Access Considered Dangerous
Andrew Ginter, VP Industrial Security, Waterfall Security Solutions, 2015
Proprietary Information -- Copyright 2015 by Waterfall Security Solutions
"Secure" Access

Behind lots of firewalls, and through a gazillion-bit-encrypted VPN. I have a firewall. I have encryption. I must be safe!

Diagram: Hotel WiFi -> Internet -> IT / VPN server -> Plant DMZ -> Plant. Controls shown on the path:
- Split tunnelling disabled: all Internet traffic goes through the IT network and IT security
- Client/endpoint security enabled, checked and enforced by the VPN
- Intermediate jump host completely up to date with anti-virus and security updates
- Two-factor authentication
- Intrusion detection deployed into and out of the jump host
The attack, step by step (one build-up slide per step in the original):
1. Write some malware. It's a simple matter of programming.
2. Wait till the user starts the VPN and gives the VPN password.
3. Wait more till he starts the Desktop with the 2-factor dongle.
4. Move the Desktop window to an invisible screen.
5. Show the user a deceptive error message.
6. Give the attacker remote control of the invisible Desktop.

Diagram: Attacker -> Hotel WiFi -> Internet -> IT / VPN server -> Plant DMZ -> Plant, riding the user's authenticated session.
But How Did You?
- Get the malware on the remote laptop? Spear phishing.
- Defeat anti-virus? Wrote the malware myself.
- Escalate privilege? Told the user he was installing a codec and asked him politely for admin privileges.
- Defeat 2-factor authentication? Waited to take over the window until the user had logged in with the RSA dongle.
- Defeat VPN protection profiles? Didn't have to: the laptop's AV and security updates were right up to date.
- Defeat split tunnelling? Direct access to the networking hardware.
- Defeat security updates? Didn't have to: no vulnerabilities were exploited.
- Defeat NIDS? The hotel room has no NIDS, and the plant NIDS saw only a legitimate user logging in and legitimately reprogramming the ICS.
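The reason every control on the path is satisfied is that two-factor authentication is verified once, at session start, and every later command is authorized against that session, not against the human. The following toy model, added here as an illustration and not code from the deck or from Waterfall, plays the walkthrough out: a jump host that checks password plus one-time code at login, a laptop, and an implant that stays idle until a session exists, then hides the window behind a decoy error and uses the session itself. The jump host, user name, credentials and commands are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AuditEntry:
    user: str       # identity bound to the session at login
    mfa_ok: bool    # the dongle code was verified at login, and only then
    command: str


class JumpHost:
    """Two-factor-protected jump host in the plant DMZ (constructed model)."""

    def __init__(self, users):
        self._users = users        # user -> (password, expected one-time code)
        self._sessions = {}        # session token -> user
        self.audit = []

    def login(self, user, password, otp):
        if self._users.get(user) != (password, otp):
            raise PermissionError("bad password or one-time code")
        token = f"sess-{len(self._sessions) + 1}"
        self._sessions[token] = user
        return token

    def execute(self, token, command):
        # Authorization is per session, not per command: nothing on this side
        # can tell whether a human or an implant on the laptop sent `command`.
        user = self._sessions.get(token)
        if user is None:
            raise PermissionError("no such session")
        self.audit.append(AuditEntry(user, True, command))
        return f"{user}@plant: {command} -> OK"


class Implant:
    """Malware on the laptop. It does nothing until a remote desktop session exists."""

    def __init__(self):
        self.token = None

    def on_session(self, laptop):
        self.token = laptop.token                 # inherit the live, 2FA-backed session
        laptop.token = None                       # the user's window 'disappears'
        laptop.screen = "Remote Desktop has stopped responding"   # decoy error

    def run(self, jumphost, command):
        return jumphost.execute(self.token, command)   # attacker's remote control


class Laptop:
    def __init__(self, implant=None):
        self.implant = implant
        self.token = None
        self.screen = ""

    def connect(self, jumphost, user, password, otp):
        self.token = jumphost.login(user, password, otp)   # the user does the 2FA
        self.screen = "Remote Desktop connected"
        if self.implant is not None:
            self.implant.on_session(self)

    def type_command(self, jumphost, command):
        if self.token is None:
            return None                # the user believes the session died
        return jumphost.execute(self.token, command)


def run_scenario(compromised):
    """Alice logs in from the hotel with password + dongle code, then tries to
    read a PLC. With an implant present, the attacker uses her session instead."""
    jh = JumpHost({"alice": ("hunter2", "493021")})   # constructed credentials
    laptop = Laptop(implant=Implant() if compromised else None)
    laptop.connect(jh, "alice", "hunter2", "493021")
    user_reply = laptop.type_command(jh, "read PLC-7 status")
    if compromised:
        laptop.implant.run(jh, "download program PLC-7 attacker.l5x")
    return {"audit": jh.audit, "screen": laptop.screen, "user_reply": user_reply}


if __name__ == "__main__":
    for compromised in (False, True):
        result = run_scenario(compromised)
        print(f"compromised={compromised}: screen='{result['screen']}'")
        for e in result["audit"]:
            print(f"  audit: user={e.user} mfa_ok={e.mfa_ok} command={e.command!r}")
```

In the compromised run the only audit entry the jump host holds is the attacker's program download, recorded under alice with the two-factor flag set, which is exactly the record the plant NIDS and the jump host logs would show a responder. Nothing the attacker did fails a check, because every check was made against the laptop and its session rather than against who is at the keyboard.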
IT-Style Access: Cybersabotage Attack Model
Figure: attack matrix. Rows are attacker classes (Organized Crime, IT Insider, ICS Insider, Hacktivist, Intelligence Agency, Military); columns are attack types (local, compromised insider, remote targeted, physical, autonomous). Cell entries name the sabotage outcome each combination produces: vandalism, ransomware, drop (a planted device), erase hard drives, sleeper, delete files, virus triggers, embarrass the business.

OT Protection: Unidirectional Security Gateways
Figure: the same attack matrix, now shown with a unidirectional security gateway between the external networks and the plant.
We Can't Restore A Turbine From Backup
- IT security prevents data theft, not sabotage of physical processes.
- Remote control is the modern attack pattern; compromising remote access is only the most obvious remote-control attack.
- Attacks only become more sophisticated; we need to think ahead when protecting our industrial networks.
- Unidirectional Security Gateways are modern protection for OT: absolute protection from attacks arriving over external networks (the remote vectors of the attack model; local, insider and physical vectors still need other controls).
- Unidirectional Gateways defeat interactive remote access.
- Which of our industrial processes and control systems are expendable enough to protect with firewalls?