Cyber Security Seminar KTH

Transcription

1 Cyber Security Seminar KTH Defending the Smart Grid Appropriate Footer Information Here

2 Table of content Business Drivers Compliance APT; Stuxnet and Night Dragon The Short Term Future Readiness Improves Change in Defense Strategies What About Privacy and Integrity? What We Are Doing Right Now Current Cyber Security Posture Upcoming Technology External Engagements Challenges That Remain Cyber Security as Business Case (awareness and acceptance) How Do We Measure Success? Unified Vision Governments, Owners and Vendors 2

3 Business Drivers Defending the Smart Grid 3

4 Business Drivers Compliance NERC-CIP in NAM is still a strong driver Proposed changes of NERC-CIP will effect DMS systems (300 MW load shedding capabilities instead of 69 KV voltage level) Complex and manual audit compliance process Auditors require more and more detail IS Group moving into the EMS space Causing some conflicts as office IT security doesn t have availability as first priority Cyber War Hype in Media Recent incidents have put Cyber Security in headline news 4

5 Business Drivers APT Advanced Persistent Threat Well orchestrated industries rather than ad hoc hackers May be used to attack critical infrastructure Stuxnet Eye opener for many system owners First public appearance of the Hacker SCADA skills combo Interesting as defense strategy benchmark Night Dragon Companies in the oil and energy industry have been the victims of attempts to steal and other sensitive information from hackers believed to be in China 5

6 Business Drivers Not really driving business, but help set the stage CSPLCS Cyber Security Procurement Language for Control System remains a solid reference for traditional defenses (Also Teknisk Riktlinje TR4-02 from SvK) NISTIR 7628 Guidelines for Smart Grid Cyber Security follows up with a comprehensive effort to detail the Cyber Security challenges in a Smart Grid Standards like ISA-99, NIST SGIP-CSWG, IEC 62351, IEEE 1686, ISO 27002, Common Criteria etc Requirements expressed by system owners, usually when tendering for a new system or upgrade 6

7 The Short Term Future Defending the Smart Grid 7

8 The Short Term Future Readiness Improves The recent incidents and the regulatory enforcements in NAM help increase awareness of the absolutely real threat against critical infrastructure, but it is slow Iran is far away, right? Stakeholders still need help to quantify the risks in order to justify investments necessary to mitigate the threats Change in Defense Strategies APT clearly show us that the existing blacklisting technologies are ineffective. Avoiding Anti-Virus is part of the QA process of malware development (yes, malware is an industry!) Whitelisting technologies show a lot of promise as they don t have to scale, especially for slow changing environments like control systems 8

9 The Short Term Future Privacy and Integrity Integrating consumer meters and home energy management or automation system pose new problems Privacy is at risk as sensitive consumer data is exposed with the increase in information exchange between utilities and consumers. It is necessary to protect the data entities themselves rather than the transfer mechanism With the increased information exchange over public communication media expected in a Smart Grid, keeping the data intact and protected from manipulation becomes a challenge Non-repudiation becomes a necessity in a Smart Grid environment due to the large number of legal entities exchanging information with each other 9

10 What We Are Doing Right Now Defending the Smart Grid 10

11 What We Are Doing Right Now Our Current Cyber Security Posture We o Manage cyber security throughout the full lifecycle of our products, from tendering to development to deployment to governance o Evolve the products themselves to make them more and more secure following defense in-depth security principles like least privilege, default deny, privileged initiation, authentication, network partitioning, access control, auditability and accountability o Minimize and protect the environment in which the products operates o Have our products assessed by well-known and respected third-part cyber security researchers o Engage in cyber security working groups and committees o Have signed an OEM agreement with Industrial Defender, a third-party vendor of cyber security products and services o Do research and development of security functions tailored for control systems and associated support systems (GIS, planning, asset management, crew management, meter management, LOB etc) o Have excelled our CERT function in real life and in Cyber Storm III o Are developing training courses for cyber security governance, incident response and recovery 11

12 Existing Features in Network Manager VPN IPSec Security Zones Default Deny NIDS/HIDS Malware Prot VPN IPSec SIEM External Exchange Remote Access LOB Exchange Authentication Access Control Accountability Auditability Hardening Least Privilege Conf Mgmt Patch Mgmt Malware Prot Mgmt Quality Assurance Training Office Exchange 12

13 Analysis of Existing Mitigation Techniques Stuxnet as a benchmark Proven to penetrate systems protected according to best practices, Stuxnet can be used as a benchmark for defense strategies and technologies Attack Types Untargeted attacks (called Noise in this presentation) o Untargeted attacks are those that seek to infect any host for a generic purpose, for example to recruit members for botnets. Commonly staged by criminal organizations for monetary purposes alone. Targeted attacks (represented by Stuxnet in this presentation) o An attack is called targeted if it seeks out specific companies or organizations, or a specific software or IT-infrastructure o Operation Aurora is another example of a targeted attack, primarily aimed at theft of intellectual property from e.g. Adobe, Juniper and Rackspace

14 Analysis of Existing Mitigation Techniques Hardening Insure all hosts run at a minimum level. Only mission critical software, services, ports and devices are allowed. For example, the print spooler service exploited by Stuxnet is both disabled and filtered out by a host based firewall and removable media are prohibited in all hosts. Highly effective against Noise, significantly reduces the attack surface for Stuxnet Access Control Strong authentication and Role Based Access Control (RBAC) is a natural requirement in any security architecture, but is never stronger than the implementation. Stuxnet exploited two previously unknown vulnerabilities for privilege escalation, which effectively circumvented the access controls. Effective against Noise, ineffective against Stuxnet 14

15 Analysis of Existing Mitigation Techniques Network Partitioning Insure cyber assets are isolated, categorized by criticality, external interfaces and physical location. Highly effective against Noise (deny Internet access), significantly reduces the attack surface for Stuxnet. (The most common attack vectors today are client side, internet enabled applications like Acrobat Reader and IE) Intrusion Detection/Prevention Deploy sensors or agents on all hosts, perform log management of all devices, and use security information and event management (SIEM) to detect and possibly respond to anomalies in the system. Effective against Noise, would probably have detected Stuxnet 15

16 Analysis of Existing Mitigation Techniques Patch Management Processes and technology to insure that all available security updates that are verified not to interfere with system operation are installed in all hosts. Highly effective against Noise, did not stop Stuxnet Anti-Virus Employs blacklist, heuristic, and behavioral detection and prevention of malware. Works well with Noise, ineffective against Stuxnet. Increasingly intrusive and resource intensive Application Whitelisting Only allows pre-approved software to execute. Less intrusive than Anti-Virus. Effective against both Noise and Stuxnet. 16

17 Analysis of Existing Mitigation Techniques Traffic Whitelisting Only accepts pre-approved traffic through stateful and deep packet inspection. Effective against both Noise and Stuxnet Compliance Management Centralized collection of the current state of the system with respect to enforced policies. Provide easy to mange executive summary of the compliance level Does not provide protection, but can give a dashboard overview of the full system state and the necessary reports to satisfy auditors 17

18 Analysis of Existing Mitigation Techniques Security Management Controls The Foundation for all soft aspects of cyber security with respect to personnel and information. Required for successful deployment and governance of security architectures as it implements the blue prints for both organizational and technological activities. Security Assessments Verifies and validates the blue prints realized by the security management controls. Typically conducted by external parties. Useful for both vendors and asset owners. Wide range of scope, from penetration tests of a selected software components, to source code reviews, to assessment of the security architecture, to the full scope of a security policy. May result in activities that can limit the effectiveness of targeted attacks. 18

19 Analysis of Existing Mitigation Techniques Technology Mitigation Mitigates Noise Mitigates Stuxnet Supported in NM5.0 Supported in NM5.4 Hardening Yes Partly Yes Yes Access Control Yes No Yes Yes Network Partitioning Yes Partly Yes Yes Intrusion Detection/Prevention Yes Partly No Yes Patch Management Yes No Yes Yes Anti Virus Mostly 1 No Yes Yes Application White-listing Yes Yes No Yes Traffic White-listing Yes Yes No Yes Compliance Management No No No Yes 1 Trusteer analysis show that AV only stops 23% of the Zeus malware permutations 19

20 Upcoming Technologies IEC Hardening Authentication Access Control App Whitelisting Compliance Mgmt Traffic Whitelisting Malware Protection Data Diodes 20

21 External Engagements OEM agreement with Industrial Defender, highlights ABB has made a strategic investment in Industrial Defender Integrated Industrial Defender Solutions have been tested and validated in ABB Labs Globally ABB will sell ID technology into installed base and quote on new system bids ABB acquires access to best of breed security technology to sell into their account base Industrial Defender obtains access to ABB sales channel and account base Dedicated Sales and Systems Engineering Support for ABB Sales Channels 21

22 External Engagements Key cyber security initiatives supported and driven by ABB Status NIST SGIP-CSWG NERC CIP Smart Grid Interoperability Panel Cyber Security Working Group Cyber Security regulation for North American Power Utilities On-going Released, On-going Partly IEC Data and Communications Security released, On-going IEEE PSRC H13 IEEE 1686 ISA S99 Cyber Security Requirements for Substation Automation, Protection and Control Systems IEEE Standard for Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities Industrial Automation and Control System Security On-going Finalized Partly released, On-going ICSJWG Industrial Control System Joint Working Group On-going 22

23 External Engagements Resilience working group within IEEE A new working group is brewing focusing on control system resilience, which include cyber security and safety aspects Third party assessments We continue our collaborations with third party well known and respected cyber security researchers with domain expertise to assess the posture of our products Software Development Lifecycle and Secure Coding We engage well known and respected domain experts on secure software development and deployment Third party vendors of Smart Grid Components In addition to Smart Grid functionality like Demand Response, Cyber Security will be by design 23

24 Challenges that Remain Defending the Smart Grid 24

25 Challenges that Remain Cyber Security as Business Case Key problem that inhibit the progress of mitigation No return of investment Up-time used as key performance indicator Risk assessments are based on known threats, and are true until there is an incident There is a fundamental problem in identifying threats as they are either: o Untargeted noise attacks that are relatively easy to filter out assuming that your system isn t a fingerprinted target. There are proven technologies to help mitigate these, and may be considered a justified insurance o Targeted attacks which will bypass the traditional defenses and is therefore very difficult if not impossible to defend against today. Does that mean we shouldn t try? 25

26 Challenges that Remain How Do We Measure Success? After producing a mitigation strategy and the implementation of mitigation technologies and processes, how do we know we are successful? Up-time? No of dropped attacks? No of installed technologies? No of red team assessments? No of quarantined items? No of security alerts in the SIEM? Suggestions? 26

27 Challenges that Remain Unified Vision Governments, Owners, Vendors and Researchers Cyber Security is a challenge to the whole industry, and should be our joint concern We all want to have the best possible protection of our critical infrastructure The Smart Grid pilots in Sweden pose an excellent opportunity for us all to use our combined visions and experiences to reach the most secure solution Let us use these pilots, and possibly other forums as well, to find and agree on common strategies for Cyber Security rather than battling them out during tendering for new systems or upgrades 27

28 References Defending the Smart Grid 28

29 References NERC-CIP: 20 NISTIR 7628: CSPLCS: TEKNISK RIKTLINJE TR4-02: STUXNET: OPERATION AURORA: Advanced Persistent Threat (APT): Night Dragon: Industrial Defender: