I have a Cyber Security paper


Computer Science

Description

I need assistance reviewing a Cyber Security paper.

Below are the instructions on the revision needed.

COMMENTS ON THIS CRITERION (09/21/2017): The report discusses infiltrating the network by use of the trusting packets and mentions learning about the control system’s process. The response also indicates the system under the attacker’s control can be used to find and extract data on the states served by the power grid. What is not clearly provided is a description that addresses how information is collected, how it is exfiltrated from the Western Interconnection power grid, and how the collected/exfiltrated information could subsequently be used to successfully execute an attack.


I have also attached the paper.


Unformatted Attachment Preview

DEFENSE REPORT: TASK 2

Western Governors University
Joseph Mulwa
Cyberwarfare Defense Report
Task 2: SCADA Network Evaluation and Defense-in-Depth Strategies
Course Number: Cyberwarfare-688
Date: September 19, 2017

To: CIO - U.S. Department of Defense
From: Analyst, Red Cell 637 Defense
Subject: Defense Report

Introduction

In recent years, there have been increased global risks of cyber-attacks against both governmental and non-governmental organizations’ basic frameworks, causing both a growing awareness and anxiety amongst the potential victims of these attacks. The network systems of these organizations have similarly been exposed to various security risks as a result of the mounting SCADA network interconnection. Sheldon et al. (2003) argue that most of the existing systems are linked not only to the firms' organizational frameworks but to the open Internet as well. This report aims at evaluating the SCADA network vulnerabilities that are common, for example in the power grid of the Western Interconnection, and subsequently relates the Cyber Kill Chain in order to find out the manner in which the enemy could have abused the weaknesses to attack the system. Additionally, the report will, through use of a defense-in-depth strategy relating to the computer networks of the power grid, make recommendations for the implementation of tougher actions and measures that will result in the safeguarding of the system against prospective cyber-attacks.

A. ICS Vulnerabilities and Cyber Kill Chain

1. Reconnaissance

In this phase the adversary uses various techniques to gather background data on the potential targets. Once the adversary identifies the target, they embark on establishing vulnerabilities in the system that can be exploited. The adversary could have made use of either or both passive and active gathering methodologies to attain information on the target.

Passive techniques involve probing the system without having direct contact with it, by use of information that is readily available. Examples of ways in which the attacker could have done this in the given scenario include the use of social networks such as Facebook and LinkedIn to obtain information on the Western Interconnection’s key employees and the organization itself. According to Pernet (2014), these networks allow for anonymous search of employee information for a given company. Another example is tapping, which is the monitoring of communication that is not encrypted, for example telephone calls and emails.

Active techniques are those in which the attacker interacts/engages with the system through manipulation of data. This could be done through port scanning in order to locate UDP/TCP ports that are not securely configured, in order to gain access into the system’s network. The attacker could also use fingerprinting to probe the server to determine the operating system in use and, after carrying out research on the particular operating system’s vulnerabilities, use them to attack the system. Another active technique is the use of password crackers that enable the attacker to find passwords that are weak and use them to access the system.

2. Weaponization and Delivery

Once the attacker gathers intelligence on the network/system through the techniques aforementioned, they could use the data to produce a malicious payload. The adversary designs the payload based on the vulnerabilities of the operating system or less secure ports and disguises it using a file considered to be harmless. Weaponization in this case may involve modifying a file used in everyday business, for example a Microsoft Office document or PDF file, and attaching the exploit to it. This file, when opened by the target, enables the adversary to gain access into the system.

The attacker can deliver the malicious payload using email attachments or URL links to the employees at the power grid, and once they open the attachments or click on the links, the malicious payload automatically installs itself into the system. The attacker can also use administrator passwords obtained during the reconnaissance phase to directly upload the payload into the system.

3. Exploitation and Installation

As soon as the email containing the malicious payload is sent to an employee with a personal computer connected to the network, the unsuspecting employee will then open and download the infected attachment containing previously written code that will search the system for vulnerabilities. Should the system not be frequently updated with patches, the exploit will discover this and use this vulnerability to introduce the malware into the computer and the system as a whole. Once it establishes a connection back to the attacker, it makes it possible for them to control the system and achieve their goals. Once the malicious payload is delivered and embeds itself into the system, it can create a connection with the adversary within the system to enable the attacker to manipulate the system in whichever malicious way they please. This suggests that after the network has been compromised and the malware is introduced, the purpose of the assault is accomplished in the rest of the phases under the aggressor’s control.

4. Command & Control

The adversary is able to send exploit commands to the system once a connection is established with the network at the Western Interconnection power grid. The backdoor created by the adversary is then used to transfer information and commands from the command and control servers. In order to transfer information and go undetected, the adversary will then use the organization’s router through port 80.

A visual representation of the attack:

5. Actions

Information on open ports and information on the server services will enable the attacker to infiltrate the network by use of the trusting packet and learn about the control system’s process. The attacker can access the human-machine interfaces and databases containing information on how the system works, therefore enabling the attacker to take control of it. The attacker can then use these controls to shut down power in the eleven targeted states. Useful information including set points, descriptions, and point data types is contained in the databases. The Human Machine Interface describes the equipment and operator relationship and is very easily understood. The system, now under the attacker’s control, can be used to find and extract data on the states served by the power grid. The attacker can use this information to determine how and at what time to shut off the power supply for the targeted states.

B. "Defense in Depth" Recommendations

1. People

Policies and procedures aimed at safeguarding the network should be created and enforced. Recommendations for procedures and policies include:

Training on Security – It is recommended that the administrators of the power grid’s network be continuously trained on security matters that may affect the organization’s network. New threats are constantly emerging, and therefore continuous training is necessary to keep them updated on the same so that they can update the security of the network as well. Every employee and manager, including the administrators of the system, ought to be trained to safeguard against security issues like email phishing attacks. The trainings will raise information assurance levels by raising awareness and alerting all system users to likely attack schemes, and will enable them to identify the diverse threats within the network.

Policies on Passwords – A strict policy prohibiting sharing of passwords between users of the system should be enforced. Also, different network entry points should have different passwords so that if one password is compromised, some parts of the network still remain secure. The passwords for each user should also be set to expire after a given period such that users are prompted to change their passwords every period. This policy will raise information assurance levels by making sure that information is not accessed by unauthorized persons.

Procedures on Incident Response – Procedures should be put in place to help users understand what to do in case of an incident. This will enable swift actions that will result in the protection of critical data within the systems.

Physical Security – Policies that limit access to facilities housing network equipment and computers should be established in order to control the movement of unauthorized persons who can easily compromise the network systems. Additionally, facilities should be under constant surveillance so that action can be quickly taken in case an intruder is seen within the premises. Ways in which management can ensure security are through barricades, doors only accessible using key cards, security perimeters, gates and fences. Similarly, within the premises there should be controlled areas in which equipment is stored, that can be accessed by very few authorized personnel. The management can also make use of asset and personnel tracking devices to ensure that items and employees remain within their authorized spaces. The control center should be specially secured to prevent unauthorized physical access. This can be done through use of biometrics so that only particular persons can access the room. This policy will also raise information assurance levels by making sure that information is not accessed by unauthorized persons.

2. Technology

It is recommended that the organization establishes effective processes and policies that are founded on the security specifications and requirements for acquisition of technology, so that the right technology is procured and deployed. An assessment of acquisitions should be carried out to make sure that the systems being procured do not pose a security risk to the internal systems, networks, and critical data. The procurement team and process should actively include Information Systems experts. The policy on security, standards and architectures on system-level information, principles on Information Assurance, product acquisition from reputable suppliers, and guidance on configuration and risk assessment need to be established and enforced. The policy on acquisitions ought to include mandatory testing and review of all procured equipment before installation and use by the organization. This equipment includes servers, personal computers, firewalls, and human-machine interfaces. The equipment ought to undergo a rigorous testing and evaluation process for security purposes. A list of approved equipment vendors can be created after this testing is carried out. Their supplied equipment should be in line with the standards set in the technology policy. Any servicing needed on this equipment should be carried out by these approved suppliers. Only equipment that has gone through this rigorous testing should be allowed to connect to the SCADA network. Vulnerabilities can also be reduced by having these suppliers disable services in the equipment that are not necessary, to improve security.

The power grid’s SCADA network can be partitioned using numerous routers and the installation of firewalls that safeguard the system’s network. Intrusion detection capabilities should be used when designing the firewalls. Krutz (2005) argues that the use of these partitions will protect the network from hopping attacks and exploitation. Additionally, the power grid should set up response systems for once an intrusion is detected. The power grid should set up structures aimed at detecting invasions, investigating them, and correlating the results, in addition to reacting properly. These structures will assist the responsible staff to establish whether there is an attack in the system.

3. Operations

This refers to the daily running and maintenance of the network’s security. It involves establishing security policies, installation and updating of the virus database, assessments of the system’s security, observing the system for threats, and responding to the threats. These would raise information assurance levels by making sure that information-stealing malware does not find its way into the system, by detecting and deleting it on time. Recommended daily operations would include: regular scanning of the system to remove any unauthorized applications that may access critical information; reviewing of security policies to ensure they are up to date so that they maintain an operational environment safeguarding information; implementation of audits to ensure that policies and procedures relating to the system are being complied with, to make sure no individual or equipment is compromising critical information; and continuous assessment of the system to establish vulnerabilities that can lead to information being stolen. These vulnerabilities are then addressed immediately to raise information assurance levels. Additionally, according to Jones (2005), quick identification and removal of intruders in the system is helpful in preventing damage in the future. Therefore, constant monitoring of network traffic is recommended to enable the identification of these intruders looking to steal information, therefore raising assurance levels.

References

Jones, B. (2005). Global Information Assurance Certification Paper. Retrieved from https://www.giac.org/paper/gsec/4235/overview-dod-defense-in-depthstrategy/106802

Krutz, R. L. (2005). Securing SCADA Systems (1st ed.). Wiley Pub.

Pernet, C. (2014). APT Kill chain - Part 3: Reconnaissance. Retrieved from http://blog.airbuscybersecurity.com/post/2014/05/APT-Kill-chain-Part-3-%3AReconnaissance

Sheldon, F. T., Batsell, S. G., P. S. J., & Langston, M. A. (2003). Cryptographic protection of SCADA communications – part 1: Background, policies and test plan. Prepared by AGA 12 task group, Draft 6, no. 12.
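As an added defender-side example (not part of the report or the course material), the script below implements the constant traffic monitoring that the report's Operations section recommends, aimed at the command-and-control path described in section A.4: regularly spaced outbound port-80 connections from control-network hosts to external addresses. The firewall log format, the 10.20.0.0/16 control subnet, the internal ranges and the allow-list are assumptions.

```python
"""Flag periodic outbound port-80 connections from control-network hosts.
Added illustration, not the report's own work: the report says C2 traffic
leaves via the organisation's router on port 80 and recommends constant
traffic monitoring. Log format, subnets and allow-list are assumptions."""
import ipaddress, re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CONTROL_NET = ipaddress.ip_network("10.20.0.0/16")   # assumed SCADA/control subnet
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DST = {"10.20.5.9"}                          # assumed internal HMI web server
LINE_RE = re.compile(r"^(\S+ \S+) ALLOW (\S+):\d+ -> (\S+):(\d+)$")

# Constructed firewall log: 10.20.1.15 contacts an external address every ~60 s
# (flagged); 10.20.1.22 browses at irregular intervals (not flagged).
SAMPLE_LOG = """\
2017-09-19 10:00:00 ALLOW 10.20.1.15:49152 -> 203.0.113.7:80
2017-09-19 10:00:05 ALLOW 10.20.1.22:50010 -> 198.51.100.4:80
2017-09-19 10:00:09 ALLOW 10.20.1.22:50011 -> 198.51.100.4:80
2017-09-19 10:00:30 ALLOW 10.20.1.15:49160 -> 10.20.5.9:80
2017-09-19 10:01:00 ALLOW 10.20.1.15:49153 -> 203.0.113.7:80
2017-09-19 10:02:01 ALLOW 10.20.1.15:49154 -> 203.0.113.7:80
2017-09-19 10:03:00 ALLOW 10.20.1.15:49155 -> 203.0.113.7:80
2017-09-19 10:04:00 ALLOW 10.20.1.15:49156 -> 203.0.113.7:80
2017-09-19 10:07:30 ALLOW 10.20.1.22:50012 -> 198.51.100.4:80
2017-09-19 10:31:00 ALLOW 10.20.1.22:50014 -> 198.51.100.4:80
""".splitlines()

def parse(line):
    """Return (timestamp, src, dst, dport) for an ALLOW line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            m.group(2), m.group(3), int(m.group(4)))

def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Flag control-net -> external port-80 flows with regular gaps (stdev/mean <= jitter)."""
    flows = defaultdict(list)
    for ts, src, dst, dport in filter(None, map(parse, lines)):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport != 80 or src_ip not in CONTROL_NET:
            continue                        # only control-network web egress
        if dst in ALLOWED_DST or any(dst_ip in n for n in INTERNAL):
            continue                        # internal or approved destination
        flows[(src, dst)].append(ts)
    suspects = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]  # log assumed chronological
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            suspects[key] = round(avg, 1)   # mean beacon interval in seconds
    return suspects
```

Tune `min_hits` and `max_jitter` to the site's traffic; a real deployment would also exclude destinations on a maintained allow-list rather than the single HMI address assumed here.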

Explanation & Answer

Attached.


