
1 SCADA Security: The Wireless Factor
   William (Bill) Brown, Metric Systems Corporation
   Ph: 760.560.0348 x 211, bbrown@metricsystems.com

2 SCADA Security … the Wireless Factor
   As far as we know, no one has ever deliberately hacked into the U.S. electrical grid and pulled the plug on millions, even thousands, of people. Just as on September 11, 2001, no one had ever deliberately crashed a jet airliner into a skyscraper.

3 Agenda
   - Why another wireless security presentation?
   - Terrorist threats: domestic, foreign, internal
   - One scenario

4 Focus Today
   - Internal networks: LAN, WAN, wireless, microwave
   - Third-party embedded threats: operating systems; application software, including mobile 2G and 3G wireless networking; industrial automation devices; networking equipment (wired, wireless, fiber); telecommunication carriers
   - Recovery concepts: maintaining business continuity
   - Developing a concept of, and a practical foundation for, mitigating corporate security threats that attempt to use internal or external wireless assets as an ingress point

5 Terrorist Game Plan
   - Mission: transient denial of electrical service
   - Strategy: electromagnetic deception
   - Tactics: using open-source material, physical surveillance and off-the-shelf equipment and components to interrupt or spoof SCADA information. Why? So that SCADA control believes short, non-periodic communication outages are normal.
   - Leverage this conditioning as a ruse for delayed detection of a physical attack, or to inflict low-level random maintenance-alarm attacks.

6 Basic SCADA Operational System Model
   [Diagram: a layered model of the SCADA system: hardware platform, operating system, SCADA software application, local gateways and networks, enterprise gateways, communication media (public, private or a mix), human interface, remote gateway, remote plant, distribution network, and the SCADA device population / equipment under control or monitoring. SCADA strategies and points of vulnerability are marked against these layers.]

7 The Plan
   - Locate SCADA sites
   - Determine band / specific frequencies
   - Interject noise (any unwanted signal)
   - Listen for master station response (if any)
   - Is there a maintenance response?
   - Set up a random plan of interdiction
   - Execute the conditioning plan
   - When appropriate, execute the core objective

8 Private Wireless Entry Points
   - Private, customer-owned
   - Leased
   - Microwave
   - Licensed MAS/UHF/VHF
   - Unlicensed
   - Mixed

9 Public Wireless Entry Points
   - Public cellular
   - Satellite
   - Telco
   - Internet
   - Unknown
   - Dial-up / nailed-up
   - Frame relay
   - Dial-up data networking (VPN)

10 Tools of the Trade
   Jamming sources, private:
   - Narrowband sources (VHF, UHF, MAS)
   - Modulated tunable frequency sources, 100 MHz to 6 GHz: $1k
   - SCADA radios
   - Wideband sources (902-928 MHz, 2400-2483 MHz, 5.8 GHz)
   - Modulated wideband noise sources
   - Single-frequency noise generators
   Jamming sources, public:
   - CDMA and GSM test equipment
   - Low-cost, low-power jammers
   Discovery (location of remote SCADA sites):
   - FCC web site database
   - Reconnaissance

11 Narrowband Denial Tactics
   [Diagram: signal level versus frequency, showing the average noise floor, the normal signal, a barrage noise jammer and a spot jammer, the capture range (+/- 3 dB) and the minimum discernible signal level for a detectable packet (includes error detection and correction).]

12 Wideband Denial Tactics: Frequency Hopper
   [Diagram: signal level versus frequency, showing the average noise floor per frequency bin, the hop signals, a barrage noise jammer and a spot jammer, the capture range (+/- 3 dB) and the minimum discernible signal level for a detectable packet (includes error detection and correction).]

13 Wideband Denial Tactics: Direct Sequence
   [Diagram: signal level versus frequency, showing the direct sequence signal, a barrage noise jammer and a spot jammer, and the minimum discernible signal level for a detectable packet (includes error detection and correction).]
   Jamming-to-signal improvement margin, 10 to 15 dB: 10 log(Occupied Bandwidth / Modulating Bandwidth), e.g. 10 log(10 MHz / 1 MHz) = 10 dB

14 Wireless Denial of Service Attack Geometry
   [Diagram: Node 1 and Node 2, Jammer 1 and Jammer 2, with distances of 1 mile, 0.1 mile and 0.5 mile between them; received-level paths L11, L12, L21 and L22.]
   System example configuration:
   - Tx power: 30 dBm (1 Watt)
   - Rx sensitivity: -104 dBm
   - Antenna gain: 6 dBi
   - Antenna feed loss: 6 dB

15 Making a Wireless Choice: UHF Narrowband Scenario, Denial of Service Attack
   [Diagram: the same geometry (Node 1, Node 2, Jammer 1, Jammer 2; 1 mile, 0.1 mile, 0.5 mile), with an FM capture region of 0.5 to 0.6 miles around Node 1.]
   Received levels: L11 = -33.4 dBm, L12 = -52.5 dBm, L22 = -47.4 dBm, L21 = -47.4 dBm; Rx Sig = -53.4 dBm
   Node 1:
   - Rx Signal = -53.4 dBm
   - Rx Jammer 1 = -33.4 dBm
   - Rx Jammer 2 = -47.4 dBm
   - Rx Jammer 1 - Rx Signal = 20 dB
   - Rx Jammer 2 - Rx Signal = 6 dB

16 Making a Wireless Choice: 2.4 GHz ISM Wide-Band Scenario, Denial of Service Attack
   [Diagram: the same geometry (Node 1, Node 2, Jammer 1, Jammer 2; 1 mile, 0.1 mile, 0.5 mile), with an FM capture region of 0.5 to 0.6 miles around Node 1.]
   Received levels: L11 = -48.1 dBm, L12 = -67.1 dBm, L22 = -47.4 dBm, L21 = -62.1 dBm; Rx Sig = -68 dBm
   Node 1:
   - Rx Signal = -68 dBm
   - Rx Jammer 1 = -48.1 dBm
   - Rx Jammer 2 = -62.1 dBm
   - Rx Jammer 1 - Rx Signal = 20 dB
   - Rx Jammer 2 - Rx Signal = 6 dB
   Jamming-to-signal improvement = 10 log(# of hopping channels)
   - 100 hopping channels: 20 dB jamming-to-signal improvement margin
   - 50 hopping channels: 17 dB jamming-to-signal improvement margin
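The margin arithmetic on slides 13 through 16 (a free-space link budget, FM capture, and the 10 log(N) and 10 log(bandwidth ratio) improvement figures) can be turned into a small calculator that a utility can run when choosing between a narrowband and a spread-spectrum link for a site. The Python below is an added example written for this page, not code from the presentation or from Metric Systems. Its sample inputs are the slides' own figures (30 dBm, 6 dBi antennas, 6 dB feed loss, -104 dBm sensitivity, 1 mile at 2.4 GHz, jammer-to-signal ratios of 20 dB and 6 dB, 100 and 50 hopping channels, 10 MHz / 1 MHz direct sequence); it assumes free-space propagation and takes the 3 dB capture requirement from the slides' "+/- 3 dB capture range".

```python
"""Link-robustness calculator for choosing a SCADA radio technology.

Added example for this page, not code from the presentation. Inputs are the
slides' sample figures; propagation is assumed free-space and the FM capture
requirement is assumed to be 3 dB (the slides' "+/- 3 dB capture range").
"""
import math

MILE_KM = 1.609344


def fspl_db(distance_km, freq_mhz):
    """Free-space path loss in dB (Friis form with km / MHz constants)."""
    return 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz) + 32.44


def received_level_dbm(tx_dbm, path_loss_db, tx_gain_dbi=6.0,
                       rx_gain_dbi=6.0, feed_loss_db=6.0):
    """Link budget: power arriving at the receiving node's input."""
    return tx_dbm + tx_gain_dbi + rx_gain_dbi - feed_loss_db - path_loss_db


def fade_margin_db(received_dbm, sensitivity_dbm=-104.0):
    """Headroom above receiver sensitivity with no interferer present."""
    return received_dbm - sensitivity_dbm


def fh_processing_gain_db(n_channels):
    """Frequency-hopper improvement: 10 log10(number of hopping channels)."""
    return 10 * math.log10(n_channels)


def ds_processing_gain_db(occupied_bw_hz, modulating_bw_hz):
    """Direct-sequence improvement: 10 log10(occupied / modulating bandwidth)."""
    return 10 * math.log10(occupied_bw_hz / modulating_bw_hz)


def effective_js_db(js_db, processing_gain_db=0.0):
    """Jammer-to-signal ratio the demodulator sees after despreading."""
    return js_db - processing_gain_db


def link_holds(js_db, processing_gain_db=0.0, capture_margin_db=3.0):
    """True when the wanted signal still wins FM capture against the interferer,
    i.e. it remains capture_margin_db above the jammer after processing gain."""
    return effective_js_db(js_db, processing_gain_db) <= -capture_margin_db


def compare_link_options(js_db):
    """Which of the slides' radio options survive a given jammer-to-signal ratio."""
    return {
        "narrowband": link_holds(js_db),
        "fh_100ch": link_holds(js_db, fh_processing_gain_db(100)),
        "fh_50ch": link_holds(js_db, fh_processing_gain_db(50)),
        "ds_10MHz_1MHz": link_holds(js_db, ds_processing_gain_db(10e6, 1e6)),
    }


if __name__ == "__main__":
    # Slide 14/16 configuration: 1 mile at 2.4 GHz, 30 dBm, 6 dBi, 6 dB feed loss.
    rx = received_level_dbm(30.0, fspl_db(1 * MILE_KM, 2400.0))
    print(f"2.4 GHz, 1 mile: Rx {rx:.1f} dBm, fade margin {fade_margin_db(rx):.1f} dB")
    # Slide 15/16 interferer levels: jammer 1 at +20 dB, jammer 2 at +6 dB over signal.
    for js in (20.0, 6.0):
        print(f"J/S {js:.0f} dB:", compare_link_options(js))
```

At 2.4 GHz and 1 mile the free-space budget lands near -68 dBm, in line with the slide's Rx Sig figure. The comparison shows that none of the options rides through the 20 dB interferer, while at 6 dB the hopping and direct-sequence options survive and the narrowband link does not; the decision point is therefore the interferer level a site can realistically expect, which the countermeasures slides recommend measuring rather than assuming.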

17 Could We Have Detected This Attack?
   - Terrorists leveraged two human fallibilities: the law of small numbers; susceptibility to conditioning
   - The inability of the target utility to detect or interpret small, inconsequential changes
   - Example: loss of continuity to a remote site for very short periods may be interpreted as caused by intermittent equipment faults and/or natural or friendly interference
   - Conditioning: acceptance of short interruptions as normal

18 Countermeasures
   - Model network components, in-plant and wide-area
   - Develop an objective "feeling" for your specific network prior to deployment; understand "choke points"
   - Real-time traffic analysis: monitor and track traffic trends
   - Use statistical analysis to discover possible intrusion patterns
   - Understand network vulnerabilities of all system components: SCADA strategies; SCADA applications (consider having software certified)
   - Consider using non-Windows® based operating systems with a security-certified kernel (Linux/Unix on suggestions)
   - Understand vulnerabilities of 802.11a/b/g wireless systems, and limit deployment to securable facilities
   - Public transport systems
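Slides 17 and 18 together describe the detection gap: a rising count of very short outages at one remote, each of them individually explainable as an equipment fault, is the signature of the conditioning phase, and the statistical-analysis countermeasure is to baseline that count per site and alert when it drifts. The Python below is an added example, not code from the presentation; it runs on constructed master-station poll records (timestamp, remote id, success flag) rather than any real log, and the one-day window, the 120 s short-outage limit and the z-score threshold of 3 are assumptions chosen for illustration.

```python
"""Flag remotes whose rate of short, non-periodic outages is climbing.

Added example, not from the presentation. Poll data is constructed below;
window length, short-outage limit and alert threshold are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

DAY = 86400


def outages_from_polls(polls):
    """Group consecutive failed polls per remote into (remote, start, end).
    polls: iterable of (t_seconds, remote, ok) in time order. An outage ends at
    the first successful poll after it; one still open at the end of the data
    is reported with end = the last poll time seen for that remote."""
    open_since, last_t, outages = {}, {}, []
    for t, remote, ok in polls:
        last_t[remote] = t
        if not ok:
            open_since.setdefault(remote, t)
        elif remote in open_since:
            outages.append((remote, open_since.pop(remote), t))
    for remote, start in open_since.items():
        outages.append((remote, start, last_t[remote]))
    return outages


def short_outage_counts(outages, short_max_s, window_s=DAY):
    """Count outages lasting at most short_max_s per remote and per window index."""
    counts = defaultdict(lambda: defaultdict(int))
    for remote, start, end in outages:
        if end - start <= short_max_s:
            counts[remote][int(start // window_s)] += 1
    return counts


def conditioning_alerts(counts, current_window, baseline_windows, z_threshold=3.0):
    """Return {remote: z} for remotes whose short-outage count in current_window is
    z_threshold or more standard deviations above their baseline mean. The
    deviation is floored at 1.0 so a perfectly flat baseline still scores."""
    alerts = {}
    for remote, per_window in counts.items():
        base = [per_window.get(w, 0) for w in baseline_windows]
        cur = per_window.get(current_window, 0)
        z = (cur - mean(base)) / max(pstdev(base), 1.0)
        if z >= z_threshold:
            alerts[remote] = round(z, 2)
    return alerts


def build_sample_polls(poll_interval_s=60, days=8):
    """Constructed sample: two remotes polled every minute for eight days. Both
    drop exactly one poll per day at noon (a plausible intermittent fault); on
    the last day RTU-7 additionally drops six scattered single polls."""
    failures = set()
    for d in range(days):
        failures.add(("RTU-3", d * DAY + 12 * 3600))
        failures.add(("RTU-7", d * DAY + 12 * 3600))
    for h in (1, 5, 9, 13, 17, 21):
        failures.add(("RTU-7", (days - 1) * DAY + h * 3600))
    polls = []
    for t in range(0, days * DAY, poll_interval_s):
        for remote in ("RTU-3", "RTU-7"):
            polls.append((t, remote, (remote, t) not in failures))
    return polls


def run_detection():
    """Baseline on days 0-6, score day 7; returns the alert map."""
    outages = outages_from_polls(build_sample_polls())
    counts = short_outage_counts(outages, short_max_s=120)
    return conditioning_alerts(counts, current_window=7, baseline_windows=range(7))


if __name__ == "__main__":
    print(run_detection())  # RTU-7 is flagged; RTU-3's steady one-a-day is not
```

Every individual event in the sample is a single missed poll, exactly the kind of thing a maintenance desk learns to ignore; the detector never judges an event on its own, only the per-site count against that site's own history, which is what keeps RTU-3's steady background fault from raising an alarm while RTU-7's change in rate does.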

19 Topology Vulnerabilities
   Suppose you are a terrorist seeking to damage your organization's networking capabilities: telecom, wireless, microwave, Intranet/Internet.
   Vulnerability is measured in the smallest number of vertices or hub points that will cause disconnections within a network.

20 Summary of Best Practices
   - Strong preventative maintenance program; continuous training
   - Model your network: understand operation and vulnerabilities
   - Create strong firewalls and gateways between external and internal nets
   - Create a DMZ network to allow friendlies in; exclude entrance to the corporate network
   - Consider appropriate radio link technology (narrow-band vs. ISM)
   - Upgrade vulnerable equipment
   - Deny access via a strong password control policy, host and remotes
   - Monitor and analyze traffic, search for patterns
   - Mitigate the effects of denial of service attacks, including: hijacking, jamming, blinding, spoofing

21 Questions?
   William (Bill) Brown, bbrown@metricsystems.com
   760.560.0348, 1.800.549.7421
   www.scadawireless.com, www.metricsystems.com

