Showing posts with label Intrusion.

Sunday, April 28, 2013

Detecting Cyber Intrusion in SCADA System

How to recognize an intrusion?

One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur.

An intruder who gains control of a substation computer can modify the computer code or insert a new program. The new software can be programmed to quietly gather data (possibly including the log-on passwords of legitimate users) and send the data to the intruder at a later time.

It can be programmed to operate power system devices at some future time or upon the recognition of a future event. It can set up a mechanism (sometimes called a ‘‘backdoor’’) that will allow the intruder to easily gain access at a future time.

Such an intrusion may never be noticed. If the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data may leave no visible trace. Even when the intrusion does result in damage (e.g., intentionally opening a circuit breaker on a critical circuit), it may not be at all obvious that the false operation was due to a security breach rather than some other failure (e.g., a voltage transient, a relay failure, or a software bug).

For these reasons, it is important to strive to detect intrusions when they occur. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS).

These systems are designed to recognize intrusions based on a variety of factors, including primarily:

  • Communications attempted from unauthorized or unusual addresses and
  • An unusual pattern of activity.

They generate logs of suspicious events. The owners of the systems then have to inspect the logs manually and determine which represent true intrusions and which are false alarms.



To make the situation more difficult, hackers have learned to disguise their network probes so they do not arouse suspicion. In addition, it should be recognized that there is as much a danger of having too many events flagged as suspicious as having too few.

Users will soon learn to ignore the output of an IDS that announces too many spurious events. There are outside organizations however that offer the service of studying the output of IDSs and reporting the results to the owner. They will also help the system owner to tune the parameters of the IDS and to incorporate stronger protective features in the network to be safeguarded.

Making matters more difficult, most IDSs have been developed for corporate networks with publicly accessible internet services. More research is necessary to investigate what would constitute unusual activity in a SCADA/SA (substation automation) environment, where traffic is far more repetitive and predictable than on a corporate network.

In general, SA and other control systems do not have logging functions to identify who is attempting to obtain access to these systems. Efforts are underway in the commercial arena and with the National Laboratories to develop intrusion detection capabilities for control systems.
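The two detection factors listed above (communications from unauthorized or unusual addresses, and unusual patterns of activity) map naturally onto the predictable traffic of a substation network. The following is an added example, not code from the original post or from any IDS vendor: a learning phase records which sources talk to which devices with which protocol functions, and the detection phase flags anything outside that baseline, plus bursts of state-changing commands. The log format, the addresses and the function names are constructed for the example, and rate_tolerance is the tuning knob the post refers to when it warns about too many spurious events.

```python
"""Allow-list anomaly detection over substation gateway connection logs."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample logs (not captured traffic). Format per line:
# "<HH:MM:SS> <src_ip> <dst_ip> <protocol> <function>"
BASELINE_LOG = """\
08:00:01 10.1.1.5 10.1.2.10 modbus read_holding_registers
08:00:02 10.1.1.5 10.1.2.11 modbus read_holding_registers
08:00:05 10.1.1.5 10.1.2.10 modbus write_single_coil
08:01:01 10.1.1.5 10.1.2.10 modbus read_holding_registers
08:01:02 10.1.1.5 10.1.2.11 modbus read_holding_registers
08:01:05 10.1.1.5 10.1.2.10 modbus write_single_coil
08:02:01 10.1.1.6 10.1.2.12 dnp3 read
08:02:04 10.1.1.6 10.1.2.12 dnp3 operate
"""

LIVE_LOG = """\
08:10:01 10.1.1.5 10.1.2.10 modbus read_holding_registers
08:10:02 192.168.7.77 10.1.2.10 modbus read_holding_registers
08:10:03 10.1.1.5 10.1.2.11 modbus write_multiple_registers
08:10:05 10.1.1.5 10.1.2.10 modbus write_single_coil
08:10:06 10.1.1.5 10.1.2.10 modbus write_single_coil
08:10:07 10.1.1.5 10.1.2.10 modbus write_single_coil
08:10:08 10.1.1.5 10.1.2.10 modbus write_single_coil
"""

# Functions that change device state; these are what an intruder would use to operate equipment.
WRITE_FUNCTIONS = {"write_single_coil", "write_multiple_registers", "operate", "direct_operate"}


@dataclass
class Profile:
    known_sources: set = field(default_factory=set)
    known_flows: set = field(default_factory=set)   # (src, dst, protocol, function) tuples
    peak_writes_per_minute: dict = field(default_factory=dict)  # src -> most writes seen in one minute


def parse(log_text):
    """Split log lines into (minute_bucket, src, dst, protocol, function) tuples."""
    records = []
    for line in log_text.strip().splitlines():
        ts, src, dst, proto, func = line.split()
        records.append((ts[:5], src, dst, proto, func))
    return records


def learn(records):
    """Learning phase: everything seen in the baseline window is treated as normal."""
    profile = Profile()
    writes = Counter()
    for minute, src, dst, proto, func in records:
        profile.known_sources.add(src)
        profile.known_flows.add((src, dst, proto, func))
        if func in WRITE_FUNCTIONS:
            writes[(src, minute)] += 1
    for (src, _minute), n in writes.items():
        profile.peak_writes_per_minute[src] = max(profile.peak_writes_per_minute.get(src, 0), n)
    return profile


def detect(records, profile, rate_tolerance=2.0):
    """Detection phase: flag unknown addresses, never-seen flows, and write bursts.

    rate_tolerance is the multiple of the baseline peak write rate allowed before a
    burst is flagged. Raising it trades missed detections for fewer false alarms.
    """
    alerts = []
    writes = Counter()
    rate_alerted = set()
    for minute, src, dst, proto, func in records:
        if src not in profile.known_sources:
            alerts.append((minute, "unknown_source", src, dst, func))
            continue
        if (src, dst, proto, func) not in profile.known_flows:
            alerts.append((minute, "unusual_flow", src, dst, func))
            continue
        if func in WRITE_FUNCTIONS:
            writes[(src, minute)] += 1
            limit = profile.peak_writes_per_minute.get(src, 0) * rate_tolerance
            if writes[(src, minute)] > limit and (src, minute) not in rate_alerted:
                rate_alerted.add((src, minute))   # one alert per source per minute, not one per packet
                alerts.append((minute, "write_rate", src, dst, func))
    return alerts


if __name__ == "__main__":
    profile = learn(parse(BASELINE_LOG))
    for alert in detect(parse(LIVE_LOG), profile):
        print(*alert)
```

Run as-is, the live window produces three alerts: a read from an address never seen in the baseline, an authorized HMI issuing a write it has never issued to that device, and a burst of coil writes beyond twice the baseline peak. Raising rate_tolerance to 10 silences the burst alert, which is exactly the trade-off the post describes: the knob must be tuned against real baseline traffic, and the remaining alerts still have to be inspected by a person.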

Summary

In summary, the art of detecting intrusions into substation control and diagnostic systems is still in its infancy.

Until dependable automatic tools are developed, system owners will have to place their major efforts in two areas:

  • Preventing intrusions from occurring, and
  • Recovering from them when they occur.

Friday, February 24, 2012

Intrusion Detection for Embedded Control Systems

Digital Bond's SCADA Security Scientific Symposium (S4)

S4 did include one paper from academia, "IDS for Embedded Control Systems", presented by Jason Reeves of Dartmouth College and the TCIPG effort. Jason and a TCIPG team had previously developed a research product called Autoscopy and have recently enhanced it in Autoscopy Jr.

The primary purpose of Autoscopy Jr. is to detect rootkits on embedded control systems while limiting the overhead to less than 5%. The primary method is to monitor the sequence of executed instructions in a learning phase and then detect behavior that is indicative of rootkits, in particular control-flow changes such as redirected function pointers. Jason refers to it as something akin to function-level whitelisting.


It is a detailed technical talk worth watching if you are interested in the future of IDS in PLCs, RTUs and other field devices. The performance testing showed it was under the 5% threshold, and there were ways to improve the performance further by identifying the most resource-intensive Kprobes.

The effectiveness is an open question. The team did test this against 15 rootkits that attempted control flow hijacking, but there was not a set of real world embedded system rootkits to test against.
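To make the "function-level whitelisting" idea concrete, here is an added example that is not Autoscopy's code and does not use Kprobes: it consumes a trace of indirect calls as (call site, target) pairs, learns which targets each call site legitimately reaches, and then flags any call whose target falls outside that set. The call sites and symbol names are invented for the illustration; on a real kernel they would come from the probe points the tool instruments.

```python
"""Learn-then-check on indirect call targets, in the spirit of function-level whitelisting."""
from collections import defaultdict

# Constructed trace: one indirect call per line, "<call_site> -> <target>".
# Names are made up for the example and are not real kernel symbols or addresses.
TRAINING_TRACE = """\
syscall_dispatch -> sys_read
syscall_dispatch -> sys_write
syscall_dispatch -> sys_getdents64
syscall_dispatch -> sys_open
vfs_readdir -> ext4_readdir
vfs_readdir -> proc_readdir
net_rx_handler -> ip_rcv
"""

# Live trace after a hypothetical compromise: the syscall table entry for getdents64 now
# points at injected code, and a network hook has been redirected to an unrelated function.
LIVE_TRACE = """\
syscall_dispatch -> sys_read
syscall_dispatch -> hidden_getdents64
vfs_readdir -> ext4_readdir
net_rx_handler -> ip_rcv
net_rx_handler -> ext4_readdir
"""


def parse_trace(text):
    """Return a list of (call_site, target) pairs from the trace text."""
    pairs = []
    for line in text.strip().splitlines():
        site, target = (part.strip() for part in line.split("->"))
        pairs.append((site, target))
    return pairs


def learn_targets(pairs):
    """Learning phase: record the set of targets observed at each call site."""
    allowed = defaultdict(set)
    for site, target in pairs:
        allowed[site].add(target)
    return dict(allowed)


def check_trace(pairs, allowed):
    """Detection phase: report each call whose target is not whitelisted for its site.

    The whitelist is per call site, not global. That distinction matters: a hook that
    redirects a call to some other legitimate function would pass a global list of
    known functions but fails a per-site check.
    """
    violations = []
    known_anywhere = set().union(*allowed.values()) if allowed else set()
    for site, target in pairs:
        if site not in allowed:
            violations.append((site, target, "unprofiled_call_site"))
        elif target not in allowed[site]:
            reason = "known_function_wrong_site" if target in known_anywhere else "unknown_target"
            violations.append((site, target, reason))
    return violations


if __name__ == "__main__":
    allowed = learn_targets(parse_trace(TRAINING_TRACE))
    for violation in check_trace(parse_trace(LIVE_TRACE), allowed):
        print(*violation)
```

The two violations it reports correspond to the two classic hooking patterns: a jump into code the learning phase never saw, and a legitimate function reached from a call site that should never reach it. The limitation the talk acknowledges applies here too: a rootkit that alters data (hiding a process by unlinking it from a list, say) without changing any call target is invisible to this check, and the whitelist is only as complete as the workload exercised during learning.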

Refer here to watch the presentation video.

Sunday, October 16, 2011

10 Domains of Cloud Security Services

Cloud Security Alliance Foresees Security as a Service

Security poses a major challenge to the widespread adoption of cloud computing, yet an association of cloud users and vendors sees the cloud as a provider of information security services.

The Security-as-a-Service Working Group of the Cloud Security Alliance, a not-for-profit association formed by cloud-computing stakeholders, issued a report Monday that defines 10 categories of security services that can be offered over the cloud.

The alliance said its report is aimed at providing cloud users and providers greater clarity on security as a service in order to ease its adoption while limiting the financial burden security presents to organizations. The 10 security-as-a-service categories are:
  1. Identity and Access Management should provide controls for assured identities and access management. Identity and access management includes people, processes and systems that are used to manage access to enterprise resources by assuring the identity of an entity is verified and is granted the correct level of access based on this assured identity.

    Audit logs of activity such as successful and failed authentication and access attempts should be kept by the application/solution.

  2. Data Loss Prevention is the monitoring, protection and verification of the security of data at rest, in motion and in use, in the cloud and on-premises. Data loss prevention services usually protect data by running as some sort of client on desktops/servers and enforcing rules about what can be done with it.

    Within the cloud, data loss prevention services could be offered as something that is provided as part of the build, such that all servers built for that client get the data loss prevention software installed with an agreed set of rules deployed.

  3. Web Security is real-time protection offered either on-premise through software/appliance installation or via the cloud by proxying or redirecting web traffic to the cloud provider.

    This provides an added layer of protection on top of things like AV to prevent malware from entering the enterprise via activities such as web browsing. Policy rules around the types of web access and the times this is acceptable also can be enforced via these web security technologies.

  4. E-mail Security should provide control over inbound and outbound e-mail, thereby protecting the organization from phishing and malicious attachments, enforcing corporate policies such as acceptable use and spam and providing business continuity options.

    The solution should allow for policy-based encryption of e-mails as well as integrating with various e-mail server offerings. Digital signatures enabling identification and non-repudiation are features of many cloud e-mail security solutions.

  5. Security Assessments are third-party audits of cloud services or assessments of on-premises systems based on industry standards. Traditional security assessments for infrastructure and applications and compliance audits are well defined and supported by multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a number of tools have been implemented using the SaaS delivery model.

    In the SaaS delivery model, subscribers get the typical benefits of this cloud computing variant: elasticity, negligible setup time, low administration overhead and pay-per-use with low initial investments.

  6. Intrusion Management is the process of using pattern recognition to detect and react to statistically unusual events. This may include reconfiguring system components in real time to stop/prevent an intrusion.

    The methods of intrusion detection, prevention and response in physical environments are mature; however, the growth of virtualization and massive multi-tenancy is creating new targets for intrusion and raises many questions about the implementation of the same protection in cloud environments.

  7. Security Information and Event Management systems accept log and event information. This information is then correlated and analyzed to provide real-time reporting and alerting on incidents/events that may require intervention.

    The logs are likely to be kept in a manner that prevents tampering to enable their use as evidence in any investigations.

  8. Encryption systems typically consist of algorithms that are computationally difficult or infeasible to break, along with the processes and procedures to manage encryption and decryption, hashing, digital signatures, certificate generation and renewal and key exchange.

  9. Business Continuity and Disaster Recovery are the measures designed and implemented to ensure operational resiliency in the event of any service interruptions.

    Business continuity and disaster recovery provides flexible and reliable failover for required services in the event of any service interruptions, including those caused by natural or man-made disasters or disruptions. Cloud-centric business continuity and disaster recovery makes use of the cloud's flexibility to minimize cost and maximize benefits.

  10. Network Security consists of security services that allocate access, distribute, monitor and protect the underlying resource services. Architecturally, network security provides services that address security controls at the network in aggregate or specifically addressed at the individual network of each underlying resource.

    In a cloud/virtual environment, network security is likely to be provided by virtual devices alongside traditional physical devices.
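Item 7 notes that SIEM logs should be kept in a way that prevents tampering so they can serve as evidence. One way to do that, shown here as an added example rather than anything from the CSA report or a particular SIEM product, is to chain each log entry to its predecessor with a keyed hash: every entry's tag covers the previous tag and its own content, so editing, inserting or deleting any entry breaks the chain from that point on. The key and the sample authentication events are constructed for the example; the assumption that makes the scheme useful is that the verification key is held by the collector (the SIEM), not by the host writing the log, so an intruder with root on that host cannot recompute the tags.

```python
"""HMAC hash chain for tamper-evident log storage."""
import hashlib
import hmac
import json

# Assumption for the example: this key lives with the SIEM/collector, never on the logging host.
SIEM_KEY = b"example-key-held-by-the-siem"   # constructed value; never hard-code real keys
GENESIS = "0" * 64                            # tag of the (empty) entry before the first one

# Constructed sample events: two failed root logins followed by a success from the same address.
SAMPLE_EVENTS = [
    {"ts": "2011-10-16T08:00:01Z", "event": "auth_ok",   "user": "alice", "src": "10.0.0.5"},
    {"ts": "2011-10-16T08:00:07Z", "event": "auth_fail", "user": "root",  "src": "203.0.113.9"},
    {"ts": "2011-10-16T08:00:09Z", "event": "auth_fail", "user": "root",  "src": "203.0.113.9"},
    {"ts": "2011-10-16T08:00:12Z", "event": "auth_ok",   "user": "root",  "src": "203.0.113.9"},
]


def entry_tag(key, prev_tag, record):
    """Keyed hash over the previous tag and a canonical JSON form of this record."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(log, record, key=SIEM_KEY):
    """Append a record to the chain, linking it to the current head."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": dict(record), "tag": entry_tag(key, prev, record)})
    return log


def verify_log(log, key=SIEM_KEY):
    """Return the index of the first entry whose link is broken, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if not hmac.compare_digest(entry["tag"], entry_tag(key, prev, entry["record"])):
            return i
        prev = entry["tag"]
    return None


def build_log(events=SAMPLE_EVENTS):
    log = []
    for event in events:
        append_record(log, event)
    return log


def tamper_demo():
    """Show the chain passing, then failing after the successful root login is edited away."""
    log = build_log()
    before = verify_log(log)
    log[3]["record"]["event"] = "auth_fail"   # intruder rewrites the entry that exposes them
    return before, verify_log(log)


if __name__ == "__main__":
    print("intact, first bad index after edit:", tamper_demo())
```

Because each tag depends on the tag before it, deleting an entry is caught at the entry that followed it, and appending forged history requires the key. What the chain cannot do is stop a tamperer from truncating the log at the end, so the collector should also record the latest tag it has received and treat a shrinking log as an incident.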

Tuesday, August 30, 2011

Singapore Airport enhances airfield security with fibre-optic sensors

No system is fool-proof and perfect

Changi Airport will be the world's first airport to reinforce its perimeter fences with fibre-optic sensors to detect intruders.

More cameras will also be installed at airport boundaries, which will be integrated with the new multi-million-dollar defence system called AgilFence, made by Singapore Technologies (ST) Electronics.

Said Changi Airport Group's executive vice-president (airport management) Foo Sek Min: "No system is fool-proof and perfect."

"And as we review our existing perimeter protection, the introduction of this perimeter intrusion detection system will help us to have a better and faster response if there are any signs of intrusion."

The pressure-sensitive sensors are protected by an armoured casing to prevent tampering and for easy maintenance.

ST Electronics said the system is expected to last a decade, adding that it is immune to electromagnetic and radio frequency interferences, making it effective for deployment in an airfield.

The system is expected to be fully operational by end-2012.

Thursday, August 18, 2011

US-CERT: Security Recommendations to Prevent Cyber Intrusion

Good practice guidelines to prevent cyber intrusion attacks

US-CERT is providing this Technical Security Alert in response to recent, well-publicized intrusions into several government and private sector computer networks. Network administrators and technical managers should not only follow the recommended security controls for information systems outlined in NIST SP 800-53 but also consider the following measures. These measures include both tactical and strategic mitigations and are intended to enhance existing security programs.

Recommendations

  • Deploy a Host Intrusion Detection System (HIDS) to help block and identify common attacks.
  • Use an application proxy in front of web servers to filter out malicious requests.
  • Ensure that allow_url_fopen (and, on PHP 5.2 and later, allow_url_include) is disabled in php.ini on the web server to help limit PHP remote file inclusion attacks.
  • Limit the use of dynamic SQL code by using prepared statements, queries with parameters, or stored procedures whenever possible. Information on SQL injections is available at http://www.us-cert.gov/reading_room/sql200901.pdf.
  • Follow the best practices for secure coding and input validation; use the secure coding guidelines available at: https://www.owasp.org/index.php/Top_10_2010 and https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/305-BSI.html.
  • Review US-CERT documentation regarding distributed denial-of-service attacks: http://www.us-cert.gov/cas/tips/ST04-015.html and http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf.
  • Disable active scripting support in email attachments unless required to perform daily duties.
  • Consider adding the following measures to your password and account protection plan:
      • Use a two-factor authentication method for accessing privileged root-level accounts.
      • Use a minimum password length of 15 characters for administrator accounts.
      • Require the use of alphanumeric passwords and symbols.
      • Enable password history limits to prevent the reuse of previous passwords.
      • Prevent the use of personal information, such as phone numbers and dates of birth, as passwords.
      • Deploy NTLMv2 as the minimum authentication method and disable the storage and use of LAN Manager (LM) password hashes.
      • Use a minimum password length of 8 characters for standard users.
      • Disable local machine credential caching, if not required, through a Group Policy Object (GPO).
      • Deploy a secure password storage policy that provides password encryption.
  • If an administrator account is compromised, change the password immediately to prevent continued exploitation. Changes to administrator account passwords should only be made from systems that are verified to be clean and free from malware.
  • Implement guidance and policy to restrict the use of personal equipment for processing or accessing official data or systems (e.g., working from home or using a personal device while at the office).
  • Develop policies to carefully limit the use of all removable media devices, except where there is a documented valid business case for its use. These business cases should be approved by the organization with guidelines for their use.
  • Implement guidance and policies to limit the use of social networking services at work, such as personal email, instant messaging, Facebook, Twitter, etc., except where there is a valid approved business case for its use.
  • Adhere to network security best practices. See http://www.cert.org/governance/ for more information.
  • Implement recurrent training to educate users about the dangers involved in opening unsolicited emails and clicking on links or attachments from unknown sources. Refer to NIST SP 800-50 for additional guidance.
  • Require users to complete the agency's "acceptable use policy" training course (to include social engineering sites and non-work related uses) on a recurring basis.
  • Ensure that all systems have up-to-date patches from reliable sources. Remember to scan for malware and validate hashes or signatures to detect modification as part of the update process.
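The recommendation to replace dynamic SQL with prepared statements is easiest to appreciate side by side. The following is an added example, not part of the US-CERT alert, using Python's standard sqlite3 module against an in-memory table; the table, the users and the payload are constructed for the demonstration.

```python
"""Dynamic SQL beside a parameterized query, run against an in-memory SQLite table."""
import sqlite3

# Constructed sample data; the table and users are invented for the example.
SAMPLE_USERS = [("alice", "admin"), ("bob", "operator"), ("carol", "viewer")]

# Classic tautology payload: closes the quoted literal and appends an always-true condition.
INJECTION = "x' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_dynamic_sql(conn, username):
    """Vulnerable: the input becomes part of the statement text and is parsed as SQL.

    With INJECTION the statement becomes
        SELECT username, role FROM users WHERE username = 'x' OR '1'='1'
    and every row comes back.
    """
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """Hardened: the statement text is fixed; the driver binds the value as data, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("dynamic SQL:", lookup_dynamic_sql(conn, INJECTION))
    print("prepared   :", lookup_prepared(conn, INJECTION))
```

For ordinary input both functions return the same row, which is why the vulnerable form survives testing; the difference only shows on hostile input, where the parameterized query looks for a user literally named `x' OR '1'='1` and finds nothing. The same binding mechanism exists in every mainstream driver and ORM, and it should be the default even when input "looks" trusted.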