Post on 27-Jun-2018

Industry Best Practices for Securing Critical Infrastructure

Cyber Security and Critical Infrastructure

AGENDA

- Difference between IT and OT

- Real World Examples of Cyber Attacks Across the IT/OT Boundary

- How to Select Industry Standards that help bridge the gap between IT and OT

- Apply Industry Standards that help bridge the gap between IT and OT

The Difference Between IT and OT

IT Meets OT (diagram: IT and OT)

Difference between IT and OT

• ICS control the physical world and IT systems manage data

• Risk:

– Health and safety of human lives

– Damage to environment

– Financial issues such as production losses

• Priorities (CIA)

• Performance

• Reliability

Real World Examples of Cyber Attacks Across the IT/OT Boundary

- Baku-Tbilisi-Ceyhan (BTC) Pipeline Blast in Eastern Turkey

- German Steel Mill Cyber Attack

- Target Corporation Attack

- Ukraine’s Power Plant Hack

Real World Examples of Cyber Attacks Across the IT/OT Boundary

Target Corporation Attack

o November 2013: hackers stole unencrypted credit and debit card data for 40 million customers, including PINs, from point-of-sale machines

o The names, addresses, phone numbers, and email addresses of some 70 million customers were also taken, which indicated that backend databases, probably the CRM system, had been breached

o Not the first time: Target was also hacked in 2005

o Companies accepting credit and debit cards adhere to a Payment Card Industry standard for security known as PCI-DSS

o Audits take only a snapshot of a company’s security at the time of the audit, which can change quickly if anything on the system changes

o The payment card industry now uses a technology called EMV, also known as “chip-and-PIN” cards

o Target will pay hack victims $10 million

Real World Examples of Cyber Attacks Across the IT/OT Boundary

Ukraine’s Power Plant Hack

o December 23, 2015: two power distribution companies in Ukraine said that hackers had hijacked their systems to cut power to more than 80,000 people

o Hackers sabotaged operator workstations to make it harder to restore electricity to customers; screens were frozen

o Power was out in some areas for up to 6 hours

o Breakers had to be closed manually since the SCADA management system was down (the outage was caused by opening breakers on the grid)

o BlackEnergy 3 malware was used to pivot from the IT network to the OT network

o The utility’s call center was hit by a denial-of-service attack at the same time as the outage, so that operators would be unaware of how widespread the outage was

o The KillDisk malware was used to destroy the operator workstations and servers

o Earlier, in March 2015, BlackEnergy 2 had been used as part of a spear-phishing campaign

Real World Examples of Cyber Attacks Across the IT/OT Boundary

German Steel Mill Cyber Attack

o December 2015: the German federal agency BSI reported that hackers attacked a steel mill and, through the ICS, destroyed a blast furnace

o Caused “massive” damage

o The attackers gained access to the steel mill through the plant’s business IT network

o Used a spear-phishing attack

o The attackers demonstrated knowledge of both traditional IT security and the industrial control systems in use

o Illustrates the need for strict separation between business IT and production OT networks

Real World Examples of Cyber Attacks Across the IT/OT Boundary

Baku-Tbilisi-Ceyhan (BTC) Pipeline Blast in Eastern Turkey

o August 7, 2008. The pipeline had sensors and cameras to monitor 1,000 miles of pipeline; pressure and oil flow readings were fed to a central control room via a SCADA control system

o Hackers had shut off alarms, cut off communications and over-pressurized the crude oil in the line

o No alarms were triggered by the blast

o 60 hours of surveillance video were erased by the hackers

o A single infrared camera not connected to the SCADA network captured images of two men with laptop computers walking near the pipeline days before the explosion

o The control room didn’t learn about the blast until 40 minutes after it happened, from a security worker who saw the flames

o The hackers’ point of entry was the surveillance cameras

o The explosion caused more than 30,000 barrels of oil to spill in an area above a water aquifer. The shutdown cost BP and its partners $5 million a day

o The State Oil Fund of the Republic of Azerbaijan lost $1 billion in export revenue

Selecting a Cyber Security Program

Security Controls and Assessments

1. Security Controls Standards

2. Assessment Methodologies

1. Security Controls

• ISA/IEC 62443 Industrial Automation and Control Systems Security Document Series (including principles in ISA-99).

Can be purchased here: https://www.isa.org/standards-and-publications/isa-standards/find-isa-standards-in-numerical-order/

http://isa99.isa.org/ISA99%20Wiki/Home.aspx

• NIST 800-82 Guideline to Industrial Control Systems (ICS) Security. Includes guidance on how to tailor traditional IT security controls to accommodate the unique performance, reliability and safety requirements of ICS, with:

- Reliability and safety requirements

- Sections on threats and vulnerabilities

- Risk management

- Recommended practices

- Security architectures and security capabilities and tools

Here is the link: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

2. Assessment Methodologies

• Open Source Security Testing Methodology Manual (OSSTMM). Focus is on transparency and getting business value:

- Useful broad description of categories of testing (Step by step process description)

- Covers scoping, metrics, human security testing, physical security testing, wireless security testing, telecommunications security testing, and data network security testing

- Includes numerous information-gathering templates

You can obtain a copy at www.isecom.org/osstmm.

• Penetration Testing Execution Standard (PTES).

- Helps organizations understand what is involved in conducting a penetration test

- Includes information about Pre-engagement interactions (Scoping and Rules of Engagement), Intelligence gathering (recon), Threat modeling, Vulnerability analysis, Exploitation and post exploitation, and Reporting

- A thorough outline of an in-depth penetration test

Available for free from www.pentest-standard.org

• NIST 800-115 Guideline on Network Security Testing.

- Covers planning, process, analysis, and validation techniques

- Includes an appendix with a rules-of-engagement template

- Includes an appendix with some common tools used in Vulnerability Assessments and Penetration Tests

Available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

• NIST 800-30 Rev 1 Risk Management Guide for Information Technology Systems.

Provides guidance for carrying out each of the three steps in a risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment)

Available here: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

How to Apply Industry Standards that help bridge the gap between IT and OT

Types of Assessments

1. Vulnerability Assessment

2. Risk Assessment

3. Penetration Test

Types of Assessments: Definitions

Vulnerability : a security flaw that can be exploited to cause harm

1. Vulnerability Assessment:

- Focuses on finding vulnerabilities, but not on exploiting them

- Includes policy, process and procedure review

Risk = Impact × Probability

Impact: amount of harm that would be done if a threat successfully exploits a vulnerability

Probability: likelihood that a threat will exploit a vulnerability

2. Risk Assessment: analyzes the likelihood that a threat will exploit a vulnerability to cause harm to a customer’s business

3. Penetration Test:

- Identifies vulnerabilities in the environment

- Exploits said vulnerabilities to gain access to the customer’s systems

- Mimics what real-world hackers would do
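A worked instance of the deck's risk model, Risk = Impact × Probability, turned into the prioritized roadmap the risk assessment is meant to produce. This is an added example, not material from the presentation; the findings, the 1..5 scales, and the level thresholds are constructed. Impact is taken as the worst of the three OT harm dimensions the deck lists (human safety, environment, financial loss), which is why an OT register ranks differently from a pure IT one.

```python
"""Risk scoring and roadmap ordering for assessment findings (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    """One assessment finding with constructed 1..5 ordinal scores."""
    name: str
    probability: int   # 1 = rare ... 5 = almost certain
    safety: int        # 1 = no effect ... 5 = loss of life
    environment: int   # 1 = none ... 5 = major environmental damage
    financial: int     # 1 = negligible ... 5 = prolonged production loss


def impact(f: Finding) -> int:
    # OT priority: the worst harm dimension dominates, so a safety-critical
    # finding is never diluted by low environmental or financial scores.
    return max(f.safety, f.environment, f.financial)


def risk(f: Finding) -> int:
    # The deck's formula: Risk = Impact x Probability (range 1..25 here).
    return impact(f) * f.probability


def risk_level(score: int) -> str:
    # Thresholds assumed for this example; tune to the customer's risk appetite.
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def roadmap(findings: list[Finding]) -> list[tuple[str, int, str]]:
    """Order findings by descending risk; ties broken by safety, then name."""
    ranked = sorted(findings, key=lambda f: (-risk(f), -f.safety, f.name))
    return [(f.name, risk(f), risk_level(risk(f))) for f in ranked]


# Constructed findings echoing the deck's case studies (flat IT/OT network,
# cameras sharing the SCADA segment, unrecoverable operator workstations).
FINDINGS = [
    Finding("Flat network: business IT can reach the PLC VLAN", 4, 4, 3, 5),
    Finding("Unpatched HMI still using the vendor default password", 5, 3, 2, 4),
    Finding("No offline backups of operator workstations", 3, 1, 1, 4),
    Finding("Surveillance cameras on the same segment as SCADA", 3, 2, 2, 3),
    Finding("Outdated antivirus on an engineering laptop", 2, 1, 1, 2),
]

if __name__ == "__main__":
    for name, score, level in roadmap(FINDINGS):
        print(f"{score:>2} {level:<8} {name}")
```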

Cyber Security Program Methodology (diagram: Products, Processes, People across the phases ASSESS, IMPLEMENT, MANAGE)

ASSESS

- Risk and Vulnerability Assessment

- Benefits: transparency on risks and vulnerabilities; holistic view of security breaches from different angles; solution oriented

IMPLEMENT

- Training (people)

- Process improvement (processes)

- Perimeter protection, inline protection, end point protection (products)

- Benefits: minimized risk of unauthorized access, downtime and security breach; extensive, long-term support for all security concerns by security experts and a trusted vendor of automation systems

MANAGE

- Competence management (people)

- Continuous process improvement (processes)

- System and event monitoring and management (products)

- Benefits: fully integrated monitoring solution; overall visibility of security-related events and the status of security measures

“Defense in Depth” concept: creating multiple layers of protection

(Diagram: a potential attack on the IT side, with the following layers of protection in between)

- Physical Security: physical access to facilities and equipment

- Policies & procedures: security management processes, operational guidelines, business continuity management & disaster recovery

- Security cells & DMZ: secure architecture based on network segmentation

- Firewalls and VPN: implementation of firewalls as the only access point to a security cell

- System hardening: adapting systems from default to secure configuration

- User Account Management: administration of operator and user rights (role-based access control)

- Patch Management

- Malware detection and prevention: anti-virus and whitelisting

Cyber Security Risk Assessments Offer Multiple Benefits

- Know your current security posture

- Identify the risks

- Know what controls are in place

- Develop a prioritized security roadmap

Cyber Security Risk Assessment Process

Phase I: Request Documentation

Phase II: On-site Assessment

Phase III: Analyze Information

Phase IV: Deliver Report

Cyber Security Assessment Report

Policy Gap Analysis

Vulnerability Assessment

Threat Assessment

Risk Assessment

Security Roadmap (Solution)

Advantages of closing the gap between IT and OT

Marketplace Advantages of an Intel Cyber Security Program

1. Take Advantage of Data Driven Services (EA, MTA, DTA)

2. The Right Decision at the Right Time based on Reliable Real Time Data

3. Increase Availability, Performance and Quality at lower Energy Costs

The ICS Cyber Security Services group thanks you for your attention!

Khaled BROWN, CISSP

Intel Security | ICS Cyber Security Services | Senior Cyber Security Consultant

Mobile: +1 425-658-6150 |

E-mail: khaled.brown@intel.com

Site : www.intelsecurity.com