Evaluating the Business Case for Smart Grid Investments
October 20-21 2011 , Rosen Shingle Creek Resort, Orlando, FL
Peter Allor, pallor@us.ibm.com
Senior Cyber Security Strategist v1.08
© 2011 IBM Corporation

Security is becoming a board room discussion
Business results
Brand image Supply chain Legal exposure
Impact of hacktivism
Audit risk
Sony estimates potential $1B long term impact –
$171M / 100 customers
HSBC data breach discloses 24K private banking customers
Epsilon breach impacts 100 national brands
TJX estimates
$150M class action settlement in release of credit / debit card info
Lulzsec 50-day hack-at-will spree impacts
Nintendo, CIA,
PBS, UK NHS,
UK SOCA,
Sony …
Zurich
Insurance PLc fined £2.275M
($3.8M) for the loss and exposure of
46K customer records
© 2011 IBM Corporation

An organization ’ s attack surface grows rapidly, increasing security complexity and management concerns
People Employees Consultants Hackers Terrorists Outsourcers Customers Suppliers
Data Structured Unstructured At rest In motion
Applications
Systems applications
Web applications Web 2.0
Mobile apps
Infrastructure

77% of firms feel cyber-attacks harder to detect and 34% low confidence to prevent

75% felt effectiveness would increase with end-to-end solutions
Source: Ponemon Institute, June 2011
© 2011 IBM Corporation

4
End to End Security in Utilities
ASSET & CONFIG
MGMT
FIRMWARE UPDATES
CRITICAL ASSET
CONFIDENTIALITY, INTEGRITY DISCOVERY &
& AVAILABILITY METER THEFT IDENTIFICATION
METER DATA VALIDITY
KEY MANAGEMENT
SERVICE AVAILABILITY
& PERFORMANCE
MGMT
METER AVAILABILITY
PREVENT HAN DEVICES
FROM ATTACKING GRID
ACCURATE BILLING
INCIDENT MGMT
METER RELIABILITY
AMI & HAN
SECURITY SECURE
RELIABLE COMMUNICATION
COMMUNICATION LINKS
AMI MALWARE, CYBER
ATTACKS CONFIDENTIALITY OF
CUSTOMER PERSONAL
SECURELY MANAGE
INFORMATION
PEAK DEMAND
CONTEXT SENSITIVE
PROTECT SENSITIVE
ACCESS CONTROL
SECURITY
ASSETS
SYSTEM, APPLICATION, DATA
UNAUTHORIZED METER
DISCONNECTS/ CONNECTS
DATA CENTER NETWORK,
SCADA SECURITY
EMPLOYEE BACKGROUND
CHECKS
OPERATIONS &
PROCESSES
PREVENT POWER
PILFERAGE SCADA NETWORK
SECURITY
GENERATING, TRANS &
DIST NETWORK
REGULATORY
COMPLIANCE
PREVENT
ACCIDENTS
PREVENT PHYSICAL
ABUSE OF ASSETS
REMOTE SUBSTATION
VIDEO SURVEILLANCE
PHYSICAL
SECURITY
* Not all intersections shown
© 2011 IBM Corporation

Energy & Utility Potential Problem Areas
Challenges and risks inherent in next generation intelligent networks Increased internal, industry, and government security policies, standards , and regulations
Protect security and privacy of critical assets
Varied locations & sources of identity information
(native systems)
Regulatory requirements
• FERC
• NERC
• SOX
An increased number of end users and devices accessing your networks, applications, and data
Improve operational efficiency – manage costs
Threats of viruses, worms, and
Internet attacks
Logical and Physical integration requirements
© 2011 IBM Corporation 5
Unauthorized/undetected use of applications & systems

Evolving Threats – Highlights for 2011 X-Force Mid-Year
 An explosion of breaches has opened 2011 marking this year as
“ The Year of the Security Breach.
”
 A secure Web presence has become the Achilles heel of
Corporate IT Security
 IBM ’ s Rational Application Security Group research tested 678 sites (Fortune 500)
–
40% contained client-side vulnerabilities
 Mass endpoint exploitation happening not only through browser vulnerabilities, but also malicious movies and documents
 IBM Managed Security Services show favorite attacker methods are SQL injection , and the brute forcing of passwords , databases, and Windows shares
© 2011 IBM Corporation

Decline in web vulnerabilities

Total number of vulnerabilities decline — but it’s cyclical
 Decline is in web application vulnerabilities
© 2011 IBM Corporation

Patching improvement


© 2011 IBM Corporation

Multi-media & doc vulnerabilities increase
 Significant increases in both categories
 Attackers have zeroed in on software that consumers are running regardless of the browser
 Recent efforts to sandbox these applications are not perfect
© 2011 IBM Corporation

Mobile OS exploits projected to double
 Continued interest in Mobile vulnerabilities as enterprise users bring smartphones and tablets into the work place
 Attackers finally warming to the opportunities these devices represent
© 2011 IBM Corporation

2011: The Year of the Security Breach
 Litany of significant, widely reported breaches in first half
– Most victims presumed operationally competent
 Boundaries of infrastructure are being extended and obliterated
– Cloud, mobility, social business, big data, more
 Attacks are getting more and more sophisticated.
© 2011 IBM Corporation

Who is attacking our networks?
© 2011 IBM Corporation

Who is attacking our networks?
© 2011 IBM Corporation

Highest volume signatures
© 2011 IBM Corporation

Who is attacking our networks?
© 2011 IBM Corporation

New exploit packs show up all the time
© 2011 IBM Corporation

Zeus Crimeware Service
Hosting for costs $50 for 3 months.
This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via internet explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer inter graded.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit“
We also host normal ZeuS clients for
$10/month.
This includes a fully set up zeus panel/configured binary
© 2011 IBM Corporation

Hacktivists are politically motivated
A member of Anonymous at the Occupy
Wall Street protest in New York*
One self-description is:
“We are Anonymous. We are Legion. We do not forgive.
We do not forget. Expect us.”**
Lulz Security logo
"The world's leaders in high-quality entertainment at your expense."
*Source: David Shankbone **Source: Yale Law and Technology, November 9, 2009
© 2011 IBM Corporation

19 © 2011 IBM Corporation

Anonymous proxies on the rise
 About 4 times the amount from
3 years ago
 Some used to hide attacks, some used to evade censorship
© 2011 IBM Corporation

Who is attacking our networks?
© 2011 IBM Corporation

Advanced Persistent Threat
 Example of e-mail with malicious PDF
© 2011 IBM Corporation

Internet Intelligence Collection
–Scan the corporate website, Google, and Google News
• Who works there? What are their titles?
• Write index cards with names and titles
–Search for Linkedin, Facebook, and Twitter Profiles
• Who do these people work with?
• Fill in blanks in the org chart
–Who works with the information we’d like to target?
• What is their reporting structure?
• Who are their friends?
• What are they interested in?
• What is their email address?
At work?
• Personal email?
23 © 2011 IBM Corporation

24 © 2011 IBM Corporation

25
 Regulators
 Industrial Control System Vendors (SCADA)
 Software (Operating Systems and Applications) Vendor Vulnerabilities
 Security patches break product certification
 Operator control via remote access (Modem and TCP/IP) for maintenance and/or multiple site readiness
 Any Interface (SW to SW or System to System) is a prime target
© 2011 IBM Corporation

Security for Industrial Control Systems (SCADA)
-
ICS Security based on IEC 62443
CYBER SECURITY CONTROLS
Air-gap networks, apps and control data with firewalls, proxies
SECURITY
CONTROLS
© 2011 IBM Corporation
©
AB

Which Operational Technology (OT) systems are we talking about?
Contol Systems: Past & Present
– Field sensors
– IEDs
– T&D control systems (SCADA)
– Energy Management Systems
(EMS)
– Distribution Management Systems
(DMS)
– Outage Management Systems
(OMS)
– Demand Response Systems
– Smart Grid Communications equipment (SCADA)
– Meter Data Management Systems
(MDMS)
– Asset Management (e.g.,
Maximo)
– Ops Centers (e.g., NOCs, SOCs)
– DCS and PLC systems in generating plants
© 2011 IBM Corporation

28
A TCP/IP Enabled World
 Process Control Systems (PCS) migrating to TCP/IP networks
 SCADA and DCS typically rely upon “wrapped” protocols
– Analog control and reporting protocols embedded in digital protocols
– Encryption and command integrity limitations
– Poor selection of TCP/IP protocols
 Problems with patching embedded operating systems
– Controllers typically running outdated OS’s
– Security patches and updates not applied
– Difficulty patching the controllers
© 2011 IBM Corporation

Miniaturization and Bridging Networks
 Professional attack tools are small enough to fit on a standard Smartphone
 Designed to “audit” and exploit discovered vulnerabilities
 Wireless or wired attacks, and remote control
 Smartphones also targeted
– Contact info.
– Bridge to network handheld hacking devices
29 © 2011 IBM Corporation

30
Bridging Networks
 Softest targets appear to be the control centers
– Greatest use of “PC” systems
– Frequent external connectivity
– Entry-point to critical plant systems
 Bridging control centers and the plant operational framework
– Network connectivity for ease of operational control
– Reliance on malware to proxy remote attacks
© 2011 IBM Corporation

Proliferation of Networked Devices
 Switch from analog to digital controls
 Incorporation of network standards
– TCP/IP communications
– Wireless communications
 Replacement SKU parts include new features
“free”
– Additional features may be “on” by default
– May be turned on by engineers
From analog to digital
(+ networked)
31
Wireless integration
© 2011 IBM Corporation

Wireless RF / WiFi Attacks
 Increased use of wireless technologies
 Large security research focus
– Common topic/stream at hacking conferences
 Packet Radio Software
– New tools and software to attack & eavesdrop on any RF transmission
– Community-based sharing of findings
 Tools and guides on long-range interception or wireless technologies
A 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles
32
© 2011 IBM Corporation

33
ICS versus IT and Security
Industrial Control
Systems (ICS)
Protects the ability to operate safely and securely
The end user is a computer
A decentralized system to ensure availability / reliability
Remote access is available to field devices
Source code is often sold with the system
Long life cycles
Not patchable
IT Systems
Protects the data on the client and in transit
The end user is a human
A centralized system to achieve economy of scale
Limited remote access
Source code is limited and protected
Relatively short life cycles
Patchable
© 2011 IBM Corporation

 Penetration Testing (remote) and Security Assessment
(local)
 National and International
 15-20 unique security assessments in the last 5 yrs
34
America’s Hackable Backbone
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.
"It turned out to be one of the easiest penetration tests I'd ever done," he says.
"By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.
‘”
Forbes
August 22 nd 2007
© 2011 IBM Corporation

35
Common Security Assessment Findings
 Weak protocols leave systems vulnerable
 PCS networks lack overall segmentation
 PCS networks lack antivirus protection
 Standard operating systems leave the device open to well known security vulnerabilities
 Most IP-based communications within the PCS network are not encrypted
 Most PCS systems have limited-to-no logging enabled
 Many organizations still rely heavily on physical security measures
© 2011 IBM Corporation

Not a technical problem, but a business challenge

Many of the 2011 breaches could have been prevented
 However, significant effort required to inventory, identify and close every vulnerability
 Financial & operational resistance is always encountered, so how much of an investment is enough?
© 2011 IBM Corporation

© 2011 IBM Corporation

Thank you for your time today! Get engaged with IBM X-Force Research and Development…
Follow us at @ibmsecurity and @ibmxforce
Download X-Force security trend & risk reports http://www-
935.ibm.com/services/us/iss/xforce/
Subscribe to X-Force alerts at http://iss.net/rss.php or
Frequency X at http://blogs.iss.net/rss.php
Attend in-person events http://www.ibm.com/events/calendar/
Join the Institute for
Advanced Security www.instituteforadvancedsecurity.com
Subscribe to the security channel for latest security videos www.youtube.com/ibmsecuritysolutions
© 2011 IBM Corporation