
Operating SCADA Systems in Potential Risk Intrusion Network Environment and Risk Management

STANKOVSKI Mile,
Ss. Cyril and Methodius University, Skopje,
Faculty of Electrical Engineering and Information Technologies
Republic of Macedonia

OUTLINE

SCADA Systems – Overview and Importance in the Modern World
Security in SCADA Systems
HS Zletovica SCADA System – A Case Study
Integrated Security into HS Zletovica SCADA System
Conclusion

NATO ARW Workshop Antalya 24-26 May 2011 2/39


Where can we meet SCADA systems?

• Monitor and control industrial systems
  • Electricity, Power generation and transmission
  • Industrial Automation, Manufacturing
  • Marine
  • Oil and Gas
  • Telecommunication
  • Transport, Air traffic and railways
  • Water and waste water management



SCADA Systems - main parts



SCADA Systems – Field devices

• Instruments in the field for sensing conditions such as water level, temperature, pressure, power level, flow rate...
• Field equipment such as motors, pumps, valves and conveyors
• Remote terminal units or Programmable logic controllers



SCADA - Communication Systems

• Wireless communication
• GPRS
• Radio communication
• Optical cables
• Copper wires
• Ethernet
• ADSL



SCADA Center

• Host computers that act as the central point of monitoring and control:
  • supervise the process,
  • receive alarms,
  • review data and
  • exercise control.



SCADA Systems

A SCADA system can be defined as a collection of:

• SCADA hardware and
• SCADA software.



SCADA Systems – Software

Key features of SCADA software are:


• Protocols
• User interface
• Graphics displays
• Alarms
• Trends
• RTU (and PLC) interfaces
• Scalability
• Access to data
• Database
• Networking
• Fault tolerance and redundancy
• Client/server distributed processing



SCADA Systems - software

CONTROL CENTER SOFTWARE

There are three components to the Control Center software:

• The operating system software
• The system SCADA software (suitably configured)
• The SCADA application software

The operating system software can be Windows based or one of various UNIX and Linux systems.



SCADA Security

Glossary (English – Macedonian): threat – закана; intrusion – упад; hacking – хакирање; malware – малициозен софтвер

• SCADA in the past was an isolated system
• Nowadays, SCADA systems are opened to the internet
• This opening of SCADA systems to the internet has brought new threats like internet intrusion, hacking, malware and so on.

Attacks can provoke:

• Massive power blackout
• Oil refinery explosion
• Waste mixed in with drinking water

SCADA Systems – Well-known incidents

◊ Computers and manuals seized in Al Qaeda training camps were full of SCADA information related to dams and related structures.

◊ The safety monitoring system of the Davis-Besse nuclear power plant in Ohio was offline for 5 hours due to the Slammer worm in January 2003.

◊ In 2000, former employee Vitek Boden released a million litres of water into the coastal waters of Queensland, Australia.

◊ In 2003, the east coast of America experienced a blackout; while not the cause, the Blaster worm had infected many of the related systems.

◊ In 1992, a former Chevron employee disabled its emergency alert system in 22 states, which wasn't discovered until an emergency happened that needed alerting.



SCADA Systems – Well-known incidents

◊ In 1997, a teenager broke into NYNEX and cut off Worcester Airport in Massachusetts for 6 hours, affecting both air and ground communications.

◊ In the action to liberate Kosovo, NATO used information warfare techniques against the Serbs; Russian hackers attacked NATO computers; Chinese hackers (in response to the accidental U.S. bombing of the Chinese embassy) attacked United States computers.

◊ In 2000, the Russian government announced that hackers had succeeded in gaining control of the world's largest natural gas pipeline network (owned by Gazprom).



SCADA Systems - problem with STUXNET worm

◊ Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment, especially programmable logic controllers (PLCs)

◊ The worm is designed to target only Siemens SCADA systems that are configured to control and monitor specific industrial processes

◊ Speculations about the target and origin

◊ Israel and the United States or other Western nations, China, Jordan, and France are other possibilities, and Siemens may have also participated

◊ There is speculation that the infection may have spread from USB drives belonging to Russian contractors

◊ Iran as target (Natanz nuclear facilities)



SCADA Systems - problem with STUXNET worm

Overview of normal communications between Step 7 and a Siemens PLC



SCADA Systems - problem with STUXNET worm

Overview of Stuxnet hijacking communication between Step 7 software and a Siemens PLC



SCADA Systems - problem with STUXNET worm

Affected countries

A study of the spread of Stuxnet by Symantec

Country          Infected computers
Iran             58.85%
Indonesia        18.22%
India            8.31%
Azerbaijan       2.57%
United States    1.56%
Pakistan         1.28%
Others           9.2%

There are still discussions about who is responsible for this worm, especially about its origin.



Security in SCADA Systems

• SCADA systems are not only systems for controlling industrial and commercial operations.
• They are attractive targets for different kinds of attacks.
• Authorities are still reluctant to admit that SCADA systems are becoming attractive targets for:
  • malicious individuals,
  • belligerent nations,
  • terrorist groups,
  • curious hackers,
  • an organization's competitors.
• Additionally, with the complete networking of a country it is much easier to find a weak link in the system and make an intrusion.



Security in SCADA Systems

• The industry employs SCADA systems more and more.
• Engineers still design these systems more towards proper functioning and a user-friendly interface than towards high-level integrated security.
• In SCADA systems, security from intrusion is critical, mainly because these systems are defined as crucial for public security.
• The level of security in SCADA is typically much lower than in similar IT systems, with no reasonable explanation.
• That is why SCADA design engineers in recent years integrate security into the primary design of SCADA systems.



Security in SCADA Systems

Glossary (English – Macedonian): virus – вирус; worm – црв; trojan – тројански вирус; spyware – шпијунски софтвер

• Intentional security threats to SCADA systems can be grouped as follows:
  • Malware – Like any IT system, SCADA systems are potentially vulnerable to viruses, worms, trojans and spyware, since they are adapted to work on standard platforms.
  • Insider – The disgruntled worker who knows the system can be one of the largest threats.
  • Hacker – Here the individual is an outsider who may be interested in probing, intruding, or controlling a system because of the challenge.
  • Terrorist – This is the threat that distinguishes critical infrastructure systems from most IT systems.



Security in SCADA Systems

• Some typical SCADA attack routes (1):
  • Internet connections
  • Business or enterprise network connections
  • Connections to other networks that contain vulnerabilities
  • Compromised virtual private networks (VPNs)
  • Back-door connections through dial-up modems



Security in SCADA Systems

• Some typical SCADA attack routes (2):
  • Malformed IP packets, in which packet header information conflicts with actual packet data
  • IP fragmentation attacks, where a small fragment is transmitted that forces some of the TCP header fields into a second fragment
  • Vulnerabilities in the simple network management protocol (SNMP), which is used to gather network information and provide notification of network events
  • Open computer ports, such as UDP or TCP ports that are unprotected or left open unnecessarily
  • Weak authentication in protocols and SCADA elements
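
The malformed-packet and fragmentation routes above can be checked on a single datagram, following the fragment-filtering rules of RFC 1858. This is an added example, not part of the original slides; the function names and sample packets are constructed, and the input is assumed to be the bare IPv4 datagram with any link-layer padding already stripped.

```python
import struct

TCP = 6
MIN_TCP_HEADER = 20  # bytes; the TCP flags sit at offset 13


def build_ipv4(payload, mf=False, frag_offset=0, total_len=None):
    """Constructed IPv4 packet (checksum left at 0) used as sample input."""
    if total_len is None:
        total_len = 20 + len(payload)
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                         flags_frag, 64, TCP, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


def inspect_ipv4(packet):
    """Return the list of findings for one raw IPv4 packet (empty = clean)."""
    if len(packet) < 20:
        return ["truncated: shorter than a minimal IPv4 header"]
    ver_ihl, _, total_len, _, flags_frag, _, proto, _ = struct.unpack(
        "!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > len(packet):
        return ["malformed: bad version or header length"]
    findings = []
    # Header information that conflicts with the actual packet data.
    if total_len != len(packet):
        findings.append("malformed: total length %d, %d bytes received"
                        % (total_len, len(packet)))
    more_fragments = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8   # the field counts 8-byte units
    payload_len = len(packet) - ihl
    if proto == TCP:
        # Tiny first fragment: part of the TCP header is pushed into fragment 2.
        if offset == 0 and more_fragments and payload_len < MIN_TCP_HEADER:
            findings.append("tiny-fragment: only %d bytes of TCP header"
                            % payload_len)
        # A later fragment that starts inside the TCP header can rewrite it.
        if 0 < offset < MIN_TCP_HEADER:
            findings.append("overlap: fragment starts at byte %d of the "
                            "TCP header" % offset)
    return findings


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "normal": build_ipv4(b"\x00" * 20),
    "tiny": build_ipv4(b"\x00" * 8, mf=True),
    "overlap": build_ipv4(b"\x00" * 16, frag_offset=1),
    "bad-length": build_ipv4(b"\x00" * 20, total_len=60),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_ipv4(pkt) or "clean")
```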



Security in SCADA Systems

• The three major misconceptions held by the utility managers of the SCADA systems are:
  1. The SCADA system resides on a physically separate, standalone network;
  2. Connections between SCADA systems and other corporate networks are protected by strong access controls;
  3. SCADA systems require specialized knowledge, making them difficult for network intruders to access and control.



Zletovica SCADA System – A Case Study

• The hydro system Zletovica is one of the biggest hydro systems in the Republic of Macedonia.
• It has to meet the following basic needs:
  • Water supply for the inhabitants and water for North-Eastern Macedonia;
  • Irrigation of 5.100 ha of agricultural area (Phase II);
  • Production of electrical energy (Phase III);
  • Maintaining the biological minimum of the river Zletovica;
  • Decreasing the possibility of floods and
  • Keeping the outflow in the accumulation space.

DAM – OPEN CHANNELS – PIPELINES – WATER TREATMENT PLANTS



Zletovica SCADA System – A Case Study

The SCADA architecture for Hydro System Zletovica.

[Figure: SCADA architecture diagram. Labels: Main SCADA center - Probistip; Subcenter – Knezevo Dam; Kratovo Intake; Pump Station; Intake 1; Intake 3; WTP Kratovo; Branch Point; Pipeline Lozovo; Pipeline Karbinci; WTP Probistip; WTP Stip; WTP Sv. Nikole; WTP Lozovo; WTP Karbinci; Power Station Zletovo 1, 2 and 3; Irrigation Control Point 1 and 2. Links: Redundant Gigabit Ethernet Fiber Optic Ring; ADSL; GPRS.]



Zletovica SCADA System – A Case Study
Primary Control Center

[Figure: Primary Control Center structure. Labels: 3U Storage; Supervisory Display; DB Server 1; DB Server 2; Surveillance Server; Voice Server; UPS (Uninterruptible Power Supply); SCADA Workstations; Printer; Backup and Reporting server; SCADA LAN 1 and SCADA LAN 2 (Local Area Network, Ethernet); Monitoring Center; ADSL; GPRS; Switch 1; Switch 2; Router; Firewall; Gigabit Ethernet Fiber Optic Ring 1 and Ring 2 (WAN).]



Zletovica SCADA System – A Case Study
Primary Control Center

Main control room and Server room



Zletovica SCADA System – A Case Study
Structure of a control point

[Figure: Typical structure of control point. Labels: Fiber-optic / Gigabit Ethernet ring; GPRS; Router/Firewall; UPS (Uninterruptible Power Supply); PLC; Operator Terminal; Voice communication system; Video surveillance system; Frequency motor controllers; Emergency Gate; Intake Gate; Gate Positioning Gauge; Level Meter; Flow Meter; Temperature Inside; Temperature Outside.]



Zletovica SCADA System – A Case Study

• The Zletovica SCADA system is implemented using SIEMENS software and equipment.
• The standard SIEMENS software for such systems is used, in this case SIMATIC STEP 7, WinCC and PCS 7.
• Siemens WinCC is a Human Machine Interface (HMI) application for the visualization and supervision of process control and SCADA systems.
• Siemens STEP 7 is a family of software tools for configuration and programming of Siemens automation systems.
• Siemens PCS 7 is an integrated distributed control system comprised of various operator systems (WinCC), automation systems (S7-400 PLC), engineering systems (STEP 7) and other components.



Integrated security into Zletovica SCADA system

• The main security risks that threaten the normal operation of the Hydro-system Zletovica SCADA are:
  • cyber threat,
  • hacker intrusion,
  • terrorist attack and
  • natural disaster.
• We must consider all possible scenarios in order to design a system that is flexible and fully operational, and at the same time secure against both inside and outside attacks.



Integrated security into Zletovica SCADA system

• We can group cyber terrorism and hacker threats in the same area and design mechanisms that will prevent intrusion into the system by an outsider.
• In the case of inside threats, security is achieved by using passwords and different levels of authorization, and by logging and tracking the users that access data in the system.
• The servers are password protected, with the password known only by the administrator, and external access, such as DVDs or USB, is not allowed.
• The workstations are also password protected, with no external access, and use logging and tracking of the users that access data in the system.



Integrated security into Zletovica SCADA system

• As a primary security element for protection of any SCADA system from network intrusion and/or hacking we use a firewall.
• Typical positioning of the firewall is between the closed SCADA system network and the Internet.
• A firewall provides protection against viruses, worms, and other types of malicious code as well as from network intrusions.
• An issue with firewalls applied to SCADA systems is that most firewalls do not support handling of SCADA protocols.
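
An added example (not from the original slides or from Siemens) of what handling a SCADA protocol means for a firewall: it parses the S7comm request carried in TPKT/COTP between STEP 7 or WinCC and an S7 PLC and applies a default-deny policy per function. The S7comm framing and function codes are taken from public protocol dissectors, not from this page; the segment names, policy and sample frames are constructed.

```python
import struct

# S7comm job function codes, as documented by public protocol dissectors.
FUNCTIONS = {
    0xF0: "setup-communication", 0x04: "read-var", 0x05: "write-var",
    0x1A: "request-download", 0x1B: "download-block", 0x1C: "download-ended",
    0x28: "plc-control", 0x29: "plc-stop",
}
# Hypothetical policy: what each network segment may ask a PLC to do.
POLICY = {
    "hmi": {"setup-communication", "read-var"},
    "engineering": set(FUNCTIONS.values()),
}


def build_job(function_code):
    """Constructed header-only Job frame used as sample input."""
    s7 = struct.pack("!BBHHHH", 0x32, 0x01, 0, 1, 1, 0) + bytes([function_code])
    cotp = bytes([0x02, 0xF0, 0x80])             # COTP data TPDU
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(cotp) + len(s7))
    return tpkt + cotp + s7


def classify(frame):
    """Name the S7comm job function in a request, or say why it is rejected."""
    if len(frame) < 7:
        return "reject: too short"
    version, _, length = struct.unpack("!BBH", frame[:4])
    if version != 3 or length != len(frame):
        return "reject: bad TPKT header"
    if frame[5] != 0xF0:
        return "reject: not a COTP data TPDU"
    s7 = frame[5 + frame[4]:]                    # length byte excludes itself
    if len(s7) < 11 or s7[0] != 0x32:
        return "reject: not S7comm"
    if s7[1] != 0x01:                            # ROSCTR 1 = Job (a request)
        return "reject: not a job request"
    if struct.unpack("!H", s7[6:8])[0] < 1:
        return "reject: empty parameter block"
    return FUNCTIONS.get(s7[10], "unknown-0x%02x" % s7[10])


def decide(segment, frame):
    """Default-deny verdict for a request travelling toward the PLC."""
    function = classify(frame)
    action = "allow" if function in POLICY.get(segment, set()) else "drop"
    return action, function


if __name__ == "__main__":
    for segment, code in [("hmi", 0x04), ("hmi", 0x05), ("engineering", 0x1A)]:
        print(segment, decide(segment, build_job(code)))
```

It judges only data TPDUs travelling toward the PLC, and it cannot help when the authorised engineering station itself is compromised, as in the Stuxnet hijacking of STEP 7 communication described earlier.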



Integrated security into Zletovica SCADA system

• The Zletovica SCADA System is a combination of open and closed communication systems (optical fiber ring topology).
• Optical fiber cannot be overheard by a third party, and for this reason optical fiber is the preferred medium for data security applications. No internet access is allowed through the optical fibers, so this is considered a closed system.
• There is only one open link in the primary communication nodes (Kratovo WTP), which uses an ADSL connection.
• We manage security by using private IP addresses and firewall units on both ends, configured to receive and transmit data only from the equipment installed on the two ends of the ADSL link, which gives the Zletovica SCADA System a higher level of security.



Integrated security into Zletovica SCADA system

• In case of malfunction of the primary communication channel:
  • The SCADA system automatically transfers to the backup GPRS communication system, which uses a public internet service.
• Sending critical and crucial data through a public service is not safe at all!
• To improve security we use an advanced virtual private network (VPN) as a highly effective solution for transmitting data securely over the Internet by encapsulating and encrypting the data and then transmitting it over the network. The GPRS server firewall is independent from the other equipment.
• The specifications for the configurations and types of encryption for the Hydro-system Zletovica SCADA system cannot be presented due to security reasons.



Integrated security into Zletovica SCADA system

• In the SCADA system there are installed software tools that automatically search for threats such as malware, viruses, worms or trojans, following some standard intrusion patterns and implementing hi-tech security algorithms.
• Additionally, the manufacturer continuously follows the security trends and new safety threats and responds with upgrades or new system tools for the SCADA software.



Integrated security into Zletovica SCADA system

• There is a security system integrated into the existing SCADA system, enabling security control of the control sites.
• The security system monitors the doors, windows and presence of people on the control sites, as well as fire detection.
• PIR movement detectors, door and window sensors and fire alarm sensors are used for monitoring the doors and windows on the control sites, as well as the presence of people in the monitored premises.



Integrated security into Zletovica SCADA system

• Using the SCADA system for security purposes gives the possibility of real-time monitoring of security issues.
• The logs created and recorded on the SCADA server enable further analysis of the security events, if necessary.
• Card readers are installed at the control point sites, enabling a higher level of security and identification of the persons allowed to have access to the control equipment installed in the control point buildings.



Integrated security into Zletovica SCADA system

• For integrated security in SCADA systems, the worst-case scenario, due to terrorist attack or natural catastrophe, must be implemented.
• In the case of the SCADA system for the Hydro-system Zletovica, there exists an independent warning and alarm system.
• The purpose of the on-time warning system of a dam is to raise the alarm in case of defect, natural catastrophe or terrorist attack, and at the same time give a proper time period for safe evacuation of the population that lives downstream and is exposed to danger.



Conclusion

• SCADA systems are not designed having security in mind.
• In recent years the problem with SCADA security has raised a lot of questions in different industries:
  • How to secure the plants that are considered critical from a public security point of view?
  • How to secure important information from leaking out when it is transferred through SCADA networks?
• Future SCADA security depends on:
  • secure implementations of technology and procedures managed by effective security administration, including enforcement and audit;
  • better security technology, including SCADA-specific capabilities;
  • third-party assessment of administration and implementation.



Questions?

Thanks…
