Addressing CIP


Critical Infrastructure Protection Case Study
Presented at SecureAsia 2010, Singapore, July 2010

  1. Addressing CIP: A Thailand Case Study
     by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
     Chief Security Officer, PTT ICT Solutions Co., Ltd., a company of PTT Group
     Note: CIP = Critical Infrastructure Protection
  2. Addressing CIP: A Thailand Case Study, by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
     Synopsis: In many countries where Critical Infrastructure Protection is not yet a regulatory requirement, or is not taken seriously by the government, perception, understanding, collaboration and a qualified workforce are big challenges. Many misperceptions about securing those systems make it hard to convince management and stakeholders to support activities and investments. However, legislation is not the only way to go; there are many other factors that can be pulled into the scene, e.g. BCM, risk management, etc., to help attract management. As security professionals, how can we make things better? How can we use the other mechanisms available to help address this challenge? In Thailand, even though we have not explicitly issued a law specifically for CIP, we have addressed CIP to some extent. We help raise awareness and understanding through training and seminars that demonstrate the vulnerability and exploitability of such systems. We introduce ISO27001 as a basic security management framework. Of course, there are many other things that need to be done to address this challenge.
  3. About the Speaker
     Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
     Title: Chief Security Officer (CSO)
     Company: PTT ICT Solutions Company Limited, a company of PTT Group
     Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
     • Contributed to the Thailand Cyber Crime Act B.E. 2550
     • Security Sub-commission under the Thailand Electronic Transaction Commission (ET Act B.E. 2544)
     • Workgroup for CA service standard development
     • Committee for national standard adoption of ISO27001/ISO27002
     • Committee of the Thailand Information Security Association (TISA)
     • Committee for cybersecurity taskforce development, Division of Skill Development, Ministry of Labour
  4. Disclaimer
     • I am not a representative of the Thailand government nor of any commission I have been involved in.
     • I am not a spokesperson for my company.
     • I am here as an infosec professional working and contributing in Thailand, and would like to share some experience and the Thai circumstances for the sake of global professional community collaboration and contribution.
  5. Agenda
     • Global perspective toward CIP
     • Thailand circumstances and challenges
     • Approaches
  6. Transportation System (from a movie)
  7. Italian Traffic Lights (in the real world)
     Event: February 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system.
     Impact: Rise of over 1,400 traffic tickets, costing more than 250K Euros, in a two-month period.
     Specifics: An engineer is accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets.
     Lessons learned:
     • Do not underestimate the insider threat
     • Ensure separation of duties and auditing
  8. Transportation – Road Signs (in the real world)
     Event: January 2009, Texas road signs compromised.
     Impact: Motorists distracted and provided false information.
     Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
     Lessons learned:
     • Use robust physical access controls
     • Change all default passwords
     • Work with manufacturers to identify and protect password reset procedures
  9. Building Automation System (BAS) (from a movie)
  10. Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers (July 2009, in the real world)
     • "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job."
     • "Jesse William McGraw, 25, also known as 'GhostExodus,' 'PhantomExodizzmo,' as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, 'threatened public health and safety,' according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."
  11. In the real world: CIA Admits Cyberattacks Blacked Out Cities
     • The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.
     • The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.
     By Thomas Claburn, InformationWeek, January 18, 2008 06:15 PM
  12. A Black-out Incident (in the real world)
  13. In the real world: TISA in the Bangkok Post, "When Hacking Risks Health"; TISA web site
  14. Commonly claimed: "The system is isolated" (in the real world)
     Virus Found On Computer In Space Station: NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. … The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection.
     InformationWeek, August 27, 2008
  15. (Diagram) Threat picture: adversaries (hacker, terrorist, disgruntled employee) and malicious code (virus/worm) exploit vulnerabilities and weaknesses that plant control systems have; the control systems come from manufacturers, operate national critical infrastructure, and are subject to law, compliance, industry-specific standards and guidelines from government and regulators.
  16. Simplification (diagram): someone hates someone → someone develops a weapon → someone (and someone else, not only the intended target) gets into trouble → someone has to do something.
  17. Activity Timeline of the U.S. Critical Infrastructure Protection Initiative
  18. What do the big brothers do?
     • US, 1996: President's Commission on Critical Infrastructure Protection (PCCIP)
     • US, 1998: FBI National Infrastructure Protection Center (NIPC) and the Critical Infrastructure Assurance Office (CIAO)
     • Communications and Information Sector Working Group (CISWG)
     • Partnership for Critical Infrastructure Security (PCIS)
     — 9/11 —
     • US, 2001: President's Critical Infrastructure Protection Board (PCIPB)
     • US, 2003: National Infrastructure Advisory Council (NIAC)
     • Control Systems Security Program, National Cyber Security Division, US-DHS
     • United States Computer Emergency Readiness Team (US-CERT) Control Systems Security Center (CSSC)
  19. Obama elevates the priority of cybersecurity concerns (May 29, 2009)
     U.S. President Barack Obama will appoint a government-wide cybersecurity coordinator and elevate cybersecurity concerns to a top management priority for the U.S. government, he announced Friday. The White House will also develop a new, comprehensive national cybersecurity strategy, with help from private experts, and it will invest in "cutting edge" cybersecurity research and development, Obama said in a short speech.
  20. Common Characteristics
     • Tone from the top
     • Accountability
     • Across government agencies
     • Government and industry collaboration
     • Industry-specific best practices vs. common best practices (share and collaborate)
     • Short/mid/long-term plan
     • Review → Plan → Deploy → Monitor → Report
  21. Challenges
     • Small number of security professionals in the market
     • Misperceptions about control system security:
       – Security by obscurity
       – Separated network
       – Not an IT business, we have no secrets
     • Low awareness among stakeholders
  22. Qualified professional undersupply (Venn diagram): IT Professional, Infosec Professional and Control System Professional overlap; the Control System Cybersecurity Professional sits in the intersection of all three.
  23. The Implication
     • Only a small number of professionals with the right competency to help you out
     • Collaboration and support from the professional community is highly needed
  24. InfoSec Professional Involvement
     • Law
       – ETC: Electronic Transaction Commission
       – Security Sub-commission
       – Electronic Transaction Act: 2001
     • Performance Appraisal Program (for State Enterprises)
     • National standard adoption (ISO27001/ISO27002)
     • Educating top management in the healthcare industry
     • Annual conference: Cyber Defence Initiative Conference (CDIC)
     • Educating top management, mid-management and the technical persons involved
  25. Key Influencers
     • Electronic Transaction Commission (ETC)
     • Thailand Information Security Association (TISA)
     • State Enterprise Policy Office (SEPO)
     • Ministry of ICT
     • NECTEC, Ministry of Science and Technology
     • ACIS Professional Center
  26. Guideline on Securing Electronic Transactions (derived from the ISMS Implementation Guideline)
  27. Thailand Information Security Association
     ACIS Professional Center, 27-Jul-10
  28. TISA Committees
  29. ISMS Training
  30. TISA Pilot Exam Summary: TISA ITS-EBK Model
  31. Example of a TISA TISET Report, TISA Pilot Exam 2009-10-17
  32. TISA Pilot Exam Summary: Certification Roadmap (diagram)
     Three tracks: Audit, Management, Technical.
     • Foundation (localized): TISA TISET Certification on IT / Information Security Competencies Test (the TISA TISET Exam)
     • Advance and Expert: internationally certified IT & information security professional; a step to CISSP, SSCP, CISA, CISM
  33. State Enterprise Policy Office (SEPO)
     • Incentive-based Performance Appraisal Program conducted annually
     • 50+ State Enterprises under this program, which include:
       – Electricity generation and distribution
       – Gas pipeline and energy
       – Water works
       – Telecommunication
     • IT Management: ISO27001
     • Business Risk Management: Business Continuity Management (BCM)
  34. ISO27001 Implementation Roadmap (timeline chart, 2007–2011): phases labelled Start, Plan, Main System and Minor/support system.
  35. The growth of ISO27001 in Thailand: number of certificates per country, July 2010 (total 6,573)
     Japan 3572; India 490; UK 448; Taiwan 373; China 373; Germany 138; Korea 106; USA 96; Czech Republic 85; Hungary 71
     Italy 61; Poland 56; Spain 43; Malaysia 39; Ireland 37; Austria 35; Thailand 34; Hong Kong 32; Romania 30; Australia 29
     Greece 28; Mexico 24; Brazil 23; Turkey 21; UAE 20; Slovakia 19; France 18; Slovenia 16; Philippines 15; Pakistan 14
     Iceland 13; Saudi Arabia 13; Netherlands 12; Singapore 12; Indonesia 11; Bulgaria 10; Norway 10; Russian Federation 10; Kuwait 9; Sweden 9
     Colombia 8; Iran 8; Bahrain 7; Switzerland 7; Croatia 6; Canada 5; South Africa 5; Sri Lanka 5; Vietnam 5
     Lithuania 4; Oman 4; Qatar 4; Chile 3; Egypt 3; Gibraltar 3; Macau 3; Peru 3; Portugal 3
     Argentina 2; Belgium 2; Bosnia Herzegovina 2; Cyprus 2; Isle of Man 2; Kazakhstan 2; Morocco 2; Ukraine 2
     Armenia 1; Bangladesh 1; Belarus 1; Denmark 1; Dominican Republic 1; Kyrgyzstan 1; Lebanon 1; Luxembourg 1; Macedonia 1; Mauritius 1; Moldova 1; New Zealand 1; Sudan 1; Uruguay 1; Yemen 1
  36. Start with Awareness
     • Annual security event, CDIC (public and private sector)
     • Top management
     • Involved engineers and technicians
  37. Educating the Engineering Department
  38. Normal Operation (diagram): Operator → Operator Workstation → HMI Web & DB Server → PLC
  39. Hacking on the Operator Workstation, Scenario #1.1: Known local admin password
     (Diagram: Operator → Operator Workstation → HMI Web & DB Server → PLC)
     • The hacker knows the local admin password
     • Connects to the operator workstation over Remote Desktop
     • Connects to the GUI's server: remotely control the GUI, add a new user, open a share folder
  40. Hacking on the Operator Workstation, Summary of Scenario #1.1: Known local admin password
     Required conditions:
     • Local admin password is known (default password)
     • Remote Desktop is open
     Consequence: the attacker can take over the system
     • Attacker can take over the GUI
     • Attacker can add a new user
     • Attacker can open a share folder
     Remediation:
     • Change default passwords
     • Restrict access to Remote Desktop
  41. Hacking on the Operator Workstation, Scenario #1.2: Unpatched
     (Diagram: Operator → Operator Workstation → HMI Web & DB Server → PLC)
     • The hacker attacks a vulnerability on the unpatched workstation / GUI's server
     • Server exploited: remotely control the GUI, add a new user, open a share folder
  42. Hacking on the Operator Workstation, Summary of Scenario #1.2: Unpatched
     Required condition:
     • Operator workstation is not patched
     Consequence: the attacker can take over the system
     • Attacker can take over the GUI
     • Attacker can add a new user
     • Attacker can open a share folder
     Remediation:
     • Regularly update the workstation
     • Monitor system integrity
     • Consider an intrusion detection system
     • Consider a security perimeter
  43. Hacking on the Operator Workstation, Scenario #1.3: Password sniffing
     (Diagram: Operator → Operator Workstation → HMI Web & DB Server → PLC)
     • The hacker sniffs the operator's password in the network
  44. Hacking on the Operator Workstation, Summary of Scenario #1.3: Password sniffing
     Required conditions:
     • Web-based HMI
     • Operator sends the login password via HTTP
     Consequence:
     • Password is known to the hacker
     • Hacker can log in to the web-based HMI
     Remediation:
     • Use HTTPS instead of HTTP
     • Consider a detection measure
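The "detection measure" in scenario #1.3 can be the same passive view the attacker has. The following Python is an added example, not code from the presentation: it inspects captured TCP payloads for an operator login sent to the web HMI over plain HTTP, either as a form POST or as a Basic Authorization header, and ignores anything that is not parseable HTTP (such as a TLS record to 443, which is what the HTTPS remediation looks like from the wire). The packet tuples, host names, form field names and credentials are all constructed for the example.

```python
"""Passive check for operator credentials sent to a web HMI in cleartext.

Inspects captured TCP payloads (constructed below) and reports HTTP
requests that carry a password, either in a form POST body or in a Basic
Authorization header. Non-HTTP payloads, such as a TLS record to 443, are
skipped.
"""
import base64
import binascii
from urllib.parse import parse_qs

# Form field names treated as password / username fields (an assumption).
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
USERNAME_FIELDS = {"username", "user", "login"}


def parse_http_request(payload):
    """Return (method, path, headers, body) for an HTTP/1.x request, else None."""
    text = payload.decode("iso-8859-1")          # byte-preserving, never fails
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None                            # malformed header block
        headers[name.strip().lower()] = value.strip()
    return request_line[0], request_line[1], headers, body


def find_cleartext_credentials(packets):
    """packets: iterable of (src, dst, payload) tuples. Returns one finding per credential seen."""
    findings = []
    for src, dst, payload in packets:
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, headers, body = req
        base = {"src": src, "dst": dst, "path": path}

        # Basic auth: base64(user:password) on every request, trivially decoded.
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
            except binascii.Error:
                decoded = ""
            user, _, password = decoded.partition(":")
            findings.append({**base, "kind": "basic-auth", "user": user, "password": password})

        # HTML login form posted as application/x-www-form-urlencoded.
        if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            fields = {k.lower(): v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
            user = next((fields[k] for k in USERNAME_FIELDS if k in fields), "")
            for name in PASSWORD_FIELDS:
                if name in fields:
                    findings.append({**base, "kind": "form", "user": user, "password": fields[name]})
    return findings


# Constructed capture: an operator logging in to the HMI over HTTP, a Basic-auth
# request, and a TLS ClientHello fragment to 443 that the parser must ignore.
CAPTURE = [
    ("10.0.1.20:51022", "10.0.1.5:80",
     b"POST /hmi/login HTTP/1.1\r\nHost: hmi\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
     b"username=operator&password=Plant123"),
    ("10.0.1.20:51023", "10.0.1.5:80",
     b"GET /hmi/trend HTTP/1.1\r\nHost: hmi\r\nAuthorization: Basic "
     + base64.b64encode(b"engineer:s3cret") + b"\r\n\r\n"),
    ("10.0.1.20:51024", "10.0.1.5:443",
     b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32)),
]

if __name__ == "__main__":
    for f in find_cleartext_credentials(CAPTURE):
        print(f"{f['src']} -> {f['dst']} {f['path']} [{f['kind']}] {f['user']}:{f['password']}")
```

Run against a real capture, feed the function the reassembled TCP payloads from the HMI's HTTP port; any finding at all means the remediation (HTTPS, or at least no form login over HTTP) has not been applied on that path.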
  45. Hacking on the Operator Workstation, Scenario #1.4: Remembered password
     (Diagram: Operator → Operator Workstation → HMI Web & DB Server → PLC)
     • The operator uses the "remember password" feature
     • The attacker plugs in a USB U3 thumb drive and dumps the remembered password
  46. Hacking on the Operator Workstation, Summary of Scenario #1.4: Remembered password
     Required conditions:
     • Physical access to the system
     • Autorun enabled
     Consequence:
     • Password is stolen
     Remediation:
     • Limit physical access to the system
     • Disable Autorun (all drives)
     • Don't use the "remember password" feature
  47. Hacking on the HMI Web & DB Server, Scenario #2: SQL Injection
     (Diagram: Operator → Operator Workstation → HMI Web & DB Server → PLC)
     • Injection flaw in the web HMI
     • SQL injection: delete a table; modify data in a table (insert, delete, update)
  48. Hacking on the HMI Web & DB Server, Summary of Scenario #2: SQL Injection
     Required conditions:
     • Web-based HMI
     • SQL injection flaw
     Consequence:
     • Direct database manipulation
     Remediation:
     • Input validation
     • Web application security assessment
     • Web Application Firewall (WAF)
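What "direct database manipulation" through a web HMI looks like, and what the input-validation remediation changes, as an added Python example that is not code from the presentation. The HMI is modelled as a setpoint table in an in-memory SQLite database; the schema, tag names, values and the allowlist pattern are constructed for the example. The vulnerable handler pastes the request parameters into the SQL text, so a crafted tag rewrites the WHERE clause and changes every setpoint in the table; the hardened handler validates the tag against an allowlist and binds both values as parameters.

```python
"""Web HMI setpoint update: SQL injection versus validation plus a parameterised query."""
import re
import sqlite3

# Allowlist for tag names as the plant actually uses them (an assumption for this example).
TAG_PATTERN = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")


def make_hmi_db():
    """In-memory stand-in for the HMI's setpoint table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE setpoints (tag TEXT PRIMARY KEY, value REAL NOT NULL)")
    conn.executemany("INSERT INTO setpoints VALUES (?, ?)",
                     [("PUMP1_SPEED", 60.0), ("TANK1_LEVEL_HI", 85.0)])
    conn.commit()
    return conn


def set_setpoint_vulnerable(conn, tag, value):
    """The flaw: request parameters become part of the SQL text."""
    sql = f"UPDATE setpoints SET value = {value} WHERE tag = '{tag}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount                      # rows actually changed


def valid_tag(tag):
    """Input validation: accept only tag names of the expected shape."""
    return bool(TAG_PATTERN.match(tag))


def set_setpoint_safe(conn, tag, value):
    """Remediation: validate, then bind the values instead of formatting them into SQL."""
    if not valid_tag(tag):
        raise ValueError(f"rejected tag: {tag!r}")
    cur = conn.execute("UPDATE setpoints SET value = ? WHERE tag = ?", (float(value), tag))
    conn.commit()
    return cur.rowcount


def dump(conn):
    """Current setpoints as {tag: value}."""
    return dict(conn.execute("SELECT tag, value FROM setpoints ORDER BY tag"))


if __name__ == "__main__":
    attack_tag = "PUMP1_SPEED' OR '1'='1"   # closes the quote, makes WHERE true for every row
    db = make_hmi_db()
    print("vulnerable: rows changed =", set_setpoint_vulnerable(db, attack_tag, "0"), dump(db))
    db = make_hmi_db()
    try:
        set_setpoint_safe(db, attack_tag, "0")
    except ValueError as err:
        print("safe:", err, dump(db))
```

Even without the allowlist, the parameterised UPDATE would change zero rows for the crafted tag, because the whole string is compared as a tag name rather than interpreted as SQL; the allowlist additionally turns the attempt into a rejected request that can be logged, which is the detection angle a WAF or the assessment would look for.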
  49. Hacking on the PLC, Scenario #3: Direct PLC Manipulation
     (Diagram: Operator → Operator Workstation → HMI Web & DB Server → PLC)
     • Open port 2222/TCP!
     • Control valve/pump
     • Change PLC mode → system halt
     • Take control of the PLC
     • Modify PLC data
     • Disrupt PLC operation
  50. Hacking on the PLC, Summary of Scenario #3: Direct PLC Manipulation
     Required conditions:
     • Port 2222/TCP is open (Allen-Bradley)
     • No authentication
     • Network routable
     Consequence:
     • Access to the PLC's data table
     Remediation:
     • Enable authentication where possible
     • Routing control / network isolation (verify)
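The "(verify)" after network isolation is the part that is usually skipped. The following Python is an added example, not code from the presentation: it evaluates a firewall or router access list offline, with first-match semantics and an implicit deny at the end, and reports which network zones can still reach the PLC on 2222/TCP. A weak ACL that lets the office LAN into the whole control network is shown beside a hardened one that only admits the HMI segment. The ACL syntax, subnets, zone addresses and the PLC address are constructed for the example.

```python
"""Offline check of which zones can reach a PLC port through a network ACL."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None = any destination port


def parse_acl(text):
    """Parse lines like 'permit tcp 10.20.0.0/24 10.20.5.0/24 eq 2222'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (4, 6) or (len(parts) == 6 and parts[4] != "eq"):
            raise ValueError(f"unparseable rule: {raw!r}")
        action, proto, src, dst = parts[:4]
        if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
            raise ValueError(f"unparseable rule: {raw!r}")
        dport = int(parts[5]) if len(parts) == 6 else None
        rules.append(Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport))
    return rules


def permitted(rules, proto, src_ip, dst_ip, dport):
    """First matching rule decides; no match falls through to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action == "permit"
    return False


def plc_exposure(rules, zones, plc_ip, port=2222):
    """zones: {zone name: representative source address}. Returns the zones that reach plc_ip:port."""
    return [name for name, ip in zones.items() if permitted(rules, "tcp", ip, plc_ip, port)]


# Constructed topology: office LAN 10.10.0.0/16, control network 10.20.0.0/16 with the
# HMI server segment 10.20.0.0/24 and the PLC segment 10.20.5.0/24.
ZONES = {"office": "10.10.3.44", "hmi-segment": "10.20.0.10", "internet": "203.0.113.9"}
PLC = "10.20.5.21"

WEAK_ACL = """
permit ip  10.10.0.0/16 10.20.0.0/16          # office may talk to the whole control network
permit tcp 10.20.0.0/24 10.20.5.0/24 eq 2222  # HMI segment to PLCs
deny   ip  0.0.0.0/0    0.0.0.0/0
"""

HARDENED_ACL = """
permit tcp 10.20.0.0/24 10.20.5.0/24  eq 2222  # only the HMI segment reaches the PLCs
deny   ip  10.10.0.0/16 10.20.5.0/24           # office never reaches the PLC segment
permit tcp 10.10.0.0/16 10.20.0.10/32 eq 443   # office sees the web HMI over HTTPS only
deny   ip  0.0.0.0/0    0.0.0.0/0
"""

if __name__ == "__main__":
    print("weak ACL, zones reaching PLC:2222:", plc_exposure(parse_acl(WEAK_ACL), ZONES, PLC))
    print("hardened ACL, zones reaching PLC:2222:", plc_exposure(parse_acl(HARDENED_ACL), ZONES, PLC))
```

The offline evaluation tells you what the configuration intends; it does not replace a connect test from a host in each zone, since a second path (a dual-homed engineering laptop, a modem on the PLC rack) is not in any ACL. Where authentication cannot be enabled on the PLC, this check is the control that actually stands between an attacker on the office LAN and the PLC's data table.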
  51. Summary
     • What has been done
       – Help raise awareness
       – Informal gathering of industry leaders
       – Some laws and regulations issued
     • Future
       – Many things are lined up
       – Government is to work closely with industry
       – Collaboration and community across countries shall be considered
       – It will be a long journey