Modeling a SCADA Environment

A domain where we have found the threat modeling approach to IT security to be particularly suitable is within the critical infrastructure sector. This includes power distribution, power generation and related areas, as well as several production line and factory setups, where a SCADA solution is typically used.

If you are familiar with SCADA environments, this article will mainly be a repetition of what you already know. If so, you are welcome to skip down to the end where you can download the securiCAD SCADA model.

In essence, a SCADA solution is a set of systems for controlling distributed physical equipment. Operators control and monitor the physical processes via the centralized system which in turn is communicating with more local systems until the physical equipment is reached.

Apart from distributing commands from the staff, the central system is also involved in the delivery of measurements and status signals collected at the actual hardware in the field back to the operators and because of this, the SCADA abbreviation reads out to Supervisory Control and Data Acquisition.

Furthermore, a traditional “office-like” approach to IT security involving network- and vulnerability scanning, penetration testing and other active investigation methods, are prohibited due to the potential hazard of provoking irregular behavior and maybe overthrowing the whole solution. Therefore, the offline threat modeling approach using securiCAD is particularly suitable.

In order to create a basis for security analysis of critical and confidential solutions like these, the SEGRID research project was carried out, resulting in the research paper Load balancing of renewable energy: a cyber security analysis being published in June of 2018. It involved both threat modeling experts from the Royal Institute of Technology in Sweden and experts with thorough experience within the power distribution domain.

The SCADA Reference Architecture Example Model material guides you through the SEGRID material to show how a SCADA system is typically represented in securiCAD.


Downloads and references

The detailed map of the environment outlined by the SEGRID project, from which the screenshots in that guide are taken, is available for download here.

The securiCAD model coming from the SEGRID project is available for download here.

segrid.sCAD

The complete description of the SEGRID use case is available at the project website.

Egg or an onion?

Do you have an obviously very solid, maybe even foolproof, perimeter and trust everything on the inside? Then you’re an egg: once the attacker cracks the hard shell, everything is up for grabs.

Or do you have a perimeter on the outside that is maybe not quite so foolproof, but inside of it checks and verifications in layers upon layers? Then you’re an onion: if the attacker cracks the first layer, there are several more before the attacker can reach your golden eggs at the center.

Using securiCAD you can model both of these architecture variants:
  • Egg: Model a solid perimeter and place the attacker on the outside to check which routes you should focus on securing first.
  • Onion: If you’ve got your layers, you can place the attacker at various points, in each instance checking how far they can get after each layer of security has been broken through, and how fast.

For the Egg type of architecture, compromising the Payment validator service takes 8 days if the external firewall contains firewall rules that the attacker can make use of. If it doesn’t, the Egg architecture is completely safe. (You can experiment with this by altering the KnownRuleSet defense setting of the Firewall object.)

If the same situation should happen to the Onion type of architecture, compromising the Payment validator service takes 355 days.

Furthermore, the Egg type of architecture is only resistant to external attacks. If we look at other attack scenarios, only the Onion architecture makes the attacker’s life hard, while the Egg type of architecture is more or less a walk in the park.

You can move the Attacker from the Internet network zone to the Internal network zone to see the effect of, for instance, a phishing attack.

We have prepared two small securiCAD models for you to download and experiment with, egg.sCAD and onion.sCAD: one with a single hard shell, and one with defense in depth.

egg.sCAD

onion.sCAD

Feel free to download securiCAD Community Edition and play around with defenses, objects and attacks. See what works for you and your architecture.


Finding the golden eggs

The perimeter, just like the city walls of past centuries, is all but gone. The proliferation of Internet of Things devices and cheap SaaS solutions that can be bought by anyone with a credit card has reduced the little control CIOs had over their perimeter security to the point where “zero trust” has become the new paradigm.

But even zero trust suffers if you do not know what to protect. Configuring every application, firewall or service from a zero-trust perspective creates an enormous amount of administrative overhead. Just like DLP technology, it is a great idea on paper, but applying it wholesale to any large IT environment becomes an endless “false positive” nightmare until someone simply turns it off.

The city walls of old did not disappear by themselves. Much like today’s IT landscape, technological advances created new problems that the city walls were not adapted to. Old city walls were built high and slim; the prime objective was to prevent someone climbing over. Gunpowder and artillery changed that. As walls needed to be built thicker and thicker, they became hard to move. They cost astronomical amounts and restricted the growth of cities. Finally, they became tourist attractions and were replaced by a new paradigm: designate key targets such as parliament, banks and critical infrastructure, and then protect these targets in a way that adapts to the threat.

IT security is going in an analogous direction, with better detection and response capabilities as well as protection of the information at its source. But what is the source that needs to be protected? Many organizations have not defined their critical assets, or “golden eggs”. Without doing that, you cannot really protect your organization in an efficient way.

How do you find your golden eggs?

A simple way of doing this is to interview the leaders of your organization and ask them: “what information, if it were lost, leaked, offline or changed, would have catastrophic impacts on your area of responsibility (e.g. production, sales, etc.)?” Even without knowing anything at all about IT security, any leader should be able to answer that question. Deducing where that information resides should then be the work of the IT and Security people. If you cannot get that information from top management, there are other ways which we will come back to in other articles.

Typical “golden eggs” that most organizations share are quarterly reports, recipes, formulas, product intellectual property and know-how, short term corporate secrets (such as lay-offs or marketing campaigns), incident reports, customer lists and money streams (e.g. banks and treasuries).

Having defined your “golden eggs”, you can then designate them as critical objects in your securiCAD model and see how vulnerable they are to attacks.

Article by: Jacob Henricson, Head of Risk Services, foreseeti

securiCAD is the world-leading tool when it comes to design-case threat modeling, IT risk assessment, and automated modeling and security analysis. The approaches employed in the tool are in line with the most recent research in the field, taking place in Stockholm at KTH Royal Institute of Technology.

How to automate your cyber threat modeling & risk assessments

Threat modeling and IT risk assessment are known to be time consuming and difficult. This includes both the process of gathering information for the models and the actual assessment of risks. With securiCAD you can automate both activities by utilizing data you already have available and running quantitative attack simulations automatically.

Have you also experienced large programs aiming to do holistic modeling for an entire organization (don’t mention the words enterprise architecture), but failing miserably? This is not uncommon, and many organizations are rethinking their strategy when it comes to holistic systems modeling. Often this means starting small and building a successful business case to continue from. However, you don’t need to start small. With securiCAD by foreseeti you can automate the build of your IT infrastructure threat model by using data already available in your organization: for instance, cloud configurations, network and/or vulnerability scans, firewall configurations, inventory systems, et cetera. securiCAD automatically processes the relevant information from each data source and combines it into one complete model of your IT infrastructure. The automatic model generation process can also be combined with manually created models to represent systems where no data is available, or parts of the infrastructure that are not yet in production.

Furthermore, most threat modeling applications are based on manual analysis of the model, trying to figure out whether your system is secure or not. With securiCAD the analysis is automated by running simulated attacks across the entire IT infrastructure. The simulations test all types of attacks, taking known vulnerabilities and implemented countermeasures into account. Since the simulations are based on probabilistic statistics (Bayesian networks), the tool can also calculate the probability of zero-day vulnerabilities occurring and what their impact would be.

The only thing you as an end user need to do is tell the model which assets are most critical for you. Based on the attack simulation probabilities and the consequence of successful attacks on those assets, a risk assessment is provided. Since the tool is not only for modeling and assessing the current state, you can run different scenarios (for instance potential improvements) and see what effect these would have. For example: will the risks go down? If so, how much, compared to other scenarios? With the securiCAD API, users can get continuous risk assessments and automatically generated reports in securiCAD for tangible feedback on their risk exposure over time, and manage vulnerabilities based on objective and data-driven threat and risk simulations.

Article by: Robert Lagerström, Associate Professor in Software Systems Architecture & Security, KTH & foreseeti

Engineer your security architecture – using threat modeling and cyber-attack simulations

Background

Managing IT, especially risk and security, is difficult and costly. There is a constant struggle, and the main solution seems to be to throw more manpower at the problem. However, there are two issues with this solution: 1) finding and keeping competent people is not easy, and 2) the IT problems of today are often too large and complex for any person, even the most skilled one, to handle without computerized help. Plus, is pumping water out of a leaking ship really the best use of your highly skilled staff?

Thus, it is time to be the engineers we are trained to be, also when it comes to IT and security. With the right engineering tools we can analyze our current security posture and design future architectures that meet our security requirements.

Introduction

In mature engineering disciplines it is the gold standard to use tools when making decisions, designing new products, and making changes.

When constructing a bridge or manufacturing a new car or an airplane, blueprints are used rather than designs based on gut feeling. These design specifications and blueprints are often created and tested using Computer Aided Design (CAD) tools. Besides just presenting a description, these tools can often also simulate and analyze important aspects of the product under design.

Another aspect of design is that in most disciplines, it is easy to design something that is way too strong or way too weak. The trick is to find a balance, and in IT security it is the balance between security and usability that needs to be handled.

It is about time that IT and IT security start following the same principle when implementing and changing the IT landscape with new systems and features, including security countermeasures such as firewalls and encryption. That is, an architectural description acting as a blueprint that the different stakeholders have agreed upon, implemented in a CAD tool so that security and risk analysis can be automated (quantitative and data driven).

This is how you do it

In securiCAD, a model of the existing or planned architecture is created. The model is usually created manually, similar to drawing an architecture in Visio. The model can be enriched with existing data sources, such as vulnerability scanners or logs, but it is usually not important to have all the details in place in the model before the first simulation is run.

Once the model is created, an attacker is placed somewhere in the model. Where the attacker is placed depends on what kind of attacker the user wishes to study. It could be, for example, an external attacker coming from the Internet, or a disgruntled employee with legitimate access to the internal network and a laptop.

Depending on where the attacker is in the model, it will have different opportunities: collecting credentials, making use of missing security patches, listening to and making use of legitimate communication and access, and finding security flaws in web applications, to mention some of them. When the attacker has achieved some of these steps, other steps may become available, and the attacker takes a new look around from its new position.

In securiCAD, we can follow this attacker’s whereabouts in our model to see where our weak spots are most likely to be. More specifically, we will see which methods the attacker is expected to use, how much effort and time it is expected to take, and which assets in the model the attacker is expected to make most use of.

Based on the results, the user can explore the effects of potential mitigations and design suggestions in the model and run the simulation over again.
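To make the procedure above (and the Egg versus Onion comparison earlier on this page) concrete, here is an added, constructed attack-graph walk. It is not securiCAD’s engine, model format or data: node names, the effort values in days and the “disabled step” representation of a defense are all assumptions, chosen only to show how attacker placement and a removed perimeter rule change the expected effort to reach a critical asset.

```python
import heapq

# Constructed example (not securiCAD's engine or data): attack steps are graph
# nodes, edges carry an assumed expected effort in days for the attacker.
# Egg-style model: one hard perimeter, then a flat internal network.
EGG = {
    "internet": {"ext_fw_rule": 5},          # a firewall rule the attacker can use
    "ext_fw_rule": {"internal_net": 1},
    "internal_net": {"payment_validator": 4},
    "payment_validator": {},
}
# Onion-style model: same perimeter plus an inner firewall and application auth.
ONION = {
    "internet": {"ext_fw_rule": 5},
    "ext_fw_rule": {"dmz_net": 1},
    "dmz_net": {"int_firewall": 30},
    "int_firewall": {"internal_net": 1},
    "internal_net": {"app_auth": 60},
    "app_auth": {"payment_validator": 4},
    "payment_validator": {},
}

def effort_to_compromise(graph, start, target, disabled=frozenset()):
    """Least expected effort (days) from the attacker's start step to target.
    Dijkstra over the attack graph; steps listed in `disabled` are removed,
    which is how a defense (e.g. no usable firewall rule) is represented here.
    Returns None when the target is unreachable."""
    best = {start: 0}
    heap = [(0, start)]
    while heap:
        days, step = heapq.heappop(heap)
        if step == target:
            return days
        if days > best.get(step, float("inf")):
            continue  # stale heap entry
        for nxt, cost in graph[step].items():
            if nxt in disabled:
                continue  # defense removes this step entirely
            if days + cost < best.get(nxt, float("inf")):
                best[nxt] = days + cost
                heapq.heappush(heap, (days + cost, nxt))
    return None

if __name__ == "__main__":
    for name, g in (("egg", EGG), ("onion", ONION)):
        # attacker on the Internet, attacker already on the internal net
        # (e.g. after phishing), and Internet with the usable rule removed
        print(name, [effort_to_compromise(g, s, "payment_validator")
                     for s in ("internet", "internal_net")],
              effort_to_compromise(g, "internet", "payment_validator", {"ext_fw_rule"}))
```

Moving the start node from "internet" to "internal_net" is the analogue of moving the Attacker object between network zones, and passing the perimeter step in `disabled` is the analogue of a perimeter with no usable rule.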

Conclusions

Being responsible for a ship, you don’t want your crew to run around searching for and fixing leaks (when they are not busy pumping water, that is). Nor do you want them to go around hammering on different parts of the construction (the parts they can easily reach) to see if it will break. What you would really like to do instead is to let your staff use tools to foresee where problems will occur next, how bad they will be and how they are related, based on the ship’s design and the quality of the material used. That is what threat modeling with attack simulation is all about.

Article by: Robert Lagerström, Joar Jacobsson, and Jacob Henricson, foreseeti