InfoSec120804 web 2


Published on February 4, 2008

Author: Donato


Critical Infrastructure Protection Trends in SCADA Cyber Threats

December 8, 2004
Presentation to InfoSec 04
Brian Isle

Agenda

- SCADA definition
- Is the Cyber threat real?
- Current Cyber exploits & trends
- Recommendations for SCADA security R&D

Supervisory Control and Data Acquisition (SCADA)

General definition: an industrial measurement and control system consisting of:
- a central host or master (MTU);
- one or more field data gathering and control units or remotes (RTUs);
- a collection of standard and/or custom software used to monitor and control remotely located field data elements.

- Generally cover larger geographic areas
- Predominantly open-loop control characteristics (may have some elements of closed-loop control and/or short distance communications)
- Use a variety of communications systems (LAN, wireless, microwave, bus, point-to-point)

Distributed Control Systems (DCS)

General definition: similar to SCADA systems, used predominately in factories, treatment plants, etc.
- Similar functions to SCADA, but the field data gathering or control units are usually located within a more confined area.
- Communications often via a reliable and high speed local area network (LAN).
- A DCS usually employs significant amounts of closed-loop control.

Oil Transportation Supply Chain

[Diagram: the supply chain in three stages. Collection: well heads, floating and offshore platforms, sub-sea pipeline, tanker ships (ship & sub sea), terminal, collection tank farm. Manufacturing: refinery, petrochemical plant, chemical plant (e.g. ethanol), with inputs of raw materials, natural gas (pipeline), water (pipeline), waste water (pipeline) and byproducts. Storage & distribution: tank farm, pipeline, rail, truck, distribution centers, end-users.]

SCADA users have the "weakest link" in the chain problem.

Think of Your Facility as a Link in a Chain

[Diagram: each facility sits between upstream and downstream facilities, exchanging command, control and communication.]
- External cyber & physical attacks
- Internal cyber & physical attacks
- Upstream & downstream communication: trusted source; integrity of information
- Control status and emergency hand-off of control & responsibility: trusted source; integrity, accuracy, & track-ability of information

Each element of the chain faces security issues.

Is the SCADA Cyber threat real?

The threat is real and proven:

A disgruntled ex-employee used a port scan and ping-sweep program to identify active system ports and network IP addresses belonging to an oil company. On finding an active connection and an open port, he initiated communication using various software tools downloaded from the Internet. He subsequently issued instructions to the remote system and deleted sensitive system data related to process control flow.
(SECURING CRITICAL OIL INFRASTRUCTURE FROM CYBER THREATS, Asian School of Cyber Laws, August 2002, Rohas Nagpal, Debasis Nayak)

Australia, March 2000: a failure at a pumping station caused up to 264,000 gallons of raw sewage to flow onto the grounds of a local tourist resort and eventually into a storm sewer. The problems were traced to disruptions in the community's new computerized sewage control system. On 23 April 2000, police intercepted former employee Vitek Boden, less than an hour after another control system malfunction. A search of his vehicle found a two-way radio and antennae, a remote telemetry system, and a laptop computer.
(National Infrastructure Protection Highlights, Issue 3-02, June 15, 2002, Editors: Linda Garrison, Martin Grand)

Is the SCADA Cyber threat real?

In August 2003, the Nuclear Regulatory Commission confirmed that in January 2003 the Microsoft SQL Server worm known as Slammer infected a private computer network at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety monitoring system for nearly 5 hours.
Note: the plant was off-line at the time.

Is the SCADA Cyber threat real?

"Hackers Cracked Gazprom Security: World's Largest Natural Gas Company Lost Control of Gas Flows 'For Some Time'"
MSNBC STAFF AND WIRE REPORTS, MOSCOW, April 26 [1999] - Gazprom, Russia's huge gas monopoly, was one of a growing number of targets hit last year by computer hackers, who controlled the company's gas flows for a short time, a law enforcement official said Wednesday. Acting with a Gazprom insider, hackers were able to get past the company's security and break into the system controlling gas flows in pipelines... The central switchboard of gas flows was "for some time" under the control of external users...

The Bad News

[Chart: difficulty in hacking a system, plotted as time & money against sophistication of cyber defenses.]

It is only a matter of time and money; they will get in!

Is the Terrorist Threat Real?

The NIPC report also stated that U.S. law enforcement and intelligence agencies had received indications that Al Qaeda members had sought information about control systems from multiple Web sites, specifically on water supply and wastewater management practices in the United States and abroad.

"The same SCADA systems that are used to manage the U.S. power grid also control the grids in Iraq, Saudi Arabia, Indonesia, and Iran. So it should come as no surprise that SCADA documents turned up in Al Qaeda safe houses in Afghanistan."

Slide 12

Source:

Is the Terrorist Threat Real?

Yes, the Terrorist threat is real! The mid-East Terrorists have:
- Means to carry out an attack
- Motivation
- Ability to access our systems
- Access to technical documentation
- Low barriers to success

Is the Terrorist Threat Real? The Good News

A cyber SCADA attack by itself does not meet the mid-East Terrorist's main goals:
- 24x7 news coverage
- Kill civilians
- Hinder the military

No evidence of a Terrorist cyber attack in the US - yet.
However, a cyber SCADA attack makes a very good diversion for a more typical Terrorist attack.

Cyber Trends

Overview of Attack Trends

Trend 1 - Automation; speed of attack tools
  A. Scanning for potential victims.
  B. Compromising vulnerable systems.
  C. Propagating the attack.
  D. Coordinated management of attack tools.
Trend 2 - Increasing sophistication of attack tools
  A. Anti-forensics.
  B. Dynamic behavior.
  C. Modularity of attack tools.
Trend 3 - Faster discovery of vulnerabilities
Trend 4 - Increasing permeability of firewalls
  - IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning)
  - ActiveX controls, Java, and JavaScript. (See
Trend 5 - Increasingly asymmetric threat
Trend 6 - Increasing threat from infrastructure attacks
  Attack 1 - Distributed denial of service
  Attack 2 - Worms
  Attack 3 - Attacks on the Internet Domain Name System: cache poisoning, compromised data, denial of service, domain hijacking
  Attack 4 - Attacks against or using routers: routers as attack platforms, denial of service, exploitation of trust relationships between routers

SCADA is susceptible to all the IT threats because of enterprise integration and a move to MS-based SCADA.
(CERT® Coordination Center)

Cyber Attack Trends: More Bad News

Some wireless data links that were designed for short range can be extended considerably:

LAS VEGAS -- ... teens from Cincinnati got an ovation at the DefCon hacker conference here Sunday when organizers announced that the winners of this year's Wi-Fi shootout might have broken a world record for ground distance in establishing a 55.1-mile Wi-Fi connection. (,1284,64440,00.html?tw=wn_tophead_2)

Bluetooth sniffing over 1 mile has been demonstrated.

Cyber Attack Trends: More Bad News

Virus writers are now focusing on smart cell phones & microcode.

"Mosquito virus bites smart phones", Ben Charny, Special to ZDNet India, August 13, 2004: The Mosquito virus forces some cell phones based on the Symbian operating system to generate pricey text messages without the user's approval or knowledge... The first worm to target smart phones, dubbed Cabir, apparently uses the Bluetooth short-range wireless feature of smart phones that run the Symbian operating system to detect other Symbian phones, and then transfers itself to the new host as a package file. In mid-July, a virus that infects Windows CE was developed -- the first such bug discovered for the handheld operating system.

"Malware: Fighting Malicious Code", Ed Skoudis, Lenny Zeltser, 2004: Microcode trojans may be able to attach to the closely held microcode programming that runs internal to a CPU, by exploiting the ability to modify it in the field, leading to a form of subversion almost impossible to detect.

Why care? Because the embedded systems in the RTUs are largely unprotected.

Policy vs. Cyber Attacks

"Sound policy is a core element of the cyber security management system. Without it, extensive implementations of routers, firewalls and intrusion detection systems are misguided. Indeed, policy steers the application of technology within this system." (1)

80% of attacks show weakness in internal processes (2) (3):
- Unauthorized modems
- Disgruntled employee
- You hired a terrorist
- Unauthorized access
- Insufficient attention to security (leave the door open)
- Security assessment is viewed as a one-time event that lacks a metric to allow comparison over time or to assess readiness
- Initial vigilance degrades over time
- Doesn't keep up with changing cyber threats

No amount of technology will make up for lack of sound policy.

Recommended Long Term R&D for SCADA

CIP SCADA/IT Workshop

20-21 October 2003 in Minneapolis
Goal: Develop a multi-year roadmap. Identify near-term technology solutions and the longer-term research to secure the U.S. industrial infrastructure.
Keynote speakers:
- Rep. Gil Gutknecht, Vice Chair of House S&T Committee
- Dr. Arden Bement, Director, NIST
- Dr. John Hoyt, HSARPA/DHS
- Dr. Helen Gill, NSF
Details at

Needed SCADA R&D: Standards and Methodology

Issue: Inability to test the security of infrastructure systems and to describe the industry's security readiness in a consistent manner.
R&D Focus: Develop SCADA/process control security standards and methodologies to enable assessment of security readiness over time.

Needed SCADA R&D: Modeling and Analysis

Issue: Inability to model the entire infrastructure and represent the interdependences.
R&D Focus: Develop scalable and extensible models of the critical infrastructure to enable planning, simulation, and predictions of response to changes and anomalies. Models should enable analysis of the impacts of economics, human interaction, organizational structure, technology development, and accidental & malicious faults.

Needed SCADA R&D: Next Generation SCADA Platforms

Issue: Multiple generations of legacy systems control the Nation's infrastructures. Realities of low industrial investments in both capital improvements and research and development (R&D).
R&D Focus: Develop strategies to drive the rapid evolution of SCADA/process control solutions. R&D must provide a robust, scalable, evolvable and secure solution.

Needed SCADA R&D: Sensing Infrastructure Anomalies

Issue: Current sensing approaches are inadequate to detect malicious faults and a determined enemy. Historically, sensing in industrial infrastructures has been driven by process optimization and detection of accidental or non-malicious faults.
R&D Focus: Situation awareness based on real-time, trusted, and timely data is critical to the ability to detect, understand, and respond to anomalies in the infrastructure.

Summary

- The cyber threat is real & proven
- The Terrorist threat is real; they are poised and ready, but SCADA by itself doesn't fit their M.O.
- There are SCADA vulnerabilities, but a diligent and methodical approach to security can make your plant too costly a target for the attacker
- Longer term issues are known and R&D is underway (but don't wait!)

Other References

(1) The Cyber Security Management System: A Conceptual Mapping, John H. Dexter, January 28, 2002
(2) SECURING CRITICAL OIL INFRASTRUCTURE FROM CYBER THREATS, Asian School of Cyber Laws, August 2002, Rohas Nagpal, Debasis Nayak
(3) Protecting America's Critical Infrastructure - Preventing an Electronic Pearl Harbor, Edward Badolato
Technology Roadmap for the Petroleum Industry, American Petroleum Institute (API), February 2000
Technology Vision 2020: A Technology Vision for the US Petroleum Industry, API, October 1999
Critical Infrastructure Assurance Group (CIAG), Matthew Franz
Securing Oil & Natural Gas Infrastructures, NPC, June 2001
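The "link in a chain" slide asks for three properties at every control hand-off between facilities: a trusted source, integrity of the information, and track-ability. The following is an added illustration (not code from the presentation) of how a receiving station can enforce all three on a hand-off message, using a per-source shared key for an HMAC, a per-source sequence number against replay, and an audit trail of every accept/reject decision; the station names, key and message fields are constructed sample values.

```python
import hmac
import hashlib
import json

# Hypothetical per-link shared keys: one key per upstream station that is
# allowed to hand control to this facility (constructed demo values).
TRUSTED_SOURCES = {
    "pump-station-7": b"constructed-demo-key-ps7",
}

def _canonical(body: dict) -> bytes:
    # Deterministic serialization so sender and receiver MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_handoff(source_id: str, key: bytes, seq: int, payload: dict) -> dict:
    """Sender side: attach source id and sequence number, then MAC the whole body."""
    body = {"src": source_id, "seq": seq, **payload}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

class HandoffReceiver:
    """Receiver side: accept only messages from a trusted source, with a valid MAC
    and a fresh sequence number; log every decision so hand-offs are track-able."""

    def __init__(self, trusted: dict):
        self.trusted = trusted
        self.last_seq = {}   # highest sequence number accepted per source
        self.audit = []      # one record per message, accepted or not

    def accept(self, msg: dict) -> bool:
        body, mac = msg.get("body", {}), msg.get("mac", "")
        src = body.get("src")
        key = self.trusted.get(src)
        if key is None:
            return self._record(body, "rejected: untrusted source")
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return self._record(body, "rejected: integrity check failed")
        if body.get("seq", -1) <= self.last_seq.get(src, -1):
            return self._record(body, "rejected: replayed or stale sequence")
        self.last_seq[src] = body["seq"]
        return self._record(body, "accepted")

    def _record(self, body: dict, verdict: str) -> bool:
        self.audit.append({"src": body.get("src"), "seq": body.get("seq"), "verdict": verdict})
        return verdict == "accepted"
```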
