Cyber-Attacks on Safety-Critical Industries? Prof. Chris Johnson, School of Computing Science,...

Date post: 15-Jan-2016
Upload: victor-tant
Cyber-Attacks on Safety-Critical Industries? Prof. Chris Johnson, School of Computing Science, University of Glasgow, Scotland. http://www.dcs.gla.ac.uk/~johnson 27th May 2013.

Cyber-Attacks on Safety-Critical Industries?

Prof. Chris Johnson,

School of Computing Science, University of Glasgow, Scotland.

http://www.dcs.gla.ac.uk/~johnson

27th May 2013.


Right Now It Is a Mess

• Who covers cyber-safety?
  – ENISA (yes but not yet)
  – EPCIP (yes but indirectly, so far)
  – EASA (maybe…?)
  – EUROCONTROL (maybe…?)
  – SESAR (partially/poorly?).

• Issues of cross-modal security.

Copyright C.W. Johnson, 2012


Aim is to Provoke Discussion...

• Common software across European transport:
  – networks, Linux, VOIP, SBAS...

• Duqu, Stuxnet, Flame…
  – We have been very lucky so far.

• Partial Solutions:
  – 1. Extension and enforcement of Article 13a;
  – 2. ‘Telecoms inclusion’ for contingency planning;
  – 3. Urgent need for digital forensics in policing.


Security Threats to GNSS (1)

• Dec. 1997, New Jersey approach:
  – Continental trans-Atlantic loses GPS signals;
  – US military test, 200km “interference zone”;
  – GPS antenna, 5-watt signal, steps frequencies.

• 2009 UK Ministry of Defence (MOD):
  – jamming over area of UK coastline;
  – disrupts integrated bridge systems/autopilot;
  – multiple alarms erode situation awareness;
  – shore-based Vessel Traffic Services lost.


Integrated Safety and Security Threats

• G1: EGNOS SBAS is acceptably safe
• C1: SBAS performance requirements identified in EGNOS Service Definition Document – Open Service, Ref: EGN-SDD OS V1.1 – 30th October 2009 and ICAO Annex 10 Vol I (Radio Navigation Aids) – 6th Ed July 2006 ver. 85, EC Reg 550/2004
• S1: Initial tests on limited geographical areas
• G2: all identified hazards with accuracy, integrity, continuity and availability have been eliminated or mitigated to an acceptable level.
• C2: Hazards and ‘feared events’ identified according to the EGNOS end-to-end validation programme
• G3: SBAS operations conducted according to agreed SOPs.
• C3: EGNOS Safety of Life Service Definition Document European Commission, DG Enterprise and Industry Ref: EGN-SDD SoL, V1.0 also RTCA/DO-229D
• G4: Hazards to accuracy have been mitigated.
• G8: Probability of deterministic failure < 10^-5 per service hour
• G9: Probability of random stochastic failure < 10^-5 per service hour
• G10: SBAS ops will be conducted following practices in European Cooperation for Space Standardization; Space Engineering – Verification; ECSS-E-10-02A; 17 November 1998.
• G11: SBAS ops meet detailed requirements in Single European Sky Certification of ESSP
• S4: Fault tree for EGNOS components
• S5: Evidence of Conformance from Audit eg French NSA for EC, July 2010.
• S6: Process evidence from ESSP teams
• S2: Real-time monitoring of Signal-in-Space data
• CE1: Excessive multipath at RIMS level jeopardizes continuity
• S3: Simulator data eg EGNOS End to End Simulator (EETES)
• G7: Hazards to continuity have been mitigated.
• G5: Hazards to integrity have been mitigated.
• G6: Hazards to availability have been mitigated.
• SC1: Localized jamming of GPS or spoofing invisible to ground stations.
• SC2: Concerns over insider threat to EGNOS ground stations.


What are the Threats?

• ‘Mass market’ viruses.

• You cannot disconnect the Internet.
  – Virtual channels from USB sticks.

• Contractors violate security policies.

• Many policies only exist on paper.

• Huge problem with complacency.


GAO Review of FAA CyberSecurity

“FAA is similarly ineffective in managing systems security for its operational systems and is in violation of its own policy”.

“performed the necessary analysis to determine system threats, vulnerabilities, and safeguards for only 3 of 90 operational ATC computer systems, or less than 4%”.

Intrusion detection in 11 of 300 ATM facilities.


DoT Review of FAA CyberSecurity

DoT "unless effective action is taken quickly, it is likely to be a matter of when, not if, ATC systems encounter attacks that do serious harm to ATC operations."

“Attackers can take advantage of software vulnerabilities in commercial IP products to exploit ATC systems, when the Nation is facing increased threats from sophisticated nation-state-sponsored cyber attacks”


Air Navigation Service Provider

• ANSP label on 13 switches from eBay:
  – Flash memory for configuration data;
  – Not erased prior to sale.

• Supervisor login for local area network;
  – Upstream switch addresses/configs;
  – VTP trunk info and password;
  – SNMP community strings…

• Damage more to public relations?
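
A pre-disposal check for the kinds of residue listed on this slide, as an added example that is not part of the original talk. It scans an exported configuration for login credentials, VTP settings, SNMP community strings and addresses, and redacts the values in its own report; the sample configuration, the rule set and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: IOS-style configuration as it might remain in flash.
# Every name, address and secret here is invented for illustration.
SAMPLE_CONFIG = """\
hostname example-access-sw07
enable secret 5 $1$EXAMPLE$notarealhashvalue000
username supervisor privilege 15 password 0 ExamplePass1
vtp domain EXAMPLE-LAN
vtp password ExampleVtpPw
interface Vlan1
 ip address 10.20.30.7 255.255.255.0
ip default-gateway 10.20.30.1
snmp-server community examplero RO
snmp-server community examplerw RW
line vty 0 4
 password 7 0000EXAMPLE
"""

# One rule per kind of residue named on the slide; first match wins.
RULES = [
    ("login credential", re.compile(
        r"^\s*(enable\s+(secret|password)\b"
        r"|username\s+\S+.*\b(password|secret)\b"
        r"|password\s)")),
    ("VTP domain/password", re.compile(r"^\s*vtp\s+(domain|password)\b")),
    ("SNMP community string", re.compile(r"^\s*snmp-server\s+community\s")),
    ("network address", re.compile(r"^\s*ip\s+(address|default-gateway)\s")),
]

def audit_config(text):
    """Return (line number, category, redacted line) for each residual item."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in RULES:
            if pattern.search(line):
                # Keep only the leading keywords so the report does not
                # repeat the secret or address it is flagging.
                redacted = " ".join(line.split()[:2]) + " <redacted>"
                findings.append((lineno, category, redacted))
                break
    return findings

def safe_to_release(text):
    """A device is cleared for disposal only if the audit finds nothing."""
    return not audit_config(text)

if __name__ == "__main__":
    for lineno, category, redacted in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno:>2}: {category:<22} {redacted}")
    print("safe to release:", safe_to_release(SAMPLE_CONFIG))
```

A clean result on the exported text is a gate before sale, not a substitute for erasing the flash itself.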


What are the Threats?

• NIST’s Industrial Control System Security
  – Angry worker attacks US SCADA sewage system.
  – 46 radio orders to release 800k litres raw sewage.

• Arrested, found PC sewage application:
  – Connected to Motorola M120 two-way radio;
  – Serial numbers show ordered by the company;
  – Had PDS Compact 500 computer control device;
  – Address mimicked spoof pumping station;
  – Could test out the impact of his commands.

• Sub-contractor – disguised his attacks…


Estonia, April-May 2007

• June 1940, Soviets annex Estonia.

• After independence:
  – Ethnic Russians lose Estonian citizenship;
  – Dispute over moves to Bronze Soldier of Tallinn;
  – Riots kill one and injure more than 150 people.

• Two phase attack:
  – Emotional ‘crowdsourcing’ (download scripts);
  – focused attacks using criminal infrastructures.


Estonia and Paranoia?

Chatham House report:

“The severity of the attacks on one of NATO’s most electronically connected members put the alliance on guard.

If a highly wired small state could be brought to its knees then what type of havoc could be wrought upon larger states with more heterogeneous systems and critical infrastructure open to attack?”


Georgia, August 2008

• Armed conflict between Georgia & Russia:
  – 1922 North Ossetia in Russia, South in Georgia;
  – 1990 S. Ossetia gains de facto independence.

• Cyber-attacks prior to armed conflict:
  – ICMP floods/HTTP ‘GET’ requests in July.

• But Georgian infrastructure vulnerable:
  – half of 13 interconnections through Russia;
  – Only 5 ISPs, 75% use Caucasus Network Tbilisi;
  – Prior to war, began building link via Bulgaria…


“Go But You Will Never Work Here Again…”


China, GhostNet and Shadow, March 2009

• Active defence and the attribution problem…
  – No definitive proof of Chinese state involvement

• Use of social media and Gmail:
  – Use of TOR anonymity server…

• Infection of Dalai Lama’s office:
  – Tailor email so recipient opens attachment;
  – Trojan horse onto victim’s machine;
  – Information forwarded to control servers.
  – Use genuine document on compromised machine?


Edsger W Dijkstra (1930-2002)

Testing can prove the presence of errors, but not their absence.


http://www.iaa.ie/files/2008/news/docs/20080919020223_ATM_Report_Final.pdf


The Real Impact

• "The problem here is that you have an autonomous semi-state monopoly which doesn't care about its customers or the disruption to passengers,"

• "Send the buggers to Shannon, if it was a commercial company they would have done so,"

• “They're not on top of the job. We're talking about 25 arrivals and departures per hour. The air traffic controllers should be capable of handling this volume of flights”.

Michael O'Leary, CEO Ryanair

http://www.herald.ie/news/oleary-more-disruption-if-iaa-doesnt-clean-up-act-1431408.html


W32.STUXNET, March 2010

• W32.Stuxnet multi-component malware
  – Attacks Programmable Logic Controllers (PLCs);

• Stuxnet has up to 4 zero-day exploits:
  – ATM very vulnerable to this…
  – Unusual range of languages (C/C++) team?
  – Used 2 legit Taiwanese digital signatures…

• Command & control servers identified:
  – Located in Malaysia and Denmark;
  – 155 countries, 40,000 IP addresses.


Recap: W32.STUXNET

• Triggers a state machine to hide ‘sabotage’;
  1. Wait 13 days;
  2. Set maximum frequency to 1410 Hz;
  3. Wait 27 days;
  4. Set maximum frequency to 2 Hz;
  5. Set maximum frequency to 1064 Hz;
  6. Go to 1.


W32.Duqu

• Written by the same ‘team’ as STUXNET?
  – Remote Access Trojan (RAT).

• Duqu will inject malware into:
  – Internet Explorer; Firefox;
  – Trend Micro PC-cillin AntiVirus Real-time Monitor.

• Checks for anti-viral products:
  – avp.exe, Mcshield.exe, avguard.exe, bdagent.exe, UmxCfg.exe, fsdfwd.exe, rtvscan.exe, ccSvcHst.exe, ekrn.exe, tmproxy.exe, RavMonD.exe.


Edsger W Dijkstra (1930-2002)

Testing can prove the presence of errors, but not their absence.

Copyright C.W. Johnson, 2013

Must Learn About Recovery Actions…


Cyber-Security Answers?


A Roadmap for CyberSafety

• Improved Competency Assessment for CyberSafety
• Support for Multi-Party Exercises and Drills
• Organisational and Regulatory Recognition of CyberSafety
• Learning from Previous Incidents and Information Sharing
• Improved Tools for CyberSafety Risk Assessment
• Security Screening for Infrastructure Engineers


Federal Communications Commission

• Normal Outage Reporting.

• Disaster Information Reporting.

• Backed by significant fines.

• Detailed search tools for patterns.

• Free exchange of information with ENISA.


Solution 2: Telecoms Inclusion Principle

• Telecoms inclusion principle:
  – comms failures in ALL contingency plans.

• Why hold a cyber-safety exercise?
  – Reinforce security messages to staff;
  – Improve external communications;
    – (especially contractors);
  – Identify skill shortages;
  – Demonstration of competence to government…

• NATO MNE7 Exercise (Global Commons)


Key: Condition; Violation; Vulnerability; Event; Continuation

• Weak monitoring of security policy implementation by sub-contractors
• Sub-contractor introduces ‘mass market’ malware onto primary system using infected device (USB/CD-ROM etc)
• Lack of malware detection programmes on primary systems.
• Sub-contractor introduces ‘mass market’ malware onto primary system as part of unverified utility.
• Malware is latent in the primary CNS applications.
• Lack of performance monitoring applications after acceptance testing.
• Weak monitoring of security policy implementation in all business areas.
• Failure to detect malware latent in primary system.
• ‘Routine’ bug consumes CPU cycles in CNS.
• Sudden degradation in CNS performance and loss of primary systems.
• Extreme difficulty in diagnosing causes of failure from interactions between malware and the bug.
• Sub-contractors reluctant to consider they might introduce malware.
• Lack of forensic engineering expertise in the ANSP.
• Local ATM facility lacks network monitoring expertise
• Central network monitoring by ATM IT department lacks local operational knowledge.
• Safety concern
• Uncertainty over when to clear the skies
• Roll-back fails.


Solution 2: Key Issues

• Cannot predict future modes of attack;
  – Can use previous incidents following 13a.

• Simulating an optimum level of challenge:
  – Too many vulnerabilities, disillusionment?

• When is it safe to resume operations?

• Involvement of different stakeholders:
  – CERTs; Regulators, Govt; Press; Public…


Solution 3: Digital Forensics for Safety

• US Department of Justice (2008)
  – “Immediately secure all electronic devices, including personal devices.
  – Ensure that no unauthorized person has access to any electronic devices at the crime scene.
  – Refuse offers of help or technical assistance from any unauthorized persons.
  – Remove all persons from the crime scene or the immediate area from which evidence is to be collected.
  – Ensure that condition of any electronic device is not altered.
  – STOP! Leave a computer or electronic device off if it is already turned off”.


Solution 3: Digital Forensics for Safety

• UK Association of Chief Police Officers:
  – No action taken by law enforcement agencies should change data on a computer or storage which may be relied on in court;
  – If a person has to access original data on a computer or storage media, they must be competent to do so and give evidence explaining their actions;
  – An audit trail or record of all processes applied to computer-electronic evidence should be preserved. Independent 3rd party should examine those processes and achieve same result;
  – Person in charge of investigation (the case officer) has overall responsibility for ensuring the law and these principles are followed.
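
One way to make the audit-trail principle checkable, as an added example that is not part of the original talk: each process applied to a working copy is logged with input and output digests in a hash-chained record, and a third party replays the log on their own copy to confirm the same result. The sample image bytes, the process names and the record layout are assumptions made for illustration.

```python
import hashlib
import json
import re

# Constructed sample: invented bytes standing in for an acquired disk image.
IMAGE = b"\x00\x01login: supervisor\x00\xffvlan 10\x00\x02last login: console\x00"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def extract_strings(image: bytes) -> bytes:
    # Printable ASCII runs of four or more bytes, one per line.
    return b"\n".join(re.findall(rb"[\x20-\x7e]{4,}", image))

def keep_login_lines(text: bytes) -> bytes:
    return b"\n".join(l for l in text.split(b"\n") if b"login" in l)

# Named, deterministic processes (hypothetical names for this example).
PROCESSES = {"strings": extract_strings, "login-lines": keep_login_lines}

def entry_digest(entry: dict) -> str:
    fields = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(fields, sort_keys=True).encode())

def record(trail: list, examiner: str, process: str, data: bytes) -> bytes:
    """Run a process on a working copy; log who, what and both digests."""
    out = PROCESSES[process](data)
    entry = {
        "seq": len(trail), "examiner": examiner, "process": process,
        "input_sha256": sha256_hex(data), "output_sha256": sha256_hex(out),
        "prev": trail[-1]["entry_hash"] if trail else "0" * 64,
    }
    entry["entry_hash"] = entry_digest(entry)
    trail.append(entry)
    return out

def chain_intact(trail: list) -> bool:
    # Every entry must hash correctly and link to the one before it.
    prev = "0" * 64
    for e in trail:
        if e["prev"] != prev or e["entry_hash"] != entry_digest(e):
            return False
        prev = e["entry_hash"]
    return True

def independent_replay(trail: list, data: bytes) -> bool:
    """A third party repeats each logged step on their own copy."""
    for e in trail:
        if sha256_hex(data) != e["input_sha256"]:
            return False  # copy differs from what the examiner worked on
        data = PROCESSES[e["process"]](data)
        if sha256_hex(data) != e["output_sha256"]:
            return False  # same process, different result
    return True

def demo():
    trail = []
    strings = record(trail, "examiner-A", "strings", IMAGE)
    hits = record(trail, "examiner-A", "login-lines", strings)
    return trail, hits
```

`independent_replay` assumes each logged step consumed the previous step's output, as in `demo()`; a copy that differs from the acquired image by a single byte fails at the first entry.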


Summary of Second Talk...

• Common software across European transport:
  – networks, Linux, VOIP, SBAS...

• Duqu, Stuxnet, Flame…
  – We have been very lucky so far.

• Partial Solutions:
  – 1. Extension and enforcement of Article 13a;
  – 2. ‘Telecoms inclusion’ for contingency planning;
  – 3. Urgent need for digital forensics in policing.


Any Questions?

