
www.pwc.com/me

Cyber Security Presentation


LSEC 11 March 2013

Agenda
1. Cyber security: a global problem
2. Cyber security attacks and threats in the utilities/energy sector
3. The Saudi Aramco case
4. Questions & Answers

LSEC Confidential & Proprietary All Rights Reserved PwC 2013

March 2013 2

Cyber security is a global problem


Cyber security is a global problem nowadays. The purpose of today's advanced cyber attacks is two-fold: steal the target data and maintain access to the environment for as long as possible.

Different organizations and countries were affected. Organized cyber attack and hacking groups (e.g. Anonymous) have formed, and foreign governments have invested heavily in malicious code development.

Timeline of cyber attacks:

- 2000: The I Love You worm infected millions of computers worldwide.
- 2001: The Code Red worm's widespread infection caused billions of dollars in damage.
- 2002: The shatter attack, a process by which Windows security can be bypassed.
- 2007: Announcement of at least 45.7 million consumer credit and debit card numbers stolen.
- 2010: Stuxnet malware, with the purpose of targeting Iran's nuclear programme, is discovered.
- 2012: Several cyber attacks targeted the Middle East.

Attackers and motivation


Different organizations often have their own specific way of categorizing cyber threats. In our view, there are five main types of cyber attacks, each with its own distinct though sometimes overlapping methods and objectives:

1. Financial Crime & Fraud: This involves criminals, often highly organized and well-funded, using technology as a tool to steal money and other assets.
2. Espionage: Theft of IP is a persistent threat carried out by commercial competitors or state intelligence services seeking to use the IP to advance their R&D or gain business intelligence.
3. Warfare: This can take place between states, or may involve states attacking private-sector organizations, especially critical national infrastructure such as energy & telecoms.
4. Terrorism: This threat overlaps with warfare. Attacks are undertaken by (possibly state-backed) terrorist groups, again targeting either state or private assets.
5. Activism: Again this may overlap with some other categories, but the attacks are undertaken by supporters of an idealistic cause, most recently the supporters of WikiLeaks.

Attacks in the Middle East:

- Recent attacks against the Middle East are believed to have originated from regional countries, with the objective of causing damage and/or stealing sensitive information.
- Some attacks were performed by supporters of regimes or revolutionaries.
- Other attacks targeted the financial sector.

Financial impact of cyber security breaches


PwC analysed the results of the information security breaches survey carried out in Europe in 2012. Results have shown that:

- Cyber security breaches can have many different types of impact.
- Direct costs, such as downtime and effort to remediate, are easy to estimate.
- Indirect costs are harder to determine.

Key figures for 2012:

- 93% of large organizations had a security breach during 2012.
- 54 is the median number of significant attacks by an unauthorized outsider on each large organization in Europe in 2012.
- 67% of large organizations expect more security breaches next year.
- 80% of large organizations do not evaluate ROI on their security expenditure.
- $9m - $21m is the average financial loss of large organizations (250 - 500 employees), considering 54 attacks per year.

Many critical cyber security incidents were recently reported


Saudi Aramco, Saudi Arabia's national oil company and the largest in the world, has confirmed that it has been hit by a cyber attack that resulted in malware infecting around 30,000 user workstations. (Security Week)

In 2011, someone hacked into the Curran-Gardner Water District network in Illinois and manipulated the supervisory control and data acquisition (SCADA) network, resulting in the destruction of one of the pumps. (Business Insider)

In August 2012 the information technology systems of RasGas were seriously damaged by cyber attacks. The attacks damaged the website and communications networks; however, they failed to harm the organization's production systems and capabilities. (Reuters)

Online attackers successfully penetrated the Department of Energy (DOE) network in the middle of January 2013 and obtained copies of personally identifiable information (PII) pertaining to several hundred of the agency's employees and contractors in preparation for further attacks. (InformationWeek)

U.S. officials said that Iranian hackers renewed a campaign of cyber attacks against U.S. banks, targeting Capital One Financial Corp. and BB&T Corp. (Washington)

The Arabic website of news network Al-Jazeera has been defaced, apparently by pro-Syrian hackers. (BBC News)

Sony suffered a massive breach in its video game online network that led to the theft of names, addresses and possibly credit card data belonging to 77 million user accounts, in what is one of the largest-ever Internet security break-ins. (Reuters)

Security experts have uncovered a new computer virus designed to steal information from banks in the Middle East. The virus has infected more than 2,500 computers, mainly in Lebanon, according to the Russian security firm Kaspersky Lab. (The Telegraph)

The computer security vendor RSA announced on March 17, 2011 that its network had been hacked by an Advanced Persistent Threat (APT) by a highly skilled, well-funded group with a specific agenda. (Business Insider)

Google became the target of a phishing campaign originating in Jinan, China, and aimed at gaining access to the accounts of senior officials in the U.S., Korea and other governments, as well as those of Chinese activists. (The Wall Street Journal)

A quarter of a million Twitter users have had their accounts hacked in the latest in a string of high-profile security breaches at internet firms. (The Guardian)

Middle East

In January 2012 hackers from the Middle East began a cyber exchange that resulted in the release of personal data for tens of thousands of individuals and damage to the cyber infrastructures of several regional financial institutions. (Reuters)

Cyber incidents in SCADA & industrial control systems environments in 2012


The energy sector was targeted by 41% of the cyber attacks against the ICS environment in 2012.

Cyber incidents by sector (number of incidents, share of total):

- Energy: 82 (41%)
- Water: 29 (14%)
- Internet-Facing: 21 (10%)
- Commercial: 19 (10%)
- Critical Manufacturing: 8 (4%)
- Government: 7 (4%)
- Chemical: 7 (4%)
- Nuclear: 6 (3%)
- Health Care: 5 (3%)
- Transportation: 5 (2%)
- Communications: 4 (2%)
- Food: 2 (1%)
- IT: 1 (0%)
- Banking & Finance: 1 (0%)
- Dams: 1 (0%)

Source: Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), US Department of Homeland Security.

Common cyber security vulnerabilities in SCADA & industrial control systems in 2011
Improper input validation (e.g. SQL injection, cross-site scripting) and credentials management are the key cyber security threats in ICS environments in 2011.

[Chart: share of vulnerabilities (0% to 50%) per category, compared across three data sets: ICS-CERT Published Vulnerabilities 2009-2010, CSSP ICS Product Assessments 2004-2008, and CSSP ICS Assessments. Categories: Improper Input Validation; ICS Security Configuration & Maintenance; Credentials Management; Improper Authentication; Permissions, Privileges and Access Controls. The individual percentages are not legible in this extraction.]

Source: Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, US Department of Homeland Security.
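The deck names SQL injection as the leading example of improper input validation in ICS software. The following Python example is added here and is not from the deck or from PwC. It uses an in-memory SQLite table of operator accounts (constructed data, hypothetical names and roles) to show how SQL built by string formatting lets a crafted input change the meaning of the query, and the two defensive habits that close the gap: allow-list validation of the input and parameterized queries, where the driver binds the value as data and the query structure stays fixed.

```python
import re
import sqlite3

# Constructed sample data: a small operator table such as an HMI or historian
# application might keep (hypothetical names and roles).
OPERATORS = [("alice", "engineer"), ("bob", "viewer"), ("carol", "admin")]

# Allow-list for operator names: letters, digits and underscore only, 1-32 chars.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    """Create an in-memory SQLite database holding the constructed operator table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO operators VALUES (?, ?)", OPERATORS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: untrusted input is pasted into the SQL text, so a quote in the
    input terminates the string literal and the remainder is parsed as SQL."""
    query = "SELECT name, role FROM operators WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def is_valid_operator_name(name):
    """Input validation: reject anything outside the allow-list before it
    reaches the database layer at all."""
    return NAME_PATTERN.match(name) is not None


def lookup_parameterized(conn, name):
    """Hardened: the driver binds the value; whatever the input contains, it is
    only ever compared against the name column and cannot alter the query."""
    return conn.execute(
        "SELECT name, role FROM operators WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that is not a valid operator name but is accepted
    # unchanged by the vulnerable lookup.
    crafted = "x' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(conn, crafted))     # every row is returned
    print("parameterized:", lookup_parameterized(conn, crafted))  # []
    print("validated    :", is_valid_operator_name(crafted))      # False
```

Both controls belong together: validation rejects malformed input at the boundary and gives a clear log line to alert on, while parameterization guarantees that even an input that slips past validation cannot change what the database executes.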

Attackers use different entry points to attack utilities and energy companies
Preparing for the attacks may take months, during which hackers silently install Trojans and gain control over internal networks. Hackers use various entry points to gain control over internal networks and prepare for their attacks and data thefts:

- Wireless & Mobile: unauthorized access to the internal network.
- Social Media: personal information.
- Websites & eServices: external vulnerabilities.
- Trojans: installed on internal computers.
- Vendors: default configuration.
- Disgruntled Employee: facilitates access to intruders.
- Removable Media: installation of malicious code on the private network.

Having gained access to internal systems, hackers can attack SCADA systems and damage power generation, transmission, and distribution systems, leading to damage to engines and transmission systems and causing massive power outages.

Potential cyber attacks scenarios against utilities and energy companies


- A hacker may utilize the connectivity between the vendor and the isolated SCADA network to gain access to it and control the generation, transport and distribution components, which may lead to a wide electricity outage and power failure.

- A hacker may send malicious code to one of the internal SEC users who uses his laptop or removable media inside the SCADA network. Such action may result in the malicious code spreading inside the SCADA network.

The Saudi Aramco Case


Saudi Aramco is the Saudi government-owned oil company. It has the world's largest daily production of oil and an annual output of about 8bn barrels. It is estimated to be worth about $781bn, more than twice as much as Apple or Exxon, the most valuable public companies.

Saudi Aramco provides various services to its employees, the community, government agencies and private companies:

- Voluntary programs and cultural activities
- Traffic safety and fire prevention
- Private security force (Elite Security)
- Air transport (private fleet and airports)
- Education and development (graduate, Master, PhD)
- Healthcare (SAMSO)

Saudi Aramco Medical Services Organization (SAMSO) is a network of private hospitals, supporting health-care excellence and helping to give communities access to world-class medical facilities. In 2011, 82 medical facilities received development support from SAMSO.

Saudi Aramco The incident


Saudi Aramco computers were attacked on 15th August 2012. As first response, Aramco isolated its computer network and issued a public announcement, creating lots of buzz in the media. Production was not affected.

Timeline: 15th Aug, 16th Aug, 17th Aug.

On Wednesday, Aug. 15, 2012, an official at Saudi Aramco confirmed that the company had isolated all its electronic systems from outside access as an early precautionary measure, taken following a sudden disruption that affected some of the sectors of its electronic network. The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network. Saudi Aramco confirmed the integrity of all of its electronic network that manages its core business and that the interruption had no impact whatsoever on any of the company's production operations. The company employs a series of precautionary procedures and multiple redundant systems within its advanced and complex system that are used to protect its operational and database systems. Saudi Aramco IT experts anticipated resuming normal operations of the network soon.

Saudi Aramco issued a statement on 26th August 2012, announcing that main internal network services had been re-established. 30,000 workstations had been affected. As a precaution, remote Internet access to online resources was restricted.

The company issued a follow-up report on 10th September 2012, announcing that its electronic network was functioning normally following a complete and thorough scanning.

Saudi Aramco Aftermath analysis


The attack was performed using the Shamoon malware, a destructive malware that:

- Collects files from specific locations on the system.
- Erases the files and sends information to the attacker.
- Spreads to other computers on the network.
- Overwrites the master boot record.

Impact:

- Between 30k and 55k computers were affected.
- Complete isolation for 10+ days.
- Massive loss of data records (HR, EPR).
- Unsure about what information was stolen.
- Unsure about what information was lost.
- Staged approach towards the normal situation.

Who did it? First claims indicated Islamic groups. Controversy around the code: professional or amateur? State-sponsored, lone wolf, disgruntled insider?

And why? The candidate motivations are the five categories introduced earlier: 1 Financial Crime & Fraud, 2 Espionage, 3 Warfare, 4 Terrorism, 5 Activism.
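Overwriting the master boot record is the step that makes Shamoon destructive, and the MBR is also something a defender can baseline and check. The following Python check is added here and is not from the deck or from PwC: it records separate SHA-256 hashes for the boot code and the partition table of a disk's first sector, verifies the 0x55AA boot signature, and reports which region differs from the recorded baseline. The disk image is a constructed four-sector byte string so the example runs offline; on a real host the first 512 bytes would be read from the raw disk device, which requires administrator privileges, and the baseline would be stored off the host so a wiper cannot erase it together with the disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446           # bytes 0-445: bootstrap code
PARTITION_TABLE_END = 510     # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510-511


def make_sample_disk_image():
    """Constructed four-sector image with a plausible MBR (not captured from a real disk)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"  # typical jump stub that opens the boot code
    # One bootable (0x80) NTFS-type (0x07) partition entry starting at LBA 2048;
    # CHS fields are left as zero bytes since the check never interprets them.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    mbr[BOOT_CODE_END:BOOT_CODE_END + 16] = entry
    mbr[PARTITION_TABLE_END:SECTOR_SIZE] = BOOT_SIGNATURE
    return bytes(mbr) + bytes(SECTOR_SIZE * 3)


def read_mbr(image):
    """Return the first sector of the image (on a real host: the first 512 bytes of the raw disk)."""
    return image[:SECTOR_SIZE]


def mbr_fingerprint(image):
    """Hash boot code and partition table separately, so a later check can say
    which region changed rather than only that something changed."""
    mbr = read_mbr(image)
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[BOOT_CODE_END:PARTITION_TABLE_END]).hexdigest(),
    }


def check_mbr(image, baseline):
    """Compare the image's MBR against a baseline fingerprint recorded while the
    host was known good. Returns a list of findings; empty means no deviation."""
    mbr = read_mbr(image)
    if len(mbr) < SECTOR_SIZE:
        return ["image shorter than one sector"]
    findings = []
    if mbr[PARTITION_TABLE_END:SECTOR_SIZE] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: MBR overwritten or corrupted")
    current = mbr_fingerprint(image)
    for region in ("boot_code", "partition_table"):
        if current[region] != baseline[region]:
            findings.append(f"{region} differs from recorded baseline")
    return findings


def tampered_copy(image):
    """Constructed test fixture: the first sector replaced with zeros, the kind of
    wholesale overwrite the baseline check is meant to catch."""
    return bytes(SECTOR_SIZE) + image[SECTOR_SIZE:]


if __name__ == "__main__":
    image = make_sample_disk_image()
    baseline = mbr_fingerprint(image)  # taken while the host is known good
    print("clean   :", check_mbr(image, baseline))                  # []
    print("tampered:", check_mbr(tampered_copy(image), baseline))   # three findings
```

A check like this only tells you after the fact that the sector was rewritten; its value is in running it on a schedule from a separate monitoring host, so that a sudden wave of "boot signature missing" findings across many machines becomes the early signal for the kind of isolation decision Aramco had to take.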

End-User Experience in SAMSO


A nurse/doctor goes to work as usual. At the start of the shift, the IT systems are not available:

- No patient status
- No patient history
- No medication register

Patients need to be identified: Who are they? Where are they? What do they have? Once identified, they can be treated, but:

- No communication systems
- No way to order medicines
- No patient history check is possible

Response on the ground:

- Alternative communication methods
- Mobilization of technical and human resources
- Information gathering
- Manual checks required
- Manual book-keeping
- Emergency protocols activated
- Patient prioritization

Complete disruption leading to a life-threatening situation. This situation lasted for the 10+ days of complete isolation. A selection of Electronic Patient Records (EPR) were recovered 2-3 weeks after the start of the incident.

Questions & Answers

Thank you
We look forward to working with you


We add value pwc.com/me

This document contains information that is proprietary and confidential to PwC. As such, the addressee should not disclose this document or any attachments in whole or in part to any third party without the prior written consent of PwC. The addressee also acknowledges that information shared herein is the intellectual property of PwC and is subject to a non-disclosure agreement as recognised by the copyright and intellectual property regulations. 2013 PricewaterhouseCoopers. All rights reserved. "PricewaterhouseCoopers" and PwC refer to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL). Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.

Backup Slides


Global cyber threats require a global team


PwC has significant experience in helping organizations from different industries, including utilities, the financial sector, government and national security agencies, to solve their cyber security issues. Our firm has:

1. Performed cyber security assessments and/or implementations at 78% of the Fortune 500.
2. Provided cyber security services to regional government entities in the Middle East.
3. Performed over 100 cyber security assessments annually.
4. Received recognition by market influencers as a leader in security solutions.

Strategic Alliances & Partnerships with Security Vendors

PwC was one of the founders of the ISF (International Security Forum) and manages the ISF on behalf of its members; we have a long tradition of contributing to and making use of the ISF material.

PwC cyber security core services


1. Security Strategy (setting direction): Security strategy development, organization design, management reporting.
2. Security Governance & Control (creating a sound framework of control): Risk, policy and privacy review, regulatory compliance assessment, data loss prevention, awareness programs.
3. Threat & Vulnerability Management (managing exposure): Penetration testing, vulnerability scanning and remediation, continuous and global threat monitoring.
4. Architecture, Network Security & Identity (building secure systems and infrastructures): Security architecture, network security, cloud computing security, identity and access management solutions and ERP security.
5. Incident Response & Forensic Investigation (managing incidents): Incident response review, corporate and regulatory investigations, forensic investigations and readiness, and crisis response.
6. Business Continuity Management (building in resilience): Business continuity management, disaster recovery and crisis management.

PwC cyber security point of view


Cyber security is an evolution of risk management

Most large organizations have well-established traditional risk strategies which support clear lines of responsibility up to board level. This can often lull senior executives into a false sense of security. As traditional risks converge with the new risks, organizations are often exposed to security and risk gaps that are not being managed. This is principally because business functions are operating in silos and focusing on ensuring their own area of responsibility is secure or protected (the "not in my back-yard" mentality), or because they are unaware of such risks.

Convergence of security risks: fraud, physical theft, social engineering, brand infringement, industrial espionage, threats to people, data loss.

[Diagram: strategic risk plotted against value, moving from "Protecting information assets" (Information Security, Information Risk Management) to "Cyber Resilience" (brand & reputational resilience, IP protection, intelligence-based risk management, security as a competitive advantage).]

Key expected recommendations


- Clarify roles & responsibilities from the top down: Leadership realizing the strategic importance of managing cyber risks. This may require the creation of new roles at boardroom level.
- Reassess the security function's readiness for the cyber world: Upgrading existing security capabilities to address cyber security threats.
- Achieve 360-degree situational awareness: Understand the realities of the cyber world for well-informed and prioritized cyber security actions & processes.
- Create a cyber incident response team: A well-functioning cyber incident response team means an incident in the business will be tracked, risk-assessed & escalated.
- Nurture and share skills: Invest more in cyber skills.
- Take a more active and transparent stance towards threats: Adopting a more active stance towards attackers & pursuing them more actively through legal means.

PwC cyber security point of view

[Diagram: the path from Information Security to Cyber Resilience. Building blocks: Threat Intelligence; Transform; Enterprise Crisis Management; Cyber Security Resilience; Protect (Identity and Access Management; Enterprise Security Architecture and Governance); Manage (Threat & Vulnerability Management). Maturity stages: Security Ready Organization, Cyber Security Ready Organization, Cyber Security Resilient Organization.]

What does it take to protect you


Cyber Security Resiliency Readiness Assessment

1. Organisation, Strategy and Governance: Effective governance, clear accountability & connections in the territory and across the global network need to reflect that cyber security is a global issue.
2. Data Centric Security: Within the organization, it becomes important to identify and appropriately secure the data that matters most.
3. Cyber Incident Response & Crisis Management: The ability to respond to inevitable incidents quickly and effectively, and in a way which protects the global brand, becomes crucial.
4. Security Culture and Behaviours: A security-conscious culture, accountability and associated behaviour is one of the most important aspects of improving security.
5. Threat Intelligence: The cyber threat landscape is changing at an alarming rate. Organizations need the capability to acquire and act on threat intelligence.
6. Monitoring and Detection: As perimeters become more porous, attackers more sophisticated and compromises inevitable, monitoring & detection become arguably the most effective defence.
