SECURING WIRELESS SCADA. Presented by: TSgt Andrew R. Krekow, 954th Reserve Support Squadron, JTRU, USTRANSCOM TCJ3-YC DoDIN Operations Center (TDOC)


Page 1: SECURING WIRELESS SCADA - afitc-event.com · SCADA The presentation does not represent the official position of the DOD, USTRANSCOM, or the USAF. Unless explicitly stated otherwise

SECURING WIRELESS SCADA

Presented by: TSgt Andrew R. Krekow
954th Reserve Support Squadron, JTRU
USTRANSCOM TCJ3-YC DoDIN Operations Center (TDOC)

Page 2

SECURING WIRELESS SCADA

The presentation does not represent the official position of the DOD, USTRANSCOM, or the USAF, unless explicitly stated otherwise.

The intent of this session is to discuss design concepts and ideas pertaining to wireless SCADA/ICS/IIoT infrastructure: specifically, applications of regulatory guidance, migration from legacy to modern network infrastructure, and future trends in wireless telecommunications.

Page 3

A range of cybersecurity guidelines are available for critical infrastructure and industrial control systems. These guidelines help users assess threats, plan their networks, and employ the right security controls. The most common guidelines are outlined below.

• NERC CIP
• NIST SP800-97
• NIST SP800-82
• Industry Guidelines

Page 4

NERC CIP - The mission of the North American Electric Reliability Corporation (NERC) is to ensure the reliability of the bulk power system in North America. The NERC CIP (Critical Infrastructure Protection) standards specify a cybersecurity framework that includes incident reporting, management of security controls, training, and recovery planning that is applicable to electric utilities and energy providers. NERC CIP defines the responsibilities, processes, policies, and activities that an entity must establish and maintain to manage the cybersecurity risks on its infrastructure.

Page 5

NIST SP800-82 - The National Institute of Standards and Technology (NIST) has been heavily involved in setting guidelines and industry best practices for industrial control systems for many years. NIST publication SP800-82, Guide to Industrial Control Systems Security, is applicable to any organization with a distributed control or SCADA system. SP800-82 provides guidance on the selection and application of security controls including configuration management, access control, identification and authentication, and audit and accountability.

Page 6

NIST SP800-97 - This publication seeks to assist organizations in understanding, selecting, and implementing technologies based on Institute of Electrical and Electronics Engineers (IEEE) 802.11i, part of the IEEE 802.11 family of wireless networking standards. The document explains at length the security features and capabilities associated with IEEE 802.11i through its framework for Robust Security Networks (RSN), and provides extensive guidance on the planning and deployment of RSNs. The document also discusses previous IEEE 802.11 security measures and their shortcomings.

Page 7

DoD Guidance: Enhancing Cyber Security Risk Management for Control Systems Supporting DoD Owned Defense Critical Infrastructure

Page 8

DoD Guidance: Legacy Network Technologies

Page 9

FIPS 140-2 - This Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing four increasing, qualitative levels intended to cover a wide range of potential applications and environments. The areas covered, related to the secure design and implementation of a cryptographic module, include specification; ports and interfaces; roles, services, and authentication; finite state model; physical security; operational environment; cryptographic key management; electromagnetic interference/electromagnetic compatibility (EMI/EMC); self-tests; design assurance; and mitigation of other attacks.

Page 10

Motorola R56

Page 11

IT Meet OT

Page 12

IT vs OT

Page 13

IT vs OT

Page 14

Industrial Communicators

• Electrical & Telecommunications Engineers
• Electrical Technicians, Electricians, Linemen and Maintainers
• Information Technology: Infrastructure, Security, Switching, Routing, and Applications Specialists
• SCADA and Network Operations Professionals
• Cyber Security Specialists

Page 15

Security Levels

Page 16

Wireless Security Framework: Secure the User

Configuration Files
Device configuration files should be stored on redundant secure servers and only be made available to a device after it has been authenticated.

User Accounts
Username / password login is required for device management interfaces. Automatic lockout after consecutive failed login attempts. Different user levels with read, write, and execute privileges.

RADIUS / AAA
Centralized user authentication through RADIUS, with support for a secondary RADIUS server to provide high reliability. RADIUS user accounts can be mapped to specific RBAC roles.

Restrict to Secure Protocols
HTTPS, SSH, SNMPv3, and NETCONF can provide secure access to device configuration and management. No HTTP, Telnet, or SNMP v1 or v2.

Audit and Logging
Devices should have on-board event logging and alarm tracking, including user login/logout, configuration changes, and network connections. Events should be forwarded to a central system via SNMPv3 or another approved IETF protocol.

802.1X
Utilizing Ethernet port authentication ensures that only permitted devices can plug into the Ethernet port and gain access. Devices should be challenged with user/pass prior to being granted access.
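The "Secure the User" items above are a checklist a device owner can audit mechanically. The following is an added example, not code from the slides or any vendor: it scores a device's exported management configuration against that checklist. The configuration dictionary layout and its field names are assumptions standing in for whatever a real radio or router exports; both sample configurations are constructed.

```python
"""Audit a wireless SCADA device's management configuration against the
"Secure the User" checklist (secure protocols only, lockout, RADIUS with a
backup, central logging, 802.1X, separated privilege levels).
Added example; the config layout below is an assumption, not a vendor format."""

# Constructed sample: a device export with several weak settings.
SAMPLE_CONFIG = {
    "services": {"http": True, "https": True, "telnet": True, "ssh": True,
                 "snmp_v1": False, "snmp_v2c": True, "snmp_v3": True,
                 "netconf": False},
    "lockout": {"enabled": False, "max_failed_attempts": 0},
    "radius": {"primary": "10.0.0.5", "secondary": None},
    "syslog_target": None,
    "dot1x": {"enabled": False},
    "roles": ["admin"],
}

# Constructed sample: the same device after remediation.
HARDENED_CONFIG = {
    "services": {"http": False, "https": True, "telnet": False, "ssh": True,
                 "snmp_v1": False, "snmp_v2c": False, "snmp_v3": True,
                 "netconf": True},
    "lockout": {"enabled": True, "max_failed_attempts": 5},
    "radius": {"primary": "10.0.0.5", "secondary": "10.0.0.6"},
    "syslog_target": "10.0.0.20",
    "dot1x": {"enabled": True},
    "roles": ["read-only", "operator", "admin"],
}

INSECURE_SERVICES = ("http", "telnet", "snmp_v1", "snmp_v2c")
SECURE_SERVICES = ("https", "ssh", "snmp_v3", "netconf")


def audit_config(cfg):
    """Return a list of findings; an empty list means the device is compliant."""
    findings = []
    services = cfg.get("services", {})
    # Plaintext management protocols must be off, and at least one
    # encrypted/authenticated one must be on.
    for svc in INSECURE_SERVICES:
        if services.get(svc):
            findings.append(f"insecure management protocol enabled: {svc}")
    if not any(services.get(s) for s in SECURE_SERVICES):
        findings.append("no secure management protocol enabled")
    # Brute-force protection on the login interface.
    lockout = cfg.get("lockout", {})
    if not lockout.get("enabled") or lockout.get("max_failed_attempts", 0) < 1:
        findings.append("no automatic lockout after consecutive failed logins")
    # Centralized AAA, with a secondary server so authentication is not a
    # single point of failure for the control network.
    radius = cfg.get("radius", {})
    if not radius.get("primary"):
        findings.append("no RADIUS server configured (local-only accounts)")
    elif not radius.get("secondary"):
        findings.append("no secondary RADIUS server (single point of failure)")
    # Local logs alone are lost if the device is wiped or replaced.
    if not cfg.get("syslog_target"):
        findings.append("events not forwarded to a central log collector")
    if not cfg.get("dot1x", {}).get("enabled"):
        findings.append("802.1X port authentication disabled")
    # A single role means every operator is an administrator.
    if len(set(cfg.get("roles", []))) < 2:
        findings.append("single privilege level; no read/write/execute separation")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "compliant")
```

Run against a fleet, the findings list per device is what feeds the NERC CIP / SP800-82 evidence trail; the checks are deliberately boolean so the same script can be re-run after every configuration push.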

Page 17

Wireless Security Framework: Secure the Device

Digitally Signed Firmware
Firmware is cryptographically signed by the OEM (and customer) to ensure authenticity. A secure wireless device checks the signature at power-on and on firmware upgrades.

Tamper Detection
Movement in any axis or rotation should be detected by accelerometers or magnetometers around the wireless device.

Port Disable
Every logical port (such as HTTPS, SSH, and SNMP), virtual interface, physical port, or wireless port should be individually enabled and disabled.

Secure Firmware Upgrade
Firmware upgrades are loaded on the wireless device through a secure transfer protocol such as SFTP.

Firewall
Stateful Packet Inspection (SPI) firewalls can be configured to accept, drop, or reject traffic through each wireless or wired network interface.

Secure Boot
Wireless routers should run secure checks upon booting and prevent themselves from fully booting if it is discovered that the hardware has been tampered with.
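The signed-firmware and secure-boot items above both come down to one check: the image the device is about to run verifies against a public key it already trusts. The following is an added example, not code from the slides or from any OEM. Because Python's standard library has no RSA or ECDSA, it uses a hash-based Lamport one-time signature, which is a real signature scheme but not what production devices use (those rely on RSA/ECDSA in a FIPS 140-2 validated module); the key material and firmware bytes are constructed here.

```python
"""Signed-firmware verification as a wireless router would run it at power-on
and before accepting an upgrade.  Added example: a Lamport one-time signature
(SHA-256, stdlib only) stands in for the OEM's RSA/ECDSA signature.
A Lamport private key must sign exactly one image; reuse leaks secrets."""
import hashlib
import os

HASH = hashlib.sha256
N_BITS = 256  # one secret pair per bit of the SHA-256 digest


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 of every secret, in the same layout."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def _bits(data):
    """Digest of the image as a list of 256 bits, most significant first."""
    digest = int.from_bytes(HASH(data).digest(), "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(sk, image):
    """For each digest bit, reveal the secret that corresponds to that bit."""
    return [sk[i][bit] for i, bit in enumerate(_bits(image))]


def verify(pk, image, signature):
    """Recompute the digest and check every revealed secret hashes to the
    public-key entry selected by the matching bit.  All 256 entries are
    checked regardless of where a mismatch occurs."""
    if len(signature) != N_BITS:
        return False
    ok = True
    for i, bit in enumerate(_bits(image)):
        if HASH(signature[i]).digest() != pk[i][bit]:
            ok = False
    return ok


def secure_boot(oem_pk, image, signature):
    """Boot policy: refuse to run an image whose signature does not verify
    against the OEM public key provisioned into the device."""
    if not verify(oem_pk, image, signature):
        return "HALT: firmware signature invalid"
    return "BOOT: firmware authentic"


if __name__ == "__main__":
    sk, pk = keygen()                       # done once, at the OEM
    firmware = b"constructed firmware image v1.0"
    sig = sign(sk, firmware)                # shipped alongside the image
    print(secure_boot(pk, firmware, sig))   # BOOT
    print(secure_boot(pk, firmware + b"\x00", sig))  # HALT: one byte changed
```

The same `verify` call gates the upgrade path: the new image and its signature arrive over SFTP, and the device checks them against the stored OEM key before writing anything to flash, so transport security (SFTP) and image authenticity (the signature) are independent controls.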

Page 18

Wireless Security Framework: Secure the Network

Physical Layer Encryption
Authentication and encryption are driven by pre-shared keys or a certificate-based EAP-TLS handshake with key rotation. Encryption should be performed with 256-bit AES or higher.

WiFi Security
WPA2 Enterprise delivers the strongest standards-based authentication and encryption. Do not broadcast SSIDs. Leverage VPN tunnels and firewalls for additional security.

Edge Firewalls
Stateful Packet Inspection (SPI) firewalls that can be configured to accept, drop, or reject traffic through each wireless or wired network interface should be employed.

IPsec VPN Encryption
IPsec VPN provides encrypted end-to-end tunnels between wireless devices or to a VPN concentrator. Some wireless routers support DMVPN for scalable deployments.

Certificate Management
X.509 digital certificates, in DER and PEM format, are provisioned and automatically renewed through the Simple Certificate Enrollment Protocol (SCEP). Secure wireless routers can integrate with multi-tier PKI structures.

VLANs / Traffic Segregation
IEEE 802.1Q VLAN trunks and access ports can provide separation of traffic. In addition, separating SCADA and management traffic can prevent data loss or corruption.
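Segregating SCADA and management traffic on 802.1Q VLANs only helps if something checks that frames actually stay in their zone. The following is an added example, not code from the slides: a small 802.1Q/IPv4/TCP frame parser with a policy that flags untagged frames on a trunk, unknown VLAN IDs, and TCP services that do not belong in a zone. The VLAN-to-zone mapping, the allowed port lists, and the frame bytes are all constructed assumptions.

```python
"""Parse 802.1Q-tagged Ethernet frames and enforce a VLAN segregation policy.
Added example; VLAN IDs, zone names and port lists are assumptions."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Assumed policy: VID 10 carries SCADA polling, VID 20 carries management.
VLAN_POLICY = {10: "scada", 20: "management"}
# 502 Modbus/TCP, 20000 DNP3; 22 SSH, 443 HTTPS, 830 NETCONF.
ALLOWED_PORTS = {"scada": {502, 20000}, "management": {22, 443, 830}}


def parse_frame(frame):
    """Return the VLAN ID (None if untagged), EtherType, IP protocol and TCP
    destination port found in a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    vid = None
    if ethertype == TPID_8021Q:
        # Tag Control Information: 3-bit PCP, 1-bit DEI, 12-bit VID.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF
        offset = 18
    info = {"vlan": vid, "ethertype": ethertype, "proto": None, "dst_port": None}
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= offset + 20:
        ihl = (frame[offset] & 0x0F) * 4          # IPv4 header length in bytes
        info["proto"] = frame[offset + 9]          # protocol field
        tcp_off = offset + ihl
        if info["proto"] == PROTO_TCP and len(frame) >= tcp_off + 4:
            info["dst_port"] = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]
    return info


def check_policy(frame):
    """Classify one frame seen on the trunk against VLAN_POLICY/ALLOWED_PORTS."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return "ALERT: untagged frame on trunk"
    zone = VLAN_POLICY.get(info["vlan"])
    if zone is None:
        return f"ALERT: unknown VLAN {info['vlan']}"
    port = info["dst_port"]
    if port is not None and port not in ALLOWED_PORTS[zone]:
        return f"ALERT: tcp/{port} not permitted in {zone} zone (VLAN {info['vlan']})"
    return f"OK: VLAN {info['vlan']} ({zone})"


def build_frame(vid, dst_port):
    """Construct a minimal (optionally tagged) IPv4/TCP frame for testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    ip = (bytes([0x45, 0]) + struct.pack("!H", 40) + b"\x00\x00\x40\x00"
          + bytes([64, PROTO_TCP]) + b"\x00\x00"
          + bytes([10, 0, 10, 1]) + bytes([10, 0, 10, 2]))   # 20-byte header
    tcp = struct.pack("!HH", 40000, dst_port) + b"\x00" * 16  # 20-byte header
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


if __name__ == "__main__":
    for vid, port in ((10, 502), (10, 23), (20, 23), (99, 22), (None, 502)):
        print(check_policy(build_frame(vid, port)))
```

Fed from a SPAN port or a capture file, this is the detection side of the "VLANs / Traffic Segregation" control: Telnet on the management VLAN and untagged frames on a trunk are both signs that the segregation the design assumed is not what the switch is doing.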

Page 19

Wireless Security Framework: Secure the Signal

System Reliability
Ensure the system reliability is high enough to provide the expected response time. This should be determined by the criticality of the link. Think PACE!

Fresnel Zones
Ensure 0.6 (60%) of the first Fresnel zone is unimpeded.

Dirt Is Your Friend
Antennas should be no higher than necessary. Minimize output power in order to reduce self-interference. Be a good neighbor!

RF Isolation
Separate antennas sufficiently, either by physical separation or by polarization, such that near-field effects are insignificant compared to far-field effects.

Ensure Proper Installation
Grounding, bonding, shielding, clean power, lightning protection, cable termination, aesthetics, and weatherproofing are all critical factors in a proper installation.

Minimize Obstructions
Near obstructions are worse than far obstructions. Lower carrier frequencies are significantly less susceptible to obstructions.

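The 60% Fresnel-zone rule above is a number a path survey has to produce for every obstruction along the link. The following is an added example, not from the slides: it applies the standard first-Fresnel-zone radius formula, r = sqrt(λ · d1 · d2 / (d1 + d2)), at each obstruction and reports whether the line of sight clears 0.6 r there. Link length, antenna heights and obstacle positions are constructed, and the profile is treated as flat (earth curvature ignored), which is an assumption that holds only for short paths.

```python
"""First Fresnel zone clearance check for a point-to-point radio path.
Added example; the link geometry below is constructed and the terrain is
assumed flat (no earth-curvature correction)."""
import math

C = 299_792_458.0  # speed of light, m/s


def fresnel_radius(freq_hz, d1_m, d2_m, zone=1):
    """Radius (m) of the n-th Fresnel zone at a point d1 from one antenna
    and d2 from the other."""
    wavelength = C / freq_hz
    return math.sqrt(zone * wavelength * d1_m * d2_m / (d1_m + d2_m))


def los_height(h_tx, h_rx, d1_m, d_total_m):
    """Height of the straight line of sight at distance d1 from the transmitter."""
    return h_tx + (h_rx - h_tx) * d1_m / d_total_m


def clearance_check(freq_hz, d_total_m, h_tx, h_rx, obstacles, fraction=0.6):
    """For each (distance_from_tx_m, obstacle_height_m) return
    (distance, required_clearance, actual_clearance, ok)."""
    results = []
    for dist, h_obs in obstacles:
        r1 = fresnel_radius(freq_hz, dist, d_total_m - dist)
        required = fraction * r1
        actual = los_height(h_tx, h_rx, dist, d_total_m) - h_obs
        results.append((dist, round(required, 2), round(actual, 2), actual >= required))
    return results


if __name__ == "__main__":
    # Constructed 10 km link, both antennas at 30 m AGL, 900 MHz.
    obstacles = [(5000, 10),   # 10 m tree line at mid-path
                 (5000, 15),   # 15 m tree line at mid-path
                 (100, 28)]    # 28 m structure 100 m from the tower
    for row in clearance_check(900e6, 10_000, 30, 30, obstacles):
        print("dist=%5d m  need %.2f m  have %.2f m  %s"
              % (row[0], row[1], row[2], "OK" if row[3] else "BLOCKED"))
    # Same path at 5.8 GHz: the zone is narrower, so less height is needed.
    print("r1 at mid-path, 900 MHz: %.1f m, 5.8 GHz: %.1f m"
          % (fresnel_radius(900e6, 5000, 5000), fresnel_radius(5.8e9, 5000, 5000)))
```

Two things the numbers show that the rule alone does not: the zone is widest at mid-path and narrows toward each antenna, so a structure close to a tower intrudes on a large fraction of the zone even when it is well below the antenna; and the radius scales with the square root of the wavelength, so the same path needs more clearance height at 900 MHz than at 5.8 GHz even though the lower frequency diffracts around obstructions better.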

Page 20

Obstructions

Page 21

Obstructions

Page 22

Obstructions

Page 23

Lightning Protection

Page 24

Poor Installation

Page 25

Proper Installation

Page 26

Future Trends

Historical - Licensed NB: 100 MHz, 200 MHz, 300 MHz, 450 MHz, (700 MHz), 900 MHz

Bridge - Unlicensed WB: 900 MHz, 2.4 GHz, 5.8 GHz

Cellular/LTE:
  Present: Bands 2, 4, 5, 12, 13, 17, 25, 26
  In Progress: Band 14 (FirstNet)
  Pending: Band 8 Private LTE

Page 27

Licensed Narrowband Networks

Bureaucracy
Raise your hand if you enjoy doing paperwork. Licenses can take upwards of six months to acquire and involve a rigorous application process. Legally protected from interference.

Not Scalable
As systems grow and more devices are brought online, restrictions based on FCC licenses reduce the ability of the system to handle large numbers of end points.

Expensive Chipsets
Chips designed to operate in classical SCADA bands are not mass produced on a scale comparable to LTE chips.

TCP IPsec VPN Encryption
Overhead bandwidth for encrypted TCP packets and layer 2 frames may not be available without advanced modulation techniques. More complex modulation generally reduces the RF coverage of radios.

DoS
Operating frequencies are publicly known and static; therefore they are easily jammed.

HMI and SNMP Traps
Active monitoring of the network devices comes at great bandwidth (BW) expense. However, in order to monitor network health and security these functions must be made available.

Page 28

Un-Licensed Broadband Networks

Bureaucracy
No licenses required: turn on and operate. Only limited by band EIRP (ERP).

Scalable
Compared to narrowband, significantly more devices can be added to the network without significantly impacting network operations. 1 Mbps

Expensive Chipsets
Chips designed to operate in classical SCADA bands are not mass produced on a scale comparable to LTE chips.

TCP IPsec VPN Encryption
Overhead bandwidth for encrypted TCP packets and layer 2 frames is available without advanced modulation techniques. EIRP limits output power, gain, and range.

FHSS
Frequency hopping radios are inherently resistant to jamming due to their utilization of a broad spectrum of frequencies. Similar to legacy HAVE QUICK communications.

HMI and SNMP Traps
More available BW to support network monitoring protocols.

Page 29

Cellular LTE

Bureaucracy
No licenses required: turn on and operate. Currently, major telecom providers provide spectrum management.

Scalable
Large amounts of available bandwidth allow for thousands of devices to operate on a single network. 5 Mbps+

Expensive Chipsets
Chipsets are relatively cheap due to their mass production for the cellular phone industry.

TCP IPsec VPN Encryption
Overhead bandwidth for encrypted TCP packets and layer 2 frames is available. Can support DMVPN with IPsec, NHRP, and GRE tunnels to securely link several LANs together.

Private LTE
Although the backbone infrastructure is quite expensive (imagine owning your own cellular tower), the low cost of end points can make these types of networks no-brainers when the number of end points is in the thousands. True private turn-key LTE systems may become available in the near future with FCC approval.

Firmware, Configuration, HMI and SNMP Traps
More available BW to support network monitoring protocols. Sufficient bandwidth to push EEPROM updates and configuration changes to end point devices.
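The three comparison slides above make the same point from three angles: IPsec framing and SNMP monitoring cost bandwidth that a licensed narrowband link may not have, while unlicensed broadband and LTE have it to spare. The following is an added example, not from the slides: a capacity model that adds up per-packet IPv4/TCP, ESP tunnel and GRE overhead for a polling cycle and computes link utilization on each class of link. Header sizes are the standard ones (IPv4 20, TCP 20, UDP 8, GRE 4, ESP with AES-GCM: 8-byte header, 8-byte IV, 2-byte trailer, 16-byte ICV, 4-byte alignment padding); the 9.6 kbps narrowband rate, the 8-byte radio framing, the endpoint count, the poll interval and the Modbus/TCP payload sizes are constructed assumptions, and TCP acknowledgements are ignored.

```python
"""Bandwidth budget for SCADA polling over plain TCP, ESP tunnel mode, and
GRE-over-ESP (DMVPN-style), on narrowband, unlicensed broadband and LTE
links.  Added example; link rates, traffic shape and framing are assumptions."""

IPV4, TCP, UDP, GRE = 20, 20, 8, 4
ESP_HDR, ESP_IV, ESP_TRAILER, ESP_ICV = 8, 8, 2, 16   # ESP with AES-GCM
LINK_FRAMING = 8   # assumed per-packet radio link-layer framing, bytes


def esp_tunnel_len(inner_len):
    """Size of an ESP tunnel-mode packet carrying inner_len bytes of IP packet."""
    pad = (-(inner_len + ESP_TRAILER)) % 4     # align trailer to 4 bytes
    return IPV4 + ESP_HDR + ESP_IV + inner_len + pad + ESP_TRAILER + ESP_ICV


def packet_len(payload, mode, transport="tcp"):
    """Bytes on the air for one application message of `payload` bytes."""
    inner = IPV4 + (TCP if transport == "tcp" else UDP) + payload
    if mode == "plain":
        total = inner
    elif mode == "ipsec":
        total = esp_tunnel_len(inner)
    elif mode == "gre_ipsec":                  # GRE tunnel carried inside ESP
        total = esp_tunnel_len(IPV4 + GRE + inner)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return total + LINK_FRAMING


def link_utilization(link_bps, endpoints, poll_interval_s, req_bytes, resp_bytes,
                     mode, trap_bytes=0, traps_per_min=0):
    """Fraction of link capacity consumed by polling every endpoint once per
    interval, plus optional SNMP traps (UDP) from each endpoint."""
    per_poll = packet_len(req_bytes, mode) + packet_len(resp_bytes, mode)
    polling_bps = endpoints * per_poll * 8 / poll_interval_s
    trap_bps = endpoints * traps_per_min * packet_len(trap_bytes, mode, "udp") * 8 / 60
    return (polling_bps + trap_bps) / link_bps


if __name__ == "__main__":
    # Constructed workload: 50 RTUs, Modbus/TCP read of 10 registers every 10 s
    # (12-byte request, 29-byte response), one 100-byte SNMP trap per minute each.
    links = {"licensed NB 9.6 kbps": 9_600, "unlicensed WB 1 Mbps": 1_000_000,
             "LTE 5 Mbps": 5_000_000}
    for name, bps in links.items():
        for mode in ("plain", "ipsec", "gre_ipsec"):
            u = link_utilization(bps, 50, 10, 12, 29, mode, trap_bytes=100, traps_per_min=1)
            print(f"{name:22s} {mode:10s} utilization {u:6.1%}")
```

On the constructed workload the plain-TCP polling alone takes about 57% of the 9.6 kbps link and the ESP-encapsulated version exceeds 100%, which is the "may not be available" case the narrowband slide describes; the same traffic is roughly 1% of a 1 Mbps link. Changing the numbers at the top to the real radio, poll rate and RTU count turns this into the first question to answer before choosing an encryption design for a legacy narrowband network.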

Page 30

The End

Personally Recommended Further Reading

Page 31

Questions