Honey, I Hacked the SCADA!: Industrial CONTROLLED Systems!
Jon L. Korecki, Executive Director, Cyber Security and Information Assurance
ViaSat Inc. - Carlsbad, CA
jon.korecki@viasat.com
Agenda
- History of ICS/SCADA Vulnerabilities and Attacks
- Attack Disclosures
- Vectors of Attack and Rationale
- History and Purpose of HoneyNet
- Design and Architecture Criteria
- Interaction Levels
- Actual System as Deployed
- Actual Attack Data
- Advanced Deception Technology Concepts
- Next Steps
August 14, 2003 - The Saga begins...
- FirstEnergy Corporation
- Transmission Line Foliage
- Race Condition in GE XA/21 EMS: Software Bug! Not an Attack
- Blaster, August 11, 2003?
- 265 Generating Stations
- 28.7 GW Load Shed
- 50 Million Customers
- 8 States and Canada
Timeline Industrial Control Systems Attacks
Full Disclosure
SCADA/ICS System Vulnerabilities
- What's connected?
- Few testing environments
- Compliance = FIREWALLS
- Protection $$$$$
- Legacy equipment
- Hacker highways
- Goodbye security by obscurity
Not to mention... Physical Access!
(SCADA) InfoSec Triad
CISO - Security Team: Security!
- Multifactor Authentication
- Encryption
- Change Control
- Regulations
- ACLs, Firewalls and Red Tape
Technicians - Analysts: Features!
- Remote Access
- Historian, Corporate Data Access
- Tablet, iPhone, Android Access
- EZ Authentication
Operations: Availability! Availability! Availability!
In a Perfect World?
What are we trying to prove?
SCADA Operational Intelligence Program
- Validate System Attacks
- Identify Nature of Attacks
- Actual Damages
- Quantify Impact
Requirements
- Real system appearance
- Interaction levels
- Attacker profile information
- Full Packet Capture (FPC)
- Tor or Not to Tor?
SCADA Intelligence Gathering Cycle
- Initialize Intelligence Sensors (HoneyNet)
- SCADA Intelligence
- Continuous Monitoring
- Sensor Upgrades
- Intelligence Correlation and Reporting
- Cyber Security Systems Engagement
- Attack Analytics
Myth or Reality?
SCADA Intelligence System Architecture
Deployment Options:
- DMZ with BackChannels
- DMZ Landing Page
- DNS Record
Low Interaction: plcscan.py
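As an added example, not code from the talk and not plcscan.py itself: a minimal low-interaction Modbus/TCP decoy in Python of the kind a low-interaction sensor layer is built from. It parses the MBAP header, answers the two function codes scanners most often probe (Read Holding Registers and Report Slave ID) with canned data, returns a Modbus exception for everything else, and logs every request with its source so the sensor yields attacker-profile data even though no real process sits behind it. The device identity string, register contents and listening port are constructed assumptions.

```python
import logging
import socketserver
import struct

# Identity string the decoy reports; constructed for this example, not a
# real PLC vendor banner.
FAKE_SLAVE_ID = b"Honeypot PLC 1.0"

# Canned holding-register contents (constructed sample values).
FAKE_REGISTERS = [0x0000, 0x0001, 0x0A3C, 0x0064, 0x0000, 0x0000, 0x00FF, 0x1234]

MODBUS_PORT = 502  # standard Modbus/TCP port
log = logging.getLogger("modbus-decoy")


def parse_mbap(frame):
    """Split a Modbus/TCP frame into (transaction_id, unit_id, pdu).

    Returns None when the MBAP header is inconsistent: the protocol id must
    be 0 and the length field must count unit id + PDU bytes.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7:]


def build_response(tid, unit, pdu):
    """Wrap a response PDU in an MBAP header that mirrors the request."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def handle_pdu(pdu):
    """Answer the function codes scanners commonly probe with canned data.

    Everything else gets exception code 0x01 (ILLEGAL FUNCTION), the same
    reply a real device without that function would send.
    """
    fc = pdu[0]
    if fc == 0x03 and len(pdu) == 5:  # Read Holding Registers
        start, qty = struct.unpack(">HH", pdu[1:5])
        if 1 <= qty <= 125 and start + qty <= len(FAKE_REGISTERS):
            regs = FAKE_REGISTERS[start:start + qty]
            return bytes([fc, 2 * qty]) + b"".join(struct.pack(">H", r) for r in regs)
        return bytes([fc | 0x80, 0x02])  # ILLEGAL DATA ADDRESS
    if fc == 0x11:  # Report Slave ID
        body = FAKE_SLAVE_ID + b"\xff"  # identity followed by "run" indicator
        return bytes([fc, len(body)]) + body
    return bytes([fc | 0x80, 0x01])  # ILLEGAL FUNCTION


def handle_frame(frame, peer="unknown"):
    """Log what the peer asked for and return the reply frame (or None)."""
    parsed = parse_mbap(frame)
    if parsed is None:
        log.warning("%s sent malformed frame %s", peer, frame.hex())
        return None
    tid, unit, pdu = parsed
    if not pdu:
        return None
    log.info("%s unit=%d fc=0x%02x data=%s", peer, unit, pdu[0], pdu[1:].hex())
    return build_response(tid, unit, handle_pdu(pdu))


class DecoyHandler(socketserver.BaseRequestHandler):
    """One TCP connection from a scanner; answers frame by frame."""

    def handle(self):
        peer = "%s:%d" % self.client_address
        while True:
            data = self.request.recv(260)  # max Modbus/TCP ADU is 260 bytes
            if not data:
                return
            reply = handle_frame(data, peer)
            if reply:
                self.request.sendall(reply)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with socketserver.ThreadingTCPServer(("0.0.0.0", MODBUS_PORT), DecoyHandler) as srv:
        srv.serve_forever()
```

Binding port 502 needs privileges, and the decoy belongs in the DMZ behind the landing page rather than on a production segment. Its application log records who asked for what; the full packet capture listed under Requirements is still needed alongside it, since the log deliberately keeps no payload beyond the PDU bytes it parsed.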
Medium and High Interaction
I-Frame High Interaction
And we have liftoff...
GeoLocation, HMI, Web, TOR Exit Nodes! Map
Attack Profile - Russian Federation SEV 2782
Anybody Home?
Not that we're keeping score...
Graphs - Attacks: US, China, Thailand, Taiwan, France
Top Internet Service Providers Y1
Top Internet Service Providers Y2-3: Get off of my cloud!
Correlation
Rankings: 16748 Packet Exchanges; Recon; Coordinated Attack
Details, Evidence and Attacker Profiling
Findings - Attack Intelligence Correlation
- Real and malicious attacks directed at Critical Infrastructure
- Attack count and severity spiked on 9/11
- Legacy systems are extremely vulnerable
- Cloud provider sourcing rapidly increasing
- Only sophisticated attacks utilize evasion techniques (e.g. TOR)
- Diversity in attack tools (Simple scanners >> Professional tools)
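An added example, not the talk's own tooling, of the correlation step behind the Rankings and Findings slides: it takes decoy connection records, ranks sources by packet exchanges and bytes moved, enriches each source with its owning organisation and a Tor-exit flag, flags coordinated probing (several distinct sources hitting the same decoy port within a short window), and counts exchanges per day so spikes stand out against the baseline. The log lines, organisation table and Tor exit address are constructed placeholders; a real pipeline would read the sensor logs and use GeoIP/ASN feeds plus the published Tor exit-node list.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of decoy connection records (not data from the talk).
# Fields: UTC timestamp, source address, decoy port, bytes exchanged.
SAMPLE_LOG = """\
2013-09-11T02:14:03Z 203.0.113.7 502 184
2013-09-11T02:14:09Z 203.0.113.7 102 120
2013-09-11T02:14:15Z 203.0.113.7 80 2210
2013-09-11T02:15:40Z 198.51.100.23 502 64
2013-09-11T02:16:02Z 198.51.100.44 502 64
2013-09-11T02:16:31Z 198.51.100.61 502 64
2013-09-11T09:45:10Z 192.0.2.250 80 9800
2013-09-11T09:46:55Z 192.0.2.250 8080 4100
2013-09-12T11:00:00Z 203.0.113.7 502 96
"""

# Constructed enrichment tables (placeholders). A production pipeline would
# use GeoIP/ASN feeds and the published Tor exit-node list instead.
SOURCE_ORGS = {
    ipaddress.ip_network("203.0.113.0/24"): "ExampleNet ISP",
    ipaddress.ip_network("198.51.100.0/24"): "ExampleCloud Provider",
    ipaddress.ip_network("192.0.2.0/24"): "ExampleHosting",
}
TOR_EXITS = {ipaddress.ip_address("192.0.2.250")}


def parse_log(text):
    """Parse whitespace-separated records into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, nbytes = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return records


def enrich(src):
    """Attach the owning organisation and a Tor-exit flag to a source."""
    org = next((name for net, name in SOURCE_ORGS.items() if src in net), "unknown")
    return {"org": org, "tor_exit": src in TOR_EXITS}


def rank_sources(records):
    """Rank sources by packet exchanges, then by bytes moved, with enrichment."""
    exchanges, volume = Counter(), Counter()
    for r in records:
        exchanges[r["src"]] += 1
        volume[r["src"]] += r["bytes"]
    ranked = sorted(exchanges, key=lambda s: (exchanges[s], volume[s]), reverse=True)
    return [(str(s), exchanges[s], volume[s], enrich(s)) for s in ranked]


def coordinated_scans(records, window=timedelta(minutes=5), min_sources=3):
    """Report decoy ports probed by >= min_sources distinct sources within one window.

    Several addresses hitting the same service minutes apart is the recon
    pattern worth separating from a lone scanner; each port is reported once.
    """
    by_port = defaultdict(list)
    for r in records:
        by_port[r["port"]].append(r)
    hits = []
    for port, recs in by_port.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            group = {r["src"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(group) >= min_sources:
                hits.append((port, first["ts"], sorted(str(s) for s in group)))
                break
    return hits


def daily_counts(records):
    """Exchanges per calendar day, to spot spikes against the baseline."""
    return Counter(r["ts"].date().isoformat() for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n, vol, info in rank_sources(recs):
        print(f"{src:16} exchanges={n:3} bytes={vol:6} org={info['org']} tor={info['tor_exit']}")
    for port, start, srcs in coordinated_scans(recs):
        print(f"coordinated probe of port {port} from {start:%H:%M}: {', '.join(srcs)}")
    print(dict(daily_counts(recs)))
```

The window and source-count thresholds are the tuning knobs: too tight and a distributed scan looks like unrelated singles, too loose and ordinary background noise on a well-known port gets labelled coordinated. Enriching with the owning organisation is what turns a list of addresses into the "cloud provider sourcing" observation.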
Next Steps
"All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." - Sun Tzu, The Art of War
"All warfare is based on deception" - Sun Tzu, The Art of War
- We're convinced that deception is a necessary part of any network defense
- Not limited to ICS/SCADA; all industries, Enterprise IT, and even consumers could benefit from deception-based anomaly detection
- But the cost of deploying and maintaining deception needs to be low
http://i.imgur.com/pl0a3fp.jpg
Deception In Depth
Deception Funnel: Lure Attackers Deeper With Multiple Layers of Deception
- Lures/Baits/Breadcrumbs
- Many Low Interaction
- Some Medium Interaction
- Few High Interaction
- Fewer Super High Interaction
Automation
- Automated Deployment
- Public/Private Cloud Deployment
- Automated Response
- Software Defined Networking
Automated Deployment
Public/Private Cloud Deployment
Automated Discovery and Deployment
Automated Deception Response
- Automated Response with Software Defined Networking
- NSA Active Cyber Defense (ACD) is a component of the Department of Defense's (DoD) overall approach to defensive cyber operations
- Only 2 approved Trusted Cyber Sensor vendors
- Keep adversaries engaged and collect intelligence
- Learn Tactics, Techniques and Procedures (TTP) and apply to cyber-response playbooks
Cover All Your Bases
- Known-Known: IDS/IPS and Trusted Cyber Sensor
- Known-Unknown: Deception Technology
- Unknown-Unknown: Behavioral Machine Learning
Takeaways
- Consider deception as an early warning system
- Key to success is automation
In Summary
- Use SDN to redirect attacks away from real to deception systems
- Use a multi-layered deployment
- Keep adversaries occupied and confused
- Use analytics to consume output from deception nodes
Thank You!