TRANSCRIPT
Tom Good - DuPont
Automation and Process Control Engineering Consultant
November 5, 2010
Addressing the Security of Industrial Automation and Control Systems
Speaker - Tom Good
- DuPont Engineering Department (Automation and Process Control Engineering Consultant - BS Chemical Engineering, Lehigh University, 1974)
- Work Experience –
  - 30 years of experience with systems integration projects.
  - For the past 9 years, emphasis has been on the security of ICS.
  - Currently leading DuPont’s internal process control security initiatives and compliance with DHS CFATS regulations
- Industry Activities –
  - Participant in several current ISA99 Working Groups
  - Past chair and major author of ANSI/ISA-99.02.01 (Security for Industrial Automation and Control Systems Security Program)
  - Member of the Chemical Sector Cyber Security Program
Agenda
Life cycle cost model challenge – risk impact
Sources of guidance
New security recommendations – additional layers of protection
Robust but not hardened – expectation of performance: reliable, robust, and hardened
Industrial Control Systems are a target
Changing threat landscape
- 2001 – 2011 “Carpet Bombing” attacks
  - Botnets, scams, scareware
  - Organized Crime dominated the news
    - Russian Mafia
  - Short term $ gain
    - Identity theft
    - Financial transfers
    - Credit card information
    - Extortion
  - Occasional news of an ICS (Industrial Control System) incident
    - Most often collateral damage
Changing threat landscape – cont’d
- 2009 – 2011 Sophisticated, focused, “targeted attack” with a clear objective
  - Rise of political activism
    - Wikileaks - 2010
    - LulzSec - 2011
      - Sony hack
      - CIA - Took CIA website offline
    - Anonymous – 2011
      - Announced capability to attack ICS using internally developed tools, power grid
  - Rise of cyber warfare
    - Cyber attack on Estonia paralyzed the country’s Internet infrastructure
Changing threat landscape – cont’d
- ? – Present “Surgical precision” stealth attacks
  - Spear Phishing
  - Social Engineering
  - Stolen security certificates
- 2010 Stuxnet a wake-up to process control practitioners
  - Fully automated
  - ICS are a target, attacks can be successful
- 2010 – Present APT (Advanced Persistent Threat) have been a wake-up
  - Industry is now learning how much proprietary information has been pilfered over the last several years by the APT
  - RSA SecurID token algorithms stolen
Stuxnet – A game changer (June 2010)
- Fully automated worm designed to go after air-gapped process control assets
- Most sophisticated malicious code discovered to date
- Took 20 months for someone to discover its presence
- Infected around 100,000 hosts (60% located in Iran, India very high)
- Target – Iran’s uranium enrichment centrifuges
- Creator – According to NY Times – Israel and US Govt.
Stuxnet – propagation details
- Initial delivery –
  - USB drive to Russian systems integrator
  - Exploited 1st zero-day vulnerability to launch app even if auto-run is disabled
  - 2nd variant 1Q2010 using 2nd zero-day vulnerability (.lnk file)
- Established foothold in PC
  - Used valid stolen certificate from a chip manufacturer to avoid detection
  - Hid itself inside valid Windows files (encrypted code)
  - Code contains over 4000 functions
- Propagate – 4 different manners
  - Uncovers all user accounts and uses them to gain access to other computers via shares
  - Spreads to computers offering print sharing (3rd zero-day exploit)
  - Spreads using 4th zero-day vulnerability of Server Service
Stuxnet – propagation details cont’d
- Propagate cont’d
  - Looked for Siemens WinCC based code (WinCC and PCS7)
  - Used Siemens internal system password that cannot be changed to log into SQL server, transfer a version of Stuxnet and then execute it locally
  - Embedded itself into Siemens Step7 projects and auto-executes whenever the infected project file is opened
  - Uses peer-to-peer networking to update itself when phone home doesn’t work
- Deliver payload
  - Secretly writes 40 blocks of code to Siemens PLCs
Stuxnet - payload
- Stuxnet targets specific frequency-converter drives, intercepts commands sent to the drives from the Siemens SCADA software, and replaces them with malicious commands to control the speed of a device, varying it wildly, but intermittently. Reported to play back normal state information to operators.
- It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by the Finland-based Vacon.
  - If the number of drives from the Iranian firm exceeds the number from the Finnish firm, Stuxnet unleashes one sequence of events. If the Finnish drives outnumber the Iranian ones, a different sequence is initiated.
- Stuxnet targets only frequency drives running at high speeds — between 807 Hz and 1210 Hz. (Such high speeds are used only for select applications. “Frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”)
Stuxnet - payload cont’d
- “Stuxnet changes the output frequency for short periods of time to 1410Hz and then to 2Hz and then to 1064Hz.” “Modification of the output frequency essentially sabotages the automation system from operating properly. Other parameter changes may also cause unexpected effects.” Recent article hints of physical damage to the centrifuge.
- There is a long wait time between different stages of malicious processes initiated by the code — in some cases more than three weeks — indicating that the attackers were interested in sticking around undetected on the target system, rather than blowing something up in a manner that would attract notice.
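A defender-side check for the setpoint behaviour described on the two payload slides, added here as an example and not part of the presentation: it groups out-of-band frequency-converter setpoints into excursion episodes using the 807–1210 Hz band and the 1410 Hz / 2 Hz / 1064 Hz values quoted above. The telemetry format (timestamp, setpoint pairs) and the sample values are constructed assumptions.

```python
# Added example, not from the presentation: flag frequency-converter setpoints
# outside the 807-1210 Hz band the slides describe and group them into episodes.
from dataclasses import dataclass

NORMAL_BAND_HZ = (807.0, 1210.0)  # operating band given on the slides


@dataclass
class Excursion:
    start: float   # time of first out-of-band sample
    end: float     # time of last out-of-band sample
    min_hz: float
    max_hz: float


def find_excursions(samples, band=NORMAL_BAND_HZ):
    """samples: (timestamp_seconds, setpoint_hz) pairs in time order.
    Returns one Excursion per contiguous run of out-of-band samples."""
    lo, hi = band
    episodes, current = [], None
    for ts, hz in samples:
        if hz < lo or hz > hi:
            if current is None:
                current = Excursion(ts, ts, hz, hz)
            else:
                current.end = ts
                current.min_hz = min(current.min_hz, hz)
                current.max_hz = max(current.max_hz, hz)
        elif current is not None:   # back in band: close the episode
            episodes.append(current)
            current = None
    if current is not None:
        episodes.append(current)
    return episodes


# Constructed telemetry: steady 1064 Hz, a short push to 1410 Hz, recovery,
# then a short drop to 2 Hz, mirroring the sequence quoted above.
SAMPLE_TELEMETRY = [
    (0, 1064), (10, 1064), (20, 1410), (30, 1410), (40, 1064),
    (50, 1064), (60, 2), (70, 2), (80, 2), (90, 1064),
]


def demo():
    return find_excursions(SAMPLE_TELEMETRY)


if __name__ == "__main__":
    for e in demo():
        print(f"t={e.start}-{e.end}s: {e.min_hz}-{e.max_hz} Hz outside band")
```

Because the slides note that Stuxnet played back normal state information to operators, a check like this is only meaningful if it reads setpoints from a source the compromised engineering workstation cannot rewrite, such as the drive’s own status registers; an HMI trend alone may show nothing.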
Recent actions targeting ICS
- Stuxnet exploit mechanisms published 2010
- Duqu malware (2011)
- Specialized search engines
  - ERIPP and SHODAN developed to find PLC and DCS systems
- The GLEG Agora SCADA+ Exploit pack for Immunity’s CANVAS system is a collection of exploits written and compiled for industrial control system (ICS) products.
- Phishing campaign targeting Energy Sector and Gas Pipeline Sector (Sept – Oct. 2012)
- Target not known - Shamoon malware wipes boot sector and disk of 30,000 PCs at Aramco in August 2012
Making systems more secure
- Supplier responsibility
  - Certifications facilitate common measures of security but are expensive
  - Suppliers should start with “system hardening”
- User responsibility
  - New security recommendations
  - Users should adopt appropriate layers of security
What is ICS robustness?
- The ability of the industrial control system to continue to perform its intended function under perturbations or unusual conditions.
- Examples:
  - Maintain control when multiple alarms are tripped and annunciated.
  - Maintain control when switching to the redundant operating device.
  - Maintain control when the communications data packet is longer than expected (buffer overflow)
  - Maintain control when the operator console is receiving and logging many failed login requests (denial of service)
  - Maintain control when a server is receiving many “Ping” messages (Ping of death)
What is ICS hardening?
- Refers to reducing the industrial control system’s operating system surface of vulnerability.
  - Vulnerabilities are constantly being found and fixed in software
  - Until fixed (security hotfixes), security vulnerabilities are avenues for exploit
- Removing non-essential software, unnecessary user accounts, disabling or removing unnecessary services, changing default system accounts and passwords, etc.
  - Reduces risk
  - Well recognized IT industry best practice
Comparison – current situation
- Hardened
  - Different end use cases may require more or less software and services running
  - ICS Supplier does not necessarily feel accountable
  - Supplier should sell products already hardened
  - Provide guidance on how to harden installed devices
- Robust
  - Common expectations of performance to circumstances
  - User expects robustness
  - ICS Supplier feels accountable and delivers this as part of standard product
New security recommendations for ICS
- Changing threats are requiring additional mitigation strategies beyond the well recognized “layers of protection”
New layers – Detection & Response
ICS-CERT Recommendation                    Current industry layers of protection
Patching                                   Accepted – practice is mixed
Role based access control                  Accepted - general practice
Strong logon credential management         Accepted – extensive use of shared accts.
Network segmentation                       Accepted - general practice
Increased use of logging                   Not valued – minimally used
Audit network hosts for suspicious files   Not practiced
Preserve forensic data                     Not practiced – recovery focused
Incident response                          Recovery focused – from backups
Application Whitelisting                   Early introduction
Intrusion detection                        Very early introduction
Detection - Whitelisting
- New mindset
  - Anything new is suspect and requires investigation
  - “Guilty until proven innocent”
    - New file added to the device
    - Change in file size of a base-lined file
- Anti virus
  - “Innocent until proven guilty”
- Pros - Addresses zero-day vulnerabilities/exploits
- Cons - False positives are likely
  - All alerts require follow-up action
  - Resources needed for follow-up
Detection – Intrusion Detection/Prevention
- Employed at the Host and Network level
- Any change from a defined baseline could be an indication of unwanted malicious activity
  - New communication source and destination
  - Higher than normal communication volume
  - New file added to the device
  - Change in file size of a base-lined file
  - New process started
  - Etc.
- Pros - Addresses zero-day vulnerabilities/exploits and unauthorized use by an authenticated user
- Cons - False positives are likely
  - All alerts require follow-up action
  - Resources needed for follow-up
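The two file-level checks that both the whitelisting slide and the host intrusion detection slide list (a new file added to the device, a change in file size of a base-lined file), worked as an added example that is not part of the presentation or any vendor product: the file inventories, paths and contents are constructed in memory so the block runs offline.

```python
# Added example, not from the presentation: report what a whitelisting or host
# IDS agent would raise when a device's file inventory drifts from its baseline.
# Inventories are constructed dicts of path -> (size_bytes, sha256_hex).
import hashlib


def fingerprint(content: bytes):
    """Size and SHA-256 of a file, the attributes a base-lined file is checked on."""
    return len(content), hashlib.sha256(content).hexdigest()


def diff_against_baseline(baseline, current):
    """Return {finding_kind: [paths]}. Every finding needs follow-up, which is
    the resourcing cost the slides list as a con."""
    findings = {"new_file": [], "size_changed": [], "content_changed": [], "missing": []}
    for path, (size, digest) in current.items():
        if path not in baseline:
            findings["new_file"].append(path)         # "guilty until proven innocent"
            continue
        base_size, base_digest = baseline[path]
        if size != base_size:
            findings["size_changed"].append(path)
        elif digest != base_digest:
            findings["content_changed"].append(path)  # same size, different bytes
    for path in baseline:
        if path not in current:
            findings["missing"].append(path)          # removed files matter too
    return findings


# Constructed baseline and current state for a hypothetical HMI host.
BASELINE = {
    "/opt/hmi/bin/runtime": fingerprint(b"runtime-v1"),
    "/opt/hmi/config/alarms.cfg": fingerprint(b"alarm-limits"),
    "/opt/hmi/lib/comms.so": fingerprint(b"comms-v1"),
}
CURRENT = {
    "/opt/hmi/bin/runtime": fingerprint(b"runtime-v1"),                   # unchanged
    "/opt/hmi/config/alarms.cfg": fingerprint(b"alarm-limits-extended"),  # grew
    "/opt/hmi/lib/comms.so": fingerprint(b"comms-v2"),                    # same size
    "/opt/hmi/bin/updater.exe": fingerprint(b"unknown"),                  # new
}


def demo():
    return diff_against_baseline(BASELINE, CURRENT)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A size-only comparison misses same-size replacements, which is why the hash is kept alongside it; on a real host the inventory would come from walking the filesystem and the baseline would be stored off-device so a compromised host cannot rewrite it.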
Data mining logged information
- Proactive - looking for something unusual in device logs, correlation of separate events that indicate unwanted activity
- Reactive – incident occurred, follow-up forensics investigation
- Pros –
  - You can’t fix what you don’t know is happening
  - Can provide the chain of events leading to the incident/exploit
- Cons –
  - Logging consumes additional device resources
  - Data must be aggregated (additional $ for analysis devices, increased network load)
  - Need skilled resources to analyze information
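One concrete instance of the “correlation of separate events” this slide calls for, added here as an example and not part of the presentation: a burst of failed operator-console logins (the event the robustness slide mentions) followed by a successful login from the same source. The log line format, field names, addresses and timestamps are constructed assumptions.

```python
# Added example, not from the presentation: correlate constructed operator-console
# login events into the chain "N failures from one source, then a success".
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for the example; real consoles differ.
LINE_RE = re.compile(r"^(\S+ \S+) console login (FAILED|OK) user=(\S+) src=(\S+)$")


def parse(lines):
    """Yield (timestamp, result, user, src); lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def correlate(lines, min_failures=3, window=timedelta(minutes=5)):
    """Return [(src, user, n_failures, success_time)] for every success that
    followed at least min_failures failures from the same src within window."""
    recent = defaultdict(list)   # src -> timestamps of failures still in window
    findings = []
    for ts, result, user, src in sorted(parse(lines)):
        fails = [t for t in recent[src] if ts - t <= window]
        if result == "FAILED":
            fails.append(ts)
            recent[src] = fails
            continue
        if len(fails) >= min_failures:
            findings.append((src, user, len(fails), ts))
        recent[src] = []         # a success closes the chain for this source
    return findings


SAMPLE_LOG = [  # constructed sample, not real log data
    "2012-10-03 08:00:01 console login FAILED user=operator src=10.1.5.23",
    "2012-10-03 08:00:04 console login FAILED user=operator src=10.1.5.23",
    "2012-10-03 08:00:07 console login FAILED user=operator src=10.1.5.23",
    "2012-10-03 08:00:12 console login FAILED user=admin src=10.1.5.23",
    "2012-10-03 08:01:30 console login OK user=operator src=10.1.5.23",
    "2012-10-03 08:02:00 console login FAILED user=operator src=10.1.7.8",
    "2012-10-03 08:02:30 console login OK user=operator src=10.1.7.8",
]


def demo():
    return correlate(SAMPLE_LOG)
```

Where shared accounts are in extensive use, as the detection and response table notes, the user field carries little signal, so the correlation keys on the source address; the threshold and window have to be tuned against the console’s normal operator turnover to keep the false positives the slide warns about manageable.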
Incident response team
- Trained individuals ready to respond to alerts/incidents and determine the proper course of action
  - Preserve forensic data
  - Assessment of alerts
  - Mitigation actions, remediation actions
  - Work with law enforcement agencies
- Team must integrate network, IT, and ICS skills
- Pros –
  - Leveraging a skilled team reduces $ for the corporation
- Cons –
  - Skilled team costs $, new expenditure
Need our ICS Suppliers to step up
- Embrace the new security technology tools
  - Whitelisting
  - Intrusion Detection/Prevention
  - Test compatibility
  - Offer services to support introduction and sustained security
- Design the systems to incorporate increased logging
- CERT Service - skilled incident response team to lead corrective action engagement
Sources of guidance
- US-CERT Control Systems Security Program (CSSP)
- ICS-CERT – Industrial Control Systems Cyber Emergency Response Team
- ISA99 Industrial Automation and Control Systems Security
- DHS Chemical Sector Industrial Control System Security Resource
  - CDs available
- Roadmap to Secure Control Systems in the Chemical Sector
- Roadmap to Secure Control Systems in the Water Sector
- Roadmap to Secure Control Systems in the Energy Sector
ICS life cycle challenge
- Functional life cycle practice by Operations
- Examples: Windows 2000, Windows XP 1Q2014
ICS life cycle challenge – cont’d
- ICS Supplier and End-user must work together to develop an acceptable compromise on $
- Must understand and make a risk based decision balancing the cost of refreshing the ICS devices against the cost of a potential consequence.
- One option: Whitelisting as a compensating security measure.