how do we keep the lights on when everyone has access to ... · 7/16/2016 · • redesign network...

16 July 2016

Saturday

ISSA-COS Mini-Seminar

Colorado Technical University

Colorado Springs, CO

Wally Magda, SOHK

WallyDotBiz LLC

How do we keep the lights on when

everyone has access to the switch?

2 WallyDotBiz LLC © 2016

• No animals were harmed in the making of

this presentation!

Industrial Control Systems: How do we keep the lights on…..?


Industrial Control Systems: How do we keep the lights on…..?


• Please put alert generating devices into

silent or vibrate mode if possible

• Be kind to your colleagues; please take

phone conversation out in the hall

Cellphone, BB, PDA Advisory


• The author is not a lawyer and cannot give legal

advice

• The author does not endorse any specific product

or entity

• This presentation is simply the author’s

professional perspective on Industrial Control

Systems (ICS) Cyber and Physical Security

• References used can be found in Helpful Links

section

DISCLAIMER


How do we keep the lights on when the

switch is connected to the internet?


• SCADA overview

• Threat vectors into ICS devices

• Possible consequences once in control

• Horror stories and threat scenarios

• Actions to protect business and customers

AGENDA


SCADA overview


• SCADA

• Supervisory Control and Data Acquisition

o “Typically” deployed across large geographic

area like electric grid or natural gas pipelines

o One type of many systems used to keep the

lights on and energy flowing

SCADA overview


SCADA overview

Typical SCADA Diagram


SCADA overview

Alphabet soup--Lots of acronyms for similar systems/devices

We shall choose one for purposes of this presentation


• ICS

• Industrial Control System

o Broad set of control systems

o General term that encompasses all

SCADA overview


SCADA overview


SCADA overview

• Typical ICS system found in many homes…


SCADA overview

Temperature Display

Cold Air Hot Air

Heat Exchanger Burner & Blower

Thermostat to set desired temp

Natural Gas Valve

Igniter/Pilot

Blower

Turn on/off Gas

House temperature

Heat loss from home

Natural Gas BTU Heat Content

Teenager

LED/iPhone/Dial-up

Typical Home Heating System


• HVAC

• PACS

• Manufacturing

• Vehicles

• Airplanes

• Sprinkler/Irrigation

• Pharmaceutical--Remote drug injection

• Pacemakers

SCADA overview


Threat vectors into ICS devices



FUDThe Good

The Bad

The Ugly



!!!! This ain’t FUD !!!!



ISSSource.com about a report from Rockwell Automation

about a ransomware attack from a file being made

available on the internet (no source given) called

‘Allenbradleyupdate.zip’ (April 2016)



Interdependencies


• Generation--coal, natural gas, oil, hydro,

geo-thermal, wind, solar, steam, nuclear

o Mix of natural gas exceeds 50%

o No gas, no fuel supply, no electricity

o Rinse, Lather and Repeat

• Cyber attack can easily shut it down




• FTP

• Telnet

• SNMPv1 (v3 available for 14 years)

• Firewall misconfiguration

• VLAN misconfiguration

• Wireless (MIJI)

• Spearphishing



Sneaker Net



• Social Engineering


Possible consequences once in control



Smart Grid home monitoring; connected to internet



• Project Aurora 2.25 MW generator (2007)

• Remote cyberattack destroys generator



• Let the smoke out and it stops working!



• Not to be confused with Operation Aurora• 2010 hack stealing Intellectual Property

• 2003 Northeast electric grid outage, situational

awareness lost in Ohio when computer systems

slowed down

• Not a hack but was contributing cyber component



• Ping sweep causes robotic arm to swing wildly

• Ping caused IC fab plant to hang

• $50,000 worth of wafers destroyed

• IT performing pen test on corporate network

• Unintentionally stumbles into SCADA

• Locks up gas pipeline SCADA

• 4 hours gas service shutdown



Feb 2016


Horror stories and threat scenarios



Top 3

Public Enemies

Electric



AIR GAP

International Space Station (ISS)


• Houston! Windows Has Problems

o 2008-Password Stealing Virus Infects Space

Station Laptops (W32.Gammima.AG)

o Not the first time

o Payload laptops do NOT provide virus

protection/detection software



• NASA assures astronauts flight control

systems were not in danger

o But to be safe….

o Migrates all the computer systems related to

the ISS over to Linux for

Security

Stability

Reliability reasons

o Mistaken belief that Linux has no vulns



• 787 vulnerable to hackers

o Common Core System (CCS)

o Saves weight—less line units

o Wireless computer controls

o FAA raised security concerns

o Boeing claims they have addressed issues

o Maintenance crews--wireless laptops



• Airports and airlines considered CI

• Airlines do not have to report cyber attacks

• Senator queries air industry about aircraft

cybersecurity defenses

• Oh my!!!!

o Hack-able cars at risk in a cyber attack

o Navigation, Wi-Fi, Bluetooth, cellular

o Brakes & steering on Bluetooth!!!!



• Stuxnet via sneakernet (June 2010)

o Natanz Fuel Enrichment Plant

o Digitally Signed malware

o HMI spoofed (operator intuition)

o Slow attack under radar

o Destroy centrifuges

• Variants out in wild



o Stuxnet infected Chevron’s IT Network (Nov 8,

2012)

o TELVENT hit by sophisticated cyber attack

SCADA admin tool compromised (Sep 26,

2012)

Telvent supplies remote admin and monitoring tools

Intelligent transportation systems, train, metro, traffic

lights

Warns customers of advanced persistent threat!!!!




• Power generation facility

• Malware discovered USB drive

• Two engineering workstations

• No backups



• Turbine control system

• Scheduled outage for maintenance

• Third party tech USB for uploads

• Mariposa botnet virus discovered USB drive

• Delayed restart 3 weeks = $$$$$



• Use case (optional) ICS-Cert Advisory (ICSA-10-090-01), revised 2014

o USUTIL2 notifies USUTIL1 of malware employee

o Instructor shared at industry conference

o Mariposa botnet-trojan

Username/passwords

Email

o USUTIL1 malware tools did not detect

o Windows system-still spreading but can’t phone home

o Command & Control (C2) callbacks

hnox.org, socksa.com, ronpc.net

Initial contact 49 bytes, UDP 21039



• Netherland

o Dike controls on internet--Shodan

o Veere county admin using password “Veere”

o Server running SunOS 5.8 not patched for 6

years



• Netherland

o New low—Bavaria Beer Brewer site hacked

o Large electronics company hacked

o Dutch gov lost cyber security incident database

Backup tapes could not be read anymore



Courtesy of SHODAN



•FUD

•Hacktivists

•Specialized Search Engines

• (SHODAN, SHINE, ERIPP)

•Exploitation Tool Kits



• 2012 Chines Hackers gain access to

NASA’s Jet Propulsion Lab

• Saudi Aramco Attack; 30,000+ computer

systems data wiped (Shamoon-sneakernet)

• 400% increase vuln reports since 2010

• Major spearphishing campaign US Oil &

Natural Gas Pipelines



Tuesday, April 16, 2013, 1:30 AM PDTFlashes lower left show round hitting fence

Metcalf

Substation


Web site encouraging followers to initiate “electronic jihad.”


• ICS cyber attack scenario (INL)

o Malicious code embedded in a PowerPoint

presentation--corporate domain

o Opens a covert channel from the victim’s

computer through the corporate firewall to the

attackers on the internet

o Hijack sessions between the corporate domain

and the ICS domain



o Took control of pumps to overflow tanks

o Operator screens show all systems running

normally



• Vast majority of hacking incidents go unreported

o Inability to detect attacks

o Reasons of security

o Avoid embarrassment

o Affect stock prices

o Affect CEO ROI



Actions to protect business and

customers



customers

Regulate the heck out of it!!!!


• Can’t afford to protect everything

o Cost of doing nothing can be much greater

o Regulatory and safety not negotiable

• Human Safety is PARAMOUNT

o Employees and Citizens

• Protect equipment if possible

o Not necessarily cost—lead time to replace


customers


Security Triad


customers


• You may be caught in the middle

o Corporate and Operational wall coming down

o IT and OT Converging

o Physical Security and Logical Security

converging

o Exciting, challenging and downright scary

• Do the basic Security 101 stuff


customers


• Defense-in-depth approach

• Redesign network layouts

• Validate integrity of downloads/updates/patches

• Deploy security patches AFTER testing

• Work with vendor and control systems engineer

• Restrict physical access (Physical Security)

o One mouse can bring down the kingdom!


customers


• Restrict physical access (Physical Security)

o Really now!!!

o What is wrong with this picture?


customers



customers



customers

• Good solution but…..

• Logging is a problem

• Daily clean up required

• Insurance



customers

WARNINGI CAN MAKE IT TO THE FENCE IN 2.8 SECONDS

CAN YOU?


• Customize traditional security for ICS environment

• Least privilege (including vendor)

• Password management (including vendor)

• Account management (including vendor)

• VPN-two factor (including vendor)

• Who is taking care of HVAC?

• What about building monitoring systems?


customers


• Account lockout policy- (including vendor)

• Caution!!! Do not lock out the operator

• Application White listing

• Data diodes

• Current application updates

• Separation of duties

• Consider managed security services (MSS)

• Your core business is not IT security

Actions to protect business and its

customers


• Assume you will be hacked and lose everything

• Ransomware = Game over!!!

• Detect, contain, mitigate and investigate

• PICERL

• NIST SP 800-61r2

• Build in Resilience and Continuity of Operations

• Do you have readily available & usable backup media?

• Automate where it makes sense

• Repeatable

• Minimize human error


customers



customers



customers

• What about the supply chain?



customers


• ICS security testing adverse effects

• Tools & Scans can cause machines to fail

• Serious and drastic consequences

o People can suffer serious injury or be killed

o All security testing must be well planned,

thought out and communicated to all business

units involved

• Cyber security testing can be done if planned out

eg… tcpdump, netstat, wmic….

Summary


• SCADA overview

• Threat vectors into ICS devices

• Possible consequences once in control

• Horror stories and threat scenarios

• Actions to protect business and customer

Summary


Helpful Links (retrieved 12 July 2016)


• Guide to Industrial Control Systems (ICS) Security NIST

SP 800-82o http://dx.doi.org/10.6028/NIST.SP.800-82r2

• DHS ICS-CERTo https://ics-cert.us-cert.gov/

o https://ics-cert.us-cert.gov/advisories/ICSA-10-090-01

• Executive Order 13636: Cybersecurity Framework o http://www.nist.gov/cyberframework/

o http://www.nist.gov/cyberframework/upload/Workshop-Summary-2016.pdf


http://dx.doi.org/10.6028/NIST.SP.800-82r2

https://ics-cert.us-cert.gov/

https://ics-cert.us-cert.gov/advisories/ICSA-10-090-01

http://www.nist.gov/cyberframework/

http://www.nist.gov/cyberframework/upload/Workshop-Summary-2016.pdf


• Common Cyber Security Vulnerabilities in Industrial

Control Systemso https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

• Seven Strategies to Defend ICSo https://ics-cert.us-cert.gov/sites/default/files/documents/Seven Steps to Effectively

Defend Industrial Control Systems_S508C.pdf

• 21 Steps to Improve Cyber Security of SCADA Networkso http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

• Defense in Depth Strategieso https://ics-cert.us-

cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf


https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

https://ics-cert.us-cert.gov/sites/default/files/documents/Seven Steps to Effectively Defend Industrial Control Systems_S508C.pdf

http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf


• Supply chaino https://ics-cert.us-

cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809_S508

C.pdf

o http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-

EnergyDeliverySystems_040714_fin.pdf

o https://ics-cert.us-

cert.gov/sites/default/files/documents/CatalogofRecommendationsVer7.pdf

o http://www.ferc.gov/media/news-releases/2015/2015-3/07-16-15-E-1.asp

• Digital Bondo http://www.digitalbond.com


https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809_S508C.pdf

http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf

https://ics-cert.us-cert.gov/sites/default/files/documents/CatalogofRecommendationsVer7.pdf

http://www.ferc.gov/media/news-releases/2015/2015-3/07-16-15-E-1.asp

http://www.digitalbond.com/


• Stuxnet, Duqu, Flame, Gaussso http://arstechnica.com/security/2013/03/the-worlds-most-mysterious-potentially-

destructive-malware-is-not-stuxnet/

o http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

• DHS ICS-CERT Cyber Security Evaluation Toolo https://ics-cert.us-cert.gov/Assessments


http://arstechnica.com/security/2013/03/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet/

http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

https://ics-cert.us-cert.gov/Assessments


• ICS-CERT Trainingo https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT

o https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT#workshop

• ISA99 Industrial Automation and Control Systems

Security-ISA/IEC 62443o http://isa99.isa.org/ISA99%20Wiki/Home.aspx

o https://www.isa.org/training-and-certifications/isa-certification/isa99iec-

62443/isa99iec-62443-certificate-program-requirements/

o https://www.isa.org/templates/two-column.aspx?pageid=121797

• SANS ICSo http://ics.sans.org/

o http://www.sans.org/course/ics-scada-cyber-security-essentials


https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT

https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT#workshop

http://isa99.isa.org/ISA99 Wiki/Home.aspx

https://www.isa.org/templates/two-column.aspx?pageid=121797

https://www.isa.org/templates/two-column.aspx?pageid=121797

http://ics.sans.org/

http://www.sans.org/course/ics-scada-cyber-security-essentials

98

Questions?


How do we keep the lights on when the

switch is connected to the internet?

Thank You!

how do we keep the lights on when everyone has access to ... · 7/16/2016 · • redesign network...

Documents