Cyber-Security for Airports Larry Jaffe, CISSP 2012 Public Safety & Security Fall Conference August 13, 2012 - August 16, 2012 / Arlington, VA

Larry Jaffe, AECOM, US-PSS


Page 1: Larry Jaffe, AECOM, US-PSS

Cyber-Security for Airports

Larry Jaffe, CISSP

2012 Public Safety & Security Fall Conference

August 13, 2012 - August 16, 2012 / Arlington, VA

Page 2

Why Cyber Security?

• Intelligence Community, former Director of National Intelligence Mike McConnell:
– "A relatively small number of attackers with limited, but well-positioned resources could disrupt […] the transportation system. If they did it at the right time of the year -- freezing weather, for example -- it would cause traffic disruption and if it were sustained for some period of time, you could imagine the chaos that would ensue."

Page 3

History

• June 1982 – Devastating explosion in Siberian gas pipeline caused by logic bomb (CIA).
– The result "was the most monumental non-nuclear explosion and fire ever seen from space". Thomas Reed, former AF Secretary
• February 2000 – 264,000 gallons of sewage intentionally released.
– "Insider" Vitek Boden gained access into the controls of the sewer system of Australia's Maroochy Shire Council.
• 2003 – Slammer worm intrusion into Davis-Besse Ohio nuclear plant network.
– Rendered the network useless.
• August 2003 – Worm infects CSX telecommunications network that supported both their signal system and dispatch system.
– Passenger and freight train traffic halted in 23 states.
• April 2007 – Estonia: wide-scale DDoS (Russia).
– A flood of internet traffic disabled the country's main websites, briefly shutting down vital public services and crippling businesses such as online banking.
• August 2008 – Georgia full-scale cyber attack (DDoS, Russia).
– A website called StopGeorgia provided a utility called DoSHTTP. The attack was as simple as entering the address and clicking a button labeled "Start Flood".

Page 4

Recent Example

• 2009 - 2010 – Stuxnet worm attack targets Iranian nuclear program. Also infects India and Pakistan.
– SCADA targeting capability
– Stuxnet uses two compromised security certificates (stolen from firms in Taiwan) and a previously unknown security hole in Windows to launch itself automatically from a memory stick.
– Targets particular Siemens controllers and a specific configuration of devices.

Page 5

Current Threats

Copycat Attacks Based on Stuxnet

Stuxnet may be the most significant malware development of the last decade.

"Stuxnet can attack factory systems and alter automation processes, therefore making cyber sabotage a reality by causing actual real-world damage," says Mikko Hypponen, Chief Research Officer at F-Secure.

The financial and R&D investment required, combined with the fact that there's no obvious money-making mechanism, suggests only a terror group or a nation-state could have created Stuxnet. And it's not likely that a terror group would have such resources.

But now that the proverbial cat is out of the bag, similar attacks can be engineered with less effort.

"And unfortunately it's likely that we will see Stuxnet copycats in the future," says Hypponen.

Page 6

Airport-Specific Targets

But airport security systems are stand-alone… Or are they?

Page 7

Threat Vectors

• Links between badging systems and access control
• Links between video systems and access control
• Internet-facing badging systems
• Links between security and airport operational support systems
• Internet-facing mobile applications
• Federal agency interfacing systems
• Internet-facing maintenance ports
• Source software viruses
• Physical interference

Page 8

Threat Vectors to Individual Systems

• Unauthorized external access
• Unauthorized internal access
• Accidental system change
• Incorrect system configuration
• Incorrect network configuration
• Unprotected back doors
• Information leakage
• Environmental control failures
• Physical access
• Social engineering
• Denial of wireless service

Page 9

Mitigations

• Physical and environmental security
• Physical separation
• Logical separation
• Firewalls
• Intrusion detection
• Source scanning
• Private RF networks

Page 10

Physical & Environmental Factors

Page 11

Physical Security

• A major cause of downtime in the IT world is theft, either of hardware or of information.
– Servers, workstations, and all network equipment should be placed in a secured area.
– Lock equipment huts, cabinets, closets, and servers.
– Lock or remove floppy and CD drives from workstations.
– Disable unused USB ports to prevent memory sticks or other uncontrolled devices from being connected to the system.

Page 12

Environmental Security

• Protect from severe weather, vandalism, accidents.
• Provide appropriate heating and cooling for the equipment and the location.
• Preventive maintenance program.
– Batteries, generators, cooling system
– Avoid "Run to Fail" scenario
• Protect power lines and sources.
• Provide an uninterruptible power supply (UPS).
– If the site has an emergency generator, the UPS battery life may only need to be a few seconds; however, if you rely on external power, the UPS probably needs several hours' supply.
• Place redundant equipment on different UPSs or power sources.
• Monitor all back-up systems remotely.

Page 13

Defense in Depth

Page 14

Defense in Depth

US-CERT: Control Systems - Recommended Practices
http://www.us-cert.gov/control_systems/practices/Secure_Architecture_Design.html#nogo

Page 15

Thank You

[email protected]

Page 16

Security Basics and Risk

Page 17

Security Basics

• What is cybersecurity?
– Protecting your sensitive and valuable information and services from unauthorized publication, tampering or collapse caused by unauthorized activities, untrustworthy individuals and unplanned events.
• C.I.A.
– Confidentiality
– Integrity
– Availability
• Administrative Controls
– OPSEC
• Technical Controls

Example C.I.A. ratings by system:

System                 C       I       A
Toll Pay               High    High    Medium
Timecard               Low     High    Medium
Traffic Light Control  Low     Medium  High
Traffic Cams           Low     Low     Medium

Page 18

Risk Management

• Threat agents X threat vectors = vulnerabilities
• Vulnerability X impact X probability of occurrence = risk
• Risk – mitigations = residual risk
• Transfer (insure, regulate) or accept

Page 19

Threat Agents

• State actors collecting information for a possible attack
• Malicious groups/individuals looking for notoriety
• Criminal organizations intending to extort the state or individuals
• Disgruntled employees
• Youths with too much time on their hands

Page 20

Threat Vectors

• Unauthorized external access
• Unauthorized internal access
• Accidental system change
• Incorrect configuration
• Viruses
• Trojans
• Back doors
• Information leakage
• Environmental control failures
• Physical access
• Remote access
• Social engineering
• Denial of service

Page 21

Mitigations

• Physical and environmental security
– Access control
• Network and device security
– Top 10 vulnerabilities
– Zero-day attacks
• Information security

Page 22

Physical & Environmental Factors

Page 23

Physical Security

• A major cause of downtime in the IT world is hardware theft, either of whole computers or of individual components such as disks and memory chips.
– Servers, workstations, and all network equipment should be placed in a secured area.
– Lock equipment huts, cabinets, closets, and servers.
– Secure computers and monitors to furniture and lock the cases.
– Lock or remove floppy and CD drives.
– Disable unused USB ports to prevent memory sticks or other uncontrolled devices from being connected to the system.
• Such devices may be used to introduce viruses or other malware.
– Disable or physically protect the power button to prevent unauthorized use.
– Use thin clients wherever possible.

Page 24

Access Control

• Secure areas should be under electronic access control security with full audit capabilities and video surveillance.
– Audit trail data should include the date, time and individuals who accessed the room.
• Hubs and cabinets should use high-security locks less vulnerable to bumping and picking.
• Manage access to keys. (Get back contractors' keys.)
• Electronic security provides an audit trail and a means to restrict access without needing to manage physical keys.

Page 25

Animal Factor

• Limit the pathways in and out of cabling infrastructure.
• Use conduit plugging materials.
• Bait known locations of animal infestation.
• Armored cabling may be required where historical problem areas occur.

Page 26

Environmental Security

• Protect from severe weather, vandalism, accidents.
• Provide appropriate heating and cooling for the equipment and the location.
• Preventive maintenance program.
– Batteries, generators, cooling system
– Avoid "Run to Fail" scenario
• Protect power lines and sources.
• Provide an uninterruptible power supply (UPS).
– If the site has an emergency generator, the UPS battery life may only need to be a few seconds; however, if you rely on external power, the UPS probably needs several hours' supply.
• Place redundant equipment on different UPSs or power sources.
• Monitor all back-up systems remotely.

Page 27

Environmental Factors

• Dust – Equipment should be located in a filtered environment to prevent the infiltration of dust, dirt and other contaminants.
• Vibration – The server or server rack should be mounted on rubber isolation pads to prevent disk drive damage and wiring connection problems in environments with structural vibration.
• Water – Equipment should be located in an area that is not susceptible to flood or liquid seepage. It should be elevated above the base floor level either by a raised floor or a mounting pad. It should be located in an area with no overhead piping that could break or otherwise leak into the equipment.
• Temperature and Humidity – The server should be located in an appropriately conditioned space with stable temperature and humidity conditions appropriate for the server, network equipment and stored backup media.

Page 28

Network and Device Security

Page 29

Viruses and Malware

• Viruses, spyware, trojans, rootkits, backdoors, and worms
• Means of entry
– Internet, malicious and compromised websites, etc.
– Business network (intranet)
– Email (spear phishing)
– External media: flash drives, floppy, CD, DVD, etc.

Page 30

Unpatched Software

• This is currently the primary initial infection vector used to compromise computers that have Internet access.
• Spear phishing – targeted email attacks exploiting client-side vulnerabilities in commonly used programs such as Adobe Reader (PDF), QuickTime, Adobe Flash and Microsoft Office.
• Infected web sites also target client-side vulnerabilities.

Page 31

Vulnerable Web Servers

• The largest proportion of attack attempts
• SQL injection
– Specially formulated strings used in web forms to change the database content or dump database information such as credit card numbers or passwords to the attacker.
• Cross-site scripting (XSS)
– Attackers inject client-side script into Web pages; the script is used to bypass access controls.

Page 32

Accidental Changes

• This threat encompasses inadvertent changes to executables or configuration files.

Page 33

Impact

• The intrusion of malicious software agents can result in:
– Performance degradation
– Loss of system availability
– The capture, modification, or deletion of data
– Incorrect execution of controls causing damage and mayhem
– Unauthorized control of ITS components and systems
– Loss of prestige if the external access becomes public knowledge

Page 34

Mitigation Techniques – Anti-Virus

• Use anti-virus and anti-malware on all server and client machines.
• Ensure that your virus protection is up to date on all nodes in the ITS and the systems connected to it.
– Signature files need to be updated frequently without Administrator action.
• Scan all media on a standalone system before introducing it to the ITS network.
• Testing for impact to ITS software on non-production servers is highly recommended.
• Adopt an active virus scanning strategy.
– Review scan reports regularly.

Page 35

Safeguards

• Keep software patches up to date
• Remove email clients from all control system computers
• Remove instant messaging clients from ITS computers
• Eliminate internet access from all control system computers
• Secure or eliminate remote access to ITS network nodes
• Use a firewall and DMZ for the administrative network to control network access
• Do not allow any system to be connected to both the ITS network and the business network simultaneously

Page 36

Safeguards

• Set the minimum level of privilege for all accounts
– Use group policy on Windows machines
• Enforce a strong password policy
• Use physical security for ITS systems
• Do not allow the use of unauthorized removable media on your system
• Monitor system access
– Turn on audit trails and logging
– Review logs periodically

Page 37

Turn Off Unused System Services

• System services are background processes started by the system at boot time to provide functionality independently of any logged-on user.
• Many of the Windows system default services are not needed (YMMV):
– Application Host Helper Service
– COM+ Event System
– Application Information
– DCOM Server Process
– Base Filtering Engine
– Distributed Link Tracking
– Computer Browser
– DNS Client

Page 38

Safeguards

• Prevent the use of unauthorized laptops on the ITS network
• Ensure strong access controls are in place on the file system, directory, and file shares
• Set the BIOS to boot only from the C drive
• Set a BIOS password (check that this does not prevent automatic startup)
• Secure wireless devices
• Disaster recovery planning

Page 39

Network Equipment Mitigations

• Equipment should have a unique name and be secured by a strong password or more advanced security such as RADIUS.
• Disable HTTP and Telnet
– Only enable them for maintenance windows
• Disable unused physical ports
• Use access control lists on active ports
• See Cisco's Security Configuration Guide for many more recommendations

Page 40

Field Device Mitigations

• Many ITS field devices are intelligent programmable controllers, with the ability to be manipulated through loader software running on a laptop or similar computer connected directly to them.
• Default passwords for hardware devices should be changed from their default setting.
• Protect network cables from damage and unauthorized connection.
• Any laptop computers that connect to the network should have wireless cards and Bluetooth disabled.
– A physical LAN connection to a laptop with unsecured wireless cards broadcasting Wi-Fi can act as a bridge to the entire network.

Page 41

Wireless Security

• Radio frequency survey
– Prior to deploying wireless devices, a radio frequency (RF) survey should be carried out to determine:
• Areas where wireless access is needed
• Areas where wireless access should not be allowed or made available
• The number and placement of Wireless Access Points (WAPs)
• Antenna strengths for each WAP

Page 42

Wireless Security – Configuring WAPs

• When configuring a wireless access point (WAP) it is recommended that you:
– Configure a unique SSID. Do not use the default SSID.
– Disable SSID broadcast.
– Configure authentication for EAP authentication to the network. PEAP is preferred.
– Configure the RADIUS server address.
– Configure for WPA2 Enterprise.
– Change the WAP password. Do not use the default password.
– Configure 802.1x authentication.
– Enable MAC filtering and enter MAC addresses for wireless stations.
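The checklist above can be turned into an automated review of an access point's configuration file. The following is an added example, not from the slides or from AECOM: it parses a hostapd-style configuration (the option names are hostapd's own; the two sample configurations, the SSID and the RADIUS address are constructed) and reports every checklist item the configuration fails.

```python
# Added example (not from the slides): checks a hostapd-style WAP configuration
# against the checklist on this slide. The option names are hostapd's own; the
# two sample configurations, the SSID and the addresses are constructed.
# The management (admin) password lives outside this file and is not checked.

# Constructed sample: a WAP left close to factory defaults.
WEAK_CONFIG = """
interface=wlan0
ssid=default
ignore_broadcast_ssid=0
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=admin
"""

# The same WAP configured the way the slide recommends: hidden unique SSID,
# WPA2 Enterprise with EAP over 802.1X against a RADIUS server, MAC filtering.
HARDENED_CONFIG = """
interface=wlan0
ssid=KXYZ-OPS-WAP07
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.20.30.40
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-shared-secret
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

# Factory SSIDs commonly seen on unconfigured access points (constructed list).
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "cisco", "wireless"}


def parse_config(text):
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def check_wap(cfg):
    """Return one finding per failed checklist item; an empty list means all pass."""
    findings = []
    ssid = cfg.get("ssid", "")
    if not ssid or ssid.lower() in DEFAULT_SSIDS:
        findings.append("default or empty SSID")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast enabled")
    if cfg.get("wpa") != "2":
        findings.append("WPA2 not enforced")
    if "WPA-EAP" not in cfg.get("wpa_key_mgmt", ""):
        findings.append("EAP authentication not configured")
    if cfg.get("ieee8021x") != "1":
        findings.append("802.1X not enabled")
    if not cfg.get("auth_server_addr"):
        findings.append("no RADIUS server address")
    if cfg.get("macaddr_acl") != "1" or not cfg.get("accept_mac_file"):
        findings.append("MAC filtering not enabled")
    if "wpa_passphrase" in cfg:
        findings.append("pre-shared passphrase present (not Enterprise mode)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_wap(parse_config(text)) or ["OK"])
```

The weak configuration produces eight findings; the hardened one produces none.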

Page 43

Vulnerability Testing

• Perform vulnerability scans on non-production equipment only
– Tenable Network Security Nessus with SCADA extensions
– Nmap
– GLEG Agora with SCADA+ Exploit Pack
– Metasploit
• Only allow port scanning at the perimeter of your ITS, that is, from outside the firewall, pointing into the DMZ.
• Do not allow port scanning of online systems within the ITS, as this could lead not only to performance degradation but to system failure.

Page 44

System Monitoring

• Set up and analyze audit logs
– Enable auditing of file system and registry access
– Audit logs should be reviewed frequently by a responsible person, who can take action if unexpected activity is seen
• Detecting intrusion
– Network Intrusion Detection Systems scan incoming network packets and look for unusual traffic or for specific malformed packets known to be associated with attacks
– Host Intrusion Detection does so at each host
– Intrusion Prevention Systems take action such as blocking traffic or even disconnecting the computer from the network
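The audit-log review above is easier to do reliably when the "unexpected activity" is defined up front. The following is an added example, not from the slides or from AECOM: it reads file-system audit records and flags every write or delete to the ITS executables and configuration files (the targets of the "Accidental Changes" slide) that no approved change covers. The record layout, sample records, paths, accounts and approvals are all constructed.

```python
# Added example (not from the slides): reviews file-system audit records for
# changes to ITS executables and configuration files that no approved change
# covers, the review this slide asks a responsible person to do. The record
# layout (tab-separated timestamp, host, account, action, path), the sample
# records, the paths and the approvals are all constructed.
from datetime import datetime

# Constructed audit trail from one ITS server (one record per line).
AUDIT_LINES = """\
2012-08-14T02:10:05\tITS-SRV1\tsvc_backup\tREAD\tC:\\ITS\\config\\plc_map.xml
2012-08-14T09:15:42\tITS-SRV1\tjdoe\tWRITE\tC:\\ITS\\config\\plc_map.xml
2012-08-14T09:16:10\tITS-SRV1\tjdoe\tWRITE\tC:\\ITS\\bin\\scada_host.exe
2012-08-14T13:40:00\tITS-SRV1\tmsmith\tWRITE\tC:\\ITS\\config\\plc_map.xml
2012-08-14T22:05:31\tITS-SRV1\tadmin\tDELETE\tC:\\ITS\\bin\\loader.exe
2012-08-14T22:06:00\tITS-SRV1\tadmin\tWRITE\tC:\\Users\\admin\\notes.txt
"""

# Directories holding the executables and configuration files whose
# inadvertent modification the 'Accidental Changes' slide warns about.
WATCHED_PREFIXES = ("C:\\ITS\\bin\\", "C:\\ITS\\config\\")
CHANGE_ACTIONS = {"WRITE", "DELETE"}

# Constructed change-management approvals: account, path, approved window.
APPROVED_CHANGES = [
    ("msmith", "C:\\ITS\\config\\plc_map.xml",
     datetime(2012, 8, 14, 13, 0), datetime(2012, 8, 14, 14, 0)),
]


def parse_record(line):
    """Split one tab-separated record into a dict with a parsed timestamp."""
    ts, host, account, action, path = line.split("\t")
    return {"time": datetime.fromisoformat(ts), "host": host,
            "account": account, "action": action, "path": path}


def is_approved(rec):
    """True if an approval names this account and path and covers the time."""
    for account, path, start, end in APPROVED_CHANGES:
        if (rec["account"] == account and rec["path"] == path
                and start <= rec["time"] <= end):
            return True
    return False


def review_audit(text):
    """Return the records that changed a watched file outside any approval.

    Reads are not flagged: the slide's concern is modification. Changes to
    files outside the watched directories are left to other controls."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["action"] not in CHANGE_ACTIONS:
            continue
        if not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        if not is_approved(rec):
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in review_audit(AUDIT_LINES):
        print(a["time"], a["account"], a["action"], a["path"])
```

On the sample trail, the approved change by msmith is silent and the three unapproved changes (two by jdoe, one delete by admin) are reported for follow-up.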

Page 45

File System and Registry Protection

• Protect files, directories and registry keys with Access Control Lists (ACLs).
– An ACL is a list of user accounts and groups, in which each entry specifies a set of allowed or disallowed actions.
– In the case of a file, actions include open, read, write, modify permissions, and so on.
– When applied to a directory, the permissions are, by default, inherited by all subordinate files and directories. The inheritance can be broken if required.
– Test for non-interference with system operations.
• Consider encryption of data at rest.

Page 46

Vendor-Specific Security Features

• Investigate the security features of your equipment
• Ask potential vendors what they offer
• You drive vendor priorities, so make security a top priority for them

Page 47

Information Security

Page 48

Information Leakage

• Removable/portable media
• Official documents
• Remote access
• Misconfigured perimeter security devices
• Equipment manuals
– Default passwords

Page 49

Defense in Depth

Page 50

Building Security Into the System

• System security engineering
– https://buildsecurityin.us-cert.gov/bsi/home.html
• Secure Architecture Design

Page 51

Defense in Depth

US-CERT: Control Systems - Recommended Practices
http://www.us-cert.gov/control_systems/practices/Secure_Architecture_Design.html#nogo

Page 52

The Demilitarized Zone

• A demilitarized zone (DMZ) serves as a buffer zone between the ITS network and the business network. It is a separate network segment connected directly to the firewall.
• Servers placed in the DMZ can be accessed by nodes at Level 3, permitting the supply of data but preventing nodes at Level 3 from having direct access to any systems on the levels below.
• It is recommended that direct access between the two networks is avoided by having each network only access nodes in the DMZ. By eliminating the direct connection between the nodes in the ITSN and the business network, the security of each network is increased.
• With any external connections the minimum access should be permitted through the firewall. Only identified ports required for specific communication should be opened.
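The two properties stated on this slide (every network reaches only the DMZ, and only identified ports are opened) can be checked mechanically against a firewall rule table. The following is an added example, not from the slides or from US-CERT: it models the three zones as a first-match rule table, evaluates sample flows, and lints the table for rules that break either property. Zone address ranges, ports and rule contents are constructed.

```python
# Added example (not from the slides or from US-CERT): models the three-zone
# layout on this slide (business network at Level 3, DMZ, ITS network) as a
# first-match firewall rule table and lints it for the two properties stated
# here: every permitted flow terminates in the DMZ and names a specific port.
# Zone address ranges, ports and rule contents are constructed.
from ipaddress import ip_address, ip_network

ZONES = {
    "business": ip_network("10.1.0.0/16"),   # Level 3
    "dmz":      ip_network("10.2.0.0/24"),
    "its":      ip_network("10.3.0.0/16"),   # levels below
}


def zone_of(addr):
    """Map an address to its zone name; anything outside the table is external."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "external"


# Rule tuple: (source zone, destination zone, destination port or None for any,
# verdict). First match wins; an unmatched flow is dropped.
GOOD_RULES = [
    ("business", "dmz", 443,  "allow"),   # business users read the DMZ data server
    ("its",      "dmz", 5432, "allow"),   # ITS pushes data into the DMZ server
    ("business", "its", None, "deny"),    # stated explicitly for audit readability
    ("its",      "business", None, "deny"),
]

# The same table with the shortcut an administrator might add "temporarily".
BAD_RULES = [
    ("business", "dmz", 443,  "allow"),
    ("its",      "dmz", 5432, "allow"),
    ("business", "its", None, "allow"),   # direct Level 3 -> ITS, any port
    ("its",      "business", None, "deny"),
]


def evaluate(rules, src, dst, port):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, rule_port, verdict in rules:
        if rule_src == s and rule_dst == d and rule_port in (None, port):
            return verdict
    return "deny"


def lint(rules):
    """List every allow rule that violates the slide's DMZ properties."""
    problems = []
    for i, (rule_src, rule_dst, rule_port, verdict) in enumerate(rules):
        if verdict != "allow":
            continue
        if rule_dst != "dmz":
            problems.append(f"rule {i}: {rule_src}->{rule_dst} bypasses the DMZ")
        if rule_port is None:
            problems.append(f"rule {i}: allow rule does not name a specific port")
    return problems


if __name__ == "__main__":
    print(lint(GOOD_RULES) or ["policy OK"])
    print(lint(BAD_RULES))
```

Running the lint as part of change management (see the later slide on that topic) catches the "temporary" shortcut before it reaches the firewall.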

Page 53

Building a Security Program in Your Organization

Page 54

Forming a Security Team

• Define executive sponsors. It will be easier to ensure the success of security procedures if you have the backing of senior management.
• Executive sponsorship and a formal team structure is a recommendation for the security program. The actual process steps that follow are more critical to the success of the program.
• Establish a cross-functional security core team consisting of representatives from:
– Building management (those responsible for running and maintaining the building HVAC, fire and security subsystems)
– Business applications (those responsible for applications interfaced to the Building Management system such as Human Resources, Physical Security etc.)
– IT system administration
– IT network administration
– IT security

Page 55

Identifying Assets

• In this context the term asset implies anything of value to the company. The term includes equipment, intellectual property such as historical data and algorithms, and infrastructure such as network bandwidth and computing power.
• In identifying assets that are at risk you need to consider:
– People, for example, your employees and the broader community to which they and your enterprise belong.
– Equipment and assets, for example ITS equipment.
– Plant equipment: network equipment (routers, switches, firewalls) and ancillary items used to build the system.
– Network configuration information (such as routing tables and ACLs).
– Intangible assets such as bandwidth and speed.
– Computer equipment.
– Information on computing equipment (databases) and other intellectual property.

Page 56

Identifying and Evaluating Threats

• You need to consider the potential within your system for unauthorized access to resources or information through the use of a network, and the unauthorized manipulation and alteration of information on a network.
• Potential threats to be considered include:
– People, for example, malicious users outside the company, malicious users within the company, and uninformed employees.
– Inanimate threats, for example, natural disasters (such as floods, earthquakes, fire) or malicious code such as a virus or denial of service.

Page 57

Identifying and Evaluating Vulnerabilities

• Potential vulnerabilities that should be addressed in your security strategy include:
– The absence of security policies and procedures
– Inadequate physical security
– Gateways from the Internet to the corporation
– Gateways between the business LAN and Building Control Network
– The improper management of modems
– Out-of-date virus software
– Out-of-date security patches or inadequate security configuration
– Inadequate or infrequent backups
• You might also want to use failure mode analysis to assess the robustness of your network architecture.

Page 58

Identify and Evaluate Privacy Issues

• Consider the potential for unauthorized access to personal data stored within your system.
• Any information which may be considered sensitive by an individual should be protected, along with all the methods used to access it.
– Home address
– Tag number
– Credit card information
• Review to ensure correct authorization is applied.
• The EZPass system is a prime example of a database holding personal information.

Page 59

Create Security Policies

• As part of your plan of defense you need to write policies and procedures to protect your assets from threats. The policies and procedures should cover your networks, your Windows nodes, and any other operating systems.
• You should also perform risk assessments on your ITS equipment. A full inventory of your assets will help you to identify threats and vulnerabilities.
• You are then in a better position to decide whether you can accept, mitigate, or transfer the risk.

Page 60

Implement Change Management

• A formal change management procedure is vital for ensuring that any modifications to the ITS Network meet the same security requirements as the components that were included in the original asset evaluation and the associated risk assessment and mitigation plans.
• Risk assessment should be performed on any change to the ITS Network that could affect security, including:
– Configuration changes.
– Addition of network components and installation of software.
– Changes to policies and procedures.

Page 61

Ongoing Maintenance

• Constant vigilance of your security position should involve:
– Regular monitoring of your system.
– Regular audits of your network security configuration.
– Regular security team meetings whose role it is to stay up to date with the latest threats and with the latest technologies for dealing with security issues.
– Ongoing risk assessments as new devices are placed on the network.
– The creation of an Incident Response Team.

Page 62

Security Response Team

• The responsibilities of a security response team (SRT) might include:
– Monitoring vendor software update sites.
– Monitoring antivirus software updates.
– Risk assessment of each security update, antivirus update, and any other update as it is made available.
– Determining the amount of verification required for any update and how the verification is to be performed.
– Determining when the update is to be installed. Ensuring the deployment of qualified security updates on the ITS servers and clients.
– Reviewing network infrastructure patches and configuration changes that will help to secure the network against the latest methods of attack.

Page 63

Resources

Page 64

Resources

• Certifying professional associations
– ISC2 (www.isc2.org)
– GIAC (www.giac.com)
• Governmental guidance
– DHS National Cyber Security Division's Control System Security Program (http://www.us-cert.gov/control_systems/) – background & training
– NIST SP800-82 Guide to Industrial Control Systems (ICS) Security
– 21 Steps to Improve Cyber Security of SCADA Networks (http://www.oe.netl.doe.gov/docs/prepare/21stepsbooklet.pdf)
• Certification agencies
– JITC (jitc.fhu.disa.mil)
– CCEVS (www.niap-ccevs.org)
• Certification and accreditation processes
– NIACAP

Page 65

Additional Security Resources

• You should also be proactive about security by reviewing additional security resources, for example:
• Cisco: http://www.cisco.com
• Microsoft: http://www.microsoft.com/technet/security
• National Cyber Security Partnership: http://www.cyberpartnership.org
• Computer Security Institute: http://www.gocsi.com
• SANS Internet Storm Centre: http://isc.sans.org
• CERT: http://www.cert.org