
SCADA Right Now
Betsy Woudenberg, Co-founder

15 August 2012

This presentation is © 2012 by IntelligenceArts, LLC.

Thank you for your interest in this presentation! These slides combine my original research with data sources as cited in the slide notes area. You are welcome to cite my work, but please do not re-post this presentation online without my permission.

Thank you!
Betsy Woudenberg
[email protected]

What we’re talking about

Control systems
• Other control systems: facility control, manufacturing
• Industrial control systems (ICS): critical infrastructure
▫ SCADA: Supervisory Control and Data Acquisition (water, oil & gas, power)
▫ DCS: Distributed Control Systems

The SCADA industry
• People are expensive, but computers are cheap.
▫ Commercial and profit-driven
▫ A truly global industry
• Idiosyncratic
▫ Few standards
▫ New processes bolted on to existing facilities
• Pragmatic and functional
▫ Built to last
▫ Early systems are still running

Basic SCADA structure
• The process: many thousands of valves, switches, and sensors (temperature, pressure, flow, etc.)
• Hundreds of Remote Terminal Units (RTU) (reading sensors and controlling valves and switches)
• Many Programmable Logic Controllers (PLC) (watching the system and making routine decisions)
• A few Human-Machine Interfaces (HMI) (computer screens and buttons for people): HMI software, HMI devices, and “lightboards”

Modern enterprise SCADA
• Business or corporate network: facility front office, regional office, corporate headquarters
• “Support services”: engineers and vendors with dial-in or Internet access; executives, salespeople, travelers
• Operations or SCADA network (“SCADAland”): Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU)
• Field devices: valves, switches, and sensors

SCADA systems today: Two worlds
• The corporate world: facility front office, regional office, corporate headquarters
• The SCADA world: Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), and the valves, switches, and sensors

Part 2: How to attack SCADA systems

What you will need: Access + Expertise
• Access: the capability to issue commands to the SCADA system
▫ Hack into the system
▫ Recruit an insider
▫ Steal an insider’s credentials
▫ Place a software tool
▫ Place modified equipment
• Expertise: proficiency with the SCADA system to produce an effect
▫ Survey the system
▫ Select an effect you can produce
▫ Experiment and practice
▫ Defeat countermeasures
▫ Stay hidden?

Access: Technical targets
• Corporate network (facility front office, regional office, corporate headquarters, support services, remote access modems, remote users)
▫ Microsoft Windows
▫ Internet protocol
▫ Email and HTTP
▫ Passwords, encryption
▫ Element-level security
• SCADAland (Human-Machine Interface (HMI), Programmable Logic Controllers (PLC), Remote Terminal Units (RTU), valves, switches, and sensors)
▫ Analog and digital signals
▫ Wired and wireless transport
▫ Proprietary protocols
▫ Clear-text communications
▫ Serial interfaces
▫ Perimeter security

A question of priorities
• Information security: Confidentiality, Integrity, Authenticity. Worst case scenario: data loss, security breach.
• SCADA: Integrity, Availability, Resilience, …, Authenticity, Confidentiality. Worst case scenario: Loss of View, Loss of Control.

Access: Human targets
• People who built it: designers & suppliers (planning engineers, process engineers, SCADA engineers, construction company, supply chain vendors, SCADA system vendor)
• People who own it: the owners (executives, investors, administrators, managers, IT security)
• People who run it: the operators (managers, engineers, maintenance, security)

Access in review
• SCADA systems rely on perimeter security.
▫ SCADA systems and equipment do not follow “standard” security conventions.
▫ Most (anecdotally, all) SCADA systems have some communications channel to the outside world.
• SCADA systems are surrounded by people.
▫ Owners: At the corporate level
▫ Operators: Hands-on access
▫ Designers: Schematics and equipment lists
▫ Don’t forget the SCADA system vendors, supply chain, maintenance, security…

Expertise
[Chart: damage versus clandestinity]
The more damage you do, the more likely you’ll get caught.
• Clandestine end of the curve: nation-state actors, crafty insiders, and other people who don’t want to get caught
• In between: terrorists
• Damaging end of the curve: hackers, amateurs, and other people who don’t think they will get caught

Expertise: Selecting a process
Objective: Shut off power to this city

Expertise: Achieving your objective
• The process: What you’re going to do
• The SCADA system: How you’re going to do it
• The environment: When you’re going to do it

Expertise: Managing human factors
• Every place has a culture.
▫ Culture derives from and determines human behavior
▫ Small problems versus Big Problems: be a small problem!
• People can help or hinder your attack.
▫ Understand the culture at your target facility
▫ Will “blame the human” work?
• Culture is hard to read from a distance.
▫ Find and recruit an insider… there are many!

Expertise in summary
• The more damage you do, the more likely you will be caught.
▫ Many human and technical factors work against you
• Controlling SCADA requires a lot of information about your target.
▫ What to do: The processes you need to affect
▫ How to do it: The commands you need to issue
▫ When to do it: The external factors outside your control
• People can defeat your SCADA attack… or help you.
▫ Insider knowledge is critical to managing human factors


Remember…

Access makes the attack possible

Expertise makes the attack successful

What’s out there
An overview of known cyber incidents involving critical infrastructure control systems

Who is targeting SCADA?
[Matrix of intent, goal, evidence and actor, filled in over the following slides]
• Intent: To case a target / To take control / To get information
• Goal: For destructive attack / To demonstrate capabilities / For economic advantage
• Evidence: (none yet)
• Actor: (none yet)

Stuxnet
• Trojan active since 2008, discovered “in the wild” in June 2010
▫ “Escaped” from its intended target in 2009
• Very effective Microsoft Windows-based “missile” carrying a highly targeted SCADA “warhead”

Missile (delivery system):
• Rides a USB drive, CD, or DVD…
• Lands on a PC network (Windows PCs) and spreads…
• Looks for HMI software, PLCs, and device codes (Siemens SCADA software)…
Warhead (produces SCADA effect):
• Is carried onto the Siemens PLC (Siemens SCADA equipment)…
• Issues commands to the motor speed controllers…
• … and modifies the rate of spin of the centrifuge cascades.

Stuxnet in the structure
• Enters at a Windows PC running HMI software (Human-Machine Interface): Loss of View and Loss of Control
• Modifies programming on the PLC (Programmable Logic Controllers)
• PLC directs RTUs (Remote Terminal Units) to direct controllers to change the speed of the centrifuge motors (centrifuge processes)

Stuxnet’s effects on centrifuge spin
[Chart: drive speed in Hz (0–1600) over time, from initial infection through the repeating stress cycle]
• Normal: observation of normal range (807-1210 Hz). Phase I, ~12.8 days
• Stress: reset to higher than normal speed (1410 Hz). Phase II, ~27 days
• Catastrophic crash from 1410 to 2 to 1064 Hz. Phase III, 15 or 50 minutes
• New normal: reset to new normal (1064 Hz). Phase IV, ~27 days
• Stress: reset to higher than normal speed (1410 Hz). Phase II again, ~27 days

Quick note for Stuxnet fans: This is 315 code, not 417 code.


The Stuxnet operation
[Chart: cascades at Natanz, 2007-2012 (0–60), Feb-07 to Feb-12. Capacity: total number of cascades in place. Success: cascades up and running.]
• 2007, preparation: decision to target, access development, technical survey, tool development (survey tool: Flame?)
• 2008: Stuxnet Version 1.0
• 2009 – mid 2010: Stuxnet Version 2.0
• Mid-2009: escape of code to wild
• June 2010: public discovery of Stuxnet
• Post-Stuxnet

Who is targeting SCADA?
• Intent: To case a target / To take control / To get information
• Goal: For destructive attack / To demonstrate capabilities / For economic advantage
• Evidence: Stuxnet, Flame
• Actor: Nation-state actors

South Houston
• November 2011: Springfield, Illinois announces destruction of a water utility pump by Russian hackers
• Subsequently proved to be mundane pump failure
▫ FBI and DHS investigated: “Russian hack” was remote access by SCADA engineer on vacation
• Lesson learned: Examining cyber logs without understanding SCADA culture leads to mistaken assumptions
• But this is not our story!

“Second water utility reportedly hit by hack attack”
• 18 November 2011: Hacker “pr0f” posts a message to pastebin.com
▫ Offended by FBI and DHS downplaying the Springfield “hack”
▫ Sought to highlight the vulnerabilities of control systems


South Houston: Yep, he got in

pr0f: Conscientious hacker?
• Opportunistic target
▫ No grudge against South Houston
▫ Likely used Shodan search tool to look for connected and responsive devices
▫ South Houston had no real security set up
• This is an expression of human culture!
• “No damage was done”?

Shodan: “Google for hackers”

Who is targeting SCADA?
• Intent: To case a target / To take control / To get information
• Goal: For destructive attack / To demonstrate capabilities / For economic advantage
• Evidence: Stuxnet, Flame, South Houston
• Actor: Nation-state actors, Hackers

Brazil power outages
• “Hacker extortionists” behind multiple power outages in Brazil
▫ January 2005: North of Rio de Janeiro, “tens of thousands of people”
▫ September 2007: Espirito Santo, 3 million people
• Brazil continues to deny hacking
▫ “Our systems are not connected to the Internet”
▫ Blamed 2007 outage on weather and “sooty insulators”
• If true…
▫ Hackers followed through on threats and disrupted the power grid. Were outages demonstrations or escalations?
▫ Were insiders involved?

Who is targeting SCADA?
• Intent: To case a target / To take control / To get information
• Goal: For destructive attack / To demonstrate capabilities / For economic advantage
• Evidence: Stuxnet, Flame, South Houston, Brazil
• Actor: Nation-state actors, Hackers, Criminals

China and global oil & gas companies
• China is conducting a series of espionage operations to collect information from U.S. and foreign energy companies.
▫ Short-term: Advantage in energy deals
▫ Long-term: Less energy dependence
• Two recent well-known cyber attacks against energy industry targets demonstrate this.
▫ Shady RAT (2006-2010)
▫ Night Dragon (2009-2011)

Shady RAT
• Who they targeted: From 2006 to 2011, 70 global entities including a U.S. natural gas wholesaler from February to December 2009.
• What they stole: “… A historically unprecedented transfer of wealth—[including] negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, supervisory control and data acquisition (SCADA) configurations, design schematics, and much more …”
• How they stole it: “A spear-phishing email … a download of the implant malware… backdoor communication channel … live intruders jumping on to the infected machine … targeting for quick exfiltration the key data they came for.”
– Dmitri Alperovitch, McAfee

Night Dragon
• Who they targeted: From November 2009 to early 2011, “attackers using several locations in China … [waged] attacks against global oil, gas, and petrochemical companies, as well as individuals and executives in Kazakhstan, Taiwan, Greece, and the United States to acquire proprietary and highly confidential information.”
• What they stole: “Files of interest focused on operational oil and gas field production systems and financial documents related to field exploration and bidding…”
• How they stole it: “… social engineering, spear-phishing attacks, exploitation of Microsoft Windows operating systems vulnerabilities, Microsoft Active Directory compromises, and the use of remote administration tools (RATs) … In certain cases, the attackers collected data from SCADA systems.”
– McAfee

China’s foreign oil/gas deals and cyber attacks
[Timeline chart, 2008-2013: China’s foreign oil and gas deals plotted against the periods of Shady RAT (U.S. natural gas wholesaler) and Night Dragon (Kazakhstan, Taiwan, Greece, U.S.)]
Deals shown on the timeline: framework for LNG deal with Russia; LNG deal with Uzbekistan; two LNG deals with Australia; LNG deal with France; finalization of South Pars Phase 11 with Iran; three LNG deals with QatarGas; LNG deal with Shell; LNG deal with Exxon; shale gas deal with Chesapeake Energy in Texas; aggressive bidding on multiple Iraqi oil fields at auction; purchase of major stake in a second Kazakh oil company; China-Taiwan trade deal for petrochemicals; purchase of Rumaila oil field, Iraq, at auction; McKay River and Dover oil sands deal with Athabasca, Canada; development of Iran’s Masjed Soleyman oil field; oil development deal with Afghanistan; purchase of major stake in Kazakh oil company.

Who is targeting SCADA?
• Intent: To case a target / To take control / To get information
• Goal: For destructive attack / To demonstrate capabilities / For economic advantage
• Evidence: Stuxnet, Flame, South Houston, Brazil, China’s cyber theft
• Actor: Nation-state actors, Hackers, Criminals, China (economic espionage)

What’s the scariest thing on here?
• Intent: To case a target / To take control / To get information
• Goal: For destructive attack / To demonstrate capabilities / For economic advantage
• Evidence: Stuxnet, Flame, South Houston, Brazil, China’s cyber theft
• Actor: Nation-state actors, Hackers, Criminals, China (economic espionage)

Who is/could be casing SCADA systems?
• Everyone.
▫ Terrorists: Al Qa’ida
▫ Competitors: Economic espionage
▫ Hackers: For the lulz
▫ Criminals: For profit
▫ Nation-state actors: For covert action
▫ China: For economic espionage
• SCADA casing is…
▫ Difficult to detect
▫ Difficult to prevent
▫ Difficult to characterize: “dual use”; illegal?; precursor to SCADA attack?
▫ Impossible to quantify: relies on victim to report it

Key indicators
• What’s the target?
▫ Corporate entity: The target, or a means to an end?
▫ SCADA vendor: Look at the customers
▫ Facility: One place, or the whole sector?
▫ Opportunistic exploration: Because it was there
• Who’s the attacker?
▫ Not just where it came from, but what they did: Did the cyber activity penetrate SCADAland? What data did the attacker exfiltrate? How well does the attacker know the target?
• How far along are things?
▫ Early stages. Access: Target research and selection
▫ Later stages. Expertise: Drilling down to data to shape the attack. What other information sources have been hit?

In conclusion
• SCADA vulnerability is a consequence of its priorities.
▫ Integrity, availability, and resilience
• For effective attack, you need access and expertise.
▫ Technology targets and human targets
• Lots of cyber activity appears to touch SCADA…
▫ Stuxnet
▫ Hackers and criminals
▫ Economic espionage
• … But it’s hard to determine precursors to SCADA attack.
▫ Control access and monitor expertise sources
▫ Look for indicators of serious capability and intent

Thank you!
Betsy [email protected]

The entirety of this presentation is © 2012 by IntelligenceArts, LLC. The information and insights herein are solely those of IntelligenceArts, LLC and do not derive from or represent the U.S. Government.

Backup slides

Index to backup slides
• More on Stuxnet
• Duqu and Stuxnet
• What’s next?
• Why culture matters

Stuxnet facts
• What it is
▫ A worm/trojan detected “in the wild” in June 2010
• What it targeted
▫ Windows PCs running Siemens WinCC and Step7 SCADA software: WinCC is a Windows-based HMI; Step7 (S7) runs on the PC to configure Siemens PLCs
▫ Siemens PLCs that control two specific high-frequency converter drives: Vacon (Finland) and Fararo Paya (Iran)
• How it spread
▫ Propagates by USB thumb drive, LAN, and other close-range techniques
▫ Four zero-day exploits for propagation between Windows machines
• What it did
▫ Late September 2010: 100,000 infected PC hosts worldwide, 60% in Iran

Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011

Stuxnet’s purpose
• Stuxnet was a destructive clandestine attack on the uranium enrichment centrifuge cascades at Natanz, Iran.
• Stuxnet looks for Siemens PLCs controlling an array of 31 Vacon or Fararo Paya converter drives
▫ Must operate between 807-1210 Hz for ~13 days
• It then modifies the frequency output from the drives in a repeating cycle
▫ Normal → 1410 Hz → 2 Hz → 1064 Hz
▫ Resets timer for next round
• And it hides the drive speed changes from the HMI

[Diagram: uranium gas (UF6) centrifuge. The frequency converter drive controls the speed of the motor that spins the centrifuge rotor.]
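As an added example that is not part of the presentation: a small independent drive-speed monitor showing how a defender would catch the two things described above, the drive running outside the 807-1210 Hz band and the HMI showing values that disagree with an out-of-band measurement. The operating band and the 1410 → 2 → 1064 Hz sequence come from the slides; the mismatch tolerance, the step threshold, the tachometer channel and the sample readings are assumptions.

```python
"""Added example (not from the presentation): an independent drive-speed
plausibility monitor, the automated form of the Iranians' "people in the plant
radioing back what they saw". Stuxnet pushed the converter drives outside
their 807-1210 Hz operating band while replaying normal-looking values to the
HMI, so a monitor fed by a channel the HMI software never touches (assumed
here: a tachometer on the motor) can flag both the out-of-band speed and the
HMI/sensor disagreement. Thresholds and readings below are constructed."""

from dataclasses import dataclass
from typing import List, Optional

NORMAL_LOW_HZ = 807.0    # operating band quoted on the slides
NORMAL_HIGH_HZ = 1210.0
MISMATCH_HZ = 25.0       # assumed tolerance between HMI value and independent sensor
MAX_STEP_HZ = 200.0      # assumed largest credible change between two samples


@dataclass
class Sample:
    t_min: int        # minutes since monitoring started (constructed)
    hmi_hz: float     # speed the HMI displays (can be spoofed by the PLC code)
    sensor_hz: float  # independent measurement the HMI path cannot alter


@dataclass
class Alert:
    t_min: int
    kind: str
    detail: str


def check_sample(prev: Optional[Sample], cur: Sample) -> List[Alert]:
    """Return every alert raised by one sample, compared with the previous one."""
    alerts: List[Alert] = []
    # 1. Physical plausibility: is the drive outside the observed normal band?
    if not NORMAL_LOW_HZ <= cur.sensor_hz <= NORMAL_HIGH_HZ:
        alerts.append(Alert(cur.t_min, "out_of_band",
                            f"sensor {cur.sensor_hz:.0f} Hz outside "
                            f"{NORMAL_LOW_HZ:.0f}-{NORMAL_HIGH_HZ:.0f} Hz"))
    # 2. Loss of View: does the HMI disagree with the independent sensor?
    if abs(cur.hmi_hz - cur.sensor_hz) > MISMATCH_HZ:
        alerts.append(Alert(cur.t_min, "hmi_mismatch",
                            f"HMI shows {cur.hmi_hz:.0f} Hz, sensor reads "
                            f"{cur.sensor_hz:.0f} Hz"))
    # 3. Rate of change: a real process does not jump 1410 -> 2 Hz between samples
    if prev is not None and abs(cur.sensor_hz - prev.sensor_hz) > MAX_STEP_HZ:
        alerts.append(Alert(cur.t_min, "abrupt_change",
                            f"sensor jumped {prev.sensor_hz:.0f} -> "
                            f"{cur.sensor_hz:.0f} Hz"))
    return alerts


def monitor(samples: List[Sample]) -> List[Alert]:
    """Run check_sample over a time-ordered trace and collect all alerts."""
    alerts: List[Alert] = []
    prev: Optional[Sample] = None
    for cur in samples:
        alerts.extend(check_sample(prev, cur))
        prev = cur
    return alerts


def kinds_at(alerts: List[Alert], t_min: int) -> List[str]:
    """Sorted alert kinds raised at one sample time (handy for inspection)."""
    return sorted(a.kind for a in alerts if a.t_min == t_min)


# Constructed trace that follows the slides' normal -> 1410 -> 2 -> 1064 Hz cycle,
# with the HMI frozen at the last normal value the whole time.
SAMPLES = [
    Sample(0, 1064, 1066),    # normal operation, HMI and sensor agree
    Sample(10, 1064, 1063),
    Sample(20, 1064, 1410),   # drive pushed to 1410 Hz, HMI still shows 1064
    Sample(30, 1064, 1410),
    Sample(45, 1064, 2),      # crash to 2 Hz, HMI unchanged
    Sample(60, 1064, 1064),   # "new normal" at 1064 Hz, HMI and sensor agree again
]

if __name__ == "__main__":
    for a in monitor(SAMPLES):
        print(f"t={a.t_min:3d} min  {a.kind:13s} {a.detail}")
```

Note that the last sample raises only an abrupt-change alert: once the drive settles at 1064 Hz the HMI is truthful again and the speed is inside the band, so the rate-of-change check is what preserves the evidence.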

Stuxnet’s code
Missile (delivery system):
• Lands on PC: thumb drive; LAN
• Establish: check OS version; get admin privileges; digital certificates; decrypt and load files; phone home and send profile
• Spread: .INF or .LNK; network shares; print spooler vulnerability; WinCC DB and project files; peer-to-peer update
Warhead (produces effect):
• Infect: look for WinCC and S7 software; look for specific PLCs by ID code; modify S7 code on PC; inject code onto PLCs
• Implement: monitor drive output values; initiate timed sequences; intercept 16 of 109 routines; issue spoofed data to HMI

Phase I: Planning
• 2006-2007: Planning and tool development
▫ Study of Iran’s centrifuges, based on P-1 and P-2 Pakistani design
▫ Data collection on SCADA system inside Natanz: was this Flame?
[Chart: cascades at Natanz, Feb-07 to Aug-07 (0–60)]
In 2006, Iran set up, tested, and began operating its first UF6 cascade of 164 linked centrifuges.
By November 2007, Iran had assembled and was operating its first “unit” of 18 linked cascades with a total of 2,952 working centrifuges.

Phase II: Covert attack
• 2008: First attacks
▫ Tool placed in the Natanz control network
▫ Moderate success but “no wholesale destruction”
“The Iranians had grown so distrustful of their own instruments that they had assigned people to sit in the plant and radio back what they saw.”
[Chart: cascades at Natanz, Feb-07 to Aug-08 (0–60)]
Iran quickly began assembling additional cascades based on the first successful unit.
However, the second unit was not operating at full capacity. By late 2008, only 24 of the 36 total cascades were operating.

Phase III: Success and escape
• 2008 – mid 2010: Repeated operations
▫ Additional versions inserted into Natanz; improvements to propagation mechanism
• Mid to late 2009: Critical period
▫ Significant disruption of Iran’s program
▫ Emergence of first virus samples in the wild
[Chart: cascades at Natanz, Feb-07 to Aug-10 (0–60)]
Iran built a third unit, for a total of 54 cascades.
But the number of working cascades remained stalled at 20-30.

Phase III: Success…
[Chart: cascade status by unit (A24, A26, A28) in August 2009, November-December 2009, and August 2010; categories: operating with UF6; under vacuum, but not operating; idle, not under vacuum; centrifuges disconnected; 0–20 cascades per unit]
Annotations on the chart: pilot unit, no major problems; serious problems starting late 2009; can’t bring these new cascades into service.

Phase III: Escape?
• Symantec found versions in the wild dating back to three “waves”
▫ June 2009
▫ March 2010
▫ April 2010
• Initially thought to be insertions into Natanz
• Now look like evidence of escape from Natanz
[Diagram: spread of the samples across infected domains A through E. Credit to Symantec, W32.Stuxnet Dossier, February 2011]

Phase IV: Discovery and aftermath
• Mid-2010: Public discovery
▫ June: Stuxnet found by VirusBlokada
▫ July: Stuxnet characterized as SCADA attack; intensive public forensics begin
▫ August: AEOI meets to discuss ramifications
▫ September: Symantec counts 100,000 global infections
▫ November: Iran begins to admit infection at Natanz
[Chart: cascades at Natanz, Feb-07 to Feb-12 (0–60), with the discovery marked]

How did Stuxnet get out of control?
• “An error in the code… had led [Stuxnet] to spread to an engineer’s computer when it was hooked up to the centrifuges … We think there was a modification done by the Israelis and we don’t know if we were part of that activity.”
• Symantec’s data seems to indicate two versions in the wild by mid-2009
▫ Error persisted across multiple versions of the virus
• September 2010: 100,000 infections worldwide
▫ Counted by samples and callbacks to the same C&C servers
[Chart: cascades at Natanz, Feb-07 to Feb-12 (0–60), marked with the covert period, Escape 1, Escapes 2 & 3, and the 100,000-infection data point]

Did the Iranians know?
• At least two years of suffering in silence
• Post-Stuxnet
▫ Barrage of press about Iranian cyber expertise
▫ Arrests of “nuclear spies,” October 2010
▫ Stars virus, April 2011
▫ DigiNotar compromise, September 2011
• What was going on?
[Chart: cascades at Natanz, Feb-07 to Feb-12 (0–60)]

Stuxnet’s sources for information
Cyber targeting:
• International Atomic Energy Agency (IAEA): no access to detailed information
• Computers at Natanz: no inbound Internet access
• Natanz engineers: low likelihood of chatter
• Passive methods: high security
Human targeting:
• SCADA system vendor: Siemens
• People who own it: Atomic Energy Organization of Iran (AEOI)
• People who run it: most direct, highly protected
• People who built it: less direct, less protected
Humans certainly provided physical access to Natanz, and likely provided information as well.

Unintended consequences
• Stuxnet
• Duqu
• Flame
• What will they find next? Gauss?

Unanswered question #1
• Why did Stuxnet evolve?
▫ Wave 1 (June 2009): AUTORUN.INF exploit requires human enablement; encrypted payload
▫ Waves 2 and 3 (Mar – May 2010): .LNK exploit needs no human enablement; signed, legitimate digital certificates
• Nov – Dec 2009: Iran starts dismantling centrifuges
• Could it be that… Wave 1 code had been found and removed? The Iranians were tightening network security? The attackers didn’t know whether Wave 1 was working?

Unanswered question #2
• Did Stuxnet contain unused code?
▫ Sequences A (Vacon) and B (Fararo Paya), aka the 315 code, appeared operational
▫ To Symantec, Sequence C (the 417 code) was not functional: more sophisticated randomized effects = more clandestine; inactive due to missing piece of code; not copied onto PLC; possibly unfinished
▫ No agreement between experts that 417 was not operational
• But… Why launch with unnecessary code? Where would the missing activation code come from? Are there other variants out there that haven’t been found?
• Stuxnet’s fatal flaw?

Summary
• Stuxnet relied on humans and technology.
▫ Hard targets can be penetrated by a combination of technical and human targeting.
▫ Strengthening SCADA perimeter security against cyber intrusion won’t necessarily protect a high-value facility.
• The Iranians unwittingly helped Stuxnet.
▫ Humans will defy common sense according to cultural factors.
• “Cyber covert action” is becoming an oxymoron.
▫ Partnering multiplies risk.
▫ The global hunt is on.

Duqu
• Timeline: Active since 2007
▫ Discovered September 2011 by CrySyS (Budapest University of Technology and Economics)
• Targets: Variety
▫ Variety of corporate targets in Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands
• Tactics: Trojan Infostealer
• Perpetrator: Unknown
▫ Driver files similar or identical to Stuxnet: same missile, different warhead
• Effects
▫ Capable of stealing information about control systems, but no code to command a control system
▫ No consensus about purpose or targets
• Is this a SCADA attack?

Duqu, “Son of Stuxnet”
• What it is
▫ A trojan announced by Symantec on 20 October 2011
• What it targets
▫ Microsoft Windows
• How it spreads
▫ Zero-day exploit in Microsoft Word documents
• What it does
▫ System profiler and info-stealer; exfiltrates data to C&C servers
▫ Unspecified companies in France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, Vietnam, UK, Austria, Hungary, Indonesia…
• Who did it
▫ No attribution to date
• Why “Son of Stuxnet”?
▫ Methodology and portions of code identical to Stuxnet
▫ Effects and purpose appear different

Forensic data and credited diagrams taken from Symantec’s W32.Stuxnet Dossier, February 2011

Stuxnet and Duqu, side by side
• Earliest apparent creation date of virus: Stuxnet, June 2009; Duqu, 2007
• Operational period: Stuxnet, June 2009 – July 2010; Duqu, December 2010 through 17 October 2011, re-emergence in February 2012
• Variants: Stuxnet, four; Duqu, seven
• Propagation: Stuxnet, four zero-day exploits, LAN/thumb drive/etc., self-propagation; Duqu, one zero-day (so far), no self-propagation
• Payload: Stuxnet, code for Siemens WinCC and PLCs, written in Microsoft Visual C++; Duqu, infostealer and backdoor, written in a custom “Object Oriented C dialect”
• Command and control: Stuxnet, Malaysia and Denmark, no activity observed; Duqu, India and Belgium, active, executable code transmitted via .JPGs and encrypted data
• Time limits: Stuxnet, 3 offspring per infection, drop-dead in June 2012; Duqu, 8-day window, 36 days per infection, can be extended via downloaded files
• Digital certificates: Stuxnet, JMicron and Realtek in Hsinchu City, Taiwan; Duqu, C-Media Electronics in Taipei, Taiwan
• Intended targets: Stuxnet, Natanz uranium enrichment facility; Duqu, unknown

Duqu versus Stuxnet
How they are the same:
• Identical functionality in Duqu’s netp191.dll and Stuxnet’s oem7a.dll
• Duqu’s Jminet7.sys/smi4432.sys drivers are “binary match to” Stuxnet’s mrxcls.sys
• Identical code in Duqu’s .zdata and Stuxnet’s .xdata
• Same processes hooked in ntdll.dll
• Same use of hashes/checksums to look up functions
• “Magic keys” such as “AE” in both
• Same startup processes and RPC logic
• Signed and unsigned versions of drivers
• Signed versions use certificate from a Taiwanese firm
• Multiple variants over time
How Duqu is different:
• Exfiltrates data
• Not targeting control systems
• Infection vehicle is MS Word document (so far)
• “Object Oriented C dialect” programming language
• Controlled propagation
• Active use of C&C to pass code
• Relies on Internet for spread
• First samples compiled circa 2007
• Active as of March 2012
Same missile (spread, signed digital certificates); different warhead.

Duqu’s code
• Lands on PC: Microsoft Word vulnerability; Server Message Block (SMB)
• Establish: check OS version; get admin privileges; decrypt and load files; Resource 302 loads .zdata
• Infect: Method 1: template .exe; Method 2: CreateProcessAsUser; Method 3: use existing process
• Implement: contact C&C; receive AES-encrypted data; install infostealer?; 8-day window in August 2011

Duqu: The reality
• No code to target control systems
▫ Sets up backdoor access via Internet C&C
• No evidence of targeting of industrial control system companies
• Most likely…
▫ Reuse of “missile” by Stuxnet’s creators?
▫ Repurposing of Stuxnet missile against other targets?

We are Post-Stuxnet.
• The Iranian nuke program is stronger than ever.
▫ Productivity improved
▫ Technical hardening
▫ Cultural hardening
• U.S. critical infrastructure is slowly getting more secure.
▫ Efforts to set up security standards
▫ Focus on strengthening inherent SCADA qualities, not introducing new protocols: perimeter security; defense-in-depth

We know we have problems.
Share of vulnerabilities by level:
• Level 4: Enterprise systems (facility front office, regional office, corporate headquarters): 11%
• Level 3: Operations management: 16%
• Level 2: Supervisory control (Human-Machine Interface): 53%
• Level 1: Local or basic control (Programmable Logic Controllers, Remote Terminal Units): 20%
• Level 0: Process equipment (valves, switches, and sensors): 0%
Source: DHS Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011.

Cybersecurity: Forcing change
• Vulnerability disclosures
▫ “Amateurs” describing hundreds of flaws/quirks in hardware and software
• Community activism
▫ Digital Bond’s “Project Basecamp”: release of Metasploit modules for exploitation of several major control system types
• Ralph Langner’s insight: Design flaws versus vulnerabilities

Cybersecurity: The scary stuff
• Looking for “Son of Stuxnet”
▫ Command and control of SCADA
▫ Penetration of SCADA without command and control
▫ Attempts to penetrate SCADA
▫ Exfiltration of data from within SCADA
▫ Theft of SCADA data from operator’s corporate network
▫ Theft of proprietary non-SCADA data from operators
▫ Theft of proprietary non-SCADA customer data from vendors
▫ Theft of proprietary SCADA product data from vendors
▫ Run-of-the-mill pings against all of the above

Looking for Son of Stuxnet
[Chart: severity (vertical) against malign intent (horizontal), with bands for exploration, targeting and operation; the SCADAland items sit at the top]
Ordered from most to least severe:
• Command and control of SCADA
• Penetration of SCADA without command and control
• Attempts to penetrate SCADA
• Exfiltration of data from within SCADA
• Theft of SCADA data from operator’s corporate network
• Theft of proprietary non-SCADA data from operator
• Theft of proprietary non-SCADA customer data from vendor
• Theft of proprietary SCADA product data from vendor
• Run-of-the-mill pings against corporate networks

Here’s what Ralph Langner thinks

Ralph says… (interviewed by the Christian Science Monitor, 24 September 2011)
• “‘Son of Stuxnet’ is a misnomer. What’s really worrying are the concepts that Stuxnet gives hackers… Before, a Stuxnet-type attack could have been created by maybe five people. Now it’s more like 500 who could do this.”
• Missile/warhead structure
• Code is available to the public
▫ Extensive public forensics by respected IT firms
• Methodology is on display
• “What you still hear today from all kinds of people is how a Stuxnet-type attack requires so much insider knowledge. I finally had to publish a [simple and damaging] attack just to make sure no smart-guy tells his boss that this is impossible.”
• “You just have to know how to copy parts of [Stuxnet]. After that, you just need a little more knowledge to make a simple but effective digital dirty bomb.”

My take on it is…
• “A little more knowledge”? Access + Expertise
• Sustained clandestine attack requires significant expertise
• Brute attack does not, but how effective would it be? Terrorists and criminals may not need a predictable outcome to be successful

Things to think about
• What is a SCADA attack?
▫ Is it the target?
▫ Is it the intention?
• Was Stuxnet a successful operation?
▫ How do you define success?
• What will Son of Stuxnet be?
▫ How will this operation be used against us?

Why human culture matters
[Chart: detection over time under low, “normal,” and high security cultures]
• Low security culture: more opportunity to do damage before you are detected
• High security culture: quicker detection means you can’t stay below the radar for long