OT/ICS cyberattacks in industrial organizations
1. Sylvain Denoncourt GSEC, CISSP
IoT Architecture Advisor,
Cisco
OT-ICS Cyberattacks in
Industrial Organizations
Cisco Connect Montréal
Nov. 2017
2. IT vs OT
IT - Information Technology
Pertains mainly to the corporate offices
Connects mainly people and servers
More homogeneous in nature
OT - Operational Technology
Pertains to industrial environments: the manufacturing floor, utility substation, oil rig, mining environment, etc.
Connects mainly endpoints, sensors and meters…
Multiplicity, differences in data format, as well as huge amounts of raw data
3. IT and OT organisations are converging
• Convergence driven by technology evolution and the pressure to reduce costs
• Different culture and skillset between the two organisations
• OT: driven by resilience objectives
• IT: driven by the need to meet end user expectations at the lowest possible cost
• Resistance to change
• Very different reporting structures
4. What would you do differently if you KNEW you were going to be compromised?
It’s no longer a question of “if” you’ll be breached, it’s a question of “when”…
5. Computer networks controlling the buildings and infrastructure architects design are regularly being hacked
This tends to go under-reported, because it often involves private companies concerned for their public images, and untreated, because these systems are coordinated by various parties that have never been responsible for cyber security.
Source: Architizer, https://architizer.com/blog/hacking-architecture/
6. Adversary Capabilities are Rapidly Advancing
• Threat actors are highly capable and very adaptable
• Adversaries are extremely patient and willing to invest time and
large sums of money to exploit their targets
• The expertise needed to exploit utility OT is no longer a “barrier to entry”
• The specialized knowledge of control systems and utility operations that is required is moderate, i.e. vast information is freely and readily available
• Exploits are sophisticated and becoming highly automated
• Traditional defensive measures are becoming inadequate
10. Stuxnet in Action: Losing Trust at the PLC Layer
Network layers shown in the diagram, from the plant floor outward:
• PLC Network (physical devices)
• ICS Network (programming, maintenance)
• HMI Network (situational awareness, control, protection)
• DMZ
• Corporate Network
• DMZ
• Internet, media, computers, vendors / partners
11. 2014 hack attack causes 'massive damage' at
German smelter
http://www.bbc.com/news/technology-30575104
…the attackers infiltrated the corporate network using a spear-phishing attack that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer. – WIRED 2015
12. 2015 Ukraine
power grid hack
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
13. Aftermath of the Attack
• At 3:35 pm on Dec 23rd 2015, the Ukrainian Kyivoblenergo
(local Energy company) experienced outages as a result of its
SCADA systems being hacked
• Breakers were opened by hackers in 7 x 110 kV & 23 x 35kV
substations
• 225K people impacted, 6 hrs of lost power over 3 regions
14. Steps, process and hacking tools used
Intruders stayed dormant in the system for 6 months before the attack took place!
Numerous resources, money and probably around 20 people involved
Ukraine power grid attack - The killchain
http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
15. Ukraine power grid attack - The killchain: a highly orchestrated approach
Phase 1 - The Preparation (IT Domain - The Intrusion)
• Spear phishing to gain access to the IT corporate network
• Delivery + exploit + install of BlackEnergy malware on the victim's workstation; C2 (command and control)
• Credential theft
• Attackers issued VPN connections from the corporate network into the ICS network
• Malicious firmware developed for the serial-to-Ethernet devices
Phase 2 - The ICS Attack (Attack on OT Domain)
• Hijacking of the substation SCADA HMIs
• Execute power outage attacks: SCADA with malicious operation to open breakers
• Outages
• Firmware upload; UPS compromised in the DC; DDoS of the call centers; KillDisk to erase evidence and delete targeted logs
16. Video shot of the actual attack
Phantom mouse: forced control of the HMI console
17. Nonetheless, Ukraine was attacked a second time in 2016…
https://www.reuters.com/article/us-ukraine-crisis-cyber-attacks/ukraine-investigates-suspected-cyber-attack-on-kiev-power-grid-idUSKBN1491ZF
‘Ukraine investigates suspected cyber attack on Kiev power grid’
20. The human element is usually the path of least resistance
Human element + coupled system = Risk
21. IoT Cyber Security Principles for IT
Access Control
• User and Device Identity
• Authentication, Authorization & Accounting
Data Confidentiality and Data Privacy
• Network Segmentation
• Secure Connectivity
Threat Detection and Mitigation
• Security Zones
• Intrusion Prevention; Application Visibility
Device and Platform Integrity
• Device Hardening and Secure Platform
• Configuration Assurance
Priority order for IT: C-I-A (Confidentiality, Integrity, Availability)
Policy Management with IT Convergence & Ease of Use
22. IoT Cyber Security Principles for OT
The same four principle areas as for IT (Access Control; Data Confidentiality and Data Privacy; Threat Detection and Mitigation; Device and Platform Integrity), but with the priority order reversed for OT: A-I-C (Availability, Integrity, Confidentiality)
Policy Management with OT/IT Convergence & Ease of Use
23. Dynamic Threat Landscape
The average time between an attacker breaching a network and its owner noticing the
intrusion is 205 days.
Nov 7, 2015 – The Economist Limited Newspaper
http://ww2.cfo.com/cyber-security-technology/2015/11/cybersecurity-cost-immaturity/
24. It comes down to one simple question
How do you deal with that?
25. It takes an Architecture
Yes, but would you fly something like this?
26. An Architecture…
…end to end, simple to integrate security solutions capable of detecting, blocking and responding to threats, with all components working together.
Integrated Threat Defense Architecture
27. Network Architecture Concerns…
• A bad network design is as big a threat to security success as the lack of security.
• Better to know what you are missing than to think you are safe.
Networks shown in the diagram: Enterprise Ethernet, Proprietary Ethernet (to next machine), I/O Fieldbus, Motion Net, Safety Net
Topologies shown: star, trunk/drop, fiber ring, daisy chain
This does not mean that there was no architecture - it is likely that the architecture eroded over time.
28. Ukraine power grid attack - The killchain
What could have been done?
(The slide repeats the two-phase killchain diagram. Phase 1 The Preparation / IT Domain - The Intrusion: spear phishing to gain access to the IT corporate network; delivery + exploit + install of BlackEnergy malware on the victim's workstation; credential theft; attackers issued VPN connections from the corporate network into the ICS network, C2 (command and control); malicious firmware developed for the serial-to-Ethernet devices. Phase 2 The ICS Attack / Attack on OT Domain: hijacking of the substation SCADA HMIs; execute power outage attacks, SCADA with malicious operation to open breakers; outages; firmware upload; UPS compromised in the DC; DDoS of the call centers; KillDisk to erase the MBR and delete targeted logs.)
29. Ukraine power grid attack - The killchain: What could have been done (cont.)?
(Same two-phase killchain diagram as the previous slide, with the controls below mapped onto its stages.)
Police register values!
Controls mapped to the killchain stages:
• Big data machine learning, correlation
• Firepower
• AMP & Threatgrid
• Cisco ISE
• Stealthwatch
• ISA-3K industrial
• Email Security, Umbrella
• Splunk
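The controls above all feed one idea: events from different killchain stages (phishing, malware install and C2, credential use into the ICS zone, HMI operations) have to be correlated per account or host, not looked at one source at a time. The following Python script is an added example, not code from the presentation or from Cisco; the log format, the field names and the stage-matching rules are assumptions for illustration, and the log lines are constructed. It classifies each event into a killchain phase and raises an alert when one user accumulates events from several phases within a time window.

```python
"""Kill-chain stage correlation over constructed log events.

Added example (not from the presentation). The log format, field names and
stage rules are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <source> key=value ..."
SAMPLE_LOG = """\
2015-12-10T09:02:11 mail user=jdoe action=attachment_opened type=macro_doc
2015-12-10T09:02:40 edr user=jdoe host=WS-17 action=new_process image=rundll32.exe parent=WINWORD.EXE
2015-12-10T09:05:02 proxy host=WS-17 action=beacon dst=203.0.113.7 interval_s=60
2015-12-18T22:14:09 vpn user=jdoe src_zone=corporate dst_zone=ics action=session_open
2015-12-23T15:31:50 hmi user=jdoe host=HMI-SUB3 action=breaker_open
2015-12-23T15:32:10 edr user=ops1 host=WS-22 action=new_process image=notepad.exe parent=explorer.exe
"""

# Stage rules: (stage number, stage name, predicate over a parsed event).
# Stages follow the killchain on the slides; the conditions are assumptions
# about what each log source would record.
STAGE_RULES = [
    (1, "spear phishing",
     lambda e: e["source"] == "mail" and e.get("action") == "attachment_opened"),
    (2, "malware install / C2",
     lambda e: (e["source"] == "edr" and e.get("parent") == "WINWORD.EXE")
     or (e["source"] == "proxy" and e.get("action") == "beacon")),
    (3, "credential use into ICS",
     lambda e: e["source"] == "vpn" and e.get("src_zone") == "corporate"
     and e.get("dst_zone") == "ics"),
    (4, "HMI hijack / breaker operation",
     lambda e: e["source"] == "hmi" and e.get("action") == "breaker_open"),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict with ts, source and key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, source, rest = m.groups()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    for kv in rest.split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def classify(event):
    """Return the (stage number, stage name) pairs a single event matches."""
    return [(n, name) for n, name, pred in STAGE_RULES if pred(event)]


def correlate(log_text, window=timedelta(days=30), min_stages=3):
    """Group stage hits by user and alert when at least `min_stages` distinct
    stages fall within `window` of each other. Returns {user: sorted stages}."""
    host_owner = {}              # host -> last user seen on it (links host-only events)
    hits = defaultdict(list)     # user -> [(timestamp, stage)]
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if "user" in event and "host" in event:
            host_owner[event["host"]] = event["user"]
        user = event.get("user") or host_owner.get(event.get("host"))
        if user is None:
            continue
        for stage, _ in classify(event):
            hits[user].append((event["ts"], stage))

    alerts = {}
    for user, items in hits.items():
        items.sort()
        for i, (ts0, _) in enumerate(items):
            stages = {s for ts, s in items[i:] if ts - ts0 <= window}
            if len(stages) >= min_stages:
                alerts[user] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for user, stages in correlate(SAMPLE_LOG).items():
        names = [name for n, name, _ in STAGE_RULES if n in stages]
        print(f"ALERT {user}: killchain stages {stages} -> {names}")
```

With the constructed log, `jdoe` trips stages 1 through 4 inside the 30-day window and is reported; `ops1`, whose only event is an ordinary process launch, is not. The long dwell time described on the earlier slides is why the window is measured in days rather than minutes.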
30. It takes an Architecture
… with a central security intelligence cloud capable of analyzing billions of requests and sharing that information with all end security network devices.
32. Remote Access Control to the OT / ICS sensitive zone
Separation between corporate and production networks is a must!
Path shown in the diagram: External contractor → Corporate zone (Enterpr. SW) → Industrial FW → Multi-Service zone (Industr. SW, Jump Box) → MPLS substation edge router → ESP Zone (Industr. SW). The direct path from the corporate zone into the ESP is blocked (✖).
1. Device is scanned and user authentication verified - 2-factor auth.
2. User profile applied + NGFW limits application and path. Disable split tunnel.
3. VDI host (Jump Box) operates as a virtual air gap providing isolation to the ESP.
4. Switch port security and identity profiling control such as TOD (time of day) and duration + monitor device.
5. Centralized logging of events promotes accurate audits.
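The five numbered controls on the slide can be read as an ordered policy decision for every contractor session into the ESP. The Python below is an added example, not Cisco's or the presenter's code: it models those controls as checks over a session request and records each decision for audit (step 5). The request fields, the role name, the allowed applications, the time-of-day window and the maximum duration are assumptions; the two sample requests are constructed.

```python
"""Policy checks for a contractor session into the OT/ICS zone.

Added example modelled on the five controls of the remote-access slide
(not Cisco's code; request fields, role names and windows are assumptions).
"""
from dataclasses import dataclass, replace
from datetime import datetime, time, timedelta


@dataclass
class AccessRequest:
    user: str
    role: str                    # assumed role name, e.g. "vendor_plc_maintenance"
    mfa_verified: bool           # step 1: second factor completed
    device_posture_ok: bool      # step 1: endpoint scan passed
    split_tunnel: bool           # step 2: must be disabled
    app: str                     # step 2: requested application
    via_vdi_jump_box: bool       # step 3: traffic enters the ESP only from the VDI host
    switch_port_identity: str    # step 4: identity bound to the jump-box switch port
    start: datetime              # step 4: requested start (time of day)
    duration: timedelta          # step 4: requested session length


# Assumed per-role policy: applications allowed through the NGFW, permitted
# time-of-day window and maximum session length.
ROLE_POLICY = {
    "vendor_plc_maintenance": {
        "apps": {"plc_engineering_tool", "rdp_to_jump_box"},
        "window": (time(8, 0), time(18, 0)),
        "max_duration": timedelta(hours=4),
    },
}

AUDIT_LOG = []  # step 5: every decision is recorded centrally


def evaluate(req, now=None):
    """Apply the five controls in order; return (allowed, list of denial reasons)."""
    reasons = []
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        reasons.append("unknown role")
    # 1. Device scanned and user authenticated with a second factor.
    if not req.device_posture_ok:
        reasons.append("device posture check failed")
    if not req.mfa_verified:
        reasons.append("second factor not verified")
    # 2. User profile + NGFW restrict application and path; no split tunnel.
    if req.split_tunnel:
        reasons.append("split tunnelling must be disabled")
    if policy and req.app not in policy["apps"]:
        reasons.append(f"application {req.app!r} not permitted for role")
    # 3. ESP reachable only through the VDI host acting as a virtual air gap.
    if not req.via_vdi_jump_box:
        reasons.append("session does not traverse the VDI jump box")
    # 4. Port security / identity profiling: identity, time of day and duration.
    if req.switch_port_identity != req.user:
        reasons.append("switch port identity does not match user")
    if policy:
        lo, hi = policy["window"]
        if not (lo <= req.start.time() <= hi):
            reasons.append("outside permitted time-of-day window")
        if req.duration > policy["max_duration"]:
            reasons.append("requested duration exceeds maximum")
    allowed = not reasons
    # 5. Centralized logging of the decision for later audit.
    AUDIT_LOG.append({"ts": (now or datetime.now()).isoformat(), "user": req.user,
                      "allowed": allowed, "reasons": list(reasons)})
    return allowed, reasons


# Constructed sample requests: one compliant, one failing three controls.
EXAMPLE_OK = AccessRequest(
    user="vendor01", role="vendor_plc_maintenance", mfa_verified=True,
    device_posture_ok=True, split_tunnel=False, app="plc_engineering_tool",
    via_vdi_jump_box=True, switch_port_identity="vendor01",
    start=datetime(2017, 11, 14, 10, 0), duration=timedelta(hours=2))
EXAMPLE_DENIED = replace(EXAMPLE_OK, mfa_verified=False, split_tunnel=True,
                         start=datetime(2017, 11, 14, 22, 0))

if __name__ == "__main__":
    for req in (EXAMPLE_OK, EXAMPLE_DENIED):
        print(req.user, evaluate(req))
    print(AUDIT_LOG)
```

Every check runs even after the first failure, so the audit record lists all the controls a request violated rather than only the first one; that is what makes the centralized log useful for the accurate audits the slide calls for.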
34. Observations
In Ukraine, there were multiple attacks, multiple phases, multiple sites
Once in, attackers blend into the environment quickly; the hackers remained in the environment long enough to understand the SCADA systems
Ukraine recovered fast because many of its power systems are not automated and networked. If an organization cannot fall back that easily to manual procedures, power recovery might not be that easy, or even possible
35. Takeaways
What to do and to enforce
Data and Applications
Attacks must be uncovered in their early stages
Understand the needs and differences of IT vs OT security
Enforce password resets after a pre-determined period
Prioritize vulnerability patching on critical assets
Blacklist IP hosts and URL resolutions through reputation inspection
Look for abnormal spikes in traffic patterns
Check endpoint file integrity through hashing (SHA/MD5) with anti-malware protection
38. Takeaways
What to do and to enforce
Host and network
Segmentation of the SCADA network (IEC 61850 secured zoning)
Logging must be enabled on all SCADA devices
Backup of all critical firmware
Restrict and control remote connections to the SCADA systems through secured jump points
IPS with ICS-adapted rules for detection within the industrial environment
Policies and procedures
Train OT staff and operators
Segregation of duties: make sure no single HMI console has full control end to end
Invite business process owners to discuss what is important to protect
Make sure IT/OT staff are up to date and knowledgeable on ICS security
DR scenarios in place to switch to manual mode
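Two of the takeaways (endpoint file integrity through hashing, and watching for abnormal spikes in traffic) are concrete enough to show in code. The Python below is an added example and not part of the presentation: it baselines a directory of firmware and configuration files with SHA-256, reports what was added, removed or changed after a constructed tampering, and flags per-minute traffic counts that sit far above the median. The directory contents and the traffic samples are constructed so the script runs offline; SHA-256 is used rather than MD5 because MD5 is no longer collision resistant.

```python
"""Endpoint file-integrity baseline and traffic-spike check.

Added example for the takeaways on file hashing and abnormal traffic
(not from the presentation). Directory contents and traffic counts are
constructed so the script runs offline.
"""
import hashlib
import statistics
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large firmware images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_baseline(root, baseline):
    """Compare the current tree to the baseline; return added, removed and changed paths."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
    }


def traffic_spikes(samples, k=3.0):
    """Flag sample indices more than k robust standard deviations above the median.
    The scale is the median absolute deviation times 1.4826, which is resistant
    to the spike itself pulling the threshold up."""
    median = statistics.median(samples)
    mad = statistics.median([abs(x - median) for x in samples]) * 1.4826 or 1.0
    return [i for i, x in enumerate(samples) if (x - median) / mad > k]


def demo():
    """Constructed scenario: a firmware directory is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc_fw_v2.bin").write_bytes(b"\x7fELF" + b"\x00" * 100)
        (root / "hmi.cfg").write_text("breaker_control=supervised\n")
        baseline = build_baseline(root)
        # Simulated tampering: firmware replaced, config deleted, new binary dropped.
        (root / "plc_fw_v2.bin").write_bytes(b"\x7fELF" + b"\xff" * 100)
        (root / "hmi.cfg").unlink()
        (root / "killdisk.exe").write_bytes(b"MZ")
        return verify_baseline(root, baseline)


# Constructed per-minute byte counts from an HMI network segment; minute 6 is the spike.
SAMPLE_TRAFFIC = [1200, 1180, 1250, 1210, 1190, 1230, 9800, 1220, 1205, 1215]

if __name__ == "__main__":
    print("integrity report:", demo())
    print("spike minutes:", traffic_spikes(SAMPLE_TRAFFIC))
```

In practice the baseline dictionary would be written out after a known-good firmware backup (another takeaway on the slide) and stored off the host, so that a wiper such as KillDisk cannot alter both the files and the record of what they should hash to.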
39. Organizations need to have a strong “culture of security”
• Security programs should not be built based on security compliance requirements alone; they must also factor in:
• Evolving threat landscape
• Changing operational and business requirements
• Technological evolution
“We have a culture of compliance when we should really have a culture of security.”
Timothy E. Roxey, VP and Chief E-ISAC Operations Officer at NERC
40. Links of interest
SANS Overview of the Ukraine Grid attack: E-ISAC | Analysis of the Cyber Attack on the Ukrainian Power Grid | March 18, 2016
http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
SANS - German Steel Mill Cyber Attack
https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
SANS - Anatomy of an ICS attack
https://securingthehuman.sans.org/cyberattackdemo
Cisco IoT Threat Defense
http://www.cisco.com/c/en/us/solutions/security/iot-threat-defense/index.html?dtid=osscdc000283&stickynav=1