Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?


Transcript of Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Page 1: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Internet of Things: Manufacturing Panacea or Hacker’s Dream?

Brian Isle, P. E.

Adventium Labs & University of Minnesota Technology Leadership Institute (TLI)

www.360mn.org

Page 2

Internet of Things: Manufacturing Panacea or Hacker’s Dream?

© 2014 Adventium Labs 2

Brian Isle, Senior Fellow

Adventium Labs & University of Minnesota

612-716-5604

Page 3

Agenda

• Setting the stage.

• Scope & scale of IoT security issues.

• Impact of cyber exploits on business.

• What you can do. A ray of hope.


Goal of the presentation: Raise your awareness of IoT security issues, scare you a bit, & give you some hope.

Page 4

Setting the Stage – Cyber War

• Criminal and Nation-State exploitation for financial gain, collection of intellectual property, and exploitation of U.S. infrastructure is where the “game” will be played over the next 5 years.

• Cyber space is a level playing field.

• The adversary is good at the “game”, adapts quickly, and is in it for financial gain and positioning for the future.

“The Nation-States will attack the C-level, and they will succeed! Put plans in place to mitigate the damage.” FBI Section Chief Peter Trahon, Section Chief of the Cyber National Security Section


Page 5

Internet of “every”-Thing

Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment. (Gartner)

– Any device that is IP addressable, has CPU, memory, & firmware. (BAI)

– Often Edge-devices


http://en.wikipedia.org/wiki/Internet_of_Things#mediaviewer/File:Internet_of_Things.jpg

Everything from your toothbrush to your speedometer will be IoT.

Page 6

IoT Example: Oil Infrastructure

[Diagram: oil infrastructure flow, each node labeled High, Medium or Low. High: jet fuel, residual fuel oil, motor gasoline, liquefied petroleum gases, distillate fuel oil, other refined products, meter/valve, refinery, pumping stations, strategic petroleum reserve, pipeline/barge/rail/truck transport, distribution center, chemical plants. Medium: import. Low: refined products supplied, natural gas liquids, export, unfinished oils and blending components imports, crude oil exports, crude oil imports, domestic crude oil.]

Modified from: Securing Oil & Natural Gas Infrastructures NPC June 2001

IoT includes everything in the oil infrastructure.


Page 7

IoT: Why is Security so Difficult?

The security vulnerabilities for the entire class of industrial control are broadly known, and have been known for 2 decades.


[Diagram: product classes ranging from High Assurance to Consumer Grade, covering Legacy Products and New Products, annotated: 20 yr life; designed for safety, not security; vendors slow to adopt security best practices; quick, get-it-to-market mentality; no means to upgrade firmware.]

Overarching issue: New technologies are being integrated without consideration for system security. Wireless, cloud, cell phones, IP-enabled components …

Page 8

Why Is Securing SCADA so Hard?

Control Systems are Unique and different from IT

• Control systems are often viable for 20 or 30 years.

• Controls are integrated into a larger system by a third party.

• Security is not a core competency of control engineers nor integrators – the folks who specify, design, assemble, and operate the systems.

• The overall system will change continuously for the life of the plant.

• There is no tolerance for a blue-screen due to a software patch.

• The often cited security approach of “air gap” is a myth.


Page 9

Manufacturing & Data Security - CIA

Common security framework for data security:

• Availability: “Ensuring timely and reliable access to and use of information...” A loss of availability is the disruption of access to or use of information or an information system.

• Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...” A loss of integrity is the unauthorized modification or destruction of information.

• Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...” A loss of confidentiality is the unauthorized disclosure of information.

FISMA definition [44 U.S.C., Sec. 3542]; FIPS 199 definition.


Broadly accepted in the manufacturing & process industry is that plant safety, efficiency, and effectiveness dictate that data Integrity and Availability are paramount.

Page 10

But Wait – What About Confidentiality?

“…U.S. companies lose some $250 billion to intellectual property theft every year…. Internationally, $114 billion was lost to cybercrimes, but that number could be as high as $388 billion if the value of time and business opportunities lost is included. McAfee, the computer software and security company, gives an even higher number, saying $1 trillion is spent globally in remediation efforts.” – Gen. Keith Alexander, National Security Agency Director


Intellectual Property is contained in the plant design, operation, and product recipes.

Page 11

Think About Your Critical Assets

A critical asset is the part of the system or infrastructure that is essential to the mission of the organization, plant, or facility.

– Manufacturing: intellectual property, trade secrets, customer data, controls & equipment

– DoD Industrial company: intellectual property, trade secrets, SCIFs

– Small business: client information, financial information, trade secrets & IP

Ask yourself: “What & where are my critical assets? How are IoT security issues jeopardizing those assets?”

Page 12

CRIMINAL & NATION STATE ATTACKS

When the big bad wolf knocks on your door.


Page 13

China: Overwhelming Evidence

“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1. …”


MANDIANT: APT1 Exposing One of China’s Cyber Espionage Units

“Our observations confirm that APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan”

Page 14

Who Would Steal Intellectual Property?

Secret formula stolen on USB device

“Between 2008 and 2009, a chemist with Valspar Corporation named David Yen Lee used his access to an internal computer network to download 160 secret documents related to paints and coatings. Lee intended to bring this information to his new company with Nippon Paint in Shanghai, China.” (http://www.justice.gov/usao/iln/pr/chicago/2009/pr0626_01a.pdf)


Page 15

Case Study – Night Dragon

Hackers Breach Tech Systems of Oil Companies

NY Times, 10 Feb 2011: At least five multinational oil and gas companies suffered computer network intrusions from a persistent group of computer hackers based in China, …. Computer security researchers at McAfee Inc. said the attacks, …, appeared to be aimed at corporate espionage.

Operating from what was a base apparently in Beijing, the intruders established control servers in the United States and Netherlands to break into computers in Kazakhstan, Taiwan, Greece and the United States, according to a report, “Global Energy Cyber attacks: ‘Night Dragon.’ ” The focus of the intrusions was on oil and gas field production systems as well as financial documents related to field exploration and bidding for new oil and gas leases, according to the report.

Source: http://www.nytimes.com/2011/02/10/business/global/10hack.html


Page 16

IoT: Nation States & Criminals Are Looking

ICS Honeypot experiment: Two dummy industrial control systems (ICS) and one real one exposed to the Internet

• First attack in 18 hours.

• 12 unique attacks that could be classified as "targeted."

• 13 attacks repeated by the same actors.

• Attackers used automated tools that search out industrial control systems.

• Hackers probed the site and manipulated devices if possible.

• Attacks included modifying settings to change water pressure and stop the flow on a water pump.

• Attacks used techniques specific to industrial control systems.

• Attacks involved sending emails to the administrator address.

www.waterworld.com/articles/iww/print/volume-13/issue-3/columns/industrial-control-systems-targeted-by-hackers.html?goback=.gde_1222087_member_251346148


Page 17

Adventium Honeypot Experiment

The following is geek speak for “we set up a phony target”:

• ssh server set up and listening on port 22

    Nov 1 16:52:49 adv-test sshd[3957]: Server listening on :: port 22.
    Nov 1 16:52:49 adv-test sshd[3946]: Starting SSH daemon..done

• First brute force attack attempt

    Nov 1 21:34:02 adv-test sshd[6711]: Invalid user oracle from 111.74.82.33
    Nov 1 21:34:04 adv-test sshd[6715]: Invalid user test from 111.74.82.33
    Nov 1 21:36:10 adv-test sshd[6897]: Invalid user oracle from 111.74.82.33
    Nov 1 21:36:12 adv-test sshd[6901]: Invalid user oracle from 111.74.82.33

111.74.82.33 is... China!

• Number of unique IPs engaged in brute force ssh attacks against the honeypot:

    18 GeoIP Country CN, China
    6 GeoIP Country HK, Hong Kong
    1754 GeoIP Country US, United States

The first attack was from China in less than 5 hours. 5,000 attacks in 10 days from 18 nations.
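As an added example (not Adventium's honeypot tooling), this is the detection logic a defender would run over sshd lines in exactly the format quoted above: it parses the syslog lines, counts "Invalid user" attempts per source address, flags sources that burst past a threshold inside a time window, and measures the delay from "Server listening" to the first attempt. The threshold, the window, the assumed year and the extra 198.51.100.7 line are constructed assumptions.

```python
"""Brute-force detection over sshd auth-log lines in the syslog format shown on
the honeypot slide. Added example code, not Adventium's honeypot tooling."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
INVALID_USER_RE = re.compile(
    r"^Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
LISTENING_RE = re.compile(r"^Server listening on \S+ port \d+")

SYSLOG_YEAR = 2014  # assumption: syslog timestamps carry no year

# Constructed sample: the lines quoted on the slide plus one extra low-volume
# source (198.51.100.7, a documentation-range address) that must NOT be flagged.
SAMPLE_LOG = [
    "Nov 1 16:52:49 adv-test sshd[3957]: Server listening on :: port 22.",
    "Nov 1 16:52:49 adv-test sshd[3946]: Starting SSH daemon..done",
    "Nov 1 21:34:02 adv-test sshd[6711]: Invalid user oracle from 111.74.82.33",
    "Nov 1 21:34:04 adv-test sshd[6715]: Invalid user test from 111.74.82.33",
    "Nov 1 21:36:10 adv-test sshd[6897]: Invalid user oracle from 111.74.82.33",
    "Nov 1 21:36:12 adv-test sshd[6901]: Invalid user oracle from 111.74.82.33",
    "Nov 1 23:10:40 adv-test sshd[7102]: Invalid user admin from 198.51.100.7",
]


def parse_ts(ts: str) -> datetime:
    """'Nov 1 21:34:02' -> datetime, using the assumed year."""
    mon, day, clock = ts.split()
    return datetime.strptime(f"{mon} {int(day):02d} {SYSLOG_YEAR} {clock}",
                             "%b %d %Y %H:%M:%S")


def analyse(lines, threshold=3, window=timedelta(minutes=5)):
    """Parse sshd lines and return a dict with:
      sources: per-IP attempt count and the usernames tried
      brute_forcers: IPs with >= threshold invalid-user attempts inside any window
      time_to_first_attempt: delay from 'Server listening' to the first attempt
    Lines that do not match the sshd format are ignored."""
    listening_at = None
    attempts = defaultdict(list)  # ip -> [(datetime, username), ...]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        if listening_at is None and LISTENING_RE.match(msg):
            listening_at = ts
        iu = INVALID_USER_RE.match(msg)
        if iu:
            attempts[iu.group("ip")].append((ts, iu.group("user")))

    brute_forcers = set()
    for ip, events in attempts.items():
        events.sort()
        start = 0
        # Sliding window: shrink from the left until it fits, then check its size.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                brute_forcers.add(ip)
                break

    first = min((ev[0][0] for ev in attempts.values()), default=None)
    time_to_first = None
    if first is not None and listening_at is not None:
        time_to_first = first - listening_at
    sources = {ip: {"attempts": len(ev), "users": sorted({u for _, u in ev})}
               for ip, ev in attempts.items()}
    return {"sources": sources, "brute_forcers": brute_forcers,
            "time_to_first_attempt": time_to_first}


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("time to first attempt:", r["time_to_first_attempt"])
    for ip, s in r["sources"].items():
        flag = "BRUTE FORCE" if ip in r["brute_forcers"] else "ok"
        print(f"{ip:16} {s['attempts']:3} attempts, users={s['users']} -> {flag}")
```

On the slide's own four lines the script reports 111.74.82.33 as a brute-force source and a delay of 4 h 41 m 13 s between the daemon starting and the first attempt, matching the "less than 5 hours" on the slide.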


Page 18

Capabilities of Criminal & Nation State

Anatomy of Criminal/Nation State Attack

1. Establish an attack infrastructure (tools, methods, techniques)

2. Conduct recon on target

3. Draft a spear-phishing email

4. Compromise the end-point

5. Obtain valid credentials

6. Map out victim's network

7. Set up hidden directory for data capture

8. Compress / encrypt data for transfer

Source: FBI Section Chief Peter Trahon, Cyber National Security Section, 13 March 2012, MN InfraGard meeting on Electronic Espionage


“Most of the victims were notified by the USG / FBI” Peter Trahon

“External agents have created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets.” (Verizon)

Page 19

Four APT Examples

• Stuxnet – Identified June 2010

– Believed built on the Flame platform

– Infects by USB drives

• Duqu – Identified September 2011

– Designed to capture key strokes and system information

• Flame – Identified May 2012

– Believed the original malware dates to 2006

– “Scout” for Stuxnet

– Largest malware program ever seen (20 MB)

• Red October – Discovered October 2012

– Advanced cyber espionage targeted diplomatic, governmental and scientific research organizations worldwide

– Operated 6+ years

– Auto shut-down after discovery


Page 20

Repurposing of APT Cyber Attacks

BAI – “Howard, please comment on the repurposing of Duqu, Flame, and Stuxnet by criminal organizations”


HS – “Yes, you are correct. We are seeing a massive reuse of the components of these sophisticated attacks. Once the malware was discovered and dissected, the reuse started in a matter of weeks.” Howard Schmidt, former Special Assistant to the President and Cyber Security Coordinator, Cyber Security Summit, Oct. 9th 2012

Page 21

MOBILE DEVICES IN THE WORK ENVIRONMENT

I have a great idea, let's write an app to access the IoT devices on the plant floor. Cool idea!


Page 22

Top Mobile Device Issues

Mobile devices:

– Are promiscuous if configured incorrectly

– Easily cross boundaries

• Wi-Fi, cell, text, internal networks, web, social media, and physically go everywhere

– Are being used for business

• Email, presentations, contracts, banking ….

– Are the big target for new malware

• Root exploit attacks

• Attack of the zombies

• Bogus anti-virus apps

• Data leakage


Page 23

Mobile devices invade corporate America


The impact of mobile devices on Information Security: A Survey of IT Professionals

Page 24

Android – 80% of Mobile Malware

Chinese CERT Reports Increases in Mobile Malware - 80% on Android (July 4, 2013)

According to data from CNCERT/CC, China experienced a 25-fold increase in detected mobile malware samples between 2011 and 2012. More than 80 percent of the malware samples targeted Android devices. … in 2012, 73,000 Trojan and botnet command-and-control servers hijacked 14.2 million host machines in that country.

http://www.computerworld.com/s/article/9240574/China_sees_increase_in_Trojan_and_botnet_attacks_from_other_countries?taxonomyId=17

http://www.zdnet.com/cn/mobile-malware-rises-more-than-25-times-in-china-7000017678/s

http://www.pcworld.com/article/2043663/china-sees-increase-in-trojan-and-botnet-attacks-from-other-countries.html

[Editor's Note (Skoudis): Wow! Predicted for years, the age of mobile malware is finally upon us as the bad guys have perfected reliable ways to make good money by attacking mobile devices. …]


Page 25

Android Flaw Bypasses Safeguards

Critical Android Flaw Lets Attackers Insert Code Into Signed Apps (July 2, 3 & 4, 2013)

A critical vulnerability that affects every version of the Android operating system since 2009 can be exploited to allow attackers complete access to Android devices. Hackers could steal data from the phones, use them to send spam, or eavesdrop on communications. The flaw …allows malicious code to evade the operating system's mechanism that checks cryptographic signatures to make sure they are trusted.

http://www.h-online.com/security/news/item/Android-s-code-signing-can-be-bypassed-1911409.html

http://www.bbc.co.uk/news/technology-23179522

http://arstechnica.com/security/2013/07/android-flaw-allows-hackers-to-surreptitiously-modify-apps/


Page 26

Galaxy Knox is Vulnerable

Researchers report security flaw in Samsung's Galaxy S4 - December 24, 2013

An Israeli security team says a vulnerability in Samsung's Knox security platform enables malicious software to track e-mails and record data communications.

http://www.cnet.com/news/researchers-report-security-flaw-in-samsungs-galaxy-s4/


Page 28

Mobile Devices & Cloud

iCloud Data Breach: Hacking & Celebrity Photos

• Defective access/authentication control mechanism

– Script queries iCloud services via the “Find My iPhone” API to guess username and password combinations. No limit on the number of queries.

• Smart phone has automatic backup to iCloud

– Pictures, email, data, everything

http://www.forbes.com/sites/davelewis/2014/09/02/icloud-data-breach-hacking-and-nude-celebrity-photos/


What if the data on the iCloud was private client email that you had on your smart phone?

Page 29

IOT VULNERABILITIES ARE WELL KNOWN

After 20 years in the security game: Everything old is new again.


Page 30

DHS Current ICS Vulnerabilities 2009 - 2010

“Current vulnerabilities in ICS product assessments continue to be improper input validation by ICS code. Through bad coding practices and improper input validation, access can be granted to an attacker allowing them to have unintended functionality or privilege escalation on the systems”


DHS, Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, Figure 3.

Page 31

Security Issues Are Well Known

Digital Bond’s Basecamp study

– “The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of industry inaction on improving controllers and industrial protocols will end”


Basecamp Testing: “it was a bloodbath”. As everyone expected, the PLCs crashed, had typical vulnerabilities such as overflows and XSS, and had product features that could be used against the device.

http://www.digitalbond.com/tools/basecamp/

Page 32

IoT: Can’t We Just Hide?

Scariest Search Engine on the Internet Just Got Scarier

• Project SHINE (SHodan INtelligence Extraction) from Bob Radvanovsky and Jake Brodsky of Infracritical. Its purpose is to use Shodan to locate SCADA devices connected to the internet.

• "The average number of new SCADA/ICS devices found every day is between 2000 and 8000. So far we have collected over 1,000,000 unique IP addresses that appear to belong to either SCADA and control systems devices or related software products."


http://www.infosecurity-magazine.com/news/scariest-search-engine-on-the-internet-just-got/

Security by obscurity is not an option if you are exposed to the internet.

SHODAN – Computer Search Engine: Search for computers based on software, geography, operating system, IP address and more. www.shodanhq.com/

Page 33

IoT: Can’t We Just Hide? Part 2

What Happened When One Man Pinged the Whole Internet

• … sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world... Moore received replies from 310 million IPs that indicated they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them.

• HD Moore published results on a particularly troubling segment of those vulnerable devices: ones that appear to be used for business and industrial systems. Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all.


http://www.technologyreview.com/news/514066/what-happened-when-one-man-pinged-the-whole-internet/

Security by obscurity is not an option if you are exposed to the internet.

Page 34

IoT: Can’t We Just Hide? Part 3

Hackers gain 'full control' of critical SCADA systems

• Over 60,000 exposed control systems found online. Russian researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems.

• "We don’t have big experience in nuclear industry, but for energy, oil and gas, chemical and transportation sectors during our assessments project we demonstrated to owners how to get full control [of] industrial infrastructure with all the attendant risks," Gordeychik told SC Magazine….

– … allowed attackers to gain full access to Programmable Logic Controllers (PLCs) using attacks described as dangerous and easy to launch.


http://www.itnews.com.au/News/369200,hackers-gain-full-control-of-critical-scada-systems.aspx

Page 35

EXAMPLE IOT VULNERABILITIES & EXPLOITS

Malware that might be in your future.


Page 36

Your Router is Out to Get You

LAS VEGAS: Black Hat information security conference In-Q-Tel Chief Information Security Officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers.

…inexpensive routers were an example of the security risk of the "Internet of Things," because of their use of long-lived embedded software with no automatic way for vendors to distribute patches.

http://arstechnica.com/security/2014/08/security-expert-calls-home-routers-a-clear-and-present-danger/


Edge devices are the last to be patched, if patched at all.

Page 37

Malware Actions


2013 Verizon Breach Investigation Report

Malware is focused on financial gain and espionage to gather intellectual property.

Page 38

Crypto weakness in smart LED light bulbs exposes Wi-Fi passwords

• The attack works against LIFX smart light bulbs, which can be turned on and off and adjusted using iOS- and Android-based devices.

• LIFX has updated the firmware … after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. … the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.


Product developers often lack a background in securing systems.

http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/

Page 39

IoT: Security Cameras

“Yesterday I stumbled onto a site indexing 73,011 locations with unsecured security cameras in 256 countries …unsecured as in “secured” with default usernames and passwords. The site, with an IP address from Russia,…” (Network World)


http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html

IoT products are often sold in unsecured default mode.

Page 40

IoT: Now where did I leave those keys?

“On Christmas Eve not long ago, a call was made from a prison warden: all of the cells on death row popped open. Not sure how or if it could happen again, the prison warden requested security experts to investigate. Many prisons and jails use SCADA systems with PLCs to open and close doors. As a result of Stuxnet academic research, we have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to “open” or “locked closed” on cell doors and gates. ……..”

SCADA & IoT is everywhere, including your local jail.

SCADA & PLC VULNERABILITIES IN CORRECTIONAL FACILITIES White Paper, Newman, Rad, LLC, Strauchs, LLC, 7/30/2011


Page 41

SCADA Vulnerabilities

“In general, ICS vulnerabilities continue to make news. On Thanksgiving Day in the US, Aaron Portnoy, the VP of research at Exodus Intelligence, was able to uncover no fewer than 23 vulnerabilities in SCADA systems in just a few hours. The first exploitable zero-day took a mere seven minutes to discover. “I had a morning’s worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many SCADA 0day vulnerabilities as possible,” he explained. “For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison.”

http://www.infosecurity-magazine.com/view/31203/another-honeywell-ics-vulnerability-rears-its-head-in-building-control/?goback=.gde_1222087_member_222594055


The above story sums up my observations over 25 years.

Page 42

IoT: What Else Can They Do?

"Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication (eg by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates) and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool." Dr Udo Helmbrecht, executive director of ENISA

Stuxnet removed all remaining doubt about the ability of a cyber attack to cause physical damage.

The Stuxnet Worm, Paul Mueller and Babaki Yadegar, www.cs.arizona.edu/~collberg/.../report.pdf

Page 43

THE COST OF A DATA BREACH

If you have to ask, you can’t afford it.


Page 44

The Headlines

Target Puts Data Breach Costs at $148 Million

The New York Times, Aug 5, 2014 - Target, still feeling the pain from a huge data breach last year, said in a security filing on Tuesday that costs associated with the episode ...

Home Depot data breach was bigger than Target's

Christian Science Monitor - Target's breach compromised 40 million credit and debit cards. ... Still, the breach's ultimate cost to the company remains unknown.

You are probably thinking you are safe because you are a small business. You would be wrong.

Page 45

Small Biz, Big Target, Big Impact

According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Roughly 60% of small businesses close within six months of a cyber attack.

http://www.forbes.com/sites/forbesleadershipforum/2013/05/13/your-business-is-never-too-small-for-a-cyber-attack-heres-how-to-protect-yourself/


Page 46

Why Attack Small Businesses?

According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months after an attack.

• Smaller companies don’t fight back like bigger companies.

• “Small businesses typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach.”

• Often, a breach against a small fry can yield useful data for attackers seeking to target bigger fish. … valuable spoils—ranging from employee data and cloud logins to customer data and banking credentials—from the smaller players along the way.

http://www.pcworld.com/article/2046300/hackers-put-a-bulls-eye-on-small-business.html


If your security negligence leads to a breach at a major corporation, what do you suppose is going to happen next?

Page 47

What do the Bad Guys Like? Your Creds

Billions of Digital Credentials Stolen (August 2014)

A group of Russian thieves has collected a stash of Internet account credentials: 1.2 billion user name and password combinations and 500 million email addresses. The data were taken from more than 420,000 websites.

http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html


Page 48

Cost of Data Breach Study: Global Study

• Ponemon Institute data set

– 314 companies representing 10 countries

– Data breach ranging from 2,415 to 100,000 compromised records.

• Findings for US Data Breach:

– $5.85 million - Average total cost of a US data breach.

– $195 - Average cost paid for each US record containing sensitive and confidential information.

– You are more likely to have a breach of 10,000 or fewer records than a mega breach of 100,000 records.

– The most costly data breaches were malicious and criminal attacks.


2014 Cost of Data Breach Study, Ponemon Institute LLC

Page 49

Calculating the Cost of Data Breach

Estimate includes direct and indirect expenses incurred by the organization.

– Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services.

– Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.


• Ponemon Institute 2014 Research Report

Page 50

Industrial Sector is 6th Most Costly


Ponemon Institute 2014 Research Report

Total of 16 sectors

Page 51

Data Breaches Cause Lost Business

US avg. lost business due to breach = $3.3M

• Ponemon Institute 2014 Research Report. Total of 16 sectors.

Page 52: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

HOW NOT TO SECURE YOUR COMPANY

The wrong ways to secure IoT are also well known.

In the words of the great philosopher Homer (Simpson):

“DUH?”

Page 53: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

IoT: The Need for Software Updates

“The Shamoon attack was a wake-up call for the oil and gas industry on several fronts; not only did it manage to destroy data from over 30,000 computers at the world's largest oil producer, Saudi Aramco, but according to experts the virus could have been designed by a second-year computer science student.”

“The low sophistication of the Shamoon virus software is not only worrying because it would be very easy to copy, but it also highlighted huge vulnerabilities and gaps in not just the energy sector, but the entire critical infrastructure space.” Oil & Gas Industry News 6/2013

Brian’s hint: Shamoon attacks computers running MS NT operating systems.

Page 54: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

How Not to Secure Your Company

Home Depot Ignored Security Concerns

Former Home Depot employees say that management ignored warnings from the company's computer security team that its systems were vulnerable to attack. Some team members even quit in frustration over the company's slow response to warnings of serious problems. The company was using outdated antivirus software and did not regularly scan critical systems. An engineer hired to work on the security team is now in prison for sabotaging his previous employer's network.

http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html

http://www.theregister.co.uk/2014/09/22/home_depot_ignored_staff_warnings_of_security_fail_laundry_list/

http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/

Page 55: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Home Depot: Not so Unique PoS Attack

Home Depot Breach Affected 56 Million Cards

Home Depot acknowledged that the breach of its point-of-sale systems affected an estimated 56 million payment cards. In a press release, the company said that the attackers used "unique, custom-built malware." Additional information about the data breach at Home Depot suggests that it affects mainly cards used in self-checkout lanes.

[Editor's Note (Pescatore): Lesson learned in these recent PoS attacks is why in the world aren't you using white listing on the PCs attached to payment devices? There is absolutely no business need to allow arbitrary software to run on tills/registers.] SANS NewsBites, September 18, 2014

http://krebsonsecurity.com/2014/09/in-home-depot-breach-investigation-focuses-on-self-checkout-lanes/

http://www.scmagazine.com/home-depot-breach-risks-56m-payment-cards-unique-malware-used/article/372426/
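An added example of the control Pescatore's note describes, not part of the presentation or of SANS NewsBites: an allow-list of SHA-256 hashes is built from a till's approved software image and then audited against what is actually present on the deployed device, so that an unknown program or a replaced binary is reported rather than silently allowed to run. The file names and contents are constructed for the demo; on a real Windows till the enforcement would come from the operating system's own allow-listing (AppLocker, for instance), and this script only shows the audit logic.

```python
"""Application allow-listing audit for a payment terminal image.

Added example (not from the presentation). A gold image's executables are
hashed into an allow-list; any file on the deployed till that is missing
from the list, or whose hash changed, is a finding. All paths and file
contents are constructed stand-ins for real binaries.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(gold_image: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every file in the approved image."""
    return {
        str(p.relative_to(gold_image)): sha256_file(p)
        for p in sorted(gold_image.rglob("*"))
        if p.is_file()
    }


def audit(deployed: Path, allowlist: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative path, reason) for every file an allow-list would block.

    Two findings matter on a till: a file that is not in the image at all
    (dropped malware, an ad-hoc tool) and a known file whose hash changed
    (a replaced or backdoored binary). Both are denied by an allow-list policy.
    """
    findings = []
    for p in sorted(deployed.rglob("*")):
        if not p.is_file():
            continue
        rel = str(p.relative_to(deployed))
        expected = allowlist.get(rel)
        if expected is None:
            findings.append((rel, "not in allow-list"))
        elif expected != sha256_file(p):
            findings.append((rel, "hash mismatch"))
    return findings


def demo() -> list[tuple[str, str]]:
    """Build a constructed gold image and a drifted till, then audit the till."""
    with tempfile.TemporaryDirectory() as tmp:
        gold = Path(tmp, "gold")
        till = Path(tmp, "till")
        # Constructed "executables": the bytes stand in for real program files.
        for root in (gold, till):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "pos.exe").write_bytes(b"approved POS application v1")
            (root / "bin" / "printer.exe").write_bytes(b"approved receipt printer driver")
        # Drift on the deployed till: one replaced binary, one unknown file.
        (till / "bin" / "printer.exe").write_bytes(b"tampered printer driver")
        (till / "bin" / "scraper.exe").write_bytes(b"unknown program")
        return audit(till, build_allowlist(gold))


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"DENY {rel}: {reason}")
```

The audit deliberately reports a changed hash separately from an unknown file: the first usually means a patch that bypassed change control (or tampering), the second usually means something was dropped onto the register. Either way the fix is to allow only the approved image to execute, which is the point of the editor's note.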

Page 56: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

77% of Agencies Run Unsupported Java

Only a handful of U.S. government computers are using the latest version of Java while more than three quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010, according to an analysis by the Web security company Websense.

There are 52 update versions of Java in use, but as of this month, Oracle will update only versions of Java 7. That leaves a lot of unsupported versions on government and other computers.

JAVA ON THE .GOV DOMAIN

• 6.38 percent using latest update of Java 7.

• 23 percent using some version of Java 7.

• 77 percent using unsupported versions of Java 6 or earlier.

JAVA GLOBALLY

• 5.17 percent using latest update of Java 7.

• 21 percent using some version of Java 7.

• 79 percent using unsupported versions of Java 6 or earlier.

Source: Websense and Oracle. http://gcn.com/articles/2013/03/27/java-vulnerabilities-goverment-unspported-versions.aspx?admgarea=TC_SecCybersSec

Page 57: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

IoT: Can’t We Just Transfer the Liability?

Lloyd's of London Declines Infosec Cover For Energy Companies

"In the last year or so we have seen a huge increase in demand from energy and utility companies," Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the BBC. "They are all worried about their reliance on computer systems and how they can offset that with insurance."

http://www.infosecurity-magazine.com/news/lloyds-of-london-declines-infosec-cover-for/

The insurance companies know who is being naughty and nice.

Page 58: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

IoT: HVAC Systems in Buildings

Google’s Building Management System Hack Highlights SCADA Security Challenges

• … recent disclosure of a vulnerability in Google's building management system (BMS) has served as another example of a real-life security gap that may be a bigger concern than some organizations realize.

• "It seems that there has been a dramatic uptick against SCADA systems," says Billy Rios, technical director and director of consulting at Cylance. "It's difficult to pinpoint exactly why, but I'm guessing that the ability to easily discover these devices on the Internet plays a larger part here."

• … they discovered Google was using an unpatched version of Tridium Niagara AX, a software platform that integrates different systems and devices for management at its Google Wharf 7 building in Australia.

http://www.darkreading.com/vulnerabilities---threats/google-building-management-system-hack-highlights-scada-security-challenges/d/d-id/1139722?

Brian’s experience:

• All modern HVAC controls are IP addressable.

• Building’s HVAC control system will eventually be connected to the enterprise network.

• HVAC controls are the last to be patched.

• HVAC system integrators are not “cyber people”.

Page 59: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

DON’T PANIC

The answer to “Internet of Things: Manufacturing Panacea or Hacker’s Dream?” is: YES

Page 60: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Ok: What Do We Know About IoT Security?

We have established that:

– You can’t hide from the problem.

– Old and new devices have vulnerabilities.

– The vulnerabilities are well known.

– The bad actors are exploiting the vulnerabilities for financial gain and espionage.

– Security has the “weakest link in chain” problem.

– Even well run companies can/will be breached.

Page 61: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Technology is Not the Problem

LOGIIC 2007

Standard IT Defenses

• Network Segment Firewalls

• Host Firewalls

• Network Intrusion Detection Systems (IDS)

• Network Devices (switches, routers, wireless devices)

Control System Event Sources

• Standard IT network IDS using signatures for a control system protocol (Modbus)

• Alarms from SCADA and DCS systems

• Alarms from a flow computer

http://www.logiic.org

LOGIIC and other programs showed that SOA IT technology can detect and deter attacks in ICS/SCADA systems.
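An added example, not from LOGIIC or the presentation, of what the "standard IT network IDS using signatures for a control system protocol (Modbus)" event source on the slide does in practice: each Modbus/TCP frame's MBAP header and function code are parsed, and a small rule set flags writes from hosts that are not the engineering workstation, diagnostic function codes, exception responses and malformed frames. The engineering-host address, the IP addresses and the frames are all constructed for the demo; the site policy they encode (only `ENGINEERING_HOSTS` may write to PLCs) is an assumption.

```python
"""Signature-style Modbus/TCP detection over constructed traffic.

Added example (not from LOGIIC or the presentation). Frames are parsed
into MBAP header + PDU, then matched against a few rules of the kind an
IT IDS with Modbus signatures would carry. Hosts and frames are constructed.
"""
import struct
from dataclasses import dataclass

# Function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Function codes rarely legitimate in normal production traffic.
DIAGNOSTIC_FUNCTIONS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}
# Assumed site policy: only the engineering workstation may write to PLCs.
ENGINEERING_HOSTS = {"10.1.1.10"}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError when malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # MBAP length counts unit id + PDU, so the frame must be exactly 6 + length.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match frame size {len(payload)}")
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def build_frame(tid: int, unit: int, function: int, data: bytes,
                protocol_id: int = 0) -> bytes:
    """Encode a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, protocol_id, len(pdu) + 1, unit) + pdu


def inspect(src: str, dst: str, payload: bytes) -> list[str]:
    """Apply the signature rules to one frame and return alert strings."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return [f"MALFORMED {src}->{dst}: {exc}"]
    alerts = []
    if frame.protocol_id != 0:  # Modbus/TCP protocol id is always 0
        alerts.append(f"BAD-PROTOCOL-ID {src}->{dst}: {frame.protocol_id}")
    if frame.function in WRITE_FUNCTIONS and src not in ENGINEERING_HOSTS:
        alerts.append(f"UNAUTHORIZED-WRITE {src}->{dst}: "
                      f"{WRITE_FUNCTIONS[frame.function]} (fc {frame.function})")
    if frame.function in DIAGNOSTIC_FUNCTIONS:
        alerts.append(f"DIAGNOSTIC {src}->{dst}: {DIAGNOSTIC_FUNCTIONS[frame.function]}")
    if frame.function & 0x80:  # exception response: original fc with high bit set
        alerts.append(f"EXCEPTION {src}->{dst}: fc {frame.function & 0x7F} "
                      f"code {frame.data[:1].hex()}")
    return alerts


# Constructed sample traffic: (source IP, destination PLC, raw TCP payload).
SAMPLE_TRAFFIC = [
    # HMI polling holding registers: a normal read, no alert.
    ("10.1.1.20", "10.1.2.5", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writing a setpoint: allowed by policy.
    ("10.1.1.10", "10.1.2.5", build_frame(2, 1, 6, struct.pack(">HH", 40, 1200))),
    # Unknown office-network host writing a coil: alert.
    ("192.168.50.77", "10.1.2.5", build_frame(3, 1, 5, struct.pack(">HH", 7, 0xFF00))),
    # Diagnostics sub-function from the HMI: alert.
    ("10.1.1.20", "10.1.2.5", build_frame(4, 1, 8, struct.pack(">HH", 0, 0))),
    # Truncated frame: malformed alert.
    ("10.1.1.20", "10.1.2.5", b"\x00\x05\x00\x00"),
]


def run(traffic=SAMPLE_TRAFFIC) -> list[str]:
    """Inspect every frame and collect the alerts in order."""
    alerts = []
    for src, dst, payload in traffic:
        alerts.extend(inspect(src, dst, payload))
    return alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The rules are the same shape an off-the-shelf IDS signature takes (header field, function code, source address), which is the slide's point: standard IT detection technology works on control-system traffic once it is told what the protocol looks like and which hosts are supposed to do what.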

Page 62: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

The Security Path Forward

是故勝兵先勝而後求戰,敗兵先戰而後求勝。

Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.

http://en.wikiquote.org/wiki/Sun_Tzu

Page 63: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Know What’s Important to Your Business

You may not be a cyber expert, but you do know your business.

1. What are your critical assets?

• Where are they located?

• Who needs access? Are they security savvy?

• What impact if compromised or lost?

• Consider the full life-cycle of the critical asset.

2. Who do you consider the threat?

• What are their motives and capabilities?

3. Who has responsibility for your business’ security?

4. Periodically review these steps.


Security is a process that leads to action. Security should not be a reaction to bad things happening.

Page 64: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Build Your Security Organization

• Follow well established standards & best practices for your domain.

– NIST security standard (start with 800-30)

– ISA 99/IEC 62443

• Example best practice: Eric Byres, “7 Steps to ICS & SCADA Security”

1. Assess Existing Systems

2. Document Policies & Procedures

3. Train Personnel & Contractors

4. Segment the Control System Network

5. Control the Access to the System

6. Harden the Components of the System

7. Monitor & Maintain System Security


No amount of technology will make up for a lack of policy, procedures, process, and training!

Page 65: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Brian’s Opinion: Key Security Policy

• Define clear roles & responsibilities for security organization.

• Procurement:

– Buy from vendors who “build security in” and deliver in “secure mode”.

– Standard “security language” for RFPs and POs.

• Engineering:

– Specify only products that are cyber tested and certified.

– Network segmentation & controlled access.

• Adopt a “full life cycle view” of security.

– Strict control and testing before integrating new technology.

– Protect/harden your legacy systems.

• Mobile devices:

– What apps, who decides, who owns device, walk-about.

Page 66: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Conversation With Process Control Industry Leader

• Never depend on the system integrator – or – end user to be able to correctly configure for security.

• Design all products to be secure by design.

– Shipped with least privileges

– Minimum role-based access defined

• Separation of roles and duties

• Each component has at least two roles:

– Commissioning role

– User role

• Make security simple for everyone who touches the product.

• Easy to commission, Easy to update, Easy to maintain.

“Security must be in the DNA of all aspects of the company from R&D to procurement.”
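An added example, not from the presentation or from any vendor, that turns the principles on this slide into checkable code: a field device that ships in secure mode with no accounts, a minimum two-role access set (commissioning and user), permissions granted per role rather than per person, and separation of duties so that the commissioning role cannot operate the process and the user role cannot change configuration or create accounts. The permission names, the configuration keys and the account names are assumptions made for the demo.

```python
"""Minimal two-role access model for a field device.

Added example (not from the presentation). Shows least-privilege shipping
defaults, a minimum role-based access set and separation of duties between
a commissioning role and a user role. Permission and setting names are assumed.
"""
from enum import Enum, auto


class Role(Enum):
    COMMISSIONING = auto()  # installs, configures, provisions accounts
    USER = auto()           # operates the device, cannot change configuration


class Permission(Enum):
    READ_STATUS = auto()
    OPERATE = auto()
    WRITE_CONFIG = auto()
    MANAGE_ACCOUNTS = auto()
    FIRMWARE_UPDATE = auto()


# Minimum role set: each role gets only what its job needs.
ROLE_PERMISSIONS = {
    Role.COMMISSIONING: {Permission.READ_STATUS, Permission.WRITE_CONFIG,
                         Permission.MANAGE_ACCOUNTS, Permission.FIRMWARE_UPDATE},
    Role.USER: {Permission.READ_STATUS, Permission.OPERATE},
}


class AccessDenied(PermissionError):
    pass


class Device:
    """Leaves the factory in secure mode: no accounts, remote config off."""

    def __init__(self):
        self.config = {"remote_config": False, "telemetry_port": 0}  # assumed settings
        self.accounts: dict[str, Role] = {}
        self.commissioned = False

    def _check(self, actor: str, needed: Permission) -> None:
        role = self.accounts.get(actor)
        if role is None or needed not in ROLE_PERMISSIONS[role]:
            raise AccessDenied(f"{actor!r} lacks {needed.name}")

    def first_boot(self, commissioning_account: str) -> None:
        """Create the single commissioning account; allowed only on an empty device."""
        if self.accounts:
            raise AccessDenied("device already has accounts; factory reset required")
        self.accounts[commissioning_account] = Role.COMMISSIONING

    def add_user(self, actor: str, name: str, role: Role) -> None:
        self._check(actor, Permission.MANAGE_ACCOUNTS)
        if role is Role.COMMISSIONING and self.commissioned:
            # After hand-over, new commissioning accounts need a factory reset.
            raise AccessDenied("commissioning accounts are frozen after commissioning")
        self.accounts[name] = role

    def set_config(self, actor: str, key: str, value) -> None:
        self._check(actor, Permission.WRITE_CONFIG)
        if key not in self.config:
            raise KeyError(key)
        self.config[key] = value

    def finish_commissioning(self, actor: str) -> None:
        """Hand over to operations; the existing commissioning account stays for maintenance."""
        self._check(actor, Permission.WRITE_CONFIG)
        self.commissioned = True

    def read_status(self, actor: str) -> dict:
        self._check(actor, Permission.READ_STATUS)
        return dict(self.config, commissioned=self.commissioned)

    def operate(self, actor: str, command: str) -> str:
        self._check(actor, Permission.OPERATE)
        return f"executed {command}"


def demo() -> dict:
    """Commission a device, hand it over, then record what each role is denied."""
    dev = Device()
    dev.first_boot("installer")
    dev.set_config("installer", "telemetry_port", 502)
    dev.add_user("installer", "operator", Role.USER)
    dev.finish_commissioning("installer")
    denied = []
    for attempt in (lambda: dev.set_config("operator", "remote_config", True),
                    lambda: dev.add_user("operator", "mallory", Role.USER),
                    lambda: dev.operate("installer", "start_pump"),
                    lambda: dev.add_user("installer", "installer2", Role.COMMISSIONING)):
        try:
            attempt()
        except AccessDenied as exc:
            denied.append(str(exc))
    return {"status": dev.read_status("operator"),
            "operate": dev.operate("operator", "start_pump"),
            "denied": denied}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two design choices carry the slide's message. Permissions hang off roles, not accounts, so an integrator cannot "fix" a problem by handing one login everything. And the commissioning role is frozen once hand-over is done, so a device in service cannot quietly grow new administrators without the visible step of a factory reset.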

Page 67: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

SDLC: Security Considerations

CISSP: All-in-One Exam Guide (6th Edition) by Shon Harris pg 1094

System Development Life Cycle:

– Initiation

– Acquisition / Development

– Implementation / Commissioning

– Operation / Maintenance

– Decommissioning / Disposal

Page 68: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

System/Software Lifecycle Development Process

Software Lifecycle Standards, Tools & Resources (examples)

– ISA Secure

• Software development lifecycle

• System Security Assurance (SSA)

– http://www.isasecure.org/ISASecure-Program/SSA-Certification.aspx

– Building Security In Maturity Model http://bsimm.com/

– Microsoft Security Development Lifecycle (SDL) – Process Guidance

• http://msdn.microsoft.com/en-us/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx

– SAFECode organization - software security practices (www.safecode.org)

– Software Engineering Institute (ISO 12207, ISO 15288, DHS-CBK) http://www.sei.cmu.edu/solutions/softwaredev/

Do not re-invent this wheel.

Page 69: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

System/Software Cyber Testing/Certification

Test and certify cyber readiness (examples)

– Wurldtech Achilles certification http://www.wurldtech.com/product_services/

– ISA Secure – certification program for components and system.

– Veracode - security verification of mobile, web, developed, purchased or outsourced software applications and third-party components. http://www.veracode.com/solutions

– Fortify On Demand https://trial.hpfod.com/services-and-solutions

Page 70: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Conclusion – There is Hope

“The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.” (Verizon DBIR)

This is not rocket science. However, winning will require persistence, alertness, and agility.

Page 71: Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?

Questions?