SCADA Security: How Do I Know If I've Already Been Owned?

#RSAC

SESSION ID: SOP-W04

Gib Sorebo
Chief Cybersecurity Technologist, Leidos
@gibsorebo

17-Leidos-0918-1850

Overview

Reasons for Concern

Cybersecurity Challenges within Industrial Controls Systems (ICS)

The Undiscovered Breach

The Attack Lifecycle

Current State of Control System Cybersecurity Monitoring

Options for Greater Visibility

Potential Ecosystem

Reasons for Concern: Supply Chain, Network Attacks, and Accidents

Soviet Trans-Siberian Pipeline Sabotage (1982)

Taum Sauk (2005) (Federal Energy Regulatory Commission image; used by permission)

Turkish Pipeline (2008)

Stuxnet (2010)

German Steel Mill (2014)

Ukraine Grid (2015 & 2016)

WannaCry / NotPetya (2017)

Anatomy of an Attack: Ukraine Electric Grid 2015

1. Attacker sends a phishing e-mail with a PDF containing a malicious macro

2. User clicks the infected PDF

3. Macro captures the user's credentials and returns them to the attacker

4. Attacker uses the credentials to log into the utility's VPN

5. Attacker maneuvers to the HMI and logs in with the same credentials

6. Attacker begins switching off power at various substations around the country

HMI = Human Machine Interface

Cybersecurity Challenges within ICS

Lack of Cybersecurity Expertise/Culture

Long Update Cycle

Limited Visibility

IT/OT Divide

The Undiscovered Breach

99*: Median number of days attackers were present on a victim's network before being discovered in 2016

Source: 2017 Mandiant M-Trends Report

*Note: Much of the recent dwell time decline is due to attacks designed to attract immediate attention, such as ransomware and data-wiping malware.

". . . Excellus discovered the attack on Aug. 5 [2015] and an investigation determined that it occurred on Dec. 23, 2013."

Typical IT Attack Lifecycle

1. Conduct Reconnaissance: Attacker analyzes the intended victim to identify a way in and what they want to obtain once they have penetrated the network

2. Establish Foothold: Attacker gains control of a single computer inside the perimeter – generally a server or a personal computer – and then loads tools onto that computer for remote control

3. Move Laterally and Gain Privileges: Attacker moves around the network to get closer to the computers they want to access, and obtains privileged credentials to access them

4. Accomplish Mission: Attacker accomplishes their mission, stealing data (confidentiality), changing data (integrity) or destroying data (availability)

The Purdue Model – An OT Attack Lifecycle

OT = Operational Technology

[Diagram of the Purdue model layers. Labels on the lower layers: "Proprietary Technology" and "Goal is to control or disrupt here".]

Current State of Industrial Security Monitoring

HMI = Human Machine Interface; WAN = Wide Area Network; SIEM = Security Information and Event Management; SOC = Security Operations Center; PLC = Programmable Logic Controller

[Diagram: the traditional IT side, feeding the Security Operations Center, is labelled "Monitored"; the control system side, down to the actuator, is labelled "Unmonitored" with the note "No security data; only control & performance information".]

Covering All Layers of the Software/Device

Higher layers (Purdue layers 3-5)
• Application level settings (e.g., analytics, alarms, triggers)
• Access control settings
• Application and workstation configuration

HMIs and Engineering workstations (Purdue layer 2)
• Variable data (e.g., set points)
• Start/Stop
• Alarm setting
• Underlying HMI code
• Controller programming code
• Binaries/configuration files

PLC - Controller (Purdue layer 1)
• Programming logic (e.g., ladder logic, structured text, instruction lists)
• Variable data (e.g., set points)

Field devices (Purdue layer 0)
• Sensors (current state)
• Actuators (current state)
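The layer-1 and layer-2 items above (controller programming logic, HMI binaries and configuration files) are exactly the artifacts that should be hashed and baselined so that a change can be tied back to a work order. The following is an added example, not code from the presentation or any tool it names: it snapshots a project folder, compares two snapshots, and treats a change as authorized only when its new hash matches what change management recorded. The file paths, file contents and the authorized-changes record are constructed for illustration.

```python
import hashlib
from pathlib import Path

# Added example (not from the presentation): a hash-based integrity baseline for
# the artifacts listed at Purdue layers 1-2 (HMI binaries/configuration files
# and controller programming logic).  Paths, contents and the "authorized
# changes" record below are constructed for illustration.


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root) -> dict:
    """Hash every file under root (e.g. an HMI project folder or a PLC
    program export); keys are forward-slash relative paths."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot_bytes(files: dict) -> dict:
    """Same shape as snapshot_dir, but for an in-memory {path: bytes} mapping
    so the example runs without touching the filesystem."""
    return {path: sha256(data) for path, data in files.items()}


def compare(baseline: dict, current: dict, authorized: dict) -> dict:
    """Classify every difference between two snapshots.

    authorized maps path -> the hash the change-management record says the
    file should now have.  Only a change whose new hash matches that record
    counts as authorized; everything else is reported for investigation.
    """
    report = {"authorized": [], "unauthorized": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue                          # unchanged
        if new is not None and authorized.get(path) == new:
            report["authorized"].append(path)
        elif old is None:
            report["added"].append(path)      # new file nobody recorded
        elif new is None:
            report["removed"].append(path)
        else:
            report["unauthorized"].append(path)
    return report


# Constructed "before" and "after" states of a small HMI/PLC project.
BASELINE_FILES = {
    "hmi/screens/overview.bin": b"\x00SCREEN\x01overview",
    "hmi/config/alarms.cfg": b"HighLevel=90\n",
    "hmi/config/users.cfg": b"operator:view\nengineer:edit\n",
    "plc/pump3_logic.st": b"IF level > 80 THEN pump3 := TRUE; END_IF\n",
}
CURRENT_FILES = {
    "hmi/screens/overview.bin": b"\x00SCREEN\x01overview",              # unchanged
    "hmi/config/alarms.cfg": b"HighLevel=85\n",                         # changed, work order exists
    "hmi/config/users.cfg": b"operator:view\nengineer:edit\n",          # unchanged
    "plc/pump3_logic.st": b"IF level > 95 THEN pump3 := TRUE; END_IF\n",  # changed, no work order
    "hmi/bin/update.exe": b"MZ\x90\x00unexpected",                      # new binary
}
# Constructed change-management record: the one change engineering signed off on.
AUTHORIZED_CHANGES = {"hmi/config/alarms.cfg": sha256(b"HighLevel=85\n")}


def demo() -> dict:
    return compare(snapshot_bytes(BASELINE_FILES),
                   snapshot_bytes(CURRENT_FILES), AUTHORIZED_CHANGES)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12s} {paths}")
```

On a real engineering workstation, `snapshot_dir` would be run against the HMI project directory after each approved deployment to refresh the baseline, and the "unauthorized" and "added" lists are what a correlation rule in the SIEM should fire on.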

Control Systems Options for Greater Visibility

Where feasible, install monitoring agent on controllers

Look for power and frequency changes on actuators & sensors

Packet capture and parsing of proprietary protocols

Consider network honeypots where appropriate

Outcomes for Monitoring Scenarios

Network & Serial Data Captures
• Detect anomalies
• Identify performance issues
• Build baseline
• Identify authorized changes

Power and frequency measurements
• Compare with intended input
• Detect anomalies
• Build baseline

Parse log files
• Detect performance issues
• Correlate across multiple log sources
• Build baseline
• Identify anomalies

Software Monitoring Agent
• Block prohibited operations (optional)
• Real-time reporting of anomalies
• Compare with intended input

Honeypots
• On perimeter, get early insights on potential threats
• Internally, quickly validate intrusions
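The "build baseline", "compare with intended input" and "detect anomalies" outcomes for power measurements are simple enough to show end to end. The following is an added example, not code from the presentation: it learns a per-state band for an actuator's motor current from known-good readings, then classifies each live reading as normal, as a mismatch between what the control system commanded and what the wire shows, or as out of band for every known state. The training data and live readings are constructed; thresholds (3 standard deviations with a 0.2 A floor) are assumptions.

```python
from statistics import mean, pstdev

# Added example (not from the presentation): build a per-state baseline from
# power measurements on an actuator and compare each new reading with the
# state the control system intended.  All readings below are constructed.


def build_baseline(samples: dict) -> dict:
    """samples: {commanded_state: [measurements]} gathered during known-good
    operation.  Returns {state: (mean, population std-dev)}."""
    return {state: (mean(vals), pstdev(vals)) for state, vals in samples.items()}


def check_reading(baseline, commanded, measured, z_limit=3.0, floor=0.2):
    """Classify one reading.  Returns (category, detail).

    ok             - within the band learned for the commanded state
    state_mismatch - the reading fits a *different* state than the one
                     commanded (what the HMI says and what the wire shows disagree)
    out_of_band    - fits no known state (degradation, wiring fault, tampering)
    """
    def fits(state):
        mu, sigma = baseline[state]
        return abs(measured - mu) <= max(z_limit * sigma, floor)

    if fits(commanded):
        return "ok", None
    for other in baseline:
        if other != commanded and fits(other):
            return "state_mismatch", f"reads like '{other}' while commanded '{commanded}'"
    mu, _ = baseline[commanded]
    return "out_of_band", f"{measured:.2f} A vs baseline {mu:.2f} A for '{commanded}'"


def scan(baseline, readings):
    """readings: iterable of (timestamp, commanded_state, measured).  Returns
    only the anomalies, in order, for forwarding to the SIEM."""
    alerts = []
    for ts, commanded, measured in readings:
        category, detail = check_reading(baseline, commanded, measured)
        if category != "ok":
            alerts.append((ts, category, detail))
    return alerts


# Constructed training data: motor current (A) of Pump 3 in each commanded state.
TRAINING = {
    "on": [12.1, 11.9, 12.3, 12.0, 12.2, 11.8, 12.1, 12.0],
    "off": [0.0, 0.1, 0.0, 0.1, 0.0, 0.0, 0.1, 0.0],
}
# Constructed live readings: (time, state the control system commanded, amps measured)
LIVE = [
    ("10:00:00", "on", 12.2),   # normal
    ("10:05:00", "off", 12.0),  # HMI says off, pump is drawing full-load current
    ("10:10:00", "on", 18.5),   # far above any learned state
    ("10:15:00", "on", 0.05),   # commanded on, but nothing is running
]


def demo():
    return scan(build_baseline(TRAINING), LIVE)


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

The same structure applies to a frequency channel or to a sensor: the baseline is keyed by the intended state, so a disagreement between the intended input and the physical measurement surfaces as `state_mismatch` even when the reading itself looks perfectly normal for some state.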

Example Architecture

Packet collection/IDS

SIEM

Log parser

Data Aggregator

Power monitoring

Endpoint agents

Honeypots

Building Custom Parsers

Original Log:
device_id=6, state_time=2017-6-20 16:43:10.970, device_state=1, teststat=0

Post Parsing:
Event Time = 2017-6-20 16:43:10
Device ID = Pump 3
Device State = Turning Pump On
Status = OK

Set a correlation rule to trigger when unexpected events occur

• Logs read like a sentence.
• Making logs human readable allows anyone to understand exactly what happened
• Increases readability of reports on historical data
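The parse-then-correlate step above, as an added example that is not part of the presentation: the log line from the slide is split into fields, the numeric codes are mapped to the readable names shown, and a correlation rule fires when an event either reports a fault or has no authorized work order covering that device, state and time window. The device-name, state-code and status-code tables and the work-order list are constructed for illustration; a real deployment would pull them from the asset inventory and change-management system.

```python
from datetime import datetime

# Added example (not from the presentation): parse the raw controller log line
# shown on the slide into a readable event and apply a correlation rule that
# fires when an event is unexpected.  The code tables and the "authorized work
# orders" list are constructed for illustration.

DEVICE_NAMES = {6: "Pump 3"}
DEVICE_STATES = {0: "Turning Pump Off", 1: "Turning Pump On"}
TEST_STATUS = {0: "OK", 1: "Fault"}


def parse_raw(line: str) -> dict:
    """Split 'key=value, key=value' into a dict of raw strings."""
    fields = {}
    for part in line.split(", "):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {part!r}")
        fields[key.strip()] = value.strip()
    return fields


def translate(fields: dict) -> dict:
    """Map numeric codes to names and drop the sub-second part of the time."""
    ts = datetime.strptime(fields["state_time"], "%Y-%m-%d %H:%M:%S.%f")
    dev = int(fields["device_id"])
    state = int(fields["device_state"])
    status = int(fields["teststat"])
    return {
        "Event Time": f"{ts.year}-{ts.month}-{ts.day} {ts:%H:%M:%S}",
        "Device ID": DEVICE_NAMES.get(dev, f"Unknown device {dev}"),
        "Device State": DEVICE_STATES.get(state, f"Unknown state {state}"),
        "Status": TEST_STATUS.get(status, f"Unknown status {status}"),
        "_timestamp": ts,                  # kept for rule evaluation, not display
    }


def to_sentence(event: dict) -> str:
    return (f"{event['Device ID']}: {event['Device State']} at "
            f"{event['Event Time']}, status {event['Status']}")


# Constructed work orders: which state change is allowed on which device, and when.
AUTHORIZED = [
    {"device": "Pump 3", "state": "Turning Pump On",
     "start": datetime(2017, 6, 20, 16, 0), "end": datetime(2017, 6, 20, 17, 0)},
]


def is_expected(event: dict, authorized=AUTHORIZED) -> bool:
    return any(a["device"] == event["Device ID"]
               and a["state"] == event["Device State"]
               and a["start"] <= event["_timestamp"] <= a["end"]
               for a in authorized)


def correlate(lines, authorized=AUTHORIZED):
    """Return (sentence, reasons) for every line that breaks a rule."""
    alerts = []
    for line in lines:
        event = translate(parse_raw(line))
        reasons = []
        if event["Status"] != "OK":
            reasons.append("device reported a fault")
        if not is_expected(event, authorized):
            reasons.append("no authorized work order covers this change")
        if reasons:
            alerts.append((to_sentence(event), reasons))
    return alerts


# The line from the slide, followed by two constructed lines.
SAMPLE_LINES = [
    "device_id=6, state_time=2017-6-20 16:43:10.970, device_state=1, teststat=0",
    "device_id=6, state_time=2017-6-21 03:12:45.120, device_state=1, teststat=0",
    "device_id=6, state_time=2017-6-20 16:50:02.001, device_state=0, teststat=1",
]

if __name__ == "__main__":
    for sentence, reasons in correlate(SAMPLE_LINES):
        print(sentence, "->", "; ".join(reasons))
```

Only the second and third lines produce alerts: the first is the slide's own event, which falls inside the authorized window, while the second is the same change at 3 a.m. with no work order and the third is a fault on a state change nobody authorized.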

Options for Tools

Power Monitoring: Some commercial options available

SIEM and Aggregators: OSSIM, Simple Event Correlator

Packet Collection: Bro, Suricata, Moloch

Parsers and Analytics: OpenSOC, Metron, Skyline

Endpoint Agents: OSSEC, Samhain

Honeypots: Conpot

How the Defenses Address Each Layer

Honeypots offer early warning of scans and other reconnaissance

Endpoint agents detect the initial landing point (e.g., via phishing of the IT side)

Packet collection & IDS sensors alert on lateral movement

Agents on HMIs and other OT systems detect suspicious connections and programs

OT-aware packet analysis tools detect set point and other changes sent to controllers

Internal honeypots alert when touched

OT-aware honeypots detect attempts to change OT components

Log parser detects changes to controllers

Power monitoring on actuators & sensors offers the final detection option

[Diagram: the defenses above are laid over the attack lifecycle stages 1. Conduct Reconnaissance, 2. Establish Foothold, 3. Move Laterally and Gain Privileges, 4. Accomplish Mission.]

SIEMs and other back-end platforms pull all the pieces together

Putting it All Together

1. Conduct Hardware and Software Inventory
While many OT environments are good at keeping track of the physical inventory, software, and particularly software versions, are often missed

2. Identify commercial, ICS vendor-provided, and open source tools
Be creative; some of the best tools may not even be considered security tools (e.g., configuration management, data historians)

3. Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity, endpoint configuration files)
Often referred to as a "Kill Chain Analysis," this is where one might find evidence of an attack

4. Build and implement a test environment to demonstrate capabilities
Many control system vendors offer "virtual twins" for testing and modeling; other comparable environments are freely available

5. Coordinate with the production team for access to data and tool deployment
Be patient and conscious of IT/OT culture differences; help OT understand why this helps them

6. Deploy tools and collect data
This will be an iterative process based on tool feasibility, budget, time, and skills

7. Build use cases and develop analytics and correlation rules
Focus on what the bad guys would want to do and how they would want to accomplish it (e.g., tactics, techniques, and procedures)

8. Test by simulating threats
Start small, with low-risk environments less sensitive to disruption, working with tabletop environments first

What Else?

Other Considerations

False Positives

Alignment with Control Processes

Staffing Levels for Security Operations Center

Coverage of All Attack Stages

No Disruption to Operations

Apply What You've Learned Today

Next Week You Should:
• Review the architectures for your control system environments
• Talk to process control engineers and managers about the feasibility of gaining more visibility and explain how that helps them
• Inquire about virtual environments and modeling tools available

In the Next Three Months You Should:
• Acquire and gain familiarity with tools in a test environment based on a "kill chain" analysis of your control system environments
• Demonstrate the operating model in a virtual environment
• Develop use cases

In the Next Six Months You Should:
• Develop and present a deployment plan based on the research and testing performed and coordination with OT teams, and gain approval
• Deploy tools and data collection processes to low-risk control system environments
• Simulate threats at multiple locations in the OT environment
• Analyze the data collected to determine the ability to detect threats
• Iterate exercises and migrate the approach to progressively higher-risk environments (will likely take longer than six months to complete)

Questions

For more information contact:

Gib Sorebo
Leidos Chief Cybersecurity Technologist
phone: 703-318-4553
email: [email protected]

Tools Reference

SIEM and Aggregators
Can leverage enterprise SIEM with some customizations; open source and commercial options also available.
Open source:
• OSSIM: https://www.alienvault.com/products/ossim/download
• Simple Event Correlator: http://simple-evcorr.sourceforge.net/

Packet Collection
Multiple commercial options for both collection and analysis for ICS.
Open source:
• Wireshark: https://www.wireshark.org/download.html
• Bro: https://www.bro.org/download/index.html
• Suricata: https://suricata-ids.org/download/
• Moloch: https://github.com/aol/moloch

Parsers and Analytics
Included with SIEM and tools to build custom parsers.
Open source:
• OpenSOC: http://opensoc.github.io/
• Apache Metron: http://metron.apache.org/
• Skyline (anomaly detection): https://github.com/etsy/skyline

Endpoint Agents
Most are targeted at enterprise, but can be customized for ICS environments.
Open source:
• OSSEC (host-based IDS): https://github.com/ossec/ossec-hids
• Samhain: http://la-samhna.de/samhain/
• Conpot (Control System Honeypot): http://conpot.org/

Power Monitoring
Some commercial options available