Come see what's cooking in my lab: Why you need a lab and how to get one

Chris Sistrunk, PE, Sr. Engineer, Entergy – Jackson, MS

8th Security Summit, Portland, Oregon / 9th Security Summit, Denver, Colorado

Upload: energysec

Post on 08-May-2015


DESCRIPTION

Presented by: Chris Sistrunk, Entergy

Abstract: IT folks have been doing it for years – building labs to test new products before rolling them out – but the concept is still rather revolutionary to most practitioners of SCADA security. Yet the benefits of a lab are many, including training staff and solving real-world problems by replicating and attacking them in the relatively low-risk lab environment. But how do you pitch this (not inexpensive) idea in a way that gets organizational buy-in? And if your organization is just too small, what are the factors to consider when using a third-party lab? Hear ideas and ask questions of someone who evolved his organization's capabilities from one small lab to five complete labs.

TRANSCRIPT

Page 1: Come See What’s Cooking in My Lab

8th Security Summit, Portland, Oregon / 9th Security Summit, Denver, Colorado

Come see what's cooking in my lab: Why you need a lab and how to get one

Chris Sistrunk, PE, Sr. Engineer, Entergy – Jackson, MS

Page 2: Come See What’s Cooking in My Lab

Why do we need a lab, Chris?

Page 3: Come See What’s Cooking in My Lab

What happens when you use nmap on an Industrial Control System

http://securityreactions.tumblr.com

Page 4: Come See What’s Cooking in My Lab

Why do we need a lab?

With a lab, you can
• Test relay and RTU settings on a replica of production systems
• Test new firmware before issuing to field
• Perform root-cause analysis
  – Why is this device locking up once a month?
• Try out new equipment from a vendor

Page 5: Come See What’s Cooking in My Lab

Why do we need a lab?

Save time & money by
• Creating standard settings templates
• Find problems before they are widespread (not having to recall units with firmware issues)
• Develop and test equipment pilots in-house rather than hiring a company to do it
• Use lab equipment as emergency spare

 

Page 6: Come See What’s Cooking in My Lab

Why security testing?

• Not all SCADA/relay vendors do negative or security testing at their factories
• Even if they did, they can't test equipment the EXACT way that you use it
• Test your own equipment before hackers or some drive-by malware does it for you
• Use the results to mitigate vulnerabilities

Page 7: Come See What’s Cooking in My Lab

What kinds of testing?

Page 8: Come See What’s Cooking in My Lab

What kinds of testing?

• Factory/Site Acceptance Testing (RTU system)
• Firmware/Software Testing (new or patches)
• Protocol Testing (DNP3, Modbus, etc)
• Protocol Fuzzing (custom or off-the-shelf)
• Penetration Testing (Metasploit, etc)
• Physical security testing (cabinet locks etc)
• DOCUMENT! DOCUMENT! DOCUMENT!

Page 9: Come See What’s Cooking in My Lab

What would be your Stuxnet?

• Be a hardhat hacker
• Think like an attacker who has your prints!
• Build your systems with layers of defense
• If you find a vulnerability, let your vendor know (they might even have a patch)

"To make things work well, you must break them!"

Page 10: Come See What’s Cooking in My Lab

How I Audit SCADA Systems

http://securityreactions.tumblr.com

Page 11: Come See What’s Cooking in My Lab

OK, how do I get a lab?

Page 12: Come See What’s Cooking in My Lab

OK, how do I get a lab?

• Ask your boss! Ask the CIO! Ask Ask Ask!
• If you are the boss, ask your best people what they want in their lab and go buy it!
• Put together a plan or a business case!
  – Add it to NERC/CIP compliance budget (big driver)
• Go get spare equipment and make a rack!
• Start small and add to it.
  – Mine started as 2 relay racks in my cubicle

Page 13: Come See What’s Cooking in My Lab

Some ideas

Page 14: Come See What’s Cooking in My Lab

Still can't afford it?

Page 15: Come See What’s Cooking in My Lab

Can't afford one, don't have the manpower, don't have the expertise?

• 3rd party testing such as Enernex, Digital Bond, Kinectrics, Cimation to name a few
• The US Gov't has the Idaho NL National SCADA Test Bed, Pacific NW NL, & Sandia NL
• Colleges such as Louisiana Tech, Mississippi State, Jackson State have power, SCADA, and security equipment in their labs
• Farm out the testing and work with them to get the results you want & capitalize the test costs

Page 16: Come See What’s Cooking in My Lab

To be the best, you need the best tools!

Page 17: Come See What’s Cooking in My Lab

Entergy THQ Virtual Lab Tour

Page 18: Come See What’s Cooking in My Lab

Transmission HQ Labs

• Transmission HQ moved from NOLA to Jackson
• Business continuity after Hurricane Katrina
• Brand new building in Fall of 2009
• 5 large rooms designated for lab space
  – Relay & SCADA Lab
  – Communications & Security Lab
  – Real-time Power System Simulator Lab
  – Mississippi Grid Lab
  – High Voltage Lab

Page 19: Come See What’s Cooking in My Lab

Relay & SCADA Lab

Page 20: Come See What’s Cooking in My Lab

Relay & SCADA Lab

NO LAB RATS OR CYBERATTACK SQUIRRELS ALLOWED

Page 21: Come See What’s Cooking in My Lab

Relay & SCADA Lab

Page 22: Come See What’s Cooking in My Lab

Relay & SCADA Lab

• Cubicle: 2 racks >> Old Break Room: 7 racks
• New THQ: 15 bolted racks, 10 rolling racks
  – 40+ Protective Relays (7 different standard panels)
  – Digital Fault Recorder
  – 8+ RTUs, 3 Communication Processors
  – Substation Grade LAN & Corp Network
  – GPS Clock (IRIG-B), HMI Screen & Keyboard
  – Toolbox, O-Scope, Multimeter, Cables, Workstations, Chip Burner, Relay & RTU Test Sets, etc

Page 23: Come See What’s Cooking in My Lab

Relay & SCADA Lab

• THE LAB OF MY DREAMS!
• We can replicate almost any substation
• Test new configurations
• Test problematic field configurations
• Test new firmware & software
• Test drive new equipment
• Train relay & RTU technicians and engineers

Page 24: Come See What’s Cooking in My Lab

Communications & Security Lab

Page 25: Come See What’s Cooking in My Lab

Communications & Security Lab

• Substation Hardened Router & Switch
• Radios of different bands and technologies
• Six-sided PSP for simulating CCA sites
• Several field firewalls
• Wurldtech Achilles Fuzzer
  – Test network robustness of devices
  – Fuzzing DNP3, Modbus, & IEC 61850
  – Test new RTU & Relay firmware patches
  – Will network storm affect control outputs?
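The protocol testing and fuzzing the slides list (kinds of testing, and the Achilles work above) come down to one question: does the device validate every field of every frame before acting on it? The following Modbus/TCP request validator is an added example written for this page, not code from the talk or from any named tool; it models the checks a robust device applies to a function 0x03 request, and the sample frames are constructed to show each check firing. The size limits (260-byte ADU, 125 registers per read) are those of the Modbus specification.

```python
"""Modbus/TCP request validator, added as an example (not code from the talk
or any named tool). It models the input checks a robust device must make on
every frame: the MBAP length field, the protocol id, and the function-specific
field ranges. Protocol robustness testing in a lab is largely about sending
frames that violate these rules and watching whether the device keeps scanning
its I/O. All sample frames below are constructed."""
import struct

MBAP_LEN = 7                  # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260                 # MBAP header plus the 253-byte maximum PDU
FC_READ_HOLDING_REGISTERS = 0x03
MAX_REGISTERS_PER_READ = 125  # quantity limit for function 0x03
ADDRESS_SPACE = 0x10000       # 16-bit register addresses


class FrameError(ValueError):
    """Any frame the device should reject (exception response or silent drop)."""


def parse_mbap(frame: bytes) -> dict:
    """Validate the MBAP header and return its fields plus the PDU bytes."""
    if len(frame) < MBAP_LEN + 1:
        raise FrameError("frame shorter than MBAP header plus function code")
    if len(frame) > MAX_ADU:
        raise FrameError("frame longer than the maximum ADU")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise FrameError(f"protocol id {pid} is not Modbus (0)")
    # length counts the unit id and the PDU, so it must equal the bytes after it
    if length != len(frame) - 6:
        raise FrameError(f"length field {length} disagrees with {len(frame) - 6} bytes received")
    return {"tid": tid, "uid": uid, "pdu": frame[MBAP_LEN:]}


def parse_read_holding_registers(pdu: bytes) -> dict:
    """Validate a function 0x03 request PDU: code, fixed size, quantity, address range."""
    if pdu[0] != FC_READ_HOLDING_REGISTERS:
        raise FrameError(f"function 0x{pdu[0]:02x} not handled by this validator")
    if len(pdu) != 5:
        raise FrameError("function 0x03 request must be exactly 5 bytes")
    start, count = struct.unpack(">HH", pdu[1:5])
    if not 1 <= count <= MAX_REGISTERS_PER_READ:
        raise FrameError(f"quantity {count} outside 1..{MAX_REGISTERS_PER_READ}")
    if start + count > ADDRESS_SPACE:
        raise FrameError("register range runs past the end of the address space")
    return {"start": start, "count": count}


def validate(frame: bytes):
    """Return (True, fields) for a frame the device may act on, else (False, reason)."""
    try:
        header = parse_mbap(frame)
        request = parse_read_holding_registers(header["pdu"])
        return True, {**header, **request}
    except FrameError as err:
        return False, str(err)


# Constructed frames: one well-formed request and five malformations of the
# kind a protocol-robustness run generates.
SAMPLE_FRAMES = {
    "well_formed":  bytes.fromhex("0001 0000 0006 01 03 0000 000a"),  # read 10 registers from 0
    "bad_length":   bytes.fromhex("0002 0000 00ff 01 03 0000 000a"),  # length field claims 255 bytes
    "bad_protocol": bytes.fromhex("0003 1234 0006 01 03 0000 000a"),  # protocol id not 0
    "too_many":     bytes.fromhex("0004 0000 0006 01 03 0000 007e"),  # 126 registers requested
    "wraps":        bytes.fromhex("0005 0000 0006 01 03 ffff 0002"),  # 0xffff + 2 overflows
    "truncated":    bytes.fromhex("0006 0000 0003 01 03 00"),         # consistent length, short PDU
}


def run_samples() -> dict:
    """Validate every sample frame; returns name -> (accepted, detail)."""
    return {name: validate(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, (accepted, detail) in run_samples().items():
        print(f"{name:13s} {'ACCEPT' if accepted else 'REJECT'}  {detail}")
```

Each rejection names the check that fired, which is what you want from a lab harness: when a device under test stops responding, the log tells you which class of malformed frame preceded the lock-up, and that is the finding you hand to the vendor.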

 

Page 26: Come See What’s Cooking in My Lab

Communications & Security Lab

• Custom DNP3 Fuzzer
  – Created by Adam Crain to test openDNP3
  – Closed source for now
  – Tests DNP3 *Client* and Server
  – Project Robus – http://Automatak.com/robus
  – Plan to release as open source next year …stay tuned

 

Page 27: Come See What’s Cooking in My Lab

Power Real-Time Simulator Lab

Page 28: Come See What’s Cooking in My Lab

Power Real-Time Simulator Lab

Page 29: Come See What’s Cooking in My Lab

Power Real-Time Simulator Lab

"Hypersim is the only real-time digital simulator with the power to simulate and analyze very large-scale power systems with more than 2000 three-phase buses." – http://www.opal-rt.com

• Simulate different fault scenarios
  – Will the Relay A, B, C have a misoperation?
  – Will relay fault activity affect comm (vice versa)?
• R&D & commissioning tests

Page 30: Come See What’s Cooking in My Lab

Mississippi Grid Lab

Page 31: Come See What’s Cooking in My Lab

Mississippi Grid Lab

• Multipurpose type lab used by Entergy Mississippi T&D Grid Engineers
• Inspecting/repairing equipment
• Pre-test new panels before field installation
• Spare parts inventory

Page 32: Come See What’s Cooking in My Lab

High Voltage Lab

Page 33: Come See What’s Cooking in My Lab

High Voltage Lab

• "The Hi-VARC (High Voltage AC Resistive Current) test set provides rapid, automatic evaluation of MOV arresters and polymer insulators using AC voltages up to 132kV." http://www.jmxservices.com
• Inspection & root cause of failed insulators, HV circuit breaker components, etc

 

Page 34: Come See What’s Cooking in My Lab

Last but not least…

Page 35: Come See What’s Cooking in My Lab

Go make stuff…Go break stuff

Page 36: Come See What’s Cooking in My Lab

A Few Thoughts

SCADA Security isn't easy
• Doing the best we can with what we have: SCADA, Relay, & Security Labs
• Having a lab is so valuable for testing, troubleshooting, breaking & fixing stuff
• Yes I have a fuzzer and I'm not afraid to use it

DNP3/IP Secure Authentication v5
• Please tell your vendors you want NEED it
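Why ask vendors for Secure Authentication v5? Without it, any host that can reach an outstation can issue a control. The block below is an added illustration written for this page, not code from the talk, from IEEE 1815-2012 or from any DNP3 stack: a simplified model of the SAv5 challenge-response pattern, showing the outstation challenging a critical request and the master answering with an HMAC under the shared session key. Object encoding (group 120), key update, aggressive mode and the error-message flow are omitted; the session key, the "operate" ASDU and the 16-byte MAC truncation are constructed or assumed for the demo.

```python
"""Simplified model of the DNP3 Secure Authentication v5 challenge-response
pattern, added as an illustration (not code from the talk, the standard, or
any DNP3 library). Only the authentication logic is shown; message encoding,
key management and error handling are left out. Session key, ASDU bytes and
the MAC length are constructed/assumed."""
import hashlib
import hmac
import os
import struct

MAC_LEN = 16  # assumed: HMAC-SHA-256 truncated to 16 bytes, the SAv5 value for IP links


def compute_mac(key: bytes, csq: int, user: int, nonce: bytes, asdu: bytes) -> bytes:
    """MAC over the challenge fields and the critical ASDU being authorised."""
    msg = struct.pack(">IH", csq, user) + nonce + asdu
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Outstation:
    """Holds the session key, challenges each critical request, verifies the reply."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.csq = 0          # challenge sequence number, incremented per challenge
        self.pending = None   # (csq, user, nonce, asdu) of the unanswered challenge

    def challenge(self, received_asdu: bytes, user: int = 1) -> dict:
        self.csq += 1
        nonce = os.urandom(4)  # fresh challenge data: a captured reply cannot answer a new challenge
        self.pending = (self.csq, user, nonce, received_asdu)
        return {"csq": self.csq, "user": user, "nonce": nonce}

    def verify(self, reply: dict) -> bool:
        """True only if the reply answers the outstanding challenge with the right key."""
        if self.pending is None or reply["csq"] != self.pending[0]:
            return False      # stale, replayed or unsolicited reply
        csq, user, nonce, asdu = self.pending
        self.pending = None   # one reply per challenge
        expected = compute_mac(self.key, csq, user, nonce, asdu)
        return hmac.compare_digest(expected, reply["mac"])


class Master:
    """Answers a challenge by proving knowledge of the session key."""

    def __init__(self, session_key: bytes):
        self.key = session_key

    def respond(self, chal: dict, sent_asdu: bytes) -> dict:
        mac = compute_mac(self.key, chal["csq"], chal["user"], chal["nonce"], sent_asdu)
        return {"csq": chal["csq"], "mac": mac}


def run_exchange() -> dict:
    """Four cases: genuine reply, replayed reply, wrong key, ASDU altered in transit."""
    key = bytes(range(16))  # constructed session key for the demo
    # constructed bytes standing in for an OPERATE request on a control point
    operate = bytes.fromhex("c0 04 0c 01 17 01 02 41 01 00 00 00 00 00 00 00 00")
    outstation, master = Outstation(key), Master(key)
    results = {}

    chal = outstation.challenge(operate)
    reply = master.respond(chal, operate)
    results["genuine"] = outstation.verify(reply)

    outstation.challenge(operate)                  # new challenge: new csq and nonce
    results["replay"] = outstation.verify(reply)   # the earlier reply presented again

    chal = outstation.challenge(operate)
    rogue = Master(b"not the session key")
    results["wrong_key"] = outstation.verify(rogue.respond(chal, operate))

    altered = operate[:-1] + b"\x01"               # last byte changed on the wire
    chal = outstation.challenge(altered)           # outstation MACs what it received ...
    results["tampered"] = outstation.verify(master.respond(chal, operate))  # ... master MACs what it sent
    return results


if __name__ == "__main__":
    for case, accepted in run_exchange().items():
        print(f"{case:10s} {'ACCEPTED' if accepted else 'rejected'}")
```

Only the genuine exchange is accepted; a replayed reply, a reply from a party without the session key, and a request modified in transit all fail, which is the property the slide is asking vendors to ship.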

 

Page 37: Come See What’s Cooking in My Lab

Dream BIG!

Page 38: Come See What’s Cooking in My Lab

Follow @chrissistrunk

[email protected]

Questions?