
Page 1: Roadmap in Industrial Cybersecurity · PRIVATE & CONFIDENTIAL + 2 companies affected: 225,000 affected consumers globally. Kyivoblnergo: 3 hours of blackout, 80,000 consumers affected,

www.s21sec.com www.nextel.es

Roadmap in Industrial Cybersecurity February 2019

Page 2

The information provided in this document is the property of S21sec | Nextel, and any modification or use of all or part of the content of this document without the express written consent of S21sec is strictly prohibited. Failure to reply to a request for consent shall in no case be understood as tacit authorization for the use thereof.

© Grupo S21sec Gestión, S.A.

Page 3

IT vs. OT Cybersecurity

Critical Infrastructures vs. Industrial Infrastructures: not all critical infrastructures make use of IACS, and not all IACS are part of a critical infrastructure.

Source: Commission of the European Communities (2005), Green Paper on a European Programme for Critical Infrastructure Protection. COM (2005) 576 Final

Page 4

IT vs. OT Cybersecurity

Page 5

OT Systems | Vulnerabilities

• Security by obscurity
• Undefined network perimeter
• Unsecured physical ports
• Default configurations
• Lack of patching
• Unnecessary applications & services
• Communication protocols lacking security mechanisms
• Lack of security logs
• Lack of access control
• 0-day vulnerabilities

Page 6

OT Systems | Risk Factors

• Connection with corporate IT systems
• Access to process data from any location
• ICS devices directly connected to the Internet
• IT security technology cannot always be applied
• Lack of a regulatory framework on industrial cybersecurity
• Security professionals not involved in the design phase
• Use of general purpose technology/IT: COTS, TCP/IP, etc.

Page 7

IT vs. OT Cybersecurity

Information Technologies (IT) vs. Industrial Control Systems (ICS)

Performance requirements
  IT: consistent response; high bandwidth; high delays and jitter acceptable
  ICS: critical response time; modest bandwidth; low delays or jitter; critical interaction in emergencies

Reliability requirements
  IT: reboots are acceptable; availability shortfalls are tolerable
  ICS: a reboot may not be acceptable; availability requires redundant systems; planned outages

Risk management
  IT: confidentiality + integrity
  ICS: availability + integrity; safety of people and equipment

System operation
  IT: commercial OSs; simple, automated updates
  ICS: commercial and proprietary OSs; updates planned, tested and carried out with the vendor

Resource constraints
  IT: designed with spare capacity
  ICS: designed with capacity limited to fulfilling their function

Communications
  IT: well-known protocols and networking
  ICS: specific protocols and media, often proprietary

Lifetime
  IT: 3-5 years
  ICS: 15-20 years

Equipment location
  IT: confined to office/controlled areas
  ICS: remote, sometimes isolated

Page 8

Cybersecurity Incidents & Cyber Attacks

Page 9

Cybersecurity Incidents | Statistics

(Source: ScadaHacker and Open-Source Vulnerability Database – January 2016)

Page 10

Cybersecurity Incidents | Cyberattacks & Malware

STUXNET (2010)

DUQU (2011)

FLAME (2011)

SHAMOON (2012)

UKRAINE/BLACKENERGY (2015)

CRASHOVERRIDE (2016)

TRITON/TRISIS/Hatman (2017)

Page 11

UKRAINE | Attack on the electricity distribution system (23/12/2015)

• Kyivoblenergo: 3 hours of blackout, 80,000 consumers affected, disconnection of 7 substations of 110 kV and 23 of 35 kV. The call center was down.
• +2 further companies affected: 225,000 consumers affected in total.
• The 3 companies used heterogeneous ICS (e.g. different DMS).
• At least six months from the reconnaissance stage to the time of the attack.
• Coordinated attack: SandWorm Team (Russian criminal group).
• Breakers had to be switched to manual operation.
• Full recovery of telecontrol took more than 1 year.

Page 12

UKRAINE | Attack on the electricity distribution system

STAGE 1 – INTRUSION
• Phishing emails
• BlackEnergy 3: remote access, lateral movement and information theft
• Stealing of VPN credentials: "legitimate" access to the IT network
• Discovery of networks, equipment and access routes to ICS

STAGE 2 – ATTACK ON OT SYSTEMS
• Malicious firmware for serial-to-Ethernet gateways
• DMS/SCADA hijack (HMI/client) – RAT
• Remote breaker opening from HMI
• Firmware upload to gateways
• UPS manipulation
• KillDisk in DMS/SCADA
• DoS to call center

BLACK-OUT

Page 13

CrashOverride – Key points of the attack

• Authentication to a local Squid proxy (installed by ELECTRUM) before installing the backdoor
• HTTP channel to the C2 through the proxy (via TOR nodes)
• Receives commands via C2
• Overwrites a service to point at the backdoor and persist
• Loads payloads (ICS-specific and wiper)
• Launches as a service (concealment)
• Launches the payload and waits 1-2 hours before launching the wiper

Wiper:
• Overwrites with 0s the registry keys associated with service initialization
• Kills running processes
• Overwrites ICS and Windows configuration files
• Renders the system unusable

File extensions – Devices that use them
.pcmp – PCM600 Project (ABB)
.pcmi – PCM600 IEC File (ABB)
.pcmt – PCM600 Template IED File
.CIN – ABB MicroScada
.PL – Programmable Logic File
.paf – PLC Archive File
.SCL – Substation Configuration Language
.cid – Configured IED Description
.scd – Substation Configuration Description

Page 14

CrashOverride – Key points of the attack

• Reads a configuration file to identify targets.
• If there is no file, it enumerates the local network to identify potential targets.
• Communicates with the targets to verify whether they control a circuit breaker.
• Changes the state, generating a log file.

• Reads the configuration file.
• Kills the legitimate master process running on the victim machine.
• Masquerades as the new "master".

• 4 modes of operation: i) sequence, ii) range, iii) shift, iv) persistent.
• Sequence mode continuously sets the state of the RTUs' IOAs to open.
• Range mode interrogates each RTU for valid IOAs and then toggles their state between open and closed.

SIPROTEC DoS MODULE
• Sends UDP packets to port 50000 to exploit vulnerability CVE-2015-5374.
• Denial of service against the digital relay.

Page 15

Cybersecurity Strategy on IACS Security – Some Key Points

Page 16

ICS constraints and some security measures

• Intrusion Detection System:
  • Anomaly detection against a baseline
  • IoC: C2 IP, payload hashes, etc.
• Two-factor authentication on VPN connections
• Application of security patches that fix CVEs
• Application whitelisting and sandboxing
• Segmentation: industrial firewalls, data diodes, etc.
• Honeypots/honeynets and active defence
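The baseline-driven anomaly detection and IoC matching listed above, applied to the CrashOverride behaviours on the earlier slides (a process taking over the IEC 104 master role, sequence mode re-issuing open commands to RTU IOAs, UDP traffic to port 50000 against a relay), as an added example written for this page rather than code from S21sec or any product. The flow records, addresses, the 203.0.113.45 indicator and the `role` field (the payload label a DPI engine would assign) are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed flow; every record below is constructed, not captured traffic."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    role: str    # payload role a DPI engine would assign: "iec104-poll", "iec104-cmd", "other"


SIPROTEC_DOS_UDP_PORT = 50000   # UDP port the slides associate with CVE-2015-5374
IOC_IPS = {"203.0.113.45"}      # constructed C2 indicator (documentation address range)


def learn_baseline(good_flows):
    """Communications matrix learnt from a known-good period: who talks to whom, and how."""
    return {(f.src, f.dst, f.proto, f.dport, f.role) for f in good_flows}


def detect(flows, baseline, cmd_burst_threshold=5):
    """Return (alert_type, flow) pairs for IoC matches and deviations from the baseline."""
    alerts = []
    commands_per_pair = Counter()
    for f in flows:
        if f.src in IOC_IPS or f.dst in IOC_IPS:
            alerts.append(("ioc-match", f))
            continue
        # A command burst is reported once per (src, dst) pair even for baseline flows:
        # sequence mode keeps re-issuing commands from the legitimate master's own host.
        if f.role == "iec104-cmd":
            commands_per_pair[(f.src, f.dst)] += 1
            if commands_per_pair[(f.src, f.dst)] == cmd_burst_threshold:
                alerts.append(("iec104-command-burst", f))
        if (f.src, f.dst, f.proto, f.dport, f.role) in baseline:
            continue
        if f.proto == "udp" and f.dport == SIPROTEC_DOS_UDP_PORT:
            alerts.append(("udp-50000-dos-pattern", f))
        elif f.role == "iec104-cmd":
            alerts.append(("iec104-command-from-unknown-master", f))
        else:
            alerts.append(("new-flow", f))
    return alerts


# Constructed addresses: SCADA master, an RTU, a protection relay, an engineering workstation.
SCADA, RTU, RELAY, WORKSTATION = "10.10.1.10", "10.10.2.21", "10.10.2.30", "10.10.1.55"
GOOD_FLOWS = [
    Flow(SCADA, RTU, "tcp", 2404, "iec104-poll"),
    Flow(SCADA, RTU, "tcp", 2404, "iec104-cmd"),
]
SUSPECT_FLOWS = (
    [Flow(WORKSTATION, RTU, "tcp", 2404, "iec104-cmd")]   # a host that was never a master
    + [Flow(SCADA, RTU, "tcp", 2404, "iec104-cmd")] * 6    # sequence-mode style command burst
    + [Flow(WORKSTATION, RELAY, "udp", 50000, "other")]    # matches the relay DoS traffic pattern
    + [Flow(SCADA, "203.0.113.45", "tcp", 443, "other")]   # contact with a listed C2 address
)


def run_demo():
    """Alert types raised for the constructed suspect window, in order."""
    return [kind for kind, _ in detect(SUSPECT_FLOWS, learn_baseline(GOOD_FLOWS))]
```

The burst threshold and the role labels are tuning knobs; in practice the baseline would be learnt from a capture long enough to cover normal command traffic so that legitimate operator actions stay below the threshold.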

Page 17

Good Practices | Security Posture Assessment

Governance: evaluation of cybersecurity-oriented organizational aspects (roles and responsibilities), internal control processes (audits/certification), security policies, incident management, etc.

Risk-based: high and/or low level overview of which business processes supported by the IACS are at a higher risk. Threat & vulnerability identification and business impact evaluation.

Compliance: "gap analysis" against a framework or regulation, considering cybersecurity maturity levels.

Technical: analysis of adherence to best practices from a technical standpoint and of adherence to defense-in-depth principles: identification (HW/SW inventory under control), protection (network segregation/segmentation, antimalware, remote access, data security, maintenance procedures…), detection (anomalies and events at host and network level), response (containment/mitigation strategies) and recovery (redundancy at network/host level).

References: ISA-99/IEC 62443, NIST SP 800-82 & 800-53 rev. 3, NRC RG 5.71/NEI 08-09, CPNI Process Control and SCADA Security GPG

Vulnerability testing is risky in a production environment, so follow a zero-risk methodology:
1. Use a test environment (e.g. engineering, backup, …) for intrusive active analysis
2. Make use of non-intrusive tests
3. Make use of passive techniques
4. White box audits for networking equipment

In industrial environments the key objective is to guarantee the availability of the assets under scope. In corporate environments the key objective is to guarantee the confidentiality of information.

Page 18

Good Practices | Defence-In-Depth Architecture

Layers, from outermost to innermost: policies, procedures and knowledge; physical security; perimeter security; internal network; host security; applications and data.

Controls shown across the layers:
• Security policies (e.g. remote access), procedures, back-up and restore strategies
• Guards, locks, access control
• Firewalls, routers with ACLs, VPN
• Network segmentation, NIDS
• Intrusion prevention
• AV protection and AV updates
• Host firewall
• Device hardening
• OS hardening, authentication, accounting
• Patch management and security updates management
• Strong passwords, ACLs
• TCP/IP port control
• End-point & communication security (SSL, TLS, IPSec, …)
• 0-day attack protection
• Data security

Page 19

Good Practices | Defence-In-Depth Architecture

Vendor comments

Unidirectional gateways: good alternative to perimeter firewalls for network segregation in highly critical environments.

Industrial firewalls: aggressive environmental conditions. Support for industrial control protocols: OPC, Modbus/TCP, Ethernet/IP, IEC 104, ICCP, DNP3, etc.

Anomaly detection/NIDS: SilentDefence provides situational awareness, continuous network assessment, access monitoring and validation, DPI (with multiple industrial protocol support), etc.

Change management and disaster recovery: programming change control (versions), automated backups and restoration, program diff check. A great variety of industrial vendors is supported.

IAM/Access control: isolate, control and monitor all privileged administrator sessions to protect databases, virtual environments, network devices and servers from insider threats and external cyber attacks.
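The "automated backups and restoration, program diff check" control above, applied to the project and configuration file extensions that the CrashOverride wiper overwrites (listed on the earlier slide), as an added example that is not from the deck or from any vendor product. It assumes a backup tree that mirrors the live tree; the directory layout, file names and contents are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile

# Extensions named on the slides as the wiper's targets (matched case-insensitively).
WIPER_TARGET_EXTENSIONS = {".pcmp", ".pcmi", ".pcmt", ".cin", ".pl", ".paf", ".scl", ".cid", ".scd"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> sha256 for every targeted file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in WIPER_TARGET_EXTENSIONS:
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def diff_check(live_root, baseline):
    """Compare live files with the backup baseline: (modified, missing, unexpected) paths."""
    live = snapshot(live_root)
    modified = sorted(p for p in baseline if p in live and live[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in live)
    unexpected = sorted(p for p in live if p not in baseline)
    return modified, missing, unexpected


def restore(live_root, backup_root, paths):
    """Copy the listed files back from the backup; returns the paths restored."""
    for rel in paths:
        dst = os.path.join(live_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(os.path.join(backup_root, rel), dst)
    return list(paths)


def run_demo():
    """Constructed scenario: backup taken, then a .scd is zero-filled and a .paf deleted."""
    work = tempfile.mkdtemp()
    live, backup = os.path.join(work, "live"), os.path.join(work, "backup")
    os.makedirs(live)
    files = {"substation.scd": b"<SCL>constructed</SCL>", "feeder01.paf": b"PLC-ARCHIVE", "notes.txt": b"x"}
    for name, data in files.items():
        with open(os.path.join(live, name), "wb") as fh:
            fh.write(data)
    shutil.copytree(live, backup)            # the "automated backup"
    baseline = snapshot(backup)
    with open(os.path.join(live, "substation.scd"), "wb") as fh:
        fh.write(b"\x00" * len(files["substation.scd"]))   # overwritten, as the wiper does
    os.remove(os.path.join(live, "feeder01.paf"))
    modified, missing, unexpected = diff_check(live, baseline)
    restore(live, backup, modified + missing)
    return modified, missing, unexpected, diff_check(live, baseline)
```

The baseline must be taken from the backup copy, not the live system, and the backup itself needs to sit where the same wiper cannot reach it; otherwise the diff check has nothing trustworthy to compare against.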

Page 20

Good Practices | Threat hunting

Traditional methods for protecting the castle are not enough anymore.

In-depth defense – Castle protection:
• Perimeter barriers
• Water pit
• Walls
• Active defence (archery, hot oil, …)

IoCs – Detection of intruders, saboteurs and spies:
• Broken doors
• Ladders in outer walls
• Alarms from guards
• Cooperation from citizens
Analysis focuses on IoCs to validate that the enemy has already invaded the perimeter.

IoAs – Detection of enemies' arrival:
• Explorers
• Spies abroad
• Watch guards
IoAs are mostly handled by intelligence specialists and are preventive in nature.

Deception, and other technologies – Deception methodology:
• Empty houses
• Doors connected to pit
• Man traps

Page 21

Good Practices | Threat hunting – Internal sources

Source: Hervé Debar, IBM Research, Zurich Research Laboratory.

Internal sources:
• Security gear: IDS, FW, UTM…
• Servers: SCADA, DCS, MES, historians…
• Network activity: protocols, communications matrix, flows…
• Embedded: RTUs, PLCs, IEDs…
• Application activity
• Configurations
• Network gear: switches, routers, VPN, gateway…
• Users and identities

Event correlation:
• Logs/Events
• Flows
• IP/Domain reputation
• Geolocation

Anomaly detection:
• Asset inventory
• User activity
• DB activity
• Application activity
• Network activity

Security management:
• Security alerts & use case Id.
• Incident Id. & management
• Risk evaluation
• Specialized forensics

Event collection:
• Specific product license
• Reverse engineering (e.g. DLL)
• Test environment prior to deployment
• SIEM integration

Page 22

Good Practices | Training & Awareness

AWARENESS RAISING SESSIONS
• Target: IT and OT managers/directors
• Face-to-face or reduced-group session(s)
• Help understand the cyber risks affecting IACS: review real incidents, vulnerabilities and risk factors
• Differences between protecting IT and OT
• Teach good practices to reduce these risks in their daily tasks

TRAINING ON DEFENSE STRATEGIES IN IACS
• Target: IT and OT technical staff
• Combine both theory and practical exercises
• Technical background on:
  • Deep understanding of IACS
  • Understand attack methods and vulnerabilities
  • Technologies to defend IACS
  • Cybersecurity best practices
  • Strategies: vendors, organizations, etc.

Page 23

ICS Cybersecurity by S21sec | Roadmap proposal

Columns: Identify & Assess | Protect & Prevent | Monitor & Detect | Analyze & Respond | Recover & Learn
Rows: Early Stage | Intermediate Stage | Advanced Stage

Activities in the roadmap:
• Awareness raising session for mid-range management on ICS cybersecurity
• Quick ICS cyber security assessment: gap analysis & quick technical audit
• Quick ICS Security Architecture Redesign (SAR) focused on Identify & Protect and on the network
• Training for IT/OT professionals on industrial cybersecurity
• Industrial cybersecurity strategy: gap & risk assessment, roadmap
• Full ICS vulnerability assessment on key infrastructures
• Full ICS SAR covering all functions of the NIST Framework
• Deployment, tuning and maintenance of cyber security technology for ICS: industrial IDS, internal FWs, antimalware (e.g. whitelisting), SIEM with ICS support, backup automation, etc.
• Development of policies, standards and procedures on ICS cybersecurity
• IT/OT SOC: integration of new security event sources in the existing IT SOC
• Managed security, advisory services on ICS, threat hunting, DFIR, etc.
• Deployment, tuning and maintenance of ICS network security technologies: industrial IDS & perimeter FWs, remote access
• Blue-Team/Red-Team training based on a Cyber Range and focused on ICS

Page 24

ICS Cybersecurity by S21sec | Service portfolio & Exp.

• Vulnerability assessment and penetration testing services

• Security architecture redesign

• Deployment of security technologies

• Compliance services: gap analysis, risk assessment, development of security policies, procedures and guidelines

• Awareness raising sessions

• Advanced training on defence strategies against cyber-attacks in IACS

• Support to other business units: managed security services, advanced cyber security services and technology

Page 25

SOCIAL MEDIA

linkedin.com/company/s21sec
facebook.com/pages/S21sec
twitter.com/@S21sec

Page 26

OFFICES

S21sec Spain

Madrid

C/Valgrande, 6, CP 28108 | T: +34 902 222 521 | F: +43 916 616 679

Barcelona

C/Tarragona, 141-157, Piso 14, CP 08007 | T: +34 902 222 521 | F: +43 936 746 144

San Sebastián P.E. Zuatzu, Ed. Urgull, 2º, CP 20018 | T: +34 902 222 521 | F: +43 936 746 144

Pamplona P.E. La Muga, CP 31160, Orcoyen | T: +34 902 222 521 | F: +43 936 746 144


Nextel Spain Madrid

C/ Marie Curie 7, 1ª planta Edificio Beta | T: +34 91 499 49 69

Bilbao

C/ Camino de Laida Edificio 207, Bloque B 1º planta | T: +34 944 035 555

San Sebastián Portuetxe Bidea 83, Planta 2ª – 9 | T: +34 943 317 083

Vitoria - Gasteiz

Edificio Azucarera, Avda. de los Huetos 75, oficina 38 | T: +34 900 840 730

S21sec Portugal

Lisboa Rua do Viriato, 13B, 4º Andar. 1050-233, PT | T: +351 220107120 | F: +351 220107121 Porto Lugar do Espido, via norte. 4470-177. Maia | T: +351 220107120 | F: +351 220107121

S21sec Mexico

Ciudad de Mexico

Calle Río Pánuco, 108. Colonia Renacimiento, Ciudad de México | T +52 78 22 01 27 | +52 78 22 01 29

Nextel Mexico

Ciudad de Mexico

C/ Montecito 38, Piso 5, Oficina 21 Col. Nápoles Del. Benito Juárez | (+52) 55 6719 8700

Page 27

www.s21sec.com www.nextel.es