Protecting Critical Infrastructure from Cyber Attacks, Presented by Mark Henderson, CISSP, GCIA - PowerPoint PPT Presentation (56 slides)
Presentation Transcript
Protecting Critical Infrastructure from Cyber Attacks

Presented by Mark Henderson, CISSP, GCIA

Department of Homeland Security

National Cyber Security Division

United States Computer Emergency Readiness Team

Agenda
  • Overview of Critical Infrastructure
  • Threat, Vulnerability and Attack Trends
  • Real World Incidents
  • Recommended Practices
  • US and Industry efforts
What is CI?

“Critical infrastructure is a term used by governments to describe material assets that are essential for the functioning of a society and economy”

… but what is it?

CI is …
  • electricity generation and distribution;
  • telecommunication;
  • water supply;
  • agriculture, food production and distribution;
  • heating (natural gas, fuel oil);
  • public health;
  • transportation systems (fuel supply, railway network, airports);
  • financial services;
  • security services (police, military)
What is CI responsible for?
  • Providing electricity at home and at work
  • Routing your phone calls
  • Delivering your drinking water
  • Delivering food from farm to fork
  • Heating your home
  • Providing healthcare and emergent care
  • Maintaining roads and building new ones
  • The management and allocation of financial assets, printing currency, etc.
  • Maintaining the public order
  • Protecting you at home and abroad
CI vs. SCADA
  • SCADA (Supervisory Control And Data Acquisition) refers to a large-scale, distributed measurement (and control) system
  • Not all of CI is SCADA but all SCADA is CI
  • In the US, 85% of CI is owned by the private sector and roughly 50% of CI sectors are controlled by SCADA systems
  • SCADA is sometimes referred to as an Industrial Control System (ICS)
What is CIP?

Critical Infrastructure Protection (CIP)

“… continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems.”

CIP represents efforts to prevent, detect, and correct (recover) from CI attacks

The Risk Equation

Threat: Any person, circumstance or event with the potential to cause loss or damage.

Vulnerability: Any weakness that can be exploited by an adversary or through accident.

Consequence: The amount of loss or damage that can be expected from a successful attack.

Risk = Threat x Vulnerability x Consequence

Threats
  • Natural
  • Manmade (structured vs. unstructured)
Natural Threats to CI

Geographic hazards

  • Meteorological (hurricanes, tropical storms, floods, and ice storms)
  • Earthquakes and tsunamis
  • Infectious disease (e.g., H5N1)
Examples of Natural threats

Chilean earthquake [1960]

  • “Telecommunications to southern Chile were cut off”
  • “… an eight-meter wave struck the Chilean coast, mainly between Concepción and Chiloé”
  • “The electricity and water systems of Valdivia were totally destroyed”
  • “… the city was without a water supply”
  • “Two days after the earthquake, the Cordón Caulle erupted”
Manmade Threats
  • Structured
    • “adversaries with a formal methodology, a financial sponsor, and a defined objective” [Bejtlich]
    • Economic/industrial spies, organized criminals, terrorists
  • Unstructured
    • “lack the methodology, money, and objective of structured threats” [Bejtlich]
    • Recreational hackers, malware, malicious insiders
  • National Security threats
    • foreign intelligence agencies, information warriors
Structured threats to CI

GAO Threat Table

  • Bot-network operators
  • Criminal groups
  • Foreign intelligence services
  • Hackers
  • Insiders
  • Phishers
  • Spammers
  • Spyware/malware authors
  • Terrorists
  • Industrial spies
Unstructured threats to CI
  • Recreational hackers (“hacking for fun”)
  • Malware (viruses and worms)
  • Malicious insiders (disgruntled employees)
CI Vulnerabilities
  • Many sectors practice “security through obscurity”
  • Increased connectivity
  • Pervasive use of antiquated software/hardware
  • Geographic concentration of CI
  • Increasing visibility to blackhat community
Security through obscurity
  • Remote locations are inaccessible

… unless they have an IP address

  • Proprietary protocols and architecture = secure

… unless someone studies the SW/HW

  • No one is interested in X system. Why protect it?

… unless someone wants to gain access to another network through that system

Increased connectivity
  • Website provides “online presence” for company

… but leaves web and application servers vulnerable

  • Internet facing systems allow remote maintenance which saves money

… but opens systems to network-based attacks

  • Wireless architecture reduces network costs

… but opens internal network up to wireless attacks

Antiquated SW/HW
  • “If it ain’t broke, don’t fix it” mentality

… so systems go unpatched

  • Extensive use of legacy hardware (e.g., modems)

… so hackers can use basic attacks

  • Customized applications are designed to simply work

… so they are not designed to be secure

  • Legacy SW/HW and/or protocols incompatible with newer security products

… so attacks cannot be detected easily, if at all

Geographic concentration

“…critical assets in sufficient proximity to each other that they are vulnerable to disruption by the same, or successive, regional events”

  • 25% of freight cars pass through one city in the US (St. Louis, MO)
  • Approximately 28% of U.S. hog inventories are located in Iowa
  • Approximately 25% of U.S. pharmaceuticals are manufactured in Puerto Rico, primarily in the San Juan metropolitan area
Increasing blackhat visibility

ISS conducted SCADA penetration tests on multiple sectors [2006]

  • Physical access (e.g., door unlocked at power substation)
  • Modems (e.g., war-dialing)
  • Default passwords (e.g., googling manuals of devices with banners)
Threat Trends

[Figure: timeline chart, 1980 to 2010, plotting rising attack sophistication against falling intruder knowledge (High to Low). Labels on the chart: Era of Legacy Process Control Technology; Era of Modern Information Technology; Current SCADA Zone of Defense; Password Guessing; Self-Replicating Code; Password Cracking; Exploiting Known Vulnerabilities; Disabling Audits; Back Doors; Hijacking Sessions; Sniffers; Packet Spoofing; Sweepers; Automated Probes/Scans; GUI; WWW Attacks; Distributed Attack Tools; Network Management Diagnostics; “Stealth”/Advanced Scanning Techniques; BOTS; Zombies; Morphing Malicious Code; Denial of Service; Attackers.]

Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002, page 10.

How does all this affect me?

Your system could be compromised/infected and later used in an attack against CI or …

…if you work for a CI sector you could

  • be targeted in a “spear phishing” attack;
  • your laptop could be stolen to gain access to the private CI network or to private data;
  • you could inadvertently follow unsafe security practices and affect CI operations
Real World Incidents
  • The following represent incidents of control systems or critical infrastructure being breached by cyber means
  • Most of the ‘cyber events’ are accidental, but the following represent more deliberate events
  • Unfortunately, few CI events are published in the open media
Real World Incidents

For industrial security incidents there is the Industrial Security Incident Database (ISID)

Electricity

“…with sufficient resources, such as a foreign intelligence service or a well supported terrorist group, could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation”

Electricity (cont)

Davis-Besse Nuclear Power Plant [2003]

  • The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant
  • Disabled a safety monitoring system for nearly five hours
  • Power plant was protected by a firewall
  • In 1998 the same plant was hit by a tornado (natural disaster)
Telecommunication

Attack on the root name servers [2007]

  • 3 out of 13 root DNS servers were attacked by a DDoS attack that lasted 12 hours
  • Less serious than attack in 2003 when all 13 servers were attacked
  • Some suggested that this was a bot operator’s “sales demo”
Water supply

Maroochy Shire Sewage Spill [2000]

  • First recorded instance of an intruder that “deliberately used a digital control system to attack public infrastructure”
  • Software on his laptop identified him as “Pumping Station 4”; after suppressing alarms he controlled 300 SCADA nodes
  • Disgruntled engineer in Queensland, Australia sought to win the contract to clean up the very pollution he was causing
  • He made 46 separate attacks, releasing hundreds of thousands of gallons (264,000) of raw sewage into public waterways
Heating (natural gas, fuel oil)

GAZPROM Incident [1999]

  • Russian hackers penetrated GAZPROM security with help from insider
  • Using a Trojan horse, gained control of the central switchboard that controlled gas flows in pipelines
  • Claim later refuted by oil company

Chevron Incident [1992]

  • Disgruntled Chevron employee disabled emergency alert system in 22 States
Public Health

Worcester Botnet [2005]

  • Attacker used a botnet to earn ad revenue
  • $150,000 in damages to the Northwest Hospital (Seattle, Washington); 150 of the hospital’s 1,100 systems were affected over the course of three days
  • The hospital's surgical, patient financing, information management, diagnostic imaging and laboratory systems were affected
    • Operating room doors wouldn't open, pagers were silenced, and computers in the intensive-care unit shut down
  • 441,000 computer systems hacked by attacker’s virus:
    • 104 country domains, 276 ".net" domains, 128 ".com" domains, and 28 ".edu" domains
    • 407 Defense Department locations were infected
Transportation systems (air)

Worcester Air Traffic Communications [1997]

  • Hacker broke into a Bell Atlantic computer system, causing a crash that disabled the phone system at the airport for six hours (Worcester, Massachusetts)
  • Knocked out phone service at the control tower, airport security, the airport fire department, the weather service, and carriers that use the airport
  • Also, the tower's main radio transmitter and another transmitter that activates runway lights were shut down, as well as a printer that controllers use to monitor flight progress
  • Also knocked out phone service to 600 homes in the nearby town of Rutland
Transportation (rail)

CSX Train Signaling System [2003]

  • Sobig virus blamed for shutting down train signaling systems throughout the east coast of the U.S.
  • Virus infected Florida HQ shutting down signaling, dispatching, and other systems
  • Long-distance trains were delayed between four and six hours
Transportation (subway)

Toronto Subway [2006]

  • LED signs reprogrammed by hacker
  • Subway LEDs changed to read “Stephen Harper eats babies” (Canadian Prime Minister)

Russia Subway [2007]

  • Using insider data a hacker “managed to access the terminal’s system through the internet and steal $9,000”
Financial Services

Nordea Heist [2006]

  • Internet fraudsters stole around 8m kronor ($1.1m; £576,000) from account holders at Swedish bank Nordea
  • The criminals siphoned money from (~250) customers' accounts after obtaining login details using a malicious program (Haxdoor) that claimed to be anti-spam software
  • In August 2005, the bank was forced to temporarily shut down its online arm due to a sophisticated phishing attack
Government services

Estonia DDoS attacks [2007]

  • “If a member state's communications centre is attacked with a missile, you call it an act of war. So what do you call it if the same installation is disabled with a cyber-attack?”
    • Estonia is a member of NATO and asked for assistance from its allies
  • Web page defacements and DDoS attacks (< 100 Mbps)
  • Targets included government ministries, news agencies, and two large banks
  • US-CERT worked with other CERTs worldwide to disable the hosts involved in the botnet
Exposure

System Exposure

  • Components
    • Networks
    • Operating Systems
    • Applications
  • Vulnerabilities
    • Advisories
    • Exploit Code
    • Advanced Tools
  • Mitigation
    • Block
    • Detect
    • Workaround
    • Fix

[Figure: the same exposure diagram shown again, with the space between the vulnerabilities and the mitigations labelled “GAP”]

Identify Vulnerable Assets

Components

  • Networks
  • Operating Systems
  • Applications

Identify Threat Vectors

Vulnerabilities

  • Advisories
  • Exploit Code
  • Advanced Tools

Identify Mitigations

Mitigation

  • Block
  • Detect
  • Workaround
  • Fix
Defense in-Depth Security

[Figure: layered defense-in-depth diagram with seven numbered layers (1 to 7). Labels on the diagram: Perimeter Controls – Internet & Corporate Perimeter; Access Control, People, Policies; Cyber Control; Network Architecture Components; Operating Systems; Host Security; Application Security; Core Operational Services.]
Recommendations
  • Identify your security requirements
  • Map requirements to security standards
  • Apply appropriate solutions
  • Work with CLCERT and others to stay informed of threats, vulnerabilities, and safeguards (“situational awareness”)
What has the US done?
  • Conducted cyber exercises (CyberStorm) involving CIP
  • Created the National SCADA test bed and Cyber Security test bed
  • Established the Control Systems Security Center
  • Linked the Oil and Gas Industry to discuss cyber threats (LOGIIC)
Other initiatives
  • Efforts are underway “to enable faster, more accurate detection of SCADA-specific attacks” (i.e., Snort signatures)
  • US-CERT recently held an International SCADA conference in May (UFive)
  • DHS continues to collaborate with International partners (IWWN, CICTE, FIRST) in CI exercises, training, and awareness
Questions?

For more information about US-CERT please visit:

www.us-cert.gov

US-CERT Security Operations Center

1-888-282-0870

soc@us-cert.gov

For more information about CSSP please visit:

www.us-cert.gov/control_systems

Control Systems Security Program

1-888-282-0870

cssp@dhs.gov