CYBER SECURITY MEETUP COLOMBO, 26 TH SEPTEMBER 2019

Post on 28-May-2020


TRANSCRIPT

Page 1: Cyber security Meetup Colombo, 26th September 2019...Even “Air gapped” system can be vulnerable August 2008 - “Hackers had shut down alarms, cut off communications and super-pressurized

CYBER SECURITY MEETUP

COLOMBO, 26TH SEPTEMBER 2019

Page 2:

Page 3:

WHAT ARE INDUSTRIAL CONTROL SYSTEMS (ICS)?

Computer based systems that control physical devices:

• Traffic lights

• Pumps

• Motors

• Electrical distribution switches

Page 4:

WHERE TO FIND THEM IN SRI LANKA?

• Electrical grid

• Power plants

• Water systems (water purification, waste water treatment, irrigation)

• Industrial applications

• Building management

• Data centers

• Transportation systems (airport, trains, traffic lights)

Page 5:

CRITICAL INFRASTRUCTURE IS INCREASINGLY IN FOCUS

What is critical infrastructure? The US DHS identifies 16 critical sectors:

• Chemical

• Communications

• Dams

• Emergency Services

• Financial Services

• Government Facilities

• Information Technology

• Transportation Systems

• Commercial Facilities

• Critical Manufacturing

• Defense Industrial Base

• Energy

• Food and Agriculture

• Healthcare and Public Health

• Nuclear Reactors, Material and Waste

• Water and Wastewater

Page 6:

INDUSTRIAL CONTROLS ARE INHERENTLY VULNERABLE

• Based on open protocols

• Most are based on decades-old designs

• Security was never thought about

• Inherently trusting of other devices on the control network

• Often installed and left untouched for a long time (many years)

• Few updates are made, as any change brings the risk of interrupting production

Page 7:

VULNERABILITIES ARE EVERYWHERE

Recent advisories from the US Department of Homeland Security ICS-CERT: https://ics-cert.us-cert.gov/advisories

All these new disclosures are from the month of September 2019.

Page 8:

ICS ARE CONNECTED

Many IT / operations managers believe their systems are “air gapped”. However, most systems are connected:

• Directly to the outside world:

  • Web servers

  • VPN for remote diagnostics / engineering

• Indirectly via corporate networks:

  • Historians

  • MES systems

  • VPN

  • “Jump servers”
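The “ICS are connected” claim can be checked rather than assumed. The Python script below is an added example and not part of the original slides: it reads firewall flow records, maps each address to a network zone and reports every allowed flow that links the control network to the corporate network or the Internet and is not on a reviewed exception list. The zone ranges, the key=value log format, the sample log lines and the exception list are all constructed for illustration and do not describe any real site.

```python
# Air-gap reality check: classify firewall flow records by zone and flag every
# allowed path that links the control network to another zone.
# Added example; zones, log format and exception list are constructed.
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

# Constructed zone map (assumption: this plant uses these ranges; real sites differ).
ZONES = {
    "ot":   ipaddress.ip_network("10.10.0.0/16"),   # PLC / HMI control network
    "dmz":  ipaddress.ip_network("10.30.0.0/24"),   # historian replica, jump server
    "corp": ipaddress.ip_network("10.20.0.0/16"),   # office network
}

# Documented, reviewed exceptions: (src_zone, dst_zone, dst_port, protocol).
# Anything else crossing the OT boundary is reported.
ALLOWED_CROSSINGS = {
    ("ot", "dmz", 1433, "tcp"),    # historian push to the DMZ replica
    ("dmz", "ot", 3389, "tcp"),    # jump server RDP into the engineering workstation
}

# Constructed log lines in a generic key=value format (not a real vendor format).
SAMPLE_LOG = """\
ts=2019-09-26T08:01:12Z action=allow proto=tcp src=10.10.5.20 dst=10.30.0.10 dport=1433
ts=2019-09-26T08:02:40Z action=allow proto=tcp src=10.30.0.5 dst=10.10.5.21 dport=3389
ts=2019-09-26T08:03:05Z action=allow proto=tcp src=10.10.5.22 dst=203.0.113.9 dport=443
ts=2019-09-26T08:03:50Z action=allow proto=udp src=10.20.7.14 dst=10.10.5.20 dport=502
ts=2019-09-26T08:04:11Z action=deny proto=tcp src=198.51.100.4 dst=10.10.5.20 dport=22
ts=2019-09-26T08:05:00Z action=allow proto=tcp src=10.20.7.15 dst=10.20.1.1 dport=80
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    src_zone: str
    dst: str
    dst_zone: str
    dport: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to a zone name; anything outside the known ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def find_ot_crossings(log_text: str) -> list[Finding]:
    """Return every *allowed* flow that links the OT zone to another zone and is
    not on the reviewed exception list. Denied flows are skipped on purpose: the
    question is which connectivity exists, not which attempts the firewall stopped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "allow":
            continue
        src_zone, dst_zone = zone_of(m["src"]), zone_of(m["dst"])
        if "ot" not in (src_zone, dst_zone) or src_zone == dst_zone:
            continue
        dport, proto = int(m["dport"]), m["proto"]
        if (src_zone, dst_zone, dport, proto) in ALLOWED_CROSSINGS:
            continue
        findings.append(Finding(m["ts"], m["src"], src_zone, m["dst"], dst_zone, dport, proto))
    return findings


if __name__ == "__main__":
    for f in find_ot_crossings(SAMPLE_LOG):
        print(f"{f.ts} {f.src_zone}->{f.dst_zone} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

Against a real export, replace SAMPLE_LOG with the firewall's allowed-flow log. Every finding is a path that contradicts the “air gap” claim and should either be written down as a reviewed exception or closed; on the constructed sample the script reports an HMI host reaching the Internet on 443 and an office host reaching a controller on Modbus port 502.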

Page 9:

ICS CONNECTIVITY WILL INCREASE

Driven by “plant digitization” or “industrial IoT”, also called “Industry 4.0 (4IR)”.

This is the promise of efficiency gain in production processes via the use of “big data”:

• Direct process efficiency gains due to process and operations optimization

• Preventative and predictive maintenance

• Creation of new products

This is based on the collection, analysis, and sharing of industrial data.

Page 10:

ICS ARE VULNERABLE TO IT ISSUES

• Linux vulnerability

• TLS vulnerability

• Probably many more

Page 11:

SPECIFIC THREATS ALSO EXIST

CrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850.

As CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing.

Source: ICS-CERT

Page 12:

THERE ARE MANY TYPES OF THREAT ACTORS

• Internal threat (“disgruntled” employees, knowledgeable contractors, etc.)

• Hacktivists

• “Independent” hackers

• Organized crime

• State actors: intelligence agencies, military organizations, state-sponsored hacking groups, etc.

NONE OF THEM CAN BE IGNORED!!!

You may not be a target of choice, but your organization could be a target of opportunity or just collateral damage.

Page 13:

INTERNAL: WASTE MANAGEMENT SYSTEM - AUSTRALIA

• ICS contractor rejected for a permanent job

• Modified the ICS system program repeatedly while the company was trying to troubleshoot

• Dumped millions of liters of sewage in parks, rivers and the grounds of a hotel

• 2 years in jail

Page 14:

INTERNAL: LA TRAFFIC SYSTEM

In 2006, a pair of LA traffic engineers hacked traffic lights to cause gridlock as part of a labor protest.

Page 15:

HACKTIVISTS

Try to exert political pressure through cyber compromise.

Usually not ICS related, minimal damage.

• State of Michigan Website - Flint Water crisis

• North Carolina government website – transgender law

• City of Baton Rouge website – after fatal police shooting

This could change …

Page 16:

HACKERS

Just because they can…

Usually not targeting a particular organization, just looking for easy targets.

They can still do real damage.

ICS are seen as an interesting “playground” as they are usually not so hard to penetrate.

Page 17:

ORGANIZED CRIME

“…the attackers used a spear phishing campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords.”

Operators lost control of the plant and were asked to pay a ransom to get control back.

Page 18:

ORGANIZED CRIME: RANSOMWARE - WANNACRY

230,000 computers in 150+ countries infected within 24 hours

Page 19:

STATE ACTORS: LESSONS FROM STUXNET

Even “air gapped” systems can be vulnerable

Page 20:

STUXNET WAS NOT THE FIRST CYBER WEAPON

August 2008 - “Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line. The main weapon at valve station 30 on Aug. 5, 2008, was a keyboard.”

Page 21:

STATE ACTORS: PETYA

Page 22:

STATE ACTORS: PETYA

Page 23:

TERRORISM IS A NEW CYBER SECURITY THREAT

Page 24:

ADVANCED THREATS CAN BECOME COMMON QUICKLY

NSA tools used for over a decade, then disclosed by the “Shadow Brokers”

Used a month later in WannaCry for ransomware and in EternalRocks (worm demonstration? Doesn’t seem to cause real damage)

Page 25:

WEAPON IN FUTURE CONFLICTS

Future conflicts will use as many cyber “weapons” as “kinetic” ones.

Critical infrastructure is a target.

No picking on the US, but typically documented information is coming from there. Russia, Iran, North Korea and many other nations are all very active in this area.

Page 26:

FIVE MYTHS OF INDUSTRIAL CONTROL SYSTEMS SECURITY

• We’re not connected to the internet

• We’re secure because we have a firewall

• Hackers don’t understand SCADA/DCS/PLC

• Our facility is not a target

• Our safety systems will prevent any harm

Page 27:

WHAT CAN BE DONE? BEST PRACTICE

We need to harden our systems so that inherent vulnerabilities do not lead to large scale compromise: basic cyber hygiene.

• Patch management

• End-point protection (anti-virus)

• Application whitelisting

• Log monitoring (SIEM)

• Backup management

But this is not entirely realistic in an OT environment!

• No “reboot time window” available

• Hard to keep anti-virus patterns up to date

• Requires IT skilled personnel

• Old software may not have patches available

• Any change brings risk of stopping operations
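As an added example (not from the slides), the script below audits a small OT asset inventory against the five hygiene controls listed above while applying the OT constraints listed after them: where a control cannot be applied (no patch exists, no reboot window, no anti-virus updates), it names a compensating control instead of only reporting a gap. The asset records, the thresholds and the compensating-control wording are assumptions made for this example, not a published standard.

```python
# Basic cyber-hygiene audit for OT assets, with OT constraints taken into account.
# Added example; inventory, thresholds and recommendations are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass
class OtAsset:
    name: str
    role: str
    patch_available: bool              # vendor still ships fixes for this software
    last_patched: date | None          # None = never patched since installation
    reboot_window_days: int | None     # days until next planned outage; None = no window
    av_signature_age_days: int | None  # None = no anti-virus installed
    whitelisting: bool                 # application whitelisting enforced
    forwards_logs_to_siem: bool
    last_backup: date | None


@dataclass
class HygieneReport:
    asset: str
    gaps: list[str] = field(default_factory=list)
    compensating: list[str] = field(default_factory=list)


# Assumed thresholds; tune to site policy.
MAX_PATCH_AGE_DAYS = 180
MAX_AV_AGE_DAYS = 30
MAX_BACKUP_AGE_DAYS = 7


def audit(asset: OtAsset, today: date) -> HygieneReport:
    """Check one asset against the five controls; when a control is blocked by an
    OT constraint, record the compensating control rather than a bare gap."""
    r = HygieneReport(asset.name)

    # Patch management: distinguish "could patch" from "cannot patch".
    patch_age = (today - asset.last_patched).days if asset.last_patched else None
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        if not asset.patch_available:
            r.gaps.append("unsupported software: no patch available")
            r.compensating.append("isolate in own network segment; allow only documented flows")
        elif asset.reboot_window_days is None:
            r.gaps.append("patch pending: no reboot window")
            r.compensating.append("schedule patch for next outage; restrict access until then")
        else:
            r.gaps.append(f"patch overdue (window in {asset.reboot_window_days} days)")

    # End-point protection: stale signatures are close to no protection, and a
    # static OT image is a good fit for whitelisting as the alternative.
    if asset.av_signature_age_days is None or asset.av_signature_age_days > MAX_AV_AGE_DAYS:
        r.gaps.append("anti-virus missing or signatures stale")
        if not asset.whitelisting:
            r.compensating.append("enable application whitelisting")

    # Log monitoring: an asset that never reaches the SIEM is invisible to it.
    if not asset.forwards_logs_to_siem:
        r.gaps.append("not monitored: no logs reach the SIEM")

    # Backup management.
    backup_age = (today - asset.last_backup).days if asset.last_backup else None
    if backup_age is None or backup_age > MAX_BACKUP_AGE_DAYS:
        r.gaps.append("backup missing or older than policy")
    return r


def audit_all(assets: list[OtAsset], today: date) -> list[HygieneReport]:
    return [audit(a, today) for a in assets]


# Constructed inventory (not real systems).
TODAY = date(2019, 9, 26)
INVENTORY = [
    OtAsset("hmi-01", "operator HMI", True, date(2019, 8, 30), 45, 10, False, True, date(2019, 9, 25)),
    OtAsset("eng-ws-02", "engineering workstation", True, date(2018, 11, 2), None, 60, False, False, date(2019, 9, 1)),
    OtAsset("plc-gw-03", "legacy protocol gateway", False, None, None, None, True, True, date(2019, 9, 24)),
]

if __name__ == "__main__":
    for rep in audit_all(INVENTORY, TODAY):
        print(rep.asset, "| gaps:", rep.gaps, "| compensating:", rep.compensating)
```

On the constructed inventory the HMI passes, the engineering workstation collects four gaps with two compensating controls, and the legacy gateway, which can never be patched, is flagged for segmentation rather than for a patch it cannot receive. That last case is the point of the slide: where a hygiene control is blocked by OT constraints, the audit should say what replaces it.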

Page 28:

IIOT CYBERSECURITY NATIONAL POLICY?

Page 29:

TICK TOCK?

Page 30:

https://www.youtube.com/watch?v=8ThgK1WXUgk

https://www.youtube.com/watch?v=bV47gBsrDkc