Transcript of: Cyber Security Challenges in the Energy Context
-
Cyber Security Challenges in the
Energy Context
Guido Gluschke
Institute for Security and Safety (ISS) at the Brandenburg University of Applied Sciences, Germany
NISS / NATO ENSE CoE
Kyiv, 17 March 2016
-
Introduction
Guido Gluschke
Co-Director Institute for Security and Safety at the Brandenburg University of Applied Sciences
30+ years experience in computer technology
15+ years experience in security management in critical infrastructures, in particular energy sector
7+ years experience in security management at nuclear power plants (NPP)
Program manager for joint activities with UN, IAEA, OSCE, EU and NATO
Member of the Energy Expert Cyber Security Platform - Expert Group of the European Commission DG-ENERGY
Member of IAEA International Nuclear Security Education Network (INSEN)
-
EC DG ENER
Cyber Security Expert Group
3.1.1. Mission and duties of the EECSP-Expert Group
The mission of the EECSP-Expert Group is to provide
guidance to the Commission on policy and regulatory
directions at European level, addressing the energy sector
key points including infrastructural issues, security of
supply, smart grids technologies as well as nuclear.
EECSP = Energy Expert Cyber Security Platform
-
International Cyber Activities
ISS Is Involved
Supporting international organisations with our expertise:
Cooperation with Think Tanks and NGOs:
-
Literature On The Cyber-Energy
and Cyber-Nuclear Complex
coming soon
-
Capacity Building On Cyber
And Nuclear Security
Developed by
Brandenburg University
of Applied Sciences
together with IAEA.
-
Four Nuclear IT/Cyber Security
Professional Development Courses
-
Four Nuclear IT/Cyber Security
PDCs 2012-2014
4 Nuclear IT/Cyber Security PDCs
59 Participants
21 Countries
• Austria
• Canada
• Egypt
• Ghana
• Iraq
• Jamaica
• Jordan
• Kenya
• Malaysia
• Morocco
• Nigeria
• Poland
• Republic of Macedonia
• Russian Federation
• South Africa
• South Korea
• Tanzania
• Thailand
• UK
• Ukraine
• US
-
ISS Support of Locked Shields
Cyber Exercise 2015 at NATO
CCDCoE in Tallinn
The backup power generator was part of an attack scenario in which generators were to be destroyed by a cyber attack.
Virtualization / simulation with real ICS equipment
DHS / INL Aurora Project
-
Locked Shields 2015
Virtual Blue Team Environment:
Drone Research Facility
-
Focus
Energy sector - Electricity
-
Computer Security Domains Related
To A Nuclear Power Plant
Administration (Office IT)
Control Room (Office IT and I&C)
Nuclear section (Digital I&C)
Internet
IT = Information Technology
I&C = Instrumentation & Control
-
Computer Security Domains Related
To An Electricity Grid Infrastructure
Administration (Office IT)
Control Room (Office IT and ICS)
Grid (ICS)
Internet
IT = Information Technology
ICS = Industrial Control Systems
Transformer Station
-
Detection and Identification of
Systems Relevant To Energy
-
Identified Systems
-
Trend of ICS Internet
Connectivity
Source: Collaborative research project with Berlin Free University 2012
to detect Industrial Control Systems connected to the Internet
-
Trend of Targeted Attacks with
Advanced Persistent Threats
Agent.btz
Animal Farm
Aurora
Black Energy
Carbanak
Cloud Atlas
CosmicDuke
Crouching Yeti
Dark hotel
Desert Falcons
Duqu
Epic Turla
Equation
FinSpy
Flame
Gauss
Hacking Team RCS
Icefog
Kimsuky
Machete
Madi
MiniDuke
MiniFlame
NetTraveler
Red October
Regin
SabPub
Shamoon
TeamSpy
The Mask / Careto
Winnti
Wiper
Source: https://apt.securelist.com/#secondPage
-
Advanced Persistent Threats Against
Energy Sector
Source: Symantec Security Response Documents
Example Dragonfly: 3-phase attack over 14 months
-
In Nuclear: Design Basis Threat
(DBT) Methodology
A DBT is the State’s description of a representative set of
attributes and characteristics of adversaries, based upon
(but not necessarily limited to) a threat assessment, which
the State has decided to use as a basis for the design and
evaluation of a physical protection system.
A DBT is a description of the attributes and characteristics of potential insider and outsider adversaries who might attempt a malicious act, such as unauthorized removal or sabotage, against which a physical protection system for nuclear or other radioactive material or associated facilities is designed and evaluated.
Adversary attributes considered in a DBT:
• Motivation, Willingness, Intentions
• Funding, Support structure, Modes of transportation
• Group Size, Tools, Weapons, Explosives
• Knowledge, Skills, Tactics, Insider threat issues
-
Design Basis Threat (DBT)
Responsibilities
Figure: a scale from Low Threat Capabilities to High Threat Capabilities, with examples along the scale: attack by single person, terrorist attacks, military attacks (beyond DBT). The Design Basis Threat marks the Maximum Threat Capability against which protection will be reasonably ensured: up to the DBT is Operator Responsibility; beyond DBT is State Responsibility.
-
How to handle cyber in DBT?
OR
Source: Michael Beaudette, WINS workshop Toronto March 2012
-
The ISS perspective
Cyber
Military
-
Cyber Military Threat Groups
The Nation State's Dilemma
In the western hemisphere, military attacks against nuclear installations are typically beyond DBT.
They are assigned to the nation state; in any case the licensee is not responsible for protecting its plant against these threats.
This view can be argued by the following paradigms:
• Military weapons are controlled by the nation-state
• Theft, as well as illegal movement, illegal import, or illegal use of military weapons should be detected/tracked by nation-state intelligence services
• In case of use, military activities have to be fended off by nation-state forces
-
Cyber As A Powerful Weapon
Chart: Feasibility (difficult to easy) plotted against Probability (low to high) for weapon types: nuclear, chemical, biological, radiological, conventional/physical, cyber.
-
Simple Model
Figure: four zones from the Internet inwards (Zone 1 Internet, Zone 2 Administrative zone, Zone 3 Operational zone / Main Control Room, Zone 4 Reactor-near zone) with three attack classes:
A Highly targeted: Targeted against particular component/system
B Targeted: Targeted against particular organization/facility
C Untargeted: Not targeted against particular organization/facility (Random target/Target of opportunity)
-
Characteristics
Figure: the four-zone model (Zone 1 Internet to Zone 4) with attack classes A (Highly targeted), B (Targeted) and C (Untargeted), characterised by: Motivation, Willingness, Intention, Funding, Support, Logistics, Planning, Knowledge.
A Highly targeted: Military-style adversary
B Targeted: Traditional adversary groups
C Untargeted: Everyone else
A Highly targeted*: no prevention, advanced detection and response
B Targeted**: extended prevention, advanced detection and response
C Untargeted: standard prevention, detection and response
*State-of-the-art is definitely not enough
**State-of-the-art is most likely not enough
-
Consequences
Figure: the four-zone model (Zone 1 Internet to Zone 4) with attack classes A (Highly targeted), B (Targeted) and C (Untargeted).
A Highly targeted: can be understood through exercises/simulation
B Targeted: can be understood through incident analysis
C Untargeted: can be understood through technical press
A Highly targeted: Threat is not understood
B Targeted: Threat is basically understood
C Untargeted: Threat is well understood
Figure annotations: New cyber weapons come closer to nuclear protection goals; Increased insider knowledge.
-
Highly Targeted: Beyond State?
Targeted: Beyond DBT?
• In the physical world 'physical threat boundaries' exist
• There is always something more
• In general, understanding/definition of this limit is necessary
Figure: nested levels: Within License for Nuclear Facility, Beyond DBT, Beyond State Level.
-
Room For "Beyond DBT" and "Beyond
State" In Cyber
For cyber the "Maximum Threat Capability" could be
considered as "Threats, a nation state by itself is unable to
defeat", for example:
• DoS: When a state has no capability to handle massive DDoS
attacks
• Encryption: When a state has no capability to evaluate if an
encryption is strong enough for its intended purpose
• Malware: When a state has no detection mechanism for zero
day exploits or advanced malware
• Supply Chain: When a state is not able to detect if computer
systems within the supply chain are free of malware
-
Cyber Security = (Complexity x Malicious Intent) / (Competency x Readiness)
What Do We Need?
Cyber Security Education / Capacity Building
Cyber Security Exercises / Readiness
Cyber Security Expertise
Cyber Security Awareness / Culture
Trust / Transparency / Confidence Building Measures
International Cooperation
-
Trends and Research Areas
• Understanding the infrastructures and dependencies, modelling the threats and risks
• Digitalisation of analog elements in all relevant domains, such as physical protection systems
• New technology trends with increasing internet-dependency
• New operational models for energy sector, such as turn-key solutions or virtual power plants
• Cyber as a new domain of military actions
• Industrial Control Systems (ICS) as new targets
-
Thank you for your attention!
Guido Gluschke
www.uniss.org