Presentation for Industrial Control Systems Joint Working Group (ICSJWG).
This presentation will lend insight to IEEE 1711-2010, a standard for securing substation serial-based SCADA assets, and its applicability across industry sectors: electric, oil, gas, water, and chemical. Also addressed are the benefits of its implementation on legacy retrofits, SCADA link management, and integrating legacy systems and Ethernet IP SCADA networks.
Presenter: Mike Firstenberg, Waterfall Security Solutions
NIST, NERC CIP, the ISA/IEC and other authorities are adjusting their advice for secure industrial networks to include at least one layer of hardware-enforced unidirectional communications. Many security practitioners are familiar with specific applications of Unidirectional Security Gateway technology, but fewer have seen how widely the technology is being deployed throughout the electric sector.
Join us to review comprehensive unidirectional network architectures for generation, transmission, distribution, high-voltage substations, and control centers/TSO’s/balancing authorities. In each vertical we review use cases, examine NERC CIP compliance implications and cost savings, and compare the strength of each architecture with legacy firewall-based designs.
Presenter: Mike Firstenberg, Waterfall Security Solutions
NIST, NERC CIP, the ISA/IEC and other authorities are adjusting their advice for secure industrial networks to include at least one layer of hardware-enforced unidirectional communications. Many security practitioners are familiar with specific applications of Unidirectional Security Gateway technology, but fewer have seen how widely the technology is being deployed throughout the electric sector.
Join us to review comprehensive unidirectional network architectures for generation, transmission, distribution, high-voltage substations, and control centers/TSO’s/balancing authorities. In each vertical we review use cases, examine NERC CIP compliance implications and cost savings, and compare the strength of each architecture with legacy firewall-based designs.
Native Code Execution Control for Attack Mitigation on AndroidFraunhofer AISEC
In this talk, researchers from Fraunhofer AISEC demonstrate how Android can be made immune against all current local root exploits. The techniques detailed in this talk significantly raise the hurdles for successful potent attacks on Android devices and strongly limit the capabilities of malware. Currently, any app with Internet access can download code via the network at runtime and execute it, without the user or the system noticing. This includes malicious code such as root exploits. These flaws are addressed by the paper presented in this talk, entitled "Native Code Execution Control for Attack Mitigation on Android". The presentation was given at the 3rd Annual Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'13), colocated with the ACM Conference on Computer and Communications Security 2013 (CCS'13) in Berlin, Germany.
If you are interested in our techreport "On the Effectiveness of Malware Protection on Android" please visit http://ais.ec/techreport
Using Machine Learning in Networks Intrusion Detection SystemsOmar Shaya
The internet and different computing devices from desktop computers to smartphones have raised many security and privacy concerns, and the need to automate systems that detect attacks on these networks has emerged in order to be able to protect these networks with scale. And while traditional intrusion detection methods may be able to detect previously known attacks, the issue of dealing with new unknown attacks arises and that brings machine learning as a strong candidate to solve these challenges.
In this report, we investigate the use of machine learning in detecting network attacks, intrusion detection, by looking at work that has been done in this field. Particularly we look at the work that has been done by Pasocal et al.
Webinar on identifying, preventing and securing against the unidentifiable at...Intergence Ltd.
In this webinar we look at how the majority of today’s networks are vulnerable to a set of advanced attacks which can go undetected by many security systems. Advanced Evasion Techniques exist which can pass through firewalls and intrusion prevention systems, allowing an attacker to deliver a malicious payload to a vulnerable device, undetected.
Stonesoft’s Alan Cottom will demonstrate a live attack on an IPS-protected system using their Predator tool and how this attack can be blocked via the Stonesoft security suite of products.
Intergence will be demonstrating their cutting edge 3D visualisation tool Hyperglance which integrates with a number of network management and security systems including the Stonesoft products. Hyperglance will be used to visualise the IT infrastructure and identify where systems are vulnerable and pinpoint real time attacks, allowing administrators to take immediate action to secure their network.
Make things come alive in a secure way - SigfoxSigfox
Trustworthiness, which encompasses security, privacy, reliability and reliance, is a key challenge for the IoT. Firstly, this is because the IoT is intimately linked to business-critical processes, and secondly because the IoT significantly broadens the surface of attack of business intelligence systems. Sigfox addresses this challenge through a systematic process that assumes that security is relative and will be adapted to the level of threat faced by the application at hand.
Sigfox has gathered a team with lengthy experience in the security industry that deals with all relevant aspects, from security by design to active operational measures. This addresses data protection in motion via measures built in to the protocol (authentication, integrity, encryption, anti-replay, anti-jamming), data protection at rest via cryptographic storage of data and credentials in devices, base stations, and Sigfox Core Network. Reliability and reliance are both native in Sigfox data centers and intrinsic to the Sigfox network architecture to protect against attacks such as DDoS or massive device cloning.
In an effort to support its ecosystem, Sigfox has developed partnerships with internationally recognized security experts to facilitate the introduction of hardware security in devices and provide security assessment schemes for the IoT.
This presentation was given at BSides Las Vegas 2015.
The modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day to day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is raising and governmental regulations are being established and implement. However, this also means that the need for ICS security professionals is raising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question if I was up for the challenge, converting myself from a ‘normal’ security professional to a ICS specific security professional.
The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk instead in contrast to an ICS 101 talk.
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Jiunn-Jer Sun
Agenda
- The unknown truth of cyber threats
- The myths of network security
- Attack and defense analysis
- IEC 62443 standard and how it impacts on you
- IT vs. OT security and the golden rule of defense
- A foundation where technology meets humanity
Native Code Execution Control for Attack Mitigation on AndroidFraunhofer AISEC
In this talk, researchers from Fraunhofer AISEC demonstrate how Android can be made immune against all current local root exploits. The techniques detailed in this talk significantly raise the hurdles for successful potent attacks on Android devices and strongly limit the capabilities of malware. Currently, any app with Internet access can download code via the network at runtime and execute it, without the user or the system noticing. This includes malicious code such as root exploits. These flaws are addressed by the paper presented in this talk, entitled "Native Code Execution Control for Attack Mitigation on Android". The presentation was given at the 3rd Annual Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'13), colocated with the ACM Conference on Computer and Communications Security 2013 (CCS'13) in Berlin, Germany.
If you are interested in our techreport "On the Effectiveness of Malware Protection on Android" please visit http://ais.ec/techreport
Using Machine Learning in Networks Intrusion Detection SystemsOmar Shaya
The internet and different computing devices from desktop computers to smartphones have raised many security and privacy concerns, and the need to automate systems that detect attacks on these networks has emerged in order to be able to protect these networks with scale. And while traditional intrusion detection methods may be able to detect previously known attacks, the issue of dealing with new unknown attacks arises and that brings machine learning as a strong candidate to solve these challenges.
In this report, we investigate the use of machine learning in detecting network attacks, intrusion detection, by looking at work that has been done in this field. Particularly we look at the work that has been done by Pasocal et al.
Webinar on identifying, preventing and securing against the unidentifiable at...Intergence Ltd.
In this webinar we look at how the majority of today’s networks are vulnerable to a set of advanced attacks which can go undetected by many security systems. Advanced Evasion Techniques exist which can pass through firewalls and intrusion prevention systems, allowing an attacker to deliver a malicious payload to a vulnerable device, undetected.
Stonesoft’s Alan Cottom will demonstrate a live attack on an IPS-protected system using their Predator tool and how this attack can be blocked via the Stonesoft security suite of products.
Intergence will be demonstrating their cutting edge 3D visualisation tool Hyperglance which integrates with a number of network management and security systems including the Stonesoft products. Hyperglance will be used to visualise the IT infrastructure and identify where systems are vulnerable and pinpoint real time attacks, allowing administrators to take immediate action to secure their network.
Make things come alive in a secure way - SigfoxSigfox
Trustworthiness, which encompasses security, privacy, reliability and reliance, is a key challenge for the IoT. Firstly, this is because the IoT is intimately linked to business-critical processes, and secondly because the IoT significantly broadens the surface of attack of business intelligence systems. Sigfox addresses this challenge through a systematic process that assumes that security is relative and will be adapted to the level of threat faced by the application at hand.
Sigfox has gathered a team with lengthy experience in the security industry that deals with all relevant aspects, from security by design to active operational measures. This addresses data protection in motion via measures built in to the protocol (authentication, integrity, encryption, anti-replay, anti-jamming), data protection at rest via cryptographic storage of data and credentials in devices, base stations, and Sigfox Core Network. Reliability and reliance are both native in Sigfox data centers and intrinsic to the Sigfox network architecture to protect against attacks such as DDoS or massive device cloning.
In an effort to support its ecosystem, Sigfox has developed partnerships with internationally recognized security experts to facilitate the introduction of hardware security in devices and provide security assessment schemes for the IoT.
This presentation was given at BSides Las Vegas 2015.
The modern times that we live in, the gentle shift that we are making towards the Internet of Things (IoT) is slowly but surely getting a grip on our day to day lives. The same goes for securing our Industrial Control Systems (ICS). We see that the demand for ICS security is raising and governmental regulations are being established and implement. However, this also means that the need for ICS security professionals is raising as well. More and more security professionals/firms are starting to perform security assessments such as penetration testing on an ICS level. Two years ago I got the question if I was up for the challenge, converting myself from a ‘normal’ security professional to a ICS specific security professional.
The purpose of this talk would be to provide a starting point for security professionals that want to make the shift towards ICS Security, just like I did two years ago. While the term starting point might be a bit misleading, the goal would be to provide an ICS 001 talk instead in contrast to an ICS 101 talk.
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Jiunn-Jer Sun
Agenda
- The unknown truth of cyber threats
- The myths of network security
- Attack and defense analysis
- IEC 62443 standard and how it impacts on you
- IT vs. OT security and the golden rule of defense
- A foundation where technology meets humanity
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
Air-gapped networks are isolated, separated both logically and physically from public networks. For example, military, industrial, and financial networks. Although the feasibility of invading such systems has been demonstrated in recent years, communication of data to/from air-gapped networks is a challenging task to attackers to perpetrate, an even more difficult threat to defend against.
New methods of communicating with air gapped networks are currently being exposed, some advanced and difficult to mitigate. These new found vulnerabilities have wide reaching implications on what we considered to be a foolproof solution to network security –the placement of a physical air gap.
But it doesn’t stop there – new techniques of covertly getting information in and out of air gapped networks are being exposed. Thus it is important not only to publicize these vectors of attack, but their countermeasures and feasibility as well.
In this talk, we will outline the steps an attacker must take in order to bridge an air gapped network. We will review the state-of-the-art techniques over thermal, radio, and acoustic channels, and discuss each one’s countermeasures and feasibility. Most of techniques in this talk were discovered in our labs by researcher Mordichai Guri under the supervision of Prof. Yuval Elovici.
--- Mordechai Guri
Mordechai Guri is an accomplished computer scientist and security expert with over 20 years of practical research experience. He earned his Bsc and Msc Suma Cum Laude, from the computer science department at the Hebrew University of Jerusalem.
--- Yisroel Mirsky
Yisroel Mirsky is a Ph.D. candidate supervised by Prof. Bracha Shapira and Prof. Yuval Elovici, in the department of Information Systems Engineering in Ben-Gurion University.
--- Yuval Elovici
Yuval Elovici is the director of the Telekom Innovation Laboratories at Ben-Gurion University of the Negev (BGU), head of BGU Cyber Security Research Center, and a Professor in the Department of Information Systems Engineering at BGU.
Is your ICS breached? Are you sure? How do you know?
The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available. In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation will show how NSM should be part of ICS defense and response strategy, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS security program. Free tools such as Security Onion, Snort IDS, Bro IDS, NetworkMiner, and Wireshark will be used to look at the ICS environment for anomalies. It will be helpful if attendees have read these books (but they aren't required): The Cuckoo's Egg by Cliff Stoll, The Practice of Network Security Monitoring by Richard Bejtlich, and Applied Network Security Monitoring by Chris Sanders and Jason Smith.
What is PROFIsafe and how does it work? What do we mean by “Safety”?
“The condition of being safe; freedom from danger, risk, or injury.”
In the UK (and Europe) this can cover many areas and industries, for example:
Supply of Machinery (Safety) Regulations
Electromagnetic Compatibility Regulations
Electrical Equipment (Safety) Regulations
Pressure Equipment Regulations
Simple Pressure Vessels (Safety) Regulations
Equipment and Protective Systems Intended for Use in Potentially
Explosive Atmospheres Regulations
Lifts Regulations
Medical Devices Regulations
Gas Appliances (Safety) Regulations
Therefore:
Coexistence of standard and failsafe communication
Presenter: Chris Sistrunk
Why haven’t we seen more ICS-focused attacks? Perhaps it’s because we’re not looking for them. The current state of security in Industrial Control Systems is a widely publicized issue, but fixes to ICS security issues are long cycle, with some systems and devices that will unfortunately never have patches available.
In this environment, visibility into security threats to ICS is critical, and almost all of ICS monitoring has been focused on compliance, rather than looking for indicators/evidence of compromise. The non-intrusive nature of Network Security Monitoring (NSM) is a perfect fit for ICS. This presentation looks at using NSM as part of an incident response strategy in ICS, various options for implementing NSM, and some of the capabilities that NSM can bring to an ICS cyber security program.
Scada Industrial Control Systems Penetration Testing Yehia Mamdouh
Scada Industrial Control Systems Penetration Testing
Start from Types of Scada Networks, then Penetration testing, finally what Security should be follow
AMI architectural analysis, threat modelling and penetration test.
Definition of a threat model for AMI risks, in order to identify focus areas and prioritize detailed checks and eventually new countermeasures. Threat scenarios are: physical intrusion, hardware manipulation and firmware / software reversing, network intrusion etc.
The model considers business impact and threat likelihood, i.e. technical complexity, attacker skill level, etc.
Taking a closer look at level 0 and level 1 securityMatt Loong
Notwithstanding the importance of network monitoring in protecting industrial control systems, it is also important to understand the nuts and bolts of Level 0 and Level 1 devices to defend the system holistically. This presentation provides a brief introduction to process anomaly detection, which complements network anomaly detection.
In today’s connected world, cyber security is a topic that nobody can afford to ignore. In recent years the number and frequency of attacks on industrial devices and other critical infrastructure has risen dramatically. Recent news stories about hackers shutting down critical infrastructure have left many companies wondering if they are vulnerable to similar attacks. In this webinar we will discuss the most common security threats and unique challenges in securing industrial networks. We will introduce the current standards and share some useful resources and best practices for addressing industrial cyber security.
Key Takeaways:
1. Gain perspective regarding common security threats facing industrial networks.
2. Learn about the relevant standards governing industrial cyber security.
3. Increase understanding of some best practices for securing industrial networks.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
2. GENERAL INDUSTRIAL CONTROL SYSTEM (ICS)
■ Control Center Devices
Master Terminal Unit (MTU)/HMI Software/Data Historian
■ Remote Site Devices
Remote Terminal Unit (RTU)
Programmable Logic Controller (PLC)
Intelligent Electronic Device (IED)
3. ICS CHARACTERISTICS
■ Long operational life (10+ yrs)
■ Small to large geographic area
■ Highly complex and found everywhere
■ Field RTUs/PLCs are in the open, most are unprotected
■ Routable (TCP/IP)
■ Non-routable (serial) a.k.a. “legacy” equipment
Radio, leased line, dial-up, and multi-drop links
Low data throughput
Slow telemetry polling
Modbus, DNP3 protocols (MTU – RTU communications)
Difficult to add security to existing software
Little/no auditing, logging
4. FRONT DOOR ATTACK
A “front door” attack is via internet
– Attacks are often publicized
– Methods of attack are well-known and found in instructional materials, books & lectures
5. BACK DOOR ATTACK
What do we know about ICS serial communications?
– They use radio, leased line, dial-up, and/or multi-drop links
– They’re isolated, out in the open
– They’re unprotected
– They’re assumed safe because of a long-standing notion that’s based on security by obscurity:
Trusting that nobody will find out about the systems’ vulnerabilities
and those that do won’t exploit them!
6. SECURITY ISSUES…
…IN RELATION TO INSECURE LEGACY SYSTEMS
VULNERABILITIES
Use of dial up maintenance
port to diagnose, repair,
configure…
Use of single-frequency
licensed radios
No authentication or data
protection
THREAT
Attackers…
Motivation…
Obtaining back-door
access (eavesdropping,
data altering)
Is the threat real?
Is a back door attack
easy?
RISK
Risk = f (threat, vulnerability, cost)
Likelihood that a threat will exploit
a vulnerability that compromises
safety and availability
Cost = f (safety, availability)
Consequences: Liabilities,
financial loss, environmental,
public safety…
How much service would be lost and how vital is it?
7. BEFORE THE ATTACK
Attackers typically do three things before the attack:
“gather information”Reconnaissance
Scanning
Traffic Analysis
“discover vulnerabilities by passive listening”
“reverse engineer the protocol”
8. RECONNAISSANCE
Use Social Engineering
Victim is tricked into doing what attacker wants by intimidation,
helpfulness, name-dropping, technical assistance…
Caller ID spoofing (VOIP PBX, telespoof.com)
Experiment by Idaho National Lab (2008) found that 40% of employees provided
their passwords to a fake OpsCenter employee over the telephone
Miles McQueen. Human Vulnerabilities. ISRCS 2009: 2nd International Symposium on Resilient Control Systems
August 11 2009 https://secure.inl.gov/isrcs2009/docs/Tutorials/Session_3_McQueen.pdf
Search Publicly Available Information
Search engines (meta, deep web…) with key words
www.uwhois.com
Dumpster diving
Attacker Gathers As Much Information As Possible
10. SCANNING
Tools
War dialing software:
Freeware THC-Scan, RASUsers, TBA
Commercial PhoneSweep, TeleSweep
Unix PAW/PAWS, iWAR, THC-Scan NG, Telescan, ShokDial
Mac Assault Dialer
Upon active connection, the attacker can simply enter multiple returns, question marks, “Help” or “Hello” to
gain a login prompt and probe the connection further
Password cracking software:
Freeware/Open Source Cain & Abel, Dsniff, John the Ripper, Ophcrack
Commercial L0phtCrack, RainbowCrack, SAMInside
Default password list:
Search user manuals - may state no PWs are used and security is disabled!
Search online databases, e.g., Phenoelit hacking group (Germany) maintains a
database of default passwords www.phenoelit.de/dpl/dpl.html
Attacker Locates Systems and Discover Vulnerabilities
11. DEFAULT PASSWORD LIST
Vendor Model Version
Access
Type
Username Password Privileges Notes
3COM CoreBuilder 7000/6000/3500/2500 Telnet debug synnet
3COM CoreBuilder 7000/6000/3500/2500 Telnet tech tech
3COM HiPerARC v4.1.x Telnet adm (none)
3COM LANplex 2500 Telnet debug synnet
3COM LANplex 2500 Telnet tech tech
3COM LinkSwitch 2000/2700 Telnet tech tech
Huawei E960 admin admin Admin
3COM NetBuilder SNMP ILMI snmp-read
3COM Netbuilder Multi admin (none) Admin
3COM
Office Connect ISDN
Routers
5x0 Telnet n/a PASSWORD Admin
3COM SuperStack II Switch 2200 Telnet debug synnet
3COM SuperStack II Switch 2700 Telnet tech tech
3COM
OfficeConnect 812
ADSL
Multi adminttd adminttd Admin
3COM Wireless AP ANY Multi admin comcomcom Admin
Works on
all 3com
wireless
APs
12. SCANNING
Tools
Tapping:
Modem (FSK, PSK passive mode) – captures low baud data
CO Simulator – passes incoming calls & routes outgoing calls
Data Logger and GPRS cell modem – records/retrieves data
900MHz Radio Modem and Spectrum Analyzer – scans data
Radio Shack Mini Amplifier/Speaker – records DTMF
Attacker Locates Systems and Discovers Vulnerabilities
13. TRAFFIC ANALYSIS
Interpret SCADA clear data…
Consult user manuals and engineering support documents –
available and easily obtained
Attacker Reverse Engineers the Protocol
DNP3 [Header + Data] Max frame size: 292 bytes
Header = 0x05
1-byte
0x64
1-byte
Len
1-byte
Ctrl
1-byte
Dst
2-byte
Src
2-byte
CRC
2-byte
Modbus RTU Start
3.5 char time
Addr
1-byte
Func
1-byte
Data
0-252
CRC
2-byte
End
3.5 char time
Modbus ASCII Start
:
Addr
2-byte
Func
2-byte
Data
2x (0-252)
LRC
2-byte
End
CR LF
DNP3 has source and destination addresses that can be useful in Man-in-the-Middle attacks, such as:
Turn off unsolicited reporting to stifle specific alarms
Spoof unsolicited responses to the Master to falsify events and trick the operator into taking inappropriate actions
Issue unauthorized stops, restarts, or other functions that could disrupt specific operations
Modbus was designed to program controllers by sending Read and Write I/O registers commands, for example:
List defined points and their values
Request information about Modbus servers, PLC configurations…
Clear, erase, or reset diagnostic information
Force slave devices into “listen only” mode
14. COMMON TYPES OF ATTACK
Maintenance port
To install a malicious program
Denial of Service
To delay or block the flow of information
By physical destruction – but can be detected through fault-handling programs or CCTV
By radio jamming - no effective countermeasures exist!
(A cheap, limited range, jammer: cordless phone with modified oscillator + amplifier + coat
hanger)
Spoofing
To masquerade as another to initiate an unauthorized action
Replay
To record and retransmit valid data (manipulating time variable) to trigger
unpredictable results
Man-in-the-Middle (MITM)
To intercept, alter, and relay a communication message
A simple radio MITM can be setup by a combination of directional transmitter & jammer
15. RTU SPOOFING
Vulnerability Attack Attack Result
Master/slave cmd/rsp protocol
has no authentication
Slave has slow response time
Auto emergency shutdown
RTU spoofing: Send bogus status
before a valid RTU response, e.g.,
change threshold of safety parameters
Causes unpredictable outcome
leading to system disruption or
failure
17. MTU SPOOFING
Vulnerability Attack Attack Result
MTU has long polling
time, e.g., 2s x 100
devices
MTU spoofing: Send command to reprogram RTU,
e.g.,
• rhythmically turn on/off a high-voltage motor
• operate a valve hundreds of times per second
• premature shutdown of a process
• close a valve while pump is running
Causes system disruption
or failure
18. MTU SPOOFING EXAMPLE
Send periodically (if not sent as an automatic answer to a receive sequence)
Repeat sequence every 1 seconds
Attacker constructs a forged MTU command:
MTU → RTU → IED → Actuators
19. ATTACK TOOL: SIMULATOR SOFTWARE
Simulator software is downloadable from the web that can directly communicate
with protocols, such as DNP 3.0, Modbus, BACnet, LonWorks, and OPC
Modbus:
20. SECURITY ISSUES…
…IN RELATION TO INSECURE LEGACY SYSTEMS
VULNERABILITIES
Use of dial up maintenance
port to diagnose, repair,
configure…
Use of single-frequency
licensed radios
No authentication or data
protection
THREAT
Attackers…
Motivation…
Obtaining back-door
access (eavesdropping,
data altering)
Is the threat real?
Is a back door attack
easy?
RISK
Risk = f (threat, vulnerability, cost)
Likelihood that a threat will exploit
a vulnerability that compromises
safety and availability
Cost = f (safety, availability)
Consequences: Liabilities,
financial loss, environmental,
public safety…
The Threat is REAL.
A Back Door Attack is EASY.
Risk Management is
the NEXT STEP.
21. RISK MANAGEMENT OF LEGACY SYSTEMS
Taking Steps to Protect Assets
“Eliminate
back door”
(remove risk)
“Do nothing”
(accept risk and
budget for it)
“Take action”
(lessen the risk)
22. LEGACY RETROFIT ISSUES
Legacy Retrofit Issues What We Want
How do we plan for migration?
• To choose when & how much security to apply
• To have encrypted & clear communications on the same
channel
…Easy migration
Do we make changes to our ICS
software or equipment?
Not to change our existing ICS software or equipment
…Easy installation
Do we make changes to our
operational control?
Not to change our existing operational control
…Hassle-free
Will it impact performance?
Strong security without impacting performance
…No impact
Will it impact our existing
configuration?
Not to change our existing configuration
Should support the following:
• Modbus RTU/ASCII, DNP3
• Async 300 to 115200 bps
• Point-to-point and multi-drop
• Radio, dial-up, and leased line
…Flexibility
What encryption & authentication standard should we use?
23. IEEE 1711-2010 STANDARD
To Protect Against Eavesdropping, Message Replaying, and Data Altering
Began as AGA-12 in 2003
Originator: The American Gas Association (AGA)
Goal: To secure legacy serial communication links in SCADA systems
Key Players
• American Gas Association (AGA)
• Technical Support Working Group (TSWG) at Gas Technology Institute (GTI)
• American Water Works Association Research Foundation (AWWARF)
• The National Institute of Standards and Technology (NIST)
• U.S. Department of Energy (DOE)
• Idaho National Laboratories (INL)
• Sandia National Laboratories
• Pacific Northwest National Laboratory (PNNL)
• IEEE Power & Energy Society
• IEEE Committee: PE/SUB – Substations
Now the IEEE Approved Standard Related to Smart Grid*
IEEE 1711-2010
Trial Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links
* Applicable across industry sectors, e.g., electric, oil, gas, water, & chemical
24. STRONG SECURITY SOLUTION
Encryption
&
Authentication
Cipher suite 1: AES128 CTR-mode, HmacSHA1, with holdback
Cipher suite 2: AES128 PE-mode, HmacSHA1, no holdback
Cipher suite 3: Cleartext, SHA1, with holdback
Cipher suite 4: AES128 CTR-mode, HmacSHA256, with holdback
Cipher suite 5: AES128 PE-mode, HmacSHA256, no holdback
Cipher suite 6: Cleartext, SHA256, with holdback
Cipher suite 7: Cleartext, HmacSHA1, with holdback
Cipher suite 8: Cleartext, HmacSHA256, with holdback
Cipher suite 9: AES128 CBC-mode, HmacSHA1, with holdback
Cipher suite 10: AES128 CBC-mode, HmacSHA256, with holdback
Two-level keys:
• Pre-shared key
• Session key (always randomly generated)
Key
Management
25. EASY MIGRATION – ALL CLEAR
■ “Bump-in-the-wire” solution
Installed at Control Center
Set to pass-through all messages
26. EASY MIGRATION – CLEAR & ENCRYPTED
■ Mixed mode deployment
One encryption link at a time – while other links operate in the clear
27. EASY MIGRATION – ALL ENCRYPTED
■ Secure tunneling (IPSec-like)
Up to 65,533 tunnels
Each tunnel has its own Encryption Key and Authentication Key and
protects one or group of RTUs
28. EVERYBODY TALKS ABOUT…
1. …encryption delay!
What causes it?
– Block protocol encryption overhead: Header, Trailer, Message Authentication Code + Encryption processing
– The delay impact is greater for small messages
– To minimize delay:
1. You can select appropriate cipher suite, e.g., ENC, AUTH, holdback options, etc.
2. You can select a solution that has a hardware crypto engine (versus software encryption)
2. …key management!
What is the simplest and fastest way?
– Pre-shared key (used by IEEE 1711)
– IEEE 1711 employs additional security with two-layer keys
Layer 1: Pre-shared key (static)
Layer 2: Session keys (dynamic): Encryption key & Authentication key (both randomly generated)
– IEEE 1711 supports 65,533 uniquely shared keys
What is the disadvantage of a pre-shared key?
– Must agree on what the pre-shared key is before distributing it securely
Is there a better way other than pre-agreement of keys?
– Public Key Infrastructure (PKI)
Can PKI be used in SCADA?
– Yes, but it slows response time (computationally intensive, too much overhead over low bandwidth)
AND it’s expensive to implement
– Its peer-to-peer distribution makes it unsuitable for master/slave structure
– Could bring down the network when PKI Server is unavailable
29. LEGACY SYSTEMS GOING ETHERNET
■ The trend is to integrate serial SCADA protocols with
corporate network for effective management and real-time
business decisions
However:
Serial protocols remain insecure, lack authentication (they’re simply
wrapped inside TCP/IP packets!)
The backdoor risk is still there
TCP/IP has its own vulnerabilities (that are widely shared within the
computer underground!)
Numerous FREE scanning, vulnerability discovery, attack tools are available; see
Top 100 Network Security Tools: http://sectools.org/
Ex: nmap, TCPview, Nessus, Attacker Tool Kit (ATK), Sniffit, Netcat, Wireshark
32. IEEE 1711-2010 ENHANCEMENTS
Allows vendor-defined enhancements:
■ Management functions (e.g., audit logs, reports…)
■ P2P stream encryption: 8-Bit Cipher Feedback Mode
Advantage: 1-byte encryption delay AND protocol independent (Allen-Bradley DF-1, Bristol BSAP,
Fisher ROC & more)
■ Session key auto renewal
■ Secure Serial-over-Ethernet
■ Dial-up access control via session negotiation
■ Heartbeat “keepalive” from the Master to control how long the
secure link remains active before it is disabled (in the event the
remote device is stolen)
■ Interface to low-cost wireless (ZigBee® IEEE 802.15.4 )
34. DIAL-UP ACCESS CONTROL VIA SESSION NEGOTIATION
1. Receives an incoming call (RI toggle) and auto-answers (DCD active)
2. Transmits challenge data
3. Receives response data
4. If “failed” challenge, drop DTR
5. Modem disconnects call (DCD inactive)
Timing diagram for answering device:
35. VULNERABILITIES
Use of dial up maintenance
port to diagnose, repair,
configure…
Use of single-frequency
licensed radios
No authentication or data
protection
THREAT
Attackers…
Motivation…
Obtaining back-door
access (eavesdropping,
data altering)
Is the threat real?
Is a back door attack
easy?
RISK
Risk = f (threat, vulnerability, cost)
Likelihood that a threat will exploit
a vulnerability that compromises
safety and availability
Cost = f (safety, availability)
Consequences: Liabilities,
financial loss, environmental,
public safety…
CONCLUSION
Secure one link at a time with IEEE 1711
“Take Action”
36. 21 STEPS TO IMPROVE CYBER SECURITY OF SCADA NETWORKS
BY THE U.S. DEPARTMENT OF ENERGY
1. Identify all connections to SCADA networks
2. Disconnect unnecessary connections to the SCADA network
3. Evaluate and strengthen the security of any remaining connections to the SCADA network
4. Harden SCADA networks by removing or disabling unnecessary services
5. Do not rely on proprietary protocols to protect your system
6. Implement the security features provided by device and system vendors
7. Establish strong controls over any medium that is used as a backdoor into the
SCADA network
8. Implement internal and external intrusion detection systems and establish 24-hour-a-day incident monitoring
9. Perform technical audits of SCADA devices and networks, and any other connected networks, to identify security concerns
10. Conduct physical security surveys and assess all remote sites connected to the SCADA network to evaluate their security
11. Establish SCADA “Red Teams” to identify and evaluate possible attack scenarios
12. Clearly define cyber security roles, responsibilities, and authorities for managers, system administrators, and users
13. Document network architecture and identify systems that serve critical functions or contain sensitive information that require
additional levels of protection
14. Establish a rigorous, ongoing risk management process
15. Establish a network protection strategy based on the principle of defense-in-depth
16. Clearly identify cyber security requirements
17. Establish effective configuration management processes
18. Conduct routine self-assessments
19. Establish system backups and disaster recovery plans
20. Senior organizational leadership should establish expectations for cyber security performance and hold individuals accountable
for their performance
21. Establish policies and conduct training to minimize the likelihood that organizational personnel will inadvertently disclose
sensitive information regarding SCADA system design, operations, or security controls
Source: http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf
37. REFERENCES
Energy Sector Control Systems Working Group (ESCSWG). Roadmap to Achieve Energy Delivery Systems Cybersecurity.
September 2011. http://www.doe.gov/oe/downloads/roadmap-achieve-energy-delivery-systems-cybersecurity-2011
Idaho National Laboratory/DOE. Vulnerability Analysis of Energy Delivery Control Systems. September 2011.
http://www.doe.gov/oe/downloads/vulnerability-analysis-energy-delivery-control-systems
IEEE 1711-2010 Trial-Use Standard for a Cryptographic Protocol for Cyber Security of Substation Serial Links. September 2010.
http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=5562693
NIST Special Publication 800-39 Managing Information Security Risk: Organization, Mission, and Information System View.
March 2011. http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
NIST Special Publication 800-82 Guide to Industrial Control Systems (ICS) Security. June 2011.
http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
Scientific American Magazine. Hacking the Lights Out: The Computer Virus Threat to the Electrical Grid. July 2011.
http://www.scientificamerican.com/article.cfm?id=hacking-the-lights-out
38. THANK YOU
Tracy Amaio, Ph.D. teamaio@sequi.com
Tien Van tvan@sequi.com
Please feel free to send your comments or questions