Transcript of OT/ICS Cyber-Hacking into Industrial organizations · 2019-02-20
Sylvain Denoncourt GSEC, CISSP
IoT architecture Consultant
Cisco
OT/ICS Cyber-Hacking into Industrial organizations
June 7th 2018
What would you do differently if you KNEW you were going to be compromised?
It’s no longer a question of “if” you’ll be breached, it’s a question of “when”…
Computer networks controlling the buildings and infrastructure architects design are regularly being hacked…
This tends to go under-reported, because it often involves private companies concerned for their public images, and untreated, because these systems are coordinated by various parties that have never been responsible for cyber security.
Source Architizer : https://architizer.com/blog/hacking-architecture/
#WWST #CISCOVT #CISCOSE
The Evolution of the Cyber Criminal: now a sophisticated business focused on ROI

Old School Threats              Modern Threats
Cyber-punks/Hackers             Professional organized crime
Individual’s Data               Trusted Insiders
Unsophisticated                 Targeted/ROI
Notoriety/Political             Sophisticated Supply Chains
Opportunistic                   Nation State
Nation State                    Multi-Billion $$ Business
The many faces of IoT hacking
• Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer
  https://thehackernews.com/2018/04/iot-hacking-thermometer.html
• Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds
  https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/
• Vehicle CAN bus control
• Massive DDoS Attack Against Dyn DNS Service Knocks Popular Sites Offline
  https://thehackernews.com/2016/10/dyn-dns-ddos.html
IT vs OT
IT - Information Technology
• Pertains mainly to the corporate offices
• Connects people and servers
• More homogeneous in nature
OT - Operational Technology
• Pertains to industrial environments (ICS – Industrial Communication Systems): manufacturing floor, utility substation, oil rig, mining etc.
• Connects mainly endpoints, sensors and meters…
• Multiplicity, differences in data format, as well as often huge amounts of raw data
IT and OT organisations are converging
• Convergence driven by technology evolution and the pressure to reduce costs
• Different culture and skillset between the two organisations
• OT: driven by resilience objectives
• IT: driven by the need to meet end user expectations at the lowest possible cost
• Resistance to change
• Very different reporting structures
Industrial networks are increasingly becoming targets
Escalating Attacks in the IoT/OT Domain
• Shamoon wipes 30K computers
• 2010: Stuxnet hits centrifuges in Iran nuclear compound
Stuxnet in Action: Losing Trust at the PLC Layer
[Diagram of the network layers: Internet, Media, Computers and Vendors/Partners; Corporate Network; DMZ; HMI Network (Situational Awareness, Control, Protection); ICS Network (Programming, Maintenance); PLC Network (Physical Devices)]
2014 hack attack causes 'massive damage' at German smelter
http://www.bbc.com/news/technology-30575104
“…the attackers infiltrated the corporate network using a spear-phishing attack that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer.” – WIRED 2015
2015 Ukraine power grid hack
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
Aftermath of the Attack
• At 3:35 pm on Dec 23rd 2015, the Ukrainian Kyivoblenergo (local energy company) experienced outages as a result of its SCADA systems being hacked
• Breakers were opened by hackers in 7 x 110 kV & 23 x 35 kV substations
• 225K people impacted, 6 hrs of lost power over 3 regions
Ukraine power grid attack - The killchain: a highly orchestrated approach
Phase 1 The Preparation (IT Domain - The Intrusion)
• Spear phishing to gain access to the IT corporate network
• Delivery + exploit + install BlackEnergy malware on the victim’s workstation: C2 (command and control)
• Recon: PSExec to gather environment info
• Credentials theft: Mimikatz & LM-hashed
• Attackers issued VPN connections from the corporate network into the ICS network
Phase 2 The ICS Attack (Attack on OT Domain)
• Hijacking of the substation SCADA HMI’s
• Execute power outages: attacks SCADA through the HMI with malicious operation to open breakers (“phantom mouse”)
• Malicious firmware developed for the serial-to-ethernet devices PLC/RTU:
  - Firmware upload
  - UPS compromised in DC
  - DDOS the call centers
  - KillDisk to erase evidence + delete targeted logs
[Diagram: the steps above numbered 1–8 across the CORP. and ICS zones]
A few observations and facts…
Common Pathways into OT Environments
The human element is usually the path of least resistance
Coupled System + Spear-phishing (fake targeted email) = Risk
Phishing leaves business on the line
• Phishing continues to be the root cause of major breaches
• URL shorteners, URLs in attachments, domain shadowing & domain squatting are the tricks employed by adversaries
• Relying on social engineering methods to trick users into clicking the bad links
• Strong integration of web intelligence with the email gateway & user awareness are the need of the hour
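Two of the tricks listed above, URL shorteners and domain squatting, can be triaged at the mail gateway with a small amount of logic. The following is an added example, not code from the presentation or from Cisco: it extracts URLs from a message body, flags hosts on a shortener list, and flags hosts within a small edit distance of the organisation's own domains. The watched domain `example-energy.com` and the e-mail body are constructed; the shortener hostnames are real public services but the list is illustrative only.

```python
"""Triage of URLs in an inbound e-mail for two of the tricks on the slide:
URL shorteners and domain squatting (look-alike domains).
Added example, not from the presentation. The watch list and the e-mail
body are constructed for illustration."""
import re
from urllib.parse import urlparse

# Constructed: domains the organisation legitimately uses.
WATCHED_DOMAINS = ("example-energy.com",)
# Real public shortener hostnames; illustrative, not exhaustive.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed lure: one look-alike domain, one shortened link and one
# genuine link under a watched domain.
EMAIL_BODY = """Hello,
Please review the updated maintenance schedule at https://example-enegry.com/schedule
and confirm via http://bit.ly/3xyzabc before Friday.
Regards, Operations Portal: https://portal.example-energy.com/login
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are hostnames, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str):
    """Verdict string for a suspicious host, or None if nothing stands out."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if host in SHORTENERS:
        return "url shortener"
    for good in WATCHED_DOMAINS:
        # An exact match or a subdomain is treated as legitimate here. That is
        # exactly the gap domain shadowing exploits (attacker-created records
        # under a hijacked legitimate zone), so it needs DNS/registrar
        # monitoring rather than this string check.
        if host == good or host.endswith("." + good):
            return None
        if levenshtein(host, good) <= 2:
            return f"lookalike of {good}"
    return None


def analyze_urls(text: str):
    """(url, verdict) for every suspicious URL, in order of appearance."""
    findings = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict = classify_host(host)
        if verdict:
            findings.append((url, verdict))
    return findings


if __name__ == "__main__":
    for url, verdict in analyze_urls(EMAIL_BODY):
        print(f"{verdict:32s} {url}")
```

The edit-distance threshold of 2 catches transposed and single-character substitutions but will also match short, unrelated domains against short watched names; in practice the threshold should scale with the length of the watched domain, and the shortener list should be fed from threat intelligence rather than hard-coded.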
The Security Challenge
• Scale: too many alerts
• Complexity: securing everything
• Sophistication: keeping up against attackers
100% of customers lack network segmentation at time of breach
$3.8M average cost of a data breach
• Motivated & Targeted Adversaries: state sponsored; financial/espionage motives; $1T cybercrime market
• Increased Attack Surface: BYOD blurring the perimeter; public cloud services; enterprise IoT
• Increased Attack Sophistication: advanced persistent threats; encrypted malware; zero-day exploits
200 days: industry average detection time for a breach
60 days: industry average time to contain a breach
Network Architecture Concerns…
• A bad network design is as big a threat to security success as the lack of security.
• Better to know what you are missing than to think you are safe.
[Diagram of machine-level networks: Enterprise Ethernet, Proprietary Ethernet, I/O Fieldbus, Motion Net, Safety Net, “to next machine”; topologies shown as STAR, TRUNK/DROP, FIBER RING and DAISY CHAIN]
This does not mean that there was no architecture - it is likely that the architecture eroded over time.
IoT Cyber Security Principles for IT environment
Priority order: C I A (Confidentiality, Integrity, Availability)
Policy Management with IT Convergence & Ease of Use
Access Control
• User and Device Identity
• Authentication, Authorization & Accounting
Data Confidentiality and Data Privacy
• Network Segmentation
• Secure Connectivity
Threat Detection and Mitigation
• Security Zones
• Intrusion Prevention; Application Visibility
Device and Platform Integrity
• Device Hardening and Secure Platform
• Configuration Assurance

IoT Cyber Security Principles for OT environment
Priority order: A I C (Availability, Integrity, Confidentiality)
Policy Management with OT / IT Convergence & Ease of Use
Same principle groups as for IT: Access Control; Data Confidentiality and Data Privacy; Threat Detection and Mitigation; Device and Platform Integrity
It comes down to one simple question: how do you deal with that?
It takes an Architecture
Yes, but would you fly something like this?
Cisco IoT Threat Defense: detect, block, and respond to IoT threats
Ukraine power grid attack - The killchain: What could have been done?
Kill chain steps (as on the earlier slide):
• Spear phishing to gain access to the IT corporate network
• Delivery + exploit + install BlackEnergy malware on the victim’s workstation; C2 (command and control)
• Credentials theft
• Attackers issued VPN connections from the corporate network into the ICS network
• Hijacking of the substation SCADA HMI’s
• Execute power outages: attacks SCADA with malicious operation to open breakers
• Malicious firmware developed for the serial-to-ethernet devices: firmware upload; UPS compromised in DC; DDOS the call centers; KillDisk to erase the MBR and delete targeted logs
Controls placed against those steps on the slide:
• Email Security, Umbrella (against the spear phishing)
• AMP & ThreatGRID
• Cisco ISE
• ISA-3K industrial / ISA 3000 FW, Firepower
• “Police register values!”
• Stealthwatch, Splunk, big data machine learning and correlation
Remote Access Control to the ESP / ICS sensitive zone: separation between corporate and production networks is a must!
[Diagram: External contractor → Corporate zone (Enterprise SW) → Industrial FW → Multi-Service zone (Jump Box, Industrial SW) → Industrial FW → ESP Zone / ICS sensitive zone (Industrial SW), with an MPLS Substation Edge router; ✖ marks a blocked path]
1. Device is scanned and user authentication verified – 2-factor auth, 802.1x, certificate
2. User profile + NGFW limits applied; disable split tunnel
3. VDI host operates as a virtual air gap providing isolation to the ESP (Jump Box)
4. Switch port security and identity profiling control such as TOD (time of day) and duration + monitor device
5. Centralized logging of events promotes accurate audits
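The five-step remote access path above is essentially a policy decision followed by an audit record. The block below is an added example, not Cisco's or the presentation's own code, that evaluates a remote session request against those steps: posture, second factor and 802.1x certificate (step 1), split tunnel disabled (step 2), ESP reachable only through the jump box in the multi-service zone (step 3), a time-of-day window and duration limit (step 4), and one JSON line per decision for the central log (step 5). The zone names, the 07:00–19:00 window, the 120-minute limit and the sample requests are constructed assumptions.

```python
"""Policy evaluation for the remote access path on the slide
(contractor -> corporate zone -> jump box in the multi-service zone -> ESP).
Added example, not from the presentation; zone names, window and session
limit are constructed assumptions."""
from __future__ import annotations
import json
from dataclasses import dataclass, asdict
from datetime import datetime

# Permitted hops only. There is deliberately no ("corporate", "esp") entry:
# that is the blocked path marked on the slide.
ALLOWED_HOPS = {("corporate", "multi-service"), ("multi-service", "esp")}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    src_zone: str
    dst_zone: str
    via_jump_box: bool       # step 3: session brokered by the VDI/jump box
    posture_ok: bool         # step 1: device scanned
    mfa_verified: bool       # step 1: second factor
    dot1x_cert_valid: bool   # step 1: 802.1x with certificate
    split_tunnel: bool       # step 2: must be disabled
    start: datetime
    requested_minutes: int   # step 4: duration control


@dataclass(frozen=True)
class Policy:
    window_start_hour: int = 7     # step 4: TOD window, assumed 07:00-19:00
    window_end_hour: int = 19
    max_session_minutes: int = 120


def evaluate(req: AccessRequest, policy: Policy = Policy()) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed check is reported, not just the
    first, so the audit trail shows the full picture of a denied request."""
    reasons = []
    if not req.posture_ok:
        reasons.append("device posture scan failed")
    if not req.mfa_verified:
        reasons.append("second factor not verified")
    if not req.dot1x_cert_valid:
        reasons.append("802.1x certificate invalid")
    if req.split_tunnel:
        reasons.append("split tunnel must be disabled")
    if (req.src_zone, req.dst_zone) not in ALLOWED_HOPS:
        reasons.append(f"path {req.src_zone}->{req.dst_zone} not permitted")
    if req.dst_zone == "esp" and not req.via_jump_box:
        reasons.append("ESP reachable only through the jump box")
    if not policy.window_start_hour <= req.start.hour < policy.window_end_hour:
        reasons.append("outside permitted time-of-day window")
    if req.requested_minutes > policy.max_session_minutes:
        reasons.append("requested duration exceeds session limit")
    return (not reasons, reasons)


def audit_record(req: AccessRequest, allowed: bool, reasons: list[str]) -> str:
    """Step 5: one JSON line per decision for the centralized log."""
    record = asdict(req)
    record["start"] = req.start.isoformat()
    record.update(decision="allow" if allowed else "deny", reasons=reasons)
    return json.dumps(record, sort_keys=True)


# Constructed sample requests.
SAMPLE_REQUESTS = {
    "brokered": AccessRequest("contractor-7", "multi-service", "esp", True, True, True, True,
                              False, datetime(2018, 6, 7, 10, 0), 60),
    "direct": AccessRequest("contractor-7", "corporate", "esp", False, True, True, True,
                            False, datetime(2018, 6, 7, 10, 0), 60),
    "after_hours": AccessRequest("contractor-7", "multi-service", "esp", True, True, True, True,
                                 False, datetime(2018, 6, 7, 23, 0), 300),
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        allowed, reasons = evaluate(req)
        print(name, audit_record(req, allowed, reasons))
```

Denying on the path itself (no corporate-to-ESP hop exists in the table) is what makes the segmentation enforceable: a user who passes every authentication check still cannot reach the ESP except through the jump box, and the reasons list shows both the missing hop and the missing broker.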
It takes an Architecture … with a central security intelligent cloud capable of analyzing billions of requests and sharing that information to all end security network devices …
[Diagram: Talos security cloud intelligence feeding AMP + Stealthwatch, ASR/ISR with Firepower services, and Firepower FTD 4K/9K]
Conclusion & takeaways: What to do and to enforce
Data and Applications
• Attacks must be uncovered in the early stages of the attack
• Understand the needs and differences for IT vs OT security
• Password reset enforcement after a pre-determined period
• Prioritize vulnerability patching on critical assets
• IP host and URL resolution blacklisting through reputation inspection
• Look for abnormal spikes in traffic patterns
• Check endpoint file integrity through hashing (SHA/MD5) through anti-malware protection
• Firmware modifications over the network cause spikes in network traffic
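Two of the takeaways above are directly checkable: an abnormal spike in traffic toward a field device (the kind a firmware upload over the network produces) and endpoint file integrity by hashing against a known-good baseline. The block below is an added example, not from the presentation, that implements both over constructed data: per-minute byte counts toward two field devices, where the last interval for the serial-to-Ethernet gateway carries a firmware-sized transfer, and a set of firmware/agent images compared against a stored baseline of the kind "backup of all critical firmware" implies. Device addresses, file names and image bytes are constructed.

```python
"""Traffic spike detection per field device and firmware/file integrity by
hashing. Added example, not from the presentation; flow records, images
and the known-good baseline are constructed."""
import hashlib
import statistics
from collections import defaultdict

# Constructed per-minute byte counts sent to each field device from the
# engineering/HMI network: (interval, device, bytes). Interval 9 for the
# gateway at 10.10.20.7 carries a firmware-sized transfer.
FLOW_RECORDS = (
    [(i, "10.10.20.5", b) for i, b in enumerate(
        [1200, 1180, 1210, 1190, 1220, 1205, 1195, 1215, 1200, 1210])]
    + [(i, "10.10.20.7", b) for i, b in enumerate(
        [900, 950, 910, 930, 920, 905, 940, 915, 925, 2_400_000])]
)


def detect_spikes(records, min_history=5, factor=10):
    """Flag (device, interval, bytes, baseline) where bytes exceed factor x the
    median of that device's earlier intervals. The median is used rather than
    the mean so one earlier burst cannot drag the baseline up and hide the next."""
    history = defaultdict(list)
    alerts = []
    for interval, device, nbytes in sorted(records):
        prior = history[device]
        if len(prior) >= min_history:
            baseline = statistics.median(prior)
            if nbytes > factor * baseline:
                alerts.append((device, interval, nbytes, baseline))
        prior.append(nbytes)
    return alerts


# Constructed known-good images, as kept under "backup of all critical firmware".
KNOWN_GOOD = {
    "gateway-fw-2.1.bin": b"serial gateway firmware image v2.1 (constructed sample)",
    "hmi-agent.exe": b"HMI monitoring agent binary (constructed sample)",
}
# Constructed images observed on endpoints: one intact, one tampered, one
# that was never baselined.
OBSERVED = {
    "gateway-fw-2.1.bin": KNOWN_GOOD["gateway-fw-2.1.bin"],
    "hmi-agent.exe": b"HMI monitoring agent binary (constructed sample) + injected code",
    "unknown-tool.exe": b"something that was never baselined",
}


def sha256_hex(data: bytes) -> str:
    # SHA-256 rather than MD5: MD5 collisions are practical, so two different
    # images can be made to share an MD5 digest.
    return hashlib.sha256(data).hexdigest()


def build_baseline(images: dict) -> dict:
    """name -> SHA-256 of the known-good image."""
    return {name: sha256_hex(data) for name, data in images.items()}


def verify_integrity(observed: dict, baseline: dict) -> dict:
    """'ok', 'modified' or 'unknown' per observed file. An unknown file is
    reported separately because it is a change too, not a pass."""
    results = {}
    for name, data in observed.items():
        expected = baseline.get(name)
        if expected is None:
            results[name] = "unknown"
        elif sha256_hex(data) == expected:
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


if __name__ == "__main__":
    for alert in detect_spikes(FLOW_RECORDS):
        print("traffic spike:", alert)
    for name, state in verify_integrity(OBSERVED, build_baseline(KNOWN_GOOD)).items():
        print(f"{name}: {state}")
```

The two checks complement each other: the traffic baseline is the early signal that something firmware-sized crossed the network toward a device, and the hash comparison against the stored backup is how an operator confirms afterwards whether the image on the device is still the one that was backed up.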
Takeaways: What to do and to enforce
Host and network
• Segmentation of the SCADA network (secured zoning)
• Logging must be enabled on all SCADA devices
• Backup of all critical firmware
• Restrict and control remote connections to the SCADA systems through secured jump points
• IPS with ICS-adapted rules for detection within the industrial environment
Policies and procedures
• Training OT staff operators
• Segregation of duties: make sure no single HMI console has full control end to end
• Invite business process owners to discuss what is important to protect
• Make sure IT/OT is up to date and knowledgeable on ICS security
• DR scenarios in place to switch to manual mode
Security compliance is not enough; organizations must set their security foundations taking into consideration:
• Attack vectors and threats
• Changing business environment and operational procedures
• Technological evolution
“We have a culture of compliance when we should really have a culture of security.”
Timothy E. Roxey, VP and Chief E-ISAC Operations Officer at NERC
Thank you