Industrial Network Security
Securing Critical Infrastructure Networks for Smart Grid,
SCADA, and Other Industrial Control Systems
Eric Knapp
Technical Editor
James Broad
Syngress is an imprint of Elsevier
Acquiring Editor: Angelina Ward
Development Editor: Matt Cater
Project Manager: Jessica Vaughan
Designer: Joanne Blank
Syngress is an imprint of Elsevier, 225 Wyman Street, Waltham, MA 02451, USA
© 2011 Elsevier Inc. All rights reserved
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility. To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Knapp, Eric.
Industrial network security : securing critical infrastructure networks for Smart Grid, SCADA, and other industrial control systems / Eric Knapp.
p. cm.
Summary: “This book attempts to define an approach to industrial network security that considers the unique network, protocol and application characteristics of an industrial control system, while also taking into consideration a variety of common compliance controls”–Provided by publisher.
Includes bibliographical references.
ISBN 978-1-59749-645-2 (pbk.)
1. Process control–Security measures. 2. Computer security. I. Title.
TS156.8.K58 2011
670.42'7–dc23
2011018442
British Library Cataloguing-in-Publication Data A catalogue record for this book is available from the British Library
ISBN: 978-1-59749-645-2
Printed in the United States of America
11 12 13 14 15 10 9 8 7 6 5 4 3 2 1
For information on all Syngress publications visit our website at www.syngress.com.
Contents
About the Author  xiii
About the Technical Editor  xv
Foreword  xvii

CHAPTER 1  Introduction  1
  Book Overview and Key Learning Points  1
  Book Audience  1
  Diagrams and Figures  2
  The Smart Grid  2
  How This Book Is Organized  3
    Chapter 2: About Industrial Networks  3
    Chapter 3: Introduction to Industrial Network Security  4
    Chapter 4: Industrial Network Protocols  4
    Chapter 5: How Industrial Networks Operate  4
    Chapter 6: Vulnerability and Risk Assessment  4
    Chapter 7: Establishing Secure Enclaves  4
    Chapter 8: Exception, Anomaly, and Threat Detection  4
    Chapter 9: Monitoring Enclaves  5
    Chapter 10: Standards and Regulations  5
    Chapter 11: Common Pitfalls and Mistakes  5
  Conclusion  5
CHAPTER 2  About Industrial Networks  7
  Industrial Networks and Critical Infrastructure  7
    Critical Infrastructure  8
    Critical versus Noncritical Industrial Networks  11
  Relevant Standards and Organizations  12
    Homeland Security Presidential Directive Seven/HSPD-7  12
    NIST Special Publications (800 Series)  13
    NERC CIP  13
    Nuclear Regulatory Commission  13
    Federal Information Security Management Act  15
    Chemical Facility Anti-Terrorism Standards  16
    ISA-99  17
    ISO 27002  18
  Common Industrial Security Recommendations  18
    Identification of Critical Systems  18
    Network Segmentation/Isolation of Systems  20
    Defense in Depth  23
    Access Control  24
  The Use of Terminology Within This Book  25
    Networks, Routable and Non-routable  25
    Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets  25
    Enclaves  26
    Electronic Security Perimeters  27
  Summary  28
  Endnotes  28
CHAPTER 3  Introduction to Industrial Network Security  31
  The Importance of Securing Industrial Networks  31
  The Impact of Industrial Network Incidents  34
    Safety Controls  34
    Consequences of a Successful Cyber Incident  35
  Examples of Industrial Network Incidents  36
    Dissecting Stuxnet  38
    Night Dragon  41
  APT and Cyber War  41
    The Advanced Persistent Threat  43
    Cyber War  44
    Emerging Trends in APT and Cyber War  45
    Still to Come  49
    Defending Against APT  50
    Responding to APT  50
  Summary  52
  Endnotes  53
CHAPTER 4  Industrial Network Protocols  55
  Overview of Industrial Network Protocols  55
  Modbus  56
    What It Does  56
    How It Works  57
    Variants  58
    Where It Is Used  59
    Security Concerns  59
    Security Recommendations  60
  ICCP/TASE.2  61
    What It Does  62
    How It Works  62
    Where It Is Used  63
    Security Concerns  63
    Security Improvements over Modbus  64
    Security Recommendations  65
  DNP3  66
    What It Does  66
    How It Works  67
    Secure DNP3  69
    Where It Is Used  70
    Security Concerns  71
    Security Recommendations  72
  OLE for Process Control  73
    What It Does  73
    How It Works  74
    OPC-UA and OPC-XI  75
    Where It Is Used  75
    Security Concerns  75
    Security Recommendations  77
  Other Industrial Network Protocols  78
    Ethernet/IP  78
    Profibus  79
    EtherCAT  80
    Ethernet Powerlink  81
    SERCOS III  82
  AMI and the Smart Grid  83
    Security Concerns  84
    Security Recommendations  85
  Summary  85
  Endnotes  86
CHAPTER 5  How Industrial Networks Operate  89
  Control System Assets  89
    IEDs  89
    RTUs  90
    PLCs  90
    HMIs  93
    Supervisory Workstations  94
    Data Historians  94
    Business Information Consoles and Dashboards  96
    Other Assets  96
  Network Architectures  97
    Topologies Used  98
  Control System Operations  100
    Control Loops  101
    Control Processes  102
    Feedback Loops  103
    Business Information Management  104
  Control Process Management  106
  Smart Grid Operations  107
  Summary  109
  Endnotes  109
CHAPTER 6  Vulnerability and Risk Assessment  111
  Basic Hacking Techniques  111
    The Attack Process  112
    Targeting an Industrial Network  116
    Threat Agents  122
  Accessing Industrial Networks  123
    The Business Network  124
    The SCADA DMZ  126
    The Control System  127
    Common Vulnerabilities  127
    The Smart Grid  132
  Determining Vulnerabilities  132
    Why Vulnerability Assessment Is Important  133
    Vulnerability Assessment in Industrial Networks  137
    Vulnerability Scanning for Configuration Assurance  138
    Where to Perform VA Scans  139
    Cyber Security Evaluation Tool  140
  Vulnerability Management  140
    Patch Management  141
    Configuration Management  143
    Device Removal and Quarantine  144
  Summary  144
  Endnotes  145
CHAPTER 7  Establishing Secure Enclaves  147
  Identifying Functional Groups  148
    Network Connectivity  149
    Control Loops  149
    Supervisory Controls  150
    Control Processes  151
    Control Data Storage  152
    Trading Communications  153
    Remote Access  154
    Users and Roles  155
    Protocols  156
    Criticality  156
    Using Functional Groups to Identify Enclaves  159
  Establishing Enclaves  161
    Identifying Enclave Perimeters  161
    Network Alterations  164
    Enclaves and Security Policy Development  164
    Enclaves and Security Device Configurations  164
  Securing Enclave Perimeters  166
    Selecting Perimeter Security Devices  166
    Implementing Perimeter Security Devices  169
    Intrusion Detection and Prevention (IDS/IPS) Configuration Guidelines  172
  Securing Enclave Interiors  181
    Selecting Interior Security Systems  183
  Summary  185
  Endnotes  186
CHAPTER 8  Exception, Anomaly, and Threat Detection  189
  Exception Reporting  190
  Behavioral Anomaly Detection  192
    Measuring Baselines  192
    Anomaly Detection  194
  Behavioral Whitelisting  199
    User Whitelists  199
    Asset Whitelists  200
    Application Behavior Whitelists  202
  Threat Detection  205
    Event Correlation  206
    Correlating between IT and OT Systems  211
  Summary  213
  Endnotes  213
CHAPTER 9  Monitoring Enclaves  215
  Determining What to Monitor  216
    Security Events  217
    Assets  218
    Configurations  220
    Applications  221
    Networks  222
    User Identities and Authentication  223
    Additional Context  225
    Behavior  228
  Successfully Monitoring Enclaves  229
    Log Collection  229
    Direct Monitoring  230
    Inferred Monitoring  230
    Information Collection and Management Tools (Log Management Systems, SIEMs)  233
    Monitoring Across Secure Boundaries  236
  Information Management  236
    Queries  237
    Reports  240
    Alerts  241
    Incident Investigation and Response  241
  Log Storage and Retention  242
    Nonrepudiation  242
    Data Retention/Storage  242
    Data Availability  243
  Summary  245
  Endnotes  246
CHAPTER 10  Standards and Regulations  249
  Common Standards and Regulations  250
    NERC CIP  250
    CFATS  251
    ISO/IEC 27002:2005  252
    NRC Regulation 5.71  253
    NIST SP 800-82  253
  Mapping Industrial Network Security to Compliance  254
    Perimeter Security Controls  255
    Host Security Controls  255
    Security Monitoring Controls  279
  Mapping Compliance Controls to Network Security Functions  293
  Common Criteria and FIPS Standards  293
    Common Criteria  293
    FIPS 140-2  300
  Summary  300
  Endnotes  300
CHAPTER 11  Common Pitfalls and Mistakes  303
  Complacency  303
    Vulnerability Assessments vs. Zero-Days  303
    Real Security vs. Policy and Awareness  304
    The Air Gap Myth  304
  Misconfigurations  305
    Default Accounts and Passwords  306
    Lack of Outbound Security and Monitoring  306
    The Executive Override  307
    The Ronco Perimeter  307
  Compliance vs. Security  308
    Audit Fodder  308
    The “One Week Compliance Window”  309
  Scope and Scale  310
    Project-Limited Thinking  310
    Insufficiently Sized Security Controls  311
  Summary  312
  Endnotes  312

Glossary  313
Appendix A  323
Appendix B  325
Appendix C  329
Index  331
About the Author
Eric D. Knapp is the Director of Critical Infrastructure Markets for NitroSecurity, where he leads the identification, evaluation, and implementation of new security technologies specific to the protection of critical infrastructure, Supervisory Control And Data Acquisition (SCADA), and industrial control networks.
Eric has 20 years of experience in Information Technology, specializing in industrial automation technologies, infrastructure security, and applied Ethernet protocols as well as the design and implementation of Intrusion Prevention Systems and Security Information and Event Management systems in both enterprise and industrial networks. In addition to his work in information security, Eric is an award-winning author. He studied English and Writing at the University of New Hampshire and the University of London and holds a degree in communications.
About the Technical Editor
James Broad (CISSP, C|EH, C|PTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, and Certification and Accreditation and offer other security consultancy services to corporate and government clients.
As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, and vulnerability analysis and research. He has provided security services in the Nation’s most critical sectors including defense, law enforcement, intelligence, finance, and healthcare.
James has a Master’s of Business Administration degree with specialization in Information Technology (MBA/IT) from the Ken Blanchard College of Business, Bachelor’s degrees in Computer Programming and Security Management from Southwestern University and is currently a Doctoral Learner pursuing a PhD in Information Security from Capella University. He is a member of ISSA and (ISC)2®. James currently resides in Stafford, Virginia with his family: Deanne, Micheal, and Temara.
Foreword
One of the most mysterious areas of information security is industrial system security. No other area of information security contains that many myths, mistakes, misconceptions and outright lies. Information available online, while voluminous, will only lead information security professionals and industrial systems professionals to more confusion and more misconceptions—which may result in not only costly, but also life-threatening, mistakes.
What raises the mystery even higher is that the stakes in the area of industrial security are extremely high. While the loss of trade secret information may kill a business, the loss of electricity generating capability may kill not just one person, but potentially thousands.
And finally the mystery is solved—with this well-researched book on industrial system network security.
The book had a few parts of particular interest to me. I liked that the book covers the “myth of an air gap”—now in the age of wireless, the air gap is not what it used to be and should not be assumed to be “the absolute security.” I also liked that safety versus security is covered: industrial engineers might know more about the former while my InfoSec colleagues know more about the latter. Today’s interconnected industrial systems absolutely need both! Finally, I also liked the book’s focus on risk and impact, and not simply on following the regulatory minimum.
Both information security and industrial engineers, which are currently two distinctly different tribes, would benefit from this book. And, hopefully Industrial Network Security will bring the much needed union of both tribes, thus helping us build a more secure business and industrial system.
—Dr. Anton A. Chuvakin, Security Warrior Consulting

CHAPTER 1 Introduction
INFORMATION IN THIS CHAPTER:
• Book Overview and Key Learning Points
• Book Audience
• Diagrams and Figures
• The Smart Grid
• How This Book Is Organized
BOOK OVERVIEW AND KEY LEARNING POINTS
This book attempts to define an approach to industrial network security that considers the unique network, protocol, and application characteristics of an industrial control system, while also taking into consideration a variety of common compliance controls.
Although many of the techniques described herein—and much of the general guidance provided by regulatory standards organizations—are built upon common enterprise security methods and reference readily available information security tools, there is little information available about how to implement these methods. This book attempts to rectify this by providing deployment and configuration guidance where possible, and by identifying why security controls should be implemented, where they should be implemented, how they should be implemented, and how they should be used.
BOOK AUDIENCE
To adequately discuss industrial network security, the basics of two very different systems need to be understood: the Ethernet and Transmission Control Protocol/Internet Protocol (TCP/IP) networking communications used ubiquitously in the enterprise, and the SCADA and field bus protocols used to manage and/or operate industrial automated systems.
As a result, this book possesses a bifurcated audience. For the plant operator with an advanced electrical engineering degree and a decade of logic programming for Modbus controllers, the basics of industrial network protocols in Chapter 4 have been presented within the context of security in an attempt to not only provide value to such a reader, but also to get that reader thinking about the subtle implications of cyber security. For the information security analyst with a Certified Information Systems Security Professional (CISSP) certification, basic information security practices have been provided within the new context of an industrial control system.
There is an interesting dichotomy between the two that provides a further challenge. Enterprise security typically strives to secure the users and hosts on a network while at the same time enabling the broad range of open communication services required within modern business. Industrial control systems, on the other hand, strive for the efficiency and reliability of a single, often fine-tuned system. Only by giving the necessary consideration to both sides can the true objective be achieved: a secure industrial network that supports reliable operation while also providing business value to the larger enterprise.
To further complicate matters, there is a third audience: the compliance officer who is mandated with meeting certain regulatory standards in order to survive an audit with minimal penalties and/or fines. Compliance continues to drive information security budgets, and therefore the broader scope of industrial networks must also be narrowed on occasion to the energy industries, where (at least in the United States) electrical energy, nuclear energy, oil, and gas are tightly regulated. Compliance controls are discussed in this book solely within the context of implementing cyber security controls. The recommendations given are intended to improve security and should not be interpreted as advice concerning successful compliance management.
DIAGRAMS AND FIGURES
The network diagrams used throughout this book have been intentionally simplified and have been designed to be as generic as possible while adequately representing industrial networks across a very wide range of industrial systems. As a result, the diagrams will undoubtedly differ from real industrial network designs and may exclude details specific to one particular industry while including details that are specific to another. However, they will provide a high-level understanding of the specific industrial network security controls being discussed.
THE SMART GRID
Although the smart grid is of major concern and interest, for the most part it is treated as any other industrial network within this book, with specific considerations being made only when necessary (such as when considering available attack vectors). As a result, there are many security considerations specific to the smart grid that are unfortunately not included. This is partly to maintain focus on the more ubiquitous