Hacking the Industrial SCADA Network II The Latest Threats to Automated Production and Process Management Networks



SCADA Threat Assessment: Hacking the Industrial SCADA Network II
The Latest Threats to Automated Production and Process Management Networks
Highly Automated Production Networks

Editor's Note: The original Hacking the Industrial SCADA Network (Part I) article was first published in 2009. This article, Part II, summarizes what has happened since the original publication and the outcome of the predictions that first appeared in Part I. See full copies of the actual whitepapers for complete details.

The Secret War: Stuxnet, Duqu and Flame

The highly complex computer worm called Stuxnet, targeted at sophisticated industrial control systems, was first identified in July of 2010. The arrival of Stuxnet changed everything, as it was a harbinger of the shape of things to come. Stuxnet sparked international press coverage and exposed to the business community the digital face of cyber espionage, cyber warfare, sabotage and electronic diplomatic sanctions. For industry leaders, it raised the specter of international industrial competition fueled by the theft of proprietary trade secrets, intellectual property, business, government and military secrets, and the potential loss of all the advantages of an advanced technological society.

Stuxnet targeted SCADA (Supervisory Control and Data Acquisition) control systems. SCADA and other legacy control systems have been used for decades in power plants and distribution grids, oil and gas refineries, air traffic and railroad management, pipeline pumping stations, pharmaceutical production, chemical plants, industrial processes, automotive assembly lines, automated food and beverage lines, water treatment plants, major dams, and many other forms of automation and production.

Stuxnet was likely released a full year before its discovery. It was designed to replicate itself while searching for very specific industrial software applications that run on Microsoft Windows operating systems. Stuxnet was followed in 2012 by the discovery of two closely related forms of malware, the Duqu worm and Flame. Duqu searches for information that could be useful in attacking industrial control networks and smuggles password information back to its command and control center. Flame existed several years before being discovered, and can also record Bluetooth communications.

A Clear and Present Danger

The worms Stuxnet, Duqu and Flame have been captured, quarantined, dissected and studied in captivity. The worm segments have been analyzed and published in reports, whitepapers, blogs, chats and bulletin boards. Unfortunately, the result of all the published scrutiny is that the building blocks of Stuxnet exploit code are out there and available to be used to potentially harm the rest of us. A knowledgeable hacker can use those bits and pieces like modular building blocks to create newer, better malware.

Summary of Critical Infrastructure Incident Reports to ICS-CERT, 2012

The hacking incidents listed in Hacking the Industrial Network (Part I) spanned 12 years and contained 29 publicly reported incidents. The hacking incidents specifically listed here in Part II span only 4 years and contain over 55 notably disturbing incidents affecting thousands of companies. The pandemic rate of infection is accelerating.


Why Industrial Networks are Vulnerable

Some may still believe that their SCADA networks are not susceptible to eavesdropping, hacking or virus propagation because industrial SCADA systems are difficult for an outsider to understand, or that their networks are air-gapped to separate them from the Internet. It is not true. Access to the Programmable Logic Controllers (PLCs) used throughout your industrial network, including critical U.S. infrastructure, is possible from indeterminate remote locations outside the country, without ever visiting your site, through multiple routes into the heart of your network.

August 2011: A McAfee whitepaper exposes Operation Shady RAT, a five-year targeted operation that includes attacks on natural gas distribution, federal, state and county government, defense and construction. The majority of intrusions were occurring in the United States and continued for months and years without discovery. The whitepaper's author, McAfee's Vice-President of Threat Research, Dmitri Alperovitch, writes that he now divides Fortune 2000 companies into only two categories: those who know they have been compromised, and those who are blissfully unaware they have already been compromised.

October 2011: The U.S. Department of Homeland Security issues a bulletin warning of ongoing gas, oil, chemical, water and sewage hacks.

November 2011: Hackers attack Norway's oil, gas and defense businesses. Access is obtained through carefully crafted, targeted emails that appear to come from legitimate sources but contain a virus which does not trigger anti-malware defenses. Norway's National Security Agency (NSM) states that industrial drawings, contracts and current negotiation documents were extracted, a loss of closely held secrets and intellectual property to cyber thieves.

April 2012: The Department of Homeland Security announces that attacks on oil and natural gas organizations began five months earlier, in December 2011. They report that the 200,000 mile U.S. natural gas pipeline network has been under a persistent intrusion campaign that begins with tightly focused spear-phishing email attacks.

Industry Recommendations

The existing SCADA vulnerabilities and some precautionary measures are well described in whitepapers by Idaho and Lawrence Livermore National Labs. A simple solution involves implementing layers of defense, referred to as defense in depth. Network segmentation, departmental firewalls, anti-virus and intrusion detection methodologies protect departments and systems.
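As an added illustration of the segmentation and departmental-firewall recommendation above (this is example code written for this page, not part of the whitepaper, the national-lab reports or any vendor product), the following Python script models a default-deny conduit between an office zone and a control zone. Only the flows the process needs are listed; every other connection is refused, and a source that is refused on several distinct destination ports is flagged as a probe. The addresses, ports, rule notes and log format are assumptions made for the example. Because the boundary admits only known-good flows, it blocks unfamiliar traffic without needing a signature for it.

```python
# Added example (not from the whitepaper): a default-deny conduit policy between an
# office zone and a control zone, applied to constructed connection-log lines.
# Addresses, ports and the log format are assumptions made for the illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AllowRule:
    """One explicitly permitted flow through the zone boundary."""
    src: str      # source network (CIDR)
    dst: str      # destination network (CIDR)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    note: str     # why the flow exists; documenting each rule is part of the control


# Everything not listed here is denied: the boundary allows only what the
# process needs, so it does not have to recognise malware to refuse a probe.
CONTROL_ZONE_POLICY = [
    AllowRule("10.10.1.0/24", "10.20.0.0/24", "tcp", 502, "HMI servers poll PLCs over Modbus/TCP"),
    AllowRule("10.20.0.0/24", "10.10.1.50/32", "udp", 514, "PLC gateway ships syslog to the SIEM"),
]


def decide(policy, src, dst, proto, dport):
    """Return ('allow', note) if some rule matches, otherwise ('deny', 'no rule')."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if (s in ip_network(rule.src) and d in ip_network(rule.dst)
                and proto == rule.proto and dport == rule.dport):
            return "allow", rule.note
    return "deny", "no rule"


def parse_line(line):
    """Parse a 'key=value' connection record of the kind a boundary firewall logs."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])


def audit(policy, lines, probe_threshold=3):
    """Apply the policy to each record; flag sources denied on >= threshold distinct ports."""
    verdicts = []
    denied_ports = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_line(line)
        action, reason = decide(policy, src, dst, proto, dport)
        verdicts.append((src, dst, proto, dport, action, reason))
        if action == "deny":
            denied_ports[src].add(dport)
    probes = sorted(s for s, ports in denied_ports.items() if len(ports) >= probe_threshold)
    return verdicts, probes


# Constructed sample: normal HMI polling and syslog, plus an office host sweeping a PLC.
SAMPLE_LOG = [
    "ts=2012-04-12T10:15:03Z src=10.10.1.20 dst=10.20.0.5 proto=tcp dport=502",
    "ts=2012-04-12T10:15:04Z src=10.20.0.1 dst=10.10.1.50 proto=udp dport=514",
    "ts=2012-04-12T10:16:10Z src=10.10.1.77 dst=10.20.0.5 proto=tcp dport=445",
    "ts=2012-04-12T10:16:11Z src=10.10.1.77 dst=10.20.0.5 proto=tcp dport=135",
    "ts=2012-04-12T10:16:12Z src=10.10.1.77 dst=10.20.0.5 proto=tcp dport=102",
    "ts=2012-04-12T10:16:13Z src=10.10.1.77 dst=10.20.0.5 proto=tcp dport=502",
]


def run_sample():
    """Return (allowed count, denied count, probing sources) for the constructed log."""
    verdicts, probes = audit(CONTROL_ZONE_POLICY, SAMPLE_LOG)
    allowed = [v for v in verdicts if v[4] == "allow"]
    denied = [v for v in verdicts if v[4] == "deny"]
    return len(allowed), len(denied), probes


if __name__ == "__main__":
    n_allow, n_deny, probes = run_sample()
    print(f"allowed={n_allow} denied={n_deny} probing_sources={probes}")
```

On the constructed log, three records are allowed, three are denied, and 10.10.1.77 is reported as a probing source. Note that the sweeping host is still admitted on port 502 because the first rule covers the whole office subnet; narrowing that rule's source to the actual HMI server addresses is the kind of tightening a periodic rule review should produce.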

Idaho National Laboratory: Complete Defense in Depth

Leading commercial antivirus software can work fairly well to create layers of protection in the front office of an organization, an area not adversely affected by the continuous updating of virus signatures needed to keep up with new virus variants created every few seconds. Some IT routers and switches can also provide Virtual Private Network (VPN) protection when installed in clean, air-conditioned rooms within production areas. In harsh environments, however, with heat, dirt, moisture and vibration, standard telecommunications equipment fails rapidly. And at the lower echelons of production, the very basic PLCs and legacy industrial controls do not have the chip sets and processing capability to authenticate commands or identify malware. In a 24/7 production environment, it is risky to allow third-party software to constantly introduce updates that have not been vetted in isolation before being implemented, as these may produce other unintended consequences.

As identified in Hacking the Industrial Network (Part I), four years ago a handful of companies were listed as offering potential solutions applicable to the factory floor. Most of these have not updated their products or advanced technically, and have not succeeded in significant market penetration. I consider only two of the listed products to be the most viable, as they offer the kind of security features that would be required. These are the Innominate mGuard system, now also available from Phoenix Contact, and the Tofino device, now available from Hirschmann. The mGuard industrial module was able to detect, divert and alert administrators to illicit zero-day probes by Stuxnet malware, as shown in independent laboratory tests at an IT University. Unlike anti-virus software, it could do so without any prior knowledge of Stuxnet's existence, capabilities or viral signature.

Let's run down the checklist of desired security features quickly. The following table contains a summary. Other technical reasons for selecting security equipment for industrial applications are explained in greater detail in Part I.

List of Required Industrial Network Security Equipment Capabilities (table not reproduced in this transcription)

SCADA Security Outlook

State-sponsored theft of proprietary trade secrets, intellectual property, business, economic, government and military secrets, and all the advantages of a technological society are already being siphoned away at an alarming rate, with the losses measured in billions of dollars as we hemorrhage away the advanced products of our intellect. Hacking is the current province of criminal organizations, nation states, foreign competitors, and potential cyber terrorists. There is no reason for this lack of implementation of industrial network security other than inertia. The security technology already exists, and simple, economical solutions are readily available and easily implemented. The risks are clear, and the activity is escalating. We can either act now to prepare for the next wave, or delay and procrastinate, and be perpetually behind the curve when the next bad thing occurs and those other procrastinators are overtaken by events for which there is no time to respond.

A detailed study of specific recommendations and technical solutions is contained in the full white paper Hacking the Industrial Network (Part I) and the full version of this white paper (Part II). Complete copies, including footnotes, clickable Internet links and detailed research references, can be downloaded from the International Society of Automation (www.isa.org) and from www.innominate.com.

About the Author

Frank Dickman, BSMAE, RCDD, is a widely experienced engineering consultant and former delegate to NEMA, TIA/EIA, ISO, CENELEC and the BICSI Codes & Standards Committees. He is a technical consultant to a number of leading data communications firms and is a recognized expert on U.S. and international physical infrastructure network standards. Beyond telecommunications, his experience includes consulting engineering work for petroleum refineries, chemical plants, conventional and nuclear power plants, auto manufacturers and the aerospace industry. He can be reached at frankdickman@yahoo.com.

Editor Summary: 1,382 word article, plus 85 word biography, 5 color illustrations.