Saxion Enschedé College Security 2010
    Presentation Transcript

    • Stuxnet: It goan oan
      Ir.drs. J. (Jurgen) van der Vlugt RE CISA, Noordbeek B.V., Jurgen@Noordbeek.com
      6 October 2010, Enschedé
    • Intro: who I am
      • Business economics (Rotterdam, finbel)
      • Technical computer science (Delft; AI)
      • KPMG EDP Auditors / IRM (WinNT, Y2K)
      • Post-graduate IT auditing (VU)
      • Sogeti
      • ABN AMRO (Group Audit, Group Security; projects++, outsourcing, security integration)
      • Noordbeek
      • VU, NOREA (VC, CHBr), ISACA, ISSA (NL, Int'l), PvIB
      (Lecture: Stuxnet: It goan oan / Process IT, 2010 10 06)
    • Agenda
      • Maeslant and the like
      • Process IT
      • Administrative systems and so on
      • Ubiquitous information
    • Dutch Pride (Neerlands Trots) (image slide)
    • Stuxnet
      • In circulation / on the radar since June (?)
      • A great deal of knowledge built into it
      • Team effort
      • Not after credit-card info. Huh?
      • Via USB port
      • Siemens WinCC/PCS7, specific functions
      • September: mainly anti-Iran
      • 'Start-up of nuclear plant postponed'
      • Round up the usual suspects
      • Traces of political messages
      • Israel..? India? USoA? Who?
    • It goat oan
      • Problem: poor control over process IT
      • Known for a long time
      • After bragging rights through defacing
      • And after financial gain through banking trojans
      • Now the third wave
      • "Cyberwarfare"?
    • (Financial gain)
      • No lone wolves
      • An industry:
        • Vuln searchers
        • Exploit developers
        • CC harvesters
        • CC brokers
        • CC smurfers / mules
        • Collectors
        • Hosting / defense
      • Botnets: same
      • Software is copyable…
    • Agenda
      • Maeslant and the like
      • Process IT
      • Administrative systems and so on
      • Ubiquitous information
    • Process IT
      • Rooted in electrical engineering
      • Specialist
      • Critical systems!
    • More (image slide)
    • Control (image slide)
    • Also known as: SCADA
      SCADA = supervisory control and data acquisition.
      • Industrial control systems: computer systems that monitor and control industrial, infrastructure, or facility-based processes, as described below:
      • Industrial processes: manufacturing, production, power generation, fabrication, refining; continuous, batch, repetitive, or discrete modes.
      • Infrastructure, public or private, incl. water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense sirens, and large communication systems.
      • Facilities, public or private, incl. buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.
    • Elements
      • HMI: Human-Machine Interface
        • Monitoring
        • Control
      • Supervisory (computer) system
        • Data acquisition
        • Sending control commands
      • RTUs: Remote Terminal Units
        • Connect sensors in the process
        • Convert sensor signals to digital
        • Send digital signals to the supervisory system
      • PLCs: Programmable Logic Controllers
        • 'Field devices': cheaper and more flexible than special-purpose RTUs
      • Communication devices / cabling
    • SCADA
      Nota bene:
      • PLCs control the standard process
      • RTUs pick up deviations
      • Humans pick up deviations at a higher level (iff)
      • Tag db:
        • Tags/points = monitored I/O value
        • Hard (a single value) / soft (a combination)
        • + timestamp, + metadata
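    The two slides above describe the layering (PLCs run the standard process, RTUs flag deviations, people judge the deviations that reach the supervisory level) and the shape of a tag database (hard tags holding one I/O value, soft tags combining several, each with a timestamp and metadata). The following Python is an added illustration written for this transcript, not code from the lecture or from any SCADA product; the tag names, limits, timestamps and the two alarm levels are constructed for the example. It shows how a historian-style tag store can evaluate soft tags on read, and how a deviation check can separate field-level limit violations on hard tags from the supervisory-level findings (derived values out of range, stale inputs) that an operator has to assess.

```python
# Added example (not from the presentation): a minimal tag database as a SCADA
# historian might keep it, with hard tags (one I/O value each), soft tags
# (combined from other tags), timestamps, metadata, and two-level deviation
# checks. All tag names, limits and timestamps below are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple

SAMPLE_NOW = datetime(2010, 10, 6, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass
class Tag:
    """One point in the tag db: monitored value + timestamp + metadata."""
    name: str
    value: float
    timestamp: datetime
    meta: Dict[str, object] = field(default_factory=dict)  # unit, source, lo, hi


class TagDB:
    def __init__(self) -> None:
        self.hard: Dict[str, Tag] = {}
        # soft tag -> (combining function, input tag names, metadata)
        self.soft: Dict[str, Tuple[Callable[..., float], List[str], Dict[str, object]]] = {}

    def write(self, name: str, value: float, ts: datetime, **meta: object) -> None:
        """Hard tag: a single I/O value as reported by an RTU or PLC."""
        self.hard[name] = Tag(name, value, ts, dict(meta))

    def define_soft(self, name: str, inputs: List[str],
                    fn: Callable[..., float], **meta: object) -> None:
        """Soft tag: a value combined from other tags; evaluated on read."""
        self.soft[name] = (fn, inputs, dict(meta))

    def read(self, name: str) -> Tag:
        if name in self.hard:
            return self.hard[name]
        fn, inputs, meta = self.soft[name]
        parts = [self.read(i) for i in inputs]
        # A soft tag is only as fresh as its oldest input.
        ts = min(p.timestamp for p in parts)
        return Tag(name, fn(*(p.value for p in parts)), ts, meta)

    def all_names(self) -> List[str]:
        return list(self.hard) + list(self.soft)


def check_deviations(db: TagDB, now: datetime,
                     max_age_s: float = 5.0) -> List[Tuple[str, str, str]]:
    """Return (level, tag, reason) alarms.

    'rtu'         : a hard tag outside its lo/hi limits (field-level deviation)
    'supervisory' : a soft tag outside its limits, or any stale tag; these are
                    the deviations the supervisory system / operator must judge.
    """
    alarms: List[Tuple[str, str, str]] = []
    for name in db.all_names():
        tag = db.read(name)
        level = "rtu" if name in db.hard else "supervisory"
        age = (now - tag.timestamp).total_seconds()
        if age > max_age_s:
            alarms.append(("supervisory", name, f"stale ({age:.0f}s old)"))
            continue
        lo, hi = tag.meta.get("lo"), tag.meta.get("hi")
        if lo is not None and tag.value < lo:
            alarms.append((level, name, f"{tag.value:.3g} below lo={lo}"))
        elif hi is not None and tag.value > hi:
            alarms.append((level, name, f"{tag.value:.3g} above hi={hi}"))
    return alarms


def build_sample_db() -> TagDB:
    """Constructed sample: one pump with a derived differential pressure, one tank."""
    db = TagDB()
    db.write("pump1.p_in", 2.1, SAMPLE_NOW, unit="bar", source="RTU-7", lo=1.5, hi=3.0)
    db.write("pump1.p_out", 6.4, SAMPLE_NOW, unit="bar", source="RTU-7", lo=4.0, hi=8.0)
    # Flow reading is 12 s old: the sensor or link has gone quiet.
    db.write("pump1.flow", 0.0, SAMPLE_NOW - timedelta(seconds=12), unit="m3/h", source="RTU-7")
    db.write("tank1.level", 95.0, SAMPLE_NOW, unit="%", source="PLC-3", lo=10.0, hi=90.0)
    # Soft tag: differential pressure across the pump, combined from two hard tags.
    db.define_soft("pump1.dp", ["pump1.p_out", "pump1.p_in"],
                   lambda p_out, p_in: p_out - p_in, unit="bar", lo=2.0, hi=3.5)
    return db


if __name__ == "__main__":
    for level, tag, reason in check_deviations(build_sample_db(), SAMPLE_NOW):
        print(f"[{level:11}] {tag}: {reason}")
```

    Running it yields one field-level alarm (the tank level above its high limit) and two supervisory-level ones: the stale flow reading, and the derived differential pressure that is out of range even though both pressure readings it is built from are individually within their limits. That last case is exactly the kind of deviation the slide assigns to the higher level: no single RTU value is wrong, so only the combined view shows the problem.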
    • Picture (Historian) (image slide)
    • P-roblems
      • No attention to security and authentication in the design, roll-out and operation of current generations of SCADA networks
      • (No) security through obscurity (any more)
      • Reliance on special protocols and proprietary interfaces (still!)
      • 'Physical security is sufficient'
      • 'They are not connected to the Internet'
    • What if it goes wrong
      • Visible?
      • Positive feed-forward?
      • Too late?
      • Is intervention possible?
    • Also: Shattered Shield
      'I Had A Funny Feeling in My Gut', by David Hoffman, Washington Post Foreign Service, Wednesday, February 10, 1999; Page A19
      • It was just past midnight as Stanislav Petrov settled into the commander's chair inside the secret bunker at Serpukhov-15, the installation where the Soviet Union monitored its early-warning satellites over the United States.
      • Then the alarms went off. On the panel in front of him was a red pulsating button. One word flashed: "Start."
      • It was Sept. 26, 1983, and Petrov was playing a principal role in one of the most harrowing incidents of the nuclear age, a false alarm signaling a U.S. missile attack. Although virtually unknown to the West at the time, the false alarm at the closed military facility south of Moscow came during one of the most tense periods of the Cold War. And the episode resonates today because Russia's early-warning system has fewer than half the satellites it did back then, raising the specter of more such dangerous incidents.
      • As Petrov described it in an interview, one of the Soviet satellites sent a signal to the bunker that a nuclear missile attack was underway. The warning system's computer, weighing the signal against static, concluded that a missile had been launched from a base in the United States.
      • The responsibility fell to Petrov, then a 44-year-old lieutenant colonel, to make a decision: Was it for real? Petrov was situated at a critical point in the chain of command, overseeing a staff that monitored incoming signals from the satellites. He reported to superiors at warning-system headquarters; they, in turn, reported to the general staff, which would consult with Soviet leader Yuri Andropov on the possibility of launching a retaliatory attack.
      • Petrov's role was to evaluate the incoming data. At first, the satellite reported that one missile had been launched – then another, and another. Soon, the system was "roaring," he recalled – five Minuteman intercontinental ballistic missiles had been launched, it reported.
      • Despite the electronic evidence, Petrov decided – and advised the others – that the satellite alert was a false alarm, a call that may have averted a nuclear holocaust. But he was relentlessly interrogated afterward, was never rewarded for his decision and today is a long-forgotten pensioner.
    • Agenda
      • Maeslant and the like
      • Process IT
      • Administrative systems and so on
      • Ubiquitous information
    • Traditional (diagram: columns 'Business', Information Mgt, IT; rows Strategic, Tactical, Operational)
    • Information security (diagram: the same columns 'Business', Information Mgt, IT, with IT security placed under IT; rows Strategic, Tactical, Operational)
    • Threats
      • Acts of nature ('Acts of God'): flood, tornado, earthquake, flu pandemic, …
      • Acts of Man
        • With intent?: crackers, fraudsters, activist groups
        • Without intent: reluctance / no time, "Sorry!"
    • Threats
      • Acts of Man
      • Active / passive (staying passive)
      • "I'm sorry" attacks
      • Stupidity
      • 'Operational risks'..!
    • And then: Controls = measures, means of steering
      • Organisational (segregation of duties)
      • Procedural (ticking off reports)
      • Physical (access)
      • IT (…)
      • Money (insurance)
      • In combination (there is no silver bullet!)
    • Controls (protection?)
      • Deterrent
      • Preventive
      • Detective
      • Repressive
      • Limiting and absorbing
      • Corrective and recovering
      • The earlier the better
      • Just better than the neighbours
    • Controls (continued)
      • Traditionally an accountants' hobby, but no longer only for the audit of the annual accounts
      • Language problem: doing it at the operational level ↔ explaining it at management level
      • Modes
      • RBAC
      • Classification
      • Architecture
    • Controls: costs, benefits
      • Damage ↔ cost of controls (direct, indirect, reputation?)
      • Numbers are needed up front!
        • Frequency / probability
        • Impact, damage (2x)
        • Costs → continuous → reporting (nothing noticeable?)
        • Effectiveness
      • FUD may work better after all
    • Where is the control-loop idea?
      • Nowhere. Administrative people don't know it
      • Well, not entirely nowhere…
    • Operational risk management cycle (diagram; labels: Evaluate design & set-up, Analysis, Monitor & react; Operational Risk Management, Problem Management, Incident Management; Inherent risks, Controls (designed, selected for efficiency, tuning), Risk indicators / KRI (mandatory, values), Risk (self-)assessment, Insurance / indemnities, Near misses, Incidents, Process breach, Corrective actions, Audit)
    • Designing controls (image slide)
    • Agenda
      • Maeslant and the like
      • Process IT
      • Administrative systems and so on
      • Ubiquitous information
    • Ubicomp / Ubi Info
    • Ubi problems
      • Who has access to the data, who is in control?
      • Privacy
      • Trawling for patterns (total surveillance)
      • Where's your data…? (Cloud2) Who takes care of it?
    • Ubi problems (II)
      • Recoverability of errors
      • Where do you turn? (Liability for damage?)
      • Whose word counts?
      • Location-based voting by default?
    • How to secure things now?
      • Admin systems: easy in theory. But: theory vs. people?
      • Process IT: dunno. But: …? Action needed!
      • Ubi Info: It goat oan
    • A bit more of the picture (diagram: Citizen, 'Government'?, 'Business', Information Mgt, IT)
    • Agenda
      • Maeslant and the like
      • Process IT
      • Administrative systems and so on
      • Ubiquitous information
      • The End
    • We are moving forward! Questions…?
    • The End