Towards an efficient ICS security assessment
National and European Organizations are concerned about security in ICS environments. In the past, such devices were designed and implemented to work only in isolated networks. However, these isolated systems are being connected, increasingly, to Internet. This brings huge benefits, but it also increases the number threats, including cyber-terrorism.
Also, there is a particular growing interest in security testing of this kind of architectures. For instance, at European level, ENISA is discussing important matters like "The Creation of a common test bed, or alternatively, an ICS security certification framework". Achieving this crucial target can take us a long time. But, in the meantime: What can we do?
INCIBE , as a cyber-security centre at the national level, is aware of the importance of working in this challenge, and proposed the SCADA LAB Project (SCADA Laboratory and Test-bed as a Service for Critical Infrastructure Protection), which bundles up efforts by nine members from different EU countries: Hungary, Italy, United Kingdom and Spain.
This project is an action within the programme Prevention, Preparedness and Consequence Management of Terrorism. A specific programme funded by the European Commission. The project aims to analyse the current security measures implemented in ICS environments, with two main objectives:
- Develop a laboratory and a test bed, focused on the energy sector.
- Re-use existing assets, knowledge, and equipment, in an efficient way.
Another important precedent to consider is ENISA’s "Protecting Industrial Control Systems. Recommendations for Europe and Member States" report, describing the current situation of security in ICS and proposing seven recommendations to improve it. In particular, in its recommendation number 5, it highlights the lack of specific initiatives on ICS security and the need for independent evaluations and tests of ICS security products. Among others, ENISA encourages the establishment of test-beds. They make use of realistic environments with the appropriate resources for conducting tests permitting independent verification and validation.
To sum up, the main purpose of SCADA LAB is to create a test environment, allowing to assess remotely the security level of an ICS, or any part of it. To accomplish this purpose, the SCADA LAB architecture is split into two main areas: the laboratory and the test-bed.
- Main Areas in SCADA LAB -
The Laboratory Area includes the hardware and software needed to launch a security assessment against a test-bed.
The Test-Bed Area is the target of the test. Implementation should ideally be as close as possible to a production system.Within the project, the Test-Bed Area is housed in the headquarters of Telvent Energy, in Seville, and he Laboratory Area is housed in the Data Centre of INCIBE , León.
The first task of the project was a survey conducted among the involved stakeholders (from Italy, Hungary and Spain), aimed to assess the current level of awareness and the security needs. Interviewees answered more than 60 questions about:
- Organization profile
- Existing Threats
- Security Controls
- Identified Needs
Just to mention some findings, only 36% of the stakeholders performed security tests on their ICS on a regular basis and the 10% had implemented a permanent environment for security tests. These results indicate that security are still not integrated. Unfortunately, only 30% had a cyber-security policy in place.
The next activity was the development of a testing methodology, aimed to provide a set of guidelines to ease security assessments.
Conceptually, this testing methodology is based on the following aspects:
- Key points of the methodology -
I. Basic Architecture of an Industrial Control System
The first point taken into account was the minimum set of components for an ICS environment. The basic architecture of an ICS consists of three main levels:
- Field and Control level. This level contains RTUs, PLCs, IEDs, actuators and sensors, and associated communications.
- Communication level. This level contains the communication interface between Field and Control level and the Supervisory level. Supervisory level: This level can contain monitoring workstations, SCADA Servers, OPC Servers, Data Servers, etc.
Fifty-eight requirements were identified and and prioritized (high, medium or low). Those requirements were identified based on criteria such as:
- "The implementation should be as similar as possible to a real system".
- "The components of the test bed may be implemented and shared from geographically diverse networks to enable remote tests".
- "The SCADA LAB implementation has to be aligned with the SCADA LAB Testing Methodology".
III. Analysis of Existing Methodologies
Proverbially, one should not re-invent the wheel. Hence, the main existing testing methodologies for ICS, standards and related documentation were analysed. The conclusion was that there was no testing methodology that fully met the aims of the project, so it was decided to develop such a methodology. Additional key points were considered:
- The general structure of the methodology is based on the assessment process specified in Cyber Security Assessments of Industrial Control Systems. Good Practice Guide (Centre for the Protection of National Infraestructure, 2010).
- The attack vectors were defined according to the guidelines specified in Commercially Available Penetration Testing (Centre for the Protection of National Infraestructure, 2006).
- The TOEs (Targets of Objective) and Test Procedures used in the proposed testing methodology are based on the specifications contained in Vendor System Vulnerability Testing (Idaho National Engineering and Environmental Laboratory, 2005).
- The proposed methodology could potentially be made compatible with the Common Criteria (AVA class – Vulnerability Assessment).
IV. Type of Security Assessment
The purpose of any security testing method is to ensure the strength of a system in the face of malicious attacks or regular software failures. This is usually accomplished by performing security tests. The methodology comprises three main types of security assessment: black box, grey box and white box testing.
V. An Approach to a Test Inventory
The methodology also provides a security test inventory.
- Example of details of one test -
The roles required during a security assessment, included in the methodology, was:
- Developer / Vendor.
- Evaluation Authority.
- Test-bed manager.
Phases in the methodology
When operators request an security assessment, three phases will need to be undertaken: Planning, Assessment and Reporting.
Phase I, Planning
During this phase, an environment is prepared on the basis of the type of evaluation being undertaken, taking into account factors such as: the test team, tests of connectivity, and other features that complete the assessment plan.
Phase II, Assessment
Once the tests are planned, appropriate steps are taken to run each test.
Phase III, Reporting
After each test is completed, the results are evaluated and conclusions are drawn.
- Phases in the testing methodology -
Laboratory and test-bed implementation
The next activity was the implementation both the laboratory and the test-bed. In the light of the basic architecture of ICSs, the test-bed includes the three main levels (field and control level, communication interface and supervisory level).
Design of the test-bed architecture
The test-bed architecture proposed includes all the components needed, from the highest-level items located in the Supervisory level to the most basic elements sited at the Field and Control level. It also includes three types of communication channel: digital and analog input and output signals, Ethernet and serial communications. In addition, the main control protocols from the energy sector are represented: DNP 3.0, MODBUS and IEC 104.
Additionally, in order to carry out tests, an agent needs to be connected directly to the test-bed (SCADA LAB Testing Agent).
Design of the laboratory architecture
The laboratory is responsible for managing test plans, including all the information received from the operator. The main components of the Laboratory are:
- SCADA LAB Server, that manages the test plans, including the setup of the test-bed and tests to be performed.
- SCADA LAB Front-End, that allow the user to interact with SCADA LAB laboratory to request security assessments of their environments and monitor them in real time.
- SCADA LAB Architecture -
Once the laboratory and Test-Bed have been implemented and configurated, the moment comes to start security assessments. A description of the entire process is given below.
- Workflow of SCADA LAB -
- The operator accesses the SCADA LAB Front-End component to perform a new request.
- The technician receives a notification about that request.
- The operator is requested via email to send required documentation: NDA, authorization form, etc.
- Once the request is accepted, the technician registers the operator on SCADA LAB Server and gets the operator configuration file.
- The technician also registers the operator on SCADALAB Front-end and uploads the configuration file on the operator workspace. That file includes user-id, ports used in the test-bed, etc.
- The operator downloads both the ISO image and the configuration file.
- The operator installs the ISO image on the SCADA LAB Testing Agent component. The configuration file must be also plugged into it, via USB, in order to configure the SCADA LAB Testing Agent.
- The operator logs on to the SCADA LAB Front-End and following this, he requests new assessment.
- SCADA LAB Front-End calls the SCADA LAB Server in order to receive further information about the assessment: type of assessment, slot time, target, etc.
- SCADA LAB Server connects to SCADA LAB Testing Agent and sets up the test plan.
- SCADA LAB Testing Agent performs the tests against the target.
- SCADA LAB Testing Agent gathers the results of the tests.
- SCADA LAB Testing Agent sends those results to the SCADA LAB Server.
- The SCADA LAB Server generates a technical report and it is uploaded to the SCADA LAB Front-End. Thereafter the operator will be able to download it.
- Finally, the operator may consult the technical report.
Steps 2 and form 9 to 14 are automatic, the rest are manual or semi-automatic.
In conclusion, this full solution includes all the technical and procedural features required to perform a remote security assessment against environments based on industrial control systems.
Because of a security assessment, those responsible can gather the relevant information for making decisions, which minimize the risk of security incidents, which might seriously affect the reputation of a company and sometimes even put human life at risk.
We definitively feel that it is time to act; these kinds of proposals like SCADA LAB project can be use to face one of the main security challenges happening at present time.
- Centre for the Protection of National Infrastructure, 2006. Commercially Available Penetration Testing. Best Practice Guide.
- Centre for the Protection of National Infrastructure, 2010. Cyber Security Assessments of Industrial Control Systems. Good Practice Guide.
- Common Criteria Recognition Arrangement, 2012. CC v3.1 Release 4.
- European Union Agency for Network and Information Security, 2011. Protecting Industrial Control Systems. Recommendations for Europe and Member States, Heraklion, Greece.
- Idaho National Engineering and Environmental Laboratory, 2005.
This article was published in the journal Cyber Security Review, Winter 2014/15 edition