N-Dimension Solutions, Inc.
March 9, 2016
Monitoring and Vulnerability Assessment: Cybersecurity
Starts with Finding Out What You Don’t Know
Presented By Jeff Bridgland, NDSI Advisory Board Member and Business
Development Leader
Today’s Agenda
• Why Protection and Monitoring?
• Knowing the Differences in Types of Cyber Security
• Solutions Overview
• Q&A
What cyber threats are lurking in your Utility Networks?
The following are reasons why you need a protection and cyber security monitoring program…
U.S. Power Infrastructure is vulnerable
• “Power utilities experiencing ‘daily’ and ‘constant’ cyber attacks”
• Cyber attacks among top utility CEO and Board concerns
• “Taking out 9 of the country’s substations would result in a blackout of most of the U.S.”
• Smaller power companies are the weakest link – a gateway for hackers
Energy Sector Cybercrime is Costly
Average annualized cost of cyber threats in the energy sector is forecast to be the highest among all industries in 2014 (in $millions of U.S. dollars)
Source: “2014 Cost of Cybercrime Report”, Ponemon Institute

Energy Sector Cybercrime is Costly
Average annualized cost of cyber threats in the energy sector is among the highest of all industries in 2015 (in $millions of U.S. dollars)
Source: “2015 Cost of Cybercrime Report”, Ponemon Institute
What should we be concerned about?
• In 2012, a Midwestern utility passes on a cyber defense system, gets hacked and is out over $2M so far, with multiple lawsuits still pending.
• In 2014, a Southern utility is hacked, W2s are taken from the HR system, and the hackers file false tax returns in employees’ names.
• In 2014, a Midwestern utility is hacked and the hackers take over control of their SCADA system.
• In 2013, a Northeast IOU is hacked and over a third of their customers’ records are taken before their system sees the attack and blocks it.
• In 2014, a Rural Electric Cooperative’s (Co-op) IP-based phone system is hacked. The system was programmed so that every time a customer called the customer service lines, the phone system would dial a 1-900 number and the Co-op customer would be charged for the call.
• In 2014, a Rural Electric Cooperative (Co-op) had just installed a new HVAC system at their Co-op. This Co-op has a sharp IT group, and they noticed new outbound communications to an unknown IP address soon after the HVAC system was installed. They traced the activity back to the HVAC system and the IP address to Russia.
• In 2014, a Rural Electric Cooperative (Co-op) has the cryptolocker virus released on their network. In the process of cleaning the network after the attack, they discover their 3rd party IT company was not performing the work they had paid them to do: no anti-virus software on machines, no updates to firewalls, etc.
Modern Cyber Attacks are Multi-Vectored
• Today’s available technology allows hackers to use several means of attack simply and simultaneously.
• Reconnaissance is the process of information collection that does not generally interact with the IT system in question. This can be achieved by DNS queries, website scraping, email harvesting, and social engineering.
• Enumeration takes place to map the network being evaluated. It attempts to obtain technical information regarding the targeted systems. This can be achieved by running, for example, port scans, vulnerability scanning, application/OS fingerprinting, network mapping, service mapping, and packet captures
– E.g. NMAP, AMAP, ShodanHQ, OpenVAS, scanrand, ParaTrace, Search Diggity, and others.
• Exploration is a phase in which the information gathered within the enumeration phase is put to use in navigating the network being targeted to obtain further information about it.
• Exploitation is a phase in which the vulnerabilities found during enumeration may be exploited.
– E.g. Online Webserver Stress Testing tools (Quantum Booter)
Common Cyber Security Risks & Vulnerabilities
Common Findings…
• Lack of network monitoring and defense-in-depth protection – utilities may monitor what goes in and out of the firewall, but no one monitors what is happening within their internal network.
• Lack of network segregation – potential compromise of one workstation could ultimately compromise other systems in the network.
• Unencrypted communication between remote locations to/from control centers.
• Utilities use VLANs to segregate networks without knowing the cyber risks associated with them if not properly configured.
• Utilities’ staff use unauthorized cloud services and applications (such as P2P applications), and also connect to various social networking sites (e.g. Facebook).
• Usage of VMware and/or other virtualization technologies – there are many cyber security vulnerabilities that exist within virtualization technologies. For example, missing VMware security patches, and combining a weak-security VM with a high-security VM.
• Missing security patches on servers, workstations, and especially on networking equipment
• Misconfigurations on networking equipment and default configurations
• Lack of cyber security training and knowledge with experienced resources
• Unused Ethernet ports enabled / active in the network switch – anyone with physical access to any network switch connected to the utility network can access the utility’s internal network.
• No network access control to prevent unauthorized devices from connecting to the network.
• Weak password policy in the Operations environment.
• Lack of Inventory List of Cyber Assets with their Risk Classification
• Lack of Formally Documented Cyber Security Policies & Procedures
• Neither Information Security Awareness sessions nor training program
To See The Value, KNOW The Differences
Utility businesses and their operations have different requirements than regular corporations, especially with SCADA operations. The following slides highlight some of the risks in industrial control systems (ICS) as well as differences in cyber security requirements.

Security Risks to Modern ICS
• Poor separation from enterprise
• No security monitoring
• Poorly secured 3rd party access
• Dialup modems
• Unpatched systems
• Limited use of anti-virus
• Limited use of host-based firewalls
• Improper use of ICS workstations
• Unauthorized applications
• Unnecessary applications
• Open FTP, Telnet, SNMP, HTML ports
• Fragile control devices
• Network scans by IT staff
• Legacy OSes and applications
• Inability to limit access
• Inability to revoke access quickly
• Unexamined system logs
• Accidental misconfiguration
• Improperly secured devices
• Lack of security features
• Improperly secured wireless
• Unencrypted links to remote sites
• Passwords sent in clear text
• Password management problems
• Default OS security configurations
• Unpatched routers / switches
Known Security Problems in the Power Grid
COTS + IP + connectivity = many security risks. All of these are in addition to all those from Enterprise networks.
• From NISTIR 7628 (Chapter 7.2 EVIDENT AND SPECIFIC CYBER SECURITY PROBLEMS)
– 7.2.1 Authenticating and Authorizing Users to Substation IEDs
– 7.2.2 Authenticating and Authorizing Users to Outdoor Field Equipment
– 7.2.3 Authenticating and Authorizing Maintenance Personnel to Meters
– 7.2.4 Authenticating and Authorizing Consumers to Meters
– 7.2.5 Authenticating Meters to/from AMI Head Ends
– 7.2.6 Authenticating HAN Devices to/from HAN Gateways
– 7.2.7 Authenticating Meters to/from AMI Networks
– 7.2.8 Securing Serial SCADA Communications
– 7.2.9 Securing Engineering Dial-up Access
– 7.2.10 Secure End-to-End Meter to Head End Communication *****
– 7.2.11 Access Logs for IEDs
– 7.2.12 Remote Attestation of Meters
– 7.2.13 Protection of Routing Protocols in AMI Layer 2/3 Networks
– 7.2.14 Protection of Dial-up Meters
– 7.2.15 Outsourced WAN Links *****
– 7.2.16 Unsecure Firmware Updates
– 7.2.17 Side Channel Attacks on Smart Grid Field Equipment
– 7.2.18 Securing and Validating Field Device Settings
– 7.2.19 Absolute & Accurate Time Information *****
– 7.2.20 Personnel Issues in Field Service of Security Technology
– 7.2.21 Weak Authentication of Devices in Substations
– 7.2.22 Weak Security for Radio-Controlled Distribution Devices
– 7.2.23 Weak Protocol Stack Implementations
– 7.2.24 Insecure Protocols
– 7.2.25 License Enforcement Functions
– 7.2.26 Unmanaged Call Home Functions
• From NISTIR 7628 – 7.3 NONSPECIFIC CYBER SECURITY ISSUES
– 7.3.1 IT vs. Smart Grid Security
– 7.3.2 Patch Management
– 7.3.3 Authentication
– 7.3.4 System Trust Model
– 7.3.5 User Trust Model
– 7.3.6 Security Levels
– ...
– 7.3.33 Cyber Security Governance
Source: NISTIR 7628, Guidelines for Smart Grid Cyber Security, Volume 3, Chapter 7
The Three Pillars of Data Security
AIC
Availability, Integrity & Confidentiality:
• Availability – the information must be available when it is needed
• Integrity – maintaining and assuring the accuracy and consistency of control signals and data transmissions and storage
• Confidentiality – preventing disclosure of information to unauthorized individuals or systems
Differences in A-I-C Requirements
• Enterprise networks – Focus: Intellectual Property
✓ Confidentiality of intellectual property and customer information has highest priority along with availability for business functions
✓ Integrity less volatile
• Industrial Control Systems (SCADA) – Focus: Reliability
✓ Data availability and integrity of control matters most
✓ Control data has little need for confidentiality
✓ Data decoupled from business IP or personal information
• Ensuring availability is difficult with competing network needs
✓ Many ICS vendors manufacture to a standard of six 9’s (99.9999% availability)
– Typical networking gear is five 9’s (99.999%)
✓ DDoS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high Mean Time Between Failure (MTBF)
Outsourcing Cyber Security Monitoring
• You may need to implement Security Monitoring and Defense-in-Depth protection based on a vulnerability assessment report
• You may want to learn about threats to utilities in advance
• You may not have in-house staff specializing or having expertise in cyber security, or the capital to spend on effective coverage
• You do not have the luxury of time to look after all cyber security matters – avg. of 3 IT staff for 50-75 users
• You may want cyber insurance and pay less for it
• You have compliance requirements to meet (NERC CIP, PCI, etc.)
Why is Cyber Security Monitoring Necessary?
✓ Hackers are increasingly targeting utilities
✓ Firewalls are not enough
✓ Cybersecurity is complex - requires deep expertise and vigilance
✓ Compliance Requirements – NERC CIP, PCI, ISO, etc.
✓ Multi-layered cybersecurity strategy is best practice
✓ Lack of understanding of cyber security in Power & Energy companies
✓ False sense of cyber security
✓ The basic component of cybersecurity best practices and the Information Security Life Cycle
Source: NIST SP800-61r2 (Computer Security Incident Handling Guide)
Knowing is the Key – From Start to Finish
Do you think you can say to those whose data is compromised that you “didn’t know”?
For cybersecurity professionals:
• The very first step is to know what you are up against.
• The next step is to know what is happening and really understand the threat and how to mitigate it, in order to address it in a timely manner.
• The last step is to know what happened, learn from it, and protect against the next threat.
In each and every step, Cyber Security Monitoring is highly recommended.
Some Cyber Security Monitoring Compliance Requirements
Knowing is the “Key” – From Start to the End
NERC CIPv5:
• CIP-005-5 R5.1.5: Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
• CIP-007-5 R7.4.2: Generate alerts for security events that the Responsible Entity determines necessitate an alert, including, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability)
• CIP-007-5 R7.4.4: Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.
PCI Compliance:
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
Some Cyber Security Monitoring Best Practice Requirements
Knowing is the “Key” – From Start to the End
ISO-27002:
• 10.6: Network Security Management
• 10.10: Monitoring
• 15.1: Compliance with Legal Requirements
NIST Cybersecurity Framework:
• ID.RA: Risk Assessment
• PR.AC: Access Control
• DE.CM: Security Continuous Monitoring
[Figure: NIST Cybersecurity Framework functions – Identify, Protect, Detect, Respond, Recover – arranged around Management]
[Figure: examples of risks found on utility networks]
• Unencrypted traffic, like customers’ credit card numbers or network credentials
• Exploitable risks in virtualized infrastructure
• Unencrypted traffic, like SCADA control commands, usernames & passwords
• Unknown connections to outside
• P2P file sharing programs
• No anti-malware in some systems used for utility operations
Some Solutions Monitor only the Network Perimeter
• Monitor what goes in and out of the firewall

Important to Monitor BOTH the Perimeter and Internal Networks
• Monitor the corporate business networks
• Monitor the operations networks
• Monitor the remote stations’ networks
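The deck's point is that perimeter-only monitoring misses what happens inside the network: the HVAC controller quietly contacting an unknown external address, or a corporate workstation reaching into the operations network. The following added example (not part of the deck or of NDSI's product) shows the two internal checks in Python over constructed flow records; the network ranges, the learned baseline and the allowlist of engineering workstations are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port); not from the original deck.
FLOWS = [
    ("10.10.1.25", "10.10.1.5", 445),     # corporate workstation -> corporate file server
    ("10.10.3.40", "198.51.100.7", 443),  # HVAC controller -> never-seen external host
    ("10.10.1.25", "10.20.5.10", 502),    # corporate workstation -> SCADA segment (Modbus)
    ("10.20.5.2", "10.20.5.10", 502),     # engineering workstation -> PLC (expected)
    ("10.10.1.30", "203.0.113.9", 443),   # known SaaS destination already in the baseline
]

INTERNAL = [ipaddress.ip_network("10.10.0.0/16"), ipaddress.ip_network("10.20.0.0/16")]
OPERATIONS_NET = ipaddress.ip_network("10.20.5.0/24")      # SCADA / operations segment (assumed)
# External destinations each internal host has previously been seen talking to (assumed learned)
BASELINE_EXTERNAL = {"10.10.1.30": {"203.0.113.9"}}
# Internal hosts permitted to reach the operations segment (assumed engineering workstations)
OPS_ALLOWED_SOURCES = {"10.20.5.2"}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def review_flows(flows, baseline=BASELINE_EXTERNAL, ops_allowed=OPS_ALLOWED_SOURCES):
    """Return findings a perimeter-only monitor would miss or under-report:
    - 'new-external': an internal host contacting an external destination not in its baseline
    - 'east-west-to-ops': an internal host outside the allowlist reaching the operations segment
    """
    findings = []
    seen = defaultdict(set, {h: set(d) for h, d in baseline.items()})
    for src, dst, dport in flows:
        if not is_internal(src):
            continue  # inbound traffic is left to the perimeter sensor in this example
        if is_internal(dst):
            if ipaddress.ip_address(dst) in OPERATIONS_NET and src not in ops_allowed:
                findings.append(("east-west-to-ops", src, dst, dport))
        elif dst not in seen[src]:
            findings.append(("new-external", src, dst, dport))
            seen[src].add(dst)  # report each new destination once, then treat it as known
    return findings

if __name__ == "__main__":
    for finding in review_flows(FLOWS):
        print(finding)
```

A real deployment would feed this from firewall, NetFlow or span-port data and age the baseline, but the two findings it raises on the sample (the HVAC host's new destination and the corporate-to-SCADA connection) are exactly the ones the perimeter firewall log alone would not show.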
Key Monitoring Benefits
• Monitoring – for cyber security intrusion attempts at both perimeter level and interior network level, providing layers of cyber defense.
• Comprehensive IDS Signatures – using a complete combination of IDS signatures (Snort, Emerging Threats and Digital Bond), providing thorough cybersecurity monitoring of perimeter and internal network incidents and vulnerabilities.
• Alerting – when a critical intrusion attempt is detected, the customer is alerted such that immediate action can be taken. Also, flash alerting for a proactive approach in cybersecurity protection.
• Intelligence – comprehensive review and analysis of detected cyber intrusions, including the source, cause and effect.
• Vulnerability Assessment – to ensure regular end point compliance
• Reporting – detailed reporting on detected cyber security incidents along with prioritization and plain-English explanations of what the incidents were, with helpful recommendations on what you should be checking and doing to mitigate these detected risks. Security analysis and review of alert logs with selection of those that need more attention. Also, dashboards for visualization of key information for executives.
• Compliance – for help in meeting NERC CIP (mainly CIP-005 and CIP-007), PCI Requirements (mainly Requirement 10 – Track and Monitor all access to network resources and card holder data), ISO-27002 (mainly 10.6 Network Security Management and others)
• SCADA Communication Protocol Intrusion Signatures – DNP3, Modbus, and ICCP
• Expert Support – access to security experts to discuss security reports over phone and/or email.
• Hands-Off Maintenance of Cyber Security Platform – including remote signature updates, firmware updates, and other platform maintenance
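To make the SCADA protocol signatures above concrete, here is an added Python example (not the deck's or the vendor's signature set) of the kind of check an internal sensor applies to Modbus/TCP: it parses the MBAP header and function code, then alerts on write commands from hosts outside an engineering-workstation allowlist and on malformed frames whose length field disagrees with the bytes present. The frames and the allowlist are constructed for the example.

```python
import struct

# Modbus function codes that change PLC state; a read-only HMI should never send these.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hosts permitted to issue writes to PLCs (assumed engineering workstations; constructed).
WRITE_ALLOWED = {"10.20.5.2"}

def parse_mbap(payload):
    """Parse the 7-byte MBAP header plus function code of a Modbus/TCP message.
    Returns a dict, or None when the frame is malformed (too short, non-zero
    protocol id, or a length field that disagrees with the bytes present)."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7], "data": payload[8:]}

def inspect(src_ip, dst_ip, payload, allowed=WRITE_ALLOWED):
    """Apply a simple signature: alert on writes from hosts outside the allowlist
    and on malformed frames. Returns (verdict, detail)."""
    pdu = parse_mbap(payload)
    if pdu is None:
        return ("alert", f"malformed Modbus/TCP frame from {src_ip} to {dst_ip}")
    fc = pdu["function"]
    if fc in WRITE_FUNCTIONS and src_ip not in allowed:
        return ("alert", f"{WRITE_FUNCTIONS[fc]} (fc {fc}) from unauthorized host "
                         f"{src_ip} to unit {pdu['unit']} on {dst_ip}")
    return ("ok", f"fc {fc} from {src_ip} to {dst_ip}")

# Constructed sample frames (not captured from any real network).
# tid=1, proto=0, length=6, unit=1, fc=3 Read Holding Registers, start=0, count=10
READ_FRAME = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
# tid=2, proto=0, length=6, unit=1, fc=6 Write Single Register, addr=0x0010, value=0x0001
WRITE_FRAME = bytes.fromhex("0002 0000 0006 01 06 0010 0001".replace(" ", ""))
# length field claims 20 bytes but only 6 follow the header
BAD_FRAME = bytes.fromhex("0003 0000 0014 01 03 0000 000a".replace(" ", ""))

if __name__ == "__main__":
    print(inspect("10.10.1.25", "10.20.5.10", READ_FRAME))   # ok: read from an HMI
    print(inspect("10.20.5.2", "10.20.5.10", WRITE_FRAME))   # ok: write from engineering host
    print(inspect("10.10.1.25", "10.20.5.10", WRITE_FRAME))  # alert: write from corporate host
    print(inspect("10.10.1.25", "10.20.5.10", BAD_FRAME))    # alert: malformed frame
```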
Knowing is the “Key” – Vulnerability Assessment
Vulnerability Assessments take a proactive approach in finding risks or holes in your systems and networks, thus complementing findings from a threat detection solution.
To put it in a different perspective: with Threat Detection or Monitoring, alarms will be triggered because the thief has gotten into the house. With Vulnerability Detection, all windows and doors that are open and unlocked are found in advance, and a report on the risks & vulnerabilities is provided.
Knowing is the “Key” – Vulnerability Assessment
Vulnerability Detection / Scan / Assessments are needed for:
• Utilities need to meet NERC CIPv5 standards (e.g. NERC CIP-010-1 R3) and/or PCI requirements
• It is part of cybersecurity best practices
• An intrusion attempt was detected by the Intrusion Detection System (IDS)
• To define the system’s baseline and to discover if, for any reason, the baseline has been changed.
• To ensure that newly introduced systems do not have vulnerabilities.
Knowing is the “Key” – Vulnerability Assessment
General Limitations of Vulnerability Assessments
1. It’s a snapshot in time
• It needs to be run frequently to ensure that there are no unaccounted deviations from the initial baseline.
2. Human judgment
• As with all technology applications, it needs a “human touch” – for example, it needs to be configured to run safely for different systems.
3. Vulnerability scans can discover known vulnerabilities only.
• They cannot identify other security threats, such as zero-day vulnerabilities that are not known / published, and those related to physical, operational or procedural matters.
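Because a scan is a snapshot in time, the useful output of the next scan is the difference from the baseline. The following added Python example (not the deck's or any scanner's code) compares two constructed scan snapshots and reports new hosts, missing hosts, opened and closed ports, and changed service banners, then picks out the deviations worth escalating; the hosts, ports and the "sensitive ports" list are assumptions made for the example.

```python
# Constructed scan snapshots (not from the original deck): host -> {port: service banner}
BASELINE = {
    "10.20.5.10": {502: "Modbus/TCP"},                        # PLC
    "10.20.5.2":  {22: "OpenSSH 7.2", 3389: "ms-wbt-server"}, # engineering workstation
    "10.10.1.5":  {445: "smb", 139: "netbios-ssn"},           # file server
}
CURRENT = {
    "10.20.5.10": {502: "Modbus/TCP", 23: "telnet"},          # telnet has appeared on the PLC
    "10.20.5.2":  {22: "OpenSSH 7.2"},                        # RDP closed since baseline
    "10.20.5.77": {80: "http", 161: "snmp"},                  # new device, never assessed
}

def diff_snapshots(baseline, current):
    """Compare two scan snapshots and return deviations from the baseline as
    (kind, host, port, detail) tuples, sorted for stable reporting."""
    findings = []
    for host in set(baseline) | set(current):
        old, new = baseline.get(host), current.get(host)
        if old is None:
            for port, svc in new.items():
                findings.append(("new-host-port", host, port, svc))
            continue
        if new is None:
            findings.append(("host-missing", host, None, "not seen in current scan"))
            continue
        for port in set(old) | set(new):
            if port not in old:
                findings.append(("port-opened", host, port, new[port]))
            elif port not in new:
                findings.append(("port-closed", host, port, old[port]))
            elif old[port] != new[port]:
                findings.append(("service-changed", host, port, f"{old[port]} -> {new[port]}"))
    return sorted(findings, key=lambda f: (f[1], f[0], f[2] or 0))

def needs_attention(findings, sensitive_ports=(23, 21, 161)):
    """Pick deviations worth escalating: any never-assessed host, plus clear-text or
    management services (telnet, ftp, snmp by default) newly opened on a known host."""
    return [f for f in findings
            if f[0] == "new-host-port" or (f[0] == "port-opened" and f[2] in sensitive_ports)]

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, CURRENT):
        print(finding)
```

The missing file server is reported too, since a host that drops out of the scan may simply have been down, or may have been moved outside the assessed range, and either case deserves a human look (the deck's second limitation).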
Questions?