Page 1

© 2011 IBM Corporation

v1.08

Cyber Security: How Serious is the Threat?

Evaluating the Business Case for Smart Grid Investments
October 20-21 2011, Rosen Shingle Creek Resort, Orlando, FL
Peter Allor, [email protected]
Senior Cyber Security Strategist

Page 2

Security is becoming a board room discussion

Business results

Sony estimates potential $1B long term impact – $171M / 100 customers

Supply chain

Epsilon breach impacts 100 national brands

Legal exposure

TJX estimates $150M class action settlement in release of credit / debit card info

Impact of hacktivism

Lulzsec 50-day hack-at-will spree impacts Nintendo, CIA, PBS, UK NHS, UK SOCA, Sony …

Audit risk

Zurich Insurance plc fined £2.275M ($3.8M) for the loss and exposure of 46K customer records

Brand image

HSBC data breach discloses 24K private banking customers

Page 3

An organization’s attack surface grows rapidly, increasing security complexity and management concerns

Diagram: the attack surface across four layers (People, Data, Applications, Infrastructure)

People: employees, consultants, hackers, terrorists, outsourcers, customers, suppliers

Applications: systems applications, web applications, Web 2.0, mobile apps

Data: structured, unstructured, at rest, in motion

77% of firms feel cyber-attacks are harder to detect and 34% have low confidence that they can prevent them; 75% felt effectiveness would increase with end-to-end solutions

Source: Ponemon Institute, June 2011

Page 4

End to End Security in Utilities

Diagram: end-to-end security concerns across the utility, from the meter to the data center (not all intersections shown).

Concerns called out: meter reliability; meter data validity; meter availability; confidentiality of customer personal information; AMI malware and cyber attacks; preventing HAN devices from attacking the grid; unauthorized meter disconnects/connects; preventing physical abuse of remote substation assets; video surveillance; secure communication links; preventing power pilferage; protecting sensitive assets; employee background checks; preventing accidents; meter theft; securely managing peak demand; accurate billing; SCADA network security; reliable communication; generation, transmission & distribution network; critical asset discovery & identification; data center network, system, application and data security; context-sensitive access control; asset & configuration management; service availability & performance management.

Security domains: confidentiality, integrity & availability; physical security; operations & processes; AMI & HAN security; incident management; SCADA security; key management; firmware updates; regulatory compliance.

Page 5

Energy & Utility Potential Problem Areas

Increased internal, industry, and government security policies, standards, and regulations

Logical and physical integration requirements

An increased number of end users and devices accessing your networks, applications, and data

Threats of viruses, worms, and Internet attacks

Regulatory requirements

• FERC

• NERC

• SOX

Varied locations & sources of identity information (native systems)

Unauthorized/undetected use of applications & systems

Challenges and risks inherent in next generation intelligent networks

Improve operational efficiency – manage costs

Protect security and privacy of critical assets

Page 6

Evolving Threats – Highlights for 2011 X-Force Mid-Year

An explosion of breaches has opened 2011, marking this year as “The Year of the Security Breach.”

A secure Web presence has become the Achilles heel of corporate IT security

IBM’s Rational Application Security Group research tested 678 sites (Fortune 500) – 40% contained client-side vulnerabilities

Mass endpoint exploitation is happening not only through browser vulnerabilities, but also through malicious movies and documents

IBM Managed Security Services show the favorite attacker methods are SQL injection, and the brute forcing of passwords, databases, and Windows shares

Page 7

Decline in web vulnerabilities

The total number of vulnerabilities declined – but it’s cyclical

Decline is in web application vulnerabilities

Page 8

Patching improvement

Significant improvement in unpatched vulnerabilities

Hasn’t dropped below 44% in over five years

Page 9

Multi-media & doc vulnerabilities increase

Significant increases in both categories

Attackers have zeroed in on software that consumers are running regardless of the browser

Recent efforts to sandbox these applications are not perfect

Page 10

Continued interest in Mobile vulnerabilities as enterprise users bring smartphones and tablets into the work place

Attackers finally warming to the opportunities these devices represent

Mobile OS exploits projected to double

Page 11

2011: The Year of the Security Breach

Litany of significant, widely reported breaches in first half

– Most victims presumed operationally competent

Boundaries of infrastructure are being extended and obliterated

– Cloud, mobility, social business, big data, more

Attacks are getting more and more sophisticated.

Page 12

Who is attacking our networks?

Page 13

Who is attacking our networks?

Page 14

Highest volume signatures

Page 15

Who is attacking our networks?

Page 16

New exploit packs show up all the time

Page 17

Zeus Crimeware Service

“Hosting for costs $50 for 3 months. This includes the following:

# Fully set up ZeuS Trojan with configured FUD binary.
# Log all information via Internet Explorer
# Log all FTP connections
# Steal banking data
# Steal credit cards
# Phish US, UK and RU banks
# Host file override
# All other ZeuS Trojan features
# Fully set up MalKit with stats viewer integrated.
# 10 IE 4/5/6/7 exploits
# 2 Firefox exploits
# 1 Opera exploit

We also host normal ZeuS clients for $10/month. This includes a fully set up zeus panel/configured binary”

Page 18

A member of Anonymous at the Occupy Wall Street protest in New York*

*Source: David Shankbone

Lulz Security logo

"The world's leaders in high-quality entertainment at your expense."

Hacktivists are politically motivated

One self-description is: “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”**

**Source: Yale Law and Technology, November 9, 2009

Page 19

Page 20

Anonymous proxies on the rise

About 4 times the amount from 3 years ago

Some used to hide attacks, some used to evade censorship

Page 21

Who is attacking our networks?

Page 22

Advanced Persistent Threat

Example of e-mail with malicious PDF

Page 23

Internet Intelligence Collection

– Scan the corporate website, Google, and Google News
• Who works there? What are their titles?
• Write index cards with names and titles

– Search for LinkedIn, Facebook, and Twitter profiles
• Who do these people work with?
• Fill in blanks in the org chart

– Who works with the information we’d like to target?
• What is their reporting structure?
• Who are their friends?
• What are they interested in?
• What is their email address? At work? Personal email?

Page 24

Page 25

Points of Access for Vulnerabilities

Regulators

Industrial Control System Vendors (SCADA)

Software (Operating Systems and Applications) Vendor Vulnerabilities

Security patches break product certification

Operator control via remote access (Modem and TCP/IP) for maintenance and/or multiple site readiness

Any Interface (SW to SW or System to System) is a prime target

Page 26

© ABB Inc. April 18, 2023 | Slide 26

Diagram labels: CYBER SECURITY CONTROLS, PHYSICAL SECURITY CONTROLS, SECURITY CONTROLS

Security for Industrial Control Systems (SCADA) – ICS security based on IEC 62443

Air-gap networks, apps and control data with firewalls, proxies

Page 27

Control Systems: Past & Present

Which Operational Technology (OT) systems are we talking about?

– Field sensors
– IEDs
– T&D control systems (SCADA)
– Energy Management Systems (EMS)
– Distribution Management Systems (DMS)
– Outage Management Systems (OMS)
– Demand Response Systems
– Smart Grid Communications equipment (SCADA)
– Meter Data Management Systems (MDMS)
– Asset Management (e.g., Maximo)
– Ops Centers (e.g., NOCs, SOCs)
– DCS and PLC systems in generating plants

Page 28

A TCP/IP Enabled World

Process Control Systems (PCS) migrating to TCP/IP networks

SCADA and DCS typically rely upon “wrapped” protocols
– Analog control and reporting protocols embedded in digital protocols
– Encryption and command integrity limitations
– Poor selection of TCP/IP protocols

Problems with patching embedded operating systems
– Controllers typically running outdated OS’s
– Security patches and updates not applied
– Difficulty patching the controllers

Page 29

Miniaturization and Bridging Networks

Professional attack tools are small enough to fit on a standard smartphone

Designed to “audit” and exploit discovered vulnerabilities

Wireless or wired attacks, and remote control

Smartphones also targeted
– Contact info.
– Bridge to network

Image: handheld hacking devices

Page 30

Bridging Networks

Softest targets appear to be the control centers
– Greatest use of “PC” systems
– Frequent external connectivity
– Entry-point to critical plant systems

Bridging control centers and the plant operational framework
– Network connectivity for ease of operational control
– Reliance on malware to proxy remote attacks

Page 31

Proliferation of Networked Devices

Switch from analog to digital controls

Incorporation of network standards
– TCP/IP communications
– Wireless communications

Replacement SKU parts include new features “free”
– Additional features may be “on” by default
– May be turned on by engineers

From analog to digital (+ networked)

Wireless integration

Page 32

Wireless RF / WiFi Attacks

Increased use of wireless technologies

Large security research focus
– Common topic/stream at hacking conferences

Packet radio software
– New tools and software to attack & eavesdrop on any RF transmission
– Community-based sharing of findings

Tools and guides on long-range interception of wireless technologies

A 14.6 dBi Yagi antenna that can make a WiFi connection from 10 miles

Page 33

ICS versus IT and Security

Industrial Control Systems (ICS) versus IT Systems:

– ICS protects the ability to operate safely and securely; IT protects the data on the client and in transit
– ICS: the end user is a computer; IT: the end user is a human
– ICS is a decentralized system to ensure availability / reliability; IT is a centralized system to achieve economy of scale
– ICS: remote access is available to field devices; IT: limited remote access
– ICS: source code is often sold with the system; IT: source code is limited and protected
– ICS: long life cycles; IT: relatively short life cycles
– ICS: not patchable; IT: patchable

Page 34

Finding Holes

Penetration Testing (remote) and Security Assessment (local)

National and International

15-20 unique security assessments in the last 5 yrs

America’s Hackable Backbone
The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant's owners claimed, that their critical components could be accessed from the Internet. Lunsford, a researcher for IBM's Internet Security Systems, found otherwise.

"It turned out to be one of the easiest penetration tests I'd ever done," he says. "By the first day, we had penetrated the network. Within a week, we were controlling a nuclear power plant. I thought, 'Gosh. This is a big problem.'"

Forbes, August 22nd 2007

Page 35

Common Security Assessment Findings

Weak protocols leave systems vulnerable

PCS networks lack overall segmentation

PCS networks lack antivirus protection

Standard operating systems leave the device open to well known security vulnerabilities

Most IP-based communications within the PCS network are not encrypted

Most PCS systems have limited-to-no logging enabled

Many organizations still rely heavily on physical security measures

Page 36

Not a technical problem, but a business challenge

Many of the 2011 breaches could have been prevented

However, significant effort required to inventory, identify and close every vulnerability

Financial & operational resistance is always encountered, so how much of an investment is enough?

Page 37

Questions?

Page 38

Thank you for your time today! Get engaged with IBM X-Force Research and Development…

Follow us at @ibmsecurity and @ibmxforce

Download X-Force security trend & risk reports: http://www-935.ibm.com/services/us/iss/xforce/

Subscribe to the security channel for the latest security videos: www.youtube.com/ibmsecuritysolutions

Attend in-person events: http://www.ibm.com/events/calendar/

Subscribe to X-Force alerts at http://iss.net/rss.php or Frequency X at http://blogs.iss.net/rss.php

Join the Institute for Advanced Security: www.instituteforadvancedsecurity.com