Threat modeling of SCADA cyber attacks

Transcription

1 KTH ROYAL INSTITUTE OF TECHNOLOGY Threat modeling of SCADA cyber attacks Margus Välja 2018

2 Outline Motivation for threat modeling Threat modeling basics SCADA threat model example - Reference model - Model analysis Process and insights

3 Motivation for threat modeling Increasing number of attacks against SCADA systems* Attacks from remote sources resulting in disruption and information disclosure* Recent examples The Ukranian attacks USA critical infrastructure infiltrated *Bill Miller and Dale Rowe A survey SCADA of and critical infrastructure incidents. In Proceedings of the 1st Annual conference on Research in information technology (RIIT '12). ACM, New York, NY, USA,

4 Motivation for threat modeling: contributing factors* SCADA systems are operating as large distributed computing platforms Commercial off-the-shelf hardware, software for ICS services ICS knowledge and documentation on ICS services available (incl. SCADA protocols and their weaknesses) ICS networks connected to public networks such as the internet ICS security testing frameworks are publicly available *Luiijf E. (2016) Threats in Industrial Control Systems. In: Colbert E., Kott A. (eds) Cyber-security of SCADA and Other Industrial Control Systems. Advances in Information Security, vol 66. Springer, Cham

5 Threat modeling A system (of systems) with goals 1. Enforce a policy (goal) like CIA 2. Threat model is a set of assumptions about a threat agent 3. Mechanism to achieve the goal - like CIS* Threat agent Mitigation strategies should take into account the motivation, tactics, and capabilities *

6 Dumb embedded controllers SANS Securing Industrial Control Systems-2017 survey Threat modeling A system (of systems) with goals 1. Enforce a policy (goal) Reliability and Availability dominate 2. Threat model is a set of assumptions about a threat agent Can guess default 3. Mechanism to achieve the goal and popular passwords NIST: Framework for Improving Critical Infrastructure Cybersecurity: - PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties - DE.AE-3: Event data are collected and correlated from multiple sources and sensors

7 Threat modeling Four step approach * : 1. Model system 2. Find threats 3. Address threats 4. Validate * Shostack, Adam. Threat modeling: Designing for security. John Wiley & Sons, 2014.

8 Find threats and mitigations* 1. Brainstorming incl. literature review 2. Structured approach Attack Libraries (CAPEC, OWASP attack libraries) Cyber security failure scenarios and good practices (Energisäkerhetsportalen, NESCOR, ENISA, SANS framework, CIS) STRIDE (identify), DREAD (rate) ICS-CERT advisories Cover breadth first! * Shostack, Adam. Threat modeling: Designing for security. John Wiley & Sons, 2014.

9 Find threats and mitigations: Attack graphs Formal methodical way of describing dependencies in complex systems Dependencies of attacks ADVISE, securicad

10 securicad attacks and defences

11 SCADA threat analysis example securicad* For attack simulations Incorporates structural and technical vulnerabilities Probabilistic attack graph generation Taxonomy of attacks and mitigation Reference model of load balancing setup** Configuration and attack scenarios * **

12 SCADA threat analysis example: Reference model Covers IT and OT 50 Data flows Technical and structural assumptions With and without a replicated SCADA setup (DMZ) Security controls secure, unsecure

13 SCADA threat analysis example: Reference model

14 SCADA threat analysis example: Authentication view

15 SCADA threat analysis example Attacker positions Internet Software vendor Energy supplier Smart Meter in a household Targets Central SCADA System RTUs in the primary & secondary substations RTUs in DER substations

16 Attack graph

17 SCADA threat analysis example Attack at the vendor

18 Results

19 Threats in ICS landscape* 1. Organizational aspects related to the organization 2. Subcontractors involved in the deployment, use, and maintenance of ICS; 3. ICS architecture and ICS technology; 4. Networking and telecommunications; 5. Human factors; 6. Operational maintenance; 7. The environment of ICS systems and communications. *Luiijf E. (2016) Threats in Industrial Control Systems. In: Colbert E., Kott A. (eds) Cyber-security of SCADA and Other Industrial Control Systems. Advances in Information Security, vol 66. Springer, Cham

20 Threat modeling in an organization: Process* Integrating threat modeling into deployment processes involves the maintenance of models of the system Finding threats against a system is a matter of understanding the changes that occur as systems are operated or modified The (acceptance or deployment) testing of a change should include any planned mitigations * Shostack, Adam. Threat modeling: Designing for security. John Wiley & Sons, 2014.

21 Threat modeling in an organization: Responsibilities* There are roughly three approaches that can be employed: - Everyone threat models. - Experts within the business are consulted. - Consultants (internal or external) are used. * Shostack, Adam. Threat modeling: Designing for security. John Wiley & Sons, 2014.

22 Insights* There s More Than One Way to Threat Model The Right Way Is the Way That Finds Good Threats Threat Modeling Is Like Version Control (prevalent) Threat Modeling Is Also Like Playing a Violin (gradual progress) The Interplay of Attacks, Mitigations, & Requirements * Shostack, Adam. Threat modeling: Designing for security. John Wiley & Sons, 2014.

23 Questions?