IT vs. OT: ICS Cyber Security in TSOs

by G. Caroti, Corporate Security, Head of Information Security, TERNA

Page 1: IT vs. OT: ICS Cyber Security in TSOs

CP-EXPO - Genova, 30 Oct 2013

G. Caroti

IT vs. OT: ICS cyber security in TSOs

Page 2: IT vs. OT: ICS Cyber Security in TSOs

“CI SYSTEM”: “Interdependences” and domino effect …

Critical Infrastructure … services essential for everyday life such as energy, food, water, transport, communications, health and banking and finance.

[Dependence matrix: rows and columns ICT, Gas, Oil, Power System, Railways, Water, Health, Econ/Fin, Social order; each cell graded L, M, H or E. Estimated degree of dependence of a "CI" (column) following a significant and extensive (> 24 h) interruption of service of another "CI" (row). Source: AIIC 2007]

Page 3: IT vs. OT: ICS Cyber Security in TSOs

“CI SYSTEM”: “Interdependences” and domino effect … [diagram]

Page 4: IT vs. OT: ICS Cyber Security in TSOs

Cyber threats, security breaches and impacts

Threats to ICT (systems, infrastructures, applications, services), covering both the corporate and business information systems and the business & operational critical systems:

• Technology failures
• Natural disaster
• Human error, inadequate procedures
• Unauthorised access to systems
• Malicious attacks (hackers)
• Sabotage
• Criminal activities

Security breaches:

• Unauthorised data disclosure
• Unauthorised system alteration
• Data loss or corruption
• System maltreatment
• Operational disruption to services

Potential serious implications:

• Economic losses
• Reputational losses
• PS (power system) and Grid continuity and safety reduction
• Public safety and citizens’ protection

By the use of the term “Resilient” we characterise the systems that provide and maintain an acceptable level of service in the face of faults (unintentional, intentional, or naturally caused) affecting their normal operation. The main aim of resilience is for faults to be invisible to users (ENISA).

Page 5: IT vs. OT: ICS Cyber Security in TSOs

New risks … recently many warning messages!

a. (EU) Work Programme FP7 2009-2010: “protection of critical information infrastructures”
b. (IT) Report of COPASIR 2010 on cyber crime (July 2010)
c. << … >>
d. (US) Obama's executive order: "better protection of the country's critical infrastructure from cyber attacks" (Feb 2013)
e. (US) Warning of the “CIA Director” on new “cyberattack” scenarios (Feb 2013)
f. (EU) Commission: Cybersecurity Strategy of the European Union (Feb 2013)
g. (IT) Report of COPASIR 2013 on threats to national security (Feb 2013)
h. (IT) DIS Report 2012 (Feb 2013)
i. (IT) Warning of Prime Minister Monti on cyber risk (Mar 2013)
j. (IT) DPCM 24/1/13: guidelines for cyber security and national information security (G.U. Mar 2013)

Page 6: IT vs. OT: ICS Cyber Security in TSOs

“Operational Technology“

IT vs. OT[1] …

An independent world of "operational technology" (OT) is developing separately from IT groups … if IT organizations do not engage with OT environments to assess convergence, create alignment and seek potential areas of integration, they may be sidelined from major technology decisions - and place OT systems at risk.

[Gartner - 2009]

[1] OT environment: defined as an independent world of physical-equipment-oriented computer technology (ICS)

Convergence and Alignment? And Integration?

Page 7: IT vs. OT: ICS Cyber Security in TSOs

I(A)CS environment …

IACS: a “heterogeneous world” with several classifications

For functional applications:
• Energy Management Systems (EMS)
• Substation control/protection systems
• Substation Automation Systems (SAS)
• Market Management Systems (MMS)
• Distributed Control Systems (DCS)
• Industrial Automation
• Safety Instrumented Systems (SIS)
• Process Control Systems
• Plant Control Systems

For technologies:
o Supervisory Control and Data Acquisition (SCADA)
o Remote Terminal Unit (RTU)
o Intelligent Electronic Device (IED)
o Programmable Logic Controller (PLC)
o Distributed Computer System (DCS)
o Process Control Network (PCN)

Page 8: IT vs. OT: ICS Cyber Security in TSOs

IACS key elements

SCADA systems collect from the field the data characteristic of the system to be controlled, generate alarms to operators and execute commands to the field by managing communications with the RTUs … one or more servers, data-gathering and control units (RTUs) and a set of standard and/or custom applications to monitor/control the remote elements. A SCADA system can reach more than 50,000 data collection points and transmit analog or digital information, send control signals, and receive input states as feedback to the control operations. It can perform complex sequences of operations and ensure the collection of information at an appropriate frequency.

EMS manages the data set … used by the operators to manage state estimation, energy flows, contingency analysis, load forecasting and allocation of generating units.

AGC controls the generating units to ensure that the optimal load is managed with the criteria of economy … it submits additional control signals to adjust GU production based on load forecasts, availability, speed of response and planned exchanges.

UI allows operators to have an interactive interface … to monitor the performance of the PS, manage alarm conditions and study the potential conditions that ensure system security policies on the network.

[Diagram: Control Center LAN hosting EMS (Apps & DB), AGC, SCADA systems and UI; below it, the Field.]

UI (MMI/HMI) functions:
• Data acquisition
• Control actions (call-up, data entry, ...)
• Processing historical data
• Conducting elements of a plant (remote controls)
• Management of "limits"
• Defined run-time calculations
• Statistics on the functioning of network elements
• Calculation of average P and E per element
• Calculation of financial statements
• Load shedding
• Alarms and Events

Page 9: IT vs. OT: ICS Cyber Security in TSOs

SCADA data flows …

[Diagram: SCADA servers (“S”) placed across the Enterprise Domain, the Centre Layer, the Process Network, the Plant Layer and the Field Layer, with data flows between them and towards the External Industrial Process Domain.]

Page 10: IT vs. OT: ICS Cyber Security in TSOs

Link chain: Threats -> Contingencies

Threats -> Vulnerability (exploitable) -> Component / Device -> System -> Contingency

“IT” < > “OT”

[Diagram: on both the IT side and the OT side, threats act on the Network HW/SW, on the Common Resources and Services, and on the HW/SW and APP layers; the security objectives on both sides are C I A (Confidentiality, Integrity, Availability).]

Page 11: IT vs. OT: ICS Cyber Security in TSOs

Why a protection program for ICS?

[Diagram: cyber vulnerability of ICS versus time, ’80 -> ’90 -> ’00 -> ’10 -> ’20: Enclave (“obscurity”) -> Technological evolution (change of scenario) -> Awareness (compensatory measures) -> Security “embedded” in the systems (tech & process).]

Enclave (“obscurity”):
– Proprietary (non-standard) protocols known to very few people
– No information published on the functioning of the systems
– Only point-to-point connections, often hosted in a private telecommunication environment
– No interconnection with network management
– No interconnection with any external network (i.e. Internet)
– Operational environment inherently protected and segregated
– Low probability of unpredictable conditions of stress load

Technological evolution (change of scenario):
– Migration (also "tacit") by the vendors to "off-the-shelf" technologies
– Introduction of open standards and protocols (TCP/IP and wireless technologies), which exposes the system to its vulnerabilities without proper awareness
– Interconnection needs with other corporate networks and systems, making the systems potentially accessible to unwanted entities too
– Transition from private communications networks or "leased lines" to services of the public infrastructure, which results in increased dependence on public telecommunications service operators
– Remote “maintenance” needs

Page 12: IT vs. OT: ICS Cyber Security in TSOs

Cyber incident on ICS by “human” attack!?

Security incidents show OT vulnerability at every layer: Network Security, System Security, Application Security, Data Security, User Profile Security.

Violation of confidentiality/integrity: attack for (unauthorized) access to the resources, including APT.
Information theft -> Financial losses; Inappropriate handling of components of the PS -> loss of production, outages, operational safety

Violation of availability: attack to cause complete/partial unavailability.
Difficulty of industrial operations -> Lower ability of control of the power system -> Difficulty of emergency management -> Increased risk of instability -> Domino effect on other CI -> Consequences for the community

Attackers: Insiders, Saboteurs, Crackers, Terrorists

Page 13: IT vs. OT: ICS Cyber Security in TSOs

What do we have? …

NIST SP 800-53 control families (class: Tech / Operational / Management):
AC Access Control (Tech)
AT Awareness and Training (Operational)
AU Audit & Accountability (Tech)
CA Certification, Accreditation and Security Assessments (Management)
CM Configuration Management (Operational)
CP Contingency Planning (Operational)
IA Identification & Authentication (Tech)
IR Incident Response (Operational)
MA Maintenance (Operational)
MP Media Protection (Operational)
PE Physical & Environmental Protection (Operational)
PL Planning (Management)
PS Personnel Security (Operational)
RA Risk Assessment (Management)
SA System & Services Acquisition (Management)
SC System & Communications Protection (Tech)
SI System & Information Integrity (Operational)

NERC CIP:
CIP 002 Identification of the IIC supporting the EPU
CIP 003 Security management controls
CIP 004 Personnel and training
CIP 005 Security of network access
CIP 006 Physical security
CIP 007 Systems security management
CIP 008 Incident reporting
CIP 009 Recovery plans and DR

ISA-99 / IEC 62443 foundational requirements:
AC: Access Control
UC: Use Control
DI: Data Integrity
DC: Data Confidentiality
RDF: Restrict Data Flow
TRE: Timely Response to Event
NRA: Network Resource Availability

ISO/IEC 27001 Annex A:
A5. Information security policy
A6. Organizational principles for IS management
A7. Asset management
A8. Personnel policies on IS
A9. Physical and environmental security
A10. Communications and operations management
A11. Access control
A12. IS management in the acquisition, development and maintenance of systems
A13. Security incident management
A14. Business continuity management
A15. Compliance controls

COMMON CRITERIA

Page 14: IT vs. OT: ICS Cyber Security in TSOs

The first “brick” …

Structured FRAMEWORK … as a key enabler, regardless of the source of the "controls" used as a reference (ISO, NIST or other Information Risk Management tools)

Selected …
+ Documented …
+ Implemented …
+ Kept …
+ Improved …
+ Verified …

Page 15: IT vs. OT: ICS Cyber Security in TSOs

“Secure-by-design” framework: “pipeline” for security

System Life Cycle (Start ->): Development / Acquisition Phase (“Building” a secure system) -> Operational Phase (Keep the system secure) -> Disposal Phase (Secure disposal of the system)

Activities that run across the life cycle: Training, Awareness, Change management, Monitoring, Access control (Phys/Log), Incident handling, Patch management, Periodic security assessment

Page 16: IT vs. OT: ICS Cyber Security in TSOs

Unfortunately:

| Control                 | IT Systems                                                                          | OT System (IACS)                                                                                                  |
| Antivirus               | Available for all systems and regularly updated                                     | Not compatible with many applications (!?)                                                                        |
| Id & Aut, Accountability| Functions always implemented: individual account, unique, complex PW, changed by policy | No authentication at protocol level and on the console; group accounts, even with hard-wired or weak PW (!?)  |
| Patching                | In time, with automated tools                                                       | Not in time, no automated tools (!?)                                                                              |
| System Administration   | As a rule always supported in the life cycle of a system; centralized               | Often not supported in time (obsolescence); local, delegated to figures such as the control system engineer (!?)  |

Page 17: IT vs. OT: ICS Cyber Security in TSOs


Same controls, but need of compensatory countermeasures: special physical & logical architectures.
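An added example, not part of the original slides, of one compensating control for the antivirus and patching gaps in the table above: a file-integrity baseline of the control-system host, so that a replaced runtime, a changed configuration or a dropped binary is detected even where no antivirus can run and the patch is late. The choice of integrity monitoring as the compensating control, the directory layout and the sample files are this example's own assumptions, not the presenter's.

```python
# Added example (not from the original slides). Compensating control for an OT
# host where antivirus is "not compatible" and patches are "not in time":
# a SHA-256 file-integrity baseline of the control-system install directory.
# Directory layout, file names and contents below are constructed for the demo.
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large runtime binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Rescan root and report files added, removed or modified since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline an HMI install tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "hmi_runtime.exe").write_bytes(b"MZ original runtime")
        (root / "config.ini").write_text("[scada]\nrtu_poll_ms=1000\n")
        (root / "readme.txt").write_text("vendor notes\n")
        baseline = build_baseline(root)

        # Tampering: runtime replaced, config extended, dropper added, file deleted
        (root / "bin" / "hmi_runtime.exe").write_bytes(b"MZ trojanised runtime")
        (root / "config.ini").write_text("[scada]\nrtu_poll_ms=1000\nremote=1\n")
        (root / "bin" / "svchost.exe").write_bytes(b"dropper")
        (root / "readme.txt").unlink()
        return compare_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken right after vendor commissioning, stored off the host, and rescanned on a schedule or after every maintenance window; a non-empty diff outside an approved change is the alert, which is exactly the "monitoring" and "change management" activities of the life-cycle pipeline on Page 15.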

Page 18: IT vs. OT: ICS Cyber Security in TSOs

The typical scenario …

[Diagram: the IACS environment reached over the Internet, PSTN/ISDN and GPRS/UMTS by technicians on the road, vendors, outsourcers (e.g. TelCo), remote access, other TSO/Utility/Operator, outsourcers (e.g. IT - TelCo), third parties (partners), remote access for staff and personal mobility; one point of the diagram is marked with an “X”.]

Page 19: IT vs. OT: ICS Cyber Security in TSOs

Going towards a Defense-in-Depth approach … must be adapted …

[Diagram: the same external connections as Page 18 (Internet, PSTN/ISDN, GPRS/UMTS; technicians on the road, vendors, outsourcers (e.g. TelCo, IT - TelCo), remote access, other TSO/Utility/Operator, third parties (partners), remote access for staff, personal mobility), now with “X” marks on the PSTN/ISDN and Internet paths.]

Page 20: IT vs. OT: ICS Cyber Security in TSOs

… for different security requirements!

[Diagram: public networks (Internet) separated from the IACS environment by several “X” marks.]

Page 21: IT vs. OT: ICS Cyber Security in TSOs

… for different security requirements!

DMZ for (management) Remote Access: Remote Access Gateway.

DMZ for Exposed IACS Services: services/applications with replicated (mirrored) DBs, fed in “one-way” mode from the process network.

Public networks (Internet): separated from both DMZs by the perimeter (“X” on the slide).

IACS internal DBs (typically real-time critical DBs): not accessible from outside of the process networks.
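An added example, not from the original presentation, that encodes the zoning on this slide as a default-deny flow table and checks the architectural invariants the slide states: no external zone reaches the process network directly, the mirrored DB in the services DMZ is fed one-way, and remote access terminates on the gateway in the management DMZ. Zone names, service labels and the change requests are constructed for the example; in production the table would be the firewall rulebase.

```python
# Added example (not from the original presentation). Encodes the slide's zoning
# as a default-deny flow table and checks the invariants the slide states.
# Zone names, service labels and the change requests are constructed here.
from dataclasses import dataclass

ZONES = {"internet", "enterprise", "dmz_remote_access", "dmz_services", "process"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


# Allowed (src zone, dst zone, service). Anything not listed is denied.
ALLOWED = frozenset({
    # Remote parties (vendors, staff, other operators) reach only the gateway
    Flow("internet", "dmz_remote_access", "vpn"),
    Flow("enterprise", "dmz_remote_access", "vpn"),
    # The gateway, not the remote client, opens the session into the process network
    Flow("dmz_remote_access", "process", "remote-session"),
    # Enterprise applications read the mirrored DB in the services DMZ ...
    Flow("enterprise", "dmz_services", "db-read"),
    # ... which the process network feeds "one-way"; nothing flows back
    Flow("process", "dmz_services", "db-replication"),
})


def is_allowed(flow: Flow, allowed=ALLOWED) -> bool:
    """Default-deny lookup; an unknown zone is a configuration error, not a deny."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        raise ValueError(f"unknown zone in {flow}")
    return flow in allowed


def check_invariants(allowed=ALLOWED) -> list:
    """Properties the rulebase must keep whatever individual rules are added."""
    violations = []
    for f in allowed:
        # 1. Internet and enterprise never reach the process network directly
        if f.src in {"internet", "enterprise"} and f.dst == "process":
            violations.append(f"direct external access to process network: {f}")
        # 2. One-way replication: the services DMZ never initiates into process
        if f.src == "dmz_services" and f.dst == "process":
            violations.append(f"mirror DMZ initiates into process network: {f}")
        # 3. The process network never talks straight to public networks
        if f.src == "process" and f.dst == "internet":
            violations.append(f"process network reaches internet: {f}")
    return violations


def review_requests(requests, allowed=ALLOWED) -> dict:
    """Classify firewall change requests as allow/deny against the table."""
    return {r: is_allowed(r, allowed) for r in requests}


# Constructed change requests, as a network team might receive them
REQUESTS = [
    Flow("enterprise", "dmz_services", "db-read"),       # report from the mirror: ok
    Flow("enterprise", "process", "db-read"),            # "just read the live DB": no
    Flow("dmz_services", "process", "db-replication"),   # reverse replication: no
    Flow("internet", "process", "remote-session"),       # vendor straight to RTU host: no
    Flow("internet", "dmz_remote_access", "vpn"),        # vendor via the gateway: ok
]


def demo() -> dict:
    """Check the rulebase itself, then review the constructed requests."""
    assert check_invariants() == [], "rulebase violates the architecture"
    return review_requests(REQUESTS)


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {flow.src} -> {flow.dst} [{flow.service}]")
```

The point of keeping `check_invariants` separate from the rule table is that a rule can be individually reasonable and still break the architecture; running the invariants on every proposed rulebase catches the "temporary" enterprise-to-process exception before it reaches the firewall.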

Page 22: IT vs. OT: ICS Cyber Security in TSOs

Conclusion …

Convergence and Alignment? And Integration?


Page 23: IT vs. OT: ICS Cyber Security in TSOs

Thank you for the attention!
