Madrock

SCADA Security Presentation

by Derek on Nov.08, 2009, under SCADA

This is a presentation I gave on SCADA security some time ago. It was originally set for about 2 hours, although I broke it into 2 halves so that, if time permitted (or the participants wanted more information), the back end of the presentation has many more areas and guidance relating to SCADA, devices, environment security, etc.

I defined the following outcomes for the presentation:

  • Broaden the awareness and necessity of security within the SCADA environment.
  • Understanding of business role in the governance/risk identification process.
  • Heighten the understanding of technology risks.

I hope people find the material interesting and useful.

SCADA Security Presentation Derek Grocke


Hacking SCADA/SAS Systems Used Techniques, Known Incidents and Possible Mitigations

by Derek on Nov.05, 2009, under SCADA

I have been working in the SCADA engineering, network design, project governance and security area for lots of years.

As a result I have many documents and techniques I will be sharing here. This is the first of many documents which I hope others will find informative and which will help them to understand and shape their approach to these environments.

Local file


Next Generation SCADA Security: Best Practices and Client Puzzles

by Derek on Nov.05, 2009, under SCADA

SCADA Presentation

A cool document I thought I would share. It shows some good understanding and presents some good ideas.


SCADA General Audit Questions

by Derek on Nov.05, 2009, under SCADA

General Questions

  • How can users gain access to the SCADA application?
  • Objective to consolidate access to all information sources – i.e. to make access available to all users via a single interface
  • Are any RAS modems utilised within the SCADA environment?
  • Is the RAS call back feature utilised?
  • Is the mandatory RAS encryption feature used?
  • Are users allowed multiple attempts at authentication on the RAS?
  • Has the RAS auditing feature been enabled?
  • How is access between the business / corporate network and SCADA network controlled?
  • How is the administrator password controlled?
  • How is vendor access to the SCADA network controlled – i.e. password changes after contract has been completed?
  • Are SLAs for outsourced support agreements reviewed on a periodic basis?
  • Are critical components of the SCADA Network supported by a UPS and are these batteries tested on a regular basis to ensure that they are reliable?
  • What capacity management and monitoring of critical SCADA network systems is performed (i.e. CPU utilisation and hard disk drive space)?
  • Are legal warning banners displayed during the login process to the SCADA application and associated infrastructure / devices?
  • Has an intrusion detection system (IDS) been deployed within the SCADA environment?
  • Has security been a focus within the development and deployment of the SCADA network?
  • Are additional staff screenings performed when staff are hired to work within the SCADA environment (inclusive of vendors etc.)?

Policies & Procedures

  • Is there a defined security strategy for the SCADA environment?
  • Who is responsible / accountable for security management within SCADA environment? Has the ownership of this responsibility been clearly defined and/or stated in any documentation?
  • Are there any periodic security reviews of the SCADA network performed?
  • What procedures are in place to handle the disposal of SCADA network media and devices? Additionally, is there a process in place for the disposal of confidential information / documentation?
  • Are there any policies or procedures covering the introduction of new devices to the SCADA environment?
  • What formal change control procedures exist for the SCADA environment?
  • Does a formal disaster recovery plan exist for the SCADA environment?
  • Does a formal business continuity plan exist for the SCADA environment?
  • Do physical and logical security standards differ significantly between SCADA sites?
  • Has a standard operating environment (SOE) minimum baseline standard been developed for systems being introduced into the SCADA environment?
  • What security logs are maintained for critical computer equipment and how often are the logs reviewed?
  • Who is responsible for the reviewing of security logs?
  • Has access to event logs been restricted?
  • Upon commencement of employment, are users provided with IT security information as part of the induction process? Additionally, are users provided with further information on security issues on a periodic basis?
  • What procedures exist to monitor dial-in access?
  • Is there a formally defined backup and recovery procedure?
  • Are encryption techniques and/or passwords applied to backup tapes?

Physical Access

  • How is physical access to SCADA terminals controlled?
  • Are SCADA control rooms segregated from other rooms?
  • What building security exists at remote sites to prevent unauthorised access?
  • What authentication methods are used at remote sites to allow access – i.e. swipe cards?
  • Are external windows at remote sites barred?
  • What alarm systems have been employed at remote sites?

Network Security

  • Have all deployed routers been configured to ensure the filtering of communications that are unauthorised or not required?
  • What traffic control and monitoring capabilities have been deployed – i.e. does all communication travel to a central point before traversing further on the network?
  • How are dial-in facilities to the SCADA environment secured?
  • How is suspicious or unusual activity on the SCADA WAN detected?
  • What firewall configurations have been set up to segregate the SCADA WAN from the United Water corporate network?
  • Are all key filtering devices on the network (such as routers and firewalls) configured to log all attempts to access the network? If so are they reviewed on a regular basis?
  • Have the auditing features of all routers and firewalls been enabled?
  • Has access to event logs been restricted?
  • How is the management of patches / hot fixes controlled in regards to firewalls and routers?
  • What backup and recovery measures are in place for network resources – firewalls and routers?
  • Has SNMP been implemented on core infrastructure?
  • Has any wireless equipment been deployed within the SCADA environment – has this been configured to a secure state?
  • Are all default passwords removed from SCADA devices after implementation?
  • Does a development environment exist to test changes prior to deployment into the SCADA network production environment?
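The firewall, router-filtering and logging questions above are easier to answer consistently with a repeatable check than by reading rulebases by hand. The script below is an added example written for this checklist; it is not code from the original post or from any firewall vendor. The zone layout (corporate LAN, a SCADA DMZ holding the historian, and a control network), the simplified rule format and the sample ruleset are all constructed assumptions. It flags the things the questions ask about: corporate hosts reaching the control zone without passing through the DMZ, unbounded or all-port rules (typically a vendor's "temporary" access that was never removed), cleartext services such as FTP, telnet and SNMP into the SCADA side, rules that do not log, and a ruleset that does not end in a logged default deny.

```python
"""Audit a firewall ruleset for SCADA / corporate segregation.

Added example for the audit checklist; not from the original post.
Zone layout, rule format and the sample rules are constructed (assumptions).
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout: corporate LAN, a SCADA DMZ holding the historian /
# replication server, and the control network holding HMIs, RTUs and PLCs.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "scada_dmz": ipaddress.ip_network("10.50.0.0/24"),
    "control": ipaddress.ip_network("10.60.0.0/16"),
}

# Cleartext services that should not cross into the SCADA side at all.
CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}


@dataclass
class Rule:
    name: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    ports: tuple    # () means any port
    action: str     # "allow" or "deny"
    log: bool       # whether matches are logged


def zone_of(cidr: str):
    """Return the zone a CIDR falls in, or None for 'any' / unknown ranges."""
    if cidr == "any":
        return None
    net = ipaddress.ip_network(cidr)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return None


def audit_rule(rule: Rule) -> list:
    """Return a list of finding strings for one rule (empty if clean)."""
    findings = []
    if rule.action != "allow":
        return findings
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)

    if rule.src == "any" or rule.dst == "any":
        findings.append("unbounded source or destination")
    if not rule.ports:
        findings.append("all ports permitted")
    # The DMZ is the only permitted crossing point: corporate hosts may reach
    # the historian in the DMZ, never the control zone directly.
    if src_zone == "corporate" and dst_zone == "control":
        findings.append("corporate network reaches control zone directly")
    # Control-zone devices should never initiate sessions to corporate hosts.
    if src_zone == "control" and dst_zone == "corporate":
        findings.append("control zone initiates to corporate network")
    for port in rule.ports:
        if port in CLEARTEXT_SERVICES and dst_zone in ("control", "scada_dmz"):
            findings.append(f"cleartext {CLEARTEXT_SERVICES[port]} into {dst_zone}")
    if not rule.log:
        findings.append("rule does not log matches")
    return findings


def audit_ruleset(rules: list) -> dict:
    """Audit every rule; map rule name -> findings, plus a ruleset-level entry."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    last = rules[-1] if rules else None
    if (last is None or last.action != "deny" or last.src != "any"
            or last.dst != "any" or not last.log):
        report["_ruleset"] = ["no logged default-deny rule at end of ruleset"]
    return report


# Constructed sample ruleset (not from any real site).
SAMPLE_RULES = [
    # Historian replication from the DMZ to a corporate reporting server: acceptable.
    Rule("hist-to-corp", "10.50.0.10/32", "10.0.5.20/32", (1433,), "allow", True),
    # Engineering workstations on the corporate LAN straight into the PLC VLAN.
    Rule("eng-to-plc", "10.0.9.0/24", "10.60.1.0/24", (502,), "allow", True),
    # Cleartext FTP from corporate into the DMZ historian for report pickup.
    Rule("corp-ftp", "10.0.0.0/16", "10.50.0.10/32", (21,), "allow", False),
    # Vendor "temporary" any-source, any-port rule that was never removed.
    Rule("vendor-temp", "any", "10.60.0.0/16", (), "allow", False),
    Rule("default-deny", "any", "any", (), "deny", True),
]

if __name__ == "__main__":
    for name, findings in audit_ruleset(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Only the `hist-to-corp` rule passes; the other three allow rules each produce findings that map back to specific checklist questions (segregation, filtering of unrequired traffic, logging). Feeding a real rulebase through this requires only an export step into the `Rule` form, and the ruleset-level check catches the common case where the implicit deny exists but is not logged, which makes the "are access attempts reviewed" question unanswerable.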

Workstation Security

  • What operating systems (version) are installed on SCADA terminals?
  • Have operating system level passwords been activated on all SCADA terminals?
  • Do passwords have an indefinite expiry date?
  • What file and directory permission controls have been implemented on SCADA terminals to restrict unauthorised access by general users?
  • What logs are generated at the operating system level?
  • Has access to event logs been restricted?
  • What tools and services at the operating system level have been restricted for general users?
  • Who is responsible for patch management of SCADA terminals?
  • Has an audit feature been enabled for all SCADA terminals?
  • Are default services available with the operating system restricted?
  • Is virus protection implemented? Is this software manually or automatically updated?
  • Are shares enabled on SCADA terminals / workstations?
  • Are SCADA terminals backed up on a regular basis?
  • Is registry auditing of SCADA terminals performed?
  • Are user reviews and associated access rights performed on a regular basis?

SCADA Application Security

  • What are the username and password requirements of SCADA application?
  • Are session time out features activated?
  • Are complex passwords enforced to access the SCADA application?
  • Are user reviews and associated access rights performed on a regular basis?

System Penetration Testing

  • Internal penetration testing
  • External penetration testing
  • Password strength tests

Changes to the SCADA network

  • Please provide / list all potential changes being considered to the SCADA network.

SCADA considerations

by Derek on Nov.04, 2009, under SCADA

Procedures

  • Corporate Information Protection
  • Security Management
  • Information Classification
  • Physical (and Environmental) Security
  • Personnel Security
  • Security Awareness Training
  • Security Incident Response
  • Security Monitoring
  • Network Security
  • PC/Workstation Security
  • Support and Operational Security Related
  • Encryption and Information Confidentiality
  • Authorization Controls
  • Identification and Authentication Mechanisms
  • Systems Life Cycle Security
  • Business Continuity Planning
  • Media Security
  • Third Party Services

Typical concerns and points discussion:

  • Inbound and outbound FTP
  • Suggest use of DMZ
  • Suggest use of Secure FTP
  • Suggest use of restricted secure IP addresses / tunnelling
  • Suggest use of private feeds

Modem issues used with dial in services

  • No dial back
  • No Authentication
  • No SecurID or other token-based two-factor authentication
  • Possibly automated scripts used, so hard coded usernames and passwords used.
  • Internet sharing may be turned on, allowing routing via workstations.

Increased data security and integrity considerations

  • Data backups
  • System redundancy
  • Site and content filtering
  • Virus protection
  • Standard system procurement (discounts and spares)
  • Network and services redundancy
  • Network monitoring
  • Service availability monitoring
  • Internal controls
  • Vendor / external service supplier
  • Capacity management
  • Change management system
  • Asset management system
  • Telecommunication and telephony bulk cost discounting
  • Etc.

Use and support for corporate application considerations

  • Email
  • Intranet
  • Internet
  • Corporate virus protection
  • Asset management
  • Change management
  • Project management
  • Performance / capacity management
  • Reduction of Cost
  • Use of corporate applications
  • Reduction of manual processes

Other things to keep in mind:

  • The SCADA monitoring system must be isolated from network errors and system events. This will prevent SCADA operational systems being affected by network or corporate system issues / outages.
  • Review Network topology to ensure internal and external vulnerabilities are not currently being and cannot be abused.
  • Review of router configurations
  • Use of change management system
  • Review remote dial in systems
  • Firewall SCADA systems off from corporate applications
  • Uncontrolled networks and systems within the SCADA environment will compromise the corporate environment's integrity and security.
  • Determine if systems used within SCADA are built to a standard operating environment.
