ICS, SCADA, and Non-Traditional Incident Response. Kyle Wilhoit Threat Researcher, Trend Micro

Similar documents
The SCADA That Didn t Cry Wolf: Who s Really Attacking Your SCADA Devices

Who s Really Attacking Your ICS Equipment?

IT Security and OT Security. Understanding the Challenges

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology. Project Proposal 1

Security Testing in Critical Systems

Digital Advisory Services Professional Service Description Network Assessment

Practical Steps To Securing Process Control Networks

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

ICS Cyber Attacks: Fact vs. Fiction and Why it Matters

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks

Analyzing HTTP/HTTPS Traffic Logs

Enterprise Security Platform for Government

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Defending Against Data Beaches: Internal Controls for Cybersecurity

Stephen Coty Director, Threat Research

Cyber Security for SCADA/ICS Networks

Verve Security Center

OPC & Security Agenda

An Introduction to SCADA-ICS System Security. Document Number IG-101 Document Issue 0.1 Issue date 03 February 2015

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved

Zak Khan Director, Advanced Cyber Defence

Network Based Intrusion Detection Using Honey pot Deception

Agenda. Introduction to SCADA. Importance of SCADA security. Recommended steps

SPEAR PHISHING UNDERSTANDING THE THREAT

Roger W. Kuhn, Jr. Advisory Director Education Fellow Cyber Security Forum Initiative

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Innovative Defense Strategies for Securing SCADA & Control Systems

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Are you prepared to be next? Invensys Cyber Security

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

APT Advanced Persistent Threat Time to rethink?

NAVFAC EXWC Platform Information Technology (PIT) Cyber Security Initiatives

Department of Management Services. Request for Information

I N T E L L I G E N C E A S S E S S M E N T

Hunting for Indicators of Compromise

RESILIENCE AGAINST CYBER ATTACKS Protecting Critical Infrastructure Information

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Industrial Control Systems Vulnerabilities and Security Issues and Future Enhancements

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

Endpoint Security - HIPS. egambit, your defensive cyber-weapon system. You have the players. We have the game.

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

ORGANIZADOR: APOIANTE PRINCIPAL:

TRIPWIRE NERC SOLUTION SUITE

External Supplier Control Requirements

Honeypot as the Intruder Detection System

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Holistic View of Industrial Control Cyber Security

Security Event Management. February 7, 2007 (Revision 5)

Enterprise Cybersecurity: Building an Effective Defense

Industrial Cyber Security 101. Mike Spear

Nuclear Plant Information Security A Management Overview

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Agenda , Palo Alto Networks. Confidential and Proprietary.

EMERGING THREATS & STRATEGIES FOR DEFENSE. Stephen Coty Chief Security

Cybercrime myths, challenges and how to protect our business. Vladimir Kantchev Managing Partner Service Centrix

Who is Watching You? Video Conferencing Security

CHAPTER 3 : INCIDENT RESPONSE THREAT INTELLIGENCE GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

From SCADA and ICS to the Internet of Things. Andy Swift Infrastructure Team Lead CNS Group

SCADA. The Heart of an Energy Management System. Presented by: Doug Van Slyke SCADA Specialist

ISACA rudens konference

SCADA and Security Are they Mutually Exclusive? Terry M. Draper, PE, PMP

HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS. Martin Lee Neil Rankin

Concierge SIEM Reporting Overview

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

FROM PRODUCT TO PLATFORM

Basics of Internet Security

Cyber Security for NERC CIP Version 5 Compliance

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure

Breach Findings for Large Merchants. 28 January 2015 Glen Jones Cyber Intelligence and Investigation Lester Chan Payment System Security

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Secure Networking for Critical Infrastructure Using Service-aware switches for Defense-in-Depth deployment

Breach Found. Did It Hurt?

Goals. Understanding security testing

Εmerging Ways to Protect your Network

Network Security Administrator

ICS/SCADA Security Analysis of a Beckhoff CX5020 PLC

Missing the Obvious: Network Security Monitoring for ICS

IT Networking and Security

Network & Information Security Policy

SCADA Security Training

Is it Time to Trust the Cloud? Unpacking the Notorious Nine

The Critical Infrastructure: To be or not to be Secure. European Network for Cyber Security. Fred Streefland Director Education & Training

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Securing and Accelerating Databases In Minutes using GreenSQL

Solutions and IT services for Oil-Gas & Energy markets

Transcription:

ICS, SCADA, and Non-Traditional Incident Response Kyle Wilhoit Threat Researcher, Trend Micro 1

$whoami Threat Researcher, FTR, Trend Micro Threat Researcher at Trend Micro- research and blogger on criminal underground, advanced persistent threats, and vulnerabilities/exploits. Research: Malware detection/reversing Persistent Threats (Malware based espionage) ICS/SCADA Security Vulnerabilities and the Underground Offensive Exploitation 2

Agenda 3

What are ICS devices? Used in production of virtually anything Used in water, gas, energy, automobile manufacturing, etc. Notoriously insecure in every way Software is sometimes embedded, sometimes not Typically proprietary 4

Glossary HMI: Human Machine Interface IED: Intelligent Electronic Device SCADA: Supervisory Control And Data Aquisition RTU: Remote Terminal Unit Historian: Data Historian Modbus: Most common ICS Protocol DNP3: Very common ICS Protocol 5

Typical ICS Environment 6

Security Concerns- ICS vs. Traditional IT Systems ICS Correct Commands Issued (Integrity) Up-time (Availability) Protection of data (Confidentiality) IT Protect the data (Confidentiality) Protect communication (Integrity) Limit interruptions (Availability) 7

ICS Vulnerabilities In 2012, 171 unique vulnerabilities affecting ICS products. 55 Vendors 8

Unique ICS Concerns- Incident Response Remote Lack of INFOSEC knowledge Lack of engineer knowledge of INFOSEC Unknown embedded/proprietary OS Lack of network layout knowledge Lack of logical access 9

Unique ICS Concerns- Forensics Remote Imaging?!?!? Embedded/Proprietary operating systems WAN/LAN Links 10

BUT WHAT CAN WE DO? 11

Story Time Small town in rural America Water pump controlling water pressure/ availability Population 18,000~ 12

Story Time Water pressure system Internet facing No firewalls/security measures in place Could cause catastrophic water pressure failures First accessed Dec. 2012 13

Story Time Attacked several times During Q3-Q4 Attackers successfully gained access Has not been made public This is not a story Real life event.. 14

This Happened. 15

Story Time In my basement 16

Enter Pro-Active Incident Response 17

Honeypot Overview Two low-interaction One high-interaction Ran for 28 days in total One Windows Server 08 Two Ubuntu 12.04 Servers 18

What They See 19

What is an Attack? ONLY attacks that were targeted ONLY attempted modification of pump system (FTP, Telnet, etc.) ONLY attempted modification via Modbus/DNP3 DoS/DDoS will be considered attacks 20

Attacks CHILE, 1 CROATIA, 1 NORTH PALESTINE, 1 KOREA, 1 RUSSIA, 3 VIETNAM, 1 US, 9 POLAND, 1 BRAZIL, 2 JAPAN, 1 NETHERLAND S, 1 LAOS, 6 CHINA, 17 UK, 4 1 Spear Phishing Attempt 21

Attacks Vxworks exploitation attempt Attempt to shutdown pump system Modify temperature output Modify pump pressure Count Secured area access attempt Modbus traffic modification Modification of CPU fan speed 0 2 4 6 8 10 12 14 22

Need for ICS Incident Response No focused interest seen anywhere Needed to understand attacks. Are we even attacked??? Need to understand differences Security event Engineering event Hardware event Etc. Educated response leads to decreased risk CRITICIAL INFRASTRUCTURE!!! 23

Traditional Incident Response 24

ICS/SCADA Incident Response Must include forensics Must be dynamic enough to diversify Must have SME s Must follow documented process Must have a wide range of expertise Muse utilize threat intelligence 25

ICS INCIDENT RESPONSE APPROACHES 26

Proposed ICS IR Flow Asset Identification Recovery Pro-active Identification Forensic Capture and Analysis Incident Identification Containment Investigation/ Assessment Threat Actor Identification 27

Asset Identification Identify all assets deemed ICS Perform criticality assessment Logically map all equipment Map connectivity points to LAN/WAN segments Identify make, model, and manufacturer or ICS equipment 28

Pro-Active Identification Honeypots IDS (Not IPS in active mode!) Must be placed parallel to other ICS equipment IOC s Threat Intelligence (HUMINT, SIGINT) Offensive Incident Response Network Segmentation 29

Incident Identification/Investigation Identify Incident Engineering mistake? Security Incident? Hardware Incident? In the ICS world- take off network (Likely) Primary business priority- get back online 30

Threat-Actor Identification Why care? Especially during incident. Helps look for parallel attackers Can help planning of offensive IR (Offensive countermeasures) Use OSINT!!! 31

OSINT Case Study 32

Containment Typical Containment Methods: Firewalls IPS/IDS Take device off net ACL s Bastion hosts Whitelisting IOC development Increased logging Sniffer deployment The list goes on 33

ICS Forensics Done to understand incident on micro level Will allow classification of future events Asset retrieval (If applicable) Interpret and draw inferences Chain of custody established Analyze forensic data (String search, data carving, artifact analysis, etc) Forensic imaging (Physical, Logical, and Memory) Capture of forensic network data (Where Applicable) 34

Recommendations Implement forensics and incident response into ICS environments Have SME s for threat intelligence, malware, incident response, and forensics Have pro-active protections in place Utilize logging!!! Take devices off the Internet Utilize network segmentation 35

Thanks! kylewilhoit@gmail.com Kyle_wilhoit@trendmicro.com @lowcalspam 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information