File name: Semaphore SCADA SECURITY UPDATE.pdf
  Category: Other
  Development tool:
  File size: 623kb
  Downloads: 0
  Upload time: 2019-10-31
  Provider: weixin_********
 Description: Semaphore SCADA SECURITY UPDATE (PDF)

SCADA SECURITY UPDATE

a) Security policies
b) Asset inventory
c) Access requirements and controls
d) Threats and vulnerabilities
e) Consequences of a security breach
f) Authorized technology
g) Change management process

For a SCADA system, ANSI/ISA-99, Part 1 defines various logical zones, including the Enterprise Zone, which is generally considered the IT system, and the SCADA Zone, which includes the subsystems we normally associate with a SCADA system:

- Control Center Zone, or Primary and Backup Control Center Zones
- Serial or IP network
- Control Zones, which are the remote sites normally associated with RTU installations

ANSI/ISA-99, Part 1 includes two versions, one of which encloses the entire SCADA system in a single security zone. The other is the "separate zones" model. In the separate zones model, control center zones and control zones are defined with differing characteristics. The control zones are the locations which are usually remote from the control centers and include the RTU equipment. It is conceivable that one control zone can have much different characteristics from another. For example, one location could be classified as more vulnerable or have higher risks than another.

NERC CIP-005-1 requires an electronic security perimeter for what are termed "critical cyber assets". While it is not explicitly stated in CIP-005-1, the electronic security perimeter concept does apply to ANSI/ISA security zones, and there is general consistency between the two standards in definitions of assets and other terms. CIP-006-1 provides physical security requirements and, again, is not inconsistent with ANSI/ISA-99 Part 1.

This white paper will describe measures in terms of applicability to ANSI/ISA-99 as well as NERC CIP as much as possible.

Figure 1. Shown here is a simplified representation of the security zones for SCADA systems. [Figure: Control Zones (remote process installation; operators including an RTU, HMI device, etc.); Serial or IP Networks, Internet or Intranets (could be outside secure zones); Control Center Zone (SCADA computer system, SCADA servers, HMI/clients, and data communication equipment; there can be Primary and Backup Control Center Zones). Local users in or near Control Zones present a special case for security.]

The white paper will focus on the control zones and their interfaces to the wide area network. Remote sites provide numerous characteristics which differ significantly from those associated with the Enterprise Zone or Control Center Zones. Since the latter two have been explored much more thoroughly, there is more to offer if we focus on control zones. In addition, the wide area network in SCADA systems presents a very interesting set of characteristics, as it is typically outside of any of the operator's security zones.

Securing the RTU Devices at Remote Sites

In SCADA systems, the control zones are normally in remote areas, away from control center zones. This presents a number of unique characteristics which are notably different from control centers as well as plant processes. We will consider both the cyber and physical threats and offer measures in terms of monitoring for intrusions as well as prevention. The term RTU will be used for the electronic monitoring and control device at these locations. Please keep in mind that the device could actually be a PAC, PLC, or a product that uses some other three-letter abbreviation.

Addressing RTU Cyber Threats - Prevention

In many systems, it is simply too easy to gain access via an RTU local serial port or, even worse, a dial-up, radio or other network link that makes the RTU accessible from practically anywhere in the world. How important is this aspect compared to the rest of the SCADA system? In the attack in Australia, Vitek Boden targeted the remote stations by using a radio to access serial ports and was able to operate pumps.

RTU ports can basically fall into one of two groups: local and remote. Local ports are wired directly to nearby equipment such as analyzers, flow meters, pressure transmitters and a PC or other HMI device. Wireless interfaces are becoming more popular for local links, e.g. wireless HART between an RTU and pressure transmitter and Bluetooth between a laptop PC and the RTU. If the RTU is not in a physically secure zone, a major risk is that anyone can plug into, or wirelessly access, the local port that is intended for configuration, taking readings and other local operations via a PC. Unfortunately, it is too easy to say that it is mandatory for the RTU to be physically secure and be done with it. Today's trend toward wireless communications, even for "local" functions, reintroduces the risk of intrusion because the radio range can extend beyond the physically secure zone. A wireless local link thus shares a major risk with a remote port, which is defined as one with a modem, radio or other physical connection to a wide area network. Since much of a SCADA wide area network is located, both physically and logically, outside of any of the operator's secure zones, this is a major cause for concern.

Authentication has emerged as the cyber security provision of choice when it comes to remote port access. In some cases, protocol standards are being amended to adopt authentication.
The DNP Users Group Steering Committee has recently ratified a security extension that mandates the authentication of master devices through the use of one-way cryptographic hash functions employing a shared key in order to access critical DNP functions. These critical functions include write, select, operate, direct operate, cold restart, warm restart, initialize application, start application, stop application, enable unsolicited responses, disable unsolicited responses, record current time and activate configuration. Authentication ensures that messages arriving at the RTU come from the control center, or other legitimate asset, in the SCADA system.

Since the SCADA wide area network can be located mostly outside of any security zone, it is subject to eavesdropping. A number of years ago, Bill Rush of the Gas Technology Institute (GTI) proposed SCADA message encryption to address this risk. As Bill pointed out, if someone can eavesdrop and learn to recognize messages, the party can likely also practice spoofing, that is, inject commands which can operate process equipment or corrupt proprietary information. This is the thrust behind the SCADA encryption standardization effort, which was originally proposed as American Gas Association (AGA) Report No. 12. Since then, the technical standards community has favored authentication over encryption, primarily because it is much less resource-intensive and can more reasonably be retrofitted in existing systems. In any event, encryption standardization efforts continue and encryption is finding its way into new installations. Some data communication devices, such as radios, offer it as an option. Many IP-based systems use encryption and, for those users replacing direct-wire local links with wireless, it is also a feature of Bluetooth.

Figure 2. The SCADA protocol, e.g. DNP3, carries commands and uploads information on process operations, including alarms, live data and historical data. While the SCADA protocol handles all operations messaging, SNMP is used for device status and security monitoring. RTU devices use authentication to ensure that SCADA messages originate from legitimate assets. SNMP simultaneously carries "shadow data" such as device status and site security monitoring information. [Figure: SCADA network linking the Control Center Zone (SCADA computer system, operators) with the Control Zones.] Semaphore RTU products such as the G30, shown below, are Industrial Defender Enabled, as they support Industrial Defender's monitoring and reporting via SNMP.

Addressing RTU Cyber Threats - Monitoring and Detection

At a minimum, the RTU must be able to log all activity on local or modem ports and report it to operators on the SCADA network. NERC CIP-005-1 requires 24/7 logging at all access points to the electronic security perimeter.

The Simple Network Management Protocol (SNMP) is emerging as a vehicle for security monitoring in SCADA networks. Traditionally used by IT to monitor components such as routers, servers and switches, SNMP is now being employed to monitor remote sites. For example, such control zone parameters as main power status, battery voltage, cabinet temperature, and door switch status can be reported via SNMP. Similarly, SNMP can report activity on RTU serial ports. That information can be used for intrusion detection. SNMP operates over TCP/IP links and can function concurrently with other SCADA protocols. While DNP3 or IEC 60870-5 protocols are used to transfer process or operational information between the SCADA server and the RTUs, SNMP is used, over the same physical network, in a background mode, transferring shadow data that is used for system health monitoring and security.

In this architecture, a Semaphore RTU is Industrial Defender Enabled.
The Industrial Defender Risk Mitigation platform is a central monitoring system for the health, status and security state of critical cyber assets. By using Industrial Defender to maintain an ongoing inventory of cyber assets, automatic reporting is provided for CIP-005-1 compliance. The monitoring and reporting feature within Industrial Defender greatly reduces any manual reporting burden on the entity's IT staff.

Addressing RTU Physical Threats - Prevention

Following are measures to physically secure the RTU installations in your SCADA system.

The best practice for RTU location is to place it in a physically secure area. Risk is significantly decreased if the RTU is installed in a location with access control.

Keep information about RTU locations secured. Risk is also significantly decreased if as few people as possible know the location of the RTU in the first place.

Similarly, power and network cabling should be kept secure and out of sight. Information on their routing and termination locations should be secured.

In case of a main power failure, the RTU should include adequate battery backup to continue all operations for a time you determine. This time depends on how long you feel it could take to restore main power. Note that this does not mean how long it could take for operators to find out about the problem. The alarm system must inform operators of a main power failure immediately; we will cover that more in the next section on monitoring and detection. Typical RTU backup times are between eight and 72 hours, the latter taking three-day holiday weekends into consideration.

The backup batteries should be secured inside a locked cabinet with ventilation. For outdoor locations, the most appropriate rating is NEMA 3R or IP14. You must periodically maintain the batteries on a schedule provided by the battery supplier. You can expect a maximum of a five-year lifetime from lead acid cell batteries, but you should check them at least once per year. In areas in which temperatures are often at the extremes of the operating range, battery lifetime is significantly reduced. The RTU should continually monitor the batteries and set an alarm if they lose their charge. If their condition is in doubt, replace the batteries.

Include line filters and surge suppression on the power input. Accidentally or otherwise, power problems should not take the RTU out.

Always keep RTU cabinet doors closed and secured. Once the door is opened, it is just too easy to cause any number of problems.

If the RTU is not in a physically secure area, then you must keep keypads, pushbuttons, and switches secured. Users should have to open up a door that is secured by access control, which could be as simple as a key lock, in order to access these devices.

Figure 4. Once the remote installation is started up, keep those panel doors closed and locked at all times! Availability of an HMI and manual controls on the outside of the front door require this room to have access control. (Photo courtesy n Gen Technologies Inc.)

Of course, this is all easy to say, but what do you do about an existing installation? In most cases, it has been feasible to secure the room or building in which the RTU is located. In cases where this has been impossible, it was better to secure the RTU inside a locked cabinet or put a gate around it. Ideally, both the room and the RTU enclosure are secured. However, you may have to settle for one or the other.

Finally, be on the alert for innovative methods of disabling the RTU. In other industries, computer equipment has been disabled through the use of fire extinguishers, other chemical spray, excessive dust or sand, flooding sprinkler systems, radio interference and surges on wiring. Vulnerability assessments must include such scenarios, even though they would likely be far down the list in terms of risk. Best practices in terms of locating and physically securing the RTU should prevent these problems.

Addressing RTU Physical Threats - Monitoring and Detection

The RTU should detect entry into the physical secure zone via an access control device, that is, when a door or gate is opened, and alert operators via an alarm.

The RTU should continually monitor main power and report an alarm on main power failure.

The RTU must be able to report that a user has plugged a hand-held device or PC into the local port, or gained access via Bluetooth or other local wireless link. This could be an alarm, but some users simply log it as an event.

Log an event when the user signs on by entering a password. Log an event for each value change the user makes. Operators must be aware that value changes are being made locally. Log an event when the user signs off, and either log an event or clear/reset the alarm when the user unplugs the hand-held device or PC. If the user forgets to sign off, the RTU should automatically do this after a set time.

Clear/reset the alarm when the door closes. What if the user forgets to close the door? The original alarm, set upon opening of the door, should continue to be displayed as a live alarm. As a further provision, you can consider escalating that alarm after a certain time.

Figure 5. Featuring alarm management, data logging, programmability, integral battery charger/power management, secure DNP3 and SNMP as well as "push" messaging to multiple recipients, the T-BOX RTU is ready for installation in a secure SCADA system.

Coordinate the alarms mentioned thus far with operating procedures. These procedures should include schedules for site visits and ways to keep operators informed regarding them. Don't disable alarms just because operators know that a site visit is taking place.
Keeping alarming active reinforces procedures and allows the alarms to be kept in a hi

The RTU should not only report alarms over the SCADA network on a priority basis, it should also keep a date-and-time-stamped record of all alarms and events locally in memory. The memory must be non-volatile: RAM must be backed up by a battery, and flash, which does not require battery backup, is now being used more often. Many of today's RTU products incorporate data logging capability, including maintenance of an alarm/event log. In the gas flow computer business, this is known as the audit trail.

One problem with an alarm/event log is a noisy alarm condition whose recurring messages fill it up. Not only is this very annoying but, worse, meaningful messages drop out and are permanently lost. In most cases, it is simple to automatically filter out these transitions or disable the alarming characteristic of the misbehaving input.

The alarm/event log is an excellent backup in case of problems with the SCADA host or network, which could cause alarm reports and event logs to be lost. Typically, it allows the user to access all such information locally. In addition, many RTUs will allow the audit trail, as well as historical averages and totals, to be transmitted to the SCADA host once communication is restored.

You have seen that many of the security tactics in this section involve use of the RTU for alarm reporting. Please be aware that a common problem with SCADA alarm systems is that engineers are tempted to define too many points as alarms. These quickly become "nuisance" alarms, which are ignored. You should avoid this situation because the alarm system should never lose credibility with operators for any reason. Far worse than that, it creates a situation in which an operator can be easily overloaded and overlook an important development. It is even possible that a security violation can occur because operators are decoyed by a deliberate overload. Your alarm system design should define alarm points as sparingly as possible, and it should use alarm management as a further measure to reduce the quantity of alarms generated from any process or zone.

Finally, for remote site security, using the RTU to report alarms for fire, smoke, water spray or water flooding is also very feasible. The RTU can also be put in the security loop through interfaces with access control devices and video cameras. This will be the subject matter of another white paper from Semaphore.

Design Practices in Case of Failures

Best practice system design calls for provisions in case of various failures (or breaches) of the SCADA system.

In case the host computer or network fails, the RTU should independently monitor and control the process. Remote processes, today, should not depend on the availability or performance of the network.

The RTU should continue operating even in case the network is jammed or one or more ports are kept busy. While this would amount to a denial-of-service attack on the RTU, we have seen many cases in which the SCADA network was simply overloaded. The multitasking kernels in today's RTUs prioritize tasks and allow the measurement and control functions to continue even with heavy activity on the network.

You should also consider a redundant network. Competition in the communications industry has resulted in decreasing pricing for hardware that includes cellular radio, licensed radio, spread spectrum radio and wireless Ethernet. I know some users will scoff at this because they've found that selecting even one network is difficult enough. But, increasingly, users are installing redundant SCADA networks. Most SCADA software will automatically switch over to a standby network if the primary network fails. At the RTU, the standby network uses a separate communication port that is not affected by problems on the primary network port.

To detect tampering with process equipment, you can use sanity limits or sanity condition tables to validate commands or process conditions. Even though no RTU includes expert system software, you can still put your expertise in the RTU program, whatever the programming language. If you know that all three influent pumps shouldn't be on when the settling basin is at 12 feet, put that in the RTU. The RTU should know that the chlorinator shouldn't be set on maximum when the flow is only 0.4 MGD. Your first reaction might be that this would add too much complexity to the RTU, but some languages make the programming almost as easy as making the statement. If access control is violated and someone manually changes a process equipment setting, the RTU could detect it and report an alarm.

Finally, best practices for system design call for provisions in case of RTU failure, regardless of security issues. Upon failure, what happens to the control outputs, with or without power, is a basic design issue. If power remains available, many devices allow selection of a "safe mode" for the outputs. Process equipment continues to run in a reasonable manner. You also need a separate provision to cover the case in which the RTU fails and all power is lost. Equipment run using backup power must have a "safe" default setting.

Many users have rock solid procedures for activity at the sites in response to any failure or security breach in the SCADA system. You need to be in this category.

Conclusion

Today, information that is widely available and products and technologies which are now on the market allow SCADA system operators to install and maintain very secure systems. Utilities need to be well aware of NERC CIP, which requires compliance in your planning, processes and procedures.
Meanwhile, ANSI/ISA-99 is a work in process. Part 1, which is now available, establishes important "common ground" in definitions of security-related concepts, assets, risks, threats, and vulnerabilities. Users, today, can assess threats, both physical and cyber-related, and implement measures for detection as well as prevention of intrusions and attacks in their SCADA systems.

SCADA Security Checklist

Prevention
1. Use authentication (e.g. Secure DNP3) on all remotely accessible serial ports
2. Use encryption if available, e.g. on Bluetooth and IP connections
3. Note that password security is a minimum measure, which does not eliminate cyber risks
4. Locate the RTU in a physically secure area with access control
5. If the RTU is not in a physically secure area, then you must keep keypads, pushbuttons and switches physically secured, e.g. behind a locked door
6. Always keep RTU cabinet doors closed and locked
7. Keep information about RTU locations secured
8. Power and network cabling must be secure and out of sight
9. Keep information on cable routing and termination locations secured
10. Use battery backup in case of main power failure and consider backup times up to 72 hours
11. Backup batteries must be physically secured
12. Keep up with battery maintenance
13. Include line filters and surge suppression on the power input
14. Vulnerability assessments must consider risks from chemical spray, wind-blown dust or sand, flooding sprinkler systems, radio interference and surges on wiring

Monitoring and Detection
1. Log all activity on all serial ports, local and remotely accessible, e.g. SNMP reporting of "shadow data" to the Industrial Defender Risk Mitigation platform
2. The RTU should detect entry into the physical secure zone via an access control device and alert operators via an alarm
3. The RTU should continually monitor main power and report an alarm upon failure
4. The RTU must be able to report an alarm or event when a user has plugged a hand-held device or PC into the local port, or gained access via Bluetooth or other local wireless link
5. Log an event when the user signs on by entering a password
6. Log an event for each value change the user makes
7. Log an event when the user signs off
8. Either log an event or clear/reset the alarm when the user unplugs the hand-held device or PC or disconnects a wireless link, e.g. Bluetooth
9. Clear/reset the "door open" alarm when the door closes
10. Coordinate all alarms and events, mentioned above, with operating procedures
11. Don't disable alarming when users are visiting a site
12. The RTU should maintain a local, date and time-stamped alarm/event log in non-volatile memory as a backup of the alarm reporting mechanism over the SCADA network
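The shared-key, one-way-hash authentication of master devices that the white paper describes for critical DNP functions, modelled here as an added Python example (not Semaphore code and not the DNP3 Secure Authentication wire format): the outstation issues a fresh challenge and executes a critical function only when the master's keyed-hash response over that challenge verifies. The function names in CRITICAL_FUNCTIONS are taken from the paper's list; the Outstation class, master_response and the sample key are this example's own.

```python
import hmac
import hashlib
import os

# The functions the white paper lists as "critical" under the DNP Users Group
# security extension; the RTU challenges the master before acting on any of them.
CRITICAL_FUNCTIONS = {
    "write", "select", "operate", "direct_operate", "cold_restart",
    "warm_restart", "initialize_application", "start_application",
    "stop_application", "enable_unsolicited", "disable_unsolicited",
    "record_current_time", "activate_configuration",
}


class Outstation:
    """Hypothetical RTU side of a shared-key challenge/response (simplified model)."""

    def __init__(self, shared_key: bytes):
        self._key = shared_key
        self._pending = {}  # outstanding challenge nonce -> function it was issued for
        self.log = []       # activity log the RTU would report to the SCADA host

    def request(self, function: str):
        """Non-critical functions (e.g. read) run at once; critical ones get a challenge."""
        if function not in CRITICAL_FUNCTIONS:
            self.log.append(("executed", function))
            return "ok", None
        nonce = os.urandom(16)  # fresh per challenge, so a captured reply cannot be replayed
        self._pending[nonce] = function
        return "challenge", nonce

    def respond(self, nonce: bytes, function: str, mac: bytes) -> bool:
        """Execute the critical function only if the keyed hash over (nonce, function) matches."""
        issued_for = self._pending.pop(nonce, None)  # a nonce is accepted once, then discarded
        if issued_for != function:
            self.log.append(("rejected", function))
            return False
        expected = hmac.new(self._key, nonce + function.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            self.log.append(("rejected", function))
            return False
        self.log.append(("executed", function))
        return True


def master_response(shared_key: bytes, nonce: bytes, function: str) -> bytes:
    """Master side: keyed one-way hash over the challenge and the function being requested."""
    return hmac.new(shared_key, nonce + function.encode(), hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample key for the demo, not a real one
    rtu = Outstation(key)
    print(rtu.request("read"))                                                   # ('ok', None)
    kind, nonce = rtu.request("operate")
    print(rtu.respond(nonce, "operate", master_response(key, nonce, "operate")))  # True
    print(rtu.respond(nonce, "operate", master_response(key, nonce, "operate")))  # False (replay)
    kind, nonce = rtu.request("cold_restart")
    print(rtu.respond(nonce, "cold_restart", master_response(b"wrong", nonce, "cold_restart")))  # False
```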
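The alarm and event behaviour described under "Addressing RTU Physical Threats - Monitoring and Detection" and items 2 and 4 to 9 of the checklist, together with the noisy-input filtering from the alarm/event log discussion, modelled as an added Python example (a hypothetical model, not Semaphore firmware): a door-open alarm stays live until the door closes and escalates if left open, local-port connection, sign-on, value changes and sign-off are logged with time stamps, an idle user is signed off automatically, and a chattering input is muted so it cannot flood the log. The class name, timeouts and input names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DOOR_ESCALATE_AFTER = 30 * 60   # seconds a door-open alarm may stay live before it is escalated
AUTO_SIGNOFF_AFTER = 15 * 60    # seconds of local inactivity before the RTU signs the user off
CHATTER_LIMIT = 5               # transitions within CHATTER_WINDOW before an input is muted
CHATTER_WINDOW = 60             # seconds


@dataclass
class RtuSecurityMonitor:
    """Hypothetical model of the alarm/event behaviour the white paper describes."""
    log: List[tuple] = field(default_factory=list)                  # (time, ALARM|EVENT, text)
    live_alarms: Dict[str, float] = field(default_factory=dict)     # alarm name -> time set
    escalated: Set[str] = field(default_factory=set)
    user: Optional[str] = None
    last_activity: float = 0.0
    transitions: Dict[str, List[float]] = field(default_factory=dict)  # input -> recent times
    muted: Set[str] = field(default_factory=set)                    # chattering inputs

    def _record(self, t: float, kind: str, text: str) -> None:
        self.log.append((t, kind, text))   # would go to non-volatile memory on a real RTU
    def _chattering(self, t: float, name: str) -> bool:
        # Filter a noisy input so its recurring transitions cannot fill the log.
        recent = [x for x in self.transitions.get(name, []) if t - x <= CHATTER_WINDOW] + [t]
        self.transitions[name] = recent
        if name in self.muted:
            return True
        if len(recent) > CHATTER_LIMIT:
            self.muted.add(name)
            self._record(t, "EVENT", f"{name}: chattering input, further transitions suppressed")
            return True
        return False
    def door(self, t: float, opened: bool) -> None:
        if self._chattering(t, "door"):
            return
        if opened:                                  # stays live until the door is closed
            self.live_alarms["door_open"] = t
            self._record(t, "ALARM", "door opened")
        else:
            self.live_alarms.pop("door_open", None)
            self.escalated.discard("door_open")
            self._record(t, "EVENT", "door closed, alarm cleared")
    def local_port(self, t: float, connected: bool, link: str = "serial") -> None:
        if connected:
            self.live_alarms["local_port"] = t
            self._record(t, "ALARM", f"device connected on local {link} port")
        else:
            self.live_alarms.pop("local_port", None)
            self.sign_off(t, reason="device disconnected")
            self._record(t, "EVENT", f"device disconnected from local {link} port")
    def sign_on(self, t: float, user: str) -> None:
        self.user, self.last_activity = user, t
        self._record(t, "EVENT", f"user {user} signed on")
    def value_change(self, t: float, point: str, old: float, new: float) -> None:
        self.last_activity = t
        self._record(t, "EVENT", f"user {self.user} changed {point}: {old} -> {new}")
    def sign_off(self, t: float, reason: str = "user request") -> None:
        if self.user is not None:
            self._record(t, "EVENT", f"user {self.user} signed off ({reason})")
            self.user = None
    def tick(self, t: float) -> None:
        """Periodic housekeeping: idle auto sign-off and escalation of a door left open."""
        if self.user is not None and t - self.last_activity >= AUTO_SIGNOFF_AFTER:
            self.sign_off(t, reason="idle timeout")
        since = self.live_alarms.get("door_open")
        if since is not None and "door_open" not in self.escalated and t - since >= DOOR_ESCALATE_AFTER:
            self.escalated.add("door_open")
            self._record(t, "ALARM", "door still open, alarm escalated")
```

Call tick() from the RTU's periodic task; everything else is driven by the door switch, port and sign-on inputs.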
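The sanity condition table from "Design Practices in Case of Failures", as an added Python example (not Semaphore code): each command is applied to a copy of the current process values and rejected if it would create a combination the table calls implausible, and a second check flags a setting that no longer matches what the RTU last commanded, which is how the paper suggests a manual change after an access-control violation could be detected. The two rules are constructed from the paper's own examples (three influent pumps at a 12 ft basin level, chlorinator at maximum at 0.4 MGD); the point names, units and helper names are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, float]   # point name -> current value (constructed point names)


@dataclass(frozen=True)
class SanityRule:
    name: str
    violated: Callable[[State], bool]   # True when the combination of values is implausible


# Constructed rules modelled on the two situations the white paper gives as examples.
RULES: List[SanityRule] = [
    SanityRule(
        "all three influent pumps on with settling basin at or above 12 ft",
        lambda s: s["basin_level_ft"] >= 12.0
        and all(s[p] == 1 for p in ("influent_pump1", "influent_pump2", "influent_pump3")),
    ),
    SanityRule(
        "chlorinator at maximum with flow at or below 0.4 MGD",
        lambda s: s["chlorinator_pct"] >= 100 and s["flow_mgd"] <= 0.4,
    ),
]


def check_state(state: State, rules: List[SanityRule] = RULES) -> List[str]:
    """Names of every sanity rule the current process conditions violate."""
    return [r.name for r in rules if r.violated(state)]


def validate_command(state: State, point: str, value: float,
                     rules: List[SanityRule] = RULES) -> Tuple[bool, List[str]]:
    """Apply a command to a copy of the state and accept it only if no rule is violated."""
    proposed = dict(state)
    proposed[point] = value
    violations = check_state(proposed, rules)
    return (not violations, violations)


def detect_local_tamper(commanded: State, measured: State, tolerance: float = 0.0) -> List[str]:
    """Points whose measured setting no longer matches what the RTU last commanded,
    e.g. a setting changed by hand after access control was bypassed."""
    return [p for p, v in commanded.items() if abs(measured.get(p, v) - v) > tolerance]


if __name__ == "__main__":
    # Constructed snapshot of a treatment-plant control zone.
    state = {"basin_level_ft": 12.5, "influent_pump1": 1, "influent_pump2": 1,
             "influent_pump3": 0, "chlorinator_pct": 40, "flow_mgd": 0.35}
    print(validate_command(state, "influent_pump3", 1))     # rejected: third pump with basin at 12.5 ft
    print(validate_command(state, "chlorinator_pct", 100))  # rejected: maximum chlorinator at 0.35 MGD
    print(detect_local_tamper({"chlorinator_pct": 40}, {"chlorinator_pct": 100}))  # ['chlorinator_pct']
```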