Your Building Automation Network is Under Attack. Mr. Aaron Fansler. This Briefing is Proprietary and Competition Sensitive
Introduction • Mr. Aaron Fansler – B.S. Applied Mathematics; M.S. Information Assurance; M.S. Computer Science; Ph.D. Candidate, Computer Science with emphasis on Machine Learning • 10 years military (USAF & US Army) • Since 2002 working on Industrial Control Systems – SCADA, ICS, OT, IIoT (acronym of the day) • Previously at a Department of Energy National Laboratory • Chief Technologist at Ampex 2
What Are Building Automation Systems 3
Is it real or Hollywood • There was a time when the thought of hacking a heating, ventilation, and air conditioning (HVAC) system would have been more likely to be part of a fictional movie plot than a news story. • In 2013 researchers disclosed a vulnerability in the building management system (BMS) of a Google office. • Target's 2013 breach began with network credentials stolen from its HVAC contractor, which gave the attackers their foothold on the corporate network 4
Who Would Attack a BAS, and Why • Test – Using honeypots of control system devices in our laboratory over February (28 days). Multiple vendors with multiple infrastructures represented (power, water, CCTV, facility access, elevators, heating), we documented: – 54 attacks from 14 different countries – 46% originated in China – 24% came from within the U.S. • Almost two attacks a day, every day, for 28 days 5
Why Would They Attack a BAS • Why attack our simulation? – Simply, because we are there. We are a target of opportunity. • Zero strategic value, but they still attacked • Like a mouse in a maze, we monitored everything they did and saw where they went. • Most activity was non-destructive; some was not. • Can you honestly say that you have 100% network situational awareness of your control system / BAS network? • Can you afford an attack? 6
A Cybersecurity Approach for ICS – In the beginning… • Industrial control systems (ICS) security was much simpler before the web, and before it became the “buzz” • Vendors designed control systems with automation and reliability in mind, not security • Then the internet crept in, and with it the threat of connectivity-enabled attacks that don’t require physical access to plants or their systems • A-I-C vs C-I-A: OT prioritizes Availability first, then Integrity, then Confidentiality, the reverse of the IT ordering, so a control that risks uptime is often rejected outright 7
Playing Catchup • Let’s be honest, IT cybersecurity has a tremendous head start on ICS/OT cybersecurity • Because of this, ICS/OT security must adapt quicker and come up with better solutions from the start • Not only do we need to worry about IT-related threats but also OT-specific threats 8
We All Know The Challenges of OT Security o Industry never designed legacy systems for the Information Age o Cyber security was not considered at install time, and bolting it onto old tech is difficult o Vendor software often runs on unpatched or unsupported operating systems (Windows 95, 98, XP, etc.) o Industry engineers are not trained to be cyber security experts o Cyber security experts are not industrial engineers… hard to find both o Information overload: industry operators have exponentially more information to monitor. Too much data. 9
Generic Control System Pyramid (top to bottom):
– HMI (human machine interface), databases – most cyber security emphasis is here
– Front end processors, data concentrators
– Supervisory devices
– Subordinate devices (PLCs / RTUs / embedded)
– Sensors – quadruple the number of devices and zero protection
Protection is focused at the top… proven threats also exist at the bottom. Ampex Proprietary 10
Current Solutions for Critical Infrastructure Industries • Retread of IT capabilities for OT/ICS – proven not to work • Traditionally, cyber security relied on rules-based or signature-based pattern matching – Find malware and generate signatures – Only detects malware that is already known; it has to match a virus definition or signature • Most ICS/OT solutions focus on low-hanging fruit – Log aggregation – Signature-based detection • “AI”-powered cyber attacks are on the rise – Such attacks hide definitive characteristics and signatures – We will lose if we stick with the same defensive game plan. The old IT way of doing security does not protect ICS devices! OT/ICS security is an arms race – we have to ADAPT. Commercial-in-Confidence 11
Things I’ve Been Told on Assessments • It’s a “closed network” – In 2011 I demonstrated that I could shut down a power system by hacking the GPS. Imagine what I can do now. • Why would anyone want to attack me? – Pizza plot attack • I could tell if we were hacked because I watch my HMI – Ask the guys in Iran about spoofing attacks • We don’t have any modems on our networks – I found 78 on a fuel management system that was connected to their corporate network for billing • I don’t care who’s on my network, as long as I can get my product from point “A” to point “B” 12
Art of the Possible 13
Ever Heard of the Dark Web • The “Dark Web” is a part of the world wide web that requires special software to access. • Much like the rest of the internet, the Dark Web is a network of websites, forums, and communication tools like email. • What differentiates the Dark Web from the rest of the internet is that users are required to run a suite of anonymizing tools (Tor is the common one) that hide the origin of web traffic. 14
The Dark Web • Though the name sounds ominous, the Dark Web did not hatch from some evil hacker lab. • The Dark Web is simply a set of websites reachable only through an anonymizing overlay network, which encrypts and relays traffic before users can load content. • The encryption underneath is the same kind of technology that protects passwords when users log on to bank portals and sites like Gmail and Facebook 15
Examples of What is Sold • Social Security number: $1 • Credit or debit card (credit cards are more popular): $5–$110 • Online payment services login info (e.g. PayPal): $20–$200 • Loyalty accounts: $20 • Subscription services: $1–$10 • Diplomas: $100–$400 • Driver’s license: $20 • Passports (US): $1000–$2000 • Medical records: $1–$1000* • Customized exploits: varies • A recent study by Carnegie Mellon researchers Soska and Christin calculated that drug sales on the dark net total $100M 16
Hacking is Easy – a caveman could do it • Buyers of these exploits don’t need to be master hackers themselves. There are guides on how to spread malware, as well as phishing and carding tutorials. • Dark Web actors pay corporate workers to leak information or provide access – staff at an unnamed bank were found to be helping hackers maintain a persistent presence on their corporate networks 17
What’s on the “Clear Net” – Shodan Tool • Simple search for devices running Modbus that are connected to the internet in the U.S. (a Shodan query such as port:502 country:US lists devices answering on the standard Modbus/TCP port) 18
Just Found a Device • Default credentials / passwords still in place 19
Typical Approach • Non-intrusive fingerprinting phase – This phase includes discovering who owns the device, as well as what project the device is being used for. • Not actively scanning for vulnerabilities at this point, just collecting information about the device that allows us to passively identify whether it is vulnerable – Most interested in vulnerabilities that would allow us to take over the device • For this scan I didn’t even need to scan the network; it was there and already open. 20
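One read-only fingerprinting query that fits the phase described above is the Modbus/TCP "Read Device Identification" request (function 0x2B, MEI type 0x0E), which asks a controller for its vendor name, product code and firmware revision without writing anything to it. The following is an added example written for this page, not code from the briefing or from any vendor tool; the sample response bytes (vendor "ExampleCo", product "BMS-100", revision "2.1") are constructed and do not come from a real device, and the `query_device` helper is only there to show how the same frames would be used against a live host.

```python
"""
Modbus/TCP Read Device Identification (function 0x2B, MEI type 0x0E):
build the request frame and parse the response into named objects.
Added example for this page; the sample response is constructed.
"""
import socket
import struct

FUNC_ENCAPSULATED = 0x2B      # Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E     # MEI type: Read Device Identification

# Standard object ids returned by the "basic" (0x01) read code and beyond.
OBJECT_NAMES = {
    0x00: "VendorName",
    0x01: "ProductCode",
    0x02: "MajorMinorRevision",
    0x03: "VendorUrl",
    0x04: "ProductName",
    0x05: "ModelName",
    0x06: "UserApplicationName",
}


def build_request(transaction_id=1, unit_id=1, read_code=0x01, object_id=0x00):
    """Return MBAP header + PDU.  read_code 0x01 asks for the basic objects;
    the request only reads identification data and changes nothing."""
    pdu = bytes([FUNC_ENCAPSULATED, MEI_READ_DEVICE_ID, read_code, object_id])
    # MBAP length counts the unit id byte plus the PDU that follows it.
    mbap = struct.pack(">HHHB", transaction_id, 0x0000, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame):
    """Parse a Read Device Identification response into {name: value}.
    Raises ValueError on an exception response or a malformed frame so a
    caller never records junk as a fingerprint."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("not Modbus/TCP (protocol id %d)" % protocol_id)
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match PDU size %d" % (length, len(pdu)))
    function = pdu[0]
    if function == (FUNC_ENCAPSULATED | 0x80):
        # Exception response: the second byte is the Modbus exception code.
        raise ValueError("device returned exception code 0x%02x" % pdu[1])
    if function != FUNC_ENCAPSULATED or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected or truncated device identification response")
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more-follows,
    # pdu[5] next object id, pdu[6] number of objects in this response.
    count = pdu[6]
    objects = {}
    offset = 7
    for _ in range(count):
        if offset + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        offset += 2
        value = pdu[offset:offset + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        offset += obj_len
        name = OBJECT_NAMES.get(obj_id, "Object_0x%02x" % obj_id)
        objects[name] = value.decode("ascii", errors="replace")
    return objects


def query_device(host, port=502, unit_id=1, timeout=3.0):
    """Send one request to a live controller and parse the reply (network I/O;
    only run this against devices you are authorised to assess)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(unit_id=unit_id))
        return parse_response(sock.recv(260))


def _sample_response():
    # Constructed reply (hypothetical vendor/product, not a captured frame).
    objects = [(0x00, b"ExampleCo"), (0x01, b"BMS-100"), (0x02, b"2.1")]
    body = b"".join(bytes([oid, len(v)]) + v for oid, v in objects)
    pdu = bytes([FUNC_ENCAPSULATED, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00,
                 len(objects)]) + body
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu


SAMPLE_RESPONSE = _sample_response()

if __name__ == "__main__":
    print(build_request().hex())
    print(parse_response(SAMPLE_RESPONSE))
```

The parser refuses exception responses and length mismatches rather than guessing, which matters when a device behind a gateway answers on behalf of several unit ids; a vendor string alone is enough to look up the product's published advisories, which is the point of the "passively identify whether it is vulnerable" step.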
Shodan makes life easy 21
[Slides 22–28: Shodan search result screenshots; image content not extracted]
Pretty Easy, Right? • This is the very first tool I use for assessments • People make mistakes • People switch jobs – USAF example • New systems get added: billing, maintenance, testing, etc. • Acquisitions • How many devices do I have… how many networks do I have? 29
I Had No Idea • All of that was 100% in the clear and very easy to do • A BAS technician typically doesn’t have an IT background • Every BAS out there has had security vulnerabilities, and they will continue to in the future • The reality is that the people writing software are… people • BAS devices shouldn’t be exposed to the Internet, but they are 30
How Do We Protect • IP-enabled industrial control systems should be isolated within a dedicated network segment and accessed only over an encrypted, authenticated channel such as a VPN. – These systems typically have limited built-in security controls and need all the help they can get to operate in a secure manner. • Strong passwords, detailed logging, and frequent security updates can help protect these systems from unauthorized tampering. • The bad guys know and are trained on current defensive tools and strategies • We must be better than they are – faster, with outside-the-box thinking and solutions • Understand your “Digital Footprint” and do things to minimize it 31
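Segmentation and detailed logging are only useful if someone checks that the segmentation actually holds. The script below is an added example for this page (not the briefing's own tooling) of the situational-awareness check the slides keep asking for: it reads connection log lines, picks out traffic to control-protocol ports, and flags any source that is not in the approved engineering workstation or VPN subnet. The log format, the subnets (10.20.0.0/24 engineering, 10.99.0.0/24 VPN pool, 10.0.0.0/8 site space) and every address in the sample log are constructed assumptions; adapt them to the site's real address plan.

```python
"""
Situational-awareness check for a BAS/ICS segment: scan connection log
lines and flag traffic to control-protocol ports that does not come from
the approved engineering or VPN subnet.  Added example; the log format,
subnets and sample addresses are constructed.
"""
import ipaddress
import re

# Control-protocol ports commonly found on BAS/ICS networks.
CONTROL_PORTS = {
    502: "Modbus/TCP",
    20000: "DNP3",
    47808: "BACnet/IP",
    1911: "Niagara Fox",
}

# Assumed site policy: only these networks may talk to controllers.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/24"),  # engineering workstations
    ipaddress.ip_network("10.99.0.0/24"),  # VPN concentrator address pool
]

# Assumed site address space; anything outside it is treated as external.
SITE_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Constructed log format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"-> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, or None so junk is skipped."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["sport"] = int(event["sport"])
    event["dport"] = int(event["dport"])
    return event


def classify(event):
    """Return an alert dict if the event violates the segmentation policy."""
    protocol = CONTROL_PORTS.get(event["dport"])
    if protocol is None:
        return None  # not a control-protocol port; out of scope here
    src = ipaddress.ip_address(event["src"])
    if any(src in net for net in ALLOWED_SOURCES):
        return None  # approved engineering/VPN source
    if src in SITE_NETWORK:
        reason = "internal host outside engineering/VPN segment"
    else:
        reason = "external source"
    return {
        "ts": event["ts"],
        "src": event["src"],
        "dst": event["dst"],
        "dport": event["dport"],
        "protocol": protocol,
        "reason": reason,
    }


def find_alerts(lines):
    """Run every line through parse_line and classify; keep only the alerts."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log (no real hosts): two clean engineering sessions,
# one internet-facing source hitting Modbus, one office host hitting BACnet,
# one unrelated HTTPS connection, and one unparseable line.
SAMPLE_LOG = """\
2024-02-03T02:14:07Z TCP 10.20.0.15:51000 -> 10.30.1.10:502
2024-02-03T02:15:22Z TCP 198.51.100.77:44321 -> 10.30.1.10:502
2024-02-03T02:16:01Z UDP 10.50.7.4:47808 -> 10.30.1.20:47808
2024-02-03T02:16:40Z TCP 10.99.0.8:39900 -> 10.30.1.10:502
2024-02-03T02:17:12Z TCP 10.50.7.4:50001 -> 10.30.1.30:443
garbage line that does not parse
"""

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG.splitlines()):
        print("{ts} {src} -> {dst}:{dport} ({protocol}): {reason}".format(**alert))
```

An external source reaching a Modbus port at all means the "isolated segment" is not isolated; an internal office host reaching BACnet is the quieter finding that a signature-based tool never raises, because nothing in the packet is malicious, only the source is wrong.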
Conclusion o An attack of some kind is inevitable; it’s just a matter of when o IT security solutions don’t work well for OT o Good OT/ICS/BAS solutions are limited on the market. Most are just retread IT solutions or IT techniques. “Out of the box” thinking and approaches are needed o The way we approach cyber defense for ICS/OT networks must be different. Our attackers are adapting faster than we do o AGAIN… understand your “Digital Footprint” and do things to minimize it 32
Questions 33
- Slides: 33