Over the past 6 years, the team at Byres Security Inc. and Byres Research has envisioned, managed and completed over 20 major research and consulting projects in the field of SCADA and control system security. Below are a few of the projects that we think you might find interesting and, where applicable, links to some of the resulting publications...


Project: OPC Good Security Practices Research
Sponsor: Kraft Foods Ltd.
Completed: November 2007
Publications: OPC Security Whitepaper #1, OPC Security Whitepaper #2, OPC Security Whitepaper #3

This project produced a report defining good security practices for the use of the OLE for Process Control (OPC) industrial communications standards in industrial settings. This includes the widely used Data Access (DA), Alarms and Events (A&E), and Historical Data Access (HDA) portions of the OPC standards.

Project: A White Paper on Security Incidents and Trends in the SCADA and Process Industries
Sponsor: Symantec Corporation
Completed: February 2007

Analysis of the Industrial Security Incident Database (ISID), looking for trend data in cyber impacts on critical control systems in the energy industries. The paper itself is divided into three main sections.



Project: DNP3 Security Vulnerability Analysis and Testing
Sponsor: Cisco Critical Infrastructure Assurance Group (CIAG)
Completed: August 2006

The DNP3 Security Vulnerability Analysis project was funded under Cisco's Research Grants program to analyze this widely used SCADA protocol and identify its potential vulnerabilities. The work included:
  • Analysis of the DNP3 specifications to uncover possible risks inherent in the protocol.
  • Deconstruction of the protocol to allow the development of a vulnerability checker designed to test SCADA products deploying DNP3.
  • Based on the results of this analysis, recommendations were developed for improving the security of the protocol, the SCADA devices using it and the deployment of DNP3 SCADA systems.


Project: Security Testing of Emergency Shutdown Systems
Sponsor: BP International p.l.c, London, UK
Completed: March 2006

Project: ISA SP-99-WG1 Security Technologies Working Group
Sponsor: BCIT Research Project
Publications:  Security Technologies for Manufacturing and Control Systems

Project: Application Layer Toolkit for SCADA Protocol Testing
Sponsor: US Department of Defense – Technical Support Working Group (TSWG)
Completed: November 2005
Publications: E.J. Byres, D. Hoffman and N. Kube; "On Shaky Ground - A Study of Security Vulnerabilities in Control Protocols"

The project developed a security module generator and toolkit that provides a rapid means of creating application layer test modules for specific SCADA protocols. Once created, the modules run on the Achilles Protocol Vulnerability Test Platform and allow network security specialists and equipment manufacturers to test critical SCADA network components for both known and undiscovered security flaws at the application layer before the equipment is deployed.

This project extended the Achilles Protocol Vulnerability Test Platform by creating the methodology and a core toolkit that lets testers inexpensively generate application layer security modules for specific SCADA protocols. Once generated by the toolkit, these modules can be used to test SCADA devices using fuzz and two-cover traffic generation techniques. As part of this project, modules were developed for the MODBUS/TCP protocol, with other protocols to follow. Project phases included:
  • Development of a module generation toolkit consisting of a structured protocol description language (PDL), a PDL interpreter and a case file generator for creating application layer fuzz, two-cover and corner-case test modules.
  • Using the toolkit described above to generate application layer software tools for the vulnerability testing of MODBUS/TCP devices.
  • Testing the complete SCADA Protocol Vulnerability Test Platform system against two representative MODBUS/TCP devices.
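As an added illustration of the corner-case and fuzz test generation described above (example code written for this page, not the Achilles toolkit or its PDL, neither of which is reproduced here), the following Python builds MODBUS/TCP Read Holding Registers requests from the publicly documented frame layout, derives boundary cases from the field limits, generates random fuzz frames, and includes a reference validator showing what a conformant device should reject. The case names, the validator and the exception-code mapping in the comments are assumptions made for the example.

```python
"""Corner-case and fuzz test-case generation for MODBUS/TCP (Read Holding Registers).

Added example, not the Achilles toolkit. Frame layout follows the public MODBUS/TCP
specification: MBAP header (transaction id, protocol id = 0, length, unit id) followed
by the PDU (function code + data). Length counts the unit id plus the PDU.
"""
import random
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id
READ_HOLDING_REGISTERS = 0x03
MAX_READ_QUANTITY = 125         # spec limit on registers per FC 3 request


def build_frame(function_code, data, transaction_id=1, unit_id=1, length=None):
    """Build a MODBUS/TCP ADU. `length` can be overridden to produce inconsistent frames."""
    pdu = bytes([function_code]) + data
    if length is None:
        length = 1 + len(pdu)   # unit id + PDU, as the spec requires
    return MBAP.pack(transaction_id, 0, length, unit_id) + pdu


def read_holding_registers(start, quantity, **kw):
    return build_frame(READ_HOLDING_REGISTERS, struct.pack(">HH", start, quantity), **kw)


def corner_cases():
    """Boundary cases a test module would derive from the field definitions (constructed)."""
    return {
        "baseline": read_holding_registers(0, 10),
        "quantity_zero": read_holding_registers(0, 0),
        "quantity_max": read_holding_registers(0, MAX_READ_QUANTITY),
        "quantity_max_plus_one": read_holding_registers(0, MAX_READ_QUANTITY + 1),
        "quantity_ffff": read_holding_registers(0, 0xFFFF),
        "address_wrap": read_holding_registers(0xFFFF, 2),
        "length_too_small": read_holding_registers(0, 10, length=2),
        "length_too_large": read_holding_registers(0, 10, length=0xFFFF),
        "unknown_function": build_frame(0x7F, b"\x00\x00\x00\x01"),
        "truncated_pdu": build_frame(READ_HOLDING_REGISTERS, b"\x00"),
    }


def fuzz_cases(count, seed=0):
    """Random function codes and short random payloads; seeded so a run is reproducible."""
    rng = random.Random(seed)
    cases = {}
    for i in range(count):
        data = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 8)))
        cases[f"fuzz_{i}"] = build_frame(rng.randrange(256), data, transaction_id=i)
    return cases


def check_request(frame):
    """Reference validation of a request, as a conformant slave should do before acting.

    Returns None if the frame is well-formed, otherwise a short reason. A test harness
    would expect the device under test to answer such frames with an exception response
    (or drop them), never to act on them or crash.
    """
    if len(frame) < MBAP.size + 1:
        return "short frame"
    _tid, pid, length, _uid = MBAP.unpack_from(frame)
    if pid != 0:
        return "bad protocol id"
    if length != len(frame) - 6:
        return "length field inconsistent"
    fc = frame[7]
    data = frame[8:]
    if fc == READ_HOLDING_REGISTERS:
        if len(data) != 4:
            return "bad data length"
        start, qty = struct.unpack(">HH", data)
        if not 1 <= qty <= MAX_READ_QUANTITY:
            return "quantity out of range"   # illegal data value (exception code 03)
        if start + qty > 0x10000:
            return "address range wraps"     # illegal data address (exception code 02)
        return None
    return "unsupported function"            # illegal function (exception code 01)


def classify(cases):
    """Map each case name to the validator's verdict."""
    return {name: check_request(frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, verdict in classify({**corner_cases(), **fuzz_cases(5)}).items():
        print(f"{name:24s} {verdict or 'well-formed'}")
```

The validator is the oracle half of the setup: each generated frame is sent to the device under test, and a device that accepts a frame the validator rejects (or that stops responding to the baseline request afterwards) is the finding.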

Project: Quantitative Risk Analysis Methodology for Cyber Threats
Sponsor: Idaho National Labs
Completed: October 2005

Development of a framework and methodology that can be used to estimate the risk associated with cyber attacks on SCADA/Control Systems and the risk reduction when mitigating factors are employed. Primary emphasis is on the development of quantitative parameters and tools to support the risk analysis methodology. This includes the development of a defensible process to estimate the probability of deliberate attacks coming through specific nodes of an attack tree. The attack trees are used to estimate the risk associated with an electronic attack (eA) and/or cyber attack (cyA) on a SCADA/Control System, correlated with actual reported attack events. This includes:

  • Developing a typical deployment model for a SCADA/Control System.
  • Developing meaningful and orthogonal indicators for the capabilities needed to exploit a vulnerability (the ISID database of known system attack events is a critical asset used to develop these indicators).
  • Identifying the threat agents interested in an eA/cyA of a SCADA/Control System.
  • Writing meaningful profiles for each threat agent and assigning appropriate levels to each indicator.
  • Testing the profiles and indicators by case study.
  • Developing meaningful functions for risk mitigation.
 
Project: Security Mechanisms for the Nonproliferation of Critical Software
Sponsor: Major Energy Company
Completed: August 2005
 
Project: Control System/SCADA Security Demonstration Unit
Sponsor: US National Defense University, Washington, DC
Completed: August 2005
 
Project: Investigation of Firewall Effectiveness in SCADA Systems
Sponsor: Centre for the Protection of National Infrastructure (CPNI), London, UK
Completed:  February 2005
Publications:

E.J. Byres, B. Chauvin, D. Hoffman, J. Karsch and N. Kube; "The Special Needs of SCADA/PCN Firewalls: Architectures and Test Results", The 11th IEEE International Conference on Emerging Technologies and Factory Automation, Institute of Electrical and Electronics Engineers, Catania, Italy, September 2005

BCIT Group for Advanced Information Technology, “Good Practice Guide on Firewall Deployment for SCADA and Process Control Networks - Policy and Best Practice ID. 00157”, National Infrastructure Coordination Centre, UK , 23 February 2005


This project assessed the effectiveness of deploying firewalls in SCADA and process control environments in critical infrastructures. Based on these results, a series of recommendations were developed as best practices for firewall installation in SCADA environments.

  • The first stage of the SCADA Firewall Effectiveness Investigation assessed the effectiveness of common IT firewalls deployed in SCADA and process control environments. The project commenced with a survey of end-users and vendors to determine current best practices for firewall deployment in these settings. The resulting configurations were then analyzed for effectiveness against typical CIP threats.
  • The second stage of the study included lab testing the effectiveness of current firewall technology in mitigating known SCADA vulnerabilities and identifying the limitations of these systems.

The resulting Good Practice Guide is now widely used as the primary reference document for firewall application in critical infrastructure protection by major international organizations including the UK CPNI, the US Department of Homeland Security CSSP and Microsoft Corporation.

Project: Process Control System Security Audit
Sponsor: Major North American Petroleum Company
Completed: December 2004
Publications: E.J. Byres and A. Creery; “Industrial Cybersecurity For Power System And SCADA Networks”

This project developed and then deployed a non-intrusive audit methodology for determining the detailed status of all assets connected to process control networks in multiple company locations.

  • The audit project started with the development of a set of non-intrusive security audit instruments and procedures tailored to process control facilities in the petroleum industry (in particular Honeywell based systems).
  • Once these methodologies were completed, the project moved into the audit phase and four team members traveled to the client sites to conduct structured interviews with process control management and staff.
  • Next the team conducted a detailed device audit, investigating all networked devices in the process areas at these sites.
  • On return from the sites, the audit team commenced the reduction and analysis of the collected device and interview data to produce a comprehensive risk analysis.
  • An audit report was produced outlining the areas of both compliance and concern. In addition, a consolidated asset database was created for the company's long-term security management.

Project: Achilles Protocol Vulnerability Test Platform
Sponsor: BP International p.l.c, London, UK
Completed: June 2004
 
Project: Portable SCADA Security Risk Demo Unit
Sponsor: National Infrastructure Security Coordination Centre, London, UK
Completed: December 2003
 
Project: SCADA Security Educational Videos
Sponsor: BP International p.l.c, London, UK
Completed: September 2003
 
Project: MODBUS Protocol Vulnerability Analysis
Sponsor: Centre for the Protection of National Infrastructure (CPNI), London, UK
Completed: May 2003
Publications: E.J. Byres, M. Franz and D. Miller ; "The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems"

The MODBUS Security Vulnerability Analysis project was funded to analyze this widely used SCADA protocol and identify its potential vulnerabilities. The work included:
  • Analysis of the MODBUS specifications to uncover possible risks inherent in the protocol, using attack tree models.
  • Deconstruction of the protocol to allow the development of a vulnerability checker designed to test SCADA products deploying MODBUS.
  • Detailed testing of representative SCADA products.
  • Based on the results of this analysis, recommendations were developed for improving the security of the protocol, the SCADA devices using it and the deployment of MODBUS SCADA systems.
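The attack-tree analysis of MODBUS above and the quantitative risk methodology of the Idaho National Labs project (threat-agent profiles, capability indicators, mitigating factors) both rest on the same mechanics, so one added example serves both passages. It is illustration code written for this page, not the sponsored methodology, the ISID-derived indicators or the CPNI attack trees: the tree, the three indicators, the agent profiles, the probabilities and the mitigation factors are all constructed for the example. A leaf is only reachable by an agent whose level on every required indicator meets the leaf's minimum; reached leaves carry a success probability that deployed mitigations scale down; OR nodes combine children as independent alternatives and AND nodes as a conjunction.

```python
"""Attack-tree risk estimate with threat-agent capability indicators and mitigations.

Added example; the tree, indicators, profiles and numbers below are constructed and
are not taken from the projects described on this page.
"""
from dataclasses import dataclass, field

INDICATORS = ("access", "protocol_knowledge", "tooling")   # constructed indicator set


@dataclass
class Leaf:
    name: str
    required: dict                  # minimum indicator level (0-3) needed to attempt the step
    p_success: float                # probability the step succeeds once attempted, unmitigated
    mitigations: dict = field(default_factory=dict)   # mitigation name -> residual factor


@dataclass
class Node:
    name: str
    op: str                         # "AND" or "OR"
    children: list


def leaf_probability(leaf, agent, deployed):
    """Zero if the agent lacks a required capability; else base probability times
    the residual factor of every deployed mitigation that applies to this leaf."""
    if any(agent.get(k, 0) < level for k, level in leaf.required.items()):
        return 0.0
    p = leaf.p_success
    for mitigation, factor in leaf.mitigations.items():
        if mitigation in deployed:
            p *= factor
    return p


def probability(node, agent, deployed=frozenset()):
    """Probability that the (sub)tree rooted at `node` succeeds for this agent.
    Children are treated as independent: OR = 1 - prod(1 - p), AND = prod(p)."""
    if isinstance(node, Leaf):
        return leaf_probability(node, agent, deployed)
    ps = [probability(child, agent, deployed) for child in node.children]
    if node.op == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.op == "OR":
        none_succeed = 1.0
        for p in ps:
            none_succeed *= 1.0 - p
        return 1.0 - none_succeed
    raise ValueError(f"unknown operator {node.op!r}")


# Constructed tree: an unauthorized register write to a MODBUS/TCP slave.
# The attacker must reach the control network AND forge the write (MODBUS has no
# authentication, so once on the network the write itself is almost always accepted).
TREE = Node("write_to_plc", "AND", [
    Node("reach_control_network", "OR", [
        Leaf("pivot_via_business_lan", {"access": 1, "tooling": 2}, 0.6,
             {"scada_firewall": 0.2}),
        Leaf("dialup_or_vendor_vpn", {"access": 2}, 0.5, {"vpn_mfa": 0.3}),
        Leaf("physical_plant_access", {"access": 3}, 0.9),
    ]),
    Leaf("forge_write_single_register", {"protocol_knowledge": 1, "tooling": 1}, 0.95,
         {"deep_packet_inspection": 0.1}),
])

# Constructed threat-agent profiles: level 0-3 on each indicator.
AGENTS = {
    "script_kiddie": {"access": 1, "protocol_knowledge": 0, "tooling": 2},
    "disgruntled_insider": {"access": 3, "protocol_knowledge": 2, "tooling": 1},
    "capable_outsider": {"access": 2, "protocol_knowledge": 3, "tooling": 3},
}


def risk(agent_name, deployed=frozenset(), impact=1.0):
    """Risk = impact x probability of the root event for the named agent."""
    return impact * probability(TREE, AGENTS[agent_name], frozenset(deployed))


def risk_reduction(agent_name, deployed):
    """(risk before, risk after, fractional reduction) for a set of mitigations."""
    before = risk(agent_name)
    after = risk(agent_name, deployed)
    return before, after, (before - after) / before if before else 0.0


if __name__ == "__main__":
    for agent in AGENTS:
        b, a, r = risk_reduction(agent, {"scada_firewall", "deep_packet_inspection"})
        print(f"{agent:20s} before={b:.3f} after={a:.3f} reduction={r:.0%}")
```

Running it shows the two properties the methodology is after: the indicator gate sends the script kiddie's risk to zero because the profile lacks protocol knowledge, and the firewall mitigation reduces the outsider's risk while doing nothing for the insider, whose paths into the control network never cross the firewall. The independence assumption in the OR/AND combination is the usual simplification and should be stated whenever such numbers are reported.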

Project: Security Risks to Wireless Networks In Industrial Environments
Sponsor: Major Petroleum Company
Completed:  September 2002

Project: Analysis of Security Risks to Process Control Systems
Sponsor: Major Petroleum Company
Completed: January 2002


Project: Security needs in the Energy Sector
Sponsor: Industry Canada
Completed: March 2006

Industry Canada provided funding for the development of a report and industry seminar on the "Security Needs for Critical Infrastructure in the Energy Industry". The RCMP was a co-presenter at the event. The seminar was held at the BCIT Downtown Campus on March 28, 2006, with 65 participants attending from a mixture of energy and security companies throughout BC. The final report was delivered to Industry Canada on March 31.


Project: Process Control System Security Review
Sponsor: Major Petroleum Company
Completed: November 2005

A cyber security review of process control systems and corporate practices at the company's refineries, which was then used to develop a detailed plan for a process control security program. The work included:
  • An initial review of process control architectures and policies using client supplied diagrams and documentation.
  • Onsite inspections of key facilities to view and assess actual security status of each control network.
  • A report reviewing the security policies and architectures used to protect Honeywell systems from cyber attack, providing recommendations for possible security improvements.
  • Define a recommended process control security program for the refineries.


Byres Security Inc. and Byres Research
P.O. Box 178
Lantzville BC V0R 2H0

Phone: 250-390-1333
Fax: 250-390-3899
Email: info@ByresSecurity.com