scada, security & automation scada security: ... • training classes ... powermetrics...
Inside This Issue
• SCADA Security: Challenges & Solutions
• SCADA Basics (Part 2)
• SCADA System at SSWD
• Firetide Wireless Bridges
• Wireless Product of the Year
• Training Classes
Protecting Critical Infrastructure Includes Secure SCADA
Supervisory Control and Data Acquisition (SCADA) systems are typically used for monitoring and controlling geographically remote operations. In relative obscurity, these extensive control systems perform behind-the-scenes, collecting sensor measurements and operational data from the field, processing and displaying this information, and relaying control commands to local or remote equipment. Although SCADA systems are employed around the world in numerous industries, the average citizen is unaware of their critical importance. However, this is quickly changing, as more information about the cyber vulnerabilities of utility SCADA systems is publicly available. There is good reason why SCADA systems are getting the attention of hostile governments and competitors, terrorist groups, disgruntled employees, and other malicious intruders—they offer the huge potential to acquire confidential data and disrupt operations. SCADA systems control some of the most vital infrastructure in industrial and energy sectors, from oil and gas pipelines to nuclear facilities to water treatment plants. Critical infrastructure is defined as the physical and IT assets, networks and services that if disrupted or destroyed would have a serious impact on the health, security, or economic wellbeing of citizens and the efficient functioning of a country’s government.¹ One does not have to look far for examples of disruptions that have cost organizations time, resources, and possibly lives. Added to this is the fact that many SCADA systems are vulnerable. It is therefore imperative that system security and risk mitigation be at the forefront of the minds of all SCADA system users.
The Growing Vulnerability of Control Systems
Historically, security concerns over
Volume 22, Issue 1 • Spring/Summer 2012 A Publication of Sage Designs, Inc.
150 Shoreline Hwy., Suite #8A • Mill Valley, CA 94941-3634 • 1-888-ASK-SAGE (1-888-275-7243) • 1-888-FAX-SAGE • www.SageDesignsInc.com
SCADA, Security & Automation Newsletter
Powermetrics Inc (Cleveland, Ohio) introduces the PM-UPS-12-24-15. This UPS/Power supply operates from 85-264VAC or a 12 volt battery, and provides a regulated 24VDC output and a regulated adjustable 12VDC-15VDC output. In addition, the unit incorporates a temperature compensated two mode battery charger for charging the 12 volt battery. The unit is designed for powering a PLC and radio in RTU applications. The built in Modbus/RTU interface allows a remote host to enable and disable the individual output voltages; and to adjust the 12V-15VDC output to optimize radio operation. In addition, a number of other parameters may be monitored and adjusted remotely. A watchdog timer can be programmed, either through the service port or over the MODBUS interface, which can be used to reset the system if communications is lost for a programmed period of time. The PLC can also send a Modbus instruction to the UPS to disable the internal AC/DC power supply which forces the UPS to battery backup mode for testing purposes. Although the power section of PM-UPS will operate as a stand-alone UPS, it is intended to operate along with a microprocessor subsystem which provides a variety of control and monitoring functions. For applications not requiring remote monitoring and control, the unit can be purchased without the microprocessor board. The microprocessor subsystem communicates with an external PLC using MODBUS protocol over an RS485 interface. In addition a USB service port is provided to allow configuration of the system’s programmable parameters.
Powermetrics Introduces a UPS / Power Supply for SCADA-RTU Applications
SCADA Security: Challenges and Solutions
Most of these parameters can also be set or changed using MODBUS commands through the RS485 interface. The UPS may be interrogated by the remote host to report nine analog and seven digital inputs. Analog inputs include output voltages and currents, battery voltage, battery charge and discharge current, remote battery temperature, and AC voltage. Digital outputs include AC voltage present, battery charger status, DC outputs in range, and whether the unit is AC powered or battery powered. For further information contact Sage Designs.
control systems were limited to physical attacks. SCADA system operators rationalized that if the management consoles were adequately isolated and only authorized personnel had access to the network, the system was intrinsically secure. There was little risk of tampering since few people had technical expertise of the system and the data communication paths remained isolated. SCADA has been hidden behind its cloak of obscurity for the past four decades, with information technology managers convinced that these systems would never be accessed through corporate networks or from remote access points.
The modern SCADA system has evolved significantly. Utility companies recognize the lower costs, easier accessibility, and improved efficiency gained through connecting their TCP/IP networks to their SCADA systems. These next generation systems, integrated with corporate networks and the Internet, face many challenges in their quest to becoming secure. Several factors have contributed to the growing vulnerability of control systems, including:
1. The networking of control systems—Enterprises have increased connectivity through the integration of their control systems and enterprise networks. Breaches in enterprise security can arise if appropriate security controls are not put in place for both networks.
2. Insecure remote connections—Access links such as dial-up modems and wireless communications are used for remote diagnostics, maintenance, and examination of system status. If encryption or authentication mechanisms are not utilized, the integrity of the transmitted
1 Myriam Dunn, “Critical Infrastructures: Vulnerabilities, Threats, Responses”, CSS Analyses in Security Policy, Vol. 2, No. 16, June 2007. Typically, each country has their own definition of Critical Infrastructure. For more information on the 17 U.S. sectors visit http://www.dhs.gov/files/programs/gc_1189168948944.shtm.
Sage advice
SCADA Basics Part 2
Part 2 of a continuing series of articles about SCADA issues where we discuss one of the many communications options that may be a part of a SCADA system. These articles deal with widely distributed SCADA systems rather than in-plant systems where communications issues differ widely from those discussed here.
Communications Options
As anyone in the remote SCADA industry can tell you, communications to your remotes is the most challenging issue facing the end user or systems integrator. In the best of circumstances, any of the available choices can work well, providing a reliable link to field assets for proper monitoring and control of your processes. In the worst cases, they can be a constant source of frustration for technicians and operators alike as they are central to the success of a SCADA system and often the most difficult part to troubleshoot and keep in operation.
Wired Communications
Wired communications may sound like the best choice, but often, this is not the case. There are several options for a wired system which include dial-up modems, leased line modems, digital phone lines, fiber optic cable and direct wire. Of these, owner-installed direct wire or fiber are the only types that probably have no monthly fees. In recent years, the emergence of digital leased-line communication products available from the phone company has greatly improved the reliability of the wired system, while in the past, the only options other than installing your own direct wire were dial-up and leased lines. Dial-up and leased line systems use the same phone lines but differ in that leased lines are continually off-hook and are often bridged in a point to multipoint topology. The modems for leased lines are considerably different from dial-up modems, as the Bell-202 standard is limited to 1200 baud while dial-up can operate at 28,800 (28.8Kbps) to 57,600 (57.6Kbps) and even faster sometimes. The advantages of the leased line option over the dial-up are: (1) no dial delay, (2) easier to configure modems, and (3) are somewhat more secure. The biggest problem with the leased line option is that phone company technicians are notorious for disconnecting them and leaving you without communications with your remote for days or even weeks at a time. While advanced digital phone lines don’t often get accidentally disconnected by phone technicians, entire systems have been known to come down because one lead on one remote goes to ground. They offer high data rates and good reliability; however, their cost can be prohibitive. Also keep in mind that all of these systems are susceptible to fires, bad drivers or infrastructure problems not of your making. In summary, wired systems usually carry a monthly charge, may be expensive to obtain or install and can be unreliable, but may be a necessary part of your system.
Firetide HotPort® 7000 Series Wireless Mesh Nodes
• Reliable, High-Performance Networks in Challenging Wireless Environments
• Street-Level Connectivity
• Encryption for End-to-End Security
[Figure: wireless mesh diagram. Labels: Firetide Mesh Node, Firetide Backhaul, Wireless Mesh, Utility Company, Smart Utility Meter, Data Collection Unit]
Security Products Magazine 2011 New Product of the Year
Firetide’s Mobility Infrastructure has been selected as the winner of Security Products magazine’s ‘2011 New Product of the Year Award’ in the wireless technology category. Firetide’s Mobility Infrastructure, which includes the HotPort 7000 and FMC-2000, delivers reliable, uninterrupted Internet connectivity from virtually any moving vehicle including first responders, trains, buses, and more, enabling a range of exciting new applications that were not possible before. Essentially any standard Ethernet or Wi-Fi-enabled device such as iPhones, laptop computers, even video security cameras, can maintain continuous network connectivity, even while travelling at high speeds.
“The New Product of the Year contest gets better every year with a wider array of products and incredible technologic advances,” said Ralph C. Jensen, editor-in-chief at Security Products magazine. “This year, participation focused on more product verticals that captured every segment of the security industry. We appreciate the entrants and their willingness to share the newest innovations of security products with us and our readers.”
“Winning the Security Products New Wireless Product of the Year is a welcomed reward that highlights Firetide’s dedication in developing the very best in wireless broadband products,” said Bo Larsson, CEO of Firetide. “We have worked tirelessly to create highly reliable and secure solutions that have a great deal of flexibility in deployment and are cost effectively utilized for a wide range of applications, from security to municipal services to public access. It’s an honor to be recognized by an industry leading security publication.”
The Security Products New Product of the Year Award honors the outstanding product development achievements of security equipment manufacturers whose products are considered to be particularly noteworthy in their ability to improve security. To view all of this year’s winners, you can visit the Security Products’ presentation.
About Firetide Inc.
Firetide is the leading provider of wireless infrastructure mesh networks that enable concurrent video, voice and data for government, transportation and commercial applications. Firetide provides reliable high-performance wireless infrastructure mesh and access solutions for video surveillance, Internet access, public safety networks and temporary networks wherever rapid deployment, mobility and ease-of-installation are required. Headquartered in Los Gatos, Calif. with offices in Asia Pacific, Firetide is a privately held company with worldwide product distribution. www.firetide.com
Security Products Magazine Names Firetide Mobility Infrastructure Family 2011 New Wireless Product of the Year
ClearSCADA Training Course
June 4-7, 2012 - Mill Valley, CA
October 22-25, 2012 - Mill Valley, CA (TBA)
Day 1 (8AM–4PM) Installing ClearSCADA, Introduction to ClearSCADA, Components, Using ViewX, Using WebX, ClearSCADA Help
Day 2 (8AM-4PM) Configuring using ViewX, Database Organization, Basic Telemetry Configuration, Creating Mimics, Creating Trends
Day 3 (8AM-4PM) Configuring using ViewX, Templates & Instances, Logic Languages, Security, Communications Diagnostics
Day 4 (8AM-4PM) Reports, System Configuration, System Architecture, Questions
Cost: ClearSCADA Training Course $1,890
SCADAPack Telepace Studio Training Course
May 1-3, 2012 - Mill Valley, CA
October 16-18, 2012 - Mill Valley, CA
An optional SCADAPack 350, SCADAPack 334 or SCADAPack 32 is available at a special price* with the course—an excellent way to get started using SCADAPack controllers.
Day 1 (8AM-4PM) SCADAPack controller operation, Series 5000 I/O, Telepace Studio introduction
Day 2 (8AM-4PM) Telepace Studio advanced programming techniques and advanced functions
Day 3 (8AM-2PM) Controller communications, Modbus Master/Slave protocol, Diagnostics, Modems
Cost: SCADAPack Telepace Studio Course $1,340
*Optional SCADAPack 350 Training Kit – adds $1040
*Optional SCADAPack 334 Training Kit – adds $1040
*Optional SCADAPack 32 Training Kit – adds $1,100
Instructors: ClearSCADA & SCADAPack Telepace classes will be taught by Tony Sannella, Sage Designs, a Factory-Certified Instructor. The ClearSCADA Test drives will be conducted by Sage Designs or a factory representative.
Location: See individual course registration form. Those requiring overnight accommodations should call the hotel directly for reservations.
What should I bring? Laptop computer with minimum requirements as shown on the specific course registration forms, plus necessary permissions to install software on your computer.
What is provided? Lunch and coffee, soft drinks and snacks each day.
*Optional Training Kits at special course pricing (Telepace class only): Limit one (1) for every two (2) students per organization. Training Kits will be shipped N/C to training facility, provided your registration is received approximately 4 weeks before the first day of the course, or shipped to you after the course when available. Training kits include a SCADAPack 350, SCADAPack 334 or SCADAPack 32 Controller, Telepace Studio Software, Hardware Manual (on CD-ROM), I/O Simulator board, AC/2 Transformer, & programming cable. Prices do not include applicable California sales taxes.
Training Classes
Download the Registration form at: http://www.sagedesignsinc.com/events/index.htm
Please send me the Registration Form
ClearSCADA: ❑ June 4–7, 2012 – Mill Valley, CA ❑ October 22–25 2012 – Mill Valley, CA
SCADAPack Telepace: ❑ May 1–3, 2012 – Mill Valley, CA ❑ October 16-18, 2012 – Mill Valley, CA
Name (please print):
Title:
Company:
Phone:
Address:
Fax:
Email:
City/State/Zip:
* * * Registration Deadline: 2 weeks before 1st day of course * * *
All registrations are subject to cancellation fees. A confirmation notice will be sent to all registrants on or before the deadline date.
Schedule Your Own Free Hands-On Test Drive
Call to Schedule a Test Drive
Call 1-888-ASK-SAGE
email: [email protected]
(20 Contact Hours)(28 Contact Hours)
ClearSCADA SCADAPack
150 Shoreline Hwy. #8A, Mill Valley, CA 94941-3634 • Phone: 415-331-8826 • 1-888-ASK-SAGE • Fax: 415-331-8969 • 1-888-FAX-SAGE • www.SageDesignsInc.com
SCADAWise Basics
November 9, 2011, 8AM — 1PM: SpringHill Suites by Marriott, 10593 Fairway Drive, Roseville, CA 95678
December 7, 2011, 8AM — 1PM: Holiday Inn Hotel & Conference Center, 9000 W. Airport Drive, Visalia, CA 93277
This ½-day course is designed for the non-technical person who wants to understand basic SCADA principles.
• PLCs vs. RTUs • Radio Systems • Host SCADA Software • Open Architecture Systems • SCADA Protocols
(3.5 Contact Hours)
SCADAPack Basics
November 9, 2011, Noon — 5 PM: SpringHill Suites by Marriott, 10593 Fairway Drive, Roseville, CA 95678
December 7, 2011, Noon — 5 PM: Holiday Inn Hotel & Conference Center, 9000 W. Airport Drive, Visalia, CA 93277
This ½-day course is designed for the mildly technical person who owns SCADAPack Controllers, but will never write programs.
• Tour of New Telepace Studio Software • Indicator Lights on SCADAPack Controllers • Communication Port Setup and Diagnostics • Boot Modes • Downloading and Monitoring Programs
(3.5 Contact Hours)
What should I bring? Your thinking cap only. The SCADAPack Basics Course offers limited hands-on portions, equipment provided.
What is provided? Lunch (from Noon-1PM), coffee, soft drinks and snacks during course day.
To Register: Call 1-888-ASK-SAGE to reserve your seat. Then complete the information below and send to us
via fax to 1-888-FAX-SAGE or by email [email protected]. A confirmation will be emailed to you.
Name (please print):
Title:
Company:
Phone:
Address:
Fax:
City/State/Zip: Email:
Lunch choice (Nov 9) – A, B or C:
Lunch Choice A = Chicken Pesto Ciabatta, Choice B = Creole Chicken Wrap or Choice C = Penne Pomodoro (vegetarian)
Lunch choice (Dec 7) – A, B or C:
Lunch Choice A = Chicken Cordon Bleu, Choice B = Marinated Beef Tenderloin or Choice C = Pasta Primavera (vegetarian)
□ Roseville (November 9, 2011) — or — □ Visalia (December 7, 2011)
□ SCADAWise Basics Course (Morning Class only, lunch from 12-1PM) $ 450.00 (non-taxable services)
□ SCADAPack Basics Course (Afternoon class only, lunch from 12-1) $ 450.00 (non-taxable services)
□ Both SCADAWise Basics & SCADAPack Basics Courses (all day rate) $ 795.00 (non-taxable services)
METHOD OF PAYMENT: Purchase Order, Prepaid Check, Visa or Mastercard. Payment should be made to Sage Designs, Inc.
Course fees are due on or before the first day of class. No Shows or Cancellations made less than 6 business days prior to the first day of training will be billed at the full amount and
are not refundable. A confirmation notice will be sent to all registrants on or before the deadline date.
□ Purchase Order Billing: After telephoning your intent to register, fax/email Purchase Order addressed to Sage Designs, Inc.
Total to be invoiced against PO #____________________ is $_________________.
□ Prepaid Check: After telephoning your intent to register, mail a check addressed to Sage Designs, Inc. along with a copy of this form. Total Prepaid Check Amount: $________________.
□ Visa or MasterCard Billing: After telephoning your intent to register, fax or email this form. Total to charge on the first day of course $_________.
Visa or Master Card Acct #: ____________________________________________ Expires (MO/YR):_______ Cardholder Name (please print): _________________________________________ Phone: _____________________ Cardholder Authorization Signature: ____________________________________ email: ______________________ Cardholder Billing Address: _________________________________________________________________________ City:_____________________________________________ State: _____ Zip: ________________________________
* * * Registration Deadlines: November 2, 2011 (Roseville) and November 30, 2011 (Visalia)* * *
Firetide FWB-205 outdoor wireless Ethernet bridges provide low-cost, high-capacity connectivity between two locations. FWB-205 utilizes the MIMO technology to provide increased throughput and performance for a backhaul link. FWB-205 is software-configurable to operate in 5 and 4.9 GHz and can deliver up to 150 Mbps of UDP throughput.
Complete Infrastructure Solution
FWB-205 product line is a natural expansion of Firetide’s core wireless infrastructure technology. Firetide’s expertise in large-scale wireless mesh networks for video, data and voice applications in harsh environments ensures that its bridges are optimized to provide the highest performance, security and reliability in the industry.
Concurrent Voice, Video, Data
FWB-205 bridge is optimized to provide high-capacity and low-latency connectivity for demanding data, voice and video applications. Point-to-point connectivity is critical for municipalities, public safety, industrial installations and campus environments. In addition to these markets, this product serves the needs of wireless Internet service providers and telecom operators. FWB-205 provides true bridging functionality and is agnostic to the types of client or protocols on the network. FWB-205 supports transparent overlay of multiple subnets (VLANs) over the point-to-point link. It also provides seamless transport of multicast and broadcast traffic over the point-to-point link, including IPTV distribution, video on demand, video surveillance and video conferencing. In addition, to prevent bandwidth abuse, FWB-205 provides advanced tools such as multicast rate limits.
Privacy and Security
FWB-205 supports the industry’s highest level of security to ensure privacy for communications and reduce liability for service providers. Like all components of the Firetide wireless mesh and access infrastructure, FWB-205 offers WPA2-PSK (Wi-Fi Protected Access) encryption for an unmatched, solid, and trusted network.
Flexibility of Deployment
Deployed as a standalone solution, the FWB-205 link is managed via a browser-based management interface. Customers can also integrate the FWB-205 links into a larger Firetide mesh network managed by HotView Pro™ network management software. Designed for an easy “out-of-the-box” installation experience, the unit pair is shipped preconfigured and with all accessories included. The FWB-205 is bundled with two external 3-in-1 MIMO antennas for 4.9 and 5 GHz. An integrated antenna alignment tool provides step-by-step guidance in achieving maximum signal
Firetide Point-To-Point Bridges - Make Any Network Device Wireless
information is vulnerable.
3. Standardized technologies—Organizations are transitioning to standardized technologies, such as Microsoft’s Windows, in order to reduce costs and improve system scalability and performance. The result is more people armed with the knowledge and tools able to attack a system, and an increase in the number of systems vulnerable to an attack.
4. Availability of technical information—Public information about infrastructures and control systems is readily available to potential hackers and intruders. Design and maintenance documents and technical standards for a critical system can all be found on the internet, greatly jeopardizing overall security.²
With so much riding on SCADA systems, it should come as no surprise that shortly after September 11, 2001, government officials found evidence of terrorist groups visiting websites that offer software and programming instructions for the digital equipment that run power, water, transport and communications grids. Furthermore, it has since been proven that the inner controls of critical infrastructure systems have been the target of cyber attacks. For example, in 2006 a water filtration plant near Harrisburg, Pennsylvania had its security system hacked. Malicious software that had the capability of disrupting the water treatment operations was planted from an outside source into the computer system.³
Most recently to shake the cyber security world was the “Stuxnet” malware, discovered in June 2010. On Nov 29, 2010, Iran’s president Mahmoud Ahmadinejad publicly disclosed that the Stuxnet cyber-threat had affected his country’s uranium enrichment efforts. It is believed that the code was designed to sabotage nuclear plants, specifically targeting an individual company’s configuration software and control devices. This intelligent worm was primarily spread via USB sticks but was found to also infect systems through network shares and SQL databases. According to Symantec, the worm would search for specific models of frequency converter drives made by two firms. Once the worm found the right configuration, it sabotaged operations by introducing subtle changes to the speed of the frequency drives over several weeks, while displaying normal readings to maintain its stealth. The Stuxnet malware began infecting systems in January 2009 and reports indicate that more than 100,000 computer systems have been infected worldwide. Historic data from the early days of the attack showed that 58.85% of infections occurred in Iran, 18.22% occurred in Indonesia, and 8.31% occurred in India.⁴ Although no serious damage was caused to any utility sectors, this sophisticated malware highlights the risks modern SCADA systems face with respect to connectivity, insecure remote connections, standardized technologies, and readily available technical information. Cyber security is a topic for utility experts and manufacturers that can no longer be ignored.⁵
Proactive Cyber Security is Smart Business
Ensuring cyber security in control systems may at first seem like a daunting task, as it requires a commitment from the entire organization. Upper management needs to recognize the numerous benefits of a secure SCADA system. These advantages include ensuring system uptime, reliability and availability. Implementing good cyber security is smart business because a secure system is a trusted system, and customer retention and loyalty is built around trust. Vendors, system integrators, IT and control engineers all share in the responsibility. There are many resources available now to help critical infrastructure SCADA systems enhance their security. For example, the standard ISA99 – Industrial Automation and Control Systems Security, establishes best practices, technical reports, and related information to define procedures for implementing and assessing electronically secure systems. Compliance with this standard can improve manufacturing and control system electronic security, help identify and address vulnerabilities, and reduce the risk of compromised confidential information and system degradation.⁶
Government regulations also exist and continue to evolve with the goal of securing critical infrastructure industries. The most ambitious for influencing government policy is the non-profit North American Electric Reliability Corporation (NERC) – Critical Infrastructure Protection (CIP) standard. Known as NERC-CIP, this standard has its roots in the Electricity Modernization Act which
[Figure: Firetide Wireless Bridge Typical Deployment Scenario. Labels: Head Office, Remote Office, FWB-205, FWB-205 and Video Surveillance Camera, 5 GHz Broadband Link, 4.9 GHz Surveillance Link]
2 United States General Accounting Office, “Critical Infrastructure Protection, Challenges and Efforts to Secure Control Systems”, GAO-04-354, March 2004.
3 Philip Leggiere, “Infrastructure Security, Securing SCADA”, HSToday, www.hstoday.us, September 2008.
4 Jarrad Shearer, “W32.Stuxnet”, Symantec, www.symantec.com, September 17, 2010.
[Figure: sensor-to-enterprise architecture diagram. Labels: Instruments & Controls, Field Devices, Accutech Wireless Instrumentation, Base Radio, SCADAPack, SCADAPack Smart RTU, Remote Assets, Remote Communication Network, Trio Data Radio, Control Room, ClearSCADA Software, Backbone IP Network, Security, Business Systems, Business Application Servers, Remote Maintenance, Remote Web Users]
A complete integrated sensor to enterprise solution that will go beyond addressing the most
challenging remote monitoring and control application and help you efficiently manage and operate
a secure and reliable water infrastructure.
Telemetry Solutions for Water & Wastewater
Telemetry & Remote SCADA Solutions
> ClearSCADA Software
> Trio Data Radios
> SCADAPack Smart RTUs
> Accutech Wireless Instrumentation
www.controlmicrosystems.com
is part of the US Energy Policy Act of 2005. Within the Energy Policy Act of 2005, there is a section, which dictates that the NERC-CIP standard requires all power plants and electric utility facilities to develop new cyber security systems and procedures in accordance with a 3-year implementation plan. There are eight different CIP standards covering everything from Security Management Control and Critical Cyber Assets, to Incident Reporting and Recovery Plans. Each one of the eight standards defines a series of specific requirements. The standards are:
• CIP-002-1: Critical Cyber Asset Identification
• CIP-003-1: Security Management Controls
• CIP-004-1: Personnel and Training
• CIP-005-1: Electronic Security Perimeter
• CIP-006-1: Physical Security of Critical Cyber Assets
• CIP-007-1: Systems Security Management
• CIP-008-1: Incident Reporting and Response Planning
• CIP-009-1: Recovery Plans for Critical Cyber Assets
Now that we’re seeing congressional action and government penalties for non-compliance, SCADA cyber security is being taken more seriously.⁷
Encryption and Authentication
In order to meet CIP-005-1 and CIP-007-1 standards, encryption and authentication are critical elements in a comprehensive cyber security solution. Typical SCADA security measures consist of physically securing the hardware and transmission media, and employing common cyber security defenses such as password protection and anti-virus utilities. Communication security measures are harder to enforce since modern day hackers can easily identify confidential phone numbers, decode proprietary protocols, and bypass firewalls and gateways. Encryption and authentication are highly effective methods to reduce some of these cyber threats to SCADA communications. There are two open standards for SCADA communications available on the market today that were developed to provide security through encryption and authentication:
• IEEE 6189 suite—Also known as AGA 12 incorporated in IEEE 1711, these standards secure SCADA equipment communication.
• IEC 62351 suite—Secure Authentication for DNP3 communication is based on this standard.
Encryption is the act of manipulating information until it appears almost meaningless to the casual observer. Decryption is the process that takes place to restore an encrypted message back to its previous readable state. In a typical SCADA system, messages are sent using a given protocol format, such as MODBUS or DNP3. Anyone who can see the messages being transmitted can decode them and see what information is being transferred from device to device. On an encrypted SCADA communication system, messages are transformed into a seemingly garbled sequence of bytes. Short messages are stuffed with extra random data to make it difficult to estimate the size or type of the messages being transmitted. A casual observer can determine little more than the fact that a message has been sent from one device to another. Encryption makes spying on and tampering with SCADA networks much more difficult.
Like many forms of physical or electronic security, encryption uses a key. This type of key is a secret sequence of data that determines how the information being sent between devices is obscured (encrypted). Keeping this key secure is a fundamental part of SCADA security. It is therefore important to reiterate that employing a diverse range of security measures will always prove more effective. The other layers of security, like physical locks, operating procedures, and separately secured corporate and SCADA networks are necessary to protect encryption keys, and the system as a whole.
Authentication is the process by which one part of a SCADA system proves its identity to another. A SCADA device receiving a critical message, such as a command to perform controls or respond with data, can challenge the sending device’s identity. The sending device must then provide the challenge response. If the receiving device is satisfied with the challenge response then it will act on the original command. Like encryption, authentication requires the communicating SCADA devices to have a mutually known secret key. Whereas encryption uses its key to transform entire messages into an encrypted data stream, authentication challenges and challenge responses use their keys to create special digital signatures. The mathematics used in authentication is similar to that of encryption, but a smaller amount of data needs to be manipulated. This means that authentication is computationally far cheaper than encryption and typically uses the structure of the original SCADA protocol for better communication efficiency. Authentication prevents malicious parties from controlling a secured SCADA device, but it will not stop them from intercepting messages and reading their content.
Achieving Your Secure SCADA with Schneider Electric
As described above, government is mandating the deployment of security technology for SCADA systems in some utility sectors, while for the moment leaving others free to choose whether they deploy security or not. With the growing vulnerabilities of control systems and the potential for harm and civil disruption in a breached critical infrastructure system, SCADA users are advised to formulate and deploy a security plan that meets their individual and immediate needs. Even within a security mandate there is scope for choice about how to implement the security system: authentication or encryption, or both. Schneider Electric’s SCADAPack E controllers provide both IEEE 6189 message encryption and DNP3 secure authentication. The E controllers now provide DNP3 communications to the latest DNP3-2009 standard as well. A new user-friendly security administrator is available for managing DNP3 secure authentication and AGA12 encryption
security and is multigroup aware so it can be used to manage security configurations for multiple controllers in a system. The SCADAPack E Configurator software further enhances system security as it cooperates with the E controllers to authorize configuration software installation, authorize users, and prevent system manipulation. This technology addresses the vulnerable security gap that commonly exists between control devices and their management software. This powerful line of programmable logic controllers with remote terminal unit functionality is designed specifically for telemetry and remote SCADA water and wastewater applications. With improving overall system visibility and security at its core, E controllers maintain no holes in data even when communication links go down and allow end users peace of mind in their system data’s integrity for billable applications or critical operations.
In 2011, we will see utilities take a more proactive approach to protecting their SCADA infrastructure with the adoption of encryption and authentication technologies to meet compliance standards and avoid the monetary fines and reputational damage that a security breach can cause.
— by Metin Ozturk & Phil Aubin, Schneider Electric, Telemetry & Remote SCADA Solutions
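The challenge-response authentication described in this article, as an added Python illustration that is not from the article, its authors or any vendor. It is a simplified sketch, not the DNP3 Secure Authentication or IEC 62351 wire format; the class names, HMAC-SHA256, the 16-byte MAC length, the key and the Modbus-style frame are assumptions and constructed values.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 16  # assumed truncation length for this sketch


def compute_mac(key: bytes, seq: int, nonce: bytes, request: bytes) -> bytes:
    """Keyed digest over the challenge (seq + nonce) and the exact request bytes."""
    msg = struct.pack(">I", seq) + nonce + request
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


class Outstation:
    """Receiving device (hypothetical): challenges a critical request before acting."""

    def __init__(self, key: bytes):
        self._key = key
        self._seq = 0
        self._pending = None  # (seq, nonce, request) held until answered
        self.executed = []    # requests that passed authentication

    def receive_critical(self, request: bytes):
        """Hold the request and return a fresh, unpredictable challenge."""
        self._seq += 1
        nonce = os.urandom(16)
        self._pending = (self._seq, nonce, request)
        return self._seq, nonce

    def receive_response(self, seq: int, mac: bytes) -> bool:
        """Act on the held request only if the response matches; one try per challenge."""
        pending, self._pending = self._pending, None
        if pending is None or pending[0] != seq:
            return False
        expected = compute_mac(self._key, *pending)
        if not hmac.compare_digest(expected, mac):  # constant-time comparison
            return False
        self.executed.append(pending[2])
        return True


class Master:
    """Sending device (hypothetical): proves knowledge of the shared key."""

    def __init__(self, key: bytes):
        self._key = key

    def answer(self, seq: int, nonce: bytes, request: bytes) -> bytes:
        return compute_mac(self._key, seq, nonce, request)


def demo() -> dict:
    key = bytes(range(32))  # constructed shared secret
    # Constructed Modbus-style "write single coil" frame (unit 0x11, function 0x05).
    request = bytes.fromhex("110500acff00")
    rtu, master = Outstation(key), Master(key)
    results = {}

    # 1. Legitimate exchange: request, challenge, response, execute.
    seq, nonce = rtu.receive_critical(request)
    good_mac = master.answer(seq, nonce, request)
    results["legitimate"] = rtu.receive_response(seq, good_mac)

    # 2. A recorded response does not satisfy a new challenge (fresh nonce).
    seq2, _ = rtu.receive_critical(request)
    results["replayed_response"] = rtu.receive_response(seq2, good_mac)

    # 3. A sender without the shared key cannot produce a valid response.
    seq3, nonce3 = rtu.receive_critical(request)
    bad = Master(b"\x00" * 32).answer(seq3, nonce3, request)
    results["wrong_key"] = rtu.receive_response(seq3, bad)

    # 4. A request altered in transit no longer matches what the master signed.
    altered = bytes.fromhex("110500ac0000")
    seq4, nonce4 = rtu.receive_critical(altered)
    results["altered_request"] = rtu.receive_response(
        seq4, master.answer(seq4, nonce4, request))

    # Authentication alone leaves the frame readable on the wire.
    results["plaintext_visible"] = request.hex()
    results["executed_count"] = len(rtu.executed)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the first exchange results in the command being executed; the frame itself stays readable throughout, which is the article's point that authentication controls who can command a device but does not hide message content.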
5 For control system security program information and incident reporting, visit Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at www.ics-cert.org.
6 The International Society of Automation, “ISA99, Industrial Automation and Control System Security”, http://www.isa.org/MSTemplate.cfm?MicrositeID=988&CommitteeID=6821.
7 Philip Leggiere, “Infrastructure Security, Securing SCADA”, HSToday, www.hstoday.us, September 2008.
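The challenge and response exchange the article describes, as a minimal sketch showing that a device can reject unauthenticated commands while the command itself stays readable in transit. It is an added example, not Schneider Electric's implementation or the DNP3 secure authentication message format; the `Outstation` class, the command string, the key and the use of HMAC-SHA256 as the keyed signature are assumptions.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key


def sign(key: bytes, challenge: bytes, command: bytes) -> bytes:
    """Keyed tag over challenge + command (HMAC-SHA256 is this demo's choice)."""
    return hmac.new(key, challenge + command, hashlib.sha256).digest()


class Outstation:
    """Hypothetical field device that challenges every control request."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = None  # challenge awaiting a response

    def challenge(self) -> bytes:
        # Fresh random value so a recorded response cannot be reused later.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def execute(self, command: bytes, tag: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge
        expected = sign(self._key, self._pending, command)
        self._pending = None  # each challenge is single use
        return hmac.compare_digest(expected, tag)


def run_demo() -> dict:
    rtu = Outstation(SHARED_KEY)
    command = b"OPERATE pump=3 state=ON"  # constructed sample, sent unencrypted
    good_tag = sign(SHARED_KEY, rtu.challenge(), command)
    results = {"genuine": rtu.execute(command, good_tag)}
    # A sender without the key cannot produce a valid tag.
    forged = sign(b"not-the-key", rtu.challenge(), command)
    results["forged"] = rtu.execute(command, forged)
    # A recorded tag fails against the next, different challenge.
    rtu.challenge()
    results["replayed"] = rtu.execute(command, good_tag)
    # Authentication only: the command itself is still readable on the wire.
    results["readable_on_wire"] = b"pump=3" in command + good_tag
    return results


if __name__ == "__main__":
    print(run_demo())
```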
[Figure labels: SCADA Master Station; Configuration Software; Secure Communication Network; SCADAPack E Controllers]
Robust SCADA System at Sweetwater Springs Water District

In 2005, Sweetwater Springs Water District in Guerneville, CA installed a new SCADA system for water distribution. This is a tough application for radios, with hills, mountains, and dense redwood forests proving challenging for the radio system. The completed system has over time proven to be robust and reliable, requiring less maintenance and delivering higher reliability than might have been anticipated. A good design, coupled with careful system integration, has helped achieve this high reliability.

The SCADA system provides for control and monitoring of 10 remote sites. Tank level data is sent to pump sites, and pump sites react to the tank level data by operation of the pumps to keep the tanks full. The SCADA system provides monitoring at the central office of equipment status, process data, alarm data, and data collection.

The SCADA system consists of 11 SCADAPack programmable logic controllers (PLC), monitoring approximately 13 remote sites. Teledesign Systems TS4000 radios at each PLC site provide licensed frequency communications at 467 MHz. This frequency is able to cut through the thick redwood forests that surround many sites. A SCADAPack Vision 10 operator interface provided locally at each PLC site provides local control and monitoring. Some PLC sites communicate via Bell 202 modem and buried cable to other nearby sites. The Front End Processor PLC and the SCADA computer are located at the central office. The SCADA computer is full-featured, and provides for monitoring and control, alarming, alarm dial-out, and remote access. The PLCs, radios, and operator interfaces were all provided through Sage Designs.

Control of the SCADA system is distributed throughout the SCADA system. This means that tank level control at a pumping site does not require the master site (District Office site) to be functional for the level control to be operational. The tank level control does not require even that a radio repeater be functional. This distribution of control provides for robustness by avoiding single points of failure.

Radio communications control is distributed also. There is not one master radio site that provides for radio communications throughout the radio system. There is no single point of failure in the radio system. The details of this feature are in the following paragraphs.

The radio system consists of remote sites, repeater sites, combination remote and repeat sites, and one master site. The pump sites generally have directional antennas pointing to their associated tank site. The tank sites have antennas (omni-directional or directional) that allow communications both with their associated pump site, as well as a relay site and/or the master site (central office site). There is also a main repeater site on Mount Jackson that is used by much of the radio system.

Quiescent telemetry was deployed on this project as specified. Quiescent telemetry is a method of SCADA communications in which the remote sites are not polled by a master site. With quiescent telemetry, each remote site transmits data to the master site on an as-needed basis, sending alarms and change-of-state information on an as-needed basis, and also sending analog data periodically as needed when a specified change of analog signal is detected by the PLC. This is sometimes called report-by-exception.

Quiescent telemetry is more difficult to deploy than the typical polling system, but does offer significant advantages. The disadvantage to quiescent telemetry is that the logic for communications is spread over the SCADA system, and transmissions can originate from almost any remote site, making startup and troubleshooting less straightforward and possibly increasing the amount of time that startup requires.

This disadvantage of quiescent telemetry is mitigated by one valuable feature: The remote diagnostic feature available with the Teledesign Systems TS4000 radios allows “pinging” of each remote and relay site from the master site, which provides information on the communications routing, signal strengths, and success and failure of the pinging. The remote diagnostic feature also allows tracing of radio packets received at any radio. With this radio diagnostic tool, from one central location the user may obtain a valuable picture of the health and performance of the entire radio system.

There are also some significant advantages to the use of quiescent telemetry. Because data is transmitted only on an as-needed basis by the remote sites, the radio frequency remains quiet (hence the name “quiescent telemetry”). This quiet of the radio system leaves room for multiple radio conversations over a single communications channel.

The SCADA system design called for backup peer-to-peer radio communications. In other words, normally the remote tank site level signal is transmitted to the central, and the central site re-transmits this signal data to the remote sites (primarily pumping sites) that need this data for control of the process. The peer-to-peer mode works as follows: If a pump site has not received level data from the central office site in a specified period of time, the pump site’s radio will transmit a request for level signal data directly from its associated tank site. If the District Office site (master site) fails, and the main repeater site fails at Mount Jackson, the pairs of tank and pump sites will then communicate with each other by peer-to-peer communications, providing for tank level control in a distributed fashion.

Reliability of the SCADA system is further enhanced by use of multiple repeaters. Some remote sites double as repeater sites. Many remote sites can communicate with the alternate repeater sites, so that in case of failure of the main repeater site at Mount Jackson, the alternate repeater sites seamlessly provide for an alternate communications route.

— By Douglas H Wirth, Sky Valley Engineering Services. Sky Valley Engineering Services has provided startup services and ongoing support to Sweetwater since 2006. Sky Valley specializes in SCADA system installation, upgrades, and maintenance for water districts and other industries in Central California since 2006. Sky Valley Engineering Services may be reached at [email protected].
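The report-by-exception and peer-to-peer fallback behaviour described in the article, sketched as a small simulation in which the central office stops relaying and the pump site recovers by asking its tank directly. This is an added example, not code from the District's PLCs or from the article's author; the class names, the 5 cm deadband, the 240 s staleness timeout, the single start setpoint and the sample levels are assumptions made for illustration.

```python
class TankSite:
    """Remote site that transmits only when the level moves by the deadband."""
    def __init__(self, deadband_cm: int):
        self.deadband_cm = deadband_cm
        self.level = self.last_sent = None

    def sample(self, level_cm: int) -> bool:
        self.level = level_cm
        if self.last_sent is None or abs(level_cm - self.last_sent) >= self.deadband_cm:
            self.last_sent = level_cm
            return True  # report by exception
        return False  # channel stays quiet


class PumpSite:
    """Pump controller that asks its tank directly when relayed data goes stale."""
    def __init__(self, tank: TankSite, stale_after_s: int, start_below_cm: int):
        self.tank, self.stale_after_s = tank, stale_after_s
        self.start_below_cm = start_below_cm
        self.level, self.last_rx, self.peer_requests, self.pump_on = None, 0, 0, False

    def receive(self, now: int, level_cm: int) -> None:
        self.level, self.last_rx = level_cm, now
        self.pump_on = level_cm <= self.start_below_cm  # simplified single setpoint

    def tick(self, now: int) -> None:
        if now - self.last_rx > self.stale_after_s:
            self.peer_requests += 1
            self.receive(now, self.tank.level)  # peer-to-peer request and reply


def simulate(central_fails_after_s: int = 180) -> tuple:
    """Return (tank transmissions, peer requests, pump's level, pump_on)."""
    levels = [600, 599, 597, 594, 592, 590, 588, 586, 584, 582]  # constructed, cm
    tank = TankSite(deadband_cm=5)
    pump = PumpSite(tank, stale_after_s=240, start_below_cm=585)
    sent = 0
    for i, level in enumerate(levels):  # one sample every 60 s
        now = i * 60
        if tank.sample(level):
            sent += 1
            if now <= central_fails_after_s:  # central office relays while it is up
                pump.receive(now, level)
        pump.tick(now)
    return sent, pump.peer_requests, pump.level, pump.pump_on


if __name__ == "__main__":
    print(simulate())
```

With the central office failing after 180 s, the tank transmits on only 4 of 10 samples and the pump site issues one direct request once its data is older than the timeout, so it still starts the pump on a current level.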
Firetide Point-To-Point Bridges - Make Any Network Device Wireless (continued from page 4)

quality, translating to better network performance and throughput.

Enhanced Radio Management
The FWB-205 enhances the Radio Management capabilities of the bridge by providing a second radio which will be dedicated for RF Monitoring purposes. This enables features such as spectrum analysis, channel load analysis, interference detection and mitigation. Also since the radio is dedicated, this enables faster response to neighborhood RF changes.

Features Include:
• Wireless Video Transmission
• 150 Mbps of UDP throughput
• IEEE 802.11a/b/g/n
• High power radio: 3X3 MIMO dual stream, 400 mW
• Supports the industry’s highest level of security WPA2-PSK
• Unit powered via Power-over-Ethernet (PoE)
• Intuitive web-based interface
• Adjustable frequency ranges minimizing interference
• Easy installation

For more information, contact your Firetide Partner, Sage Designs.
SCADA
• ClearSCADA Enterprise Software
• SCADAPack RTU/PLC Controllers
• FlowStation Pump Controllers
• WIN-911 Alarm Notification Software

WIRELESS
• TRIO Spread Spectrum & Licensed Radios
• Firetide Broad-Band Mesh Network
• Teledesign Systems VHF & UHF Licensed
• FreeWave Spread Spectrum Serial & Ethernet

SECURITY
• Analog & IP Cameras, Video Surveillance Hardware & Software
• PureActiv Video Analytics & Camera Management

MS4 PERMITTING SOFTWARE
• CBI Systems, Ltd MS4 Permit Manager™ & MS4web™ software
Acknowledgements: SCADAPack™, FlowStation™, and ClearSCADA™ are trademarks of Control Microsystems Inc. (Schneider Electric Telemetry & Remote SCADA Solutions brand). Win-911® is a registered trademark of Specter Instruments. HotPort™, HotClient™, and HotView™ are trademarks of Firetide, Inc. Firetide® is a registered trademark of Firetide, Inc.
SCADA, Security & Automation Newsletter

Calendar of Events
March 5-8, 2012: ClearSCADA Training Course*, Indio, CA
April 4, 2012: CA-NV AWWA 2012 Spring Conference, Santa Clara, CA
April 18, 2012: CWEA AC 2012 Annual Conference, Sacramento, CA
May 1-3, 2012: SCADAPack - Telepace Studio Ladder Logic Training Course*, Mill Valley, CA
June 4-7, 2012: ClearSCADA Training Course*, Mill Valley, CA
June 10-14, 2012: AWWA ACE ’12 Expo, Dallas, TX. Visit our manufacturers’ exhibits.
June 20, 2012: Wine Country Water Works Trade Show & Symposium, Healdsburg, CA
September 12-14, 2012: CWEA Northern Regional Training, Redding, CA
September 25-27, 2012: Tri-State Seminar on the River, Primm, NV
Sept. 29-Oct 3, 2012: WEFTEC.12, New Orleans, LA. Visit our manufacturers’ exhibits.
October 8-11, 2012: CA-NV AWWA 2012 Fall Conference, San Diego, CA
October 16-18, 2012: SCADAPack - Telepace Studio Ladder Logic Training Course*, Mill Valley, CA
October 22-25, 2012: ClearSCADA Training Course*, Mill Valley, CA
November 5-7, 2012: CASQA Annual Stormwater Conference, San Diego, CA

*Download the registration form from our website or call for more information.