Honey, I Hacked the SCADA! :Industrial CONTROLLED Systems!

Transcription

1 Honey, I Hacked the SCADA! :Industrial CONTROLLED Systems! Jon L. Korecki Executive Director Cyber Security and Information Assurance ViaSat Inc. - Carlsbad, CA jon.korecki@viasat.com

2 Agenda History of ICS/SCADA Vulnerabilities and Attacks Attack Disclosures Vectors of Attack and Rationale History and Purpose of HoneyNet Design and Architecture Criteria Interaction Levels Actual System as Deployed Actual Attack Data Advanced Deception Technology Concepts Next Steps

3 August 14, The Saga begins.. FirstEnergy Corporation Transmission Line Foliage Race Condition in GE XA/21 EMS Software Bug! Not an Attack Blaster August 11, 2003? 265 Generating Stations 28.7 GW Load Shed 50 Million Customers 8 States and Canada

4 Timeline Industrial Control Systems Attacks

5 Full Disclosure

6 SCADA/ICS System Vulnerabilities What s connected? Few testing environments Compliance = FIREWALLS protection $$$$$ Legacy equipment Hacker highways Goodbye security by obscurity

7 Not to mention.physical Access!

8 (SCADA) InfoSec Triad CISO - Security Team Security! Multifactor Authentication Encryption Change Control Regulations ACLS, Firewalls and Red Tape Technicians - Analysts Features! Remote Access Historian, Corporate Data Access Tablet, iphone, Android Access EZ Authentication Operations Availability! Availability Availability!

9 In a Perfect World?

10 What are we trying to prove? SCADA Operational Intelligence Program Validate System Attacks Identify Nature of Attacks Actual Damages Quantify Impact

11 Requirements Real system appearance Interaction levels Attacker profile information Full Packet Capture (FPC) Tor or Not to Tor?

12 SCADA Intelligence Gathering Cycle Initialize Intelligence Sensors (HoneyNet) SCADA Intelligence Continuous Monitoring Sensor Upgrades Intelligence Correlation and Reporting Cyber Security Systems Engagement Attack Analytics

13 Myth or Reality?

14 SCADA Intelligence System Architecture Deployment Options: DMZ with BackChannels DMZ Landing Page DNS Record

15 Low Interaction plcscan.py

16 Medium and High Interaction

17 I-Frame High Interaction

18 And we have liftoff...

19 GeoLocation, HMI, Web, TOR Exit Nodes! Map

20 Attack Profile - Russian Federation SEV 2782

21 Anybody Home?

22 Not that we re keeping score Graphs Attacks US China Thailand Taiwan France

23 Top Internet Service Providers Y1

24 Top Internet Service Providers Y2-3 Get off of my cloud!

25 Correlation

26 Rankings Packet Exchanges Recon Coordinated Attack

27 Details, Evidence and Attacker Profiling

28 Findings - Attack Intelligence Correlation Real and malicious attacks directed at Critical Infrastructure Attack count and severity spiked on 9/11 Legacy systems are extremely vulnerable Cloud provider sourcing rapidly increasing Only sophisticated attacks utilize evasion techniques (e.g. TOR) Diversity in attack tools (Simple scanners >> Professional tools)

29 Next Steps All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near. Sun Tzu, The Art of War

30 All warfare is based on deception Sun Tzu, The Art of War We re convinced that deception is a necessary part of any network defense Not limited to ICS/SCADA; All industries, Enterprise IT, and even consumers could benefit from deception based anomaly detection But the cost of deploying and maintaining deception needs to be low

31 Deception In Depth Deception Funnel Lure Attackers Deeper With Multiple Layers of Deception Lures/Baits/Breadcrumbs Many Low Interaction Some Medium Interaction Few High Interaction Fewer Super High Interaction

32 Automation Automated Deployment Public/Private Cloud Deployment Automated Response Software Defined Networking

33 Automated Deployment

34 Public/Private Cloud Deployment

35 Automated Discovery and Deployment

36 Automated Discovery and Deployment

37 Automated Deception Response Automated Response with Software Defined Networking NSA Active Cyber Defense (ACD) is a component of the Department of Defense's (DoD) overall approach to defensive cyber operations Only 2 approved Trusted Cyber Sensor vendors Keep adversaries engaged and collect intelligence Learn Tactics Techniques and Procedures (TTP) and apply to cyber-response playbooks

38 Cover All Your Bases Known-Known: IDS/IPS and Trusted Cyber Sensor Known-Unknown: Deception Technology Unknown-Unknown: Behavioral Machine Learning

39 Takeaways

40 Consider deception as an early warning system Key to success is automation In Summary Use SDN to redirect attacks away from real to deception systems Use a multi-layered deployment Keep adversaries occupied and confused Use analytics to consume output from deception nodes

41 Thank You!

42 Honey, I Hacked the SCADA! :Industrial CONTROLLED Systems! Jon L. Korecki Executive Director Cyber Security and Information Assurance ViaSat Inc. - Carlsbad, CA jon.korecki@viasat.com