Headline Verdana Bold. Internet of Things Cyber threat intelligence

Transcription

1 Headline Verdana Bold Internet of Things Cyber threat intelligence Lajos Antal, Deloitte Hungary, January 2018

2 Electronic embedded devices connected to the Internet

3 They exist everywhere serving industrial purposes and consumers alike

4

5 Different scale of changes Image source: Samsung

6 As of today, these devices play a major role in the current cyber threat landscape. While different risks exist, lets be practical and approach them in 3 key categories. Sabotage/Fraud Privacy/Surveillance Cyber crime

7 PRIVACY/SURVEILLANCE

8 Lets see some examples and start with some videos.

9 «video embedded»

10 This is an energy monitoring solution from a main consumerproducts manufacturer. It helps understand utilities consumption cycles and provides optimization. It uses a single small device connected to a single power outlet.

11 But, how does this work? Deloitte Cyber Intelligence Centre 11

12 The technology uses Electro Magnetic Interference (EMI) signature analysis to identify different appliances and different operation modes for these appliances. This technology can distinguish between washing cycles of your washing machine! Deloitte Cyber Intelligence Centre 12

13 Think about it. What if I connected one of these to an external outlet (i.e. garage) and monitor it from the Internet? What if I connected one of these to an external outlet (i.e. garage) and monitor it from the Internet? Deloitte Cyber Intelligence Centre 13

14 Is the alarm system connected? Are there any surveillance cameras? Are there any laptops home? What are these laptop models? Deloitte Cyber Intelligence Centre 14

15 ... Yes, privacy... Deloitte Cyber Intelligence Centre 15

16 I wonder what could be built under a small, always on, Internet connected and machine learning enabled thermostat. Deloitte Cyber Intelligence Centre 16

17 SABOTAGE/FRAUD Deloitte Cyber Intelligence Centre 17

18 Lets talk about smart meters Deloitte Cyber Intelligence Centre 18

19 Sounds very hypothetical right? The harsh reality is that smart meters have been targeted for years now. Deloitte Cyber Intelligence Centre 19

20 Deloitte Cyber Intelligence Centre 20

21 Smart meters are a key future technology. As they play an increasing role in consumer s day-to-day, security standards need to evolve to protect both, consumers and the industry. Also important, protocols, processes and monitoring tools need to exist to protect against insider threats and supply chain attacks. Image source: wikipedia Deloitte Cyber Intelligence Centre 21

22 Another interesting areas are wind farms and power plant devices exposed to the Internet Deloitte Cyber Intelligence Centre 22

23 Huh? Can you really find these on the Internet?... It s pretty easy actually Deloitte Cyber Intelligence Centre 23

24 Check out shodan, an IoT search engine. They have a nice Industrial Control System (ICS) specific page. ndustrial-control-systems Deloitte Cyber Intelligence Centre 24

25 Device discovery is easy and weak security standards open the door to sabotage and other forms of attacks Deloitte Cyber Intelligence Centre 25

26 Advisory (ICSA ) XZERES 442SR Wind Turbine CSRF Vulnerability Deloitte Cyber Intelligence Centre 26

27 CYBER CRIME Deloitte Cyber Intelligence Centre 27

28 The digital transformation of the energy sector creates new opportunities for malicious actors. Most of these embedded devices are managed by some sort of application, usually designed for mobile devices. Generating more traditional opportunities for attacks against end-users among others. Deloitte Cyber Intelligence Centre 28

29 And of course a mass of unattended, unsecure, computing units generate a lot of risks Deloitte Cyber Intelligence Centre 29

30 Deloitte Cyber Intelligence Centre 30

31 But why? Well Deloitte Cyber Intelligence Centre 31

32 Regulation needs to be improved to account for industry specific needs. Security standards that are widely in effect in other areas need to be adopted (i.e. secure software development lifecycles, firmware source code analysis, log analysis and correlation ). Organizations need to be aware and recognize IoT devices as part of their threat s surface and specific threat models. The devices need to be context-aware and include self protection or security mechanisms against the threat model. Deloitte Cyber Intelligence Centre 32

33 23 December 2015 Cyber attack on the Ukraine power grid Affected area: Ivano-Frankivsk cca 230,000 people up to 6hrs +2 other energy distribution companies also affected spear phishing using BlackEnergy3 malware + KillDisk malware + DDoS on call centre 73MWh went off Deloitte Cyber Intelligence Centre 33

34 Stuxnet The first known malware to attack Industrial Computer Systems First reported in June 2010 by a security firm in Belarus 25 September, 2010 Iran discovered that approx 30k IP of ICSs were infected, including the power plant near Bushehr and the uranium enrichment facility at Natanz Deloitte Cyber Intelligence Centre 34

35 Farewell the biggest man-made non-nuke explosion in the history 1982 Владимир Ветров leaking documents, name of agents and the whish list Ottawa July 1981, Mitterrand shared the intelligence with Reagan On the whish list: the ICS to automate the operation of the new trans-siberian gas pipeline The explosion was estimated with the equivalent of 3 kilotons of TNT Deloitte Cyber Intelligence Centre 35

36 Cyber threat intelligence focus on events and information originating outside your organisation s perimeter and control 3 6 Deloitte Cyber Intelligence Centre 36

37 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ( DTTL ), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as Deloitte Global ) does not provide services to clients. Please see for a more detailed description of DTTL and its member firms. In Hungary, the services are provided by Deloitte Auditing and Consulting Limited (Deloitte Ltd.), Deloitte Advisory and Management Consulting Private Limited Company (Deloitte Co. Ltd.) and Deloitte CRS Limited (Deloitte CRS Ltd.), (jointly referred to as Deloitte Hungary ) which are affiliates of Deloitte Central Europe Holdings Limited. Deloitte Hungary is one of the leading professional services organizations in the country providing services in four professional areas - audit, tax, risk and advisory services - through more than 500 national and specialized expatriate professionals. (Legal services to clients are provided by cooperating law firm Deloitte Legal Erdős and Partners Law Firm.) These materials and the information contained herein are provided by Deloitte Hungary and are intended to provide general information on a particular subject or subjects and are not an exhaustive treatment of such subject(s). Accordingly, the information in these materials is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. These materials and the information contained therein are provided as is, and Deloitte Hungary makes no express or implied representations or warranties regarding these materials or the information contained therein. Without limiting the foregoing, Deloitte Hungary does not warrant that the materials or information contained therein will be error-free or will meet any particular criteria of performance or quality. Deloitte Hungary expressly disclaims all implied warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, non-infringement, compatibility, security, and accuracy. Your use of these materials and information contained therein is at your own risk, and you assume full responsibility and risk of loss resulting from the use thereof. Deloitte Hungary will not be liable for any special, indirect, incidental, consequential, or punitive damages or any other damages whatsoever, whether in an action of contract, statute, tort (including, without limitation, negligence), or otherwise, relating to the use of these materials or the information contained therein. Differently form the above written, in case the information and materials are expressly provided as final performance of a contract concluded between you and Deloitte Hungary, Deloitte Hungary takes liability that the service has been provided and the product - if any - has been prepared contractually. Deloitte Hungary declares that the materials and information serve the persons / entities assigned and are suitable for the purposes determined in the contract. Deloitte Hungary excludes all liability for damages arising out of or in connection with the documents, materials, information and data provided by you. For all the questions not ruled herein, the relating contract shall be applicable. If any of the foregoing is not fully enforceable for any reason, the remainder shall nonetheless continue to apply Deloitte Hungary