
Energy | Environment | National Security | Health | Critical Infrastructure

July 2011

Stories from the Trenches: Securing Industrial Control Systems with Application Whitelisting and Change Detection

Gib Sorebo, SAIC, Vice President/Chief Cybersecurity Technologist

©SAIC. All rights reserved.

SAIC.com

Overview

• The Challenges Unique to Critical Infrastructure
• Need for Detecting and Controlling Change
• Application Whitelisting
• Change Detection


The Challenges Unique to Critical Infrastructure

Topic: Protection from malicious software
  Information Technology: Anti-virus tools, firewalls, intrusion detection system (IDS)
  Control Systems: Physical segregation, firewalls, and very limited number of software packages

Topic: Support technology lifetime
  Information Technology: Three to five years
  Control Systems: Up to 20 years

Topic: Outsourcing
  Information Technology: Common and widely used
  Control Systems: Rarely used

Topic: Hardware/software maintenance
  Information Technology: Regular and scheduled software patches
  Control Systems: Scheduled hardware maintenance but limited software maintenance

Topic: Change management
  Information Technology: Varies by organization
  Control Systems: Well-defined procedures for process control system components; more limited for software changes on supervisory control and data acquisition (SCADA) workstations and servers

Topic: Time-critical content
  Information Technology: Generally delays accepted
  Control Systems: Critical because of safety

Topic: Availability
  Information Technology: Generally delays accepted
  Control Systems: 24/7/365 forever

Topic: Security awareness
  Information Technology: Good in private and public sector
  Control Systems: Poor except for physical

Topic: Security testing and audit
  Information Technology: Scheduled and mandated
  Control Systems: Occasional testing for outages

Topic: Physical security
  Information Technology: Secure in primary data centers
  Control Systems: Remote and unmanned at field operations; secure at control center


The Need for Detecting and Controlling Change

• Control systems often highly sensitive to small changes
• Real-time nature means that any latency could have a dramatic effect on operations
• Many process control networks not designed around connected computer networks (often assume serial connections)
• May leverage public networks that are more vulnerable to infiltration or bandwidth limitations
• Regulatory and business processes dictate strict change management
• NERC CIP auditors routinely ask for justification for all changes to firewall rules or network port access
• Critical infrastructure businesses are designed around following consistent processes that need authorization for changes
• In production operations, predictability is essential to maintaining efficiency and reliability (can’t just reboot a server because a process is misbehaving)

NERC CIP = North American Electric Reliability Corporation Critical Infrastructure Protection


The Data Is Also Important

• Integrity of information is critical
• Using complex algorithms, renewable resources such as solar and wind can be dispatchable
• Tampering with or errors in algorithms can lead to power outages when an expected power resource is not available
• Protection of the software supply chain will be critical


Resources Are Limited

• Any solution must leverage automation
• Insufficient people or expertise available to manually compare checksums or sort out false positives from alerts
• Need solutions that can baseline operations across multiple devices and quickly identify anomalies and unauthorized changes
• Equally important, systems must be able to limit the kinds of processes that are allowed to run and what those processes can do


Introduction to Application Whitelisting

• Limiting what applications can be used
  – Highly granular controls that restrict not only installation, but execution of software
  – Enforces more secure updating methods to protect against supply chain threats
  – Protects against many improper uses of application if sufficiently defined (for example, spawning shells)
  – Generally offer some in-memory protection
• Logging and alerting
  – Allows centralized management and alerting
  – Can be used to detect trends in attacks not detected by network and host intrusion detection tools
  – Allows administrators to learn of needs for application rights changes before users complain


Popular Application Whitelisting Products

• McAfee® Application Control
• Bit9® Parity® Suite
• Windows® AppLocker®
• CoreTrace Bouncer®
• Lumension® Application Control
• Faronics® Anti-Executable®
• Savant™ Protection

Trademarks attributed on last slide


Application Whitelisting Weaknesses and Challenges

• Frequent software updates (particularly of internally developed software) can make managing deployment problematic
  – Option in many whitelisting products to exclude certain directories
  – Need to make sure excluded directories are not targeted by hackers
  – Most whitelisting products can accept updates from approved sources (for example, those with digital signatures)
• Very heterogeneous environments, where users have a lot of discretion in what programs they install and how they use them, present difficulties
• Memory protection is often done “by proxy” because programs look slightly different when running in memory; whitelisting can often be complemented by host intrusion protection systems that identify known exploit techniques like spawning “cmd.exe”
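The rule evaluation the previous two slides describe (approval by hash or by an approved signing source, directory exclusions that are not verified, and a rule against document readers spawning shells), as an added Python model of a whitelisting policy. It is not code from the presentation or from any product listed; the paths, the publisher name "SCADA Vendor Co", the file contents and the rule order are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ExecRequest:
    path: str               # full path of the image being launched
    content: bytes          # its bytes (constructed stand-ins below)
    signer: Optional[str]   # publisher from an OS-verified signature, else None
    parent: str             # image name of the process asking to launch it

def sha256(data):
    return hashlib.sha256(data).hexdigest()

class WhitelistPolicy:
    """Hypothetical rule model: rules are checked in the order written in evaluate()."""
    def __init__(self, approved_hashes, trusted_signers, excluded_dirs, no_shell_parents):
        self.approved_hashes = set(approved_hashes)
        self.trusted_signers = set(trusted_signers)
        self.excluded_dirs = tuple(d.lower().rstrip("/") + "/" for d in excluded_dirs)
        self.no_shell_parents = {p.lower() for p in no_shell_parents}
        self.events = []  # central log: every decision, allowed or denied

    def evaluate(self, req):
        name = req.path.rsplit("/", 1)[-1].lower()
        if name in ("cmd.exe", "powershell.exe") and req.parent.lower() in self.no_shell_parents:
            return self._log(req, "DENY", "shell spawned from a document-handling parent")
        if sha256(req.content) in self.approved_hashes:
            return self._log(req, "ALLOW", "hash in whitelist")
        if req.signer in self.trusted_signers:
            return self._log(req, "ALLOW", "signed by an approved update source")
        if req.path.lower().startswith(self.excluded_dirs):
            # The weak spot the slide warns about: nothing under an excluded directory is verified.
            return self._log(req, "ALLOW", "excluded directory (unverified)")
        return self._log(req, "DENY", "not whitelisted")

    def _log(self, req, decision, reason):
        self.events.append((req.parent, req.path, decision, reason))
        return decision, reason

# Constructed sample policy for an HMI workstation.
HMI_BIN, CMD_BIN = b"hmi v2.1", b"cmd.exe stand-in"
policy = WhitelistPolicy(
    approved_hashes=[sha256(HMI_BIN), sha256(CMD_BIN)],
    trusted_signers=["SCADA Vendor Co"],
    excluded_dirs=["C:/SCADA/Scripts"],  # frequently changing operator scripts
    no_shell_parents=["acrobat.exe", "winword.exe"],
)
```

Every "excluded directory (unverified)" event in `policy.events` is a file that ran without any hash or signature check, which is exactly what the monitoring staff on the Lessons Learned slides should be reviewing.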


Application Whitelisting Vulnerabilities*

• Adobe® Acrobat® attacks
  – Testing showed ability to spawn cmd.exe, exploit JavaScript® and embed an exe
• Microsoft Office® documents (VBScript™ and macros)
• Windows Powershell®
  – DLL injection/shellcode injection
• Java® and JavaScript
  – Can spawn a meterpreter from applet
  – Firefox® and Chrome™ extensions
  – HTML5 JavaScript
• Microsoft Windows® Help files (could spawn cmd.exe)
• Man-in-the-middle network attacks (for example, ARP poisoning)

*Based on research and ShmooCon presentation by Curt Shaffer (Foreground Security) and Chris Cuevas (Secure Ideas).

DLL = Dynamic Link Library, ARP = Address Resolution Protocol

Trademarks attributed on last slide


The Value of Change Detection

• Need for more global understanding of change
  – Whitelisting tools focus largely on executables, with less attention to data and configuration files
  – Offers ability to report on change over time
  – Can be used to roll back to a known good state
  – Some offer option to detect acceptable and unacceptable changes based on baselining across multiple devices
• Product examples
  – Triumfant®
  – Tripwire®
  – Bit9® Parity™

Trademarks attributed on last slide
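The automated baselining that the Resources Are Limited slide calls for, and the change-over-time reporting and cross-device comparison this slide lists, as an added Python example that is not from the presentation or from any of the products named. The hosts, paths, file contents and the approved-change ticket are constructed samples; a real deployment would hash files read from each device.

```python
import hashlib
from collections import Counter

# Constructed sample: files seen on three SCADA workstations. Real tooling would
# read them from disk; they are embedded so the example runs offline.
FLEET = {
    "hmi-01": {"C:/SCADA/hmi.exe": b"hmi v2.1", "C:/SCADA/config.ini": b"poll=500\n"},
    "hmi-02": {"C:/SCADA/hmi.exe": b"hmi v2.1", "C:/SCADA/config.ini": b"poll=500\n"},
    "hmi-03": {"C:/SCADA/hmi.exe": b"hmi v2.1", "C:/SCADA/config.ini": b"poll=100\n",
               "C:/SCADA/update.exe": b"present on no other host"},
}
# Approved change tickets: (host, path) pairs an operator authorised in advance.
APPROVED = {("hmi-03", "C:/SCADA/config.ini")}

def snapshot(files):
    """Path -> SHA-256 digest for one host: the per-host baseline record."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def diff_snapshots(baseline, current):
    """Change over time on one host: added, removed and modified paths since baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def fleet_anomalies(snapshots):
    """Cross-device baseline: per path, the digest held by a strict majority of hosts
    is the consensus, and every host that deviates is reported as (path, host, kind)."""
    hosts = sorted(snapshots)
    paths = sorted({p for snap in snapshots.values() for p in snap})
    findings = []
    for path in paths:
        observed = {h: snapshots[h].get(path) for h in hosts}  # None = file absent
        consensus, count = Counter(observed.values()).most_common(1)[0]
        if count * 2 <= len(hosts):  # no majority: leave it to a human, do not guess
            findings.append((path, "*", "no majority baseline"))
            continue
        for host, digest in observed.items():
            if digest != consensus:
                kind = ("missing" if digest is None else
                        "unexpected file" if consensus is None else "content differs")
                findings.append((path, host, kind))
    return findings

def unauthorized(findings, approved):
    """Keep only findings not covered by an approved change ticket; these need an alert."""
    return [f for f in findings if (f[1], f[0]) not in approved]
```

With the sample data, the config change on hmi-03 is filtered out by its ticket and only the executable that exists on no other host is left to alert on.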


Value of Whitelisting and Change Detection for Critical Infrastructure

• Scale back on potentially disruptive anti-virus and vulnerability scans
• Have a centralized record of changes to demonstrate compliance with change management processes and to prevent/alert on unauthorized changes
• Limit frequency of patching and the need to reboot or take a production system offline
• Prevent future Stuxnet-like attacks by restricting changes to production software even when there is a vulnerability in the software


Lessons Learned

• Have a clear plan for how tools will be used
  – Oil/gas customer chose to target control system environment
  – Worked closely with system owners and operators to understand how the product would be used and possible impact (such as implications for scripts that change frequently)
• Test, test, and test some more
  – Just like access control, whitelisting can prevent programs from running correctly if not configured correctly
  – Some seldom-used functions could be blocked in production if not tested first


Lessons Learned (continued)

• Make sure you have the capability to monitor events
  – For both whitelisting and change management, it is critical that staff are tasked to routinely view events
  – One customer was using a whitelisting product for months before they discovered that one program on a particular host wasn’t starting because of whitelisting
  – Don’t wait for users to complain!
• Allocate lots of time for testing, deployment, and tweaking
  – Pick deployment windows that have plenty of slack
  – Use iterative deployment approaches that, at first, selectively deploy the products, with later deployments applying knowledge gained, because every organization is different


Conclusion

• There are inherent risks and vulnerabilities in control systems
• There are unique security challenges to overcome those vulnerabilities
• Application whitelisting and change control can effectively lock down and protect control systems
• When deployed correctly, application whitelisting and change detection can operate seamlessly in critical infrastructure with little administrative overhead or help desk support required


Questions?


Thank You.

Gib Sorebo

SAIC Vice President

Chief Cybersecurity Technologist

tel: 703-676-2605 | email: [email protected]


Trademarks


McAfee is a registered trademark of McAfee, Inc. in the U.S. and/or other countries.

Windows Powershell, VBScript, Microsoft Office, AppLocker, and Microsoft Windows are trademarks or

registered trademarks of Microsoft Corporation in the U.S. and/or other countries.

Triumfant is a registered trademark of Triumfant, Inc. in the U.S. and/or other countries.

Tripwire is a registered trademark of Tripwire, Inc. in the U.S. and/or other countries.

Bit9 and Parity are registered trademarks of Bit9, Inc. in the U.S. and/or other countries.

CoreTrace Bouncer is a registered trademark of CoreTrace Corporation in the U.S. and/or other countries.

Adobe and Acrobat are registered trademarks of Adobe Systems, Inc. in the U.S. and/or other countries.

Lumension is a registered trademark of Lumension Security, Inc. in the U.S. and/or other countries.

Java and JavaScript are registered trademarks of Oracle America, Inc. in the U.S. and/or other countries.

Faronics and Anti-Executable are registered trademarks of Faronics Corporation in the U.S. and/or other countries.

Chrome is a trademark of Google Inc. in the U.S. and/or other countries.

Savant is a trademark of Savant Protection in the U.S. and/or other countries.

Firefox is a registered trademark of the Mozilla Foundation in the U.S. and/or other countries.