Our Turbine got Hacked! Performing Forensic Investigations of Industrial Control Systems

Similar documents
Managed Endpoint Defense

Analytics Driven, Simple, Accurate and Actionable Cyber Security Solution CYBER ANALYTICS

BIG DATA ANALYTICS IN FORENSIC AUDIT. Presented in Mombasa. Uphold public interest

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Fast Incident Investigation and Response with CylanceOPTICS

Continuous protection to reduce risk and maintain production availability

Challenges 3. HAWK Introduction 4. Key Benefits 6. About Gavin Technologies 7. Our Security Practice 8. Security Services Approach 9

SIEM: Five Requirements that Solve the Bigger Business Issues

STAY ONE STEP AHEAD OF THE CRIMINAL MIND. F-Secure Rapid Detection & Response

Make IR Effective with Risk Evaluation and Reporting

Tools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Towards an integrated regulation platform in Luxembourg. Information Security Education Day th of april

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Intelligent and Secure Network

You will choose to study units from one of four specialist pathways depending on the career you wish to pursue. The four pathways are:

<Partner Name> <Partner Product> RSA NETWITNESS Logs Implementation Guide. Exabeam User Behavior Analytics 3.0

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

WHAT S NEW WITH OBSERVEIT: INSIDER THREAT MANAGEMENT VERSION 6.5

SIMATIC. WinCC Readme Runtime Professional. Validity 1. Improvements in Update 2 2. Improvements in Update 1 3

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

SentinelOne Technical Brief

NCIRC Security Tools NIAPC Submission Summary Encase Enterprise Edition

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. Ralf Kaltenbach, Regional Director RSA Germany

Defending the Gibson in 2015

Behavioral Analytics A Closer Look

Orchestrating and Automating Trend Micro TippingPoint and IBM QRadar

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

Security Information & Event Management (SIEM)

Securing Office 365 with SecureCloud

Unlocking the Power of the Cloud

NTP Software File Reporter

IBM Security technology and services for GDPR programs GIULIA CALIARI SECURITY ARCHITECT

SentinelOne Technical Brief

Proactive Defense with Automated First Responder (AFR) Anuj Soni Jason Losco

CLD100. Cloud for SAP COURSE OUTLINE. Course Version: 16 Course Duration: 2 Day(s)

BREACHES HAPPEN: BE PREPARED. Endpoint Detection & Response

SIMATIC. WinCC Readme Runtime Professional. Validity 1. Improvements in Update 7 2. Improvements in Update 6 3. Improvements in Update 5 4

White Paper. How to Write an MSSP RFP

SECURECHAIN BLOCKCHAIN-BASED SECURITY FOR SOFTWARE-DEFINED NETWORKS (SDN).

Kaspersky Industrial CyberSecurity. Kaspersky Industrial CyberSecurity: solution overview #truecybersecurity

Cybersecurity: latest threats in industrial environments and their solutions

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Intent Driven Network Operations with AppFormix Advanced Analytics Platform. Joseph Li

Digital Forensics as a Big Data Challenge

PROVIDING INVESTIGATIVE SOLUTIONS

Cyber Security Technologies

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Financial Forensic Accounting

McAfee Public Cloud Server Security Suite

Big Data and Object Storage

<Partner Name> RSA NETWITNESS Intel Feeds Implementation Guide. Kaspersky Threat Feed Service. <Partner Product>

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

Cyber Security Update. Bennett L. Gaines Senior Vice President, Corporate Services, CIO, FirstEnergy 2012 Summer Seminar August 5-7, 2012

RSA Security Analytics

Neuromorphic Data Microscope

SentryWire Next generation packet capture and network security.

SentryWire Next generation packet capture and network security.

Cisco Advanced Malware Protection (AMP) for Endpoints Security Testing

ForeScout Extended Module for Splunk

Real-time, Unified Endpoint Protection

An Introduction to Incident Detection and Response Memory Forensic Analysis

Cisco Stealthwatch Improves Threat Defense with Network Visibility and Security Analytics

Chapter 7 Forensic Duplication

DEFINITIONS AND REFERENCES

NETWORK FORENSIC ANALYSIS IN THE AGE OF CLOUD COMPUTING.

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

Managing BYOD Networks

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Sofware & System Security. Group. Davide Balzarotti Aurélien Francillon

Legal Informatics, Privacy and Cyber Crime

New Generation SIEM. Solution Development

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

CLOSING THE GAP IN MALWARE DETECTION DISRUPTING THE DETECTION-BASED DYNAMIC

Symantec Ransomware Protection

Moving from Prevention to Detection March 2017

CipherCloud CASB+ Connector for ServiceNow

Certified Information Security Manager (CISM) Course Overview

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

EU GENERAL DATA PROTECTION: TIME TO ACT. Laurent Vanderschrick Channel Manager Belgium & Luxembourg Stefaan Van Hoornick Technical Manager BeNeLux

Incident Response & Forensic Best Practice. Cyber Attack!

FOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY

GRR Rapid Response. An exercise in failing to replace yourself with a small script.

A revolutionary visual security and analytics solution

A Cross-Sector Perspective on Product Cyber Security

JSgraph Enabling Reconstruction of Web Attacks via Efficient Tracking of Live In-Browser JavaScript Executions

MANAGED DETECTION AND RESPONSE

Speakers. Shellie Zavatsky Director of Internal Audit at Hurley Medical Center. Trent Long Director of Managed Privacy Services at FairWarning, Inc

Model-Driven Engineering in Digital Forensics. Jeroen van den Bos with Tijs van der Storm and Leon Aronson

MITIGATE CYBER ATTACK RISK

Siemens Drives & PLCs

SOLUTION BRIEF RSA NETWITNESS NETWORK VISIBILITY-DRIVEN THREAT DEFENSE

PROTECT AND AUDIT SENSITIVE DATA

TRAPS ADVANCED ENDPOINT PROTECTION

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

SIEM Product Comparison

COURSE BROCHURE. Professional Cloud Service Manager Training & Certification

Transcription:

Siemens Our Turbine got Hacked! Performing Forensic Investigations of Industrial Control Systems Heiko Patzlaff Restricted Siemens AG 2013. All rights reserved

Page 2

The traditional approach to host forensics Request data Analyse data Acquire hard-drive image 1 day Forensics Process data 5-10 days User Transfer data per courier service ~100 GB (meta-data + full content) 5 days Total time per host analysis: 10-15 days! Page 3

The changing security landscape Page 5

The increasing need for data and for data analysis signature-based signatureless methods methods Detection = Protection FP free Fully automated Detection Protection Not FP free Requires human interpretation Need for data increase Need for analysis increases Cost per incident increases How can this cost increase be controlled? Page 6

The Zoo of Industrial Control Systems Page 12

Layout of a secured industrial network (example PCS 7) Stuxnet target: WinCC Server Page 13

Layout of a secured industrial network (example) Page 14

The CRISALIS FP7 Project Securing Critical Infrastructures Page 16

Constraints for forensic investigations in industrial settings Proprietary components, interfaces, data formats and protocols Remote and distributed installations, Firewalled/Air-gaped Availability/Always on Operational constraints (real-time, low processing power, old operating systems, low bandwith) Legal and regulatory restrictions Page 18

Goals 1. develop forensic capabilities for industrial systems 2. reduce cost of forensic investigations by a factor 100x Achieving these goals rests on three pillars: Data Reduction Forensic analysis is largly based on meta- and logging data. Content information is used only very selectively. Page 19 Automation Automation Data collection, processing and analysis is highly automated. Human input is not required. Analytics Analytics Forensic know-how is integrated into the system (forensic knowledge system). Requirement for human analyst is greatly reduced (Analyst Reviewer)

A new forensic platform Forensic Cloud 4. Processing 3. Automatic Data Transfer ~100MB (meta-data + selective content) 5. Review 15 minutes 2. Run agent on host computer 15 minutes Forensics Operator 1. Send agent executable collects data from attached PLCs Total time per analysis: 1 hour Page 20

A new forensic platform Remote System System Remote Live system Offline system EnCase extract Forensic Cloud Cloud Forensic... Filesystem meta-data Config data Log data Runtime data Suspicious executables convert combine External data sources (whitelist DB, reputation sources, ) analyze ASCII files Review Server Server Review Page 22 Command line Compromize Timeline Elasticsearch DB review Anomalies Web-frontend Risk Integrity

Page 23

Page 24

FERRET A platform for the investigation of security incidents in industrial systems. Semi-automated Cost-effecive Agent agnostic Scalable Forensic and Data-Analytics capabilities Page 25

Thank you for your attention Heiko Patzlaff Siemens Restricted Siemens AG 2013. All rights reserved

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback