Transcript of Cyber security Meetup Colombo, 26th September 2019: Even “Air gapped” systems can be vulnerable
CYBER SECURITY MEETUP
COLOMBO, 26TH SEPTEMBER 2019
WHAT ARE INDUSTRIAL CONTROL SYSTEMS (ICS)?
Computer based systems that control physical devices:
Traffic lights,
Pumps,
Motors,
Electrical distribution switches
WHERE TO FIND THEM IN SRI LANKA?
Electrical Grid
Power plants
Water systems (water purification, waste water treatment, irrigation)
Industrial applications
Building managements
Data centers
Transportation systems (airport, trains, traffic lights)
CRITICAL INFRASTRUCTURE IS INCREASINGLY IN FOCUS
What is critical infrastructure? The US DHS identifies 16 critical sectors:
Chemical
Communications
Dams
Emergency Services
Financial Services
Government Facilities
Information Technology
Transportation Systems
Commercial Facilities
Critical Manufacturing
Defense Industrial Base
Energy
Food and Agriculture
Healthcare and Public Health
Nuclear Reactors, Material and Waste
Water and Wastewater
INDUSTRIAL CONTROLS ARE INHERENTLY VULNERABLE
Based on open protocols
Most are based on decades old designs
Security was never thought about
Inherently trusting of other devices on the control network
Often installed and left untouched for a long time (many years)
Few updates made as any change brings the risk of interrupting production
VULNERABILITIES ARE EVERYWHERE
Recent advisories from the US Department of Homeland Security ICS-CERT:
https://ics-cert.us-cert.gov/advisories
All these new disclosures are from the month of September 2019.
ICS ARE CONNECTED
Many IT / Operation managers believe their systems are “air gapped”. However, most systems are connected:
Directly to the outside world:
Web servers
VPN for remote diagnostics / engineering
Indirectly via corporate networks:
Historians
MES systems
VPN
“Jump servers”
ICS CONNECTIVITY WILL INCREASE
DRIVEN BY “PLANT DIGITIZATION” OR “INDUSTRIAL IOT”, ALSO CALLED “INDUSTRY 4.0 (4IR)”
THIS IS THE PROMISE OF EFFICIENCY GAINS IN PRODUCTION PROCESSES VIA THE USE OF “BIG DATA”:
DIRECT PROCESS EFFICIENCY GAINS DUE TO PROCESS AND OPERATIONS OPTIMIZATION
PREVENTATIVE AND PREDICTIVE MAINTENANCE
CREATION OF NEW PRODUCTS
THIS IS BASED ON THE COLLECTION, ANALYSIS, AND SHARING OF INDUSTRIAL DATA
ICS ARE VULNERABLE TO IT ISSUES
Linux vulnerability
TLS vulnerability
Probably many more
SPECIFIC THREATS ALSO EXIST
“CrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850.
As CrashOverride is a second stage malware capability and has the ability to operate independent of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing.”
Source: ICS-CERT
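The quote above makes the point that host-based detection may not catch a second-stage payload before it acts, which is why watching the control protocol itself matters. As an added example, not from the talk or from ICS-CERT, here is a minimal IEC 60870-5-104 (IEC104) APDU parser that raises an alert when a control command is issued by a host that is not the known HMI; the frames, addresses and allowlist are constructed for illustration.

```python
# Added example (not from the talk): minimal IEC 60870-5-104 APDU parser that alerts
# when a control command comes from a host other than the known HMI. All frames,
# addresses and the allowlist are constructed for illustration.
from typing import Optional

# ASDU type identifiers that carry commands (standard IEC 60870-5-101/104 values)
CONTROL_TYPES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 48: "C_SE_NA_1",
                 49: "C_SE_NB_1", 50: "C_SE_NC_1", 58: "C_SC_TA_1", 59: "C_DC_TA_1",
                 100: "C_IC_NA_1", 103: "C_CS_NA_1", 105: "C_RP_NA_1"}
COT_ACTIVATION = 6                       # cause of transmission: activation
ALLOWED_CONTROL_SOURCES = {"10.1.1.10"}  # constructed: the plant's HMI address

def parse_apdu(data: bytes) -> Optional[dict]:
    """Decode one I-format APDU; return None for S/U-format or malformed frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        return None                      # bad start byte or APDU length field
    if data[2] & 0x01 or len(data) < 16:  # S/U-format carries no ASDU; need IOA+1 element
        return None
    type_id, vsq = data[6], data[7]
    cot = data[8] & 0x3F                 # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = data[10] | (data[11] << 8)
    ioa = data[12] | (data[13] << 8) | (data[14] << 16)
    return {"type_id": type_id, "n_objects": vsq & 0x7F, "cot": cot,
            "common_addr": common_addr, "ioa": ioa,
            "select": bool(data[15] & 0x80)}   # S/E bit of the command qualifier

def check_frame(src_ip: str, data: bytes) -> Optional[str]:
    """Return an alert line if a control activation comes from an unexpected host."""
    asdu = parse_apdu(data)
    if asdu is None or asdu["type_id"] not in CONTROL_TYPES:
        return None
    if asdu["cot"] == COT_ACTIVATION and src_ip not in ALLOWED_CONTROL_SOURCES:
        phase = "select" if asdu["select"] else "execute"
        return (f"ALERT {src_ip}: {CONTROL_TYPES[asdu['type_id']]} {phase} "
                f"to ASDU addr {asdu['common_addr']} IOA {asdu['ioa']}")
    return None

# Constructed traffic: HMI station interrogation; an unknown host sending a single
# command 'execute ON' to IOA 0x001001 on station 1; a U-format STARTDT act frame.
SAMPLE_FRAMES = [
    ("10.1.1.10", bytes.fromhex("680e00000000" "64010600" "0100" "000000" "14")),
    ("10.1.1.77", bytes.fromhex("680e02000200" "2d010600" "0100" "011000" "01")),
    ("10.1.1.10", bytes.fromhex("680407000000")),
]

def scan(frames=SAMPLE_FRAMES) -> list:
    """Run every captured frame through the check and collect the alert lines."""
    return [alert for src_ip, frame in frames if (alert := check_frame(src_ip, frame))]
```

The parser handles only the single-object case (SQ=0) that command ASDUs normally use; a production monitor would also baseline which IOAs each host is allowed to command.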
THERE ARE MANY TYPES OF THREATS ACTORS
Internal threat (“disgruntled” employees, knowledgeable contractors, etc.)
Hacktivist
“independent” hackers
Organized Crime
State actors: intelligence agencies, military organizations, state sponsored hacking groups, etc.
NONE OF THEM CAN BE IGNORED!!!
You may not be a target of choice but your organization could be a target of opportunity or just collateral damage.
INTERNAL: WASTE MANAGEMENT SYSTEM - AUSTRALIA
ICS contractor rejected for permanent job
Modified ICS system program repeatedly while company was trying to troubleshoot.
Dumped millions of liters of sewage in parks, rivers and the grounds of a hotel.
2 years in jail
INTERNAL: LA TRAFFIC SYSTEM
In 2006, a pair of LA traffic engineers hacked traffic lights to cause gridlock as part of a labor protest.
HACKTIVISTS
Try to exert political pressure through cyber compromise.
Usually not ICS related, minimal damage.
• State of Michigan Website - Flint Water crisis
• North Carolina government website – transgender law
• City of Baton Rouge website – after fatal police shooting
This could change …
HACKERS
Just because they can…
Usually not targeting a particular organization, just looking for easy targets.
They can still do real damage.
ICS seen as an interesting “play ground” as they are usually not so hard to penetrate.
ORGANIZED CRIME
“…the attackers used a spear phishing campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords.”
Operators lost control of the plant and were asked to pay a ransom to get control back.
ORGANIZED CRIME: RANSOMWARE - WANNACRY
230,000 computers in 150+ countries infected within 24 hours
STATE ACTORS: LESSONS FROM STUXNET
Even “Air gapped” systems can be vulnerable
STUXNET WAS NOT THE FIRST CYBER WEAPON
August 2008 -
“Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line. The main weapon at valve station 30 on Aug. 5, 2008, was a keyboard.”
STATE ACTORS: PETYA
TERRORISM IS A NEW CYBER SECURITY THREAT
ADVANCED THREATS CAN BECOME COMMON QUICKLY
NSA tools used for over a decade, then disclosed by the “Shadow Brokers”
Used a month later in WannaCry for ransomware and in EternalRocks (worm demonstration? Doesn’t seem to cause real damage)
WEAPON IN FUTURE CONFLICTS
Future conflicts will use as many cyber “weapons” as “kinetic” ones.
Critical infrastructure is a target
Not picking on the US, but the documented information typically comes from there. Russia, Iran, North Korea and many other nations are all very active in this area.
FIVE MYTHS OF INDUSTRIAL CONTROL SYSTEMS SECURITY
We’re not connected to the internet
We’re secure because we have a firewall
Hackers don’t understand SCADA/DCS/PLC
Our facility is not a target
Our safety systems will prevent any harm
WHAT CAN BE DONE? BEST PRACTICE
We need to harden our systems so that inherent vulnerabilities do not lead to large scale compromise: basic cyber hygiene
Patch management
End-point protection (Anti-virus)
Application whitelisting
Log monitoring (SIEM)
Backup management
But this is not entirely realistic in an OT environment!
No “reboot time window” available
Hard to keep anti-virus patterns up to date
Requires IT skilled personnel
Old software may not have patches available.
Any change brings risk of stopping operations
IIOT CYBERSECURITY NATIONAL POLICY?
TICK TOCK?
https://www.youtube.com/watch?v=8ThgK1WXUgk
https://www.youtube.com/watch?v=bV47gBsrDkc