Cybersecurity for SCADA Systems
William T. Shaw, PhD, CISSP
Disclaimer
The recommendations, advice, descriptions, and the methods in this book
are presented solely for educational purposes. The author and publisher
assume no liability whatsoever for any loss or damage that results from the
use of any of the material in this book. Use of the material in this book is
solely at the risk of the user.
Copyright © 2006 by
PennWell Corporation
1421 South Sheridan Road
Tulsa, Oklahoma 74112-6600 USA
800.752.9764
+1.918.831.9421
sales@pennwell.com
www.pennwellbooks.com
www.pennwell.com
Director: Mary McGee
Managing Editor: Steve Hill
Production/Operations Manager: Traci Huntsman
Assistant Editor: Amethyst Hensley
Production Editor: Tony Quinn
Cover Designer: Karla Pfeifer
Book Designer: Brigitte Pumford-Coffman
Library of Congress Cataloging-in-Publication Data
Shaw, William T.
Cybersecurity for industrial scada systems / William T. Shaw.
p. cm.
Includes index.
ISBN-13: 978-1-59370-068-3 (hardcover)
ISBN-10: 1-59370-068-7 (hardcover)
1. Supervisory control systems. 2. Automatic data collection systems. 3. Data protection.
4. Computer security. I. Title.
TJ222.S53 2006
620'.46028558--dc22
2006013261
All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transcribed in any form or by any means, electronic or mechanical, including
photocopying and recording, without the prior written permission of the publisher.
Printed in the United States of America
1 2 3 4 5 10 09 08 07 06
Introduction — Industrial Automation
in the Aftermath of 9/11
Without the events of September 11, 2001, there might not have been
a need for this book—or at least not this soon. Until the events of that
day, the people and government of the United States held the belief that
we were insulated from those foreign governments and “true believers”
that might wish us harm. It is true that for many years, computer hacking
and the periodic introduction of computer worms, viruses, and other
forms of malware over the Internet have represented a growing problem.
Nevertheless, these activities were not perceived as serious, intentional
attacks on our country or its infrastructure. After 9/11 everything changed.
We now know that there are people and groups that will spend the time
and money to create havoc and terror to advance their political, social, or
religious agendas.
In response to the events of 9/11, the Department of Homeland
Security (DHS) was formed and given the responsibility for protecting us
from these people and organizations. One of the results of the early work
of the DHS was the recognition that the vast majority of our industrial
and manufacturing facilities, technological and energy infrastructure, and
transportation systems are run and controlled by computer-based systems
and that these systems (mainly SCADA systems, distributed control
systems [DCS], and programmable logic controller [PLC] systems) were
not designed with any intrinsic protective mechanisms. This is not to
imply that such systems are fragile or even readily accessible to an attacker.
Rather, the vendors of these systems generally designed them to be robust
and capable of continued full or partial operation, even with some level of
component failures or damage. This was essential because of the critical or
essential nature of the processes controlled by such systems. Designers of
computer-based automation and control systems have always known that
computers—and electronic devices in general—can and will fail. Thus,
system designs have long accounted for this possibility through redundancy
schemes and architectures that permitted graceful degradation.
CYBERSECURITY FOR SCADA SYSTEMS
In the early years of computer-based automation systems, these
systems were typically employed in a stand-alone configuration without
any communication with or interfaces to other computer systems. The only
way a remote cyber attacker/hacker could access such systems would have
been if a dial-in telephone circuit had been supplied with the system, for
the purpose of providing remote support by the system vendor. However, as
computer and networking technology became pervasive and ubiquitous in
all aspects of modern business enterprises, these automation systems started
to be interfaced with corporate networks, business systems, and eventually,
even to the Internet itself. This evolutionary process has provided cyber
attackers with much greater access to these critical automation systems.
The world of computer-based automation systems can be divided into
two broad classes: those systems used with processes that are spread over a
large geographic area (and thus require the use of wide area communications
technology); and those systems that manage processes that are geographically
constrained (and thus can use local area communications technology).
The first type of system is considered a SCADA system and is used in
applications such as gas and liquid pipelines, electric power transmission
and distribution, and water distribution systems. The second type of
system is called a DCS and is used in plant automation applications—
such as refining, steel production, paper and pulp, food and beverage, and
bulk and fine chemicals. A variation of this second type of system is based
on PLC technology. Almost every high-volume manufacturing facility
is automated using PLC technology. The DHS has initially focused its
efforts on cybersecurity for SCADA systems; therefore, that is the focus
of this book, although many of the issues and principles will be directly
relevant and applicable to DCS as well.
Preface
In the 1960s, when the first computer-based supervisory control and
data acquisition (SCADA) systems were being developed, there was no
cultural concept of the need for particular protective measures to keep such
systems safe from intentional attacks. After all, why would someone want
to disrupt the operation of such systems? The world was a different place,
and the computer expertise to work on or with such systems was a rare
commodity. The only protective considerations built into those systems
were instituted to minimize or eliminate the impact of user errors.
Not so today. Computers have become commodity appliances, and
computer expertise is far more commonplace. In addition, there are people
who have technical expertise and, for a variety of reasons, choose to use it to
inflict damage. Worse still, there are those who wish to use such expertise
to cause serious harm to the government and citizens of the United States.
The Internet, a world-spanning communications technology that should be
a positive force to unite cultures and peoples, is being used also as a means
to reach into our computer systems by such ill-intentioned people. Much of
our critical industrial infrastructure is managed and controlled by SCADA
systems, and thus, it is now essential that we place protective measures
within and around these systems. This book is intended to provide a general
background of SCADA system technology and of cybersecurity concepts
and technologies and to explain how the two can be brought together to
safeguard our infrastructure and computer automation systems.
Contents
Preface ..........................................................................................xiii
Acknowledgments ............................................................................xv
Introduction — Industrial Automation in the Aftermath of 9/11 ......xvii
Section 1: Introduction to SCADA Systems ........................................1
1 The Technological Evolution of SCADA Systems ........................3
The Early History of SCADA—Mainframes ...............................3
Minicomputers and Microprocessors ..........................................10
Central Architectures ..................................................................13
Distributed Architectures ............................................................16
Client/Server Designs .................................................................18
Technological Convergence ........................................................19
Generalized Software Architecture .............................................21
2 Remote Terminal Units ..............................................................25
Basic Features and Functions ......................................................25
Analog inputs .......................................................................27
Analog outputs .....................................................................28
Status inputs .........................................................................29
Contact outputs ...................................................................30
Pulse inputs ..........................................................................31
Pulse outputs ........................................................................32
Smart RTU Technologies ...........................................................32
Serial ports ...........................................................................35
Local display ........................................................................39
Downloaded logic and parameters .......................................41
Regulatory and sequence control ..........................................44
Low-power operation ...........................................................48
Accumulator freeze ..............................................................49
Global Positioning System time receivers ............................50
Daylight savings time ...........................................................52
Transducer-less AC inputs ..................................................52
Top-Down and Bottom-Up Configuration ................................53
The Emergence of PLCs ............................................................55
Legacy Protocols .........................................................................57
Protocol Standards ......................................................................61
Network versus serial protocols ............................................61
Encapsulated protocols ........................................................64
IP-Ready RTUs and Protocols ...................................................64
3 Telecommunications Technologies .............................................69
Voice-Grade (Analog) Telephony ..............................................69
Telephone technology ..........................................................70
Licensed radio ......................................................................73
Communications backup .....................................................75
Private telephone systems .....................................................76
Commercial Voice/Data Carriers ................................................78
X.25 packet switching networks ...........................................78
The digital telephone company ............................................80
T1/T3 circuits ......................................................................81
Integrated service digital network ........................................82
Frame relay ..........................................................................83
DSL technologies ................................................................85
Options for Wireless Communications .......................................85
WiFi and WiMAX ..............................................................87
Cellular ................................................................................88
Digital Networking Technologies ...............................................90
Frame relay ..........................................................................90
Fiber-distributed data interface ............................................92
Asynchronous transfer mode ................................................93
TCP/IP Networking ...................................................................94
IP suite of protocols ...........................................................102
Secure Socket Layer ...........................................................102
VPN ...................................................................................103
The Internet ..............................................................................104
Backbone (including MBONE) .........................................105
Internet service providers ...................................................106
IPv4 and IPv6 ....................................................................106
4 Supervisory Control Applications .............................................109
Operating System Utilities ........................................................109
SCADA System Utilities ..........................................................114
Program Development Tools ....................................................123
Standardized APIs ....................................................................130
OPC ...................................................................................130
Standard Query Language .................................................132
Common Object Request Broker Architecture ..................133
DCOM ..............................................................................134
ICCP .................................................................................134
UCA2.0 .............................................................................134
TABLE OF CONTENTS
5 Operator Interface ...................................................................137
Access-Control Mechanisms ....................................................137
Standard System Displays .........................................................140
Diagnostic displays .............................................................140
Site/Industry–Specific Displays .................................................145
Graphical displays ..............................................................147
Display hierarchy ...............................................................150
Pan and zoom ....................................................................151
Decluttering .......................................................................153
Layering .............................................................................153
Display navigation ..............................................................154
Alarms and indicators ........................................................154
Alarm filtering ...................................................................158
Alarm annunciation ...........................................................159
Alarm history file ...............................................................160
Alarm-state visual indication .............................................161
Historical Trending ...................................................................164
Historical trending displays ................................................169
Real-time trending .............................................................171
Logs and Reports ......................................................................172
Calculated values ................................................................173
Statistical calculations ........................................................174
Spreadsheet report generators ............................................175
Reports as data-exchange mechanism ...............................175
6 Conventional Information Technology Security ........................179
Availability, Integrity, and Confidentiality ...............................180
Remote Access ..........................................................................182
TCP/IP Suite ............................................................................185
IP addresses and gateways ..................................................188
Firewalls ....................................................................................190
Classes of attack messages ..................................................192
Probing and exploring ........................................................192
Overloading .......................................................................193
Malware delivery ................................................................194
Wireless LANs ..........................................................................200
Rogue APs .........................................................................203
Bluetooth and WiFi ad hoc networks ................................204
Authentication and Validation ..................................................205
Strong authentication .........................................................209
Password strategies .............................................................211
Encryption and Ciphers ............................................................213
Shared secret ......................................................................218
Key size ..............................................................................219
Hash code ..........................................................................221
VPNs .................................................................................223
Kerberos ....................................................................................228
Intrusion Detection ...................................................................229
Architecture ..............................................................................235
Section 2: Cybersecurity Principles, Processes, and Technologies ........237
7 Identifying Cybersecurity Vulnerabilities ..................................239
Threats and Threat Agents .......................................................239
Internal threats ...................................................................240
External threats ..................................................................241
Targeted attacks .................................................................242
Obvious Points of Attack and Vulnerability .............................246
Most Frequently Used Means of Attack ...................................253
Probability of Attack .................................................................254
Nonspecific attack probabilities .........................................255
Directed attack probabilities ..............................................257
Guesstimating the Impact of a Successful Attack .....................259
Risk Assessment ........................................................................260
8 Classifying Cyber Attacks and Cyber Threats ............................265
Web Site/SQL Attacks .............................................................266
E-mail Attacks ..........................................................................268
Malware ....................................................................................269
Software that mindlessly reproduces and consumes resources ...........269
Software that inflicts harm once a programmer-specified trigger condition is met ...........269
Software that allows a remote party to (re)enter your systems and (re)use your resources ...........269
Software that finds and collects sensitive information ...........270
Remote Control/Usage .............................................................271
Zombie Recruitment .................................................................271
Firewall Configuration ..............................................................273
9 Physical Security .....................................................................279
Access Controls .........................................................................280
Manual access controls .......................................................282
Electronic access controls ...................................................282
Hybrid access controls ........................................................283
Access Tracking ........................................................................285
Illegal-Entry Alarms .................................................................285
Physical Isolation of Assets: Layers of Defense .........................286
Physical Protection of Materials and Information ....................287
Critical Ancillary Subsystems ....................................................291
Fire suppression .................................................................291
Telecommunications ..........................................................292
LANs .................................................................................292
Electric power ....................................................................293
Remote and Field Sites .............................................................294
IP networking in the field ..................................................295
10 Operational Security ................................................................297
Policies and Administrative Controls ........................................297
Procedures .................................................................................300
Procedural validation ..........................................................301
Critical procedure sets ........................................................302
Operational Differences ............................................................306
Training ....................................................................................308
Recovery Procedures .................................................................310
Annual Review ..........................................................................311
Background Checks ..................................................................312
11 Electronic/Systems Security .....................................................315
Removable Media .....................................................................317
Mobile Electronics ....................................................................319
Bluetooth ...........................................................................320
Computer Systems ....................................................................321
PCs ....................................................................................325
RTUs .................................................................................329
12 Electric Utility Industry–Specific Cybersecurity Issues ...............335
Substation Back Doors ..............................................................338
IP to the Substation ..................................................................344
TASE.2/ICCP Connections ....................................................349
UCA2.0 (IEC 61850) ...............................................................351
DNP3.0 .....................................................................................352
NERC 1200/1300 Compliance ................................................353
Section 3: Industrial Sectors ............................................................355
13 Water/Wastewater Industry–Specific Cybersecurity Issues ...........357
Licensed Radio Communications .............................................360
Nonsecure Protocols .................................................................363
PLC Equipment as RTUs ........................................................364
Supervisory and Local Control Applications .............................368
Municipal LANs and WANs ...................................................371