Sylvain Denoncourt GSEC, CISSP
IoT Architecture Advisor, Cisco
OT-ICS cyberattacks in industrial organizations
Cisco Connect Montréal
Nov. 2017
IT vs OT
IT - Information Technology
• Pertains mainly to the corporate offices
• Connects mainly people and servers
• More homogeneous in nature
OT - Operation Technology
• Pertains to industrial environments: the manufacturing floor, utility substation, oil rig, mining environment, etc.
• Connects mainly endpoints, sensors and meters…
• Multiplicity, differences in data format, as well as huge amounts of raw data
IT and OT organisations are converging
• Convergence driven by technology evolution and the pressure to reduce costs
• Different culture and skillset between the two organisations
• OT: driven by resilience objectives
• IT: driven by the need to meet end user expectations at the lowest possible cost
• Resistance to change
• Very different reporting structures
What would you do differently if you KNEW you were going to be compromised?
It’s no longer a question of “if” you’ll be breached, it’s a question of “when”…
Computer networks controlling the buildings and infrastructure architects design are regularly being hacked.
This tends to go under-reported, because it often involves private companies concerned for their public images, and untreated, because these systems are coordinated by various parties that have never been responsible for cyber security.
Source Architizer: https://architizer.com/blog/hacking-architecture/
Adversary Capabilities are Rapidly Advancing
• Threat actors are highly capable and very adaptable
• Adversaries are extremely patient and willing to invest time and large sums of money to exploit their targets
• The expertise needed to exploit utility OT is no longer a “barrier to entry”
• Specialized knowledge of control system and utility operations is moderate, i.e. vast information is freely and readily available
• Exploits are sophisticated and becoming highly automated
• Traditional defensive measures are becoming inadequate
Industrial networks are increasingly becoming targets
Escalating Attacks in IoT / OT Domain
Shamoon wipes 30K computers
2010 Stuxnet hits centrifuges in Iran nuclear compound
Stuxnet in Action: Losing Trust at the PLC Layer
(Diagram of the zones Stuxnet traversed: Internet, Media, Computers, Vendors / Partners, Corporate Network, DMZ, HMI Network (Sit. Awareness, Control, Protection), ICS Network (Programming, Maintenance), PLC Network (Physical Devices))
2014 hack attack causes 'massive damage' at German smelter
http://www.bbc.com/news/technology-30575104
“…the attackers infiltrated the corporate network using a spear-phishing attack that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer.” – WIRED 2015
2015 Ukraine power grid hack
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
Aftermath of the Attack
• At 3:35 pm on Dec 23rd 2015, the Ukrainian Kyivoblenergo (local energy company) experienced outages as a result of its SCADA systems being hacked
• Breakers were opened by hackers in 7 x 110 kV & 23 x 35 kV substations
• 225K people impacted, 6 hrs of lost power over 3 regions
Steps, process and hacking tools used
Intruders stayed dormant in the system for 6 months before the attack took place!
Numerous resources, money and probably around 20 people involved
Ukraine power grid attack - The killchain
http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
Ukraine power grid attack - The killchain: a highly orchestrated approach
Phase 1 The Preparation (IT Domain - The Intrusion)
• Spear phishing to gain access to the IT corporate network
• Delivery + exploit + install BlackEnergy malware on victims’ workstation; C2 (command and control)
• Credentials theft
• Attackers issued VPN connections from the corporate network into the ICS network
• Malicious firmware developed for the serial-to-Ethernet devices
Phase 2 The ICS Attack (Attack on OT Domain)
• Hijacking of the substation SCADA HMIs
• Execute power outage attacks: SCADA with malicious operation to open breakers
• Firmware upload; UPS compromised in DC; DDoS the call centers; KillDisk to erase evidence + delete targeted logs
(Diagram: steps 1 to 8 numbered across the CORP. and ICS networks, ending in outages)
Video shot of the actual attack: a phantom mouse forced control of the HMI console
Nonetheless, Ukraine got attacked a second time in 2016…
https://www.reuters.com/article/us-ukraine-crisis-cyber-attacks/ukraine-investigates-suspected-cyber-attack-on-kiev-power-grid-idUSKBN1491ZF
‘Ukraine investigates suspected cyber attack on Kiev power grid’
A few observations and facts…
Common Pathways into OT Environments
The human element is usually the path of least resistance
(Diagram: Coupled System + … = Risk)
IoT Cyber Security Principles for IT
C I A (Confidentiality, Integrity, Availability)
Policy management with IT convergence & ease of use
Access Control
• User and Device Identity
• Authentication, Authorization & Accounting
Data Confidentiality and Data Privacy
• Network Segmentation
• Secure Connectivity
Threat Detection and Mitigation
• Security Zones
• Intrusion Prevention; Application Visibility
Device and Platform Integrity
• Device Hardening and Secure Platform
• Configuration Assurance
Access Control
•User and Device Identity
•Authentication, Authorization & Accounting
Data Confidentiality and Data Privacy
•Network Segmentation
•Secure Connectivity
Threat Detection and Mitigation
•Security Zones
•Intrusion Prevention; Application Visibility
Device and Platform Integrity
•Device Hardening and Secure Platform
•Configuration Assurance
IoT Cyber Security Principles for OT
A I C
PolicyManagementwithOT/IT
Convergence&EaseofUse
Availability
Integrity
Confidentiality
Dynamic Threat Landscape
The average time between an attacker breaching a network and its owner noticing the intrusion is 205 days.
Nov 7, 2015 – The Economist Limited Newspaper
http://ww2.cfo.com/cyber-security-technology/2015/11/cybersecurity-cost-immaturity/
IT comes down to one simple question: how do you deal with that?
It takes an Architecture
Yes, but would you fly something like this?
An Architecture… end to end, simple to integrate security solutions capable of detecting, blocking and responding to threats, with all components working together.
Integrated Threat Defense Architecture
Network Architecture Concerns…
• A bad network design is as big a threat to security success as the lack of security.
• Better to know what you are missing than to think you are safe.
(Diagram of a plant network: Enterprise Ethernet, Proprietary Ethernet, I/O Fieldbus, Motion Net, Safety Net, “to next machine”; topologies: star, trunk/drop, fiber ring, daisy chain)
This does not mean that there was no architecture; it is likely that the architecture eroded over time.
Ukraine power grid attack - The killchain: What could have been done?
Phase 1 The Preparation (IT Domain - The Intrusion)
• Spear phishing to gain access to the IT corporate network
• Delivery + exploit + install BlackEnergy malware on victims’ workstation
• Credentials theft
• Attackers issued VPN connections from the corporate network into the ICS network; C2 (command and control)
• Malicious firmware developed for the serial-to-Ethernet devices
Phase 2 The ICS Attack (Attack on OT Domain)
• Hijacking of the substation SCADA HMIs
• Execute power outage attacks: SCADA with malicious operation to open breakers
• Firmware upload; UPS compromised in DC; DDoS the call centers; KillDisk to erase MBR and delete targeted logs
(Diagram: steps 1 to 8 numbered across the CORP. and ICS networks, ending in outages)
Ukraine power grid attack - The killchain: What could have been done (cont.)?
Police register values!
(Diagram mapping controls onto the kill chain: big data machine learning and correlation; Firepower; AMP & Threatgrid; Cisco ISE; Stealthwatch; ISA-3K industrial; Email Security, Umbrella; Splunk)
It takes an Architecture… with a central security intelligence cloud capable of analyzing billions of requests and sharing that information with all end security network devices.
(Diagram: Security Intelligence Cloud, Cisco TALOS, anti-malware queries)
Remote Access Control to the OT / ICS sensitive zone
Separation between corporate and production networks is a must!
(Diagram: external contractor; corporate zone with enterprise switch; industrial firewall; multi-service zone with industrial switch and jump box; MPLS substation edge router; ESP zone with industrial switch)
1. Device is scanned and user authentication verified (2-factor auth.)
2. User profile applied + NGFW limits applications and path; disable split tunnel
3. VDI host operates as a virtual air gap providing isolation to the ESP; jump box
4. Switch port security and identity profiling control, such as time of day (TOD) and duration, + monitor device
5. Centralized logging of events promotes accurate audits
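The five controls above composed into a single admission check, as an added example (not Cisco's code or material from the deck). The request and policy records, their field names, the contractor role, the access window and the duration cap are all assumptions constructed for the example:

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, List


@dataclass
class AccessRequest:
    """One remote-access attempt; field names are assumptions for the example."""
    user: str
    role: str
    posture_scan_passed: bool       # control 1: device scanned before admission
    mfa_verified: bool              # control 1: 2-factor authentication done
    split_tunnel_enabled: bool      # control 2: must be disabled on the VPN profile
    requested_apps: FrozenSet[str]  # control 2: NGFW limits applications
    destination_zone: str           # control 2/3: path into the protected zone
    via_jump_box: bool              # control 3: VDI / jump box as virtual air gap
    switch_port_authorized: bool    # control 4: port security + identity profiling
    requested_minutes: int          # control 4: session duration control


@dataclass
class AccessPolicy:
    role_apps: Dict[str, FrozenSet[str]]  # applications each role may reach
    window_start: time                    # control 4: time-of-day (TOD) window
    window_end: time
    max_minutes: int
    protected_zone: str = "ESP"


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def in_window(t: time, start: time, end: time) -> bool:
    """True if t is inside [start, end); handles windows that cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(req: AccessRequest, policy: AccessPolicy, now: datetime,
             audit_log: List[dict]) -> Decision:
    """Apply controls 1-4; control 5 is the audit record written for every decision."""
    reasons: List[str] = []
    # 1. Device posture and user identity
    if not req.posture_scan_passed:
        reasons.append("device posture scan failed")
    if not req.mfa_verified:
        reasons.append("2-factor authentication not verified")
    # 2. User profile applied; NGFW limits applications and path; no split tunnel
    extra = req.requested_apps - policy.role_apps.get(req.role, frozenset())
    if extra:
        reasons.append(f"applications not permitted for role {req.role}: {sorted(extra)}")
    if req.split_tunnel_enabled:
        reasons.append("split tunnelling must be disabled")
    # 3. Virtual air gap: the protected zone is reachable only through the jump box
    if req.destination_zone == policy.protected_zone and not req.via_jump_box:
        reasons.append(f"direct path into {policy.protected_zone} zone; must traverse the jump box")
    # 4. Switch port security, time-of-day and duration limits
    if not req.switch_port_authorized:
        reasons.append("switch port not authorized for this device identity")
    if not in_window(now.time(), policy.window_start, policy.window_end):
        reasons.append(f"outside access window {policy.window_start:%H:%M}-{policy.window_end:%H:%M}")
    if req.requested_minutes > policy.max_minutes:
        reasons.append(f"requested {req.requested_minutes} min exceeds cap of {policy.max_minutes} min")
    decision = Decision(allowed=not reasons, reasons=reasons)
    # 5. Centralized logging: denied attempts are audit evidence too
    audit_log.append({"time": now.isoformat(), "user": req.user, "role": req.role,
                      "zone": req.destination_zone, "allowed": decision.allowed,
                      "reasons": list(reasons)})
    return decision


# Constructed policy: contractors may only reach the jump box RDP service and
# one engineering tool, during working hours, for at most two hours at a time.
POLICY = AccessPolicy(
    role_apps={"contractor": frozenset({"rdp-jumpbox", "plc-engineering-tool"})},
    window_start=time(8, 0), window_end=time(18, 0), max_minutes=120)


def demo():
    """Two constructed requests from an external contractor; returns both decisions and the log."""
    log: List[dict] = []
    compliant = AccessRequest("vendor.tech", "contractor", True, True, False,
                              frozenset({"rdp-jumpbox"}), "ESP", True, True, 60)
    risky = AccessRequest("vendor.tech", "contractor", True, False, True,
                          frozenset({"rdp-jumpbox", "ssh"}), "ESP", False, True, 480)
    first = evaluate(compliant, POLICY, datetime(2017, 11, 7, 10, 30), log)
    second = evaluate(risky, POLICY, datetime(2017, 11, 7, 23, 15), log)
    return first, second, log


if __name__ == "__main__":
    for decision in demo()[:2]:
        print("ALLOW" if decision.allowed else "DENY", decision.reasons)
```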
Observations and key takeaways
Observations
• In Ukraine, there were multiple attacks, multiple phases, multiple sites
• Once in, attackers blend into the environment quickly; the hackers remained in the environment long enough to understand the SCADA systems
• Ukraine recovered fast because a lot of their power systems are not automated and networked. If an organization cannot fall back that easily to manual procedures, power recovery might not be that easy, or even possible
Takeaways
What to do and to enforce
Data and Applications
• Attacks must be uncovered in their early stages
• Understand the needs of, and the differences between, IT and OT security
• Enforce password resets after a pre-determined period
• Prioritize vulnerability patching on critical assets
• IP host and URL resolution blacklisting through reputation inspection
• Look for abnormal spikes in traffic patterns
• Check endpoint file integrity through hashing (SHA/MD5) via anti-malware protection
Firmware modifications over the network cause spikes in network traffic
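Two of the takeaways above (abnormal traffic spikes, and file integrity through hashing) as an added example, not code from the deck or from Cisco. The flow summaries, device names, firmware bytes and thresholds are constructed here; the spike detector generalises the firmware-push case to any destination whose per-interval byte count jumps far above its own median:

```python
import hashlib
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed per-minute flow summaries: (minute, source, destination, bytes).
# A serial-to-Ethernet gateway normally sees a few KB of polling traffic a
# minute; at minute 9 an engineering workstation pushes ~1.5 MB to it, the
# kind of burst a firmware image going over the network produces.
FLOWS: List[Tuple[int, str, str, int]] = (
    [(m, "scada-srv-01", "serial-gw-01", 2_400 + (m * 37) % 300) for m in range(12)]
    + [(9, "eng-ws-07", "serial-gw-01", 1_540_000)]
    + [(m, "scada-srv-01", "hmi-02", 8_000 + (m * 53) % 900) for m in range(12)]
)


def bytes_per_interval(flows) -> Dict[str, Dict[int, int]]:
    """Sum bytes per destination device and per interval."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for minute, _src, dst, nbytes in flows:
        totals[dst][minute] += nbytes
    return totals


def detect_spikes(flows, factor: float = 6.0, min_bytes: int = 100_000):
    """Return (device, minute, bytes, baseline) for intervals far above the
    device's own baseline.  Baseline is the median of per-interval totals and
    spread is the median absolute deviation (MAD), floored at 5% of the
    median so a perfectly steady device does not alert on tiny jitter.
    min_bytes suppresses alerts on devices that carry almost no traffic."""
    alerts = []
    for device, per_minute in bytes_per_interval(flows).items():
        values = list(per_minute.values())
        if len(values) < 4:          # not enough history for a baseline
            continue
        median = statistics.median(values)
        mad = statistics.median(abs(v - median) for v in values)
        spread = max(mad, 0.05 * median)
        for minute in sorted(per_minute):
            total = per_minute[minute]
            if total >= min_bytes and total > median + factor * spread:
                alerts.append((device, minute, total, median))
    return alerts


def sha256_hex(data: bytes) -> str:
    # The slide lists SHA/MD5; SHA-256 is used here because MD5 collisions are practical.
    return hashlib.sha256(data).hexdigest()


def verify_manifest(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare each file's SHA-256 with a known-good manifest.
    Result per name: 'ok', 'modified', 'missing' (in manifest, not on disk)
    or 'unexpected' (on disk, not in manifest)."""
    result: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in files:
            result[name] = "missing"
        elif sha256_hex(files[name]) == expected:
            result[name] = "ok"
        else:
            result[name] = "modified"
    for name in files:
        if name not in manifest:
            result[name] = "unexpected"
    return result


# Constructed firmware image and the manifest captured while it was known good.
GOOD_FIRMWARE = b"serial-gw-01 firmware v2.3 (constructed sample image)"
MANIFEST = {"serial-gw-01.bin": sha256_hex(GOOD_FIRMWARE)}


def demo():
    """Run both checks on the constructed data; returns (spike alerts, integrity results)."""
    spikes = detect_spikes(FLOWS)
    tampered = GOOD_FIRMWARE + b"\x00extra-bytes"
    integrity = verify_manifest(
        {"serial-gw-01.bin": tampered, "hmi-02.bin": b"unknown"}, MANIFEST)
    return spikes, integrity


if __name__ == "__main__":
    spikes, integrity = demo()
    for device, minute, total, baseline in spikes:
        print(f"SPIKE {device} minute {minute}: {total} bytes (baseline {baseline:.0f})")
    print(integrity)
```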
Takeaways
What to do and to enforce
Host and network
• Segmentation of the SCADA network (IEC 61850 secured zoning)
• Logging must be enabled on all SCADA devices
• Backup of all critical firmware
• Restrict and control remote connections to the SCADA systems through secured jump points
• IPS rules adapted for ICS, for detection within the industrial environment
Policies and procedures
• Training for OT staff and operators
• Segregation of duties: make sure no single HMI console has full control end to end
• Invite business process owners to discuss what is important to protect
• Make sure IT/OT staff are up to date and knowledgeable on ICS security
• DR scenarios in place to switch to manual mode
An organization needs to have a strong “culture of security”
• Security programs should not be built based on security compliance requirements alone; they must also factor in:
• Evolving threat landscape
• Changing operational and business requirements
• Technological evolution
“We have a culture of compliance when we should really have a culture of security.”
Timothy E. Roxey, VP and Chief E-ISAC Operations Officer at NERC
Links of interest
• SANS Overview of the Ukraine Grid attack: E-ISAC | Analysis of the Cyber Attack on the Ukrainian Power Grid | March 18, 2016
http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
• SANS - German Steel Mill Cyber Attack
https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
• SANS - Anatomy of an ICS attack
https://securingthehuman.sans.org/cyberattackdemo
• Cisco IoT Threat Defence
http://www.cisco.com/c/en/us/solutions/security/iot-threat-defense/index.html?dtid=osscdc000283&stickynav=1
Thank you

Contenu connexe

Tendances

MX Deep Dive PPT
MX Deep Dive PPTMX Deep Dive PPT
MX Deep Dive PPT
omar awad
 

Tendances (20)

Cisco connect winnipeg 2018 introducing the network intuitive
Cisco connect winnipeg 2018   introducing the network intuitiveCisco connect winnipeg 2018   introducing the network intuitive
Cisco connect winnipeg 2018 introducing the network intuitive
 
Cisco connect winnipeg 2018 we make it simple
Cisco connect winnipeg 2018   we make it simpleCisco connect winnipeg 2018   we make it simple
Cisco connect winnipeg 2018 we make it simple
 
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018   stealthwatch whiteboard session and cisco secur...Cisco connect winnipeg 2018   stealthwatch whiteboard session and cisco secur...
Cisco connect winnipeg 2018 stealthwatch whiteboard session and cisco secur...
 
Cisco connect winnipeg 2018 simple it leads to simple it management
Cisco connect winnipeg 2018   simple it leads to simple it managementCisco connect winnipeg 2018   simple it leads to simple it management
Cisco connect winnipeg 2018 simple it leads to simple it management
 
Cisco connect winnipeg 2018 unlocking business value with network programma...
Cisco connect winnipeg 2018   unlocking business value with network programma...Cisco connect winnipeg 2018   unlocking business value with network programma...
Cisco connect winnipeg 2018 unlocking business value with network programma...
 
TechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnectTechWiseTV Workshop: OpenDNS and AnyConnect
TechWiseTV Workshop: OpenDNS and AnyConnect
 
Cisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attackCisco Connect Toronto 2017 - Anatomy-of-attack
Cisco Connect Toronto 2017 - Anatomy-of-attack
 
Security As A Service
Security As A ServiceSecurity As A Service
Security As A Service
 
Cisco Connect Halifax 2018 Simple IT
Cisco Connect Halifax 2018   Simple ITCisco Connect Halifax 2018   Simple IT
Cisco Connect Halifax 2018 Simple IT
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced Threats
 
Meraki Overview
Meraki OverviewMeraki Overview
Meraki Overview
 
The Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and LancopeThe Network as a Sensor, Cisco and Lancope
The Network as a Sensor, Cisco and Lancope
 
[Cisco Connect 2018 - Vietnam] Rajinder singh cisco sd-wan-next generation ...
[Cisco Connect 2018 - Vietnam] Rajinder singh   cisco sd-wan-next generation ...[Cisco Connect 2018 - Vietnam] Rajinder singh   cisco sd-wan-next generation ...
[Cisco Connect 2018 - Vietnam] Rajinder singh cisco sd-wan-next generation ...
 
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
Cisco connect winnipeg 2018   simplifying cloud adoption with cisco ucsCisco connect winnipeg 2018   simplifying cloud adoption with cisco ucs
Cisco connect winnipeg 2018 simplifying cloud adoption with cisco ucs
 
Ottawa e-NFV Session
Ottawa e-NFV Session Ottawa e-NFV Session
Ottawa e-NFV Session
 
Cisco connect winnipeg 2018 a look at network assurance in dna center
Cisco connect winnipeg 2018   a look at network assurance in dna centerCisco connect winnipeg 2018   a look at network assurance in dna center
Cisco connect winnipeg 2018 a look at network assurance in dna center
 
Protect your guest wifi - NOW
Protect your guest wifi - NOWProtect your guest wifi - NOW
Protect your guest wifi - NOW
 
MX Deep Dive PPT
MX Deep Dive PPTMX Deep Dive PPT
MX Deep Dive PPT
 
Cisco connect winnipeg 2018 accelerating incident response in organizations...
Cisco connect winnipeg 2018   accelerating incident response in organizations...Cisco connect winnipeg 2018   accelerating incident response in organizations...
Cisco connect winnipeg 2018 accelerating incident response in organizations...
 
Simplifying Cloud Adoption with Cisco
Simplifying Cloud Adoption with CiscoSimplifying Cloud Adoption with Cisco
Simplifying Cloud Adoption with Cisco
 

Similaire à Ot ics cyberattaques dans les organisations industrielles

Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
Ivan Carmona
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
Austin Eppstein
 

Similaire à Ot ics cyberattaques dans les organisations industrielles (20)

Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18Nozomi Fortinet Accelerate18
Nozomi Fortinet Accelerate18
 
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
Build A Solid Foundation For Industrial Network Security - Cybersecurity Webi...
 
Io t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425cIo t security defense in depth charles li v1 20180425c
Io t security defense in depth charles li v1 20180425c
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
 
Network Security v1.0 Network Security v
Network Security v1.0 Network Security vNetwork Security v1.0 Network Security v
Network Security v1.0 Network Security v
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
 
2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation2012 02 14 Afcom Presentation
2012 02 14 Afcom Presentation
 
SCADA White Paper March2012
SCADA White Paper March2012SCADA White Paper March2012
SCADA White Paper March2012
 
Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018 Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018
 
Internet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issuesInternet of Things - Privacy and Security issues
Internet of Things - Privacy and Security issues
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Darktrace white paper_ics_final
Darktrace white paper_ics_finalDarktrace white paper_ics_final
Darktrace white paper_ics_final
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
ICS_WhitePaper_Darktrace
ICS_WhitePaper_DarktraceICS_WhitePaper_Darktrace
ICS_WhitePaper_Darktrace
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture
 
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
Understanding Cyber Industrial Controls in the Manufacturing and Utilities En...
 
How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions  How to Respond to Industrial Intrusions
How to Respond to Industrial Intrusions
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
 

Plus de Cisco Canada

Plus de Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Dernier

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Ot ics cyberattaques dans les organisations industrielles

  • 1. Sylvain Denoncourt GSEC, CISSP Conseiller en architecture IoT, Cisco OT-ICS Cyberattaques dans les organisations industrielles Cisco Connect Montréal Nov. 2017
  • 2. 3 IT vs OT IT - Information Technology Pertains mainly to the corporate offices Connects mainly people and servers More homogeneous in nature OT - OperationTechnology Pertains to Industrial environments ! the manufacturing floor, utility substation, oil rig, mining environment etc Connect mainly endpoints, sensors and meters… Multiplicity, difference in data format as well as huge amount of raw data
  • 3. 4 IT and OT organisations are converging • Convergence driven by technology evolution and the pressure to reduce costs • Different culture and skillset between the two organisations • OT: driven by resilience objectives • IT: driven by the need to meet end user expectations at the lowest possible cost • Resistance to change • Very different reporting structures
  • 4. What would you do differently if you KNEW you were going to be compromised? It’s no longer a question of “if” you’ll be breached, it’s a question of “when”…
  • 5. 6 Computer networks controlling the buildings and infrastructure architects design are regularly being hacked This tends to go under-reported, because it often involves private companies concerned for their public images, and untreated, because these systems are coordinated by various parties that have never been responsible for cyber security. Source Architizer : https://architizer.com/blog/hacking-architecture/
  • 6. Adversary Capabilities are Rapidly Advancing • Threat actors are highly capable and very adaptable • Adversaries are extremely patient and willing to invest time and large sums of money to exploit their targets • The expertise needed to exploit utility OT is no longer a “barrier to entry” • Specialized knowledge of control system and utility operations is moderate, i.e. vast information is freely and readily available • Exploits are sophisticated and becoming highly automated • Traditional defensive measures are becoming inadequate
  • 7. Industrial networks are increasingly becoming targets
  • 8. Escalating attacks in the IoT/OT domain: Shamoon wipes 30K computers
  • 9. 2010: Stuxnet hits centrifuges in Iran nuclear compound
  • 10. Stuxnet in Action: Losing Trust at the PLC Layer
    (Slide diagram of the network layers: Internet, media, computers, vendors/partners → DMZ → Corporate Network → DMZ → HMI Network (situational awareness, control, protection) → ICS Network (programming, maintenance) → PLC Network (physical devices).)
  • 11. 2014 hack attack causes 'massive damage' at German smelter http://www.bbc.com/news/technology-30575104 …the attackers infiltrated the corporate network using a spear-phishing attack that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer. – WIRED 2015
  • 12. 2015 Ukraine power grid hack https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
  • 13. Aftermath of the Attack • At 3:35 pm on Dec 23rd 2015, the Ukrainian Kyivoblenergo (local Energy company) experienced outages as a result of its SCADA systems being hacked • Breakers were opened by hackers in 7 x 110 kV & 23 x 35kV substations • 225K people impacted, 6 hrs of lost power over 3 regions
  • 14. Steps, process and hacking tools used. Intruders stayed dormant in the system for 6 months before the attack took place! Numerous resources, money and probably around 20 people involved. Ukraine power grid attack - The kill chain: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
  • 15. Ukraine power grid attack - The kill chain: a highly orchestrated approach
    Phase 1 - The Preparation (IT Domain - The Intrusion)
      • Spear phishing to gain access to the IT corporate network
      • Delivery + exploit + install of BlackEnergy malware on victims' workstations
      • C2 (command and control)
      • Credentials theft
      • Attackers issued VPN connections from the corporate network into the ICS network
      • Malicious firmware developed for the serial-to-ethernet devices
    Phase 2 - The ICS Attack (Attack on OT Domain)
      • Hijacking of the substation SCADA HMIs
      • Execute power outage attacks: SCADA driven with malicious operations to open breakers
      • Firmware upload
      • UPS compromised in the DC
      • DDoS of the call centers
      • KillDisk to erase evidence + delete targeted logs
    (The slide diagram numbers these steps 1 to 8 across the CORP and ICS networks, ending in outages.)
  • 16. Video shot of the actual attack: a phantom mouse forced control of the HMI console
  • 17. Nonetheless, Ukraine got attacked a second time in 2016…. 'Ukraine investigates suspected cyber attack on Kiev power grid': https://www.reuters.com/article/us-ukraine-crisis-cyber-attacks/ukraine-investigates-suspected-cyber-attack-on-kiev-power-grid-idUSKBN1491ZF
  • 18. A few observations and facts…
  • 19. Common Pathways into OT Environments
  • 20. The human element is usually the path of least resistance (slide diagram: Coupled System + human = Risk)
  • 21. IoT Cyber Security Principles for IT (the slide orders the triad C-I-A: Confidentiality, Integrity, Availability)
      • Access Control: user and device identity; authentication, authorization & accounting
      • Data Confidentiality and Data Privacy: network segmentation; secure connectivity
      • Threat Detection and Mitigation: security zones; intrusion prevention; application visibility
      • Device and Platform Integrity: device hardening and secure platform; configuration assurance
      • Policy management with IT convergence & ease of use
  • 22. IoT Cyber Security Principles for OT (the slide orders the triad A-I-C: Availability, Integrity, Confidentiality)
      • Access Control: user and device identity; authentication, authorization & accounting
      • Data Confidentiality and Data Privacy: network segmentation; secure connectivity
      • Threat Detection and Mitigation: security zones; intrusion prevention; application visibility
      • Device and Platform Integrity: device hardening and secure platform; configuration assurance
      • Policy management with OT/IT convergence & ease of use
  • 23. Dynamic Threat Landscape The average time between an attacker breaching a network and its owner noticing the intrusion is 205 days. Nov 7, 2015 – The Economist Limited Newspaper http://ww2.cfo.com/cyber-security-technology/2015/11/cybersecurity-cost-immaturity/
  • 24. It comes down to one simple question: how do you deal with that?
  • 25. It takes an Architecture Yes, but would you fly something like this ?
  • 26. An Architecture… …end to end simple to integrate security solutions capable of detecting, blocking and responding to threats with all components working together. Integrated Threat Defense Architecture
  • 27. Network Architecture Concerns…
      • A bad network design is as big a threat to security success as the lack of security.
      • Better to know what you are missing than to think you are safe.
    (Slide diagram of a plant network: Enterprise Ethernet, Proprietary Ethernet, I/O, Fieldbus, Motion Net, Safety Net, "to next machine"; topologies: star, trunk/drop, fiber ring, daisy chain.)
    This does not mean that there was no architecture - it is likely that the architecture eroded over time.
  • 28. Ukraine power grid attack - The kill chain: what could have been done?
    The kill chain again, in two phases:
    Phase 1 - The Preparation (IT Domain - The Intrusion): spear phishing to gain access to the IT corporate network; delivery + exploit + install of BlackEnergy malware on victims' workstations; credentials theft; attackers issued VPN connections from the corporate network into the ICS network; C2 (command and control); malicious firmware developed for the serial-to-ethernet devices.
    Phase 2 - The ICS Attack (Attack on OT Domain): hijacking of the substation SCADA HMIs; execute power outage attacks, SCADA driven with malicious operations to open breakers; firmware upload; UPS compromised in the DC; DDoS of the call centers; KillDisk to erase the MBR and delete targeted logs.
  • 29. Ukraine power grid attack - The kill chain: what could have been done (cont.)?
    Controls the slide overlays on the same kill chain: big data / machine learning / correlation; Firepower, AMP & Threatgrid; Cisco ISE; Stealthwatch; ISA-3K industrial; Email Security, Umbrella; Splunk; "Police register values!"
  • 30. It takes an Architecture … with a central security intelligent cloud capable of analyzing billions of requests and sharing that information to all end security network devices.
  • 31. Security Intelligence Cloud Cisco TALOS Anti-malware queries
  • 32. Remote Access Control to the OT / ICS sensitive zone: separation between corporate and production networks is a must!
    Diagram elements: external contractor; corporate zone (enterprise switch); industrial FW; MPLS; substation edge router; multi-service zone (industrial switch); jump box; ESP zone (industrial switch).
    Controls, as numbered on the slide:
      1. Device is scanned and user authentication verified - 2-factor authentication
      2. User profile applied + NGFW limits applications and path; disable split tunnel
      3. VDI host (jump box) operates as a virtual air gap providing isolation to the ESP
      4. Switch port security and identity profiling controls such as TOD and duration + monitor device
      5. Centralized logging of events promotes accurate audits
  • 33. Observations and key takeaways
  • 34. Observations
      • In Ukraine, there were multiple attacks, multi phases, multi sites
      • Once in, attackers blend in quickly in the environment; the hackers remained in the environment long enough to understand the SCADA systems
      • Ukraine recovered fast because a lot of their power systems are not automated and networked. If an organization cannot fall back that easily to manual procedures, power recovery might not be that easy / possible
  • 35. Takeaways - What to do and to enforce: Data and Applications
      • Attacks must be uncovered in the early stages of the attack
      • Understand the needs and differences for IT vs OT security
      • Password reset enforcement after a pre-determined period
      • Prioritize vulnerability patching on critical assets
      • IP host and URL resolution blacklisting through reputation inspection
      • Look for abnormal spikes in traffic patterns
      • Check endpoint file integrity through SHA/MD5 hashing via anti-malware protection
  • 36. Firmware modifications over the network cause spikes in network traffic
  • 37. Takeaways - What to do and to enforce: Data and Applications
      • Attacks must be uncovered in the early stages of the attack
      • Understand the needs and differences for IT vs OT security
      • Password reset enforcement after a pre-determined period
      • Prioritize vulnerability patching on critical assets
      • IP host and URL resolution blacklisting through reputation inspection
      • Look for abnormal spikes in traffic patterns
      • Check endpoint file integrity through SHA/MD5 hashing via anti-malware protection
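As an added example (not part of the presentation) of the "abnormal spike in traffic pattern" check on slides 36 and 37, the following Python compares each OT host's per-interval byte count against the median of its recent history and flags a firmware-sized push towards a serial-to-ethernet gateway. The flow records, host names and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries (not from the presentation): (interval, dst_host, bytes).
# Each record is the byte count sent from the corporate side to an OT host in one
# 5-minute interval. "gw-sub1" is a hypothetical serial-to-ethernet gateway that
# normally only receives small polling traffic; "hmi-1" is a hypothetical HMI.
FLOWS = [
    ("t00", "gw-sub1", 4200), ("t01", "gw-sub1", 3900), ("t02", "gw-sub1", 4500),
    ("t03", "gw-sub1", 4100), ("t04", "gw-sub1", 4300), ("t05", "gw-sub1", 4000),
    ("t06", "gw-sub1", 3800), ("t07", "gw-sub1", 4400),
    ("t08", "gw-sub1", 2_600_000),  # a firmware-sized push, about 600x the baseline
    ("t00", "hmi-1", 80_000), ("t01", "hmi-1", 82_000), ("t02", "hmi-1", 79_000),
    ("t03", "hmi-1", 81_000), ("t04", "hmi-1", 80_000), ("t05", "hmi-1", 83_000),
    ("t06", "hmi-1", 80_000), ("t07", "hmi-1", 95_000), ("t08", "hmi-1", 88_000),
]


def bytes_per_interval(flows):
    """Aggregate records into {host: {interval: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for interval, host, nbytes in flows:
        totals[host][interval] += nbytes
    return totals


def find_spikes(flows, baseline_len=6, factor=5.0, min_bytes=100_000):
    """Return (host, interval, bytes, baseline) for every interval whose volume
    exceeds `factor` times the median of the preceding `baseline_len` intervals.
    The median is not dragged up by the spike itself, and `min_bytes` stops
    low-volume hosts from alerting on noise (a 2x jump of 4 KB is not a
    firmware push). Thresholds are illustrative; tune them per device class."""
    alerts = []
    for host, per_interval in bytes_per_interval(flows).items():
        keys = sorted(per_interval)
        series = [per_interval[k] for k in keys]
        for i in range(baseline_len, len(series)):
            baseline = statistics.median(series[i - baseline_len:i])
            if series[i] >= min_bytes and series[i] > factor * baseline:
                alerts.append((host, keys[i], series[i], baseline))
    return alerts


if __name__ == "__main__":
    for host, interval, nbytes, baseline in find_spikes(FLOWS):
        print(f"ALERT {host} {interval}: {nbytes} bytes vs baseline {baseline:.0f}")
```

On the constructed data only the gateway's t08 interval is flagged; the HMI's modest rise at t07 stays well under the threshold.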
  • 38. Takeaways - What to do and to enforce: Host and network
      • Segmentation of the SCADA network (IEC 61850 secured zoning)
      • Logging must be enabled on all SCADA devices
      • Backup of all critical firmware
      • Restrict and control remote connections to the SCADA systems through secured jump points
      • IPS with ICS-adapted rules for detection within the industrial environment
    Policies and procedures
      • Training of OT staff operators
      • Segregation of duties: make sure no single HMI console has full control end to end
      • Invite business process owners to discuss what is important to protect
      • Make sure IT/OT is up to date and knowledgeable on ICS security
      • DR scenarios in place to switch to manual mode
  • 39. Organization needs to have a strong "culture of security"
      • Security programs should not be built based on security compliance requirements alone; they must also factor in:
        • Evolving threat landscape
        • Changing operational and business requirements
        • Technological evolution
    "We have a culture of compliance when we should really have a culture of security." - Timothy E. Roxey, VP and Chief E-ISAC Operations Officer at NERC
  • 40. Links of interest
      • SANS overview of the Ukraine grid attack, E-ISAC | Analysis of the Cyber Attack on the Ukrainian Power Grid | March 18, 2016: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf
      • SANS - German Steel Mill Cyber Attack: https://ics.sans.org/media/ICS-CPPE-case-Study-2-German-Steelworks_Facility.pdf
      • SANS - Anatomy of an ICS attack: https://securingthehuman.sans.org/cyberattackdemo
      • Cisco IoT Threat Defence: http://www.cisco.com/c/en/us/solutions/security/iot-threat-defense/index.html?dtid=osscdc000283&stickynav=1
  • 41. Merci