Reducing the Risk of a Cyber Attack on Utilities
Jim Girouard, Sr. Product Development Manager, Corporate and Professional Education

Webinar - Reducing the Risk of a Cyber Attack on Utilities

Jan 08, 2017

WPICPE
Transcript
Page 1: Webinar - Reducing the Risk of a Cyber Attack on Utilities

Reducing the Risk of a Cyber Attack on Utilities

Jim Girouard, Sr. Product Development Manager, Corporate and Professional Education

Page 2: About WPI

Fully accredited, non-profit, top quartile national university*

Founded in 1865 to teach both “Theory and Practice”

Robust Computer Science, Power Systems Engineering and Business Departments

DHS/NSA Designated Center of Excellence in Information Security Research

*U.S. News and World Report

Page 3: Today’s Dialogue - Cybersecurity Education

Outline:

– The Growing Menace

– New vulnerabilities due to Smart Grid Technology

– National Framework for Cybersecurity Workforce Education

– Essentials of a cyber security education program

– How to craft a customized education program

– Discussion

Page 4: Bushehr Nuclear Facility - Iran (Bushehr, a power reactor, was reported infected; the centrifuge cascades Stuxnet actually damaged were at the Natanz enrichment plant)

Page 5: Centrifuges (the IR-1 cascades at Natanz were Stuxnet’s target)

Page 6: Stuxnet

Page 15: Stuxnet

• Spreads between Windows hosts (via USB media and the LAN, using several then-unpatched Windows vulnerabilities) until it reaches a Siemens STEP 7 / WinCC engineering station, and from there the SCADA PLCs

• Combines worm, virus and trojan behaviour: self-propagating, infects STEP 7 project files, and disguises its drivers with stolen vendor code-signing certificates

• Evades detection: a Windows rootkit hides its files, and the first known PLC rootkit hides the injected logic blocks from the engineering software, so the path it took is hard to reconstruct

• Acts as a “man in the middle” between the engineering station and the PLC by replacing the Siemens communication library, silently altering what is read from and written to the controller

• Once it reaches a PLC of the right type it waits and observes; only after the process has run normally for a period does it drive the centrifuge motors outside their safe speed range

• Blinds operators and the protective logic: plays recorded readings from normal operation back to the HMI while the attack runs, so no alarm is raised

• Destroyed roughly 1,000 centrifuges at Natanz (the slide puts this at 30% of capacity; published estimates of the capacity impact vary)

• Reports circulated that its source code was for sale on the web for $150K; this was never substantiated, but the binaries were widely captured and reverse engineered, so the techniques are public
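The “record normal operation, replay it to the operators” step is the one a utility can actually test its own monitoring against. The Python below is an added illustration written for this transcript, not code from the webinar, from WPI or from any PLC or HMI product. It simulates a man-in-the-middle on the controller-to-HMI path that loops a recording of normal readings, then runs two checks: one that notices real sensor noise never repeats exactly, and one that cross-checks the HMI against an independently wired measurement. The set point, noise, timings and function names are all constructed for the example.

```python
"""Stuxnet-style telemetry replay and two detector checks.

Added example for this transcript; not code from the webinar, WPI or any
PLC/HMI vendor.  Everything below (set point, noise, timing, sensor names)
is constructed for illustration.
"""
import random

NOMINAL_HZ = 1064.0   # constructed set point for a centrifuge drive
RECORD_SECONDS = 20   # how much 'normal' data the man-in-the-middle records


def plc_truth(t, attack_start):
    """Constructed ground truth, one sample per second: a stable frequency with
    small noise, pushed far out of range once the attack starts."""
    noise = random.Random(t).uniform(-0.5, 0.5)   # deterministic per timestep
    if t >= attack_start:
        return NOMINAL_HZ + 300.0 + noise         # rotor driven well above spec
    return NOMINAL_HZ + noise


def mitm_replay(samples, attack_start, record_seconds=RECORD_SECONDS):
    """Man-in-the-middle on the PLC-to-HMI path: record `record_seconds` of
    normal readings, then loop that recording back to the HMI for every sample
    from attack_start on, so the operator screen keeps showing 'normal'."""
    if attack_start < record_seconds:
        raise ValueError("attacker needs a full recording before the attack")
    recording = samples[:record_seconds]
    return [
        recording[(t - attack_start) % record_seconds] if t >= attack_start else v
        for t, v in enumerate(samples)
    ]


def detect_replay(hmi_values, window=10):
    """Check 1: genuine sensor noise never repeats exactly.  Return the index
    where a window of readings first repeats an earlier window, else None."""
    seen = {}
    for end in range(window, len(hmi_values) + 1):
        key = tuple(round(v, 6) for v in hmi_values[end - window:end])
        start = end - window
        if key in seen:
            return start
        seen[key] = start
    return None


def detect_cross_check(hmi_values, independent_values, max_delta=5.0):
    """Check 2: compare what the HMI shows with an out-of-band measurement
    (e.g. a separately wired drive-current or vibration sensor).  Return the
    first index where they disagree by more than max_delta, else None."""
    for t, (shown, measured) in enumerate(zip(hmi_values, independent_values)):
        if abs(shown - measured) > max_delta:
            return t
    return None


def run_scenario(total=60, attack_start=30):
    """Run the constructed scenario and return what each check reports."""
    truth = [plc_truth(t, attack_start) for t in range(total)]
    hmi = mitm_replay(truth, attack_start)
    # The independent sensor sees the real process, with its own noise.
    independent = [
        v + random.Random(10_000 + t).uniform(-0.5, 0.5) for t, v in enumerate(truth)
    ]
    return {
        "hmi_looks_normal": all(abs(v - NOMINAL_HZ) < 1.0 for v in hmi),
        "replay_at": detect_replay(hmi),
        "cross_check_at": detect_cross_check(hmi, independent),
    }


if __name__ == "__main__":
    print(run_scenario())
```

In the constructed run the HMI stream stays within a hertz of the set point for the whole attack, yet both checks flag sample 30. Check 1 is cheap but brittle: an attacker who adds jitter to the replay defeats it. Check 2 survives that because it measures the physical process through a path the attacker does not control, which is the point of the “several barrier defense strategies” the deck comes back to later.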

Page 16: BlackEnergy

Page 17: BlackEnergy

• A modular trojan with a crimeware history, repurposed for ICS targeting; unlike Stuxnet it is not self-propagating and arrives by spear-phishing or by exploiting exposed HMI software

• Publicly reported by ICS-CERT in October 2014; the campaign had been active since at least 2011

• Suspected country of origin: Russia

• Targets Internet-facing human-machine interfaces, including GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess

• Attempts to damage, modify, or otherwise disrupt the victim systems’ control processes

• Modular and difficult to detect: plugins are loaded on demand, so a captured sample rarely shows the full capability

• Later tied to the December 2015 attack on Ukrainian distribution utilities, the first confirmed cyber-induced power outage

Page 18:

Page 19: ICS-CERT 2014 Annual Report

• 245 incidents reported, including:

– Unauthorized access and exploitation of Internet-facing SCADA

– Exploitation of zero-day vulnerabilities

– Infections within “air gapped” control networks

– SQL injection and exploitation

– Network scanning

– Watering hole attacks

– Spear-phishing campaigns
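The first item on that list, Internet-facing SCADA, is also the easiest to audit for. The Python below is an added example written for this transcript (not code from the webinar, WPI or ICS-CERT): it reads a firewall rule export and reports every “allow” rule that lets a source outside RFC 1918 space reach a well-known ICS protocol port. The rule syntax, the sample rules and the addresses are constructed for the example; the port-to-protocol table is the standard assignment for those protocols.

```python
"""Audit firewall rules for ICS protocols reachable from outside the perimeter.

Added example for this transcript, not code from the webinar, WPI or ICS-CERT.
The rule syntax is a constructed, simplified format
("<action> <proto> <src-cidr> -> <dst-ip> <dst-port>"); adapt parse_rule()
to your firewall's own export.
"""
import ipaddress

# Well-known ICS/SCADA protocol ports that should never be Internet-facing.
ICS_PORTS = {
    102: "Siemens S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP (CIP)",
    47808: "BACnet/IP",
}

# Trusted internal address space (RFC 1918).  Anything else counts as
# reachable from the Internet for the purposes of this audit.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample rule set (not a real utility's firewall).
SAMPLE_RULES = """\
allow tcp 10.20.0.0/16 -> 10.30.1.5 502
allow tcp 0.0.0.0/0 -> 203.0.113.10 502
allow tcp 0.0.0.0/0 -> 203.0.113.11 443
deny  tcp 0.0.0.0/0 -> 203.0.113.12 20000
allow tcp 198.51.100.0/24 -> 203.0.113.12 20000
allow udp 0.0.0.0/0 -> 203.0.113.13 47808
allow tcp 192.168.5.0/24 -> 192.168.9.9 102
"""


def parse_rule(line):
    """Parse one rule line into a dict; return None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    action, proto, src, arrow, dst, port = line.split()
    if arrow != "->":
        raise ValueError(f"malformed rule: {line!r}")
    return {
        "action": action.lower(),
        "proto": proto.lower(),
        "src": ipaddress.ip_network(src, strict=False),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
    }


def is_internal(net):
    """True only if the source network lies entirely inside RFC 1918 space.
    (Deliberately not ip_network.is_private: 0.0.0.0/0 is not 'private'.)"""
    return any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def audit(rules_text):
    """Return (line number, destination, port, protocol name) for every ALLOW
    rule that lets a non-internal source reach an ICS protocol port."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "allow":
            continue
        if rule["port"] in ICS_PORTS and not is_internal(rule["src"]):
            findings.append((lineno, str(rule["dst"]), rule["port"], ICS_PORTS[rule["port"]]))
    return findings


if __name__ == "__main__":
    for lineno, dst, port, name in audit(SAMPLE_RULES):
        print(f"line {lineno}: {name} on {dst}:{port} reachable from outside the perimeter")
```

Against the sample rules this flags lines 2, 5 and 6: the deny on line 4 and the HTTPS rule on line 3 are ignored, and the two rules whose source is inside RFC 1918 space pass. Run it over the real export and every hit is a host that belongs behind a VPN or a jump host, not on a public address.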

Page 20: Attacks by Sector

Page 21: Smart Grid Field Area Networks (FAN)

Patrick Grossetete, Cisco

Page 22: Attack Strategies on Utilities

Physical Attack

Cyber Attack

Page 23-24: Anatomy of a Sophisticated Cyber Attack

(diagram with three components: Domain Knowledge, Physical Attack, Cyber Attack)

Page 25:

“There are two types of companies. Those that have been attacked and those that don’t know it yet”

Scott Aaronson, Senior Director, Edison Electric Institute

Page 26: Cyber Defense Roles to prevent, detect and effectively respond

(diagram; the recoverable labels are listed below)

Roles: All Other Personnel; MIS & IT Professionals; Software Engineers; Forensics

Resiliency goals: resiliency via secure software design; resiliency via several barrier defense strategies; intrusion detection

Education paths: Human Firewall Training; Executive Response Training; Certifications, Professional Development & Graduate Cyber-CS Education

Page 27: Scenario: A USB drive in the grass

Page 28: What it looks like to the typical finder

Page 29: What it represents to your network

Page 30: The National Cybersecurity Workforce Framework*

• Issued by the National Initiative for Cybersecurity Education (NICE)

• Provides a common lexicon for cybersecurity work

• A collaboration of federal agencies, academia and general industry

• Constructed of “Categories” and “Specialty Areas” to group similar types of work

• Provides tasks, knowledge, skills, and abilities (tKSAs) within each area

• Version 2.0 was being drafted at the time of this talk

*http://csrc.nist.gov/nice/framework/

Page 31: http://csrc.nist.gov/nice

Page 32: National Cybersecurity Workforce Framework

Categories:

• Securely Provision

• Operate and Maintain

• Protect and Defend

• Investigate

• Collect and Operate

• Analyze

• Oversight and Development

Page 33: National Cybersecurity Workforce Framework

Category: Specialty Areas Include:

Securely Provision: Systems Security Architecture; Secure Acquisition; Software Assurance and Security Engineering; Test and Evaluation; Systems Development

Operate and Maintain: System Administration; Network Services; Systems Security Analysis

Protect and Defend: Incident Response; Computer Network Defense Analysis; Vulnerability Assessment and Management

Investigate: Digital Forensics; Cyber Investigation

Collect and Operate (Federal Government Role): Collection Operations; Cyber Operations and Planning

Analyze: Cyber Intelligence; Exploitation Analysis / Targets / Threat Analysis

Oversight and Development: Legal Advice and Advocacy; Security Program Management; Strategic Planning and Policy Development; Training, Education and Awareness; Knowledge Management

Page 34: DHS Cyber Security Evaluation Tool (CSET)

Page 35: What to Look For: Academic Partner

Page 37: What to Look For: Domain Knowledge

For example, at WPI:

NSA/DHS Designated Center of Excellence

Core faculty performing current research:

• Trusted Computing Platforms

• Algorithms & Architectures for Cryptography

• Analysis of Access-Control and Firewall Policies

• Wireless Network Security

• Cyber-Physical System Security

Power Systems Engineering - utility technology, systems, equipment & culture

Page 38: What to Look For: Program Tailored to Your Needs

The Framework is generic. To maximize your ROI, your program must be relevant:

• Address your unique requirements

• Address SCADA vulnerabilities

• Include NERC CIP

• Provide utility-based examples/case studies

• Be convenient for your students

Page 40: Effective Learning Objectives

“As a result of this course, the student will be able to …”

Verbs to use: explain, estimate, design, solve, prepare, detect, assess, determine, infer, illustrate, complete, operate, employ, rank, test, visualize, lead, etc.

Verbs to avoid: appreciate, understand, learn, cover, believe, study, comprehend, etc.

Page 41: Timeline to a Customized Program

The WPI Process:

– Identify Customer Needs

– Create Learning Objectives

– Meet with Executive Sponsor (Go / No Go decision)

– Select Instructor(s)

– Select Best Delivery Method

– Develop Customized Curriculum

– Launch Pilot Program

– Assign Dedicated Support Team

– Survey Students (mid-course and end of course)

– Evaluate Surveys with Sponsor

Page 42: Courses Customized for the Power Industry

• Computer and Network Security, including SCADA protection and NERC CIP standards

• Operations Risk Management, focusing on social media phishing and embedded malware risks

• Case Studies in Computer Security, including power industry examples

Page 43: A Custom Graduate Cybersecurity Program (modeled after the National Cybersecurity Workforce Framework)

Framework Category: Courses

Securely Provision: Computer and Network Security; Software Security Design and Analysis

Operate and Maintain: Computer and Network Security

Protect and Defend: Intruder Detection

Investigate: Digital Forensics

Collect and Operate: Government role - not in program

Analyze; Oversight and Development: Operations Risk Management; Case Studies in Computer Security

Page 44: In Summary

Page 45-46:

“There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.”

- Donald Rumsfeld

Page 47-49: In Summary: Attack Mode / Counter Measures

Known knowns:

• Maintain Robust Cyber Security Infrastructure

• Maintain Physical Security Measures (NERC CIP)

• Continue Secure Process Training (Human Firewall)

Known unknowns:

• Conduct Penetration Testing & Analysis

• Perform Cyber Security Gap Analysis (DHS CSET)

• Practice Supply Chain Cyber Risk Management

• Stay Informed on Evolving Vulnerability Assessments

Unknown unknowns:

• Prepare for “the day after”

• Perform Incident Response and Analysis - Forensics

• Develop Systems Behavior Modeling

• Invest in Continuing Education

Page 51: Thank you