third Cyber Security Assessment Netherlands - NCSC

More documents

Recommendations

Info

car park will not open. It is annoying that staff and visitors have to park somewhere else or that employees feel cold or hot, but it generally does not mean anything worse than that. Year # Reports # Investigations 2010 39 57 Local/Regional 2011 204 70 (for example traffic installations, sewer pump and 2012 138 89 bridge operation, individual windmills) Digital incidents at this level can have a major impact, but the Table 11. Developments in number of reports in the US damage remains limited to a local or regional level and is primarily practical and financial in nature. An example is a bridge that stays opens so that traffic comes to a halt or a company that suffers major financial harm because one of its factory’s systems fails bringing production to a stop for a few days. National (vital infrastructure, for example the energy and drinking water supply) Digital incidents in the vital sectors may lead to social instability and therefore affect national security. There could be many victims and/or severe economic damage and recover may be lengthy, while these products and services are essential. IT, telecommunications (fixed and mobile) and electricity are crucial for society’s vital sectors to function. Failure of these can lead to harmful effects in other sectors and the impact of an incident may intensify even further. These incidents are the most relevant to the CSAN because they can have a direct impact on large groups of citizens, companies The number of investigations continues to rise, which indicates an increasing number of incidents. Based on the limited detailed information about ICS-related incidents, these are ranked in the three categories below. Incidents caused by internet connectivity Since 2011, various researchers have been focusing attention on systems which, by using Shodan [219] and other search engines, can be reached through the internet [220] . Smaller companies, local authorities and private individuals in particular are not sufficiently aware that their systems (generally SOHO and private applications) are directly accessible on the internet. The combination of vulnerabilities in the software and the use of weak passwords, etc. means that in many cases unauthorised access can be obtained to these systems. These vulnerabilities often arise because of insufficient agreements regarding security with third parties taking care of the installation and/or management. and governments. 9.3 Incidents involving ICSs Particularly at the beginning of 2012 there was increased focus on the risks of connecting ICSs to the internet that resulted in many It is impossible to provide proper statistics about ICS-related incidents in the Netherlands. Organisations involved are still reticent about sharing information on this subject. In the period from June 2011 to November 2012, NCSC.nl received just 11 reports. Because of this low number, the American ICS-CERT has been reviewed as one of the few available public sources. Furthermore, a public incident reports. All the reports concerned systems that could be found through the internet using the Shodan search engine. [221] Although this category of vulnerabilities attracts by far the most attention and publicity, this is not where the biggest risks to national security currently lies because the vast majority of these fall in the SOHO category. broad reporting period was assessed to give insight into the gradual developments. The ICS-CERT annual overview with reports of 218 There is no report as to whether these are truly ICS incidents. Following investigation, it may emerge that there was no security incident (simply a disruption) or that no ICS/SCADA was involved. There may also have been multiple reports of the same incident. 219 SHODAN is an internet search engine that facilitates targeted searching of computers that are connected to the internet. 220 Examples include: Eirann Leverett: http://www.blackhat.com/usa/speakers/Eireann-Leverett. html, Project SHINE: http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monthly_Monitor_Oct- Dec2012.pdf and HD Moore: https://community.rapid7.com/community/metasploit/ blog/2013/04/23/serial-offenders-widespread-flaws-in-serial-port-servers 221 The (few) cases reported to the Netherlands because of these cases proved not to be related to vital infrastructures. 96 Incidents caused by vulnerabilities in generic IT tools (collateral damage category) General IT tools, known as Commercial Off-The-Shelf (COTS) products, are increasingly being used in IT environments. This applies not just to hardware, but primarily also to software such as operating systems, web technologies and databases. Use of these COTS products undoubtedly has many advantages (such as lower costs), but it also gives vulnerabilities in these products a stepping stone to ultimately manipulate process controls. It also makes ICS environments more susceptible to malware that is actually (only) intended for standard IT facilities. For example outbreaks of the computer worms Slammer and Conficker in factory networks meant that production had to be halted. Key loggers, banking trojans and other generic malware that unintentionally infect ICS environments can also lead to failures. Incidents caused by the ‘human factor’ Around half of the investigations cited by ICS-CERT relate to cases of spear phishing, possibly with the intention of penetrating the ICS
Detailed section » 9 Industrial Control Systems environment or looking for and/or manipulating ICS-related information. This was not proven in any of the incidents investigated. In the autumn of 2012 there was a targeted spear phishing attack in the United Stated directed at the energy sector. Employees were approached in a targeted way after information had been obtained by Open Source Intelligence (OSINT). In this specific case it emerged that penetration had not in fact been successful. [222] Although in the Netherlands there have not yet been any known attacks on OCS environments using spear phishing, it is something organisations need to consider. 9.4 Developments in vulnerabilities in ICS Vulnerabilities are based on the ‘National Vulnerability Database’ (NVD [223] ) from the National Institute of Standards and Technology (NIST). This database focuses on discovered software flaws, i.e. on errors in the software. Issues such as misconfigurations and incorrect applications of products are not included. The NVD currently contains 84 ICS-related vulnerabilities despite the fact that the NVD is not complete. [224] Dozens of known vulnerabilities are not (yet) recorded in the NVD. Furthermore, ICS-CERT is in possession of large number of reports of potential vulnerabilities that must still be investigated. Year Total # ICS-related vulnerabilities in NVD # ICS-CERT information products [225] 2006 1 - 2007 1 - 2008 4 - 2009 14 0 (ICS-CERT was publicly launched in November 2009.) 2010 19 138 2011 46 283 2012 79 343 2013 84 (to Q1) 41 (to Q1) Table 12. Developments in number of ICS-related vulnerabilities. [225] Table 12 clearly shows that with the increasing interest in ICSsecurity, the number of vulnerabilities discovered/reported is also increasing, possibly intensified by the discovery of ‘Stuxnet’ in 2010 and the establishment of ICS-CERT at the end of 2009. Compared with the total number of system vulnerabilities in the NVD database (around 55,000 over a 15-year period), the number of ICS-related vulnerabilities is, however, marginal (approximately 2 per cent). also used for generic IT, for example fuzzing tools. Use of these tools by developers can result in software with fewer vulnerabilities. Another explanation is perhaps the scale of perspective of different investigators; proving the umpteenth ‘buffer overflow in just another HMI’ does not deliver so much added value. Finally, some providers do not communicate publicly about vulnerabilities in their products and bring out new versions without announcing what vulnerabilities have been resolved as a result. Part of the risk posed in relation to a vulnerability is to do with the ease, or the knowledge needed, to exploit a vulnerability. In the recent period, the number of publicly available exploits has again increased. For example the exploit pack GLEG agora SCADA+ now includes 143 ICS-related exploits. There is a known CVE number for only 67 of the associated vulnerabilities. It is also notable that there have been virtually no CVEs and alerts for the 35 most recent exploits. This makes it difficult for the parties affected to remain properly up-to-date about the latest vulnerabilities. 9.5 Actors In the Dutch context there is a limited number of actors involved in threats in the ICS domain: »» Multiple states are working on establishing offensive cyber capabilities. It can be assumed that at the same time knowledge of ICS is being developed so that vital processes can be disrupted. »» The results from cyber researchers in the ICS domain lead to new vulnerabilities and tooling. For example exploit code is regularly added to test tools and exploit packs. Information also appears about where connected systems can be found on the internet, which can be abused by other people, for example script kiddies. »» Last year ICS-CERT highlighted that different groupings (including hacktivists and anarchists) were demonstrating growing interest in ICSs accessible on the internet. [226] Apart from a limited number of reports about knowledge gathering by hacktivists/terrorists, there have to date been no known attacks directed at ICSs. It is clear that a number of actors are increasingly accumulating more knowledge about ICS-related security problems. Up until now, actors’ activities have been well intentioned (although the ‘victims’ do not always agree), sometimes motivated by the (direct) application of full disclosure in the case of a discovery. Looking at developments around generic IT security, it is expected that actors will also use the available knowledge/tooling against ICS. Furthermore, several categories of actors already pose an indirect threat because malware intended for other (IT) applications can cause collateral damage in ICS environments. » Following a sharp increase in the period from 2010 to 2012, the number of vulnerabilities published levelled off in Q1 of 2013. However it is still too early to draw any conclusions from this. This is for example because in the past, a number of hacker conferences in the second half of the year has always exposed new problems. In addition, vulnerabilities were discovered with the use of the tooling 222 http://ics-cert.us-cert.gov/pdf/ICS-CERT_Monitor_Jan-Mar2013.pdf 223 http://nvd.nist.gov 224 Status as per 25 March 2013. The search term used was SCADA. Figures may vary from other published summaries because some ICS-related vulnerabilities do not come up under the search term SCADA. 225 These figures are from the ICS-CERT year in review 2012. Updates to a publication are counted separately. 226 ICS-CERT Alert 15 February 2012, http://ics-cert.us.gov/pdf/ICS-ALERT-12-046-01.pdf 97
Page 1:
Cyber Security Assessment Netherlan
Page 4 and 5:
National Cyber Security Centre The
Page 7:
Contents Foreword 3 Summary 7 Intro
Page 10 and 11:
on governmental organisations and b
Page 12 and 13:
However, it is assumed that they ar
Page 15 and 16:
Introduction Information Technology
Page 17:
Core assessment 1 Interests 17 2 Th
Page 20 and 21:
1.2 Dependency IT dependency contin
Page 22 and 23:
Increased IT dependency in electric
Page 24 and 25:
on the internet such as an electric
Page 26 and 27:
approached or incited by states for
Page 28 and 29:
Actor Intentions Skills Targets Sta
Page 30 and 31:
get the script kiddies started. One
Page 32 and 33:
location’, there is no one single
Page 34 and 35:
Furthermore, business information c
Page 36 and 37:
environments often arise from the i
Page 38 and 39:
not only smart phones, tablets or c
Page 40 and 41:
5.3 Technology Norms, guidelines an
Page 42 and 43:
ACM seeks active collaboration with
Page 45 and 46:
Core assessment » 6 Manifestations
Page 47 and 48: Core assessment » 6 Manifestations
Page 53: Core assessment » 6 Manifestations
Page 57 and 58: Detailed section » 1 Cyber crime
Page 59: Detailed section » 1 Cyber crime
Page 62 and 63: magnitude of digital espionage inci
Page 65 and 66: Detailed section » 3 Botnets 3 Bot
Page 67 and 68: Detailed section » 3 Botnets » Do
Page 69 and 70: Detailed section » 4 DDoS 4 DDoS
Page 71: Detailed section » 4 DDoS 4.3 Resi
Page 74 and 75: An attacker can abuse devices linke
Page 77 and 78: Detailed section » 6 Grip on infor
Page 79 and 80: Detailed section » 6 Grip on infor
Page 81 and 82: Detailed section » 7 Vulnerability
Page 91: Detailed section » 7 Vulnerability
Page 94 and 95: Leak in the Humannet website belong
Page 96 and 97: In 2012, ACM received a total of 14
Page 100 and 101: 9.6 The resilience of ICS Security
Page 102 and 103: 100 [22: McAfee 2013-2] McAfee: Thr
Page 104 and 105: 102
Page 106 and 107: Incidents Types of government incid
Page 108 and 109: Classification Classified data Clou
Page 110 and 111: Information Information security In
Page 112 and 113: Spoofing/IP spoofing SQL injection
Page 114: 112
show all

third Cyber Security Assessment Netherlands - NCSC

Create successful ePaper yourself

Delete template?

Save as template?