
Understanding Cyber Industrial Controls in the Manufacturing and Utilities Environment


"Understanding Cyber Industrial Controls in the Manufacturing and Utilities Environment," By Dr. John Naber, Co-Founder & Partner in True Secure SCADA, which is KY-based and holds 2 key patents in this area. This was given at the TALK Cybersecurity Summit 2018 in Louisville, KY.


  1. Understanding Cyber-Industrial Controls in the Manufacturing and Utilities Environment
     Dr. John Naber, Dr. Jim Graham and Dr. Jeff Hieb of True Secure SCADA
     6-14-18 Cybersecurity Summit
  2. Background of True Secure – What we do
     • Kentucky-based start-up incorporated in 2013, based on 10 years of research performed at UofL in the cyber-security area
     • $1.5M in federal and state grants for cyber-security research prior to 2013
     • $200K in SBIR funding from DARPA and the KY State Match program to develop the current prototypes of advanced ICS firewalls for protecting manufacturing equipment and utilities
  3. Background of True Secure – Who we are
     • Dr. Jeff Hieb » Software & SCADA
       • 10 yrs running a manufacturing plant
       • Custom software for secure microprocessors using seL4
       • Full-time, UofL Speed School of Engineering (SSoE)
     • Dr. Jim Graham » Computers & SCADA
       • 4 yrs in industry working for GM
       • 20 yrs doing research in advanced cybersecurity using secure microprocessors
       • CEO, True Secure SCADA
     • Dr. John Naber » Hardware
       • Founder of 6 startups
       • 10 yrs in industry as a chip designer
       • Assenti, IntelliRod, GE advanced projects, TSS …
       • Full-time, SSoE
  4. Problem
     Many active ICS and SCADA systems are vulnerable to cyber-attacks.
     Attacks are increasing¹:
     • 110% increase in ICS attacks from 2015 to 2016
     • 636% increase in attacks on SCADA systems from 2012 to 2014
     Some companies use industrial firewalls like the ones sold by Tofino.
     Most companies using ICS have serious cyber-security flaws²:
     • 33% of industrial sites are connected to the public Internet
     • 75% of ICS sites have legacy Windows boxes for which Microsoft no longer provides security patches
     • 60% have passwords traversing process and control networks in plain text
     • 50% of industrial sites aren't running any antivirus protection
     • 82% are running remote management protocols (RDP, VNC, SSH, etc.), making it easier to perform cyber reconnaissance
     ¹ David McMillan, IBM Managed Security Services, October 2015
     ² SCADA Security Report from Cyberx-Labs, 2017
  5. Control System Vulnerabilities
     • Networks are no longer isolated
     • Use of commercial hardware and software, including TCP/IP, Windows and Linux
       • Especially unsupported OSs like Windows XP
     • SCADA protocols lack security
     • Long deployment lifetime: typical 10 to 30 year life cycle
     • Little intrusion detection/prevention at the field device level
     • Security patches not promptly applied, if at all
     • Poor authentication: no passwords on many ICS installs
  6. Example #1: ICS Attacks on Electric Utilities
     • On December 23, 2015 at around 5:00 P.M.:
       • More than 200,000 people in Ukraine experienced a severe power blackout.
       • 80,000 people went without power for at least 10 hrs.
     • The blackout was caused by a deliberate cyber attack on the control systems of the Ukrainian power utilities.
     • The malware used was called "Black Energy 3".
     • It gained access to the process network through compromised credentials.
     • It gave the external hackers control of the generators, which they then shut down.
  7. Example #2: ICS Attacks on Dams
     "A Dam, Small and Unsung, Is Caught Up in an Iranian Hacking Case", by Joseph Berger, March 25, 2016
     Reported March 25, 2016: 7 Iranians charged in cyberattack on NY dam
     • Hackers used 1000s of computers infected with malware to attack the dam and financial institutions with a Denial of Service (DoS) attack.
     • Windows and Linux operating systems can be vulnerable to this type of attack.
  8. Example #3: ICS Attacks on Water & Sewage Plants
     Maroochy Shire Sewage Plant (Australia):
     • Attack launched remotely in 2000 by a disgruntled/fired technical employee.
     • Disabled the SCADA control system and dumped untreated waste water directly into the fresh water supply.
     Unidentified water plant in the USA with 2,500,000 customers:
     • March 28, 2016 report: hackers tied to Syria infiltrated the water utility's control system and changed the chemicals used to treat water.
     • A spear-phishing attack allowed the hackers to obtain login credentials that were stored on the web server.
  9. Example #4: ICS Attacks on Manufacturing Plants (1)
     Hacking of German Steel Mill (2014), by Kim Zetter, 01.08.15
     [Diagram: corporate network (Internet, external firewall, corporate network, Tofino industrial firewall) connected to the control center (SCADA server, historian, application servers, engineering workstation, operator clients, terminal server) and, over communication links (leased lines, cellular network, POTS, radio), to the field site (communication interface equipment, PLCs, legacy devices with a 20-30 year lifespan). Annotations: hackers used social engineering to gain access to the corporate network, then worked their way to the control network; eventually the attackers were able to keep a furnace from being shut down properly, causing substantial damage.]
     • A cyberattack caused confirmed physical damage for the second time ever.
     • Hackers used a spear-phishing attack from a spoofed email to gain access to the corporate network.
     • Once the hackers were on the corporate network they were able to bridge to the process or control network.
     • The hackers then took control of a blast furnace, which caused significant damage.
  10. Example #5: ICS Attacks on Manufacturing Plants (2)
      The "Assassin" virus was downloaded to the network of a large local manufacturing company in 2017.
      Reported by WikiLeaks: supposedly developed by the CIA and then stolen.
      1. The malware uses spoofed emails to trick users into connecting to a server.
         • The IT admin for the local company did so by clicking on a link that looked like it came from the company's own print server.
      2. The server then gains access to all of the company's data.
      3. This particular version deleted all of the company's configuration files for various pieces of manufacturing equipment.
      4. All of the equipment had back-ups except for 2 pieces.
      5. These 2 pieces of manufacturing equipment had to be reconfigured, which took the equipment off-line for 2 weeks.
  11. Example #6: ICS Attacks on Government Facilities
      Stuxnet Disrupts Iranian Centrifuges
      [Diagram: the same corporate network / control center / field site architecture as the steel mill slide (Internet, external firewall, external (exposed) corporate servers/services, internal corporate servers, SCADA server, historian, application servers, operator clients, terminal server, communication links, communication interface equipment, PLCs, legacy devices with a 20-30 year lifespan), with the field site's centrifuges controlled by Siemens PLCs. Annotations: Stuxnet arrives on a jump drive and compromises a workstation running the Siemens software; Stuxnet reprograms the PLCs to degrade centrifuge operation, and later to destroy the centrifuges.]
      • Stuxnet discovered in 2010
      • Attack on an Iranian centrifuge facility
      • Apparently from a USB device plugged into a Windows machine
        • USB thumb drive placed in the parking lot
        • An employee inadvertently loaded the virus by plugging the drive into a PC on the control network
      • Caused destructive velocity deviations targeting specific PLCs and centrifuges
      • Masked the attack from the central control computers
  12. Background on Industrial Control Systems (ICS) & SCADA
      SCADA: Supervisory Control and Data Acquisition
      A control system architecture using computers, networks and user interfaces to control industrial equipment and processes [Ref: Wikipedia].
  13. SCADA Components
      • Human Machine Interface (HMI)
      • Master Terminal Unit(s) (MTU)
      • Connection Network
      • Remote Terminal Unit(s) (RTU)
  14. ICS Security Solutions
      Best practices require security for both the process network and the field devices.
      Traditional IT measures:
      ◦ Network segmentation, NIDS, encryption
      ◦ System hardening (patches)
      ◦ Important but not sufficient
      ICS-specific security solutions:
      ◦ Protocol enhancements
      ◦ Field IDS
      ◦ Security Hardened Field Devices
  15. Current Industrial Firewalls Rely Primarily on a Linux-based OS
      Firewalls with updated virus protection are the primary tool used to protect manufacturing and processing plants from cyber-attacks.
      • Some legacy equipment is 20-30 yrs old and doesn't support a current OS
      • Some firewalls are designed specifically for ICS (Tofino)
      • Symantec identified over 1,000,000 computer viruses in 2008. Most target Windows.
      • Most ICS firewalls are Linux-based
        • Linux has over 15 million lines of code and contains 37,000 files
        • Only 139,000 lines are for the kernel
  16. Security Hardened Field Device (SHFD)
      • Isolate the security services and enforcement software from the digital and analog I/O drivers and from the network-facing software
      • Prevent the network-interfacing code from being able to directly access the analog and digital I/O software or hardware
      • This is the focus of True Secure SCADA's approach to ICS security
  17. Security Hardened Field Device Architecture
  18. ICS Secure Preprocessor Approach
      [Diagram: TSS SCADA-Guard secure preprocessor using seL4, with a control network port, a PLC port and a configuration port.]
  19. Advantage of Using the seL4 Microkernel
      1. Provides only those primitives that must have privileged access to memory and the processor.
      2. Microkernel primitives:
         • Address spaces: chunks of memory, isolated from each other
         • Threads (execution)
         • Inter-process communication (IPC)
      3. seL4 provides 3 system calls (send, receive and yield) in 8,700 lines of code.
      4. Linux provides approximately 200 system calls.
      The key advantage of fewer system calls is that it limits what hackers can do to create viruses.
  20. Water Treatment Protection Example Using a SHFD
      Untreated water reservoir
      ◦ Assumption: always has water available
      A PLC controls the addition of treatment chemicals as water flows from the reservoir to the holding tank
      ◦ Assumptions:
        ◦ Flow in and flow out will be equal
        ◦ The water will always be equally mixed
        ◦ Flow in will not be greater than the set volume
  21. Water Treatment Simulation Interface
  22. Simulation and Testing at Louisville Water Co.
      • Two main components of the simulation:
        • Water system (simulated in LabVIEW™)
          • Water treatment
          • Water distribution
        • HMI/MTU – custom software
      • The simulation is connected to the prototype using a DAQ from National Instruments
      Options for design & testing:
      Laboratory SCADA systems
      ◦ Expensive and limited access
      Live SCADA systems
      ◦ Physical consequences
      Simulation approach
      ◦ Can realistically simulate field systems
  23. Tested Prototype at Louisville Water Company*
      [Diagram labels: water system, sensors and actuators, RTU & DAQ, "TSS device goes here", network, HMI/MTU]
      * Tested under non-critical processes & control
  24. Dam Control Protection Using a SHFD
      [Diagram: dam control center and corporate intranet (corporate network, firewall), SCADA network (firewall), SCADA RTU or PLC, dam turbine & gate control, with the possible hacker entry points marked. SCADA-Guard™ provides a solution using secure seL4 for all 4 possible hacker entry points.]
  25. Major ICS Attacks in the First Quarter of 2018
      • Feb 2018 – Attack on the safety computer of a Middle East nuclear reactor revealed
      • March 2018 – NYT reports on an attack on a Saudi Arabia petro-chemical plant
      • March 2018 – DHS reveals concerns that Russians could impact the US power grid
  26. Thank You
      Cybersecurity Summit