Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
• THE INFRASTRUCTURE, WHAT IS IT AND WHY IS IT CRITICAL?
• CYBER ATTACKS ON ICS INFRASTRUCTURES
• TYPICAL DCS AND SCADA NETWORK
• Live SCADA Hacking Demonstration
• POSSIBLE SECURITY THREATS AND IMPACTS ON ICS
• COMMON ICS VULNERABILITIES
• RISK, WHAT IS IT AND HOW IS IT CALCULATED?
• SECURITY STRATEGIES
• ISO27001
12/03/2012 2 Protecting DCS and SCADA
• It is the basic physical and organizational structures needed for the operation of a society or enterprise (Wikipedia)
• What makes the infrastructure
– Electricity
– Oil and gas plants
– Telecommunications
– Water treatment plants
– Food productions
– Medical and Health
– Transportation
– Traffic control
– Banks
– Government security
• Why is it critical?
– National security and the economy depend on it
– Supports the modern human life
– Sustains inhabitable environment
– Hard to replace
– Expensive repairs
– Catastrophic impacts
• Obviously it is not new
• Why is it becoming a pressing issue?
– It impacts the whole nation, resulting in loss of life, environment, and billions of dollars.
– Why fight battles when you can do more damage from a single computer?
– Structured cyber attacks are becoming easier as automated tools emerge (BackTrack, malware).
– Becoming more exposed to threats.
– Designed with poor security
Incident events by date from 1982 to June 1, 2006 (The Industrial Ethernet Book, May 2007)
The worm attacks Windows machines and replaces a DLL file used by Siemens systems with a modified DLL that provides the same functions but executes additional code, enabling the attacker to spy on databases and projects and to alter data sent to PLCs.
The affected countries are Iran (58.85%), Indonesia (18.22%), India (8.31%), Azerbaijan (2.57%), United States (1.56%), Pakistan (1.28%), Others (9.2%)
http://en.wikipedia.org/wiki/Stuxnet
http://threatinfo.trendmicro.com/vinfo/web_attacks/Stuxnet%20Malware%20Targeting%20SCADA%20Systems.html
2010
Stuxnet worm
A former IT consultant intentionally tampered with a California oil and gas company’s computer systems, including the system used to detect gas leaks.
http://www.theregister.co.uk/2009/09/24/scada_tampering_guilty_plea/
2009
Disgruntled Employee
After a software update was pushed from the business network to the SCADA network, the SCADA safety system forced an emergency shutdown, costing the Hatch nuclear power plant in Georgia millions of dollars plus substantial repair and restoration expense. The business network was in two-way communication with the plant's SCADA network, and the update synchronized information on both systems, which caused some data related to the cooling system to go missing.
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
2008
Network design
The hacker compromised a Pennsylvania water treatment plant, injected a virus and spyware into its computer systems, and used them to distribute emails and pirated software, which affected water treatment operations.
http://www.gao.gov/assets/270/268137.pdf
2006
Hacker
13 DaimlerChrysler U.S. automobile manufacturing plants were knocked offline for almost an hour
Computer outages at heavy-equipment maker Caterpillar Inc.
Computer outages at aircraft maker Boeing
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
2005
Zotob worm
Crashed the network and disabled the safety monitoring system of the Davis-Besse nuclear power plant in Oak Harbor, Ohio for nearly 5 hours
13,000 ATMs knocked offline in the U.S.
11,000 post office systems knocked offline in Italy
911 service stopped in Seattle
SCADA systems of two U.S. utilities stopped
Flights delayed or canceled at Houston
http://virus.wikia.com/wiki/Slammer
http://www.securityfocus.com/news/6767
2003
Slammer worm
Knocked out the train signaling systems throughout the east coast of the U.S.
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
2003
Sobig email virus
Through a wireless link he broke into the Maroochy Water Services SCADA system in Australia and released 800,000 liters of raw sewage into local parks, rivers and even the grounds of a Hyatt Regency hotel.
http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf
2000 Disgruntled contractor
Controlled the gas flows running in the pipelines of the Russian energy company, Gazprom, for a short time
http://ciip.wordpress.com/tag/scada-incidents/
1999
Hacker
Broke into the Bell Atlantic computer system in Worcester, Massachusetts, and disabled part of the public switched telephone network using a dial-up modem connected to the system. This attack disabled phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. The tower’s main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf
1997
Hacker
Either
• We are doing a better job than 1st and 2nd world countries who invented these technologies.
• Everybody is happy and we don’t have any enemies.
• We don’t care about losses and we are good at covering up.
• Different networks
– Field Network
– Control Network
– Corporate Network
– WAN
• Three-tier architecture
• Challenges
– Management
– Security
– Resources
– Support
– Vendor
– Budget
• Trends
– Cut cost
– Integration
– Centralization
– Consolidation
– Virtualization and Cloud Computing
– Shared Services
– Outsourcing
• Different Security Zones
Security zones diagram: Internet | DMZ | Intranet | Extranet, with Security Control Servers
– Corporate zone: Corporate Business, Corporate Service, IT Services (Corporate Server, Corporate DB)
– Control Center zone: Control and Automation Services, Production Information, Control Information (Control Server, Control DB)
– Field zone: Field Services, Production, Control Data
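The three-tier layout above (Corporate / DMZ / Control Center / Field) is only as good as the rules that enforce its boundaries; the Hatch shutdown in the incident list is what happens when the business network can write straight into the SCADA network. The following is an added example, not code from the original slides, of a small zone-policy checker: flows may cross at most one boundary, and a connection initiated from a less critical zone into a more critical one must use an explicitly approved service. The zone order, the approved-service lists and the sample rules are all constructed assumptions.

```python
"""Zone-boundary policy check for a three-tier ICS network.

Added example, not from the original slides. The zone ordering, the
ALLOWED_INBOUND lists and SAMPLE_RULES are constructed assumptions.
"""
from typing import List, NamedTuple, Optional, Tuple

# Zones ordered from least critical (0) to most critical (4). Adjacent zones
# may talk; anything further apart must be relayed through the zone between
# them (for corporate <-> control that relay point is the DMZ).
ZONES = ["Internet", "Corporate", "DMZ", "Control Center", "Field"]
RANK = {zone: i for i, zone in enumerate(ZONES)}

# Connections initiated from a less critical zone INTO a more critical zone are
# only acceptable for these approved services (assumed lists for the demo).
ALLOWED_INBOUND = {
    "Corporate": {"https", "smtp"},
    "DMZ": {"https", "historian-read"},
    "Control Center": {"historian-read"},   # the DMZ historian may poll; nothing may push
    "Field": {"modbus-tcp", "dnp3"},        # only the control center talks to field devices
}


class Rule(NamedTuple):
    src: str
    dst: str
    service: str


def check_rule(rule: Rule) -> Optional[str]:
    """Return why a rule violates the zone policy, or None if it is acceptable."""
    if rule.src not in RANK or rule.dst not in RANK:
        return "unknown zone"
    src, dst = RANK[rule.src], RANK[rule.dst]
    hops = abs(src - dst)
    if hops > 1:
        relay = ZONES[min(src, dst) + 1]
        return f"crosses {hops} zone boundaries; must be relayed through {relay}"
    # Inbound means: initiated from the less critical side of the boundary.
    if src < dst and rule.service not in ALLOWED_INBOUND[rule.dst]:
        return f"inbound '{rule.service}' into {rule.dst} is not an approved service"
    return None


def violations(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """All rules that break the policy, each paired with the reason."""
    return [(r, reason) for r in rules if (reason := check_rule(r)) is not None]


# Constructed sample rule set. Rules 3 and 4 reproduce the Hatch-style mistake
# of letting business-network software updates flow into the control network.
SAMPLE_RULES = [
    Rule("Corporate", "DMZ", "https"),                       # ok: adjacent, approved
    Rule("Control Center", "DMZ", "historian-push"),         # ok: outbound to less critical zone
    Rule("Corporate", "Control Center", "software-update"),  # violation: two boundaries
    Rule("DMZ", "Control Center", "software-update"),        # violation: unapproved inbound
    Rule("Internet", "Corporate", "smtp"),                   # ok: approved inbound
    Rule("Internet", "DMZ", "https"),                        # violation: two boundaries
]

if __name__ == "__main__":
    for rule, reason in violations(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} ({rule.service}): {reason}")
```

Run against a real firewall export, the same check is a cheap way to find the one "temporary" rule that bridges the corporate and control networks directly.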
Network Penetration: Reconnaissance → Scanning → Gaining Access → Maintaining Access → Covering Tracks → Have FUN
Live SCADA Hacking Demonstration
Possible Threats
• Humans, always the weakest link in the chain
• Natural disasters and extreme conditions.
• Cyber warfare
• Foreign intelligence services.
• Identity theft.
• Malicious code.
• Data and information leakage
• Denial of service.
• Criminals, Hacktivists, terrorists.
• Industrial spies.
Possible Impacts
• Loss
– Life
– Money
– Trust
– Reputation
– Competition
• Disruption
• Destruction
• Disclosure
• Violation
Impact Areas
• Life
• Environment
• Technology
• Business
Threat sources diagram: Natural, Human/Political, Environmental/Physical, Logical/Technical, centred on You
• Weak security controls (design, configuration)
• Poor network design
• Improper input validation
– Buffer overflow
– Injections (SQL injection)
– Cross-site scripting
– Path traversal
• Poor access and identity control
• Weak communication protocols
• Poor authentication
• Code flaws
• Poor patch and change management
• Weak encryption
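Two of the input-validation items in the list, SQL injection and path traversal, are shown below in a constructed HMI/historian web front end, each vulnerable form beside its hardened form. This is an added example, not code from the original slides; the tags table, the report directory and the sample inputs are assumptions made for the demonstration.

```python
"""Improper input validation: SQL injection and path traversal, vulnerable vs hardened.

Added example, not from the original slides. The 'tags' table, REPORT_DIR and
the sample inputs are constructed for the demonstration.
"""
import os
import sqlite3
from typing import List

REPORT_DIR = "/var/ics/reports"   # assumed base directory for downloadable reports


def make_db() -> sqlite3.Connection:
    """In-memory historian tag table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT, value REAL, secret INTEGER)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?)", [
        ("pump1.flow", 12.5, 0),
        ("tank2.level", 71.0, 0),
        ("safety.setpoint", 5.0, 1),   # must never be returned to a web client
    ])
    return conn


def lookup_tag_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    # String concatenation: a crafted name rewrites the query and the
    # 'secret = 0' restriction can be commented out.
    query = "SELECT name FROM tags WHERE name = '" + name + "' AND secret = 0"
    return [row[0] for row in conn.execute(query)]


def lookup_tag_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    # Parameterised query: the input is bound as data and never parsed as SQL.
    rows = conn.execute(
        "SELECT name FROM tags WHERE name = ? AND secret = 0", (name,))
    return [row[0] for row in rows]


def report_path_vulnerable(filename: str) -> str:
    # Joining user input directly: '../' sequences walk out of REPORT_DIR.
    return os.path.join(REPORT_DIR, filename)


def report_path_safe(filename: str) -> str:
    # Normalise first, then confirm the result is still inside REPORT_DIR.
    base = os.path.realpath(REPORT_DIR)
    full = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, full]) != base:
        raise ValueError(f"rejected path outside report directory: {filename!r}")
    return full


def report_name_is_safe(filename: str) -> bool:
    """True if the hardened check accepts the file name."""
    try:
        report_path_safe(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR 1=1 --"   # constructed injection probe for the comparison
    print("vulnerable:", lookup_tag_vulnerable(conn, probe))   # leaks safety.setpoint
    print("safe:      ", lookup_tag_safe(conn, probe))         # []
    print("traversal accepted:", report_name_is_safe("../../etc/passwd"))  # False
```

The hardened path check uses the realpath-then-commonpath pattern rather than scanning for "..", so encoded or nested variants are judged by where the path actually resolves.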
• US National Vulnerability Database
• Open Source Vulnerability Database
• SecurityFocus Vulnerability Database
• Exploit-DB
• Follow a proven approach to risk management (AS/NZS 4360, OCTAVE, NIST SP 800-30, ISO27005)
• Qualitative risk analysis: scenario based, describing the likelihood of a threat/event and its impact on the business.
• Quantitative risk analysis: calculation of ALE; it is very difficult to put a monetary value on unquantifiable variables such as reputation.
Threat model diagram, based on the OWASP model: Threat Agent → Attack / Exploit → Exposure → Threat → Compromised Asset; Threat Source, Weakness/Vulnerability, Safeguards, Assets, Counter Measures, Technical Impact, Business Impact, Risk, Controls
Annual Loss Expectancy (ALE) = Annual Rate of Occurrence × (Asset Value × Percent of Loss)
CC Risk Management Concept Flow
Consequences: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic

Likelihood            1   2   3   4   5
A (almost certain)    H   H   E   E   E
B (likely)            M   H   H   E   E
C (possible)          L   M   H   E   E
D (unlikely)          L   L   M   H   E
E (rare)              L   L   M   H   H

E  Extreme Risk, immediate action
H  High Risk, action should be taken to compensate
M  Moderate Risk, action should be taken to monitor
L  Low Risk, routine acceptance of risk
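The qualitative matrix and the quantitative ALE formula above are worked through in code here, as an added example that is not part of the original slides. It encodes the 5×5 likelihood/consequence matrix, computes ALE as the slide defines it, and adds a safeguard cost/benefit figure so that a control can be justified in the same currency. The asset value, percent of loss, occurrence rates, safeguard cost and the small risk register are constructed assumptions.

```python
"""Qualitative risk matrix and quantitative ALE, worked in code.

Added example, not from the original slides. The scenario numbers and the
REGISTER entries are constructed assumptions.
"""
from typing import Dict, List, Tuple, Union

CONSEQUENCES = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]  # columns 1..5

# One row per likelihood (A almost certain ... E rare), one rating per consequence
# column, exactly as in the matrix on the slide.
MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}
ACTION = {
    "E": "Extreme Risk, immediate action",
    "H": "High Risk, action should be taken to compensate",
    "M": "Moderate Risk, action should be taken to monitor",
    "L": "Low Risk, routine acceptance of risk",
}
SEVERITY = {"E": 3, "H": 2, "M": 1, "L": 0}


def qualitative_rating(likelihood: str, consequence: Union[str, int]) -> str:
    """Matrix cell for likelihood 'A'..'E' and a consequence given by name or number 1..5."""
    if likelihood not in MATRIX:
        raise ValueError(f"unknown likelihood {likelihood!r}")
    col = consequence - 1 if isinstance(consequence, int) else CONSEQUENCES.index(consequence)
    if not 0 <= col < len(CONSEQUENCES):
        raise ValueError(f"consequence out of range: {consequence!r}")
    return MATRIX[likelihood][col]


def annual_loss_expectancy(asset_value: float, percent_of_loss: float, aro: float) -> float:
    """ALE = ARO x (Asset Value x Percent of Loss); percent_of_loss is a fraction 0..1."""
    single_loss_expectancy = asset_value * percent_of_loss
    return aro * single_loss_expectancy


def safeguard_value(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Cost/benefit of a control: positive means the safeguard pays for itself."""
    return (ale_before - ale_after) - annual_safeguard_cost


def worked_scenario() -> Dict[str, float]:
    # Constructed: a control server worth 2,000,000 loses 25% of its value per
    # malware incident; incidents drop from one per 10 years to one per 50 years
    # after a 25,000/year safeguard (application allow-listing plus patching).
    asset_value, percent_of_loss = 2_000_000.0, 0.25
    before = annual_loss_expectancy(asset_value, percent_of_loss, aro=0.1)    # 50,000
    after = annual_loss_expectancy(asset_value, percent_of_loss, aro=0.02)    # 10,000
    return {
        "ale_before": before,
        "ale_after": after,
        "safeguard_value": safeguard_value(before, after, 25_000.0),          # 15,000
    }


# Constructed risk register: (scenario, likelihood, consequence).
REGISTER: List[Tuple[str, str, str]] = [
    ("Control server malware", "C", "Major"),
    ("Spare parts shortage", "D", "Minor"),
    ("Operator console misuse", "B", "Moderate"),
]


def prioritise(register: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Order a register from Extreme to Low using the matrix (stable for ties)."""
    return sorted(register, key=lambda s: SEVERITY[qualitative_rating(s[1], s[2])], reverse=True)


if __name__ == "__main__":
    for name, like, cons in prioritise(REGISTER):
        rating = qualitative_rating(like, cons)
        print(f"{rating}  {name}: {ACTION[rating]}")
    print(worked_scenario())
```

Keeping the matrix as a table of strings makes the code match the slide cell for cell, which is what an auditor will compare it against.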
Identify assets → Identify threats to assets → Identify vulnerabilities that might be exploited by the threats → Identify the impacts on the assets → Analyse and evaluate the risks → Identify and evaluate options for the treatment of risks → Select control objectives and controls
• National ICS Security Strategy
– Establish a Saudi ICS Cyber Emergency Response Team (Saudi ICS-CERT), following the US example of ICS-CERT under US-CERT
• Respond to and analyze control systems related incidents
• Conduct vulnerability and malware analysis
• Provide onsite support for incident response and forensic analysis
• Provide situational awareness in the form of actionable intelligence
• Coordinate the responsible disclosure of vulnerabilities/mitigations
• Share and coordinate vulnerability information and threat analysis through information products and alerts
– Coordinate with Saudi CERT (cert.gov.sa)
• Corporate Security Strategy
– Establish security governance, read the Information Security Governance Guidance for Boards of Directors and Executive Management, 2nd Edition
– Establish Audit Program (ISO 19011), Vulnerability Management, Pen-Tests
– Design with security in mind (Security Zones)
– Follow a proven security framework (ISO27001) and carefully design the scope and objectives.
– Choose certified ICS vendors.
Security governance structure diagram: Board → Steering Committee → GMs (General Managers) and SE
• Enterprise strategy
• Part of enterprise governance
• Executives’ responsibility
• Business requirement
• Support commitment
• Roles and responsibilities are defined
• Based on risk
• Enforced
• Awareness
• Continuous review and enhancement
• Why ISO27001?
• It is applicable to any business or system.
1. Establish the ISMS
1. Get management support.
2. Define scope and objectives
3. Define ISMS policy
4. Define the risk assessment approach
5. Identify the risks
6. Analyse and evaluate the risks
7. Identify and evaluate options for the treatment of risks
8. Select control objectives and controls for the treatment of risks
9. Obtain management approval of the proposed residual risks
10. Prepare a Statement of Applicability
2. Implement and operate the ISMS
3. Monitor and review the ISMS
4. Maintain and improve the ISMS