Framework for SCADA Cybersecurity
Ebook, 267 pages, 3 hours


About this ebook

Purpose: Provide Critical Infrastructure customers and academic students an understanding of the NIST Cybersecurity Critical Infrastructure Framework and how to apply the framework to new and existing SCADA applications and implementations.
The objectives of this book are as follows:
1. Establish an overview and introduction of the EO13636 Improving Critical Infrastructure Cybersecurity.
2. Provide knowledge, understanding, and application of the five functions of the framework.
3. Apply tools and standards to enable the framework implementation.
4. Apply industry security recommendations to meet the framework categories.

This eBook is being used as a class textbook in the Cybersecurity Curriculum at Eastern New Mexico University - Ruidoso, taught by Professor Stephen Miller.

Language: English
Publisher: Richard Clark
Release date: Jan 12, 2015
ISBN: 9781310309960
Author

Richard Clark

Technical Specialist and Controls Engineer at InduSoft concentrating on cybersecurity, 3rd party product integration, specialized application development, and product marketing. Mr. Clark has been in Automation, Process System, and Control System design and implementation for more than 25 years and was employed by Wonderware, where he developed a non-proprietary means of using IP-Sec for securing current and legacy Automation, SCADA, and Process Control Systems, and developed non-proprietary IT security techniques. Industry expert by peer review and spokesperson on IT security; consultant, analyst and voting member of ISA-SP99. Contributor to PCSF Vendor Forum. Consultant to NIST and other government labs and NSA during the development of NIST Special Publication 800-82. Published engineering white papers, manuals, and instruction documents, and developed and gave classes and lectures on the topic of ICS/SCADA Security.


    Book preview

    Framework for SCADA Cybersecurity - Richard Clark

    FRAMEWORK FOR SCADA CYBERSECURITY

    By Professor Stephen Miller and Richard H. Clark

    Revision A-01.19.2015

    Abstract

    Purpose: Provide Critical Infrastructure customers and academic students an understanding of the NIST Cybersecurity Critical Infrastructure Framework and how to apply the framework to new and existing SCADA applications and implementations.

    The objectives of this book are as follows:

    1) Establish an overview and introduction of the EO13636 Improving Critical Infrastructure Cybersecurity.

    2) Provide knowledge, understanding, and application of the five functions of the framework.

    3) Apply tools and standards to enable the framework implementation.

    4) Apply industry security recommendations to meet the framework categories.


    Smashwords Edition

    License Notes:

    This ebook is available free of charge or for a minimal cost, depending on the requirements of the local ebook distributor or publisher.

    Portions or sections of this book may be copied, distributed, reposted, reprinted, or shared as required or needed, simply by including the acknowledgement of the origins of those used or redistributed materials.

    eBook ISBN: 978-1310-30996-0

    All profits from this ebook are to be directed and donated to the Eastern New Mexico University-Ruidoso Foundation, as noted below.

    If you find this ebook useful in your business, tax deductible donations to the university 501 (c) (3) foundation are encouraged by contacting:

    Copyright 2014 InduSoft, Inc., a Schneider Electric company.  All rights reserved.  All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies or their respective owners.

    Permission is hereby given to Eastern New Mexico University by InduSoft, Inc. to incorporate and reprint copyrighted materials contained in this eBook, including Chapter 5: InduSoft Security Guide.

    This ebook contains original content and materials created by the authors, as well as some materials designated as public domain or freely distributable as described within the associated footnotes. The ebook does not contain any known copyrighted information. Copyright violations should be reported to:

    InduSoft, Inc., 11044 Research Blvd., Suite A100, Austin, TX 78759 U.S.A, or by email at info@indusoft.com, and every effort will be made to make corrections in subsequent revisions and editions.

    Further information about selected subjects within this ebook is available from the website at http://www.indusoft.com and the designated references in Appendix C.

    Foreword

    InduSoft is proud to be able to participate and provide this Security Guide to the NIST Cybersecurity Framework and to be a part of the Eastern New Mexico University (ENMU) - Ruidoso curriculum. InduSoft strives to maintain customer awareness and education regarding Industrial Control System and Critical Infrastructure Security and in the use of our products. To this end, we continually conduct ongoing product and informational security webinars, publish Technical Notes and White Papers on application construction and security related topics, and publish corporate blogs on security and a number of other useful topics by a variety of different authors. Topics from various InduSoft publications and other media are presented here to help you with your security issues. Feel free to explore any of the topics and subjects in more depth by clicking on the links provided within the sections and in the footnotes, in order to get more information about the subject. We always welcome any new ideas and product suggestions that you may have at info@indusoft.com.

    Table of Contents

    Abstract

    Foreword

    Chapter 1: SCADA Cybersecurity Introduction and Review

    Section 1: What is SCADA?

    Overview

    History and Installed Base

    How SCADA Systems Work

    A More In-Depth Look at a SCADA System

    Field Devices Measure the Process for Flow Rate, Pressure, Temperature, Level, Density, Etc.

    Field Control Uses Two Types of Controllers

    Examples of HMI Screens and Displays Used Within SCADA Systems

    Section 2: Overview of Cyber Vulnerabilities

    In this section the key objectives are:

    Challenges of Securing Information

    Understanding and Defining Information Security

    Cyber Threat Source to Control/SCADA Systems Descriptions

    GAO Threat Table

    Cyber-Attacks and Defenses

    Vulnerability Assessment and Mitigating Attacks

    Section 3: Understanding Control System Cyber Vulnerabilities

    Gaining Control of the SCADA System

    Three Categories of SCADA Systems

    Chapter 2: Cybersecurity Framework Introduction

    Section 1: Framework Introduction

    Overview of the Framework

    Framework Core

    Framework Implementation Tiers

    Framework Profile

    Section 2: Risk Management and the Cybersecurity Framework

    Risk Management Redefined

    Chapter 3: Cybersecurity Framework Basics

    Section 1: Framework Basics

    Section 2: Framework Core

    Functions

    Categories

    Subcategories

    Framework Implementation Tiers

    Section 3: How Does it All Come Together?

    Coordination of Framework Implementation

    Business Process Management (BPM) Approach to the Framework

    Cybersecurity Framework Assessment Process Model Breakdown and Component Parts

    Chapter 4: How to Use the Framework

    Section 1: Basic Review of Cybersecurity Practices

    Section 2: Establishing or Improving a Cybersecurity Program

    Step 1: Prioritize and Scope

    Step 2: Orient

    Step 3: Create a Current Profile

    Step 4: Conduct a Risk Assessment

    Step 5: Create a Target Profile

    Step 6: Determine, Analyze, and Prioritize Gaps

    Step 7: Implement Action Plan

    Section 3: Communicating Cybersecurity Requirements with Stakeholders

    Identifying Gaps

    Chapter 5: InduSoft Security Guide

    Section 1: New Projects and Security as a Design Consideration

    The following is an extract from the InduSoft Technical Note: Application Guidelines

    Section 2: Existing Projects

    Section 3: Cloud Based Applications

    The following is an extract from the InduSoft White Paper: Cloud Computing for SCADA

    Section 4: InduSoft Application Security

    The following is a transcript extract from the InduSoft Webinar:  SCADA System Security Webinar

    Section 5: InduSoft Security Discussion for Web Based Applications

    Extract 1 - From InduSoft White Paper: Security Issues with Distributed Web Applications

    Extract 2 - From the InduSoft Tech Note: IWS Security System for Web Based Applications

    Reprint - Control Engineering Magazine - August 2014: Cybersecurity for Smart Mobile Devices

    Section 6: InduSoft Recommendations for IT Security

    Transcript extract from the InduSoft Webinar: SCADA and HMI Security in InduSoft Web Studio

    Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Overview

    Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Operational

    Transcript extract from the InduSoft Webinar: SCADA Security Considerations: Management

    Appendix A: Framework Core

    Information regarding Informative References described in Appendix A may be found at the following locations:

    Appendix B: Cyber Security Evaluation Tool (CSET) Information

    Appendix C: References

    Recommended Publications for Purchase

    Further Reading and Links to Organizations

    Appendix D: Glossary

    Terms Used in this Publication

    Acronyms Used in this Publication

    Endnotes

    About the Authors and More Information

    Chapter 1: SCADA Cybersecurity Introduction and Review

    This chapter provides an introduction to Supervisory Control and Data Acquisition (SCADA), Distributed Control Systems (DCS), and Process Control Systems (PCS): what they are and how they are used. We then look at cybersecurity vulnerabilities in general and at those that are of higher concern for SCADA and PCS systems.

    Section 1: What is SCADA?

    Overview

    Most readers will already have an in-depth understanding of SCADA System concepts. This section will provide an introduction and review of SCADA systems for students who are using this book for coursework.

    SCADA is the acronym for Supervisory Control and Data Acquisition. DCS is the acronym for Distributed Control Systems. PCS is the acronym for Process Control System.


    History and Installed Base

    SCADA and PCS systems have been in use since the 1960s. They are used to centralize and optimize operations in various process and control industries, including Oil and Gas, Water and Waste Water, Electrical, Utilities, Transportation (pipelines and rail), Nuclear, and Manufacturing, to name a few, as depicted in Figure 1.1 below. They were justified by reduced labor costs and reduced cycle times for delivering and/or manufacturing products.

    Figure 1.1: SCADA is used for many varied types of processes and industries and for widely diverse purposes[1]

    The Supervisory Control System configuration and environment consists of Supervisory and Control Computers for the Operator/Dispatcher Human Machine Interface (HMI) console, Data Acquisition Server, Application Server, Master Database Server, Engineering Workstations, and Firewall in the central control room. The Remote Field Controller units are made up of Remote Terminal Units (RTU), Programmable Logic Control (PLC), and Distributed Control Systems (DCS). A typical SCADA system may look similar to the layout in Figure 1.2.

    Figure 1.2: Typical SCADA Configuration[2]


    How SCADA Systems Work

    A SCADA system performs four functions:

    1) Data acquisition

    2) Networked data communication

    3) Data presentation

    4) Control

    These functions are performed by four kinds of SCADA components:

    1) Sensors and Control Relays that directly interface with the managed system. They can be either digital or analog in design.

    2) Remote Telemetry Units (RTUs)/Programmable Control Units (PLCs): These are small computerized units deployed in the field at specific sites and locations. RTUs and PLCs serve as local collection points for gathering reports from sensors and delivering commands to control relays. Legacy RTUs can also be relay driven.

    3) SCADA Master Units: These are larger computer based consoles that serve as the central processor for the SCADA system. Legacy systems were minicomputers and usually OEM products.

    a. Master Units provide a human interface to the system and regulate the managed system in response to sensor inputs.

    4) The Communications Network connects the control SCADA master unit to the RTUs in the field.

    Example: A Simple SCADA System

    The simplest SCADA system example would be a single circuit that notifies the operator of one event. Let's use an automated lube mixing manufacturing machine that produces motor oils:

    · Every time the machine finishes a bottle of oil, it activates a switch.

    · The switch turns on a light on a control panel, which tells the operator that a bottle of oil has been completed.

    In a real SCADA system much more processing would be done than in this simple example; however, the principle is the same. A complete SCADA system monitors much more equipment and many more processes across a larger geographical area.


    A More In-Depth Look at a SCADA System

    Systems that need to be monitored are much more complex than the example above. Within a real world application, a SCADA system can monitor thousands of device sensors and tags. Some device sensors measure inputs into the system (for example, oil flowing into a tank), and some sensors measure outputs (like valve pressure as oil is pumped from a tank). Some of those sensors measure simple events that can be detected by a straightforward on/off switch, called a discrete input or a digital input. For example, in a pipeline, the switch that turns on the valve open light would be a discrete input. Discrete inputs are used to measure simple states, like whether equipment is on or off, or event triggered alarms, like a power failure at a critical facility.

    Some device sensors measure more complex events and/or situations where exact measurement is important. These are analog device sensors, which can detect continuous changes in a flow, wind, voltage, or current input. Analog sensors are used to track fluid levels in tanks, wind speed for wind turbines, voltage levels in batteries, temperature, and other factors that can be measured in a continuous range of input. For most analog factors, there is a normal range defined by a high and a low level. For example, you may want an oil tank level to stay within a high and low fill level, e.g., High Level: 60 feet and Low Level: 10 feet. If the level goes above or below this range, it will trigger a threshold alarm. In more advanced systems, there are four threshold alarms for analog sensors, defining Emergency Low, Normal Low, Normal High, and Emergency High alarms.
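The four-threshold scheme described above, as an added example that is not part of the original book: a tank-level classifier that also flags unusable readings instead of reporting them as normal. The 10 ft and 60 ft limits come from the text; the emergency limits, the sensor span, and all names are assumptions made for illustration.

```python
import math
from enum import Enum

class Alarm(Enum):
    BAD_QUALITY = "bad quality"
    EMERGENCY_LOW = "emergency low"
    NORMAL_LOW = "normal low"
    NORMAL = "normal"
    NORMAL_HIGH = "normal high"
    EMERGENCY_HIGH = "emergency high"

# Normal range from the text: Low Level 10 ft, High Level 60 ft.
# Emergency limits and the sensor span are assumed values.
LIMITS = {"emerg_low": 5.0, "low": 10.0, "high": 60.0, "emerg_high": 65.0}
SENSOR_SPAN = (0.0, 70.0)

def classify(level_ft, limits=LIMITS, span=SENSOR_SPAN):
    """Map one analog tank-level reading (feet) to an alarm state."""
    # NaN compares False against every limit, so without this check a
    # failed sensor would fall through every test and read as NORMAL.
    if isinstance(level_ft, bool) or not isinstance(level_ft, (int, float)):
        return Alarm.BAD_QUALITY
    if math.isnan(level_ft) or not span[0] <= level_ft <= span[1]:
        return Alarm.BAD_QUALITY
    if level_ft < limits["emerg_low"]:
        return Alarm.EMERGENCY_LOW
    if level_ft < limits["low"]:
        return Alarm.NORMAL_LOW
    if level_ft > limits["emerg_high"]:
        return Alarm.EMERGENCY_HIGH
    if level_ft > limits["high"]:
        return Alarm.NORMAL_HIGH
    return Alarm.NORMAL

def alarm_events(readings):
    """Return (index, state) only when the state changes, like an alarm list."""
    events, previous = [], Alarm.NORMAL
    for i, value in enumerate(readings):
        state = classify(value)
        if state is not previous:
            events.append((i, state))
            previous = state
    return events

# Constructed sample: one poll per entry, including a NaN and an
# out-of-span value such as a failed transmitter might report.
SAMPLE = [35.0, 58.2, 61.5, 66.0, 59.0, float("nan"), 9.4, 3.0, -999.0, 20.0]

if __name__ == "__main__":
    for index, state in alarm_events(SAMPLE):
        print(f"poll {index}: {SAMPLE[index]!r} ft -> {state.value}")
```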

    In the example of the lube plant, the network is just the communication wire leading from the switch to the panel light. In a full SCADA system, you want to be able to monitor multiple systems from a central location, so you need a communications network to transport all the data collected from your device sensors. Legacy SCADA networks communicated over radio, modem or dedicated serial lines. Today the trend is to put SCADA data
