scada security: the 5 stages of cyber grief
DESCRIPTION
Lancope’s Director of Security Research, Tom Cross, examines the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems. Hear about: * The state of Control System security vulnerabilities * Attack activity that is prompting a change in perspective * The unique, long term challenges associated with protecting SCADA networks * How anomaly detection can play a key role in protecting SCADA systems nowTRANSCRIPT
SCADA Security: The Five Stages of Cyber Grief
Tom Cross Director of Security Research
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
The 5 Stages of Cyber Grief
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Its not connected to the Internet.
Stage 1: Denial
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks.” Source: Sean McGurk, Verizon The Subcommittee on National Security, Homeland Defense, and Foreign Operations May 25, 2011 hearing.
Its connected to the Internet.
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
ICS Cert • In February 2011, independent security researcher Ruben Santamarta
used SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems.
• In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet facing devices that he discovered using SHODAN.
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
SHODAN
• Project STRIDE: “To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses.”
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Stage 2: Anger
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Stage 3: Bargaining
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Stage 3: Bargaining
• Stuxnet • First widely reported use of malware to destroy a physical plant • Extremely sophisticated • Jumped the air-gap via USB keys • Widespread infections throughout the Internet
• Shamoon • Targeted the energy sector • Destructive
• Over writes files • Destroys the Master Boot Record
Stuxnet infections, source Symantec:
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Stage 4: Depression
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Stage 4: Depression The Patching Treadmill • Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install • Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to Interconnectivity • Interconnectivity leads to compromise
• Solutions?
– Third-Party Run-Time In-Memory Patching? – Intrusion Prevention Systems?
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Stage 5: Acceptance What would acceptance mean? • Getting serious about interconnectivity
• We need to find new ways to work • We need to accept some inconvenience
• Designing systems for patchability
• Systems that can be patched without being restarted • Hot Standby failover
• Patches that do not require upgrades • Security patches that can be accepted without performance concerns
• Built in IDS capability?
• Designing systems for failure
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Lancope does Netflow
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Network Visibility through Netflow
DMZ
VPN
Internal Network
Internet NetFlow Packets
src and dst ip
src and dst port
start time
end time
mac address
byte count
- more - NetFlow
3G Internet
3G Internet
NetFlow
NetFlow
NetFlow
NetFlow
NetFlow Collector
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Intrusion Audit Trails
1:06:15 PM: Internal Host
Visits Malicious Web Site
1:06:30 PM: Malware Infection
Complete, Accesses Internet Command and
Control
1:06:35 PM: Malware begins
scanning internal network
1:13:59 PM: Multiple internal
infected hosts
1:07:00 PM: Gateway malware analysis identifies the transaction
as malicious
1:14:00 PM: Administrators
manually disconnect the initial infected host
Do you know what went on while you were mitigating?
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Behavioral Anomaly Detection
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Get Engaged with Lancope!
@Lancope @NetFlowNinjas
Subscribe Join Discussion Download
@stealth_labs
Access StealthWatch
Labs Intelligence Center (SLIC) Reports
Security Research
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Lancope at Cisco Live 2013 Return of the famous Lancope Ninja Sword!
• Visit booth #737
• Email [email protected] to request a private demo at the event.
©2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
Thank you!
Tom Cross Director of Security Research