OT Security - MENA ISC 2019 Security POV
www.menaisc.com

UNDERSTANDING OT SECURITY THREATS, CHALLENGES & MITIGATIONS
OT SECURITY
TONY EL HAIBY, ASSOCIATE PARTNER - CROSS COMPETENCY MEA


Page 2: Agenda

● OT & IT security overview
● OT security trends & threats
● Our security approach at IBM

IT and OT: different worlds, different skills, different methods... yet they are converging.

Page 3: Introduction to OT

Page 4: What is OT

(Diagram: IT and OT as separate domains; OT contains ICS, which comprises SCADA, PLC, DCS, IED, RTU and SIS / Protection / ESD.)

Operational Technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices such as valves, pumps, temperature sensors, gas sensors, etc. within industrial processes.

Industrial Control Systems (ICS) are an element of OT that is used to control valves, engines, conveyors, smelters, mixers, and other machines to regulate various process values, such as temperature, pressure, flow and chemical mixtures, and also to monitor them to prevent hazardous conditions.

Page 5: OT Security Standards Taxonomy - Industries using OT

● PHARMACEUTICAL
● OIL & GAS
● ENERGY (ELECTRICITY, ALTERNATIVE)
● BUILDING MANAGEMENT SYSTEM
● LOGISTICS & TRANSPORTATION
● MANUFACTURING: AUTOMOTIVE
● MANUFACTURING: ELECTRONICS, INDUSTRIAL PRODUCTS
● WATER

Page 6: Purdue Logical Framework Model for IT / OT Security Convergence

ENTERPRISE ZONE - CORPORATE IT SECURITY
LEVEL 4 & 5: IT infrastructure systems & applications
● Data Warehouse
● ERP / Finance
● VPN Remote Access & Corporate Internet Access
● Email

DMZ / Firewall

MANUFACTURING ZONE - OPERATIONAL TECHNOLOGY SECURITY
LEVEL 3: SITE MANUFACTURING OPERATIONS AND CONTROL
● [MES] Manufacturing Execution Systems
● [EMS] Energy Management System
● [DMS] Distribution Management Systems
● Plant Historian
● 3rd Party Remote or Physical Access

CELL / AREA ZONE
LEVEL 2: AREA SUPERVISORY CONTROLS
● HMI, Supervision Workstation, Acquisition, Historian
● Control Room Process, Digital Bus

LEVEL 1: BASIC CONTROLS (Process & Automation Control Equipment)
● RTU, PLC, DCS, Industrial SIS
● Industrial PC, wireless, Point-to-point connection, Digital Bus

LEVEL 0: PROCESS / FIELD DEVICES (Control Manufacturing Process)
● Actuators, Engine, Sensor, Remote systems

LEVEL 3 - 1 CHALLENGES
● Legacy communications network interfaces
● Unmanaged Ethernet switches / lack of available ports
● Latency introduction due to SPAN
● Legacy unsupported OS
● ICS/OT system vendor certification requirements for changes
● Attacks from IT into OT
● 3rd Party Access to OT
● Limited asset information accuracy

LEVEL 0 - 1 CHALLENGES
● Legacy systems using proprietary log messages and event triggers
● Hard wired interfaces for signaling
● Serial messaging / signal-based OT protocols
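As an added example that is not part of the slide deck, the check below applies the Purdue zone model above to constructed flow records and flags the two Level 3 - 1 challenges the slide names, "Attacks from IT into OT" and "3rd Party Access to OT". The hostnames, the level assignments and the conduit rules are assumptions made for the illustration; the DMZ is modelled as level 3.5 so that enterprise traffic has to hop through it before it reaches level 3.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed asset inventory: hypothetical hostnames mapped to Purdue levels.
# 3.5 stands for the IT/OT DMZ sitting between the enterprise and manufacturing zones.
ASSETS = {
    "erp-01": 4, "mail-01": 4, "vpn-gw": 4,    # enterprise zone, levels 4 & 5
    "dmz-jump": 3.5,                            # DMZ / firewall
    "historian-l3": 3, "mes-01": 3,             # level 3: site operations and control
    "hmi-01": 2, "scada-srv": 2,                # level 2: area supervisory control
    "plc-01": 1, "rtu-07": 1, "sis-01": 1,      # level 1: basic control, incl. the SIS
}

@dataclass(frozen=True)
class Flow:
    """One observed connection: source host, destination host, destination port."""
    src: str
    dst: str
    dport: int

def check_flow(flow: Flow) -> Optional[str]:
    """Return a finding for a flow that breaks the zone model, or None if it conforms.

    Rules assumed for this example: the enterprise zone may only talk to the DMZ;
    elsewhere a conduit may cross at most one level boundary; any host missing from
    the inventory that reaches into the manufacturing zone counts as 3rd-party access.
    """
    src_lvl, dst_lvl = ASSETS.get(flow.src), ASSETS.get(flow.dst)
    if src_lvl is None and dst_lvl is not None and dst_lvl <= 3:
        return f"unknown host {flow.src} reaches L{dst_lvl:g} asset {flow.dst}:{flow.dport}"
    if src_lvl is None or dst_lvl is None:
        return None  # neither side is a known OT asset; out of scope here
    hi, lo = max(src_lvl, dst_lvl), min(src_lvl, dst_lvl)
    if hi >= 4 and lo < 3.5:
        return f"{flow.src} <-> {flow.dst}:{flow.dport} bypasses the DMZ (L{hi:g} to L{lo:g})"
    if hi - lo > 1:
        return f"{flow.src} (L{src_lvl:g}) skips a level to {flow.dst} (L{dst_lvl:g}):{flow.dport}"
    return None

def audit(flows: Iterable[Flow]) -> List[str]:
    """Run check_flow over every record and keep only the findings."""
    return [finding for finding in map(check_flow, flows) if finding]

# Constructed sample flows, as a tap on the site and cell/area zones might report them.
SAMPLE_FLOWS = [
    Flow("hmi-01", "plc-01", 502),            # L2 -> L1 Modbus/TCP: expected
    Flow("dmz-jump", "historian-l3", 1433),   # DMZ -> L3 historian: expected
    Flow("erp-01", "mail-01", 25),            # L4 -> L4: expected
    Flow("erp-01", "historian-l3", 1433),     # L4 straight into L3, no DMZ hop
    Flow("mail-01", "hmi-01", 445),           # L4 SMB into the cell/area zone
    Flow("historian-l3", "plc-01", 502),      # L3 talking to a controller, skipping L2
    Flow("vendor-laptop", "sis-01", 20000),   # host not in inventory reaches the SIS
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("SEGMENTATION GAP:", finding)
```

Running the block on the constructed flows reports four gaps; the same function can be fed real flow exports once the inventory mapping reflects the plant's own zones.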

Page 7: OT Incidents vs IT Incidents

OT INCIDENTS
● POWER OUTAGE: Unauthorized control commands to IEDs cause multiple breaker trips, isolating substations, and cascading power failure.
● PRODUCTION OUTAGE: Malware that changes PLC programming causes an outage.
● LOSS OF LIFE: Safety control PLCs (emergency shutdown systems) taken offline by malware downloaded to an engineering workstation, as part of a coordinated malicious attack. An explosion occurs when threshold temperatures are exceeded.

IT INCIDENTS
● DENIAL OF SERVICE: Infected computers on the internet request services from a website. The website shuts down due to extreme load.
● SENSITIVE DATA LOSS: Phishing of the CEO's laptop leads to theft of financial data, resulting in reputation loss and a stock price fall.
● COMPANY IT ASSETS DELETED: A malicious insider attains unauthorized access to the Windows domain controller and sends malware to corrupt/wipe all computing resources. Users, call center, partners, and clients lose all services.

Page 8: OT Security trends & threats

Page 9: In IT environments, attackers focus on stealing data

BILLIONS OF RECORDS AND HUNDREDS OF GIGABYTES
Over the last three years, more than 11.7 billion records and over 11 Terabytes of data were leaked or stolen in publicly disclosed incidents.

Figure: Sampling of the Impact of Security Incidents by Records and Cache Files Compromised, Time and Impact, 2016 through 2018 (chart with year axis 2016, 2017, 2018). Source: IBM X-Force

Page 10: OT Threat landscape, 2012 - 2015

● 2012: Shamoon infects Saudi Aramco and RasGas in Qatar. Also known as W32.DisTrack, it overwrites the MBR, making disks unusable. Believed to be a state-sponsored attack.
● Confidential SCADA system data for a hydroelectric generator exposed on the Dark Web.
● SCADA system for a New York dam hacked.
● 2015: First ever malware-enabled blackout in history (Ukraine) (BlackEnergy).

Impact: National security, Market disruption, Physical infra damage, Financial loss, Human harm.

Page 11: OT Threat landscape, 2016 - 2017

● Ransomware email delivered to the Israeli Electricity Authority.
● Ransomware phishing on a Michigan-based electric and water utility.
● Malware discovered on a fuel system at a Bavaria-based nuclear power plant.
● Hackers breach a water company's SCADA system, controlling water flow and chemical levels.
● Malware taking a substation in Ukraine offline (Industroyer).
● Shamoon 2 devastates oil & gas companies and crosses into OT. Wipes disks and leaves political messages.
● Ransomware encrypts unpatched E&U process control systems (WannaCry).
● "NotPetya" malware stopping e.g. Chernobyl radiation sensors.
● Attack on Emergency Shutdown Systems made public (TRISIS).

Impact: National security, Market disruption, Physical infra damage, Financial loss, Human harm.

Page 12: OT Threat landscape, 2018 - 2019

● Advisory on attacks (since 2014) using staging targets on critical infrastructure published by US-CERT.
● Backdoor discovered which links BlackEnergy, Industroyer and NotPetya to the same source.
● Shamoon 3 cripples Saipem and impacts many IT & across the Gulf.
● LockerGoga impacts Norsk Hydro OT & IT global operations. Financial impact in excess of 30M.

Impact: National security, Market disruption, Physical infra damage, Financial loss, Human harm.

Page 13: SHODAN, THE WORLD'S MOST DANGEROUS SEARCH ENGINE

Our cities' and countries' critical infrastructures can be searched... easily! (shodanhq.com)
Like Google, it searches the internet, but for publicly accessible devices. SHODAN focuses primarily on ICS devices, like city traffic lights, building/city cameras, water/power stations and nuclear stations. Anyone can use it, it's free, and newly discovered devices are mapped daily!

Page 14: SHODAN - INDUSTRIAL CONTROL SYSTEM (screenshot)

Page 15: VULNERABLE ICS EXAMPLE (screenshots labelled FIND and SEARCH)

Page 16: VULNERABLE ICS EXAMPLE (screenshots labelled RESEARCH and HACK)
Default passwords available at: https://www.perle.com/support_services/documentation_pdfs/iolan_ds-ts_ug_v4.5.pdf

Page 17: GLOBAL NAVIGATION SATELLITE SYSTEMS (screenshots labelled FIND and RESEARCH)

Page 18: GLOBAL NAVIGATION SATELLITE SYSTEMS (screenshot labelled HACK)

Page 19: ELECTRIC APC EXAMPLE (screenshot)

Page 20: PLC - EXAMPLE (screenshot)

Page 21: PLC - EXAMPLE (screenshot)

Page 22: MOST COMMON OT CYBERSECURITY MYTHS

The five myths:
● We don't connect to the Internet
● Control systems are behind a firewall
● Hackers don't understand control systems
● Our facility is not a target
● Our safety systems will protect us

Page 23: WHY ARE THESE ATTACKS POSSIBLE?

● LEGACY SYSTEMS
● DEFAULT CONFIGURATION
● LESS/NO UPDATES
● NO POLICIES & PROCEDURES
● LESS/NO SEGMENTATION
● LATENCY CONCERNS
● LESS/NO ENCRYPTION

Security Goals (highest to lowest priority):
IT: Confidentiality, Integrity, Availability
OT: Availability, Integrity, Confidentiality

Page 24: ATTACK VECTORS REACHING THE OT NETWORKS

● REMOVABLE MEDIA
● EMAIL PHISHING AND ATTACHMENTS
● REMOTE TECHNICIANS - VPN
● LACK OF NETWORK SEGMENTATION
● SOFTWARE VULNERABILITIES
● GUEST NETWORKS
● UNPROTECTED SOCKETS

Page 25: Commonalities and Key takeaway

Successful attacks on OT do not necessarily need to exploit OT-specific vulnerabilities.

Stuxnet
● Used 4 Windows 0-days for replication and privilege escalation: LNK/PIF auto execution, Print Spooler, RPC remote execution, privilege escalation
● Used a rootkit to hide and persist code in PLCs
● Very specific to a particular Siemens PLC configuration, would not fire unless present
● Early version contained MitM code; the actual effective attack did not need to
● PLC code modified

Havex
● Part of a campaign against ICS vendors and their customers, particularly in the EU
● "Watering-hole" type of attack, where malware was embedded into legitimate ICS vendor software, to be executed when downloaded
● Has components of a general purpose Remote Access Trojan (RAT), including Command & Control, as well as exfiltration capability

BlackEnergy 2/3
● Opportunistic scanning of vulnerable Internet-connected HMIs
● General purpose "toolkit" with rootkit and plugin modules
● Part of a large, multi-faceted campaign also targeting government, academia, NATO, energy, and telecom
● ICS attack module utilized a 0-day (CVE-2014-0751) against GE Cimplicity HMI
● Reports of attacks against Siemens WinCC and Advantech WebAccess

Shamoon
● Not ICS specific, but used in the largest attack against an ICS industry – Saudi Aramco
● Roughly 35,000 Windows computers were rendered inoperable within hours
● Sophisticated malware which spreads rapidly via Windows shares and reports back to a C&C server
● Built for 32- and 64-bit versions of Windows

Page 26: Our IBM Security Approach

Page 27: IT vs OT and Convergence?

IT - INFORMATION TECHNOLOGY
● Data Center Equipment
● ERP / SAP Systems
● Various Client-Server Technology (Mail etc.)
● Home of CIO & CISO
MAJOR SECURITY RISKS
● Loss of Data Confidentiality
● Loss of Data Integrity
● Loss of Data Availability

OT - OPERATIONAL TECHNOLOGY
● Control Room
● Plant Execution Systems
● SCADA / Historian Systems
● Human Machine Interfaces
● Safety systems
● Engineering Workstations, PLCs, RTUs, DCSs, IEDs
● Home of Operator, Electrical Engineer. In COO/CFO focus.
MAJOR SECURITY RISKS
● System & Data Reliability
● System & Process Availability

IT & OT CONVERGENCE
● OT & IT SECURITY RISKS: IT security issues in OT with industrial impacts
● IT & OT COLLABORATION

Page 28: Inevitable Move Towards IT-OT Integration

● By 2022, 30% of asset-centric enterprises will adopt a hybrid model with traditional security deployed alongside specialist OT security technology**
● The OT Security annual spend will be 1,115 million USD, while expected OT security spend is 380 million USD in 2019**
● The expected OT Security spend is to grow at 45.7% Compound Annual Growth Rate (CAGR) from 2016-2022**
● 49.4% of the respondents suggest that security is their major concern for IT-OT integration*
● 57.7% of respondents say that in 3 years they will have an integrated IT-OT governance model*

Source: Gartner**, International Data Corporation (IDC)*

Page 29: The Convergence is Putting Pressure for Integrated Cyber Security

● Coordination: Increased coordination efforts across IT and OT environments
● Process: Development of Enterprise Security Framework, Policies and Procedures
● Governance: Design of a security operating model to enable coordination, efficiency and effectiveness of security capabilities across the enterprise
● Risk Management: Integrated cyber risk management
● Technology: Leverage traditional security and adopt specialized OT security tools and technologies

Page 30: IT – OT Security Strategy

Creating an IT-OT security strategy will enable organizations to define the IT-OT security vision and direction.
THE NEED IS TO CREATE AN IT-OT SECURITY VISION AND DIRECTION

1. ASSESS - Current state assessment
● Control assessment for remaining plants
● Security policy review
● Network security architecture review

2. DEFINE - Cyber security framework
● Alignment to standards
● Operating model
● IT-OT converged framework
● Security policy
● Risk management framework

3. IDENTIFY SECURITY CAPABILITIES - Technology capabilities
● Identify security capabilities that support the cyber security framework created. Among others, the capabilities include OT SOC, IAM, Data Security etc.

4. BUILD STRATEGIC ROADMAP - IT-OT security roadmap
● Develop a 2-3 year strategic security roadmap with projects that are prioritized for business needs

5. CONTINUOUS IMPROVEMENT - Continuous improvements
● Design a governance framework to define maturity levels and security metrics, to ensure adherence and continuously improve security
● Closely monitor the IT-OT integration

Page 31: TRANSFORM YOUR IT AND OT SECURITY PROGRAMS

BUILD A SECURITY STRATEGY THAT ACCELERATES NEW IT TRENDS
● BYoD, Cloud, Mobile, IoT
● SaaS and Cloud based services
● ICS/OT security strategy now. Do not be the low hanging fruit

IT AND OT SECURITY POLICIES AND PROCEDURES
● What are the configurations or standards used for equipment or people who work in OT?

OPTIMIZE SECURITY PROGRAMS (DATA, IDENTITIES, NETWORK DESIGN)
● Manage identities NOW, particularly privileged accounts
● Know where the critical data is before someone else does. If you do not own your critical data, someone else will.
● Design the OT environment

BUILD AN OT & IT SOC
You know how much oil you refine and the ROI. You should know if you are being attacked, being compromised, or scanned for a path into your environment.

ASSESS THE OT AND IT ENVIRONMENT
You need to know now if you are vulnerable, and to fix it quickly. Assessing the OT environment and improving its security is critical. Imagine an attack that takes down your OT. Test it.

IT & OT SECURITY AWARENESS
When was the last time you tested if you could phish one of your executives, admins, or plant engineers?

PLAN: Management Consulting | BUILD: Systems Integration | RUN: Managed Security

Page 32: THANK YOU