I N I N D U S T R I A I A L C O N T R O L S Y S T E M E M S C Y B E R E R S E C E C U R I T Y SAF SAFEGUAR ARDING ING CIV IVIL ILIZ IZATIO ION FORGING A CYBERSECURITY DEFENSE FO FO FOR UTILITIES JASON D. CHRISTOPHER
INDUSTRIAL TECHNOLOGIES Focused on processes that impact the real world, using industrial control systems (ICS) and operational technology (OT) 24 x 7 operations 10-30 year lifecycle 16 critical infrastructure sectors 3
What ar are industrial control systems? When a 0 or 1 impacts the Human- Safety Machine Systems Interface physical world. Motors Generators Controllers Devices and Sensors I/O Devices systems Field include: IEDs Devices 4
Evolution of Operational Technology (OT) STAND-ALONE LOOSELY CONNECTED HIGHLY CONNECTED s t a n d a r d i z a t i o n 4 th Industrial Revolution DCS | Distributed Control System 3 rd Industrial Revolution Smart Connected Systems SCADA | Supervisory Control & Data Automation of Production by Electronics “Industry 4.0” // “Industrial IoT” Acquisition 5
Traditional IT Security Issues in OT EN ENCRYPTION PATCHING PA AN ANTI- Endpoint En VIRUS VI Ag Agents VU VULNERABILITY Y SCANNING SC 6
Real-world cyber-based industrial-impacts AG AGAIN 2015 & Think physical 2016: Power Outages 2014: processes… 2001: Furnace Sewage Loss of Spill Control 2012: Telvent Espionage 2009: 2017: Centrifuge (un)Safety Failure System 7
INDUSTRIAL ATTACKS: STAGE 1 IT and OT Stage 1 and Stage 2 work together to impact industrial Corporate IT processes, stretching across Plant OT both IT and OT networks STAGE 2
Industrial Process Impacts For ICS-specific capabilities, the impact would be focused on operational impacts. 9
ICS Attack Difficulty The knowledge involved in ICS attacks, with physical impact, includes: • IT security • OT security • OT-specific protocols • Engineering processes • Incident response • Disaster recovery 10
WannaCry 150+ countries 230+ companies 11 Animated map from New York Times, accessed 2020-03-30: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
NotPetya… Not Ransomware “Wiper disguised as ransomware,” with increased collateral damage beyond any initial targets. +$10B in estimated damages 2M computers impacted in 2HRs +65 countries involved in response 12
Th The I ICS Se S Securit ity C Crucible ible 13
cr cru·ci· ci·ble le / ˈ kro ͞ os os ə b( ə )l )l/ Very high temperatures noun: These programs need tons of energy to achieve success. a ceramic or metal container in which metals or other substances may be melted or subjected to very high Situation of severe trial temperatures. Managing competing interests and resources across operations a situation of severe trial, or in which Creating something new different elements interact, leading to the creation of something new. A sustainable, business-oriented & goal-busting ICS security program 14
Forging an ICS Security Program Metals Weapons & Armor 15
starting with BRONZE strengthen using IRON Initial defenses may be resource-constrained further refine with No documentation, no lessons learned Moving beyond ”oral STEEL history” to written law Loss of “lotto winners” could cripple the program Partnered with multiple People are trained, ready, and stakeholders exercised Resources are less scarce Executives are active participants in ICS security Capabilities are “double- checked” and reviewed
TH THE CYBER R ARS RSENA NAL Assess criticality Link ICS security to critical The The metals s desc scribe reso sour urces s and nd processes, systems, and devices re resilience acro ross your r pro rogram, wh whereas the weapons are how w utilit ilitie ies Segments & Zones can defend th ca themselves from atta ttack ckers. Invest in strong perimeters around the crown jewels Hunt evil… Log and monitor across both IT & OT environments "Your enemy cares not that the maintainer of an Internet- Incident Response connected server left 10 Build and train incident years ago." response and recovery teams @Su SunTzuCyber 17
What metal is right for your program? Roadmap where you are Build organically Assess where you are headed § Do you have a champion? § Be honest. Brutally so. § Map back to criticality § Can you scale a team? § Think about processes, and impacts. § Can you e ff ectively use § Talk in terms of people, and technology § Include discussions about your tools? business risk. § Roadmaps help address things like “the lotto winner” or executive current gaps and build engagement. budgets.
What metal is right for your program?
What metal is right for your program?
What metal is right for your program?
What standard is right for your program? RESPOND COVER OTECT IFY NTIF DETECT CT IDENT RECO PROT PR DE RE RE ID
HOW...? WE U WE USED ED A A MA MATU TURITY ITY MO MODEL EL 23
The ICS Security Crucible is applying standards & maturity models across business units, with executive support. …so how do we get there? 24
And start with literally any standard National Institue of Standards and Technology U.S. Department of Commerce 26
AWESOME. SO WE C SO WE CAN AN USE USE TH THE R E RIGHT T T TOOL OOLS 27
cru·ci· cr ci·ble le / ˈ kro ͞ os os ə b( ə )l )l/ Find (or be) a champion Management, IT, OT, legal, HR– you are not alone. noun: A plan to create and sustain an ICS Roadmap the destination security program, with governance and executive support, based on Make an honest evaluation of where industry-accepted standards. you are & where you are headed Adopt ICS standards ICS security needs to be “how we do business,” not “that weird thing over in the corner.” 28
PREVENTION IS IDEAL. DETECTION IS A MUST.* *detection without response, however, is of little value
ICS VULNER IC ERABIL ILIT ITIES IES REP EPORT Provides an analysis of ICS-specific vulnerabilities and discusses impacts, risks, Dragos’ Year in Review provides and mitigation options for defenders insights and lessons learned from our team’s first-hand experience IC ICS THREA EAT LANDSCAPE E REP EPORT hunting, combatting, and responding to ICS adversaries Provides insights on the state of ICS cybersecurity, the latest trends and observations throughout the year. of ICS-specific adversaries, and proactive defensive recommendations. LE LESSONS LE LEARNED FROM TH THE F E FRONT L T LINES ES R REP EPORT Provides a synopsis of trends observed within the industry and lessons learned from Dragos’ proactive and responsive service engagements 30
THANK YOU @jdchristopher linkedin.com/in/jdchristopher
Recommend
More recommend
