ECSA Lecture – 15.06.2006
Cyber threats to critical infrastructures.
A summary on emerging contemporary national threats.
About.
CYBER THREATS TO CRITICAL INFRASTRUCTURES
Filip MAERTENS
Partner Uniskill, Audit & Assessment Services
CISA, CISSP
filip.maertens@uniskill.com
Agenda.
• The Fear Factor
• What are the components ?
• Emerging threats and vulnerabilities
• Risk mitigating practices
The Fear Factor.
• Chevron (1992). The company's emergency alert system was sabotaged by a disgruntled employee, disabling it across 22 US states.
• Worcester Airport (1997). An external hacker shut down the air and ground traffic communication system for six hours.
• Gazprom (1998). Foreign hackers seized control of the company's main gas pipeline control system using trojan horse attacks.
• Queensland, Australia (2000). A disgruntled former contractor hacked into the Maroochy Shire sewage control system and released hundreds of thousands of litres of raw sewage into local waterways and coastal waters.
The Fear Factor. (cont'd)
• Venezuela Port (2002). Hackers disabled PLC components during national unrest and a general workers' strike, taking the country's main port out of service.
• Ohio Davis-Besse Nuclear Plant (2003). The plant's safety parameter display system was knocked out by the Slammer worm for nearly five hours.
• Israel Electric Corporation (2003). Cyber attacks originating from Iran penetrated IEC but failed to shut down the power grid using DoS attacks.
• DaimlerChrysler (2005). 13 U.S. manufacturing plants were shut down by multiple Internet worm infections (Zotob, RBot, IRCBot).
Some first hand experiences.
• International Energy Company (2005). A malware-infected HMI system disabled the emergency stop of equipment under heavy weather conditions.
• Middle East Sea Port (2006). Intrusion test gone wrong: ARP spoofing attacks shut down the port signaling system.
• International Petrochemical Company (2006). Extremist propaganda was found together with text files containing usernames and passwords of control systems.
False stories. Yet…
• U.S. East Coast blackout (2003). A worm did not cause the blackout, yet the Blaster worm was circulating at the time and had infected systems in the environments involved in the large scale power blackout.
• Al Qaeda plans worldwide attacks on SCADA technology (2003). Computers and manuals seized in Al Qaeda training camps did contain information on dams and related infrastructures, yet no clear evidence of imminent attacks is present.
• “Beware. Cyber terrorism is near!” (2003). IDC research publications appear to be based on strong coffee rather than factual research.
The US Blackout in pictures.
So far, so good?
• No human beings are known to have been killed by cyber attacks:
– Dorothy Denning: “Unless people are injured, there is less drama and emotional appeal”
• Operations personnel are highly trained for emergencies:
– Safety is paramount. But do we know how to respond to cyber attacks?
• Cyber terrorism does not scare the public as much as 9/11 type attacks:
– Large scale ignorance: the general public remains oblivious to cyber threats against our critical infrastructure components
The NCI playground.
• National Critical Infrastructures (NCI) include, amongst others, the
following players :
– Energy, Communications, Emergency Services, Finance, Government &
Public Services, Water, Transportation, Food, Health services and Public
Safety
• These industries use Supervisory Control and Data Acquisition (SCADA)
systems to monitor and control industrial processes through the
collection and analysis of real time data.
• National infrastructures depend on SCADA technologies / systems !
Reliance on SCADA.
• Advances in control systems require fewer manual operator interventions and allow more automated control.
• Master station software analyzes more internally and presents less to the operator.
• HMI / operator software must meet stringent safety requirements in some markets, but there are no specifics on security.
How does SCADA affect me?
• SCADA is a wide and generic term for the whole of the industrial control and monitoring systems that:
– Provide power to your home
– Bring water into your life
– Control the traffic lights on the way to your office
– Control the commuter train you are on every day
– Handle the air conditioning in your office
– Allow you to call your wife to tell her you'll be late
• I'd say it pretty much affects every one of us, wouldn't you?
The SCADA components.
• Multi-tier SCADA terminology crash course:
– Control endpoints, such as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), that measure voltages, adjust valves, flip switches, …
– Human Machine Interface or HMI (often a Windows based GUI)
– Intermediate control systems (based on commercial 3rd party OSs)
• Extensive usage of open networking and data communication standards, such as MODBUS, Distributed Network Protocol (DNP) and Utility Communication Architecture (UCA).
– Wide variety of communication carriers: serial, wireless, radio, analogue, …
– Raw data transmission protocols, e.g. MODBUS, DNP3, …
• designed for serial/radio links, but now tunneled over TCP/IP networks to read alerts and send commands
– High level data protocols, e.g. ICCP, OPC / DCOM, …
• designed to provide information to humans and take commands
The SCADA components. (cont’d)
• Building blocks of SCADA :
– Operating & Monitoring Systems
• open systems (microsoft, linux, solaris, …)
• operating system vulnerabilities (e.g. vulndev, bugtraq, fulldisclosure, …)
– Communication network
• ethernet, fiber or wireless tcp/ip based transmissions
• tcp/ip vulnerabilities (e.g. arp spoofing, tcp/isn generation, …)
• opc / dcom / iccp / modbus / uca / dnp3 / … vulnerabilities
– Instrumentation & Industrial systems
• no authentication, …
Sample SCADA components.
• OPC: optimized for making it easy to program HMI applications
• DNP3: optimized for collecting data from simple devices
• ICCP: optimized for passing bulk data to systems, e.g. databases, trading or other systems
• HMI: presenting data and pushing commands. Where is your human located?
A simple network overview.
The SCADA requirements.
• Determinism :
– Quality of Service of data communication services
– Precise Interrupt Timing
– Reliability and latency are more important than throughput
• Minimal computing resources :
– Legacy equipment (pre 486 era)
– Bandwidth issues including noise, accessibility, etc.
– Little “extra features” possible, e.g. encryption, authentication, etc.
• Real time operating systems :
– Lacking encryption, authentication and authorization (AuthN, AuthZ)
General INFOSEC concepts.
• Applied to modern SCADA environments:
1. Availability – easy to perform attacks & multiple attack vectors!
2. Integrity – multiple attacks & high risks!
3. Confidentiality – multiple attacks & medium risks.
Known attack motives.
• Industrial sabotage :
– Disgruntled employees
– Black-hat Hackers & criminals for personal gain
• Coordinated terrorism / eco – terrorists / “ hacktivism “ :
– Joint physical and cyber attacks
– Vendor compromise
• Let's not forget. Operator error:
– Human errors (“forgetting procedures”) and operational failures
Agenda.
• The Fear Factor
• What are the components ?
• Emerging threats and vulnerabilities
• Risk mitigating practices
ECSA Lecture – 15.06.2006
Emerging threats & vulnerabilities.
• Convergence of technology equals convergence of risk:
– Migration of proprietary systems to open systems (the end of “security by obscurity”)
– Usage of TCP/IP Ethernet networks
– Traditionally built to be safe and reliable. But what about secure ?
• Main drivers and trends :
– Convergence of corporate IT with industrial operations
– Migration towards open protocols, e.g. MODBUS, DNP3, … over Ethernet
carriers
– Wireless technology increasingly used
– Remote access for maintenance and support facilities
Layers of cyber security attacks.
Layers of risk.
• Network (Inter)Connectivity & General Access Risks : entry vectors
– Local Area Network / Corporate Networks
– Internet Connections
– Direct access connections
– Out of band access connections
• Network Protocol Risks : attack vectors
– Known TCP/IP Ethernet based vulnerabilities
– Wireless connectivity problems
– Open SCADA protocol vulnerabilities
• Monitoring and Command Systems Risks : attack vectors
– Known open system vulnerabilities (e.g. Microsoft, Linux, Solaris, …)
Connectivity & Access.
• LAN & Corporate Network interconnectivity:
– Using simple, or even non-existent, packet filters
– Threats from corporate environments (e.g. viruses, hackers, …) can easily jump to industrial networks => huge risk propagation factor.
• A BCIT survey on incidents by internal entry points :
Connectivity & Access. (cont’d)
• Internet connectivity => when uncontrolled, a huge risk in its own right
– Major threat for HMI and other operator systems!
– Increasing number of external attacks over the Internet
• A BCIT survey on incidents by external entry points :
Connectivity & Access. (cont’d)
• Direct Access connections :
– 3rd party vendor access often needed for remote support and maintenance
– Remote access often preferred for “remote management” purposes
– Direct Access connections :
• dial-in
• xDSL and direct cable connections with remote management software (cf. Internet access)
• wireless
– Direct access often used with low or no identification and authentication
controls in place.
• Problems with third-party contractors, suppliers and vendors
Connectivity & Access. (cont’d)
• Out of band connections :
– All of the above, but … now without anyone knowing it !
– Common types of out of band connections :
• rogue access points,
• uncontrolled dial-up modems
• uncontrolled connection tunnels (e.g. vpn, …)
– Problem : Network traffic is bidirectional ! *sigh*
Protocol risks & vulnerabilities.
• Supporting network protocols are Ethernet & TCP/IP Based :
– Designed for reliable packet transport, but known for insecurity !
– Foremost threats and risks are : Denial of Service, ARP attacks,
Manipulation of packet data, Man in the middle, Identity Theft
• Technology and knowledge are becoming very accessible:
– Clear evidence that common hackers are showing a growing interest in SCADA protocols and technology!
• Open SCADA protocols are designed for reliability and speed, but
security ?
Protocol risks & vulnerabilities. (cont’d)
• MODBUS(+) has known vulnerabilities: countermeasures are being put in place as we speak.
– Reminder: MODBUS is used for …
– Common attacks on MODBUS(+) protocols:
• generating network broadcast storms => interruption of service
• manipulating command data => reset system, disrupt component, reprogram
• DNP3 has multiple vulnerabilities: no current countermeasures.
– Reminder: DNP3 is used for …
– Common attacks on DNP3 protocols:
• degrade system performance (“IIN1.4 bit attack”: IIN1.4 is the NEED_TIME indication an outstation sets in its responses)
• manipulating command data => reset system, overwrite configuration file
• file manipulation on the industrial component
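The “IIN1.4 bit attack” above can be made concrete. The following is an added example, not code from the lecture or from any DNP3 vendor: it builds and parses single-fragment DNP3 link-layer frames (start bytes, length, control, addresses, CRC-DNP over the header and over each block of user data) and watches the NEED_TIME flag (IIN1.4) in application responses; an outstation address that keeps asserting it beyond a threshold within a time window is flagged, because a healthy outstation sets the bit once after a restart and clears it as soon as the master writes the time. The frames, the addresses (outstations 7 and 10, master 1) and the threshold of three per minute are constructed for this example. The CRC routine is the standard CRC-16/DNP (polynomial 0x3D65, reflected, final complement); the builder and the parser share it, so the example demonstrates frame structure and detection logic rather than interoperability with a particular device.

```python
"""
Minimal DNP3 link-layer codec and a detector for abuse of the IIN1.4 (NEED_TIME) bit.

Added example, not part of the lecture. Frames, addresses and thresholds are constructed.
"""
import struct
from collections import defaultdict, deque

DNP3_START = b"\x05\x64"
LINK_CTRL_UNCONFIRMED_USER_DATA = 0x44  # DIR=0, PRM=1, function 4: outstation -> master
APP_FUNC_RESPONSE = 0x81
IIN1_NEED_TIME = 1 << 4                # IIN1.4: outstation asks the master for a time sync
IIN1_DEVICE_RESTART = 1 << 7           # IIN1.7: legitimately accompanies NEED_TIME after a restart


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), init 0, final complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_response_frame(src: int, dst: int, iin1: int, iin2: int = 0, app_seq: int = 0) -> bytes:
    """Single-fragment DNP3 response: link header, transport header, application header (no objects)."""
    user_data = bytes([0xC0,                      # transport header: FIR|FIN, sequence 0
                       0xC0 | (app_seq & 0x0F),   # application control: FIR|FIN, sequence
                       APP_FUNC_RESPONSE, iin1, iin2])
    length = 5 + len(user_data)                   # CTRL + DEST(2) + SRC(2) + user data; CRCs excluded
    header = DNP3_START + struct.pack("<BBHH", length, LINK_CTRL_UNCONFIRMED_USER_DATA, dst, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):        # each block of up to 16 user bytes carries its own CRC
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_response_frame(frame: bytes) -> dict:
    """Check both CRC layers, then pull addresses and IIN flags out of an application response."""
    if frame[:2] != DNP3_START:
        raise ValueError("bad start bytes")
    header = frame[:8]
    if struct.unpack("<H", frame[8:10])[0] != crc_dnp(header):
        raise ValueError("header CRC mismatch")
    length, ctrl, dst, src = struct.unpack("<BBHH", header[2:8])
    remaining, pos, user_data = length - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc_dnp(block):
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos, remaining = pos + n + 2, remaining - n
    if len(user_data) < 5 or user_data[2] != APP_FUNC_RESPONSE:
        raise ValueError("not an application response")
    iin1, iin2 = user_data[3], user_data[4]
    return {"src": src, "dst": dst, "link_ctrl": ctrl, "app_ctrl": user_data[1],
            "iin1": iin1, "iin2": iin2, "need_time": bool(iin1 & IIN1_NEED_TIME)}


class NeedTimeDetector:
    """Flag an outstation address that asserts NEED_TIME more than `limit` times within `window` seconds.

    A forged or replayed response stream that keeps IIN1.4 set makes the master spend its
    polling budget on time synchronisation instead of process data."""

    def __init__(self, limit: int = 3, window: float = 60.0):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)          # src address -> timestamps of NEED_TIME responses

    def observe(self, frame: bytes, ts: float) -> bool:
        info = parse_response_frame(frame)
        if not info["need_time"]:
            return False
        q = self.events[info["src"]]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit


def demo() -> dict:
    """Constructed traffic: one honest post-restart NEED_TIME from outstation 7, a flood from outstation 10."""
    det = NeedTimeDetector(limit=3, window=60.0)
    honest = build_response_frame(src=7, dst=1, iin1=IIN1_NEED_TIME | IIN1_DEVICE_RESTART)
    flood = [build_response_frame(src=10, dst=1, iin1=IIN1_NEED_TIME, app_seq=i) for i in range(6)]
    return {"honest": det.observe(honest, 0.0),
            "flood": [det.observe(f, 1.0 + i) for i, f in enumerate(flood)]}


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the detector's verdicts: the honest outstation is never flagged, the flooding one is flagged from its fourth NEED_TIME response onwards. In a real deployment the timestamps come from the capture, the threshold from the observed baseline, and the parser would also need to reassemble multi-fragment transport sequences, which this example does not.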
Protocol risks & vulnerabilities. (cont’d)
• UCA / SMART GOOSE has vulnerabilities : more research is spent in
investigating into new vulnerabilities.
– Reminder : SMART GOOSE is used for high speed multi-device
communications
– Common attacks on UCA / SMART GOOSE protocols :
• interception of devices during “mentoring phase” (identification phase)
• ARP table manipulations resulting in Denial of Service condition !
• OPC has multiple vulnerabilities : authentication ?
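The ARP spoofing incident at the Middle East sea port (“Some first hand experiences”) and the ARP table manipulation against UCA / GOOSE devices above exploit the same weakness: any host on the segment can claim any IP address. As an added example (not from the lecture), here is a passive monitor that parses raw Ethernet/ARP frames as they would arrive from a SPAN port and alerts when a reply rebinds an IP address that is already bound to another MAC, including gratuitous replies and frames whose Ethernet source does not match the ARP sender field. The HMI, PLC and attacker addresses are invented and the frames are constructed in `demo()`; a plant team would seed the table from its asset inventory instead.

```python
"""
Passive ARP monitor that flags cache-poisoning replies on a control network segment.

Added example, not part of the lecture. Frames and addresses are constructed.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None, eth_dst=BROADCAST):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (htype 1, ptype 0x0800, 6/4 byte addresses)."""
    eth = eth_dst + (eth_src or sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not an IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(frame[6:12]),
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
            "gratuitous": frame[28:32] == frame[38:42]}   # sender announces its own address


class ArpMonitor:
    """Learns IP->MAC bindings (or starts from a static table of known HMIs/PLCs) and alerts on changes."""

    def __init__(self, static_bindings=None):
        self.table = dict(static_bindings or {})   # ip -> mac
        self.alerts = []

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None:
            return None
        alert = None
        if a["eth_src"] != a["sender_mac"]:
            # a spoofing tool that forgets to fake the Ethernet source gives itself away here
            alert = ("eth/arp sender mismatch", a["sender_ip"], a["eth_src"], a["sender_mac"])
        known = self.table.get(a["sender_ip"])
        if known is None:
            self.table[a["sender_ip"]] = a["sender_mac"]    # first sighting: learn it
        elif known != a["sender_mac"]:
            # the sender claims an IP already bound to another MAC: the poisoning signature
            kind = "gratuitous rebind" if a["gratuitous"] else "ip-to-mac change"
            alert = (kind, a["sender_ip"], known, a["sender_mac"])
        if alert:
            self.alerts.append(alert)
        return alert


def demo() -> list:
    """Constructed scenario: an attacker poisons both the HMI and the PLC to sit in the middle."""
    hmi_mac, hmi_ip = bytes.fromhex("001122334455"), bytes([192, 168, 10, 5])
    plc_mac, plc_ip = bytes.fromhex("00aabbccdd01"), bytes([192, 168, 10, 20])
    atk_mac = bytes.fromhex("00deadbeef00")
    mon = ArpMonitor({"192.168.10.20": mac_str(plc_mac)})    # PLC binding pinned from the asset list
    frames = [
        build_arp(ARP_REQUEST, hmi_mac, hmi_ip, ZERO_MAC, plc_ip),                  # HMI asks for the PLC
        build_arp(ARP_REPLY, plc_mac, plc_ip, hmi_mac, hmi_ip, eth_dst=hmi_mac),    # honest reply
        build_arp(ARP_REPLY, atk_mac, plc_ip, hmi_mac, hmi_ip, eth_dst=hmi_mac),    # "the PLC is at attacker"
        build_arp(ARP_REPLY, atk_mac, hmi_ip, plc_mac, plc_ip, eth_dst=plc_mac),    # "the HMI is at attacker"
        build_arp(ARP_REPLY, atk_mac, plc_ip, BROADCAST, plc_ip),                   # gratuitous claim of PLC IP
    ]
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two poisoning replies and the gratuitous claim produce alerts; the request and the honest reply do not. On a real segment the monitor should pin the bindings of every PLC and HMI from the asset list rather than learning them, otherwise an attacker who speaks first is learned as the legitimate owner.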
Protocol risks & vulnerabilities. (cont’d)
• Multiple wireless connections => multiple attacks !
– Physical presence is no longer required: the attack zone is the wireless range
– Wireless in a real-time communication environment ? Beware !
• Bluetooth (IEEE 802.15.1). Insecure.
– Known attacks to send AT commands, download address books and break
pairing mechanisms
• WLAN (IEEE 802.11). Insecure.
– Multiple attacks including encryption key breaking (WEP/WPA), MAC bypass
attacks, Access Point denial of service attacks
Protocol risks & vulnerabilities. (cont’d)
• Zigbee (IEEE 802.15.4). Low power radio transmission.
– Frequency disruption attacks => denial of service or alert mode
• WiMAX (IEEE 802.16). Untested.
– Huge area span (up to ~50 km coverage) equals your attack range :-)
Systems.
• Most systems run COTS / 3rd party operating systems, including
Microsoft Windows, Linux, VMS and Solaris.
• The shift from proprietary systems to open systems has led to widespread interest in underground research communities in investigating SCADA component vulnerabilities.
– No more security by obscurity
• And… Where are they deployed ? What are they actually used for ?
– Infested with malware, worm and virus infections ?
– Backdoored using root kits ?
– Member of botnets ?
Systems. (cont’d)
• BCIT 2005 Findings on system attacks :
Summary of risks scenarios.
• SCADA command systems can be hijacked or disrupted using widely available knowledge and open source tools.
• SCADA protocols offer no authentication mechanisms.
• SCADA protocols have no encryption capabilities.
• SCADA systems have “different” patch cycles than IT systems:
– Patching production SCADA systems is often simply out of the question!
• Uncontrolled connectivity of SCADA systems and related components to untrusted networks.
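Because MODBUS carries no credentials (the second point above), the only place to enforce who may write to a PLC is a chokepoint that understands the protocol, which is what the deck later calls “specialized firewall technologies”. The following is an added example, not code from the lecture: it parses the Modbus/TCP MBAP header and PDU, classifies the function code, rejects a malformed Write Single Coil value, and allows writes and diagnostics (function 8, whose sub-functions include Restart Communications and Force Listen Only Mode, both of which take a device off the process) only from listed engineering hosts to listed PLCs, while reads are permitted to a wider read-only list. The host addresses, unit id and coil address are constructed.

```python
"""
Protocol-aware Modbus/TCP allow-list filter.

Added example, not part of the lecture. Host addresses, unit ids and register addresses are constructed.
"""
import struct

FUNC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
              4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
              8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCS = {1, 2, 3, 4}
WRITE_FUNCS = {5, 6, 15, 16}
DIAGNOSTICS = 8   # sub-functions include 0x0001 Restart Communications, 0x0004 Force Listen Only Mode


def build_request(unit: int, func: int, payload: bytes, tid: int = 1) -> bytes:
    """MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU."""
    pdu = bytes([func]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def write_single_coil(unit: int, address: int, on: bool, tid: int = 1) -> bytes:
    return build_request(unit, 5, struct.pack(">HH", address, 0xFF00 if on else 0x0000), tid)


def read_holding_registers(unit: int, address: int, count: int, tid: int = 1) -> bytes:
    return build_request(unit, 3, struct.pack(">HH", address, count), tid)


def diagnostics(unit: int, sub_function: int, data: int = 0, tid: int = 1) -> bytes:
    return build_request(unit, 8, struct.pack(">HH", sub_function, data), tid)


def parse_modbus_tcp(data: bytes) -> dict:
    """Validate the MBAP header and return the decoded function code and PDU payload."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (Modbus)")
    if length != len(data) - 6:
        raise ValueError("MBAP length does not match frame size")
    func, payload = data[7], data[8:]
    if func == 5 and (len(payload) != 4 or payload[2:4] not in (b"\xff\x00", b"\x00\x00")):
        raise ValueError("invalid Write Single Coil payload")      # only 0xFF00 / 0x0000 are legal
    return {"tid": tid, "unit": unit, "func": func, "name": FUNC_NAMES.get(func, "unknown"),
            "payload": payload}


class ModbusFilter:
    """Decide per frame whether a source host may send this function to this PLC.

    Modbus carries no credentials, so source address plus function code is all a chokepoint
    has to go on: writes and diagnostics are restricted to listed engineering/HMI hosts,
    reads to a wider read-only list, everything else is dropped."""

    def __init__(self, write_allowed: dict, read_allowed: set):
        self.write_allowed = write_allowed    # src ip -> set of PLC ips it may write to
        self.read_allowed = read_allowed      # src ips permitted to read from any PLC

    def decide(self, src_ip: str, dst_ip: str, data: bytes) -> tuple:
        try:
            msg = parse_modbus_tcp(data)
        except ValueError as err:
            return ("DROP", f"malformed Modbus/TCP from {src_ip}: {err}")
        func, name = msg["func"], msg["name"]
        if func in WRITE_FUNCS or func == DIAGNOSTICS:
            if dst_ip in self.write_allowed.get(src_ip, set()):
                return ("ALLOW", f"{name} unit {msg['unit']} from {src_ip} to {dst_ip}")
            return ("DROP", f"{name} to {dst_ip} from host {src_ip} not on write list")
        if func in READ_FUNCS:
            if src_ip in self.read_allowed or src_ip in self.write_allowed:
                return ("ALLOW", f"{name} from {src_ip} to {dst_ip}")
            return ("DROP", f"{name} from host {src_ip} not on read list")
        return ("DROP", f"function {func} ({name}) not permitted on this link")


def demo() -> list:
    """Constructed traffic against PLC 10.10.1.20: engineering station, read-only HMI, corporate laptop."""
    plc = "10.10.1.20"
    flt = ModbusFilter(write_allowed={"10.10.1.5": {plc}},            # engineering station
                       read_allowed={"10.10.1.6"})                    # historian / read-only HMI
    traffic = [
        ("10.10.1.5", plc, write_single_coil(1, 0x0010, True)),       # allowed write
        ("10.10.1.6", plc, read_holding_registers(1, 0x0000, 8)),     # allowed read
        ("10.10.1.6", plc, write_single_coil(1, 0x0010, False)),      # read-only host tries to write
        ("10.20.0.77", plc, read_holding_registers(1, 0x0000, 8)),    # corporate laptop polling the PLC
        ("10.20.0.77", plc, diagnostics(1, 0x0004)),                  # Force Listen Only Mode attempt
        ("10.20.0.77", plc, write_single_coil(1, 0x0010, True)[:-1] + b"\x55"),  # corrupt coil value
    ]
    return [flt.decide(src, dst, data)[0] for src, dst, data in traffic]


if __name__ == "__main__":
    print(demo())
```

A filter like this sits inline in front of the control segment; the same parse-and-classify logic run passively on mirrored traffic gives the detection counterpart, an alert for every frame that would have been dropped.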
So, technically speaking…
• Uncontrolled SCADA environments are easily prone to :
– Disruption of services, bringing the industrial process to a halt;
– Manipulation of data that might disrupt industrial processes or seriously
sabotage the environment;
– External intrusions using Internet, dial-in or remote management software;
• Question. How does all this apply to your infrastructure?
– You do the math…
What did we see already ?
• Frankly put. Too much :
– Remote access software (Microsoft RDP) using one-letter passwords
– Direct dial in for control of pumps without authentication
– Corporate networks directly connected with industrial control network
segments
– Unprotected wireless access points “because it's faster”
– Lost PDAs with service software for industrial food processing components
– 0-day OPC/DNP3 exploit code circulating in underground hacking networks
– Malware infected HMI systems used for browsing “non work related”
websites
– …
Some risk mitigation practices.
• Apply a layered security approach / Defense in Depth principle !
• Cyber security for process control :
– Performance (real-time, critical response, no delay allowed)
– Availability (outage is not acceptable, fault tolerant, pre-deployment testing)
– Security scope (controllers, field devices, stations, servers, protocols)
– Time critical interaction (response to human emergency action is crucial)
– Communications (proprietary protocols, diverse communication carriers)
– Software updates (strictly controlled updates)
Some risk mitigation practices. (cont’d)
• Your control environment security mission :
– CYBER SECURITY FOR INDUSTRIAL CONTROL SYSTEMS IS TO DESIGN,
BUILD AND MAINTAIN SYSTEMS TO BE AVAILABLE, TO ASCERTAIN THAT
OPERATORS ARE IN CONTROL AND THAT THE PROCESSES OF THE PLANT
ARE SECURED.
• Ensure that the plant’s requirements are met in terms of availability,
integrity and confidentiality
• Ensure that staff / operators are given proper security training and
awareness
• Embed security as an integral part in the life cycle process of your
environment
Some risk mitigation practices. (cont’d)
• Venues where INFOSEC principles apply :
– Enforcement of Security Policies and procedures
– Risk Management principles applied to process control environments
– Security and Contingency planning
– Incident response planning
– Physical and Personnel security
– Awareness and Training
• Technology applied principles :
– Access control mechanisms
– Identification and strong authentication protocols
– Auditing, IDS and logging mechanisms
– Encryption technology
– Specialized Firewall technologies
Some risk mitigation practices. (cont’d)
• Where to start ? Guiding documents ?
Some risk mitigation practices. (cont’d)
• Where to find more information and advisory :
– NISCC / BCIT Good Practices Whitepaper
• http://www.niscc.gov.uk/niscc/docs/re-20050223-00157.pdf
– US Department of Energy
• http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf
– Multiple Industry Organizations involved with security best practices :
SANDIA, NERC, AGA, API, CIGRE, IEC, ISA, IEEE, NIST, CIAO
Questions? Debate.
CYBER THREATS TO CRITICAL INFRASTRUCTURES
Filip MAERTENS
Partner Uniskill, Audit & Assessment Services
CISA, CISSP
filip.maertens@uniskill.com
Corporate Information.
For more information, please visit http://www.uniskill.com.

 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsFilip Maertens
 

Mais de Filip Maertens (18)

Cannes Lions Innovation, unlocking mobile personalisation using sensors
Cannes Lions Innovation, unlocking mobile personalisation using sensorsCannes Lions Innovation, unlocking mobile personalisation using sensors
Cannes Lions Innovation, unlocking mobile personalisation using sensors
 
Ad:Tech Conference 2014
Ad:Tech Conference 2014Ad:Tech Conference 2014
Ad:Tech Conference 2014
 
Startups.be Tech Days 2014
Startups.be Tech Days 2014Startups.be Tech Days 2014
Startups.be Tech Days 2014
 
The Age of Empathic Devices - Beyond Fusion 2014 Conference
The Age of Empathic Devices - Beyond Fusion 2014 ConferenceThe Age of Empathic Devices - Beyond Fusion 2014 Conference
The Age of Empathic Devices - Beyond Fusion 2014 Conference
 
On Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & OutlooksOn Mining Bitcoins - Fundamentals & Outlooks
On Mining Bitcoins - Fundamentals & Outlooks
 
On Leadership
On LeadershipOn Leadership
On Leadership
 
FLYSE Kick Off Event Presentation
FLYSE Kick Off Event PresentationFLYSE Kick Off Event Presentation
FLYSE Kick Off Event Presentation
 
TEDx UHasselt Salon 2013
TEDx UHasselt Salon 2013TEDx UHasselt Salon 2013
TEDx UHasselt Salon 2013
 
Mobile Premier Awards 2013
Mobile Premier Awards 2013Mobile Premier Awards 2013
Mobile Premier Awards 2013
 
LeWeb 2012 Paris Startup Competition Pitch
LeWeb 2012 Paris Startup Competition PitchLeWeb 2012 Paris Startup Competition Pitch
LeWeb 2012 Paris Startup Competition Pitch
 
VOKA BRYO Keynote Speech
VOKA BRYO Keynote SpeechVOKA BRYO Keynote Speech
VOKA BRYO Keynote Speech
 
Fail Con 2012
Fail Con 2012Fail Con 2012
Fail Con 2012
 
Apps Marathon 2012
Apps Marathon 2012Apps Marathon 2012
Apps Marathon 2012
 
TEDx Leuven 2012
TEDx Leuven 2012TEDx Leuven 2012
TEDx Leuven 2012
 
ECSA Cyber Security Conference 2011
ECSA Cyber Security Conference 2011ECSA Cyber Security Conference 2011
ECSA Cyber Security Conference 2011
 
Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011Mobile Banking Channel Security - Cyber Security Conference 2011
Mobile Banking Channel Security - Cyber Security Conference 2011
 
Media Marketing Days 2011
Media Marketing Days 2011Media Marketing Days 2011
Media Marketing Days 2011
 
Digital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic InvestigationsDigital Evidence in Computer Forensic Investigations
Digital Evidence in Computer Forensic Investigations
 

SCADA Security Presentation

  • 1. ECSA Lecture – 15.06.2006 Cyber threats to critical infrastructures. A summary on emerging contemporary national threats.
  • 2. About. CYBER THREATS TO CRITICAL INFRASTRUCTURES. Filip MAERTENS, Partner Uniskill, Audit & Assessment Services, CISA, CISSP, filip.maertens@uniskill.com
  • 3. Agenda. • The Fear Factor • What are the components? • Emerging threats and vulnerabilities • Risk mitigating practices
  • 4. The Fear Factor. • Chevron (1992). The emergency alert system was sabotaged by a disgruntled employee in over 22 states. • Worcester Airport (1997). An external hacker shut down the air and ground traffic communication system for six hours. • Gazprom (1998). Foreign hackers seized control of the main EU gas pipelines using trojan horse attacks. • Queensland, Australia (2000). A disgruntled former contractor hacked into the sewage control system and released over a million liters of raw sewage into coastal waters.
  • 5. The Fear Factor. (cont'd) • Venezuela Port (2002). Hackers disabled PLC components during national unrest and a general workers' strike, disabling the country's main port. • Ohio Davis-Besse Nuclear Plant (2003). The plant safety monitoring system was shut down by the Slammer worm for nearly five hours. • Israel Electric Corporation (2003). Cyber attacks originating from Iran penetrated IEC, but failed to shut down the power grid using DoS attacks. • DaimlerChrysler (2005). 13 U.S. manufacturing plants were shut down due to multiple Internet worm infections (Zotob, RBot, IRCBot).
  • 6. Some first hand experiences. • International Energy Company (2005). A malware-infected HMI system disabled the emergency stop of equipment under heavy weather conditions. • Middle East Sea Port (2006). Intrusion test gone wrong: ARP spoofing attacks shut down the port signaling system. • International Petrochemical Company (2006). Extremist propaganda was found together with text files containing usernames and passwords of control systems.
  • 7. False stories. Yet… • U.S. East Coast blackout (2003). A worm did not cause the blackout, yet the Blaster worm had significantly infected the systems related to the large scale power blackout. • Al Qaeda plans worldwide attacks on SCADA technology (2003). Computers and manuals seized in Al Qaeda training camps did contain information on dams and related infrastructures, yet there is no clear evidence of attacks in the near future. • "Beware. Cyber terrorism is near!" (2003). IDC research publications appear to be based on strong coffee rather than factual research.
  • 8. The US Blackout in pictures. (image slide)
  • 9. So far, so good? • No human beings are known to have been killed by cyber attacks: – Dorothy Denning: "Unless people are injured, there is less drama and emotional appeal." • Operations personnel are highly trained for emergencies: – Safety is paramount. But do we know how to respond to cyber attacks? • Cyber terrorism does not scare the public as much as 9/11 type attacks: – Large scale ignorance; the general public remains oblivious to cyber threats to our critical infrastructure components.
  • 10. Agenda. • The Fear Factor • What are the components? • Emerging threats and vulnerabilities • Risk mitigating practices
  • 11. The NCI playground. • National Critical Infrastructures (NCI) include, amongst others, the following sectors: – Energy, Communications, Emergency Services, Finance, Government & Public Services, Water, Transportation, Food, Health Services and Public Safety • These industries use Supervisory Control and Data Acquisition (SCADA) systems to monitor and control industrial processes through the collection and analysis of real-time data. • National infrastructures depend on SCADA technologies and systems!
  • 12. Reliance on SCADA. • Advancements in control systems require fewer manual operator interventions and allow more automated control. • Master station software analyzes more internally and presents less to the operator. • HMI / operator software must meet stringent safety requirements for some markets, but there are no specific requirements on security.
  • 13. How does SCADA affect me? • SCADA is a wide and generic term for the whole of industrial control and monitoring systems that: – Provide power to your home – Bring water into your life – Control the traffic lights on the way to your office – Control the commuter train you are on every day – Handle the air conditioning in your office – Allow you to call your wife to tell her you'll be late • I'd say it pretty much affects every one of us, wouldn't you?
  • 14. The SCADA components. • Multi-tier SCADA terminology crash course: – Control endpoints, such as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), to measure voltages, adjust valves, flip switches, … – Human Machine Interface or HMI (often Windows-based GUIs) – Intermediate control systems (based on commercial 3rd party OSs) • Extensive usage of open networking and data communication standards, such as MODBUS, Distributed Network Protocol (DNP) and Utility Communication Architecture (UCA). – Wide variety of communication carriers: serial, wireless, radio, analogue, … – Raw data transmission protocols, e.g. MODBUS, DNP3, … • designed for radio/serial links but now tunnelled over TCP/IP to read alerts and send commands – High level data protocols, e.g. ICCP, OPC / DCOM, … • designed to provide information to humans and take commands
  • 15. The SCADA components. (cont'd) • Building blocks of SCADA: – Operating & monitoring systems • open systems (Microsoft, Linux, Solaris, …) • operating system vulnerabilities (e.g. vulndev, bugtraq, full-disclosure, …) – Communication network • Ethernet, fiber or wireless TCP/IP based transmissions • TCP/IP vulnerabilities (e.g. ARP spoofing, TCP ISN prediction, …) • OPC / DCOM / ICCP / MODBUS / UCA / DNP3 / … vulnerabilities – Instrumentation & industrial systems • no authentication, …
  • 16. Sample SCADA components. (diagram: OPC, ICCP, DNP3) • OPC: optimized for making it easy to program HMI applications • DNP3: optimized for collecting data from simple devices • ICCP: optimized for passing bulk data to systems, e.g. databases, trading or other systems • HMI: presenting data and pushing commands. Where is your human located?
  • 17. A simple network overview. (image slide)
  • 18. Some visuals. (image slide)
  • 19. Some visuals. (image slide)
  • 20. The SCADA requirements. • Determinism: – Quality of Service of data communication services – Precise interrupt timing – Reliability and latency are more important than throughput • Minimal computing resources: – Legacy equipment (pre-486 era) – Bandwidth issues including noise, accessibility, etc. – Little room for "extra features", e.g. encryption, authentication, etc. • Real-time operating systems: – Lacking encryption, authentication and authorization (AuthN, AuthZ)
  • 21. General INFOSEC concepts. • Applied to modern SCADA environments (in order of importance): 1. Availability: easy to perform attacks & multiple attack vectors! 2. Integrity: multiple attacks & high risks! 3. Confidentiality: multiple attacks & medium risks.
  • 22. Known attack motives. • Industrial sabotage: – Disgruntled employees – Black-hat hackers & criminals for personal gain • Coordinated terrorism / eco-terrorists / "hacktivism": – Joint physical and cyber attacks – Vendor compromise • Let's not forget operator error: – Human errors ("forgetting procedures") and operational failures
  • 23. Agenda. • The Fear Factor • What are the components? • Emerging threats and vulnerabilities • Risk mitigating practices
  • 24. Emerging threats & vulnerabilities. • Convergence of technology equals convergence of risk: – Migration of proprietary systems to open systems (the end of "security by obscurity") – Usage of TCP/IP Ethernet networks – Traditionally built to be safe and reliable. But what about secure? • Main drivers and trends: – Convergence of corporate IT with industrial operations – Migration towards open protocols, e.g. MODBUS, DNP3, … over Ethernet carriers – Wireless technology increasingly used – Remote access for maintenance and support facilities
  • 25. Layers of cyber security attacks. (image slide)
  • 26. Layers of risk. • Network (inter)connectivity & general access risks: entry vectors – Local area network / corporate networks – Internet connections – Direct access connections – Out-of-band access connections • Network protocol risks: attack vectors – Known TCP/IP Ethernet based vulnerabilities – Wireless connectivity problems – Open SCADA protocol vulnerabilities • Monitoring and command system risks: attack vectors – Known open system vulnerabilities (e.g. Microsoft, Linux, Solaris, …)
  • 27. Connectivity & Access. • LAN & corporate network interconnectivity: – Using simple, or even non-existent, packet filters – Threats from corporate environments (e.g. viruses, hackers, …) can easily jump to industrial networks => huge risk propagation factor. • A BCIT survey on incidents by internal entry points: (chart not reproduced)
  • 28. Connectivity & Access. (cont'd) • Internet connectivity => uncontrolled, a huge risk in its own right – Major threat for HMI and other operator systems! – Increasing number of external attacks over the Internet • A BCIT survey on incidents by external entry points: (chart not reproduced)
  • 29. Connectivity & Access. (cont'd) • Direct access connections: – 3rd party vendor access often needed for remote support and maintenance – Remote access often preferred for "remote management" purposes – Direct access connections: • dial-in • xDSL and direct cable connections with remote management software (cf. Internet access) • wireless – Direct access often used with low or no identification and authentication controls in place. • Problems with third-party contractors, suppliers and vendors
  • 30. Connectivity & Access. (cont'd) • Out-of-band connections: – All of the above, but … now without anyone knowing it! – Common types of out-of-band connections: • rogue access points • uncontrolled dial-up modems • uncontrolled connection tunnels (e.g. VPN, …) – Problem: network traffic is bidirectional! *sigh*
  • 31. Protocol risks & vulnerabilities. • Supporting network protocols are Ethernet & TCP/IP based: – Designed for reliable packet transport, but known for insecurity! – Foremost threats and risks are: denial of service, ARP attacks, manipulation of packet data, man in the middle, identity theft • Technology and knowledge become very accessible: – Clear evidence that common hackers are showing a growing interest in SCADA protocols and technology! • Open SCADA protocols are designed for reliability and speed, but security?
  • 32. Protocol risks & vulnerabilities. (cont'd) • MODBUS(+) has known vulnerabilities: countermeasures are being put in place as we speak. – Reminder: MODBUS is used for … – Common attacks on MODBUS(+) protocols: • generating network broadcast storms => interruption of service • manipulating command data => reset system, disrupt component, reprogram • DNP3 has multiple vulnerabilities: no current countermeasures. – Reminder: DNP3 is used for … – Common attacks on DNP3 protocols: • degrading system performance ("IIN1.4 bit attack") • manipulating command data => reset system, overwrite configuration file • file manipulation on the industrial component
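The slide above says MODBUS carries commands with no authentication and that countermeasures are only now being put in place. The following Python is an added example, not code from the lecture or from Uniskill: it encodes a Modbus/TCP Write Single Coil request exactly as anyone who can reach TCP port 502 could, decodes the MBAP header, and then applies the kind of function-code allow-list a Modbus-aware firewall (the "specialized firewall technology" of the mitigation slides) would enforce between zones. The frame layout follows the public Modbus/TCP specification; the zone names, the policy table and the sample frame are assumptions made for this example.

```python
"""Modbus/TCP frame handling and a per-zone function-code allow-list.

Added example for this page; not code from the lecture or from Uniskill.
Modbus/TCP frame layout (public spec): MBAP header + PDU, big-endian:
  transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
  | function code (1) | data
The zone names, the policy table and the sample frames are constructed
for illustration.
"""
import struct

# Public Modbus function codes (subset). Writes change process state.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def build_request(transaction_id, unit_id, function_code, data):
    """Encode a Modbus/TCP request.

    There is no field for credentials anywhere in this frame: anyone who can
    reach TCP/502 can emit a valid write, which is the slide's point."""
    pdu = struct.pack(">B", function_code) + data
    # MBAP 'length' counts the unit id byte plus the PDU
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_coil(transaction_id, unit_id, address, on):
    """FC 05: value 0xFF00 switches the coil on, 0x0000 switches it off."""
    value = 0xFF00 if on else 0x0000
    return build_request(transaction_id, unit_id, 5,
                         struct.pack(">HH", address, value))


def parse_frame(frame):
    """Decode MBAP header + function code; raise ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    return {"transaction_id": tid, "unit_id": uid, "function_code": fc,
            "data": frame[8:], "is_write": fc in WRITE_FUNCTIONS}


# Constructed zone policy (assumption): the corporate/historian side may
# only read; writes are accepted only from the HMI segment.
POLICY = {
    "corporate": set(READ_FUNCTIONS),
    "hmi": set(READ_FUNCTIONS) | set(WRITE_FUNCTIONS),
}


def filter_frame(source_zone, frame):
    """Return ('allow'|'deny', reason) as a Modbus-aware firewall would."""
    try:
        parsed = parse_frame(frame)
    except ValueError as exc:
        return "deny", f"malformed: {exc}"
    fc = parsed["function_code"]
    if fc in POLICY.get(source_zone, set()):
        return "allow", f"FC {fc} permitted from {source_zone}"
    return "deny", f"FC {fc} not permitted from {source_zone}"


if __name__ == "__main__":
    # Constructed sample: energise coil 0x0010 on unit 1, as an attacker would craft it
    frame = write_single_coil(1, 1, 0x0010, True)
    print(frame.hex())                      # 00010000000601050010ff00
    print(filter_frame("corporate", frame)) # deny: a write from the corporate side
    print(filter_frame("hmi", frame))       # allow: the HMI is expected to write
```

The allow-list is deliberately by function code and source zone rather than by IP address alone, because on a flat Ethernet segment the source address is exactly what ARP spoofing lets an attacker forge; a deny on malformed frames also keeps fuzzed packets away from the PLC's own parser.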
  • 33. Protocol risks & vulnerabilities. (cont'd) • UCA / SMART GOOSE has vulnerabilities: more research is being spent on investigating new vulnerabilities. – Reminder: SMART GOOSE is used for high speed multi-device communications – Common attacks on UCA / SMART GOOSE protocols: • interception of devices during the "mentoring phase" (identification phase) • ARP table manipulation resulting in a denial of service condition! • OPC has multiple vulnerabilities: authentication?
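Slides 6, 15, 31 and 33 all point at ARP manipulation, which is trivial on a flat control network segment and which in the port case above took the signaling system down. The following is an added example, not code from the lecture or from Uniskill: a detector that replays constructed ARP records against a baseline of IP-to-MAC bindings and reports (a) an IP suddenly claimed by a different MAC, the spoofing / man-in-the-middle case, and (b) a burst of unsolicited replies from one MAC, the table-manipulation denial-of-service case. The baseline table, the addresses, the packets and the thresholds are all constructed for this example.

```python
"""ARP cache-poisoning detector over a list of captured ARP packets.

Added example for this page, not the lecture's or Uniskill's code. The
baseline of known IP-to-MAC pairs, the addresses, the packets and the
thresholds below are constructed for the example, not taken from a real
capture.
"""
from collections import defaultdict, namedtuple

# op: 1 = request, 2 = reply (RFC 826 values)
ArpPacket = namedtuple("ArpPacket", "ts op sender_mac sender_ip target_ip")


def detect_arp_spoofing(packets, baseline, flood_window=1.0, flood_threshold=5):
    """Return a list of alert strings, in time order.

    baseline: dict ip -> mac learnt during commissioning. Static addressing
    is the norm on control networks, which is what makes this check workable.
    """
    alerts = []
    bindings = dict(baseline)
    reply_times = defaultdict(list)  # sender_mac -> timestamps of its replies
    for p in sorted(packets, key=lambda p: p.ts):
        if p.op != 2:
            continue  # only replies update a peer's ARP cache
        known = bindings.get(p.sender_ip)
        if known is not None and known != p.sender_mac:
            # Symptom (a): a baseline IP is being claimed by another MAC
            alerts.append(f"{p.ts:.2f}: {p.sender_ip} claimed by {p.sender_mac}, "
                          f"baseline is {known}")
        elif known is None:
            bindings[p.sender_ip] = p.sender_mac  # first sighting: learn it
        # Symptom (b): a burst of replies from one MAC inside the window
        recent = [t for t in reply_times[p.sender_mac] if p.ts - t <= flood_window]
        recent.append(p.ts)
        reply_times[p.sender_mac] = recent
        if len(recent) == flood_threshold:
            alerts.append(f"{p.ts:.2f}: {len(recent)} ARP replies from "
                          f"{p.sender_mac} within {flood_window}s")
    return alerts


BASELINE = {  # constructed: learnt during commissioning (assumption)
    "10.10.0.10": "00:11:22:33:44:10",  # HMI
    "10.10.0.20": "00:11:22:33:44:20",  # PLC
}

SAMPLE_CAPTURE = [  # constructed packets, not a real capture
    ArpPacket(0.00, 2, "00:11:22:33:44:20", "10.10.0.20", "10.10.0.10"),  # legitimate PLC reply
    ArpPacket(0.50, 2, "00:de:ad:be:ef:01", "10.10.0.20", "10.10.0.10"),  # poison the HMI's cache
    ArpPacket(0.60, 2, "00:de:ad:be:ef:01", "10.10.0.10", "10.10.0.20"),  # poison the PLC's cache
    ArpPacket(1.00, 1, "00:11:22:33:44:10", "10.10.0.10", "10.10.0.20"),  # request: ignored
] + [  # five unsolicited replies in 0.4 s from a second rogue station
    ArpPacket(2.0 + i / 10, 2, "00:de:ad:be:ef:02", "10.10.0.99", "10.10.0.10")
    for i in range(5)
]


def run_sample():
    """Run the detector over the constructed capture; returns the alerts."""
    return detect_arp_spoofing(SAMPLE_CAPTURE, BASELINE)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On a DHCP-assigned network the learn-on-first-sight fallback would need an expiry and a way to reconcile lease changes; on a static control segment the baseline can simply be the commissioning inventory, and any deviation from it is worth an operator's attention before the process, not just the network, is affected.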
  • 34. Protocol risks & vulnerabilities. (cont'd) • Multiple wireless connections => multiple attacks! – Physical presence no longer required; the attack zone depends on wireless range – Wireless in a real-time communication environment? Beware! • Bluetooth (IEEE 802.15.1). Insecure. – Known attacks to send AT commands, download address books and break pairing mechanisms • WLAN (IEEE 802.11). Insecure. – Multiple attacks including encryption key breaking (WEP/WPA), MAC filter bypass attacks, access point denial of service attacks
  • 35. Protocol risks & vulnerabilities. (cont'd) • Zigbee (IEEE 802.15.4). Low power radio transmission. – Frequency disruption attacks => denial of service or alert mode • WiMAX (IEEE 802.16). Untested. – Huge area span (> 50 km coverage) equals your attack range :-)
  • 36. Systems. • Most systems run COTS / 3rd party operating systems, including Microsoft Windows, Linux, VMS and Solaris. • The shift from proprietary systems to open systems has led to widespread interest in underground research communities in investigating SCADA component vulnerabilities. – No more security by obscurity • And… where are they deployed? What are they actually used for? – Infested with malware, worm and virus infections? – Backdoored using rootkits? – Members of botnets?
  • 37. Systems. (cont'd) • BCIT 2005 findings on system attacks: (chart not reproduced)
  • 38. Summary of risk scenarios. • SCADA command systems can be hijacked and disrupted using widely available knowledge and open source tools. • SCADA protocols offer no authentication mechanisms. • SCADA protocols have no encryption capabilities. • SCADA systems have "different" patch cycles than IT systems: – Patching production SCADA systems is often simply out of the question! • Uncontrolled connectivity of SCADA systems and related components to untrusted networks.
  • 39. So, technically speaking… • Uncontrolled SCADA environments are easily prone to: – Disruption of services, bringing the industrial process to a halt; – Manipulation of data that might disrupt industrial processes or seriously sabotage the environment; – External intrusions using the Internet, dial-in or remote management software. • Question: how does all this apply to your infrastructure? – You do the math…
  • 40. What did we see already? • Frankly put: too much. – Remote access software (Microsoft RDP) using one-letter passwords – Direct dial-in for control of pumps without authentication – Corporate networks directly connected to industrial control network segments – Unprotected wireless access points "because it's faster" – Lost PDAs with service software for industrial food processing components – 0-day OPC/DNP3 exploit code circulating in underground hacking networks – Malware-infected HMI systems used for browsing "non work related" websites – …
  • 41. Agenda. • The Fear Factor • What are the components? • Emerging threats and vulnerabilities • Risk mitigating practices
  • 42. Some risk mitigation practices. • Apply a layered security approach / defense in depth principle! • Cyber security for process control must respect: – Performance (real-time, critical response, no delay allowed) – Availability (outage is not acceptable, fault tolerant, pre-deployment testing) – Security scope (controllers, field devices, stations, servers, protocols) – Time critical interaction (response to human emergency action is crucial) – Communications (proprietary protocols, diverse communication carriers) – Software updates (strictly controlled updates)
  • 43. Some risk mitigation practices. (cont'd) • Your control environment security mission: – CYBER SECURITY FOR INDUSTRIAL CONTROL SYSTEMS IS TO DESIGN, BUILD AND MAINTAIN SYSTEMS TO BE AVAILABLE, TO ASCERTAIN THAT OPERATORS ARE IN CONTROL AND THAT THE PROCESSES OF THE PLANT ARE SECURED. • Ensure that the plant's requirements are met in terms of availability, integrity and confidentiality • Ensure that staff / operators are given proper security training and awareness • Embed security as an integral part of the life cycle process of your environment
  • 44. Some risk mitigation practices. (cont'd) • Areas where INFOSEC principles apply: – Enforcement of security policies and procedures – Risk management principles applied to process control environments – Security and contingency planning – Incident response planning – Physical and personnel security – Awareness and training • Technology applied principles: – Access control mechanisms – Identification and strong authentication protocols – Auditing, IDS and logging mechanisms – Encryption technology – Specialized firewall technologies
  • 45. Some risk mitigation practices. (cont'd) • Where to start? Guiding documents? (image slide)
  • 46. Some risk mitigation practices. (cont'd) • Where to find more information and advisory: – NISCC / BCIT Good Practices Whitepaper • http://www.niscc.gov.uk/niscc/docs/re-20050223-00157.pdf – US Department of Energy • http://www.ea.doe.gov/pdfs/21stepsbooklet.pdf – Multiple industry organizations involved with security best practices: SANDIA, NERC, AGA, API, CIGRE, IEC, ISA, IEEE, NIST, CIAO
  • 47. Questions? Debate. CYBER THREATS TO CRITICAL INFRASTRUCTURES. Filip MAERTENS, Partner Uniskill, Audit & Assessment Services, CISA, CISSP, filip.maertens@uniskill.com
  • 48. Corporate Information. For more information, please visit http://www.uniskill.com.