ISA-Calgary-Show-2015-IACS-Cyber-Incident-Preparation

IACS CYBER INCIDENT PREPARATION
by Austin Scott, GICSP, SSCP
Project and Services Delivery Manager, Cimation Canada

Industrial Cyber Security Challenges

Cyber Incident Defined
Disruption in electronic communications between systems or systems and people that impacts:
1. Confidentiality,
2. Integrity, and/or
3. Availability.

Incident Response Framework
P.I.C.E.R.L. Lifecycle
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Remediation
6. Lessons Learned
• Mitigation of Risk
• Reduce Impact
• Save Time

Cyber Incident Industry Trends
[Charts: Incidents and Vulnerabilities by year, 2011 to 2014; Incidents By Industry (Energy 32%); Attack Vectors (Unknown 40%)]

Life Cycle Approach to Incident Management

People
Cyber Drills
• Add Cyber Element to existing ERP / safety drills
Educate Community
• Policies
• Identification
• Escalation
Assign a Team
• Senior Management
• Industrial IT / Programmer / MCSE
• Operations
• Communications Manager
• Legal Representation

Process
Who to Contact, Escalation, Incident Logging
Identification
Classification
Intent

Technology
Network Diagram and Asset Inventory
Enable and Protect Network and Windows Event Logging

APPENDIX – 2014 Energy Cyber Incidents

Energetic Bear / Dragonfly Group / Havex / Karagany
WHAT: Systematic targeting of Western energy companies by Russian hackers. Injected a Trojan into industrial control systems with remote control capabilities.
HOW: Spear phishing / Watering hole / Remote Access Tools / Trojans in ICS Software
WHY: Industrial espionage. Industrial sabotage.
IMPACT: Over 1000 energy companies in 84 countries were reported compromised.
WHEN: Reported June 2014. Learn more in Cimation’s report.

Black Energy
WHAT: Russian cyber underground hacking toolkit that provides an advanced Trojan with command and control capabilities. Used to target the users of various Human Machine Interface (HMI) products.
HOW: Targeting GE and Siemens SCADA/HMI products directly connected to the Internet.
WHY: Industrial espionage. Industrial sabotage.
IMPACT: Compromised “numerous” industrial control systems.
WHEN: Reported December 2014

Norwegian Energy Industry Targeted
WHAT: 300 Energy companies in Norway were targeted by a sophisticated attack. Largest cyber attack in Norway's history.
HOW: Not publicly disclosed.
WHY: Industrial espionage.
IMPACT: 50 Energy companies were reported compromised.
WHEN: Reported August 2014

2014 ICS-CERT Incidents By Industry
Energy: 32%
Critical Manufacturing: 25%
Other: 26%
Healthcare: 6%
Government: 5%
Water: 5%
Nuclear: 2%

2014 ICS-CERT Incident Attack Vectors
Unknown: 38%
Scanning: 22%
Spear Phishing: 17%
Misc: 23%