
Industrial Network Security

Securing Critical Infrastructure Networks for Smart Grid,

SCADA, and Other Industrial Control Systems


Eric Knapp

Technical Editor

James Broad

AMSTERDAM • BOSTON • HEIDELBERG • LONDON • NEW YORK • OXFORD • PARIS • SAN DIEGO • SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO

Syngress is an imprint of Elsevier

Acquiring Editor: Angelina Ward
Development Editor: Matt Cater
Project Manager: Jessica Vaughan
Designer: Joanne Blank

Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA

© 2011 Elsevier Inc. All rights reserved

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility. To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

Library of Congress Cataloging-in-Publication Data

Knapp, Eric.
Industrial network security : securing critical infrastructure networks for Smart Grid, SCADA, and other industrial control systems / Eric Knapp.
p. cm.
Summary: “This book attempts to define an approach to industrial network security that considers the unique network, protocol and application characteristics of an industrial control system, while also taking into consideration a variety of common compliance controls”–Provided by publisher.
Includes bibliographical references.
ISBN 978-1-59749-645-2 (pbk.)
1. Process control–Security measures. 2. Computer security. I. Title.
TS156.8.K58 2011
670.42'7–dc23
2011018442

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

ISBN: 978-1-59749-645-2

Printed in the United States of America


For information on all Syngress publications visit our website at www.syngress.com.


Contents

About the Author  xiii
About the Technical Editor  xv
Foreword  xvii

CHAPTER 1  Introduction  1
  Book Overview and Key Learning Points  1
  Book Audience  1
  Diagrams and Figures  2
  The Smart Grid  2
  How This Book Is Organized  3
    Chapter 2: About Industrial Networks  3
    Chapter 3: Introduction to Industrial Network Security  4
    Chapter 4: Industrial Network Protocols  4
    Chapter 5: How Industrial Networks Operate  4
    Chapter 6: Vulnerability and Risk Assessment  4
    Chapter 7: Establishing Secure Enclaves  4
    Chapter 8: Exception, Anomaly, and Threat Detection  4
    Chapter 9: Monitoring Enclaves  5
    Chapter 10: Standards and Regulations  5
    Chapter 11: Common Pitfalls and Mistakes  5
  Conclusion  5

CHAPTER 2  About Industrial Networks  7
  Industrial Networks and Critical Infrastructure  7
    Critical Infrastructure  8
    Critical versus Noncritical Industrial Networks  11
  Relevant Standards and Organizations  12
    Homeland Security Presidential Directive Seven/HSPD-7  12
    NIST Special Publications (800 Series)  13
    NERC CIP  13
    Nuclear Regulatory Commission  13
    Federal Information Security Management Act  15
    Chemical Facility Anti-Terrorism Standards  16
    ISA-99  17
    ISO 27002  18
  Common Industrial Security Recommendations  18
    Identification of Critical Systems  18
    Network Segmentation/Isolation of Systems  20
    Defense in Depth  23
    Access Control  24
  The Use of Terminology Within This Book  25
    Networks, Routable and Non-routable  25
    Assets, Critical Assets, Cyber Assets, and Critical Cyber Assets  25
    Enclaves  26
    Electronic Security Perimeters  27
  Summary  28
  Endnotes  28

CHAPTER 3  Introduction to Industrial Network Security  31
  The Importance of Securing Industrial Networks  31
  The Impact of Industrial Network Incidents  34
    Safety Controls  34
    Consequences of a Successful Cyber Incident  35
  Examples of Industrial Network Incidents  36
    Dissecting Stuxnet  38
    Night Dragon  41
  APT and Cyber War  41
    The Advanced Persistent Threat  43
    Cyber War  44
    Emerging Trends in APT and Cyber War  45
    Still to Come  49
    Defending Against APT  50
    Responding to APT  50
  Summary  52
  Endnotes  53

CHAPTER 4  Industrial Network Protocols  55
  Overview of Industrial Network Protocols  55
  Modbus  56
    What It Does  56
    How It Works  57
    Variants  58
    Where It Is Used  59
    Security Concerns  59
    Security Recommendations  60
  ICCP/TASE.2  61
    What It Does  62
    How It Works  62
    Where It Is Used  63
    Security Concerns  63
    Security Improvements over Modbus  64
    Security Recommendations  65
  DNP3  66
    What It Does  66
    How It Works  67
    Secure DNP3  69
    Where It Is Used  70
    Security Concerns  71
    Security Recommendations  72
  OLE for Process Control  73
    What It Does  73
    How It Works  74
    OPC-UA and OPC-XI  75
    Where It Is Used  75
    Security Concerns  75
    Security Recommendations  77
  Other Industrial Network Protocols  78
    Ethernet/IP  78
    Profibus  79
    EtherCAT  80
    Ethernet Powerlink  81
    SERCOS III  82
  AMI and the Smart Grid  83
    Security Concerns  84
    Security Recommendations  85
  Summary  85
  Endnotes  86

CHAPTER 5  How Industrial Networks Operate  89
  Control System Assets  89
    IEDs  89
    RTUs  90
    PLCs  90
    HMIs  93
    Supervisory Workstations  94
    Data Historians  94
    Business Information Consoles and Dashboards  96
    Other Assets  96
  Network Architectures  97
    Topologies Used  98
  Control System Operations  100
    Control Loops  101
    Control Processes  102
    Feedback Loops  103
    Business Information Management  104
  Control Process Management  106
  Smart Grid Operations  107
  Summary  109
  Endnotes  109

CHAPTER 6  Vulnerability and Risk Assessment  111
  Basic Hacking Techniques  111
    The Attack Process  112
    Targeting an Industrial Network  116
    Threat Agents  122
  Accessing Industrial Networks  123
    The Business Network  124
    The SCADA DMZ  126
    The Control System  127
    Common Vulnerabilities  127
    The Smart Grid  132
  Determining Vulnerabilities  132
    Why Vulnerability Assessment Is Important  133
    Vulnerability Assessment in Industrial Networks  137
    Vulnerability Scanning for Configuration Assurance  138
    Where to Perform VA Scans  139
    Cyber Security Evaluation Tool  140
  Vulnerability Management  140
    Patch Management  141
    Configuration Management  143
    Device Removal and Quarantine  144
  Summary  144
  Endnotes  145

CHAPTER 7  Establishing Secure Enclaves  147
  Identifying Functional Groups  148
    Network Connectivity  149
    Control Loops  149
    Supervisory Controls  150
    Control Processes  151
    Control Data Storage  152
    Trading Communications  153
    Remote Access  154
    Users and Roles  155
    Protocols  156
    Criticality  156
    Using Functional Groups to Identify Enclaves  159
  Establishing Enclaves  161
    Identifying Enclave Perimeters  161
    Network Alterations  164
    Enclaves and Security Policy Development  164
    Enclaves and Security Device Configurations  164
  Securing Enclave Perimeters  166
    Selecting Perimeter Security Devices  166
    Implementing Perimeter Security Devices  169
    Intrusion Detection and Prevention (IDS/IPS) Configuration Guidelines  172
  Securing Enclave Interiors  181
    Selecting Interior Security Systems  183
  Summary  185
  Endnotes  186

CHAPTER 8  Exception, Anomaly, and Threat Detection  189
  Exception Reporting  190
  Behavioral Anomaly Detection  192
    Measuring Baselines  192
    Anomaly Detection  194
  Behavioral Whitelisting  199
    User Whitelists  199
    Asset Whitelists  200
    Application Behavior Whitelists  202
  Threat Detection  205
    Event Correlation  206
    Correlating between IT and OT Systems  211
  Summary  213
  Endnotes  213

CHAPTER 9  Monitoring Enclaves  215
  Determining What to Monitor  216
    Security Events  217
    Assets  218
    Configurations  220
    Applications  221
    Networks  222
    User Identities and Authentication  223
    Additional Context  225
    Behavior  228
  Successfully Monitoring Enclaves  229
    Log Collection  229
    Direct Monitoring  230
    Inferred Monitoring  230
    Information Collection and Management Tools (Log Management Systems, SIEMs)  233
    Monitoring Across Secure Boundaries  236
  Information Management  236
    Queries  237
    Reports  240
    Alerts  241
    Incident Investigation and Response  241
  Log Storage and Retention  242
    Nonrepudiation  242
    Data Retention/Storage  242
    Data Availability  243
  Summary  245
  Endnotes  246

CHAPTER 10  Standards and Regulations  249
  Common Standards and Regulations  250
    NERC CIP  250
    CFATS  251
    ISO/IEC 27002:2005  252
    NRC Regulation 5.71  253
    NIST SP 800-82  253
  Mapping Industrial Network Security to Compliance  254
    Perimeter Security Controls  255
    Host Security Controls  255
    Security Monitoring Controls  279
  Mapping Compliance Controls to Network Security Functions  293
  Common Criteria and FIPS Standards  293
    Common Criteria  293
    FIPS 140-2  300
  Summary  300
  Endnotes  300

CHAPTER 11  Common Pitfalls and Mistakes  303
  Complacency  303
    Vulnerability Assessments vs. Zero-Days  303
    Real Security vs. Policy and Awareness  304
    The Air Gap Myth  304
  Misconfigurations  305
    Default Accounts and Passwords  306
    Lack of Outbound Security and Monitoring  306
    The Executive Override  307
    The Ronco Perimeter  307
  Compliance vs. Security  308
    Audit Fodder  308
    The “One Week Compliance Window”  309
  Scope and Scale  310
    Project-Limited Thinking  310
    Insufficiently Sized Security Controls  311
  Summary  312
  Endnotes  312

Glossary  313
Appendix A  323
Appendix B  325
Appendix C  329
Index  331


About the Author

Eric D. Knapp is the Director of Critical Infrastructure Markets for NitroSecurity, where he leads the identification, evaluation, and implementation of new security technologies specific to the protection of critical infrastructure, Supervisory Control And Data Acquisition (SCADA), and industrial control networks.

Eric has 20 years of experience in Information Technology, specializing in industrial automation technologies, infrastructure security, and applied Ethernet protocols as well as the design and implementation of Intrusion Prevention Systems and Security Information and Event Management systems in both enterprise and industrial networks. In addition to his work in information security, Eric is an award-winning author. He studied English and Writing at the University of New Hampshire and the University of London and holds a degree in communications.


About the Technical Editor

James Broad (CISSP, C|EH, C|PTS, Security+, MBA) is the President and owner of Cyber-Recon, LLC, where he and his team of consultants specialize in Information Security, Information Assurance, and Certification and Accreditation and offer other security consultancy services to corporate and government clients.

As a security professional with over 20 years of real-world IT experience, James is an expert in many areas of IT security, specializing in security engineering, penetration testing, and vulnerability analysis and research. He has provided security services in the Nation’s most critical sectors including defense, law enforcement, intelligence, finance, and healthcare.

James has a Master of Business Administration degree with specialization in Information Technology (MBA/IT) from the Ken Blanchard College of Business, Bachelor’s degrees in Computer Programming and Security Management from Southwestern University, and is currently a Doctoral Learner pursuing a PhD in Information Security from Capella University. He is a member of ISSA and (ISC)2®. James currently resides in Stafford, Virginia with his family: Deanne, Micheal, and Temara.


Foreword

One of the most mysterious areas of information security is industrial system security. No other area of information security contains that many myths, mistakes, misconceptions and outright lies. Information available online, while voluminous, will only lead information security professionals and industrial systems professionals to more confusion and more misconceptions—which may result in not only costly, but also life-threatening, mistakes.

What raises the mystery even higher is that the stakes in the area of industrial security are extremely high. While the loss of trade secret information may kill a business, the loss of electricity generating capability may kill not just one person, but potentially thousands.

And finally the mystery is solved—with this well-researched book on industrial system network security.

The book had a few parts of particular interest to me. I liked that the book covers the “myth of an air gap”—now in the age of wireless, the air gap is not what it used to be and should not be assumed to be “the absolute security.” I also liked that safety versus security is covered: industrial engineers might know more about the former while my InfoSec colleagues know more about the latter. Today’s interconnected industrial systems absolutely need both! Finally, I also liked the book’s focus on risk and impact, and not simply on following the regulatory minimum.

Both information security and industrial engineers, which are currently two distinctly different tribes, would benefit from this book. And, hopefully Industrial Network Security will bring the much needed union of both tribes, thus helping us build a more secure business and industrial system.

—Dr. Anton A. Chuvakin
Security Warrior Consulting

CHAPTER 1

Introduction

INFORMATION IN THIS CHAPTER:

• Book Overview and Key Learning Points
• Book Audience
• Diagrams and Figures
• The Smart Grid
• How This Book Is Organized

BOOK OVERVIEW AND KEY LEARNING POINTS

This book attempts to define an approach to industrial network security that considers the unique network, protocol, and application characteristics of an industrial control system, while also taking into consideration a variety of common compliance controls.

Although many of the techniques described herein—and much of the general guidance provided by regulatory standards organizations—are built upon common enterprise security methods and reference readily available information security tools, there is little information available about how to implement these methods. This book attempts to rectify this by providing deployment and configuration guidance where possible, and by identifying why security controls should be implemented, where they should be implemented, how they should be implemented, and how they should be used.

BOOK AUDIENCE

To adequately discuss industrial network security, the basics of two very different systems need to be understood: the Ethernet and Transmission Control Protocol/Internet Protocol (TCP/IP) networking communications used ubiquitously in the enterprise, and the SCADA and field bus protocols used to manage and/or operate industrial automated systems.

As a result, this book possesses a bifurcated audience. For the plant operator with an advanced electrical engineering degree and a decade of logic programming for Modbus controllers, the basics of industrial network protocols in Chapter 4 have been presented within the context of security in an attempt to not only provide value to such a reader, but also to get that reader thinking about the subtle implications of cyber security. For the information security analyst with a Certified Information Systems Security Professional (CISSP) certification, basic information security practices have been provided within the new context of an industrial control system.

There is an interesting dichotomy between the two that provides a further challenge. Enterprise security typically strives to secure the users and hosts on a network while at the same time enabling the broad range of open communication services required within modern business. Industrial control systems, on the other hand, strive for the efficiency and reliability of a single, often fine-tuned system. Only by giving the necessary consideration to both sides can the true objective be achieved: a secure industrial network that supports reliable operation while also providing business value to the larger enterprise.

To further complicate matters, there is a third audience: the compliance officer who is mandated with meeting certain regulatory standards in order to survive an audit with minimal penalties and/or fines. Compliance continues to drive information security budgets, and therefore the broader scope of industrial networks must also be narrowed on occasion to the energy industries, where (at least in the United States) electrical energy, nuclear energy, oil, and gas are tightly regulated. Compliance controls are discussed in this book solely within the context of implementing cyber security controls. The recommendations given are intended to improve security and should not be interpreted as advice concerning successful compliance management.

DIAGRAMS AND FIGURES

The network diagrams used throughout this book have been intentionally simplified and have been designed to be as generic as possible while adequately representing industrial networks across a very wide range of industrial systems. As a result, the diagrams will undoubtedly differ from real industrial network designs and may exclude details specific to one particular industry while including details that are specific to another. However, they will provide a high-level understanding of the specific industrial network security controls being discussed.

THE SMART GRID

Although the smart grid is of major concern and interest, for the most part it is treated as any other industrial network within this book, with specific considerations being made only when necessary (such as when considering available attack vectors). As a result, there are many security considerations specific to the smart grid that are unfortunately not included. This is partly to maintain focus on the more ubiquitous ICS and SCADA security requirements, partly due to the relative immaturity of smart grid security, and partly due to the specialized and complex nature of these systems. Although this means that specific measures for securing synchrophasors, meters, etc. are not provided, the guidance and overall approach to security that is provided herein is certainly applicable to smart grid networks. For more in-depth reading on smart grid network security, consider Securing the Smart Grid: Next Generation Power Grid Security by Tony Flick and Justin Morehouse (ISBN: 978-1-59749-570-7, Syngress).

HOW THIS BOOK IS ORGANIZED

This book is divided into a total of eleven chapters, followed by three appendices guiding the reader where to find additional information and resources about industrial protocols, standards and regulations, and relevant NIST security guidelines. An extensive glossary is also provided to accommodate the wealth of both information security and industrial networking terms and acronyms used throughout the book.

The chapters begin with an introduction to industrial networking, and what a cyber attack against an industrial control system might represent in terms of potential risks and consequences, followed by details of how industrial networks can be assessed, secured, and monitored in order to obtain the strongest possible security, and conclude with a detailed discussion of various compliance controls, and how those specific controls map back to network security practices.

It is not necessary to read this book cover to cover, in order. The book is intended to offer insight and recommendations that relate to both specific security goals as well as the cyclical nature of the security process. That is, if faced with performing a vulnerability assessment on an industrial control network, begin with Chapter 6; every effort has been made to refer the reader to other relevant chapters where additional knowledge may be necessary.

Chapter 2: About Industrial Networks

In this chapter, there is a brief introduction to industrial networks as they relate to “critical infrastructure,” those infrastructures upon which our society, industry, and way of life depend. The dependencies of critical infrastructures upon industrial control systems lead naturally to a discussion of the many standards, regulations, guidance documents, and policies that have been implemented globally to protect these systems. In addition, the chapter introduces the reader to the most basic premises of industrial security.

Of particular note, Chapter 2 also discusses the use of terminology within the book as it relates to the many applications of industrial networks (again, there is also an extensive Glossary included to cover the abundance of new acronyms and terms used in industrial control networks).


Chapter 3: Introduction to Industrial Network Security

Chapter 3 introduces industrial networks in terms of cyber security, by examining the interrelations between “general” networking, industrial networking, and potentially critical infrastructures. Chapter 3 covers the importance of securing industrial networks, discusses the impact of a successful industrial attack, and provides examples of real incidents—including a discussion of the Advanced Persistent Threat and the implications of cyber war.

Chapter 4: Industrial Network Protocols

This chapter focuses on industrial network protocols, including Modbus, DNP3, OPC, ICCP, and others in both their native/original fieldbus form or in modernized TCP/IP or real-time Ethernet implementations. The basics of protocol operation, frame format, and security considerations are provided for each, with security recommendations being made where applicable.

Chapter 5: How Industrial Networks Operate

Industrial networks use specialized protocols because they perform functions that are different than enterprise networks, with different requirements and different security considerations. Chapter 5 discusses control system assets, network architectures, control system operations, and how control processes are managed, with special emphasis on smart grid operations.

Chapter 6: Vulnerability and Risk Assessment

Strong security requires a proper assessment of vulnerabilities and risk, which in turn requires that security analysts think like an attacker. Chapter 6 provides a high-level overview of common attack methodologies, and how industrial networks present a unique attack surface with common attack vectors to many critical areas. Chapter 6 also discusses vulnerability assessment and patch management strategies.

Chapter 7: Establishing Secure Enclaves

A strong “defense in depth” strategy requires the isolation of functional groups into securable “enclaves.” Chapter 7 looks at how to separate functional groups and where enclave boundaries should be implemented. Specifics are then provided on how to secure both the perimeter and the interior of enclaves, including common security products, methods, and policies that may be implemented.

Chapter 8: Exception, Anomaly, and Threat Detection

Awareness is the prerequisite of action, according to the common definition of situational awareness. In this chapter, several contributing factors to obtaining situational awareness are discussed, including how to use anomaly detection, exception reporting, and information correlation for the purposes of threat and risk detection.


Chapter 9: Monitoring Enclaves

Before situational awareness can be achieved, however, a necessary body of information must be obtained. This chapter includes recommendations of what to monitor, why, and how. Information management strategies—including log and event collection, direct monitoring, and security information and event management (SIEM)—are discussed, including guidance on data collection, retention, and management.

Chapter 10: Standards and Regulations

There are many regulatory compliance standards applicable to industrial network security, and most consist of a wide range of procedural controls that aren’t easily resolved using information technology. There are common cyber security controls (with often subtle but important variations), however, which reinforce the recommendations put forth in this book. Chapter 10 attempts to map those cyber security–related controls from some common standards—including NERC CIP, CFATS, ISO/IEC 27002:2005, NRC RG 5.71, and NIST 800-82—to the security recommendations made within this book, making it easier for security analysts to understand the motivations of compliance officers, while compliance officers are able to see the security concerns behind individual controls.

Chapter 11: Common Pitfalls and Mistakes

Industrial control systems are highly vulnerable, and often with high consequence. In this chapter, some common pitfalls and mistakes are highlighted—including errors of complacency, common misconfigurations, and deployment errors—because once the pitfalls and mistakes are named, it is easier to avoid repeating them.

CONCLUSION

Writing this book has been an education, an experience, and a challenge. In the months of research and writing, several historic moments have occurred concerning Industrial Control Systems security, including the first ICS-targeted cyber weapon, and one of the most sophisticated cyber attacks to date. The growing number of attacks, new evidence of Advanced Persistent Threats, and a wave of new SCADA- and ICS-specific vulnerabilities are just the tip of the proverbial iceberg.

Hopefully, this book will be both informative and enjoyable, and it will facilitate the increasingly urgent need to strengthen the security of our industrial networks and SCADA systems. Even though the attacks themselves will continue to evolve, the methods provided herein should help to prepare against the inevitable advancement of industrial network threat.

CHAPTER 2: About Industrial Networks

INFORMATION IN THIS CHAPTER:

• Industrial Networks and Critical Infrastructure
• Relevant Standards and Organizations
• Common Industrial Security Recommendations
• The Use of Terminology Within This Book

Before attempting to secure an industrial network, it is important to understand what an industrial network really is. Because of the diversity of both the industrial networks themselves as well as the markets that they serve, it can be confusing to discuss them in general terms. In addition, the many regulatory agencies and commissions that have been formed to help secure different industrial networks for different markets each introduce their own specific nomenclatures and terminology. Finally, the common misuse of terminology within the media further confuses the issue of what an industrial network truly is.

INDUSTRIAL NETWORKS AND CRITICAL INFRASTRUCTURE

The world of industrial control systems, like many high-tech sectors, possesses its own lexicon to describe the nuances of its industry. Unfortunately, the terms used are also often interchanged and misunderstood. Industrial Control Systems are often referred to in the media as “SCADA,” for example, which is both inaccurate and misleading. An industrial network is most typically made up of several distinct areas, which are simplified here as a business network or enterprise, business operations, a supervisory network, and process and control networks (see Figure 2.1). SCADA, or Supervisory Control and Data Acquisition, is just one specific piece of an industrial network, separate from the control systems themselves, which should be referred to as Industrial Control Systems (ICS), Distributed Control Systems (DCS), or Process Control Systems (PCS). Each area has its own physical and logical security considerations, and each has its own policies and concerns.

The book title “Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems” was chosen because this text discusses the security concerns of all the networks that make up an industrial network, including the supervisory and distributed control systems, primarily as they apply to critical infrastructure. The business Local Area Network (LAN), the process control network, and whatever supervisory demilitarized zone (DMZ) exists between them are all equally important. To be more specific, it discusses the cyber security of these networks. For the sake of clarity, it is assumed that a strong security policy, security awareness, personnel, and physical security practices are already in place, and these topics will not be addressed except for where they might be used to strengthen specific areas of network security.
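The tiered layout described above (the business LAN, a supervisory DMZ, and the process control network behind it) can be written down as a default-deny conduit policy and checked mechanically, which is a useful way to review a firewall rule export before it reaches a plant. The following Python is an added example and not code from the book: the zone names, the permitted conduits (including the Modbus/TCP and DNP3 port numbers used here as illustrations), and the sample flows are assumptions chosen for this illustration.

```python
"""Default-deny conduit policy for the network areas described above.

Added illustration; not from the book. Zone names, the permitted conduits
and the sample flows below are assumptions chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Network areas ordered from least to most sensitive. The rank is used to
# reject flows that skip a tier (e.g. enterprise straight into control),
# which is exactly what a supervisory DMZ exists to prevent.
ZONES: List[str] = ["enterprise", "business_operations", "supervisory", "control"]
RANK: Dict[str, int] = {zone: i for i, zone in enumerate(ZONES)}

# (source zone, destination zone, protocol, destination port). Only these
# conduits are permitted; everything else is denied. Direction matters:
# polling is initiated from the supervisory tier, never from the control tier.
ALLOWED: Set[Tuple[str, str, str, int]] = {
    ("enterprise", "business_operations", "tcp", 443),    # reporting portal (assumed)
    ("business_operations", "supervisory", "tcp", 1433),  # historian replication (assumed)
    ("supervisory", "control", "tcp", 502),               # Modbus/TCP polling
    ("supervisory", "control", "tcp", 20000),             # DNP3 over TCP polling
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def evaluate(flow: Flow) -> Tuple[bool, str]:
    """Decide whether the initiating direction of a flow is permitted.

    Returns (allowed, reason). Return traffic of an established session is
    assumed to be handled by a stateful firewall and is not modelled here.
    """
    if flow.src not in RANK or flow.dst not in RANK:
        return False, "unknown zone"
    if flow.src == flow.dst:
        return True, "intra-zone traffic is outside conduit policy"
    if abs(RANK[flow.src] - RANK[flow.dst]) > 1:
        return False, f"{flow.src} may not reach {flow.dst} directly; it must traverse the intermediate tier"
    key = (flow.src, flow.dst, flow.proto.lower(), flow.port)
    if key in ALLOWED:
        return True, "explicitly permitted conduit"
    if (flow.dst, flow.src, flow.proto.lower(), flow.port) in ALLOWED:
        return False, "conduit is permitted only in the opposite direction"
    return False, "no matching conduit (default deny)"


def audit(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Return every denied flow together with the reason it was denied."""
    findings: List[Tuple[Flow, str]] = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            findings.append((flow, reason))
    return findings


# Constructed sample flows, as might be parsed from a firewall rule export.
# The last three are the kinds of mistakes a review should catch.
SAMPLE_FLOWS: List[Flow] = [
    Flow("supervisory", "control", "tcp", 502),
    Flow("enterprise", "business_operations", "tcp", 443),
    Flow("enterprise", "control", "tcp", 502),               # skips two tiers
    Flow("control", "supervisory", "tcp", 502),              # wrong direction
    Flow("enterprise", "business_operations", "tcp", 3389),  # RDP, never permitted
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.port}: {reason}")
```

The tier-skip rule is deliberately checked before the allow-list, so that a stray rule permitting enterprise hosts to reach a controller on port 502 is rejected even if someone adds it to ALLOWED; the DMZ is only a security boundary if nothing is allowed to bypass it.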

Critical Infrastructure

For the purposes of this book, the terms “Industrial Network” and “Critical Infrastructure” are used in somewhat limited contexts. “Industrial Network” refers to any network operating some sort of automated control system that communicates digitally over a network, and “Critical Infrastructure” refers to critical network infrastructure, including any network used in the direct operation of any system upon which one of the defined “critical infrastructures” depends. Confusing? It is, and this is perhaps one of the leading reasons that our critical infrastructures remain at risk today: many an ICS security seminar has digressed into an argument over semantics, at the expense of any real discussion on network security practices.

FIGURE 2.1 Sample Industrial Automated Control System Network.

Luckily, the two terms are closely related in that the defined critical infrastructure, meaning those systems listed in the Homeland Security Presidential Directive Seven (HSPD-7), typically utilizes some sort of industrial control systems. In its own words, “HSPD-7 establishes a national policy for Federal departments and agencies to identify and prioritize [the] United States critical infrastructure and key resources and to protect them from terrorist attacks.” HSPD-7 includes public safety, bulk electric energy, nuclear energy, chemical manufacturing, agricultural and pharmaceutical manufacturing and distribution, and even aspects of banking and finance: basically, anything whose disruption could impact a nation.1 However, while some, such as global banking and finance, are considered a part of our critical infrastructure, they do not typically operate industrial control networks, and so are not addressed within this book (although many of the security recommendations will still apply, at least at a high level).

Utilities

Utilities—water, gas, oil, electricity, and communications—are critical infrastructures that rely heavily on industrial networks and automated control systems. Because the disruption of any of these systems could impact our society and our safety, they are listed as critical by HSPD-7; because they use automated and distributed process control systems, they are clear examples of industrial networks. Of the common utilities, electricity is often separated as requiring more extensive security. In the United States and Canada, it is specifically regulated to standards of reliability and cyber security. Oil and gas refining and distribution are systems that should be treated as both a chemical/hazardous material and as a critical component of our infrastructures. It is often regulated as a chemical facility because of these particular qualities.

Nuclear Facilities

Nuclear facilities represent unique safety and security challenges due to the inherent danger of their fueling and operation, as well as the national security implications of the raw materials used. This makes nuclear facilities a prime target for cyber attack, and it makes the consequences of a successful attack more severe. As such, nuclear energy is heavily regulated in the United States by the Nuclear Regulatory Commission (NRC). The NRC was formed as an independent agency by Congress in 1974 in an attempt to guarantee the safe operation of nuclear facilities and to protect people and the environment. This includes regulating the use of nuclear material including by-product, source, and special nuclear materials, as well as nuclear power.2

Bulk Electric

The ability to generate and distribute electricity in bulk is highly regulated. Electrical energy generation and distribution is defined as a critical infrastructure under HSPD-7, and is heavily regulated in North America by NERC—specifically via the NERC Critical Infrastructure Protection (CIP) reliability standards—under the authority of the Department of Energy, which is ultimately responsible for the security of the production, manufacture, refining, distribution, and storage of oil, gas, and non-nuclear power.3

It’s important to note that energy generation and distribution are two distinct industrial network environments, each with its own nuances and special security requirements. Energy generation is primarily concerned with the safe manufacture of a product (electricity), while energy distribution is concerned with the safe and balanced distribution of that product. The two are also highly interconnected, obviously, as generation facilities directly feed the power grid that distributes that energy; bulk energy must be carefully measured and distributed upon production. For this same reason, the trading and transfer of power between power companies is an important facet of an electric utility’s operation.

The smart grid—an update to traditional electrical transmission and distribution systems to accommodate digital communications for metering and intelligent delivery of electricity—is a unique facet of industrial networks that is specific to the energy industry and that raises many new security questions and concerns.

Although energy generation and distribution are not the only industrial systems that need to be defended, they are often used as examples within this book. This is because the North American Electric Reliability Corporation (NERC) has created a reliability standard called “Critical Infrastructure Protection” and enforces it heavily throughout the United States and Canada. Likewise, the NRC requires and enforces the cyber security of nuclear power facilities. Ultimately, all other industries rely upon energy to operate, and so the security of the energy infrastructure (and the development of the smart grid) impacts everything else, so that talking about securing industrial networks without talking about energy is practically impossible.

Is bulk power more important than other industrial systems? That is a topic of heavy debate. Within the context of this book, we assume that all control systems are important, whether or not they generate or distribute energy, or whether they are defined that way by HSPD-7 or any other directive. A speaker at the 2010 Black Hat conference suggested that ICS security is overhyped, because these systems are more likely to impact the production of cookies than they are to impact our national infrastructure.4 However, even the production of a snack food can impact many lives: through the manipulation of its ingredients or through financial impact to the producer and its workers, for example.

Chemical Facilities

Chemical manufacture and distribution represent specific challenges to securing an industrial manufacturing network. Unlike the “utility” networks (electric, nuclear, water, gas), chemical facilities need to secure their intellectual property as much as they do their control systems and manufacturing operations. This is because the product itself has a tangible value, both financially and as a weapon. For example, the formula for a new pharmaceutical could be worth a large sum of money on the black market. The disruption of the production of that pharmaceutical could be used as a social attack against a country or nation, by impacting the ability to produce a specific vaccine or antibody. Likewise, the theft of hazardous chemicals can be used directly as weapons or to fuel illegal chemical weapons research or manufacture. For this reason, chemical facilities need to also focus on securing the storage and transportation of the end product.

Critical versus Noncritical Industrial Networks

The security practices recommended within this book aim for a very high standard, and in fact go above and beyond what is recommended by many government and regulatory groups. So which practices are really necessary, and which are excessive? It depends upon the nature of the industrial system being protected. What are the consequences of a cyber attack? The production of energy is much more important in modern society than the production of a Frisbee. The proper manufacture and distribution of electricity can directly impact our safety by providing heat in winter or by powering our irrigation pumps during a drought. The proper manufacture and distribution of chemicals can mean the difference between the availability of flu vaccines and pharmaceuticals and a direct health risk to the population. Regardless of classification, however, most industrial control systems are by their nature important, and any risk to their reliability carries industrial-scale consequences. Not all manufacturing systems hold life-and-death consequences, but that does not mean they are not potential targets for a cyber attack. What are the chances that an extremely sophisticated, targeted attack will actually occur? The likelihood of an incident diminishes as the sophistication of the attack—and its consequences—grow, as shown in Figure 2.2. By implementing security practices to address these uncommon and unlikely attacks, there is a greater possibility of avoiding the devastating consequences that correspond to them.

Although the goal of this book is to secure any industrial network, it focuses on Critical Infrastructure and electric energy in particular, and will reference various standards, recommendations, and directives as appropriate. Regardless of the nature of the control system that needs to be secured, it is important to understand these directives, especially NERC CIP, Chemical Facility Anti-Terrorism Standards (CFATS), Federal Information Security Management Act (FISMA), and the control system security recommendations of the National Institute of Standards and Technology (NIST). Each has its own strengths and weaknesses, but all provide a good baseline of best practices for industrial network security (each is explored in more detail in Chapter 10, “Standards and Regulations”). Not surprisingly, the industrial networks that control critical infrastructures demand the strongest controls and regulations around security and reliability, and as such there are numerous organizations helping to achieve just that. The Critical Infrastructure Protection Act of 2001 and HSPD-7 define what they are, while others—such as NERC CIP, CFATS, and various publications of NIST—help explain what to do.


RELEVANT STANDARDS AND ORGANIZATIONS

Many organizations are attempting to define methods of securing our industrial systems. Some are regional, some are national, and some are global. Some are public, some are private. Some—like NERC CIP—carry heavy fines for non-compliance if one falls under their jurisdiction. Others—such as CFATS—offer recommendations for self-assessment and lack the ability to levy penalties for noncompliance.

Each standard is discussed briefly here and in more detail in Chapter 10, “Standards and Regulations.” Although this book does not attempt to provide compliance or audit guidelines, the various standards provide valuable insight into how we should and should not be securing our industrial networks. When considered as a whole, we see common requirement challenges and recommendations that can and should be considered “best practices” for industrial network security.

Homeland Security Presidential Directive Seven (HSPD-7)

HSPD-7 attempts to distinguish critical from noncritical systems. HSPD-7 does not include specific security recommendations, relying instead upon other federal security recommendations such as those by NIST on the security of both enterprise and industrial networks, as well as the Homeland Security Risk-Based Performance Standards used in securing chemical facilities.

Which regulations apply to your specific industrial network? Possibly several, and possibly none. Although more information is provided in Chapter 10, “Standards and Regulations,” some of the more common regulations are summarized here in order to help you determine which standards you should be striving to meet.

FIGURE 2.2 Likelihood versus Consequence of a Targeted Cyber Attack.

NIST Special Publications (800 Series)

NIST’s 800 series documents provide best practices and information of general interest to information security. All 800 series documents concern information security and should be used as references where applicable. Of particular relevance to industrial network security are SP 800-53 (“Recommended Security Controls for Federal Information Systems”), which defines many aspects of information security procedures and technologies, and SP 800-82 (“Guide to Supervisory Control and Data Acquisition [SCADA] and Industrial Control Systems Security”), which discusses industrial control system security specifically. Although the entirety of SP 800-53 is applicable to the protection of critical infrastructures, the technical aspects defined under SP 800-53 as Access Control, Security Assessment and Authorization, Configuration Management, Identification and Authentication, Risk Assessment, System and Communications Protection, and System and Information Integrity are directly applicable to industrial networks.5

SP 800-82 (currently in draft) details control system architectures, protocols, vulnerabilities, and security controls. Specific security recommendations of SP 800-53 and SP 800-82 are addressed in more detail in Chapter 10, “Standards and Regulations.”

NERC CIP

The NERC CIP reliability standard identifies security measures for protecting critical infrastructure with the goal of ensuring the reliability of the bulk power system. Compliance is mandatory for any power generation facility, and fines for noncompliance can be steep. The CIP reliability standards consist of nine sections, each with its own requirements and measures. They are Sabotage Reporting, Critical Cyber Asset Identification, Security Management Controls, Personnel & Training, Electronic Security Perimeter(s), Physical Security of Critical Cyber Assets, Systems Security Management, Incident Reporting and Response Planning, and Recovery Plans for Critical Cyber Assets.

t4 information slips - Average weight of a fifth grader