Editor's Note: This article was contributed by David Alexander, head of vulnerability research at Regency IT Consulting.
To understand the problems faced by SCADA users, the team at Regency IT Consulting wanted to build a basic test rig. The goal with the rig was to help us understand the users’ challenges and to interact with the technology and protocols.
I've always worked on the basis of needing to be able to 'take things apart' and understand their internals before I look at how to protect them. Call it going back to the first principles of Information Security if you like, but to me it's simple common sense and a methodical approach.
Development of the SCADA Security Operations Centre (SOC)
The first prototype was boxes and wires everywhere on a bench. We could change it around and try things, add and subtract components and attempt 'off the wall' stuff that challenged conventional thinking. Never assume that the intuitive approach is the best. Instead, deliberately throw a metaphorical spanner (1) in the works and see what happens. Do what doesn't make sense and apply Murphy's Law, because in real life that is what tends to happen all too regularly.
Having learned from the prototype, we worked on the Mark 2 version. This version was intended not just as a test rig, but also as a demonstration system. We didn’t want to have a SCADA security demo that was pre-recorded and used a script with a video. Those are too boring.
Instead, we wanted to show people the reality, and to allow them to interact with it. We used the Tofino SCADA Security Simulator, large version, as the starting point, and then added touch screens and the actual working systems to control it. This was called “Security Operations Centre in a Box”, which quickly became “SOC-in-a-Box”. I can’t take credit for the name or for the engineering behind it, that was our Operations Manager Dan Hanman and his team.
The "SOC-in-a-Box" contains the control workstation for the Tofino Security Appliances, a fully working McAfee SIEM (Security Information and Event Management system) and McAfee's application whitelisting technology. There are firewalls, a switch and all the cabling and power. The box is hidden in the base of the stand you can see in the picture.
Shown is the Regency IT “Security Operations Centre in a Box”. Photo: Regency IT Consulting.
It Demonstrates, It Tests Stuff, It Looks Good and It Travels Too!
From arriving on site with 3 flight cases I can have the stand and system set up and running in just over an hour. Yes, I did say flight cases. This system is not only effective; it’s also air-portable! We’re just waiting for the first emergency call from a client to bring it to their defense – and we could do the same on your site.
Using the system we can run a variety of attacks from different vectors with the rig in undefended, partially defended or fully defended mode. We can show the different impacts, the value of each defense, and the behavior of the associated monitoring tools.
This isn't smoke and mirrors; I have run hundreds of live demonstrations, including at the recent International Cyber Security Forum for Energy and Utilities conference in Abu Dhabi. Eric Byres had the opportunity to examine and play with the system himself, so over to him for a few words.
More than just a SCADA Security Demo
David’s SOC-in-a-Box is an amazing bit of engineering. There are many SCADA demos out there (including our Tofino SCADA Security Simulator) that can show you a cool SCADA hack or two. And there are even a few that integrate a solution in them too. But what Regency IT did was create a wide range of different attack scenarios to represent the real world of threats faced by the typical power or oil and gas company.
Then they integrated a number of separate security products together to provide a realistic defense scenario as well. No company can depend on a single technology to solve all their security needs, so a demo that shows a multi-technology situation is far closer to real life.
To cap it off, Regency IT worked to create a seamless interaction between PLCs, HMI, firewalls, whitelisting and SIEMs. For example, launch a Modbus-based attack against the PLC and of course the Tofino Firewall will detect it. But the event is then fed into the SIEM to provide a dashboard view of what is happening across the entire SCADA and IT network. That integration is more than a demo; it is proof that integrated security solutions can be created.
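To make the firewall-to-SIEM step above concrete, here is an added example (not code from the Tofino appliance, Regency IT or McAfee) of the two pieces a protocol-aware firewall has to combine: parsing the Modbus/TCP frame far enough to see the function code, checking it against a per-host policy, and emitting the verdict as a CEF-style syslog line that a SIEM can ingest. The host addresses, the policy table, the `ExampleVendor` product string and the sample frames are all constructed for illustration; the rule logic is a deliberate simplification of what a real industrial firewall does.

```python
"""
Minimal Modbus/TCP deep packet inspection with SIEM-style event output.

Constructed example: the addresses, policy and frames below are made up for
illustration and the rule logic is a simplification, not any vendor's code.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol Specification V1.1b).
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus the function code, rejecting malformed frames."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    # The MBAP length field counts the unit id and the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, func, payload[8:])


def build_request(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used here to construct test traffic)."""
    pdu = bytes([func]) + data
    return struct.pack(">HHH", tid, 0, len(pdu) + 1) + bytes([unit]) + pdu


@dataclass
class Rule:
    src: str
    dst: str
    allowed_funcs: frozenset


# Hypothetical policy: the HMI (.10) may read and write the PLC (.50); the historian (.20) may only read.
POLICY = [
    Rule("10.1.1.10", "10.1.1.50", frozenset(READ_FUNCS) | frozenset(WRITE_FUNCS)),
    Rule("10.1.1.20", "10.1.1.50", frozenset(READ_FUNCS)),
]


def cef(event_id: int, name: str, severity: int, extension: str) -> str:
    """Format one CEF line: Version|Vendor|Product|Device Version|Signature ID|Name|Severity|Extension."""
    return f"CEF:0|ExampleVendor|ModbusDPI|1.0|{event_id}|{name}|{severity}|{extension}"


def describe(req: ModbusRequest) -> str:
    """CEF custom-string extensions carrying the Modbus details the analyst will want."""
    fname = READ_FUNCS.get(req.function) or WRITE_FUNCS.get(req.function) or "Unknown"
    return (f"cs1Label=unitId cs1={req.unit_id} cs2Label=functionCode cs2={req.function} "
            f"cs3Label=functionName cs3={fname}")


def inspect(src: str, dst: str, payload: bytes):
    """Return ('allow' | 'deny', cef_event_line) for one Modbus/TCP request."""
    base = f"src={src} dst={dst} dpt=502 proto=TCP"
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return "deny", cef(100, "Malformed Modbus/TCP frame", 8, f"{base} msg={exc}")
    ext = f"{base} {describe(req)}"
    for rule in POLICY:
        if rule.src == src and rule.dst == dst:
            if req.function in rule.allowed_funcs:
                return "allow", cef(200, "Modbus request permitted", 1, ext)
            return "deny", cef(201, "Modbus function not permitted by policy", 9, ext)
    return "deny", cef(202, "Modbus request from unauthorised host", 7, ext)


def demo():
    """Run constructed traffic through the inspector: HMI write, historian write, unknown host."""
    write_reg = build_request(1, 1, 6, struct.pack(">HH", 40, 1234))   # write register 40 := 1234
    read_regs = build_request(2, 1, 3, struct.pack(">HH", 0, 10))      # read 10 holding registers
    return [
        inspect("10.1.1.10", "10.1.1.50", write_reg),   # HMI write: allowed
        inspect("10.1.1.20", "10.1.1.50", read_regs),   # historian read: allowed
        inspect("10.1.1.20", "10.1.1.50", write_reg),   # historian write: blocked, severity 9
        inspect("10.1.1.99", "10.1.1.50", read_regs),   # unknown host: blocked
    ]


if __name__ == "__main__":
    for verdict, event in demo():
        print(verdict.upper(), event)
```

The point of the `cs2`/`cs3` extensions is that the SIEM dashboard can then pivot on "write function codes from hosts that are not the HMI" rather than on a bare deny counter; that is the correlation the paragraph above describes, and it only works if the firewall exports the protocol detail, not just an IP-level block.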
If you get a chance to see the SOC-in-a-Box demo, take advantage of it. It will open your eyes to what is possible using the technology on the market today.
(1) The UK word for wrench
Update Sept 20, 2012
The “Security Operations Centre-in-a-Box” has been nominated for an innovation award by Utilities Middle East. Here is what the publication says about it:
“With utilities operators becoming increasingly aware of the existence of cyber threats to automation systems, Cassidian CyberSecurity's recent launch of its Security Operation Centre has been timely. Utilizing industrial firewalls, whitelisting and deep packet inspection of data, the firm has created an integrated system to protect the information systems of critical national infrastructure.”
(Ed. Note: Cassidian is the parent company of Regency IT Consulting)
Eric Byres collaborated with David on this article.
- Webpage: Regency IT Home Page
- Blog: A Truly Portable SCADA Security Simulator
- Blog: Use Purchasing Decisions to Demand better ICS Security
- Blog: SCADA Security and the Broken Business Model for Software Testing
© Tofino Security 2012 | All Rights Reserved | Tofino Security is part of Hirschmann, a Belden Brand