1 www.limessecurity.com
Industrial Security
5 years post-Stuxnet
2
Company Introduction
Vendor-independent security consulting
Founded in 2012, part of Softwarepark Hagenberg
Operating in DACH, Northern Europe
2 major business fields:
Secure Software Development
Industrial Security Consulting
3
“Everything changed with Stuxnet”
4
A quick recap. In 2010…
The automation world considered itself to be peaceful, due to:
the success of automation engineers in shielding their systems from enterprise IT
the belief that the automation systems were closely isolated or even air-gapped
the assumption that nobody outside automation would understand its proprietary workings
The usage of OEM software components was not seen as a security issue
Security practices/technologies were commonly not applied in industrial control systems (ICS)
5
What was Stuxnet about?
A major, professionally developed cyber security threat
Targeted automation systems with a very specific configuration on the automation side
Received large public attention due to:
the usage of 4 0-day vulnerabilities
multiple infection/persistence vectors
its ability to inflict physical damage through cyber operations, i.e. manipulations of an industrial process
its political “cyber-warfare” connotation
6
The day when I “met” Stuxnet: July 15th, 2010
A small group of Eastern AV experts had found malware containing references to Siemens WinCC and Step7:
…
SOFTWARE\Microsoft\MSSQLServer
pdl
GracS\
2WSXcder
WinCCConnect
master
.\WinCC
sqloledb
GracS\cc_tlg7.sav
Step7\Example
…
7
July 13th: First details of preliminary analysis were published
8
On July 14th, a German AV researcher took a deeper look and noticed the SCADA part
9
Coming back to when Stuxnet began for me: July 15th, 2010
Initial question: Why might malware carry names of an industrial vendor’s product inside?
What’s the purpose and application fields of these products: WinCC, STEP7?
Who would be able to explain?
Most importantly: How do I find this guy within 350k+ employees?
My secret weapon: Office phone & org chart
10
Most important task: Finding out what this was all about
More light was shed on the general purpose of the software by specialists, leading to different security speculations
Next step: Getting our hands on the relevant software (without a P.O.!)
Setting the software up in a contained environment including system monitoring capabilities
Offline analysis of the malware (reverse engineering)
Runtime analysis of the malware (behavioural monitoring)
Goal: Come up with indications of the malware’s functions and what exactly it is after
11
Some early learnings
I learned the necessary difference between incident coordination & incident handling the hard way from the first day
Having CERT-like capabilities at hand, including deep malware reverse engineering know-how, really was more than helpful
Splitting analysis of a threat into offline & online analysis in parallel is more than helpful – each approach sees different aspects
During a crisis, even large organizations can react fast – on the second day a diverse, professional crisis team was established
12
Scaling status information distribution: The famous support website on Stuxnet
Already on the 3rd day, a website on how to detect and remove Stuxnet was established and improved over time, reflecting the state of analysis and research
Source: http://support.automation.siemens.com/WW/llisapi.dll?func=ll&objid=43876783&nodeid0=10805583
13
Challenges and personal learnings when handling Stuxnet
Incident handling is really difficult if you have to start from scratch with security basics in the ICS world
A cyber security crash course for ICS engineers would have helped
Authorities were also still learning back then
Judging the extent of a problem:
takes time – ~700 kB of code (doesn’t help if all good malware reversers hang out at Blackhat in Vegas)
is difficult when you’re the victim – or even if you’re not sure whether you are the victim – information release
Finding reliable IOCs for determining the extent of an attack and how to detect it may be challenging
14
Challenges and personal learnings when handling Stuxnet
For critical incidents, a resource-wise separation between incident coordination and incident handling is necessary
Informing customers is not as straightforward as it may seem; it only works if you know your customers, which is nearly impossible in an OEM business
Industrial safety is priority number one, but necessary compatibility tests delay the release of any (security) software updates
Informational duties vs. giving unwanted hints may be a tightrope walk if a threat is still active
Targeted threats may require anti-virus-like actions from industrial vendors
15
And regarding “Stuxnet was so cool and James-Bond-like, it brought cyber security finally to the real world”:
Handling a crisis like Stuxnet is much less cool if you’re forced into the driving seat – vague assumptions & decisions with large impact
No rogue female agents trying to seduce me
Still driving the same Audi – no Aston Martin
On the other hand: Best chance to learn in my entire career
16
Stuxnet consequences
17
Industrial software vendors came under scrutiny of researchers as a direct consequence after 2010
Security researchers started to analyze industrial software in 2011:
Billy Rios & Terry McCorkle
Luigi Auriemma
Dillon Beresford
…
Photo: Beresford's Blackhat presentation on S7 industrial control system vulnerabilities (Credit: Seth Rosenblatt/CNET)
18
Industrial vulnerability research and disclosure jumped to a high level
Chart: ICS (SCADA/DCS) Disclosures by year (x-axis: Year, 2001–2014; y-axis: Disclosures, 0–300). The chart’s data labels for 2010–2014 read 43, 172, 240, 176 and 182; the 2014 value is an estimation, final numbers not yet published.
Data obtained from the Open-Source Vulnerability Database (OSVDB)
19
The motivation of ICS vulnerability researchers changed over time
Do the right thing to make the world a safer/more secure place (becoming less important)
Publicity to gain reputation (always a good reason)
Financial benefit due to exploit creation (becoming more important)
20
Industrial security weakness presentations became “mainstream” at hacker conferences
Large number of SCADA security presentations, e.g. at the Blackhat Conference:
“How to own an industrial facility from 40 miles away”
“Why Control System Cyber-Security Sucks”
“How I Will PWN Your ERP Through 4-20 mA Current Loop”
21
New activities at industrial vendors resulted, e.g. a public vulnerability handling posture
Source: http://www.siemens.com/innovation/pool/innovations/technologiefokus/it-software/siemens_vulnerability_handling.pdf
22
ICS vendors rethought their security posture, following initial SDL programs 10 years later
Common protection technologies quickly adapted to ICS: application-level firewalls, AntiVirus, application whitelisting, IDS, SIEM, …
Existing security schemes (e.g. airgaps) get deprecated
23
Researchers developed better tools to easily find insecurely operated ICS systems
The security community shows strong interest in (ab)using SHODANHQ, Google and other search engines for finding insecure ICS systems connected to the internet
Source: SHODANHQ / IRAM
24
The number of security breaches is increasing; about a third happen in ICS industries
2012-2013: 42% increase in breaches, ~35% of targeted breaches affect ICS industries
Supply chain breaches increasingly attractive
Transparent market prices for cyber crime services have developed
ICS resource abuse likely, extortion attempts possible
Industries affected by security breaches / targeted breaches according to Symantec and Mandiant
25
Baseline security assumptions slowly changed, ICS stakeholders need to catch up
The assumption of being able to maintain a clean system environment during operation is deprecated
Since 2013 a large number of security vendors offer “threat intelligence” services
Selling information on “indicators of compromise”
How shall industrial operators incorporate threat intelligence?
26
Consumerization of IT endangers industrial systems
Trend of interacting with ICS systems through consumer IT devices
The trend of bring-your-own-device (BYOD) has not reached its peak yet
BYOD leads to additional weak points in the supply chain of critical infrastructures
Security solutions for BYOD scenarios are currently not geared toward industrial sites
27
Nation-state funded hacking has become mainstream
Since 2013, many publications document offensive operations in different regions of the world:
Russia (since early September 2013)
China (e.g. APT1 through the Mandiant report)
Middle East (e.g. Syrian Electronic Army, Iran)
“Tailored access operations” by NSA & partners
Nation-state actors have strong interest in learning about foreign ICS
28
A recent attack example from the ICS world: The Havex malware found in 2014
Havex is a Remote Access Tool (RAT) used in targeted attacks; it was used in the “Crouching Yeti” malware campaign
After infection of a host, it scans the system and connected resources for information that may be of use in later attacks.
The collected data is forwarded to remote servers.
Why is it special?
Targeted attack
Uses ICS-specific attack techniques
29
Havex: a closer look (1)
• Spear phishing (emails with DF attachments)
• Timeline of Havex waterholing attacks (figure)
Source: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
30
Havex: a closer look (2)
Targets:
Identified targets of the Havex malware / campaign were mainly US and UK organizations within the energy sector
But spread across several other countries:
• Spain, France, Italy, Germany, Turkey, …
Further malware activity:
Web browser recovery tool
Cleaning up of traces
Enumerates all connected network resources: computers, shared resources
Scan for ICS-related software
31
Havex: ICS-related activity
Havex uses the Open Platform Communications (OPC) standard to retrieve information:
Class Identification (CLSID), server name, Program ID, OPC version, vendor information, running state, group count, server bandwidth
Enumerate OPC tags: tag name, type, access, and id
Havex causes multiple common OPC platforms to intermittently crash (unfortunately)
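As an added example (not part of the slides or of any vendor's tooling), the following Python script flags a host that runs OPC server discovery and tag enumeration calls against many servers in a short window, which is the behaviour the slides describe for Havex. The log line format, the host addresses and the sample lines are constructed for this example; the OPC interface names are those of the classic OPC DA COM interfaces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format: "<ISO time> <src> -> <dst> OPC <interface::method>"),
# as an OPC-aware network sensor might emit them; not real traffic.
SAMPLE_LOG = """\
2014-06-20T08:00:01 10.1.5.10 -> 10.1.5.40 OPC IOPCSyncIO::Read
2014-06-20T08:00:03 10.1.5.23 -> 10.1.5.40 OPC IOPCServerList::EnumClassesOfCategories
2014-06-20T08:00:04 10.1.5.23 -> 10.1.5.40 OPC IOPCServer::GetStatus
2014-06-20T08:00:05 10.1.5.23 -> 10.1.5.41 OPC IOPCServerList::EnumClassesOfCategories
2014-06-20T08:00:06 10.1.5.23 -> 10.1.5.41 OPC IOPCBrowseServerAddressSpace::BrowseOPCItemIDs
2014-06-20T08:00:09 10.1.5.10 -> 10.1.5.40 OPC IOPCSyncIO::Read
2014-06-20T08:00:11 10.1.5.23 -> 10.1.5.42 OPC IOPCServerList::EnumClassesOfCategories
2014-06-20T08:00:15 10.1.5.23 -> 10.1.5.43 OPC IOPCServerList::EnumClassesOfCategories
2014-06-20T08:30:00 10.1.5.23 -> 10.1.5.44 OPC IOPCServerList::EnumClassesOfCategories
"""

# Calls used to discover servers and walk their tags. An HMI in normal operation
# mostly reads/writes items on servers it already knows (IOPCSyncIO::Read above).
ENUM_CALLS = {
    "IOPCServerList::EnumClassesOfCategories",          # list installed OPC servers (OPCEnum)
    "IOPCServer::GetStatus",                            # vendor, version, state, group count
    "IOPCBrowseServerAddressSpace::BrowseOPCItemIDs",   # enumerate tags
}

def parse(log_text):
    """Yield (timestamp, src, dst, call) tuples from the sample log format."""
    for line in log_text.splitlines():
        ts, src, _, dst, _, call = line.split()
        yield datetime.fromisoformat(ts), src, dst, call

def find_opc_scanners(log_text, window=timedelta(minutes=5), min_targets=3):
    """Return {src: sorted target hosts} for every source that issued OPC
    discovery calls to at least `min_targets` distinct hosts within `window`."""
    events = defaultdict(list)
    for ts, src, dst, call in parse(log_text):
        if call in ENUM_CALLS:
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):          # sliding window per source
            targets = {d for t, d in evs[i:] if t - start <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits

if __name__ == "__main__":
    for src, targets in find_opc_scanners(SAMPLE_LOG).items():
        print(f"ALERT: OPC discovery sweep from {src} against {len(targets)} hosts: {targets}")
```

The HMI at 10.1.5.10 only reads items from one known server and is not flagged; the threshold and window should be tuned to the site's engineering workstations, which legitimately browse servers now and then.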
32
Statistics on Infected Hosts
Infected host statistics provided by Securelist, see http://securelist.com/blog/research/69293/yeti-still-crouching-in-the-forest/
33
What was the goal?
A specific target:
A victim (industrial operator?) should download the compromised/trojanized ICS software
Proof of concept / preparation:
How effective is such an attack? How many devices that speak OPC can be found?
Preparation for other OPC-related attacks
One or multiple customers of the three compromised ICS vendors
34
For most companies, Stuxnet is not the biggest issue – a list from our field project experience
Security strongly relies on physical security & the cell concept
Strong trust between systems
The “legacy” technology & patching problem
Operators are process experts but usually not security experts
The security state is often unknown at sites that have been operational for decades
Vendor vs. integrator vs. operator duties
Inability to see threats on the industrial network
35
So what did change with Stuxnet?
Some statements – true / false?
My friends and neighbors now understand what I do for a living as an industrial cyber security guy
Industrial site operators no longer have to justify their annual budget for ICS cybersecurity
Vendors no longer tell their clients it’s their own problem to secure the system
Vendors no longer tell their clients their warranty is voided if they try to secure their systems
There is only one global ICS cybersecurity standard that everyone follows and certifies to
The industrial world has become more secure because Stuxnet was discovered
Partly taken from Walter Sikora, ICSJWG 2010
36
Thank you!
Questions?