A nice article summarizing the SANS report. I have included the main parts in this email as well.
http://www.darkreading.com/vulnerabilities---threats/lessons-from-the-ukraine-electric-grid-hack/d/d-id/1324743

Lessons From The Ukraine Electric Grid Hack

New SANS analysis on how the attackers broke in and took control of the industrial control systems at three regional power firms in the Ukraine and shut off the lights.

...

For one thing, a cyberattack that results in a power outage takes some heavy lifting, and a bit of time, to pull off. “It took them six months or more to figure out these environments ... And it was only a partial outage,” says Lee, who notes that their methods weren’t necessarily sophisticated but were definitely coordinated. “We consistently see [the] theme for attackers who do the things we care about most in ICS networks ... it’s much more difficult” for them to do damage and it takes time, he says.

And that’s lesson number one: if attackers need a sufficient period of time for reconnaissance and learning the environment in order to control industrial equipment, the good news is that there’s actually a window for detecting their activity -- and stopping them from doing damage.

*Network security monitoring could have helped spot the attackers before they shut off the power.*

...

*The attack punctuates the danger of remote access to ICS/SCADA networks.*

VPN connections between the Ukraine power companies’ ICS and enterprise networks did not appear to use two-factor authentication, according to the report. “Additionally, the firewall allowed the adversary to remote admin out of the environment utilizing a remote access capability native to the systems,” the NERC SANS report says. Ralph Langner, founder of the Langner Group, says critical infrastructure operators shouldn’t allow remote access to these systems. “Limit remote access only to the people who need it,” SANS’ Lee says. The report recommends using multi-factor authentication for any remote access communications.

...
*Uninterruptible power supplies need protection, too.*

The attackers commandeered a remote management interface to the UPS systems to schedule an outage for power at the energy company’s own buildings or datacenters. “The online command interface to UPSes is another stupid flaw. These UPSes are located within the same building, so by controlling them via the network you just save five minutes for a maintenance job,” says Langner, who notes the CLI most likely would have been an embedded Web browser. He recommends disabling remote command interfaces <http://www.langner.com/en/2016/03/01/readers-digest-version-of-the-ukraine-story/> to UPS systems. The attackers also generated a DoS of thousands of phone calls to the energy company’s call center to derail restoration and communications.

...

*Attackers can install malicious firmware on industrial equipment.*

SANS’ Lee says the custom firmware installed on the Ukraine networks’ serial-to-Ethernet gateways to “brick” them and disrupt the restoration of power was the most surprising element of the attack. “That was extremely clever and it hurt the restoration effort of the Ukrainians,” he says.
“I didn’t think we’d see an adversary clicking the breakers open and with what happened with the firmware.” The gateways, or converters, basically translate communications between the serial protocols at physical substations and the overall Ethernet network that connects them. “By opening the breakers and modifying the firmware on those devices, it makes them unusable. In essence, they blew the bridges” up, Lee explains.

...

*Without a ‘cyber’ element to incident response and disaster recovery, a cyberattack is a disaster.*

The Ukrainian power companies had no way to maintain control of their ICS/SCADA environment after the attack. That was an “eye-opener,” Lee says, and shows the crucial need for a “cyber” element in incident response and disaster recovery plans. “You know they are opening breakers, so how do you quickly disable those features ... No one has that capability,” he says of ICS/SCADA operators. That type of contingency planning is a big piece of the security picture, and until now, there’s been no experience in fighting back and regaining control when the bad guys have taken over, he says.

--
Ali Aydın Selçuk
Dept. of Computer Engineering
TOBB-ETU
06560, Ankara, Turkey
-------------------
Cyber Security Summer Camp (Siber Güvenlik Yaz Kampı), 24 - 31 July 2016, İzmir Yüksek Teknoloji Enstitüsü (İzmir Institute of Technology)
http://www.siberkamp.org/
-------------------
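As an added illustration of the two remote-access findings quoted above (VPN sessions into the ICS network without two-factor authentication, and a firewall that let remote-admin sessions leave the ICS environment), here is a small detection check run over constructed firewall and VPN log lines. This is example code written for this post, not from SANS, Dark Reading or the utilities involved; the subnet, the key=value log format and the port list are assumptions.

```python
import ipaddress
import re

# Assumed network layout (constructed for this example, not taken from the report).
ICS_ZONE = ipaddress.ip_network("10.20.0.0/16")  # SCADA / substation hosts
# TCP ports of remote-admin capabilities typically native to the systems.
REMOTE_ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc"}

# Constructed sample log lines in a simple key=value format.
SAMPLE_LOGS = """\
type=vpn user=ops1 src=203.0.113.7 dst=10.20.1.5 mfa=true result=success
type=vpn user=ops2 src=198.51.100.9 dst=10.20.1.5 mfa=false result=success
type=fw action=allow proto=tcp src=10.20.3.14 dst=198.51.100.40 dport=3389
type=fw action=allow proto=tcp src=10.10.5.2 dst=10.20.3.14 dport=443
type=fw action=deny proto=tcp src=10.20.3.14 dst=203.0.113.88 dport=22
type=fw action=allow proto=tcp src=10.20.3.9 dst=10.10.7.7 dport=5900
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict (empty dict for blank lines)."""
    return dict(KV_RE.findall(line))

def vpn_without_mfa(ev):
    """Successful VPN session into the ICS zone that did not use multi-factor auth."""
    return (ev.get("type") == "vpn" and ev.get("result") == "success"
            and ev.get("mfa") != "true"
            and ipaddress.ip_address(ev["dst"]) in ICS_ZONE)

def ics_remote_admin_egress(ev):
    """Allowed connection from an ICS host to a host outside the zone on a remote-admin port."""
    if ev.get("type") != "fw" or ev.get("action") != "allow":
        return False
    src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
    return src in ICS_ZONE and dst not in ICS_ZONE and int(ev.get("dport", 0)) in REMOTE_ADMIN_PORTS

def find_alerts(log_text):
    """Return (rule, who, where) tuples for every line matching either rule."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if vpn_without_mfa(ev):
            alerts.append(("vpn-no-mfa", ev["user"], ev["src"]))
        elif ics_remote_admin_egress(ev):
            svc = REMOTE_ADMIN_PORTS[int(ev["dport"])]
            alerts.append(("ics-remote-admin-egress", ev["src"], f"{ev['dst']}:{svc}"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOGS):
        print(alert)
```

Note that the last sample line is flagged even though its destination is an internal corporate address: the point of the second rule is that the ICS zone should not initiate remote-admin sessions outward at all, whichever side of the firewall the target sits on.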
