
Remote Access Considered Dangerous

Andrew Ginter, VP Industrial Security


Waterfall Security Solutions

Proprietary Information -- Copyright © 2015 by Waterfall Security Solutions 2015


"Secure" Remote Access
● Behind lots of firewalls, and through a gazillion-bit-encrypted VPN. “I have a firewall. I have encryption. I must be safe!”
● Split tunnelling disabled – all Internet traffic goes through the IT network and IT security
● Enabled: Host Check / Security-Enforced Client / Endpoint Security
● Intermediate “jump” host completely up to date with anti-virus & security updates
● Two-factor authentication
● Network intrusion detection deployed into and out of the jump host
[Diagram: remote laptop on hotel WiFi → Internet → Firewall / VPN Server → IT Network → Firewall → DMZ with two Jump Hosts → Firewall → Plant Network]



To defeat remote access … Write some malware
● It’s a simple matter of programming …
● Wait till the user starts the VPN and gives the VPN password
● Wait more till he starts Remote Desktop with the 2-factor dongle
● Move the Remote Desktop window to an invisible screen
● Show the user a deceptive error message
● Give the attacker remote control of the invisible Remote Desktop

[Diagram: the same network path as before (hotel WiFi → Internet → Firewall / VPN Server → IT Network → DMZ Jump Hosts → Plant Network), now with the attacker reaching the plant through the invisible Remote Desktop session on the compromised laptop]


But How Did You … ?
● Get the malware on the remote laptop? Spear phishing.
● Defeat anti-virus? Wrote the malware myself.
● Escalate privilege? Told the user he was installing a CODEC and asked him politely for admin privileges.
● Defeat 2-factor authentication? Waited to take over the window until the user logged in with the RSA dongle.
● Defeat VPN protection profiles? Didn’t have to – the laptop’s AV and security updates were right up to date.
● Defeat split tunneling? Direct access to the networking hardware.
● Defeat security updates? Didn’t have to – no vulnerabilities were exploited.
● Defeat NIDS? The hotel room has no NIDS. And the plant NIDS saw only a legitimate user logging in and legitimately reprogramming the ICS.


IT-Style Remote Access Cybersabotage Attack Model

[Attack model grid: one column per threat actor; each column lists that actor's attack types in the order they appear on the slide, bottom row to top row]

IT Insider: Virus triggers shutdown; Vandalism – delete files; Remote targeted ransomware; Remote targeted misoperation; Disable safeties
ICS Insider: Drop malware; Ransomware; Remote shutdown; Remote misoperation; Disable safeties
Hacktivist: Remote shutdown; Remote misoperation; Drop malware; Physical vandalism; Local misoperation
Organized Crime: Embarrass business; Remote shutdown; Erase hard drives; Remote misoperation; Disable safeties
Intelligence Agency: Sleeper malware; Remote shutdown; Erase hard drives; Remote misoperation; Disable safeties
Military: Erase hard drives; Remote misoperation; Sleeper malware; Autonomous malware; Compromised insider


OT Protection: Unidirectional Security Gateways

[Same attack model grid as the previous slide (IT Insider, ICS Insider, Hacktivist, Organized Crime, Intelligence Agency, Military), annotated for Unidirectional Security Gateway protection]


We Can’t Restore A Turbine From Backup
● IT security prevents data theft, not sabotage of physical processes
● Remote control is the modern attack pattern – compromising remote access is only the most obvious remote-control attack
● Attacks only become more sophisticated – we need to think ahead when protecting our industrial networks
● Unidirectional Security Gateways are modern protection for OT – absolute protection from attacks from external networks
● Unidirectional Gateways defeat interactive remote access

Which of our industrial processes and control systems are expendable enough to protect with firewalls?