Cyber Security Threats and Defense for Protecting Industrial Operations
SCCE
Presented by Daniel Ehrenreich, SCCE, [email protected]
Duplication is strictly prohibited. © Copyright SCCE 2017
Presented by:
Daniel Ehrenreich
SCCE - Secure Communications and Control Experts
Meeting 13-9-2017
Cyber Security Threats and Defense Measures for Protecting Industrial Operations
Introduction
Daniel Ehrenreich
SCCE - Secure Communication and Control Experts
Tel: +972-54-9151594
Over 40 years of industrial activity:
• 1976 - 1990 Tadiran Inc.
• 1991 - 2011 Motorola Ltd.
• 2011 - 2013 Siemens Ltd.
• 2014 - 2014 Waterfall Security
• 2014 - SCCE Consulting
• 2014 - SCCE Training
Critical Infrastructure
• Water and Waste Water
• Electricity Distribution
• Early Flood Warning
• Water Distribution
• Oil and Gas Pipelines
• Communication Monitoring
• Public Safety and Security
• Transportation Monitoring
• Environment Monitoring
Risks on Industrial Control and IT Systems
• Organizations which already were under cyber attack and already took actions ☺
• Organizations which do not know that they are under attack: the malware is already sitting there!
• Organizations which will be under cyber attack as soon as tomorrow!!
OT - Operation Technology; ICS - Industrial Control Systems; SCADA - Supervisory Control and Data Acquisition
ICS must assure Safety & Reliability
• Prevent damaged equipment from hurting people
  – Mechanical fault, faulty control process
• Prevent people from causing damage to assets
  – Wrong action, lack of training, sabotage
• Seamless operation and high productivity
  – Consistent, cost-effective and quality water supply
Remember the IT and ICS Differences
• IT security challenges: Confidentiality, Integrity, Availability
• ICS security challenges: Safety, Reliability, Productivity
You cannot handle ICS security the way you handle IT security!
Every change in the ICS is a potential risk to the safety and reliability of the critical infrastructure operation.
Layers in Customer Organization
[Figure: organization layers, top to bottom: Internet/Cloud; Enterprise (IT section); Production Process Control, Control Operation, and Production Level and Machinery Control (OT section). An air-gap isolation between the IT and OT sections is aimed at preventing external cyber attack, but it is not enough.]
Typical ICS System Structure
[Figure: Public Internet – firewall – Corporate Network – Control Network – OT System. The control network hosts the engineering station and the view consoles; a service engineer, the software test lab and the vendor expert center connect from outside the control network.]
Technical Malfunctions and Force Majeure
• Such events can be misinterpreted as an attack!
• Faulty sensor / hardware / program bug
  – May be interpreted as a cyber attack
• Incorrect action of an authorized person
  – May cause an unstable, difficult-to-analyze condition
• Action by an unauthorized person – attack on the ICS
  – Internally or externally generated attack
ICS Attacks (same as IT, but different)
• Man-in-the-Middle (MitM) attack
  – Attackers monitor/alter messages
  – Sniff information; replay messages; modify feedback data; fake ping to OT
• Denial of Service (DoS)
  – The attacker can "make it busy"
  – Can be caused by MitM; may escalate to DDoS
• Stealing business data
  – Part of the MitM process after access is gained
  – Competitor interest; nation funded
• Damage to equipment
  – Last but most critical
  – Reputation damage; remember Stuxnet
Defense: complementing and compensating cyber defense measures
Infection Spread Across IT-OT Systems
[Figure: the same structure as in "Typical ICS System Structure" (Public Internet – firewall – Corporate Network – Control Network – OT System, with service engineer, software test lab, vendor expert center, engineering station and view consoles), showing how an infection spreads from the IT side into the OT side.]
MitM Attack – Delivering Malware via External Media
[Figure: Public Internet – firewall – Corporate Network – Control Network – SCADA system, with numbered attack paths 1–8 via the service engineer, software test lab, vendor expert center, engineering station and view consoles.]
The hacker approaches the control system by using a USB stick (1), a wireless backdoor (2, 4), or by infecting an HMI (3).
ICS & Business Networks' Interconnection
[Figure: Sensors, actuators and IEDs – PLC control – secured control system data network (OT, DCS) – business network – Internet.]
Data flows from the ICS to the IT network for the purpose of boosting productivity and reducing operation cost.
Malware Infection via Network
• The Lockheed Martin Cyber Kill Chain (CKC)
  1. Reconnaissance – Harvest email addresses, company information, etc.
  2. Weaponization – Couple exploit with backdoor into a deliverable payload
  3. Delivery – Deliver the weaponized bundle via email, web, USB, etc.
  4. Exploitation – Exploit a vulnerability to execute code on the victim system
  5. Installation – Install malware on the asset
  6. Command & Control – Command channel for remote manipulation of the victim
  7. Actions on Objectives – With "hands on keyboard" access, intruders accomplish their original goal
Source: Lockheed Martin Cyber Kill Chain
Attacking ICS via Authorized Access
• Potential threat scenarios
  – Authorized remote access is common for ICS
    • Poorly defended access, e.g. via default passwords or even hardcoded passwords, is a major vulnerability.
  – Lack of strong authentication and authorization measures
    • Service people use the same ID and access methods.
  – External service providers perform updates for devices.
• Additional challenges for cyber defense
  – VPN access is granted for a specific device only
    • Once inside, additional devices are reachable with only light security
GPS Time Reference Spoofing
• Outcome of the attack
  – Non-synchronized operation > outage > damage
• Detection and mitigation efforts
  – Compare the received signal strength to the expected strength.
  – Alert if a deviation from normal is detected.
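The two checks above, as an added example that is not part of the original slides or of SCCE's material: a detector learns the normal signal level from a baseline of receiver samples and alerts on a deviation, and additionally checks whether GPS time has jumped relative to the receiver's free-running local oscillator (a common vendor check, assumed here). The sample format, the 3-sigma and 1 ms thresholds and all data are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class GpsSample:
    t_local: float   # seconds on the receiver's free-running oscillator
    t_gps: float     # UTC seconds decoded from the GPS signal
    cn0_db: float    # carrier-to-noise density (dB-Hz) reported by the receiver


class GpsSpoofDetector:
    """Learns the normal signal level from a baseline, then checks each new sample
    for (a) a signal-strength deviation and (b) a time step the local oscillator
    cannot explain. Thresholds are assumptions for this example."""

    def __init__(self, baseline, max_sigma=3.0, max_step_s=0.001):
        levels = [s.cn0_db for s in baseline]
        self.level_mean = mean(levels)
        # floor the spread so a very flat baseline does not make the test hypersensitive
        self.level_sigma = max(pstdev(levels), 0.5)
        self.max_sigma = max_sigma
        self.max_step_s = max_step_s
        last = baseline[-1]
        # relation between GPS time and the local clock at the end of the baseline
        self.offset = last.t_gps - last.t_local

    def check(self, sample):
        alerts = []
        z = (sample.cn0_db - self.level_mean) / self.level_sigma
        if abs(z) > self.max_sigma:
            alerts.append(f"signal level {sample.cn0_db:.1f} dB-Hz is {z:+.1f} sigma from baseline")
        step = sample.t_gps - (sample.t_local + self.offset)
        if abs(step) > self.max_step_s:
            alerts.append(f"GPS time moved {step * 1000:+.1f} ms against the local clock")
        return alerts


def demo():
    """Constructed data: ten seconds of normal lock, then one normal and one spoofed sample.
    A spoofer typically overpowers the real satellites (here +10 dB) and pulls time (+0.5 s)."""
    levels = [41.5, 42.0, 42.5, 41.8, 42.2, 41.9, 42.1, 42.4, 41.7, 42.0]
    baseline = [GpsSample(float(t), 1.0e9 + t, lvl) for t, lvl in enumerate(levels)]
    det = GpsSpoofDetector(baseline)
    normal = GpsSample(10.0, 1.0e9 + 10.0002, 42.3)
    spoofed = GpsSample(11.0, 1.0e9 + 11.5, 52.0)
    return {"normal": det.check(normal), "spoofed": det.check(spoofed)}
```

A real receiver also reports per-satellite levels and position; a spoofer that must overpower every satellite at once usually shows up as all channels jumping together, which is a stronger signal than a single average.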
Cyber attack damages to BEMS (Building Energy Management Systems)
• Energy control
  – Altering the power meter reading / wrong billing
  – Re-setting the air-condition temperature
  – Resetting the operation hours (heating-cooling)
  – Re-setting the light control timer
  – Causing a power outage in the building
• Safety-security control
  – Starting the fire alarm to evacuate offices
  – Activating fire-fighting sprinklers in rooms
  – Stealing data on authorized people
  – Changing the biometric settings and access rights
  – Slowing down the system response
Bring Your Own Device (BYOD)
• 90 % of people use private smartphones at work
• BYOD policies that are not enforced cause vulnerabilities
  – The device can be stolen
  – It can be hacked / compromised
  – It can be manipulated to create an attack
  – It can serve for preparing a BIG one
BYOH (Bring Your Own Hacker!)
Duqu and Flame - following Stuxnet
• Stuxnet (June 2010)
  – Worm - internally delivered cyber attack via USB (?)
  – Aimed to destroy centrifuges by driving them to resonance speed
  – Operators were misled by seeing normal conditions
• Duqu (Sept 2011)
  – Malware with large similarities to Stuxnet
  – Trojan horse aiming to capture and exfiltrate information
• Ukraine Power Grid (December 2015)
  – Residents of a Western Ukraine city were affected
  – 80,000 – 250,000 (?) people were in the dark for ~6 hours (?)
Malware Infection via Network
• Is there a way to minimize the damage?
  – Behavior of people
    • Training, drills, careful behavior, reporting, use of Authenticated Proxy Access (APA)
  – Deployment of technology
    • Privileged account defense, industrial IDS detecting process/communication anomalies
  – Enforcement of policy
    • Proper procedure for detected alarms
    • Employing a strong SIEM for analyzing events
Separation into Zones
• Control of the traffic
  – Filters external access to OT
  – Slows down worm spreading
• Segregation points:
  – Internal from external
  – Different hierarchy levels
  – Minimal number of linked nodes
  – Highly secured zones
• Data flow direction
  – Malware is blocked from receiving instructions
[Figure: zone diagram with the levels Unsecured Internet, Corporate Intranet, DMZ, Application, HMI-ENG level, Automation.]
DMZ Basic Principles
DMZ – Demilitarized Zone, placed between the IT section (lower security) and the OT section (higher security)
• Preventing a direct in/out path to OT
  – Limited inbound traffic to the control zone
  – Controlled outbound traffic from OT
  – No direct connection between in and out
  – Emergency disconnect, from inside or outside
  – Altering the protocol in the DMZ (protocol break)
  – No DMZ management from outside
  – Conducting deep packet inspection
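The DMZ principles listed above can be checked mechanically against a firewall rule set. The following is an added example, not part of the original slides or of SCCE's material: a small checker flags rules that open a direct path into the control zone, admit an inbound service that is not on the allow-list, let OT traffic bypass the DMZ, permit DMZ management from a lower-trust zone, or relay the same protocol through the DMZ without a protocol break. The zone names, the rule format, the allow-list and both rule sets are constructed for illustration.

```python
from dataclasses import dataclass

INTERNET, IT, DMZ, OT = "internet", "corporate", "dmz", "control"
TRUST = {INTERNET: 0, IT: 1, DMZ: 2, OT: 3}          # higher = more protected

# Assumptions for this example: the only service the control zone accepts from
# the DMZ is a jump-host session, and these protocols count as management.
ALLOWED_INBOUND_TO_OT = {"jump-rdp"}
MANAGEMENT_PROTOCOLS = {"ssh", "rdp", "https-admin"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str        # application protocol the rule admits
    desc: str = ""


def check_rules(rules):
    """Return one finding per rule (or relayed protocol) that breaks a DMZ principle."""
    findings = []
    for r in rules:
        if r.dst == OT and r.src != DMZ:
            findings.append(f"direct path into control zone: {r.src} -> {r.dst} {r.proto}")
        elif r.dst == OT and r.proto not in ALLOWED_INBOUND_TO_OT:
            findings.append(f"inbound service to control zone not on allow-list: {r.proto}")
        if r.src == OT and r.dst != DMZ:
            findings.append(f"outbound from control zone bypasses the DMZ: {r.src} -> {r.dst} {r.proto}")
        if r.dst == DMZ and r.proto in MANAGEMENT_PROTOCOLS and TRUST[r.src] < TRUST[DMZ]:
            findings.append(f"DMZ management from lower-trust zone {r.src}: {r.proto}")
    # Protocol break: a protocol admitted from the IT side into the DMZ and again from
    # the DMZ into the control zone is relayed end to end, so a flaw in that protocol
    # reaches OT. The DMZ should terminate it and speak something else onward.
    into_dmz = {r.proto for r in rules if r.dst == DMZ and TRUST[r.src] < TRUST[DMZ]}
    out_of_dmz = {r.proto for r in rules if r.src == DMZ and r.dst == OT}
    for proto in sorted(into_dmz & out_of_dmz):
        findings.append(f"protocol '{proto}' passes through the DMZ without a protocol break")
    return findings


# Constructed rule sets: the first follows the slide, the second is what a
# hurried "temporary" change often looks like.
GOOD_RULES = [
    Rule(OT, DMZ, "historian-push", "historian replicates to the DMZ copy"),
    Rule(IT, DMZ, "https", "IT users read reports from the DMZ copy"),
    Rule(OT, DMZ, "ntp", "control zone takes time from the DMZ"),
    Rule(DMZ, OT, "jump-rdp", "vendor session from the DMZ jump host"),
]
BAD_RULES = [
    Rule(IT, OT, "modbus", "engineer polls the PLC from the corporate LAN"),
    Rule(IT, DMZ, "rdp", "engineer opens RDP to the DMZ host"),
    Rule(DMZ, OT, "rdp", "...and onwards to the OT HMI unchanged"),
    Rule(INTERNET, DMZ, "ssh", "vendor manages the DMZ directly"),
    Rule(OT, IT, "syslog", "PLC logs straight to the corporate SIEM collector"),
]
```

Running `check_rules(GOOD_RULES)` yields nothing; `check_rules(BAD_RULES)` reports six findings, one of them the RDP relay that defeats the protocol break.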
Data Sanitizing Kiosk
• Performs file inspection to detect malware in documents and software
  – Extra defense against zero-day attacks
  – Performs a sort of "sandbox process"
• Transfer of files to the network
  – Manually, on transferable media
  – Through a direct connection to the network
• Special challenges
  – The "kiosk" must be periodically updated with new signatures supplied by AV vendors
[Figure: Incoming data – scanning – certified data.]
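Signature scanning is only one of the checks a kiosk runs before it certifies a file. The following is an added example, not part of the original slides or of SCCE's material, showing three signature-independent checks: the file's real type (magic bytes) must match the extension it claims, an Office document may not carry a VBA macro project, and an installer must match a hash the vendor published. The accepted types, the macro test, the sample files and the vendor hash list are constructed for this example.

```python
import hashlib
import io
import zipfile

# Magic bytes a file must start with for the extension it claims (assumption: these
# four types are what this kiosk accepts; anything else is refused up front).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".exe": b"MZ",
}
OOXML = (".docx", ".xlsx")


def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def type_matches_extension(name, data):
    sig = MAGIC.get(_ext(name))
    return sig is not None and data.startswith(sig)


def has_vba_macro(data):
    """OOXML documents are zip containers; a macro project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def inspect(name, data, vendor_hashes):
    """Return the reasons to reject the file; an empty list means it may be certified."""
    reasons = []
    if not type_matches_extension(name, data):
        reasons.append("content does not match declared file type")
    if _ext(name) in OOXML and has_vba_macro(data):
        reasons.append("document carries a VBA macro project")
    if _ext(name) == ".exe":
        digest = hashlib.sha256(data).hexdigest()
        if digest != vendor_hashes.get(name):
            reasons.append("installer hash not in the vendor-published list")
    return reasons


def build_ooxml(with_macro):
    """Constructed stand-in for a Word document (real ones carry more parts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro blob")
    return buf.getvalue()


def demo():
    clean = build_ooxml(with_macro=False)
    macro = build_ooxml(with_macro=True)
    installer = b"MZ" + b"\x90" * 64               # constructed stand-in for a vendor installer
    vendor_hashes = {"plc-tool-setup.exe": hashlib.sha256(installer).hexdigest()}
    files = {
        "report.docx": clean,
        "invoice.docx": macro,
        "plc-tool-setup.exe": installer,
        "plc-tool-setup-v2.exe": installer + b"\x00",   # one byte off: not the published build
        "readme.pdf": b"MZ this is really an executable",
    }
    return {name: inspect(name, data, vendor_hashes) for name, data in files.items()}
```

The hash list is what makes the installer check meaningful: it has to come from the vendor over a channel independent of the media being scanned, otherwise an attacker who can plant a trojaned installer can plant its hash too.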
Anomaly Detection
• Learning the network topology: devices, links
  – Detecting devices
  – Detecting topology changes
  – Learning the device sampling time
• Passive machine profiling
  – Detecting out-of-order commands
  – Detecting PLC scanning attacks
• Detecting abnormal memory access to devices
  – Preventing unauthorized firmware upgrade.
Application Control / Whitelisting
• Maintain a list of all programs and data libraries
  – Allow only recognized files / programs to be executed
  – Programs which are not listed cannot run
• The whitelist itself
  – Must be protected from modification
  – If it is compromised... you have no defense
• Good fit for SCADA:
  – No virus signature updates
  – Predictable execution costs
Every software-based cyber defense can be compromised and itself cause a severe cyber attack
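The point that the list itself must be protected, as an added example that is not part of the original slides or of SCCE's material: the allow-list maps a program path to its SHA-256 and is sealed with an HMAC under a key held only by the integrity checker, so a list an attacker has edited is refused and, because the checker fails closed, nothing runs from it. The programs, the key and the tampering are constructed; on a real host the key would sit in a TPM or the list would be signed with an offline private key, but the check is the same.

```python
import hashlib
import hmac
import json


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def build_allowlist(programs, key):
    """programs: path -> binary contents. Returns the sealed list."""
    entries = {path: sha256(blob) for path, blob in sorted(programs.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_allowlist(allowlist, key):
    body = json.dumps(allowlist["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, allowlist["mac"])


def may_execute(path, blob, allowlist, key):
    # Fail closed: an unverifiable list allows nothing, precisely because a
    # compromised list would otherwise become a universal pass.
    if not verify_allowlist(allowlist, key):
        return False
    return allowlist["entries"].get(path) == sha256(blob)


def demo():
    key = b"constructed-integrity-key"
    hmi = b"\x7fELF hmi-runtime v3.1 (constructed)"
    agent = b"\x7fELF historian-agent (constructed)"
    allowlist = build_allowlist({"/opt/hmi/runtime": hmi, "/opt/hist/agent": agent}, key)

    dropper = b"\x7fELF dropper (constructed)"
    tampered = json.loads(json.dumps(allowlist))           # deep copy of the sealed list
    tampered["entries"]["/tmp/dropper"] = sha256(dropper)  # attacker adds their own binary

    return {
        "known_good": may_execute("/opt/hmi/runtime", hmi, allowlist, key),
        "patched_binary": may_execute("/opt/hmi/runtime", hmi + b"!", allowlist, key),
        "unlisted": may_execute("/tmp/dropper", dropper, allowlist, key),
        "tampered_list": may_execute("/tmp/dropper", dropper, tampered, key),
        "tampered_list_blocks_even_good": may_execute("/opt/hmi/runtime", hmi, tampered, key),
    }
```

The last result is the operationally important one: once the list fails verification the HMI itself is refused, which is an outage. That is the trade-off the slide's closing line describes, and it is why the list and its key need the same change control as the PLC program.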
ICS defense through Data Diode
• The diode performs one-way data transfer (optical transmit to optical receive over a single fiber; no return path exists)
• The OT historian server is seamlessly copied to the historian copy on the corporate side
• An external network attack cannot infiltrate the ICS through this link
  – No inbound path exists; other entry routes (removable media, service laptops, remote access) still need the measures above
[Figure: Industrial network – OT historian server – optical transmit – one-way fiber – optical receive – historian copy – corporate network.]
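What "seamlessly copied" has to mean at the protocol level, as an added example that is not part of the original slides or of SCCE's material: because no byte can travel back through the diode, the receiver can neither acknowledge nor ask for a retransmission. The sender therefore tags each historian record with a sequence number and a digest and repeats every frame a fixed number of times; the receiver discards corrupt frames, de-duplicates, and reports gaps locally instead of requesting them back. The frame format, the records and the loss pattern are constructed.

```python
import hashlib
import json
import struct

MAGIC = b"HST1"


def frame(seq, record):
    payload = json.dumps(record, sort_keys=True).encode()
    digest = hashlib.sha256(payload).digest()[:8]
    return MAGIC + struct.pack(">Q", seq) + digest + payload


def parse(frame_bytes):
    """Return (seq, record), or None if the frame is truncated or corrupt."""
    if len(frame_bytes) < 20 or frame_bytes[:4] != MAGIC:
        return None
    seq, = struct.unpack(">Q", frame_bytes[4:12])
    digest, payload = frame_bytes[12:20], frame_bytes[20:]
    if hashlib.sha256(payload).digest()[:8] != digest:
        return None
    return seq, json.loads(payload)


def send_side(records, repeat=2):
    """Emit each record `repeat` times: redundancy stands in for retransmission."""
    out = []
    for seq, rec in enumerate(records):
        out.extend([frame(seq, rec)] * repeat)
    return out


class ReceiveSide:
    def __init__(self):
        self.store = {}      # seq -> record (this is the historian copy)
        self.corrupt = 0

    def ingest(self, frame_bytes):
        parsed = parse(frame_bytes)
        if parsed is None:
            self.corrupt += 1
            return
        seq, rec = parsed
        self.store.setdefault(seq, rec)   # duplicates are harmless

    def gaps(self):
        """Sequence numbers missing below the highest seen. These can only be logged
        and alarmed on the corporate side; nothing can be requested back through the diode."""
        if not self.store:
            return []
        top = max(self.store)
        return [s for s in range(top + 1) if s not in self.store]


def demo():
    records = [{"tag": "FIT-101", "ts": 1000 + i, "value": 12.5 + i} for i in range(6)]
    wire = send_side(records, repeat=2)
    # Constructed one-way channel: both copies of seq 1 are lost, the first copy of
    # seq 3 is lost, and the first copy of seq 4 arrives with a damaged byte.
    dropped = {2, 3, 6}
    rx = ReceiveSide()
    for i, f in enumerate(wire):
        if i in dropped:
            continue
        if i == 8:
            f = f[:-1] + b"X"
        rx.ingest(f)
    return rx
```

The gap in the copy is exactly the price of the one-way link: the OT side must keep its own complete historian, and the corporate side must treat the copy as possibly incomplete rather than as the system of record.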
Authenticated Proxy Access (APA)
• Downloadable access control rules
  – Who can access the site
  – Which devices can be accessed
  – What action can be performed
  – Time slot for service execution
• Benefits of the APA
  – Well documented, pre-set process
  – Using up-to-date AAA processes
• Audit trail
  – More granular post-event forensics
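The four rule dimensions above (who, which device, what action, when) evaluated by a proxy that writes an audit record for every decision, as an added example that is not part of the original slides or of SCCE's material. The rule format, the change-ticket field, the device names and the requests are constructed; the proxy denies by default, so a request that matches no rule is logged and refused.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessRule:
    user: str
    devices: frozenset     # devices the rule covers
    actions: frozenset     # e.g. "read", "write", "firmware"
    start: datetime        # service window (inclusive)
    end: datetime
    ticket: str            # change ticket that authorised the window


@dataclass
class AuthenticatedProxy:
    """Deny by default; every decision, allowed or not, lands in the audit trail."""
    rules: list
    audit: list = field(default_factory=list)

    def decide(self, user, device, action, now):
        reason = "no rule for this user"
        for r in self.rules:
            if r.user != user:
                continue
            if device not in r.devices:
                reason = "device not in rule"
                continue
            if action not in r.actions:
                reason = "action not permitted"
                continue
            if not (r.start <= now <= r.end):
                reason = "outside service window"
                continue
            self.audit.append((now.isoformat(), user, device, action, "ALLOW", r.ticket))
            return True
        self.audit.append((now.isoformat(), user, device, action, "DENY", reason))
        return False


def demo():
    utc = timezone.utc
    rule = AccessRule(
        user="vendor.eng",
        devices=frozenset({"PLC-07"}),
        actions=frozenset({"read", "write"}),
        start=datetime(2017, 9, 13, 9, 0, tzinfo=utc),
        end=datetime(2017, 9, 13, 12, 0, tzinfo=utc),
        ticket="CHG-1234",
    )
    proxy = AuthenticatedProxy(rules=[rule])

    def at(hour, minute=0):
        return datetime(2017, 9, 13, hour, minute, tzinfo=utc)

    requests = [
        ("vendor.eng", "PLC-07", "read", at(10)),       # inside the window, permitted action
        ("vendor.eng", "PLC-07", "firmware", at(10)),   # not among the approved actions
        ("vendor.eng", "PLC-08", "read", at(10)),       # device not covered by the ticket
        ("vendor.eng", "PLC-07", "write", at(13)),      # window has closed
        ("contractor.x", "PLC-07", "read", at(10)),     # no rule at all
    ]
    return proxy, [proxy.decide(*req) for req in requests]
```

Keeping the ticket number in the ALLOW record is what makes the audit trail forensically useful: each session on a PLC can be traced back to the change that authorised it.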
SIEM Provides Network-Wide Detection
Security Information and Event Management (SIEM)
• Collection of information from multiple sites
  – For large organizations with geographically spread OT
  – Reliable and comprehensive detection of cyber attacks
Linking the IDS to the SIEM
• IDS - Intrusion Detection System
  – IDS is suitable for ICS monitoring
  – Collects data from a range of field devices
  – Takes input from the anomaly detection computers
• IPS cannot (!) be used for OT
  – Unpredictable condition if the process stops
  – Impossible to test all possibilities prior to a stop
  – Operation SAFETY is most important
[Figure: several IDS sensors feeding one SIEM.]
The SIEM provides a broad view of the entire system operated by a large corporation
SW Updates for ICS: How? When?
• Every OS introduces patching code!!
  – The risk of incompatibility with the system must be mitigated
• Security update programs are mandatory, but the implementation must be careful
  – The new software must be tested, certified and accredited
• Testing for safe and reliable operation of new code is extremely costly and takes time
  – Occasional spectacular failures might stall the application programs
  – The process may take many weeks!!
Top 10 Cyber Attacks on ICS
1. Social engineering and phishing as the starting action
2. Delivering malware to the ICS via external media
3. Malware infection via a connected network
4. Attacking the ICS via authorized remote access
5. Attack through human error and sabotage
6. Attacks on IIoT devices connected to the Internet
7. Technical malfunctions and force majeure
8. Compromising the ICS through cloud access
9. Deployment of DDoS attacks on the ICS
10. Compromise of smartphones controlling the ICS
5 cyber defense actions you must do
• Conduct periodic cyber drills and exercises
  – Employees, contractors, suppliers...
• You must train your technical staff and users
  – Understanding the specific defenses for ICS and IT
• Become an expert on analyzing cyber events
  – Refer to the specific sections in both IT and ICS
• Establish a security policy for all operation levels
  – Without a policy, people may not act carefully
• Remember to be prepared for new challenges
  – Expect the unexpected!
10 things which you can NOT do 1/2
• Do not deploy a solution which interferes with the ICS control process
• Do not deploy an IPS unless you have approval from a committee involving ICS and cyber experts
• Do not install software programs, patches or updates prior to significant safety testing
• Do not allow remote connection to the ICS unless you have approval from ICS and cyber experts
• Do not allow backdoor connections to the ICS unless you have approval from ICS and cyber experts
10 things which you can NOT do 2/2
• Do not use an unsecured communication network between the remote and central sites
• Do not allow the use of a default, identical access password for all PLCs/RTUs at remote sites
• Do not allow direct connection between ICS segments having different ranks of security
• Do not justify/explain ROI to your management for obtaining budget for ICS cyber defense
• Do not allow panicked interruption of the ICS operation using non-approved and untested methods.
Questions Please.....
Presented by:
Daniel Ehrenreich
Secure Communication and Control Experts
Mail: [email protected]
Tel: 054-9151594
SCADA Cyber security?