Agenda
Introduction
What is Critical Infrastructure
What are the Threat Vectors
How do we protect ourselves
Tools and Resources
CEO of M11, 26 years of network and information security
M.Sc. in Applied Mathematics / Electronics
Member of ITAC
CCDA, CSA, IT Security (CSE), (InfoSec)
CISSP
Fire Jumper and Black Hat participant
SCADA/ICS certified
Data Centre Security 3.0, ITIL, Six Sigma process, ITSM
IBM TOP GUN cyber security program certified
Certified in CVP and BVP
CEH
Certification in Aviation Cyber Security
Commercial Pilot
Who We Are: M11 has been in the cyber security business for 14 plus years
Our Team Includes
37 plus highly skilled cyber warfare experts
End-to-end cyber security expertise
Ethical hackers and cyber warriors who are part of the ELITE RED TEAM
Airline captains, doctors, and industry engineers with cyber security expertise
Research and development specific to customized tools and systems development
What We DO!
Information Assurance; Real-time Situational Awareness
Cyber Intelligence
Cyber Counterintelligence (CYBINT)
Human Intelligence (HUMINT)
Open Source Intelligence (OSINT)
Geospatial Intelligence (GEOINT)
Measurement & Signature Intelligence
Biometrics, Forensics
Digital & Financial Forensics
Physical Security Systems, SAMC Support
Secure Network Operations (SOC/NOC/SNOC/MSSP)
Incident Preparedness, Response and Forensics
Global Cyber Threat Intel Services
Asymmetric Warfare
Table Top Exercise
War Gaming
SCADA/ ICS Industrial Systems verification and testing
Who we work with…
Law Enforcement: TPS, OPP, RCMP, Arlington, Washington DC
Aviation: Sunwing, Air Canada, WestJet, GTAA
Power/Distribution: Hydro One, McCains
Healthcare: LHSC, OTMH, Milton Hospital, DI Clinics, QCH
Cyber Attack
Chemical / Biological Attack
Nuclear Attack
Conventional warfare
Global Threat Priority
Everything we do today has something to do with Cyber or is attached to the Cyber world
Critical infrastructure is pervasive and impacts everyone
The electrical grid is the backbone of our modern society and impacts everything else
Everything is attached to Cyber / the Internet
In the middle of May-June your electrical grid gets compromised
No electricity for days/weeks
No water
No medical facilities functioning
According to a study, if you shut down a power grid for a long period of time, which includes the water supply… there will be significant loss of lives
This can easily be accomplished by malware
Let's review a real life scenario
In the midst of a deployment in an armored vehicle, a soldier saw a USB port and wanted to listen to music and a video…
That USB contained malware…
That malware shut down the entire global fire tactical system, which is connected via a global network
Another Example
A little History
2003, US North East blacked out for two days causing 11 dead and 6B in damage
2007, Estonia's infrastructure crashed for multiple days
2010, Stuxnet (yes, 2010. That long ago)
2012, Saudi Aramco, one of the world's largest oil companies. In a matter of hours, 35,000 computers were partially wiped or totally destroyed. Saudi Aramco's ability to supply 10% of the world's oil was suddenly at risk.
2013, Rye Brook Dam in New York was compromised
Dec 2015, there was a massive power attack in Ukraine that took out power for 230,000 to 700,000 for hours.
Dec 2016, Pivnichna (Kiev) substation was taken out for an hour.
2017, Kaspersky released their findings that "About 20,000 different malware samples were revealed in industrial automation systems belonging to over 2,000 different malware families."(4)
Cellphone in a water SCADA attack
Infected email phishing on a nuclear power plant
Distributed Denial of Service Attacks (DDoS)
The tools for these attacks via the internet already exist
Organized Cyber Crime
People will always be the weakest link
Methods of Compromise… Vectors:
The Director of the NSA and US Cyber Command says, "It is only a matter of the when, not the if, that we are going to see something traumatic"
May 2016, G7 Energy Ministers released a statement that resilient energy systems were critical.
May 2016, 42% of power and utilities companies say it's unlikely they would be able to detect a sophisticated attack.
So what's the word…
It's not a question of 'if', it's 'when'. If you know that you are going to be breached, would you do it differently?
Malware will get into your environment
95% of large companies targeted by malicious traffic
60% of data stolen in hours
65% of organizations say attacks evaded existing preventative security tools
$5.9M average cost of a breach in the United States
Once it's inside, organizations will struggle to deal with it
15% of organizations take 2+ years to discover a breach
55% of organizations unable to determine the cause of a breach
45 days average time to resolve a cyber-attack
54% of breaches remain undiscovered for months
Dynamic Threat Landscape
It is a community that hides in plain sight, avoids detection, and attacks swiftly
60% of data is stolen in hours
54% of breaches remain undiscovered for months
100% of companies connect to domains that host malicious files or services
As an example: the Aviation Industry
The latest generation aircraft face a growing cyber threat, as they are increasingly connected to data networks and the internet
This emerging threat has no developed standards for risk of airborne IT systems
Threat Landscape
The scenario from the film Die Hard 2, where an aircraft was programmed to fly 200 meters higher than it really is… "is no longer a fiction, it's a reality" says IATA in 2012
"Very concerned about threats to flying software and aircraft are now in need of cyber protection" - major aircraft manufacturer rep
Threat Landscape
The researcher demonstrated that it is possible to hack the on-board components by eavesdropping on the system's communications over its 1 Mbps link and injecting specially crafted data.
"You can use this system to modify approximately everything related to the navigation of the plane," explained Teso.
Threat Vectors
Flight Deck: Electronic Flight Bag
Avionics Data: Satcom, ACARS and avionics
Open Networking: Avionics interfaces, servers, terminal wireless, network appliances and core network
Maintenance: Software loading and maintenance access
Cabin and Airline Services: FOQA data, FA terminals and crew wireless
Passenger: IFE, Wi-Fi and cell phones
3G/4G communication and security issues
Specific Vulnerabilities
Dispatch: Disruption of communications resulting in departure delays or cancellations
Navigation: Corrupted and outdated navigation data
Performance: Incorrect passenger and cargo data; weather (wind, temperature) critical for heavy aircraft
Operational Communications: Irregular operations; security incident reporting
Crew Control: Disruption of crew control systems will prevent the timely departure of flights; not all crewmembers have a firm grasp on the concept of information security
Proprietary Processes and Data: Pricing models; routes and marketing; passenger data
Onboard Systems Vulnerabilities
FMS (Flight Management System): computer unit and control display unit
Control Display Unit (CDU) provides the primary human/machine interface for data entry and information display
FMS provides: navigation, flight planning, trajectory prediction, performance computations, flight guidance
Exploit Vector
Goal: Exploit the FMS
Using ACARS to upload FMS data
Upload options
Software Defined Radio
Ground Service Providers
The path to the exploit
Audit aircraft code searching for vulnerabilities
What can be Done? AIRPORT
Audit
Identify Requirements
Risk Analysis
Priority Assignment
Operational plan of action
Recommendation
Testing
People
Process
Technology
Culture of Security
Some of the Control Systems testing and systems development
M11 brings some of the greatest minds to bear on SCADA/ICS issues
Deep understanding of ICS best practices, including NIST SP800-82 and NIST SP800-53
Coauthor of NISTIR 7628
Development team experienced in both offensive and defensive technologies
Vulnerability Research
Reverse Engineering Software and Hardware
Physical, Network, Web Penetration Testing
Architecture Review
M11 recommendations for SCADA/ICS
Architecture Review
Penetration Testing
Security Training
Tabletop Exercises
Consulting
Products
SCADA/ICS Penetration Testing
Identifying attack surface
Coordinating with customers on a hybrid-approach penetration test
Where appropriate, existing N-day vulnerabilities and design weaknesses will be leveraged to gain access to systems.
Where appropriate, a table-top style will be employed to reduce the likelihood of adverse impact on ICS.
SCADA/ICS Security Training
Custom SCADA/ICS training
Training and presentation background including SANS Training, SANS Summits, BlackHat, DEFCON, and other domestic and international venues
SCADA/ICS Architecture Review
Using Interviews and Documentation
Track through people/process/technology
Identify:
Breakdowns in coverage
Ability to identify compromise
Ability to respond to compromise
SCADA/ICS Tabletop Exercises
Scenario-based compromise response exercise
"SCADA Role-Playing Game"
Identifies weaknesses in response plans
Exercises the response plans
Establishes/strengthens vital relationships
Introduces the different groups to the constraints of other groups
TOC
Assessments
Architecture Review. White box design review of documentation and interviews: network cartography, configurations, etc. Because of our experience, we are able to quickly provide an assessment, saving time and money; this is our preferred method.
Penetration Testing. Simulate adversarial threat-based approaches to expose and exploit vulnerabilities, to identify weaknesses, and to improve security posture and operational procedures with vulnerability identification, enumeration, and purposeful exploitation; and to determine the value and effectiveness of a network, system, or application's security configuration.
TOC
Attributable and non-attributable targeted tests. Local technical testing will attempt to find radio networks for exploitation and access, as well as use close-access social engineering for direct network access
Open systems focused penetration test to provide insight into the extent of public presence
Technical – proprietary and open-source tools to conduct
TOC Support
Forensics
Identify, collect, examine, analyze, and preserve the integrity of resources and information for computer forensics.
Perform root cause analysis of computer systems that failed or are not operating properly.
Develop and train standard processes for conducting forensics for the help/service desk to ensure that incident handlers and first responders satisfy forensics requirements.