Quantitatively Assessing and Visualising Industrial System Attack Surfaces

More documents

Recommendations

Info

Declaration I, Éireann P. Leverett of Darwin College, being a candidate for the M. Phil in Advanced Computer Science, hereby declare that this report and the work described in it are my work, unaided except as may be specified below, and the report does not contain material that has already been used to any substantial extent for a comparable purpose. A small portion of this dissertation is derived from a paper submitted to USENIX WOOT’11. That text was written in collaboration with Frank Stajano, Jon Crowcroft, and Shailendra Fuloria in the course of my MPhil study. The project itself is my own work, and their effort is contained in the writing up and advising on that paper submission, rather than the execution of the MPhil project itself. This dissertation contains 14 006 words and does not exceed the regulation length of 15 000 words, including tables and footnotes. Signed: Date:
Quantitatively Assessing and Visualising Industrial System Attack Surfaces Éireann P. Leverett Supervisors: Dr. Frank Stajano & Prof. Jon Crowcroft Summary Any industrial control systems connected to the Internet are naturally exposed to online threats such as viruses, Denial of Service and targeted application or machine compromise. These threats may come from those seeking to inflict mischievous damage, make money, or sabotage national infrastructure remotely. Best practice, and indeed national regulatory standards such as NERC-CIP, mandates a strict electronic security perimeter, particularly since few devices used in control systems support default authentication 1 . Despite that, even though many utilities claim to comply with NERC-CIP, we have located on the Internet many industrial control devices available for connection. Examining results over a two year time window through the specialised historical search engine Shodan, we located, identified and categorised more than 7500 such devices— HVAC systems, building management systems, meters, and other industrial control devices or SCADA servers (supervisory control and data acquisition). In conjunction with information from exploit databases, this could be used to carry out remote attacks on se- lected devices or identify networks for further reconnaissance and exploitation. Malicious actors might already be doing this. To level the playing field for utility security professionals intent on re-perimeterisation, we built a visualisation tool that finds exposed systems on the Internet, visualises them on a time-dependent world map based on their city geolocation and presents details of potentially applicable remote exploits. This allows defenders to assess their attack surface and prioritise the required interventions in a timely manner. We expect it will also be useful to auditors called upon to evaluate whether a utility complies with the required security standards. 1 Evidence supporting this claim can be found within the dissertation.
Page 1: Quantitatively Assessing and Visual
Page 5 and 6: Contents 1 Introduction 9 1.1 Goals
Page 7 and 8: List of Figures 2.1 Example exposur
Page 9 and 10: Chapter 1 Introduction Security of
Page 11 and 12: CHAPTER 1. INTRODUCTION 11 1. Slamm
Page 13 and 14: CHAPTER 1. INTRODUCTION 13 This par
Page 15 and 16: CHAPTER 1. INTRODUCTION 15 Stuxnet
Page 17 and 18: Chapter 2 Methodology In this chapt
Page 19 and 20: CHAPTER 2. METHODOLOGY 19 4. Combin
Page 21 and 22: CHAPTER 2. METHODOLOGY 21 2. SCADA
Page 23 and 24: CHAPTER 2. METHODOLOGY 23 A banner
Page 25 and 26: CHAPTER 2. METHODOLOGY 25 Of course
Page 27 and 28: CHAPTER 2. METHODOLOGY 27 but it do
Page 29 and 30: CHAPTER 2. METHODOLOGY 29 Figure 2.
Page 31 and 32: Chapter 3 Exploring the Dataset In
Page 33 and 34: CHAPTER 3. EXPLORING THE DATASET 33
Page 41 and 42: CHAPTER 4. INDUSTRY FEEDBACK SESSIO
Page 43 and 44: CHAPTER 4. INDUSTRY FEEDBACK SESSIO
Page 45 and 46: CHAPTER 5. CONCLUSION 45 systems vi
Page 47 and 48: CHAPTER 5. CONCLUSION 47 5.2.5 Real
Page 49 and 50: CHAPTER 5. CONCLUSION 49 5.3 Critic
Page 51 and 52: CHAPTER 5. CONCLUSION 51 Of academi
Page 53 and 54:
Bibliography [1] Ross Anderson and
show all

Quantitatively Assessing and Visualising Industrial System Attack Surfaces

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?