Presentation is loading. Please wait.

Presentation is loading. Please wait.

SCADA Security William (Bill) Brown Metric Systems Corporation The Wireless Factor Ph: 760.560.0348 x 211

Similar presentations


Presentation on theme: "SCADA Security William (Bill) Brown Metric Systems Corporation The Wireless Factor Ph: 760.560.0348 x 211"— Presentation transcript:

1 SCADA Security William (Bill) Brown Metric Systems Corporation The Wireless Factor Ph: x 211

2 As far as we know, no one has ever deliberately hacked into the U.S. electrical grid and pulled the plug on millions, even thousands, of people. Just as on September 11, 2001, no one had ever deliberately crashed a jet airliner into a skyscraper. SCADA Security … the Wireless Factor

3 Agenda  Why another wireless security presentation?  Terrorist threats  Domestic  Foreign  Internal  One scenario

4 Focus Today: Internal Networks: LAN, WAN, Wireless, Microwave Third party embedded threats: Operating systems Application software including mobile 2G and 3G wireless networking Industrial automation devices Networking equipment (wired, wireless, fiber) Telecommunication carriers Recovery concepts: Maintaining business continuity Developing a concept of, and practical foundation for, mitigating corporate security threats attempting to use internal or external wireless assets as an ingress point

5  Mission: Transient denial of electrical service  Strategy: Electromagnetic deception  Tactics:  Using Open Source material, physical surveillance and off-the-shelf equipment and components to interrupt or spoof SCADA information. Why? So that SCADA control believes short non-periodic communication outages are normal.  Leverage this conditioning as a ruse for delayed detection of physical attack or to inflict low-level random maintenance alarm attacks. Terrorist Game Plan

6 Basic SCADA Operational System Model Local Gateways and Networks SCADA Software Application Operating System Hardware Platform Enterprise Gateways Com Media Human Interface SCADA Strategies Remote Gateway Remote Plant Distribution Network SCADA Device Population  Public  Private  Mix SCADA Strategies Equipment Under Control or Monitoring Points of Vulnerability

7 The Plan   Locate SCADA sites   Determine band/specific frequencies   Interject noise (any unwanted signal)   Listen for Master Station response (if any)   Is there a maintenance response?   Set up random plan of interdiction   Execute conditioning plan   When appropriate execute core objective

8 Private Customer Owned Leased Microwave Licensed MAS/UHF/VHF Unlicensed Mixed Private Wireless Entry Points

9 Public Wireless Entry Points Public Cellular Satellite Telco Internet Unknown Dial-Up/ Nailed up Frame Relay Dial-Up Data Networking (VPN)

10 Tools of the Trade Private:  Narrowband Sources (VHF, UHF, MAS)  Modulated tunable frequency sources – 100 MHz – 6GHz: $1k  SCADA radios  Wideband Sources ( MHz, MHz, 5.8 GHz)  Modulated wideband noise sources  Single frequency noise generators Public:  CDMA and GSM test Equipment  Low-cost, low-power jammers Discovery Location of Remote SCADA Sites  FCC web site database  Reconnaissance Jamming Sources

11 Narrowband Denial Tactics Average Noise Floor Normal Signal Barrage Noise Jammer Spot Jammer Capture Range +/- 3 dB Minimum discernible signal level for detectable packet (includes error detection and correction) Frequency Signal Level

12 Wideband Denial Tactics Frequency Hopper Average Noise Floor Per frequency bin Hop Signals Barrage Noise Jammer Spot Jammer Frequency Signal Level Minimum discernible signal level for detectable packet (includes error detection and correction) Capture Range +/- 3 dB

13 Wideband Denial Tactics Direct Sequence Direct Sequence Signal Barrage Noise Jammer Spot Jammer Frequency Signal Level Minimum discernible signal level for detectable packet (includes error detection and correction) Jamming to Signal Improvement Margin: dB: 10Log (Occupied Bandwidth / Modulating Bandwidth) e.g. 10Log(10 MHz / 1MHz)=10 dB

14 Wireless Denial of Service Attack Geometry 1 Mile.1 Mile Jammer 1Jammer 2.5 Mile Node 1Node 2 L 11 L 12 L 22 L 21 Tx Power30 dBm (1 Watt) Rx Sensitivity-104 dBm Antenna Gain6 dBi Antenna Feed loss 6 dB System Example Configuration

15 Making a Wireless Choice UHF Narrow Band Scenario Denial of Service Attack 1 Mile.1 Mile Jammer 1 Jammer 2.5 Mile Node 1Node 2 L 11= 33.4 dBm L 12= 52.5 dBm L 22= 47.4 dBm L 21= 47.4 dBm Rx Sig=53.4 dBm.5 Miles.6 Miles FM Capture Region Node 1 Rx Signal=53.4 dBm Rx Jammer 1 = 33.4 dBm Rx Jammer 2 = 47.4 dBm Rx Jammer 1- Rx Signal = 20 dB Rx Jammer 2 – Rx Signal = 6 dB

16 Making a Wireless Choice 2.4 GHz ISM Wide-Band Scenario Denial of Service Attack 1 Mile.1 Mile Jammer 1Jammer 2.5 Mile Node 1Node 2 L 11= 48.1 dBm L 12= 67.1 dBm L 22= 47.4 dBm L 21= 62.1 dBm Rx Sig=68 dBm.5 Miles.6 Miles FM Capture Region Node 1 Rx Signal= 68 dBm Rx Jammer 1 = 48.1 dBm Rx Jammer 2 = 62.1 dBm Rx Jammer 1- Rx Signal = 20 dB Rx Jammer 2 – Rx Signal = 6 dB  100 Hopping Channels: 20 dB  Jamming to Signal Improvement Margin  50 Hopping Channels: 17 dB  Jamming to Signal Improvement Margin Jamming to Signal Improvement =10Log (# of Hopping Channels)

17   Terrorists leveraged two human fallibilities:   The law of small numbers   Susceptibility to conditioning   The inability of the target utility to detect or interpret small inconsequential changes   Example: Loss of continuity to a remote site for very short periods may be interpreted as caused by intermittent equipment faults and/or natural or friendly interference   Conditioning - acceptance of short interruptions as normal Could We Have Detected This Attack?

18  Model network components - in-plant and wide-area  Develop an objective “feeling” for your specific network prior to deployment. Understand “choke points”  Real time traffic analysis – Monitor and track traffic trends  Use statistical analysis to discover possible intrusion patterns  Understand network vulnerabilities of all system components  SCADA strategies  SCADA applications – Consider having software certified  Consider using non-Windows ® based operating systems with a security certified kernel (Linux/Unix on suggestions)  Understand vulnerabilities of a/b/g wireless systems, and limit deployment to securable facilities  Public transport systems Countermeasures

19 Suppose you are a terrorist seeking to damage your organization’s networking capabilities – telecom, wireless, microwave, Intranet/Internet Vulnerability is measured in the smallest number of vertices or hub points that will cause disconnections within a network. Topology Vulnerabilities

20 Summary of Best Practices   Strong preventative maintenance program – continuous training   Model your network – understand operation and vulnerabilities   Create strong firewalls and gateways between external and internal nets   Create a DMZ network to allow friendlies in - exclude entrance to corporate network   Consider appropriate radio link technology (narrow-band vs. ISM)   Upgrade vulnerable equipment   Deny access via strong password control policy, Host and Remotes   Monitor and analyze traffic, search for patterns   Mitigate the effects of Denial of Service attacks including:   Hijacking  Jamming   Blinding  Spoofing

21 Questions? William (Bill) Brown


Download ppt "SCADA Security William (Bill) Brown Metric Systems Corporation The Wireless Factor Ph: 760.560.0348 x 211"

Similar presentations


Ads by Google