Why Should You Care About Control System Cybersecurity?
Tim Conway, ICS.SANS.ORG
Events
Example #1: Dec 23, 2015, cyber attacks impacting the Ukrainian power grid
- Targeted, synchronized, and multi-faceted
- Three electrical distribution companies
- Caused outages affecting 225,000 customers
- Lasted hours
- System restored but degraded
Power System Element: Distribution
Lessons Observed, Stage 1: Stage 1 will appear IT-focused and blend in with other IT-related scans, probes, viruses, and general noise.
Attack Steps & Timeline, Stage 1, Steps 1-3: Access campaign
- E-mail with infected Office attachment
- Adversary gains a foothold host with BE (BlackEnergy) inside the utility business IT infrastructure
(Timeline figure: access campaign running Mar through Dec, power attack on Dec 23)
Broad Access Campaign
Attack Steps & Timeline (cont.), Stage 1, Steps 3-4: IT takeover
- Adversary establishes C2 and freedom of movement and action within the utility business IT infrastructure
(Timeline figure: access campaign running Mar through Dec, power attack on Dec 23)
Attack Steps & Timeline (cont.), Stage 1, Step 5: Discover & compromise SCADA VPNs
- Discover using valid credentials
- Discover, move, learn, act
- Adversary moves from the utility business IT infrastructure into SCADA
(Timeline figure: access campaign running Mar through Dec, power attack on Dec 23)
Lessons Observed, Stage 2: Stage 2 will contain ICS-specific indicators and objectives.
Concept: Hijack & ICS Damage
(Figure elements: VPN, SCADA server, rogue client, remote SCADA client software, phantom mouse, remote admin tools at OS level)
The attackers developed two SCADA hijack approaches (one custom and one agnostic) and successfully used them across different types of SCADA/DMS implementations at three companies.
Attack Steps & Timeline (cont.), Stage 2, Steps 1-3: Develop & test
- Attack concept: VPN, SCADA server, rogue client, remote SCADA client software, phantom mouse, remote admin tools at OS level, KillDisk, firmware
- Adversary develops and tests against the SCADA environment reached through the utility business IT infrastructure
(Timeline figure: access campaign running Mar through Dec, develop & test in the months before the Dec 23 power attack)
Attack Steps & Timeline (cont.), Stage 2, Step 4: Attack
- A. Hijack HMI (via VPN, SCADA server, rogue client, remote SCADA client software, phantom mouse, remote admin tools at OS level)
- B. Firmware
- C. KillDisk
- D. UPS disconnect
(Timeline figure: power attack on Dec 23)
Attack steps (figure):
1. Reconnaissance
2. Spear phish
3. Foothold
4. Credentials / pivot
5. VPN access / discovery
6. Operations / firmware
7. KillDisk, UPS, TDoS
Phases (figure): Target and Position (steps 1-2); Escalate & Expand and Leverage Trusted Comms & Develop SOE (steps 3-6); Execute Operations & Impair Restoration (step 7)
Opportunities to Disrupt (timeline markers: 12 mo, 9 mo, 6 mo, hrs., event in minutes, hrs. after)
- IT Preparation: target selection; unobservable target mapping; malware development and testing
- Spear Phishing: delivery of phishing email; malware launch from infected Office documents; establish foothold
- Hunting and Gathering: lateral movement and discovery; credential theft and VPN access; control system network and host mapping
- ICS Preparation: unobservable malicious firmware development; unobservable DMS environment research and familiarization; unobservable attack testing and tuning
- Attack Position: establish remote connections to operator HMIs at target locations; prepare TDoS dialers
- Sequence Pre-Work: upload additional attack modules (KillDisk); schedule KillDisk wipe; schedule UPS load outage
- Attack Launch (event): issue breaker open commands; modify field device firmware; perform TDoS; scheduled UPS and KillDisk
- Target Response: connection sever; manual mode / control inhibit; cyber asset restoration; electric system restoration; constrained operations; forensics; information sharing; system hardening and prep
Grab Your Phone: The electric system is failing. We have a procedure for that. They have a plan for that. Ummmmm...
The Operator Perspective: https://www.wired.com/story/russian-hackers-attack-ukraine/
Example #2: Malware Discovery Associated with Electric Outages
ics-community.sans.org
Ukraine Electric System Cyber Events: Malware Role and Significance

                  2015                                      2016
Malware role      Highly coordinated electric system        Highly targeted, modular and
                  impacts                                   customizable
Substations       50+                                       1
Customers         225K                                      Portion of capital region
MW impact         135 MW                                    200 MW
For Industry
Key Risk Item Considerations and Mitigations (risk areas reflect CrashOverride as of June 13; as additional modules are discovered this will need to be reassessed)
- Risk #1, Protocol Implementation: organization is utilizing IEC 101, IEC 104, or IEC 61850 for operational control capability. Mitigation (SCADA path management): restrict to in-use protocols only; implement protocol converters, front-end defenses, in-line firewalls.
- Risk #2, Protection Relays: unpatched Siemens SIPROTEC relays are being utilized. Mitigation (vulnerability management): remove devices not in use; implement patch management and firmware updates.
- Risk #3, OPC Protocol: environment utilizes the OPC DA protocol. Mitigation (network monitoring and alerting): limit OPC to status only; implement communications baselines and anomaly detection.
- Risk #4, Data Destruction: access to configuration data is achievable. Mitigation (data protection and recovery): ensure configuration data backups, tested recovery, and encrypted storage.
- Risk #5, Unknown Infection: inability to detect malware within the environment. Mitigation (current detection capabilities): deploy malware signature detection at host and network level.
- Risk #6, Adversary Access: ability to remotely interact with the environment. Mitigation (secure access): only enable access when/as needed; implement two-factor authentication with a local jump host environment.
(Chart axes: risk impact vs. risk likelihood)
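Risk #1 and Risk #3 above call for restricting the SCADA path to in-use protocols and adding a communications baseline with anomaly detection. The Python below is an added example, not code from the presentation or from SANS; it assumes IEC 60870-5-104 on TCP/2404 is the only protocol expected on the path, that host names, flow records and APDU bytes are constructed, and that scada-fep is the only host authorised to issue commands. It decodes I-format APDUs and flags control commands from any other source, while not firing on the outstation's own activation confirmation.

```python
# IEC 60870-5-104 control-direction ASDU types: 45-51 are single/double/
# regulating/set-point/bitstring commands, 58-64 the same with time tags.
# Only causes 6 (activation) and 8 (deactivation) mean a master is issuing the
# command; the outstation echoes the same type with COT 7, which must not fire.
COMMAND_TYPES = set(range(45, 52)) | set(range(58, 65))
COMMAND_COTS = {6, 8}
IEC104_PORT = 2404  # the only protocol that belongs on this SCADA path

def parse_apdu(data):
    """Decode one IEC 104 APDU into a dict; raise ValueError if malformed."""
    if len(data) < 6 or data[0] != 0x68 or data[1] + 2 != len(data):
        raise ValueError("bad start byte or length")
    ctrl = data[2]
    if ctrl & 0x01:  # S- and U-format frames carry no ASDU
        return {"format": "S" if (ctrl & 0x03) == 0x01 else "U"}
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("truncated ASDU")
    return {"format": "I", "type_id": asdu[0], "cot": asdu[2] & 0x3F,
            "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)}

def evaluate(records, authorised_masters):
    """Return (src, dst, reason) findings for flows that break the baseline."""
    findings = []
    for src, dst, dport, payload in records:
        if dport != IEC104_PORT:  # Risk #1: restrict to in-use protocols
            findings.append((src, dst, "protocol not in use on SCADA path"))
            continue
        try:
            apdu = parse_apdu(payload)
        except ValueError as exc:
            findings.append((src, dst, f"malformed APDU: {exc}"))
            continue
        if (apdu["format"] == "I" and apdu["type_id"] in COMMAND_TYPES
                and apdu["cot"] in COMMAND_COTS and src not in authorised_masters):
            findings.append((src, dst, f"command type {apdu['type_id']} to IOA "
                             f"{apdu['ioa']} from unauthorised host"))
    return findings

# Constructed capture (hex APDUs): status, command, its confirmation, replay.
STATUS_APDU = bytes.fromhex("680e00000000010103000100e8030001")
COMMAND_APDU = bytes.fromhex("680e000000002d0106000100e8030001")
CONFIRM_APDU = bytes.fromhex("680e000000002d0107000100e8030001")
RECORDS = [
    ("rtu-sub01", "scada-fep", 2404, STATUS_APDU),
    ("scada-fep", "rtu-sub01", 2404, COMMAND_APDU),
    ("rtu-sub01", "scada-fep", 2404, CONFIRM_APDU),
    ("eng-ws-07", "rtu-sub01", 23, b""),  # Telnet has no business on this path
    ("eng-ws-07", "rtu-sub01", 2404, COMMAND_APDU),
]
```

Running evaluate(RECORDS, {"scada-fep"}) yields two findings for eng-ws-07 and none for the legitimate master or the RTU's confirmation.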
Current Risk Ranking and Assessment of Potential Risk
Current risk ranking was determined based on the following key factors:
- Our organization does not use the protocols identified
- Our organization does not use the vendor products identified
- Operational architecture limits effects
Future risk ranking was determined based on the following key factors:
- Malware modules discovered that impact protocols in use by our organization
- Malware modules discovered that exploit devices in use by our organization
- Adversary tactics discovered that could have greater operational effect
(Chart axes: likelihood of occurrence High/Med/Low vs. consequences Low/Med/High; current risk plotted against future risk)
Example #3: The Safety Team Needs to Expand
Safety Programs Need ICS Security
1. Process remote access risk assessment
2. Always-available remote connectivity need
3. Path from IT to OT
4. DCS and safety process integration
5. Available SIS engineering workstation
6. Remote programming available
As operational and support decisions are made that impact the ICS environment, consider the potential safety impacts if the system is misused.
PPE is Expanding!
Stage 1 Discussion (figure): Conficker, APT1, Iranian Actors, each marked as an attack with impact
Stage 2 Discussion (figure): BE3, HAVEX, STUXNET, UKRAINE, marked as attacks with impact
Stage 1: The adversary has successfully performed the necessary elements of the Stage 1 kill chain. To have an ICS effect, the adversary needs to move into the elements of the Stage 2 ICS kill chain: map the environment and understand ICS operation. Trusted connections into the ICS include:
- Vendor access
- Support personnel remote access
- System backup or alternate site replication tasks
- System management communications: patching, monitoring, alerting, configuration and change management
- Data historians
- Direct access (dial-up)
- Waterholing attacks
- Social engineering
Stage 2: When the adversary has identified a path into the ICS environment, the Stage 2 ICS kill chain elements can be acted upon.
Major Public ICS Incidents & Access Campaigns (chart)
- Axes: ICS payload (low to high) vs. ICS impacts (low: nuisance, lost productivity/data, lost value; high: loss of safety, reliability, assets)
- Stage One: Critical Infrastructure Data Exfiltration; Unspecified German Facility; Havex (OPC module); BlackEnergy 2 (various ICS modules); NY Dam Intrusion
- Stage Two (ICS recon, targeting, delivery, exploits, customization): BE3; Dec 2015 Ukraine Power Outage; Dec 2016 Ukraine Power Outage; TRISIS; Stuxnet (all versions)
Defend
How Sophisticated Are the Attacks?
What will your attack look like?
1. System variables
2. Cyber maturity variables
3. Adversary capabilities
4. Adversary intent
5. External drivers
Each organization is faced with many technology related decisions to make.
Your people, process, and technology decisions create a unique operating environment. Each technology decision shapes the environment for both the adversary and the defender.
Take Action! Reduce the effect of a successful attack.
- Controls Program: various implementations
- Maturity Assessments: perspective of performers
- Regulation Focused: criteria based
- Risk Assessments: multiple models
- Exercise Focused: realistic attacks = realistic response
- Attack Trees: adversary action analysis
What We Need (figure): Unicorns, Yetis, and YetiCorns
Cyber Operators: sans.org/ics456, giac.org/gcip
Questions? Join the Community that is defending our Critical Infrastructure