Addressing CIP: A Thailand Case Study

by Chaiyakorn Apiwathanokul
CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd.
A Company of PTT Group

Note: CIP = Critical Infrastructure Protection
Addressing CIP: A Thailand Case Study
by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS

Synopsis:
   In many countries where Critical Infrastructure Protection is not yet a
   regulatory requirement, or is not taken seriously by the government,
   perception, understanding, collaboration and a qualified workforce are big
   challenges. Many misperceptions about securing those systems make it hard
   to convince management and stakeholders to support activities and
   investments. However, legislation is not the only way to go; there are many
   other factors that can be pulled into the scene, e.g. BCM, Risk Management,
   etc., to help attract management. As security professionals, how can we
   make things better? How can we utilize the other mechanisms available to
   help address this challenge?

   In Thailand, even though we have not explicitly issued a law specifically
   for CIP, we have done something to address CIP to some extent. We help raise
   awareness and understanding through trainings and seminars that demonstrate
   the vulnerability and exploitability of such systems. We introduce ISO27001
   as a basic security management framework. Of course, there are many other
   things that need to be done to address this challenge.
About Speaker
Name:         Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
Title:        Chief Security Officer (CSO)
Company:      PTT ICT Solutions Company Limited, A Company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA

• Contributor to Thailand Cyber Crime Act B.E.2550
• Security Sub-commission under Thailand Electronic Transaction Commission
  (ET Act B.E. 2544)
• Workgroup for CA service standard development
• Committee of national standard adoption of ISO27001/ISO27002
• Committee of Thailand Information Security Association (TISA)
• Committee of Cybersecurity taskforce development, Division of Skill
  Development, Ministry of Labour
Disclaimer
• I am not a representative of either the Thailand government or any
  commission I have been involved in.
• I am not a spokesperson for my company.
• I am here as an infosec professional working and contributing in Thailand,
  and would like to share some experience and Thailand's circumstances for
  the sake of global professional community collaboration and contribution.
Agenda
• Global perspective toward CIP
• Thailand circumstance and challenges
• Approaches
Transportation System: From a movie
Italian Traffic Lights: In the real world

Event: Feb 2009, Italian authorities investigating unauthorized changes to
  traffic enforcement system
Impact: Rise of over 1,400 traffic tickets costing > 250K Euros in a two-month
  period
Specifics: Engineer accused of conspiring with local authorities to rig
  traffic lights to have a shorter yellow light, causing a spike in
  camera-enforced traffic tickets
Lessons learned:
  – Do not underestimate the insider threat
  – Ensure separation of duties and auditing
Transportation – Road Signs: In the real world

Event: Jan 2009, Texas road signs compromised
Impact: Motorists distracted and provided false information
Specifics: Some commercial road signs can be easily altered because their
  instrument panels are frequently left unlocked and their default passwords
  are not changed. "Programming is as simple as scrolling down the menu
  selection," a blog reports. "Type whatever you want to display … In all
  likelihood, the crew will not have changed [the password]."
Lessons learned:
  – Use robust physical access controls
  – Change all default passwords
  – Work with manufacturers to identify and protect password reset procedures
Building Automation System (BAS): From a movie
Security Guard Busted For Hacking Hospital's HVAC, Patient Information
Computers, July 2009: In the real world

• "A former security guard for a Dallas hospital has been arrested by federal
  authorities for allegedly breaking into the facility's HVAC and confidential
  patient information computer systems. In a bizarre twist, he posted videos
  of his hacks on YouTube, and was trying to recruit other hackers to help him
  wage a massive DDoS attack on July 4 -- one day after his planned last day
  on the job.
• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo,"
  as well as by a couple of false names, was charged with downloading
  malicious code onto a computer at the Carrell Clinic in order to cause
  damage and as a result, "threatened public health and safety," according to
  an affidavit filed by the FBI. McGraw worked as a night security guard for
  United Protection Services, which was on contract with hospital, which
  specializes in orthopedics and sports medicine."
In the real world
CIA Admits Cyber attacks Blacked Out Cities
• The disclosure was made at a New Orleans security conference Friday
  attended by international government officials, engineers, and security
  managers.
• The CIA on Friday admitted that cyberattacks have caused at least one power
  outage affecting multiple cities outside the United States.
By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM
A Black-out incident: In the real world

In the real world
TISA in Bangkok Post: When Hacking risks health
TISA web site: http://www.tisa.or.th
Common Claim: The system is isolated. In the real world:

Virus Found On Computer In Space Station
NASA confirmed on Wednesday that a computer virus was identified on a laptop
computer aboard the International Space Station, which carries about 50
computers. The virus was stopped with virus protection software and posed no
threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. …
The SpaceRef report suggested that a flash card or USB drive brought on board
by an astronaut may have been the source of the laptop infection.
InformationWeek, August 27, 2008
Diagram: Threat sources (Terrorist/Hacker, Adversary/Disgruntled employee,
Malicious code/Virus/Worm) exploit Vulnerabilities/Weaknesses in the Control
Systems that National Critical Infrastructure has. The control systems come
from Manufacture and Plant Operation, and are governed by Government,
Law/Compliance/Standard/Guideline and the Industry-specific Regulator.

Simplification
Diagram: Someone hates someone; someone develops a weapon; not only someone
but someone else got trouble; someone (and someone else) has to do something.
Activity Timeline of U.S. Critical Infrastructure Protection Initiative
What do Big Brothers do?
• US, 1996, Critical Infrastructure Protection (PCCIP)
• US, 1998, FBI National Infrastructure Protection Center (NIPC) and
  the Critical Infrastructure Assurance Office (CIAO)
• Communications and Information Sector Working Group (CISWG)
• Partnership for Critical Infrastructure Security (PCIS)
(9/11)
• US, 2001, President's Critical Infrastructure Board (PCIB)
• US, 2003, National Infrastructure Advisory Council (NIAC)
• Control Systems Security Program, National Cyber Security Division,
  US-DHS
• United States Computer Emergency Readiness Team (US-CERT)
  Control Systems Security Center (CSSC)
Obama elevates the priority of Cybersecurity concerns
May 29, 2009
U.S. President Barack Obama will appoint a government-wide cybersecurity
coordinator and elevate cybersecurity concerns to a top management priority
for the U.S. government, he announced Friday.
The White House will also develop a new, comprehensive national cybersecurity
strategy, with help from private experts, and it will invest in "cutting edge"
cybersecurity research and development, Obama said in a short speech.
Common Characteristics
• Tone from the top
• Accountability
• Across government agencies
• Government and industries collaboration
• Industry specific best practices vs. common best
  practices (share and collaborate)
• Short/Mid/Long term plan
• Review → Plan → Deploy → Monitor → Report
Challenges
• Small number of security professionals in the market
• Misperceptions about control system security
  – Security by obscurity
  – Separated network
  – Not an IT business
  – We have no secrets
• Low awareness among stakeholders
Qualified professional undersupply
Diagram: three overlapping circles, IT Professional, Infosec Prof. and Control
System Prof.; the small intersection of all three is the Control System
Cybersecurity Prof.
The Implication
• Only a small number of professionals with the right competency can help
  you out
• Collaboration and support from the professional community is highly needed
InfoSec Professional Involvement
• Law
     – ETC: Electronic Transaction Commission
     – Security Sub-commission
     – Electronic Transaction Act:2001
• Performance Appraisal Program (for State Enterprise)
• National Standard Adoption (ISO27001/ISO27002)
• Educate top management in healthcare industry
• Annual conference: Cyber Defence Initiative Conference
  (CDIC)
• Educate top management, mid-management and the technical persons involved
Key Influencer
• Electronic Transaction Commission (ETC)
• Thailand Information Security Association (TISA)
• State Enterprise Policy Office (SEPO)

• Ministry of ICT
• NECTEC, Ministry of Science and Technology
• ACIS Professional Center
Guideline on Securing the Electronic Transaction
(Derived from ISMS Implementation Guideline)
Thailand Information Security Association
http://www.tisa.or.th
ACIS Professional Center, 27-Jul-10
TISA Committees

ISMS Training
TISA Pilot Exam Summary: TISA ITS-EBK Model
Example of TISA TISET Report
TISA Pilot Exam 2009-10-17
TISA Pilot Exam Summary: Certification Roadmap
Tracks: Audit, Management, Technical
Levels:
  EXPERT
  ADVANCE: International Certified IT & Information Security Professional
    (step to CISSP, SSCP, CISA, CISM)
  FOUNDATION (Localized) on IT / Information Security Competencies Test:
    TISA TISET Certification, TISA TISET Exam
State Enterprise Policy Office (SEPO)
• Incentive-based Performance Appraisal Program conducted annually
• 50+ State Enterprises under this program, which include:
   –   Electricity generation and distribution
   –   Gas pipeline and energy
   –   Waterworks
   –   Telecommunication
• IT Management
   – ISO27001
• Business Risk Management
   – Business Continuity Management (BCM)
ISO27001 Implementation Roadmap
Timeline:
  2007: Start
  2008: Plan
  2009: Minor/support system
  2011: Main system
The growth of ISO27001 in Thailand
Number of Certificates Per Country @ July 2010
(http://www.iso27001certificates.com/Register%20Search.htm)

Country                 Certificates
Japan                   3572
India                    490
UK                       448
Taiwan                   373
China                    373
Germany                  138
Korea                    106
USA                       96
Czech Republic            85
Hungary                   71
Italy                     61
Poland                    56
Spain                     43
Malaysia                  39
Ireland                   37
Austria                   35
Thailand                  34
Hong Kong                 32
Romania                   30
Australia                 29
Greece                    28
Mexico                    24
Brazil                    23
Turkey                    21
UAE                       20
Slovakia                  19
France                    18
Slovenia                  16
Philippines               15
Pakistan                  14
Iceland                   13
Saudi Arabia              13
Netherlands               12
Singapore                 12
Indonesia                 11
Bulgaria                  10
Norway                    10
Russian Federation        10
Kuwait                     9
Sweden                     9
Colombia                   8
Iran                       8
Bahrain                    7
Switzerland                7
Croatia                    6
Canada                     5
South Africa               5
Sri Lanka                  5
Vietnam                    5
Lithuania                  4
Oman                       4
Qatar                      4
Chile                      3
Egypt                      3
Gibraltar                  3
Macau                      3
Peru                       3
Portugal                   3
Argentina                  2
Belgium                    2
Bosnia Herzegovina         2
Cyprus                     2
Isle of Man                2
Kazakhstan                 2
Morocco                    2
Ukraine                    2
Armenia                    1
Bangladesh                 1
Belarus                    1
Denmark                    1
Dominican Republic         1
Kyrgyzstan                 1
Lebanon                    1
Luxembourg                 1
Macedonia                  1
Mauritius                  1
Moldova                    1
New Zealand                1
Sudan                      1
Uruguay                    1
Yemen                      1
Total                   6573
Start with Awareness
• Annual Security Event, CDIC (Public and
  Private sector)
• Top Management
• Involved Engineer and Technician
Educating the Engineering Department
Normal Operation
Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator
Hacking on Operator workstation
Scenario #1.1 Known local admin password
Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator
  Hacker knows the local admin password → connects to Remote Desktop on the
  operator workstation → connected to the GUI's server
  Remotely control GUI; add new user; open share folder
Hacking on Operator workstation
Summary Scenario #1.1 Known local admin password
Required condition:
  – Local admin password is known (default password)
  – Remote Desktop is open
Consequence:
  – Attacker can take over the system: take over GUI, add new user, open
    share folder
Remediation:
  – Change default password
  – Restrict access to Remote Desktop
Hacking on Operator workstation
Scenario #1.2 Unpatched
Diagram: PLC – HMI Web & DB Server – Operator Workstation (unpatched) –
  Operator
  Hacker attacks the vulnerability on the unpatched system → exploited
  server → GUI's server
  Remotely control GUI; add new user; open share folder
Hacking on Operator workstation
Summary Scenario #1.2 Unpatched
Required condition:
  – Operator workstation is not patched
Consequence:
  – Attacker can take over the system: take over GUI, add new user, open
    share folder
Remediation:
  – Regularly update the workstation
  – Monitor the system integrity
  – Consider an intrusion detection system
  – Consider a security perimeter
Hacking on Operator workstation
Scenario #1.3 Password Sniffing
Diagram: PLC – HMI Web & DB Server – Operator Workstation – Operator
  The operator's password travels across the network; the hacker sniffs the
  password in the network
Hacking on Operator workstation
Summary Scenario #1.3 Password Sniffing
Required condition:
  – Web-based HMI
  – Operator sends login password via HTTP
Consequence:
  – Password is known to the hacker
  – Hacker can log in to the web-based HMI
Remediation:
  – Use HTTPS instead of HTTP
  – Consider a detection measure
Hacking on Operator workstation
Scenario #1.4 Remember password
Diagram: PLC – HMI Web & DB Server – Operator Workstation ("remember
  password" enabled) – Operator
  Plug a USB U3 thumb drive into the workstation → dump "remember password"
Hacking on Operator workstation
Summary Scenario #1.4 Remember password
Required condition:
  – Physical access to the system
  – Autorun enabled
Consequence:
  – Password is stolen
Remediation:
  – Limit physical access to the system
  – Disable Autorun (all drives)
  – Don't use the remember password feature
Hacking on HMI Web & DB server
Scenario #2 SQL Injection
Diagram: PLC – HMI Web & DB Server (injection flaw!) – Operator Workstation –
  Operator
  SQL injection against the HMI web server:
  – Delete table
  – Modify data in table (Insert, Delete, Update)
Hacking on HMI Web & DB Server
Summary Scenario #2 SQL Injection
Required condition:
  – Web-based HMI
  – SQL Injection flaw
Consequence:
  – Direct database manipulation
Remediation:
  – Input validation
  – Web application security assessment
  – Web Application Firewall (WAF)
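To make the injection flaw and its remediation concrete for the engineering audience, here is an added example (not from the presentation or any HMI product): a tag-read function for a web-based HMI written with string splicing, beside the hardened version that applies the "input validation" remediation and binds the tag name as a query parameter. The tag table, its rows and the role filter are constructed assumptions; the database is an in-memory SQLite so it runs offline.

```python
import re
import sqlite3

# Constructed sample tag table standing in for the HMI's database.
# Schema, rows and roles are assumptions for this example.
SAMPLE_TAGS = [
    ("PUMP1_RUN", "1", "operator"),
    ("VALVE3_POS", "42", "operator"),
    ("SETPOINT_KEY", "do-not-expose", "admin"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed tag table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT, value TEXT, role TEXT)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?)", SAMPLE_TAGS)
    conn.commit()
    return conn


def read_tag_vulnerable(conn, tag_name):
    """The injection flaw: the request parameter is spliced into the SQL text.

    The role filter is meant to limit operators to operator tags, but a quote
    inside tag_name rewrites the WHERE clause, and the filter with it.
    """
    sql = ("SELECT name, value FROM tags "
           "WHERE role = 'operator' AND name = '%s'" % tag_name)
    return conn.execute(sql).fetchall()


# Allow-list for tag names: an upper-case letter, then letters/digits/underscore.
TAG_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")


def read_tag_hardened(conn, tag_name):
    """Remediation: validate the input, then bind it as a query parameter."""
    if not TAG_NAME_RE.match(tag_name):
        raise ValueError("rejected tag name: %r" % tag_name)
    # The driver sends the value separately; it is never parsed as SQL.
    sql = "SELECT name, value FROM tags WHERE role = 'operator' AND name = ?"
    return conn.execute(sql, (tag_name,)).fetchall()


def contrast():
    """Run one malformed input through both readers.

    Returns (number of rows the vulnerable reader hands back, whether the
    hardened reader rejected the input).
    """
    conn = make_db()
    probe = "X' OR '1'='1"   # constructed malformed input: an unbalanced quote
    leaked = read_tag_vulnerable(conn, probe)
    try:
        read_tag_hardened(conn, probe)
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), rejected


if __name__ == "__main__":
    rows, rejected = contrast()
    print("vulnerable reader returned %d rows (all roles); hardened reader "
          "rejected the input: %s" % (rows, rejected))
```

The vulnerable reader returns every row, including the admin-only one, because the role filter is bypassed; the hardened reader never reaches the database with that input.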
Hacking on PLC
Scenario #3 Direct PLC Manipulation
Diagram: PLC (open port 2222/TCP!) – HMI Web & DB Server – Operator
  Workstation – Operator
  Control valve/pump; change PLC mode → system halt
  Take control of PLC; modify PLC data; disrupt PLC operation
Hacking on PLC
Summary Scenario #3 Direct PLC Manipulation
Required condition:
  – Port 2222/TCP is open (Allen Bradley)
  – No authentication
  – Network routable
Consequence:
  – Access to the PLC's data table
Remediation:
  – Enable authentication where possible
  – Routing control / network isolation (verify)
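The remediation above ends with "verify", and scenario #1.3 asks for a detection measure. As an added example (not part of the presentation), the following Python check reads constructed firewall log lines and flags two things: any host other than the HMI server reaching the PLC port 2222/TCP on the control network (the isolation is not holding if the connection was accepted, or is being probed if it was dropped), and operator traffic to the HMI web server over plain HTTP. The log format, the addresses and the allow-list are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed network layout for this example (constructed, not from the presentation).
PLC_NET = ip_network("10.10.2.0/24")       # control network holding the PLCs
HMI_SERVER = ip_address("10.10.1.10")      # the HMI Web & DB server
PLCS_ALLOWED_FROM = {HMI_SERVER}           # only the HMI server may talk to PLCs
PLC_PORT = 2222                            # Allen-Bradley port named in scenario #3
HTTP_PORT = 80                             # cleartext HMI login path from scenario #1.3

# Constructed firewall log lines in a simple key=value style (the format is an
# assumption; real firewalls differ, so adapt LOG_RE to yours).
SAMPLE_LOG = """\
2010-07-27T09:00:01 fw1 ACCEPT TCP src=10.10.1.10 dst=10.10.2.5 sport=40001 dport=2222
2010-07-27T09:00:07 fw1 ACCEPT TCP src=192.168.50.33 dst=10.10.2.5 sport=51234 dport=2222
2010-07-27T09:01:15 fw1 ACCEPT TCP src=10.10.1.20 dst=10.10.1.10 sport=52000 dport=80
2010-07-27T09:01:16 fw1 ACCEPT TCP src=10.10.1.20 dst=10.10.1.10 sport=52001 dport=443
2010-07-27T09:02:30 fw1 DROP TCP src=192.168.50.40 dst=10.10.2.7 sport=44444 dport=2222
this line is not a firewall record and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ip_address(rec["src"])
    rec["dst"] = ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(lines):
    """Return (finding, action, src, dst) tuples for records an analyst should see."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        # Scenario #3: a host outside the allow-list reaching the PLC port. An ACCEPT
        # means the routing control / isolation is not in place; a DROP means a probe.
        if (rec["dport"] == PLC_PORT and rec["dst"] in PLC_NET
                and rec["src"] not in PLCS_ALLOWED_FROM):
            findings.append(("plc-port-from-unexpected-host", rec["action"],
                             str(rec["src"]), str(rec["dst"])))
        # Scenario #1.3: HMI access over HTTP carries the operator's password in clear.
        if rec["dport"] == HTTP_PORT and rec["dst"] == HMI_SERVER:
            findings.append(("cleartext-hmi-access", rec["action"],
                             str(rec["src"]), str(rec["dst"])))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed log this reports the accepted corporate-to-PLC connection, the HTTP access to the HMI, and the dropped probe, while the HMI server's own PLC traffic and the HTTPS access pass silently.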
Summary
• What has been done
   – Helped raise awareness
   – Informal gathering of industry leaders
   – Some laws and regulations issued
• Future
   – Many things are lined up
   – Government is to work closely with industry
   – Collaboration and community across countries shall be considered
   – It will be a long journey

ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
 
Lesson2.9 o u2l6 who cares about encryption
Lesson2.9 o u2l6 who cares about encryptionLesson2.9 o u2l6 who cares about encryption
Lesson2.9 o u2l6 who cares about encryption
 
Risk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs ProvidedRisk Mitigation Plan Based On Inputs Provided
Risk Mitigation Plan Based On Inputs Provided
 
AI: The New Player in Cybersecurity (Nov. 08, 2023)
AI: The New Player in Cybersecurity (Nov. 08, 2023)AI: The New Player in Cybersecurity (Nov. 08, 2023)
AI: The New Player in Cybersecurity (Nov. 08, 2023)
 
Security Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA EnvironmentsSecurity Considerations in Process Control and SCADA Environments
Security Considerations in Process Control and SCADA Environments
 
CCNA Security 02- fundamentals of network security
CCNA Security 02-  fundamentals of network securityCCNA Security 02-  fundamentals of network security
CCNA Security 02- fundamentals of network security
 
The Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage DevicesThe Threats Posed by Portable Storage Devices
The Threats Posed by Portable Storage Devices
 
Butler
ButlerButler
Butler
 
Cyber security colombo meetup
Cyber security colombo meetupCyber security colombo meetup
Cyber security colombo meetup
 

Mehr von Narinrit Prem-apiwathanokul (14)

How to address C-Level properly?
How to address C-Level properly?How to address C-Level properly?
How to address C-Level properly?
 
IMC: risk base security
IMC: risk base securityIMC: risk base security
IMC: risk base security
 
Cloud Security by CK
Cloud Security by CKCloud Security by CK
Cloud Security by CK
 
Tt 06-ck
Tt 06-ckTt 06-ck
Tt 06-ck
 
U S Embassy Event - Today’S Cyber Threats
U S  Embassy  Event - Today’S  Cyber  ThreatsU S  Embassy  Event - Today’S  Cyber  Threats
U S Embassy Event - Today’S Cyber Threats
 
Introduction to INFOSEC Professional
Introduction to INFOSEC ProfessionalIntroduction to INFOSEC Professional
Introduction to INFOSEC Professional
 
Infosec Workforce Development Framework For Thailand
Infosec Workforce Development Framework For ThailandInfosec Workforce Development Framework For Thailand
Infosec Workforce Development Framework For Thailand
 
Improving SCADA Security
Improving SCADA SecurityImproving SCADA Security
Improving SCADA Security
 
SCADA Security in CDIC 2009
SCADA Security in CDIC 2009SCADA Security in CDIC 2009
SCADA Security in CDIC 2009
 
S C A D A Security Keynote C K
S C A D A  Security  Keynote  C KS C A D A  Security  Keynote  C K
S C A D A Security Keynote C K
 
SecurityExchange2009-Key Note
SecurityExchange2009-Key NoteSecurityExchange2009-Key Note
SecurityExchange2009-Key Note
 
Chaiyakorn
ChaiyakornChaiyakorn
Chaiyakorn
 
CCA Preparation for Organization
CCA Preparation for OrganizationCCA Preparation for Organization
CCA Preparation for Organization
 
IT Security EBK2008 Summary
IT Security EBK2008 SummaryIT Security EBK2008 Summary
IT Security EBK2008 Summary
 

Addressing CIP

  • 1. Addressing CIP: A Thailand Case Study by Chaiyakorn Apiwathanokul CISSP, GCFA, IRCA:ISMS Chief Security Officer PTT ICT Solutions Co., Ltd. A Company of PTT Group Note: CIP = Critical Infrastructure Protection
  • 2. Addressing CIP: A Thailand Case Study by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS. Synopsis: In many countries where Critical Infrastructure Protection is not yet a regulatory requirement or is not taken seriously by the government, perception, understanding, collaboration and a qualified workforce are big challenges. Many misperceptions about securing those systems make it hard to convince management and stakeholders to support activities and investments. However, legislation is not the only way to go; there are still many other factors that can be pulled into the scene, e.g. BCM, risk management and so on, to help attract management. As security professionals, how can we make things better? How can we utilize other available mechanisms to help address this challenge? In Thailand, even though we have not explicitly issued a law specifically for CIP, we have done something to address CIP to some extent. We help raise awareness and understanding through trainings and seminars to demonstrate the vulnerability and exploitability of such systems. We introduce ISO27001 as a basic security management framework. Of course, there are many other things that need to be done to address this challenge.
  • 3. About Speaker – Name: Chaiyakorn Apiwathanokul ไชยกร อภิวัฒโนกุล. Title: Chief Security Officer (CSO). Company: PTT ICT Solutions Company Limited, A Company of PTT Group. Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA • Contributed to Thailand Cyber Crime Act B.E.2550 • Security Sub-commission under Thailand Electronic Transaction Commission (ET Act B.E. 2544) • Workgroup for CA service standard development • Committee for national standard adoption of ISO27001/ISO27002 • Committee of Thailand Information Security Association (TISA) • Committee for cybersecurity taskforce development, Division of Skill Development, Ministry of Labour
  • 4. Disclaimer • I am not a representative of either the Thailand government or any commission I have been involved in. • I am not a spokesperson for my company. • I am here as an infosec professional working and contributing in Thailand and would like to share some experience and the Thailand circumstance for the sake of global professional community collaboration and contribution.
  • 5. Agenda • Global perspective toward CIP • Thailand circumstance and challenges • Approaches
  • 6. Transportation System (from a movie)
  • 7. Italian Traffic Lights – In the real world. Event: Feb 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system. Impact: rise of over 1,400 traffic tickets costing > 250K Euros in a two-month period. Specifics: engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets. Lessons learned: → Do not underestimate the insider threat → Ensure separation of duties and auditing
  • 8. Transportation – Road Signs – In the real world. Event: Jan 2009, Texas road signs compromised. Impact: motorists distracted and provided false information. Specifics: some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]." Lessons learned: → Use robust physical access controls → Change all default passwords → Work with manufacturers to identify and protect password reset procedures
  • 9. Building Automation System (BAS) (from a movie)
  • 10. Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009 – In the real world • "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job. • Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with hospital, which specializes in orthopedics and sports medicine."
  • 11. In the real world CIA Admits Cyber attacks Blacked Out Cities • The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers. • The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States. By Thomas Claburn InformationWeek January 18, 2008 06:15 PM
  • 12. A Black-out incident In the real world
  • 13. In the real world – TISA in Bangkok Post: "When Hacking risks health". TISA web site: http://www.tisa.or.th
  • 14. Commonly Claim: The system is isolated In the real world Virus Found On Computer In Space Station NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. … The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection. InformationWeek August 27, 2008
  • 15. [Diagram] Threat sources (adversary / terrorist / hacker / disgruntled employee) and malicious code / virus / worm act on the vulnerabilities / weaknesses that a national critical infrastructure (manufacturing plant operation, control systems) has; government / regulator respond with law / compliance / industry-specific standard / guideline
  • 16. Simplification – Someone hates someone → someone develops a weapon → someone (and someone else) gets into trouble → not only someone but someone else has to do something
  • 17. Activity Timeline of U.S. Critical Infrastructure Protection Initiative
  • 18. What Big Brothers do? • US, 1996, Critical Infrastructure Protection (PCCIP) • US, 1998, FBI National Infrastructure Protection Center (NIPC) and the Critical Infrastructure Assurance Office (CIAO) • Communications and Information Sector Working Group (CISWG) • Partnership for Critical Infrastructure Security (PCIS) 9/11 • US, 2001, President’s Critical Infrastructure Board (PCIB) • US, 2003, National Infrastructure Advisory Council (NIAC) • Control Systems Security Program, National Cyber Security Division, US-DHS • United States Computer Emergency Readiness Team (US-CERT) Control Systems Security Center (CSSC)
  • 19. Obama elevates the priority of Cybersecurity concerns May 29, 2009 U.S. President Barack Obama will appoint a government-wide cybersecurity coordinator and elevate cybersecurity concerns to a top management priority for the U.S. government, he announced Friday. The White House will also develop a new, comprehensive national cybersecurity strategy, with help from private experts, and it will invest in "cutting edge" cybersecurity research and development, Obama said in a short speech.
  • 20. Common Characteristics • Tone from the top • Accountability • Across government agencies • Government and industry collaboration • Industry-specific best practices vs. common best practices (share and collaborate) • Short/mid/long-term plan • Review → Plan → Deploy → Monitor → Report
  • 21. Challenges • Small number of security professionals in the market • Misperceptions on control system security – security by obscurity – separated network – not an IT business – we have no secret • Low awareness among stakeholders
  • 22. Qualified professional undersupply – [Venn diagram] IT Professional, Infosec Professional and Control System Professional; the intersection of all three is the Control System Cybersecurity Professional
  • 23. The Implication • Only a small number of professionals with the right competency are available to help you out • Collaboration and support from the professional community is highly needed
  • 24. InfoSec Professional Involvement • Law – ETC: Electronic Transaction Commission – Security Sub-commission – Electronic Transaction Act:2001 • Performance Appraisal Program (for State Enterprise) • National Standard Adoption (ISO27001/ISO27002) • Educate top management in healthcare industry • Annual conference: Cyber Defence Initiative Conference (CDIC) • Educate top management, mid-management and technical person involved
  • 25. Key Influencer • Electronic Transaction Commission (ETC) • Thailand Information Security Association (TISA) • State Enterprise Policy Office (SEPO) • Ministry of ICT • NECTEC, Ministry of Science and Technology • ACIS Professional Center
  • 26. Guideline on Securing the Electronic Transaction (derived from the ISMS Implementation Guideline)
  • 27. Thailand Information Security Association – http://www.tisa.or.th – ACIS Professional Center, 27-Jul-10
  • 29. ISMS Training
  • 30. TISA Pilot Exam Summary: TISA ITS-EBK Model
  • 31. Example of TISA TISET Report – TISA Pilot Exam, 2009-10-17
  • 32. TISA Pilot Exam Summary: Certification Roadmap – tracks: Audit, Management, Technical. EXPERT / ADVANCE level: international certified IT & information security professional (step to CISSP, SSCP, CISA, CISM). FOUNDATION level (localized): TISA TISET certification on IT / information security competencies test (TISA TISET exam)
  • 33. State Enterprise Policy Office (SEPO) • Incentive-based Performance Appraisal Program conducted annually • 50+ state enterprises under this program, which include: – electricity generation and distribution – gas pipeline and energy – waterworks – telecommunication • IT Management – ISO27001 • Business Risk Management – Business Continuity Management (BCM)
  • 34. ISO27001 Implementation Roadmap – 2007: start; 2008: plan; 2009: main system; 2011: minor / support system
  • 35. The growth of ISO27001 in Thailand – Number of Certificates Per Country @July 2010 (Total 6573), source: http://www.iso27001certificates.com/Register%20Search.htm
      Japan 3572            Philippines 15          Peru 3
      India 490             Pakistan 14             Portugal 3
      UK 448                Iceland 13              Argentina 2
      Taiwan 373            Saudi Arabia 13         Belgium 2
      China 373             Netherlands 12          Bosnia Herzegovina 2
      Germany 138           Singapore 12            Cyprus 2
      Korea 106             Indonesia 11            Isle of Man 2
      USA 96                Bulgaria 10             Kazakhstan 2
      Czech Republic 85     Norway 10               Morocco 2
      Hungary 71            Russian Federation 10   Ukraine 2
      Italy 61              Kuwait 9                Armenia 1
      Poland 56             Sweden 9                Bangladesh 1
      Spain 43              Colombia 8              Belarus 1
      Malaysia 39           Iran 8                  Denmark 1
      Ireland 37            Bahrain 7               Dominican Republic 1
      Austria 35            Switzerland 7           Kyrgyzstan 1
      Thailand 34           Croatia 6               Lebanon 1
      Hong Kong 32          Canada 5                Luxembourg 1
      Romania 30            South Africa 5          Macedonia 1
      Australia 29          Sri Lanka 5             Mauritius 1
      Greece 28             Vietnam 5               Moldova 1
      Mexico 24             Lithuania 4             New Zealand 1
      Brazil 23             Oman 4                  Sudan 1
      Turkey 21             Qatar 4                 Uruguay 1
      UAE 20                Chile 3                 Yemen 1
      Slovakia 19           Egypt 3
      France 18             Gibraltar 3
      Slovenia 16           Macau 3
  • 36. Start with Awareness • Annual Security Event, CDIC (Public and Private sector) • Top Management • Involved Engineer and Technician
  • 38. Normal Operation – Operator → Operator Workstation → HMI Web & DB Server → PLC
  • 39. Hacking on Operator workstation – Scenario #1.1: Known local admin password. Operator → Operator Workstation → HMI Web & DB Server → PLC. Hacker knows the local admin password → connects to the GUI's server by Remote Desktop → remotely control GUI → add new user → open share folder
  • 40. Hacking on Operator workstation – Summary, Scenario #1.1: Known local admin password. Required condition: → local admin password is known (default password) → Remote Desktop is opened. Consequence: attacker can take over the system → attacker can take over GUI → attacker can add new user → attacker can open share folder. Remediation: → change default password → restrict access to Remote Desktop
  • 41. Hacking on Operator workstation – Scenario #1.2: Unpatched. Operator → Operator Workstation → HMI Web & DB Server → PLC. Hacker attacks a vulnerability on the server → exploited server (unpatched GUI's server) → remotely control GUI → add new user → open share folder
  • 42. Hacking on Operator workstation – Summary, Scenario #1.2: Unpatched. Required condition: → operator workstation is not patched. Consequence: attacker can take over the system → attacker can take over GUI → attacker can add new user → attacker can open share folder. Remediation: → regularly update the workstation → monitor the system integrity → consider an intrusion detection system → consider a security perimeter
  • 43. Hacking on Operator workstation – Scenario #1.3: Password sniffing. Operator → Operator Workstation → HMI Web & DB Server → PLC. Hacker sniffs the password in the network
  • 44. Hacking on Operator workstation – Summary, Scenario #1.3: Password sniffing. Required condition: → web-based HMI → operator sends login password via HTTP. Consequence: → password is known to hacker → hacker can log in to the web-based HMI. Remediation: → use HTTPS instead of HTTP → consider detection measure
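The two remediations on slide 44, "use HTTPS instead of HTTP" and "consider detection measure", can be checked together from the network side. The following is an added example, not code from the presentation or from TISA: it scans constructed proxy/flow log lines (assumed format `timestamp source-ip method url status`; the host name `hmi.plant.local`, the login paths and the addresses are assumptions) and flags every login to the web-based HMI that travels over plain HTTP or carries a password in the URL, which proxy and server logs would record even over HTTPS.

```python
"""Detect plaintext logins to a web-based HMI in proxy/flow log lines.

Added example: the log format, host name and addresses are constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (assumed format: "<ts> <src_ip> <method> <url> <status>").
SAMPLE_LOG = """\
2010-07-27T09:01:02 10.10.5.21 GET http://hmi.plant.local/ 200
2010-07-27T09:01:05 10.10.5.21 POST http://hmi.plant.local/login.do 302
2010-07-27T09:02:10 10.10.5.22 POST https://hmi.plant.local/login.do 302
2010-07-27T09:03:44 10.10.5.23 GET http://hmi.plant.local/trend?tag=FT101 200
2010-07-27T09:04:01 10.10.5.21 POST http://hmi.plant.local/auth/session 200
2010-07-27T09:05:30 10.10.5.24 GET https://hmi.plant.local/login?user=op1&password=xyz 200
"""

# Paths that look like authentication endpoints (assumed naming convention).
LOGIN_PATH = re.compile(r"/(login|logon|auth|signin)\b", re.IGNORECASE)
# Query-string keys that should never carry a secret in a URL.
SECRET_KEYS = {"password", "passwd", "pwd", "pass"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    url: str
    reason: str


def parse_line(line: str):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, method, url, status = parts
    return ts, src, method.upper(), url, status


def classify(method: str, url: str):
    """Return a reason string if this request exposes a credential, else None."""
    u = urlsplit(url)
    query_keys = {k.lower() for k in parse_qs(u.query, keep_blank_values=True)}
    # A password in the query string lands in proxy and server logs even over HTTPS.
    if query_keys & SECRET_KEYS:
        return "credential in URL query string"
    # A POST to a login endpoint over plain HTTP sends the password in clear text.
    if u.scheme == "http" and method == "POST" and LOGIN_PATH.search(u.path):
        return "credential POST over plain HTTP"
    return None


def find_exposed_logins(log_text: str):
    """Run the check over every line and collect findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, method, url, _status = rec
        reason = classify(method, url)
        if reason:
            findings.append(Finding(ts, src, url, reason))
    return findings


if __name__ == "__main__":
    for f in find_exposed_logins(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.reason}: {f.url}")
```

Run against the constructed lines, the scan reports the two HTTP POSTs from 10.10.5.21 and the HTTPS request from 10.10.5.24 that put the password in the query string, and leaves the HTTPS POST and the plain trend page alone. The same two checks can be fed from a proxy, a web server access log or an IDS HTTP log with only `parse_line` changed.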
  • 45. Hacking on Operator workstation – Scenario #1.4: Remember password. Operator → Operator Workstation → HMI Web & DB Server → PLC. Plug in a USB U3 thumb drive → dump the "remember password" store
  • 46. Hacking on Operator workstation – Summary, Scenario #1.4: Remember password. Required condition: → physical access to the system → Autorun enabled. Consequence: → password is stolen. Remediation: → limit physical access to the system → disable Autorun (all drives) → don't use the remember-password feature
  • 47. Hacking on HMI Web & DB server – Scenario #2: SQL Injection. Operator → Operator Workstation → HMI Web & DB Server (injection flaw!) → PLC. SQL injection → delete table → modify data in table → insert, delete, update
  • 48. Hacking on HMI Web & DB Server – Summary, Scenario #2: SQL Injection. Required condition: → web-based HMI → SQL injection flaw. Consequence: → direct database manipulation. Remediation: → input validation → web application security assessment → Web Application Firewall (WAF)
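The "input validation" remediation on slide 48 works best in combination with parameterized queries, so that the database never parses request data as SQL. As an added example that is not code from the presentation (the `tags` table, its rows, the `FT101`-style tag naming rule and the SQLite database are all assumptions), the lookup that builds its SQL by string concatenation is shown beside a hardened version that validates the tag name against an allow-list pattern and then binds it as a parameter:

```python
"""Web-HMI tag lookup: string-built SQL (injectable) beside a hardened version.

Added example; the schema, sample rows and tag-name convention are constructed.
"""
import re
import sqlite3

# Assumed plant tag convention: 1-4 uppercase letters followed by 1-4 digits, e.g. FT101.
TAG_NAME = re.compile(r"^[A-Z]{1,4}[0-9]{1,4}$")


def build_db() -> sqlite3.Connection:
    """Create an in-memory tags table with a few constructed process values."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL, unit TEXT)")
    con.executemany(
        "INSERT INTO tags VALUES (?, ?, ?)",
        [("FT101", 12.5, "m3/h"), ("PT202", 3.1, "bar"), ("TT303", 85.0, "degC")],
    )
    con.commit()
    return con


def read_tag_unsafe(con: sqlite3.Connection, name: str) -> list:
    """The injection flaw slide 48 names: the request parameter is pasted into SQL."""
    sql = f"SELECT name, value, unit FROM tags WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def read_tag_param(con: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound separately and never parsed as SQL."""
    return con.execute(
        "SELECT name, value, unit FROM tags WHERE name = ?", (name,)
    ).fetchall()


def read_tag(con: sqlite3.Connection, name: str) -> list:
    """Hardened lookup: allow-list validation first, then the parameterized query."""
    if not TAG_NAME.fullmatch(name):
        raise ValueError(f"invalid tag name: {name!r}")
    return read_tag_param(con, name)


def compare(con: sqlite3.Connection, user_input: str) -> dict:
    """Show what each variant returns for the same request parameter."""
    try:
        hardened = read_tag(con, user_input)
    except ValueError as exc:
        hardened = str(exc)
    return {
        "unsafe": read_tag_unsafe(con, user_input),
        "param_only": read_tag_param(con, user_input),
        "hardened": hardened,
    }


if __name__ == "__main__":
    db = build_db()
    print(compare(db, "FT101"))
    # A textbook tautology input: the string-built query returns every row,
    # the parameterized one returns nothing, the hardened one rejects the input.
    print(compare(db, "' OR '1'='1"))
```

The parameterized query alone already removes the flaw; the allow-list check on top of it rejects malformed input before it reaches the database, gives the HMI a clean place to log and count rejected requests, and keeps the rule for what a tag name may look like in one spot.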
  • 49. Hacking on PLC – Scenario #3: Direct PLC manipulation. Operator → Operator Workstation → HMI Web & DB Server → PLC. Open port 2222/TCP! → control valve/pump → change PLC mode → system halt → take control of PLC → modify PLC data → disrupt PLC operation
  • 50. Hacking on PLC – Summary, Scenario #3: Direct PLC manipulation. Required condition: → port 2222/TCP is opened (Allen Bradley) → no authentication → network routable. Consequence: → access the PLC's data table. Remediation: → enable authentication where possible → routing control / network isolation (verify)
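The "(verify)" in slide 50's remediation is the part that most often slips: a later, broader rule can silently reopen a path that an earlier narrow rule was meant to be the only one granting. As an added example that is not part of the presentation, the following evaluates a constructed first-match rule set against named zones (the `corporate`, `engineering` and `dmz` zones, the 10.0.0.0/16, 10.10.5.0/24, 172.16.1.0/24 and 192.168.100.0/24 ranges and the PLC address are assumptions) and reports every zone that can reach the PLC on 2222/TCP together with the index of the rule that grants it, so the over-broad entry can be found:

```python
"""Verify which network zones can reach a PLC port through a first-match rule set.

Added example; the zones, addresses and rules are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PLC_PORT = 2222  # the Allen-Bradley TCP port named on slide 50
DEFAULT_PLC = ip_address("192.168.100.10")  # constructed PLC address


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPv4Network       # source range the rule matches
    dst: IPv4Network       # destination range the rule matches
    dport: Optional[int]   # destination TCP port, None = any port


# Constructed zones: where a packet could originate.
ZONES: Dict[str, IPv4Network] = {
    "corporate": ip_network("10.0.0.0/16"),
    "engineering": ip_network("10.10.5.0/24"),
    "dmz": ip_network("172.16.1.0/24"),
}

# Constructed rule set; rule 1 is the over-broad "any port from all of 10/8" entry.
RULES: List[Rule] = [
    Rule("allow", ip_network("10.10.5.0/24"), ip_network("192.168.100.0/24"), PLC_PORT),
    Rule("allow", ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24"), None),
    Rule("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None),
]

IMPLICIT_DENY = Rule("deny", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None)


def first_match(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
                dport: int) -> Tuple[int, Rule]:
    """Index and rule of the first entry matching src -> dst:dport (-1 = implicit deny)."""
    for i, r in enumerate(rules):
        if src in r.src and dst in r.dst and (r.dport is None or r.dport == dport):
            return i, r
    return -1, IMPLICIT_DENY


def zone_verdicts(rules: List[Rule], zones: Dict[str, IPv4Network], plc: IPv4Address,
                  dport: int = PLC_PORT) -> Dict[str, Tuple[str, int]]:
    """Evaluate the rule set from the first and last usable host of every zone.

    A zone whose two sample hosts get different verdicts straddles a rule
    boundary and is reported as "mixed" so it gets a closer look.
    """
    verdicts = {}
    for name, net in zones.items():
        if net.num_addresses > 2:
            samples = [net.network_address + 1, net.broadcast_address - 1]
        else:
            samples = [net.network_address]
        results = {first_match(rules, h, plc, dport) for h in samples}
        if len(results) == 1:
            idx, rule = results.pop()
            verdicts[name] = (rule.action, idx)
        else:
            verdicts[name] = ("mixed", -1)
    return verdicts


def audit(rules: List[Rule] = RULES, zones: Dict[str, IPv4Network] = ZONES,
          plc: IPv4Address = DEFAULT_PLC, dport: int = PLC_PORT,
          permitted: frozenset = frozenset({"engineering"})) -> Dict[str, int]:
    """Zones allowed to reach plc:dport that are not on the permitted list, with the granting rule."""
    verdicts = zone_verdicts(rules, zones, plc, dport)
    return {z: idx for z, (action, idx) in verdicts.items()
            if action == "allow" and z not in permitted}


if __name__ == "__main__":
    for zone, (action, idx) in zone_verdicts(RULES, ZONES, DEFAULT_PLC).items():
        print(f"{zone:12s} {action:5s} via rule {idx}")
    print("unexpected access:", audit())
```

With the constructed rule set the audit reports `corporate` as reaching the PLC port through rule 1, the `10.0.0.0/8` any-port entry, while `engineering` is granted by the intended narrow rule 0 and `dmz` falls through to the deny. Dropping rule 1 makes the audit come back empty, which is the check to rerun after every rule change on the control-network boundary.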
  • 51. Summary • Been doing – Help raise awareness – Informal gathering of industry leaders – Some laws and regulations issued • Future – Many things are lined up – Government is to work closely with industry – Collaboration and community across countries shall be considered – It will be a long journey