SCADA Security: How Do I Know If I ve Already Been Owned?

Similar documents
Building Resilience in a Digital Enterprise

The Art and Science of Deception Empowering Response Actions and Threat Intelligence

ARC VIEW. Critical Industries Need Continuous ICS Security Monitoring. Keywords. Summary. By Sid Snitkin

Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Part 2: How to Detect Insider Threats

RSA INCIDENT RESPONSE SERVICES

Sobering statistics. The frequency and sophistication of cybersecurity attacks are getting worse.

RSA INCIDENT RESPONSE SERVICES

How CyberArk can help mitigate security vulnerabilities in Industrial Control Systems

Automated Threat Management - in Real Time. Vectra Networks

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

The Future of Threat Prevention

Cyber Resilience Solution for Smart Buildings

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Industrial Defender ASM. for Automation Systems Management

Managing the Unmanageable: A Risk Model for the Internet of Things

EXPERT SERVICES FOR IoT CYBERSECURITY AND RISK MANAGEMENT. An Insight Cyber White Paper. Copyright Insight Cyber All rights reserved.

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Behavioral Analytics A Closer Look

Indegy. Industrial Cyber Security. The Anatomy of an Industrial Cyber Attack

Introduction, Overview and Capabilities. Revision Date: 01/11/13 Copyright MicroSolved, Inc., 2013 All Rights Reserved.

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Microsoft Advance Threat Analytics (ATA) at LLNL NLIT Summit 2018

Meaningful Use or Meltdown: Is Your Electronic Health Record System Secure?

How AlienVault ICS SIEM Supports Compliance with CFATS

How Breaches Really Happen

SIEM: Five Requirements that Solve the Bigger Business Issues

Sharing What Matters. Accelerating Incident Response and Threat Hunting by Sharing Behavioral Data

White Paper. Why IDS Can t Adequately Protect Your IoT Devices

Teradata and Protegrity High-Value Protection for High-Value Data

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

RSA NetWitness Suite Respond in Minutes, Not Months

THE ACCENTURE CYBER DEFENSE SOLUTION

securing your network perimeter with SIEM

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

THE RSA SUITE NETWITNESS REINVENT YOUR SIEM. Presented by: Walter Abeson

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Integrated McAfee and Cisco Fabrics Demolish Enterprise Boundaries

with Advanced Protection

CyberArk Privileged Threat Analytics

The Future of Industrial Control Systems Security

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Un SOC avanzato per una efficace risposta al cybercrime

ATTIVO NETWORKS THREATDEFEND INTEGRATION WITH MCAFEE SOLUTIONS

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

10 FOCUS AREAS FOR BREACH PREVENTION

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

RiskSense Attack Surface Validation for IoT Systems

esendpoint Next-gen endpoint threat detection and response

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

Key Technologies for Security Operations. Copyright 2014 EMC Corporation. All rights reserved.

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

empow s Security Platform The SIEM that Gives SIEM a Good Name

Privileged Account Security: A Balanced Approach to Securing Unix Environments

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

CloudSOC and Security.cloud for Microsoft Office 365

Introduction to Threat Deception for Modern Cyber Warfare

Advanced Threat Intelligence to Detect Advanced Malware Jim Deerman

Emerging Threat Intelligence using IDS/IPS. Chris Arman Kiloyan

SIEM (Security Information Event Management)

align security instill confidence

Multistage Cyber-physical Attack and SCADA Intrusion Detection

Agenda. Why we need a new approach to endpoint security. Introducing Sophos Intercept X. Demonstration / Feature Walk Through. Deployment Options

Practical SCADA Cyber Security Lifecycle Steps

Machine Learning and Advanced Analytics to Address Today s Security Challenges

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Introducing Cyber Observer

Not your Father s SIEM

Enhancing Threat Intelligence Data. 05/24/2017 DC416

Expanding Cyber Security Management for Critical Infrastructure

WHY SIEMS WITH ADVANCED NETWORK- TRAFFIC ANALYTICS IS A POWERFUL COMBINATION. A Novetta Cyber Analytics Brief

68 Insider Threat Red Flags

INFORMATION ASSURANCE DIRECTORATE

Best Practices in Securing a Multicloud World

Manufacturing security: Bridging the gap between IT and OT

THE EVOLUTION OF SIEM

THE TRIPWIRE NERC SOLUTION SUITE

Reserve Bank of India Cyber Security Framework

Tripwire State of Cyber Hygiene Report

Comprehensive Database Security

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Managed Endpoint Defense

Automating the Top 20 CIS Critical Security Controls

CYBERSECURITY RISK LOWERING CHECKLIST

Threat Intel for All: There s More to Your Data than Meets the Eye

Technology Incident Response and Impact Reduction. May 9, David Litton

T22 - Industrial Control System Security

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Acalvio Deception and the NIST Cybersecurity Framework 1.1

Petroleum Refiner Overhauls Security Infrastructure

NOTHING IS WHAT IT SIEMs: COVER PAGE. Simpler Way to Effective Threat Management TEMPLATE. Dan Pitman Principal Security Architect

The Gartner Security Information and Event Management Magic Quadrant 2010: Dealing with Targeted Attacks

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

ENTERPRISE ENDPOINT PROTECTION BUYER S GUIDE

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

One Hospital s Cybersecurity Journey

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Transcription:

SESSION ID: SOP-W04 SCADA Security: How Do I Know If I ve Already Been Owned? Gib Sorebo Chief Cybersecurity Technologist Leidos @gibsorebo 17-Leidos-0918-1850

Overview Reasons for Concern Cybersecurity Challenges within Industrial Controls Systems (ICS) The Undiscovered Breach The Attack Lifecycle Current State of Control System Cybersecurity Monitoring Options for Greater Visibility Potential Ecosystem 2

3 Reasons for Concern: Supply Chain, Network Attacks, and Accidents Soviet Trans-Siberian Pipeline Sabotage (1982) Taum Sauk (2005) Federal Energy Regulatory Image. Used by permission. Turkish Pipeline (2008) Stuxnet (2010) German Steel Mill (2014) Ukraine Grid (2015 & 2016) WannCry / NotPetya (2017)

HMI = Human Machine Interface 4 Anatomy of an Attack: Ukraine Electric Grid 2015 Attacker sends phishing e-mail with pdf containing malicious macro Attacker uses credentials log into utility s VPN User clicks infected pdf Macro captures user credentials and returns them to attacker Attacker maneuvers to HMI and logs in with same credentials Attacker begins switching off power at various substations around country

Cybersecurity challenges within ICS Limited Visibility Lack of Cybersecurity Expertise/Culture IT/OT Divide Long Update Cycle 5

The Undiscovered Breach 99*. Median number of days attackers were present on a victim s network before being discovered in 2016..Excellus discovered the attack on Aug. 5 [2015] and an investigation determined that it occurred on Dec. 23, 2013. Source: 2017 Mandiant M-Trends Report *Note: Much of the recent dwell time decline is due to attacks designed to attract immediate attention such as ransomware and data wiping malware. 6

Typical IT Attack Lifecycle 1. Conduct Reconnaissance 2. Establish Foothold 7 3. Move Laterally and Gain Privileges 4. Accomplish Mission 1. Conduct Reconnaissance: Attacker analyzes the intended victim to identify a way to get in and what they want to get once they penetrate the network 2. Establish Foothold: Attacker gains control of a single computer inside the perimeter generally a server or a personal computer and then load tools onto that computer for remote control 3. Move Laterally and Gain Privileges: Attacker moves around the network to get closer to the computers that they want to access, and obtains privileged credentials to access them 4. Accomplish Mission: Attacker accomplishes their mission, stealing data (confidentiality), changing data (integrity) or destroying data (availability)

The Purdue Model An OT Attack Lifecycle Goal is to control or disrupt here Proprietary Technology OT = Operational Technology 8

Current State of Industrial Security Monitoring No security data; only control & performance information Security Operations Center Traditional IT Actuator HMI = Human Machine Interface WAN = Wide Area Network SIEM = Security Information and Event Management SOC = Security Operations Center PLC = Programmable Logic Controller 9 Monitored Unmonitored

Covering All Layers of the Software/Device Field devices (Purdue layer 0) Sensors (current state) Actuators (current state) HMIs and Engineering workstations (Purdue layer 2) Variable data (e.g., set points) Start/Stop Alarm setting Underlying HMI code Controller programming code Binaries/configuration files PLC - Controller (Purdue layer 1) Programming logic (e.g., ladder logic, structured text, instruction lists) Variable data (e.g., set points) Higher layers (Purdue layers 3-5) Application level settings (e.g., analytics, alarms, triggers) Access control settings Application and workstation configuration 10

Control Systems Options for Greater Visibility Look for power and frequency changes on actuators & sensors Consider network honeypots where appropriate Packet capture and parsing of proprietary protocols Where feasible, install monitoring agent on controllers 11

Outcomes for Monitoring Scenarios Network & Serial Data Captures Power and frequency measurements Parse log files Software Monitoring Agent Honeypots Detect anomalies Identify performance issues Build baseline Identify authorized changes Compare with intended input Detect anomalies Build baseline Detect performance issues Correlate across multiple log sources Build baseline Identify anomalies Block prohibited operations (optional) Real-time reporting of anomalies Compare with intended input On perimeter, get early insights on potential threats Internally, quickly validate intrusions 12

Example Architecture SIEM Packet collection/ids Endpoint agents Log parser Honeypots Data Aggregator Power monitoring 13

Building Custom Parsers Original Log device_id=6, state_time=2017-6- 20 16:43:10.970, device_state=1, teststat=0 Post Parsing Event Time = 2017-6-20 16:43:10 Device ID = Pump 3 Device State = Turning Pump On Status = OK Set correlation rule to trigger when unexpected events occur Logs Read Like a sentence. Making logs human readable allows for anyone to understand exactly what happened Increases readability of reports on historical data 14

Options for Tools SIEM and Aggregators OSSIM Simple Event Correlator Parsers and Analytics OpenSOC Metron Skyline Packet Collection Bro Suricata Moloch Endpoint Agents OSSEC Samhain Conpot Power Monitoring Some commercial options available Honeypots Conpot 15

How the Defenses Address Each Layer 1. Conduct Reconnaissance 2. Establish Foothold 3. Move Laterally and Gain Privileges 4. Accomplish Mission Honeypots offer early warning of scans and other reconnaissance Endpoint agents detect initial landing point (e.g., via phishing of IT side) Internal honeypots alert when touched the pieces together 16 Packet collection & IDS sensors alert on lateral movement Agents on HMIs and other OT systems detect suspicious connections and programs SIEMs and other backend platforms pull all OT aware packet analysis tools detect set point and other changes sent to controllers OT-aware honeypots detect attempts to change OT components Log parser detects changes to controllers Power monitoring on actuators & sensors offer final detection option

Putting it All Together Conduct Hardware and Software Inventory While many OT environments are good at keeping track of the physical inventory, software, and particularly their version, are often missed 17

Putting it All Together Conduct Hardware and Software Inventory Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity, endpoint configuration files) Often referred to as a Kill Chain Analysis, this is where one might find evidence of an attack 18

Putting it All Together Conduct Hardware and Software Inventory Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity) Identify commercial, ICS vendor-provided, and open source tools Be creative; some of the best tools may not even be considered security tools (e.g., configuration management, data historians) 19

Putting it All Together Conduct Hardware and Software Inventory Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity) Identify commercial, ICS vendor-provided, and open source tools Build and implement test environment to demonstrate capabilities Many control system vendors offer virtual twins for testing and modeling; other comparable environments are freely available 20

Putting it All Together Conduct Hardware and Software Inventory Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity) Identify commercial, ICS vendor-provided, and open source tools Build and implement test environment to demonstrate capabilities Coordinate with production team for access to data and tool deployment Be patient and conscious of IT/OT culture differences; help OT understand why this help them 21

Putting it All Together Conduct Hardware and Software Inventory Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity) Identify commercial, ICS vendor-provided, and open source tools Build and implement test environment to demonstrate capabilities Coordinate with production team for access to data and tool deployment Build use cases and develop analytics and correlation rules Focus on what the bad guys would want to do and how they would want to accomplish it (e.g., tactics, techniques, and procedures) 22

Putting it All Together Conduct Hardware and Software Inventory Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity) Identify commercial, ICS vendor-provided, and open source tools Build and implement test environment to demonstrate capabilities Coordinate with production team for access to data and tool deployment This will be an iterative process based on tool feasibility, budget, time, and skills. Build use cases and develop analytics and correlation rules Deploy tools and collect data 23

Putting it All Together Conduct Hardware and Software Inventory Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity) Identify commercial, ICS vendor-provided, and open source tools Build and implement test environment to demonstrate capabilities Coordinate with production team for access to data and tool deployment Build use cases and develop analytics and correlation rules Start small with low risk environments less sensitive to disruption working with tabletop environments first Deploy tools and collect data Test by simulating threats 24

What Else? Alignment with Control Processes Staffing Levels for Security Operations Center Other Considerations Coverage of All Attack Stages False Positives No Disruption to Operations 25

Apply What You ve Learned Today Next Week You Should: Review the architectures for your control system environments Talk to process control engineers and managers about feasibility of gaining more visibility and explain how that helps them Inquire about virtual environments and modeling tools available In the Next Three Months You Should: Acquire and gain familiarity with tools in a test environment based on kill chain analysis of your control system environments Demonstrate operating model in a virtual environment Develop use cases 26

Apply What You ve Learned Today In the Next Six Months You Should: Develop and present deployment plan based on research and testing performed and coordination with OT teams and gain approval Deploy tools and data collection processes to low risk control system environments Simulate threats at multiple locations in OT environment Analyze data collected to determine ability to detect threats Iterate exercises and migrate approach to progressively higher risk environments (will likely take longer than six months to complete) 27

Questions For more information contact: Gib Sorebo Leidos Chief Cybersecurity Technologist phone: 703-318-4553 email: sorebog@leidos.com 28

Tools Reference SIEM and Aggregators Packet Collection Parsers and Analytics Endpoint Agents Power Monitoring Can leverage enterprise SIEM with some customizations; open source and commercial options also available. Open source: OSSIM: https://www.alienvault.com/products/ossim/download Simple Event Correlator: http://simple-evcorr.sourceforge.net/ Multiple commercial options for both collection and analysis for ICS Open source: Wireshark: https://www.wireshark.org/download.html Bro: https://www.bro.org/download/index.html Suricata: https://suricata-ids.org/download/ Moloch: https://github.com/aol/moloch Included with SIEM and tools to build custom parsers Open source: OpenSOC: http://opensoc.github.io/ Apache Metron: http://metron.apache.org/ Skyline (anomaly detection): https://github.com/etsy/skyline Most are targeted at enterprise, but can be customized for ICS environments Open source: OSSEC (host-based IDS): https://github.com/ossec/ossec-hids Samhain: http://la-samhna.de/samhain/ Conpot (Control System Honeypot): http://conpot.org/ Some commercial options available 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback