Evaluating the Business Case for Smart Grid Investments
October 20-21, 2011, Rosen Shingle Creek Resort, Orlando, FL
Peter Allor, pallor@us.ibm.com
Senior Cyber Security Strategist v1.08
© 2011 IBM Corporation
Security is becoming a board room discussion
Business results: brand image, supply chain, legal exposure, impact of hacktivism, audit risk
Sony estimates potential $1B long term impact – $171M / 100 customers
HSBC data breach discloses 24K private banking customers
Epsilon breach impacts 100 national brands
TJX estimates $150M class action settlement in release of credit / debit card info
Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …
Zurich Insurance PLc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records
An organization's attack surface grows rapidly, increasing security complexity and management concerns
People: employees, consultants, hackers, terrorists, outsourcers, customers, suppliers
Data: structured, unstructured, at rest, in motion
Applications: systems applications, web applications, Web 2.0, mobile apps
Infrastructure
77% of firms feel cyber-attacks are harder to detect, and 34% have low confidence in their ability to prevent them
75% felt effectiveness would increase with end-to-end solutions
Source: Ponemon Institute, June 2011
End to End Security in Utilities
Diagram: security domains mapped against utility security concerns (labels recovered from the figure).
Domains: asset & config mgmt; firmware updates; key management; service availability & performance mgmt; incident mgmt; AMI & HAN security; secure communication links; context sensitive access control; system, application, data security; data center network and SCADA security; operations & processes; SCADA network security; generating, transmission & distribution network; regulatory compliance; physical security.
Concerns: critical asset discovery & identification; confidentiality, integrity & availability; meter theft; meter data validity; meter availability; meter reliability; prevent HAN devices from attacking grid; accurate billing; reliable communication; AMI malware, cyber attacks; confidentiality of customer personal information; securely manage peak demand; protect sensitive assets; unauthorized meter disconnects/connects; employee background checks; prevent power pilferage; prevent accidents; prevent physical abuse of assets; remote substation video surveillance.
* Not all intersections shown
Energy & Utility Potential Problem Areas
Challenges and risks inherent in next generation intelligent networks:
Increased internal, industry, and government security policies, standards, and regulations
Protect security and privacy of critical assets
Varied locations & sources of identity information (native systems)
Regulatory requirements
• FERC
• NERC
• SOX
An increased number of end users and devices accessing your networks, applications, and data
Improve operational efficiency – manage costs
Threats of viruses, worms, and Internet attacks
Logical and physical integration requirements
Unauthorized/undetected use of applications & systems
Evolving Threats – Highlights for 2011 X-Force Mid-Year
An explosion of breaches has opened 2011, marking this year as “The Year of the Security Breach.”
A secure Web presence has become the Achilles heel of Corporate IT Security
IBM's Rational Application Security Group research tested 678 sites (Fortune 500)
– 40% contained client-side vulnerabilities
Mass endpoint exploitation happening not only through browser vulnerabilities, but also malicious movies and documents
IBM Managed Security Services show favorite attacker methods are SQL injection, and the brute forcing of passwords, databases, and Windows shares
Decline in web vulnerabilities
Total number of vulnerabilities declines – but it's cyclical
Decline is in web application vulnerabilities
Patching improvement
Multi-media & doc vulnerabilities increase
Significant increases in both categories
Attackers have zeroed in on software that consumers are running regardless of the browser
Recent efforts to sandbox these applications are not perfect
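The malicious documents this slide and the X-Force highlights refer to typically arrive as PDF attachments. The following Python script is an added example (not code from the presentation or from IBM) showing the static triage a mail gateway or analyst can do before a sandbox ever sees the file: it looks for the PDF features that carry active content (JavaScript, open actions, launch actions, rich media), decodes the `#xx` name escapes used to hide them from naive scanners, and reports "inconclusive" rather than "clean" when compressed object streams could be concealing objects it cannot see. The sample documents are constructed inline, and the feature list and verdict rules are assumptions made here for the demonstration.

```python
"""Static triage of PDF attachments for risky active-content features.

Added example, not code from the presentation or from IBM. The sample
documents below are constructed inline. The feature list and the verdict
rules are assumptions made here for the demonstration; a flagged file
deserves sandbox detonation, and a clean verdict proves nothing about a
file whose objects sit inside compressed object streams.
"""
import re

# PDF name tokens most often abused by malicious documents, with the reason
# each one is worth a look.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action runs automatically when the file is opened",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launches an external program or file",
    b"/RichMedia": "embedded Flash / rich media",
    b"/EmbeddedFile": "embedded file attachment",
    b"/ObjStm": "compressed object streams; objects inside are invisible to this scan",
}
# Names that mean active content; any one of them makes the file suspicious.
ACTIVE_CONTENT = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch", "/RichMedia"}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so an obfuscated name such as /J#61vaScript reads /JavaScript.

    The substitution is applied to the whole buffer, so a '#' followed by two
    hex digits inside binary stream data is rewritten too; harmless for a
    scanning copy, but this buffer must never be written back as the file.
    """
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return a dict with is_pdf, per-feature findings and an overall verdict."""
    if not data.startswith(b"%PDF-"):
        return {"is_pdf": False, "findings": {}, "verdict": "not a PDF"}
    text = normalize_names(data)
    findings = {}
    for name, why in RISKY_NAMES.items():
        # A name token ends at a delimiter, so /JS must not match a longer name.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            findings[name.decode()] = {"count": count, "why": why}
    if findings.keys() & ACTIVE_CONTENT:
        verdict = "suspicious"
    elif "/ObjStm" in findings:
        verdict = "inconclusive"   # decompress object streams before trusting the file
    elif findings:
        verdict = "review"         # e.g. an attachment without any active content
    else:
        verdict = "clean"
    return {"is_pdf": True, "findings": findings, "verdict": verdict}


# Constructed samples (not real malware): a minimal benign document, one that
# runs obfuscated JavaScript on open, and one whose objects are compressed.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
    b"%%EOF\n"
)
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"5 0 obj << /Type /ObjStm /N 3 /First 20 /Filter /FlateDecode >> stream\n"
    b"...\nendstream endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                       ("compressed", COMPRESSED_PDF)]:
        print(label, triage_pdf(doc))
```

The "inconclusive" verdict is the point worth copying: a scanner that only pattern-matches raw bytes will call a file clean precisely when the interesting objects have been packed into an object stream, so the absence of findings must be reported differently from a file that was fully inspected.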
Mobile OS exploits projected to double
Continued interest in Mobile vulnerabilities as enterprise users bring smartphones and tablets into the work place
Attackers finally warming to the opportunities these devices represent
2011: The Year of the Security Breach
Litany of significant, widely reported breaches in first half
– Most victims presumed operationally competent
Boundaries of infrastructure are being extended and obliterated
– Cloud, mobility, social business, big data, more
Attacks are getting more and more sophisticated.
Who is attacking our networks?
Highest volume signatures
New exploit packs show up all the time
Zeus Crimeware Service
“Hosting costs $50 for 3 months.
This includes the following:
# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit”
We also host normal ZeuS clients for $10/month.
This includes a fully set up zeus panel/configured binary
Hacktivists are politically motivated
A member of Anonymous at the Occupy Wall Street protest in New York*
One self-description is: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”**
Lulz Security logo: "The world's leaders in high-quality entertainment at your expense."
*Source: David Shankbone **Source: Yale Law and Technology, November 9, 2009
Anonymous proxies on the rise
About 4 times the amount from 3 years ago
Some used to hide attacks, some used to evade censorship
Who is attacking our networks?
Advanced Persistent Threat
Example of e-mail with malicious PDF
Internet Intelligence Collection
– Scan the corporate website, Google, and Google News
• Who works there? What are their titles?
• Write index cards with names and titles
– Search for LinkedIn, Facebook, and Twitter profiles
• Who do these people work with?
• Fill in blanks in the org chart
– Who works with the information we’d like to target?
• What is their reporting structure?
• Who are their friends?
• What are they interested in?
• What is their email address? At work? Personal email?
Regulators
Industrial Control System Vendors (SCADA)
Software (Operating Systems and Applications) Vendor Vulnerabilities
Security patches break product certification
Operator control via remote access (Modem and TCP/IP) for maintenance and/or multiple site readiness
Any Interface (SW to SW or System to System) is a prime target
Security for Industrial Control Systems (SCADA)
ICS Security based on IEC 62443
Cyber security controls: air-gap networks, apps and control data with firewalls, proxies
Which Operational Technology (OT) systems are we talking about?
Control Systems: Past & Present
– Field sensors
– IEDs
– T&D control systems (SCADA)
– Energy Management Systems (EMS)
– Distribution Management Systems (DMS)
– Outage Management Systems (OMS)
– Demand Response Systems
– Smart Grid Communications equipment (SCADA)
– Meter Data Management Systems (MDMS)
– Asset Management (e.g., Maximo)
– Ops Centers (e.g., NOCs, SOCs)
– DCS and PLC systems in generating plants
A TCP/IP Enabled World
Process Control Systems (PCS) migrating to TCP/IP networks
SCADA and DCS typically rely upon “wrapped” protocols
– Analog control and reporting protocols embedded in digital protocols
– Encryption and command integrity limitations
– Poor selection of TCP/IP protocols
Problems with patching embedded operating systems
– Controllers typically running outdated OSs
– Security patches and updates not applied
– Difficulty patching the controllers
Miniaturization and Bridging Networks
Professional attack tools are small enough to fit on a standard Smartphone
Designed to “audit” and exploit discovered vulnerabilities
Wireless or wired attacks, and remote control
Smartphones also targeted
– Contact info.
– Bridge to network handheld hacking devices
Bridging Networks
Softest targets appear to be the control centers
– Greatest use of “PC” systems
– Frequent external connectivity
– Entry-point to critical plant systems
Bridging control centers and the plant operational framework
– Network connectivity for ease of operational control
– Reliance on malware to proxy remote attacks
Proliferation of Networked Devices
Switch from analog to digital controls
Incorporation of network standards
– TCP/IP communications
– Wireless communications
Replacement SKU parts include new features “free”
– Additional features may be “on” by default
– May be turned on by engineers
Diagram: from analog to digital (+ networked); wireless integration
Wireless RF / WiFi Attacks
Increased use of wireless technologies
Large security research focus
– Common topic/stream at hacking conferences
Packet Radio Software
– New tools and software to attack & eavesdrop on any RF transmission
– Community-based sharing of findings
Tools and guides on long-range interception of wireless technologies
Pictured: a 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles
ICS versus IT and Security
Industrial Control Systems (ICS)
– Protects the ability to operate safely and securely
– The end user is a computer
– A decentralized system to ensure availability / reliability
– Remote access is available to field devices
– Source code is often sold with the system
– Long life cycles
– Not patchable
IT Systems
– Protects the data on the client and in transit
– The end user is a human
– A centralized system to achieve economy of scale
– Limited remote access
– Source code is limited and protected
– Relatively short life cycles
– Patchable
Penetration Testing (remote) and Security Assessment (local)
National and International
15-20 unique security assessments in the last 5 yrs
America’s Hackable Backbone
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.
"It turned out to be one of the easiest penetration tests I'd ever done," he says.
"By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"
Forbes, August 22nd 2007
Common Security Assessment Findings
Weak protocols leave systems vulnerable
PCS networks lack overall segmentation
PCS networks lack antivirus protection
Standard operating systems leave the device open to well known security vulnerabilities
Most IP-based communications within the PCS network are not encrypted
Most PCS systems have limited-to-no logging enabled
Many organizations still rely heavily on physical security measures
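Three of these findings (missing segmentation, unencrypted IP-based communications, and remote access reaching field devices) can be checked mechanically against flow records before an assessor ever goes on site, and the check doubles as an illustration of the zone-and-conduit model behind the IEC 62443-based controls on the SCADA security slide above. The following Python script is an added example, not code from the presentation or from IBM. The zone CIDRs, the approved-conduit policy and the flow records are all constructed for the demonstration; a real audit would feed exported NetFlow/IPFIX or firewall logs into the same logic.

```python
"""Audit PCS network flow records against an IEC 62443-style zone/conduit model.

Added example, not code from the presentation or from IBM. The zone CIDRs,
the approved-conduit policy and the flow records are all constructed for
the demonstration; a real audit would feed NetFlow/IPFIX or firewall logs.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed zone model (IEC 62443 "zones"): one CIDR per zone.
ZONES = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control_center": ipaddress.ip_network("10.2.0.0/24"),
    "field": ipaddress.ip_network("10.3.0.0/24"),  # RTUs, PLCs, IEDs
}

# Approved conduits between zones: (source zone, destination zone, destination port).
# Anything crossing a zone boundary outside this set is a segmentation finding.
ALLOWED_CONDUITS = {
    ("corporate", "dmz", 443),           # users reach the historian web front-end
    ("dmz", "control_center", 443),      # historian replication
    ("control_center", "field", 20000),  # DNP3 polling from the SCADA master
    ("control_center", "field", 502),    # Modbus/TCP polling from the SCADA master
}

# Industrial protocols that carry commands in cleartext by default (well-known ports).
CLEARTEXT_ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}
# Interactive / remote-access protocols that should not terminate on field devices.
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is outside the model."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def audit_flow(flow: Flow) -> list[str]:
    """Return the findings for one flow; each finding starts with its category."""
    findings = []
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    crosses_zone = src_zone != dst_zone
    if crosses_zone and (src_zone, dst_zone, flow.dport) not in ALLOWED_CONDUITS:
        findings.append(f"segmentation: {src_zone}->{dst_zone} port {flow.dport} has no approved conduit")
    if flow.dport in CLEARTEXT_ICS_PORTS:
        # Flagged even on an approved conduit: the protocol has no confidentiality
        # or command integrity of its own, so the conduit must supply them.
        findings.append(f"cleartext: {CLEARTEXT_ICS_PORTS[flow.dport]} {flow.src}->{flow.dst} is unencrypted")
    if dst_zone == "field" and flow.dport in REMOTE_ACCESS_PORTS:
        findings.append(f"remote-access: {REMOTE_ACCESS_PORTS[flow.dport]} from {flow.src} to field device {flow.dst}")
    return findings


def audit(flows) -> dict[Flow, list[str]]:
    """Map each flow that produced findings to its findings."""
    results = {}
    for flow in flows:
        findings = audit_flow(flow)
        if findings:
            results[flow] = findings
    return results


def summary(flows) -> dict[str, int]:
    """Count findings by category across all flows."""
    counts = Counter()
    for findings in audit(flows).values():
        for finding in findings:
            counts[finding.split(":", 1)[0]] += 1
    return dict(counts)


# Constructed flow records, as a collector might export them.
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.3.0.21", 20000),  # SCADA master polls an RTU over DNP3
    Flow("10.0.5.7", "10.3.0.21", 23),      # corporate workstation telnets to the RTU
    Flow("10.0.5.7", "10.1.0.5", 443),      # workstation reads the historian portal
    Flow("10.2.0.10", "10.3.0.30", 502),    # SCADA master polls a PLC over Modbus
    Flow("10.1.0.5", "10.2.0.10", 445),     # historian opens SMB to the control server
]

if __name__ == "__main__":
    for flow, findings in audit(SAMPLE_FLOWS).items():
        for finding in findings:
            print(f"{flow.src} -> {flow.dst}:{flow.dport}  {finding}")
    print(summary(SAMPLE_FLOWS))
```

Note that the cleartext check fires even for the approved DNP3 and Modbus conduits: the protocol itself provides no confidentiality or command integrity, so the finding documents that the conduit (a dedicated link, a protocol-aware firewall, or a VPN) is the only control standing in, and that a bridged control-center host sits inside it.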
Not a technical problem, but a business challenge
Many of the 2011 breaches could have been prevented
However, significant effort required to inventory, identify and close every vulnerability
Financial & operational resistance is always encountered, so how much of an investment is enough?
Thank you for your time today! Get engaged with IBM X-Force Research and Development…
Follow us at @ibmsecurity and @ibmxforce
Download X-Force security trend & risk reports: http://www-935.ibm.com/services/us/iss/xforce/
Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php
Attend in-person events: http://www.ibm.com/events/calendar/
Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com
Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions