Title:
Securing SCADA systems
Personal Author:
Publication Information:
Indianapolis, IN : Wiley Publishing, 2006
ISBN:
9780764597879
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010114548 | TS156.8 K78 2006 | Open Access Book | Book | Searching... |
Searching... | 30000010114547 | TS156.8 K78 2006 | Open Access Book | Book | Searching... |
Searching... | 30000010114550 | TS156.8 K78 2006 | Open Access Book | Book | Searching... |
Searching... | 30000010114549 | TS156.8 K78 2006 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Bestselling author Ron Krutz once again demonstrates his ability to make difficult security topics approachable with this first in-depth look at SCADA (Supervisory Control And Data Acquisition) systems Krutz discusses the harsh reality that natural gas pipelines, nuclear plants, water systems, oil refineries, and other industrial facilities are vulnerable to a terrorist or disgruntled employee causing lethal accidents and millions of dollars of damage-and what can be done to prevent this from happening Examines SCADA system threats and vulnerabilities, the emergence of protocol standards, and how security controls can be applied to ensure the safety and security of our national infrastructure assets
Author Notes
Ronald L. Krutz, PhD, P.E., CISSP, ISSEP, is Senior Information Security Researcher for Lockheed Martin Information Technologies
Table of Contents
| About the Author | p. vii |
| Acknowledgments | p. xvii |
| Introduction | p. xix |
| Chapter 1 What Is a SCADA System? | p. 1 |
| History of Critical Infrastructure Directives SCADA System Evolution, Definitions, and Basic Architecture | p. 3 |
| SCADA Evolution | p. 5 |
| SCADA Definition | p. 6 |
| SCADA System Architecture | p. 7 |
| SCADA Applications | p. 10 |
| SCADA System Security Issues Overview | p. 16 |
| SCADA and IT Convergence | p. 16 |
| Conventional IT Security and Relevant SCADA Issues | p. 17 |
| Redundancy as a Component of SCADA Security | p. 20 |
| SCADA System Desirable Properties | p. 20 |
| Summary | p. 22 |
| Chapter 2 SCADA Systems in the Critical Infrastructure | p. 23 |
| Employment of SCADA Systems | p. 23 |
| Petroleum Refining | p. 23 |
| The Basic Refining Process | p. 24 |
| Possible Attack Consequences | p. 26 |
| Nuclear Power Generation | p. 26 |
| The Boiling Water Reactor | p. 27 |
| The Pressurized Water Reactor | p. 28 |
| Possible Attack Consequences | p. 29 |
| Conventional Electric Power Generation | p. 30 |
| Petroleum Wellhead Pump Control | p. 32 |
| Water Purification System | p. 34 |
| Crane Control | p. 36 |
| SCADA in the Corporation | p. 37 |
| Chemical Plant | p. 38 |
| Benzene Production | p. 38 |
| Embedded Systems | p. 40 |
| Why We Should Worry about These Operations | p. 40 |
| Summary | p. 41 |
| Chapter 3 The Evolution of SCADA Protocols | p. 43 |
| Evolution of SCADA Protocols | p. 43 |
| Background Technologies of the SCADA Protocols | p. 44 |
| Overview of the OSI Model | p. 44 |
| Overview of the TCP/IP Model | p. 48 |
| SCADA Protocols | p. 50 |
| The MODBUS Model | p. 50 |
| The DNP3 Protocol | p. 52 |
| UCA 2.0 and IEC61850 Standards | p. 53 |
| Controller Area Network | p. 54 |
| Control and Information Protocol | p. 55 |
| DeviceNet | p. 56 |
| ControlNet | p. 57 |
| EtherNet/IP | p. 57 |
| FFB | p. 59 |
| Profibus | p. 61 |
| The Security Implications of the SCADA Protocols | p. 63 |
| Firewalls | p. 63 |
| Packet-Filtering Firewalls | p. 63 |
| Stateful Inspection Firewalls | p. 65 |
| Proxy Firewalls | p. 65 |
| Demilitarized Zone | p. 65 |
| Single Firewall DMZ | p. 66 |
| Dual Firewall DMZ | p. 66 |
| General Firewall Rules for Different Services | p. 66 |
| Virtual Private Networks | p. 69 |
| Summary | p. 71 |
| Chapter 4 SCADA Vulnerabilities and Attacks | p. 73 |
| The Myth of SCADA Invulnerability | p. 73 |
| SCADA Risk Components | p. 76 |
| Managing Risk | p. 78 |
| Risk Management Components | p. 79 |
| Assessing the Risk | p. 79 |
| Mitigating the Risk | p. 80 |
| SCADA Threats and Attack Routes | p. 81 |
| Threats | p. 81 |
| SCADA Attack Routes | p. 82 |
| Typical Attacker Privilege Goals | p. 83 |
| SCADA Honeynet Project | p. 85 |
| Honeypots | p. 85 |
| Honeynet Project | p. 86 |
| SCADA Honeynet | p. 86 |
| Summary | p. 87 |
| Chapter 5 SCADA Security Methods and Techniques | p. 89 |
| SCADA Security Mechanisms | p. 89 |
| Improving Cybersecurity of SCADA Networks | p. 90 |
| Implementing Security Improvements | p. 96 |
| SCADA Intrusion Detection Systems | p. 97 |
| Types of Intrusion Detection Systems | p. 98 |
| Network-Based and Host-Based IDS | p. 98 |
| Signature-Based and Anomaly-Based IDS | p. 99 |
| Active-Response IDS | p. 99 |
| Passive-Response IDS | p. 100 |
| Processing of IDS Data | p. 100 |
| Vulnerability Scanning and Analysis | p. 100 |
| SCADA Audit Logs | p. 102 |
| Security Awareness | p. 106 |
| Summary | p. 108 |
| Chapter 6 SCADA Security Standards and Reference Documents | p. 109 |
| ISO/IEC 17799:2005 and BS 7799-2:2002 | p. 110 |
| ISO/IEC 1779:2005 | p. 111 |
| BS 7799-2:2002 | p. 112 |
| ISA-TR99.00.01-2004, Security Technologies for Manufacturing and Control Systems | p. 113 |
| ISA-TR99.00.02-2004, Integrating Electronic Security into the Manufacturing and Control Systems Environment | p. 114 |
| GAO-04-140T, Critical Infrastructure Protection, Challenges in Securing Control Systems | p. 115 |
| NIST, System Protection Profile for Industrial Control Systems (SPP ICS) | p. 117 |
| Federal Information Processing Standards Publication (FIPS Pub) 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004 | p. 117 |
| Additional Useful NIST Special Publications | p. 119 |
| NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems | p. 119 |
| NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems | p. 120 |
| NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems | p. 121 |
| Summary | p. 122 |
| Chapter 7 SCADA Security Management Implementation Issues and Guidelines | p. 123 |
| Management Impressions of SCADA Security | p. 123 |
| SCADA Culture | p. 124 |
| Unique Characteristics and Requirements of SCADA Systems | p. 125 |
| Limitations of Current Technologies | p. 126 |
| Guidance for Management in SCADA Security Investment | p. 127 |
| Information-System Security Engineering | p. 127 |
| Discover Information Protection Needs | p. 128 |
| Define System Security Requirements | p. 128 |
| Design System Security Architecture | p. 128 |
| Develop Detailed Security Design | p. 129 |
| Implement System Security | p. 129 |
| Common Criteria Protection Profiles | p. 130 |
| Defense-in-Depth | p. 130 |
| People | p. 131 |
| Technology | p. 131 |
| Operations | p. 132 |
| Defense-in-Depth Strategy | p. 132 |
| The NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems | p. 134 |
| NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems | p. 136 |
| Summary | p. 137 |
| Chapter 8 Where We Stand Today | p. 139 |
| The Status Today | p. 139 |
| Human Issues | p. 140 |
| Weakness of Standard Security Approaches | p. 142 |
| The Oil and Gas Industry | p. 142 |
| API Standard 1164 | p. 143 |
| AGA Report Number 12 | p. 144 |
| Interdependencies | p. 144 |
| Rail System Security | p. 145 |
| Port Security | p. 146 |
| Legislation | p. 148 |
| Threats to Seaports | p. 148 |
| Countermeasures | p. 149 |
| Conventional Countermeasures | p. 149 |
| Advanced Countermeasures | p. 150 |
| Security Controls That Can Be Put in Place Now | p. 151 |
| Summary | p. 152 |
| Appendix A Acronyms and Abbreviations | p. 153 |
| Appendix B System Protection Profile - Industrial Control Systems | p. 157 |
| Appendix C Bibliography | p. 195 |
| Index | p. 201 |
