Critical infrastructure protection: standardization to protect critical infrastructure objects
Viacheslav Zolotnikov, Sr. Technology Research Manager, Kaspersky Lab, [email protected]
ITU Workshop on "ICT Security Standardization for Developing Countries" (Geneva, Switzerland, 15-16 September 2014)

Threats history: Slammer, Blaster and the Great Blackout
  • January 2003: the Slammer worm knocked out the 911 emergency telephone service in Bellevue, Wash.
  • The Blaster worm infected more than a million computers running Windows in the days after 11 August 2003.
  • Critical to the 14 August 2003 blackout were a series of alarm failures at FirstEnergy, a power company in Ohio: the computer hosting the control room's "alarm and logging software" failed, and so did the status computer at the Midwest Independent Transmission System Operator, the regional agency that oversees power distribution. The essay cited below stops short of blaming Blaster for those failures; its point is that the control-room systems were ordinary networked computers, exposed to the same worm traffic as everyone else's.
  Source: https://www.schneier.com/essays/archives/2003/12/blaster_and_the_grea.html

Threats history: Stuxnet quickly propagated throughout Natanz
  • A double agent used an ordinary USB drive carrying the payload to infect Iran's Natanz nuclear facility with the highly destructive Stuxnet worm, according to a story by ISSSource.
  • August 2010: Stuxnet, a worm intended to hit critical infrastructure companies, left a back door meant to be accessed remotely, so that outsiders could stealthily control the plant.
  • The malware includes a rootkit (software designed to hide the fact that a computer has been compromised) and components that sneak onto computers because they are digitally signed with certificates belonging to two Asian chip manufacturers based in the same industrial complex, Realtek and JMicron. A valid signature proves only who the certificate belonged to, not that the code is benign; once signing keys are stolen, allow-listing by signer alone is defeated.
  Source: http://www.cnet.com/news/stuxnet-delivered-to-iranian-nuclear-plant-on-thumb-drive/

Threats history: 7 January 2014, Monju nuclear power plant PC infected with a virus
  • A computer used at the Monju prototype fast-breeder reactor facility in Tsuruga, Fukui Prefecture, was found to have contracted a virus, and officials believe that some data from the computer may have been leaked as a result.
  • According to the Japan Atomic Energy Agency, which operates the facility, the computer was being used by on-duty employees to file company paperwork when the virus was first detected on 2 January.
  • The computer was infected when a video playback program attempted to perform a regular software update, i.e. the entry point was the update channel of an unrelated desktop application, not the plant software.
  Source: http://www.japantoday.com/category/national/view/monju-power-plant-facility-pc-infected-with-virus

Threats history: backdoor in equipment used for traffic control and railways called a huge risk
  • An undocumented factory backdoor account in the operating system of RuggedCom's industrial network equipment. Because the account is built into the firmware, an operator cannot remove it by configuration; only a vendor firmware update closes it.
  • Potentially affected a wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations.
  • April to July 2011: the issue was reported to RuggedCom, which took no action.
  • February 2012: US-CERT was notified and a warning was issued.
  Source: http://threatpost.com/backdoor-equipment-used-traffic-control-railways-called-huge-risk-042512/76485

Issues
  • The main issue is a mindset: "do not touch the working system". That was defensible for an isolated plant; it is not for a control system connected to the internet.
  • Hacking: password complexity checks that can be bypassed, and hard-coded passwords built into systems.
  • Regular system maintenance and patching is neglected, because patching means touching the working system.
  • HMIs exposed through mobile-phone interfaces.
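The two credential problems on this slide side by side, as an added example that is not part of the presentation: a password baked into the device code together with a complexity check that exists only in the client, and a hardened form in which the device itself enforces the policy and stores only a salted PBKDF2 digest. The account name and password values are constructed for illustration.

```python
# Added example (not from the presentation): hard-coded credential and
# client-only complexity check, beside a hardened form. Account and
# password values are constructed for illustration.
import hashlib
import hmac
import os
import re
from typing import Dict, Tuple

# --- Weak pattern --------------------------------------------------------
# The credential lives in the code shipped on every unit: anyone with the
# firmware image or source owns all deployed devices, and no field
# procedure can rotate it. A "complexity check" that runs only in the HMI
# client is skipped by anyone who speaks the device protocol directly.
HARDCODED_ACCOUNTS = {"operator": "100"}        # constructed example


def weak_login(user: str, password: str) -> bool:
    return HARDCODED_ACCOUNTS.get(user) == password


# --- Hardened pattern ----------------------------------------------------
PBKDF2_ITERATIONS = 200_000
_SALT_LEN = 16
_DIGEST_LEN = 32
_store: Dict[str, Tuple[bytes, bytes]] = {}     # user -> (salt, digest)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=_DIGEST_LEN)


def meets_policy(password: str) -> bool:
    """Complexity policy enforced by the device itself, not by the client UI."""
    return (len(password) >= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def set_password(user: str, password: str) -> bool:
    """Provision or rotate a credential. Returns False and stores nothing when
    the policy is not met, so bypassing the client-side check changes nothing."""
    if not meets_policy(password):
        return False
    salt = os.urandom(_SALT_LEN)
    _store[user] = (salt, _digest(password, salt))
    return True


def hardened_login(user: str, password: str) -> bool:
    # Unknown users still pay the full PBKDF2 cost, so response timing does
    # not reveal which account names exist; the compare is constant-time.
    salt, expected = _store.get(user, (b"\0" * _SALT_LEN, b"\0" * _DIGEST_LEN))
    candidate = _digest(password, salt)
    return user in _store and hmac.compare_digest(candidate, expected)
```

There is no default account in the hardened store: a device has to be provisioned with `set_password` at first boot, which is exactly the step a hard-coded credential lets vendors skip.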

Kaspersky SCADA honeypot
  • A SCADA (supervisory control and data acquisition) computer with a public IP address, set up to look like an industrial system PC; run in September 2013.
  • 1294 unauthorized access attempts
  • 422 successful accesses
  • 34 accesses from PLC development-environment systems
  • 7 downloads of the PLC configuration
  • 1 case of PLC reprogramming (!!!)
  Within a single month an unadvertised host reached the last rung of that ladder: someone changed the logic of what they believed was a live PLC.

Researchers deliver
  During talks on SCADA security problems at the Kaspersky-Threatpost Security Analyst Summit [in February 2012], several other researchers talked about the serious issues inherent in these ICS installations, and the picture they painted is one of systemic problems and a culture of naivete about security in general. Terry McCorkle, an industry researcher, discussed a research project he did with Billy Rios in which they went looking for bugs in ICS systems, hoping to find 100 bugs in 100 days. That turned out to be a serious underestimation of the problem.

  "It turns out they're stuck in the Nineties. The SDL doesn't exist in ICS," McCorkle said. "There are a lot of ActiveX and file format bugs and we didn't even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable."
  Source: http://threatpost.com/state-scada-security-laughable-researchers-say-020312

Researchers' conclusion
  • The ICS and SCADA systems under study were developed in the last century, by people from the last century, using standards from the last century.

Remarkable standards in 2013-14
  Under development:
  • IEC 62443 (formerly ISA99; aligned with the ISO/IEC 2700x family)
  • NIST SP 800-82 Rev. 2, Guide to Industrial Control Systems (ICS) Security (draft)
  Released:
  • NIST Framework for Improving Critical Infrastructure Cybersecurity

Key principles of secure system development to be standardized
  • Complete mediation: isolation of components (processes, resources); every sensitive operation is controlled.
  • Tamperproof: a minimal and structured trusted computing base; resistance to external actions, incorrect queries, etc.; protection of the security configuration.
  • Verifiability: structured, compact and tested; formal/semi-formal methods.
  • Platform: flexibility in security policy definitions; a secure systems development methodology.
  The first three are the classic reference-monitor requirements: every access is checked, the checker cannot be subverted, and the checker is small enough to be shown correct.
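A toy reference monitor that makes the four principles concrete, added here as an illustration and not code from the presentation or from Kaspersky. The subjects (hmi, historian, engineering), the objects (setpoints, plc_program) and the policy are constructed for the example. Complete mediation: components reach resources only through `read`/`write`, which always call `check`. Tamperproof: the policy is a read-only mapping of frozen sets, and malformed requests are rejected before policy or resources are touched. Verifiability: the policy is small enough for `verify_policy` to check an invariant exhaustively. Platform: policy is data, separate from the mediation code, so it can change without changing the core.

```python
# Added example (not from the presentation): a minimal reference monitor.
# Subjects, objects and policy are constructed for illustration.
from dataclasses import dataclass
from types import MappingProxyType
from typing import Any, Dict, FrozenSet, List, Tuple

# Policy as data: (subject, object) -> permitted operations. The read-only
# proxy and frozen sets mean no component can edit it at runtime
# (protection of the security configuration).
POLICY = MappingProxyType({
    ("hmi", "setpoints"): frozenset({"read", "write"}),
    ("hmi", "plc_program"): frozenset({"read"}),
    ("historian", "setpoints"): frozenset({"read"}),
    ("engineering", "plc_program"): frozenset({"read", "write"}),
})
KNOWN_OPS: FrozenSet[str] = frozenset({"read", "write"})


@dataclass(frozen=True)
class Request:
    subject: str
    obj: str
    op: str


class Denied(Exception):
    """Raised for every rejected request; the caller gets no partial result."""


class ReferenceMonitor:
    """Small, self-contained mediation core (the trusted base).

    Every access passes through check(). Resources are held privately so
    components never hold direct references to them. In Python the
    underscore is only a convention; a real platform enforces this
    isolation with process and address-space boundaries.
    """

    def __init__(self, resources: Dict[str, Any]) -> None:
        self._resources = dict(resources)
        self.audit: List[Tuple[str, Request]] = []

    def check(self, req: Request) -> None:
        # Resistance to incorrect queries: reject unknown operations and
        # unknown objects before consulting policy or touching resources.
        if req.op not in KNOWN_OPS or req.obj not in self._resources:
            self.audit.append(("malformed", req))
            raise Denied(f"malformed request {req}")
        if req.op not in POLICY.get((req.subject, req.obj), frozenset()):
            self.audit.append(("deny", req))
            raise Denied(f"{req.subject} may not {req.op} {req.obj}")
        self.audit.append(("allow", req))

    def read(self, subject: str, obj: str) -> Any:
        self.check(Request(subject, obj, "read"))
        return self._resources[obj]

    def write(self, subject: str, obj: str, value: Any) -> None:
        self.check(Request(subject, obj, "write"))
        self._resources[obj] = value


def verify_policy() -> bool:
    """Verifiability: the policy is small enough to check exhaustively.
    Invariant for this constructed plant: only 'engineering' may write the
    PLC program, and every listed operation is one the monitor knows."""
    ops_known = all(op in KNOWN_OPS for ops in POLICY.values() for op in ops)
    plc_writes_restricted = all(
        "write" not in ops
        for (subj, obj), ops in POLICY.items()
        if obj == "plc_program" and subj != "engineering"
    )
    return ops_known and plc_writes_restricted


def policy_is_tamperproof() -> bool:
    """Try to add a rule at runtime; the read-only proxy must refuse."""
    try:
        POLICY[("historian", "plc_program")] = frozenset({"write"})  # type: ignore[index]
    except TypeError:
        return True
    return False


def run_scenario() -> List[str]:
    """Drive constructed requests through the monitor and report outcomes."""
    rm = ReferenceMonitor({"setpoints": {"pump1": 40}, "plc_program": b"OB1 ..."})
    outcomes: List[str] = []
    for subject, obj, op, value in [
        ("hmi", "setpoints", "write", {"pump1": 55}),   # allowed by policy
        ("historian", "setpoints", "read", None),       # allowed by policy
        ("hmi", "plc_program", "write", b"OB1 evil"),   # denied: hmi may only read it
        ("historian", "tags", "read", None),            # malformed: unknown object
        ("engineering", "plc_program", "read", None),   # allowed by policy
    ]:
        try:
            if op == "write":
                rm.write(subject, obj, value)
            else:
                rm.read(subject, obj)
            outcomes.append("allow")
        except Denied:
            outcomes.append(rm.audit[-1][0])
    return outcomes


if __name__ == "__main__":
    print(run_scenario(), verify_policy(), policy_is_tamperproof())
```

The audit list is part of the design, not decoration: a monitor that denies silently cannot be verified against its policy after the fact, and a malformed request is logged separately from a policy denial because the two point at different failures (a broken or hostile client versus a missing rule).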

Recommendations
  • Create a collaborative working group of experts within ITU-T to address today's threats to critical infrastructure systems.
  • Focus on standardizing secure systems development for critical infrastructures and ICS.
  • Initiate work on standards for ICS and critical infrastructure systems.
  • Involve practitioners worldwide and make ICS standards available to all countries, so that best practices are shared and enforced by standards.

Thank you
