Slide 1
Industrial Control System Cybersecurity
SCADA Security Laboratory

Slide 2
Cyber Kill Chain
- Preparation (Reconnaissance, Weaponization)
- Intrusion / Initial Breach
- Active Attack (Payload Delivery / Taking Control)
- Actions on Objective
- Eliminate / Manipulate Evidence
Slide 3
Attack: Target stores (2013)
Objectives: Theft - stealing credit card numbers

What Happened?
- Attackers were able to gain remote access to Target's business network and steal millions of credit card numbers.
- $500M loss
- Attackers used stolen credentials to remotely enter through the HVAC system, then pivoted onto the business network and installed credit-card-stealing malware on the Point of Sale (PoS) systems.
- The malware installed by the attackers sent credit card numbers and other customer information back to the attackers.

Vulnerabilities Exploited
- Stolen credentials allowed remote access
- HVAC systems connected to the business network
- Improper user privileges and access controls

Resources Needed by Attacker
- Resources of a small group of individuals

What Could Have Made the Attack Unsuccessful?
- Isolating non-business systems, such as HVAC, from critical business systems
- Proper management of user privileges
- Using an intrusion detection system inside the business network
- Proper authentication
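The first two mitigations on the Target slide (isolate HVAC from business systems, and detect traffic that crosses that boundary) can be checked mechanically. The script below is an added example, not material from the presentation or from UAH: it assumes a hypothetical zone layout (HVAC, business, PoS, vendor VPN, with constructed addresses), a zone-to-zone allow list, and a few constructed flow records, and reports every flow the segmentation policy should have blocked. Run over real flow logs, the same check is the detection the slide asks for.

```python
"""Zone-to-zone segmentation check over flow records (added example).

Assumed setup (not from the slides): four network zones with constructed
address ranges, a policy listing which zone may talk to which, and a few
constructed flow records. Any flow not on the allow list is a violation,
so an HVAC host reaching the PoS network is flagged rather than permitted.
"""
from ipaddress import ip_address, ip_network

# Hypothetical zone layout; addresses are constructed for the example.
ZONES = {
    "hvac": ip_network("10.10.0.0/24"),
    "business": ip_network("10.20.0.0/24"),
    "pos": ip_network("10.30.0.0/24"),
    "vendor_vpn": ip_network("172.16.0.0/24"),
}

# Allowed (source zone, destination zone) pairs; everything else is denied.
ALLOWED = {
    ("vendor_vpn", "hvac"),     # the HVAC vendor may reach HVAC hosts only
    ("business", "business"),
    ("business", "pos"),        # management traffic into the PoS zone
    ("pos", "business"),
}


def zone_of(addr):
    """Map an IP address string to its zone name, or 'unknown'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def evaluate_flow(src, dst):
    """Return (allowed, src_zone, dst_zone) for one source/destination pair."""
    sz, dz = zone_of(src), zone_of(dst)
    return ((sz, dz) in ALLOWED, sz, dz)


def find_violations(flows):
    """Flows are (src_ip, dst_ip, dst_port) tuples; return the denied ones with their zone path."""
    out = []
    for src, dst, port in flows:
        ok, sz, dz = evaluate_flow(src, dst)
        if not ok:
            out.append({"src": src, "dst": dst, "port": port, "path": f"{sz}->{dz}"})
    return out


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    ("172.16.0.5", "10.10.0.7", 443),   # vendor VPN -> HVAC: allowed
    ("10.20.0.9", "10.30.0.4", 445),    # business -> PoS: allowed
    ("10.10.0.7", "10.30.0.4", 445),    # HVAC -> PoS: violation (the pivot path the slide describes)
    ("10.10.0.7", "10.20.0.9", 3389),   # HVAC -> business: violation
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print("DENY", v)
```

The allow list is deliberately written as explicit zone pairs rather than a deny list of known-bad paths: a new zone or a mislabelled host then fails closed, which is the property the HVAC-to-PoS pivot exploited the absence of.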
Slide 4
Attack: STUXNET - Iranian nuclear facility (2007)
Objectives: To cause physical damage to nuclear centrifuges in Iran

What Happened?
- The attacker created a very specific set of complex tools, going after one unique target.
- The attack harmlessly infected any computer connected to the Internet, then infected the victim computer via a USB "thumb drive".
- The attack covertly re-programmed the programmable logic controller (PLC) in the machine that controlled hundreds of centrifuges.
- The attack damaged or destroyed hundreds of centrifuges, causing a tremendous military/industrial setback for Iran.

Vulnerabilities Exploited
- Multiple "zero day" exploits of Windows
- Complex exploits of the PLC control software
- Human behavior - using a USB drive unsafely

Resources Needed by Attacker
- Top-tier nation-state level resources
- Detailed technical intelligence
- A great deal of patience and luck

What Could Have Made the Attack Unsuccessful?
- Rigorous patching of Windows and all application software
- Rigorously following cybersecurity best practices (e.g. how data is moved onto a mission-critical system, use of USB drives, etc.)
- Only allowing signed, authenticated code to execute
- Strict isolation of control/safety systems
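The Stuxnet slide's third mitigation, only allowing signed, authenticated code to execute, comes down to a load-time check on the controller: a logic image is accepted only if a tag computed with a key the engineering workstation controls verifies over the exact bytes being loaded. The code below is an added example, not part of the presentation and not how any particular PLC vendor implements it: it uses HMAC-SHA256 from the Python standard library as a stand-in for the asymmetric signature a real deployment would use, with a constructed key and constructed logic images, and shows the controller refusing an altered image that carries the original tag.

```python
"""Load-time authentication of PLC logic (added example).

Assumed setup (not from the slides): a controller that only accepts a logic
image when a keyed tag over the image verifies. HMAC-SHA256 from the standard
library stands in for the asymmetric signature a real deployment would use;
the shape of the check at load time is the same.
"""
import hashlib
import hmac

# Constructed key for the example. In practice the verification key lives in
# protected storage on the controller and the signing key stays offline.
ENGINEERING_KEY = b"example-engineering-key-not-for-production"


def sign_logic(image: bytes, key: bytes = ENGINEERING_KEY) -> bytes:
    """Tag produced on the (offline) engineering workstation over the full image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify_logic(image: bytes, tag: bytes, key: bytes = ENGINEERING_KEY) -> bool:
    """Recompute the tag and compare in constant time so the check leaks nothing about it."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def load_logic(image: bytes, tag: bytes) -> str:
    """Controller side: run only what verifies; otherwise refuse and keep the current logic."""
    if not verify_logic(image, tag):
        return "rejected: logic image failed authentication"
    return "loaded: " + hashlib.sha256(image).hexdigest()[:16]


# Constructed logic image (stand-in for a compiled ladder / structured-text program).
GENUINE = b"SET_SETPOINT pump_1 50\n"
GENUINE_TAG = sign_logic(GENUINE)

# An altered image presented with the genuine tag must be refused.
TAMPERED = b"SET_SETPOINT pump_1 90\n"

if __name__ == "__main__":
    print(load_logic(GENUINE, GENUINE_TAG))
    print(load_logic(TAMPERED, GENUINE_TAG))
```

The tag covers the whole image, so any change, including a single setpoint, invalidates it; and because the controller only ever compares tags, a compromised engineering host that lacks the key cannot produce logic the controller will run.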
Slide 5
Attack: Rye Brook Dam on Bowman Ave. in NY (2016)
Objectives: Disruption of civil infrastructure

What Happened?
- Seven Iranian men were indicted for performing a denial of service attack against several U.S. firms (including 46 of the nation's largest financial institutions) and critical infrastructure, including a tiny flood-control dam in rural New York.
- No physical damage because a system was disconnected for maintenance.
- Perhaps the hackers mistook the tiny dam for a much larger dam with a similar name.
- Perhaps this was practice for a larger scale attack on critical infrastructure.

Vulnerabilities Exploited
- Unauthorized remote access to the dam's SCADA control system.

Resources Needed by Attacker
- The resources of seven men

What Could Have Made the Attack Unsuccessful?
- Proper access controls on the cellular modem used to communicate with the dam.
- Proper authentication
Slide 6
Attack: Power grid in Ukraine (2015)
Objectives: Disruption of civil infrastructure with physical damage

What Happened?
- Attackers gained remote access to three Ukrainian regional electricity distributors, causing 225,000 customers to lose power.
- Well-coordinated attack on the power grid's control system.
- Utilities were forced to move to manual operation post attack.
- "First publicly acknowledged incidents to result in power outages." (NERC report)
- A similar attack in the U.S. would have had much more severe consequences.
- A user's mistake (clicking on a link) opened the door.

Vulnerabilities Exploited
- Initial access through spear phishing
- Installed malware via a vulnerability in MS Office
- Control systems accessible via the Internet

Resources Needed by Attacker
- Some "insider knowledge"
- Capability to reuse malware developed by others

What Could Have Made the Attack Unsuccessful?
- A malware detection system
- More careful management of user privileges
- Better access controls to mission-critical systems
- Multi-factor authentication
Slide 7
Attack: Denial of service attack on DynDNS.com (2016)
Objectives: Disruption of Internet services

What Happened?
- DynDNS.com is a company that provides DNS services, including monitoring, load balancing, geographic balancing, and security, to other Internet companies.
- On Oct 21, 2016, Dyn was the victim of a large-scale distributed denial of service (DDoS) attack which slowed user access to many Internet sites (Twitter, Netflix, LinkedIn, etc.).
- A very large botnet flooded Dyn with "noise", causing widespread disruption.

Vulnerabilities Exploited
- Default passwords

Resources Needed by Attacker
- Resources of a small group
- Ability to create and manage a large botnet
- Ability to hide using the "dark web" (TOR)

What Could Have Made the Attack Unsuccessful?
- Changing default passwords on Internet appliances
- Better capability to block "noise generators" (bots performing a distributed denial of service attack) closer to the source.
Slide 8
What is UAH doing?
- Modeling and simulation for cybersecurity
- Discover and analyze vulnerabilities
- Evaluate Security Controls
- OpenPLC: research beyond the black box
- Secure PLC: no more band-aids
- Intrusion detection and response
- Physical Test Beds
- Hardware-in-the-Loop Test Beds
- Virtual Test Beds
Slide 9
OpenPLC - An Open Source Industrial Controller
- Developed @ UAH
- Emulate devices, investigate security concepts
- http://www.openplcproject.com

Slide 10
Questions?
Slide 11
Contact Information
Name: Tommy Morris, Ph.D., Director
Email: tommy.morris@uah.edu
Phone: (256)824-6576
Address: 200 Sparkman Dr., Huntsville, AL 35805
Web: http://www.uah.edu/ccre