From WannaCry to the Roadmap of
Industry 4.0
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT, 香港電腦保安事故協調中心)
• Established in 2001
• Funded by the HKSAR Government
• Operated by the Hong Kong Productivity Council (HKPC, 香港生產力促進局)
• Mission
  – Coordination of local cyber security incidents, serving Internet users and SMEs in Hong Kong
  – Point of contact for cyber security incidents across the border
Timeline of WannaCry Handling
• 12 May (Fri), 11:00 UTC (19:00 HK time): attacks reported on Twitter: Telefónica, Vodafone, and Banco Bilbao Vizcaya Argentaria
• 12 May, 17:00 UTC (13 May, 01:00 HK time): killswitch domain in place
• 13 May (Sat) AM: HKCERT started response
• 14 May (Sun): alerted 1000 schools via EDB and on the TID web
• 15 May (Mon): HKCERT / OGCIO / HKPF press conference
Other milestones on the slide (12 to 15 May, order as shown): WannaCry variant with no killswitch; HKPC mailed SMEs and organisations; HKCERT: Microsoft press release; HKCERT: security bulletin; Windows XP special patch; HKCERT / ITFC legislator / InfoSec experts press conference
Google Trends chart of "WannaCry" searches in Hong Kong, the UK and the US, 11 to 16 May:
• Hong Kong's response lagged the UK/US by 1 day.
• Hong Kong attention kept going up over the weekend of 13-14 May.
• The peak is on 15 May (Mon) for all 3 places.
• Dropped significantly on 16 May, to 38%.
WannaCry (May 2017)
It spread in the form of a network worm, scanning and attacking any online devices.
Vulnerability: a Windows vulnerability fixed in security bulletin MS17-010.
HKCERT received
• Over 500 enquiries
• Over 30 infection reports
High Risk Area 1
Connecting directly to the Internet, with no security updates applied
High Risk Area 2
One infected computer connected to a local network with many unpatched Windows computers
• France: Renault forced to halt production at sites in France, Slovenia and Romania
• Japan: Nissan Motor Co. confirmed some units had been targeted, but there was no major impact on its business.
High Risk Area 3
Legacy systems that cannot be patched because of interoperability reasons.
WannaCry affected container terminal operations
• New Zealand: Lyttelton Port, Christchurch suspended operations for 8 hours
Attacks on critical infrastructure / services not only bring about service disruption, but also hazard to human life.
Healthcare a major victim
• Britain: National Health Service disrupted. Hospitals and clinics turned away patients after computers got infected.
• USA: WannaCry hit at least two Bayer medical devices
Lesson from WannaCry
• A remote attack only requires
  – a device exposed to the Internet;
  – … with an unpatched security vulnerability
• No user interaction is required.
• It might affect critical systems and impact human life
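As an added worked example (not from the HKCERT slides): the "one infected computer on a local network" risk shows up in flow logs as a single source reaching many distinct hosts on TCP/445 within a short window. The Python below flags that fan-out over constructed sample flow lines; the log line layout, the 60-second window and the threshold of 10 targets are assumptions chosen for illustration.

```python
"""Flag worm-like SMB fan-out (one source reaching many distinct hosts on
TCP/445 inside a short window) in firewall or flow logs.
Added example; the log format and the sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line layout: "<iso-timestamp> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: peak_distinct_targets} for every source that contacted
    more than `threshold` distinct hosts on TCP/445 within any `window`.
    Lines must be in time order (per source is sufficient)."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, dst) inside the window
    peak = {}
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 445:
            continue  # only SMB over TCP matters for this detection
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["dst"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        distinct = len({dst for _, dst in q})
        if distinct > threshold:
            peak[rec["src"]] = max(peak.get(rec["src"], 0), distinct)
    return peak


def make_sample_log():
    """Constructed sample: 10.0.5.17 sweeps 25 neighbours on 445 within 25 s
    (worm behaviour), 10.0.5.30 repeatedly talks to one file server on 445
    (legitimate), 10.0.5.31 does HTTPS only. Not real traffic."""
    t0 = datetime(2017, 5, 13, 1, 0, 0)
    lines = []
    for i in range(25):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.0.5.17 dst=10.0.5.{100 + i} dport=445 proto=tcp")
        lines.append(f"{ts} src=10.0.5.30 dst=10.0.5.2 dport=445 proto=tcp")
        if i < 5:
            lines.append(f"{ts} src=10.0.5.31 dst=203.0.113.{i + 1} dport=443 proto=tcp")
    return sorted(lines)  # timestamp-first layout makes a lexical sort a time sort


if __name__ == "__main__":
    for src, n in find_smb_scanners(make_sample_log()).items():
        print(f"{src}: {n} distinct hosts on 445 within 60 s, worm-like fan-out")
```

The legitimate client that opens many connections to one file server never trips the rule because the count is of distinct destinations, not of connections; that distinction is what separates a worm sweep from normal SMB use.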
Shadow Brokers leaked NSA hacking tools and exploits
• April 2017: the Shadow Brokers released the password for an encrypted cache of NSA files.
  – Windows exploits
  – Protocols: SMB, RDP, IMAP, HTTP
  – Tools for monitoring SWIFT interbank payments
Relief to the big risk
Code name          Target                                       Solution
EternalBlue        SMB1, SMB2                                   Addressed by MS17-010
EmeraldThread      Print Spooler                                Addressed by MS10-061
EternalChampion    SMB1                                         Addressed by CVE-2017-0146 & CVE-2017-0147
ErraticGopher      SMB1; WinXP, WS2003                          Addressed prior to the release of Windows Vista
EskimoRoll         Kerberos; WS2000/2003/2008/2008R2            Addressed by MS14-068
EternalRomance     SMB1; WinXP/Win7/Win8, WS2003/2008/2008R2    Addressed by MS17-010
EducatedScholar    SMB2                                         Addressed by MS09-050
EternalSynergy     SMB1, SMB3; Win8, WS2012                     Addressed by MS17-010
EclipsedWing       Server RPC (TCP/135)                         Addressed by MS08-067
EsteemAudit        RDP; WinXP, WS2003                           Addressed by CVE-2017-0176 (SA 4025685)
EnglishmanDentist  Exchange Outlook Web Access; WinXP           Addressed by CVE-2017-8487 (SA 4025685)
ExplodingCan       IIS6 with WebDAV; WS2003                     Addressed by CVE-2017-7269 (SA 4025685)
The "Google" of IoT
Internet device search engine: Shodan Map
• 58,000+ Industrial Control Systems (ICS) in Hong Kong found exposed to the Internet (June 2017)
Common ports used in ICS
• Modbus (port 502)
• DNP3 (port 20000)
• BACnet (port 47808)
• EtherNet/IP (port 44818)
• Niagara Fox (ports 1911 and 4911)
• IEC-104 (port 2404)
• Red Lion (port 789)
• Siemens S7 (port 102)
Source: https://icsmap.shodan.io
Who are scanning the Internet?
• Commercial
  – Search engines: Google, Bing, …
• Government
  – HACIENDA (NSA/GCHQ), leaked in 2014
• Security researchers
  – OpenResolver
  – IoT scanners
• Botnets and malware (like WannaCry)
  – Scan for vulnerabilities
"Internet of Things" Hacking
• "Mirai" (未來, "future") IoT botnet (IP cameras, DVRs, routers)
• Large DDoS attacks (1.2 Tbps) targeted Dyn
• For scale: HKIX current maximum throughput = 600 Gbps
Image credit: CNN
Industry 4.0
• Highly connected and digitized
• Smart factories
  – Cyber-physical systems (CPS) are connected together for automation and process control
• Responsive supply networks
  – Partners in the value chain are connected together to exchange production data through an external network
• Tailored (customer) products
Vertical integration for automation of the smart factory; horizontal integration of the supply chain
Image credits: https://www.poscoict.co.kr
http://www.slideshare.net/sarathygurushankar1/shaping-towards-a-connected-world-of-supply-chain-industrie-40
Past Attacks on Industrial Systems (timeline 2000 to 2015)
• 2000, Australia: sewage SCADA hacked to leak sewage
• 2003, USA: network attack on the Davis-Besse Nuclear Power Station
• 2007, USA: unauthorized software damaged the California canal system
• 2008, Poland: a teenager hacked into the tram rail tracking system
• 2010, Iran: Stuxnet attack on a nuclear enrichment facility
• 2011: Duqu trojan discovered, targeting ICS
• 2012, Arabian Gulf: Shamoon trojan attack on an energy company
• 2015: (no caption survived for this axis mark)
[Graphics adapted from (c) 2016 PwC]
Compare IT Systems and ICS
Attribute                IT Systems                        ICS
System OS                COTS                              Proprietary OS, COTS
Network access           Highly connected                  Isolated and remote, but with more and more connected paths
Communication protocols  Standard protocols (TCP/IP)       Proprietary and standard protocols (Modbus, DNP3, …)
Lifetime                 3-5 years                         15-20 years
System patching          Always, straightforward           Seldom; compatibility must be tested
System defaults          Easy to change                    Difficult; some hard-coded
Security features        Encryption, authentication        Usually no encryption, no authentication
Risk management          Confidentiality and integrity     Human safety is paramount
Availability             Downtime & reboot acceptable      Downtime / reboot not acceptable
Eco-system               Competitive                       Few players
Source: German Trade & Invest 2013
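An added example in Python (not from the slides, not HKPC code) that makes "usually no encryption, no authentication" concrete for the first of the ICS ports listed earlier, Modbus/TCP on port 502. The request below is the entire message a controller accepts: there is no field in which a credential could travel, so any host that can reach port 502 can read or write the controller. The builder and parser follow the public Modbus/TCP framing (7-byte MBAP header plus PDU); the captured frames, the source addresses and the allow-list of authorised writers are constructed for the example.

```python
"""Modbus/TCP (port 502) framing: build, parse and audit requests.
Added example; the captured frames and the writer allow-list are constructed."""
import struct

MODBUS_TCP_PORT = 502
PROTOCOL_ID_MODBUS = 0

# Function codes that change controller state; a read-only HMI never needs them.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def build_request(transaction_id, unit_id, function, *fields):
    """Serialise an MBAP header + PDU. `fields` are 16-bit big-endian words
    (start address, then quantity or value). Note the absence of any
    credential: the protocol has no place for one."""
    pdu = struct.pack(">B" + "H" * len(fields), function, *fields)
    length = len(pdu) + 1  # MBAP length counts the unit id plus the PDU
    mbap = struct.pack(">HHHB", transaction_id, PROTOCOL_ID_MODBUS, length, unit_id)
    return mbap + pdu


def parse_frame(frame):
    """Validate the 7-byte MBAP header and split off the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != PROTOCOL_ID_MODBUS:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    return {"transaction_id": tid, "unit_id": unit,
            "function": frame[7], "data": frame[8:]}


def audit_frames(frames, allowed_writers):
    """frames: iterable of (src_ip, raw_frame). Report every write request
    from a source that is not on the allow-list, as (src, function, address).
    Because the protocol cannot authenticate, the source address is the only
    handle a network monitor has."""
    findings = []
    for src, frame in frames:
        req = parse_frame(frame)
        fc = req["function"]
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            (start_addr,) = struct.unpack(">H", req["data"][:2])
            findings.append((src, WRITE_FUNCTIONS[fc], start_addr))
    return findings


def sample_capture():
    """Constructed capture: the site HMI 10.0.2.10 reads and writes, then an
    unexpected host 203.0.113.5 forces a coil. No credentials anywhere."""
    return [
        ("10.0.2.10", build_request(1, 1, 3, 0, 10)),        # read 10 holding registers
        ("10.0.2.10", build_request(2, 1, 6, 5, 1)),         # write register 5 := 1
        ("203.0.113.5", build_request(7, 1, 5, 0, 0xFF00)),  # force coil 0 ON
    ]


if __name__ == "__main__":
    for src, fn, addr in audit_frames(sample_capture(), allowed_writers={"10.0.2.10"}):
        print(f"unauthorised {fn} from {src} at address {addr}")
```

The audit is deliberately a network-side control: the controller itself will execute the third frame exactly like the second one, which is why the comparison table puts segmentation and monitoring, not device hardening, at the centre of ICS defence.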
Standards
• ISO 27001 Information Security Management
• ISA/IEC 62443 Security for Industrial Automation and Control Systems (originally ISA99)
• ISO/IEC 29192 lightweight cryptography, for IoT devices where there is limited memory, battery life and restricted processors
• Others are in progress.
Industrial consortiums
• OneM2M
  – Manufacturers, service providers, end-users, and regional standards bodies from North America, Europe and East Asia. It has developed a suite of standards for M2M and other IoT applications, including a set of security solutions.
• Industrial Internet Consortium
  – Large IT companies such as AT&T, Cisco, General Electric, IBM, and Intel; develops use cases, reference architectures and frameworks, and aims to influence global standards processes
• AllSeen Alliance
  – A consortium developing the open source AllJoyn software and services framework. Members include consumer electronics companies such as Canon, Electrolux, LG, Panasonic and Sharp, as well as technology companies such as Microsoft and Qualcomm.
• GSMA
  – The mobile industry association, which drives M2M standardization
The Industrial Internet Consortium: The Industrial IoT Connectivity Framework (Feb 2017)
Cyber Security Guidelines for Smart City Technology Adoption, Cloud Security Alliance (2015)
Basic security requirements of smart city solutions:
• Strong encryption
• Strong authentication
• Authorization
• Auto & secure update
• Fail-safe
• Secure configuration by default
• Minimal service by default
• Anti-tampering
• Secure by design
• Audit, alert & logging
• No backdoor
Source: CSA Guideline for Smart City Technology Adoption
Life Cycle Approach: Embedding Cyber Security in Project Management
Risk Assessment for Project
✓ Financial risk: risk with the financial structure?
✓ Schedule risk: can it be delivered on time?
✓ Capability risk: do we have the technology and skill?
✓ Compliance risk: is there regulation to comply with?
✓ Cyber security risk: are the system and data resilient to cyber attacks?
✓ Other risk: site safety, etc.?
Cyber Security Purdue Model for Industry 4.0 (vertical integration)
Vertical integration, bottom to top: machines, robots, sensors, actuators → Smart Connect, PLC → MES → PLM, ERP, APS
Zone 0   Process: machines, robots, sensors, actuators
Zone 1   Basic Control: Smart Connect, PLC
Zone 2B  Supervisory Control
Zone 2A  Single Source of Truth / Site Manufacturing Operations & Control: MES
Cyber Security Purdue Model for Industry 4.0 (vertical and horizontal integration)
Physical layer:
Zone 0   Process: machines, robots, sensors, actuators
Zone 1   Basic Control: Smart Connect, PLC
Cyber layer:
Zone 2B  Supervisory Control
Zone 2A  Single Source of Truth / Site Manufacturing Operations & Control: MES
Zone 3   Operation DMZ
Zone 4   Smart Factory / Enterprise: PLM, ERP, APS; data analytics
Zone 5   Internet DMZ (IoS): VPN server
Internet: remote users; T1 and T2 suppliers (SRM); T1 and T2 customers (CRM/ASN/EDI)
Horizontal integration: suppliers and customers exchanging data across the Internet
Legend: firewall; 2-factor authentication
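The zoning on the slide can be checked mechanically against observed traffic. The Python below is an added example (not HKPC material): it assigns each asset to one of the slide's zones and reports flows that bypass a zone. The rule it applies is an assumption stated in the code (a flow may cross at most one zone boundary, so traffic has to pass through the Operation DMZ and the Internet DMZ, and any party on the Internet may only terminate at the VPN server in the Internet DMZ); the asset inventory, the flows and the placement of Zone 2B below Zone 2A are constructed for the example.

```python
"""Check observed flows against the Purdue-style zoning on the slide.
Added example; assets, flows and the rule are assumptions for illustration."""

# Zones from the slide, ordered bottom (process) to top (Internet).
# Zone 2B (supervisory) is placed below Zone 2A (site operations) as on the slide.
ZONE_ORDER = ["Zone 0", "Zone 1", "Zone 2B", "Zone 2A", "Zone 3", "Zone 4", "Zone 5", "Internet"]
ZONE_LEVEL = {zone: level for level, zone in enumerate(ZONE_ORDER)}

# Constructed asset inventory (hostname -> zone).
ASSETS = {
    "robot-cell3": "Zone 0",
    "plc-line1": "Zone 1",
    "scada-srv": "Zone 2B",
    "mes-srv": "Zone 2A",
    "historian-dmz": "Zone 3",
    "erp-srv": "Zone 4",
    "analytics-srv": "Zone 4",
    "vpn-gw": "Zone 5",
    "remote-user": "Internet",
    "t1-supplier-srm": "Internet",
}
VPN_TERMINATOR = "vpn-gw"  # assumed: the only asset external parties may reach


def flow_allowed(src, dst, zone_of=ASSETS):
    """Assumed rule: a flow may cross at most one zone boundary, so traffic
    must step through the Operation DMZ (Zone 3) and the Internet DMZ (Zone 5)
    rather than skip them; Internet parties terminate at the VPN server."""
    zs, zd = zone_of[src], zone_of[dst]
    if zs == "Internet" or zd == "Internet":
        inside = dst if zs == "Internet" else src
        return inside == VPN_TERMINATOR
    return abs(ZONE_LEVEL[zs] - ZONE_LEVEL[zd]) <= 1


def audit_flows(flows, zone_of=ASSETS):
    """Return the (src, dst) flows that violate the zoning rule, in input order."""
    return [(s, d) for s, d in flows if not flow_allowed(s, d, zone_of)]


def sample_flows():
    """Constructed flows: some legitimate, some that bypass a zone."""
    return [
        ("scada-srv", "plc-line1"),        # 2B -> 1: allowed
        ("mes-srv", "scada-srv"),          # 2A -> 2B: allowed
        ("erp-srv", "historian-dmz"),      # 4 -> 3: allowed
        ("remote-user", "vpn-gw"),         # Internet -> VPN server: allowed
        ("t1-supplier-srm", "vpn-gw"),     # Internet -> VPN server: allowed
        ("erp-srv", "plc-line1"),          # 4 -> 1: skips 3, 2A and 2B
        ("analytics-srv", "robot-cell3"),  # 4 -> 0: skips every zone between
        ("remote-user", "mes-srv"),        # Internet straight to MES, bypassing the VPN
    ]


if __name__ == "__main__":
    for s, d in audit_flows(sample_flows()):
        print(f"violation: {s} ({ASSETS[s]}) -> {d} ({ASSETS[d]})")
```

Fed with real flow records and a real inventory, the same function turns the firewall legend on the slide into a regression test: every "analytics reads the robot directly" shortcut that creeps in during an Industry 4.0 rollout shows up as a violation.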
Why cyber security becomes your job now?
Source: "How to Get into ICS Security" by Chris Sistrunk @ RSA Conference 2016 San Francisco
Differences in priorities of IT and OT personnel (in priority order)
• IT system: Confidentiality, Integrity, Availability
• ICS: Availability, Integrity, Confidentiality, with Safety above all
Relationships to deal with in the Industry 4.0 migration
• Internal: IT & OT staff
• External
  – IT and OT experts in the industry
  – Your company with your partners
  – Industry-wide norms and practices?
Challenges
• Still not enough awareness of Industry 4.0, and even less of cyber security.
• Global industrial buyers will gradually incorporate Industry 4.0 requirements into their contracts.
• Whether for the sake of quality / competence or for protection of local industry, these requirements will descend from the upper-tier customers to SMEs. If local SMEs cannot cope with these requirements, they will be marginalized from the global market.
About HKPC
HKPC Promotion Programme of Cyber Security for Industry 4.0
1. Industry Awareness Conference (23 Jun 2017)
2. International Technical Conference (21-22 Nov 2017)
3. Cyber Security Demonstration Corner in Smart Industry One
   – Demonstrate potential attacks on industrial systems.
   – Demonstrate cyber security solutions defending against the attacks
Bridging the Gap of IT and OT People
• Promote Security by Design in the whole supply chain
• Bridge the gap between manufacturers and IT security
• Facilitate the collaboration of manufacturers, security providers, researchers and users
Road Map (OT and IT)
• Capability building: security strategy consultant and implementer; assessment, remediation, advisory
• Situational awareness building (technology, best practice, supply chain requirements)
• Industrial collaboration
• Expertise
Thank You