Cybersecurity for Energy Delivery Systems. Michael Assante & Tim Conway (Under contract to DOE through Idaho National Laboratory)

Transcription

1 Cybersecurity for Energy Delivery Systems Michael Assante & Tim Conway (Under contract to DOE through Idaho National Laboratory) October, 2016

2 Agenda 1. Event deconstruction 2. Mitigations 3. Discussion 2

3 Ukraine Event December 23, 2015

4 Presentation Perspective An interagency team composed of representatives from the NCCIC/ICS-CERT, U.S. Computer Emergency Readiness Team(US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight. Mike Assante and Tim Conway as DOE INL subcontractors added to the team by DOE to bring their electricity sector and SANS experience to bear on this critical incident. This briefing is our post trip report. The mitigation guidance for consideration is our own and is offered as is, as general concepts to simply inform thinking 4

5 Geographic Orientation 5

6 Power System Orientation 6

7 Power System Element: Distribution Source: Modification of an image from the energy sector - specific plan

8 Event Summary Through interviews, the team concluded that a remote cyber attack caused power outages at three Ukrainian distribution entities (Oblenergos) impacting approximately 225,000 customers While power has been restored, all the impacted Oblenergos continue to operate in a degraded state The attack included elements to disrupt power flow and exaggerate the outage by damaging the SCADA DMS and communication infrastructure used to support power dispatching 8

9 Reconnaissance Spearphish Foothold Credentials / Pivot VPN Access / Discovery Operations / firmware Killdisk, UPS, TDOS

10 Attack Steps (x3) Infect, Foothold, C2 Harvest Credentials Achieve Persistence & IT Control Discover SCADA, Devices, Data Develop Attack CONOP Position Execute Attack - SCADA/DMS Dispatcher Client/WS Hijacking - Malicious firmware uploads - KillDisk Wiping of WS & Servers - UPS Disconnects & TDoS 11

11 ICS Kill Chain Mapping (Stage 1) 12

12 ICS Kill Chain Mapping (Stage 2) 13

13 14

14 Keeping Perspective The Ukraine cyber attacks are the first publicly acknowledged intentional cyber attacks to result in power outages. As future attacks occur it is important to scope the impacts of the incident being examined. Power outages should be measured in scale (number of customers and electricity infrastructure involved) and in duration to full restoration. These incidents impacted up to 225,000 customers in three different distribution level service territories lasting several hours. These incidents would be rated on a macro scale as low in terms of power system impacts as the outage impacted a very small number of overall power consumers in Ukraine and the duration was limited. We are confident that the companies impacted would have rated these incidents as high or critical to their business and reliability of their systems. 15

15 F

16 How Sophisticated Was It? 17 F

17 Rating this Attack Sophistication 1 CONOP 3 2 ICS Customization 2 Effect Summary Some sophistication in the SCADA/DMS hijacking method but the majority of it was not CONOP SOPHISTICATION CUSTOMIZATION Rogue client hijacking demonstrated some customization Electricity outage in three service territories restored in hours EFFECT A complex and successful attack plan 18

18 Guidance & Mitigation Concepts Published Advisories and SCADA/DMS mitigations

19 ICS-CERT Alert 20 F

20 E-ISAC Alert Level 2 NERC Alert (R ) that was released February 9, /api/documents/4199/p ublicdownload 21 1

21 Number One Question Can this happen in North America and doesn t NERC CIP protect us? An audience member at every Ukraine discussion 22 Two clarifying topics: 1. Applicability 2. Which NERC CIP?

22 Applicability of NERC CIP Strategic BES Reliability Standards Development Sufficiency Reviews Early Adopter Program Lessons Learned Program Tactical Compliance Audits Enforcement Determination Standards / RFI Approval FERC Fillings Event Analysis E-ISAC Investigations 23

23 Compliance and Security NERC: A House with many rooms In Support of a Common Mission 24

24 Energy Policy Act 25

25 Bulk Electric System Transmission Elements operated at 100 kv or higher and Real Power and Reactive Power resources connected at 100 kv or higher. This does not include facilities used in the local distribution of electric energy. Five inclusion statements Four exclusion statements 26 F

26 Applicability of NERC CIP For Balancing Authority (BA), Generator Operator (GOP), Generator Owner (GO), Interchange Coordinator or Interchange Authority, Reliability Coordinator (RC), Transmission Operator (TOP), Transmission Owner (TO) *All BES Facilities are in scope For Distribution Provider - UFLS or UVLS systems identified above - Special Protection Systems (SPS) or Remedial Action Schemes (RAS) identified above - Each Cranking Path and group of Elements identified above 27

27 NERC Registration? Source: Modification of an image from the energy sector - specific plan

28 The CIP of Old Critical Assets Bulk Electric System CCA s Covered by CIP Critical Cyber Assets Other Cyber Assets Covered by CIP 29

29 CIP 2 0 H M L

30 Applicability Variations 31

31 ES-C2M2 Model 32

32 Maturity Indicator Level Descriptions Level Name Description MIL0 Not Performed MIL1 has not been achieved in the domain MIL1 Initiated Initial practices are performed but may be ad hoc MIL2 Performed Practices are documented Stakeholders are involved Adequate resources are provided for the practices Standards or guidelines are used to guide practice implementation Practices are more complete or advanced than at MIL1 MIL3 Managed Domain activities are guided by policy (or other directives) Activities are periodically reviewed for conformance to policy Responsibility and authority for practices are clearly assigned to personnel with adequate skills and knowledge Practices are more complete or advanced than at MIL2 33

33 ES-C2M2 view of CIP H L

34 Qualified Answer Can this happen in North America and doesn t NERC CIP protect us? An audience member at every Ukraine discussion If the CIP High requirements were in place at the targeted location, and the adversary attempted the same attack actions without modification they would have been stopped. 35

35 Leverage What You Have Standards Regulation and enforcement Information sharing construct Exercises and Drills Training 36

36 Attack Elements Discussion Tools & Tech Spearphish Credential Theft Control & Operate Ukraine Event Significant Events based on publicly available reporting. VPN Access Workstation Remote 37 F

37 You are the Defensive Coordinator 38 38

38 Spearphish Targeted spearphish Timely Sense of urgency Well written Legitimacy Trusted sender Training Awareness training Phishing testing Spearphish Web based attacks Google rankings Page hijack DNS redirect Local system redirect Drive by downloads Anticipated Contested territory Isolate and control Filtering Detection Based Reputation Based 39

39 Credential Theft Targeted malware Malware variants Modular capabilities Keystroke logger Network capture Remediate YARA & AV Change PW Credential theft Pass the hash Pw cracking Privilege escalation Hash file attacks Credential Theft Anticipated Normalize net and directory activity Alert on the abnormal Defense in Depth Directory Segmentation Zones of Trust 40

40 VPN Access Trusted Access Authenticating as a trusted user Leveraging approved communication paths Strengthen Two factor Dedicated Tokens VPN Access Alternate remote access methods Target a trusted user with VPN access Target a trusted vendor with VPN access Anticipated Why is it there Activate at time of use Trust Jump Host No Split Tunneling 41

41 Remote Access Remote Capabilities Utilizing approved tools Appearing as an approved process Utilizing approved user credentials Harden Disable remote access Block at perimeter fw Workstation Remote Access Manipulating remote capabilities Scheduled tasks to call out Reverse shell Exploiting vulnerabilities to gain access Anticipated Conservative operations Sectionalizing Manage Configure Host FW Monitor config changes 42

42 Control Misuse of the Application Utilizing the technology in a way it was not intended Manipulating the data to cause a misoperation App Security Logic for confirmation AOR Control and Operate Integrity loss Manipulate data in transit Leverage the communications paths and unauthenticated protocols to initiate commands Anticipated Manual operations Load Shed Communication Path encryption Protocol encryption 43

43 Tools and Tech Cyber enabled everything IP reliant voice communications Network connected building control systems Field device manipulation Anticipated Blackstart plans Islanding Mutual Aid Eliminate Filter calls by source Disconnect BCS from net Disable remote mgmt Tools and Tech Availability / misuse Firmware level manipulation Impact power delivery internal to facility Impede restoration due to communication losses Device Disable remote FW updates ATS, Backup Gen Secondary Comms 44

44 Review the Tape of the Adversary Past Critical Infrastructure campaigns Data Breaches ICS Specific malware Kill Chain analysis 45 45

45 What will your attack look like 4. Adversary Intent 5. External Drivers 46

46 System Variables System Vendor In many cases, vendo specific design criteria will determine system requirements Applications Third p applica require operational Infrastructure Physical System Design Decisions Operating Procedures Control Philosophy System Management hing, change ol, monitoring, ng, malware ction, account anagement 47

47 Altering any element effects the overall security of the system. With each element having dependencies and effects on the security of the other elements of the overall system. Foundation Invest in People Foundation Develop sound policies and procedures 48

48 Take Action! 49

49 Moving From Stage 1 to Stage 2 Stage 1 Adversary has successfully performed the necessary elements of the Stage 1 Kill chain To have an ICS effect the adversary needs to move into the elements of the Stage 2 ICS Kill Chain The great unknown Map Environment Understand ICS Operation Trusted connections Vendor access Support personnel remote access System backup or alternate site replication tasks System Mgmt communications patching, monitoring, alerting, configuration and change mgmt Data historians Direct access dial up Waterholing attacks Social Engineering Stage 2 When the adversary has identified a path into the ICS environment the Stage 2 ICS Kill Chain elements can be acted upon

50 Opportunities to Disrupt IT Preparation Target selection Unobservable target mapping Malware development and testing Hunting and Gathering Lateral Movement and Discovery Credential Theft and VPN access Control system network and host mapping Sequence Pre Work Upload additional attack modules - KillDisk Schedule KillDisk wipe Schedule UPS load outage Attack Launch Issue breaker open commands Modify field device firmware Perform TDoS Scheduled UPS and KillDisk Hrs. Event min hrs. 6 mo 9 mo 12 mo Spear phishing Delivery of phishing Malware launch from infected office documents Establish foothold ICS Preparation Unobservable malicious firmware development Unobservable DMS environment research and familiarization Unobservable attack testing and tuning Attack Position Establish Remote connections to operator HMI s at target locations Prepare TDoS dialers Target Response Connection sever Manual mode / control inhibit Cyber asset restoration Electric system restoration Constrained operations Forensics Information sharing System hardening and prep

51 Lessons Learned Training Planning and Analysis Load Shed EOP Blackstart 52

52 Lessons Learned Translated Cyber contingency analysis (continuous analysis and preparing the system for the next event) Cyber failure planning (modeling and testing cyber system response to network and asset outages) Cyber conservative operations (Intentionally eliminating planned and unplanned changes, as well as stopping any potentially impactful processes) Cyber load shed (Eliminating all unnecessary network segments, communications, and cyber assets that are not operationally necessary) Cyber RCA (Root Cause Analysis forensics to determine how an impactful event occurred and ensure it is contained) Cyber blackstart (cyber asset base configurations and bare metal build capability to restore the cyber system to a critical service state) Cyber mutual aid (ability to utilize ISACs, peer utilities, law enforcement and intelligence agencies, as well as contractors and vendors to respond to large scale events) 53 F

53 Prepare to Defend the Effect Component Mitigation N Mitigation N+1 Mitigation N + X Spear phish Training Filter System Spec Credential Theft Remediate PW Defense in Depth Protection Devices VPN Access Strengthen Trust RCA / EOP Workstation Remote Access Control and Operate Harden Manage Conservative Operations / Sectionalizing App Security Communication Manual Operations / Load Shed Tools and Tech Eliminate Device Black Start / Mutual aid 54 F

54 Ten items for your to do list Register and test E-ISAC access Contact local FBI & ICS-CERT Review internal IR plans Review alerts, documents, and NERC Level 2 alert response progress Identify and review electronic access points Develop procedure to disconnect Review / develop full system restore capabilities Participate in exercises Work with NERC training staff to train operators Ask for help 55

55 питання Questions Attack

56 References & Products NCCIC/ICS-CERT INCIDENT ALERT: IR-Alert-H P UKRAINIAN POWER OUTAGE EVENT, February 12, 2016 (TLP=GREEN) High-level summary of the incident elements Mitigation guidance Detection pointers & indicators (IOCs) NERC E-ISAC: Mitigating Adversarial Manipulation of Industrial Control Systems as Evidenced By Recent International Events, February 9, 2016 (TLP=RED) Tactics used by actors with mitigation options ICS-CERT BlackEnergy YARA signature: Initial Findings of the US Delegation examining the events of December 23 rd 2015, Power Point Presentation, February 2016 E-ISAC & SANS Defense Use Case: 57

57 Guidance Documents Research & Development CEDS Incident Coordination Deployment 58

58 Cyber Incident Coordination Research & Development CEDS Incident Coordination Deployment Coordinate response with federal and industry partners. Share information and facilitate access to technical sector specific expertise while ensuring: Unity of effort; and Unity of message Collaboration with industry for participation in national and regional preparedness projects including cyber exercises. ESCC Playbook Exercise New York State Cybersecurity Exercise (NYSCE) Dams Sector Information Sharing Drill North American Electric Reliability Corporation (NERC) Grid Security Exercise (GridEx) 59

59 60 Office of Electricity Delivery & Energy Reliability U.S. Department of Energy