Critical Infrastructure Threat Protection 12/16/2017
M11 Critical Infrastructure Threat Protection Symposium

Agenda
Introduction
What is Critical Infrastructure
What are the Threat Vectors
How do we protect ourselves
Tools and Resources

CEO of M11; 26 years of network and information security
M.Sc. in Applied Mathematics/Electronics
Member of ITAC
CCDA, CSA, IT Security (CSE), (InfoSec)
CISSP
Fire Jumper and Black Hat participant
SCADA/ICS certified
Data Centre Security 3.0, ITIL, Six Sigma process, ITSM
IBM TOP GUN Cyber Security program certified
Certified in CVP and BVP
CEH
Certification in Aviation Cyber Security
Commercial Pilot

Who We Are
M11 has been in the cyber security business for 14+ years.
Our team includes:
37+ highly skilled cyber warfare experts
End-to-end cyber security expertise
Ethical hackers and cyber warriors, part of the ELITE RED TEAM
Airline captains, Dr, industry engineers, with cyber security expertise
Research and development specific to customized tools and systems development

What We Do!
Information Assurance; Real-time Situational Awareness
Cyber Intelligence
Cyber Counterintelligence (CYBINT)
Human Intelligence (HUMINT)
Open Source Intelligence (OSINT)
Geospatial Intelligence (GEOINT)
Measurement & Signature Intelligence (MASINT)
Biometrics, Forensics
Digital & Financial Forensics
Physical Security Systems, SAMC Support
Secure Network Operations (SPOC/NOC/SNOC/MSSP)
Incident Preparedness, Response and Forensics
Global Cyber Threat Intel Services
Asymmetric Warfare
Tabletop Exercises
War Gaming
SCADA/ICS Industrial Systems verification and testing

Who we work with…
Law Enforcement: TPS, OPP, RCMP, Arlington, Washington DC
Aviation: Sunwing, Air Canada, WestJet, GTAA
Power/Distribution: Hydro One, McCains
Healthcare: LHSC, OTMH, Milton Hospital, DI Clinics, QCH

Global Threat Priority
Cyber Attack
Chemical / Biological Attack
Nuclear Attack
Conventional Warfare

Everything we do today has something to do with cyber, or is attached to the cyber world.
Critical infrastructure is pervasive and impacts everyone.
The electrical grid is the backbone of our modern society, and it impacts everything else.
Everything is attached to cyber / the Internet.

In the middle of May-June your electrical grid gets compromised:
No electricity for days/weeks
No water
No medical facilities functioning

According to a study, if you shut down a power grid for a long period of time, which includes the water supply, there will be significant loss of lives.
This can easily be accomplished by malware.

Let's review a real-life scenario
In the midst of a deployment in an armored vehicle, a soldier saw a USB port and wanted to listen to music and watch a video…
That USB contained malware…
That malware shut down the entire global Fire Tactical System, which is connected via a global network.

Another Example

What is Critical Infrastructure as per the Global Threat Database

Attacks by Industry Sector

A little History
2003: the US North East blacked out for two days, causing 11 dead and 6B in damage.
2007: Estonia's infrastructure crashed for multiple days.
2010: Stuxnet (yes, 2010. That long ago).
2012: Saudi Aramco, one of the world's largest oil companies. In a matter of hours, 35,000 computers were partially wiped or totally destroyed. Saudi Aramco's ability to supply 10% of the world's oil was suddenly at risk.
2013: the Rye Brook Dam in New York was compromised.
Dec 2015: a massive attack on the power grid in Ukraine took out power to 230,000 to 700,000 for hours.
Dec 2016: Pivnichna, Kiev was taken out for an hour.
2017: Kaspersky released their findings that "About 20,000 different malware samples were revealed in industrial automation systems belonging to over 2,000 different malware families." (4)

Cellphone attack on a water SCADA system
Infected email phishing on a nuclear power plant
Denial of Service Attacks (DDoS)
The tools for these attacks via the Internet already exist.
Organized Cyber Crime
People will always be the weakest link.

Methods of Compromise… Vectors:
The Director of the NSA and US Cyber Command says, "It is only a matter of the when, not the if, that we are going to see something traumatic."
May 2016: G7 Energy Ministers released a statement that resilient energy systems were critical.
May 2016: 42% of power and utilities companies say it's unlikely they would be able to detect a sophisticated attack.

So what's the word…
It's not a question of 'if', it's 'when'. If you knew that you were going to be breached, would you do it differently?

Malware will get into your environment:
95% of large companies targeted by malicious traffic
60% of data stolen in hours
65% of organizations say attacks evaded existing preventative security tools
$5.9M average cost of a breach in the United States

Once it's inside, organizations will struggle to deal with it:
15% of organizations take 2+ years to discover a breach
55% of organizations unable to determine the cause of a breach
45 days average time to resolve a cyber-attack
54% of breaches remain undiscovered for months

Dynamic Threat Landscape
It is a community that hides in plain sight, avoids detection, and attacks swiftly.
60% of data is stolen in hours
54% of breaches remain undiscovered for months
100% of companies connect to domains that host malicious files or services

As an example: the Aviation Industry
The latest generation of aircraft face a growing cyber threat, as they are increasingly connected to data networks and the Internet.
This emerging threat has no developed standards for the risk of airborne IT systems.

Threat Landscape
The scenario from the film Die Hard 2, where the aircraft was programmed to fly 200 meters higher than it really is… "is no longer a fiction, it's a reality," says IATA in 2012.
"Very concerned about threats to flying software and aircraft are now in need of cyber protection," Major Aircraft Manufacturer rep.

Threat Landscape
The researcher demonstrated that it is possible to hack the on-board components by eavesdropping on the system's communications over its 1 MBps link and injecting specially crafted data.
"You can use this system to modify approximately everything related to the navigation of the plane," explained Teso.

Operational Architecture
Threat Vectors
Flight Deck: Electronic Flight Bag
Avionics Data: Satcom, ACARS and avionics
Open Networking: avionics interfaces, servers, terminal wireless, network appliances and core network
Maintenance: software loading and maintenance access
Cabin and Airline Services: FOQA data, FA terminals and crew wireless
Passenger: IFE, Wi-Fi and cell phones
3G/4G communication and security issues

Specific Vulnerabilities
Dispatch: disruption of communications resulting in departure delays or cancellations
Navigation: corrupted and outdated navigation data
Performance: incorrect passenger and cargo data
Weather: wind, temperature; critical for heavy aircraft
Operational Communications
Irregular Operations
Security Incident Reporting
Crew Control: disruption of crew control systems will prevent the timely departure of flights. Not all crewmembers have a firm grasp on the concept of information security.
Proprietary Processes and Data: pricing models; routes and marketing; passenger data

Onboard Systems Vulnerabilities
FMS (Flight Management System): computer unit, control display unit
The Control Display Unit (CDU) provides the primary human/machine interface for data entry and information display.
The FMS provides: navigation, flight planning, trajectory prediction, performance computations, flight guidance.

Exploit Vector
Goal: exploit the FMS
Using ACARS to upload FMS data
Upload options: Software Defined Radio; Ground Service Providers
The path to the exploit: audit aircraft code searching for vulnerabilities

What can be Done? AIRPORT
Audit
Identify Requirements
Risk Analysis
Priority Assignment
Operational Plan of Action
Recommendation
Testing
People, Process, Technology
Culture of Security
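The audit steps above (identify requirements, risk analysis, priority assignment, operational plan of action) become concrete once findings are scored and ordered. The following is an added example, not code from the deck or from M11: a small risk register that scores each finding as likelihood times impact on 5-point scales, raises likelihood one step for systems reachable from outside the operator's network, and bands the result into P1..P4 for the plan. The scales, the exposure rule and the band thresholds are assumptions of this example; the findings are constructed sample data that reuse the deck's own vulnerability areas (Dispatch, Navigation, Crew Control, Passenger Data, Weather).

```python
"""Risk analysis and priority assignment for audit findings.

Added example (not M11's code): turns the audit steps on the slide into
an ordered action plan. Scoring and thresholds are assumptions chosen
for illustration; the findings are constructed sample data.
"""
from dataclasses import dataclass

# 5-point qualitative scales (assumed; any organisation-specific scale works)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Finding:
    system: str                 # business area from the audit (Dispatch, Navigation, ...)
    description: str
    likelihood: str             # key of LIKELIHOOD
    impact: str                 # key of IMPACT
    externally_reachable: bool  # reachable from outside the operator's network


def risk_score(finding: Finding) -> int:
    """Likelihood x impact; external exposure raises likelihood one step (assumed rule)."""
    likelihood = LIKELIHOOD[finding.likelihood]
    if finding.externally_reachable:
        likelihood = min(5, likelihood + 1)
    return likelihood * IMPACT[finding.impact]


def priority(score: int) -> str:
    """Map a score (1..25) onto a priority band (assumed thresholds)."""
    if score >= 15:
        return "P1"
    if score >= 8:
        return "P2"
    if score >= 4:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return (priority, score, system, description) tuples, highest risk first.

    Ties are broken alphabetically by system so the plan is deterministic."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.system))
    return [(priority(risk_score(f)), risk_score(f), f.system, f.description) for f in ranked]


# Constructed sample findings; the systems mirror the deck's vulnerability list.
SAMPLE_FINDINGS = [
    Finding("Crew Control", "Crew scheduling server reachable from office LAN without MFA",
            "possible", "major", False),
    Finding("Navigation", "Navigation database updates loaded without an integrity check",
            "unlikely", "severe", False),
    Finding("Dispatch", "ACARS ground gateway management interface exposed to the internet",
            "possible", "major", True),
    Finding("Passenger Data", "Reservation backups stored unencrypted on shared storage",
            "likely", "moderate", False),
    Finding("Weather", "Wind/temperature feed accepted without source validation",
            "unlikely", "moderate", False),
]


def action_plan(findings=SAMPLE_FINDINGS):
    """Group the ranked findings by priority band for the operational plan of action."""
    plan = {}
    for prio, score, system, desc in prioritize(findings):
        plan.setdefault(prio, []).append((system, score, desc))
    return plan


if __name__ == "__main__":
    for prio, items in sorted(action_plan().items()):
        print(prio)
        for system, score, desc in items:
            print(f"  [{score:2d}] {system}: {desc}")
```

With the sample data the internet-exposed ACARS gateway lands in P1 on its own, three findings share P2 and the weather feed falls to P3, which is the order the operational plan should work through.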

"Do whatever it takes to avoid Cyber Pearl Harbor"
Leon Panetta

Some of the Control Systems testing and systems development
M11 brings some of the greatest minds to bear on SCADA/ICS issues
Deep understanding of ICS best practices, including NIST SP 800-82 and NIST SP 800-53
Coauthor of NISTIR 7628
Development team experienced in both offensive and defensive technologies
Vulnerability Research
Reverse Engineering of Software and Hardware
Physical, Network, and Web Penetration Testing
Architecture Review

M11 recommendations for SCADA/ICS
Architecture Review
Penetration Testing
Security Training
Tabletop Exercises
Consulting
Products

SCADA/ICS Penetration Testing
Identifying the attack surface
Coordinating with customers on a hybrid-approach penetration test
Where appropriate, existing N-day vulnerabilities and design weaknesses will be leveraged to gain access to systems.
Where appropriate, a table-top style will be employed to reduce the likelihood of adverse impact on the ICS.

SCADA/ICS Security Training
Custom SCADA/ICS training
Training and presentation background including SANS Training, SANS Summits, BlackHat, DEFCON, and other domestic and international venues

SCADA/ICS Architecture Review
Using interviews and documentation
Track through people/process/technology
Identify: breakdowns in coverage; ability to identify compromise; ability to respond to compromise

SCADA/ICS Tabletop Exercises
Scenario-based compromise response exercise ("SCADA Role-Playing Game")
Identifies weaknesses in response plans
Exercises the response plans
Establishes/strengthens vital relationships
Introduces the different groups to the constraints of other groups

TOC
Assessments
Architecture Review. White-box design review of documentation and interviews: network cartography, configurations, etc. Because of our experience, we are able to quickly provide an assessment, saving time and money; this is our preferred method.
Penetration Testing. Simulate adversarial threat-based approaches to expose and exploit vulnerabilities, to identify weaknesses and to improve security posture and operational procedures through vulnerability identification, enumeration, and purposeful exploitation; and to determine the value and effectiveness of a network, system, or application's security configuration.

TOC
Attributable and non-attributable targeted tests. Local technical testing will attempt to find radio networks for exploitation and access, as well as use close-access social engineering for direct network access.
Open-systems-focused penetration test to provide insight into the extent of public presence
Technical: proprietary and open-source tools to conduct

TOC Support
Forensics
Identify, collect, examine, analyze, and preserve the integrity of resources and information for computer forensics.
Perform root cause analysis of computer systems that failed or are not operating properly.
Develop and train standard processes for conducting forensics for the help/service desk, to ensure that incident handlers and first responders satisfy forensics requirements.
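The collect-and-preserve-integrity step above is the part a help/service desk most often gets wrong: files are copied, then edited in place, and nobody can later show they are unchanged. The script below is an added example, not M11 tooling: it copies artefacts into an evidence store, records a SHA-256 digest, size, original path and collector for each in a manifest, and re-verifies the manifest so any change during handling is detected. The two log files and the case and collector identifiers are constructed sample data, and the demo deliberately modifies one stored copy to show what a verification failure looks like.

```python
"""Evidence collection with integrity preservation.

Added example, not M11 tooling: copy artefacts into an evidence store,
record a SHA-256 digest, size and collector for each in a manifest, and
re-verify the manifest later so that any change during handling is
detected. The artefacts in demo() are constructed sample files.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def collect(sources, evidence_dir, collector, case_id):
    """Copy each source into evidence_dir and write manifest.json beside the copies."""
    os.makedirs(evidence_dir, exist_ok=True)
    items = []
    for src in sources:
        digest = sha256_file(src)                 # hash the original first
        dest = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dest)                   # copy2 keeps timestamps for the timeline
        if sha256_file(dest) != digest:           # prove the copy is bit-for-bit identical
            raise RuntimeError(f"copy of {src} did not verify")
        os.chmod(dest, 0o444)                     # stored copy is read-only
        items.append({
            "original_path": os.path.abspath(src),
            "stored_as": os.path.basename(src),
            "size": os.path.getsize(dest),
            "sha256": digest,
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(evidence_dir):
    """Re-hash every stored item; returns {stored_as: 'ok' | 'missing' | 'hash mismatch'}."""
    with open(os.path.join(evidence_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    report = {}
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["stored_as"])
        if not os.path.exists(path):
            report[item["stored_as"]] = "missing"
        elif sha256_file(path) != item["sha256"]:
            report[item["stored_as"]] = "hash mismatch"
        else:
            report[item["stored_as"]] = "ok"
    return report


def demo():
    """Collect two constructed log files, verify, then simulate a mishandled copy."""
    work = tempfile.mkdtemp()
    host = os.path.join(work, "host")
    os.makedirs(host)
    # Constructed sample artefacts standing in for files pulled from a failed host.
    with open(os.path.join(host, "auth.log"), "w") as fh:
        fh.write("Jan 10 03:14:07 hmi-01 sshd[812]: Accepted password for operator from 10.0.5.9\n")
    with open(os.path.join(host, "syslog"), "w") as fh:
        fh.write("Jan 10 03:15:22 hmi-01 kernel: usb 1-2: new high-speed USB device\n")
    evidence = os.path.join(work, "evidence")
    collect([os.path.join(host, "auth.log"), os.path.join(host, "syslog")],
            evidence, collector="analyst-1", case_id="CASE-0001")
    before = verify(evidence)
    # Simulate someone editing a stored copy instead of working from a duplicate.
    tampered = os.path.join(evidence, "auth.log")
    os.chmod(tampered, 0o644)
    with open(tampered, "a") as fh:
        fh.write("Jan 10 03:20:00 hmi-01 sshd[812]: session closed\n")
    after = verify(evidence)
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The manifest is what a first responder hands to the incident handler: the digest computed at collection is the reference, and every later examination runs verify() before and after work so the chain of custody records that the stored copies were never touched.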

Thank you for your Time.