IBRAHIM SAMIR HAMAD · 50 Shades of Industrial Controls Systems Security Controls Ibrahim Samir...
Transcript of IBRAHIM SAMIR HAMAD · 50 Shades of Industrial Controls Systems Security Controls Ibrahim Samir...
IBRAHIM SAMIR HAMADOil & Gas Company
Qatar
➢ Corporate Information Security Officer in the oil and gas sector
➢ Has a 17 years’ experience in IT, Telecom, Industrial Systems and
Data Protection
➢ Active contributor in the Cyber Security Community efforts in Middle
East
➢ CISA, CISM , CRISC , CISSP, CSSA, ITILV3 Found/PPO , ISO27001
LA, PRINCE2
@ishamad
50 Shades of Industrial Controls Systems Security Controls
Ibrahim Samir Hamad CISO Oil and Gas
CISA®, CISM® , CRISC® , CISSP®, CSSA® , ITIL®V3 Found/PPO , ISO® 27001 LA, PRINCE2®
This presentation is based on my personal research using the most powerful means of the Knowledge nowadays - Google, Feeds and Twitter. This material is neither representing my current or previous employers nor their shareholders, and never it shall be.To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
The Equation !
3
Risk
RISK
ImpactLikelihood
Threat Vulnerability
Countermeasure
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
The State of Global Cyber Threats
4
Threat
Cyber WeaponsDubbed as Cyber War, Cyber Politics , Cold War 2.0 e.g US Elections
Cyber trauma / Sony Hack / French Election, etc…
Surveillance ToolsPhineas Fisher – Hacking Team / Shadow Brokers – NSA Leak / Wiki
Leaks – CIA Leak
IoEBy 2020 – 26Billion “Things” shall be connected: convergence of the physical
and logical world e.g. Virgin Atlantic, GE , Olympic committees, etc…
Cyber Underground / OperationsDarkWeb , Zeronet, TOR…,Cyber Crime as A Service and Shift towards
Ransomware , Fileless malware, etc…
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Malware…
2010 2011 2012 2013 2014 2015 2016 2017
Stuxnet
(cyber weapon)
Triton/Trisis
(safety system)
Stuxnet
(cyber weapon)
Ukraine #2
(CrashOveride)
Ukraine #1
(BlackEnergy)
NotPetya
(rapid spread)
WannaCry
(rapid spread)
Shamoon
(data destruction)
Shamoon(data destruction)
Havex
(espionage)
DragonFly
(OT focus)
HEALTH & SAFETY
Catastrophic
OPERATIONS IMPACT
Loss of Control
OPERATIONAL DISRUPTION
Financial Loss
BUSINESS DISRUPTION
Financial Loss
RECON/ ESPIONAGE
Threat
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
People Process Technology
To Begin with …!
6
Vulnerability
• Savvy's
• Obscurity
• Ignorance
• Compliance
• Audit
• Configuration Management
• Outsource
• Access Control
• Codes
• Applications
• Architecture
• Physical
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Economy of Global Cyber Threats
7
Vulnerability
97% of Phishing emails contained
Ransomware
46% of Compromised Systems had no malware on them
23% of phishing recipients opened
the attachment
$3.5 Million average cost of cyber breach
99.9%Vulnerabilities dated to 1
year or more old
748% increase in Ransomware
$3 Trillion Impact of lost productivity and
business revenue
200+ Days Attackers present on the victim
System
80+ Days from detection to recovery
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Sample …Even gets “better” with ICS Savvy's
8
Vulnerability
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Sample ….IoE … Make it even more obvious
9
Vulnerability
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Sample ..… Technology Flaws
10
Vulnerability
Ignition by Inductive Automation is
the first SCADA software solution
built entirely on Java. Ignition’s use
of Java makes it totally cross-
platform compatible and easily web-
deployable, two major reasons for
the software’s growing community
of global Ignition users.
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Sample .… Vendor Flaws
11
Vulnerability
Distribution of ICS Software Update
on USBs as secure way of sending
updates
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Reality… OT Vs Banking Security
12
Big Picture
Banking Industrial
• Monetary
• Reputation
• Privacy Impact
• Fatalities
• Environment
• State Disruption
• Fraud
• Data Leak
Threat
• Nation State
• Domain 5
• Vendors
• Insider
• Application
• Accessible to ALL Vulnerability
• Legacy
• Everything ….
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Zoom Out …Where did IT Controls fail ?
13
IT
Hacking TeamPassword was “passw0rd” and download data as “engineer”
Ashley MadisonSQLi and Password was “Pass1234” on all servers
IRSSocial Engineering through data gathering from
credit reports followed by undetected 400,000
attempts
AnthemWatering Hole Attack and weak admin
password.
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Zoom In….Where Do ICS Controls Promise to Fail
14
OT
False Understanding of Patch Management vs Vulnerability Management
Patch Management is effective but inefficient towards Vulnerability Management
Aggregate of vulnerabilities
In many cases; the perpetrators have used many vulnerabilities to achieve their goal
Obscurity• Understanding that Antivirus (not even anti-Malware) is the Only required security
protection
• Counting only on Physical Security and Air Gaps
• Thinking that a Recovery is possible counting on vendors and manual operation
01
02
03
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
When IT & ICS Risks Converge……German Steel Factory
15
ISA FLASH N°62 – Décembre 2016
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Controls … “Typical IT Modern” High Level Controls
16
CountermeasureT
rain
ing
, Ed
ucatio
n a
nd
Aw
are
ness
Organization
Governance
Compliance
Inventory,
Identification
and
Classification
End point
hardening &
Perimeter
Security
Controls,
Risk,
Vulnerability
Management
Backup &
Recovery
Security
Posture
Monitoring
Threat
Management
Mobile
device
security
Identity
governance
Data
Ecosystem
Business
resilience
strategy
Data centric
security
Cloud
security
Supply Chain
Security
IT & IoE
security
convergence
Dig
ital
Re
ad
y
Secu
rity
Matu
re
Se
cu
rity
Fo
un
dati
on
al
Secu
rity
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Controls … ICS “Typical” Controls
17
CountermeasureT
rain
ing
, Ed
ucatio
n a
nd
Aw
are
ness
Organization
Governance
Compliance
Inventory,
Identification
and
Classification
End point
hardening &
Perimeter
Security
Controls,
Risk,
Vulnerability
Management
Backup &
Recovery
Security
Posture
Monitoring
Threat
Management
Mobile
device
security
Identity
governance
Data
Ecosystem
Business
resilience
strategy
Data centric
security
Cloud
security
Supply Chain
Security
IT & IoE
security
convergence
Dig
ital
Re
ad
y
Secu
rity
Matu
re
Se
cu
rity
Fo
un
dati
on
al
Secu
rity
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
Controls … OT “Modern Enough” Controls
18
Organization
and
Governance
Inventory,
Identification
and
Classification
Awareness
and
Education
End point
hardening
IT and OT
Interface
security
3rd Party
Interface
Security
Security
Posture
Monitoring
SIEMBackup &
Recovery
Risk
Management
Incident
Management
Cloud
security
Operation
resilience
strategy
Vulnerability
Management
Business
resilience
strategy
Dig
ital
Read
y
Secu
rity
Matu
re
Secu
rity
Fo
un
dati
on
al
Secu
rity
Compliance
Management
Threat
Management
Supply Chain
Security
Identity
governance
Countermeasure
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
OT Security Monitoring is Key
19
The Approach
Collection Processing Analysis
Gathering of relevant
ICS/OT Events and
Process Data
Correlation of data with
operational base lines and
posture
Pin point known bads or
Unknows outside the baseline
Malicious Activity
Unintentional
Activity
Capability ???
ICS Environment
Internal
External
Governance
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
ICS/OT Security Monitoring Capability
20
Ecosystem
Baseline Identify
• Traffic (North-to-South, East-to-West)
• Asset Behavior
• Commands on the wire (Modbus commands,
DNP3…etc)
• Protocol baseline for desired process
operations (shutdown, Production,
maintenance …etc)
• Monitor most prevalent vulnerabilities
• Identify Anomalous behavior by deviation from
the Baseline
• Detect new running services and new files , Spot
changed files
• Monitor on the wire commands and detect
inserted commands (computational), sensor
overwrite value (false data injection) and traffic
reroute.
• Monitor firmware upload to serial-to-ethernet
devices
• Some specific indicators e.g.
- Discover anomalous DNS requests
- Identify any network connections using the
Windows SMB1 protocol
- port scan Automatically to create a baseline of
network devices,
- network communication patterns (e.g.
machines communicating using BE3 and
Killdisk)
ICS
-CE
RT
An
nu
al A
sse
ssm
en
t R
ep
ort
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me
CISO perspective…OT Security Monitoring is Key
21
Ecosystem
ICS/OT
Monitoring
Incident Response
Threat
Management
Minimize Impact
Of Prolonged
Mitigations and
Legacies
Optimize
Maximize
Investment
RISK
Monitoring
Business
Enablement (IoE ,
Convergence ,
Block Chain ,
Digital
Outsourced or in house?
This presentation is based on my personal research using the most powerful of Knowledge nowadays - Google, Feeds and Twitter.
This material is neither representing my current or previous employers nor their shareholders, and never it shall be.
To reach me, please use my LinkedIn or twitter (@ishamad)Disclaimer …I represent nobody but me 22
THANKYOU