Process Control Networks Insights in our experience and some surprisingly unexpected “features” Rotterdam – 15 November 11.50 – 12.40 Ronald Heil

Upload: kpmg-internet-protection-services

Posted on 17-May-2015


DESCRIPTION

This year's theme was 'Decade of Challenges'. As Cyber Security and Incident Response Team, we have been making efforts for the last ten years to create a secure cyber society in cooperation with the CERT community. The 'change' we have all been working so hard to achieve is now bearing fruit. The raison d'être of an organisation such as GOVCERT.NL is now undisputed. Our 10th symposium addressed the past, the present and the future of digital security. The programme itself provided something of interest to all attendees, from technicians and scientists to policymakers, through plenary and parallel sessions. The symposium offered a variety of topics, presented by inspiring speakers and leading experts in the field, and a lot of opportunities to network with the national and international participants.

TRANSCRIPT

1. Process Control Networks
Insights in our experience and some surprisingly unexpected "features". Rotterdam, 15 November, 11.50 – 12.40. Ronald Heil.

2. Agenda
• Speaker introduction
• Process Control Systems
• Unexpected features: project Wall-E
• Lessons learned
• Q&A
© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (KPMG International), a Swiss entity. (slide footer, repeated on every following slide)

3. Speaker introduction
KPMG IT Advisory, The Netherlands, team ICT Security & Control (ISC). ir. Ronald Heil MSc. CISSP CISA, Senior Manager @ team ISC.
• Specialises in providing technical advisory and audit services, penetration tests and technical studies.
• Helps companies with information protection and security monitoring.
• Security awareness trainings / workshops.
Why me?
• Involved as ethical hacker in red cell testing on large-scale / multinational infrastructure environments that are thought to be protected.
• Performed a complex penetration test at one of the world's largest newly built refineries in the Middle East, tested on all layers from the access domains (office to reporting servers) to all 4 underlying PCD layers.
• Expanding KPMG's global effort on PCD security.
• Involved with worldwide testing of retail systems that have a similar network and communication structure as PCD systems (as vendors are often expanding markets).

4. Process Control Systems 101
Assumption: you already have (some) knowledge about Process Control Systems?! Source: siemens.com

5. Process Control System (Failure)
These systems can be found throughout our industries, from power plants, refineries and water processing facilities to, for example, traffic light control. Despite their importance, the state of security of those crucial components is often not (or should we say almost never) what should be expected.

6. Can that happen? In our real world?
I was under the impression that those critical systems would be protected. Not? The state of security of the crucial process control networks and components is often not what should be expected. Caused by, amongst others, rapid innovation, technology integration, automation and a lack of security focus on the layers: people, process and technology.

7. Let's start with insights from a different perspective: Project Wall-E

8. New building

9. Advanced Building Management System [removed in shared version]

10–11. What is wrong with it? (the three answers are revealed one by one)
• It is connected to the Internet
• It has weak passwords like admin/admin
• It controls everything (let me repeat: everything) in the building

12. New building: we added some lines

13. Project Wall-E phase 1
Challenges:
• The interface is a difficult Java applet
• Communicating to a back-end Java environment
• We are ready to test at night!
Solution:
• Many hours of after-office-hours / night research
• Dozens of pizzas, other food and gallons of coffee, and more food and coffee
• Basically rewriting a complete front-end engine, but now with us in control

14. [removed in shared version]

15–16. Project Wall-E phase 2 (the slide appears twice in the deck)
Solution:
• As we were full administrator we could have disabled the configured time limitations. But as ethical hacker we didn't want to make changes to the actual configuration.
• Another option was to focus on the administration interface that is always on.
Challenges:
• We again had to deal with the difficult Java applets and underlying interfaces.
• It can't control the lights directly but can read the status of everything. Could it also be used to control? Wait....
• By setting the right circumstances we can directly communicate with the core building management digital bus (the network that controls lights, fans, heating, power, etc. in the building...) and that over the Internet! No? YES!!!

17. 40000+ sensors and controls: you like puzzles? [removed in shared version]
[table of sensor and control point numbers per floor (Verdieping) and room (Kamer), with on/off (aan_uit) and intensity (intensiteit) columns, omitted]

18. (image only)

19. (image only)

20. The Building Management System: what went wrong?
• There was (initial) segregation of functionality, but weak administration passwords
• Security through obscurity?
• The same interfaces used for reading data were also capable of sending control messages
• Despite layers of web and application server, the control bus is in effect directly connected to the Internet
• No security monitoring
• Not even part of (IT) security processes
One of the most unexpected results was the fact that despite the multiple layers and access control, the layer with the control interfaces was reachable from the Internet.

21. The building management system... and process control systems
Do you see the similarity? We are still busy expanding awareness of Process Control Systems security, but we are actually not always aware where those systems are located. It is easy to forget many important systems that are part of our daily lives...

22. Today's threats are real and happening to all of us
• Night Dragon (Global Energy Cyberattacks): "Starting in November 2009, coordinated covert and targeted cyberattacks have been conducted against global oil, energy, and petrochemical companies. These attacks have involved..." By McAfee Foundstone Professional Services and McAfee Labs, February 10, 2011.
• Stuxnet: dedicated malicious software to harm specific PCD components, specifically nuclear centrifuges.
• Duqu: Duqu virus/malware aiming at Iran nuclear sites.
Who is next? You?
• More and more process control networks become (inter)connected
• More and more regular IT components
• Cybercrime is increasing
• Including dedicated state-of-the-art attacks on PCD (e.g. Stuxnet, Duqu)

23. New developments
• Functionality changes
• Wireless connectivity

24. New developments: connectivity, old situation

25. New developments: connectivity, new situation (diagram with six "Risk" labels)

26. Insights
• Missing patches: MS08-067 provides direct administrative access.
• Security based on 64 character keys: why should we protect the mobile operator station (pda, laptop, etc.)?
• Weak passwords: isn't admin considered a strong password?
• Vendors and on-site contractors: have their own room directly connected to level 1, 2, 3 and 4. Maybe we should use space? Yes, security!
• Unprotected interfaces: have direct connections to level 1 devices for status, support and maintenance... but that is proprietary protocols, secure. Why should you put a password on VNC or HMI application? Anything about LAC / RBAC?
• Segmentation: firewalls are based on inbound, not outbound security, enabling a nice reverse exploit all the way from level 1 back to the office network, crossing 6 layers. Sophisticated layers in place, but security between the layers based on rough IP blocks with no limitation on service ports; that is equal to almost no security in place.
• New technologies: Wireless? Directly connected to layer 1 (let's jeopardize the investment of 5 security layers). Dumb controllers become smart (read: have Windows XP), but we humans are not smart enough to recognise.
• Anti-virus / Malware: 2004 outdated? Really? Malware doesn't get here... but USB sticks and PDFs do. Or even not allowed to install.
• Development: let's directly migrate from the unprotected development lab to the field. Security based on certificates. Sounds good. But please do not store the private keys on a public share.

27. Process Control Security at the layers People, Process and Technology
Security is highly interdependent: no weak links allowed.
• People: proper governance; information security is a joint effort.
• Process: monitoring and follow-up; know what you need to monitor; prevent information overload; quick reaction is key.
• Technology: segmentation and endpoint protection; protect all logical access paths; apply network segmentation and endpoint protection; endpoint protection is crucial.

28. Question / Answers
KPMG Key Contact Details. Thank you for your attention! Please feel free to contact us for further information on process control security, both audit and advisory.
Ronald Heil, Senior Manager, KPMG IT Advisory, Laan van Langerhuize 1, 1186 DS Amstelveen, The Netherlands. Tel: +31 6 51369785. Email: [email protected]

29. © 2011 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).
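The segmentation findings on the Insights slide (26), in particular inter-level rules that allow any service port, cover several layers with one rough IP block, or let level 1 initiate connections back towards the office network, can be checked mechanically. The following rule audit is an added example, not code from the presentation or from KPMG; the level subnets, the rule sets and the port numbers are constructed assumptions.

```python
from dataclasses import dataclass
import ipaddress

# Constructed sample layout, one subnet per PCD level (an assumption, not from the slides).
LEVEL_SUBNETS = {
    1: ipaddress.ip_network("10.1.0.0/24"),  # level 1: controllers
    2: ipaddress.ip_network("10.2.0.0/24"),  # level 2: HMI / supervisory
    3: ipaddress.ip_network("10.3.0.0/24"),  # level 3: site operations
    4: ipaddress.ip_network("10.4.0.0/24"),  # level 4: office network
}

@dataclass(frozen=True)
class Rule:
    """One firewall allow rule: hosts in src may initiate connections to dst on ports."""
    src: str                        # CIDR of the initiating side
    dst: str                        # CIDR of the accepting side
    ports: frozenset = frozenset()  # allowed destination ports; empty = any port

def levels_touched(cidr):
    """PCD levels whose subnet overlaps the block (more than one = a 'rough IP block')."""
    net = ipaddress.ip_network(cidr)
    return {lvl for lvl, sub in LEVEL_SUBNETS.items() if sub.overlaps(net)}

def audit_rule(rule):
    """Findings for one rule, named after the segmentation insights on the slide."""
    findings = set()
    src_levels, dst_levels = levels_touched(rule.src), levels_touched(rule.dst)
    if not rule.ports:
        findings.add("any-port")          # no limitation on service ports
    if len(src_levels) > 1 or len(dst_levels) > 1:
        findings.add("spans-levels")      # one IP block covers several layers
    for s in src_levels:
        for d in dst_levels:
            if s < d:
                findings.add("outbound-from-lower-level")  # reverse path back to the office
            if abs(s - d) > 1:
                findings.add("skips-level")  # conduit bypasses an intermediate layer
    return sorted(findings)

def audit(rules):
    """Map rule index -> findings, for the rules that have any."""
    return {i: f for i, r in enumerate(rules) if (f := audit_rule(r))}

# Constructed rule sets: the weak one resembles the findings on the slide.
WEAK_RULES = [
    Rule("10.0.0.0/8", "10.1.0.0/24"),                      # any plant host, any port, to controllers
    Rule("10.1.0.0/24", "10.4.0.0/24", frozenset({443})),   # controllers may call out to the office
]
HARDENED_RULES = [
    Rule("10.4.0.0/24", "10.3.0.0/24", frozenset({443})),   # office -> level 3, HTTPS only
    Rule("10.3.0.0/24", "10.2.0.0/24", frozenset({5900})),  # level 3 -> HMI, VNC only (with a password)
    Rule("10.2.0.0/24", "10.1.0.0/24", frozenset({502})),   # HMI -> controllers, Modbus/TCP only
]
```

`audit(WEAK_RULES)` reports the any-port, spans-levels and skips-level problems of the first rule and the reverse path of the second, while the hardened set, which only descends one level at a time on a named port, produces no findings.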