Cyber ICS/OT Capabilities
MOSAICS, May 18-19, 2021
Engineers and Scientists
Cage Code: 7APF2   DUNS: 02807945
Small Business
Cybersecurity-as-a-Service
MAY 2021
Proactive Security Operations And Holistic Threat Protection
End to End protection for ICS/OT and IT Infrastructure
Engineers + Scientists
www.waterleafinternational.com
WATERLEAF AT-A-GLANCE
Connecting, Securing and Informing Your World – 1 Bit at a Time
Connect
Engineer, Furnish, Install & Test (EFI&T)
• Design, engineering, deployment of Fiber, IT, DAS/Small Cell, 4G/5G and other communications infrastructure
• Project management, QA/QC, construction management, and related services
• RF Services: Planning, engineering, management, testing, R&D, surveys and licensing
• Neutral Host / pLTE Solutions
• IT engineering, modernization and sustainment
• SMEs on low latency, OTH, SDR and antenna development, interference analysis and mitigation, spectrum analysis, and RF security
Secure
Cybersecurity-as-a-Service
• Proactive and Reactive support
• Holistic cyber defense providing enhanced threat identification and remediation
• Leading edge cyber tools with SIEM / SOAR & AI/ML
• Deep cybersecurity technical expertise
• 24x7x365 security operations and remediation
• Fast time to deployment – weeks not years
• Reactive incident response and forensic investigation
• Minimal up-front capital investment
• Low lifetime total cost
• Elevated board level reporting
• CMMC compliance enabler
Inform
Data Science & Knowledge Management
Data Management
• Information architecture
• Enterprise knowledge management
• Data warehousing
Analytics & Visualization
• Business intelligence
• Big data and analytics services
• Probabilistic, statistical, and operational research
• Data visualization
Machine Learning / Artificial Intelligence
• Process automation and optimization
• Data extraction
• Software development
WATERLEAF BACKGROUND
• Founded 2010 - Operations in Fort Myers, FL, Washington, DC and Atlanta, GA
• Built for rapid implementation of customer engagements
• Small business backed with resources to scale operations
• Core technical competencies in cybersecurity, network and data science
• RF / Wireless / Fiber (dense and distributed)
• Low latency communications – custom radio/modem development, SDRs
• Cybersecurity - Design, develop, integrate, maintain, train and staffing
• SIEM/SOAR/SOC – Cybersecurity as a Service (CaaS)
• CMMC – Certified RPO & C3PAO. Compliance advisory and assessors.
• Forensic Cybersecurity, Offensive/Defensive postures
• Vulnerability test, scan and R&D focused on IoT, IC, PLC
• Contract Vehicles: Seaport NxG; GSA MAS 54151S. Sub-contracts on major vehicles.
• TS / Secret FCL
Provider of end-to-end Advanced Network, Cybersecurity, Data Science, and Engineering Solutions for Federal / DoD, Municipal, Carrier and Commercial clients in North America and OCONUS.
Applying small business agility with large business resources and capabilities
THE TRUE COST OF CYBERSECURITY
• Capital Investment – Hardware, Software
• Investment In Training And Staff Hours
• 24x7x365 Monitoring
• Expertise to Keep Up With Evolving New Threats
• Ensuring Compliance
  • Organization’s Security Policies
  • Industry Requirements and Regulations
  • NAVFACINST 11000.2
  • HIPAA, GDPR, CMMC, FINRA, FISMA, PCI, etc.
• Organizational Costs Of Potential Breaches
  • Remediation
  • Restoration
  • Operations
  • Reputation Damage
  • Mission Compromise
“Cyber is an ever-evolving game, and exploits are always found. But some are better positioned to respond than others. We’re moving to a battlefield where we’ll have the ‘haves,’ who are using modern, more securable, cloud-based architectures and can rely on embedded security experts continuously monitoring that infrastructure, and ‘have nots’ who strain to patch aging ‘on-premise’ servers 9-5, M-F in addition to their other duties.”
– Cyber Consulting Expert at MSFT
Proactive, Holistic Cyber Protection Through A Simple Subscription Service
‘As a Service’ protection for the ICS/OT Environment
Suite of leading cyber tools, monitoring and remediation support via service model
• Mitigate threats and breaches via enhanced cyber defense
• Faster breach identification and remediation
• Enables access to:
  • Leading edge cyber tools
  • Scarce cybersecurity technical expertise
  • 24x7x365 security operations and remediation support
• Custom dashboards for improved visibility and awareness
• Elevated compliance reporting
• CMMC and ‘other’ compliance enabler
• Proactive cyber defense at <50% of the cost to do it yourself
  • Minimal up-front capital investment
  • Lower lifetime total cost
Cybersecurity as a Service
HOLISTIC CYBER PROTECTION
10 KEY CYBERSECURITY COMPONENTS
BACKUP & RESTORATION
Backup policies (algorithms) and systems to enable business continuity. Ensure timely restoration.
SIEM / SOAR
Security Information And Event Management (SIEM) monitors the activity on the devices in your network to detect unwanted activity, while Security Orchestration, Automation and Response (SOAR) provides automated, real time responses and actions to protect your information.
RMM & PATCH MANAGEMENT
Enables remote monitoring and management of your computers and ensures your software is up to date with the latest patches.
24x7 SECURITY OPERATIONS CENTER (SOC)
Continuous monitoring of security systems to provide notifications and coordinate responses to threats and incidents.
FIREWALL
Control what traffic passes in and out of your network. Connected to our SIEM via network appliance or VM to prevent unwanted connections to network devices.
ENDPOINT THREAT DETECTION & RESPONSE (EDR)
Endpoint Detection and Response using ML and AI with active virus threat and malware predictors.
ASSESSMENT, POLICY DEVELOPMENT & TRAINING
Policy assessment and implementation based on Federal and industry guidelines. Training across all organizational levels.
PENETRATION TESTING
Controlled penetration attempts of secured network by Certified Ethical Hackers to identify potential and/or existing issues.
FINGERPRINT SENSORS (PFP)
Sensor data with local and SIEM/AI-ML analysis, integrated to active response and mitigation.
PDNS – Protective DNS
White and blacklist of DNS; analyzes DNS queries with AI/ML; Content Filtering; DGA/Phishing Mitigation.
Select some or all of the above; the selection must include SOC/SIEM/SOAR.
INTEGRATED CYBERSECURITY SUITE
Core and Complete Subscription Components
IDENTIFY | PROTECT | DETECT | RECOVER & RESPOND
Complete Subscription Components:
• Assessment
• Policy Development
• Training
• Compliance Tracking
• Vulnerability Assessment & Penetration Testing
• Social Exploits
Core Subscription Components:
• SIEM (Security Incident & Event Management)
• 24x7x365 Security Operations Center
• SOAR (Security Orchestration, Automation & Response)
• RMM & Patch Management
• IP & DNS Filtering
• Backup and Restoration
Legend: Complete Subscription | Complete Subscription Optional | Component Protection
“Complete” services can be changed per branch/customer requirements or integrated to existing systems.
Subscription Features Flexible To Mission Requirements
CYBERLEAF Feature | Core | Complete
CYBERLEAF Security Operations Center and Response Orchestration, including SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation & Response) | ✓ | ✓
MITRE ATT&CK Framework with Over 200 Threat Techniques | ✓ | ✓
Up to Date Threat Intelligence Feeds Included | ✓ | ✓
Active Threat Detection & Mitigation with AI / ML | ✓ | ✓
Cross Platform Support: Windows, MacOS, Linux, Cloud | ✓ | ✓
24x7 Support & Maintenance | ✓ | ✓
Searchable Event Storage | 90 Days | 90 Days
Searchable Alarms & Vulnerabilities | 120 Days | 120 Days
Cold Storage of Logs | 1 year (extensions available) | 1 year (extensions available)
Cyberleaf Customizable Realtime Dashboard | ✓ | ✓
Built-in Compliance Reports | ✓ | ✓
Supports PCI log storage requirements | ✓ | ✓
Notifications | Email, IM, Slack / Teams & others | Email, IM, Slack / Teams & others
Cyberleaf IT Training | ✓ | ✓

CYBERLEAF MODULES AND OPTIONS | Core | Complete
Cyber Security Assessment Tools | On-Boarding | On-Boarding
Policy Development (Templates) | Option | ✓
End User Training | Option | ✓
Penetration Testing | Option | ✓
Remote Monitoring and Management | Option | ✓
End Point Threat Detection and Response (EDR) | Option | ✓
Searchable Event Storage - 365 Days | Option | Option
Backup | Available 50GB to 1TB / User | Available 50GB to 1TB / User
ADVANTAGES
• Pro-active engagement to mitigate threats
  • Reduced time to identify and mitigate
  • Exfiltration of data
  • Unauthorized access to data
  • Vulnerabilities based on behavior
  • Zero Trust Architecture (applied)
• Compliance and Reporting
  • Full compliance with regulatory requirements
  • Audit capable with 3rd party validation
  • Check and balance
  • Enabler of NAVFACINST 11000.2
• Specialized training and expertise
  • Requires Dedicated Staffing
  • Specialization in AI/Development
  • Dedicated threat hunters and utilization of a 24x7x365 SOC
  • Focused on Cybersecurity - not IT, network, support/break fix, telecom etc.
• Cost Savings
  • Minimal Capital Investment
  • No investments in specialized IT Security Staffing
  • Decreased lifetime costs
Protect critical defense/supply chain and other infrastructure with a Subscription Service
INCIDENT RESPONSE FRAMEWORK
1. PREPARATION: Assessment & Readiness Evaluation; Documentation and Response Procedures; Tool Implementation
2. DETECTION AND ANALYSIS: Determination, Analysis, Correlation, Verification, Prioritization, Reporting; Escalation & Communications
3. CONTAINMENT, ERADICATION AND RECOVERY: Incident Containment; Secure evidence; Mitigate vulnerability; Recover systems
4. POST-INCIDENT ACTIVITY: Confirm Recovery; Follow Up Incident Reporting
REACTIVE / INCIDENT RESPONSE SUPPORT
• Incident Response Support Services
  • Threat detection
  • Forensic Analysis
  • Recovery support
• Response Team Works With Client Internal Staff And Service Providers
  • Shut down threats and breaches
  • Recover critical systems and information
  • Post incident documentation and improvement
• Builds On Cyberleaf Service Assessment, On-boarding & Proactive 24x7x365 SOC Monitoring
• On-Demand Support
WATERLEAF CYBER EXPERTISE
• Extensive Cybersecurity leadership
  • Personnel have MSEE, MSCE, PhDs, industry and federal certifications (CMMC-AB)
  • Cybersecurity SME advisory to DHS
  • Founding Board Member - Center for Internet Security (CIS)
  • Experience with Forensic Cybersecurity, Offensive/Defensive postures
  • Working members of TIA, CTIA, NIST, NSC, IEEE and other industry committees/boards
  • Implementing MITRE ATT&CK methodology for pro-active defensive posture with real time monitoring using AI/ML to mitigate and defend the enterprise
• Cybersecurity past performance
  • Design, develop, integrate, operate, maintain, train and staff
  • Cyber protection for sensitive telecom networks
  • Industrial security and R&D focused on IoT, IC, PLC
• Secure, resilient infrastructure
  • Tier III/IV Data centers
  • IL4 and IL5 GCC High compliance as needed
  • Requires ATO (~3-6 months)
Since 2010 Waterleaf International has provided end-to-end Network, Cybersecurity and Data Science Solutions for Federal / DoD, Municipal, Carrier and Commercial clients.
Our engineers, scientists and program managers connect, secure and understand your world – one bit at a time.
CMMC-AB PROVISIONAL ASSESSOR
END-TO-END PROCESS FOR CYBER READINESS
1. SERVICE AGREEMENT: Establish organizational requirements and targets
2. ASSESSMENT: Define state of readiness and recommended improvements; Policy and Procedure Development / Updates
3. DEPLOYMENT: Security updates as required (Network, Devices, Users); Install and Train SIEM; Install and Train PFP sensors and Edge Compute; Education at ALL LEVELS
4. OPERATIONS: SOAR / SOC Operation; Regular Updates – Software, AV, Network; Threat Identification and Mitigation; Incident Response Support
5. ONGOING MONITORING & REPORTING: Management & Board Level Cyber Reporting; Compliance Measurement; Continuous Improvement; Regulatory Compliant Reporting; Dashboard & Reporting
THREATS - CYBER-KINETIC AND ICS/DCS ATTACKS
DEFINITIONS AND KEY COMPONENTS
• Cyber attacks are often called non-violent or non-kinetic attacks; however, there is a credible capability to use cyber attacks to achieve kinetic effects.
• Kinetic Cyber refers to … cyber attacks that can cause direct or indirect physical damage, injury or death solely through the exploitation of vulnerable information systems and processes.
• Examples:
  • Stuxnet and variants; Duqu, Flame
  • Industroyer (aka Crashoverride)
  • Harvey
• Stuxnet – Delivered by USB drop; targets Windows machines/networks; self replicating. Searches for the Siemens software used to program the ICS that operate equipment such as centrifuges, and compromises the PLCs. Spies on the industrial systems and causes centrifuges to tear themselves apart.
• Industroyer – Sophisticated malware designed to affect (kinetically) the working processes of Industrial Control Systems (ICS) used in electrical substations. Industroyer was allegedly used in the attacks on the Ukrainian power grid in December 2016.
• Harvey – A ‘Man-in-the-PLC’ exploit that intercepts the PLC’s input and output values, provides an arbitrary view of the system to the control logic (i.e., the program running on the PLC), and simulates a semantically correct system state towards the central control unit while changing the actual system state.
Problem Statement
• Proposed embedded security approaches do not provide a complete solution and require additional security measures for defense-in-depth.
• Current embedded end-point solutions often rely on load-time attestation performed by the same target processor being monitored.
• These approaches “steal” processing cycles from the system, limiting their algorithms to very simple approaches to avoid introducing excessive overhead.
• Overhead or latency limits applicability to severely constrained platforms, such as those in critical systems, including industrial controllers, unmanned aerial vehicles (UAVs), etc.
• In case of a compromise, security solutions running on the same processor being monitored can be disabled or bypassed by an attacker; the security monitor must then be considered compromised as well (see previous examples).
• Further, memory hashing-based approaches are potentially vulnerable to attacks executing from dynamic memory.
• Software-only approaches are vulnerable to hardware tampering and cannot detect attacks introduced throughout the supply chain.
• We recognize more sophisticated systems may not be processor, memory or system constrained, by using external machines, VMs and network-aware sensing.
Proposed Solution Set
• A holistic solution that monitors the network traffic, log/sys files as well as EDR/RMM files, INCLUDING RF Fingerprinting with AI/ML to integrate the non-IP-connected devices.
• Power Fingerprinting (PFP) technology is an integrity assessment approach based on analog side-channel analysis (e.g. electromagnetic emissions or power consumption) and machine learning, capable of monitoring a device and detecting attacks without impacting hardware and software system resource utilization or operations.
[Figure: PFP Side-Channel Patterns – signal s(t) versus time t across clock cycles, measured trace overlaid on the baseline; the device under test (DUT) is supplied with DC power (+V) and observed through its power draw and EMI.]
Local and remote analysis of any variance to baseline EMR/EMF and other observable Side Channel characteristics, even when there is no traffic generated that can be associated with malicious behavior.
PFP INTEGRATED TO SIEM/SOAR/SOC WITH AI/ML ENGINES
• Power Fingerprinting (PFP) is an adaptation of RF Fingerprinting: a novel approach to the integrity assessment of critical embedded systems, allowing detection of malicious intrusions at all levels of the execution stack, including hardware, firmware, and software.
PFP Advantages:
• Detects HW/FW tampering
• Immediate attack detection
• Suitable for resource-constrained platforms
• Effective against zero-day attacks
• Logically and physically isolated operation from target platform
[Diagram: a Digital System under attack; Traditional security measures; a Successful Attack; Side Channels observed by the PFP Independent Integrity Monitor.]
• The data is analyzed in real or near-real time, on site or through our SIEM, with ML using both an unsupervised algorithm and a semi-supervised algorithm to learn the environment; based on policies, it executes commands to take defensive or corrective action before an attack occurs.
• The SIEM/SOAR integrates to the OT/IT network via a network appliance into the FW/Router and/or managed switch.
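As an added illustration of the baseline-versus-measured comparison described above (this is not Waterleaf's or PFP's own code), the block below learns a per-sample baseline from constructed known-good traces, calibrates an alert threshold from the baseline's own dispersion, and scores new captures off-platform so the monitored device's CPU plays no part in the verdict. Trace shape, sample count, noise level and the threshold margin are assumptions.

```python
"""Toy PFP-style integrity check: a captured side-channel trace is scored against
a baseline learned from known-good captures. All traces are constructed data."""
import math
import random
from statistics import mean, pstdev

SAMPLES = 64   # assumed samples per clock-aligned capture window
NOISE = 0.05   # assumed per-sample measurement noise (std dev)

def good_trace(rng):
    """Constructed stand-in for one power/EM trace of the authorized firmware loop."""
    return [math.sin(2 * math.pi * i / SAMPLES) + 0.3 * math.sin(6 * math.pi * i / SAMPLES)
            + rng.gauss(0, NOISE) for i in range(SAMPLES)]

def tampered_trace(rng, extra=0.4, start=40, end=56):
    """Constructed trace where injected code adds activity during part of the cycle."""
    trace = good_trace(rng)
    for i in range(start, end):
        trace[i] += extra
    return trace

def build_baseline(traces):
    """Unsupervised step: per-sample mean and spread across the reference traces."""
    columns = list(zip(*traces))
    mu = [mean(col) for col in columns]
    sd = [max(pstdev(col), 1e-6) for col in columns]   # floor avoids divide-by-zero
    return mu, sd

def score(trace, baseline):
    """Mean absolute z-score of the trace against the baseline (0 = identical)."""
    mu, sd = baseline
    return mean(abs(x - m) / s for x, m, s in zip(trace, mu, sd))

def calibrate_threshold(traces, baseline, margin=1.5):
    """Alert threshold = margin x the worst score among the reference traces."""
    return margin * max(score(t, baseline) for t in traces)

def classify(trace, baseline, threshold):
    """Verdict for one capture; the monitor runs off-platform, so the target's
    own CPU is neither consulted nor trusted for this decision."""
    s = score(trace, baseline)
    return ("ALERT" if s > threshold else "OK"), s

def demo(n_reference=30, seed=7):
    """Learn a baseline, calibrate, then score one clean and one tampered capture."""
    rng = random.Random(seed)
    reference = [good_trace(rng) for _ in range(n_reference)]
    baseline = build_baseline(reference)
    threshold = calibrate_threshold(reference, baseline)
    clean = classify(good_trace(rng), baseline, threshold)
    tampered = classify(tampered_trace(rng), baseline, threshold)
    return {"threshold": threshold, "clean": clean, "tampered": tampered}
```

In practice the baseline must be re-learned per hardware revision and firmware version, and captures must be clock-aligned before per-sample comparison.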
PFP EXAMPLE: PFP REAL-TIME CYBER KILL CHAIN TRACKING IN CRITICAL INFRASTRUCTURE
PFP simultaneously monitors multiple devices in a critical infrastructure setup and detects attacks in real time to track adversaries’ lateral movement.
PFP’s alerts and threat indicators are delivered to SIEM/SOAR.
PFP tracks intrusion through each step. Most current solutions detect too late.
[Diagram: IP Camera, Router, PLC and Storage/servers, with steps 1-6 numbered along the path.]
1. Attacker exploits faulty camera API – bypasses authentication
2. Exploits buffer overflow to gain access to router and changes setting
3. Breaks network isolation
4. Modifies Siemens PLC logic, which also spoofs the HMI
5. Erases tracks on router
6. Erases tracks on camera
IIOT NETWORK HW TOPOLOGY EXAMPLE WITH DATA DIODES AND SIEM/SOAR
[Diagram: an IoT/IIoT LAN of sensors and actuators (valves/relays) behind gateways and M2M links, split into TCP/IP and non-TCP/IP segments; PFP sensors, one-way data diodes (optional low cost data diodes), firewalls and a SCADA ingestion engine feed the Cyberleaf SIEM/SOAR AI/ML algorithms.]
Encrypted VPNs:
1. VPN Secure Tunnel
2. Static IP
3. Certificates from FW to FW
4. MFA w/ 3rd party token
5. Monitored on SIEM
6. Monitored on EDR
PFP INTEROPERABILITY
• P2Scan – Analytics, Mobile, disconnected
• P3Scan – Enterprise Analytics
• pMon-751
• pMon M.2
• Current Sensors
• EM Sensors
• Raspberry Pi
• Innovative cybersecurity, advanced network, data science, and engineering solutions and services
• CMMC certifications: Advisory (RPO) & Assessment (C3PAO)
• CYBERLEAF - SIEM/SOAR/SOC – Cybersecurity as a Service (CaaS) https://cyberleaf.io/
• Waterleaf: Small business innovation
• Built on deep technical and program management leadership
• Rich history / past performance and dedication to delivering excellent services
• People and mission-focused culture
• TS Facility Clearance
• Small business under NAICS codes: 541990, 541330, 541519, 541512, 541715
• GSA Schedule 70
• Seaport NxG
SUMMARY
✓ Proactive and Reactive cybersecurity defense for IT/OT & ICS
✓ Bundled solution bringing tools and expertise
  § Easy to implement with limited in-house resources
  § Modular, flexible implementations integrated with your existing systems
  § Fastest way to secure infrastructure – implement in weeks, not years
  § Cost effective
✓ Prompt, automated responses to threats and events
✓ Continuous updates to maintain best practices
✓ Independent – best of breed solutions and industry tools
✓ Enhanced compliance and reporting
✓ Flexible agreements
www.waterleafinternational.com
CONTACT US
General Information & Sales: David Levitan, President and COO, [email protected], 239-431-4286
Technical: Shawn Evans, Director Cybersecurity, [email protected]
Deployment / Operations: Marshall Howard, [email protected]
Waterleaf International, LLC
11571 Majestic Palms Blvd, Suite 100-110D
Fort Myers, FL 33908
Atlanta, GA | Washington, DC
www.waterleafinternational.com
www.cyberleaf.io
Waterleaf CMMC Solutions
Registered Provider Organization (RPO)
• Registered Practitioners on staff
• Certifications, resources, and cyber expertise to successfully prepare you for the CMMC Assessment
CMMC compliance solution as a simple monthly service
• Top-tier tools to accelerate detection and remediation
• Active threat mitigation powered by AI/ML and supported by highly trained experts
• Constant monitoring and updates
• Implementation in hours not months
• Policies, procedures and training tools for enhanced protection and compliance
• Up to 77% savings vs in-house solutions
Certified Third Party Assessment Organization (C3PAO)
CMMC-AB Provisional Assessor: Waterleaf staff are certified by the CMMC-AB as Provisional Assessors Level 1-3.
Prepare For & Complete Your CMMC Assessment OR* On-Going Proactive Cybersecurity-as-a-Service
* Waterleaf serves as either RPO or C3PAO for any single entity to avoid conflicts
January 5, 2021