Cyber Threat Evolution: With a focus on SCADA attacks
Anant Shivraj, May 9th 2011
Slide 2
Agenda
- Cyber Attacks: increasing sophistication of cyber attacks
- Private Sector as target of, and medium of, attacks
- Vulnerability of the Oil & Gas Industry to Cyber Attacks
- Profile of risks faced by SCADA systems in Oil & Gas
- Risk Mitigation Strategies and Effectiveness
- Recommendations
Slide 3
Cyberspace is more than the Internet
[Diagram: data, infrastructure network, system, communications network]
Cyberspace: "The interdependent network of information technology infrastructures, and includes telecommunications networks, the Internet, computer systems, and embedded processors and controllers in critical industries."
Source: National Security Presidential Directive 54, January 2008
Slide 4
Key takeaways from recent incidents
Changing Ends:
- To impact strategic capability and assets
- To impede business operations
- To target physical assets and mission critical information
Increasingly Sophisticated Means:
- Traversing multiple networks and infrastructures
- Precision targeting
- Multi-stage attacks to avoid attribution
Cyber attacks have evolved from operational events to strategic events, with the aim of disrupting a target's freedom in the real world, not just on the Internet.
Cyber attacks are employing new techniques such as spear phishing, rootkits for specialist devices and networks, and multi-stage phased attacks to accomplish these aims.
Slide 5
Stuxnet demonstrates a new level of cyber attack capability
- Stuxnet was a worm targeted at industrial control systems (ICS), discovered by July 2010. By then, it had infected upwards of 100K systems in Iran, Indonesia, India and other countries.
- Widely believed to have been developed with state support and targeted at Iran's Bushehr nuclear reactor.
Symantec W32.Stuxnet Dossier: "Stuxnet is a threat that was primarily written to target an industrial control system or set of similar systems. Its final goal is to reprogram industrial control systems (ICS) by modifying code on programmable logic controllers (PLCs) to make them work in a manner the attacker intended. In order to achieve this goal the creators amassed a vast array of components to increase their chances of success. This includes zero-day exploits, a Windows rootkit, the first ever PLC rootkit, antivirus evasion techniques, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface."
Source: Symantec W32.Stuxnet Dossier, November 2010
Slide 6
Understanding the Stuxnet attack mechanism
[Diagram: attack vector and target map; Industrial Control System environment (non-networked), Programmable Logic Controller (PLC), Field PG]
- Step 0. Check for OS and anti-virus specifications of host. If met, introduce itself as a digitally signed driver.
- Step 1. Connect to command server, propagate on corporate network and to removable drives. Jump to ICS environment through LAN / thumb drives.
- Step 2. Check if Siemens Step 7 is installed to manage PLC devices. Obtain root access and take control of Step 7.
- Step 3. Detect whether PLC uses the target communication protocol. If so, detect the manufacturer of frequency controller drives to determine type of attack.
- Step 4. Send malicious instructions to change the execution of various states, and to modify the instructions sent to frequency controllers to slow or speed them up. This will change the speed of the actual industrial devices.
Slide 7
Stuxnet demonstrates capability of cyber attacks to harm physical assets
Feature / Comments:
- Impact: Ability to attack and impair physical infrastructure (industrial data, industrial output, industrial operations in critical infrastructure). Stuxnet managed to delay the startup of Bushehr.
- Key Lesson: Persistent connection to grid / IP network is not essential to be a cyber target.
- Key Innovations: Precise target selection and anti-virus evasion. First PLC rootkit (allowing admin access to PLC functions). P2P self-update capabilities (a sleeper Stuxnet worm can auto-update to suddenly attack a host at a later date).
- Professional, Coordinated Development*: Projected six-month development cycle, 5-10 developers, QA and management. Theft of digital certificates, and the need to understand and construct a worm for Industrial Control Systems, suggests involvement of a multi-disciplinary team.
*Estimated by Symantec
Slide 8
Two key determinants of cyber attack pathways
Mission Statement: what the attacker wants to accomplish
- Depends on who the attacker is: cyber criminals looking for financial gains; non-state actors affiliated with a particular cause; state actors trying to accomplish strategic goals
Technical Capabilities: what capabilities are available to the attacker
- Resources and budget
- Experience
- Again, can depend on who the attacker is
Given that developing technical capabilities has become easier, the mission statement is the primary determinant of the attack pathway.
Slide 9
Mission statement key to which cyber attack pathway is used
[Chart: Mission Statement (Gain Strategic Advantage / Deny Operational Freedom) plotted against Target of cyber attack (Specific Asset Targeting / Infrastructure and Network Targeting), with each cell marked as primary or secondary target]
- Gain Strategic Advantage -> Specific Asset Targeting, e.g. data theft operations: quick asset identification; infrastructure should not be disrupted during the exfiltration process
- Deny Operational Freedom -> Infrastructure and Network Targeting, e.g. capacity degradation operations, disruption of communications
Slide 10
Seven phases of a cyber attack
1. Planning
2. Payload Introduction
3. Command and Control
4. Footprint Expansion
5. Target identification
6. Attack Event
7. Retreat and Removal
- Starting from the earliest documented worm (Internet worm, 1988), most cyber attacks have followed a subset of these seven steps.
- Most of the above sequence was followed by some of the most successful attacks: SQL Slammer (January 2003), which slowed global Internet traffic dramatically; Conficker (November 2008), which infected 15 million computers and continues to, in spite of industry efforts (and a $250K reward from Microsoft).
Slide 11
Visualizing attack pathways
[Chart: each of the seven phases is plotted on a spectrum between a strategic end (focus on target) and an operational end (focus on attack vector development)]
1. Planning: strategic, focus on target vs. operational, focus on attack vector development
2. Payload Introduction: Internet, physical and external vs. Internet malware
3. Command and Control: tight control, ability to operate APTs vs. fire and forget strategy
4. Footprint Expansion: targeted expansion vs. opportunistic expansion
5. Target identification: based on host functionality and value vs. based on existence of vulnerabilities
6. Attack Event: layered, custom built attack vector vs. standard IP-based attack vectors
7. Retreat and Removal: self-upgrade and stealth presence vs. weak deletion methods
Slide 12
Visualizing recent cyber incidents on attack pathways
[Chart: the attack-pathway spectrum of Slide 11 (seven phases, each between the strategic end, focus on target, and the operational end, focus on attack vector development), with Aurora, Stuxnet, GhostNet and Conficker plotted on it; highlighting indicates increasingly seen characteristics]
Slide 13
Agenda (repeated as section divider; see Slide 2)
Slide 14
Stuxnet used private sector capabilities and targets in its attack on a state entity
Targeted:
- Siemens Step 7 software compromised via rootkit
- Specifications for frequency controllers from Vacon (Finland) and Fararo Paya (Iran)
Exploited:
- Digital certificates stolen from Realtek and JMicron, which are located in close proximity to each other
- Microsoft Windows access gained via rootkit
- Two Internet Explorer zero day exploits
- Domain name servers in Malaysia and Denmark
Evaded:
- Detected and adapted to signature-based and behavioral detection capabilities of 11 anti-virus products including Symantec, McAfee and Trend Micro
Slide 15
Increasing use of a new capability: spear phishing
Use of highly contextual phishing properties, often sent by known acquaintances, and taking into account real world or online identities, to reduce detection rates.
Target / Sent To / Claims to legitimacy:
- Marathon Oil, ExxonMobil and ConocoPhillips / C-level leadership / Email subject: "Re: Emergency Economic Stabilization Act" (sent after the plan had been announced)
- Booz Allen / VP for International Military Assistance Prog. / Email subject: "India MCRA Request for Proposal" (India had released the RFP a week earlier); Sender: from the office of the Air Force Secretary
Increasing spear phishing implies that both signature-based and behavioral virus detection software are losing effectiveness, catching only 20% of malware.
Source: Business Week, Northrop Grumman, Information
Slide 16
Agenda (repeated as section divider; see Slide 2)
Slide 17
Oil and gas sector officially identified as a critical infrastructure
Critical infrastructure: "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
18 sectors identified as critical infrastructure by Homeland Security Presidential Directive 7: Agriculture & Food; Banking & Finance; Chemical; Dams; Communications; Defense Industrial Base; Energy (Electricity, Petroleum & Natural Gas); Government Facilities; Emergency Services; Healthcare & Public Health; Information Technology; Nuclear Reactors; Postal & Shipping; Transportation; Water; Commercial Facilities; National Monuments; Critical Manufacturing
Source: Critical Infrastructure Protection Act of 2001 (Section 106, Patriot Act)
Slide 18
Oil & gas cyber attacks already higher than in other critical infrastructures
McAfee survey:
- 71% of companies report stealthy infiltration (e.g. APTs), as opposed to an average of 54% for all critical infrastructure (CI)
- 1/3rd of companies report multiple infiltrations per month
- 2/3rd of companies report DDoS attacks (1/3rd report multiple attacks per month), highest amongst all CI
- Highest web extortion victimization rate amongst all CIs, e.g. employee tampering with control system software at Pacific Energy Resources, September 2009
- Unlike other CI, most attacks (56%) focused on control systems
- Highest self-estimated losses amongst all CI (from a 24-hr service outage), avg. $8.4M/day
[Chart: impact severity scale from "Minor IT, no Ops disruption" through "Serious IT, some Ops disruption", "Effect on Ops" and "Serious effect on Ops" to "Critical breakdown"]
Source: McAfee
Slide 19
SCADA operated systems in natural gas infrastructure: compressors (I)
- A main component of gas transportation is the more than 1200 compressors installed along pipeline routes
- Compressors are used to restore/maintain gas pressure and pump gas forward
- 24-hr/365-day unmanned systems monitored by SCADA
Image copyright and courtesy of EIA/Southern Natural Gas Company, El Paso Corporation
Source: EIA
Slide 20
SCADA operated systems in natural gas infrastructure: compressors (II)
[Map: Interstate pipeline compressor systems, 2006]
Source: EIA
Slide 21
Control systems are a key infrastructure in oil & gas networks
SCADA (Supervisory Control and Data Acquisition) systems are process control systems that enable monitoring and control of processes distributed amongst various remote sites. They are a form of Industrial Control System (ICS).
Components of a SCADA system:
- MTU (Master Terminal Unit): monitoring/control of field devices
- RTU (Remote Terminal Unit): data acquisition from field devices, execution of MTU instructions, automatic process control if equipped with programmable logic controllers (PLCs)
- Field devices: e.g. pumps and valves, alarms etc.
- HMI (Human Machine Interface) equipped with SCADA software: interface for operator control and system management
- Communication protocol: Modbus, TCP/IP. Can be sent over dedicated cable lines, wireless transmission (spread spectrum, microwave and VHF/UHF radio), DSL, or satellite communications
Slide 22
Economic contribution of the natural gas distribution network
- Value as intermediate input to 418 industries = $54.6B (2002 dollars)
- Consumption as final good = $38.5B (2002 dollars)
- Total Direct Annual GDP contribution: $110.8B (2010 dollars)
- Total Indirect Annual GDP contribution: $229.7B
- Total Annual GDP contribution: $340B
Source: Bureau of Economic Analysis, 2002 Benchmark input-output tables, Use of commodities by industries, purchaser prices. Figures adjusted for inflation.
Notes: Values calculated using commodity code 221200 (natural gas distribution). For indirect contribution, the value added from the top 25 industries using natural gas distribution was considered. These industries represented 35% of the total GDP contribution of natural gas distribution. See Appendix for details.
Slide 23
Attack scenario: defining a mission
[Chart: Mission Statement (Gain Strategic Advantage / Deny Operational Freedom) plotted against Target of cyber attack (Specific Asset Targeting / Infrastructure and Network Targeting)]
- Mission statement: Disrupt a continental US gas pipeline system
- Motive: Explore weaknesses, demonstration of power, political statement etc.
- Core assets such as business assets and IP are left alone
- Key infrastructure is the distribution network
- Compressor systems represent an attractive infrastructure target
Slide 24
Attack scenario: identifying cyber attack pathway
[Chart: the attack-pathway spectrum of Slide 11 (seven phases, each between the strategic end, focus on target, and the operational end, focus on attack vector development), with the scenario plotted on it]
Scenario characteristics marked on the chart:
- Need to attack non-IP network
- One-time attack
- RTUs and MTUs
- Attack Modbus protocol
Slide 25
Economic impact of the attack scenario: a simple estimation
- Consider an attack on one of the top 10 pipeline systems (which together account for 62% of output and have 498 compressors between them)
- The Natural Gas PL Co. (NGPL) pipeline system represents the average characteristics of the top 10 systems:
  - Route: begins Southwest, ends Midwest
  - Has 50 compressor stations with a total throughput rating of 49,785 MMcf (spread over 10,000 miles of pipelines)
  - Accounts for a daily GDP contribution of approx. $54.5M
Note: Assumes that GDP contribution from natural gas distribution can be spread across compressors. The true division should be across compressor+pipeline segments, but this is a reasonable assumption, since every pipeline segment depends upon the starting compressor for flow.
Note: NGPL is owned by Kinder Morgan
Slide 26
The economic impact of the attack scenario can be huge
A 100% capacity degradation for a day on the average large pipeline system can lead to estimated losses of about $54M.
Total cost will be worse (+):
1. Cost and time of replacing the compromised SCADA network and bringing the infrastructure online
2. Price shocks in the economy, higher insurance risk premiums in the industry
3. Reputation damage, risk of losing bids, increased insurance
4. Some industries will be unable to produce output altogether if gas supply is choked
Immediate costs may be less (-):
1. Other pipeline systems may respond to shortages
2. Reserves can be used to meet immediate demand, so the impact may lead to a reserve shortage rather than a supply shock
3. Stations don't operate at full capacity rating in summer months
Compare this number to the industry's self-estimates of losses of $8.4M/day. Total economic loss is much higher than firm loss.
Note: Assumes that GDP contribution from natural gas distribution can be spread across compressors. The true division should be across compressor+pipeline segments, but this is a reasonable assumption, since every pipeline segment depends upon the starting compressor for flow.
Slide 27
Incidents show that disruptions to oil and gas infrastructure are very costly
- Three week disruption in gas supplies from Russia in 2009 cost Bulgaria 250M ($330M), or 1% of GDP
- Gas plant accident in Western Australia in 2008 cost the region $6.7B in total
- Terrorist strike on Mexico gas pipelines at Veracruz resulted in $90-200M in losses
- Shutdown of almost all French oil refineries in pension strikes in October 2010 cost the French economy up to $500M per day
Losses typically run in millions of dollars per day.
Sources: Media reports -
http://www.cges.co.uk/resources/articles/2009/08/06/rescuing-russia-europe-gas-relations
http://www.usatoday.com/news/world/2007-09-10-mexico-pipeline_N.htm
http://www.cbsnews.com/stories/2010/10/25/world/main6991577.shtml
Slide 28
Agenda (repeated as section divider; see Slide 2)
Slide 29
Risk mitigation by SCADA owners largely based on IT tools
- IT tools are the most common measures, yet they are often circumvented by using trusted connections
- Patching / updating of SCADA networks is much more rare: an important measure, yet not often implemented
[Chart: adoption of measures on SCADA networks vs. IT networks]
Just perimeter defense is not enough for SCADA networks; what is required is defense-in-depth (defenses embedded in the network).
Source: Critical Infrastructure in the Age of Cyber War, McAfee, 2010
Slide 30
Network and decision systems for SCADA security are being built
LOGIIC (Linking Oil & Gas Industry to Improve Cyber Security):
- What: main function is to perform facility level monitoring of SCADA/ICS networks and integrate threat reports to develop firm level situational awareness of SCADA/ICS security
- How: adds process control intrusion detection and alarm capability from SCADA networks to standard network security
- By: partnership involving government (DHS), oil & gas majors (Chevron, BP etc.), research labs, security vendors (3Com, Symantec etc.) and process control vendors (e.g. Honeywell)
- See Appendix for LOGIIC network design
Consulting services and custom solutions:
- Developed by security vendors (Cisco, Symantec, McAfee etc.)
- Developed by process control security firms (Wurldtech, Industrial Defender etc.)
RiskMap:
- Used to identify and map operational risks in oil & gas (including disruptions from cyber attacks) to business decision making
Slide 31
The energy sector has started to respond to the growing cyber threat
The threat is leading to a number of industry initiatives, such as the Roadmap to Secure Control Systems in the Energy Sector:
- Initiative between the oil & gas, electricity and telecom sectors
- 10 year roadmap launched in 2006, and sponsored by DoE and DHS
- Vision: "In 10 years, control systems for critical applications will be designed, installed, operated, and maintained to survive an intentional cyber assault with no loss of critical function."
- Participants: commercial entities (system integrators, component suppliers, technology developers, IT and telecom providers); industry organizations from the oil & gas and electricity sectors; research institutes; government agencies
- Successes: more than 100 projects from 21 private and public sector entities under implementation or identified for implementation by 2009
Slide 32
Yet, there are a number of challenges in meeting the energy roadmap
Goals:
- Sustain security improvements
- Detect intrusion and implement response strategies
- Measure and assess security posture
- Develop and integrate proactive measures
2015 Desired End State:
- Ability of energy asset owners to understand process control security needs and use automated, real-time monitoring to determine where vulnerabilities exist
- Protective measures to reduce system vulnerabilities and threats; ability to deploy control systems with end-to-end security when changing from legacy systems
- Energy asset owners to operate networks that automatically provide contingency and remedial actions in response to attempted intrusions
- Energy asset owners and operators to work collaboratively within the sector and with government on policy and implementation progress
Current Challenges Relate To:
- A. Measuring progress: consensus on definition of key terms; comprehensiveness and reliability of measures; insufficient collaboration
- B. Vulnerability disclosure: standard assessment methods; communication and disclosure channels; regulatory and legal framework
- C. Innovative Partnerships: business case for management engagement; training of SCADA personnel in security; time and resources to invest in partnership
- D. Technology Gaps and Advancement: system complexity and vulnerabilities; impact of newer and innovative attacks; ability to replace technology
Source: Roadmap to Secure Control Systems in the Energy Sector, 2006. Roadmap Update Workshop Summaries, Jan 2011
Slide 33
Security vendors developing frameworks for risk management
Example of a SCADA risk management framework:
- Define critical assets and identify risks
- Define an electronic security perimeter around process control: main SCADA network + SCADA administration network. Manage SCADA assets from behind the perimeter. The SCADA administration network should be separate from the corporate network.
- Consider the corporate network as untrusted: the corporate network should be outside the perimeter. Require two-factor authentication for any system outside the perimeter to gain access; this will remove the risk of automated attacks, and leave a trail for attacks.
- Develop a security policy for critical assets: create policies based on regulations and standards
- Assess compliance to policies: measure compliance and address deviations from policy
Source: Gary Sevounts, Symantec
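A passive monitoring check of the kind the perimeter framework above and LOGIIC's process control intrusion detection (Slide 30) call for, written as an added example (not the deck's, Symantec's or LOGIIC's code): it parses Modbus/TCP requests, the protocol named on the SCADA components slide, and flags writes from any host other than the permitted MTU/HMI masters, plus any Modbus traffic originating from the corporate network, which the framework treats as untrusted. The host addresses, zone prefix and frames are constructed for illustration and assume a numeric 10.2.x (SCADA) / 10.1.x (corporate) layout.

```python
"""Passive Modbus/TCP write monitor for a SCADA electronic security perimeter.

Added example; addresses, zone prefixes and frames are constructed samples.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes that change controller state (writes),
# and the read codes a polling MTU normally issues.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header plus PDU of one Modbus/TCP request.

    MBAP = transaction id (2 bytes), protocol id (2 bytes, always 0 for
    Modbus), length (2 bytes, counts the unit id and PDU that follow),
    unit id (1 byte). The PDU starts with the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


@dataclass(frozen=True)
class Policy:
    masters: frozenset   # hosts allowed to write: MTU/HMI inside the perimeter
    corporate_net: str   # untrusted zone prefix (constructed: "10.1.")


def check_request(src_ip: str, frame: bytes, policy: Policy) -> Optional[str]:
    """Return an alert string, or None when the request is within policy."""
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"MALFORMED from {src_ip}: {exc}"
    # Any Modbus from the corporate zone crosses the electronic perimeter.
    if src_ip.startswith(policy.corporate_net):
        return f"PERIMETER VIOLATION: corporate host {src_ip} spoke Modbus to unit {req.unit_id}"
    # Writes are only expected from the designated masters.
    if req.function in WRITE_FUNCTIONS and src_ip not in policy.masters:
        return (f"UNAUTHORISED WRITE: {src_ip} sent {WRITE_FUNCTIONS[req.function]} "
                f"(fc {req.function}) to unit {req.unit_id}")
    return None


def build_request(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP request frame; used here only to construct samples."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic: (source host, frame)
SAMPLE_TRAFFIC = [
    # MTU polls holding registers 0..9 on RTU unit 1: read from a master, allowed
    ("10.2.0.10", build_request(1, 1, 3, struct.pack(">HH", 0, 10))),
    # MTU writes setpoint register 40 = 1500: write from an allowed master
    ("10.2.0.10", build_request(2, 1, 6, struct.pack(">HH", 40, 1500))),
    # Engineering laptop in the SCADA admin zone writes the same register
    ("10.2.5.77", build_request(3, 1, 6, struct.pack(">HH", 40, 0))),
    # Corporate workstation merely reads registers: still crosses the perimeter
    ("10.1.3.9", build_request(4, 1, 3, struct.pack(">HH", 0, 1))),
    # Truncated frame (5 bytes): cannot be parsed, reported rather than ignored
    ("10.2.0.10", b"\x00\x05\x00\x00\x00"),
]

POLICY = Policy(masters=frozenset({"10.2.0.10"}), corporate_net="10.1.")


def audit(traffic, policy: Policy) -> list:
    """Run the policy over captured requests and return the alerts raised."""
    return [a for src, frame in traffic if (a := check_request(src, frame, policy))]


if __name__ == "__main__":
    for alert in audit(SAMPLE_TRAFFIC, POLICY):
        print(alert)
```

Running the block reports three alerts for the five sample requests: the laptop's write, the corporate read and the truncated frame; the two MTU requests pass silently.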
Slide 34
Policies/standards at various levels play an important role in risk mitigation
[Diagram: layers from Economy, Industry and Firm down through Corporate Network, SCADA Admin, SCADA Control (MTU, HMI) and SCADA Field (RTU, Devices); IT resources and infrastructure vs. Operations resources and infrastructure; Business Goals]
- SCADA security: AGA 12, API 1164
- Cyber security: ISO/IEC 17799
- IT governance & management: COBIT
- Compliance, Audit: Sarbanes-Oxley, others
- National policy guidance: HSPD-7, others
- Evolving industry standards from the Energy roadmap
Notes: AGA 12 by the American Gas Association, and API 1164 by the American Petroleum Institute
Slide 35
Agenda (repeated as section divider; see Slide 2)
Slide 36
Recommendations for private sector
- Understand that cyber attack pathways can greatly differ, based on the mission of the cyber attackers (technology is not a limiting factor for most attackers)
- Identify which cyber attack pathway is most likely and most harmful for your organization, to decide where to invest
- Develop information sharing and coordinated response mechanisms with private sector companies that may provide the attack medium
Slide 37
Be aware of the common footprints of asset attacks
[Chart: the attack-pathway spectrum of Slide 11 (strategic, resource intensive end vs. operational end), with Aurora and GhostNet plotted on it]
- Monitor not just inbound but also outbound connections
- Deploy intrusion detection systems, engage security firms for threat updates
- Consider strong security for high value users and assets, e.g. two-factor authentication
Slide 38
However, the footprint of infrastructure attacks may be very diverse
[Chart: the attack-pathway spectrum of Slide 11 (strategic, resource intensive vs. operational, focused on attack vector rather than goals), with Stuxnet and Conficker plotted on it]
- IP-based DDoS attacks can take a very different approach from process control network attacks
- Need to think differently about attacks on the SCADA network
Slide 39
Recommendations for the oil & gas industry
All of the ones before, plus:
- Know that attacks on SCADA assets are already happening and can be expected to increase
- Attacks on SCADA assets can create a large magnitude of losses quickly (running into millions of dollars per day)
- Work with security vendors and process control security firms to deploy both perimeter and defense-in-depth solutions
- Share vulnerability information and collaborate in industry projects to monitor, detect and remedy cyber attacks
- Take advantage of policies and protocols to strengthen security and organizational policies (e.g. training of SCADA operators in security)
Slide 40
Recommendations for policy makers
- Help overcome challenges in implementing the energy roadmap: information sharing, innovative partnerships, regulatory environment
- Keep cyber security on the private sector's priority list through education and standards development
- Help build a case for justifying investment in cyber security by critical infrastructure firms
Slide 41
Selected References / Readings
- Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure, for the Executive Office of The President, 2009
- The command structure of the Aurora Botnet, Damballa, 2010
- Natural gas compressor stations on the interstate pipeline network: Developments since 1996, Energy Information Administration, Office of Oil and Gas, November 2007
- A Comparison of oil and gas segment cyber security standards, Idaho National Engineering and Environment Laboratory, November 2004
- DCS virus infection, investigation and response: A case study, ICSJWG Fall 2010 Conference
- Berk V., Cybenko G. and Gray R., Early Detection of Active Internet Worms, Massive Computing, 2005, Volume 5, Part III, pp. 147-180
- Roadmap to Secure Control Systems in the Energy Sector, Energetics Inc., January 2006
- Roadmap Update Workshop Series, Energy Sector Control Systems Working Group, January 2011
- Haimes Y. and Jiang P., Leontief-based Model of Risk in Complex Interconnected Infrastructure, Journal of Infrastructure Systems, Vol. 7, No. 1, March 2001, pp. 1-12
- LOGIIC cyber security system, Sandia National Laboratories, September 2006
- Haimes Y., Santos J., Crowther K., Henry M., Lian C. and Yan Z., Risk Analysis in Interdependent Infrastructures, IFIP International Federation for Information Processing, 2007, Volume 253/2007, pp. 297-310
- Protecting Your Critical Assets: Lessons learnt from Operation Aurora, McAfee, 2010
- In the Crossfire: Cyber Infrastructure in the Age of Cyberwar, McAfee, 2010
- Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, for the US-China Economic and Security Commission, Northrop Grumman Corporation
- Byres E. and Paller A., Cyber Attacks against SCADA and Control Systems, SANS Institute Webinar, 2006
- W32.Stuxnet Dossier, Symantec, November 2010
- State of Enterprise Security 2010, Symantec, 2010
- Crain D. W. and Abraham S., Using value-chain analysis to discover customers' strategic needs, Strategy & Leadership, Vol. 36, Iss. 4, 2008, pp. 29-39
- Tracking GhostNet: Investigating a Cyber Espionage Network, Information Warfare Monitor, Canada, March 29, 2009
Slide 42
Selected Web References
- Attack on US oil industry: http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved/(page)/2
- Attacks on Dept. of Defense: http://www.businessweek.com/magazine/content/08_16/b4080032218430.htm
- SCADA basics: http://www.free-engineering.com/ar-scada.htm
- Impact of Russia's oil disruption: http://www.cges.co.uk/resources/articles/2009/08/06/rescuing-russia-europe-gas-relations
- Impact of Mexico's pipeline incident: http://www.usatoday.com/news/world/2007-09-10-mexico-pipeline_N.htm
- Cost of French air strikes: http://www.cbsnews.com/stories/2010/10/25/world/main6991577.shtml
All images used are the copyright of their respective owners.
Slide 43
Resources and Support
Interviews: Laurie Burnham, I3P, Dartmouth College; David Nicol, Information Trust Institute; Nicola Secomandi, Carnegie Mellon Tepper School of Business
Slide 44
About the study
- Independent Study at Tuck School of Business. Advisors: Professors Eric Johnson, Brian Tomlin
- Part of the Cyber Code of Conduct project, Fletcher School of Law & Diplomacy. Principal Investigator: Professor William Martel
Slide 45
Appendix
Slide 46
Select glossary of terms not explained elsewhere
- IP: Internet Protocol
- Zero-day vulnerability: a vulnerability that is not closed/addressed by developers when the software is released
- Exfiltration: stealthy removal of information from a target network (in the context of cyber attacks)
- DNS: Domain Name System servers, which translate machine names to IP addresses. A DNS query refers to querying these servers for machine information. DNS poisoning refers to deliberately introducing false translation data to DNS servers
- Active Directory: Windows directory that maintains user names and passwords for a corporate network
- Rootkit: a program that aims to gain root control (the right to operate as administrator) without revealing itself
- SQL injection: subverting/crashing a database-backed website by using illegal database queries
- Vishing: exploiting telephony networks to obtain user information, such as credit card numbers
- Botnets/Zombies: computers which have been compromised by malware and are used by it to target other computers
- DoS: Denial of Service, refers to crashing a web server by bombarding it with web queries. When this is done by using multiple botnets, it is called distributed DoS (or DDoS)
- Logic bomb: Internet attacks that are set to happen at a particular date or time in the future, or if some condition is met
- Two factor authentication: the requirement of passing two tests before obtaining access. For instance, entering a password and then using a fingerprint before access is given
- VPN: Virtual Private Network
- P2P: Peer-to-peer communication protocol