Post on 08-Feb-2017
The Internet of Things Everything: Cyber-defense In an Age of Ubiquitous Vulnerability
EnergySec Hawaii Educational Sessions
February 24, 2016
Steven Parker, President
I’m Getting Old
It’s getting weird out there!
Introduction
The Internet of Things Everything
– Planes, trains, and automobiles
– Home electronics, smart meters, light bulbs
– Kids’ toys, smart phones, home security
– Refrigerators, washing machines
– Transformers, Traffic Lights, Drones
– What’s left?
Attack pathways surround us. What’s next?
Let’s provoke thought, not fear!
Approach and Goals
Discuss technology that falls outside the normal scope of protection for mission critical systems, yet could be used tactically to impact critical operations
Explore possible attack methods utilizing these technologies
Discuss possible actions to mitigate the impact of the scenarios
Thesis
In the near future, “cyber attacks” will be used to support nearly every traditional attack tactic from the non-cyber world.
To paraphrase Jack Whitsitt, Cybersecurity isn’t about cyber, or security, or technology. It is about your mission.
We Can’t Protect Everything
Protection Paradigms
– Air Gaps
– Layered Defense
– “Borderless” networks
– Resiliency
– Impact Levels
Scoping – NERC CIP Style
A Cyber Asset that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which, if destroyed, degraded, or otherwise rendered unavailable when needed, would affect the reliable operation of the Bulk Electric System. Redundancy of affected Facilities, systems, and equipment shall not be considered when determining adverse impact. Each BES Cyber Asset is included in one or more BES Cyber Systems. A Transient Cyber System is not a BES Cyber Asset.
But We Must Protect the Mission
Survival Paradigms
– Redundancy
– Backup Systems
– Recovery
– Manual Operation
– Alternative Procedures
– People?
Resiliency – NERC CIP Style
Each Responsible Entity shall have one or more documented recovery plans that collectively include each of the applicable requirement parts in CIP‐009‐5 Table R1 – Recovery Plan Specifications. [Violation Risk Factor: Medium] [Time Horizon: Long Term Planning].
Roadmap to Achieve Energy Delivery Systems Cybersecurity
By 2020, resilient energy delivery systems are designed, installed, operated, and maintained to survive a cyber incident while sustaining critical functions.
Dependencies
Things we choose not to protect, or protect less
– Corporate/Business Networks
– HVAC
– Email
– Support Systems
– Others?
Things outside of our control
– Power
– Water
– Internet
– GPS
– Telecommunications
– Certificate Authorities
– Supply Chain
– Others?
Power
Without Power, nearly everything breaks.
Do you own a manual can opener?
Gas pipeline/power generation interdependency (ERCOT issue)
How long will your generator run?
Are you on a well?
Is your iPhone charged?
Water
Internet/Communications
Do you depend on cloud services?
– Is your recovery plan on a hosted instance of Sharepoint?
Internet based VPN tunnels?
Cellular backhaul?
– Metering, Operations, ???
Facebook/Twitter/National Weather Service
Operational coordination, SCADA, Customer interactions
What else?
GPS
Certificate Authorities
Supply Chain
Tactical Cyber Attacks
Deli.Meat.Scale.
For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The main weapon at valve station 30 on Aug. 5, 2008, was a keyboard.
Scenarios
Would you like to play a game?
Brainstorm plausible-ish scenarios in which cyber attacks can impact mission critical operations
– Electric Power
– Airlines
– Manufacturing
– Roll your own
Thank You
Steven H Parker
President, EnergySec
steve@energysec.org
503.905.2923 (desk)
@es_shp (twitter)
www.energysec.org