SCADA Security @ City of Raleigh Martin Petherbridge, CPA, CIA Internal Audit Manager Shirley McFadden, CPA, CIA Senior Internal Auditor

Post on 08-May-2018


Page 1

SCADA Security @ City of Raleigh

Martin Petherbridge, CPA, CIA – Internal Audit Manager

Shirley McFadden, CPA, CIA – Senior Internal Auditor

Page 2

Agenda

1. PLCs, SCADA and Stuxnet

2. Selecting Audit Standards

3. Audit Scope

4. Audit Report & Follow Up

Page 3

Siemens PLC

PLC – Programmable Logic Controller

Computer that receives analog and digital inputs and outputs. Designed to withstand:

• Extreme temperatures

• Electrical noise

• Vibration and impact

Page 4

PLCs are Everywhere…

• Heating and air conditioning

• Elevators

• Traffic lights

• Railroad track switches

• Water production, waste water management

• Electricity generation

• Robots on assembly lines

• Ingredients in pharmaceutical manufacturing

• Temperatures in food production

Page 5

SCADA System

SCADA – Supervisory Control And Data Acquisition System

Page 6

SCADA System

Northern Rockies Regional Municipality - Water Treatment Plant

Page 7

STUXNET

What was STUXNET?

• a worm

• designed to sabotage centrifuges

• in the Bushehr nuclear facility in Natanz, Iran

Page 8

Centrifuges

Iranian President Ahmadinejad walking between centrifuges in the Fuel Enrichment Plant in Natanz, Iran

Page 9

STUXNET

How did STUXNET sabotage the centrifuges?

Reprogrammed the PLCs

• Modified the frequency of their power supply, causing the centrifuges to speed up and slow down

• One hour a day, once a month

• Man-in-the-middle exploit – sent back normalized data to avoid identification
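Added example, not from the presentation: plausibility checks a defender can run on the process values a PLC reports to the HMI, showing why falsified feedback of the kind described on this slide is exposed by an independent, out-of-band measurement. The data set, the 1064 Hz setpoint, the window size and the tolerances are constructed assumptions.

```python
"""Plausibility checks for PLC-reported process values (added example).

Assumes a constructed data set: the drive frequency (Hz) the PLC reports
to the HMI for one centrifuge, and a reading from an independent sensor
that does not pass through the PLC. "Normalized" feedback from a
compromised controller looks healthy on the HMI but disagrees with any
measurement the attacker does not control, and is usually too smooth.
"""
from statistics import pstdev

# Constructed sample: 12 one-minute readings. The PLC reports a steady
# 1064 Hz with tiny jitter while the independent sensor sees the drive
# swept far above and below its setpoint.
PLC_REPORTED = [1064.0, 1064.1, 1063.9, 1064.0, 1064.1, 1064.0,
                1063.9, 1064.0, 1064.1, 1064.0, 1063.9, 1064.0]
INDEPENDENT = [1064.0, 1064.2, 1063.8, 1200.5, 1380.0, 1410.2,
               1300.7, 1064.0, 700.3, 2.5, 410.9, 1064.1]


def check_divergence(reported, independent, tolerance_hz=20.0):
    """Indices where the two readings disagree by more than the tolerance."""
    return [i for i, (r, m) in enumerate(zip(reported, independent))
            if abs(r - m) > tolerance_hz]


def check_flatline(reported, window=6, min_stdev=0.5):
    """Window start indices where the reported values barely move.

    Real process data carries noise; a stream that stays too smooth for
    too long is a sign of replayed or synthesised values."""
    return [i for i in range(len(reported) - window + 1)
            if pstdev(reported[i:i + window]) < min_stdev]


def evaluate(reported, independent):
    """Combine both checks into alerts an operator can act on."""
    divergent = check_divergence(reported, independent)
    flat = check_flatline(reported)
    alerts = []
    if divergent:
        alerts.append(f"reported/independent disagree at samples {divergent}")
    if flat and divergent:
        alerts.append("reported values are flat while the process is not: "
                      "suspect falsified feedback, verify at the drive")
    return alerts


if __name__ == "__main__":
    for alert in evaluate(PLC_REPORTED, INDEPENDENT):
        print("ALERT:", alert)
```

A steady process whose independent reading agrees with the PLC produces no alert; only the combination of flat reported values and a disagreeing out-of-band sensor does.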

Page 10

STUXNET – Technical

• Infected network via USB flash drive

• Propagated through MS Windows operating systems

• Scanned for Siemens Step7 software controlling PLCs

• At least four zero-day exploits

• Received updates and reported back to servers in Denmark and Malaysia

• STUXNET was marginally successful – slowed Iranian uranium enrichment process by two years, damaged 20% of their centrifuges

Page 11

Stuxnet – A Game Changer

Key Points:

• Very high level of sophistication

• Sabotage is now a hacking objective

• Internet and IT have become weaponized

• The term “cyberwar” enters the public lexicon

• 2013 Presidential order 13636 - corporate assets are now part of national security

Page 12

City of Raleigh - Public Utilities Department

• 500,000 customers (Raleigh, Wake Forest, Garner, Knightdale, Wendell, Zebulon)

• Two Water Treatment Plants

• One Waste Water Treatment Plant

• Over $1.3bn in infrastructure – plants, pumps, pipes, lift stations, water towers

Page 13

Falls of the Neuse Waste Water Treatment Plant

Page 14

E.M. Johnson Water Treatment Plant, Raleigh NC

Page 15

SCADA Security Audit

In 2013 we initiated an audit of SCADA security. Why?

• 2012 - STUXNET story becomes public

• Extensive use of PLCs in water production and waste water management

• PLCs are NOT designed with security in mind

• Minimal understanding of SCADA and PLCs in IT department

• Potentially catastrophic impact if PLCs were compromised

Page 16

http://www.threatgeek.com

Before the Audit…

After the Audit…

Page 17

Agenda

1. PLCs, SCADA and Stuxnet

2. Selecting Audit Standards

3. Audit Scope

4. Audit Report & Follow Up

Page 18

Audit Objective

Is security over the SCADA system adequate?

Page 19

Who Performed the Audit?

Internal Audit or Hire a Specialist?

Why?

• Learning Curve

• Knowledge Transfer

• Control over Report Writing

The Challenge: Finding Someone with SCADA Audit Experience

Page 20

Defining Responsibility for SCADA

Page 21

Defining Responsibility for SCADA

Does Public Utilities Department have IT Staff?

http://heroized.com/hero/cyber-sentry/

Page 22

Audit Subject – Public Utilities SCADA Network Security

http://www.yokogawa.com/us/technical-library/application-notes/scada-cyber-security.htm

City of Raleigh - Central Network

Public Utilities Department – SCADA Network

PLCs at the Treatment Plants

Page 23

Audit Criteria

• ISO 27001 / ISO 27002

• NERC CIP 002 & CIP 003

• Framework for Cybersecurity Policy

• ISA - ANSI/ISA-62443

• NIST 800-53 and NIST SP 800-82

Page 24

Audit Criteria

• NIST - Framework for Improving Critical Infrastructure Cybersecurity

• AWWA: Process Control System Security Guidance for the Water Sector & Cybersecurity Tool

• Executive Order 13636 – Improving Critical Infrastructure Cybersecurity

Page 25

NIST - Framework for Improving Critical Infrastructure Cybersecurity

http://www.complianceforge.com/nist-cybersecurity-framework-compliance-policies-standards

Page 26

http://www.nist.gov/cyberframework/

NIST - Framework for Improving Critical Infrastructure Cybersecurity – Subcategory ID.AM-1

Example row from the Framework Core (columns: Function, Category, Subcategory, Informative References):

Function: PROTECT (PR)

Category: Awareness and Training (PR.AT)

Subcategory: PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities

Informative References:

· CCS CSC 9

· COBIT 5 APO07.03, APO10.04, APO10.05

· ISA 62443-2-1:2009 4.3.2.4.2

· ISO/IEC 27001:2013 A.6.1.1, A.7.2.2

· NIST SP 800-53 Rev. 4 PS-7, SA-9

Page 27

SP 800-53 Rev. 4 Table D-2 (Partial): Security Controls for Access Control (AC)

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Page 28

http://www.complianceforge.com/nist-cybersecurity-framework-compliance-policies-standards

Scope of the Audit

Page 29

Audit Plan/Testing

PS-7 THIRD-PARTY PERSONNEL SECURITY

Control: The organization:

a. Establishes …security roles and responsibilities…

b. Requires third-party providers to comply with personnel security policies and procedures …;

c. Documents personnel security requirements;

d. Requires third-party providers to notify …of any personnel transfers or terminations …; and

e. Monitors provider compliance.

Crosswalk: Preliminary Cybersecurity Framework - Framework Core / AWWA / NIST 800-53 (based on alignment made in the Cybersecurity Framework)

Columns: Functions, Categories, Subcategories, AWWA Guidance Control, Mitigating Control Description

Functions: PR Protect

Categories: AT Awareness and Training

Subcategories: PR-AT-3: Third-party stakeholders (suppliers, customers, partners) understand roles & responsibilities

AWWA Guidance Control: AT-2

Mitigating Control Description (NIST 800-53): PS-7, SA-9

Page 30

Audit Plan/Testing

Logical Security

• Monitoring Event Logs

• Anti-virus and/or Anti-malware

Network Security

• Remote Access

• Network Connections

Physical Security

• PLCs

• SCADA Servers & Workstations

Page 31

Audit Plan/Testing

Governance:

• Policies and procedures

• Training requirements

• Documented roles and responsibilities

• Periodic and documented risk assessments (i.e. monitoring firewalls, establishment of an insider threat program, and vulnerability scans)

Traditional Areas:

• Inventory

• Event Logs and Monitoring

• Security Alerts and follow up process

• Firewall configurations

• Change controls

• UPS (Uninterruptible Power Supply)

• USB ports

Page 32

Audit Report

• Table Presentation for Technical Findings:

Finding Number | Cybersecurity Framework Sub-Category | Finding | Risk | Risk Rating | Recommended Corrective Actions

• Report was written for non-technical audience

Page 33

Audit Report

• All findings were aligned with a corresponding AWWA Cybersecurity Guidance

• Communicated the Report to IT Department, not just Public Utilities

Page 34

Current Status

• Collaboration with Central IT

• Several of the Technical Findings Corrected
