SCADA Security: The 5 Stages of Cyber Grief


Upload: lancope-inc

Posted on 18-Nov-2014


DESCRIPTION

Lancope’s Director of Security Research, Tom Cross, examines the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems. Hear about:

* The state of Control System security vulnerabilities
* Attack activity that is prompting a change in perspective
* The unique, long-term challenges associated with protecting SCADA networks
* How anomaly detection can play a key role in protecting SCADA systems now

TRANSCRIPT

Page 1: SCADA Security: The 5 Stages of Cyber Grief

SCADA Security: The Five Stages of Cyber Grief

Tom Cross Director of Security Research

Page 2: SCADA Security: The 5 Stages of Cyber Grief

©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)

Page 3: SCADA Security: The 5 Stages of Cyber Grief


The 5 Stages of Cyber Grief


Page 5: SCADA Security: The 5 Stages of Cyber Grief


It's not connected to the Internet.

Stage 1: Denial


Page 7: SCADA Security: The 5 Stages of Cyber Grief


“In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks.”

Source: Sean McGurk, Verizon; the Subcommittee on National Security, Homeland Defense, and Foreign Operations, May 25, 2011 hearing.

It's connected to the Internet.


Page 9: SCADA Security: The 5 Stages of Cyber Grief


ICS-CERT

• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems.

• In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.

• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.

Page 10: SCADA Security: The 5 Stages of Cyber Grief


SHODAN

• Project STRIDE: “To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses.”


Page 12: SCADA Security: The 5 Stages of Cyber Grief


Stage 2: Anger


Page 14: SCADA Security: The 5 Stages of Cyber Grief


Stage 3: Bargaining

Page 15: SCADA Security: The 5 Stages of Cyber Grief


Stage 3: Bargaining

• Stuxnet
  – First widely reported use of malware to destroy a physical plant
  – Extremely sophisticated
  – Jumped the air-gap via USB keys
  – Widespread infections throughout the Internet

• Shamoon
  – Targeted the energy sector
  – Destructive
  – Overwrites files
  – Destroys the Master Boot Record

Stuxnet infections, source Symantec.


Page 17: SCADA Security: The 5 Stages of Cyber Grief


Stage 4: Depression

Page 18: SCADA Security: The 5 Stages of Cyber Grief


Stage 4: Depression

The Patching Treadmill

• Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to interconnectivity
• Interconnectivity leads to compromise
• Solutions?
  – Third-party run-time in-memory patching?
  – Intrusion Prevention Systems?


Page 20: SCADA Security: The 5 Stages of Cyber Grief


Stage 5: Acceptance

What would acceptance mean?

• Getting serious about interconnectivity
  – We need to find new ways to work
  – We need to accept some inconvenience
• Designing systems for patchability
  – Systems that can be patched without being restarted
  – Hot standby failover
  – Patches that do not require upgrades
  – Security patches that can be accepted without performance concerns
  – Built-in IDS capability?
• Designing systems for failure

Page 21: SCADA Security: The 5 Stages of Cyber Grief


Lancope does NetFlow

Page 22: SCADA Security: The 5 Stages of Cyber Grief


Network Visibility through NetFlow

Diagram: the Internet, DMZ, VPN, 3G Internet links and the Internal Network each export NetFlow to a central NetFlow Collector.

Each NetFlow record carries:

• src and dst IP
• src and dst port
• start time
• end time
• MAC address
• byte count
• more

Page 23: SCADA Security: The 5 Stages of Cyber Grief


Intrusion Audit Trails

• 1:06:15 PM: Internal host visits malicious web site
• 1:06:30 PM: Malware infection complete, accesses Internet command and control
• 1:06:35 PM: Malware begins scanning internal network
• 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
• 1:13:59 PM: Multiple internal infected hosts
• 1:14:00 PM: Administrators manually disconnect the initial infected host

Do you know what went on while you were mitigating?
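The audit trail above is what NetFlow records let a defender reconstruct after the fact, and the same records feed behavioral anomaly detection. The Python below is an added example, not Lancope's code or part of the deck: it replays constructed flow records that mirror the slide's timeline, flags internal hosts whose fan-out to distinct internal peers crosses a threshold inside a time window (the "begins scanning" step), works out which scanner had touched each later scanner (the "multiple infected hosts" step), and lists each scanner's external contacts before it started scanning. The internal address range, the 60-second window and the 20-host threshold are assumptions chosen for the example; it generalizes the slide's single timeline to any number of hosts and records.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: the internal address space, the detection
# window and the fan-out threshold are illustrative values, not Lancope's.
INTERNAL = ip_network("10.0.0.0/8")
SCAN_WINDOW = timedelta(seconds=60)
SCAN_FANOUT = 20


@dataclass(frozen=True)
class Flow:
    """A minimal NetFlow-style record: who talked to whom, when, how much."""
    start: datetime
    src: str
    dst: str
    dport: int
    byte_count: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def detect_scanners(flows, window=SCAN_WINDOW, fanout=SCAN_FANOUT):
    """Map each internal source that reached >= `fanout` distinct internal
    hosts inside some `window` to the time the threshold was first crossed."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.start):
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            by_src[f.src].append(f)
    crossed = {}
    for src, fl in by_src.items():
        for i, first in enumerate(fl):          # slide the window along the flows
            peers = set()
            for g in fl[i:]:
                if g.start - first.start > window:
                    break
                peers.add(g.dst)
                if len(peers) >= fanout:
                    crossed[src] = g.start
                    break
            if src in crossed:
                break
    return crossed


def infection_lineage(flows, scanners):
    """For each scanner, the earlier scanner that contacted it before it began
    scanning (None for the initial host). The earliest toucher is recorded."""
    lineage = {}
    for host, t_host in scanners.items():
        parents = [f for f in flows
                   if f.dst == host and f.src in scanners and f.src != host
                   and f.start < t_host and scanners[f.src] < t_host]
        lineage[host] = min(parents, key=lambda f: f.start).src if parents else None
    return lineage


def audit_trail(flows, window=SCAN_WINDOW, fanout=SCAN_FANOUT):
    """Chronological (time, description) events reconstructed from the flows."""
    scanners = detect_scanners(flows, window, fanout)
    lineage = infection_lineage(flows, scanners)
    events = []
    for host, t in scanners.items():
        for f in flows:                         # external contacts before the sweep
            if f.src == host and not is_internal(f.dst) and f.start < t:
                events.append((f.start, f"{host} contacted external {f.dst}:{f.dport} "
                                        f"({f.byte_count} bytes) before scanning"))
        origin = lineage[host]
        how = f"after being contacted by {origin}" if origin else "initial host"
        events.append((t, f"{host} reached {fanout} internal hosts within "
                          f"{window.seconds}s ({how})"))
    return sorted(events)


def at(h, m, s):
    """Constructed timestamp helper for the sample data."""
    return datetime(2014, 11, 18, h, m, s)


# Constructed sample flows mirroring the slide's timeline (not real traffic).
SAMPLE_FLOWS = [
    # Patient zero visits a web site, then reaches a second external host.
    Flow(at(13, 6, 15), "10.0.5.250", "203.0.113.7", 80, 5120),
    Flow(at(13, 6, 30), "10.0.5.250", "198.51.100.9", 443, 812),
    # Benign chatter: one workstation talking to a few internal servers.
    Flow(at(13, 6, 20), "10.0.1.5", "10.0.0.10", 53, 200),
    Flow(at(13, 6, 21), "10.0.1.5", "10.0.0.20", 445, 9000),
    Flow(at(13, 6, 40), "10.0.1.5", "10.0.0.30", 80, 3000),
]
# Patient zero sweeps 40 internal hosts on 445, one per second, from 13:06:35.
SAMPLE_FLOWS += [Flow(at(13, 6, 35) + timedelta(seconds=i), "10.0.5.250",
                      f"10.0.5.{1 + i}", 445, 120) for i in range(40)]
# One swept host (10.0.5.31, touched at 13:07:05) starts its own sweep at 13:13:00.
SAMPLE_FLOWS += [Flow(at(13, 13, 0) + timedelta(seconds=i), "10.0.5.31",
                      f"10.0.6.{1 + i}", 445, 120) for i in range(30)]

if __name__ == "__main__":
    for when, what in audit_trail(SAMPLE_FLOWS):
        print(when.strftime("%I:%M:%S %p"), what)
```

The benign workstation never crosses the fan-out threshold, so only the two sweeping hosts appear, and the lineage step ties the second sweep back to the first host's scan of it. In a real deployment the thresholds would be tuned per segment, since a legitimate poller or backup server can have a large but stable fan-out; that stable profile is exactly what a behavioral baseline is meant to capture.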

Page 24: SCADA Security: The 5 Stages of Cyber Grief


Behavioral Anomaly Detection

Page 25: SCADA Security: The 5 Stages of Cyber Grief


Get Engaged with Lancope!

@Lancope @NetFlowNinjas

Subscribe Join Discussion Download

@stealth_labs

Access StealthWatch Labs Intelligence Center (SLIC) Reports

Security Research

Page 26: SCADA Security: The 5 Stages of Cyber Grief


Lancope at Cisco Live 2013

Return of the famous Lancope Ninja Sword!

• Visit booth #737

• Email [email protected] to request a private demo at the event.

Page 27: SCADA Security: The 5 Stages of Cyber Grief


Thank you!

Tom Cross Director of Security Research