
Cyber Threat Evolution
With a focus on SCADA attacks
Anant Shivraj
May 9th 2011
Agenda
• Cyber Attacks
  – Increasing sophistication of cyber attacks
  – Private Sector as target of, and medium of attacks
• Vulnerability of the Oil & Gas Industry to Cyber Attacks
  – Profile of risks faced by SCADA systems in Oil & Gas
• Risk Mitigation Strategies and Effectiveness
• Recommendations
Cyberspace is more than the Internet
[Diagram: data and systems interconnected through a communications network and an infrastructure network]
Cyberspace: The interdependent network of information technology infrastructures, and includes telecommunications networks, the Internet, computer systems, and embedded processors and controllers in critical industries.
Source: National Security Presidential Directive 54, January 2008
Key takeaways from recent incidents
Changing ends: Cyber attacks have evolved from operational events to strategic events, with the aim to disrupt a target's freedom in the real world, not just on the Internet. The aims now include impacting strategic capability and assets, impeding business operations, and targeting physical assets and mission-critical information.
Increasingly sophisticated means: traversing multiple networks and infrastructures, precision targeting, and multi-stage attacks to avoid attribution. Cyber attacks are employing new techniques such as spear phishing, rootkits for specialist devices and networks, and multi-stage phased attacks to accomplish these aims.
Stuxnet demonstrates a new level of cyber attack capability
• Stuxnet was a worm targeted at industrial control systems (ICS) discovered by July 2010. By then, it had infected upwards of 100K systems in Iran, Indonesia, India and other countries
• Widely believed to have been developed with state support and targeted at Iran's Bushehr nuclear reactor
Symantec W32.Stuxnet Dossier:
"Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems.... Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended.... In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface"
Source: Symantec W32.Stuxnet Dossier, November 2010
Understanding the Stuxnet attack mechanism
Target map: Field PG and Programmable Logic Controller (PLC), inside the Industrial Control System environment (non-networked)
Attack vector:
Step 0. Check for OS and anti-virus specifications of host. If met, introduce itself as a digitally signed driver.
Step 1. Connect to command server, propagate on corporate network and to removable drives.
(Jump to ICS environment through LAN / thumb drives)
Step 2. Check if Siemens Step 7 is installed to manage PLC devices. Obtain root access and take control of Step 7.
Step 3. Detect whether PLC uses the target communication protocol. If so, detect the manufacturer of frequency controller drives to determine type of attack.
Step 4. Send malicious instructions to change the execution of various states, and to modify the instructions sent to frequency controllers to slow or speed them up. This will change the speed of the actual industrial devices.
Stuxnet demonstrates capability of cyber attacks to harm physical assets
Feature: Comments
• Impact: Ability to attack and impair physical infrastructure (industrial data, industrial output, industrial operations in critical infrastructure). Stuxnet managed to delay the startup of Bushehr.
• Key lesson: Persistent connection to grid / IP network not essential to be a cyber target.
• Key innovations: Precise target selection and anti-virus evasion; first PLC rootkit (allowing admin access to PLC functions); P2P self-update capabilities (a sleeper Stuxnet worm can auto-update to suddenly attack a host at a later date).
• Professional, coordinated development*: Projected six months development cycle, 5-10 developers, QA and management. Theft of digital certificates, and the need to understand and construct a worm for Industrial Control Systems, suggest involvement of a multi-disciplinary team.
*Estimated by Symantec
Two key determinants of cyber attack pathways
• Mission Statement
  – What the attacker wants to accomplish
  – Depends on who the attacker is: cyber criminals looking for financial gains; non-state actors affiliated with a particular cause; state actors trying to accomplish strategic goals
• Technical Capabilities
  – What capabilities are available to the attacker: resources and budget, experience
  – Again, can depend on who the attacker is
Given that developing technical capabilities has become easier, mission statement is the primary determinant of the attack pathway
Mission statement key to which cyber attack pathway is used
Mission statement -> target of cyber attack (the chart marks a primary and a secondary target for each mission):
• Gain strategic advantage -> specific asset targeting, e.g. data theft operations: quick asset identification; infrastructure should not be disrupted during the exfiltration process
• Deny operational freedom -> infrastructure and network targeting, e.g. capacity degradation operations, disruption of communications
Seven phases of a cyber attack
1. Planning
2. Payload Introduction
3. Command and Control
4. Footprint Expansion
5. Target identification
6. Attack Event
7. Retreat and Removal
• Starting from the earliest documented worm ("Internet worm 1988"), most cyber attacks have followed a subset of these seven steps
• Most of the above sequence followed by some of the most successful attacks:
  – SQL Slammer (January 2003), which slowed global Internet traffic dramatically
  – Conficker (November 2008), which infected 15 million computers and continues to, in spite of industry efforts (and a $250K reward from Microsoft)
Visualizing attack pathways
Each phase spans a strategic, target-focused end and an operational, attack-vector-focused end (targeted end | opportunistic end):
1. Planning: Strategic, focus on target | Operational, focus on attack vector development
2. Payload Introduction: Internet, physical and external | Internet malware
3. Command and Control: Tight control, ability to operate APTs | "Fire and forget" strategy
4. Footprint Expansion: Targeted expansion | Opportunistic expansion
5. Target identification: Based on host functionality and value | Based on existence of vulnerabilities
6. Attack Event: Layered, custom built attack vector | Standard IP-based attack vectors
7. Retreat and Removal: Self-upgrade and stealth presence | Weak deletion methods
Visualizing recent cyber incidents on attack pathways
[Diagram: Aurora, GhostNet, Stuxnet and Conficker plotted on the attack pathway chart (same seven phases, targeted versus opportunistic end-points); shading indicates increasingly seen characteristics]
Stuxnet used private sector capabilities and targets in its attack on state entity
Targeted
• Siemens Step 7 software compromised via rootkit
• Specifications for frequency controllers from Vacon (Finland) and Fararo Paya (Iran)
Exploited
• Digital certificates stolen from Realtek and JMicron, which are located in close proximity to each other
• Microsoft Windows access gained via rootkit
• Two Internet Explorer zero-day exploits
• Domain name servers in Malaysia and Denmark
Evaded
• Detected and adapted to signature-based and behavioral detection capabilities of 11 anti-virus products including Symantec, McAfee and Trend Micro
Increasing use of a new capability – spear phishing
Use of highly contextual phishing properties, often sent by known acquaintances, and taking into account real world or online identities, to reduce detection rates
Target | Sent to | Claims to legitimacy
Marathon Oil, ExxonMobil and ConocoPhillips | C-level leadership | Email subject: "Re: Emergency Economic Stabilization Act" (sent after plan had been announced)
Booz Allen | VP for International Military Assistance Prog. | Email subject: "India MCRA Request for Proposal" (India had released RFP a week ago); Sender: from the office of the Air Force Secretary
Increasing spear phishing implies that both signature-based and behavioral virus detection software are losing effectiveness, catching only 20% of malware
Source: Business Week, Northrop Grumman, Information
Oil and gas sector officially identified as a critical infrastructure
• Critical infrastructure: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
• 18 sectors identified as critical infrastructure by the Homeland Security Presidential Directive 7: Agriculture & Food; Banking & Finance; Chemical; Dams; Communications; Defense Industrial Base; Energy (Electricity, Petroleum & Natural Gas); Government Facilities; Emergency Services; Healthcare & Public Health; Information Technology; Nuclear Reactors; Postal & Shipping; Transportation; Water; Commercial Facilities; National Monuments; Critical Manufacturing
Source: Critical Infrastructure Protection Act of 2001 (Section 106, Patriot Act)
Oil & gas cyber attacks already higher than in other critical infrastructures
McAfee survey
• 71% of companies report stealthy infiltration (e.g. APTs), as opposed to an average of 54% for all critical infrastructure (CI)
• 1/3rd of companies report multiple infiltrations per month
• 2/3rd of companies report DDoS attacks (1/3rd report multiple attacks per month), highest amongst all CI
• Highest web extortion victimization rate amongst all CIs
• Unlike other CI, most attacks (56%) focused on control systems
• Highest self-estimated losses amongst all CI (from a 24-hr service outage), avg. $8.4M/day
[Chart: effect on Ops, ranging from minor IT with no Ops disruption, through serious IT with some Ops disruption and serious effect on Ops, to critical breakdown. E.g. employee tampering with control system software at Pacific Energy Resources, September 2009]
Source: McAfee
SCADA operated systems in natural gas infrastructure – compressors (I)
• A main component of gas transportation is the more than 1200 compressors installed along pipeline routes
• Compressors used to restore/maintain gas pressure and pump gas forward
• 24-hr/365-day unmanned systems monitored by SCADA
Source: EIA
Image copyright and courtesy of EIA/Southern Natural Gas Company, El Paso Corporation
SCADA operated systems in natural gas infrastructure – compressors (II)
[Map: Interstate pipeline compressor systems, 2006]
Source: EIA
Control systems are a key infrastructure in oil & gas networks
SCADA (Supervisory Control and Data Acquisition) systems are process control systems that enable monitoring and control of processes distributed amongst various remote sites. They are a form of Industrial Control Systems (ICS).
Components of a SCADA system:
• HMI (Human Machine Interface) equipped with SCADA software: interface for operator control and system management
• MTU (Master Terminal Unit): monitoring/control of field devices
• RTU (Remote Terminal Unit): data acquisition from field devices, execution of MTU instructions, automatic process control if equipped with programmable logic controllers (PLCs)
• Field devices, e.g. pumps and valves, alarms etc.
• Communication protocol: Modbus, TCP/IP. Can be sent over dedicated cable lines, wireless transmission (spread spectrum, microwave and VHF/UHF radio), DSL, satellite communications
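The Modbus traffic between MTU and RTUs is what a process-control intrusion sensor of the kind the deck later describes (facility-level monitoring of SCADA networks) would watch. The following is an added example, not code from the deck or any product it names: a passive monitor that decodes Modbus/TCP frames (7-byte MBAP header followed by the function code and data) and alerts on state-changing write requests from any host other than the MTU, on exception responses from RTUs, and on malformed frames. The host addresses and the sample frames are constructed for the example; the MBAP layout and the function codes are the standard ones.

```python
"""Passive Modbus/TCP write monitor (added example; constructed sample traffic)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Function codes that change state on the RTU/PLC, versus plain reads (polling).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def build_frame(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU: MBAP header (transaction id, protocol id 0,
    length, unit id) followed by the PDU (function code + data).
    Used here only to construct the sample traffic below."""
    length = 2 + len(data)  # length field counts unit id + function code + data
    return struct.pack(">HHHBB", transaction_id, 0, length, unit_id, function) + data


def parse_frame(raw: bytes) -> ModbusFrame:
    """Decode one ADU, rejecting frames whose header does not match the payload."""
    if len(raw) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(raw) - 6:
        raise ValueError(f"declared length {length} does not match payload {len(raw) - 6}")
    return ModbusFrame(tid, unit, raw[7], raw[8:])


def audit(traffic: Iterable[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Flag write requests from hosts that are not the MTU, Modbus exception
    responses, and malformed frames. Reads are treated as normal polling."""
    alerts: List[str] = []
    for src, raw in traffic:
        try:
            f = parse_frame(raw)
        except ValueError as err:
            alerts.append(f"{src}: malformed frame ({err})")
            continue
        if f.function & 0x80:  # exception response: original function code | 0x80
            code = f.data[0] if f.data else None
            alerts.append(f"{src}: exception response to function {f.function & 0x7F}, code {code}")
        elif f.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[f.function]} to unit {f.unit_id} from a non-MTU host")
    return alerts


# Constructed sample traffic (hypothetical addresses, not a capture from any real network).
MTU = "10.1.0.10"
SAMPLE_TRAFFIC = [
    # MTU polls holding registers 0..9 of unit 1 (function 3: start address, quantity)
    (MTU, build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # MTU writes a setpoint (function 6: register address 40, value 1500)
    (MTU, build_frame(2, 1, 6, struct.pack(">HH", 40, 1500))),
    # Unknown host writes two registers (function 16: start, quantity, byte count, values)
    ("10.1.0.99", build_frame(3, 1, 16, struct.pack(">HHB", 40, 2, 4) + struct.pack(">HH", 0, 0))),
    # RTU replies with an exception (0x86 = function 6 | 0x80; exception code 2 = illegal address)
    ("10.1.0.50", build_frame(4, 1, 0x86, bytes([2]))),
    # Truncated frame: header claims 20 bytes but only the function code follows
    ("10.1.0.99", struct.pack(">HHHBB", 5, 0, 20, 1, 3)),
]


def run_sample() -> List[str]:
    return audit(SAMPLE_TRAFFIC, {MTU})


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Running the sample produces three alerts: the write from the unknown host, the RTU's exception response, and the truncated frame. The allow-list of writers is the key design choice: on a SCADA network the set of hosts that may legitimately issue writes is small and stable, so a write from anywhere else is a far stronger signal than any signature match.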
Economic contribution of the natural gas distribution network
• Value as intermediate input to 418 industries = $54.6B (2002 dollars)
• Consumption as final good = $38.5B (2002 dollars)
Total Direct Annual GDP contribution: $110.8B (2010 dollars)
Total Indirect Annual GDP contribution: $229.7B
Total Annual GDP contribution: $340B
Source: Bureau of Economic Analysis, 2002 Benchmark input-output tables, "Use of commodities by industries", purchaser prices. Figures adjusted for inflation
Notes: Values calculated using commodity code 221200 (natural gas distribution). For indirect contribution, the value added from top 25 industries of use of natural gas distribution were considered. These industries represented 35% of total GDP contribution of natural gas distribution. See Appendix for details
Attack scenario: defining a mission
Mission statement: Disrupt a continental US gas pipeline system
Motive: Explore weaknesses, demonstration of power, political statement etc.
Mission statement -> target of cyber attack:
• Gain strategic advantage -> specific asset targeting: core assets such as business assets and IP are left alone
• Deny operational freedom -> infrastructure and network targeting: key infrastructure is the distribution network
Compressor systems represent an attractive infrastructure target
Attack scenario: identifying cyber attack pathway
The scenario plotted on the attack pathway chart (targeted end | opportunistic end for each phase):
1. Planning: Strategic, focus on target | Operational, focus on attack vector development
2. Payload Introduction: Internet, physical and external | Internet malware
3. Command and Control: Tight control, ability to operate APTs | "Fire and forget" strategy
4. Footprint Expansion: Targeted expansion | Opportunistic expansion
5. Target identification: Based on host functionality and value | Based on existence of vulnerabilities
6. Attack Event: Layered, custom built attack vector | Standard IP-based attack vectors
7. Retreat and Removal: Self-upgrade and stealth presence | Weak deletion methods
Scenario annotations on the chart: need to attack a non-IP network (payload introduction); RTUs and MTUs (target identification); attack Modbus protocol (attack event); one-time attack
Economic impact of the attack scenario: a simple estimation
• Consider an attack on one of the top 10 pipeline systems (which together account for 62% of output and have 498 compressors between them)
• The Natural Gas PL Co. pipeline system represents the average characteristics of the top 10 systems
  – Route: Begins Southwest, ends Midwest
  – Has 50 compressor stations with a total throughput rating of 49,785 MMcf (spread over 10,000 miles of pipelines)
  – Accounts for a daily GDP contribution of approx. $54.5M
Note: Assumes that GDP contribution from natural gas distribution can be spread across compressors. True division should be across compressor+pipeline segments, but this is a reasonable assumption, since every pipeline segment depends upon the starting compressor for flow.
Note: NGPL is owned by Kinder Morgan
The economic impact of attack scenario can be huge
A 100% capacity degradation for a day on the average large pipeline system can lead to estimated losses of about $54M
(+) Total cost will be worse:
1. Cost and time of replacing compromised SCADA network and bringing the infrastructure online
2. Price shocks in economy, higher insurance risk premiums in industry
3. Reputation damage, risk of losing bids, increased insurance
4. Some industries will be unable to produce output altogether if gas supply is choked
(−) Immediate costs may be less:
1. Other pipeline systems may respond to shortages
2. Reserves can be used to meet immediate demand, so impact may lead to reserve shortage rather than supply shock
3. Stations don't operate at full capacity rating in summer months
Compare this number to the industry's self estimates of losses of $8.4M/day. Total economic loss much higher than firm loss.
Incidents show that disruptions to oil and gas infrastructure are very costly
• Three week disruption in gas supplies from Russia in 2009 cost Bulgaria €250M ($330M), or 1% of GDP
• Gas plant accident in Western Australia in 2008 cost the region $6.7B in total
• Terrorist strike on Mexico gas pipelines at Veracruz resulted in $90-200M in losses
• Shutdown of almost all French oil refineries in pension strikes in October 2010 cost the French economy up to $500M per day
Losses typically run in millions of dollars per day
Sources: Media reports - http://www.cges.co.uk/resources/articles/2009/08/06/rescuing-russia-europe-gas-relations, http://www.usatoday.com/news/world/2007-09-10-mexico-pipeline_N.htm, http://www.cbsnews.com/stories/2010/10/25/world/main6991577.shtml
Risk mitigation by SCADA owners largely based on IT tools
[Chart: percentage of companies implementing each measure (0% to 70% scale); measures and chart annotations in order:]
• Firewalls (IT, SCADA)
  Most common measures, yet often circumvented by using trusted connections
• Network behavior analysis (IT, SCADA)
  Patching / updating of SCADA networks is much more rare
• Patching / updating (mostly IT)
• Security information (IT, SCADA)
• Event notification (IT)
  Important measure, yet not often implemented
• Removable disk restrictions / ban
• Application white listing (IT, SCADA)
Note: SCADA – SCADA network; IT – IT network
Just perimeter defense is not enough for SCADA networks; what is required is defense-in-depth (defenses embedded in the network)
Source: "Critical Infrastructure in the Age of Cyber War", McAfee, 2010
Network and decision systems for SCADA security are being built
• LOGIIC (Linking Oil & Gas Industry to Improve Cyber Security)
  – What: Main function is to perform facility level monitoring of SCADA/ICS networks and integrate threat reports to develop firm level situational awareness of SCADA/ICS security
  – How: Adds process control intrusion detection and alarm capability from SCADA networks to standard network security
  – By: Partnership involving government (DHS), oil & gas majors (Chevron, BP etc.), research labs, security vendors (3Com, Symantec etc.) and process control vendors (e.g. Honeywell)
  – See Appendix for LOGIIC network design
• Consulting services and custom solutions
  – Developed by security vendors (Cisco, Symantec, McAfee etc.)
  – Developed by process control security firms (Wurldtech, Industrial Defender etc.)
• RiskMap
  – Used to identify and map operational risks in oil & gas (including disruptions from cyber attacks) to business decision making
The energy sector has started to respond to the growing cyber threat
• Is leading to a number of industry initiatives such as the "Roadmap to Secure Control Systems in the Energy Sector"
  – Initiative between oil & gas, electricity and telecom sector
  – 10 year roadmap launched in 2006, and sponsored by DoE and DHS
  – Vision: "In 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function."
  – Participants: commercial entities (system integrators, component suppliers, technology developers, IT and telecom providers); industry organizations from the oil & gas and electricity sector; research institutes; government agencies
• Successes: More than 100 projects from 21 private and public sector entities under implementation or identified for implementation by 2009
Yet, there are a number of challenges in meeting the energy roadmap
Goals and 2015 desired end states:
• Measure and assess security posture: Ability of energy asset owners to understand process control security needs and use automated, real-time monitoring to determine where vulnerabilities exist
• Develop and integrate proactive measures: Protective measures to reduce system vulnerabilities and threats. Ability to deploy control systems with end-to-end security when changing from legacy system
• Detect intrusion and implement response strategies: Energy asset owners to operate networks that automatically provide contingency and remedial actions in response to attempted intrusions
• Sustain security improvements: Energy asset owners and operators to work collaboratively within the sector and with government on policy and implementation progress
Current challenges relate to:
A. Measuring progress: consensus on definition of key terms; comprehensiveness and reliability of measures; insufficient collaboration
B. Vulnerability disclosure: standard assessment methods; communication and disclosure channels; regulatory and legal framework
C. Innovative partnerships: business case for management engagement; training of SCADA personnel in security; time and resources to invest in partnership
D. Technology gaps and advancement: system complexity and vulnerabilities; impact of newer and innovative attacks; ability to replace technology
Source: "Roadmap to Secure Control Systems in the Energy Sector", 2006. "Roadmap Update Workshop Summaries", Jan 2011
Security vendors developing frameworks for risk management
Example of a SCADA risk management framework
• Define critical assets and identify risks
• Define an electronic security perimeter around process control
  – Main SCADA network + SCADA administration network
  – Manage SCADA assets from behind the perimeter
  – SCADA administration network should be separate from corporate network
• Consider the corporate network as untrusted
  – Corporate network should be outside the perimeter
  – Two-factor authentication for any systems outside the perimeter to gain access
  – Will remove the risk of automated attacks, and leave a trail for attacks
• Develop a security policy for critical assets
  – Create policies based on regulations and standards
• Assess compliance to policies
  – Measure compliance and address deviations from policy
Source: Gary Sevounts, Symantec
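The framework's perimeter rules can be checked mechanically against a firewall rule set. The following is an added example, not code from the deck or from Symantec: a linter that takes allow rules for a default-deny perimeter firewall and reports any rule that lets an outside zone reach the main SCADA network directly, or that lets an outside zone into the SCADA administration network without a two-factor gateway. The zone names, the rule shape and both rule sets (a weak one and a hardened one) are assumptions constructed for the example; the port numbers are the usual ones for Modbus/TCP (502), RDP (3389), SSH (22) and HTTPS (443).

```python
"""Linter for a SCADA electronic security perimeter rule set (added example)."""
from dataclasses import dataclass
from typing import List

# Zones as the framework describes them: the corporate network is untrusted and
# sits outside the perimeter; the main SCADA network and the SCADA administration
# network sit inside it. Zone names are assumptions for this example.
OUTSIDE = {"internet", "corporate"}
INSIDE = {"scada_main", "scada_admin"}


@dataclass
class Rule:
    """One allow rule in a default-deny firewall (assumed rule shape)."""
    src: str
    dst: str
    port: int
    two_factor: bool = False  # True if the flow terminates on a gateway enforcing 2FA


def lint(rules: List[Rule]) -> List[str]:
    """Return one finding per rule that violates the perimeter framework."""
    findings: List[str] = []
    for r in rules:
        where = f"{r.src} -> {r.dst}:{r.port}"
        if r.dst == "scada_main" and r.src not in INSIDE:
            # SCADA assets must be managed from behind the perimeter
            findings.append(f"{where}: outside zone reaches the control network directly; "
                            "manage SCADA assets only from scada_admin")
        elif r.dst == "scada_admin" and r.src in OUTSIDE and not r.two_factor:
            # any system outside the perimeter must pass two-factor authentication
            findings.append(f"{where}: perimeter crossing without two-factor authentication")
    return findings


# Weak rule set (constructed): office LAN talks Modbus to the control network and
# reaches the admin network with password-only RDP.
WEAK_RULES = [
    Rule("corporate", "scada_main", 502),
    Rule("corporate", "scada_admin", 3389),
    Rule("scada_admin", "scada_main", 502),
]

# Hardened rule set (constructed): the only way in from the corporate side is a
# two-factor gateway on the admin network; the control network is reached from there.
HARDENED_RULES = [
    Rule("corporate", "scada_admin", 443, two_factor=True),
    Rule("scada_admin", "scada_main", 502),   # MTU/HMI polling from inside
    Rule("scada_admin", "scada_main", 22),    # device management from inside
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, lint(rules) or "no findings")
```

The weak set yields two findings and the hardened set none. Encoding the framework as a check over the rule base, rather than as a document, is what turns "assess compliance to policies" into something that can run on every firewall change.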
Policies/standards at various levels play important role in risk mitigation
• Economy: national policy guidance: HSPD-7, others
• Industry: evolving industry standards from the Energy roadmap
• Firm: business goals; compliance, audit: Sarbanes-Oxley, others; IT governance & management: COBIT; cyber security: ISO/IEC 17799; SCADA security: AGA 12, API 1164
  – IT resources and infrastructure: corporate network
  – Operations resources and infrastructure: SCADA control (RTU, MTU, HMI), SCADA admin, SCADA field devices
Notes: AGA 12 by the American Gas Association, and API 1164 by American Petroleum Institute
Recommendations for private sector
• Understand that cyber attack pathways can greatly differ, based on the mission of the cyber attackers (technology is not a limiting factor for most attackers)
• Identify which cyber attack pathway is most likely and most harmful for your organization, to decide where to invest
• Develop information sharing and coordinated response mechanisms with private sector companies that may provide the attack medium
Be aware of the common footprints of asset attacks
[Diagram: the attack pathway chart, with Planning labelled "Strategic, resource intensive" at the targeted end, and Aurora and GhostNet plotted on it]
Recommendations noted on the chart:
• Consider strong security for high value users and assets, e.g. two-factor authentication
• Deploy intrusion detection systems, engage security firms for threat updates
• Monitor not just inbound but also outbound connections
However, the footprint of infrastructure attacks may be very diverse
[Diagram: the attack pathway chart, with Planning labelled "Strategic, resource intensive" versus "Operational, focused on attack vector rather than goals", and Stuxnet and Conficker plotted on it]
• Need to think differently about attacks on the SCADA network
• IP-based DDoS attacks can take a very different approach from process control network attacks
Recommendations for the oil & gas industry
• All of the ones before, plus:
• Know that attacks on SCADA assets are already happening and can be expected to increase
• Attack on SCADA assets can create large magnitude of losses quickly (running into millions of dollars per day)
• Work with security vendors and process control security firms to deploy both perimeter and defense-in-depth solutions
• Share vulnerability information and collaborate in industry projects to monitor, detect and remedy cyber attacks
• Take advantage of policies and protocols to strengthen security and organizational policies (e.g. training of SCADA operators in security)
Recommendations for policy makers
• Help overcome challenges in implementing the energy roadmap
  – Information sharing
  – Innovative partnerships
  – Regulatory environment
• Keep cyber security on private sectors' priority list through education and standards development
• Help build a case for justifying investment in cyber security by critical infrastructure firms
Selected References / Readings
• Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, for the Executive Office of The President, 2009
• The command structure of the Aurora Botnet, Damballa, 2010
• Natural gas compressor stations on the interstate pipeline network: Developments since 1996, Energy Information Administration, Office of Oil and Gas, November 2007
• A Comparison of oil and gas segment cyber security standards, Idaho National Engineering and Environment Laboratory, November 2004
• DCS virus infection, investigation and response: A case study, ICSJWG Fall 2010 Conference
• Berk V., Cybenko G. and Gray R., Early Detection of Active Internet Worms, Massive Computing, 2005, Volume 5, Part III, 147-180
• Roadmap to Secure Control Systems in the Energy Sector, Energetics Inc., January 2006
• Roadmap Update Workshop Series, Energy Sector Control Systems Working Group, January 2011
• Haimes Y. and Jiang P., Leontief-based Model of Risk in Complex Interconnected Infrastructure, Journal of Infrastructure Systems, Vol. 7, No. 1, March 2001, pp. 1-12
• LOGIIC cyber security system, Sandia National Laboratories, September 2006
• Haimes Y., Santos J., Crowther K., Henry M., Lian C. and Yan Z., Risk Analysis in Interdependent Infrastructures, IFIP International Federation for Information Processing, 2007, Volume 253/2007, 297-310
• Protecting Your Critical Assets: Lessons learnt from Operation Aurora, McAfee 2010
• In the Crossfire: Cyber Infrastructure in the Age of Cyberwar, McAfee 2010
• Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, for the US China Economic and Security Commission, Northrop Grumman Corporation
• Cyber Attacks against SCADA and Control Systems, Byres E. and Paller A., SANS Institute Webinar, 2006
• W32.Stuxnet Dossier, Symantec, November 2010
• State of Enterprise Security 2010, Symantec, 2010
• David W. Crain, Stan Abraham, (2008), Using value-chain analysis to discover customers' strategic needs, Strategy & Leadership, Vol. 36 Iss: 4, pp. 29-39
• Tracking Ghostnet: Investigating a Cyber Espionage Network, Information Warfare Monitor, Canada, March 29, 2009
Selected Web References
• Attack on US oil industry: http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-Chinainvolved/(page)/2
• Attacks on Dept. of Defense: http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
• SCADA basics: http://www.free-engineering.com/ar-scada.htm
• Impact of Russia's oil disruption: http://www.cges.co.uk/resources/articles/2009/08/06/rescuing-russia-europe-gas-relations
• Impact on Mexico's pipeline incident: http://www.usatoday.com/news/world/2007-09-10-mexico-pipeline_N.htm
• Cost of French air strikes: http://www.cbsnews.com/stories/2010/10/25/world/main6991577.shtml
All images used are the copyright of their respective owners
Resources and Support
Interviews
• Laurie Burnham, I3P, Dartmouth College
• David Nicol, Information Trust Institute
• Nicola Secomandi, Carnegie Mellon Tepper School of Business
About the study
• Independent Study at Tuck School of Business
• Advisors: Professors Eric Johnson, Brian Tomlin
• Part of the Cyber Code of Conduct project, Fletcher School of Law & Diplomacy
• Principal Investigator: Professor William Martel
Appendix
Select glossary of terms not explained elsewhere
• IP: Internet Protocol
• Zero-day vulnerability: A vulnerability that is not closed/addressed by developers when software is released
• Exfiltration: Stealth removal of information from target network (in context of cyber attacks)
• DNS: Domain Name System servers, which translate machine names to IP addresses. DNS query refers to querying these servers for machine information. DNS poisoning refers to deliberately introducing translation data to DNS servers
• Active Directory: Windows directory that maintains user names and passwords for a corporate network
• Rootkit: A program that aims to gain root control (right to operate as administrator) without revealing itself
• SQL injection: Subverting/crashing a database-based website by using illegal database queries
• Vishing: Exploiting telephony networks to obtain user information, such as credit card numbers
• Botnets/Zombies: Computers which have been compromised by malware and are used by it to target other computers
• DoS: Denial of Service, refers to crashing a web server by bombarding it with web queries. When this is done by using multiple botnets, it is called distributed DoS (or DDoS)
• Logic bomb: Internet attacks that are set to happen at a particular date or time in the future, or if some condition is met
• Two factor authentication: The requirement of passing two tests before obtaining access. For instance, entering a password and then using a fingerprint before access is given
• VPN: Virtual Private Network
• P2P: Peer-to-peer communication protocol