An Operational Cyber Security Perspective on Emerging Challenges
Michael Misumi, CIO, Johns Hopkins University Applied Physics Lab (JHU/APL)
Johns Hopkins University Applied Physics Lab (JHU/APL)
- University Affiliated Research Center
- Sponsors include DOD, NASA
- 6,500+ staff
Cyber Attack 2009
- 2 weeks disconnected from the Internet
- 40 GB of unclassified data lost
- 5 malware versions, 13 accounts, 48 systems
Pre-Cyber Attack 2009
1. Completed risk assessment
- Cross-APL team evaluated assets, assailants, tactics
2. Began distributing Application White Listing software
- 2,000 systems by 6/11/09
3. Engaged Mandiant, preparing for a full network scan
- 5,500 systems by 6/11/09, enterprise-wide scanning planned for 6/15/09
APL Unclassified Network (diagram: Internet, APL Public, APL Internal)
1. Analyzed network traffic, found command and control activity
2. Remediated systems and accounts
3. Consultant recommendation
- Attackers are an A team
- Slow data removal is typical
- High probability of layered, sophisticated intrusion tools
- Partial measures drive the attackers deeper, making full remediation more difficult
- Map the attack via scanning without closing Internet access
4. Decision to stay connected and map the attack
Timeline to Restore Internet Access
Requirement: find all malware variants; secure all computers.

Date     | Malware types | Systems impacted | Login accounts | Systems scanned | App white listing installed | Notes
Thu 6/11 | 1             | 3                | 1              |                 | 2000                        | Attack discovered
Fri 6/12 | 1             | 3                | 1              |                 |                             |
Sat 6/13 | 1             | 3                | 1              | 1000            | 5500                        |
Sun 6/14 | 1             | 3                | 1              |                 |                             |
Mon 6/15 | 1             | 7                | 2              |                 |                             |
Tue 6/16 | 2             | 23               | 5              | 5000            |                             |
Wed 6/17 | 2             | 25               | 6              |                 |                             |
Thu 6/18 | 3             | 31               | 8              |                 |                             |
Fri 6/19 | 3             | 34               | 11             | 7300            | 6500                        |
Mon 6/22 | 3             | 37               | 13             |                 |                             |
Tue 6/23 | 3             | 37               | 13             |                 |                             |
Wed 6/24 | 3             | 37               | 13             |                 |                             |
Thu 6/25 | 3             | 40               | 13             |                 |                             |
Fri 6/26 | *5            | *48              | 13             | All             | All                         | Internet access opened
Leveraging Synergy at JHU/APL: Mission Systems, Corporate Cyber, Cyber Research
Unclassified Network (diagram sequence): Internet, Public and Internal zones; external connections from Korea, China, Hong Kong and Canada; VPN access; Virtual Machines; Social Networking; X marks show where a path was blocked.
Coordinating Regional Cyber Response
- Fusion Cell: Cyber, Communications, Law Enforcement, Legal
- Integrated Threat Analysis Cell: Cyber Analysts
- Regional Defensive Teams: Team 1 through Team 6
Visualize the Battlespace: Galaxy Main View
- Filters for major event types let the analyst turn off noise
- Primary view is a node-link graph that helps the analyst make sense of heterogeneous event data
- Interactive selection of the focal time window and playback
- Zoomable timeline shows all events and provides a sense of scale
Visualize the Battlespace: Galaxy Replay Capability
Replay capability helps illustrate sequences of events. Here, a malicious actor finds a vulnerability and spreads through a network.
Regional Cyber Response: Positive Exercise Outcomes
1. Increasing amount of threat information shared by defensive teams
2. Crowd-sourced intelligence leads to a broad view of adversary tactics
3. Adversaries shut down after first attack due to information sharing
4. Threat Analysts told to pause sharing intelligence with Defensive Teams because they were too fast
5. Adversaries must bring increasing numbers of staff and infrastructure due to intelligence-sharing capability
Information Technology (IT) and Operations Technology (OT) (diagram): ICS, plant and manufacturing systems
"The scale, scope, and frequency of cyber attacks on digital and physical infrastructure systems is growing rapidly. Threats are escalating as more sophisticated and organized attackers are designing targeted attacks to damage or disrupt vital services and critical physical systems." - President's NIAC Report, 8/2017

Industrial Control Systems (ICS) are EVERYWHERE
IT vs ICS

Attribute | IT | Control Systems (ICS)
System lifetime | 3-5 years | 10-30 years
Owner | CIO | Technicians, operators, managers
Purpose | General computing, runs a variety of applications | Controls machines, runs few applications at high availability
Focus | Preventing data loss | Preventing operational disruption or damage
Patches | IT staff; regularly scheduled, enterprise-wide, automated | External vendor; nontrivial scheduling due to production impact, and patches may break ICS functionality; ICS owners required to define acceptable risk
Security software, incident response and forensics | Commercial products and consulting available | Few solutions; forensics immature; requires good IT/ICS relationships; difficult to retrofit with security
The greatest vulnerability to ICS occurs at any point of connection (diagram: Internet connection into the ICS)
Example: Fuel Delivery System
1. Phishing attack via the Internet
2. Reconnaissance to identify pump controller
3. Shutdown commands stop fuel delivery
Example Dependency Model: Fuel Delivery System (diagram nodes)
- Mission functions: Perform Operations; Store Fuel; Receive Fuel; Distribute Fuel; Provide cooling; Transportation; Provide safe working environment; Perform preventative maintenance; Perform corrective maintenance
- Supporting systems and components: Fuel manager DB; Automatic tank gauge; HVAC; Water Treatment; Building Automation; Fuel handling systems; Fire fighting equipment; Diesel Generator; Level Sensor 1; Level Sensor 2; Fuel Pump 1; Fuel Pump 2; Wireless Access Point 1; Wireless Access Point 2; Fuel Manager Server; Windows Workstations
Example Assessment Findings
ICS modernization has largely been ignored
- Lots of end-of-life products (older hardware, software, expired warranties)
- Operators are not fully aware of system interfaces
- Systems have low funding priority (since they are so old), yet these elements directly impact the facility mission (not commonly understood)
Increasing connectivity between systems
- Allows a large attack surface for isolated systems to be exploited
- Many systems have unencrypted wireless access
System owners are not aware of cyber risks
Ownership structure adds complications to management of systems
- System owners and operators report to two separate chains of command
What does component failure mean for the overall system response?
What does it mean for multiple interacting systems?
Overall economic impact?
Potential to hold society at risk
Vulnerability invites attack
What about soft-science consequences?
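The dependency-model slide and the questions above ask what a component failure means for the overall system. As an added example (not from the slides), the script below takes the node names from the fuel delivery dependency model and propagates failures up to the mission function, so the pump shutdown from the "Example: Fuel Delivery System" slide can be evaluated for its mission impact. The edges and the redundancy groups are assumed for illustration, not taken from the deck.

```python
# Added example, not from the slides: a dependency model of the fuel delivery
# system using the node names from the "Example Dependency Model" slide.
# The edges and redundancy groups are ASSUMED for illustration.

# node -> list of dependencies. A plain string is a required dependency;
# a tuple is a redundant group (the node survives while any member is up).
MODEL = {
    "Perform Operations": ["Store Fuel", "Receive Fuel", "Distribute Fuel",
                           "Provide safe working environment"],
    "Store Fuel": ["Automatic tank gauge", ("Level Sensor 1", "Level Sensor 2")],
    "Receive Fuel": ["Fuel handling systems"],
    "Distribute Fuel": [("Fuel Pump 1", "Fuel Pump 2"), "Fuel Manager Server"],
    "Provide safe working environment": ["Fire fighting equipment", "HVAC"],
    "Automatic tank gauge": [("Wireless Access Point 1", "Wireless Access Point 2")],
    "Fuel Manager Server": ["Fuel manager DB", "Windows Workstations"],
    "HVAC": ["Building Automation"],
}

def down_set(failed, model=MODEL):
    """Everything lost when the nodes in `failed` fail: a node goes down when a
    required dependency is down or every member of a redundant group is down."""
    down = set(failed)
    changed = True
    while changed:  # iterate to a fixpoint so losses propagate to the mission
        changed = False
        for node, deps in model.items():
            if node in down:
                continue
            for dep in deps:
                members = dep if isinstance(dep, tuple) else (dep,)
                if all(m in down for m in members):
                    down.add(node)
                    changed = True
                    break
    return down

def single_points_of_failure(model=MODEL, mission="Perform Operations"):
    """Leaf components whose failure alone takes down the mission function."""
    leaves = {d for deps in model.values() for dep in deps
              for d in (dep if isinstance(dep, tuple) else (dep,))
              if d not in model}
    return sorted(c for c in leaves if mission in down_set({c}, model))

if __name__ == "__main__":
    # Scenario from the "Example: Fuel Delivery System" slide: shutdown
    # commands stop both pumps. Which functions does the facility lose?
    lost = down_set({"Fuel Pump 1", "Fuel Pump 2"})
    print("lost:", sorted(lost - {"Fuel Pump 1", "Fuel Pump 2"}))
    print("single points of failure:", single_points_of_failure())
```

Losing one pump is absorbed by the redundant group, but losing both takes down Distribute Fuel and with it Perform Operations; the single-point-of-failure list is where a defender would put detection and recovery effort first.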
(Source: CyberWire, 10/2017)
Example Steps to Securing Control Systems (ICS)
1. Determine the level of risk the organization will accept
2. Decide on cyber security ownership
- Bring IT and OT together
- Who owns protecting the asset?
3. Identify the ICS functions
- Criticality to operations?
- Common component across systems?
4. Implement ICS operational security
- Baseline devices, apps, comms
- Secure network connections
- Harden system boundaries
- Invest in detection tools
- Focus on whitelisting
- Create and exercise recovery options
- Provide security training
From SANS Securing ICS 2017
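As an added example (not from the slides or from SANS), the check below implements the "baseline devices, apps, comms" and "focus on whitelisting" steps at the point of connection into an ICS zone: every flow that touches the zone is compared against an allowed-connection baseline, and deviations are rated by where the unexpected peer sits. The zone addresses, the baseline entries and the flow records are constructed for the example.

```python
# Added example, not from the slides: a whitelist check of connections that
# touch the ICS zone, in the spirit of "Baseline devices, apps, comms" and
# "Focus on whitelisting". Addresses, baseline and flow records are CONSTRUCTED.
import ipaddress

N = ipaddress.ip_network
ZONES = {  # constructed addressing; anything outside these is "external"
    "ics": N("10.50.0.0/24"),
    "internal": N("10.10.0.0/16"),
}
# Baseline of allowed conversations as (src net, dst net, dst port). Anything
# that touches the ICS zone and is not listed here is a deviation.
BASELINE = [
    (N("10.10.5.0/24"), N("10.50.0.10/32"), 502),  # engineering subnet -> fuel manager server
    (N("10.50.0.0/24"), N("10.50.0.0/24"), 502),   # device-to-device inside the ICS zone
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def in_baseline(src, dst, port):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn and port == p for sn, dn, p in BASELINE)

def check_flows(lines):
    """Parse 'timestamp,src,dst,dport' records; return deviations involving the
    ICS zone rated by the unexpected peer: external high, internal medium, else low."""
    findings = []
    for line in lines:
        ts, src, dst, port = line.strip().split(",")
        port = int(port)
        sz, dz = zone_of(src), zone_of(dst)
        if "ics" not in (sz, dz) or in_baseline(src, dst, port):
            continue  # not the ICS zone, or an expected conversation
        if "external" in (sz, dz):
            sev = "high"    # a point of connection to the Internet, in either direction
        elif "internal" in (sz, dz):
            sev = "medium"  # IT host talking to a controller outside the baseline
        else:
            sev = "low"     # unexpected device-to-device traffic inside the zone
        findings.append((ts, src, dst, port, sev))
    return findings

# Constructed flow records, one per line, for a dry run.
SAMPLE_FLOWS = """2017-10-02T03:14:07,10.10.5.21,10.50.0.10,502
2017-10-02T03:14:09,10.50.0.10,10.50.0.21,502
2017-10-02T03:15:30,10.10.77.4,10.50.0.21,502
2017-10-02T03:16:02,203.0.113.9,10.50.0.21,502
2017-10-02T03:16:40,10.50.0.21,203.0.113.9,443
2017-10-02T03:17:00,10.10.5.21,10.10.8.3,445""".splitlines()
```

Running `check_flows(SAMPLE_FLOWS)` passes the two baselined conversations and the IT-only flow, and flags the three remaining ones: an unlisted internal host reaching a controller (medium) and two flows crossing the Internet boundary (high).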
Cyber Defense is a Team Sport
Joint Defense and Red Teaming
- Government collaboration
- Consortium cyber response
- External red team
- New product penetration testing
Cross-Organization Response: Tabletop Lessons
1. Where to direct requests for resourcing to solve emergency needs
2. Different levels of classified communications, and staff classification levels
3. Sharing personal contacts/relationships to gather and disseminate information
4. Discussion of how we're informing the public
5. Coordinate external communications
Building a CONOPS to guide restoration operations is vital