Jonathan Shapiro Director Office of Research Cybersecurity

Jonathan Shapiro
Director
Office of Research
Cybersecurity

Contact
Jonathan Shapiro
Director, Office of Research
Cyber Security Business Development
The University of Texas at Dallas
Direct 972-740-4339
Office 972-883-4501
[email protected]
Personal Web Page http://www.utdallas.edu/research/

Social Media
Blog - Cybersecurity at the University of Texas at Dallas
LinkedIn Group - Cybersecurity at the University of Texas at Dallas
Twitter - @CyberUTD


Post on 25-Feb-2016


Page 1: Jonathan Shapiro Director Office of Research Cybersecurity


Page 2: Jonathan Shapiro Director Office of Research Cybersecurity

Cybersecurity

Cybersecurity is one of the most serious economic and national security challenges we face as a nation.

The Cyber Initiative at UTD is a critically important public-private partnership to develop new technologies and skills that will lead to secure computing, communications and control systems.

Page 3: Jonathan Shapiro Director Office of Research Cybersecurity

• University-wide initiative that involves faculty and students from six different departments and schools.

• UT Dallas' Cyber Security Research and Education Center was designated as the NSA/DHS Center for Excellence in Education.

• Eight areas of research and development have been designated, encompassing a range of technologies, industries and users.

• Focus
  – Performing research to enhance and strengthen the security of computer systems and networks
  – Share our research results by publishing papers in premier journals and top conferences
  – Foster interaction between Government, Industry and Academia in the field of Cybersecurity
  – Develop and teach a strong cyber security program which includes courses for cyber-crime prevention, detection and analysis
  – Initiate interdisciplinary programs integrating social sciences and information sciences
  – Transfer the technologies from the university to commercial development efforts

Cybersecurity Research

The Cyber Initiative at UT Dallas

Page 4: Jonathan Shapiro Director Office of Research Cybersecurity

Cybersecurity Research Areas

Technical Research
• Secure & Available Networks
• Secure Cloud Computing
• Security Of Control Systems
• Software Security
• Secure Silicon

Cross Functional Research
• Cyber Security Risk Management
• Emergency Preparedness
• Information Assurance
• Business Risk Analysis & Economic Implications
• Public Policy Implications
• Threat Analysis & Modeling
• Criminology

The Cyber Initiative at UT Dallas

Page 5: Jonathan Shapiro Director Office of Research Cybersecurity

School of Management
• International Center for Decision and Risk Analysis
• Center for Information Technology and Management
• The Leadership Center

School of Engineering and Computer Science
• Cyber Security Research Center
• Cybersecurity and Emergency Preparedness Institute
• Electrical, Mechanical and Computer Science

School of Economic, Political & Policy Sciences
• Criminology
• Economics

Arts and Technology
• Gaming and Simulation

Page 6: Jonathan Shapiro Director Office of Research Cybersecurity


Why Cybersecurity

Page 7: Jonathan Shapiro Director Office of Research Cybersecurity

Rapidly Expanding Market

• $55 billion cumulative Federal spending for cybersecurity between 2010 and 2015 at about 6.2% CAGR

• $10.5 billion Smart Grid Cyber Security

• $7,455m Utility infrastructure security expenditure

• $2.3 billion 2012 federal DOE budget for cyber resources and development

• $6,902.4 million SCADA Security in 2010, forecast to grow at 9.6% through 2016 to $14 billion

• $936.48 million for the Homeland Security Department for infrastructure protection and information security

• $500 million for Defense Advanced Research Project Agency research and development in cybersecurity

• $300 million SFS funding over five years to fund up to 1,000 cybersecurity scholarships per year

Page 8: Jonathan Shapiro Director Office of Research Cybersecurity

Great Career Opportunity

• 700,000 new information security professionals in the Americas by 2015

• Top 10 Best Jobs in America – US News and World Report

• Acquisitions were mega-deals where public companies were taken private.
  – Intel, for instance, bought McAfee for $7.68 billion.
  – HP bought ArcSight for $1.6 billion.
  – Symantec bought security divisions of Verisign for $1.3 billion.
  – IDC expects the security tech market to grow at a 14 percent compound annual growth rate to $82 billion in 2012.
  – Forrester says that security now accounts for 14 percent of the information technology spending, compared to 8.2 percent in 2007.

• Venture Capital takes notice
  – "It's an area of huge interest to us," said Bill Maris, managing partner for Google Ventures.
  – Venture investment in the information-technology security sector this year looks set to exceed last year's $432.3 million.
  – "There is absolutely no question that this sector is going to be at the focal point in the future in terms of investments and IPO," said Robert Francello, head of equity trading at Apex Capital in San Francisco.

Page 9: Jonathan Shapiro Director Office of Research Cybersecurity
Page 10: Jonathan Shapiro Director Office of Research Cybersecurity

Data Security Analyst vs. Database Analyst.

2 years Experience

Dallas, TX location

28% higher pay

Page 11: Jonathan Shapiro Director Office of Research Cybersecurity

Certifications

• International Information Systems Security Certification Consortium, Inc., (ISC)²
  – Certified Information Systems Security Professional (CISP)
  – Certified Information Systems Security Professional (CISSP)
  – Information Systems Security Architecture Professional (ISSAP)
  – Information Systems Security Management Professional (ISSMP)
  – Information Systems Security Engineering Professional (ISSEP)
  – Certification and Accreditation Professional (CAP CM)
  – Systems Security Certified Practitioner (SSCP)

• SANS Institute
  – SANS Cyber Ranges Computer & Network Security Challenges
  – SANS Cyber Guardian Program
  – DoDD 8570 and GIAC Certification

Page 12: Jonathan Shapiro Director Office of Research Cybersecurity

A Declaration of Cyber-War

Stuxnet

• Last summer, the world’s top software-security experts were panicked by the discovery of a Self-Directed Stealth Drone radically different from and far more sophisticated than any they’d seen.

• A self-replicating computer virus, called a worm, was making its way through thousands of computers around the world, searching for small gray plastic boxes called programmable-logic controllers (PLC)—tiny computers about the size of a pack of crayons, which regulate the machinery in factories, power plants, and construction and engineering projects

• Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.

Page 13: Jonathan Shapiro Director Office of Research Cybersecurity

What is Stuxnet

• Stuxnet is an advanced malware worm that was discovered in July 2010. It has attacked Siemens PCS7, S7 PLC, and WinCC systems around the world.

• The management of many industrial sites feels “safe” because they believe the Industrial Control Systems (ICS) networks are not connected to the Internet.

• Some even believe their system is “air-gapped” from their corporate network.

• A part of the genius of Stuxnet is that it demonstrated how easy it is for an advanced cyber threat to go from a USB key, an external hard drive, an infected laptop or an infected project file to a control system network.

Page 14: Jonathan Shapiro Director Office of Research Cybersecurity


Buy your test equipment on eBay

Page 15: Jonathan Shapiro Director Office of Research Cybersecurity


Operation Shady Rat

• Unprecedented Cyber-espionage Campaign and Intellectual-Property Bonanza

• Infiltrated the computer systems of national governments, global corporations, nonprofits, and other organizations, with more than 70 victims in 14 countries.

• Lifted from these highly secure servers, among other sensitive property: countless government secrets, e-mail archives, legal contracts, and design schematics.

Page 16: Jonathan Shapiro Director Office of Research Cybersecurity

Operation Shady Rat

• Malicious program—a remote-access tool, or rat

• Operation targeted a broad range of public- and private-sector organizations in almost every country in Southeast Asia—but none in China

• Government agencies in the United States, Taiwan, South Korea, Vietnam, and Canada Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India

• The category most heavily targeted was defense contractors—13 in all

Page 17: Jonathan Shapiro Director Office of Research Cybersecurity


Operation Shady Rat

Page 18: Jonathan Shapiro Director Office of Research Cybersecurity


Operation Shady Rat

Page 19: Jonathan Shapiro Director Office of Research Cybersecurity


RSA Breach

• RSA is the security division of the high-tech company EMC

• Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.

Page 20: Jonathan Shapiro Director Office of Research Cybersecurity


• That key fob, called a SecurID token, is RSA’s best-known product. The strings of numbers on its screen are generated by a microchip using the SecurID algorithm and a unique cryptographic seed.

• Company’s security system had identified “an extremely sophisticated cyber attack in progress,” an attack that “resulted in certain information being exported from RSA’s systems,” some of which was “specifically related to RSA’s SecurID two-factor authentication products.”

Page 21: Jonathan Shapiro Director Office of Research Cybersecurity

RSA Breach

• Dmitri Alperovitch, vice president of threat research at McAfee: “Today we see pretty much any company that has valuable intellectual property or trade secrets of any kind being pilfered continually, all day long, every day, relentlessly.”

• On May 21, the computer systems of America’s largest military contractor, Lockheed Martin, detected an intruder

• L-3 Communications, which provides intelligence, surveillance, and reconnaissance technology to the U.S. government, had also been attacked

Page 22: Jonathan Shapiro Director Office of Research Cybersecurity

• Finnish security company F-Secure assumes an employee of RSA or its parent firm, EMC, uploaded the malware to an online virus scanning site.

• RSA had already revealed that it had been breached after attackers sent two different targeted phishing e-mails to four workers at its parent company EMC.

• The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls.”

• The intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products.

Page 23: Jonathan Shapiro Director Office of Research Cybersecurity

Cyber Security and Critical Infrastructure

• Networks and control systems are under repeated cyberattack, often from high-level adversaries like foreign nation-states

"Security systems are overmatched by the threat and very few companies are rising to the challenge posed by state-sponsored or terrorist infiltration and potential attack," said Jim Woolsey, former head of the Central Intelligence Agency (CIA). “The real answer is new technology, active cyber defense, and distributed generation."

http://www.csmonitor.com/USA/2010/0128/Corporations-cyber-security-under-widespread-attack-survey-finds

Page 24: Jonathan Shapiro Director Office of Research Cybersecurity

Critical Infrastructure Sectors

Page 25: Jonathan Shapiro Director Office of Research Cybersecurity

IT Systems Vs Control Systems

• SCADA (supervisory control and data acquisition) generally refers to industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes

• Control Systems include SCADA, Program Control Logic, Motor Controls, Power Electronics, and Embedded Computing Systems

• They are everywhere, in every industry

• Mostly ignored by IT Security due to complexity, proprietary nature, and different management teams

• Ripe for exploitation

• Intel, Microsoft, and security vendors have not paid attention

• Many are NOT PCs

• Many can be infected, and the devices cannot be cleaned. Malware embeds itself in semiconductor devices and memory

• The central SCADA master system.

• Communications network.

• RTUs. Remote Telemetry (or Terminal) Units.

• Field instrumentation.

Page 26: Jonathan Shapiro Director Office of Research Cybersecurity

Inherent Vulnerabilities

• Two-way communications
• Distributed connectivity
• Customer usage data
• Weak authentication and access control
• Lack of adequate training
• Lack of standards and interoperability

Page 27: Jonathan Shapiro Director Office of Research Cybersecurity

Critical Infrastructure Problem

• Vulnerability Assessments Have Not Yet Been Completed

• Industry and Government Lack Guidance for Conducting Vulnerability Assessments

• Analysis of Public Works Infrastructure (Including Electricity) Has Not Been Completed

• Assessments to Date Do Not Consistently Consider Vulnerabilities to Longer-Term Power Disruptions

Page 28: Jonathan Shapiro Director Office of Research Cybersecurity

Summary Critical Infrastructure

• Industrial Control Systems (SCADA and PLCs) are vulnerable to attack.

• We have no clear inventory of the extent of the risk.

• Malware, infected silicon, and the uses of hacking skills against Critical Infrastructure are growing.

• Weak spares inventory due to Just-in-Time manufacturing.

• Loss of Critical Infrastructure can cause large residual economic damage.

Page 29: Jonathan Shapiro Director Office of Research Cybersecurity

Von Neumann Machines

• A self-replicating machine is an artificial construct that is theoretically capable of autonomously manufacturing a copy of itself using raw materials taken from its environment.

This year marks the 40th anniversary of Creeper, the world’s first computer virus. From Creeper to Stuxnet, the last four decades saw the number of malware instances boom from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010.

Page 30: Jonathan Shapiro Director Office of Research Cybersecurity

Future Issues

• Taboo Subject
• Supply Chain “purity”
• Skill shortages
• Ignorance of potential “design risk” problems
• Cyber terrorism and extortion
• Polymorphic malware
• Defender versus Attacker
• Constant growth in complexity and risk
• Government to the rescue?