Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation
DESCRIPTION
Steve Parker presents to the Georgia Distribution and Transmission Automation Group, starting off with a fictitious quote from Mark Twain and ending with a real one. Mr. Parker's presentation hinges on his hypothesis: "We have yet to see a significant cyber related outage in the North American power grid because those who have the ability to cause such, lack the motivation to do so."
TRANSCRIPT
Hype, Hope, and Happenstance: Cyber Threats and Opportunities in an Age of Automation
Georgia Distribution and Transmission Automation Group
April 2, 2012, Forsyth, GA
A Quote
"Everybody talks about cybersecurity, but nobody does anything about it." - Mark Twain
The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy
A Question
A Hypothesis
We have yet to see a significant cyber related outage in the North American power grid because those who have the ability to cause such, lack the motivation to do so.
About Me
Security Professional by choice
– Nextel Communications 1997-2000
– US Bank Information Security 2000-2001
– PacifiCorp Security 2001-2009
– WECC CIP Auditor 2009-2010
– EnergySec (NESCO) 2010 - ?
I am not an Engineer
About EnergySec
– 7/2004: EnergySec founded as E-Sec NW
– 1/2008: SANS Information Sharing Award
– 12/2008: Incorporated as EnergySec
– 10/2009: 501(c)(3) nonprofit determination
– 4/2010: EnergySec applied for National Electric Sector Cybersecurity Organization (NESCO) FOA
– 7/2010: NESCO grant award from DOE
– 10/2010: NESCO became operational
The System
– Greatest engineering achievement of 21st century
– 1 Trillion watts of generation
– 850 Billion watts of transmission capacity
– 150,000 miles of high voltage transmission
– Ubiquitous
– Average uptime 99.995% (SAIDI = 244)
Smart Gridtopia
But what can I do with it?
– Distributed Generation
– Demand Response
– Market pricing at the consumer level
– Frequency Response (EVs)
– Renewables integration
– Micro Grids
– Energy Storage
Automation
– Automated Generation Control
– Special Protection Systems
– Synchrophasor Applications
– Load Shedding
– Advanced Metering Infrastructures
– Centralized Control Systems
There’s an App for That
“Get mobile access to your control system via an iPhone, iPad, Android and other smartphones and tablet devices. The Ignition Mobile Module gives you instant access to any HMI / SCADA project created with the Ignition Vision Module.”
To The Cloud!
“Use any standard browser on any device to access HMI. No downloads, no tedious installs, no plug-ins. Login and you have the HMI in your hands wherever you are: factory cafeteria, or parking lot, or on the beach, or even the golf course!”
“GoToMyHMI provides Secure, Easy and Fast access from any Browser to InstantHMI 6.0, ready to serve you on the cloud today. Remotely Monitor, ACK Alarms and Control your HMI for one low flat fee.”
The Double-edged Sword
– Email – Fraud/Phishing
– Facebook – Privacy
– Online Banking – Online Theft
– Computerized Trading – Market Manipulation
– Smart Grid – ???
Attack Surface
– EMS
– DMS
– DCS
– E-Tagging
– Trading
– AGC
– ICCP
– AMI
– Communication
– Remote Access
– Vendor Support
– Supply Chain
– [HLWMV]ANs
– The Cloud
– Mobile devices
– SCADA
Logical Distance Increasing
Clicky-clicky
Whirly-whirly
Today’s Shiny Object
– Headline presentations at BlackHat/DefCon, DerbyCon, RootedCon, BSides …
– Wall Street Journal, National Journal, CNN
– Too many IT trade publications to name
– Blockbuster films, prime time TV shows
– Person-on-the-street, Congress, White House
March 2012
From Obscurity to Novelty
– Smart Meter hacking
– Hacking cookbooks, fuzzers, sniffers, reversing
– Metasploit, Core Impact, etc.
– Supply chain attacks
– Manuals available in all languages on Internet
Current Events
Facebook Social Engineering Attack Strikes NATO
http://www.informationweek.com/news/security/government/232602419
"The top military commander in NATO has been targeted by attackers wielding fake Facebook pages.”
Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest
http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/
"The tall teen, who asked to be identified only by his handle “Pinkie Pie” … spent just a week and a half to find the vulnerabilities and craft the exploit, achieving stability only in the last hours of the contest.”
…To Name a Few
TwitBookBlogosphere
Cybersecurity Landscape
People are talking
6,750,000 results
Point, Click, Hack
Source: Network World (http://goo.gl/K5xZ7)
“In some scarier than your average security news, thanks to several Program Logic Controllers (PLC) exploits that were added to Metasploit today, "hacking SCADA systems can be push of a button easy," tweeted HD Moore, CSO of Rapid7 and Chief Architect of Metasploit.”
Vulnerability Disclosure
Vulnerabilities
Air-Gaps, Unicorns and Bigfoot
10,000 Reasons to Worry
Source: www.wired.com/threatlevel/2012/01/10000-control-systems-online
Technology Landscape
– A new digital world order
– Lingering legacy
– Widespread connectivity
– Hyper-embeddedness
– Cyber-kinetic impacts
Advantage: Adversaries
Intelligent, adaptive adversaries exist, and they don’t follow the rules or compliance checklists
Advantage: Adversaries
Google search for “APT”
– 34 hits in Jul 09
– 169 hits in Jan 10
– 1.2M+ hits June 11
Google search for “cyberwar”
– 416 hits Dec 09
– 1.4M hits Feb 10
– 3.4M+ hits June 11
Welcome to the cyberarms race
What to do?
Nothing New Under The Sun
Mature security practices; highly refined
– Defense in Depth
– Principle of Least Privilege
– Segregation of Duties
– Need to Know
– Availability, Integrity and Confidentiality
No Silver Bullet, 100%, Total Security
Strong protection has never been easy, inexpensive or quick to implement (pick two)
Compliance
There ought to be a Law…???
Laws are reactionary, not visionary.
Regulatory Landscape
– Posse Comitatus Act, 18 U.S.C. §1385
– Antitrust Laws
– Sherman Antitrust Act, 15 U.S.C. §§1-7
– Wilson Tariff Act, 15 U.S.C. §§8-11
– Clayton Act §5 of the Federal Trade Commission (FTC), 15 U.S.C. §§12-27
– Clayton Act §5 of the Federal Trade Commission (FTC), 15 U.S.C. §45(a)
– National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. §271
– Radio Act of 1912
– Federal Power Act (p. 13), 16 U.S.C. §791a et seq., §824 et seq.
– Radio Act of 1927
– Communications Act of 1934 (p. 14), 47 U.S.C. §151 et seq.
– National Security Act of 1947 (p. 15), 50 U.S.C. §401 et seq.
– US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. §1431 et seq.
– Defense Production Act of 1950, 50 U.S.C. App. §2061 et seq.
– State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. §2651a
– Brooks Automatic Data Processing Act
– Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. §552
– Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, §§3701 to 3797ee-1
– Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, §§1961-1968
– Federal Advisory Committee Act (p. 20), 5 U.S.C. App., §§1-16
– War Powers Resolution, 50 U.S.C. Chapter 33, §§1541-1548
– Privacy Act of 1974 (p. 20), 5 U.S.C. §552a
– Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. §§2511, 2518-9
– Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. Chapter 36, §§1801-1885c
– Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, §§2000aa-5 to 2000aa-12
– Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. §1030
– Computer Fraud and Abuse Act of 1986, 18 U.S.C. §1030
– Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. §§2510-2522, 2701-2712, 3121-3126
– Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. §167
– Computer Security Act of 1987, 15 U.S.C. §§272, 278g-3, 278g-4, 278h
– Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a
– High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
– Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. §1001 et seq.
Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011
Yes, this is an eye-chart to make a point
Regulation is Futile
Regulation kills creativity, innovation, and passion, all of which are needed to achieve success in cybersecurity.
NERC CIP in 30 Seconds
– CIP-002 - Figure out what needs to be protected
– CIP-003 - Establish policy and programs
– CIP-004 - Address personnel issues
– CIP-005 - Create electronic perimeters
– CIP-006 - Create physical perimeters
– CIP-007 - Provide system level security
– CIP-008 - Figure out how to respond to incidents
– CIP-009 - Figure out how to recover from incidents
Action vs. Attitude
You can prescribe action, but not attitude
Activity vs. Outcome
Are we doing/requiring the right things?
Backwards?… Maybe so
Compliance spending increasing sharply while security spending is increasing slowly.
Companies find $$ for compliance while cutting other critical areas.
Leverage NERC CIP
CIP spending 25% of IT security budgets
Get Smarter about spending
Integrate Decisions (IT – Ops – Compliance)
Secure solutions + Compliance
Misthinking
It Can’t Happen
It Won’t Happen
It Won’t Matter
It Can’t Happen
This is nearly always FALSE
Attackers are always seeking (and finding) new ways to compromise technology
Obscurity is not a defense.
DNS Exfiltration
If you can resolve a DNS name on a system…
Technique is being actively used in the wild
In many cases, detection is the only defense
Flank Attacks
– RSA – Stolen 2-factor auth token data
– Industrial Espionage/Supply Chain
– Certificate Authorities
– Corporate Networks
– Partner Networks
Organized Attackers
– Underground markets
– Criminal infrastructure
– Botnets
– Attackers for hire
It Won’t Happen
In most cases, this is TRUE, but we don’t know which ones
Somebody WILL be compromised.
Everybody MIGHT be compromised
We are becoming a target
The Wildebeest Defense
Yes, there are lions, but there are so many of us that the chances I’ll get eaten are small
Can be effective against isolated threats, but doesn’t help against common maladies
Doesn’t work if you’re slow or weak
There may be more lions than you think
HBGary, RSA, Sony, Lockheed Martin, NASDAQ
It won’t matter
– Kinetic impacts
– Economic impacts
– Reputational impacts
– Others?
What is Critical?
Culturing Security
– Treat security like safety
– The basics shouldn’t be magic
– Distribute the load
– Security is everyone’s job
– Social engineering is a waste of time
– Focus on the solution: training & awareness
Prevention
Detection
Response
No 100% Prevention
And Finally
“The rumors of my death have been greatly exaggerated.” - Mark Twain
Thank You!
Steven H. Parker, V.P. Technology Research and Projects, EnergySec
Co-Principal Investigator, National Electric Sector Cybersecurity Organization
[email protected] (desk)
@es_shp (twitter)
www.energysec.org