SCADA Security: The Five Stages of Cyber Grief Tom Cross Director of Security Research

Upload: lancope-inc

Post on 18-Nov-2014


DESCRIPTION

Learn the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we've come regarding Industrial Control Systems.

TRANSCRIPT

Page 1: SCADA Security: The Five Stages of Cyber Grief

SCADA Security: The Five Stages of Cyber Grief

Tom Cross Director of Security Research

Page 2: SCADA Security: The Five Stages of Cyber Grief

Vulnerabilities I’m credited on…

• MFSA2008-37 Mozilla Stack Buffer Overflow
• cisco-sa-20070808-IOS-IPv6-leak Information Leakage Using IPv6 Routing Header in Cisco IOS and Cisco IOS-XR
• MS07-033 Internet Explorer COM object instantiation
• CVE-2007-2388 Apple QuickTime for Java remote code execution
• MS06-036 Windows SMB Denial of Service
• X-Force Alert 228 Asterisk PBX Denial of Service
• X-Force Alert 229 Asterisk PBX Traffic Amplification

Page 3: SCADA Security: The Five Stages of Cyber Grief
Page 4: SCADA Security: The Five Stages of Cyber Grief

The 5 Stages of Cyber Grief

Page 5: SCADA Security: The Five Stages of Cyber Grief

It's not connected to the Internet.

Stage 1: Denial

Page 6: SCADA Security: The Five Stages of Cyber Grief
Page 7: SCADA Security: The Five Stages of Cyber Grief

"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks."

Source: Sean McGurk, Verizon; Subcommittee on National Security, Homeland Defense, and Foreign Operations, May 25, 2011 hearing.

It's connected to the Internet.

Page 8: SCADA Security: The Five Stages of Cyber Grief
Page 9: SCADA Security: The Five Stages of Cyber Grief
Page 10: SCADA Security: The Five Stages of Cyber Grief

SHODAN

• Project STRIDE: "To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses."

Page 11: SCADA Security: The Five Stages of Cyber Grief

ICS-CERT

• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems.

• In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.

• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.

Page 12: SCADA Security: The Five Stages of Cyber Grief

Stage 2: Anger

Page 13: SCADA Security: The Five Stages of Cyber Grief

Stage 3: Bargaining

Page 14: SCADA Security: The Five Stages of Cyber Grief

Stage 3: Bargaining

• Stuxnet
  – First widely reported use of malware to destroy a physical plant
  – Extremely sophisticated
  – Jumped the air-gap via USB keys
  – Widespread infections throughout the Internet

• Shamoon
  – Targeted the energy sector
  – Destructive
  – Overwrites files
  – Destroys the Master Boot Record

[Figure: Stuxnet infections, source Symantec]

Page 15: SCADA Security: The Five Stages of Cyber Grief

ICS Honeypot Results

• Kyle Wilhoit – Trend Micro Threat Research Team

Page 16: SCADA Security: The Five Stages of Cyber Grief
Page 17: SCADA Security: The Five Stages of Cyber Grief

DDoS Attacks More Automated & Powerful

• Prolexic, Q2 2012 to Q2 2013
  – 33% increase in attacks
  – 925% increase in bandwidth (4.47 Gbps to 49.24 Gbps)
  – 1655% increase in packets per second (2.7 Mpps to 47.4 Mpps)

Page 18: SCADA Security: The Five Stages of Cyber Grief
Page 19: SCADA Security: The Five Stages of Cyber Grief

Stage 4: Depression

Page 20: SCADA Security: The Five Stages of Cyber Grief

Stage 4: Depression

The Patching Treadmill

• Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to interconnectivity
• Interconnectivity leads to compromise
• Solutions?
  – Third-Party Run-Time In-Memory Patching?
  – Intrusion Prevention Systems?

Page 21: SCADA Security: The Five Stages of Cyber Grief

Stage 5: Acceptance

What would acceptance mean?

• Getting serious about interconnectivity
• We need to find new ways to work
• We need to accept some inconvenience
• Designing systems for patchability
• Systems that can be patched without being restarted
• Hot Standby failover
• Patches that do not require upgrades
• Security patches that can be accepted without performance concerns
• Built-in IDS capability?
• Designing systems for failure

Page 22: SCADA Security: The Five Stages of Cyber Grief

Lancope does NetFlow

Page 23: SCADA Security: The Five Stages of Cyber Grief

Network Visibility through NetFlow

[Diagram: NetFlow exported from the DMZ, VPN, Internal Network, Internet and 3G Internet segments to a central NetFlow Collector]

NetFlow packets carry, per flow:
• src and dst ip
• src and dst port
• start time
• end time
• mac address
• byte count
• - more -

Page 24: SCADA Security: The Five Stages of Cyber Grief

Intrusion Audit Trails

• 1:06:15 PM: Internal host visits malicious web site
• 1:06:30 PM: Malware infection complete, accesses Internet command and control
• 1:06:35 PM: Malware begins scanning internal network
• 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
• 1:13:59 PM: Multiple internal infected hosts
• 1:14:00 PM: Administrators manually disconnect the initial infected host

Do you know what went on while you were mitigating?
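As an added example (not Lancope's code or part of the deck), the audit trail above rebuilt from constructed NetFlow-style records carrying the fields the previous slide lists: a fan-out check finds the host that started scanning at 1:06:35 PM, and a second check lists the other internal hosts that reached the same command-and-control address after the scan began. The addresses, ports, date, thresholds and the 10.0.0.0/8 internal range are assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One record per flow, with the fields the NetFlow slide lists.
Flow = namedtuple("Flow", "src_ip dst_ip src_port dst_port start end byte_count")

def ts(hms):
    """Clock time on an assumed date; only the ordering matters here."""
    return datetime(2014, 11, 18, *(int(x) for x in hms.split(":")))

C2 = "203.0.113.5"    # constructed command-and-control address (TEST-NET-3)
WEB = "198.51.100.7"  # constructed malicious web site (TEST-NET-2)

# Constructed flows that follow the slide's timeline; every value is a sample.
FLOWS = [
    Flow("10.0.0.15", WEB, 50111, 80, ts("13:06:15"), ts("13:06:20"), 51200),
    Flow("10.0.0.15", C2, 50112, 443, ts("13:06:30"), ts("13:06:31"), 1200),
] + [  # from 13:06:35: one SMB probe per second against 40 internal hosts
    Flow("10.0.0.15", f"10.0.0.{20 + i}", 50200 + i, 445,
         ts("13:06:35") + timedelta(seconds=i),
         ts("13:06:35") + timedelta(seconds=i), 120)
    for i in range(40)
] + [  # 13:13:59: two more internal hosts reach the same C2 address
    Flow("10.0.0.23", C2, 51000, 443, ts("13:13:59"), ts("13:14:00"), 1200),
    Flow("10.0.0.41", C2, 51001, 443, ts("13:13:59"), ts("13:14:00"), 1200),
]

def internal(ip):
    return ip.startswith("10.")  # assumed internal address space

def find_scanners(flows, window=timedelta(seconds=60), min_peers=20):
    """Internal src -> time it first reached >= min_peers distinct internal
    hosts inside `window`: the fan-out pattern of the 13:06:35 scan."""
    by_src = defaultdict(list)
    for f in flows:
        if internal(f.src_ip) and internal(f.dst_ip):
            by_src[f.src_ip].append((f.start, f.dst_ip))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for s, dst in events[i:] if s - start <= window}
            if len(peers) >= min_peers:
                scanners[src] = start
                break
    return scanners

def c2_peers_after(flows, c2, since):
    """Internal hosts that contacted `c2` at or after `since`, sorted."""
    return sorted({f.src_ip for f in flows if f.dst_ip == c2 and f.start >= since})
```

Run against the sample flows, `find_scanners` reports 10.0.0.15 at 13:06:35 and `c2_peers_after(FLOWS, C2, ts("13:06:35"))` returns the two hosts that reached the C2 address at 13:13:59, so disconnecting only the initial host at 1:14:00 PM leaves two infected machines on the network.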

Page 25: SCADA Security: The Five Stages of Cyber Grief

Behavioral Anomaly Detection

Page 26: SCADA Security: The Five Stages of Cyber Grief

Thank you!

Tom Cross Director of Security Research