OT/ICS Cyber-Hacking into Industrial organizations · 2019-02-20 · OT/ICS Cyber-Hacking into Industrial organizations June 7th 2018. What would you do differently if you KNEW you


Page 1:

Sylvain Denoncourt GSEC, CISSP

IoT architecture Consultant

Cisco

OT/ICS Cyber-Hacking into Industrial organizations

June 7th 2018

Page 2:

What would you do differently if you KNEW you were going to be compromised?

It’s no longer a question of “if” you’ll be breached, it’s a question of “when”…

Page 3:

"Computer networks controlling the buildings and infrastructure architects design are regularly being hacked… This tends to go under-reported, because it often involves private companies concerned for their public images, and untreated, because these systems are coordinated by various parties that have never been responsible for cyber security."

Source: Architizer, https://architizer.com/blog/hacking-architecture/

Page 4:

#WWST #CISCOVT #CISCOSE

The Evolution of the Cyber Criminal: now a sophisticated business focused on ROI

Old School Threats
• Cyber-punks/Hackers
• Individual's Data
• Unsophisticated
• Notoriety/Political
• Opportunistic
• Nation State

Modern Threats
• Professional organized crime
• Trusted Insiders
• Targeted/ROI
• Sophisticated Supply Chains
• Nation State
• Multi-Billion $$ Business

Page 5:

The many faces of IoT hacking

• Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer: https://thehackernews.com/2018/04/iot-hacking-thermometer.html
• Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds: https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/
• Vehicle CAN bus control
• Massive DDoS Attack Against Dyn DNS Service Knocks Popular Sites Offline: https://thehackernews.com/2016/10/dyn-dns-ddos.html

Page 6:

IT vs OT

IT - Information Technology
• Pertains mainly to the corporate offices
• Connects people and servers
• More homogeneous in nature

OT - Operational Technology
• Pertains to industrial environments (ICS, Industrial Control Systems): manufacturing floor, utility substation, oil rig, mining, etc.
• Connects mainly endpoints, sensors and meters…
• Many device types and differing data formats, often with huge amounts of raw data

Page 7:

IT and OT organisations are converging

• Convergence driven by technology evolution and the pressure to reduce costs

• Different culture and skillset between the two organisations

• OT: driven by resilience objectives

• IT: driven by the need to meet end user expectations at the lowest possible cost

• Resistance to change

• Very different reporting structures

Page 8:

Industrial networks are increasingly becoming targets

Page 9:

Escalating Attacks in the IoT/OT Domain

Shamoon wipes 30K computers

Page 10:

2010: Stuxnet hits centrifuges in an Iranian nuclear compound

Page 11:

Stuxnet in Action: Losing Trust at the PLC Layer

(Diagram of the zones Stuxnet crossed: Internet, media, computers, vendors/partners, corporate network, DMZ, HMI network (situational awareness, control, protection), ICS network (programming, maintenance), PLC network (physical devices).)

Page 12:

2014 hack attack causes 'massive damage' at German smelter

http://www.bbc.com/news/technology-30575104

"…the attackers infiltrated the corporate network using a spear-phishing attack that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer." (WIRED, 2015)

Page 13:

2015 Ukraine power grid hack

https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

Page 14:

Aftermath of the Attack

• At 3:35 pm on Dec 23rd 2015, the Ukrainian Kyivoblenergo (a regional energy distribution company) experienced outages as a result of its SCADA systems being hacked
• Breakers were opened by the attackers in 7 × 110 kV and 23 × 35 kV substations
• 225K customers impacted, 6 hours of lost power across 3 regions

Page 15:

Ukraine power grid attack - The kill chain: a highly orchestrated approach

Phase 1, The Preparation (IT domain: the intrusion)
1. Spear phishing to gain access to the IT corporate network
2. Delivery + exploit + install of BlackEnergy malware on the victim's workstation; C2 (command and control)
3. Recon: PsExec to gather environment information; credential theft with Mimikatz and LM hashes
4. Attackers issued VPN connections from the corporate network into the ICS network
5. Hijacking of the substation SCADA HMIs

Phase 2, The ICS Attack (attack on the OT domain)
6. Malicious firmware developed for the serial-to-Ethernet devices (PLC/RTU)
7. Power outages executed through the SCADA HMI with malicious operations to open breakers ("phantom mouse")
8. Firmware upload; UPS compromised in the DC; DDoS of the call centers; KillDisk to erase evidence and delete targeted logs

Page 16:

A few observations and facts…

Page 17:

Common Pathways into OT Environments

Page 18:

The human element is usually the path of least resistance

Human element + coupled system = risk

Page 19:

Spear-phishing: a fake, targeted email

Page 21:

Phishing leaves business on the line

• Phishing continues to be the root cause of major breaches
• URL shorteners, URLs in attachments, domain shadowing and domain squatting are the tricks employed by adversaries
• Adversaries rely on social engineering to trick users into clicking the bad links
• Strong integration of web intelligence with the email gateway, plus user awareness, are the need of the hour

Page 22:

The Security Challenge

• Scale: too many alerts
• Complexity: securing everything
• Sophistication: keeping up against attackers

Motivated & targeted adversaries: state sponsored; financial/espionage motives; $1T cybercrime market
Increased attack surface: BYOD blurring the perimeter; public cloud services; enterprise IoT
Increased attack sophistication: advanced persistent threats; encrypted malware; zero-day exploits

Figures quoted on the slide:
• 100% of customers lacked network segmentation at time of breach
• $3.8M average cost of a data breach
• 200 days industry average detection time for a breach
• 60 days industry average time to contain a breach

Page 23:

Network Architecture Concerns…

• A bad network design is as big a threat to security success as the lack of security.
• Better to know what you are missing than to think you are safe.

(Diagram: a plant floor mixing Enterprise Ethernet and proprietary Ethernet with I/O fieldbus, motion and safety networks, cabled on to the next machine in star, trunk/drop, fiber ring and daisy-chain topologies.)

This does not mean that there was no architecture. It is likely that the architecture eroded over time.

Page 24:

IoT Cyber Security Principles for IT environment

Priority order: C I A (Confidentiality, Integrity, Availability)
Policy management with IT convergence & ease of use

Access Control
• User and Device Identity
• Authentication, Authorization & Accounting

Data Confidentiality and Data Privacy
• Network Segmentation
• Secure Connectivity

Threat Detection and Mitigation
• Security Zones
• Intrusion Prevention; Application Visibility

Device and Platform Integrity
• Device Hardening and Secure Platform
• Configuration Assurance

Page 25:

IoT Cyber Security Principles for OT environment

Priority order: A I C (Availability, Integrity, Confidentiality). OT inverts the IT ordering: keeping the process running and its data trustworthy comes before secrecy, which is why controls that can stall or reboot a device (inline blocking, agent installs, forced patch windows) need to be weighed against availability first.
Policy management with OT/IT convergence & ease of use

Access Control
• User and Device Identity
• Authentication, Authorization & Accounting

Data Confidentiality and Data Privacy
• Network Segmentation
• Secure Connectivity

Threat Detection and Mitigation
• Security Zones
• Intrusion Prevention; Application Visibility

Device and Platform Integrity
• Device Hardening and Secure Platform
• Configuration Assurance

Page 26:

It all comes down to one simple question:

How do you deal with that ?

Page 27:

It takes an Architecture

Yes, but would you fly something like this?

Page 28:

Cisco IoT Threat Defense: detect, block, and respond to IoT threats

Page 29:

Ukraine power grid attack - The kill chain: what could have been done?

Phase 1, The Preparation (IT domain: the intrusion)
1. Spear phishing to gain access to the IT corporate network (control: Email Security, Umbrella)
2. Delivery + exploit + install of BlackEnergy malware on the victim's workstation; C2 (command and control) (control: AMP & ThreatGRID)
3. Credential theft (control: Cisco ISE)
4. Attackers issued VPN connections from the corporate network into the ICS network (control: ISA 3000 industrial firewall, Firepower)
5. Hijacking of the substation SCADA HMIs (control: ISA 3000 FW; police register values!)

Phase 2, The ICS Attack (attack on the OT domain)
6. Malicious firmware developed for the serial-to-Ethernet devices (control: ISA 3000 FW)
7. Power outages executed on SCADA with malicious operations to open breakers (control: Stealthwatch, with big data machine learning and correlation)
8. Firmware upload; UPS compromised in the DC; DDoS of the call centers; KillDisk to erase the MBR and delete targeted logs (control: Stealthwatch, Splunk)
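The "police register values" annotation on step 5 is the part of this slide that is easiest to get wrong, so here is what it means in code. This is an added example, not from the deck and not Cisco's code: it parses Modbus/TCP requests and applies an allowlist of who may write which holding registers, with what values, and whether a change window must be open. The slide names no protocol; Modbus/TCP, the register map, the source addresses and the policy values are assumptions chosen to make the idea concrete.

```python
"""Police Modbus/TCP register writes at the corporate/ICS boundary.

Added example; not code from the deck or from Cisco. The slide only says
"police register values", so the protocol (Modbus/TCP), the writer allowlist
and the register map below are assumptions made to show the idea.
"""
import struct
from dataclasses import dataclass

# Public Modbus function codes that change process state.
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10

# Constructed policy: (source IP, unit id) -> {protocol register address: (min, max)}.
# Protocol addresses are 0-based; the HMI's "40001" convention maps to address 0.
WRITE_POLICY = {
    ("10.20.1.10", 1): {0: (0, 1), 9: (0, 600)},  # HMI: breaker command, setpoint
}
# Registers that may only be written inside an approved change window.
PROTECTED = {0}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    writes: dict  # register address -> value; empty for reads


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the PDU of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unknown protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    writes = {}
    if fc == FC_WRITE_SINGLE_REGISTER:
        addr, value = struct.unpack(">HH", pdu[1:5])
        writes[addr] = value
    elif fc == FC_WRITE_MULTIPLE_REGISTERS:
        start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            raise ValueError("byte count inconsistent with register quantity")
        values = struct.unpack(f">{qty}H", pdu[6:6 + nbytes])
        writes = {start + i: v for i, v in enumerate(values)}
    return ModbusRequest(tid, unit, fc, writes)


def police_write(src_ip: str, req: ModbusRequest, change_window_open: bool = False):
    """Return (allowed, reason) for one parsed request; reads always pass."""
    if not req.writes:
        return True, "read-only request"
    allowed = WRITE_POLICY.get((src_ip, req.unit_id))
    if allowed is None:
        return False, f"{src_ip} is not an authorised writer for unit {req.unit_id}"
    for reg, value in req.writes.items():
        if reg not in allowed:
            return False, f"write to register {reg} not permitted for {src_ip}"
        lo, hi = allowed[reg]
        if not lo <= value <= hi:
            return False, f"value {value} for register {reg} outside [{lo}, {hi}]"
        if reg in PROTECTED and not change_window_open:
            return False, f"register {reg} is protected and no change window is open"
    return True, "write within policy"


def evaluate(src_ip: str, frame: bytes, change_window_open: bool = False):
    return police_write(src_ip, parse_modbus_tcp(frame), change_window_open)


# Encoders used only to build the constructed test traffic below.
def build_write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_write_multiple(tid: int, unit: int, start: int, values) -> bytes:
    data = struct.pack(f">{len(values)}H", *values)
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, start, len(values), len(data)) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    # Constructed traffic: HMI setpoint write, HMI breaker command outside and
    # inside a change window, a corporate host trying the same command, and a
    # block write that strays into registers the HMI may not touch.
    samples = [
        ("10.20.1.10", build_write_single(1, 1, 9, 250), False),
        ("10.20.1.10", build_write_single(2, 1, 0, 1), False),
        ("10.20.1.10", build_write_single(3, 1, 0, 1), True),
        ("10.0.5.77", build_write_single(4, 1, 0, 1), True),
        ("10.20.1.10", build_write_multiple(5, 1, 0, [1, 0, 0, 0]), True),
    ]
    for ip, frame, window in samples:
        print(ip, evaluate(ip, frame, window))
```

Two design points matter in practice. The policy is keyed on the source host and the Modbus unit id, not just the TCP port, so the hijacked HMI session in the Ukraine case would still be constrained to the registers and ranges that operator station legitimately uses; and the "change window" flag is how a firewall ties a breaker command to an approved maintenance ticket rather than to whoever currently holds the mouse.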

Page 30:

Remote Access Control to the ESP / ICS sensitive zone: separation between corporate and production networks is a must!

(Diagram: an external contractor enters through the corporate zone, crosses an industrial firewall into a multi-service zone holding the jump box, and only from there reaches the ESP zone / ICS sensitive zone behind the MPLS substation edge router; enterprise and industrial switches at each tier. ESP is the NERC CIP term for the Electronic Security Perimeter.)

1. Device is scanned and user authentication verified: 2-factor authentication, 802.1X, certificates
2. User profile + NGFW limits applied; split tunnel disabled
3. Jump box: a VDI host operates as a virtual air gap providing isolation to the ESP
4. Switch port security and identity profiling controls such as time-of-day and session duration, plus monitoring of the device
5. Centralized logging of events promotes accurate audits
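The five controls above are usually enforced by separate products (NAC, VPN concentrator, firewall, switch), which makes it easy to miss that together they form one decision. As an added example (not from the deck, not Cisco's code), the block below expresses that decision as a single policy check over a contractor session request and writes the audit record the fifth control asks for. The zone names, field names and policy values are assumptions; a real deployment would take them from the identity system and the firewall.

```python
"""Gate a contractor session into the ESP / ICS sensitive zone.

Added example; not from the deck and not Cisco's code. Zone names, field
names and the policy values are assumptions that mirror the five controls on
the slide: posture scan + 2-factor/802.1X, user profile + NGFW with split
tunnel disabled, the jump box as a virtual air gap, port security with
time-of-day and duration limits, and centralized logging.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy for the "contractor" user profile.
POLICY = {
    "contractor": {
        "allowed_hours": (8, 18),             # 08:00 <= start < 18:00 local time
        "allowed_weekdays": {0, 1, 2, 3, 4},  # Monday..Friday
        "max_duration": timedelta(hours=4),
        "required_path": ["corporate", "jumpbox", "esp"],  # no direct corporate->esp
        "allow_split_tunnel": False,
    }
}

AUDIT_LOG = []  # stand-in for the central log collector / SIEM


@dataclass
class SessionRequest:
    user: str
    profile: str
    device_id: str
    path: list                 # zones the session would traverse, in order
    mfa_verified: bool
    dot1x_cert_ok: bool
    posture_clean: bool
    split_tunnel: bool
    start: datetime
    requested: timedelta


def contractor_request(user, device, path, start_iso, hours, mfa=True, cert=True,
                       posture=True, split_tunnel=False):
    """Convenience constructor for the demo and tests (constructed data)."""
    return SessionRequest(user, "contractor", device, list(path), mfa, cert, posture,
                          split_tunnel, datetime.fromisoformat(start_iso), timedelta(hours=hours))


def evaluate_session(req: SessionRequest):
    """Return (allowed, reasons) and append one audit record either way."""
    reasons = []
    policy = POLICY.get(req.profile)
    if policy is None:
        reasons.append(f"unknown profile {req.profile!r}")
    else:
        if not req.mfa_verified:
            reasons.append("2-factor authentication not completed")
        if not req.dot1x_cert_ok:
            reasons.append("802.1X certificate authentication failed")
        if not req.posture_clean:
            reasons.append("device posture scan not clean")
        if req.split_tunnel and not policy["allow_split_tunnel"]:
            reasons.append("split tunnel must be disabled")
        if req.path != policy["required_path"]:
            reasons.append(f"path {'->'.join(req.path)} bypasses the jump box")
        lo, hi = policy["allowed_hours"]
        if req.start.weekday() not in policy["allowed_weekdays"] or not lo <= req.start.hour < hi:
            reasons.append("start time outside the permitted time-of-day window")
        if req.requested > policy["max_duration"]:
            reasons.append(f"requested duration exceeds {policy['max_duration']}")
    allowed = not reasons
    AUDIT_LOG.append({
        "ts": req.start.isoformat(), "user": req.user, "device": req.device_id,
        "path": list(req.path), "allowed": allowed, "reasons": list(reasons),
    })
    return allowed, reasons


def session_deadline(req: SessionRequest) -> datetime:
    """When the switch port / VDI session must be torn down: the earliest of
    the requested end, the profile's maximum duration, and the window's end."""
    policy = POLICY[req.profile]
    window_end = req.start.replace(hour=policy["allowed_hours"][1], minute=0,
                                   second=0, microsecond=0)
    return min(req.start + min(req.requested, policy["max_duration"]), window_end)


if __name__ == "__main__":
    good = contractor_request("vendor.jane", "LT-4471", ["corporate", "jumpbox", "esp"],
                              "2018-06-05T10:00", 2)
    bad = contractor_request("vendor.jane", "LT-4471", ["corporate", "esp"],
                             "2018-06-05T22:00", 6, posture=False, split_tunnel=True)
    for r in (good, bad):
        print(r.user, evaluate_session(r))
    print("deadline:", session_deadline(good))
```

Note that every reason is collected rather than stopping at the first failure: the audit record then shows an analyst that a late-night direct-to-ESP request also came from an unscanned device with split tunnelling on, which is the pattern of the VPN pivot in the Ukraine kill chain rather than an operator who simply mistyped a time.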

Page 31:

It takes an Architecture

… with a central security intelligence cloud capable of analyzing billions of requests and sharing that information with all security network devices at the edge …

Page 32:

Talos security cloud intelligence
• AMP + Stealthwatch
• ASR/ISR with Firepower services
• Firepower FTD 4K, 9K

Page 33:

Conclusion & takeaways: what to do and to enforce

Data and applications
• Attacks must be uncovered in the early stages of the attack
• Understand the needs of, and the differences between, IT and OT security
• Enforce password resets after a pre-determined period, and immediately when compromise is suspected (current NIST SP 800-63B guidance favours compromise-driven resets over fixed periods)
• Prioritize vulnerability patching on critical assets
• IP host and URL/DNS resolution blocklisting through reputation inspection
• Look for abnormal spikes in traffic patterns
• Check endpoint file integrity by hashing (prefer SHA-256; MD5 is no longer collision-resistant) through anti-malware protection

Page 34:

Firmware modifications over the network cause spikes in network traffic
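A firmware image is large relative to the few kilobytes of polling a gateway normally sees, so the spike stands out if each destination is compared against its own history. As an added example (not from the deck, not a Stealthwatch rule), the block below aggregates constructed NetFlow-style records per destination and five-minute window, scores each window with a median/MAD robust z-score, and reports which source/port pairs are new talkers. The inventory, threshold and flow records are assumptions; the routine itself works for any per-destination byte series, not only gateways.

```python
"""Flag byte-count spikes toward serial-to-Ethernet gateways in flow records.

Added example; not from the deck. The flow records are constructed to look
like five-minute NetFlow-style summaries (Stealthwatch consumes the same kind
of data); the gateway inventory, the robust z-score threshold and the minimum
history length are assumptions. The same routine works for any per-destination
byte series, not just gateways.
"""
from collections import defaultdict
from statistics import median

# Constructed inventory: devices whose firmware must not change outside a window.
GATEWAYS = {"10.30.7.21", "10.30.7.22"}

# Constructed flows: (window_start_minute, src, dst, dst_port, bytes).
# Normal HMI polling of two gateways over Modbus/TCP (port 502) for an hour...
FLOWS = [(t, "10.20.1.10", "10.30.7.21", 502, b) for t, b in zip(range(0, 60, 5),
         [4100, 4250, 4020, 4400, 4190, 4310, 4080, 4220, 4150, 4360, 4270, 4120])]
FLOWS += [(t, "10.20.1.10", "10.30.7.22", 502, b) for t, b in zip(range(0, 60, 5),
          [3900, 4050, 3980, 4100, 3950, 4020, 3990, 4080, 3940, 4010, 4060, 3970])]
# ...then one window in which an engineering workstation pushes ~1.2 MB over HTTP
# to the first gateway, the size and shape of a firmware image upload.
FLOWS += [
    (60, "10.20.1.10", "10.30.7.21", 502, 4200),
    (60, "10.20.1.50", "10.30.7.21", 80, 1_250_000),
    (60, "10.20.1.10", "10.30.7.22", 502, 4180),
]


def bytes_per_window(flows):
    """Aggregate bytes by (dst, window) and remember which (src, port) pairs fed it."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for t, src, dst, port, nbytes in flows:
        totals[(dst, t)] += nbytes
        sources[(dst, t)].add((src, port))
    return totals, sources


def robust_z(value, history):
    """Z-score using median and MAD, so one earlier spike cannot mask the next.
    The scale is floored so a perfectly flat baseline does not divide by ~0."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, 0.01 * med, 1.0)
    return (value - med) / scale


def detect_spikes(flows, threshold=6.0, min_history=6):
    """Return one alert per (dst, window) whose byte count is an outlier against
    that destination's own earlier windows; flag new talkers and gateway targets."""
    totals, sources = bytes_per_window(flows)
    alerts = []
    for dst in sorted({d for d, _ in totals}):
        windows = sorted(t for d, t in totals if d == dst)
        seen = set()
        for i, t in enumerate(windows):
            history = [totals[(dst, w)] for w in windows[:i]]
            if len(history) >= min_history:
                z = robust_z(totals[(dst, t)], history)
                if z > threshold:
                    alerts.append({
                        "dst": dst, "window": t, "bytes": totals[(dst, t)], "z": round(z, 1),
                        "new_sources": sorted(sources[(dst, t)] - seen),
                        "gateway": dst in GATEWAYS,
                    })
            seen |= sources[(dst, t)]
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(FLOWS):
        print(alert)
```

The median/MAD choice matters in OT: polling traffic is nearly flat, so a standard deviation computed from it is tiny and a mean-based score would also alert on a routine backup, whereas the floored robust scale keeps the first genuine upload far above threshold while the second gateway, which only drifted, stays quiet. In production the alert would be joined with the change-window calendar before paging anyone.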


Page 36:

Takeaways: what to do and to enforce

Host and network
• Segmentation of the SCADA network (secured zoning)
• Logging must be enabled on all SCADA devices
• Back up all critical firmware
• Restrict and control remote connections to the SCADA systems through secured jump points
• IPS with ICS-adapted rules for detection within the industrial environment

Policies and procedures
• Train OT staff and operators
• Segregation of duties: make sure no single HMI console has full end-to-end control
• Invite business process owners to discuss what is important to protect
• Make sure IT/OT staff are up to date and knowledgeable on ICS security
• DR scenarios in place to switch to manual mode

Page 37:

Security compliance is not enough; organizations must set their security foundations taking into consideration:

• Attack vectors and threats
• Changing business environment and operational procedures
• Technological evolution

“We have a culture of compliance when we should really have a culture of security.”
Timothy E. Roxey, VP and Chief E-ISAC Operations Officer at NERC

Page 38:

Thank you