Emerging Threats… and how to address them
Dr Paul Smith, [email protected]
AIT Austrian Institute of Technology, Digital Safety and Security Department
Advanced Persistent Cyber-Physical Threats
Anatomy of an Advanced Cyber-Physical Threat
• Waterhole attacks
• Infected software
• Stolen/insecure username and password credentials
• Compromise from the internet
• Office PC
• Third-party remote maintenance
• Engineer’s laptop
• BYOD
• Well-known tools like nmap
• Havex and Stuxnet sniffed network traffic
• A RAT can keylog credentials
• Vulnerable operating system
• Vulnerable services on SCADA server, data historian, etc.
• Vulnerable network devices
• Variety of known and unknown vulnerabilities in SCADA devices and software (CVEs, e.g. for GE, Siemens and BroadWin products)
• Inherently vulnerable SCADA protocols
• Devices vulnerable to freeze, shutdown, etc.
Attack chain:
1. Phishing email & social engineering
2. Install Remote Access Trojan (RAT) on office PC
3. Network mapping & lateral movement
4. Exploit vulnerability & pivot to SCADA network
5. Deploy SCADA attack payload
6. Attack physical system functions
[Figure: attack path from the attacker’s controller and web server over the Internet into the Office Network (Windows 7 office PC), on to the SCADA Network (data historian, SCADA HMI) and finally to the Physical Systems (PV inverter)]
Threat Actors – Cyber Attacks
Cyber Criminals: Motivation: High; Capability: Sophisticated
Hacktivists: Motivation: Low; Capability: Sophisticated
State-Sponsored Actors: Motivation: High; Capability: Sophisticated
Insiders: Motivation: Unpredictable; Capability: Limited
Threat Actors – Cyber-Physical Attacks
Cyber Criminals: Motivation: Low; Capability: High
Hacktivists: Motivation: Low; Capability: Sophisticated
State-Sponsored Actors: Motivation: High; Capability: Sophisticated
Insiders: Motivation: Unpredictable; Capability: Limited
Could this change in the future and why?
A More Open Smart Grid
[Figure: SCADA communication protocols over time, moving towards open standards]
More actors, more open interfaces
Standardised SCADA protocols and an increased number of interfaces to operational systems make smart grids vulnerable to advanced cyber-physical threats
Ransomware of the Future
Addressing these Emerging Threats
Risk Management
Secure Architecture
Situation Awareness
Incident Response
Closer IT and OT Integration
Resilience
Risk Management for the Smart Grid
[Figure: co-simulation of a cyber-physical attack on the AIT Simulation Message Bus (power systems simulator, network simulator, control algorithm, sync proxy): manipulated Q(U) curve parameters push the voltage outside ±5% of the nominal 230 V, causing an overvoltage situation]
Risk assessment is essential to understand how bad an attack can be and how likely it is to happen
The consequences of an attack can be wide-ranging
Co-simulation can be used to identify operational consequences; however, there is a large initial overhead
Future direction: a consequence catalogue for cyber-physical attacks on the smart grid
Situation Awareness
Points to consider:
• Monitoring and detection should be deployed in the IT and OT infrastructure
• Open challenge: managing the data deluge
• In addition to technology solutions, clear processes are required regarding how they should be used
• Future direction: incorporating situation awareness information into the risk management process
Detection in Depth
[Figure: detection techniques plotted against threat sophistication (limited to highly) and attack knowledge (known to unknown attacks): whitelists/signatures cover known attacks, stateful analysis the middle ground, anomaly detection unknown attacks]
Information sharing and analysis is critical to situation awareness
Example Security Information Analytics Platform
Knowledge-based:
• Deviation from set-point (grid specifications)
• Rule violations (physical laws; system model)
• Dead-sensor clustering (operator-selected time windows)
Data-driven:
• Kullback–Leibler divergence (histogram over full day)
• Single-class SVM (classification – normal vs anomalous)
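The knowledge-based and data-driven checks listed above, as an added example that is not part of the original slides or of the AIT platform: a set-point check against the ±5% band around the nominal 230 V mentioned on the risk-management slide, a simplified dead-sensor check (a flat reading over an operator-chosen window, standing in for the clustering step), and a Kullback–Leibler divergence between the histogram of a full day of voltage readings and a baseline day. The hourly readings, the bin edges and the alert threshold are constructed for illustration; the single-class SVM is not shown.

```python
import math

NOMINAL_V = 230.0   # nominal voltage from the slide
TOLERANCE = 0.05    # ±5 % band from the slide


def setpoint_deviations(samples, nominal=NOMINAL_V, tol=TOLERANCE):
    """Knowledge-based check: indices of readings outside nominal*(1 ± tol)."""
    lo, hi = nominal * (1.0 - tol), nominal * (1.0 + tol)
    return [i for i, v in enumerate(samples) if v < lo or v > hi]


def dead_sensor_windows(samples, window, eps=1e-9):
    """Simplified dead-sensor check (an assumption, not the platform's clustering):
    start indices of every run of `window` readings that never changes."""
    hits = []
    for i in range(len(samples) - window + 1):
        chunk = samples[i:i + window]
        if max(chunk) - min(chunk) <= eps:
            hits.append(i)
    return hits


def histogram(samples, lo, hi, nbins):
    """Normalised histogram over nbins equal-width bins on [lo, hi]; readings
    outside the range are clamped into the edge bins. Laplace smoothing keeps
    every bin non-zero so the KL divergence is always defined."""
    width = (hi - lo) / nbins
    counts = [0] * nbins
    for v in samples:
        idx = int((v - lo) / width)
        counts[min(max(idx, 0), nbins - 1)] += 1
    total = len(samples) + nbins
    return [(c + 1) / total for c in counts]


def kl_divergence(p, q):
    """D_KL(p || q) = sum p_i * ln(p_i / q_i) for two smoothed histograms."""
    return sum(pi * math.log(pi / qi) for pi, qi in zip(p, q))


# Constructed data: 24 hourly voltage readings (V). The baseline day follows a
# gentle diurnal swing; the attack day repeats it, but a manipulated Q(U) curve
# pushes the PV inverter into overvoltage between 10:00 and 15:00.
BASELINE_DAY = [NOMINAL_V + 2.0 * math.sin(2 * math.pi * h / 24) for h in range(24)]
ATTACK_DAY = [246.0 if 10 <= h <= 15 else v for h, v in enumerate(BASELINE_DAY)]
# A stuck sensor reports the same value for eight hours in a row.
STUCK_DAY = BASELINE_DAY[:8] + [231.0] * 8 + BASELINE_DAY[16:]

BIN_LO, BIN_HI, NBINS = 215.0, 245.0, 6   # constructed bin edges
KL_THRESHOLD = 0.2                        # constructed alert threshold


def daily_kl_alert(day, baseline=BASELINE_DAY, threshold=KL_THRESHOLD):
    """Data-driven check: KL divergence of today's histogram from the baseline,
    and whether it exceeds the alert threshold."""
    p = histogram(day, BIN_LO, BIN_HI, NBINS)
    q = histogram(baseline, BIN_LO, BIN_HI, NBINS)
    d = kl_divergence(p, q)
    return d, d > threshold


if __name__ == "__main__":
    print("set-point violations at hours:", setpoint_deviations(ATTACK_DAY))
    print("dead-sensor windows starting at:", dead_sensor_windows(STUCK_DAY, window=6))
    print("KL divergence, alert:", daily_kl_alert(ATTACK_DAY))
```

The two families complement each other: the set-point check fires on each individual overvoltage reading, while the histogram comparison flags the day as a whole even when no single reading leaves the band, which is the case an operator-tuned threshold on the divergence is meant to catch.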
Incident Response
Points to consider:
• Use checklists to ensure incident response plans are being followed
• Practice makes perfect
• Consider third-party providers in your incident response plan: everything is going to the Cloud
• Incident response plans should include IT and OT departments
Future challenge: digital forensics for industrial control systems remains an open issue
Future Direction: Resilient Control
• Adaptation of PV controller behaviour, based on security information
• Evidential network used to determine the system state
• Dempster–Shafer theory used to address alert uncertainty
• Demonstration in the AIT SmartEST Lab
[Figure: cyber-physical control loop]
In some cases, it may be necessary to perform automatic infrastructure adaptation
Open questions remain about the optimal way to address cyber-attacks on cyber-physical systems (smart grids)
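Dempster’s rule of combination over a two-state frame, as an added example that is not part of the original slides or of the AIT demonstrator: two sources, an IDS alert and a rule check on grid measurements, each assign mass to "attack", "normal" or the whole frame (their own uncertainty), and the combined belief in "attack" drives the decision to adapt the PV controller. The mass values and the 0.7 decision threshold are constructed; the structure of the demonstrator’s evidential network is not shown.

```python
from itertools import product

NORMAL, ATTACK = "normal", "attack"
THETA = frozenset({NORMAL, ATTACK})   # frame of discernment
A = frozenset({ATTACK})
N = frozenset({NORMAL})


def check_mass(m):
    """A mass function puts non-negative mass on non-empty subsets of THETA, summing to 1."""
    if any(not s or not s <= THETA or v < 0 for s, v in m.items()):
        raise ValueError("mass on the empty set, outside the frame, or negative")
    if abs(sum(m.values()) - 1.0) > 1e-9:
        raise ValueError("masses must sum to 1")


def combine(m1, m2):
    """Dempster's rule: m(X) = sum_{B∩C=X} m1(B) m2(C) / (1 - K),
    where K is the mass assigned to contradictory pairs (B∩C empty)."""
    check_mass(m1)
    check_mass(m2)
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        inter = b & c
        if inter:
            combined[inter] = combined.get(inter, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict > 1.0 - 1e-12:
        raise ValueError("sources are in total conflict; Dempster's rule is undefined")
    return {s: v / (1.0 - conflict) for s, v in combined.items()}


def belief(m, hyp):
    """Bel(hyp): mass committed to subsets of hyp (lower bound on support)."""
    return sum(v for s, v in m.items() if s <= hyp)


def plausibility(m, hyp):
    """Pl(hyp): mass that does not contradict hyp (upper bound on support)."""
    return sum(v for s, v in m.items() if s & hyp)


# Constructed evidence. The IDS is 60 % sure it saw an attack and otherwise
# ignorant (mass on the whole frame); the rule check on grid measurements
# points to an attack with some support for "normal" and residual ignorance.
IDS_ALERT = {A: 0.6, THETA: 0.4}
GRID_CHECK = {A: 0.5, N: 0.2, THETA: 0.3}
ADAPT_THRESHOLD = 0.7   # constructed decision threshold


def decide(m, threshold=ADAPT_THRESHOLD):
    """Adapt the PV controller only once belief in ATTACK clears the threshold."""
    return "adapt-controller" if belief(m, A) >= threshold else "keep-setpoints"


if __name__ == "__main__":
    fused = combine(IDS_ALERT, GRID_CHECK)
    for s in (A, N, THETA):
        print(sorted(s), round(fused.get(s, 0.0), 4))
    print("IDS alone:", decide(IDS_ALERT), "| fused:", decide(fused))
    print("Bel(attack) =", round(belief(fused, A), 4),
          "Pl(attack) =", round(plausibility(fused, A), 4))
```

On its own the IDS alert gives Bel(attack) = 0.6 and stays below the threshold; fusing it with the grid check raises Bel(attack) to about 0.77 while Pl(attack) is about 0.91, and the gap between the two is the alert uncertainty that is left after combination. A pair of sources in total conflict (one certain of "attack", the other of "normal") is rejected rather than silently normalised.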
Conclusion
Smart grid stakeholders face new Advanced Persistent Cyber-Physical Threats
These threats are likely to become more prevalent and sophisticated:
• Energy systems become more open
• Barrier to entry is reduced; attacker tools become commoditized
• Potential financial gains for cybercriminals – ransomware for systems, not data
Enabling situational awareness and resilience is critical
A well-defined and rehearsed incident response plan is a must
IT and OT integration is necessary to prepare for these emerging threats
Symposium on Innovative Smart Grid Cybersecurity Solutions
Presentations on: risk assessment, situational awareness, privacy issues, smart grid resilience, …
Live demonstrations
13th – 14th March, 2017 in Vienna
AIT Austrian Institute of Technology: your ingenious partner
Dr Paul Smith, Senior Scientist, Digital Safety & Security Department
[email protected] | +43 664 883 90031 | www.ait.ac.at/it-security