
How do we keep the lights on when everyone has access to the switch?

16 July 2016 Saturday ISSA-COS Mini-Seminar Colorado Technical University Colorado Springs, CO

Wally Magda, SOHK, WallyDotBiz LLC

Industrial Control Systems: How do we keep the lights on…..?

• No animals were harmed in the making of this presentation!

WallyDotBiz LLC © 2016

Cellphone, BB, PDA Advisory

• Please put alert generating devices into silent or vibrate mode if possible

• Be kind to your colleagues; please take phone conversation out in the hall

DISCLAIMER

• The author is not a lawyer and cannot give legal advice
• The author does not endorse any specific product or entity
• This presentation is simply the author’s professional perspective on Industrial Control Systems (ICS) Cyber and Physical Security
• References used can be found in the Helpful Links section

How do we keep the lights on when the switch is connected to the internet?

AGENDA

• SCADA overview

• Threat vectors into ICS devices

• Possible consequences once in control

• Horror stories and threat scenarios

• Actions to protect business and customers

SCADA overview

• SCADA: Supervisory Control and Data Acquisition
  o “Typically” deployed across a large geographic area like the electric grid or natural gas pipelines
  o One type of many systems used to keep the lights on and energy flowing


Typical SCADA Diagram

Alphabet soup--lots of acronyms for similar systems/devices. We shall choose one for the purposes of this presentation.

• ICS: Industrial Control System
  o Broad set of control systems
  o General term that encompasses all


• Typical ICS system found in many homes…

[Diagram: Typical Home Heating System. Labels: Thermostat to set desired temp; Temperature Display (LED/iPhone/Dial-up); Natural Gas Valve (turn gas on/off); Igniter/Pilot; Burner & Blower; Heat Exchanger; Cold Air / Hot Air; House temperature; Heat loss from home; Natural Gas BTU Heat Content; Teenager]

• HVAC
• PACS
• Manufacturing
• Vehicles
• Airplanes
• Sprinkler/Irrigation
• Pharmaceutical--remote drug injection
• Pacemakers

Threat vectors into ICS devices

FUD

The Good

The Bad

The Ugly


!!!! This ain’t FUD !!!!

ISSSource.com reported on a Rockwell Automation notice about an attack using a file made available on the internet (no source given) called ‘Allenbradleyupdate.zip’ (April 2016)


Interdependencies

• Generation--coal, natural gas, oil, hydro, geo-thermal, wind, solar, steam, nuclear
  o Natural gas exceeds 50% of the mix
  o No gas, no fuel supply, no electricity
  o Rinse, lather and repeat
• A cyber attack can easily shut it down

• FTP
• Telnet
• SNMPv1 (v3 available for 14 years)
• Firewall misconfiguration
• VLAN misconfiguration
• Wireless (MIJI)
• Spearphishing
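The legacy cleartext services in the list above are easy to spot in firewall logs once you know which hosts belong to the ICS zone. The following is an added example, not code from the presentation or from any vendor: it parses constructed firewall log lines (the key=value format, the 10.50.0.0/16 ICS zone and every address are assumptions of this example) and reports allowed FTP, Telnet and SNMP flows that cross into the ICS zone, each with the replacement the slide implies.

```python
import ipaddress
from collections import Counter

# Assumption of this example: the ICS/SCADA zone is 10.50.0.0/16; 10.1.0.0/16 is corporate.
ICS_ZONE = ipaddress.ip_network("10.50.0.0/16")

# Legacy cleartext services named on the slide, each with its modern replacement.
LEGACY_PORTS = {
    21: ("FTP", "SFTP or FTPS"),
    23: ("Telnet", "SSH"),
    161: ("SNMPv1/v2c", "SNMPv3 (authPriv)"),
}

# Constructed firewall log lines for this example; not real traffic.
SAMPLE_LOG = """\
ts=2016-07-16T09:12:01 action=allow proto=tcp src=10.1.4.20 dst=10.50.2.11 dport=23
ts=2016-07-16T09:12:05 action=allow proto=tcp src=10.1.4.20 dst=10.1.9.7 dport=23
ts=2016-07-16T09:13:40 action=allow proto=udp src=10.1.8.3 dst=10.50.2.12 dport=161
ts=2016-07-16T09:14:02 action=allow proto=tcp src=10.1.4.21 dst=10.50.2.11 dport=22
ts=2016-07-16T09:15:17 action=deny proto=tcp src=10.1.4.22 dst=10.50.2.13 dport=21
ts=2016-07-16T09:16:33 action=allow proto=tcp src=10.1.4.22 dst=10.50.2.13 dport=21
"""


def parse_line(line):
    """Split a 'key=value key=value' record into a dict (the log format is assumed)."""
    return dict(field.split("=", 1) for field in line.split())


def find_legacy_ics_flows(log_text):
    """Return allowed flows carrying a legacy cleartext protocol into the ICS zone.

    Denied flows are skipped (policy already held there); flows to non-ICS hosts
    are skipped so the output shows only the gap at the ICS boundary.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        port = int(rec.get("dport", 0))
        if rec.get("action") != "allow" or port not in LEGACY_PORTS:
            continue
        if ipaddress.ip_address(rec["dst"]) not in ICS_ZONE:
            continue
        service, replacement = LEGACY_PORTS[port]
        findings.append({"src": rec["src"], "dst": rec["dst"], "port": port,
                         "service": service,
                         "fix": f"replace with {replacement} or block at the zone boundary"})
    return findings


def summarize(findings):
    """Count findings per legacy service for a one-line report."""
    return Counter(f["service"] for f in findings)


if __name__ == "__main__":
    for h in find_legacy_ics_flows(SAMPLE_LOG):
        print(f"{h['service']:<11} {h['src']} -> {h['dst']}:{h['port']}  {h['fix']}")
```

The Telnet flow to 10.1.9.7 is deliberately not reported: it is a corporate problem, but not the ICS boundary problem this check is about.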


Sneaker Net


• Social Engineering

Possible consequences once in control

Smart Grid home monitoring; connected to internet

• Project Aurora: 2.25 MW generator (2007)
• Remote attack destroys generator


• Let the smoke out and it stops working!

• Not to be confused with Operation Aurora
  o 2010 hack stealing intellectual property

• 2003 Northeast electric grid outage: situational awareness lost in Ohio when computer systems slowed down
  o Not a hack, but there was a contributing cyber component

• Ping sweep causes robotic arm to swing wildly

• Ping caused IC fab plant to hang
  o $50,000 worth of wafers destroyed

• IT performing pen test on corporate network
  o Unintentionally stumbles into SCADA
  o Locks up gas pipeline SCADA
  o 4-hour gas service shutdown


Feb 2016

Horror stories and threat scenarios

Top 3 Public Enemies Electric


AIR GAP

International Space Station (ISS)

• Houston! Windows has problems
  o 2008: password-stealing virus infects Space Station laptops (W32.Gammima.AG)
  o Not the first time
  o Payload laptops do NOT provide virus protection/detection software

• NASA assures astronauts flight control systems were not in danger
  o But to be safe…
  o Migrates all the computer systems related to the ISS over to Linux for
    . Security
    . Stability
    . Reliability reasons
  o Mistaken belief that Linux has no vulns

• 787 vulnerable to
  o Common Core System (CCS)
  o Saves weight: fewer line units
  o Wireless computer controls
  o FAA raised security concerns
  o Boeing claims they have addressed the issues
  o Maintenance crews--wireless laptops

• Airports and airlines considered CI
• Airlines do not have to report cyber attacks
• Senator queries air industry about aircraft cybersecurity defenses
• Oh my!!!!
  o Hack-able cars at risk in a cyber attack
  o Navigation, Wi-Fi, Bluetooth, cellular
  o Brakes & steering on Bluetooth!!!!

• Stuxnet, introduced via sneakernet (June 2010)
  o Natanz Fuel Enrichment Plant
  o Digitally signed
  o HMI spoofed (operator intuition)
  o Slow attack under the radar
  o Destroy centrifuges
• Variants out in the wild

  o Stuxnet infected Chevron’s IT network (Nov 8, 2012)
  o TELVENT hit by sophisticated cyber attack; SCADA admin tool compromised (Sep 26, 2012)
    . Telvent supplies remote admin and monitoring tools
    . Intelligent transportation systems, train, metro, traffic lights
    . Warns customers of advanced persistent threat!!!!

• Power generation facility
• Malware discovered on USB drive
• Two engineering workstations
• No backups

• Turbine control system
• Scheduled outage for maintenance
• Third-party tech USB for uploads
• Mariposa virus discovered on USB drive
• Delayed restart 3 weeks = $$$$$

• Use case (optional): ICS-CERT Advisory (ICSA-10-090-01), revised 2014
  o USUTIL2 notifies USUTIL1 of malware (employee)
  o Instructor shared at industry conference
  o -trojan
    . Username/passwords
    . Email
  o USUTIL1 malware tools did not detect
  o Windows system: still spreading but can’t phone home
  o Command & Control (C2) callbacks
    . hnox.org, socksa.com, ronpc.net
    . Initial contact 49 bytes, UDP 21039
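The advisory indicators quoted on the slide (three callback domains, UDP 21039, 49-byte first contact) are exactly what a defender would turn into a log check. The following is an added example, not code from the presentation or from ICS-CERT: it matches constructed DNS resolver and UDP flow records (formats, clients and server addresses are assumptions of this example) against those indicators and ranks hosts that hit both.

```python
# Indicators as listed on the slide for ICSA-10-090-01; taken from the page, not re-verified here.
C2_DOMAINS = {"hnox.org", "socksa.com", "ronpc.net"}
C2_UDP_PORT = 21039
C2_FIRST_PACKET_BYTES = 49

# Constructed resolver log lines for this example (clients and names are made up).
DNS_LOG = """\
2016-07-16T08:00:01 client=10.1.5.40 query=ntp.corp.example type=A
2016-07-16T08:00:09 client=10.1.5.40 query=update.hnox.org. type=A
2016-07-16T08:00:10 client=10.1.5.41 query=www.example.com type=A
2016-07-16T08:01:15 client=10.1.5.40 query=ronpc.net type=A
"""

# Constructed UDP flow records; bytes is the size of the first outbound datagram.
FLOW_LOG = """\
2016-07-16T08:00:12 src=10.1.5.40 dst=203.0.113.7 proto=udp dport=21039 bytes=49
2016-07-16T08:00:30 src=10.1.5.41 dst=203.0.113.9 proto=udp dport=53 bytes=49
2016-07-16T08:02:00 src=10.1.5.42 dst=203.0.113.7 proto=udp dport=21039 bytes=512
"""


def parse_kv(line):
    """'timestamp k=v k=v' -> dict with a 'ts' key; the log format is an assumption."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def matches_c2_domain(qname):
    """True for a listed domain or any subdomain of it (trailing dot and case ignored)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


def dns_hits(log_text):
    """(client, queried name) pairs that resolve one of the listed C2 domains."""
    return [(r["client"], r["query"]) for r in map(parse_kv, log_text.splitlines())
            if matches_c2_domain(r["query"])]


def beacon_hits(log_text):
    """Split UDP/21039 flows into 49-byte first-contact matches and port-only matches.
    Port alone is weak (any service could use it), so size must match too; the
    port-only list is kept so an analyst can still review it."""
    exact, port_only = [], []
    for r in map(parse_kv, log_text.splitlines()):
        if r["proto"] != "udp" or int(r["dport"]) != C2_UDP_PORT:
            continue
        (exact if int(r["bytes"]) == C2_FIRST_PACKET_BYTES else port_only).append(r["src"])
    return {"exact": exact, "port_only": port_only}


def hosts_to_isolate(dns_text, flow_text):
    """Hosts seen on both the DNS and the beacon indicator: the highest-confidence set."""
    dns_hosts = {client for client, _ in dns_hits(dns_text)}
    return sorted(dns_hosts & set(beacon_hits(flow_text)["exact"]))
```

The slide's point that the malware could not phone home is exactly what the resolver log shows: the query is logged even when the callback never succeeds, so DNS is often the first place the infection becomes visible.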

• Netherlands
  o Dike controls on the internet--Shodan
  o Veere county admin using password “Veere”
  o Server running SunOS 5.8, not for 6 years

• Netherlands
  o New low: Bavaria beer brewer site hacked
  o Large electronics company hacked
  o Dutch government lost cyber security incident database
    . Backup tapes could not be read anymore


Courtesy of SHODAN

• FUD
• Hacktivists
• Specialized search engines (SHODAN, SHINE, ERIPP)
• Exploitation tool kits

• 2012: Chinese hackers gain access to NASA’s Jet Propulsion Lab
• Saudi Aramco attack; 30,000+ computer systems data wiped (sneakernet)
• 400% increase in vuln reports since 2010
• Major spearphishing campaign against US oil & natural gas pipelines


Metcalf Substation

Tuesday, April 16, 2013, 1:30 AM PDT. Flashes lower left show round hitting fence.

Web site encouraging followers to initiate “electronic jihad.”

• ICS cyber attack scenario (INL)
  o Malicious code embedded in a PowerPoint presentation--corporate domain
  o Opens a covert channel from the victim’s computer through the corporate firewall to the attackers on the internet
  o Hijacks sessions between the corporate domain and the ICS domain
  o Takes control of pumps to overflow tanks
  o Operator screens show all systems running normally

• Vast majority of hacking incidents go unreported
  o Inability to detect attacks
  o Reasons of security
  o Avoid embarrassment
  o Affect stock prices
  o Affect CEO ROI

Actions to protect business and customers

Regulate the heck out of it!!!!

• Can’t afford to protect everything
  o Cost of doing nothing can be much greater
  o Regulatory and safety not negotiable
• Human safety is PARAMOUNT
  o Employees and citizens
• Protect equipment if possible
  o Not necessarily cost: lead time to replace


Security Triad

• You may be caught in the middle
  o Corporate and operational wall coming down
  o IT and OT converging
  o Physical security and logical security converging
  o Exciting, challenging and downright scary

• Do the basic Security 101 stuff

• Defense-in-depth approach
• Redesign network layouts
• Validate integrity of downloads/updates/patches
• Deploy security patches AFTER testing
• Work with vendor and control systems engineer
• Restrict physical access (Physical Security)
  o One mouse can bring down the kingdom!

• Restrict physical access (Physical Security)
  o Really now!!!
  o What is wrong with this picture?

• Good solution but…
• Logging is a problem
• Daily clean up required
• Insurance

WARNING: I CAN MAKE IT TO THE FENCE IN 2.8 SECONDS. CAN YOU?

• Customize traditional security for the ICS environment
• Least privilege (including vendor)
• Password management (including vendor)
• Account management (including vendor)
• VPN with two-factor (including vendor)
• Who is taking care of HVAC?
• What about building monitoring systems?

• Account lockout policy (including vendor)
  o Caution!!! Do not lock out the operator
• Application whitelisting
• Data diodes
• Current application updates
• Separation of duties
• Consider managed security services (MSS)
  o Your core business is not IT security
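The lockout caution above has a concrete shape: the same bad-password counter that protects remote and vendor accounts becomes a denial-of-service on the control room if it can lock the HMI operator. The following is an added example, not code from the presentation: a login guard that locks remote and vendor accounts alike but only raises an alert for operator console accounts. Thresholds, the time window and the account names are assumptions of this example.

```python
from collections import defaultdict, deque

# Policy values are assumptions of this example, not figures from the presentation.
REMOTE_POLICY = {"threshold": 5, "window_s": 300, "lock_s": 900}
OPERATOR_ALERT_THRESHOLD = 5  # operator console accounts alert at this count, never lock


class LoginGuard:
    """Lockout for remote and vendor accounts; alert-only for operator console accounts.

    Locking the HMI operator out would blind the control room, and anyone who can
    type wrong passwords at the console could trigger that on purpose, so operator
    accounts are never locked. Physical access control on the console covers them.
    Vendor accounts get no exemption: they are remote accounts like any other.
    """

    def __init__(self, operator_accounts):
        self.operator_accounts = set(operator_accounts)
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> epoch seconds when the lock expires
        self.alerts = []                    # (ts, user, message) records for the SOC

    def _recent_failures(self, user, now):
        """Drop failures older than the sliding window and return the remaining count."""
        window = self.failures[user]
        while window and now - window[0] > REMOTE_POLICY["window_s"]:
            window.popleft()
        return len(window)

    def record_failure(self, user, now):
        """Register one failed login at epoch time `now`; returns the action taken."""
        self.failures[user].append(now)
        count = self._recent_failures(user, now)
        if user in self.operator_accounts:
            if count >= OPERATOR_ALERT_THRESHOLD:
                self.alerts.append((now, user, "repeated console failures; investigate, no lockout"))
            return "alert_only"
        if count >= REMOTE_POLICY["threshold"]:
            self.locked_until[user] = now + REMOTE_POLICY["lock_s"]
            self.failures[user].clear()
            self.alerts.append((now, user, "account locked"))
            return "locked"
        return "counted"

    def record_success(self, user):
        """A successful login resets the failure counter."""
        self.failures[user].clear()

    def is_allowed(self, user, now):
        """False only while a lock is active; operator accounts never have one."""
        return now >= self.locked_until.get(user, 0)
```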

• Assume you will be hacked and lose everything
  o Ransomware = game over!!!
• Detect, contain, mitigate and investigate
  o PICERL
  o NIST SP 800-61r2
• Build in resilience and continuity of operations
  o Do you have readily available & usable backup media?
• Automate where it makes sense
  o Repeatable
  o Minimize human error


• What about the supply chain?

Summary

• ICS security testing adverse effects
  o Tools & scans can cause machines to fail
  o Serious and drastic consequences: people can suffer serious injury or be killed
  o All security testing must be well planned, thought out and communicated to all business units involved
• Cyber security testing can be done if planned out, e.g. tcpdump, netstat, wmic…

• SCADA overview
• Threat vectors into ICS devices
• Possible consequences once in control
• Horror stories and threat scenarios
• Actions to protect business and customers

Helpful Links (retrieved 12 July 2016)

• Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82
  o http://dx.doi.org/10.6028/NIST.SP.800-82r2

• DHS ICS-CERT
  o https://ics-cert.us-cert.gov/
  o https://ics-cert.us-cert.gov/advisories/ICSA-10-090-01

• Executive Order 13636: Cybersecurity Framework
  o http://www.nist.gov/cyberframework/
  o http://www.nist.gov/cyberframework/upload/Workshop-Summary-2016.pdf

• Common Cyber Security Vulnerabilities in Industrial Control Systems
  o https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

• Seven Strategies to Defend ICS
  o https://ics-cert.us-cert.gov/sites/default/files/documents/Seven Steps to Effectively Defend Industrial Control Systems_S508C.pdf

• 21 Steps to Improve Cyber Security of SCADA Networks
  o http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf

• Defense in Depth Strategies
  o https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Defense_in_Depth_Oct09.pdf

• Supply chain
  o https://ics-cert.us-cert.gov/sites/default/files/documents/Procurement_Language_Rev4_100809_S508C.pdf
  o http://www.energy.gov/sites/prod/files/2014/04/f15/CybersecProcurementLanguage-EnergyDeliverySystems_040714_fin.pdf
  o https://ics-cert.us-cert.gov/sites/default/files/documents/CatalogofRecommendationsVer7.pdf
  o http://www.ferc.gov/media/news-releases/2015/2015-3/07-16-15-E-1.asp

• Digital Bond
  o http://www.digitalbond.com

• Stuxnet, , , Gauss
  o http://arstechnica.com/security/2013/03/the-worlds-most-mysterious-potentially-destructive-malware-is-not-stuxnet/
  o http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet

• DHS ICS-CERT Cyber Security Evaluation Tool
  o https://ics-cert.us-cert.gov/Assessments

• ICS-CERT Training
  o https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT
  o https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT#workshop

• ISA99 Industrial Automation and Control Systems Security, ISA/IEC 62443
  o http://isa99.isa.org/ISA99%20Wiki/Home.aspx
  o https://www.isa.org/training-and-certifications/isa-certification/isa99iec-62443/isa99iec-62443-certificate-program-requirements/
  o https://www.isa.org/templates/two-column.aspx?pageid=121797

• SANS ICS
  o http://ics.sans.org/
  o http://www.sans.org/course/ics-scada-cyber-security-essentials

Questions?

Thank You!