• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Symposium 2011 Govcert.nl decade of challenges presentatie ronald heil kpmg
 

Symposium 2011 Govcert.nl decade of challenges presentatie ronald heil kpmg

on

  • 281 views

This year's theme was 'Decade of Challenges’. As Cyber Security and Incident Response Team, we have been making efforts for the last ten years to create a secure cyber society in cooperation with ...

This year's theme was 'Decade of Challenges’. As Cyber Security and Incident Response Team, we have been making efforts for the last ten years to create a secure cyber society in cooperation with the CERT community. The 'change' we have all been working so hard to achieve is now bearing fruit. The raison d'être of an organisation such as GOVCERT.NL is now undisputed.

Our 10th symposium, addressed the past, the present and the future of digital security. The programme itself provided something of interest to all attendees, from technicians and scientists to policymakers, through plenary and parallel sessions. The symposium offered a variety of topics, presented by inspiring speakers and leading experts in the field and a lot of opportunities to network with the national and international participants.

Statistics

Views

Total Views
281
Views on SlideShare
281
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Symposium 2011 Govcert.nl decade of challenges presentatie ronald heil kpmg Symposium 2011 Govcert.nl decade of challenges presentatie ronald heil kpmg Presentation Transcript

    • Process Control NetworksInsights in our experience and somesurprisingly unexpected “features”Rotterdam – 15 November 11.50 – 12.40Ronald Heil
    • Agenda  Speaker Introduction  Process Control Systems  Unexpected “features” – project Wall-E  Lessons learned  Q&A© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Speaker IntroductionKPMG IT Advisory, The Netherlands Team ICT Security & Control (ISC)ir. Ronald Heil MSc. CISSP CISA − Senior Manager @ team ISC − Specialises in providing technical advisory and audit services, penetration tests and technical studies. − Helps companies with information protection and security monitoring − Security Awareness trainings / workshops Why me? − Involved as ethical hacker on “red cell” testing on large scale / multinational infrastructure environments that are thought to be “protected”. − Performed a complex penetration test at one of the world largest new built refinery in the Middle East, tested on all layers from the access domains (office to reporting servers), to all the 4 underlying PCD layers. − Expanding KPMG’s global effort on PCD security. − Involved with worldwide testing of retail systems that have a similar network and communication structure as PCD systems (as vendors are often expanding markets).© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Process Control Systems – 101Assumption : you already have (some) knowledge about Process Control Systems?! Source: siemens.com© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Process Control System (Failure) • These systems can be found throughout our industries and live – from power plants, refineries to water processing facilities, to for example traffic light controlling. • Despite the importance the state of security of those crucial components is often not (or should we say almost never) what should be expected.
    • Can that happen? in our real world? I was under the impression that those critical systems would be protected. Not? The state of security of the crucial process control networks and components is often not what should be expected. Caused by amongst others rapid innovation, technology integration, automation and a lack of security focus on the layers: people, process and technology© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International 5Cooperative (“KPMG International”), a Swiss entity.
    • Lets start with insights from a different perspectiveProject “Wall-E”© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • New building© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Advanced Building Management System[ removed in shared version ]© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • What is wrong with it? ? ? ? It has weak It controls It is connected to passwords like everything (let me the Internet admin/admin repeat everything) in the building© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • What is wrong with it? It is connected to It has weak It controls the Internet passwords like everything (let me admin/admin repeat everything) in the building© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • New building … we added some lines© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Project “Wall-E” – phase 1Challenges:  The interface is a difficult Java applet  Communicating to a back-end Java environment We are ready to test at night!Solution:  Many hours of after office hours / night research  Dozens of pizzas, other food and gallons of coffee and more food and coffee  Basically rewriting a complete front-end engine but now with us in control© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • [ removed in shared version ]© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Project “Wall-E” – phase 2Solution:  As we were full administrator we could have disabled the configured time limitations. But as ethical hacker, didn’t want to make changes to the actual configuration.  Another option was to focus on the administration interface that is always onChallenges:  We again had to deal with the difficult Java applets and underlying interfaces  It can’t control the lights directly but can read the status of everything  Could it also be “used” to control?Wait....  By setting the right circumstances we can directly communicate with the core building management digital bus (the network that controls lights, fans, heating, power, etc. in the building...) and that over the Internet! No? YES!!!© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Project “Wall-E” – phase 2Solution:  As we were full administrator we could have disabled the configured time limitations. But as ethical hacker, didn’t want to make changes to the actual configuration.  Another option was to focus on the administration interface that is always onChallenges:  We again had to deal with the difficult Java applets and underlying interfaces  It can’t control the lights directly but can read the status of everything  Could it also be “used” to control?Wait....  By setting the right circumstances we can directly communicate with the core building management digital bus (the network that controls lights, fans, heating, power, etc. in the building...) and that over the Internet! No? YES!!!© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • 40000+ sensors and controls…you like puzzles? [ removed in shared version ] Verdieping Kamer 6 7 8 9_aan_uit 9_intensiteit 10 11 12 19 47445 44388 - - - - - 18 47363 en 47271 44296 en 44204 41321 38345 35278 32211 - 17 47197 44112 41229 38254 35187 32120 - 16 - - 41137 38162 35095 32028 27333 15 47087 44020 41045 38070 35003 31936 27242 14 46995 43928 - - - - 27151 13 46903 43836 40935 37978 34911 31844 27060 12 46811 43744 40861 37886 34819 31752 - 11 46719 43652 40769 38162 38150 34727 31660 26969 en 26878 10 46626 43559 40677 37702 37690 34635 31568 26787 en 26696 9 46534 43467 40585 37610 34543 31476 26605 8 46442 43375 40492 37518 37506 34451 31348 26514 7 46350 en 46258 43283 en 43191 40400 37425 34358 31291 26423 6 - 42363 40308 37333 37321 34266 31199 26332 5 46166 43099 40216 37241 37229 34174 31107 26241 4 46074 43007 40124 37149 37137 34082 31015 26150 3 45982 42915 40032 37057 37045 33990 30923 26059 2 45798 42731 39940 36965 33898 30831 25968 1 - - 39848 36873 33806 30739 25877© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • © 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • © 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • The Building Management System:What went wrong?• There was (initial) segregation of functionality but weak administration passwords• Security through obscurity?• The same interfaces used for reading data were also capable to send control messages• Despite “layers” of web and application server, the control bus is in effect directly connected to the Internet• No security monitoring• Not even part of (IT) security processes One of the most unexpected results was the fact that despite the multiple layers and access control, the layer with the control interfaces was reachable from the Internet© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International 19Cooperative (“KPMG International”), a Swiss entity.
    • The building management system... ... and process control systems Do you see the similarity? We are still busy expanding awareness on Process Control Systems security, but we are actually not always aware where those systems are located. It is easy to forgot many important systems that are part of our daily lives...© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International 20Cooperative (“KPMG International”), a Swiss entity.
    • Today’s threats are real and happening to all of us Global Energy Cyber attacks “Night Stuxnet Dragon” Dedicated malicious software to harm Starting in November 2009, specific PCD components, specifically coordinated covert and targeted nuclear centrifuges. cyberattacks have been conducted against global oil, energy, and Duqu petrochemical companies. These Duqu virus/malware aiming at Iran attacks have involved…. nuclear sites. By McAfee® Foundstone® Professional Services and McAfee Labs™ February 10, 2011 Who is next? You? More and more process control networks become (inter)connected More and more regular IT components Cybercrime is increasing Including dedicated state-of-the-art attacks on PCD (e.g. Stuxnet, Duqu)© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International 21Cooperative (“KPMG International”), a Swiss entity.
    • New developments Functionality changes Wireless connectivity© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • New developments…connectivity old situation© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • New developments…connectivity new situation Risk Risk Risk Risk Risk Risk© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG InternationalCooperative (“KPMG International”), a Swiss entity.
    • Insights… Missing patches  Security based on 64 character keys − MS08-067 provides direct administrative access − Why should we protect the mobile operator station (pda, laptop, etc.)? Weak passwords − Isn’t “admin” considered a strong password?  Vendors and on-site contractors − Have their own room…directly connected to level 1,2,3 and 4. − Maybe we should use space? Yes security! Unprotected interfaces − Have direct connections to level 1 devices for status, support − Why should you put a password on VNC or HMI application? and maintenance…but that is proprietary protocols…secure − Anything about LAC / RBAC?  Segmentation New technologies − Firewalls are based on inbound, not outbound security. Enabling a nice reverse exploit all the way from level 1 back to − Wireless? Directly connected to layer 1 (lets jeopardize the the office network crossing 6 layers investment of 5 security layers) − Sophisticated layers in place, but security between the layers − Dumb controllers become smart (read have Windows based on rough IP blocks with no limitation on service XP)…but we humans are not smart enough to recognise ports…that is equal to almost no security in place. Anti-virus / Malware  Development − 2004 outdated? Really? − Lets directly migrate from the − Malware doesn’t get here…but USB sticks and PDF does unprotected development lab to − Or even not allowed to install the field. Security based on certificates. Sounds good…. − But please do not store the private keys on a public share© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International 25Cooperative (“KPMG International”), a Swiss entity.
    • Process Control Security – at the layers People, Process and Technology  Security is highly interdependent  No weak links allowed Proper People  Information security is a joint effort governance  Know what you need to monitor  Prevent information overload Monitoring and Process  Quick reaction is key follow-up  Protect all logical access paths Segmentation Technology  Apply network segmentation and endpoint  Endpoint protection is crucial protection© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International 26Cooperative (“KPMG International”), a Swiss entity.
    • Question / Answers – KPMG Key Contact DetailsThank you for your attention!.Please feel free to contact us for further information on process control security, both audit and advisory. Ronald Heil Senior Manager KPMG IT Advisory Laan van Langerhuize 1 1186 DS Amstelveen The Netherlands Tel: +31 6 51369785 Email: heil.ronald@kpmg.nl© 2011 KPMG Advisory N.V., the Dutch member firm of KPMG International Cooperative (“KPMG International”), aSwiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International 27Cooperative (“KPMG International”), a Swiss entity.
    • © 2011 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. Printed in the Netherlands. The KPMG name, logo and ‘cutting through complexity’ are registered trademarks of KPMG International Cooperative.The KPMG name, logo and ‘cutting through complexity’ are registered trademarks or trademarks of KPMG International Cooperative (KPMG International).