Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
1 like644 views
The document discusses the critical importance of infrastructure systems like power plants, water treatment facilities, and transportation. It notes that these systems now face growing cybersecurity risks like Stuxnet and other attacks that could endanger lives and cause billions in damages. The document provides examples of past attacks on infrastructure systems dating back to the 1990s that impacted facilities like power plants and water treatment. It emphasizes that infrastructure systems are becoming more exposed to threats as they become more networked and integrated.
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
- 2. • THE INFRASTRUCTURE, WHAT IS IT AND WHY IS IT CRITICAL? • CYBER ATTACKS ON ICS INFRASTRUCTURES • TYPICAL DCS AND SCADA NETWORK • Live SCADA Hacking Demonstration • POSSIBLE SECURITY THREATS AND IMPACTS ON ICS • COMMON ICS VULNERABILITIES • RISK, WHAT IS IT AND HOW TO CALCULATED? • SECURITY STRATEGIES • ISO27001 12/03/2012 Protecting DCS and SCADA 2
- 3. • It is the basic physical and organizational structures needed for the operation of a society or enterprise (Wikipedia) • What makes the infrastructure – Electricity – Oil and gas plants – Telecommunications – Water treatment plants – Food productions – Medical and Health – Transportation – Traffic control – Banks – Government security • Why is it critical? – The national security and economy depends on it – Supports the modern human life – Sustains inhabitable environment – Hard to replace – Expensive repairs – Catastrophic impacts 12/03/2012 Protecting DCS and SCADA 3
- 4. • Obviously it is not new • Why it is becoming a pressing issue? – It impacts the whole nation, resulting in loss of life, environment, and billions of dollars. – Why fighting battles while you can from a single computer do more damage? – Structured cyber attacks are becoming easier as automated tools are emerging (backtrack, malware). – Becoming more exposed to threats. – Designed with poor security Incident events by date from 1982 to June 1, 2006 THE INDUSTRIAL ETHERNETBOOK, May 2007 12/03/2012 Protecting DCS and SCADA 4
- 5. 2010 Stuxnet worm The worm attacks windows machines and replaces a DLL file used by Siemens systems with a modified DLL file that provides the same functions but executes additional code which enables the attacker to spy on databases and projects and alter data sent to PLCs. The affected countries are Iran (58.85%), Indonesia (18.22%), India (8.31%), Azerbaijan (2.57%), United States (1.56%), Pakistan (1.28%), Others (9.2%) http://en.wikipedia.org/wiki/Stuxnet http://threatinfo.trendmicro.com/vinfo/web_attacks/Stuxnet% 20Malware%20Targeting%20SCADA%20Systems.html 12/03/2012 Protecting DCS and SCADA 5
- 6. 2009 Disgruntled Employee Former IT consultant intentionally tampered with California’s oil and gas company computer systems, one of them is the system used to detect gas leaks http://www.theregister.co.uk/2009/09/24/scada_tampering_gu ilty_plea/ 12/03/2012 Protecting DCS and SCADA 6
- 7. 2008 Network design After pushing software update from business network to SCADA network, the SCADA safety system forced an emergency shutdown causing Hatch nuclear power plant in Georgia millions of dollars and substantial expense of repair and restoration. The business network was in two-way communication with the plant's SCADA network and the update synchronized information on both systems which caused missing some data related to the cooling system. http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf 12/03/2012 Protecting DCS and SCADA 7
- 8. 2006 Hacker The hacker exploited Pennsylvania’s water treatment plant and injected virus and spyware into the computer systems and used them to distribute emails and pirated software which affected water treatment operations http://www.gao.gov/assets/270/268137.pdf 12/03/2012 Protecting DCS and SCADA 8
- 9. 2005 Zotob worm 13 DaimlerChrysler’s U.S. automobile manufacturing plant was knocked offline for almost an hour Computer outages at heavy-equipment maker Caterpillar Inc. Computer outages at aircraft maker Boeing http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf 12/03/2012 Protecting DCS and SCADA 9
- 10. 2003 Slammer worm Crashed the network and disabled the safety monitoring system of Davis-Besse nuclear power plant in Oak Harbor, Ohio for nearly 5 hours 13,000 ATMs knocked offline in U.S. 11,000 Postal knocked office offline in Italy 911 service stopped in Seattle SCADA of two U.S. utilities stopped Flights delayed or canceled at Huston http://virus.wikia.com/wiki/Slammer http://www.securityfocus.com/news/6767 12/03/2012 Protecting DCS and SCADA 10
- 11. 2003 Sobig email virus Knocked out the train signaling systems throughout the east coast of the U.S. http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf 12/03/2012 Protecting DCS and SCADA 11
- 12. 2000 Disgruntled contractor Through wireless link he broke into Maroochy’s Water Services SCADA system in Australia, and released 800,000 liters of raw sewage into local parks, rivers and even the grounds of a Hyatt Regency hotel. http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Marooc hy-Water-Services-Case-Study_report.pdf 12/03/2012 Protecting DCS and SCADA 12
- 13. 1999 Hacker Controlled the gas flows running in the pipelines of the Russian energy company, Gazprom, for a short time http://ciip.wordpress.com/tag/scada-incidents/ 12/03/2012 Protecting DCS and SCADA 13
- 14. 1997 Hacker Broke into the Bell Atlantic computer system in Worcester, Massachusetts, and disabled part of the public switched telephone network using a dial-up modem connected to the system. This attack disabled phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport. The tower’s main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress. The attack also knocked out phone service to 600 homes and businesses in the nearby town of Rutland http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf 12/03/2012 Protecting DCS and SCADA 14
- 15. Either • We are doing a better job than 1st and 2nd world countries who invented these technologies. • Every body is happy and we don’t have any enemies. • We don’t care about losses and we are good at covering up. 12/03/2012 Protecting DCS and SCADA 15
- 16. • Different networks Internet – Field Network DMZ Extranet – Control Network Internet Security Control – Corporate network Intranet – WAN • Three-tier architecture Em Ad En De • Challenges – Management Cor. Con. Corporate Servers – Security Server Server – Resources – Support Cor. DB Con. DB – Vendor – Budget • Trends Control Control Center Corporate Field – Cut cost Center – Integration Business Control and Automation Field Services – Centralization Services – Consolidation Corporate Service Production Production Information – Virtualization and Could Computing – Shared Services IT Services Control Control Data Information – Outsourcing • Different Security Zones Field Gaining Maintainin Covering Have Reconnaissance Scanning Access g Access Tracks FUN Network Penetration 12/03/2012 Protecting DCS and SCADA 16
- 17. Live SCADA Hacking Demonstration 12/03/2012 Protecting DCS and SCADA 17
- 18. Possible Threats Possible Impacts • Humans, always the weakest link in the chain • Loss • Natural disasters and extreme conditions. • Life • Cyber warfare • Money • Foreign intelligence services. • Trust • Identity theft. • Reputation • Malicious code. • Competition • Data and information leakage • Disruption • Denial of service. • Destruction • Criminals, Hacktivists, terrorists. • Disclosure • Industrial spies. • Violation Natural Impact Areas Human/Political • Life Environmental/Physical • Environment Logical/Technical • Technology You • Business 12/03/2012 Protecting DCS and SCADA 18
- 19. • Weak security controls (design, configuration) • Poor network design • Improper input validation – Buffer overflow – Injections (SQL injection) – Cross-site encryption – Path traversal • Poor access and identity control • Weak communication protocols • Poor authentication • Code flaws • Poor patch and change management • Weak encryption US National Vulnerability Database Open Source Vulnerability Database SecurityFocus Vulnerability Database Exploit-DB 12/03/2012 Protecting DCS and SCADA 19
- 20. Consequences Catastrophic Insignificant Moderate • Minor Major Follow a proven approach to risk management (AS/NZ 4360, OCTAVE, NIST SP 800-30, ISO27005) Likelihood 1 2 3 4 5 • Qualitative Risk analysis: Scenario based that describes the likelihood of threat/event and A (almost certain) H H E E E its impact on the business. B (likely) M H H E E • Qualitative Risk analysis: calculation of ALE, very difficult to put monetary value on C (possible) L M H E E unquantifiable variables such as reputation. D (unlikely) L L M H E E (rare) L L M H H Annual Loss Expectancy = Annual Rate of Occurrence X (Asset Value X Percent of Loss) E Extreme Risk, immediate action High Risk, action should be taken to H Identify Identify and compensate Select vulnerabiliti evaluate Moderate Risk, action should be taken Identify Identify the Analyse and control es that options for M Identify Assets threats to impacts on evaluate objectives assets might be the assets the risks. the and to monitor exploited by treatment controls the threats of risks L Low Risk, routine acceptance of risk Risk Weakness/ Counter Technical Business Threat Source Vulnerability Safeguards Assets Measures Impact Impact Threat Agent Attack / Exploit Exposure Compromised Asset Controls Threat Based OWSAP Model CC Risk Management Concept Flow 12/03/2012 Protecting DCS and SCADA 20
- 21. Board • National ICS Security Strategy – Establish Saudi ICS Cyber Emergency Response Team (Saudi ICS-CERT) based on US- CERT example, the ICS-CERT • Respond to and analyze control systems related incidents Steering Committee • Conduct vulnerability and malware analysis • Provide onsite support for incident response and forensic analysis SE • Provide situational awareness in the form of actionable intelligence • Coordinate the responsible disclosure of vulnerabilities/mitigations GM GM • Share and coordinate vulnerability information and threat analysis through GM GM information products and alerts – Coordinate with Saudi CERT (cert.gov.sa) Enterprise strategy • Corporate Security Strategy Part of enterprise governance – Establish security governance, read the Information Security Governance Guidance Executives’ responsibility for Boards of Directors and Executive Management, 2nd Edition Business requirement – Establish Audit Program (ISO 19011), Vulnerability Management, Pen-Tests Support commitment – Design with security in mind (Security Zones) Roles and responsibilities are defined – Follow a proven security framework (ISO27001) and carefully design the scope and Based on risk objectives. Enforced Awareness – Choose certified ICS vendors. Continuous review and enhancement 12/03/2012 Protecting DCS and SCADA 21
- 22. • Why the ISO27001? • It is applicable on any business or system. 1. Establish the ISMS 1. Get management support. 2. Define scope and objectives 3. Define ISMS policy 4. Define the risk assessment approach 5. Identify the risks 6. Analyse and evaluate the risks 7. Identify and evaluate options for the treatment of risks 8. Select control objectives and controls for the treatment of risks 9. Obtain management approval of the proposed residual risks 10. Prepare a Statement of Applicability 2. Implement and operate the ISMS 3. Monitor and review the ISMS 4. Maintain and improve the ISMS 12/03/2012 Protecting DCS and SCADA 22