Modeling a SCADA Environment

A domain where we have found the threat modeling approach to IT security to be particularly suitable is within the critical infrastructure sector. This includes power distribution, power generation and related areas, as well as several production line and factory setups, where a SCADA solution is typically used.

If you are familiar with SCADA environments, this article will mainly be a repetition of what you already know. If so, you are welcome to skip down to the end where you can download the securiCAD SCADA model.

In essence, a SCADA solution is a set of systems for controlling distributed physical equipment. Operators control and monitor the physical processes via the centralized system which in turn is communicating with more local systems until the physical equipment is reached.

Apart from distributing commands from the staff, the central system is also involved in delivering the measurements and status signals collected at the actual hardware in the field back to the operators. This is why the SCADA abbreviation reads out as Supervisory Control and Data Acquisition.

Furthermore, a traditional “office-like” approach to IT security involving network and vulnerability scanning, penetration testing and other active investigation methods is prohibited in these environments, because of the potential hazard of provoking irregular behavior and possibly bringing down the whole solution. Therefore, the offline threat modeling approach using securiCAD is particularly suitable.

In order to create a basis for security analysis of critical and confidential solutions like these, the SEGRID research project was carried out, resulting in the research paper Load balancing of renewable energy: a cyber security analysis, published in June 2018. It involved both threat modeling experts from the Royal Institute of Technology in Sweden and experts with thorough experience within the power distribution domain.

The SCADA Reference Architecture Example Model material will guide you through the SEGRID material to show how a SCADA system is typically represented in securiCAD.


Downloads and references

The detailed map of the environment outlined by the SEGRID project, from which the above screenshots are taken, is available for download here.

The securiCAD model coming from the SEGRID project is available for download here.


The complete description of the SEGRID use case is available at the project website.

Do you have an egg or an onion?

Do you have an obviously very solid, maybe you’d even say foolproof, perimeter and trust everything on the inside? Then you’re an egg: once the attacker cracks the hard shell, everything is up for grabs.

Or do you have a perimeter on the outside, maybe not quite so foolproof, but inside of it also checks and verifications in layers upon layers? Then you’re an onion: if the attacker cracks the first layer, there are several more to get through before the attacker can reach your golden eggs at the center.

Using securiCAD you can model both of these architecture variants:
  • Egg: Model a solid perimeter and place the attacker on the outside to check which routes you should focus on securing first.
  • Onion: If you’ve got your layers, you can place the attacker at various points, in each instance checking how far they can get after each layer of security has been broken through, and how fast.

For the Egg type of architecture, compromising the Payment validator service takes 8 days if the external firewall contains firewall rules that the attacker can make use of. If it doesn’t, the Egg architecture is completely safe. (You can explore this by altering the KnownRuleSet defense setting of the Firewall object.)

In the same situation, compromising the Payment validator service in the Onion type of architecture takes 355 days.

Furthermore, the Egg type of architecture is only resistant to external attacks. If we look at other attack scenarios, only the Onion architecture makes the life of the attacker hard, while the Egg type of architecture is more or less a walk in the park.

You can move the Attacker from the Internet network zone to the Internal network zone to see the effect of for instance a phishing attack.

We have prepared two small securiCAD models for you to download and experiment with, egg.sCAD and onion.sCAD: the first with a single hard shell, the second with defense in depth.
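To make the egg-versus-onion comparison concrete, here is an added toy attack-path model written for this article; it is not securiCAD code and it does not reproduce securiCAD's probabilistic simulation. Each architecture is a directed graph whose nodes (Internet, ExternalFirewall, DMZ, InternalNetwork, PaymentValidator and the hypothetical internal firewalls) are assumed names, and whose edge weights are constructed "days of attacker effort" chosen only to illustrate the shape of the result. A shortest-path search from a chosen attacker position then answers the two questions the text raises: can the attacker reach the target at all, and how fast. Toggling `known_ruleset` mimics the KnownRuleSet idea by removing the edge through the external firewall, and moving the start node from Internet to InternalNetwork mimics the phishing scenario.

```python
"""Added example: compare an 'egg' and an 'onion' architecture as attack graphs.

Node names and edge weights (days) are constructed for illustration only.
"""
import heapq


def shortest_attack_path(graph, start, target):
    """Dijkstra over graph {node: {neighbor: days}}.

    Returns (total_days, path) or (None, []) when target is unreachable.
    """
    dist = {start: 0}
    prev = {}
    queue = [(0, start)]
    done = set()
    while queue:
        days, node = heapq.heappop(queue)
        if node in done:
            continue
        done.add(node)
        if node == target:
            break
        for nxt, cost in graph.get(node, {}).items():
            candidate = days + cost
            if candidate < dist.get(nxt, float("inf")):
                dist[nxt] = candidate
                prev[nxt] = node
                heapq.heappush(queue, (candidate, nxt))
    if target not in dist:
        return None, []
    path = [target]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[target], list(reversed(path))


def build_egg(known_ruleset=True):
    """One hard shell: once past the external firewall, everything is close."""
    graph = {
        "Internet": {},
        "ExternalFirewall": {"InternalNetwork": 1},
        "InternalNetwork": {"PaymentValidator": 1},
        "PaymentValidator": {},
    }
    if known_ruleset:  # attacker can make use of a firewall rule (constructed cost)
        graph["Internet"]["ExternalFirewall"] = 3
    return graph


def build_onion(known_ruleset=True):
    """Defense in depth: every hop inside costs the attacker more time."""
    graph = {
        "Internet": {},
        "ExternalFirewall": {"DMZ": 2},
        "DMZ": {"InternalFirewall": 10},          # hypothetical internal firewall
        "InternalFirewall": {"InternalNetwork": 2},
        "InternalNetwork": {"AppSegmentFirewall": 15},  # hypothetical segment firewall
        "AppSegmentFirewall": {"PaymentValidator": 5},
        "PaymentValidator": {},
    }
    if known_ruleset:
        graph["Internet"]["ExternalFirewall"] = 3
    return graph


ATTACKER_POSITIONS = ("Internet", "InternalNetwork")  # external vs. phished insider


def compare_architectures(known_ruleset=True, target="PaymentValidator"):
    """Days to reach the target for each (architecture, attacker position)."""
    results = {}
    for name, graph in (("egg", build_egg(known_ruleset)),
                        ("onion", build_onion(known_ruleset))):
        for start in ATTACKER_POSITIONS:
            days, _path = shortest_attack_path(graph, start, target)
            results[(name, start)] = days
    return results


if __name__ == "__main__":
    for ruleset in (True, False):
        print(f"known_ruleset={ruleset}")
        for (arch, start), days in compare_architectures(ruleset).items():
            verdict = "unreachable" if days is None else f"{days} days"
            print(f"  {arch:5} from {start:15}: {verdict}")
```

With the external firewall's rule set known, the egg falls in a handful of days from the Internet while the onion costs far more; with the rule set closed, both are unreachable from the Internet, but an attacker who starts on the internal network (the phishing case) still walks straight to the target in the egg and still has two layers to cross in the onion.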

Feel free to download securiCAD Community Edition and experiment with defenses, objects and attacks. See what works for you and your architecture.