2012 Reenergize the Americas 3B: Angel Avila
Transcript of "2012 Reenergize the Americas 3B: Angel Avila"

  1. Threats to Industrial Control Networks
     Defensive Network Security Consultants (DNSC), LLC
     17 October 2012
  2. Contact Information
     Angel E. Avila, CISSP, CISA, CEPT, C|EH, CompTIA Sec+
     E-mail: angel.e.avila@dnsc-cyber.com
     http://www.dnsc-cyber.com
     PH: 915-247-8978
  3. DNSC Background
     • Computer Security Professionals (8 years)
       – Specializing in Penetration Testing, Vulnerability Assessments, Compliance and Auditing
     • Experience working on Government (DoD) and Private Industry systems
     • Certifications:
       – Certified Information Systems Security Professional (CISSP)
       – Certified Information Systems Auditor (CISA)
       – Certified Ethical Hacker (C|EH)
       – Certified Ethical Penetration Tester (CEPT)
       – Certified Information Systems Manager (CISM)
       – Certified Penetration Tester (CPT)
       – CompTIA Security+
  4. Objective
     • The intent of this brief is to raise awareness among the energy community of some of the current threats that are targeting Industrial Control (IC) networks, including the Smart Grid, and of the importance of developing secure critical infrastructure.
  5. Why should we care?
     • "An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches," Mr. Panetta said. "They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country." [1]
     • Successful attacks against critical infrastructure assets can potentially lead to loss of life, and life as we know it.
     1. Bumiller, Elisabeth; Shanker, Thomas. "Panetta Warns of Dire Threat of Cyberattack on U.S." New York Times on the Web, 11 Oct. 2012. Accessed 15 Oct. 2012. <http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html?_r=0s>
  6. IC Network Overview
     Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.
  7. Common Mistakes
     • Overconfidence: Systems 100% secure
     • Refusal to recognize threats: It can't happen to me
     • Air Gap myth: Systems not connected to IT network/Internet
     • Executive override
       – "Intentional" security holes for legitimate business purposes
     • "Set it and forget it"
     • Default accounts & passwords
     • Lack of authentication
     • Inbound/outbound traffic
     • Compliance != Secure
  8. Adversary
     • Cyber Threat Expertise
       – Novice: An adversary with no training, only using open-source (freely available) tools
       – Intermediate: An adversary with some training, some level of funding, uses tools either purchased or traded on-line
       – Expert: An adversary with a mature skill set who uses custom, open source, and purchased tools
     • Foreign sponsored
     • Hacktivist
  9. Threats to IC Networks
     • Advanced Persistent Threat (APT)
       – Adversary with sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception)
         • Maintains a foothold in order to conduct directed malicious objectives against the target
         • Ex: Stuxnet, a worm targeting Iranian nuclear reactor machinery
       – Driven by either government agencies or terrorist organizations
         • APTs pursue their objectives repeatedly over an extended period of time while countering the victim's mitigation attempts
     Definition as given in NIST Special Publication 800-39, Managing Information Security Risk
  10. Threats to IC Networks (cont.)
     • Cyber Threats
       – Identified as malicious efforts directed at gaining access to, exfiltrating from, manipulating data on, or denying service to information systems (IS)
       – Directed attacks against confidentiality, integrity, and availability (CIA)
       – Cyber threats can come from anyone
     • Supply Chain Threat
       – Refers to embedded code being inserted into devices before they reach you
       – Do you know who is developing your devices?
  11. Threats to IC Networks (cont.)
     • Outsider Threat
       – No credentials, no physical access to the target network
       – Ex: Hacktivists, Foreign States, Terrorist Organizations, Script Kiddies
     • Nearsider Threat
       – No credentials, but has physical access to the target network
       – Ex: Cleaning crew, delivery personnel
     • Insider Threat
       – Has user and/or root-level credentials on the target network
       – Ex: Disgruntled employee (users/administrators)
  12. IC Network Overview
     Figure labels: Outsider/Cyber Threats; Insider/Nearsider Threats; Advanced Persistent Threat
     Figure adapted from: Eric D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems, Syngress, 2011.
  13. Attack Vectors
     • Web
       – SQL Injection
       – Broken authentication and session management
         • https://www.owasp.org/index.php/Top_10_2010-Main
     • Wireless
       – Use of weak wireless algorithms WEP and WPA
     • Bad Security Practices
       – HBGary and Anonymous incident
         • http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
     • Social Networking
       – Facebook
  14. Attack Vectors (cont.)
     • SCADA Protocols
       – Lack of authentication
       – Lack of encryption
     • SCADA Systems
       – Sinapsi eSolar Light Photovoltaic System Monitor
       – Authentication can be bypassed using hard-coded credentials, and the system is vulnerable to SQL injection
         • Also affects other solar panel control systems
         • ICS-ALERT-12-284-01
     • Control systems
       – Shodan, a search engine that can be used to identify Internet-facing control systems
         • ICS-ALERT-11-343-01
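The two weaknesses named above for the eSolar monitor, a hard-coded credential and a login query built from user input, are shown below next to a hardened handler that binds parameters, stores a salted hash and has no shared secret. This is an added example written for this page, not code from the product or from the ICS alert; the table layout, the `support`/`s3rvice` service account and the `correct horse` password are constructed stand-ins. A tautology placed in the password field makes the vulnerable query match every row, while the hardened handler rejects it.

```python
import hashlib, hmac, os, sqlite3

def make_db():
    """Constructed in-memory backend: a legacy table with plaintext passwords (what the
    vulnerable handler queries) and a salted-hash table used by the hardened handler."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE legacy_users (name TEXT, password TEXT)")
    db.execute("INSERT INTO legacy_users VALUES ('operator', 'correct horse')")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("operator", salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000)))
    return db

# ---- Vulnerable handler: a baked-in service account plus a string-built query ----
SUPPORT_USER, SUPPORT_PASS = "support", "s3rvice"   # constructed stand-in for a hard-coded credential

def login_vulnerable(db, name, password):
    if name == SUPPORT_USER and password == SUPPORT_PASS:   # identical on every shipped unit
        return True
    sql = f"SELECT COUNT(*) FROM legacy_users WHERE name = '{name}' AND password = '{password}'"
    return db.execute(sql).fetchone()[0] > 0   # attacker-controlled text becomes part of the SQL

# ---- Hardened handler: bound parameters, salted PBKDF2 hash, constant-time compare ----
def login_hardened(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)
```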
  15. Attack Vectors (cont.)
     • How can I traverse through the Smart Grid?
       – Advanced Meter Infrastructure (AMI): smart meters can be shut down through the optical port
         • D. Weber, "Looking into the Eye of the Meter". BlackHat 2012.
       – More than 40 million ZigBee electric meters are deployed, concentrated in Texas, California, Michigan, and Virginia.
         • ZigBee Alliance: Heile, Bob, https://docs.zigbee.org/zigbee-docs/dcn/10-6056.pdf
  16. Attack Vectors (cont.)
     Smart Grid using ZigBee Home Area Network (HAN)
     • AMI provides the ability to remotely control devices in the HAN
       – Turn off lights, raise the thermostat, etc.
     • Detailed energy use is collected over regular time intervals
       – Consumers can view energy usage in real time
     • ZigBee is being used in HANs within the Smart Grid
       – Sniffing traffic
       – Replay attacks
       – Denial-of-Service
  17. Conclusion
     • Real-world threats are constantly trying to exploit various IC installations
     • Reliability vs. Security
     • Awareness and being proactive help reduce the risk of your network being exploited
  18. Questions
     • ??
  19. Contact Information
     • Angel E. Avila, CISSP, CISA, C|EH, CEPT, CompTIA Security+: angel.e.avila@dnsc-cyber.com
     • Richard G. Coy, CISSP, CISA, C|EH, CPT, CEPT: richard.g.coy@dnsc-cyber.com
     • Francisco J. Leyva, CISSP, CISA, C|EH, CISM, CEPT: francisco.j.leyva@dnsc-cyber.com
     • Humberto Mendoza, CISSP, CISA, C|EH, CISM, CEPT: humberto.mendoza@dnsc-cyber.com
     • Daniel Chacon, CISSP, CISSA, C|EH, CISM, CEPT: daniel.chacon@dnsc-cyber.com
     http://www.dnsc-cyber.com
  20. Backup
  21. Attack Vectors (cont.)
     • ZigBee Overview
       – Low power (long battery life), low data rate wireless protocol
       – 250 Kbps throughput rate (low data rate)
       – Short range (10 – 100 meters)
       – Supports star and mesh network topologies
       – Nodes are easily added to and removed from the network
     • Why ZigBee?
       – Wi-Fi transceivers are more expensive and need more power to operate
       – Bluetooth, as a Frequency Hopping Spread Spectrum technology, requires more power to operate
       – ZigBee consumes less power than Wi-Fi and Bluetooth
       – ZigBee was designed specifically for monitoring and automation
       – ZigBee is a good solution for smart meters in Advanced Meter Infrastructure (AMI)
  22. Attack Vectors (cont.)
     • ZigBee Exploitation using KillerBee[1]
       – zbid: list available ZigBee devices connected to the PC
       – zbdump: "tcpdump -w" clone for capturing ZigBee traffic
       – zbconvert: convert capture file formats
       – zbreplay: replay attack
       – zbdsniff: over-the-air (OTA) crypto key sniffer
       – zbfind: GUI for locating ZigBee networks
       – zbgoodfind: search a memory dump for the crypto key
       – zbassocflood: association flood attack (DoS)
       – Spoofing attacks when used with a Software Defined Radio
     1. KillerBee: Wright, Joshua, http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
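The association flood listed above (and the ZigBee Denial-of-Service bullet on slide 16) is visible to a HAN coordinator as a burst of never-seen 64-bit addresses asking to join. As an added example, not part of the original deck and not KillerBee code, the detector below parses raw IEEE 802.15.4 MAC headers from a sniffer capture and alerts when one coordinator receives association requests from more than a threshold of distinct sources inside a sliding time window; the PAN ID, addresses and timestamps in SAMPLE are constructed.

```python
import struct
from collections import defaultdict, deque

FT_MAC_COMMAND = 3                   # IEEE 802.15.4 frame type: MAC command
CMD_ASSOC_REQUEST = 0x01             # MAC command identifier: association request
ADDR_LEN = {0: 0, 1: 0, 2: 2, 3: 8}  # addressing mode -> address length (1 is reserved)

def parse_mac_frame(raw):
    """Minimal IEEE 802.15.4 MAC header parser (FCS already stripped by the sniffer)."""
    fcf, seq = struct.unpack_from("<HB", raw, 0)
    ftype, pan_compress = fcf & 0x7, bool(fcf & 0x40)
    dst_mode, src_mode = (fcf >> 10) & 0x3, (fcf >> 14) & 0x3
    off, dst_pan, dst, src = 3, None, None, None
    if dst_mode:
        dst_pan = struct.unpack_from("<H", raw, off)[0]
        dst = int.from_bytes(raw[off + 2:off + 2 + ADDR_LEN[dst_mode]], "little")
        off += 2 + ADDR_LEN[dst_mode]
    if src_mode:
        off += 0 if pan_compress else 2          # skip the source PAN ID when present
        src = int.from_bytes(raw[off:off + ADDR_LEN[src_mode]], "little")
        off += ADDR_LEN[src_mode]
    cmd = raw[off] if ftype == FT_MAC_COMMAND and off < len(raw) else None
    return {"type": ftype, "seq": seq, "dst_pan": dst_pan, "dst": dst, "src": src, "cmd": cmd}

def detect_assoc_flood(frames, window=5.0, max_distinct=8):
    """frames: iterable of (timestamp, raw_bytes). Flags a coordinator that sees association
    requests from more than max_distinct different 64-bit sources within `window` seconds."""
    recent, alerts = defaultdict(deque), []      # (dst_pan, dst) -> deque of (ts, src)
    for ts, raw in frames:
        f = parse_mac_frame(raw)
        if f["cmd"] != CMD_ASSOC_REQUEST:
            continue
        key = (f["dst_pan"], f["dst"])
        q = recent[key]
        q.append((ts, f["src"]))
        while ts - q[0][0] > window:             # drop requests that fell out of the window
            q.popleft()
        distinct = len({s for _, s in q})
        if distinct > max_distinct and not any(a[0] == key for a in alerts):
            alerts.append((key, distinct, ts))   # one alert per coordinator under attack
    return alerts

def build_assoc_request(seq, dst_pan, coordinator, src_ext):
    """Constructed frame: FCF 0xC823 = MAC command, ack request, short dst, extended src."""
    hdr = struct.pack("<HBHHHQ", 0xC823, seq, dst_pan, coordinator, 0xFFFF, src_ext)
    return hdr + bytes([CMD_ASSOC_REQUEST, 0x80])  # source PAN 0xFFFF, capability info 0x80
# Constructed traffic: one legitimate join at t=0, then 20 spoofed joiners within 2 seconds.
SAMPLE = [(0.0, build_assoc_request(1, 0x1234, 0x0000, 0x00124B0001020304))] + [
    (10.0 + i * 0.1, build_assoc_request(i, 0x1234, 0x0000, 0xDEAD0000 + i)) for i in range(20)]
```

Real HAN devices rejoin rarely and from stable addresses, so a low threshold is safe; the same parser can feed a frame-counter check for the replay attacks listed on slide 16.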
  23. Attack Vectors (cont.)
     • ZigBee Security
       – KillerBee[1] is an open source tool suite used to test and exploit ZigBee networks
       – The hacker community has made many software modifications to the KillerBee[1] tool suite
       – The KillerBee[1] firmware is flashed onto an RZUSB ($40.00) through a Joint Test Action Group (JTAG) interface
         • AVR JTAG ICE mkII ($300.00) used to flash the RZUSB
     Figure labels: AVR JTAG ICE; RZUSB; Programmer
     1. KillerBee: Wright, Joshua, http://www.willhackforsushi.com/presentations/toorcon11-wright.pdf
  24. Attack Vectors (cont.)
     Smart Grid using ZigBee Home Area Network (HAN)
     • Problem: Demand for power exceeds the supply
     • AMI provides the ability to remotely control devices in the HAN
       – Turn off lights, raise the thermostat, etc.
     • Detailed energy use is collected over regular time intervals
       – Consumers can view energy usage in real time
     • Consumers can adjust power use to reduce cost
     • Utility companies can better manage supply and demand