3. ICS Cybersecurity Challenges
Tech Talent
• Lack of ICS experience
• Minimal cybersecurity expertise
• Difficult to keep pace with threat actors and methods
• Requires actionable and operations-aware data
• Need automation in an ICS cybersecurity platform
• ICS-focused technology, not misapplied IT tech
Threats
• Without intelligence, threat activity remains uncertain
• Annual reports show that the #1 attack vector remains “Unknown”
• Threats to ICS are constantly evolving
4. Classic Purdue Model
Level 5: Enterprise Network
Level 4: Facility Network
Level 3: Operations & Support
Level 2: Supervisory
Level 1: Controllers
Level 0: Field Devices
5. State of the Art: TRISIS
Authored by XENOTIME
TARGET: Triconex Safety Systems (3008 / PowerPC)
CAPABILITIES: Memory Resident Rootkit
CLASSIFICATION: Memory Resident Rootkit
DELIVERY: Windows host with network access via legitimate TriStation protocol
6. Real World - Purdue Model
Level 4 and 5: Enterprise & Facility Networks
Level 1 through 3: Operations, Supervisory, Controllers, SIS
Level 0: Field Devices
9. Incident Response
• Respond systematically to events and incidents
• Make sure the appropriate actions are taken
• Minimize impact caused by incidents
• Apply lessons to future incidents and how they are handled
10. Detection and Analysis
• Attack Vectors
• Signs of an Incident
• Sources of Precursors and Indications
• Incident Analysis
• Incident Documentation
• Incident Prioritization
• Incident Notification
Prerequisites:
o Understand the Environment
o Understand the Threat
o Skill & Experience
11. Detection and Analysis across the Purdue Model
Level 5: Enterprise Network
Level 4: Facility Network
Level 3: Operations & Support
Level 2: Supervisory
Level 1: Controllers
Level 0: Field Devices
For each level, ask:
o Attack Vectors?
o Signs of an Incident?
o Sources of Precursors and Indications?
o Incident Analysis?
12. Hunting in ICS
1 What is hunting?
“A focused and iterative approach to searching out, identifying and understanding adversaries internal to the defender’s networks.”
Should extend automation footprint
2 Why hunt in ICS?
• Historically low level of visibility and automation footprint
• Can be done safely during operations
• Responders lack comfort level in actually responding in industrial environments
3 Hunt cycle
13. Visibility & Collection
o Attack Vectors?
o Signs of an Incident?
o Sources of Precursors and Indications?
o Incident Analysis?
Hunt cycle:
• Develop New Requirements: TTX, Crown Jewel analysis, risk mgmt. processes
• Develop a Collection Plan: gap analysis, threat modeling, kill chain analysis
• Implement: environment manipulation, process and playbook creation
• Test: measure and understand
• Update Collection Plan: remove unneeded requirements, update changes, disseminate / communicate
14. Sample CMF
Source               | IDS              | Windows Event Collector            | RTU           | Cisco Firewall                          | Data Historian
Location             | Control Center   | Control Center                     | Substation    | DMZ                                     | Control Center
Data Type            | System Alert     | Host Based Logs                    | Syslog        | System Alert                            | Process Information
Kill Chain Coverage  | Delivery and C2  | Exploitation, Installation, and AOO| AOO           | Delivery and C2                         | AOO
Follow-on Collection | Packet Capture   | Files and Timelines                | None          | Approved Flows and Blocked Connections  | None
Typical Storage      | 5 days           | 90 days                            | 10 days       | 30 days                                 | 5 years
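A collection management framework is only useful if it is queried for gaps. The following is an added example, not code from the original deck or from its author: it transcribes the Sample CMF above as data and runs the kind of gap analysis the hunt cycle calls for (which kill chain phases have no collecting source at each location, which sources cannot support a follow-on investigation, and which retain data for less time than the dwell window we want to look back over). The five phase names, the mapping of "AOO" to Actions on Objectives, and the 30-day retention threshold are assumptions chosen for illustration, not values from the slide.

```python
"""CMF gap analysis over the Sample CMF (added example; assumptions noted inline)."""
from dataclasses import dataclass

# Kill chain phases as they appear in the slide's coverage column.
# Treating these five as the full phase list is an assumption for this example.
PHASES = ("Delivery", "Exploitation", "Installation", "C2", "AOO")


@dataclass(frozen=True)
class Source:
    name: str
    location: str
    data_type: str
    phases: frozenset        # kill chain phases this source gives visibility into
    follow_on: tuple         # follow-on collection it enables; empty tuple = "None"
    retention_days: int      # "Typical Storage" column converted to days


# The Sample CMF from the slide, transcribed as data (5 years taken as 5*365 days).
SAMPLE_CMF = [
    Source("IDS", "Control Center", "System Alert",
           frozenset({"Delivery", "C2"}), ("Packet Capture",), 5),
    Source("Windows Event Collector", "Control Center", "Host Based Logs",
           frozenset({"Exploitation", "Installation", "AOO"}), ("Files", "Timelines"), 90),
    Source("RTU", "Substation", "Syslog",
           frozenset({"AOO"}), (), 10),
    Source("Cisco Firewall", "DMZ", "System Alert",
           frozenset({"Delivery", "C2"}), ("Approved Flows", "Blocked Connections"), 30),
    Source("Data Historian", "Control Center", "Process Information",
           frozenset({"AOO"}), (), 5 * 365),
]


def coverage_by_location(cmf):
    """Map each location to the set of phases that at least one source there covers."""
    coverage = {}
    for src in cmf:
        coverage.setdefault(src.location, set()).update(src.phases)
    return coverage


def phase_gaps(cmf):
    """Per location, the phases for which no source provides visibility (sorted)."""
    return {loc: sorted(set(PHASES) - covered)
            for loc, covered in coverage_by_location(cmf).items()}


def follow_on_gaps(cmf):
    """Sources that raise an alert or log but offer nothing to validate it against."""
    return [src.name for src in cmf if not src.follow_on]


def retention_gaps(cmf, min_days=30):
    """Sources whose retention is shorter than the look-back window an investigation needs.
    The 30-day default is an assumed threshold, not a value from the slide."""
    return [src.name for src in cmf if src.retention_days < min_days]


def report(cmf, min_days=30):
    """Human-readable summary; returned as a list of lines so it can be checked or printed."""
    lines = []
    for loc, missing in sorted(phase_gaps(cmf).items()):
        lines.append(f"{loc}: no visibility into {', '.join(missing) or 'nothing (full coverage)'}")
    lines.append("no follow-on collection: " + ", ".join(follow_on_gaps(cmf)))
    lines.append(f"retention under {min_days} days: " + ", ".join(retention_gaps(cmf, min_days)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CMF)))
```

Running the block shows the substation has visibility into Actions on Objectives only, the DMZ has nothing past Delivery and C2, and both the RTU syslog and the historian data have no follow-on collection to confirm an indication; those are exactly the rows a "Develop a Collection Plan" step would turn into new requirements.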
16. What Forensically Matters
• Where is the serial number / model number?
• How do you identify the MAC address? IP address?
• Do we know what the embedded OS is?
• What interfaces exist?
• Through which interfaces can you download programs or update firmware?
• Is there removable storage?
• What is stored on the removable storage?
• What file system is used on the removable storage?
• What modes are possible, and what are their implications?