: Spectrum of Action

[Figure: spectrum of action ranging from Armored to Resilient]


SCADA Trends

Open protocols
– Open industry standard protocols are replacing vendor-specific proprietary communication protocols

Interconnected to other systems
– Connections to business and administrative networks to obtain productivity improvements and mandated open access information sharing

Reliance on public information systems
– Increasing use of public telecommunication systems and the internet for portions of the control system


SCADA Concerns

Integrity
– Assuring valid data and control functions
– Most important due to impact

Availability
– Continuity of operations
– Historically addressed with redundancy

Confidentiality
– Protection from unauthorized access
– Important for market value, not reliability


SCADA Vulnerability Demonstration

[Figure: demonstration setup with three components: Operator Interface; Field Device (RTU, IED or PLC); RTU Test Set (Intruder)]


Operator Interface

– Simulated display of electrical substation
– Circuit breaker status information read from field device


SCADA Message Strings

– Captured by RTU test set
– Repeating, easily decipherable format


Attack Scenarios

Denial of service
– Block operator’s ability to observe and/or respond to changing system conditions

Operator spoofing
– Trick operator into taking imprudent action based on spurious or false signals

Direct manipulation of field devices
– Send unauthorized control actions to field device(s)

Combinations of above
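Each of the three scenarios leaves a trace on the field link that a passive monitor can flag. The following Python is an added example, not part of the presentation and not a decoder for any real SCADA protocol: it walks a constructed text log of frames (the line format, the addresses master=1, field device=7 and intruder test set=9, and the flood threshold are all assumptions) and raises one alert per scenario: a control command from an address other than the master (direct manipulation), a status report from a non-field-device address or a field state that contradicts the master's last command (operator spoofing), and a frame rate above the threshold (denial of service).

```python
import re
from collections import defaultdict

# Constructed line format for a passive log of frames seen on the field link.
# Not a real protocol trace; a real monitor would decode the site's own protocol.
#   t=<seconds> src=<addr> dst=<addr> func=<READ|OPERATE|STATUS> point=<n> val=<n>
LINE = re.compile(
    r"t=(?P<t>[\d.]+) src=(?P<src>\d+) dst=(?P<dst>\d+) "
    r"func=(?P<func>\w+) point=(?P<point>\d+) val=(?P<val>\d+)"
)

MASTER_ADDR = 1            # the operator interface / SCADA master (assumed address)
FIELD_ADDRS = {7}          # known field devices on this link (assumed)
MAX_FRAMES_PER_SEC = 20    # flood threshold; constructed, tune per link


def parse(line):
    """Return a dict for one log line, or None if the line is not a frame record."""
    m = LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"t": float(d["t"]), "src": int(d["src"]), "dst": int(d["dst"]),
            "func": d["func"], "point": int(d["point"]), "val": int(d["val"])}


def analyze(lines):
    """Return (scenario, time, detail) alerts sorted by time."""
    alerts = []
    commanded = {}                 # point -> value last commanded by the master
    per_second = defaultdict(int)  # frame count per whole second, for the flood check
    for f in filter(None, map(parse, lines)):
        per_second[int(f["t"])] += 1
        if f["func"] == "OPERATE":
            if f["src"] != MASTER_ADDR:
                # Direct manipulation: a control action that did not come from the master.
                alerts.append(("direct manipulation", f["t"],
                               f"OPERATE on point {f['point']} from unexpected source {f['src']}"))
            else:
                commanded[f["point"]] = f["val"]
        elif f["func"] == "STATUS":
            if f["src"] not in FIELD_ADDRS:
                # Operator spoofing: a status report from something that is not a field device.
                alerts.append(("operator spoofing", f["t"],
                               f"STATUS for point {f['point']} from unexpected source {f['src']}"))
            elif f["point"] in commanded and f["val"] != commanded[f["point"]]:
                # Field state disagrees with the master's last command: verify in the field
                # (a protection trip, an injected command or a false report all look like this).
                alerts.append(("state mismatch", f["t"],
                               f"point {f['point']} reports {f['val']} but master last commanded {commanded[f['point']]}"))
    for sec, n in per_second.items():
        if n > MAX_FRAMES_PER_SEC:
            # Denial of service: the link is flooded, so the operator cannot poll or respond.
            alerts.append(("denial of service", float(sec), f"{n} frames in one second"))
    return sorted(alerts, key=lambda a: a[1])


# Constructed sample capture: the operator opens breaker 3; a test set at address 9 then
# closes it, sends the master a false status, and finally floods the link with reads.
SAMPLE_LOG = [
    "t=0.0 src=1 dst=7 func=READ point=3 val=0",
    "t=0.1 src=7 dst=1 func=STATUS point=3 val=1",
    "t=1.0 src=1 dst=7 func=OPERATE point=3 val=0",
    "t=1.1 src=7 dst=1 func=STATUS point=3 val=0",
    "t=2.0 src=9 dst=7 func=OPERATE point=3 val=1",
    "t=2.1 src=7 dst=1 func=STATUS point=3 val=1",
    "t=3.0 src=9 dst=1 func=STATUS point=3 val=0",
] + [f"t=4.{i:02d} src=9 dst=7 func=READ point=3 val=0" for i in range(25)]

if __name__ == "__main__":
    for scenario, t, detail in analyze(SAMPLE_LOG):
        print(f"{t:5.2f}  {scenario:<20} {detail}")
```

The source-address rules only work because the demonstration's link carries plain, unauthenticated frames, so an address is the only provenance a monitor has; the state-mismatch rule fires on legitimate protection trips as well, which is why it is reported for field verification rather than as a definite intrusion.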


Mitigation Strategies

Security through obscurity
– Poor defense against “structured adversary”

Isolated network

Communication encryption
– Concerns over latency, reliability, interoperability
– Vendors waiting for customer demand

Signal authentication
– May provide good defense without the concerns associated with full signal encryption
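Signal authentication is the option above that can be shown concretely in code. The following is an added example, not code from the presentation or from PNNL: the five-byte frame layout, the authentication scheme (a sequence counter plus a truncated HMAC-SHA256 tag) and the addresses (master 1, field device 7) are all constructed for illustration and correspond to no real SCADA protocol or standard. It shows how a field device that checks the tag, the counter and the source rejects the demonstration's attack traffic (a replayed capture, a forged plain frame in the easily decipherable format, and a frame tagged with the wrong key) while the frame body itself stays readable on the link.

```python
import hashlib
import hmac
import struct

# Constructed toy frame layout (not any real SCADA protocol):
#   src (1) | dst (1) | func (1) | point (1) | value (1) | seq (4) | tag (16)
HEADER = struct.Struct(">BBBBB")
SEQ = struct.Struct(">I")
TAG_LEN = 16
FUNC_READ = 0x01      # read a status point
FUNC_OPERATE = 0x10   # operate a control point (e.g. open/close a breaker)


def build_frame(src, dst, func, point, value):
    """Plain, unauthenticated frame, as the demonstration's RTU test set would send."""
    return HEADER.pack(src, dst, func, point, value)


def authenticate(frame, seq, key):
    """Append a sequence counter and a truncated HMAC-SHA256 tag (constructed scheme)."""
    body = frame + SEQ.pack(seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class FieldDevice:
    """Minimal field device that acts only on authenticated, fresh frames from its master."""

    def __init__(self, key, master_addr):
        self.key = key
        self.master_addr = master_addr
        self.last_seq = 0
        self.points = {3: True}   # point 3 is a breaker; True = closed
        self.rejections = []      # (reason, hex frame): what an analyst would review

    def _reject(self, reason, wire):
        self.rejections.append((reason, wire.hex()))
        return "rejected: " + reason

    def receive(self, wire):
        if len(wire) != HEADER.size + SEQ.size + TAG_LEN:
            return self._reject("malformed", wire)       # e.g. a plain frame with no tag
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return self._reject("bad tag", wire)         # forged or tampered frame
        src, _dst, func, point, value = HEADER.unpack(body[:HEADER.size])
        (seq,) = SEQ.unpack(body[HEADER.size:])
        if seq <= self.last_seq:
            return self._reject("replay", wire)          # captured frame sent again
        if src != self.master_addr:
            return self._reject("unexpected source", wire)
        self.last_seq = seq
        if point not in self.points:
            return self._reject("unknown point", wire)
        if func == FUNC_OPERATE:
            self.points[point] = bool(value)
            return "operated"
        if func == FUNC_READ:
            return "closed" if self.points[point] else "open"
        return self._reject("unknown function", wire)


def run_demo():
    """Replay the demonstration against an authenticating field device; returns dispositions."""
    key = b"constructed-demo-key"   # shared master/device key; distribution is out of scope here
    dev = FieldDevice(key, master_addr=1)
    results = []
    # 1. Legitimate master command: open the breaker at point 3.
    legit = authenticate(build_frame(1, 7, FUNC_OPERATE, 3, 0), seq=1, key=key)
    results.append(dev.receive(legit))
    # 2. Intruder replays the captured frame unchanged.
    results.append(dev.receive(legit))
    # 3. Intruder forges a plain frame in the decipherable format (no tag at all).
    results.append(dev.receive(build_frame(1, 7, FUNC_OPERATE, 3, 1)))
    # 4. Intruder reproduces the layout but tags it with a guessed key.
    results.append(dev.receive(authenticate(build_frame(1, 7, FUNC_OPERATE, 3, 1), 2, b"wrong-key")))
    # 5. Master reads the breaker state back.
    results.append(dev.receive(authenticate(build_frame(1, 7, FUNC_READ, 3, 0), 2, key)))
    return results


if __name__ == "__main__":
    for step, outcome in enumerate(run_demo(), 1):
        print(step, outcome)
```

The cost is one HMAC per frame and 20 extra bytes, which is what makes authentication lighter than full encryption on latency and interoperability; the trade is that the frame contents remain visible, so confidentiality, which the deck ranks below integrity and availability, is not addressed by this mechanism.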


Value Proposition

Expectations
– The government and industry will collaboratively develop technologies consistent with shared infrastructure assurance objectives
– Public sector funding necessary to initiate development of new technologies

Industry
– Proactive in protecting customer and stockholder interests
– Insights into vulnerability and risk assessment techniques
– Due diligence

Government
– Proactive in protecting public interests and national security
– Insights into industry risk management perspectives
– Facilitate long-term research and development, best practices


Conclusions

SCADA is becoming more vulnerable
– Standard, open protocols
– Interconnected to other systems and networks
– Industry in transition

Focus countermeasures to protect:
– Integrity
– Availability
– Confidentiality