IACS CYBER INCIDENT PREPARATION by Austin Scott, GICSP, SSCP Project and Services Delivery Manager, Cimation Canada

2015 ISA Calgary Show: IACS Cyber Incident Preparation

Industrial Cyber Security Challenges

Cyber Incident Defined

Disruption in electronic communications between systems or systems and people that impacts:

1. Confidentiality,
2. Integrity, and/or
3. Availability.

Incident Response Framework

P.I.C.E.R.L. Lifecycle

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Remediation
6. Lessons Learned

• Mitigation of Risk
• Reduce Impact
• Save Time

Cyber Incident Industry Trends

[Charts: Incidents and Vulnerabilities per year, 2011 to 2014]

Incidents By Industry: Energy 32%

Attack Vectors: Unknown 40%

Life Cycle Approach to Incident Management

People

Cyber Drills
• Add Cyber Element to existing ERP / safety drills

Educate Community
• Policies
• Identification
• Escalation

Assign a Team
• Senior Management
• Industrial IT / Programmer / MCSE
• Operations
• Communications Manager
• Legal Representation

Process

Who to Contact, Escalation, Incident Logging

Identification

Classification

Intent

Technology

Network Diagram and Asset Inventory

Enable and Protect Network and Windows Event Logging

APPENDIX – 2014 Energy Cyber Incidents

Energetic Bear / Dragonfly Group / Havex / Karagany

WHAT: Systematic targeting of Western energy companies by Russian hackers. Injected a Trojan into industrial control systems with remote control capabilities.

HOW: Spear phishing / Watering hole / Remote Access Tools / Trojans in ICS Software

WHY: Industrial espionage. Industrial sabotage.

IMPACT: Over 1000 energy companies in 84 countries were reported compromised.

WHEN: Reported June 2014. Learn more in Cimation’s report.

Black Energy

WHAT: Russian cyber underground hacking toolkit that provides an advanced Trojan with command and control capabilities. Used to target the users of various Human Machine Interface (HMI) products.

HOW: Targeting GE and Siemens SCADA/HMI products directly connected to the Internet.

WHY: Industrial espionage. Industrial sabotage.

IMPACT: Compromised “numerous” industrial control systems.

WHEN: Reported December 2014

Norwegian Energy Industry Targeted

WHAT: 300 Energy companies in Norway were targeted by a sophisticated attack. Largest cyber attack in Norway's history.

HOW: Not publicly disclosed.

WHY: Industrial espionage.

IMPACT: 50 Energy companies were reported compromised.

WHEN: Reported August 2014

2014 ICS-CERT Incidents By Industry

• Energy: 32%
• Critical Manufacturing: 25%
• Other: 26%
• Healthcare: 6%
• Government: 5%
• Water: 5%
• Nuclear: 2%

2014 ICS-CERT Incident Attack Vectors

• Unknown: 38%
• Scanning: 22%
• Spear Phishing: 17%
• Misc: 23%