April 18, 2019 2019 CYBER THREAT LANDSCAPE Ronnie Rahman


Honeywell Confidential - © 2019 by Honeywell International Inc. All rights reserved.


The Rapid Proliferation of IIoT Devices Exponentially Increases Risks

Industrial Cybersecurity Customer Challenges

Industrial Control System Complexity

• Multiple sites

• Increasing number of IIoT devices and connections

• Multiple vendors and users requiring access to assets and/or data

• Mix of legacy and proprietary equipment

• Data security vs loss of view, loss of control

• Immediate patching vs batched patching

• Partial data on assets; no proper discovery & inventory

• Multiple remote access points

IT/OT Misalignment

• Hard to find industrial cyber security expertise

• Cannot place experts at every site

• Manual processes don’t scale; provide limited security

• Multiple security solutions partially utilized

Skilled Resources Shortfall and Budget Limitation


Increasing Pace of Industrial Cyber Attacks

53% of industrials experienced a cyber attack in last 12 months*

Source: LNS Research, Putting Industrial Cybersecurity at the Top of the CEO Agenda

• Attacks on Industrial Control Systems on the Rise (SEPT 9, 2018)

• Concern Rises About Cyber-Attacks Physically Damaging Industries (APRIL 26, 2018)

• New Type of Cyberattack Targets Factory Safety Systems (JANUARY 19, 2018)

• More than half of major malware attack’s victims are industrial targets (JUNE 29, 2017)


Increasing awareness of potential impact

Which cyber loss scenarios present the greatest potential impact to your organization?*

Source: Marsh Research report 2018

76% of energy executives cited business interruption (BI) as the most impactful cyber loss scenario for their organization.

Source: Marsh-Microsoft Cyber Perception Survey


Planning ICS Attacks Now Easier Than Ever


2019 Cyber Predictions*

• Increase in ICS targeted cyber ransomware

• Targeted phishing attacks continue as the #1 threat vector

• USBs continue to be top threat vector (#2)

• Nation state sponsored attacks will continue (more to come … other stolen malware still not used yet)

• Shortage of cyber skills continues

*Source: various web sites (e.g. CIO.com)


But Threat Level Remains Higher than Ever!

• Ransomware

• Cryptojacking

• Virus

• Trojan


ATTACK REPORT

Nuclear Power Plant Data


• Date Reported: Nov 2018

• Company based in France

• Vector: Hack

• Type: Exfiltration

• Industry: Construction

• Result:

- 11,000 files from a dozen projects were accessed.

- 65 GB data relating to nuclear power plants and other projects

- Cost unreported


ATTACK REPORT

Public Cable Car


• Date Reported: Dec 2018

• Company based in Russia

• Vector: Ransomware

• Type: Unknown

• Industry: Public transport

• Result:

- System taken offline for 24 hours

- Cost unreported


ATTACK REPORT

LockerGoga Ransomware Allegedly Used in Attack

• Date Reported: Jan 24th 2019

• Company Based in France

• Vector: Phishing/Ransomware

• Type: LockerGoga

• Industry: Engineering

• Result

- Manual shut down of network and applications. Est. cost unknown


ATTACK REPORT

LockerGoga Strikes Again

• Date Reported: Mar 19th 2019

• Company Based in Norway

• Vector: Ransomware

• Type: LockerGoga

• Industry: Aluminum and energy company

• Result

- Switch to manual operations.

- Est. impact $40M+


ATTACK REPORT

And LockerGoga Hits Again…

• Date Reported: Mar 19th 2019

• Company Based in USA

• Vector: Ransomware

• Type: LockerGoga

• Industry: Chemical Production

• Result

- Replacement of infected computers

- Cost unreported


LockerGoga

• A form of ransomware which targets industrial systems

• The Norway attack infected multiple systems through copying to the shared directory and subsequent lateral movement, affecting the entire organization.

• This lateral movement is a technique that hasn't been used commonly in other attacks


ATTACK REPORT

Cryptojacking Manufacturing Resources

• Date Reported: Late Feb 2019

• Company Based in Japan/Thailand

• Vector: Virus/Cryptojacking

• Type: Unknown

• Industry: Manufacturing

• Result

- Partial shutdown of production – 3 days

- Cost unreported


Cryptojacking

• Cryptojacking is a way for cybercriminals to make free money with minimal effort.

• Cybercriminals can simply hijack someone else’s machine with just a few lines of code.

• This leaves the victim bearing the cost of the computations and electricity that are necessary to mine cryptocurrency. The criminals get away with the tokens.


ATTACK REPORT

New Shamoon Cyber-attack on oil targets in ME

• Date Reported: Dec 2018

• Company Based in Italy/Middle East

• Vector: Virus

• Type: Shamoon

• Industry: Oil services

• Result

- Minor shutdown; 400 plus servers affected

- Cost unreported


New Shamoon Variant

• Shamoon disables computers by overwriting the master boot record, making it impossible for devices to start up.

• These latest Shamoon attacks are doubly destructive, since they involve a new wiper (Trojan.Filerase) that deletes files from infected computers before the Shamoon malware wipes the master boot record.


ATTACK REPORT

Electricity Utility

• Date Reported: Feb 2019

• Company Based in South Africa

• Vector: Breach, downloader

• Type: Azorult Trojan

• Industry: Power/Electricity

• Result

- Impact currently unknown

- Cost unreported


AZORult

• AZORult is a Trojan stealer that collects various data on infected computers and sends it to the command & control server

• Designed to exfiltrate files, passwords, banking credentials and cryptocurrency wallets

• It is also known to act as a downloader for other malware payloads in multi-stage campaigns including ransomware, data and cryptocurrency stealing malware.


ATTACK REPORT

Deep Dive: TRITON

• A petrochemical company with a plant in ME was hit in August 2017 by a cyberattack aimed at sabotaging the firm’s operations and triggering an explosion

• Reported that within minutes of the attack, the hard drives inside the company’s computers were destroyed and their data wiped clean


ATTACK REPORT

The TRITON cyber attack

• The malware burrows into a target’s networks and sabotages their industrial control systems

• Triton is designed to tamper with or even disable Triconex products, which are known as "safety-instrumented systems," as well as "distributed control systems"


POTENTIAL DISASTER HOW IT WORKS


The TRITON cyber attack

• Researchers revealed more about how the hackers work.

• Their findings showed the hackers could spend close to a year after their initial compromise of a facility’s network before launching a deeper assault, taking the time to prioritize their understanding of how the network looked and how to pivot from one system to another.

• The hackers’ goal is to quietly gain access to the facility’s safety instrumented system, an autonomous monitor that ensures physical systems don’t operate outside of their normal operational state.

• These critical systems are strictly segmented from the rest of the network to prevent any damage in the event of a cyberattack.

• By gaining access to the critical safety system, the hackers focused on finding a way to effectively deploy Triton’s payloads to carry out their mission without causing the systems to enter into a safe fail-over state.


Source: https://techcrunch.com/2019/04/09/triton-malware-strike/


Hackers Behind Triton ICS Malware Hit Additional Critical Infrastructure Facility

• A highly capable hacker group reportedly behind a failed plot to blow up a petrochemical plant has now been found in a second facility.

• According to researchers, the cybercriminals behind Triton have once again targeted industrial control systems, this time at an undisclosed company in the Middle East.

Source: Techcrunch

Update: April 10 2019


Plant Cyber Security – Site Offerings

Target Solution

• Cyber Vantage Consulting Services

• Secure Media Exchange (SMX)

• Secure Network Refresh (SNR)

• Cyber Security Risk Manager

• Application Whitelisting

• Cyber Security Technology Centers

Addresses Business Problem

• Uncertain of existing security posture

• Lack security expertise

• Desire to be assessed by an independent, third party ICS cyber security consultant

• Removable media need for file transfer & PCN maintenance

• Risk of USB-borne threats (malware, code injection, Bad USB machine takeover, etc.)

• PCN does not meet modern security requirements due to vulnerable, unsupported network infrastructure and lack of segmentation (flat network)

• Unable to consistently report current PCN cyber security risks

• Incorrect & inefficient workflow to lower cyber risk

• Prevention of industrial cyber-attacks by denying any applications that have not been previously identified as 'non-malicious'.

• Offers customers safe environment for custom configuration, validation, testing, qualification and support to deploy a secure layer of industrial cyber security defense

Opportunities Look Like

• Early in addressing cyber requirements

• New projects needing security architecture

• Ongoing need for 3rd party security reviews

• Customer interest in controlling USB usage

• Heavy contractor activity on site

• Multiple physical plant locations

• New projects & PCN migrations/upgrades

• Funded digital transformation initiatives

• Multiple sites & defined security policies

• Need to report

• Poor or inefficient security management

• Customer is looking for additional protection beyond anti-virus to increase their defense-in-depth strategy

• Customer interested in validating new solutions faster in a variety of scenarios to increase defenses against threat of cyber attacks


Multi Site Cyber Security – Offerings

Target Solution

• ICS Shield

• Cyber Security Risk Manager

• Managed Security Services (MSS)

• Network Operations Center

• Security Operations Center

• Cyber Security Technology Centers

Addresses Business Problem

• Inability to patch systems cost-effectively

• Slow patch upkeep

• Limited remote site maintenance

• No visibility across multi-vendor assets

• Unable to consistently report current PCN cyber security risks

• Incorrect & inefficient workflow to lower cyber risk

• Lack skilled resources to maintain (patch & AV), monitor and report out on PCN security posture.

• Need secure way for personnel & 3rd parties to connect to PCN remotely

• Provides comprehensive OT solution to enterprise-wide cyber security; supports vendor neutral PCN security

• Overcome customer challenges in developing and maintaining an enterprise SOC; consistent enterprise-wide cyber security

• Offers customers safe environment for custom configuration, validation, testing, qualification and support to deploy a secure layer of industrial cyber security defense

Opportunities Look Like

• Many plants across dispersed locations

• High-cost labor markets

• Industrial assets from many vendors

• Multiple sites & defined security policies

• Need to report

• Poor or inefficient security management

• Remote locations with limited staff to maintain PCN. Define capability in prequalification and FEED documents

• Customer has multiple sites and control system vendors not connected with consistent cyber security policies

• Customer has limited cyber security capabilities but is looking to improve centralization of security

• Customer interested in validating new solutions faster in a variety of scenarios to increase defenses against threat of cyber attacks


Security Controls / Tools

Integrated Cyber Security Management


Security Management

Intrusion Protection & Threat Intelligence

Application & Endpoint Security

Next Generation Firewall

Network Security


Centers of Excellence: Innovation & Security Service Hubs


Cyber Security Centers of Excellence Around the World

Solutions Development

Training and Certification

Customer Demonstrations

Research Labs & Testing

Houston

Managed Security Service Center

Singapore

Bucharest

Cyber Security Innovation Center

Dubai

Atlanta

Managed Security Services

Cyber Security Research Lab

Edmonton

Phoenix

Amsterdam

Bangalore

Atlanta Cyber Security Innovation Center


Honeywell Provides Full Solutions for Industrial Cyber Security

Comprehensive, Proven and Trusted End-to-End Solutions

INTEGRATED SECURITY TECHNOLOGY

- Whitelisting

- Antivirus

- Next-generation Firewall

- IDS/IPS

- Security Information & Event Management (SIEM)

- Threat Intelligence

INDUSTRIAL SECURITY CONSULTING

- Industrial security program development

- Assessment services

- Architecture and design

- Implementation and systems integration

- Operational service and support

- Compliance audit & reporting

MANAGED SECURITY SERVICES

- Secure remote access

- Continuous monitoring and alerting

- Automated patch & antivirus updates

- Incident response & recovery/back up

- Security device co-management

- Hosting, management and operation of ICS Shield®

- OT SOC management & operations

CYBER SECURITY SOFTWARE

- ICS Shield® platform for cyber security operations

- Industrial Cyber Security Risk Manager: Enterprise and Site

- Secure Media Exchange (SMX)

- Advanced Threat Intelligence Exchange (ATIX)

- Industrial assessment software & tools

Security Maturity axis labels: Adaptive, Emergent


Award Winning Cyber Security Solutions

• Best Product of the Year, Control Engineering China

• Winner – Safety – Process Safety, Intrinsic Safety, Control Engineering 2018 Engineers’ Choice Awards

• Frost & Sullivan Global Industrial Cybersecurity Solutions Customer Value Leadership Award 2018


THANK YOU

Visit www.becybersecure.com to know more