From WannaCry to the Roadmap of Industry 4.0

Post on 16-Apr-2020

Hong Kong Computer Emergency Response Team Coordination Centre (香港電腦保安事故協調中心)

• Established in 2001
• Funded by the HKSAR Government
• Operated by Hong Kong Productivity Council (香港生產力促進局)
• Mission
  – As the coordinator of local cyber security incidents, serving Internet Users and SMEs in Hong Kong
  – As the Point of Contact of cyber security incidents across the border

Timeline of WannaCry Handling

[Timeline figure. Date marks: 12 May (Fri); AM 13 May (Sat); PM 13 May; PM 14 May (Sun); 15 May (Mon). Labels in the order they appear on the slide:]
• WannaCry, no killswitch
• HKPC mailed to SMEs & org
• HKCERT, Microsoft: Press Rel.
• HKCERT Security Bulletin
• WinXP Special Patch
• Attacks reported on Twitter: Telefónica, Vodafone, and Banco Bilbao Vizcaya Argentaria
• May 12, 11:00 UTC (19:00 HK Time)
• Killswitch domain in place
• May 12, 17:00 UTC (May 13, 01:00 HK Time)
• HKCERT started response in AM 13 May
• HKCERT, ITFC Legislator, InfoSec Experts: Press Conf
• Alerted 1000 schools via EDB and on TID web
• HKCERT, OGCIO, HKPF: Press Conf

Google Trend of WannaCry

[Chart: Google Trends for WannaCry in Hong Kong, UK and US; date marks 11 May, 12 May, 15 May, 16 May]

• Hong Kong response lagged UK/US by 1 day.
• Hong Kong attention kept going up in the weekend 13-14 May.
• The peak is on 15 May (Mon) for 3 places
• Dropped significantly on 16 May to 38%


WannaCry (2017 May)

It spread in the form of a network worm, scanning and attacking any online devices.

Vulnerability: A Windows loophole published in MS17-010.

HKCERT received
• Over 500 enquiries
• Over 30 infection reports

High Risk Area 1
• Connecting directly to Internet
• Having no security update

High Risk Area 2

One infected computer connected to local network with many unpatched Windows computers

France: Renault forced to halt production at sites in France, Slovenia and Romania

Japan: Nissan Motor Co. confirmed some units had been targeted, but there was no major impact on its business.

High Risk Area 3

Legacy systems that cannot be patched because of interoperability reasons.

WannaCry affected Container Terminal Operation

New Zealand: Lyttelton Port, Christchurch suspended operations for 8 hours

Attacks on critical infrastructure / services bring about not only service disruption, but also hazard to human life.

Healthcare a major victim

• Britain: National Health Service disrupted. Hospitals and clinics turned away patients after computers got infected.
• USA: WannaCry hit at least two Bayer medical devices

Lesson from WannaCry

• Remote attack only requires
  – A device exposed to the Internet;
  – … with unpatched security vulnerability
• No user interaction is required.
• It might affect critical systems and impact human life

Shadow Broker leaked NSA Hacking Tools and Exploits

• April 2017: Shadow Broker released the password for an encrypted cache of NSA files.
  – Windows exploits
  – Protocols SMB, RDP, IMAP, HTTP
  – Tools for monitoring SWIFT interbank payments

| Code Name | Component (platforms) | Solution |
|---|---|---|
| EternalBlue | SMB1, SMB2 | Addressed by MS17-010 |
| EmeraldThread | Print Spooler | Addressed by MS10-061 |
| EternalChampion | SMB1 | Addressed by CVE-2017-0146 & CVE-2017-0147 |
| ErraticGopher | SMB1 (WXP, WS2003) | Addressed prior to the release of Windows Vista |
| EskimoRoll | Kerberos (WS2000/2003/2008/2008R2) | Addressed by MS14-068 |
| EternalRomance | SMB1 (WXP/W7/W8, WS2003/2003/2008/2008R2) | Addressed by MS17-010 |
| EducatedScholar | SMB2 | Addressed by MS09-050 |
| EternalSynergy | SMB1, SMB3 (W8, WS2012) | Addressed by MS17-010 |
| EclipsedWing | Server RPC TCP/135 | Addressed by MS08-067 |
| EsteemAudit | RDP (WXP, WS2003) | Addressed by CVE-2017-0176 SA4025685 |
| EnglishmanDentist | Exchange Outlook WebAccess (WXP) | Addressed by CVE-2017-8487 SA4025685 |
| ExplodingCAN | IIS6 with WebDAV (WS2003) | Addressed by CVE-2017-7269 SA4025685 |

Relief to the big risk

Common ports used in ICS

• Modbus (port 502)
• DNP3 (port 20000)
• BACnet (port 47808)
• EtherNet/IP (port 44818)
• Niagara Fox (ports 1911 and 4911)
• IEC-104 (port 2404)
• Red Lion (port 789)
• Siemens S7 (port 102)

Source: https://icsmap.shodan.io
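An added example (not from the original slides): a host-side check that parses `ss -tuln`-style output from your own machine and reports listeners on the ICS ports listed above that are bound beyond loopback. The sample listing, the function names `bind_scope` and `audit_listeners`, and the severity labels are constructed for illustration.

```python
import ipaddress

# ICS protocol ports as listed on the slide above.
ICS_PORTS = {
    502: "Modbus", 20000: "DNP3", 47808: "BACnet", 44818: "EtherNet/IP",
    1911: "Niagara Fox", 4911: "Niagara Fox", 2404: "IEC-104",
    789: "Red Lion", 102: "Siemens S7",
}

# RFC 1918 and IPv6 unique-local ranges, treated here as "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample in the column layout of `ss -tuln` (not real host output).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:502         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:102       0.0.0.0:*
tcp   LISTEN 0      128    [::]:44818          [::]:*
udp   UNCONN 0      0      192.168.10.5:47808  0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    *:2404              *:*
udp   UNCONN 0      0      203.0.113.7:20000   0.0.0.0:*
"""


def bind_scope(host):
    """Classify how widely a numeric listening address can be reached."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local or any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "public"


def audit_listeners(ss_output):
    """Return sorted findings for ICS-port listeners bound beyond loopback."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in ICS_PORTS:
            continue
        scope = bind_scope(host)
        if scope == "loopback":
            continue
        # Internal-only binds still need review: a worm on the LAN reaches them.
        severity = "review" if scope == "internal" else "high"
        findings.append((severity, ICS_PORTS[int(port)], proto, int(port), scope))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS):
        print(*finding)
```

A "high" finding means the service accepts connections on every interface or on a publicly routable address, so whether it is reachable from the Internet then depends entirely on the perimeter firewall.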

Internet Devices Search Engine

• Shodan Map
  – 58,000+ Industrial Control Systems (ICS) in Hong Kong found exposed to the Internet (June 2017)

The “Google” of IoT

Who is scanning the Internet?

• Commercial
  – Search engines: Google, Bing, …
• Government
  – HACIENDA (NSA/GCHQ), leaked in 2014
• Security researchers
  – OpenResolver
  – IoT scanners
• Botnet, malware (like WannaCry)
  – Scan for vulnerabilities

“Internet of Things” Hacking

• Large DDoS attacks (1.2 Tbps) targeted DYN
• “Mirai” (“future”) IoT botnet (IP cam, DVR, routers)
• HKIX current max throughput = 600 Gbps

Image credit: CNN

Industry 4.0

• A Highly connected and digitized
• Smart factories
  – Cyber-physical systems (CPS) are connected together for automation and process control
• Responsive Supply Networks
  – Partners in the value chain are connected together to exchange production data through external network
• Tailored (customer) Products

Vertical Integration for automation of Smart Factory

Horizontal Integration of Supply Chain

Image credits: https://www.poscoict.co.kr, http://www.slideshare.net/sarathygurushankar1/shaping-towards-a-connected-world-of-supply-chain-industrie-40

Past Attacks to Industrial Systems

[Timeline figure. Year marks: 2000, 2003, 2007, 2008, 2010, 2011, 2012, 2015. Labels in the order they appear on the slide:]
• Arabian Gulf: Shamoon trojan attack on energy company
• Iran: Stuxnet attack on nuclear enrichment facility
• USA: Unauthorized software damaged the California canal system
• Poland: Teenager hacked into the tram rail tracking system
• Australia: Sewage SCADA hacked to leak sewage
• Duqu Trojan discovered to target ICS
• USA: Network attack on Davis-Besse Nuclear Power Station

Adopted graphics by (c) 2016 PwC

Compare IT Systems and ICS

| | IT Systems | ICS |
|---|---|---|
| System OS | COTS | Proprietary OS, COTS |
| Network Access | Highly connected | Isolated and remote. More connected paths |
| Communication protocols | Standard protocol (TCP/IP) | Proprietary and standard protocol (Modbus, DNP3…) |
| Lifetime | 3-5 years | 15-20 years |
| System patch | Always, straightforward | Seldom; compatibility to be tested |
| System default | Easy to change | Difficult, some hard-coded |
| Security features | Encryption, authentication | Usually no encryption, no authentication |
| Risk management | Confidentiality and integrity | Human safety is paramount |
| Availability | Downtime & reboot acceptable | Downtime / reboot not acceptable |
| Eco-system | Competitive | Few players |

Source: German Trade & Invest 2013

Standards

• ISO 27001 Information Security Management
• ISA/IEC 62443 Security for Industrial Automation and Control Systems (originally ISA99)
• ISO/IEC 29192 for lightweight cryptography used in IoT where there is limited memory, battery life and restricted processors
• Others are in progress.

Industrial consortiums

• OneM2M
  – Manufacturers, service providers, end-users, and regional standards bodies from North America, Europe and East Asia. It has developed a suite of standards for M2M and other IoT applications, including a set of security solutions.
• Industrial Internet Consortium
  – Large IT companies such as AT&T, Cisco, General Electric, IBM, and Intel. It develops use cases, reference architectures and frameworks, and aims to influence global standards processes.
• AllSeen Alliance
  – A consortium for developing the open source AllJoyn software and services framework. Members include consumer electronics companies such as Canon, Electrolux, LG, Panasonic and Sharp, as well as technology companies such as Microsoft and Qualcomm.
• GSMA
  – The mobile industry association which drives M2M standardization

The Industrial IoT: Connectivity Framework

The Industrial Internet Consortium (Feb 2017)

Cyber Security Guidelines for Smart City Technology Adoption

Cloud Security Alliance (2015)

Basic Security Requirements of Smart City Solutions

• Strong Encryption
• Strong Authentication
• Authorization
• Auto & Secure Update
• Fail-safe
• Secure configuration by default
• Minimal service by default
• Anti-tampering
• Secure by Design
• Audit, Alert & Logging
• No backdoor

[Side label: Life Cycle Approach]

Source: CSA Guideline for Smart City Technology Adoption

Embedding Cyber Security in Project Management

Risk Assessment for Project
• Financial Risk – risk with financial structure?
• Schedule Risk – can deliver on time?
• Capability Risk – have the technology and skill?
• Compliance Risk – need to comply to regulation?
• Cyber Security Risk – system and data resilient to cyber attacks?
• Other risk – site safety, etc.?


Cyber Security Purdue Model for Industry 4.0

[Diagram. Labels recovered from the slide:]

Zones
• Zone 5 Internet DMZ (IoS)
• Zone 4 Smart Factory / Enterprise
• Zone 3 Operation DMZ
• Zone 2A Single Source of Truth / Site Manuf. Oper. & Control
• Zone 2B Supervisory Control
• Zone 1 Basic Control
• Zone 0 Process

Layers: Cyber layer; Physical layer

Components (vertical integration, in slide order): Machines, robot, sensors, actuators; Smart Connect, PLC; MES; PLM, ERP, APS

Other components: Data Analytics; VPN Server

External parties (horizontal integration, via the Internet)
• T1 supplier, T2 supplier: SRM
• T1 customer, T2 customer: CRM/ASN/EDI
• Remote User

Legend: Firewall; 2-factor authentication

Why cyber security becomes your job now?

Source: “How to Get into ICS Security” by Chris Sistrunk @ RSA Conference 2016 San Francisco

Difference in Priorities of IT and OT personnel

[Arrow label: Priority]

IT System
• Confidentiality
• Integrity
• Availability

ICS
• Availability
• Integrity
• Confidentiality

• Safety

Relationships to deal with in the Industry 4.0 migration

• Internal: IT & OT Staff
• External
  – IT and OT experts in the industry
  – Your company with your partners
  – Industry-wide norms and practice?

Challenges

• There is still not enough awareness of Industry 4.0, and awareness of cyber security is even lower.
• Global industrial buyers will gradually incorporate Industry 4.0 requirements in the contracts.
• For the sake of quality / competence, or for the protection of local industry, these will descend to the upper-tier customers of SMEs. If local SMEs cannot cope with these requirements, they will be marginalized from the global market.

About HKPC

HKPC Promotion Programme of Cyber Security for Industry 4.0

1. Industry Awareness Conference (23 Jun 2017)
2. International Technical Conference (21-22 Nov 2017)
3. Cyber Security Demonstration Corner in Smart Industry One
   – Demonstrate potential attacks on industrial systems.
   – Demonstrate cyber security solutions defending against the attacks

Bridging the Gap of IT and OT People

• Promote Security by Design in the whole Supply Chain
• Bridge the Gap of Manufacturers and IT Security
• Facilitate the collaboration of manufacturers, security providers, researchers and users

[Figure labels: OT, IT]

Road Map

Capability Building

Security Strategy Consultant Implementer

Assessment Remediation Advisory

Situational Awareness Building (technology, best practice, supply chain requirement)

Industrial Collaboration

Expertise

Thank You