Security Presentation Topic: Smart Grid Security
Lopamudra Roychoudhuri & Jayson G. Brown
Summer Cyber Security Workshop 2014
Texas Tech University, Lubbock, Texas

Presentation Overview
• Smart Grid Security
  • The Five W's and H
  • Malware on SCADA
• TAMU–CT Solar Project
  • Quick Overview
  • Relevance to Smart Grid Discussion
• Syllabus Review

Smart Grid Security
• Definition – An electrical supply network that utilizes digital communications to detect and react to changes in usage. This helps increase efficiency and optimization, thus increasing the overall effect of the system, reducing the electrical load and more.
• AKA
  • Smart Grid = Physical Electric Resources + IT Support
  • Cyber-Physical System

Smart Grid Security
• Who's Involved?
  • Government Entities
  • Private Sector
  • Individuals
  • Academia

Smart Grid Security
• What's Required?
  • Generation
  • Distribution
  • Usage
  • IT Support

Smart Grid Security
• When did it become popular?
  • Energy Independence and Security Act of 2007: $100 Million/Year Matching Funds from 2008 to 2012
  • American Recovery and Reinvestment Act of 2009: $11 Billion for Creation of a Smart Grid
  • Protocols Proposed in June 2009 by FERC

Smart Grid Security
• Where?
  • Everywhere!!
  • Over 300,000 Miles of Lines
  • Not just in the USA!

Smart Grid Security
• Why Change Something that is Not Broken?
  • Smart Grid vs. Traditional
  • Efficiency & Optimization
  • Data Mining Potentials
  • Predicts Energy Needs and Usage for Frequency
  • Security Issues
    • Stuxnet, Malware, etc.

Smart Grid Security
• How Does This Work?
  • Links and Monitors Usage Every Few Minutes
  • Supervisory Control And Data Acquisition (SCADA)
  • Electricity Has to Be Used the Moment It's Generated unless Stored

SCADA System Generations
• Early SCADA systems were independent, with no connectivity to other systems
• Second-generation SCADA systems were distributed, using local networks or leased lines
• Third-generation SCADA systems are wide-area networked over the public Internet using industry-standard protocols and security techniques
  • Being on the Internet, they are potentially vulnerable to attack, but because they use standard protocols, industry-wide security measures can be taken to protect the systems

Cyber-attacks and Malware on SCADA
• Over the past few years, an alarming number of cyber attacks, viruses and data breaches have targeted critical infrastructure SCADA systems
  • Stuxnet
  • Flame
  • Shamoon
  • Red October
  • And very recently, Dragonfly
• Reference: The Rise of Critical Infrastructure Attacks: Understanding the Privileged Connection and Common Thread, Yariv Lenchner, Aug 16, 2013, intelligentutility, http://www.intelligentutility.com/article/13/08/rise-critical-infrastructure-attacks-understanding-privileged-connection-andcommon-thread

Stuxnet
• A computer worm that was detected in June 2010, but allegedly has been around since 2007
• Was designed to attack industrial Programmable Logic Controllers (PLCs) of nuclear SCADA systems
• Compromised Iranian PLCs at Iran's Natanz uranium enrichment facility, changing the speeds of the fast-spinning centrifuges while at the same time hiding the damage
  • Reportedly 1/5th of Iran's nuclear centrifuges were ruined
• http://www.youtube.com/watch?v=6WmaZYJwJng

Stuxnet
• 60% of Stuxnet-infected systems were in Iran
• But the attackers took great care to avoid catastrophic damage so as not to blow their cover – the attack sequence executed approximately once a month
• Scary Part: Stuxnet's design and architecture are not domain-specific, and it could be tailored as a platform for attacking modern SCADA and PLC systems
• Source code publicly available: http://www.laboratoryb.org/stuxnet-source-code-on-github/

Stuxnet
• Functions by targeting machines running Windows, then seeking out Siemens S7-300 systems
• Has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet
• Introduced to the target environment by an infected USB flash drive; the system does not need to be connected to the Internet!
• Propagates across the network, scanning for Siemens Step7 software on PLCs
• Introduces an infected rootkit onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC

Other Similar Malware – Flame
• Detected in 2012
• Attacks computers running Windows
• Used for targeted cyber espionage in Middle Eastern countries
• Spreads to other systems over a LAN or via USB stick
• Can record audio, screenshots, keyboard activity and network traffic; also records Skype conversations
• Reference: http://en.wikipedia.org/wiki/Flame_(malware)

Other Similar Malware – Shamoon
• Also detected in 2012
• Similar to Flame – attacks computers running Windows
• Capable of spreading to other computers on the network through exploitation of shared hard drives
• Once a system is infected, the virus continues to erase files from the file system
• Finally, the virus overwrites the master boot record of the system to prevent it from booting
• The virus has hit companies within the oil and energy sectors
• On August 15, 2012, a group named "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 workstations of Saudi Aramco, an oil company
• Reference: http://en.wikipedia.org/wiki/Shamoon

Other Similar Malware – Red October
• Detected in January 2013
• A sophisticated Remote Access Trojan (RAT) infrastructure utilizing a chain of more than 60 command-and-control servers
• Silently gathering data from computers, smartphones, and external storage like USB sticks from high-profile targets around the world since 2007
• Reference: Operation Red October: The top-secret global espionage campaign that's been running for five years, by Chris Gayomali, January 15, 2013, The Week, http://theweek.com/article/index/238764/operation-red-october-the-top-secret-global-espionagecampaign-thats-been-running-for-five-years

Other Similar Malware – Red October
• Most of the targets are in Eastern Europe and Central Asia, but more than 60 countries have been hit
• First infiltrates computers using email attachments such as Word and Excel files
• Data is beamed back to a command server, which assigns each victim a 20-hex-digit code to identify it
• This foothold, more alarmingly, can spread to mobile devices
• Reference: same article in The Week as the previous slide

Cyber-incidents against SCADA in 2012
• The Department of Homeland Security's Cyber Emergency Response Team for Industrial Control Systems (ICS-CERT) reported that during fiscal year 2012 it "responded to 198 cyber incidents."
  • 41% of the attacks were against the energy sector
  • Followed by 15% that targeted the water sector
• Reference: Critical Infrastructure Malware Infections: From ICS-CERT report to SCADA Strangelove, Ms. Smith, Dec 31, 2012, NetworkWorld, http://www.networkworld.com/article/2223748/microsoft-subnet/critical-infrastructuremalware-infections--from-ics-cert-report-to-scada-strangelo.html

Cyber-incidents against SCADA – ReVuln (Nov '12)
• ReVuln, a European company based in Malta, posted a video to promote nine 0-day SCADA exploits that target GE, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens
• These vulnerabilities were for sale to governments or other highest bidders
• The 0-days would "allow attackers to remotely execute arbitrary code, download arbitrary files, execute arbitrary commands, open remote shells or hijack sessions on systems running the vulnerable SCADA software."
• Reference: same NetworkWorld article as the previous slide

Cyber-Incidents against SCADA – 2014
• In warnings posted on its website from June 27 to July 1, 2014, ICS-CERT said it was watching an "ICS-focused malware campaign" wielding a multi-pronged assault on critical infrastructure providers
• The attacks could include phishing emails, redirection to compromised websites and trojanized update installers in watering-hole-style attacks on at least 3 industrial control systems (ICS) vendor web sites
• The software installers for these vendors were infected with malware known as Havex, a RAT
• According to analysis, these techniques could have allowed attackers to access the networks of these systems
• Reference: ICS-CERT sounds alarm on critical infrastructure attacks, by Mark Rockwell, Jul 02, 2014, FCW, http://fcw.com/articles/2014/07/02/dhs-warning-critical-infrastructure-attacks.aspx

Cyber-incidents against SCADA – Dragonfly (July 2014)
• Symantec linked Havex to a loose association of attackers that energy suppliers call Dragonfly
• News reports in Europe said Dragonfly, backed by groups in Russia, could have hacked computer systems at more than 1,000 organizations in at least 84 countries in the past 18 months
• The majority of the victims have been in the US, Spain, France, Italy, Germany, Turkey and Poland
• Targets include the energy grid, major electricity generation firms, petroleum pipeline operators and energy industrial equipment providers
• Dragonfly uses attack methods such as extracting and uploading stolen data, installing further malware onto systems, and running executable files on infected computers

TAMU–CT Solar Project
• In Collaboration with the Center for Solar Energy
• 50 MW solar field on 800 Acres with a $600 Million and Above Price Tag
  • AKA: One of the World's Largest
  • Powering ~50k Homes!
• Development with PPA Partners in Morgan Hill, CA
  • Previous Project with Arizona Western College in Yuma
• Power the Entire University and Sell Off the Rest
  • Possibly to Killeen/Ft. Hood
• http://www.kwtx.com/home/headlines/-600-Million-Solar-Energy-Research-Center-To-Be-Built-Here-213365811.html

TAMU–CT Solar Project
• Major Potential for Malicious Activities
  • One of the Largest in the World
  • Military Vulnerability
  • Activists
• This Stresses the Fact that We Must Have Protection!
  • Research and Courses in Cyber Security if it becomes a Smart Grid
• One Step Closer to Achieving 1.21 GW! Only 24 More to Build!

New Course
• Name: Computer and Network Security
• First course on Security under the Computer Science Program

Syllabus Objectives
• This course provides an in-depth look at the security risks and threats to an organization's computer, network and information systems, and an overview of components used in an enterprise security infrastructure.
• The course focuses on the Threat Environment, Security Policies, Planning and Solutions.
• The topics include detailed discussions on Vulnerabilities and Attacks, Cryptography, Secure Networks, Access Control, Firewalls, Host Hardening, Application Security, Data Protection and Incident Response.

Course Modules
• Module 1: Introduction to Computer and Network Security
• Module 2: Vulnerabilities, Threats and Attacks
  • One of the sub-modules is on SCADA and related attacks
• Module 3: Host, Data and Application Security
• Module 4: Elements of Cryptography
• Module 5: Cryptographic System Standards
• Module 6: Access Control
• Module 7: Firewalls
• Module 8: Intrusion Detection Systems

Questions / Comments