The NIST Framework – Protecting Your SCADA Infrastructure | Automation.com

By Edward Nugent –Business Development Director, PcVue Inc.

Executive Order 13636 addressed protecting the US critical infrastructure against cyber intrusions while directing the agencies responsible for the elements of the infrastructure to share information. The National Institute of Standards and Technology (NIST) has released the Cybersecurity Framework for systematically identifying the critical assets of the organization, identifying the threats to them and finally securing those assets. It is based on risk assessment techniques, including periodic reassessment, with the goal of identifying and neutralizing a threat before it materializes, while also providing recovery plans in the case of a successful attack.

The implementation of Cybersecurity under the NIST Framework is ultimately the responsibility of the SCADA Application owner and operator as it encompasses the entire system including the organization developing the SCADA application, the corporate networks and computers that it runs on and the control devices and instrumentation attached to it.  However, the implementation of security standards and the capabilities of the software to implement security processes are the responsibility of the SCADA provider.

NERC Reliability Standards
On November 9, 1965, North America experienced the largest blackout to that date, in which 30 million people lost power for up to 13 hours (North American Electric Reliability Corporation, 2013). This outage led to an increased understanding that the grid required common operating and protection standards as well as coordinated plans to restore power after an outage. As a result, on June 1, 1968, the National Electric Reliability Council (NERC) was established to coordinate voluntary operating standards. The name was later changed to North American Electric Reliability Corporation.

On August 14, 2003, less than two years after the attacks of 9/11, another blackout exceeded the 1965 event and left over 50 million people in the Northeast and Midwest without power. In response, NERC created the permanent Critical Infrastructure Advisory Committee in 2004 and the US Government signed the Energy Policy Act of 2005, which for the first time stated that compliance with Reliability Standards would be mandatory and enforceable. Soon after, NERC was approved as the electrical reliability organization of the United States and Canada with a mandate to develop, implement and enforce mandatory Reliability Standards for the Bulk-Power System.

Over the course of NERC’s history the technology used in Supervisory Control and Data Acquisition (SCADA) has been moving steadily to increase digital communications using Information Technology (IT) adapted to Operations Technology (OT).  This trend has been widespread across all industrial segments.  The adoption has had great benefit in reducing costs and improving reliability but it has also created new vulnerabilities to reliability through failure modes that include intentional disruption through cyber intrusions.

Critical Infrastructure Protection
In February 2013, with a growing awareness that cybersecurity is a critical defense against an attack which can potentially disrupt our power, water, communication and other critical systems, President Obama issued an Executive Order (EO) on Improving Critical Infrastructure Cybersecurity and a Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience. These policies reinforce the need for holistic thinking about security and risk management (Department of Homeland Security, 2013).

Executive Order 13636 directs the executive branch, which includes NERC, the Department of Homeland Security and the National Institute of Standards and Technology, to:
• Develop a technology-neutral voluntary cybersecurity framework
• Promote and incentivize the adoption of cybersecurity practices
• Increase the volume, timeliness and quality of cyber threat information sharing
• Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
• Explore the use of existing regulation to promote cybersecurity
Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:
• Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
• Understand the cascading consequences of infrastructure failures
• Evaluate and mature the public-private partnership
• Update the National Infrastructure Protection Plan
• Develop a comprehensive research and development plan.
While these directives are focused on the US critical infrastructure, there is clear benefit in applying the approach to other SCADA infrastructures.

NIST Framework
The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can also be used by organizations located outside the United States and can serve as a model for international cooperation on strengthening critical infrastructure cybersecurity (NIST, 2014).

Two important points must be recognized about the Framework. One is that it is not limited to technology: it is a holistic approach that includes the people, business processes and physical characteristics of the infrastructure to be protected. The other is that it is not a static assessment; it is a risk analysis technique which requires periodic reassessment.

What a threat assessment in 2014 reveals is that cybersecurity has many dimensions and attacks can be launched through a variety of vectors. For SCADA applications we must consider both corporate data centers and field operations. Data center threats include people (insider threats), malware targeting data stored on servers, BYOD (bring your own device) such as smart phones and tablets, malware phishing via email, and smishing, which is similar to phishing but targets SMS text messages. At the field level there is also the insider threat, along with malware targeted at the SCADA system and denial of service attacks that block the flow of operations information.

Malware is software installed on a target computer to gather sensitive information or modify the behavior of a program. In 2012 the most common attack vectors were application repackaging, malicious URLs, and phishing and smishing (Siegel, Josh; Motorola Solutions, 2014). However, the widely publicized Stuxnet malware was delivered using a memory stick connected to a computer on the network by an insider.

Unauthorized access is another threat mode to be considered. It may be achieved using one of the previous methods. Even when the threat of unauthorized access from outside the company has been addressed, there may still be a threat from insiders. This is particularly true when passwords are posted in plain sight or a logged-in system is left unattended. While these are forms of information leak, there are also threats from eavesdroppers who gain access by listening to authorized communication. Access may be gained by obtaining the login credentials of an authorized user or by gaining control of equipment without full system access.
In a modern SCADA there are often many devices residing on the control network. A threat to be considered is that of a rogue device cloning the credentials or certificates that allow it to connect to a private network.

When assessing the risk to SCADA data including historical information, it is helpful to separate data at rest from data in use or in transit.  Data at rest consists of stored records of value to an attacker while data in motion or data in use refers to the transmission of data and the threat that the attacker is able to fool either the sender or the data receiver into using misinformation as to who is requesting the action.  This is analogous to phishing a human, but is typically machine-to-machine communication that is targeted.
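
One way a receiver can tell a genuine request from a spoofed or tampered one, as an added example that is not from the article or any SCADA product: each command carries an HMAC-SHA256 tag over its fields, computed with a key only the legitimate sender and receiver hold, and a sequence number the receiver tracks so a captured message cannot be replayed. The message layout, the shared key and the sample commands are constructed for illustration.

```python
"""Authenticate machine-to-machine SCADA commands so the receiver can tell a
genuine request from a spoofed, tampered or replayed one.

Added example, not code from the article or from any SCADA vendor. The
message layout (sender id, sequence number, command text), the shared key
and the sample messages are all constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed pre-shared key. In a real deployment it comes from the
# platform's key management, never from source code.
SHARED_KEY = b"example-shared-key-not-for-production"


def _canonical(body: dict) -> bytes:
    # Canonical encoding so sender and receiver hash identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(key: bytes, sender: str, seq: int, command: str) -> dict:
    """Build a command message carrying an HMAC-SHA256 tag over its fields."""
    body = {"sender": sender, "seq": seq, "command": command}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class CommandReceiver:
    """Receiver side: rejects a bad tag or a repeated/out-of-order sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # highest sequence number accepted per sender

    def verify(self, msg: dict) -> tuple:
        body = {k: msg[k] for k in ("sender", "seq", "command")}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag through comparison timing.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag: tampered or not from a key holder"
        if body["seq"] <= self.last_seq.get(body["sender"], -1):
            return False, "replayed or out-of-order sequence number"
        self.last_seq[body["sender"]] = body["seq"]
        return True, "accepted"


def demo() -> dict:
    """Run the four cases and report which were accepted."""
    receiver = CommandReceiver(SHARED_KEY)
    genuine = sign_command(SHARED_KEY, "hmi-01", 1, "OPEN VALVE V-101")
    results = {"genuine": receiver.verify(genuine)[0]}
    # Tampered in transit: the command changes but the tag cannot be recomputed.
    tampered = dict(genuine, command="OPEN VALVE V-202")
    results["tampered"] = receiver.verify(tampered)[0]
    # Spoofed: a sender without the key forges the sender id and a tag.
    spoofed = sign_command(b"wrong-key", "hmi-01", 2, "OPEN VALVE V-202")
    results["spoofed"] = receiver.verify(spoofed)[0]
    # Replayed: the already-accepted genuine message is sent a second time.
    results["replayed"] = receiver.verify(genuine)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:9s} -> {'accepted' if accepted else 'rejected'}")
```

The tag covers the sender identity as well as the command, which is what closes the spoofing case the paragraph describes; the sequence number closes the replay case, which the tag alone does not. The shared secret still has to be distributed and rotated through the platform's AAA, which the example does not address.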

Table 1 Ten Most Common SCADA Vulnerabilities

| VULNERABILITY | IMPACT |
| --- | --- |
| Un-patched Published Vulnerabilities | Most Likely Access Vector |
| Web Human-machine Interface (HMI) Vulnerabilities | Supervisory Control Access |
| Use of Vulnerable Remote Display Protocols | Supervisory Control Access |
| Improper Access Control (Authorization) | Access to SCADA Functionality |
| Improper Authentication | Access to SCADA Applications |
| Buffer Overflows in SCADA Services | SCADA Host Access |
| SCADA Data and Command Message Manipulation and Injection | Supervisory Control Access |
| SQL Injection | Data Historian Access |
| Use of Standard IT Protocols with Clear-text Authentication | SCADA Credentials Gathering |
| Unprotected Transport of SCADA Application Credentials | SCADA Credentials Gathering |

(Source: Idaho National Laboratory[i])

[i] Idaho National Laboratory, Vulnerability Analysis of Energy Delivery Control Systems, 2011

Improving Your Critical Infrastructure Cybersecurity

In order to implement the Framework for your critical infrastructure, the first step is to identify your company's critical assets. This requires a cross-discipline effort to identify and classify the risk of your critical infrastructure assets, starting with the list above as a guideline.

The second step is to take a lifecycle view of the critical assets you have defined.  A prioritization of the assets is suggested based on the risk analysis performed.  With this in place a roadmap for securing the assets, possibly over a number of years, emerges to drive the security plan.

The third step is securing your assets. In addition to IT cybersecurity, it is important to consider physical access to critical assets. This must be done in the context of the operational need to access those systems; for example, video surveillance is a non-intrusive security step that does not affect operations' ability to do their job.

It is very important to educate employees on the threats and possible consequences of security lapses.  While insider threats are always a possibility, an educated vigilant workforce significantly improves the security of the operation.

One of the most disturbing statistics of the current state of affairs is that cyber intruders spend an estimated 243 days on a victim's network before being discovered. In 2013, it took over a month (32 days on average) to resolve a cyber-attack. One reason may be that the victims just weren't paying attention, as 63% were made aware of the breach of their system by an external organization telling them about it (Siegel, Josh; Motorola Solutions, 2014).

Given these statistics, an important aspect of securing your SCADA is to regularly monitor your security logs and consider investing in tools to highlight possible threats.  In the SCADA world we have long dealt with nuisance alarms, but have developed techniques to make sure that critical alarms are brought to the attention of the operator.  In your security monitoring it is important to bring this same discipline to bear.
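
Bringing alarm discipline to security monitoring, as an added example that is not from the article: a small analyzer over constructed HMI authentication log lines treats an isolated login failure as a nuisance event that is recorded but not alarmed, raises one critical alarm when a single source exceeds a failure threshold inside a time window (rather than one alarm per failure, which would flood the operator), and raises the alarm an operator must never miss, a successful login from a source that was just alarmed. The log format, the sample lines and the thresholds are assumptions made for the example.

```python
"""Apply SCADA alarm discipline to security logs: suppress nuisance events,
escalate the patterns that matter, and never flood the operator.

Added example, not from the article or any SCADA product. The log format
(timestamp, host, event, user=, src=), the sample lines and the thresholds
are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events from an HMI server log.
SAMPLE_LOG = """\
2014-06-02T08:00:05 hmi-01 AUTH_FAIL user=operator src=10.1.5.20
2014-06-02T08:00:09 hmi-01 AUTH_OK user=operator src=10.1.5.20
2014-06-02T08:01:00 hmi-01 AUTH_FAIL user=admin src=203.0.113.7
2014-06-02T08:01:01 hmi-01 AUTH_FAIL user=admin src=203.0.113.7
2014-06-02T08:01:02 hmi-01 AUTH_FAIL user=root src=203.0.113.7
2014-06-02T08:01:03 hmi-01 AUTH_FAIL user=scada src=203.0.113.7
2014-06-02T08:01:04 hmi-01 AUTH_FAIL user=pcvue src=203.0.113.7
2014-06-02T08:01:30 hmi-01 AUTH_OK user=scada src=203.0.113.7
2014-06-02T09:15:00 hmi-02 AUTH_FAIL user=engineer src=10.1.5.31
"""

FAIL_THRESHOLD = 5          # failures from one source inside WINDOW raise an alarm
WINDOW = timedelta(minutes=2)


def parse(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, host, event, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def analyze(log_text: str) -> tuple:
    """Return (critical_alarms, suppressed_count) for the given log text."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    fails = defaultdict(list)   # src -> timestamps of failures inside WINDOW
    alarmed = set()             # sources already alarmed: one alarm, not a flood
    alarms, suppressed = [], 0
    for e in events:
        if e["event"] == "AUTH_FAIL":
            recent = [t for t in fails[e["src"]] if e["ts"] - t <= WINDOW]
            recent.append(e["ts"])
            fails[e["src"]] = recent
            if len(recent) >= FAIL_THRESHOLD and e["src"] not in alarmed:
                alarmed.add(e["src"])
                alarms.append(("BRUTE_FORCE", e["src"], e["host"]))
            else:
                # Isolated failure, or more of an already-alarmed burst:
                # logged for forensics, not shown to the operator as an alarm.
                suppressed += 1
        elif e["event"] == "AUTH_OK" and e["src"] in alarmed:
            # A success right after a burst of failures is the one the
            # operator must see: a possible account compromise.
            alarms.append(("SUCCESS_AFTER_BRUTE_FORCE", e["src"], e["user"]))
    return alarms, suppressed


if __name__ == "__main__":
    crit, quiet = analyze(SAMPLE_LOG)
    for a in crit:
        print("CRITICAL", *a)
    print(f"{quiet} nuisance events suppressed")
```

The two knobs, `FAIL_THRESHOLD` and `WINDOW`, play the role of the deadband and delay used to tame nuisance process alarms; the `alarmed` set is the equivalent of shelving a repeating alarm after it has been annunciated once.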

SCADA Cybersecurity Partnership
SCADA Platforms provide several tools for implementing the SCADA cybersecurity framework.  These include configuration management tools so that changes to SCADA configuration are auditable, the ability to provide secure access to the software with centralized Authentication, Authorization and Accounting (AAA), the monitoring of CERT vulnerabilities and creation of security updates to address vulnerabilities.  In addition, the SCADA provider must ensure that the application is capable of running in a secure environment.

Table 2 Solutions to Common Vulnerabilities

| VULNERABILITY | Solution (SCADA Operator + Provider) |
| --- | --- |
| Un-patched Published Vulnerabilities | Lifecycle planning, Security Updates |
| Web Human-machine Interface (HMI) Vulnerabilities | Centralized AAA with integrated SCADA Login including user profile supported |
| Use of Vulnerable Remote Display Protocols | Allow use of SSH and VPN by SCADA operator |
| Improper Access Control (Authorization) | Whitelisting, Centralized AAA |
| Improper Authentication | Centralized AAA |
| Buffer Overflows in SCADA Services | Use of secure programming techniques |
| SCADA Data and Command Message Manipulation and Injection | Application AAA, VPN |
| SQL Injection | Read-only access, Secure SQL programming techniques |
| Use of Standard IT Protocols with Clear-text Authentication | Allow use of SSH and VPN by SCADA operator |
| Unprotected Transport of SCADA Application Credentials | Link Encryption, VPN |
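
The SQL Injection row pairs read-only access with secure SQL programming. The following added example, which is not code from the article, PcVue or Idaho National Laboratory, shows both on a stand-in historian: a query that pastes an HMI-supplied tag name into the SQL text sits beside the parameterized form, and the parameterized form runs over a read-only connection so that even a successful injection could not alter stored history. The schema, tag names and sample rows are constructed, and sqlite3 stands in for the historian database.

```python
"""Historian query: SQL injection through string formatting, beside the
fixed form (bound parameters on a read-only connection).

Added example, not from the article or any SCADA product. The schema (one
'samples' table), the tag names and the rows are constructed; sqlite3 is
used in place of a real historian database.
"""
import os
import sqlite3
import tempfile

DB_PATH = os.path.join(tempfile.mkdtemp(), "historian.db")


def build_historian(path: str = DB_PATH) -> None:
    """Create a small constructed historian holding two tags' samples."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE IF NOT EXISTS samples (tag TEXT, ts TEXT, value REAL)")
    con.execute("DELETE FROM samples")
    con.executemany("INSERT INTO samples VALUES (?, ?, ?)", [
        ("FT-101", "2014-06-02T08:00:00", 12.5),
        ("FT-101", "2014-06-02T08:01:00", 12.7),
        ("PT-205", "2014-06-02T08:00:00", 101.3),
    ])
    con.commit()
    con.close()


def query_vulnerable(tag: str, path: str = DB_PATH) -> list:
    """'Before' form: the tag name from the HMI becomes part of the SQL text,
    so a crafted tag name changes the query instead of just the filter."""
    con = sqlite3.connect(path)
    sql = f"SELECT tag, ts, value FROM samples WHERE tag = '{tag}'"
    rows = con.execute(sql).fetchall()
    con.close()
    return rows


def open_readonly(path: str = DB_PATH) -> sqlite3.Connection:
    """Historian viewers only read; open the file read-only so no query
    issued through this connection can modify or delete history."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def query_safe(tag: str, path: str = DB_PATH) -> list:
    """Fixed form: the tag travels as a bound parameter, never as SQL text."""
    con = open_readonly(path)
    rows = con.execute(
        "SELECT tag, ts, value FROM samples WHERE tag = ?", (tag,)).fetchall()
    con.close()
    return rows


def readonly_blocks_writes(path: str = DB_PATH) -> bool:
    """Return True if a write through the read-only connection is refused."""
    con = open_readonly(path)
    try:
        con.execute("DELETE FROM samples")
        con.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


if __name__ == "__main__":
    build_historian()
    crafted = "FT-101' OR '1'='1"   # constructed hostile tag name
    print("vulnerable:", len(query_vulnerable(crafted)), "rows (every tag leaked)")
    print("parameterized:", len(query_safe(crafted)), "rows (no such tag)")
    print("read-only blocks writes:", readonly_blocks_writes())
```

Binding the parameter is the fix; the read-only connection is defence in depth for the case the table describes, where the historian is only ever read by the HMI, so that a query the application did not intend can at most disclose data it could already read.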

At PcVue we work with our system integrators and end users in partnership to ensure that cybersecurity concerns are addressed so that the operator is able to achieve a secure SCADA solution.  The NIST Framework provides a way in which this partnership is more effective and cybersecurity prioritization is rationalized to meet the needs of the operator.

About the Author
Edward Nugent has 24 years' experience with SCADA development and implementation and is currently the Business Development Director for PcVue Inc., a global independent SCADA/HMI provider in Woburn, MA. His career has spanned education, engineering and management, leveraging a passion for capturing and communicating the business value of measurement and control technology. He has a Bachelor of Science in Engineering Mechanics from the University of Wisconsin and a Master of Business Administration from the University of Puget Sound. He is past President of the International Society of Automation's Aloha Section and a member of the Western States Petroleum Association. Nugent is an author and editor for the University of Hawaii's Pacific Center for Advanced Technology Training SMART Grid Curriculum Development project, an American Recovery and Reinvestment Act program of the U.S. Department of Energy. He is an Industry Advisor and Instructor for the Process Technology (PTEC) Program within the University of Hawaii OCEWD program and was an Associate Professor of Operations Research at the University of Puget Sound.
