Overload: Critical Lessons from 15 Years of ICS Vulnerabilities


Transcript of Overload: Critical Lessons from 15 Years of ICS Vulnerabilities

© 2013 Belden Inc. | belden.com | @BeldenInc | Copyright © FireEye, Inc. All rights reserved.

Overload: Critical Lessons from 15 Years of ICS Vulnerabilities

Presented by Allison Wong, CISSP


Industrial Environments Face Unique Security Challenges

• Security governance often not clear
• Differing priorities
  − Physics vs Information
  − Reliability and predictability vs C-I-A
  − Safety vs Intellectual Property
• Core technology challenges
  − No security visibility
  − Unauthenticated protocols
  − Unauthenticated firmware loads
  − Unauthenticated control logic

3 Keys to Success

1. Complete: must bring IT and OT together
2. Balance priorities: must maintain uptime of the industrial processes being controlled
3. Practical: must meet real challenges


Industrial Security Incident Types

• Misconfigurations – network, control logic
• Lack of process visibility – sensor failure, alarm overload
• Unintentional propagation of malware – USB, email, Web
• Malicious insiders – disgruntled or compromised employees/contractors
• Intentional outside attack – enthusiasts, hacktivists, competitors, criminals, nation-states


Financial Implications: It’s the plant that makes the money

• Oil pipeline shut down for 6 hours after software is accidentally uploaded to a PLC on the plant network instead of the test network (net impact: $250K)
• 13 auto assembly plants were shut down by a simple Internet worm; 50,000 workers stop work for 1 hour while the malware is removed (net impact: $14M)
• Operators at a major USA nuclear power plant forced to “scram” the reactor after cooling drive controllers crashed due to “excessive network traffic” (net impact: $2M)


Common Mistakes and Misconfigurations

Recent Mandiant ICS Healthchecks uncovered:
• Unpatched or misconfigured firewalls
• BYOD/guest Wi-Fi network with a route to the ICS zone
• Evidence of web browsing in the ICS zone
• Unexplained Internet-bound requests
• Traffic direct from the business network to the ICS zone
• Limited segmentation between ICS zones


FireEye iSIGHT Intelligence


Intelligence Cycle

1. Identify Intelligence Requirements

2. Collect/Research

3. Analyze

4. Disseminate


ICS Threat History Timeline (the slide’s timeline runs from Theoretical to Actual)

2003: 1st SCADA security presentation at a hacker conference
2004: 1st PLC vulnerability disclosures
2009: 1st verified ICS-specific malware (Stuxnet)
2012: Actors reconnoitering for SCADA – get *SCAD*.*
2012: 1st major ICS vendor compromise (Telvent)
2013: Reconnaissance of ICS ports/protocols (Shodan/others scanning)
2014: Malware enumeration of ICS – reading OPC tags (Koala)
2014: Targeting ICS engineers/integrators via watering holes (Koala)
2014: Exploitation of HMI vulnerabilities (Sandworm/GE reports)
2015: Actor selling access to compromised ICS
2015: Attacks with kinetic consequence (Sandworm/Ukraine utilities)


Overall increasing trend in ICS-specific vulnerability disclosures

In 2015 we identified 371 disclosures. As of April 2016, we are tracking nearly 1600.

Two large disclosures in 2015:
• August: 56 vulnerabilities in OSIsoft Data Archive
• September: 36 vulnerabilities in Yokogawa products

[Chart: ICS-specific vulnerability disclosures per year, 2000 to 2015; y-axis 0 to 400]


Espionage Activity

During Q1 2016 we reported on 10 espionage actors from various geographies.


Activity Sample: Sandworm Team in Ukraine

Sandworm Team demonstrated moderate capability to attack industrial processes:
• First power outages recognized as resulting from an intentional cyber attack
• Disparate regions, separate companies
• At least 57 substations, 339 towns and villages, 225,000 total customers


2016 Q1 Hacktivist Activity

• Cyber Caliphate Army’s claimed attack on surveillance cameras had the highest potential consequence.
• The physical attacks at the Brussels airport and metro station in March lend additional credibility to such a scenario.


Ransomware Activity: Rising trend

• At organizations that operate ICS
• Ransomware masquerades as an Allen-Bradley file
• Cerber, Cryptowall, TorrentLocker, TeslaCrypt
• “Stampado” ransomware offered inexpensively
• FireEye Horizons: Nations Adopting Cyber Crime Extortion Tools for Compellence


2016 ICS Attack Research

• Researcher Details Vibration Attacks Against Industrial Facilities
• Simple to Exploit Vulnerability in Schneider Electric Modicon PLCs Leads to Loss of Process Control
• Default ICS Password List Marginally Increases Ease of Attack


2016 ICS Threat Developments

• US Planned Cyber Attacks on Iranian Infrastructure
• 'Intranet Framework' Seeks to Sell Remote Access to SCADA Systems
• Actor Seeks Exploit for Rockwell Automation Software and Controllers


2016 ICS Defense Developments

• CPNI Releases Guidance for Improving Security in the Built Environment
• Researcher Proposes ICS Patching Strategy
• New Books Highlight ICS Defensive Strategies
• FDA Releases Draft Guidance Focusing on Cyber Security in Postmarket Medical Devices


Lessons Learned? Reducing Your Risk

• Get a plan and program for ICS security
  − Merge IT and OT governance efforts
  − Experts to assess and recommend
• Inventory your control systems
  − Software
  − Controllers
  − Function/impact
• Segment your network
  − Review firewall placement and rules
  − Review router configurations



Simplified Purdue Model / ISA Reference Architecture

[Diagram: levels L0, L1, L2, L3, L4]


Tripwire Enterprise and FireEye AX


FireEye/Mandiant’s ICS Healthcheck Assessment Process

Activity 1: Architecture workshops
• Speak with plant management/staff to gain an understanding of the ICS network
• Draw a network diagram of the ICS
• Overlay potential cyber security threats and attacks on the diagram

Activity 2: Firewall configuration review
• Obtain configurations of firewalls and switches at the site and go through them line by line
• Perform automated and manual analysis on the configurations to look for security misconfigurations and flaws

Activity 3: Analyze network traffic with FireEye PX
• Collect full packet capture and flow data from the ICS network (usually from the site’s main switch)
• Look for anomalous or undesirable connectivity to the Internet or the business network

Activity 4: Analyze log data with FireEye Threat Analytics Platform (TAP)
• Collect any relevant log sources from the ICS environment (examples: VPN, authentication, firewall, syslog, Windows events)
• Apply intelligence, rules, analytics, and frequency analysis to identify malicious or anomalous activity
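As an added illustration (not from the deck, and not FireEye PX or Belden code), the following script runs the kind of check Activity 3 describes over flow records, flagging the three healthcheck findings named earlier in the deck that flow data can reveal: direct business-to-ICS traffic, Internet-bound requests from the ICS zone, and web browsing from the ICS zone. The zone prefixes, their rough mapping to Purdue levels, and the flow records are constructed sample data.

```python
import ipaddress
from collections import namedtuple

# One flow record: source address, destination address, destination port, protocol.
Flow = namedtuple("Flow", "src dst dport proto")

# Assumed zone plan with hypothetical prefixes, loosely following the Purdue levels on
# the slide: ICS stands for L0-L2 (controllers, HMIs), DMZ for L3, BUSINESS for L4.
ZONES = {
    "ICS": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/16"),
    "BUSINESS": ipaddress.ip_network("10.30.0.0/16"),
}
WEB_PORTS = {80, 443, 8080}  # destination ports treated as evidence of web browsing

def zone_of(addr):
    """Name the zone an address belongs to; public addresses map to INTERNET."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET" if ip.is_global else "UNKNOWN"

def review_flows(flows):
    """Return (finding, flow) pairs for the healthcheck findings testable from flow data."""
    findings = []
    for f in flows:
        src, dst = zone_of(f.src), zone_of(f.dst)
        if src == "BUSINESS" and dst == "ICS":
            findings.append(("direct business-to-ICS traffic", f))
        if src == "ICS" and dst == "INTERNET":
            findings.append(("Internet-bound request from ICS zone", f))
        if src == "ICS" and dst != "ICS" and f.proto == "tcp" and f.dport in WEB_PORTS:
            findings.append(("web browsing from ICS zone", f))
    return findings

# Constructed sample records standing in for flow data exported from the site's main switch.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.1.5", 502, "tcp"),    # HMI to PLC over Modbus/TCP inside ICS: expected
    Flow("10.30.5.17", "10.10.1.5", 502, "tcp"),    # business workstation straight to a PLC
    Flow("10.10.1.20", "8.8.8.8", 53, "udp"),       # HMI resolving names on a public resolver
    Flow("10.10.1.21", "10.20.0.10", 80, "tcp"),    # engineering host browsing to a DMZ server
    Flow("10.10.1.20", "10.20.0.10", 514, "udp"),   # syslog forwarded to the DMZ: expected
]

if __name__ == "__main__":
    for finding, flow in review_flows(SAMPLE_FLOWS):
        print(f"{finding}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```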


Joint Customer Benefit Examples

• Integration of industry-specific threat intel with iSIGHT and contextualization of logs from Belden industrial technology in TAP
• Tripwire customers can integrate with MVX/AX
• Hunt for IOCs across IT and ICS environments

Belden ICS industrial cyber security and networking equipment:
• Tofino
• GarrettCom
• Hirschmann
• Tripwire
plus several other leading brands in the area of industrial networking and signal transmission equipment.

FireEye Threat Intelligence Portfolio:
• FireEye’s Threat Intelligence
• Mandiant services
• iSIGHT’s ICS expertise


Question & Answer Time
