Practical Steps To Securing Process Control Networks

Transcription

1 Practical Steps To Securing Process Control Networks Villanova University Seminar Rich Mahler Director, Commercial Cyber Solutions Lockheed Martin Lockheed Martin Corporation All Rights Reserved. This document ] shall not be reproduced, modified, distributed or displayed without the prior written consent of the Lockheed Martin Corporation 1

2 Discussion Topics The Threat Landscape Security Challenges in the Operations Environment Four Practical Steps for Securing your Process Control Network 2

3 Threat Activity Significant Increase in ICS Vulnerabilities ( ) Industrial Control System (ICS) Computer Emergency Response Team (CERT) ICS CERT Incidents Increasing 3

4 The Threat Landscape Advanced Persistent Threats Understand your threat profile and who is targeting you! Cyber Crime Threats Hacktivism Threats Insider Threats Nuisance Threats Attack Profile: Targeted, organized and funded attacks potentially associated to Nation State sponsorship or other powerful entities. Opportunistic, broadbased, motivated by financial gain. Organized attacks associated to group of individuals with political, ethical, religious, or retaliatory motives. Legitimate internal user with hidden malicious intentions Unskilled attackers, scanners & crawlers, SPAM, worms/viruses, basic malware Primary Objectives: Typically medium to long term; exfiltration of intellectual property for purposes of eliminating years of R&D, competitive economic and/or nation state advantage Typically short term; Identity theft, credit card fraud, extortion, botnet creation & management Typically short term; cause havoc & chaos, disrupt operations, discredit and malign via disclosure of sensitive information. Short to long term; compromise of sensitive information, destruction, revenge, espionage, harassment Often unknown or irrelevant; recognition& status, reconnaissance, financial Attack Methods: Social engineering, spear phishing, watering hole and drive-by download attacks, espionage, focused perimeter breaches Phishing Attacks, Hosting Malware on Legitimate websites, SPAM related attacks, cyber extortion techniques. Distributed Denial of Service attacks (DDOS), traditional hacking techniques, spear phishing, etc. Access via legitimate credentials and privileges, data exfiltration, physical and logical sabotage, surveillance Automated scanners, public exploit kits, generic SPAM , propagating worms/viruses, adware, scareware 4

5 The Cyber Kill Chain TM Cyber Kill Chain Reconnaissance Intrusion Weaponization Delivery Sequel Exploitation Installation Campaign Command & Control Action on Objectives (C) Lockheed Martin Corporation

6 Indigo Qwerty Campaign Heatmap Campaign analysis is used to determine the patterns and behaviors of the intruders (C) Lockheed Martin Corporation

7 Measuring Success Framing metrics in context of the Cyber Kill Chain identifies gaps and informs investments (C) Lockheed Martin Corporation

8 IT vs. Operations Technology Information Technology (IT) ICS / Operations Technology (OT) Cyber Security Approach Cyber Security Priorities Confidentiality Integrity Availability Data Protection Availability, reliability, and human safety often trumps other concerns. Physical process control Lifecycles 3-5 year refresh cycle 10+ year refresh cycle Vendor Impact High degree of autonomy. Reliance on vendors for support (e.g. will not install patches without vendor approval) Visibility Assessment Techniques Industry Standards and Guidelines Intrusion Detection System (IDS)/ Intrusion Protection System (IPS), Centralized Logging, Security Incident and Event Management Active penetration testing. NIST 800 series and ISO Most traditional IT security visibility mechanisms do not exist. Passive testing or focus on lab and secondary/backup systems. NIST (ICS), ANSI/AWWA G430, NEI,NRC, NERC Successful Teams are Integrated and Bilingual in IT and OT 8

9 Process Control Network (PCN) Design (sample) Corporate IT Domain IT Corporate Network Plant Demilitarized Zone (DMZ) Operational Technology (OT) Domain Logical / Physical Separation of PCN 9

10 Challenges in Process Control Security Lack of visibility Information and organizational silos Limited ICS/PCN specific cyber threat intelligence 10

11 Step 1: Get Visibility Process Control Visibility Easy Wins Perimeter Firewall Logs Perimeter Netflow IDS Next Steps Field Firewall Logs Control Center Netflow Control Center Host Logs Network Whitelisting Logs Advanced Visibility Field Network Netflow Field Network Host Logs ICS Protocol Situational Awareness ICS Protocol Whitelisting Logs Field Device Logs Full Packet Capture (FPC) 11

12 Step 2: Find and Leverage Intelligence Sources Prerequisite: Effective Asset Inventory Intelligence Sources Open Source Intelligence (OSINT) Government-sponsored Efforts Industry Groups Vendor Subscriptions Private Collaboration Agreements 12

13 Step 3: Build Your Own Intelligence Full intrusion: Analysis to recreate the defense lifecycle Recon Weaponize Delivery Exploit Install Analyze C2 Detect Act on Objectives Pre-compromise Stages Post-compromise Stages Mitigated intrusion: Analysis and synthesis Analyze Detect Synthesize Recon Weaponize Delivery Exploit Install C2 Act on Objectives Gather intel regardless of attack success 13

14 Step 4: Apply and Track Intelligence Detections and Mitigations Perimeter Intrusion Detection System (IDS) Host IDS / Anti-Virus tools Perimeter firewalls Field firewalls Field device configurations Develop metrics to track effectiveness over time Business Resiliency System Availability Return on Investment Collaborate on intelligence and metrics between Business and Process Control Networks 14

15