IBM Cyber Security Story - Smart Grid Research Consortium


Cyber Security:

How Serious is the Threat?

Evaluating the Business Case for Smart Grid Investments

October 20-21, 2011, Rosen Shingle Creek Resort, Orlando, FL

Peter Allor, pallor@us.ibm.com

Senior Cyber Security Strategist v1.08

© 2011 IBM Corporation

Security is becoming a board room discussion

Business results

Brand image Supply chain Legal exposure

Impact of hacktivism

Audit risk

Sony estimates potential $1B long term impact – $171M / 100 customers

HSBC data breach discloses 24K private banking customers

Epsilon breach impacts 100 national brands

TJX estimates $150M class action settlement in release of credit / debit card info

Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …

Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

An organization’s attack surface grows rapidly, increasing security complexity and management concerns

People: Employees, Consultants, Hackers, Terrorists, Outsourcers, Customers, Suppliers

Data: Structured, Unstructured, At rest, In motion

Applications: Systems applications, Web applications, Web 2.0, Mobile apps

Infrastructure

77% of firms feel cyber-attacks are harder to detect, and 34% have low confidence in their ability to prevent them

75% felt effectiveness would increase with end-to-end solutions

Source: Ponemon Institute, June 2011

End to End Security in Utilities

[Figure: a matrix of utility security domains against security concerns. Recoverable labels, grouped by domain as far as the slide allows:]

– AMI & HAN security: asset & config mgmt; firmware updates; critical asset confidentiality, integrity & availability; meter theft discovery & identification; meter data validity; key management; service availability & performance mgmt; meter availability; prevent HAN devices from attacking grid; accurate billing; incident mgmt; meter reliability; AMI malware, cyber attacks

– Secure reliable communication: secure communication links; confidentiality of customer personal information; securely manage peak demand

– Context sensitive access control: protect sensitive assets (system, application, data); unauthorized meter disconnects/connects

– Data center network, SCADA security: SCADA network security; employee background checks

– Operations & processes: prevent power pilferage; regulatory compliance; prevent accidents

– Physical security: prevent physical abuse of assets; remote substation video surveillance

– Generating, transmission & distribution network

* Not all intersections shown

Energy & Utility Potential Problem Areas

Challenges and risks inherent in next generation intelligent networks

Increased internal, industry, and government security policies, standards, and regulations

Protect security and privacy of critical assets

Varied locations & sources of identity information (native systems)

Regulatory requirements

• FERC

• NERC

• SOX

An increased number of end users and devices accessing your networks, applications, and data

Improve operational efficiency – manage costs

Threats of viruses, worms, and Internet attacks

Logical and Physical integration requirements

Unauthorized/undetected use of applications & systems

Evolving Threats – Highlights for 2011 X-Force Mid-Year

 An explosion of breaches has opened 2011, marking this year as “The Year of the Security Breach.”

 A secure Web presence has become the Achilles heel of Corporate IT Security

 IBM’s Rational Application Security Group research tested 678 sites (Fortune 500)

– 40% contained client-side vulnerabilities

 Mass endpoint exploitation happening not only through browser vulnerabilities, but also malicious movies and documents

 IBM Managed Security Services show favorite attacker methods are SQL injection, and the brute forcing of passwords, databases, and Windows shares

Decline in web vulnerabilities

Total number of vulnerabilities decline — but it’s cyclical

 Decline is in web application vulnerabilities


Patching improvement

Significant improvement in unpatched vulnerabilities

Hasn’t dropped below 44% in over five years


Multi-media & doc vulnerabilities increase

 Significant increases in both categories

 Attackers have zeroed in on software that consumers are running regardless of the browser

 Recent efforts to sandbox these applications are not perfect


Mobile OS exploits projected to double

 Continued interest in Mobile vulnerabilities as enterprise users bring smartphones and tablets into the work place

 Attackers finally warming to the opportunities these devices represent


2011: The Year of the Security Breach

 Litany of significant, widely reported breaches in first half

– Most victims presumed operationally competent

 Boundaries of infrastructure are being extended and obliterated

– Cloud, mobility, social business, big data, more

 Attacks are getting more and more sophisticated.


Who is attacking our networks?


Highest volume signatures


New exploit packs show up all the time


Zeus Crimeware Service

“Hosting for costs $50 for 3 months.

This includes the following:

# Fully set up ZeuS Trojan with configured FUD binary.

# Log all information via internet explorer

# Log all FTP connections

# Steal banking data

# Steal credit cards

# Phish US, UK and RU banks

# Host file override

# All other ZeuS Trojan features

# Fully set up MalKit with stats viewer inter graded.

# 10 IE 4/5/6/7 exploits

# 2 Firefox exploits

# 1 Opera exploit”

“We also host normal ZeuS clients for $10/month.

This includes a fully set up zeus panel/configured binary”

Hacktivists are politically motivated

A member of Anonymous at the Occupy Wall Street protest in New York*

One self-description is:

“We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”**

Lulz Security logo

"The world's leaders in high-quality entertainment at your expense."

*Source: David Shankbone **Source: Yale Law and Technology, November 9, 2009

Anonymous proxies on the rise

 About 4 times the amount from 3 years ago

 Some used to hide attacks, some used to evade censorship

Advanced Persistent Threat

 Example of e-mail with malicious PDF


Internet Intelligence Collection

–Scan the corporate website, Google, and Google News

• Who works there? What are their titles?

• Write index cards with names and titles

–Search for Linkedin, Facebook, and Twitter Profiles

• Who do these people work with?

• Fill in blanks in the org chart

–Who works with the information we’d like to target?

• What is their reporting structure?

• Who are their friends?

• What are they interested in?

• What is their email address? At work?

• Personal email?

Points of Access for Vulnerabilities

 Regulators

 Industrial Control System Vendors (SCADA)

 Software (Operating Systems and Applications) Vendor Vulnerabilities

 Security patches break product certification

 Operator control via remote access (Modem and TCP/IP) for maintenance and/or multiple site readiness

 Any Interface (SW to SW or System to System) is a prime target


Security for Industrial Control Systems (SCADA)

 ICS security based on IEC 62443

 Cyber security controls: air-gap networks, apps and control data with firewalls, proxies

Which Operational Technology (OT) systems are we talking about?

Control Systems: Past & Present

– Field sensors

– IEDs

– T&D control systems (SCADA)

– Energy Management Systems (EMS)

– Distribution Management Systems (DMS)

– Outage Management Systems (OMS)

– Demand Response Systems

– Smart Grid Communications equipment (SCADA)

– Meter Data Management Systems (MDMS)

– Asset Management (e.g., Maximo)

– Ops Centers (e.g., NOCs, SOCs)

– DCS and PLC systems in generating plants

A TCP/IP Enabled World

 Process Control Systems (PCS) migrating to TCP/IP networks

 SCADA and DCS typically rely upon “wrapped” protocols

– Analog control and reporting protocols embedded in digital protocols

– Encryption and command integrity limitations

– Poor selection of TCP/IP protocols

 Problems with patching embedded operating systems

– Controllers typically running outdated OS’s

– Security patches and updates not applied

– Difficulty patching the controllers


Miniaturization and Bridging Networks

 Professional attack tools are small enough to fit on a standard Smartphone

 Designed to “audit” and exploit discovered vulnerabilities

 Wireless or wired attacks, and remote control

 Smartphones also targeted

– Contact info.

– Bridge to network handheld hacking devices


Bridging Networks

 Softest targets appear to be the control centers

– Greatest use of “PC” systems

– Frequent external connectivity

– Entry-point to critical plant systems

 Bridging control centers and the plant operational framework

– Network connectivity for ease of operational control

– Reliance on malware to proxy remote attacks


Proliferation of Networked Devices

 Switch from analog to digital controls

 Incorporation of network standards

– TCP/IP communications

– Wireless communications

 Replacement SKU parts include new features “free”

– Additional features may be “on” by default

– May be turned on by engineers

[Figure: from analog to digital (+ networked); wireless integration]

Wireless RF / WiFi Attacks

 Increased use of wireless technologies

 Large security research focus

– Common topic/stream at hacking conferences

 Packet Radio Software

– New tools and software to attack & eavesdrop on any RF transmission

– Community-based sharing of findings

 Tools and guides on long-range interception of wireless technologies

[Photo: a 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles]

ICS versus IT and Security

Industrial Control Systems (ICS) compared with IT Systems:

– ICS protects the ability to operate safely and securely; IT protects the data on the client and in transit

– ICS: the end user is a computer; IT: the end user is a human

– ICS: a decentralized system to ensure availability / reliability; IT: a centralized system to achieve economy of scale

– ICS: remote access is available to field devices; IT: limited remote access

– ICS: source code is often sold with the system; IT: source code is limited and protected

– ICS: long life cycles; IT: relatively short life cycles

– ICS: not patchable; IT: patchable

Finding Holes

 Penetration Testing (remote) and Security Assessment (local)

 National and International

 15-20 unique security assessments in the last 5 yrs

America’s Hackable Backbone

The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.

"It turned out to be one of the easiest penetration tests I'd ever done," he says.

"By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"

Forbes, August 22nd 2007

Common Security Assessment Findings

 Weak protocols leave systems vulnerable

 PCS networks lack overall segmentation

 PCS networks lack antivirus protection

 Standard operating systems leave the device open to well known security vulnerabilities

 Most IP-based communications within the PCS network are not encrypted

 Most PCS systems have limited-to-no logging enabled

 Many organizations still rely heavily on physical security measures
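The segmentation, cleartext-protocol and remote-access findings listed above can be checked mechanically over flow records. The block below is an added example, not IBM's code or any tool from the slides: it audits constructed flow records against a constructed three-zone policy in the spirit of the IEC 62443 zone-and-conduit model the earlier slide refers to. The zone ranges, the allowed conduit, the cleartext port list and the sample records are all assumptions.

```python
"""Flow audit against a zone-and-conduit policy in the IEC 62443 style.
Added example: zones, conduits, port list and flow records are constructed."""
import ipaddress

# Constructed zone map: corporate IT, control centre, plant/field network.
ZONES = {
    "corporate": ipaddress.ip_network("10.1.0.0/16"),
    "control_center": ipaddress.ip_network("10.2.0.0/16"),
    "plant": ipaddress.ip_network("10.3.0.0/16"),
}
# The only sanctioned conduit (source, destination); any other cross-zone
# flow is a bridge across the segmentation boundary the assessments warn about.
ALLOWED_CONDUITS = {("control_center", "plant")}
# Cleartext services commonly seen on PCS networks (constructed list).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 502: "modbus/tcp"}

def zone_of(ip):
    # Anything outside every defined zone is treated as external (e.g. modem
    # or Internet remote-maintenance access).
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def audit_flow(flow):
    """Return the list of findings for one flow record {src, dst, dport}."""
    findings = []
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src != dst and (src, dst) not in ALLOWED_CONDUITS:
        findings.append(f"unsanctioned conduit {src}->{dst}")
    if dst == "plant" and flow["dport"] in CLEARTEXT_PORTS:
        findings.append(f"cleartext {CLEARTEXT_PORTS[flow['dport']]} into plant zone")
    if src == "external":
        findings.append("remote access from outside all zones")
    return findings

def audit(flows):
    """Findings keyed by (src, dst, dport); clean flows are omitted."""
    return {(f["src"], f["dst"], f["dport"]): hits
            for f in flows if (hits := audit_flow(f))}

# Constructed flow records, not captured traffic.
SAMPLE_FLOWS = [
    {"src": "10.2.0.10", "dst": "10.3.0.5", "dport": 502},      # sanctioned, but cleartext
    {"src": "10.1.5.7", "dst": "10.3.0.5", "dport": 23},        # corporate PC straight to plant
    {"src": "203.0.113.9", "dst": "10.2.0.10", "dport": 3389},  # vendor remote access
    {"src": "10.2.0.10", "dst": "10.2.0.11", "dport": 443},     # intra-zone, no finding
]
```

Calling `audit(SAMPLE_FLOWS)` returns findings for the first three records only; the intra-zone HTTPS flow is clean, which is the behaviour a real export from a flow collector should be compared against.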


Not a technical problem, but a business challenge

Many of the 2011 breaches could have been prevented

 However, significant effort required to inventory, identify and close every vulnerability

 Financial & operational resistance is always encountered, so how much of an investment is enough?


Questions?


Thank you for your time today! Get engaged with IBM X-Force Research and Development…

Follow us at @ibmsecurity and @ibmxforce

Download X-Force security trend & risk reports http://www-935.ibm.com/services/us/iss/xforce/

Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php

Attend in-person events http://www.ibm.com/events/calendar/

Join the Institute for Advanced Security www.instituteforadvancedsecurity.com

Subscribe to the security channel for latest security videos www.youtube.com/ibmsecuritysolutions