powered by #IndustrialInternet
Security In A Cyber Physical World
Build your brilliant industry
October 1, 2015
powered by #IndustrialInternet
powered by #IndustrialInternet
Agenda
Industrial Cyber Security Landscape
1
Recent Incidents
Security Investment Drivers
2
3
powered by #IndustrialInternet
Industrial Cyber Security Landscape
powered by #IndustrialInternet
Picture Here
Industrial control systems are more interconnected
…and hack-able, as air gaps no longer exist.
powered by #IndustrialInternet
Picture Here
Systems are easy to target
Find them with tools like Shodan, the Google of hackers
powered by #IndustrialInternet
SHINE (SHodan INtelligence Extraction)
• Researchers identified 185+ manufacturers who were considered traditional SCADA and control system manufacturers, and built relevant search queries based on those names to find devices exposed directly to the Internet
• Roughly 2.2 MILLION devices were identified as being exposed either directly or indirectly related to SCADA or control systems
powered by #IndustrialInternet
Google Dorks – using Google to hack!
Source: http://www.exploit-db.com/google-dorks/
powered by #IndustrialInternet
Weaknesses are Prevalent Everywhere
powered by #IndustrialInternet
Concerns are on the Rise
67% of critical infrastructure companies suffered an attack in the last year (Ponemon 2014)
78% of senior security officials expect a successful attack on their ICS/SCADA systems within 24 months (Ponemon 2014)
$7.82 billion total market size for ICS cyber security solutions in 2014 (Markets and Markets 2015)
79,790 security incidents across 61 countries in 2014 (Verizon DBIR 2015)
powered by #IndustrialInternet
Incident – Time to Compromise / Time to Discovery • The Verizon DBIR illustrated that
97% of breaches analyzed could
have been prevented by simple or
intermediate controls.
• Malware is undetected for months
or years.
powered by #IndustrialInternet
Why Security Matters
Pipeline explosion caused by remote attack
Wastewater plant spilled sewage into rivers
Prius crash triggered via mobile phone
Pacemaker hacked to cause heart attack
Pipeline explosion caused by remote attack
Wastewater plant spilled sewage into rivers
Prius crash triggered via mobile phone
Pacemaker hacked to cause heart attack
Pipeline explosion caused by remote attack Wastewater plant spilled sewage into rivers
Prius crash triggered via mobile phone Pacemaker hacked to cause heart attack
powered by #IndustrialInternet
ICS Vulnerability Security Research Under the Spotlight • Security researchers are now more focused on industrial systems
• Additional attention has led to more than 80% of all ICS vulnerabilities being disclosed since 2011 (the year after Stuxnet was found)
• Worldwide SCADA attacks increased from 91,676 in January 2012 to 675,186 in January 2014 (Dell 2015)
0
50
100
150
200
250
300
1983 2001 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
ICS (SCADA/DCS) Vulnerability Disclosures per Year
powered by #IndustrialInternet
Industrial Threat Landscape Targeted attacks are executed by professional, organized teams
• Sophisticated tools
• Well-funded, especially when sponsored by nation-states
Threat actors evolve and use more advanced methods and tactics
• Cyber crime
• Hacktivism
• Insider attack
• Distributed attack
• Network Attack
• Physical damage
powered by #IndustrialInternet
Types of Attackers
• Insiders (disgruntled employees)
• Nation states
• Cyber terrorists
• Script kiddies
• Professional hackers
• Hacktivists
• Crime organizations
powered by #IndustrialInternet
Attacker Goal Against Industrial Control Systems
FieldControllersRTU/PLC
WWW
Corporate Network DMZ
Corporate Network
Supervisory Network
Control System Network
Router
MailServer
WebServer
DNSServer
PrintServer
ContentServer
FileServer
ApplicationServer
OfficePC’s
CorporateFirewall
Firewall
Historian(2)
PatchServer
OPC SCADAServer
HMI
Historian HMI Maint. &Engineering
IED SerialBus
(serial)
Sensors &Activators
Workstations
Gain access to the control system:
• Gain physical or remote access to an
ICS host
• Compromise a machine with access
to the ICS network
• Leverage a corporate system to
attack the control system network
• Damage Physical assets remotely
powered by #IndustrialInternet
Gaining Physical Access Examples
Control Center
CommunicationsRouters
Field Site 1
PLCModem
WAN CARD IED
Field Site 2
Modem RTU
Field Site 3
HMIEngineering
Workstations
DataHistorian
Control Server(SCADA – MTU
Wide Area Network
Switched Telephone.
Leased Line or Power
Line BasedCommunications
Radio Microwaveor Cellular
Satellite
• Attackers with physical access can
wreak significant damage
• Attackers use pre-existing malware
and adapt
Metasploit
Tools from underground forums
• Attackers focus on areas of weaker
physical security
Radio links by Software Defined Radio hacks
Fiber connections via fiber tapping Systems with weak or no passwords
powered by #IndustrialInternet
OT & IT Security Differences Security Priorities – CAIC vs. CIA
Threat Types – Physical vs. data
Staffing – Differing expertise needed
Vulnerability Lifecycle – Longer for OT
Protocols – Need OT visibility
Segmentation – No more “air gap”
Solution Availability – Need ease of use
powered by #IndustrialInternet
Noteworthy Incidents
powered by #IndustrialInternet
Stuxnet 2010 • Discovered in July 2010
• Targeted Iran’s nuclear enrichment program
• Attacked Siemens PCS7, S7 PLC and WIN-CC systems
• Infected 100,000 computers and at least 22 manufacturing sites
• Destroyed up to 1000 centrifuges between November 2009 and January 2010
powered by #IndustrialInternet
Stuxnet 2010 (cont'd) • Initially spread using infected
removable drives
• Exploited the architecture of the controller by hijacking the vendor’s DLL driver
• Modified ladder logic sent to/received from the controller without the notice of the development application or the controller
• No signed code was in use
• No code execution or configuration tamper control was developed Source: Symantec
powered by #IndustrialInternet
DUQU and FLAME (2011 and 2012) The Sons of Stuxnet
• Duqu
Malware had large similarities with Stuxnet
Trojan horse aimed to capture and exfiltrate information via a jpeg file
• Flame
Spyware discovered in Iran oil and nuclear installations
Was more complex than Stuxnet
Could record audio, screenshots, keyboard
activity and network traffic
Source: Symantec
powered by #IndustrialInternet
Shamoon (2012) • Targeted Saudi Aramco (Oil and
Gas Company)
• Was the most destructive attack on the business sector seen to date
• Infected more than 75% of the company’s workstations (30,000 to 55,000 workstations)
• Replaced crucial system files with an image of a burning U.S. flag
• Impacted messaging services severely for several weeks
powered by #IndustrialInternet
US Power Plant Hit by USB-based Malware (2013) • An infected USB stick used for
software updates and to back up control system configurations
• A virus in a turbine control system that impacted about 10 computers on its control system network, and affected operations for about three weeks
powered by #IndustrialInternet
Dragonfly (2013, 2014) • AKA Energetic Bear in operation since 2011
• Initially targeted defense and aviation
companies in the US and Canada followed by
European energy firms
• Targeted companies related to industrial
control systems
• Managed to compromise a number of
strategically important organizations for
spying purposes
• Damaged and disrupted target companies
• Used spam email campaigns and watering
hole attacks to infect targeted organizations
powered by #IndustrialInternet
US Utility’s Control System Hacked (2014) • A sophisticated hacking group attacked
a U.S. public utility’s control system
network
• Hackers may have launched the latest
attack through an Internet portal that
enabled workers to access the utility's
control systems.
• Hackers used brute-forcing to break the
simple password mechanism
powered by #IndustrialInternet
Havex (2014)
• Attackers add Trojan to ICS software on
vendor’s site
• ICS customer downloads software
to their PC
• Customer connects PC to ICS
• Active scan of OPC servers used for
controlling SCADA
• Also scan for other connected
computers and shared resources
• Data Exfiltration starts
powered by #IndustrialInternet
BlackEnergy (2014) 'Trojan Horse' bug lurking in vital US computers since 2011
A coal-fired power plant in Wyoming is seen on March 14, 2014 and the Trans-Alaska oil pipeline, pictured on June 14, 2009.
powered by #IndustrialInternet
German Steel Mill Attack (2014) Attackers remotely manipulated the
industrial control system
• Used spear-phishing to infiltrate the company network
• Successfully transitioned to industrial network and control systems
• Disrupted the blast furnace to not shut down properly
• Resulted in “massive” physical damage
Second occurrence of a fully digital attack
leading to physical damage
powered by #IndustrialInternet
Security Investment Drivers
powered by #IndustrialInternet
Notes on Industrial Cyber Security
"For many austerity-hit Western countries, the defense budget has been a prime target
for significant cuts. Nowhere has this been more apparent than in the United States.
Yet one element of the Pentagon’s budget continues to grow: cyber.”
Robert M. Lee & Thomas Rid (2014) OMG Cyber!, The RUSI Journal
U.S. President issued Executive Order 13636,
“Improving Critical Infrastructure Cybersecurity,” on February 12, 2013
“…we expect cyber-attacks on these systems to remain a serious challenge for operators.
The dual use aspect and availability of cybercrime facilitators, including zero-day exploits
for ICS/SCADA systems, combined with the relative ease to locate critical infrastructure
devices, will continue to attract actors with different motives.”
Europol – The Internet Organised Crime Threat Assessment (iOCTA) 2014
powered by #IndustrialInternet
Drivers for Investment in ICS security Recently, government, industry, academia, and
non-profit organizations are actively researching industrial cyber security
The investment drivers for ICS security are intertwined:
• Economical – inoperative critical
infrastructures can cause large financial losses for companies and countries
• Social – these infrastructures are used by
millions of people everyday
• Political – the sovereignty of a nation can
be undermined if certain infrastructures are
compromised
powered by #IndustrialInternet
Securing Vendors and Suppliers
powered by #IndustrialInternet
Securing the Procurement Process • Protect sensitive data and critical transactions between large CMs
and suppliers
• Source and track cyber sensitive components throughout the SC lifecycle
• Monitor and influence cyber security operations and supply of suppliers
Research products using risk management
Use security checklists
Ensure risks are clearly documented and mitigation plans
included in overall costs
Use security experts in the Tender, Contract , RFP, and RFI evaluation steps
Monitor and test security during implementation
Use auditing to highlight
problems and prepare EOL
powered by #IndustrialInternet
Security is Only as Strong as the Weakest Link Ensure suppliers/vendors are following secure
practices
• Extend security controls to vendors and
sub-vendors
• Ensure visibility into vendor practices and
supplier activities
• Require vendors to comply with industry
standards such as WIB and IEC 62443
powered by #IndustrialInternet
Summary • The air gap no longer exists • Industrial security is evolving as more devices
and systems are interconnected • Attacks are more frequent and sophisticated • Attacks are done by skilled professionals, many
times from insiders • Customers need to demand security and vendors
need to design security into products • Proprietary does not mean invincible or invisible • The costs from a breach extend beyond direct
financial losses • Include security in your budget now:
assessments, technology, training, and more
General Electric Company reserves the right to make changes in specifications and features, or discontinue the product or service described at any time, without notice or obligation. These
materials do not constitute a representation, warranty or documentation regarding the product or service featured. Illustrations are provided for informational purposes, and your configuration
may differ.
This information does not constitute legal, financial, coding, or regulatory advice in connection with your use of the product or service. Please consult your professional advisors for any such
advice.
No part of this document may be distributed, reproduced or posted without the express written permission of General Electric Company.
GE, Predix and the GE Monogram are trademarks of General Electric Company.
©2015 General Electric Company – All rights reserved.