© 2011 IBM Corporation
v1.08
Cyber Security: How Serious is the Threat?
Evaluating the Business Case for Smart Grid Investments
October 20-21 2011, Rosen Shingle Creek Resort, Orlando, FL
Peter Allor, [email protected]
Cyber Security Strategist
Security is becoming a board room discussion
– Business results: Sony estimates potential $1B long term impact – $171M / 100 customers
– Supply chain: Epsilon breach impacts 100 national brands
– Legal exposure: TJX estimates $150M class action settlement in release of credit / debit card info
– Impact of hacktivism: Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
– Audit risk: Zurich Insurance Plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
– Brand image: HSBC data breach discloses 24K private banking customers
An organization’s attack surface grows rapidly, increasing security complexity and management concerns
– People: employees, consultants, hackers, terrorists, outsourcers, customers, suppliers
– Data: structured, unstructured, at rest, in motion
– Applications: systems applications, web applications, Web 2.0, mobile apps
– Infrastructure
77% of firms feel cyber-attacks are harder to detect, 34% have low confidence in their ability to prevent them, and 75% felt effectiveness would increase with end-to-end solutions
Source: Ponemon Institute, June 2011
End to End Security in Utilities
(Diagram: security concerns mapped across utility assets, from meters and HAN devices through remote substations and the generating, transmission & distribution network to the data center; not all intersections shown.)
Security domains: physical security; operations & processes; AMI & HAN security; incident mgmt; SCADA security; key management; firmware updates; regulatory compliance; confidentiality, integrity & availability
Concerns shown: meter reliability; meter data validity; meter availability; confidentiality of customer personal information; AMI malware, cyber attacks; prevent HAN devices from attacking grid; unauthorized meter disconnects/connects; prevent physical abuse of assets; remote substation video surveillance; secure communication links; prevent power pilferage; protect sensitive assets; employee background checks; prevent accidents; meter theft; securely manage peak demand; accurate billing; SCADA network security; reliable communication; generating, trans & dist network; critical asset discovery & identification; data center network, system, application, data security; context sensitive access control; asset & config mgmt; service availability & performance mgmt
Energy & Utility Potential Problem Areas
– Increased internal, industry, and government security policies, standards, and regulations
– Logical and physical integration requirements
– An increased number of end users and devices accessing your networks, applications, and data
– Threats of viruses, worms, and Internet attacks
– Regulatory requirements: FERC, NERC, SOX
– Varied locations & sources of identity information (native systems)
– Unauthorized/undetected use of applications & systems
– Challenges and risks inherent in next generation intelligent networks
– Improve operational efficiency – manage costs
– Protect security and privacy of critical assets
Evolving Threats – Highlights for 2011 X-Force Mid-Year
– An explosion of breaches has opened 2011, marking this year as “The Year of the Security Breach.”
– A secure Web presence has become the Achilles heel of corporate IT security
– IBM’s Rational Application Security Group research tested 678 sites (Fortune 500) – 40% contained client-side vulnerabilities
– Mass endpoint exploitation is happening not only through browser vulnerabilities, but also through malicious movies and documents
– IBM Managed Security Services show favorite attacker methods are SQL injection, and the brute forcing of passwords, databases, and Windows shares
Decline in web vulnerabilities
Total number of vulnerabilities decline — but it’s cyclical
Decline is in web application vulnerabilities
Patching improvement
Significant improvement in unpatched vulnerabilities
Hasn’t dropped below 44% in over five years
Multi-media & doc vulnerabilities increase
Significant increases in both categories
Attackers have zeroed in on software that consumers are running regardless of the browser
Recent efforts to sandbox these applications are not perfect
Continued interest in Mobile vulnerabilities as enterprise users bring smartphones and tablets into the work place
Attackers finally warming to the opportunities these devices represent
Mobile OS exploits projected to double
2011: The Year of the Security Breach
Litany of significant, widely reported breaches in first half
– Most victims presumed operationally competent
Boundaries of infrastructure are being extended and obliterated
– Cloud, mobility, social business, big data, more
Attacks are getting more and more sophisticated.
Who is attacking our networks?
Highest volume signatures
New exploit packs show up all the time
Zeus Crimeware Service
“Hosting costs $50 for 3 months. This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via internet explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit
We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary”
Hacktivists are politically motivated
A member of Anonymous at the Occupy Wall Street protest in New York*
*Source: David Shankbone
Lulz Security logo: "The world's leaders in high-quality entertainment at your expense."
One self-description is: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”**
**Source: Yale Law and Technology, November 9, 2009
Anonymous proxies on the rise
About 4 times the amount from 3 years ago
Some used to hide attacks, some used to evade censorship
Advanced Persistent Threat
Example of e-mail with malicious PDF
Internet Intelligence Collection
– Scan the corporate website, Google, and Google News
• Who works there? What are their titles?
• Write index cards with names and titles
– Search for LinkedIn, Facebook, and Twitter profiles
• Who do these people work with?
• Fill in blanks in the org chart
– Who works with the information we’d like to target?
• What is their reporting structure?
• Who are their friends?
• What are they interested in?
• What is their email address? At work? Personal email?
Points of Access for Vulnerabilities
Regulators
Industrial Control System Vendors (SCADA)
Software (Operating Systems and Applications) Vendor Vulnerabilities
Security patches break product certification
Operator control via remote access (Modem and TCP/IP) for maintenance and/or multiple site readiness
Any Interface (SW to SW or System to System) is a prime target
Security for Industrial Control Systems (SCADA) – ICS Security based on IEC 62443
(Diagram: security controls divided into cyber security controls and physical security controls.)
Air-gap networks, apps and control data with firewalls, proxies
Control Systems: Past & Present
Which Operational Technology (OT) systems are we talking about?
– Field sensors
– IEDs
– T&D control systems (SCADA)
– Energy Management Systems (EMS)
– Distribution Management Systems (DMS)
– Outage Management Systems (OMS)
– Demand Response Systems
– Smart Grid Communications equipment (SCADA)
– Meter Data Management Systems (MDMS)
– Asset Management (e.g., Maximo)
– Ops Centers (e.g., NOCs, SOCs)
– DCS and PLC systems in generating plants
A TCP/IP Enabled World
Process Control Systems (PCS) migrating to TCP/IP networks
SCADA and DCS typically rely upon “wrapped” protocols
– Analog control and reporting protocols embedded in digital protocols
– Encryption and command integrity limitations
– Poor selection of TCP/IP protocols
Problems with patching embedded operating systems
– Controllers typically running outdated OSs
– Security patches and updates not applied
– Difficulty patching the controllers
Miniaturization and Bridging Networks
Professional attack tools are small enough to fit on a standard smartphone
– Designed to “audit” and exploit discovered vulnerabilities
– Wireless or wired attacks, and remote control
Smartphones also targeted
– Contact info.
– Bridge to network
(Images: handheld hacking devices)
Bridging Networks
Softest targets appear to be the control centers
– Greatest use of “PC” systems
– Frequent external connectivity
– Entry-point to critical plant systems
Bridging control centers and the plant operational framework
– Network connectivity for ease of operational control
– Reliance on malware to proxy remote attacks
Proliferation of Networked Devices
Switch from analog to digital controls
Incorporation of network standards
– TCP/IP communications
– Wireless communications
Replacement SKU parts include new features “free”
– Additional features may be “on” by default
– May be turned on by engineers
(Images: from analog to digital (+ networked); wireless integration)
Wireless RF / WiFi Attacks
Increased use of wireless technologies
Large security research focus
– Common topic/stream at hacking conferences
Packet Radio Software
– New tools and software to attack & eavesdrop on any RF transmission
– Community-based sharing of findings
Tools and guides on long-range interception of wireless technologies
(Image: a 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles)
ICS versus IT and Security
Industrial Control Systems (ICS) | IT Systems
– Protects the ability to operate safely and securely | Protects the data on the client and in transit
– The end user is a computer | The end user is a human
– A decentralized system to ensure availability / reliability | A centralized system to achieve economy of scale
– Remote access is available to field devices | Limited remote access
– Source code is often sold with the system | Source code is limited and protected
– Long life cycles | Relatively short life cycles
– Not patchable | Patchable
Finding Holes
Penetration Testing (remote) and Security Assessment (local)
– National and International
– 15-20 unique security assessments in the last 5 yrs
America’s Hackable Backbone
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.
"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"
Forbes, August 22nd 2007
Common Security Assessment Findings
Weak protocols leave systems vulnerable
PCS networks lack overall segmentation
PCS networks lack antivirus protection
Standard operating systems leave the device open to well known security vulnerabilities
Most IP-based communications within the PCS network are not encrypted
Most PCS systems have limited-to-no logging enabled
Many organizations still rely heavily on physical security measures
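As an added, defender-side illustration of the segmentation and logging findings above (example code written for this page, not IBM's, X-Force's or any vendor's tooling): a small Python checker that reads firewall flow records and flags allowed flows that violate a three-zone policy of the kind IEC 62443 zoning and the "air-gap with firewalls, proxies" slide describe, i.e. corporate or external hosts reaching the control (PCS) network directly, or the DMZ speaking raw industrial protocols into it. The zone address ranges, the record format, the DMZ port allowlist, the ICS port list and the sample log lines are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed zone layout (hypothetical addresses, not taken from the slides):
# corporate IT, a DMZ holding the historian / jump host, and the PCS network.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.100.0/24"),
}

# Industrial protocol ports (illustrative list) that should only be initiated
# from inside the control zone; the DMZ reaches the PCS through brokered
# services (historian replication, jump host), never raw Modbus or DNP3.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Ports the DMZ jump host is permitted to use into the control zone (assumed).
DMZ_TO_CONTROL_ALLOWED = {22, 3389}


@dataclass
class Finding:
    line_no: int
    rule: str
    src: str
    dst: str
    port: int


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_line(line: str):
    """Parse one constructed firewall record: '<ts> <src> <dst> <dport> <ALLOW|DENY>'."""
    ts, src, dst, port, action = line.split()
    return ts, src, dst, int(port), action.upper()


def check_segmentation(log_lines: List[str]) -> List[Finding]:
    """Return one Finding per ALLOWed flow that violates the zone policy."""
    findings: List[Finding] = []
    for n, raw in enumerate(log_lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, src, dst, port, action = parse_line(line)
        if action != "ALLOW":
            continue  # denied flows are the firewall enforcing the policy
        sz, dz = zone_of(src), zone_of(dst)
        rule: Optional[str] = None
        if dz == "control" and sz not in ("control", "dmz"):
            # Direct path into the PCS network that skips the DMZ entirely.
            rule = f"{sz} -> control flow bypasses the DMZ"
        elif dz == "control" and sz == "dmz" and port not in DMZ_TO_CONTROL_ALLOWED:
            # DMZ may only use the brokered ports; raw ICS protocols are flagged.
            rule = f"DMZ -> control on port {port} ({ICS_PORTS.get(port, 'unbrokered')})"
        elif port in ICS_PORTS and sz != "control":
            # ICS protocol initiated anywhere outside the control zone.
            rule = f"{ICS_PORTS[port]} initiated from {sz} zone"
        if rule:
            findings.append(Finding(n, rule, src, dst, port))
    return findings


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2011-10-20T09:00:01 192.168.100.10 192.168.100.20 502 ALLOW",  # PCS internal Modbus: fine
    "2011-10-20T09:00:02 10.10.5.7 192.168.100.20 502 ALLOW",       # corporate host straight to a controller
    "2011-10-20T09:00:03 10.10.5.7 192.168.100.20 3389 DENY",       # blocked, as it should be
    "2011-10-20T09:00:04 10.20.0.5 192.168.100.30 22 ALLOW",        # jump host SSH: allowed path
    "2011-10-20T09:00:05 203.0.113.9 192.168.100.30 20000 ALLOW",   # Internet host reaching DNP3
    "2011-10-20T09:00:06 10.20.0.5 192.168.100.30 502 ALLOW",       # DMZ speaking raw Modbus
]


def run_sample() -> List[Finding]:
    return check_segmentation(SAMPLE_LOG)


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.port} : {f.rule}")
```

The checker only works if the firewall between zones actually logs allowed flows, which is the point of the "limited-to-no logging" finding: without that record there is nothing to review. Running it against a day of real flow logs gives a concrete list of segmentation gaps to close rather than a general statement that the PCS network "lacks overall segmentation".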
Not a technical problem, but a business challenge
Many of the 2011 breaches could have been prevented
However, significant effort required to inventory, identify and close every vulnerability
Financial & operational resistance is always encountered, so how much of an investment is enough?
Questions?
Thank you for your time today! Get engaged with IBM X-Force Research and Development…
– Follow us at @ibmsecurity and @ibmxforce
– Download X-Force security trend & risk reports: http://www-935.ibm.com/services/us/iss/xforce/
– Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions
– Attend in-person events: http://www.ibm.com/events/calendar/
– Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
– Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com