Industrial Control System Cybersecurity
SCADA Security Laboratory
CENTER FOR CYBERSECURITY RESEARCH AND EDUCATION
Cyber Kill Chain
• Preparation: Reconnaissance, Weaponization
• Intrusion: Intrusion / Initial Breach, Payload Delivery / Taking Control
• Active Attack: Actions on Objective, Eliminate / Manipulate Evidence
Attack = TARGET stores 2013
Objectives = Theft - stealing credit card numbers
What Happened?
• Attackers were able to gain remote access to Target’s business network and steal millions of credit card numbers. $500M loss.
• Attackers used stolen credentials to remotely enter through the HVAC system, then pivot onto the business network and install credit card stealing malware on the Point of Sale (PoS) systems.
• The malware installed by the attackers sent credit card numbers and other customer information back to the attackers.
Vulnerabilities Exploited
• Stolen credentials allowed remote access
• HVAC systems connected to business network
• Improper user privileges and access controls
Resources Needed by Attacker
• Resources of a small group of individuals
What Could Have Made the Attack Unsuccessful?
• Isolating non-business systems, such as HVAC, from critical business systems
• Proper management of user privileges
• Using an intrusion detection system inside the business network
• Proper authentication
Attack = STUXNET – Iranian Nuclear Facility 2007
Objectives = To cause physical damage to nuclear centrifuges in Iran
What Happened?
• Attacker created a very specific set of complex tools, going after one unique target
• The attack harmlessly infected any computer connected to the Internet, then infected the victim computer via USB “thumb drive”
• The attack covertly re-programmed the programmable logic controller (PLC) in the machine that controlled hundreds of centrifuges
• The attack damaged or destroyed hundreds of centrifuges, causing a tremendous military/industrial setback for Iran.
Vulnerabilities Exploited
• Multiple “zero day” exploits of Windows
• Complex exploits of the PLC control software
• Human behavior – using a USB drive unsafely
Resources Needed by Attacker
• Top-tier nation-state level resources
• Detailed technical intelligence
• A great deal of patience and luck
What Could Have Made the Attack Unsuccessful?
• Rigorous patching of Windows and all application software
• Rigorously following cybersecurity best practices (i.e. how data is moved onto a mission-critical system, use of USB drives, etc.)
• Only allowing signed, authenticated code to execute
• Strict isolation of control/safety systems
Attack = Rye Brook Dam on Bowman Ave. in NY 2016
Objectives = Disruption of civil infrastructure
What Happened?
• Seven Iranian men were indicted for performing a denial of service attack against several U.S. firms (including 46 of the nation’s largest financial institutions) and critical infrastructure, including a tiny flood-control dam in rural New York.
• No physical damage because a system was disconnected for maintenance.
• Perhaps the hackers mistook the tiny dam for a much larger dam with a similar name. Perhaps this was practice for a larger scale attack on critical infrastructure.
Vulnerabilities Exploited
• Unauthorized remote access to the dam’s SCADA control system.
Resources Needed by Attacker
• The resources of seven men
What Could Have Made the Attack Unsuccessful?
• Proper access controls on the cellular modem used to communicate with the dam.
• Proper authentication
Attack = Power Grid in Ukraine 2015
Objectives = Disruption of civil infrastructure with physical damage
What Happened?
• Attackers gained remote access to 3 Ukrainian regional electricity distributors, causing 225,000 customers to lose power
• Well-coordinated attack on the power grid’s control system
• Utilities forced to move to manual operation post attack. “First publicly acknowledged incidents to result in power outages.” (NERC report) A similar attack in the U.S. would have had much more severe consequences.
Vulnerabilities Exploited
• Initial access through spear phishing
• Installed malware via vulnerability in MS Office
• Control systems accessible via Internet
Resources Needed by Attacker
• Some “insider knowledge”
• Capability to reuse malware developed by others
What Could Have Made the Attack Unsuccessful?
• A user’s mistake (clicking on a link) opened the door
• Malware detection system
• More careful management of user privileges
• Better access controls to mission-critical systems
• Multi-factor authentication
Attack = Denial of Service Attack on DynDNS.com 2016
Objectives = Disruption of Internet services
What Happened?
• DynDNS.com is a company that provides DNS services including monitoring, load balancing, geographic balancing, and security to other Internet companies.
• On Oct 21, 2016, Dyn was the victim of a large scale distributed denial of service (DDoS) attack which slowed user access to many internet sites (Twitter, Netflix, LinkedIn, etc.).
• A very large botnet flooded Dyn with “noise” causing wide-spread disruption.
Vulnerabilities Exploited
• Default passwords
Resources Needed by Attacker
• Resources of a small group
• Ability to create and manage a large botnet
• Ability to hide using the “dark web” (TOR)
What Could Have Made the Attack Unsuccessful?
• Changing default passwords on internet appliances
• Better capability to block “noise generators” (bots performing distributed denial of service attack) closer to the source.
What is UAH doing?
• Modeling and simulation for cybersecurity
  – Discover and analyze vulnerabilities
  – Evaluate Security Controls
• OpenPLC – Research beyond the black box
• Secure PLC – No more band aids
• Intrusion detection and response
Test Beds: Physical Test Beds, Virtual Test Beds, Hardware-in-the-Loop Test Beds
OpenPLC - An Open Source Industrial Controller
http://www.openplcproject.com
• Developed @ UAH
• Emulate devices, investigate security concepts
Questions?
Contact Information
Name: Tommy Morris, Ph.D., Director
Email: tommy.morris@uah.edu
Phone: (256) 824-6576
Address: 200 Sparkman Dr., Huntsville, AL 35805
Web: http://www.uah.edu/ccre