Slide 1

From the Newspaper to the Network: How Chronicled Cyber-Attacks Can Damage Nation's Utilities

Nov 3rd-4th 2016

Matt Cowell GICSP CWNA
Ultra Electronics, 3eTI
[email protected] | +1 301 529 2801 | @m_p_cowell on Twitter

Slide 2: Session Overview

© 2016 Ultra Electronics

• Introduction and overview: the utilities-security landscape
• Understanding the challenges: how utility systems are easily breached
• Appreciating the risk severity: summarizing actual and potential results of cyber-attack
• Considerations in developing a cyber security plan
• Methods for efficiently implementing a utilities plan for cyber security: understanding tactics, technologies, costs and timelines

Slide 3: From the Newspaper to the Network

Slide 4: Network Ubiquity

Computers are everywhere, and computers talking to other computers are creating a network of connected systems, the 'Internet of Things' (IoT). The proliferation of the IoT is broadly enabling automation, and operations are becoming reliant on it.

Approximate number of computers per system:
• Power plants ~1000
• Aircraft ~100
• Buildings ~100
• Surveillance systems ~50
• Cars ~20
• SCADA systems ~20

Slide 5: Machine to Machine (M2M) Proliferation: how it all connects back to you

• M2M is computers talking to other computers without humans
• IoT is the natural extension of M2M
• Why connect them? Increased performance, lower spending, better efficiency
• A lot of infrastructure and operations rely on dependable M2M systems
• Many M2M systems involve national security or mission criticality

Slide 6: ICS Attacks Are Getting More Intense: a growing issue for government and energy sectors

• 2000, INSIDER ATTACK, Maroochy Water System (Queensland, Australia): a disgruntled former contractor used a laptop and radio equipment to send unauthorized commands to sewage pumping stations, releasing raw sewage into local parks and waterways.
• 2010, SCADA MALWARE, Natanz Nuclear Facility: Stuxnet crossed the air gap into the control network (carried on removable media) and damaged uranium-enrichment centrifuges by manipulating PLC logic.
• 2011, ENTERPRISE INFECTION, "Unnamed" steel mill: the Conficker worm infected the control network, causing instability in communications.
• 2012, ENTERPRISE ATTACK, Saudi Aramco & RasGas: the Shamoon wiper erased data on some 30,000 workstations at Aramco, causing enterprise network outages.
• 2012, PLC ATTACK, Project Basecamp: Digital Bond researchers ran penetration tests against common PLCs to show how badly vulnerable (often insecure by design) SCADA/ICS devices are.
• 2013, BACKDOOR ATTACK, Target retail stores: attackers entered the network with credentials stolen from a third-party HVAC vendor and exfiltrated payment card data.
• 2013, MISCONFIGURATION, Google Wharf 7 office (Sydney): researchers using SHODAN found over 21,000 Internet-exposed, misconfigured building automation systems, including the one controlling this building.
• 2013 (publicly reported 2015), BACKDOOR ATTACK, Bowman Avenue Dam, New York: Iranian hackers gained remote access to the SCADA system controlling the dam's sluice gate, which happened to be offline for maintenance. Was this a dress rehearsal for something bigger?
• 2014, TARGETED ATTACK (spear phishing), steel mill, Germany: attackers phished their way into the office network, pivoted into the production network and disrupted the automation equipment so that a blast furnace could not be shut down properly, causing massive damage.
• 2015, SCADA ATTACK, Ukraine utilities: attackers used stolen credentials and remote access to open breakers at three distribution companies, leaving about 225,000 customers in the dark; the first publicly confirmed cyber attack to knock a power grid offline.
• 2016, PLC ATTACK, "Kemuri Water Company" (pseudonym used in Verizon's 2016 Data Breach Digest): attackers accessed the system controlling hundreds of PLCs and altered the chemical levels used to treat water.

WHAT'S NEXT?

Slide 7: ICS-CERT Recommended Architecture

[Figure, not reproduced: "Figure 10. Complete defense-in-depth strategy with the intrusion detection system and SIEM".]

Slide 8: Who Launches Cyber Attacks? You don't need to be a hacker to hack

A world full of hackers: nation states, criminals, activists, employees, children!

Various motivations: money, political protest, environmental activism, industrial espionage, retaliation, job security, fun.

Unintentional disasters: an attacker doesn't even need to know what they are doing to cause a huge impact.

Admiral Michael Rogers, Director, NSA & US Cyber Command, testimony to Congress, Nov. 2014:

"… China along with 'one or two' other countries have the capability to successfully launch a cyber-attack that could shut down the electric grid in parts of the United States".

Slide 9: How Are They Attacking? External cyber attacks

[Diagram: reference plant architecture showing External Networks, Enterprise Networks and Remote Access paths into a Support Network and an ICS Network made up of Authentication Server, Mirrored Data Servers, Report/Alarm Server, HMI, Application Server, SCADA Server, Engineering Terminal, Wireless, Data/Historian Server and PLCs driving the Industrial Process, Infrastructure Automation and Facility Monitoring.]

External cyber attacks: an outsider/insider gains access to an external system and uses it to impact a more critical ICS network.

Slide 10: How Are They Attacking? Unauthorized device connections

[Diagram: same reference architecture as slide 9.]

Unauthorized device connections: an outsider/insider introduces their own device into the network, making your internal network externally accessible and directly exploitable by the attacker.

Slide 11: How Are They Attacking? Internal host-based / malware attacks

[Diagram: same reference architecture as slide 9.]

Internal host-based / malware attacks: malware infects the control system and causes a dangerous or malicious action.

Slide 12: How Are They Attacking? Zero-day attacks

[Diagram: same reference architecture as slide 9.]

Zero-day attacks: targeted malware uses a zero-day vulnerability to cause a specifically designed impact on the ICS network and devices.
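The four vectors on slides 9 to 12 all leave a trace in control-network traffic: a device nobody inventoried, a flow that crosses a zone boundary it should not, or a protocol that has no business between two control hosts. The following is an added example, not code from the deck or from 3eTI, of the network-side checks a boundary monitor can run over flow records. The zone subnets, the approved-device inventory, the expected ICS port list and the sample flows are all constructed for illustration and belong to no real plant.

```python
"""Spot unauthorized devices and zone-boundary violations in control-network traffic.

Added example. The zones, device inventory and flow records are constructed; the
subnets are RFC 1918 / RFC 5737 documentation ranges and belong to no real plant.
"""
import ipaddress

# Zone model (assumed): enterprise LAN, a DMZ that mirrors historian data outward,
# and the ICS network. Anything else is treated as external/untrusted.
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "ics": ipaddress.ip_network("10.10.0.0/16"),
}

# Protocols an ICS host is expected to speak to another ICS host (assumed allow-list).
ICS_PORTS = {502: "modbus/tcp", 20000: "dnp3", 44818: "ethernet/ip"}

# Approved device inventory keyed by MAC address: (hostname, expected IP). Constructed.
INVENTORY = {
    "02:00:00:00:00:10": ("hmi-01", "10.10.1.10"),
    "02:00:00:00:00:20": ("eng-ws-01", "10.10.1.20"),
    "02:00:00:00:00:30": ("historian-01", "10.10.1.30"),
    "02:00:00:00:00:a1": ("plc-a1", "10.10.2.1"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'external' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def analyze_flow(flow: dict) -> list:
    """Return alert names for one record {'src_mac','src_ip','dst_ip','dst_port'}."""
    alerts = []
    src_zone, dst_zone = zone_of(flow["src_ip"]), zone_of(flow["dst_ip"])
    known = INVENTORY.get(flow["src_mac"])
    if known is None and src_zone == "ics":
        alerts.append("unauthorized-device")   # rogue laptop, cellular modem, vendor box
    elif known is not None and known[1] != flow["src_ip"]:
        alerts.append("address-mismatch")      # known MAC on an unexpected IP: spoofing or re-addressing
    if src_zone == "ics" and dst_zone in ("external", "enterprise"):
        alerts.append("boundary-violation")    # ICS hosts may only talk outward to the DMZ
    if src_zone in ("external", "enterprise") and dst_zone == "ics":
        alerts.append("inbound-to-ics")        # direct inbound access bypasses the DMZ / jump host
    if src_zone == "ics" and dst_zone == "ics" and flow["dst_port"] not in ICS_PORTS:
        alerts.append("unexpected-protocol")   # e.g. SMB between control hosts: lateral movement
    return alerts


def analyze(flows) -> list:
    """Run all flows; returns [(flow, alerts)] for every flow that raised an alert."""
    findings = []
    for flow in flows:
        hits = analyze_flow(flow)
        if hits:
            findings.append((flow, hits))
    return findings


# Constructed flow records, in the shape a SPAN port collector or NetFlow exporter gives.
SAMPLE_FLOWS = [
    {"src_mac": "02:00:00:00:00:10", "src_ip": "10.10.1.10", "dst_ip": "10.10.2.1", "dst_port": 502},    # HMI polls PLC
    {"src_mac": "02:00:00:00:00:30", "src_ip": "10.10.1.30", "dst_ip": "10.2.0.5", "dst_port": 1433},    # historian -> DMZ mirror
    {"src_mac": "02:00:00:00:00:99", "src_ip": "10.10.1.77", "dst_ip": "10.10.2.1", "dst_port": 502},    # unknown device
    {"src_mac": "02:00:00:00:00:20", "src_ip": "10.10.1.20", "dst_ip": "203.0.113.9", "dst_port": 443},  # eng ws -> internet
    {"src_mac": "02:00:00:00:00:e1", "src_ip": "10.1.5.4", "dst_ip": "10.10.1.20", "dst_port": 3389},    # enterprise RDP inbound
    {"src_mac": "02:00:00:00:00:10", "src_ip": "10.10.1.10", "dst_ip": "10.10.1.20", "dst_port": 445},   # HMI -> SMB on eng ws
]

if __name__ == "__main__":
    for flow, hits in analyze(SAMPLE_FLOWS):
        print(f"{flow['src_ip']:>12} -> {flow['dst_ip']:<14}:{flow['dst_port']:<5} {', '.join(hits)}")
```

The first two sample flows (HMI polling a PLC, historian pushing to the DMZ mirror) are silent; the other four each map to one of the vectors on the slides. The inventory check is what the "Authenticate / authorize devices on your network" takeaway looks like when enforced after the fact; in a live deployment the inventory would come from the asset register rather than a literal, and the rules would be tuned to the site's actual zone design.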

Slide 13: ICS Cyber Security Gap: the IT/OT gap is a divide that must be bridged

IT vs OT

Pre-Stuxnet protection:
• Firewalls
• DMZ/proxy servers
• Air gaps

Post-Stuxnet protections:
• Anti-virus on PCs & servers
• Firewalls/data diodes
• Configuration/patch management

Boundary protections:
• Firewalls
• Network intrusion detection
• DMZ/proxy servers

Endpoint protections:
• Host intrusion prevention (anti-virus/firewall/application whitelisting)
• Policy enforcement
• Configuration management
• Device connection management
• Data transfer management
• External alerting & reporting

Overlooked security gaps:
• PLCs
• RTUs

Slide 14: What Should We Be Doing?

Threats to the system:
1. Data manipulation
2. Voice eavesdropping
3. Physical manipulation
4. Backdoor
5. Intelligence gathering
6. Hardware Trojans
7. Man in the middle
8. Network eavesdropping
9. Spoofing

Attack methods:
1. Insider attacks
2. Data exfiltration
3. Traffic rerouting
4. Worm
5. Trojan
6. Virus
7. Root-kits
8. Web hacking
9. Drive-by download
10. Key logger
11. Denial of service
12. Phishing
13. Hackers
14. Spear phishing

Adversary tactics:
1. Coordinated attack
2. Advanced persistent threat
3. Remote access tools
4. Unpatched infrastructure
5. Brute force cracking
6. Proxied attack
7. Vulnerability probing
8. Credential impersonation
9. Foreign agents

Sectors at risk:
1. Federal Government
2. DoD/Military
3. Corporate/Financial
4. Telecoms
5. Healthcare
6. Utilities
7. Distribution
8. Building Automation
9. Industrial Facilities
10. Energy Management

Slide 15: Important questions to ask about your ICS

• What are 'they' able to do?
• Can my ICS differentiate between a fake/spoofed message and a legitimate one?
• How do my systems respond to intentionally invalid or corrupt information from a known and trusted source?
• Can my systems identify whether the data they receive or read has been intentionally modified?
• Will my systems respond to undesired commands that my implementation does not require?
• Can I identify when any changes to my system occur, what they are, and revert to the original state if required?

Slide 16: What It Should Look Like: effective implementation of ICS cyber security

Corporate LAN
• Risk = external PC attack
• Mitigation = agents on PCs, SIEM, network segmentation

Control System LAN
• Risk = internal PC attack
• Mitigation = agents on PCs, SIEM, network segmentation

Field Locations
• Risk = internal device attack
• Mitigation = device-level firewalls with agent-style IDS

[Diagram: three attack surfaces (1, 2, 3) and the corresponding attacks 1, 2 and 3.]
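The "device-level firewall" mitigation for field locations is the concrete answer to slide 15's question "Will my systems respond to undesired commands that my implementation does not require?": a PLC should accept only the function codes, register windows and source hosts its process actually needs, and drop everything else. The block below is an added example of such a filter for Modbus/TCP, written for this page rather than taken from the deck or from any 3eTI product. The hosts, unit ids, writable register window and sample frames are all constructed; the only real-world facts in it are the public Modbus function codes and MBAP header layout.

```python
"""Device-level Modbus/TCP command filter: allow only the commands the process needs.

Added example. All hosts, addresses, register ranges and frames below are constructed
for illustration; none come from the slide deck or from any real plant.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes (Modbus Application Protocol Specification).
FC_READ_COILS = 0x01
FC_READ_DISCRETE = 0x02
FC_READ_HOLDING = 0x03
FC_READ_INPUT = 0x04
FC_WRITE_SINGLE_REG = 0x06
FC_DIAGNOSTICS = 0x08
FC_WRITE_MULTI_REGS = 0x10

READ_FCS = {FC_READ_COILS, FC_READ_DISCRETE, FC_READ_HOLDING, FC_READ_INPUT}
WRITE_FCS = {FC_WRITE_SINGLE_REG, FC_WRITE_MULTI_REGS}


@dataclass(frozen=True)
class Policy:
    """What this one PLC is willing to accept (assumed values, see module docstring)."""
    read_sources: frozenset       # hosts that may poll (HMI, historian, engineering)
    write_sources: frozenset      # hosts that may change set-points (engineering only)
    unit_ids: frozenset           # Modbus unit identifiers this PLC actually serves
    writable_registers: range     # holding-register window that writes may touch


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request: MBAP header (tid, protocol 0, length, unit) + PDU."""
    return struct.pack(">HHHB", tid, 0, 2 + len(data), unit) + bytes([fc]) + data


def parse_frame(frame: bytes) -> dict:
    """Parse the MBAP header and split off the PDU; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}


def decide(src_ip: str, frame: bytes, policy: Policy) -> tuple:
    """Return ("ALLOW" | "DENY", reason) for one request arriving from src_ip."""
    try:
        msg = parse_frame(frame)
    except ValueError as err:
        return "DENY", f"malformed frame: {err}"
    if src_ip not in policy.read_sources and src_ip not in policy.write_sources:
        return "DENY", f"unknown source {src_ip}"
    if msg["unit"] not in policy.unit_ids:
        return "DENY", f"unit id {msg['unit']} not served by this PLC"
    fc, data = msg["fc"], msg["data"]
    if fc in READ_FCS:
        if src_ip not in policy.read_sources:
            return "DENY", f"{src_ip} is not a permitted reader"
        return "ALLOW", f"read fc=0x{fc:02x}"
    if fc in WRITE_FCS:
        if src_ip not in policy.write_sources:
            return "DENY", f"write fc=0x{fc:02x} from non-engineering host {src_ip}"
        if len(data) < (2 if fc == FC_WRITE_SINGLE_REG else 4):
            return "DENY", "write PDU too short"
        start = struct.unpack(">H", data[:2])[0]
        count = 1 if fc == FC_WRITE_SINGLE_REG else struct.unpack(">H", data[2:4])[0]
        last = start + count - 1
        if count == 0 or start not in policy.writable_registers or last not in policy.writable_registers:
            return "DENY", f"write to registers {start}..{last} outside the allowed window"
        return "ALLOW", f"write fc=0x{fc:02x} to {start}..{last}"
    # Diagnostics, file records, vendor-specific codes: not needed by this process, so dropped.
    return "DENY", f"function code 0x{fc:02x} not required by this process"


# Constructed sample: one PLC (unit 1), an HMI that may only read, an engineering
# workstation that may write set-points 100..109, and an unknown host.
HMI, ENG, ROGUE = "10.10.1.10", "10.10.1.20", "10.10.1.77"
POLICY = Policy(
    read_sources=frozenset({HMI, ENG}),
    write_sources=frozenset({ENG}),
    unit_ids=frozenset({1}),
    writable_registers=range(100, 110),
)

SAMPLE_REQUESTS = [
    (HMI, build_frame(1, 1, FC_READ_HOLDING, struct.pack(">HH", 0, 10))),                        # routine poll
    (HMI, build_frame(2, 1, FC_WRITE_SINGLE_REG, struct.pack(">HH", 105, 1))),                   # HMI tries to write
    (ENG, build_frame(3, 1, FC_WRITE_SINGLE_REG, struct.pack(">HH", 105, 1))),                   # legitimate set-point
    (ENG, build_frame(4, 1, FC_WRITE_MULTI_REGS, struct.pack(">HHB", 108, 4, 8) + bytes(8))),  # runs past window
    (ENG, build_frame(5, 1, FC_DIAGNOSTICS, struct.pack(">HH", 0, 0))),                          # not needed here
    (ROGUE, build_frame(6, 1, FC_READ_HOLDING, struct.pack(">HH", 0, 10))),                      # unknown host
    (ENG, b"\x00\x07\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"),                                   # protocol id 1
]


def filter_all(requests=SAMPLE_REQUESTS, policy=POLICY) -> list:
    """Run the policy over a batch; returns [(src_ip, decision, reason), ...]."""
    return [(src, *decide(src, frame, policy)) for src, frame in requests]


if __name__ == "__main__":
    for src, verdict, why in filter_all():
        print(f"{src:<12} {verdict:<5} {why}")
```

Note what the filter does not do: it cannot tell a spoofed source address from a real one, and a stolen engineering-workstation session still gets its writes through. That is why the deck pairs the device firewall with an agent-style IDS and with authenticating devices on the network; this filter shrinks what an attacker can say to the PLC, the other controls address who is allowed to say it.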

Slide 17: DHS Strategies for a Secure ICS: seven essential steps

1. Application whitelisting: detect and prevent attempted execution of malware uploaded by adversaries. Organizations need to consider new approaches.
2. Ensure proper configuration/patch management: get installations from authenticated vendors, publish hashes via an out-of-band communications path, and use these to authenticate the packages before installing them.
3. Reduce your attack surface area: isolate ICS networks from any untrusted networks. Lock down all unused ports. Turn off all unused services.
4. Build a defendable environment: segment networks into logical enclaves and restrict host-to-host communication paths.
5. Manage authentication: implement multi-factor authentication where possible. Reduce privileges to only those needed for a user's duties.
6. Secure remote access: implement "monitoring only" access. Do not allow persistent remote vendor connections into the control network.
7. Monitor and respond: establish monitoring programs to watch IP traffic on ICS boundaries and to monitor IP traffic within the control network.
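Step 2 is the one most often done by eye (glance at a hash on a web page, move on). As an added example, not from the deck or from any vendor, here is the check written down: parse a sha256sum-style manifest that arrived separately from the packages, hash what actually landed on the transfer workstation, and classify every file as ok, mismatch, missing or unlisted. The package contents, file names and manifest are constructed for illustration.

```python
"""Verify vendor installation packages against an out-of-band hash manifest.

Added example. The package contents, file names and manifest below are constructed;
they are not real vendor releases.
"""
import hashlib
import hmac

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex digest>  <file name>') into {name: digest}.

    Blank lines and '#' comments are ignored; anything else malformed is an error,
    because a manifest you cannot parse exactly is a manifest you cannot trust.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<digest> <name>'")
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")  # '*' marks binary mode
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        if name in entries:
            raise ValueError(f"manifest line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def verify_packages(received: dict, manifest_text: str) -> dict:
    """Compare received {name: bytes} against the manifest. Status per file name:
    'ok' (digest matches), 'mismatch' (tampered or corrupted), 'missing' (listed but
    not received), 'unlisted' (received but not in the manifest: do not install)."""
    expected = parse_manifest(manifest_text)
    status = {}
    for name, digest in expected.items():
        if name not in received:
            status[name] = "missing"
            continue
        actual = sha256_hex(received[name])
        # The digests are public, so timing is not a secret here; compare_digest is
        # still the right habit for any equality check on authentication material.
        status[name] = "ok" if hmac.compare_digest(actual, digest) else "mismatch"
    for name in received:
        if name not in expected:
            status[name] = "unlisted"
    return status


# Constructed releases. The manifest is derived from the good copies here only to keep
# the example self-contained; in practice it must reach you on a path separate from the
# download (vendor portal over TLS plus a phone call, signed mail, printed sheet), so an
# attacker who can alter the package cannot also alter what it is checked against.
FIRMWARE_GOOD = b"PLC-FW v2.1 " + bytes(range(64))
HMI_SETUP_GOOD = b"HMI-SETUP 4.0 " + bytes(range(64, 128))
OPC_DRIVER_GOOD = b"OPC-DRIVER 1.3"

VENDOR_MANIFEST = (
    "# SHA-256 manifest published by the vendor (constructed)\n"
    f"{sha256_hex(FIRMWARE_GOOD)}  plc-firmware-2.1.bin\n"
    f"{sha256_hex(HMI_SETUP_GOOD)}  *hmi-setup-4.0.exe\n"
    f"{sha256_hex(OPC_DRIVER_GOOD)}  opc-driver-1.3.zip\n"
)

# What actually landed on the transfer workstation: the firmware has one bit flipped,
# the OPC driver never arrived, and an extra installer nobody asked for is present.
RECEIVED = {
    "plc-firmware-2.1.bin": FIRMWARE_GOOD[:-1] + bytes([FIRMWARE_GOOD[-1] ^ 0x01]),
    "hmi-setup-4.0.exe": HMI_SETUP_GOOD,
    "rogue-update.msi": b"MZ totally legitimate",
}


def check_received() -> dict:
    return verify_packages(RECEIVED, VENDOR_MANIFEST)


if __name__ == "__main__":
    for name, result in sorted(check_received().items()):
        print(f"{result:<9} {name}")
```

A hash match proves the bytes are the ones the manifest describes, not that the manifest came from the vendor; that origin assurance is exactly what the separate channel (or a vendor signature over the manifest) is for, and it is why the check fails closed on any manifest line it cannot parse.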

Slide 18: Straight from the DHS

In 2015, 295 incidents were reported to ICS-CERT.

98% of incidents reported could have been prevented.

Slide 19: Assume You Will Be Compromised!

2016 observations:
• Shadow Brokers: NSA breach, toolkit released
• Rockwell MicroLogix 1400: undocumented feature, no patch, 787 public facing
• Legacy malware still a threat, therefore APT DEFINITELY a threat
• Mirai IoT botnet

Interesting statistics:
• 20% increase in reported ICS incidents from 2014 to 2015 (energy the 2nd most affected industry) [1]
• 1/3 of ICS malware enters the ICS via USB [2]
• 1/3 of published vulnerabilities are zero-days with no patch available at time of disclosure [3]
• 5 instances of ICS vulnerabilities being exploited in the wild were conducted by nation states [3]
• 91% of public-facing ICS is remotely exploitable [4]

Sources: [1] ICS-CERT, [2] Honeywell, [3] FireEye, [4] Kaspersky

Slide 20: Key Takeaways: keep out of the headlines!

Effectively implementing defense-in-depth (DID) security in ICS/SCADA networks will keep you out of the newspapers.

1. Protect your networks
2. Authenticate / authorize devices on your network
3. Protect your endpoints
4. Monitor & analyze operations

Slide 21: Final Thought

Slide 22

Matthew Cowell GICSP CWNA, Director, Industrial Markets
Ultra Electronics, 3eTI
+1 301 529 2801
[email protected]
@m_p_cowell on Twitter