
Protecting Utility Mission Critical Systems From Cybersecurity Threats

Presented By:

Miroslav Karlicic

Director, Business Development and Innovation

Utilismart Corporation

+1 (888) 652-0689

mkarlicic@utilismartcorp.com

www.utilismartcorp.com

January 2018 – Markham, Ontario

EDIST 2018

Cybercrime

“Cybercrime is a fast-growing area of crime. More and more criminals are exploiting the speed, convenience and anonymity of the internet to commit a diverse range of criminal activities that know no borders, either physical or virtual, cause serious harm and pose very real threats to victims worldwide.”

Interpol

Cybercrime

Cyberwarfare

Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation's computers or information networks through, for example, computer viruses or denial-of-service attacks.

Cybercriminal

A cybercriminal is an individual who commits cybercrimes, where he/she makes use of the computer either as a tool or as a target or as both.

techopedia

Cybercriminals Network (diagram): Programmers, Distributors, IT Experts, Hackers, Fraudsters, System Hosts and Providers, Leaders, Cashiers, Money Mules, Tellers, Corporate Buyers, Account Buyers, Bosses

Cybercrime Threats

• Deep Web

• Darknet

• Malware

• Bots and Botnets

Cybercrime Threats

• Malware - Trojans, Viruses and Worms
  • Code with malicious intent that typically steals data or destroys something on the computer.

• Phishing
  • Phishing emails include a link that directs the user to a dummy site that will steal a user’s information. In some cases, all a user has to do is click on the link.

• Password Attacks
  • Third party trying to gain access to your systems by cracking a user’s password.

• Denial-of-Service (DoS) Attacks
  • Focuses on disrupting the service to a network.

Cybercrime Threats

• “Man in the Middle” MITM
  • Impersonating the endpoints in an online information exchange

• Drive-By Downloads
  • Through malware on a legitimate website, a program is downloaded to a user’s system

• Malvertising
  • A way to compromise your computer with malicious code that is downloaded to your system when you click on an affected ad.

• Rogue Software
  • Malware that masquerades as legitimate and necessary security software that will keep your system safe.

Cybercrime Threats – 2017

• Ransomware – Ransomware top threat in 2017 cybercrime 'epidemic’ – Europol

• Data breaches

• Payment fraud

• Direct attacks on bank networks

• First serious attacks by botnets using insecure IoT

Darknet remains the cybercrime’s enabling platform!

Ala'a Elbeheri - LinkedIn

Anatomy of a Crypto-Ransomware Attack

Sophos - Twitter

Distribution of global data breach incidents in 2017

Statista – The Statistics Portal

Data Breaches are Expensive

419 companies in 13 country or regional samples

2,600 to 100,000 compromised records per company

Ponemon 2017 Cost of Data Study

Average total cost of data breach: $3.62 Million

One-year decrease in average total cost: 10%

The average cost per lost or stolen record: $141

Likelihood of a recurring breach over the next two years: 27.7%

Case Studies

Three-quarters of energy companies and utilities have experienced at least one data breach in the past 12 months, resulting in average clean-up costs of $156,000 per breach

Unisys Ponemon Survey

Case Studies

• December 2015 – Over 225,000 people lost power when hackers gained access to three regional electric power distribution companies. Attackers demonstrated planning, coordination, and the ability to use malware and possible direct remote access to blind system dispatchers and cause undesirable state changes to the distribution electricity infrastructure. The hackers also attempted to delay the restoration by wiping SCADA servers after they caused the outage.

• March 2016 – A US water utility was the subject of a cyber attack carried out by a group with ties to Syria. Hackers gained access to the SCADA control system and adjusted the chemical levels being used to treat tap water. The hack also resulted in the exposure of the personal information of 2.5 million customers.

• April 2016 – A US water and light utility was the victim of a ransomware attack which knocked their internal computer systems offline and encrypted their data. The utility decided to shut down its network and suspended some services in order to prevent further damage. A hefty ransom was demanded.

emerginrisk.com

Utility Industry – Cyberthreats

• Malware

• Ransomware

• Data Breaches

Utility Industry – Vulnerabilities

• General Business Disruption

• Inoperable Mission critical systems

• Financial, CIS, GIS, AMI/AMR, OMS, SCADA

• Loss of corporate documents and records

• Service Disruption

• SCADA

• AMI

• DMS

• Confidential Information Exposure

• Corporate

• Customer

Utility Industry – Business Impact

• Billing
  • Delayed
  • Erroneous / incomplete

• Service Delivery
  • Power Outages
  • Equipment Failures
  • Health and Safety Issues

Utility Industry – Consequences of Cyber Events

• Regulatory Penalties

• Customer Dissatisfaction

• Lawsuits

• Loss of License

• Labor Disputes

• Financial Losses

• Workplace fatalities

• Other

What to do? Where to start?

1. Select and Engage MSSP – Managed Security Services Provider

2. Conduct Security Training

3. Build / Improve Business Continuity and Disaster Recovery Plan

4. Redesign / Harden Your Network and Security Architecture

5. Third Party Network Security Assessment and Make Improvements

6. Implement / Improve ISMS (Information Security Management System)

7. Adopt ISO 27001:2013 International Standard

8. Implement NIST Cybersecurity Framework

9. Maintain a Sustainable Security Organization

Select and Engage MSSP – Managed Security Services Provider

Gartner’s MSSP Magic Quadrant 2017

Establish MSSP Selection Criteria

1. Track Record

2. Size, Experience and Qualifications
  • SIEM Development
  • R&D Funds and Capabilities

3. Solution Content
  • Managed SIEM (IPS, IDS) Capabilities
  • Dashboard, client console, reports, policies, rulesets (inbound, outbound, others), messages, implementation plan, administration, communication, cloud / on-premise, etc.

4. MDR (Managed Detection and Response) - Endpoint Solution

The Forrester Wave™ Endpoint Security Suites, Q4 2016

Establish MSSP Selection Criteria

5. Managed Firewall / SIEM Appliances

6. Has / Uses Threat Intelligence database
  • Owns, third party, both, none

7. Incident Management and Response Capabilities
  • Cyber Incident Forensic Capabilities

8. Number and Capabilities of SOCs (Security Operation Centres)
  • SLA, skilled staff

9. Secure Email Gateway

10. Price

MSSP Implementation

• Phased approach

• Protect external perimeter
  • Firewalls / SIEM Dual Appliances in High Availability (Auto Failover) Mode
  • Managed Firewall Recommended

• Protect End Points (All Devices) - MDR

• Implement Managed Compliance Monitoring on all servers

• Develop a responsibility matrix and communication plan

• Document workflows for all procedures that require MSSP

• Conduct training

• Assess / improve security posture

Conduct Security Training

1. ISO 27001:2013 Lead Auditor

2. Security Awareness Training – Provided by IT and Third Party

3. System Hardening Training

4. Consider hiring Information Security Management program graduates

Build / Improve Business Continuity and Disaster Recovery Plan

1. Conduct TRA (Threat Risk Assessment)
  • Determine which systems need to be backed up and how frequently
  • Determine RPO (Recovery Point Objective) and RTO (Recovery Time Objective)

2. Design backup / recovery plan using TRA for guidance

3. Ensure that backup media is encrypted

4. Use different network and domain credentials

5. Implement Backup plan

6. Test backup and recovery procedures
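As an added example (not from the deck), a POSIX shell routine for steps 3 and 6 of this list: the backup is encrypted before it leaves the host, and a restore drill proves it comes back intact. It assumes openssl, tar and sha256sum are installed; the directory names, passphrase file and sample data are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Utilismart slides. The passphrase file is
# meant to be readable only by a dedicated backup account that is NOT a
# domain administrator (step 4 of the slide: separate credentials).

# backup_encrypted SRC_DIR OUT_FILE PASS_FILE
# Archives SRC_DIR and encrypts the stream with AES-256-CBC (key derived
# from the passphrase with PBKDF2), so the media holds only ciphertext.
backup_encrypted() {
  tar -C "$1" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt \
      -pass file:"$3" -out "$2"
}

# verify_restore ENC_FILE PASS_FILE SRC_DIR
# Restores into a scratch directory and compares per-file SHA-256 hashes
# with the source; returns 0 only if every file matches. Run this as the
# "test backup and recovery procedures" drill, not just after the first job.
verify_restore() {
  scratch=$(mktemp -d) || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$2" -in "$1" \
    | tar -C "$scratch" -xf - || { rm -rf "$scratch"; return 1; }
  want=$(cd "$3" && find . -type f | LC_ALL=C sort | xargs sha256sum | sha256sum)
  got=$(cd "$scratch" && find . -type f | LC_ALL=C sort | xargs sha256sum | sha256sum)
  rm -rf "$scratch"
  [ "$want" = "$got" ]
}

# Demonstration on constructed data: a tiny "CIS" export, a random
# passphrase created with restrictive permissions, backup, then the drill.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/cis"
  printf 'account,balance\n1001,42.00\n' > "$work/cis/billing.csv"
  umask 077
  head -c 32 /dev/urandom | base64 > "$work/backup.pass"
  backup_encrypted "$work/cis" "$work/cis.tar.enc" "$work/backup.pass" &&
    verify_restore "$work/cis.tar.enc" "$work/backup.pass" "$work/cis"
  rc=$?
  rm -rf "$work"
  return $rc
}
```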

Redesign / Harden Your Network and Security Architecture

1. Using TRA, determine exposure of sensitive information assets

2. Design dedicated virtual local area networks (VLAN) for databases, financial systems and other mission critical systems

3. Disable access to internet for these systems

4. Ensure that access is given only to security and system administration personnel

5. Configure application access through port management and routing rules

6. Upgrade / update all systems to the latest patch level possible and implement an automatic patching process

7. Filter egress traffic

8. Implement system uptime and resource utilization monitoring and conduct frequent application penetration (PEN) tests
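An added example, not part of the original slides, of what steps 2 through 7 look like as a firewall ruleset: an nftables policy for a dedicated mission-critical VLAN with admin-only inbound access, port-scoped application access, and egress limited to an internal patch mirror, with everything else dropped and logged for the SIEM. The network addresses, ports and patch-mirror host are assumptions made for the example, and the firewall is assumed to forward traffic only for this segment.

```shell
#!/bin/sh
# Added example (not from the Utilismart deck). Constructed addressing:
# mission-critical VLAN 10.20.0.0/24, administrators on 10.10.5.0/24,
# billing application servers on 10.20.1.0/24 reaching the database on
# TCP 5432, internal patch mirror at 10.10.9.10 over TCP 443.
MC_NET="10.20.0.0/24"
ADMIN_NET="10.10.5.0/24"
APP_NET="10.20.1.0/24"
PATCH_MIRROR="10.10.9.10"

# gen_ruleset prints the nftables ruleset; apply_ruleset loads it (root only).
gen_ruleset() {
  cat <<EOF
table inet mc_segment {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # replies to sessions that were allowed below
    ct state established,related accept

    # step 4: only the admin VLAN may open management sessions into the MC VLAN
    ip saddr $ADMIN_NET ip daddr $MC_NET tcp dport { 22, 3389 } accept

    # step 5: application access through explicit ports only (billing -> DB)
    ip saddr $APP_NET ip daddr $MC_NET tcp dport 5432 accept

    # steps 6 and 7: the only egress the MC VLAN gets is the internal patch mirror
    ip saddr $MC_NET ip daddr $PATCH_MIRROR tcp dport 443 accept

    # step 3: no internet (or any other) egress; log so the SIEM sees attempts
    ip saddr $MC_NET log prefix "mc-egress-drop " drop
  }
}
EOF
}

apply_ruleset() {
  gen_ruleset | nft -f -
}
```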

Third Party Network Security Audit

1. Conduct Network Security Audit / Assessment Test
  • e.g. Selected MSSP, Rogers Managed Services, Digital Boundary Group, Scalar, Dell SecureWorks, etc.

2. Create CAPA (Corrective Action Preventive Action) Log

3. Prepare Improvement Plan based on CAPA log

4. Execute Improvement Plan

Third Party Network Security Audit Assessment

MCGlobalTech

Implement / Improve ISMS (Information Security Management System)

1. Complete ISO 27001:2013 Lead Auditor Training

2. Complete Asset Register
  • Identify and classify information assets
  • Assess their consolidation to fewer secure networks

3. Establish Security Organization

4. Conduct TRA

5. Develop Policies

6. Develop Procedures

• Incident Management

• Change Management

• Information Handling

• User Access

• Risk Assessment

• Internal Audit

• Physical Security

Implement / Improve ISMS (Information Security Management System)

7. Create Manuals

• ISMS

• IT

• BCP

8. Create forms

9. Create IT Manual

• Backup

• Offsite Data Storage

• Monitoring and Alerts

• Computer Deployment

• Server Build

• Patch Management

• System Hardening

• User Setup / Termination

Maintain ISMS

Adopt ISO 27001:2013 International Standard

• Contact BSI Canada

• Use ISO 27002 Code of Practice guidelines
  • Enhance ISMS to meet the requirements

• Schedule Audit

• Maintain ISMS

Implement NIST Cybersecurity Framework

• Join OEB Cyber Security Working Group (CSWG)

• Get familiar with Proposed Ontario Cyber Security Framework

• Compare the framework requirements against your ISMS security controls and identify gaps

• Create a plan to close the identified gaps

• Collaborate with other LDCs

Maintain a Sustainable Security Organization

• Maintain ISMS using PDCA model

• Provide security training to staff

• Focus on network design, access management and data encryption

• Conduct TRA every time a change / modification to the system is required

• Review BCP based on TRA input and test it frequently

• Use CAPA log to identify and track all changes required

• Evaluate MSSP every six months

• Continue investing in staff with cybersecurity background and experience

• Collaborate with other LDCs

• Ensure that there is full corporate buy-in and commitment to a sustainable ISMS

• Keep investing in security appliances and software and keep them up to date

• Conduct frequent internal and external network security assessments and PEN tests

Utilismart MSSP

Rogers Security Powered by Trustwave

As your network carrier, Rogers:

• Knows your network best

• Continues to be a single point of contact

• Keeps your billing simple

Objective: Protect data, manage risk and achieve compliance while driving efficiency and innovation.

(Diagram) Data Centres, Apps & Systems, Contact Centre, Cloud Security, Networks, Collaboration, Assets, Customers, Internet, Fixed, Mobile, Public Telephone Network

Why Trustwave (figure): Serving, Global, Growing, Innovating; over 3 Million subscribers; over 1,600 employees; employees in 26 countries; customers in 98 countries; over 56 patents granted / pending

Vulnerability Management

Global Threat Database feeding Big Data back-end

Threat Management

Integrated portfolio of technologies delivering comprehensive protection

Compliance Management

Leading provider of cloud delivered IT-GRC services

Threat Intelligence

Trustwave’s Global Reach

Headquarters:
• Chicago*, London, Sydney, São Paulo

Sales and Consulting:
• US, Canada, Mexico, Colombia, Brazil, UK, The Netherlands, Sweden, France, Germany, Greece, Jordan, UAE, S. Africa, China, Singapore, Australia, New Zealand

SpiderLabs & Innovation Centers:
• US, Canada, Israel, New Zealand

9 Advanced Security Operations Centers:
• Chicago, Denver, Minneapolis, Warsaw, Singapore, Waterloo, Ontario, Manila, Sydney, Japan

• 67 % staff dedicated to Developing/Delivery Solutions

Headcount: 1,600+

Trustwave’s SpiderLabs

SpiderLabs Team

• Industry veterans and thought leaders in ethical hacking and security research

• Over 150 experts across 17 countries, with average 12 years of experience

• Backgrounds in law enforcement, government and military services

• Sought out industry speakers and published authors

EXPERT TESTING: Offensive security testing delivered on time, on budget and on demand

INCIDENT READINESS & RESPONSE: Services designed to prevent compromise and protect integrity of business and data

FORENSICS INVESTIGATIONS: Post-incident analysis of actual security breaches and data loss

SpiderLabs Research - Annual GSR Report

• Hundreds of investigations in 17 countries

• Billions of events each day – 8 Global SOCs

• 4 million vulnerability scans

• Tens of millions of web transactions

• Millions of malicious websites blocked

• Thousands of penetration tests

Questions?

Thank You
