Defending against industrial malware
Published in: Technology


Slide 1: Defending Against Industrial Malware
  Ayed Alqarta | Arabesque Group

Slide 2: Agenda
  • The emergence of new cyber weapons
  • Case study: Stuxnet
  • Industrial malware mitigations
  • SCADA security standards
  • Conclusions

Slide 3: The emergence of new cyber weapons

Slide 4: Stuxnet

Slide 5: "World's First Cyber Weapon"
  • Targets Siemens S7/WinCC products; compromises S7 PLCs to sabotage the physical process
  • Exploited 4 Windows zero-day vulnerabilities
  • Spreads via: USB/removable media; 3 network techniques; S7 project files; WinCC database connections
  • Drivers digitally signed with legitimate (stolen) RealTek and JMicron certificates
  • Installs cleanly on Windows 2000 (W2K) through Windows 7/2008 R2
  • Conventional OS rootkit; detects and avoids major anti-virus products
  • Advanced reverse-engineering protections

Slide 6: How Stuxnet Spreads

Slide 7: Damaging Impact in Four Steps
  To develop protective measures against Stuxnet-like attacks, a basic understanding of the worm's activities is essential. It unfolds its damaging impact in four steps on different layers:
  1. Infection of Windows PCs: Stuxnet utilizes a total of four zero-day exploits of previously unknown vulnerabilities.
  2. Abuse and manipulation of automation software: Stuxnet abuses and manipulates any WinCC databases and STEP 7 project files it finds. It also renames s7otbxdx.dll to s7otbxdsx.dll and replaces it with a DLL of its own.
  3. Injection of malicious code into controllers: the manipulated DLL enables Stuxnet to infiltrate malicious code into the projected PLCs. The malicious code combines denial-of-control and denial-of-view techniques.
  4. Communication with command & control servers on the Internet: infected computers contact C&C servers to upload information collected from the target and its environment; new instructions and updates to the worm can also be received and executed.
Slide 8: Industrial Malware Mitigations

Slide 9: Industrial Malware Mitigations: Secure Enclaves
  • Logically group networks, assets, the operations they perform, and even the users who are responsible for those operations.
  • Perimeter defenses such as firewalls, network IDS and IPS, and router access control lists can be configured to isolate the defined members of an enclave.
  • Enclaves protect the internal systems from insider attacks, or from an attack that somehow circumvents the established perimeter defenses (e.g. USB flash drives).

Slide 10: Industrial Malware Mitigations (cont.): Patch Management
  Establish a patch management enclave to provide an additional barrier between online patch management and the systems requiring upgrades.
  The patch management methodology:
  1. Download the required vendor/application patches
  2. Verify the integrity of these patches and scan them for viruses
  3. Archive the validated files to read-only media
  4. Install the patches on test systems to verify the ramifications of the update
  5. Install on production systems

Slide 11: Patch Management (cont.): Patch Management Methodology

Slide 12: Patch Management (cont.)

Slide 13: Industrial Malware Mitigations (cont.): Blacklisting
  A "blacklist" solution compares the monitored object to a list of what is known to be bad. Traditional HIDS, antivirus and IPS depend on blacklisting.
  Two issues with blacklisting:
  • A blacklist must be continuously updated as new threats are discovered
  • There is no way to detect or block certain attacks such as zero-days (Stuxnet)

Slide 14: Industrial Malware Mitigations (cont.): Application Whitelisting (AWL)
  • Creates a list of what is known to be good and applies very simple logic: if it is not on the list, block it
  • No signatures or virus definitions (Stuxnet lived for a year before it was detected by AV vendors)
  • AWL can block zero-day industrial malware like Stuxnet

Slide 15: AWL (cont.)
  Source: Symantec Security Response, W32.Stuxnet Dossier v1.4
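The "if it is not on the list, block it" logic of slides 14 and 15, applied to the DLL swap described on slide 7, as an added example (not code from the presentation): the allow-list is a name-to-SHA-256 map of a trusted install, the directory layout and file contents are constructed stand-ins, and only the two DLL names come from the slides.

```python
# Added example (not from the slides): a minimal application-whitelisting (AWL)
# check. Assumptions: the allow-list maps file name -> SHA-256 of the trusted copy,
# and any executable not on the list is blocked. DLL names come from slide 7;
# all file contents below are constructed stand-ins, not real binaries.
import hashlib
import os
import tempfile

EXEC_SUFFIXES = (".exe", ".dll", ".sys")

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_allowlist(trusted_dir):
    """Snapshot a known-good install: the 'list of what is known to be good'."""
    return {n: sha256_of(os.path.join(trusted_dir, n))
            for n in os.listdir(trusted_dir) if n.lower().endswith(EXEC_SUFFIXES)}

def check_directory(target_dir, allowlist):
    """Map each executable to 'allow' or 'block:<reason>'. Only a file whose name
    AND hash match the list is allowed; a replaced DLL (hash mismatch) and a
    name that was never whitelisted (e.g. the renamed original) are blocked."""
    verdicts = {}
    for n in sorted(os.listdir(target_dir)):
        if not n.lower().endswith(EXEC_SUFFIXES):
            continue
        digest = sha256_of(os.path.join(target_dir, n))
        if n not in allowlist:
            verdicts[n] = "block:not-whitelisted"
        elif allowlist[n] != digest:
            verdicts[n] = "block:hash-mismatch"
        else:
            verdicts[n] = "allow"
    return verdicts

def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario from slide 7: s7otbxdx.dll renamed to s7otbxdsx.dll
    and a foreign DLL dropped under the original name."""
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as host:
        vendor = b"VENDOR-STEP7-DLL-STANDIN"  # constructed stand-in for the real DLL
        _write(os.path.join(base, "s7otbxdx.dll"), vendor)
        allow = build_allowlist(base)          # baseline taken before infection
        _write(os.path.join(host, "s7otbxdsx.dll"), vendor)    # renamed original
        _write(os.path.join(host, "s7otbxdx.dll"), b"FOREIGN")  # replacement DLL
        _write(os.path.join(host, "readme.txt"), b"not executable, ignored")
        return check_directory(host, allow)
```

Both files end up blocked without any signature: the replacement fails the hash check and the renamed original is simply not on the list.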
Slide 16: Industrial Malware Mitigations: Firewalls
  • Block Internet access from workstations which configure and control PLCs (this prevents any interaction with C&C servers)
  • Block access to Internet hosts with a bad reputation (threat-intelligence feeds and IP blacklists)
  • Block IP addresses which generate abnormal network traffic (external/internal) until you investigate the incident
  • Block connections to unused protocols or services
  • Implement SCADA-aware firewalls to control traffic
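The first four firewall rules on slide 16 expressed as detection logic over firewall log lines, as an added example (not from the presentation): the enclave ranges, the reputation entry, the fan-out threshold and the log lines are all constructed assumptions.

```python
# Added example (not from the slides): the slide's firewall rules expressed as
# detection logic over constructed firewall log lines. Assumptions: PLC
# engineering workstations sit in 10.10.1.0/24, everything internal is in
# 10.10.0.0/16, the reputation blocklist and log lines are constructed, and a
# host talking to more than MAX_DISTINCT_DST destinations counts as abnormal.
import ipaddress
from collections import defaultdict

ENGINEERING_WS = ipaddress.ip_network("10.10.1.0/24")  # workstations that program PLCs
INTERNAL = [ipaddress.ip_network("10.10.0.0/16")]      # anything else is 'the Internet'
BAD_REPUTATION = {"198.51.100.23"}                     # constructed threat-intel entry
ALLOWED_PROTOS = {"s7comm", "modbus"}                  # the only protocols the enclave needs
MAX_DISTINCT_DST = 3

# Constructed log lines: "src dst proto action"
LOG = """\
10.10.1.5 10.10.2.10 s7comm allow
10.10.1.5 203.0.113.80 https allow
10.10.1.7 198.51.100.23 https allow
10.10.1.7 10.10.2.11 telnet allow
10.10.1.9 10.10.2.10 modbus allow
10.10.1.9 10.10.2.11 modbus allow
10.10.1.9 10.10.2.12 modbus allow
10.10.1.9 10.10.2.13 modbus allow
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def analyse(log_text):
    """Return (rule, src, detail) findings; each rule mirrors one bullet on the slide."""
    findings, dst_per_src = [], defaultdict(set)
    for line in log_text.splitlines():
        src, dst, proto, _action = line.split()
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        dst_per_src[src].add(dst)
        if src_ip in ENGINEERING_WS and not is_internal(dst_ip):
            findings.append(("internet-from-engineering-ws", src, dst))  # C&C exposure
        if dst in BAD_REPUTATION:
            findings.append(("bad-reputation-destination", src, dst))
        if proto not in ALLOWED_PROTOS:
            findings.append(("unused-protocol", src, proto))
    for src, dsts in dst_per_src.items():          # "abnormal traffic" heuristic
        if len(dsts) > MAX_DISTINCT_DST:
            findings.append(("abnormal-fan-out", src, str(len(dsts))))
    return findings
```

On the sample log only 10.10.1.9 is flagged solely for fan-out; the other two workstations each trip the Internet, reputation or protocol rule, which is the point at which the slide says to block and investigate.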
Slide 17: SCADA Security Standards

Slide 18: Standards Organizations: North American Reliability Corporation (NERC)
  The North American Reliability Corporation is tasked by the Federal Energy Regulatory Commission (FERC) to ensure the reliability of the bulk power system in North America. NERC enforces several reliability standards, including the reliability standard for Critical Infrastructure Protection (NERC CIP). In addition to these standards, NERC publishes information, assessments and trends concerning bulk power reliability, including research of reliability events as they occur. The NERC CIP standards comprise nine standards documents, all of which are available from NERC's website at:

Slide 19: Standards Organizations (cont.): The United States Nuclear Regulatory Commission (NRC)
  The United States Nuclear Regulatory Commission is responsible for the safe use of radioactive materials, including nuclear power generation and medical applications of radiation. The NRC publishes standards and guidelines for information security, as well as general information and resources about nuclear materials and products, nuclear waste materials, and other concerns.
  NRC Title 10 CFR 73.54: Title 10 of the Code of Federal Regulations, Part 73.54 regulates the "Protection of digital computer and communication systems and networks" used in member nuclear facilities. More information on CFR 73.54 is available from NRC's website at:

Slide 20: Standards Organizations (cont.): NRC RG 5.71
  The United States Nuclear Regulatory Commission's Regulatory Guide 5.71 offers guidance on how to protect digital computer and communication systems and networks. RG 5.71 is not a regulatory standard but rather guidance on how to comply with the standard, which is Title 10 of the Code of Federal Regulations, Part 73.54. Information on RG 5.71 is available from NRC's website at:

Slide 21: Standards Organizations (cont.): United States Department of Homeland Security (DHS)
  The Department of Homeland Security's (DHS) mission is to protect the United States from a variety of threats including (but not limited to) counter-terrorism and cyber security. One area where cyber security concerns and anti-terrorism overlap is in the protection of chemical facilities, which are regulated under the Chemical Facilities Anti-Terrorism Standards (CFATS). CFATS includes a wide range of security controls, which can be measured against a set of Risk-Based Performance Standards (RBPS).
  Chemical Facility Anti-Terrorism Standards: CFATS are published by the United States Department of Homeland Security, and they encompass many areas of chemical manufacturing, distribution and use, including cyber security concerns. More information on CFATS can be found on the DHS website at:

Slide 22: Standards Organizations (cont.): CFATS Risk-Based Performance Standards
  The United States Department of Homeland Security also publishes recommendations in the form of Risk-Based Performance Standards (RBPS) for CFATS. These standards provide guidance for compliance with the Chemical Facility Anti-Terrorism Standards. More information on the CFATS RBPS can be found on the DHS website at:

Slide 23: Standards Organizations (cont.): International Standards Association (ISA)
  The International Standards Association (ISA) and the American National Standards Institute (ANSI) have published three documents concerning industrial network security under the umbrella of ISA-99. These documents are: ANSI/ISA-99.02.01-2009, "Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program"; ANSI/ISA-99.00.01-2007, "Security for Industrial Automation and Control Systems: Concepts, Terminology and Models"; and ANSI/ISA-TR99.00.01-2007, "Security Technologies for Manufacturing and Control Systems." These documents, as well as additional information and resources relevant to ISA-99, are available at the ISA website, at:

Slide 24: Standards Organizations (cont.): The International Standards Organization (ISO) and International Electrotechnical Commission (IEC)
  The International Standards Organization (ISO) and the International Electrotechnical Commission (IEC) produced the ISO/IEC 27002:2005 standard for "Information technology—Security techniques—Code of practice for information security management." While ISO/IEC 27002:2005 does not apply exclusively to SCADA or industrial process control networks, it provides a useful basis for implementing security in industrial networks, and is also heavily referenced by a variety of international standards and guidelines. More information on ISO/IEC 27002:2005 can be found on the ISO website at:

Slide 25: Conclusions
  • Security through obscurity no longer works with SCADA
  • The belief that PLCs are not vulnerable because they are not connected to the Internet is not true
  • SCADA security standards and industrial security solutions can decrease attacks
  • The Stuxnet cyber weapon looks to be one on a production line
Slide 28: Thank You
  Email: @aqarta