Example: Wifi at a power plant
[Diagram: Power Plant SCADA Network, showing the SCADA Network (with its controller), the Office Network and the Lab Network]
"In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks."
Source: Sean McGurk, Verizon, testimony to the Subcommittee on National Security, Homeland Defense, and Foreign Operations, May 25, 2011 hearing.
It's connected to the Internet.
SANS Survey, Feb 2013
Feedback from the respondents:
• 70% think the risks are high to severe
• 33% have already had a security incident related to SCADA
• 40% have been compromised, think they have been, or don't know whether they have been
• 29% take cyber security into consideration in their procurement process
Top 3 risks named by respondents:
1. Malware (Stuxnet etc.)
2. Internal threats
3. External threats (hacking, government espionage etc.)
#1 reason for investing in security: avoid service interruption.
ICS-CERT
• In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems.
• In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.
• In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.
• In 2012 ICS-CERT reported 198 cyber incidents regarding SCADA, 23 of them targeted attacks: a rise of 264% compared to 2011.
Stage 3: Bargaining
• Stuxnet
– First widely reported use of malware to destroy a physical plant
– Extremely sophisticated
– Jumped the air gap via USB keys
– Widespread infections throughout the Internet
• Shamoon
– Targeted the energy sector
– Destructive: overwrites files and destroys the Master Boot Record
DDoS Attacks More Automated & Powerful
• Prolexic, Q2 2012 to Q2 2013:
– 33% increase in attacks
– 925% increase in bandwidth (4.47 Gbps to 49.24 Gbps)
– 1655% increase in packets per second (2.7 Mpps to 47.4 Mpps)
Stage 4: Depression
The Patching Treadmill
• Control systems are not designed to be shut down regularly
– Entire systems may need to be shut down for a single patch install
• Patching may mean upgrading
– Upgrades can cascade through a system
• Even assessments may require downtime!
• Patching leads to interconnectivity; interconnectivity leads to compromise
• Solutions?
– Third-party run-time in-memory patching?
– Intrusion Prevention Systems?
Stage 5: Acceptance
What would acceptance mean?
• Getting serious about interconnectivity
– We need to find new ways to work
– We need to accept some inconvenience
• Designing systems for patchability
– Systems that can be patched without being restarted
– Hot standby failover
– Patches that do not require upgrades
– Security patches that can be accepted without performance concerns
– Built-in IDS capability?
• Designing systems for failure
Cisco Confidential 21 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
You Can't Protect What You Can't See
The Network Gives Deep and Broad Visibility
[Figure: binary-stream graphic; embedded video]
What Can The Network Do For You?
• Detect anomalous traffic flows and malware, e.g. communication with malicious hosts, internal malware propagation, data exfiltration
• Detect application usage and user access policy violations, e.g. a maintenance contractor accessing financial data
• Detect utilization and baseline behavior, e.g. utilization of uplinks, odd user behavior
Behavioral Detection Model
As flows are collected, behavioral algorithms are applied to build "Security Events". Each Security Event adds points to an alarm category; the accumulated score gives an easy summary and a higher degree of confidence in the type of activity detected:
• 100% LAN accountability
• 90+ days flow storage on average
• 365+ days summary data stored
• Profile over 1M internal hosts
Continuous Network Monitoring: Apply Network Segmentation
Build logical boundaries (host groups):
• Outside (Internet): geolocation; business partners; cloud providers; social media
• Inside (internal): location (site, branch); datacenter; function (application); business unit; sensitivity (compliance)
Command & Control activity to watch for across those boundaries:
• New malware families
• Point-of-Sale malware
• Banking malware
• Keyloggers, data exfiltration
• DDoS
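The three slides above (what the network can detect, the point-scoring Security Event model, and the logical host-group boundaries) describe one pipeline: flow records come in, each host is placed in a group, per-behaviour detectors emit Security Events, and points accumulate per host and alarm category until an alarm threshold is crossed. The following is an added illustration of that pipeline, not Cisco or Lancope StealthWatch code. The host groups, forbidden group pairs, detector thresholds, point values, alarm threshold and the flow records themselves are all assumptions constructed for the example; the Office-to-SCADA flow ties back to the power plant example at the start of the deck.

```python
"""Flow-based behavioural scoring over constructed NetFlow-style records.

Added example, not Cisco or Lancope StealthWatch code. Host groups, rules,
point values, the alarm threshold and the flow records are illustrative
assumptions chosen for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst
    ts: int         # flow start, seconds into the observation window


# Assumed "logical boundaries": named inside host groups, most specific first.
HOST_GROUPS = {
    "Contractor": ip_network("10.10.200.0/24"),  # maintenance contractors, inside Office
    "Office":     ip_network("10.10.0.0/16"),
    "Finance":    ip_network("10.20.0.0/24"),
    "SCADA":      ip_network("10.50.0.0/24"),
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Group pairs that must never talk directly (assumed segmentation policy).
FORBIDDEN_PAIRS = {("Contractor", "Finance"), ("Office", "SCADA"), ("SCADA", "Internet")}

# Points a Security Event adds to its alarm category; an alarm fires at the threshold.
POINTS = {"policy": 50, "beacon_flow": 20, "exfil": 100, "scan_target": 10}
ALARM_THRESHOLD = 100


def host_group(ip):
    """Map an address to its host group; non-private space outside any group is Internet."""
    addr = ip_address(ip)
    for name, net in HOST_GROUPS.items():
        if addr in net:
            return name
    return "Unknown" if any(addr in n for n in RFC1918) else "Internet"


def detect_policy_violations(flows):
    """Direct traffic across a forbidden boundary, e.g. contractor -> finance."""
    for f in flows:
        pair = (host_group(f.src), host_group(f.dst))
        if pair in FORBIDDEN_PAIRS:
            yield "Policy Violation", f.src, POINTS["policy"], f"{pair[0]} -> {pair[1]} {f.dst}:{f.dport}"


def detect_beacons(flows, min_flows=5, max_jitter_s=5):
    """Regular, low-volume connections to one external peer look like C&C check-ins."""
    by_peer = defaultdict(list)
    for f in flows:
        if host_group(f.dst) == "Internet":
            by_peer[(f.src, f.dst, f.dport)].append(f.ts)
    for (src, dst, dport), times in by_peer.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            yield ("Command & Control", src, POINTS["beacon_flow"] * len(times),
                   f"{len(times)} flows to {dst}:{dport} every ~{sum(gaps) // len(gaps)}s")


def detect_exfiltration(flows, max_bytes=100 * 2**20):
    """An inside host pushing more than max_bytes to external peers in the window."""
    out = defaultdict(int)
    for f in flows:
        if host_group(f.src) != "Internet" and host_group(f.dst) == "Internet":
            out[f.src] += f.bytes_out
    for src, total in out.items():
        if total > max_bytes:
            yield "Exfiltration", src, POINTS["exfil"], f"{total / 2**20:.0f} MiB sent externally"


def detect_propagation(flows, min_targets=10, max_bytes=1024):
    """One inside host touching many inside hosts on the same port with tiny payloads."""
    targets = defaultdict(set)
    for f in flows:
        if "Internet" not in (host_group(f.src), host_group(f.dst)) and f.bytes_out < max_bytes:
            targets[(f.src, f.dport)].add(f.dst)
    for (src, dport), dsts in targets.items():
        if len(dsts) >= min_targets:
            yield ("Internal Propagation", src, POINTS["scan_target"] * len(dsts),
                   f"{len(dsts)} inside hosts touched on port {dport}")


def score(flows):
    """Run every detector; return the Security Events and the (host, category) alarms."""
    events, totals = [], defaultdict(int)
    for rule in (detect_policy_violations, detect_beacons, detect_exfiltration, detect_propagation):
        for category, host, points, detail in rule(flows):
            events.append((category, host, points, detail))
            totals[(host, category)] += points
    alarms = {key: pts for key, pts in totals.items() if pts >= ALARM_THRESHOLD}
    return events, alarms


# Constructed flow records (not captured data) exercising each detector.
SAMPLE_FLOWS = (
    # Contractor workstation reaching a finance server on two ports.
    [Flow("10.10.200.5", "10.20.0.10", 445, 4_200, 100),
     Flow("10.10.200.5", "10.20.0.10", 1433, 9_800, 160)]
    # Office PC talking Modbus/TCP to a SCADA controller: one event, below the threshold.
    + [Flow("10.10.3.4", "10.50.0.20", 502, 300, 200)]
    # Beaconing every 60 s to one external host, then a 700 MiB upload to another.
    + [Flow("10.10.5.7", "203.0.113.9", 443, 900, t) for t in range(0, 360, 60)]
    + [Flow("10.10.5.7", "198.51.100.20", 443, 700 * 2**20, 400)]
    # Worm-like SMB sweep of an inside /24 with tiny payloads.
    + [Flow("10.10.8.3", f"10.10.9.{i}", 445, 120, 500 + i) for i in range(1, 13)]
    # Ordinary browsing that should raise nothing.
    + [Flow("10.10.5.8", "203.0.113.50", 443, 20_000, 50 + 17 * k) for k in range(3)]
)

if __name__ == "__main__":
    events, alarms = score(SAMPLE_FLOWS)
    for ev in events:
        print("event:", *ev)
    for (host, category), pts in alarms.items():
        print(f"ALARM {category}: {host} ({pts} points)")
```

Running it shows the point model at work: the single Office-to-SCADA Modbus flow produces a Security Event worth 50 points but no alarm, while the contractor's two flows into Finance cross the 100-point line. Any real deployment would tune the thresholds against a baseline of the site's own traffic rather than the constants used here.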
Who, What, When, Where and How?
[Diagram: NetFlow-exporting devices across the network]
• Access: Catalyst 3850/3650, Access Points
• Distribution/Core: Catalyst 4500 Sup7E/LE/8E, Catalyst 4500-X, Catalyst 6800/6500 Sup2T, Nexus 7K M-Series
• Edge (site-to-site VPN, remote access): ASA with FirePOWER, FirePOWER, ESA, WSA with CWS redirect (WCCP), StealthWatch FlowSensor
• Branch: ISR-G2/ISR4000/ASR1K, Catalyst 3850/3650
• Campus; Identity
Visibility: there is a need to understand what is connecting to the network, including software resident on trusted endpoints. NetFlow
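The visibility the slides attribute to the network comes from the flow records those devices export. As an added example (not Cisco or Lancope code), the decoder below unpacks a NetFlow v5 datagram into records and rejects a datagram whose record count disagrees with its length, which is the first check a collector should make on untrusted UDP input. The header and record layout is Cisco's published v5 format; the sample records, addresses and the cross-boundary check (which picks out the "direct connections" between an office range and a SCADA range) are constructed for the illustration.

```python
"""Decode a NetFlow v5 export datagram into flow records.

Added example, not Cisco or Lancope code. The header and record layout is
Cisco's published NetFlow v5 format; the datagram, addresses and the
boundary check are constructed for this illustration.
"""
import socket
import struct
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                    # per datagram, by spec


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int        # IP protocol number (6 = TCP, 17 = UDP)
    packets: int
    octets: int
    duration_ms: int  # last - first (sysuptime deltas)
    tcp_flags: int
    in_if: int        # SNMP ifIndex of the input interface
    out_if: int


def parse_v5(datagram):
    """Return (header dict, list of FlowRecord); reject malformed datagrams."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count disagrees with datagram length")
    header = {"count": count, "uptime_ms": uptime, "export_time": secs, "sequence": seq,
              "engine": (etype, eid),
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, in_if, out_if, pkts, octs, first, last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = fields
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                                  proto, pkts, octs, last - first, flags, in_if, out_if))
    return header, records


def build_v5(records, uptime_ms=600_000, sequence=0):
    """Encode records as a v5 datagram; used here to construct the sample input."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r.src), socket.inet_aton(r.dst), b"\0" * 4,
                       r.in_if, r.out_if, r.packets, r.octets,
                       uptime_ms - r.duration_ms, uptime_ms, r.sport, r.dport,
                       0, r.tcp_flags, r.proto, 0, 0, 0, 24, 24, 0)
        for r in records)
    header = V5_HEADER.pack(5, len(records), uptime_ms, int(time.time()), 0, sequence, 0, 0, 0)
    return header + body


def cross_boundary(records, src_net, dst_net):
    """Flows whose source sits in src_net and destination in dst_net (the 'direct connections')."""
    s, d = ip_network(src_net), ip_network(dst_net)
    return [r for r in records if ip_address(r.src) in s and ip_address(r.dst) in d]


# Constructed records: office PC -> SCADA controller (Modbus/TCP), a DNS lookup, an HTTPS session.
SAMPLE_RECORDS = [
    FlowRecord("10.10.3.4", "10.50.0.20", 51234, 502, 6, 40, 4_800, 1_500, 0x1B, 3, 7),
    FlowRecord("10.10.3.4", "10.10.0.53", 50111, 53, 17, 1, 72, 0, 0, 3, 2),
    FlowRecord("10.10.5.8", "203.0.113.50", 49500, 443, 6, 120, 96_000, 12_000, 0x1B, 3, 9),
]

if __name__ == "__main__":
    hdr, flows = parse_v5(build_v5(SAMPLE_RECORDS))
    print(hdr)
    for f in flows:
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} octets={f.octets}")
    print("office -> SCADA:", cross_boundary(flows, "10.10.0.0/16", "10.50.0.0/24"))
```

A collector listening on UDP would call parse_v5 on each received datagram; because NetFlow v5 has no authentication, the length and version checks are the only defence against a spoofed or truncated export, so a real collector should also restrict exporter source addresses at the firewall.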
Heynen works for innovators
If you would like more information, please contact Heynen.
Heynen is the Lancope partner for the Benelux and would be happy to give a demo.
http://www.heynen.com or