Critical infrastructure protection: standardization to protect critical infrastructure objects

ITU Workshop on “ICT Security Standardization for Developing Countries”
(Geneva, Switzerland, 15-16 September 2014)
Critical infrastructure protection: standardization to protect critical infrastructure objects
Viacheslav Zolotnikov,
Sr. Technology Research Manager,
Kaspersky Lab,
Viacheslav.Zolotnikov@kaspersky.com
Geneva, Switzerland, 15-16 September 2014
Threat History
Slammer, Blaster and the Great Blackout
January 2003: the Slammer worm knocked out the 911 emergency telephone service in Bellevue, Wash.
August 2003: the Blaster worm affected more than a million computers running Windows in the days after 11 August 2003.
“critical to the blackout were a series of alarm failures at FirstEnergy, a power company in Ohio”
the computer hosting the control room's "alarm and logging software" failed
the status computer at the Midwest Independent Transmission System Operator, a regional agency that oversees power distribution, failed
Source : https://www.schneier.com/essays/archives/2003/12/blaster_and_the_grea.html
Threat History
Stuxnet quickly propagated throughout Natanz
A double agent used a typical USB drive carrying a deadly payload to infect Iran's Natanz nuclear facility with the highly destructive Stuxnet computer worm, according to a story by ISSSource.
“August 2010, Stuxnet, as a worm intended to hit critical infrastructure companies, left a back door that was meant to be accessed remotely to allow outsiders to stealthily control the plant”
“Malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using digital certificates signed by two Asian chip manufacturers that are based in the same industrial complex - RealTek and Jmicron”
Source : http://www.cnet.com/news/stuxnet-delivered-to-iranian-nuclear-plant-on-thumb-drive/
Threat History
Jan. 7, 2014: Monju nuclear power plant facility PC infected with virus
“A computer being used at the Monju prototype fast-breeder reactor facility in Tsuruga, Fukui Prefecture, was recently discovered to have contracted a virus, and officials believe that some data from the computer may have been leaked as a result”
“According to the Japan Atomic Energy Agency, which operates the facility, the computer in question was being used by on-duty facility employees to file company paperwork when the virus was first detected on Jan. 2”
“…the computer was infected with the virus when a video playback program was attempting to perform a regular software update”
Source : http://www.japantoday.com/category/national/view/monju-power-plant-facility-pc-infected-with-virus
Threat History
Backdoor in Equipment Used for Traffic Control, Railways Called “Huge Risk”
Security hole (back-door account “factory”) in industrial control software by the firm RuggedCom
Potentially affected a wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations
April 2011 to July 2011: no action from RuggedCom
February 2012: US-CERT notified and “warning” issued
Source: http://threatpost.com/backdoor-equipment-used-traffic-control-railways-called-huge-risk-042512/76485
Issues
Main issue: the operational rule “do not ‘touch’ the working system.”
But what about a computer system that is connected to the Internet?
Hacking
Password complexity check bypass, hardcoded passwords for systems
Regular system maintenance, applying patches
HMIs using mobile phone interfaces
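The two credential problems named above, shown side by side as an added example that is not part of the slide deck: a hardcoded maintenance login of the kind the RuggedCom case illustrates, next to a credential store that enforces its own password policy server-side (so a client-side complexity check cannot simply be bypassed) and keeps no built-in accounts. The account name, password, policy thresholds and class names are constructed for this example and are not from any real product.

```python
"""Added example (not from the slide deck): a hardcoded 'factory'-style login
check beside a hardened credential store. The hardened store enforces its
password policy on the server, stores per-account salted PBKDF2 hashes and
compares them in constant time."""
import hashlib
import hmac
import os
import re

# --- Weak pattern: the kind of check the slide warns about -----------------
# Hypothetical hardcoded maintenance credential, constructed for illustration.
# It is identical on every device, cannot be changed or revoked, and the
# string comparison leaks timing information.
_FACTORY_USER = "factory"
_FACTORY_PASSWORD = "factory"


def weak_login(user: str, password: str) -> bool:
    return user == _FACTORY_USER and password == _FACTORY_PASSWORD


# --- Hardened pattern ------------------------------------------------------
MIN_LENGTH = 12  # assumed policy threshold for this example
_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_meets_policy(password: str) -> bool:
    """Server-side policy check; whatever the client checked is not trusted."""
    if len(password) < MIN_LENGTH:
        return False
    return all(re.search(cls, password) for cls in _CLASSES)


class CredentialStore:
    """Per-account salted PBKDF2-HMAC-SHA256 hashes; no default accounts."""

    def __init__(self, iterations: int = 200_000):
        self._iterations = iterations
        self._accounts: dict[str, tuple[bytes, bytes]] = {}

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   self._iterations)

    def set_password(self, user: str, password: str) -> None:
        # The policy is enforced here, where a modified client or a crafted
        # request cannot skip it.
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._accounts[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._accounts.get(user)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which account names exist.
            self._derive(password, b"\x00" * 16)
            return False
        salt, expected = record
        return hmac.compare_digest(self._derive(password, salt), expected)


def set_password_accepted(store: CredentialStore, user: str, password: str) -> bool:
    """True if the store accepted the password under its own policy."""
    try:
        store.set_password(user, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    store = CredentialStore(iterations=1_000)  # low count only to run quickly
    print("weak login with shared default:", weak_login("factory", "factory"))
    print("weak password accepted:", set_password_accepted(store, "eng", "factory"))
    print("strong password accepted:", set_password_accepted(store, "eng", "Turbine-Hall_2014!"))
    print("verify correct:", store.verify("eng", "Turbine-Hall_2014!"))
    print("verify wrong:", store.verify("eng", "factory"))
```

The weak function is the pattern to grep for in firmware and HMI code: a literal credential compared with `==`. In the hardened store there is nothing to hardcode, the policy lives with the data it protects, and an attacker who bypasses the HMI's JavaScript check still hits `set_password`.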
Kaspersky SCADA Honeypot
Run in September 2013
SCADA computer with a public IP address, “acting as an industrial system PC”
1294 unauthorized access attempts
422 successful accesses
34 cases of access by development environment systems
7 cases of downloading the PLC configuration
1 case of PLC reprogramming (!!!)
Researchers' Findings
During talks on SCADA security problems at the Kaspersky-Threatpost Security Analyst Summit [in Feb. 2012], several other researchers talked about the serious issues inherent in these ICS installations, and the picture they painted is one of systemic problems and a culture of naivete about security in general. Terry McCorkle, an industry researcher, discussed a research project he did with Billy Rios in which they went looking for bugs in ICS systems, hoping to find 100 bugs in 100 days. That turned out to be a serious underestimation of the problem.
“It turns out they’re stuck in the Nineties. The SDL doesn’t exist in ICS,” McCorkle said. “There are a lot of ActiveX and file format bugs and we didn’t even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable.”
Source: http://threatpost.com/state-scada-security-laughable-researchers-say-020312
Researchers' Conclusion
“Those ICS and SCADA systems under research were developed in the last century by people from the last century using standards from the last century”
Remarkable Standards in 2013-14
Under development:
IEC 62443 (formerly ISA99, adopted ISA 2700x)
NIST DRAFT Guide to Industrial Control Systems (ICS) Security, SP 800-82 Rev. 2
Released:
NIST Framework for Improving Critical Infrastructure Cybersecurity (v1.0, February 2014)
Key principles of secured system development to be standardized
Complete mediation
  Component isolation (processes, resources)
  Control over all sensitive operations
Tamperproof
  Keep the trusted computing base minimal and structured
  Resistance to external actions, incorrect queries, etc.
  Protection of the security configuration
Verifiability
  Structured, compact and tested
  Formal/semi-formal methods
Platform
  Flexibility in security policy definitions
  Secured systems development methodology
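The first, second and fourth principles above in working form, as an added example that is not from the slide deck or from any Kaspersky product: a reference monitor placed in front of a hypothetical PLC interface. Every operation (including the "download configuration" and "reprogram" actions the honeypot recorded) is mediated by one small, structured check; the policy is a read-only object that cannot be edited in place by a caller; malformed or unknown requests and unknown roles are denied by default; and the policy is data, so it can be changed without touching the monitor's code. The PLC class, operation names and roles are constructed for illustration.

```python
"""Added example (not from the slide deck): a reference monitor implementing
complete mediation over a hypothetical PLC interface, with a tamper-resistant
policy, default deny, input validation and an audit trail."""
from dataclasses import dataclass
from types import MappingProxyType

# Hypothetical PLC operations, constructed for this example.
OPERATIONS = frozenset({"read_status", "download_config", "reprogram"})


class PLC:
    """Stand-in for the device. In a real deployment it is reachable only
    through the monitor (component isolation); here that is by convention."""

    def __init__(self):
        self.program = "v1"

    def execute(self, op, arg=None):
        if op == "reprogram":
            self.program = arg
        return {"status": "ok", "program": self.program}


@dataclass(frozen=True)
class Request:
    subject: str      # who is asking (e.g. a user or host identity)
    role: str         # role the subject is acting under
    op: str           # requested PLC operation
    arg: object = None


class ReferenceMonitor:
    """Every call to the PLC passes through submit(); there is no other path.
    The check is short and structured so it can be reviewed and tested."""

    def __init__(self, plc: PLC, policy: dict):
        self._plc = plc
        # Read-only view over immutable sets: a compromised caller holding a
        # reference to the monitor cannot add roles or operations in place.
        # Changing policy means constructing a new monitor.
        self._policy = MappingProxyType(
            {role: frozenset(ops) for role, ops in policy.items()})
        self.audit = []

    def _allowed(self, req: Request):
        if req.op not in OPERATIONS:        # malformed or unknown request
            return False, "unknown operation"
        if req.role not in self._policy:    # default deny
            return False, "unknown role"
        if req.op not in self._policy[req.role]:
            return False, "not permitted for role"
        return True, "permitted"

    def submit(self, req: Request):
        ok, reason = self._allowed(req)
        # Every decision is recorded, allowed or not.
        self.audit.append((req.subject, req.role, req.op, ok, reason))
        if not ok:
            return None
        return self._plc.execute(req.op, req.arg)


def policy_is_tamperproof(monitor: ReferenceMonitor) -> bool:
    """True if the monitor's live policy cannot be mutated by a caller."""
    try:
        monitor._policy["attacker"] = frozenset(OPERATIONS)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    # Example policy (data, not code): operators observe, engineers change.
    policy = {"operator": {"read_status"},
              "engineer": {"read_status", "download_config", "reprogram"}}
    monitor = ReferenceMonitor(PLC(), policy)
    print(monitor.submit(Request("hmi-1", "operator", "read_status")))
    print(monitor.submit(Request("hmi-1", "operator", "reprogram", "v2")))  # None
    print(monitor.submit(Request("ews-1", "engineer", "reprogram", "v2")))
    print(monitor.submit(Request("unknown", "vendor", "download_config")))   # None
    for entry in monitor.audit:
        print(entry)
```

The tamperproof property here is only as strong as the language runtime; on a real controller the equivalent is a monitor that lives in its own protection domain with the policy in protected storage. The shape of the check is the point: one entry, default deny, nothing reaches the device without a logged decision.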
Recommendations
Create a collaborative working group of experts within ITU-T to address current threats to Critical Infrastructure Systems
Focus on standardization of secure systems development for critical infrastructures and ICS
Initiate work on standards for ICS and Critical Infrastructure Systems
Involve practitioners worldwide and make ICS standards available to all countries, so that best practices are shared and enforced through standards
Thank you