
Protecting SCADA in the Cyber Battlefield
Mark Wilson, Network Analyst, Eastern Municipal Water District

February 12, 2013: Executive Order, Improving Critical Infrastructure Cybersecurity
Homeland Security Presidential Directive-7 was revoked and replaced with Presidential Policy Directive-21

https://www.dhs.gov/sites/default/files/publications/dhs-eo13636-analytic-report-cybersecurity-incentives-study.pdf

What is PPD-21?

Homeland Security Presidential Directive 7 (HSPD-7) established the U.S. national policy for identification of and prioritization for protection of critical infrastructure. Signed by George W. Bush on December 17, 2003, it modified previous policy for a post-9/11 country.

HSPD-7 was revoked by Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience on February 12, 2013. PPD-21 states that "Plans developed pursuant to HSPD-7 shall remain in effect until specifically revoked or superseded."[1] Multiple changes came out of PPD-21, including six actions with specific deadlines. One of those actions was to update the National Infrastructure Protection Plan within 240 days.

PPD-21 added agriculture to the list of industries for critical infrastructure protection in December 2003. HSPD-7 replaces the 1998 Presidential Decision Directive 63 (PDD-63) that omitted agriculture and food. These directives designate the physical systems that are vulnerable to terrorist attack and are essential for the minimal operation of the economy and the government. Federal agencies are to develop plans to prepare for and counter the threat. In terms of combating terrorism and weapons of mass destruction (WMD), agriculture was included in the National Security Council’s WMD preparedness group formed by Presidential Decision Directive 62 (PDD-62) in 1998. Agroterrorism preparedness is more directly addressed by HSPD-9.

https://en.wikipedia.org/wiki/Homeland_Security_Presidential_Directive_7

You MUST Become the Warrior

Those who believe this philosophy… “But this is the way we have always done it”

Then here is your next office system upgrade.

(Images: computer, phone)

Those who believe this philosophy… “But this is the way we have done it for the last 30 years.”

Then here is your next office system upgrade.

(Images: computer, phone)

The connection

A word….. Don’t skimp on hardware! No Alexa-enabled firewalls please.

THE CIA TRIAD (Not this CIA)

THE CIA TRIAD

Confidentiality: Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people, while making sure that the right people can in fact get it.

Integrity: Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people. These measures include file permissions and user access controls. Version control may be used to prevent erroneous changes or accidental deletion by authorized users from becoming a problem.

Availability: Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, and maintaining a correctly functioning operating system environment that is free of software conflicts.

You have 7 OSI layers to reference. Do not forget the Physical layer through the application layer.

So what…
• I’m a small utility, why would anyone attack me?
• My equipment is protected. So I’m told by the contractor.
• Nobody connects to my network. It’s too old.
• And on… And on… And on… And on… And on…

https://www.hackers-arise.com/scada-hacking
https://www.shodan.io/explore/category/industrial-control-systems

Misconceptions:

1. My SCADA system is air gapped.
2. I only trust my employees.
3. I have full control of my network.
4. Nobody wants to hack me.
5. My equipment is secure because it uses obscure protocols.
6. Social engineering is not an issue.

Misconceptions:

1. My SCADA system is air gapped.

Definition: An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.

How is your network upgraded and maintained? Although an air gap disconnects you from another network, contractors or employees must have access to the system to do maintenance.

Air-Gap vs Non-Air-Gap

Air Gap (does not connect to another network, period.)
• Isolates physically from other networks.

• Do you really know what is on your machines?
• Malware can come in on USB devices or through connected laptops etc.
• How do you monitor what is actually sitting in your network?
• Contractors plug in on the backside to do work; how do you know they are safe?
• STUXNET was deployed by USB devices.

Non-Air-Gap (connected networks via router etc.)

• Uses systems and processes to constantly monitor traffic flow for viruses, malware, odd traffic and the connected machines on the network.

Networks.

SCADA – Supervisory Control and Data Acquisition.
• Simple in design.
• Static in its setup.
• Not very dynamic.
• Very little administration.
• Minimal protocols.
• Redundancy usually relies on hardware.
• Should be fairly easy to diagram.

Enterprise
• Complex design.
• Very dynamic.
• Administration on all fronts.
• Redundancy is based on hardware and software.
• Every protocol and port running.
• Wild, Wild West of traffic.
• Can be difficult to diagram, being dynamic.

Misconceptions:

2. I only trust my employees.
• OK, you have to trust employees to do work. What happens normally is that the ingress is not intentional: usually a USB device or a laptop with malware.

FUN FACT.

Many intentional ingresses and hacks to networks are the result of disgruntled employees.

Misconceptions:

3. I have full control of my network.
• Do you regularly walk your network? Are you certain that what has been connected to it is truly locked down? Do you have HVAC systems tied to your SCADA network? Wireless devices lurking in the midst?

Misconceptions:

4. Nobody wants to hack me.
• Nobody will want to attack us. To be sure, the majority of hackers choose targets that present some opportunity for monetary gain, and very few of these adversaries would wish to cause physical harm to people or property. However, we live in a time where vandals, disgruntled employees, terrorist organizations, and even nation states have interest in attacking our critical infrastructure. These attacks occur all too frequently, and threaten to increase as our adversaries become more skilled and our systems more open.

I’m a target, yes. But collaterally.
• There were 19 known vulnerabilities in industrial control systems in 2010; by 2015 that figure had risen to 189. As yet, we can’t be sure how that number has changed over the past two years; however, what we can be sure of is that the threats to ICS will continue to grow as adversaries gain a more advanced knowledge of these systems as well as access to better hacking equipment.
• In 2017, only 1.7% of all reported vulnerabilities were found in SCADA products, down from 2.8% in 2016. 52.2% of the issues have no known solution. 443 of the reported vulnerabilities were found to have no risk due to inaccurate disclosures.

Our reliance on industrial control systems to drive the technologies that make our lives better will only produce more and more of them. ICS component manufacturers will have to keep up and quickly spot the vulnerabilities and resolve them. We may also see more embedded security coming into industrial control systems in future. Close collaboration and continuous cross-communication between critical infrastructure authorities, cyber security software developers and the ICS hardware OEMs will be required in order to beat the tools of sophisticated attackers.

A robust ICS cyber security system stands between chaos and a cyber attack, and since all of the critical infrastructure relies on ICS systems, it is therefore imperative for the industries and relevant government bodies that comprehensive compliance procedures are updated regularly to keep up with evolving threats.

Misconceptions:

5. My equipment is secure because it uses obscure protocols.
• In the past this may have been true, but today utilities rely on a multitude of commercial technologies. From communication protocols and operating systems like Microsoft and Linux to common databases, utilities have turned to common software and hardware tools to save money and create efficiencies. Unfortunately, these systems are often well understood by hackers, and provide an easier target of entry than a truly proprietary system. IoT (Internet of Things) devices use the same principles, protocols and base hardware, and this market is growing very rapidly.

Misconceptions:

6. Social engineering is not an issue.
• (In the context of information security) the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Misconceptions:

7. It’s encrypted: it’s protected.
• Encryption and cryptography are essential tools of protection for utilities, and are used for data security, integrity, and non-repudiation. Cryptography essentially removes risk from the data and systems and places it on the sensitive cryptographic keys used to sign, encrypt, decrypt, etc.

Misconceptions:

8. Physical security.
• Screens left open, access to devices, locked cabinets, locked rooms.

Game Change

STUXNET: Revealed in 2010, Stuxnet was one of the most devastating cyber-attacks in history, and is considered a game changer in how the world viewed the security of industrial systems. A highly sophisticated, state-sponsored cyber weapon designed to attack industrial control systems, Stuxnet made headlines as it wreaked havoc on the Iranian nuclear program, leading to serious accidents and even loss of life at an Iranian nuclear power plant.

RANSOMWARE: Attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.

SSL Inspection

Most of us are familiar with HTTPS and how it protects a variety of activities on the Internet by applying SSL encryption to web traffic.

Using HTTPS provides the benefit that encryption keeps your private data safe from prying eyes. However, there are risks associated with its use, since encrypted traffic can be used to get around your normal defenses.

For example, you might download a file containing a virus during an e-commerce session. Or you could receive a phishing email containing a seemingly harmless downloader file that, when launched, creates an encrypted session to a server and downloads malware onto your computer. Because the sessions in these attacks are encrypted, they might get past your network’s security measures.

To protect your network from these threats, SSL inspection is the key your firewall uses to unlock encrypted sessions, see into encrypted packets, find threats, and block them. SSL inspection not only protects you from attacks that use HTTPS, but also from other commonly used encrypted protocols, such as SMTPS, POP3S, IMAPS, and FTPS.

Control of what you do and own.

• Contractors building systems.
• Little or no supplied documentation.
• No ownership handoff.
• Keeping it close to them.
• Write into any RFP that you will get documentation and control.
• What do you do with old hardware, e.g. hard drives, switches, routers, radios?

TAKE OWNERSHIP OF YOUR PROJECTS AND SYSTEMS!

Good Firewall/Proxy/DMZ

• Get a system that works for everything that you need.
• Get training on that system. Good training.
• Develop a security team that has SCADA, IT and risk management representatives.
• Do not rely on one person holding the keys to the castle.
• Use password encryption software to hold passwords with a key.

https://ready.fortinet.com/q2-2018-threat-landscape-report/q2-2018-threat-landscape-report?utm_source=display&utm_medium=adroll-rt&utm_campaign=marquee&utm_term=q2-2018-threat-landscape-report

Original WASTEWATER Air-Gapped

• Data was entered by hand on a sheet.
• It was then transferred to a spreadsheet.
• Multiple people entering data led to multiple and frequent input errors.
• Data was transferred with the spreadsheet to the Enterprise network.
• Data was then re-transcribed to a database.
• Real data was not maintained, leading to issues with compliance.

Historians needed

• Say goodbye to the air-gap system.

• Say hello to a migration of SCADA and the Enterprise.

• Needed a more secure design to get real-time data from plants.

Historians

• Historians put in at the physical plants.
• Hardware failures.
• Not secure (physically and cyber).
• Ownership was questionable.

• Request for remote access after hours so plant staffing could be reduced.

Define the basic requirements

• Define where the source will come from.
• Define where the destination is going.
• Define what is to be used (application).
• Define HOW the traffic will get there.
• Authenticate only those people to those specific work sites.
• IDS/IPS/malware/virus scanning.

• Basic firewall rules: DENY ALL, then PERMIT NEEDED.

Design 1

Issues occurred with contractors making changes to the network.

The GRE’s security was based on ACLs in our core.

Our contractor would make changes that affected this.

Design 2: Why VPN? And why SSL?

• Designed internally by staff.
• More secure.
• Client software for most platforms (clientless).
• More reliable.
• Fully encrypted and best attempt at being secure.
• Logging, monitoring.
• SSL easy to use on the client side.
• Easy to include the historian.
• VPN routers became the SCADA gateway.

Application and Threat Analysis

• Most FW systems provide a global view into enterprise application usage and the cyber threat landscape.
• Summarizes network traffic assessments conducted across more than 5,500 organizations worldwide.
• Analyzes the relationship between threats and their application vectors.

Geographic blocking
• Blocking traffic based upon countries.

Role mapping: roles for the endpoints

HVAC addition

What the client sees

Design 3+

Network Diagram

Cloudflare
• Content delivery, DDoS mitigation, Internet security, domain name server services.
• Sits between you and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.

• DDoS: mitigates Layer 7 attacks.
• Web Application Firewall using rulesets.
• Authoritative DNS. Fastest DNS lookup speeds worldwide.
• Public DNS resolver: 1.1.1.1 / 1.0.0.1
• Reverse proxy supporting SPDY and HTTP/2.
• Content Delivery (CDN): all requests are reverse proxied with cached content.
• Uses 100 lava lamps to generate randomness for encryption.

Lava Lamps and Random Stuff.

Instead of relying on code to generate these numbers for cryptographic purposes, the lava lamps and the random lights, swirling blobs and movements are recorded and photographs are taken.

This footage is then turned into a "stream of random, unpredictable bytes," according to Sullivan.

"This unpredictable data is what we use to help create the keys that encrypt the traffic that flows through Cloudflare's network," the executive added.

The information is then fed into a data center and Linux kernels which then seed random number generators used to create keys to encrypt traffic.

"Every time you take a picture with a camera there's going to be some sort of static, some sort of noise," Sullivan said. "So it's not only just where the bubbles are flowing through the lava lamp; it is the state of the air, the ambient light -- every tiny change impacts the stream of data."

This is not the only way that Cloudflare generates randomness. In the firm's London office, there is something called a "chaotic pendulum" which has three components that unpredictably twist and turn together, and in Singapore, the company uses a radioactive source.
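Added example (not Cloudflare's code) of the pipeline the paragraphs above describe: a noisy frame is health-checked and hashed into seed bytes, and a source that goes flat, such as a covered camera, is refused rather than mixed in. The frame contents, the 4.0-bit threshold and the function names are constructed for this example.

```python
"""Entropy-source conditioning as the lava lamp slides describe it: a noisy
image becomes a stream of unpredictable bytes that seeds a kernel RNG.
Added example with a constructed 'camera frame'; it is not Cloudflare's code."""
import hashlib
import math
import random
from collections import Counter


def entropy_bits_per_byte(sample: bytes) -> float:
    """Shannon estimate of how unpredictable each raw byte is (max 8.0).
    A constant frame scores 0.0: a covered or frozen camera gives no entropy."""
    if not sample:
        return 0.0
    n = len(sample)
    return -sum(c / n * math.log2(c / n) for c in Counter(sample).values())


def condition(frame: bytes, min_bits_per_byte: float = 4.0) -> bytes:
    """Health-test the raw frame, then hash it down to 32 seed bytes.
    Hashing spreads the entropy that is already present; it cannot create any,
    so a frame that fails the health test is refused, not hashed anyway.
    The 4.0-bit threshold is an assumption for this example."""
    if entropy_bits_per_byte(frame) < min_bits_per_byte:
        raise ValueError("entropy source unhealthy: frame too predictable")
    return hashlib.sha256(frame).digest()


def constructed_frame(seed: int, size: int = 4096) -> bytes:
    """Stand-in for a photograph of a lava lamp. Constructed from a seeded
    PRNG so the example is reproducible; a real source reads sensor noise."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


STUCK_FRAME = bytes([127]) * 4096   # constructed: lens covered, every pixel identical


def seeds_from_sources(frames) -> list:
    """Collect seed material from several independent sources (lamps, pendulum,
    radioactive decay in the slides), skipping any source that fails its health
    test instead of letting it poison the pool."""
    seeds = []
    for frame in frames:
        try:
            seeds.append(condition(frame))
        except ValueError:
            continue
    return seeds
```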

Whether or not anything is truly random is up for debate, but the more random a cryptographic key, the more difficult it is to brute-force, guess, or crack -- especially if you use out-of-the-box ideas like lava lamp movements which are almost impossible to replicate.

Lamps

Securing your Data

Thought:

• You only know what you know.
• Work with IT to develop a plan.
• Get an audit done. Don’t hold back.
• Walk your network on a regular basis.
• Do scans.
• Don’t assume anything.
• Hold contractors responsible to get the documented information you need, when you need it.
• Develop a plan and a security committee.

Workload can deter success with Security

• Hopping workloads lead to mistakes.
• Mistakes lead to undocumented changes.
• Undocumented changes lead to exploits.

OSI Layer. Beware the unlisted “Layer 8”: the Management layer.

Let’s talk about Supervisors and Managers for a moment.

• Are they up to speed on security?
• Do they understand that they have to be proactive and think about the welfare of the business?
• Do they properly audit work that is being done by a contractor?
• Do they make sure that the contractor delivers the proper documentation?
• Is there assurance that access to the system has been removed after a project?
• Is there communication outside the project to the operations staff for support, documentation, access etc.?
• Do they understand the security risks and follow a regimen when passing sensitive code and project information?
• What do you do with the ad hoc changes during projects that affect your operational support?
• DO THEY SUPPORT YOUR EFFORTS FULLY?

Summary

• Step 1: Block geography except those needed.
• Step 2: Block all sites except those needed.
• Step 3: Block all ports except those needed.
• Step 4: Block all protocols not needed.
• Step 5: Only allow those users access to what is needed.
• Step 6: Monitor and log all traffic.
• Step 7: Use whatever you can for malware, virus, traffic and threats (NAC, host identity etc.).
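As an added example (not the district's configuration), the Summary steps and the "Define the basic requirements" slide as one default-deny policy check over constructed flow records; the policy values, site names and users are assumed for illustration:

```python
"""Default-deny policy model for 'Define the basic requirements' and the
'Summary' steps: geography, site, port, protocol and per-user checks run in
order and every decision is logged. Added example with constructed values."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass
class Policy:
    allowed_countries: Set[str]      # step 1: block geography except those needed
    allowed_sites: Set[str]          # step 2: block all sites except those needed
    allowed_ports: Set[int]          # step 3: block all ports except those needed
    allowed_protocols: Set[str]      # step 4: block all protocols not needed
    user_sites: Dict[str, Set[str]]  # step 5: user -> the sites that user may reach
@dataclass
class Flow:
    user: str
    src_country: str
    dst_site: str
    proto: str
    port: int

def evaluate(policy: Policy, flow: Flow) -> Tuple[bool, str]:
    """DENY ALL, then PERMIT NEEDED: the first failing step names the reason."""
    if flow.src_country not in policy.allowed_countries:
        return False, "step1 geography"
    if flow.dst_site not in policy.allowed_sites:
        return False, "step2 site"
    if flow.port not in policy.allowed_ports:
        return False, "step3 port"
    if flow.proto not in policy.allowed_protocols:
        return False, "step4 protocol"
    if flow.dst_site not in policy.user_sites.get(flow.user, set()):
        return False, "step5 user"   # unknown users get an empty set -> deny
    return True, "permit"

def run(policy: Policy, flows: List[Flow]) -> List[str]:
    """Step 6: monitor and log all traffic, permits as well as denies."""
    log = []
    for f in flows:
        ok, why = evaluate(policy, f)
        log.append(f"{'PERMIT' if ok else 'DENY'} user={f.user} src={f.src_country} "
                   f"dst={f.dst_site} {f.proto}/{f.port} reason={why}")
    return log

SAMPLE_POLICY = Policy(  # constructed: one historian, one SCADA gateway, HTTPS only
    allowed_countries={"US"},
    allowed_sites={"plant-historian", "scada-gateway"},
    allowed_ports={443},
    allowed_protocols={"tcp"},
    user_sites={"ops_jane": {"plant-historian"}, "vendor_bob": {"scada-gateway"}},
)

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("ops_jane", "US", "plant-historian", "tcp", 443),  # permit
    Flow("vendor_bob", "RU", "scada-gateway", "tcp", 443),  # deny: geography
    Flow("ops_jane", "US", "scada-gateway", "tcp", 443),    # deny: not her site
    Flow("vendor_bob", "US", "scada-gateway", "tcp", 502),  # deny: port
    Flow("intruder", "US", "plant-historian", "tcp", 443),  # deny: unknown user
]
```

Running `run(SAMPLE_POLICY, SAMPLE_FLOWS)` yields one log line per flow, the first a PERMIT and the rest DENYs naming the step that failed.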

Summary

• At some point you will need to relinquish your air-gap method due to business and security needs.
• Anti-virus and anti-malware alone are not a solution.
• Zero-day and targeted malware are what you need to worry about.
• Collateral damage from targeted malware will more than likely take you down.
• Due diligence and education.
• https://ics-cert.us-cert.gov is the best resource out there. It is free training and the most comprehensive you will get.

Getting harder to get in.

Top 10

1. Maintain an accurate inventory of control system devices and eliminate any exposure of this equipment to external networks.
2. Implement network segmentation and apply firewalls.
3. Use secure remote access methods.
4. Establish role-based access controls and implement system logging.
5. Use only strong passwords, change default passwords, and consider other access controls.
6. Maintain awareness of vulnerabilities and implement necessary patches and updates.
7. Develop and enforce policies on mobile devices.
8. Implement an employee cybersecurity training program.
9. Involve executives in cybersecurity and get support from them.
10. Implement measures for detecting compromises and develop a cybersecurity incident response plan.