The document summarizes the five stages of grief experienced by organizations when they realize their critical infrastructure systems are connected to the internet and vulnerable to cyber attacks: denial, anger, bargaining, depression, and acceptance. It provides examples to illustrate why each stage occurs, such as discoveries of thousands of exposed SCADA and ICS devices online using tools like SHODAN, high-profile attacks like Stuxnet targeting critical infrastructure systems, and challenges of keeping outdated systems patched against emerging threats. The document argues organizations must ultimately accept the interconnected nature of systems and find new ways to design and manage critical infrastructure that are more secure and resilient to cyber attacks.
2. Vulnerabilities I’m credited on…
• MFSA2008-37: Mozilla Stack Buffer Overflow
• cisco-sa-20070808-IOS-IPv6-leak: Information Leakage Using IPv6 Routing Header in Cisco IOS and Cisco IOS-XR
• MS07-033: Internet Explorer COM object instantiation
• CVE-2007-2388: Apple QuickTime for Java remote code execution
• MS06-036: Windows SMB Denial of Service
• X-Force Alert 228: Asterisk PBX Denial of Service
• X-Force Alert 229: Asterisk PBX Traffic Amplification
7. "In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks."
Source: Sean McGurk, Verizon. The Subcommittee on National Security, Homeland Defense, and Foreign Operations, May 25, 2011 hearing.
It's connected to the Internet.
10. SHODAN
• Project STRIDE: "To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses."
11. ICS-CERT
• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems.
• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN.
14. Stage 3: Bargaining
• Stuxnet
– First widely reported use of malware to destroy a physical plant
– Extremely sophisticated
– Jumped the air-gap via USB keys
– Widespread infections throughout the Internet
• Shamoon
– Targeted the energy sector
– Destructive
– Overwrites files
– Destroys the Master Boot Record
(Chart: Stuxnet infections, source Symantec)
17. DDoS Attacks More Automated & Powerful
• Prolexic Q2 2012 to Q2 2013
– 33% increase in attacks
– 925% increase in bandwidth
  • 4.47 Gbps to 49.24 Gbps
– 1655% increase in packets per second
  • 2.7 Mpps to 47.4 Mpps
20. Stage 4: Depression
The Patching Treadmill
• Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to interconnectivity
• Interconnectivity leads to compromise
• Solutions?
– Third-Party Run-Time In-Memory Patching?
– Intrusion Prevention Systems?
21. Stage 5: Acceptance
What would acceptance mean?
• Getting serious about interconnectivity
– We need to find new ways to work
– We need to accept some inconvenience
• Designing systems for patchability
– Systems that can be patched without being restarted
– Hot standby failover
– Patches that do not require upgrades
– Security patches that can be accepted without performance concerns
– Built-in IDS capability?
• Designing systems for failure
23. Network Visibility through NetFlow
(Diagram: NetFlow exporters at the Internet edge, the DMZ, the VPN gateway, the internal network and the 3G Internet links all send NetFlow to a central NetFlow Collector)
NetFlow packets carry: src and dst ip, src and dst port, start time, end time, mac address, byte count, and more.
24. Intrusion Audit Trails
1:06:15 PM: Internal host visits malicious web site
1:06:30 PM: Malware infection complete, accesses Internet command and control
1:06:35 PM: Malware begins scanning internal network
1:07:00 PM: Gateway malware analysis identifies the transaction as malicious
1:13:59 PM: Multiple internal infected hosts
1:14:00 PM: Administrators manually disconnect the initial infected host
Do you know what went on while you were mitigating?
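The point of slides 23 and 24 taken together is that the flow records the collector already holds can answer the closing question after the fact. The script below is an added example, not code from the slides or from any collector product: it parses a CSV export of flow records, finds the internal host that fanned out across the internal segment, identifies the hosts it probed that then reached the same external command-and-control peer, and lists what the first victim did between the gateway verdict (1:07:00 PM) and the manual disconnect (1:14:00 PM). The 10.1.1.0/24 internal range, the addresses, the CSV column layout, the detection thresholds and the flow records themselves are all constructed for the example.

```python
"""Rebuild an intrusion audit trail from NetFlow-style records (added example,
not code from the slides). Internal range, addresses, CSV layout and
thresholds are assumptions; the sample flows are constructed, not captured."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.1.1.0/24")             # assumed internal segment
DETECTED = datetime(2013, 9, 10, 13, 7, 0)        # 1:07:00 PM gateway verdict
DISCONNECTED = datetime(2013, 9, 10, 13, 14, 0)   # 1:14:00 PM host pulled
Flow = namedtuple("Flow", "start end src dst sport dport proto nbytes")

# Constructed sample: the slide's timeline as flow records. 10.1.1.42 is the
# first victim, 203.0.113.10 the malicious web site, 198.51.100.7 the C2.
SAMPLE = """\
# start,end,src,dst,sport,dport,proto,bytes
2013-09-10T13:06:15,2013-09-10T13:06:18,10.1.1.42,203.0.113.10,51022,80,tcp,184320
2013-09-10T13:06:30,2013-09-10T13:06:31,10.1.1.42,198.51.100.7,51030,443,tcp,2210
2013-09-10T13:07:30,2013-09-10T13:07:31,10.1.1.42,198.51.100.7,51041,443,tcp,1980
2013-09-10T13:08:30,2013-09-10T13:08:31,10.1.1.42,198.51.100.7,51055,443,tcp,2044
2013-09-10T13:09:00,2013-09-10T13:09:03,10.1.1.5,10.1.1.250,49000,53,udp,120
2013-09-10T13:10:05,2013-09-10T13:10:06,10.1.1.5,198.51.100.7,49211,443,tcp,2200
2013-09-10T13:12:40,2013-09-10T13:12:41,10.1.1.9,198.51.100.7,49310,443,tcp,2190
2013-09-10T13:13:59,2013-09-10T13:14:00,10.1.1.17,198.51.100.7,49402,443,tcp,2205
"""
# Internal scan (constructed): one 60-byte probe to tcp/445 on 10.1.1.2 .. 33,
# four probes per second from 13:06:35.
SCAN = "\n".join(
    f"2013-09-10T13:06:{35 + i // 4:02d},2013-09-10T13:06:{35 + i // 4:02d},"
    f"10.1.1.42,10.1.1.{h},{52000 + i},445,tcp,60"
    for i, h in enumerate(range(2, 34))
)

def parse_flows(text):
    """Parse CSV flow records (comment lines start with '#'), sorted by start."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        s, e, src, dst, sp, dp, proto, b = (x.strip() for x in line.split(","))
        flows.append(Flow(datetime.fromisoformat(s), datetime.fromisoformat(e),
                          src, dst, int(sp), int(dp), proto, int(b)))
    return sorted(flows, key=lambda f: f.start)

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def find_scanners(flows, window=timedelta(minutes=5), min_targets=16):
    """Internal sources that touched >= min_targets distinct internal hosts on
    one destination port within `window`. Returns {src: (dport, n, first)}."""
    by_key = defaultdict(list)                    # (src, dport) -> [(t, dst)]
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            by_key[(f.src, f.dport)].append((f.start, f.dst))
    hits = {}
    for (src, dport), events in by_key.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = (dport, len(targets), t0)
                break
    return hits

def secondary_victims(flows, scanner):
    """Hosts probed by `scanner` that afterwards talked to an external host:port
    the scanner itself had contacted: the slide's 'multiple internal infected
    hosts'. Returns {host: time of its first such flow}."""
    peers = {(f.dst, f.dport) for f in flows if f.src == scanner and not is_internal(f.dst)}
    probed = {}                                   # dst -> first probe time
    for f in flows:
        if f.src == scanner and is_internal(f.dst):
            probed.setdefault(f.dst, f.start)
    victims = {}
    for f in flows:
        if f.src in probed and f.start > probed[f.src] and (f.dst, f.dport) in peers:
            victims.setdefault(f.src, f.start)
    return victims

def activity_between(flows, host, start, end):
    """Flows `host` initiated in [start, end): what it did while the defenders
    were still deciding to pull the plug."""
    return [f for f in flows if f.src == host and start <= f.start < end]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE + SCAN)
    for src, (dport, n, t0) in find_scanners(flows).items():
        print(f"{t0:%H:%M:%S} {src} probed {n} internal hosts on tcp/{dport}")
        for host, t in sorted(secondary_victims(flows, src).items(), key=lambda kv: kv[1]):
            print(f"{t:%H:%M:%S} {host} (probed by {src}) reached the same external peer")
        for f in activity_between(flows, src, DETECTED, DISCONNECTED):
            print(f"{f.start:%H:%M:%S} {src} -> {f.dst}:{f.dport} {f.nbytes} B, after detection")
```

Run against the constructed sample it reports 10.1.1.42 probing 32 hosts on tcp/445 at 13:06:35, then 10.1.1.5, 10.1.1.9 and 10.1.1.17 reaching the same external peer, and two further command-and-control flows from 10.1.1.42 in the seven minutes between detection and disconnect. Only the fan-out of a single source is used to flag the scan, so the same logic works whether the probes are SYN-sized like these or full sessions; the 16-target threshold and the 5-minute window are starting points to tune against the segment's normal traffic, and in practice the CSV would be whatever your collector exports rather than an inline string.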