Industrial Control Systems Security
Denny Gregianin, Sales Area Manager
VEM in Numbers: Employees and Revenue (chart)
VEM organisation (diagram): Operations; Sales & Marketing; Design & Delivery; NOC; SOC; Custom Application Development; IT Advisory; Finance & Admin; HR & Quality.

Design & Delivery Solutions: Network & Data Center Infrastructure; Cloud Technologies; Collaboration; Building Efficiency & Controls; Security & IT Governance.

Security & IT Governance: Network Security; Content Security; Cyber Security Assessment; IT Governance & Business Continuity.
Understanding the new threats
• Ransomware on the rise
• Mobile Malware
• Social Media Malware & Malvertising
• Defacement
• Distributed Denial of Service (DDoS)
• New forms of electronic payment (e.g. mobile, digital wallets, etc.)
• ICS and SCADA on the rise
Data Breach Detection, Investigation & Response
Cycle (diagram): Risk Anticipation, Prevention, Detection, Response.
• Rapidly identify attempts and cyber attacks affecting the Customer's assets;
• Develop the most appropriate response procedures to contain the attack, remove the infection and reduce the impact on the business;
• Support the Customer in incident-handling activities, reducing the security problem to an IT Administration task;
• Optimise the Customer's security systems through evidence-based risk analysis (Evidence-Based Risk Management);
Service architecture (diagram): Customer; Certego Incident Response Team; Sensors; Service Portal; IRT Tools; Collectors & Correlator.
Certego: certified cybersecurity
The CERT qualification, issued by the SEI (Software Engineering Institute) of Carnegie Mellon University, formalises our commitment to protecting Internet-connected networks and allows us to collaborate with the other international CERT teams in handling cybersecurity incidents.
Certego is the only Italian company cited as a Regional Player for Threat Intelligence services in Gartner's report “Competitive Landscape: Threat Intelligence Services, Worldwide, 2015”.
Industrial Control Systems (ICS) & SCADA Security
ICS: detected vulnerabilities
Recorded Future Special Intelligence Desk
Summary
› Capabilities for attacks on ICS/SCADA[1] systems (collectively referred to as ICS below) are growing. The number of publicly disclosed vulnerabilities and off-the-shelf exploits targeting ICS systems continues to grow over time and well into 2015, even as awareness of dangers for critical infrastructure is improving.
› Vulnerability patterns are improving for some vendors but not for others. Our assumption is that investments in application and control logic security, along with active threat intelligence efforts, are paying dividends for some vendors.
› Siemens and Schneider, the largest and fourth largest industrial automation vendors[2], account for the largest number of reported vulnerabilities, with close to 50% of the total. Of note, a Siemens PLC product was the target of STUXNET, the predominant example of ICS/SCADA attacks.
› The combination of continued growth in ICS vulnerabilities, along with off-the-shelf exploits targeting these as well as credentials for critical infrastructure companies being routinely accessible in public forums, leaves critical infrastructure open to potentially more aggressive motivations. Historically few cyber attacks on ICS have been observed; STUXNET continues to be the predominant example. Recently we’ve seen novel patterns of attacks that are destructive and extortionist in nature – such as the Sony attack, bank extortion by the Rex Mundi hacker group, and the more prevalent Cryptolocker strain of malware. Destructive/extortionist attacks on ICS are a potentially logical continuation, if not yet observed in the wild.
Introduction
The capabilities for ICS attacks are growing and actual ICS probes and attacks are growing as well. Dell SecureWorks states in their 2015 Annual Threat Report, “In 2014, Dell saw a 2X increase in SCADA attacks compared with 2013.” Further, in terms of motivations, Dell states, “SCADA attacks tend to be political in nature, since they target operational capabilities within power plants, factories, and refineries, rather than credit card information.” DigitalBond introduces some alternative motivations in their blog Monetizing SCADA Attacks.

Trend Micro very nicely lays out results of honeypots designed to catch ICS attacks in their report The SCADA That Didn’t Cry Wolf.

To study risks to ICS infrastructure we analyze a few datasets – including the NIST Vulnerability database as well as the Recorded Future Web intelligence holdings, which includes data from the open, deep, and dark Web.

The totality of the NIST Vulnerability database at the time of this analysis included over 71,500 vulnerabilities across many types of software systems. We used a series of search criteria to identify a subset of ICS vulnerabilities (such as “SCADA”, “ICS”, “PLC”, as well as a series of key vendor names, but then filtering out non-SCADA records – for example, PLC is an overloaded term and some vendors are in multiple industries). Our result set was about 400 records in size.
Threat Intelligence Report: Up and to the Right, ICS/SCADA Vulnerabilities by the Numbers
[1] Industrial Control Systems / Supervisory Control and Data Acquisition.
[2] “BofA Merrill Lynch Global Research”, 16 May 2014.
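The search-then-filter selection the report excerpt describes (match ICS terms and vendor names, then drop hits where "PLC" is used in another sense or where a multi-industry vendor appears without any ICS context), as an added example that is not part of the report or the deck; the term lists, vendor list and sample records are constructed assumptions, not the report's criteria or data:

```python
"""Keyword search plus filtering of NVD-style records to isolate ICS entries.

Added example of the search-then-filter method described in the report
excerpt; term lists, vendor list and records are constructed assumptions.
"""
import re

# Terms that on their own identify an ICS record (constructed list).
STRONG_TERMS = ("scada", "modbus", "dnp3", "programmable logic controller",
                "industrial control", "web hmi")
# Overloaded terms: "PLC" also means power-line communication and "ICS" also
# names calendar files, so they only count next to a known ICS vendor.
WEAK_TERMS = {"plc", "ics"}
# Vendors that also sell outside ICS (constructed list): a vendor match by
# itself does not make a record ICS-related.
ICS_VENDORS = {"siemens", "schneider", "rockwell", "abb"}

TOKEN = re.compile(r"[a-z0-9]+")
def classify(record):
    """Return (is_ics, reason) for a record with 'id', 'vendor', 'description'."""
    text = record["description"].lower()
    toks = set(TOKEN.findall(text))
    vendor_hit = record["vendor"].lower() in ICS_VENDORS or bool(toks & ICS_VENDORS)
    if any(term in text for term in STRONG_TERMS):
        return True, "strong ICS term"
    if toks & WEAK_TERMS:
        if vendor_hit:
            return True, "overloaded term confirmed by ICS vendor"
        return False, "overloaded term without ICS context"
    if vendor_hit:
        return False, "vendor only (vendor spans several industries)"
    return False, "no ICS indicator"

def select_ics(records):
    """Ids of the records that survive the filter, in input order."""
    return [r["id"] for r in records if classify(r)[0]]

# Constructed sample records with placeholder ids (not real CVE entries).
SAMPLE = [
    {"id": "EX-1", "vendor": "ExampleCo", "description": "Buffer overflow in the SCADA web HMI crashes the server."},
    {"id": "EX-2", "vendor": "Siemens", "description": "Crafted network packet causes denial of service on the PLC."},
    {"id": "EX-3", "vendor": "Siemens", "description": "Imaging workstation stores credentials in cleartext."},
    {"id": "EX-4", "vendor": "ExampleCo", "description": "Heap overflow in PLC power-line modem firmware."},
    {"id": "EX-5", "vendor": "MailCo", "description": "Mail client mishandles .ics calendar attachments."},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["id"], *classify(r))
```

Only EX-1 and EX-2 survive: the other three are exactly the false positives the excerpt warns about (a multi-industry vendor with no ICS product, and "PLC"/"ICS" used in unrelated senses).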
Prevention is no longer enough…
Preventive technologies (firewalls, antivirus, UTM, etc.) have progressively lost the ability to counter the new threats effectively.
“We no longer have a malware problem; rather, we have the problem of confronting an adversary.”
Shawn Henry, FBI Executive Assistant Director
The evolution of security…
Certego BDIR for ICS/SCADA
Situational Awareness: understand what is happening
Continuous Control: detect anomalies
Actionable Security: develop the response procedures
Certego PanOptikon Architecture
Components (diagram): Incident Response Team; Customer; CSA + PanOptikon; Service Portal.
Protocols shown: Modbus/TCP, EtherNet/IP, DNP3, SNMP, …