16 July 2016
Saturday
ISSA-COS Mini-Seminar
Colorado Technical University
Colorado Springs, CO
Wally Magda, SOHK
WallyDotBiz LLC
How do we keep the lights on when
everyone has access to the switch?
2 WallyDotBiz LLC © 2016
• No animals were harmed in the making of
this presentation!
Industrial Control Systems: How do we keep the lights on…..?
• Please put alert generating devices into
silent or vibrate mode if possible
• Be kind to your colleagues; please take
phone conversation out in the hall
Cellphone, BB, PDA Advisory
• The author is not a lawyer and cannot give legal
advice
• The author does not endorse any specific product
or entity
• This presentation is simply the author’s
professional perspective on Industrial Control
Systems (ICS) Cyber and Physical Security
• References used can be found in Helpful Links
section
DISCLAIMER
How do we keep the lights on when the
switch is connected to the internet?
• SCADA overview
• Threat vectors into ICS devices
• Possible consequences once in control
• Horror stories and threat scenarios
• Actions to protect business and customers
AGENDA
SCADA overview
• SCADA
• Supervisory Control and Data Acquisition
o “Typically” deployed across large geographic
area like electric grid or natural gas pipelines
o One type of many systems used to keep the
lights on and energy flowing
Typical SCADA Diagram
Alphabet soup: lots of acronyms for similar systems and devices.
We shall choose one for the purposes of this presentation.
• ICS
• Industrial Control System
o Broad set of control systems
o General term that encompasses all
• Typical ICS system found in many homes…
Typical Home Heating System (diagram): thermostat to set the desired temperature, with a temperature display; natural gas valve (turns gas on/off), igniter/pilot, burner & blower, heat exchanger; cold air in, hot air out. Process variables and disturbances: house temperature, heat loss from home, natural gas BTU heat content, teenager. Interface: LED/iPhone/dial-up.
• HVAC
• PACS
• Manufacturing
• Vehicles
• Airplanes
• Sprinkler/Irrigation
• Pharmaceutical--Remote drug injection
• Pacemakers
Threat vectors into ICS devices
FUD
The Good, the Bad, the Ugly
!!!! This ain’t FUD !!!!
ISSSource.com, on a report from Rockwell Automation about ransomware
distributed as a file made available on the internet (no source given)
called ‘Allenbradleyupdate.zip’ (April 2016)
Interdependencies
• Generation: coal, natural gas, oil, hydro, geothermal, wind, solar, steam, nuclear
o Natural gas exceeds 50% of the mix
o No gas, no fuel supply, no electricity
o Rinse, lather and repeat
• A cyber attack can easily shut it down
• FTP
• Telnet
• SNMPv1 (v3 available for 14 years)
• Firewall misconfiguration
• VLAN misconfiguration
• Wireless (MIJI)
• Spearphishing
Sneaker Net
• Social Engineering
Possible consequences once in control
Smart Grid home monitoring; connected to internet
• Project Aurora 2.25 MW generator (2007)
• Remote cyberattack destroys generator
• Let the smoke out and it stops working!
• Not to be confused with Operation Aurora
o 2010 hack stealing intellectual property
• 2003 Northeast electric grid outage: situational awareness was lost in Ohio when computer systems slowed down
o Not a hack, but there was a contributing cyber component
• Ping sweep causes robotic arm to swing wildly
• Ping caused IC fab plant to hang
• $50,000 worth of wafers destroyed
• IT performing pen test on corporate network
• Unintentionally stumbles into SCADA
• Locks up gas pipeline SCADA
• 4 hours gas service shutdown
Feb 2016
Horror stories and threat scenarios
Top 3 Public Enemies: Electric
AIR GAP
International Space Station (ISS)
• Houston! Windows Has Problems
o 2008: password-stealing virus infects Space Station laptops (W32.Gammima.AG)
o Not the first time
o Payload laptops do NOT provide virus
protection/detection software
• NASA assures astronauts flight control
systems were not in danger
o But to be safe….
o Migrates all the computer systems related to the ISS over to Linux for security, stability and reliability reasons
o Mistaken belief that Linux has no vulns
• 787 vulnerable to hackers
o Common Core System (CCS)
o Saves weight (fewer line units)
o Wireless computer controls
o FAA raised security concerns
o Boeing claims they have addressed issues
o Maintenance crews--wireless laptops
• Airports and airlines considered CI
• Airlines do not have to report cyber attacks
• Senator queries air industry about aircraft
cybersecurity defenses
• Oh my!!!!
o Hackable cars at risk in a cyber attack
o Navigation, Wi-Fi, Bluetooth, cellular
o Brakes & steering on Bluetooth!!!!
• Stuxnet via sneakernet (June 2010)
o Natanz Fuel Enrichment Plant
o Digitally Signed malware
o HMI spoofed (operator intuition)
o Slow attack under radar
o Destroy centrifuges
• Variants out in wild
o Stuxnet infected Chevron’s IT network (Nov 8, 2012)
o TELVENT hit by sophisticated cyber attack; SCADA admin tool compromised (Sep 26, 2012)
    Telvent supplies remote admin and monitoring tools
    Intelligent transportation systems, train, metro, traffic lights
    Warns customers of advanced persistent threat!!!!
• Power generation facility
• Malware discovered on USB drive
• Two engineering workstations
• No backups
• Turbine control system
• Scheduled outage for maintenance
• Third-party tech’s USB drive used for uploads
• Mariposa botnet virus discovered on the USB drive
• Delayed restart 3 weeks = $$$$$
• Use case (optional): ICS-CERT Advisory ICSA-10-090-01, revised 2014
o USUTIL2 notifies USUTIL1 of malware on an employee’s system
o An instructor had shared it at an industry conference
o Mariposa botnet trojan
    Usernames/passwords
o USUTIL1’s malware tools did not detect it
o Windows systems still spreading it, but it can’t phone home
o Command & Control (C2) callbacks
    hnox.org, socksa.com, ronpc.net
    Initial contact 49 bytes, UDP 21039
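Added example, not part of the presentation or the ICS-CERT advisory: detection logic for the indicators just listed, run over constructed DNS-resolver and perimeter-firewall log lines. The three C2 domains, UDP port 21039 and the 49-byte initial datagram come from the slide; the log formats, host names, addresses and timestamps are constructed. A host that resolves one of the domains, or sends a 49-byte datagram to UDP/21039, is the "still spreading but can't phone home" case: blocked at the perimeter, but still needing cleanup.

```python
"""Detection logic for the Mariposa indicators from ICSA-10-090-01.

Added example; not from the presentation or the advisory. The C2 domains,
the UDP port and the 49-byte first datagram are the indicators the slide
lists. Log formats, host names, addresses and timestamps are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Set

C2_DOMAINS = {"hnox.org", "socksa.com", "ronpc.net"}
C2_UDP_PORT = 21039        # destination port of the initial callback
C2_INITIAL_LEN = 49        # size in bytes of the initial contact datagram

# Constructed DNS resolver log: <timestamp> <client> query <type> <qname>
SAMPLE_DNS_LOG = """\
2016-07-12T03:14:05Z eng-ws-01 query A update.hnox.org
2016-07-12T03:14:06Z eng-ws-01 query A vendor-portal.example.net
2016-07-12T03:14:09Z hmi-02 query A socksa.com
2016-07-12T03:15:00Z hist-01 query A ntp.example.org
"""

# Constructed perimeter firewall log: <timestamp> <action> <proto> <src> -> <dst> len=<bytes>
SAMPLE_FW_LOG = """\
2016-07-12T03:14:07Z DENY udp 10.20.1.15:51234 -> 203.0.113.7:21039 len=49
2016-07-12T03:14:08Z ALLOW udp 10.20.1.15:123 -> 10.20.1.1:123 len=48
2016-07-12T03:14:10Z DENY udp 10.20.1.22:49876 -> 198.51.100.9:21039 len=49
2016-07-12T03:14:11Z ALLOW udp 10.20.1.30:50001 -> 198.51.100.9:21039 len=512
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$")
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    when: str
    host: str        # DNS client name or firewall source IP
    severity: str    # "high" or "medium"
    reason: str


def is_c2_domain(qname: str) -> bool:
    """Exact match or subdomain of a listed C2 domain (case-insensitive)."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def scan_dns(log: str) -> List[Finding]:
    findings = []
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m and is_c2_domain(m["qname"]):
            findings.append(Finding(m["ts"], m["client"], "high",
                                    f"DNS lookup of C2 domain {m['qname']}"))
    return findings


def scan_firewall(log: str) -> List[Finding]:
    findings = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m or m["proto"] != "udp" or int(m["dport"]) != C2_UDP_PORT:
            continue
        # Port and size together match the documented first callback; the port
        # alone is still worth a look because a DENY means the host keeps trying.
        severity = "high" if int(m["len"]) == C2_INITIAL_LEN else "medium"
        findings.append(Finding(m["ts"], m["src"], severity,
                                f"UDP/{m['dport']} {m['len']}-byte datagram to {m['dst']} ({m['action']})"))
    return findings


def suspect_hosts(dns_log: str, fw_log: str) -> Set[str]:
    """Hosts to pull for investigation: anything with a high-severity finding."""
    return {f.host for f in scan_dns(dns_log) + scan_firewall(fw_log) if f.severity == "high"}


if __name__ == "__main__":
    for f in scan_dns(SAMPLE_DNS_LOG) + scan_firewall(SAMPLE_FW_LOG):
        print(f"{f.when} {f.severity:6} {f.host:15} {f.reason}")
```

The DNS side catches the infection before any packet leaves, since the callback has to resolve the domain first; the firewall side catches hosts with hard-coded resolvers or cached answers. Both feeds are worth keeping in the historian-style long-term storage an ICS shop usually already has.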
• Netherlands
o Dike controls on the internet, found via Shodan
o Veere county admin using the password “Veere”
o Server running SunOS 5.8 not patched for 6 years
• Netherlands
o New low: Bavaria beer brewer’s site hacked
o Large electronics company hacked
o Dutch government lost its cyber security incident database
    Backup tapes could no longer be read
Courtesy of SHODAN
• FUD
• Hacktivists
• Specialized search engines
o SHODAN, SHINE, ERIPP
• Exploitation tool kits
• 2012: Chinese hackers gain access to NASA’s Jet Propulsion Lab
• Saudi Aramco attack; data wiped on 30,000+ computer systems (Shamoon, delivered by sneakernet)
• 400% increase in vuln reports since 2010
• Major spearphishing campaign against US oil & natural gas pipelines
Tuesday, April 16, 2013, 1:30 AM PDT
Flashes lower left show round hitting fence
Metcalf Substation
Web site encouraging followers to initiate “electronic jihad.”
• ICS cyber attack scenario (INL)
o Malicious code embedded in a PowerPoint presentation on the corporate domain
o Opens a covert channel from the victim’s
computer through the corporate firewall to the
attackers on the internet
o Hijack sessions between the corporate domain
and the ICS domain
o Took control of pumps to overflow tanks
o Operator screens show all systems running
normally
• Vast majority of hacking incidents go unreported
o Inability to detect attacks
o Reasons of security
o Avoid embarrassment
o Affect stock prices
o Affect CEO ROI
Actions to protect business and customers
Regulate the heck out of it!!!!
• Can’t afford to protect everything
o Cost of doing nothing can be much greater
o Regulatory and safety not negotiable
• Human Safety is PARAMOUNT
o Employees and Citizens
• Protect equipment if possible
o Not necessarily the cost; the lead time to replace
Security Triad
• You may be caught in the middle
o Corporate and Operational wall coming down
o IT and OT Converging
o Physical Security and Logical Security
converging
o Exciting, challenging and downright scary
• Do the basic Security 101 stuff
• Defense-in-depth approach
• Redesign network layouts
• Validate integrity of downloads/updates/patches
• Deploy security patches AFTER testing
• Work with vendor and control systems engineer
• Restrict physical access (Physical Security)
o One mouse can bring down the kingdom!
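Added example, not from the presentation or any vendor's tooling: the "validate integrity of downloads/updates/patches" bullet as a fail-closed check. It assumes the vendor publishes a SHA-256 manifest in `sha256sum` format over a channel separate from the download itself; the vendor file names and contents below are constructed. A file that is not in the manifest at all (the "update .zip from nowhere" pattern in the ransomware slide earlier) is refused outright, not merely reported as a digest mismatch.

```python
"""Fail-closed integrity check for a downloaded update before it goes near a controller.

Added example; not from the presentation or any vendor's tooling. Assumes the
vendor publishes a SHA-256 manifest in sha256sum format ("<hex digest>  <name>")
over a channel separate from the download. File names and contents are constructed.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: digest}; malformed lines are rejected."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or not all(c in "0123456789abcdef" for c in parts[0].lower())):
            raise ValueError(f"manifest line {lineno} is not a SHA-256 entry")
        digest, name = parts
        manifest[name.lstrip("*").strip()] = digest.lower()   # "*name" marks binary mode
    return manifest


def verify_update(path: str, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). Unlisted files fail, as does any digest mismatch."""
    name = os.path.basename(path)
    expected = manifest.get(name)
    if expected is None:
        return False, f"{name} is not listed in the vendor manifest; refusing to install"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected):
        return False, f"{name} digest mismatch (got {actual[:12]}..., expected {expected[:12]}...)"
    return True, f"{name} matches the vendor manifest"


def demo() -> Dict[str, bool]:
    """Constructed scenario: one faithful download, one tampered copy, one unlisted file."""
    results = {}
    with tempfile.TemporaryDirectory() as vendor, tempfile.TemporaryDirectory() as download:
        # What the vendor released, and the manifest published out-of-band.
        good = os.path.join(vendor, "plc_firmware_v1.2.3.bin")
        with open(good, "wb") as fh:
            fh.write(b"constructed firmware image contents")
        manifest = parse_manifest(f"{sha256_file(good)}  plc_firmware_v1.2.3.bin\n")

        # 1. Faithful download.
        faithful = os.path.join(download, "plc_firmware_v1.2.3.bin")
        with open(good, "rb") as src, open(faithful, "wb") as dst:
            dst.write(src.read())
        results["faithful"] = verify_update(faithful, manifest)[0]

        # 2. Same name, one bit flipped in the contents.
        tampered = os.path.join(tempfile.mkdtemp(dir=download), "plc_firmware_v1.2.3.bin")
        with open(good, "rb") as src, open(tampered, "wb") as dst:
            data = bytearray(src.read())
            data[0] ^= 0x01
            dst.write(data)
        results["tampered"] = verify_update(tampered, manifest)[0]

        # 3. A file the vendor never published (constructed name).
        unlisted = os.path.join(download, "controllerupdate.zip")
        with open(unlisted, "wb") as fh:
            fh.write(b"not from the vendor")
        results["unlisted"] = verify_update(unlisted, manifest)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9} -> {'OK' if ok else 'REJECT'}")
```

The manifest has to come from somewhere the download path cannot tamper with (a vendor portal over TLS, a support contact, printed release notes); a digest fetched from the same place as the file only proves the file was not corrupted in transit.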
• Restrict physical access (Physical Security)
o Really now!!!
o What is wrong with this picture?
• Good solution but…..
• Logging is a problem
• Daily clean up required
• Insurance
WARNING
I CAN MAKE IT TO THE FENCE IN 2.8 SECONDS
CAN YOU?
• Customize traditional security for ICS environment
• Least privilege (including vendor)
• Password management (including vendor)
• Account management (including vendor)
• VPN with two-factor authentication (including vendor)
• Who is taking care of HVAC?
• What about building monitoring systems?
• Account lockout policy (including vendor)
• Caution!!! Do not lock out the operator
• Application whitelisting
• Data diodes
• Current application updates
• Separation of duties
• Consider managed security services (MSS)
• Your core business is not IT security
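Added example, not from the presentation or any product: one way to have an account lockout policy without locking out the operator. Ordinary and vendor accounts lock after a fixed number of failures; accounts tagged as operator consoles are never locked and instead get an escalating delay plus an alert to the security team. Account names, thresholds and timings are constructed; the clock is injectable so the scenario runs instantly.

```python
"""Account lockout that never locks the operator out of the HMI.

Added example; not from the presentation or any product. Ordinary and vendor
accounts lock after a threshold of failures; accounts tagged as operator
consoles are throttled with a growing delay and raise an alert instead.
All names, thresholds and timings are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

LOCK_THRESHOLD = 5          # failures before an ordinary account locks
LOCK_SECONDS = 15 * 60      # lockout duration
ALERT_THRESHOLD = 5         # failures before an operator account raises an alert
MAX_DELAY_SECONDS = 30      # cap on the operator throttle


@dataclass
class Account:
    name: str
    is_operator: bool = False    # console accounts that must stay usable
    failures: int = 0
    locked_until: float = 0.0
    next_allowed: float = 0.0    # throttle for operator accounts


@dataclass
class Decision:
    allowed: bool
    reason: str
    delay: float = 0.0


class LockoutPolicy:
    def __init__(self, accounts: Dict[str, Account], clock: Callable[[], float]):
        self.accounts = accounts
        self.clock = clock                  # injectable for testing
        self.alerts: List[str] = []         # what the security team would receive

    def check(self, name: str) -> Decision:
        """Gate a login attempt before the password is even checked."""
        acct = self.accounts[name]
        now = self.clock()
        if acct.is_operator:
            if now < acct.next_allowed:
                return Decision(False, "throttled", acct.next_allowed - now)
            return Decision(True, "ok")
        if now < acct.locked_until:
            return Decision(False, "locked", acct.locked_until - now)
        return Decision(True, "ok")

    def record_failure(self, name: str) -> None:
        acct = self.accounts[name]
        acct.failures += 1
        now = self.clock()
        if acct.is_operator:
            # Never lock: back off exponentially (1, 2, 4, ... seconds, capped) and alert.
            delay = min(2 ** (acct.failures - 1), MAX_DELAY_SECONDS)
            acct.next_allowed = now + delay
            if acct.failures >= ALERT_THRESHOLD:
                self.alerts.append(f"{acct.name}: {acct.failures} failed logins on operator console")
        elif acct.failures >= LOCK_THRESHOLD:
            acct.locked_until = now + LOCK_SECONDS
            self.alerts.append(f"{acct.name}: locked after {acct.failures} failures")

    def record_success(self, name: str) -> None:
        acct = self.accounts[name]
        acct.failures = 0
        acct.next_allowed = 0.0
        acct.locked_until = 0.0


def simulate(attempts: int) -> Dict[str, object]:
    """Constructed scenario: one bad password per second against a vendor account
    and an operator console account, then a 30-second pause."""
    t = [0.0]
    accounts = {
        "vendor-remote": Account("vendor-remote"),
        "hmi-operator": Account("hmi-operator", is_operator=True),
    }
    policy = LockoutPolicy(accounts, clock=lambda: t[0])
    for _ in range(attempts):
        for name in accounts:
            if policy.check(name).allowed:
                policy.record_failure(name)
        t[0] += 1.0   # one second between tries
    t[0] += MAX_DELAY_SECONDS   # let the operator throttle expire
    return {
        "vendor_allowed": policy.check("vendor-remote").allowed,
        "operator_allowed": policy.check("hmi-operator").allowed,
        "vendor_failures": accounts["vendor-remote"].failures,
        "operator_failures": accounts["hmi-operator"].failures,
        "alerts": len(policy.alerts),
    }


if __name__ == "__main__":
    for k, v in simulate(20).items():
        print(f"{k:18} {v}")
```

After twenty bad passwords the vendor account is locked for the full window while the operator console is usable again as soon as the throttle expires, and both events produced an alert. The throttle caps at 30 seconds so a sustained guessing attempt slows to a crawl without ever taking the console away from the person standing in front of it.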
• Assume you will be hacked and lose everything
• Ransomware = Game over!!!
• Detect, contain, mitigate and investigate
• PICERL
• NIST SP 800-61r2
• Build in Resilience and Continuity of Operations
• Do you have readily available & usable backup media?
• Automate where it makes sense
• Repeatable
• Minimize human error
• What about the supply chain?
• ICS security testing: adverse effects
• Tools & scans can cause machines to fail
• Serious and drastic consequences
o People can suffer serious injury or be killed
o All security testing must be well planned, thought out and communicated to all business units involved
• Cyber security testing can be done if planned out, e.g. tcpdump, netstat, wmic…
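Added example, not from the presentation: a passive audit that reads netstat output an administrator already captured, instead of scanning, so it cannot hang a controller the way the ping sweep and pen-test incidents described earlier did. It flags the cleartext and legacy services named in the threat-vector list (FTP, Telnet, SNMP). The input is constructed text in the layout of Windows `netstat -ano` and Linux `netstat -tuln`; addresses and PIDs are constructed. netstat cannot tell SNMPv1 from v3, so the SNMP finding points at the agent configuration rather than asserting a version.

```python
"""Passive listening-service audit from netstat output.

Added example, not from the presentation. Reading netstat output that an
administrator already captured is passive: it cannot crash a controller the
way an active scan can. Addresses, PIDs and host details are constructed.
"""
from dataclasses import dataclass
from typing import List

# Services the threat-vector slide calls out, with a defender's note for each.
LEGACY_PORTS = {
    ("tcp", 21): ("FTP", "cleartext credentials and file transfer"),
    ("tcp", 23): ("Telnet", "cleartext interactive login"),
    ("udp", 161): ("SNMP", "netstat cannot show the version; check the agent for v1/v2c community strings vs v3 auth/priv"),
}
WILDCARD_ADDRS = {"0.0.0.0", "::", "[::]", "*"}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str
    port: int


@dataclass(frozen=True)
class Finding:
    listener: Listener
    service: str
    note: str
    exposure: str


# Constructed: layout of Windows `netstat -ano`.
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    10.20.1.15:445         10.20.1.80:52311       ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1088
  UDP    0.0.0.0:161            *:*                                    2212
  UDP    127.0.0.1:1900         *:*                                    3640
"""

# Constructed: layout of Linux `netstat -tuln`.
SAMPLE_LINUX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.20.1.40:23           0.0.0.0:*               LISTEN
tcp6       0      0 :::502                  :::*                    LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""


def parse_netstat(text: str) -> List[Listener]:
    """Extract exposed listeners from either netstat layout.

    TCP rows must be in LISTEN/LISTENING state (established sessions are not
    services); UDP rows carry no state and are all treated as listeners.
    """
    listeners = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        proto = tokens[0].lower().rstrip("6")       # tcp6 -> tcp
        if proto not in ("tcp", "udp"):
            continue                                # header and title lines
        # Linux puts Recv-Q/Send-Q counters before the local address; Windows does not.
        linux_layout = len(tokens) > 3 and tokens[1].isdigit() and tokens[2].isdigit()
        local = tokens[3] if linux_layout else tokens[1]
        if proto == "tcp" and not any(t.upper().startswith("LISTEN") for t in tokens):
            continue
        addr, sep, port = local.rpartition(":")     # handles [::]:3389 and :::502
        if not sep or not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit(text: str) -> List[Finding]:
    """Flag listeners on the legacy services, noting whether they face every interface."""
    findings = []
    for lst in parse_netstat(text):
        hit = LEGACY_PORTS.get((lst.proto, lst.port))
        if hit is None:
            continue
        service, note = hit
        exposure = "all interfaces" if lst.addr in WILDCARD_ADDRS else f"bound to {lst.addr}"
        findings.append(Finding(lst, service, note, exposure))
    return findings


if __name__ == "__main__":
    for label, sample in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        for f in audit(sample):
            print(f"[{label}] {f.service} {f.listener.proto}/{f.listener.port} {f.exposure}: {f.note}")
```

Collect the netstat output during a scheduled maintenance window, or from the vendor during commissioning, and run the audit offline; the same approach extends to any other port the site's own risk assessment cares about by adding entries to the table.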
Summary
• SCADA overview
• Threat vectors into ICS devices
• Possible consequences once in control
• Horror stories and threat scenarios
• Actions to protect business and customer
Helpful Links (retrieved 12 July 2016)
• Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82
o http://dx.doi.org/10.6028/NIST.SP.800-82r2
• DHS ICS-CERT
o https://ics-cert.us-cert.gov/
o https://ics-cert.us-cert.gov/advisories/ICSA-10-090-01
• Executive Order 13636: Cybersecurity Framework
o http://www.nist.gov/cyberframework/
o http://www.nist.gov/cyberframework/upload/Workshop-Summary-2016.pdf
• Common Cyber Security Vulnerabilities in Industrial Control Systems
o https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities
• Seven Strategies to Defend ICS
o https://ics-cert.us-cert.gov/sites/default/files/documents/Seven Steps to Effectively Defend Industrial Control Systems_S508C.pdf
• 21 Steps to Improve Cyber Security of SCADA Networks
o http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
• Defense in Depth Strategies
o https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf
• Supply chain
o https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809_S508C.pdf
o http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf
o https://ics-cert.us-cert.gov/sites/default/files/documents/CatalogofRecommendationsVer7.pdf
o http://www.ferc.gov/media/news-releases/2015/2015-3/07-16-15-E-1.asp
• Digital Bond
o http://www.digitalbond.com
• Stuxnet, Duqu, Flame, Gauss
o http://arstechnica.com/security/2013/03/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet/
o http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
• DHS ICS-CERT Cyber Security Evaluation Tool
o https://ics-cert.us-cert.gov/Assessments
• ICS-CERT Training
o https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
o https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT#workshop
• ISA99 Industrial Automation and Control Systems Security, ISA/IEC 62443
o http://isa99.isa.org/ISA99%20Wiki/Home.aspx
o https://www.isa.org/training-and-certifications/isa-certification/isa99iec-62443/isa99iec-62443-certificate-program-requirements/
o https://www.isa.org/templates/two-column.aspx?pageid=121797
• SANS ICS
o http://ics.sans.org/
o http://www.sans.org/course/ics-scada-cyber-security-essentials
Questions?
How do we keep the lights on when the
switch is connected to the internet?
Thank You!