Saxion Enschedé College Security 2010
1. Stuxnet: It goan oan
Ir.drs. J. (Jurgen) van der Vlugt RE CISA
Noordbeek B.V.
Jurgen@Noordbeek.com
6 October 2010, Enschedé
2. College Stuxnet: It goan oan / Proces-IT 2010 10 06 2
Intro: who I am
• Business economics (Rotterdam, finbel)
• Technical informatics (Delft; KI)
• KPMG EDP Auditors / IRM (WinNT, Y2K)
• Post-graduate IT auditing (VU)
• Sogeti
• ABN AMRO (Group Audit, Group Security; projects++, outsourcing, security integration)
• Noordbeek
• VU, NOREA (VC, CHBr), ISACA, ISSA (NL, Int’l), PvIB
3. Agenda
• Maeslant and ڈژک
• Process IT
• Administrative systems and such
• Ubiquitous information
6. Stuxnet
• In circulation / on the radar since June (?)
• A great deal of knowledge went into it
• Team effort
• Not after credit-card info. Huh?
• Via USB port
• Siemens WinCC/PCS7, specific functions
• September:
  • Mainly anti-Iran
  • ‘Start-up of nuclear power plant postponed’
  • Round up the usual suspects
  • Traces of political messages
  • Israel ..? India? USoA? Who?
7. It goat oan
• Problem: poor control of process IT
• Known for a long time
• After bragging rights through defacing
• And after financial gain via banking trojans
• Now the third wave
• “Cyberwarfare”?
8. (Financial gain)
• No lone wolves
• An industry:
  • Vulnerability searchers
  • Exploit developers
  • CC harvesters
  • CC brokers
  • CC smurfers / mules
  • Collectors
  • Hosting / defence
• Botnets: same
• Software is copyable…
9. Agenda
• Maeslant and ڈژک
• Process IT
• Administrative systems and such
• Ubiquitous information
10. Process IT
• Rooted in electrical engineering
• Specialist
• Critical systems!
13. Also known as: SCADA
SCADA = supervisory control and data acquisition.
• Industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes, as described below:
• Industrial processes: manufacturing, production, power generation, fabrication, refining. Continuous, batch, repetitive, or discrete modes.
• Infrastructure, public or private, incl. water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense sirens, and large communication systems.
• Facilities, public or private, incl. buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.
14. Elements
• HMI: Human-Machine Interface
  • Monitoring
  • Control
• Supervisory (computer) system
  • Data acquisition
  • Sending control commands
• RTUs: Remote Terminal Units
  • Connect sensors in the process
  • Convert sensor signals to digital
  • Send digital signals to the supervisory system
• PLCs: Programmable Logic Controllers
  • ‘Field devices’: cheaper and more flexible than special-purpose RTUs
• Communication devices / cabling
15. SCADA
Nota bene:
• PLCs control the standard process
• RTUs pick up deviations
• People pick up deviations at a higher level (iff)
• Tag db:
  • Tags/points = monitored I/O value
  • Hard (1) / soft (combination)
  • + Timestamp, + Metadata
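The tag database and the layered handling of deviations described on the two slides above (hard points holding one I/O value, soft points combining several, each with a timestamp and metadata; PLCs run the standard process, RTUs pick up deviations, people pick up deviations at a higher level) as a small Python model. This is an added example, not code from the lecture or from any SCADA product. The tag names, alarm limits, RTU metadata, the scan log and the rule that three consecutive out-of-range scans escalate to the operator are all constructed for the illustration.

```python
"""Toy SCADA tag database with layered deviation handling (constructed example).

Hard tags hold one digitised I/O value delivered by an RTU; soft tags are
combinations of hard tags computed in the supervisory system. Every value
carries a timestamp and metadata. A single out-of-range sample is an
RTU-level alarm; a run of consecutive out-of-range scans on one tag is
escalated to the operator, who decides whether to intervene.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Formula = Callable[[Dict[str, float]], float]


@dataclass
class Tag:
    name: str
    unit: str
    low: float                          # lower alarm limit
    high: float                         # upper alarm limit
    kind: str = "hard"                  # "hard": one physical I/O point; "soft": derived
    formula: Optional[Formula] = None   # soft tags only: f(hard values) -> value
    value: Optional[float] = None
    timestamp: Optional[int] = None     # seconds on a constructed clock
    metadata: Dict[str, str] = field(default_factory=dict)

    def in_range(self) -> bool:
        return self.value is not None and self.low <= self.value <= self.high


class TagDB:
    """Supervisory-side tag store with two alarm levels."""

    def __init__(self, escalate_after: int = 3):
        self.tags: Dict[str, Tag] = {}
        self.alarms: List[dict] = []         # RTU level: one out-of-range sample
        self.escalations: List[dict] = []    # operator level: sustained deviation
        self._streak: Dict[str, tuple] = {}  # tag -> (consecutive count, first ts)
        self.escalate_after = escalate_after

    def add(self, tag: Tag) -> None:
        self.tags[tag.name] = tag

    def scan(self, ts: int, readings: Dict[str, float]) -> None:
        """One RTU scan cycle: store the digitised samples, then derive the soft tags."""
        for name, value in readings.items():
            tag = self.tags[name]
            if tag.kind != "hard":
                raise ValueError(f"{name} is not a hard tag")
            tag.value, tag.timestamp = value, ts
            self._check(tag)
        hard = {n: t.value for n, t in self.tags.items()
                if t.kind == "hard" and t.value is not None}
        for tag in self.tags.values():
            if tag.kind != "soft":
                continue
            try:
                tag.value = tag.formula(hard)
            except KeyError:             # an input tag has not been sampled yet
                continue
            tag.timestamp = ts
            self._check(tag)

    def _check(self, tag: Tag) -> None:
        if tag.in_range():
            self._streak.pop(tag.name, None)
            return
        self.alarms.append({"tag": tag.name, "value": tag.value,
                            "unit": tag.unit, "ts": tag.timestamp})
        count, first_ts = self._streak.get(tag.name, (0, tag.timestamp))
        count += 1
        self._streak[tag.name] = (count, first_ts)
        if count == self.escalate_after:
            self.escalations.append({"tag": tag.name, "first_seen": first_ts,
                                     "escalated": tag.timestamp,
                                     "delay": tag.timestamp - first_ts})


def build_db() -> TagDB:
    """Two hard pressure tags on one (constructed) RTU and one soft tag derived from them."""
    db = TagDB(escalate_after=3)
    db.add(Tag("P_in", "bar", 4.0, 6.0, metadata={"rtu": "RTU-7", "channel": "AI1"}))
    db.add(Tag("P_out", "bar", 8.0, 12.0, metadata={"rtu": "RTU-7", "channel": "AI2"}))
    db.add(Tag("dP_pump", "bar", 4.0, 7.0, kind="soft",
               formula=lambda h: h["P_out"] - h["P_in"],
               metadata={"derived_from": "P_out - P_in"}))
    return db


# Constructed scan log: inlet pressure steady, outlet pressure sagging for a
# while, then recovering.  Tuples are (ts, P_in, P_out).
SAMPLES = [(0, 5.0, 10.0), (10, 5.0, 9.5), (20, 5.0, 8.5), (30, 5.0, 7.9),
           (40, 5.0, 7.8), (50, 5.0, 7.7), (60, 5.0, 9.0)]


def run(samples=SAMPLES) -> TagDB:
    db = build_db()
    for ts, p_in, p_out in samples:
        db.scan(ts, {"P_in": p_in, "P_out": p_out})
    return db


if __name__ == "__main__":
    db = run()
    for a in db.alarms:
        print(f"alarm      t={a['ts']:>3}  {a['tag']}={a['value']:.2f} {a['unit']}")
    for e in db.escalations:
        print(f"escalation t={e['escalated']:>3}  {e['tag']} out of range since "
              f"t={e['first_seen']} ({e['delay']} s before the operator was told)")
```

In this run the derived differential-pressure tag leaves its band at t=20, ten seconds before the raw outlet pressure does, so the soft point is the earlier warning; the `delay` field on each escalation is the gap between the first deviating sample and the moment a person is involved, which is the number to look at when asking whether intervention comes too late.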
21. P-roblems
• No attention to security and authentication in the design, roll-out and operations of current generations of SCADA networks
• (No) security through obscurity (any more)
• Reliance on special protocols, proprietary interfaces (still!)
• ‘Physical security is sufficient’
• ‘They’re not connected to the Internet’
22. What if it goes wrong
• Visible?
• Positive feedforward?
• Too late?
• Intervention possible?
23. Also
Shattered Shield
'I Had A Funny Feeling in My Gut' By David Hoffman
Washington Post Foreign Service
Wednesday, February 10, 1999; Page A19
• It was just past midnight as Stanislav Petrov settled into the commander's chair inside the secret bunker at Serpukhov-15, the installation where the Soviet Union monitored its early-warning satellites over the United States.
• Then the alarms went off. On the panel in front of him was a red pulsating button. One word flashed: "Start."
• It was Sept. 26, 1983, and Petrov was playing a principal role in one of the most harrowing incidents of the nuclear age, a false alarm signaling a U.S. missile attack. Although virtually unknown to the West at the time, the false alarm at the closed military facility south of Moscow came during one of the most tense periods of the Cold War. And the episode resonates today because Russia's early-warning system has fewer than half the satellites it did back then, raising the specter of more such dangerous incidents.
• As Petrov described it in an interview, one of the Soviet satellites sent a signal to the bunker that a nuclear missile attack was underway. The warning system's computer, weighing the signal against static, concluded that a missile had been launched from a base in the United States.
• The responsibility fell to Petrov, then a 44-year-old lieutenant colonel, to make a decision: Was it for real? Petrov was situated at a critical point in the chain of command, overseeing a staff that monitored incoming signals from the satellites. He reported to superiors at warning-system headquarters; they, in turn, reported to the general staff, which would consult with Soviet leader Yuri Andropov on the possibility of launching a retaliatory attack.
• Petrov's role was to evaluate the incoming data. At first, the satellite reported that one missile had been launched – then another, and another. Soon, the system was "roaring," he recalled – five Minuteman intercontinental ballistic missiles had been launched, it reported.
• Despite the electronic evidence, Petrov decided – and advised the others – that the satellite alert was a false alarm, a call that may have averted a nuclear holocaust. But he was relentlessly interrogated afterward, was never rewarded for his decision and today is a long-forgotten pensioner.
24. Agenda
• Maeslant and ڈژک
• Process IT
• Administrative systems and such
• Ubiquitous information
25. Traditional
[Diagram: matrix with the columns ‘Business’, Information Mgt and IT against the rows Strat(egic), Tact(ical) and Oper(ational)]
26. Information security
[Diagram: the same ‘Business’ / Information Mgt / IT × Strat / Tact / Oper matrix, with the areas covered by ‘Information security’ and ‘IT security’ marked on it]
27. Threats
… Sorry!
[Diagram of threat categories; labels: Acts of nature (‘Acts of God’): flood, tornado, earthquake, flu pandemic. Acts of Man: without intent / with intent?: crackers, fraudsters, activist groups, reluctance / no time]
28. Threats
• Acts of Man
• Active / Passive (staying passive)
• I’m-sorry attacks
• Stupidity
• ‘Operational risks’..!
29. And then: Controls
= Measures, means of adjustment
• Organisational (segregation of duties)
• Procedural (ticking off reports)
• Physical (access)
• IT (…)
• Money (insurance)
• In combination (There is no silver bullet!)
30. Controls (protection?)
• Deterrent,
• Preventive,
• Detective,
• Repressive,
• Limiting and absorbing,
• Corrective and recovering
• The earlier the better
• Just better than the neighbours
31. Controls (continued)
• Traditionally: an accountants’ hobby,
  but no longer only for the audit of the annual accounts
• Language problem:
  doing it at the operational level ↔
  explaining it at management level
• Modes
• RBAC
• Classification
• Architecture
32. Controls: costs, benefits
• Damage ↔ cost of controls
  (direct, indirect, reputation?)
• Numbers needed beforehand!
  • Frequency / probability
  • Impact, damage (2x)
• Costs → continuous → report (nothing noticeable?)
• Effectiveness
• FUD may work better after all
33. Where is the control-loop idea?
• Nowhere.
  Administrative people don’t know it
• Well, not entirely nowhere…
34. [Diagram: Operational Risk Management control loop. Phases: Evaluate design & set-up; Analysis; Monitor & react. Elements: Process; Inherent risks; Controls (designed, selected for efficiency); Risk indicators, KRI (Mgt) and KRI values; (K)ORC (Mgt); R(S)A (+Audit); ORAP; Incident Mgt; Problem Mgt; Insurance Mgt; CLD. Flows between them: Breach; Incidents; Near misses; Incidents for analysis (Problems); Indemnities; Corrective actions; Tuning (mandatory)]
36. Agenda
• Maeslant and ڈژک
• Process IT
• Administrative systems and such
• Ubiquitous information
38. Ubi-problems
• Who has access to the data,
  who is in control?
• Privacy
• Trawling for patterns
  (total surveillance)
• Where’s your data …?
  (Cloud2),
  who takes care of it?
39. Ubi-problems (II)
• Recoverability of errors
• Where do you have to go?
  (Liability for damage?)
• Whose word counts?
• Location-based voting by default?
40. How to secure now?
• Admin systems: easy in theory
  But: theory vs. people?
• Process IT: Dunno.
  But: …? Action needed!
• Ubi Info: It goat oan
41. A slightly fuller picture
[Diagram: the ‘Business’ / Information Mgt / IT picture extended with ‘Government’? and Citizen]
42. Agenda
• Maeslant and ڈژک
• Process IT
• Administrative systems and such
• Ubiquitous information
• The End
43. Questions …?
We’re moving forward!