
Cyber & Process Attack Scenarios for ICS

Date post: 18-Jan-2015
Upload: jim-gilsinn
Description:
Presented at the OPC Foundation's "The Information Revolution 2014" in Redmond, WA, August 5-6, 2014. This presentation discusses the modes and methodologies an attacker may use against an industrial control system in order to create a complex process attack. The presentation then discusses some specific examples, both real and hypothetical. The presentation finishes with a description of some common ways in which an organization could defend itself against these types of attacks.
Transcript
Page 1: Cyber & Process Attack Scenarios for ICS

Information Revolution 2014 1

Cyber & Process Attack Scenarios for ICS

Jim Gilsinn
Kenexis Security

8/5-6/2014

Page 2: Cyber & Process Attack Scenarios for ICS

Overview
• If You Live Here…
• The Situation
• Cyber & Process Attack Methodology
• Cyber & Process Attack Examples
• What Can You Do?
• Questions

Page 3: Cyber & Process Attack Scenarios for ICS

If You Live Here…

Page 4: Cyber & Process Attack Scenarios for ICS

If You Live Here…

Page 5: Cyber & Process Attack Scenarios for ICS

If You Live Here…

Page 6: Cyber & Process Attack Scenarios for ICS

If You Live Here…

Page 7: Cyber & Process Attack Scenarios for ICS

If You Live Here…

Page 8: Cyber & Process Attack Scenarios for ICS

THE SITUATION

Page 9: Cyber & Process Attack Scenarios for ICS

Background
• Security of IT systems is increasingly important
• Industrial Control Systems (ICS) are a subset of IT utilized to control industrial processes
  – Systems referred to with the terms SCADA, DCS, PLC
• ICS cyber-attacks represent a real risk as ICS become more integrated with other IT systems
  – Successful cyber attacks already being made: Stuxnet, Flame, Duqu, Gauss, Shamoon, Havex

Page 10: Cyber & Process Attack Scenarios for ICS

IT & ICS Priorities Differ

Priority, Traditional IT: Confidentiality, Integrity, Availability
Priority, Lower-Level ICS: Safety, Availability, Integrity, Confidentiality

Page 11: Cyber & Process Attack Scenarios for ICS

IT & ICS Priorities Differ

Priority, Traditional IT: Confidentiality, Integrity, Availability
Priority, Higher-Level ICS: Safety, Integrity, Availability, Confidentiality

Page 12: Cyber & Process Attack Scenarios for ICS

Traditional Defense-In-Depth Model

Page 13: Cyber & Process Attack Scenarios for ICS

What It Probably Looks Like in Reality

Page 14: Cyber & Process Attack Scenarios for ICS

What it Probably Should Look Like

Page 15: Cyber & Process Attack Scenarios for ICS

CYBER & PROCESS ATTACK METHODOLOGY

Page 16: Cyber & Process Attack Scenarios for ICS

Methods & Likelihood of ICS Cyber-Attack

Direct Attack to ICS Equipment
• Exploit vulnerability in specific device
• Limited impact

Denial of Service and/or Denial of Control
• Executed with limited knowledge/resources
• Moderate impact – not expected to be catastrophic

Complex Process Attack
• Combine knowledge of ICS, processes, and cyber-security
• Sophisticated and persistent attack
• Potentially catastrophic impact

Page 17: Cyber & Process Attack Scenarios for ICS

Attack Modes for ICS
• Loss of View (LoV)
• Manipulation of View (MoV)
• Denial of Control (DoC)
• Manipulation of Control (MoC)
• Loss of Control (LoC)

Page 18: Cyber & Process Attack Scenarios for ICS

Complex Cyber-Attack Process
• Surveillance
• System Mapping
• Initial Infection & Compromise
• Information Exfiltration
• Preparing the Final Attack
• Testing Incident Detection & Response
• Launch the Attack

Page 19: Cyber & Process Attack Scenarios for ICS

CYBER & PROCESS ATTACK EXAMPLES

Page 20: Cyber & Process Attack Scenarios for ICS

Stuxnet
• Successful complex cyber-attack
• Discovered = 2010
• Earliest Evidence = 2005
• Target = Iranian nuclear industry
• Deployment = infected memory sticks
• Physical attack = enrichment centrifuge drive frequencies
• Cyber attack = MITM between eng. workstation and PLC

Page 21: Cyber & Process Attack Scenarios for ICS

Havex
• Also known as Dragonfly
• Newest Variant June 2014
• RAT = Remote Access Trojan
  – “Watering Hole Attack”
  – Used ICS vendor sites to distribute RAT
  – Replaced legitimate software installers
  – Malicious installers leave backdoor open to C&C server
• “Energetic Bear” group attacking energy sector since 2011

Page 22: Cyber & Process Attack Scenarios for ICS

Havex (cont’d)
• Collects Info About OPC Classic Servers, Not OPC-UA
• Uses DCOM features to identify potential servers on network
• Collects information about server
• Capable of Enumerating OPC Tags
• ICS-CERT testing indicated server crashes
• Sources: ICS-CERT, Symantec, CrowdStrike, F-Secure, FireEye, DigitalBond

Page 23: Cyber & Process Attack Scenarios for ICS

Hypothetical Cyber-Attack Scenarios

Turbine Overspeed – Power Generation
• Disable overspeed shutdowns, disconnect load
• Phishing scam posing as ICS cyber-security research firm

Ammonia Plant Explosion
• Manipulate heating during process, disable alarms and safety system, increase CO in methanator
• Disgruntled employee

Boiler Explosion
• Stop feedwater, overheat drum, reintroduce feedwater
• Weaponized proof-of-concept exploit from white-hat researcher

Page 24: Cyber & Process Attack Scenarios for ICS

Boiler Explosion
• Proof of Concept
  – White-hat hacker finds vulnerability and develops POC exploit
  – Releases POC exploit publicly
• Public Participation
  – Black-hat hackers weaponize exploit
  – Attack code actively searches for specific equipment
• Introducing Malware
  – Attackers drop infected USB drives outside industrial facilities
• Mapping High-Value Targets
  – Establish C&C center
  – Collect information
  – Select targets
• Preparing Attack
  – List of targets based upon potential consequences
  – Send command to execute at particular date/time
• Launch Attack

Page 25: Cyber & Process Attack Scenarios for ICS

Ammonia Plant Explosion
• Gaining Access
  – Disgruntled employee terminated with cause
  – Previously built home lab of ICS equipment
  – Privileged access
  – Creates admin accounts prior to termination
• System Mapping
  – Privileged access through VPN using admin accounts
  – Leverages Citrix & terminal services to gather HMI data
  – Creates additional accounts to hide actions
• Preparing & Testing Final Attack
  – Essentially another HMI operator
  – Uses MITM tools to hijack HMI communications from operators
  – Develops custom scripts
  – Makes small system changes to test
• Launch Attack

Page 26: Cyber & Process Attack Scenarios for ICS

WHAT CAN YOU DO?

Page 27: Cyber & Process Attack Scenarios for ICS

ICS Security Is Nothing New!
• Don’t reinvent the wheel!
• Safety, financial, physical security have all been around for a long time
• Beg, borrow, steal everything you can

Page 28: Cyber & Process Attack Scenarios for ICS

ICS Security: Now
• Risk Management
  – Consequences are many times already identified
• Network Segmentation
  – Ingress/egress monitoring and limitation through zone boundaries
  – Technology helps, architecture is more important
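
An added example (not from the presentation) of ingress/egress monitoring at zone boundaries: flow records are mapped to zones and checked against an allowlist of conduits. The zone names, subnets, ports and sample flows are constructed for illustration.

```python
import ipaddress

# Constructed zone model: names and subnets are assumptions for illustration.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),
    "control":    ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed conduits: (source zone, destination zone, destination port).
# Enterprise never talks to the control zone directly; it goes via the DMZ.
CONDUITS = {
    ("enterprise", "dmz", 443),      # historian web front end
    ("dmz", "control", 4840),        # OPC UA from DMZ historian to control
}


def zone_of(addr):
    """Return the zone name containing addr, or 'external' if none does."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def check_flows(flows):
    """Return findings for flows that cross a zone boundary without a conduit."""
    findings = []
    for src, dst, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz and sz != "external":
            continue                      # intra-zone traffic is out of scope here
        if (sz, dz, dport) not in CONDUITS:
            direction = "egress" if sz == "control" else "ingress" if dz == "control" else "transit"
            findings.append((src, dst, dport, f"{sz}->{dz}", direction))
    return findings


# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.7",  "10.20.0.5",   443),   # allowed: enterprise -> dmz
    ("10.20.0.5",  "10.30.0.12",  4840),  # allowed: dmz -> control
    ("10.10.4.7",  "10.30.0.12",  135),   # enterprise straight into control (DCOM port)
    ("10.30.0.12", "203.0.113.9", 80),    # control zone reaching the Internet
    ("10.30.0.12", "10.30.0.13",  502),   # intra-zone, ignored
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print("VIOLATION", f)
```

The conduit table is the architecture decision; the firewall or flow collector only enforces or reports against it.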

Page 29: Cyber & Process Attack Scenarios for ICS

ICS Security: Now
• Access Control
  – Manage user accounts as roles change
• Monitoring
  – Firewalls and IDS are good, unless rules and logs are not monitored
• Patching
  – Patch where and when possible to reduce attack surface
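
An added example (not from the presentation) of the account review this slide calls for, aimed at the pattern in the Ammonia Plant scenario where admin accounts are created shortly before a termination. The HR roster, account inventory, field names and the 30-day window are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed HR roster: employee id -> termination date (None = still employed).
ROSTER = {
    "e100": None,
    "e200": date(2014, 6, 30),
}

# Constructed account inventory exported from the directory / VPN / HMI servers.
ACCOUNTS = [
    {"name": "jsmith",    "owner": "e100", "created_by": "e100", "created": date(2012, 3, 1),  "admin": False, "enabled": True},
    {"name": "bjones",    "owner": "e200", "created_by": "e100", "created": date(2011, 5, 9),  "admin": True,  "enabled": True},
    {"name": "svc_hist2", "owner": None,   "created_by": "e200", "created": date(2014, 6, 20), "admin": True,  "enabled": True},
    {"name": "old_temp",  "owner": "e200", "created_by": "e200", "created": date(2013, 1, 4),  "admin": False, "enabled": False},
]

WINDOW = timedelta(days=30)   # assumed look-back before a termination date


def audit_accounts(accounts, roster, window=WINDOW):
    """Return sorted (account name, reason) findings for accounts needing review."""
    findings = []
    for acct in accounts:
        owner, creator = acct["owner"], acct["created_by"]
        if not acct["enabled"]:
            continue                                   # already disabled
        if owner is None or owner not in roster:
            findings.append((acct["name"], "no accountable owner"))
        elif roster[owner] is not None:
            findings.append((acct["name"], "owner terminated, account still enabled"))
        left = roster.get(creator)                     # creator's termination date, if any
        if acct["admin"] and left is not None and left - window <= acct["created"] <= left:
            findings.append((acct["name"], "admin account created shortly before creator's termination"))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in audit_accounts(ACCOUNTS, ROSTER):
        print(f"{name}: {reason}")
```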

Page 30: Cyber & Process Attack Scenarios for ICS

ICS Security: Future
• Whitelisting
  – Monitor applications and memory-space for changes
• Secure ICS Protocols
  – OPC-UA is incorporating security from ground up
  – DNP3 has security
  – EtherNet/IP is adding security now

Page 31: Cyber & Process Attack Scenarios for ICS


Page 32: Cyber & Process Attack Scenarios for ICS

QUESTIONS

Page 33: Cyber & Process Attack Scenarios for ICS

Questions
• Contact Information
  – Jim Gilsinn
  – Senior Investigator, Kenexis Security
  – Email: [email protected]
  – Website: http://www.kenexis.com
  – Phone: +1-614-323-2254
  – Twitter: @JimGilsinn
  – LinkedIn: http://www.linkedin.com/in/jimgilsinn
  – SlideShare: http://www.slideshare.com/gilsinnj

