ics case studies v2
1 Copyright © 2014, FireEye, Inc. All rights reserved.
Case Studies: Industrial Control Systems
Dan Scali, Manager – Industrial Control Systems, Mandiant Security Consulting Services
ICS security threats

Network layers, top to bottom:
• Enterprise/IT
• Plant DMZ
• SCADA/ICS: SCADA, Historian, HMI
• Control: PLCs, controllers, RTUs, PACs

Threat vector: attacks on the enterprise
Threat vector: attacks on ICS/SCADA systems and devices
Case studies
• Building a comprehensive program: how an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program
• Defending the SCADA & field-level devices: how an ICS operator used passive network monitoring to identify SCADA network configuration flaws
Case Study: Building a cyber security program
The challenges

Challenge: Maintain compliance
Business imperative: Transition from NERC CIP v3 to NERC CIP v5
Implications:
• 10-20k serial assets coming into scope for NERC CIP
• Requires coordination across OT & IT

Challenge: Resist targeted attacks
Business imperative: Detect, respond to, and contain incidents impacting grid assets
Implications:
• Integrated SOC will need visibility into grid assets
• IR processes and technologies must be adapted for the control system environment

Challenge: Support reliability
Business imperative: IT/OT convergence and next-generation grid
Implications:
• Legacy control systems technology will be replaced
• Connectivity & exposure of power systems will increase
FireEye’s solution: Program strategy

Mission: To support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents.

Stakeholders: Transmission & Distribution; Cybersecurity; Power Systems IT

Key functions & activities
Governance: • Policy • Compliance • Training • Asset inventory • Metrics
Technology: • New projects • Technical standards • Evaluation & procurement • External working groups
Operations: • Maintenance • Incident response • Vulnerability & patch management
Sample roadmap
Sample heatmap
Sample project plan
Case Study: Protecting the SCADA

The challenge

The customer had invested heavily in a network segmentation and firewall configuration effort and needed a way to validate that:
• No connections were possible directly from the business network to the SCADA network
• SCADA was not able to communicate with the internet
The solution: FireEye PX
• Ultrafast packet capture: up to 20 Gbps sustained in a single appliance, allowing aggregation and cost savings
• Internal or external storage options (FC or SAS)
• Ultrafast search: patented tiered indexing system (search TBs in seconds)
• Session analysis: full reconstruction of web, email, DNS & FTP traffic
• File extraction; user extensible
• Industry-standard PCAP format for capture data
• Export of index data in NetFlow v9 or IPFIX format
PX deployment options

Three diagrams share the same topology (Enterprise Network – Router – Firewall/DMZ – Switch – ICS) and an NX appliance paired with a PX appliance via Pivot2Pcap; they differ in how traffic is fed to the appliances:
• Out-of-band tap plus a switch SPAN port
• TAP
• Inline tap
Results

15 minutes of network traffic capture data revealed:
• Traffic direct from the business network to the SCADA zone
• External DNS requests
• Potential multi-homed devices
• Limited segmentation between SCADA zones
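The four findings above are exactly the kind of check that passive capture or flow data lends itself to. The following is an added example, not code from FireEye, Mandiant, or the case-study customer: it audits NetFlow-style records (source MAC, source and destination address, protocol, destination port) against an assumed zone map of one business LAN, one plant DMZ and two SCADA zones, and flags each finding class. The addresses, MAC addresses and flows are constructed sample data, and the multi-homing check is a heuristic (one MAC sourcing traffic from two zones), not a complete detector.

```python
"""
Passive segmentation audit over flow records.

Added example, not FireEye/Mandiant tooling: given a zone map and flow
records of the kind a capture appliance exports as NetFlow v9/IPFIX, flag the
four finding classes from the case study. Zone ranges, MACs and flows below
are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone map: one business LAN, one plant DMZ, two SCADA zones.
ZONES = {
    "business": [ip_network("10.1.0.0/16")],
    "dmz": [ip_network("10.2.0.0/24")],
    "scada-a": [ip_network("192.168.10.0/24")],
    "scada-b": [ip_network("192.168.20.0/24")],
}
SCADA_ZONES = {"scada-a", "scada-b"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (source MAC plus 5-tuple minus source port)."""
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int


def zone_of(ip: str) -> str:
    """Map an address to a zone name; any non-private address is 'external'."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown-internal" if addr.is_private else "external"


def audit(flows):
    """Return {finding_kind: [evidence, ...]} for the four case-study checks."""
    findings = defaultdict(list)
    zones_by_mac = defaultdict(set)
    for f in flows:
        src_zone, dst_zone = zone_of(f.src_ip), zone_of(f.dst_ip)
        zones_by_mac[f.src_mac].add(src_zone)
        # 1. Business hosts should only reach SCADA through the plant DMZ.
        if src_zone == "business" and dst_zone in SCADA_ZONES:
            findings["business_to_scada"].append(f)
        # 2. SCADA hosts should never resolve names against internet resolvers.
        if src_zone in SCADA_ZONES and dst_zone == "external" and f.dst_port == 53:
            findings["scada_external_dns"].append(f)
        # 4. Direct SCADA-zone-to-SCADA-zone flows show weak inter-zone segmentation.
        if src_zone in SCADA_ZONES and dst_zone in SCADA_ZONES and src_zone != dst_zone:
            findings["scada_zone_crossing"].append(f)
    # 3. One MAC sourcing traffic from addresses in two zones suggests a host
    #    straddling zones (or a leaky VLAN). Dual-NIC hosts whose interfaces
    #    carry distinct MACs are not caught by this heuristic.
    for mac, zones in zones_by_mac.items():
        if len(zones) > 1:
            findings["multi_homed"].append((mac, sorted(zones)))
    return dict(findings)


# Constructed sample flows, roughly what a short capture window might yield.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", "10.1.4.20", "10.2.0.10", "tcp", 443),         # business -> DMZ (expected)
    Flow("aa:bb:cc:00:00:02", "10.1.4.21", "192.168.10.5", "tcp", 502),      # business -> SCADA direct (Modbus/TCP)
    Flow("aa:bb:cc:00:00:10", "192.168.10.5", "8.8.8.8", "udp", 53),         # SCADA -> public resolver
    Flow("aa:bb:cc:00:00:10", "192.168.10.5", "192.168.20.7", "tcp", 20000), # SCADA-A -> SCADA-B (DNP3)
    Flow("aa:bb:cc:00:00:20", "192.168.20.7", "10.2.0.10", "tcp", 443),      # SCADA-B -> DMZ historian (expected)
    Flow("aa:bb:cc:00:00:30", "10.1.9.9", "10.2.0.10", "tcp", 443),          # laptop seen on the business LAN
    Flow("aa:bb:cc:00:00:30", "192.168.20.9", "10.2.0.10", "tcp", 443),      # same MAC sourcing from SCADA-B
]

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_FLOWS).items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against the constructed flows, the audit reports one business-to-SCADA flow (Modbus/TCP on port 502), one SCADA host querying a public DNS resolver, one flow crossing from SCADA zone A to zone B, and one MAC address seen sourcing traffic from both the business LAN and SCADA zone B. Feeding it real exported flow records means replacing SAMPLE_FLOWS with a parser for the appliance's NetFlow/IPFIX output and the zone map with the site's actual address plan; the checks themselves do not change.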
Incident response workflow

Detect: The FireEye threat prevention platform (NX, EX, FX, or AX) detects the threat and generates an alert with a detailed OS change report.

Validate & Contain: The OS change report is sent to the HX appliance, which generates an indicator and pushes it to the endpoint agent. The operator can contain and isolate the compromised endpoint by blocking all of its traffic in a single-click workflow while continuing the investigation. The analyst can view a detailed exploit timeline from the endpoint to better understand the attack.

Forensics Analysis: The analyst pivots from HX to PX with the IP address and time of infection to reconstruct the kill chain before, during and after the event, and determines the scope and impact of the threat from the captured packets.
Questions?