IOActive, Inc. Copyright ©2017. All Rights Reserved.
Cybersecurity: Preparing for Persistent Attacks from Foreign Governments; The Internet of Things, and How it Plays as an Additional Risk Factor
IOActive is the only global security consultancy with a state-of-the-art hardware lab and deep expertise spanning hardware, software and security services.
Bryan L Singer, CISSP, CAP
Kevin Murphy, CISSP, CISM, CGEIT
Jan 23, 2018
Agenda (Interactive discussion-ask questions)
• The Curse of Too Much Data
• IoT Challenges: Legacy versus Modernization
• Regulatory and Compliance Risk
• Some Positives and Opportunities
• Looking ahead…..
• Call to Action
• Questions?
Why do we Care?
• Who would do that to us?
• Cyber threats and cyber-physical threats are threats to grid reliability
• Complex legal environment** resulting in increased costs, difficult legal situations with limited precedent, and regulatory actions based on imprecise criteria
• **IANAL (I am not a lawyer)
Drowning in Data, Starved for Information
• The average plant has tens of thousands of data and I/O points; IoT will increase that number dramatically
• Aging workforce, and the loss of “tribal knowledge”
• Replacing engineering knowledge with screen knowledge
• We are creating a scenario in which we can easily recreate an event after the fact, but real-time operations may be impeded because the operator is overwhelmed
• The key is relevant, timely, and ACTIONABLE intelligence
When Information Overwhelms
• 1994 Texaco Refinery Explosion
• 2005 Texas City Refinery Explosion
• Aug 14, 2003 Northeast Power Outage
• Target breach
• Equifax breach
• In all of these scenarios, the “data” was there, but it overwhelmed the operators
• Data is good for incident recreation, not so much for live response
Technical Challenges to IoT
• Much of critical infrastructure is on non-Ethernet networking, and solidly on IPv4
• The massive data-point expansion of IoT will drive IPv6 to the plant floor faster than it can be safely implemented
• This will result in “value add” hosted cloud/fog services, but they may come at a cost
• In utilities, the “last mile” data service ranges anywhere from 10 Gb fiber to 900 MHz wireless, to tin can and string; the resulting delay and jitter create a time-of-check/time-of-use problem: the value an operator or control loop checks may no longer be the value in the field by the time it is acted on
The IoT Push to Technology
• Usually represents a geometric expansion of vulnerabilities in the near to mid-term
– AMI/Smart Metering – IOActive research into a worm-able attack surface
– ATM – Systemic weaknesses in ATMs and threats due to skimming, shimming, and malware
– Financial/Bank mobile applications – IOActive research in 2017 shows massive insecurity
– Web apps – rapid expansion and rise of XSS
– IoT – millions of devices, millions of weak points?
http://blog.ioactive.com/2014/01/personal-banking-apps-leak-info-through.html
Case Study
• A smart meter provider supplied its own “hosting” solution that included the meters and tower devices, and data services back to servers at the respective utilities
• Private networking solution, but it was integrated with the various utilities' IP-based networks, and relied upon the trust and security of everyone involved
• The provider used Java JOSSO single sign-on, and the SSO trust was shared across customers rather than scoped to each utility: once we, as attackers, gained access to one tower device, we could subsequently navigate to every other utility on the globe on this supposedly “private” backbone
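The failure in the case study is that a credential proven once on one tower was honored by every other utility's towers. The following is an added example, not code from IOActive or from JOSSO (whose real assertion format is not reproduced here): a deliberately simplified HMAC-signed bearer token with a weak acceptance check (signature only, as the shared backbone behaved) beside a hardened check that also binds the token to the utility that owns the tower. The key, utility names and subject are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared by the SSO service and every tower (assumption for the
# example; a real identity provider keeps the signing key to itself).
SSO_KEY = b"constructed-example-sso-signing-key"


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_token(key: bytes, subject: str, audience: str, ttl: int = 300, now=None) -> bytes:
    """Mint a signed bearer token for `subject`, scoped to the utility `audience`."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "aud": audience, "exp": now + ttl},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + b"." + _b64(tag)


def _verify_signature(token: bytes, key: bytes, now: float):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        p, t = token.split(b".")
        payload, tag = _unb64(p), _unb64(t)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def accept_shared_sso(token: bytes, key: bytes, now=None) -> bool:
    """Weak check, as on the shared backbone: a valid SSO signature is enough to
    log in to any tower, whichever utility the token was issued for."""
    now = time.time() if now is None else now
    return _verify_signature(token, key, now) is not None


def accept_scoped(token: bytes, key: bytes, this_utility: str, now=None) -> bool:
    """Hardened check: the token must also name this tower's utility as its audience."""
    now = time.time() if now is None else now
    claims = _verify_signature(token, key, now)
    return claims is not None and claims.get("aud") == this_utility


def demo() -> dict:
    """Replay the case study: a token obtained on utility A's tower, presented to utility B."""
    now = 1_700_000_000.0
    token_a = issue_token(SSO_KEY, "tower-tech", "utility-A", now=now)

    # Attacker rewrites the audience claim but cannot re-sign it.
    p, t = token_a.split(b".")
    claims = json.loads(_unb64(p))
    claims["aud"] = "utility-B"
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + b"." + t

    return {
        "shared_sso_on_B": accept_shared_sso(token_a, SSO_KEY, now=now),         # True: lateral move
        "scoped_on_B": accept_scoped(token_a, SSO_KEY, "utility-B", now=now),     # False: blocked
        "scoped_on_A": accept_scoped(token_a, SSO_KEY, "utility-A", now=now),     # True: legitimate
        "forged_aud": accept_scoped(forged, SSO_KEY, "utility-B", now=now),       # False: bad signature
        "expired": accept_scoped(token_a, SSO_KEY, "utility-A", now=now + 600),   # False: past exp
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audience check is the minimum; in a multi-tenant backbone each utility should also have its own signing key (or its own identity provider), so that a compromise of one tenant's key material cannot mint tokens that any other tenant's checks will accept.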
Regulatory Pressure
• Who owns the “cloud,” and who owns the “data?”
• NERC CIP-002 through CIP-009
• Fine first, ask questions later
• Often called to defend utilities for violations/failed audits
• Outsourced data, hosted infrastructure, and third-party value-add services may pose regulatory challenges for both safety and cyber security
• OSHA 1910.119 (Process Safety Management) and Mechanical Integrity – what if I don’t control all the data?
http://www.nerc.com/pa/comp/Pages/default.aspx
The IoT Data Paradox
• Leverage a military analogy of High Value and High Payoff targets
• The more information we generate about a system, the higher value it is to us, and to the attacker
• More data = High Value Target
• Less data = less attractive target, but less capability
“But, we Don’t store Credit Cards in Power Utilities”
• Attackers (eco-terrorists) on the east coast gained access to environmental monitoring systems and used the data in various attempts at legal action against the utility
• When they were unsuccessful, they distributed the data to people living around the plant
• This resulted in the utility spending over $200k USD to combat the public awareness problem it created
Some Positives and Opportunities
• eBay was recently “exposed” in a data breach. They used big data to prove that the claimed release of card data was false
• The new trend in data services more closely matches the engineering talent and skills emerging from schools today
• Blockchain-type technologies (authenticated, hash-chained records) can enable message authentication and traceability previously not available
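The property the last bullet is after, that each telemetry record is authenticated and bound to the record before it, does not need a full blockchain. The following added example (not code from the deck or from any vendor) builds an HMAC-keyed hash chain over constructed meter readings and shows which manipulations the chain catches on its own: editing a value and splicing out a record are detected, truncating the tail is not. The meter key, meter id and readings are assumptions made up for the example.

```python
import copy
import hashlib
import hmac
import json

# Constructed key shared between the meter (signer) and the head end (verifier).
METER_KEY = b"constructed-example-meter-key"
GENESIS = "0" * 64  # "previous tag" for the first record in a chain


def _tag(key: bytes, prev: str, reading: dict) -> str:
    """HMAC over the previous tag and the reading, so each record binds to its predecessor."""
    body = json.dumps({"prev": prev, "reading": reading}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append_reading(chain: list, key: bytes, reading: dict) -> list:
    """Append one authenticated, chained record; returns the chain for convenience."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"prev": prev, "reading": reading, "tag": _tag(key, prev, reading)})
    return chain


def verify_chain(chain: list, key: bytes) -> int:
    """Return -1 if every record authenticates and links to its predecessor,
    otherwise the index of the first record that fails."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or not hmac.compare_digest(
            _tag(key, prev, rec["reading"]), rec["tag"]
        ):
            return i
        prev = rec["tag"]
    return -1


def demo() -> dict:
    # Constructed sample telemetry from a single meter, 15 minutes apart.
    chain = []
    for ts, kwh in ((1700000000, 1201.5), (1700000900, 1202.1), (1700001800, 1202.9)):
        append_reading(chain, METER_KEY, {"meter": "MTR-0001", "ts": ts, "kwh": kwh})

    tampered = copy.deepcopy(chain)
    tampered[1]["reading"]["kwh"] = 900.0   # edit a value: its tag no longer matches

    spliced = copy.deepcopy(chain)
    del spliced[1]                          # drop a middle record: record 2's prev no longer links

    truncated = copy.deepcopy(chain)[:2]    # drop the tail: the chain alone cannot tell

    return {
        "intact": verify_chain(chain, METER_KEY),         # -1
        "tampered": verify_chain(tampered, METER_KEY),    # 1
        "spliced": verify_chain(spliced, METER_KEY),      # 1
        "truncated": verify_chain(truncated, METER_KEY),  # -1, see note below
        "wrong_key": verify_chain(chain, b"other-key"),   # 0
        "head": chain[-1]["tag"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Truncation goes unnoticed because a shortened chain is still internally consistent; catching it is what the distributed ledger part of a blockchain adds, and the minimal substitute is to anchor the latest tag (`head`) somewhere the meter operator cannot rewrite, such as a write-once store or a periodic signed digest sent to a second party, and compare against it at verification time.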
Looking Ahead to Protect your Operation
• Learn from the attacks and responses of other industries
• Add the risk of outage from a cybersecurity attack to your overall risk management plan
• Ask the tough security questions of your supply chain
• Have a vulnerability management program
– Patch management plan
– Vulnerability isolation (network segmentation and compensating controls) for the SCADA systems that can’t be patched
• Upgrade legacy systems that are vulnerable
• Regulation and compliance can be your friend
– The NIST Cyber Security Framework is “real” security
NIST Cyber Security Framework (core functions: Identify, Protect, Detect, Respond, Recover)
Cyber Security Framework Scorecard (slide shows KPIs and Top 5 Risks)
Call to Action:
• Add cybersecurity risks to the Board of Directors’ risk scorecard. (That’s how you get budget.)
• Evaluate your threat models against the latest attack vectors
• Know your perimeter and endpoints
• Test your BCM plans
• Red team your network and your IdM systems
• Learn from other industries, as they might get hit before yours
Email:
Bryan.Singer@IOActive.com
Kevin.murphy@ioactive.com
Thank You
