Emerging SCADA and Security Solutions

July 25, 2014

Presented by: Michael F. Graves, P.E. and Chris Murphy, CISSP

• Improved 4G Communications
• Mobile Devices
• Cyber Security Threats
• Cyber Security Guidance

Topics

• When is 4G acceptable
  – Urban areas with 4G service
  – Fiber is not available
  – Cost is an issue
  – Some video is needed

• Not necessarily a more secure communication approach
  – Secure the endpoints with firewalls, etc.

4G Communications

Presentation Notes
Chris will present more on the security aspects later.

• Single modem with single service provider
• Relatively simple to install
• Relatively low-cost way to extend networks to remote locations
• Point-to-point connectivity
• Can handle data and a couple of cameras
• Uptime availability is relatively low (about 97% to 99%)

Typical Modem Installations

Presentation Notes
Point to point: sender and receiver modems configured for a specific peer IP address or protocol. This makes it more difficult for other devices to communicate with the modem, but it is an address filter, not authentication: source addresses can be spoofed and a compromised peer still has full access, so pair it with firewalls on both endpoints and an encrypted tunnel (VPN) across the carrier network. 4G LTE bandwidth ranges from about 10 Mbit/s in typical deployments up to a theoretical LTE-Advanced peak of 1 Gbit/s.

• Multiple Provider Networking
  – Uses typical 4G modem or modems
  – System uses multiple providers to increase uptime reliability to over 99.99%
  – Requires a 3rd-party device to monitor signals, switch providers, and auto-reboot
  – Increases data usage by about 10%

Newer Installation Method

[Diagram: 4G modem(s) with two SIMs behind a 3rd-party monitoring device, serving the site devices: cameras, PLCs and access control]
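The switching logic such a monitoring device needs, together with the availability arithmetic behind the slide's move from 97-99% to over 99.99%, as an added example that is not part of the presentation. Carrier names, RSSI thresholds, failure counts and the readings fed in are assumptions for illustration; a real device would derive `probe_ok` from an ICMP or TCP check toward the SCADA master and would act on a modem power relay where this code only records a "reboot" event.

```python
from dataclasses import dataclass, field


def combined_availability(*availabilities):
    """Availability of independent links in parallel: the site is down only when
    every link is down at the same moment. Two links at 97% and 99% give
    1 - 0.03 * 0.01 = 99.97%; two at 99% give 99.99%. Assumes independent
    outages, which is optimistic when carriers share a tower or backhaul."""
    unavailable = 1.0
    for a in availabilities:
        unavailable *= 1.0 - a
    return 1.0 - unavailable


@dataclass
class Link:
    name: str                  # carrier / SIM label (names below are assumed)
    rssi_dbm: float = -120.0   # last reported signal strength
    probe_ok: bool = False     # last end-to-end probe toward the SCADA master succeeded
    failures: int = 0          # consecutive failed health checks


@dataclass
class FailoverController:
    """Decision logic of a monitoring device between the modem(s) and the site LAN:
    keep probing every link (which is where the extra ~10% of data goes), switch
    after a run of failures on the active link, and power-cycle a modem that stays
    dead. Thresholds are illustrative assumptions."""
    links: list
    rssi_floor_dbm: float = -100.0   # weaker than this counts as unusable
    switch_after: int = 3            # consecutive failures before switching
    reboot_after: int = 6            # consecutive failures before a modem reboot
    active: str = ""
    events: list = field(default_factory=list)

    def __post_init__(self):
        if not self.active:
            self.active = self.links[0].name

    def _link(self, name):
        return next(l for l in self.links if l.name == name)

    def _healthy(self, link):
        return link.probe_ok and link.rssi_dbm >= self.rssi_floor_dbm

    def observe(self, name, rssi_dbm, probe_ok):
        """Feed one health-check result; returns the link that should carry traffic."""
        link = self._link(name)
        link.rssi_dbm, link.probe_ok = rssi_dbm, probe_ok
        link.failures = 0 if self._healthy(link) else link.failures + 1
        if link.failures >= self.reboot_after:
            self.events.append(f"reboot {name}")   # a real device toggles modem power here
            link.failures = 0
        self._maybe_switch()
        return self.active

    def _maybe_switch(self):
        if self._link(self.active).failures < self.switch_after:
            return
        standby = [l for l in self.links if l.name != self.active and self._healthy(l)]
        if standby:   # never switch blindly onto a link whose own probe is failing
            best = max(standby, key=lambda l: l.rssi_dbm)
            self.events.append(f"switch {self.active} -> {best.name}")
            self.active = best.name


if __name__ == "__main__":
    print(f"two links at 97% and 99%: {combined_availability(0.97, 0.99):.4%}")
    ctl = FailoverController([Link("carrierA"), Link("carrierB")])
    ctl.observe("carrierB", -80.0, True)
    ctl.observe("carrierA", -75.0, True)
    for _ in range(3):
        active = ctl.observe("carrierA", -110.0, False)
    print(active, ctl.events)
```

The controller only switches onto a standby link whose own probe is passing; if both carriers are down it keeps the current one and eventually reboots its modem, which is the failure mode a single-SIM installation cannot recover from at all.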

• SCADA systems are undergoing a shift
  – Makes them easier to use
  – Makes them less secure
• Major vendors have mobile apps for Apple and Android devices
• Some offer extensions to customer apps for customers to monitor smart meters and contact customer service
• Data monitoring (read-only) versus control-capable configurations
• Virtualization technologies are upcoming

Mobile Devices

• Can use 4G and Wi-Fi connectivity
  – 4G if mobility outside of the plant is needed
  – Wi-Fi for use inside the plant
• Security concerns
  – Guidelines
  – Hacking
  – Theft or loss of device
  – Social engineering
• 3rd-party review

Connectivity and Security

Presentation Notes
Hand off from Mike to Chris.

• SCADA systems are more vulnerable than in the past
  – Unprecedented connectivity allows for new risks
• Not just hackers in basements
  – Disgruntled staff
  – State-sponsored actors
  – Organized crime (foreign and domestic)

SCADA/ICS Cyber Security

Presentation Notes
From Wired (http://www.wired.com/2011/11/hackers-destroy-water-pump/): Forensic evidence indicates that the hackers may have been in the system as early as September, according to the "Public Water District Cyber Intrusion" report, released by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10. The intruders launched their attack from IP addresses based in Russia and gained access by first hacking into the network of a software vendor that makes the SCADA system used by the utility. The hackers stole usernames and passwords that the vendor maintained for its customers, and then used those credentials to gain remote access to the utility's network.

Note that DHS and the FBI subsequently found no evidence of an intrusion at Curran-Gardner: the Russian IP address belonged to a contractor for the utility's SCADA integrator who had logged in remotely while travelling, and the pump failure was unrelated. The attack path the report described is still worth the slide, because a vendor holding remote-access credentials for all of its customers is a single point of compromise.

From "Two U.S. Water Utilities Hacked in the Same Month": It is believed that the attackers breached the IT systems of the company that either manages or makes the SCADA systems used at Curran-Gardner and stole customer usernames and passwords. The attackers then used this information to infiltrate the Curran-Gardner SCADA system. The ink wasn't dry on Joe's news when a twenty-something hacker using the name "pr0f" or "@pr0f_srs" published information of a successful penetration of the South Houston Water Utility. This attacker used an unrelated technique to gain access to the water utility and then posted several screenshots of the control system on PasteBin, including this one:

pr0f later said the system was an Internet-exposed Siemens Simatic HMI protected by a three-character password.

• Managed to compromise a number of strategically important organizations for spying purposes
• If they had used the sabotage capabilities open to them, they could have caused damage or disruption to energy supplies in affected countries
• Targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers

Example: Cybersecurity Threat Intelligence

Campaigns against the energy sector by the group called Energetic Bear or Dragonfly

Presentation Notes
The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.

From the CrowdStrike Global Threat Report 2013 (http://www.crowdstrike.com/sites/all/themes/crowdstrike2/css/imgs/platform/CrowdStrike_Global_Threat_Report_2013.pdf): ENERGETIC BEAR / Dragonfly is an adversary group with a nexus to the Russian Federation that conducts intelligence collection operations against a variety of global victims with a primary focus on the energy sector. CrowdStrike Intelligence has tracked this adversary since August 2012; public reports in September 2013 brought additional campaigns from this adversary to light in the form of an SWC [strategic web compromise] operation targeting organizations in the energy sector. Subsequent investigation revealed that the SWC tactic appears to be this adversary's preferred delivery vector; however, there is also evidence that it leverages exploits for popular document readers such as Adobe Reader.

• Havex malware: Remote Access Trojan (RAT)
  – Used by Dragonfly
  – Samples found that were customized to enumerate SCADA networks
  – Distributed by email to specific employees as a PDF attachment
  – Distributed through compromised legitimate and vendor websites
  – Legitimate ICS software installers on vendor download sites were replaced with versions that had Havex embedded

Everyone is Vulnerable

Firewalls, antivirus, and intrusion detection are good but hackers are clever.

Presentation Notes
Custom code in Havex gives it the capability to query OLE for Process Control (OPC) servers. Backdoor.Oldrea is also known as Havex or the Energetic Bear RAT. Infected emails had one of two subject lines, "The account" or "Settlement of delivery problem", and all of the emails were from a single Gmail address.

From ICS-CERT alert ICS-ALERT-14-176-02A (http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A):

F-Secure and ICS-CERT identified and analyzed one payload that enumerates all connected network resources such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system resources within the network. The known components of the identified Havex payload do not appear to target devices using the newer OPC Unified Architecture (UA) standard. In particular, the payload gathers server information that includes Class Identification (CLSID), server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. In addition to more generic OPC server information, the Havex payload also has the capability of enumerating OPC tags. Specifically the server is queried for tag name, type, access, and id.

ICS-CERT is currently analyzing this payload; at this time ICS-CERT has not found any additional functionality to control or make changes to the connected hardware. It is important to note that ICS-CERT testing has determined that the Havex payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications.

OPC provides an open standard specification that is widely used in process control, manufacturing automation, and other applications. The technology facilitates open connectivity and vendor equipment interoperability. The original version of the OPC specification, referred to as OPC classic, was implemented using Microsoft's COM/DCOM (Distributed Component Object Model) technology. In 2006, the OPC Foundation released a new standard, referred to as OPC Unified Architecture (UA), which does not use COM/DCOM.
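A detection sketch for the OPC enumeration behaviour the alert describes, added here as an example and not part of the presentation or the ICS-CERT alert. OPC Classic rides on DCOM, whose endpoint mapper listens on TCP/135, so a host that is not a known OPC client contacting TCP/135 on several control-system hosts in a short window is a reasonable thing to alert on. The flow records, addresses, allowlist and thresholds below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (not real logs): "<timestamp> <src> <dst> <dport>".
SAMPLE_FLOWS = """\
2014-07-25T10:00:01 10.1.5.10 10.1.7.10 135
2014-07-25T10:00:02 10.1.5.10 10.1.7.11 135
2014-07-25T10:00:03 10.1.5.10 10.1.7.12 135
2014-07-25T10:00:05 10.1.5.23 10.1.7.10 135
2014-07-25T10:00:40 10.1.5.23 10.1.7.11 135
2014-07-25T10:01:15 10.1.5.23 10.1.7.12 135
2014-07-25T10:02:00 10.1.9.4 10.1.7.10 135
2014-07-25T10:02:01 10.1.9.4 10.1.7.10 445
2014-07-25T11:00:00 10.1.5.23 10.1.7.13 135
"""

# Assumed asset inventory: the HMIs/engineering stations that legitimately talk OPC,
# and the hosts running OPC Classic servers.
KNOWN_OPC_CLIENTS = {"10.1.5.10", "10.1.5.11"}
OPC_SERVERS = {"10.1.7.10", "10.1.7.11", "10.1.7.12", "10.1.7.13"}
DCOM_ENDPOINT_MAPPER = 135   # OPC Classic (COM/DCOM) connections start here


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_opc_sweeps(flows, window=timedelta(minutes=5), min_targets=3):
    """Map each suspicious source to the OPC servers it swept.

    A source is suspicious when it is not a known OPC client and reaches at least
    min_targets distinct OPC servers on TCP/135 within any sliding window."""
    hits = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport == DCOM_ENDPOINT_MAPPER and dst in OPC_SERVERS and src not in KNOWN_OPC_CLIENTS:
            hits[src].append((ts, dst))
    alerts = {}
    for src, events in hits.items():
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in detect_opc_sweeps(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible OPC enumeration from {src}: {', '.join(targets)}")
```

In the sample the allowlisted HMI sweeping all servers produces nothing, the unknown workstation 10.1.5.23 is flagged on its third server within the window, and a single TCP/135 connection from another host is ignored. ICS-CERT's observation that the payload crashes common OPC platforms gives a second signal worth correlating: unexplained OPC server restarts around the time of such a sweep.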

Software Defined Radios (SDR)
• Traditionally implemented by expensive hardware
• Now instead software-defined components
• Makes RF hacking very affordable ($50 to $400)
• SCADA systems vulnerable (especially older hardware)

Emerging Threats

Presentation Notes
Smart meters, which use the Zigbee standard, are particularly vulnerable to signal capture, the consultants claim. Chosen for its energy efficiency, Zigbee has been routinely compromised. Keys are transmitted in the clear, transmissions are prone to interference, and in the event of a signal jam, frequency hopping capabilities are poor. Attempts have been made to secure Zigbee through authorisation and pre-configured security keys but both require additional system management.

SDR works by capturing radio frequency signals using a high-speed ADC (Analogue to Digital Converter) enabling the direct digitisation of the radio frequency signal which can then be analysed by a DSP (Digital Signal Processor) before being converted into an output data stream. The user can analyse slices of spectrum at their leisure, looking for carriers and modulated signals and go on to isolate the preamble and the payload, or message headers if searching for data streams, for instance.

There are a variety of SDRs on the market but the USRP (Universal Software Radio Peripheral) is the tool of choice as it allows both reception and transmission which, when coupled with open source software such as GNU Radio, allows the creation of advanced radio systems. This uses a USB 2.0 interface, an FPGA and high-speed ADCs and DACs, to generate a sampling and synthesis bandwidth a thousand times that of a PC sound card, extending the reach of the equipment and enabling wideband operation.

The only way of protecting a wireless device from an SDR attack at present is to ensure that it has been designed, configured and deployed to resist over-the-air attacks. Very few vendors of such equipment will give this type of assurance so independent testing is currently the only option until the industry applies itself to developing a solution. Understanding exactly what radio systems have been deployed and ensuring adequate risk assessments have been conducted is an essential first step.

From Hackaday, on rtlamr: [BeMasher] was dissatisfied with the cost of other solutions to read his smart meter, so he made a project to read it himself using an rtl-sdr dongle. Using his hacking and reverse engineering skills along with a $20 RTL-SDR dongle, [BeMasher] wrote rtlamr to automatically detect and report the consumption information reported by smart meters within range. Though designed for his Itron C1SR, [BeMasher] claims that any electronic receiver transmitter (ERT) capable smart meter should work. [BeMasher]'s Itron C1SR smart meter broadcasts both interval data and standard consumption in the 915MHz ISM band using a Manchester encoded, frequency hopping spread spectrum protocol. [BeMasher] used the RTL-SDR dongle to do the signal capture and analysed the resulting signal in software afterwards. [BeMasher] did a great job of going through the theory and implementation of analysing the resulting data capture, so be sure to check it for an in-depth analysis.
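What a meter reader such as rtlamr has to do once the radio has delivered a stream of chips: find a sync word and Manchester-decode the frame behind it. The following is an added example, not code from the presentation, from Hackaday or from rtlamr; the sync word, frame layout and XOR checksum are placeholders chosen for illustration rather than the real ERT framing, and the capture is constructed. Searching for the Manchester-encoded sync word in the chip stream settles the half-bit alignment that a decode-then-search approach would otherwise have to guess.

```python
SYNC_BITS = "11100101"   # placeholder sync word (assumption, not the real ERT preamble)
PAYLOAD_BITS = 40        # assumed frame: 16-bit meter id + 16-bit reading + 8-bit XOR checksum


def manchester_encode(bits):
    """IEEE 802.3 convention: 0 -> '10' (high-to-low), 1 -> '01' (low-to-high)."""
    return "".join("01" if b == "1" else "10" for b in bits)


def manchester_decode(chips):
    """Inverse of manchester_encode; a '00' or '11' pair means a mis-aligned or corrupted frame."""
    if len(chips) % 2:
        raise ValueError("odd chip count")
    bits = []
    for i in range(0, len(chips), 2):
        pair = chips[i:i + 2]
        if pair == "01":
            bits.append("1")
        elif pair == "10":
            bits.append("0")
        else:
            raise ValueError(f"invalid Manchester pair {pair!r} at chip {i}")
    return "".join(bits)


def xor_checksum(bits):
    """Toy integrity check over whole bytes (the real protocol uses a stronger code)."""
    acc = 0
    for i in range(0, len(bits), 8):
        acc ^= int(bits[i:i + 8], 2)
    return acc


def build_frame(meter_id, reading):
    body = f"{meter_id:016b}{reading:016b}"
    return SYNC_BITS + body + f"{xor_checksum(body):08b}"


def parse_payload(bits):
    """Split the 40 payload bits into (meter_id, reading), rejecting a bad checksum."""
    body, chk = bits[:32], int(bits[32:], 2)
    if xor_checksum(body) != chk:
        raise ValueError("checksum mismatch")
    return int(body[:16], 2), int(body[16:], 2)


def find_frames(chips):
    """Scan a chip stream; returns (list of (meter_id, reading), count of rejected frames)."""
    pattern = manchester_encode(SYNC_BITS)
    frames, errors = [], 0
    i = chips.find(pattern)
    while i != -1:
        start = i + len(pattern)
        end = start + 2 * PAYLOAD_BITS
        if end > len(chips):
            break
        try:
            frames.append(parse_payload(manchester_decode(chips[start:end])))
            i = chips.find(pattern, end)        # skip past a good frame
        except ValueError:
            errors += 1                          # corrupted frame: resume the search
            i = chips.find(pattern, i + 1)
    return frames, errors


def sample_capture():
    """Constructed chip stream: idle carrier, a good frame, idle, a frame with one flipped chip."""
    idle = "1" * 9
    good = manchester_encode(build_frame(0x1A2B, 4321))
    bad = list(manchester_encode(build_frame(0x1A2B, 4322)))
    flip = 2 * len(SYNC_BITS)                   # first chip after the sync word
    bad[flip] = "1" if bad[flip] == "0" else "0"
    return idle + good + idle + "".join(bad) + idle


if __name__ == "__main__":
    frames, errors = find_frames(sample_capture())
    print(f"decoded {frames}, rejected {errors} corrupted frame(s)")
```

The flipped chip turns a valid pair into "00", which the decoder rejects instead of silently producing a wrong reading; a real receiver additionally has to track the meter's frequency hopping before any of this applies.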

Executive Order 13636: Improving Critical Infrastructure Cybersecurity
• Develop a technology-neutral voluntary cybersecurity framework
• Promote and incentivize the adoption of cybersecurity practices
• Increase the volume, timeliness and quality of cyber threat information sharing
• Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
• Explore the use of existing regulation to promote cyber security

Presidential Policy Directive-21: Critical Infrastructure Security and Resilience directs the Executive Branch to:
• Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
• Understand the cascading consequences of infrastructure failures
• Evaluate and mature the public-private partnership
• Update the National Infrastructure Protection Plan
• Develop a comprehensive research and development plan

Cybersecurity Policy and Guidance

Presentation Notes
Major push and initiatives by the federal government, including Presidential Policy Directive-21. FEMA is providing over $11,000,000 in grants for organizations to get cybersecurity training.

• NIST Cybersecurity Framework: technology-neutral guide for critical infrastructure sectors to organize cybersecurity initiatives and programs
• NIST SP 800-53: guidelines for selecting and specifying security controls for the federal government; many organizations in private industry use NIST SP 800-53 as a guide for their own security management
• NIST SP 800-82 rev. 2 (initial public draft, May 2014): Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations such as Programmable Logic Controllers (PLC)
• ISO/IEC 27001: a specification for an information security management system (ISMS); catalogs a wide range of controls and other measures relevant to information security
• ISA-62443 series: complements ISO/IEC 27001 with ICS-specific guidance, such as segregating business and ICS networks into zones and conduits

Cybersecurity Guidance

Presentation Notes
Plenty of help and guidance is out there. Each of these documents offers a different level of guidance and standards for securing networks. All are still generic and do not take into account specific business needs or vendor equipment.

Questions?