Rita Wells
Idaho National Laboratory
Update on Threat/Vulnerability Trends and Research for Cybersecurity

“Cybersecurity for Energy Delivery Systems (CEDS)” Roadmap – Framework for Public-Private Collaboration
• Originally published in January 2006
• New Version published September 2011
• Provides strategic framework to
– Build a Culture of Security
– Assess and Monitor Risk
– Develop and Implement New Protection Measures to Reduce Risk
– Manage Incidents
– Sustain Security Improvements
https://www.controlsystemsroadmap.net/Pages/default.aspx
17 NSTB Facilities From 6 National Labs
IDAHO Critical Infrastructure Test Range
• SCADA/Control System Test Bed
• Cyber Security Test Bed
• Wireless Test Bed
• Power Grid Test Bed
• Modeling and Simulation Test Bed
• Control Systems Analysis Center
SANDIA Center for SCADA Security
• Distributed Energy Technology Laboratory (DETL)
• Network Laboratory
• Cryptographic Research Facility
• Red Team Facility
• Advanced Information Systems Laboratory
PACIFIC NORTHWEST Electricity Infrastructure Operations Center
• SCADA Laboratory
• National Visualization and Analytics Center
• Critical Infrastructure Protection Analysis Laboratory
OAK RIDGE Cyber Security Program
• Large-Scale Cyber Security and Network Test Bed
• Extreme Measurement Communications Center
ARGONNE Infrastructure Assurance Center
LOS ALAMOS Cybersecurity Program
NSTB Assessment Findings by Component
• Poor Input / Output Validation
– Network Parsing Code
– ICCP Services and Protocol Stack
– Supervisory Control Protocol Services
– Control Protocol Services
– Database-Backed Applications
– Database-Backed Web Applications
– Web Applications
– Web HMI
• Failure to Secure Hosts
– Unneeded / Unused / Unsafe Services
– Password Policies
– Password Protection
– Permissions
– Vulnerable Remote Display Software
• Improper Authentication
– HMI Applications
– Supervisory Control Protocols
– Control Protocols
– Databases
– Web Services
• Poor Network Defenses
– Poor Network Segmentation
– Failure to Secure Network Devices
– Permissive Firewall Rules
– Poor IDS Monitoring
Example of Common Vulnerability Scoring System (CVSS) Scoring - Buffer Overflows

Metric                         Remote Code Execution Possible   DoS Impact Only
Base Metrics
  Access Vector                Network                          Network
  Access Complexity            Low                              Low
  Authentication               None                             None
  Confidentiality Impact       Complete                         None
  Integrity Impact             Complete                         None
  Availability Impact          Complete                         Complete
  Base Score                   10                               7.8
Temporal Metrics
  Exploitability               Proof-of-Concept                 Unproven
  Remediation Level            Not Defined                      Not Defined
  Report Confidence            Not Defined                      Not Defined
  Temporal Score               9.0                              7.0
Environmental Metrics
  Collateral Damage Potential  High                             High
  Target Distribution          Not Defined                      Not Defined
  Availability Requirement     Medium                           Medium
  Integrity Requirement        High                             High
  Confidentiality Requirement  Medium                           Medium
  Environmental Score          9.5                              8.5
Total Score                    9.5                              8.5
SCADA Service Buffer Overflow Integrity Impact Scenarios

Metric Value   Scenario
None           The buffer overflow can only be exploited to cause the service to crash; remote code cannot be executed and the attacker is not able to alter information on the host. Protections have been built into many new processors, operating systems, and compilers to help protect against buffer overflow attacks. These protections can prevent code execution aimed at gaining access to the host.
Partial        The SCADA service is running with limited permissions. Code executed by overflowing the buffer will run with the permissions of the SCADA service. Information available to the SCADA service could be disclosed to the attacker.
Complete       Vulnerable SCADA services running with root or administrator privileges may be exploited to gain full control of the host. The attacker is able to read all of the system's data (memory, files, etc.).
Remediate vulnerabilities in SCADA services
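As an added worked example (not from the slides), the CVSS v2 calculator below reproduces the two columns of the buffer-overflow scoring table from their metric vectors. The weights are the published CVSS v2 constants; the two vector strings are constructed from the table.

```python
from decimal import Decimal, ROUND_HALF_UP

# Published CVSS v2 metric weights, keyed by the vector abbreviations.
W = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.9, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.9, "UR": 0.95, "C": 1.0, "ND": 1.0},
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}

def r1(x):
    """Round half-up to one decimal, as the CVSS v2 guide specifies."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def impact(c, i, a):
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))

def base_score(m, imp):
    """Base equation; an impact of zero forces the score to zero."""
    if imp == 0:
        return 0.0
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    return r1((0.6 * imp + 0.4 * exploitability - 1.5) * 1.176)

def cvss2(vector):
    """Return (base, temporal, environmental) for a full CVSS v2 vector string."""
    m = {k: W[k][v] for k, v in (p.split(":") for p in vector.split("/"))}
    base = base_score(m, impact(m["C"], m["I"], m["A"]))
    temporal = r1(base * m["E"] * m["RL"] * m["RC"])
    # Environmental: re-run base with impact weighted by the C/I/A requirements
    # (capped at 10), then apply collateral damage and target distribution.
    adj = base_score(m, min(10, impact(m["C"] * m["CR"], m["I"] * m["IR"], m["A"] * m["AR"])))
    adj_temporal = r1(adj * m["E"] * m["RL"] * m["RC"])
    env = r1((adj_temporal + (10 - adj_temporal) * m["CDP"]) * m["TD"])
    return base, temporal, env

# Vectors constructed from the two columns of the table above.
RCE = "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:ND/RC:ND/CDP:H/TD:ND/CR:M/IR:H/AR:M"
DOS = "AV:N/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:ND/RC:ND/CDP:H/TD:ND/CR:M/IR:H/AR:M"
```

Run on the DoS column exactly as tabulated (Exploitability Unproven, weight 0.85) the calculator returns a temporal score of 6.6 and an environmental score of 8.3; the 7.0 and 8.5 shown correspond to a Proof-of-Concept exploitability weight of 0.9.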
NSTB - Top 10 Most Critical Vulnerabilities
What’s New? Government
• Government:
– PrECISE Act H.R. 3674
• Information Sharing
• Research and Training
– SECURE IT S. 2151
• Information Sharing
• Roles and Responsibilities
• 3-20 year penalties for attacks on critical infrastructure
• Research and Training
– Cybersecurity Act of 2012 S. 2105
– Who has the lead? DHS, NSA, DOE, industry, CYBERCOM
– Electric Sector Cyber Risk Management Maturity Initiative
http://energy.gov/oe/electric-sector-cybersecurity-risk-management-maturity-initiative
What’s New? – Incidents and Vulnerabilities
• Incidents
– DHS ICS-CERT Update - Working with FBI
• Increased activity
• Attackers in for long durations
• Better malware analysis, fewer fly-aways
• Active Monitoring key to better detection and incident response
• Vulnerabilities:
– Vulnerabilities are constant, with changes in tools and techniques for discovery and exploitation
– Disclosure grace periods:
• From 15-60 days (Rapid7) to 182 days (Zero Day Initiative)
– Simultaneous vulnerability and exploit disclosures - Project Basecamp from Digital Bond
• GE D20ME, Schneider Electric Modicon Quantum and Control Microsystems SCADAPack, RA Allen-Bradley ControlLogix, Koyo/DirectLOGIC H4-ES, SEL-2032
What’s New? Threats, Exploits and Risk
• Threats:
– Capabilities, motivation, intent
– Actors
– Advanced persistent threats, 0-days
• Exploits:
– Russian Business Network SCADA Exploits
– Equal Vulnerabilities
• Risk
– NIST Process
– NERC Cyber Attack
– White House Risk Maturity
What’s New: Industry and Malware Analysis
• Asset Owners:
– NERC CIPC: Funds for compliance now shifting more toward security – over 1000 violations being processed in 12 months
– Skills Development
– Incident Teams
– Trust and Involve One Source
– CFATS – 64% (ACC survey) already had cybersecurity measures in place to meet it, 26% need to increase
• Malware Analysis
– Lots of Press
– Various degrees of sophistication
What’s New? Technology Trends
• Cloud technologies for GIS, modeling, and non-production
• Mobile applications for field support replacing laptops
• Cheap communications
– WiFi
– Cellular
• Advanced data management systems to connect field input to operational situational awareness faster
– Advanced modeling
• Situational Awareness – Sophia, Intelligent Cyber Sensor, Mesh Mapper, Data Fusion, NetAPT
• High Level Language on Microcontrollers
• Frontier Research: SCADA Protocol, Host-Event based Network, EV chargers, Dynamic Analysis of Mobile Devices
• Research partners:
– Asset Owners
– Universities & Research Centers
– Vendors: Siemens, Honeywell, ABB, Fujitsu, GE, OSISoft, Itron
What’s New? Research
Technologies – Host and End Devices
• Issues
– Unpatched and unused applications
– Configuration Control
– Silo Defenses
• Mitigations
– Harden hosts
– Patch
– Situational Awareness
• Research
– Instrumentation Control and Intelligent Systems
• Resilient – State Awareness – Operational Normalcy
– Forensics information for better incident response times
• Storage of data is cheap
– Link host events closer to network events for forensics data for better incident response
Technologies – Defense in Depth
• Issues
– Same defense applied multiple layers is not depth
– Common rule sets applied across architectures
• Mitigations
– Ensure multiple techniques
– Tailor rule sets to specific configuration
• Research
– Sophia
• Creation of whitelists, blacklists and gray lists
• Validation of baseline configuration
Overview
• Passive Collection
– Real-time Fingerprinting
– Static Fingerprinting
• Distributed Architecture
• Real-time or historic packet visualization
• Navigable virtual 3D rendering of fingerprint
Beta Testing: Oct 2011 - Sept 1, 2012
Must sign up before June 1, 2012
Open to U.S. Energy Companies
https://sophiahome.inl.gov
Additional Use Cases
Configuration Management: An alarm may indicate the addition of a new component or process, triggering a configuration management review.
Fielding New Systems: Use a fingerprint developed as part of the factory acceptance test (FAT) during the Site Acceptance Test (SAT) to identify required site-specific communications.
Firewall Rule Validation/Development: The fingerprint represents only what is needed for ICS operations, providing the critical information necessary for simple, quality firewall rules.
Switch and Router Configuration: Switches and routers can be configured based on what is needed as identified in the fingerprint. Port security such as Access Control Lists (ACLs) is easily created and used.
Component Hardening: All necessary ports are identified in the fingerprint. All other ports are not required for operation and can be disabled or blocked by a personal firewall, reducing exposure to cyber attack.
Patch Testing: When used on a quality system, changes in normal operational communications will be quickly identified as patches are rolled out. Patches in some cases re-open previously disabled ports and services. Configuration management issues are identified; firewall rules may need changing, ACLs may need updating, etc.
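As an added example that is not Sophia's own code, the following reduces the passive-fingerprint idea from the Defense in Depth research slide and the use cases above to its core: a fingerprint built from known-good FAT traffic, new traffic sorted into white, black and gray lists, and the ACL, hardening and patch-testing views derived from it. All flow records, host addresses and the ACL syntax are constructed for illustration.

```python
from collections import namedtuple

# One conversation: source host, destination host, protocol, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

def fingerprint(flows):
    """Baseline: every distinct conversation seen in known-good traffic."""
    return frozenset(flows)

def classify(fp, unsafe_services, flows):
    """Whitelist hits are in the fingerprint, blacklist hits use a known-unsafe
    service, anything else is gray: new traffic for a configuration review."""
    verdicts = {"white": set(), "black": set(), "gray": set()}
    for f in flows:
        if f in fp:
            verdicts["white"].add(f)
        elif (f.proto, f.dport) in unsafe_services:
            verdicts["black"].add(f)
        else:
            verdicts["gray"].add(f)
    return verdicts

def required_ports(fp, host):
    """Component hardening: the only listening ports this host needs."""
    return sorted({(f.proto, f.dport) for f in fp if f.dst == host})

def acl_rules(fp):
    """Firewall/ACL development: one permit per fingerprinted conversation
    and a closing deny, in a generic host-to-host ACL syntax."""
    rules = [f"permit {f.proto} host {f.src} host {f.dst} eq {f.dport}"
             for f in sorted(fp)]
    return rules + ["deny ip any any"]

def patch_delta(baseline, flows_after):
    """Patch testing: conversations present only after the patch rolled out."""
    return fingerprint(flows_after) - baseline

# Constructed FAT traffic: one HMI polling two PLCs over Modbus/TCP and
# writing to a historian database.
FAT = [
    Flow("10.1.1.10", "10.1.2.21", "tcp", 502),
    Flow("10.1.1.10", "10.1.2.22", "tcp", 502),
    Flow("10.1.1.10", "10.1.1.5", "tcp", 1433),
]
BASELINE = fingerprint(FAT)
UNSAFE = {("tcp", 23), ("tcp", 21)}  # telnet and ftp: unneeded/unsafe services
# Constructed post-patch traffic: a re-opened telnet service and an unknown host.
AFTER_PATCH = FAT + [
    Flow("10.1.1.10", "10.1.2.21", "tcp", 23),
    Flow("10.1.3.99", "10.1.2.22", "tcp", 502),
]
```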
Current Security Mantra
• Embrace the state – you're connected, vulnerable, exploitable, exploited, owned
• Skills are the key – not technology
• Focus on defense – Configuration Control, Monitoring, Distinct Defense Layers
• Incident response, operating through degraded systems and recovery – plan for bad
• Partner to keep up to date on threats and vulnerabilities with industry and with other sources at different levels of trust
Tools and other Help
• Procurement Language
• Cyber Security Evaluation
• Sophia
– Whitelist, Blacklist and Graylist
• Vulnerability Reports
• Industrial Control System Cyber Emergency Response Team
– Alerts, Advisories, Newsletters, Incident Response
Challenges Remain
• Information Sharing
– Regulatory – CFATS, DHS, TSA
– O&NG Coordination Council June 2004
• Who to Trust – Vendor, Integrator, Government
– Partnerships need mutual beneficial outcomes
• Active Monitoring
– Resource issues – if you are actively monitoring, can you respond?
• Collection of Data for Incident Response
– Forensics plus quicker response if actively monitoring
– Storage is Cheap
• Prove Attackers Off System
• Next-generation control with resilience
– Brittle optimization vs. resilient, agile and adaptive
Complex Standards Issues
• API 1164 liquid pipelines
– Management Policies, Procedures, Roles and Responsibilities
– Physical Security
– Communications Systems
– Technology: Network Design and management
– Risk and vulnerability assessments
– Business Continuity Plans
– Incident Response Plan
• TSA Pipeline Security Guidelines
• Chemical Facility Anti-Terrorism Standards, 6 CFR Part 27
Information Sharing and Analysis Center – Oil and Natural Gas Sub-Sector
• American Exploration & Production Council (AEPC)
• American Gas Association (AGA)
• American Petroleum Institute (API)
• American Public Gas Association (APGA)
• Association of Oil Pipe Lines (AOPL)
• Canadian Association of Petroleum Producers (CAPP)
• Canadian Energy Pipeline Association (CEPA)
• Energy Security Council (ESC)
• Gas Processors Association (GPA)
• International Liquid Terminals Association (ILTA)
• Interstate Natural Gas Association of America (INGAA)
• Independent Petroleum Association of America (IPAA)
• National Association of Convenience Stores (NACS)
• National Ocean Industries Association (NOIA)
• National Petrochemical & Refiners Association (NPRA)
• National Propane Gas Association (NPGA)
• Offshore Marine Service Association (OMSA)
• Offshore Operators Committee (OOC)
• Petroleum Marketers Association of America (PMAA)
• Society of Independent Gas Marketers Association (SIGMA)
• U.S. Oil & Gas Association (USOGA)
• Western States Petroleum Association (WSPA)
Other Challenges?
• How do you evaluate your cyber security posture?
• What new technologies are being deployed and relied upon?
• How does your entity keep up with the changing vulnerability and threat landscape?
• What other pressures exist that are hampering cyber security efforts?
– Audit focus
– Resource constraints
Contact:
US Department of Energy
Carol Hawk
202-586-3247
Diane Hooie
304-285-4524
Visit:
http://energy.gov/oe/services/cybersecurity
https://www.controlsystemsroadmap.net/Pages/default.aspx
For more information …
INL:
David Kuipers
208-526-4038
Rita Wells
208-526-3179