Transcript
Page 1: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Hype, Hope, and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Georgia Distribution and Transmission Automation Group

April 2, 2012, Forsyth, GA

Page 2: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


A Quote

"Everybody talks about cybersecurity, but nobody does anything about it." – Mark Twain

The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy

Page 3: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

A Question

Page 4: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


A Hypothesis

We have yet to see a significant cyber related outage in the North American power grid because those who have the ability to cause such lack the motivation to do so.


Page 5: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

About Me

Security Professional by choice
– Nextel Communications 1997-2000
– US Bank Information Security 2000-2001
– PacifiCorp Security 2001-2009
– WECC CIP Auditor 2009-2010
– EnergySec (NESCO) 2010 - ?

Page 6: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

I am not an Engineer

Page 7: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

About EnergySec

– 7/2004: EnergySec founded as E-Sec NW
– 1/2008: SANS Information Sharing Award
– 12/2008: Incorporated as EnergySec
– 10/2009: 501(c)(3) nonprofit determination
– 4/2010: EnergySec applied for National Electric Sector Cybersecurity Organization (NESCO) FOA
– 7/2010: NESCO grant award from DOE
– 10/2010: NESCO became operational

Page 8: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


The System

– Greatest engineering achievement of 21st century
– 1 Trillion watts of generation
– 850 Billion watts of transmission capacity
– 150,000 miles of high voltage transmission
– Ubiquitous
– Average uptime 99.995% (SAIDI = 244)


Page 9: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Smart Gridtopia


Page 10: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


But what can I do with it?

– Distributed Generation
– Demand Response
– Market pricing at the consumer level
– Frequency Response (EVs)
– Renewables integration
– Micro Grids
– Energy Storage


Page 11: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Automation

– Automated Generation Control
– Special Protection Systems
– Synchrophasor Applications
– Load Shedding
– Advanced Metering Infrastructures
– Centralized Control Systems


Page 12: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


There’s an App for That


“Get mobile access to your control system via an iPhone, iPad, Android and other smartphones and tablet devices. The Ignition Mobile Module gives you instant access to any HMI / SCADA project created with the Ignition Vision Module.”

Page 13: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


To The Cloud!


“Use any standard browser on any device to access HMI. No downloads, no tedious installs, no plug-ins. Login and you have the HMI in your hands wherever you are: factory cafeteria, or parking lot, or on the beach, or even the golf course!”

“GoToMyHMI provides Secure, Easy and Fast access from any Browser to InstantHMI 6.0, ready to serve you on the cloud today. Remotely Monitor, ACK Alarms and Control your HMI for one low flat fee.”

Page 14: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


The Double-edged Sword

Email – Fraud/Phishing
Facebook – Privacy
Online Banking – Online Theft
Computerized Trading – Market Manipulation
Smart Grid – ???


Page 15: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Attack Surface

– EMS
– DMS
– DCS
– E-Tagging
– Trading
– AGC
– ICCP
– AMI
– Communication
– Remote Access
– Vendor Support
– Supply Chain
– [HLWMV]ANs
– The Cloud
– Mobile devices
– SCADA


Page 16: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Logical Distance Increasing

Clicky-clicky

Whirly-whirly

Page 17: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Today’s Shiny Object

– Headline presentations at BlackHat/DefCon, DerbyCon, RootedCon, BSides …
– Wall Street Journal, National Journal, CNN
– Too many IT trade publications to name
– Blockbuster films, prime time TV shows
– Person-on-the-street, Congress, White House


Page 18: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


March 2012


Page 19: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


From Obscurity to Novelty

– Smart Meter hacking
– Hacking cookbooks, fuzzers, sniffers, reversing
– Metasploit, Core Impact, etc
– Supply chain attacks
– Manuals available in all languages on Internet


Page 20: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Current Events

Facebook Social Engineering Attack Strikes NATO
http://www.informationweek.com/news/security/government/232602419

"The top military commander in NATO has been targeted by attackers wielding fake Facebook pages.”

Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest
http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/

"The tall teen, who asked to be identified only by his handle “Pinkie Pie” … spent just a week and a half to find the vulnerabilities and craft the exploit, achieving stability only in the last hours of the contest.”


Page 21: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


…To Name a Few


Page 22: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


TwitBookBlogosphere


Page 23: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Cybersecurity Landscape


Page 24: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

People are talking

6,750,000 results

Page 25: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Point, Click, Hack


Source: Network World (http://goo.gl/K5xZ7)

“In some scarier than your average security news, thanks to several Program Logic Controllers (PLC) exploits that were added to Metasploit today, "hacking SCADA systems can be push of a button easy," tweeted HD Moore, CSO of Rapid7 and Chief Architect of Metasploit.”

Page 26: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Vulnerability Disclosure


Page 27: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Vulnerabilities

Page 28: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Air-Gaps, Unicorns and Bigfoot


Page 29: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


10,000 Reasons to Worry


Source: www.wired.com/threatlevel/2012/01/10000-control-systems-online

Page 30: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Technology Landscape

A new digital world order

– Lingering legacy
– Widespread connectivity
– Hyper-embeddedness
– Cyber-kinetic impacts

Page 31: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Advantage: Adversaries

Intelligent, adaptive adversaries exist, and they don’t follow the rules or compliance checklists

Page 32: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Advantage: Adversaries

Google search for “APT”
– 34 hits in Jul 09
– 169 hits in Jan 10
– 1.2M+ hits June 11

Google search for “cyberwar”
– 416 hits Dec 09
– 1.4M hits Feb 10
– 3.4M+ hits June 11

Welcome to the cyberarms race

Page 33: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


What to do?


Page 34: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Nothing New Under The Sun

Mature security practices; highly refined
– Defense in Depth
– Principle of Least Privilege
– Segregation of Duties
– Need to Know
– Availability, Integrity and Confidentiality

No Silver Bullet, 100%, Total Security

Strong protection has never been easy, inexpensive or quick to implement (pick two)


Page 35: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Compliance


Page 36: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

There ought to be a Law…???

Laws are reactionary, not visionary.

Page 37: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Regulatory Landscape
– Posse Comitatus Act, 18 U.S.C. §1385
– Antitrust Laws
– Sherman Antitrust Act, 15 U.S.C. §§1-7
– Wilson Tariff Act, 15 U.S.C. §§8-11
– Clayton Act, 15 U.S.C. §§12-27
– §5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. §45(a)
– National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. §271
– Radio Act of 1912
– Federal Power Act (p. 13), 16 U.S.C. §791a et seq., §824 et seq.
– Radio Act of 1927
– Communications Act of 1934 (p. 14), 47 U.S.C. §151 et seq.
– National Security Act of 1947 (p. 15), 50 U.S.C. §401 et seq.
– US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. §1431 et seq.
– Defense Production Act of 1950, 50 U.S.C. App. §2061 et seq.
– State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. §2651a
– Brooks Automatic Data Processing Act
– Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. §552
– Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, §§3701 to 3797ee-1
– Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, §§1961-1968
– Federal Advisory Committee Act (p. 20), 5 U.S.C. App., §§1-16
– War Powers Resolution, 50 U.S.C. Chapter 33, §§1541-1548
– Privacy Act of 1974 (p. 20), 5 U.S.C. §552a
– Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. §§2511, 2518-9
– Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. Chapter 36, §§1801-1885c
– Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, §§2000aa-5 to 2000aa-12
– Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. §1030
– Computer Fraud and Abuse Act of 1986, 18 U.S.C. §1030
– Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. §§2510-2522, 2701-2712, 3121-3126
– Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. §167
– Computer Security Act of 1987, 15 U.S.C. §§272, 278g-3, 278g-4, 278h
– Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. §552a
– High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
– Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. §1001 et seq.

Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology December 22, 2011


Yes, this is an eye-chart to make a point

Page 38: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Regulation is Futile

Regulation kills creativity, innovation, and passion, all of which are needed to achieve success in cybersecurity.

Page 39: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


NERC CIP in 30 Seconds

– CIP-002 - Figure out what needs to be protected
– CIP-003 - Establish policy and programs
– CIP-004 - Address personnel issues
– CIP-005 - Create electronic perimeters
– CIP-006 - Create physical perimeters
– CIP-007 - Provide system level security
– CIP-008 - Figure out how to respond to incidents
– CIP-009 - Figure out how to recover from incidents

Page 40: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Action vs. Attitude

You can prescribe action, but not attitude

Page 41: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Activity vs. Outcome

Are we doing/requiring the right things?

Page 42: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Backwards?… Maybe so

Compliance spending increasing sharply while security spending is increasing slowly.

Companies find $$ for compliance while cutting other critical areas.

Page 43: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Leverage NERC CIP

CIP spending 25% of IT security budgets

Get Smarter about spending

Integrate Decisions (IT- Ops–Compliance)

Secure solutions + Compliance

Page 44: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

Misthinking

It Can’t Happen

It Won’t Happen

It Won’t Matter

Page 45: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

It Can’t Happen

This is nearly always FALSE

Attackers are always seeking (and finding) new ways to compromise technology

Obscurity is not a defense.

Page 46: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

DNS Exfiltration

If you can resolve a DNS name on a system…

Technique is being actively used in the wild

In many cases, detection is the only defense
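Since the slide says detection is often the only defense against DNS-based exfiltration, here is an added example of what that detection can look like; it is not code from the presentation or from EnergySec/NESCO. It reads a constructed DNS query log (the three-field "timestamp client qname" format, the client addresses and the domain names are all made up for this example), approximates the registrable domain as the last two labels (a real deployment would use a public-suffix list), and flags the two signals a resolver log most readily exposes: a client sending many distinct, high-entropy subdomains to one parent domain, and individual oversized subdomain labels. The thresholds are illustrative starting points, not tuned values.

```python
"""Heuristic detection of DNS-tunnelling style exfiltration in a resolver log.

Added example for the DNS Exfiltration slide; not code from the talk or
from EnergySec/NESCO.  Assumptions: simplified "timestamp client qname"
log lines constructed below, a two-label approximation of the registrable
domain, and illustrative thresholds.
"""
import math
from collections import defaultdict

# Constructed sample log (no real hosts or domains): one client making
# tunnelling-style lookups, one client with a single oversized label,
# and ordinary lookups that must not be flagged.
SAMPLE_LOG = [
    "2012-04-02T10:00:01 10.0.0.5 www.example.com",
    "2012-04-02T10:00:02 10.0.0.5 mail.example.com",
    "2012-04-02T10:00:03 10.0.0.7 q7x2mz9kd4p1vb3n.example-tunnel.test",
    "2012-04-02T10:00:04 10.0.0.7 h5w8ty0cg6r2ls4j.example-tunnel.test",
    "2012-04-02T10:00:05 10.0.0.7 a9e3uo7fi1bq6nv0.example-tunnel.test",
    "2012-04-02T10:00:06 10.0.0.7 z4k1m8xw2d5pc7y3.example-tunnel.test",
    "2012-04-02T10:00:07 10.0.0.5 cdn.example.com",
    "2012-04-02T10:00:08 10.0.0.9 aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkk.example-other.test",
]


def shannon_entropy(text):
    """Bits per character of a string; encoded payload data scores high,
    human-chosen hostnames such as 'www' or 'mail' score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname):
    """Return (subdomain_part, registrable_domain).  The registrable domain
    is approximated as the last two labels (assumption for this example)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed 'timestamp client qname' log line."""
    ts, client, qname = line.split()
    return ts, client, qname


def detect(lines, max_sub_len=40, entropy_threshold=3.5, min_unique=3):
    """Group queries by (client, registrable domain) and return a list of
    findings, each with the reasons it was flagged."""
    groups = defaultdict(list)  # (client, domain) -> [subdomain, ...]
    for line in lines:
        _, client, qname = parse_line(line)
        sub, domain = split_query(qname)
        groups[(client, domain)].append(sub)

    findings = []
    for (client, domain), subs in groups.items():
        unique = {s for s in subs if s}
        entropies = [shannon_entropy(s.replace(".", "")) for s in unique]
        avg_entropy = sum(entropies) / len(entropies) if entropies else 0.0
        longest = max((len(s) for s in subs), default=0)

        reasons = []
        # Signal 1: many distinct, random-looking subdomains under one parent
        # is the shape of data being carried out in query names.
        if len(unique) >= min_unique and avg_entropy >= entropy_threshold:
            reasons.append("many high-entropy unique subdomains")
        # Signal 2: a single oversized label is suspicious on its own, even
        # when its content is low-entropy.
        if longest > max_sub_len:
            reasons.append("oversized subdomain label")

        if reasons:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": len(unique),
                "avg_entropy": round(avg_entropy, 2),
                "longest_subdomain": longest,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run it as a script to see the two flagged (client, domain) pairs; the ordinary example.com lookups produce no finding. In practice the grouping key and thresholds would be fed from a real resolver or passive-DNS log and baselined against the environment, and the entropy test is deliberately paired with the unique-count test so that a single odd-looking hostname does not by itself raise an alert.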

Page 47: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Flank Attacks

– RSA – Stolen 2-factor auth token data
– Industrial Espionage/Supply Chain
– Certificate Authorities
– Corporate Networks
– Partner Networks


Page 48: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Organized Attackers

– Underground markets
– Criminal infrastructure
– Botnets
– Attackers for hire


Page 49: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

It Won’t Happen

In most cases, this is TRUE, but we don’t know which ones

Somebody WILL be compromised.

Everybody MIGHT be compromised

We are becoming a target

Page 50: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

The Wildebeest Defense

Yes, there are lions, but there are so many of us that the chances I’ll get eaten are small

Can be effective against isolated threats, but doesn’t help against common maladies

Doesn’t work if you’re slow or weak

Page 51: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

There may be more lions than you think

– HBGary
– RSA
– Sony
– Lockheed Martin
– NASDAQ

Page 52: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

It won’t matter

– Kinetic impacts
– Economic impacts
– Reputational impacts
– Others?

Page 53: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

What is Critical?

Page 54: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Culturing Security

– Treat security like safety
– The basics shouldn’t be magic
– Distribute the load
– Security is everyone’s job
– Social engineering is a waste of time
– Focus on the solution: training & awareness


Page 55: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Prevention

Detection

Response

No 100% Prevention


Page 56: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


And Finally

“The rumors of my death have been greatly exaggerated.” – Mark Twain


Page 57: Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation


Thank You!


Steven H Parker
V.P. Technology Research and Projects, EnergySec

Co-Principal Investigator, National Electric Sector Cybersecurity Organization

[email protected] (desk)

@es_shp (twitter)
www.energysec.org
