ICS Cyber Attacks: Fact vs. Fiction and Why it Matters




ICS Cyber Attacks: Fact vs. Fiction and Why it Matters
Presenter: Robert M. Lee (www.sans.org/ics, @RobertMLee, @SANSICS)

Today's Agenda
- Fiction
- Fact: ICS Attacks Deconstructed
- What You Can Do About It

Read Coil
Work: Co-founder of Dragos Security; SANS ICS 515 "Active Defense and Incident Response" course author; SANS FOR 578 "Cyber Threat Intelligence" co-author.
Background: started in the U.S. Intelligence Community as an Air Force Cyber Warfare Operations Officer; established and led a first-of-its-kind ICS threat intelligence and intrusion analysis mission; pursuing a PhD at King's College London with research into the cyber security of control systems.

Fiction
(Little Bobby can be found at www.littlebobbycomic.com and on Twitter @_LittleBobby_)

Chattanooga APT
Bloomberg published "A Decoy Computer Was Set Up Online. See Which Countries Attacked it the Most" in Sept. 2014: a honeypot that recorded scans as attacks, with the "ICS honeypot" seeing 6,000 "attacks" from the US. CSO published "Threat Intelligence Firm Mistakes Research for Nation State Attack" in Oct. 2014: Stephen Hilt and other researchers had performed the scans for the Redpoint project/talk at DerbyCon. It was not a real ICS honeypot; see Kyle Wilhoit's research for a good example of a real ICS honeypot.

2008 Turkey Pipeline Explosion
Bloomberg published "Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar" in Dec. 2014, claiming the 2008 explosion at the Baku-Tbilisi-Ceyhan pipeline was a Russian cyber attack, according to anonymous intelligence officials; the reporter claimed anonymous ICS incident responders had found the data. SANS ICS Defense Use Case (DUC) #1 (http://ics.sans.org/resources/duc) disputed the claims: the ICS IR data is unlikely/unsupported; government reports identified the attack as a physical terrorist attack; and a Süddeutsche article uncovered an internal report showing that neither the IP cameras nor the wireless monitoring were installed until after the blast.

Cyber Attacks on ICS by Iran
Norse and AEI published a report on Iran attacking ICS. The public report, released with AEI in April 2015, made policy recommendations regarding the Iran negotiations, and the New York Times covered the story, highlighting the growing Iranian threat. Disputed claims: the "attacks" were network scans against non-ICS honeypots and unregistered IP addresses, and expertise in both intelligence and ICS was lacking.

Turkey 10-hour Blackout
A 10-hour power failure in the majority of Turkey. Bloomberg, CNN and others hinted that the reason was potentially a cyber attack; multiple news agencies cited the Bloomberg 2008 pipeline report and the Norse/AEI Iranian report as evidence of a potential cyber attack, and claims surfaced that this threat could threaten European grids. Result: Turkish government officials identified faults at two power plants (İzmir and Adana Çukurova) that resulted in a 5-10% capacity loss. The faults were poorly executed maintenance on transmission lines; the capacity loss had effects on the interconnected system and caused a shutdown of systems in multiple areas.

Fact: ICS Cyber Attacks Deconstructed

What's the Point?

How Hard Is It?

ICS Cyber Attack: Stage 1

ICS Cyber Attack: Stage 2

Real ICS Threats (Cyber Incidents)
- Stuxnet
- Campaign reconnaissance (APT1 and OpCleaver)
- HAVEX
- BlackEnergy2
- German steelworks
- Incidental malware
The following slides (attack maps) were developed by Michael Assante.

Observable Steps to an ICS Attack: the attack maps
Each of the following slides is an attack map drawn on the same grid (the map images themselves did not survive extraction; only the slide text did). The rows are the steps of the two-stage model, the columns are where in the ICS a step would be observed and over which protocols.

Stage 1, Intrusion: Reconnaissance; Weaponization/Targeting; Delivery; Exploit; Install/Modify; C2; Act.
Stage 2, ICS Attack: Develop; Test; Deliver; Install/Modify; Execute ICS Attack; Attack with Impact.
Observation points (columns): External Network Hosts (business or plant network), common protocols; DMZ Applications, common protocols; Supervisory Control Elements (network, applications, servers), common and industrial protocols; Control Elements (PLCs, RTUs, SIS), industrial protocols; Sensors & Actuators, I/O and fieldbus using industrial protocols.

[STUXNET] Stage 1 reconnaissance via www; the map runs through Stage 1 and the whole of Stage 2 to Attack with Impact.

[APT1] Stage 1 delivery via e-mail; Stage 2 Develop is marked only with a "?" (no ICS attack development observed).

[OpCleaver] Iranian actors; Stage 1 only, involving ICS users, with no evidence of Stage 2 intent.

[BE3] BlackEnergy 3 markers on the Stage 1 steps (Delivery via e-mail, Exploit, Install/Modify, C2) against external network hosts and DMZ applications, reaching toward the supervisory control elements; no Stage 2 step is marked.

[Slide image residue: a ladder-logic rung with START/STOP inputs, two on-delay timers (T4:0 preset 12000, T4:3 preset 18000) and a LIGHT output.]

[HAVEX] Stage 1 observables: www and ICS files (reconnaissance/weaponization), e-mail and ICS webpages (delivery); the map does not mark Stage 2 steps.

[Reports] Possible Iranian actors; the map carries the Stage 1 and Stage 2 rows but no observation point is marked.

[German Iron Works] Stage 1 delivery via e-mail; the impact is marked at the furnace.

[Conficker] An IT attack that impacted ICS: a Conficker remote-access infection, with Conficker infecting Windows-based control elements. Attack with Impact without any Stage 2 step.
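The "fiction" cases above all rest on reads and scans being reported as attacks, while the attack maps place the step that actually changes a process (Stage 2, Install/Modify and Execute ICS Attack against the control elements) on the industrial protocol itself. The following Python is an added example, not code from Lee's slides or from SANS; it parses Modbus/TCP frames, the protocol a "Read Coil" request belongs to, and sorts a captured session into reads (reconnaissance, scanning, or a scan-as-attack headline), writes (a change of device state, the kind of observable that belongs in Stage 2), exceptions and malformed frames. The frames are constructed inline and labelled as such; classifying by function code is a heuristic for triage, not proof of intent, since legitimate engineering traffic also writes registers.

```python
import struct
from collections import Counter

# Public Modbus function codes (Modbus Application Protocol spec).
READ_FUNCS = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers",
              43: "Read Device Identification (MEI)"}
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Parse one Modbus/TCP frame: 7-byte MBAP header, then the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2, counts
    unit id + PDU), unit id (1). Raises ValueError on a malformed frame.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != actual {len(frame) - 6}")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def classify(frame: bytes) -> str:
    """Bucket a frame: read, write, exception, other, or malformed."""
    try:
        pdu = parse_mbap(frame)
    except ValueError:
        return "malformed"
    fc = pdu["function"]
    if fc & 0x80:
        return "exception"   # device refused; no state change happened
    if fc in READ_FUNCS:
        return "read"
    if fc in WRITE_FUNCS:
        return "write"
    return "other"


def assess_session(frames) -> tuple:
    """Tally a session and say which stage of the attack map it could evidence."""
    counts = Counter(classify(f) for f in frames)
    if counts["write"]:
        verdict = "Stage 2 observable: write to a control element"
    elif counts["read"]:
        verdict = "Stage 1/reconnaissance only: reads, no process change"
    else:
        verdict = "no usable ICS protocol activity"
    return counts, verdict


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Construct a well-formed Modbus/TCP frame around a PDU (test data only)."""
    return struct.pack(">HHHB", tid, 0, 1 + len(pdu), unit) + pdu


# Constructed sample traffic (hypothetical, not a real capture).
SCAN_SESSION = [
    build_frame(1, 1, bytes([0x2B, 0x0E, 0x01, 0x00])),   # Read Device Identification
    build_frame(2, 1, bytes([0x03, 0, 0, 0, 10])),          # Read 10 holding registers
]
WRITE_SESSION = SCAN_SESSION + [
    build_frame(3, 1, bytes([0x05, 0, 0, 0xFF, 0])),        # Write Single Coil 0 = ON
]
EXCEPTION_FRAME = build_frame(4, 1, bytes([0x83, 0x02]))    # exception to FC 3
MALFORMED_FRAME = b"\x00\x01\x00\x00\x00\x14\x01\x03"       # length says 20, only 2 follow

if __name__ == "__main__":
    for name, session in (("scan", SCAN_SESSION), ("write", WRITE_SESSION)):
        counts, verdict = assess_session(session)
        print(f"{name}: {dict(counts)} -> {verdict}")
    print("exception frame ->", classify(EXCEPTION_FRAME))
    print("malformed frame ->", classify(MALFORMED_FRAME))
```

The length check matters for a real honeypot: a port scanner that opens TCP 502 and sends nothing, or a fuzzer that sends junk, produces "malformed" rather than being counted as an "attack", which is exactly the distinction the Chattanooga and Norse/AEI headlines failed to make.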

What You Can Do About It

The Sliding Scale of Cyber Security
- Offense: legal countermeasures, hack back, etc.
- Intelligence: collecting data, exploiting it into information, and producing intelligence.
- Active Defense: analysts monitor for, respond to, and learn from adversaries internal to the network.
- Passive Defense: protection without constant human interaction (firewalls, IPS, AV, etc.).
- Architecture: supply chain, architecting the network, maintaining/patching.

Architecture
- Cyber engineering to build security into the products during their design.
- Supply chain protection to ensure no tampering at the start or with updates.
- Architect the network with security in mind.
- Network hygiene kept up with patching/maintenance where possible.
- Collection points to gather data.

Offense? No, that'd be silly!

Questions? Visit us at SANS ICS to keep up with our latest research, classes, and more: http://ics.sans.org/