Cyber Security in Real-Time Systems: Threats to SCADA and other real-time systems, an update from the coal face. David Spinks – Independent Cyber Security Consultant, April 2015. CSIRS.
Transcript
Page 1: Cyber Security Threats to Industrial Control Systems

Cyber Security in Real-Time Systems

Threats to SCADA and other real-time systems: an update from the coal face.

David Spinks – Independent Cyber Security Consultant

April 2015

CSIRS Cyber Security in Real-Time Systems

Page 2

Why me?

Page 3

1970/75 – Glaxo Laboratories, Cambois, Northumberland – world's first large-scale automation

Page 4

1990 - 2000

Railtrack safety-critical software

Sizewell B emergency shutdown software: code validation

UK Government assessment of embedded software in aviation

Page 5

Industrial Control Systems: Current Business Environments & Drivers

Page 6

“The Grey”

[Diagram: Traditional IT on one side, Industrial Control Systems on the other, and a “?” in the gap between them.]

Page 7

IT: tools, methods, culture. ICS: culture, tools.

Very different, and apparently no middle ground.

“The Cavalry”: fast moving and flexible. “The Cannons”: fixed, slow, yet effective; not changed much for centuries.

Page 8

SCADA hybrid networks: security comparison

Page 9

Little or no action to close the gap?

Page 10

Advanced:

Planned ahead of time

Executed by individuals who have expertise

Intelligence gathered about “target” in advance

Adoption of social engineering techniques

Covering of entry and exit points

Motive not always understood

Perpetrated by unknown agencies

Multiple points of entry, technical and non-technical

Complex execution across a period of time, may be months or years

Use of multiple technologies, tools and techniques

Insider threat must be considered a possible entry point

Will explore logical and physical security weaknesses

May extend to supply chain

Possible Actions:

Changes in education of IT and ICS engineers

Changes in culture in large organisations

Disclosure & Legislation & Regulation

Information exchange

Investments in ICS security

Changes in ICS vendor culture

Page 11

What do recent statistics and surveys show us?

Page 12

Trends impacting ICS cyber security

Business demands that data be passed from ICS to IT, over both direct and indirect connections.

The sophistication of attacks (the ones we know about) is increasing.

75% of breaches are discovered by third parties.

The resulting impact of each attack is growing exponentially.

Page 13

Documented attacks on ICS, from the US ICS-CERT report

Page 14

The majority of incidents were categorized as having an “unknown” access vector. In these instances, the organization was confirmed to be compromised; however, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network.

Page 15

Page 16

Example of poor monitoring of a SCADA system.

Page 17

Information about the 8 November incident came to light via the blog of Joe Weiss, who advises utilities on how to protect hardware against attack.

Mr Weiss quoted from a short report by the Illinois Statewide Terrorism and Intelligence Center which said hackers obtained access using stolen login names and passwords. These were taken from a company which writes control software for industrial systems.

The net address through which the attack was carried out was traced to Russia, according to Mr Weiss. The report said "glitches" in the remote access system for the pump had been noticed for months before the burn out, said Mr Weiss.

Page 18

“I could have straightened it up with just one phone call, and this would all have been defused,” said Jim Mimlitz, founder and owner of Navionics Research, who helped set up the utility’s control system. “They assumed Mimlitz would never ever have been in Russia. They shouldn’t have assumed that.”

Mimlitz’s small integrator company helped set up the Supervisory Control and Data Acquisition system (SCADA) used by the Curran Gardner Public Water District outside of Springfield, Illinois, and provided occasional support to the district. His company specializes in SCADA systems, which are used to control and monitor infrastructure and manufacturing equipment.

Mimlitz says last June, he and his family were on vacation in Russia when someone from Curran Gardner called his cell phone seeking advice on a matter and asked Mimlitz to remotely examine some data-history charts stored on the SCADA computer.

Page 19

Common ground might be the Security Operations Centres?

Page 20

Post Event Investigations:

Access to HR

Attendance records

Door access logs

Audit records

Phone logs

Systems logs
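The evidence sources listed above are what let an investigator tell a stolen-credential login from a legitimate one, which was exactly the question in the Curran Gardner case on the preceding pages: a remote login from Russia that turned out to be the integrator on holiday. As an added illustration, not code from the presentation, the Python below correlates each remote-access login against door-access (badge) logs and HR absence records. All records, usernames, addresses, the home country and the two-hour badge window are constructed assumptions; phone and attendance logs are left out for brevity.

```python
"""
Correlate remote-access logins with door-access logs and HR absence
records (three of the evidence sources on this slide).
Added example, not part of the original presentation. Every record
below is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed remote-access (VPN) audit records: who, when, from which country.
REMOTE_LOGINS = [
    {"user": "integrator", "when": "2011-06-12T14:05:00", "country": "RU"},
    {"user": "operator1", "when": "2011-06-12T09:20:00", "country": "US"},
    {"user": "operator2", "when": "2011-06-13T11:00:00", "country": "CN"},
]

# Constructed door-access (badge) log.
DOOR_EVENTS = [
    {"user": "operator1", "when": "2011-06-12T08:55:00", "event": "badge_in"},
    {"user": "operator2", "when": "2011-06-13T10:50:00", "event": "badge_in"},
]

# Constructed HR absence records: who was away, when, and where.
HR_ABSENCES = [
    {"user": "integrator", "start": "2011-06-05", "end": "2011-06-19", "where": "RU"},
]

HOME_COUNTRY = "US"                 # assumption: the utility operates from the US
BADGE_WINDOW = timedelta(hours=2)   # assumption: a badge-in within 2h means on-site


def _t(s):
    return datetime.fromisoformat(s)


def classify_login(login, door_events=DOOR_EVENTS, hr_absences=HR_ABSENCES):
    """Return (verdict, reason) for one remote login.

    Order matters: physical presence is the strongest evidence, so a user
    badged on-site while their account logs in from abroad is flagged
    before any HR record is consulted.
    """
    when = _t(login["when"])
    user = login["user"]

    # 1. Was the user physically badged in close to the remote login?
    for ev in door_events:
        if ev["user"] == user and ev["event"] == "badge_in":
            if abs(_t(ev["when"]) - when) <= BADGE_WINDOW:
                if login["country"] != HOME_COUNTRY:
                    return ("suspicious", "badged on-site yet remote login from abroad")
                return ("expected", "on-site user, local remote login")

    # 2. Does HR record the user abroad in the country the login came from?
    for ab in hr_absences:
        if ab["user"] == user and _t(ab["start"]) <= when <= _t(ab["end"]) + timedelta(days=1):
            if ab["where"] == login["country"]:
                return ("explained", "HR travel record matches login country")
            return ("suspicious", "HR shows absence, but in a different country")

    # 3. Nothing corroborates a foreign login: treat as a stolen-credential candidate.
    if login["country"] != HOME_COUNTRY:
        return ("suspicious", "foreign login with no travel or badge record")
    return ("unknown", "no corroborating record")


def triage(logins=REMOTE_LOGINS):
    """Classify every remote login; keyed by (user, timestamp)."""
    return {(l["user"], l["when"]): classify_login(l) for l in logins}


if __name__ == "__main__":
    for key, verdict in triage().items():
        print(key, verdict)
```

With the constructed data the integrator's Russian login is "explained" by the HR record, operator1 is "expected", and operator2, whose badge shows them in the building while their account logs in from China, is the one worth escalating.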

Page 21

Potential Common Ground

[Diagram: a Security Operations Centre shared between IT and ICS. Shared elements: Threats, Use Cases, Mitigation, Impacts, Tools, Risks, Investigations.]

Very few common methods, such as NIST & Identity Management.

ICS safety standards: DO-178C (avionics), ISO 26262 (automotive systems), IEC 62304 (medical devices), CENELEC EN 50128 (railway systems).

IT standards: ISO 27001:2013, COBIT 4.1, ISF, ISO 20000.

Page 22

Potential Solution:

Small team cross trained across IT and ICS

Adoption of common language and understanding of impacts

Shared understanding of Threats

Devise and plan for integrated tools, ICS <> IT

Speak to boot camps

Common understanding of potential impacts

But would require commitment and proper funding

Page 23

Information and White Papers

Page 24

Lots of white papers and solutions are available

Page 25

Page 26

Highest and Serious Threats

Page 27

Lessons still to be learnt

Insider threats

Social engineering

Prevent rather than respond

Effective intelligence and analysis

Planned and tested response to threats

Page 28

Actions

Solution:

Understand what is “normal”

Monitor for unusual trends

Collect and analyse cyber intelligence

Investigate

Act accordingly
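The first two steps, learn what is normal and then watch for departures from it, are the monitoring capability the ICS-CERT quotation on page 14 says most compromised networks lacked. As an added example, not code from the presentation, the Python below builds a baseline from a learning window of control-network traffic summaries (which source hosts issue which Modbus function codes, and how often per hour), then flags unseen (source, function) pairs, new write sources in particular, and rate spikes in an observation window. The traffic records, addresses and thresholds are constructed; only the function-code meanings come from the Modbus specification.

```python
"""
Baseline "normal" control-network traffic, then flag unusual trends.
Added example, not from the presentation. The records are constructed
Modbus/TCP-style hourly summaries: (hour, source IP, function code, count).
Function codes per the Modbus spec: 3 = read holding registers,
5/6 = write single coil/register, 15/16 = write multiple coils/registers.
"""
from collections import defaultdict
from statistics import mean, pstdev

WRITE_FCS = {5, 6, 15, 16}   # Modbus write function codes

# Constructed 48-hour baseline window.
BASELINE = (
    [(h, "10.1.1.10", 3, 120) for h in range(48)]   # HMI polls registers
    + [(h, "10.1.1.10", 16, 4) for h in range(48)]  # HMI writes ~4 setpoints/hour
    + [(h, "10.1.1.20", 3, 60) for h in range(48)]  # historian, reads only
)

# Constructed observation window.
OBSERVED = [
    (48, "10.1.1.10", 3, 118),
    (48, "10.1.1.10", 16, 5),
    (48, "10.1.1.20", 3, 61),
    (48, "10.1.1.20", 16, 2),    # historian starts writing: never seen before
    (49, "10.1.1.10", 16, 40),   # HMI write rate ten times the baseline
    (49, "10.1.1.99", 3, 30),    # unknown host polling the PLC
]


def build_baseline(records):
    """Return (set of seen (src, fc) pairs, {pair: (mean, stdev)} of hourly counts)."""
    per_pair = defaultdict(list)
    for _hour, src, fc, count in records:
        per_pair[(src, fc)].append(count)
    stats = {k: (mean(v), pstdev(v)) for k, v in per_pair.items()}
    return set(per_pair), stats


def detect(observed, allowed, stats, k=3.0, floor=5):
    """Flag unseen (src, fc) pairs and hourly counts above mean + k*stdev.

    `floor` is an absolute minimum margin: a very regular baseline has
    near-zero variance, which would otherwise make any +1 request an alert.
    Returns a list of (hour, src, fc, kind).
    """
    alerts = []
    for hour, src, fc, count in observed:
        key = (src, fc)
        if key not in allowed:
            # A host writing to the process for the first time is the
            # higher-priority case; a new reader is still worth a look.
            kind = "new-writer" if fc in WRITE_FCS else "new-source"
            alerts.append((hour, src, fc, kind))
            continue
        mu, sd = stats[key]
        threshold = mu + max(k * sd, floor)
        if count > threshold:
            alerts.append((hour, src, fc, "rate-spike"))
    return alerts


if __name__ == "__main__":
    allowed, stats = build_baseline(BASELINE)
    for alert in detect(OBSERVED, allowed, stats):
        print(alert)
```

Run against the constructed data this raises three alerts: the historian issuing writes (new-writer), the HMI's write burst (rate-spike) and the unknown poller (new-source), while the small normal fluctuations in read counts stay quiet. A real deployment would feed the same logic from a passive tap or switch SPAN port rather than hand-built summaries, and would re-learn the baseline after every sanctioned engineering change.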

Page 29

Recent media reports of interest

Page 30

Rail signal upgrade 'could be hacked to cause crashes'

Prof David Stupples told the BBC that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks. UK tests of the European Rail Traffic Management System are under way. Network Rail, which is in charge of the upgrade, acknowledges the threat.

http://www.bbc.co.uk/news/technology-32402481

Page 31

The debate erupted after cybersecurity expert Chris Roberts, founder of One World Lab in Denver, sent a tweet while he was a passenger on a United Airlines flight suggesting he could hack into the airline’s onboard system to trigger the oxygen masks to drop.

When the plane landed in Syracuse, FBI agents were waiting to question him and confiscate his electronic devices, according to a statement from Roberts’ attorneys.

United Airlines also was not amused and banned Roberts from flying on the carrier.

On the 27th April 2015 … yesterday

Page 32

Persistent:

Today - American Airlines planes grounded by iPad app error

Page 33

LinkedIn CSIRS:

http://www.linkedin.com/groupRegistration?gid=3623430

[email protected]

Questions?