Cybersecurity Basics for Energy Managers
Cybersecurity: Hope is Not a Strategy
Daryl Haegley GISCP, OCP
OASD EI&E / ODASD IE
August 15, 2017, Tampa Convention Center, Tampa, Florida
Smart Phones UNCLASSIFIED
Smart Medical Devices
Smart Home Devices
Smart Transportation Capability
Smart Energy Devices
Facility-Related Control Systems (FRCS)
Definition: A subset of control systems that are used to monitor and control equipment and systems related to DoD real property facilities (e.g. building control systems, utility control systems, electronic security systems, and fire and life safety systems).
DoD inventory: 500 installations, 4,000 sites, 250,000 buildings, 200,000 structures; potentially 1,000s of FRCS in each building / structure.
Cybersecurity Skills Crisis
SHODAN: What's On Your Network?
Smart meters with default passwords; default passwords are commonly used in control systems.
How Critical to Mission is Your System? YOU START HERE
Know Mission Dependencies to Assure Mission
Policy and Guidance
ASD EI&E memos 12, 14, 16 direct implementation plans
DoDI 4170 Energy Management (update in progress)
DoDI 8500 Cybersecurity; DoDI 8510 Risk Management Framework; DoDI 8530 Cybersecurity Activities Support (CIO)
Cybersecuring Facility-Related Control Systems: Unified Facilities Criteria (UFC) 4-010-06
Risk Management Framework Knowledge Service (KS) Portal; ESTCP/SERDP website
Secretary of Defense Scorecard; National Defense Authorization Act 1650
https://serdp-estcp.org/investigator-resources/estcp-resources/demonstration-plans/cybersecurity-guidelines
Best Practices for Securing Control Systems
Mission Assurance Senior Steering Group, Control Systems Working Group:
Develop password policies
Security awareness and training
Patch management
Maintenance activities
Modem connection
Network design
Securing host systems
Advanced Cyber ICS Tactics, Techniques, and Procedures (NSA):
Detection: routine monitoring, inspection, identification of adversarial presence, documentation, notifications
Mitigation: protect the information network, acquire and protect data for analysis, maintain operations during an active attack
Recovery: identify mission priorities, acquire and protect data for analysis, systematically recover each affected device, systematically reintegrate devices, processes, and network segments, test and verify the system to ensure devices are not re-infected
What Does it Take to Cybersecure FRCS? More than Hope! If Not Your Job, Whose?
Inventory
Network Segregation and Segmentation
User and Password Management
Vulnerability Management
Host-based Security
Non-essential Hardware & Software Removed
Access Control
Encryption
Situational Awareness
Routine Patching
Backups
Connectivity
Remote Maintenance
On-site Maintenance
Disposal
Response and Recovery
Physical Access
Training/Awareness
Continuous Monitoring
Cloud Services
Tactics, Techniques, and Procedures
Preventing Exploitation?
Need a Patch? Wait 150 Days...
Research revealed SCADA vendors take ~150 days to release security patches.
Most ICS-CERT advisories were easily preventable with better coding and fit in four main categories: memory corruption (20%), credential management (19%), authentication issues (23%), code injection (9%).
Vendors are urged to adopt the more secure development practices now widely used by mainstream OS and application developers; basic fuzzing techniques, or auditing for banned APIs, could help improve security.
This highlights the importance of operational testing prior to patching. Many FRCS do not have maintenance contracts or warranties with vendors, and where those do exist, they don't include patching or testing patches.
Many legacy FRCS were not designed for cybersecurity and are intended (and budgeted) to be in place for many years.
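The "auditing for banned APIs" practice the slide recommends is cheap to start with. The following Python script is an added example, not code from the deck or from any vendor: it scans C source for the unbounded string functions behind the memory-corruption category above. The banned list, the suggested replacements and the sample firmware snippet are all constructed for illustration; the scan strips comments first so that a function name mentioned in a comment is not reported.

```python
import re
from typing import Dict, List, Tuple

# Constructed banned-function list modelled on the well-known vendor
# "banned API" lists; the replacement hints are assumptions for illustration.
BANNED: Dict[str, str] = {
    "gets":     "fgets with an explicit buffer size",
    "strcpy":   "strncpy/strlcpy with an explicit bound",
    "strcat":   "strncat/strlcat with an explicit bound",
    "sprintf":  "snprintf",
    "vsprintf": "vsnprintf",
}

# Match a banned name only as a whole identifier followed by '(' so that
# fgets( or snprintf( are not reported.
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def strip_comments(src: str) -> str:
    """Blank out /* */ and // comments while preserving line numbering."""
    def keep_newlines(m: "re.Match[str]") -> str:
        return "\n" * m.group(0).count("\n")
    src = re.sub(r"/\*.*?\*/", keep_newlines, src, flags=re.S)
    # Note: this also eats '//' inside string literals (e.g. "http://"),
    # which is acceptable for a first-pass audit.
    return re.sub(r"//[^\n]*", "", src)


def audit(src: str) -> List[Tuple[int, str, str]]:
    """Return (line number, banned function, suggested replacement) per hit."""
    findings = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in CALL_RE.finditer(line):
            fn = m.group(1)
            findings.append((lineno, fn, BANNED[fn]))
    return findings


# Constructed sample standing in for a legacy device's firmware source.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>
/* Constructed legacy-firmware snippet. A call like strcpy(a, b) inside this
   comment must not be reported. */
int set_device_name(const char *input) {
    char name[32];
    strcpy(name, input);            // unbounded copy: memory corruption
    sprintf(name, "%s-dev", name);  // unbounded format: same class of bug
    return 0;
}
int set_device_name_fixed(const char *input) {
    char name[32];
    snprintf(name, sizeof name, "%s-dev", input);  // bounded, not flagged
    return 0;
}
'''

if __name__ == "__main__":
    for lineno, fn, hint in audit(SAMPLE_C):
        print(f"line {lineno}: {fn}() is banned; use {hint}")
```

Run against the sample, the audit reports the `strcpy` and `sprintf` calls in `set_device_name` and nothing in the fixed variant or the comment. A grep-level check like this is not a substitute for fuzzing, but it is a question an energy manager can put to a vendor: has the product been scanned for banned APIs, and what was found?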
Target Data Breach 2013
Breach cost Target over $200M; hackers stole 40M credit card numbers.
Exploit via HVAC contractor access to Target's network.
How similar to the Office of Personnel Management (OPM) breach? SSNs of 21.5M individuals stolen: 19.7M individuals that applied for a background investigation and 1.8M non-applicants, primarily spouses or co-habitants of applicants; 5.6M fingerprints. Usernames and passwords for their forms were also stolen.
Who ensures DoD energy, facility, & utility privatization contracts don't inadvertently allow similar access via smart meters and control systems?
Ransomware
'WannaCry' affecting multiple global entities. Increase our collective defenses across the Department and Federal networks:
Do not click on links or download files in emails unless you know for sure they are intended for you
Ensure your personal devices are updated and patched
Backup your data so you can recover your systems if they become infected
Microsoft released a patch in March; not implemented by many.
Vaping & e-cigarettes: A Cyber Threat?
Smoking-cessation aids can be used to hack: an e-cigarette could be used to intercept network traffic or control the computer by making it think the e-cig is a keyboard. Many e-cigarettes can be charged over USB, and it takes just a few simple tweaks to the vaporizer to enable it to download malicious payloads from the web. Limitation: e-cigs don't have much memory, so complex code is a no-go.
Many enterprises today block the use of USB ports, which would prevent an attack like this, but some do not, so users should beware.
FRCS: if logically blocking USB ports isn't feasible, physical means should be used to secure access (e.g., locked, tamper-evident cabinets/enclosures in secured facilities, glue-on port blockers for unused ports). Do not use a USB port to charge a battery.
Fish Tank Hacks Casino
Hackers attempted to acquire data from a North American casino via an Internet-connected fish tank. The tank had sensors connected to a PC that regulated temperature, food and cleanliness.
Educate yourselves about IoT products
Use the security protection the product offers
Use the latest operating systems and software and constantly update them
Key Takeaways
Identify mission dependency on your system
Connect with IT, operations, INTEL experts
Verify hardware and software configurations, update schedule, sustainment requirements
Ensure all new / updated energy projects use Unified Facilities Criteria (UFC) as a guide (& ESTCP website)
Include cyber language in contracts
Identify & verify how you handle energy data
Ensure basic cyber hygiene: PASSWORD, Access, Patches, etc.
Who has the first question?
Backups: Examples & Resources
A mysterious botnet has hijacked 300,000 devices, but nobody knows why (April 26, 2017)
The Hajime botnet has so far infected 300,000 internet-connected devices since its inception, bringing digital video recorders, webcams, and routers under its control -- though it's careful not to target several specific networks, including the US Dept. of Defense.
Energy Managers can REACTIVELY look up (or ensure security staff are on it) what systems are affected and what the detections/mitigations are. For Hajime, it's blocking certain TCP ports, and UDP packet and Telnet session content.
To be PROACTIVE, they need to apply the basic security practice of removing all unused code/applications/software, such as telnet, and employ a deny-all policy on hosts (in this case, IP cameras, DVRs, CCTV) and networking equipment (routers, firewalls and switches). Host-based firewalls are a good, additional layer of defense here to augment network protections. Energy managers can make sure suppliers/admins are applying host-based protections.
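The two proactive measures above (remove unused services, deny-all on the host) can be checked and enforced from an inventory. The Python below is an added example, not code from the deck or from any vendor: it audits a constructed list of listening sockets per device against a per-role allowlist, and renders a deny-all nftables input chain for a role. The device names, ports, roles, allowlist and the 10.10.0.0/24 management subnet are all assumptions made for the example.

```python
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, str, int, str]   # (host, proto, port, process)

# Constructed inventory of listening sockets, in the shape you get from
# `ss -tulnp` on each device or from an authenticated scan. Not real devices.
INVENTORY: List[Listener] = [
    ("cam-01", "tcp", 23,   "telnetd"),
    ("cam-01", "tcp", 80,   "httpd"),
    ("cam-01", "tcp", 554,  "rtspd"),
    ("dvr-02", "tcp", 22,   "dropbear"),
    ("dvr-02", "tcp", 23,   "telnetd"),
    ("dvr-02", "udp", 161,  "snmpd"),
    ("rtr-03", "tcp", 22,   "sshd"),
    ("rtr-03", "tcp", 8080, "debug-httpd"),
]

# Assumed per-role allowlist: anything not listed is unnecessary and should
# be removed or blocked. Role is taken from the host-name prefix.
ALLOWLIST: Dict[str, Set[Tuple[str, int]]] = {
    "cam": {("tcp", 554), ("tcp", 443)},
    "dvr": {("tcp", 22), ("tcp", 443)},
    "rtr": {("tcp", 22)},
}


def audit_listeners(inventory: List[Listener],
                    allowlist: Dict[str, Set[Tuple[str, int]]]) -> List[Listener]:
    """Return every listening socket the role's allowlist does not sanction."""
    findings = []
    for host, proto, port, proc in inventory:
        role = host.split("-", 1)[0]
        if (proto, port) not in allowlist.get(role, set()):
            findings.append((host, proto, port, proc))
    return findings


def nft_ruleset(role: str, allowlist: Dict[str, Set[Tuple[str, int]]],
                mgmt_cidr: str = "10.10.0.0/24") -> str:
    """Render a deny-all nftables input chain for one role: default policy
    drop, return traffic and loopback accepted, allowlisted services accepted
    only from the (assumed) management subnet."""
    lines = [
        "table inet frcs {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for proto, port in sorted(allowlist[role]):
        lines.append(f"    ip saddr {mgmt_cidr} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for host, proto, port, proc in audit_listeners(INVENTORY, ALLOWLIST):
        print(f"{host}: {proto}/{port} ({proc}) not in allowlist; remove or block")
    print(nft_ruleset("cam", ALLOWLIST))
```

On the sample inventory the audit flags both telnet daemons, the camera's HTTP interface, the DVR's SNMP listener and the router's debug HTTP port. Restricting allowlisted services to the management subnet is a simplification: a camera's RTSP stream, for instance, also has to reach its recorder, so the real ruleset needs one accept line per legitimate peer, and nothing else.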
New Russian Cyber Weapon: Industroyer / CrashOverRide Targeting ICS
Capable of causing power failures. Biggest threat to ICS since Stuxnet. "It's the culmination of over a decade of theory and attack scenarios," Caltagirone warned. "It's a game changer." This attack targets electric grids.
It's really important to account for all system components and have complete network diagrams/scans to be aware of interconnections and evaluate security. Physical and logical isolation of FRCS is best, plus whitelisting, especially application whitelisting, so that unauthorized programs cannot be executed. FRCS must be monitored! This attack tool collapses the timeline from access to impact; quick detection is a must.
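Application whitelisting on an FRCS host rests on a known-good baseline of the executables that are allowed to run. The Python below is an added example, not code from the deck or from any whitelisting product: it builds a SHA-256 manifest of a directory at commissioning time and later verifies the directory against it, reporting modified, unknown and missing files. The `demo()` function builds a throwaway directory with made-up binaries and then plants a trojaned copy and a dropped payload, so it runs offline; file names and contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative, POSIX-style path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree against the golden manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unknown":  sorted(p for p in current if p not in manifest),
        "missing":  sorted(p for p in manifest if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline at commissioning, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "hmi.exe").write_bytes(b"MZ constructed legit HMI binary")
        (root / "bin" / "opc_server.exe").write_bytes(b"MZ constructed legit OPC server")
        manifest = build_manifest(root)      # golden baseline, store it off-host
        clean = verify(root, manifest)
        assert clean == {"modified": [], "unknown": [], "missing": []}
        # Tamper: replace one sanctioned binary and drop a new one in.
        (root / "bin" / "hmi.exe").write_bytes(b"MZ constructed trojaned HMI")
        (root / "bin" / "payload.exe").write_bytes(b"MZ constructed dropped payload")
        return verify(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The manifest must live somewhere the host cannot rewrite it (a read-only share or the monitoring server), and the check should run on a schedule, since an attack that collapses the time from access to impact leaves no room for a quarterly review. A full enforcing whitelist (blocking execution of anything not in the manifest) is an OS or product feature; this script is the integrity-checking half that tells you the baseline has drifted.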
Hackers Are Targeting Nuclear Facilities
The hackers appeared determined to map out computer networks for the future. The origins of the hackers are not known, but the report indicated that an advanced persistent threat actor was responsible, which is the language security specialists often use to describe hackers backed by governments.
This attack is early in the cyber kill chain, where nuclear facilities are being targeted to gather intelligence on the systems and networks. Phishing emails are sent with attachments containing malicious code, so cybersecurity awareness training for all FRCS operators (anyone with credentials) is critical to prevent unauthorized access. Again, it's crucial to monitor to detect unauthorized traffic/access, to isolate FRCS/networks, and to ensure there are no pivot points from corporate/operations networks to FRCS.
Remotely Hacking Ships
The configuration of certain ships' satellite antenna systems leaves them wide open to attack. Anyone who gained access to the system in question could manually change a ship's GPS coordinates or possibly even brick the boat's navigation system entirely by uploading new firmware. The default login credentials, which are easily found online, remain unchanged on at least some devices.
Devil's Ivy
"Devil's Ivy" is a vulnerability in a piece of code called gSOAP, widely used in physical security products, potentially allowing faraway attackers to fully disable or take over thousands of models of internet-connected devices, from security cameras to sensors to access-card readers. A patch has been released; however, patching can be so spotty in the internet of things that it could persist unfixed in a large swath of devices.
Experts are calling the WannaCry ransomware incident the largest cyber-attack in history
WannaCry takes over computer systems, shutting them down and demanding a ransom payment of $300 in bitcoin to have the computer unlocked. The ransomware attack hit more than 200,000 computers in 150 countries, crippling hospitals, governments and businesses.
Windows XP is still in use in energy control systems. Patches should be identified, tested and applied on these systems. Testing is particularly important, as patches may impact system operations. An assessment with passive scanning should be done to ensure there are no connections to other networks or the internet. XP systems should only be used standalone or in physically air-gapped networks.
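Both the nuclear-facility slide (no pivot points from corporate networks into FRCS) and the WannaCry slide (passive scanning to confirm XP hosts have no connections to other networks or the internet) come down to the same check over observed traffic. The Python below is an added example, not code from the deck: it takes flow records, as a span-port capture would be summarised to 5-tuples, and flags three conditions: a host outside the FRCS network reaching into it other than from the sanctioned jump host, any FRCS host reaching an address outside the internal ranges, and SMB traffic touching a designated legacy (XP) host. The subnets, the jump-host address, the legacy-host list and the flows themselves are constructed assumptions; 203.0.113.5 (TEST-NET-3) stands in for an internet host.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


# Assumed zone layout for the example.
FRCS_NET = ipaddress.ip_network("10.200.0.0/16")      # control-system network
CORP_NET = ipaddress.ip_network("10.1.0.0/16")        # corporate/operations network
JUMP_HOST = ipaddress.ip_address("10.1.5.10")         # only sanctioned entry into FRCS
LEGACY_HOSTS = {ipaddress.ip_address("10.200.3.21")}  # assumed Windows XP HMI
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}


def is_external(addr: ipaddress.IPv4Address) -> bool:
    """True when the address is outside every internal range (i.e. the internet)."""
    return not any(addr in n for n in INTERNAL)


def check_flows(flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return (rule name, flow) for every flow that violates the segmentation policy."""
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if dst in FRCS_NET and src not in FRCS_NET and src != JUMP_HOST:
            findings.append(("pivot-into-frcs", f))
        if src in FRCS_NET and is_external(dst):
            findings.append(("frcs-internet-egress", f))
        if f.proto == "tcp" and f.dport in SMB_PORTS and (src in LEGACY_HOSTS or dst in LEGACY_HOSTS):
            findings.append(("legacy-host-smb", f))
    return findings


# Constructed flow summary, the kind a passive capture yields without touching any device.
SAMPLE_FLOWS = [
    Flow("10.1.5.10",   "10.200.1.2",  "tcp", 3389),  # jump host -> HMI: sanctioned
    Flow("10.1.22.7",   "10.200.1.2",  "tcp", 445),   # corporate workstation -> HMI: pivot path
    Flow("10.200.1.2",  "10.200.1.9",  "tcp", 502),   # HMI -> PLC (Modbus/TCP): expected
    Flow("10.200.3.21", "203.0.113.5", "tcp", 80),    # XP HMI -> internet: must not exist
    Flow("10.200.3.21", "10.200.1.2",  "tcp", 445),   # XP HMI speaking SMB inside FRCS
]

if __name__ == "__main__":
    for rule, f in check_flows(SAMPLE_FLOWS):
        print(f"{rule:22s} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

On the sample, the sanctioned jump-host session and the HMI-to-PLC Modbus flow pass, while the corporate workstation reaching the HMI, the XP host's outbound web connection and the XP host's SMB session are reported. An XP host that shows up in any finding is not standalone or air-gapped, whatever the network diagram says, and SMB to or from it is exactly the exposure WannaCry used.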
Resources
Strategic Environmental Research and Development Program (SERDP) and Environmental Security Technology Certification Program (ESTCP) [info & funding solicitations]: https://serdp-estcp.org/investigator-resources/estcp-resources/demonstration-plans/cybersecurity-guidelines
Risk Management Framework (RMF) Knowledge Service (KS), DoD's official site for enterprise RMF policy and implementation guidelines: https://rmfks.osd.mil/
Department of Defense Advanced Control System Tactics, Techniques, and Procedures (TTPs), Revision 1, 2017: https://www.cybercom.mil/pages/publications.aspx
UFC 4-010-06 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS, Sept 2016: https://wbdg.org/ffc/dod/unified-facilities-criteria-ufc/ufc-4-010-06
UFGS-25 50 00.00 20 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS, Feb 2017: http://www.wbdg.org/ffc/dod/unified-facilities-guide-specificationsufgs/ufgs-25-50-00-00-20
DoD OASD(EI&E) and the Federal Facilities Council (FFC), under the National Research Council (NRC), sponsored a 3-day Building Control System Cyber Resilience Forum in Nov '15: http://sites.nationalacademies.org/deps/ffc/deps_166792
DoDI 5000.02 Cybersecurity in the Defense Acquisition System, Jan 2017: http://www.dtic.mil/whs/directives/corres/pdf/500002_dodi_2015.pdf
Office of the Assistant Secretary of Defense for Energy, Installations, and Environment, Installation Energy (IE): http://www.acq.osd.mil/eie/ie/fep_index.html
IEC 62443 STANDARDS AND ISASecure CERTIFICATION: APPLICABILITY TO BUILDING CONTROL SYSTEMS: www.isasecure.org
IAD industrial control systems guidance (each subpage offers a PDF document): https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/index.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/assess-the-mess.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/a-framework-for-assessing-and-improving-the-security-posture.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securely-managing-ics-networks.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/securing-assets-within-closed-ics-network-perimeter.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/seven-steps-to-effectively-defend-ics.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm
https://www.iad.gov/iad/library/ia-guidance/security-configuration/industrial-control-systems/guidelines-for-application-whitelisting-industrial-control-systems.cfm
Audit of Industrial Control System Security within NASA's Critical and Supporting Infrastructure (IG-17-011): https://oig.nasa.gov/audits/reports/fy17/ig-17-011.pdf
Whole Building Design Guide website cyber references: http://www.wbdg.org/resources/cybersecurity
National Initiative for Cybersecurity Careers and Studies, free cyber training: https://niccs.us-cert.gov/
Industrial Control Systems Joint Working Group (ICSJWG): https://ics-cert.us-cert.gov/industrial-control-systems-joint-working-group-icsjwg
DHS Cyber Security Evaluation Tool: https://ics-cert.us-cert.gov/downloading-and-installing-cset
DoDI 8500.01 Cybersecurity, 14 March 2014: http://www.dtic.mil/whs/directives/corres/pdf/850001_2014.pdf
DoDI 8510.01 Risk Management Framework, 12 March 2014: http://www.dtic.mil/whs/directives/corres/pdf/851001_2014.pdf
DoDI 8530.01 Cybersecurity Activities Support to DoD Information Network Operations, 7 March 2016: http://www.dtic.mil/whs/directives/corres/pdf/853001p.pdf
NIST SP 800-82r2 Guide to Industrial Control Systems (ICS) Security, May 2015: http://csrc.nist.gov/publications/pubsdrafts.html#800-82r2
GAO 15-749 Improvements in DOD Reporting and Cybersecurity Implementation Needed to Enhance Utility Resilience Planning: http://www.gao.gov/products/gao-15-749
GAO 15-6 DHS and GSA Should Address Cyber Risk to Building and Access Control Systems: http://www.gao.gov/products/gao-15-6
GAO-14-404SU Defense Cybersecurity: DOD Needs to Better Plan for Continuity of Operations in a Degraded Cyber Environment and Increased Oversight (For Official Use Only)
Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure: https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal