Security Implications Associated with Mass Notification Systems
Overview

Cyber infrastructure: includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example, computer systems, control systems, networks such as the Internet, and cyber services (e.g., managed security services) are part of cyber infrastructure. [1]

- Cover
- Cyber risk challenges
- Components of security strategy
- MNS security concerns
- Mechanisms that may be deployed to mitigate the risks to an MNS system
- UL 2572 security measures
- Example: electrical grid recent cybersecurity history

[1] National Infrastructure Protection Plan
Cyber Risk Challenges

2013 Target hack: an HVAC service company's authorized network access.
Cyber Risk Challenges

At Black Hat USA 2013, several presentations were made on hacking into an automated home.

"Hacking Z-Wave Home Automation Systems" - Behrang Fouladi and Sahand Ghanoun
Cyber Risk Challenges

In February 2013, the emergency alert system at KRTV-TV in Great Falls, Montana was hacked during "The Steve Wilkos Show" to send out a message, in several counties, that "zombies were getting up and residents should not try and apprehend them".
Why Security?

Why did we put brakes in a car?
- Primary impulse answer: TO STOP
- Another answer: TO GO FASTER

Cybersecurity measures are like brakes: they can advance the use of products in a safe and secure manner.

"The boundary of one thing is the beginning of another." - Leonardo da Vinci
Threats, Vulnerabilities and Risks

Threat: any action, whether intended or not, to infiltrate the workings of a system. A general understanding of who might attack what assets:
- Nation-states
- Professionals: usually performing theft, espionage or malicious activity
- Hobbyists: hack into products and systems without the intent to perform criminal or malicious activity outside of the hacking act itself
- Malware: automated attack software
- Employees

Risk / Opportunity: the asset to be appropriated:
- Control center control
- Device control
- Access to private/personal data

Vulnerability: a defined flaw in security measures, whether by design or in how the product or service is implemented, that can be exploited:
- Unpatched published vulnerabilities
- Remote control protocols
- Web services
- Buffer overflows
- Weak or improper authentication mechanisms
- Improper authorization (access control)
- Credential control
- Messaging manipulation and injection
- SQL injection into data historians
Components of a Security Strategy

Identify the security objectives of an MNS system:
- Availability: disruption of access to information from an MNS
- Integrity: unauthorized modification of information from an MNS
- Confidentiality: unauthorized disclosure of information from an MNS

Defense in depth
MNS Security Concerns

- Communications protocol
- Design vulnerabilities in products
- Implementation vulnerabilities in use of products
- Availability and integrity
- Secure communications
- Internal infrastructure attacks
- External infrastructure attacks
Mass Notification Security Concerns: Common Design Vulnerabilities

Vulnerabilities:
- Sensors/actuators have no inherent security.
- Control panels have limited, untested security.
- Remote accessibility to control panels and server software.
- Non-secure firmware updates.
- Open ports on devices and services.
- Tamper detection and/or resistance is minimal.
- Web services.
- Poor coding practices.

Common countermeasures:
- Disable unused physical and logical ports.
- Fuzz testing on all ports.
- All ports should require authentication.
- Test factory defaults while in operation.
- No hard-coded passwords.
- Firmware upgrades must be secure: digital signatures.
- Include tamper detection technologies.
- Enforce secure coding practices.
- Perform an independent security source code audit.
- Obfuscation.
Mass Notification Security Concerns: Implementation Vulnerabilities

Vulnerabilities:
- Limited patching and testing of new patches.
- Use of default passwords.
- Incorrect configuration use.
- Networks are now connected to the outside world.

Common countermeasures:
- Patch management.
- Secure workstations and servers with known IT practices and policies.
- Whitelisting and blacklisting.
- Audit trails with alerts.
- Network penetration testing.
- Review of audit logs and security policies.
- Independent vulnerability and cyber-security assessments.
- Intrusion detection and prevention reviews.
Mass Notification Security Concerns: Communications

Communication lines allow for:
- Line sniffing (eavesdropping)
- Man-in-the-middle injection
- Denial of service
- Spoofing/masquerading
- Record and replay
- Credentials that are not secured

Common countermeasures:
- Cryptography and credential security
- Test and implement against known standards (FIPS 140)
- Secure authentication / non-repudiation
- Data filtering and discarding
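An added example, not from the presentation, of the "cryptography and credential security" countermeasure applied to an MNS alert frame: each frame carries an HMAC-SHA256 tag, a timestamp and a sequence number, so the receiver can discard injected, modified, spoofed and replayed frames. The shared key, the 30-second freshness window and the frame layout are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed key for the example; a deployment would provision per-device keys, never a fixed value.
SHARED_KEY = b"example-mns-shared-key-0001"
FRESHNESS_WINDOW_S = 30   # assumed tolerance for clock skew and transit delay

def build_message(key, seq, text, now=None):
    """Sender side: frame the alert, then append an HMAC-SHA256 tag computed over the frame."""
    now = time.time() if now is None else now
    frame = {"seq": seq, "ts": int(now), "msg": text}
    body = json.dumps(frame, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

class Receiver:
    """Receiver side: authenticate first, then enforce freshness and strictly increasing sequence numbers."""
    def __init__(self, key):
        self.key = key
        self.last_seq = 0

    def accept(self, wire, now=None):
        now = time.time() if now is None else now
        body, sep, tag = wire.rpartition(b"|")
        if not sep:
            return (False, "malformed")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return (False, "bad tag")   # modified in transit, injected, or sent with the wrong key
        frame = json.loads(body)
        if abs(now - frame["ts"]) > FRESHNESS_WINDOW_S:
            return (False, "stale")     # an old capture replayed later
        if frame["seq"] <= self.last_seq:
            return (False, "replay")    # a capture replayed inside the freshness window
        self.last_seq = frame["seq"]
        return (True, frame["msg"])
```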
UL 2572 Data Security Measures

1. Security and data protection
   Evidence of a certificate of compliance. Security functions shall be one or more of the following:
   - Symmetric key encryption functions
   - Asymmetric key signature functions
   - Message authentication functions
   - Hashing functions

2. Communication security
   - Communication Security Level 1: independent dedicated network
   - Communication Security Level 2: non-dedicated private network
   - Communication Security Level 3: non-dedicated public network

3. Stored data security
   The stored data shall be protected by minimum security functions:
   - Passwords
   - DRMNS contact data
   - System configuration data
   - Audit logs and reports
   - ECS/MNS messages

4. Access control security
   - Password/PIN with a minimum of 1000 combinations
   - Password/PIN minimum length of 8 characters, each of at least 10 options
   - Password/PIN minimum length of 12 characters, each of at least 10 options, or equivalent means (such as 2-factor authentication)
   - The security means shall have a time-out feature ("auto-log-out")
   - The system shall disable a user account after a maximum of 5 unsuccessful consecutive login attempts
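An added example, not part of UL 2572 or the presentation, showing how the item 4 access-control requirements can be enforced in control-panel software: a PIN policy check for the 8-character, 10-option minimum, lockout after 5 consecutive failures, and an idle auto-log-out. The 300-second idle interval and the names pin_meets_policy and AccountGuard are assumptions; the credential check itself is injected by the caller.

```python
import time

# Thresholds taken from the UL 2572 access-control items on this slide.
MIN_PIN_LENGTH = 8          # at least 8 characters ...
MIN_ALPHABET = 10           # ... each drawn from at least 10 options
MAX_FAILED_ATTEMPTS = 5     # account disabled after 5 consecutive failures
IDLE_TIMEOUT_S = 300        # assumed value: the slide requires auto-log-out but gives no interval

def pin_meets_policy(pin):
    """Length check plus an estimate of the alphabet size the characters are drawn from."""
    alphabet = 0
    alphabet += 10 if any(c.isdigit() for c in pin) else 0
    alphabet += 26 if any(c.islower() for c in pin) else 0
    alphabet += 26 if any(c.isupper() for c in pin) else 0
    alphabet += 33 if any(not c.isalnum() for c in pin) else 0
    return len(pin) >= MIN_PIN_LENGTH and alphabet >= MIN_ALPHABET

class AccountGuard:
    """Consecutive-failure lockout and idle auto-log-out for one operator account."""
    def __init__(self, verify_credential, clock=time.time):
        self._verify = verify_credential   # caller-supplied callable(pin) -> bool
        self._clock = clock                # injectable so the timeout can be tested
        self.failures = 0
        self.disabled = False
        self.last_activity = None

    def login(self, pin):
        if self.disabled:
            return "disabled"
        if not self._verify(pin):
            self.failures += 1
            if self.failures >= MAX_FAILED_ATTEMPTS:
                self.disabled = True       # stays disabled until an administrator re-enables it
                return "disabled"
            return "denied"
        self.failures = 0                  # a success resets the consecutive-failure count
        self.last_activity = self._clock()
        return "ok"

    def touch(self):
        """Call before each authenticated action; False means the session has auto-logged-out."""
        if self.last_activity is None:
            return False
        now = self._clock()
        if now - self.last_activity > IDLE_TIMEOUT_S:
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```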
Password Example

Passwords are stored (username KEN, password PASSWORD):
- Plaintext:     PASSWORD
- Hash form:     PASSWORD --MD5--> A3eeF%4zz5JJd
- Salted hash:   PASSWORD + <unique> --MD5--> bbgtee$5%fglopp
- Encrypted:     PASSWORD --AES--> sf$%^&aq

Passwords are attacked via:
- Brute force guessing: dependent on the system responding with a yes or no
- Password cracking: offline processing of a hash (approx. hundreds of millions of password guesses a second)
- Precomputed hash attack: rainbow and lookup tables of all possible hashes are searched
- Pass the hash: gain access to the hash or alter the hash

MD5, SHA1, SHA-512: good hash algorithms for integrity in a short time, but that speed also makes it easy to enumerate all possible hashes.
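An added example, not from the slide, that reproduces the slide's storage forms in working code and shows why the precomputed-hash attack finds an unsalted MD5 hash but not a salted or PBKDF2-based one. The password list standing in for the attacker's table and the PBKDF2 iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000
# Constructed stand-in for an attacker's precomputation source: a short list of common passwords.
COMMON_PASSWORDS = ["123456", "PASSWORD", "qwerty", "letmein", "welcome1"]

def store_unsalted_md5(password):
    """Slide row 'Hash form': fast and unsalted, so identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def store_salted_sha256(password, salt=None):
    """Slide row 'Salted hashes': a random per-user salt is stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def store_pbkdf2(password, salt=None):
    """Salted and deliberately slow, so each offline guess costs the full iteration count."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()

def verify_pbkdf2(password, salt, stored_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = store_pbkdf2(password, salt)
    return hmac.compare_digest(candidate, stored_hex)

def precomputed_table():
    """The lookup table of the slide's 'precomputed hash attack': built once, reused against every dump."""
    return {store_unsalted_md5(p): p for p in COMMON_PASSWORDS}

def precomputed_lookup(stored_hash, table):
    """Returns the password if the stored hash was precomputable, otherwise None."""
    return table.get(stored_hash)
```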
Common Attack Pattern Enumeration and Classification (CAPEC): http://capec.mitre.org/
Example: Smart Grid Advanced Security Acceleration Project - SG

Description: Develop system-level security requirements for smart grid technology
Approach:
- Architectural team produces material
- Usability Analysis team assesses effectiveness
- NIST and UtiliSec review and approve
Deliverables:
- Strategy & Guiding Principles white paper
- Security Profile Blueprint
- 6 Security Profiles
- AMI Security Profile
- Usability Analysis
Schedule: June 2009 - June 2012
Budget: $3M/year ($1.5M utilities + $1.5M DOE)
Performers: Utilities, EnerNex, Inguardians, SEI, ORNL
Partners: DOE, EPRI
Release path: NIST, UCAIug
THANK YOU.

Ken Modeste
Security and Global Communications
Underwriters Laboratories Inc.
Ken.modeste@ul.com