ICS Cyber Attacks: Fact vs. Fiction and Why it Matters

Transcription

1 ICS Cyber Attacks: Fact vs. Fiction and Why it Matters Presenter: Robert M.

2 Today s Agenda Fiction Fact: ICS Attacks Deconstructed What You Can Do About It

3 Read Coil Work Co Founder of Dragos Security SANS ICS 515 Active Defense and Incident Response course author SANS FOR 578 Cyber Threat Intelligence co author Background: Started in U.S. Intelligence Community as an Air Force Cyber Warfare Operations Officer Established/led first of its kind ICS threat intelligence and intrusion analysis mission Pursuing PhD at Kings College London with research into the cyber security of control systems

4 Fiction Little Bobby can be found at: and on

5 Chattanooga APT Bloomberg published A Decoy Computer Was Set Up Online. See Which Countries Attacked it the Most in Sept, 2014 Honeypot and recorded scans as attacks ICS honeypot saw 6,000 attacks from US CSO published Threat Intelligence Firm Mistakes Research for Nation State Attack in Oct, 2014 Stephen Hilt and other researchers performed scans for the Redpoint project/talk at DerbyCon Was not a real ICS honeypot See Kyle Wilhoit s research for a good example of a real ICS honeypot

6 2008 Turkey Pipeline Explosion Bloomberg published Mysterious 08 Turkey Pipeline Blast Opened New Cyberwar in Dec, 2014 Claimed the 2008 explosion at Baku Tbilisi Ceyhan pipeline was a Russian cyber attack according to anonymous Intelligence officials Reporter claimed anonymous ICS incident responders found the data SANS ICS Defense Use Case #1 Disputed Claims SANS ICS DUC: ICS IR data unlikely/unsupported Government reports identifying attack as a physical based terrorist attack SuedDeutsche article uncovered an internal report showing that the IP Cameras nor Wireless monitoring were installed until after the blast

7 Cyber Attacks on ICS by Iran Norse and AEI Published Reports on Iran attacking ICS Released public report with AEI with claims in April, 2015 AEI/Norse report made policy recommendations regarding Iran negotiations New York Times covered story highlighting the growing Iranian threat Disputed Claims The attacks were network scans against non ICS honeypots and unregistered IP addresses Expertise on Intelligence and ICS were lacking

8 Turkey 10 hour Blackout 10 Hour Power Failure in Majority of Turkey Bloomberg, CNN, and others hinted at reason potentially a cyber attack Multiple news agencies cited the Bloomberg 2008 Pipeline report and the Norse/AEI Iranian report as evidence of a potential cyber attack Claims surfaced that this threat could threaten European grids Result Turkey government officials identified faults at two power plants Izmir and Adana Cukurova which resulted in 5 10% capacity loss The faults were poorly executed maintenance on transmission lines The capacity loss had effects on the interconnected system and caused a shut down of systems in multiple areas

9 Fact: ICS Cyber Attacks Deconstructed

10 What s the Point? 7

11 How Hard Is It? 7

12 ICS Cyber Attack: Stage 1 7

13 ICS Cyber Attack: Stage 2 7

14 Real ICS Threats Cyber Incidents Stuxnet Campaign Recon (APT1 and OpCleaver) HAVEX BlackEnergy2 German Steelworks Incidental Malware The following slides (attack maps) were developed by Michael Assante

15 Observable Steps to an ICS Attack [STUXNET] STUXNET STAGE 1 Intrusion Reconnaissance Observable Steps www Weaponization Targeting Delivery External Network Hosts (Business or Plant Network) Common Protocols Exploit Install / Modify DMZ Applications Common Protocols C2 Act Supervisory Control Elements (Network, Applications, Servers) Common & Industrial Protocols STAGE 2 ICS Attack Develop Control Elements (PLCs, RTUs, SIS) Industrial Protocols Test Deliver Sensors & Actuators IO Fieldbus using Industrial Protocols Install / Modify Execute ICS Attack Attack with Impact

16 Observable Steps to an ICS Attack [APT1] APT1 STAGE 1 Intrusion Observable Steps Reconnaissance Weaponization Targeting E mail Delivery External Network Hosts (Business or Plant Network) Common Protocols Exploit Install / Modify DMZ Applications Common Protocols C2 Act Supervisory Control Elements (Network, Applications, Servers) Common & Industrial Protocols STAGE 2 ICS Attack Develop? Control Elements (PLCs, RTUs, SIS) Industrial Protocols Test Deliver Sensors & Actuators IO Fieldbus using Industrial Protocols Install / Modify Execute ICS Attack Attack with Impact

17 Observable Steps to an ICS Attack [OpCleaver] STAGE 1 Intrusion Observable Steps Iranian Actors Stage 1 only involving ICS users but no evidence of Stage 2 Intent Reconnaissance Weaponization Targeting Delivery Exploit External Network Hosts (Business or Plant Network) Common Protocols Install / Modify C2 DMZ Applications Common Protocols Act Supervisory Control Elements (Network, Applications, Servers) Common & Industrial Protocols STAGE 2 ICS Attack Develop Test Control Elements (PLCs, RTUs, SIS) Industrial Protocols Deliver Install / Modify Sensors & Actuators IO Fieldbus using Industrial Protocols Execute ICS Attack Attack with Impact

18 Observable Steps to an ICS Attack [BE3] BE3 STAGE 1 Intrusion Reconnaissance Observable Steps BE 3 Weaponization Targeting Delivery Exploit Install / Modify BE 3 BE 3 External Network Hosts (Business or Plant Network) DMZ Applications E mail Common Protocols Common Protocols C2 Act STAGE 2 ICS Attack BE 3 BE 3 Supervisory Control Elements (Network, Applications, Servers) Common & Industrial Protocols Develop Test Control Elements (PLCs, RTUs, SIS) Industrial Protocols Deliver Install / Modify Sensors & Actuators IO Fieldbus using Industrial Protocols Execute ICS Attack Attack with Impact

19 STOP 1:0 1 Bul.1764 LIGHT 0:0 0 Bul.1764 TIMER1/DN T4:0 DN START 1:0 0 Bul.1764 LIGHT 0:0 0 Bul.1764 TIMER2/DN T4:3 DN TIMER1 TON Timer On Delay Timer T4:0 Time Base 0:01 Preset 12000< Accum 0< TIMER2 TON Timer On Delay Timer T4:3 Time Base 0:01 Preset 18000< Accum 0< LIGHT 0:0 0 Bul.1764 EN DN EN DN Observable Steps to an ICS Attack [HAVEX] HAVEX STAGE 1 Intrusion Reconnaissance Observable Steps 0002 www ICS Files Weaponization Targeting E mail ICS Webpages Delivery External NetworkHosts (Business or Plant Network) Common Protocols Exploit Install / Modify DMZ Applications Common Protocols C2 Act Supervisory Control Elements (Network, Applications, Servers) Common & Industrial Protocols STAGE 2 ICS Attack Develop Control Elements (PLCs, RTUs, SIS) Industrial Protocols Test Deliver Sensors & Actuators IO Fieldbus using Industrial Protocols Install / Modify Execute ICS Attack Attack with Impact

20 Observable Steps to an ICS Attack [Reports] STAGE 1 Intrusion Reconnaissance Observable Steps Possible Iranian Actors Weaponization Targeting Delivery Exploit Install / Modify C2 Act STAGE 2 ICS Attack Develop Test Deliver Install / Modify Execute ICS Attack Attack with Impact

21 Observable Steps to an ICS Attack [German Iron Works] Furnace STAGE 1 Intrusion Observable Steps Reconnaissance Weaponization Targeting E mail Delivery Exploit External Network Hosts (Business or Plant Network) Common Protocols Install / Modify DMZ Applications Common Protocols C2 Act Supervisory Control Elements (Network, Applications, Servers) Common & Industrial Protocols STAGE 2 ICS Attack Develop Test Control Elements (PLCs, RTUs, SIS) Industrial Protocols Deliver Install / Modify Sensors & Actuators IO Fieldbus using Industrial Protocols Execute ICS Attack Attack with Impact

22 Observable Steps to an IT Attack that Impacted ICS [Conficker] STAGE 1 Intrusion Reconnaissance Weaponization Targeting Observable Steps Conficker Remote Access Infection Delivery Exploit Install / Modify C2 Act External Network Hosts (Business or Plant Network) DMZ Applications Supervisory Control Elements (Network, Applications, Servers) Common Protocols Common Protocols Common & Industrial Protocols Control Elements (PLCs, RTUs, SIS) Industrial Protocols Sensors & Actuators IO Fieldbus using Industrial Protocols Conficker infected Windows based Control Elements Attack with Impact

23 What You Can Do About It

24 The Sliding Scale of Cyber Security Offense: Legal countermeasures, hack back, etc. Intelligence: Collecting data, exploiting it into information, and producing Intelligence Active Defense: Analysts monitor for, respond to, and learn from adversaries internal to the network Passive Defense: Provide protection without constant human interaction Firewalls, IPS, AV, etc. Architecture:: Supply chain, architecting the network, maintaining/patching

25 Cyber Engineering to build security into the products during their design Supply Chain protection to ensure no tampering at the start or with updates Architect the network with security in mind Network Hygiene up kept with patching/maintenance where possible Collection points to gather data

26 7

27 7

28 7

29 Offense? No, that d be silly!

30 Questions? Visit us at SANS ICS to keep up with our latest research, classes, and more: