Source: media.arpel2011.clk.com.uy/ciber/28.pdf
TRANSCRIPT
ARPEL Conference in Buenos Aires: Industrial Cybersecurity
19 October 2016, Francisco Souto
© 2015 by Honeywell International Inc. All rights reserved.
Industrial Attacks Increasing in Frequency & Sophistication, Impacting Uptime, Efficiency and Time to Market
Customer Requirements Are Not One Size Fits All
Global Industry Challenges
• IIoT increases cyber risk
• Inconsistent standards
• More regulation is expected
• Cyber skill set gaps + aging workforce
• IT/OT convergence
• Operational silos
• Critical Infrastructure Reported Incidents
• In FY 2015, ICS-CERT responded to 295 cyber incidents. This represented a 20 percent increase over FY 2014.
• The Critical Manufacturing Sector nearly doubled to a record 97 incidents, becoming the leading sector for ICS-CERT in FY 2015.
- "wide spread spear-phishing campaign that primarily targeted critical manufacturing companies"
- "…a significant number of incidents enabled by insufficiently architected networks…"
(* Fiscal Year October 2014 – September 2015)
Critical Manufacturing Is Now the Leading Sector in Cyber Security Incidents
ICS-CERT Incident Statistics 2015*
Source: ICS-CERT Monitor
ICS-CERT Incident Sources 2015
Some Incredibly Easy Ways In
• Spearphishing has grown substantially
• Bad passwords
• Network probes
ICS-CERT Recent Analysis
Multiple Approaches Offer Best Cyber Security Protection
Source: ICS-CERT
March-April 2016 ICS-CERT Monitor: First Ransomware ICS Hit
Lansing Board of Water & Light (Lansing BWL) hit 25 April 2016
Due to Common Practices, ICS Are Extremely Vulnerable
Attack Vectors: How Did They Get In? (statistics from ICS-CERT 2015)
Typically Spreads Across Network, Device to Device
• We don't know (38%)
• Brought in by employees, contractors, security guards, janitors, etc.
  - Spearphishing (37%)
  - Laptops, phones, USB sticks, FitBit and IoT equivalents
  - Files from business side of plant
    · Adobe PDFs, Excel spreadsheets, Word documents
    · Windows update files, anti-malware files (source isn't what you think)
  - Games (Adobe Flash)
• Access from external network
  - Network scanning/probing
  - Inadequate / improperly configured firewalls
  - Communication with business side of plant
• They are getting better at hiding when they're done
  - "Approximately 69 percent of incidents had no evidence of successful intrusion into the asset owner's environment"
Figure: FitBit injecting malware into a PC
Spearphishing
Simple Methodology Now Dropping More Sophisticated Malware
Source: AstraID
Malware Injection: Once Injected, It Can Spread
The Bad News: Malware Travels
A graph of computers infected from an initial victim (May 11th, 2010 infection). Courtesy of Symantec Corporation
Malware Spread from Ground Zero
Once Malware Infects One System; It Will Spread
Get In & Establish Communication Out
• Access is unintentionally provided
  - Gain foothold on the endpoint
    · Phishing & social media
    · Weak or common passwords
    · "Security" at home
  - Inject malware/infected files
    · Updates not maintained
  - Create a backdoor
• Establish communication
  - Firewalls typically configured for INBOUND traffic rules
  - PCN → Internet
  - PCN → Business → Internet
  - PCN → Carried device → Outside
  - Others…
Air Gap Is a Myth…
Figure (infection graph reused from the previous slide), labels: Way Out; Backdoor
Firewalls Add to Architecture Segmentation
Goal Is Safety & Containment
• Zones and Conduits
  - Protect and contain
  - Grouping of nodes with like security requirements
  - Conduits should always be from adjacent zones
• Security Controls
  - Separation from business network
  - Firewall segmentation
    · Rule management, especially outbound
    · Review configuration
    · Log review
    · Consider next-generation firewall (includes advanced inspection functionality)
Figure: reference architecture by level
  Level 4: Business Network
  Level 3.5: DMZ
  Level 3: Advanced Control
  Level 2: Supervisory Control
  Level 1: Process Control (ModBus firewall, e.g. Tofino, or NG firewall; Q1)
  Zones: managed by PCN
  Per zone: block non-essential communication protocols; filter communications between zones; disable apps not required within zone
  Check BOTH ingress and egress rules
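The zone-and-conduit guidance above (adjacent zones only, block non-essential protocols, check egress as well as ingress) and the earlier points that malware spreads device to device and that firewalls are usually written for inbound traffic only can be turned into a simple policy check. The following is an added example, not code from the presentation or from Honeywell: it audits a constructed rule set against those rules and estimates how many hosts a single infected machine could reach. Zone names, hosts, protocols, the "internet" zone, and the spreading model are assumptions made for the illustration.

```python
# Added example (not part of the presentation): checks a zone/conduit firewall
# policy against the segmentation guidance on the slides and estimates how far
# malware could travel from one infected host. Zone names, hosts, protocols and
# rules below are constructed for illustration.
from collections import deque

# Purdue reference levels from the slide, ordered low to high; 3.5 is the DMZ.
# "internet" is added (assumption) so PCN -> Internet paths can be expressed.
ZONES = ["process_control", "supervisory", "advanced_control", "dmz", "business", "internet"]
PCN = {"process_control", "supervisory", "advanced_control"}  # zones managed by the PCN

# Constructed allowlist: the only protocols permitted on conduits that touch the PCN.
ESSENTIAL_PROTOCOLS = {"modbus", "opc-ua", "https"}


def audit_rules(rules, default_outbound="deny"):
    """Return findings for a firewall rule set.

    A rule is {"src": zone, "dst": zone, "proto": name} and permits connections
    initiated from src towards dst. Checks encode the slide's guidance:
    conduits only between adjacent zones, non-essential protocols blocked
    around the PCN, and egress reviewed rather than only ingress.
    """
    findings = []
    if default_outbound != "deny":
        findings.append("default outbound policy is not deny: egress is unfiltered")
    for rule in rules:
        src, dst, proto = rule["src"], rule["dst"], rule["proto"]
        if src not in ZONES or dst not in ZONES:
            findings.append(f"{src}->{dst}: unknown zone")
            continue
        if abs(ZONES.index(src) - ZONES.index(dst)) != 1:
            findings.append(f"{src}->{dst}: conduit skips a zone")
        if (src in PCN or dst in PCN) and proto not in ESSENTIAL_PROTOCOLS:
            findings.append(f"{src}->{dst}: non-essential protocol {proto} reaches the PCN")
    return findings


def blast_radius(victim, hosts, rules, default_outbound="deny"):
    """Hosts reachable from an infected host by lateral movement.

    Assumed model: malware moves freely inside a zone ("device to device"),
    crosses zone boundaries only along a permitted conduit in the src->dst
    direction, and, when outbound is default-allow, also towards any higher
    level (the "PCN -> Business -> Internet" path on the slide).
    """
    allowed = {(r["src"], r["dst"]) for r in rules}

    def can_cross(zone_from, zone_to):
        if zone_from == zone_to or (zone_from, zone_to) in allowed:
            return True
        return default_outbound == "allow" and ZONES.index(zone_to) > ZONES.index(zone_from)

    reached, queue = {victim}, deque([victim])
    while queue:
        current = queue.popleft()
        for host, zone in hosts.items():
            if host not in reached and can_cross(hosts[current], zone):
                reached.add(host)
                queue.append(host)
    return reached


# Constructed inventory and two rule sets: one following the slide, one not.
HOSTS = {
    "plc-01": "process_control",
    "hmi-01": "supervisory",
    "hist-01": "advanced_control",
    "dmz-relay": "dmz",
    "eng-laptop": "business",
    "mail-gw": "business",
}
TIGHT_RULES = [  # both sides talk only to the DMZ; nothing initiates from business into the PCN
    {"src": "business", "dst": "dmz", "proto": "https"},
    {"src": "advanced_control", "dst": "dmz", "proto": "https"},
    {"src": "advanced_control", "dst": "supervisory", "proto": "opc-ua"},
    {"src": "supervisory", "dst": "process_control", "proto": "modbus"},
]
LOOSE_RULES = [  # business reaches the HMI directly over RDP; egress left at default-allow
    {"src": "business", "dst": "supervisory", "proto": "rdp"},
    {"src": "supervisory", "dst": "process_control", "proto": "modbus"},
]

if __name__ == "__main__":
    for name, rules, egress in (("tight", TIGHT_RULES, "deny"), ("loose", LOOSE_RULES, "allow")):
        print(f"{name}: findings={audit_rules(rules, egress)}")
        reached = blast_radius("eng-laptop", HOSTS, rules, egress)
        print(f"{name}: infected eng-laptop reaches {len(reached)}/{len(HOSTS)} hosts: {sorted(reached)}")
```

With the tight rule set an infected business laptop reaches only the DMZ relay and the other business host, and an infected historian cannot reach the business network at all; with the loose rule set and default-allow egress the same laptop reaches every host in the inventory. The audit reports the skipped zone, the non-essential protocol, and the unfiltered egress that make that difference.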
Customer Cyber Challenges and Impacts
* Source: ARC 2016
Global Industry Challenges
• Process: reactive → need proactive
• Technology: standalone → need integrated
• People: skills shortage with regulatory pressures
Customer Impacts: public image, safety, availability, environment, financial
Driven by standards and regulations
• IEC 62443 (formerly ISA 99 & WIB)
  - Industrial Automation Control Systems (IACS) security
  - Global standard for a wide range of industries
  - Honeywell ICS is an active contributor to the development of the standard through ISA
• NERC CIP: North American power
• ANSSI, BSI, CPNI, MSB, INCIBE, OLF/Norog, etc.: European guidelines, best practices and country-specific measures
• JRC & ENISA recommendations: European Union
• NIST: US technology standards (SP 800-82)
• And others: ISO, API, OLF (e.g. ISO 27000, API 1164, OLF 104)
• Local regulations
Typical Cyber Security Level (IEC 62443)

Level | Threat actor                  | Skills           | Motivation                | Means                    | Resources
SL1   | Careless employee, contractor | No attack skills | Mistakes, non-intentional |                          | Employee, contractor
SL2   | Cyber crime, hacker           | Generic          | Low                       | Simple                   | Low (isolated individuals)
SL3   | Hacktivist, terrorist         | ICS specific     | Moderate                  | Sophisticated (attack)   | Moderate (groups of hackers)
SL4   | Nation-state                  | ICS specific     | High                      | Sophisticated (campaign) | Extended (multi-disciplinary teams)
C2M2 Maturity Indicator Levels (figure)
Industrial Cyber Security Solutions
• Cyber security assessments • Threat risk assessments • Network & wireless assessments • Audits and design reviews
• Firewall, next-gen FW • Intrusion prevention (IPS) • Network access control
• Industrial anti-virus & patching • End node hardening • Industrial application whitelisting • Portable media/device/USB security
• Risk Manager (in SOC) • Continuous monitoring • Compliance & reporting • Industrial Security Information & Event Management (SIEM) • Security awareness training
• Secure design and optimization • Zone & conduit separation
• Backup and recovery • Incident response • Disaster recovery
Industrial Cyber Security Risk Manager
Real-time, continuous visibility, understanding and decision support
Proactively identifies cyber security vulnerabilities and threats, and quantifies and prioritizes risks
Easy-to-use interface: no need to be a cyber security expert
Real-time assessment and continuous monitoring for improved situational awareness
Multi-automation-vendor support
Low-impact technology won't disrupt operations
Proactively Monitor, Measure, and Manage Cyber Security Risk
Managed Industrial Cyber Security Services
Monitoring, Reporting and Expert Support
• Patch and Anti-Virus Automation
  - Tested and qualified patches for operating systems & DCS software
  - Tested and qualified anti-malware signature file updates
• Security and Performance Monitoring
  - Comprehensive system health & cybersecurity monitoring
  - 24x7 alerting against predefined thresholds
• Activity and Trend Reporting
  - Monthly or quarterly compliance & performance reports
  - Identifying critical issues and chronic problem areas
• Advanced Monitoring and Co-Management
  - Honeywell Industrial Cyber Security Risk Manager
  - Firewalls, intrusion prevention systems, etc.
• Secure Access
  - Highly secure remote access solution
  - Encrypted, two-factor authentication
  - Complete auditing: reporting & video playback
Recent Cyber Security Incidents
• German BSI reported in 2015:
  - Hackers manipulated and disrupted control systems at a steel mill in Germany
  - Blast furnace could not be properly shut down, resulting in massive damage!
• Blackout in Western Ukraine on 23 Dec 2015: first cyber-attack to cause a power outage
  - BlackEnergy backdoor + KillDisk component = deletes files/events, terminates processes
  - "Blinded" the dispatchers and wiped SCADA system hosts (servers and workstations)
  - Flooded the call centers to deny customers calling to report the power outage
  - Mitigation via staff who manned substations to manually re-close breakers and energize the system
• SYNful Knock
  - Cisco router (1841, 2811, 3825) implants (firmware modification)
  - Creates a backdoor into the system
• Hammertoss
  - Spear phishing attack (email, Twitter, GitHub)
  - Espionage
• Pawn Storm
  - Adobe zero-day and Java zero-day exploits used
  - Espionage
Additional Resources
ICS-CERT: Seven Steps to Effectively Defend ICS
https://ics-cert.uscert.gov/sites/default/files/documents/Seven%20Steps%20to%20Effectively%20Defend%20Industrial%20Control%20Systems_S508C.pdf
ICS-CERT: Overview of Cyber Vulnerabilities
https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities
NIST: Guide to Industrial Control Systems (ICS) Security, Revision 2
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Homeland Security Today: Iranian Cyber Attack…Clear and Present Danger
http://www.hstoday.us/briefings/daily-news-analysis/single-article/iranian-cyberattack-reveals-clear-and-present-danger-to-us-critical-infrastructure/1f1aeae7c1a03dfc86ebb7c985bc8289.html
Homeland Security Today: Four Dangerous Myths…
http://www.hstoday.us/single-article/special-four-dangerous-myths-about-infrastructure-cybersecurity/d188461055c71fd8f39bf09ed28ad324.html
Link for obsolete switches/routers:
http://hpsvault.honeywell.com/sites/HPSVaultSupportLibrary/software-downloads/FTE-Qualified-IOS-Firmware-for-Cisco-Switches.pdf
Key References
• DHS: Department of Homeland Security
  - DHS-CS&C: DHS Cyber Security & Communications
    · ICS-CERT: Industrial Control Systems Cyber Emergency Response Team
• ISA/IEC-62443: Instrumentation, Systems, and Automation / International Electrotechnical Commission
  - Network and system security for industrial-process measurement and control (strong history of Honeywell activity)
  - Honeywell was the first company to achieve ISASecure Device Certification (Honeywell Safety Manager)
    · Currently four Honeywell devices with ISASecure Certification
    · R410 received ISASecure Certification in September 2015

Thank you! Questions?