File name: Semaphore SCADA SECURITY UPDATE.pdf
Development tool: (not given)
File size: 623 KB
Downloads: 0
Upload date: 2019-10-31
Description: Semaphore white paper "SCADA SECURITY UPDATE" (PDF).
a) Security Policies
b) Asset Inventory
c) Access Requirements and Controls
d) Threats and Vulnerabilities
e) Consequences of a Security Breach
f) Authorized Technology
g) Change Management Process
For a SCADA system, ANSI/ISA-99, Part 1 defines various logical zones, including the Enterprise Zone, which is generally considered the IT system, and the SCADA Zone, which includes the subsystems we normally associate with a SCADA system:
Control Center Zone, or Primary and Backup Control Center Zones
Serial or IP network
Control Zones, which are the remote sites normally associated with RTU installations
ANSI/ISA-99, Part 1 includes two versions, one of which encloses the entire SCADA system in a single security zone. The other is the "separate zones" model.
In the separate zones model, control center zones and control zones are defined with differing characteristics. The control zones are the locations which are usually remote from the control centers and include the RTU equipment. It is conceivable that one control zone can have much different characteristics from another. For example, one location could be classified as more vulnerable or have higher risks than another.
NERC CIP-005-1 requires an electronic security perimeter for what are termed critical cyber assets. While it is not explicitly stated in CIP-005-1, the electronic security perimeter concept does apply to ANSI/ISA security zones, and there is general consistency between the two standards in definitions of assets and other terms. CIP-006-1 provides physical security requirements and, again, is not inconsistent with ANSI/ISA-99 Part 1. This white paper will describe measures in terms of applicability to ANSI/ISA-99 as well as NERC CIP as much as possible.
Figure 1. Shown here is a simplified representation of the security zones for SCADA systems. CONTROL ZONES: remote process installations, including an RTU, HMI device, etc. SERIAL OR IP NETWORKS: communication equipment (Internet or intranets, serial networks), which could be outside the secure zones. CONTROL CENTER ZONE: the SCADA computer system, SCADA servers, HMI/clients and data; there can be primary and backup control center zones. Local users in or near control zones present a special case for security.
This white paper will focus on the control zones and their interfaces to the wide area network. Remote sites have numerous characteristics which differ significantly from those associated with the enterprise zone or control center zones. Since the latter two have been explored much more thoroughly, there is more to offer if we focus on control zones. In addition, the wide area network in SCADA systems presents a very interesting set of characteristics, as it is typically outside of any of the operator's security zones.
Securing the RTU Devices at Remote Sites
In SCADA systems, the control zones are normally in remote areas, away from control center zones. This presents a number of unique characteristics, which are notably different from control centers as well as plant processes. We will consider both the cyber and physical threats and offer measures in terms of monitoring for intrusions as well as prevention.
The term RTU will be used for the electronic monitoring and control device at these locations. Please keep in mind that the device could actually be a PAC, PLC, or a product that uses some other three-letter abbreviation.
Addressing RTU Cyber Threats - Prevention
In many systems, it is simply too easy to gain access via an RTU local serial port or, even worse, a dial-up, radio or other network link that makes the RTU accessible from practically anywhere in the world.
How important is this aspect compared to the rest of the SCADA system? In the attack in Australia (Maroochy Shire, 2000), Vitek Boden targeted the remote stations by using a radio to access serial ports and was able to operate pumps.
RTU ports basically fall into one of two groups: local and remote. Local ports are wired directly to nearby equipment such as analyzers, flow meters, pressure transmitters and a PC or other HMI device. Wireless interfaces are becoming more popular for local links, e.g. WirelessHART between an RTU and a pressure transmitter, and Bluetooth between a laptop PC and the RTU.
If the RTU is not in a physically secure zone, a major risk is that anyone can plug into, or wirelessly access, the local port that is intended for configuration, taking readings and other local operations via a PC. Unfortunately, it is too easy to say that it is mandatory for the RTU to be physically secure and be done with it. Today's trend toward wireless communications, even for "local" functions, reintroduces the risk of intrusion because the radio range can extend beyond the physically secure zone. A wireless local link thus shares a major risk with a remote port, which is defined as one with a modem, radio or other physical connection to a wide area network.
Since much of a SCADA wide area network is located, both physically and logically, outside of any of the operator's secure zones, this is a major cause for concern.
Authentication has emerged as the cyber security provision of choice when it comes to remote port access. In some cases, protocol standards are being amended to adopt authentication. The DNP Users Group Steering Committee has recently ratified a security extension that mandates the authentication of master devices through the use of one-way cryptographic hash functions employing a shared key in order to access critical DNP functions. These critical functions include write, select, operate, direct operate, cold restart, warm restart, initialize application, start application, stop application, enable unsolicited responses, disable unsolicited responses, record current time and activate configuration.
Authentication ensures that messages arriving at the RTU come from the control center or another legitimate asset in the SCADA system. Since the SCADA wide area network can be located mostly outside of any security zone, it is subject to eavesdropping.
A number of years ago, Bill Rush of the Gas Technology Institute (GTI) proposed SCADA message encryption to address this risk. As Bill pointed out, if someone can eavesdrop and learn to recognize messages, that party can likely also practice spoofing, that is, inject commands which can operate process equipment or corrupt proprietary information.
This is the thrust behind the SCADA encryption standardization effort, which was originally proposed as American Gas Association (AGA) Report No. 12. Since then, the technical standards community has favored authentication over encryption, primarily because it is much less resource-intensive and can more reasonably be retrofitted in existing systems. Note that authentication addresses spoofing, not disclosure: on an authenticated but unencrypted link, an eavesdropper still sees every command and reading.
In any event, encryption standardization efforts continue and encryption is finding its way into new installations. Some data communication devices, such as radios, offer it as an option. Many IP-based systems use encryption and, for those users replacing direct-wire local links with wireless, it is also a feature of Bluetooth.
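The challenge/response exchange described above, as an added example (not code from the white paper or from the DNP Users Group specification). The framing, the 4-byte nonce, the key and the control payload are constructed for the demonstration; only the mechanism follows the text: a shared key and a keyed one-way hash bind the master's reply to a fresh challenge, and the RTU demands that reply only for the critical function set.

```python
"""Challenge/response authentication of critical SCADA requests with a shared
key and a keyed one-way hash (HMAC-SHA256).

Added example, not code from the white paper or from the DNP Users Group.
The framing is deliberately simplified: real DNP3 Secure Authentication
(IEEE 1815) defines its own object encodings, key-change procedures and an
"aggressive mode"; only the core mechanism is shown here.
"""
import hashlib
import hmac
import os
import struct

# The critical function set named in the paper. Real DNP3 identifies these by
# one-byte function codes; names are used here to keep the example readable.
CRITICAL_FUNCTIONS = frozenset({
    "WRITE", "SELECT", "OPERATE", "DIRECT_OPERATE", "COLD_RESTART",
    "WARM_RESTART", "INITIALIZE_APPLICATION", "START_APPLICATION",
    "STOP_APPLICATION", "ENABLE_UNSOLICITED", "DISABLE_UNSOLICITED",
    "RECORD_CURRENT_TIME", "ACTIVATE_CONFIGURATION",
})


def _mac(key: bytes, seq: int, nonce: bytes, function: str, payload: bytes) -> bytes:
    """Keyed hash binding the challenge (seq + nonce) to the exact request."""
    msg = struct.pack(">I", seq) + nonce + function.encode() + b"\x00" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Outstation:
    """The RTU side: challenges critical requests and verifies the answers."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0
        self._pending = None   # (seq, nonce, function, payload) awaiting a reply
        self.log = []          # the paper's "log all activity" on the port

    def receive_request(self, function: str, payload: bytes):
        if function not in CRITICAL_FUNCTIONS:
            self.log.append(("executed", function))
            return ("OK", None)
        self._seq += 1
        nonce = os.urandom(4)  # 4 bytes only for the demo; use the spec's length in practice
        self._pending = (self._seq, nonce, function, payload)
        return ("CHALLENGE", (self._seq, nonce))

    def receive_reply(self, seq: int, mac: bytes) -> str:
        if self._pending is None or seq != self._pending[0]:
            self.log.append(("rejected", "no matching challenge"))
            return "REJECTED"
        p_seq, nonce, function, payload = self._pending
        self._pending = None   # each challenge is single use: a replayed reply fails
        expected = _mac(self._key, p_seq, nonce, function, payload)
        if not hmac.compare_digest(expected, mac):   # constant-time compare
            self.log.append(("rejected", function))
            return "REJECTED"
        self.log.append(("executed", function))
        return "OK"


class Master:
    """The control-center side: answers a challenge with the shared key."""

    def __init__(self, key: bytes):
        self._key = key

    def answer_challenge(self, seq: int, nonce: bytes, function: str, payload: bytes) -> bytes:
        return _mac(self._key, seq, nonce, function, payload)


def send(master: Master, outstation: Outstation, function: str, payload: bytes = b"") -> str:
    """One master -> outstation request, completing the challenge if one is issued."""
    status, challenge = outstation.receive_request(function, payload)
    if status == "OK":
        return "OK"
    seq, nonce = challenge
    return outstation.receive_reply(seq, master.answer_challenge(seq, nonce, function, payload))


def demo() -> dict:
    key = b"update-key-shared-out-of-band"   # constructed demo key
    rtu = Outstation(key)
    crob = b"CROB index=3 LATCH_ON"          # constructed control payload
    results = {
        "read": send(Master(key), rtu, "READ"),                       # not critical: no challenge
        "operate_legit": send(Master(key), rtu, "DIRECT_OPERATE", crob),
        "operate_spoofed": send(Master(b"guessed-key"), rtu, "DIRECT_OPERATE", crob),
    }
    # Replay: an eavesdropper captures a valid reply and resends it later.
    _, (seq, nonce) = rtu.receive_request("OPERATE", crob)
    good_reply = Master(key).answer_challenge(seq, nonce, "OPERATE", crob)
    results["first_use"] = rtu.receive_reply(seq, good_reply)
    results["replay"] = rtu.receive_reply(seq, good_reply)
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:16s} {status}")
```

Two things are worth noticing. The non-critical READ goes through without a challenge, which is why this retrofits cheaply: polling traffic, the bulk of what a SCADA link carries, costs nothing extra. And the payload travels in the clear; the outstation can tell the command came from a key holder, but an eavesdropper still learns which point was operated, which is the gap the AGA 12 encryption work described above addresses.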
Figure 2. The SCADA protocol, e.g. DNP3, carries commands and uploads information on process operations, including alarms, live data and historical data. RTU devices use authentication to ensure that SCADA messages originate from legitimate assets. While the SCADA protocol handles all operations messaging, SNMP simultaneously carries "shadow data" such as device status and site security monitoring information over the same SCADA network between the control center zone and the control zones. Semaphore RTU products such as the G30, shown below, are Industrial Defender Enabled, as they support Industrial Defender's monitoring and reporting via SNMP.
Addressing RTU Cyber Threats - Monitoring and Detection
At a minimum, the RTU must be able to log all activity on local or modem ports and report it to operators on the SCADA network. NERC CIP-005-1 requires 24/7 logging at all access points to the electronic security perimeter.
The Simple Network Management Protocol (SNMP) is emerging as a vehicle for security monitoring in SCADA networks. Traditionally used by IT to monitor components such as routers, servers and switches, SNMP is now being employed to monitor remote sites. For example, such control zone parameters as main power status, battery voltage, cabinet temperature and door switch status can be reported via SNMP. Similarly, SNMP can report activity on RTU serial ports. That information can be used for intrusion detection.
SNMP runs over IP (normally UDP) and can function concurrently with other SCADA protocols. While DNP3 or IEC 60870-5 protocols are used to transfer process or operational information between the SCADA server and the RTUs, SNMP is used, over the same physical network, in a background mode, transferring "shadow data" that is used for system health monitoring and security. Because that shadow data is itself security-relevant, it should be carried with SNMPv3 authentication and privacy rather than the plaintext community strings of SNMPv1/v2c; otherwise anyone on the same network can read or forge the very status that operators rely on.
In this architecture, a Semaphore RTU is Industrial Defender Enabled. The Industrial Defender Risk Mitigation platform is a central monitoring system for the health, status and security state of critical cyber assets. By using Industrial Defender to maintain an ongoing inventory of cyber assets, automatic reporting is provided for CIP-005-1 compliance. The monitoring and reporting feature within Industrial Defender greatly reduces any manual reporting burden on the entity's IT staff.
Addressing RTU Physical Threats - Prevention
Following are measures to physically secure the RTU installations in your SCADA system.
The best practice for RTU location is to place it in a physically secure area. Risk is significantly decreased if the RTU is installed in a location with access control.
Keep information about RTU locations secured. Risk is also significantly decreased if as few people as possible know the location of the RTU in the first place.
Similarly, power and network cabling should be kept secure and out of sight. Information on their routing and termination locations should be secured.
In case of a main power failure, the RTU should include adequate battery backup to continue all operations for a time you determine. This time depends on how long you feel it could take to restore main power. Note that this does not mean how long it could take for operators to find out about the problem. The alarm system must inform operators of a main power failure immediately; we will cover that more in the next section on monitoring and detection. Typical RTU backup times are between eight and 72 hours, the latter taking three-day holiday weekends into consideration.
The backup batteries should be secured inside a locked cabinet with ventilation. For outdoor locations, the most appropriate rating is NEMA 3R or IP14. You must periodically maintain the batteries on a schedule provided by the battery supplier. You can expect a maximum of a five-year lifetime from lead-acid cell batteries, but you should check them at least once per year. In areas in which temperatures are often at the extremes of the operating range, battery lifetime is significantly reduced. The RTU should continually monitor the batteries and set an alarm if they lose their charge. If their condition is in doubt, replace the batteries.
Include line filters and surge suppression on the power input. Accidental or otherwise, and battery-backed or otherwise, power problems should not take the RTU out.
Always keep RTU cabinet doors closed and secured. Once the door is opened, it is just too easy to cause any number of problems.
If the RTU is not in a physically secure area, then you must keep keypads, pushbuttons and switches secured. Users should have to open a door that is secured by access control (which could be as simple as a key lock) in order to access these devices.
Figure 4. Once the remote installation is started up, keep those panel doors closed and locked at all times! Availability of an HMI and manual controls on the outside of the front door requires this room to have access control. (Photo courtesy of nGen Technologies Inc.)
Of course, this is all easy to say, but what do you do about an existing installation? In most cases, it has been feasible to secure the room or building in which the RTU is located. In cases where this has been impossible, the better option was to secure the RTU inside a locked cabinet or put a gate around it. Ideally, both the room and the RTU enclosure are secured. However, you may have to settle for one or the other.
Finally, be on the alert for innovative methods of disabling the RTU. In other industries, computer equipment has been disabled through the use of fire extinguishers, other chemical spray, excessive dust or sand, flooding sprinkler systems, radio interference and surges on wiring. Vulnerability assessments must include such scenarios, even though they would likely be far down the list in terms of risk. Best practices in terms of locating and physically securing the RTU should prevent these problems.
Addressing RTU Physical Threats - Monitoring and Detection
The RTU should detect entry into the physical secure zone via an access control device, that is, when a door or gate is opened, and alert operators via an alarm.
The RTU should continually monitor main power and report an alarm on main power failure.
The RTU must be able to report that a user has plugged a hand-held device or PC into the local port, or gained access via Bluetooth or other local wireless link. This could be an alarm, but some users simply log it as an event.
Log an event when the user signs on by entering a password. Log an event for each value change the user makes; operators must be aware that value changes are being made locally. Log an event when the user signs off, and either log an event or clear/reset the alarm when the user unplugs the hand-held device or PC. If the user forgets to sign off, the RTU should automatically do this after a set time.
Clear/reset the alarm when the door closes. What if the user forgets to close the door? The original alarm, set upon opening of the door, should continue to be displayed as a live alarm. As a further provision, you can consider escalating that alarm after a certain time.
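The door, power, port and session events listed above, handled in one place, as an added example (not code from the white paper, from Semaphore or from Industrial Defender). The event names, priorities, the 30-minute door escalation, the 10-minute idle sign-off and the site name "LS-07" are assumptions for the demonstration; the events could come from the RTU's own inputs or arrive as SNMP shadow data at a central monitor.

```python
"""Alarm and event handling for a remote site, driven by the RTU's own
inputs or by SNMP "shadow data" traps: door switch, main power, local port
activity and the local user's session.

Added example, not code from the white paper, Semaphore or Industrial
Defender; event names, timeouts and the site name are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional

DOOR_ESCALATE_AFTER = 30 * 60   # seconds a door may stay open before escalation (assumed policy)
IDLE_SIGNOFF_AFTER = 10 * 60    # idle seconds before the RTU signs a user off (assumed setting)


@dataclass
class SiteMonitor:
    site: str
    events: list = field(default_factory=list)   # date/time-stamped log the RTU keeps in NVRAM
    alarms: dict = field(default_factory=dict)   # live alarms: name -> (set_time, priority)
    _door_open_at: Optional[float] = None
    _session_user: Optional[str] = None
    _last_activity: float = 0.0

    def _log(self, t, kind, detail=""):
        self.events.append((t, self.site, kind, detail))

    def _set_alarm(self, t, name, priority):
        if name not in self.alarms:          # re-reporting an active alarm is just noise
            self.alarms[name] = (t, priority)
            self._log(t, "ALARM_SET", f"{name} p{priority}")

    def _clear_alarm(self, t, name):
        if self.alarms.pop(name, None) is not None:
            self._log(t, "ALARM_CLEAR", name)

    def _sign_off(self, t, how):
        self._log(t, "SIGN_OFF", f"{self._session_user} ({how})")
        self._session_user = None

    def tick(self, t):
        """Time-based checks; called on every event and from a periodic timer."""
        if self._door_open_at is not None and t - self._door_open_at >= DOOR_ESCALATE_AFTER:
            self._set_alarm(t, "DOOR_OPEN_ESCALATED", 0)     # door left open: higher priority
        if self._session_user and t - self._last_activity >= IDLE_SIGNOFF_AFTER:
            self._sign_off(t, "auto")                         # user forgot to sign off

    def handle(self, t, event, arg=None):
        """Process one site event at epoch time t."""
        self.tick(t)
        if event == "DOOR_OPEN":
            self._door_open_at = t
            self._set_alarm(t, "DOOR_OPEN", 1)
        elif event == "DOOR_CLOSE":
            self._door_open_at = None
            self._clear_alarm(t, "DOOR_OPEN")
            self._clear_alarm(t, "DOOR_OPEN_ESCALATED")
        elif event == "MAIN_POWER_FAIL":
            self._set_alarm(t, "MAIN_POWER_FAIL", 1)          # battery backup time starts now
        elif event == "MAIN_POWER_RESTORED":
            self._clear_alarm(t, "MAIN_POWER_FAIL")
        elif event == "LOCAL_PORT_CONNECT":                   # PC, handheld or Bluetooth link
            self._set_alarm(t, "LOCAL_PORT_CONNECT", 2)       # some sites log this as an event only
            self._log(t, "PORT_CONNECT", arg or "")
        elif event == "LOCAL_PORT_DISCONNECT":
            self._clear_alarm(t, "LOCAL_PORT_CONNECT")
            self._log(t, "PORT_DISCONNECT", arg or "")
            if self._session_user:                            # unplugged without signing off
                self._sign_off(t, "disconnect")
        elif event == "SIGN_ON":
            self._session_user = arg
            self._last_activity = t
            self._log(t, "SIGN_ON", arg)
        elif event == "VALUE_CHANGE":
            if self._session_user is None:                    # change with no authenticated session
                self._set_alarm(t, "UNAUTHENTICATED_CHANGE", 0)
            self._last_activity = t
            self._log(t, "VALUE_CHANGE", f"{self._session_user}: {arg}")
        elif event == "SIGN_OFF":
            self._sign_off(t, "user")
        else:
            raise ValueError(f"unknown event {event!r}")


def demo() -> SiteMonitor:
    """Constructed site visit: door opened, laptop plugged in, one setpoint changed,
    laptop unplugged without signing off, door left open for 45 minutes."""
    m = SiteMonitor("LS-07")        # hypothetical lift station
    t0 = 1_700_000_000
    for dt, ev, arg in [
        (0, "DOOR_OPEN", None),
        (60, "LOCAL_PORT_CONNECT", "COM1"),
        (90, "SIGN_ON", "tech42"),
        (120, "VALUE_CHANGE", "PUMP2_START_LEVEL_FT 11.5->12.0"),
        (300, "LOCAL_PORT_DISCONNECT", "COM1"),
    ]:
        m.handle(t0 + dt, ev, arg)
    m.tick(t0 + 45 * 60)             # periodic timer fires: door still open
    return m


if __name__ == "__main__":
    mon = demo()
    for e in mon.events:
        print(e)
    print("live alarms:", sorted(mon.alarms))
```

The VALUE_CHANGE with no open session is the case a checklist tends to miss: a change that arrives without a preceding sign-on is either a defect in the local HMI or someone who bypassed the password, and either way it deserves an alarm rather than an event. Note also that nothing here suppresses alarms during a scheduled visit; the visit schedule belongs in the operator's procedure, not in the RTU logic.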
Figure 5. Featuring alarm management, data logging, programmability, integral battery charger/power management, secure DNP3 and SNMP as well as "push" messaging to multiple recipients, the T-BOX RTU is ready for installation in a secure SCADA system.
Coordinate the alarms mentioned thus far with operating procedures. These procedures should include schedules for site visits and ways to keep operators informed regarding them. Don't disable alarms just because operators know that a site visit is taking place. Keeping alarming active reinforces procedures and allows the alarms to be kept in a history.
The RTU should not only report alarms over the SCADA network on a priority basis, it should also keep a date-and-time-stamped record of all alarms and events locally in memory. The memory must be non-volatile: RAM must be backed up by a battery, and flash, which does not require battery backup, is now being used more often. Many of today's RTU products incorporate data logging capability, including maintenance of an alarm/event log. In the gas flow computer business, this is known as the audit trail.
One problem with an alarm/event log is a noisy alarm condition whose recurring messages fill it up. Not only is this very annoying but, worse, meaningful messages drop out and are permanently lost. In most cases, it is simple to automatically filter out these transitions or disable the alarming characteristic of the misbehaving input.
The alarm/event log is an excellent backup in case of problems with the SCADA host or network, which could cause alarm reports and event logs to be lost. Typically, it allows the user to access all such information locally. In addition, many RTUs will allow the audit trail, as well as historical averages and totals, to be transmitted to the SCADA host once communication is restored.
You have seen that many of the security tactics in this section involve use of the RTU for alarm reporting. Please be aware that a common problem with SCADA alarm systems is that engineers are tempted to define too many points as alarms. These quickly become "nuisance" alarms, which are ignored. You should avoid this situation because the alarm system should never lose credibility with operators for any reason.
Far worse than that, it creates a situation in which an operator can be easily overloaded and overlook an important development. It is even possible that a security violation can occur because operators are decoyed by a deliberate overload.
Your alarm system design should define alarm points as sparingly as possible, and it should use alarm management as a further measure to reduce the quantity of alarms generated from any process or zone.
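One way to keep a chattering input from flushing the log, and to keep a flood from burying the alarm that matters, as an added example (not code from the white paper). The five-transitions-per-minute threshold and the point names are assumed.

```python
"""Chatter suppression for the RTU alarm/event log: a point that toggles more
than a few times in a short window is shelved, so one "SHELVED" record replaces
the flood and other alarms are not pushed out of the log.

Added example, not code from the white paper; thresholds are assumed.
"""
from collections import deque


class ChatterFilter:
    def __init__(self, max_transitions: int = 5, window: float = 60.0):
        self.max_transitions = max_transitions
        self.window = window
        self._history = {}     # point -> deque of recent transition times
        self.shelved = set()
        self.log = []          # records that would reach the alarm/event log

    def transition(self, t: float, point: str, active: bool) -> bool:
        """Report one alarm transition; returns True if it was logged."""
        if point in self.shelved:
            return False
        h = self._history.setdefault(point, deque())
        h.append(t)
        while h and t - h[0] > self.window:   # forget transitions outside the window
            h.popleft()
        if len(h) > self.max_transitions:
            self.shelved.add(point)
            self.log.append((t, "SHELVED", f"{point}: {len(h)} transitions in {self.window:.0f}s"))
            return False
        self.log.append((t, "ALARM" if active else "CLEAR", point))
        return True

    def unshelve(self, t: float, point: str) -> None:
        """Operator or maintenance re-enables the point after the input is fixed."""
        self.shelved.discard(point)
        self._history.pop(point, None)
        self.log.append((t, "UNSHELVED", point))


def demo() -> ChatterFilter:
    f = ChatterFilter()
    # Constructed input: a float switch bouncing 20 times in 20 s, then a real door alarm.
    for i in range(20):
        f.transition(float(i), "WETWELL_LEVEL_HI", active=(i % 2 == 0))
    f.transition(25.0, "DOOR_OPEN", active=True)
    return f


if __name__ == "__main__":
    for rec in demo().log:
        print(rec)
```

Shelving is itself security-relevant: a point that can be induced to chatter can be made to go quiet. The SHELVED record must therefore reach operators as an alarm, and the door, power and port alarms should either be exempt from automatic shelving or given a much higher threshold than process points.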
Finally, for remote site security, using the RTU to report alarms for fire, smoke, water spray or water flooding is also very feasible. The RTU can also be put in the security loop through interfaces with access control devices and video cameras. This will be the subject matter of another white paper from Semaphore.
Design Practices in Case of Failures
Best practice system design calls for provisions in case of various failures (or breaches) of the SCADA system. In case the host computer or network fails, the RTU should independently monitor and control the process. Remote processes, today, should not depend on the availability or performance of the network.
The RTU should continue operating even in case the network is jammed or one or more ports are kept busy. While this would amount to a denial-of-service attack on the RTU, we have seen many cases in which the SCADA network was simply overloaded. The multitasking kernels in today's RTUs prioritize tasks and allow the measurement and control functions to continue even with heavy activity on the network.
You should also consider a redundant network. Competition in the communications industry has resulted in decreasing pricing for hardware that includes cellular radio, licensed radio, spread spectrum radio and wireless Ethernet. I know some users will scoff at this because they've found that selecting even one network is difficult enough. But, increasingly, users are installing redundant SCADA networks. Most SCADA software will automatically switch over to a standby network if the primary network fails. At the RTU, the standby network uses a separate communication port that is not affected by problems on the primary network port. The standby port must carry the same authentication, logging and monitoring as the primary; otherwise the backup path becomes the easiest way in.
To detect tampering with process equipment, you can use sanity limits or sanity condition tables to validate commands or process conditions. Even though no RTU includes expert system software, you can still put your expertise in the RTU program, whatever the programming language. If you know that all three influent pumps shouldn't be on when the settling basin is at 12 feet, put that in the RTU. The RTU should know that the chlorinator shouldn't be set on maximum when the flow is only 0.4 MGD.
Your first reaction might be that this would add too much complexity to the RTU, but some languages make the programming almost as easy as making the statement. If access control is violated and someone manually changes a process equipment setting, the RTU could detect it and report an alarm.
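The two conditions above written as a sanity condition table, as an added example (not code from the white paper); point names, engineering ranges and the demo states are assumed. The same table serves the two uses the text describes: checking a command before the RTU applies it, and periodically checking the measured state for something that should not occur, which is how a manual change at the panel shows up.

```python
"""Sanity limits and a sanity condition table evaluated in the RTU, used both
to validate an incoming command before it is applied and to flag a process
state that should not occur (e.g. after a manual change at the site).

Added example, not code from the white paper; point names and the numeric
limits are assumed, with the two conditions the paper gives as the seed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, float]


@dataclass(frozen=True)
class SanityRule:
    name: str
    violated: Callable[[State], bool]   # True when the state is implausible or unsafe
    priority: int


# Hard sanity limits per point (assumed engineering ranges).
LIMITS = {
    "BASIN_LEVEL_FT": (0.0, 15.0),
    "FLOW_MGD": (0.0, 5.0),
    "CL2_SETPOINT_PCT": (0.0, 100.0),
}

# Sanity condition table: the two rules from the paper plus the range checks.
RULES: List[SanityRule] = [
    SanityRule("all three influent pumps on with settling basin at 12 ft",
               lambda s: s["INF_PUMP1"] + s["INF_PUMP2"] + s["INF_PUMP3"] >= 3
               and s["BASIN_LEVEL_FT"] >= 12.0, 1),
    SanityRule("chlorinator at maximum with flow at or below 0.4 MGD",
               lambda s: s["CL2_SETPOINT_PCT"] >= 100.0 and s["FLOW_MGD"] <= 0.4, 1),
] + [
    SanityRule(f"{point} outside {lo}..{hi}",
               (lambda s, p=point, lo=lo, hi=hi: not lo <= s[p] <= hi), 2)
    for point, (lo, hi) in LIMITS.items()
]


def check_state(state: State) -> List[str]:
    """Names of every rule the current process state violates (alarm these)."""
    return [r.name for r in RULES if r.violated(state)]


def validate_command(state: State, point: str, value: float) -> Tuple[bool, List[str]]:
    """Apply the command to a copy of the state and accept it only if no rule fires."""
    proposed = dict(state)
    proposed[point] = value
    violations = check_state(proposed)
    return (not violations, violations)


def demo() -> dict:
    normal = {"INF_PUMP1": 1, "INF_PUMP2": 1, "INF_PUMP3": 0,
              "BASIN_LEVEL_FT": 9.5, "FLOW_MGD": 0.3, "CL2_SETPOINT_PCT": 35.0}
    # A command (from the SCADA host or a local HMI) that the RTU should refuse.
    cl2_max = validate_command(normal, "CL2_SETPOINT_PCT", 100.0)
    # A command that is fine at this flow.
    cl2_ok = validate_command(normal, "CL2_SETPOINT_PCT", 50.0)
    # Someone started the third pump from the panel while the basin is high:
    # no command passed through the RTU, but the periodic state check catches it.
    tampered = dict(normal, INF_PUMP3=1, BASIN_LEVEL_FT=12.4)
    return {"cl2_max": cl2_max, "cl2_ok": cl2_ok, "tampered": check_state(tampered)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

validate_command is also the right place for a remote command that passed authentication but is still wrong: a legitimate key holder working from a compromised workstation, and a plain operator error, look the same to the RTU, and the condition table catches both.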
Finally, best practices for system design call for provisions in case of RTU failure, regardless of security issues. Upon failure, what happens to the control outputs, with or without power, is a basic design issue. If power remains available, many devices allow selection of a "safe mode" for the outputs, so process equipment continues to run in a reasonable manner. You also need a separate provision to cover the case in which the RTU fails and all power is lost. Equipment run using backup power must have a "safe" default setting.
Many users have rock-solid procedures for activity at the sites in response to any failure or security breach in the SCADA system. You need to be in this category.
Conclusion
Today, information that is widely available and products and technologies which are now on the market allow SCADA system operators to install and maintain very secure systems.
Utilities need to be well aware of NERC CIP, which requires compliance in your planning, processes and procedures. Meanwhile, ANSI/ISA-99 is a work in progress. Part 1, which is now available, establishes important "common ground" in definitions of security-related concepts, assets, risks, threats and vulnerabilities.
Users today can assess threats, both physical and cyber-related, and implement measures for detection as well as prevention of intrusions and attacks in their SCADA systems.
SCADA Security Checklist
Prevention
1. Use authentication (e.g. Secure DNP3) on all remotely accessible serial ports
2. Use encryption if available, e.g. on Bluetooth and IP connections
3. Note that password security is a minimum measure, which does not eliminate cyber risks
4. Locate the RTU in a physically secure area with access control
5. If the RTU is not in a physically secure area, then you must keep keypads, pushbuttons and switches physically secured, e.g. behind a locked door
6. Always keep RTU cabinet doors closed and locked
7. Keep information about RTU locations secured
8. Power and network cabling must be secure and out of sight
9. Keep information on cable routing and termination locations secured
10. Use battery backup in case of main power failure and consider backup times up to 72 hours
11. Backup batteries must be physically secured
12. Keep up with battery maintenance
13. Include line filters and surge suppression on the power input
14. Vulnerability assessments must consider risks from chemical spray, wind-blown dust or sand, flooding sprinkler systems, radio interference and surges on wiring
Monitoring and Detection
1. Log all activity on all serial ports, local and remotely accessible, e.g. SNMP reporting of "shadow data" to the Industrial Defender Risk Mitigation platform
2. The RTU should detect entry into the physical secure zone via an access control device and alert operators via an alarm
3. The RTU should continually monitor main power and report an alarm upon failure
4. The RTU must be able to report an alarm or event when a user has plugged a hand-held device or PC into the local port, or gained access via Bluetooth or other local wireless link
5. Log an event when the user signs on by entering a password
6. Log an event for each value change the user makes
7. Log an event when the user signs off
8. Either log an event or clear/reset the alarm when the user unplugs the hand-held device or PC or disconnects a wireless link, e.g. Bluetooth
9. Clear/reset the "door open" alarm when the door closes
10. Coordinate all alarms and events mentioned above with operating procedures
11. Don't disable alarming when users are visiting a site
12. The RTU should maintain a local, date-and-time-stamped alarm/event log in non-volatile memory as a backup of the alarm reporting mechanism over the SCADA network