Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS
Tyson Macaulay and Bryan Singer

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2011 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20120113
International Standard Book Number-13: 978-1-4665-1611-3 (eBook - ePub)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

AUTHORS

CHAPTER INTRODUCTION
    Where This Book Starts and Stops
    Our Audience
    What Is an Industrial Control System?
    Is Industrial Control System Security Different Than Regular IT Security?
    Where Are ICS Used?
    ICS Compared to Safety Instrumented Systems
    What Has Changed in ICS That Raises New Concerns?
    Naming, Functionality, and Components of Typical ICS/SCADA Systems
        Supervisory Control and Data Acquisition (SCADA)
        Remote Terminal Unit (RTU)
        Distributed Control System (DCS)
        Programmable Logic Controllers (PLCs)
        Human–Machine Interface (HMI)
    Analogue versus IP
    Industrial Automation Convergence 101: It Is Not Just Process Data Crowding onto IP
    Convergence by Another Name
    Taxonomy of Convergence
        Triple-Play Convergence
        Transparent Convergence
        Blue-Sky Convergence
    The Business Drivers of IP Convergence
        Cost Drivers
        Competitive Drivers
        Regulatory Drivers
    The Conflicting Priorities of Convergence
    ICS Security Architecture and Convergence
    The Discussions to Follow in This Book
    Endnotes

CHAPTER THREATS TO ICS
    Threats to ICS: How Security Requirements Are Different from ICS to IT
    Threat Treatment in ICS and IT
    Threats to ICS
        Threat-To and Threat-From
        The Most Serious Threat to ICS
        Collateral Damage
        Whatever Happened to the Old-Fashioned E-Mail Virus?
        Money, Money, Money
        The Fatally Curious, Naïve, and Gullible
    Hi-Jacking Malware
        No Room for Amateurs
        Taxonomy of Hi-Jacking Malware and Botnets
        Hi-Jacking Malware 101
        Characteristics of a Bot (Zombie/Drone)
        The Reproductive Cycle of Modern Malware
        A Socks 4/Sock 5/HTTP Connect Proxy
        SMTP Spam Engines
        Porn Dialers
    Conclusions on ICS Threats
    Endnotes

CHAPTER ICS VULNERABILITIES
    ICS Vulnerability versus IT Vulnerabilities
    Availability, Integrity, and Confidentiality
    Purdue Enterprise Reference Architecture
        PERA Levels
        Levels and 4: Enterprise Systems
        Level 3: Operations Management
        Level 2: Supervisory Control
        Level 1: Local or Basic Control
        Level 0: Process
        An Ironic Comment on PERA
    Data at Rest, Data in Use, Data in Motion
    Distinguishing Business, Operational, and Technical Features of ICS
    ICS Vulnerabilities
        Management Vulnerabilities
        Operational Vulnerabilities
        Technical Vulnerabilities
        Functional Vulnerabilities
    ICS Technical Vulnerability Class Breakdown
    Technical Vectors of Attack
        IT Devices on the ICS Network
        Interdependency with IT
        Green Network Stacks
        Protocol Inertia
        Limited Processing Power and Memory Size
        Storms/DOS of Various Forms
        Fuzzing
        MITM and Packet Injection
    Summary
    Endnotes

CHAPTER RISK ASSESSMENT TECHNIQUES
    Introduction
    Contemporary ICS Security Analysis Techniques
        North American Electricity Reliability Council (NERC)
        National Institute of Standards and Technology (NIST)
        Department of Homeland Security (DHS) ICS Risk Assessment Processes
        INL National SCADA Test Bed Program (NSTB): Control System Security Assessment
        INL Vulnerability Assessment Methodology
        INL Metrics-Based Reporting for Risk Assessment
        Ideal-Based Risk Assessment and Metrics
        CSSP Cyber Security Evaluation Tool (CSET)
        U.S. Department of Energy: Electricity Sector Cyber Security Risk Management Process Guideline
    Evolving Risk Assessment Processes
        Consequence Matrices
        Safety Integrity Levels and Security Assurance Levels
        Security Assurance Level
        SAL-Based Assessments

Internet of Things (IOT), 163–164, 182, 185
Internet Protocol
    convergence; See Network convergence
    dominance of, 40
    IPv6; See IPv6
    spoofing of, 133
Internet Relay Chat (IRC), 70–71
Internet, growth of, 25
Intrusion detection systems (IDS), 66, 131
Intrusion prevention systems (IPS), 66
IPFIX, 155
IPv6
    advantages of, 183
    disadvantages of, 183
    dual-stack networks, 170–171, 174
    efficiency, 165
    encryption, 180
    ICS sensors and, 182–183
    ICS usage and, 165–166
    IPv4, versus, 165, 167
    overview, 164–165
    requirements, 167–168
    route management, 166
    security of, 166, 167, 180–182, 183–184
    test labs, 168–169, 170–172, 174
ISA-99, 147–148

K
Killer apps, 25

L
Linux, 114
Loss of control (LoC), 110, 112–113, 114, 120
Loss of view (LoV), 108–109, 112, 114, 120
Low-power wireless personal area (LoWANs), 182, 183–185

M
Malicious code, 17
Malware, 59, 60–61, 62, 64–68, 69
    network resources, consumption of, 114–115
    new devices, attacks on, 104
    reproductive cycle of, 72, 73–75
Man-in-the-middle (MITM) attack, 94, 121–122, 132
Manipulation of control (MoC), 110–111, 113, 114, 122
Manipulation of view (MoV), 109, 113, 114
McAfee, 57, 159
Modbus, 4, 24, 41, 117
MS Messenger, 63
Multicasting, 180
MySpace, 63

N
National Institute of Standards and Technology (NIST), 3, 6, 59
    800-53, 128, 129
    800-82, 46, 50, 100, 128
    ICS risk assessment guidelines, 126, 128–129
National SCADA Test Bed Program (NSTB), 130–131, 132
Netflow, 155, 156
Network convergence
    blue-sky convergence, 31–32
    competitive drivers, 36–37
    cost drivers, 33–36
    definition, 25, 27–28
    origins, 25, 26
    priorities, 38–40
    regulatory drivers, 37–38
    transparent convergence, 30–31
    triple-play, 29, 31
North American Electricity Reliability Council (NERC), 5, 126–128
Nuclear Regulatory Commission,

O
Occupational Safety and Health Administration (OSHA), 140
Open Process Control (OPC), 117, 118
Open Shortest Path First (OSPF), 35
Open-source tools, 133
Organized crime, 59
OSI protocol, 25
Overall equipment effectiveness, 148–149
Overall equipment effectiveness, security, 149–152

P
Packet injection, 122, 123
Packet storms, 119–120
Passwords, 63
Phishing, 59
Pneumatic systems, 22–23
Porn dialers, 69, 78–79
Process control network (PCN), 50
Process Control System Forum,
Process control systems (PCS), 6, 18, 19
    overview,
Profibus, 4, 41, 117
Programmable logic controllers (PLCs), 20–21, 107, 110, 116, 118
Protocol inertia, 116–118
Public Safety Canada, 58
Public switched telephone network (PSTN), 29, 101
Purdue Enterprise Reference Architecture (PERA)
    development, 92–93
    level 0, 91
    level 1, 91, 93
    level 2, 90–91
    level 3, 90
    overview, 89

R
Radio-frequency identifier (RFID) tags, 32, 163, 183
Remote access procedures, 101
Remote terminal units (RTUs), 20, 60, 107, 110, 116, 118
Risk assessment; See also Security analysis, ICS
    consequence matrices, 138–139
    Control Systems Security Program (CSSP); See Control Systems Security Program (CSSP)
    DOE methodology, 136–137
    Homeland Security process, 129–130
    ideal-based metrics, 134, 135
    metrics-based reporting, 133–134
    overall equipment effectiveness, 148–149
    security assurance level; See Security assurance level
    security OEE, 149–152
Router announcements (RAs), 169

S
Safety instrumented systems (SIS), 141
    controls, 14
    description of, 14
    design of, 14
    failure rates, 14
    industrial control system (ICS) security, support for, 15
    industrial control system (ICS), versus,
    IP networks, integration on, 15, 42
    probabilistic threats to, 14–15
    safety requirements, 14
Safety integrity level (SIL), 43, 140
Secure socket layer (SSL), 93
Security analysis, ICS; See also Risk assessment
    Control Systems Security Program (CSSP); See Control Systems Security Program (CSSP)
    Homeland Security ICS risk assessment process, 129–130
    INL National SCADA Test Bed Program (NSTB), 130–131, 132
    National Institute of Standards and Technology (NIST) guidelines, 128–129
    network-centric analysis, 153–154, 155–157, 159–160
    North American Electricity Reliability Council (NERC) guidelines, 126–128
    overview, 125
    safety integrity level (SIL); See Safety integrity level (SIL)
    security assurance level; See Security assurance level
    vulnerability assessment methods, 131–133
Security assurance level, 140
    achieved SAL, 143
    assessments based on, 144–145
    capability SAL, 143
    definition, 141
    description, 142–143
    design SAL, 143
    future of, 147–148
    SIS, versus, 141–142
    target SAL, 143
    workflow, 145, 147
Security, industrial control system (ICS)
    acceptance testing, 104–105
    accountability, 99–100
    administrative roles, 101
    age of, 54
    analysis of; See Security analysis, ICS
    attack vectors, 113–114
    best practices, 42
    budgeting, 100
    business controls, 95
    challenges,
    collateral damage to, 54, 59
    consequences of failures of,
    corporate assets, 62–63
    CPU utilization management, 119
    cyber threats to,
    data segregation, 100–101
    design of, 53–54
    direct strikes, 68
    Domain Name Server (DNS) attacks, 157–159
    engagement, management, 100
    governance, 99
    hardening guidelines, 101–102
    importance of, 18
    incident detection, 102–103
    IT security, versus, 8, 9, 50, 53, 99–100
    management of, 8, 103–104
    manifestations of security issues,
    operational controls, 95–96
    oversight, 99
    overview, 1–2
    passwords; See Passwords
    policies, 99–100
    protocol inertia, 116–118
    random hits to, 59
    remote access procedures, 101
    reporting procedures, 102–103
    risk assessment; See Risk assessment
    seriousness of threats, 28
    servers, 102
    standards, 1–2, 5–6
    technical controls, 96
    threats, 54–56
    threats-from, 57–58
    threats-to, 57, 58, 79–80; See also specific threat types
    wireless systems deployment, 101–102
Security, physical, 30
Siemens H1, 24, 117
Six Sigma, 149
Smart phones, 163
SMTP spam engines, 78
Social engineering, 63
Socks proxies, 75, 76–78
Spam, 59, 62, 78
Spam and Open Relay Blocking System (SORBS), 77
SpamHaus, 77
Spoofing, IP, 133
Statement of sensitivity (SOS), 138
Stuxnet, 1,
Supervisory control and data acquisition (SCADA), 4, 6, 18, 19
    changes of state, 19
    overview, 19
Symantec, 17, 57

T
Telecommunications regulation, 37
Telepresence, 32
Test Bed Program; See National SCADA Test Bed Program (NSTB)
Transmission Control Protocol (TCP), 24, 87, 116
    routing layer, 25
    SYN flood attacks, 145
Transparent convergence, 30–31
Triple play, 27, 29, 31
Trojan horses, 61
Twitter, 63

U
UK Centre for Protection and National Infrastructure, 42
User Datagram Protocol, 86, 87, 156

V
Video streams, encryption of, 88
Virtual LANs (VLANs), 50, 169
Viruses, e-mail, 60
Voice-over IP (VOIP), 29, 37, 84, 87, 93
    presence applications, 34

W
Wide area networks (WANs), 26
WiFi, protocols, 27
WiMax, 102
Windows Media player, 63
World Wide Web, 26
Worms, 60

X
XML, 34

Z
Zero-day exploits, 59, 61
Zombie botnets, 156; See also Botnets