PROTECTING MANUFACTURING and UTILITIES Industrial Control Systems
Mati Epstein, Global Sales Lead, Critical Infrastructure and ICS
[Internal Use] for Check Point employees
Industrial Control Systems (ICS)/SCADA are All Around Us
Water & Sewage, Electricity, Transportation, Critical Manufacturing, Industrial Automation, Oil & Gas: we rely on them every day for our basic functions and needs.
[Restricted] ONLY for designated groups and individuals
Critical Infrastructure and ICS are under constant attack
2016: RANSOMWARE LOCKS TICKET MACHINES OF SAN FRANCISCO'S MUNI TRANSIT
Most recent news
- July 18th, 2017: The UK energy sector is likely to have been targeted and probably compromised by nation-state hackers, according to a memo from Britain's National Cybersecurity Centre (NCSC, a subsidiary of GCHQ).
- July 15th, 2017: Senior engineers at Ireland's Electricity Supply Board (ESB) were targeted last month by a group understood to have ties to the Kremlin's GRU intelligence agency (The Sunday Times).
- July 16th, 2017: Energy sector hacking campaign targeted more than 15 U.S. firms (Cyberscoop).
2016 Check Point Software Technologies Ltd.
Market Trends
- Regulation: US - NERC-CIP, NIST Cyber Security Framework; European Union - Directive on security of network and information systems (NIS Directive, July 2016), local initiatives, etc. Applicable to Utilities (Electric, Water & Sewage) and Critical Manufacturing; initial phase in APAC.
- Smart Grid: IoT and Smart Cities, Distribution Automation, Smart Metering.
- Growing Awareness: globally; recent attacks.
ICS-CERT Report: United States Critical Infrastructure Increasingly Targeted
- The Most Targeted Sectors: Manufacturing, then Energy
- Most Common Method of Attack: Spear Phishing
- Boundary Protection: Boundary Protection was the single most common ICS weakness discovered during assessments. Effective Boundary Protection is a pillar of the cybersecurity Defense-in-Depth concept.
- ICS-CERT: These attacks were enabled by insufficiently architected ICS networks.
Integrated Threat Prevention
Best Practices for Securing OT
- Secure Both OT and IT Environments
- Protect IT with Advanced Threat Prevention Technologies
- Clear Segmentation between OT and IT/Internet
- Deploy Specialized ICS/SCADA Security Technologies
Security Solutions for Industrial Control Systems/SCADA/IoT
- Visibility: Granular Control of ICS/SCADA Traffic; Deep SCADA Protocol Inspection (> 25 Protocols, > 900 Commands, Values, Registers); Customized Visibility
- Virtual Patching: Stops exploits of known vulnerabilities; IPS/IDS with > 300 dedicated signatures
- Ruggedized Appliances for Harsh Environments: 1200R
- Unified IT and OT Management: Unified Policy; Integration with SIEM systems
Multi-site customers: Electricity, Wind, O&G, Water
Manufacturing Factory: Micro Segmentation in OT
[Diagram: a Management Facility (SmartEvent) and a Main Control Center (SCADA, Historian) control and monitor, over VPN, PLC1-PLC4 located on two Shop Floor / Substation segments]
Manufacturing Factory: Full IT/OT Convergence
CrashOverride/Industroyer: New ICS attack platform targeting Electric Grid Operations
- CrashOverride (also called Industroyer) was the malware employed in the December 17th, 2016 cyberattack on the Kiev, Ukraine transmission substation, which resulted in electric grid operations impact (as reported by ESET and Dragos).
- ICS-CERT reported on June 14, 2017 (https://www.us-cert.gov/ncas/alerts/ta17-163a): The tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.
- CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors, specifically using the IEC104 and IEC61850 protocols. The malware issues valid commands directly to RTUs. Check Point protocol visibility and baselining would detect and alert on non-baseline protocols and commands.
- Using CVE-2015-5374 to hamper protective relays: the malware could exploit the Siemens SIPROTEC relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. Check Point published on June 20th an IPS signature for virtual patching protection of the DoS vulnerability.
Industrial Security Process
- Independently log all SCADA activity: protocols, commands, values.
- Define baseline.
- Set rules based on Known / Unknown / Not Allowed.
- Identify deviations and attacks, based on the defined rules, time of day and attack patterns.
- Alert / Prevent, based on topology (in-line or tap) and configuration.
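The process above, and the baselining approach mentioned on the CrashOverride slide, worked through in Python as an added example that is not Check Point code: the log format, addresses, protocol and command names, the not-allowed list and the day-shift write window are all constructed assumptions.

```python
# Added example (not Check Point code): learn a baseline from clean SCADA activity, then
# classify live events as Known / Unknown / Not Allowed and flag time and value deviations.
# All log lines, addresses, protocol/command names and thresholds are constructed.
from datetime import time
# Constructed clean learning period: ts src dst protocol command value
BASELINE_LOG = [
    "2017-07-01T08:00:05 10.1.1.10 10.2.0.21 modbus read_holding_registers 0",
    "2017-07-01T08:00:06 10.1.1.10 10.2.0.21 modbus write_single_register 120",
    "2017-07-01T09:30:00 10.1.1.10 10.2.0.21 modbus write_single_register 135",
    "2017-07-01T08:00:08 10.1.1.10 10.2.0.22 iec104 interrogation 0",
]
LIVE_LOG = [  # constructed live traffic to be judged against the baseline
    "2017-07-02T08:01:00 10.1.1.10 10.2.0.21 modbus read_holding_registers 0",
    "2017-07-02T23:10:00 10.1.1.10 10.2.0.21 modbus write_single_register 130",
    "2017-07-02T10:00:00 10.1.1.10 10.2.0.21 modbus write_single_register 900",
    "2017-07-02T10:02:00 10.1.1.99 10.2.0.22 iec104 single_command 1",
    "2017-07-02T10:03:00 10.1.1.10 10.2.0.21 modbus write_file_record 0",
]
NOT_ALLOWED = {("modbus", "write_file_record"), ("iec104", "reset_process")}
WRITE_WINDOW = (time(6, 0), time(18, 0))  # writes are expected only on day shift

def parse(line):
    ts, src, dst, proto, cmd, val = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "cmd": cmd, "val": int(val)}

def build_baseline(lines):
    """Learn the (src, dst, proto, cmd) tuples and the per-(proto, cmd) value range seen."""
    seen, ranges = set(), {}
    for e in map(parse, lines):
        seen.add((e["src"], e["dst"], e["proto"], e["cmd"]))
        r = ranges.setdefault((e["proto"], e["cmd"]), [e["val"], e["val"]])
        r[0], r[1] = min(r[0], e["val"]), max(r[1], e["val"])
    return seen, ranges

def classify(e, baseline):
    # Explicit Not Allowed rules win, then Unknown, then deviations of a Known command
    seen, ranges = baseline
    if (e["proto"], e["cmd"]) in NOT_ALLOWED:
        return "NOT_ALLOWED"
    if (e["src"], e["dst"], e["proto"], e["cmd"]) not in seen:
        return "UNKNOWN"
    if e["cmd"].startswith("write") and not (
            WRITE_WINDOW[0] <= time.fromisoformat(e["ts"][11:]) <= WRITE_WINDOW[1]):
        return "DEVIATION_TIME"
    lo, hi = ranges[(e["proto"], e["cmd"])]
    return "KNOWN" if lo <= e["val"] <= hi else "DEVIATION_VALUE"

def evaluate(lines, baseline, inline=True):
    act = "PREVENT" if inline else "ALERT"  # in-line can block, a tap can only alert
    return [(v, "ALLOW" if v == "KNOWN" else act)
            for v in (classify(e, baseline) for e in map(parse, lines))]
```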
Thank you. Any questions?