c&esar 2013...c&esar 2013 : sécurité des systèmes numériques industriels nous voici arrivés à...

C&ESAR 2013

Computer & Electronics

Security Applications

Rendez-vous

Sécurité des Systèmes Numériques Industriels

19 � 20 � 21 novembre 2013

Rennes - France

http ://www.cesar-conference.org

C&ESAR 2013 : Sécurité des Systèmes NumériquesIndustriels

Nous voici arrivés à la 20ème édition de C&ESAR (Computer & ElectronicsSecurity Applications), alias Journées SSI de la Défense. Que de chemin parcourudepuis la première édition des journées SSI du CELAR en 1997 ! L'auditoire s'estlargement étendu au-delà du ministère de la Défense, et les thèmes couverts ontpermis de balayer au �l des années le spectre toujours plus vaste de la cyber-sécurité. L'évolution des technologies et des usages a profondément transforméle monde qui nous entoure au cours des deux dernières décennies. Si l'ubiquitégrandissante des systèmes informatiques a sans doute accru considérablement l'ef-�cacité de ses processus, quels qu'ils soient, le revers de la médaille est la vulné-rabilité croissante du monde moderne aux agressions à caractère informatique. Lasphère de nos préoccupations déborde maintenant largement des classiques sys-tèmes d'information et de communication, vers des domaines moins connus dugrand public comme les systèmes embarqués, les systèmes d'armes, ou encore lessystèmes numériques industriels.

La sécurité de ce dernier type de systèmes constitue cette année le thème choisipour C&ESAR. Souvent désignés - de façon quelque peu réductrice - par l'acro-nyme anglais SCADA (Supervisory, Control and Data Acquisition), ils regroupenten fait des dispositifs très variés, allant sans être exhaustif des automates program-mables autonomes aux systèmes numériques de contrôle-commande intégrés, enpassant par l'instrumentation intelligente ou encore les systèmes numériques de su-pervision. Dénominateur commun : ils jouent un rôle critique dans de nombreusesinstallations industrielles et constituent un support désormais indispensable desinfrastructures vitales de la Nation.

Leur sécurité (au sens protection contre les attaques informatiques dans notrecontexte) est longtemps restée un sujet marginal, voire tabou, alors que toutesles attentions se concentraient sur leur �abilité et leur disponibilité. Historique-ment à l'écart des technologies et des évolutions de l'informatique tertiaire, lessystèmes industriels ont pourtant ces dernières années employé les technologiesnumériques toujours plus près du procédé, et connu une standardisation et uneinterconnexion grandissantes. Si ces évolutions ont permis d'indéniables gains deperformance et de productivité, elles ont aussi grandement augmenté l'expositionaux attaques informatiques. Le ver Stuxnet a projeté en 2010 cette réalité sur ledevant de la scène. La médiatisation de diverses opérations d'espionnage ou d'at-taque (Flame, Gauss, Rocra, Duqu, Shamoon pour n'en citer que quelques unes),bien qu'instructive, ne doit pas faire oublier qu'il ne s'agit que de la partie émergéede l'iceberg. La sécurité des systèmes numériques industriels est aujourd'hui unenjeu majeur et un dé� à la fois technique, organisationnel et culturel. Le mythede leur protection par leur isolation physique et leurs technologies propriétaires avécu. La prise de conscience de leur vulnérabilité et le besoin crucial d'approcheset de solutions adaptées sont autant de dimensions que cette édition se propose de

2

couvrir, à travers un programme dont nous allons maintenant décrire les grandeslignes.

L'amiral Coustillière, o�cier général cyber-défense, nous fait cette année l'hon-neur d'ouvrir la conférence, soulignant l'importance capitale des systèmes numé-riques industriels pour la sécurité de la Nation. Le programme s'articule par lasuite en trois temps. Fidèle à sa vocation didactique, la première après-midi viseà poser la problématique générale. Elle doit permettre à l'audience de mieux com-prendre la nature et les particularités des systèmes industriels, des architecturesassociées et de leurs implications en termes de sécurité. A cet e�et, les représen-tants de secteurs grands utilisateurs de systèmes numériques industriels auront laparole en séance plénière ou en table ronde pour apporter leur éclairage sur lasécurité de leurs infrastructures, et échanger avec l'audience. La seconde journéecouvrira un large spectre de thématiques, abordant la problématique sous diversangles : aspects techniques et organisationnels, gouvernance, spéci�cation, normeset référentiels, certi�cation ou encore contractualisation, autant de thèmes et depoints de vue qui permettront d'appréhender le sujet de façon transverse, et denourrir échanges et débats autour des interventions. Le dernier volet de la confé-rence s'intéresse au futur, proche ou plus éloigné, en traitant des dispositions àprendre pour gérer l' � après-attaque �, de l'évolution des activités de l'ENISAà la maille européenne, et de travaux de recherche prometteurs pour le domaine.En�n l'ANSSI clôturera cette conférence en dégageant pour nous enseignementset orientations.

Nous espérons que les participants à ces journées - et les lecteurs de ses actes- trouveront à ce programme autant d'intérêt que celui que nous avons trouvéà son élaboration. Pour �nir, nous tenons à remercier encore une fois chaleureu-sement tous ceux dont l'engagement rend possible ce rendez-vous annuel de lacommunauté SSI : les intervenants et conférenciers, les membres du comité deprogramme, les organisateurs, et tous les partenaires sans qui cette manifestationne pourrait avoir lieu.

Yves Correc (DGA-MI, ARCSI), Président du comité d'organisation.Ludovic Pietre-Cambacedes (EDF), Président du comité de programme.

Olivier Heen (Technicolor), Directeur de publication.

3

Comité d'organisation

Yves CORREC, Chair (ARCSI, France)José ARAUJO (ANSSI, France)Boris BALACHEFF (HP Labs, France)Florent CHABAUD (DGSIC, MoD, France)Olivier HEEN (Technicolor, France)Benoît MARTIN (DGA-MI, MoD, France)Ludovic MÉ (Supélec, France)Éric WIATROWSKI (Orange, France)

Comité de programme

Ludovic PIETRE-CAMBACEDES, Chair (EDF, France)Marc ANTONI (SNCF, France)Pierre BIEBER (ONERA, France)Mathieu BLANC (CEA, France)Patrice BOCK (Areva, France)Brice COPY (CERN, Switzerland)Yves CORREC (ARCSI, France)Giovanna DONDOSSOLA (RSE, Italy)Donald DUDENHOEFFER (IAEA, Austria)Mathias EKSTEDT (KTH, Sweden)Yannick FOURASTIER (EADS, France)Igor Nai FOVINO (European Comm. � JRC, Italy)Frédéric GUYOMARD (EDF, France)Patrick HEBRARD (DCNS, France)Sébastien HEON (Cassidian, France)Robert HOFFMAN (Idaho National Labs, USA)Thomas HUTIN (Thales, France)Mohammed KAÂNICHE (CNRS/LAAS, France)Jean LENEUTRE (Telecom ParisTech, France)Stefan LUEDERS (CERN, Switzerland)Jean-Christophe MATHIEU (Siemens, France)Jean-Pierre MENNELLA (Alstom, France)Stéphane MEYNET (ANSSI, France)Vitaly PROMYSLOV (Russian Academy of Sciences, Russia)Orion RAGOZIN (Sogeti, France)Pascal SITBON (EPRI, Etats-Unis)Fabrice TEA (Schneider, France)

Partenaires

ANSSI, ARCSI, DGA, DGSIC, DIRISI, HP, Orange Business Services, Supé-lec, Technicolor.

4

Table des matières

Cyber Sécurité des Systèmes de Contrôle Industriel : les spéci�cités des SCI, unchallenge pour leur sécurité, Jean-Michel Brun, Laurent Platel, Fabrice Tea. Ver-sion française / English version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6/16Retour d'expérience RTE suite à Stuxnet, Patrick Assailly, Jean Marie Boisset,Philippe Jeannin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26Des bus de terrain à l'Industrial Ethernet/IP : Spéci�cités et impacts sur la sécu-rité des systèmes industriels, David Boucart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34Détection d'intrusion pour les systèmes industriels, Thomas Demongeot . . . . . . 46Sécurité informatique des systèmes de contrôle industriels : Détection et sur-veillance au niveau des équipements et du bus de terrain, Jean-Michel Brun,Laurent Platel, Fabrice Tea. Version française / English version . . . . . . . . . . . 62/76Investigating requirements models completeness in a uni�ed process for safety andsecurity, Vikash Katta, Christian Raspotnig, Peter Karpati . . . . . . . . . . . . . . . . . . . 90Certi�cations de sécurité : Panorama, intérêts et limites pour les systèmes indus-triels, Frédéric Guyomard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106Security requirements in procurement for Electric Power Utilities, Dennis Holstein,Pascal Sitbon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122Monitoring Advanced Metering Infrastructures with Amilyzer, Robin Berthier,William H. Sanders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Orateurs invités (sans article dans les actes)

Olivier Lesbre (DGA-MI) Introduction

Yves Correc (ARCSI), Ludovic Programme C&ESAR 2013Pietre-Cambacedes (EDF)

Arnaud Coustillière (EMA) Ouverture des Journées

Olivier Chenèble (DGA-MI) Démo. : Vulnérabilité des automates industriels

Patrick Hébrard (DCNS), Problématiques de sécurité sur un navire de guerrePhilippe Gaucher (EMM)

Yannick Fourastier (EADS) Table ronde : Contraintes et spéci�cités de la sécuritéet intervenants des systèmes industriels selon les secteurs d'activité

David Sancho (Trend Micro) Who's really attacking your ICS equipment ?

Jean-Luc Trollé (EDF) Gouvernance et intégration de la sécurité desdi�érents domaines informatiques

Gerome Billois (CLUSIF) Référentiels de sécurité pour le domaine industriel

Stéphane Meynet (ANSSI) Groupe de travail ANSSI sur la sécurité des systèmesnumériques industriels

Yannick Fourastier (EADS) Table ronde : Retex organisationnel, référentielset intervenants

Sébastien Bombal (Areva) Cybersécurité : Lorsque le temps vient de faire face. . .

Guillaume Prigent (Diateam) Simulation et sécurité des systèmes industriels

Adrian Pauna (ENISA) ENISA current and future activities on SCADA andand ICS security

5

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �

� � � � � � � � � � � � � � � � � � ! " # $ % � & ' ( ( � % ) � � * $ + ( � $ + � � � $ + � � �, - . / 0 1 2 3 4 - 5 6 7 8 / 9 : 7 3 4 2 ; - 3 ; - < - / 2 = 7 - / < > 3 8 7 2 ; > 2 / ? = 7 @ . ; 2 A 8 - 0 B 3 4 / - 2 C - 7 D 5 - 3 ; 7 2 3E . 8 7 - / ; F 5 . ; - 5 0 : 7 3 4 2 ; - 3 ; - - / < > 3 8 7 2 ; > 2 / ? = 7 @ . ; 2 A 8 - 0 B 3 4 / - 2 C - 7 D 5 - 3 ; 7 2 3G . H 7 2 3 - I - . 9 J > K - 5 = L L - 8 7 = ? ? 7 - < - 7 K 2 3 - < M N H - 7 B > 3 8 7 2 ; > B 3 4 / - 2 C - 7 D 5 - 3 ; 7 2 3O P Q R S T U V W P X Y Z [ \ R ] ^ V W R P U _ P [ S P X P V ` [ U V Y V a Tb c d e f c g h P ^ ^ i ^ ` j T P ^ U R _ \ ^ ` [ U P X ^ k W Q Z U ` \ P X X P T P R ` Q l l P X m ^ n o _ P X p Q R q X Q U ^n l P [ Q ` U a R Q X o P V W R a X a q i r P ` l Q [ ` U V \ X U j [ P T P R ` X P ^ ^ i ^ ` j T P ^ _ P s a R ` [ t X P u R _ \ ^ S` [ U P X ^ k v s u r a R ` ` a \ O a \ [ ^ l [ U w U X m q U m X Q [ a Z \ ^ ` P ^ ^ P k _ U ^ l a R U Z U X U ` m x ^ m V \ [ U ` m y a R V S` U a R R P X X P z r P ` X Q l P [ y a [ T Q R V P { ` a \ ` P Q \ ` [ P V a R ^ U _ m [ Q ` U a R Y s P ^ V W a U | a R ` y a [ q m\ R P R w U [ a R R P T P R ` _ Q R ^ X P } \ P X X Q ^ m V \ [ U ` m U R y a [ T Q ` U } \ P _ P ^ ^ i ^ ` j T P ^ u o P ^ `l Q [ y a U ^ U R Q _ Q l ` m P x X P \ [ l [ U R V U l P _ P Z Q ^ P m ` Q R ` Q Z ^ P R ` _ P ^ Q [ V W U ` P V ` \ [ P ^ U R _ \ ^ S` [ U P X X P ^ Q V ` \ P X X P ^ Ys P _ a V \ T P R ` P | l a ^ P X P ^ ^ l m V U y U V U ` m ^ _ P ^ Q [ V W U ` P V ` \ [ P ^ U R _ \ ^ ` [ U P X X P ^ l a \ [ T a R ` [ P [X P ^ U R V a T l Q ` U Z U X U ` m ^ Q w P V X P ^ ^ a X \ ` U a R ^ _ P ^ m V \ [ U ` m _ P X p u o ^ ` Q R _ Q [ _ Y~ � � � * % � � � � � � � � � � � � � � � * % � + ( � � % � $ � � + � � (E . < > 3 8 7 2 ; > 2 / ? = 7 @ . ; 2 A 8 - / - < ; L 5 8 < 8 / - - 2 - / 3 - < - 3 = / C . 2 7 - C . / < 5 - @ = / C - C 8 3 = / 0; 7 5 - 2 / C 8 < ; 7 2 - 5 3 = / ; - @ L = 7 . 2 / E - < < N < ; @ - < C - 3 = / ; 7 5 - 2 / C 8 < ; 7 2 - 5 B M H . < > < < 8 7 C - < ; - 3 4 / = 5 = 2 - < 2 / ? = 7 @ . ; 2 A 8 - < - . 8 C - A 8 . 5 2 ; > 2 / C 8 < ; 7 2 - 5 5 - < = / ; - / 8 < . - C - L 8 2 < C - < C > 3 - / / 2 - < E - < L 7 - 0@ 2 7 - < . 7 3 4 2 ; - 3 ; 8 7 - < C - < N < ; @ - C - 3 = / ; 7 5 - ? 8 7 - / ; C > K - 5 = L L > - < . K - 3 C - < ; - 3 4 / = 5 = 2 - ; . 2 7 - < - ; > ; . 2 - / ; 2 < = 5 > - < C 8 @ = / C - - ; > 7 2 - 8 7 I 7 < < = 8 K - / ; 5 . L 7 = ; - 3 ; 2 = / C - ; . 2 ; 8 > - < 8 ? ? 2 < . / ; - - ; 5 . < > 3 8 7 2 ; > 2 / ? = 7 @ . ; 2 A 8 - / > ; . 2 ; L . < 8 / -L 7 > = 3 3 8 L . ; 2 = / @ . - 8 7 - : 8 = 8 7 C 4 8 2 C - / = @ H 7 - 8 < N < ; @ - < C - 3 = / ; 7 5 - 8 ; 2 5 2 < - / ; C - < ; - 3 4 / = 5 = 2 - < 7 > L . / 0C 8 - < = 8 = 8 K - 7 ; - < - ; < ; . / C . 7 C 2 < > - < ; - 5 < A 8 - 5 - < < N < ; @ - < C - L 5 = 2 ; . ; 2 = / 2 / C = < C -1 2 3 7 = < = ? ; 5 - < 7 > < - . 8 C - ; - 3 4 / = 5 = 2 - D ; 4 - 7 / - ; I M F F - ; 5 . ; - 3 4 / = 5 = 2 - - H L = 8 77 > C 8 2 7 - 5 - < 3 = ; < - ; . @ > 5 2 = 7 - 7 5 - < L - 7 ? = 7 @ . / 3 - < J - / = @ H 7 - 8 < - < . 7 3 4 2 ; - 3 ; 8 7 - < 8 ; 2 5 2 < - / ;> . 5 - @ - / ; 5 . 3 = @ @ 8 / 2 3 . ; 2 = / C 2 7 - 3 ; - - / ; 7 - 5 - < < N < ; @ - < C - 3 = / ; 7 5 - 2 / C 8 < ; 7 2 - 5 - ; 5 - 5 2 = 7 - 7 5 - ? ? 2 3 . 3 2 ; > = L > 7 . ; 2 = / / - 5 5 - - ; 5 . 7 - / ; . 0H 2 5 2 ; > C - < . 3 ; 2 ? < C - L 7 = C 8 3 ; 2 = / M - ; ; - > K = 5 8 ; 2 = / ; - 3 4 / 2 A 8 - - L = < - 5 - < < N < ; @ - < C - 3 = / ; 7 5 - 2 / C 8 < ; 7 2 - 5 . 8 @ - / . 3 - < - . 8 H 8 7 - . 8 ; 2 A 8 - C - 5 - / ; 7 - L 7 2 < - : 3 - < @ - / . 3 - 7 2 ; > - < C - < ; - 3 4 / = 5 = 2 - < C 8 @ = / C - I B ; 8 / - ; - ; < - < C > 7 2 K > < . = 8 ; - / ; 8 / - @ - / . 3 -< L > 3 2 ? 2 A 8 - - ; ; 7 < . K . / 3 > - ; N L - : F I : C K . / 3 - C F - 7 < 2 < ; - / ; I 4 7 - . ; C > C 2 > - . 8 < N < 0; @ - < C - 3 = / ; 7 5 - 2 / C 8 < ; 7 2 - 5 A 8 2 < = / ; C > < = 7 @ . 2 < K 8 5 / > 7 . H 5 - < C - < . ; ; . A 8 - < 2 / 06

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ! � � � � � � � " � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� $ � � � � � � % & � � � � � � � � � � � ' # � � $ � � � �� #� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� $ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ( � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ) � � � � � � � � � ' � � � � � *•

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � * � � $ � � � � � � � � � � � ) � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �• , � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � - � � � � � � � � � � � � � � � �•

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � . � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� •

� � � � � � � � � / � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ' 0 1 � , ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � �� ) �•

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� 2 % 0 � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � + � � � �•

� � � � � � � � � � � � � � � � $ � � � � � � � � � � � � ) � � � � � � $ � � � � � � � � $ � � � � � � � � � � +� � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � � � � � �� / � � � � 3 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ( � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � �� 4 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � * � � � � � � � � � � � � � � � � � � � � � � � � � � � 5 � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � �� % � � � � � � � � � � � � ' � � � � � ) � � � � � � � � � � � � � � � � � � � � � � � � � � � 6 � � � � � � � � � � � � � � � � � �7 � � � ' � � � � � � � � � � � 8 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � �� ' � � � � + � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � � � � � � +� � ) � � � � � � � � � �7

9 : ; < = > ? @ A ? = B C ; < A B > B A D E > ? < D ? F G ; < H ; < E F G ? = ; I ; @ D < ? @ H G < D > ? ; C

� � � � � � � � � � � � � � � � � ' � � % & b , b � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � �e � � � j � � � � j * ( � � � � * � � � � � 2 � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � + � � � � � � � � � $ � � � � � 7 ! % " 7 � � � � � � � � � ! � � � � � � % $ � � � � � �e � � � k � � � � k ! � � � � � � � � � � * � � � � � ! � � � � � � � � � � � � � � � � � � � � *• , � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �• , � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �• , � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � l � � � � � � * � % b c d � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � ) � � � 8 � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 8 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � b � � � � ' � % b c d � 8 � � � � � � � � � � � � � � � � � � � � � � � � � � 8 � � � � � � $ � � � � � �� $ � � � � � � � � � � � � � � � � � % � � � � m � � � � �J K J Z S n P R o R P R T n O N T P U V T Q p R V T N O W X Y V Z [ O T \ ] N W N ^ U V T Q _ ` N a V W Y O T Q R N `& � � � � � � � � � � � � � � 3 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �% $ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % $ � � � � � � � � & � � � � ) � � � � � � � � � ' � �� q N O P U V T Q p R V T N O W N T N ] S O K� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � + # + � � � � � � � � � � � � # � � � +� � � � � � � � � � � � � � � � � 4 � � � � � � � � � � � � � r f � � � � b � � � � ' � � � � � � � � � $ � � � � � �� # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �s t u v w x t y z y { t | } ~ u | ~ t � � � � � � � � � $ � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � $ � � � � � � � � � � � � � � � � � � � � � � � � � " � � � � � � � � � $ � � � � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � � � + � 4 � � # � � � � � � � ' � � � � � � � �� $ � � � � � � � � � � � � � � � � d � � � � f � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � & % � � �� ) � � � � � � � � � � � � � � � � � � � � � � �s t u v w x t v w t � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � 4 � � � � � � � 4 � � � � � � � � � � � � � � � � � � � � � ' f � � � � �� " � � � � � � � � � � � � � � m � � � � � � � � � � � � � � � � ! & f d � � � � � � � � � � � � � +� � � � � " � � � � � � � � � � � � � � � �

9

~ t u w u t � � � � � � � � 8 � � � � � " � � � � � � � � � � � 4 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � y ~ | y ~ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � * � � � � � � � � � � ' � � � 4 � � � � � � � � '� � � � � � � � � � � ' � � � � � � � � � � & � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � �q N O P U V T Q p R V T N O W N Q N O O U Y Q P N O K� � � � � � � � � � � � � � � � � � � � � � � � � � � � � 8 b � � � � � � � ( � � � � � � � � � � � � ( � & � ' � � � � � � + � � � � � ! � � � � � � , � � � � � ! , � ' � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � ) � + � � � � � � � � � � � $ � � � � � � � � � � � � � � � � � � � � � � � � � � � + � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � '� � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � �q N O O S n P R o R P R T n O W N O S Q U T U P U ` N O R V W Y O T Q R N ` O K� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 4 � � � � � � � � � � � � & ( " � ( � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � *s | u t w y } ~ t w � � � � � � � � h + f � � � � � * � � � % & � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � � � � � � � � 4 � � � � | w x t t w ~ x t ~ | w | y ~ � � � $ � � � � � � � � � � � � � � � � � 4 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � t w w t | } s � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � �� * � � � � � � � � � � � � � � ' � � � � � & b e ' q N ] p V Y N W N O n P Y Q R T n W N O S Q U T U P U ` N O R V W Y O T Q R N ` O( � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � *•

( � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �•

( � � � � � � � � � � � � � � � � � �•

� � % & b , b � � � � � � � � � � � % & � � � � � � � � � � � � � � � � � � � � � � � 4 � � � � � � � � � � � �� 4 � � � � � � � � � � � �•

( � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �•

( � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �10

q N P [ P ` N W N R N W N O Z ^ a K, � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � *•

� � � � � � � � � � � � � % & � � � � � � � � � � � � � � � � � � � � � � � � f � � h � � �•

� � % & � � � � � � � � � � � � � � * � � � � � � � � � � � � � � � � � � � � � � " � � � � � � ' � � � � � +� � � � " � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � q N O P U V T Q p R V T N O W X U Q p V R O p T R U V W N O Z ^ a K� � � � � � � � � � % & � � � � � � � � � � � � h k � " h k ' j d 3 � � � � � � � � � � � � � � � 4 � � � � � � � � � � + � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � 2 � � � � 4 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� 4 � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 4 � � � � � � � � � � � � � � � � � � � � � � � � # 3 � � �( � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � �� ' � � � � � � � # 3 � � � � � � � � � � � � � % & b , b ' � $ � � � � � � � � � � � � � � � � � � '� � � � / � � � � � � � � � � � � � � � � � � � � � � � � V R Q U V V N ] N V T W R O T Q R Y n N T ] Y ` T R O R T N O Y Q W N ` p Q N O U V N O n U Q p S R Y N O 2 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � +� � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� - � � � � � � � � � � � � � � �q N O P U V T Q p R V T N O W X N V R Q U V V N ] N V T W N O Z ^ a K� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % & � � � � � � � � # � � � � � � � � � � � � � � � � � �� ) � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � , � � � � � � � � � * � � � � � � � � � � � � � � 4 � � ' � � � � � � � � ' � � � � � � � � � � � � � � � � � � � ' � � � � � � � +� � � � � � � � � � � � � � � � � � � & ! 7 � �

11

E A G > ? < ; > G @ < D ¡ I ; H ; ¢ £ @ D > ¤ C ; ¥ @ H G < D > ? ; C ¦ § £ G > F G £ ? C ; ? D E < ¨ B © ? D G ; C C ; < £ @ D H ; < C ? I ? D ; < ª« K L q N O P U V T Q p R V T N O W N T N ] S O¬ N ] S O W N Q n S U V O N� � � 3 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � / � � � � � � � 3 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �& � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % & � �( � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � + � � � � � � � � � � � � ' � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � *•

� � � � � � � � � � � � � � � �•

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �•

� � � � � � � � � � � � � � � � � � � � � � � � � � � �•

� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �M n T N Q ] R V R O ] N K� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � / � � � & � � � � � � �� " � � � � � � � �� % & � � P T R U V ® ¯ n p P T R U V K� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � �� ! � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� $ � � , � � � � � � � � � � � � � � � � � " � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � " � � � � � � � � �« K J q N O P U V T Q p R V T N O W N Q N O O U Y Q P N O� � � � � � � � � � � � � � � � � � � � � � � � � � 3 # � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � + � � � � � � � � � � � � � � � � � � 3 � � � � � � � ° � � � � � � � � � � � � � � � � � � � � � � % $ � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � i � , % " i � � � � � � � � � � � � � , � � � � � � � % $ � � � � � ' � $ � � � � � � �� $ � � & � � � � ) � � � b � � � � � � � � � ± � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � '� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �12

« K « q N O O S n P R o R P R T n O W N O S Q U T U P U ` N O R V W Y O T Q R N ` O¬ Q p ] N O P U Y Q T N O� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 4 � � � � � � � � ' � � � � � � � � � � � � � �� 4 � � � � � � ( � & ' � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � �� $ � � � � � � � � � 4 � � � � � ² 7 � � � � � � � � � � � � � � � � � � � � � � ( � � � � � � � ' � $ � � � � +� � � � � � � f ' h � f � � � 4 � � � � � � � � � � � � � � � � � � � � �& � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � +� � � � � � � � � � �³ p O W N T Q p V O p P T R U V ® O N O O R U V K& � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � " � � � � � � � � � � � & � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 3 � � � � � � � � � � � � � � � � � � � �� , � � � � � � � � � � � � � � � � � � � � � ' � � � $ � � � � � � � � $ � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 4 � � � � � � � � � � � � � �� ( � � � � � � � ' � � � � � � � � � � � � � � � $ � � � � � � � � � � � � � � � � � � � � �q N O S Q U T U P U ` N O V U V ¬ ^ ³ ® a ³ K! � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � " � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � & ( " � ( ' � � � � � � � � � � � � � �2 , ( " � & ( � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ° � � � ! � � � � � � � ' � � � ° � � � � � � � � � � � � � 7 � � � � ´ ' & � � � � � � ' 0 � e � � ' � � � 4 � � � � � � � � � � � � � � � � � � � � � �� 7 � � � � + l � 2 ' g � � ' ( � � � � � � ' g � � � 0 � � � � � � � � � � � � � � � � � � � � � � � � � � ± � � � � b � � � � � � � � � � � � � � � � ' � � � � 3 � � � � � � � � � � � � � � � � � � � � µ � � � � � ' � � ± ( b e �& � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � �� ( ' � � � � � � � � � � � � � # � � % � � � � � � 3 � � � � � �« K ¶ q N P [ P ` N W N R N W N O Z ^ a� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � ' � � � � � � � � � � � � ' � � � � � � � � � � � �� - � � � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � ) � � � � � � � � � � � � � � � �� f � h � � � ' � � � � � � � � � � � � � � � � � � � � � � � 4 � � � �� $ � � � + � � � � � � � � � � � � � � � � � � h � � � ' � � �� ! � � � � � � ' # � � � � � � � � � � � � � � � � � � / � � $ � h � � � ·¸ � � � � � � � � � � � � � � � � � + � ·13

b � � � � � � � � ' � � � � � � + � + � � � � � h � � � ·¸ � � � � � � � � � � � � � � � � � � � � � � ·¸ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ·% � � � � � � � � � � � � ·, � � � 4 � � � � 6 � � ' � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � �� # � � � � � � � � � � � � � � � � � � � � � � � �� ' � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � +� � � � � � � � � � � � � � h � � � �, � � � ' � � � � � / � � � � � � � % � � � � � � � � 6 � � � � � � # 3 � � � � � � � � � h � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �« K ¹ q N O P U V T Q p R V T N O W X U Q p V R O p T R U V W N O Z ^ a ` p W R O S U V R R ` R T n� � � � � � � � � � � � � � � � $ � � � � � � � � � � � � � � � � � ' � � � � � $ � � � $ � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � 8 � � � � � � � � � � �! � � � � 8 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 8 � � � � � � � � � � � � � � � ( � & �� 4 � � � � � � � � � � � � � � � � ) � � ' � � � � � � � � � � � � �� 8 � � � � � � � � � ' � � � � � � � � � � � � � � � � � � " � � � � � � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � " � � � � � � � � � �, 8 � � � � � � � � ' � � � � � 8 � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 7 � � � ' � � � � � � � � � � � � � � � � ' � � � � +� � � � � � � � � � � 4 � � � � � � 4 � � � �& � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 8 � � � � � � � � � � � � � � � � � � � # � � � � � +� � � � � � � � � � � � � � � � � 4 � � ·« K º q N O P U V T Q p R V T N O W X N V R Q U V V N ] N V T W N O Z ^ a K� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � � � � � 4 � � � � � � � � � � � � � � ' � � � � � � � � ' � � � � � � � � � � � � � � � � � '� � � � � � � � � � � � � � � � � � � � � � � � � � � � �( � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � ) � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � 8 � � �� 8 � � � � � � � � � � � � � � � � � � � � � � � �� 8 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ° � � � �� & � � � � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � - � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �14

» ¢ £ @ A C G < ? £ @� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � / � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � �� # � � � � � � � � � ¼ � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � " � � � � � � � � � 6 � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �� 4 � � � � � � � � � � � � � � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � % & � � � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �& � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � 8 � & % � � � � � � � � � � � + � � � � � � � � � � � � � � � � � ! � � � � � � � � � � � � � $ � � � � � � � � � � � � � � � � � � � ' � � � �� 4 � � � � � � � ' � � � � � 4 � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � ( � � � � � � � � �� ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � ' � � � � � � � +� � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � �½ ¾ C £ < < B ? > ;� � * � � � � � � � � � � � � � � � � � � � � � � � �� * � � � � � � � � � � � � � � � � � $ ' � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � � $ � � � � � �� ( � & * � ( � � � � � � � � � � � � � � & � � � � � � � � * b � � � � � � � � � � � � � � � � � � �� ! , * � � � � � � � � � ! � � � � � � , � � � ' ! � � � � � � � � ! � � � � � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � $ � � � � � � � � � � � � � �i 7 � " � i 7 * � � � � � � � � i � � � � 7 � � � � �% & b , b * % � � � � � � � $ & � � � � � b � � , � � � b � � � � � � � � ' � � � � � � � � � � � � � +� � � � � � � � � � � � � � � � � � % � � � � � � � � � � � � � � � � , % * � � � � � � � � , � � � � � � � % $ � � � � ' % $ � � � � � � � � � � � � � � � � � � � � � � � � �•

e � , % * e � � / � � � � � � � � � � , � � � � � � � % $ � � � � ' % $ � � � � � � � � � � � � � � �� •

i � , % * i � � � � � � � � � � � � � , � � � � � � � % $ � � � � ' % $ � � � � � � � � � � � � � � � � � � � � � � � � �� ( % * � � � � � � � � ( � � � � � � � � % $ � � � � ' ' % $ � � � � � � � � � � � � � � � � � � � � � � � � � �± � � � � � � � � � � * & � � � � ) � � � � � � � � � � � � � � � � � � � � � � � � # � � � � � � � � � � � � � � � � � � � � � �� ¿ � � � � � � � � � � � � � ' � � � � � � � � � � � � � � � � � � � � � � �15

adfa, p. 1, 2011. © Springer-Verlag Berlin Heidelberg 2011

Cyber Security of Industrial Control System

Why ICS specificity lead to Cyber Security Challenge?

Jean-Michel Brun –Cyber Security Senior Architect - Schneider Electric Laurent Platel - Cyber Security Architect- Schneider Electric

Fabrice Tea –Cyber Security Services Business Developer - Schneider Electric

[email protected]

Abstract : Industrial systems (usually named Operational Technology system) and specially the Industrial Control System (ICS) always focused the robustness (availability, safety…) and performances to any other considerations. These choices have forged an environment where IT security systems are sometimes inadequate and their basic principle missing from the current industrial architec-ture. This document outlines the specifics of industrial architecture to show inconsis-tencies with security solutions of standard IT.

Keywords: determinism, response time, availability, life cycle, industrial pro-tocol,

1 The context of industrial control systems

Cyber security is no longer a secondary requirement in the world of contemporary industrial control.

The industrial control systems (ICS) based on computer technology and industrial grade network are in use for decades. The first control system architectures were de-veloped with proprietary technologies and were isolated from the outside world. Of-ten physical perimeter security was deemed adequate and cyber security was not a primary concern.

Today, many control systems use common or open and standardized technologies such as the Microsoft™ Windows ©, IP network technology Ethernet TCP / IP and Web technology systems to reduce costs and improve performances. Many architec-tures also use some direct communications between the industrial control systems and the business management systems to improve operational efficiency and profitability of production assets.

This technical evolution exposes the industrial control systems to threats that target IT applications and office corporate network. Upon these threats inherited of the IT world technologies, Stuxnet and its derivatives add a specific threat and very ad-vanced threat like APT (Advanced Persistent Threat) dedicated to industrial control systems. ICS are now vulnerable to "internal" attacks (attacks specifically targeting technology OT) and "external" (attacks propagated by IT technology).

16

The success of the Ethernet / Internet connectivity can also lead to "override" of the basic safety rules and focus on ease of maintenance (for example) by directly connecting the ICS systems on the Internet. Also they were previously using specia-lized monitoring and remote maintenance connection and therefore security risks much lower.

The security of industrial systems therefore goes through a thorough understanding of these characteristics and the constraints. Among the security challenges in the world of industrial control include:

Multiple logical and physical boundaries: an industrial control system is composed of very different devices on different network technology and different capacities, carrying a variety of protocols.

Architectures with multiple sites over large geographical areas. The adverse effects of the implementation of the security on the process availabili-

ty. The opening to the Web of the company‟s networks (mobile computing, BYOD,

social networks), which increases exposure to viruses and worms which could mi-grate from information network to monitoring network.

The increasing exposure to malware by the increased use of portable drives (USB key or disk), laptops (technical service provider) and wireless networks.

The direct impact of the control systems on the physical and mechanical systems, which can induce risks to safety (injury or death).

The implementation of a firewall has never been sufficient to ensure the safety of industrial installations. With a “defense in depth” approach, companies must be vigi-lant in choosing the measures to secure these facilities: a cyber attack can cause a loss of production, damage the image of the company, an ecological disaster in the worst case, loss of life. On this approach, industrial control should draw lessons from the IT world. But, as we will intend to demonstrate in this document, cyber security solu-tions that have been standardized for IT world may not fit into OT world, and special-ly the Industrial Control Systems.

17

2 Industrial devices main characteristics

2.1 Industrial Control Systems description

ISA95 intends to provide a model of a company including management and opera-tional functions. The model defines several layers, layers dedicated to different func-tions and with different constraints.

Level 1 or field level is dedicated to sense and manipulate the production process. Level 2 or Process level, is dedicated to monitor and control the production

process, i.e. these equipments drive the level 1 devices. Level 2 includes: SCADA (Supervisory Control And Data Acquisition) that displays the

process status within a graphic interface, manages alerts, log data and allows an operator to drive the process

HMI (Human Machine Interface) that displays the process status and alerts within a graphic interface, and allows an operator to drive the process

PLC (Programmable Logic Controller), automated control of the process. It receives input from level 1 devices, from HMI or from SCADA and process the information to drive the outputs

18

Level 3 or Plant level, is dedicated to manage, optimize and dispatch the produc-tion according to workflow, recipes usually using an MES (Manufacturing Execution System).

Level 4 or Enterprise level is dedicated to plan the production according to customer‟s orders

to manage material orders and delivery

to manage other logistic issues

Remark: ISA 95 is an international standard for developing an automated interface between enterprise and control systems. It is used in this document to illustrate the different layers of Industrial Control applications& devices. ISA 95 is not relevant to describe other systems like Smart Grid or electrical systems, but there can be some similarities.

2.2 Specificities and constraints of an Industrial Control Systems

This chapter objective is to describe the diverse specificities and constraints of OT and especially of ICS that can be a challenge to standard IT security solutions.

Time constraint. The industrial process is managed in real time, the reaction to a process event must

be immediate (less than 1 millisecond). Thus, the cycle time and response time are essential for maintaining the productivity rate or the functional safety (not to be con-fused with cyber security).

PLC Cyclic time The PLC Cyclic time is the repetition frequency of the program, linked to the pace

of scan I/O system. It‟s the execution time of the application, looping back on itself to

infinity, with an average value between 5ms and 100ms according the process. The ICS devices have a control mechanism for this timing: the watchdog.

Response Time The devices have to answer to request in a limited time. The response time is high-

ly critical and can be extremely tight (e.g 1ms to send/receive a “Goose” alert in the IEC61850 standard for electric sub-station).

Determinism The duration of the action / application must be predictable and stable over time.

19

Action/reaction The network traffic volume increases sharply when the system is preparing to

change state (maintenance, emergency stop, restart, calibration). This modification should not degrade the performance of the system.

Resource constraints. Industrial devices, such as the controller (PLC) or Intelligent Electronic Device

(IED) for protection and control command of electrical systems (stations or electrical substations, etc.), are subject to resource constraints (CPU limited capacity, low sto-rage capacity and memory, UPS ...).

Industrial protocol specificities. The existing Industrial protocols (even based on TCP/IP) generally have the fol-

lowings characteristics:

Short Frames Frames size is between 200 and 1000 bytes. If the ICS need to exchange a “big”

quantity of data, the system will generate several requests.

No transaction management The system will generate several independent requests.

Non-TCP/IP network The final part of the network that serves the sensors and actuators is using fieldbus

based on dedicated technologies: network serial bus, CAN network...

The lack of security of Industrial Protocols For some existing industrial protocol, there is a lack of security features:

No Session management or proprietary solution No Authentication The SCADA or any ICS client(HMI, etc) can generate a lot of request in parallel

(and for the same device)

ICS life cycle. Two main constraints that govern life cycle:

The life cycle of an ICS is usually between 10 to 20 years The ICS is evolving frequently : replacement of device, extension/modification of

manufacturing lines, etc

20

ICS organizational constraints Most part of ICS runs 24h/day, 365 days / year. Any „STOP‟ has implications for

the production, so the income of the company. A monthly stop for a patch installation (e.g. on the first Tuesday of the month) is not acceptable.

Any failure (hardware or software) must be solved in a short time. Most of the time, it‟s “repair and restart”, it is out of question to 'benefit' of the stop to update

anything. To avoid such failures, or to minimize the risk of failures, unplanned application

changes, updates (antivirus, operating system ...) are rarely accepted.

Distributed environment and multi-site over large geographical areas Water distribution architecture with pumping, water treatment, waste water treat-

ment will manage different installation spread all over a city area, or over a complete county in case of metropolitan.

ICS environment constraints Devices running in industries face different environments far from controlled and

regulated atmosphere of a IT data center: extreme temperatures, pressure, explosive atmospheres, ElectroMagnetic Compatibility…

21

3 To Secure an Industrial Control System: Why the standard security solutions show their limitations?

3.1 Time constraints

Response time Integrating of a communication filter solution such as firewall may add latency in

the communication traffic. This delay may be incompatible with required tight response time of the ICS. Thus, to select a filtering device and to define its location within the ICS architec-

ture, it is critical to consider: Communication traffic flows

Required response time of each device

Frame sizes of communication

Specifications of filtering device.

Determinism Irregularities in the trading volume and the systematic filtering of the flow (eg

firewall) can generate network congestion (and firewall overload). This is not compat-ible with the requirement of determinism in actions / reactions.

Action/Reaction The response time should not increase during traffic bursts (crisis or preparing a

new state). This requires that the 'time' dedicated to safety is not proportional to the traffic. And no part of the traffic could disappear after a decision of the monitoring equipment (cyber-security equipment like Intrusion Detection / Prevention System).

3.2 Resources constraints

The memory and the processor are already used by the industrial process. It is diffi-cult to envisage adding a task computer for security (detection system or intrusion Machine HIDS / Hosted Intrusion Detection System), type system Application Con-trol and Whitelisting ...) in these devices, because resources are not available.

22

3.3 Industrial protocol specificities

Short Frames Industrial protocols are based on very simple exchanges on limited data size. The

exchanges prefer short queries, but several requests. The first idea is to facilitate the management of a request by the PLC to ensure a good response time.

There are no queries in XML or structured responses. By cons there are often 10, 20 or 100 queries issued simultaneously.

It is a real burden for any safety equipment, responsible for filtering the traffic.

No transaction/session Some industrial protocols do not have session management / transaction. This

makes them particularly vulnerable to replay the attacks. So there is no way to define a trust for some frames over their place in an identified

transaction. All frames must be inspected in depth (but a stateless mode filtering sys-tem is enough).

Non-TCP/IP protocols At the bottom part of the networks, field buses used to connect sensors / actuators

to PLCs are not based on TCP / IP, or even UDP / TCP. They can use specific map-pings of Ethernet cables, special cables (+ Modbus, CANopen, BACnet,), the serial lines (Modbus-RTU, FIP, Profibus, Fieldbus) or even use powerline (LonWorks). And now we can also find some radio solutions (Zigbee, 6LoWPAN).

These protocols are out of range of a monitoring tool based on IP, and yet it is here that Stuxnet was playing.

3.4 ICS life-cycle

Industrial facilities (steel, chemicals, automotive) and infrastructure (roads, power lines and water management) have lifetimes of several decades. Control systems of these facilities are installed for 10 or 20 years, with very few and short windows of maintenance.

The cyber security tools must be usable on this for 20 years, and this is a big prob-lem.

What was a firewall 20 years ago? What did it check? Conversely, what will it do in 20 years? What rules will apply? What level of complexity is necessary to evaluate these rules? Which protocols? Similarly, the production line tends to have more action (quality measurement,

management of different versions of the manufactured product, different packaging) and have more and more equipments.

23

The lifetime of industrial facilities combined with the evolution of the production system makes it very difficult to determine the capacity required for network equip-ment in the next 20 years.

In addition, a firewall, whose OS has not been updated for 20 years, is probably much less effective.

3.5 ICS organizational constraints: Availability

System availability is essential; it is synonymous with safety (for people) and cash-flow for the company.

In case of special events such as a PLC status change (PLC) or a specific operation (which may be a crisis under control) that generate increases communication with specific exchanges (exchange revenue of the application, Hot standby / backup ...) the system must remain operational with different levels of availability and / or safety.

On the other hand, in case of attack, the communication traffic may also increase with abnormal or "strange" trade. But in this situation, this communication must be stopped.

How to detect and differentiate these two use cases as the response to is not at all the same?

3.6 ICS Environnement constraints.

The devices dedicated to “IT Cyber-security” are rarely provided for dirty envi-ronments (dust, humidity) or extreme environments (low/high temperature, pressure, explosive atmosphere, electromagnetic interference ...)

To address these constraints, control equipment and communication equipment are installed in a single cabinet, to which access is not specifically limited.

It is therefore difficult to apply the usual rules of "separation of duties" and "least privilege" in these facilities.

These devices are then found both too accessible (too many people can open these cabinets) and not enough accessible (cabinets are distributed throughout the installa-tion, you must actually travel through the site to perform industrial maintenance or troubleshooting).

24

4 Conclusion

The security solutions in the IT field have grown steadily since the early '80s fire-walls. The developments followed the evolution of uses, especially the explosion of the Internet and these applications.

Cyber-security in industrial area has a lot to learn, but apply the products / solu-tions designed for another area can directly affect the production system instead of improving security.

Technical security solutions need to be re-design and adapted to effectively fulfill their mission of safety while leaving the ICS to do its obligations of performance and availability.

These solutions must take into account the characteristics of the ICS that we men-tioned above. They should be based on these characteristics, which can be good pil-lars of security, for example the great regularity of exchanges during periods of no-minal output, can easily afford to detect unwanted communications.

5 Glossary

IT: Information Technology OT: Operational Technology PLC : Programmable Logic Controller IED: Intelligent Electronic Device HMI: Human Machine Interface SCADA: Supervisory Control And Data Acquisition, UPS : Uninterruptible Power Supply IDS : Intrusion Detection System, NIDS: Network Intrusion Detection System HIDS: Hosted Intrusion Detection System IPS: Intrusion Prevention System Whitelisting software: Software application that allows to start and run the authentified

process (white list), blocking all other processes.

25

! " # $ % & # ' ( & & %) * $ + , - . / + 0 1 / + 2 . 3 / + 2 , - 4 / , ! / 2 5 / + . ' ( & &

6 7 8 9 : ; < = > > 7 : ? ? @ A B C D E F G H C IJ K 7 L M 7 9 : K N O : > > K 8 A B C D P Q R D B I6 S : ? : T T K J K 7 L L : L A B C D P F G H C IU V W X Y Z [ X \ ] ^ _ ` a b c ` d ` a b e f g g h e i ` j k i l a ` h k j ` b i h g a m f i b j n l c ` o b i e o e b l p i h g q h e a rs t u v w x x u v y v x w z { x x { t | } ~ { x t x y u | ¡ x ¢ t v { £ { | y v { x ¤ t z y z w { x { ¢ x y x w ¥ v ¢ u x ¤ v u ¤ { w ¢ ¦ u y x ¤ t z ¢ t v ¦ u y x x u v ¥ y | u y | § ¨ © ¨ ¢ y ¥ { v u x ª u « | y ¬ | y y } ¢ w ¤ t | | w { x x w | ¤ y y ¢ y « { x y | ¤ y ® ¯ ° ± ² | x x y x t x y x ¢ y ¤ v { ¦ u y x t x u | ¤ t | v ³ ¢ y ¤ t z z w | y | u z v { ¦ u y ¬ ´ y ¥ { v u x y x µ v t u ¥ w { w x z w { x w u v y x ¥ { v u x ¶ ¶ ° ± ² · ¸ ® ¹ ° ± ² { x t x y u | y y u { ® ¹ ¯ º » ¼ ½ ¾ Y ¿ W À Á Â Â ¯ Â Â Â Â ® Ã Ä Å Ä Â Æ Â ¸ Ç È É Ê Ë Ì Í Î Ï Î Ð Ñ Í Ò Ì Ó Ô Õ Ö Ò Ì Ë Ï × Ð Ë Ë Ð Ñ Í Ì Î Ò Ì Ë Ì Ë Ì Í Ø Ì Ù ÚB C D Û > O ; : Ü 8 Ü 7 L O L @ Ý K Þ ß à 9 O ß T K D F á Û K > 8 ? K à K > 8 : O L L 7 : 9 K Þ ß 9 Ü > K 7 ß â 9 7 L ã 7 : > Þ K 8 9 7 L > Pä å æ ç è é ê ë ì í ç æ î í î ç ê ï ð ñ ò ç ì ì ç ç æ ó ô ð ñ ò ç ì ç ì õ ô î å õ ö ÷ õ ç æ ì ä æ î ô ì è ì ô ì æ ø î í ì ä ò ù ë î í ì ç ú ä ê æ 7 Pç ì ò æ è é û ü ä å æ ç ñ õ í ì ý : 8 7 ? K Û : ? 7 T O ß 9 Ý : > > : O L ? þ K ÿ T ? O : 8 7 8 : O L Û ? 7 Ý 7 : L 8 K L 7 L ; K K 8 ? K Þ Ü K P? O T T K Ý K L 8 Þ ß 9 Ü > K 7 ß S 7 ß 8 K K 8 8 9 ! > S 7 ß 8 K 8 K L > : O L " H ? K > 8 à 7 9 7 L 8 Þ ß # O L â O L ; 8 : O L L K Ý K L 8K 8 Þ K ? 7 > $ 9 K 8 Ü Þ ß > @ > 8 ! Ý K Ü ? K ; 8 9 : % ß K "B C D K : ? ? K & ? 7 % ß 7 ? : 8 Ü Þ K > K > : L â 9 7 > 8 9 ß ; 8 ß 9 K > K 8 & ß L K à K > 8 : O L O T 8 : Ý 7 ? K Þ K > â ? ß ÿè é ê ë ì í ç æ î í î ç ê ô ò æ ë ì æ ê ô ì ñ ò ì ç í å õ ç æ î ù ò ì ' ä ñ æ ô ñ ü î ô ô î å õ ü ( ü ì ' ï ë ñ ü î ô ì ì õ ) ò ø æ ì è ì ë ñ8 9 7 L > : 8 : O L Ü L K 9 à Ü 8 : % ß K "B C D 7 ; S K Ý : L K ? þ Ü ? K ; 8 9 : ; : 8 Ü K L 8 9 K ? K > â O ß 9 L : > > K ß 9 > A â 9 7 L ã 7 : > K 8 K ß 9 O T Ü K L > I K 8 > K > ; ? : K L 8 > Û% ß : T K ß K L 8 * 8 9 K Þ K > Þ : > 8 9 : # ß 8 K ß 9 > O ß Þ K > : L Þ ß > 8 9 : K ? > Þ : 9 K ; 8 K Ý K L 8 9 7 ; ; O 9 Þ Ü > 7 ß 9 Ü > K 7 ßÞ K 8 9 7 L > T O 9 8 "= K ; + , , , , , < Ý Þ K ? : à L K > Þ K 8 K L > : O L > ; O Ý T 9 : > K > K L 8 9 K - . , , , K 8 / , , , , , O ? 8 > K 8/ - ? : à L K > 8 9 7 L > â 9 O L 8 7 ? : ! 9 K > A 7 T T K ? Ü K > 0 : L 8 K 9 ; O L L K ÿ : O L > 0 I Û ? K 9 Ü > K 7 ß à Ü 9 Ü T 7 9 B C D K > 8 ? KT ? ß > : Ý T O 9 8 7 L 8 Þ þ D ß 9 O T K "B C D 7 9 Ü 7 ? : > Ü ß L ; S : â â 9 K Þ þ 7 â â 7 : 9 K > Þ K / 1 2 3 4 5 ì õ 2 6 7 2 ì ç ì ü ä ë å î ì 8 / , , > 7 ? 7 9 : Ü > "26

! " # $ % & ' ( ' ) * & + , - . / 0 1 2 ! " # & $ * " 3 ( ' ) * & + % 4 5 6% 7 8 9 : ; < = > : = ? 9 > @ ? & ' A = B C > @ 7 D E ( F 9 C 8 = < F E ) & D * @ > + , G > A = F 9 - 8 E < A H > > E I . J K L M /· 0 L & D @ 7 > E = 9 > N 9 < A > > A = ? E < E = 9 8 E > = 8 ? 1 ? > O A F E = : F E E > : = H A O > A N F A = > A @ > = 9 8 P 8 < O = > Q R= < 8 < 9 > A @ > A 8 - > E = A @ > O 7 > E = 9 > N 9 < A > S O > A 8 N N O < : 8 = < F E A @ > - > A = < F E > = = > : ; E < 1 ? > M T J Q M= > C N A 9 H > O @ > + , G > = O > 9 H A > 8 ? < E = > 9 E > = N F ? 9 8 A A ? 9 > 9 O > A H : ; 8 E - > A 8 P > : O 7 > 2 = > 9 E > U· 0 L V W X L Y Z M Q [ L \ ] J Y Z Q L K ^ \ L M M _ M X ` Y L M ^ L ] J K X Q 3 \ L ] J Y Y a K ^ L ^ L M ^ b M Z a X ] T b K c M L X^ L M Z J M X L M [ \ L ] X Q b d e L M U W \ L M X ] J K K L ] X [ f e K Q [ M L a e ^ L X [ \ [ ] J Y Y e K b ] a X b J K M d e b a M RM e Q L \ L M [ ] T a K c L M a g L ] \ L M 4 L M X b J K K a b Q L M ^ L h [ M L a e ^ L i Q a K M Z J Q X L e Q J Z [ L K M U5 6 7 j 8 j k l m n o l p q r

s L M ^ L e t M _ M X ` C > A @ 7 < E ( F 9 C 8 = < F E J K X [ X [ ] J K u e M ] J Y Y L [ X a K X M [ Z a Q [ M L X L t Z \ J b X [ M Z a Q@ > A F N H 9 8 = > ? 9 A @ < ( ( H 9 > E = A ) ? E < E ( F - H 9 8 E = > 2 = > 9 E > N F ? 9 O > & D @ 7 > E = 9 > N 9 < A > > = @ > A H 1 ? < N > AQ [ c b J K a \ L M ^ L Y a b K X L K a K ] L ^ L h i v Z J e Q \ L V W X L Y Z M Q [ L \ w 9 ] L M ^ L e t Y J K ^ L M M J K X] J K K L ] X [ M L K X Q L L e t a e X Q a g L Q M ^ L ] J e Z L R x L e U: ! " # $ % & ' ( ' ) * & + , " ; < % + % $ + ) $ = ( ' > ? ) & @ $ y + % $ = * $ ' % $ % ' + % < % , "> * & ' " ; < % A > * 3 3 ( & + %0 L ] J K X Q 3 \ L R ] J Y Y a K ^ L ^ e Q [ M L a e [ \ L ] X Q b d e L L M X J Q c a K b M [ L K d e a X Q L K b g L a e t /· 0 L ^ b M Z a X ] T b K c K a X b J K a \ a Z J e Q Y b M M b J K ^ > - H 9 > 9 O > 9 H A > 8 ? B z z C D S O 7 H 1 ? < O < { 9 > > E = 9 >O 7 F ( ( 9 > > = O 8 @ > C 8 E @ > @ 7 H O > : = 9 < : < = H > = O > A H : ; 8 E - > A @ 7 H E > 9 - < > 8 P > : O > A N 8 ' A P F < A < E A |· 0 L M E ^ b M Z a X ] T b K c M J e s L K X Q L M ^ L ] J K ^ e b X L Q [ c b J K a e t J K X Z J e Q Y b M M b J K ^ L c [ Q L Q \ L MQ [ M L a e t ^ L K b g

c&esar 2013...c&esar 2013 : sécurité des systèmes numériques industriels nous voici arrivés à...

Documents