Transcript of 27 Information Security.pptx [Read-Only] - sandia.gov
27 - Information Security
The Twenty-Seventh International Training Course
27. Information Security
April 29 – May 18, 2018, Albuquerque, New Mexico, USA
SAND2016-8421 TR
Sandia National Laboratories is a multimission laboratory managed and operated by National Technology and Engineering Solutions of Sandia LLC, a wholly owned subsidiary of Honeywell International Inc. for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.
Information Security
Learning Objectives
After completing this module, you should be able to:
• Identify information systems associated with nuclear materials, nuclear facilities, and physical protection systems
• Recognize threats against information systems, including adversary goals and potential attack points
• State the process and guidelines for establishing computer and information security
IAEA Nuclear Security Series 13 (NSS-13)
• 4.10 Computer based systems used for physical protection, nuclear safety and nuclear material accountancy and control should be protected against compromise (e.g. cyber attack, manipulation or falsification) consistent with the threat assessment or Design Basis Threat
Motivation
• Information “insecurity”: Boeing, Lockheed Martin Corporation, Amazon, Yahoo, Target, Ashley Madison, JP Morgan, HBO, Hilton Hotel, etc.
“There are two types of companies: those that have been hacked, and those who don't know they have been hacked.” - John Chambers
Types of Information Systems
Systems where information is stored, used, or transmitted

Mode: People
  Types: knowledge; skills
  Examples: where materials are located; how to handle nuclear materials

Mode: Physical
  Types: paper; equipment
  Examples: policies; procedures; entry control lists; security plans; system design; schedules (e.g., material movements)

Mode: Cyber
  Types: networks; communications; stored data; digital control systems
  Examples: sensor network systems; entry control system; material inventories; safety control systems; plant configuration; smart cameras / motion sensors
Information Age
[figure]
What could go wrong?
[figure: Information Age / Cyber-Physical System; Information Age / Cyber-Physical Age; Cyber-Security Problems]
Threat Trend
• Cyber threat actors are increasingly expanding their capabilities to impact the physical world with high-consequence results
• Examples
  2010 – Stuxnet, example of weaponized cyberwarfare
  2012 – Shamoon, destructive malware that wiped 30,000 to 55,000 workstations of Saudi Aramco
  2014 – Korea Hydro & Nuclear Power attacked; nuclear reactor blueprints and employee information stolen
  2015 and 2016 – Ukrainian power grid cyber attacks, first known examples of shutting down civil infrastructure
• State-sponsored Advanced Persistent Threat (APT)
• Cyberterrorism – Cyber-Physical System (CPS) enabled kinetic attacks
How Is Cyber-Physical Threat Different?

Information Age:
• Propaganda
• Disruption to information, theft of intellectual property (e.g., Sony) and money
• Terrorism enabled by moving “electrons”

Cyber-Physical Age:
• Critical infrastructure
• Disruption to critical infrastructure service, which can result in significant loss of lives and physical assets
• Terrorism enabled by moving physical masses - “cyber jihad” with airplanes, cars, and robots
Computer Systems in Nuclear Facilities

Safety Systems
• Protection systems for automatically initiated reactor and plant protection actions
• Safety actuation systems (initiated by protection systems)
• Emergency power

Safety-related Systems
• Process control
• Control room - controls and alarms
• Fuel handling and storage
• Fire protection systems

Non-Plant Equipment
• Office automation
• External connectivity

Security-related Systems
• Access control systems
• Voice and data communication
• Clearance database
• Alarm monitoring and control
• Computer and network security
• Nuclear accountancy
• Heating, ventilation, and air conditioning (HVAC)
• Industrial control systems (ICS)
Cybersecurity and Physical Security Risks
• Central servers and workstations: usually run Windows operating systems current as of installation, rarely receive security updates, and are not always in protected zones
• Field panels: usually run an embedded operating system, rarely receive security updates, and may be physically accessible
• Communications network: moving almost exclusively to Ethernet and IP (Internet Protocol)
  A wide variety of attack tools already exist
  They require little knowledge to use
How are these located and protected?
An attacker that gains access at any point can use well-known tools to manipulate or deny monitoring
Potential Adversary Goals
• Information gathering for planning further malicious acts (reconnaissance)
• Attack disabling or compromising computers or security / safety control systems (for example, adding an identity)
• Compromise of computers or digital control systems combined with other modes of attack, such as physical intrusion (for example, degrading a sensor's sensitivity, or remotely denying or enabling access to physical assets)
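Two of the adversary goals above, adding an identity to an entry control system and degrading a sensor's sensitivity, are changes that a facility's own audit logs can be watched for. The following is an added example and not course material: detection logic run over a few constructed access-control audit lines. The log format, field names, the approved change window, the set of accounts allowed to enrol badges and the sensitivity threshold are all assumptions made for the example.

```python
"""Detect two adversary actions in access-control audit logs: an identity being added
and a sensor's sensitivity being lowered. Added example; the log format (ISO timestamp,
actor=, action=, key=value arguments), the change window, the enrolment accounts and the
sensitivity floor are assumptions, not any real product's audit format or policy."""
import re
from datetime import datetime, time

# Constructed sample audit lines (hypothetical format).
SAMPLE_LOG = """\
2018-05-02T09:14:05 actor=jsmith action=BADGE_ADD id=4417 zone=PA
2018-05-02T19:30:00 actor=jsmith action=BADGE_ADD id=4418 zone=PA
2018-05-03T02:31:40 actor=svc_backup action=BADGE_ADD id=9901 zone=MAA
2018-05-03T10:02:11 actor=ops1 action=SENSOR_CONFIG sensor=PIR-07 sensitivity=80
2018-05-03T23:47:03 actor=ops1 action=SENSOR_CONFIG sensor=PIR-07 sensitivity=20
2018-05-04T08:00:00 actor=jsmith action=LOGIN result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+actor=(?P<actor>\S+)\s+action=(?P<action>\S+)(?P<rest>.*)$")

CHANGE_WINDOW = (time(8, 0), time(17, 0))   # assumed approved change window (local time)
ACCOUNTS_ALLOWED_TO_ENROL = {"jsmith"}      # assumed: only badge-office staff enrol identities
MIN_SENSITIVITY = 50                         # assumed: anything lower degrades detection


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["args"] = dict(kv.split("=", 1) for kv in rec.pop("rest").split())
    return rec


def in_change_window(ts):
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def analyse(log_text):
    """Return a list of (timestamp, rule, detail) alerts, in log order."""
    alerts = []
    last_sensitivity = {}  # per sensor, so a drop is flagged rather than any change
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, actor, action, args = rec["ts"], rec["actor"], rec["action"], rec["args"]
        if action == "BADGE_ADD":
            # Identity added by an account that should never enrol, or outside the window.
            if actor not in ACCOUNTS_ALLOWED_TO_ENROL:
                alerts.append((ts, "identity-add-unauthorised-actor",
                               f"{actor} added id={args.get('id')}"))
            elif not in_change_window(ts):
                alerts.append((ts, "identity-add-out-of-hours",
                               f"{actor} added id={args.get('id')}"))
        elif action == "SENSOR_CONFIG" and "sensitivity" in args:
            sensor = args["sensor"]
            new = int(args["sensitivity"])
            old = last_sensitivity.get(sensor)
            # Below the floor, or lower than the sensor's previous setting, is a degradation.
            if new < MIN_SENSITIVITY or (old is not None and new < old):
                alerts.append((ts, "sensor-sensitivity-degraded",
                               f"{sensor} {old}->{new} by {actor}"))
            last_sensitivity[sensor] = new
    return alerts


if __name__ == "__main__":
    for ts, rule, detail in analyse(SAMPLE_LOG):
        print(ts.isoformat(), rule, detail)
```

On the constructed log this raises three alerts: the out-of-hours badge enrolment, the enrolment by a service account, and the night-time drop of PIR-07 from 80 to 20. The point of keeping the previous sensitivity per sensor is that an attacker who lowers a threshold in several small steps still trips the rule even if each step stays above the floor.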
Controls for Electric Power Distribution
• A local electrical power supply is typically protected, but it is only as reliable as the control signals
• A distribution utility may not control or fully understand its telecommunications infrastructure
[figure: remote (protected) / local (protected?) / ?????????]
Supply Chain Attack Model
[figure: a generic supply chain. Stages: component designers; foundries / suppliers; contracted manufacturers; designers; assemblers (physical product); integration & testing; firmware and software developers; warehousing (vendor or contract); shipping & cross docking; customer installation; contractors / administrators / manufacturer upgrades & maintenance (hardware or via network); firmware/software storage & manufacturing installation network; existing installation. Annotations: attractive, targeted attacks; specific attacks possible; untargeted attacks possible]
A generic supply chain is shown. Although an operating facility is the goal, supply chain attacks are possible during subcomponent design, integration, testing, and installation
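One concrete control against the firmware/software storage, shipping and installation attack points in the model above is to verify a delivered package against a vendor manifest whose digest was obtained through a channel independent of the package before anything is installed. The following Python is an added example, not code from the course or from any vendor; the manifest format, the package file names and the idea of a pinned out-of-band manifest digest are assumptions, and the sample package is constructed.

```python
"""Verify a delivered firmware/software package against a vendor manifest before installation.
Added example; the manifest format ('<sha256-hex>  <relative path>' per line), the file names
and the out-of-band 'pinned' manifest digest are assumptions. Standard library only."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Return {path: expected sha256 hex} from the assumed manifest format."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        entries[path] = digest.lower()
    return entries


def verify_package(files: dict, manifest_text: str, pinned_manifest_digest: str) -> list:
    """Return a sorted list of findings; an empty list means the package matches the manifest.

    files: {path: bytes} as delivered (e.g. unpacked from the shipping medium).
    pinned_manifest_digest: SHA-256 of the manifest obtained independently of the package
    (assumption: e.g. read from a release note the vendor distributes separately).
    """
    # 1. The manifest itself must match the pinned value; otherwise an attacker who tampered
    #    with the package could simply ship a manifest that matches the tampered files.
    if not hmac.compare_digest(sha256_hex(manifest_text.encode()), pinned_manifest_digest.lower()):
        return ["manifest digest does not match pinned value; do not trust package"]
    expected = parse_manifest(manifest_text)
    findings = []
    # 2. Every listed file must be present with the expected digest.
    for path, digest in expected.items():
        if path not in files:
            findings.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), digest):
            findings.append(f"modified: {path}")
    # 3. Files not in the manifest are just as suspicious (an added loader, an extra DLL).
    for path in files:
        if path not in expected:
            findings.append(f"unexpected: {path}")
    return sorted(findings)


# Constructed sample package: a genuine build, then tampered variants.
GOOD_FILES = {
    "panel/firmware.bin": b"\x7fELF-constructed-firmware-image-not-a-real-binary",
    "panel/config.xml": b"<config><zone>MAA</zone></config>",
}
MANIFEST = "\n".join(f"{sha256_hex(data)}  {path}" for path, data in GOOD_FILES.items()) + "\n"
PINNED = sha256_hex(MANIFEST.encode())  # what the facility recorded out of band


def demo() -> dict:
    """Run the check over the genuine package and three tampering scenarios."""
    tampered = {**GOOD_FILES, "panel/firmware.bin": GOOD_FILES["panel/firmware.bin"] + b"\x90"}
    extra = {**GOOD_FILES, "panel/updater.dll": b"MZ-constructed-dropper"}
    # Attacker rewrites the manifest to match the tampered firmware (digest no longer pinned).
    forged_manifest = "\n".join(f"{sha256_hex(d)}  {p}" for p, d in tampered.items()) + "\n"
    return {
        "good": verify_package(GOOD_FILES, MANIFEST, PINNED),
        "tampered": verify_package(tampered, MANIFEST, PINNED),
        "extra": verify_package(extra, MANIFEST, PINNED),
        "forged_manifest": verify_package(tampered, forged_manifest, PINNED),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

The check is only as strong as the channel that delivered the pinned digest: if the manifest and its digest travel with the package, step 1 proves nothing, which is why the example treats the pinned value as something the facility recorded separately from the shipment.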
Computer Attack Phases
• Goal identification
• Reconnaissance
• System access / compromise
• Attack execution
• Covering of tracks to maintain deniability
Callout: not within the awareness or control of the defender, so active defense must anticipate the adversary and limit information
Increasingly, control system attacks and tools are becoming more sophisticated
Attack Sophistication Graph from NSS-17
[figure]
Energy Companies Compromised
• Dragonfly / Energetic Bear: Windows-based, but targeted at energy companies; successfully exploited thousands of power plants; installs malware, steals data, runs executable files
• BlackEnergy: in development since 2007! Trojan malware and rootkit (gains a foothold and downloads other malware, such as KillDisk); linked to wide-scale power outages in Ukraine
• Nuclear power plant target: December 2014, South Korea's Korea Hydro and Nuclear Power (KHNP) successfully hacked; nuclear power plant design information stolen
• Not new, not hypothetical!
Attacker Tools
• Attack tools can be purchased openly
• Malware targets control systems
• Agora Software – offers “unpatched” vulnerabilities, not detectable by existing virus scanning or malware protection
Stuxnet – Advanced Attack Sophistication
• Successful attack against the “closed” network of a nuclear facility
• Targeted specific machinery, so it was informed by insider reconnaissance
• Software used encrypted network traffic for external command and control
• Software passed standard trust policies (used driver signing keys of two companies)
• Self-propagation - infects additional hosts via 3 alternate paths
A Process for Improving Computer Security
• Requirements
  Follow national legal and regulatory requirements
  Apply relevant IAEA and other international guidance
  Use a graded approach
• Ensure senior management support / adequate resources
  Identify interactions between computer security and facility operation, nuclear safety, and other aspects of site security
  Perform a risk assessment
  Create a computer security policy
• Define a computer security perimeter
• Integrate computer security within the facility’s management system (regularly audit, review and improve the system)
• Select, design, and implement protective computer security measures
• Anticipate the threat (DBT)
Defense in Depth
• Protection requirements should reflect the concept of multiple layers and methods of protection (physical, technical, and administrative)
• Graded approach
Architecture and Design Principles
• Prevent loss of integrity
• Maintain availability
• Ensure confidentiality

Design Considerations
• Protection levels
• Access levels
• External connectivity
• System interfaces
• Zone borders enforced with decoupling mechanisms
  Prevents unauthorized access and error propagation
  Technical and administrative measures ensure decoupling
Protection Measure Options
• Administrative controls
  Training
  Policies and procedures (for example, password management)
  Principle of least privilege
• Physical protection of information system assets
  Lock rooms or cabinets where computer systems or digital control systems are located
  Limit access to areas where computer systems or network components, particularly servers, are located, such as outdoor wiring cabinets
• Mitigation / recovery
  Periodic backups made, protected at the same level as the original
  Recovery from backups is tested
Technical Controls
• Network design and configuration management
• Detection and logging
• Firewalls and routers
• Zone enforcement with firewalls, data diodes, or air gap
Virus protection – for analyzing data for malicious signatures
Encryption – for data in storage and during transport
Authentication – for knowing who is doing what, and attribution
State of health – validating that technical controls are functioning as expected
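The design principle of zone borders enforced with decoupling mechanisms (Architecture and Design Principles above) and the zone enforcement control on this slide can be checked against what the network is actually carrying. The following Python is an added example, not course material: a graded set of zones, the decoupling mechanism declared on each border, and a list of constructed observed flows evaluated against that policy. The zone names and levels, the boundary devices, the permitted inbound services and the flows are all assumptions made for the example.

```python
"""Check observed network flows against a graded zone model with declared decoupling
mechanisms (data diode or firewall) on each border. Added example; zones, levels, boundary
devices, permitted services and the observed flows are constructed assumptions."""
from dataclasses import dataclass

# Assumed graded zones: a lower level number means a higher protection requirement.
ZONE_LEVEL = {"SAFETY": 1, "SECURITY": 2, "PLANT_OFFICE": 3, "CORPORATE": 4, "INTERNET": 5}


@dataclass(frozen=True)
class Boundary:
    high: str                                  # zone with the higher protection requirement
    low: str
    kind: str                                  # "diode" (one-way, high -> low only) or "firewall"
    inbound_allowed: frozenset = frozenset()   # (protocol, port) a firewall may pass low -> high


# Assumed decoupling mechanism declared on each border; no other borders exist.
BOUNDARIES = [
    Boundary("SAFETY", "SECURITY", "diode"),
    Boundary("SECURITY", "PLANT_OFFICE", "firewall", frozenset({("tcp", 443)})),  # badge-office web UI
    Boundary("PLANT_OFFICE", "CORPORATE", "firewall", frozenset({("tcp", 25)})),
    Boundary("CORPORATE", "INTERNET", "firewall", frozenset()),
]


def find_boundary(a, b):
    for bd in BOUNDARIES:
        if {bd.high, bd.low} == {a, b}:
            return bd
    return None


def evaluate_flow(src, dst, proto, dport):
    """Return (verdict, reason) for a connection initiated from zone src to zone dst."""
    if src == dst:
        return ("allow", "intra-zone")
    bd = find_boundary(src, dst)
    if bd is None:
        # Adjacent levels only: a flow that skips a zone has no mechanism decoupling it.
        return ("deny", "no declared boundary between zones (level-skipping flow)")
    if src == bd.high:
        # High -> low is the direction a diode passes and a firewall normally permits.
        return ("allow", f"outbound through {bd.kind}")
    # Low -> high: a diode passes nothing inbound; a firewall only the listed services.
    if bd.kind == "diode":
        return ("deny", "inbound across data diode")
    if (proto, dport) in bd.inbound_allowed:
        return ("allow", f"inbound {proto}/{dport} permitted by firewall policy")
    return ("deny", f"inbound {proto}/{dport} not in firewall policy")


# Constructed observed flows (as a firewall or NetFlow export would show them).
OBSERVED = [
    ("SAFETY", "SECURITY", "udp", 514),         # syslog out through the diode
    ("PLANT_OFFICE", "SECURITY", "tcp", 443),   # permitted badge-office access
    ("PLANT_OFFICE", "SECURITY", "tcp", 3389),  # RDP into the security zone
    ("SECURITY", "SAFETY", "tcp", 102),         # attempt to reach a safety PLC through the diode
    ("INTERNET", "PLANT_OFFICE", "tcp", 443),   # skips the corporate zone entirely
    ("CORPORATE", "CORPORATE", "tcp", 445),
]


def violations(flows=OBSERVED):
    """Return the observed flows the zone policy does not permit, each with its reason."""
    out = []
    for f in flows:
        verdict, reason = evaluate_flow(*f)
        if verdict == "deny":
            out.append((f, reason))
    return out


if __name__ == "__main__":
    for flow, reason in violations():
        print(f"DENY {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {reason}")
```

Three of the constructed flows violate the policy: RDP from the plant office into the security zone, a connection from the security zone toward the safety zone (a diode passes nothing in that direction), and a flow from the Internet straight to the plant office, for which no border exists at all. Run periodically against real flow exports, the same comparison is a state-of-health check on the zone borders themselves.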
Key Takeaways
• Various types of information systems and cyber-physical systems exist, and all of them need to be protected
• Adversaries can use a number of different cyber tools to attack a system
• Access to any part of the system can cause systems to not function as intended
• Create and use a graded approach that requires different sets of protection measures to satisfy the security requirements for information systems at a given level
• Use the DBT model to anticipate threat actors