Monday, 2 May 2016

Introduction to Nuclear Cyber Security

Introduction

The development of nuclear energy accompanied the invention of the computer, which brought about a development that we would call the Third Industrial Revolution. This development generated a complex of economic, political and social effects that is in some cases, as in the case of power plant safety, considered a matter of national security. In this context, power plants belong to the ICS category. Industrial control system (ICS) is a vague term describing several types of control systems used in industrial production, such as in electric, gas or water plants, as well as supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control systems (Wikipedia, 2011). All of these are defined as critical infrastructures and are considered national security objects. These infrastructures need to be protected from cyber incidents, which NIST defines as "an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability (CIA) of an information system or the information the system processes, stores, or transmits" (FIPS PUB, 2006). These threats might be intentional malicious attacks or unintentional ones caused by untrained or careless employees. In addition, the modern networking and communication technologies used to improve operations also create new cyber vulnerabilities. Care must be exercised in the selection, implementation, and operation of cyber-vulnerable ICS technologies.

What is Nuclear Plant Security and how is it defined

Nuclear plant security involves securing the critical business and operational functions performed by cyber assets that affect the bulk electric system, which necessitates security management controls. To protect critical cyber assets (these assets should be defined by each company individually), companies should design and implement information protection, employee roles and responsibilities, as well as security training. In this context we need to look at some of the possible threats and attacks. One such attack is the SCADA attack.

SCADA Hacks

SCADA attacks or system vulnerabilities pose significant threats to power plants. They combine traditional exploits with industrial control systems, which allows attackers to weaponize malicious code, as demonstrated by the Stuxnet worm in 2010, which attacked the Iranian power plant using SIMATIC S7 from Siemens. SCADA systems control everything from valves on oil and gas pipelines to energy grids and heat sensors in power plants, but they are usually not connected to the internet. "SCADA systems run in small private networks hidden away from the rest of the world, usually perfectly secure against reasonably determined hackers. Ergo, SCADA software and hardware by its very nature is not as secure, because it's nowhere near as well known or scrutinized and is heavily dependent on physical security to keep it safe. However, the environments that SCADA systems monitor are usually mission critical; their failure would have serious or even catastrophic consequences" (Wiley & Sons, 2008).

So what does an attacker need for a successful attack? This is a legitimate question to ask when considering ways of preventing an attack. There are two ways to attack a SCADA system. First, if the system is connected to the internet for vendor updates and maintenance, the intruder finds leaks and security holes in the connection and network structure. Second, the intruder collects information about what SCADA systems are being used (software and hardware), which vendor they use and preferably the locations of the terminals, and then launches the attack.

A SCADA hack can be a remote access hack. By gathering information about the system over social networks and asking employees untrained in security, intruders can collect valuable information bit by bit to bring down the system. Sometimes vendors' web pages give out a great deal of information about the clients they take on and the system software used. With a little research and reading through press releases, hackers can find out the hardware used. The next step is social engineering over the phone or in person. With this information, remote control stations can be broken into, networks reached from the remote access point, and a SCADA hack made possible.

I came to the conclusion that it is not important how these attacks happen; let's assume for a minute that they do happen. With this in mind, I would rather like to emphasize what to do and how to prevent these attacks.

One way to protect power plants from intruders is to harden the system. Here I don't just talk about hardening the operating system, but the system as a whole. Writing and applying security policies is one of the major steps of IT security. The second and perhaps even more important step is to implement these policies. Employee training is crucial, since the human element will always be the weakest element. It is much easier to obtain information from a friendly employee who has no conscious understanding of IT security than to find a weak point in a computer system and penetrate it for the wanted information. The following are suggestions for prevention measures mentioned in Allsopp's book Unauthorised Access.

Prevention measures

Information Protection

·        Document and implement a process for the protection of information pertaining to or used by critical cyber assets. The roles of who should write these policies and who should implement them on site should be clearly defined.
·        Identification. In a security plan, all assets and mechanical equipment that are computer operated need to be identified.
·        Classification. This equipment and these systems then need to be assigned a security level and a security zone.
·        Protection. A plan covering constant maintenance and ongoing protection should be drafted.
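The Identification, Classification and Protection steps above, carried out as a small asset register with automated checks. This is an added example, not code from the original post; the zone ladder, the security levels, the "no link may skip a zone" rule and the sample assets are all constructed assumptions for illustration.

```python
# Added example: asset register for the Identification / Classification / Protection steps.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed zone ladder: lower rank = closer to the physical process.
ZONE_RANK = {"control": 0, "supervisory": 1, "corporate": 2, "internet": 3}

@dataclass
class Asset:
    name: str
    computer_operated: bool                 # mechanical-only gear is out of scope
    zone: Optional[str] = None              # security zone, one of ZONE_RANK
    level: Optional[int] = None             # protection level 1 (low) .. 4 (high)
    connects_to: List[str] = field(default_factory=list)
    last_review: Optional[str] = None       # ISO date of last protection review

def classify(assets):
    """Findings: unclassified computer-operated assets, links that jump more than
    one zone (bypassing the boundary between zones), and assets never reviewed."""
    by_name = {a.name: a for a in assets}
    findings = []
    for a in assets:
        if not a.computer_operated:
            continue
        if a.zone not in ZONE_RANK or a.level is None:
            findings.append(f"{a.name}: not classified (zone/level missing)")
            continue
        for peer_name in a.connects_to:
            peer = by_name.get(peer_name)
            if peer is None or peer.zone not in ZONE_RANK:
                findings.append(f"{a.name}: link to unclassified asset {peer_name}")
            elif abs(ZONE_RANK[a.zone] - ZONE_RANK[peer.zone]) > 1:
                findings.append(f"{a.name} ({a.zone}) directly linked to "
                                f"{peer_name} ({peer.zone})")
        if a.last_review is None:
            findings.append(f"{a.name}: no protection review recorded")
    return findings

# Constructed sample register for a small plant network.
SAMPLE = [
    Asset("plc-turbine-1", True, "control", 4, ["hmi-1"], "2016-04-01"),
    Asset("hmi-1", True, "supervisory", 3, ["plc-turbine-1", "historian"], "2016-04-01"),
    Asset("historian", True, "corporate", 2, ["hmi-1", "vendor-vpn"], "2016-04-01"),
    Asset("vendor-vpn", True, "internet", 2, ["historian", "hmi-1"]),
    Asset("cooling-valve-7", False),
    Asset("eng-laptop", True, None, None, ["plc-turbine-1"]),
]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print("FINDING:", finding)
```

Run against the sample register it reports the unclassified engineering laptop, the vendor VPN endpoint linked straight into the supervisory zone, and the missing review for that endpoint.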

Roles and Responsibilities
Roles and responsibilities of employees should be well defined and briefed. Responsible managers should document and direct SCADA security. This can be done with the help of the company's employee and mechanical system architecture. The most important part is to define these roles and responsibilities on the vendor's side as well as on the nuclear plant side.

Physical Security

One might argue that physical security has nothing to do with IT security. I believe it has everything to do with it. If I can't penetrate a local remote access station, how can I penetrate the system in the first place? First, I have to beat the physical security before I can get to the systems. The biggest challenge is to convince IT security managers who have little training or no knowledge of real-life threats. The implementation of processes, tools and procedures to monitor physical access to the power plant and its critical cyber assets, as well as all access points to the computer systems, should be clear. Security measures could include identification:

·        Biometric, keypad, token, or other devices that are used to control access to the cyber asset through personnel authentication.
·        Surveillance cameras.
·        Alarm systems inside and outside the building.
·        Maintenance and testing of the implemented security measures as well as the software and hardware used.
·        Electronic media control. No unnecessary technology allowed into the plants, like cell phones, cameras etc. (nuclear plant security, 2009)

Cyber asset security

The main concern should be the implementation of the security measures and a regular check of the implemented methods. It is important to:
·        Keep the system updated and patched
·        Manage accounts and passwords
·        Check software integrity
·        Train employees
·        Act according to international standards
·        Always be inspection ready and up to par
·        Identify and handle vulnerabilities

Conclusion

It is very critical that all power plant operations, as well as those of other ICSs, are protected from cyber attacks to maintain the mission of the systems. SCADA systems are often believed to be safe, but several lab tests have shown vulnerabilities that could cause tremendous financial and physical damage to a nuclear plant. Threats come from the inside as well as the outside, intentional and unintentional, but the key is to have clearly defined rules, regulations and policies in place. Identifying system vulnerabilities, training employees and having an incident prevention as well as an incident response plan is of great importance. Of course any advice looks good on paper, but a good security manager knows that there is no system that is completely secure and no system that can't be penetrated. The job is to keep testing the system, finding weak points and exploiting them, and preferably cataloging them rather than hiding or ignoring them.

Read more - http://nuclearcybersecurity.blogspot.com/2013/02/introduction-to-nuclear-cyber-security.html

Android Security 2015 Annual Report

Today, for the second year in a row, we’re releasing our Android Security Annual report. This detailed summary includes: a look at how Google services protect the Android ecosystem, an overview of new security protections introduced in 2015, and our work with Android partners and the security research community at large. The full report is here, and an overview is below.
One important goal of releasing this report is to drive an informed conversation about Android security. We hope to accomplish this by providing more information about what we are doing, and what we see happening in the ecosystem. We strongly believe that rigorous, data-driven discussion about security will help guide our efforts to make the Android ecosystem safer.
Enhancing Google's services to protect Android users
In the last year, we’ve significantly improved our machine learning and event correlation to detect potentially harmful behavior.
We protected users from malware and other Potentially Harmful Apps (PHAs), checking over 6 billion installed applications per day.
We protected users from network-based and on-device threats by scanning 400 million devices per day.
And we protected hundreds of millions of Chrome users on Android from unsafe websites with Safe Browsing.
We continued to make it even more difficult to get PHAs into Google Play. Last year’s enhancements reduced the probability of installing a PHA from Google Play by over 40% compared to 2014. Within Google Play, install attempts of most categories of PHAs declined including:
·        Data Collection: decreased over 40% to 0.08% of installs
·        Spyware: decreased 60% to 0.02% of installs
·        Hostile Downloader: decreased 50% to 0.01% of installs
Overall, PHAs were installed on fewer than 0.15% of devices that only get apps from Google Play. About 0.5% of devices that install apps from both Play and other sources had a PHA installed during 2015, similar to the data in last year’s report.
It’s critical that we also protect users that install apps from sources other than Google Play. Our Verify Apps service protects these users and we improved the effectiveness of the PHA warnings provided by Verify Apps by over 50%. In 2015, we saw an increase in the number of PHA install attempts outside of Google Play, and we disrupted several coordinated efforts to install PHAs onto user devices from outside of Google Play.
New security features in the Android platform
Last year, we launched Android 6.0 Marshmallow, introducing a variety of new security protections and controls:
·        Full disk encryption is now a requirement for all new Marshmallow devices with adequate hardware capabilities and is also extended to allow encryption of data on SD cards.
·        Updated app permissions enable you to manage the data they share with specific apps with more granularity and precision.
·        New verified boot ensures your phone is healthy from the bootloader all the way up to the operating system.
·        Android security patch level enables you to check and make sure your device has the most recent security updates.
·        And much more, including support for fingerprint scanners, and SELinux enhancements.
Deeper engagement with the Android ecosystem
We’re working to foster Android security research and making investments to strengthen protections across the ecosystem now and in the long run.
In June, Android joined Google’s Vulnerability Rewards Program, which pays security researchers when they find and report bugs to us. We fixed over 100 vulnerabilities reported this way and paid researchers more than $200,000 for their findings.
In August, we launched our monthly public security update program to the Android Open Source Project, as well as a security update lifecycle for Nexus devices. We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs. Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices. Despite this progress, many Android devices are still not receiving monthly updates—we are increasing our efforts to help partners update more devices in a timely manner.
Greater transparency, well-informed discussions about security, and ongoing innovation will help keep users safe. We'll continue our ongoing efforts to improve Android’s protections, and we look forward to engaging with the ecosystem and security community in 2016 and beyond.

Visit - https://security.googleblog.com/2016/04/android-security-2015-annual-report.html

Security Governance Ripples from Target Breach

You know the saying, if you want a different result, best not to keep doing the same thing. In this case, the result was the massive data loss breach involving loss of the records of 40 million customers at mega retailer Target.

In its wake, CEO Gregg Steinhafel stated that he is "elevating the role" of its chief information security officer and hiring outside the company to fill the position.  According to this NY Times article from early March, bringing on a new CISO will help Target centralize the company's security responsibilities.

And while the timing is coincidental, I owe Schweitzer Engineering Laboratories' Sharla Artz thanks for pointing out that Wisconsin based electric utility Alliant Energy Corp just made a similar move. For me, there are several promising parts to Alliant's announcement at the recent EnergyBiz conference that it had just:
Created an executive-level opening ... for overseeing cyber and physical security. The position was designed to bring cyber issues out of the weeds of the IT shop, where CEOs generally don't tread.
What I like best about this is:
·        The company didn't have to endure a huge security incident to justify this change to the org chart
·        The position is clearly not going to be buried in an IT silo, so it should have authority to set security policy across IT and OT
·        Reflecting a convergence that's happening in many energy enterprises, this new security exec will oversee both cyber and physical security
Hopefully we'll see more utilities make similar moves ... and soon.

Credit - http://smartgridsecurity.blogspot.com/2014/03/security-governance-ripples-from-target.html