Every time a new information technology finds its way into production, it seems as though we end up repeating the same process – security vulnerabilities will be discovered and disclosed in that technology, and users and vendors will deny that the risks are significant. Only after major attacks occur do we really start to see efforts to address the inherent risks in a systematic way.
We’re falling into this exact same trap again with Industrial Control and SCADA systems, but in this case the problem is worse, because the inherent nature of control systems prevents us from applying many of the strategies that have been used to protect other kinds of computer networks.
Join Lancope’s Director of Security Research, Tom Cross, for a look at the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems.
Hear about:
The state of Control Systems security vulnerabilities
Attack activity that is prompting a change in perspective
The unique, long-term challenges associated with protecting SCADA networks
How anomaly detection can play a key role in protecting SCADA systems now
SCADA Security: The Five Stages of Cyber Grief
1. SCADA Security: The Five Stages of Cyber Grief
Tom Cross
Director of Security Research
2. Vulnerabilities I’m credited on…
• MFSA2008-37 Mozilla Stack Buffer Overflow
• cisco-sa-20070808-IOS-IPv6-leak Information Leakage Using IPv6 Routing Header in Cisco IOS and Cisco IOS-XR
• MS07-033 Internet Explorer COM object instantiation
• CVE-2007-2388 Apple Quicktime for Java remote code execution
• MS06-036 Windows SMB Denial of Service
• X-Force Alert 228 Asterisk PBX Denial of Service
• X-Force Alert 229 Asterisk PBX Traffic Amplification
8. It’s connected to the Internet.
“In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks.”
Source: Sean McGurk, Verizon, testimony to the Subcommittee on National Security, Homeland Defense, and Foreign Operations, May 25, 2011 hearing.
11. SHODAN
• Project STRIDE: “To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses.”
12. ICS-CERT
• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems.
• In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.
17. Stage 3: Bargaining
• Stuxnet
– First widely reported use of malware to destroy a physical plant
– Extremely sophisticated
– Jumped the air-gap via USB keys
– Widespread infections throughout the Internet
• Shamoon
– Targeted the energy sector
– Destructive
– Overwrites files
– Destroys the Master Boot Record
[Figure: Stuxnet infections, source Symantec]
21. DDoS Attacks More Automated & Powerful
• Prolexic Q2 2012 to Q2 2013
– 33% increase in attacks
– 925% increase in bandwidth
• 4.47 Gbps to 49.24 Gbps
– 1655% increase in packets per second
• 2.7 Mpps to 47.4 Mpps
24. Stage 4: Depression
The Patching Treadmill
• Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to Interconnectivity
• Interconnectivity leads to compromise
• Solutions?
– Third-Party Run-Time In-Memory Patching?
– Intrusion Prevention Systems?
26. Stage 5: Acceptance
What would acceptance mean?
• Getting serious about interconnectivity
– We need to find new ways to work
– We need to accept some inconvenience
• Designing systems for patchability
– Systems that can be patched without being restarted
– Hot Standby failover
– Patches that do not require upgrades
– Security patches that can be accepted without performance concerns
– Built-in IDS capability?
• Designing systems for failure
28. Network Visibility through NetFlow
[Figure: network diagram showing the Internet, a DMZ, a VPN, the internal network and 3G-connected sites; NetFlow records from each segment are exported to a central NetFlow Collector]
NetFlow packets carry, per flow: src and dst IP, src and dst port, start time, end time, MAC address, byte count, and more.
29. Intrusion Audit Trails
Do you know what went on while you were mitigating?
• 1:06:15 PM: Internal host visits malicious web site
• 1:06:30 PM: Malware infection complete, accesses Internet command and control
• 1:06:35 PM: Malware begins scanning internal network
• 1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
• 1:13:59 PM: Multiple internal infected hosts
• 1:14:00 PM: Administrators manually disconnect the initial infected host
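The NetFlow fields on slide 28 and the incident timeline on slide 29 together suggest what a collector can do with flow records: spot the internal scanning step and reconstruct the audit trail afterwards. The following is an added example, not code from the deck or from Lancope; it assumes a 10.0.0.0/8 internal range, a fan-out threshold and window chosen here, and constructed sample flows that mirror the slide's timeline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (constructed, not from the deck): internal range and tuning.
INTERNAL = ip_network("10.0.0.0/8")
FAN_OUT_THRESHOLD = 5      # distinct internal peers per window
WINDOW = timedelta(seconds=60)

# Constructed sample flows with the fields the slide lists:
# (src ip, dst ip, src port, dst port, start time, end time, byte count)
FLOWS = [
    ("10.0.1.20", "203.0.113.9", 51234, 80, "13:06:15", "13:06:16", 1200),   # web visit
    ("10.0.1.20", "198.51.100.7", 51235, 443, "13:06:30", "13:06:31", 800),  # C2 contact
    ("10.0.1.20", "10.0.1.21", 51236, 445, "13:06:35", "13:06:35", 60),      # fan-out begins
    ("10.0.1.20", "10.0.1.22", 51237, 445, "13:06:36", "13:06:36", 60),
    ("10.0.1.20", "10.0.1.23", 51238, 445, "13:06:37", "13:06:37", 60),
    ("10.0.1.20", "10.0.1.24", 51239, 445, "13:06:38", "13:06:38", 60),
    ("10.0.1.20", "10.0.1.25", 51240, 445, "13:06:39", "13:06:39", 60),
    ("10.0.1.20", "10.0.1.26", 51241, 445, "13:06:40", "13:06:40", 60),
    ("10.0.1.30", "203.0.113.9", 40001, 80, "13:06:50", "13:06:52", 5000),   # benign host
]

def _t(s):
    return datetime.strptime(s, "%H:%M:%S")

def find_scanners(flows):
    """Map src ip -> start of the first window in which an internal host
    reached more than FAN_OUT_THRESHOLD distinct internal destinations."""
    by_src = defaultdict(list)
    for src, dst, _sp, _dp, start, _end, _b in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            by_src[src].append((_t(start), dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= WINDOW}
            if len(peers) > FAN_OUT_THRESHOLD:
                scanners[src] = t0.strftime("%H:%M:%S")
                break
    return scanners

def audit_trail(flows, host):
    """Chronological (start, dst ip, dst port, bytes) rows for one host: the raw
    material for the kind of incident timeline the slide shows."""
    rows = [(s, d, dp, b) for src, d, _sp, dp, s, _e, b in flows if src == host]
    return sorted(rows, key=lambda r: _t(r[0]))
```

The threshold and window are deliberately simple; on a real control network they would be tuned per segment, since a polling master legitimately talks to many outstations.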