Cyber security threats to industrial control systems
TRANSCRIPT
Cyber Security in Real-Time Systems
Threats to SCADA and other real-time systems: an update from the coal face.
David Spinks – Independent Cyber Security Consultant
April 2015
CSIRS Cyber Security in Real-Time Systems
1990 - 2000
Railtrack Safety Critical Software
Sizewell B Software Emergency Shut Down code validation
UK Government assessment of Embedded Software Aviation
Industrial Control Systems: Current Business Environments & Drivers
IT: tools, methods, culture. ICS: culture, tools.
Very different, and apparently no middle ground.
IT is "the Cavalry": fast moving and flexible. ICS is "the Cannons": fixed and slow, yet effective, and not changed much for centuries.
Advanced:
Planned ahead of time
Executed by individuals who have expertise
Intelligence gathered about the "target" in advance
Adoption of social engineering techniques
Covering of entry and exit points
Motive not always understood
Perpetrated by unknown agencies
Persistent:
Multiple points of entry, technical and non-technical
Complex execution across a period of time, which may be months or years
Use of multiple technologies, tools and techniques
Insider threat must be considered a possible entry point
Will explore logical and physical security weaknesses
May extend to the supply chain
Possible Actions
Changes in the education of IT and ICS engineers
Changes in culture in large organisations
Disclosure, legislation and regulation
Information exchange
Investment in ICS security
Changes in ICS vendor culture
Trends impacting ICS Cyber Security
Business demands that data be passed from ICS to IT, over both direct and indirect connections.
The sophistication of attacks (the ones we know about) is increasing.
75% of breaches are discovered by third parties.
The resulting impact of each attack is growing sharply.
The majority of incidents were categorized as having an “unknown” access vector. In these instances, the organization was confirmed to be compromised; however, forensic evidence did not point to a method used for intrusion because of a lack of detection and monitoring capabilities within the compromised network
Information about the 8 November incident came to light via the blog of Joe Weiss, who advises utilities on how to protect hardware against attack. Mr Weiss quoted from a short report by the Illinois Statewide Terrorism and Intelligence Center which said hackers obtained access using stolen login names and passwords. These were taken from a company which writes control software for industrial systems. The net address through which the attack was carried out was traced to Russia, according to Mr Weiss. The report said "glitches" in the remote access system for the pump had been noticed for months before the burn-out, said Mr Weiss.
“I could have straightened it up with just one phone call, and this would all have been defused,” said Jim Mimlitz, founder and owner of Navionics Research, who helped set up the utility’s control system. “They assumed Mimlitz would never ever have been in Russia. They shouldn’t have assumed that.”
Mimlitz’s small integrator company helped set up the Supervisory Control and Data Acquisition system (SCADA) used by the Curran Gardner Public Water District outside of Springfield, Illinois, and provided occasional support to the district. His company specializes in SCADA systems, which are used to control and monitor infrastructure and manufacturing equipment.
Mimlitz says last June, he and his family were on vacation in Russia when someone from Curran Gardner called his cell phone seeking advice on a matter and asked Mimlitz to remotely examine some data-history charts stored on the SCADA computer.
Post Event Investigations:
Access to HR
Attendance records
Door access logs
Audit records
Phone logs
Systems logs
Potential Common Ground
A Security Operations Centre shared by IT and ICS, with a common view of:
Threats
Use cases and mitigation
Impacts
Tools
Risks
Investigations
Today there are very few common methods; NIST guidance and identity management are among the exceptions.
ICS standards: DO-178C (avionics), ISO 26262 (automotive systems), IEC 62304 (medical devices), CENELEC EN 50128 (railway systems)
IT standards: ISO 27001:2013, COBIT 4.1, ISF, ISO 20000
Potential Solution:
Small team cross-trained across IT and ICS
Adoption of a common language and understanding of impacts
Shared understanding of threats
Devise and plan for integrated ICS/IT tools
Speak to both camps
Common understanding of potential impacts
But this would require commitment and proper funding
Lessons still to be learnt
Insider threats
Social engineering
Prevent rather than respond
Effective intelligence and analysis
Planned and tested response to threats
Solution:
Understand what is “normal”
Monitor for unusual trends
Collect and analyse cyber intelligence
Investigate
Act accordingly
Actions
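The "understand what is normal, monitor, investigate, act" loop above, and the investigation sources listed earlier (system logs alongside phone logs), can be put into working code. The following is an added example and is not code from the presentation or from any vendor or utility it mentions: it builds a per-account baseline of remote-access sessions to a SCADA host, flags sessions that depart from that baseline, and then checks the utility's phone log for a support call that would explain the session before deciding to escalate. All log lines, account names, phone numbers and countries are constructed for illustration; the pattern (a vendor session from an unexpected country) is modelled on the Curran Gardner account quoted above, not taken from its real logs.

```python
"""Baseline-and-deviation triage for SCADA remote-access sessions (added example).

Stages map to the presentation's loop: build_baseline = understand what is
normal, deviations = monitor for unusual trends, investigate = correlate with
other evidence (here the phone log), triage = act accordingly.
All data below is constructed; nothing is taken from a real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed historical session log: timestamp, account, source country, action.
SESSION_LOG = """\
2011-03-02T09:14:00 integrator US view_history
2011-03-09T10:02:00 integrator US view_history
2011-03-21T14:30:00 integrator US edit_setpoint
2011-04-05T08:45:00 integrator US view_history
2011-04-18T11:20:00 integrator US view_history
2011-05-03T13:05:00 integrator US edit_setpoint
"""

# Constructed sessions to triage: one explained by a support call, one not.
CANDIDATES = """\
2011-06-14T13:40:00 integrator RU view_history
2011-11-08T02:17:00 integrator RU edit_setpoint
"""

# Constructed utility phone log: timestamp, direction, number, contact label.
# The label "<account>-mobile" is an assumed convention for this example.
PHONE_LOG = """\
2011-06-14T13:25:00 outbound +1-555-0100 integrator-mobile
2011-11-07T16:10:00 inbound +1-555-0199 chemical-supplier
"""


def parse_sessions(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, account, country, action = line.split()
            rows.append({"ts": datetime.fromisoformat(ts), "account": account,
                         "country": country, "action": action})
    return rows


def parse_phone_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, direction, number, label = line.split()
            rows.append({"ts": datetime.fromisoformat(ts), "direction": direction,
                         "number": number, "label": label})
    return rows


def build_baseline(sessions):
    """Per account: source countries seen and the hour-of-day range used."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for s in sessions:
        baseline[s["account"]]["countries"].add(s["country"])
        baseline[s["account"]]["hours"].add(s["ts"].hour)
    return baseline


def deviations(session, baseline):
    """Return the list of ways a session departs from its account's baseline."""
    b = baseline.get(session["account"])
    if b is None:
        return ["unknown account"]
    reasons = []
    if session["country"] not in b["countries"]:
        reasons.append(f"new source country {session['country']}")
    lo, hi = min(b["hours"]), max(b["hours"])
    if not lo <= session["ts"].hour <= hi:
        reasons.append(f"outside usual hours {lo:02d}-{hi:02d}")
    return reasons


def investigate(session, phone_log, window=timedelta(hours=1)):
    """Find an outbound call to the account holder's mobile shortly before the session."""
    label = f"{session['account']}-mobile"
    for call in phone_log:
        if (call["label"] == label and call["direction"] == "outbound"
                and timedelta(0) <= session["ts"] - call["ts"] <= window):
            return call
    return None


def triage(candidates, baseline, phone_log):
    """Decide per session: normal, explained by corroborating evidence, or escalate."""
    results = []
    for s in candidates:
        reasons = deviations(s, baseline)
        if not reasons:
            results.append((s["ts"], "normal", reasons))
            continue
        call = investigate(s, phone_log)
        verdict = ("explained: support call at " + call["ts"].isoformat()) if call else "escalate"
        results.append((s["ts"], verdict, reasons))
    return results


def run_example():
    baseline = build_baseline(parse_sessions(SESSION_LOG))
    return triage(parse_sessions(CANDIDATES), baseline, parse_phone_log(PHONE_LOG))


if __name__ == "__main__":
    for ts, verdict, reasons in run_example():
        print(ts.isoformat(), verdict, "; ".join(reasons))
```

The first candidate session is flagged for a new source country but is explained by the utility's own outbound call to the integrator fifteen minutes earlier, which is the "one phone call" in the quoted account; the second, at 02:17 from the same country with a setpoint change and no corroborating call, is escalated. A real deployment would add more evidence sources from the investigation list (door access, attendance, audit records) and would treat a missing corroboration as a reason to investigate, not as proof of attack.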
Rail signal upgrade 'could be hacked to cause crashes'
Prof David Stupples told the BBC that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks.UK tests of the European Rail Traffic Management System are under way.Network Rail, which is in charge of the upgrade, acknowledges the threat.
http://www.bbc.co.uk/news/technology-32402481
The debate erupted after cybersecurity expert Chris Roberts, founder of One World Lab in Denver, sent a tweet while he was a passenger on a United Airlines flight suggesting he could hack into the airline’s onboard system to trigger the oxygen masks to drop.
When the plane landed in Syracuse, FBI agents were waiting to question him and confiscate his electronic devices, according to a statement from Roberts’ attorneys.
United Airlines also was not amused and banned Roberts from flying on the carrier.
On the 27th April 2015 … yesterday
Today - American Airlines planes grounded by iPad app error
LinkedIn CSIRS group:
http://www.linkedin.com/groupRegistration?gid=3623430
Questions?