Transcript US-CERT_Chile_2007

Protecting Critical Infrastructure from
Cyber Attacks
Presented by
Mark Henderson, CISSP, GCIA
Department of Homeland Security
National Cyber Security Division
United States Computer Emergency Readiness Team
Agenda
•
•
•
•
•
Overview of Critical Infrastructure
Threat, Vulnerability and Attack Trends
Real World Incidents
Recommended Practices
US and Industry efforts
Overview of Critical Infrastructure
What is CI?
“Critical infrastructure is a term used by
governments to describe material
assets that are essential for the
functioning of a society and economy”
… but what is it?
CI is …
•
•
•
•
•
•
•
electricity generation and distribution;
telecommunication;
water supply;
agriculture, food production and distribution;
heating (natural gas, fuel oil);
public health;
transportation systems (fuel supply, railway
network, airports);
• financial services;
• security services (police, military)
What is CI responsible for?
•
•
•
•
•
•
•
•
Providing electricity at home and at work
Routing your phone calls
Delivering your drinking water
Delivering food from farm to fork
Heating your home
Providing healthcare and emergent care
Maintaining roads and building new ones
The management and allocation of financial assets,
printing currency, etc.
• Maintaining the public order
• Protecting you at home and abroad
CI vs. SCADA
• SCADA (Supervisory Control And Data
Acquisition) refers to a large-scale, distributed
measurement (and control) system
• Not all of CI is SCADA but all SCADA is CI
• In the US, 85% of CI is owned by the private
sector and roughly 50% of CI sectors are
controlled by SCADA systems
• Sometimes SCADA referred to as an
Industrial Control System (ICS)
What is CIP?
Critical Infrastructure Protection (CIP)
“… continuous efforts to secure information
systems for critical infrastructure, including
emergency preparedness communications,
and the physical assets that support such
systems.”
CIP represents efforts to prevent, detect, and
correct (recover) from CI attacks
Threat, Vulnerability
and Attack Trends
The Risk Equation
Risk = Threat x Vulnerability x Consequence
Threat
Any person, circumstance or event with the
potential to cause loss or damage.
Vulnerability
Any weakness that can be exploited by an
adversary or through accident.
Consequence The amount of loss or damage that can be
expected from a successful attack.
Threats
• Natural
• Manmade (structured vs. unstructured)
Natural Threats to CI
Geographic hazards
• Meteorological (hurricanes, tropical
storms, floods, and ice storms)
• Earthquakes and tsunamis
• Infectious disease (e.g., H5N1)
Examples of Natural threats
Chilean earthquake [1960]
– “Telecommunications to southern Chile were cut
off“
– “… an eight-meter wave struck the Chilean coast,
mainly between Concepción and Chiloé”
– “The electricity and water systems of Valdivia were
totally destroyed”
– “… the city was without a water supply”
– “Two days after the earthquake, the Cordón Caulle
erupted”
Manmade Threats
• Structured
– “adversaries with a formal methodology, a financial
sponsor, and a defined objective” [Bejtlich]
– Economic/industrial spies, organized criminals,
terrorists
• Unstructured
– “lack the methodology, money, and objective of
structured threats” [Bejtlich]
– Recreational hackers, malware, malicious insiders
• National Security threats
– foreign intelligence agencies, information warriors
Structured threats to CI
•
•
•
•
•
•
•
•
•
•
GAO Threat Table
Bot-network operators
Criminal groups
Foreign intelligence services
Hackers
Insiders
Phishers
Spammers
Spyware/malware authors
Terrorists
Industrial spies
Unstructured threats to CI
• Recreational hackers (“hacking for fun”)
• Malware (viruses and worms)
• Malicious insiders (disgruntled
employees)
CI Vulnerabilities
• Many sectors practice “security through
obscurity”
• Increased connectivity
• Pervasive use of antiquated
software/hardware
• Geographic concentration of CI
• Increasing visibility to blackhat
community
Security through obscurity
• Remote locations are inaccessible
… unless they have an IP address
• Proprietary protocols and architecture =
secure
… unless someone studies the SW/HW
• No one is interested in X system. Why
protect it?
… unless someone wants to gain access to
another network through that system
Increased connectivity
• Website provides “online presence” for company
… but leaves web and application servers vulnerable
• Internet facing systems allow remote maintenance
which saves money
… but opens systems to network-based attacks
• Wireless architecture reduces network costs
… but opens internal network up to wireless attacks
Antiquated SW/HW
• “If it ain’t broke, don’t fix it” mentality
… so systems go unpatched
• Extensive use of legacy hardware (e.g., modems)
… so hackers can use basic attacks
• Customized applications are designed to simply work
… so they are not designed to be secure
• Legacy SW/HW and/or protocols incompatible with
newer security products
… so attacks cannot be detected easily, if at all
Geographic concentration
“…critical assets in sufficient proximity to each other
that they are vulnerable to disruption by the same, or
successive, regional events”
• 25% of freight cars pass through one city in the US
(St. Louis, MO)
• Approximately 28% of U.S. hog inventories are
located in Iowa
• Approximately 25% of U.S. pharmaceuticals are
manufactured in Puerto Rico, primarily in the San
Juan metropolitan area
Increasing blackhat visibility
ISS conducted SCADA penetration tests
on multiple sectors [2006]
• Physical access (e.g., door unlocked at
power substation)
• Modems (e.g., war-dialing)
• Default passwords (e.g., googling
manuals of devices with banners)
Threat Trends
“Stealth”/Advanced
Scanning Techniques
Intruder Knowledge
Attack Sophistication
High
Denial of Service
Network Management Diagnostics
Sweepers
Back Doors
Disabling Audits
Low
1980
Malicious Code
Morphing
BOTS
Era of Modern
InformationZombies
Distributed Attack Tools
Technology
Current SCADA WWW Attacks
Automated Probes/Scans
Zone of Defense
GUI
Packet Spoofing
Era of Legacy
Sniffers
Process Control
Hijacking Sessions
Attackers
Exploiting
Known
Vulnerabilities
Technology
Password Cracking
Self-Replicating Code
Password Guessing
1985
1990
1995
2000
2005
2010
Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMS/SEI-2002-SR-009, November 2002, page 10.
Real World Incidents
How does all this affect me?
Your system could be compromised/infected
and later used in an attack against CI or …
…if you work for a CI sector you could
• be targeted in a “spear phishing” attack;
• your laptop could be stolen to gain access to
the private CI network or to private data;
• you could inadvertently follow unsafe security
practices and affect CI operations
Real World Incidents
• The following represent incidents of
control systems or critical infrastructure
being breached by cyber means
• Most of the ‘cyber events’ are
accidental, but the following represent
more deliberate events
• Unfortunately, few CI events are
published in the open media
Real World Incidents
For industrial security incidents there is
the Industrial Security Incident
Database (ISID)
Electricity
“…with sufficient resources, such as a
foreign intelligence service or a well
supported terrorist group, could conduct
a structured attack on the electric power
grid electronically, with a high degree of
anonymity, and without having to set
foot in the target nation”
Electricity (cont)
Davis-Besse Nuclear Power Plant [2003]
• The Slammer worm penetrated a private
computer network at Ohio's Davis-Besse
nuclear power plant
• Disabled a safety monitoring system for
nearly five hours
• Power plant was protected by a firewall
• In 1998 the same plant was hit by a tornado
(natural disaster)
Telecommunication
Attack on the root name servers [2007]
• 3 out of 13 root DNS servers were attacked
by a DDoS attack that lasted 12 hours
• Less serious than attack in 2003 when all 13
servers were attacked
• Some suggested that this was a bot
operator’s “sales demo”
Water supply
Maroochy Shire Sewage Spill [2000]
• First recorded instance of an intruder that
“deliberately used a digital control system to attack
public infrastructure”
• Software on his laptop identified him as “Pumping
Station 4” and after suppressing alarms controlled
300 SCADA nodes
• Disgruntled engineer in Queensland, Australia sought
to win the contract to clean up the very pollution he
was causing
• He made 46 separate attacks, releasing hundreds of
thousands of gallons (264,000) of raw sewage into
public waterways
Heating (natural gas, fuel oil)
GAZPROM Incident [1999]
• Russian hackers penetrated GAZPROM security with
help from insider
• Gained control of central switchboard using Trojan
Horse which controlled gas flows in pipelines
• Claim later refuted by oil company
Chevron Incident [1992]
• Disgruntled Chevron employee disabled emergency
alert system in 22 States
Public Health
Worcester Botnet [2005]
• Attacker used a botnet to earn ad revenue
• $150,000 in damages to the Northwest Hospital (Seattle,
Washington). 150 of the hospital’s 1,100 systems affected over
course of three days
• The hospital's surgical, patient financing, information
management, diagnostic imaging and laboratory systems were
affected
– Operating room doors wouldn't open, pagers were silenced,
and computers in the intensive-care unit shut down
• 441,000 computer systems hacked by attacker’s virus:
– 104 country domains, 276 ".net" domains, 128 ".com"
domains, and 28 ".edu" domains
– 407 Defense Department locations were infected
Transportation systems (air)
Worcester Air Traffic Communications [1997]
• Hacker broke into a Bell Atlantic computer system,
causing a crash that disabled the phone system at
the airport for six hours (Worcester, Massachusetts)
• Knocked out phone service at the control tower,
airport security, the airport fire department, the
weather service, and carriers that use the airport
• Also, the tower's main radio transmitter and another
transmitter that activates runway lights were shut
down, as well as a printer that controllers use to
monitor flight progress
• Also knocked out phone service to 600 homes in the
nearby town of Rutland
Transportation (rail)
CSX Train Signaling System [2003]
• Sobig virus blamed for shutting down train
signaling systems throughout the east coast
of the U.S.
• Virus infected Florida HQ shutting down
signaling, dispatching, and other systems
• Long-distance trains were delayed between
four and six hours
Transportation (subway)
Toronto Subway [2006]
• LED signs reprogrammed by hacker
• Subway LEDs changed to read “Stephen Harper eats
babies” (Canadian Prime Minister)
Russia Subway [2007]
• Using insider data a hacker “managed to access the
terminal’s system through the internet and steal
$9,000”
Financial Services
Nordea Heist [2006]
• Internet fraudsters stole around 8m kronor ($1.1m;
£576,000) from account holders at Swedish bank
Nordea
• The criminals siphoned money from (~250)
customers' accounts after obtaining login details
using a malicious program (Haxdoor) that claimed to
be anti-spam software
• In August 2005, it was forced to temporarily shut
down its online arm due to a sophisticated phishing
attack
Government services
Estonia DDoS attacks [2007]
• “If a member state's communications centre is
attacked with a missile, you call it an act of war. So
what do you call it if the same installation is disabled
with a cyber-attack?”
– Estonia is a member of NATO and asked for assistance from
its allies
• Web page defacements and DDoS attacks (< 100
Mbps)
• Targets included government ministries, news
agencies, and two large banks
• US-CERT worked with other CERTs worldwide to
disable the hosts involved in the botnet
Recommended Practices
Exposure
System Exposure
Components
Vulnerabilities
• Networks
• Operating Systems
• Applications
• Advisories
• Exploit Code
• Advanced Tools
Mitigation
• Block
• Detect
• Workaround
• Fix
Exposure
System Exposure
Components
Vulnerabilities
• Networks
• Operating Systems
• Applications
• Advisories
• Exploit Code
• Advanced Tools
Mitigation
GAP
• Block
• Detect
• Workaround
• Fix
Identify Vulnerable Assets
Vendor
Modem
Front End
Processor
Applications
Server
Configuration
Server
Database
Server
Historian
HMI
Computers
Engineering
Workstation
`
SCADA LAN
MODEM
Pool
Components
Network
Communications
Networks
Operating Systems
Applications
Operating
Systems
•
•
• Applications
ICCP
Server
Historian
Corporate
PBX
DMZ LAN
SCADA
Firewall
Communications
Servers
Business
Servers
Web
Applications
Business
Servers
Workstations
`
Attacker
WWW
Server
CORPORATE LAN
Communications
Corporate
Firewall
DNS
Server
Identify Threat Vectors
Vendor
Modem
Front End
Processor
Applications
Server
Configuration
Server
Database
Server
Historian
HMI
Computers
Engineering
Workstation
`
SCADA LAN
MODEM
Pool
Vulnerabilities
Advisories
Exploit Code
• Advisories
Advanced Tools
• Exploit Code
• Advanced Tools
ICCP
Server
Historian
Corporate
PBX
DMZ LAN
SCADA
Firewall
Communications
Servers
Business
Servers
Web
Applications
Business
Servers
Workstations
`
Attacker
WWW
Server
CORPORATE LAN
Communications
Corporate
Firewall
DNS
Server
Identify Mitigations
Vendor
Modem
Front End
Processor
Applications
Server
Configuration
Server
Database
Server
Historian
HMI
Computers
Engineering
Workstation
`
SCADA LAN
MODEM
Pool
Mitigation
Fix
• Block Block
Detect
• Detect
Workaround
• Workaround
• Fix
ICCP
Server
Historian
Corporate
PBX
DMZ LAN
SCADA
Firewall
Communications
Servers
Business
Servers
Web
Applications
Business
Servers
Workstations
`
Attacker
WWW
Server
CORPORATE LAN
Communications
Corporate
Firewall
DNS
Server
Defense in-Depth Security
1 Perimeter Controls –
4
6
3
2
1
Internet & Corporate Perimeter
2 Access Control,
People, Policies
5
Cyber Control
7
3
Network Architecture Components
4
5
Operating Systems
6
7
Application Security
Host Security
Core Operational Services
Recommendations
•
•
•
•
Identify your security requirements
Map requirements to security standards
Apply appropriate solutions
Work with CLCERT and others to stay
informed of threats, vulnerabilities, and
safeguards (“situational awareness”)
US and Industry Efforts
What has the US done?
• Conducted cyber exercises
(CyberStorm) involving CIP
• Created the National SCADA test bed
and Cyber Security test bed
• Established the Control Systems
Security Center
• Linked the Oil and Gas Industry to
discuss cyber threats (LOGIIC)
NIST 800-82
Procurement Process
Common Control System Vulnerability
Cyber Assessment Methods for SCADA Security
CS2SAT
Other initiatives
• Efforts underway “to enable faster, more
accurate detection of SCADA-specific
attacks” (i.e., Snort signatures)
• US-CERT recently held an International
SCADA conference in May (UFive)
• DHS continues to collaborate with
International partners (IWWN, CICTE,
FIRST) in CI exercises, training, and
awareness
Questions?
For more information about US-CERT please visit:
www.us-cert.gov
US-CERT Security Operations Center
1-888-282-0870
[email protected]
For more information about CSSP please visit:
www.us-cert.gov/control_systems
Control Systems Security Program
1-888-282-0870
[email protected]