© Copyright 2016 OSIsoft, LLC
Bryan S. Owen, PE, Principal Cyber Security Manager
@bryansowen
No Stone Unturned: Stories from the Aftermath of Cyber Incidents
Who’s next?
Hollywood hospital hit with ransomware: hackers demand $3.6 million ransom
NIST CSF Core Function – “Recover”
• Recovery Planning
• Improvements
• Communications
“…plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event…”
Long Tail Cost Example – SCADA
Dave Kennedy and Ryan Macfarlane (Oct 2010) – The long tail of information security
Disclaimer
• Incident response at OSIsoft
– Limited to PI System domain of expertise
• 3 case studies supporting large user communities
– No direct attacks on PI System, collateral damage
– Unofficially attributed to nation state actor
– IOC and forensic analysis by others
– Please don’t ask who, when, where, etc.
The PI System Layers
[Figure: the PI System layers – PI Interfaces and PI Connectors, PI Server, PI Data Access – arranged along the Collect, Manage, Enhance and Deliver stages]
Case 1
[Figure: zone diagram with Enterprise Zone, DMZ, Manufacturing Zone and Cell/Area Zone across Levels 0–5, annotated “Attack with Impact”]
Timeline
• Respond – T0: “Disconnection”
• Recover – T0+47 days: “Communication”
• Recover – T0+140 days: “Improvement”
• Recover – T0+320 days: “New Normal”
Respond
• Tool to verify installation files and registry entries
• Tool to verify meta data and configuration
• What to look for in logs to identify anomalies
• Review of known vulnerabilities
• Guidelines for anti-virus
Recover – Lessons Learned
• Post breach verification of big data sets is exhaustive
– Limit scope with read only PI archives
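The two slides above ask for a tool that verifies installation files and a way to keep post-breach verification of large data sets tractable by scoping it to read-only archives. The script below is an added example written for this page, not OSIsoft tooling: it captures a SHA-256 manifest of a trusted tree (taken before an incident, or from a read-only archive set whose hashes cannot legitimately change) and then reports every file as ok, modified, missing or unexpected. The directory layout, file names and contents are constructed for the demonstration; nothing here depends on the PI System.

```python
"""Manifest-based integrity check for a deployment tree.

Added example, not OSIsoft code. Assumptions (constructed for this example):
the manifest is a dict mapping POSIX-style relative paths to SHA-256 hex
digests, captured from a trusted build or from read-only archives and kept
offline so an intruder on the host cannot rewrite it.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so multi-gigabyte archives never load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Capture the baseline: every regular file under root, keyed by relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with the manifest.

    The report has four sorted lists: 'ok', 'modified', 'missing' and
    'unexpected'. 'unexpected' (on disk but absent from the baseline) is the
    bucket a responder reads first, since a dropped binary or DLL lands there.
    """
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unexpected"].append(rel)
        elif sha256_file(path) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict:
    """Constructed scenario: baseline three files, then tamper, delete and drop one file each."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "archives").mkdir()
        (root / "bin" / "service.exe").write_bytes(b"trusted service binary")
        (root / "bin" / "helper.dll").write_bytes(b"trusted helper")
        (root / "archives" / "piarch.001").write_bytes(b"read-only archive contents")
        manifest = build_manifest(root)  # taken while the tree is still trusted

        # Simulated post-incident state of the same tree.
        (root / "bin" / "service.exe").write_bytes(b"trusted service binary + injected code")
        (root / "bin" / "helper.dll").unlink()
        (root / "bin" / "dropped.dll").write_bytes(b"unknown payload")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Scoping the manifest to read-only archives is what keeps the check bounded: a file that is never supposed to change has exactly one correct digest, so verifying it is a single streaming pass rather than a record-by-record comparison. The same approach applies to exported registry hives or configuration dumps if they are written to files before hashing.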
Restore
• Comprehensive architecture review
• Hardware platform and operating system concerns
• Application resiliency and residual risk
• Consideration of non-routable protocol
• Data flow diagrams and one-way enforcement
Webinar with Bryan Owen and Ralph Langner – Trends in OT Security
Restore – Lessons Learned #1
• Communication
– Involve executives early and often
Restore – Lessons Learned #2
• Diminished Risk Appetite
– Unclear approval process to restore service
– Plan resiliency for long disconnects
Restore – Lessons Learned #3
• Network segmentation
– DMZ between IT/OT proved very effective
– Add unidirectional flow control as appropriate
NIST 800-82r2 Figure 5.4: Paired Firewalls between Corporate Network and Control Network
Case 2
[Figure: zone diagram with Enterprise Zone, DMZ, Manufacturing Zone and Cell/Area Zone across Levels 0–5, annotated “Attack with Impact”]
Timeline (spanning 1 year)
• Respond – T0: “Disconnection”
• Recover – T0+18 days: “New Normal”
• Respond – T1: “Disconnection”
• Recover – T1+3 days: “New Normal”
Respond
• Could attacker use PI to actuate control?
• Advice on potentially sensitive data or configuration
Respond – Lessons Learned #1
• Planning during crisis isn’t ideal
– Have a plan
– 2nd time was ‘rote execution’
Respond – Lessons Learned #2
• Narrow the scope of response activities
– Monitoring only
– Contain control protocol and credential use to zone
[Figure: zone diagram with Enterprise Zone, DMZ, Manufacturing Zone and Cell/Area Zone across Levels 0–5, annotated “Dedicated Logon Authority”]
Restore
• Assistance with restore procedures
• Review all password persistence
• Advice on changing host name, IP address, TCP port (security by obscurity)
Restore – Lessons Learned #1
• Time to restore key factors:
– IT professionals and vendor remote access
– Virtualization infrastructure
Restore – Lessons Learned #2
• Credential theft and reuse is a chronic problem
– Restrict direct access to database servers
– Shift majority of load to application servers
– MFA recommendation dismissed
Case 3
[Figure: zone diagram with Enterprise Zone, DMZ, Manufacturing Zone and Cell/Area Zone across Levels 0–5, annotated “Attack with Impact”]
Timeline
• Recover – T0: “Communication”
• Recover – T0+21 days: “Improvement”
• Normal – T0+26 days
Response – Lessons Learned #1
• Plan for a rooted layer 3 computer
– Disconnect is not sufficient
Response – Lessons Learned #2
• Communication of forensic summary was helpful
– Theft of trade secrets
– Supply chain responders can optimize effort
Restore
• Deep dive on PI remote diagnostic service
– What is sent from diagnostic center to field agents
– Automatic update mechanism
– Crypto and minimum OS specifications
Restore – Lessons Learned #1
• ‘Repave’ the affected systems
– Migrate validated data and configuration
– Upgrades may not be deemed appropriate
Restore – Lessons Learned #2
• Remote diagnostic service
– Reduces overall response time
– Due diligence and strict platform prerequisites are justified
Summary
• Stage 2 ICS attack observables are sparse
• Defending the ‘long tail’ of ICS risk is doable!
• Heed the sliding scale of security
Thank You
Bryan S. Owen, PE
OSIsoft – Principal Cyber Security Manager