Potential Impact of Cyber Attacks on Critical Infrastructure
John S Kendall
Director of Public Sector and Security Programs
Unisys Asia-Pacific
© 2012 Unisys Corporation. All rights reserved.
Outline
What is all the fuss about?
What are the real threats?
Who is responsible for taking what actions?
Cyber Attacks on Critical Infrastructure
What is “critical infrastructure”?
The Australian, State and Territory governments define critical infrastructure as:
“Those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.”
Source: Australian Government Critical Infrastructure Resilience Strategy
What is “critical infrastructure” for business?
• Physical facilities
• IT facilities
• Networks
• Services
• Assets
for which extended disruption or destruction would seriously impact or jeopardise the
• Health
• Safety
• Security
• Economic well-being
• Effective functioning
of the business, employees, channel partners or customers
What is “critical infrastructure”?
Physical Infrastructure
• Power production/distribution
• Refineries and critical manufacturing
• Water supplies
• Transportation systems
• Communication networks
Cyber Infrastructure
• Internet
• Critical information systems
• Online business/financial services
Cyber-Physical Infrastructure
• Power production / distribution
• Refineries and critical manufacturing
• Water Supplies
• Transportation systems
• Communication networks
• Cars
• Airplanes
• Medical devices / systems
Physical Threats
• Armed attacks
• Bombs
• Sabotage
Cyber Threats
• Malware
• Denial of Service
• Data Breach
Impact of Critical Infrastructure Outages
Public Concerns
Source: Unisys Security Index Research 2012
Infrastructure: Major impact from 2-day outage
• Electricity supply in your city/region: 84%
• Water supply in your city/region: 80%
• Banking systems such as ATM & EFTPOS: 60%
• Mobile phone network: 46%
• Internet: 46%
• Public transport network: 27%
• Major thoroughfare such as Sydney Harbour Bridge: 20%
• Capital city airport: 17%
Government Concerns
– National security
– National economy
Business Concerns
– Business Operations Impact
– Financial Impact
– Supply Chain Impact
– Business Reputation Impact
Cascade Effect
– Interconnectedness of systems creates risk of cascade effect. For example…
Extended power failure → Gas and oil pipeline outage → Petrol supply shortfall → Transportation / logistics shutdown → Exhaust just-in-time inventories for hospitals, manufacturers…
What are the threats to your infrastructure?
• Traditional Physical Threats
– Destruction / Damage / Disruption
– Natural disaster / Accidental / Deliberate
• Traditional Cyber Threats
– Accidental breaches
– External hacks
– Denial of Service
– Virus / worm infiltration
• Cyber-Physical Threats
– All of the above
– Often more susceptible to physical and cyber attacks than purely physical or purely cyber infrastructures
What makes Cyber-Physical systems so vulnerable?
• Tempting Target:
– Fragility of cyber-physical systems
– Ability to “strike from afar”
– Low “cost of entry”
• Inadequate security practices
– “Poor cousin” to both physical and cyber specialists
– Careless inattention to the basics (authentication practices)
– Lack of user security training
• Intentional interconnectedness → Unintended vulnerabilities
– Internet access for remote support/maintenance can be exploited by hackers
– Integration of systems across facilities, companies, locations – often using insecure networking protocols (e.g., MODBUS)
• Long system lifespans without modernising security mechanisms:
– Lack of upgrades may be due to limited memory / processor capability
– Original system supplier may no longer exist – so no ongoing support
– Need for continuous operations prevents system changes or upgrades
Evidence to support this fear
[Bar chart: Reported Attacks on US Critical Infrastructure, 2010, 2011, 2012, 2013* (vertical axis 0 to 400)]
* Projection based on 6 months data
US Critical Infrastructure Targets
• Energy 54%
• Critical Mfg 16%
• Transportation 5%
• Communications 5%
• InfoTech 4%
• Water 4%
• Govt Facilities 4%
• Nuclear 3%
• Commercial Facilities 3%
• Postal/Shipping 1%
• Public Health 1%
Source: US Dept of Homeland Security ICS-CERT
Evidence to support this fear: “Honeypot” test
“Honeypot” emulates several types of ICS/SCADA devices and mimics those that are commonly internet facing – with traditional vulnerabilities found across similar systems.
First attack occurred 18 hours after the honeypot was activated.
And over the next 28 days, attacks originated from the following countries:
• China, 35%
• US, 19%
• Laos, 12%
• UK, 8%
• Russia, 6%
• Brazil, 4%
• Netherlands, 2%
• Japan, 2%
• Poland, 2%
• Vietnam, 2%
• Palestinian Territory, 2%
• Chile, 2%
• Croatia, 2%
• North Korea, 2%
Source: Trend Micro Incorporated Research Paper “Who’s Really Attacking your ICS Equipment”, Author Kyle Wilhoit
Recent cyber attacks on Critical Infrastructure
Stuxnet Malware (2010-2012)
• Sophisticated attack on nuclear manufacturing facilities in Iran
• US/Israel malware exploits vulnerabilities in Microsoft Windows
Power Plant (2012)
• Plant shut down for three days after technician unknowingly inserts virus-infected USB disk
• US Dept of Homeland Security declines to share additional information
Water Supply (2011)
• Critical pump damaged by Russian hackers
• Cycled pump on/off until it burned out
Rail Network (2011)
• Hackers manipulated railway company computer systems
• Disrupted rail service – could have been much worse
Chemical Plant (2011)
• PoisonIvy malware infected systems at more than 48 chemical and defense companies
• Source of attack traced back to China
Who is responsible for fixing this?
• Government?
– Regulations / Legislations / Standards
– Information Sharing
– Research
• Suppliers of CPS systems?
– Address/fix security vulnerabilities
– Best practices for implementation
– Design enhanced security into new releases
• Organisations that implement and use CPS!!
– Primary responsibility!
What actions does my company need to take?
• Assume someone is actively attempting to infiltrate your systems (both information systems and cyber-physical systems)
• Identify vulnerabilities with security assessments of all systems
– Internet connections / VPN access
– Aging operating systems and applications
– “Auto run” settings for USB devices
– Poorly configured firewalls
– Inadequate access controls
• Include security as key design feature in new/updated systems
• Don’t work in isolation
– Government-Business Partnership: Trusted Information Sharing Network (TISN) and Critical Infrastructure Advisory Council (CIAC)
– Industry Segment User Groups
• Education/training
– Awareness of the threat and individual responsibilities
Thank you and Good Luck!
John S Kendall
Public Sector and Security Program Director, Asia-Pacific Region
Unisys Australia Pty Limited
Equinox 2, Level 1, 70 Kent Street, Deakin ACT 2600, Australia
Office: 1300 088 833
Direct: +61 2 6274 3571
Mobile: +61 424 152 034
Fax: +61 2 6274 3533