
Uploaded by chaiyakorn-apiwathanokul, posted 28-Nov-2014


DESCRIPTION

Critical Infrastructure Protection Case Study. Presented at SecureAsia 2010, Singapore, July 2010.

TRANSCRIPT

Page 1: Addressing CIP

Addressing CIP: A Thailand Case Study

by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS

Chief Security Officer

PTT ICT Solutions Co., Ltd.

A Company of PTT Group

Note: CIP = Critical Infrastructure Protection

Page 2: Addressing CIP

Addressing CIP: A Thailand Case Study

by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS

Synopsis: In many countries where Critical Infrastructure Protection is not yet a regulatory requirement, or is not taken seriously by the government, perception, understanding, collaboration and a qualified workforce are big challenges. Many misperceptions about securing these systems make it hard to convince management and stakeholders to support activities and investments. However, legislation is not the only way to go; there are still many other factors that can be brought into the picture, e.g. BCM, risk management, etc., to help attract management's attention. As security professionals, how can we make things better? How can we utilize the other mechanisms available to help address this challenge?

In Thailand, even though we have not explicitly issued a law specifically for CIP, we have done something to address CIP to some extent. We help raise awareness and understanding through training and seminars that demonstrate the vulnerability and exploitability of such systems. We introduce ISO27001 as a basic security management framework. Of course, there are many other things that still need to be done to address this challenge.

Page 3: Addressing CIP

About Speaker

• Contributed to the Thailand Cyber Crime Act B.E. 2550

• Security Sub-commission under the Thailand Electronic Transaction Commission (ET Act B.E. 2544)

• Workgroup for CA service standard development

• Committee for national standard adoption of ISO27001/ISO27002

• Committee of the Thailand Information Security Association (TISA)

• Committee for cybersecurity taskforce development, Division of Skill Development, Ministry of Labour

Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)

Title: Chief Security Officer (CSO)

Company: PTT ICT Solutions Company Limited, A Company of PTT Group

Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA

Page 4: Addressing CIP

Disclaimer

• I am not a representative of either the Thai government or any commission I have been involved in.

• I am not a spokesperson for my company.

• I am here as an infosec professional working and contributing in Thailand and would like to share some experience and Thailand's circumstances for the sake of global professional community collaboration and contribution.

Page 5: Addressing CIP

Agenda

• Global perspective toward CIP

• Thailand circumstance and challenges

• Approaches

Page 6: Addressing CIP

Transportation System (from a movie)

Page 7: Addressing CIP

Italian Traffic Lights

Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system

Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in a two-month period

Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets

Lessons learned:

Do not underestimate the insider threat

Ensure separation of duties and auditing

In the real world

Page 8: Addressing CIP

Transportation – Road Signs

Event: Jan 2009, Texas road signs compromised

Impact: Motorists distracted and provided false information

Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."

Lessons learned:

Use robust physical access controls

Change all default passwords

Work with manufacturers to identify and protect password reset procedures

In the real world

Page 9: Addressing CIP

Building Automation System (BAS) (from a movie)

Page 10: Addressing CIP

Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009

• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.

• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."

In the real world

Page 11: Addressing CIP

CIA Admits Cyber Attacks Blacked Out Cities

• The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.

• The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.

By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM

In the real world

Page 12: Addressing CIP

A Black-out incident

In the real world

Page 13: Addressing CIP

TISA in Bangkok Post : When Hacking risks health

TISA web site : http://www.tisa.or.th

In the real world

Page 14: Addressing CIP

Common claim: "The system is isolated"

Virus Found On Computer In Space Station

NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. …

The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection.

InformationWeek, August 27, 2008

In the real world

Page 15: Addressing CIP

Diagram labels: Manufacturer; Plant Operation Control Systems; National Critical Infrastructure; Adversary/Disgruntled employee; Terrorist/Hacker; Malicious code/Virus/Worm; Vulnerabilities/Weaknesses; Government; Law/Compliance/Standard/Guideline; Industry-specific Regulator

Page 16: Addressing CIP

Simplification

• Someone hates someone.

• Someone develops a weapon.

• Not only that someone but someone else gets into trouble.

• Someone (and someone else) has to do something.

Page 17: Addressing CIP

Activity Timeline of U.S.Critical Infrastructure Protection Initiative

Page 18: Addressing CIP

What do the big brothers do?

• US, 1996, Critical Infrastructure Protection (PCCIP)

• US, 1998, FBI National Infrastructure Protection Center (NIPC) and the Critical Infrastructure Assurance Office (CIAO)

• Communications and Information Sector Working Group (CISWG)

• Partnership for Critical Infrastructure Security (PCIS)

• US, 2001, President’s Critical Infrastructure Board (PCIB)

• US, 2003, National Infrastructure Advisory Council (NIAC)

• Control Systems Security Program, National Cyber Security Division, US-DHS

• United States Computer Emergency Readiness Team (US-CERT) Control Systems Security Center (CSSC)

Timeline marker: 9/11

Page 19: Addressing CIP

Obama elevates the priority of Cybersecurity concerns

May 29, 2009. U.S. President Barack Obama will appoint a government-wide cybersecurity coordinator and elevate cybersecurity concerns to a top management priority for the U.S. government, he announced Friday. The White House will also develop a new, comprehensive national cybersecurity strategy, with help from private experts, and it will invest in "cutting edge" cybersecurity research and development, Obama said in a short speech.

Page 20: Addressing CIP

Common Characteristics

• Tone from the top

• Accountability

• Across government agencies

• Government and industries collaboration

• Industry specific best practices vs. common best practices (share and collaborate)

• Short/Mid/Long term plan

• Review → Plan → Deploy → Monitor → Report

Page 21: Addressing CIP

Challenges

• Small number of security professionals in the market

• Misperceptions about control system security

– Security by obscurity

– Separated network

– Not an IT business

– We have no secrets

• Low awareness among stakeholders

Page 22: Addressing CIP

Qualified professional undersupply

Diagram labels: IT Professional; Infosec Prof.; Control System Prof.; Control System Cybersecurity Prof.

Page 23: Addressing CIP

The Implication

• Only a small number of professionals with the right competency are available to help you out

• Collaboration and support from the professional community are highly needed

Page 24: Addressing CIP

InfoSec Professional Involvement

• Law

– ETC: Electronic Transaction Commission

– Security Sub-commission

– Electronic Transaction Act: 2001

• Performance Appraisal Program (for State Enterprise)

• National Standard Adoption (ISO27001/ISO27002)

• Educate top management in healthcare industry

• Annual conference: Cyber Defence Initiative Conference (CDIC)

• Educate top management, mid-management and the technical people involved

Page 25: Addressing CIP

Key Influencer

• Electronic Transaction Commission (ETC)

• Thailand Information Security Association (TISA)

• State Enterprise Policy Office (SEPO)

• Ministry of ICT

• NECTEC, Ministry of Science and Technology

• ACIS Professional Center

Page 26: Addressing CIP

Guideline on Securing Electronic Transactions (derived from the ISMS Implementation Guideline)

Page 27: Addressing CIP

Thailand Information Security Association

27-Jul-10

http://www.tisa.or.th

ACIS Professional Center

Page 28: Addressing CIP

TISA Committees


Page 29: Addressing CIP

ISMS Training


Page 30: Addressing CIP

TISA Pilot Exam Summary: TISA ITS-EBK Model


Page 31: Addressing CIP

Example of TISA TISET Report

TISA Pilot Exam 2009-10-17

Page 32: Addressing CIP

TISA Pilot Exam Summary: Certification Roadmap

Roadmap diagram labels:

TISA TISET Exam – FOUNDATION (localized) IT / Information Security Competencies Test

TISA TISET Certification – International Certified IT & Information Security Professional

Tracks: Management, Audit, Technical

Levels: ADVANCE, EXPERT

Step to CISSP, SSCP, CISA, CISM

Page 33: Addressing CIP

State Enterprise Policy Office (SEPO)

• Incentive-based Performance Appraisal Program conducted annually

• 50+ State Enterprises under this program, which include:

– Electricity generation and distribution

– Gas pipeline and energy

– Waterworks

– Telecommunication

• IT Management – ISO27001

• Business Risk Management – Business Continuity Management (BCM)

Page 34: Addressing CIP

ISO27001 Implementation Roadmap (diagram): timeline 2007, 2008, 2009, 2011; labels: Start, Plan, Main System, Minor/support system, Main System

Page 35: Addressing CIP

The growth of ISO27001 in Thailand

Number of certificates per country as of July 2010 (source: http://www.iso27001certificates.com/Register%20Search.htm)

Country Count | Country Count | Country Count

Japan 3572 | Philippines 15 | Peru 3

India 490 | Pakistan 14 | Portugal 3

UK 448 | Iceland 13 | Argentina 2

Taiwan 373 | Saudi Arabia 13 | Belgium 2

China 373 | Netherlands 12 | Bosnia Herzegovina 2

Germany 138 | Singapore 12 | Cyprus 2

Korea 106 | Indonesia 11 | Isle of Man 2

USA 96 | Bulgaria 10 | Kazakhstan 2

Czech Republic 85 | Norway 10 | Morocco 2

Hungary 71 | Russian Federation 10 | Ukraine 2

Italy 61 | Kuwait 9 | Armenia 1

Poland 56 | Sweden 9 | Bangladesh 1

Spain 43 | Colombia 8 | Belarus 1

Malaysia 39 | Iran 8 | Denmark 1

Ireland 37 | Bahrain 7 | Dominican Republic 1

Austria 35 | Switzerland 7 | Kyrgyzstan 1

Thailand 34 | Croatia 6 | Lebanon 1

Hong Kong 32 | Canada 5 | Luxembourg 1

Romania 30 | South Africa 5 | Macedonia 1

Australia 29 | Sri Lanka 5 | Mauritius 1

Greece 28 | Vietnam 5 | Moldova 1

Mexico 24 | Lithuania 4 | New Zealand 1

Brazil 23 | Oman 4 | Sudan 1

Turkey 21 | Qatar 4 | Uruguay 1

UAE 20 | Chile 3 | Yemen 1

Slovakia 19 | Egypt 3 |

France 18 | Gibraltar 3 |

Slovenia 16 | Macau 3 |

Total 6573

Page 36: Addressing CIP

Start with Awareness

• Annual Security Event, CDIC (Public and Private sector)

• Top Management

• Involved engineers and technicians

Page 37: Addressing CIP

Educating the Engineering Department

Page 39: Addressing CIP

Scenario #1.1 Known local admin password (Hacking on Operator workstation)

Diagram: the attacker knows the local admin password, connects to Remote Desktop on the operator workstation (which is connected to the GUI's server), and from there remotely controls the GUI, adds a new user and opens a share folder. Components: PLC, HMI Web & DB Server, Operator Workstation, Operator.

Page 40: Addressing CIP

Summary Scenario #1.1 Known local admin password

Required condition:

– Local admin password is known (default password)

– Remote Desktop is open

Consequence:

– Attacker can take over the system

– Attacker can take over the GUI

– Attacker can add a new user

– Attacker can open a share folder

Remediation:

– Change default password

– Restrict access to Remote Desktop

Hacking on Operator workstation

Page 41: Addressing CIP

Scenario #1.2 Unpatched (Hacking on Operator workstation)

Diagram: the attacker attacks the unpatched, vulnerable server; once the GUI's server is exploited, the attacker remotely controls the GUI, adds a new user and opens a share folder. Components: PLC, HMI Web & DB Server, Operator Workstation, Operator.

Page 42: Addressing CIP

Summary Scenario #1.2 Unpatched

Required condition:

– Operator workstation is not patched

Consequence:

– Attacker can take over the system

– Attacker can take over the GUI

– Attacker can add a new user

– Attacker can open a share folder

Remediation:

– Regularly update the workstation

– Monitor the system integrity

– Consider an intrusion detection system

– Consider a security perimeter

Hacking on Operator workstation

Page 44: Addressing CIP

Summary Scenario #1.3 Password Sniffing

Required condition:

– Web-based HMI

– Operator sends login password via HTTP

Consequence:

– Password is known to the hacker

– Hacker can log in to the web-based HMI

Remediation:

– Use HTTPS instead of HTTP

– Consider a detection measure

Hacking on Operator workstation
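A detection measure of the kind Scenario #1.3 recommends, as an added example that is not part of the slides: it scans constructed request records (scheme, method, path, body, as a proxy or network sensor might log them) and flags any credential field sent to the HMI without TLS. The field names and sample records are assumptions.

```python
# Added example (not from the slides): detection logic for Scenario #1.3,
# cleartext HMI passwords sent over HTTP. Runs over constructed request
# records of the kind a proxy or network sensor would log; not real traffic.
from urllib.parse import parse_qs, urlsplit

# Field names treated as credentials (assumed list; extend for your HMI).
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pass"}

# Constructed sample records: (scheme, method, URL path, request body).
SAMPLE_RECORDS = [
    ("http",  "POST", "/hmi/login", "user=operator&password=hunter2"),
    ("https", "POST", "/hmi/login", "user=operator&password=hunter2"),
    ("http",  "GET",  "/hmi/status?tag=pump1", ""),
    ("http",  "GET",  "/hmi/login?user=op&pwd=abc", ""),
]


def credential_fields(path, body):
    """Return the credential-looking field names found in the query string or body."""
    query = urlsplit(path).query
    found = set()
    for params in (parse_qs(query), parse_qs(body)):
        found.update(k for k in params if k.lower() in CREDENTIAL_KEYS)
    return sorted(found)


def cleartext_logins(records):
    """Flag requests that carry a credential field over anything but HTTPS."""
    findings = []
    for scheme, method, path, body in records:
        fields = credential_fields(path, body)
        if fields and scheme.lower() != "https":
            findings.append((method, urlsplit(path).path, fields))
    return findings


if __name__ == "__main__":
    for method, path, fields in cleartext_logins(SAMPLE_RECORDS):
        print(f"cleartext credential: {method} {path} fields={fields}")
```

The HTTPS record is not flagged; the two plain-HTTP logins are, including the one that leaks the password in the URL query string, where it also lands in web server logs.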

Page 46: Addressing CIP

Summary Scenario #1.4 Remember password

Required condition:

– Physical access to the system

– Autorun enabled

Consequence:

– Password is stolen

Remediation:

– Limit physical access to the system

– Disable Autorun (all drives)

– Don't use the remember-password feature

Hacking on Operator workstation

Page 47: Addressing CIP

Scenario #2 SQL Injection (Hacking on HMI Web & DB server)

Diagram: an injection flaw in the web-based HMI lets the attacker run Insert, Delete and Update statements directly: delete a table, modify data in a table. Components: PLC, HMI Web & DB Server, Operator Workstation, Operator.

Page 48: Addressing CIP

Summary Scenario #2 SQL Injection

Required condition:

– Web-based HMI

– SQL injection flaw

Consequence:

– Direct database manipulation

Remediation:

– Input validation

– Web application security assessment

– Web Application Firewall (WAF)

Hacking on HMI Web & DB Server
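Scenario #2 in code, as an added example that is not part of the slides: a hypothetical HMI "setpoints" table, an update function that concatenates user input into SQL (the injection flaw), and the remediated version that applies input validation and a parameterized query. The table, tag names and values are constructed.

```python
# Added example (not from the slides): Scenario #2, SQL injection in a
# web-based HMI. Hypothetical "setpoints" table; vulnerable_update builds
# SQL by string formatting, hardened_update validates and parameterizes.
import re
import sqlite3

TAG_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # whitelist of acceptable tag names


def make_db():
    """In-memory database with constructed sample setpoints."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE setpoints (tag TEXT PRIMARY KEY, value REAL)")
    conn.executemany("INSERT INTO setpoints VALUES (?, ?)",
                     [("pump1", 40.0), ("valve3", 55.0), ("heater2", 80.0)])
    conn.commit()
    return conn


def vulnerable_update(conn, tag, value):
    """Flawed: user input is pasted straight into the SQL statement."""
    sql = f"UPDATE setpoints SET value = {value} WHERE tag = '{tag}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # number of setpoints changed


def hardened_update(conn, tag, value):
    """Remediation: input validation plus a parameterized query."""
    if not TAG_RE.match(tag):
        raise ValueError(f"rejected tag name: {tag!r}")
    value = float(value)  # non-numeric input raises ValueError
    cur = conn.execute("UPDATE setpoints SET value = ? WHERE tag = ?", (value, tag))
    conn.commit()
    return cur.rowcount


def setpoints(conn):
    """Current table contents as {tag: value}."""
    return dict(conn.execute("SELECT tag, value FROM setpoints ORDER BY tag"))


if __name__ == "__main__":
    injected = "pump1' OR '1'='1"  # makes the WHERE clause true for every row
    conn = make_db()
    print("vulnerable changed", vulnerable_update(conn, injected, 0), "rows:", setpoints(conn))
    conn = make_db()
    try:
        hardened_update(conn, injected, 0)
    except ValueError as err:
        print("hardened rejected input:", err)
    print("hardened changed", hardened_update(conn, "pump1", 42.5), "row:", setpoints(conn))
```

With the crafted tag the vulnerable version rewrites every setpoint (the "modify data in table" consequence on the slide); the hardened version rejects it before any SQL runs and, for a valid tag, changes exactly one row.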

Page 49: Addressing CIP

Scenario #3 Direct PLC Manipulation (Hacking on PLC)

Diagram: port 2222/TCP is open on the PLC; the attacker takes control of the PLC, modifies PLC data and disrupts PLC operation: control valve/pump, change PLC mode, system halt. Components: PLC, HMI Web & DB Server, Operator Workstation, Operator.

Page 50: Addressing CIP

Summary Scenario #3 Direct PLC Manipulation

Required condition:

– Port 2222/TCP is open (Allen Bradley)

– No authentication

– Network routable

Consequence:

– Access to the PLC's data table

Remediation:

– Enable authentication where possible

– Routing control / network isolation (verify)

Hacking on PLC

Page 51: Addressing CIP

Summary

• Been doing

– Help raise awareness

– Informal gathering of industry leaders

– Some laws and regulations issued

• Future

– Many things are lined up

– Government is to work closely with industry

– Collaboration and community across countries shall be considered

– It will be a long journey

Page 52: Addressing CIP
