What are the myths and legends around securing Industrial Control Systems? This short presentation explains some day-to-day experiences with the problems, risks and fairy tales around securing ICS. Reading it should lead you to start doing some homework....
The Four Horsemen of the ICS Security Apocalypse
1. “The four horsemen of the ICS security apocalypse”
Christiaan Beek
Director of Incident Response & Forensics EMEA
2. What to expect
• Intro
• ICS security a myth?
• The Four Horsemen
• Wrap-up
• Questions?
Thanks @Beaker for approving the title of this presentation
5. Christiaan Beek, Forensics and IR Lead for EMEA
• Digital Forensics
As an Enterprise Architect on the Foundstone Services team,
Christiaan is the Head of and practice lead for the Incident Response
and Forensics services team in EMEA. He has performed numerous
forensic investigations from system compromise, theft, child
pornography, malware infections, Advanced Persistent Threats (APT)
and mobile devices. He has also participated as an expert witness for
the Dutch Department of Justice in high-profile investigations and
leading a team of computer forensics specialists assisting police with
evidence recovery.
• Vulnerability Assessment and Network Penetration Testing
Since 2000 Christiaan has been performing security assessments and
penetration testing for companies in almost every industry.
• Risk Assessment and Policy Development
With extensive experience in PCI-DSS, Christiaan has assisted
numerous international clients in Banking, Insurance, Government with
their Risk Management strategy. As the Security Officer of the largest
water company in the Netherlands, he developed IT security policies for
both the data and SCADA networks.
• Foundstone Education
Christiaan is the author and lead-instructor of the class ‘Malware
Forensics and Incident Response’ (MFIRE).
• Hacking Exposed Book
Christiaan has co-authored the APT chapter in the new Hacking
Exposed 7 book.
Our Incident Response Team
• Most of the first responders have
more than a decade of experience
• Many of them have participated in law
enforcement investigations
• Our consultants write articles for
digital forensics magazines, and well
known security e-publications
• We teach forensics and malware
analysis to governments
and at globally-known
conferences like…
• We participate in
7. The Four Horsemen of the Apocalypse are described
in the Book of Revelation.
The four riders are seen as symbolizing and representing
the following powers:
- War
- Famine
- Death
- Pestilence
13. Famine: Incident Response
• Handling incidents in an ICS environment is different
• Forensics could be challenging
• Where’s the evidence data?
• Different OS & applications than corporate
14. Famine: People & Education
• Lack of skilled, experienced and passionate people
• Not a lot of good education around
• Only a few good books out there
18. An Intel company
Your ICS vendor
We s..ck
The MS09-XX patch cannot be applied for the next two years on our product….
Kind regards,
your ICS vendor
20. Ease of attack:
SCADA networks are attached to the corporate network or the Internet.
Exploiting these systems is becoming easy…
Background & S7 example: project IRAM – http://www.scadacs.org
21. Researchers focus more on exploits
Still, many firmware updates contain the username and password in cleartext….
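A defender-side check for the point above: before a vendor firmware update is rolled out, scan the image for credential-looking fields stored in cleartext. This is an added example, not code from the presentation or from any vendor; the firmware blob, field names and values are constructed for the demo.

```python
import re
import string

# Constructed sample "firmware image": binary padding around a few config
# strings, of the kind the slide says still ship in cleartext. Not a real vendor file.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 24
    + b"vendor=ExamplePLC\x00fw_version=3.2.1\x00"
    + b"\x90\x90\xff\xfe" * 4
    + b"admin_user=service\x00admin_pass=Welcome123\x00"
    + b"\x00\xde\xad\xbe\xef" * 3
    + b"telnet_password: maintenance\x00"
    + b"\x01\x02\x03"
)

# printable ASCII without the whitespace control characters
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")

def extract_strings(blob: bytes, min_len: int = 6):
    """Return printable ASCII runs of at least min_len bytes (like strings(1))."""
    out, cur = [], bytearray()
    for b in blob:
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out

# key=value or key: value where the key name looks like a credential field
CRED_RE = re.compile(
    r"(?i)\b([a-z_]*(?:pass(?:word|wd)?|pwd|secret|user(?:name)?)[a-z_]*)\s*[:=]\s*(\S+)"
)

def find_cleartext_credentials(blob: bytes):
    """Flag credential-looking key/value pairs in a firmware image as (key, value) tuples."""
    hits = []
    for s in extract_strings(blob):
        for key, value in CRED_RE.findall(s):
            hits.append((key, value))
    return hits

if __name__ == "__main__":
    for key, value in find_cleartext_credentials(SAMPLE_FIRMWARE):
        print(f"cleartext credential field {key!r} -> {value!r}")
```

Any hit is a finding to raise with the vendor and a reason to treat the device's management interface as exposed until the credentials are changed.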
23. Initiatives
• Many ICS vendors nowadays have a dedicated security team and are addressing vulnerabilities
• Security vendors are partnering with ICS vendors to certify their products for the platforms used
24. How is McAfee contributing?
Coverage layers: Endpoint, Network, Data
Corporate IT: Enterprise Apps | Ethernet, TCP/IP | Modern Computers (Windows, Linux, Mac)
SCADA: SCADA, HMI | Ethernet, Serial | Legacy Computers (Windows)
Device Network: Ladder Logic | Ethernet, Serial, Relays | Special Function (Embedded OS)
25. McAfee is working with all major SCADA & ICS vendors to test, certify, and in many cases embed McAfee technology
26. Product Acceptance & Certification
Currently supported products per process management vendor, each marked Cert’d ✔ or OEM ✔ (vendor logos not captured):
- Integrity Control, Embedded Control, Device Control, HIPS, VirusScan Enterprise, AntiSpyware Enterprise, ePO, Rogue System Detection, McAfee Agent
- Integrity Control, Embedded Control, Device Control
- Embedded Control, Device Control, HIPS, ePO, Enterprise Security Manager, IPS
- Integrity Control, Embedded Control, Device Control, HIPS, VirusScan Enterprise, AntiSpyware Enterprise, ePO, Rogue System Detection, McAfee Agent
- VirusScan Enterprise, Embedded Control
- Enterprise Security Manager, IPS
- VirusScan Enterprise, Embedded Control ✔
In October 2013, McAfee announced a partnership with Yokogawa
27. Final thoughts…
• What is your outside footprint?
• Do you know your critical assets?
(they are not equal to a server or single system)
• Who’s responsible for what?
• When was your last assessment?
• Be realistic and agree on what risk is accepted
• What metrics do you use?