www.s21sec.com www.nextel.es
Roadmap in Industrial Cybersecurity February 2019
The information provided in this document is the property of S21sec | Nextel, and any modification or use of all
or part of the content of this document without the express written consent of S21sec is strictly prohibited. Failure
to reply to a request for consent shall in no case be understood as tacit authorization for the use thereof.
© Grupo S21sec Gestión, S.A.
PRIVATE & CONFIDENTIAL
IT vs. OT Cybersecurity
[Diagram: Critical Infrastructures and Industrial Infrastructures drawn as two overlapping sets]
Not all critical infrastructures make use of IACS and not all
IACS are part of a critical infrastructure
Commission of the European Communities (2005), Green Paper on a European Programme
for Critical Infrastructure Protection. COM (2005) 576 Final
OT Systems | Vulnerabilities
Security by obscurity
Undefined network perimeter
Unsecured physical ports
Default configurations
Lack of patching
Unnecessary applications and services
Communication protocols lacking security mechanisms
Lack of security logs
Lack of access control
0-day vulnerabilities
OT Systems | Risk Factors
Connection with corporate IT systems
Access to process data from any location
ICS devices directly connected to the Internet
IT security technology cannot always be applied
Lack of a regulatory framework on industrial cybersecurity
Security professionals not involved in the design phase
Use of general-purpose technology/IT: COTS, TCP/IP, etc.
IT vs. OT Cybersecurity
Comparison of Information Technologies (IT) and Industrial Control Systems (ICS):

Performance requirements
  IT: consistent response; high bandwidth; high delays and jitter are acceptable
  ICS: response time is critical; modest bandwidth; low delays and jitter required; interaction in emergencies is critical
Reliability requirements
  IT: restarts are acceptable; availability deficiencies are tolerable
  ICS: a restart may not be acceptable; availability requires redundant systems; outages are planned
Risk management
  IT: confidentiality + integrity
  ICS: availability + integrity; safety of people and equipment
System operation
  IT: commercial operating systems; simple, automated updates
  ICS: commercial and proprietary operating systems; updates are planned, tested and carried out together with the vendor
Resource constraints
  IT: designed with excess capacity
  ICS: designed with limited capacity, enough to fulfil its function
Communications
  IT: well-known protocols and networking
  ICS: specific protocols and media, often proprietary
Lifetime
  IT: 3-5 years
  ICS: 15-20 years
Equipment location
  IT: confined to office/controlled areas
  ICS: remote, sometimes isolated
Cybersecurity Incidents & Cyber Attacks
Cybersecurity Incidents | Statistics
[Chart of ICS vulnerability/incident statistics; not reproduced in this transcript]
(Source: ScadaHacker and Open-Source Vulnerability Database, January 2016)
Cybersecurity Incidents | Cyberattacks & Malware
STUXNET (2010)
DUQU (2011)
FLAME (2011)
SHAMOON (2012)
UKRAINE/BLACKENERGY (2015)
CRASHOVERRIDE (2016)
TRITON/TRISIS/Hatman (2017)
UKRAINE | Attack on the electricity distribution system (23/12/2015)
Kyivoblenergo: 3 hours of blackout, 80,000 consumers affected, disconnection of 7 substations of 110 kV and 23 of 35 kV. The call center was down.
Plus 2 further companies affected: 225,000 consumers affected in total.
The 3 companies used heterogeneous ICS (e.g. different DMS).
At least six months from the reconnaissance stage to the time of the attack.
Breakers had to be switched to manual operation.
Full recovery of telecontrol took more than 1 year.
Coordinated attack attributed to the Sandworm Team (Russian threat group).
UKRAINE | Attack on the electricity distribution system
STAGE 1: INTRUSION
Phishing emails
BlackEnergy 3: remote access, lateral movement and information theft
Theft of VPN credentials: "legitimate" access to the IT network
Discovery of networks, equipment and access routes to the ICS
STAGE 2: ATTACK ON OT SYSTEMS
Malicious firmware for serial-to-Ethernet gateways
DMS/SCADA hijack (HMI/client) through a RAT
Remote breaker opening from the HMI
Firmware upload to the gateways
UPS manipulation
KillDisk on the DMS/SCADA hosts
DoS against the call center
BLACKOUT
CrashOverride – Key points of the attack
Authentication against a local Squid proxy (installed by ELECTRUM) before installing the backdoor
HTTP channel to the C2 through the proxy (via Tor nodes)
Reception of commands via the C2
A service entry is overwritten to point to the backdoor, for persistence
Loading of payloads (ICS-specific modules and wiper)
Launched as a service (concealment)
Launches the payload and waits 1-2 hours before launching the wiper
Wiper: overwrites with zeros the registry keys associated with service initialization
Kills running processes
Overwrites ICS and Windows configuration files
Renders the system unusable
File extensions targeted by the wiper and the devices that use them:
.pcmp  PCM600 Project (ABB)
.pcmi  PCM600 IEC File (ABB)
.pcmt  PCM600 Template IED File
.CIN   ABB MicroSCADA
.PL    Programmable Logic File
.paf   PLC Archive File
.SCL   Substation Configuration Language
.cid   Configured IED Description
.scd   Substation Configuration Description
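How a host-based detection for this wiper behaviour could look, as an added example written for this edit (it is not code from the deck or from S21sec): it replays a constructed stream of file-write events carrying the extensions from the table above and alerts when a single process rewrites many of them inside a short window, which is the mass-overwrite pattern rather than the one-file-at-a-time pattern of an engineer saving a project. The event format, process names, paths, window length and threshold are assumptions.

```python
"""Detect a CrashOverride-style wiper pattern in file-activity telemetry.

Replays constructed 'timestamp|process|pid|path' write events (the kind an EDR
or Sysmon file-create pipeline exports) and alerts when one process writes to
at least THRESHOLD distinct ICS configuration files within WINDOW.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions targeted by the wiper, taken from the table in the deck.
ICS_CONFIG_EXTENSIONS = {
    ".pcmp", ".pcmi", ".pcmt",   # ABB PCM600 project / IEC / template files
    ".cin",                       # ABB MicroSCADA
    ".pl", ".paf",                # programmable logic / PLC archive
    ".scl", ".cid", ".scd",       # IEC 61850 configuration files
}

# Tuning knobs (assumed values, not from the deck).
WINDOW = timedelta(minutes=5)
THRESHOLD = 5


def parse_event(line):
    """Parse one constructed 'timestamp|process|pid|path' record."""
    ts, proc, pid, path = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "proc": proc,
            "pid": int(pid), "path": path}


def extension(path):
    # ntpath handles Windows separators on any host; lower-case because the
    # engineering tools mix .CIN / .cin, .SCL / .scl.
    return ntpath.splitext(path)[1].lower()


def detect_wiper(lines, window=WINDOW, threshold=THRESHOLD):
    """Return alerts as (process, pid, first_write_ts, sorted_paths) for every
    process that writes >= threshold distinct ICS config files in one window."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    history = defaultdict(list)   # (proc, pid) -> [(ts, path), ...]
    alerts, alerted = [], set()
    for ev in events:
        if extension(ev["path"]) not in ICS_CONFIG_EXTENSIONS:
            continue
        key = (ev["proc"], ev["pid"])
        cutoff = ev["ts"] - window
        # Slide the window: keep only writes that are recent enough.
        recent = [h for h in history[key] if h[0] >= cutoff]
        recent.append((ev["ts"], ev["path"]))
        history[key] = recent
        touched = {p for _, p in recent}
        if len(touched) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev["proc"], ev["pid"], recent[0][0], sorted(touched)))
    return alerts


# Constructed telemetry: an engineer saves two project files over the
# afternoon, then an unexpected binary rewrites nine ICS files in 40 seconds.
SAMPLE_EVENTS = """
2015-12-23T14:05:10|PCM600.exe|1120|C:\\Projects\\Substation7\\Main.pcmp
2015-12-23T15:10:30|PCM600.exe|1120|C:\\Projects\\Substation7\\IED_A.pcmi
2015-12-23T15:30:00|svchost_def.exe|4488|C:\\Projects\\Substation7\\Main.pcmp
2015-12-23T15:30:02|svchost_def.exe|4488|C:\\Projects\\Substation7\\IED_A.pcmi
2015-12-23T15:30:05|svchost_def.exe|4488|C:\\Projects\\Substation7\\IED_B.pcmt
2015-12-23T15:30:09|svchost_def.exe|4488|C:\\MicroSCADA\\sys\\APL.CIN
2015-12-23T15:30:12|svchost_def.exe|4488|C:\\Projects\\Substation7\\bay1.cid
2015-12-23T15:30:20|svchost_def.exe|4488|C:\\Projects\\Substation7\\station.scd
2015-12-23T15:30:25|svchost_def.exe|4488|C:\\Projects\\Substation7\\station.SCL
2015-12-23T15:30:33|svchost_def.exe|4488|C:\\Windows\\System32\\drivers\\etc\\hosts
2015-12-23T15:30:40|svchost_def.exe|4488|C:\\Archive\\logic.paf
""".splitlines()


if __name__ == "__main__":
    for proc, pid, first, paths in detect_wiper(SAMPLE_EVENTS):
        print(f"ALERT {proc} (pid {pid}) starting {first}: {len(paths)} ICS files")
        for p in paths:
            print("   ", p)
```

The alert fires on the fifth distinct file, so the response team gets it while the wiper is still running rather than after the host is unusable; the same rule can be fed from a Linux engineering host by pointing it at inotify or auditd output with the same four fields.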
PRIVATE & CONFIDENTIAL
CrashOverride – Key points of the attack (ICS modules)
IEC 61850 module
Reads a configuration file to identify targets.
If there is no file, it enumerates the local network to identify potential targets.
Communicates with the targets to verify whether they control a circuit breaker.
Changes the state, generating a log file.
IEC 104 module
Reads a configuration file.
Kills the legitimate master process running on the victim machine.
Masquerades as the new "master".
4 modes of operation: i) sequence, ii) range, iii) shift, iv) persistent.
Sequence mode continuously sets the RTUs' IOAs to open.
Range mode interrogates each RTU for valid IOAs and then toggles their state between open and closed.
SIPROTEC DoS module
Sends UDP packets to port 50,000 to exploit CVE-2015-5374.
Denial of service against the digital relay.
Cybersecurity Strategy on IACS Security – Some Key Points
ICS constraints and some security measures
• Intrusion detection system:
  • Anomaly detection against a baseline
  • IoCs: C2 IP addresses, payload hashes, etc.
• Two-factor authentication on VPN connections
• Application of the security patches that fix known CVEs
• Application whitelisting and sandboxing
• Segmentation: industrial firewalls, data diodes, etc.
• Honeypots/honeynets and active defence
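The first two measures, anomaly detection against a baseline and IoC matching, combined with the two CrashOverride indicators from the previous slides (IEC 104 traffic toward an RTU from anything other than the known master, and UDP datagrams to port 50000 aimed at a protection relay), as an added example over constructed flow records. This is not code from the deck or from S21sec; the record format, addresses, asset roles and the C2 address are assumptions made for the example.

```python
"""Baseline-plus-indicator detection over OT network flow records.

Learns a communications matrix from a clean period, then flags on incident-day
flows: (1) destinations on a C2 indicator list, (2) IEC 104 (TCP/2404) toward
an RTU from a host that is not the SCADA master, (3) UDP to port 50000 toward a
relay (the SIPROTEC DoS module, CVE-2015-5374), (4) any conversation that is
not in the baseline.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Assumed asset inventory (address -> role); private addressing chosen for the
# example, not real substation addressing.
ASSETS = {
    "10.1.1.10": "scada_master",
    "10.1.1.20": "hmi",
    "10.1.1.30": "engineering_ws",
    "10.1.2.101": "rtu",
    "10.1.2.102": "rtu",
    "10.1.2.201": "relay",
}

# Assumed IoC feed. 203.0.113.0/24 is a documentation range, used as a placeholder.
C2_ADDRESSES = {"203.0.113.44"}

IEC104_PORT = 2404         # IEC 60870-5-104 over TCP
SIPROTEC_DOS_PORT = 50000  # UDP port used by the SIPROTEC DoS module


def parse_flows(lines):
    """Parse 'ts,src,dst,proto,dport' records; '#' lines are comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split(",")
        flows.append(Flow(ts, src, dst, proto.upper(), int(dport)))
    return flows


def learn_baseline(flows):
    """Communications matrix: every (src, dst, proto, dport) seen while clean."""
    return {(f.src, f.dst, f.proto, f.dport) for f in flows}


def detect(flows, baseline):
    """Return (ts, rule_name, flow) findings; one flow can hit several rules."""
    findings = []
    for f in flows:
        if f.dst in C2_ADDRESSES:
            findings.append((f.ts, "ioc_c2_address", f))
        if (f.proto == "TCP" and f.dport == IEC104_PORT
                and ASSETS.get(f.dst) == "rtu"
                and ASSETS.get(f.src) != "scada_master"):
            findings.append((f.ts, "iec104_rogue_master", f))
        if (f.proto == "UDP" and f.dport == SIPROTEC_DOS_PORT
                and ASSETS.get(f.dst) == "relay"):
            findings.append((f.ts, "siprotec_dos_udp_50000", f))
        if (f.src, f.dst, f.proto, f.dport) not in baseline:
            findings.append((f.ts, "baseline_new_conversation", f))
    return findings


# Constructed learning-period flows: the master polls the RTUs over IEC 104,
# the HMI talks to the master, the engineering workstation manages the relay.
BASELINE_FLOWS = """
# ts,src,dst,proto,dport
2016-12-01T08:00:00,10.1.1.10,10.1.2.101,TCP,2404
2016-12-01T08:00:00,10.1.1.10,10.1.2.102,TCP,2404
2016-12-01T08:00:05,10.1.1.20,10.1.1.10,TCP,443
2016-12-01T09:12:00,10.1.1.30,10.1.2.201,TCP,443
""".splitlines()

# Constructed incident-day flows: the compromised workstation beacons out, then
# talks IEC 104 to the RTUs itself and hits the relay on UDP/50000.
INCIDENT_FLOWS = """
2016-12-17T22:50:00,10.1.1.10,10.1.2.101,TCP,2404
2016-12-17T22:51:10,10.1.1.30,203.0.113.44,TCP,8080
2016-12-17T22:53:30,10.1.1.30,10.1.2.101,TCP,2404
2016-12-17T22:53:31,10.1.1.30,10.1.2.102,TCP,2404
2016-12-17T22:55:00,10.1.1.30,10.1.2.201,UDP,50000
2016-12-17T22:55:02,10.1.1.30,10.1.2.201,TCP,443
""".splitlines()


def run_example():
    baseline = learn_baseline(parse_flows(BASELINE_FLOWS))
    return detect(parse_flows(INCIDENT_FLOWS), baseline)


if __name__ == "__main__":
    for ts, rule, f in run_example():
        print(f"{ts} {rule:26s} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The baseline rule catches the whole sequence on its own, which is the point of a communications matrix in a flat OT network where legitimate conversations are few and stable; the indicator rules add the "why" (rogue IEC 104 master, relay DoS) that turns a generic anomaly into a prioritised alert.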
Good Practices | Security Posture Assessment
Governance: evaluation of cybersecurity-oriented organizational aspects (roles and responsibilities), internal control processes (audits/certification), security policies, incident management, etc.
Risk-based: high and/or low level overview of which business processes supported by the IACS are at higher risk. Threat and vulnerability identification and business impact evaluation.
Compliance: "gap analysis" against a framework or regulation, considering cybersecurity maturity levels.
Technical: analysis of adherence to best practices from a technical standpoint and to defense-in-depth principles: identify (HW/SW inventory under control), protect (network segregation/segmentation, antimalware, remote access, data security, maintenance procedures...), detect (anomalies and events at host and network level), respond (containment/mitigation strategies) and recover (redundancy at network/host level).
References: ISA-99/IEC 62443, NIST SP 800-82 & 800-53 rev. 3, NRC RG 5.71/NEI 08-09, CPNI Process Control and SCADA Security GPG
Vulnerability testing
Risky in a production environment: follow a "zero-risk" methodology, i.e. one that keeps intrusive activity away from live assets.
1. Use a test environment (e.g. engineering, backup, ...) for intrusive active analysis
2. Make use of non-intrusive tests
3. Make use of passive techniques
4. White-box audits for networking equipment
In industrial environments the key objective is to guarantee the availability of the assets in scope.
In corporate environments the key objective is to guarantee the confidentiality of information.
Good Practices | Defence-In-Depth Architecture
Layers, from the outside in, with the controls at each layer:
Policies, procedures and knowledge: security policies (e.g. remote access), procedures, backup and restore strategies
Physical security: guards, locks, access control
Perimeter security: firewalls, routers with ACLs, VPN
Internal network: network segmentation, NIDS
Host security: OS hardening, authentication, accounting; TCP/IP port control; device hardening; host firewall; intrusion prevention; AV protection and AV updates; security updates management; 0-day attack protection
Applications and data: patch management; strong passwords, ACLs; end-point and communication security (SSL, TLS, IPsec, ...); data security
Good Practices | Defence-In-Depth Architecture
Vendor technologies and comments:
Unidirectional gateways: a good alternative to perimeter firewalls for network segregation in highly critical environments.
Industrial firewalls: built for aggressive environmental conditions; support for industrial control protocols (OPC, Modbus/TCP, EtherNet/IP, IEC 104, ICCP, DNP3, etc.).
Anomaly detection/NIDS: SilentDefence provides situational awareness, continuous network assessment, access monitoring and validation, DPI (with support for multiple industrial protocols), etc.
Change management and disaster recovery: control of programming changes (versions), automated backups and restoration, program diff checks. A great variety of industrial vendors are supported.
IAM/Access control: isolate, control and monitor all privileged administrator sessions to protect databases, virtual environments, network devices and servers from insider threats and external cyber attacks.
Good Practices | Threat hunting
Traditional methods for protecting the castle are not enough anymore. The castle analogy, mapped to the modern controls:
In-depth defence (castle protection): perimeter barriers, moat, walls, active defence (archery, hot oil, ...)
Deception and other technologies (deception methodology): empty houses, doors that open onto the pit, man traps
IoCs (detection of intruders, saboteurs and spies): broken doors, ladders against the outer walls, alarms from the guards, cooperation from the citizens. Analysis focused on IoCs validates that the enemy has already breached the perimeter.
IoAs (detection of the enemy's arrival): scouts, spies abroad, watch guards. IoAs are mostly handled by intelligence specialists and are preventive in nature.
Good Practices | Threat hunting – Internal sources
Source: Hervé Debar, IBM Research, Zurich Research Laboratory.
Sources:
• Security gear: IDS, FW, UTM...
• Network gear: switches, routers, VPN, gateway...
• Servers: SCADA, DCS, MES, historians...
• Embedded: RTUs, PLCs, IEDs...
• Network activity: protocols, communications matrix, flows...
• Application activity
• Configurations
• Users and identities
Event collection:
• Specific product license
• Reverse engineering (e.g. DLL)
• Test environment prior to deployment
• SIEM integration
Event correlation:
• Logs/Events
• Flows
• IP/Domain reputation
• Geolocation
Anomaly detection:
• Asset inventory
• User activity
• DB activity
• Application activity
• Network activity
Security management:
• Security alerts & use case identification
• Incident identification & management
• Risk evaluation
• Specialized forensics
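Event correlation across two of these sources, as an added example that is not from the deck or from S21sec: VPN authentication events (network gear) are joined with HMI operation events (servers, user activity) so that every breaker-open command issued during a VPN session is attributed to the account that opened the session and scored by source geolocation and time of day. That is the stage 1 to stage 2 transition of the Ukraine attack described earlier (stolen VPN credentials, then breakers opened from the HMI). The log formats, the GeoIP stand-in table, the expected country, the shift hours, the session grace period and the account names are all assumptions for the example.

```python
"""Correlate VPN authentication events with HMI breaker operations.

Builds VPN sessions from login/logout events, then scores each breaker-open
command issued while the same account had a session open: base score 1,
+2 if the session came from an unexpected country, +1 if the command was
issued outside shift hours.
"""
from datetime import datetime, timedelta

# Stand-in for a GeoIP lookup (prefix -> country). 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges used only as placeholders.
GEO_PREFIXES = {"198.51.100.": "UA", "203.0.113.": "XX"}
EXPECTED_COUNTRIES = {"UA"}          # assumed: where operator staff connect from
SHIFT_HOURS = range(7, 19)           # assumed 07:00-18:59 shift
SESSION_GRACE = timedelta(hours=8)   # a session with no logout is closed after 8 h


def geolocate(ip):
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "??"


def _fields(line):
    """'<iso-ts> <source> k=v k=v ...' -> dict with a parsed 'ts'."""
    ts, _source, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_vpn_sessions(lines):
    """Build sessions {user, src, start, end} from login/logout events."""
    sessions, open_sessions = [], {}
    for line in filter(str.strip, lines):
        f = _fields(line)
        if f["event"] == "login":
            s = {"user": f["user"], "src": f["src"], "start": f["ts"], "end": None}
            open_sessions[f["user"]] = s
            sessions.append(s)
        elif f["event"] == "logout" and f["user"] in open_sessions:
            open_sessions.pop(f["user"])["end"] = f["ts"]
    return sessions


def correlate(vpn_lines, scada_lines):
    """Return (operator, src_ip, point, score, reasons) for each breaker-open
    command that falls inside one of that operator's VPN sessions."""
    sessions = parse_vpn_sessions(vpn_lines)
    hits = []
    for cmd in map(_fields, filter(str.strip, scada_lines)):
        if cmd["action"] != "breaker_open":
            continue
        for s in sessions:
            end = s["end"] or s["start"] + SESSION_GRACE
            if s["user"] != cmd["operator"] or not (s["start"] <= cmd["ts"] <= end):
                continue
            reasons, score = ["breaker_open_over_vpn"], 1
            if geolocate(s["src"]) not in EXPECTED_COUNTRIES:
                reasons.append("unexpected_source_country")
                score += 2
            if cmd["ts"].hour not in SHIFT_HOURS:
                reasons.append("outside_shift_hours")
                score += 1
            hits.append((cmd["operator"], s["src"], cmd["point"], score, reasons))
    return hits


# Constructed logs: a normal morning session for oper1, then a second login
# for the same account from an unexpected address that goes on to open breakers.
# oper2 works from a local console and has no VPN session.
VPN_LOG = """
2015-12-23T09:02:00 VPN user=oper1 src=198.51.100.7 event=login
2015-12-23T13:00:00 VPN user=oper1 src=198.51.100.7 event=logout
2015-12-23T15:20:00 VPN user=oper1 src=203.0.113.44 event=login
""".splitlines()

SCADA_LOG = """
2015-12-23T10:15:00 HMI operator=oper1 action=breaker_open point=SS7_35kV_Q9
2015-12-23T15:31:00 HMI operator=oper1 action=breaker_open point=SS7_110kV_Q1
2015-12-23T15:31:20 HMI operator=oper1 action=breaker_open point=SS7_110kV_Q2
2015-12-23T15:32:05 HMI operator=oper2 action=breaker_open point=SS3_35kV_Q4
2015-12-23T19:40:00 HMI operator=oper1 action=breaker_open point=SS7_110kV_Q3
""".splitlines()


if __name__ == "__main__":
    for operator, src, point, score, reasons in correlate(VPN_LOG, SCADA_LOG):
        print(f"score={score} {operator}@{src} opened {point}: {', '.join(reasons)}")
```

The morning command scores 1, which is the expected noise of a remote operator and is what the two-factor requirement on VPN connections is meant to protect; the afternoon commands from the unexpected address score 3 and the evening one 4, and those are the ones a SOC use case should page on.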
Good Practices | Training & Awareness
AWARENESS RAISING SESSIONS
Target: IT and OT managers/directors
Face-to-face or reduced-group session(s)
Help understand the cyber risks affecting IACS: review real incidents, vulnerabilities and risk factors
Differences between protecting IT and OT
Teach good practices to reduce these risks in their daily tasks
TRAINING ON DEFENSE STRATEGIES IN IACS
Target: IT and OT technical staff
Combine both theory and practical exercises
Technical background on:
• Deep understanding of IACS
• Understanding of attack methods and vulnerabilities
• Technologies to defend IACS
• Cybersecurity best practices
• Strategies: vendors, organizations, etc.
ICS Cybersecurity by S21sec | Roadmap proposal
Functions covered: Identify & Assess | Protect & Prevent | Monitor & Detect | Analyze & Respond | Recover & Learn
Early Stage
• Awareness raising session for mid-range management on ICS cybersecurity
• Quick ICS cyber security assessment: gap analysis & quick technical audit
• Quick ICS Security Architecture Redesign (SAR) focused on Identify & Protect and on the network
• Training for IT/OT professionals on industrial cybersecurity
Intermediate Stage
• Industrial cybersecurity strategy: gap & risk assessment, roadmap
• Full ICS vulnerability assessment on key infrastructures
• Full ICS SAR covering all functions of the NIST Framework
• Deployment, tuning and maintenance of ICS network security technologies: industrial IDS & perimeter FWs, remote access
• Development of policies, standards and procedures on ICS cybersecurity
Advanced Stage
• Deployment, tuning and maintenance of cyber security technology for ICS: industrial IDS, internal FWs, antimalware (e.g. whitelisting), SIEM with ICS support, backup automation, etc.
• IT/OT SOC: integration of new security event sources in the existing IT SOC. Managed security, advisory services on ICS, threat hunting, DFIR, etc.
• Blue-Team/Red-Team training based on a Cyber Range and focused on ICS
ICS Cybersecurity by S21sec | Service portfolio & Exp.
• Vulnerability assessment and penetration testing services
• Security architecture redesign
• Deployment of security technologies
• Compliance services: gap analysis, risk assessment, development of security policies, procedures and guidelines
• Awareness raising sessions
• Advanced training on defence strategies against cyber-attacks in IACS
• Support to other business units: managed security services, advanced cyber security services and technology
linkedin.com/company/s21sec
facebook.com/pages/S21sec
twitter.com/@S21sec
SOCIAL MEDIA
OFFICES
S21sec Spain
Madrid
C/Valgrande, 6, CP 28108 | T: +34 902 222 521 | F: +43 916 616 679
Barcelona
C/Tarragona, 141-157, Piso 14, CP 08007 | T: +34 902 222 521 | F: +43 936 746 144
San Sebastián P.E. Zuatzu, Ed. Urgull, 2º, CP 20018 | T: +34 902 222 521 | F: +43 936 746 144
Pamplona P.E. La Muga, CP 31160, Orcoyen | T: +34 902 222 521 | F: +43 936 746 144
Nextel Spain Madrid
C/ Marie Curie 7, 1ª planta Edificio Beta | T: +34 91 499 49 69
Bilbao
C/ Camino de Laida Edificio 207, Bloque B 1º planta | T: +34 944 035 555
San Sebastián Portuetxe Bidea 83, Planta 2ª – 9 | T: +34 943 317 083
Vitoria - Gasteiz
Edificio Azucarera, Avda. de los Huetos 75, oficina 38 | T: +34 900 840 730
S21sec Portugal
Lisboa Rua do Viriato, 13B, 4º Andar. 1050-233, PT | T: +351 220107120 | F: +351 220107121
Porto Lugar do Espido, via norte. 4470-177. Maia | T: +351 220107120 | F: +351 220107121
S21sec Mexico
Ciudad de Mexico
Calle Río Pánuco, 108. Colonia Renacimiento, Ciudad de México | T +52 78 22 01 27 | +52 78 22 01 29
Nextel Mexico
Ciudad de Mexico
C/ Montecito 38, Piso 5, Oficina 21 Col. Nápoles Del. Benito Juárez | (+52) 55 6719 8700
www.s21sec.com www.nextel.es