Posted 29-May-2020

SCADA Security: The Five Stages of Cyber Grief

Daniel Tulen, Sr. Channel SE Europe

The 5 Stages of Cyber Grief

Stage 1: Denial

"It's not connected to the Internet."

Example: Wi-Fi at a power plant

[Diagram: Power Plant SCADA Network; SCADA Network controller; Office Network; Lab Network]

"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks."

Source: Sean McGurk, Verizon. The Subcommittee on National Security, Homeland Defense, and Foreign Operations hearing, May 25, 2011.
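A check that goes with the "direct connections" finding above, added here as an example that is not part of the deck and is not Verizon's assessment method: it takes NetFlow-style records and lists every host pair that bridges the SCADA and enterprise zones, plus any SCADA host with Internet traffic, so the "it's not connected" claim can be tested against observed flows rather than a network diagram. The zone address ranges, the five-column export format and the sample flows are all constructed for the example.

```python
"""Cross-zone connection inventory from NetFlow-style records.

Added example, not from the deck or from Verizon's assessment method. Zone
ranges and the flow export format are constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone definitions (constructed address ranges).
ZONES = {
    "scada": [ip_network("10.10.0.0/16")],
    "enterprise": [ip_network("10.20.0.0/16"), ip_network("10.30.0.0/16")],
    "lab": [ip_network("10.40.0.0/16")],
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the listed ranges is 'internet'."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse constructed 'src dst dport proto bytes' lines; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        src, dst, dport, proto, nbytes = fields
        flows.append(Flow(src, dst, int(dport), proto, int(nbytes)))
    return flows


def direct_connections(flows: list[Flow], zone_a: str = "scada",
                       zone_b: str = "enterprise") -> dict[tuple[str, str], set[tuple[str, int]]]:
    """Distinct host pairs with traffic crossing zone_a <-> zone_b in either
    direction, with the (proto, dport) services seen on each pair. Each key is
    one 'direct connection' between the two networks."""
    links: dict[tuple[str, str], set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        zs, zd = zone_of(f.src), zone_of(f.dst)
        if {zs, zd} == {zone_a, zone_b}:
            pair = (f.src, f.dst) if zs == zone_a else (f.dst, f.src)
            links[pair].add((f.proto, f.dport))
    return dict(links)


def internet_exposed(flows: list[Flow], zone: str = "scada") -> set[str]:
    """Hosts in `zone` that exchanged traffic with addresses outside every internal zone."""
    hosts = set()
    for f in flows:
        zs, zd = zone_of(f.src), zone_of(f.dst)
        if zs == zone and zd == "internet":
            hosts.add(f.src)
        elif zd == zone and zs == "internet":
            hosts.add(f.dst)
    return hosts


# Constructed sample export (not real traffic): src dst dport proto bytes.
SAMPLE_FLOWS = """
10.10.1.5     10.10.1.20     502   tcp  1200    # SCADA to SCADA (Modbus/TCP), stays in zone
10.20.5.7     10.10.1.5      3389  tcp  88000   # enterprise workstation RDP into a SCADA host
10.20.5.7     10.10.1.5      3389  tcp  91000   # same pair again: still one direct connection
10.10.1.9     10.20.8.30     445   tcp  4300    # SCADA host reaching an enterprise file share
10.30.2.2     10.10.1.5      80    tcp  1500    # second enterprise range, HTTP to a SCADA host
10.40.3.3     10.10.1.9      22    tcp  900     # lab to SCADA: crosses a zone, but not enterprise
10.10.1.5     203.0.113.10   443   tcp  2500    # SCADA host talking to the Internet directly
"""


def report(text: str = SAMPLE_FLOWS) -> str:
    """Human-readable summary of the cross-zone links and Internet-exposed SCADA hosts."""
    flows = parse_flows(text)
    links = direct_connections(flows)
    lines = [f"{len(links)} direct SCADA<->enterprise connection(s):"]
    for (a, b), services in sorted(links.items()):
        svc = ", ".join(f"{p}/{port}" for p, port in sorted(services))
        lines.append(f"  {a} <-> {b}  [{svc}]")
    lines.append(f"SCADA hosts with Internet traffic: {sorted(internet_exposed(flows)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Repeated flows between the same two hosts collapse into one connection, which is the unit the quote counts; the lab-to-SCADA flow is deliberately left out of the SCADA/enterprise total to show that the zone pair matters, not merely "crossed a boundary".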

"It's connected to the Internet."

SANS Survey, Feb 2013

Feedback from the respondents:

• 70% of them think that the risks are high to severe
• 33% of them already had a security incident related to SCADA
• 40% think they are compromised, have been, or don't know whether they are
• 29% take cyber security into consideration in their procurement process

Top 3 risks by respondents:

1. Malware (Stuxnet etc.)
2. Internal Threats
3. External Threats (Hacking, Government Espionage etc.)

#1 reason for investing in Security: Avoid Service Interruption.

ICS-CERT

• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems.
• In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.
• In 2012 ICS-CERT reported 198 cyber incidents regarding SCADA. 23 of them were targeted attacks. A rise of 264% compared to 2011!

Stage 2: Anger

Stage 3: Bargaining

• Stuxnet
  – First widely reported use of malware to destroy a physical plant
  – Extremely sophisticated
  – Jumped the air-gap via USB keys
  – Widespread infections throughout the Internet
• Shamoon
  – Targeted the energy sector
  – Destructive
  – Overwrites files
  – Destroys the Master Boot Record

ICS Honeypot Results

• Kyle Wilhoit – Trend Micro Threat Research Team

DDoS Attacks More Automated & Powerful

• Prolexic Q2 2012 to Q2 2013
  – 33% increase in attacks
  – 925% increase in bandwidth
    • 4.47 Gbps to 49.24 Gbps
  – 1655% increase in pps
    • 2.7 Mpps to 47.4 Mpps

Stage 4: Depression

The Patching Treadmill

• Control systems are not designed to be shut down regularly
• Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
• Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to interconnectivity
• Interconnectivity leads to compromise
• Solutions?
  – Third-party run-time in-memory patching?
  – Intrusion Prevention Systems?

Stage 5: Acceptance

What would acceptance mean?

• Getting serious about interconnectivity
  – We need to find new ways to work
  – We need to accept some inconvenience
• Designing systems for patchability
  – Systems that can be patched without being restarted
  – Hot standby failover
  – Patches that do not require upgrades
  – Security patches that can be accepted without performance concerns
  – Built-in IDS capability?
• Designing systems for failure

Cisco Confidential 21 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

You Can't Protect What You Can't See: The Network Gives Deep and Broad Visibility

[Video]


What Can The Network Do For You?

• Detect anomalous traffic flows and malware, e.g. communication with malicious hosts, internal malware propagation, data exfiltration
• Detect app usage and user access policy violations, e.g. a maintenance contractor accessing financial data
• Detect utilization and baseline behavior, e.g. utilization of uplinks, discovering odd user behavior


Behavioral Detection Model

As flows are collected, behavioral algorithms are applied to build "Security Events". Each Security Event adds points to an alarm category, which allows for easy summarization and gives a higher degree of confidence in the type of activity detected:

• 100% LAN accountability
• 90+ days flow storage average
• 365+ days summary data stored
• Profile over 1M internal hosts

Continuous Network Monitoring: Apply Network Segmentation

Outside - Internet
• Geo Location
• Business Partners
• Cloud Providers
• Social Media

Inside - Internal
• Location – Site – Branch
• Datacenter
• Function – Application
• Business Unit
• Sensitivity – Compliance

Build logical boundaries

Command & Control
• New Malware Families
• Point-of-Sale malware
• Banking malware
• Keylogger, Exfil data
• DDoS
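The behavioral detection model described above (Security Events adding points to alarm categories, alarms summarized per category) combined with the logical boundaries from this segmentation slide (inside groups by function, outside groups by partner), as an added worked example in Python. It is not Lancope/StealthWatch code and does not claim to reproduce the product's algorithms; the host groups, rules, point values, thresholds, outbound baseline and sample flows are all hypothetical constructions for the example.

```python
"""Points-based Security Events over flow records.

Added example, not Lancope/StealthWatch code. Each behavioral rule that fires
adds points to an alarm category for a host; a category alarms once its points
cross a threshold. All groups, rules, points and sample data are hypothetical.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical logical boundaries: inside groups by function, outside by partner.
HOST_GROUPS = {
    "scada_controllers": ip_network("10.10.1.0/24"),
    "office_users": ip_network("10.20.5.0/24"),
    "finance_servers": ip_network("10.20.8.0/24"),
    "contractor_vpn": ip_network("10.50.0.0/24"),
    "business_partner": ip_network("198.51.100.0/24"),
}
INSIDE = {"scada_controllers", "office_users", "finance_servers", "contractor_vpn"}


def group_of(addr: str) -> str:
    """Map an address to its host group; anything unlisted is 'internet'."""
    ip = ip_address(addr)
    for name, net in HOST_GROUPS.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int  # bytes sent from src to dst


# Per-flow rules: (event name, alarm category, points, predicate). Hypothetical values.
FLOW_RULES = [
    ("scada_to_internet", "Policy Violation", 40,
     lambda f: group_of(f.src) == "scada_controllers" and group_of(f.dst) == "internet"),
    ("contractor_to_finance", "Policy Violation", 25,
     lambda f: group_of(f.src) == "contractor_vpn" and group_of(f.dst) == "finance_servers"),
    ("single_large_outbound", "Data Exfiltration", 30,
     lambda f: group_of(f.src) in INSIDE and group_of(f.dst) not in INSIDE and f.nbytes > 5_000_000),
]
FANOUT_THRESHOLD = 4      # distinct inside peers on one port from one host
BASELINE_MULTIPLIER = 5   # outbound bytes vs. the host's learned daily baseline
ALARM_THRESHOLD = 50      # category points needed to raise an alarm


def build_security_events(flows, baseline_bytes):
    """Return (host, category, event, points) tuples from per-flow and aggregate rules."""
    events = []
    for f in flows:
        for name, category, points, matches in FLOW_RULES:
            if matches(f):
                events.append((f.src, category, name, points))

    fanout = defaultdict(set)    # (src, dport) -> distinct inside destinations
    outbound = defaultdict(int)  # src -> bytes sent to outside groups
    for f in flows:
        src_in, dst_in = group_of(f.src) in INSIDE, group_of(f.dst) in INSIDE
        if src_in and dst_in:
            fanout[(f.src, f.dport)].add(f.dst)
        elif src_in:
            outbound[f.src] += f.nbytes

    for (src, dport), peers in fanout.items():
        if len(peers) >= FANOUT_THRESHOLD:
            events.append((src, "Malware Propagation", f"fanout_port_{dport}", 35))
    for host, total in outbound.items():
        base = baseline_bytes.get(host)
        if base and total > BASELINE_MULTIPLIER * base:
            events.append((host, "Data Exfiltration", "outbound_above_baseline", 30))
    return events


def alarm_scores(events):
    """Accumulate points per (host, category): this is the summarization step."""
    scores = defaultdict(int)
    for host, category, _, points in events:
        scores[(host, category)] += points
    return dict(scores)


def alarms(scores, threshold=ALARM_THRESHOLD):
    """Categories whose accumulated points reached the alarm threshold."""
    return sorted((h, c, p) for (h, c), p in scores.items() if p >= threshold)


# Constructed sample flows and a constructed per-host daily outbound baseline.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "203.0.113.10", 443, 2_500),       # SCADA controller -> Internet
    Flow("10.10.1.5", "203.0.113.10", 443, 3_100),       # again: points accumulate
    Flow("10.50.0.8", "10.20.8.30", 1433, 12_000),       # contractor VPN -> finance DB server
    Flow("10.20.5.7", "10.20.8.30", 445, 800),           # one office host touching SMB on
    Flow("10.20.5.7", "10.20.8.31", 445, 800),           # four finance servers in a row
    Flow("10.20.5.7", "10.20.8.32", 445, 800),
    Flow("10.20.5.7", "10.20.8.33", 445, 800),
    Flow("10.20.5.7", "198.51.100.9", 443, 9_000_000),   # 9 MB to a partner, baseline 1 MB/day
]
SAMPLE_BASELINE = {"10.20.5.7": 1_000_000}

if __name__ == "__main__":
    scores = alarm_scores(build_security_events(SAMPLE_FLOWS, SAMPLE_BASELINE))
    for (host, cat), pts in sorted(scores.items()):
        flag = "ALARM" if pts >= ALARM_THRESHOLD else "watch"
        print(f"{host:12} {cat:20} {pts:3} {flag}")
```

On the sample data the contractor-to-finance event and the SMB fan-out each stay below the threshold on their own, while the two exfiltration events on the office host (one large flow plus a day well above its baseline) add up to an alarm. That accumulation across independent events in one category is the point of the model: no single rule has to be certain.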


Who, What, When, Where and How?

[Diagram: network device tiers (Access, Dist/Core, Edge, Branch, Campus, Identity) with the following device labels]

Devices: Catalyst 3850/3650; Catalyst 4500 Sup7E/LE/8E; Access Point; Access, Dist/Core; Catalyst 4500-X; Nexus 7K M-Series; Catalyst 6800/6500 Sup2T; Edge; Site-to-Site VPN; Remote Access; ASA with FirePOWER; ESA; StealthWatch FlowSensor; WSA with CWS redirect; WCCP; FirePOWER; Branch; Campus; Identity; ISR-G2/ISR4000/ASR1K; Catalyst 3850/3650

Visibility: There is a need to understand what is connecting to the network, including software resident on trusted endpoints.

NetFlow

Heynen works for innovators

If you would like more information, please contact Heynen.

Heynen is the Lancope partner for the Benelux and would be happy to arrange a demo.

http://www.heynen.com or [email protected]

Thank you!

Daniel Tulen, Sr. Channel SE Europe