Industrial Attacks Increasing in Frequency (slide deck, media.arpel2011.clk.com.uy/ciber/28.pdf)

ARPEL CONFERENCE IN BUENOS AIRES: INDUSTRIAL CYBERSECURITY

19 October 2016, Francisco Souto

© 2015 by Honeywell International Inc. All rights reserved.

Industrial Attacks Increasing in Frequency & Sophistication, Impacting Uptime, Efficiency and Time to Market

Customer Requirements Are Not One Size Fits All

Global Industry Challenges
• IIoT Increases Cyber Risk
• Inconsistent Standards
• More Regulation is Expected
• Cyber Skill Set Gaps + Aging Workforce
• IT/OT Convergence
• Operational Silos



ICS-CERT Incident Statistics 2015*

Critical Infrastructure Reported Incidents

• In FY 2015, ICS-CERT responded to 295 cyber incidents. This represented a 20 percent increase over FY 2014.
• The Critical Manufacturing Sector nearly doubled to a record 97 incidents, becoming the leading sector for ICS-CERT in FY 2015.
  - "widespread spear-phishing campaign that primarily targeted critical manufacturing companies"
  - "…a significant number of incidents enabled by insufficiently architected networks …"

(* Fiscal Year October 2014 – September 2015)

Critical Manufacturing Is Now the Leading Sector in Cyber Security Incidents

Source: ICS-CERT Monitor


ICS-CERT Incident Sources 2015

Some Incredibly Easy Ways In

(Chart labels: Spearphishing Has Grown Substantially; Bad Passwords; Network Probes)


ICS-CERT Recent Analysis

Multiple Approaches Offer Best Cyber Security Protection

Source: ICS-CERT


March-April 2016 ICS-CERT Monitor: First Ransomware ICS Hit

Lansing Board of Water & Light (Lansing BWL) hit 25 April 2016

Due to Common Practices, ICS Are Extremely Vulnerable


Attack Vectors: How Did They Get In? (statistics from ICS-CERT 2015)

Typically Spreads Across Network, Device to Device

• We don't know (38%)
• Brought in by employees, contractors, security guards, janitors, etc.
  - Spearphishing (37%)
  - Laptops, phones, USB sticks, FitBit and IoT equivalents
  - Files from business side of plant
    - Adobe PDFs, Excel spreadsheets, Word documents
    - Windows update files, Anti-Malware files (source isn't what you think)
  - Games (Adobe Flash)
• Access from external network
  - Network scanning/probing
  - Inadequate / Improperly configured firewalls
  - Communication with Business side of Plant
• They are getting better at hiding when they're done
  - "Approximately 69 percent of incidents had no evidence of successful intrusion into the asset owner's environment"

(Image: Fit Bit Injecting Malware into a PC)


Spearphishing

Simple Methodology Now Dropping More Sophisticated Malware

(Diagram labels: Malware Injection; Once Injected, can spread)

Source: AstraID


The Bad News: Malware Travels

(Figure: A graph of computers infected from an initial victim (May 11th, 2010 infection). Courtesy of Symantec Corporation)

Malware Spread from Ground Zero

Once Malware Infects One System, It Will Spread


Get In & Establish Communication Out

• Access is unintentionally provided
  - Gain foothold on the endpoint
    - Phishing & social media
    - Weak or common passwords
    - "Security" at home
  - Inject Malware/Infected files
    - Updates not maintained
  - Create a backdoor
• Establish Communication
• Firewalls typically configured for INBOUND traffic rules
  - PCN → Internet
  - PCN → Business → Internet
  - PCN → Carried Device → Outside
  - Others…

AirGap is a Myth…

(Diagram labels: Way Out; Backdoor)


Firewalls Add to Architecture Segmentation

Goal Is Safety & Containment

• Zones and Conduits
  - Protect and Contain
  - Grouping of nodes with like security requirements
  - Conduits should always be from adjacent zones
• Security Controls
  - Separation from Business Network
  - Firewall Segmentation
    - Rule Management – Especially Outbound
    - Review Configuration
    - Log Review
    - Consider Next Generation Firewall
  - Includes advanced inspection functionality

(Diagram: Level 1 Process Control; Level 2 Supervisory Control; Level 3 Advanced Control; Level 3.5 DMZ; Level 4 Business Network. Per zone: Block Non-Essential Communication Protocols; Filter Communications Between Zones; Disable Apps Not Required Within Zone. Process Control zone: ModBus Firewall (Tofino) or NG Firewall; zones managed by PCN. Check BOTH Ingress and Egress Rules.)
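As an added example (not code from the deck or from Honeywell), a small Python checker for the zone-and-conduit rules on this slide and for the inbound-only firewall habit described on the "Establish Communication Out" slide: it flags allow rules that skip a level, non-essential protocols touching the process control zone, and zones whose default egress is not deny. The zone names, the Modbus-only essential set and the rule format are assumptions made for the example.

```python
from dataclasses import dataclass

# Zone order taken from the slide's diagram, with "Internet" appended beyond Level 4
ORDER = ["L1", "L2", "L3", "L3.5", "L4", "Internet"]
# Protocols treated as essential inside Level 1 (assumption for this example; the
# slide only names a Modbus firewall in front of the process control zone)
ESSENTIAL_L1 = {"modbus/tcp"}

@dataclass(frozen=True)
class Rule:
    src: str     # source zone
    dst: str     # destination zone
    proto: str   # protocol name
    action: str  # "allow" or "deny"

def is_adjacent(a: str, b: str) -> bool:
    """Conduits should only join neighbouring levels (no L4 -> L2 shortcuts)."""
    return abs(ORDER.index(a) - ORDER.index(b)) == 1

def audit(rules, default_egress):
    """Return sorted findings: level-skipping conduits, non-essential protocols touching
    the process control zone, and zones whose default egress policy is not deny."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if not is_adjacent(r.src, r.dst):
            findings.append(f"conduit skips a level: {r.src}->{r.dst} {r.proto}")
        if "L1" in (r.src, r.dst) and r.proto not in ESSENTIAL_L1:
            findings.append(f"non-essential protocol in process control zone: {r.proto} ({r.src}->{r.dst})")
    for zone, policy in default_egress.items():
        if policy != "deny":
            findings.append(f"default egress not denied in {zone}: outbound path is unchecked")
    return sorted(findings)

# Constructed sample rule set and per-zone default egress policy (not taken from the deck)
SAMPLE_RULES = [
    Rule("L1", "L2", "modbus/tcp", "allow"),
    Rule("L2", "L1", "modbus/tcp", "allow"),
    Rule("L2", "L3", "opc-ua", "allow"),
    Rule("L3", "L3.5", "https", "allow"),
    Rule("L3.5", "L4", "https", "allow"),
    Rule("L4", "Internet", "https", "allow"),
    Rule("L4", "L2", "rdp", "allow"),        # business network straight into supervisory control
    Rule("L1", "L2", "http", "allow"),       # web traffic leaving the process control zone
    Rule("L3", "Internet", "dns", "allow"),  # PCN -> Internet, the path the slide warns about
]
# L1 and L3 only filter inbound traffic here: the "INBOUND rules only" habit from the slide
SAMPLE_EGRESS = {"L1": "allow", "L2": "deny", "L3": "allow", "L3.5": "deny", "L4": "deny"}
```

Calling `audit(SAMPLE_RULES, SAMPLE_EGRESS)` returns five findings: the two level-skipping conduits, the two zones without default-deny egress, and the HTTP rule touching Level 1.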


Customer Cyber Challenges and Impacts

Global Industry Challenges
• Process: Reactive → Need Proactive
• Technology: Standalone → Need Integrated
• People: Skills Shortage with Regulatory Pressures

Customer Impacts: Public Image; Safety; Availability; Environment; Financial

* Source: ARC 2016


Driven by standards and regulations

• IEC 62443 (Formerly ISA 99 & WIB)
  - Industrial Automation Control Systems (IACS) Security
  - Global standard for wide range of industry
  - Honeywell ICS is active contributor to the development of the standard through ISA
• NERC CIP
  - North American Power
• ANSSI, BSI, CPNI, MSB, INCIBE, OLF/Norog, etc.
  - European guidelines, best practices and country-specific measures
• JRC & ENISA recommendations
  - European Union
• NIST
  - US technology standards (SP 800-82)
• And others: ISO, API, OLF
  - E.g. ISO 27000, API 1164, OLF 104
• Local regulations


Typical Cyber security level (IEC 62443)

| Security Level | Actor | Skills | Motivation | Means | Resources |
|---|---|---|---|---|---|
| SL4 | Nation-state | ICS specific | High | Sophisticated (Campaign) | Extended (multi-disciplinary teams) |
| SL3 | Hacktivist, Terrorist | ICS specific | Moderate | Sophisticated (Attack) | Moderate (groups of hackers) |
| SL2 | Cyber crime, Hacker | Generic | Low | Simple | Low (Isolated individuals) |
| SL1 | Careless employee, contractor | No attack skills | Mistakes | Non-intentional | Employee, contractor |


C2M2 Maturity Indicator Levels


Industrial Cyber Security Solutions

• Cyber Security Assessments
• Threat Risk Assessments
• Network & Wireless Assessments
• Audits and Design Reviews

• Firewall, Next Gen FW
• Intrusion Prevention (IPS)
• Network Access Control

• Industrial Anti-Virus & Patching
• End Node Hardening
• Industrial Application Whitelisting
• Portable Media/Device/USB Security

• Risk Manager (in SOC)
• Continuous Monitoring
• Compliance & Reporting
• Industrial Security Information & Event Management (SIEM)
• Security Awareness Training

• Secure Design and Optimization
• Zone & Conduit Separation

• Backup and Recovery
• Incident Response
• Disaster Recovery


Industrial Cyber Security Risk Manager

Real time, continuous visibility, understanding and decision support

• Proactively identifies cyber security vulnerabilities and threats, and quantifies and prioritizes risks
• Easy-to-use Interface: No need to be a cyber security expert
• Real time assessment and continuous monitoring for improved situational awareness
• Multi automation vendor support
• Low impact technology won't disrupt operations

Proactively Monitor, Measure, and Manage Cyber Security Risk


Managed Industrial Cyber Security Services

Monitoring, Reporting and Expert Support

• Patch and Anti-Virus Automation
  - Tested and qualified patches for operating systems & DCS software
  - Tested and qualified anti-malware signature file updates
• Security and Performance Monitoring
  - Comprehensive system health & cybersecurity monitoring
  - 24x7 alerting against predefined thresholds
• Activity and Trend Reporting
  - Monthly or quarterly compliance & performance reports
  - Identifying critical issues and chronic problem areas
• Advanced Monitoring and Co-Management
  - Honeywell Industrial Cyber Security Risk Manager
  - Firewalls, Intrusion Prevention Systems, etc.
• Secure Access
  - Highly secure remote access solution
  - Encrypted, two factor authentication
  - Complete auditing: reporting & video playback


Recent Cyber Security Incidents

• German BSI reported in 2015:
  - Hackers manipulated and disrupted control systems at a steel mill in Germany
  - Blast furnace could not be properly shut down, resulting in massive damage!
• Blackout in Western Ukraine on 23 Dec 2015: First Cyber-Attack to cause Power Outage
  - BlackEnergy backdoor + KillDisk component = Deletes Files/Events, Terminates Processes
  - "Blinded" the dispatchers and wiped SCADA system hosts (servers and workstations)
  - Flooded the call centers to deny customers calling to report power out
  - Mitigation via staff who manned substations to manually re-close breakers to energize the system
• SYNful Knock
  - Cisco router (1841, 2811, 3825) implants (firmware modification)
  - Creates backdoor into the system
• Hammertoss
  - Spear phishing attack (Email, Twitter, Github)
  - Espionage
• Pawnstorm
  - Adobe zero-day and Java zero-day exploits used
  - Espionage


Additional Resources

ICS-CERT: Seven Steps to Effectively Defend ICS: https://ics-cert.us-cert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf

ICS-CERT: Overview of Cyber Vulnerabilities: https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities

NIST: Guide to Industrial Control Systems (ICS) Security, Revision 2: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Homeland Security Today: Iranian Cyber Attack…Clear and Present Danger: http://www.hstoday.us/briefings/daily-news-analysis/single-article/iranian-cyberattack-reveals-clear-and-present-danger-to-us-critical-infrastructure/1f1aeae7c1a03dfc86ebb7c985bc8289.html

Homeland Security Today: Four Dangerous Myths…: http://www.hstoday.us/single-article/special-four-dangerous-myths-about-infrastructure-cybersecurity/d188461055c71fd8f39bf09ed28ad324.html

Link for Obsolete Switch/Routers: http://hpsvault.honeywell.com/sites/HPSVaultSupportLibrary/software-downloads/FTE-Qualified-IOS-Firmware-for-Cisco-Switches.pdf


Key References

• DHS: Department of Homeland Security
  - DHS-CS&C: DHS Cyber Security & Communications
    - ICS-CERT: Industrial Control Systems – Cyber Emergency Response Teams
• ISA/IEC-62443: Instrumentation, Systems, and Automation / International Electrotechnical Commission
  - Network and system security for industrial-process measurement and control (Strong history of Honeywell activity)
  - Honeywell was the first company to achieve ISASecure Device Certification (Honeywell Safety Manager)
    - Currently four Honeywell devices with ISASecure Certification
    - R410 received ISASecure Certification in September 2015


Thank you! Questions?