
STAYING CLEAN: CYBER HYGIENE & SOCIAL ENGINEERING WITHIN SCADA & INDUSTRIAL CONTROL SYSTEMS

A Thesis Presented to the Faculty of San Diego State University

In Partial Fulfillment of the Requirements for the Degree Master of Science in Homeland Security

by Drew Kirk Facetti
Summer 2018

Copyright © 2018 by Drew Kirk Facetti
All Rights Reserved

ABSTRACT OF THE THESIS

Staying Clean: Cyber Hygiene & Social Engineering Within SCADA & Industrial Control Systems
by Drew Kirk Facetti
Master of Science in Homeland Security
San Diego State University, 2018

Critical infrastructure facilities allow the United States and other nations to run smoothly every day. Many critical infrastructure facilities that use Supervisory Control and Data Acquisition (SCADA) systems are susceptible to a cyber-attack. The facilities that use SCADA systems include electric grids, nuclear power plants, water treatment facilities, transportation, etc. These Industrial Control Systems (ICS) then commonly feed into response and management systems mandated by the Department of Homeland Security for protecting United States assets and people and responding to natural and manmade events. Enhancing US national SCADA/ICS protection is becoming more and more important as the interconnectivity of the nation and the world expands with the Internet of Things (IoT) and Industrial Internet of Things (IIoT), and as the known risks and threats continue to rise. Creating and providing in-depth Cyber Security and Cyber Hygiene recommendations will give privately owned Critical Infrastructure (CI) facilities using SCADA/ICS the tools to prevent cyber-attacks from occurring. Finding ways to further the Cybersecurity of SCADA and ICS systems will benefit the public and the owners of the systems, as more and more attacks continue to occur via the profoundly interconnected nature of today's internet.

New solutions are very promising, such as enhancing major public-private partnerships like the FBI InfraGard and potentially new national bodies like the Department of Energy's Office of Cybersecurity and Emergency Response or other specialized agencies. Private-sector and government professional organizations and conferences focused on SCADA and ICS are also leading the nation and world in being better prepared and learning from the attacks or mishaps that have impacted others. Turning security recommendations of SCADA/ICS provided by the National Institute of Standards and Technology (NIST) into requirements will better prepare the workers of CI facilities for cyber-attacks. Turning the recommendations into requirements will also strengthen the government contracts that are meant to perform security audits on the CI facilities.

TABLE OF CONTENTS

ABSTRACT
LIST OF FIGURES
CHAPTER
1 INTRODUCTION
    Problem Statement
2 CYBER CRIME
    Cyberterrorism
    Cyber-Espionage
    Cyber war
3 ATTRIBUTION
4 CYBER WEAPONS
    Types of Attacks
        Malware
        DDoS
        Botnets
        Phishing and Spear-Phishing
    Zero-Day Vulnerabilities
        Ransomware
5 NUCLEAR POWER PLANTS
    Electric Grid
    Water Treatment Facilities
    Fiber Optic Cables
6 NIST
    Recommendations and Suggestions
    Requirements
    Relationships, Resources, and Collaborations
        CESER
        Office of Intelligence and Counterintelligence
        InfraGard
        USNORTHCOM
        OSAC
        Fusion Centers
        ICSJWG
        ISACs
7 FIBER OPTIC NETWORKS
    Zero Days
    Attribution
8 FINAL STATEMENT/CONCLUSION
REFERENCES
APPENDIX
    SUPPLEMENTARY FIGURES

LIST OF FIGURES

Figure 1. SCADA diagram.
Figure 2. Photograph depicting the US F-35, left, and the Chinese J-20, right.
Figure 3. Picture showing what computer screens looked like after the Sony Hack.
Figure 4. Screenshot of a computer with the "WannaCry" Ransomware activated. The instructions within need to be followed or the encrypted files will be deleted.
Figure 5. Map of the eight different power grids in the United States.
Figure 6. Firewall diagram.
Figure 7. Libelium smart world concept.
Figure 8. Screenshot from Shodan.io which provides the user with information about a Verizon Wireless page for CI.
Figure 9. Screenshot showing the "http" which will allow anyone to connect to the login page for Verizon.
Figure 10. Screenshot of the login page to access crucial CI information.

CHAPTER 1

INTRODUCTION

Cyberspace is ever growing, and there is no obvious indication that it will stop, so the vulnerability of our world to attacks using cyberspace is also an ever-growing challenge. One such area of society around the world is the critical infrastructure that lets society function. Cyber-attacks on our critical infrastructure (CI) have become a significant concern as once-isolated systems are being added to the internet for ease of control and linkage to other CI systems, producing potentially cascading dangers from interconnectivity (Deibert, 2012). Every day, CI is used in the United States and around the world to manage parts of our life from providing water from water treatment facilities