Date posted: 08-Jan-2017 | Category: Technology
Reducing the Risk of a Cyber Attack on Utilities
Jim Girouard, Sr. Product Development Manager, Corporate and Professional Education
About WPI
Fully accredited, non-profit, top quartile national university*
Founded in 1865 to teach both “Theory and Practice”
Robust Computer Science, Power Systems Engineering and Business Departments
DHS/NSA Designated Center of Excellence in Information Security Research
*U.S. News and World Report
Today’s Dialogue – Cybersecurity Education
Outline:
– The Growing Menace
– New vulnerabilities due to Smart Grid Technology
– National Framework for Cybersecurity Workforce Education
– Essentials of a cyber security education program
– How to craft a customized education program
– Discussion
Stuxnet
• Infiltrates Microsoft Windows OS to infect SCADA Systems
• A Virus, Worm and Trojan
• Evades Detection. Erases its path as it jumps to next system
• Disables Safety systems
• Utilizes “Man in the Middle” Attack Strategy
• Once it infects SCADA PLCs it waits, observes then acts
• Returns recording of normal operation to operators
• Successfully destroyed ~1,000 centrifuges, about 30% of capacity
• Source code available on web for $150K
Black Energy
PowerSource
• Also a Virus, Worm and Trojan
• Reported in October 2014 but could have been around in 2011
• Suspected Country of Origin: Russia
• Infects Human-Machine Interfaces including: GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess
• Attempts to damage, modify, or otherwise disrupt the victim systems’ control processes
• Modular and difficult to detect
ICS-CERT 2014 Annual Report
• 245 Incidents Reported, including:
– Unauthorized access and exploitation of internet-facing SCADA
– Exploitation of zero-day vulnerabilities
– Infections within “air gapped” control networks
– SQL injection and exploitation
– Network scanning
– Watering hole attacks
– Spear-phishing campaigns
“There are two types of companies. Those that have been attacked and those that don’t know it yet”
Scott Aaronson, Senior Director, Edison Electric Institute
[Figure: Cyber Defense Roles to prevent, detect and effectively respond. Audiences: All Other Personnel; MIS & IT Professionals; Software Engineers. Training: Human Firewall Training; Executive Response Training; Certifications, Professional Development & Graduate Cyber-CS Education. Capabilities: Resiliency via secure software design; Resiliency via several barrier defense strategies; Intrusion Detection; Forensics.]
The National Cybersecurity Workforce Framework*
*http://csrc.nist.gov/nice/framework/
• Issued by the National Initiative for Cybersecurity Education (NICE)
• Provides a common lexicon for cybersecurity work.
• A collaboration of federal agencies, academia and general industry.
• Constructed of “Categories” and “Specialty Areas” to group similar types of work.
• Provides tasks, knowledge, skills, and abilities (tKSAs) within each area.
• Version 2.0 is currently being drafted
National Cybersecurity Workforce Framework
Category
Securely Provision
Operate and Maintain
Protect and Defend
Investigate
Collect and Operate
Analyze
Oversight and Development
National Cybersecurity Workforce Framework
Category: Specialty Areas Include:
Securely Provision: Systems Security Architecture; Secure Acquisition; Software Assurance and Security Engineering; Test and Evaluation; Systems Development
Operate and Maintain: System Administration; Network Services; Systems Security Analysis
Protect and Defend: Incident Response; Computer Network Defense Analysis; Vulnerability Assessment and Management
Investigate: Digital Forensics; Cyber Investigation
Collect and Operate (Federal Government Role): Collection Operations; Cyber Operations and Planning
Analyze: Cyber Intelligence; Exploitation Analysis; Targets; Threat Analysis
Oversight and Development: Legal Advice and Advocacy; Security Program Management; Strategic Planning and Policy Development; Training, Education and Awareness; Knowledge Management
What to Look For: Accreditations
• Computer Science
• Engineering
• Business
• Whole University
What to Look For: Domain Knowledge
For example, at WPI:
• NSA/DHS Designated Center of Excellence
• Core Faculty Performing Current Research
– Trusted Computing Platforms
– Algorithms & Architectures for Cryptography
– Analysis of Access-Control and Firewall Policies
– Wireless Network Security
– Cyber-Physical System Security
• Power Systems Engineering – Utility technology, systems, equipment & culture
What to Look For: Program Tailored to Your Needs
The Framework is Generic
To Maximize Your ROI, your program must be relevant:
• Address your unique requirements
• Address SCADA vulnerabilities
• Include NERC CIP
• Provide utility-based examples/case studies
• Be convenient for your students
Effective Learning Objectives
“As a result of this course, the student will be able to …”
Verbs to Use: explain, estimate, design, solve, prepare, detect, assess, determine, infer, illustrate, complete, operate, employ, rank, test, visualize, lead, etc.
Verbs to Avoid: appreciate, understand, learn, cover, believe, study, comprehend, etc.
Timeline to a Customized Program
The WPI Process:
• Identify Customer Needs
• Create Learning Objectives
• Select Instructor(s)
• Meet with Executive Sponsor (Go / No-Go decision)
• Select Best Delivery Method
• Develop Customized Curriculum
• Launch Pilot Program
• Assign Dedicated Support Team
• Survey Students (Mid and End)
• Evaluate Surveys with Sponsor
Courses Customized for the Power Industry
• Computer and Network Security – Including SCADA Protection and NERC CIP Standards
• Operations Risk Management – Focus on Social Media Phishing and Embedded Malware Risks
• Case Studies in Computer Security – Including Power Industry Examples
A Custom Graduate Cybersecurity Program
Modeled after The National Cybersecurity Workforce Framework
Framework Category: Courses
Securely Provision: Computer and Network Security; Software Security Design and Analysis
Operate and Maintain: Computer and Network Security
Protect and Defend: Intruder Detection
Investigate: Digital Forensics
Collect and Operate: Government Role - Not in Program
Analyze / Oversight and Development: Operations Risk Management; Case Studies in Computer Security
“There are known knowns, things we know that we know; and there are known unknowns, things that we know we don't know. But there are also unknown unknowns, things we do not know we don't know.”
- Donald Rumsfeld
In Summary: Attack Mode Counter Measures
Known knowns:
• Maintain Robust Cyber Security Infrastructure
• Maintain Physical Security Measures
• Continue Secure Process Training (Human Firewall)
Known unknowns:
• Conduct Penetration Testing & Analysis
• Perform Cyber Security Gap Analysis (DHS CSET)
• Practice Supply Chain Cyber Risk Management
• Stay Informed on Evolving Vulnerability Assessments
Unknown unknowns:
• Prepare for “the day after”
• Perform Incident Response and Analysis - Forensics
• Develop Systems Behavior Modeling
• Invest in Continuing Education
Discussion: What do you think?