Industrial Control System Cybersecurity
SCADA Security Laboratory
Cyber Kill Chain (phases as shown in the slide diagram)

Preparation:
- Reconnaissance
- Weaponization

Intrusion:
- Intrusion / Initial Breach
- Payload Delivery / Taking Control

Active Attack:
- Actions on Objective
- Eliminate / Manipulate Evidence
Attack = TARGET stores 2013
Objectives = Theft - stealing credit card numbers

What Happened?
- Attackers were able to gain remote access to Target's business network and steal millions of credit card numbers ($500M loss).
- Attackers used stolen credentials to remotely enter through the HVAC system, then pivoted onto the business network and installed credit-card-stealing malware on the Point of Sale (PoS) systems.
- The malware installed by the attackers sent credit card numbers and other customer information back to the attackers.

Vulnerabilities Exploited
- Stolen credentials allowed remote access
- HVAC systems connected to the business network
- Improper user privileges and access controls

Resources Needed by Attacker
- Resources of a small group of individuals

What Could Have Made the Attack Unsuccessful?
- Isolating non-business systems, such as HVAC, from critical business systems
- Proper management of user privileges
- Using an intrusion detection system inside the business network
- Proper authentication
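As an added example (not part of the UAH slides), the Python below applies a zone-based segmentation allow-list to constructed flow records, the kind of check an internal IDS could run to flag the HVAC-to-business and business-to-PoS crossings described for the Target case. The zone names, subnets and flows are assumptions, not any real network layout.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Assumed network zones (placeholder subnets, not any real layout).
ZONES = {
    "hvac_vendor": ipaddress.ip_network("10.10.0.0/24"),
    "corporate": ipaddress.ip_network("10.20.0.0/16"),
    "pos": ipaddress.ip_network("10.30.0.0/16"),
}

# Allow-list of (source zone, destination zone, port); port None means any.
# Any flow without an entry here is a segmentation-policy violation.
ALLOWED = {
    ("corporate", "corporate", None),
    ("corporate", "pos", 443),
    ("hvac_vendor", "hvac_vendor", None),
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' (e.g. the Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow):
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    return (src, dst, None) in ALLOWED or (src, dst, flow.dport) in ALLOWED


def violations(flows):
    """Return the flows that cross zones without an allow-list entry."""
    return [f for f in flows if not is_allowed(f)]


# Constructed sample flows tracing the pivot path the slide describes.
SAMPLE_FLOWS = [
    Flow("10.20.5.7", "10.20.5.9", 445),      # corporate to corporate: allowed
    Flow("10.20.5.7", "10.30.1.20", 443),     # corporate to PoS over 443: allowed
    Flow("10.10.0.15", "10.20.5.7", 445),     # HVAC vendor host into corporate: violation
    Flow("10.20.5.7", "10.30.1.20", 445),     # SMB into the PoS segment: violation
    Flow("10.30.1.20", "203.0.113.8", 80),    # PoS host out to the Internet: violation
]

if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"ALERT {zone_of(f.src)} -> {zone_of(f.dst)} {f.src} -> {f.dst}:{f.dport}")
```

The last sample flow is the exfiltration direction (PoS to an outside address), which the slide's "intrusion detection system inside the business network" point would also need to cover.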
Attack = STUXNET – Iranian Nuclear Facility 2007
Objectives = To cause physical damage to nuclear centrifuges in Iran

What Happened?
- The attacker created a very specific set of complex tools, going after one unique target.
- The attack harmlessly infected any computer connected to the Internet, then infected the victim computer via a USB "thumb drive".
- The attack covertly re-programmed the programmable logic controller (PLC) in the machine that controlled hundreds of centrifuges.
- The attack damaged or destroyed hundreds of centrifuges, causing a tremendous military/industrial setback for Iran.

Vulnerabilities Exploited
- Multiple "zero day" exploits of Windows
- Complex exploits of the PLC control software
- Human behavior – using a USB drive unsafely

Resources Needed by Attacker
- Top-tier nation-state level resources
- Detailed technical intelligence
- A great deal of patience and luck

What Could Have Made the Attack Unsuccessful?
- Rigorous patching of Windows and all application software
- Rigorously following cybersecurity best practices (e.g. how data is moved onto a mission-critical system, use of USB drives, etc.)
- Only allowing signed, authenticated code to execute
- Strict isolation of control/safety systems
Attack = Rye Brook Dam on Bowman Ave. in NY 2016
Objectives = Disruption of civil infrastructure

What Happened?
- Seven Iranian men were indicted for performing a denial of service attack against several U.S. firms (including 46 of the nation's largest financial institutions) and critical infrastructure, including a tiny flood-control dam in rural New York.
- No physical damage, because a system was disconnected for maintenance.
- Perhaps the hackers mistook the tiny dam for a much larger dam with a similar name. Perhaps this was practice for a larger scale attack on critical infrastructure.

Vulnerabilities Exploited
- Unauthorized remote access to the dam's SCADA control system

Resources Needed by Attacker
- The resources of seven men

What Could Have Made the Attack Unsuccessful?
- Proper access controls on the cellular modem used to communicate with the dam
- Proper authentication
Attack = Power Grid in Ukraine 2015
Objectives = Disruption of civil infrastructure with physical damage

What Happened?
- Attackers gained remote access to 3 Ukrainian regional electricity distributors, causing 225,000 customers to lose power.
- Well-coordinated attack on the power grid's control system.
- Utilities were forced to move to manual operation after the attack.
- "First publicly acknowledged incidents to result in power outages." (NERC report)
- A similar attack in the U.S. would have had much more severe consequences.

Vulnerabilities Exploited
- Initial access through spear phishing
- Malware installed via a vulnerability in MS Office
- Control systems accessible via the Internet

Resources Needed by Attacker
- Some "insider knowledge"
- Capability to reuse malware developed by others

What Could Have Made the Attack Unsuccessful?
- A user's mistake (clicking on a link) opened the door
- Malware detection system
- More careful management of user privileges
- Better access controls to mission-critical systems
- Multi-factor authentication
Attack = Denial of Service Attack on DynDNS.com 2016
Objectives = Disruption of Internet services

What Happened?
- DynDNS.com is a company that provides DNS services, including monitoring, load balancing, geographic balancing, and security, to other Internet companies.
- On Oct 21, 2016, Dyn was the victim of a large-scale distributed denial of service (DDoS) attack which slowed user access to many Internet sites (Twitter, Netflix, LinkedIn, etc.).
- A very large botnet flooded Dyn with "noise", causing widespread disruption.

Vulnerabilities Exploited
- Default passwords

Resources Needed by Attacker
- Resources of a small group
- Ability to create and manage a large botnet
- Ability to hide using the "dark web" (TOR)

What Could Have Made the Attack Unsuccessful?
- Changing default passwords on Internet appliances
- Better capability to block "noise generators" (bots performing a distributed denial of service attack) closer to the source
What is UAH doing?
- Physical Test Beds
- Virtual Test Beds
- Hardware-in-the-Loop Test Beds
- Modeling and simulation for cybersecurity
- Discover and analyze vulnerabilities
- Evaluate Security Controls
- OpenPLC: research beyond the black box
- Secure PLC: no more band aids
- Intrusion detection and response
OpenPLC - An Open Source Industrial Controller
Developed @ UAH
Emulate devices, investigate security concepts
Questions?
Contact Information
Name: Tommy Morris, Ph.D., Director
Phone: (256)
Address: 200 Sparkman Dr. Huntsville, AL 35805
Web: