FOUNDATIONS OF OPERATIONAL RISK IMT 556 Week #6 Autumn 2013

Administrative Details You should all have your papers back by now You should name every paper you write with a title – Paper #1 is not a title Following the instructions gets you a higher grade Watch the video to see how to read my comments Come talk to me if you don’t understand the comments Next week’s speakers =Christopher Dahl, Deloitte; and Chris Rivinus, Tullow Oil (Africa’s leading independent oil company) Next week’s “Real World” = Third Party/Human Risk

News of the week Federal Prosecutors, in a Policy Shift, Cite Warrantless Wiretaps as Evidence Spying Known at Top Levels, Officials Say NSA bills set up a choice in Congress: End bulk collection of phone records or endorse it NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say

Cyber Threat People System Processes External Events Vulnerability to social engineering Contractors System Flaws and security holes Access to IP Processes Lack of effective controls Looking in the wrong place External Events Hacks from other entities (criminal, Anonymous) Hacks by other governments (Ponemon Rpt)

Cyber security breakdowns NY Times and Wall Street Journal – Jan 2013 Impact: 450,000 usernames and passwords compromised Twitter – February 2013 Impact: Inappropriate messages were posted through Burger King’s account posing as McDonald’s Adobe – October 2013 Impact: As many as 38 million customers affected

Risk to the Nation’s Critical Infrastructure Vulnerabilities inherent in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems (primarily in the private sector) which govern networks including power, water, and chemical production among other vital operations. Risks to confidential databases held by the government: Social Security, Medicare, Internal Revenue Service that include private information on its citizens. Global risks to national credibility and reputation that are a result of either government activity or a lack of information sharing between government and the private sector.

The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack

SCADA Systems Supervisory control and data acquisition is a type of industrial control system (ICS). Includes manufacturing, production, power generation,  water treatment and distribution, wastewater collection and  treatment, oil and gas pipelines, electrical power transmission,  heating, ventilation, and air conditioning systems (HVAC), access, and energy consumption. Not designed with security in mind. Can not differentiate between legitimate requests and malicious responses. SCADA systems were traditionally on isolated networks that would require an attacker to first gain physical access to the target facility, but not anymore.

Natanz Nuclear Facility in Iran attacked by the Stuxnet worm Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran's nuclear facilities. Affected 1000 out of 5000 uranium purifier centrifuges Justification: Iran was suspected to be pursuing a nuclear weapons program

Saudi Aramco Hack – August 15, 2012 The virus — called Shamoon after a word embedded in its code — was designed to do two things: replace the data on hard drives with an image of a burning American flag report the addresses of infected computers — a bragging list of sorts — back to a computer inside the company’s network.

Telvent Security Hack – Sept 10, 2012 Internal firewall and security systems breach SCADA Admin Tool OASyS SCADA Compromised - a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies Attacker(s) installed malicious software and stole project files The digital fingerprints left behind by the attackers point to a Chinese hacking team known as the ‘Comment Group’

Mitigating Cyber Threats Resilience Strengthen digital and network infrastructure to be more resistant to attacks Quick recovery Reduce cyber threats Information about the intentions of cyber adversaries counter-social engineering training. Make potentially critical cyber-security information available to law enforcers, government, intelligence agencies

Cyber Intelligence Sharing and Protection Act (CISPA) Would have allowed for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies. The stated aim of the bill was to help the U.S government investigate cyber threats and ensure the security of networks against cyber attack. Currently “dying a quiet death” in the Senate Trust issues very high between government and private sector

Failed Attempts at Cyber Legislation SOPA PIPA Cyber Security Act of 2010 CISPA SOPA, PIPA, CISMA and CISPA were all met with widespread protest due to privacy concerns: US government would be able to read Americans’ personal e-mails, online chat conversations, and other personal information that only private companies and servers might have access to.