Jonathan Shapiro
Director, Office of Research Cybersecurity

Contact
Jonathan Shapiro
Director, Office of Research Cyber Security Business Development
The University of Texas at Dallas
Direct 972-740-4339
Office 972-883-4501
Jon.Shapiro@UTDallas.edu
Web page: http://www.utdallas.edu/research/
Social Media
• Blog - Cybersecurity at the University of Texas at Dallas
• LinkedIn Group - Cybersecurity at the University of Texas at Dallas
• Twitter - @CyberUTD

Cybersecurity
Cybersecurity is one of the most serious economic and national security challenges we face as a nation. The Cyber Initiative at UTD is a critically important public-private partnership to develop new technologies and skills that will lead to secure computing, communications and control systems.

Cybersecurity Research: The Cyber Initiative at UT Dallas
• University-wide initiative that involves faculty and students from six different departments and schools.
• UT Dallas' Cyber Security Research and Education Center has been designated an NSA/DHS National Center of Academic Excellence in Information Assurance Education.
• Eight areas of research and development have been designated, encompassing a range of technologies, industries and users.
• Focus
  – Performing research to enhance and strengthen the security of computer systems and networks
  – Share our research results by publishing papers in premier journals and top conferences
  – Foster interaction between Government, Industry and Academia in the field of Cybersecurity
  – Develop and teach a strong cyber security program which includes courses for cybercrime prevention, detection and analysis
  – Initiate interdisciplinary programs integrating social sciences and information sciences
  – Transfer the technologies from the university to commercial development efforts

Cybersecurity Research Areas: The Cyber Initiative at UT Dallas
Technical Research
• Secure & Available Networks
• Secure Cloud Computing
• Security of Control Systems
• Software Security
• Secure Silicon
Cross Functional Research
• Cyber Security Risk Management
• Emergency Preparedness
• Information Assurance
• Business Risk Analysis & Economic Implications
• Public Policy Implications
• Threat Analysis & Modeling
• Criminology

Participating schools: School of Management; School of Engineering and Computer Science; School of Economic, Political & Policy Sciences; Arts and Technology
Participating centers and programs: International Center for Decision and Risk Analysis; Center for Information Technology and Management; The Leadership Center; Cyber Security Research Center; Cybersecurity and Emergency Preparedness Institute; Electrical, Mechanical and Computer Science; Criminology; Economics; Gaming and Simulation

Why Cybersecurity

Rapidly Expanding Market
• $55 billion cumulative Federal spending for cybersecurity between 2010 and 2015, at about 6.2% CAGR
• $10.5 billion Smart Grid cyber security
• $7,455 million utility infrastructure security expenditure
• $2.3 billion 2012 federal DOE budget for cyber resources and development
• $6,902.4 million SCADA security market in 2010, forecast to grow at 9.6% to $14 billion by 2016
• $936.48 million Homeland Security Department spending for infrastructure protection and information security
• $500 million for Defense Advanced Research Projects Agency research and development in cybersecurity
• $300 million SFS (Scholarship for Service) funding over five years to fund up to 1,000 cybersecurity scholarships per year

Great Career Opportunity
• 700,000 new information security professionals in the Americas by 2015
• Top 10 Best Jobs in America – US News and World Report
• Acquisitions were mega-deals where public companies were taken private.
  – Intel, for instance, bought McAfee for $7.68 billion
  – HP bought ArcSight for $1.6 billion
  – Symantec bought security divisions of Verisign for $1.3 billion
  – IDC expects the security tech market to grow at a 14 percent compound annual growth rate to $82 billion in 2012
  – Forrester says that security now accounts for 14 percent of information technology spending, compared to 8.2 percent in 2007
• Venture Capital takes notice
  – "It's an area of huge interest to us," said Bill Maris, managing partner for Google Ventures
  – Venture investment in the information-technology security sector this year looks set to exceed last year's $432.3 million
  – "There is absolutely no question that this sector is going to be at the focal point in the future in terms of investments and IPOs," said Robert Francello, head of equity trading at Apex Capital in San Francisco

Data Security Analyst vs. Database Analyst
• 2 years experience, Dallas, TX location: Data Security Analyst pay is 28% higher

Certifications
• International Information Systems Security Certification Consortium, Inc., (ISC)²
  – Certified Information Systems Security Professional (CISSP)
  – Information Systems Security Architecture Professional (ISSAP)
  – Information Systems Security Management Professional (ISSMP)
  – Information Systems Security Engineering Professional (ISSEP)
  – Certification and Accreditation Professional (CAP)
  – Systems Security Certified Practitioner (SSCP)
• SANS Institute
  – SANS Cyber Ranges Computer & Network Security Challenges
  – SANS Cyber Guardian Program
  – DoDD 8570 and GIAC Certification

A Declaration of Cyber-War: Stuxnet
• Last summer, the world's top software-security experts were panicked by the discovery of a self-directed stealth drone radically different from and far more sophisticated than any they'd seen.
• A self-replicating computer virus, called a worm, was making its way through thousands of computers around the world, searching for small gray plastic boxes called programmable-logic controllers (PLCs), tiny computers about the size of a pack of crayons, which regulate the machinery in factories, power plants, and construction and engineering projects.
• Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.

What is Stuxnet
• Stuxnet is an advanced malware worm that was discovered in July 2010. It has attacked Siemens PCS 7, S7 PLC, and WinCC systems around the world.
• The management of many industrial sites feel "safe" because they believe the Industrial Control Systems (ICS) network is not connected to the Internet.
• Some even believe their system is "air-gapped" from their corporate network.
• Part of the genius of Stuxnet is that it demonstrated how easy it is for an advanced cyber threat to go from a USB key, an external hard drive, an infected laptop or an infected project file to a control system network.

Buy your test equipment on eBay

Operation Shady Rat
• Unprecedented cyber-espionage campaign and intellectual-property bonanza
• Infiltrated the computer systems of national governments, global corporations, nonprofits, and other organizations, with more than 70 victims in 14 countries.
• Lifted from these highly secure servers, among other sensitive property: countless government secrets, e-mail archives, legal contracts, and design schematics.
• Malicious program: a remote-access tool, or RAT
• Operation targeted a broad range of public- and private-sector organizations in almost every country in Southeast Asia, but none in China
• Government agencies in the United States, Taiwan, South Korea, Vietnam, Canada, Japan, Switzerland, the United Kingdom, Indonesia, Denmark, Singapore, Hong Kong, Germany, and India
• The category most heavily targeted was defense contractors, 13 in all

RSA Breach
• RSA is the security division of the high-tech company EMC
• Its products protect computer networks at the White House, the Central Intelligence Agency, the National Security Agency, the Pentagon, the Department of Homeland Security, most top defense contractors, and a majority of Fortune 500 corporations.
• That key fob, called a SecurID token, is RSA's best-known product. The strings of numbers on its screen are generated by a microchip using the SecurID algorithm and a unique cryptographic seed.
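The token description above (displayed code = function of the SecurID algorithm and a per-token seed) is the reason any export of SecurID-related data matters: whoever holds the seed can compute the same digits the fob shows. The following is an added example, not RSA's code or its algorithm. RSA's SecurID algorithm is proprietary, so an HMAC-SHA1 time-based code (the RFC 6238 construction) stands in for it; the 60-second step matches the classic fob. Serial numbers, PINs and seeds are constructed for the example.

```python
"""Illustrative hardware-token model (added example, not RSA's code).

Stand-in for the SecurID algorithm: HMAC-SHA1 over a time-step counter with
HOTP-style dynamic truncation. The dependency it shares with the real
product is the one that matters here: code = f(secret seed, time), and the
seed is the only secret involved.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # SecurID fobs rotate every 60 s (TOTP apps usually use 30)
DIGITS = 6          # classic SecurID fob shows 6 digits


def token_code(seed: bytes, unix_time: int) -> str:
    """Return the code a token holding `seed` displays at `unix_time`."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify_code(seed: bytes, presented: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, accepting +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = token_code(seed, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, presented):
            return True
    return False


# Constructed authentication-server records (hypothetical serials, PINs, seeds).
# The seed is the one value that must exist only here and inside the token.
TOKEN_SEEDS = {
    "000012345678": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "000087654321": bytes.fromhex("00112233445566778899aabbccddeeff"),
}
USER_PINS = {"alice": ("000012345678", "4821")}   # user -> (token serial, PIN)


def login(user: str, passcode: str, unix_time: int) -> bool:
    """Two-factor login: passcode = PIN (something known) + token code (something held)."""
    record = USER_PINS.get(user)
    if record is None:
        return False
    serial, pin = record
    if len(passcode) != len(pin) + DIGITS or not passcode.startswith(pin):
        return False
    return verify_code(TOKEN_SEEDS[serial], passcode[len(pin):], unix_time)


def forge_passcode(stolen_seed: bytes, phished_pin: str, unix_time: int) -> str:
    """What an attacker holding an exported seed record plus a phished PIN can do:
    compute the current token code without ever touching the fob."""
    return phished_pin + token_code(stolen_seed, unix_time)


if __name__ == "__main__":
    now = 1_300_000_000          # fixed timestamp so the run is reproducible
    serial, pin = USER_PINS["alice"]
    print("legitimate login:", login("alice", pin + token_code(TOKEN_SEEDS[serial], now), now))
    print("attacker with seed + PIN:", login("alice", forge_passcode(TOKEN_SEEDS[serial], pin, now), now))
    print("attacker with PIN only:", login("alice", pin + "000000", now))
```

The practical consequence for a relying party is that a seed-database compromise is a key compromise, not a password leak: rotating PINs does nothing, and the only remediation is replacing the seeds (in practice, the tokens) and, until then, watching for logins from unfamiliar hosts that nonetheless present valid codes.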
• The company's security system had identified "an extremely sophisticated cyber attack in progress," an attack that "resulted in certain information being exported from RSA's systems," some of which was "specifically related to RSA's SecurID two-factor authentication products."
• Dmitri Alperovitch, vice president of threat research at McAfee: "today we see pretty much any company that has valuable intellectual property or trade secrets of any kind being pilfered continually, all day long, every day, relentlessly."
• On May 21, the computer systems of America's largest military contractor, Lockheed Martin, detected an intruder
• L-3 Communications, which provides intelligence, surveillance, and reconnaissance technology to the U.S. government, had also been attacked
• Finnish security company F-Secure assumes an employee of RSA or its parent firm EMC uploaded the malware to an online virus-scanning site
• RSA had already revealed that it had been breached after attackers sent two different targeted phishing e-mails to four workers at its parent company EMC.
• The e-mails contained a malicious attachment that was identified in the subject line as "2011 Recruitment plan.xls."
• The intruders succeeded in stealing information related to the company's SecurID two-factor authentication products.

Cyber Security and Critical Infrastructure
• Networks and control systems are under repeated cyberattack, often from high-level adversaries like foreign nation-states
"Security systems are overmatched by the threat and very few companies are rising to the challenge posed by state-sponsored or terrorist infiltration and potential attack," said Jim Woolsey, former head of the Central Intelligence Agency (CIA). "The real answer is new technology, active cyber defense, and distributed generation."
http://www.csmonitor.com/USA/2010/0128/Corporations-cyber-security-under-widespread-attack-survey-finds

Critical Infrastructure Sectors

IT Systems vs. Control Systems
• SCADA (supervisory control and data acquisition) generally refers to industrial control systems (ICS): computer systems that monitor and control industrial, infrastructure, or facility-based processes
• Control systems include SCADA, Programmable Logic Controllers, Motor Controls, Power Electronics, and Embedded Computing Systems
• They are everywhere, in every industry
• Mostly ignored by IT Security due to complexity, proprietary nature, and different management teams
• Ripe for exploitation
• Intel, Microsoft, and security vendors have not paid attention
• Many are NOT PCs
• Many can be infected, and the devices cannot be cleaned: malware can embed itself in the device's semiconductor components and memory, beyond the reach of PC-oriented cleanup tools
Components of a SCADA system
• The central SCADA master system
• Communications network
• RTUs: Remote Telemetry (or Terminal) Units
• Field instrumentation
Inherent Vulnerabilities
• Two-way communications
• Distributed connectivity
• Customer usage data
• Weak authentication and access control
• Lack of adequate training
• Lack of standards and interoperability

Critical Infrastructure Problem
• Vulnerability assessments have not yet been completed
• Industry and government lack guidance for conducting vulnerability assessments
• Analysis of public works infrastructure (including electricity) has not been completed
• Assessments to date do not consistently consider vulnerabilities to longer-term power disruptions

Summary: Critical Infrastructure
• Industrial Control Systems (SCADA and PLCs) are vulnerable to attack.
• We have no clear inventory of the extent of the risk.
• Malware, infected silicon, and the use of hacking skills against Critical Infrastructure are growing.
• Weak spares inventory due to Just-in-Time manufacturing.
• Loss of Critical Infrastructure can cause large residual economic damage.
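The "Weak authentication and access control" item in the Inherent Vulnerabilities list above is structural, not a configuration mistake: the request formats spoken between SCADA masters and RTUs/PLCs have no place to put a credential. The following added example (not from the page or UT Dallas) makes that concrete. The page names no protocol, so Modbus/TCP is used as a representative one because its framing is public; it encodes a coil-write request, shows that the bytes carry no identity, and then applies the compensating control a practitioner actually deploys, an allow-list of source host and function code enforced in front of the controller. IP addresses, coil numbers and the policy are constructed for the example.

```python
"""Added example: an unauthenticated control-system write and the access
control that has to be added around it. Modbus/TCP is used as a stand-in
for the protocol family the page describes; hosts and policy are constructed.
"""
import struct

MODBUS_PORT = 502
FC_READ_COILS = 0x01
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06


def build_write_single_coil(transaction_id: int, unit_id: int, coil: int, on: bool) -> bytes:
    """Encode a Modbus/TCP Write Single Coil request (function code 0x05).

    MBAP header: transaction id, protocol id (always 0), remaining length, unit id.
    PDU: function code, coil address, 0xFF00 for ON / 0x0000 for OFF.
    Note what is absent: no credential, no signature, no session key.
    """
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil, 0xFF00 if on else 0x0000)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame: bytes) -> dict:
    """Decode the MBAP header and function code of a Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": frame[7], "data": frame[8:]}


# Constructed policy: which hosts may issue which function codes to the PLC.
# This is the access control the protocol does not provide; it belongs on an
# inline firewall or proxy in front of the controller, since the PLC itself
# will execute any well-formed request it receives.
ALLOWED = {
    "10.10.1.5": {FC_READ_COILS, FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER},  # HMI
    "10.10.1.9": {FC_READ_COILS},                                                  # historian, read-only
}


def authorize(src_ip: str, frame: bytes) -> tuple:
    """Decide whether to forward a request: (allowed, reason).
    Anything not explicitly permitted for this source is dropped."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    fc = req["function_code"]
    if fc in ALLOWED.get(src_ip, set()):
        return True, f"allow fc=0x{fc:02x} from {src_ip}"
    return False, f"deny fc=0x{fc:02x} from {src_ip} (not in policy)"


if __name__ == "__main__":
    frame = build_write_single_coil(transaction_id=1, unit_id=1, coil=7, on=True)
    print(frame.hex())
    # Identical bytes from three senders: the protocol cannot tell them apart.
    for src in ("10.10.1.5", "10.10.1.9", "192.168.77.200"):
        print(src, authorize(src, frame))
```

The point of running the same frame through three source addresses is that the PLC would act on all three; only the surrounding network can distinguish the HMI from a laptop plugged into the control segment, which is why segmentation and protocol-aware filtering, rather than patching the controller, are the usual first remediation.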
Von Neumann Machines
• A self-replicating machine is an artificial construct that is theoretically capable of autonomously manufacturing a copy of itself using raw materials taken from its environment.
• This year marks the 40th anniversary of Creeper, the world's first computer virus. From Creeper to Stuxnet, the last four decades saw the number of malware instances boom from 1,300 in 1990, to 50,000 in 2000, to over 200 million in 2010.

Future Issues
• Taboo subject
• Supply chain "purity"
• Skill shortages
• Ignorance of potential "design risk" problems
• Cyber terrorism and extortion
• Polymorphic malware
• Defender versus Attacker
• Constant growth in complexity and risk
• Government to the rescue?