Ronnie Rahman, 2019 CYBER THREAT LANDSCAPE, April 18, 2019 (transcript)
Honeywell Confidential - © 2019 by Honeywell International Inc. All rights reserved.
The Rapid Proliferation of IIoT Devices Exponentially Increases Risks
Industrial Cybersecurity Customer Challenges
Industrial Control System Complexity
• Multiple sites
• Increasing number of IIoT devices and connections
• Multiple vendors and users requiring access to assets and/or data
• Mix of legacy and proprietary equipment
IT/OT Misalignment
• Data security vs loss of view, loss of control
• Immediate patching vs batched patching
• Partial data on assets; no proper discovery & inventory
• Multiple remote access points
Skilled Resources Shortfall and Budget Limitation
• Hard to find industrial cyber security expertise
• Cannot place experts at every site
• Manual processes don’t scale and provide limited security
• Multiple security solutions, each only partially utilized
53% of industrials experienced a cyber attack in the last 12 months*
*Source: LNS Research, Putting Industrial Cybersecurity at the Top of the CEO Agenda
Increasing Pace of Industrial Cyber Attacks (press headlines)
• Attacks on Industrial Control Systems on the Rise (Sept 9, 2018)
• Concern Rises About Cyber-Attacks Physically Damaging Industries (April 26, 2018)
• New Type of Cyberattack Targets Factory Safety Systems (January 19, 2018)
• More than half of major malware attack’s victims are industrial targets (June 29, 2017)
Which cyber loss scenarios present the greatest potential impact to your organization?*
76% of energy executives cited business interruption (BI) as the most impactful cyber loss scenario for their organization.
Increasing awareness of potential impact
*Source: Marsh Research report 2018; Marsh-Microsoft Cyber Perception Survey
Planning ICS Attacks Now Easier Than Ever
2019 Cyber Predictions*
• Increase in ransomware targeted at ICS operators
• Targeted phishing attacks continue as the #1 threat vector
• USB media continue to be the #2 threat vector
• Nation-state sponsored attacks will continue (more to come: other stolen malware has still not been used yet)
• Shortage of cyber skills continues
*Source: various web sites (e.g. CIO.com)
But Threat Level Remains Higher than Ever!
Threat categories covered in the attack reports that follow:
• Ransomware
• Cryptojacking
• Virus
• Trojan
ATTACK REPORT: Nuclear Power Plant Data
• Date reported: Nov 2018
• Company based in France
• Vector: Hack
• Type: Exfiltration
• Industry: Construction
• Result:
  - 11,000 files from a dozen projects were accessed
  - 65 GB of data relating to nuclear power plants and other projects
  - Cost unreported
ATTACK REPORT: Public Cable Car
• Date reported: Dec 2018
• Company based in Russia
• Vector: Ransomware
• Type: Unknown
• Industry: Public transport
• Result:
  - System taken offline for 24 hours
  - Cost unreported
ATTACK REPORT: LockerGoga Ransomware Allegedly Used in Attack
• Date reported: Jan 24, 2019
• Company based in France
• Vector: Phishing/Ransomware
• Type: LockerGoga
• Industry: Engineering
• Result:
  - Manual shutdown of network and applications
  - Estimated cost unknown
ATTACK REPORT: LockerGoga Strikes Again
• Date reported: Mar 19, 2019
• Company based in Norway
• Vector: Ransomware
• Type: LockerGoga
• Industry: Aluminum and energy company
• Result:
  - Switch to manual operations
  - Estimated impact $40M+
ATTACK REPORT: And LockerGoga Hits Again…
• Date reported: Mar 19, 2019
• Company based in USA
• Vector: Ransomware
• Type: LockerGoga
• Industry: Chemical production
• Result:
  - Replacement of infected computers
  - Cost unreported
LockerGoga
• Ransomware that has repeatedly hit industrial companies (the three reports above)
• In the Norway attack it reached multiple systems by being copied to a shared directory, from which the intruders moved it laterally host by host until the entire organization was affected
• LockerGoga has no worm component of its own; staging from a share followed by intruder-driven lateral movement sets it apart from self-propagating ransomware and had not been common in other attacks
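The spread pattern described above, written as detection logic. This is an added example, not code from the deck or from Honeywell: it assumes a hypothetical key=value telemetry format that merges file-server write audits with endpoint process-start records, and the hosts, paths and hashes in the sample are constructed. The rule fires when one executable (identified by hash, so renaming does not evade it) is written to a UNC share and then launched from a share on several distinct hosts within a short window.

```python
"""Detect ransomware staged from a network share and launched across hosts.

Added example (not from the Honeywell deck). Runs over constructed
telemetry in a hypothetical "key=value" format modelled loosely on file
server write audits and endpoint process-start records.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str      # host that wrote the file or started the process
    kind: str      # "share_write" (file server audit) or "proc_start" (endpoint agent)
    path: str      # path written or executed; UNC paths start with \\
    sha256: str    # image hash as reported by the sensor (shortened here)


# Constructed sample telemetry; names, hosts and hashes are invented.
SAMPLE_LOG = r"""
2019-03-18T23:40:01 host=FS01 kind=share_write path=\\FS01\public\update_svc.exe sha256=b1b1b1
2019-03-18T23:41:10 host=WS-ENG-07 kind=proc_start path=\\FS01\public\update_svc.exe sha256=b1b1b1
2019-03-18T23:42:30 host=WS-ENG-12 kind=proc_start path=\\FS01\public\update_svc.exe sha256=b1b1b1
2019-03-18T23:44:05 host=HMI-OPS-02 kind=proc_start path=\\FS01\public\update_svc.exe sha256=b1b1b1
2019-03-18T23:45:00 host=WS-ADM-01 kind=proc_start path=\\FS01\public\update_svc.exe sha256=b1b1b1
2019-03-18T09:00:00 host=FS01 kind=share_write path=\\FS01\tools\putty.exe sha256=c2c2c2
2019-03-18T09:05:00 host=WS-ENG-03 kind=proc_start path=\\FS01\tools\putty.exe sha256=c2c2c2
2019-03-18T10:00:00 host=WS-ENG-03 kind=proc_start path=C:\Windows\notepad.exe sha256=d3d3d3
2019-03-19T08:00:00 host=WS-ENG-05 kind=proc_start path=\\FS01\public\update_svc.exe sha256=b1b1b1
"""


def parse_events(text: str) -> list[Event]:
    """Parse one event per line: ISO timestamp followed by key=value fields."""
    events = []
    for line in text.strip().splitlines():
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts_str), kv["host"],
                            kv["kind"], kv["path"], kv["sha256"]))
    return events


def is_unc(path: str) -> bool:
    return path.startswith("\\\\")


def find_share_spread(events: list[Event],
                      window: timedelta = timedelta(hours=1),
                      min_hosts: int = 3) -> list[dict]:
    """Alert when one image hash is written to a share and then executed
    from a share on at least `min_hosts` distinct hosts within `window`
    of the first write. Grouping by hash rather than by path catches the
    payload even if it is renamed between shares."""
    by_hash: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        by_hash[ev.sha256].append(ev)

    alerts = []
    for digest, evs in by_hash.items():
        stagings = [e for e in evs if e.kind == "share_write" and is_unc(e.path)]
        if not stagings:
            continue                      # never staged on a share: not this pattern
        first = min(stagings, key=lambda e: e.ts)
        deadline = first.ts + window
        launches = [e for e in evs if e.kind == "proc_start" and is_unc(e.path)
                    and first.ts <= e.ts <= deadline]
        hosts = sorted({e.host for e in launches})
        if len(hosts) >= min_hosts:
            alerts.append({"sha256": digest, "staged_from": first.host,
                           "path": first.path, "first_seen": first.ts,
                           "hosts": hosts})
    return alerts


if __name__ == "__main__":
    for alert in find_share_spread(parse_events(SAMPLE_LOG)):
        print(f"{alert['sha256']}: staged on {alert['staged_from']} at "
              f"{alert['first_seen']}, launched on {len(alert['hosts'])} hosts: "
              f"{', '.join(alert['hosts'])}")
```

On the sample, only the `update_svc.exe` image trips the rule (four hosts inside the hour); the admin tool run by one engineer from the tools share and the local notepad start do not. Tune `window` and `min_hosts` to the site: an HMI estate where operators legitimately launch shared tools at shift change needs a higher threshold or an exclusion for the approved tools share.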
ATTACK REPORT: Cryptojacking Manufacturing Resources
• Date reported: Late Feb 2019
• Company based in Japan/Thailand
• Vector: Virus/Cryptojacking
• Type: Unknown
• Industry: Manufacturing
• Result:
  - Partial shutdown of production for 3 days
  - Cost unreported
Cryptojacking
• Cryptojacking is a way for cybercriminals to make money with minimal effort.
• They hijack someone else’s machine to mine cryptocurrency, in the browser-based variant with just a few lines of script on a visited page, or by installing a miner on the host itself.
• The victim bears the cost of the computation and the electricity needed to mine; the criminals keep the mined tokens. On a plant floor the cost is also the CPU time stolen from the systems that run production.
ATTACK REPORT: New Shamoon Cyber-attack on Oil Targets in the Middle East
• Date reported: Dec 2018
• Company based in Italy/Middle East
• Vector: Virus
• Type: Shamoon
• Industry: Oil services
• Result:
  - Minor shutdown; 400-plus servers affected
  - Cost unreported
New Shamoon Variant
• Shamoon disables computers by overwriting the master boot record, making it impossible for the devices to start up.
• These latest Shamoon attacks are doubly destructive, since they involve a new wiper (Trojan.Filerase) that deletes files from infected computers before the Shamoon malware wipes the master boot record.
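A baseline-and-compare check for the MBR tampering described above, as an added example (not from the deck): the first 512-byte sector of a disk holds the boot code, the 64-byte partition table at offset 446 and the 0x55AA boot signature at offset 510. A wiper that overwrites the sector changes all three; a subtler tamper may change only one. The check stores digests from a known-good read and later reports exactly what differs. The disk images here are constructed in memory; `read_sector0()` shows how a real host would obtain the sector (raw device access needs administrator or root rights), and the sample boot-code bytes and partition layout are assumptions, not taken from any real disk.

```python
"""Baseline-and-compare check on a disk's first sector (the MBR).

Added example, not part of the deck. Disk images are constructed in memory.
"""
from __future__ import annotations

import hashlib
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table: 4 entries x 16 bytes
SIG_OFFSET = 510         # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_sector0(device_path: str) -> bytes:
    """Read the first sector of a block device or disk image.
    Real targets look like \\.\PhysicalDrive0 on Windows or /dev/sda on Linux."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder boot code, one NTFS-type partition, signature."""
    boot_code = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 56)[:PT_OFFSET]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2097152)
    table = entry + bytes(16 * 3)           # three empty entries
    return boot_code + table + b"\x55\xAA"


def partition_entries(mbr: bytes) -> list[dict]:
    """Decode the non-empty entries of the partition table."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def baseline(mbr: bytes) -> dict:
    """Digests to store (off-host, so a wiper cannot erase them) from a known-good read."""
    return {"bootcode": sha256(mbr[:PT_OFFSET]),
            "ptable": sha256(mbr[PT_OFFSET:SIG_OFFSET])}


def check_mbr(mbr: bytes, base: dict) -> list[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    findings = []
    if len(mbr) != SECTOR:
        findings.append(f"unexpected sector length {len(mbr)}")
        return findings
    if mbr[SIG_OFFSET:SIG_OFFSET + 2] != b"\x55\xAA":
        findings.append("boot signature missing")
    if sha256(mbr[:PT_OFFSET]) != base["bootcode"]:
        findings.append("boot code changed")
    if sha256(mbr[PT_OFFSET:SIG_OFFSET]) != base["ptable"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr()
    base = baseline(clean)
    wiped = bytes(SECTOR)                           # sector zeroed by a wiper
    tampered = bytearray(clean)
    tampered[PT_OFFSET + 4] = 0x83                  # partition type silently changed
    for name, image in (("clean", clean), ("wiped", wiped), ("tampered", bytes(tampered))):
        print(name, check_mbr(image, base) or "OK")
```

Run the baseline once from a trusted boot (a live medium, not the possibly compromised OS) and keep the digests with the asset inventory; a periodic re-read that returns "boot signature missing" on a machine that still appears healthy is the window in which to isolate it before the next reboot fails. A legitimate partition change (resize, OS upgrade) will also flag, which is exactly the change-control event the check should make visible.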
ATTACK REPORT: Electricity Utility
• Date reported: Feb 2019
• Company based in South Africa
• Vector: Breach, downloader
• Type: AZORult Trojan
• Industry: Power/Electricity
• Result:
  - Impact currently unknown
  - Cost unreported
AZORult
• AZORult is a Trojan stealer that collects various data on infected computers and sends it to the command & control server
• Designed to exfiltrate files, passwords, banking credentials and cryptocurrency wallets
• It is also known to act as a downloader for other malware payloads in multi-stage campaigns, including ransomware and data- and cryptocurrency-stealing malware
ATTACK REPORT: Deep Dive: TRITON
• A petrochemical company with a plant in the Middle East was hit in August 2017 by a cyberattack aimed at sabotaging the firm’s operations and triggering an explosion
• It was reported that within minutes of the attack, the hard drives inside the company’s computers were destroyed and their data wiped clean
ATTACK REPORT: The TRITON cyber attack
• The malware burrows into a target’s networks and sabotages its industrial control systems
• Triton is designed to tamper with or even disable Triconex safety instrumented system (SIS) controllers, the autonomous protection layer that sits alongside the distributed control system (DCS) and brings the process to a safe state when it leaves its normal operating limits
The TRITON cyber attack: how it works
• Researchers revealed more about how the hackers work.
• Their findings showed the hackers could spend close to a year after their initial compromise of a facility’s network before launching a deeper assault, taking the time to understand how the network looked and how to pivot from one system to another.
• The hackers’ goal is to quietly gain access to the facility’s safety instrumented system, an autonomous monitor that ensures physical systems don’t operate outside of their normal operational state.
• These critical systems are meant to be strictly segmented from the rest of the network to prevent any damage in the event of a cyberattack.
• Having gained access to the safety system, the hackers focused on finding a way to deploy Triton’s payloads and carry out their mission without causing the controllers to enter a safe fail-over state, which would have halted the plant and exposed the intrusion.
Source https://techcrunch.com/2019/04/09/triton-malware-strike/
Hackers Behind Triton ICS Malware Hit Additional Critical Infrastructure Facility (update, April 10, 2019)
• A highly capable hacker group reportedly behind a failed plot to blow up a petrochemical plant has now been found in a second facility.
• According to researchers, the actors behind Triton have once again targeted industrial control systems, this time at an undisclosed company in the Middle East.
Source: Techcrunch
Plant Cyber Security – Site Offerings
Target solution: Cyber Vantage Consulting Services
• Addresses business problem: uncertain of existing security posture; lack of security expertise; desire to be assessed by an independent, third-party ICS cyber security consultant
• Opportunities look like: early in addressing cyber requirements; new projects needing security architecture; ongoing need for third-party security reviews
Target solution: Secure Media Exchange (SMX)
• Addresses business problem: removable media needed for file transfer and PCN maintenance; risk of USB-borne threats (malware, code injection, BadUSB machine takeover, etc.)
• Opportunities look like: customer interest in controlling USB usage; heavy contractor activity on site
Target solution: Secure Network Refresh (SNR)
• Addresses business problem: PCN does not meet modern security requirements due to vulnerable, unsupported network infrastructure and lack of segmentation (flat network)
• Opportunities look like: multiple physical plant locations; new projects and PCN migrations/upgrades; funded digital transformation initiatives
Target solution: Cyber Security Risk Manager
• Addresses business problem: unable to consistently report current PCN cyber security risks; incorrect and inefficient workflow to lower cyber risk
• Opportunities look like: multiple sites with defined security policies; need to report; poor or inefficient security management
Target solution: Application Whitelisting
• Addresses business problem: prevention of industrial cyber-attacks by denying execution of any application that has not been previously identified as non-malicious (default deny)
• Opportunities look like: customer is looking for additional protection beyond anti-virus to increase their defense-in-depth strategy
Target solution: Cyber Security Technology Centers
• Addresses business problem: offers customers a safe environment for custom configuration, validation, testing, qualification and support to deploy a secure layer of industrial cyber security defense
• Opportunities look like: customer interested in validating new solutions faster in a variety of scenarios to increase defenses against the threat of cyber attacks
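The default-deny principle behind the Application Whitelisting row, as an added example that is not Honeywell's product code: the decision is made on the SHA-256 of the executable image rather than on its name or directory, so a binary dropped over an approved one, or a patched copy, is blocked even though its path looks trusted. The path-based policy is kept alongside for contrast. The "binaries", paths and process-start events are constructed, and the class and function names are this example's own.

```python
"""Default-deny application allowlisting keyed on the image hash.

Added example, not Honeywell's product. The "binaries" and events are constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    path: str      # path the process was launched from
    image: bytes   # bytes of the executable as read from disk by the agent


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real executables.
HMI_VIEWER = b"MZ\x90\x00" + b"hmi-viewer 4.2 release build " * 8
HISTORIAN_AGENT = b"MZ\x90\x00" + b"historian-agent 1.7 " * 8
DROPPED_TOOL = b"MZ\x90\x00" + b"unknown tool dropped by an intruder " * 8

APPROVED_DIRS = ["C:\\Program Files\\"]
APPROVED_IMAGES = {"HMI viewer 4.2": HMI_VIEWER, "Historian agent 1.7": HISTORIAN_AGENT}


class PathAllowlist:
    """Weak policy: trusts anything launched from an approved directory."""
    def __init__(self, directories: list[str]):
        self.directories = tuple(d.lower() for d in directories)

    def decide(self, ev: ProcessStart) -> tuple[bool, str]:
        if ev.path.lower().startswith(self.directories):
            return True, "trusted directory"
        return False, "untrusted directory"


class HashAllowlist:
    """Default-deny policy: allow only images whose hash was approved in advance."""
    def __init__(self, approved: dict[str, bytes]):
        self.approved = {sha256(img): label for label, img in approved.items()}

    def decide(self, ev: ProcessStart) -> tuple[bool, str]:
        label = self.approved.get(sha256(ev.image))
        if label is None:
            return False, "not on allowlist"
        return True, label


EVENTS = [
    ProcessStart("C:\\Program Files\\HMI\\viewer.exe", HMI_VIEWER),                # normal start
    ProcessStart("C:\\Users\\op\\AppData\\Local\\Temp\\viewer.exe", HMI_VIEWER),   # approved bytes, odd place
    ProcessStart("C:\\Program Files\\HMI\\viewer.exe", DROPPED_TOOL),              # binary replaced in place
    ProcessStart("C:\\Program Files\\HMI\\viewer.exe", HMI_VIEWER[:-1] + b"!"),    # one byte patched
    ProcessStart("C:\\Program Files\\Historian\\agent.exe", HISTORIAN_AGENT),      # normal start
]


def evaluate(policy, events: list[ProcessStart]) -> list[tuple[str, bool, str]]:
    """Apply a policy to each process start and return (path, allowed, reason)."""
    return [(ev.path, *policy.decide(ev)) for ev in events]


if __name__ == "__main__":
    for name, policy in (("path", PathAllowlist(APPROVED_DIRS)),
                         ("hash", HashAllowlist(APPROVED_IMAGES))):
        print(f"--- {name} allowlist")
        for path, allowed, reason in evaluate(policy, EVENTS):
            print(f"{'ALLOW' if allowed else 'DENY ':5} {path}  ({reason})")
```

The path policy waves through the replaced and the patched `viewer.exe` because both sit under Program Files; the hash policy denies both and allows only the two images that were approved. It does allow the approved image when launched from a Temp directory, which is correct for a pure hash rule; a site that wants to forbid that combines the hash check with a path check. The operational cost is that every vendor patch changes the hash and must be re-approved before it will run, which is where a validation environment pays for itself.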
Multi Site Cyber Security – Offerings
Target solution: ICS Shield
• Addresses business problem: inability to patch systems cost-effectively; slow patch upkeep; limited remote site maintenance; no visibility across multi-vendor assets
• Opportunities look like: many plants across dispersed locations; high-cost labor markets; industrial assets from many vendors
Target solution: Cyber Security Risk Manager
• Addresses business problem: unable to consistently report current PCN cyber security risks; incorrect and inefficient workflow to lower cyber risk
• Opportunities look like: multiple sites with defined security policies; need to report; poor or inefficient security management
Target solution: Managed Security Services (MSS)
• Addresses business problem: lack of skilled resources to maintain (patch and AV), monitor and report on PCN security posture
• Opportunities look like: remote locations with limited staff to maintain the PCN; define the capability in prequalification and FEED documents
Target solution: Network Operations Center
• Addresses business problem: need a secure way for personnel and third parties to connect to the PCN remotely; provides a comprehensive OT solution for enterprise-wide cyber security and supports vendor-neutral PCN security
• Opportunities look like: customer has multiple sites and control system vendors not connected by consistent cyber security policies
Target solution: Security Operations Center
• Addresses business problem: overcome customer challenges in developing and maintaining an enterprise SOC; consistent enterprise-wide cyber security
• Opportunities look like: customer has limited cyber security capabilities but is looking to improve centralization of security
Target solution: Cyber Security Technology Centers
• Addresses business problem: offers customers a safe environment for custom configuration, validation, testing, qualification and support to deploy a secure layer of industrial cyber security defense
• Opportunities look like: customer interested in validating new solutions faster in a variety of scenarios to increase defenses against the threat of cyber attacks
Security Controls / Tools: Integrated Cyber Security Management
• Security Management
• Intrusion Protection & Threat Intelligence
• Application & Endpoint Security
• Next Generation Firewall
• Network Security
Centers of Excellence: Innovation & Security Service Hubs
Cyber Security Centers of Excellence Around the World
• Functions: Solutions Development; Training and Certification; Customer Demonstrations; Research Labs & Testing
• Facility types: Managed Security Service Center; Managed Security Services; Cyber Security Innovation Center; Cyber Security Research Lab; Atlanta Cyber Security Innovation Center
• Locations: Houston, Singapore, Bucharest, Dubai, Atlanta, Edmonton, Phoenix, Amsterdam, Bangalore
Honeywell Provides Full Solutions for Industrial Cyber Security
Comprehensive, Proven and Trusted End-to-End Solutions (spanning the security maturity range from Emergent to Adaptive)
INTEGRATED SECURITY TECHNOLOGY
- Whitelisting
- Antivirus
- Next-generation Firewall
- IDS/IPS
- Security Information & Event Management (SIEM)
- Threat Intelligence
INDUSTRIAL SECURITY CONSULTING
- Industrial security program development
- Assessment services
- Architecture and design
- Implementation and systems integration
- Operational service and support
- Compliance audit & reporting
MANAGED SECURITY SERVICES
- Secure remote access
- Continuous monitoring and alerting
- Automated patch & antivirus updates
- Incident response & recovery/back up
- Security device co-management
- Hosting, management and operation of ICS Shield®
- OT SOC management & operations
CYBER SECURITY SOFTWARE
- ICS Shield® platform for cyber security operations
- Industrial Cyber Security Risk Manager: Enterprise and Site
- Secure Media Exchange (SMX)
- Advanced Threat Intelligence Exchange (ATIX)
- Industrial assessment software & tools
Award Winning Cyber Security Solutions
• Best Product of the Year, Control Engineering China
• Winner, Safety: Process Safety, Intrinsic Safety, Control Engineering 2018 Engineers’ Choice Awards
• Frost & Sullivan Global Industrial Cybersecurity Solutions Customer Value Leadership Award 2018
THANK YOU
Visit www.becybersecure.com to learn more