TRANSCRIPT
Nov 3rd-4th 2016
Matt Cowell GICSP CWNA
[email protected]
+1 301 529 2801
@m_p_cowell on Twitter
Ultra Electronics, 3eTI
From the Newspaper to the Network: How Chronicled Cyber-Attacks Can Damage Nation’s Utilities
© 2016 Ultra Electronics
SLIDE 2
Session Overview
• Introduction and overview: The utilities-security landscape
• Understanding the challenges: How utility systems are easily breached
• Appreciating the risk severity: Summarizing actual and potential results of cyber-attack
• Considerations in developing a cyber security plan
• Methods for efficiently implementing a utilities plan for cyber security: understanding tactics, technologies, costs and timelines
SLIDE 3
From the Newspaper to the Network
SLIDE 4
Network Ubiquity
Computers are everywhere
Computers talking to other computers…
…creating a network of connected systems or the ‘Internet of Things’ (IoT)
Power plants ~1000 computers
Buildings ~100 computers
Cars ~20 computers
Surveillance systems ~50 computers
Aircraft ~100 computers
SCADA systems ~20 computers
Operations are becoming reliant on the IoT
The proliferation of the IoT is broadly enabling automation
SLIDE 5
Machine to Machine (M2M) Proliferation
How it all connects back to you
• M2M is computers talking to other computers without humans
• IoT is the natural extension of M2M
• Why connect them?
  – Increased performance
  – Lower spending
  – Better efficiency
• Many infrastructures and operations rely on reliable M2M systems
• Many M2M systems involve national security or mission criticality
SLIDE 6
ICS Attacks Are Getting More Intense
A growing issue for government and energy sectors
• Maroochy Water System, 2010 (INSIDER ATTACK): Disgruntled ex-employee hacks into the water system and floods the community with sewage.
• Natanz Nuclear Facility, 2010 (SCADA MALWARE): Stuxnet bypassed the air gap, infected the control network and caused damage to centrifuges.
• “Unnamed” Steel Mill, 2011 (ENTERPRISE INFECTION): The Conficker worm infected the control network, causing instability in communications.
• Saudi Aramco & RasGas, 2012 (ENTERPRISE ATTACK): Networks infected with the Shamoon virus had their information erased, causing enterprise network outages.
• Project Basecamp, 2012 (PLC ATTACK): A team penetration-tested PLCs to show how badly vulnerable SCADA/ICS devices were.
• Google HQ, Wharf, 2013 (MISCONFIGURATION): SHODAN discovered over 21,000 misconfigured building automation systems.
• Target Retail Stores, 2013 (BACKDOOR ATTACK): The attackers backed their way into the network by compromising a 3rd-party vendor to steal data.
• “Unnamed” Steel Mill, Germany, 2014 (INSIDER ATTACK): Hackers disrupted networks to access automation equipment, resulting in massive damage.
• New York Dam, 2015 (BACKDOOR ATTACK): Iranian hackers tried to open flood gates. Was this a dress rehearsal for something bigger?
• Ukraine Utilities, 2015 (SCADA ATTACK): Left 225,000 customers in the dark. 1st successful cyber attack to knock a power grid offline.
• Kemuri Water Company, 2016 (PLC ATTACK): A hack accessed hundreds of PLCs and manipulated the control applications that alter chemicals.
• WHAT’S NEXT?
SLIDE 7
ICS CERT Recommended Architecture
Figure 10. Complete defense-in-depth strategy with the intrusion detection system and SIEM
SLIDE 8
Who Launches Cyber Attacks
You don’t need to be a hacker to hack
A World Full of Hackers
• Nation states
• Criminals
• Activists
• Employees
• Children!
Various Motivations
• Money
• Political protest
• Environmental activism
• Industrial espionage
• Retaliation
• Job security
• Fun
Unintentional Disasters
An attacker doesn’t even need to know what they are doing to cause a huge impact
Admiral Michael Rogers, Director, NSA & US Cyber Command:
“… China along with ‘one or two’ other countries have the capability to successfully launch a cyber-attack that could shut down the electric grid in parts of the United States”.
NSA Director testimony to Congress, Nov. 2014
SLIDE 9
How Are They Attacking?
Remote Access
An outsider/insider gains access to an external system and uses it to impact a more critical ICS network
[Diagram: ICS architecture showing Enterprise Networks, External Networks (External Cyber Attacks), Support Network and ICS Network; components: Authentication Server, Mirrored Data Servers, Report/Alarm Server, HMI, Application Server, SCADA Server, Data/Historian Server, Engineering Terminal, Wireless, PLCs, Industrial Process, Infrastructure Automation, Facility Monitoring]
SLIDE 10
How Are They Attacking?
Unauthorized Device Connections
An outsider/insider introduces their own device into the network, making your internal network externally accessible and directly exploitable by the attacker
[Diagram: same ICS architecture as slide 9; attack vectors shown: Remote Access, Unauthorized Device Connections]
SLIDE 11
How Are They Attacking?
Internal Host-based / Malware Attacks
Malware infects the control system and causes a dangerous or malicious action
[Diagram: same ICS architecture as slide 9; attack vectors shown: Remote Access, Unauthorized Device Connections, Internal Host-based / Malware Attacks]
SLIDE 12
How Are They Attacking?
Zero-day Attacks
Targeted malware utilizes a zero-day vulnerability to cause a specifically designed impact to the ICS network & devices
[Diagram: same ICS architecture as slide 9; attack vectors shown: Remote Access, Unauthorized Device Connections, Internal Host-based / Malware Attacks, Zero-day Attacks]
SLIDE 13
ICS Cyber Security Gap
The IT/OT gap is a divide that must be bridged
IT vs OT
Pre-Stuxnet Protection
• Firewalls
• DMZ/Proxy Servers
• Air Gaps
Post-Stuxnet Protections
• Anti-virus on PCs & Servers
• Firewalls/data-diodes
• Configuration/patch management
Overlooked Security Gaps
• PLCs
• RTUs
Boundary Protections
• Firewalls
• Network Intrusion Detection
• DMZ/Proxy Servers
Endpoint Protections
• Host intrusion prevention (anti-virus/firewall/application whitelisting)
• Policy enforcement
• Configuration management
• Device connection management
• Data transfer management
• External alerting & reporting
SLIDE 14
What Should We Be Doing?

1. Data manipulation
2. Voice eavesdropping
3. Physical manipulation
4. Backdoor
5. Intelligence gathering
6. Hardware Trojans
7. Man in the middle
8. Network eavesdropping
9. Spoofing

1. Insider attacks
2. Data exfiltration
3. Traffic rerouting
4. Worm
5. Trojan
6. Virus
7. Root-kits
8. Web hacking
9. Drive-by download
10. Key logger
11. Denial of service
12. Phishing
13. Hackers
14. Spear phishing

1. Coordinated attack
2. Advanced persistent threat
3. Remote access tools
4. Unpatched infrastructure
5. Brute force cracking
6. Proxied attack
7. Vulnerability probing
8. Credential impersonation
9. Foreign agents

1. Federal Government
2. DoD/Military
3. Corporate/Financial
4. Telecoms
5. Healthcare
6. Utilities
7. Distribution
8. Building Automation
9. Industrial Facilities
10. Energy Management
SLIDE 15
Important questions to ask about your ICS
• What are ‘they’ able to do?
• Can my ICS differentiate between a fake/spoofed message and a legitimate one?
• How do my systems respond to intentionally invalid or corrupt information from a known and trusted source?
• Can my systems identify if the data they receive or read has been intentionally modified?
• Will my systems respond to any undesired commands my implementation does not require?
• Can I identify when any changes to my system occur, what they are, and be able to revert to the original state if required?
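As an added illustration (not part of the original slides), the following Python sketch shows one way a field device can answer these questions: every command carries an HMAC-SHA256 tag under a shared key, replayed sequence numbers are refused, commands outside the set this implementation requires are refused even when authentic, and an out-of-range value from a trusted sender is rejected rather than acted on. The key, command names and value range are constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical shared key provisioned out-of-band to the HMI and the field
# controller; constructed value for this example only.
SHARED_KEY = b"example-key-provisioned-out-of-band"
# The commands this implementation actually requires. Anything else is rejected
# even when the message authenticates (the "undesired commands" question).
ALLOWED_COMMANDS = {"READ_LEVEL", "SET_PUMP_SPEED"}

def build_message(seq: int, command: str, value: int) -> bytes:
    """Encode a command and append an HMAC-SHA256 tag over the whole body."""
    body = json.dumps({"seq": seq, "cmd": command, "val": value}, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class Receiver:
    """Field-side checks: authenticity, freshness, command allowlist, value range."""
    def __init__(self):
        self.last_seq = -1

    def accept(self, wire: bytes):
        """Return (accepted, reason); the device acts only on (True, "ok")."""
        try:
            body, tag = wire.rsplit(b"|", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest().encode()
        # Constant-time compare, done before parsing: a spoofed sender or a
        # modified body fails here without the payload ever being interpreted.
        if not hmac.compare_digest(tag, expected):
            return False, "bad-tag"
        try:
            msg = json.loads(body)
            seq, cmd, val = msg["seq"], msg["cmd"], msg["val"]
        except (ValueError, KeyError, TypeError):
            return False, "malformed"
        # A replayed or reordered message is rejected even with a valid tag.
        if seq <= self.last_seq:
            return False, "replay"
        if cmd not in ALLOWED_COMMANDS:
            return False, "unsupported-command"
        # Trusted source, but the data itself is invalid: refuse rather than act.
        if not isinstance(val, int) or not 0 <= val <= 100:
            return False, "out-of-range"
        self.last_seq = seq
        return True, "ok"
```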
SLIDE 16
What It Should Look Like
Effective implementation of ICS cyber security
Corporate LAN
• Risk = External PC attack
• Mitigation = Agents on PCs, SIEM, Network Segmentation
Control System LAN
• Risk = Internal PC attack
• Mitigation = Agents on PCs, SIEM, Network Segmentation
Field Locations
• Risk = Internal device attack
• Mitigation = Device-level firewalls with agent-style IDS
[Diagram labels: Attack 1, Attack 2, Attack 3; Attack surface 1, Attack surface 2, Attack surface 3]
SLIDE 17
DHS Strategies for a Secure ICS
Seven essential steps
1. Application Whitelisting: Detect and prevent attempted execution of malware uploaded by adversaries. Organizations need to consider new approaches.
2. Ensure Proper Configuration Management: Get installations from authenticated vendors, publish hashes via an out-of-band communications path, and use these to authenticate.
3. Reduce Your Attack Surface Area: Isolate ICS networks from any untrusted networks. Lock down all unused ports. Turn off all unused services.
4. Build a Defendable Environment: Segment networks into logical enclaves and restrict host-to-host communication paths.
5. Manage Authentication: Implement multi-factor authentication where possible. Reduce privileges to only those needed for a user’s duties.
6. Secure Remote Access: Implement “monitoring only” access. Do not allow remote persistent vendor connections into the control network.
7. Monitor and Respond: Establish monitoring programs to watch IP traffic on ICS boundaries and monitor IP traffic within the control network.
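An added example, not from the slides or from DHS: a small Python policy check that applies steps 4 and 7 (logical enclaves with restricted host-to-host paths, monitored ICS boundaries) together with device authorization to constructed flow records, producing the findings a SIEM would alert on. Enclave address ranges, allowed ports and the authorized-device list are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Hypothetical enclaves; constructed addressing for this example only.
ENCLAVES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "control": ipaddress.ip_network("10.2.0.0/24"),
    "field": ipaddress.ip_network("10.3.0.0/24"),
}
# Restricted host-to-host paths: (source enclave, destination enclave) -> allowed
# destination ports (assumed: corporate reads from the control LAN on 443 only,
# only the control LAN polls field devices on Modbus/TCP 502, field never initiates).
ALLOWED_PATHS = {
    ("corporate", "control"): {443},
    ("control", "control"): {443, 502},
    ("control", "field"): {502},
}
# Devices authorized to exist on the control and field enclaves (constructed).
AUTHORIZED = {"10.2.0.10", "10.2.0.11", "10.3.0.5", "10.3.0.6"}

def enclave_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return "external"

def check_flow(flow: Flow) -> str:
    """Classify one flow as 'allow' or as a finding the SIEM should raise."""
    s, d = enclave_of(flow.src), enclave_of(flow.dst)
    if s == "external" or d == "external":
        # Only the ICS enclaves are policed here; corporate Internet use is out of scope.
        inside = d if s == "external" else s
        return "ics-boundary-crossing" if inside in ("control", "field") else "allow"
    for ip, enc in ((flow.src, s), (flow.dst, d)):
        if enc in ("control", "field") and ip not in AUTHORIZED:
            return f"unauthorized-device:{ip}"
    if flow.dport not in ALLOWED_PATHS.get((s, d), set()):
        return f"path-violation:{s}->{d}:{flow.dport}"
    return "allow"

def triage(flows):
    """Run the policy over captured flow records and keep only the findings."""
    return [(f, v) for f in flows if (v := check_flow(f)) != "allow"]

# Constructed sample flows: an HMI polling a PLC, a corporate PC talking straight
# to a PLC, an unknown laptop on the control LAN, and a PLC reaching the Internet.
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.3.0.5", 502),
    Flow("10.1.0.44", "10.3.0.5", 502),
    Flow("10.2.0.99", "10.3.0.6", 502),
    Flow("10.3.0.6", "203.0.113.9", 443),
]
```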
SLIDE 18
Straight from the DHS
In 2015, 295 incidents were reported to ICS-CERT
98% of incidents reported could have been prevented
SLIDE 19
Assume You Will Be Compromised!
2016 Observations
• Shadow Brokers: NSA breach, toolkit released
• Rockwell MicroLogix 1400: undocumented feature, no patch, 787 public facing
• Legacy malware still a threat, therefore APT DEFINITELY a threat
• Mirai IoT botnet
Interesting Statistics
• 20% increase in reported ICS incidents from 2014 to 2015 (Energy 2nd largest affected industry) [1]
• 1/3 of ICS malware enters ICS via USB [2]
• 1/3 of published vulnerabilities are zero days with no patch available at time of disclosure [3]
• 5 instances of ICS vulnerabilities being exploited in the wild were conducted by nation states [3]
• 91% of public facing ICS is remotely exploitable [4]
Sources: 1) ICS CERT 2) Honeywell 3) FireEye 4) Kaspersky
SLIDE 20
Key Takeaways
Keep out of the headlines!
1. Protect your networks
2. Authenticate / authorize devices on your network
3. Protect your endpoints
4. Monitor & analyze operations
Effectively implementing DID (defense-in-depth) security in ICS/SCADA networks will keep you out of the newspapers.
SLIDE 21
Final Thought
Matthew Cowell GICSP CWNA
Director, Industrial Markets
Ultra Electronics, 3eTI
+1 [email protected]
@m_p_cowell on Twitter