This document discusses the challenges that critical infrastructure organizations face with the increasing adoption of internet of things (IoT) technologies. It notes that while IoT will dramatically increase the amount of data collected, organizations are already struggling to extract useful, timely information from their existing data. The mass expansion of endpoints and legacy systems introduces new vulnerabilities that could overwhelm operators during incidents. Regulatory requirements and outsourcing practices also increase compliance risks. However, new technologies may help address some issues if properly implemented. The document calls utilities to evaluate cybersecurity risks, test defenses, and learn from other sectors' experiences to help secure their operations in an evolving threat landscape.

1. IOActive, Inc. Copyright ©2017. All Rights Reserved.
Cybersecurity: Preparing for Persistent
Attacks from Foreign Governments; The
Internet of Things, and How it Plays as an
Additional Risk Factor
IOActive is the only global security
consultancy with a state-of-the-art
hardware lab and deep expertise
spanning hardware, software and
security services.
Bryan L Singer, CISSP, CAP
Kevin Murphy, CISSP, CISM, CGEIT
Jan 23, 2018

2. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Agenda (Interactive discussion-ask questions)
• The Curse of Too Much Data
• IoT Challenges: Legacy verses
Modernization
• Regulatory and Compliance Risk
• Some Positives and Opportunities
• Looking ahead…..
• Call to Action
• Questions?

3. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Why do we Care?
• Who would do that to us?
• Cyber threats and cyber-physical
threats are threats to grid reliability
• Complex legal environment**
resulting in increased costs, difficult
legal situations with limited
precedent, and regulatory actions
based on imprecise criteria.
• **IANL

4. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Drowning in Data, Starved for
Information
• Average plant is tens of thousands of data and
I/O points, IoT will increase that number
dramatically
• Aging workforce, and the loss of “tribal
knowledge”
• Replacing engineering knowledge with screen
knowledge
• We are creating a scenario in which we can
easily recreate an event that occurred, but real
time operations may be impeded due to
overwhelming the operator
• Key is relevant, timely, and ACTIONABLE
intelligence

5. IOActive, Inc. Copyright ©2018. All Rights Reserved.
When Information Overwhelms
• 1994 Texaco Refinery Explosion
• 2005 Texas City Refinery Explosion
• Aug 14, 2003 Northeast Power Outage
• Target Hack
• Equifax
• In all of these scenarios, the “data” was
there, but overwhelmed the operators
• Data good for incident recreation, not so
much for live response

6. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Technical Challenges to IoT
• Much of critical infrastructure is on non
Ethernet networking, and solidly on IPV4
• Massive data point expansion of IoT will
drive IPv6 to the plant floor faster than it
can be safely implemented
• This will result in “value add” hosted
cloud/fog services, but they may come at a
cost
• In utilities, the “last mile” data services goes
anywhere from 10gB fiber to 900mhz
wireless, to tin can and string – creates a
time of check/time of use issue

7. IOActive, Inc. Copyright ©2018. All Rights Reserved.
The IoT Push to Technology
• Usually represents a geometric expansion of
vulnerabilities in the near to mid-term
– AMI/Smart Metering – IOActive research into
worm-able attack surface
– ATM – Systemic weaknesses in ATM and
threats due to skimming, shimming, and
malware
– Financial/Bank mobile applications – IOActive
research in 2017 shows massive insecurity
– Web apps – rapid expansion and rise of XSS
– IoT – millions of devices, millions of weak
points?
http://blog.ioactive.com/
2014/01/personal-
banking-apps-leak-info-
through.html

8. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Case Study
• Smart Meter Provider provided their own “hosting”
solution that included the meters and tower devices,
and data services back to servers at respective utilities
• Private networking solution, but was integrated with
various utilities IP based networking solutions, and
relied upon trust and security of everyone involved
• Provided used Java JOSSO single sign on, allowing us
as attackers to gain access to one tower device, and
subsequently navigate to every other utility in the globe
on this supposedly “private” backbone

9. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Regulatory Pressure
• Who owns the “cloud,” and who owns the
“data?”
• NERC CIP 002-009
• Fine first, ask questions later
• Often called to defend utilities for
violations/failed audits
• Outsourced data, hosted infrastructure, and
third party value add services may pose
regulatory challenges for both safety and
cyber security.
• OSHA 1910.119 and Mechanical Integrity –
what if I don’t control all the data?
http://www.nerc.com/pa/c
omp/Pages/default.aspx

10. IOActive, Inc. Copyright ©2018. All Rights Reserved.
The IoT Data Paradox
• Leverage a military analogy of High
Value and High Payoff targets
• The more information we generate
about a system, the higher value it is
to us, and the attacker
• More data = High Value Target
• Less data = less attractive target, but
less capability

11. IOActive, Inc. Copyright ©2018. All Rights Reserved.
“But, we Don’t store Credit Cards in
Power Utilities”
• Attackers (eco-terrorists) on the east coast gained
access to environmental monitoring systems, and used
it in various attempts at legal action against the utility
• When they were unsuccessful, they distributed the data
to people living around the plant
• This resulted in the utility spending over $200k USD to
combat the public awareness problem created

12. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Some Positives and Opportunities
• Ebay recently was “exposed” in a data
breach. They used big data to prove that
the release of card data was false
• The new trend in data services more
closely matches the engineering talent and
skills emerging from schools today.
• Blockchain type technologies can enable
message authentication and traceability
previously not available

13. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Looking Ahead to Protect your Operation
• Learn from the attacks and response from other industries
• Add the risk of outage from a Cybersecurity attack to your
overall risk management plan
• Ask the tough security questions of your supply chain
• Have a vulnerability management program
– Patch mgmt. plan
– Vulnerability isolation for your SCADA systems that can’t be
patched
• Upgrade legacy systems that are vulnerable
• Regulation and Compliance can be your friend
– NIST Cyber Security Framework is “real” security

14. IOActive, Inc. Copyright ©2018. All Rights Reserved.
NIST Cyber Security Framework

15. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Cyber Security Framework Scorecard
KPIs
Top 5 Risks

16. IOActive, Inc. Copyright ©2018. All Rights Reserved.
Call to Action:
• Add Cybersecurity Risks to the Board of Director’s Risk
Score Card. (That’s how you get budget.)
• Evaluate your threat models with the latest attack vectors
• Know your perimeter and endpoints
• Test your BCM plans
• Red team your network and your IdM systems
• Learn from other industries as they might get hit before
yours.

17. IOActive, Inc. Copyright ©2017. All Rights Reserved.
17
Email:
Bryan.Singer@IOActive.com
Kevin.murphy@ioactive.com
Thank You