Security Intelligence for Energy Control Systems


Transcript of Security Intelligence for Energy Control Systems

Page 1: Security Intelligence for Energy Control Systems

Security Intelligence for Energy Control Systems

Chris Poulin, Q1 Labs, CSO

David Swift Accuvant, Solutions Architect

Twitter: #Q1energy

Page 2: Security Intelligence for Energy Control Systems

#Q1energy

Agenda

Introductions and Housekeeping

When Refrigerators Attack

Smart Grid – Vulnerabilities and Security Concerns

Energy Sector Zero Days and Logs

Compliance – Best Practices

Q&A

Page 3: Security Intelligence for Energy Control Systems


A man is stuck in traffic on his way to work.

Page 4: Security Intelligence for Energy Control Systems


He takes his eyes off the road to glance at his phone.

Page 5: Security Intelligence for Energy Control Systems


Did I leave the fridge open?

Page 6: Security Intelligence for Energy Control Systems


The man taps an app on his smart phone labeled “Home Automation”

Page 7: Security Intelligence for Energy Control Systems


Page 8: Security Intelligence for Energy Control Systems


Page 9: Security Intelligence for Energy Control Systems


Man rolls his eyes and grins at his own obsessive concern

Page 10: Security Intelligence for Energy Control Systems


Page 11: Security Intelligence for Energy Control Systems


Page 12: Security Intelligence for Energy Control Systems


Page 13: Security Intelligence for Energy Control Systems


Page 14: Security Intelligence for Energy Control Systems


Level Setting: What is the Power Grid?

Power generation

Power transmission

Power Distribution

Consumer

Plug stuff in, turn stuff on

Flows from point of generation to ground

Stored in batteries

Page 15: Security Intelligence for Energy Control Systems


Smart Grid Goals

Better interconnection of generators, all sizes & tech

Reduce environmental impact of electric supply system

Page 16: Security Intelligence for Energy Control Systems


Smart Grid Goals

Consumers play a part in optimizing the system

Provide consumers with greater info for supply choices

Improve reliability, quality, and security of supply

Page 17: Security Intelligence for Energy Control Systems


Smart Grid Goals

Demand response and demand-side resources

Reduce peak demand (demand leveling)

Identify trends to make smarter upgrade decisions

Page 18: Security Intelligence for Energy Control Systems


Smart Grid

More accurate and frequent telemetry

Smart meters, Advanced Metering Infrastructure (AMI)

vs traditional meters and Automated Meter Reading (AMR)

2 way communication

Talk to each other RF to RF, eventually to/from a pole

Page 19: Security Intelligence for Energy Control Systems


Smart Grid

Distribution side power generation - 2 way energy flow

Intermittent availability (wind, micro-grids, etc)

Page 20: Security Intelligence for Energy Control Systems


Smart Grid

No one really knows what the smart grid will look like in the future

Smart Grid = The Cloud

Page 21: Security Intelligence for Energy Control Systems


Smart Grid Benefits—Utility Side

Wide-area situational awareness

Enrich measurement data from synchrophasors

Overlay geographic, demographic, weather, intelligence data

Operational: Detect & mitigate problems before consumer is affected (regional transmission organization, public utilities commissions, ISOs)

Security: DHS, MI5

Page 22: Security Intelligence for Energy Control Systems


Smart Grid Benefits—Utility Side

Better control of energy distribution

Bring on distribution side power as needed

Regulate A/C units on cloudy days, when less energy is generated and less A/C is needed

Prepare for 5pm in affluent neighborhoods where all residents plug in their PEVs at the same time

Reduce power outages, rolling blackouts—shut off priority-3 devices, like pool pumps, as needed

Page 23: Security Intelligence for Energy Control Systems


Extending the Grid—Into Every Home

Smart meters

Data sent back to the utility companies

Smart appliances

Home Area Networks (HANs)

Plug-in Electric Vehicle (PEV)

Twice the power of an A/C unit

Plus an actual A/C unit

Profiles, cost conscious, most green, etc.

3rd party utility monitoring & management services

Page 24: Security Intelligence for Energy Control Systems


Smart Grid Benefits—Consumer Control

Demand Response / Time of use rates

PEV charge off hours or even put energy back in the grid

Delay dishwasher until 2am

Delay refrigerator defrost cycle when A/C usage is lower

Lets you pick where you get your energy

Neighborhood all have solar panels

Green choice

Integrate with smart home systems

HANs, Zigbee, X10

Energy controller, firewall between HAN & smart grid

Page 25: Security Intelligence for Energy Control Systems


Smart Grid Attacks / Vulnerabilities

Consumer fraud

Swapping meters with your neighbor on holiday

Coffee cans, EMF / Faraday sacks

Meter bypass—jumper cables

Magnet on the side of the meter

No meter data? Charge based on historical average.

Meter usage drop? Correlate with payment history

Page 26: Security Intelligence for Energy Control Systems


Smart Grid Attacks / Vulnerabilities

Page 27: Security Intelligence for Energy Control Systems


Notable CIP Security Incidents

2000: Australia water services hack spilled raw sewage into waterways, parks, and grounds of a hotel

Page 28: Security Intelligence for Energy Control Systems


Notable CIP Security Incidents: Stuxnet

Virus targeting Iran’s uranium enrichment program.

Thought to be introduced through removable drives

Relies upon new Windows vulnerabilities to propagate

Displays "all is well" to operators while destroying equipment

Reported 100K+ computers infected

“cyberweapon”

Extends beyond the virtual to attack the physical

Page 29: Security Intelligence for Energy Control Systems


Notable CIP Security Incidents

CIA claimed in 2008 multiple regions hacked and outage followed by extortion demands

Sep 2007, major disruptions affecting more than 3 million people in dozens of cities in the Brazilian state of Espirito Santo (sooty insulators?)

Jan 2005, cyber attack knocked out power in three cities north of Rio De Janeiro, affecting tens of thousands of people

Page 30: Security Intelligence for Energy Control Systems


Notable CIP Security Incidents

April 2009, informal report cyber spies penetrated US electrical grid and left behind time bomb software

Page 31: Security Intelligence for Energy Control Systems


Smart Grid Attacks / Vulnerabilities

IOActive created smart meter worm & owned a cadre

Page 32: Security Intelligence for Energy Control Systems


Smart Meter Event Monitoring

Page 33: Security Intelligence for Energy Control Systems


Smart Meter Event Monitoring

Page 34: Security Intelligence for Energy Control Systems


Increased Risk @ Energy Companies

Data from smart meters, HANs

More personal information

Utilities are used to protecting physical things, infrastructure

Now consumers are participating

New point of entry: smart meters, HANs

Think of all the bots on home computers

Consumer awareness is a key component of smart grid security

Page 35: Security Intelligence for Energy Control Systems


CIA? No, AIC

What are utilities doing about security?

Confidentiality, Integrity, Availability

Traditionally, utilities are used to providing ‘A’

To some extent, ‘I’:

Data accuracy: “if line is energized, don’t touch!”

Now, data tampering from smart meters:

e.g., Fake usage data can put a huge load on grid

Confidentiality:

Privacy—who’s using what

Even now, side-channel attacks possible

Page 36: Security Intelligence for Energy Control Systems


Side Channel Security Information

Monitor usage and determine:

When fridge is running its defrost cycle

When the coffee maker kicks on

When you run your electric razor

What you’re watching on TV

To some extent, this can be done now

Smart meters give much more granular information

Page 37: Security Intelligence for Energy Control Systems


3rd Party Power Monitoring

Google PowerMeter, now retired

Google in power industry?

Bought bulk of power from NextEra—wind power

Other 3rd party power monitoring services:

AlertMe

Blue Ridge Electric Cooperative

Blueline Innovations

Current Cost

Digi

Energy Hub

First:utility

Minnesota Valley Electric Cooperative

Powerhouse Dynamics, Inc.

San Diego Gas & Electric

TED

WattsUp

Wattvision

White River Valley Electric Cooperative

Wisconsin Public Service

Page 38: Security Intelligence for Energy Control Systems


Physical Security Information

Awareness—Consumer education

Centralize Security Governance—wildfires, cyber attacks, etc.

Decentralization of infrastructure—things are moving to the field

Information equipment to substations, telephone poles, etc.

SIEM, VA, etc

Physical security concerns

Smart meters can be point of entry

Page 39: Security Intelligence for Energy Control Systems


Takeaways

Critical infrastructure is a hot target; Stuxnet proof of vulnerability

The Smart Grid has benefits, but introduces new risks

Utilities are entering a new & unfamiliar role

Expanding beyond physically controlled boundaries is a risk

Now in the information protection business

Consumers are at risk from the Smart Grid

More information = increased intelligence gathering opportunity

… and the Smart Grid is at risk from consumers

Consumer tampering, hacking, & cyber warfare

New points of entry: Smart meters, HANs / consumer network

Smart grid vendors need to build in real security

Subject gear to design & code review, and pen testing

Page 40: Security Intelligence for Energy Control Systems

SIEM Services: Energy & Utilities

David Swift, Solutions Architect

Accuvant

Page 41: Security Intelligence for Energy Control Systems


Energy Sector Top Concerns

APTs – Advanced Persistent Threats

Morphing code, DNS fast flux changing Command and Control channels, Google searches for new C&C hosts

May be state or terrorist sponsored, lots of money and resources behind some of these attacks

Compliance – NERC/FERC/NRC/SOX/PCI

Log, review, report and DOCUMENT

Page 42: Security Intelligence for Energy Control Systems


How do you find Zero Days and APTs?

Add Context to Events

Use the network hierarchy and remote networks to quickly overlay source network and destination network NAMES, not just IP addresses.

Use GEO IP information for quick wins and situational awareness.

Use Reference Lists to check for known attackers, known terminated employees, contractors logging in after hours…

Page 43: Security Intelligence for Energy Control Systems


Review Logs

Analyze Volume and Variety

Firewall

Even when signatures don’t trigger, firewalls (when configured to log accepts) provide a record.

Attacks are sloppy, not a single event; look for the spray of bullets: the offender source IP scans the network or target first, with lots of drops.

IDS/IPS

Log Everything

Filter and eliminate in SIEM by comparing Vulnerability Scan/Asset data and Known Attacker/Remote Networks

Page 44: Security Intelligence for Energy Control Systems


Review Logs

Look for patterns

Instant messaging logon (IDS event)

IM download (IDS Event)

Anti-Virus/HIPS/FIC event – EVIL FILE

Now we know the source.

Fuzz the logic

– Look for anyone else talking to the same source /24 CIDR

– Look for the same file name to have been modified on another host

Any Traffic to/from a Known Attacker (remote network or reference list)

Traffic outbound may indicate an already infected system calling home

Any allowed traffic to/from such a source should open an offense

Page 45: Security Intelligence for Energy Control Systems


Review Logs

Everything counts in large amounts

Single firewall drop – who cares?

100 firewall drops in 1 minute – Why?

Misconfigurations – noise, chaff that has to be culled

Reconnaissance – phase one of the attack

One IDS event – IM Login – Who cares?

IM Login + File Transfer + Buffer Overflow Attempt – I CARE!
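The volume and pattern rules from the last three slides, as an added example that is not part of the deck: a sliding-window count of firewall drops per source (the "100 drops in 1 minute" question), a chain match for IM Login + File Transfer + Buffer Overflow Attempt on one host, and a reference-list check on allowed flows. All IPs, signature names and event records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data, not from the deck: firewall drops as
# (epoch_seconds, source_ip), IDS events as (host, signature), and
# allowed flows as (src, dst) checked against a known-attacker reference list.
FW_DROPS = [(1000 + i // 2, "10.0.0.5") for i in range(120)]  # 120 drops in 60 s
FW_DROPS += [(1000 + i * 30, "10.0.0.9") for i in range(4)]   # 4 scattered drops
IDS_EVENTS = [
    ("10.0.1.7", "IM Login"),
    ("10.0.1.7", "IM File Transfer"),
    ("10.0.1.7", "Buffer Overflow Attempt"),
    ("10.0.1.8", "IM Login"),                                  # alone: who cares
]
KNOWN_ATTACKERS = {"203.0.113.10"}                             # constructed list
ALLOWED_FLOWS = [("10.0.1.7", "203.0.113.10"), ("10.0.1.8", "198.51.100.2")]
IM_CHAIN = ("IM Login", "IM File Transfer", "Buffer Overflow Attempt")


def burst_sources(drops, threshold=100, window=60):
    """Sources with >= threshold drops inside any window-second span:
    one drop is noise, 100 in a minute is reconnaissance or misconfiguration."""
    by_src = defaultdict(list)
    for ts, src in drops:
        by_src[src].append(ts)
    hits = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] >= window:  # slide the window's left edge
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return hits


def chained_hosts(events, chain=IM_CHAIN):
    """Hosts that triggered every signature in the chain (login + transfer +
    overflow attempt together is the pattern worth an offense)."""
    seen = defaultdict(set)
    for host, sig in events:
        seen[host].add(sig)
    return {h for h, sigs in seen.items() if set(chain) <= sigs}


def attacker_offenses(flows, attackers):
    """Allowed flows touching the reference list; an outbound match may be an
    infected system calling home, so each one should open an offense."""
    return [(s, d) for s, d in flows if s in attackers or d in attackers]
```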

Page 46: Security Intelligence for Energy Control Systems


Improve Defenses Iteratively

Review Events by Signature

Count of HOW MANY this month by signature

And, how many unique hosts triggered the sig

10 from one host – hmm, block it, won’t break anything, might help, and check the host

1,000,000 – disable logging, crappy signature

– Unless 1 million from < 10 hosts

0 events for a given signature – block it, won’t hurt

Repeat the process each month for each device
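The monthly signature review described on this slide, as an added example that is not part of the deck: count events per signature, count the unique hosts behind them, and apply the slide's decisions (zero events: block; high volume from many hosts: disable logging; high volume from few hosts: investigate; a handful from one host: block and check the host). The IDS export and signature names are constructed, and the volume thresholds are scaled down from the deck's 1,000,000.

```python
from collections import Counter, defaultdict

# Constructed monthly IDS export as (signature, host) tuples; not deck data.
# Volumes are scaled down: `noisy` below stands in for the deck's 1,000,000.
MONTH_EVENTS = (
    [("Buffer Overflow Attempt", "10.0.1.7")] * 10
    + [("Noisy-Sig", f"10.0.{i // 254}.{i % 254 + 1}") for i in range(2000)]
    + [("Beacon-Sig", "10.0.2.5")] * 1500
    + [("Beacon-Sig", "10.0.2.6")] * 500
)
ENABLED_SIGNATURES = {"Buffer Overflow Attempt", "Noisy-Sig",
                      "Beacon-Sig", "Legacy-Exploit"}

BLOCK_CHECK_HOST = "block the signature; check the triggering host(s)"
DISABLE_LOGGING = "disable logging; noisy signature"
INVESTIGATE = "keep logging; high volume from few hosts, investigate"
BLOCK_UNUSED = "block it; zero events, won't hurt"


def signature_review(events, enabled, noisy=1000, few_hosts=10):
    """Per-signature monthly count, unique triggering hosts and the tuning
    decision. Returns {signature: (count, unique_hosts, decision)}."""
    counts = Counter(sig for sig, _ in events)
    hosts = defaultdict(set)
    for sig, host in events:
        hosts[sig].add(host)
    review = {}
    for sig in enabled:
        n, uniq = counts[sig], len(hosts[sig])
        if n == 0:
            decision = BLOCK_UNUSED
        elif n >= noisy and uniq >= few_hosts:
            decision = DISABLE_LOGGING
        elif n >= noisy:
            decision = INVESTIGATE      # a million hits from < 10 hosts is not chaff
        else:
            decision = BLOCK_CHECK_HOST
        review[sig] = (n, uniq, decision)
    return review


def monthly_report(review):
    """Signatures ordered by volume, one line each, for the monthly review."""
    return [f"{n:>8} events / {u:>5} hosts  {sig}: {d}"
            for sig, (n, u, d) in sorted(review.items(), key=lambda kv: -kv[1][0])]
```

Run `signature_review` once per device each month; the `enabled` set must be the device's full signature list so that silent signatures surface as zero-event rows.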

Page 47: Security Intelligence for Energy Control Systems


Compliance Strategy

A successful log management strategy involves a logging tool, documentation, processes, and procedures.

Key Steps:

Define your Scope

Document which devices are in scope for each compliance regulation

Define your Events of Interest (EOI) – and create appropriate reports and alerts to monitor for them

Define an Incident Handling Policy (IH) and process to follow for each EOI

Define Standard Operating Procedures (SOPs) with Service Level Agreements (SLAs), for each EOI and follow-up IH process

Create and Maintain an Audit trail showing both EOIs and IH responses, tracking the mean time to detect (MTD) and mean time to remediate (MTR)

Define the Record of Authority (RoA) for each device in scope for an audit

Document IPs in scope and where the authoritative log source is for each.

Document the retention period, and the auto-destroy policy followed.

Page 48: Security Intelligence for Energy Control Systems

More info: [email protected]

@q1labs @accuvant

Blog: blog.q1labs.com

Thank You!