Security Implications Associated with Mass Notification Systems


Post on 15-May-2022


Page 1: Security Implications Associated with Mass Notification

Security Implications Associated with Mass Notification Systems

Page 2: Security Implications Associated with Mass Notification

Overview

Cyber infrastructure: Includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information. For example: computer systems; control systems; networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.¹

Cover:

• Cyber risk challenges

• Components of security strategy

• MNS security concerns

• Mechanisms that may be deployed to mitigate the risks to an MNS system

• UL 2572 security measures

• Example: Electrical Grid recent cybersecurity history

¹ National Infrastructure Protection Plan

Page 3: Security Implications Associated with Mass Notification

Cyber Risk Challenges

2013 Target’s Hack – HVAC Service company’s authorized network access


Page 4: Security Implications Associated with Mass Notification

Cyber Risk Challenges

At Black Hat USA 2013, several presentations were made on hacking into an automated home.

Hacking Z-Wave Home Automation Systems – Behrang Fouladi and Sahand Ghanoun

Page 5: Security Implications Associated with Mass Notification

Cyber Risk Challenges

In February 2013, the emergency alert system at KRTV-TV in Great Falls, Montana was hacked during "The Steve Wilkos Show" to send out a message in several counties that "zombies were getting up and residents should not try and apprehend them".

Page 6: Security Implications Associated with Mass Notification

Why Security?

Why did we put brakes in a car?

Primary impulse answer: TO STOP

Another answer: TO GO FASTER

Cybersecurity measures are like brakes: they can advance the use of products in a safe and secure manner.

The boundary of one thing is the beginning of another – Leonardo da Vinci

Page 7: Security Implications Associated with Mass Notification

Threats, Vulnerabilities and Risks

Threat, Vulnerability, Opportunity, Risk

Threat

A threat is any action, whether intended or not, to infiltrate the workings of a system.

A general understanding of who might attack what assets:

• Nation-states

• Professional – usually performing theft, espionage or malicious activity

• Hobbyist – hacks into products and systems without the intent to perform criminal or malicious activity outside of the hacking act itself

• Malware – automated attack software

• Employees

Vulnerability

A defined flaw in security measures, whether by design or in how the product or service is implemented, that can be exploited.

• Unpatched published vulnerabilities

• Remote control protocols

• Web services

• Buffer overflows

• Weak or improper authentication mechanisms

• Improper authorization (access control)

• Credential control

• Messaging manipulation and injection

• SQL injection into data historians

Opportunity

The asset to be appropriated:

• Control center control

• Device control

• Access to private/personal data

Page 8: Security Implications Associated with Mass Notification

Components of a Security Strategy

Identify the security objectives of an MNS system:

• Availability – disruption of access to information from an MNS

• Integrity – unauthorized modification of information from an MNS

• Confidentiality – unauthorized disclosure of information from an MNS

Defense in depth

Page 9: Security Implications Associated with Mass Notification

MNS Security Concerns

• Communications Protocol

• Design Vulnerabilities in products

• Implementation Vulnerabilities in use of products

• Secure Communications

• External Infrastructure Attacks

• Internal Infrastructure Attacks

• Availability and Integrity

Page 10: Security Implications Associated with Mass Notification

Mass Notification Security Concerns

Communications Protocol

Common Design Vulnerabilities

• Sensors/actuators have no inherent security.

• Control panels have limited untested security.

• Remote accessibility to control panels and server software.

• Non-secure firmware updates.

• Open ports on devices and services.

• Tamper detection and/or resistance is minimal.

• Web services

• Poor coding practices

Common Counter Measures

• Disable unused physical and logical ports.

• Fuzz testing on all ports.

• All ports should require authentication.

• Test factory defaults while in operation.

• No "hard coded" passwords.

• Firmware upgrades must be secure - digital signatures.

• Include tamper detection technologies.

• Enforce secure coding practices.

• Perform an independent security source code audit.

• Obfuscation

Page 11: Security Implications Associated with Mass Notification

Mass Notification Security Concerns

Communications Protocol

Implementation Vulnerabilities

• Limited patching and testing of new patches

• Use of default passwords

• Incorrect configuration use

• Networks are now "connected" to the outside world

Common Counter Measures

• Patch management

• Secure workstations, servers with known IT practices and policies

• Whitelisting and blacklisting

• Auditing trails with alerts

• Network penetration testing

• Review of audit logs, security policies

• Independent vulnerability and cyber-security assessments

• Intrusion detection and prevention reviews

Page 12: Security Implications Associated with Mass Notification

Mass Notification Security Concerns

Communications Protocol

Communications

Communication lines allow for:

• Line sniffing (eavesdropping)

• Man in the middle injection

• Denial of service

• Spoofing/masquerading

• Record and replay

Credentials that are not secured

Common Counter Measures

• Cryptography and credential security

• Test and implement against known standards – FIPS 140

• Secure authentication/non-repudiation

• Data filtering and discarding
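Added example (not part of the original slides): how message authentication plus "data filtering and discarding" counters the spoofing, injection and record-and-replay threats listed above. The shared key, the `seal` function, the `Receiver` class and the JSON message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment provisions a secret per device.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def seal(key: bytes, seq: int, text: str) -> bytes:
    """Sender side: serialise the alert and append an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "text": text}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Receiver:
    """Panel side: accept only authentic messages with a fresh sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def accept(self, wire: bytes):
        # The tag is hex, so the last "." always separates body from tag.
        body, sep, tag = wire.rpartition(b".")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not sep or not hmac.compare_digest(tag, expected):
            return None  # spoofed or modified in transit: discard
        msg = json.loads(body)  # parsed only after the tag has verified
        if msg["seq"] <= self.last_seq:
            return None  # recorded and replayed: discard
        self.last_seq = msg["seq"]
        return msg["text"]
```

The tag gives integrity and origin authentication only; protecting the line against eavesdropping still needs encryption.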

Page 13: Security Implications Associated with Mass Notification

UL 2572 Data Security Measures

1. Security and Data Protection

Evidence of a certificate of compliance - Security functions shall be one or more of the following:

• Symmetric key encryption functions.

• Asymmetric key signature functions.

• Message Authentication functions.

• Hashing functions.

2. Communication Security

• Communication Security Level 1 - Independent Dedicated Network.

• Communication Security Level 2 - Non-Dedicated Private Network.

• Communication Security Level 3 - Non-Dedicated Public Network.

3. Stored Data Security

• Passwords.

• DRMNS contact data.

• System configuration data.

• Audit logs and reports.

• ECS/MNS messages.

The stored data shall be protected by minimum security functions.

4. Access Control Security

• Password/PIN with a minimum of 1000 combinations.

• Password/PIN minimum length of 8 characters, each of at least 10 options.

• Password/PIN minimum length of 12 characters, each of at least 10 options, or equivalent means (such as 2 factor authentication).

• The security means shall have a time out feature ("auto-log-out").

• The system shall disable a user account after a maximum of 5 unsuccessful consecutive login attempts.
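Added example (not part of the original slides or of UL 2572 itself): a sketch of the access control items above, covering the size of the Password/PIN space, the lock-out after 5 consecutive failures and the auto-log-out. The `Account` class and the 300 second idle time-out are assumptions; the slide only says a time-out must exist.

```python
import hmac

MAX_FAILURES = 5       # from the slide: disable after 5 consecutive failed logins
IDLE_TIMEOUT_S = 300   # assumed value; the slide only requires that a time-out exists


def combinations(length: int, options_per_char: int) -> int:
    """Size of the Password/PIN space, e.g. 8 characters of 10 options each."""
    return options_per_char ** length


class Account:
    """Hypothetical operator account enforcing lock-out and auto-log-out."""

    def __init__(self, pin: str):
        self._pin = pin.encode()   # kept in memory for the demo only
        self.failures = 0
        self.disabled = False
        self.last_activity = None  # None means no open session

    def login(self, attempt: str, now: float) -> bool:
        if self.disabled:
            return False           # this sketch has no unlock path
        if hmac.compare_digest(attempt.encode(), self._pin):
            self.failures = 0      # only consecutive failures count
            self.last_activity = now
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.disabled = True
        return False

    def session_active(self, now: float) -> bool:
        """True while logged in and idle for no longer than the time-out."""
        if self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT_S:
            self.last_activity = None  # auto-log-out
            return False
        return True

    def touch(self, now: float) -> None:
        """Record operator activity, restarting the idle timer."""
        if self.session_active(now):
            self.last_activity = now
```

With the lock-out in place, an online guesser gets at most 5 tries against the 10^8 combinations of an 8-digit PIN before the account is disabled.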

Page 14: Security Implications Associated with Mass Notification

Password Example

Username: KEN

Password: PASSWORD

Passwords are stored:

• Plaintext: PASSWORD

• Hash form (MD5): PASSWORD → A3eeF%4zz5JJd

• Salted hashes (MD5): PASSWORD + <unique> → bbGtee$5%FgLopp

• Encrypted (AES): PASSWORD → sf$%^&aQ

Passwords are attacked via:

• Brute force guessing – dependent on the system responding with a yes or no

• Password cracking – offline processing of a hash (approximately hundreds of millions of password guesses a second)

• Precomputed hash attack – rainbow and lookup tables of all possible hashes are searched

• Pass the hash – gain access to the hash or alter the hash

MD5, SHA-1 through SHA-512: good hash algorithms for checking integrity in a short time, but it is easy to identify all possible hashes.
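Added example (not part of the original slides): why the "hash form" row falls to a precomputed lookup table while a salted, deliberately slow hash does not. The word list is constructed, and PBKDF2-HMAC-SHA256 with 200,000 iterations is this example's choice of slow function; the slide itself names only MD5, SHA and AES.

```python
import hashlib
import hmac
import os

CANDIDATES = ["123456", "letmein", "PASSWORD", "qwerty"]  # constructed word list


def md5_hex(password: str) -> str:
    """The slide's 'hash form': one fast, unsalted hash of the password."""
    return hashlib.md5(password.encode()).hexdigest()


# Precomputed table (hash -> password): built once, reusable against every
# account and every system that stores unsalted MD5.
LOOKUP = {md5_hex(p): p for p in CANDIDATES}


def table_hit(stored_hex: str):
    """Return the password if the stored value is in the table, else None."""
    return LOOKUP.get(stored_hex)


def store_salted(password: str, iterations: int = 200_000):
    """Salted, slow storage: a fresh random salt per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)
```

Two accounts with the same password share one unsalted hash, so a single table hit exposes both; with per-account salts the stored values differ and each guess has to be recomputed per account at the slow function's cost.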

Page 15: Security Implications Associated with Mass Notification

Common Attack Pattern Enumeration and Classification http://capec.mitre.org/


Page 16: Security Implications Associated with Mass Notification

Example – Smart Grid Advanced Security Acceleration Project - SG

Description:

• Develop system-level security requirements for smart grid technology

Approach:

• Architectural team produces material

• Usability Analysis team assesses effectiveness

• NIST, UtiliSec review, approve

Deliverables:

• Strategy & Guiding Principles white paper

• Security Profile Blueprint

• 6 Security Profiles – AMI Security Profile

• Usability Analysis

Schedule: June 2009 – June 2012

Budget: $3M/year ($1.5M Utilities + $1.5M DOE)

Performers: Utilities, EnerNex, Inguardians, SEI, ORNL

Partners: DOE, EPRI

Release Path: NIST, UCAIug

Page 17: Security Implications Associated with Mass Notification

THANK YOU.

Ken Modeste

Security and Global Communications

Underwriters Laboratories Inc.