
Threat modeling a wind farm

THOMAS HEYMAN – CYBER SECURITY COALITION, 26/05/2021

Hello, my name is Thomas Heyman

Academic background (PhD in secure software architecture, KU Leuven)

Threat modeling instructor

Security architect (focus on bridging gap between IT/OT)


Agenda

• Wind farms

• Identifying risks with threat modeling

• Addressing risks

• Wrap up

Wind farms and cyber security

Wind farms

The growing importance of wind

By year end 2019 Belgium had 3.9 GW installed capacity of wind power.

• 2.3 GW land based, 1.6 GW offshore

• 8120 GWh total production

Offshore wind capacity will rise to 4.5 GW and onshore wind will exceed 4 GW by 2030.

To compare, Belgium has two nuclear power plants operating with a net (generation) capacity of 5.8 GW.

[Chart: Electricity generation mix in 2020 (TWh; %), source Elia]

A (simplified) wind farm

[Diagram: the Business / IT side, the Generation / OT side, and the connection to Elia]

Wind farms and cyber security

OT versus IT

• OT department: electrical and civil engineers

• Lack of security and solution architects

• OT environment: mix of vendors with open solutions

• Vendors do their own thing if not challenged

• OT security: the firewall

Critical attack vector 1: supply chain attacks


Standard IT solutions do not work

• OT has different security requirements

• AIC (availability, integrity, confidentiality) instead of CIA

• Safety and loss of life

• Grid stability and environmental considerations

• Typically no dedicated OT security capability

• …but depending on IT introduces its own risks

Critical attack vector 2: phishing


Risk keeps increasing

Risk = likelihood x impact

• More interconnected open platforms (likelihood ↑)

• You cannot copy-paste IT solutions, but lack of dedicated OT security capability (likelihood ↑)

• Even larger impact on power grid (impact ↑)

• Juicy target for criminals / terrorism (likelihood ↑)


Real world consequences

Colonial Pipeline ransomware attack, May '21

Finding risks

• Pentests are not always the answer. But when all you have is a firewall…

• Security level is not maturity level. It might just be secure by accident…

• Risk requires architectural thinking


Identifying risks with threat modeling

Threat modeling… or systematically identifying architectural weaknesses

Ideally up-front, but can be performed on existing systems.

“The sooner the better, but never too late”

How Toreon does threat modeling

1. Data Flow Diagram (DFD)

2. STRIDE (or attack trees, domain specific frameworks) + OWASP risk rating

3. Standard mitigations & architectural patterns

4. Follow-up interview, to ICS specific security assessment

A (high level) wind farm model

ICS architecture

• Data

• Control

Taking into account OT requirements

STRIDE with modified priorities

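An added example, not taken from the deck or from Toreon's method: STRIDE-per-element applied to a small, constructed DFD of the simplified wind farm, ranked once with an assumed OT weighting (availability first, then integrity, confidentiality last: AIC) and once with the usual IT (CIA) weighting. The element names, impact values, applicability table and weights are all assumptions made for this illustration; the point is that the same model produces a different top of the list once the priorities change.

```python
# Added example (not from the deck): STRIDE-per-element over a constructed
# wind-farm DFD, scored with an assumed OT (AIC) weighting and, for
# comparison, an IT (CIA) weighting.  Names, impacts and weights are assumptions.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Classic STRIDE-per-element table: which threat categories are considered
# for each DFD element type.
APPLICABLE: Dict[str, str] = {
    "external": "SR",
    "process": "STRIDE",
    "flow": "TID",
    "store": "TRID",
}

# The security property each STRIDE category violates.
PROPERTY: Dict[str, str] = {
    "S": "authentication",
    "T": "integrity",
    "R": "non-repudiation",
    "I": "confidentiality",
    "D": "availability",
    "E": "authorization",
}

# Assumed weightings.  OT reads the triad as AIC: a turbine that cannot be
# stopped or a forged setpoint outranks a disclosed data point.  IT keeps the
# usual CIA reading.  Both scales are illustrative, not from the deck.
OT_WEIGHT: Dict[str, int] = {"D": 5, "T": 4, "S": 3, "E": 3, "R": 2, "I": 1}
IT_WEIGHT: Dict[str, int] = {"I": 5, "T": 4, "S": 3, "E": 3, "R": 2, "D": 1}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str    # "external" | "process" | "flow" | "store"
    impact: int  # 1..5, asset criticality as agreed in the workshop


@dataclass(frozen=True)
class Threat:
    element: str
    category: str   # one STRIDE letter
    violates: str   # security property at risk
    score: int      # weight(category) * impact(element)


def enumerate_threats(elements: Iterable[Element],
                      weights: Dict[str, int] = OT_WEIGHT) -> List[Threat]:
    """Apply STRIDE-per-element and rank the result by weighted impact."""
    found: List[Threat] = []
    for e in elements:
        for letter in APPLICABLE[e.kind]:
            found.append(Threat(e.name, letter, PROPERTY[letter],
                                weights[letter] * e.impact))
    # Highest score first; ties broken deterministically by name and category.
    return sorted(found, key=lambda t: (-t.score, t.element, t.category))


# Constructed DFD for the simplified wind farm (business/IT side, generation/OT
# side, link to the grid operator).  Not the deck's own model.
WIND_FARM: List[Element] = [
    Element("Grid operator link", "external", 4),
    Element("Vendor remote access", "external", 4),
    Element("SCADA server", "process", 5),
    Element("Turbine controller", "process", 5),
    Element("Setpoints SCADA->controller", "flow", 5),
    Element("Historian", "store", 2),
]


def top_threats(n: int, weights: Dict[str, int] = OT_WEIGHT) -> List[Tuple[str, str]]:
    """The n highest-ranked (element, category) pairs under a weighting."""
    return [(t.element, t.category) for t in enumerate_threats(WIND_FARM, weights)[:n]]


if __name__ == "__main__":
    for label, w in (("OT / AIC", OT_WEIGHT), ("IT / CIA", IT_WEIGHT)):
        print(label)
        for t in enumerate_threats(WIND_FARM, w)[:5]:
            print(f"  {t.score:>2}  {t.category}  {t.element:<28} ({t.violates})")
```

Under the OT weighting the list is headed by denial of service against the SCADA server, the setpoint flow and the turbine controller; under the IT weighting the same three elements top the list for information disclosure instead. Swapping the weights is the whole of "STRIDE with modified priorities"; the enumeration itself does not change.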

Taking into account OT threats

MITRE ATT&CK for ICS


Handling missing info

Focus on the big picture, do not get lost in network diagrams

Do not take provided info at face value, challenge!

In case of missing or conflicting info, you have identified a risk ☺


Wind farm – revisited


• Spoofing

• Tampering

• Repudiation

• Denial of service

The top three recurring threats

1. Low IAM governance

• Local accounts, direct access, IT accounts, …

• Who can access what? Why?

2. Low supplier governance

• Responsibilities for patching, incident management, …?

• Lack of auditing and accountability

3. Lack of network segregation

• Direct connections

• Too permissive firewall configuration


Addressing risks


Ingredients

• Framework

• How to think about security?

• Requirements

• What should we want?

• Architectural building blocks

• How will we achieve it?


The five NIST CSF functions.

IEC 62443


Security requirements

1. Identification and authentication control (13)

2. Use control (12)

3. System integrity (9)

4. Data confidentiality (3)

5. Restricted data flow (4)

6. Timely response to events (2)

7. Resource availability (8)


SR 3.2 – Malicious code protection

Use protection mechanisms to prevent, detect, mitigate and report instances of detected malicious code.

RE 1 (starting security level 2)

On all entry and exit points

RE 2 (starting security level 3)

Central management and reporting

Example “System integrity” security requirement.

Support of essential functions

The main OT/IT differentiator

• Security measures shall not adversely affect essential functions of a high availability IACS

• Access Controls shall not prevent the operation of essential functions

• Essential functions of an IACS shall be maintained if zone boundary protection goes into fail-close and/or island mode

• A denial of service (DoS) event on the control system or safety instrumented system network shall not prevent the safety instrumented function from acting


“Sorry, but the Group Policy Client service failed the logon. Emergency reactor shutdown is denied.”

Pattern 1 – Layered architecture

The Enterprise Zone

Level 5 – The Enterprise network

Level 4 – Site business and logistics

The Industrial Demilitarized Zone

The Manufacturing Zone (or Industrial Zone)

Level 3 – Site operations

Level 2 – Area supervisory control

Level 1 – Basic control

Level 0 – The process

Pattern 2 – Zones and conduits

Concepts:

• Zone: assets that share the same cybersecurity requirements.

• Conduit: assets dedicated exclusively to communications which share the same cybersecurity requirements.

Rules:

• A zone can have sub-zones.

• A conduit cannot have sub-conduits.

• A zone can have more than one conduit.

• A conduit cannot traverse more than one zone.

• A conduit can be used to connect two or more zones.
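An added example, not part of the deck or of IEC 62443 itself: a small checker that takes a zone/conduit model and reports violations of the rules listed above. The zone names follow the Purdue levels from the layered-architecture pattern; the conduits, the "traverses" field used to express the one-zone rule, and the offending vendor VPN conduit are assumptions constructed for this example.

```python
# Added example (not from the deck): a checker for the zone and conduit rules.
# Zones follow the Purdue levels; conduits and the "traverses" modelling of the
# "cannot traverse more than one zone" rule are assumptions for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Zone:
    name: str
    parent: Optional[str] = None     # set for a sub-zone; zones may nest


@dataclass
class Conduit:
    name: str
    connects: List[str]              # zones this conduit terminates in
    traverses: List[str] = field(default_factory=list)  # zones passed through
    parent: Optional[str] = None     # conduits must not nest; kept to detect it


def check_model(zones: List[Zone], conduits: List[Conduit]) -> List[str]:
    """Return one finding per rule violation; an empty list means the model holds."""
    names: Set[str] = {z.name for z in zones}
    by_name: Dict[str, Zone] = {z.name: z for z in zones}
    findings: List[str] = []

    # Rule: a zone can have sub-zones, but every parent must be a defined zone
    # and the hierarchy must not loop back on itself.
    for z in zones:
        seen: Set[str] = set()
        cur: Optional[str] = z.parent
        while cur is not None:
            if cur not in by_name:
                findings.append(f"zone {z.name}: parent {cur} is not a defined zone")
                break
            if cur in seen or cur == z.name:
                findings.append(f"zone {z.name}: cyclic sub-zone hierarchy")
                break
            seen.add(cur)
            cur = by_name[cur].parent

    for c in conduits:
        # Rule: a conduit cannot have sub-conduits.
        if c.parent is not None:
            findings.append(f"conduit {c.name}: conduits cannot be nested")
        # Rule: a conduit connects two or more zones, all of them defined.
        if len(set(c.connects)) < 2:
            findings.append(f"conduit {c.name}: must connect at least two zones")
        for z in c.connects + c.traverses:
            if z not in names:
                findings.append(f"conduit {c.name}: unknown zone {z}")
        # Rule (as modelled here): a conduit cannot traverse more than one zone
        # between its endpoints.  A direct link that cuts through the DMZ and
        # site operations is the "direct connections" finding from the top three.
        if len(c.traverses) > 1:
            findings.append(
                f"conduit {c.name}: traverses {len(c.traverses)} zones "
                f"({', '.join(c.traverses)}), at most one allowed")
    return findings


def conduits_per_zone(zones: List[Zone], conduits: List[Conduit]) -> Dict[str, int]:
    """A zone may have more than one conduit; this counts them per zone."""
    counts = {z.name: 0 for z in zones}
    for c in conduits:
        for z in set(c.connects):
            if z in counts:
                counts[z] += 1
    return counts


# Constructed model: enterprise zone, IDMZ, and a manufacturing zone whose
# Purdue levels are sub-zones.
ZONES: List[Zone] = [
    Zone("Enterprise"),
    Zone("IDMZ"),
    Zone("Manufacturing"),
    Zone("Site operations", parent="Manufacturing"),
    Zone("Area supervisory control", parent="Manufacturing"),
    Zone("Basic control", parent="Manufacturing"),
    Zone("Process", parent="Manufacturing"),
]

GOOD_CONDUITS: List[Conduit] = [
    Conduit("ent-dmz", ["Enterprise", "IDMZ"]),
    Conduit("dmz-siteops", ["IDMZ", "Site operations"]),
    Conduit("siteops-supervisory", ["Site operations", "Area supervisory control"]),
    Conduit("scada-plc", ["Area supervisory control", "Basic control"]),
    Conduit("plc-process", ["Basic control", "Process"]),
]

# Same zones, plus a vendor VPN landing straight on the controllers and a
# nested conduit: both should be reported.
BAD_CONDUITS: List[Conduit] = GOOD_CONDUITS + [
    Conduit("vendor-vpn", ["Enterprise", "Basic control"],
            traverses=["IDMZ", "Site operations", "Area supervisory control"]),
    Conduit("nested", ["IDMZ", "Site operations"], parent="dmz-siteops"),
]

if __name__ == "__main__":
    for f in check_model(ZONES, BAD_CONDUITS):
        print("FINDING:", f)
```

The clean model passes with no findings; the second model produces exactly two, one for the vendor VPN that bypasses the IDMZ and site operations, one for the nested conduit. Running such a check against the conduit list that comes out of a threat modeling workshop is a cheap way to turn "lack of network segregation" from an opinion into a list of named links.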


A (high level) security architecture

Purdue Enterprise Reference Architecture (PERA) model by ISA-99, from “Industrial Cybersecurity” by Pascal Ackerman, 2017

Jump hosts

Dedicated OT accounts

Consider vendor risk when defining zones

Wrap up


Lessons learned

• OT is not IT, but right collaboration between OT/IT is key

• Threat model first, security architecture second, pentest later

• Manage your suppliers well


Thank you!

Thomas Heyman

Principal consultant, Utilities & Industry, Toreon

[email protected]
