FOUNDATIONS OF OPERATIONAL RISK
IMT 556
Week #6
Autumn 2013
Administrative Details
• You should all have your papers back by now
• You should name every paper you write with a title – “Paper #1” is not a title
• Following the instructions gets you a higher grade
• Watch the video to see how to read my comments
• Come talk to me if you don’t understand the comments
• Next week’s speakers = Christopher Dahl, Deloitte; and Chris Rivinus, Tullow Oil (Africa’s leading independent oil company)
• Next week’s “Real World” = Third Party/Human Risk
News of the week
• Federal Prosecutors, in a Policy Shift, Cite Warrantless Wiretaps as Evidence
• Spying Known at Top Levels, Officials Say
• NSA bills set up a choice in Congress: End bulk collection of phone records or endorse it
• NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say
Cyber Threat (diagram: the sources of operational risk, with the cyber threat at the centre)
• System and Processes
  • Flaws and security holes
  • Access to IP
  • Lack of effective controls
  • Looking in the wrong place
• People
  • Vulnerability to social engineering
  • Contractors
• External Events
  • Hacks from other entities (criminal, Anonymous)
  • Hacks by other governments (Ponemon Rpt)
Cyber security breakdowns
• NY Times and Wall Street Journal – Jan 2013
  • Impact: 450,000 usernames and passwords compromised
• Twitter – February 2013
  • Impact: Inappropriate messages were posted through Burger King’s account posing as McDonald’s
• Adobe – October 2013
  • Impact: As many as 38 million customers affected
Risk to the Nation’s Critical Infrastructure
• Vulnerabilities inherent in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems (primarily in the private sector) which govern networks including power, water, and chemical production among other vital operations.
• Risks to confidential databases held by the government: Social Security, Medicare, Internal Revenue Service, which include private information on its citizens.
• Global risks to national credibility and reputation that are a result of either government activity or a lack of information sharing between government and the private sector.
The Department of Homeland Security released this map showing the locations of 7,200 key industrial control systems that appear to be directly linked to the Internet and vulnerable to attack.
SCADA Systems
• Supervisory control and data acquisition is a type of industrial control system (ICS).
• Includes manufacturing, production, power generation, water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission, heating, ventilation, and air conditioning systems (HVAC), access, and energy consumption.
• Not designed with security in mind.
• Cannot differentiate between legitimate requests and malicious ones: a field device accepts any well-formed command it receives.
• SCADA systems were traditionally on isolated networks that would require an attacker to first gain physical access to the target facility, but not anymore.
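Because the field devices themselves accept any well-formed request, the only place left to tell legitimate commands from malicious ones is the network in front of them. The following is an added example, not part of the lecture materials: a small policy monitor that reads Modbus-style request records (the log format, host addresses and policy are constructed for illustration; the function-code values are the standard Modbus ones) and flags requests from unknown hosts, write commands from hosts that are only allowed to read, and function codes outside the expected set.

```python
"""Policy monitor for SCADA/ICS command traffic (illustrative, constructed data).

Field devices cannot distinguish a legitimate write from a malicious one, so a
compensating control on the network has to apply that distinction. This example
checks each request against an allowlist of hosts and the function codes each
host may use.
"""
import re
from dataclasses import dataclass

# Standard Modbus function codes: 1-4 read coils/inputs/registers,
# 5/6/15/16 write coils/registers. Anything else is treated as unexpected here.
READ_FCS = {1, 2, 3, 4}
WRITE_FCS = {5, 6, 15, 16}

# Constructed policy: which hosts may talk to the PLC and whether they may write.
POLICY = {
    "10.1.5.20": {"role": "HMI", "write": False},
    "10.1.5.21": {"role": "engineering workstation", "write": True},
}

# Constructed log format: "<timestamp> src=<ip> dst=<ip> unit=<n> fc=<n> addr=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"unit=(?P<unit>\d+) fc=(?P<fc>\d+) addr=(?P<addr>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    fc: int
    reason: str


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "unit": int(d["unit"]), "fc": int(d["fc"]), "addr": int(d["addr"])}


def evaluate(record):
    """Apply the policy to one parsed record; return a Finding or None if allowed."""
    src, fc = record["src"], record["fc"]
    entry = POLICY.get(src)
    if entry is None:
        return Finding(record["ts"], src, fc, "request from host not in allowlist")
    if fc not in READ_FCS | WRITE_FCS:
        return Finding(record["ts"], src, fc, f"unexpected function code {fc}")
    if fc in WRITE_FCS and not entry["write"]:
        return Finding(record["ts"], src, fc,
                       f"write (fc {fc}) from read-only host ({entry['role']})")
    return None


def scan(lines):
    """Run every parseable line through the policy and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-request line; skipped, not alerted on
        f = evaluate(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample traffic: two normal requests, then three that violate policy.
SAMPLE_LOG = [
    "2013-11-04T10:15:02Z src=10.1.5.20 dst=10.1.9.7 unit=1 fc=3 addr=40001",
    "2013-11-04T10:15:09Z src=10.1.5.21 dst=10.1.9.7 unit=1 fc=6 addr=40010",
    "2013-11-04T10:16:30Z src=10.1.5.20 dst=10.1.9.7 unit=1 fc=16 addr=40010",
    "2013-11-04T10:17:44Z src=192.0.2.55 dst=10.1.9.7 unit=1 fc=6 addr=40010",
    "2013-11-04T10:18:01Z src=10.1.5.21 dst=10.1.9.7 unit=1 fc=43 addr=0",
    "not a request record",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.src} fc={f.fc}: {f.reason}")
```

Run as a script, it reports the HMI attempting a multi-register write, a write from an address outside the allowlist, and an unexpected function code from the engineering workstation; the two ordinary requests and the malformed line produce nothing. The design point is that the check lives outside the device: the policy is expressed in terms the device cannot enforce itself (who is asking, and whether that party is permitted to change state).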
Natanz Nuclear Facility in Iran attacked by the Stuxnet worm
• Stuxnet is a computer worm discovered in June 2010 that is believed to have been created by the United States and Israel to attack Iran's nuclear facilities.
• Affected 1000 out of 5000 uranium enrichment centrifuges
• Justification: Iran was suspected to be pursuing a nuclear weapons program
Saudi Aramco Hack – August 15, 2012
• The virus — called Shamoon after a word embedded in its code — was designed to do two things:
  • replace the data on hard drives with an image of a burning American flag
  • report the addresses of infected computers — a bragging list of sorts — back to a computer inside the company’s network.
Telvent Security Hack – Sept 10, 2012
• Internal firewall and security systems breach
• SCADA admin tool OASyS SCADA compromised – a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies
• Attacker(s) installed malicious software and stole project files
• The digital fingerprints left behind by the attackers point to a Chinese hacking team known as the ‘Comment Group’
Mitigating Cyber Threats
• Resilience
  • Strengthen digital and network infrastructure to be more resistant to attacks
  • Quick recovery
• Reduce cyber threats
  • Information about the intentions of cyber adversaries
  • Counter-social engineering training
  • Make potentially critical cyber-security information available to law enforcers, government, intelligence agencies
Cyber Intelligence Sharing and Protection Act (CISPA)
Would have allowed for the sharing of Internet traffic information between the U.S. government and certain technology and manufacturing companies.
The stated aim of the bill was to help the U.S. government investigate cyber threats and ensure the security of networks against cyber attack.
Currently “dying a quiet death” in the Senate.
Trust issues between government and the private sector are very high.
Failed Attempts at Cyber Legislation
• SOPA
• PIPA
• Cyber Security Act of 2010
• CISPA
SOPA, PIPA, CISMA and CISPA were all met with widespread protest due to privacy concerns:
• The US government would be able to read Americans’ personal e-mails, online chat conversations, and other personal information that only private companies and servers might have access to.