
© Copyrights CRC-ICS 2017 – All Rights Reserved – www.crc-ics.net

Cyber Research Center - Industrial Control Systems

Critical Infrastructure Protection & Resilience

ITARC Amsterdam, September 2017

There is No place Anymore for Enterprise and IT Architecture, if you can't deal with Current and Future Cyber Threats!


Cyber Research Director, Speaker & Publicist

Thought Leader Cyber Terrorism, ICS & EA

President & Thought Leader

Author / Co-author of 15 Professional Books & more than 100+ Articles / Papers

Awarded with the 2013 Global Excellence iCMG Hall of Fame Award, India

Cyber Research Center - Industrial Control Systems

Advisor NIST Cyber Security Framework Critical Infrastructure Development

Ass. - Professor


All the information contained in this presentation and shared with you during the presentation is in the public domain. The Cyber Research Center – Industrial Control Systems (CRC-ICS) is not responsible for the accuracy or correctness of the shared public domain information. Reference to any specific website, process, or service by trade name, trademark, supplier, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CRC-ICS.


Food Industry

Chemical Industry

Nuclear / Power

Healthcare / Hospitals

Manufacturing Industry

Energy Grids

Telecom Networks

Oil & Gas Industry

Water Supply Networks

Banking / Finance

Transport / Aviation

Government / Military

An Interconnected, Intelligent & Instrumented World?


The Art of War is an ancient (-496 B.C.) Chinese military treatise attributed to Sun Tzu, a high-ranking military general, strategist and tactician. It is commonly known to be the definitive work on military strategy and tactics, and for the last two thousand years has remained the most important military dissertation in Asia. It has had an influence on Eastern and Western military thinking, business tactics, legal strategy and beyond. Leaders as diverse as Mao Zedong and General Douglas MacArthur have drawn inspiration from the work.

Since March 2014, Admiral Rogers has led the NSA and been the commander of the U.S.A. Cyber Command, the Pentagon's army of cyber warriors.

Many of Sun Tzu's conclusions remain valid today in the cyber warfare era, as Admiral Michael S. Rogers said recently.

Characteristics - Art of Cyber War

1. Artificial Environment
2. Geography changes without warning
3. Physical proximity loses relevance
4. Blinding development of technology
5. Anonymity
6. Few moral inhibitions

NATO (2008)

• Cyber terrorism is “a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or intimidate a society into an ideological goal.”

US Federal Bureau of Investigation

• Cyber terrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."

Center for Strategic and International Studies (CSIS):

• The use of computer network tools to shut down critical infrastructures (e.g., energy, transportation, government operations) or to coerce or intimidate a government or civilian population.

Henry C. Lee College of Criminal Justice and Forensic Sciences: William Tafoya, Professor of Criminal

• The intimidation of civilian enterprise through the use of high technology to bring about political, religious, or ideological aims, actions that result in destroying or disabling critical infrastructures.

• Cyber terrorism is a controversial term. Some authors choose a very narrow definition, relating to deployments, by known terrorist organizations, of disruption attacks against information systems for the primary purpose of creating alarm and panic.

• Cyber terrorism can be also defined as the intentional use of computer, networks, and public internet to cause destruction and harm for personal objectives. Objectives may be political or ideological since this can be seen as a form of terrorism.

Cyber Crime Research Center

• Cybercrime is defined as crimes committed on the internet using the computer as either a tool or a targeted victim. It is very difficult to classify crimes in general into distinct groups as many crimes evolve on a daily basis. Even in the real world, crimes like rape, murder or theft need not necessarily be separate. However, all cybercrimes involve both the computer and the person behind it as victims, it just depends on which of the two is the main target. Hence, the computer will be looked at as either a target or tool for simplicity’s sake. For example, hacking involves attacking the computer’s information and other resources. It is important to take note that overlapping occurs in many cases and it is impossible to have a perfect classification system.

Techopedia

• Cybercrime is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes). Cybercriminals may use computer technology to access personal information, business trade secrets or use the internet for exploitive or malicious purposes. Criminals can also use computers for communication and document or data storage.

Snapshot Cyber Attack Monitoring 09-25-2017

OCTOBER 2017

On Access Scan

On Demand Scan

Mail Anti Virus

Web Anti Virus

Intrusion Detection Scan

Vulnerability Scan

Kaspersky Anti Spam

Botnet Activity Detection

TOP RANKING MOST ATTACKED COUNTRIES

#1 MALI
#2 GERMANY
#3 ECUADOR
#4 SOUTH KOREA
#5 BRAZIL
#6 FRANCE
#8 UNITED STATES
#9 RUSSIA
#11 NETHERLANDS
#22 CHINA

SEPTEMBER 2017

Timeline slide: reported cyber incidents, January to December 2017 (headlines as shown on the slide)

• Cyber Espionage Malware Is So Advanced It Has Its Own API
• A virus that has shut down the ECMC hospital's entire computer network
• APT29 Uses Stealthy Backdoor to Maintain Access to Targets
• Point of Sale (PoS) Manufacturer Verifone Breached
• ISIS-Linked hackers Attack NHS Websites
• Hamas ‘Honeypot’ Operations shows a Sophisticated Cyber-Espionage Unit
• Secret Details Emerge on Iran’s Cyber Army ?
• Saudi Arabia: Cyber Attack on Chemical Firm
• Ukraine Charges Russia with New Cyber Attacks on Infrastructure
• Several Polish Banks Hacked, Information Stolen by Unknown Attackers
• University suffers cyber attack from its own vending machines and lamp posts
• Rotterdam Airport and Rumag websites Hacked by Turkish Hacking Group
• ThyssenKrupp Secrets Stolen in ‘Massive’ Cyber Attack
• Industroyer: Biggest Threat to Industrial Control Systems since Stuxnet
• Petya Goldeneye ransomware attack using ‘stolen NSA cyber-weapon’ called EternalBlue sweeps the world
• Renault shut down several French factories after WannaCry Cyberattack.
• Hackers Are Targeting US Nuclear Facilities ?
• FedEx / TNT Express Heavily hit by Petya Cyber-Attack
• Maersk hack impact from Petya / Nonpetya on the APM terminal in Rotterdam
• Operations cancelled as cyber attack hits NHS Lanarkshire hospitals and GPs
• US Nuclear Breach opens new chapter in Cyber Struggle
• North Korea intensifies cyber attacks against Bitcoin exchanges
• Hackers Gain Direct Access to US Power Grid Controls
• Massive Equifax Data Breach Hits 143 Million Customers
• UK Universities Targeted by Cyber-Thieves
• Iranian Cyber Espionage APT33 Targets Aerospace & Energy Sectors and has Ties to Destructive Malware
• Deloitte hit by Cyber Attack Revealing Clients’ Secret Emails

Timeline slide: reported cyber incidents, December 2015 to December 2016 (headlines as shown on the slide)

• Hackers destroy computers Saudi Aviation Agency
• Japan Denies Report of ‘State-Backed’ Cyber Attack on Military
• Hackers are holding San Francisco’s Light-Rail System for Ransom
• Classified US Defense Network Outage Hits Air Force’s Secret Drone Operations
• DDoS Attack halts Heating in Finland amidst Winter
• Security camera was infected by Mirai-like worm malware 98 seconds after it was plugged in
• DDOS Attack Against Dyn Managed DNS Servers
• Nuclear Power Plant Disrupted by Cyber Attack
• US Accuses Russia of Hacking Attempts on Political Groups
• Ghost Squad Hackers Attack Websites For Israeli Prime Minister
• Washington Think Tank Organizations Hacked by APT29
• Monsoon APT Has Been Hacking Targets Around the Globe Since 2010
• US Ports Targeted with Zero-Day SQL Injection Flaw
• Operation Ghoul Industrial Espionage Hackers Targeted 130 Companies in More than 30 Countries
• Iran Investigates If Series of Oil Industry Accidents Were Caused by Cyber Attack
• Strider Cyberespionage Group Hit Seven Targets in China, Russia, Belgium, Sweden
• Israel’s Electric Authority Hit by ‘Severe’ Hack attack
• Airport Systems at 2 major Airports in Vietnam Hacked by Chinese Group
• UK Railway Network Suffered 4 Cyber Attacks in the Past Year
• SFG Malware Discovered in European Energy Company
• Saudi Military & Government Security Personnel Targets Android Spyware
• NATO Declares Cyber an Official Warfare Battleground, Next to Air, Sea and Land
• Terrorist Groups Acquiring the Cyber Capabilities to bring major Cities to a Standstill
• Stuxnet-like IRONGATE Malware Found Targeting SCADA Equipment
• Ke3chang is Back and It’s Targeting Indian Embassies
• Suckfly Cyber Espionage Group Targets Indian Companies
• South Korea Accuses North Korea of Hacking Defense Contractor
• Tick Cyber Espionage group active for at least 10 years in Japan
• Ransomware Virus Shuts Down US Electric and Water Utility
• German Nuclear Plant’s Fuel Rod System Swarming with Old Malware
• Bangladesh Central Bank – Billion Dollar Hack
• US to blame Iran for Cyber Attack on small NY Dam
• Pirates Hack into Shipping Company’s Servers to Identify Booty
• Israel is Pioneering new weapons on the “Modern Battlefield”
• Russian Software Could Threaten US Industrial Control Systems
• China Hacking & Stealing Military Secrets of Norway
• Hackers take Hospital Offline, demand $ 3.6 M ransom
• UK (GCHQ): We Failed On Cybersecurity
• Clever Bank Hack allowed Crooks to make Unlimited ATM withdrawals
• Cyber Security Threat could cause ‘Fukushima-like Disaster’
• Loco Motives? Hacker Attacks could Derail Train Cyber Security
• Ukraine Blackout is a Cyberattack Milestone ?
• F35 – Joint Strike Fighter, Cyber Security Tests delay prompts Vulnerability Concerns
• APT28: A Window into Russia's Cyber Espionage Operations?
• China blamed for ‘Massive’ Cyber Attack on Australian Government
• US Govt. Hackers Ready to hit Back if Russia Tries to Disrupt Election?

Timeline slide: reported cyber incidents, November 2014 to November 2015 (headlines as shown on the slide)

• Russian Proxy Forces Bring Down An F-16 In a Beta Test for World War III
• US Cyber Warfare: Use of Drones to Infect Spyware
• Turla APT malware threat uses satellites to avoid detection. Russian Signature
• Operation Pawn Storm: Russian hackers exploit unusual Java zero-day to hit unnamed NATO country
• Russian Cyber Attack Targets Pentagon Email Systems
• Black Vine: Formidable Cyber Espionage group Targeted Aerospace
• Cyberespionage Group behind “Duke” Family of Malware
• Operation Morpho: Multi-billion dollar corporations hit by secretive attack group.
• German Patriot Missile Battery receives orders from… unknown ‘Hackers’ – Report
• Hacking Team hacked: Firm sold Spying Tools to Repressive regimes, documents claim
• Dino backdoor trojan (Cyber-Espionage tool) target computers in Iran
• U.S.A. Federal employee Data stolen - China Signature
• Operation Epic Turla – Russian Signature?
• Sony Pictures hit by a Major Cyber Attack – Origin NK?
• French Network TV5 Monde Hacked
• Operation Pawn Storm - Ramps Up its Activities; Targets NATO, White House – Russian Signature?
• LOT Polish Airlines Ground Operations Hacked
• German Parliament Hacked, Russia is Primary Suspect
• Hacked Turkey Pipeline exploded
• China-Based APT17 (DeputyDog) conducted network intrusions against several Industries
• Project Pistachio Harvest - Iran Increasing Both Sophistication and Frequency of Cyber Attacks
• NSA & GCHQ accused of Hacking Sim Card firm Gemalto
• Equation Group – Targeting several Industries: NSA Related?
• Regin – Top-tier Espionage Tool – NSA related?
• Operation Cleaver – Targeting Several Industries: Iran Nation-State Activities
• U.S. Officials Report Hackers Gained Access to Sensitive White House Networks
• China Reveals Its Cyberwar Secrets: The Science of Military Strategy 2013
• Anthem Blue Cross / Blue Shield Hacked
• The Carbanak Cybergang Stole $ 1bn from Banks
• ASML hack: Global Chip Machine producer in the Netherlands and France – China related?
• Cyber Attack Causes Physical Damage at German Iron Plant in Brasil – Origin ?
• Australian Mining and Natural Resources Companies Hacked
• Iranian Military Spear-phish of US Government
• ISIS is attacking the US Energy Grid
• ISIS plotting Cyber Warfare to Kill People in UK
• Hacking Group Strontium dogs NATO and Government targets

Networked Consumer Electronics

Networked Everything (IoT)

What about Securing Networked Society?

Cyber Protection is about…..

>2020

Process

Mobile

Business

Home

Data

Things

People

P2P

P2M

M2M

Networked Industries

All these Functionalities are Never Designed with Security in Mind

All the data used for the creation of this image is based on the Shodan Engine looking for BMS/ICS/SCADA open ports.

• BACnet (Port 47808)
• DNP3 (Port 20000)
• EtherNet/IP (Port 44818)
• Niagara Fox (Ports 1911 and 4911)
• IEC-104 (Port 2404)
• Red Lion (Port 789)
• Modbus (Port 502)
• Siemens S7 (Port 102)

Source: https://www.shodan.io

Cyber Resilience

Cyber Resistance

Cyber Awareness

Controls

Defense in Depth

Cyber Governance Model

Threats

Vulnerabilities

Operations

Risk

Cyber Risk Analysis

Assessment

Security

Enterprise / Corporate IT Security

Industrial Control Systems /

Critical Infrastructures Security

(Most Important Assets / Crown Jewels)

What to Defend? - Where is the Risk? – What can you Do?

3 Domains in Cyber & Architectural Governance

Enterprise / Corporate IT Security

Industrial Control Systems /

Critical Infrastructures Security

“Defense-in-Depth” & “Separation of Concerns”

Resistance / Resilience where possible on every level: Device / hardware / network / firmware / operating systems / network protocols / software / applications / organisation / user / contractor / developer / vendor

• Segregate / separate networks & functionalities
• Wireless & (Remote) Identity / Access Control
• Increase Robustness, Harden Systems, Networks, Devices
• Immediate Patch, Patch where possible, Patch!!!
• Monitor & Control, Deep Packet Inspection
• People, Policies, Procedures, Technology, Environment
• Incident Response & Recovery

Security Zone Definition

‘Security zone: grouping of logical or physical assets that share common security requirements’. [ANSI/ISA99-IEC62443]

A zone has a clearly defined border (either logical or physical), which is the boundary between included and excluded elements.

Conduit Definition

A conduit is a path for the flow of information between two zones:

• It can provide the security functions that allow different zones to communicate securely.
• Any transfer of electronic data between zones must have a conduit.

Diagram labels: Conduit; Supervisory Zone; Controller Zone

Level 6: IoT / Mobile (Industrial)
Level 5: Enterprise Network
Level 4: Enterprise Systems
Level 3: Operations Management
Level 2: Supervisory Control
Level 1: Local or Basic Control
Level 0: Process Equipment Under Control

Business Planning & Logistics
Process Operations Management
Production Supervision
Production Control
Production

IoT / Mobile Facilities
Enterprise Facilities
Industrial Control Systems (ICS)

Fundamentals of “Defense-in-Depth” & “Separation of Concerns”
Awareness / Resistance / Resilience on every Level!
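
As an added illustration (not part of the original presentation), the rule that any transfer of data between zones must have a conduit can be checked mechanically against flow records. The subnets, zone names, conduit table and sample flows below are constructed assumptions; the protocol ports are the ones listed on the Shodan slide of this deck.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ICS/BMS protocol ports as listed on the Shodan slide of this deck.
ICS_PORTS = {
    47808: "BACnet", 20000: "DNP3", 44818: "EtherNet/IP",
    1911: "Niagara Fox", 4911: "Niagara Fox", 2404: "IEC-104",
    789: "Red Lion", 502: "Modbus", 102: "Siemens S7",
}

# Constructed zone plan (assumption): each zone is one subnet.
ZONES = {
    "enterprise": ip_network("10.4.0.0/16"),   # Levels 4-5
    "operations": ip_network("10.3.0.0/16"),   # Level 3
    "supervisory": ip_network("10.2.0.0/16"),  # Level 2
    "controller": ip_network("10.1.0.0/16"),   # Levels 0-1
}

# Constructed conduit table (assumption): (initiating zone, receiving zone)
# -> destination ports the conduit permits. A missing pair means no conduit.
CONDUITS = {
    ("enterprise", "operations"): {443},
    ("operations", "supervisory"): {443},
    ("supervisory", "controller"): {502, 44818},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(addr):
    """Map an address to its zone; anything outside the plan is 'external'."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def audit_flow(flow):
    """Return None for a permitted flow, otherwise a finding string."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return None  # traffic inside one zone needs no conduit
    proto = ICS_PORTS.get(flow.dport)
    label = f"{proto} ({flow.dport})" if proto else f"port {flow.dport}"
    allowed = CONDUITS.get((src_zone, dst_zone))
    if allowed is None:
        return f"no conduit {src_zone}->{dst_zone}: {label}"
    if flow.dport not in allowed:
        return f"{label} not permitted on conduit {src_zone}->{dst_zone}"
    return None


def audit(flows):
    """Return (flow, finding) pairs for every flow that violates the model."""
    findings = []
    for flow in flows:
        finding = audit_flow(flow)
        if finding:
            findings.append((flow, finding))
    return findings


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.2.0.15", "10.1.0.20", 502),     # HMI polls PLC over Modbus
    Flow("10.1.0.20", "10.1.0.21", 44818),   # controller to controller
    Flow("10.4.7.9", "10.3.0.5", 443),       # enterprise to operations
    Flow("10.4.7.9", "10.1.0.20", 502),      # office PC straight to a PLC
    Flow("203.0.113.50", "10.1.0.21", 102),  # outside address to S7
    Flow("10.2.0.15", "10.1.0.22", 20000),   # DNP3 on a Modbus/EtherNet/IP conduit
]

if __name__ == "__main__":
    for flow, finding in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}: {finding}")
```

Conduits are modelled here as directional (initiator to responder), which is a simplification chosen for the example.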

Protection?

Detection?

Attack Indications & Warnings

Intrusion Detection & Monitoring

Business Network Events

Process Control Network / System Events

Analysis & Correlation

External Events

Find the Right Balance between Protection versus Detection / Respond

Enterprise / Corporate IT Security

Industrial Control Systems /

Critical Infrastructures Security

Important Aspects of Protection / Detection

Diagram labels: Process; P2P; Mobile; People; P2M; Business; Data; Things; M2M

People & Processes

• Information Security Program & Planning (IR, DR, BC)
• Awareness, Education & Training
• Access, Measures & Security Controls; Procedures; Policies & Laws; Recovery & Continuity Plans

Technology

• Access Controls
• Backups
• Encryption
• Proxy Servers
• Network IDS
• Firewalls (UTM / DPI)
• Host IDS
• Patches & upgrades
• Networks & Systems Monitoring
• Redundancy
• Network IPS

Layers: Processes; People; Systems; Networks; Internet

Enterprise / Corporate IT Security

Industrial Control Systems /

Critical Infrastructures Security

PRIVACY & INFORMATION GOVERNANCE
INFORMATION ASSURANCE
BUSINESS CONTINUITY MANAGEMENT
RESILIENCE, DIVERSITY
REDUNDANCY INFORMATION
RECOVERY
ADEQUACY OF CONTROLS
CORPORATE CYBER NETWORK ATTACK
RADSEC (TEMPEST+EMI, ELSEC, RFSEC)
INFOSEC
IA RISK MANAGEMENT
SECURITY BY DESIGN
COMSEC & TRANSEC
EMIP (EM Interference Protection: EMC, HEMP/HERF)
CORPORATE CYBER NETWORK OPERATIONS
COMPUTER NETWORK EXPLOITATION
CERTIFICATION & ACCREDITATION
SECURE DEVELOPMENT
COMPLIANCE & AUDIT
SECURITY OPERATION CENTER
PLANT / SITE PROCESS CONTROL NETWORKS
SCADA / DCS CONTROL NETWORKS
SENSOR I/O CONTROL NETWORKS
SITE / PLANT COMPUTER NETWORK OPERATIONS
PLANT COMPUTER NETWORK EXPLOITATION
PLANT COMPUTER NETWORK ATTACK
NETWORK MONITORING & PROTECTION
THREAT & VULNERABILITY ANALYSIS
CYBER SECURITY
SECURITY
PHYSICAL SECURITY
PERSONNEL SECURITY
CONTRACTORS SECURITY
IDENTITY / ACCESS MANAGEMENT
COMPLIANCE MANAGEMENT
NETWORK INTRUSION DETECTION
WIRELESS INTRUSION PROTECTION
DEEP PACKET INSPECTION
DOCUMENT SECURITY
INVESTIGATIONS, Incl. FORENSICS
DATA / IP SECURITY
DATA SECURITY
ORGANIZATIONAL SECURITY
PHYSICAL / CYBER SECURITY
ENTERPRISE ARCHITECTURE
OPERATIONS MANAGEMENT
BUSINESS & IT ARCHITECTURE
RISK & COMPLIANCE
BUSINESS CONTINUITY, ETC.

Level 6: IoT / Mobile
Level 5: Enterprise Network
Level 4: Enterprise Systems
Level 3: Operations Management
Level 2: Supervisory Control
Level 1: Local or Basic Control
Level 0: Process Equipment Under Control

Diagram labels: Internet; External Network; Office Network; Production Network; Control Network; ISA99 / IEC62443; External Mobile Workers; Contractors; Internet of Things; Machinery; RS-232

Numbered callouts on the diagram (1 to 18):

• Insecure External IoT / Mobile Connections
• Misconfigured Firewalls
• Wrong Type Firewalls
• Infected Laptops
• Insecure Wireless LAN
• Insecure Modems
• Infected USB Keys
• Insecure Serial Links
• 3rd Party / Contractor Issues
• Spoofing / Phishing
• Infected PLC Logic
• Insecure Wireless I/O
• Insecure RFID
• Insecure Bluetooth
• Insecure NFC
• APT / Zero-Day-Exploits
• Unpatched Software
• Misconfigured Login Credentials

Cyber Protection & Resilience

Original Source: Digitalist Magazine July 2016

Safety, Security, Privacy, GDPR

Cyber Protection & Resilience

Digital Transformation

Customers

The New Reality!

Level 6: IoT / Mobile
Level 5: Enterprise Network
Level 4: Enterprise Systems
Level 3: Operations Management
Level 2: Supervisory Control
Level 1: Local or Basic Control
Level 0: Process Equipment Under Control

ISA99 / IEC62443

CYBER SECURITY - SMART / DIGITAL OIL FIELD

Diagram labels:

Mobile Drilling Rig
Sea Drilling Rig
Battery Tank
RTU - Remote Terminal Unit
PLC - Programmable Logic Controller
Emergency Response
Work Vehicle
CWE - Collaborative Work Environment
Process Domain
Video Monitoring
To HQ
Central Control Room
SCADA Systems
Well Pad
Field Office

Well Head Automation
Mobile Field Connectivity
Operational Video Surveillance
Micro Seismic Applications
Asset Tracking via RF-ID
Energy Management
Collaborative Working Env.
Smart Drilling
Cyber Security

CYBER SECURITY - SMART GRID (E2E)

Diagram labels:

Local Energy
Massive Solar Energy
Hydro Energy
Wind Energy
Energy Storage
Conventional Energy
Central Control Rooms
SCADA Systems

Solar Energy Automation
Wind Energy Automation
Hydro Energy Automation
Grid Energy Balancing Applic.
Energy Transport Management
Energy Storage / Management
Collaborative Working Env.
Mobile Vehicle Connectivity
Cyber Security

• Accept the FACT that Vulnerabilities, Open Doors to the Unexpected.

• Accept that the Type of Threats will Change Continuously.

• Accept that there is NO Separation between the Cyber World and the Physical World.

• Accept that Investing & Maintaining Cyber Protection & Resilience is an Ongoing Activity.

• We’ve become distracted – Outsider & Insider Threat is real & growing

• Terrorism is Multifaceted. Traditional Definitions must be adapted to the New Realities.

You can't Defend.... You can't Prevent….(only to a certain level)

The only thing you can do is Detect and Respond!

The Cyber Research Center - Industrial Control Systems / Critical Infrastructures is a not for profit research & information sharing, expert center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.

Jaap Schekkerman | Research Director & Thought Leader

Cyberspace the Fifth Domain of War ?!

Industrial Control Systems Cyber Governance Guide