Securing Control Systems in the Oil and Gas Infrastructure
The I3P SCADA Security Research Project
Ulf Lindqvist
SRI International
ulf@sri.com
Trust Seminar at UC Berkeley, Nov. 17, 2005
This work was supported under Award number 2003-TK-TX-0003 from the U.S. Department of Homeland Security, Science and Technology Directorate. Points of view in this document are those of the authors and do not necessarily represent the official position of the U.S. Department of Homeland Security or the Science and Technology Directorate. The I3P is managed by Dartmouth College.
What Is The I3P? The Institute for Information Infrastructure Protection
Funded by Congress, managed by Dartmouth College with oversight from DHS
Established in 2001 to identify and address critical research problems facing our nation’s information infrastructure
Consortium of 27 universities, non-profit research institutions, and federal labs
What Is This Research Project?
Two-year applied research effort to improve cyber security for control systems/SCADA
Specific focus on oil & gas industry
Help industry better manage risk by
providing risk characterization
developing and demonstrating new cyber security tools and technologies
enhancing sustainable security practices for control systems
An Important Problem
Oil and gas processing is controlled by computer systems
Trend toward general-purpose platforms and universal connectivity
These systems are vulnerable to cyber attack
An attack could have severe consequences for
Human lives
The environment
The economy
Example: Pipelines
June 10, 1999
In Bellingham, Washington, a gasoline pipeline operated by Olympic Pipeline Company ruptured
237,000 gallons of gasoline were released into Whatcom Creek
The gasoline ignited, sending a fireball racing down the creek
Two 10-year old boys and an 18-year old man were killed
SCADA system problems were a partial cause
Why Is There A Problem?
Control system side
Top priority is reliability and availability, not security
Traditionally relied on obscurity and isolation
Trend: using general hardware and OS
Owner/operator companies are in the hands of vendors
Vendors often have backdoor modem lines
Default passwords
IT side
Traditional security tools may not work for control systems
IT people do not know control systems
Enterprise networks are being connected to control systems
Control systems are overlooked because they are not managed by IT
Goals
Demonstrated improved cyber security in the Oil & Gas infrastructure sector
New research findings
New technologies
Significantly increased awareness of
Security challenges and solutions
The capabilities of the I3P and its members
Approach
Build upon ongoing cyber security research to apply to the process control arena
Develop tools and technology which could enhance the robustness of critical infrastructure process control systems
Focus on the oil and gas sector by partnering with industry
Develop research collaborations with other institutions with cyber security domain expertise
Communicate and demonstrate results of the research
Project Overview
(Diagram: Oil and Gas Industry Requirements; Information Technology Transfer, Workshops, Demonstrations; Topic 1 through Topic 6)
Topic 1 – Risk Characterization
Problem: What is the risk to infrastructure caused by potential vulnerabilities of the process control systems?
Approach:
Year 1 and 2 SCADA risk workshops focused on oil and gas sector to collect data for all tasks in the plan
Aggregate information from owners, operators, and domain experts
Analysis of the data to determine classes of SCADA systems to include vulnerabilities, threats, consequences, and risks for SCADA security
Development of attack taxonomy and mitigation strategy analysis
Profiles of security situations, generalized threats, classes of consequences
Best Practices handbook information
Topic 1 – First Year Workshop
The workshop was held in Houston, Texas, on June 2-3, 2005
Sample highlights from industry breakout sessions:
On-site contractors present a major vulnerability to facility and IT/SCADA security
Attackers can use easily accessible emergency response plans and identification of key personnel to amplify attacks
Vendors are only able to provide the products (including security) demanded by their clients
Cost and certification of security measures are a concern
Systems in the oil & gas industry represent wide range of maturation levels from beginner to advanced
Need to include consideration of all systems: legacy, modern, and heterogeneous
Most control systems in use today are insecure by design
Topic 1 – Results
One page summary of workshop
Workshop analysis report being prepared
Industry perspectives
Profiles of security situations
Technological profiles
Understanding the threat
Consequences and measures
Industry risk trends
Future Work
Attack taxonomy
Interim and final risk characterization reports
Risk characterization to quantify security impact and improve business case
2nd workshop focused on technical demonstrations
June 8, 2006 in La Jolla, CA
Topic 2 – Interdependencies
Assess the degree of SCADA dependence and associated risk exhibited by interlinked critical infrastructures
Understand the indirect risk to the U.S. Economy resulting from Oil & Gas SCADA system vulnerability and cyber threat potential
Develop risk management practices that reduce the risk of cascading effects resulting from system interdependencies and cyber attacks
Topic 2 – General Response Model Overview
Purpose:
1) Map cyber intrusion events to macro-economic inoperability effects
2) Integrate System Dynamics model with the Inoperability Input-Output Model (IIM) for comprehensive and tractable impact analysis
3) Use scenarios of cyber attack, information security, infrastructure resilience and emergency management systems to derive supply- and demand-side perturbations for IIM economic and inoperability impact analysis
4) Understand the role of public response to industry events in shaping, amplifying and dampening economic impact
5) Develop means by which the efficacy of candidate risk management strategies can be quantitatively evaluated
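The Inoperability Input-Output Model (IIM) named in purpose (2) is the quantitative core of this response model, so a worked instance is added here. This is illustration code written for this page, not the I3P project's own model or data: the sector list, the interdependency matrix A*, the perturbation vector c*, and the output figures are all constructed numbers. The model form itself is the standard IIM (Haimes and Jiang): each sector has an inoperability q in [0, 1], A*[i][j] is the inoperability induced in sector i per unit of inoperability in sector j, c* is the direct perturbation from the cyber incident, and the equilibrium satisfies q = A* q + c*, i.e. q = (I - A*)^-1 c*. The example also does what purpose (5) asks for: it scores candidate risk-management strategies by the total loss each leaves.

```python
"""Worked example of the Inoperability Input-Output Model (IIM).

Added illustration, not I3P project code.  All numbers below are constructed.
"""

SECTORS = ["oil_gas", "power", "chemicals"]

# Constructed interdependency matrix A*.
# Row i, column j: inoperability induced in sector i per unit of inoperability in j.
A_STAR = [
    [0.00, 0.30, 0.00],   # oil & gas loses output when power is down
    [0.40, 0.00, 0.05],   # power depends on gas supply, slightly on chemicals
    [0.50, 0.20, 0.00],   # chemicals depend on feedstock and power
]

# Constructed normal output per sector, in $M per day.
OUTPUT = {"oil_gas": 100.0, "power": 80.0, "chemicals": 60.0}


def solve_iim(a_star, c_star, tol=1e-12, max_iter=100_000):
    """Solve q = A* q + c* by fixed-point iteration.

    The iteration converges when the spectral radius of A* is below 1,
    which any physically meaningful IIM matrix satisfies.  Returns the
    equilibrium inoperability vector q (one entry per sector).
    """
    n = len(c_star)
    q = list(c_star)
    for _ in range(max_iter):
        q_next = [c_star[i] + sum(a_star[i][j] * q[j] for j in range(n))
                  for i in range(n)]
        if max(abs(q_next[i] - q[i]) for i in range(n)) < tol:
            return q_next
        q = q_next
    raise RuntimeError("IIM iteration did not converge; check spectral radius of A*")


def economic_loss(q, output_by_sector):
    """Per-sector loss per period = inoperability x normal output."""
    return {s: q[i] * output_by_sector[s] for i, s in enumerate(SECTORS)}


def compare_strategies(a_star, strategies, output_by_sector):
    """Purpose (5): rank candidate risk-management strategies.

    Each strategy is described by the direct perturbation c* that remains
    after it is applied (e.g. faster restoration shrinks the oil & gas term).
    Returns {strategy name: total economic loss}.
    """
    return {
        name: sum(economic_loss(solve_iim(a_star, c_star), output_by_sector).values())
        for name, c_star in strategies.items()
    }


if __name__ == "__main__":
    # Constructed scenario: a cyber incident removes 10% of oil & gas output.
    strategies = {
        "no mitigation":        [0.10, 0.00, 0.00],
        "faster restoration":   [0.04, 0.00, 0.00],
    }
    for name, c_star in strategies.items():
        q = solve_iim(A_STAR, c_star)
        print(name, {s: round(q[i], 4) for i, s in enumerate(SECTORS)})
    print(compare_strategies(A_STAR, strategies, OUTPUT))
```

The point the numbers make is the cascading one from the slide: power and chemicals receive no direct perturbation, yet both end up with nonzero inoperability purely through the interdependency matrix, and the total loss is larger than the direct oil and gas loss alone.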
Topic 2 – General Response Model Framework
Topic 3 – Security Metrics
Problem: How can the security of control systems be measured and related to business and functional requirements?
Security metrics provide tools that enable decisions based on quantitative or qualitative assessments rather than hunches or best guesses.
Lead – Pacific Northwest National Laboratory – Martin Stoddard (martin.stoddard@pnl.gov)
Team Members – Sandia National Laboratory, University of Virginia, The MITRE Corp.
Topic 3 – A Few Sample Metrics
Adversary work factor
Capability Maturity Model (CMM)
Security Scorecard
Assurance Levels/Categories
Risk Analysis/Security Vulnerability Assessments
Readiness Levels
Topic 3 – Approach
Phase I: Survey existing security metrics and provide a high-level view of metrics tools and their application to PCS.
Phase II: Develop detailed requirements for process control metrics. Apply existing technologies where applicable and identify gaps requiring further development.
Phase III: Prioritize the gaps from Phase II and apply research to develop the highest-priority metrics tools.
Topic 4 – Inherently Secure SCADA Systems
Problem: How do you design, verify, install and monitor secure process control systems?
Deliverables: Tools and techniques to
Support Secure Operations
Risk management for configuration and deployment
Assess architectural security vulnerabilities
Model and monitor correct behavior
Enable Secure Components
Application software
Protocols and protocol stacks
Operating systems
Topic 4 – Team Members
Topic Lead – MIT/LL – Rob Cunningham
Support Secure Operations
Risk management for configuration and deployment - MITRE
Assess architectural security vulnerabilities - University of Illinois
Model and monitor correct behavior - SRI
Enable Secure Components
Application software - MIT/LL
Protocols and protocol stacks - University of Tulsa
Operating systems - PNNL
Topic 4 – Research Strategy
Pull: Expand operator awareness of approaches to improved security
Develop prototype tools to suggest, verify implementation, monitor systems
Push: Enable more secure vendor solutions
Develop prototypes to improve application software, protocols, underlying operating system
Research to support market conditions for more secure components and systems
Topic 4 – Reference Refinery Network Architecture
Topic 4 – Architecture With I3P Security Components
The Traffic Assessment Tool (TAT) analyzes how well the system of firewall rules adheres to global traffic policy. The JSST is a SCADA protocol policy-aware network monitor. The HSMTU (High Security MTU) is an architecture that hardens the master control functions from. The HIDS (host intrusion detection system) and NIDS (network intrusion detection system) look for misbehavior, reported to the SIM (security incident manager).
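To make the "SCADA protocol policy-aware network monitor" concrete, the following is an added example of that idea: a monitor that checks each SCADA request against a per-master/per-slave policy and hands violations to a security incident manager. It is illustration code written for this page, not the I3P project's JSST or SIM; the IP addresses, the policy table, and the sample traffic are constructed. The function codes used are the standard Modbus ones (1 read coils, 3 read holding registers, 6 write single register, 16 write multiple registers, 8 diagnostics), and the point it demonstrates is the one such a monitor adds over a plain firewall: the same TCP flow can carry both a legitimate read and an out-of-policy write, so the decision has to be made on the protocol fields, not on addresses and ports alone.

```python
"""Policy-aware SCADA protocol monitor (added illustration, not the I3P JSST).

Constructed policy and traffic; Modbus function codes are the standard ones.
"""
from dataclasses import dataclass, field

READ_CODES = {1, 2, 3, 4}
WRITE_CODES = {5, 6, 15, 16}
DIAGNOSTIC = 8   # sub-functions of code 8 can restart or clear a device's comms


@dataclass(frozen=True)
class Request:
    src: str        # IP of the station issuing the request
    dst: str        # IP of the RTU/PLC
    unit: int       # Modbus unit identifier
    function: int   # Modbus function code
    address: int    # starting coil/register address
    count: int = 1  # number of coils/registers touched


@dataclass
class Rule:
    allowed_functions: set
    write_ranges: list = field(default_factory=list)  # inclusive (lo, hi) pairs


# Constructed policy: which master may do what to which RTU.
POLICY = {
    ("10.1.1.10", "10.2.0.5"): Rule({1, 3, 6, 16}, [(100, 199)]),  # HMI: reads + setpoints
    ("10.1.1.11", "10.2.0.5"): Rule({1, 3}),                        # historian: read only
}


@dataclass
class Alert:
    severity: str
    reason: str
    request: Request


class PolicyMonitor:
    """Checks requests against POLICY and queues alerts for the SIM."""

    def __init__(self, policy):
        self.policy = policy
        self.sim_queue = []  # stands in for delivery to the security incident manager

    def check(self, req):
        """Return an Alert for a policy violation, or None if the request is allowed."""
        rule = self.policy.get((req.src, req.dst))
        if rule is None:
            return Alert("high", "no policy entry for this master/slave pair", req)
        if req.function not in rule.allowed_functions:
            risky = req.function in WRITE_CODES or req.function == DIAGNOSTIC
            return Alert("high" if risky else "medium",
                         f"function {req.function} not permitted for this pair", req)
        if req.function in WRITE_CODES:
            lo, hi = req.address, req.address + req.count - 1
            if not any(a <= lo and hi <= b for a, b in rule.write_ranges):
                return Alert("high", f"write to {lo}-{hi} outside permitted ranges", req)
        return None

    def process(self, requests):
        for req in requests:
            alert = self.check(req)
            if alert is not None:
                self.sim_queue.append(alert)
        return self.sim_queue


# Constructed sample traffic, all to the same RTU on the same port.
SAMPLE_TRAFFIC = [
    Request("10.1.1.10", "10.2.0.5", 1, 3, 100, 10),   # HMI reads setpoints: allowed
    Request("10.1.1.10", "10.2.0.5", 1, 6, 150),       # HMI writes one setpoint: allowed
    Request("10.1.1.10", "10.2.0.5", 1, 16, 190, 20),  # HMI write spills past 199: alert
    Request("10.1.1.11", "10.2.0.5", 1, 6, 120),       # historian tries to write: alert
    Request("10.1.1.99", "10.2.0.5", 1, 3, 0, 1),      # unknown station: alert
    Request("10.1.1.10", "10.2.0.5", 1, 8, 0),         # HMI sends diagnostics: alert
]


def run_sample():
    return PolicyMonitor(POLICY).process(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for a in run_sample():
        print(a.severity, a.reason, a.request)
```

A port-level firewall would pass every one of the six sample requests, since they all go from the control LAN to the RTU on the Modbus port; only the protocol-aware check separates the two legitimate requests from the four violations, which is why the architecture pairs the TAT (firewall policy) with a protocol monitor feeding the SIM.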
Topic 4 – Risk Management
Topic 4 – Architectural Vulnerabilities
Topic 4 – Modeling and Monitoring
Topic 4 – Application Software
Topic 4 – Protocols
Topic 4 – Operating Systems
Topic 5 – Cross Domain Information Sharing (CDIS)
Domain: A collection of individuals, resources, and information owned by one organization that requires protection from other domains
Cross Domain Information Sharing: Exchange of information between two or more domains
Topic 5 – Research Plan
Prioritize the information sharing needs within the Gas & Oil sector
What information sharing is taking place, but at a risk?
What necessary information sharing is not taking place, and why not?
What information sharing will be necessary to support new business processes?
What information sharing would be beneficial, if properly constrained? (e.g., non-attribution)
Identify where existing solutions do not meet critical needs
Research, develop, and demonstrate CDIS solutions to address high priority needs
Feed Technology Transfer
Topic 5 – Use Cases
Business LAN - Control Center LAN
Database queries against financial databases that reside on the Business LAN
Email containing product orders or inventory levels
Fixed formatted messages containing product nominations or sampling results
Asset Owner - Asset Owner
Use collaborative environment to share IDS scan results, raw log data, reconnaissance activities, attack techniques (including social engineering), forensic information, system vulnerabilities, system status information
Asset Owner - Government Agencies
Submit formal reports of incidents to appropriate government agencies
Coordinate with first responders and law enforcement in the event of a crisis as well as to share after action reports
Asset Owner - Vendor
Push/pull product updates and security patches
Discuss product features and their operational use
Topic 5 – One Solution
Industry site is accessible by authenticated members
Owners report problems to vendors
Vendors and owners report problems and solutions anonymously to industry site
Industry site analyzes anonymous data
Industry site reports analysis to government site
Topic 6 – Technology and Knowledge Transfer
We are not doing “blue sky” basic research
Transition of our results into the infrastructure is essential for success
If what we are doing is not relevant to industry cyber security needs, then we shouldn’t be doing it
In this project, we are actively working to organize and speed up the transfer process
Topic 6 – Technology Transfer Mechanisms
Technology Transition Taskforce
Partnerships
Evaluations and Experiments
Technology demonstration programs
Structured Process for Value Creation
Topic 6 – Knowledge Transfer
Knowledge transfer is bidirectional
Researchers <-> Industry
Workshops
Site visits
Technical papers
Project books will be published by ISA
Training class offered to industry
Working with industry groups – API, NPRA
Related Efforts
Summary
This is the only large government-funded research effort for control system security for the oil and gas infrastructure
Focused on industry needs
6 topic areas, 11 institutions, hundreds of stakeholders, thousands of lives at risk in a major cyber attack on oil & gas systems…
Contact Information