Geneva, Switzerland, September 2014 Critical infrastructure protection: standardization to protect critical infrastructure objects Viacheslav Zolotnikov, Sr.Technology Research Manager, Kasperksy Lab, ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, September 2014)

Geneva, Switzerland, September Threats History Slammer, Blaster and the Great Blackout January 2003, the Slammer worm knocked out 911 emergency telephone service in Bellevue, Wash. The Blaster worm affected more than a million computers running Windows during the days after Aug “critical to the blackout were a series of alarm failures at FirstEnergy, a power company in Ohio” computer hosting the control room's "alarm and logging software" failed status computer at the Midwest Independent Transmission System Operator, a regional agency that oversees power distribution, failed Source :

Geneva, Switzerland, September Threats History Stuxnet quickly propagated throughout Natanz A double agent used a typical USB drive carrying a deadly payload to infect Iran's Natanz nuclear facility with the highly destructive Stuxnet computer worm, according to a story by ISSSource “August 2010, Stuxnet, as a worm intended to hit critical infrastructure companies left a back door that was meant to be accessed remotely to allow outsiders to stealthily control the plant” “Malware includes a rootkit, which is software designed to hide the fact that a computer has been compromised, and other software that sneaks onto computers by using a digital certificates signed two Asian chip manufacturers that are based in the same industrial complex - RealTek and Jmicron” Source :

Geneva, Switzerland, September Threats History Jan : Monju nuke power plant facility PC infected with virus “A computer being used at the Monju prototype fast- breeder reactor facility in Tsuruga, Fukui Prefecture, was recently discovered to have contracted a virus, and officials believe that some data from the computer may have been leaked as a result” “According to the Japan Atomic Energy Agency, which operates the facility, the computer in question was being used by on-duty facility employees to file company paperwork when the virus was first detected on Jan 2” “…the computer was infected with the virus when a video playback program was attempting to perform a regular software update” Source :

Geneva, Switzerland, September Threats History Backdoor In Equipment Used For Traffic Control, Railways Called “Huge Risk” Security hole (back door account “factory”) in industrial control software by the firm RuggedCom Potentially affected wide range of critical infrastructure, including rail lines, traffic control systems and electrical substations April 2011 to July 2011 – no actions from RuggedCom February 2012 : US-CERT notified and “warning” issued Source:

Geneva, Switzerland, September Issues Main issue – Do not “touch” the working system. How about computer system connected to the internet ? Hacking Passwords complexity check bypass, hardcoded passwords for systems System’s regular maintenance, applying patches HMIs using mobile phone interfaces

Geneva, Switzerland, September Kaspersky SCADA Honeypot Run in September’13 SCADA computer with public IP “acting as industrial system PC” 1294 unauthorized access attempts 422 succeded access cases 34 cases of access by the development environment systems 7 cases of downloading the PLC configuration 1 case of PLC reprogramming (!!!)

Geneva, Switzerland, September Researchers Delivers During talks on SCADA security problems at the Kaspersky- Threatpost Security Analyst Summit [in Feb’12], several other researchers talked about the serious issues inherent in these ICS installations, and the picture they painted is one of systemic problems and a culture of naivete about security in general. Terry McCorkle, an industry researcher, discussed a research project he did with Billy Rios in which they went looking for bugs in ICS systems, hoping to find 100 bugs in 100 days. That turned out to be a serious underestimation of the problem. “It turns out they’re stuck in the Nineties. The SDL doesn’t exist in ICS,” McCorkle said. “There are a lot of ActiveX and file format bugs and we didn’t even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable.” Source:

Geneva, Switzerland, September Researchers Conclusion “Those ICS and SCADA systems under research were developed in last century by people from last century using standards from last century”

Geneva, Switzerland, September Remarkable Standards in Under development IEC (former ISA99, adopted ISA 2700x) NIST DRAFT Guide to Industrial Control Systems (ICS) Security SP Rev.2 Released : NIST Framework for Improving Critical Infrastructure Cybersecurity

Geneva, Switzerland, September Key principles of secured system development to be standardized Complete mediation Components isolation (processes, resources) All sensitive operations control Tamperproof Have trusted execution base minimal and structured Resistance to external actions, incorrect queries, etc. Security configuration protection Verifiability Structured, compact and tested Formal/semi-formal methods Platform Flexibility in security policy definitions Secured systems development methodology

Geneva, Switzerland, September Recommendations Create a collaborative working group of experts within ITU-T to address nowadays Critical Infrastructure Systems threats Focus on secure systems development standardization for critical infrastructures and ICS Initiate the work for standards for ICS and Critical Infrastructure Systems Involve world-wide practitioners and make ICS standards available for all countries to share best practices enforced by standards

Geneva, Switzerland, September Thank you