New Threat Vectors for ICS/SCADA Networks and How to Prepare for - - PowerPoint PPT Presentation



SLIDE 1

Phil Neray, VP of Industrial Cybersecurity

New Threat Vectors for ICS/SCADA Networks — and How to Prepare for Them

June 27, 2017

SLIDE 2

Why Now?

Featuring CyberX’s threat intelligence & vulnerability research

SLIDE 3

3 Key Trends Driving ICS Cybersecurity

RANGE OF CYBERATTACKERS WITH VARYING MOTIVATIONS

  • Geopolitical aggression
  • Financial (ransomware)
  • Theft of corporate IP
  • Hacktivism

INDUSTRIAL NETWORKS ARE EASY TARGETS

  • Perimeter security insufficient
  • Weak or no authentication
  • Malicious or careless insiders
  • No visibility into industrial malware or targeted threats

OPERATIONAL TECH (OT) & IT ARE CONVERGING

  • IIoT & sensors everywhere
  • Cyber-physical integration
  • Increased attack surface
  • Increased cyber risk

SLIDE 4

How a Michigan Utility Got Hacked

“These kinds of campaigns are running, even as we speak,” said Omer Schneider, co-founder of CyberX (Dec. 2016)

“Cybersecurity firm CyberX said it has uncovered a cyber-espionage operation in Ukraine that has compromised more than 70 victims including an energy ministry, a scientific research institute and a firm that designs remote monitoring systems for oil & gas pipelines.”

  • May 2015: CyberX analysis of BlackEnergy reveals data exfiltration behind sophisticated multi-year attack campaign
  • Dec. 2016: CyberX: Threat actors bring ransomware to industrial sector with new version of KillDisk

Flaw in Schneider Industrial Firewalls Allows Remote Code Execution

To demonstrate that attackers could easily bypass defenses if proper ICS protection technologies are not in place, researchers at industrial security firm CyberX have disclosed the existence of several critical 0-day vulnerabilities.

SLIDE 5

“If I had a world of my own … Nothing would be what it is, because everything would be what it isn't. And contrary wise, what is, it wouldn't be. And what it wouldn't be, it would. You see?”

SLIDE 6

Operation BugDrop

  • Cyber-espionage operation targeting 70+ organizations in the Ukraine
  • Captures audio, screen shots, files, passwords, keylogger
  • Uses Dropbox for data exfiltration
  • Reflective DLL Injection
    – Like Stuxnet & BlackEnergy
  • Encrypted DLLs
  • Uses free web hosting services for C&C servers

SLIDE 7

RADIATION IIoT Botnet

  • Discovered by CyberX in June 2016
    – Preceded Mirai
  • DDoS-for-hire service
  • Botnet army = 25,000 devices
  • Exploits 0-day in CCTVs (not default credentials)
  • Advertised on AlphaBay
  • Took down websites of 4 major Russian banks

SLIDE 8

  • Dec. 2014: “ICS-CERT has identified a sophisticated malware campaign that has compromised numerous ICS environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011.”
  • “A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy.”
  • “In 2015, the hackers were like a group of brutal street fighters. In 2016, they were ninjas” (Marina Krotofil)
  • “They’re testing out red lines, what they can get away with. You push and see if you’re pushed back. If not, you try the next step.” (Thomas Rid, War Studies professor at King’s College)

Andy Greenberg

“How An Entire Nation Became Russia's Test Lab for Cyberwar”

SLIDE 9

“Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.”

SLIDE 10

Honda discovered the virus had infected networks across Japan, Europe, North America and China … Nissan and Renault were also affected by WannaCry, forcing them to stop production at plants in Japan, Britain, India, France and Romania

Image: Tomohiro Ohsumi/Getty Images

SLIDE 11

“U.S. companies lose about $250 billion per year through IP theft … the loss of industrial information through cyber espionage constitutes the greatest transfer of wealth in history.”

General Keith Alexander, former commander of US Cyber Command

Image: Politico

SLIDE 12

George Kurtz, CrowdStrike CEO “The Great Brain Robbery”

“Unit 61398 is part of the People's Liberation Army. And it's charged with spying on North American corporations … Every industry, engineering documents, manufacturing processes, chip designs, telecommunications, pharmaceutical, you name it it's been stolen.”

Images: FPM, NYT

SLIDE 13

Verizon DBIR 2016, P. 25

Manufacturing = #1 Target for Cyber-Espionage

SLIDE 14

DBIR: Trade Secrets = #1 Target in Manufacturing (91%)

Verizon DBIR 2017, P. 27

SLIDE 15

“31% of manufacturers have never conducted a vulnerability assessment … and 50% only do them occasionally.”

ICS Environments are Easy Targets

Photo: Manufacturing America

SLIDE 16

If your OT network were breached, how would you know?

Image: Kaspersky

SLIDE 17

Why IT Security Tools Aren’t Designed for OT Security

IT Security vs. OT Security

  • IT: Standard IP-based protocols (e.g., TCP/IP, HTTP)
    OT: Standard & proprietary industrial protocols (e.g., GE SRTP, Siemens S7)
  • IT: Non-deterministic behavioral analytics (humans)
    OT: Deterministic behavioral analytics (machine-to-machine)
  • IT: Active vulnerability scanning OK
    OT: Active scanning creates downtime
  • IT: Regular patching & OS upgrades are encouraged
    OT: Patching creates downtime & OS upgrades force SCADA application re-writes

SLIDE 18

CyberX Overview

  • Founded in 2013 by IDF cyber experts responsible for securing critical national infrastructure
  • Global HQ in Boston
  • Industrial cybersecurity platform built from ground-up for OT
    – Continuous threat monitoring
    – Non-invasive risk assessment & asset discovery
    – ICS-specific threat intelligence
    – Rapid integration with existing environments (SIEMs, etc.)
    – Open system with rich API for customized integrations
  • In-house ICS threat intelligence research team (former IR team for IDF)
  • Deployments worldwide in diverse industrial domains
    – Electrical utilities, oil & gas, manufacturing, pharmaceuticals, chemicals, nuclear, …

SLIDE 19

CyberX M2M Behavioral Analytics

  • Industrial Finite State Machine (IFSM)
    – Deep understanding of industrial protocols
    – Unique machine learning algorithms
    – Based on deterministic behavior of OT networks
    – Patent-pending approach
  • How it works
    – Models unique DNA of M2M communications
    – Rapidly detects anomalous behavior with minimal false positives
    – Detects both cyber and operational anomalies
    – Zero configuration required (no rules or signatures)

Image: Film4, DNA Films

SLIDE 20

Simple, Non-Invasive Deployment

Diagram: SPAN port → Network traffic data → Advanced M2M behavioral analytics with data mining; CMDB asset data, firewall rules, etc. (optional) feed the analytics as a second input

SLIDE 21

What the Experts are Saying About CyberX

Only Industrial Cyber Vendor Chosen for Innovation Award Sponsored by US DHS & DoD

Only Industrial Cyber Vendor Recognized by International Society of Automation

“CyberX's specialization in providing in-depth visibility and threat intelligence across different specialized industrial protocols has resulted in powerful capabilities.”

SLIDE 22

How CyberX Supports the NIST Cybersecurity Framework

  • Identify
    – Identify asset inventory & network topology
    – Identify risks (such as unpatched devices, unauthorized remote connections, bridges between subnets, etc.) with recommended, risk-prioritized mitigations
  • Protect
    – Identifies vulnerable or weak firewall rules
    – Integrates with firewalls/IPS to automatically block new threats
    – Partnership with Waterfall Security for unidirectional security gateways
  • Detect
    – Continuous, real-time monitoring for threats & industrial malware
    – Advanced M2M behavioral analytics for rapid anomaly detection
    – Proprietary ICS-specific threat intelligence to enrich analytics
  • Respond
    – Deep ICS network forensics & investigation tools identify breach impact
    – Integration with SIEMs via REST APIs supports automated SOC workflows
  • Recover
    – Automated reporting supports communication with stakeholders, including verifying that risks have been mitigated & malware has been removed

SLIDE 23

How CyberX Would Have Protected Against Industroyer

Examples of anomalies detected

  • Malware scanning OT network to identify targets
  • Reading and writing to all targets using multiple protocols
  • C2 communication via local proxy listening on TCP 3128

Image: Reuters
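The three anomalies listed on this slide can each be expressed as a check over network flow records. The script below is an added example, not CyberX's product logic: it runs the three checks over a constructed set of flows, and the industrial port list, the constructed addresses and the thresholds are all assumptions.

```python
from collections import defaultdict

# Industrial protocol ports the detector treats as OT traffic. Assumed set
# for this example; a real deployment learns this from the monitored network.
OT_PORTS = {102: "S7", 502: "Modbus", 2404: "IEC-104", 20000: "DNP3"}
PROXY_PORT = 3128  # local proxy port named on the slide

# Constructed flow records: (src, dst, dst_port, op); op is "connect" for a
# bare TCP handshake, "read" or "write" for a parsed ICS request.
FLOWS = [
    ("10.0.5.7", "10.0.5.21", 102, "connect"),
    ("10.0.5.7", "10.0.5.22", 102, "connect"),
    ("10.0.5.7", "10.0.5.23", 502, "connect"),
    ("10.0.5.7", "10.0.5.24", 2404, "connect"),
    ("10.0.5.7", "10.0.5.25", 20000, "connect"),
    ("10.0.5.7", "10.0.5.21", 102, "write"),
    ("10.0.5.7", "10.0.5.23", 502, "write"),
    ("10.0.5.7", "10.0.5.24", 2404, "write"),
    ("10.0.5.7", "10.0.5.9", 3128, "connect"),   # C2 relayed via local proxy
    ("10.0.5.8", "10.0.5.21", 102, "read"),      # normal HMI polling
]

def scanners(flows, min_targets=4):
    """Hosts that touched at least min_targets distinct OT hosts: the
    target-discovery sweep named on the slide."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if port in OT_PORTS:
            targets[src].add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

def multi_protocol_writers(flows, min_protocols=2):
    """Hosts that issued writes over at least min_protocols different
    industrial protocols; an HMI normally writes over one."""
    protos = defaultdict(set)
    for src, _, port, op in flows:
        if op == "write" and port in OT_PORTS:
            protos[src].add(OT_PORTS[port])
    return {s: sorted(p) for s, p in protos.items() if len(p) >= min_protocols}

def proxy_connections(flows, port=PROXY_PORT):
    """Connections to the proxy port inside the OT segment, the C2 path
    listed on the slide."""
    return sorted({(src, dst) for src, dst, p, _ in flows if p == port})

def detect(flows):
    """Run all three checks and return one alert dict keyed by anomaly."""
    return {"scan": scanners(flows),
            "multi_protocol_write": multi_protocol_writers(flows),
            "proxy_c2": proxy_connections(flows)}
```

Calling `detect(FLOWS)` flags 10.0.5.7 on all three checks while the polling HMI at 10.0.5.8 stays quiet; in practice the thresholds would be tuned per site to keep legitimate engineering stations from tripping them.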

SLIDE 24

For More Information

  • Check out our ICS Security Knowledge Base
    – Free download of first 2 chapters from ICS Hacking Exposed (McGraw-Hill)
  • Visit us at EnergySec (Aug. 14-16) & European Utility Week (Oct. 3-5)
  • See us at Black Hat (July 26-27)
    – Innovation City, Booth # IC58 (near Arsenal tools)
    – Book giveaway and book signing with lead author Clint Bodungen on Wednesday, July 26 @ 3pm

SLIDE 25

Thank You! phil@cyberx-labs.com