ERE Information Security Auditors

Posts Tagged ‘SCADA’

Can you Sell these NERC CIP Mitigation Steps to Executive Management?

Tuesday, November 9th, 2010

Last week I described real-life SCADA vulnerabilities. My intent was to help IT security people open a dialogue with their executive management about security budgets. This week I continue by identifying mitigation steps for those vulnerabilities.

I know that you already know these steps. But sometimes it’s helpful in discussions with management when you, the internal IT security team, quote recommendations by a third party, impartial security “expert”. So here goes.
CIP 002-1 Critical Cyber Asset Identification
Create a central list of critical SCADA IT assets, including hardware, software and services. The list should include both physical and logical SCADA network diagrams and an emergency contact list. Keep it regularly updated and centrally available to everyone with a need to know. It can be maintained in-house in a format as simple as a spreadsheet or a documentation software package, or outsourced to a documentation storage provider. Without it, the recovery plans required under CIP 009-1 have nothing to enumerate.

CIP 003-1 Security Management Controls and CIP 007-1 Systems Security Management
As with the asset documentation above, create a set of high-level policies that must be signed off by an executive committee. No sign-off, no teeth. The document can be very short and in point form, with the goal of creating action items that implement the policy.
Then write a set of IT security procedures, starting with access and authentication controls, perhaps beginning with third-party access to the corporate network, then expanding to IT security operations, and then to end users. Since access and authentication controls consist of both technology and people processes, both belong in the policy implementation budget.
In my opinion, for small and medium-sized organizations, policy and procedure documents should be kept in spreadsheets that include forms for documenting important events.
Create a process for IT security to report progress to the executive committee, and for the executive committee to update security policy in line with changing business priorities. And voilà, you have created an IT security governance dialogue.
CIP 004-1 Personnel and Training
Make enforcement of the policy and procedures for all applicable groups an explicit requirement. Then include compliance testing, training and IT security awareness as part of the implementation.

CIP 005-1 Electronic Security Perimeter(s)
Here’s your chance to write into the IT security operations procedures all the things you want to do but may not have the time or cycles (translation: budget) for:
  • ongoing, regular, self-initiated internal and external vulnerability assessments;
  • a structured patch / revision process that tests updates before deployment and afterwards verifies that every intended update was actually applied;
  • a robust log retention and recovery process;
  • correlation of vulnerability assessment results with current patch / revision levels;
  • in-house or third-party evaluation of firewall rules for inconsistencies (for example, shadowed or redundant rules);
  • hardening reviews of the SCADA network architecture;
  • both network and host IDS, with provision for ongoing tuning to remove false positives;
  • ongoing review of event logs;
  • regular or ongoing correlation of event logs with firewall rules, IDS rules, vulnerability assessments and anti-virus / anti-spam filters.

CIP 006-1 Physical Security of Critical Cyber Assets
Again, here’s your chance to itemize the budget for IT physical security: secured junction boxes in the field; physical security alarms on junction boxes and remote stations (attended and unattended) in the field and on doors at the SCADA operations perimeter; and a visitor accompaniment or challenge policy.

CIP 008-1 Incident Reporting and Response Planning and CIP 009-1 Recovery Plans for Critical Cyber Assets
Here’s an opportunity to nudge an IT security governance process into existence while building IT security working relationships with other departments. Request budgets for an IT security incident identification, reporting and response plan, and for creating a DRP and BCP or testing outdated ones.

We Can Not Afford All This! Or Can We?
I think you can, even with a limited budget.

The key is to write the documentation with an emphasis on ease of implementation. Keep the initial documentation short and simple, in a format that is easy to update, and keep it updated.
Once you have proved the initial policy, process, and other documentation to be successful in terms of meeting objectives, then you can look for budget to expand scope. I have seen this approach work successfully many times.
As for technology implementation budgets, I’ve had the best success with a multi-year plan broken into smaller annual budgets. As long as you can show that each year’s goals were met, your chances of getting the next year’s budget improve. Nothing succeeds like success.
Have a secure week. Ron Lepofsky CISSP, CISM www.ere-security.ca

Do You Know about These Real-Life NERC CIP SCADA Vulnerabilities?

Tuesday, November 2nd, 2010

Most security operations people I’ve spoken with at electrical utilities have a good handle on the security vulnerabilities within their own SCADA environments. Their problem is convincing their management to sufficiently fund remediation.

So here are just a few SCADA security-related problems we’ve uncovered over the years, which may be of interest to those in control of the purse strings. I’ll list them in the order of the NERC CIP standards.

CIP 002-1 Critical Cyber Asset Identification
No central list of critical SCADA-related software; no up-to-date SCADA network diagram or configuration lists for SCADA servers.

CIP 003-1 Security Management Controls and CIP 007-1 Systems Security Management

Few or no clearly written policies for SCADA IT operations, corporate IT operations, or end-user acceptable use. No structured, regular communication between SCADA IT and an executive committee; I’ve never seen a good IT security governance process in place. No access-privilege lifecycle process for network access by previous employees, consultants, contractors, vendors, or visitors.

CIP 004-1 Personnel and Training
No budget for IT security training for either SCADA operations or end users. No security awareness program, or budget for one. No reward system for employees who report suspicious or anomalous activity that might negatively affect security.

CIP 005-1 Electronic Security Perimeter(s)
  • Direct, unrestricted Internet access from network nodes inside junction boxes in the field.
  • No ongoing, regular, self-initiated internal or external vulnerability assessments.
  • No logical or physical network diagram of the key elements or segments of the network.
  • No structured process for implementing patches / revisions: no testing of updates before deployment, no testing to confirm that all intended updates were applied, insufficient logs of updates, and no process for rolling back to a previous stable state.
  • No correlation of vulnerability assessments with current patch / revision levels.
  • No recent evaluation of firewall rules for inconsistencies, and SCADA network segments relying on the corporate firewall for SCADA security.
  • No IDS, or an improperly tuned IDS.
  • No ongoing review of event logs, and no correlation of event logs with firewall rules / IDS rules / vulnerability assessments / anti-virus or anti-spam filters.
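Two items in this list, and their counterparts in the CIP 005-1 mitigation list in the post above (evaluating firewall rules for inconsistencies, and catching field subnets with direct Internet access), can be checked mechanically rather than by eyeballing a rule base. The following Python script is an added example written for this page, not code from the post or from ERE. It assumes a simplified, ordered, first-match-wins allow/deny rule list with IPv4 CIDRs; the field subnet, internal ranges and rule base in it are constructed for illustration and are not taken from any audited site.

```python
"""Mechanical review of a SCADA perimeter firewall rule base.

Added example for this page; not code from the post. Assumptions (none of
which come from the original text): rules form an ordered, first-match-wins
allow/deny list; addresses are IPv4 CIDRs; the field (junction-box) and
internal subnets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "allow" or "deny"
    src: str              # IPv4 CIDR
    dst: str              # IPv4 CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def rule_inconsistencies(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Under first-match-wins, a rule fully covered by an earlier rule never fires.

    Returns (later_rule, earlier_rule, kind): 'shadowed' when the actions differ
    (the later rule is dead, which is rarely what its author intended) and
    'redundant' when they are the same (clutter that hides real intent).
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, earlier.name, kind))
                break  # report the first rule that kills this one
    return findings


def field_internet_egress(rules: List[Rule], field_nets: List[str],
                          internal_nets: List[str]) -> List[str]:
    """Names of live allow rules that let a field subnet reach non-internal space.

    A rule is skipped only when it is fully shadowed; an earlier deny that
    removes just part of the allow leaves the rest live, so it is still reported.
    """
    dead = {name for name, _, kind in rule_inconsistencies(rules) if kind == "shadowed"}
    internal = [_net(n) for n in internal_nets]
    fields = [_net(n) for n in field_nets]
    flagged = []
    for r in rules:
        if r.action != "allow" or r.name in dead:
            continue
        dst = _net(r.dst)
        if any(dst.subnet_of(n) for n in internal):
            continue  # destination stays inside the organisation
        if any(f.overlaps(_net(r.src)) for f in fields):
            flagged.append(r.name)
    return flagged


# Constructed sample data: one field subnet, RFC 1918 space as "internal",
# and a small rule base seeded with the problems the post describes.
FIELD_NETS = ["10.50.0.0/16"]
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
SAMPLE_RULES = [
    Rule("rtu-to-scada-dnp3", "allow", "10.50.0.0/16", "10.10.0.0/24", "tcp", 20000),
    Rule("field-vendor-out", "allow", "10.50.0.0/16", "0.0.0.0/0", "tcp", 443),  # direct Internet egress
    Rule("corp-to-historian", "allow", "192.168.0.0/16", "10.10.0.5/32", "tcp", 1433),
    Rule("corp-site-historian", "allow", "192.168.20.0/24", "10.10.0.5/32", "tcp", 1433),  # redundant
    Rule("deny-field-default", "deny", "10.50.0.0/16", "0.0.0.0/0", "any", None),
    Rule("field-http-out", "allow", "10.50.3.0/24", "0.0.0.0/0", "tcp", 80),  # dead: shadowed by the deny
]

if __name__ == "__main__":
    for later, earlier, kind in rule_inconsistencies(SAMPLE_RULES):
        print(f"{kind}: {later} never fires because of {earlier}")
    for name in field_internet_egress(SAMPLE_RULES, FIELD_NETS, INTERNAL_NETS):
        print(f"field subnet has direct Internet access via rule {name}")
```

On the sample rule base the script reports corp-site-historian as redundant, field-http-out as shadowed by deny-field-default, and field-vendor-out as a live rule giving the junction-box subnet direct Internet access. Real firewalls add dimensions this model leaves out (interfaces, zones, port ranges, stateful direction, NAT), so the work of feeding it is translating a vendor configuration export into the Rule tuples; the first-match-wins coverage test itself does not change.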

CIP 006-1 Physical Security of Critical Cyber Assets
Unsecured junction boxes in the field; no physical security alarms on junction boxes or remote stations (attended and unattended) in the field; unsecured doors at the SCADA operations perimeter. No visitor accompaniment or challenge policy.

CIP 008-1 Incident Reporting and Response Planning and CIP 009-1 Recovery Plans for Critical Cyber Assets

No incident reporting plan, documentation of any sort, or training; no definition of what an incident looks like. Untested or outdated DRP; no BCP. Ad-hoc recovery plan based on knowledge stored in the heads of IT staff; it is difficult to have a recovery plan for critical assets when there is no list of critical assets. No updated, centrally stored list of emergency contacts for employees, vendors, contractors and emergency services; no emergency escalation plan.

So Who’s to Blame?

In my opinion we certainly can NOT blame the IT folks. They know about the security problems. We especially cannot blame SCADA IT security groups at LDCs (local distribution companies), as NERC CIP does not mandate LDC compliance.

So the blame and responsibility must rest with the senior executives who have governance responsibility for security and who need to create the appropriate IT security budgets to allow their SCADA IT security staff to do their jobs.

Have a secure week. Ron Lepofsky CISSP, CISM www.ere-security.ca

Why is NERC CIP Scope Insufficient?

Tuesday, October 19th, 2010

 

Last week I asked if electrical utilities’ IT security is de facto guaranteed by compliance with the NERC CIP standard. 

With no disrespect whatsoever intended towards NERC or their CIP standard, I continue my well-intended questioning, especially after an esteemed colleague phoned me to discuss my article. So here goes.

The scope of NERC CIP does not include local distribution companies (LDCs), which bring electricity (or, in the natural gas industry, gas) “the last mile” to the customer. NERC CIP does mandate compliance for electrical transmission and generation utilities. Yet LDCs, along with transmission and generation utilities, are all capable of causing cascading network failures.

Without overdramatizing the situation, a single node failure in any system can cause successive failures to ripple through the other networks to which it is connected. This applies equally to many kinds of networks, including electrical, telecommunications and, of course, the Internet.

This concept is described in detail, with accompanying graphic illustrations, in the article “Model for Cascading Failures in Complex Networks”.

The key point here is that even a small electrical distribution network can cause a major blackout by ripple effect. 

To keep on point, the role of control software in electrical networks is crucial to their stability. The MIT article “The 3 R’s of Critical Energy Networks: Reliability, Robustness and Resiliency” addresses how and why both SCADA and control software play a pivotal role in network stability. Since LDCs can be instigators of cascading network failures, I suggest that NERC CIP should apply equally to all LDCs.

Credit Due to Evolving NERC CIP Standards

I am impressed with three new NERC CIP standards: 

  • CIP 001-1 Sabotage Reporting was adopted by NERC in 2009. This standard adds the proactive elements of identifying and reporting anomalous or suspicious events and activity, and adds real-time response to the existing standard 008-1 Incident Reporting and Response Planning. This is critically important for stopping malicious activity before it causes damage and downtime.
  • CIP 010-1 Cyber System Categorization is pending. It is important for those responsible for SCADA security who have difficulty cost-justifying security budgets to senior executives. I believe this standard helps the person building the business case to widen its scope accordingly.
  • CIP 011-1 Cyber System Protection is pending. This standard is an excellent drill-down into the existing 005-1 Electronic Security Perimeter and 006-1 Physical Security of Critical Cyber Assets, again valuable as a tool for those building cost-justification cases. It helps define the appropriate scope for proposed security budgets.

While these standards are excellent additions to NERC CIP they still do not mandate compliance for LDCs.

Have a secure week.   Ron Lepofsky CISSP   http://www.ere-security.ca/

Securing the Smart Grid

Wednesday, April 21st, 2010


Am I reading an oxymoron in this title?  Or what!

In a recent article in CNET News, Elinor Mills investigates the new security vulnerabilities that adding smart metering to our legacy North American electricity distribution architecture might introduce.

First of all, North America has not fully implemented a smart electricity architecture or “grid”. A smart grid would not have allowed the type of cascading meltdown that occurred in August 2003, and as far as I know the grid has not been modified enough to be considered ubiquitously smart. Does anyone have a different perspective on the status of the grid upgrade? For a look at this article please go to http://www.ere-security.ca/index.php , RSS feed, April 9, 2010.

Adding smart meters with IP addresses does not, in my humble opinion, compromise the security of the rest of the smart grid. It would be more of an issue if many key devices on the grid had IP addresses and were managed accordingly. But again, a smart IP grid is not there yet.

The CNET article goes on to explore the possibility of smart meters being compromised and the countermeasures being implemented by various vendors. I’ve even read some articles raising concerns that smart meters could be an entry point for hacking into a household’s network. This sounds like dark magic to me, especially if the smart meter is in no way connected to the household’s network. The bottom line, I believe, is that smart meters in and of themselves do not present a security threat or a vulnerability to the grid.

However…….

Opening the control technology used by electrical distribution networks to a wider network certainly does pose a plethora of threats to the control technology and, therefore,  to the entire control network.

The electrical distribution industry has standardized on SCADA control technology, and SCADA networks are sacrosanct. They control and monitor actual electrical equipment, and errors can result in death, damage to equipment and power outages. So opening a SCADA control network to encompass smart meters dramatically expands the number of access points. For more information please see http://www.ere-security.ca/SCADA_CIP.html

The problem then becomes securing the vastly greater scope of network against all the usual security suspects.  The utility industry relies on a security standard called NERC CIP  http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html

In our experience as security and NERC CIP compliance auditors, we’ve seen nightmare scenarios regarding unauthorized access vulnerabilities just on SCADA networks. I don’t want to give anybody any ideas, so I’m not going to be any more specific here. But you get the idea. If it is difficult as it is to keep SCADA networks secure, imagine expanding the scope of access to the network by hundreds of thousands of locations.

My idea is that a smart grid is one with superbly controlled access and authentication.  Access and authentication controls of course are composed of: logical controls, physical security, and people behavior.  So some smart meters are the least of the worries for ensuring the availability and dependability of a smart grid.

Have a secure week.

Regards, Ron Lepofsky, CISSP

President,

ERE Information Security and Compliance Auditors

www.ere-security.ca


Copyright © 2007-2008. All rights reserved.