APPS Course , Cyber Security

Cyber Security
Why do we need cyber-security?
To protect against incidents
Incidents may be deliberate (Attack) or accidental
(Negligence)
Impact could be minor
Lose some functionality
Lose some data

Impact could be major

- -P2

Complete shut-down
Loss of supply
Injuries / Damage to equipment
Loss of life

Cyber Security
Why do we need cyber-security?
Accidental Incidents
Untrained personnel have access to critical areas
Trained personnel have access to the wrong
critical areas

Deliberate attacks
Attempt to compromise the behaviour of the
system
Try to cause failure or try to discover information

- -P3

Cyber Security
Why do we need cyber-security?
Why do attacks work?
They capitalise on key weaknesses
Vulnerability Exploitation
Unused services still enabled
known vulnerabilities in standard components

No embedded security

Authentication or Authorisation not implemented

Poorly configured or missing security

mechanisms

Firewalls, routers, Intrusion detection systems

Lack of awareness

Poor practices, inadequate policies, no training

- -P4

Cyber Security
Why do we need cyber-security NOW?
Security by Isolation.
Control networks were cutoff from outside world
Control networks interconnect with other systems
Control network Management system
Management system Corporate network
Corporate network Internet

Security by Obscurity
Proprietary protocols known only to manufacturer
Now giving way to open standards
DNP3, IEC60870-5-103 & IEC60870-5-104, IEC61850

Attackers will (eventually) decode proprietary data

Strong incentives (Money, Coercion)
Clever guys

- -P5

Cyber Security
Who are the attackers?
Criminals

Money (Extortion)
Terrorists

Disruption
Hackers

Challenge
Employees

Coerced, Disgruntled
Former Employees

Revenge
Contract and 3rd Party Staff
All of the above
- -P6

Cyber Security
Areas of Concern
Critical Infrastructure
Power Grid, Financial Systems, Air Traffic Control,
Road/Rail Transport, Nuclear Facilities etc.

Smart Grid
Massive Impact
June 2011 - Tom Fanning, CEO of Southern Company (US
Utility)
"cyber security issues must be resolved before a so-called
smart electricity grid can be fully built
"Southern Co. hires hackers to identify vulnerabilities"
"the power company gets attacked frequently."

- -P7

Cyber Security
What is Cyber-Security?
Cyber-security is achieved through many
approaches.
Access
Authentication
Authorisation
Confidentiality
Integrity
Audit
Detection & Response
Awareness

- -P8

Cyber Security
What is Cyber-Security?
Access.
Limit and control the means, paths, protocols and
ports by which someone (or something) can
access the system or relay.
Firewalls, limits traffic type and TCP/UDP ports
Gateways, filter out undesired traffic
Routers, isolate sections of network
Disabling of unused ports and services

- -P9

Cyber Security
What is Cyber-Security?
Authentication.
Perform checks on someone (or something)
attempting to use the system or relay to ensure
that they are allowed to use it.

What you know.

Username/Password
Personal information (DOB, mothers maiden
name)

What you have

Biometric scan (Fingerprint/Retinal scan)
Swipe card/USB stick
- - P 10

Cyber Security
What is Cyber-Security?
Authorisation.
Ensure that any authenticated user only has authority
(Permission) to perform certain actions.
Each authenticated user has a Role
Commissioning, Administrator, User

Each role has permissions

Read, Write, Create, Delete, Extract, Operate

Permissions assigned to objects

Settings, Measurements, Logs, Controls

E.g. User role has permissions to read measurements and

logs but cant write settings or operate controls
Role Based Access Control (RBAC)

- - P 11

Cyber Security
What is Cyber-Security?
Confidentiality.
Ensure that any critical information is kept secret.
Protect against eavesdropping
Cryptography
Encrypt data in communication streams (Data in
Transit)
Encrypt data held in files (Data at Rest)
Encryption creates its own problems
Speed
Key management

- - P 12

Cyber Security
What is Cyber-Security?
Integrity.
Ensure that any information received from a user
or a remote entity hasnt been tampered with.
Encryption could be used to provide anti-tamper
protection
CRC/Checksums are simpler and easier

Ensure that information is actually from the

person or entity that claims to have sent it.
Signatures & Certificates
Authentication (Challenge/Response)

- - P 13

Cyber Security
What is Cyber-Security?
Audit.
Logging of all changes, user accesses,
uploads/downloads, operations and control
actions.
Logs to be kept in non-volatile memory,
confidentially and integrity ensured.
Logs used in any audit of an incident
Identify what was done
Identify who did it
Identify when it was done

- - P 14

Cyber Security
What is Cyber-Security?
Detection.
Logging of log-on attempts, whether successful
or not.
Monitoring of communication traffic to detect
abnormal conditions
Monitoring of ports to detect undesired traffic
Screening of data to detect malware

Response
Block user account
Generate events and alarms
Remove or quarantine malware
- - P 15

Cyber Security
What is Cyber-Security?
Awareness.
Understanding the risks and consequences
Staff training
Effective Policies that are followed
Employees should not open attachments in emails from
unknown sources.
Maintaining up-to-date anti-virus software on PCs
Carelessness about passwords

Screening and checking of prospective employees

Policy to deal with employees that leave
Deactivate their logon account

Vigilance

If you see something suspicious, report it

- - P 16

Cyber Security
What standards are available?
NERC (North American Electric Reliability Corporation)
Critical Infrastructure Protection (CIP) Standards
intended to ensure the protection of the Critical
Cyber Assets that control or effect the reliability of
North Americas bulk electric systems.

Became mandatory in June 2006

Compliance auditing started in June 2007
From June 2009 utilities face heavy fines for
non-compliance

- - P 17

Cyber Security
What standards are available?
NERC CIP Standards
Eight Standards

- - P 18

CIP-002: Critical Cyber Asset Identification

CIP-003: Security Management Controls
CIP-004: Personnel and Training
CIP-005: Electronic Security Perimeters
CIP-006: Physical Security of Critical Cyber Assets
CIP-007: Systems Security Management
CIP-008: Incident Reporting and Response Planning
CIP-009: Recovery Plans for Critical Cyber Assets

Cyber Security
What standards are available?
IEEE 1686
Directly addresses relays and substations
Provides practical and realistic measures for
securing IEDs
8 character passwords
Levels of access
Logging of changes (for later audit)

- - P 19

Cyber Security
What standards are available?
IEC 62351
Recommends security measures for
communications
IEC61850
IEC60870-5
DNP3

- - P 20

Cyber Security
What standards are available?
IEC 62443
Industrial communication networks - Network and system
security
Part 2-1: Establishing an industrial automation and control
system security program
Part 2-2: Operating a
manufacturing and control systems security program
Part 2-4: Certification of Industrial Security (In Preparation)

- - P 21

Cyber Security
What standards are available?
Other standards and advice
ISA (Instrument Society of America )

- - P 22

ISA-99 Security for Industrial Automation and Control

Systems
CIGRE (Conseil International des Grands Rseaux
lectriques )
D2.22 Information Security
B5.38 Impact of cyber-security on IEC61850 systems
RWE
White Book: Requirements for Secure Control and
Telecommunication Systems
IEEE PSRC H13
And others (UCA, ENTLEC)

Cyber Security
Alstom Px40 Implemenation
Phase 1 (complete)
Improved password scheme
Supports upto 8 characters, Alpha (upper & lower case),
numeric and specials.
Password required to read from relay (read-only level)
Below read-only is a limited read level

Password Blocking

After a number of wrong attempts to enter password, it is

blocked
Blocking is for a configured number of minutes.

Password Encryption

Used by Courier & Modbus

Unused port disabling

S1 Agile will reflect these changes
S1 Agile has its own password
- - P 23

APPS Cyber Security

Roadmap
Future proposals
Improve authentication. (e.g. user name as well as password)
Increase levels of access, (currently 4 but IEEE P1686
proposes 8).
Improve logging. (Currently security events are mixed up with
protection events. Need to be separate.)
IEC61850 & DNP3
Neither of these has been addressed in phase 1
main requirements and measures are defined in IEC62351
but issues with GOOSE authentication

- - P 24

TCP/IP TLS
RBAC
Security Server
Consistent security across all products

Cyber Security
Issues with Cyber-Security
How many devices are there in an average
substation?
How many devices have passwords?
How many substations are there to manage?
How many passwords are there to manage?
Passwords need
Storing
Refreshing
Controlling

- - P 25

Cyber Security
Issues with Cyber-Security
Encryption
Encryption needs keys
How will relays acquire keys?
What will be the remedial action for a key
compromise?
How will interoperability work?

- - P 26

Cyber Security
Some actual attacks
Maroochy Waste Water (Australia)
In 2000 Vitek Boden, a former contractor, used a laptop
computer and a radio transmitter to take control of 150
sewage pumping stations. Over a three-month period, he
released one million liters of untreated sewage into a
stormwater drain from where it flowed to local waterways.
The attack was motivated by revenge on the part of
Mr.Boden after he failed to secure a job with the Maroochy
Shire Council.

Davis Besse Nuclear Power Plant, Ohio

The Slammer worm penetrated a private computer network
at Ohio's Davis-Besse nuclear power plant in January and
disabled a safety monitoring system for nearly five hours,
despite a belief by plant personnel that the network was
protected by a firewall.
- - P 27

Cyber Security
Some actual attacks
StuxNet Worm
In July 2010 a multi-attack vectored virus was discovered
in Siemens PLC equipment used in nuclear power plants
and other industrial applications.
Virus used 4 separate vulnerabilities to install itself on the PC,
including installing a driver.
On PC it looked for Siemens SIMATIC WinCC/Step 7 controller
software
Used another vulnerability to transfer malware to the Siemens
controller
On controller it changed some specific areas of data.
Virus was transferred on USB sticks

- - P 28

Cyber Security
Current Threats
TDL-4
Virus infecting 4 million computers
Uses sophisticated techniques to maintain itself and
avoid detection/elimination
Peer-to-peer communication, encrypted command-&control,anti-virus built in.

- - P 29

Cyber Security
Myth Busting
Cyber-security is an IT problem
Everyones problem

We have a firewall so we cant be attacked

Attackers have many ways to get in, even through the firewall!

Customers are not interested in cyber-security

Utilities will want it or will be legally required to have it

A substation cant be attacked through the internet

Yes it can!

The security I put in last year is OK today

Security requires regular updates and assessments.

My security meets the current standards so I am secure

No youre not!
- - P 30

Cyber Security

Any Questions?

- - P 31