The 13th Annual - IoT & ICS Security


Page 1: The 13th Annual - IoT & ICS Security

ics-community.sans.org

The 13th Annual ICS Security Summit

SAVE THE DATE

MARCH 20-21, 2018

Hyatt Regency Orlando

CALL FOR PAPERS

TOPICS INCLUDE (NOT LIMITED TO):

• Understanding what an attack against your organization will look like

• Vulnerability research: Statistics and vulnerability vectors

• Mitigations - Defenders, governance, and controls

• Threats - Attacks, regulators, and auditors

• Case studies and success stories

• Future attack vectors on ICS

Watch ICS.SANS.ORG for more information

Page 2

sans.org/ics

New Threat Vectors for ICS/SCADA Networks — and How to Prepare for Them

Industrial Control System Resources

Page 3

Threats affecting ICS Environments – Mini-Case Studies

[Figure: threat sources grouped as Insider, Targeted, and Opportunistic, with the threat types shown: Failures, Revenge, Sabotage, Process Attacks, Disruptions, Espionage, Data Theft, Hacktivism, Resource Hijack, Botnet, Ransomware, Extortion.]

Page 4

Attack Difficulty: Targeted

[Chart legend: Typical Response/Recovery Time, rated Low, Medium, or High/Unknown.]

Page 5

Attacker Goals

Page 6

Targeted: Major Public ICS Incidents & Access Campaigns

[Figure: matrix of ICS Impacts (Low to High: Nuisance; Lost Productivity/Data; Lost Value; Loss of Safety, Reliability, Assets) against ICS kill chain stages (ICS Recon, ICS Targeting, ICS Delivery, ICS Exploits, ICS Payload, ICS Customization, split into Stage One and Stage Two). Incidents plotted: Stuxnet (all versions), Unspecified German Facility, Havex (OPC module), OPCLEAVER, UglyGorilla, BlackEnergy2 (various ICS modules), NY Dam Intrusion, BE3, Dec 2015 Ukraine Power Outage, Dec 2016 Ukraine Power Outage.]

Page 7

Malware Discovery Associated with Electric Outages

How an Entire Nation Became Russia’s Test Lab for Cyberwar

Page 8

Ukraine Electric System Cyber Events

Highly Coordinated · Highly Targeted · Modular and Customizable · Electric System Impacts

                 2015       2016
Substations      50+        1
Customers        225K       Portion of capital region
MW Impact        135 MW     200 MW
Malware Role     –          –
Significance     –          –

Page 9

Key Risk Item Considerations and Mitigations

[Chart: Risk Areas plotted by Risk Impact against Risk Likelihood, each paired with a Risk Mitigation. Reflects CrashOverride as of June 13; *as additional modules are discovered this will need to be reassessed.]

Risk #1 Protocol Implementation: Organization is utilizing IEC 101, IEC 104, or IEC 61850 for operational control capability.
Mitigation (SCADA Path Management): Restrict to in-use protocols only. Implement protocol converters, front-end defenses, in-line firewalls.

Risk #2 Protection Relays: Unpatched Siemens SIPROTEC relays are being utilized.
Mitigation (Vulnerability Management): Remove devices not in use, implement patch management and firmware updates.

Risk #3 OPC Protocol: Environment utilizes OPC DA protocol.
Mitigation (Network Monitoring and Alerting): Limit OPC to status only, implement communications baselines, and anomaly detection.

Risk #4 Data Destruction: Access to configuration data is achievable.
Mitigation (Data Protection and Recovery): Ensure configuration data backups, tested recovery, and encrypted storage.

Risk #5 Unknown Infection: Inability to detect malware within environment.
Mitigation (Current Detection Capabilities): Deploy malware signature detection at host and network level.

Risk #6 Adversary Access: Ability to remotely interact with the environment.
Mitigation (Secure Access): Only enable access when/as needed. Implement 2-factor authentication, with local jump host environment.
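The Risk #1 and Risk #3 mitigations (restrict to in-use protocols only; limit OPC to status only; implement communications baselines and anomaly detection) describe a check that can be expressed directly in code. The Python below is an added example written for this page; it is not code from the SANS deck or from any product the deck names. It learns a baseline of (source, destination, port, operation) tuples from a window of constructed flow records and then flags observations that break the baseline. The flow record layout, the host addresses and the monitor/control/read/write operation labels are assumptions made for the example; the port numbers are the standard assignments for IEC 104, IEC 61850 MMS and OPC DA (DCOM) and are not taken from the slide.

```python
"""Communications baseline and anomaly detection for ICS protocol flows.

Added example, not code from the SANS deck or from any product it names.
Flow records, addresses and the operation labels are constructed assumptions.
"""
from collections import namedtuple

# One summarised connection. The field layout and the op labels
# (monitor/control for IEC 104, read/write for OPC) are an assumed schema
# for this example; a protocol-aware sensor would supply its own.
Flow = namedtuple("Flow", "src dst dport op")
Alert = namedtuple("Alert", "flow reason")

# Standard transport ports for the protocols the risk table names (IANA and
# vendor assignments, not from the slide): IEC 60870-5-104 on TCP 2404,
# IEC 61850 MMS on TCP 102, OPC DA endpoint mapper (DCOM) on TCP 135.
IN_USE_PORTS = {2404: "IEC104", 102: "IEC61850-MMS", 135: "OPC-DA"}


def build_baseline(flows):
    """Learn normal communications from a window believed to be clean.

    Keeps every observed (src, dst, dport, op) tuple and, separately, the
    hosts seen issuing control commands, so a control command from any other
    host stands out even when that host already talks to the target.
    """
    return {
        "pairs": {(f.src, f.dst, f.dport, f.op) for f in flows},
        "control_sources": {f.src for f in flows if f.op == "control"},
    }


def detect(flows, baseline, in_use_ports=frozenset(IN_USE_PORTS)):
    """Compare an observation window against the baseline; return alerts in order."""
    alerts = []
    for f in flows:
        key = (f.src, f.dst, f.dport, f.op)
        if f.dport not in in_use_ports:
            # "Restrict to in-use protocols only": any other port is reportable.
            alerts.append(Alert(f, "protocol not in the in-use allowlist"))
        elif key in baseline["pairs"]:
            continue  # seen during learning: normal
        elif f.dport == 135 and f.op == "write":
            # "Limit OPC to status only": no write was ever baselined.
            alerts.append(Alert(f, "OPC write where baseline is status reads only"))
        elif f.op == "control" and f.src not in baseline["control_sources"]:
            alerts.append(Alert(f, "control command from host never seen issuing control"))
        elif f.op == "control":
            alerts.append(Alert(f, "known control source commanding a new target"))
        else:
            alerts.append(Alert(f, "new communication pair"))
    return alerts


# Constructed learning-window flows: an HMI polls two RTUs over IEC 104 and
# commands one of them; a historian reads OPC status from the OPC server.
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.21", 2404, "monitor"),  # HMI -> RTU-1 polling
    Flow("10.0.1.10", "10.0.2.22", 2404, "monitor"),  # HMI -> RTU-2 polling
    Flow("10.0.1.10", "10.0.2.21", 2404, "control"),  # HMI -> RTU-1 command
    Flow("10.0.1.30", "10.0.1.40", 135, "read"),      # historian -> OPC server
]

# Constructed observation window: two normal flows and four deviations.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.21", 2404, "monitor"),  # normal polling
    Flow("10.0.1.10", "10.0.2.22", 2404, "control"),  # HMI commands RTU-2 for the first time
    Flow("10.0.3.99", "10.0.2.21", 2404, "control"),  # unknown host commands RTU-1
    Flow("10.0.1.30", "10.0.1.40", 135, "write"),     # OPC write from the historian
    Flow("10.0.1.30", "10.0.1.40", 135, "read"),      # normal status read
    Flow("10.0.1.50", "10.0.2.21", 502, "monitor"),   # port 502 is not an in-use protocol here
]


def run_example():
    """Baseline the learning window and score the observation window."""
    return detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.flow.src} -> {a.flow.dst}:{a.flow.dport} {a.flow.op}: {a.reason}")
```

Run stand-alone it reports four alerts: the known HMI commanding an RTU it had only polled before, an unknown host issuing a control command, an OPC write where only status reads were baselined, and a flow to a port outside the in-use allowlist. The two normal flows are silent, and replaying the learning window against its own baseline yields nothing, which is the property a baseline detector must have before it is trusted. The operation labels are the part a plain flow collector cannot provide; deriving them requires a sensor that decodes IEC 104 and OPC, which is what the "communications baselines and anomaly detection" mitigation assumes is in place.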

Page 10

[Figure: risk matrix plotting Likelihood of Occurrence (Low, Med, High) against Consequences (Low, Med, High), marking Current Risk and Future Risk.]

Current Risk Ranking and Assessment of Potential Risk

Current Risk Ranking was determined based on the following key factors:

• Do not use protocols identified

• Do not use vendor products identified

• Operationally architected in a manner that limits effects

Future Risk Ranking was determined based on the following key factors:

• Protocol modules discovered that are in use

• Module exploits discovered that impact devices in use

• Adversary tactics discovered that could have greater operational effect

Page 11

Data Theft on an Industrial Scale

2017 Data Breach Investigations Report

• 620 data breach incidents in the Manufacturing Sector last year

• 94 percent could be defined as “Espionage” driven with indications of “State-affiliated” actors

• About 91 percent of material stolen considered proprietary and categorized as “Secret”

Digital Losses:

Designs, Formulas, Recipes, Processes, Production Data…

Tangible Impacts:

Time-to-market, Market position, Competitiveness, Financial…

Page 12

Incident deconstruction: Example: Leverage Files & Credentials on Corporate

[Diagram: Corporate AD Server connected to the SCADA Network]

• Attacker possesses SCADA-related files

• Exfiltrated key files (data theft but also)

• Could control perimeter enforcement settings

• Has a direct path to SCADA

• Leveraging technology – w/o TRUST

Page 13

The Rise of Industrial Ransomware

Timeline:

• NSA Tools Leaked (Unknown)

• ShadowBrokers Auction Tools (Aug 2016)

• Microsoft Issues MS17-010 (Mar 2017)

• EternalBlue unveiled by ShadowBrokers (April 2017)

• WannaCry/WannaCrypt (12 May 2017)

• Derivatives & Outbreaks (future)

AFFECTED INDUSTRIES

• Automotive

• Government

• Healthcare

• Rail & Transport

• Telecommunications

• Logistics & Transportation

• Others still unreported (yet)

RANSOM RESULTS

• +150 countries

• +200,000 computers (and counting)

• +327 payments (as of 14 June 2017)

• +$130,000 (52 BTC)

IMPACTS

• Nuisance / Close-calls

• Loss of data & IP

• Disruption in Production

• Disruption in Service

• Increased production cost

• Reduced Productivity

• Other unreported impacts

Page 14

Impacted Assets

Page 15

What Your Next Attack Will Look Like

Page 16

SANS 2016 ICS Survey: Cybersecurity Standards & Guidelines

Select all cybersecurity standards & guidelines you use… (chart values: 47%, 37%, 34%, 27%, 24%)

• NIST Guide to SCADA and Industrial Control Systems Security

• 20 Critical Security Controls

• NERC CIP

• ISO 27000 series including 27001 and others

• ISA99 (Industrial Automation and Control Systems Security)

Sum total >100% due to multiple standards & guidelines being employed.

330+ participants; 68% of respondents in US; 51% in Security-titled positions.

Responsibilities: 46% hold IT+OT, 22% pure IT, 27% pure OT.

Note: SANS 2017 ICS Survey to be released July 11, 2017: http://www.sans.org/u/sQo

Page 17

NIST SP 800-82 Guide to ICS Security

• Guidelines for Establishing Secure ICS

– Supervisory Control and Data Acquisition (SCADA).

– Distributed Control Systems (DCS)

– Other systems performing control functions.

• Overview of systems, system risks & threats, vulnerabilities and recommended mitigations.

• Scope includes ICS used across all sectors

Page 18

Situational Awareness - Recommendations

• Real-time or near real-time cybersecurity monitoring can enhance resilience of operations.

• Situational awareness is a key element in ensuring visibility across all resources.

• Situational awareness is the ability to comprehensively identify and correlate anomalous conditions pertaining to industrial control systems, IT resources, access to buildings, facilities, and other business mission-essential resources.

• Potential business benefits of situational awareness reference design

– Improved ability to detect cyber-related breaches or anomalous behavior

– Faster monitoring, identification, and response to incidents


Page 19

Cyber Security Framework (CSF) Guideline

Page 20

Cyber Security Framework (CSF) Guideline

Page 21

Questions or Follow up

CONTACT

Mike [email protected]

Tim [email protected]

SANS INSTITUTE

8120 Woodmont Ave., Suite 310, Bethesda, MD 20814

301.654.SANS (7267)

SANS EMAIL

GENERAL INQUIRIES: [email protected]

/PR: [email protected]

ICS RESOURCES

ics.sans.org

Twitter: @sansics

Community Forum: https://ics-community.sans.org/signup