Roychoudhuri-Brown - Texas Tech University Departments

Security Presentation
Topic : Smart Grid Security
Lopamudra Roychoudhuri & Jayson G. Brown
Summer Cyber Security Workshop 2014
Texas Tech University, Lubbock Texas
Presentation Overview
• Smart Grid Security
• The Five W’s and H
• Malware on SCADA
• TAMU– CT Solar Project
• Quick Overview
• Relevance to Smart Grid Discussion
• Syllabus Review
Smart Grid Security
• Definition – An electrical supply network that utilizes
digital communications to detect and react to changes in
usage. This improves efficiency and optimization, which in
turn reduces the electrical load on the system and brings
other benefits.
• AKA
• Smart Grid = Physical Electric Resources + IT Support
• Cyber Physical System
Smart Grid Security
• Who's Involved?
• Government Entities
• Private Sector
• Individuals
• Academia
Smart Grid Security
• What’s Required?
• Generation
• Distribution
• Usage
• IT Support
Smart Grid Security
• When did it become popular?
• Energy Independence and Security Act of 2007
• $100 Million/Year Matching Funds from 2008 to 2012
• American Recovery and Reinvestment Act of 2009
• $11 Billion for Creation of a Smart Grid
• Protocols Proposed in June 2009 by FERC
Smart Grid Security
• Where?
• Everywhere!!
• Over 300,000 Miles of Lines
• Not just in USA!
Smart Grid Security
• Why Change Something that is Not Broken?
• Smart Grid vs. Traditional
• Efficiency & Optimization
• Data Mining Potentials
• Predicts Energy Needs and Usage for Frequency
• Security Issues
• Stuxnet, Malware, Etc.
Smart Grid Security
• How Does This Work?
• Links and Monitors Usage Every Few Minutes
• Supervisory Control And Data Acquisition (SCADA)
• Electricity Has to Be Used the Moment It's Generated, unless Stored
SCADA System Generations
• Early SCADA systems were independent, with no connectivity
to other systems
• Second generation SCADA systems were distributed, using
local networks or leased lines
• Third generation of SCADA systems are wide-area networked
over the public Internet using industry standard protocols
and security techniques
Being on the Internet, they are potentially vulnerable to
attack, but because they use standard protocols, industry-wide
security measures can be applied to protect the systems
Cyber-attacks and Malware on SCADA
Over the past few years, an alarming number of cyber attacks,
viruses and data breaches have targeted critical infrastructure
SCADA systems
• Stuxnet
• Flame
• Shamoon
• Red October
• And very recently, DragonFly
Reference: The Rise of Critical Infrastructure Attacks: Understanding the Privileged Connection and Common Thread
Yariv Lenchner | Aug 16, 2013, intelligentutility
http://www.intelligentutility.com/article/13/08/rise-critical-infrastructure-attacks-understanding-privileged-connection-andcommon-thread
StuxNet
A computer worm that was detected in June 2010, but allegedly has
been around since 2007
Was designed to attack industrial Programmable Logic Controllers or
PLCs of nuclear SCADA systems
Compromised Iranian PLCs at Iran’s Natanz uranium enrichment facility,
changing the speeds of the fast-spinning centrifuges, at the same
time hiding the damage
• Reportedly 1/5th of Iran’s nuclear centrifuges were ruined
http://www.youtube.com/watch?v=6WmaZYJwJng
StuxNet
60% of Stuxnet infected systems were in Iran
But the attackers took great care to avoid catastrophic damage
so as not to blow their cover: the attack sequence executed
approximately once a month
Scary Part: Stuxnet's design and architecture are not
domain-specific, and it could be tailored as a platform for
attacking modern SCADA and PLC systems
Source code publicly available
http://www.laboratoryb.org/stuxnet-source-code-on-github/
StuxNet
Functions by targeting machines running Windows, then seeking out Siemens S7-300 systems
Has three modules:
a worm that executes all routines related to the main payload of the attack;
a link file that automatically executes the propagated copies of the worm;
and a rootkit component responsible for hiding all malicious files and
processes, preventing detection of the presence of Stuxnet
Introduced to the target environment by an infected USB flash drive; the
system does not need to be connected to the Internet!
Propagates across the network, scanning for Siemens Step7 software on PLCs
Introduces an infected rootkit onto the PLC and the Step7 software, modifying
the code and giving unexpected commands to the PLC
Other Similar Malware - Flame
Detected in 2012
Attacks computers running Windows
Used for targeted cyber espionage in Middle Eastern
countries
Spread to other systems over a LAN or via USB stick
Can record audio, screenshots, keyboard activity and
network traffic, also records Skype conversations
Reference: http://en.wikipedia.org/wiki/Flame_(malware)
Other Similar Malware - Shamoon
Also detected in 2012
Similar to Flame - attacks computers running Windows
Capable of spreading to other computers on the network, through
exploitation of shared hard drives
Once a system is infected, the virus proceeds to erase files from the file system
Finally, the virus will overwrite the master boot record of the system to
prevent it from booting
The virus has hit companies within the oil and energy sectors
On August 15, 2012, a group named "Cutting Sword of Justice" claimed
responsibility for an attack on 30,000 workstations of Saudi Aramco, an oil
company
Reference: http://en.wikipedia.org/wiki/Shamoon
Other Similar Malware – Red October
Detected in January 2013
A sophisticated Remote Access Trojan (RAT) infrastructure
utilizing a chain of > 60 command-and-control servers
Silently gathering data from computers, smartphones, and
external storage like USB sticks from high-profile targets
around the world since 2007
Operation Red October: The top-secret global espionage campaign that's been running for five years
By Chris Gayomali | January 15, 2013, The Week
http://theweek.com/article/index/238764/operation-red-october-the-top-secret-global-espionagecampaign-thats-been-running-for-five-years
Other Similar Malware – Red October
Most of the targets are in Eastern Europe and Central Asia, but more than
60 countries have been hit
First infiltrates computers using email attachments such as Word and
Excel files
Data is beamed back to a command server, which assigns each victim
a 20-hex-digit code to identify it
This foothold, more alarmingly, can spread to mobile devices
Cyber-incidents against SCADA in 2012
Department of Homeland Security's Cyber Emergency
Response Team for Industrial Control Systems (ICS-CERT)
reported that during the fiscal year 2012, it "responded
to 198 cyber incidents."
41% of the attacks were against the energy sector,
followed by 15% that targeted the water sector
Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove
Ms. Smith, Dec 31, 2012, NetworkWorld,
http://www.networkworld.com/article/2223748/microsoft-subnet/critical-infrastructuremalware-infections--from-ics-cert-report-to-scada-strangelo.html
Cyber-incidents against SCADA – ReVuln (Nov’12)
ReVuln, a European company based in Malta, posted a video to promote
nine 0-day SCADA exploits that target GE, Schneider Electric, Kaskad,
Rockwell Automation, Eaton and Siemens.
These vulnerabilities were for sale to governments or other highest
bidders
The 0-days would "allow attackers to remotely execute arbitrary code,
download arbitrary files, execute arbitrary commands, open remote
shells or hijack sessions on systems running the vulnerable SCADA
software."
Cyber-Incidents against SCADA - 2014
In warnings posted on its website from June 27 to July 1, 2014, ICS-CERT said it was
watching an "ICS-focused malware campaign" wielding a multi-pronged assault on
critical infrastructure providers
The attacks could include phishing emails, redirection to compromised websites and
trojanized update installers in watering hole-style attacks on at least 3 industrial
control systems (ICS) vendor web sites
The software installers for these vendors were infected with malware known
as Havex, a RAT
According to analysis, these techniques could have allowed attackers to access the
networks of these systems
ICS-CERT sounds alarm on critical infrastructure attacks
By Mark Rockwell, Jul 02, 2014, FCW
http://fcw.com/articles/2014/07/02/dhs-warning-critical-infrastructure-attacks.aspx
Cyber-incidents against SCADA – Dragonfly (July 2014)
Symantec linked Havex to a loose association of attackers that energy
suppliers call Dragonfly
News reports in Europe said Dragonfly, backed by groups in Russia, could
have hacked computer systems at more than 1,000 organizations in at
least 84 countries in the past 18 months
Majority of the victims have been in the US, Spain, France, Italy, Germany,
Turkey and Poland
Targets include energy grid, major electricity generation firms, petroleum
pipeline operators and energy industrial equipment providers
Dragonfly uses attack methods such as
extracting and uploading stolen data,
installing further malware onto systems,
and running executable files on infected computers.
TAMU – CT Solar Project
In Collaboration with the Center for Solar Energy
50MW solar field on 800 Acres w/ $600 Million and Above Price Tag
AKA: One of the World's Largest, Powering ~50k Homes!
Development with PPA Partners in Morgan Hill, CA
Previous Project with Arizona Western College in Yuma
Power Entire University and Sell Off Rest Possibly to Killeen/Ft Hood
http://www.kwtx.com/home/headlines/-600-Million-Solar-Energy-Research-Center-To-Be-Built-Here-213365811.html
TAMU – CT Solar Project
Major Potential for Malicious Activities
• One of the Largest in the World
• Military Vulnerability
• Activists
This Stresses the Fact that We Must Have Protection!
Research and Courses in Cyber Security if it Becomes a Smart Grid
One Step Closer to Achieving 1.21GWs! Only 24 More to Build!
New Course
Name: Computer and Network Security
First course on Security under Computer Science Program
Syllabus Objectives
This course provides an in-depth look at the security risks and threats to
an organization's computer, network and information systems, and an
overview of components used in an enterprise security infrastructure.
The course focuses on the Threat Environment, Security Policies, Planning
and Solutions. The topics include detailed discussions on Vulnerabilities
and Attacks, Cryptography, Secure Networks, Access Control, Firewalls,
Host Hardening, Application Security, Data Protection and Incident
Response.
Course Modules
Module 1: Introduction to Computer and Network Security
Module 2: Vulnerabilities, Threats and Attacks
One of the sub-modules covers SCADA and related attacks
Module 3: Host, Data and Application Security
Module 4: Elements of Cryptography
Module 5: Cryptographic System Standards
Module 6: Access Control
Module 7: Firewalls
Module 8: Intrusion Detection Systems
Questions / Comments