Documente Academic
Documente Profesional
Documente Cultură
Cyber Security
a brief introduction
http://www.nerc.com/docs/docs/blackout/NERC_Final_Blackout_Report_07_13_04.pdf
1
28/4/2013
http://www.nerc.com/docs/docs/blackout/NERC_Final_Blackout_Report_07_13_04.pdf
• Stuxnet
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
2
28/4/2013
• Stuxnet
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
• Stuxnet
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
3
28/4/2013
Stuxnet originally
spread
Why through
is cyberUSB security a problem?
drives
Studies* show
30-80% success
rates..
Siemens S7 PLCs are
everywhere…
• Stuxnet
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
4
28/4/2013
It is of national interest
5
28/4/2013
SCADA components
Man"
Process" Machine
Interface
Communication
Interface
system
Process
Central" Operator
Local
System
systems
6
28/4/2013
Company
Company
CRM System
Meteorological
System
Governmental
Reporting System
Market System
7
28/4/2013
Layered defense
Soft!
Hardened office
Keep ”offline”!
environment!
Hardened external
services!
The DMZ
DMZ Control
Office
center
8
28/4/2013
•
9
28/4/2013
Power companies
Government
•
Equipment
Control systems
Power flow…
The threats
•
10
28/4/2013
Components to consider
Bzzz…
11
28/4/2013
Bzzz…
• Wild threats
(standard internet viruses, spam botnets etc)
• Competitors
(for espionage, damage etc)
• Insiders
(current or former employees, contractors, vendors)
• Organized criminals
(for black mail, revenge etc)
• Terrorists and activist groups
(al Qaida, environmental groups etc)
• Foreign states
(as acts of war, espionage etc)
12
28/4/2013
Adversary background!
Turk, R.L., Cyber Incidents Involving Control Systems, Idaho National Laboratory, 2005
Motivation!
Turk, R.L., Cyber Incidents Involving Control Systems, Idaho National Laboratory, 2005
13
28/4/2013
Attacker goals
• Confidentiality
- Assurance that information is shared only among
authorised persons or organisations.
• Integrity
- Assurance that the information is authentic and
complete.
• Availability
- Assurance that the systems responsible for delivering,
storing and processing information are accessible when
needed, by those who need them.
14
28/4/2013
• Wild threats
(standard internet viruses, spam botnets etc)
• Competitors
(for espionage, damage etc)
• Insiders
(current or former employees, contractors, vendors)
• Organized criminals
(for black mail, revenge etc)
• Terrorists and activist groups
(al Qaida, environmental groups etc)
• Foreign states
(as acts of war, espionage etc)
The consequences
•
15
28/4/2013
Consequences?
Consequences?
• Equipment failure
• Loss of visibility
• Loss of control
• Production disturbances
• Recovery efforts
• Cascading effects
• Blackouts
• .
• .
• .
16
28/4/2013
17
28/4/2013
The vulnerabilities
•
Precondition (6)
• Life-cycle of a vulnerability
http://ask-leo.com/whats_a_zeroday_attack.html
18
28/4/2013
Bzzz…
Vulnerabilities
19
28/4/2013
Bzzz…
20
28/4/2013
• Physical access
• Unnecessary services activated
• Unpatched OS and software
• Antivirus software, security functionality inactivated
• Passwords and access control
• Authorization
• Rogue connections
21
28/4/2013
• Access control
• Network segmentation
• Firewall configurations
• Access control (passwords/keys)
• Rogue connections
• And everything else
22
28/4/2013
. .
. 7 .
. .
The countermeasures
•
23
28/4/2013
Countermeasures…
Bzzz…
• What countermeasures do you think utilities
should focus on?
Communication protection
Packet filters
Security awareness Anti-virus software Perimeter protection
Separation of duties
Recovery planning Cryptography
Mandatory access control
Intrusion detection Access logs
Personnel screening Information security policy
Forensics
Media access control Alarm systems
Defense-in-depth Security Architecture Biometrics
Network segregation Monitoring and assessment Discretional access control
Security domains DMZ
Identity management IDS Honeypots Log retention Access tokens
Patch updating System hardening Authentication
Access control Password qualities Procedures
Gateways
Information classification Privacy
Digital signatures Passwords policies
Response planning Media disposal Video recording
Attack surface Continuity planning Authorization Device authentication
Security training Smartcards Physical protection
Firewalls Media redeployment Certificates
24
28/4/2013
Often recommended
countermeasures
• Get control of connections in and out
- Only allow the ones that are really needed
- Use strong authentication
• Separate networks appropriately
- Use a Demilitarized Zone (DMZ)
- Configure firewalls correctly
• Assess security routinely
• Harden computers & devices
• Activate security functionality
• Use intrusion detection systems
• Clarify roles and responsibilities
• Define policies for access
25
28/4/2013
Summary 1/2
Summary 2/2
• Owners are:
- Governments
- Power utilities
• Threats are:
- Somewhat unknown to the public
- Probably advanced and persistent
• Consequences (risks) are:
- Blackouts (and uncertainty in general) cost money
• Vulnerabilities
- Human mistakes
- Physical access
- All these remote connections
- Unpatched computers
• Countermeasures
- Similar to security in general
- The network part is important
- Encryption is not that important
26
28/4/2013
Questions?
27