scada security: the five stages of cyber grief

32
SCADA Security: The Five Stages of Cyber Grief Tom Cross Director of Security Research

Upload: lancope-inc

Post on 21-May-2015

315 views

Category:

Documents


1 download

DESCRIPTION

Every time a new information technology finds its way into production, it seems as though we end up repeating the same process – security vulnerabilities will be discovered and disclosed in that technology, and users and vendors will deny that the risks are significant. Only after major attacks occur do we really start to see efforts to address the inherent risks in a systematic way. We’re falling into this exact same trap again with Industrial Control and SCADA systems, but in this case the problem is worse, because the inherent nature of control systems prevents us from applying many of the strategies that have been used to protect other kinds of computer networks. Join Lancope’s Director of Security Research, Tom Cross, for a look at the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems. Hear about: The state of Control Systems security vulnerabilities Attack activity that is prompting a change in perspective The unique, long-term challenges associated with protecting SCADA networks How anomaly detection can play a key role in protecting SCADA systems now

TRANSCRIPT

Page 1: SCADA Security: The Five Stages of Cyber Grief

SCADA Security: The Five Stages of Cyber

Grief

Tom CrossDirector of Security Research

Page 2: SCADA Security: The Five Stages of Cyber Grief

Vulnerabilities I’m credited on…

• MFSA2008-37 Mozilla Stack Buffer Overflow • cisco-sa-20070808-IOS-IPv6-leak Information Leakage

Using IPv6 Routing Header in Cisco IOS and Cisco IOS-XR

• MS07-033 Internet Explorer COM object instantiation• CVE-2007-2388 Apple Quicktime for Java remote code

execution • MS06-036 Windows SMB Denial of Service• X-Force Alert 228 Asterisk PBX Denial of Service• X-Force Alert 229 Asterisk PBX Traffic Amplification

Page 3: SCADA Security: The Five Stages of Cyber Grief
Page 4: SCADA Security: The Five Stages of Cyber Grief

The 5 Stages of Cyber Grief

Page 5: SCADA Security: The Five Stages of Cyber Grief
Page 6: SCADA Security: The Five Stages of Cyber Grief

Its not connected to the Internet.

Stage 1: Denial

Page 7: SCADA Security: The Five Stages of Cyber Grief
Page 8: SCADA Security: The Five Stages of Cyber Grief

"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks.”

Source: Sean McGurk, VerizonThe Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing.

Its connected to the Internet.

Page 9: SCADA Security: The Five Stages of Cyber Grief
Page 10: SCADA Security: The Five Stages of Cyber Grief
Page 11: SCADA Security: The Five Stages of Cyber Grief

SHODAN

• Project STRIDE: “To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses.”

Page 12: SCADA Security: The Five Stages of Cyber Grief

ICS Cert• In February 2011, independent security researcher Ruben Santamarta

used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems.

• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.

• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN.

Page 13: SCADA Security: The Five Stages of Cyber Grief
Page 14: SCADA Security: The Five Stages of Cyber Grief

Stage 2: Anger

(> <)___

Page 15: SCADA Security: The Five Stages of Cyber Grief
Page 16: SCADA Security: The Five Stages of Cyber Grief

Stage 3: Bargaining

Page 17: SCADA Security: The Five Stages of Cyber Grief

Stage 3: Bargaining

• Stuxnet• First widely reported use of malware to destroy a physical plant• Extremely sophisticated• Jumped the air-gap via USB keys• Widespread infections throughout the Internet

• Shamoon• Targeted the energy sector• Destructive

• Over writes files• Destroys the Master Boot Record

Stuxnet infections, source Symantec:

Page 18: SCADA Security: The Five Stages of Cyber Grief

ICS Honeypot Results

• Kyle Wilhoit – Trend Micro Threat Research Team

Page 19: SCADA Security: The Five Stages of Cyber Grief
Page 20: SCADA Security: The Five Stages of Cyber Grief
Page 21: SCADA Security: The Five Stages of Cyber Grief

DDOS Attacks More Automated & Powerful

• Prolexic Q2 2012 to Q2 2013– 33% increase in attacks– 925% increase in bandwidth

• 4.47 Gbps to 49.24 Gbps– 1655% increase in packets per second

• 2.7 Mpps to 47.4 Mpps

Page 22: SCADA Security: The Five Stages of Cyber Grief
Page 23: SCADA Security: The Five Stages of Cyber Grief

Stage 4: Depression

Page 24: SCADA Security: The Five Stages of Cyber Grief

Stage 4: DepressionThe Patching Treadmill• Control systems are not designed to be shut down regularly

• Entire systems may need to be shut down for a single patch install• Patching may mean upgrading

• Upgrades can cascade through a system

• Even assessments may require downtime!

• Patching leads to Interconnectivity• Interconnectivity leads to compromise

• Solutions?– Third-Party Run-Time In-Memory Patching?– Intrusion Prevention Systems?

Page 25: SCADA Security: The Five Stages of Cyber Grief
Page 26: SCADA Security: The Five Stages of Cyber Grief

Stage 5: AcceptanceWhat would acceptance mean?• Getting serious about interconnectivity

• We need to find new ways to work• We need to accept some inconvenience

• Designing systems for patchability• Systems that can be patched without being restarted

• Hot Standby failover• Patches that do not require upgrades• Security patches that can be accepted without performance concerns

• Built in IDS capability?

• Designing systems for failure

Page 27: SCADA Security: The Five Stages of Cyber Grief

Lancope does Netflow

Page 28: SCADA Security: The Five Stages of Cyber Grief

Network Visibility through Netflow

DMZ

VPN

Internal Network

InternetNetFlow Packets

src and dst ip

src and dst port

start time

end time

mac address

byte count

- more -NetFlow

3GInternet

3G Internet

NetFlow

NetFlow

NetFlow

NetFlow

NetFlow Collector

Page 29: SCADA Security: The Five Stages of Cyber Grief

Intrusion Audit Trails

1:06:15 PM: Internal Host Visits

Malicious Web Site

1:06:30 PM: Malware Infection

Complete, Accesses Internet Command and

Control

1:06:35 PM:Malware begins

scanning internal network

1:13:59 PM:Multiple internal

infected hosts

1:07:00 PM: Gateway malware analysis identifies the transaction

as malicious

1:14:00 PM: Administrators

manually disconnect the initial infected host

Do you know what went on while you were mitigating?

Page 30: SCADA Security: The Five Stages of Cyber Grief

Behavioral Anomaly Detection

Page 31: SCADA Security: The Five Stages of Cyber Grief

Lancope: C1-11 in the Security Hall

Page 32: SCADA Security: The Five Stages of Cyber Grief

Thank you!

Tom CrossDirector of Security Research