Security Intelligence for Energy Control Systems

Post on 26-Jun-2015


Chris Poulin, Q1 Labs, CSO

David Swift, Accuvant, Solutions Architect

Twitter: #Q1energy


Agenda

Introductions and Housekeeping

When Refrigerators Attack

Smart Grid – Vulnerabilities and Security Concerns

Energy Sector Zero Days and Logs

Compliance – Best Practices

Q&A


A man is stuck in traffic on his way to work.


He takes his eyes off the road to glance at his phone.


Did I leave the fridge open?


The man taps an app on his smart phone labeled “Home Automation”


Man rolls his eyes and grins at his own obsessive concern


Level Setting: What is the Power Grid?

Power generation

Power transmission

Power Distribution

Consumer

Plug stuff in, turn stuff on

Flows from point of generation to ground

Stored in batteries


Smart Grid Goals

Better interconnection of generators, all sizes & tech

Reduce environmental impact of electric supply system


Smart Grid Goals

Consumers play a part in optimizing the system

Provide consumers with greater info for supply choices

Improve reliability, quality, and security of supply


Smart Grid Goals

Demand response and demand-side resources

Reduce peak demand (demand leveling)

Identify trends to make smarter upgrade decisions


Smart Grid

More accurate and frequent telemetry

Smart meters, Advanced Metering Infrastructure (AMI)

vs traditional meters and Automated Meter Reading (AMR)

2-way communication

Talk to each other RF to RF, eventually to/from a pole


Smart Grid

Distribution side power generation - 2-way energy flow

Intermittent availability (wind, micro-grids, etc)


Smart Grid

No one really knows what the smart grid will look like in the future

Smart Grid = The Cloud


Smart Grid Benefits—Utility Side

Wide-area situational awareness

Enrich measurement data from synchrophasors

Overlay geographic, demographic, weather, intelligence data

Operational: Detect & mitigate problems before consumer is affected (regional transmission organization, public utilities commissions, ISOs)

Security: DHS, MI5


Smart Grid Benefits—Utility Side

Better control of energy distribution

Bring on distribution side power as needed

Regulate A/C units on cloudy days when less energy is generated and don’t need as much A/C

Prepare for 5pm in affluent neighborhoods where all residents plug in their PEVs at the same time

Reduce power outages, rolling blackouts—shut off priority-3 devices, like pool pumps, as needed


Extending the Grid—Into Every Home

Smart meters

Data sent back to the utility companies

Smart appliances

Home Area Networks (HANs)

Plug-in Electric Vehicle (PEV): twice the power of an A/C unit, plus an actual A/C unit

Profiles, cost conscious, most green, etc.

3rd party utility monitoring & management services


Smart Grid Benefits—Consumer Control

Demand Response / Time of use rates

PEV charge off hours or even put energy back in the grid

Delay dishwasher until 2am

Delay refrigerator defrost cycle when A/C usage is lower

Lets you pick where you get your energy

Neighborhood all have solar panels

Green choice

Integrate with smart home systems

HANs, Zigbee, X10

Energy controller, firewall between HAN & smart grid


Smart Grid Attacks / Vulnerabilities

Consumer fraud: swapping meters with your neighbor on holiday

Coffee cans, EMF / Faraday sacs

Meter bypass—jumper cables

Magnet on the side of the meter

No meter data? Charge based on historical average.

Meter usage drop? Correlate with payment history


Notable CIP Security Incidents

2000: Australia water services hack spilled raw sewage into waterways, parks, and grounds of a hotel


Notable CIP Security Incidents: Stuxnet

Virus targeting Iran’s uranium enrichment program.

Thought to be introduced through removable drives

Relies upon new Windows vulnerabilities to propagate

Displays all well to operators while destroying equipment

Reported 100K+ computers infected

“cyberweapon”

Extends beyond the virtual to attack the physical


Notable CIP Security Incidents

CIA claimed in 2008 multiple regions hacked and outage followed by extortion demands

Sep 2007, major disruptions affecting more than 3 million people in dozens of cities in the Brazilian state of Espirito Santo (sooty insulators?)

Jan 2005, cyber attack knocked out power in three cities north of Rio De Janeiro, affecting tens of thousands of people


Notable CIP Security Incidents

April 2009, informal report cyber spies penetrated US electrical grid and left behind time bomb software


Smart Grid Attacks / Vulnerabilities

IOActive created smart meter worm & owned a cadre


Smart Meter Event Monitoring


Increased Risk @ Energy Companies

Data from smart meters, HANs

More personal information

Are used to protecting physical things, infrastructure

Now consumers are participating

New point of entry: smart meters, HANs

Think of all the bots on home computers

Consumer awareness is a key component of smart grid security


CIA? No, AIC

What are utilities doing about security?

Confidentiality, Integrity, Availability

Traditionally, utilities are used to providing ‘A’

To some extent, ‘I’:

Data accuracy: “if line is energized, don’t touch!”

Now, data tampering from smart meters:

e.g., Fake usage data can put a huge load on grid

Confidentiality:

Privacy—who’s using what

Even now, side-channel attacks possible


Side Channel Security Information

Monitor usage and determine:

When fridge is running its defrost cycle

When the coffee maker kicks on

When you run your electric razor

What you’re watching on TV

To some extent, this can be done now

Smart meters give much more granular information


3rd Party Power Monitoring

Google PowerMeter: now retired

Google in power industry?

Bought bulk of power from NextEra—wind power

Other 3rd party power monitoring services:

AlertMe

Blue Ridge Electric Cooperative

Blueline Innovations

Current Cost

Digi

Energy Hub

First:utility

Minnesota Valley Electric Cooperative

Powerhouse Dynamics, Inc.

San Diego Gas & Electric

TED

WattsUp

Wattvision

White River Valley Electric Cooperative

Wisconsin Public Service


Physical Security Information

Awareness—Consumer education

Centralize Security Governance—wildfires, cyber attacks, etc.

Decentralization of infrastructure—things are moving to the field

Information equipment to substations, telephone poles, etc.

SIEM, VA, etc

Physical security concerns

Smart meters can be point of entry


Takeaways

Critical infrastructure is a hot target; Stuxnet proof of vulnerability

The Smart Grid has benefits, but introduces new risks

Utilities are entering a new & unfamiliar role

Expanding beyond physically controlled boundaries is a risk

Now in the information protection business

Consumers are at risk from the Smart Grid

More information = increased intelligence gathering opportunity

… and the Smart Grid is at risk from consumers

Consumer tampering, hacking, & cyber warfare

New points of entry: Smart meters, HANs / consumer network

Smart grid vendors need to build in real security

Subject gear to design & code review, and pen testing

SIEM Services: Energy & Utilities

David Swift, Solutions Architect

Accuvant


Energy Sector Top Concerns

APTs – Advanced Persistent Threats

Morphing code, DNS fast flux changing Command and Control Channels, Google searches for new C&C hosts

May be state or terrorist sponsored, lots of money and resources behind some of these attacks

Compliance – NERC/FERC/NRC/SOX/PCI

Log, review, report and DOCUMENT


How do you find Zero Days and APTs?

Add Context to Events

Use the network hierarchy and remote networks to overlay quick source network and destination network NAMES, not just IP addresses.

Use GEO IP information for quick wins and situational awareness.

Use Reference Lists to check for known attackers, known terminated employees, contractors logging in after hours…


Review Logs

Analyze Volume and Variety

Firewall

Even when signatures don’t trigger, firewalls (when configured to log accepts) provide a record.

Attacks are sloppy, not a single event; look for the spray of bullets: the offender source IP scans the network or target first, with lots of drops.

IDS/IPS

Log Everything

Filter and eliminate in SIEM by comparing Vulnerability Scan/Asset data and Known Attacker/Remote Networks


Review Logs

Look for patterns

Instant messaging logon (IDS event)

IM download (IDS Event)

Anti-Virus/HIPS/FIC event – EVIL FILE

Now we know the source.

Fuzz the logic:

– Look for anyone else talking to the same source /24 CIDR

– Look for the same file name to have been modified on another host

Any Traffic to/from a Known Attacker (remote network or reference list)

Traffic outbound may indicate an already infected system calling home

Any such traffic that is allowed should open an offense


Review Logs

Everything counts in large amounts

Single firewall drop – who cares?

100 firewall drops in 1 minute – Why?

Misconfigurations – noise, chaff that has to be culled

Reconnaissance – phase one of the attack

One IDS event – IM Login – Who cares?

IM Login + File Transfer + Buffer Overflow Attempt – I CARE!
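As an added example (not from the deck, and not Q1 Labs or Accuvant code), the Python below applies the log-review rules above, plus the reference-list check from "Add Context to Events", to a constructed set of firewall and IDS log lines: it finds the source behind a burst of drops, opens an offense for accepted traffic to a known-attacker network, and pivots from an anti-virus "evil file" hit to the IM peer /24 and to other hosts carrying the same file name. The log format, addresses, event names and the reference list are all constructed.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

KNOWN_ATTACKERS = [ip_network("203.0.113.0/24")]  # constructed reference list of attacker networks

# Constructed log, "<ts> <sensor> <event> <src> <dst> <detail>": a 120-drop scan in one minute, an
# accepted outbound connection to a reference-list network, IM logon + transfer, an AV "evil file"
# hit, a second host talking to the same IM /24, and the same file name modified on a third host.
SAMPLE_LOG = [f"2015-06-01T09:00:{i % 60:02d} fw drop 198.51.100.7 10.0.0.{i % 5} tcp/{1000 + i}"
              for i in range(120)] + [
    "2015-06-01T09:05:10 fw accept 10.0.2.15 203.0.113.9 tcp/443",
    "2015-06-01T09:10:00 ids IM_LOGIN 10.0.2.15 192.0.2.40 -",
    "2015-06-01T09:10:30 ids IM_FILE_TRANSFER 10.0.2.15 192.0.2.40 invoice.exe",
    "2015-06-01T09:11:00 av EVIL_FILE 10.0.2.15 - invoice.exe",
    "2015-06-01T09:12:00 fw accept 10.0.2.20 192.0.2.41 tcp/5190",
    "2015-06-01T09:13:00 fic FILE_MODIFIED 10.0.2.31 - invoice.exe",
]

def parse(line):
    """One log line -> dict; the timestamp is truncated to the minute for bucketing."""
    ts, sensor, event, src, dst, detail = line.split(maxsplit=5)
    return {"minute": ts[:16], "sensor": sensor, "event": event, "src": src, "dst": dst, "detail": detail}

def in_nets(addr, nets):
    return addr != "-" and any(ip_address(addr) in n for n in nets)

def drop_bursts(events, threshold=100):
    """Sources with at least `threshold` firewall drops in one minute: the 'spray of bullets'."""
    per_minute = Counter((e["src"], e["minute"]) for e in events if e["event"] == "drop")
    return sorted({src for (src, _), n in per_minute.items() if n >= threshold})

def known_attacker_offenses(events):
    """Accepted traffic to/from a reference-list network; an outbound accept is a host calling home."""
    return [(e["src"], e["dst"], "outbound" if in_nets(e["dst"], KNOWN_ATTACKERS) else "inbound")
            for e in events if e["event"] == "accept"
            and (in_nets(e["src"], KNOWN_ATTACKERS) or in_nets(e["dst"], KNOWN_ATTACKERS))]

def evil_file_pivot(events):
    """From an AV/HIPS/FIC hit, 'fuzz the logic': IM peer /24, other hosts talking to it, same file elsewhere."""
    flagged = [e for e in events if e["event"] == "EVIL_FILE"]
    if not flagged:
        return {}
    victim, fname = flagged[0]["src"], flagged[0]["detail"]
    peers = {e["dst"] for e in events if e["src"] == victim and e["event"].startswith("IM_")}
    nets = {ip_network(f"{p}/24", strict=False) for p in peers}
    same_net = sorted({e["src"] for e in events if e["src"] != victim and in_nets(e["dst"], nets)})
    same_file = sorted({e["src"] for e in events if e["src"] != victim and e["detail"] == fname})
    return {"source": victim, "file": fname, "peer_nets": sorted(map(str, nets)),
            "other_hosts_to_same_net": same_net, "same_file_elsewhere": same_file}
```

Run `evil_file_pivot([parse(l) for l in SAMPLE_LOG])` to see the pivot; a single drop or a lone IM logon produces nothing, while the combination does.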


Improve Defenses Iteratively

Review Events by Signature

Count of HOW MANY this month by signature

And, how many unique hosts triggered the sig

10 from one host – hmm, block it, won’t break anything, might help, and check the host

1,000,000 – disable logging, crappy signature

– Unless – 1 million from < 10 hosts

0 events for a given signature – block it, won’t hurt

Repeat the process each month for each device
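The monthly signature review described above, as an added example (not code from the deck or from any SIEM vendor): a constructed report of per-signature, per-host counts is tallied, listed busiest first with its unique-host count, and each signature gets the slide's decision (block the quiet ones, disable logging for the noisy ones unless the noise comes from fewer than 10 hosts, block and check the host when one host is behind everything). Signature names, hosts and counts are constructed.

```python
from collections import Counter, defaultdict

# Constructed monthly IDS report rows (signature, source host, count); signature names are hypothetical.
SAMPLE_ROWS = ([("SQLI_UNION_SELECT", "10.0.5.7", 10), ("SMB_NULL_SESSION", "10.0.3.1", 4),
                ("SMB_NULL_SESSION", "10.0.3.9", 2), ("DNS_TXT_LARGE", "10.0.7.3", 700_000),
                ("DNS_TXT_LARGE", "10.0.7.4", 400_000)]
               + [("HTTP_LONG_URI", f"10.0.9.{i}", 100_000) for i in range(12)])
# Every signature the device knows, so signatures with zero events this month are reviewed too.
ALL_SIGNATURES = {"SQLI_UNION_SELECT", "SMB_NULL_SESSION", "DNS_TXT_LARGE", "HTTP_LONG_URI", "TELNET_LOGIN"}

def tally(rows):
    """(signature, host, count) rows -> {signature: Counter(host -> count)}."""
    per_sig = defaultdict(Counter)
    for sig, host, n in rows:
        per_sig[sig][host] += n
    return per_sig

def monthly_report(per_sig, all_signatures):
    """(signature, total this month, unique triggering hosts), busiest first, zeros included."""
    rows = [(sig, sum(per_sig.get(sig, {}).values()), len(per_sig.get(sig, {}))) for sig in all_signatures]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def triage(per_sig, all_signatures, noise=1_000_000, few_hosts=10):
    """The slide's rules as {signature: (action, detail)}: 0 events -> block; >= noise events
    from >= few_hosts hosts -> disable logging; >= noise from fewer hosts -> investigate;
    everything from one host -> block it and check that host; otherwise keep monitoring."""
    decisions = {}
    for sig, total, unique in monthly_report(per_sig, all_signatures):
        hosts = per_sig.get(sig, Counter())
        if total == 0:
            decisions[sig] = ("block", "no events this month, blocking won't hurt")
        elif total >= noise and unique >= few_hosts:
            decisions[sig] = ("disable_logging", f"{total} events from {unique} hosts, noisy signature")
        elif total >= noise:
            decisions[sig] = ("investigate", f"{total} events from only {unique} host(s)")
        elif unique == 1:
            decisions[sig] = ("block_and_check_host", next(iter(hosts)))
        else:
            decisions[sig] = ("monitor", f"{total} events from {unique} hosts")
    return decisions
```

Feeding next month's rows through the same functions repeats the process per device, as the slide suggests.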


Compliance Strategy

A successful log management strategy involves a logging tool, documentation, processes, and procedures.

Key Steps:

Define your Scope

Document which devices are in scope for each compliance regulation

Define your Events of Interest (EOI) – and create appropriate reports and alerts to monitor for them

Define an Incident Handling Policy (IH) and process to follow for each EOI

Define Standard Operating Procedures (SOPs) with Service Level Agreements (SLAs), for each EOI and follow-up IH process

Create and Maintain an Audit trail showing both EOIs and IH responses, tracking the mean time to detect (MTD) and mean time to remediate (MTR)

Define the Record of Authority (RoA) for each device in scope for an audit

Document IPs in scope and where the authoritative log source is for each.

Document the retention period, and the auto-destroy policy followed.

More info: info@Q1Labs.com

Twitter: @q1labs @accuvant

Blog: blog.q1labs.com

Thank You!