TRANSCRIPT
ics-community.sans.org

The 13th Annual ICS Security Summit (IoT & ICS Security)
SAVE THE DATE: MARCH 20-21, 2018, Hyatt Regency Orlando
CALL FOR PAPERS. TOPICS INCLUDE (NOT LIMITED TO):
• Understanding what an attack against your organization will look like
• Vulnerability research: Statistics and vulnerability vectors
• Mitigations - Defenders, governance, and controls
• Threats - Attacks, regulators, and auditors
• Case studies and success stories
• Future attack vectors on ICS
Watch ICS.SANS.ORG for more information
sans.org/ics
New Threat Vectors for ICS/SCADA Networks — and How to Prepare for Them
Industrial Control System Resources
Threats affecting ICS Environments – Mini-Case Studies
[Figure: threat categories grouped under Insider, Targeted, Opportunistic]
• Failures
• Revenge
• Sabotage
• Process Attacks
• Disruptions
• Espionage
• Data Theft
• Hacktivism
• Resource Hijack
• Botnet
• Ransomware
• Extortion
Attack Difficulty: Targeted
[Figure: attack difficulty plotted against typical response/recovery time]
Typical Response/Recovery Time
• Low
• Medium
• High/Unknown
Attacker Goals
Targeted: Major Public ICS Incidents & Access Campaigns
[Figure: incidents plotted by ICS kill-chain stage against ICS impact]
Horizontal axis: ICS Recon, ICS Targeting, ICS Delivery, ICS Exploits, ICS Payload, ICS Customization (labelled Stage One / Stage Two)
Vertical axis (ICS Impacts): Low (Nuisance), (Lost Productivity/Data), High (Lost Value; Loss of Safety, Reliability, Assets)
Incidents plotted: Stuxnet (all versions), Unspecified German Facility, Havex (OPC module), OPCLEAVER, UglyGorilla, BlackEnergy2 (various ICS modules), NY Dam Intrusion, BE3, Dec 2015 Ukraine Power Outage, Dec 2016 Ukraine Power Outage
Malware Discovery Associated with Electric Outages
"How an Entire Nation Became Russia's Test Lab for Cyberwar"
Ukraine Electric System Cyber Events
Malware Role: Highly Coordinated, Highly Targeted, Electric System Impacts, Modular and Customizable

Significance      2015        2016
Substations       50+         1
Customers         225K        Portion of Capital region
MW Impact         135 MW      200 MW
Key Risk Item Considerations and Mitigations
[Figure: risk areas plotted by risk likelihood (horizontal axis) against risk impact (vertical axis), each paired with its mitigation]

Risk Areas and Risk Mitigations (reflects CrashOverride as of June 13*)

Risk #1 Protocol Implementation
  Risk area: Organization is utilizing IEC 101, IEC 104, or IEC 61850 for operational control capability
  Mitigation (SCADA Path Management): Restrict to in-use protocols only. Implement protocol converters, front-end defenses, in-line firewalls

Risk #2 Protection Relays
  Risk area: Unpatched Siemens SIPROTEC relays are being utilized
  Mitigation (Vulnerability Management): Remove devices not in use, implement patch management and firmware updates

Risk #3 OPC Protocol
  Risk area: Environment utilizes OPC DA protocol
  Mitigation (Network Monitoring and Alerting): Limit OPC to status only, implement communications baselines, and anomaly detection

Risk #4 Data Destruction
  Risk area: Access to configuration data is achievable
  Mitigation (Data Protection and Recovery): Ensure configuration data backups, tested recovery, and encrypted storage

Risk #5 Unknown Infection
  Risk area: Inability to detect malware within environment
  Mitigation (Current Detection Capabilities): Deploy malware signature detection at host and network level

Risk #6 Adversary Access
  Risk area: Ability to remotely interact with the environment
  Mitigation (Secure Access): Only enable access when/as needed. Implement 2-factor authentication, with local jump host environment

*As additional modules are discovered this will need to be reassessed
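The "Network Monitoring and Alerting" mitigation for the OPC risk (communications baselines, anomaly detection, OPC limited to status traffic) as an added Python example; this is not code from the SANS deck. The five-field flow tuple is an assumed sensor schema, the port-to-protocol mapping is an assumption for the example, and every host name and flow record is constructed sample data.

```python
"""Communications baseline and anomaly detection over ICS flow records.

Added example, not from the SANS deck. The flow tuple
(src, dst, dst_port, op, bytes) is an assumed sensor schema; every host
name and record below is constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports for the protocols named on the slide (IEC 104 on TCP/2404,
# IEC 61850 MMS on TCP/102, classic OPC DA via the DCOM endpoint mapper
# on TCP/135); this mapping is an assumption for the example.
PROTOCOL_BY_PORT = {2404: "IEC104", 102: "IEC61850-MMS", 135: "OPC-DA"}

# Constructed learning-window flows captured while the plant was known-good.
BASELINE_FLOWS = [
    ("hmi-01", "rtu-07", 2404, "read", 1200),
    ("hmi-01", "rtu-07", 2404, "read", 1150),
    ("hmi-01", "rtu-07", 2404, "read", 1300),
    ("hmi-01", "rtu-07", 2404, "write", 300),
    ("hist-01", "opc-srv", 135, "read", 8000),
    ("hist-01", "opc-srv", 135, "read", 8200),
    ("hist-01", "opc-srv", 135, "read", 7900),
]

# Constructed flows from a later window, mixing normal and suspicious traffic.
NEW_FLOWS = [
    ("hmi-01", "rtu-07", 2404, "read", 1250),      # normal
    ("eng-ws-03", "rtu-07", 2404, "write", 400),   # peer never seen in the baseline
    ("hist-01", "opc-srv", 135, "write", 500),     # OPC write: violates status-only policy
    ("hmi-01", "rtu-07", 2404, "select", 350),     # known peer, operation never baselined
    ("hmi-01", "rtu-07", 2404, "read", 9000),      # known peer/op, volume far above baseline
]


class CommsBaseline:
    """Who talks to whom, over which port, with which operations, and how much."""

    def __init__(self):
        self.peers = set()                # {(src, dst, port)}
        self.ops = defaultdict(set)       # (src, dst, port) -> {op, ...}
        self.volumes = defaultdict(list)  # (src, dst, port, op) -> [bytes, ...]

    def learn(self, flows):
        for src, dst, port, op, nbytes in flows:
            self.peers.add((src, dst, port))
            self.ops[(src, dst, port)].add(op)
            self.volumes[(src, dst, port, op)].append(nbytes)
        return self


def detect(baseline, flows, k=3.0):
    """Return (kind, detail) alerts for flows that deviate from the baseline."""
    alerts = []
    for src, dst, port, op, nbytes in flows:
        key = (src, dst, port)
        proto = PROTOCOL_BY_PORT.get(port, f"tcp/{port}")
        if key not in baseline.peers:
            alerts.append(("NEW_PEER", f"{src}->{dst} {proto} {op}"))
            continue
        if proto == "OPC-DA" and op != "read":
            # Policy from the slide: OPC is limited to status (read) traffic.
            alerts.append(("OPC_WRITE", f"{src}->{dst} {op} violates status-only policy"))
        elif op not in baseline.ops[key]:
            alerts.append(("NEW_OP", f"{src}->{dst} {proto} {op} not in baseline"))
        history = baseline.volumes.get((src, dst, port, op), [])
        if len(history) >= 3:
            mu, sd = mean(history), pstdev(history)
            if nbytes > mu + k * max(sd, 1.0):  # floor avoids a zero-width band
                alerts.append(("VOLUME", f"{src}->{dst} {proto} {nbytes}B vs mean {mu:.0f}B"))
    return alerts


if __name__ == "__main__":
    bl = CommsBaseline().learn(BASELINE_FLOWS)
    for kind, detail in detect(bl, NEW_FLOWS):
        print(f"[{kind}] {detail}")
```

The baseline is keyed on peer pair and port first, then operation, then byte volume, so a brand-new talker is reported once and skipped rather than generating three overlapping alerts; in a real deployment the learning window should be taken from a period the operations team has confirmed as normal, and the OPC status-only rule is a policy check, not a statistical one.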
Current Risk Ranking and Assessment of Potential Risk
[Figure: risk matrix of Likelihood of Occurrence (Low/Med/High) against Consequences (Low/Med/High), marking Current Risk and Future Risk]
Current Risk Ranking was determined based on the following key factors:
• Do not use protocols identified
• Do not use vendor products identified
• Operationally architected in a manner that limits effects
Future Risk Ranking was determined based on the following key factors:
• Protocol modules discovered that are in use
• Module exploits discovered that impact devices in use
• Adversary tactics discovered that could have greater operational effect
Data Theft on an Industrial Scale
2017 Data Breach Investigations Report
• 620 data breach incidents in the Manufacturing Sector last year
• 94 percent could be defined as "Espionage" driven with indications of "State-affiliated" actors
• About 91 percent of material stolen considered proprietary and categorized as "Secret"
Digital Losses: Designs, Formulas, Recipes, Processes, Production Data…
Tangible Impacts: Time-to-market, Market position, Competitiveness, Financial…
Incident deconstruction
Example: Leverage Files & Credentials on Corporate
[Figure: Corporate AD Server with a path into the SCADA Network]
• Attacker possesses SCADA-related files
• Exfiltrated key files (data theft, but also:)
• Could control perimeter enforcement settings
• Has a direct path to SCADA
• Leveraging technology – w/o TRUST
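A detection for the scenario above (corporate credentials carried into SCADA over a direct path) as an added Python example, not code from the SANS deck. The log line format, address ranges, jump host, domain names and every sample line are constructed assumptions for the example.

```python
"""Flag corporate credentials and non-jump-host paths into the SCADA zone.

Added example, not from the SANS deck. The log schema, zone address ranges,
jump host, domain names and sample lines are all constructed assumptions.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed zone model: the SCADA address range, the single jump host that
# is the only approved path into SCADA, and the OT (not corporate) domain.
SCADA_NET = ip_network("10.50.0.0/16")
JUMP_HOSTS = {ip_address("10.50.0.5")}
OT_DOMAIN = "OTDOM"

# Assumed log schema for this example (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ip=(?P<host_ip>\S+) event=logon "
    r"user=(?P<domain>[^\\]+)\\(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log lines: approved jump-host logon, corporate account
# straight into an HMI, ordinary corporate logon, and an OT service account
# reaching an engineering host from the corporate network.
SAMPLE_LOG = """\
2017-06-14T02:11:05Z host=scada-hmi-01 ip=10.50.1.20 event=logon user=OTDOM\\operator3 src=10.50.0.5 result=success
2017-06-14T02:14:41Z host=scada-hmi-01 ip=10.50.1.20 event=logon user=CORP\\jsmith src=10.10.4.77 result=success
2017-06-14T02:15:02Z host=corp-fs-02 ip=10.10.2.9 event=logon user=CORP\\jsmith src=10.10.4.77 result=success
2017-06-14T02:20:19Z host=scada-eng-02 ip=10.50.1.31 event=logon user=OTDOM\\svc_backup src=10.10.8.3 result=failure
"""


def parse(line):
    """Parse one log line into a dict, or None if it does not match the schema."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host_ip"] = ip_address(rec["host_ip"])
    rec["src"] = ip_address(rec["src"])
    return rec


def assess(rec):
    """Findings for one logon; an empty list means it fits the access model."""
    findings = []
    if rec["host_ip"] not in SCADA_NET:
        return findings                        # only logons into the SCADA zone matter here
    if rec["src"] not in JUMP_HOSTS:
        findings.append("DIRECT_PATH")         # SCADA reached without the jump host
    if rec["domain"].upper() != OT_DOMAIN:
        findings.append("CORP_CRED_ON_SCADA")  # corporate trust leveraged into SCADA
    return findings


def scan(log_text):
    """Return (host, domain\\user, result, findings) for every flagged logon."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        findings = assess(rec)
        if findings:
            alerts.append((rec["host"], f"{rec['domain']}\\{rec['user']}", rec["result"], findings))
    return alerts


if __name__ == "__main__":
    for host, user, result, findings in scan(SAMPLE_LOG):
        print(f"{host} {user} ({result}): {', '.join(findings)}")
```

Failed attempts are reported alongside successes because a corporate workstation that can even reach a SCADA logon prompt already shows the "direct path" the slide warns about; the jump-host set and domain check are the two pieces a site would replace with its own inventory.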
The Rise of Industrial Ransomware
Timeline:
• NSA tools leaked (unknown date)
• ShadowBrokers auction tools (Aug 2016)
• Microsoft issues MS17-010 (Mar 2017)
• EternalBlue unveiled by ShadowBrokers (April 2017)
• WannaCry/WannaCrypt (12 May 2017)
• Derivatives & outbreaks (future)
AFFECTED INDUSTRIES
• Automotive
• Government
• Healthcare
• Rail & Transport
• Telecommunications
• Logistics & Transportation
• Others still unreported (yet)
RANSOM RESULTS
• +150 countries
• +200,000 computers (and counting)
• +327 payments (as of 14 June 2017)
• +$130,000 (52 BTC)
IMPACTS
• Nuisance / Close-calls
• Loss of data & IP
• Disruption in Production
• Disruption in Service
• Increased production cost
• Reduced Productivity
• Other unreported impacts
Impacted Assets
What Your Next Attack Will Look Like
SANS 2016 ICS Survey: Cybersecurity Standards & Guidelines
Select all cybersecurity standards & guidelines you use… (chart values read in list order)
• NIST Guide to SCADA and Industrial Control Systems Security: 47%
• 20 Critical Security Controls: 37%
• NERC CIP: 34%
• ISO 27000 series including 27001 and others: 27%
• ISA99 (Industrial Automation and Control Systems Security): 24%
Sum total >100% due to multiple standards & guidelines being employed.
330+ participants; 68% of respondents in US; 51% in Security-titled positions.
Responsibilities: 46% hold IT+OT; 22% pure IT; 27% pure OT
Note: SANS 2017 ICS Survey to be released July 11, 2017: http://www.sans.org/u/sQo
NIST SP 800-82 Guide to ICS Security
• Guidelines for Establishing Secure ICS
  – Supervisory Control and Data Acquisition (SCADA)
  – Distributed Control Systems (DCS)
  – Other systems performing control functions
• Overview of systems, system risks & threats, vulnerabilities and recommended mitigations.
• Scope includes ICS that are used across all sectors
Situational Awareness - Recommendations
• Real-time or near real-time cybersecurity monitoring can enhance resilience of operations.
• Situational awareness is a key element in ensuring visibility across all resources.
• Situational awareness is the ability to comprehensively identify and correlate anomalous conditions pertaining to industrial control systems, IT resources, access to buildings, facilities, and other business mission-essential resources.
• Potential business benefits of situational awareness reference design
– Improved ability to detect cyber-related breaches or anomalous behavior
– Faster monitoring, identification, and response to incidents
Cyber Security Framework (CSF) Guideline
Questions or Follow up
CONTACT: Mike [email protected]
SANS INSTITUTE: 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814; 301.654.SANS (7267)
SANS EMAIL: GENERAL INQUIRIES: [email protected]; PR: [email protected]
ICS RESOURCES: ics.sans.org; Twitter: @sansics; Community Forum: https://ics-community.sans.org/signup