Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
Transcript of Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
© 2013 Belden Inc. | belden.com | @BeldenInc | Copyright © FireEye, Inc. All rights reserved.
OVERLOAD: CRITICAL LESSONS FROM 15 YEARS OF ICS VULNERABILITIES
Presented by Allison Wong CISSP
Industrial Environments Face Unique Security Challenges
• Security governance often not clear
• Differing priorities
  − Physics vs Information
  − Reliability and predictability vs C-I-A
  − Safety vs Intellectual Property
• Core technology challenges
  − No security visibility
  − Unauthenticated protocols
  − Unauthenticated firmware loads
  − Unauthenticated control logic

3 Keys to Success
1. Complete: must bring IT-OT together
2. Balance priorities: must maintain uptime of industrial processes being controlled
3. Practical: must meet real challenges
Industrial Security Incident Types
• Misconfigurations – network, control logic
• Lack of process visibility – sensor failure, alarm overload
• Unintentional propagation of malware – USB, email, Web
• Malicious insiders – disgruntled or compromised employees/contractors
• Intentional outside attack – enthusiasts, hacktivists, competitors, criminals, nation-states
Financial Implications: It’s the plant that makes the money
• Oil pipeline shut down for 6 hours after software was accidentally uploaded to a PLC on the plant network instead of the test network. NET Impact: $250K
• 13 auto assembly plants were shut down by a simple Internet worm; 50,000 workers stopped work for 1 hour while the malware was removed. NET Impact: $14M
• Operators at a major USA nuclear power plant were forced to “scram” the reactor after cooling drive controllers crashed due to “excessive network traffic”. NET Impact: $2M
Common Mistakes and Misconfigurations
Recent Mandiant ICS Healthchecks uncovered:
• Unpatched or misconfigured firewalls
• BYOD/Guest Wi-Fi network with a route to the ICS zone
• Evidence of web browsing in the ICS zone
• Unexplained Internet-bound requests
• Traffic direct from the business network to the ICS zone
• Limited segmentation between ICS zones
Intelligence Cycle
1. Identify Intelligence Requirements
2. Collect/Research
3. Analyze
4. Disseminate
ICS Threat History Timeline (axis labels: Theoretical, Actual)
2003: 1st SCADA security presentation at hacker conference
2004: 1st PLC vulnerability disclosures
2009: 1st verified ICS-specific malware (Stuxnet)
2012: Actors reconnoitering for SCADA – get *SCAD*.*
2012: 1st major ICS vendor compromise (Telvent)
2013: Reconnaissance of ICS ports/protocols (Shodan/others scanning)
2014: Malware enumeration of ICS – reading OPC tags (Koala)
2014: Targeting ICS engineers/integrators via watering holes (Koala)
2014: Exploitation of HMI vulnerabilities (Sandworm/GE reports)
2015: Actor selling access to compromised ICS
2015: Attacks with kinetic consequence (Sandworm/Ukraine utilities)
Overall increasing trend in ICS-specific vulnerability disclosures
In 2015 we identified 371 disclosures. As of April 2016, we are tracking nearly 1600.
Two large disclosures in 2015:
• August: 56 vulnerabilities in OSIsoft Data Archive
• September: 36 vulnerabilities in Yokogawa products
[Chart: ICS-specific vulnerability disclosures per year, 2000 to 2015; y-axis 0 to 400]
Espionage Activity
During Q1 2016 we reported on 10 espionage actors from various geographies.
Activity Sample: Sandworm Team in Ukraine
Sandworm Team demonstrated moderate capability to attack industrial processes
• First power outages recognized from intentional cyber attack
• Disparate regions, separate companies
• At least 57 substations, 339 towns and villages, 225,000 total customers
2016 Q1 Hacktivist Activity
• Cyber Caliphate Army's claimed attack on surveillance cameras had the highest potential consequence.
• The physical attacks at the Brussels airport and metro station in March lend additional credibility to such a scenario.
Ransomware Activity: Rising trend
• At organizations that operate ICS
• Ransomware masquerades as Allen-Bradley file
• Cerber, Cryptowall, TorrentLocker, TeslaCrypt
• “Stampado” ransomware offered inexpensively
• FireEye Horizons: Nations Adopting Cyber Crime Extortion Tools for Compellence
2016 ICS Attack Research
• Researcher Details Vibration Attacks Against Industrial Facilities
• Simple to Exploit Vulnerability in Schneider Electric Modicon PLCs Leads to Loss of Process Control
• Default ICS Password List Marginally Increases Ease of Attack
2016 ICS Threat Developments
• US Planned Cyber Attacks on Iranian Infrastructure
• 'Intranet Framework' Seeks to Sell Remote Access to SCADA Systems
• Actor Seeks Exploit for Rockwell Automation Software and Controllers
2016 ICS Defense Developments
• CPNI Releases Guidance for Improving Security in the Built Environment
• Researcher Proposes ICS Patching Strategy
• New Books Highlight ICS Defensive Strategies
• FDA Releases Draft Guidance Focusing on Cyber Security in Postmarket Medical Devices
Lessons Learned? Reducing Your Risk
• Get a plan and program for ICS security
  − Merge IT - OT governance efforts
  − Experts to assess and recommend
• Inventory your control systems
  − Software
  − Controllers
  − Function/impact
• Segment your network
  − Review firewall placement and rules
  − Review router configurations
Simplified Purdue Model / ISA Reference Architecture
[Diagram: levels L0, L1, L2, L3, L4]
FireEye/Mandiant’s ICS Healthcheck Assessment Process:
Activity 1: Architecture Workshops
• Speak with plant management/staff to gain an understanding of the ICS network
• Draw a network diagram of the ICS
• Overlay potential cyber security threats and attacks on the diagram
Activity 2: Firewall configuration review
• Obtain configurations of firewalls and switches at the site and go line by line
• Perform automated and manual analysis on the configurations to look for security misconfigurations and flaws
Activity 3: Analyze network traffic with FireEye PX
• Collect full packet capture and flow data from the ICS network (usually from the site’s main switch)
• Look for anomalous or undesirable connectivity to the Internet or business network
Activity 4: Analyze log data with FireEye Threat Analytics Platform (TAP)
• Collect any relevant log sources from the ICS environment (examples: VPN, Authentication, Firewall, Syslog, Windows Events)
• Apply intelligence, rules, analytics, and frequency analysis to identify malicious or anomalous activity
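An added example, not from the deck or from FireEye/Belden tooling: a small Python check in the spirit of Activity 3 and the Common Mistakes slide, run over flow records to flag traffic direct from the business or guest Wi-Fi network to an ICS zone, and web browsing or other Internet-bound requests from an ICS zone. The zone addressing and the flow records are constructed for the example.

```python
import ipaddress

# Constructed zone map in Purdue-model terms: business network (L4), a guest
# Wi-Fi segment, a DMZ (L3), and two ICS zones (L2 supervisory, L1 controllers).
# The address ranges are assumed for this example.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "guest_wifi": ipaddress.ip_network("10.9.0.0/16"),
    "dmz": ipaddress.ip_network("172.16.5.0/24"),
    "ics_l2": ipaddress.ip_network("192.168.10.0/24"),
    "ics_l1": ipaddress.ip_network("192.168.20.0/24"),
}
WEB_PORTS = {80, 443}

def zone_of(ip):
    """Map an address to a named zone, 'internet' for public space, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"

def classify(src, dst, dport):
    """Return a finding label for one flow, or None when the path is acceptable."""
    s, d = zone_of(src), zone_of(dst)
    if s.startswith("ics_") and d == "internet":
        if dport in WEB_PORTS:
            return "web browsing from ICS zone"
        return "unexplained Internet-bound request"
    if s in ("business", "guest_wifi") and d.startswith("ics_"):
        return f"traffic direct from {s} to ICS zone"
    return None  # e.g. ICS zone to the DMZ historian is an expected path

def review_flows(flows):
    """Run each (src, dst, dport) record through classify and keep the findings."""
    findings = []
    for src, dst, dport in flows:
        label = classify(src, dst, dport)
        if label:
            findings.append((src, dst, dport, label))
    return findings

# Constructed flow records, as might be summarised from the site's main switch.
SAMPLE_FLOWS = [
    ("10.1.4.20", "192.168.10.5", 445),      # business host to an HMI file share
    ("192.168.10.5", "93.184.216.34", 443),  # HMI to a public web server
    ("192.168.20.7", "8.8.8.8", 53),         # controller segment to public DNS
    ("192.168.10.5", "172.16.5.10", 1433),   # HMI to DMZ historian: expected
    ("10.9.3.3", "192.168.20.7", 502),       # guest Wi-Fi to a PLC (Modbus/TCP)
]

if __name__ == "__main__":
    for src, dst, dport, label in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport}  {label}")
```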
Joint Customer Benefit Examples
• Integration of industry-specific threat intel with iSIGHT and contextualization of logs from Belden industrial technology in TAP
• Tripwire customers can integrate with MVX/AX
• Hunt for IOCs across IT and ICS environments

Belden ICS industrial cyber security and networking equipment
• Tofino
• GarrettCom
• Hirschmann
• Tripwire
+ Several other leading brands in the area of industrial networking and signal transmission equipment.

FireEye Threat Intelligence Portfolio
• FireEye’s Threat Intelligence
• Mandiant services
• iSIGHT’s ICS expertise