PIT, CS, PIT-CS, ICS, OT, SCADA, CPS, IoT, IIoT - George Mason University


UNCLASSIFIED
DoD Terminology Decision In Progress: PIT, CS, PIT-CS, ICS, OT, SCADA, CPS, IoT, IIoT
- PIT: Platform Information Technology
- CS: Control Systems
- PIT-CS: PIT Control Systems
- ICS: Industrial Control Systems
- OT: Operational Technology
- SCADA: Supervisory Control And Data Acquisition
- CPS: Cyber Physical Systems
- IoT: Internet of Things
- IIoT: Industrial IoT
PIT, CS, ICS, OT, SCADA, CPS, IoT, IIoT Typically Lack Any Cyber Defenses; 75% Use WIN XP

Same Commercial Devices Installed Across DoD Enterprise
Figure labels: Buildings; Weapon Platforms; Pumps and Motors; Electrical and HVAC; Vehicles/Charging; Nuclear; Medical; Operational Energy; Typical Controller; Manufacturing

Top 20 Attacks from Least to Most Sophisticated
1. ICS Insider
2. IT Insider
3. Common Ransomware
4. Target Ransomware
5.
6. Ukrainian Attack
7. Sophisticated Ukrainian Attack
8. Market Manipulation
9. Sophisticated Market Manipulation
10. Cell-phone WIFI
11. Hijacked Two Factor
12. IIoT Pivot
13. Malicious Outsourcing
14. Compromised Vendor Website
15. Compromised Remote Site
16. Vendor Back Door
17. Stuxnet
18. Hardware Supply Chain
19. Nation-State Crypto Compromise
20. Sophisticated Credentialed ICS Insider
y.com/Top-20-ICS-Attacks.pdf

What’s in Your ‘Smart Building?’
“Smart” / High Performance Green Buildings Since 2005 7,000
Example: 5,000 desks, 20 floors, 2M sqft
- Advanced Metering Infrastructure
- Building Automation System
- Building Management Control
- CCTV Surveillance System
- CO2 Monitoring
- Digital Signage Systems
- Electronic Security System
- Emergency Management System
- Energy Management System
- Exterior Lighting Control Systems
- Fire Alarm System
- Fire Sprinkler System
- Interior Lighting Control
- Intrusion Detection
- Land Mobile Radios
- Renewable Energy Photo Voltaic Systems
- Shade Control System
- Smoke and Purge
- Physical Access Control
- Vertical Transport System (Elevators and Escalators)
Chart labels: Info Sys, BASCS, SECURITY (axis 0 to 50,000)
3 Networks Independently Managed

Significant Impacts; Tools Easily Accessible and Unsophisticated
- WannaCry (May’17) – ransomware affecting Microsoft Windows; millions of computers across 150 countries, halting manufacturing, transportation and telecommunications systems; many medical systems inoperable, affecting health & safety
- NotPetya (Jun’17) – malware infected 10,000’s of internet connected systems across 65 countries [Maersk shipping company halted operations in most of its 76 port terminals; losses exceeded 300M, 4,000 new servers, 45,000 new PCs, 2,500 new apps]
- Trisis (Aug’17) – virus sabotaging physical safety mechanisms of Saudi Arabian oil, gas facility control systems [coding error prevented potential catastrophe]
Number Targeted Attacks Almost Doubled Since 2013; Urgent Need to Understand Your “Connectedness”

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices
- 16 April 2018 – DHS US CERT, FBI & UK’s National Cyber Security Centre – Alert – Russian State-sponsored actors establishing worldwide cyber exploitation of network devices
- Targets primarily government and private-sector orgs, critical infrastructure providers & internet service providers.
Exploiting:
- Routers
- Switches
- Firewalls
- Network-based Intrusion Detection Systems
FBI - actors are using compromised routers to conduct man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations.
Russian “Trolling” Activity Up 2,000% After Syrian Strike
Make sure that your router software is up-to-date and its password is secure

Cyber Threat to ICS Highest Yet – CS Threats
- 72% Of Vulnerabilities Could Cause a Loss of View/Control
- 63% Of Vulnerabilities from Late in Kill Chain Indicating Prolonged Presence, Pivot from Other Systems
- 63% Of Vulnerabilities Could Be Leveraged to Gain Initial Access Into Control Network
“We regrettably expect ICS operational losses and likely safety events to continue into 2018 and the foreseeable future”

April 2018 Report
Key findings over past 3 yrs:
- 90% of targeted attack groups are motivated by intelligence gathering
- Most active groups compromised an average of 42 organizations
- 71% of groups use spear phishing emails as primary infection vector
- 29% increase of recorded ICS vulnerabilities
- U.S. accounts for 27% of all targeted attack activity (most)

375 OT networks over past 18 months using its automated, passive vulnerability assessment technology
- 60% have plain-text passwords traversing their control networks
- 50% aren’t running any AV protection
- Nearly 50% have at least one unknown or rogue device
- 20% have wireless access points
- 28% of all devices in each site are vulnerable
- 82% of industrial sites are running remote management protocols
“They’re testing out red lines, what they can get away with. You push and see if you’re pushed back. If not, you try the next step.” Thomas Rid, Professor of War Studies at King’s College London

Default Passwords Found Again: 370 Products / 80 Vendors

Shodan “default password”

Never Attribute Evil When Stupid is Still Available

Just Because You Can Control via Mobile Devices ...
Top 5 security weaknesses:
- 94% code tampering
- 59% insecure authorization
- 53% reverse engineering
- 47% insecure data storage
- 38% insecure communication
“Why should anyone have the power to control a 2 GW power plant, or the entire production line of an automobile factory, from a cell phone, while stopped at a traffic light?” – Andrew Ginter, VP Industrial Security, Waterfall Security Solutions

Strategies Good for the Long Term
2015
Vision: By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.

Who Defends FRCS?
- “U.S. Cyber Command is not “optimized” today to combat information operations orchestrated by foreign powers”
- “NSA we’re focused externally, Cyber Command we’re largely focused externally. So I will monitor bots, infrastructure external to the U.S., but one of the phenomenon we’re beginning to see is a migration of capabilities from external infrastructure — that we’ve been aware of and observing for some time — the way this is going to go next in my mind is you’re going to see this in domestic manipulation. And that is a part now that no, I am not really involved with,” Rogers said.
16 May 2017 SASC Hearing
USCC’s Role Does NOT Include Securing ALL Control Systems

DoD Budget M: OT / CS 150,000,000 | DoD # of Devices: IT / IS 8,000,000 | IT / IS 30,000,000,000 | OT / CS 2,000,000,000

AFCEC Cybersecurity
Figure labels: RFP 5/Year; CE CS Design Review 2-4/Month; Integration Project and Estimate Development 2-5/Month; CS argeBase 14 CECS/Year; Materials Acquisition; RMF Package Development & Maintenance; Control System Enclave (CE) Deployment ents; Help Desk Support; Small Base 3 CECS/Year; Medium Base 7 CECS/Year
CS Threat Awareness & Incident Response
- 50-70 Advisories/Month
- 1 CE Health Report/Month
- 4-6 Hours Monitoring/Day
- 2-4 Hours Intrusion Detection/Day
- 1 Hour Forensics/Month
- 4 Technical Docs/Yr

SCADA Security Scientific Symposium (S4) Target Network
Corporate Zone
- Domain Controller
- FTP Server
- Windows 7 Workstation
- Windows XP Workstation
- BACnet Controller
DMZ
- Advantech OPC Server
- Proficy Historian
Control Zone
- iFix Server
- iFix HMI
- Schneider Electric Modicon PLCs
- Allen Bradley MicroLogix PLC
- ADAM Advantech PLC

Casino Hacked Via Thermometer
Thermometer in lobby aquarium hacked to pull high roller database to the cloud

Ski Lift Control Panel Unprotected
- April 26, 2018 – Innsbruck Australia Ski Lift control panel – accessible to anyone on the internet – could manipulate the lift’s speed, cable tension, & distance between passenger cabins.
- Use Shodan to discover and classify OT devices!

What’s Your Cyber ‘Risk’ or ‘Trust’ Score?
Vendors: Bitsight, Risk Recon, Security Scorecard, Upguard, Others (upguard.com)
- All use public information & network signatures for FICO score-like rating approximating relative risk
- Enables intelligence for evaluation of critical suppliers, vendors, and others in the industry
- Augments Business Intelligence Unit and Security Operations Center; cues alerts to potential cyber or physical threats to our supply chains and internal infrastructure
- Each vendor's approach & scores roughly similar
- Need to verify accuracy – may detect one or more notables that were not really present in the enterprise under evaluation (e.g. a sub-domain or IP address not really associated with the target)
- Benefit / Objectives: Credibility when approaching supplier/partner with a security issue; avoid false positives & decrease time to investigate and mitigate

Best Practices to Cyber Secure Control Systems
Mission Assurance Senior Steering Group Control Systems Working Group
- Develop Password Policies
- Security Awareness and Training
- Patch Management
- Maintenance Activities
- Modem Connection
- Network Design
- Securing Host Systems
Advanced Cyber Industrial Control System Tactics, Techniques, Procedures
- Detection: Routine Monitoring, Inspection, Identification of adversarial presence, Documentation, Notifications
- Mitigation: Protect the information network, Acquire and protect data for analysis, Maintain operations during an active attack
- Recovery: Identify mission priorities, Acquire and protect data for analysis, Systematically Recover each affected device, Systematically reintegrate devices, processes, and network segments, Test and verify system to ensure devices are not re-infected

Discussion

DoD & Commercial Resources
- DoD CIO Knowledge Service (requires CAC) https://rmfks.osd.mil/login.htm
- Department of Defense Advanced Control System Tactics, Techniques, and Procedures (TTPs) s.aspx
- UFC 4-010-06 CYBERSECURITY OF FACILITY-RELATED CONTROL SYSTEMS Sept iteria-ufc/ufc-4-010-06
- Strategic Environmental Research and Development Program (SERDP) and Environmental Security Technology Certification Program (ESTCP) [info & funding ersecurity-Guidelines
- DoD OASD(EI&E) and Federal Facilities Council (FFC), under the National Research Council (NRC) sponsored a 3-day Building Control System Cyber Resilience Forum in Nov PS 166792
- DoDI 5000.02 Cybersecurity in the Defense Acquisition System Jan 500002 dodi 2015.pdf
- Whole Building Design Guide website cyber S-TIP-12-146-01B
- Workshops / Building Control Systems Cyber Security
- rial Control Systems Joint Working Group trol-Systems-Joint-Working-Group-ICSJWG
