SUBSTATION SECURITY WHY FIREWALLS DON’T WORK! ©Copyright 1998, Systems Integration Specialists Company, Inc. All Rights Reserved Presented by:

Presentation transcript:


What are the issues? What is the purpose of the substation? What functions need to be protected and How? What are the issues in protecting substations?

Functions of Substation (Diagram: Substation, Control Center)
– Protect Equipment
– Enable Power Distribution
– Enable Control Center Communications
– Enable Revenue Metering
– Enable Power Quality Information

Protect Equipment - Physical Security

Vulnerable to Physical Destruction/Terrorism
– Gates typically locked but not monitored
– Control Cabinets locked but not monitored
– Substation and Power Diagrams typically in control house or panels

Control Center Communications Typically Use
– Radio
– Dial-up
– Leased Line
– WAN

Radio: 5 minutes and $1500 MAS/Licensed frequencies available on Microwave Spread Spectrum Listed in order of progressing communication security

Dial-up
– Telco switches are susceptible.
– Non-publication of phone number is no protection.
– Implementation in called device typically has no time-out, call-back, or challenge.

WAN Typical IS/IT would use Firewall to Protect? Most People think WAN::=

Firewalls - The way they work E C NO EXTERNAL COMMUNICATIONS - IT’S SAFE

Firewalls - The way they work E C OPEN HOLE IN WALL CONTROL CENTER COMMUNICATION: EXPOSURE ESTABLISH COMM LINK

Firewalls - The way they work E C TCP/IP Port (e.g. 20/21 for FTP) WELL KNOWN PORTS MEAN HIGHER RISK

Firewalls - The way they work E C TCP/IP Port (e.g. 20/21 for FTP) FIREWALLS TYPICALLY CONTROL WHO CAN CONNECT IN/OUT PER PORT. PROTOCOL IS PER PORT.

FUNCTIONS OF FIREWALL RULES ADDRESS TRANSLATION/ PROXY LAN INTERFACE EXTERNAL WAN INTERFACE WHICH PORT CONNECTION RULES TO WHOM FROM WHOM

CONNECTION RULES DETERMINE WHO CAN CONNECT AND TO WHOM
– NO RULES: ONLY PORT RESTRICTION
– SOURCE ROUTING
– USER ID/PASSWORD
– CHALLENGE
– TOKEN
– DIGITAL CERTIFICATE

SO WHAT’S WRONG? WAN E C E C Control Center

SO WHAT’S WRONG? (Diagram: E, C, Control Center)
– EAVESDROPPING
– CC->SUB (userid, password, certificate)
– HACKER->SUB (userid, password, certificate)
– SPOOF, MASQUERADE
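
Added example, not part of the original presentation: the slide above says that whatever the control center sends to the substation can be recorded on the WAN and sent again. This Python sketch compares a static password check with the CHALLENGE option from the connection-rules slide; the key, password and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key"  # assumption: provisioned in control center and device
PASSWORD = b"constructed-password"    # constructed static credential

class StaticPasswordDevice:
    """Accepts a fixed credential, so a recorded login stays valid indefinitely."""

    def login(self, credential: bytes) -> bool:
        return hmac.compare_digest(credential, PASSWORD)

class ChallengeDevice:
    """Issues a fresh nonce per attempt and accepts each nonce at most once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:
            return False              # unknown or already used challenge
        self._pending.discard(nonce)  # single use, whether or not the response is valid
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def respond(key: bytes, nonce: bytes) -> bytes:
    """Control-center side: prove knowledge of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def replay_outcomes() -> dict:
    """Send a recorded login to both devices again and report what each accepts."""
    static_dev, chal_dev = StaticPasswordDevice(), ChallengeDevice(SHARED_KEY)
    nonce = chal_dev.challenge()
    recorded = (nonce, respond(SHARED_KEY, nonce))  # the pair seen on the wire
    return {
        "static_replay": static_dev.login(PASSWORD),  # recorded password sent again
        "challenge_first_use": chal_dev.login(*recorded),
        "challenge_replay_same_nonce": chal_dev.login(*recorded),
        "challenge_replay_new_nonce": chal_dev.login(chal_dev.challenge(), recorded[1]),
    }
```

The challenge only authenticates the connection attempt; the traffic that follows is still readable unless the session is also encrypted.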

It's OK, nobody knows our protocol!
– NOT A TRUE STATEMENT
– ONLY 29% of Protocols in use are not publicly available!

EVEN MORE FUEL
– ONLY 65% of Substation Devices have Passwords enabled.
– Few Firewalls restrict services running over a given port (e.g. GET/SET).

Multiple Passwords a problem: The Greyhound Story
– NO SECURITY: NO USER PAIN
– SINGLE PASSWORD: EASY TO REMEMBER
– MULTIPLE PASSWORDS: HARD TO REMEMBER

UTILITY CONCERNS
– Repudiation
– Information Leakage
– Eavesdropping
– Replay
– Masquerade
– Spoof
– Intercept/Alter
– Denial of Service
– Indiscretion of Personnel
– Integrity Violation
– Illegitimate Use
– Authorization Violation
– Bypassing Controls

POWER QUALITY (Diagram: Substation, Control Center)
EAVESDROPPING AND INTERCEPT/ALTER MAY HAVE LARGE FINANCIAL CONSEQUENCES IN THE NEAR FUTURE!

FIREWALL SHOULD PROVIDE STRONG AUTHENTICATION NEGOTIABLE ENCRYPTION SECURE MANAGEMENT ATTACK DETECTION ANNUNCIATION

WHY AREN’T FIREWALLS ENOUGH?
Security is only as good as the weakest link in the system.
– Security in the Control Center
– Management Support and Policy
– Crisis Team
– Management

WHY AREN’T FIREWALLS ENOUGH?
Service (e.g. GET/SET) must be enabled/disabled in devices.
– Vendors see no value in strong security! Only 3 of 1000 vendors returned surveys.
– Utilities want strong security! 12% of contacted utilities responded!
Protocols and Implementation have LARGE impact after FIREWALL.
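
Added example, not part of the original presentation: it illustrates the point made here and on the "EVEN MORE FUEL" slide that a per-port rule cannot distinguish GET from SET on the same port. The frame layout (1-byte service code, 2-byte point id), the port number and the addresses are hypothetical, constructed only for this sketch.

```python
import ipaddress
import struct

# Hypothetical frame layout for illustration: 1-byte service code, 2-byte point id, payload.
SERVICES = {0x01: "GET", 0x02: "SET"}
DEVICE_PORT = 5000  # constructed port number
# Constructed per-source allowlist: anything not listed is denied.
POLICY = {
    ipaddress.ip_network("10.1.0.0/24"): {"GET", "SET"},  # control center
    ipaddress.ip_network("10.2.0.0/24"): {"GET"},         # metering, read-only
}

def allowed_services(src: str) -> set:
    """Services permitted for a source address (empty set if the source is unknown)."""
    addr = ipaddress.ip_address(src)
    return next((svc for net, svc in POLICY.items() if addr in net), set())

def port_only_rule(src: str, dst_port: int, frame: bytes) -> bool:
    """A per-port rule: checks source and port, never looks inside the frame."""
    return dst_port == DEVICE_PORT and bool(allowed_services(src))

def service_rule(src: str, dst_port: int, frame: bytes) -> bool:
    """Per-port check plus the service carried in the frame; fails closed."""
    if not port_only_rule(src, dst_port, frame) or len(frame) < 3:
        return False  # wrong port, unknown source, or truncated header
    code, _point = struct.unpack_from(">BH", frame)
    return SERVICES.get(code) in allowed_services(src)  # unknown code -> None -> denied

def build_frame(code: int, point: int, payload: bytes = b"") -> bytes:
    return struct.pack(">BH", code, point) + payload

def compare() -> list:
    """(source, service, port-only verdict, service-aware verdict) per constructed frame."""
    samples = [("10.1.0.5", 0x02), ("10.2.0.9", 0x01), ("10.2.0.9", 0x02), ("10.2.0.9", 0x7F)]
    return [(src, SERVICES.get(code, "UNKNOWN"),
             port_only_rule(src, DEVICE_PORT, build_frame(code, 17)),
             service_rule(src, DEVICE_PORT, build_frame(code, 17)))
            for src, code in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The port-only rule passes all four frames; the service-aware rule denies SET and the unknown service code from the read-only source.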

Vendors Must Participate But Why?

Let's analyze a new protocol!
– Proprietary over TCP/IP
– Where Vendors go Wrong: Just an Example! (no names to protect the guilty parties!)

General Implementation (Stack: Proprietary Protocol / TCP / IP / Ethernet)
– Non-session oriented

Denial of Service (Stack: Proprietary Protocol / TCP / IP / Ethernet)
– "Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux, ...)
Ping of Death information:

Denial of Service (Stack: Proprietary Protocol / TCP / IP / Ethernet)
– "Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux, ...)
– Port connection exhaustion

Denial of Service (Stack: Proprietary Protocol / TCP / IP / Ethernet)
– "Ping of Death" (known to kill without patches: Solaris, AOS, Windows95, Linux, ...)
– Port connection exhaustion
– Potential for bus traffic congestion.

Masquerade (Stack: Proprietary Protocol / TCP / IP / Ethernet)
– No USER/PASSWORD
– No session timeout

Information Leakage (Stack: Proprietary Protocol / TCP / IP / Ethernet)
– No USER/PASSWORD
– No session encryption

Conclusion of Protocol Design
"Any man may make a mistake; none but a fool will persist in it!"
OR
Security must be designed and protocols must be extended to support security features!

CONCLUSION to SECURITY
– Firewalls add a degree of security.
– Management Support is Critical.
– Security has value and utilities need to be willing to pay.
– Vendors need to be willing to implement strong security and authentication.