IBM Cyber Security Story - Smart Grid Research Consortium


Cyber Security:
How Serious is the Threat?
Evaluating the Business Case for Smart Grid Investments
October 20-21 2011, Rosen Shingle Creek Resort, Orlando, FL
Peter Allor, [email protected]
Senior Cyber Security Strategist
v1.08
© 2011 IBM Corporation
Security is becoming a board room discussion

Drivers: business results, brand image, supply chain, legal exposure, impact of hacktivism, audit risk

• Sony estimates potential $1B long term impact – $171M / 100 customers
• HSBC data breach discloses 24K private banking customers
• Epsilon breach impacts 100 national brands
• TJX estimates $150M class action settlement in release of credit / debit card info
• LulzSec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
• Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

An organization’s attack surface grows rapidly, increasing security complexity and management concerns

People: employees, consultants, hackers, terrorists, outsourcers, customers, suppliers
Data: structured, unstructured, at rest, in motion
Applications: systems applications, Web applications, Web 2.0, mobile apps
Infrastructure

• 77% of firms feel cyber-attacks are harder to detect, and 34% have low confidence in their ability to prevent them
• 75% felt effectiveness would increase with end-to-end solutions
Source: Ponemon Institute, June 2011

End to End Security in Utilities

Diagram of security concerns across the utility (headings: AMI & HAN security, SCADA security, physical security; not all intersections shown): asset & config mgmt; firmware updates; confidentiality, integrity & availability; meter theft; critical asset discovery & identification; key management; meter data validity; meter availability; accurate billing; prevent HAN devices from attacking grid; AMI malware, cyber attacks; context sensitive access control; service availability & performance mgmt; incident mgmt; meter reliability; secure communication links; reliable communication; confidentiality of customer personal information; securely manage peak demand; protect sensitive assets; unauthorized meter disconnects/connects; SCADA security; data center network, system, application, data security; operations & processes; employee background checks; prevent power pilferage; SCADA network security; regulatory compliance; generating, trans & dist network; prevent accidents; prevent physical abuse of assets; remote substation video surveillance.

Energy & Utility Potential Problem Areas

• Increased internal, industry, and government security policies, standards, and regulations
• Varied locations & sources of identity information (native systems)
• Challenges and risks inherent in next generation intelligent networks
• Protect security and privacy of critical assets
• Regulatory requirements
– FERC
– NERC
– SOX
• An increased number of end users and devices accessing your networks, applications, and data
• Unauthorized/undetected use of applications & systems
• Improve operational efficiency – manage costs
• Threats of viruses, worms, and Internet attacks
• Logical and physical integration requirements

Evolving Threats – Highlights for 2011 X-Force Mid-Year

• An explosion of breaches has opened 2011, marking this year as “The Year of the Security Breach.”
• A secure Web presence has become the Achilles heel of corporate IT security
• IBM’s Rational Application Security Group research tested 678 sites (Fortune 500) – 40% contained client-side vulnerabilities
• Mass endpoint exploitation is happening not only through browser vulnerabilities, but also through malicious movies and documents
• IBM Managed Security Services show the favorite attacker methods are SQL injection, and the brute forcing of passwords, databases, and Windows shares

Decline in web vulnerabilities (chart)

• Total number of vulnerabilities declined – but it’s cyclical
• The decline is in web application vulnerabilities

Patching improvement (chart)

• Significant improvement in unpatched vulnerabilities
• The share of disclosed vulnerabilities left unpatched hasn’t dropped below 44% in over five years

Multi-media & doc vulnerabilities increase (chart)

• Significant increases in both categories
• Attackers have zeroed in on software that consumers are running regardless of the browser
• Recent efforts to sandbox these applications are not perfect

Mobile OS exploits projected to double (chart)

• Continued interest in mobile vulnerabilities as enterprise users bring smartphones and tablets into the workplace
• Attackers finally warming to the opportunities these devices represent

2011: The Year of the Security Breach

• Litany of significant, widely reported breaches in the first half
– Most victims presumed operationally competent
• Boundaries of infrastructure are being extended and obliterated
– Cloud, mobility, social business, big data, more
• Attacks are getting more and more sophisticated.

Who is attacking our networks? (chart slides)

Highest volume signatures (chart)

New exploit packs show up all the time (chart)

Zeus Crimeware Service

“Hosting costs $50 for 3 months. This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit”
We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary.

Hacktivists are politically motivated

Lulz Security logo: "The world's leaders in high-quality entertainment at your expense."

Photo: a member of Anonymous at the Occupy Wall Street protest in New York*

One self-description is: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”**

*Source: David Shankbone
**Source: Yale Law and Technology, November 9, 2009

Anonymous proxies on the rise (chart)

• About 4 times the amount from 3 years ago
• Some used to hide attacks, some used to evade censorship

Advanced Persistent Threat

• Example of e-mail with malicious PDF (screenshot)

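The malicious-PDF attachment on this slide and the "malicious movies and documents" / "multi-media & doc vulnerabilities" points earlier are the same vector. The following is an added example, not from the deck: a static triage pass a mail gateway or analyst can run over the raw bytes of an attachment before anyone opens it. It looks for the PDF name objects that document exploits rely on (JavaScript, actions that fire on open, launch actions, embedded files) and first decodes PDF's legal `#xx` name escapes, because `/J#61vaScript` is a standard trick for slipping past keyword-only scanners. The two sample files are constructed minimal PDFs, not real malware; the `app.launchURL` string is just a placeholder payload.

```python
import re

# PDF name objects whose presence in an e-mail attachment warrants a closer
# look. Dictionary order is the order they are reported in.
RISKY_NAMES = {
    "/JavaScript": "embedded JavaScript",
    "/JS": "JavaScript action body",
    "/OpenAction": "action triggered when the document opens",
    "/AA": "additional (automatic) actions on page/annotation events",
    "/Launch": "launches an external program",
    "/EmbeddedFile": "embedded file attachment",
    "/RichMedia": "Flash or other rich media",
}

# Constructed samples (not real malware): a minimal PDF whose catalog runs a
# JavaScript action on open, with the action name hex-obfuscated, and a benign one.
MALICIOUS_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.launchURL('http://example.invalid/')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names so /J#61vaScript becomes /JavaScript.
    Attackers use this legal encoding to evade keyword-only scanners."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def triage_pdf(data: bytes) -> dict:
    """Return {risky name: occurrence count} for the names found in the file."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: missing %PDF- header")
    norm = normalise_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # The negative look-ahead stops /JS from matching inside longer names.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z])"
        count = len(re.findall(pattern, norm))
        if count:
            hits[name] = count
    return hits

def is_suspicious(data: bytes) -> bool:
    """JavaScript plus an automatic trigger is the classic drive-by layout;
    a /Launch action or an embedded file alone is enough to route to a sandbox."""
    hits = triage_pdf(data)
    auto_trigger = bool({"/OpenAction", "/AA"} & hits.keys())
    has_js = bool({"/JavaScript", "/JS"} & hits.keys())
    drops_payload = bool({"/Launch", "/EmbeddedFile"} & hits.keys())
    return (auto_trigger and has_js) or drops_payload
```

This is a triage filter, not a verdict: benign forms use `/JS` and `/AA` too, so the output is a reason to detonate the file in a sandbox, and streams compressed with `/FlateDecode` still need to be inflated before the same scan is useful on their contents.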
Internet Intelligence Collection

– Scan the corporate website, Google, and Google News
• Who works there? What are their titles?
• Write index cards with names and titles
– Search for LinkedIn, Facebook, and Twitter profiles
• Who do these people work with?
• Fill in blanks in the org chart
– Who works with the information we’d like to target?
• What is their reporting structure?
• Who are their friends?
• What are they interested in?
• What is their email address? At work? Personal email?

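The collection steps above end with the two questions that make a targeted mail possible: who reports to whom, and what is the address. As an added example that is not part of the deck, the code below does the last two steps over the "index cards": it builds the reporting chart and infers the corporate address convention from the few addresses that are confirmed (a press release, a conference bio), then fills in the rest. Every name, title and address is constructed; `example.com` is a placeholder domain; the example assumes the target uses one consistent address format, which is exactly what the inference relies on and why it returns nothing when the known addresses disagree.

```python
from collections import defaultdict

# Constructed "index cards" (not real people): what an attacker has after the
# website/LinkedIn pass. Only two addresses are confirmed; the rest are blank.
PROFILES = [
    {"name": "Jane Doe", "title": "Chief Information Officer",
     "reports_to": None, "email": "jane.doe@example.com"},
    {"name": "Robert Smith", "title": "Director, Grid Operations",
     "reports_to": "Jane Doe", "email": None},
    {"name": "Maria Garcia", "title": "SCADA Engineer",
     "reports_to": "Robert Smith", "email": "maria.garcia@example.com"},
    {"name": "Li Wei", "title": "Meter Data Analyst",
     "reports_to": "Robert Smith", "email": None},
]

# Common corporate address conventions, as functions of (first, last).
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "last.first": lambda f, l: f"{l}.{f}",
}

def split_name(name: str):
    parts = name.lower().split()
    return parts[0], parts[-1]

def infer_pattern(profiles):
    """Return (pattern name, domain) consistent with every confirmed address,
    or None if they disagree (mixed legacy formats) or none are known."""
    known = [p for p in profiles if p["email"]]
    if not known:
        return None
    domains = {p["email"].split("@")[1] for p in known}
    if len(domains) != 1:
        return None
    domain = domains.pop()
    for pname, fn in PATTERNS.items():
        if all(fn(*split_name(p["name"])) == p["email"].split("@")[0] for p in known):
            return pname, domain
    return None

def guess_emails(profiles) -> dict:
    """Fill in the blank cards using the inferred convention."""
    inferred = infer_pattern(profiles)
    if inferred is None:
        return {}
    pname, domain = inferred
    fn = PATTERNS[pname]
    return {p["name"]: f"{fn(*split_name(p['name']))}@{domain}"
            for p in profiles if not p["email"]}

def org_chart(profiles) -> dict:
    """Manager -> direct reports: the 'fill in the org chart' step."""
    chart = defaultdict(list)
    for p in profiles:
        if p["reports_to"]:
            chart[p["reports_to"]].append(p["name"])
    return dict(chart)
```

The defensive reading of the same code: if two confirmed addresses are enough to reconstruct every mailbox in the company, then the address format is not a secret, and the controls that matter are the ones on the receiving side (attachment triage, sender authentication, user reporting), not obscurity.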
Points of Access for Vulnerabilities

• Regulators
• Industrial Control System Vendors (SCADA)
• Software (Operating Systems and Applications) Vendor Vulnerabilities
• Security patches break product certification
• Operator control via remote access (modem and TCP/IP) for maintenance and/or multiple site readiness
• Any interface (SW to SW or system to system) is a prime target

Security for Industrial Control Systems (SCADA)
- ICS Security based on IEC 62443

Diagram (security controls divided into physical security controls and cyber security controls): air-gap networks, apps and control data with firewalls, proxies

Which Operational Technology (OT) systems are we talking about?

Control Systems: Past & Present
– Field sensors
– IEDs
– T&D control systems (SCADA)
– Energy Management Systems (EMS)
– Distribution Management Systems (DMS)
– Outage Management Systems (OMS)
– Demand Response Systems
– Smart Grid Communications equipment (SCADA)
– Meter Data Management Systems (MDMS)
– Asset Management (e.g., Maximo)
– Ops Centers (e.g., NOCs, SOCs)
– DCS and PLC systems in generating plants

A TCP/IP Enabled World

• Process Control Systems (PCS) migrating to TCP/IP networks
• SCADA and DCS typically rely upon “wrapped” protocols
– Analog control and reporting protocols embedded in digital protocols
– Encryption and command integrity limitations
– Poor selection of TCP/IP protocols
• Problems with patching embedded operating systems
– Controllers typically running outdated OSs
– Security patches and updates not applied
– Difficulty patching the controllers

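What "command integrity limitations" means in practice, as an added example that is not from the deck. The slide names no particular protocol; Modbus/TCP is assumed here as a representative wrapped protocol (a serial register-read/write protocol carried in a 7-byte MBAP header over TCP port 502). Nothing in the frame identifies or authenticates the sender, so a coil-write from the engineering workstation and one from a compromised desktop are byte-for-byte identical apart from the transaction counter. The only wire-level control left is therefore who is allowed to send which function codes, which is what the audit below checks. Addresses, the allowlist and the captured frames are constructed.

```python
import struct

# Function codes that change controller state. Nothing in the frame
# authenticates who sent them.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    8: "Diagnostics (can force listen-only mode or a restart)",
}

def build_frame(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP request into its fields, rejecting malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def audit_writes(captures, allowed_writers):
    """captures: iterable of (source_ip, frame). Flags state-changing requests
    from any host outside the engineering-workstation allowlist, plus frames
    that do not parse (a common sign of fuzzing or a misbehaving tool)."""
    alerts = []
    for src, frame in captures:
        try:
            msg = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, f"malformed frame: {err}"))
            continue
        name = WRITE_FUNCTIONS.get(msg["function"])
        if name and src not in allowed_writers:
            alerts.append((src, f"{name} (fc {msg['function']}) to unit {msg['unit']}"))
    return alerts

# Constructed capture (assumed addresses): an HMI reading registers, the
# engineering workstation forcing a coil, an unknown host sending the very
# same command, and a truncated frame from that host.
ALLOWED_WRITERS = {"10.0.1.20"}
CAPTURES = [
    ("10.0.1.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),      # read 10 holding registers
    ("10.0.1.20", build_frame(2, 1, 5, struct.pack(">HH", 1, 0xFF00))),  # coil 1 ON, engineering
    ("10.0.5.77", build_frame(3, 1, 5, struct.pack(">HH", 1, 0xFF00))),  # same command, unknown host
    ("10.0.5.77", b"\x00\x04\x00\x00\x00\x02\x01"),                      # 7 bytes, no function code
]

def sample_alerts():
    return audit_writes(CAPTURES, ALLOWED_WRITERS)
```

The source-address allowlist is a weak control (addresses are spoofable and a compromised engineering workstation is inside it), which is the point: without a protocol that carries authentication and integrity, detection has to rest on network segmentation and on baselining which hosts ever issue writes.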
Miniaturization and Bridging Networks

• Professional attack tools are small enough to fit on a standard smartphone
• Designed to “audit” and exploit discovered vulnerabilities (image: handheld hacking devices)
• Wireless or wired attacks, and remote control
• Smartphones also targeted
– Contact info.
– Bridge to network

Bridging Networks

• Softest targets appear to be the control centers
– Greatest use of “PC” systems
– Frequent external connectivity
– Entry-point to critical plant systems
• Bridging control centers and the plant operational framework
– Network connectivity for ease of operational control
– Reliance on malware to proxy remote attacks

Proliferation of Networked Devices

• Switch from analog to digital controls (diagram: from analog to digital, plus networked; wireless integration)
• Incorporation of network standards
– TCP/IP communications
– Wireless communications
• Replacement SKU parts include new features “free”
– Additional features may be “on” by default
– May be turned on by engineers

Wireless RF / WiFi Attacks

• Increased use of wireless technologies
• Large security research focus
– Common topic/stream at hacking conferences
• Packet radio software
– New tools and software to attack & eavesdrop on any RF transmission
– Community-based sharing of findings
• Tools and guides on long-range interception of wireless technologies
Image: a 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles

ICS versus IT and Security

Industrial Control Systems (ICS)                             | IT Systems
-------------------------------------------------------------|-----------------------------------------------------
Protects the ability to operate safely and securely          | Protects the data on the client and in transit
The end user is a computer                                   | The end user is a human
A decentralized system to ensure availability / reliability  | A centralized system to achieve economy of scale
Remote access is available to field devices                  | Limited remote access
Source code is often sold with the system                    | Source code is limited and protected
Long life cycles                                             | Relatively short life cycles
Not patchable                                                | Patchable

Finding Holes

• Penetration Testing (remote) and Security Assessment (local)
• National and International
• 15-20 unique security assessments in the last 5 yrs

America’s Hackable Backbone
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.
"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"
Forbes, August 22nd 2007

Common Security Assessment Findings

• Weak protocols leave systems vulnerable
• PCS networks lack overall segmentation
• PCS networks lack antivirus protection
• Standard operating systems leave the device open to well known security vulnerabilities
• Most IP-based communications within the PCS network are not encrypted
• Most PCS systems have limited-to-no logging enabled
• Many organizations still rely heavily on physical security measures

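Two of these findings (no overall segmentation, unencrypted IP communications) are what the IEC 62443 zone-and-conduit model from the "Security for Industrial Control Systems" slide is meant to address. As an added example that is not from the deck, the check below takes a zone model (which subnets form the enterprise, DMZ, control and field zones), the conduits permitted between them, and a list of observed flows from NetFlow or a capture, and reports flows that cross between zones with no defined conduit, use a port the conduit does not allow, or carry a cleartext protocol across a zone boundary. Zone names, address ranges, conduit rules and the flow records are all constructed.

```python
import ipaddress

# Constructed zone model (addresses assumed).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":        ipaddress.ip_network("10.2.0.0/24"),
    "control":    ipaddress.ip_network("10.3.0.0/24"),
    "field":      ipaddress.ip_network("10.4.0.0/24"),
}

# Conduits: (source zone, destination zone) -> permitted destination ports.
# Traffic between two zones with no conduit is a segmentation violation.
CONDUITS = {
    ("enterprise", "dmz"): {443},         # historian web front end
    ("dmz", "control"):    {443, 5900},   # replication, jump host
    ("control", "field"):  {502, 20000},  # Modbus/TCP, DNP3
}

CLEARTEXT_PORTS = {23: "telnet", 80: "http", 502: "modbus", 5900: "vnc", 20000: "dnp3"}

def zone_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def check_flow(src: str, dst: str, dport: int) -> list:
    """Findings for one observed flow; an empty list means the flow stays
    inside a zone, or uses a permitted conduit with an encrypted protocol."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return [f"{src}->{dst}:{dport} touches an address outside every defined zone"]
    if src_zone == dst_zone:
        return []
    findings = []
    permitted = CONDUITS.get((src_zone, dst_zone))
    if permitted is None:
        findings.append(f"no conduit {src_zone}->{dst_zone}: segmentation bypassed")
    elif dport not in permitted:
        findings.append(f"port {dport} not permitted on conduit {src_zone}->{dst_zone}")
    if dport in CLEARTEXT_PORTS:
        findings.append(f"{CLEARTEXT_PORTS[dport]} crosses {src_zone}->{dst_zone} unencrypted")
    return findings

def audit_flows(flows) -> dict:
    """flows: iterable of (src, dst, dport). Returns only flows with findings."""
    report = {}
    for flow in flows:
        findings = check_flow(*flow)
        if findings:
            report[flow] = findings
    return report

# Constructed flow records.
SAMPLE_FLOWS = [
    ("10.1.5.23", "10.2.0.10", 443),   # user to historian front end: permitted
    ("10.1.5.23", "10.4.0.7", 502),    # desktop straight to a field device
    ("10.3.0.5", "10.4.0.7", 502),     # SCADA server polling the same device
    ("10.2.0.10", "10.3.0.5", 23),     # telnet from the DMZ into the control zone
    ("10.9.0.1", "10.3.0.5", 443),     # source in no defined zone
]
```

The control-to-field Modbus flow is reported as unencrypted even though it is on a permitted conduit: that is the realistic case, since the field protocol cannot be changed, and the finding is the argument for keeping that conduit short, monitored, and unreachable from anything in the enterprise zone.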
Not a technical problem, but a business challenge

• Many of the 2011 breaches could have been prevented
• However, significant effort is required to inventory, identify and close every vulnerability
• Financial & operational resistance is always encountered, so how much of an investment is enough?

Questions?

Thank you for your time today! Get engaged with IBM X-Force Research and Development…
Follow us at @ibmsecurity and @ibmxforce
Download X-Force security trend & risk reports: http://www935.ibm.com/services/us/iss/xforce/
Attend in-person events: http://www.ibm.com/events/calendar/
Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com
Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions