
Your Building Automation Network is Under Attack

Learn about potential cyber threats faced by Building Automation Systems (BAS) and strategies to safeguard them. Understand the challenges, security vulnerabilities, and current solutions for ensuring the integrity of critical infrastructure industries.



Presentation Transcript


  1. Mr. Aaron Fansler Your Building Automation Network is Under Attack This Briefing is Proprietary and Competition Sensitive

  2. Introduction • Mr. Aaron Fansler • B.S. Applied Mathematics • M.S. Information Assurance • M.S. Computer Science • PhD Candidate, Computer Science with emphasis on Machine Learning • 10 years military (USAF & US Army) • Since 2002 working on Industrial Control Systems • SCADA, ICS, O.T., IIoT (acronym of the day) • Previously at a Department of Energy National Laboratory • Chief Technologist at Ampex

  3. What Are Building Automation Systems

  4. Is it real or Hollywood • There was a time when the thought of hacking a heating, ventilation, and air conditioning (HVAC) system would have been more likely to be part of a fictional movie plot than a news story. • Google announced in 2013 a vulnerability in Google's own building management system (BMS). • Target was attacked via the HVAC system

  5. Who Would and Why Attack a BAS • Test - Using honeypots of control system devices in our laboratory over February, with multiple vendors and multiple infrastructures represented (power, water, CCTV, facility access, elevators, heating), we documented: • 54 attacks from 14 different countries • 46% originated in China • 24% came from within the U.S. • Almost two attacks a day, every day, for 28 days

  6. Why Would they Attack a BAS • Why attack our simulation? • Simply, because we are there. We are a target of opportunity. • Zero strategic value but they still attacked • Like a mouse in a maze, we monitored everything they did, we saw where they went. • Most was non-destructive, some were not. • Can you honestly say that you have 100% network situational awareness of your control system / BAS network? • Can you afford an attack?

  7. A Cybersecurity Approach for ICS – In the beginning….. • Industrial control systems (ICS) security was much simpler before the web, or before it became the “buzz” • Vendors designed control systems with automation and reliability in mind, not security • Then the internet crept in, and with it the threat of connectivity-enabled attacks that don’t require physical access to plants or their systems • A.I.C vs C.I.A

  8. Playing Catchup • Let’s be honest, I.T. Cybersecurity has a tremendous head start on ICS/O.T. Cybersecurity • Because of this, ICS/O.T. security must adapt quicker and come up with better solutions from the start • Not only do we need to worry about I.T. related threats but O.T. specific threats

  9. We All Know The Challenges of OT Security • Industry never designed legacy systems for the Information Age • Cyber security was not considered at install, and adding it onto old tech is difficult • Vendor software often runs on unpatched or unsupported operating systems (Windows 95, 98, XP…etc) • Industry engineers are not trained to be cyber security experts. • Cyber security experts are not industrial engineers….hard to find both • Information overload • Industry operators have exponentially more information to monitor. • Too much data.

  10. Generic Control System Pyramid [Figure: control system pyramid with the human machine interface at the top; annotations: “Most cyber security emphasis is here” (top), “Quadruple the amount of devices and zero protection” (bottom)] • Protection is focused at the top…proven threats also exist at the bottom Ampex Proprietary

  11. Current Solutions for Critical Infrastructures Industries • Retread of IT capabilities for OT/ICS – proven it doesn’t work • Traditionally, cyber security relied on rules-based or signature-based pattern matching. • Find malware and generate signatures • Only detects malware that is known – it has to match a virus definition or signature • Most ICS/OT solutions focus on low hanging fruit • Log aggregation • Signature based • “AI”-powered cyber attacks are on the rise • Such attacks hide definitive characteristics and signatures • We will lose if we stick with the same defensive game plan The old IT way of security does not protect ICS devices! OT/ICS Security is an arms race – we have to ADAPT Commercial-in-Confidence

  12. Things I’ve been told on Assessments • It’s a “closed network” • In 2011 I demonstrated that I could shut down a power system by hacking the GPS. Imagine what I can do now. • Why would anyone want to attack me? • Pizza plot attack • I could tell if we were hacked because I watch my HMI • Ask the guys in Iran about spoofing attacks • We don’t have any modems on our networks • I found 78 on a fuel management system that was connected to their corporate network for billing • I don’t care who’s on my network, as long as I can get my product from point “A” to point “B”

  13. Art of the Possible

  14. Ever Heard of the Dark Web • The “Dark Web” is a part of the world wide web that requires special software to access. • Much like the internet, the Dark Web is a network of websites, forums, and communication tools like email. • What differentiates the Dark Web from the internet is that users are required to run a suite of security tools that help anonymize web traffic.

  15. The Dark Web • Though the name sounds ominous, the Dark Web did not hatch from some evil hacker lab. • The Dark Web is simply a network of websites that require basic encryption technologies to be enabled before users can load content. • These are the same technologies that protect passwords when users log on to bank portals and sites like Gmail and Facebook

  16. Examples of What is Sold • Social Security number: $1 • Credit or debit card (credit cards are more popular): $5-$110 • Online payment services login info (e.g. Paypal): $20-$200 • Loyalty accounts: $20 • Subscription services: $1-$10 • Diplomas: $100-$400 • Driver’s license: $20 • Passports (US): $1000-$2000 • Medical records: $1-$1000* • Customized Exploits - Varies • A recent study by Carnegie Mellon researchers Soska and Christin has calculated that drug sales on the dark net total $100M

  17. Hacking is Easy - a caveman could do it • Buyers of these exploits don't need to be master hackers themselves. There are guides on how to spread your malware, and also phishing and carding tutorials. • Dark Web paying corporate workers to leak info or for access • Staff at an unnamed bank were found to be helping hackers maintain a persistent presence on their corporate networks.

  18. What’s on the “ClearNet” - Shodan Tool • Simple search for devices running Modbus that are connected to the internet in the U.S.

  19. Just found a Device • Default credentials / passwords

  20. Typical Approach • Nonintrusive fingerprinting phase. • This phase includes the ability to discover who owns the device, as well as what project the device is being used for. • Not actively scanning for vulnerabilities at this point, just information on the device that allows us to passively identify whether the device is vulnerable. • Most interested in vulnerabilities that would allow us to take over the device • For this scan I didn’t even need to scan the network; it was there and already open.

  21. Shodan makes life easy

  22. Pretty Easy Right? • This is the very first tool I use for Assessments • People make mistakes • People switch jobs – USAF example • New systems get added • Billing, maintenance, testing etc • Acquisitions • How many devices do I have…How many networks do I have?

  23. I had no idea • All of that was 100% in the clear and very easy to do • The BAS technician doesn’t have an IT background • Every BAS out there has had security vulnerabilities, and they will continue to in the future • The reality is that the people writing software are…. people • BAS devices shouldn’t be exposed to the Internet, but they are

  24. How Do We Protect • IP-enabled industrial control systems should be isolated within a dedicated network segment and accessed over an encrypted, authenticated channel such as a VPN. • These systems typically have limited built-in security controls and need all the help they can get to operate in a secure manner. • Strong passwords, detailed logging, and frequent security updates can help protect these systems from unauthorized tampering. • The bad guys know and are trained on current defensive tools and strategies • Must be better than they are • Faster, outside-the-box thinking and solutions • Understand your “Digital Footprint” and do things to minimize it
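An added defensive check for the segmentation and “digital footprint” points above (example code written for this transcript, not part of the briefing): it reads constructed firewall flow records and flags every allowed Modbus/TCP flow whose source lies outside the dedicated BAS segment, distinguishing Internet exposure from an internal segmentation gap. The segment range, the log format and the sample addresses are assumptions.

```python
import ipaddress
from typing import Dict, List

# Assumed dedicated BAS segment: only hosts here (HMI, engineering stations)
# may speak Modbus/TCP to controllers. Hypothetical range.
BAS_SEGMENT = [ipaddress.ip_network("10.50.0.0/24")]
# RFC 1918 ranges used to tell "internal but wrong segment" from "Internet".
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Modbus/TCP (port 502) is the protocol the Shodan search above looks for.
CONTROL_PORTS = {502: "modbus"}

# Constructed firewall flow records (not real logs): "src dst dport action".
SAMPLE_FLOWS = """\
10.50.0.21 10.50.0.101 502 ALLOW
203.0.113.77 10.50.0.101 502 ALLOW
10.20.7.9 10.50.0.102 502 ALLOW
10.50.0.22 10.50.0.103 443 ALLOW
198.51.100.5 10.50.0.104 502 DENY
"""


def in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def find_exposed_control_traffic(flows: str, segment=BAS_SEGMENT) -> List[Dict]:
    """Return each ALLOWed control-protocol flow whose source is outside the
    BAS segment. A public source means the controller is reachable from the
    Internet; an internal source outside the segment means the network is
    not actually isolated ("closed network" claims notwithstanding)."""
    findings = []
    for line in flows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than crash
        src, dst, dport, action = parts
        if int(dport) not in CONTROL_PORTS or action != "ALLOW":
            continue  # only allowed control-protocol traffic matters here
        if in_any(src, segment):
            continue  # expected: HMI/engineering host inside the segment
        severity = "segmentation-gap" if in_any(src, INTERNAL) else "internet-exposed"
        findings.append({"src": src, "dst": dst,
                         "proto": CONTROL_PORTS[int(dport)], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_exposed_control_traffic(SAMPLE_FLOWS):
        print(f"{f['severity']:17} {f['proto']} {f['src']} -> {f['dst']}")
```

Run against real firewall or NetFlow exports, any "internet-exposed" hit is a device that belongs behind the VPN, and any "segmentation-gap" hit (for example a billing or maintenance host) is a path to audit.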

  25. Conclusion • Attack of some kind is inevitable. It’s just a matter of when • IT security solutions don’t work well for OT. • Good OT/ICS/BAS solutions are limited on the market. Most are just retread IT solutions or IT Techniques. “Out of the Box” thinking and approaches are needed • The way we approach cyber defense for ICS/OT networks must be different. Our attackers are adapting faster than we do • AGAIN….Understand your “Digital Footprint” and do things to minimize it

  26. Questions