mitigating security risks in industrial control systems and smart...

1

Mitigating Security Risks in Industrial Control Systems and Smart Meter deployments A View from Symantec

Michelle Lewis Device Authentication Specialist EMEA Region

Industrial Security and Smart Grid: A View from Symantec

Tom Thomassen Senior Development Manager Office of the CTO

SYMANTEC VISION 2012

Agenda

• Industrial Security and Smart Grid – Setting the Stage

• Industrial Security and Smart Grid – Challenges

• Targeted Threats and Advanced Persistent Threats (APT)

• Prevention

• Detection

• Conclusions

2 Industrial Security and Smart Grid: A View from Symantec

3

Industrial Security and Smart Grid – Setting the Stage



Grid Technology Operations Service Providers

Content

Data at Rest

• Customer billing • Personal data / privacy • Data retention • Compliance • MDM (meter) data hub

Infrastructure

• Servers • Storage • Gateways • Grid IT asset

management

Network/Cloud

Data in Motion

• Private & public cloud /

networks • Networks are IP based

Embedded Devices

Data in Use

• Substations: Windows XP embedded (XPe), Linux, Intel

• Meters: ARM, Flash

Electrical Grid

GENERATION TRANSMISSION DISTRIBUTION CUSTOMER

Industrial Grid: IT and Operations Architecture

AMI Data

Private Wireless Network

Customer

Demand Response

Public / Internet

SCADA

Private & Public Networks

Industrial Security and Smart Grid: A View from Symantec 4

Operations Domain

SYMANTEC VISION 2012 Industrial Security and Smart Grid: A View from Symantec

• Utilize ‘defense-in-depth’ techniques

• Leverage years of network security experience in IP world

Operations Security

• Encrypt information

• Authenticate devices

• Manage keys

• Managed / hosted PKI & device level certificates

• Windows-based control systems: harden and control applications running on these systems

Embed Security Close to „Field‟ Manage Endpoints

• Manage Windows sub-station automation systems

• Securely update device firmware e.g. AMI collectors

• Securely invoke SSL services through trusted mechanisms resident on device

Manage Data Explosion

Symantec Industrial Security Solutions – ‘Four Pillars’

• Make state of the art IT security solutions ubiquitous in the operations control centers

• Utilize Common Data model: information shared among solutions to meet regulatory compliance needs

Information Governance • Compliance • Control access • Regulatory & auditing • Customer Privacy • Reporting

Information Infrastructure • Storage management • Data protection • Archiving • Legal discovery

5

Operations Domain

6

Industrial Security and Smart Grid – Challenges



Industrial Security and Critical Infrastructure Threats


Industry Challenges Rapid Change and Increased Complexity

Operational Grid

Networking

Distributed Data

Cyber Security

Utilities playing catch up National security issue – physical access not required

Operations Complexity

Convergence: Enterprise IT, TCP/IP w/field operations, SCADA; Smart Meter requires new thinking

Reliability

Expectations higher for uptime and recovery

Data Explosion

10M meters = 28 petabytes of data to manage

Privacy

Protect PII – now on internet

Visibility and Transparency

Threats more targeted and persistent. Monitoring, Risk Identification and mitigation needs to keep pace.

Regulation and Compliance

Existing Regulations Increased Focus on Consumer Protection

Insider Risk

Data and IP Leakage


SYMANTEC VISION 2012 9

1.0%

1.5%

2.0%

2.5%

3.0%

Val

ue

of

Co

nn

ecti

vity

(%

of

Wo

rld

GD

P)

Number of Connections (# of devices, people, services)

Increased Networking

Growth in Connectivity (1959 – Today)

Thousands Billions

0.5%

Mainframe Era (1959 – 1981)

Internet Era (1996 – 2007)

Interaction Era (2007 – )

Client-Server Era (1981 – 1996)

Millions


Internet of Things (2010 – )


1.0%

1.5%

2.0%

2.5%

3.0%

Val

ue

of

Co

nn

ecti

vity

(%

of

Wo

rld

GD

P)

Number of Connections (# of devices, people, services)

More Threats

Changes in Threat Landscape (1959 – Today)

Thousands Billions

0.5%

Data Corruption (1959 – 1981)

Era of Fame & Glory (1996 – 2007)

Era of Mass Cybercrime

(2007 – )

Era of Discovery (1981 – 1996)

Millions


Era of Targeted Threats Against Critical Infrastructure

(2010– )


• The goal is to do damage, destruct, influence, reach political goals, or support a conventional attack.

Changing Threat Landscape

• Highly sophisticated

• Infinite financial resource

• Well-planned and executed with unprecedented levels of control.

Newest Motivation

Political

Espionage and Sabotage



Number of Targeted Attacks Increasing

0

50

100

150

200

250

300

350

400

450

500

Ave

rage

nu

mb

er

of

atta

cks

pe

r d

ay

Month Source: Symantec.cloud email scanning service.

Figures for June, July, August may be subject to revision.



Vulnerability Analysis of Energy Delivery Control Systems


25%

17%

16%

8% 7%

6%

5%

5% 4% 4% 3%

ICCP Services and Protocol Stack

Supervisory Control Protocol Services

SCADA Hosts

Historian Database

Supervisory Control Protocol

Control Protocol Services

Network Devices

Source: Vulnerability Analysis of Energy Delivery Control Systems , 2011, Idaho National Laboratory,Idaho Falls, Idaho 83415, http://www.inl.gov

NSTB = National Supervisory Control and Data Acquisition (SCADA) Test Bed


BSI – Germany - ranking of Industrial Vulnerabilities

14

BSI ranking BSI Vulnerability descrption

1 Non authorized use of remote access

2 Online attacks over the Office and Enterprise Network

3 Attacks again standard ICS components (Application Server, DB)

4 (D) DOS attacks

5 User and Sabotage

6 Attacks over remote devices (USB)

7 Read and write of messages over the ICS network

8 Unauthorized access to resources

9 Attacks agains network and network components (Man-in-the-middle Attack)

10 Technical issues


(The Myth of the Network Air Gap)


Industrial Attacks in Detail


16

Targeted Threats and Advanced Persistent Threats (APT)



Recent Attacks on Production Systems (ICS)

17

W32.Gauss

AUG 2012

Estonia DDoS

APR 2007

W32.Duqu

[dyü-kyü]

SEP 2011

W32.Disttrack

SEP 2012

W32.Stuxnet

JUL 2010

W32.Flamer

W32 FLAMER

MAY 2012


2 0 0 7 2 0 0 8 2 0 0 9 2 0 1 0 2 0 1 1 2 0 1 2


Advanced Persistent Threats (APT) – the Beginning…



Case Study: Stuxnet

19

Brought cyber-sabotage to the world’s attention

Key Features

• Targets very specific industrial processes associated with controls of high speed centrifuges

• Configuration of targeted systems known to attackers

• Modifications made to PLC code to change behavior of infected systems

Machine Code Injection

PLC

Control PC running Step 7 Software



Advanced Persistent Threats (APT) - Shamoon


21

Recent Energy Industry Attacks


SYMANTEC VISION 2012 Industrial Security and Smart Grid: A View from Symantec 22

What Happened?


Sources:

www.bbc.com/news/technology-19293797

www.bbc.com/news/technology-19434920

15thAugust

31st August

Two Oil Companies Attacked

http://www.bbc.com/news/technology-19293797







Key Points

• Shamoon malware used in both attacks (also known as W32.Disttrack))

• Targeted attack using bespoke malware

• Malware written to run on both 64bit and 32bit systems

Spreader function disseminates malware over network

Exfiltration function passes data to attackers

Wiper function erases disks of infected machines

Malware modules


ATTACKER

Company Network

Unknown vector

Initial point of

infection

Malware spreads

via network shares

Transmits

information

Receives

instructions

Command &

control over

internet

Spreads to

domain

controller

Spreads directlyCollects information

Issues commands

At predetermined

time wipes disksXX

Infection Schema


Case Study: W32.Disttrack – Shamoon Attacks

26

Destructive attacks against energy companies

Two middle eastern organizations targeted in quick succession

Multi Stage Attack

• Gather information about target network

• Acquire user credentials

• Gain access to domain controllers

• Spread to computers across network

• Trigger destructive payload


27

Advanced Persistent Threats: Prevention and Detection



The Targeted Attack

New Attackers… New Targets…

• New Attacker

– State-sponsored or state-condoned attacker

– Long-term, strategic goals rather than short-term gain

• New Strategies

– The attacker uses social engineering to infiltrate the network

– Attacks targeted at properly-placed individuals with access to key systems

– Multiple attacks launched simultaneously, over prolonged periods

• New Targets

– Ultimate targets are key intellectual property and critical infrastructure

• Intellectual Property: Emails, PKI credentials, strategic plans, Schematics, process documents

• Critical infrastructure: Industrial control systems – hydro, power, manufacturing



APT Lifecycle

29

Activities APT Steps

Source: M-Trends, Symantec

Step 2

Step 3

Step 4

Step 5

Step 6

Step 7

Initial Intrusion into the network

Establish a backdoor into the network

Obtain user credentials

Install various utilities

Privilege escalation / Lateral movement / Data exfiltration

Maintain Persistence

Step 1 Reconnaissance

Spear phishing

Log in as domain administrator

Staging servers

Camouflaged network traffic

Infect 10-150 hosts

Attackers respond to partial cleanup

Identify multiple victims in target organization, research using public information sources

Obtain domain admin credentials

Spread backdoors, dump passwords, etc with valid credentials

Target domain controllers to obtain password hashes en masse


30

Symantec Four Pillars




Content

Data at Rest


Infrastructure


management

Network/Cloud

Data in Motion



Embedded Devices

Data in Use



Electrical Grid



AMI Data


Customer

Demand Response

Public / Internet

SCADA



Operations Domain




Operations Security



• Manage keys



Embed Security with Data Manage Endpoints










32

Operations Domain


At the Center of Everything ...

33

Source: Koramis AG



IT Security Policies & Procedures

Infrastructure Security

Security Operations & Management

Critical Information Protection

Device Protection

Immediate Risk Reduction Initiatives


Critical System Protection (CSP)

Network Protection

Mobile Security

Endpoint Security

Patch Management

Security Monitoring

Incident Response & Management

Security Operations

Threat & Vulnerability Management

Early Warning Alters

Data Backup

Data Encryption

Data Protection

Emergency Response

Risk Management

Crisis Management

Forensics

Governance & Compliance

Identity & Access Management

2 Factor Authentication

Device Authentication

34

35

Prevention and Detection: SCSP – Symantec Critical System Protection



SCSP – Real Time Exploit Prevention (IPS)


Symantec Critical

System Protection

creates a “shell”

around each program

and daemon/service

that defines

acceptable behavior

How it Works Files

Registry

Network

Devices

Read/Write Data Files

Read Only Configuration Information

Usage of Selected Ports and Devices

… Email Client

Office

Browser

Mail

Web

… crond

RPC

LPD Printer

Core OS Daemons

Application Daemons

Interactive Programs

Normal Resource Access Host Programs

…


Symantec Critical System Protection

37

Auditing & Alerting

Network Protection

System Controls

Exploit Prevention

• Monitor logs & security events

• Consolidate & forward logs for archives and reporting

• Smart event response for quick action

• Limit network connectivity by application

• Restrict traffic flow inbound and outbound

• Close back doors (blocks ports)

• Locks down configuration & settings

• Enforces security policy

• De-escalates user privileges

• Prevents removable media use

• Restrict application & O/S behaviors

• Protect systems from buffer overflow

• Intrusion prevention for day-zero attacks

• Application control

Real-Time Visibility. Maximum Control

Intrusion Detection System (IDS) Intrusion Prevention System (IPS) System Hardening and Application Control



SCSP = Least Privilege Application Control (LPAC) …

38

• Windows UAC

• Google Chrome

• Adobe Reader X

• Android OS

• Apple

• SELinux & Others

Industry Examples Also known as Sandboxing…

.. Processes

• Based on Fundamental Security Principles • Highly effective against malware (known & unknown) • Containment model limits the potential for exploitation • Proactive, policy-based security complements AV solutions • Applicable to all environments and applications • Dramatically improves security posture & reduces IA costs



SCSP – advantages agains Anitvirus and System lockdown

• Low system impact (RAM, CPU and Hard disk) - a CSP agent is using 14MB on Windows and 9MB on Linux

• Low operational cost

• 24h protection, no recalculating as on a System lockdown approach is necessary

• No pre requirement checks are requested (an System lockdown approach is needing a initial check like AV)

• Resistant against persistent methods and CA attacks

• Is supporting Patch mitigation

• Is supporting (case based) non Antivirus Solution on device

• In most cases customer a take the standard Strict Policy with additional tasks



Correlate SCSP Events with SSIM

• Rules

– Pre defined out of the box rules

– CSP events map to EMR

– Custom rules based on CSP data

– Cross correlate rules of different type


41

Prevention and Detection: SSIM – Symantec Security Information Manager



Symantec Information Manager

Identified .

threats

Known vulnerabilities

Business-critical IT assets

Risk-based Prioritization Threat Determined

Firewalls/ VPN

Intrusion Detection Systems

Vulnerability Assessment

Network Equipment

Server and Desktop OS Anti-Virus Applications Databases

User Activity Monitoring

Critical file modifications

Policy

Changes

Malicious IP

Traffic

Web Traffic

Tens of Millions:

Raw Events

Millions:

Security Relevant Events

Hundreds:

Correlated Events



Symantec Security Information Manager

“Optional”

Intelligence

Feed

(GIN)

Universal

Collector

Other

sources…

Firewall

Intrusion

Prevention

Windows

Events

Syslog

Collectors

Correlation

Manager

Manager

Console

Pre-built

Queries

LiveUpdate

Service

Log

Archiving

Infrastructure

Components Reports and

Dashboards

All Inclusive Solution

150+

Pre-defined

Reports

• Only 1 Optional Component

• No excessive “add-on” costs

• Single deployment supports evolving needs



APT Detection: Data Sources Used by SSIM

• Account and identity data to detect account compromise

• Log repeated login attempts

• Identity Access logging

• Integrate key logs (firewall, VPN, DNS, DHCP, etc)

• Messaging Gateway detects suspect payload (exe) and alerts SIEM

Infiltration Backdoor Lateral

Movement

Data

Discovery Exfiltration

• Change control information logged and compared to CMDB asset information

• IPS observes phone-home attempt, notes in log

• HIPS systems note changes to registry

• File reputation detects unknown program

• IPS detects remote service initiation

• Privilege escalation flagged by HIPS to SIEM

• Several login attempts logged for database and email systems

• Systems attacked compared against vulnerability database

• IPS flags admin login to privileged account

• DLP detects access to password file

• Database and application monitoring to detect access to critical information systems

• Data Insight and DLP log sensitive documents being encrypted and accessed by privileged users

• IP addresses of outbound connection on external data blacklist



45

Security Risk translated for the Business


46

Prevention and Detection: Device Authentication



Connected Devices need to be secured


http://www.perihel.at/2/wlan/07WL-Security-B-WEP-v2.pdf


Smart Grid Domains


Gas Electric

IHD

Hub / Gateways

Metropolitan Area Network (MAN)

Home Area Network (HAN)

Controllable Local Systems

Device Domain Application Domain (Multi-tenant Cloud)

M2M Application Platforms

Cloud characteristics: - Service-based - Scalable & elastic - Shared - Self Service - Internet Technologies - Pay as you go billing

Network Domain

Mobile / Fixed Line Network (WAN)

SGSN

GGSN

Base Station

GSM / GRPS / UMTS

S-GWY P-GWY

MME

HSS

EPC - Evolved Packet Core

4G / LTE


Smart Grid Domains - challenges


Gas Electric

IHD

Hub / Gateways




Device Domain Application Domain (Multi-tenant Cloud)


Cloud characteristics: - Service-based - Scalable & elastic - Shared - Self Service - Internet Technologies - Pay- as you go

Network Domain

Mobile / Fixed Line Network (WAN)

SGSN

GGSN

Base Station

GSM / GRPS / UMTS

S-GWY P-GWY

MME

HSS

EPC - Evolved Packet Core

4G / LTE

Application Domain


Cloud characteristics: - Service-based - Scalable & elastic - Shared - Self Service - Internet Technologies - Pay- as you go

Various network bearers

Various communication protocols

Internet / All-IP networks

Denial of Service attacks

Less sophisticated devices need good network protection

Detection of network-based attacks against the AMI/Grid


PKI – A Renaissance



History of PKI

• Initially discovered by GCHQ scientists in 1969

• Commercially available in 1976

PKI’s have been typically used for

• Web Servers (SSL)

• Email, document and/or user encryption and authentication

• Bootstrapping secure communications protocols

• Mobile environments e.g. Code signing



Smart Grid Eco System

Source: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0

52

Device Manufacturer

Smart PKI

• Large companies are typically active in multiple domains

• Markets are regulated in several countries

Appliance Man.


http://www.nist.gov/public_affairs/releases/upload/smartgrid_interoperability_final.pdf


Smart PKI

• Smart grid devices need to be authenticated in order to protect smart grids against attacks. As a consequence such devices need cryptographic keys for authentication and encryption.

• PKI is best practice for large scale key management. It is proposed to be used for smart grids1.

• As most households will be connected to the smart grid in the future, a scalable and robust PKI supporting millions of devices is required.

• Smart Grid projects are complex.

53

1: IEEE Transactions on Smart Grid: Security Technology for Smart Grid Networks


http://ieeexplore.ieee.org/search/freesrchabstract.jsp?tp=&arnumber=5460903&queryText=10.1109/TSG.2010.2046347&openedRefinements=*&searchField=Search+All


PKI Benefits to Industrial Security and Smart Grid

• By implementing PKI into the meters themselves, ...

– the smart grid can be secured at the communication layer,

– Verifies that the meters are configured correctly

– No tampering

– Validates the meters for network access.

• PKIs are ideal for large-scale security deployments that require a high level of security with minimal impact on performance.

• In a PKI environment, it is essential that private keys and certificates are guarded with a reliable key management solution that protects against ever-evolving data threats



Smart Meter Security Design Considerations



PKI Related Smart Grid Security Measures

Gas Electric

IHD

Hub

56

Concentrator

or Back-end




WAN + FAN

• Only trusted devices

• Only authenticated access through WAN, FAN, MAN and HAN to Hub

• Hub must authenticate itself to Back-end and MAN+HAN devices

• It must be possible to change security domain of Hub to different utility

• Authenticated firmware updates for Hubs and Smart Meters

• Integrity of measurement data from meters needs to be protected

• Encrypted data transmission WAN: Wide Area Network

FAN: Field Area Network



PKI Related Smart Grid Security Measures

• Only trusted devices

• Only authenticated access through WAN, FAN, MAN and HAN to Hub

• Hub must authenticate itself to Back-end and MAN+HAN devices

• It must be possible to change security domain of Hub to different utility

• Authenticated firmware updates for Hubs and Smart Meters

• Integrity of measurement data from meters needs to be protected

• Encrypted data transmission

Manufacturer device certificate attesting device certification

Operator device certificates for authenticating Hubs and other devices

Firmware Code Signing

Signing of metering data

Encryption certificates



Certificate Purposes

Manufacturer Security Domain

Device type attestation

Attestation of

- device id

- device type

- device certification

Firmware signing

Operator Security Domain

Strong device authentication and authorization

Persistent signing of meter data

Encryption of metering data



Device Certificate – Project Focus

CI Plus LLP • Content protection of premium pay

TV services

• Batch issuance of manufacturer

device certificates for TV sets

• Device certificates - delivered world

wide to the major TV set

manufacturers - attest device

identity and compliance to CI+

security standard

• More than 60 million certificates

issued in 2010.

Confidential I • Authenticating LTE devices when

accessing backbone network

• Online (real-time) issuance of

operator device certificates to LTE

devices.

• Certificates are delivered to LTE

devices operated by our customer.

• Device certificate attests authenticity

of the LTE device.

• Specifics: SHA2; CMPv2 according to

3GPP standard

Confidential II • Authenticating smart meters to the

back-end system

• Online (real-time) issuance of

operator device certificates to

smart meters.

• Certificates are delivered to smart

meters operated by our customer.

• Certificate attests authenticity of

the smart meter device.

• Specifics: ECDSA, SHA2



Spotlight on EMEA Utility – Device Certificates for Smart Grid

• Symantec is providing:

– A fully managed cloud based PKI solution

– Extremely easy to manage, portal access for Utility Admin staff

– Highly scalable – this particular solution will support in excess of 12 million smart meters

– Online solution where certificates are implemented at time of Meter Installation

• Device Certificates are implemented in Smart Meters and Head End Communications Devices

• The solution ensures that genuine devices are the only ones on the Smart Grid network, and also ensures that any data sent from the Meters to the Head End Systems is protected and unable to be viewed, compromised or tampered with

• The certificates are installed at time of meter installations in consumer homes. When certificates expire and new ones are issues, this is all done online with no requirement for engineer attendance



Symantec’s Pedigree: A Proven Enterprise Approach

Cross-platform

Applications

Browsers

Devices

Transparent

Automated

Flexible

Simplified

Reliable

Efficient

Extensible

Robust and Scalable

61

5.7m PKI seats loaded to

accounts at Symantec last year

>200m device certificates

issued to date

Millions more PKI seats loaded to

Processing Centers and CLPs

11,500 secure online

transactions enabled every second



Industrial Security: Things to Consider

• Windows systems are still a significant part of any industrial operations domain

• But typical enterprise approaches must be modified

• Authentication of device identity ensures integrity & security for the device, protecting the network and the device

• Operator certificates to protect the operator

• Contractor system: was on internet, now on private LAN

• Testing, and pushing applications directly to the field

• USB drives … do not allow automatic execution

• Security for SCADA systems – security needs to be built-in from the ground up

• Networking SCADA devices can help secure the operations domain by enabling more powerful systems for detection


Windows

Systems

Security

Certificate

Management

Air gaps

do not protect

SCADA

Security

62


Data Sharing Among Symantec Solutions

• Symantec solutions share information among compliance, data control, application control, monitoring and archiving systems. Some examples of solutions:

– Critical System Protection (CSP – application, device, file & execution control, system intrusion protection)

– SSIM (Symantec Security Incident Manager – security event correlation)

– Control Compliance Suite (CCS – Compliance reporting and monitoring)

– Symantec Protection Center (SPC – security console)

– Symantec Storage Foundation HA

– Data Loss Prevention (DLP) for content aware security policy

• For categorizing, archiving and controlling information, high level of integration among Symantec solutions including:

– Data Loss Prevention & Data Insight (Critical information control and discovery)

– Enterprise Vault (Archiving)

– Backup Exec (Backup




Content

Data at Rest


Infrastructure


management

Network/Cloud

Data in Motion



Embedded Devices

Data in Use



Electrical Grid



AMI Data


Customer

Demand Response

Public / Internet

SCADA



Operations Domain




Operations Security



• Manage keys



Embed Security with Data Manage Endpoints










65

Operations Domain


Infection Recovery

Recent Oil Industry Attacks 66

Prevent

Detect

Review & Improve

Identify vulnerabilities for affected systems

Establish data perimeter

Stop the attackers reacting

Stop the attack repeating

Identify the infection & affected systems

Stop infection spread

Keep vital systems functioning

Prioritise systems to restore first

Engage, communicate with users and public

Learn from the experience


Prepare in Advance

Recent Oil Industry Attacks 67

Prepare response team now

• Include an executive who has authority to approve actions

• Include appropriate stake holders

• Include technical experts

• Will you need external resources?

Prepare response plan

• Define policies, roles & responsibilities

• Define procedures

• How will the response plan be triggered?

• Who will do what?

Practice, practice, practice

• Paper simulations

• Live penetration testing


Symantec helps Industrial Security challenges across various dimensions

Compliance and Privacy Protection Control Compliance Suite, Data Loss Prevention

Compliance & Privacy

Threats Infrastructure Protection: SEP, Critical System Protection; Insider Threat: Data …… Loss Prevention; Field security: NAC,

Data Growth & Complexity Storage Foundation-HA, Command Central Storage, Netbackup, Backup

Outage Management Symantec Security Information Manager, Symantec Workflow

Engine, CMDB; SF/HA and Clustering for failover and disaster recovery

Endpoint Management Endpoint Management Solutions: Server Management Suite, Client Management Suite, Configuration Management Database (CMDB), LiveUpdate

Data Deluge & Complexity

Availability

Management Security & Insider Risk

SEP for Embedded , MSS Deepsight, Cloud based security & Key Mgment

Exec, Enterprise Vault, Control Compliance Suite, Data Loss Prevention, Cloud based Data Protection


Thank you!

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Tom Thomassen Office of the CTO [email protected]

Michelle Lewis Device Authentication Specialist [email protected]


mailto:[email protected]

mailto:[email protected]


Attacks in Detail



Example: SCADA Attacks in Production Systems (ICS)

71

1982|...|1994|…|1999|2000|…|2003|…|2006|2007|2008|2009|2010

Roosevelt Dam (1994): Hacker breaks into floodgate SCADA systems

California Canal System (2007): Insider hacks SCADA systems

Trans-Siberian Pipeline Explosion (1982): Trojan inserted into SCADA software that caused an explosion

Slammer (2003): Knocks nuclear monitoring system offline;

GAZPROM (2000): Hackers gain control of Russian natural gas pipeline

Stuxnet Ring Runs First SCADA operations (2009): Early proof-of-concept attacks launched and detected by Symantec

Sewage Dump (2000): Insider attack on sewage systems in Australia; Dumps 1 million gallons of raw sewage


W32.Stuxnet

JUL 2010

mitigating security risks in industrial control systems and smart...

Documents