Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Transcription

1 Why Should You Care About Control System Cybersecurity Tim Conway ICS.SANS.ORG

2

3

4 Events

5 Example #1 Dec 23, 2015 Cyber attacks impacting Ukrainian Power Grid Targeted, synchronized, & multi faceted Three electrical distribution companies Cause outages affecting 225,000 customers Lasted hours System restored but degraded

6 Power System Element: Distribution

7 Lessons Observed Stage 1 Stage 1 will appear ITfocused and blend in with other IT related scans, probes, viruses, and general noise.

8 Attack Steps & Timeline STAGE 1 STEPS 1-3: Access campaign with infected Office attachment Adversary Foothold Host with BE Utility Business IT Infrastructure Access Campaign Mar Apr May June Jul Aug Sep Oct Nov Dec 23 Power Attack

9 Broad Access Campaign

10 Attack Steps & Timeline (Cont.) STAGE 1 STEPS 3-4: IT take over Adversary C2 & Freedom of Movement & Action Utility Business IT Infrastructure? Mar Apr May Access Campaign June Jul Aug Sep Oct Nov Dec 23 Power Attack

11 Attack Steps & Timeline (Cont.) STAGE 1 STEPS 5: Discover & Compromise SCADA VPNs Adversary SCADA Utility Business IT Infrastructure Discover using valid credentials Discover, Move, Learn, Act? Mar Apr May June Jul Aug Sep Oct Nov Access Campaign Dec 23 Power Attack

12 Lessons Observed Stage 2 Stage 2 will contain ICS specific indicators and objectives.

13 Concept: Hijack & ICS Damage VPN SCADA Server Rogue Client Remote SCADA Client Software Phantom Mouse Remote Amin Tools at OS-level The attackers develop two SCADA Hijack approaches (one custom and one agnostic) and successfully used them across different types of SCADA/DMS implementations at three companies

14 Attack Steps & Timeline (Cont.) STAGE 2 STEPS 1-3: Develop & Test VPN SCADA Server VPNs Rogue Client Remote SCADA Client Software Phantom Mouse Remote Amin Tools at OS-level KillDisk Firmware Adversary SCADA Utility Business IT Infrastructure Attack Concept Access Campaign Mar Apr May Develop & Test? June Jul Aug Sep Oct Nov Dec 23 Power Attack

15 Attack Steps & Timeline (Cont.) STAGE 2 STEP 4: Attack VPN SCADA Server VPNs Rogue Client Remote SCADA Client Software Phantom Mouse Remote Amin Tools at OS-level Adversary UPS Disconnect KillDisk A. Hijack HMI B. Firmware C. KillDisk D. UPS KillDisk SCADA Firmware Mar Apr May June Jul Aug Sep Oct Nov Dec 23 Power Attack

16 1 5 1 Reconnaissance Spear phish Foothold Credentials / Pivot VPN Access / Discovery Operations / firmware KillDisk, UPS, TDOS

17 Target and Position 1 2 Escalate & expand Leverage Trusted Comms & Develop SOE Execute operations & impair restoration 7

18 Opportunities to Disrupt IT Preparation Target selection Unobservable target mapping Malware development and testing Hunting and Gathering Lateral Movement and Discovery Credential Theft and VPN access Control system network and host mapping Sequence Pre Work Upload additional attack modules - KillDisk Schedule KillDisk wipe Schedule UPS load outage Attack Launch Issue breaker open commands Modify field device firmware Perform TDoS Scheduled UPS and KillDisk Hrs. Event min hrs. 6 mo 9 mo 12 mo Spear phishing Delivery of phishing Malware launch from infected office documents Establish foothold ICS Preparation Unobservable malicious firmware development Unobservable DMS environment research and familiarization Unobservable attack testing and tuning Attack Position Establish Remote connections to operator HMI s at target locations Prepare TDoS dialers Target Response Connection sever Manual mode / control inhibit Cyber asset restoration Electric system restoration Constrained operations Forensics Information sharing System hardening and prep

19 Grab Your Phone The Electric system is failing We have a procedure for that They have a plan for that Ummmmm

20 The Operator Perspective /story/russian hackersattack ukraine/

21 Example #2 Malware Discovery Associated with Electric Outages ics-community.sans.org

22 Malware Role Malware Role Highly Coordinated Electric System Impacts Ukraine Electric System Cyber Events Highly Targeted Modular and Customizable Significance Substations Customers 225K Portion of Capitol region MW Impact 135 MW 200 MW Significance ics-community.sans.org

23 FOR INDUSTRY 2 3 ics-community.sans.org

24 Key Risk Item Considerations and Mitigations RISK IMPACT SCADA Path Management Restrict to inuse protocols only. Implement protocol converters, Front End defenses, in line firewalls Risk #1 Protocol Implementation Organization is utilizing IEC 101, IEC 104, or IEC for operational control capability Vulnerability Management Remove devices not in use, implement patch management and firmware updates Risk #2 Protection Relays Unpatched Siemens SIPROTEC relays are being utilized Risk Mitigations Network Monitoring and Alerting Limit OPC to status only, Implement communications baselines, and anomaly detection Risk #3 OPC Protocol Environment utilizes OPC DA protocol Data Protection and Recovery Ensure configuration data backups, tested recovery, and encrypted storage Risk #4 Data Destruction Access to configuration data is achievable Current Detection Capabilities Deploy malware signature detection at host and network level Risk #5 Unknown Infection Inability to detect malware within environment Secure Access Only enable access when/as needed. Implement 2- factor authenticated, with local jump host environment Risk #6 Adversary Access Ability to remotely interact with the environment Risk Areas Reflect CrashOverride as of June 13 *as additional modules are discovered this will need to be reassessed RISK LIKELIHOOD ics-community.sans.org

25 Current Risk Ranking and Assessment of Potential Risk Current Risk Ranking was Determined based on the following key factors: Our organization does not use protocols identified Our organization does not use vendor products identified Operational architecture limits effects Likelihood of Occurrence High Med Low Current Risk Low Med High Consequences Future Risk Future Risk Ranking was Determined based on the following key factors: Malware modules discovered that impact protocols in use by our organization Malware modules discovered that exploit devices in use by our organization Adversary tactics discovered that could have greater operational effect ics-community.sans.org

26 ics-community.sans.org 26

27 Example #3 The Safety Team Needs to Expand ics-community.sans.org

28 Safety Programs Need ICS Security 1 Process remote access risk assessment 3 Path from IT to OT 2 Always available remote connectivity need 4 DCS and Safety Process Integration 5 Available SIS Engineering Work Station 6 Remote programming available As operational and support decisions are made that impact the ICS environment, consider the potential safety impacts if the system is misused ics-community.sans.org

29 PPE is Expanding! ics-community.sans.org

30 Stage 1 Discussion Conficker APT1 Iranian Actors Attack with Impact Attack with Impact Attack with Impact

31 Stage 2 Discussion BE3 HAVEX STUXNET UKRAINE BE3 BE3 BE3 BE3 BE3 Attack with Impact

32 Stage 1 Adversary has successfully performed the necessary elements of the Stage 1 Kill chain To have an ICS effect the adversary needs to move into the elements of the Stage 2 ICS Kill Chain Map Environment Understand ICS Operation Trusted connections Vendor access Support personnel remote access System backup or alternate site replication tasks System Mgmt. communications patching, monitoring, alerting, configuration and change Mgmt. Data historians Direct access dial up Waterholing attacks Social Engineering Stage 2 When the adversary has identified a path into the ICS environment the Stage 2 ICS Kill Chain elements can be acted upon

33 High ICS Payload Major Public ICS Incidents & Access Campaigns Stuxnet (all versions) TRISIS ICS Exploits ICS Delivery ICS Targeting ICS Recon ICS CUSTOMIZATION NY Dam Intrusion BlackEnergy 2 (various ICS modules) Havex (OPC module) Critical Infrastructure Data Exfiltration Stage One Stage Two BE3 Dec 2016 Ukraine Power Outage Dec 2015 Ukraine Power Outage Unspecified German Facility Low Low ICS IMPACTS (Nuisance) (Lost Productivity/Data) (Lost Value) High (Loss of Safety, Reliability, Assets) ics-community.sans.org

34 Defend

35 How Sophisticated Are the Attacks?

36 What will your attack look like 1. System Variables 2. Cyber Maturity Variables 3. Adversary Capabilities 4. Adversary Intent 5. External Drivers

37 Each organization is faced with many technology related decisions to make.

38 Your People, Process, and Technology decisions create a unique operating environment Each technology decision shapes the environment for both the adversary and the defender

39 Take Action! Reduce the effect of a successful attack.

40 Controls Program Various implementations Maturity Assessments Perspective of performers Regulation Focused Criteria based Risk Assessments Multiple models Exercise Focused Realistic attacks = realistic response Attack Trees Adversary action analysis

41 Controls Program Various implementations Maturity Assessments Perspective of performers Regulation Focused Criteria based Risk Assessments Multiple models Exercise Focused Realistic attacks = realistic response Attack Trees Adversary action analysis

42 Controls Program Various implementations Maturity Assessments Perspective of performers Regulation Focused Criteria based Risk Assessments Multiple models Exercise Focused Realistic attacks = realistic response Attack Trees Adversary action analysis

43 Controls Program Various implementations Maturity Assessments Perspective of performers Regulation Focused Criteria based Risk Assessments Multiple models Exercise Focused Realistic attacks = realistic response Attack Trees Adversary action analysis

44 Controls Program Various implementations Maturity Assessments Perspective of performers Regulation Focused Criteria based Risk Assessments Multiple models Exercise Focused Realistic attacks = realistic response Attack Trees Adversary action analysis

45 Controls Program Various implementations Maturity Assessments Perspective of performers Regulation Focused Criteria based Risk Assessments Multiple models Exercise Focused Realistic attacks = realistic response Attack Trees Adversary action analysis

46 What We Need YetiCorn s Unicorns Yeti s

47 Cyber Operators sans.org/ics456 giac.org/gcip

48 Questions? Join the Community that is defending our Critical Infrastructure