Industrial Control System Cyber Situational Awareness. Robert M. Lee* June 10 th, 2015

Transcription

1 Industrial Control System Cyber Situational Awareness Robert M. Lee* June 10 th, 2015 Executive Summary Cyber situational awareness is the concept of understanding and visualizing the networked environment and its individual elements to identify changes across time. Industrial control system (ICS) networks are relatively small and static compared to business and enterprise environments. This unique situation allows cyber situational awareness in the ICS environment to be more easily obtained, maintained, and useful towards the safety and reliability of operations. This whitepaper discusses the concept of cyber situational awareness and highlights Dragos Security s CyberLens as an effective method for ICS owners, operators, and security personnel to gain this knowledge. *Robert M. Lee is a co-founder of Dragos Security LLC where he has a passion for ICS traffic analysis, threat intelligence research, and incident response. Robert is an Adjunct Lecturer at Utica College in their M.S. Cybersecurity program and a course author and instructor at the SANS Institute for ICS 515 Active Defense and Incident Response and FOR 578 Cyber Threat Intelligence. He gained his start in security in the U.S. Intelligence Community as an Air Force Cyber Warfare Operations Officer where he established and led a first of its kind ICS threat intelligence and intrusion analysis mission. Robert is the author of SCADA and Me and is currently pursuing his PhD at Kings College London with research into the cyber security of control systems. 1

2 Cyber Situational Awareness Situational awareness in the physical world is understood as the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future. It is a field of study that encompasses the ability to make decisions in dynamically changing environments whether it be for control engineering and automation or incident response and military command and control. The U.S. Marine Corps defines and uses situational awareness as an informational perspective and skill that foster an ability to determine quickly the context and relevance of events that are unfolding and U.S. Air Force strategist and fighter pilot Colonel John Boyd used situational awareness as a major component of his widely applied observe, orient, decide, act (OODA) loop model. Neville Moray stated it most simply though when he defined situational awareness in the context of human-machine systems and control theory: keeping track of what is going on around you in a complex, dynamic environment. Cyber situational awareness can be defined using these foundational concepts as: the visibility and comprehension of networked environments and their individual elements so that their dynamic nature can be understood relevant to time and change. The security of information systems and their individual components is critical to much of modern society the discussion of this fact and the relevance of security threats has been appropriately covered in other publications. However, more noteworthy is the applicability of cyber situational awareness to providing security for these systems and taking advantage of the native strengths offered to security personnel. Chief of these strengths is an understanding of the environment and its normal conditions. Adversaries spend a significant portion of their efforts to perform information gathering, reconnaissance, and initial intelligence gathering through network penetrations. During these phases of an adversary s cyber kill chain the network defenders should already have this information and use it to identify the abnormal behavior resulting from the adversary s interaction with the network. These network and system abnormalities are the goal for defense to move past singular signature-based detection mechanisms and to the point of sustained security. 1 M.R. Endlsey, Design and Evaluation for Situation Awareness Enhancement (1988) 2 U.S. Marine Corps Marine Corps Supplement to the DOD Dictionary of Military and Associated Terms (1998) 3 Colonel (USAF) John Boyd The Essence of Winning and Losing (1995) 4 Neville Moray, Ou sont les neiges d'antan? in D.A. Vincenzi, M. Mouloua & P.A. Hancock (Eds), Human Performance, Situational Awareness and Automation: Current Research and Trends (2004) 5 Eric M. Hutchins, Michael J. Cloppert, & Rohan M. Amin, Ph.D Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains 2

3 Cyber Situational Awareness and ICS Networks ICS networks are often far smaller and more static than business and enterprise Information Technology (IT) networks. Internet Protocol (IP) connected operations technology (OT) such as human-machine interfaces (HMI), programmable logic controllers (PLCs), data historians, supervisory control and data acquisition (SCADA) servers, and distributed control systems (DCS) also pose challenges to adversaries to fully understand. Significant investments in reconnaissance and information gathering as well as the validation of capabilities against test systems are required to perform specific targeted actions. This was made apparent with threats such as Stuxnet and reinforced with the identification of ICS tailored versions of the HAVEX and BlackEnergy2 malware. However, while Stuxnet, HAVEX, and BlackEnergy2 were targeted threats to ICS it is not always specific targeted actions that impact operations. It is far more common that incidental malware introduced to environments from infected systems such as engineering laptops or universal serial bus (USB) drives cause impact. One significant threat that has caused the disruption of numerous documented and undocumented ICS assets is the Conficker malware. This piece of malware targeted Windows XP operating systems and was identified and remedied in Nearly a decade later this threat is still causing disruption in environments due to legacy and unprotected systems. Asset owners and operators often care about what threat they are facing but all can agree that the safety and reliability of operations is paramount regardless of the targeted or untargeted nature of the threat. Luckily, due to the unique and often smaller static nature of an ICS network both targeted and untargeted threats are identified in similar ways. Cyber situational awareness in an ICS network requires that personnel know their assets, the network ports and protocols in use, the data flows, and have the ability to understand this with a concept of time to detect changes. Additionally, it is useful for personnel to be able to integrate other datasets from internal or third party sources into this information to make it more useful. With cyber situational awareness security personnel can quickly identify changes that indicate the presence of a threat whether it is incidental malware such as Conficker or targeted threats such as HAVEX. This information is also vital to ensuring proper configuration of the network and aiding in the identification of failing devices, design flaws, and the presence of rogue assets. It is a fundamental requirement for the efficient leveraging of passive defenses such as firewalls and anti-malware systems and for the sustainable application of active defenses such as network security monitoring and incident response. Defenders should always have and utilize an understanding of their environment whereas their adversaries should have to struggle to gain this information. 3

4 CyberLens and Achieving Cyber Situational Awareness CyberLens is developed by Dragos Security and was specifically designed to help ICS asset owners, operators, and security personnel gain cyber situational awareness in their environments. The software may be placed onto existing systems using its standalone installer or deployed as a virtual machine appliance. This may be done directly on the network or disconnected from the environment. On the network, CyberLens receives raw network data from privileged points such as a mirrored port on a network switch. Off the network, personnel input network data in the form of one or more packet captures into CyberLens. In both use-cases the tool performs entirely passive traffic analysis without any interaction or impact to the network to quickly provide personnel with the information they need. Temporal Asset Identification and Visualization Through traffic analysis, sometimes identified as passive scanning, CyberLens processes network data and creates an asset inventory with respect to the time the assets were seen on the network. This allows personnel to use the sliding timeline to visualize changes over time respective to the assets and their communication methods. The information CyberLens uses from the packet captures is stored as metadata which is less than 1% the normal storage requirements of packet captures. Figure 1: Interactive Map View in CyberLens of a test ICS network 4

5 The interactive map allows personnel to visualize the data in the manner to which they would like and to see the assets, their logical location on the network, and the data flows between the assets. Ethernet carried commands sent to ICS devices and their I/O are identified as well through deep packet inspection of protocols such as ModbusTCP, DNP3, Ethernet/IP, AB-PCCC, and more. Figure 2: Data Table View in CyberLens Showing AB-PCCC Records and Flow Data The understanding of the networked environment also allows users to designate zones to logically group assets together and understand the protocols, ports, and data flows in those specific zones. Comparison of those data sets to other zones can help quickly identify misconfigured devices such as Internet connected assets, abnormal behavior, and opportunities for efficiencies in passive defenses such as firewalls. Figure 1: Interactive Map View in CyberLens of a test ICS network Figure 3: Zone to Zone Communications Including Devices and Protocols 5

6 Understanding and Identifying Changes The visual and easy to use nature of the interactive map in CyberLens allows changes to be detected easily. However, for sustained use and for larger sets of data an automated detection method is needed. CyberLens uses the concept of snapshots to fulfill this need. Snapshots capture the unique nature of the network including the assets, their ports and protocols, and the data flows and stores this as a baseline. This baseline can be compared to the data at any time and identify changes. This granular view of changes to the environment, including when changes occurred, empower analysts to easily detect threats, more efficiently perform incident response, and scope the impact to the ICS. Figure 4: Detection of Baseline Changes to Include New Assets and Communications Cyber situational awareness is made more useful when it is integrated with internal or third party data sets. Through the use of open application programming interfaces (APIs) developers can extend the functionality of CyberLens by incorporating networked based data and security information from other databases or tools in the environment and overlay it on the interactive network map. This allows analysts to quickly visualize and correlate this data in combination with the knowledge of the networked environment. These extensions are identified as Lenses and can be developed by customers or made available from the Dragos Security development team and corporate partners. Additionally, the data stored within CyberLens is openly available through the APIs to be sent to other security systems and data aggregators on the network. Sharing the data between tools allows organizations to make the most of this information and ensure that IT and OT security teams can work together effectively to secure the organization. 6

7 Organization Wide Buy-in The security of systems is an organization-wide issue. People and processes are as integral, if not more so, than technology. The passive and easy to understand interactive map in CyberLens allows non-security personnel to identify changes to the environment when it is displayed on a screen in locations such as control centers. Simple visual alerts in the form of changed baselines can be reported to security personnel to investigate when not already aggregated elsewhere. Additionally, executives and C-suite personnel can equally have access to the network map. While they will not be the personnel responsible for investigating changes or monitoring the networks they can have the intangible made tangible for them and have confidence that their organization has the cyber situational awareness it needs to maintain the security and reliability of operations. Conclusion Cyber situational awareness is a requirement for organizations to truly understand their networked environments. In ICS networks this information is much more useful and easily maintained given the relatively static nature of the system. Achieving cyber situational awareness allows organizations to properly maintain the systems and monitor for security threats. This information also serves as a foundation for the better utilization of passive and active defenses. Dragos Security s CyberLens has been developed specifically for ICS and critical infrastructure networks to provide an entirely passive and safe method of gaining cyber situational awareness. 7