Presented at the OPC Foundation's "The Information Revolution 2014" in Redmond, WA August 5-6, 2014 This presentation discusses the modes and methodologies an attacker may use against an industrial control system in order to create a complex process attack. The presentation then discusses some specific examples, both real and hypothetical. The presentation finishes with a description of some common ways in which an organization could defend itself against these types of attacks.

1. Cyber & Process Attack
Scenarios for ICS
Jim Gilsinn
Kenexis Security
8/5-6/2014Information Revolution 2014 1

2. Overview
• If You Live Here…
• The Situation
• Cyber & Process Attack Methodology
• Cyber & Process Attack Examples
• What Can You Do?
• Questions
8/5-6/2014Information Revolution 2014 2

3. If You Live Here…
8/5-6/2014Information Revolution 2014 3

4. If You Live Here…
8/5-6/2014Information Revolution 2014 4

5. If You Live Here…
8/5-6/2014Information Revolution 2014 5

6. If You Live Here…
8/5-6/2014Information Revolution 2014 6

7. If You Live Here…
8/5-6/2014Information Revolution 2014 7

8. THE SITUATION
8/5-6/2014Information Revolution 2014 8

9. Background
• Security of IT systems is increasingly important
• Industrial Control Systems (ICS) are a subset of IT
utilized to control industrial processes
– Systems referred to with the terms SCADA, DCS, PLC
• ICS cyber-attacks represent a real risk as ICS
become more integrated with other IT systems
– Successful cyber attacks already being made –
Stuxnet, Flame, Duqu, Gauss, Shamoon, Havex
8/5-6/2014Information Revolution 2014 9

10. IT & ICS Priorities Differ
8/5-6/2014Information Revolution 2014 10
Priority
Traditional IT Lower-Level ICS
Confidentiality
Integrity
Availability
Safety
Availability
Integrity
Confidentiality

11. IT & ICS Priorities Differ
8/5-6/2014Information Revolution 2014 11
Priority
Traditional IT Higher-Level ICS
Confidentiality
Integrity
Availability
Safety
Integrity
Availability
Confidentiality

12. Traditional Defense-In-Depth Model
8/5-6/2014Information Revolution 2014 12

13. What It Probably Looks Like in Reality
8/5-6/2014Information Revolution 2014 13

14. What it Probably Should Look Like
8/5-6/2014Information Revolution 2014 14

15. CYBER & PROCESS ATTACK
METHODOLOGY
8/5-6/2014Information Revolution 2014 15

16. Methods & Likelihood of ICS Cyber-
Attack
Direct Attack to ICS Equipment
• Exploit vulnerability in specific device
• Limited impact
Denial of Service and/or Denial of Control
• Executed with limited knowledge/resources
• Moderate impact – not expected to be catastrophic
Complex Process Attack
• Combine knowledge of ICS, processes, and cyber-security
• Sophisticated and persistent attack
• Potentially catastrophic impact
8/5-6/2014Information Revolution 2014 16

17. Attack Modes for ICS
Loss of View (LoV)
Manipulation of View (MoV)
Denial of Control (DoC)
Manipulation of Control (MoC)
Loss of Control (LoC)
8/5-6/2014Information Revolution 2014 17

18. Complex Cyber-Attack Process
Surveillance
System Mapping
Initial Infection & Compromise
Information Exfiltration
Preparing the Final Attack
Testing Incident Detection & Response
Launch the Attack
8/5-6/2014Information Revolution 2014 18

19. CYBER & PROCESS ATTACK
EXAMPLES
8/5-6/2014Information Revolution 2014 19

20. Stuxnet
• Successful complex cyber-
attack
• Discovered = 2010
• Earliest Evidence = 2005
• Target = Iranian nuclear
industry
• Deployment = infected
memory sticks
• Physical attack = enrichment
centrifuge drive frequencies
• Cyber attack = MITM
between eng. workstation
and PLC
8/5-6/2014Information Revolution 2014 20

21. Havex
• Also known as Dragonfly
• Newest Variant June 2014
• RAT = Remote Access Trojan
– “Watering Hole Attack”
– Used ICS vendor sites to distribute RAT
– Replaced legitimate software installers
– Malicious installers leave backdoor open to C&C
server
• “Energetic Bear” group attacking energy
sector since 2011
8/5-6/2014Information Revolution 2014 21

22. Havex (cont’d)
• Collects Info About OPC Classic Servers, Not
OPC-UA
• Uses DCOM features to identify potential
servers on network
• Collects information about server
• Capable of Enumerating OPC Tags
• ICS-CERT testing indicated server crashes
• Sources ICS-CERT, Symantec, CrowdStrike,
F-Secure, FireEye, DigitalBond
8/5-6/2014Information Revolution 2014 22

23. Hypothetical Cyber-Attack Scenarios
Turbine Overspeed – Power Generation
• Disable overspeed shutdowns, disconnect load
• Phishing scam posing as ICS cyber-security research firm
Ammonia Plant Explosion
• Manipulate heating during process, disable alarms and safety
system, increase CO in methanator
• Disgruntled employee
Boiler Explosion
• Stop feedwater, overheat drum, reintroduce feedwater
• Weaponized proof-of-concept exploit from white-hat
researcher
8/5-6/2014Information Revolution 2014 23

24. Boiler Explosion
• Proof of Concept
– White-hat hacker finds
vulnerability and develops
POC exploit
– Releases POC exploit
publically
• Public Participation
– Black-hat hackers
weaponize exploit
– Attack code actively
searches for specific
equipment
• Introducing Malware
– Attackers drop infected USB
drives outside industrial
facilities
• Mapping High-Value Targets
– Establish C&C center
– Collect information
– Select targets
• Preparing Attack
– List of targets based upon
potential consequences
– Send command to execute
at particular date/time
• Launch Attack
8/5-6/2014Information Revolution 2014 24

25. Ammonia Plant Explosion
• Gaining Access
– Disgruntled employee
terminated with cause
– Previously built home lab of
ICS equipment
– Privileged access
– Creates admin accounts
prior to termination
• System Mapping
– Privileged access through
VPN using admin accounts
– Leverages Citrix & terminal
services to gather HMI data
– Creates additional accounts
to hide actions
• Preparing & Testing Final
Attack
– Essentially another HMI
operator
– Uses MITM tools to hijack
HMI communications from
operators
– Develops custom scripts
– Makes small system
changes to test
• Launch Attack
8/5-6/2014Information Revolution 2014 25

26. WHAT CAN YOU DO?
8/5-6/2014Information Revolution 2014 26

27. ICS Security Is Nothing New!
• Don’t reinvent the
wheel!
• Safety, financial,
physical security
have all been around
for a long time
• Beg, borrow, steal
everything you can
8/5-6/2014Information Revolution 2014 27

28. ICS Security: Now
• Risk Management
– Consequences are many
times already identified
• Network Segmentation
– Ingress/egress monitoring
and limitation through
zone boundaries
– Technology helps,
architecture is more
important
8/5-6/2014Information Revolution 2014 28

29. ICS Security: Now
• Access Control
– Manage user accounts as roles change
• Monitoring
– Firewalls and IDS are good,
unless rules and logs are
not monitored
• Patching
– Patch where and when
possible to reduce attack
surface
8/5-6/2014Information Revolution 2014 29

30. ICS Security: Future
• Whitelisting
– Monitor applications
and memory-space
for changes
• Secure ICS Protocols
– OPC-UA is incorporating security from
ground up
– DNP3 has security
– EtherNet/IP is adding security now
8/5-6/2014Information Revolution 2014 30

31. 8/5-6/2014Information Revolution 2014 31

32. QUESTIONS
8/5-6/2014Information Revolution 2014 32

33. Questions
• Contact Information
– Jim Gilsinn
– Senior Investigator, Kenexis Security
– Email: jim.gilsinn@kenexis.com
– Website: http://www.kenexis.com
– Phone: +1-614-323-2254
– Twitter: @JimGilsinn
– LinkedIn: http://www.linkedin.com/in/jimgilsinn
– SlideShare: http://www.slideshare.com/gilsinnj
8/5-6/2014Information Revolution 2014 33