cyber security threats and defense for protecting ... · cyber security threats and defense for...

1

SCCE

Presented by Daniel Ehrenreich, SCCE, [email protected] is strictly prohibited. © Copyright SCCE 2017

Cyber Security Threats and Defense for Protecting Industrial Operations

1

SCCE

Presented by Daniel Ehrenreich, SCCE, [email protected]

Duplication is strictly prohibited. © Copyright SCCE 2017

Presented by:

Daniel Ehrenreich

SCCE- Secure Communications and Control

Experts

Meeting 13-9-2017

Cyber Security

Threats and Defense

Measures for

Protecting Industrial

Operations


2

SCCE



……. Introduction

• 1976 -1990 Tadiran Inc.

• 1991 - 2011 Motorola Ltd,

• 2011 - 2013 Siemens - Ltd

• 2014 - 2014 Waterfall Security

• 2014 - SCCE Consulting

• 2014 - SCCE Training

Daniel Ehrenreich

SCCESecure Communication and Control Experts

Tel: +972-54-9151594

[email protected]

Over 40 years of industrial activity


3

SCCE



Critical Infrastructure

• Water and Waste Water

• Electricity Distribution

• Early Flood Warning

• Water Distribution

• Oil and Gas Pipelines

• Communication Monitoring

• Public Safety and Security

• Transportation Monitoring

• Environment Monitoring


4

SCCE



Risks on Industrial Control and IT Systems

Organizations which already were under cyber attack- and already took actions ☺☺☺☺

Organizations which does not know, but they are under attack. The Virus is already sitting there !

Organizations which will be under cyber-attack as soon as tomorrow !!

OT- Operation Technology ICS - Industrial Control SystemsSCADA - Supervisory Control and Data Acquisition

2

SCCE



5

SCCE



• Prevent damaged equipment from hurting people

– Mechanical fault, faulty control process

• Prevent people causing damage to assets

– Wrong action, lack of training, sabotage

• Seamless operation and high productivity

– Consistent, cost effective and quality water supply

ICS must assure Safety & Reliability


6

SCCE



Remember the IT and ICS Differences

Confidentiality

Integrity Availability

IT Security Challenges

Safety

Reliability Productivity

ICS Security Challenges

You can not handle ICS security as you handle IT security!

Every change in ICS is a potential risk to safety and reliability of the critical infrastructure operation.


7

SCCE



Layers in Customer Organization

Enter-

prise

Production Process Control

Control Operation

Production Level and Machinery control

IT Section

OT Section

Air-gap Isolation

Aimed to Prevent

External Cyber Attack

But it is not enough

Internet/Cloud


8

SCCE



Public

Internet

firewal

l

CORPORATE NETWORK

CONTROL NETWORK

OT SYSTEM

Service

Eng.

SOFTWARE TEST LAB

VENDOR EXPERT CENTER

Eng.

Station

View Consoles

Typical ICS System Structure

3

SCCE



9

SCCE



Technical Malfunctions and Force Majeure

• Events can be interpreted as an attack!

• Faulty Sensor / Hardware / Program Bug

– May be interpreted as a cyber attack

• Incorrect action of an Authorized person

– May cause unstable-difficult to analyze condition

• Action by Unauthorized person – Attack on ICS

– Internally or externally generated attack


10

SCCE



ICS Attacks (same as IT but differently)

• Man-in-the-Middle attack

– Attackers monitor/alter messages

• Denial of Service (DoS)

– The attacker can “make is busy”

• Stealing Business Data

– Part of MitM process after access

• Damage to equipment

– Last but most Critical

• Sniff Information

• Replay message

• Modify feedback data

• Fake ping to OT

• Caused by MitM

• May boost to DDoS

• Competitor interest

• Nation funded

• Reputation Damage

• Remember Stuxnet

Defense: Complementing and Compensating Cyber Defense measures


11

SCCE



Infection Spread Across IT-OT Systems 2/2

Public

Internet

firewal

l

CORPORATE NETWORK

CONTROL NETWORK

OT SYSTEM

Service

Eng.

SOFTWARE TEST LAB

VENDOR EXPERT CENTER

Eng.

Station

View Consoles


12

SCCE



MitM Attack

Public

Internet

firew

all

CORPORATE NETWORK

CONTROL NETWORK

1 2

3

4

5

6

SCADASYSTE

M MitM Attack

Service

Eng.

7

8

SOFTWARE TEST LAB

VENDOR EXPERT

CENTER

Eng.

Station

View Consoles

Delivering Malware via Ext. Media

The hacker approaches the control system by using a USB stick (1) or

wireless backdoor (2,4) or through infecting an HMI (3)

4

SCCE



13

SCCE



Data flow from the ICS to IT network

for purpose of boosting productivity

and operation cost reduction

Sensors Actuators IEDs

PLC Control

Control SystemSecured

Data Network

OT, DCS

Business Network

InternetNetwork

ICS & Business Networks’ Interconnection


14

SCCE



• Harvest email addresses, company information, etc.Reconnaissance

• Couple exploit with backdoor into deliverable payloadWeaponization

• Deliver weaponized bundle via email, web, usb, etc.Delivery

• Exploit vulnerability to execute code on victim systemExploitation

• Install malware on the assetInstallation

• Command channel for remote manipulation of victimCommand & Control

• With “Hands on Keyboard” access, intruders accomplish their original goal

Actions on Objectives

Source: Lockheed Martin Cyber Kill Chain

Malware Infection via network

• The Lockheed Martin Cyber Kill Chain (CKC)

14


15

SCCE



Attacking ICS via Authorized Access

• Potential threat scenarios

– Authorized remote access is common for ICS ��

• Poorly defended access e.g. via default passwords or

even hardcoded passwords is a major vulnerability.

– Lack of strong authentication and authorization measures

• Service people use the same ID and access methods.

– External service providers perform updates for devices.

• Additional challenges for cyber defense

– Use of VPN is provided only to a specific device

• Additional devices are accessible via light security


16

SCCE



GPS Time Reference Spoofing

• Outcome of the attack

– Nor synchronized operation > Outage > Damage

• Detection and Mitigation Efforts

– Compare the signal strength to the expected strength.

– Alert if a deviation from normal is detected.

5

SCCE



17

SCCE



Cyber attack damages to BEMS

• Energy control

– Alter the power meter

reading/wring billing

– Re-setting the air-

condition temperature

– Resetting the operation

hours (heating-cooling)

– Re-setting the light

control timer

– Causing power outage in

the building

• Safety-security control

– Start fire alarm to

evacuate offices

– Activate fire-fight

sprinklers in rooms

– Stealing data on

authorized people

– Changing the biometric

setting and access

– Slowing down the

system response


18

SCCE



Bring Your Own Device (BYOD)

• 90 % of people use private smartphones at work

• BYOD policies not enforced-cause vulnerabilities

– Can be stolen

– Can be hacked-compromised

– Can be manipulated to create attack

– Can serve for preparing a BIG one

BYOH(Bring your own Hacker!)


19

SCCE



Duqu and Flame - follow the Stuxnet

• Stuxnet (June 2010)

– Virus - Internally generated Cyber Attack with USB (?)

– Aimed to destroy Centrifuges by resonance speed

– Operators were misled seeing normal conditions

• Duqu (Sept 2011)

– Malware with large similarities with Stuxnet

– Trojan horse aiming to capture and exfiltrate information

• Ukraine Power Grid (December 2015)

– Residents of Western Ukraine City were affected

– 80,000 – 250,000 (?) people we in dark ~ 6 hours (?)


20

SCCE



Malware Infection via network

• Is there a way to minimize damage?

– Behavior of People

• Training, drills, careful behavior, reporting, use

of Authentication Proxy Access

– Deployment of Technology

• Privilege account defense, Industrial IDS

detecting process/communication anomalies

– Enforcement of Policy

• Proper procedure for detected alarms

• Employing strong SIEM for analyzing events

6

SCCE



21

SCCE



• Controls of the traffic

– Filters external access to OT

– Slow down worm spreading

• Segregation spots:

– Internal from External

– Different Hierarchy

– Minimal linked nodes

– Highly secured zones

• Data flow direction

– The malware blocked from receiving instructions

Separation into Zones

Application

HMI-ENG level

CorporateIntranet

Automation

DMZ

UnsecuredInternet


22

SCCE



DMZ Basic Principles

• Preventing direct In/Out path to OT

– Limited inbound traffic to Control Zone

– Controlled outbound traffic from OT

– No direct connection between In/Out

– Emergency disconnect; inside or outside

– Altering the protocol in the DMZ

– No DMZ management from outside

– Conducting deep packet inspection

DMZ – Demilitarized Zone

IT - Lower Security

Section

OT- Higher

Security Section


23

SCCE



Data Sanitizing Kiosk

• Preforms file’s inspection to detect

malware in documents and software

– Extra defense against zero day attacks

– Performs sort of “Sandbox process”

• Transfer of files to the Network

– Manually, on transferable media

– Through direct connection to network

• Special Challenges

– The “Kiosk” must be periodically updated

with new signatures supplied by AV vendors

Incoming Data

Certified

Data

Scanning


24

SCCE



• Learning the Network Topology: Devices, Links

– Detecting devices

– Detecting topology changes

– Learning device Sampling time

• Passive Machine Profiling

– Detecting out-of-order commands

– Detecting PLC scanning attacks

• Detecting abnormal memory access to devices

– Preventing un-authorized Firmware upgrade.

Anomaly Detection

7

SCCE



25

SCCE



Application Control / Whitelisting

• Maintain list of all programs and data libraries

– Allow only recognized files / programs to be executed

– Programs which are not listed can not run

• White listing is actually

– Must be protected from modification

– If compromised… you have no defense

• Good fit for SCADA:

– No virus signatures update

– Predictable execution costs

Every software based cyber defense can be compromised and cause severe cyber attack


26

SCCE



• Diode performs One way data transfer

• Historian Server is seamlessly copied to the H-Copy

• External attack can not infiltrate to the ICS

– Leaving it 100% safe

ICS defense through Data Diode

OT

Historian

Server

Historian

Server

Historian

ServerHistorian

Copy

Corporate NetworkIndustrial Network

Optical

Transmit

Optical

Receive

Data

1 way

Fiber


27

SCCE



• Downloadable Access Control rules

– Who Can access the site

– Which devices can be accessed

– What action can be performed

– Time slot for service execution

• Benefits of the APA

– Well documented pre-set process

– Using updated AAA processes

• Audit Trail

– More granular post event Forensic

Authenticated Proxy Access (APA)


28

SCCE



Anomaly Detection

• Learning the Network Topology: Devices, Links

– Detecting devices

– Detecting topology changes

– Learning device Sampling time

• Passive Machine Profiling

– Detecting out-of-order commands

– Detecting PLC scanning attacks

• Detecting abnormal memory access to devices

– Preventing un-authorized Firmware upgrade.

8

SCCE



29

SCCE



SIEM Provide Network-Wide Detection

• Collection of information from multiple sites

– For large organizations having geographically spread OT

– Reliable and comprehensive detection of cyber attacks

Security Information and Event Management (SIEM)


30

SCCE



Linking the IDS to SIEM

• IDS- Intrusion Detection System

– IDS is suitable for ICS monitoring

– Collects data from range of field devices

– Input from Anomaly detection computers

• IPS can not (!) be used for OT

– Unpredictable condition if process stops

– Impossible test all possibilities prior stop

– Operation SAFETY is most important

IDS IDS

SIE

M

SIEM provides a broad view on the entire system operated by a large corporation


31

SCCE



SW Updates fort ICS: How? When?

• Every OS is introducing a patching code!!

– Risk of incompatibility with the system shall be mitigated

• Security update programs are mandatory, but the

implementation must be careful

– The new software must be tested, certified and accredited

• Testing for safe and reliable operation of new code is

extremely costly & takes time

– Occasional spectacular failures might stall

the application programs

– The process may take many weeks !!


32

SCCE



Top 10 Cyber Attacks on ICS

1. Social Engineering and Phishing as a start action

2. Delivering Malware to ICS via External Media

3. Malware Infection via connected network

4. Attacking ICS via Authorized Remote Access

5. Attack through Human Error and Sabotage

6. Attack of IIoT devices connected to Internet

7. Technical Malfunctions and Force Majeure

8. Compromising ICS through Cloud Access

9. Deployment of DDoS Attacks on the ICS

10. Compromise of Smartphones controlling ICS

9

SCCE



33

SCCE



5 cyber defense actions you must do?

• Conduct periodic cyber drills and exercises

– Employees, contractors, suppliers…

• You must train your technical staff and users

– Understanding specific defense for ICS and IT

• Become and experts on analyzing cyber events

– Refer to specific sections in both IT and ICS

• Establish security policy for all operation levels

– Without policy people may not act carefully

• Remember to be prepared for new challenges

– Expect the Unexpected !


34

SCCE



10 things which you Can NOT do? 1/2

• Do not deploy a solution which interfere with the

ICS control process

• Do not deploy an IPS unless you got approval from

committee involving ICS and Cyber experts

• Do not install software programs, patches or

updates prior significant safety tasting

• Do not allow remote connection to the ICS unless

you got approval ICS and Cyber experts

• Do not allow backdoor connection to ICS unless you

got approval ICS and Cyber experts


35

SCCE



10 things which you Can NOT do? 2/2

• Do not use unsecured communication network

between the remote and central sites

• Do not allow using default identical access password

for all PLC/RTU at remote sites

• Do not allow direct connection between ICS

segments having different rank of security

• Do not justify/explain ROI to your management for

obtaining budget for ICS cyber defense

• Do not allow panic interrupting of the ICS operation

using not approved and not tested methods.


36

SCCE



Questions Please…..

Presented by:

Daniel EhrenreichSecure Communication and Control ExpertsMail: [email protected]: 054-9151594

SCADA

Cyber security?

cyber security threats and defense for protecting ... · cyber security threats and defense for...

Documents