Addressing CIP
Description: Critical Infrastructure Protection Case Study, presented at SecureAsia 2010, Singapore, July 2010. Slide transcript.
![Page 1: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/1.jpg)
Addressing CIP: A Thailand Case Study
by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Chief Security Officer
PTT ICT Solutions Co., Ltd., a company of PTT Group
Note: CIP = Critical Infrastructure Protection
![Page 2: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/2.jpg)
Addressing CIP: A Thailand Case Study, by Chaiyakorn Apiwathanokul, CISSP, GCFA, IRCA:ISMS
Synopsis: In many countries where Critical Infrastructure Protection is not yet a regulatory requirement, or is not taken seriously by the government, perception, understanding, collaboration and a qualified workforce are big challenges. Many misperceptions about securing these systems make it hard to convince management and stakeholders to support activities and investments. However, legislation is not the only way forward; other mechanisms can be brought into play, e.g. BCM, risk management and so on, to help win management's attention. As security professionals, how can we make things better? How can we use the other mechanisms available to help address this challenge?
In Thailand, even though we have not explicitly issued a law specifically for CIP, we have addressed CIP to some extent. We help raise awareness and understanding through training and seminars that demonstrate the vulnerability and exploitability of such systems, and we introduce ISO27001 as a basic security management framework. Of course, many other things still need to be done to address this challenge.
![Page 3: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/3.jpg)
About Speaker
• Contributor to the Thailand Cyber Crime Act B.E. 2550
• Security Sub-commission under the Thailand Electronic Transaction Commission (ET Act B.E. 2544)
• Workgroup for CA service standard development
• Committee for national standard adoption of ISO27001/ISO27002
• Committee of the Thailand Information Security Association (TISA)
• Committee for cybersecurity taskforce development, Division of Skill Development, Ministry of Labour
Name: Chaiyakorn Apiwathanokul (ไชยกร อภิวัฒโนกุล)
Title: Chief Security Officer (CSO)
Company: PTT ICT Solutions Company Limited, a company of PTT Group
Certificates: ISC2:CISSP, IRCA:ISMS (ISO27001), SANS:GCFA
![Page 4: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/4.jpg)
Disclaimer
• I am not a representative of either the Thai government or any commission I have been involved in.
• I am not a spokesperson for my company.
• I am here as an infosec professional working and contributing in Thailand, and would like to share some experience and Thailand's circumstances for the sake of global professional community collaboration and contribution.
![Page 5: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/5.jpg)
Agenda
• Global perspective toward CIP
• Thailand circumstance and challenges
• Approaches
![Page 6: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/6.jpg)
Transportation System (from a movie)
![Page 7: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/7.jpg)
Italian Traffic Lights
Event: February 2009, Italian authorities investigating unauthorized changes to a traffic enforcement system
Impact: Rise of over 1,400 traffic tickets costing more than 250K Euros in a two-month period
Specifics: Engineer accused of conspiring with local authorities to rig traffic lights to have a shorter yellow light, causing a spike in camera-enforced traffic tickets
Lessons learned:
Do not underestimate the insider threat
Ensure separation of duties and auditing
In the real world
![Page 8: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/8.jpg)
Transportation – Road Signs
Event: January 2009, Texas road signs compromised
Impact: Motorists distracted and provided false information
Specifics: Some commercial road signs can be easily altered because their instrument panels are frequently left unlocked and their default passwords are not changed. "Programming is as simple as scrolling down the menu selection," a blog reports. "Type whatever you want to display … In all likelihood, the crew will not have changed [the password]."
Lessons learned:
Use robust physical access controls
Change all default passwords
Work with manufacturers to identify and protect password reset procedures
In the real world
![Page 9: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/9.jpg)
Building Automation System (BAS), from a movie
![Page 10: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/10.jpg)
Security Guard Busted For Hacking Hospital's HVAC, Patient Information Computers, July 2009
• "A former security guard for a Dallas hospital has been arrested by federal authorities for allegedly breaking into the facility's HVAC and confidential patient information computer systems. In a bizarre twist, he posted videos of his hacks on YouTube, and was trying to recruit other hackers to help him wage a massive DDoS attack on July 4 -- one day after his planned last day on the job.
• Jesse William McGraw, 25, also known as "GhostExodus," "PhantomExodizzmo," as well as by a couple of false names, was charged with downloading malicious code onto a computer at the Carrell Clinic in order to cause damage and as a result, "threatened public health and safety," according to an affidavit filed by the FBI. McGraw worked as a night security guard for United Protection Services, which was on contract with the hospital, which specializes in orthopedics and sports medicine."
In the real world
![Page 11: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/11.jpg)
CIA Admits Cyber Attacks Blacked Out Cities
• The disclosure was made at a New Orleans security conference Friday attended by international government officials, engineers, and security managers.
• The CIA on Friday admitted that cyberattacks have caused at least one power outage affecting multiple cities outside the United States.
Source: Thomas Claburn, InformationWeek, January 18, 2008, 06:15 PM
In the real world
![Page 12: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/12.jpg)
A Black-out incident
In the real world
![Page 13: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/13.jpg)
TISA in Bangkok Post : When Hacking risks health
TISA web site : http://www.tisa.or.th
In the real world
![Page 14: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/14.jpg)
Common claim: "The system is isolated"
Virus Found On Computer In Space Station. NASA confirmed on Wednesday that a computer virus was identified on a laptop computer aboard the International Space Station, which carries about 50 computers. The virus was stopped with virus protection software and posed no threat to ISS systems or operations, said NASA spokesperson Kelly Humphries. …
The SpaceRef report suggested that a flash card or USB drive brought on board by an astronaut may have been the source of the laptop infection.
InformationWeek August 27, 2008
In the real world
![Page 15: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/15.jpg)
Diagram: manufacturing plant operation control systems as part of national critical infrastructure. Threat sources shown: adversary/disgruntled employee, malicious code/virus/worm, terrorist/hacker, acting through vulnerabilities/weaknesses. Governing influences shown: government, law/compliance/standard/guideline, industry-specific regulator.
![Page 16: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/16.jpg)
Simplification
• Someone hates someone
• Someone develops a weapon
• Not only someone, but someone else, gets into trouble
• Someone (and someone else) has to do something
![Page 17: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/17.jpg)
Activity Timeline of U.S.Critical Infrastructure Protection Initiative
![Page 18: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/18.jpg)
What do the big brothers do?
• US, 1996, Critical Infrastructure Protection (PCCIP)
• US, 1998, FBI National Infrastructure Protection Center (NIPC) and the Critical Infrastructure Assurance Office (CIAO)
• Communications and Information Sector Working Group (CISWG)
• Partnership for Critical Infrastructure Security (PCIS)
• US, 2001, President's Critical Infrastructure Board (PCIB)
• US, 2003, National Infrastructure Advisory Council (NIAC)
• Control Systems Security Program, National Cyber Security Division, US-DHS
• United States Computer Emergency Readiness Team (US-CERT) Control Systems Security Center (CSSC)
(Timeline marker on slide: 9/11)
![Page 19: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/19.jpg)
Obama elevates the priority of Cybersecurity concerns
May 29, 2009. U.S. President Barack Obama will appoint a government-wide cybersecurity coordinator and elevate cybersecurity concerns to a top management priority for the U.S. government, he announced Friday. The White House will also develop a new, comprehensive national cybersecurity strategy, with help from private experts, and it will invest in "cutting edge" cybersecurity research and development, Obama said in a short speech.
![Page 20: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/20.jpg)
Common Characteristics
• Tone from the top
• Accountability
• Across government agencies
• Government and industries collaboration
• Industry specific best practices vs. common best practices (share and collaborate)
• Short/Mid/Long term plan
• Review → Plan → Deploy → Monitor → Report
![Page 21: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/21.jpg)
Challenges
• Small number of security professionals in the market
• Misperceptions about control system security
– Security by obscurity
– Separated network
– Not an IT business
– We have no secrets
• Low awareness among stakeholders
![Page 22: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/22.jpg)
Qualified professional undersupply
Diagram labels: IT Professional, Infosec Professional, Control System Professional, Control System Cybersecurity Professional
![Page 23: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/23.jpg)
The Implication
• Only a small number of professionals with the right competency to help you out
• Collaboration and support from the professional community is highly needed
![Page 24: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/24.jpg)
InfoSec Professional Involvement
• Law
– ETC: Electronic Transaction Commission
– Security Sub-commission
– Electronic Transaction Act: 2001
• Performance Appraisal Program (for State Enterprise)
• National Standard Adoption (ISO27001/ISO27002)
• Educate top management in healthcare industry
• Annual conference: Cyber Defence Initiative Conference (CDIC)
• Educate top management, mid-management and technical person involved
![Page 25: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/25.jpg)
Key Influencer
• Electronic Transaction Commission (ETC)
• Thailand Information Security Association (TISA)
• State Enterprise Policy Office (SEPO)
• Ministry of ICT
• NECTEC, Ministry of Science and Technology
• ACIS Professional Center
![Page 26: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/26.jpg)
Guideline on Securing Electronic Transactions (derived from the ISMS Implementation Guideline)
![Page 27: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/27.jpg)
Thailand Information Security Association
27-Jul-10
http://www.tisa.or.th
ACIS Professional Center
![Page 28: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/28.jpg)
TISA Committees
![Page 29: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/29.jpg)
ISMS Training
![Page 30: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/30.jpg)
TISA Pilot Exam Summary: TISA ITS-EBK Model
![Page 31: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/31.jpg)
Example of TISA TISET Report
TISA Pilot Exam 2009-10-17
![Page 32: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/32.jpg)
TISA Pilot Exam Summary: Certification Roadmap
Diagram labels: TISA TISET Exam; FOUNDATION (localized) IT / Information Security Competencies Test; TISA TISET Certification, International Certified IT & Information Security Professional; tracks Management, Audit, Technical; levels ADVANCE, EXPERT; step to CISSP, SSCP, CISA, CISM.
![Page 33: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/33.jpg)
State Enterprise Policy Office (SEPO)
• Incentive-based Performance Appraisal Program conducted annually
• 50+ State Enterprises under this program, which include:
– Electricity generation and distribution
– Gas pipeline and energy
– Water works
– Telecommunication
• IT Management
– ISO27001
• Business Risk Management
– Business Continuity Management (BCM)
![Page 34: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/34.jpg)
ISO27001 Implementation Roadmap (diagram): timeline 2007, 2008, 2009, 2011; phases labelled Start, Plan, Main System, Minor/support system, Main System.
![Page 35: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/35.jpg)
The growth of ISO27001 in Thailand
Number of certificates per country, July 2010 (source: http://www.iso27001certificates.com/Register%20Search.htm)

| Country | Certs | Country | Certs | Country | Certs |
|---|---|---|---|---|---|
| Japan | 3572 | Philippines | 15 | Peru | 3 |
| India | 490 | Pakistan | 14 | Portugal | 3 |
| UK | 448 | Iceland | 13 | Argentina | 2 |
| Taiwan | 373 | Saudi Arabia | 13 | Belgium | 2 |
| China | 373 | Netherlands | 12 | Bosnia Herzegovina | 2 |
| Germany | 138 | Singapore | 12 | Cyprus | 2 |
| Korea | 106 | Indonesia | 11 | Isle of Man | 2 |
| USA | 96 | Bulgaria | 10 | Kazakhstan | 2 |
| Czech Republic | 85 | Norway | 10 | Morocco | 2 |
| Hungary | 71 | Russian Federation | 10 | Ukraine | 2 |
| Italy | 61 | Kuwait | 9 | Armenia | 1 |
| Poland | 56 | Sweden | 9 | Bangladesh | 1 |
| Spain | 43 | Colombia | 8 | Belarus | 1 |
| Malaysia | 39 | Iran | 8 | Denmark | 1 |
| Ireland | 37 | Bahrain | 7 | Dominican Republic | 1 |
| Austria | 35 | Switzerland | 7 | Kyrgyzstan | 1 |
| Thailand | 34 | Croatia | 6 | Lebanon | 1 |
| Hong Kong | 32 | Canada | 5 | Luxembourg | 1 |
| Romania | 30 | South Africa | 5 | Macedonia | 1 |
| Australia | 29 | Sri Lanka | 5 | Mauritius | 1 |
| Greece | 28 | Vietnam | 5 | Moldova | 1 |
| Mexico | 24 | Lithuania | 4 | New Zealand | 1 |
| Brazil | 23 | Oman | 4 | Sudan | 1 |
| Turkey | 21 | Qatar | 4 | Uruguay | 1 |
| UAE | 20 | Chile | 3 | Yemen | 1 |
| Slovakia | 19 | Egypt | 3 | | |
| France | 18 | Gibraltar | 3 | | |
| Slovenia | 16 | Macau | 3 | Total | 6573 |
![Page 36: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/36.jpg)
Start with Awareness
• Annual Security Event, CDIC (Public and Private sector)
• Top Management
• Involved Engineer and Technician
![Page 37: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/37.jpg)
Educating the Engineering Department
![Page 38: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/38.jpg)
Normal Operation (diagram). Components: Operator, Operator Workstation, HMI Web & DB Server, PLC.
![Page 39: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/39.jpg)
Scenario #1.1 Known local admin password (Hacking on Operator workstation)
Diagram: the hacker knows the local admin password, connects via Remote Desktop to the Operator Workstation, remotely controls the GUI, adds a new user, opens a shared folder and reaches the connected GUI's server. Components: Operator, Operator Workstation, HMI Web & DB Server, PLC.
![Page 40: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/40.jpg)
Summary Scenario #1.1 Known local admin password (Hacking on Operator workstation)
Required condition: local admin password is known (default password); Remote Desktop is open
Consequence: attacker can take over the system, take over the GUI, add a new user and open a shared folder
Remediation: change the default password; restrict access to Remote Desktop
![Page 41: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/41.jpg)
Scenario #1.2 Unpatched (Hacking on Operator workstation)
Diagram: the hacker attacks a vulnerable, unpatched server; through the exploited server the attacker remotely controls the GUI, adds a new user and opens a shared folder on the GUI's server. Components: Operator, Operator Workstation, HMI Web & DB Server, PLC.
![Page 42: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/42.jpg)
Summary Scenario #1.2 Unpatched (Hacking on Operator workstation)
Required condition: Operator workstation is not patched
Consequence: attacker can take over the system, take over the GUI, add a new user and open a shared folder
Remediation: regularly update the workstation; monitor system integrity; consider an intrusion detection system; consider a security perimeter
![Page 43: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/43.jpg)
Scenario #1.3 Password Sniffing (Hacking on Operator workstation)
Diagram: the password is sniffed from the network between the Operator Workstation and the HMI Web & DB Server. Components: Operator, Operator Workstation, HMI Web & DB Server, PLC.
![Page 44: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/44.jpg)
Summary Scenario #1.3 Password Sniffing (Hacking on Operator workstation)
Required condition: web-based HMI; operator sends the login password via HTTP
Consequence: password is known to the hacker; hacker can log in to the web-based HMI
Remediation: use HTTPS instead of HTTP; consider a detection measure
![Page 45: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/45.jpg)
Scenario #1.4 Remember password (Hacking on Operator workstation)
Diagram: a USB U3 thumb drive is plugged into the Operator Workstation and the "remember password" store is dumped. Components: Operator, Operator Workstation, HMI Web & DB Server, PLC.
![Page 46: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/46.jpg)
Summary Scenario #1.4 Remember password (Hacking on Operator workstation)
Required condition: physical access to the system; Autorun enabled
Consequence: password is stolen
Remediation: limit physical access to the system; disable Autorun (all drives); don't use the remember-password feature
![Page 47: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/47.jpg)
Scenario #2 SQL Injection (Hacking on HMI Web & DB server)
Diagram: an injection flaw in the HMI Web & DB Server allows insert, delete and update against its tables: deleting a table or modifying data in a table. Components: Operator, Operator Workstation, HMI Web & DB Server, PLC.
![Page 48: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/48.jpg)
Summary Scenario #2 SQL Injection (Hacking on HMI Web & DB Server)
Required condition: web-based HMI with a SQL injection flaw
Consequence: direct database manipulation
Remediation: input validation; web application security assessment; Web Application Firewall (WAF)
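The injection flaw and the "input validation" remediation for Scenario #2, as an added example that is not part of the original deck: a hypothetical web-based HMI tag lookup written three ways, with a constructed in-memory tag table (names, values and the naming rule are assumptions for the illustration).

```python
import re
import sqlite3

# Constructed sample data for a hypothetical web-based HMI tag table
# (illustrative values, not real plant data).
SAMPLE_TAGS = [
    ("PUMP_01_RUN", 1.0, "Pump 1 running"),
    ("TANK_01_LEVEL", 73.5, "Tank 1 level, percent"),
    ("VALVE_02_POS", 12.0, "Valve 2 position, percent"),
]

# Assumed naming rule for tags in this hypothetical HMI: an upper-case
# identifier of letters, digits and underscores, at most 32 characters.
TAG_NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,31}$")


def build_db():
    """Create an in-memory database holding the sample tag table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT PRIMARY KEY, value REAL, description TEXT)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?)", SAMPLE_TAGS)
    conn.commit()
    return conn


def lookup_tag_vulnerable(conn, tag_name):
    """The injection flaw: the request parameter is pasted into the SQL text,
    so quote characters in it change the query instead of being data."""
    sql = "SELECT name, value FROM tags WHERE name = '" + tag_name + "'"
    return conn.execute(sql).fetchall()


def lookup_tag_parameterised(conn, tag_name):
    """Hardened, layer 1: a bound parameter is always treated as a literal value."""
    return conn.execute("SELECT name, value FROM tags WHERE name = ?", (tag_name,)).fetchall()


def lookup_tag_hardened(conn, tag_name):
    """Hardened, layer 2: validate the input against the tag naming rule first,
    then run the parameterised query. Anything that is not a tag name is rejected."""
    if not TAG_NAME_RE.match(tag_name):
        raise ValueError("invalid tag name: %r" % tag_name)
    return lookup_tag_parameterised(conn, tag_name)


def demo():
    """Run the three lookups on a normal name and on a read-only tautology
    payload; returns a dict of row counts / outcomes so the difference is visible."""
    conn = build_db()
    normal, injected = "TANK_01_LEVEL", "X' OR '1'='1"
    results = {
        "vulnerable_normal": len(lookup_tag_vulnerable(conn, normal)),        # 1 row
        "vulnerable_injected": len(lookup_tag_vulnerable(conn, injected)),    # 3 rows: all leak
        "parameterised_injected": len(lookup_tag_parameterised(conn, injected)),  # 0 rows
    }
    try:
        lookup_tag_hardened(conn, injected)
        results["hardened_injected"] = "accepted"
    except ValueError:
        results["hardened_injected"] = "rejected"
    return results
```

The parameterised query alone already neutralises the payload; the validation layer additionally rejects it before any SQL runs, which is what gives the HMI a log-worthy event rather than a silent empty result.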
![Page 49: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/49.jpg)
Scenario #3 Direct PLC Manipulation (Hacking on PLC)
Diagram: port 2222/TCP is open on the PLC; the attacker takes control of the PLC, modifies PLC data and disrupts PLC operation (control valve/pump, change PLC mode, system halt). Components: Operator, Operator Workstation, HMI Web & DB Server, PLC.
![Page 50: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/50.jpg)
Summary Scenario #3 Direct PLC Manipulation (Hacking on PLC)
Required condition: port 2222/TCP is open (Allen Bradley); no authentication; network routable
Consequence: access to the PLC's data table
Remediation: enable authentication where possible; routing control / network isolation (verify)
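The "consider a detection measure" remediation of Scenario #1.3 and the "network isolation (verify)" remediation of Scenario #3, as one added example that is not part of the original deck: a flow-log check that flags plain-HTTP logins to the HMI server and connections to the PLC port from hosts that are not allow-listed or sit outside the control network. Addresses, subnets, the flow format and the sample log are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumed network layout for this illustration (hypothetical addresses):
OPERATOR_NET = ipaddress.ip_network("10.20.1.0/24")   # operator workstations and HMI server
PLC_NET = ipaddress.ip_network("10.20.2.0/24")        # PLCs
HMI_SERVER = ipaddress.ip_address("10.20.1.50")
PLC_PORT = 2222                                       # PLC protocol port named on the slide
ALLOWED_PLC_CLIENTS = {HMI_SERVER}                    # only the HMI server may talk to PLCs

# Constructed sample flow log, one connection per line: "timestamp src dst dport proto".
SAMPLE_FLOWS = """\
2010-07-27T08:00:01 10.20.1.15 10.20.1.50 443 tcp
2010-07-27T08:00:05 10.20.1.15 10.20.1.50 80 tcp
2010-07-27T08:00:09 10.20.1.50 10.20.2.10 2222 tcp
2010-07-27T08:00:12 192.168.100.7 10.20.2.10 2222 tcp
2010-07-27T08:00:15 10.20.1.15 10.20.2.10 2222 tcp
"""

Flow = namedtuple("Flow", "ts src dst dport proto")


def parse_flows(text):
    """Parse the five-field flow format above; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(parts[0], ipaddress.ip_address(parts[1]),
                              ipaddress.ip_address(parts[2]), int(parts[3]), parts[4]))
        except ValueError:
            continue
    return flows


def check_flow(flow):
    """Return a list of alert strings for one flow (empty means nothing to report)."""
    alerts = []
    # Scenario #1.3: the HMI login must travel over HTTPS; plain HTTP to the HMI
    # server means the operator password is exposed to anyone sniffing the segment.
    if flow.dst == HMI_SERVER and flow.dport == 80:
        alerts.append("cleartext HTTP to HMI server, expected HTTPS")
    # Scenario #3: the PLC port must only be reached by the allow-listed HMI server.
    if flow.dst in PLC_NET and flow.dport == PLC_PORT and flow.src not in ALLOWED_PLC_CLIENTS:
        if flow.src in OPERATOR_NET:
            alerts.append("PLC port %d from non-allow-listed operator host" % PLC_PORT)
        else:
            alerts.append("PLC port %d reachable from outside the control network "
                          "(network isolation failed)" % PLC_PORT)
    return alerts


def analyse(text):
    """Run check_flow over every parsed flow; returns (timestamp, src, alert) tuples."""
    findings = []
    for flow in parse_flows(text):
        for alert in check_flow(flow):
            findings.append((flow.ts, str(flow.src), alert))
    return findings
```

The third sample line (HMI server to PLC) produces no finding, which is the point of verifying isolation from logs: the allowed path stays quiet while the two routable-from-elsewhere paths and the HTTP login stand out.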
![Page 51: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/51.jpg)
Summary
• Been doing
– Help raise awareness
– Informal gathering of industry leaders
– Some laws and regulations issued
• Future
– Many things are lined up
– Government is to work closely with industry
– Collaboration and community across countries shall be considered
– It will be a long journey
![Page 52: Addressing CIP](https://reader031.vdocuments.mx/reader031/viewer/2022020713/547e1cb8b4af9fb9158b5601/html5/thumbnails/52.jpg)