![Page 1: Mitigating Security Risks in Industrial Control Systems and Smart …vox.veritas.com/legacyfs/online/veritasdata/ST B08.pdf · 2016. 7. 4. · Exfiltration function passes data to](https://reader035.vdocument.in/reader035/viewer/2022071217/60491b71aecc70605f05b3b2/html5/thumbnails/1.jpg)
Slide 1: Mitigating Security Risks in Industrial Control Systems and Smart Meter Deployments – A View from Symantec
Industrial Security and Smart Grid: A View from Symantec
Speakers: Michelle Lewis, Device Authentication Specialist, EMEA Region; Tom Thomassen, Senior Development Manager, Office of the CTO
SYMANTEC VISION 2012
Slide 2: Agenda
• Industrial Security and Smart Grid – Setting the Stage
• Industrial Security and Smart Grid – Challenges
• Targeted Threats and Advanced Persistent Threats (APT)
• Prevention
• Detection
• Conclusions
Slide 3 (section divider): Industrial Security and Smart Grid – Setting the Stage
Slide 4: Industrial Grid – IT and Operations Architecture
Diagram layers: Grid Technology / Operations / Service Providers, laid across the electrical grid from GENERATION through TRANSMISSION and DISTRIBUTION to CUSTOMER.
Content – Data at Rest
• Customer billing • Personal data / privacy • Data retention • Compliance • MDM (meter) data hub
Infrastructure
• Servers • Storage • Gateways • Grid IT asset management
Network/Cloud – Data in Motion
• Private & public cloud / networks • Networks are IP based
Embedded Devices – Data in Use
• Substations: Windows XP Embedded (XPe), Linux, Intel
• Meters: ARM, Flash
Operations domain elements shown in the diagram: AMI data; private wireless network; customer; demand response; public / Internet; SCADA; private & public networks
Slide 5: Symantec Industrial Security Solutions – ‘Four Pillars’ (Operations Domain)
Operations Security
• Utilize ‘defense-in-depth’ techniques
• Leverage years of network security experience in the IP world
Embed Security Close to ‘Field’
• Encrypt information
• Authenticate devices
• Manage keys
• Managed / hosted PKI & device-level certificates
Manage Endpoints
• Windows-based control systems: harden and control the applications running on these systems
• Manage Windows substation automation systems
• Securely update device firmware, e.g. AMI collectors
• Securely invoke SSL services through trusted mechanisms resident on the device
Manage Data Explosion
• Make state-of-the-art IT security solutions ubiquitous in the operations control centers
• Utilize a common data model: information shared among solutions to meet regulatory compliance needs
• Information Governance: compliance • access control • regulatory & auditing • customer privacy • reporting
• Information Infrastructure: storage management • data protection • archiving • legal discovery
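The ‘Authenticate devices’, ‘Manage keys’ and ‘Managed / hosted PKI & device-level certificates’ bullets above, and the Device Authentication section later in the deck (slides 46–48), describe certificate-based device identity without showing the mechanics. The Go program below is an added example, not code from Symantec or from this deck: it plays the role of a utility-operated device CA, issues a client-authentication certificate to a field device, and shows the head-end check that accepts a certificate chaining to the trusted CA and rejects one presenting the same device ID but issued by a CA the head-end does not trust. The CA names, the device ID `collector-0042` and the validity periods are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example (not Symantec code): a utility-operated device CA issues a
// certificate to an AMI collector and the head-end verifies it before trusting
// the device. CA names and the device ID are constructed placeholders.

// newCA creates a self-signed CA certificate with a fresh P-256 key.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert signs an end-entity certificate for one device. The device
// generates its own key pair; only the public key goes into the certificate,
// so the private key never has to leave the device.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyDevice is the head-end check: the presented certificate must chain to
// the trusted device CA and be valid for client authentication.
func verifyDevice(cert, trusted *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// demo reports whether a legitimately issued device certificate is accepted
// and whether a certificate for the same device ID from an unknown CA is rejected.
func demo() (legitOK, rogueRejected bool, err error) {
	ca, caKey, err := newCA("Example Utility Device CA")
	if err != nil {
		return
	}
	devCert, err := issueDeviceCert(ca, caKey, "collector-0042", 1001)
	if err != nil {
		return
	}
	otherCA, otherKey, err := newCA("Unknown CA")
	if err != nil {
		return
	}
	otherCert, err := issueDeviceCert(otherCA, otherKey, "collector-0042", 1)
	if err != nil {
		return
	}
	legitOK = verifyDevice(devCert, ca) == nil
	rogueRejected = verifyDevice(otherCert, ca) != nil
	return
}

func main() {
	ok, rejected, err := demo()
	fmt.Println("legitimate device accepted:", ok, "| unknown-CA device rejected:", rejected, "| error:", err)
}
```

The trust decision rests on the root pool the head-end is configured with, not on anything the device asserts about itself, which is why a certificate with the right common name but the wrong issuer fails; in a deployment the verifying side would additionally check revocation and bind the certificate to the TLS session (mutual TLS), which this example leaves out.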
Slide 6 (section divider): Industrial Security and Smart Grid – Challenges
Slide 7: Industrial Security and Critical Infrastructure Threats (image slide)
Slide 8: Industry Challenges – Rapid Change and Increased Complexity
Change drivers: Operational Grid; Networking; Distributed Data; Cyber Security – utilities playing catch-up; a national security issue, physical access not required
• Operations Complexity: convergence of enterprise IT, TCP/IP with field operations and SCADA; smart meters require new thinking
• Reliability: expectations higher for uptime and recovery
• Data Explosion: 10M meters = 28 petabytes of data to manage
• Privacy: protect PII – now on the Internet
• Visibility and Transparency: threats more targeted and persistent; monitoring, risk identification and mitigation need to keep pace
• Regulation and Compliance: existing regulations; increased focus on consumer protection
• Insider Risk: data and IP leakage
Slide 9: Increased Networking – Growth in Connectivity (1959 – Today)
[Chart: x-axis “Number of Connections (# of devices, people, services)” from thousands through millions to billions; y-axis “Value of Connectivity (% of World GDP)” from 0.5% to 3.0%. Eras marked along the curve: Mainframe Era (1959 – 1981), Client-Server Era (1981 – 1996), Internet Era (1996 – 2007), Interaction Era (2007 – ), Internet of Things (2010 – ).]
Slide 10: More Threats – Changes in Threat Landscape (1959 – Today)
[Chart on the same axes as slide 9 (number of connections vs. value of connectivity as % of world GDP). Eras marked: Data Corruption (1959 – 1981), Era of Discovery (1981 – 1996), Era of Fame & Glory (1996 – 2007), Era of Mass Cybercrime (2007 – ), Era of Targeted Threats Against Critical Infrastructure (2010 – ).]
Slide 11: Changing Threat Landscape
Newest motivation: political – espionage and sabotage
• The goal is to do damage, destroy, influence, reach political goals, or support a conventional attack.
• Highly sophisticated
• Infinite financial resources
• Well-planned and executed with unprecedented levels of control.
Slide 12: Number of Targeted Attacks Increasing
[Bar chart: average number of attacks per day (y-axis 0–500) by month. Source: Symantec.cloud email scanning service. Figures for June, July, August may be subject to revision.]
Slide 13: Vulnerability Analysis of Energy Delivery Control Systems
[Pie chart of vulnerability categories. Percentage labels shown: 25%, 17%, 16%, 8%, 7%, 6%, 5%, 5%, 4%, 4%, 3%. Labelled categories: ICCP Services and Protocol Stack; Supervisory Control Protocol Services; SCADA Hosts; Historian Database; Supervisory Control Protocol; Control Protocol Services; Network Devices. Which percentage belongs to which category is not recoverable from the extraction.]
Source: Vulnerability Analysis of Energy Delivery Control Systems, 2011, Idaho National Laboratory, Idaho Falls, Idaho 83415, http://www.inl.gov
NSTB = National Supervisory Control and Data Acquisition (SCADA) Test Bed
Slide 14: BSI (Germany) – Ranking of Industrial Vulnerabilities (The Myth of the Network Air Gap)
BSI ranking – BSI vulnerability description
1 – Unauthorized use of remote access
2 – Online attacks over the office and enterprise network
3 – Attacks against standard ICS components (application server, DB)
4 – (D)DoS attacks
5 – User error and sabotage
6 – Attacks over removable devices (USB)
7 – Reading and writing of messages over the ICS network
8 – Unauthorized access to resources
9 – Attacks against the network and network components (man-in-the-middle attack)
10 – Technical issues
Slide 15: Industrial Attacks in Detail (image slide)
Slide 16 (section divider): Targeted Threats and Advanced Persistent Threats (APT)
Slide 17: Recent Attacks on Production Systems (ICS)
[Timeline 2007–2012]
• Estonia DDoS – APR 2007
• W32.Stuxnet – JUL 2010
• W32.Duqu [dyü-kyü] – SEP 2011
• W32.Flamer – MAY 2012
• W32.Gauss – AUG 2012
• W32.Disttrack – SEP 2012
Slide 18: Advanced Persistent Threats (APT) – the Beginning… (image slide)
Slide 19: Case Study – Stuxnet
Brought cyber-sabotage to the world’s attention.
Key features
• Targets very specific industrial processes associated with the control of high-speed centrifuges
• Configuration of the targeted systems was known to the attackers
• Modifications made to PLC code to change the behavior of infected systems
[Diagram: machine code injection from the control PC running Step 7 software into the PLC]
Slide 20: Advanced Persistent Threats (APT) – Shamoon (image slide)
Slide 21 (section divider): Recent Energy Industry Attacks
Slide 22: What Happened? (image slide)
Slide 23: Two Oil Companies Attacked – 15th August and 31st August
Sources: www.bbc.com/news/technology-19293797; www.bbc.com/news/technology-19434920
Slide 24: Key Points
• Shamoon malware used in both attacks (also known as W32.Disttrack)
• Targeted attack using bespoke malware
• Malware written to run on both 64-bit and 32-bit systems
Malware modules
• Spreader function disseminates the malware over the network
• Exfiltration function passes data to the attackers
• Wiper function erases the disks of infected machines
Slide 25: Infection Schema
[Diagram]
• Attacker → company network via an unknown vector → initial point of infection
• Attacker ↔ infected host: command & control over the Internet – the malware transmits information and receives instructions; the attacker collects information and issues commands
• Inside the company network the malware spreads via network shares, spreads to the domain controller and spreads directly to further hosts
• At a predetermined time it wipes the disks of the infected machines
Slide 26: Case Study – W32.Disttrack (Shamoon Attacks)
Destructive attacks against energy companies; two Middle Eastern organizations targeted in quick succession.
Multi-stage attack
• Gather information about the target network
• Acquire user credentials
• Gain access to domain controllers
• Spread to computers across the network
• Trigger destructive payload
Slide 27 (section divider): Advanced Persistent Threats – Prevention and Detection
Slide 28: The Targeted Attack – New Attackers… New Targets…
• New Attacker
– State-sponsored or state-condoned attacker
– Long-term, strategic goals rather than short-term gain
• New Strategies
– The attacker uses social engineering to infiltrate the network
– Attacks targeted at properly-placed individuals with access to key systems
– Multiple attacks launched simultaneously, over prolonged periods
• New Targets
– Ultimate targets are key intellectual property and critical infrastructure
– Intellectual property: emails, PKI credentials, strategic plans, schematics, process documents
– Critical infrastructure: industrial control systems – hydro, power, manufacturing
Slide 29: APT Lifecycle (source: M-Trends, Symantec)
APT steps and activities
• Step 1 – Reconnaissance: identify multiple victims in the target organization, research using public information sources
• Step 2 – Initial intrusion into the network: spear phishing
• Step 3 – Establish a backdoor into the network
• Step 4 – Obtain user credentials
• Step 5 – Install various utilities
• Step 6 – Privilege escalation / lateral movement / data exfiltration
• Step 7 – Maintain persistence: attackers respond to partial cleanup
Further activities listed against steps 3–6 (their alignment to individual steps did not survive extraction): log in as domain administrator; staging servers; camouflaged network traffic; infect 10–150 hosts; obtain domain admin credentials; spread backdoors, dump passwords, etc. with valid credentials; target domain controllers to obtain password hashes en masse
Slide 30 (section divider): Symantec Four Pillars
Slides 31–32 repeat slides 4 (Industrial Grid – IT and Operations Architecture) and 5 (Symantec Industrial Security Solutions – ‘Four Pillars’) verbatim; on slide 32 the second pillar is labelled ‘Embed Security with Data’.
Slide 33: At the Center of Everything ... (image slide; source: Koramis AG)
Slide 34: Immediate Risk Reduction Initiatives
Initiative areas: IT Security Policies & Procedures; Infrastructure Security; Security Operations & Management; Critical Information Protection; Device Protection
Measures shown under these areas (their assignment to the areas did not survive extraction):
• Critical System Protection (CSP); Network Protection; Mobile Security; Endpoint Security; Patch Management
• Security Monitoring; Incident Response & Management; Security Operations; Threat & Vulnerability Management; Early Warning Alerts
• Data Backup; Data Encryption; Data Protection
• Emergency Response; Risk Management; Crisis Management; Forensics; Governance & Compliance
• Identity & Access Management; 2-Factor Authentication; Device Authentication
Slide 35 (section divider): Prevention and Detection – SCSP, Symantec Critical System Protection
Slide 36: SCSP – Real-Time Exploit Prevention (IPS)
How it works: Symantec Critical System Protection creates a “shell” around each program and daemon/service that defines its acceptable behavior.
Host programs: core OS daemons (crond, RPC, LPD printer, …); application daemons (web, …); interactive programs (email client, Office, browser, …)
Normal resource access defined per program: files – read/write data files, read-only configuration information; registry; network and devices – usage of selected ports and devices
Slide 37: Symantec Critical System Protection – Real-Time Visibility, Maximum Control
Auditing & Alerting
• Monitor logs & security events
• Consolidate & forward logs for archives and reporting
• Smart event response for quick action
Network Protection
• Limit network connectivity by application
• Restrict traffic flow inbound and outbound
• Close back doors (blocks ports)
System Controls
• Locks down configuration & settings
• Enforces security policy
• De-escalates user privileges
• Prevents removable media use
Exploit Prevention
• Restrict application & O/S behaviors
• Protect systems from buffer overflow
• Intrusion prevention for day-zero attacks
• Application control
Capability labels: Intrusion Detection System (IDS); Intrusion Prevention System (IPS); System Hardening and Application Control
Slide 38: SCSP = Least Privilege Application Control (LPAC) … also known as sandboxing … processes
Industry examples: Windows UAC; Google Chrome; Adobe Reader X; Android OS; Apple; SELinux & others
• Based on fundamental security principles
• Highly effective against malware (known & unknown)
• Containment model limits the potential for exploitation
• Proactive, policy-based security complements AV solutions
• Applicable to all environments and applications
• Dramatically improves security posture & reduces IA costs
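Slides 36–38 describe the least-privilege application control model in words: a per-program “shell” of acceptable behavior, default denial of everything outside it, and reporting of violations rather than reliance on malware signatures. The Go program below is an added example of that model, not SCSP’s policy language or code from Symantec: a policy maps each program to the resources and access modes it may use, a reference monitor decides each observed access, and anything outside the shell, or from a program with no shell at all, is denied. Program names (`httpd`, `mailclient`), paths, ports and the events are constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example (not SCSP's policy format): a per-program behaviour "shell"
// lists the resources a program may touch and the access mode allowed.
// Anything not listed is denied and reported, which is the containment model
// slides 36-38 describe. All names, paths and ports are constructed.

type Mode int

const (
	Read    Mode = 1 << iota // read a file, key or setting
	Write                    // modify a file, key or setting
	Connect                  // use a network port ("tcp:<port>")
)

// Rule: a resource prefix (file path, registry key or "tcp:<port>") and the
// modes permitted on anything under that prefix.
type Rule struct {
	Prefix string
	Allow  Mode
}

// Shell: the acceptable behaviour of one daemon or interactive program.
type Shell struct {
	Program string
	Rules   []Rule
}

// Event: one observed access attempt, as a host agent would report it.
type Event struct {
	Program  string
	Resource string
	Mode     Mode
}

// Decision returned by the monitor for one event.
type Decision struct {
	Allowed bool
	Reason  string
}

// Policy maps a program name to its shell. A program without a shell is
// denied everything (default-deny), which is what separates this from
// signature-based AV: an unknown binary needs no signature to be stopped.
type Policy map[string]Shell

// Check is the reference-monitor decision: first matching prefix wins, and the
// requested modes must all be permitted by that rule.
func (p Policy) Check(e Event) Decision {
	sh, ok := p[e.Program]
	if !ok {
		return Decision{false, "no shell defined for program"}
	}
	for _, r := range sh.Rules {
		if strings.HasPrefix(e.Resource, r.Prefix) {
			if e.Mode&r.Allow == e.Mode {
				return Decision{true, "matched rule " + r.Prefix}
			}
			return Decision{false, "mode not permitted on " + r.Prefix}
		}
	}
	return Decision{false, "resource outside program shell"}
}

// ExamplePolicy mirrors slide 36: a web daemon may read its configuration,
// read/write its data files and use port 443; an email client may read/write
// its mailbox and use port 993, and nothing else.
func ExamplePolicy() Policy {
	return Policy{
		"httpd": {Program: "httpd", Rules: []Rule{
			{"/etc/httpd/", Read},
			{"/var/www/data/", Read | Write},
			{"tcp:443", Connect},
		}},
		"mailclient": {Program: "mailclient", Rules: []Rule{
			{"/home/op/mail/", Read | Write},
			{"tcp:993", Connect},
		}},
	}
}

func main() {
	p := ExamplePolicy()
	events := []Event{
		{"httpd", "/var/www/data/readings.csv", Write},        // inside shell: allowed
		{"httpd", "/etc/httpd/httpd.conf", Write},             // configuration is read-only
		{"mailclient", "/var/www/data/readings.csv", Read},    // another program's data
		{"mailclient", "tcp:4444", Connect},                   // unlisted port
		{"unknown.exe", "/Windows/System32/drivers/x.sys", Write}, // no shell: default-deny
	}
	for _, e := range events {
		d := p.Check(e)
		fmt.Printf("%-11s mode=%d %-42s allowed=%-5v %s\n", e.Program, e.Mode, e.Resource, d.Allowed, d.Reason)
	}
}
```

Every denial carries a reason string, which is the audit-and-alert side of slide 37: the same decision that blocks the access is the event a SIEM later correlates.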
Slide 39: SCSP – advantages over antivirus and system lockdown
• Low system impact (RAM, CPU and hard disk) – a CSP agent uses 14 MB on Windows and 9 MB on Linux
• Low operational cost
• 24h protection; no recalculation is necessary, as it is with a system lockdown approach
• No prerequisite checks are required (a system lockdown approach needs an initial check, as AV does)
• Resistant against persistent methods and CA attacks
• Supports patch mitigation
• Supports (case by case) operation without an antivirus solution on the device
• In most cases customers take the standard Strict Policy with additional tasks
Slide 40: Correlate SCSP Events with SSIM
• Rules
– Pre-defined out-of-the-box rules
– CSP events map to EMR
– Custom rules based on CSP data
– Cross-correlate rules of different types
Slide 41 (section divider): Prevention and Detection – SSIM, Symantec Security Information Manager
Slide 42: Symantec Security Information Manager
Risk-based prioritization combines identified threats, known vulnerabilities and business-critical IT assets → threat determined
Event sources: firewalls / VPN; intrusion detection systems; vulnerability assessment; network equipment; server and desktop OS; anti-virus; applications; databases; user activity monitoring; critical file modifications; policy changes; malicious IP traffic; web traffic
Event funnel: tens of millions of raw events → millions of security-relevant events → hundreds of correlated events
Slide 43: Symantec Security Information Manager – All-Inclusive Solution
Components: Universal Collector and collectors for firewall, intrusion prevention, Windows events, syslog and other sources; Correlation Manager; Manager Console; pre-built queries; LiveUpdate service; log archiving; infrastructure components; reports and dashboards (150+ pre-defined reports); “optional” intelligence feed (GIN)
• Only 1 optional component
• No excessive “add-on” costs
• Single deployment supports evolving needs
![Page 44: Mitigating Security Risks in Industrial Control Systems and Smart …vox.veritas.com/legacyfs/online/veritasdata/ST B08.pdf · 2016. 7. 4. · Exfiltration function passes data to](https://reader035.vdocument.in/reader035/viewer/2022071217/60491b71aecc70605f05b3b2/html5/thumbnails/44.jpg)
SYMANTEC VISION 2012
APT Detection: Data Sources Used by SSIM
• Account and identity data to detect account compromise
  – Log repeated login attempts
  – Identity and access logging
• Integrate key logs (firewall, VPN, DNS, DHCP, etc.)
• Messaging Gateway detects a suspect payload (e.g. an executable attachment) and alerts the SIEM
Indicators across the attack phases (Infiltration, Backdoor, Lateral Movement, Data Discovery, Exfiltration):
• Change control information logged and compared to CMDB asset information
• IPS observes a phone-home attempt and logs it
• HIPS notes changes to the registry
• File reputation flags an unknown program
• IPS detects remote service initiation
• Privilege escalation flagged by HIPS to the SIEM
• Several login attempts logged for database and email systems
• Attacked systems compared against the vulnerability database
• IPS flags an admin login to a privileged account
• DLP detects access to a password file
• Database and application monitoring detects access to critical information systems
• Data Insight and DLP log sensitive documents being encrypted and accessed by privileged users
• IP addresses of outbound connections found on an external blacklist
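The indicators above are what a SIEM correlation rule consumes. As an added example, not code from the deck or from SSIM, the following Go program is a minimal correlation engine run over constructed log lines: it normalises collector records, classifies single events into the slide's phases (gateway executable payload, IPS phone-home, HIPS privilege escalation, DLP password-file access, outbound connection to a blacklisted address), folds repeated failed logins per account inside a sliding window into a lateral-movement signal, and raises an alert for any host that shows three or more distinct phases. The log format, collector names, blacklisted address, sample hosts and the threshold values are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

const Infiltration, Backdoor, Lateral, DataDiscovery, Exfiltration = "Infiltration", "Backdoor", "Lateral Movement", "Data Discovery", "Exfiltration" // the slide's phases
type Event struct { // one normalised record: collectors accept many formats, the engine only sees this shape
	Time time.Time
	F    map[string]string // key=value fields; "src" is the collector, "host" the endpoint
}

// ParseLine reads the constructed "RFC3339 src k=v k=v ..." format used in SampleLines.
func ParseLine(line string) (Event, error) {
	p := strings.Fields(line)
	if len(p) < 3 {
		return Event{}, fmt.Errorf("short line %q", line)
	}
	ts, err := time.Parse(time.RFC3339, p[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, F: map[string]string{"src": p[1]}}
	for _, kv := range p[2:] {
		k, v, _ := strings.Cut(kv, "=")
		ev.F[k] = v
	}
	return ev, nil
}
var Blacklist = map[string]bool{"203.0.113.77": true} // stands in for the external reputation feed (constructed)

// classify maps one event to a phase, or "" when it means nothing on its own.
func classify(f map[string]string) string {
	switch {
	case f["src"] == "gateway" && f["event"] == "attachment" && strings.HasSuffix(f["file"], ".exe"): return Infiltration
	case f["src"] == "ips" && f["event"] == "phone_home": return Backdoor
	case f["src"] == "hips" && f["event"] == "priv_escalation": return Lateral
	case f["src"] == "dlp" && f["event"] == "password_file_access": return DataDiscovery
	case f["src"] == "firewall" && f["dir"] == "out" && Blacklist[f["dst"]]: return Exfiltration
	}
	return ""
}

// Correlate replays lines in time order and returns, for each host that reached minPhases, its distinct
// phases in first-seen order. One failed login is noise; failThreshold of them for the same account on the
// same host inside loginWindow become a Lateral Movement signal ("several login attempts logged").
func Correlate(lines []string, loginWindow time.Duration, failThreshold, minPhases int) (map[string][]string, error) {
	var events []Event
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	phases := map[string][]string{}    // host -> phases in first-seen order
	seen := map[string]bool{}          // host|phase already recorded
	failed := map[string][]time.Time{} // host/user -> failed logins still inside loginWindow
	for _, ev := range events {
		host, phase := ev.F["host"], classify(ev.F)
		if ev.F["event"] == "login_failed" {
			key := host + "/" + ev.F["user"]
			failed[key] = append(failed[key], ev.Time)
			for ev.Time.Sub(failed[key][0]) > loginWindow { // evict attempts older than the window
				failed[key] = failed[key][1:]
			}
			if len(failed[key]) >= failThreshold {
				phase = Lateral
			}
		}
		if phase != "" && !seen[host+"|"+phase] {
			seen[host+"|"+phase] = true
			phases[host] = append(phases[host], phase)
		}
	}
	for host, p := range phases {
		if len(p) < minPhases {
			delete(phases, host) // below the alert threshold: a stray event, not a chain
		}
	}
	return phases, nil
}
// SampleLines are constructed: ws17 walks the whole chain, srv02 has one stray failed login.
var SampleLines = []string{
	"2012-05-01T08:02:10Z gateway host=ws17 user=jsmith event=attachment file=invoice.exe",
	"2012-05-01T08:05:33Z ips host=ws17 event=phone_home dst=198.51.100.9",
	"2012-05-01T09:10:01Z winevent host=ws17 user=svc_db event=login_failed",
	"2012-05-01T09:10:07Z winevent host=ws17 user=svc_db event=login_failed",
	"2012-05-01T09:10:12Z winevent host=ws17 user=svc_db event=login_failed",
	"2012-05-01T09:30:12Z dlp host=ws17 user=jsmith event=password_file_access file=passwords.xlsx",
	"2012-05-01T11:02:00Z firewall host=ws17 dir=out dst=203.0.113.77 bytes=48311200",
	"2012-05-01T08:30:00Z winevent host=srv02 user=admin event=login_failed",
}

func main() { fmt.Println(Correlate(SampleLines, 10*time.Minute, 3, 3)) }
```

Run it and ws17 reports the full chain Infiltration, Backdoor, Lateral Movement, Data Discovery, Exfiltration, while srv02's single failed login is discarded as noise. The HIPS privilege-escalation case is wired up but not exercised by the sample; further indicators from the slide (IPS remote service start, registry changes) slot into the same switch. A production rule would also bound the whole chain in time and weight phases rather than count them, but the shape (normalise, classify, window, group by host, threshold) is the same.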
Page 45
Security Risk translated for the Business
Page 46
Prevention and Detection: Device Authentication
Page 47
Connected Devices need to be secured
Page 48
Smart Grid Domains
Diagram, flattened: the smart grid is split into three domains.
• Device Domain: gas and electric meters, in-home display (IHD), hub / gateways, Home Area Network (HAN), controllable local systems, Metropolitan Area Network (MAN)
• Network Domain: mobile / fixed-line network (WAN); GSM / GPRS / UMTS (base station, SGSN, GGSN); 4G / LTE Evolved Packet Core (EPC: S-GW, P-GW, MME, HSS)
• Application Domain (multi-tenant cloud): M2M application platforms; cloud characteristics: service-based, scalable and elastic, shared, self-service, Internet technologies, pay-as-you-go billing
Page 49
Smart Grid Domains - challenges
(Same three-domain diagram as the previous slide, annotated with the challenges below.)
• Various network bearers
• Various communication protocols
• Internet / all-IP networks
• Denial of Service attacks
• Less sophisticated devices need good network protection
• Detection of network-based attacks against the AMI / Grid
Page 50
PKI – A Renaissance
Page 51
History of PKI
• Public-key cryptography was first conceived by GCHQ scientists in 1969-70 (and kept classified until 1997)
• Published in the open literature in 1976 (Diffie-Hellman); commercial products followed later
PKIs have typically been used for
• Web servers (SSL/TLS)
• Email, document and/or user encryption and authentication
• Bootstrapping secure communications protocols
• Mobile environments, e.g. code signing
Page 52
Smart Grid Eco System
Source: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 1.0
(Diagram: the NIST smart grid actor map, with "Device Manufacturer", "Appliance Manufacturer" and "Smart PKI" labels overlaid.)
• Large companies are typically active in multiple domains
• Markets are regulated in several countries
Page 53
Smart PKI
• Smart grid devices need to be authenticated in order to protect smart grids against attacks. As a consequence such devices need cryptographic keys for authentication and encryption.
• PKI is best practice for large-scale key management and has been proposed for smart grids [1].
• As most households will be connected to the smart grid in the future, a scalable and robust PKI supporting millions of devices is required.
• Smart Grid projects are complex.
[1] IEEE Transactions on Smart Grid: Security Technology for Smart Grid Networks
Page 54
PKI Benefits to Industrial Security and Smart Grid
• By implementing PKI in the meters themselves:
  – the smart grid can be secured at the communication layer
  – the back-end can verify that a meter is genuine and correctly provisioned, and detect tampering
  – meters are validated before being admitted to the network
• PKIs suit large-scale security deployments that require a high level of security with minimal impact on performance; on constrained meters, ECDSA keeps signature cost and certificate size well below RSA.
• In a PKI environment it is essential that private keys and certificates are guarded with a reliable key management solution that protects against ever-evolving threats: a leaked CA key, or a device key that cannot be revoked, undermines every device in that domain.
Page 55
Smart Meter Security Design Considerations
Page 56
PKI Related Smart Grid Security Measures
(Diagram: gas and electric meters, the IHD and controllable local systems sit on the Home Area Network (HAN) behind the Hub; the Hub connects over the Metropolitan Area Network (MAN) and WAN + FAN to a Concentrator or the Back-end. WAN: Wide Area Network; FAN: Field Area Network.)
• Only trusted devices
• Only authenticated access through WAN, FAN, MAN and HAN to the Hub
• The Hub must authenticate itself to the Back-end and to MAN and HAN devices
• It must be possible to move the Hub into a different utility's security domain
• Authenticated firmware updates for Hubs and Smart Meters
• Integrity of measurement data from meters must be protected
• Encrypted data transmission
Page 57
PKI Related Smart Grid Security Measures
The measures from the previous slide map onto PKI mechanisms:
• Only trusted devices: manufacturer device certificate attesting device certification
• Authenticated access through WAN, FAN, MAN and HAN to the Hub, and the Hub authenticating itself to the Back-end and to MAN and HAN devices: operator device certificates for authenticating Hubs and other devices
• Moving the Hub into a different utility's security domain: a new operator device certificate issued by that utility
• Authenticated firmware updates for Hubs and Smart Meters: firmware code signing
• Integrity of measurement data from meters: signing of metering data
• Encrypted data transmission: encryption certificates
Page 58
Certificate Purposes
Manufacturer Security Domain
• Device type attestation: attestation of device id, device type and device certification
• Firmware signing
Operator Security Domain
• Strong device authentication and authorization
• Persistent signing of meter data
• Encryption of metering data
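The two security domains and the certificate purposes above, worked end to end. This Go program is an added example and is not code from the deck or from Symantec's service; it uses only the standard library. A manufacturer CA attests device id and type and signs firmware; an operator CA enrols the meter only after that attestation verifies; the device key signs meter readings and the back-end verifies them with the public key carried in the operator certificate; a manufacturer certificate presented against the operator's trust anchor is rejected, as is firmware signed by anything but the manufacturer key. ECDSA over SHA-256 is the profile the deck itself names for smart meters; the CA names, device id, device type, validity periods and the constructed firmware and reading payloads are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// must panics on set-up errors (key generation, DER encoding); the security checks themselves never panic.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// Domain is one security domain from the slides (manufacturer or operator): its own CA key and trust anchor.
type Domain struct {
	CA  *x509.Certificate
	Key *ecdsa.PrivateKey
}

// issue signs tmpl with signer's key; parent == tmpl gives a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func NewDomain(name string) *Domain {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return &Domain{CA: issue(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// IssueDeviceCert binds a device key to its identity (device id in CN, device type in OU).
// The leaf is client-auth only and is never a CA.
func (d *Domain) IssueDeviceCert(id, devType string, pub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: id, OrganizationalUnit: []string{devType}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false
	}
	return issue(tmpl, d.CA, pub, d.Key)
}

// VerifyDevice accepts a certificate only if it chains to THIS domain's root and names the expected device.
func (d *Domain) VerifyDevice(cert *x509.Certificate, wantID string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(d.CA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && cert.Subject.CommonName == wantID
}

// Sign and Verify: ECDSA over SHA-256, used for firmware images and meter readings alike.
func Sign(key *ecdsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	return must(ecdsa.SignASN1(rand.Reader, key, h[:]))
}
func Verify(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// RunScenario walks the lifecycle (manufacturer attestation, operator enrolment gated on it,
// signed firmware, signed readings) and returns every check by name; all must be true.
func RunScenario() map[string]bool {
	mfr, op := NewDomain("Meter Manufacturer CA"), NewDomain("Utility Operator CA")
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // generated inside the meter
	r := map[string]bool{}
	attest := mfr.IssueDeviceCert("MTR-000123", "SmartMeter-E", &devKey.PublicKey, 1001)
	r["mfr_attestation_ok"] = mfr.VerifyDevice(attest, "MTR-000123")
	r["mfr_cert_rejected_in_operator_domain"] = !op.VerifyDevice(attest, "MTR-000123")
	if !r["mfr_attestation_ok"] { return r } // the operator enrols only devices the manufacturer attested
	opCert := op.IssueDeviceCert("MTR-000123", "SmartMeter-E", &devKey.PublicKey, 2001)
	r["operator_auth_ok"] = op.VerifyDevice(opCert, "MTR-000123")
	firmware := []byte("constructed firmware image v2.1") // only the manufacturer key signs updates
	fwSig := Sign(mfr.Key, firmware)
	r["firmware_ok"] = Verify(&mfr.Key.PublicKey, firmware, fwSig)
	r["firmware_tampered_rejected"] = !Verify(&mfr.Key.PublicKey, append([]byte("X"), firmware[1:]...), fwSig)
	r["firmware_operator_signed_rejected"] = !Verify(&mfr.Key.PublicKey, firmware, Sign(op.Key, firmware))
	reading := []byte(`{"meter":"MTR-000123","kwh":1234.5}`) // constructed reading, signed by the device key
	rdSig := Sign(devKey, reading)
	pub := opCert.PublicKey.(*ecdsa.PublicKey) // the back-end takes the key from the operator certificate
	r["reading_ok"] = Verify(pub, reading, rdSig)
	r["reading_tampered_rejected"] = !Verify(pub, []byte(`{"meter":"MTR-000123","kwh":12.5}`), rdSig)
	return r
}
func main() { fmt.Println(RunScenario()) }
```

Every entry in the returned map must be true; a false entry names the check that failed. VerifyDevice trusts exactly one root per domain, so a manufacturer certificate cannot be used to authenticate to the operator, and the firmware check accepts only the manufacturer key, so an operator (or an attacker holding an operator key) cannot push code. Moving a Hub to another utility is simply enrolment under that utility's operator CA. What the example leaves out is revocation and protected key storage, which the deck's own key-management bullet flags as essential.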
Page 59
Device Certificate – Project Focus
CI Plus LLP
• Content protection of premium pay TV services
• Batch issuance of manufacturer device certificates for TV sets
• Device certificates, delivered worldwide to the major TV set manufacturers, attest device identity and compliance to the CI+ security standard
• More than 60 million certificates issued in 2010
Confidential I
• Authenticating LTE devices when accessing the backbone network
• Online (real-time) issuance of operator device certificates to LTE devices
• Certificates are delivered to LTE devices operated by our customer
• Device certificate attests authenticity of the LTE device
• Specifics: SHA-2; CMPv2 according to the 3GPP standard
Confidential II
• Authenticating smart meters to the back-end system
• Online (real-time) issuance of operator device certificates to smart meters
• Certificates are delivered to smart meters operated by our customer
• Certificate attests authenticity of the smart meter device
• Specifics: ECDSA, SHA-2
Page 60
Spotlight on EMEA Utility – Device Certificates for Smart Grid
• Symantec is providing:
  – A fully managed, cloud-based PKI solution
  – Easy to manage, with portal access for the utility's admin staff
  – Highly scalable: this particular solution will support in excess of 12 million smart meters
  – An online solution, with certificates issued at the time of meter installation
• Device certificates are installed in smart meters and head-end communications devices
• The solution ensures that only genuine devices are on the smart grid network, and that data sent from the meters to the head-end systems is encrypted and integrity-protected, so it cannot be read or tampered with in transit
• The certificates are installed when the meter is installed in the consumer's home. When certificates expire and new ones are issued, renewal is done online with no requirement for an engineer to attend
Page 61
Symantec's Pedigree: A Proven Enterprise Approach
Cross-platform: applications, browsers, devices. Transparent, automated, flexible, simplified, reliable, efficient, extensible, robust and scalable.
• 5.7m PKI seats loaded to accounts at Symantec last year
• >200m device certificates issued to date
• Millions more PKI seats loaded to Processing Centers and CLPs
• 11,500 secure online transactions enabled every second
Page 62
Industrial Security: Things to Consider
Windows systems security
• Windows systems are still a significant part of any industrial operations domain
• But typical enterprise approaches must be modified
Certificate management
• Authentication of device identity ensures integrity and security for the device, protecting both the network and the device
• Operator certificates to protect the operator
Air gaps do not protect
• Contractor system: was on the Internet, now on the private LAN
• Testing, and pushing applications directly to the field
• USB drives: do not allow automatic execution (disable AutoRun)
SCADA security
• Security for SCADA systems needs to be built in from the ground up
• Networking SCADA devices can help secure the operations domain by enabling more powerful systems for detection
Page 63
Data Sharing Among Symantec Solutions
• Symantec solutions share information among compliance, data control, application control, monitoring and archiving systems. Some examples of solutions:
  – Critical System Protection (CSP: application, device, file and execution control, system intrusion protection)
  – Symantec Security Information Manager (SSIM: security event correlation)
  – Control Compliance Suite (CCS: compliance reporting and monitoring)
  – Symantec Protection Center (SPC: security console)
  – Symantec Storage Foundation HA
  – Data Loss Prevention (DLP) for content-aware security policy
• For categorizing, archiving and controlling information, a high level of integration among Symantec solutions, including:
  – Data Loss Prevention and Data Insight (critical information control and discovery)
  – Enterprise Vault (archiving)
  – Backup Exec (backup)
Page 64
Industrial Grid: IT and Operations Architecture
(Diagram: the electrical grid, generation / transmission / distribution / customer, with the operations domain overlaid; columns for grid technology, operations and service providers.)
• Content (data at rest): customer billing; personal data / privacy; data retention; compliance; MDM (meter data) hub
• Infrastructure: servers; storage; gateways; grid IT asset management
• Network / Cloud (data in motion): private and public cloud / networks; networks are IP based
• Embedded devices (data in use): substations run Windows XP Embedded (XPe), Linux, Intel; meters run on ARM with flash
Networks: AMI data over a private wireless network; customer demand response over public / Internet; SCADA over private and public networks.
Page 65
Symantec Industrial Security Solutions – 'Four Pillars'
• Make state-of-the-art IT security solutions ubiquitous in the operations control centers
• Utilize a common data model: information shared among solutions to meet regulatory compliance needs
Operations Security
• Utilize 'defense-in-depth' techniques
• Leverage years of network security experience in the IP world
• Windows-based control systems: harden them, and control the applications running on them
Embed Security with Data
• Encrypt information
• Authenticate devices
• Manage keys
• Managed / hosted PKI and device-level certificates
Manage Endpoints
• Manage Windows sub-station automation systems
• Securely update device firmware, e.g. AMI collectors
• Securely invoke SSL services through trusted mechanisms resident on the device
Manage Data Explosion
• Information Governance: compliance; control access; regulatory and auditing; customer privacy; reporting
• Information Infrastructure: storage management; data protection; archiving; legal discovery
Page 66
Infection Recovery
Recent Oil Industry Attacks
Prevent / Detect / Review & Improve cycle:
• Identify vulnerabilities for affected systems
• Establish a data perimeter
• Stop the attackers reacting
• Stop the attack repeating
• Identify the infection and affected systems
• Stop the infection spreading
• Keep vital systems functioning
• Prioritise systems to restore first
• Engage and communicate with users and the public
• Learn from the experience
Page 67
Prepare in Advance
Recent Oil Industry Attacks
Prepare the response team now
• Include an executive who has authority to approve actions
• Include the appropriate stakeholders
• Include technical experts
• Will you need external resources?
Prepare the response plan
• Define policies, roles and responsibilities
• Define procedures
• How will the response plan be triggered?
• Who will do what?
Practice, practice, practice
• Paper simulations
• Live penetration testing
Page 68
Symantec helps Industrial Security challenges across various dimensions
• Compliance & Privacy: Control Compliance Suite, Data Loss Prevention
• Threats (Security & Insider Risk): infrastructure protection with SEP and Critical System Protection; insider threat with Data Loss Prevention; field security with NAC, SEP for Embedded, MSS, DeepSight, cloud-based security and key management
• Data Growth & Complexity (Data Deluge & Complexity): Storage Foundation-HA, Command Central Storage, NetBackup, Backup Exec, Enterprise Vault, Control Compliance Suite, Data Loss Prevention, cloud-based data protection
• Outage Management (Availability): Symantec Security Information Manager, Symantec Workflow Engine, CMDB; SF/HA and clustering for failover and disaster recovery
• Endpoint Management: Server Management Suite, Client Management Suite, Configuration Management Database (CMDB), LiveUpdate
Page 69
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Tom Thomassen Office of the CTO [email protected]
Michelle Lewis Device Authentication Specialist [email protected]
Page 70
Attacks in Detail
Page 71
Example: SCADA Attacks in Production Systems (ICS)
Timeline, 1982 to 2010:
• 1982: Trans-Siberian pipeline explosion; a Trojan inserted into SCADA software is said to have caused the explosion (a widely repeated but disputed account)
• 1994: Roosevelt Dam; hacker breaks into floodgate SCADA systems
• 2000: GAZPROM; hackers gain control of a Russian natural gas pipeline
• 2000: Sewage dump; insider attack on sewage systems in Australia dumps 1 million gallons of raw sewage
• 2003: Slammer knocks a nuclear plant monitoring system offline
• 2007: California canal system; insider hacks SCADA systems
• 2009: Stuxnet ring runs first SCADA operations; early proof-of-concept attacks launched and detected by Symantec
• July 2010: W32.Stuxnet