1

Linking Critical

Infrastructure Protection

and Industrial

Cybersecurity: Is there a

Cyber-Tsunami in waiting?

Samuel LinaresIndustrial Cybersecurity Center (CCI)

Director

Earthquake Research Institute, University of Tokyo

1960 Chile Great Earthquake Mw9.5

1964 Alaska Earthquake Mw 9.2

1957 Andreanof Islands Earthquaker Mw9.1

1952 Kamchatka Earthquake Mw9.0

2011 East Japan Great Earthquake Mw 9.0

2004 Indian Ocean Earthquake Mw9.0

2010 Chile Earthquake Mw8.8

Changing

Environment?

Convergence

Consequences: Intangible

Web Portal unavailable

No email

Consequences: Tangible, Concrete

Production Losses

Environmental Damages

Public Health

Lower Company Valuation

Physical & Cyber Worlds Convergence

8

IT in the Industrial World

Convergence

IT in the Industrial World

Industrial devices have inherited

all problems from IT

Industrial Control

Systems are NOT

isolated anymore.

They have moved

from using

dedicated serial

lines to Ethernet or

WiFi

Now, most of

industrial protocols

are running over

TCP/IP

Industrial Control

Systems use general

purpose operating

systems

10

IT in the Industrial World

Convergence

Different Cultures

Plant vs IT vs Security

Plant / IT Conflict:

– “Watertight” environments. “Don’t get

into my lot, and I won’t into yours”

– Attention is not paid to communication

interfaces between both worlds

– Connection interfaces are no man’s land,

and many times, unknown (others

WWW… Wild Wild West ☺)

12

IT in the Industrial World

Convergence

Different Cultures

¿Security?

¿Cyber Security?Industrial Safety

Physical Security

Environmental

Safety

SECURITY

14

Stuxnet

Stuxnet

16

Project Basecamp

& Project Robus

Project Basecamp

SCADA Security

Scientific

Symposium (S4)

18

Project Robus: Master Serial Killer

• Objective: Analysis of Implementation of

Industrial Protocols (First: DNP3)

• DNP3: 15 advisories, 28 tickets reported

• Fuzzing techniques

• All devices analyzed vulnerables: only 2 ok!

• Implementaciones se limitan a garantizar

funcionalidad, pero no la seguridad

• Hundreds of thousands vulnerable devices:

much of them connected to Internet

19

Smart Grid and

Internet of Things are coming…

Smart Grid

Internet de las CosasInternet of Things

22

Cybersecurity

Strategies and Regulations

European Cyber Security Strategy

CYBERSECURITY

FRAMEWORK

CIP Regulations

24

Shodan

Shodan (www.shodanhq.com)

• Internet search engine that indexes internet-

connected services response (FTP, SSH, Telnet,

HTTP, HTTPS, SNMP, uPNP, SMB…)

• Provide cccess to millions of Internet-

connected devices

26

27

28

Internet-facing

Industrial Systems+2.000.000Located in

United States30%ISP’s Dynamic

Addresses80%

Project SHINESHodan INtelligence Extraction

30

Shodan

Demo

33

34

35

Who's Really Attacking

our ICS Devices?

• ONLY attacks that were targeted

• ONLY attempted modification of

pump system

• ONLY attempted modification via

Modbus/DNP3

• DoS/DDoS were considered attacks

Kyle Wilhoit

(Trendmicro)

…on the look-out

RRRR

“C3R: Collaboration, Coordination and Commitment based

Relationships”

Collaboration

CoordinationCommitment

Industrial Cyber Security

Tsunami is here…

Will you keep

watching?

Thank youSamuel Linares - @infosecmanblog – samuel.linares@cci-es.org