
How do we keep the lights on when everyone has access to the switch?
16 July 2016 (Saturday), ISSA-COS Mini-Seminar
Colorado Technical University, Colorado Springs, CO
Wally Magda, SOHK, WallyDotBiz LLC
WallyDotBiz LLC © 2016

Industrial Control Systems: How do we keep the lights on…..?
• No animals were harmed in the making of this presentation!

Cellphone, BB, PDA Advisory
• Please put alert-generating devices into silent or vibrate mode if possible
• Be kind to your colleagues; please take phone conversations out in the hall

DISCLAIMER
• The author is not a lawyer and cannot give legal advice
• The author does not endorse any specific product or entity
• This presentation is simply the author’s professional perspective on Industrial Control Systems (ICS) cyber and physical security
• References used can be found in the Helpful Links section

How do we keep the lights on when the switch is connected to the internet?
AGENDA
• SCADA overview
• Threat vectors into ICS devices
• Possible consequences once in control
• Horror stories and threat scenarios
• Actions to protect business and customers

SCADA overview
• SCADA: Supervisory Control and Data Acquisition
  o “Typically” deployed across a large geographic area, such as the electric grid or natural gas pipelines
  o One type of many systems used to keep the lights on and energy flowing
[Figure: Typical SCADA Diagram]
• Alphabet soup--lots of acronyms for similar systems/devices; we shall choose one for purposes of this presentation
• ICS: Industrial Control System
  o Broad set of control systems
  o General term that encompasses all of them
[Figure slides: SCADA overview diagrams]
• Typical ICS system found in many homes…
[Figure: Typical Home Heating System. Thermostat (temperature display: LED/iPhone/dial-up) sets the desired temperature; natural gas valve turns gas on/off; igniter/pilot; burner & blower; heat exchanger; cold air in, hot air out; heat loss from home; natural gas BTU heat content; house temperature; teenager]
• Other ICS you live with:
  o HVAC
  o PACS
  o Manufacturing
  o Vehicles
  o Airplanes
  o Sprinkler/Irrigation
  o Pharmaceutical--remote drug injection
  o Pacemakers

Threat vectors into ICS devices
• FUD: The Good, The Bad, The Ugly
• !!!! This ain’t FUD !!!!
• ISSSource.com reporting on a Rockwell Automation notice about a ransomware attack delivered via a file made available on the internet (no source given) called ‘Allenbradleyupdate.zip’ (April 2016)
[Figure slides: threat vectors into ICS devices]
• Interdependencies
• Generation: coal, natural gas, oil, hydro, geo-thermal, wind, solar, steam, nuclear
  o Mix of natural gas exceeds 50%
  o No gas, no fuel supply, no electricity
  o Rinse, lather and repeat
• A cyber attack can easily shut it down
• Common entry points:
  o FTP
  o Telnet
  o SNMPv1 (v3 has been available for 14 years)
  o Firewall misconfiguration
  o VLAN misconfiguration
  o Wireless (MIJI: meaconing, intrusion, jamming, interference)
  o Spearphishing
  o Sneaker net
  o Social engineering

Possible consequences once in control
• Smart Grid home monitoring, connected to the internet
• Project Aurora (2007): a remote cyberattack destroys a 2.25 MW generator
• Let the smoke out and it stops working!
• Not to be confused with Operation Aurora, the 2010 hack stealing intellectual property
• 2003 Northeast electric grid outage: situational awareness lost in Ohio when computer systems slowed down
  o Not a hack, but it had a contributing cyber component
• Ping sweep causes a robotic arm to swing wildly
• Ping causes an IC fab plant to hang; $50,000 worth of wafers destroyed
• IT performing a pen test on the corporate network unintentionally stumbles into SCADA
  o Locks up the gas pipeline SCADA
  o 4 hours of gas service shutdown
[Figure: Feb 2016]

Horror stories and threat scenarios
[Figure: Top 3 Public Enemies, Electric]
• AIR GAP: International Space Station (ISS)
• Houston! Windows has problems
  o 2008: password-stealing virus infects Space Station laptops (W32.Gammima.AG)
  o Not the first time
  o Payload laptops do NOT provide virus protection/detection software
• NASA assures astronauts flight control systems were not in danger
  o But to be safe…
  o Migrates the ISS crew laptops to Linux for security, stability and reliability reasons
  o Mistaken belief that Linux has no vulns
• 787 vulnerable to hackers
  o Common Core System (CCS)
  o Saves weight--fewer line units
  o Wireless computer controls
  o FAA raised security concerns
  o Boeing claims they have addressed the issues
  o Maintenance crews use wireless laptops
• Airports and airlines considered CI (critical infrastructure)
• Airlines do not have to report cyber attacks
• Senator queries air industry about aircraft cybersecurity defenses
• Oh my!!!!
  o Hackable cars at risk in a cyber attack
  o Navigation, Wi-Fi, Bluetooth, cellular
  o Brakes & steering on Bluetooth!!!!
• Stuxnet via sneakernet (June 2010)
  o Natanz Fuel Enrichment Plant
  o Digitally signed malware
  o HMI spoofed (defeats operator intuition)
  o Slow attack, under the radar
  o Destroys centrifuges
  o Variants out in the wild
• Stuxnet infected Chevron’s IT network (Nov 8, 2012)
• Telvent hit by a sophisticated cyber attack; SCADA admin tool compromised (Sep 26, 2012)
  o Telvent supplies remote admin and monitoring tools
  o Intelligent transportation systems, train, metro, traffic lights
  o Warns customers of an advanced persistent threat!!!!
• Power generation facility
  o Malware discovered on a USB drive
  o Two engineering workstations infected
  o No backups
• Turbine control system
  o Scheduled outage for maintenance
  o Third-party technician’s USB drive used for uploads
  o Mariposa botnet virus discovered on the USB drive
  o Restart delayed 3 weeks = $$$$$
• Use case (optional): ICS-CERT Advisory ICSA-10-090-01, revised 2014
  o USUTIL2 notifies USUTIL1 of malware (employee)
  o Instructor shared it at an industry conference
  o Mariposa botnet trojan steals usernames/passwords and email
  o USUTIL1’s malware tools did not detect it
  o Windows systems: still spreading, but can’t phone home
  o Command & Control (C2) callbacks: hnox.org, socksa.com, ronpc.net
    . Initial contact 49 bytes, UDP port 21039
• Netherlands
  o Dike controls on the internet (found via Shodan)
  o Veere county admin using the password “Veere”
  o Server running SunOS 5.8, not patched for 6 years
• Netherlands
  o New low--Bavaria beer brewer site hacked
  o Large electronics company hacked
  o Dutch government lost its cyber security incident database; the backup tapes could not be read anymore
[Figure: Courtesy of SHODAN]
• FUD
• Hacktivists
• Specialized search engines (SHODAN, SHINE, ERIPP)
• Exploitation tool kits
• 2012: Chinese hackers gain access to NASA’s Jet Propulsion Lab
• Saudi Aramco attack: 30,000+ computer systems’ data wiped (Shamoon, via sneakernet)
• 400% increase in vuln reports since 2010
• Major spearphishing campaign against US oil & natural gas pipelines
[Figure slides: horror stories and threat scenarios]
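The callback indicators on the ICSA-10-090-01 slide (the three C2 domains, and a 49-byte initial contact over UDP port 21039) are exactly the kind of thing a utility can hunt for in DNS and flow logs, even when the infected hosts can no longer phone home. The Python below is an added example, not material from the presentation or the advisory: only the three domains, the port and the byte count come from the slide; the log line formats, host addresses, timestamps and the benign Modbus and NTP traffic are constructed for illustration.

```python
"""Hunt DNS and flow logs for the Mariposa indicators quoted on the slide:
C2 domains hnox.org / socksa.com / ronpc.net and an initial 49-byte UDP
datagram to port 21039. Added example; log formats and data are constructed."""
from collections import defaultdict

C2_DOMAINS = {"hnox.org", "socksa.com", "ronpc.net"}   # from the slide (ICSA-10-090-01)
C2_PORT = 21039                                        # from the slide
C2_FIRST_PKT_BYTES = 49                                # from the slide

# Constructed flow records: "<ts> <src> <dst> <proto> <dport> <bytes>"
FLOW_LOG = [
    "2016-07-16T10:00:01 10.10.5.23 203.0.113.7 UDP 21039 49",    # beacon from an engineering WS
    "2016-07-16T10:00:31 10.10.5.23 203.0.113.7 UDP 21039 132",   # follow-up traffic
    "2016-07-16T10:01:00 10.10.5.40 10.10.1.1 TCP 502 60",        # Modbus/TCP poll, benign
    "2016-07-16T10:02:10 10.10.5.41 198.51.100.9 UDP 53 71",      # ordinary DNS, benign
]
# Constructed DNS query records: "<ts> <client> <qname>"
DNS_LOG = [
    "2016-07-16T09:59:58 10.10.5.23 hnox.org",
    "2016-07-16T10:00:05 10.10.5.40 ntp.example.com",
    "2016-07-16T10:03:00 10.10.5.41 update.socksa.com",            # subdomain of a C2 domain
]

def domain_matches(qname: str) -> bool:
    """True if qname is a C2 domain or a subdomain of one (label-aligned, so
    'notsocksa.com' does not match)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)

def parse_flow(line: str) -> dict:
    ts, src, dst, proto, dport, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.upper(),
            "dport": int(dport), "bytes": int(nbytes)}

def parse_dns(line: str) -> dict:
    ts, client, qname = line.split()
    return {"ts": ts, "client": client, "qname": qname}

def hunt(flow_lines, dns_lines) -> dict:
    """Return {host: [reasons]} for every host showing either indicator.
    Port 21039 alone is flagged as weak evidence; the first datagram on a
    (src, dst) pair being exactly 49 bytes upgrades it to the slide's signature."""
    findings = defaultdict(list)
    for rec in map(parse_dns, dns_lines):
        if domain_matches(rec["qname"]):
            findings[rec["client"]].append(
                f"{rec['ts']} DNS lookup of C2 domain {rec['qname']}")
    seen_pairs = set()
    for rec in map(parse_flow, flow_lines):
        if rec["proto"] != "UDP" or rec["dport"] != C2_PORT:
            continue
        pair = (rec["src"], rec["dst"])
        first_contact = pair not in seen_pairs
        seen_pairs.add(pair)
        reason = f"{rec['ts']} UDP/{C2_PORT} to {rec['dst']} ({rec['bytes']} bytes)"
        if first_contact and rec["bytes"] == C2_FIRST_PKT_BYTES:
            reason += " matches 49-byte initial beacon"
        findings[rec["src"]].append(reason)
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in hunt(FLOW_LOG, DNS_LOG).items():
        print(host)
        for r in reasons:
            print("   ", r)
```

Hosts that appear in both lists (a C2 domain lookup followed by the 49-byte datagram to port 21039) are the ones to pull for imaging; a lone DNS hit may be a sinkhole or a researcher, a lone port hit may be coincidence.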