Brian Isle: The Internet of Things: Manufacturing Panacea - or - Hacker's Dream?
Internet of Things: Manufacturing Panacea or Hacker’s Dream?
Brian Isle, P. E.
Adventium Labs & University of Minnesota Technology Leadership
Institute (TLI)
www.360mn.org
© 2014 Adventium Labs 2
Brian Isle, Senior Fellow
Adventium Labs & University of Minnesota
612-716-5604 [email protected]
Agenda
• Setting the stage.
• Scope & scale of IoT security issues.
• Impact of cyber exploits on business.
• What you can do. A ray of hope.
Goal of the presentation: Raise your awareness of IoT security issues, scare you a bit, & give you some hope.
Setting the Stage – Cyber War
• Criminal and Nation-State exploitation for financial gain, collection of intellectual property, and exploitation of U.S. infrastructure is where the “game” will be played over the next 5 years.
• Cyber space is a level playing field.
• The adversary is good at the “game”, adapts quickly, and is in it for financial gain and positioning for the future.
“The Nation-States will attack the C-level, and they will succeed! Put plans in place to mitigate the damage.” FBI Section Chief Peter Trahon, Section Chief of the Cyber National Security Section
Internet of “every”-Thing
Internet of Things is the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment. (Gartner)
– Any device that is IP addressable, has CPU, memory, & firmware. (BAI)
– Often Edge-devices
http://en.wikipedia.org/wiki/Internet_of_Things#mediaviewer/File:Internet_of_Things.jpg
Everything from your toothbrush to your speedometer will be IoT.
IoT Example: Oil Infrastructure
[Diagram: oil infrastructure flow from domestic crude oil, crude oil imports/exports and the Strategic Petroleum Reserve through meters/valves, pumping stations, pipeline/barge/rail/truck transport, refineries, distribution centers and chemical plants to refined products (jet fuel, motor gasoline, distillate and residual fuel oil, liquefied petroleum gases, natural gas liquids, unfinished oils and blending components); each node is rated High, Medium or Low for IoT exposure, with refineries, pumping stations, distribution centers, chemical plants and the Strategic Petroleum Reserve rated High and imports/exports rated Low to Medium.]
Modified from: Securing Oil & Natural Gas Infrastructures NPC June 2001
IoT includes everything in the oil infrastructure.
IoT: Why is Security so Difficult?
The security vulnerabilities for the entire class of industrial control are broadly known, and have been known for 2 decades.
[Chart: product landscape plotted on two axes, High Assurance to Consumer Grade and Legacy Products to New Products, annotated:]
• 20 yr life; designed for safety, not security
• Vendors slow to adopt security best practices
• Quick, get-it-to-market mentality
• No means to upgrade firmware
Overarching issue: New technologies are being integrated without consideration for system security. Wireless, cloud, cell phones, IP-enabled components …
Why Is Securing SCADA so Hard?
Control Systems are Unique and different from IT
• Control systems are often viable for 20 or 30 years.
• Controls are integrated into a larger system by a third party.
• Security is not a core competency of control engineers nor integrators – the folks who specify, design, assemble, and operate the systems.
• The overall system will change continuously for the life of the plant.
• There is no tolerance for a blue-screen due to a software patch.
• The often cited security approach of “air gap” is a myth.
Manufacturing & Data Security - CIA
Common security framework for data security:
• Availability: “Ensuring timely and reliable access to and use of information...” A loss of availability is the disruption of access to or use of information or an information system.
• Integrity: “Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity...” A loss of integrity is the unauthorized modification or destruction of information.
• Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information...” A loss of confidentiality is the unauthorized disclosure of information.
Source: FISMA definition [44 U.S.C., Sec. 3542]; FIPS 199 definition
Broadly accepted in the manufacturing & process industry is that plant safety, efficiency, and effectiveness dictate that data Integrity and Availability are paramount.
But Wait – What About Confidentiality?
“…U.S. companies lose some $250 billion to intellectual property theft every year…. Internationally, $114 billion was lost to cybercrimes, but that number could be as high as $388 billion if the value of time and business opportunities lost is included. McAfee, the computer software and security company, gives an even higher number, saying $1 trillion is spent globally in remediation efforts.” – Gen. Keith Alexander, National Security Agency Director
Intellectual Property is contained in the plant design, operation, and product recipes.
Think About Your Critical Assets
A critical asset is the part of the system or infrastructure that is essential to the mission of the organization, plant, or facility.
– Manufacturing: intellectual property, trade secrets, customer data, controls & equipment
– DoD Industrial company: intellectual property, trade secrets, SCIFs
– Small business: client information, financial information, trade secrets & IP
Ask yourself: “What & where are my critical assets? How are IoT security issues jeopardizing those assets?”
CRIMINAL & NATION STATE ATTACKS
When the big bad wolf knocks on your door.
China: Overwhelming Evidence
“The sheer scale and duration of sustained attacks against such a wide set of industries from a singularly identified group based in China leaves little doubt about the organization behind APT1. …”
MANDIANT: APT1 Exposing One of China’s Cyber Espionage Units
“Our observations confirm that APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan”
Who Would Steal Intellectual Property?
Secret formula stolen on USB device
“Between 2008 and 2009, a chemist with Valspar Corporation named David Yen Lee used his access to an internal computer network to download 160 secret documents related to paints and coatings. Lee intended to bring this information to his new company with Nippon Paint in Shanghai, China.” (http://www.justice.gov/usao/iln/pr/chicago/2009/pr0626_01a.pdf)
Case Study – Night Dragon
Hackers Breach Tech Systems of Oil Companies
NY Times, 10 Feb 2011: At least five multinational oil and gas companies suffered computer network intrusions from a persistent group of computer hackers based in China, …. Computer security researchers at McAfee Inc. said the attacks, …, appeared to be aimed at corporate espionage.
Operating from what was a base apparently in Beijing, the intruders established control servers in the United States and the Netherlands to break into computers in Kazakhstan, Taiwan, Greece and the United States, according to a report, “Global Energy Cyber attacks: ‘Night Dragon.’ ” The focus of the intrusions was on oil and gas field production systems as well as financial documents related to field exploration and bidding for new oil and gas leases, according to the report.
Source: http://www.nytimes.com/2011/02/10/business/global/10hack.html
IoT: Nation States & Criminals Are Looking
ICS Honeypot experiment: Two dummy industrial control systems (ICS) and one real one exposed to the Internet.
• First attack in 18 hours.
• 12 unique attacks that could be classified as "targeted."
• 13 attacks repeated by the same actors.
• Attackers used automated tools that search out industrial.
• Hackers probed the site and manipulated devices if possible.
• Attacks included modifying settings to change water pressure and stop the flow on a water pump.
• Attacks used techniques specific to industrial control systems.
• Attacks involved sending emails to the administrator address.
www.waterworld.com/articles/iww/print/volume-13/issue-3/columns/industrial-control-systems-targeted-by-hackers.html?goback=.gde_1222087_member_251346148
Adventium Honeypot Experiment
The following is geek speak for “we set up a phony target”:
• ssh server set up and listening on port 22
Nov 1 16:52:49 adv-test sshd[3957]: Server listening on :: port 22.
Nov 1 16:52:49 adv-test sshd[3946]: Starting SSH daemon..done
• First brute force attack attempt
Nov 1 21:34:02 adv-test sshd[6711]: Invalid user oracle from 111.74.82.33
Nov 1 21:34:04 adv-test sshd[6715]: Invalid user test from 111.74.82.33
Nov 1 21:36:10 adv-test sshd[6897]: Invalid user oracle from 111.74.82.33
Nov 1 21:36:12 adv-test sshd[6901]: Invalid user oracle from 111.74.82.33
111.74.82.33 is... China!
• Number of unique IPs engaged in brute force ssh attacks against the honeypot:
18 GeoIP Country CN, China
6 GeoIP Country HK, Hong Kong
1754 GeoIP Country US, United States
The first attack was from China in less than 5 hours. 5,000 attacks in 10 days from 18 nations.
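The honeypot summary above (time from "Server listening" to the first "Invalid user" line, unique sources, per-country counts, repeat offenders) is exactly what a small log parser can produce on its own. The block below is an added example, not code from the presentation or from Adventium Labs; the log lines are constructed to mirror the slide's format (the two extra source addresses are documentation-range placeholders) and GEOIP_STUB is a hypothetical stand-in for a real GeoIP lookup.

```python
"""Summarize brute-force SSH activity from OpenSSH auth-log lines (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog format reproduced on the slide.
SAMPLE_LOG = """\
Nov 1 16:52:49 adv-test sshd[3957]: Server listening on :: port 22.
Nov 1 16:52:49 adv-test sshd[3946]: Starting SSH daemon..done
Nov 1 21:34:02 adv-test sshd[6711]: Invalid user oracle from 111.74.82.33
Nov 1 21:34:04 adv-test sshd[6715]: Invalid user test from 111.74.82.33
Nov 1 21:36:10 adv-test sshd[6897]: Invalid user oracle from 111.74.82.33
Nov 1 21:36:12 adv-test sshd[6901]: Invalid user oracle from 111.74.82.33
Nov 2 03:12:40 adv-test sshd[7102]: Invalid user admin from 203.0.113.9
Nov 2 03:12:41 adv-test sshd[7104]: Invalid user root from 198.51.100.7
"""

# Hypothetical GeoIP table standing in for a real database lookup.
GEOIP_STUB = {"111.74.82.33": "CN", "203.0.113.9": "US", "198.51.100.7": "HK"}

LOG_YEAR = 2013  # syslog lines carry no year; assumed only so timestamps sort

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_line(line):
    """Split one sshd syslog line into timestamp, host, pid and message; None if not sshd."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    stamp = f"{LOG_YEAR} {m['mon']} {int(m['day'])} {m['clock']}"
    return {
        "time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "pid": int(m["pid"]),
        "msg": m["msg"],
    }


def invalid_user_events(log_text):
    """Return the failed-login events (time, attempted user, source ip)."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        im = INVALID_RE.match(rec["msg"])
        if im:
            events.append({"time": rec["time"], "user": im["user"], "ip": im["ip"]})
    return events


def listening_time(log_text):
    """Timestamp at which sshd reported it was listening (exposure start)."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"].startswith("Server listening on"):
            return rec["time"]
    return None


def brute_force_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any `window`-long span."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev["time"])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: compare each failure with the one `threshold-1` later.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return sorted(flagged)


def summarize(log_text, geoip=GEOIP_STUB):
    """Produce the figures the slide reports: attempts, sources, time to first hit."""
    events = invalid_user_events(log_text)
    start = listening_time(log_text)
    first = min((e["time"] for e in events), default=None)
    unique_ips = {e["ip"] for e in events}
    hours = (first - start).total_seconds() / 3600 if start and first else None
    return {
        "attempts": len(events),
        "unique_sources": len(unique_ips),
        "hours_to_first_attempt": hours,
        "by_country": Counter(geoip.get(ip, "??") for ip in unique_ips),
        "usernames": Counter(e["user"] for e in events),
        "brute_force_sources": brute_force_sources(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the first failed login lands 4.69 hours after sshd started listening, matching the "less than 5 hours" on the slide, and only the address with four rapid failures is flagged as brute force.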
Capabilities of Criminal & Nation State
Anatomy of Criminal/Nation State Attack
1. Establish an attack infrastructure (tools, methods, techniques)
2. Conduct recon on target
3. Draft a spear-phishing email
4. Compromise the end-point
5. Obtain valid credentials
6. Map out victim's network
7. Set up hidden directory for data capture
8. Compress / encrypt data for transfer
Source: FBI Section Chief Peter Trahon, Cyber National Security Section, 13 March 2012, MN InfraGard meeting on Electronic Espionage
“Most of the victims were notified by the USG / FBI” Peter Trahon
“External agents have created economies of scale by refining standardized, automated, and highly repeatable attacks directed at smaller, vulnerable, and largely homogenous targets.” (Verizon)
Four APT Examples
• Stuxnet – Identified June 2010
– Believed built on the Flame platform
– Infects by USB drives
• Duqu – Identified September 2011
– Designed to capture key strokes and system information
• Flame – Identified May 2012
– Believed the original malware dates to 2006
– “Scout” for Stuxnet
– Largest malware program ever seen (20 MB)
• Red October – Discovered October 2012
– Advanced cyber espionage targeted diplomatic, governmental and scientific research organizations worldwide
– Operated 6+ years
– Auto shut-down after discovery
Repurposing of APT Cyber Attacks
BAI – “Howard, please comment on the repurposing of Duqu, Flame, and Stuxnet by criminal organizations”
HS – “Yes, you are correct. We are seeing a massive reuse of the components of these sophisticated attacks. Once the malware was discovered and dissected, the reuse started in a matter of weeks.” Howard Schmidt, former Special Assistant to the President and Cyber Security Coordinator, Cyber Security Summit, Oct. 9th 2012
MOBILE DEVICES IN THE WORK ENVIRONMENT
I have a great idea, let's write an app to access the IoT devices on the plant floor. Cool idea!
Top Mobile Device Issues
Mobile devices:
– Are promiscuous if configured incorrectly
– Easily cross boundaries
• Wi-Fi, cell, text, internal networks, web, social media,
and physically go everywhere
– Are being used for business
• Email, presentations, contracts, banking ….
– Are the big target for new malware
• Root exploit attacks
• Attack of the zombies
• Bogus anti-virus apps
• Data leakage
Mobile devices invade corporate America
The impact of mobile devices on Information Security: A Survey of IT Professionals
Android – 80% of Mobile Malware
Chinese CERT Reports Increases in Mobile Malware - 80% on Android (July 4, 2013)
According to data from CNCERT/CC, China experienced a 25-fold increase in detected mobile malware samples between 2011 and 2012. More than 80 percent of the malware samples targeted Android devices. … in 2012, 73,000 Trojan and botnet command-and-control servers hijacked 14.2 million host machines in that country. http://www.computerworld.com/s/article/9240574/China_sees_increase_in_Trojan_and_botnet_attacks_from_other_countries?taxonomyId=17
http://www.zdnet.com/cn/mobile-malware-rises-more-than-25-times-in-china-7000017678/s
http://www.pcworld.com/article/2043663/china-sees-increase-in-trojan-and-botnet-attacks-from-other-countries.html
[Editor's Note (Skoudis): Wow! Predicted for years, the age of mobile malware is finally upon us as the bad guys have perfected reliable ways to make good money by attacking mobile devices. …]
Android Flaw Bypasses Safeguards
Critical Android Flaw Lets Attackers Insert Code Into Signed Apps (July 2, 3 & 4, 2013)
A critical vulnerability that affects every version of the Android operating system since 2009 can be exploited to allow attackers complete access to Android devices. Hackers could steal data from the phones, use them to send spam, or eavesdrop on communications. The flaw …allows malicious code to evade the operating system's mechanism that checks cryptographic signatures to make sure they are trusted.
http://www.h-online.com/security/news/item/Android-s-code-signing-can-be-bypassed-1911409.html
http://www.bbc.co.uk/news/technology-23179522
http://arstechnica.com/security/2013/07/android-flaw-allows-hackers-to-surreptitiously-modify-apps/
Galaxy Knox is Vulnerable
Researchers report security flaw in Samsung's Galaxy S4 - December 24, 2013
An Israeli security team says a vulnerability in Samsung's Knox security platform enables malicious software to track e-mails and record data communications.
http://www.cnet.com/news/researchers-report-security-flaw-in-samsungs-galaxy-s4/
iPhone Users: Don’t be too Smug
iPhones are great tools for business, but don’t let down your defenses!
– 45 security flaws uncovered in just September 2014
– 7 of the 45 are critical security flaws http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-15556/Apple-Iphone-Os.html
Mobile Devices & Cloud
iCloud Data Breach: Hacking & Celebrity Photos
• Defective access/authentication control mechanism
– Script queries iCloud services via the “Find My iPhone” API to guess username and password combinations. No limit on the number of queries.
• Smart phone has automatic backup to iCloud
– Pictures, email, data, everything http://www.forbes.com/sites/davelewis/2014/09/02/icloud-data-breach-hacking-and-nude-celebrity-photos/
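The iCloud failure above is a credential-check endpoint with no limit on the number of queries, which turns it into a password oracle. The block below is an added example, not Apple's code or anything from the presentation: a toy credential store and a throttle with constructed limits, showing the unlimited check beside a version that budgets failures per account and per source and locks out when the budget is spent.

```python
"""Unthrottled vs. throttled credential checks (added example, constructed values)."""
from collections import defaultdict, deque

# Constructed credential store: account -> password. Real systems store
# salted hashes; a plain dict keeps the example focused on the throttle.
CREDENTIALS = {"alice@example.com": "correct horse battery staple"}


def verify_unthrottled(account, password):
    """The weak design: every call answers immediately and nothing is counted,
    so a script can make an unlimited number of guesses against one account."""
    return CREDENTIALS.get(account) == password


class LoginThrottle:
    """Sliding-window failure budget plus lockout, keyed by any string
    (here 'acct:<account>' and 'src:<ip>'). All limits are hypothetical."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, key, now):
        """True if the key is neither locked out nor over its failure budget."""
        if self._locked_until.get(key, 0) > now:
            return False
        self._prune(key, now)
        return len(self._failures[key]) < self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def verify_throttled(throttle, account, source_ip, password, now):
    """Hardened design: a budget per account AND per source, and a locked-out
    request is refused with the same answer as a wrong password, so the
    endpoint does not reveal which of the two happened."""
    keys = (f"acct:{account}", f"src:{source_ip}")
    if not all(throttle.allowed(k, now) for k in keys):
        return False
    ok = CREDENTIALS.get(account) == password
    for k in keys:
        if ok:
            throttle.record_success(k)
        else:
            throttle.record_failure(k, now)
    return ok
```

The `now` parameter is injected rather than read from the clock so the lockout and window behaviour can be exercised deterministically.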
© 2014 Adventium Labs 28
What if the data on the iCloud was private client email that you had on your smart phone?
IOT VULNERABILITIES ARE WELL KNOWN
After 20 years in the security game: Everything old is new again.
DHS Current ICS Vulnerabilities 2009 - 2010
“Current vulnerabilities in ICS product assessments continue to be improper input validation by ICS code. Through bad coding practices and improper input validation, access can be granted to an attacker allowing them to have unintended functionality or privilege escalation on the systems”
DHS, Common Cybersecurity Vulnerabilities in Industrial Control Systems, May 2011, Figure 3.
Security Issues Are Well Known
Digital Bond’s Basecamp study
– “The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of industry inaction on improving controllers and industrial protocols will end”
Basecamp Testing: “it was a bloodbath”. As everyone expected, the PLCs crashed, had typical vulnerabilities such as overflows and XSS, and had product features that could be used against the device.
http://www.digitalbond.com/tools/basecamp/
IoT: Can’t We Just Hide?
Scariest Search Engine on the Internet Just Got Scarier
• Project SHINE (SHodan INtelligence Extraction) from Bob Radvanovsky and Jake Brodsky of Infracritical. Its purpose is to use Shodan to locate SCADA devices connected to the internet.
• "The average number of new SCADA/ICS devices found every day is between 2000 and 8000. So far we have collected over 1,000,000 unique IP addresses that appear to belong to either SCADA and control systems devices or related software products."
http://www.infosecurity-magazine.com/news/scariest-search-engine-on-the-internet-just-got/
Security by obscurity is not an option if you are exposed to the internet.
SHODAN – Computer Search Engine: Search for computers based on software, geography, operating system, IP address and more. www.shodanhq.com/
IoT: Can’t We Just Hide? Part 2
What Happened When One Man Pinged the Whole Internet
• … sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world... Moore received replies from 310 million IPs indicating that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them.
• HD Moore published results on a particularly troubling segment of those vulnerable devices: ones that appear to be used for business and industrial systems. Over 114,000 of those control connections were logged as being on the Internet with known security flaws. Many could be accessed using default passwords and 13,000 offered direct access through a command prompt without a password at all
http://www.technologyreview.com/news/514066/what-happened-when-one-man-pinged-the-whole-internet/
Security by obscurity is not an option if you are exposed to the internet.
IoT: Can’t We Just Hide? Part 3
Hackers gain 'full control' of critical SCADA systems
• Over 60,000 exposed control systems found online. Russian researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems.
• "We don’t have big experience in nuclear industry, but for energy, oil and gas, chemical and transportation sectors during our assessments project we demonstrated to owners how to get full control [of] industrial infrastructure with all the attendant risks," Gordeychik told SC Magazine….
– … allowed attackers to gain full access to Programmable Logic Controllers (PLCs) using attacks described as dangerous and easy to launch.
http://www.itnews.com.au/News/369200,hackers-gain-full-control-of-critical-scada-systems.aspx
EXAMPLE IOT VULNERABILITIES & EXPLOITS
Malware that might be in your future.
Your Router is Out to Get You
LAS VEGAS: Black Hat information security conference In-Q-Tel Chief Information Security Officer Dan Geer expressed concern about the growing threat of botnets powered by home and small office routers.
…inexpensive routers were an example of the security risk of the "Internet of Things," because of their use of long-lived embedded software with no automatic way for vendors to distribute patches. http://arstechnica.com/security/2014/08/security-expert-calls-home-routers-a-clear-and-present-danger/
Edge devices are the last to be patched, if patched at all.
Malware Actions
2013 Verizon Breach Investigation Report
Malware is focused on financial gain and espionage to gather intellectual property.
Crypto weakness in smart LED light bulbs exposes Wi-Fi passwords
• The attack works against LIFX smart light bulbs, which can be turned on and off and adjusted using iOS- and Android-based devices.
• LIFX has updated the firmware … after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. … the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.
Product developers often lack a background in securing systems.
http://arstechnica.com/security/2014/07/crypto-weakness-in-smart-led-lightbulbs-exposes-wi-fi-passwords/
IoT: Security Cameras
“Yesterday I stumbled onto a site indexing 73,011 locations with unsecured security cameras in 256 countries …unsecured as in “secured” with default usernames and passwords. The site, with an IP address from Russia,…” (Network World)
http://www.networkworld.com/article/2844283/microsoft-subnet/peeping-into-73-000-unsecured-security-cameras-thanks-to-default-passwords.html
IoT products are often sold in an unsecured default mode.
IoT: Now where did I leave those keys?
“On Christmas Eve not long ago, a call was made from a prison warden: all of the cells on death row popped open. Not sure how or if it could happen again, the prison warden requested security experts to investigate. Many prisons and jails use SCADA systems with PLCs to open and close doors. As a result of Stuxnet academic research, we have discovered significant vulnerabilities in PLCs used in correctional facilities by being able to remotely flip the switches to “open” or “locked closed” on cell doors and gates. ……..”
SCADA & IoT is everywhere, including your local jail.
SCADA & PLC VULNERABILITIES IN CORRECTIONAL FACILITIES White Paper, Newman, Rad, LLC, Strauchs, LLC, 7/30/2011
SCADA Vulnerabilities
“In general, ICS vulnerabilities continue to make news. On Thanksgiving Day in the US, Aaron Portnoy, the VP of research at Exodus Intelligence, was able to uncover no fewer than 23 vulnerabilities in SCADA systems in just a few hours. The first exploitable zero-day took a mere seven minutes to discover. “I had a morning’s worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many SCADA 0day vulnerabilities as possible,” he explained. “For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison.” http://www.infosecurity-magazine.com/view/31203/another-honeywell-ics-vulnerability-rears-its-head-in-building-control/?goback=.gde_1222087_member_222594055
The above story sums up my observations over 25 years.
IoT: What Else Can They Do?
"Stuxnet is a new class and dimension of malware. Not only for its complexity and sophistication (e.g. by the combination of exploiting four different vulnerabilities in Windows, and by using two stolen certificates) and from there attacking complex Siemens SCADA systems. The attackers have invested a substantial amount of time and money to build such a complex attack tool." Dr Udo Helmbrecht, executive director of ENISA
Stuxnet removed all remaining doubt about the ability of a cyber attack to cause physical damage.
The Stuxnet Worm, Paul Mueller and Babaki Yadegar www.cs.arizona.edu/~collberg/.../report.pdf
THE COST OF A DATA BREACH
If you have to ask, you can’t afford it.
The Headlines
Target Puts Data Breach Costs at $148 Million
The New York Times, Aug 5, 2014 - Target, still feeling the pain from a huge data breach last year, said in a security filing on Tuesday that costs associated with the episode ...
Home Depot data breach was bigger than Target's
Christian Science Monitor: Target's breach compromised 40 million credit and debit cards. ... Still, the breach's ultimate cost to the company remains unknown.
You are probably thinking you are safe because you are a small business. You would be wrong.
Small Biz, Big Target, Big Impact
According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Roughly 60% of small businesses close within six months of a cyber attack.
http://www.forbes.com/sites/forbesleadershipforum/2013/05/13/your-business-is-never-too-small-for-a-cyber-attack-heres-how-to-protect-yourself/
Why Attack Small Businesses?
According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year. And of those, some 60 percent go out of business within six months after an attack.
• Smaller companies don’t fight back like bigger companies.
• “Small businesses typically lack the monitoring, forensics, logs, audits, reviews, penetration testing, and other security defenses and warning systems that would alert them to a breach.”
• Often, a breach against a small fry can yield useful data for attackers seeking to target bigger fish. … valuable spoils—ranging from employee data and cloud logins to customer data and banking credentials—from the smaller players along the way.
http://www.pcworld.com/article/2046300/hackers-put-a-bulls-eye-on-small-business.html
If your security negligence leads to a breach at a major corporation, what do you suppose is going to happen next?
What do the Bad Guys Like? Your Creds
Billions of Digital Credentials Stolen (August 2014)
A group of Russian thieves has collected a stash of Internet account credentials: 1.2 billion user name and password combinations and 500 million email addresses. The data were taken from more than 420,000 websites.
http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/
http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?
Cost of Data Breach Study: Global Study
• Ponemon Institute data set
– 314 companies representing 10 countries
– Data breach ranging from 2,415 to 100,000 compromised records.
• Findings for US Data Breach:
– $5.85 million - Average total cost of a US data breach.
– $195 - Average cost paid for each US record containing sensitive and confidential information.
– You are more likely to have a breach of 10,000 or fewer records than a mega breach of 100,000 records.
– The most costly data breaches were malicious and criminal attacks.
2014 Cost of Data Breach Study, Ponemon Institute LLC
Calculating the Cost of Data Breach
Estimate includes direct and indirect expenses incurred by the organization.
– Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services.
– Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished customer acquisition rates.
Source: Ponemon Institute 2014 Research Report
Industrial Sector is 6th Most Costly
[Chart: data breach cost by industry sector, 16 sectors in total; source: Ponemon Institute 2014 Research Report]
Data Breaches Cause Lost Business
[Chart: lost business due to breach by sector, 16 sectors in total; US avg. lost business due to breach = $3.3M; source: Ponemon Institute 2014 Research Report]
HOW NOT TO SECURE YOUR COMPANY
The wrong ways to secure IoT are also well known.
In the words of the great philosopher Homer (Simpson): “DUH?”
IoT: The Need for Software Updates
“The Shamoon attack was a wake up call for the oil and gas industry on several fronts; not only did it manage to destroy data from over 30,000 computers at the world's largest oil producer, Saudi Aramco, but according to experts the virus could have been designed by a second year computer science student.”
“The low sophistication of the Shamoon virus software is not only worrying because it would be very easy to copy, but it also highlighted huge vulnerabilities and gaps in not just the energy sector, but the entire critical infrastructure space.” Oil & Gas Industry News 6/2013
Brian’s hint: Shamoon attacks computers running MS NT operating systems.
How Not to Secure Your Company
Home Depot Ignored Security Concerns
Former Home Depot employees say that management ignored warnings from the company's computer security team that its systems were vulnerable to attack. Some team members even quit in frustration over the company's slow response to warnings of serious problems. The company was using outdated antivirus software and did not regularly scan critical systems. An engineer hired to work on the security team is now in prison for sabotaging his previous employer's network.
http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html http://www.theregister.co.uk/2014/09/22/home_depot_ignored_staff_warnings_of_security_fail_laundry_list/ http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/
Home Depot: Not so Unique PoS Attack
Home Depot Breach Affected 56 Million Cards
Home Depot acknowledged that the breach of its point-of-sale systems affected an estimated 56 million payment cards. In a press release, the company said that the attackers used "unique, custom-built malware." Additional information about the data breach at Home Depot suggests that it affects mainly cards used in self-checkout lanes.
[Editor's Note (Pescatore): Lesson learned in these recent PoS attacks is why in the world aren't you using white listing on the PCs attached to payment devices? There is absolutely no business need to allow arbitrary software to run on tills/registers.] SANS NewsBites, September 18, 2014
http://krebsonsecurity.com/2014/09/in-home-depot-breach-investigation-focuses-on-self-checkout-lanes/
http://www.scmagazine.com/home-depot-breach-risks-56m-payment-cards-unique-malware-used/article/372426/
77% of Agencies Run Unsupported Java
Only a handful of U.S. government computers are using the latest version of Java while more than three quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010, according to an analysis by the Web security company Websense.
There are 52 update versions of Java in use, but as of this month, Oracle will update only versions of Java 7. That leaves a lot of unsupported versions on government and other computers.
JAVA ON THE .GOV DOMAIN
• 6.38 percent using latest update of Java 7.
• 23 percent using some version of Java 7.
• 77 percent using unsupported versions of Java 6 or earlier.
JAVA GLOBALLY
• 5.17 percent using latest update of Java 7.
• 21 percent using some version of Java 7.
• 79 percent using unsupported versions of Java 6 or earlier.
Source: Websense and Oracle. http://gcn.com/articles/2013/03/27/java-vulnerabilities-goverment-unspported-versions.aspx?admgarea=TC_SecCybersSec
IoT: Can’t We Just Transfer the Liability?
Lloyd's of London Declines Infosec Cover For Energy Companies
"In the last year or so we have seen a huge increase in demand from energy and utility companies," Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London, told the BBC. "They are all worried about their reliance on computer systems and how they can offset that with insurance."
http://www.infosecurity-magazine.com/news/lloyds-of-london-declines-infosec-cover-for/
The insurance companies know who is being naughty and nice.
IoT: HVAC Systems in Buildings
Google’s Building Management System Hack Highlights SCADA Security Challenges
• …. recent disclosure of a vulnerability in Google's building management system (BMS) has served as another example of a real-life security gap that may be a bigger concern than some organizations realize.
• "It seems that there has been a dramatic uptick against SCADA systems," says Billy Rios, technical director and director of consulting at Cylance. "It's difficult to pinpoint exactly why, but I'm guessing that the ability to easily discover these devices on the Internet plays a larger part here."
• .. they discovered Google was using an unpatched version of Tridium Niagara AX, a software platform that integrates different systems and devices for management at its Google Wharf 7 building in Australia.
http://www.darkreading.com/vulnerabilities---threats/google-building-management-system-hack-highlights-scada-security-challenges/d/d-id/1139722?
Brian’s experience:
• All modern HVAC controls are IP addressable.
• The building’s HVAC control system will eventually be connected to the enterprise network.
• HVAC controls are the last to be patched.
• HVAC system integrators are not “cyber people”.
DON’T PANIC
The answer to “Internet of Things:
Manufacturing Panacea or Hacker’s
Dream?” is: YES
Ok: What Do We Know About IoT Security?
We have established that:
– You can’t hide from the problem.
– Old and new devices have vulnerabilities.
– The vulnerabilities are well known.
– The bad actors are exploiting the vulnerabilities
for financial gain and espionage.
– Security has the “weakest link in chain”
problem.
– Even well run companies can/will be breached.
Technology is Not the Problem
LOGIIC 2007
Standard IT Defenses
• Network Segment Firewalls
• Host Firewalls
• Network Intrusion Detection Systems (IDS)
• Network Devices (switches, routers, wireless devices)
Control System Event Sources
• Standard IT network IDS using signatures for a control system protocol (Modbus)
• Alarms from SCADA and DCS systems
• Alarms from a flow computer
http://www.logiic.org
LOGIIC and other programs showed that state-of-the-art (SOA) IT technology can detect and deter attacks on ICS/SCADA systems.
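The LOGIIC event source above, a standard IT network IDS carrying signatures for Modbus, is easiest to see as a small rule set. The following is an added example, not LOGIIC's or Adventium's code: a minimal Modbus/TCP frame parser (the 7-byte MBAP header followed by the PDU, per the Modbus/TCP specification) and three detections a practitioner would start with, run over constructed sample frames. The IP addresses, the allow-list of hosts permitted to write, and the sample traffic are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change process state or device behaviour.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Function codes commonly used to fingerprint or disturb a device.
DIAG_FUNCTIONS = {8: "Diagnostics", 43: "Read Device Identification"}
# Hosts allowed to issue writes (assumed engineering workstation addresses).
AUTHORIZED_WRITERS = {"10.1.1.10"}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    unit_id: int
    function: int
    data: bytes


def parse_mbap(payload: bytes) -> Optional[ModbusFrame]:
    """Parse a Modbus/TCP ADU (7-byte MBAP header + PDU); None if malformed."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    # The MBAP length field counts the unit id plus the PDU, so it must equal
    # everything after the first six bytes; a mismatch means truncation or junk.
    if length != len(payload) - 6:
        return None
    return ModbusFrame(tid, pid, uid, fc, payload[8:])


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a well-formed Modbus/TCP frame (used here to construct samples)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def inspect(src_ip: str, dst_ip: str, payload: bytes) -> List[str]:
    """Apply the signature set to one frame and return zero or more alerts."""
    frame = parse_mbap(payload)
    if frame is None:
        return [f"MALFORMED Modbus frame from {src_ip} to {dst_ip}"]
    alerts: List[str] = []
    if frame.protocol_id != 0:
        alerts.append(f"NON-MODBUS protocol id {frame.protocol_id} on port 502 from {src_ip}")
    if frame.function in WRITE_FUNCTIONS and src_ip not in AUTHORIZED_WRITERS:
        alerts.append(f"UNAUTHORIZED WRITE {WRITE_FUNCTIONS[frame.function]} "
                      f"(fc={frame.function}) from {src_ip} to {dst_ip} unit {frame.unit_id}")
    if frame.function in DIAG_FUNCTIONS:
        alerts.append(f"RECON {DIAG_FUNCTIONS[frame.function]} from {src_ip} to {dst_ip}")
    if frame.function & 0x80:
        # Exception response: the device refused a request; worth correlating
        # with the request that triggered it.
        alerts.append(f"EXCEPTION response to fc={frame.function & 0x7F} "
                      f"code={frame.data[:1].hex()} from {src_ip} to {dst_ip}")
    return alerts


def scan(traffic: List[Tuple[str, str, bytes]]) -> List[str]:
    return [alert for src, dst, payload in traffic for alert in inspect(src, dst, payload)]


# Constructed sample traffic: (src, dst, Modbus/TCP payload). 10.1.2.50 is the PLC.
SAMPLE_TRAFFIC = [
    # HMI polling ten holding registers: normal.
    ("10.1.1.10", "10.1.2.50", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writing a setpoint: permitted by the allow-list.
    ("10.1.1.10", "10.1.2.50", build_frame(2, 1, 6, struct.pack(">HH", 5, 1500))),
    # Unknown host on the business LAN writing two registers: alert.
    ("10.1.3.77", "10.1.2.50", build_frame(3, 1, 16, struct.pack(">HHBHH", 0, 2, 4, 100, 200))),
    # Same host reading device identification: reconnaissance.
    ("10.1.3.77", "10.1.2.50", build_frame(4, 1, 43, bytes([0x0E, 0x01, 0x00]))),
    # Truncated frame: the length field claims 9 bytes but only 2 follow it.
    ("10.1.3.77", "10.1.2.50", b"\x00\x05\x00\x00\x00\x09\x01\x05"),
    # PLC rejecting the write with exception code 01 (illegal function).
    ("10.1.2.50", "10.1.3.77", build_frame(3, 1, 0x90, bytes([0x01]))),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

The allow-list is the part that makes this a control-system signature rather than a generic one: on a plant network the set of hosts that may write to a PLC is small and known, so any write from outside it is a high-confidence alert, and a device-identification query from the same unexpected host is the discovery step that precedes it.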
The Security Path Forward
是故勝兵先勝而後求戰,敗兵先戰而後求勝。
Victorious warriors win first and then go
to war, while defeated warriors go to war
first and then seek to win.
http://en.wikiquote.org/wiki/Sun_Tzu
Know What’s Important to Your Business
You may not be a cyber expert, but you do know
your business.
1. What are your critical assets?
• Where are they located?
• Who needs access? Are they security savvy?
• What impact if compromised or lost?
• Consider the full life-cycle of the critical asset.
2. Who do you consider the threat?
• What are their motives and capabilities?
3. Who has responsibility for your business’ security?
4. Periodically review these steps.
Security is a process that leads to action. Security should not be a reaction to bad things happening.
Build Your Security Organization
• Follow well established standards & best practices for your domain.
– NIST security standard (start with 800-30)
– ISA 99/IEC 62443
• Example best practice: Eric Byres, “7 Steps to ICS & SCADA Security”
1. Assess Existing Systems
2. Document Policies & Procedures
3. Train Personnel & Contractors
4. Segment the Control System Network
5. Control the Access to the System
6. Harden the Components of the System
7. Monitor & Maintain System Security
No amount of technology will make up for a lack of policy, procedures, process, and training!
Brian’s Opinion: Key Security Policy
• Define clear roles & responsibilities for the security organization.
• Procurement:
  – Buy from vendors who “build security in” and deliver in “secure mode”.
  – Standard “security language” for RFPs and POs.
• Engineering:
  – Specify only products that are cyber tested and certified.
  – Network segmentation & controlled access.
• Adopt a “full life cycle view” of security.
  – Strict control and testing before integrating new technology.
  – Protect/harden your legacy systems.
• Mobile devices – what apps, who decides, who owns the device, walk-about.
Conversation With Process Control Industry Leader
• Never depend on the system integrator – or – end user to be
able to correctly configure for security.
• Design all products to be secure by design.
– Shipped with least privileges
– Minimum role-based access defined
• Separation of roles and duties
• Each component has at least two roles:
– Commissioning role
– User role
• Make security simple for everyone who touches the product.
• Easy to commission, Easy to update, Easy to maintain.
“Security must be in the DNA of all aspects of the company from R&D to procurement.”
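The two-role, ship-with-least-privilege posture described in the conversation above is easiest to check as code. The following is an added example, not the industry leader's or Adventium's, of how a device could enforce it: a per-unit commissioning secret instead of a shared default password, a default-deny permission table per role, and a hand-over step that retires the commissioning role once an operator account exists. The role names, action names, label-printed token, and hash parameters are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Role(Enum):
    COMMISSIONING = "commissioning"  # installer / integrator, valid only until hand-over
    USER = "user"                    # day-to-day operator


# Explicit allow-list per role; any action not listed is denied (least privilege).
PERMISSIONS: Dict[Role, Set[str]] = {
    Role.COMMISSIONING: {"read_status", "set_network", "create_user", "finalize"},
    Role.USER: {"read_status", "ack_alarm"},
}


def _digest(secret: str, salt: bytes) -> bytes:
    # Assumed parameters; a real product would take these from its crypto policy.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    role: Role
    salt: bytes
    digest: bytes


@dataclass
class Session:
    name: str
    role: Role


@dataclass
class Device:
    # Per-unit secret, assumed to be printed on the unit's label: no two devices
    # share it, so there is no fleet-wide default password to look up.
    commissioning_token: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    commissioned: bool = False
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit: List[Tuple[str, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        salt = os.urandom(16)
        self.accounts["commissioning"] = Account(
            Role.COMMISSIONING, salt, _digest(self.commissioning_token, salt))

    def login(self, name: str, secret: str) -> Optional[Session]:
        acct = self.accounts.get(name)
        if acct is None:
            return None
        if acct.role is Role.COMMISSIONING and self.commissioned:
            return None  # the installer's credential is dead after hand-over
        if not hmac.compare_digest(_digest(secret, acct.salt), acct.digest):
            return None
        return Session(name, acct.role)

    def authorize(self, session: Session, action: str) -> bool:
        allowed = action in PERMISSIONS.get(session.role, set())
        self.audit.append((session.name, action, "allow" if allowed else "deny"))
        return allowed

    def create_user(self, session: Session, name: str, password: str) -> bool:
        if not self.authorize(session, "create_user") or name in self.accounts:
            return False
        salt = os.urandom(16)
        self.accounts[name] = Account(Role.USER, salt, _digest(password, salt))
        return True

    def finalize(self, session: Session) -> bool:
        # Hand-over is refused until an operator account exists, so the unit can
        # never be left with the commissioning role as its only way in.
        if not self.authorize(session, "finalize"):
            return False
        if not any(a.role is Role.USER for a in self.accounts.values()):
            return False
        self.commissioned = True
        return True


def commission_walkthrough() -> Dict[str, object]:
    """Installer commissions a unit and hands it over; the operator then uses it."""
    dev = Device()
    installer = dev.login("commissioning", dev.commissioning_token)
    if installer is None:
        raise RuntimeError("commissioning login failed")
    out: Dict[str, object] = {}
    out["finalize_too_early"] = dev.finalize(installer)  # no operator account yet
    out["user_created"] = dev.create_user(installer, "operator", "correct horse battery")
    out["finalized"] = dev.finalize(installer)
    out["installer_after"] = dev.login("commissioning", dev.commissioning_token)
    operator = dev.login("operator", "correct horse battery")
    if operator is None:
        raise RuntimeError("operator login failed")
    out["operator_ack"] = dev.authorize(operator, "ack_alarm")
    out["operator_set_network"] = dev.authorize(operator, "set_network")
    out["denied_events"] = sum(1 for _, _, verdict in dev.audit if verdict == "deny")
    return out


if __name__ == "__main__":
    for key, value in commission_walkthrough().items():
        print(f"{key}: {value}")
```

Two design points carry the weight: the permission table is an allow-list, so a new action added to the firmware is denied to every role until someone deliberately grants it, and the audit list records denials as well as allows, which is what the monitoring step of the seven-step program needs from the device.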
SDLC: Security Considerations
CISSP: All-in-One Exam Guide (6th Edition) by Shon Harris, pg 1094
System Development Life Cycle:
– Initiation
– Acquisition / Development
– Implementation / Commissioning
– Operation / Maintenance
– Decommissioning / Disposal
System/Software Lifecycle Development Process
Software Lifecycle Standards, Tools & Resources (examples)
– ISA Secure
  • Software development lifecycle
  • System Security Assurance (SSA): http://www.isasecure.org/ISASecure-Program/SSA-Certification.aspx
– Building Security In Maturity Model: http://bsimm.com/
– Microsoft Security Development Lifecycle (SDL) – Process Guidance: http://msdn.microsoft.com/en-us/library/windows/desktop/84aed186-1d75-4366-8e61-8d258746bopq.aspx
– SAFECode organization – software security practices (www.safecode.org)
– Software Engineering Institute (ISO 12207, ISO 15288, DHS-CBK): http://www.sei.cmu.edu/solutions/softwaredev/
Do not re-invent this wheel.
System/Software Cyber Testing/Certification
Test and certify cyber readiness (examples)
– Wurldtech Achilles certification: http://www.wurldtech.com/product_services/
– ISA Secure – certification program for components and systems.
– Veracode – security verification of mobile, web, developed, purchased or outsourced software applications and third-party components. http://www.veracode.com/solutions
– Fortify On Demand: https://trial.hpfod.com/services-and-solutions
Conclusion – There is Hope
“The latest round of evidence leads us to the same conclusion as before: your security woes are not caused by the lack of something new. They almost surely have more to do with not using, under using, or misusing something old.” (Verizon DBIR)
This is not rocket science. However winning will require persistence, alertness, and agility.
Questions?