Industrial Control System Cyber Situational Awareness
Robert M. Lee*
June 10th, 2015




Executive Summary

Cyber situational awareness is the concept of understanding and visualizing the networked environment and its individual elements to identify changes across time. Industrial control system (ICS) networks are relatively small and static compared to business and enterprise environments. This unique situation allows cyber situational awareness in the ICS environment to be more easily obtained and maintained, and to be more useful to the safety and reliability of operations. This whitepaper discusses the concept of cyber situational awareness and highlights Dragos Security's CyberLens as an effective method for ICS owners, operators, and security personnel to gain this knowledge.

*Robert M. Lee is a co-founder of Dragos Security LLC, where he has a passion for ICS traffic analysis, threat intelligence research, and incident response. Robert is an Adjunct Lecturer at Utica College in their M.S. Cybersecurity program and a course author and instructor at the SANS Institute for ICS 515 Active Defense and Incident Response and FOR 578 Cyber Threat Intelligence. He gained his start in security in the U.S. Intelligence Community as an Air Force Cyber Warfare Operations Officer, where he established and led a first-of-its-kind ICS threat intelligence and intrusion analysis mission. Robert is the author of SCADA and Me and is currently pursuing his PhD at King's College London with research into the cyber security of control systems.

Cyber Situational Awareness

Situational awareness in the physical world is understood as "the perception of the elements in the environment within a volume of time and space, the comprehension of their meaning and the projection of their status in the near future" [1]. It is a field of study that encompasses the ability to make decisions in dynamically changing environments, whether for control engineering and automation or for incident response and military command and control. The U.S. Marine Corps defines and uses situational awareness as "an informational perspective and skill that foster an ability to determine quickly the context and relevance of events that are unfolding" [2], and U.S. Air Force strategist and fighter pilot Colonel John Boyd used situational awareness as a major component of his widely applied observe, orient, decide, act (OODA) loop model [3]. Neville Moray stated it most simply, though, when he defined situational awareness in the context of human-machine systems and control theory as "keeping track of what is going on around you in a complex, dynamic environment" [4].

Cyber situational awareness can be defined using these foundational concepts as: the visibility and comprehension of networked environments and their individual elements so that their dynamic nature can be understood relevant to time and change.

The security of information systems and their individual components is critical to much of modern society; the discussion of this fact and the relevance of security threats has been appropriately covered in other publications. More noteworthy here is the applicability of cyber situational awareness to providing security for these systems and taking advantage of the native strengths offered to security personnel. Chief of these strengths is an understanding of the environment and its normal conditions.
Adversaries spend a significant portion of their efforts on information gathering, reconnaissance, and initial intelligence gathering through network penetrations. During these phases of an adversary's cyber kill chain [5], network defenders should already have this information and use it to identify the abnormal behavior resulting from the adversary's interaction with the network. Detecting these network and system abnormalities is the goal that moves defense past singular signature-based detection mechanisms to the point of sustained security.

Notes

[1] M.R. Endsley, "Design and Evaluation for Situation Awareness Enhancement" (1988)
[2] U.S. Marine Corps, "Marine Corps Supplement to the DOD Dictionary of Military and Associated Terms" (1998)
[3] Colonel (USAF) John Boyd, "The Essence of Winning and Losing" (1995)
[4] Neville Moray, "Ou sont les neiges d'antan?" in D.A. Vincenzi, M. Mouloua & P.A. Hancock (Eds.), Human Performance, Situational Awareness and Automation: Current Research and Trends (2004)
[5] Eric M. Hutchins, Michael J. Cloppert, & Rohan M. Amin, Ph.D., "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains"

Cyber Situational Awareness and ICS Networks

ICS networks are often far smaller and more static than business and enterprise Information Technology (IT) networks. Internet Protocol (IP) connected operations technology (OT) such as human-machine interfaces (HMIs), programmable logic controllers (PLCs), data historians, supervisory control and data acquisition (SCADA) servers, and distributed control systems (DCS) is also challenging for adversaries to fully understand. Significant investments in reconnaissance and information gathering, as well as the validation of capabilities against test systems, are required to perform specific targeted actions. This was made apparent with threats such as Stuxnet and reinforced with the identification of ICS-tailored versions of the HAVEX and BlackEnergy2 malware.

However, while Stuxnet, HAVEX, and BlackEnergy2 were targeted threats to ICS, it is not always specific targeted actions that impact operations. It is far more common for incidental malware, introduced to environments from infected systems such as engineering laptops or universal serial bus (USB) drives, to cause impact. One significant threat that has caused the disruption of numerous documented and undocumented ICS assets is the Conficker malware. This piece of malware targeted Windows XP operating systems and was identified and remedied in 2008. Nearly a decade later this threat is still causing disruption in environments due to legacy and unprotected systems. Asset owners and operators often care about what threat they are facing, but all can agree that the safety and reliability of operations is paramount regardless of the targeted or untargeted nature of the threat. Luckily, due to the unique and often smaller, static nature of an ICS network, both targeted and untargeted threats are identified in similar ways.
Cyber situational awareness in an ICS network requires that personnel know their assets, the network ports and protocols in use, and the data flows, and that they have the ability to understand this with a concept of time so that changes can be detected. Additionally, it is useful for personnel to be able to integrate other datasets from internal or third-party sources into this information to make it more useful. With cyber situational awareness, security personnel can quickly identify changes that indicate the presence of a threat, whether it is incidental malware such as Conficker or a targeted threat such as HAVEX. This information is also vital to ensuring proper configuration of the network and aiding in the identification of failing devices, design flaws, and the presence of rogue assets. It is a fundamental requirement for the efficient leveraging of passive defenses such as firewalls and anti-malware systems and for the sustainable application of active defenses such as network security monitoring and incident response. Defenders should always have and utilize an understanding of their environment, whereas their adversaries should have to struggle to gain this information.

CyberLens and Achieving Cyber Situational Awareness

CyberLens is developed by Dragos Security and was specifically designed to help ICS asset owners, operators, and security personnel gain cyber situational awareness in their environments. The software may be placed onto existing systems using its standalone installer or deployed as a virtual machine appliance. This may be done directly on the network or disconnected from the environment. On the network, CyberLens receives raw network data from privileged points such as a mirrored port on a network switch. Off the network, personnel input network data in the form of one or more packet captures into CyberLens. In both use cases the tool performs entirely passive traffic analysis, without any interaction with or impact to the network, to quickly provide personnel with the information they need.

Temporal Asset Identification and Visualization

Through traffic analysis, sometimes identified as passive scanning, CyberLens processes network data and creates an asset inventory with respect to the time the assets were seen on the network. This allows personnel to use the sliding timeline to visualize changes over time in the assets and their communication methods. The information CyberLens uses from the packet captures is stored as metadata, which requires less than 1% of the normal storage of packet captures.

Figure 1: Interactive Map View in CyberLens of a test ICS network
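The passive, time-aware inventory described above can be illustrated with a small worked example. The following Python is an added example written for this page, not CyberLens code or any Dragos Security software: it decodes Ethernet/IPv4/TCP headers from raw frames, keeps only per-asset and per-flow metadata with sighting times, and answers a sliding-timeline query. The frames, MAC and IP addresses are constructed for the example, and the "lower port number is the server" rule is a common passive-analysis heuristic rather than a protocol guarantee.

```python
"""Passive asset inventory with first/last-seen times, built from raw Ethernet frames.

Added example, not CyberLens code. Frames and addresses below are constructed so the
example runs offline; the "lower port is the server" rule is a common heuristic.
"""
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Asset:
    ip: str
    macs: set = field(default_factory=set)
    sightings: list = field(default_factory=list)      # timestamps this asset was seen
    services: set = field(default_factory=set)         # (proto, port) it answered on

    @property
    def first_seen(self):
        return min(self.sightings)

    @property
    def last_seen(self):
        return max(self.sightings)


def parse_frame(raw):
    """Decode Ethernet II + IPv4 + TCP/UDP headers; None for anything else (ARP, IPv6, ICMP...)."""
    if len(raw) < 34:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:                            # only IPv4 is decoded here
        return None
    ihl = (raw[14] & 0x0F) * 4                         # IPv4 header length in bytes
    proto = raw[23]
    if proto not in (6, 17) or len(raw) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", raw[14 + ihl:14 + ihl + 4])
    return {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": str(ip_address(raw[26:30])), "dst_ip": str(ip_address(raw[30:34])),
            "proto": "tcp" if proto == 6 else "udp", "sport": sport, "dport": dport}


def build_inventory(observations):
    """observations: iterable of (timestamp, raw_frame).

    Returns ({ip: Asset}, {(client, server, proto, server_port): [first_seen, last_seen]}).
    Only this metadata is retained, which is why it needs a fraction of a full capture's storage.
    """
    assets, flows = {}, {}
    for ts, raw in observations:
        pkt = parse_frame(raw)
        if pkt is None:
            continue
        for side in ("src", "dst"):
            asset = assets.setdefault(pkt[side + "_ip"], Asset(pkt[side + "_ip"]))
            asset.macs.add(pkt[side + "_mac"])
            asset.sightings.append(ts)
        # Heuristic: the endpoint on the lower port number is the server/service side.
        if pkt["dport"] <= pkt["sport"]:
            client, server, port = pkt["src_ip"], pkt["dst_ip"], pkt["dport"]
        else:
            client, server, port = pkt["dst_ip"], pkt["src_ip"], pkt["sport"]
        assets[server].services.add((pkt["proto"], port))
        window = flows.setdefault((client, server, pkt["proto"], port), [ts, ts])
        window[0], window[1] = min(window[0], ts), max(window[1], ts)
    return assets, flows


def active_between(assets, start, end):
    """Sliding-timeline query: assets with at least one sighting inside [start, end]."""
    return sorted(ip for ip, a in assets.items() if any(start <= t <= end for t in a.sightings))


def make_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame for the demo (checksums left at zero)."""
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + b"\x08\x00" + ip_hdr + l4


# Constructed traffic: an HMI polling a PLC over Modbus/TCP (502), a historian reaching the HMI
# on EtherNet/IP (44818), an ARP frame, and a device never seen before talking to the PLC.
HMI, PLC, HIST, ROGUE = "192.168.1.10", "192.168.1.20", "192.168.1.30", "192.168.1.99"
SAMPLE = [
    (100.0, make_frame("00:11:22:00:00:10", "00:11:22:00:00:20", HMI, PLC, 6, 49152, 502)),
    (100.1, make_frame("00:11:22:00:00:20", "00:11:22:00:00:10", PLC, HMI, 6, 502, 49152)),
    (150.0, make_frame("00:11:22:00:00:30", "00:11:22:00:00:10", HIST, HMI, 6, 50000, 44818)),
    (160.0, make_frame("00:11:22:00:00:10", "00:11:22:00:00:20", HMI, PLC, 6, 49152, 502)),
    (170.0, b"\xff" * 6 + b"\x00\x11\x22\x00\x00\x10" + b"\x08\x06" + b"\x00" * 28),  # ARP: skipped
    (500.0, make_frame("00:11:22:00:00:99", "00:11:22:00:00:20", ROGUE, PLC, 6, 40000, 502)),
]

if __name__ == "__main__":
    inventory, flow_table = build_inventory(SAMPLE)
    for ip, a in sorted(inventory.items()):
        print(ip, "first", a.first_seen, "last", a.last_seen, "services", sorted(a.services))
    print("active 400-600:", active_between(inventory, 400, 600))
```

Running the block lists the four assets with the ports they answered on and shows that a timeline window of 400 to 600 contains only the PLC and the previously unseen device, which is exactly the kind of change a sliding timeline makes visible.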

The interactive map allows personnel to visualize the data in the manner they prefer and to see the assets, their logical location on the network, and the data flows between the assets. Commands carried over Ethernet to ICS devices and their I/O are also identified, through deep packet inspection of protocols such as Modbus TCP, DNP3, EtherNet/IP, AB-PCCC, and more.

Figure 2: Data Table View in CyberLens Showing AB-PCCC Records and Flow Data

The understanding of the networked environment also allows users to designate zones to logically group assets together and to understand the protocols, ports, and data flows in those specific zones. Comparison of those data sets to other zones can help quickly identify misconfigured devices such as Internet-connected assets, abnormal behavior, and opportunities for efficiencies in passive defenses such as firewalls.

Figure 3: Zone to Zone Communications Including Devices and Protocols
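As an added example (not CyberLens code), the following Python shows what the two ideas above look like in practice: deep packet inspection of Modbus/TCP requests down to function code and register address, separating reads from writes, and a zone-to-zone summary of observed flows. The Modbus framing follows the public Modbus Application Protocol specification; the zone CIDRs, addresses and flows are constructed, and any address outside a designated zone is treated as external, which is how the Internet-connected PLC in the sample is surfaced.

```python
"""Modbus/TCP request inspection and zone-to-zone flow summaries.

Added example, not CyberLens code. MBAP header and PDU layout follow the public Modbus
Application Protocol specification; zone CIDRs, addresses and flows are constructed here.
"""
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Public Modbus function codes of most interest to an asset inventory.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_CODES = {5, 6, 15, 16}          # functions that change controller state


def parse_modbus_request(payload):
    """Decode one Modbus/TCP request (7-byte MBAP header + PDU); None if malformed."""
    if len(payload) < 8:
        return None
    transaction, protocol_id, length, unit = struct.unpack("!HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; length counts the unit id plus the PDU bytes.
    if protocol_id != 0 or length != len(payload) - 6:
        return None
    function = payload[7]
    record = {"transaction": transaction, "unit": unit, "function": function,
              "name": FUNCTION_NAMES.get(function, "Unknown/vendor-specific"),
              "writes": function in WRITE_CODES}
    data = payload[8:]
    if function in (1, 2, 3, 4, 15, 16) and len(data) >= 4:   # start address + quantity
        record["address"], record["count"] = struct.unpack("!HH", data[:4])
    elif function in (5, 6) and len(data) >= 4:               # address + value
        record["address"], record["value"] = struct.unpack("!HH", data[:4])
    return record


# Constructed zone plan. Anything outside a designated zone is reported as "external".
ZONES = [("control", ip_network("192.168.1.0/24")), ("dmz", ip_network("10.0.0.0/24"))]


def zone_of(ip):
    addr = ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "external"


def zone_matrix(flows):
    """flows: iterable of (src_ip, dst_ip, proto, server_port).

    Returns {(src_zone, dst_zone): {(proto, port), ...}}, the zone-to-zone protocol view.
    """
    matrix = defaultdict(set)
    for src, dst, proto, port in flows:
        matrix[(zone_of(src), zone_of(dst))].add((proto, port))
    return dict(matrix)


def externally_connected(flows):
    """Assets inside a designated zone that exchange traffic with an external address."""
    found = set()
    for src, dst, _, _ in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone == "external" and src_zone != "external":
            found.add(src)
        if src_zone == "external" and dst_zone != "external":
            found.add(dst)
    return sorted(found)


# Constructed samples: two Modbus/TCP requests and a few observed flows.
SAMPLE_REQUESTS = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000a"),   # unit 1: read 10 holding registers from 0
    bytes.fromhex("0002 0000 0006 01 06 0010 1234"),   # unit 1: write 0x1234 to register 16
]
SAMPLE_FLOWS = [
    ("192.168.1.10", "192.168.1.20", "tcp", 502),      # HMI -> PLC, Modbus/TCP
    ("192.168.1.10", "10.0.0.5", "tcp", 44818),        # HMI -> DMZ server, EtherNet/IP
    ("192.168.1.20", "203.0.113.7", "udp", 53),        # PLC -> outside address: worth investigating
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(parse_modbus_request(req))
    for zones, protos in sorted(zone_matrix(SAMPLE_FLOWS).items()):
        print(zones, sorted(protos))
    print("externally connected:", externally_connected(SAMPLE_FLOWS))
```

The write/read split matters for an inventory because a device that only ever issued reads suddenly issuing Write Multiple Registers is a change of behaviour even when the IP, port and protocol are all familiar; the zone matrix is the tabular form of the zone-to-zone view in Figure 3.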

Understanding and Identifying Changes

The visual and easy-to-use nature of the interactive map in CyberLens allows changes to be detected easily. However, for sustained use and for larger sets of data an automated detection method is needed. CyberLens uses the concept of snapshots to fulfill this need. Snapshots capture the unique nature of the network, including the assets, their ports and protocols, and the data flows, and store this as a baseline. This baseline can be compared to the data at any time to identify changes. This granular view of changes to the environment, including when the changes occurred, empowers analysts to easily detect threats, perform incident response more efficiently, and scope the impact to the ICS.

Figure 4: Detection of Baseline Changes to Include New Assets and Communications

Cyber situational awareness is made more useful when it is integrated with internal or third-party data sets. Through the use of open application programming interfaces (APIs), developers can extend the functionality of CyberLens by incorporating network-based data and security information from other databases or tools in the environment and overlaying it on the interactive network map. This allows analysts to quickly visualize and correlate this data in combination with their knowledge of the networked environment. These extensions are identified as Lenses and can be developed by customers or made available from the Dragos Security development team and corporate partners. Additionally, the data stored within CyberLens is openly available through the APIs to be sent to other security systems and data aggregators on the network. Sharing the data between tools allows organizations to make the most of this information and ensures that IT and OT security teams can work together effectively to secure the organization.
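The snapshot-and-compare approach described at the start of this section can be sketched in code. This added Python example (not CyberLens code, and not its API) builds a baseline from inventory metadata records over one time window, serializes it so it can be stored, and compares a later window against it, dating each new asset, service or flow by its first observation and listing baseline assets that went silent. The observation records are constructed and use a simple (timestamp, client, server, protocol, server port) shape assumed for the example.

```python
"""Baseline snapshots of inventory metadata and dated change detection.

Added example, not CyberLens code or its API. Observations are constructed records of the
shape (timestamp, client_ip, server_ip, proto, server_port), which is assumed for the example.
"""
import json


def take_snapshot(observations, start, end):
    """Summarise the assets, services and flows observed in [start, end] as a baseline."""
    snap = {"window": [start, end], "assets": set(), "services": set(), "flows": set()}
    for ts, client, server, proto, port in observations:
        if not start <= ts <= end:
            continue
        snap["assets"].update((client, server))
        snap["services"].add((server, proto, port))
        snap["flows"].add((client, server, proto, port))
    return snap


def first_seen(observations, predicate):
    """Earliest timestamp of an observation whose (client, server, proto, port) matches predicate."""
    return min(ts for ts, *rec in observations if predicate(*rec))


def detect_changes(baseline, observations, start, end):
    """Compare the window [start, end] against the baseline.

    New assets, services and flows are dated by their first observation in the window;
    baseline assets with no traffic at all in the window are listed as silent (a failing
    device, a removed link, or a change that deserves a look).
    """
    current = take_snapshot(observations, start, end)
    window_obs = [o for o in observations if start <= o[0] <= end]
    report = {"new_assets": {}, "new_services": {}, "new_flows": {}}
    for ip in current["assets"] - baseline["assets"]:
        report["new_assets"][ip] = first_seen(window_obs, lambda c, s, *_, ip=ip: ip in (c, s))
    for svc in current["services"] - baseline["services"]:
        report["new_services"][svc] = first_seen(
            window_obs, lambda c, s, p, port, svc=svc: (s, p, port) == svc)
    for flow in current["flows"] - baseline["flows"]:
        report["new_flows"][flow] = first_seen(window_obs, lambda *rec, flow=flow: tuple(rec) == flow)
    report["silent_assets"] = sorted(baseline["assets"] - current["assets"])
    return report


def save_baseline(snapshot):
    """Serialise a snapshot (sets become sorted lists) so the baseline can be stored and reloaded."""
    return json.dumps({k: sorted(v) if isinstance(v, set) else v for k, v in snapshot.items()})


def load_baseline(text):
    data = json.loads(text)
    return {"window": data["window"], "assets": set(data["assets"]),
            "services": {tuple(x) for x in data["services"]},
            "flows": {tuple(x) for x in data["flows"]}}


# Constructed metadata records: an HMI polling a PLC, a historian that later goes quiet,
# a never-before-seen device, and a new service appearing on the PLC.
HMI, PLC, HIST, ROGUE = "192.168.1.10", "192.168.1.20", "192.168.1.30", "192.168.1.99"
SAMPLE = [
    (100.0, HMI, PLC, "tcp", 502),
    (150.0, HIST, HMI, "tcp", 44818),
    (160.0, HMI, PLC, "tcp", 502),
    (460.0, HMI, PLC, "tcp", 502),
    (500.0, ROGUE, PLC, "tcp", 502),     # unknown device speaking Modbus/TCP to the PLC
    (520.0, HMI, PLC, "tcp", 44818),     # EtherNet/IP to the PLC, never seen in the baseline
]


def demo():
    """Baseline from the first window, stored and reloaded, then compared with a later window."""
    baseline = load_baseline(save_baseline(take_snapshot(SAMPLE, 0, 200)))
    return detect_changes(baseline, SAMPLE, 400, 600)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Keeping the baseline as a stored artifact rather than recomputing it from live data is what makes the comparison meaningful over months: the report says not only that 192.168.1.99 is new but that it first appeared at timestamp 500, and that the historian, present in the baseline, produced no traffic in the later window.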

Organization-Wide Buy-in

The security of systems is an organization-wide issue. People and processes are as integral as technology, if not more so. The passive and easy-to-understand interactive map in CyberLens allows non-security personnel to identify changes to the environment when it is displayed on a screen in locations such as control centers. Simple visual alerts in the form of changed baselines can be reported to security personnel for investigation when they are not already aggregated elsewhere. Additionally, executives and C-suite personnel can equally have access to the network map. While they will not be the personnel responsible for investigating changes or monitoring the networks, they can have the intangible made tangible for them and have confidence that their organization has the cyber situational awareness it needs to maintain the security and reliability of operations.

Conclusion

Cyber situational awareness is a requirement for organizations to truly understand their networked environments. In ICS networks this information is much more useful and easily maintained given the relatively static nature of the system. Achieving cyber situational awareness allows organizations to properly maintain their systems and monitor for security threats. This information also serves as a foundation for the better utilization of passive and active defenses. Dragos Security's CyberLens has been developed specifically for ICS and critical infrastructure networks to provide an entirely passive and safe method of gaining cyber situational awareness.