Effects-based Targeting for Critical Infrastructure

Similar documents
Practical Steps To Securing Process Control Networks

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Protecting Organizations from Cyber Attack

Cybersecurity Kill Chain. William F. Crowe, CISA, CISM, CRISC, CRMA September 2015 ISACA Jacksonville Chapter Meeting August 13, 2015

Advanced Persistent Threats

What Risk Managers need to know about ICS Cyber Security

PENETRATION TESTING GUIDE. 1

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

Vulnerability Assessment & Compliance

OPC & Security Agenda

Advanced Analytics For Real-Time Incident Response A REVIEW OF THREE KNOWN CASES AND THE IMPACT OF INVESTIGATIVE ANALYTICS

Getting real about cyber threats: where are you headed?

Evolution of Cyber Security and Cyber Threats with focus on Cloud Computing

SCADA City of Raleigh. Martin Petherbridge, CPA, CIA Internal Audit Manager Shirley McFadden, CPA, CIA Senior Internal Auditor

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

N-Dimension Solutions Cyber Security for Utilities

67% 61% STATE OF CLOUD SECURITY BULLETIN. Information Security in the Energy Sector. Summer 2013 FROM APR SEP 2012

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

Perspectives on Cybersecurity in Healthcare June 2015

How Secure is Your SCADA System?

Energy Cybersecurity Regulatory Brief

a Post-Stuxnet World The Future of Critical Infrastructure Security Eric Byres, P.Eng.

New York State Energy Planning Board. Cyber Security and the Energy Infrastructure

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Research Note Engaging in Cyber Warfare

Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development

ICS Cyber Attacks: Fact vs. Fiction and Why it Matters

Defending Against Data Beaches: Internal Controls for Cybersecurity

The Four-Step Guide to Understanding Cyber Risk

Data Breach Response Planning: Laying the Right Foundation

Cyber Security and the Canadian Nuclear Industry a Canadian Regulatory Perspective

Incident Response. Proactive Incident Management. Sean Curran Director

Dragonfly: Energy Companies Under Sabotage Threat Symantec Security Response

The State-of-the-State of Control System Cyber Security

CYBER SECURITY INFORMATION SHARING & COLLABORATION

SPEAR PHISHING UNDERSTANDING THE THREAT

ICS-CERT Incident Response Summary Report

Advanced & Persistent Threat Analysis - I

Cyber security: Practical Utility Programs that Work

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Keeping the Lights On

Document ID. Cyber security for substation automation products and systems

NATIONAL STRATEGY FOR GLOBAL SUPPLY CHAIN SECURITY

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES. By James Christiansen, VP, Information Risk Management

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions June 4, Electric Grid Operations

Protecting against cyber threats and security breaches

A New Layer of Security to Protect Critical Infrastructure from Advanced Cyber Attacks. Alex Leemon, Sr. Manager

PREVENTING ZERO-DAY ATTACKS IN MOBILE DEVICES

Some Thoughts on the Future of Cyber-security

Nuclear Security Requires Cyber Security

ONLINE RECONNAISSANCE

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Penetration Testing The Red Pill

Accenture Cyber Security Transformation. October 2015

After the Attack. The Transformation of EMC Security Operations

Entity Name ( Acronym) NCRnnnnn Risk Assessment Questionnaire

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

San Diego Gas & Electric Company FERC Order 717 Transmission Function Employee Job Descriptions August 10, Electric Grid Operations

Cyber Security for Nuclear Power Plants Matthew Bowman Director of Operations, ATC Nuclear IEEE NPEC Meeting July 2012

Certification Programs

Developing Secure Software in the Age of Advanced Persistent Threats

SCADA Security: Challenges and Solutions

Cyber Risk Mitigation via Security Monitoring. Enhanced by Managed Services

Roadmaps to Securing Industrial Control Systems

Industrial Cyber Security 101. Mike Spear

PFP Technology White Paper

Defense Security Service

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Medical Device Security: The Transition From Patient Privacy To Patient Safety. Scott Erven

What is Cyber Liability

Including Threat Actor Capability and Motivation in Risk Assessment for Smart Grids

Robert Malmgren. Smart Grid. Security Challenges - Legacy and Infrastructure Burdens

8/27/2015. Brad Schuette IT Manager City of Punta Gorda (941) Don t Wait Another Day

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Today s Global Cyber Security Status and Trustworthy Systems That Leverage Distrust Amongst Sovereigns

defending against advanced persistent threats: strategies for a new era of attacks agility made possible

Utility Telecom Forum. Robert Sill, CEO & President Aegis Technologies February 4, 2008

Resilient and Secure Solutions for the Water/Wastewater Industry

RE: Experience with the Framework for Improving Critical Infrastructure Cybersecurity

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

ABB Power Generation Cyber Security Users Group

Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives

Update On Smart Grid Cyber Security

Network Cyber Security. Presented by: Motty Anavi RFL Electronics

ISACA rudens konference

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

NATIONAL CYBER SECURITY AWARENESS MONTH

Advanced Threat Protection with Dell SecureWorks Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Transcription:

Effects-based Targeting for Critical Infrastructure SESSION ID: HT-T09 Sean McBride Director of Analysis Critical Intelligence www.critical-intelligence.com

How would you infiltrate/attack/affect a wide swath of critical infrastructure facilities in the United States?

Targeting Targeting is the process for selecting and prioritizing targets and matching appropriate actions to those targets to create specific desired effects that achieve objectives, taking account of operational requirements and capabilities. - Targeting: Air Force Doctrine Document

Substations

Generating facilities

Steel plants

Massive BP Refinery

Massive BP Refinery

Software

Software

What if I had: Photo Work location Email address Job description Professional history

Targeting Targets are areas, complexes, installations, forces, equipment, capabilities, functions, individuals, groups, systems, or behaviors identified for possible action to support the commander s objectives, guidance, and intent. - Targeting: Air Force Doctrine Document

Target Development Target development is the systematic evaluation and analysis of target systems, system components, and component elements to determine high value targets (HVTs) for potential lethal or non-lethal attack. - U.S. Army Open Source Intelligence Manual

High Value Targets HVT points that maximize payoff for attacker Defenders often at disadvantage due to differing perceptions of risk: Subsidiary: Utility of an energy holding company Enterprise: Entire organization Nation: Entire country Community/location: national capital area Up and down-stream dependencies

HVT victim vs vector Utility as victim Desired effect: make money Means: power outage to extort utility Utility as vector Desired effect: greater economic influence Means: power outage affecting major competitive export sector (steel, automotive, oil, etc.)

Target Chaining Each piece of information may be used to achieve an objective in another campaign What do you need to exploit in order to exploit what you ultimately want to exploit? Example: RSA SecureID compromise rumored to be used against LMCo, Northup, L3

System of Systems Analysis Functions Assets Firms The Electric Grid Customers Models

SOSA Simplification of Electric Grid Functions Assets Models Customers Firms Generation Plants lists Residential Asset owners Transmission Distribution Market ops Substations Lines Control cntrs Support equip ONDs Interconnects Pricing Capacity Commercial Industrial Regulators Engineering/I ntegration Vendors

SOSA Simplification of Electric Grid Firms Asset owners Areas served Employees Customers Vendors Market Share Product Type Employees Cloud services Asset owners Regulators Areas Served Work groups Members Compliance Information Employees Engineering/I ntegration Customers Areas Served Employees Asset owners

SOSA leads to HVT identification Asset owners Areas served Employees Vendors Market Share Product Type Employees Cloud services Engineering/I ntegration Customers Areas Served Employees Asset types Plants Lines Substations Cntrl cntrs Computers RTU PLC EWS SCADA/HMI Protctv equip What Integration firm employee has access to the EWS used to configure the protective equipment for the target area served?

SOSA leads to HVT identification Asset owners Areas served Employees Vendors Market Share Product Type Employees Cloud services Web site Engineering/I ntegration Customers Areas Served Employees Asset types Plants Lines Substations Cntrl cntrs Computers RTU PLC EWS SCADA/HMI Protctv equip What Web site is he likely to visit? (maybe to get the latest firmware from the vendor?)

SOSA leads to HVT identification Vendors Functions Market Share Product Type Employees Cloud services Generation Transmission Distribution Market ops What vendors have cloud services for market operations?

SOSA leads to HVT identification Asset owners Areas served Employees Regulators Areas Served Work groups Members Compliance Information Employees What regulator maintains information about asset owner control centers, and employees who work there? Fnctl Assets Plants Lines Lines Cntrl cntrs Substations Substations Bk up Cntrl

Internet-Derived Targeting Using the Internet as a targeting platform Base target lists off what information is readily available Benefits: low cost, low risk approach, favorable for cyber operations Drawbacks: information may be dated or misleading, not as favorable for kinetic operations Not necessarily exclusive of other intelligence/targeting methods Example: IDT can inform HUMIT targeting; multiple intelligence collection methods can be used as sanity checks

How would you infiltrate an Iranian nuclear enrichment facility?

Army War College: Checking Iran s Nuclear Ambitions Jan. 2004 Covert action would probably be the most politically expedient way for the United States to disrupt Iran s nuclear program. It might include one or more of the following: harassment or murder of key Iranian scientists disruption or interdiction of key technology or material transfers on land, in the air, or at sea introduction of destructive viruses into Iranian computer systems controlling the production of components or the operation of facilities The challenges of U.S. Preventative Military Action Michael Einstadt

NYT Article Jan. 2009 The covert American program, started in early 2008, includes renewed American efforts to penetrate Iran s nuclear supply chain abroad, along with new efforts, some of them experimental, to undermine electrical systems, computer systems and other networks on which Iran relies. It is aimed at delaying the day that Iran can produce the weapons-grade fuel and designs it needs to produce a workable nuclear weapon.

Aviation Week Article Feb. 2010 The vanguard of Israel s cyber-warfare efforts is focused on blocking Iran s nuclear ambitions. A U.S. expert said recently that malware could be inserted, disrupting the controls of sensitive sites like uranium enrichment plants. Israeli intelligence has tried to insert malware that can damage information systems within Iran s nuclear program. The systems are not connected to the Internet, but to equipment sold to the Iranian government

Q1 2011: Stuxnet Consensus NYT article: Tested at Oak Ridge and Dimona INL: Siemens portion? USB vector

Was it really (just) via USB?

Leveraging existing capabilities: Customs Nov. 2008

Leveraging existing capabilities: Customs Apr. 2009

Siemens support forum Jul. 2009

Blog and Resume

Stuxnet OSINT

NEDA & Siemens

Neda article in Control Magazine Jul. 2012

NEDA added to Department Of Commerce Entity list Sep. 2008

Indictments link NEDA to Iran s Military Procurement

NEDA sanctioned for Natanz Dec. 2012 Neda Industrial Group (Neda) is an Iranian entity with strong links to the Iranian nuclear program, including the manufacture and procurement of proscribed equipment and material for use at Iran s Natanz Uranium Enrichment Facility. Since at least 2011, Neda has attempted to procure from foreign entities sensitive centrifuge-related components that have direct application in Iran s nuclear program. The companies placed under sanctions were Pouya Control, Iran Pooya, Aria Nikan Marine Industry, Faratech, Neda Industrial Group, Tarh O Palayesh and Towlid Abzar Boreshi Iran.

NEDA Timeline

How would you infiltrate/attack/affect a wide swath of critical infrastructure facilities in the United States?

SOSA leads to HVT identification Asset owners Areas served Employees Vendors Market Share Product Type Employees Cloud services Engineering/I ntegration Customers Areas Served Employees Asset types Plants Lines Substations Cntrl cntrs Computers RTU PLC EWS SCADA/HMI Protctv equip What Integration firm employee has access to the EWS used to configure the protective equipment for the target area served?

Internet Derived Targeting: Major Integrators in USA 2013: Wood Group Mustang; SI revs: $95 MM Maverick Technologies: $ 65 MM Prime Controls: $46 MM 2012: Mustang Engineering; SI revs: $90 MM Keller Technology; SI revs: $65 MM Maverick Technologies; SI revs: $58 MM

Customer Lists!

Pivoting for employee information Validate email addresses Craft highly targeted malicious emails Wait for phone home

Actual results of spear phishing simulation clicks from these titles: Control Room Supervisor Instrument Technician Automation Technician Pipeline Controller Process Controls Engineer Senior VP Operations and Maintenance Equipment Diagnostics Lead 10 other various engineers

SOSA leads to HVT identification Vendors Functions Market Share Product Type Employees Cloud services Generation Transmission Distribution Market ops What vendors have cloud services for market operations?

Web services for market operations

SOSA leads to HVT identification Asset owners Areas served Employees Regulators Areas Served Work groups Members Compliance Information Employees What regulator maintains information about asset owner control centers, and employees who work there? Fnctl Assets Plants Lines Lines Cntrl cntrs Substations Substations Bk up Cntrl

Regulatory/Reliability Environment Just monitor Web pages!

Example: Standards of conduct FERC Standards of Conduct, Section 358.7(f)(1): A transmission provider must post on its Internet website the job titles and job descriptions of its transmission function employees. Organizational charts Job descriptions Names, usernames (email), phone numbers of people holding those positions

Example: Info on backup control centers Several presentations from a working group on system reliability were shared to a public Sharepoint site (meant to be shared to privately). Critical Intelligence noted potential impact to our customers, and reported to offending party, which removed them quickly Who else grabbed these? Were other affected parties notified? What prevents this from happening again? NOTHING! It Did!

Example: State regulatory filings State bodies regulate investor owned utilities Utilities commissions Environmental regulators (air and water quality) Photographs Engineering diagrams Employee contact information

Defense: Reconnaissance Surface Management

Reconnaissance Surface Management Toolset OPSEC Whitewash Honey/canaries Deception Back hacking

Defense: OPSEC Intelligence collection and analysis is very much like assembling a picture puzzle. Intelligence collectors are fully aware of the importance of obtaining small bits of information (or pieces of a puzzle) from many sources and assembling them to form the overall picture.

Example information from NERC PSIG Function and physical location of assets Network topology (cyber and physical) Contingency facilities, emergency response plans Communications assets Key suppliers and customers Risk assessment results, audit results, impact assessments Security operating procedures

No SCADA selfies!

RSM operational elements 1. Disclosure Prevention Information classification, Policies, Training, Pre-release scanning 2. OPEC Assessment: What have you already disclosed? How do you deal with existing disclosures? 3. Continual Monitoring: What are you (your employees) disclosing now? Regulatory filings, job postings Social media

Anti-IDT Recommendations Obtain threat intelligence with specific ICS focus These are your crown jewels! You were getting commercial threat intel for IT stuff but not for ICS stuff??? Government-provided intel is good, but insufficient OSINT black box Internet-derived targeting for all critical infrastructure asset owners More than standard penetration test must consider possible operational **kinetic** impacts

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information