Stuxnet: It goan oan
Ir.drs. J. (Jurgen) van der Vlugt RE CISA
Noordbeek B.V.
Jurgen@Noordbeek.com
6 October 2010, Enschedé
Saxion Enschedé College Security 2010
Transcript of "Saxion Enschedé College Security 2010"

Slide 1: Stuxnet: It goan oan (title slide: Ir.drs. J. (Jurgen) van der Vlugt RE CISA, Noordbeek B.V., Jurgen@Noordbeek.com, 6 October 2010, Enschedé)

Slide 2: Intro; me =
• Business economics (Rotterdam, finbel)
• Technical computer science (Delft; KI)
• KPMG EDP Auditors / IRM (WinNT, Y2K)
• Post-graduate IT auditing (VU)
• Sogeti
• ABN AMRO (Group Audit, Group Security; projects++, outsourcing, security integration)
• Noordbeek
• VU, NOREA (VC, CHBr), ISACA, ISSA (NL, Int’l), PvIB

Slide 3: Agenda
• Maeslant and ‫ڈژک‬
• Process IT
• Administrative systems and the like
• Ubiquitous information

Slide 4: Dutch pride

Slide 5: (picture, no text)

Slide 6: Stuxnet
• In circulation / in view since June (?)
• A great deal of knowledge built into it
• Team effort
• Not after credit card information. Huh?
• Via USB port
• Siemens WinCC/PCS7, specific functions
• September:
  • Mainly anti-Iran
  • ‘Start-up of nuclear power plant postponed’
  • Round up the usual suspects
  • Traces of political messages
  • Israel ..? India? USA? Who?

Slide 7: It goat oan
• Problem: poor control of process IT
• Known for a long time
• After bragging rights through defacing
• And after financial gain via banking trojans
• Now the third wave
• “Cyberwarfare”?

Slide 8: (Financial gain)
• No lone wolves
• An industry:
  • Vuln-searchers
  • Exploit developers
  • CC harvesters
  • CC brokers
  • CC smurfers / mules
  • Collectors
  • Hosting / defense
• Botnets: same
• Software is copyable…

Slide 9: Agenda
• Maeslant and ‫ڈژک‬
• Process IT
• Administrative systems and the like
• Ubiquitous information

Slide 10: Process IT
• Rooted in electrical engineering
• Specialist
• Critical systems!

Slide 11: More

Slide 12: Control

Slide 13: Also known as: SCADA
SCADA = supervisory control and data acquisition.
• Industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes, as described below:
  • Industrial processes: manufacturing, production, power generation, fabrication, refining; continuous, batch, repetitive, or discrete modes.
  • Infrastructure, public or private, incl. water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense sirens, and large communication systems.
  • Facilities, public or private, incl. buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.

Slide 14: Elements
• HMI: Human-Machine Interface
  • Monitoring
  • Control
• Supervisory (computer) system
  • Data acquisition
  • Sending control commands
• RTUs: Remote Terminal Units
  • Connect sensors in the process
  • Convert sensor signals to digital
  • Send digital signals to the supervisory system
• PLCs: Programmable Logic Controllers
  • ‘Field devices’: cheaper and more flexible than special-purpose RTUs
• Communication devices/cables

Slide 15: SCADA
Nota bene:
• PLCs control the standard process
• RTUs pick up deviations
• Humans pick up deviations at a higher level (iff)
• Tag db:
  • Tags/points = monitored I/O value
  • Hard (1) / soft (combination)
  • + Timestamp, + Metadata
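A small working model of the tag database and the tiered deviation handling described on slides 14 and 15, added here as an illustration and not part of the original deck: hard tags hold raw I/O samples with timestamp and metadata, a soft tag combines them, and deviations are handled by the PLC within a band, flagged by the RTU/SCADA layer beyond it, and escalated to an operator only if they persist (the slide's "iff"). The tag names, the 10 rpm band and the three-sample persistence threshold are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

@dataclass
class Tag:
    # A historian tag/point: one monitored I/O value with timestamp and metadata
    name: str
    value: float
    ts: datetime
    meta: Dict[str, str] = field(default_factory=dict)

class Historian:
    def __init__(self) -> None:
        self.hard: Dict[str, List[Tag]] = {}                             # hard tags: raw I/O samples
        self.soft: Dict[str, Callable[[Dict[str, float]], float]] = {}   # soft tags: combinations

    def record(self, tag: Tag) -> None:
        self.hard.setdefault(tag.name, []).append(tag)

    def define_soft(self, name: str, fn: Callable[[Dict[str, float]], float]) -> None:
        self.soft[name] = fn

    def snapshot(self, i: int) -> Dict[str, float]:
        # i-th sample of every hard tag, then the soft tags derived from them
        vals = {n: s[i].value for n, s in self.hard.items()}
        for n, fn in self.soft.items():
            vals[n] = fn(vals)
        return vals

def classify(deviations: List[float], band: float, persist: int) -> List[str]:
    # Three tiers: within the band the PLC handles it ("plc"); beyond the band the
    # RTU/SCADA layer flags it ("rtu"); an operator is involved only once the
    # deviation has persisted for `persist` consecutive samples ("operator")
    out, run = [], 0
    for d in deviations:
        run = 0 if abs(d) <= band else run + 1
        out.append("plc" if run == 0 else "operator" if run >= persist else "rtu")
    return out

def demo() -> List[str]:
    # Constructed samples (assumed tag names): a pump drifts away from its setpoint
    h = Historian()
    t0 = datetime(2010, 10, 6, 9, 0, 0)
    rpm = [1000, 1002, 1030, 1045, 1001, 1060, 1062, 1065]
    for i, v in enumerate(rpm):
        ts = t0 + timedelta(seconds=i)
        h.record(Tag("pump_rpm", v, ts, {"unit": "rpm", "source": "PLC1"}))
        h.record(Tag("pump_rpm_sp", 1000.0, ts, {"unit": "rpm", "source": "HMI"}))
    h.define_soft("pump_rpm_dev", lambda v: v["pump_rpm"] - v["pump_rpm_sp"])
    devs = [h.snapshot(i)["pump_rpm_dev"] for i in range(len(rpm))]
    return classify(devs, band=10.0, persist=3)
```

Note that the brief dip back to 1001 rpm resets the persistence counter, so a deviation that comes and goes stays at RTU level; only the sustained drift at the end reaches the operator.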
Slide 16: Picture (Historian)

Slides 17 to 20: (pictures, no text)

Slide 21: P-roblems
• No attention to security and authentication in the design, roll-out and operations of current generations of SCADA networks
• (No) security through obscurity (any more)
• Reliance on special protocols, proprietary interfaces (still!)
• ‘Physical security is sufficient’
• ‘They are not connected to the Internet’

Slide 22: What if it goes wrong
• Visible?
• Positive feedforward?
• Too late?
• Intervention possible?

Slide 23: Also
Shattered Shield
'I Had A Funny Feeling in My Gut' By David Hoffman, Washington Post Foreign Service, Wednesday, February 10, 1999; Page A19
• It was just past midnight as Stanislav Petrov settled into the commander's chair inside the secret bunker at Serpukhov-15, the installation where the Soviet Union monitored its early-warning satellites over the United States.
• Then the alarms went off. On the panel in front of him was a red pulsating button. One word flashed: "Start."
• It was Sept. 26, 1983, and Petrov was playing a principal role in one of the most harrowing incidents of the nuclear age, a false alarm signaling a U.S. missile attack. Although virtually unknown to the West at the time, the false alarm at the closed military facility south of Moscow came during one of the most tense periods of the Cold War. And the episode resonates today because Russia's early-warning system has fewer than half the satellites it did back then, raising the specter of more such dangerous incidents.
• As Petrov described it in an interview, one of the Soviet satellites sent a signal to the bunker that a nuclear missile attack was underway. The warning system's computer, weighing the signal against static, concluded that a missile had been launched from a base in the United States.
• The responsibility fell to Petrov, then a 44-year-old lieutenant colonel, to make a decision: Was it for real? Petrov was situated at a critical point in the chain of command, overseeing a staff that monitored incoming signals from the satellites. He reported to superiors at warning-system headquarters; they, in turn, reported to the general staff, which would consult with Soviet leader Yuri Andropov on the possibility of launching a retaliatory attack.
• Petrov's role was to evaluate the incoming data. At first, the satellite reported that one missile had been launched – then another, and another. Soon, the system was "roaring," he recalled – five Minuteman intercontinental ballistic missiles had been launched, it reported.
• Despite the electronic evidence, Petrov decided – and advised the others – that the satellite alert was a false alarm, a call that may have averted a nuclear holocaust. But he was relentlessly interrogated afterward, was never rewarded for his decision and today is a long-forgotten pensioner.

Slide 24: Agenda
• Maeslant and ‫ڈژک‬
• Process IT
• Administrative systems and the like
• Ubiquitous information

Slide 25: Traditional
(Diagram: columns ‘Business’ | Information Mgt | IT; rows Strat | Tact | Oper)

Slide 26: Information security
(Diagram: columns ‘Business’ | Information Mgt | IT; rows Strat | Tact | Oper; IT security marked as a sub-area)

Slide 27: Threats … Sorry!
(Diagram)
• Acts of nature (‘Acts of God’): Flood, Tornado, Earthquake, Flu pandemic
• Acts of Man:
  • Intentional: Crackers, Fraudsters, Activist groups
  • Unintentional: Reluctance / No time?

Slide 28: Threats
• Acts of Man
• Active / Passive (remaining so)
• I’m-sorry attacks
• Stupidity
• ‘Operational risks’..!

Slide 29: And then: Controls
= Measures, means of adjustment
• Organisational (segregation of duties)
• Procedural (ticking off reports)
• Physical (access)
• IT (…)
• Money (insurance)
• In combination (There is no silver bullet!)

Slide 30: Controls (protection?)
• Deterrent
• Preventive,
• Detective,
• Repressive,
• Limiting and containing,
• Corrective and recovering
• The earlier the better
• Just better than the neighbours

Slide 31: Controls (continued)
• Traditionally: an accountants’ hobby, but no longer solely for the financial statement audit
• Language problem: doing it at operational level ↔ explaining it at management level
• Modes
• RBAC
• Classification
• Architecture

Slide 32: Controls: costs, benefits
• Damage ↔ cost of controls (direct, indirect, reputation?)
• Figures needed beforehand!
  • Frequency / probability
  • Impact, damage (2x)
  • Costs → continuous → report (nothing noticeable?)
  • Effectiveness
• FUD may work better after all

Slide 33: Where is the control-loop idea?
• Nowhere. Administrative people do not know it
• Well, not entirely nowhere…

Slide 34: (Diagram: Operational Risk Management loop)
• Boxes: Evaluate design & set-up; Analysis; Monitor & react; Incident Mgt; CLD; Insurance Mgt; KRI (Mgt); (K)ORC (Mgt); R(S)A (+Audit); ORAP; Process; Problem Mgt
• Flows and labels: Designed, Selected for efficiency; Tuning, Mandatory; Near misses; KRI values; Corrective actions; Incidents; Indemnities; Controls; Risk indicators; Incidents for analysis (Problems); Inherent risks; Breach

Slide 35: Designing controls

Slide 36: Agenda
• Maeslant and ‫ڈژک‬
• Process IT
• Administrative systems and the like
• Ubiquitous information

Slide 37: Ubicomp / Ubi Info

Slide 38: Ubi problems
• Who has access to the data, who is in control?
• Privacy
• Trawling for patterns (total surveillance)
• Where’s your data …? (Cloud2), Who takes care of it?

Slide 39: Ubi problems (II)
• Recoverability of errors
• Where do you have to go? (Liability for damage?)
• Whose word counts?
• Location-based voting by default?

Slide 40: How to secure now?
• Admin systems: easy in theory. But: theory vs people?
• Process IT: Dunno. But: …? Action needed!
• Ubi Info: It goat oan

Slide 41: A bit more in view
(Diagram: ‘Business’ | Information Mgt | IT | ‘Government’? | Citizen)

Slide 42: Agenda
• Maeslant and ‫ڈژک‬
• Process IT
• Administrative systems and the like
• Ubiquitous information
• The End

Slide 43: Questions …?
We are moving forward!

Slide 44: The End