An Operational Cyber Security Perspective on Emerging Challenges
Michael Misumi, CIO, Johns Hopkins University Applied Physics Lab (JHU/APL)


Page 1 (title slide)

Page 2

Johns Hopkins University Applied Physics Lab (JHU/APL)

• University Affiliated Research Center

• Sponsors include DOD, NASA

• 6,500+ staff

Page 3

Cyber Attack 2009

• 2 Weeks disconnected from the Internet

• 40 GB of unclassified data lost

• 5 malware versions, 13 accounts, 48 systems

Page 4

Pre-Cyber Attack 2009

1. Completed risk assessment: cross-APL team evaluated assets, assailants, tactics

2. Began distributing application whitelisting software: 2,000 systems by 6/11/09

3. Engaged Mandiant, preparing for a full network scan: 5,500 systems by 6/11/09, enterprise-wide scanning planned for 6/15/09

Page 5

APL Unclassified Network (diagram: Internet, APL Public, APL Internal)

1. Analyzed network traffic, found command and control activity

2. Remediated systems and accounts

3. Consultant recommendation:
- Attackers are “A” team
- Slow data removal typical
- High probability of layered, sophisticated intrusion tools
- Partial measures drive the attackers deeper, making full remediation more difficult
- Map attack via scanning without closing Internet access

4. Decision to stay connected and map the attack


Page 7

Timeline to Restore Internet Access

Requirement:

• Find all malware variants

• Secure all computers

Date      Malware  Systems   Login     Systems  App whitelisting  Notes
          types    impacted  accounts  scanned  installed
Thu 6/11  1        3         1                  2000              Attack discovered
Fri 6/12  1        3         1
Sat 6/13  1        3         1         1000     5500
Sun 6/14  1        3         1
Mon 6/15  1        7         2
Tue 6/16  2        23        5         5000
Wed 6/17  2        25        6
Thu 6/18  3        31        8
Fri 6/19  3        34        11        7300     6500
Mon 6/22  3        37        13
Tue 6/23  3        37        13
Wed 6/24  3        37        13
Thu 6/25  3        40        13
Fri 6/26  *5       *48       13        All      All               Internet access opened

Page 8

Leveraging Synergy at JHU/APL (diagram): Mission Systems, Corporate Cyber, Cyber Research

Page 9

Network diagram: Unclassified Network with Internal and Public zones, connected to the Internet

Page 10

Network diagram: as page 9, plus a VPN with remote connections from Korea, Hong Kong, China and Canada

Page 11

Network diagram: as page 10, plus Virtual Machines

Page 12

Network diagram: as page 11, with one element marked X

Page 13

Network diagram: as page 12, with the VPN also marked X

Page 14

Network diagram: as page 11, plus Social Networking

Page 15

Network diagram: as page 11 (Internet, Internal, Public, VPN, Virtual Machines, Korea, Hong Kong, China, Canada, Unclassified Network)

Page 18

Coordinating Regional Cyber Response (diagram): Regional Defensive Teams (Team 1 to Team 6); Cyber Analysts; Integrated Threat Analysis Cell; Fusion Cell; Legal; Law Enforcement; Cyber Communications

Page 19

Visualize the Battlespace: Galaxy Main View

• Filters for major event types let the analyst turn off “noise”

• Primary view is a node-link graph helping the analyst make sense of heterogeneous event data

• Zoomable timeline shows all events, provides a sense of scale

• Interactive selection of the focal time window and playback

Page 20

Visualize the Battlespace: Galaxy Replay Capability

Replay capability helps illustrate sequences of events. Here, a malicious actor finds a vulnerability and spreads through a network.

Page 21

Regional Cyber Response: Positive Exercise Outcomes

1. Increasing amount of threat information shared by defensive teams

2. Crowd-sourced intelligence leads to a broad view of adversary tactics

3. Adversaries shut down after first attack due to information sharing

4. Threat Analysts told to pause sharing Intelligence with Defensive Teams because they were “too fast”

5. Adversaries must bring increasing numbers of staff and infrastructure due to Intelligence-sharing capability

Page 22

Diagram: Information Technology (IT), Operations Technology (OT), ICS, Plant / Manufacturing Systems

Page 23

ICS

The scale, scope, and frequency of cyber attacks on digital and physical infrastructure systems is growing rapidly. Threats are escalating as more sophisticated and organized attackers are designing targeted attacks to damage or disrupt vital services and critical physical systems. - President’s NIAC Report 8/2017

Industrial Control Systems (ICS) are EVERYWHERE

Page 24

IT vs ICS

• Lifetime. IT system: 3-5 years. Control systems (ICS): 10-30 years.

• Owner. IT: CIO. ICS: technicians, operators, managers.

• Purpose. IT: general computing, runs a variety of applications. ICS: control machines, runs few applications at high availability.

• Focus. IT: preventing data loss. ICS: preventing operational disruption or damage.

• Patches. IT: IT staff; regularly scheduled, enterprise-wide, automated. ICS: external vendor; nontrivial scheduling due to production impact and may “break” ICS functionality; ICS owners required to define acceptable risk.

• Security software, incident response and forensics. IT: commercial products and consulting available. ICS: few solutions; forensics immature; requires good IT/ICS relationships; difficult to retrofit with security.

Page 25

The greatest vulnerability to ICS occurs at any point of connection (diagram: ICS connected to the Internet)

Page 26

Example: Fuel Delivery System

1. Phishing attack via the Internet

2. Reconnaissance to identify pump controller

3. Shutdown commands stop fuel delivery

Page 27

Example Dependency Model: Fuel Delivery System (diagram, top layer to bottom layer)

Mission functions: Store Fuel; Receive Fuel; Distribute Fuel; Provide cooling; Transportation; Provide safe working environment; Perform preventive maintenance; Perform corrective maintenance; Perform Operations

Supporting systems: Fuel manager DB; Automatic tank gauge; HVAC; Water Treatment; Building Automation; Fuel handling systems; Fire fighting equipment; Diesel Generator

Components: Level Sensor 1; Level Sensor 2; Fuel Pump 1; Fuel Pump 2; Wireless Access Point 1; Wireless Access Point 2; Fuel Manager Server; Windows Workstations

Page 28

Example Assessment Findings

• ICS modernization has largely been ignored
- Lots of end-of-life products (older hardware, software, expired warranties)
- Operators are not fully aware of system interfaces
- Systems have low funding priority (since they are so old), yet these elements directly impact the facility mission (not commonly understood)

• Increasing connectivity between systems
- Allows a large attack surface for “isolated” systems to be exploited
- Many systems have unencrypted wireless access

• System owners are not aware of cyber risks

• Ownership structure adds complications to management of systems
- System owners and operators report to two separate chains of command

Page 29

• What does component failure mean for the overall system response?

• What does it mean for multiple interacting systems?

• Overall economic impact?

• Potential to hold society at risk

• Vulnerability invites attack

• What about “soft science” consequences?
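The component-failure questions above, worked as an added example that is not part of the deck: a small Python model of the page 27 dependency diagram, where each node requires every one of its dependency groups and a group with two members (the paired level sensors, pumps and access points) expresses redundancy. The node names are the slide's; the edges between them and the choice of which dependencies are redundant are assumptions made here for the illustration.

```python
"""Impact analysis over the fuel-delivery dependency model.

Added illustration, not code from the JHU/APL deck. The node names are the
ones on the dependency-model slide; the edges between them and the choice of
which dependencies are redundant are assumptions made here for illustration.
"""
from __future__ import annotations

# node -> list of requirement groups. A node works only if EVERY group has at
# least one working member, so a two-member group expresses redundancy
# (either level sensor, either pump, either access point is enough).
# All edges below are assumed, not taken from the slide.
DEPENDENCIES = {
    # Mission functions (top layer of the slide)
    "Store Fuel": [["Automatic tank gauge"], ["Fuel handling systems"]],
    "Receive Fuel": [["Automatic tank gauge"], ["Fuel handling systems"]],
    "Distribute Fuel": [["Perform Operations"], ["Fuel handling systems"]],
    "Provide cooling": [["HVAC"]],
    "Transportation": [],
    "Provide safe working environment": [["Fire fighting equipment"], ["Building Automation"]],
    "Perform preventive maintenance": [["Fuel manager DB"]],
    "Perform corrective maintenance": [["Fuel manager DB"]],
    "Perform Operations": [["Fuel Manager Server"], ["Windows Workstations"],
                           ["Fuel Pump 1", "Fuel Pump 2"]],
    # Supporting systems
    "Fuel manager DB": [["Fuel Manager Server"]],
    "Automatic tank gauge": [["Level Sensor 1", "Level Sensor 2"]],
    "HVAC": [["Building Automation"]],
    "Water Treatment": [],
    "Building Automation": [["Wireless Access Point 1", "Wireless Access Point 2"]],
    "Fuel handling systems": [["Fuel Pump 1", "Fuel Pump 2"],
                              ["Level Sensor 1", "Level Sensor 2"]],
    "Fire fighting equipment": [],
    "Diesel Generator": [],
    # Components (bottom layer)
    "Fuel Manager Server": [["Diesel Generator"]],   # assumed: on generator-backed power
    "Windows Workstations": [["Wireless Access Point 1", "Wireless Access Point 2"]],
    "Level Sensor 1": [], "Level Sensor 2": [],
    "Fuel Pump 1": [], "Fuel Pump 2": [],
    "Wireless Access Point 1": [], "Wireless Access Point 2": [],
}

MISSION_FUNCTIONS = [
    "Store Fuel", "Receive Fuel", "Distribute Fuel", "Provide cooling",
    "Transportation", "Provide safe working environment",
    "Perform preventive maintenance", "Perform corrective maintenance",
    "Perform Operations",
]


def available(node: str, failed: set[str], memo: dict | None = None) -> bool:
    """True if `node` still works when every node in `failed` is down.

    Memoised so a shared dependency (the access points, the server) is
    evaluated once; a node revisited while in progress means the model
    contains a cycle, which is reported rather than silently treated as down.
    """
    if memo is None:
        memo = {}
    if node in memo:
        if memo[node] is None:
            raise ValueError(f"dependency cycle through {node!r}")
        return memo[node]
    if node in failed:
        memo[node] = False
        return False
    memo[node] = None  # in-progress marker
    groups = DEPENDENCIES.get(node, [])
    ok = all(any(available(alt, failed, memo) for alt in group) for group in groups)
    memo[node] = ok
    return ok


def impacted_functions(failed: set[str]) -> list[str]:
    """Mission functions that stop working given the failed components."""
    memo: dict = {}
    return sorted(f for f in MISSION_FUNCTIONS if not available(f, failed, memo))


def single_points_of_failure() -> dict[str, list[str]]:
    """For each non-mission node, the mission functions lost if it alone fails.

    Nodes whose loss takes nothing down (the redundant sensors, pumps and
    access points in this model) are left out of the result.
    """
    spof: dict[str, list[str]] = {}
    for node in DEPENDENCIES:
        if node in MISSION_FUNCTIONS:
            continue
        hit = impacted_functions({node})
        if hit:
            spof[node] = hit
    return spof


if __name__ == "__main__":
    print("Level Sensor 1 alone:", impacted_functions({"Level Sensor 1"}))
    print("Both level sensors:", impacted_functions({"Level Sensor 1", "Level Sensor 2"}))
    for node, lost in single_points_of_failure().items():
        print(f"{node}: {', '.join(lost)}")
```

With these assumed edges, losing one level sensor costs nothing, losing both stops storing, receiving and distributing fuel, and the Fuel Manager Server and the Diesel Generator behind it are single points of failure for operations and maintenance. The same walk answers the "multiple interacting systems" question by passing several nodes in `failed` at once; what it cannot answer is the economic or societal consequence, which needs an impact figure attached to each mission function.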

Page 30

(Slide image; source: CyberWire 10/2017)

Page 31

Example Steps to Securing Control Systems (ICS)

1. Determine level of risk the organization will accept

2. Decide on cyber security ownership
- Bring IT and OT together
- Who owns protecting the asset?

3. Identify the ICS functions
- Criticality to operations?
- Common component across systems?

4. Implement ICS operational security
- Baseline devices, apps, comms
- Secure network connections
- Harden system boundaries
- Invest in detection tools
- Focus on whitelisting
- Create and exercise recovery options
- Provide security training

From SANS Securing ICS 2017
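The "baseline devices, apps, comms" and whitelisting steps above, applied to the page 26 fuel-delivery attack chain, as an added example (not code from the deck or from SANS): a baseline of which hosts may read and which may write to the pump controller is learned from a capture taken during known-good operation, and later traffic is checked against it, so the phished workstation's reconnaissance reads, its shutdown write and its outbound connection each raise an alert. The log format, addresses and hosts are constructed for the example; the Modbus function codes and TCP port 502 are the standard ones.

```python
"""Baseline-and-allowlist detection for the fuel-pump attack chain.

Added example, not code from the JHU/APL deck or from SANS. The log format,
host addresses and allowlist are constructed for illustration; the Modbus
function codes are the standard ones (FC 1/3 read, FC 5/6/15/16 write) and
TCP/502 is the standard Modbus/TCP port.
"""
from __future__ import annotations

from dataclasses import dataclass

MODBUS_WRITE_FCS = {5, 6, 15, 16}   # write coil/register commands: the ones that can stop a pump
ICS_SEGMENT = "10.20.0."            # assumed address range of the control network


@dataclass
class Event:
    ts: str
    src: str
    dst: str
    dport: int
    fc: int | None   # Modbus function code; None for non-Modbus traffic


def parse_line(line: str) -> Event:
    """Parse one constructed flow record: `<ts> <src> <dst> <dport> [fc=<n>]`."""
    ts, src, dst, dport, *extra = line.split()
    fc = next((int(x[3:]) for x in extra if x.startswith("fc=")), None)
    return Event(ts, src, dst, int(dport), fc)


def learn_baseline(lines: list[str], controllers: set[str]) -> dict:
    """Build the per-controller allowlist from a known-good capture (the
    "baseline devices, apps, comms" step). Hosts seen reading a controller
    become readers; hosts seen writing to it become writers."""
    policy = {c: {"readers": set(), "writers": set()} for c in controllers}
    for ev in map(parse_line, lines):
        if ev.dst in policy and ev.fc is not None:
            role = "writers" if ev.fc in MODBUS_WRITE_FCS else "readers"
            policy[ev.dst][role].add(ev.src)
    return policy


def check(ev: Event, baseline: dict) -> list[str]:
    """Alert reasons for one event; an empty list means it is within baseline."""
    alerts = []
    policy = baseline.get(ev.dst)
    if policy is None:
        # Not a known controller: only flag control-network hosts leaving the segment
        if ev.src.startswith(ICS_SEGMENT) and not ev.dst.startswith(ICS_SEGMENT):
            alerts.append(f"{ev.src} reached outside the ICS segment: {ev.dst}:{ev.dport}")
        return alerts
    if ev.src not in policy["readers"] | policy["writers"]:
        alerts.append(f"{ev.src} is not in the baseline for controller {ev.dst}")
    if ev.fc in MODBUS_WRITE_FCS and ev.src not in policy["writers"]:
        alerts.append(f"write (FC {ev.fc}) to {ev.dst} from non-writer {ev.src}")
    return alerts


def scan(lines: list[str], baseline: dict) -> list[tuple[str, str]]:
    """Run every record through `check`; returns (timestamp, reason) pairs."""
    return [(ev.ts, why) for ev in map(parse_line, lines) for why in check(ev, baseline)]


# Constructed records, `ts src dst dport [fc=N]`; 10.20.0.10 is the pump controller.
KNOWN_GOOD = [
    "08:00:01 10.20.0.50 10.20.0.10 502 fc=3",   # HMI polls holding registers
    "08:00:05 10.20.0.51 10.20.0.10 502 fc=6",   # engineering workstation writes a setpoint
]
ATTACK_WINDOW = KNOWN_GOOD + [
    "09:03:10 10.20.0.77 10.20.0.10 502 fc=1",   # phished workstation reads coils (recon)
    "09:03:40 10.20.0.77 10.20.0.10 502 fc=5",   # then writes a coil (shutdown command)
    "09:04:00 10.20.0.77 203.0.113.9 443",       # and talks back out to the Internet
]

if __name__ == "__main__":
    baseline = learn_baseline(KNOWN_GOOD, {"10.20.0.10"})
    for ts, why in scan(ATTACK_WINDOW, baseline):
        print(ts, why)
```

Feed this from a passive tap or span port rather than by scanning the controllers, since probing old devices is one of the ways security retrofits "break" ICS functionality. The allowlist is only as good as the capture it was learned from: the baseline window has to be reviewed by the ICS owner before it is enforced, or a host that was already compromised during the capture becomes a permitted writer.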

Page 32

Joint Defense and Red Teaming

• Government collaboration

• Consortium cyber response

• External red team

• New product penetration testing

Cyber Defense is a Team Sport

Page 33

Cross-Organization Response: Tabletop Lessons

1. Where to direct requests for resourcing to solve emergency needs

2. Different levels of classified communications, and staff classification levels

3. Sharing personal contacts/relationships to gather and disseminate information

4. Discussion of how we’re informing the public

5. Coordinate external communications

Building a CONOPS to guide restoration operations is vital
