Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation
Steve Parker presents to the Georgia Distribution and Transmission Automation Group, starting off with a fictitious quote from Mark Twain and ending with a real one. Mr. Parker's presentation hinges on his hypothesis: "We have yet to see a significant cyber related outage in the North American power grid because those who have the ability to cause such, lack the motivation to do so."

Published in: Technology, Business
  • We don’t prevent the weather, we prepare for it. Likewise, cybersecurity is not a problem to be solved, it is a risk to be managed.
  • Which is it? Is the cyber threat overhyped, or under appreciated? The truth is probably somewhere in the middle.
  • Background is to provide context for my comments. Technology since childhood. Security since 1996, officially since 2000. Broad background across many technologies. Give brief description of each job. Introduce background on EnergySec and NESCO.
  • Everything is being made with a digital component.
  • Answer is 5.
  • Hype, Hope and Happenstance: Cyber Threats and Opportunities in an Age of Automation

    1. Hype, Hope, and Happenstance: Cyber Threats and Opportunities in an Age of Automation. Georgia Distribution and Transmission Automation Group, April 2, 2012, Forsyth, GA
    2. A Quote: “Everybody talks about cybersecurity, but nobody does anything about it.” -Mark Twain
       (Slide footer, repeated on most slides: The National Electric Sector Cybersecurity Organization (NESCO) is operated by EnergySec with funding assistance from the U.S. Department of Energy. 9/1/2012)
    3. A Question
    4. A Hypothesis: We have yet to see a significant cyber related outage in the North American power grid because those who have the ability to cause such, lack the motivation to do so.
    5. About Me: Security Professional by choice
       • Nextel Communications 1997-2000
       • US Bank Information Security 2000-2001
       • PacifiCorp Security 2001-2009
       • WECC CIP Auditor 2009-2010
       • EnergySec (NESCO) 2010 - ?
    6. I am not an Engineer
    7. About EnergySec
       • 7/2004: EnergySec founded as E-Sec NW
       • 1/2008: SANS Information Sharing Award
       • 12/2008: Incorporated as EnergySec
       • 10/2009: 501(c)(3) nonprofit determination
       • 4/2010: EnergySec applied for National Electric Sector Cybersecurity Organization (NESCO) FOA
       • 7/2010: NESCO grant award from DOE
       • 10/2010: NESCO became operational
    8. The System
       • Greatest engineering achievement of 21st century
       • 1 Trillion watts of generation
       • 850 Billion watts of transmission capacity
       • 150,000 miles of high voltage transmission
       • Ubiquitous
       • Average uptime 99.995% (SAIDI = 244)
    9. Smart Gridtopia
    10. But what can I do with it?
       • Distributed Generation
       • Demand Response
       • Market pricing at the consumer level
       • Frequency Response (EVs)
       • Renewables integration
       • Micro Grids
       • Energy Storage
    11. Automation
       • Automated Generation Control
       • Special Protection Systems
       • Synchrophasor Applications
       • Load Shedding
       • Advanced Metering Infrastructures
       • Centralized Control Systems
    12. There’s an App for That: “Get mobile access to your control system via an iPhone, iPad, Android and other smartphones and tablet devices. The Ignition Mobile Module gives you instant access to any HMI / SCADA project created with the Ignition Vision Module.”
    13. To The Cloud!
       • “Use any standard browser on any device to access HMI. No downloads, no tedious installs, no plug-ins. Login and you have the HMI in your hands wherever you are: factory cafeteria, or parking lot, or on the beach, or even the golf course!”
       • “GoToMyHMI provides Secure, Easy and Fast access from any Browser to InstantHMI 6.0, ready to serve you on the cloud today. Remotely Monitor, ACK Alarms and Control your HMI for one low flat fee.”
    14. The Double-edged Sword
       • Email – Fraud/Phishing
       • Facebook – Privacy
       • Online Banking – Online Theft
       • Computerized Trading – Market Manipulation
       • Smart Grid – ???
    15. Attack Surface: EMS, DMS, DCS, E-Tagging, Trading, AGC, ICCP, AMI, SCADA; Communication, Remote Access, Vendor Support, Supply Chain, [HLWMV]ANs, The Cloud, Mobile devices
    16. Logical Distance Increasing: Clicky-clicky; Whirly-whirly
    17. Today’s Shiny Object
       • Headline presentations at BlackHat/DefCon, DerbyCon, RootedCon, BSides …
       • Wall Street Journal, National Journal, CNN
       • Too many IT trade publications to name
       • Blockbuster films, prime time TV shows
       • Person-on-the-street, Congress, White House
    18. March 2012
    19. From Obscurity to Novelty
       • Smart Meter hacking
       • Hacking cookbooks, fuzzers, sniffers, reversing
       • Metasploit, Core Impact, etc.
       • Supply chain attacks
       • Manuals available in all languages on Internet
    20. Current Events
       • Facebook Social Engineering Attack Strikes NATO (http://www.informationweek.com/news/security/government/232602419): “The top military commander in NATO has been targeted by attackers wielding fake Facebook pages.”
       • Teen Exploits Three Zero-Day Vulns for $60K Win in Google Chrome Hack Contest (http://www.wired.com/threatlevel/2012/03/zero-days-for-chrome/): “The tall teen, who asked to be identified only by his handle ‘Pinkie Pie’ … spent just a week and a half to find the vulnerabilities and craft the exploit, achieving stability only in the last hours of the contest.”
    21. …To Name a Few
    22. TwitBookBlogosphere
    23. Cybersecurity Landscape
    24. People are talking: 6,750,000 results
    25. Point, Click, Hack: “In some scarier than your average security news, thanks to several Program Logic Controllers (PLC) exploits that were added to Metasploit today, ‘hacking SCADA systems can be push of a button easy,’ tweeted HD Moore, CSO of Rapid7 and Chief Architect of Metasploit.” Source: Network World (http://goo.gl/K5xZ7)
    26. Vulnerability Disclosure
    27. Vulnerabilities
    28. Air-Gaps, Unicorns and Bigfoot
    29. 10,000 Reasons to Worry. Source: www.wired.com/threatlevel/2012/01/10000-control-systems-online
    30. Technology Landscape
       • A new digital world order
       • Lingering legacy
       • Widespread connectivity
       • Hyper-embeddedness
       • Cyber-kinetic impacts
    31. Advantage: Adversaries. Intelligent, adaptive adversaries exist, and they don’t follow the rules or compliance checklists.
    32. Advantage: Adversaries
       • Google search for “APT”: 34 hits in Jul 09; 169 hits in Jan 10; 1.2M+ hits June 11
       • Google search for “cyberwar”: 416 hits Dec 09; 1.4M hits Feb 10; 3.4M+ hits June 11
       • Welcome to the cyberarms race
    33. What to do?
    34. Nothing New Under The Sun
       • Mature security practices; highly refined: Defense in Depth; Principle of Least Privilege; Segregation of Duties; Need to Know; Availability, Integrity and Confidentiality
       • No Silver Bullet, 100%, Total Security
       • Strong protection has never been easy, inexpensive or quick to implement (pick two)
    35. Compliance
    36. There ought to be a Law…??? Laws are reactionary, not visionary.
    37. Regulatory Landscape (“Yes, this is an eye-chart to make a point”)
       • Posse Comitatus Act, 18 U.S.C. 1385
       • Antitrust Laws: Sherman Antitrust Act, 15 U.S.C. 1-7; Wilson Tariff Act, 15 U.S.C. 8-11; Clayton Act, 15 U.S.C. 12-27; Section 5 of the Federal Trade Commission (FTC) Act, 15 U.S.C. 45(a)
       • National Institute of Standards and Technology (NIST) Act (p. 13), 15 U.S.C. 271
       • Radio Act of 1912
       • Federal Power Act (p. 13), 16 U.S.C. 791a et seq., 824 et seq.
       • Radio Act of 1927
       • Communications Act of 1934 (p. 14), 47 U.S.C. 151 et seq.
       • National Security Act of 1947 (p. 15), 50 U.S.C. 401 et seq.
       • US Information and Educational Exchange Act of 1948 (Smith-Mundt Act) (p. 15), 22 U.S.C. 1431 et seq.
       • Defense Production Act of 1950, 50 U.S.C. App. 2061 et seq.
       • State Department Basic Authorities Act of 1956 (p. 17), 22 U.S.C. 2651a
       • Brooks Automatic Data Processing Act
       • Freedom of Information Act (FOIA) (p. 17), 5 U.S.C. 552
       • Omnibus Crime Control and Safe Streets Act of 1968 (p. 19), 42 U.S.C. Chapter 46, 3701 to 3797ee-1
       • Racketeer Influenced and Corrupt Organizations Act (RICO) (p. 19), 18 U.S.C. Chapter 96, 1961-1968
       • Federal Advisory Committee Act (p. 20), 5 U.S.C. App., 1-16
       • War Powers Resolution, 50 U.S.C. Chapter 33, 1541-1548
       • Privacy Act of 1974 (p. 20), 5 U.S.C. 552a
       • Foreign Intelligence Surveillance Act of 1978 (FISA), 18 U.S.C. 2511, 2518-9
       • Foreign Intelligence Surveillance Act of 1978 (FISA), 50 U.S.C. Chapter 36, 1801-1885c
       • Privacy Protection Act of 1980, 42 U.S.C. Chapter 21A, 2000aa-5 to 2000aa-12
       • Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (p. 21), 18 U.S.C. 1030
       • Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030
       • Electronic Communications Privacy Act of 1986 (ECPA) (p. 22), 18 U.S.C. 2510-2522, 2701-2712, 3121-3126
       • Department of Defense Appropriations Act, 1987 (p. 24), 10 U.S.C. 167
       • Computer Security Act of 1987, 15 U.S.C. 272, 278g-3, 278g-4, 278h
       • Computer Matching and Privacy Protection Act of 1988, 5 U.S.C. 552a
       • High Performance Computing Act of 1991 (p. 24), 15 U.S.C. Chapter 81
       • Communications Assistance for Law Enforcement Act (CALEA) of 1994 (p. 26), 47 U.S.C. 1001 et seq.
       Source: Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, Eric A. Fischer, Senior Specialist in Science and Technology, December 22, 2011
    38. Regulation is Futile: Regulation kills creativity, innovation, and passion, all of which are needed to achieve success in cybersecurity.
    39. NERC CIP in 30 Seconds
       • CIP-002 - Figure out what needs to be protected
       • CIP-003 - Establish policy and programs
       • CIP-004 - Address personnel issues
       • CIP-005 - Create electronic perimeters
       • CIP-006 - Create physical perimeters
       • CIP-007 - Provide system level security
       • CIP-008 - Figure out how to respond to incidents
       • CIP-009 - Figure out how to recover from
    40. Action vs. Attitude: You can prescribe action, but not attitude.
    41. Activity vs. Outcome: Are we doing/requiring the right things?
    42. Backwards?… Maybe so. Compliance spending is increasing sharply while security spending is increasing slowly. Companies find $$ for compliance while cutting other critical areas.
    43. Leverage NERC CIP
       • CIP spending 25% of IT security budgets
       • Get smarter about spending
       • Integrate decisions (IT – Ops – Compliance)
       • Secure solutions + Compliance
    44. Misthinking: It Can’t Happen
    45. It Can’t Happen: This is nearly always FALSE. Attackers are always seeking (and finding) new ways to compromise technology. Obscurity is not a defense.
    46. DNS Exfiltration: If you can resolve a DNS name on a system… The technique is being actively used in the wild. In many cases, detection is the only defense.
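The detection side of the DNS exfiltration slide, as an added example that is not part of the original presentation: a small Python scanner over DNS query logs that flags a client/domain pair when the names it resolves look like encoded data (many distinct subdomains with long or high-entropy leftmost labels). The log format, the thresholds, the two-label registered-domain rule and the sample traffic (example.com, exfil-demo.test) are all constructed assumptions.

```python
"""DNS exfiltration detection over query logs (added example, not from the
deck). Assumes a constructed log format, one query per line:
"<timestamp> <client_ip> <qname>". The slide's point is that a host able to
resolve names can push data out inside the names, so detection looks at the
names themselves rather than at a blocked connection that never happens."""
import math
from collections import defaultdict

MIN_UNIQUE_SUBDOMAINS = 5   # a tunnel needs many distinct names per domain
LONG_LABEL = 20             # chars; real hostnames are rarely this long
HIGH_ENTROPY = 3.0          # bits/char; encoded data is close to uniform


def shannon_entropy(s: str) -> float:
    """Bits per character (max 4.0 for hex, about 4.7 for base32)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (leftmost_label, registered_domain), or (None, name) if the
    name has no subdomain. Assumption: the registered domain is the last
    two labels; production code needs the public suffix list (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyze(log_lines):
    """Group queries by (client, domain); return the pairs whose subdomains
    look like a data channel, with the statistics that triggered the alert."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # malformed or comment line
        _ts, client, qname = parts
        sub, domain = split_qname(qname)
        if sub is not None:
            seen[(client, domain)].add(sub)

    flagged = {}
    for key, subs in seen.items():
        if len(subs) < MIN_UNIQUE_SUBDOMAINS:
            continue                      # too few names to be a channel
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if avg_len >= LONG_LABEL or avg_ent >= HIGH_ENTROPY:
            flagged[key] = {"unique": len(subs), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2)}
    return flagged


def constructed_sample_log():
    """Constructed traffic: one ordinary client, one client that encodes a
    made-up record as hex and sends it 16 bytes per query."""
    payload = (b"constructed sample record: name=J.Smith acct=0000-0000 "
               b"ssn=000-00-0000 note=not real data")
    chunks = [payload[i:i + 16].hex() for i in range(0, len(payload), 16)]
    benign = ["2012-04-02T10:00:01 10.1.1.5 www.example.com",
              "2012-04-02T10:00:02 10.1.1.5 mail.example.com",
              "2012-04-02T10:00:03 10.1.1.5 www.example.com"]
    exfil = [f"2012-04-02T10:01:{i:02d} 10.1.1.7 {c}.exfil-demo.test"
             for i, c in enumerate(chunks)]
    return benign + exfil
```

Running `analyze(constructed_sample_log())` flags only the 10.1.1.7 / exfil-demo.test pair; in real logs the same thresholds also catch CDNs and anti-spam lookup services that legitimately emit many unique subdomains, so an allowlist of known domains belongs in front of the alert.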
    47. Flank Attacks
       • RSA – Stolen 2-factor auth token data
       • Industrial Espionage/Supply Chain
       • Certificate Authorities
       • Corporate Networks
       • Partner Networks
    48. Organized Attackers
       • Underground markets
       • Criminal infrastructure
       • Botnets
       • Attackers for hire
    49. It Won’t Happen
       • In most cases, this is TRUE, but we don’t know which ones
       • Somebody WILL be compromised.
       • Everybody MIGHT be compromised
       • We are becoming a target
    50. The Wildebeest Defense
       • Yes, there are lions, but there are so many of us that the chances I’ll get eaten are small
       • Can be effective against isolated threats, but doesn’t help against common maladies
       • Doesn’t work if you’re slow or weak
    51. There may be more lions than you think: HBGary, RSA, Sony, Lockheed Martin, NASDAQ
    52. It won’t matter: Kinetic impacts; Economic impacts; Reputational impacts; Others?
    53. What is Critical?
    54. Culturing Security
       • Treat security like safety
       • The basics shouldn’t be magic
       • Distribute the load
       • Security is everyone’s job
       • Social engineering is a waste of time
       • Focus on the solution: training & awareness
    55. No 100% Prevention
    56. And Finally: “The rumors of my death have been greatly exaggerated.” -Mark Twain
    57. Thank You! Steven H Parker, V.P. Technology Research and Projects, EnergySec; Co-Principal Investigator, National Electric Sector Cybersecurity Organization. steve@energysec.org, 503.446.1214 (desk), @es_shp (twitter), www.energysec.org