How do we keep the lights on when everyone has access to the switch?
Saturday, 16 July 2016, ISSA-COS Mini-Seminar, Colorado Technical University, Colorado Springs, CO
Wally Magda, SOHK WallyDotBiz LLC Industrial Control Systems: How do we keep the lights on…..?
• No animals were harmed in the making of this presentation!
2 WallyDotBiz LLC © 2016 Industrial Control Systems: How do we keep the lights on…..?
3 Cellphone, BB, PDA Advisory
• Please put alert generating devices into silent or vibrate mode if possible
• Be kind to your colleagues; please take phone conversation out in the hall
4 DISCLAIMER
• The author is not a lawyer and cannot give legal advice
• The author does not endorse any specific product or entity
• This presentation is simply the author’s professional perspective on Industrial Control Systems (ICS) Cyber and Physical Security
• References used can be found in the Helpful Links section
5 How do we keep the lights on when the switch is connected to the internet?
6 AGENDA
• SCADA overview
• Threat vectors into ICS devices
• Possible consequences once in control
• Horror stories and threat scenarios
• Actions to protect business and customers
7 SCADA overview
8 SCADA overview
• SCADA: Supervisory Control and Data Acquisition
  o “Typically” deployed across a large geographic area like the electric grid or natural gas pipelines
  o One type of many systems used to keep the lights on and energy flowing
9 SCADA overview
Typical SCADA Diagram
10 SCADA overview
Alphabet soup: lots of acronyms for similar systems/devices. We shall choose one for the purposes of this presentation.
11 SCADA overview
• ICS: Industrial Control System
  o Broad set of control systems
  o General term that encompasses all of them
12–15 SCADA overview
• Typical ICS system found in many homes…
16 SCADA overview
Diagram: Typical Home Heating System (labels recovered from the figure)
• Thermostat to set desired temp; temperature display (LED/iPhone/dial-up)
• Natural Gas Valve: turns the gas on/off
• Igniter/Pilot, Burner & Blower, Heat Exchanger
• Cold air in, hot air out; house temperature; heat loss from home
• Natural Gas BTU Heat Content
• Teenager
17 SCADA overview
• HVAC
• PACS
• Manufacturing
• Vehicles
• Airplanes
• Sprinkler/Irrigation
• Pharmaceutical (remote drug injection)
• Pacemakers
18 Threat vectors into ICS devices
19 Threat vectors into ICS devices
FUD
The Good
The Bad
The Ugly
20 Threat vectors into ICS devices
!!!! This ain’t FUD !!!!
21 Threat vectors into ICS devices
22 Threat vectors into ICS devices
ISSSource.com article on a Rockwell Automation report of a ransomware attack that used a file made available on the internet (no source given) called ‘Allenbradleyupdate.zip’ (April 2016)
23–26 Threat vectors into ICS devices
27 Threat vectors into ICS devices
Interdependencies
28 Threat vectors into ICS devices
29 Threat vectors into ICS devices
• Generation: coal, natural gas, oil, hydro, geothermal, wind, solar, steam, nuclear
  o Natural gas’s share of the mix exceeds 50%
  o No gas, no fuel supply, no electricity
  o Rinse, Lather and Repeat
• A cyber attack can easily shut it down
30–31 Threat vectors into ICS devices
• FTP
• Telnet
• SNMPv1 (v3 available for 14 years)
• Firewall misconfiguration
• VLAN misconfiguration
• Wireless (MIJI)
• Spearphishing
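The SNMPv1 point deserves a concrete check: every SNMP message carries its version number in the first integer of its BER encoding, so a passive sensor on a span port can list which devices are still being polled with the cleartext community-string model (v1/v2c) without sending a single packet at them. The Python below is an added example, not code from the presentation; the sample datagrams, addresses and the minimal BER encoder that builds them are constructed for this example.

```python
"""Classify SNMP datagrams by protocol version from the first few bytes.

Every SNMP message is a BER SEQUENCE whose first element is the INTEGER
version field: 0 = SNMPv1, 1 = SNMPv2c, 3 = SNMPv3.  A sensor on a span port
of the control network can therefore tell from each UDP/161 payload whether a
device is still managed with the community-string model (v1/v2c), which sends
its credential in cleartext, without touching the device itself.
"""

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
WEAK_VERSIONS = {"SNMPv1", "SNMPv2c"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV at buf[pos:].

    Short-form lengths and long-form lengths of up to four bytes are accepted;
    anything truncated raises ValueError so the caller can reject the packet.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def snmp_version(payload):
    """Name the SNMP version of one UDP payload, or 'not-snmp' if it is not SNMP."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        if tag != 0x30:                    # outer SEQUENCE
            return "not-snmp"
        vtag, vbytes, _ = _read_tlv(body, 0)
        if vtag != 0x02 or not vbytes:     # version INTEGER
            return "not-snmp"
        version = int.from_bytes(vbytes, "big", signed=True)
    except ValueError:
        return "not-snmp"
    return VERSION_NAMES.get(version, "unknown-v%d" % version)


def audit(datagrams):
    """Return (src, dst, version) for every datagram still using v1 or v2c."""
    findings = []
    for src, dst, payload in datagrams:
        version = snmp_version(payload)
        if version in WEAK_VERSIONS:
            findings.append((src, dst, version))
    return findings


# --- constructed sample traffic (not captured from any real network) --------
def _tlv(tag, value):
    """Tiny BER encoder, used only to build the samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _sample(version, community=b"public", pdu=b""):
    """SEQUENCE { version, community, PDU }; the PDU body is a stand-in."""
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + _tlv(0xA0, pdu))


SAMPLES = [
    ("10.1.2.5", "10.1.2.10", _sample(0)),                              # SNMPv1
    ("10.1.2.6", "10.1.2.10", _sample(1)),                              # SNMPv2c
    ("10.1.2.7", "10.1.2.10", _sample(3)),                              # SNMPv3 (header stand-in)
    ("10.1.2.8", "10.1.2.10", _sample(0, b"private", b"\x00" * 200)),   # v1 with long-form length
    ("10.1.2.9", "10.1.2.10", b"\x17\x03\x03\x00\x10" + b"\x00" * 16),  # not SNMP at all
]

if __name__ == "__main__":
    for src, dst, version in audit(SAMPLES):
        print("%s -> %s still speaks %s" % (src, dst, version))
```

Only the version field is decoded; the community string is deliberately never printed, so the sensor's own log does not become a second place where the credential sits in cleartext.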
32 Threat vectors into ICS devices
Sneaker Net
33 Threat vectors into ICS devices
• Social Engineering
34 Possible consequences once in control
35 Possible consequences once in control
Smart Grid home monitoring; connected to internet
36 Possible consequences once in control
37 Possible consequences once in control
• Project Aurora: 2.25 MW generator (2007)
• Remote cyberattack destroys the generator
38 Possible consequences once in control
• Let the smoke out and it stops working!
39 Possible consequences once in control
• Not to be confused with Operation Aurora, the 2010 hack stealing intellectual property
• 2003 Northeast electric grid outage: situational awareness lost in Ohio when computer systems slowed down
  o Not a hack, but there was a contributing cyber component
40 Possible consequences once in control
• Ping sweep causes a robotic arm to swing wildly
• Ping causes an IC fab plant to hang
  o $50,000 worth of wafers destroyed
• IT performs a pen test on the corporate network
  o Unintentionally stumbles into SCADA
  o Locks up the gas pipeline SCADA
  o 4-hour gas service shutdown
41 Possible consequences once in control
Feb 2016
42 Horror stories and threat scenarios
43 Horror stories and threat scenarios
Top 3 Public Enemies Electric
44 Horror stories and threat scenarios
45 Horror stories and threat scenarios
AIR GAP
International Space Station (ISS)
46 Horror stories and threat scenarios
• Houston! Windows has problems
  o 2008: password-stealing virus infects Space Station laptops (W32.Gammima.AG)
  o Not the first time
  o Payload laptops do NOT carry virus protection/detection software
47 Horror stories and threat scenarios
• NASA assures astronauts that flight control systems were not in danger
  o But to be safe…
  o Migrates all the computer systems related to the ISS over to Linux for security, stability and reliability reasons
  o Mistaken belief that Linux has no vulns
48 Horror stories and threat scenarios
49 Horror stories and threat scenarios
• 787 vulnerable to hackers
  o Common Core System (CCS)
  o Saves weight (fewer line units)
  o Wireless computer controls
  o FAA raised security concerns
  o Boeing claims they have addressed the issues
  o Maintenance crews use wireless laptops
50 Horror stories and threat scenarios
• Airports and airlines considered CI
• Airlines do not have to report cyber attacks
• Senator queries the air industry about aircraft cybersecurity defenses
• Oh my!!!!
  o Hackable cars at risk in a cyber attack
  o Navigation, Wi-Fi, Bluetooth, cellular
  o Brakes & steering on Bluetooth!!!!
51 Horror stories and threat scenarios
• Stuxnet via sneakernet (June 2010)
  o Natanz Fuel Enrichment Plant
  o Digitally signed malware
  o HMI spoofed (operator intuition)
  o Slow attack under the radar
  o Destroy centrifuges
• Variants out in the wild
52 Horror stories and threat scenarios
  o Stuxnet infected Chevron’s IT network (Nov 8, 2012)
  o TELVENT hit by sophisticated cyber attack; SCADA admin tool compromised (Sep 26, 2012)
    - Telvent supplies remote admin and monitoring tools
    - Intelligent transportation systems, train, metro, traffic lights
    - Warns customers of advanced persistent threat!!!!
53 Horror stories and threat scenarios
• Power generation facility
• Malware discovered on a USB drive
• Two engineering workstations
• No backups
54 Horror stories and threat scenarios
• Turbine control system
• Scheduled outage for maintenance
• Third-party tech brought a USB drive for uploads
• Mariposa botnet virus discovered on the USB drive
• Delayed restart 3 weeks = $$$$$
55 Horror stories and threat scenarios
• Use case (optional): ICS-CERT Advisory (ICSA-10-090-01), revised 2014
  o USUTIL2 notifies USUTIL1 of malware (employee)
  o Instructor shared it at an industry conference
  o Mariposa botnet trojan
    - Usernames/passwords
    - Email
  o USUTIL1 malware tools did not detect it
  o Windows system: still spreading but can’t phone home
  o Command & Control (C2) callbacks
    - hnox.org, socksa.com, ronpc.net
    - Initial contact 49 bytes, UDP 21039
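The callback domains and the 49-byte UDP/21039 first contact on this slide are exactly the kind of indicators a defender can run against logs that already exist (resolver logs and flow records), which is how USUTIL1 could have found the "can't phone home" infection without better antivirus. The Python below is an added example and is not part of the advisory or the presentation; the DNS and flow log formats, hosts and timestamps are constructed, and it assumes the flow exporter reports the first packet's bytes the same way the advisory counted them.

```python
"""Match the Mariposa C2 indicators from ICSA-10-090-01 against two log sources.

Indicators taken from the slide: callback domains hnox.org, socksa.com and
ronpc.net, and an initial UDP/21039 contact of 49 bytes.  Both log formats
below are constructed for this example; adapt the two regexes to your own
resolver and flow exporter.
"""
import re
from collections import defaultdict

C2_DOMAINS = {"hnox.org", "socksa.com", "ronpc.net"}
C2_UDP_PORT = 21039
C2_FIRST_PACKET_BYTES = 49

# Constructed resolver log: "<ts> <client> query <name> <type>"
DNS_LOG = """\
2016-07-01T08:00:01 10.20.30.11 query ntp.vendor.example A
2016-07-01T08:00:07 10.20.30.44 query hnox.org A
2016-07-01T08:00:09 10.20.30.44 query www.SOCKSA.com. A
2016-07-01T08:01:15 10.20.30.12 query hmi-01.plant.internal A
"""

# Constructed flow records: "<ts> <proto> <src>:<sport> -> <dst>:<dport> pkts=<n> bytes=<b>"
FLOW_LOG = """\
2016-07-01T08:00:08 UDP 10.20.30.44:50112 -> 203.0.113.9:21039 pkts=1 bytes=49
2016-07-01T08:00:30 UDP 10.20.30.12:123 -> 10.20.30.1:123 pkts=1 bytes=48
2016-07-01T08:00:40 TCP 10.20.30.13:49233 -> 10.20.30.1:502 pkts=12 bytes=1100
2016-07-01T08:02:00 UDP 10.20.30.45:50999 -> 203.0.113.9:21039 pkts=1 bytes=49
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")
FLOW_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) pkts=(\d+) bytes=(\d+)$")


def normalize_name(name):
    """Lower-case a DNS name and drop the trailing dot so matching is exact."""
    return name.rstrip(".").lower()


def matches_c2_domain(name):
    """True if the name is one of the indicator domains or a subdomain of one."""
    n = normalize_name(name)
    return any(n == d or n.endswith("." + d) for d in C2_DOMAINS)


def scan_dns(log):
    """Return (timestamp, client, queried_name) for each lookup of a C2 domain."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.match(line)
        if m and matches_c2_domain(m.group(3)):
            hits.append((m.group(1), m.group(2), normalize_name(m.group(3))))
    return hits


def scan_flows(log):
    """Return (timestamp, src, dst) for single-packet 49-byte UDP/21039 flows."""
    hits = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        ts, proto, src, _sport, dst, dport, pkts, nbytes = m.groups()
        if (proto == "UDP" and int(dport) == C2_UDP_PORT
                and int(pkts) == 1 and int(nbytes) == C2_FIRST_PACKET_BYTES):
            hits.append((ts, src, dst))
    return hits


def suspect_hosts(dns_log, flow_log):
    """Hosts matched by either indicator, with the indicator types that fired.

    Two independent indicators on one host (name lookup plus beacon) are much
    stronger evidence than either alone; rank on len(value) when triaging.
    """
    evidence = defaultdict(set)
    for _ts, client, _name in scan_dns(dns_log):
        evidence[client].add("dns")
    for _ts, src, _dst in scan_flows(flow_log):
        evidence[src].add("udp21039")
    return {host: sorted(kinds) for host, kinds in evidence.items()}


if __name__ == "__main__":
    for host, kinds in sorted(suspect_hosts(DNS_LOG, FLOW_LOG).items()):
        print(host, ", ".join(kinds))
```

The domain match is suffix-based on a label boundary, so `www.socksa.com.` matches but `notronpc.net` does not; a plain substring match would produce exactly the kind of false positive that makes a SOC start ignoring an indicator list.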
56 Horror stories and threat scenarios
• Netherlands
  o Dike controls on the internet (Shodan)
  o Veere county admin using the password “Veere”
  o Server running SunOS 5.8, not patched for 6 years
57 Horror stories and threat scenarios
• Netherlands
  o New low: Bavaria beer brewer site hacked
  o Large electronics company hacked
  o Dutch government lost its cyber security incident database
    - Backup tapes could not be read anymore
58 Horror stories and threat scenarios
Courtesy of SHODAN
59 Horror stories and threat scenarios
• FUD
• Hacktivists
• Specialized search engines (SHODAN, SHINE, ERIPP)
• Exploitation tool kits
60 Horror stories and threat scenarios
• 2012: Chinese hackers gain access to NASA’s Jet Propulsion Lab
• Saudi Aramco attack: data wiped on 30,000+ computer systems (Shamoon, via sneakernet)
• 400% increase in vuln reports since 2010
• Major spearphishing campaign against US oil & natural gas pipelines
61 Horror stories and threat scenarios
62 Horror stories and threat scenarios
Metcalf Substation
Tuesday, April 16, 2013, 1:30 AM PDT. Flashes at lower left show a round hitting the fence.
63 Web site encouraging followers to initiate “electronic jihad.”
64–66 Horror stories and threat scenarios
• ICS cyber attack scenario (INL)
  o Malicious code embedded in a PowerPoint presentation on the corporate domain
  o Opens a covert channel from the victim’s computer through the corporate firewall to the attackers on the internet
  o Hijack sessions between the corporate domain and the ICS domain
67 Horror stories and threat scenarios
  o Took control of pumps to overflow tanks
  o Operator screens show all systems running normally
68 Horror stories and threat scenarios
• Vast majority of hacking incidents go unreported
  o Inability to detect attacks
  o Reasons of security
  o Avoid embarrassment
  o Effect on stock prices
  o Effect on CEO ROI
69 Actions to protect business and customers
70 Actions to protect business and customers
Regulate the heck out of it!!!!
71 Actions to protect business and customers
• Can’t afford to protect everything
  o Cost of doing nothing can be much greater
  o Regulatory and safety requirements are not negotiable
• Human safety is PARAMOUNT
  o Employees and citizens
• Protect equipment if possible
  o Not necessarily the cost; the lead time to replace
72 Actions to protect business and customers
Security Triad
73 Actions to protect business and customers
• You may be caught in the middle
  o Corporate and operational wall coming down
  o IT and OT converging
  o Physical security and logical security converging
  o Exciting, challenging and downright scary
• Do the basic Security 101 stuff
74 Actions to protect business and customers
• Defense-in-depth approach
• Redesign network layouts
• Validate integrity of downloads/updates/patches
• Deploy security patches AFTER testing
• Work with the vendor and the control systems engineer
• Restrict physical access (Physical Security)
  o One mouse can bring down the kingdom!
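"Validate integrity of downloads/updates/patches" is the control that sits between the fake Allenbradleyupdate.zip "update" from slide 22 and the engineering workstation. One way to make it mechanical is a gate between the download folder and the test bench that only passes files the vendor's manifest vouches for. This Python is an added example, not the presenter's or any vendor's code; the manifest format, folder layout, file names and file contents are all assumptions constructed for the example.

```python
"""Gate downloaded patches on a vendor manifest before they reach the test bench.

Nothing is moved to the staging area unless the file is listed in the manifest
and both its size and SHA-256 match; anything else goes to a quarantine folder
(never deleted) for the responder to examine.  The manifest line format and
the folder layout are assumptions made for this example.
"""
import hashlib
import hmac
import os
import shutil
import tempfile

CHUNK = 1 << 20   # hash in 1 MiB chunks so large firmware images do not fill RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Assumed format: '<sha256>  <size>  <filename>' per line; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(None, 2)
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_download(path, manifest):
    """Return the reasons the file must NOT be staged; an empty list means it passed."""
    name = os.path.basename(path)
    if name not in manifest:
        return ["%s is not listed in the vendor manifest" % name]
    want_digest, want_size = manifest[name]
    problems = []
    if os.path.getsize(path) != want_size:
        problems.append("size does not match manifest")
    # compare_digest so the check does not leak how many leading bytes matched
    if not hmac.compare_digest(sha256_file(path), want_digest):
        problems.append("SHA-256 does not match manifest")
    return problems


def stage_or_quarantine(path, manifest, staging_dir, quarantine_dir):
    """Move the file to staging if it verifies, otherwise to quarantine."""
    problems = verify_download(path, manifest)
    dest = quarantine_dir if problems else staging_dir
    shutil.move(path, os.path.join(dest, os.path.basename(path)))
    return ("quarantined" if problems else "staged"), problems


def demo():
    """Run three constructed downloads through the gate; returns name -> (decision, problems)."""
    root = tempfile.mkdtemp(prefix="ics-patch-gate-")
    downloads, staging, quarantine = (os.path.join(root, d) for d in ("downloads", "staging", "quarantine"))
    for d in (downloads, staging, quarantine):
        os.makedirs(d)
    genuine = b"constructed firmware image bytes"         # stands in for the real vendor file
    with open(os.path.join(downloads, "plc-firmware-example.zip"), "wb") as f:
        f.write(genuine)                                  # untouched: matches the manifest
    with open(os.path.join(downloads, "hmi-hotfix-example.zip"), "wb") as f:
        f.write(genuine + b"\x00")                        # one byte appended: altered in transit
    with open(os.path.join(downloads, "Allenbradleyupdate.zip"), "wb") as f:
        f.write(b"not from the vendor at all")            # the slide's fake 'update' (contents constructed)
    digest = hashlib.sha256(genuine).hexdigest()
    manifest = parse_manifest(
        "# constructed vendor manifest: sha256  size  filename\n"
        "%s  %d  plc-firmware-example.zip\n%s  %d  hmi-hotfix-example.zip\n"
        % (digest, len(genuine), digest, len(genuine)))
    results = {}
    for name in sorted(os.listdir(downloads)):
        results[name] = stage_or_quarantine(os.path.join(downloads, name), manifest, staging, quarantine)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, (decision, problems) in demo().items():
        print(name, decision, "; ".join(problems))
```

The manifest itself has to come from a trusted channel (vendor portal over TLS, or a signed file) rather than from the same anonymous download location, otherwise an attacker who can plant the zip can plant a matching manifest beside it.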
75–76 Actions to protect business and customers
• Restrict physical access (Physical Security)
  o Really now!!!
  o What is wrong with this picture?
77 Actions to protect business and customers
78 Actions to protect business and customers
• Good solution but…
• Logging is a problem
• Daily clean-up required
• Insurance
79 Actions to protect business and customers
Sign: WARNING. I CAN MAKE IT TO THE FENCE IN 2.8 SECONDS. CAN YOU?
80 Actions to protect business and customers
• Customize traditional security for the ICS environment
• Least privilege (including vendor)
• Password management (including vendor)
• Account management (including vendor)
• VPN with two-factor authentication (including vendor)
• Who is taking care of HVAC?
• What about building monitoring systems?
81 Actions to protect business and its customers
• Account lockout policy (including vendor)
• Caution!!! Do not lock out the operator
• Application whitelisting
• Data diodes
• Current application updates
• Separation of duties
• Consider managed security services (MSS)
• Your core business is not IT security
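The lockout caution is easy to state and easy to get wrong in configuration: the threshold that stops password guessing against a vendor's remote account must not take the HMI away from the operator during an upset. The Python below is an added example (not from the presentation) of a policy that treats the two account classes differently, locking vendor and admin accounts but only alerting on operator consoles; the thresholds, account directory and event stream are constructed for the example.

```python
"""Failed-login lockout that never locks the control-room operator out.

Remote and vendor accounts lock after repeated failures inside a sliding
window.  Operator console accounts are exempt from lockout, because losing
the HMI is itself a safety problem, but they raise an alert when they cross
the same threshold so the guessing attempt is still seen.  Thresholds, the
account directory and the event stream are constructed for this example.
"""
from collections import defaultdict, deque

LOCKOUT_THRESHOLD = 5          # failures ...
WINDOW_SECONDS = 15 * 60       # ... inside this sliding window
LOCKOUT_SECONDS = 30 * 60      # how long a non-operator account stays locked

ACCOUNT_CLASS = {              # constructed account directory
    "hmi_operator": "operator",
    "shift_lead": "operator",
    "vendor_remote": "vendor",
    "it_admin": "admin",
}


class LockoutPolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires
        self.alerts = []                     # (ts, account, message) for the SOC

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, now, source, password_ok):
        """Gate one login attempt and report what happened to it."""
        if self.is_locked(account, now):
            return "denied-locked"
        if password_ok:
            self.failures[account].clear()          # a success resets the counter
            return "ok"
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) < LOCKOUT_THRESHOLD:
            return "failed"
        # accounts missing from the directory get the strict class, never the exemption
        if ACCOUNT_CLASS.get(account, "vendor") == "operator":
            self.alerts.append((now, account,
                                "threshold breached from %s; NOT locked (operator console)" % source))
            return "alert-only"
        self.locked_until[account] = now + LOCKOUT_SECONDS
        self.alerts.append((now, account,
                            "locked for %ds after repeated failures from %s" % (LOCKOUT_SECONDS, source)))
        return "locked"


# constructed event stream: (seconds since start, account, source, password_ok)
EVENTS = [
    (0, "vendor_remote", "198.51.100.7", False),
    (10, "vendor_remote", "198.51.100.7", False),
    (20, "vendor_remote", "198.51.100.7", False),
    (30, "vendor_remote", "198.51.100.7", False),
    (40, "vendor_remote", "198.51.100.7", False),    # fifth failure: locked
    (50, "vendor_remote", "198.51.100.7", True),     # right password, still denied
    (60, "hmi_operator", "10.20.30.5", False),
    (70, "hmi_operator", "10.20.30.5", False),
    (80, "hmi_operator", "10.20.30.5", False),
    (90, "hmi_operator", "10.20.30.5", False),
    (100, "hmi_operator", "10.20.30.5", False),      # fifth failure: alert, no lock
    (110, "hmi_operator", "10.20.30.5", True),       # operator still gets in
    (1940, "vendor_remote", "198.51.100.7", True),   # the 30-minute lock has expired
]


def run(events):
    """Replay events through one policy instance; return (outcomes, alerts)."""
    policy = LockoutPolicy()
    outcomes = [policy.attempt(account, ts, source, ok) for ts, account, source, ok in events]
    return outcomes, policy.alerts


if __name__ == "__main__":
    outcomes, alerts = run(EVENTS)
    for (ts, account, _src, _ok), outcome in zip(EVENTS, outcomes):
        print("t=%4d %-14s %s" % (ts, account, outcome))
    for ts, account, message in alerts:
        print("ALERT t=%d %s: %s" % (ts, account, message))
```

The exemption is deliberately tied to a directory lookup rather than to a username pattern, so a new remote account that nobody classified defaults to the strict path; the other half of the control, which this example does not cover, is making sure the operator console itself is physically controlled, since an exempt account is only safe when guessing at it requires being in the control room.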
82 Actions to protect business and its customers
• Assume you will be hacked and lose everything
• Ransomware = Game over!!!
• Detect, contain, mitigate and investigate
  o PICERL
  o NIST SP 800-61r2
• Build in resilience and continuity of operations
• Do you have readily available & usable backup media?
• Automate where it makes sense
  o Repeatable
  o Minimizes human error
83–86 Actions to protect business and its customers
87 Actions to protect business and its customers
• What about the supply chain?
88 Actions to protect business and its customers
89 Summary
• ICS security testing can have adverse effects
• Tools & scans can cause machines to fail
• Serious and drastic consequences
  o People can suffer serious injury or be killed
  o All security testing must be well planned, thought out and communicated to all business units involved
• Cyber security testing can be done if planned out, e.g. tcpdump, netstat, wmic…
90 Summary
• SCADA overview
• Threat vectors into ICS devices
• Possible consequences once in control
• Horror stories and threat scenarios
• Actions to protect business and customers
91–92 Helpful Links (retrieved 12 July 2016)
• Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82
  o http://dx.doi.org/10.6028/NIST.SP.800-82r2
• DHS ICS-CERT
  o https://ics-cert.us-cert.gov/
  o https://ics-cert.us-cert.gov/advisories/ICSA-10-090-01
• Executive Order 13636: Cybersecurity Framework
  o http://www.nist.gov/cyberframework/
  o http://www.nist.gov/cyberframework/upload/Workshop-Summary-2016.pdf
93 Helpful Links (retrieved 12 July 2016)
• Common Cyber Security Vulnerabilities in Industrial Control Systems
  o https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities
• Seven Strategies to Defend ICS
  o https://ics-cert.us-cert.gov/sites/default/files/documents/Seven Steps to Effectively Defend Industrial Control Systems_S508C.pdf
• 21 Steps to Improve Cyber Security of SCADA Networks
  o http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
• Defense in Depth Strategies
  o https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf
94 Helpful Links (retrieved 12 July 2016)
• Supply chain
  o https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809_S508C.pdf
  o http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf
  o https://ics-cert.us-cert.gov/sites/default/files/documents/CatalogofRecommendationsVer7.pdf
  o http://www.ferc.gov/media/news-releases/2015/2015-3/07-16-15-E-1.asp
• Digital Bond
  o http://www.digitalbond.com
95 Helpful Links (retrieved 12 July 2016)
• Stuxnet, Duqu, Flame, Gauss
  o http://arstechnica.com/security/2013/03/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet/
  o http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
• DHS ICS-CERT Cyber Security Evaluation Tool
  o https://ics-cert.us-cert.gov/Assessments
96 Helpful Links (retrieved 12 July 2016)
• ICS-CERT Training
  o https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
  o https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT#workshop
• ISA99 Industrial Automation and Control Systems Security (ISA/IEC 62443)
  o http://isa99.isa.org/ISA99%20Wiki/Home.aspx
  o https://www.isa.org/training-and-certifications/isa-certification/isa99iec-62443/isa99iec-62443-certificate-program-requirements/
  o https://www.isa.org/templates/two-column.aspx?pageid=121797
• SANS ICS
  o http://ics.sans.org/
  o http://www.sans.org/course/ics-scada-cyber-security-essentials
97 Questions?
98 How do we keep the lights on when the switch is connected to the internet?
Thank You!