introducing the activities of control system security center(cssc)
Transcription
introducing the activities of control system security center(cssc)
Control System Security Center INTRODUCING THE ACTIVITIES OF CONTROL SYSTEM SECURITY CENTER(CSSC) 20150618 1 Control System Security Center h(p://www.css-‐center.or.jp/en/index.html CSSC Promotion Video About 8 Minutes If Tokyo city falls into wide-‐area blackout, ・・・・・・・・ h(p://www.youtube.com/watch?v=qgsevPqZpAg&feature=youtu.be 2 Control System Security Center Tagajo? 多賀城 l Jo = 城 = castle; since 8th century l Historically famous and important place in Japan l Tsunami (2-‐‑‒4 m height) caused by the earthquake has covered the 33% of the city land (Mar. 11.2011) l After the earthquake, Tagajo city launched “Research Park for Disaster Reduction” plan. – Internationally prominent effort for achieving disaster reduction – Development of distinct technologies and products – Policies for disaster reduction “The testbed of CSSC truly suits the concept of Research park for disaster reduction.” (Mayor of Tagajo) Source: h(p://www.city.tagajo.miyagi.jp/ 3 Control System Security Center Industrial Control System Network Internet Maintenance/services, related factories, sales Office network Firewall Infrastructure (factories, building, filter plant, sewage plant, disaster control center) Industrial Control System network DCS opening/closing valve controlling temperature, pressure and robot DCS: Distributed Control System PLC: Programmable Logic Controller PLC Monitoring room(SCADA) Engineering PC Parameter configuraYon EvaluaYon SCADA: Supervisory Control And Data AcquisiYon 4 Control System Security Center PLC and DCS DCS Usually, a DCS configuration comprises three elements: an HMI (Human Machine Interface) used by the operator for control and monitoring and a control network that connects the HMI and controller and is connected to a field network. DCS is used in facilities such as chemical and gas plants. PLC PLC comprises a combination of PC monitoring and control software and performs process monitoring and control. PLC is used, for example, in assembly plants or for building control. 5 Control System Security Center Control Security and Information Security • The term “cyber security” means maintaining the confidentiality, integrity, and availability of information assets. These are the three requirements of cyber security and are referred to by the acronym “CIA” formed from the first letters of each. It is important to maintain all three elements with balance. • Confidentiality • The term “confidentiality” refers to the ability of authorized persons to properly access information only by authorized methods. In other words, confidentiality ensures that users without access privileges cannot access information. • Integrity • The term “integrity” refers to the safeguarding of the accuracy and integrity of assets. • Availability • The term “availability” refers to the ability of authorized persons to access assets in a timely fashion when necessary and the maintenance of assets in a state in which they can be used without a problem. Confidentiality Cyber security Integrity Availability !Control Security Availability > Integrity > Confidentiality !Information Security Confidentiality > Integrity > Availability 6 Control System Security Center Typical Examples of Information Security Accidents in Control Systems First example of direct damage caused to important infrastructures in America America 1997 Using a dial-up modem, a teenager stopped the digital loop carrier system of the telecommunications carrier NYNEX that supplied services for equipment at Worcester Airport in Massachusetts, rendering the airport control tower, security, fire department, weather service, and telephone services of airline companies using the airport unusable. Furthermore, the transmitters in the control tower that controlled the runway lights were shut down and were unavailable for use for six hours. Example of attack on the SCADA* System Australia 2000 Because of his resentment that his application for a position at a company operating a service water and sewage treatment plant was turned down, a former employee of the company in Australia that developed the SCADA software penetrated the control system of the company in question 46 times in two months and interfered with operations by acts such as rewriting sewage drainage facility data, with the result that 264,000 gallons of untreated sewage was discharged into places such as rivers and parks. Example of a control system being brought to a stop by viral infection America 2005 Operations at thirteen Daimler Chrysler (present day Daimler) automotive factories were brought to a halt by a simple Internet worm. Despite the fact that a firewall was in place between the information and control networks, the Zotob worm penetrated the control system and spread throughout the plants (It was pointed out that the worm may have been carried in from the outside and released via a laptop connected to the control system). As well as bringing automobile production to a stop for 50 minutes, there were concerns that the infection may have spread to entities such as parts suppliers, giving rise to worries over parts supply, resulting in losses amounting to 14 million dollars. 7 Control System Security Center Worm Infection by “WORM_DOWNAD” at Power Plant in Brazil Example of Problems at Power Plant caused by Malware (Dedicated in-house Factory Power Plant) Date February 6, 2011 Target of Attack Power plant at an iron works in Brazil Outline of Damage Stoppage of power plant operation requiring several months for recovery Outline of the Incident On February 6, 2011, the control system of a power plant in Brazil was infected by “WORM_DOWNAD” (Also known as “DOWNAD” or “Conficker”). The infection brought power plant operation to a halt. The worm spread throughout the entire plant network, resulting in a sudden increase in communication traffic, thus rendering communications between PLC and SCADA unstable. Many of the SCADA functions were brought to a halt. Although, during the recovery process, work was performed to remove the worm from infected machines, problems arose such as re-emergence of infected machines or of worm when connections were made to external networks. As a result, recovery required several months, leading to massive damage. The plant had a power generating capacity of 550MW and was put into operation in 2009. Sequence of Events leading up to the Incident February 6, 2011 The system (ALSPA P320 manufactured by ALSTOM) was brought to a halt. By the time the worm was discovered, it had already infected all machines in the system. Recovery was achieved several months later when the worm had been eradicated from all the machines. 8 8 Control System Security Center Example of Incident with BA System Hacking into an HVAC system at a hospital by a security officer Date April – June, 2009 Target of Attack W.B. Carrell Memorial Clinic in Dallas, Texas (America) Path of Entry Illegal access to the hospital’s HVAC system, patient information computer, etc. Damage System intrusion, online disclosure of system screens. A DDoS attack was also planned, but failed. Timeline W.B. Carrell Memorial Clinic Background and Outline Background A contracted security officer at the hospital in question (25 years old at the time) also acted as leader of a group of hackers called “Electronik Tribulation Army” under the pseudonym “Ghost Exodus.” Attack April – June, 2009 The security officer in question penetrated the hospital’s HVAC system and customer information computer and disclosed screenshots of HMI screens from the HVAC system online. Menus of the various functions of the hospital including pumps and cooling devices in operating theaters could be checked from the screens disclosed (see the next page). Moreover, motion images of scenes depicting acts such as installing malware in PCs in the hospital (apparently, botnetting of PCs in preparation for the DDoS attack detailed later) were also disclosed online. ‒ Meanwhile, although hospital staff thought it strange that the HVAC system alarm was not functioning as programmed because the alarm settings had been stopped, nothing amiss was discovered in the hospital. Discovery and Arrest June, 2009 The attack was discovered when a SCADA security expert examined information he had obtained from a hacker acquaintance and reported it to the FBI and the Texas Attorney General’s Office, leading to the arrest of the security officer in question on June 26, 2009. (He was sentenced to serve 9 years in a federal penitentiary.) Attack Plan (Failed) July, 2009 Although the attack failed with the arrest of the security officer concerned, he had planned to launch a large-scale DDoS attack using the infected hospital system on July 4, 2009 (Independence Day) and was recruiting hackers who wished to help on the Internet. He had already reported his intent to resign to the security company to which he belonged on the day before the scheduled attack date. Source: DOJ Press release (http://www.justice.gov/usao/txn/PressRel09/mcgraw_cyber_compl_arrest_pr.html) 9 Control System Security Center Threats to Control Systems in Japan USB Ports Remote Maintenance Lines Viral infections from USB memories are a common occurrence. n Control system are furnished with huge numbers of USB ports so that it is impossible to eliminate them. n The use of USB ports for maintenance is indispensable. Certain companies monitor turbines in real time via remote maintenance lines from a central monitoring room in America. n Contamination by illegal access and malware from terminals at the ends of remote maintenance lines n n Replacement of Operating Terminals Others In an automotive company in Japan, there was a case where a terminal replaced by a vendor were infected by a virus. n Operating terminals are usually general-purpose PCs with an OS such as Windows. n n Perpetrators on the inside slip through physical security. n Acts such as transmission of illegal packets or wire tapping are possible when PCs are directly connected to switches. n Intrusion from industrial wireless LANs n Standardization or posting on walls of items such as PC IDs or passwords Other Past Incidents: • A Japanese infrastructure company was infected by a virus when an operator connected his terminal to the Internet to play a game. 10 Control System Security Center Trends in Measures against Threats Item No. Threats in Japan 1 USB Memories Trends in Measures Removal of USB ports Malware checks using a dedicated PC when a USB memory is inserted Formulation of USB memory usage regulations ( Introduction of USB memory monitoring tools) 2 Remote Maintenance Lines Authentication of terminals connected to remote maintenance lines (e.g. Distribution of certificates) Security monitoring of terminals 3 Terminal Replacement Stand-alone malware checks when terminals are replaced 4 Others Strict implementation of physical security measures (e.g. Management using keys and room access lists, introduction of biometrics, installation of surveillance cameras, inspections of carried items or checks of body weight) 11 Control System Security Center Activities on Control System Security in Japan 2010 STUXNET METI 2011 APT to Japan (MHI,・・Government) 2012 2013 Shamoon 2014 Cyber Security and Economy by the Study Group (Dec 2010~Aug 2011) Task force to study the security of control systems (Oct 2011~Apr 2012) Control System Security Center (CSSC) (est. March 2012) 2015 will be continued in CSS-Base6 Cyber security exercise (electronics, gas, building) Cyber security Cyber security exercise exercise (electronics, gas, (electronics, gas, building, chemical) building, chemical) Tohoku Tagajo Headquarter Testbed(CSS-Base6) est. 28 May, R&D, testing, Awareness・・ 2013 Tokyo Research Center ・EDSA certification pilot project ・EDSA certification practical service ◇To ensure ICS security of Japanese cri4cal infrastructure ◇Evalua4on and cer4fica4on for ICS product exporters in Japan 12 Control System Security Center Purpose of CSSC Activities and Activities Scheme 1 Contributions to recovery in disaster-stricken areas 2 Ensuring the security of control systems with the focus on important infrastructures 3 Strengthening export competitiveness concomitant with ensuring control system security Contributions to recovery Budget for recovery from earthquake disasters CSSC Ministry of Economy, Trade and Industry Members (User companies, control vendors, security vendors, etc.) Research and development with highly-secure control systems Testing and certification of control systems, control devices, etc. Training human resources to disseminate and promote awareness of control system security Disasterstricken areas Important infrastructure operators, etc. Effects of results Infrastructure export operators, etc. 13 Control System Security Center Organization Dr. Seiichi Shin, President of CSSC Hideaki Kobayashi Vice President Dr. Makoto Takahashi, TTHQ ExecuYve Director Professor, Tohoku University Professor, The University of Electro-‐CommunicaYons Position Name Business Title President Seiichi Shin Professor, The University of ElectroCommunications Vice President Hideaki Kobayashi Control System Security Center Board member Masato Iwasaki Managing Executive Officer, Azbil Corporation President, Advanced Automation Company Board member Satoshi Sekiguchi Director General, Department of Information Technology and Human Factors, National Institute of Advanced Industrial Science and Technology Board member Shoji Takenaka Chief fellow, Toshiba Corporation Social Infrastructure Systems Company Board member Shigeru Sugiyama CSO, Infrastructure Systems Company, Hitachi, Ltd. Board member Masaya Nakagawa Head of ICT Solution Headquarters, Mitsubishi Heavy Industries, Ltd. Board member Kenji Kondo Executive Officer, Corporate Research and Development, Mitsubishi Electric Corporation Board member Hiroo Mori Director and Executive Vice President, Mori Building Co.,Ltd. Board member Chiaki Itoh Vice President, Marketing Headquarters, Yokogawa Electric Corporation R&D Director Kazumasa Kobayashi Advisor Professor, Kurashiki University of Science and the Arts TTHQ Executive Director Makoto Takahashi Advisor Professor, Tohoku University Advisor Kenji Watanabe Professor, Nagoya Institute of Technology Auditor Ryuichi Inagaki Attorney Secretary- General Ichiro Murase Research director, ICT Policy Research Division, Mitsubishi Research Institute 14 Control System Security Center Outline ■As of April 24, 2015 Control System Security Center Name (Abbreviation) CSSC ※A corporation authorized by the Minister of Economics, Trade and Industry Establi shed (In alphabetical order) March 6, 2012 (The registration date) 【[Tohoku Tagajo Headquarters (TTHQ)] Locati on Associati on members Special Supporting members Miyagi Reconstruction Park F21 6F, 3-‐‑‒4-‐‑‒1 Sakuragi, Tagajo City, Miyagi, Supporting members 985-‐‑‒0842, Japan [Tokyo Research Center (TRC)] Atago Green Hills MORI tower 21F, 5-‐‑‒1, Atago 2-‐‑‒chome, Minato-‐‑‒ ku, Tokyo, 105-‐‑‒6221, Japan Collaborativ e organizatio ns National Institute of Advanced Industrial Science and Technology*, ALAXALA Networks Corporation, Azbil Corporation*, Fuji Electric Co., Ltd. , Fujitsu Limited, Hitachi, Ltd.*, Information Technology Promotion Agency, Japan Audit and Certification Organization for Environment and Quality, Japan Quality Assurance Organization, LAC Co., Ltd., McAfee Co., Ltd., Meidensha Corporation, Mitsubishi Electric Corporation, Mitsubishi Heavy Industries Ltd.*, Mitsubishi Research Institute Inc.*, Mori Building Co., Ltd.*, NEC Corporation, NRI Secure Technologies Ltd. , NTT Communications Corporation, OMRON Corporation, The University of Electro-‐‑‒Communications, Tohoku Information Systems Company, Incorporated, Tohoku University, Toshiba Corporation*, Trend Micro Incorporated , Yokogawa Electric Corporation* (*8 starting member corporations) Miyagi Prefecture, Tagajo City, Cyber Solutions Inc., East Japan Accounting Center Co.,Ltd., Eri, Inc., Fukushima Information Processing Center, ICS Co.,Ltd., System Road Co., Ltd., Techno mind Corporation, Toho C-‐‑‒tech Corporation, Tosaki Communication Industry Ltd., TripodWorks CO.,LTD., Tsuken Electric Ind Co., Ltd. Interface Corporation, Ixia Communications K.K., Japan Nuclear Security System Co.,Ltd, NUCLEAR ENGINEERING, Ltd., OTSL Inc. Rock international, The Japan Gas Association(JGA), TOYO Corporation, TTK Co.,Ltd. Japan Computer Emergency Response Team, The Japan Electrical Manufacturers' Association (JEMA), The Society of Instrument and Control Engineers(SICE), Japan Electronics and Information Technology Industries Association(JEITA), The Association of Japan Instrumentation Industry(AJII), Japan Electric Measuring Instruments Manufacturersʼ’ Association(JEMIMA), Manufacturing Science and Technology Center(MSTC), The Federation of Electric Power Companies of Japan(FEPC), Japan Chemical Industry Association(JCIA), Tohoku Economic Federation, Miyagi Information Service Industry Association(MISA), Tagajo-‐‑‒Shicigahama Shokoukai 15 Control System Security Center CSSC Association Members(As of April 24, 2015) 16 Control System Security Center Research & Development l Choosing theme so that the member companies (sometimes competitors) can share output. – Some topics require NDA with CSSC and a member company. l Common research – CSSCʼ’s verification tool u EDSA conformance u Fuzzing functionality against frequently used protocols in domestic environment p (FY2012) BACnet/IP, FL-‐‑‒net, and EC61850 MMS/ASN.1 u Advanced penetration/fuzzing testing functionality p (FUTURE) Merging results of contract researches by three universities u Vulnerability scanner using public vulnerability DB p (FUTURE) Using jVN 17 Control System Security Center Research & Development (Contʼ’d) l Common research (Contʼ’d) – Incident handling tools and methodologies u Early alert system for ICS p Reasoning the status of a plant u Log management/mining for ICS p Mining and visualize logs with conforming to the standards u Evaluating products such as McAfee SIEM, IDS, and Whitelist with the plants in CSS-‐‑‒Base6 – Cyber range for both training and exercise u Using the plants and BreakingPoint to partially automate training and exercise 18 Control System Security Center Research & Development (Contʼ’d) l Application level research – Threat and risk analysis for ICS u Define virtual and typical models of PA, FA, and Smart community and analyze them – “Secure System Construction Guide for ICS” u Publish guide for ICS system integrators – ICS modeling u Define how to describe ICS so that, for example, IDS can be easily deployed 19 Control System Security Center Research & Development (Contʼ’d) l Innovative research – Conducted by AIST, The National Institute of Advanced Industrial Science and Technology (aist.go.jp) u Around 10 researchers are listed as cooperation member – Hypervisor, White list, Security barrier device, Human Factor, etc. 20 Control System Security Center Information & Knowledge Sharing l CSSCʼ’s activities as for this topic are listed below: l C-‐‑‒Level contents – Contents for each plant in CSS-‐‑‒Base6 are created/ updated in this FY – Contents will be arranged for each industry such as electricity, gas, etc. l “Supporting Member”: A new member category. – Augmented numbers of SMEs want to be involved with CSSC. – Member-‐‑‒only contents will be provided with CSSCʼ’s portal. Examples are: u Results of activities u CIP News (by courtesy of IPA.go.jp) u Vulnerability. Info (by courtesy of IPA.go.jp) 21 Control System Security Center Information & Knowledge Sharing (Contʼ’d) l Identifying potential guests for CSS-‐‑‒Base6 (as a part of PPP) – A CSSC member company received another budget to develop a plan for CSSCʼ’s “Promotion and HRD Task Committee”. – METI and CSSC plan to promote ICS security in global scale We focus on awareness raising, training and seminars this year so that more people can recognize CSSC and use our testbed facility. 22 Control System Security Center ISA/IEC62443 and ISA/ISCI ISASecure METI and CSSC promote ISA/IEC62443 as ICS security standard and also ISA/ISCI ISASecure as ICS security cerYficaYon standard. Target of Standardization general-purpose control system specific purpose(industry) system Petroleum/ Electric Chemical plant power system IEC62443 -2-1 Organization CSMS NERC CIP C System component Smart grid IEC 62443 ISA/ISCI ISASecure SDLA SSA EDSA NIST IR7628 Railroad system ISO/IEC 62278 WIB C IEC61850 legend IEEE1686 international standard industry standard C C :existing certification scheme ISCI: ISA Security Compliance Institute WIB: International Instrument User’s Association 23 Control System Security Center Testing & Certification EDSA Certification n IEC62443 is a standard that covers all control system security layers and players. n The antecedent standards issued for testing and certification (e.g. EDSA and WIB certification) are to be used for IEC62443. *1 ) Information network 情報ネットワーク Firewall ファ イアウォール Integrator IEC62443-1 Production ⽣生産管理理 management server サーバ IEC62443-2 Management, operation, processes IEC62443-3 Technology, systems Device vendor Operator Standardization IEC62443-4 Components and devices PIMS HMI EWS DCS/Master Control information network 制御情報ネッ トワーク PLC Control network トワーク コントロールネッ PLC CSMS SSA Field network フィールド ネットワーク DCS/Slave Sensor bus センサバス EDSA M Sensors, etc. センサ・actuators, アクチュエータなど *1) IEC/TC65/WG10 oversees the task of standardization of IEC62443 cyber security (JEMIMA handles the Japan office). *2) EDSA: Embedded Device Security Assurance: Control device (component) certification program → Proposed to IEC62443-4. *3) WIB: International Instrument User’s Association program → Proposed to IEC62443-2-4. DCS: Distributed Control System PLC: Programmable Logic Controller PIMS: Process Information Management System 24 Control System Security Center Testing & Certification(Contʼ’d) Effects of results: Based on pilot cerYficaYon service in 2013, CSSC-‐CL started operaYng an imparYal and fair cerYficaYon service from 2014. 25 Control System Security Center Development of Human Resources Training Program Overview of Implementation of Cyber Security Practice Purpose Persons such as site supervisors, engineers, and related vendors in the fields of electric power, gas, buildings, and chemicals use a mock CSS-Base6 plant to develop awareness of security threats to control systems and practice cyber security with the purpose of verifying the validity of elements such as procedures for detecting the occurrence of security incidents and coping with resulting damage to promote the acquisition of knowledge with the focus on control system security measures in their respective fields. Dates and Venues 4 sessions implemented in four fields using CSS-Base6 from December 2014 through February 2015 Participants Cumulative total 216 people (including observers) participated in the exercises in FY 2014. Participation by entities and persons including industrial groups, operators, well-informed persons, and competent authorities. Electric power Gas Chemicals Buildings Effects of results: Growing awareness of the existence of security threats in each field and the need for countermeasures. 26 Control System Security Center OVERVIEWS OF CONTROL SYSTEM SECURITY CENTER(CSSC) Tohoku Tagajo Headquarters (TTHQ) Tagajyo Tokyo Tokyo Research Center (TRC) http://www.css-‐‑‒center.or.jp/en/index.html Control System Security Center Tohoku Tagajo Headquarters (Testbed:CSS-‐‑‒Base6) System Assessment Room (Seminar) Exercise Room A Exercise Room B Exercise Room C Miyagi Recovery Park 6th Floor F21 Building Total area 2,048㎡ Exercise Room D Entrance Central Monitor Table (3 mul4 displays) Red Team Room Plant SimulaYon Room 28 Control System Security Center Testbed:Entrance and simulated central monitor table 29 Control System Security Center Plant simulations n Extracted characteristic functions of ICS n Developed plant simulations for demonstration and cyber exercises n Implemented 9 kinds of plan simulations (1)Sewerage and drainage process automation system (2)Building automation system (3)Factory automation plant (4)Thermal electrical generating plant (5)Gas plant (6)Electrical substation for broad area (smart city) (7)Chemical process automation system (8)Factory automation plant 2 (9)Building automation system 2 30 Control System Security Center Plant simulation:(1)Sewerage and drainage process automation system 31 Control System Security Center Plant simulation:(2) Building automation system 32 Control System Security Center Plant simulation:(3) Factory automation plant 33 Control System Security Center Plant simulation:(4) Thermal electrical generating plant 34 Control System Security Center Plant simulation:(5) Gas plant 35 Control System Security Center Plant simulation:(6)Electrical substation for broad area (smart city) 36 Control System Security Center Plant simulation:(7)Chemical process automation system 37 Control System Security Center Plant simulation:(8)Factory automation plant 2 38 Control System Security Center Plant simulation:(9)Building automation system 2 39 Control System Security Center Testbed: other main features n Tools for cyber attacks and fuzzing tools for testing and verifying ICS mainly of CSSC members n Virtual network for R&D and verification environment in testbed n Rooms for verification activities n System Assessment Room (full sitting numbers about 40) for seminars and awareness raising n Blue team and red team cyber exercise n JGN-‐‑‒X (research gigabit network provided by NICT) between Tohoku Tagajo Headquarters and Tokyo Research Center 40 Control System Security Center Awareness raising and promotion l Our guests since the opening (May 2013) – 3,661 people / 735 times of plant demo u more than 250 oversea guests u 285organizations (258domestic and 27 oversea) (as of June 19, 2015) l Many VIPs of policics and industry visited CSS-‐‑‒Base6. Year/Month Events 2013.09 Welcomed thes senior vice minister for reconstruction 2014.01 Welcomed the vice ministers of Defense and the vice minister of Education, Culture, Sports, Science and Technology 2014.04 Welcomed DENSEK(Distributed ENergy SEcurity Knowledge; FP7) 2014.04 Welcomed 12 mayers around CSS-Base6 2014.06 Welcomed senior vice minister of the cabinet office 2014.07 Welcomed the president of Japan Business Federation 41 Control System Security Center Appendix: Overview of Stuxnet In September 2010, a cyber attack was launched targeting uranium-enriching centrifugal separators at a nuclear fuel facility in Iran. The attack exploited four unknown vulnerabilities in Windows so that infection would occur when PC users displayed USB memory content using Windows Explorer. It was reported that the centrifugal separators were overloaded, resulting in destruction of 20%. It is also rumored that Stuxnet has caused a major setback (approximately three years) in Iran’s nuclear development program. USB memory Malware Country-specific infection counts confirmed by Symantec Malware infection Control PC SIMATIC WinCC S7 Series PLC Source: Centrifugal separators http://ebiquity.umbc.edu/blogger/2010/09/23/ is-stuxnet-a-cyber-weapon-aimed-at-aniranian-nuclear-site/ 42