Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
•Download as PPTX, PDF•
0 likes•781 views
In this presentation, FireEye's Allison Wong discusses the fundamentals of industrial cybersecurity and the evolving threat environment, while offering practical advice to protect industrial control systems, endpoints and networks.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
Similar to Overload: Critical Lessons from 15 Years of ICS Vulnerabilities (20)
More from Tripwire
More from Tripwire (20)
Recently uploaded
Recently uploaded (20)
Overload: Critical Lessons from 15 Years of ICS Vulnerabilities
- 1. © 2013 Belden Inc. | belden.com | @BeldenInc 1Copyright © FireEye, Inc. All rights reserved.1 OVERLOAD CRITICAL LESSONS FROM 15 YEARS OF ICS VULNERABILITIES Presented by Allison Wong CISSP
- 2. © 2013 Belden Inc. | belden.com | @BeldenInc 7 • Security governance often not clear • Differing priorities − Physics vs Information − Reliability and predictability vs C-I-A − Safety vs Intellectual Property • Core technology challenges − No security visibility − Unauthenticated protocols − Unauthenticated firmware loads − Unauthenticated control logic Industrial Environments Face Unique Security Challenges Must maintain uptime of industrial processes being controlled Balance priorities 2 Must bring IT-OT together Complete 1 Must meet real challenges Practical 3
- 3. © 2013 Belden Inc. | belden.com | @BeldenInc 8 Industrial Security Incident Types • Misconfigurations – network, control logic • Lack of process visibility –sensor failure, alarm overload • Unintentional propagation of malware – USB, email, Web • Malicious Insiders – disgruntled or compromise employees/contractors • Intentional outside attack – Enthusiasts, Hacktivists, Competitors, Criminals, Nation- states
- 4. © 2013 Belden Inc. | belden.com | @BeldenInc 9 • Oil pipeline shut down for 6 hours after software is accidently uploaded to a PLC on the plant network instead of test network • 13 auto assembly plants were shut down by a simple Internet worm; 50,000 workers stop work for 1 hour while malware removed • Operators at a major USA nuclear power plant forced to “scram” the reactor after cooling drive controllers crashed due to “excessive network traffic” Financial Implications It’s the plant that makes the money
- 5. © 2013 Belden Inc. | belden.com | @BeldenInc 10 Common Mistakes and Misconfigurations Recent Mandiant ICS Healthchecks uncovered • Unpatched or misconfigured firewalls • BYOD/Guest Wi-Fi network with route to ICS zone • Evidence of web browsing in ICS zone • Unexplained Internet-bound requests • Traffic direct from business network to ICS zone • Limited segmentation between ICS zones
- 6. © 2013 Belden Inc. | belden.com | @BeldenInc 11 FireEye iSIGHT Intelligence
- 7. © 2013 Belden Inc. | belden.com | @BeldenInc 12 Intelligence Cycle 1. Identify Intelligence Requirements 2. Collect/Research 3. Analyze 4. Disseminate
- 8. © 2013 Belden Inc. | belden.com | @BeldenInc 13 ICS Threat History Timeline 2003: 1st SCADA security presentation at hacker conference 2004: 1st PLC vulnerability disclosures 2009: 1st verified ICS-specific malware (Stuxnet) 2012: Actors reconnoitering for SCADA – get *SCAD*.* 2012: 1st major ICS vendor compromise (Telvent) 2013: Reconnaissance of ICS ports/protocols (Shodan/others scanning) 2014: Malware enumeration of ICS – reading OPC tags (Koala) 2014: Targeting ICS engineers/integrators via watering holes (Koala) 2014: Exploitation of HMI vulnerabilities (Sandworm/GE reports) 2015: Actor selling access to compromised ICS 2015: Attacks with kinetic consequence (Sandworm/Ukraine utilities) Theoretical Actual
- 9. © 2013 Belden Inc. | belden.com | @BeldenInc 14 14 Overall increasing trend in ICS-specific vulnerability disclosures In 2015 we identified 371 disclosures. As of April 2016, we are tracking nearly 1600. Two large disclosures in 2015 August • 56 vulnerabilities in OSIsoft Data Archive September • 36 vulnerabilities in Yokogawa products 0 50 100 150 200 250 300 350 400 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
- 10. © 2013 Belden Inc. | belden.com | @BeldenInc 15 15 Espionage Activity During Q1 2016 we reported on 10 espionage actors from various geographies.
- 11. © 2013 Belden Inc. | belden.com | @BeldenInc 16 16 Activity Sample: Sandworm Team in Ukraine Sandworm team demonstrated moderate capability to attack industrial processes • First power outages recognized from intentional cyber attack • Disparate regions, separate companies • At least 57 substations, 339 towns and villages, 225,000 total customers
- 12. © 2013 Belden Inc. | belden.com | @BeldenInc 17 • Cyber Caliphate Army's claimed attack on surveillance cameras had the highest potential consequence. • The physical attacks at the Brussels airport and metro station in March lend additional credibility to such a scenario. 17 2016 Q1 Hacktivist Activity
- 13. © 2013 Belden Inc. | belden.com | @BeldenInc 18 • At organizations that operate ICS • Ransomware Masquerades as Allen-Bradley File • Cerber, Cryptowall, TorrentLocker, TeslaCrypt • “Stampado” ransomware offered inexpensively • FireEye Horizons: Nations Adopting Cyber Crime Extortion Tools for Compellence 18 Ransomware Activity Rising trend
- 14. © 2013 Belden Inc. | belden.com | @BeldenInc 19 • Researcher Details Vibration Attacks Against Industrial Facilities • Simple to Exploit Vulnerability in Schneider Electric Modicon PLCs Leads to Loss of Process Control • Default ICS Password List Marginally Increases Ease of Attack 19 2016 ICS Attack Research
- 15. © 2013 Belden Inc. | belden.com | @BeldenInc 20 • US Planned Cyber Attacks on Iranian Infrastructure • 'Intranet Framework' Seeks to Sell Remote Access to SCADA Systems • Actor Seeks Exploit for Rockwell Automation Software and Controllers 20 2016 ICS Threat Developments
- 16. © 2013 Belden Inc. | belden.com | @BeldenInc 21 • CPNI Releases Guidance for Improving Security in the Built Environment • Researcher Proposes ICS Patching Strategy • New Books Highlight ICS Defensive Strategies • FDA Releases Draft Guidance Focusing on Cyber Security in Postmarket Medical Devices 21 2016 ICS Defense Developments
- 17. © 2013 Belden Inc. | belden.com | @BeldenInc 22 • Get a plan and program for ICS security − Merge IT - OT governance efforts − Experts to assess and recommend • Inventory your control systems − Software − Controllers − Function/impact • Segment your network − Review firewall placement and rules − Review router configurations Lessons Learned? Reducing Your Risk Must maintain uptime of industrial processes being controlled Balance priorities 2 Must bring IT-OT together Complete 1 Must meet real challenges Practical 3
- 18. © 2013 Belden Inc. | belden.com | @BeldenInc 23 Simplified Purdue Model / ISA Reference Architecture L0L1L2L3L4
- 19. © 2013 Belden Inc. | belden.com | @BeldenInc 24
- 20. © 2013 Belden Inc. | belden.com | @BeldenInc 25 Tripwire Enterprise and FireEye AX
- 21. © 2013 Belden Inc. | belden.com | @BeldenInc 26 FireEye/Mandiant’s ICS Healthcheck Assessment Process: Activity 1: Architecture Workshops • Speak with plant Mgmt/Staff to gain an understanding of the ICS network • Draw a network diagram of the ICS • Overlay potential cyber security threats and attacks on the diagram Activity 2: Firewall configuration review • Obtain configurations of firewalls and switches at the site and go line by line • Perform automated and manual analysis on the configurations to look for security misconfigurations and flaws Activity 3: Analyze network traffic with FireEye PX • Collect full packet capture and flow data from ICS network (usually from site’s main switch) • Look for anomalous or undesirable connectivity to internet or business network Activity 4: Analyze log data with FireEye Threat Analytics Platform (TAP) • Collect any relevant log sources from the ICS environment (examples: VPN, Authentication, Firewall, Syslog, Windows Events) • Apply intelligence, rules, analytics, and frequency analysis to identify malicious or anomalous activity
- 22. © 2013 Belden Inc. | belden.com | @BeldenInc 27 Joint Customer Benefit Examples • Integration of Industry specific Threat Intel with ISIGHT and contextualization of logs from Belden industrial technology in TAP • Tripwire customers can integrate with MVX/AX • Hunt for IOCs across IT and ICS environments Belden ICS industrial cyber security and networking equipment • Tofino • GarrettCom • Hirschmann • Tripwire +Several other leading brands in the area of industrial networking and signal transmission equipment. FireEye Threat Intelligence Portfolio • FireEye’s Threat Intelligence • Mandiant services • iSight’s ICS expertise 27
- 23. © 2013 Belden Inc. | belden.com | @BeldenInc 28 Question & Answer Time
- 24. © 2013 Belden Belden.com | @BeldenInc
Editor's Notes
- Let me lay out a few things that are important to consider when you look at how you can protect your ICS environment: First – look for practical solutions. If you can not clearly see the actionable information you will get out of a system that will give you meaningful results, its not likely you are going to get real value out of it. Second – look for people, tools, and processes that understand the ICS environment, and the priorities of safety and reliability, above all else. Look for solutions that are established and proven to be non-disruptive. If you are on the IT side, before you start trying to educate your OT counter-parts about what it is they could or should be doing about security, start by spending time learning from them about what is important – and learn about how they have been able to operate systems with uptime and reliability levels that are frankly unheard of in the IT world. Third – we know this convergence between IT and OT is happening, so look for ways you can bring these two together. If you are coming from the OT side, think about what is it the IT security team needs from you, and if you are on the IT side, keep in mind the OT priorities and how you can layer security on without compromising those goals.
- For the purposes of our talk today and given our industrial audience, we’ll focus on outsider attacks, malicious insiders and insider errors because these are the top categories of concern we see most within our customer base.
- The point of this timeline is that it illustrates a continuum and where we are now is the requirement to address the very real physical implications of a cyber threat no matter what the source
- Create and maintain an accurate inventory of their industrial control systems Obtain structured vulnerability and patch feeds that cover a wide variety of sources Match asset inventories against vulnerability disclosures and patch announcements Track vulnerable and unpatched products currently used in their industrial environments Prioritize vulnerability remediation efforts by considering: ICS architecture location, simplicity of exploitation and possible impact on the controlled industrial process
- During Q1 2016, iSIGHT Partners continued to observe cyber espionage activity targeting a variety of entities within various critical infrastructure sectors. When compared with previous quarters, Q1 shows no discernable trends, indicating instead that cyber espionage actors from around the world are interested in firms that operate critical infrastructure also throughout the world.
- The most interesting activity was the Sandworm Team operating in Ukraine. We observed that power outages were caused by direct interaction with utility HMI software. The attackers demonstrated advanced planning and moderate process attack capability. Lacking security controls, including poor network segmentation, facilitated the outages. We believe other electricity distribution providers throughout the world are similarly vulnerable.
- Of the hacktivist items identified in Q1, the Cyber Caliphate Army's attack on surveillance cameras had the highest potential consequence. One can envision a cyber attack to shut down video surveillance systems with a simultaneous physical attack on the facilities. The physical attacks at the Brussels airport and metro station on March 22, 2016 lend additional credibility to such a scenario. We suggest that security forces serving high traffic areas examine the cyber security of their video surveillance systems and create contingency plans should those systems be unavailable.
- Image at right is a Schneider Electric Atlivar variable frequency drive (VFD). Reid Wightman described using unauthenticated ICS protocols to discover, then overwrite “skip” frequencies, potentially causing dangerous vibrations at an industrial facility.
- Image at right is a 25 horse power boiler control system that the actor “intranet framework” offered for sale at 1,000 USD in an underground forum. We are uncertain what process the boiler is part of. It is the second time we have seen an actor selling VNC access to SCADA systems. Both HMI screens he shared as examples were in French.
- Image at right is of CPNI’s guidance to secure building automation systems. It is by far the most comprehensive guidance we have observed to date for dealing with these widely-deployed, yet often-overlooked cyber-physical systems.
- Explain This is a reference architecture produced by academics at Purdue University, and adopted by the International Society of Automation (ISA) The entire purpose of industrial automation and control systems is to remove humans from the loop. Program the logic into the machines so people don’t have to be at each location taking measurements and making adjustments. Sensors and actuators operate at Level 0. Sensors measure things in the physical world; such as flow, temperature, pressure, level. Actuators move. Things like valves and connect/disconnect switches for motors They are wired into the controller They are generally not TCP/IP enabled, but this is changing Controllers are programmable devices found at Level 1 The programming specifies how the actuators move when the sensors provide certain readings. They can also include Variable Frequency Drives and Protective Relays Many of these are TCP/IP enabled Level 2 includes more standard computing and networking technology The SCADA stands for supervisory control and data acquisition. Supervisory means that it allows a human operator, normally seated at a human-machine interface screen to identify abnormalities (normally by viewing alarms that pop up on the screen), and step in and issue remote commands to the system. If a process loses SCADA, nothing is going to happen, at least for a while. The logic exists in the controllers themselves to regulate the process. The job of process operators has been described as 90% intense boredom, and 10% sheer panic. The engineering workstation is used to program the control logic. You can think of this as a software development environment. Instead of languages such as python, C, and VisualBasic, the languages used are called “ladder logic”, “Fuction block” and “structured text”. This machine would normally have the ability to talk to any PLC on the network to push new logic This layer also includes database technology called a process historian. The historian catalogs readings from the sensors and positions of the actuators to make available in other applications, such as predictive maintenance and process optimization efforts. The historian records data that is not displayed to the operator. Ideally the SCADA network is segmented from the business network by a dual firewall DMZ. This facilitates firewall management, while limiting ingress and egress.
- Leveraging FireEye ISIGHT Threat Intelligence and FireEye AX Advanced Malware analysis integrated with Tripwire Enterprise and the FireEye Threat Prevention Platform we are able to uniquely able to address threats to both IT and OT networks by bringing together Intel, detection, and prevention.