SESSION ID: SBX1-R12
#RSAC

Industrial Defence In-Depth

Andrey Nikishin
Special Projects Director, Kaspersky Lab
@andreynikishin

Agenda

• Industrial specifics
• Industrial Cyber Security in Depth

INDUSTRIAL SPECIFICS

Critical infrastructure sectors by state

• Emergency Services
• Communications
• Financial Services
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Energy
• Chemical
• Commercial Facilities
• Nuclear
• Transportation Systems
• Water and Wastewater
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Food and Agriculture

• Communications
• Emergency Services
• Financial Services
• Government
• Health
• Energy
• Transport
• Water
• Food

Is all industrial infrastructure critical?

Simplified IT schema (diagram)

Simplified ICS (OT) network schema (diagram)

ICS Network: Common devices

• SCADA server
• HMI
• Development system (IDE) / Engineering WS
• Data Historian
• Field equipment
• PLC/DCS

Industrial Security Approach

Corporate Network:
1. Confidentiality
2. Integrity
3. Availability

Industrial Network:
1. Availability
2. Integrity
3. Confidentiality

Corporate IT Security is about Data protection
Industrial Security is about Process protection
Process should be continuous and only then secure

WHY NOT TO USE IT SOLUTIONS? (1)

Technology                 | IT                                    | ICS
Antivirus                  | Typical, highly automated             | Difficult: performance impact, false positives, legacy systems
Patching                   | Typical, highly automated             | Difficult: requires switching to service mode
Security testing and audit | Use of modern tools, external experts | Modern methods and tools not applicable

WHY NOT TO USE IT SOLUTIONS? (2)

Technology           | IT                                                                                      | ICS
Change management    | Typical                                                                                 | Non-standard, per-case solutions
Incident management  | Event handling and recording are automated; post-mortem and audit analysis are common   | Difficulty replaying events
Equipment life cycle |                                                                                         | Not automated, only when necessary

WHY NOT TO USE IT SOLUTIONS? (3)

Technology                 | IT                                              | ICS
Physical security          | Low security for offices, high for data centers | Highly demanded
Security development cycle | Integrated into the development cycle           | Rare in use
Compliance to standards    | Limited to some areas                           | Highly demanded

Industrial Security today: low awareness

C-level: doesn't see how cyber security spending relates to revenues
IT Security: is not allowed to go into industrial sites
Engineers: are more concerned about security measures than about malware

Mutual understanding and partnership between these three are crucial to successful cyber security and Critical Infrastructure Protection

What makes protection difficult today

• Low awareness: a mix of hype and reality, no 'hard data'
• Typical 'office' IT security is not applicable
• Most attacks target systems that are old, insecure and hard to update
• Lack of cyber security skills and of industrial cyber security practice
• Lack of OT cyber security ownership

Industrial Specifics: Summary

• Industrial Security is about Process protection
• Process should be continuous and only then secure
• IT vs OT
• ICS network protocols have no integrity checks, user authorization or authentication
• Old or unsupported OS with no patching (Windows XP too)
• Specially designed approach, products & services

Industrial Defence In-Depth

Cyber security is a process, not a project. The cycle:
1. Risk & threats awareness
2. Risk assessment
3. Proposal & pilot
4. Implementation
5. Support & update

Cyber risks and threats

• Mistakes by SCADA operators or contractors (3rd parties)
• Actions of insiders (made on purpose or not)
• Incidental infection
• Infection via contractors (removable media or network connection)
• Lack of awareness and hard data for incident forensics
• Hacktivists' actions and cyber hooligans' attacks
• APTs and government-backed attacks
• Cyber sabotage (any sort of it)
• Compliance
• Fraud

ATTACK VECTORS

• Vulnerable software (SCADA, OS, 3rd-party)
• ERP/MES & Internet connections
• Uncontrolled software usage
• Unauthorized mobile device usage
• Uncontrolled external devices (USB, SATA, etc.)
• 3rd parties and contractors
• Supply chain
• Malware

Conceptual Topology

Level 4: ERP, APO, Logistics Systems (Business Process Information Network)
Level 3: MES, LIMS, WMS, CMM Systems (Operations Information Network)
Level 2: HMI, SCADA, Batch Systems (Automation Network)
Level 1: PLC, DCS, Packaged Systems (Discrete & Process Device Communication Networks)
Level 0: I/O, Devices, Sensors

Risks, Malware & Internet Threats

LEVEL 3: Manufacturing Operations Management
• Malware via USB, network, corporate network, email, web
• Human actions (intentional or not) by insiders and contractors
• Internet attacks (hackers, radicals, hacktivists, etc.)

LEVEL 2, 1: SCADA, HMI, engineering workstations, PLC, RTU, etc.
• Malware via USB, network, contractors
• Human actions (insiders, contractors)
• Internet attacks

LEVEL 0: Physical
• Malware via the industrial network
• Human actions

Risk assessment (Security gap assessment)

Assessment
• Non-invasive approach (based on traffic analysis)
• Interviews
• Agentless vulnerability / weakness scanning
• Pentests (on test facilities)

Cyber Threat Model

Recommendations and a step-by-step plan based on the risks and specifics of a client

Cyber risks and threats

Malware & attacks
• Incidental infection
• Infection via contractors (removable media or network connection)
• Hacktivists' actions and cyber hooligans' attacks
• APTs & government-backed attacks
• Cyber sabotage (any sort of it)

Human actions
• Mistakes by SCADA operators or contractors (3rd parties)
• Actions of insiders (made on purpose)

Compliance
• Lack of awareness and hard data for incident forensics

Controls mapped against these threats on the slide:
• Node security: protect, prevent, report & remediate
• Network security: detect, report
• Firewall/IDS
• Policy
• Education

Defense strategies

(Chart) Percentage of ICS-CERT FY 2014 and FY 2015 Incidents Potentially Mitigated by Each Strategy

Node Security

Protect & Prevent & Report & Remediate
• Works on ICS/SCADA servers and engineering workstations, and supports Human Machine Interfaces
• Runs in high-availability mode and without updates
• Whitelisting is the main technology
• External device control
• Vulnerability assessments

Network Security

Detect & Report
• Network traffic anomaly detection in a passive mode
• Detection of potentially dangerous control commands from the technological process point of view
• Network integrity monitoring (detection of new network devices and communications in the ICS network)
• Collect and store events: a forensic, monitoring and incident detection tool
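The two detect-and-report functions above, network integrity monitoring and inspection of control commands against process limits, as an added example that is not part of the original deck or any Kaspersky product. It assumes flow records were already extracted from a mirror/SPAN port into simple text lines, and all addresses, registers and limits are constructed sample values.

```python
from dataclasses import dataclass, field

# Assumption: flow records have already been extracted from a mirror/SPAN port
# into text lines "<src_ip> <dst_ip> <protocol> [<function> <value>]".
# Baseline learned during a clean commissioning window (constructed values).
KNOWN_DEVICES = {"10.0.10.5", "10.0.10.6", "10.0.20.11", "10.0.20.12"}
KNOWN_FLOWS = {
    ("10.0.10.5", "10.0.20.11", "modbus"),  # SCADA server -> PLC 1
    ("10.0.10.5", "10.0.20.12", "modbus"),  # SCADA server -> PLC 2
    ("10.0.10.6", "10.0.10.5", "opc"),      # HMI -> SCADA server
}
# Process limits per (PLC, write function): a write outside the range is
# "potentially dangerous from the technological process point of view".
SETPOINT_LIMITS = {("10.0.20.11", "write_register:40001"): (0.0, 80.0)}

@dataclass
class Findings:
    new_devices: set = field(default_factory=set)
    new_flows: set = field(default_factory=set)
    dangerous_commands: list = field(default_factory=list)

def analyse(records):
    """Compare observed flows with the baseline: detect and report, never block."""
    found = Findings()
    for line in records:
        parts = line.split()
        src, dst, proto = parts[:3]
        # Network integrity: any host or conversation absent from the baseline.
        for host in (src, dst):
            if host not in KNOWN_DEVICES:
                found.new_devices.add(host)
        if (src, dst, proto) not in KNOWN_FLOWS:
            found.new_flows.add((src, dst, proto))
        # Command inspection: only records that carry a function and a value.
        if len(parts) == 5:
            func, value = parts[3], float(parts[4])
            limits = SETPOINT_LIMITS.get((dst, func))
            if limits and not limits[0] <= value <= limits[1]:
                found.dangerous_commands.append((src, dst, func, value))
    return found

# Constructed sample traffic: normal poll, in-range write, an unknown laptop
# speaking Modbus to a PLC, and a setpoint write far outside process limits.
SAMPLE = [
    "10.0.10.5 10.0.20.11 modbus",
    "10.0.10.5 10.0.20.11 modbus write_register:40001 65",
    "10.0.10.99 10.0.20.12 modbus",
    "10.0.10.5 10.0.20.11 modbus write_register:40001 120",
]
```

Running analyse(SAMPLE) reports the unknown host 10.0.10.99, its new Modbus conversation with the second PLC, and the out-of-range write of 120, while the in-range write passes silently.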

Firewall/IDS/Remote access

Protect & Prevent & Detect & Report
• Supports industrial protocols
• Knows specific industrial attacks

Pilot testing

• Pilot testing on a test environment is an essential part
• Fine-tuning
• Customisation: for industry / for customer / for product line
• Certification (vendors & regulators)
• Approval by a client

Standards & best practices (diagram)

Education

• Cyber Security Awareness (should be part of the induction process)
• Employee cyber security training
  • ICS Cyber Security basics
  • Social attacks in a critical infrastructure environment
• Cyber Security for SOC: advanced cyber security trainings (malware analysis, reverse engineering, etc.) on a yearly basis

Incident response & Forensics

Common response and forensic services
• On-demand reports
• Customized reports on incidents/infections
• Early warnings on threats
• Private investigations (from malware analysis to a complex service)

Own CERT
• Help with organizing it
• Training for staff
• Reports

Summary

• Industrial Cyber Security is not like Office Cyber Security
• It requires a specific approach, products and services
• Employees are the weakest link, so education is extremely important
• Cyber security is not a project, it is a process
