#RSAC
Industrial Defence In-Depth
Session ID: SBX1-R12
Andrey Nikishin, Special Projects Director, Kaspersky Lab, @andreynikishin
Critical infrastructure sectors by state
Nine sectors (the list used in the UK):
• Communications
• Emergency Services
• Financial Services
• Government
• Health
• Energy
• Transport
• Water
• Food
Sixteen sectors (the list used in the US):
• Emergency Services
• Communications
• Financial Services
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Energy
• Chemical
• Commercial Facilities
• Nuclear
• Transportation Systems
• Water and Wastewater
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Food and Agriculture
ICS Network: Common devices
SCADA server
HMI
Development system (IDE) / Engineering WS
Data Historian
Field equipment
PLC/DCS
Industrial Security Approach
Corporate Network priorities: 1. Confidentiality, 2. Integrity, 3. Availability
Industrial Network priorities: 1. Availability, 2. Integrity, 3. Confidentiality
Corporate IT Security is about data protection
Industrial Security is about process protection
The process must first be continuous, and only then secure: a control that stops the process is not an acceptable control
WHY NOT USE IT SOLUTIONS? (1)
Antivirus
  IT:  typical, highly automated
  ICS: difficult: performance impact, false positives, legacy systems
Patching
  IT:  typical, highly automated
  ICS: difficult: requires switching the process to service mode (a planned outage)
Security testing and audit
  IT:  use of modern tools and external experts
  ICS: modern methods and tools are not applicable (active scanning and exploitation can crash controllers, so they are run only on test facilities)
WHY NOT USE IT SOLUTIONS? (2)
Change management
  IT:  typical
  ICS: non-standard, per-case solutions
Incident management
  IT:  event handling and recording are automated; post-mortem and audit analysis is common
  ICS: difficult to replay events
Equipment life cycle
  ICS: not automated; equipment is replaced only when necessary
WHY NOT USE IT SOLUTIONS? (3)
Physical security
  IT:  low for offices, high for data centers
  ICS: highly demanded
Security development cycle
  IT:  integrated into the development cycle
  ICS: rarely used
Compliance to standards
  IT:  limited to some areas
  ICS: highly demanded
Industrial Security today: Low awareness
C-level: does not see how cyber security spending relates to revenues
IT Security: is not allowed to go onto industrial sites
Engineers: are more concerned about the security measures (and their effect on the process) than about malware
Mutual understanding and partnership between these three are crucial to successful cyber security and Critical Infrastructure Protection
What makes protection difficult today
Low awareness: a mix of hype and real cases, with no hard data
Typical office IT security is not applicable
Most attacks target systems that are old, insecure and hard to update
Lack of cyber security skills and of industrial cyber security practice
Lack of OT cyber security ownership
Industrial Specifics. Summary
Industrial Security is about process protection
The process must first be continuous, and only then secure
IT vs OT
Classic ICS network protocols (Modbus is the usual example) have no integrity check, user authorization or authentication: any host that can reach the controller can issue commands to it
Old or unsupported operating systems with no patching (Windows XP included)
A specially designed approach, products and services are needed
Cyber security is a process, not a project
The cycle: Risk & threats awareness → Risk assessment → Proposal & pilot → Implementation → Support & update, and back to awareness
Cyber risks and threats
Mistakes by SCADA operators or contractors (3rd parties)
Actions of insiders (deliberate or not)
Incidental infection
Infection via contractors (removable media or network connection)
Lack of awareness and of hard data for incident forensics
Hacktivist actions and cyber-hooligan attacks
APTs and government-backed attacks
Cyber sabotage (of any sort)
Compliance
Fraud
ATTACK VECTORS
Vulnerable software (SCADA, OS, 3rd-party)
ERP/MES and Internet connections
Uncontrolled software usage
Unauthorized mobile device usage
Uncontrolled external devices (USB, SATA, etc.)
3rd parties and contractors
Supply chain
Malware
Conceptual Topology
Level 4: ERP, APO, Logistics Systems (Business Process Information Network)
Level 3: MES, LIMS, WMS, CMM Systems (Operations Information Network)
Level 2: HMI, SCADA, Batch Systems (Automation Network)
Level 1: PLC, DCS, Packaged Systems (Automation Network)
Level 0: I/O, Devices, Sensors (Discrete & Process Device Communication Networks)
Risks, Malware & Internet Threats
Level 3 (Manufacturing Operations Management): malware via USB, network, corporate network, email, web; human actions, intentional or not (insiders, contractors); Internet attacks (hackers, radicals, hacktivists, etc.)
Levels 2 and 1 (SCADA, HMI, Engineering Workstations, PLC, RTU, etc.): malware via USB, network, contractors; human actions (insiders, contractors); Internet attacks
Level 0 (Physical): malware via the industrial network; human actions
Risk assessment (Security gap assessment)
Assessment:
• Non-invasive approach (based on traffic analysis)
• Interviews
• Agentless vulnerability / weakness scanning
• Pentests (on test facilities only)
Cyber threat model
Recommendations and a step-by-step plan based on the risks and specifics of the client
Cyber risks and threats, and the countermeasures that address them
Malware & Attacks:
• Incidental infection
• Infection via contractors (removable media or network connection)
• Hacktivist actions and cyber-hooligan attacks
• APTs and government-backed attacks
• Cyber sabotage (of any sort)
Human actions:
• Mistakes by SCADA operators or contractors (3rd parties)
• Actions of insiders (made on purpose)
Compliance:
• Lack of awareness and of hard data for incident forensics
Countermeasures:
• Node security: Protect, Prevent, Report & Remediate
• Network security: Detect, Report
• Firewall/IDS
• Policy
• Education
Defense strategies
[Chart: Percentage of ICS-CERT FY 2014 and FY 2015 incidents potentially mitigated by each strategy]
Node Security
Protect & Prevent & Report & Remediate
Works on ICS/SCADA servers, engineering workstations and HMIs
Must run in high-availability mode and keep protecting without updates, which is why application whitelisting (default deny of anything not on the approved list) rather than signature-based detection is the main technology
External device control (USB and other removable media)
Vulnerability assessment
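The whitelisting point above in working code. This is an added example, not code from the talk or from any vendor's product: an audit-mode application allowlist check in Python that builds an allowlist of executable hashes from a golden image and verifies a node against it, reporting unknown, modified and missing executables. The executable suffixes, directory layout and file contents are constructed assumptions for illustration.

```python
"""Hash-based application allowlist check for an ICS node (added example).

Whitelisting suits SCADA servers and engineering workstations because the
approved software set is small and changes rarely, so the check needs no
signature updates. This audit-mode check builds an allowlist of executable
hashes from a golden image and verifies a node against it. A production
whitelisting agent enforces the same decision at execution time; this
script only reports. Files and directories are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption for the example: a Windows HMI/engineering workstation image.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root: Path) -> dict:
    """Map relative path -> SHA-256 for every executable under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES
    }


def verify(root: Path, allowlist: dict) -> dict:
    """Classify the executables under root against the allowlist.
    'ok' files are the only ones a default-deny agent would let execute;
    'modified' means the path is allowed but the hash changed, 'unknown'
    means the executable is not on the list at all, 'missing' means an
    allowed executable is no longer present."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    current = build_allowlist(root)
    for rel, digest in current.items():
        if rel not in allowlist:
            report["unknown"].append(rel)
        elif allowlist[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(allowlist) - set(current))
    return report


def demo() -> dict:
    """Constructed scenario: golden image vs. a node with one tampered DLL,
    one binary dropped in from removable media and one executable removed."""
    with tempfile.TemporaryDirectory() as tmp:
        golden, node = Path(tmp) / "golden", Path(tmp) / "node"
        for image in (golden, node):
            (image / "bin").mkdir(parents=True)
            (image / "bin" / "hmi.exe").write_bytes(b"HMI runtime build 4.2")
            (image / "bin" / "driver.dll").write_bytes(b"modbus driver 1.0")
            (image / "readme.txt").write_bytes(b"not executable, ignored")
        (golden / "bin" / "historian.exe").write_bytes(b"historian client")
        allowlist = build_allowlist(golden)
        # What changed on the node since the golden image was taken:
        (node / "bin" / "driver.dll").write_bytes(b"modbus driver 1.0 + unknown patch")
        (node / "bin" / "update.exe").write_bytes(b"dropped in via USB")
        return verify(node, allowlist)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:9s} {files}")
```

Running the script classifies `bin/hmi.exe` as ok, `bin/driver.dll` as modified, `bin/update.exe` as unknown and `bin/historian.exe` as missing. On a real node the allowlist would be signed and stored off the host, and the enforcement (blocking execution of anything not "ok") happens in a kernel-level agent rather than in a script.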
Network Security
Detect & Report
Network traffic anomaly detection in passive mode (fed from a TAP or SPAN port, no packets injected into the control network)
Detection of control commands that are potentially dangerous from the technological process point of view (for example a setpoint written outside its safe range)
Network integrity monitoring: detection of new network devices and new communications in the ICS network
Collect and store events as a forensic, monitoring and incident-detection tool
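The summary point that ICS protocols carry no authentication, and the passive network detection described above, in working code. This is an added example, not code from the talk or from any Kaspersky product: a small passive Modbus/TCP monitor in Python that parses requests, reports every write, flags a write that takes a setpoint outside its process limits, and flags hosts not seen in the learning baseline. The frames, IP addresses, baseline and the limit on register 100 are all constructed assumptions for illustration.

```python
"""Passive Modbus/TCP monitor (added example, not from the original talk).

Modbus/TCP carries no credential, signature or integrity field: an MBAP
header and a function code are all a request consists of, so any host that
can reach TCP/502 on a controller can write its coils and registers. A
passive monitor fed from a TAP or SPAN port cannot block that, but it can
report every write, writes that are dangerous for the process, and hosts
that have never talked to the controller before.
All addresses, frames and limits below are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Function codes that change controller state (Modbus Application Protocol v1.1b3).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Hypothetical process rule: holding register 100 on unit 1 is a setpoint
# that must stay within 200..800 (an assumption made for this example).
SETPOINT_LIMITS = {(1, 100): (200, 800)}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU. No field identifies or authenticates a user."""
    if len(payload) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame length")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def build_request(tid: int, unit: int, function: int, addr: int, value: int) -> bytes:
    """Build a request whose PDU is fc + 2-byte address + 2-byte value
    (function codes 3, 5 and 6 share this shape); used to construct samples."""
    pdu = struct.pack(">BHH", function, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def analyse(frames, baseline):
    """frames: iterable of (src_ip, dst_ip, payload) for client->server traffic.
    baseline: set of (src_ip, dst_ip, unit_id, function) tuples recorded in a
    learning phase. Returns a list of alert strings (empty = nothing unusual)."""
    alerts = []
    for src, dst, payload in frames:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append(f"MALFORMED {src}->{dst}: {exc}")
            continue
        if (src, dst, req.unit_id, req.function) not in baseline:
            alerts.append(f"NEW {src}->{dst} unit {req.unit_id} fc {req.function}: "
                          "not seen during learning")
        if req.function in WRITE_FUNCTIONS:
            alerts.append(f"WRITE {src}->{dst} unit {req.unit_id}: "
                          f"{WRITE_FUNCTIONS[req.function]}")
            if req.function == 6 and len(req.data) >= 4:
                addr, value = struct.unpack(">HH", req.data[:4])
                limits = SETPOINT_LIMITS.get((req.unit_id, addr))
                if limits and not limits[0] <= value <= limits[1]:
                    alerts.append(f"DANGEROUS {src}->{dst} register {addr} set to "
                                  f"{value}, outside {limits[0]}..{limits[1]}")
    return alerts


# Constructed sample traffic: an HMI that polls, an engineering workstation
# that writes setpoints, and a rogue host that appears later.
HMI, EWS, ROGUE, PLC = "10.1.2.10", "10.1.2.20", "10.1.2.99", "10.1.3.1"
BASELINE = {(HMI, PLC, 1, 3), (EWS, PLC, 1, 6)}
SAMPLE_FRAMES = [
    (HMI, PLC, build_request(1, 1, 3, 100, 10)),     # read 10 holding registers
    (EWS, PLC, build_request(2, 1, 6, 100, 650)),    # sanctioned write, in range
    (ROGUE, PLC, build_request(3, 1, 6, 100, 950)),  # unknown host, out of range
    (HMI, PLC, b"\x00\x04\x00\x00\x00\x02"),          # truncated frame
]


def demo() -> list:
    """Run the monitor over the constructed capture and return its alerts."""
    return analyse(SAMPLE_FRAMES, BASELINE)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The constructed capture produces five alerts: the sanctioned write from the engineering workstation (reported but not dangerous), then NEW, WRITE and DANGEROUS for the rogue host's out-of-range setpoint, and MALFORMED for the truncated frame. Nothing in the frame itself distinguishes the workstation's write from the rogue host's; only the baseline and the process rule do, which is why the protocol's lack of authentication has to be compensated on the network.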
Firewall/IDS/Remote access
Protect & Prevent & Detect & Report
Supports industrial protocols (so that rules can be written on function codes and register addresses, not only on IP addresses and ports)
Knows specific industrial attacks
Pilot testing
Pilot testing in a test environment is an essential part
Fine-tuning
Customisation for the industry, for the customer and for the product line
Certification by vendors and regulators
Approval by the client
Education
Cyber security awareness (should be part of the induction process)
Employee cyber security training:
• ICS cyber security basics
• Social attacks in a critical infrastructure environment
Cyber security for the SOC: advanced cyber security trainings (malware analysis, reverse engineering, etc.) on a yearly basis
Incident response & Forensics
Common response and forensic services:
• On-demand reports
• Customized reports on incidents/infections
• Early warnings on threats
• Private investigations (from malware analysis to a complex service)
Own CERT:
• Help with organizing it
• Training for staff
• Reports
Summary
Industrial cyber security is not like office cyber security
It requires a specific approach, products and services
Employees are the weakest link, so education is extremely important
Cyber security is not a project, it is a process