Why Should You Care About Control System Cybersecurity. Tim Conway ICS.SANS.ORG

Events

Example #1: Dec 23, 2015, cyber attacks impacting the Ukrainian power grid
- Targeted, synchronized, and multi-faceted
- Three electrical distribution companies
- Caused outages affecting 225,000 customers
- Lasted hours
- System restored but degraded

Power System Element: Distribution

Lessons Observed, Stage 1: Stage 1 will appear IT-focused and blend in with other IT-related scans, probes, viruses, and general noise.

Attack Steps & Timeline, Stage 1, Steps 1-3: Access campaign
- E-mail with infected Office attachment
- Adversary foothold on a host with BE (BlackEnergy) in the utility business IT infrastructure
(Timeline figure: access campaign running from roughly March onward; power attack on Dec 23)

Broad Access Campaign

Attack Steps & Timeline (cont.), Stage 1, Steps 3-4: IT takeover
- Adversary C2 and freedom of movement and action within the utility business IT infrastructure

Attack Steps & Timeline (cont.), Stage 1, Step 5: Discover & compromise SCADA VPNs
- Discover using valid credentials
- Discover, move, learn, act

Lessons Observed, Stage 2: Stage 2 will contain ICS-specific indicators and objectives.

Concept: Hijack & ICS Damage
- Elements: VPN, SCADA server, rogue client, remote SCADA client software, "phantom mouse", remote admin tools at OS level
- The attackers developed two SCADA hijack approaches (one custom and one agnostic) and successfully used them across different types of SCADA/DMS implementations at three companies

Attack Steps & Timeline (cont.), Stage 2, Steps 1-3: Develop & test
- Hijack tooling (rogue client, remote SCADA client software, phantom mouse, remote admin tools at OS level)
- KillDisk
- Malicious firmware
(Timeline figure: attack concept and develop & test phases follow the access campaign; power attack on Dec 23)

Attack Steps & Timeline (cont.), Stage 2, Step 4: Attack
- A. Hijack HMI
- B. Firmware
- C. KillDisk
- D. UPS disconnect

Attack steps (kill chain figure):
1. Reconnaissance
2. Spear phish
3. Foothold
4. Credentials / pivot
5. VPN access / discovery
6. Operations / firmware
7. KillDisk, UPS, TDoS

Phases: Target and position (steps 1-2); Escalate & expand; Leverage trusted comms & develop SOE (steps 3-6); Execute operations & impair restoration (step 7)

Opportunities to Disrupt (timeline figure: preparation spans roughly 6, 9 and 12 months before the event; the event itself runs minutes to hours)
- IT preparation: target selection; unobservable target mapping; malware development and testing
- Spear phishing: delivery of phishing email; malware launch from infected Office documents; establish foothold
- Hunting and gathering: lateral movement and discovery; credential theft and VPN access; control system network and host mapping
- ICS preparation: unobservable malicious firmware development; unobservable DMS environment research and familiarization; unobservable attack testing and tuning
- Sequence pre-work: upload additional attack modules (KillDisk); schedule KillDisk wipe; schedule UPS load outage
- Attack position: establish remote connections to operator HMIs at target locations; prepare TDoS dialers
- Attack launch: issue breaker open commands; modify field device firmware; perform TDoS; scheduled UPS and KillDisk
- Target response: connection sever; manual mode / control inhibit; cyber asset restoration; electric system restoration; constrained operations; forensics; information sharing; system hardening and prep

Grab Your Phone: "The electric system is failing." "We have a procedure for that." "They have a plan for that." "Ummmmm."

The Operator Perspective: https://www.wired.com/story/russian-hackers-attack-ukraine/

Example #2: Malware Discovery Associated with Electric Outages (ics-community.sans.org)

Ukraine Electric System Cyber Events
                 2015                                        2016
Malware role     Highly coordinated electric system impacts  Highly targeted; modular and customizable
Significance
  Substations    50+                                         1
  Customers      225K                                        Portion of the capital region
  MW impact      135 MW                                      200 MW

For Industry

Key Risk Item Considerations and Mitigations (figure axes: risk impact vs. risk likelihood)
- Risk #1, Protocol Implementation: organization is utilizing IEC 101, IEC 104, or IEC 61850 for operational control capability. Mitigation (SCADA path management): restrict to in-use protocols only; implement protocol converters, front-end defenses, in-line firewalls.
- Risk #2, Protection Relays: unpatched Siemens SIPROTEC relays are being utilized. Mitigation (vulnerability management): remove devices not in use; implement patch management and firmware updates.
- Risk #3, OPC Protocol: environment utilizes the OPC DA protocol. Mitigation (network monitoring and alerting): limit OPC to status only; implement communications baselines and anomaly detection.
- Risk #4, Data Destruction: access to configuration data is achievable. Mitigation (data protection and recovery): ensure configuration data backups, tested recovery, and encrypted storage.
- Risk #5, Unknown Infection: inability to detect malware within the environment. Mitigation (current detection capabilities): deploy malware signature detection at host and network level.
- Risk #6, Adversary Access: ability to remotely interact with the environment. Mitigation (secure access): only enable access when/as needed; implement two-factor authentication with a local jump host environment.
Risk areas reflect CrashOverride as of June 13; as additional modules are discovered this will need to be reassessed.

Current Risk Ranking and Assessment of Potential Risk (figure: likelihood of occurrence high/med/low against consequences low/med/high; current risk plotted against future risk)
Current risk ranking was determined based on the following key factors:
- Our organization does not use the protocols identified
- Our organization does not use the vendor products identified
- Operational architecture limits effects
Future risk ranking was determined based on the following key factors:
- Malware modules discovered that impact protocols in use by our organization
- Malware modules discovered that exploit devices in use by our organization
- Adversary tactics discovered that could have greater operational effect
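The mitigations for Risk #1 and Risk #3 above call for an in-use protocol allowlist plus a communications baseline with anomaly detection. The following is an added example (not from the presentation) of the simplest form of that detector: it learns the (source, destination, port) talker pairs from a known-good period and alerts on new pairs or on ICS protocols the site has not declared in use. The hosts, addresses and flow records are constructed; the in-use inventory is an assumption.

```python
"""Communications baseline and protocol allowlist check for SCADA flows.

Added example, not the presentation's material. Flow records are
constructed to look like a distribution SCADA network whose only
declared control protocol is IEC 104 (TCP/2404) from one master.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Assumed site inventory: protocols actually in use for control (Risk #1 mitigation).
IN_USE_PROTOCOLS = {2404: "IEC 104"}
# Well-known TCP ports of protocols named in the risk table, used to recognise
# control traffic the site has NOT declared in use (OPC DA rides on DCOM/135).
KNOWN_ICS_PORTS = {2404: "IEC 104", 102: "IEC 61850 MMS", 135: "OPC DA (DCOM)", 20000: "DNP3"}

# Constructed flow records: "src dst dport proto" (addresses are assumptions).
BASELINE_LINES = [
    "10.10.1.5 10.10.2.11 2404 tcp",   # SCADA master -> RTU 1, IEC 104
    "10.10.1.5 10.10.2.12 2404 tcp",   # SCADA master -> RTU 2, IEC 104
    "10.10.1.5 10.10.2.11 22 tcp",     # engineering SSH to RTU 1
]
OBSERVED_LINES = [
    "10.10.1.5 10.10.2.11 2404 tcp",   # normal
    "10.10.1.99 10.10.2.11 2404 tcp",  # IEC 104 from a host never seen before
    "10.10.1.5 10.10.2.12 102 tcp",    # IEC 61850 MMS, not declared in use
    "10.10.1.5 10.10.2.11 22 tcp",     # normal
]

def parse_flows(lines):
    """Turn 'src dst dport proto' lines into Flow records, skipping blanks/comments."""
    flows = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows

def build_baseline(flows):
    """The communications baseline: every talker tuple seen in the known-good period."""
    return {(f.src, f.dst, f.dport) for f in flows}

def detect_anomalies(baseline, flows):
    """Return (kind, src, dst, dport) alerts; protocol violations outrank new talkers."""
    alerts = []
    for f in flows:
        if f.dport in KNOWN_ICS_PORTS and f.dport not in IN_USE_PROTOCOLS:
            alerts.append(("unexpected-protocol", f.src, f.dst, f.dport))
        elif (f.src, f.dst, f.dport) not in baseline:
            alerts.append(("new-talker", f.src, f.dst, f.dport))
    return alerts

def run_demo():
    """Learn the baseline from BASELINE_LINES and check OBSERVED_LINES against it."""
    baseline = build_baseline(parse_flows(BASELINE_LINES))
    return detect_anomalies(baseline, parse_flows(OBSERVED_LINES))

if __name__ == "__main__":
    for kind, src, dst, dport in run_demo():
        print(f"{kind}: {src} -> {dst}:{dport} ({KNOWN_ICS_PORTS.get(dport, 'other')})")
```

In practice the baseline is learned from passive captures over a long enough window to include maintenance traffic, and is re-learned after each approved change so that legitimate new talkers do not stay noisy.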

Example #3: The Safety Team Needs to Expand

Safety Programs Need ICS Security
1. Process remote access risk assessment
2. Always-available remote connectivity need
3. Path from IT to OT
4. DCS and safety process integration
5. Available SIS engineering workstation
6. Remote programming available
As operational and support decisions are made that impact the ICS environment, consider the potential safety impacts if the system is misused.

PPE is Expanding!

Stage 1 Discussion (figure): Conficker, APT1, Iranian actors, each shown as "attack with impact"

Stage 2 Discussion (figure): BE3, HAVEX, STUXNET, UKRAINE, with BE3 recurring and an "attack with impact" marker

Stage 1: The adversary has successfully performed the necessary elements of the Stage 1 kill chain. To have an ICS effect the adversary needs to move into the elements of the Stage 2 ICS kill chain: map the environment and understand ICS operation. Paths into the ICS environment include:
- Trusted connections: vendor access; support personnel remote access; system backup or alternate site replication tasks
- System management communications: patching, monitoring, alerting, configuration and change management
- Data historians
- Direct access (dial-up)
- Waterholing attacks
- Social engineering
Stage 2: When the adversary has identified a path into the ICS environment, the Stage 2 ICS kill chain elements can be acted upon.

Figure: Major public ICS incidents and access campaigns, plotted by ICS payload (low to high: ICS recon, ICS targeting, ICS delivery, ICS exploits, ICS customization) against ICS impact (low: nuisance, lost productivity/data, lost value; high: loss of safety, reliability, assets), and divided into Stage One and Stage Two. Incidents plotted: Critical infrastructure data exfiltration, NY Dam intrusion, Havex (OPC module), BlackEnergy 2 (various ICS modules), BE3, Unspecified German facility, Dec 2015 Ukraine power outage, Dec 2016 Ukraine power outage, Stuxnet (all versions), TRISIS.

Defend

How Sophisticated Are the Attacks?

What will your attack look like?
1. System variables
2. Cyber maturity variables
3. Adversary capabilities
4. Adversary intent
5. External drivers

Each organization is faced with many technology related decisions to make.

Your people, process, and technology decisions create a unique operating environment. Each technology decision shapes the environment for both the adversary and the defender.

Take Action! Reduce the effect of a successful attack.

- Controls program: various implementations
- Maturity assessments: perspective of performers
- Regulation focused: criteria based
- Risk assessments: multiple models
- Exercise focused: realistic attacks = realistic response
- Attack trees: adversary action analysis

What We Need: YetiCorns, Unicorns, Yetis

Cyber Operators sans.org/ics456 giac.org/gcip

Questions? Join the Community that is defending our Critical Infrastructure