
Page 1:

N-Dimension Solutions, Inc.

March 9, 2016

Monitoring and Vulnerability Assessment: Cybersecurity Starts with Finding Out What You Don’t Know

Presented By Jeff Bridgland, NDSI Advisory Board Member and Business Development Leader

Page 2:

Today’s Agenda

• Why Protection and Monitoring?
• Knowing the Differences in Types of Cyber Security
• Solutions Overview
• Q&A

Page 3:

What cyber threats are lurking in your Utility Networks?

The following are reasons why you need a protection and cyber security monitoring program…

Page 6:

U.S. Power Infrastructure is vulnerable

• “Power utilities experiencing ‘daily’ and ‘constant’ cyber attacks”
• Cyber attacks among top utility CEO and Board concerns
• “Taking out 9 of the country’s substations would result in a blackout of most of the U.S.”
• Smaller power companies are the weakest link – a gateway for hackers

Page 7:

Energy Sector Cybercrime is Costly

Average annualized cost of cyber threats in the energy sector is forecast to be the highest among all industries in 2014 (in $millions of U.S. dollars)

Source: “2014 Cost of Cybercrime Report”, Ponemon Institute

Page 8:

Energy Sector Cybercrime is Costly

Average annualized cost of cyber threats in the energy sector is among the highest in all industries in 2015 (in $millions of U.S. dollars)

Source: “2015 Cost of Cybercrime Report”, Ponemon Institute

Page 9:

What should we be concerned about?

• In 2012, a Midwestern utility passes on a cyber defense system, gets hacked and is out over $2M so far, with multiple lawsuits still pending.
• In 2014, a Southern utility is hacked, W2s are taken from the HR system, and the hackers file false tax returns in employees’ names.
• In 2014, a Midwestern utility is hacked and the hackers take over control of their SCADA system.
• In 2013, a Northeast IOU is hacked and over a third of their customer records are taken before their system sees the attack and blocks it.
• In 2014, a Rural Electric Cooperative’s (Co-op) IP-based phone system is hacked. The system is programmed so that every time a customer calls the customer service lines, the phone system dials a 1-900 number and the Co-op customer is charged for the call.

Page 10:

What should we be concerned about?

• In 2014, a Rural Electric Cooperative (Co-op) had just installed a new HVAC system at their Co-op. This Co-op has a sharp IT group and they noticed new outbound communications to an unknown IP address soon after the HVAC system was installed. They traced the activity back to the HVAC system and the IP address to Russia.
• In 2014, a Rural Electric Cooperative (Co-op) has the Cryptolocker virus released on their network. In the process of cleaning the network after the attack, they discover their 3rd-party IT company was not performing the work they had paid them to do: no anti-virus software on machines, no updates to firewalls, etc.
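The HVAC case above is the kind of event a per-device outbound baseline catches. This added example (not the presenter's code) learns, from constructed firewall log lines, which external destinations each internal host normally talks to during a learning window, then flags any internal host that starts talking to an external address it never used before; the log format, the 10.1.20.15 "HVAC controller" and the documentation-range addresses are all assumptions.

```python
"""Flag new outbound connections from internal devices to external addresses
that were never seen during a learning window (added example). The log
format and every address below are constructed for the demonstration."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall/flow log: 10.1.20.15 is assumed to be the newly installed
# HVAC controller; 203.0.113.10 is its legitimate vendor endpoint seen during the
# learning window, 198.51.100.77 is a destination that only appears afterwards.
SAMPLE_LOG = """\
2014-05-01T08:00:00 src=10.1.20.15 dst=10.1.1.5 dport=443 proto=tcp
2014-05-01T08:05:00 src=10.1.10.7 dst=203.0.113.10 dport=443 proto=tcp
2014-05-01T09:00:00 src=10.1.20.15 dst=203.0.113.10 dport=443 proto=tcp
2014-05-02T08:01:00 src=10.1.10.7 dst=203.0.113.10 dport=443 proto=tcp
2014-05-03T02:13:00 src=10.1.20.15 dst=198.51.100.77 dport=8443 proto=tcp
2014-05-03T02:14:00 src=10.1.20.15 dst=198.51.100.77 dport=8443 proto=tcp
2014-05-03T10:00:00 src=10.1.10.7 dst=203.0.113.10 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# RFC 1918 ranges; anything else is treated as "outside" the utility network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse(log_text):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def learn_baseline(log_text, learn_until):
    """Map each internal source to the external (dst, dport) pairs it used before learn_until."""
    baseline = defaultdict(set)
    for ts, src, dst, dport in parse(log_text):
        if ts < learn_until and is_internal(src) and not is_internal(dst):
            baseline[src].add((dst, dport))
    return dict(baseline)


def find_new_external(log_text, baseline, learn_until):
    """Return one alert per (src, dst, dport) first seen after learn_until and absent from the baseline."""
    alerts, seen = [], set()
    for ts, src, dst, dport in parse(log_text):
        if ts < learn_until or not is_internal(src) or is_internal(dst):
            continue
        key = (src, dst, dport)
        if (dst, dport) in baseline.get(src, set()) or key in seen:
            continue
        seen.add(key)  # report each new pairing once, at its first sighting
        alerts.append({"first_seen": ts.isoformat(), "src": src, "dst": dst, "dport": dport})
    return alerts


def run_demo():
    cutoff = datetime(2014, 5, 3)  # end of the constructed learning window
    return find_new_external(SAMPLE_LOG, learn_baseline(SAMPLE_LOG, cutoff), cutoff)


if __name__ == "__main__":
    for a in run_demo():
        print(f"NEW EXTERNAL DESTINATION: {a['src']} -> {a['dst']}:{a['dport']} first seen {a['first_seen']}")
```

A destination that was already active during the learning window is baked into the baseline, so the learned set should be reviewed against the vendor's documented endpoints rather than accepted blindly.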

Page 11:

Modern Cyber Attacks are Multi-Vectored

• Today’s available technology allows hackers to use several means of attack simply and simultaneously.
• Reconnaissance is the process of information collection that does not generally interact with the IT system in question. This can be achieved by DNS queries, website scraping, email harvesting, and social engineering.
• Enumeration takes place to map the network being evaluated. It attempts to obtain technical information regarding the targeted systems. This can be achieved by running, for example, port scans, vulnerability scanning, application/OS fingerprinting, network mapping, service mapping, and packet captures.
  – E.g. NMAP, AMAP, ShodanHQ, OpenVAS, scanrand, ParaTrace, Search Diggity, and others.

Page 12:

Modern Cyber Attacks are Multi-Vectored

• Exploration is a phase in which the information gathered within the enumeration phase is put to use in navigating the network being targeted to obtain further information about it.
• Exploitation is a phase in which the vulnerabilities found during enumeration may be exploited.
  – E.g. online webserver stress testing tools (Quantum Booter)

Page 13:

Common Cyber Security Risks & Vulnerabilities

Common Findings…

• Lack of network monitoring and defense-in-depth protection – utilities may monitor what goes in and out of the firewall, but no one monitors what is happening within their internal network.
• Lack of network segregation – potential compromise of one workstation could ultimately compromise other systems in the network.
• Unencrypted communication between remote locations to/from control centers.
• Utilities use VLANs to segregate networks without knowing the cyber risks associated with them if not properly configured.
• Utilities’ staff use unauthorized cloud services and applications (such as P2P applications), and also connect to various social networking sites (e.g. Facebook).
• Usage of VMware and/or other virtualization technologies – there are many cyber security vulnerabilities that exist within virtualization technologies. For example, missing VMware security patches, and combining a weak-security VM with a high-security VM.

Page 14:

Common Cyber Security Risks & Vulnerabilities

Common Findings…

• Missing security patches on servers, workstations, and especially on networking equipment
• Misconfigurations on networking equipment and default configurations
• Lack of cyber security training and knowledge with experienced resources
• Unused Ethernet ports enabled / active in the network switch – anyone with physical access to any network switch connected to the utility network can access the utility’s internal network.
• No network access control to prevent unauthorized devices from connecting to the network.
• Weak password policy in the Operations environment.
• Lack of an inventory list of cyber assets with their risk classification
• Lack of formally documented cyber security policies & procedures
• Neither information security awareness sessions nor a training program

Page 15:

To See The Value, KNOW The Differences

Utility businesses and their operations have different requirements than regular corporations, especially with SCADA operations. The following slides highlight some of the risks in industrial control systems (ICS) as well as differences in cyber security requirements.

Page 16:

Security Risks to Modern ICS

• Poor separation from enterprise
• No security monitoring
• Poorly secured 3rd party access
• Dialup modems
• Unpatched systems
• Limited use of anti-virus
• Limited use of host-based firewalls
• Improper use of ICS workstations
• Unauthorized applications
• Unnecessary applications
• Open FTP, Telnet, SNMP, HTML ports
• Fragile control devices
• Network scans by IT staff

• Legacy OSes and applications
• Inability to limit access
• Inability to revoke access quickly
• Unexamined system logs
• Accidental misconfiguration
• Improperly secured devices
• Lack of security features
• Improperly secured wireless
• Unencrypted links to remote sites
• Passwords sent in clear text
• Password management problems
• Default OS security configurations
• Unpatched routers / switches

COTS + IP + connectivity = many security risks. All of these are in addition to all those from Enterprise networks.

Page 17:

Known Security Problems in the Power Grid

• From NISTIR 7628 (Chapter 7.2 EVIDENT AND SPECIFIC CYBER SECURITY PROBLEMS)
  – 7.2.1 Authenticating and Authorizing Users to Substation IEDs
  – 7.2.2 Authenticating and Authorizing Users to Outdoor Field Equipment
  – 7.2.3 Authenticating and Authorizing Maintenance Personnel to Meters
  – 7.2.4 Authenticating and Authorizing Consumers to Meters
  – 7.2.5 Authenticating Meters to/from AMI Head Ends
  – 7.2.6 Authenticating HAN Devices to/from HAN Gateways
  – 7.2.7 Authenticating Meters to/from AMI Networks
  – 7.2.8 Securing Serial SCADA Communications
  – 7.2.9 Securing Engineering Dial-up Access
  – 7.2.10 Secure End-to-End Meter to Head End Communication *****
  – 7.2.11 Access Logs for IEDs
  – 7.2.12 Remote Attestation of Meters
  – 7.2.13 Protection of Routing Protocols in AMI Layer 2/3 Networks
  – 7.2.14 Protection of Dial-up Meters
  – 7.2.15 Outsourced WAN Links *****
  – 7.2.16 Unsecure Firmware Updates
  – 7.2.17 Side Channel Attacks on Smart Grid Field Equipment
  – 7.2.18 Securing and Validating Field Device Settings
  – 7.2.19 Absolute & Accurate Time Information *****
  – 7.2.20 Personnel Issues in Field Service of Security Technology
  – 7.2.21 Weak Authentication of Devices in Substations
  – 7.2.22 Weak Security for Radio-Controlled Distribution Devices
  – 7.2.23 Weak Protocol Stack Implementations
  – 7.2.24 Insecure Protocols
  – 7.2.25 License Enforcement Functions
  – 7.2.26 Unmanaged Call Home Functions

Page 18:

Known Security Problems in the Power Grid

• From NISTIR 7628 – 7.3 NONSPECIFIC CYBER SECURITY ISSUES
  – 7.3.1 IT vs. Smart Grid Security
  – 7.3.2 Patch Management
  – 7.3.3 Authentication
  – 7.3.4 System Trust Model
  – 7.3.5 User Trust Model
  – 7.3.6 Security Levels
  – ...
  – 7.3.33 Cyber Security Governance

– NISTIR 7628, Guidelines for Smart Grid Cyber Security, Volume 3, Chapter 7

Page 19:

The Three Pillars of Data Security

AIC: Availability, Integrity & Confidentiality

• Availability – the information must be available when it is needed
• Integrity – maintaining and assuring the accuracy and consistency of control signals and data transmissions and storage
• Confidentiality – preventing disclosure of information to unauthorized individuals or systems

Page 20:

Differences in A-I-C Requirements

• Enterprise networks – Focus: Intellectual Property
  ✓ Confidentiality of intellectual property and customer information has highest priority along with availability for business functions
  ✓ Integrity less volatile
• Industrial Control Systems (SCADA) – Focus: Reliability
  ✓ Data availability and integrity of control matter most
  ✓ Control data has little need for confidentiality
  ✓ Data decoupled from business IP or personal information
• Ensuring availability is difficult with competing network needs
  ✓ Many ICS vendors manufacture to a standard of six 9’s (99.9999% availability)
  – Typical networking gear is five 9’s (99.999%)
  ✓ DDoS protection, rate limiting, resource management, QoS, redundancy, robust hardware with high Mean-Time Between Failure (MTBF)

Page 21:

Outsourcing Cyber Security Monitoring

• You may need to implement Security Monitoring and Defense-in-Depth protection based on a vulnerability assessment report
• You may want to learn about threats to utilities in advance
• You may not have in-house staff specializing in or having expertise in cyber security, or the capital to spend on effective coverage
• You do not have the luxury of time to look after all cyber security matters – avg. of 3 IT staff for 50-75 users
• You may want cyber insurance and to pay less for it
• You have compliance requirements to meet (NERC CIP, PCI, etc.)

Page 22:

Why is Cyber Security Monitoring Necessary?

Knowing is the Key – From Start to Finish

✓ Hackers are increasingly targeting utilities
✓ Firewalls are not enough
✓ Cybersecurity is complex - requires deep expertise and vigilance
✓ Compliance Requirements – NERC CIP, PCI, ISO, etc.
✓ Multi-layered cybersecurity strategy is best practice
✓ Lack of Understanding of Cyber Security in Power & Energy Companies
✓ False Sense of Cyber Security
✓ The basic component of cybersecurity best practices and Information Security Life Cycle

Source: NIST SP800-61r2 (Computer Security Incident Handling Guide)

Page 23:

Knowing is the Key – From Start to Finish

Do you think you can say to those whose data is compromised that you “didn’t know”?

For cybersecurity professionals:
• The very first step is to know what you are up against.
• The next step is to know what is happening and really understand the threat and how to mitigate it in order to address it in a timely manner.
• The last step is to know what happened, learn from it, and protect against the next threat.

In each and every step, Cyber Security Monitoring is highly recommended.

Page 24:

Knowing is the “Key” – From Start to the End

Some Cyber Security Monitoring Compliance Requirements

NERC CIPv5:
• CIP-005-5 R5.1.5: Have one or more methods for detecting known or suspected malicious communications for both inbound and outbound communications.
• CIP-007-5 R7.4.2: Generate alerts for security events that the Responsible Entity determines necessitates an alert, that includes, as a minimum, each of the following types of events (per Cyber Asset or BES Cyber System capability)
• CIP-007-5 R7.4.4: Review a summarization or sampling of logged events as determined by the Responsible Entity at intervals no greater than 15 calendar days to identify undetected Cyber Security Incidents.

PCI Compliance:
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes

Page 25:

Knowing is the “Key” – From Start to the End

Some Cyber Security Monitoring Best Practice Requirements

ISO-27002:
• 10.6: Network Security Management
• 10.10: Monitoring
• 15.1: Compliance with Legal Requirements

NIST Cybersecurity Framework:
• ID.RA: Risk Assessment
• PR.AC: Access Control
• DE.CM: Security Continuous Monitoring

(Diagram labels: MANAGEMENT, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER)

Page 26:

• Unencrypted traffic, like customers’ credit card numbers or network credentials
• Exploitable risks in virtualized infrastructure
• Unencrypted traffic, like SCADA control commands, usernames & passwords

Page 27:

• Unknown connections to outside
• P2P file sharing programs
• No anti-malware in some systems used for utility operations

Page 28:

Some Solutions Monitor only the Network Perimeter

Monitor What Goes In and Out of the Firewall

Page 29:

Important to Monitor BOTH the Perimeter and Internal Networks

• Monitor the Corporate Business Networks
• Monitor the Operations Networks
• Monitor the Remote Stations’ Networks

Page 30:

Key Monitoring Benefits

Monitoring - for cyber security intrusion attempts at both the perimeter level and the interior network level, providing layers of cyber defense.

Comprehensive IDS Signatures - using a complete combination of IDS signatures – Snort, Emerging Threats and Digital Bond – providing thorough cybersecurity monitoring of perimeter and internal network incidents and vulnerabilities.

Alerting - When a critical intrusion attempt is detected, the customer is alerted so that immediate action can be taken. Also, flash alerting for a proactive approach to cybersecurity protection.

Intelligence - Comprehensive review and analysis of detected cyber intrusions, including the source, cause and effect.

Vulnerability Assessment – to ensure regular end point compliance

Page 31:

Key Monitoring Benefits

Reporting - Detailed reporting on detected cyber security incidents along with prioritization and plain-English explanations of what the incidents were, with helpful recommendations on what you should be checking and doing to mitigate these detected risks. Security analysis and review of alert logs with selection of those that need more attention. Also, dashboards for visualization of key information for executives.

Compliance – For help in meeting NERC CIP (mainly CIP-005 and CIP-007), PCI Requirements (mainly Requirement 10 - Track and Monitor all access to network resources and card holder data), ISO-27002 (mainly 10.6 Network Security Management and others)

SCADA Communication Protocol Intrusion Signatures - DNP3, Modbus, and ICCP

Expert Support - Access to security experts to discuss security reports over phone and/or email.

Hands-Off Maintenance of Cyber Security Platform - including remote signature updates, firmware updates, and other platform maintenance

Page 32:

Knowing is the “Key” – Vulnerability Assessment

Vulnerability Assessments take a proactive approach in finding risks or holes in your systems and networks, thus complementing findings from a threat detection solution.

To put it in a different perspective, with Threat Detection or Monitoring, alarms will be triggered because the thief has gotten into the house. With Vulnerability Detection, it will detect all windows and doors that are open and unlocked in advance, and provide a report on the risks & vulnerabilities.

Page 33:

Knowing is the “Key” – Vulnerability Assessment

Vulnerability Detection / Scan / Assessments are needed for:
• Utilities need to meet NERC CIPv5 standards (e.g. NERC CIP-010-1 R3) and/or PCI requirements
• It is part of cybersecurity best practices
• An intrusion attempt was detected by the Intrusion Detection System (IDS)
• To define the system’s baseline and to discover if, for any reason, the baseline has been changed.
• To ensure that newly introduced systems do not have vulnerabilities.

Page 34:

Knowing is the “Key” – Vulnerability Assessment

General Limitations of Vulnerability Assessments

1. It’s a snapshot in time
   • It needs to be run frequently to ensure that there are no unaccounted deviations from the initial baseline.
2. Human judgment
   • As with all technology applications, it needs a “human touch” – for example, it needs to be configured to run safely for different systems.
3. A vulnerability scan can discover known vulnerabilities only.
   • It cannot identify other security threats, such as zero-day vulnerabilities that are not known / published, and those related to physical, operational or procedural matters.
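Because a scan is a snapshot, the useful output of the next scan is the difference from the baseline (point 1 above and the baseline bullet on the previous slide). This added example, not the presenter's code, parses two constructed scan snapshots and reports hosts and services that appeared or disappeared since the baseline, escalating the open FTP/Telnet/SNMP exposures the deck lists among common findings; the "host,port,service" line format, the hosts and the scan dates are assumptions.

```python
"""Compare a current vulnerability-scan snapshot against the baseline snapshot
and report drift (added example). Snapshot format and hosts are constructed."""
from collections import defaultdict

# Services the deck lists as risky when exposed (open FTP, Telnet, SNMP ports);
# any of these appearing after the baseline is escalated rather than just listed.
RISKY_SERVICES = {"ftp", "telnet", "snmp"}

# Constructed snapshots in a "host,port,service" line format ('#' lines are comments).
BASELINE_SCAN = """\
# baseline 2016-01-15
10.1.5.10,22,ssh
10.1.5.10,443,https
10.1.5.20,20000,dnp3
10.1.5.20,502,modbus
10.1.5.30,443,https
"""

CURRENT_SCAN = """\
# scan 2016-03-09
10.1.5.10,22,ssh
10.1.5.10,443,https
10.1.5.10,21,ftp
10.1.5.20,20000,dnp3
10.1.5.20,502,modbus
10.1.5.20,23,telnet
10.1.5.40,161,snmp
"""


def parse_snapshot(text):
    """Return {host: {port: service}}; comment, blank and malformed lines are skipped."""
    snap = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        host, port, service = parts[0], int(parts[1]), parts[2].lower()
        snap[host][port] = service
    return dict(snap)


def diff_snapshots(baseline, current):
    """Describe how `current` deviates from `baseline`, host by host."""
    base_hosts, cur_hosts = set(baseline), set(current)
    report = {
        "new_hosts": sorted(cur_hosts - base_hosts),       # devices not in the inventory
        "missing_hosts": sorted(base_hosts - cur_hosts),   # devices that dropped off the scan
        "new_services": [],      # (host, port, service) exposed since the baseline
        "removed_services": [],  # (host, port, service) closed since the baseline
        "escalate": [],          # new services that are on the risky list
    }
    for host in sorted(cur_hosts):
        base_ports = baseline.get(host, {})  # a new host has no baseline ports at all
        for port, service in sorted(current[host].items()):
            if port not in base_ports:
                report["new_services"].append((host, port, service))
                if service in RISKY_SERVICES:
                    report["escalate"].append((host, port, service))
    for host in sorted(base_hosts & cur_hosts):
        for port, service in sorted(baseline[host].items()):
            if port not in current[host]:
                report["removed_services"].append((host, port, service))
    return report


def run_demo():
    return diff_snapshots(parse_snapshot(BASELINE_SCAN), parse_snapshot(CURRENT_SCAN))


if __name__ == "__main__":
    result = run_demo()
    for key in ("new_hosts", "missing_hosts", "new_services", "removed_services"):
        print(f"{key}: {result[key]}")
    for host, port, service in result["escalate"]:
        print(f"ESCALATE: {host}:{port} ({service}) was not in the baseline")
```

A host that disappears from the scan is worth a look too: it may have been decommissioned, or it may simply have been unreachable when the snapshot was taken, which is exactly the "snapshot in time" limitation.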

Page 35:

Questions?