Cyber Shield. Presented by: Dennis Murphy, Director, SCADA Cybersecurity, Elbit Systems. Email: dennis.murphy@elbitsystems-us.com. Phone: 603-886-2154. Twitter: @CyberMurphy. Fides SCADA Anomaly Detection System Has Your Six. February 2015
Elbit Systems Corporate Snapshot. Elbit Systems of America is a wholly owned subsidiary of Elbit Systems Ltd. (ESL), a leading global source of innovative, technology-based systems for diverse defense and commercial applications. Israeli-based, multi-domestic defense electronics company. Publicly traded on NASDAQ and the Tel Aviv stock exchange (ESLT). Annual revenues: $2.9B. 13,000 employees across 13 countries. Breakdown by region: USA 30%, Europe 25%, Rest of World 24%, Israel 21%.
History repeats itself. World War II: a new dimension on the battlefield.
The evolution of protecting against air warfare, and against advanced cyber threats, follows the same four stages of comprehensive defense maturity:
Threat is running wild: the German Luftwaffe launches high-level bombers / APTs are well-targeted, with multi-surface attacks.
Inadequate prevention: barrage balloons are of little use against high-level bombers / anti-virus, firewalls and traditional prevention techniques are inadequate.
Out of context, siloed detection: radar is able to warn but not defeat the threat / siloed detection capabilities cannot effectively stop the threat in time.
Integrated detection, mitigation & control: integrated war rooms with detection and mitigation / centralized cyber operations that facilitate integrated early detection and effective response, together with people and policies.
Market Trends and Challenges
"There is no such thing as 100% prevention and there never will be." (Gartner, 2014) "Companies worldwide spend an estimated $12 billion on basic cyber-crime prevention." (Association of Certified Fraud Examiners)
Stand-alone prevention is inadequate. Existing blocking and prevention capabilities are insufficient to protect against motivated, advanced attackers. Too many high-priority alerts: 10,000 alerts per hour with no actionable insight; the alert went unchecked for 20 days before the breach announcement. "Those alarms [should] have been impossible to miss; they went off early enough that the hackers hadn't begun transmitting the stolen card data out of Target's network." Source: Gartner; Bloomberg Business, 13 March 2014.
Why traditional prevention doesn't work: the grey zone. Prevention tools give a green light to clearly benign activity and a red light (blacklist) to clearly malicious activity. APTs play in the grey zone between the two, using actions that are ambiguous in isolation: injections, droppers, creating a new process, taking screen shots, closing a process, loading a driver.
There is a seismic shift to detection. Enterprise information security budgets allocated to rapid detection and response: 10% in 2014, 60% by 2020. Enterprises with a security data warehouse: 5% in 2015, 40% by 2020. Source: Gartner, 2014. Over the next 5 years there will be a significant shift to rapid detection and response approaches.
Elbit Cyber Security Portfolio
Context-aware detection & mitigation for actionable insight. Technologies & tools: advanced technology for the full range of cyber threats. Policies, practices, procedures: a holistic approach to protecting your organization. Trained personnel: trained professionals equipped for the dynamic threat. Cooperation, collaboration, intelligence: leverage the wider community for enhanced protection.
Cyber Shield Portfolio: Cyber Shield Training & Simulation; Cyber Shield Analysis & Detection; Cyber Shield Mitigation & Response; Cyber Shield AnD for SCADA; Cyber Shield AnD for IT.
Cyber Shield: context-aware cyber threat detection & mitigation for actionable insight. An intelligent, holistic view of advanced cyber threats across multiple types of infrastructure, for early detection and effective response, to protect isolated and semi-isolated networks.
Cyber Shield Conceptual Architecture. Cyber Shield TnS (Training and Simulation). Cyber Shield AnD (Analysis and Detection): anomaly detection of behavioral patterns, cross-domain correlation. Cyber Shield MnR (Mitigation and Response): event management, situational awareness, contextual impact engine, SOC manager. Cyber Shield Sensors (detect local anomalies, smart data collection): CS-ICS (SCADA), CS-IT, CS-Weapon Systems, CS-Mobiles, plus prevention and mapping & assessment. IT infrastructure enrichment feeds from the firewall, Active Directory, IT infrastructure, SIEM and external information sources.
CyberShield AnD SCADA (Analysis & Detection) Protecting Critical Infrastructure
SCADA Networks. Most critical networks are geographically dispersed. The applications and protocols used in the SCADA network were designed without security. All security measures aim to isolate the control network from the enterprise, but in reality interconnectivity is increasing. Good news: SCADA networks tend to be more deterministic and predictable than enterprise networks, especially at the protocol level, which is what makes allow-list based anomaly detection tractable.
Solution Goal: a monitoring and APT detection system for an independent SCADA/DCS network. Cyber Shield AnD for SCADA addresses reliability, visibility, safety, control, security and compliance.
Cyber Shield AnD for SCADA: Module Overview.
BlackBox Appliance: a small-form blackbox that logs SCADA protocol traffic by passively monitoring the data communication between the field devices and the control center.
Insight Forensic & Analysis: stores the blackbox-collected data in a relational database and allows the user to query, view, filter and run intelligent analysis in an ad-hoc fashion.
Alerting: application-aware profiler that alerts on network anomalies, mainly to detect malicious activities.
NetMap: inventory and load monitoring of the control network and its nodes, with visualization and trending features.
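The blackbox-to-relational-store-to-forensics pipeline described above, as an added example that is not Elbit's code: a passive sensor logs each frame's addressing and raw application payload into a SQLite table (standing in for the product's relational database), and an exporter selects a time window and rebuilds a pcap from it. The MAC/IP addresses, the Modbus/TCP poll bytes and the timestamps are constructed for the example; sequence numbers and the TCP checksum are not logged, so the rebuilt TCP header carries zeros there.

```python
"""Blackbox store and pcap rebuild for a time window (constructed example).

A passive sensor logs each SCADA frame's addressing and application payload
into a relational store (SQLite here); export_pcap() selects a time period and
re-synthesises Ethernet/IPv4/TCP headers so the window opens in any pcap tool.
"""
import sqlite3
import struct

LINKTYPE_ETHERNET = 1


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum over the 20-byte IPv4 header."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Ethernet II + IPv4 + TCP (PSH/ACK) around the stored payload.
    Sequence numbers and the TCP checksum are zero: they were not logged, and
    pcap readers do not validate TCP checksums by default."""
    tcp = struct.pack(">HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack(">H", ipv4_checksum(ip)) + ip[12:]
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    return eth + ip + tcp + payload


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE frames (ts REAL, src_mac TEXT, dst_mac TEXT, src_ip TEXT, "
               "dst_ip TEXT, src_port INTEGER, dst_port INTEGER, payload BLOB)")
    return db


def log_frame(db, ts, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    db.execute("INSERT INTO frames VALUES (?,?,?,?,?,?,?,?)",
               (ts, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload))


def export_pcap(db, t_start, t_end):
    """Return (pcap_bytes, frame_count) for frames with t_start <= ts < t_end."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rows = db.execute("SELECT ts, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload "
                      "FROM frames WHERE ts >= ? AND ts < ? ORDER BY ts", (t_start, t_end))
    count = 0
    for ts, *fields in rows:
        pkt = build_packet(*fields)
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
        count += 1
    return out, count


def demo():
    """Log ten constructed Modbus/TCP polls one second apart, export seconds 3..6."""
    db = open_store()
    base = 1425168000.0  # constructed epoch timestamp
    poll = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"  # constructed FC 3 read request
    for i in range(10):
        log_frame(db, base + i, "00:11:22:33:44:01", "00:11:22:33:44:02",
                  "10.0.0.10", "10.0.0.20", 40000 + i, 502, poll)
    return export_pcap(db, base + 3, base + 7)


if __name__ == "__main__":
    data, n = demo()
    with open("window.pcap", "wb") as fh:
        fh.write(data)
    print("wrote %d frames, %d bytes" % (n, len(data)))
```

Running the module writes window.pcap containing the four frames inside the window; because only addressing and payload were stored, the rebuilt capture is faithful at the application layer but the TCP layer is synthetic, which is the trade-off of storing parsed fields rather than raw packets.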
Cyber Shield AnD: SCADA sensors. Cyber Shield SCADA sensors are small, modular computing nodes. Distributed architecture, scalable up to hundreds of monitoring appliances per server installation. The sensors passively monitor the SCADA network traffic without reconfiguring or redesigning the existing network architecture. They can also monitor serial links (RS-232 and RS-485) carrying protocols such as Profibus and IEC 60870-5-101, not only Ethernet.
Cyber Shield AnD for SCADA: Typical Deployment. Control center: HMIs, enterprise management on the corporate LAN, historian, FEP and SCADA server on the communication backbone, alongside the AnD server. The AnD server forwards events by syslog / SNMP to the SOC's SIEM / incident management system. SCADA network and remote SCADA network: AnD blackbox sensors are attached to a switch mirror / tapping port (Ethernet) or to the serial link, connected over a VLAN, inline, or via a separate physical network, and observe traffic to RTUs, IEDs and PLCs. Diagram legend: AnD components versus the existing system.
Cyber Shield AnD for SCADA: Operation.
Network Forensics: built-in client application for network forensics. All SCADA network traffic is logged in a central relational database for historical analysis and correlation. Columns can be selected and advanced filters set in place to perform advanced network forensics. Export capability rebuilds the pcap files for a defined event or time period.
SCADA Alerts: summary list of all alerts. The list can be filtered to find relevant alerts and allows advanced analysis of suspicious traffic anomalies.
White List Rule Definition: enables the user to manually or automatically define rules on what transmissions are allowed in the network, a relatively simple definition in SCADA networks because the traffic is deterministic. Monitoring covers all layers, from physical (MAC) to application-specific data (process data values).
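The white-list approach above, as an added example that is not Elbit's code: an allow list learned from a clean traffic window at each layer the slide names (MAC pairs, IP flows, per-master/per-slave function codes, and the range of values written to each register), then enforced against new frames. Modbus/TCP is assumed as the illustration protocol, the HMI/PLC addresses and all traffic are constructed, and the frame record is a simplified stand-in for what a sensor would capture.

```python
"""Allow-list profiler for a deterministic SCADA segment (constructed example).

Learns which MAC pairs talk (L2), which IP flows exist (L3), which Modbus/TCP
function codes each master sends to each slave (APP) and what range of values
is written to each register (VALUE), then alerts on anything outside that.
"""
import struct
from dataclasses import dataclass

HMI_MAC, HMI_IP = "00:11:22:33:44:01", "10.0.0.10"   # constructed addresses
PLC_MAC, PLC_IP = "00:11:22:33:44:02", "10.0.0.20"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes   # TCP payload: Modbus/TCP MBAP header + PDU


def build_modbus_request(unit, fc, address, value, tid=1):
    """Constructed Modbus/TCP request: MBAP (tid, proto 0, length, unit) + PDU."""
    pdu = struct.pack(">BHH", fc, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(payload):
    """Decode MBAP + PDU into (unit, fc, address, value); ValueError if malformed.
    Only FC 3 (read holding registers) and FC 6 (write single register) get a
    decoded address/value; other function codes return None for both."""
    if len(payload) < 8:
        raise ValueError("truncated MBAP header")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:
        raise ValueError("MBAP length %d does not match payload" % length)
    fc = payload[7]
    if fc in (3, 6) and len(payload) >= 12:
        address, value = struct.unpack(">HH", payload[8:12])
        return unit, fc, address, value
    return unit, fc, None, None


class AllowListProfiler:
    def __init__(self):
        self.l2_pairs = set()     # (src_mac, dst_mac)
        self.l3_flows = set()     # (src_ip, dst_ip, dst_port)
        self.app_ops = set()      # (src_ip, dst_ip, unit, fc)
        self.write_ranges = {}    # (dst_ip, unit, address) -> [lo, hi]

    def learn(self, frame):
        """Extend the allow list from one frame of known-good traffic."""
        self.l2_pairs.add((frame.src_mac, frame.dst_mac))
        self.l3_flows.add((frame.src_ip, frame.dst_ip, frame.dst_port))
        unit, fc, address, value = parse_modbus_tcp(frame.payload)
        self.app_ops.add((frame.src_ip, frame.dst_ip, unit, fc))
        if fc == 6:
            rng = self.write_ranges.setdefault((frame.dst_ip, unit, address), [value, value])
            rng[0], rng[1] = min(rng[0], value), max(rng[1], value)

    def check(self, frame):
        """Return alert strings for one observed frame (empty list = allowed)."""
        alerts = []
        if (frame.src_mac, frame.dst_mac) not in self.l2_pairs:
            alerts.append("L2: unknown MAC pair %s -> %s" % (frame.src_mac, frame.dst_mac))
        if (frame.src_ip, frame.dst_ip, frame.dst_port) not in self.l3_flows:
            alerts.append("L3: unknown flow %s -> %s:%d" % (frame.src_ip, frame.dst_ip, frame.dst_port))
        try:
            unit, fc, address, value = parse_modbus_tcp(frame.payload)
        except ValueError as exc:
            alerts.append("APP: malformed Modbus/TCP (%s)" % exc)
            return alerts
        if (frame.src_ip, frame.dst_ip, unit, fc) not in self.app_ops:
            alerts.append("APP: FC %d from %s to %s unit %d not in baseline" % (fc, frame.src_ip, frame.dst_ip, unit))
        if fc == 6:
            rng = self.write_ranges.get((frame.dst_ip, unit, address))
            if rng is None:
                alerts.append("VALUE: write to register %d never seen in baseline" % address)
            elif not rng[0] <= value <= rng[1]:
                alerts.append("VALUE: write of %d to register %d outside learned range %d..%d"
                              % (value, address, rng[0], rng[1]))
        return alerts


def hmi_to_plc(payload):
    return Frame(HMI_MAC, PLC_MAC, HMI_IP, PLC_IP, 502, payload)


def build_baseline():
    """Learn from 20 constructed cycles: FC 3 reads plus FC 6 writes of 40..59 to register 100."""
    profiler = AllowListProfiler()
    for tid in range(20):
        profiler.learn(hmi_to_plc(build_modbus_request(1, 3, 0, 10, tid)))
        profiler.learn(hmi_to_plc(build_modbus_request(1, 6, 100, 40 + tid, tid)))
    return profiler


def run_demo():
    """Check five constructed frames against the baseline; returns {name: alerts}."""
    profiler = build_baseline()
    cases = {
        "normal_write": hmi_to_plc(build_modbus_request(1, 6, 100, 55)),
        "out_of_range_write": hmi_to_plc(build_modbus_request(1, 6, 100, 500)),
        "unknown_function": hmi_to_plc(build_modbus_request(1, 8, 4, 0)),  # FC 8 diagnostics, never baselined
        "rogue_host": Frame("00:11:22:33:44:99", PLC_MAC, "10.0.0.99", PLC_IP, 502,
                            build_modbus_request(1, 3, 0, 10)),
        "bad_protocol_id": hmi_to_plc(b"\x00\x01\x00\x07\x00\x06\x01\x03\x00\x00\x00\x0a"),
    }
    return {name: profiler.check(frame) for name, frame in cases.items()}


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(name, alerts or "ok")
```

The learning window must be known-clean, since anything seen during it becomes allowed; in practice the learned lists are reviewed before enforcement, which is the "manually or automatically" choice the slide describes.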
Supported Protocols. Cyber Shield leads the market with the most comprehensive support for SCADA protocols: DF1; C37.118; UDH TCP/RTU/+; IEC 60870-5-101/104; DNP3 / DNPi; Profinet/Profibus; Teleperm XP; TIM; MDLC / MDLC over IP.
Cyber Shield AnD for SCADA: Unique Offering. AnD for SCADA is a full suite of features: complete packet logging for forensics; context-aware alerts; passive connectivity; core inspection. It is the only solution providing legacy serial inspection integrated with TCP/IP inspection. Connectivity to CyberShield provides context-aware, intelligence-driven response to enterprise cyber security.
CyberShield TnS (Training & Simulation)
Cyber Shield Training and Simulation. An enterprise-level trainer enabling the organization to train its cyber defenders and simulate complex scenarios on its specific IT and SCADA networks. Simulates multistage, highly advanced APT attacks. Maximizes the awareness and improves the skills of the cyber workforce. Automatic attack machine generating real-life scenarios, training all the various cyber defender roles. Focused on accurately simulating multi-stage, multi-vector cyber attacks on the enterprise. Reflects the real operational network environment, including IP and SCADA networks.
Thank You!