1. Addressing CIP: A Thailand Case Study
by Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd.
A Company of PTT Group
Note: CIP = Critical Infrastructure Protection
2. Addressing CIP: A Thailand Case Study
by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Synopsis:
In many countries where Critical Infrastructure Protection is not yet a regulatory requirement, or is not taken seriously by the government, perception, understanding, collaboration and a qualified workforce are big challenges. Many misperceptions about securing these systems make it hard to convince management and stakeholders to support activities and investments. However, legislation is not the only way to go; there are many other factors that can be pulled into the scene, e.g. BCM, risk management and so on, to help attract management. As security professionals, how can we make things better? How can we utilize the other mechanisms available to help address this challenge?
In Thailand, even though we have not explicitly issued a law specifically for CIP, we have addressed CIP to some extent. We help raise awareness and understanding through training and seminars that demonstrate the vulnerability and exploitability of such systems. We introduce ISO27001 as a basic security management framework. Of course, there are many other things that need to be done to address this challenge.
3. About Speaker
Name: Chaiyakorn Apiwathanokul
ไชยกร อภิวัฒโนกุล
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited
A Company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
• Contribute to Thailand Cyber Crime Act B.E.2550
• Security Sub-commission under Thailand Electronic Transaction Commission
(ET Act B.E. 2544)
• Workgroup for CA service standard development
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity taskforce development, Division of Skill
Development, Ministry of Labour
4. Disclaimer
• I am not a representative of either the Thailand government or any commission I have been involved in.
• I am not a spokesperson for my company.
• I am here as an infosec professional working and contributing in Thailand and would like to share some experience and Thailand's circumstances for the sake of global professional community collaboration and contribution.
7. Italian Traffic Lights (In the real world)
Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system
Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in a two-month period
Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets
Lessons learned:
Do not underestimate the insider threat
Ensure separation of duties and auditing
8. Transportation – Road Signs (In the real world)
Event: Jan 2009, Texas road signs compromised
Impact: Motorists distracted and provided false information
Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed.
"Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
Lessons learned:
Use robust physical access controls
Change all default passwords
Work with manufacturers to identify and protect password reset procedures
10. Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009 (In the real world)
• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.
• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."
11. In the real world
CIA Admits Cyber attacks Blacked Out Cities
• The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.
• The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.
By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM
13. In the real world
TISA in Bangkok Post : When Hacking risks health
TISA web site : http://www.tisa.or.th
14. Common Claim: The system is isolated (In the real world)
Virus Found On Computer In Space Station
NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. …
The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection.
InformationWeek, August 27, 2008
15. [Diagram] National Critical Infrastructure has Plant Control Systems; Plant Control Systems have Vulnerabilities/Weaknesses. Surrounding elements: Adversary (Terrorist / Hacker / Disgruntled employee); Malicious code (Virus/Worm); Manufacture; Operation; Law/Government; Industry-specific Standard/Guideline; Compliance/Regulator
16. Simplification
Someone hates someone else
Someone develops a weapon
Not only someone but someone else gets into trouble
Someone (and someone else) has to do something
18. What do the Big Brothers do?
• US, 1996, Critical Infrastructure Protection (PCCIP)
• US, 1998, FBI National Infrastructure Protection Center (NIPC) and
the Critical Infrastructure Assurance Office (CIAO)
• Communications and Information Sector Working Group (CISWG)
• Partnership for Critical Infrastructure Security (PCIS)
9/11
• US, 2001, President’s Critical Infrastructure Board (PCIB)
• US, 2003, National Infrastructure Advisory Council (NIAC)
• Control Systems Security Program, National Cyber Security Division,
US-DHS
• United States Computer Emergency Readiness Team (US-CERT)
Control Systems Security Center (CSSC)
19. Obama elevates the priority of Cybersecurity concerns
May 29, 2009
U.S. President Barack Obama will appoint a government-wide cybersecurity coordinator and elevate cybersecurity concerns to a top management priority for the U.S. government, he announced Friday.
The White House will also develop a new, comprehensive national cybersecurity strategy, with help from private experts, and it will invest in "cutting edge" cybersecurity research and development, Obama said in a short speech.
20. Common Characteristics
• Tone from the top
• Accountability
• Across government agencies
• Government and industries collaboration
• Industry specific best practices vs. common best
practices (share and collaborate)
• Short/Mid/Long term plan
• Review / Plan / Deploy / Monitor / Report cycle
21. Challenges
• Small number of security professionals in the market
• Misperceptions about control system security
– Security by obscurity
– Separated network
– Not an IT business
– We have no secrets
• Low awareness among stakeholders
23. The Implication
• Only a small number of professionals with the right competency to help you out
• Collaboration and support from the professional community is highly needed
24. InfoSec Professional Involvement
• Law
– ETC: Electronic Transaction Commission
– Security Sub-commission
– Electronic Transaction Act (2001)
• Performance Appraisal Program (for State Enterprise)
• National Standard Adoption (ISO27001/ISO27002)
• Educate top management in healthcare industry
• Annual conference: Cyber Defence Initiative Conference
(CDIC)
• Educate top management, mid-management and the technical persons involved
25. Key Influencer
• Electronic Transaction Commission (ETC)
• Thailand Information Security Association (TISA)
• State Enterprise Policy Office (SEPO)
• Ministry of ICT
• NECTEC, Ministry of Science and Technology
• ACIS Professional Center
26. Guideline on Securing Electronic Transactions
(Derived from the ISMS Implementation Guideline)
32. TISA Pilot Exam Summary: Certification Roadmap
Tracks: Audit / Management / Technical
EXPERT and ADVANCE levels: International Certified IT & Information Security Professional; a step to CISSP, SSCP, CISA, CISM
FOUNDATION level (Localized): TISA TISET Certification on IT / Information Security; Competencies Test, TISA TISET Exam
33. State Enterprise Policy Office (SEPO)
• Incentive-based Performance Appraisal Program conducted annually
• 50+ State Enterprises under this program which include:
– Electricity Generation and distribution
– Gas pipeline and energy
– Water works
– Telecommunication
• IT Management
– ISO27001
• Business Risk Management
– Business Continuity Management (BCM)
35. The growth of ISO27001 in Thailand
Country, certificates | Country, certificates | Country, certificates
Japan 3572 | Philippines 15 | Peru 3
India 490 | Pakistan 14 | Portugal 3
UK 448 | Iceland 13 | Argentina 2
Taiwan 373 | Saudi Arabia 13 | Belgium 2
China 373 | Netherlands 12 | Bosnia Herzegovina 2
Germany 138 | Singapore 12 | Cyprus 2
Korea 106 | Indonesia 11 | Isle of Man 2
USA 96 | Bulgaria 10 | Kazakhstan 2
Czech Republic 85 | Norway 10 | Morocco 2
Hungary 71 | Russian Federation 10 | Ukraine 2
Italy 61 | Kuwait 9 | Armenia 1
Poland 56 | Sweden 9 | Bangladesh 1
Spain 43 | Colombia 8 | Belarus 1
Malaysia 39 | Iran 8 | Denmark 1
Ireland 37 | Bahrain 7 | Dominican Republic 1
Austria 35 | Switzerland 7 | Kyrgyzstan 1
Thailand 34 | Croatia 6 | Lebanon 1
Hong Kong 32 | Canada 5 | Luxembourg 1
Romania 30 | South Africa 5 | Macedonia 1
Australia 29 | Sri Lanka 5 | Mauritius 1
Greece 28 | Vietnam 5 | Moldova 1
Mexico 24 | Lithuania 4 | New Zealand 1
Brazil 23 | Oman 4 | Sudan 1
Turkey 21 | Qatar 4 | Uruguay 1
UAE 20 | Chile 3 | Yemen 1
Slovakia 19 | Egypt 3 |
France 18 | Gibraltar 3 |
Slovenia 16 | Macau 3 | Total 6573
Number of Certificates Per Country, July 2010: http://www.iso27001certificates.com/Register%20Search.htm
36. Start with Awareness
• Annual Security Event, CDIC (Public and
Private sector)
• Top Management
• Involved Engineer and Technician
38. Normal Operation
[Diagram] PLC -> HMI Web & DB Server -> Operator Workstation -> Operator
39. Hacking on Operator workstation
Scenario #1.1 Known local admin password
[Diagram] PLC -> HMI Web & DB Server -> Operator Workstation -> Operator
Hacker knows the local admin password
Connects to Remote Desktop, and is then connected to the GUI's server
Remotely control GUI
Add new user
Open shared folder
40. Hacking on Operator workstation
Summary Scenario #1.1 Known local admin password
Required condition:
Local admin password is known (default password)
Remote Desktop is enabled
Consequence:
Attacker can take over the system
Attacker can take over the GUI
Attacker can add a new user
Attacker can open a shared folder
Remediation:
Change the default password
Restrict access to Remote Desktop
41. Hacking on Operator workstation
Scenario #1.2 Unpatched
[Diagram] PLC -> HMI Web & DB Server -> Operator Workstation (unpatched) -> Operator
Hacker attacks a vulnerability on the server (GUI's server exploited)
Remotely control GUI
Add new user
Open shared folder
42. Hacking on Operator workstation
Summary Scenario #1.2 unpatched
Required condition:
Operator workstation is not patched
Consequence:
Attacker can take over the system
Attacker can take over GUI
Attacker can add new user
Attacker can open share folder
Remediation:
Regularly update the workstation
Monitor the system integrity
Consider intrusion detection system
Consider security perimeter
43. Hacking on Operator workstation
Scenario #1.3 Password Sniffing
[Diagram] PLC -> HMI Web & DB Server -> Operator Workstation -> Operator
Password sniffed in the network
44. Hacking on Operator workstation
Summary Scenario #1.3 Password Sniffing
Required condition:
Web-based HMI
Operator sends login password via HTTP
Consequence:
Password is known to hacker
Hacker can login to Web-based HMI
Remediation:
Use HTTPS instead of HTTP
Consider detection measure
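The "detection measure" named above, as an added example that is not part of the original slides: a defender-side check that scans HTTP requests already captured in the clear on the control network and reports any login that carried credentials to the web-based HMI over plain HTTP. The HMI host name, the credential field names and the sample requests are constructed for this example.

```python
# Added example (not from the original slides): flag HMI logins sent over
# plain HTTP. Input is a list of raw HTTP/1.1 requests as seen on the wire;
# hosts, field names and sample requests below are constructed assumptions.
from urllib.parse import parse_qs, urlsplit

HMI_HOSTS = {"hmi.plant.local"}                    # assumed HMI host name
CREDENTIAL_FIELDS = {"password", "passwd", "pwd"}  # form fields that carry secrets

# Constructed sample traffic: two cleartext HMI logins, one harmless request,
# and one login to a host that is not the HMI.
SAMPLE_REQUESTS = [
    "POST /login HTTP/1.1\r\nHost: hmi.plant.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=operator&password=Sup3rS3cret",
    "GET /trend?tag=FIC101 HTTP/1.1\r\nHost: hmi.plant.local\r\n\r\n",
    "GET /login?user=op&pwd=1234 HTTP/1.1\r\nHost: hmi.plant.local\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: intranet.corp.local\r\n\r\nuser=bob&password=x",
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def credential_fields(method, target, headers, body):
    """Names of credential-bearing fields in the query string or form body."""
    fields = set(parse_qs(urlsplit(target).query))
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    if method == "POST" and is_form:
        fields |= set(parse_qs(body))
    return sorted(CREDENTIAL_FIELDS & fields)

def cleartext_logins(raw_requests):
    """One finding per request that sent HMI credentials over plain HTTP.
    Findings carry field names only, never the secret values, so they can be logged."""
    findings = []
    for raw in raw_requests:
        method, target, headers, body = parse_request(raw)
        host = headers.get("host", "").split(":")[0]
        if host not in HMI_HOSTS:
            continue
        leaked = credential_fields(method, target, headers, body)
        if leaked:
            findings.append({"host": host, "method": method,
                             "path": urlsplit(target).path, "fields": leaked})
    return findings
```

Once the HMI is moved to HTTPS, any remaining hit from this check is a misconfigured client or an attacker's fallback to HTTP and deserves an alert.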
45. Hacking on Operator workstation
Scenario #1.4 Remember password
[Diagram] PLC -> HMI Web & DB Server -> Operator Workstation -> Operator
Plug in a U3 USB thumb drive; dump the "remember password" store
46. Hacking on Operator workstation
Summary Scenario #1.4 Remember password
Required condition:
Physical access to the system
Autorun enabled
Consequence:
Password is stolen
Remediation:
Limit physical access to the system
Disable Autorun (all drives)
Don't use the remember password feature
47. Hacking on HMI Web & DB server
Scenario #2 SQL Injection
[Diagram] PLC -> HMI Web & DB Server (injection flaw!) -> Operator Workstation -> Operator
SQL Injection: delete table; modify data in table (insert, delete, update)
48. Hacking on HMI Web & DB Server
Summary Scenario #2 SQL Injection
Required condition:
Web-based HMI
SQL Injection flaw
Consequence:
Direct database manipulation
Remediation:
Input validation
Web Application security assessment
Web Application Firewall (WAF)
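The "input validation" remediation above, as an added example that is not part of the original slides: a web HMI trend query written the injectable way next to its hardened form (tag-name validation plus a parameterised query). The historian table, tag format and sample rows are constructed for this example and use an in-memory SQLite database.

```python
# Added example (not from the original slides): SQL injection in an HMI trend
# lookup, vulnerable form beside the hardened form. The table, the tag naming
# rule and the rows are constructed assumptions, not any real product's schema.
import re
import sqlite3

TAG_NAME = re.compile(r"^[A-Z]{2,4}\d{3}$")  # assumed plant tag syntax, e.g. FIC101

def make_db():
    """Constructed in-memory copy of an HMI historian table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tag_values (tag TEXT, ts INTEGER, value REAL)")
    db.executemany("INSERT INTO tag_values VALUES (?, ?, ?)", [
        ("FIC101", 1, 12.5), ("FIC101", 2, 12.7), ("PIC202", 1, 3.1),
    ])
    return db

def trend_vulnerable(db, tag):
    # Injectable: the user-supplied tag is spliced into the SQL text, so a
    # quote in the input changes the query instead of being data.
    sql = "SELECT ts, value FROM tag_values WHERE tag = '" + tag + "' ORDER BY ts"
    return db.execute(sql).fetchall()

def trend_parameterised(db, tag):
    # Parameter binding: the driver sends the value separately from the SQL,
    # so whatever the input contains it is compared as a literal tag name.
    sql = "SELECT ts, value FROM tag_values WHERE tag = ? ORDER BY ts"
    return db.execute(sql, (tag,)).fetchall()

def trend_hardened(db, tag):
    # Defence in depth: reject anything that is not a well-formed tag name
    # before it reaches the database, then still use parameter binding.
    if not TAG_NAME.match(tag):
        raise ValueError("invalid tag name")
    return trend_parameterised(db, tag)
```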
49. Hacking on PLC
Scenario #3 Direct PLC Manipulation
[Diagram] PLC (open port 2222/TCP!) -> HMI Web & DB Server -> Operator Workstation -> Operator
Take control of PLC: control valve/pump; change PLC mode (system halt); modify PLC data; disrupt PLC operation
50. Hacking on PLC
Summary Scenario #3 Direct PLC Manipulation
Required condition:
Port 2222/TCP is open (Allen Bradley)
No authentication
Network routable
Consequence:
Access to the PLC's data table
Remediation:
Enable authentication where possible
Routing control / network isolation (verify)
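The "(verify)" in the remediation above, as an added example that is not part of the original slides: a check that evaluates a firewall rule set the way a first-match filter would and confirms that only the HMI server can reach the PLC on 2222/TCP. Addresses, the weak and corrected rule sets and the probe hosts are constructed assumptions.

```python
# Added example (not from the original slides): verify PLC network isolation
# against a constructed first-match rule set. All addresses are assumptions.
import ipaddress

PLC = "10.10.2.20"          # assumed PLC address
HMI_SERVER = "10.10.1.10"   # assumed HMI Web & DB server address
PLC_PORT = 2222             # Allen-Bradley port named on the slide

# Rules are (src_cidr, dst_cidr, dst_port or None for any, action); first match wins.
WEAK_RULES = [                                   # "routable": any host may reach the PLC
    ("0.0.0.0/0", "10.10.2.0/24", 2222, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]
CORRECTED_RULES = [                              # only the HMI server, only that port
    ("10.10.1.10/32", "10.10.2.20/32", 2222, "allow"),
    ("0.0.0.0/0", "10.10.2.0/24", None, "deny"),
    ("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching (src, dst, port), default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_cidr, dst_cidr, rule_port, action in rules:
        if (s in ipaddress.ip_network(src_cidr) and d in ipaddress.ip_network(dst_cidr)
                and (rule_port is None or rule_port == port)):
            return action
    return "deny"

def verify_plc_isolation(rules, allowed_sources, probe_sources):
    """List (source, verdict, expected) for every probe whose verdict is wrong:
    a non-HMI host that can still reach the PLC port, or an HMI host that cannot."""
    violations = []
    for src in probe_sources:
        verdict = decide(rules, src, PLC, PLC_PORT)
        expected = "allow" if src in allowed_sources else "deny"
        if verdict != expected:
            violations.append((src, verdict, expected))
    return violations

# Constructed probes: HMI server, operator workstation, corporate LAN host, unknown host.
PROBES = ["10.10.1.10", "10.10.1.50", "10.20.0.7", "192.168.100.5"]
```

Run the same probe list against the live rule base after every change; an empty violation list is the evidence that "network isolation" actually holds.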
51. Summary
• Been doing
– Help raise awareness
– Informal gathering of industry leaders
– Some laws and regulations issued
• Future
– Many things are lined up
– Government is to work closely with industry
– Collaboration and community across countries shall be considered
– It will be a long journey