WHITE PAPER. Vericlave The Kemuri Water Company Hack

Similar documents
Securing Industrial Control Systems

AKAMAI CLOUD SECURITY SOLUTIONS

Cyber Security Updates and Trends Affecting the Real Estate Industry

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Firewalls (IDS and IPS) MIS 5214 Week 6

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Methods for Reducing Cybersecurity Vulnerabilities of Power Substations Using Multi-Vendor Smart Devices in a Smart Grid Environment

Integrated Access Management Solutions. Access Televentures

Protect Your Endpoint, Keep Your Business Safe. White Paper. Exosphere, Inc. getexosphere.com

IPM Secure Hardening Guidelines

CyberArk Privileged Threat Analytics

PrecisionAccess Trusted Access Control

Teradata and Protegrity High-Value Protection for High-Value Data

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

Industrial Security - Protecting productivity. Industrial Security in Pharmaanlagen

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

10 FOCUS AREAS FOR BREACH PREVENTION

Verizon Software Defined Perimeter (SDP).

Privileged Account Security: A Balanced Approach to Securing Unix Environments

6 Vulnerabilities of the Retail Payment Ecosystem

IC32E - Pre-Instructional Survey

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

Segmentation for Security

PROTECTING MANUFACTURING and UTILITIES Industrial Control Systems

Using Smart Cards to Protect Against Advanced Persistent Threat

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

Are we breached? Deloitte's Cyber Threat Hunting

IoT & SCADA Cyber Security Services

External Supplier Control Obligations. Cyber Security

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Security Solutions. Overview. Business Needs

Securing Your Most Sensitive Data

Protecting Control Systems from Cyber Attack: A Primer on How to Safeguard Your Utility May 15, 2012

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Getting over Ransomware - Plan your Strategy for more Advanced Threats

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

SECURE SYSTEMS, NETWORKS AND DEVICES SAFEGUARDING CRITICAL INFRASTRUCTURE OPERATIONS

Defense in Depth Security in the Enterprise

CyberP3i Course Module Series

2017 Annual Meeting of Members and Board of Directors Meeting

RSA INCIDENT RESPONSE SERVICES

Office 365 Buyers Guide: Best Practices for Securing Office 365

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

RSA INCIDENT RESPONSE SERVICES

5. Execute the attack and obtain unauthorized access to the system.

How Breaches Really Happen

Combating Cyber Risk in the Supply Chain

ABB Ability Cyber Security Services Protection against cyber threats takes ability

Privilege Security & Next-Generation Technology. Morey J. Haber Chief Technology Officer

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

Achieving End-to-End Security in the Internet of Things (IoT)

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Understanding the Changing Cybersecurity Problem

NIST Revision 2: Guide to Industrial Control Systems (ICS) Security

FOR FINANCIAL SERVICES ORGANIZATIONS

WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

ANATOMY OF AN ATTACK!

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Cybersecurity Vulnerabilities and Process Frameworks for Oil and Gas

Building Resilience in a Digital Enterprise

Who Goes There? Access Control in Water/Wastewater Siemens AG All Rights Reserved. siemens.com/ruggedcom

NSTB Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses

To Audit Your IAM Program

2018 GLOBAL CHANNEL PARTNER SURVEY THYCOTIC CHANNEL PARTNER SURVEY REPORT

IBM Security Network Protection Solutions

Mobile Field Worker Security Advocate Series: Customer Conversation Guide. Research by IDC, 2015

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Instructor: Eric Rettke Phone: (every few days)

CYBER RESILIENCE & INCIDENT RESPONSE

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

LESSONS LEARNED IN SMART GRID CYBER SECURITY

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

align security instill confidence

NEW DATA REGULATIONS: IS YOUR BUSINESS COMPLIANT?

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Product Overview Version 1.0. May 2018 Silent Circle Silent Circle. All Rights Reserved

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Comprehensive Database Security

DIGITAL TRUST Making digital work by making digital secure

Specialized Security Services, Inc. REDUCE RISK WITH CONFIDENCE. s3security.com

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

How NOT To Get Hacked

Cybersecurity The Evolving Landscape

Practical SCADA Cyber Security Lifecycle Steps

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

Automating the Top 20 CIS Critical Security Controls

Security in a Converging IT/OT World

Transcription:

WHITE PAPER Vericlave The Kemuri Water Company Hack

INTRODUCTION This case study analyzes the findings of Verizon Security Solutions security assessment of the Kemuri Water Company security breach. The hacking of this utility provider stands as an example of how vulnerable many utilities are to this type of security compromise. Also included in this study are Cyber Defense Labs insights from a cyber and risk perspective, in addition to Vericlave s observations and recommendations on improving industrial control and SCADA security. SUMMARY Verizon s Data Breach Digest for March 2016 describes several attacks investigated by the company, including one aimed at the systems of an unnamed water utility referred to by Verizon as the Kemuri Water Company (KWC). This attack was also highlighted by Sentryo (www.sentryo.com), a pioneer of industrial internet cybersecurity, in their Cyber Security Magazine Episode 5. KWC asked Verizon to conduct a cybersecurity assessment as part of their normal operations. As Verizon conducted that assessment they discovered a threat actor was at work stealing financial records and manipulating industrial control parameters used to purify water. Verizon found that KWC had a poor network and security architecture, with unsecured and outof-date systems plagued with known exploitable vulnerabilities and legacy operational technology (OT) systems. heavily on antiquated computer systems running operating systems from ten-plus years ago. Even more concerning, many critical IT and OT functions ran on a single AS400 system. KWC referred to this AS400 system as its SCADA platform. This system, which functioned as a router with direct connections into several networks, ran the water district s valve and flow control application that was responsible for manipulating hundreds of Programmable Logic Controllers (PLCs), housed customer PII and associated billing information, as well as KWC s financials. Moreover, only a single employee was capable of administering it. If a data breach were to occur at KWC, this SCADA platform would be the first place to look. The Verizon report stated: Behind the scenes, KWC was a likely candidate for a data breach. Its internet facing perimeter showed several highrisk vulnerabilities often seen being exploited in the wild. The OT end of the water district relied 2

ATTACK VECTOR While exact details were not publicly available, the engineers and scientists at Cyber Defense Labs (CDL) extrapolated several theories regarding the successful compromise causes. Reports indicated that SQL injection and phishing were the primary attack vectors deployed to gain access to the water company s payment portal website and the water district s internal AS400 system. Cyber Defense Labs believes that the attackers found the vulnerability by reviewing daily internet query results from searches processed to identify hackable opportunities (i.e. most victims are found by automated vulnerability searches, not by singling them out by name). Attackers then validated the vulnerabilities of interest by conducting a few tests on the website portal (most likely by SQL injection or other web-based attack vectors). In this case, CDL believes that an SQL injection vulnerability found in KWC s website payment portal was the primary focus, but the KWC website required some piece of information that forced the hackers to deploy a phishing scam and contact the water utility, either by phone or email, posing as a customer. With the necessary information obtained, the attacker was then able to advance their SQL injection attack, which led to a compromise of the web server where additional system credentials were found. These credentials from the web server eventually allowed the attackers to login/authenticate to the AS400 server on the internal network the server that managed KWC s payment system, customer data, and the water district s SCADA control applications. Attackers were thereby able to gain an understanding of KWC s internal network architecture and exploit the inherent weaknesses in KWC s controls pertaining to system authentication and network segmentation. Accessing the AS400 server provided attackers with approximately 2.5 million customer records, the ability to manipulate SCADA controls (valves, chemical mixtures, and water flow), additional password files, back-office system configuration settings, and other sensitive data. 3

WEAKNESSES EXPLOITED - WATER Once the attackers were in the IT system, they exploited critical weaknesses. The actions, in progression, leading to the compromise include: 1. The Web Server Compromise and Possible Initial Compromise of Customer Data The SQL injection vulnerabilities in the KWC website payment portal, as reported to the hackers by their automated internet search queries, were likely what caught the attention of these attackers. Ineffective security awareness training and/or network monitoring facilitated the attacker s social engineering success with phishing in this case, which aided in the use of SQL injection to gain access to the web server. 2. The Internal AS400 Server Compromise Internal server credentials in plaintext were found on the public facing web server. Perimeter network access controls allowed direct login from the internet to the internal AS400 server. 3. Customer Data Compromise The AS400 server hosted KWC s payment/financial system, which the attackers were able to authenticate due to coincidental and/or available credentials found on the server. 4. SCADA Systems Manipulation Lack of host and network segmentation allowed attackers to access the SCADA systems from the business/production network. The AS400 server hosted KWC s SCADA control applications, which the attackers were able to authenticate due to coincidental and/or available credentials found on the server. Insufficient corporate oversight of the lone administrator. Implementing basic network hygiene and best practices would reduce many of these contributing weaknesses, but not necessarily have prevented access to the critical systems if the attacker had still managed to gain a foothold in the business network. Vericlave s cost-effective, fire-and-forget isolation and containment solution would have prevented successful exfiltration. CDL summarized that a defensein-depth strategy could have detected the attack earlier, limiting its success or prevented it altogether. Encryption and isolation of critical communications and systems with Vericlave is a best first step in implementing a strong defensive posture. 4

THE VERICLAVE SOLUTION Providing deep, layered network security and data protection to existing environments requires a focus upon modular, reusable, easily managed, and cost-effective capabilities. To build and enable such asset protection abilities, it is critical for organizations to have a deep understanding of their environments and design their protective controls to provide functional segmentation, obfuscation, and independence from commonlyexecuted exploits. The Vericlave solution brings all of these requirements into alignment, providing the capability for multi-layered, system independent encryption, regardless of existing architectures, utilizing dedicated and self-contained capabilities empowered by a time-tested hardware root of trust technology. Vericlave s Solution 1 2 3 Systems: 1 2 3 4 5 6 7 8 Customer access to payment system External (internet) Firewall/Internal (corporate access) AS400 PLC management PLCs Finance access (PII access) IT management A B C D Enclaves: 5 4 7 7 8 A B C D ICS/SCADA AS400 central processing Customer Finance Systems Corporate IT 6 1 BorderGuard and RemoteShield are presented as part of the alliance between Vericlave and Blue Ridge Networks 5

Relying upon a proprietary key management solution and FIPS-compliant algorithms, the solution has served the United States intelligence and defense communities for years and provides an incredible reduction in attack surface for both common commercial and Internet of Everything networks. Providing point-to-point data protection and traffic shaping, the Vericlave solution provides technology-accelerated security while enabling improved vulnerability management efforts, driving attacker behavior away from critical assets, and restricting lateral traversal opportunities within and beyond protected networks. Using Vericlave s solution, endpoints of the network are protected by RemoteShield devices which, in coordination with the BorderGuard server, place the critical network within an unbreachable enclave. 1 Once in place, only devices that are members of the enclave can communicate with each other, using the encrypted tunnels formed by the BorderGuard. To those outside the enclave, the protected network is effectively invisible, and any IP addresses associated with the enclave will appear to be unused if queried. Using this technology, the enclave is effectively unbreachable. The most direct and secure approach to isolate OT systems is to use a drop-in RemoteShield device to securely isolate and contain OT systems, including remote systems in a SCADA network and privileged remote access into the OT systems over existing IT or internet connections. Only RemoteShield enabled end points can be part of the secure enclave. To protect the OT systems at a facility like KWC, one must first ensure OT related servers, applications, and other equipment are in an isolated zone and regulated with tightly controlled access by the corporate network and remote management functions. To achieve this, a RemoteShield device would sit between the core business router and the OT network, completely hiding the existence of the OT network from any attacker who managed to gain a foothold on the corporate network. Legitimate access to the OT network is achieved via a tightly controlled workstation or server in the corporate network that is sits behind a RemoteShield device, and remote access is only available to a user who has been granted a physical Vericlave remote appliance. Additionally, because outgoing traffic is regulated by a trusted RemoteShield device, Vericlave s solution only allows validated communications originating from a pre-configured device, thus halting exfiltration even if intrusion were able to occur in the first place. Cybersecurity could be further improved by following industry standards such as IEC-62443. From a network architecture perspective, this would include placing a firewall between the core router and the Vericlave appliance isolating the OT systems. Further safeguards include adding a demilitarized zone (DMZ) between the business network and the production network and creating zones in the OT network based on ICS equipment level (Advanced Control, Supervisory Control, Process Control) and functionality groupings. For instance, it is important to isolate the SIS (Safety Instrumented System) to prevent lateral movement of threats that might enter the OT network via a USB key. A good place to start is the IEC-62443-3-3 standard, with the addition of Vericlave solutions, which can be used in defining and protecting zones and conduits within the OT network. 6

CONCLUSION Vericlave represents an unparalleled cybersecurity solution that was originally developed, evolved, and proven in the U.S. Intelligence Community and Department of Defense. It has since been deployed to protect enterprise, government, and critical assets from a broad array of increasingly destructive and costly cyberattacks. Vericlave s solution works with minimal impact on existing OT or IT infrastructure in a wide variety of SCADA networks. It provides an additional transparent layer of security that adds to defense-in-depth strategies and reduces the SCADA network attack surface protecting networks from malicious threats to mission critical infrastructure. Contact Vericlave to discuss how to prevent system attacks without affecting existing infrastructure. Contact us now to learn more about Protecting Data. sales.vericlave@vericlave.com 800-766-2026 vericlave.com linkedin.com/company/vericlave @vericlave 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback