SUBSTATION SECURITY WHY FIREWALLS DON’T WORK! ©Copyright 1998, Systems Integration Specialists Company, Inc. All Rights Reserved Presented by:


2 SUBSTATION SECURITY WHY FIREWALLS DON’T WORK! ©Copyright 1998, Systems Integration Specialists Company, Inc. All Rights Reserved Presented by:

3 What are the issues?
–What is the purpose of the substation?
–What functions need to be protected and how?
–What are the issues in protecting substations?

4 Functions of Substation
[Diagram: Substation, Control Center]
–Protect Equipment
–Enable Power Distribution
–Enable Control Center Communications
–Enable Revenue Metering
–Enable Power Quality Information

5 Protect Equipment - Physical Security

6 Vulnerable to Physical Destruction/Terrorism
–Gates typically locked but not monitored
–Control Cabinets locked but not monitored
–Substation and Power Diagrams typically in control house or panels

7 Control Center Communications Typically Use
–Radio
–Dial-up
–Lease Line
–WAN

8 Radio: 5 minutes and $1500
–MAS/Licensed frequencies available on www.fcc.gov!
–Microwave
–Spread Spectrum
Listed in order of progressing communication security

9 Dial-up
–Telco Switches are susceptible
–Non-publication of phone number is no protection.
–Implementation in called device typically doesn’t have time-out, call-back, or challenge.

10 WAN Typical IS/IT would use Firewall to Protect? Most People think WAN::=

11 Firewalls - The way they work
[Diagram: E, C]
NO EXTERNAL COMMUNICATIONS - IT’S SAFE

12 Firewalls - The way they work
[Diagram: E, C]
–OPEN HOLE IN WALL
–CONTROL CENTER COMMUNICATION: EXPOSURE
–ESTABLISH COMM LINK

13 Firewalls - The way they work
[Diagram: E, C, TCP/IP Port (e.g. 20/21 for FTP)]
WELL KNOWN PORTS MEAN HIGHER RISK

14 Firewalls - The way they work
[Diagram: E, C, TCP/IP Port (e.g. 20/21 for FTP)]
–FIREWALLS TYPICALLY CONTROL WHO CAN CONNECT IN/OUT PER PORT
–PROTOCOL IS PER PORT

15 FUNCTIONS OF FIREWALL RULES ADDRESS TRANSLATION/PROXY LAN INTERFACE EXTERNAL WAN INTERFACE WHICH PORT CONNECTION RULES TO WHOM FROM WHOM

16 CONNECTION RULES
DETERMINE WHO CAN CONNECT AND TO WHOM
–NO RULES: ONLY PORT RESTRICTION
–SOURCE ROUTING
–USER ID/PASSWORD
–CHALLENGE
–TOKEN
–DIGITAL CERTIFICATE

17 SO WHAT’S WRONG?
[Diagram: WAN, E, C, E, C, Control Center]

18 SO WHAT’S WRONG?
[Diagram: E, C, Control Center]
–EAVESDROPPING
–CC->SUB (userid, password, certificate)
–HACKER->SUB (userid, password, certificate)
–SPOOF, MASQUERADE
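Slides 9, 16 and 18 contrast a credential that can be recorded and sent again with a challenge and a time-out. The following is an added example, not part of the presentation; the key, password, time-out value and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"      # constructed shared secret, provisioned out of band
PASSWORD = b"substation1"          # constructed static password
CHALLENGE_TTL = 5.0                # assumed time-out in seconds

def static_verify(credential):
    """Static credential: the same bytes are valid on every connection."""
    return hmac.compare_digest(credential, PASSWORD)

def respond(key, nonce):
    """Caller's side: prove knowledge of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

class ChallengeDevice:
    """Called device: fresh nonce per login, single use, with a time-out."""
    def __init__(self, key):
        self._key = key
        self._pending = {}                       # nonce -> time issued

    def challenge(self, now):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = now
        return nonce

    def verify(self, nonce, response, now):
        issued = self._pending.pop(nonce, None)  # pop makes each nonce single use
        if issued is None or now - issued > CHALLENGE_TTL:
            return False
        return hmac.compare_digest(response, respond(self._key, nonce))

def replay_outcomes():
    """Present recorded logins again; returns what each scheme accepts."""
    dev = ChallengeDevice(KEY)
    n1 = dev.challenge(now=0.0)
    r1 = respond(KEY, n1)                        # seen on the wire together with n1
    n2 = dev.challenge(now=10.0)
    n3 = dev.challenge(now=20.0)
    return {
        "static_replayed": static_verify(PASSWORD),
        "challenge_first_use": dev.verify(n1, r1, now=1.0),
        "challenge_same_nonce": dev.verify(n1, r1, now=2.0),
        "challenge_new_nonce": dev.verify(n2, r1, now=11.0),
        "challenge_late": dev.verify(n3, respond(KEY, n3), now=30.0),
    }
```

The recorded static password is accepted again, while the recorded response fails both against its own used nonce and against a fresh one, and a correct response that arrives after the time-out is refused.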

19 It’s OK, nobody knows our protocol!
–NOT A TRUE STATEMENT
–ONLY 29% of Protocols in use are not publicly available!

20 EVEN MORE FUEL
–ONLY 65% of Substation Devices have Passwords enabled.
–Few Firewalls restrict services running over a given port.
 –E.G. GET/SET
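Slide 20's point, that a per-port rule says nothing about the service (e.g. GET/SET) carried on that port, shown as an added example that is not part of the presentation. The frame layout, port 5000, addresses and policy are assumptions made for illustration.

```python
import struct
from ipaddress import ip_address, ip_network

# Hypothetical frame: 1-byte service code, 2-byte point id, 2-byte value.
FRAME = struct.Struct(">BHH")
SERVICES = {0x01: "GET", 0x02: "SET"}
DEVICE_PORT = 5000  # assumed port of the proprietary protocol

# Constructed policy: source network -> services it may use on DEVICE_PORT.
POLICY = [
    (ip_network("10.1.0.10/32"), {"GET", "SET"}),  # control center
    (ip_network("10.1.0.0/24"), {"GET"}),          # other utility hosts: read only
]

def allowed_services(src):
    """Union of the services granted to every policy network containing src."""
    addr = ip_address(src)
    granted = set()
    for net, services in POLICY:
        if addr in net:
            granted |= services
    return granted

def port_rule(src, port):
    """Per-port rule: only who may connect to which port."""
    return port == DEVICE_PORT and bool(allowed_services(src))

def service_rule(src, port, payload):
    """Per-port rule plus inspection of the service carried in the payload."""
    if not port_rule(src, port):
        return "drop: port rule"
    if len(payload) != FRAME.size:
        return "drop: malformed frame"
    code, _point, _value = FRAME.unpack(payload)
    service = SERVICES.get(code)
    if service is None:
        return "drop: unknown service"
    if service not in allowed_services(src):
        return "drop: %s not permitted for %s" % (service, src)
    return "allow: " + service

if __name__ == "__main__":
    set_frame = FRAME.pack(0x02, 17, 1)  # constructed SET on point 17
    for src in ("10.1.0.10", "10.1.0.20", "192.0.2.7"):
        print(src, port_rule(src, DEVICE_PORT), service_rule(src, DEVICE_PORT, set_frame))
```

The read-only host passes the port rule with a SET frame; only the service-level check separates it from the control center.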

21 Multiple Passwords a problem
The Greyhound Story
–NO SECURITY: NO USER PAIN
–SINGLE PASSWORD: EASY TO REMEMBER
–MULTIPLE PASSWORDS: HARD TO REMEMBER

22 UTILITY CONCERNS
–Repudiation
–Information Leakage
–Eavesdropping
–Replay
–Masquerade
–Spoof
–Intercept/Alter
–Denial of Service
–Indiscretion of Personnel
–Integrity Violation
–Illegitimate Use
–Authorization Violation
–Bypassing Controls

23 POWER QUALITY
[Diagram: Substation, Control Center]
EAVESDROPPING AND INTERCEPT/ALTER MAY HAVE LARGE FINANCIAL CONSEQUENCES IN THE NEAR FUTURE!

24 FIREWALL SHOULD PROVIDE
–STRONG AUTHENTICATION
–NEGOTIABLE ENCRYPTION
–SECURE MANAGEMENT
–ATTACK DETECTION ANNUNCIATION

25 WHY AREN’T FIREWALLS ENOUGH?
Security is only as good as the weakest link in the system.
–Security in the Control Center
–Management Support and Policy
–Crisis Team
–Management

26 WHY AREN’T FIREWALLS ENOUGH?
Service (e.g. GET/SET) must be enabled/disabled in devices.
–Vendors see no value in strong security! Only 3 of 1000 vendors returned surveys
–Utilities want strong security! 12% of contacted utilities responded!
Protocols and Implementation have LARGE impact after FIREWALL

27 Vendors Must Participate But Why?

28 Let's analyze a new protocol!
–Proprietary over TCP/IP
–Where Vendors go Wrong: Just an Example! (no names to protect the guilty parties!)

29 General Implementation
[Protocol stack: Proprietary Protocol / TCP / IP / Ethernet]
–Non-session oriented

30 Denial of Service
[Protocol stack: Proprietary Protocol / TCP / IP / Ethernet]
–"Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux,.....)
–Ping of Death information: http://www.sophist.demon.co.uk/ping/

31 Denial of Service
[Protocol stack: Proprietary Protocol / TCP / IP / Ethernet]
–"Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux,.....)
–Port connection exhaustion

32 Denial of Service
[Protocol stack: Proprietary Protocol / TCP / IP / Ethernet]
–"Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux,.....)
–Port connection exhaustion
–Potential for bus traffic congestion.

33 Masquerade
[Protocol stack: Proprietary Protocol / TCP / IP / Ethernet]
–No USER/PASSWORD
–No session timeout

34 Information Leakage
[Protocol stack: Proprietary Protocol / TCP / IP / Ethernet]
–No USER/PASSWORD
–No session encryption

35 Conclusion of Protocol Design
"Any man may make a mistake; none but a fool will persist in it!"
OR
Security must be designed and protocols must be extended to support security features!

36 CONCLUSION to SECURITY
–Firewalls add a degree of security
–Management Support is Critical
–Security has value and utilities need to be willing to pay.
–Vendors need to be willing to implement strong security and authentication.

