Page 1: Update on Threat/Vulnerability Trends and Research for …/media/files/events/conference proceedings... · 2013-02-05 · Update on Threat/Vulnerability Trends and Research for ...

Rita Wells

Idaho National Laboratory

Update on Threat/Vulnerability Trends and Research for Cybersecurity

“Cybersecurity for Energy Delivery Systems (CEDS)”

Page 2: Roadmap – Framework for Public-Private Collaboration

• Originally published in January 2006

• New Version published September 2011

• Provides strategic framework to

– Build a Culture of Security

– Assess and Monitor Risk

– Develop and Implement New Protection Measures to Reduce Risk

– Manage Incidents

– Sustain Security Improvements

https://www.controlsystemsroadmap.net/Pages/default.aspx

Page 3: 17 NSTB Facilities From 6 National Labs

IDAHO Critical Infrastructure Test Range

• SCADA/Control System Test Bed

• Cyber Security Test Bed

• Wireless Test Bed

• Power Grid Test Bed

• Modeling and Simulation Test Bed

• Control Systems Analysis Center

SANDIA Center for SCADA Security

• Distributed Energy Technology Laboratory (DETL)

• Network Laboratory

• Cryptographic Research Facility

• Red Team Facility

• Advanced Information Systems Laboratory

PACIFIC NORTHWEST Electricity Infrastructure Operations Center

• SCADA Laboratory

• National Visualization and Analytics Center

• Critical Infrastructure Protection Analysis Laboratory

OAK RIDGE Cyber Security Program

• Large-Scale Cyber Security and Network Test Bed

• Extreme Measurement Communications Center

ARGONNE Infrastructure Assurance Center

LOS ALAMOS Cybersecurity Program

Page 4: NSTB Assessment Findings by Component

• Poor Input / Output Validation

– Network Parsing Code

– ICCP Services and Protocol Stack

– Supervisory Control Protocol Services

– Control Protocol Services

– Database-Backed Applications

– Database-Backed Web Applications

– Web Applications

– Web HMI

• Failure to Secure Hosts

– Unneeded / Unused / Unsafe Services

– Password Policies

– Password Protection

– Permissions

– Vulnerable Remote Display Software

• Improper Authentication

– HMI Applications

– Supervisory Control Protocols

– Control Protocols

– Databases

– Web Services

• Poor Network Defenses

– Poor Network Segmentation

– Failure to Secure Network Devices

– Permissive Firewall Rules

– Poor IDS Monitoring

https://www.controlsystemsroadmap.net/Pages/default.aspx
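The first finding category on this slide, poor input/output validation in the network parsing code of control protocol services, is easiest to see in a parser that refuses to trust any field it has not checked. The block below is an added example, not code from the presentation or from NSTB; it assumes Modbus/TCP as a representative control protocol (the slide names none), and the frames, the read-only function policy and the device names are constructed for the demonstration.

```python
"""Strict Modbus/TCP frame validation (added example; Modbus is assumed as a
representative control protocol, the frames below are constructed)."""
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id (7 bytes)
MAX_PDU = 253                  # largest Modbus PDU; MBAP length = unit id (1) + PDU
# Constructed site policy: this listener accepts read functions only.
ALLOWED_FUNCTIONS = {1: 2000, 2: 2000, 3: 125, 4: 125}  # function code -> max quantity


class FrameError(ValueError):
    """Raised when a field disagrees with the specification or with the bytes received."""


def parse_mbap(data: bytes) -> dict:
    """Validate every field before it is used; never slice on an unchecked length."""
    if len(data) < MBAP.size:
        raise FrameError("short header")
    tid, pid, length, uid = MBAP.unpack_from(data)
    if pid != 0:
        raise FrameError("protocol id is not Modbus")
    if not 2 <= length <= MAX_PDU + 1:
        raise FrameError("length field out of range")
    if len(data) != MBAP.size + length - 1:
        raise FrameError("length field disagrees with frame size")
    pdu = data[MBAP.size:]
    function, payload = pdu[0], pdu[1:]
    if function not in ALLOWED_FUNCTIONS:
        raise FrameError("function code not permitted by policy")
    if len(payload) != 4:
        raise FrameError("read request must carry start address and quantity")
    start, quantity = struct.unpack(">HH", payload)
    if not 1 <= quantity <= ALLOWED_FUNCTIONS[function]:
        raise FrameError("quantity out of range for function")
    return {"tid": tid, "unit": uid, "function": function, "start": start, "quantity": quantity}


def check_frame(data: bytes):
    """Accept/reject wrapper: (True, parsed fields) or (False, reason)."""
    try:
        return True, parse_mbap(data)
    except FrameError as exc:
        return False, str(exc)


# Constructed frames, not captured traffic.
GOOD = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "000a")  # read 10 holding registers
FRAMES = {
    "good": GOOD,
    "truncated": GOOD[:9],                                  # header promises 12 bytes, 9 arrive
    "oversized_length": GOOD[:4] + b"\xff\xff" + GOOD[6:],  # length field claims 65535
    "wrong_protocol": GOOD[:2] + b"\x00\x01" + GOOD[4:],    # protocol id 1
    "write_coil": bytes.fromhex("0002" "0000" "0006" "01" "05" "0000" "ff00"),  # function 5
    "too_many_registers": GOOD[:10] + b"\x00\x7e",          # quantity 126 > 125
}


def audit(frames=FRAMES):
    """Run every sample through the parser; returns name -> verdict."""
    return {name: check_frame(frame) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, (ok, detail) in audit().items():
        print(f"{name:20s} {'accept' if ok else 'reject'}: {detail}")
```

The order of the checks is the point: the length field is compared against the specification limit and against the bytes actually received before anything is sliced out of the buffer, and the function-code policy is applied before the payload is interpreted. Each rejection names the field that failed, which is the detail a protocol-aware IDS signature or a service fuzzing harness would key on.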

Page 5: Example of Common Vulnerability Scoring System Scoring - Buffer Overflows

Metric                         Remote Code Execution Possible   DoS Impact Only

Base Metric                    Value                            Value

Access Vector                  Network                          Network

Access Complexity              Low                              Low

Authentication                 None                             None

Confidentiality Impact         Complete                         None

Integrity Impact               Complete                         None

Availability Impact            Complete                         Complete

Base Score                     10                               7.8

Temporal Metric

Exploitability                 Proof-of-Concept                 Unproven

Remediation Level              Not Defined                      Not Defined

Report Confidence              Not Defined                      Not Defined

Temporal Score                 9.0                              7.0

Environmental Metrics

Collateral Damage Potential    High                             High

Target Distribution            Not Defined                      Not Defined

Availability Requirement       Medium                           Medium

Integrity Requirement          High                             High

Confidentiality Requirement    Medium                           Medium

Environmental Score            9.5                              8.5

Total Score                    9.5                              8.5

Integrity Impact – SCADA Service Buffer Overflow Scenarios

Metric Value   Scenario

None           The buffer overflow can only be exploited to cause the service to crash; remote code cannot be executed and the attacker is not able to alter information on the host. Protections have been built into many new processors, operating systems, and compilers to help protect against buffer overflow attacks. These protections can prevent code execution aimed at gaining access to the host.

Partial        The SCADA service is running with limited permissions. Code executed by overflowing the buffer will run with the permissions of the SCADA service. Information available to the SCADA service could be disclosed to the attacker.

Complete       Vulnerable SCADA services running with root or administrator privileges may be exploited to gain full control of the host. The attacker is able to read all of the system's data (memory, files, etc.).

Remediate vulnerabilities in SCADA services

Page 6: NSTB - Top 10 Most Critical Vulnerabilities

Page 7: What’s New? Government

• Government:

– PrECISE Act H.R. 3674

• Information Sharing

• Research and Training

– SECURE IT S. 2151

• Information Sharing

• Roles and Responsibilities

• 3-20 years for attacks on critical infrastructure

• Research and Training

– Cybersecurity Act of 2012 S. 2105

– Who has the lead? DHS NSA DOE Industry CYBERCOM

– Electric Sector Cyber Risk Management Maturity Initiative

http://energy.gov/oe/electric-sector-cybersecurity-risk-management-maturity-initiative

Page 8: What’s New? – Incidents and Vulnerabilities

• Incidents

– DHS ICS-CERT Update - Working with FBI

• Increased activity

• Attackers in for long durations

• Better Malware Analysis, fewer fly-aways

• Active Monitoring key to better detection and incident response

• Vulnerabilities:

– Vulnerabilities are constant with changes in tools and techniques for discovery and exploitation

– Disclosure Grace Periods:

• Rapid7 15-60 days to Zero Day Initiative 182 days

– Simultaneous Vulnerability and Exploit Disclosures - Project Basecamp from Digital Bond

• GE D20ME, Schneider Electric Modicon Quantum and Control Microsystems SCADAPack, RA Allen-Bradley ControlLogix, Koyo/DirectLOGIC H4-ES, SEL-2032

Page 9: What’s New? Threats, Exploits and Risk

• Threats:

– Capabilities, motivation, intent

– Actors

– Advanced Persistent Threats, 0-days

• Exploits:

– Russian Business Network SCADA Exploits

– Equal Vulnerabilities

• Risk

– NIST Process

– NERC Cyber Attack

– Whitehouse Risk Maturity

Page 10: What’s New: Industry and Malware Analysis

• Asset Owners:

– NERC CIPC: Funds for compliance now shifting more toward security – over 1000 violations being processed in 12 months

– Skills Development

– Incident Teams

– Trust and Involve One Source

– CFATS – 64% ACC Survey already had cybersecurity measures to meet, 26% need to increase

• Malware Analysis

– Lots of Press

– Various degrees of sophistication

Page 11: What’s New? Technology Trends

• Cloud technologies for GIS, modeling, and non-production

• Mobile applications for field support replacing laptops

• Cheap communications

– WiFi

– Cellular

• Advanced data management systems to connect field input to operational situational awareness faster

– Advanced modeling

Page 12: What’s New? Research

• Situational Awareness – Sophia, Intelligent Cyber Sensor, Mesh Mapper, Data Fusion, NetAPT

• High Level Language on Microcontrollers

• Frontier Research: SCADA Protocol, Host-Event based Network, EV chargers, Dynamic Analysis of Mobile Devices

• Research partners:

– Asset Owners

– Universities & Research Centers

– Vendors: Siemens, Honeywell, ABB, Fujitsu, GE, OSISoft, Itron

Page 13: Technologies – Host and End Devices

• Issues

– Unpatched and unused applications

– Configuration Control

– Silo Defenses

• Mitigations

– Harden hosts

– Patch

– Situational Awareness

• Research

– Instrumentation Control and Intelligent Systems

• Resilient – State Awareness – Operational Normalcy

– Forensics information for better incident response times

• Storage of data is cheap

– Link host events closer to network events for forensics data for better incident response

Page 14: Technologies – Defense in Depth

• Issues

– Same defense applied multiple layers is not depth

– Common rule sets applied across architectures

• Mitigations

– Ensure multiple techniques

– Tailor rule sets to specific configuration

• Research

– Sophia

• Creation of whitelists, blacklists and gray lists

• Validation of baseline configuration

Page 15: Overview (Sophia)

• Passive Collection

– Real-time Fingerprinting

– Static Fingerprinting

• Distributed Architecture

• Real-time or historic packet visualization

• Navigable virtual 3D rendering of fingerprint

Beta Testing: Oct 2011 - Sept 1, 2012

Must sign up before June 1, 2012

Open to U.S. Energy Companies

https://sophiahome.inl.gov

Page 16: Additional Use Cases

Configuration Management: An alarm may indicate the addition of a new component or process, triggering a configuration management review.

Fielding New Systems: Use a fingerprint developed as part of the factory acceptance test (FAT) during the Site Acceptance Test (SAT) to identify required site-specific communications.

Firewall Rule Validation/Development: The fingerprint represents only what is needed for ICS operations, providing the critical information necessary for simple, quality firewall rules.

Switch and Router Configuration: Switches and routers can be configured based on what is needed as identified in the fingerprint. Port security such as Access Control Lists (ACLs) is easily created and used.

Component Hardening: All necessary ports are identified in the fingerprint. All other ports are not required for operation and can be disabled or blocked by a personal firewall, reducing exposure to cyber attack.

Patch Testing: When used on a quality system, changes in normal operational communications will be quickly identified as patches are rolled out. Patches in some cases re-open previously disabled ports and services. Configuration management issues are identified; firewall rules may need changing, ACLs may need updating, etc.
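The Sophia research items on the defense-in-depth slide (creation of whitelists, blacklists and gray lists, validation of a baseline configuration) and the use cases above all reduce to one operation: record the set of flows seen during known-good operation, then compare later traffic against that fingerprint. The block below is an added example written for this page, not Sophia code; the flow records, host names and banned-port list are constructed, and it shows the three-way classification, the patch-testing delta, and the derivation of per-host allow rules from the fingerprint.

```python
"""Baseline-fingerprint comparison for ICS traffic (added example, not Sophia code;
all flow records and host names below are constructed)."""
from collections import defaultdict

# Flow record: (source host, destination host, protocol, destination port).
# A fingerprint is the set of distinct flows seen during a known-good window.
BASELINE_FLOWS = [
    ("hmi-01", "plc-01", "tcp", 502),       # Modbus/TCP polling
    ("hmi-01", "plc-02", "tcp", 502),
    ("hmi-01", "rtu-01", "tcp", 20000),     # DNP3
    ("scada-01", "hist-01", "tcp", 1433),   # historian database
    ("eng-ws-01", "plc-01", "tcp", 44818),  # EtherNet/IP engineering access
    ("hmi-01", "plc-01", "tcp", 502),       # repeats collapse into one fingerprint entry
]

# Constructed traffic observed after a patch rollout on plc-01: the RTU link is
# silent, a web port has reappeared, and an unknown laptop is using telnet.
POST_PATCH_FLOWS = [f for f in BASELINE_FLOWS if f[1] != "rtu-01"] + [
    ("eng-ws-01", "plc-01", "tcp", 80),
    ("laptop-77", "plc-02", "tcp", 23),
]

# Site blacklist: services never acceptable on the control network, fingerprint or not.
BLACKLIST_PORTS = {("tcp", 23), ("tcp", 21), ("udp", 69)}


def fingerprint(flows):
    """Whitelist: every distinct flow seen in the baseline window."""
    return frozenset(flows)


def classify(fp, observed):
    """Black (banned port) wins over white (in fingerprint); everything else is gray."""
    result = {"white": set(), "black": set(), "gray": set()}
    for flow in set(observed):
        _, _, proto, port = flow
        if (proto, port) in BLACKLIST_PORTS:
            result["black"].add(flow)
        elif flow in fp:
            result["white"].add(flow)
        else:
            result["gray"].add(flow)
    return result


def patch_delta(fp, observed):
    """Patch-testing use case: flows that appeared or vanished relative to the baseline."""
    seen = set(observed)
    return {"added": sorted(seen - fp), "missing": sorted(fp - seen)}


def host_allow_rules(fp, host):
    """Component-hardening use case: inbound (proto, port) -> peers needed on one host."""
    rules = defaultdict(set)
    for src, dst, proto, port in fp:
        if dst == host:
            rules[(proto, port)].add(src)
    return {key: sorted(peers) for key, peers in sorted(rules.items())}


def render_rules(rules, host):
    """Human-readable rule set with the implicit default deny made explicit."""
    lines = [f"{host}: allow {proto}/{port} from {', '.join(peers)}"
             for (proto, port), peers in rules.items()]
    lines.append(f"{host}: deny all other inbound")
    return lines


if __name__ == "__main__":
    fp = fingerprint(BASELINE_FLOWS)
    for bucket, flows in classify(fp, POST_PATCH_FLOWS).items():
        print(bucket, sorted(flows))
    print(patch_delta(fp, POST_PATCH_FLOWS))
    print("\n".join(render_rules(host_allow_rules(fp, "plc-01"), "plc-01")))
```

Two design choices matter in practice. The blacklist is checked before the whitelist so that a banned service that happened to be running during the baseline window is still flagged rather than silently whitelisted; and the patch delta reports missing flows as well as new ones, because a polling link that goes quiet after a patch is as much a configuration-management finding as a port that reopens.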

Page 17: Current Security Mantra

• Embrace the state - you're connected, vulnerable, exploitable, exploited, owned

• Skills are the key – not technology

• Focus on defense – Configuration Control, Monitoring, Distinct Defense Layers

• Incident response, operating through degraded systems and recovery – plan for bad

• Partner to keep up to date on threats and vulnerabilities with industry and with other sources at different levels of trust

Page 18: Tools and other Help

• Procurement Language

• Cyber Security Evaluation

• Sophia

– Whitelist, Blacklist and Graylist

• Vulnerability Reports

• Industrial Control System Cyber Emergency Response Team

– Alerts, Advisories, Newsletters, Incident Response

Page 19: Challenges Remain

• Information Sharing

– Regulatory – CFATS DHS - TSA

– O&NG Coordination Council June 2004

• Who to Trust – Vendor, Integrator, Government

– Partnerships need mutually beneficial outcomes

• Active Monitoring

– Resource Issues – if actively monitoring can you respond

• Collection of Data for Incident Response

– Forensics plus quicker response if actively monitoring

– Storage is Cheap

• Prove Attackers Off System

• Next Generation Control with Resilient

– Brittle optimization vs Resilient agile and adaptive

Page 20: Complex Standards Issues

• API 1164 liquid pipelines

– Management Policies, Procedures, Roles and Responsibilities

– Physical Security

– Communications Systems

– Technology: Network Design and management

– Risk and vulnerability assessments

– Business Continuity Plans

– Incident Response Plan

• TSA Pipeline Security Guidelines

• Chemical Facility Anti-Terrorism Standards (CFATS), 6 CFR Part 27

Page 21: Information Sharing and Analysis Center – Oil and Natural Gas Sub-Sector

• American Exploration & Production Council (AEPC)

• American Gas Association (AGA)

• American Petroleum Institute (API)

• American Public Gas Association (APGA)

• Association of Oil Pipe Lines (AOPL)

• Canadian Association of Petroleum Producers (CAPP)

• Canadian Energy Pipeline Association (CEPA)

• Energy Security Council (ESC)

• Gas Processors Association (GPA)

• International Liquid Terminals Association (ILTA)

• Interstate Natural Gas Association of America (INGAA)

• Independent Petroleum Association of America (IPAA)

• National Association of Convenience Stores (NACS)

• National Ocean Industries Association (NOIA)

• National Petrochemical & Refiners Association (NPRA)

• National Propane Gas Association (NPGA)

• Offshore Marine Service Association (OMSA)

• Offshore Operators Committee (OOC)

• Petroleum Marketers Association of America (PMAA)

• Society of Independent Gas Marketers Association (SIGMA)

• U.S. Oil & Gas Association (USOGA)

• Western States Petroleum Association (WSPA)

Page 22: Other Challenges?

• How do you evaluate your cyber security posture?

• What new technologies are being deployed and relied upon?

• How does your entity keep up with the changing vulnerability and threat landscape?

• What other pressures exist that are hampering cyber security efforts?

– Audit focus

– Resource constraints

Page 23: For more information …

Contact:

US Department of Energy

Carol Hawk

[email protected]

202-586-3247

Diane Hooie

[email protected]

304-285-4524

INL:

David Kuipers

[email protected]

208-526-4038

Rita Wells

[email protected]

208-526-3179

Visit:

http://energy.gov/oe/services/cybersecurity

https://www.controlsystemsroadmap.net/Pages/default.aspx