This talk is different from many of the presentations you have heard this week. Purely educational. Lee Tech and Schneider do not offer products or services directly related to addressing cyber vulnerabilities in data center infrastructure. This is a subject that I became interested in in 2010. I’ve done a lot of research, published a few articles, and I’m presenting to you a summary of my research on the subject. The purpose of this presentation is to raise awareness of an emerging trend: hacking and malware designed to target physical infrastructure.
Who would target a data center? In security-speak, what are the “threat agents”? Recommendations: no technical deep dive on recommendations. System architectures and degrees of convergence are too diverse to have a meaningful conversation without knowing more about system particulars. Discuss convergence and the trend of ICS-SCADA systems migrating to IP6.
Most of what you see in this aerial photo is admin and concrete manufacturing buildings. The bulk of the facility is deep underground. Looks a bit like Nevada (ha, ha). A bit about enrichment of uranium. U235 is 99.25% of naturally occurring uranium. The remainder is an isotope, U238. Separating U235 from U238 is very delicate, very tricky work.
The first “cyber super weapon”. Crossing the barrier between cyber and real. This is one of the key differences between cyber security for ICS and security for traditional IT. Traditional IT threats don’t cause physical effects that destroy hardware and potentially hurt people. Set up discussion of differences between traditional IT security and ICS security.
Infrastructure of national interest, such as power generation and distribution, water purification, oil and gas refinement, etc. Briefly discuss how data centers often are infrastructure of national interest, setting up a more in-depth conversation later in the presentation.
System consists of… There are slight variations in terms and device types depending on the system application; however, this is a good summary. Each of the devices listed has unique cyber vulnerabilities. Communication infrastructure: discuss how this aspect of ICS systems is rapidly converging on IP6 and how this convergence is one of the reasons that ICS systems are becoming more vulnerable. Also, how convergence to IP is making ICS more useful and powerful.
Reiterate that regardless of the application and the manufacturer of the ICS, the vulnerabilities are the same. All system software runs on vulnerable Windows (rarely Unix) platforms, all communicate using the vulnerable, unauthenticated MODBUS (or PROFIBUS) protocol, all run on vulnerable off-the-shelf (OTS) PCs, etc. Photo shows a data center SCADA system. Through the window are the data center’s generators being controlled and monitored by the SCADA system.
Who is Ralph Langner? Discuss Langner’s TED talk as an informative resource. Discuss the probability that infrastructure such as the electrical grid will probably get its act together before falling victim to a cyber attack. However, as ICS weapons proliferate, an increasing number of lower-profile facilities will become viable targets.
Phantom Menace… not Star Wars Episode I (chuckle).
The malware most likely to adversely affect an ICS is currently unintentional fallout from one of these types of crimes. Corporate assets are attacked by cybercriminals and networked ICS assets are infected almost by accident. Discuss how important it is that ICS systems operate in as close to real time as possible. Discuss how infection of the SCADA controller by a botnet or virus would slow the system, preventing a timely response to changing system conditions.
The anarchist hacker collective “Anonymous” has been actively seeking skills and information relative to ICS-SCADA hacking. Groups like Greenpeace have a history of aggressively going after targets that they feel are egregious polluters. Greenpeace has identified data centers as energy hogs, and the dust-up between Greenpeace and Facebook has been well covered by industry news. Occupy would undoubtedly love to take down financial sector data centers such as the NY Stock Exchange.
The majority of malware isn’t written from scratch with a specific purpose in mind. Most uses existing viruses that have been tweaked (hacked) by amateurs (the proverbial kid in his parents’ basement). This has led to the huge numbers of viruses and worms currently in circulation. Security experts expect ICS-targeted attacks to follow a similar proliferation path: from relatively rare to increasingly prevalent as more groups develop the expertise and tools to exploit security flaws.
Discuss The Gap: how facilities teams often have little understanding of cybersecurity, and how IT teams with strong cybersecurity skills don’t know that vulnerable systems can be found in the gray space. Discuss how the priorities of IT professionals are Confidentiality, Integrity, Availability (CIA), in that order. ICS, on the other hand, flips those priorities 100%: Availability is an absolute must-have and Confidentiality is relatively low.
Highly complex systems with a variety of interconnections.
Each component has multiple vulnerabilities. Firewalls and read-only devices may adequately patch some vulnerabilities, but a defense-in-depth strategy is needed for good security. Thanks to Joel Langill at SCADAhacker.com for the graphic. Discuss how this network architecture is vastly different from traditional IT architecture.
Physical security is vital. If I can walk up to your generator (for example) because the generator yard is unsecured, or by using a social hack, you have a vulnerability that should be fixed before you address cyber vulnerabilities. Dedicated networks: the story of the facility manager who got fed up with having two identical PCs on his desk and simply loaded his SCADA system on his corporate email PC. White listing vs. black listing: slow system response during traditional AV protection scanning. Value of ICS-CERT bulletins. Discuss “threats from” and “threats to”.
2012-02-14 AFCOM Presentation
Cyber Security for Data Center Infrastructure AFCOM Data Center World Las Vegas 2012 Presenter: Eric Gallant
Agenda:
• Emergence of cyber weapons that target Industrial Control Systems (ICS/DCS/SCADA).
• Why should Data Centers care?
• Who would target a Data Center?
• Challenges to securing ICS-SCADA systems.
• Recommendations.
• Summary.
Natanz Nuclear Fuel Enrichment Plant (FEP)
• Key facility in Iranian nuclear program
• Extremely secure facility
• Located in a rugged, rural area
• Centrifuges located in hardened bunkers under 22 meters of soil.
• No Internet connection
• In 2010, a cyber-weapon called STUXNET infected ICS-SCADA systems and caused catastrophic physical damage to centrifuges.
STUXNET was a “game changer”
• Groundbreaking features:
  – First SCADA “worm”
  – Crossed the barrier between the “cyber” and the “real”
  – Crossed the “air gap” to infect un-networked systems
  – First PLC rootkit
  – Sent false data to HMI
STUXNET was a game changer
• The STUXNET cyber attack was of great interest to:
  – Cyber security community
  – Homeland Security and Intelligence communities
  – Providers of Infrastructure of National Interest
• But data center infrastructure?
Why should data centers care?
• What is ICS-SCADA?
  – ICS: Industrial Control System
  – SCADA: Supervisory Control and Data Acquisition
  – DCS: Distributed Control System
• Systems consist of:
  – SCADA controller (Windows or Linux PC)
  – Human Machine Interface (HMI)
  – Programmable Logic Controllers (PLC)
  – Field Devices (Sensors)
  – Communication Infrastructure
Why should data centers care?
• How are ICS-SCADA systems used?
  – At Natanz to control centrifuge speed
  – At electrical utilities to control flow of current
  – At water purification plants to control flow and process
• How are ICS-SCADA systems used in data centers?
  – Switchgear
  – Mechanical Systems
  – Building Automation
Why should data centers care?
• Langner’s prediction: “The next cyber weapon will be considerably cheaper, since much of the attack vector and the specifics of how to use automation equipment will simply be copied. Sabotage with the motivation of extortion will get a commonplace scenario. At this time targets are no longer limited to critical infrastructure but will especially cover the private sector — a TARGET-RICH AREA where it cannot be assumed that organizations will install countermeasures large scale in a reasonable amount of time.”
Why should data centers care?
• Most data centers use some type of ICS-SCADA to monitor and control their electrical and/or mechanical infrastructure.
• Data center ICS-SCADA systems have precisely the same vulnerabilities as the systems at Natanz.
• Since STUXNET, cyber weapons that target physical infrastructure through ICS-SCADA vulnerabilities have proliferated.
• ICS-SCADA malware, malware development tools and exploits are becoming more common, and a wide variety of bad actors are developing capabilities.
• More Advanced Persistent Threats (APT) similar to STUXNET have been discovered.
• ICS-CERT has issued alerts for every major ICS manufacturer, including GE, Schneider, Siemens, Koyo, ABB, Rockwell/Allen Bradley.
Who would attack a data center’s ICS-SCADA?
• National Agencies
  – Disrupt Banking and Commerce
  – Disrupt Intelligence Gathering
  – Disrupt Communication Infrastructure
• In 2007 a Blue Horizons paper, titled “State Actor Threats in 2025”, was prepared by the US Air Force. The paper identified a number of scenarios that could threaten the United States in the future. The scenario with “the highest potential for a state actor to inflict catastrophic damage to the US” is known as Phantom Menace. In this scenario, cyber attacks are used “against the enemy so that the civilian electricity network, traffic dispatching network, financial transaction network, telephone communications network, and mass media network are completely paralyzed, this will cause the enemy nation to fall into social panic, street riots, and a political crisis.”
Who would attack a data center’s ICS-SCADA?
• Cybercriminals
  – Many Data Centers have deep pockets and are vulnerable to extortion
Who would attack a data center’s ICS-SCADA?
• Corporate Espionage
  – Gain a competitive advantage
• Operation Aurora: Google, Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.
Who would attack a data center’s ICS-SCADA?
• Hacktivists
  – Anonymous
  – Radical Environmentalists
  – Occupy Movement
Who would attack a data center’s ICS-SCADA?
• Script Kiddies
Challenges to securing ICS-SCADA systems
• ICS-SCADA systems are squarely in the gap between facilities and IT
• Awareness of vulnerability is low among IT and Facilities teams
• Security is assumed
• Standard cyber security tactics are ineffective and often counterproductive
• No authentication in communication protocols
• ICS-SCADA systems have a very complex attack surface
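The “no authentication in communication protocols” point above, and the unauthenticated MODBUS remark in the speaker notes, are easiest to see in the protocol bytes themselves. The following is an added example, not code from the presentation or from any vendor: it parses constructed Modbus/TCP frames, whose header and PDU carry no sender identity or credential, and flags state-changing function codes arriving from hosts outside an assumed list of approved SCADA masters, the kind of passive monitor that belongs on a dedicated ICS network. The IP addresses and frames are made up for the example.

```python
import struct

# Modbus/TCP frame = 7-byte MBAP header (transaction id, protocol id, length, unit id)
# + PDU (function code, data). Nothing identifies or authenticates the sender.
MBAP = struct.Struct(">HHHB")

# Function codes that change PLC state (coils and holding registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP fields and PDU; ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if len(frame) != 6 + length:  # length field counts unit id + PDU
        raise ValueError("length field does not match frame size")
    pdu = frame[MBAP.size:]
    return {"transaction": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}

def flag_write(src_ip: str, frame: bytes, approved_masters):
    """Alert text if a write request comes from a host that is not an approved master, else None."""
    msg = parse_modbus_tcp(frame)
    fc = msg["function"]
    if fc not in WRITE_FUNCTIONS or src_ip in approved_masters:
        return None
    return (f"ALERT {src_ip} -> unit {msg['unit']}: {WRITE_FUNCTIONS[fc]} "
            f"(fc 0x{fc:02X}) from unapproved host")

# Constructed sample traffic (not real captures). 10.0.5.10 is the assumed
# SCADA controller; 10.0.5.77 is an unknown host on the same segment.
SAMPLE_TRAFFIC = [
    ("10.0.5.10", bytes.fromhex("0001000000060103000A0002")),  # read 2 holding registers
    ("10.0.5.77", bytes.fromhex("00020000000601050001FF00")),  # write coil 1 = ON
    ("10.0.5.10", bytes.fromhex("000300000006010600100001")),  # write register 16 = 1
]

def scan(traffic, approved_masters=frozenset({"10.0.5.10"})) -> list:
    """Run every (source ip, frame) pair through flag_write and return the alerts."""
    return [a for ip, f in traffic if (a := flag_write(ip, f, approved_masters)) is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)  # only the coil write from 10.0.5.77 is reported
```

Because the PLC will execute the write from 10.0.5.77 exactly as it would one from the controller, the alert is the only evidence that anything was wrong; that is why the recommendations lean on dedicated networks and physical controls rather than on the protocol.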
Recommendations
• Physical Security
• Dedicated Networks
• Ban Removable Storage Devices
• Training
• 3rd Party Penetration/Vulnerability Testing
• White Listing
Summary
• There’s a cyberwar raging all around us.
  – Nation vs. nation
  – Nation vs. corporation
  – Corporation vs. corporation
  – Extremists vs. everyone
• ICS-SCADA systems are now on the battlefield
• Hackers and malware have the motivation and capability to strike data centers
• Yesterday’s security strategies are no longer effective
Questions? Eric Gallant Schneider Electric Eric.email@example.com M: 404-431-1986