Download
1 / 56
590 likes | 1.02k Views
Protecting Critical Infrastructure from Cyber Attacks Presented by Mark Henderson, CISSP, GCIA. Department of Homeland Security National Cyber Security Division United States Computer Emergency Readiness Team. Agenda. Overview of Critical Infrastructure
E N D
Protecting Critical Infrastructure from Cyber AttacksPresented by Mark Henderson, CISSP, GCIA Department of Homeland Security National Cyber Security Division United States Computer Emergency Readiness Team
Agenda • Overview of Critical Infrastructure • Threat, Vulnerability and Attack Trends • Real World Incidents • Recommended Practices • US and Industry efforts
What is CI? “Critical infrastructure is a term used by governments to describe material assets that are essential for the functioning of a society and economy” … but what is it?
CI is … • electricity generation and distribution; • telecommunication; • water supply; • agriculture, food production and distribution; • heating (natural gas, fuel oil); • public health; • transportation systems (fuel supply, railway network, airports); • financial services; • security services (police, military)
What is CI responsible for? • Providing electricity at home and at work • Routing your phone calls • Delivering your drinking water • Delivering food from farm to fork • Heating your home • Providing healthcare and emergent care • Maintaining roads and building new ones • The management and allocation of financial assets, printing currency, etc. • Maintaining the public order • Protecting you at home and abroad
CI vs. SCADA • SCADA (Supervisory Control And Data Acquisition) refers to a large-scale, distributed measurement (and control) system • Not all of CI is SCADA but all SCADA is CI • In the US, 85% of CI is owned by the private sector and roughly 50% of CI sectors are controlled by SCADA systems • Sometimes SCADA referred to as an Industrial Control System (ICS)
What is CIP? Critical Infrastructure Protection (CIP) “… continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems.” CIP represents efforts to prevent, detect, and correct (recover) from CI attacks
The Risk Equation Threat Any person, circumstance or event with the potential to cause loss or damage. Vulnerability Any weakness that can be exploited by an adversary or through accident. Consequence The amount of loss or damage that can be expected from a successful attack. Risk = Threat x Vulnerability x Consequence
Threats • Natural • Manmade (structured vs. unstructured)
Natural Threats to CI Geographic hazards • Meteorological (hurricanes, tropical storms, floods, and ice storms) • Earthquakes and tsunamis • Infectious disease (e.g., H5N1)
Examples of Natural threats Chilean earthquake [1960] • “Telecommunications to southern Chile were cut off“ • “… an eight-meter wave struck the Chilean coast, mainly between Concepción and Chiloé” • “The electricity and water systems of Valdivia were totally destroyed” • “… the city was without a water supply” • “Two days after the earthquake, the Cordón Caulle erupted”
Manmade Threats • Structured • “adversaries with a formal methodology, a financial sponsor, and a defined objective” [Bejtlich] • Economic/industrial spies, organized criminals, terrorists • Unstructured • “lack the methodology, money, and objective of structured threats” [Bejtlich] • Recreational hackers, malware, malicious insiders • National Security threats • foreign intelligence agencies, information warriors
Structured threats to CI GAO Threat Table • Bot-network operators • Criminal groups • Foreign intelligence services • Hackers • Insiders • Phishers • Spammers • Spyware/malware authors • Terrorists • Industrial spies
Unstructured threats to CI • Recreational hackers (“hacking for fun”) • Malware (viruses and worms) • Malicious insiders (disgruntled employees)
CI Vulnerabilities • Many sectors practice “security through obscurity” • Increased connectivity • Pervasive use of antiquated software/hardware • Geographic concentration of CI • Increasing visibility to blackhat community
Security through obscurity • Remote locations are inaccessible … unless they have an IP address • Proprietary protocols and architecture = secure … unless someone studies the SW/HW • No one is interested in X system. Why protect it? … unless someone wants to gain access to another network through that system
Increased connectivity • Website provides “online presence” for company … but leaves web and application servers vulnerable • Internet facing systems allow remote maintenance which saves money … but opens systems to network-based attacks • Wireless architecture reduces network costs … but opens internal network up to wireless attacks
Antiquated SW/HW • “If it ain’t broke, don’t fix it” mentality … so systems go unpatched • Extensive use of legacy hardware (e.g., modems) … so hackers can use basic attacks • Customized applications are designed to simply work … so they are not designed to be secure • Legacy SW/HW and/or protocols incompatible with newer security products … so attacks cannot be detected easily, if at all
Geographic concentration “…critical assets in sufficient proximity to each other that they are vulnerable to disruption by the same, or successive, regional events” • 25% of freight cars pass through one city in the US (St. Louis, MO) • Approximately 28% of U.S. hog inventories are located in Iowa • Approximately 25% of U.S. pharmaceuticals are manufactured in Puerto Rico, primarily in the San Juan metropolitan area
Increasing blackhat visibility ISS conducted SCADA penetration tests on multiple sectors [2006] • Physical access (e.g., door unlocked at power substation) • Modems (e.g., war-dialing) • Default passwords (e.g., googling manuals of devices with banners)
Era of Modern InformationTechnology Denial of Service Current SCADA Zone of Defense GUI Era of Legacy Process Control Technology Threat Trends Malicious Code Morphing High “Stealth”/Advanced Scanning Techniques BOTS Zombies Network Management Diagnostics Distributed Attack Tools Sweepers WWW Attacks Attack Sophistication Back Doors Automated Probes/Scans Intruder Knowledge Disabling Audits Packet Spoofing Sniffers Hijacking Sessions Attackers Exploiting Known Vulnerabilities Password Cracking Self-Replicating Code Low Password Guessing 1980 1985 1990 1995 2000 2005 2010 Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002, page 10.
How does all this affect me? Your system could be compromised/infected and later used in an attack against CI or … …if you work for a CI sector you could • be targeted in a “spear phishing” attack; • your laptop could be stolen to gain access to the private CI network or to private data; • you could inadvertently follow unsafe security practices and affect CI operations
Real World Incidents • The following represent incidents of control systems or critical infrastructure being breached by cyber means • Most of the ‘cyber events’ are accidental, but the following represent more deliberate events • Unfortunately, few CI events are published in the open media
Real World Incidents For industrial security incidents there is the Industrial Security Incident Database (ISID)
Electricity “…with sufficient resources, such as a foreign intelligence service or a well supported terrorist group, could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation”
Electricity (cont) Davis-Besse Nuclear Power Plant [2003] • The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant • Disabled a safety monitoring system for nearly five hours • Power plant was protected by a firewall • In 1998 the same plant was hit by a tornado (natural disaster)
Telecommunication Attack on the root name servers [2007] • 3 out of 13 root DNS servers were attacked by a DDoS attack that lasted 12 hours • Less serious than attack in 2003 when all 13 servers were attacked • Some suggested that this was a bot operator’s “sales demo”
Water supply Maroochy Shire Sewage Spill [2000] • First recorded instance of an intruder that “deliberately used a digital control system to attack public infrastructure” • Software on his laptop identified him as “Pumping Station 4” and after suppressing alarms controlled 300 SCADA nodes • Disgruntled engineer in Queensland, Australia sought to win the contract to clean up the very pollution he was causing • He made 46 separate attacks, releasing hundreds of thousands of gallons (264,000) of raw sewage into public waterways
Heating (natural gas, fuel oil) GAZPROM Incident [1999] • Russian hackers penetrated GAZPROM security with help from insider • Gained control of central switchboard using Trojan Horse which controlled gas flows in pipelines • Claim later refuted by oil company Chevron Incident [1992] • Disgruntled Chevron employee disabled emergency alert system in 22 States
Public Health Worcester Botnet [2005] • Attacker used a botnet to earn ad revenue • $150,000 in damages to the Northwest Hospital (Seattle, Washington). 150 of the hospital’s 1,100 systems affected over course of three days • The hospital's surgical, patient financing, information management, diagnostic imaging and laboratory systems were affected • Operating room doors wouldn't open, pagers were silenced, and computers in the intensive-care unit shut down • 441,000 computer systems hacked by attacker’s virus: • 104 country domains, 276 ".net" domains, 128 ".com" domains, and 28 ".edu" domains • 407 Defense Department locations were infected
Transportation systems (air) Worcester Air Traffic Communications [1997] • Hacker broke into a Bell Atlantic computer system, causing a crash that disabled the phone system at the airport for six hours (Worcester, Massachusetts) • Knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport • Also, the tower's main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress • Also knocked out phone service to 600 homes in the nearby town of Rutland
Transportation (rail) CSX Train Signaling System [2003] • Sobig virus blamed for shutting down train signaling systems throughout the east coast of the U.S. • Virus infected Florida HQ shutting down signaling, dispatching, and other systems • Long-distance trains were delayed between four and six hours
Transportation (subway) Toronto Subway [2006] • LED signs reprogrammed by hacker • Subway LEDs changed to read “Stephen Harper eats babies” (Canadian Prime Minister) Russia Subway [2007] • Using insider data a hacker “managed to access the terminal’s system through the internet and steal $9,000”
Financial Services Nordea Heist [2006] • Internet fraudsters stole around 8m kronor ($1.1m; £576,000) from account holders at Swedish bank Nordea • The criminals siphoned money from (~250) customers' accounts after obtaining login details using a malicious program (Haxdoor) that claimed to be anti-spam software • In August 2005, it was forced to temporarily shut down its online arm due to a sophisticated phishing attack
Government services Estonia DDoS attacks [2007] • “If a member state's communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber-attack?” • Estonia is a member of NATO and asked for assistance from its allies • Web page defacements and DDoS attacks (< 100 Mbps) • Targets included government ministries, news agencies, and two large banks • US-CERT worked with other CERTs worldwide to disable the hosts involved in the botnet
Exposure System Exposure • Components • Networks • Operating Systems • Applications • Vulnerabilities • Advisories • Exploit Code • Advanced Tools • Mitigation • Block • Detect • Workaround • Fix
Exposure System Exposure • Components • Networks • Operating Systems • Applications • Vulnerabilities • Advisories • Exploit Code • Advanced Tools • Mitigation • Block • Detect • Workaround • Fix GAP
Components • Networks • Operating Systems • Applications Identify Vulnerable Assets
Vulnerabilities • Advisories • Exploit Code • Advanced Tools Identify Threat Vectors
Mitigation • Block • Detect • Workaround • Fix Identify Mitigations
7 6 5 1 4 2 3 Perimeter Controls – Internet & Corporate Perimeter 1 2 Access Control, People, Policies 3 4 5 Cyber Control Network Architecture Components Operating Systems Host Security Application Security Core Operational Services 6 7 Defense in-Depth Security
Recommendations • Identify your security requirements • Map requirements to security standards • Apply appropriate solutions • Work with CLCERT and others to stay informed of threats, vulnerabilities, and safeguards (“situational awareness”)
What has the US done? • Conducted cyber exercises (CyberStorm) involving CIP • Created the National SCADA test bed and Cyber Security test bed • Established the Control Systems Security Center • Linked the Oil and Gas Industry to discuss cyber threats (LOGIIC)
