cip malicious code with... cip-003-8; cip-005-6 •ids/ips cip-007-6 •authentication...

Click here to load reader

Post on 05-Feb-2021

2 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • Kenath Carver

    Manager, CIP Compliance Monitoring

    CIP Malicious Code

  • 2

    November 18, 2020

    Antitrust Admonition

    Texas Reliability Entity, Inc. (Texas RE) strictly prohibits persons

    participating in Texas RE activities from using their participation as a

    forum for engaging in practices or communications that violate

    antitrust laws. Texas RE has approved antitrust guidelines available on

    its website. If you believe that antitrust laws have been violated at a

    Texas RE meeting, or if you have any questions about the antitrust

    guidelines, please contact the Texas RE General Counsel.

    Notice of this meeting was posted on the Texas RE website and the

    open portion of this meeting is being held in public. Participants should

    keep in mind that the listening audience may include members of the

    press, representatives from various governmental authorities, and

    industry stakeholders.

  • Kenath Carver

    Manager, CIP Compliance Monitoring

    CIP Malicious Code

  • 4

    November 18, 2020

    THREATS + VULNERABILITIES = RISKS

    Reliability & Security

    Compliance Controls

  • 5

    November 18, 2020

    Risks

    Advanced Persistent Threat

    Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)

    Malicious Code and Communications

    SQL Injection

    Malware

    Virus

    Trojan

    Spyware

    Ransomware

    Worm

    Social Engineering

    Black Energy

    Stuxnet

    Spectre

    Cryptolocker

    WannaCry

    Spear Phishing

    Dragonfly

    OilRig

    Sandworm

  • 6

    November 18, 2020

    Industrial Control Systems

    Programable Logic

    Controllers

    Distributed Control Systems

    Supervisory Control and

    Data Acquisition

    Remote Terminal Units

    Human-Machine Interface

    Intelligent Electronic Devices

    Data Historian Relays Communication

    Processors

  • 7

    November 18, 2020

    Lockheed Martin - The Cyber Kill Chain®

    Reconnaissance Weaponization Delivery Exploitation Installation Command &

    Control Actions on Objectives

  • 8

    November 18, 2020

    The MITRE Corporation (MITRE) - ATT&CK®

    Initial Access

    Execution Persistence Evasion Discovery Lateral

    Movement Collection

    Command and Control

    Inhibit Response Function

    Impair Process Control

    Impact

  • 9

    November 18, 2020

    The Cyber Kill Chain® versus ATT&CK®

    Reconnaissance

    Weaponization

    Delivery

    Exploitation

    Installation

    Command & Control

    Actions on Objectives

    ATT&CK®

    1. Initial Access

    2. Execution

    3. Persistence

    4. Evasion

    5. Discovery

    6. Lateral Movement

    7. Collection

    8. Command and Control

    9. Inhibit Response Function

    10. Impair Process Control

    11. Impact

  • 10

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Initial Access

    • Data Historian Compromise

    • Drive-by Compromise

    • Engineering Workstation Compromise

    • Exploit Public-Facing Application

    • External Remote Services

    • Internet Accessible Device

    • Replication through Removable Media

    • Spear Phishing Attachment

    • Supply Chain Compromise

    • Wireless Compromise

    CIP-003-8; CIP-005-6

    • Network segmentation

    CIP-007-6

    • Host-based Firewall

    • Security Patch Management

    • Antivirus protection

    • White-listing

    • Security Event Logs

    • Authentication

    CIP-010-3

    • Vulnerability assessments

    CIP-013-1

    • Supply Chain Risk Management

  • 11

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Execution • Change Program State

    • Command-Line Interface

    • Execution through API

    • Graphical User Interface

    • Man in the Middle

    • Program Organization Units

    • Project File Infection

    • Scripting

    • User Execution

    CIP-004-6 • Access Management

    CIP-003-8; CIP-005-6 • IDS/IPS

    CIP-007-6 • Authentication

    CIP-10-3 • Baseline Configuration

    • Baseline Monitoring

  • 12

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Persistence

    • Hooking

    • Module Firmware

    • Program Download

    • Project File Infection

    • System Firmware

    • Valid Accounts

    CIP-004-6

    • Account privileges auditing

    CIP-003-8; CIP-005-6

    • Network Segmentation

    • Inbound and outbound permissions

    CIP-010-6

    • Software and security patch authenticity and integrity

  • 13

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Evasion

    • Exploitation for Evasion

    • Indicator Removal on Host

    • Masquerading

    • Rogue Master Device

    • Rootkit

    • Spoof Reporting Message

    • Utilize/Change Operating Mode

    CIP-007-6

    • Security Patch Management

    • Antivirus protection

    • White-listing

    CIP-010-3

    • Baseline Configuration

    • Baseline Monitoring

    • Software and security patch authenticity and integrity

  • 14

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Discovery

    • Control Device Identification

    • I/O Module Discovery

    • Network Connection Enumeration

    • Network Service Scanning

    • Network Sniffing

    • Remote System Discovery

    • Serial Connection Enumeration

    CIP-003-8; CIP-005-6

    • Network Segmentation

    • Multi-factor Authentication

    CIP-012-1

    • Encrypt Network Traffic

  • 15

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Lateral Movement

    • Default Credentials

    • Exploitation of Remote Services

    • External Remote Services

    • Program Organization Units

    • Remote File Copy

    • Valid Accounts

    CIP-004-6

    • Access Management

    CIP-005-6

    • Network Segmentation

    CIP-007-6

    • White-listing Software

    • Security Patch Management

    • Password Policies

    CIP-010-3

    • Monitoring Baselines

    • Vulnerability Scanning

    • Software and security patch authenticity and integrity

  • 16

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Collection

    • Automated Collection

    • Data from Information Repositories

    • Detect Operating Mode

    • Detect Program State

    • I/O Image

    • Location Identification

    • Monitor Process State

    • Point & Tag Identification

    • Program Upload

    • Role Identification

    • Screen Capture

    CIP-005-6

    • Network Segmentation

    • Inbound and outbound permissions

    CIP-004-6

    • Personnel Training

    • Access Management

    CIP-007-6

    • Authentication

    • Password Policies

    CIP-011-2

    • Information Protection

    • Encryption

  • 17

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Command and Control

    • Commonly Used Port

    • Connection Proxy

    • Standard Application Layer Protocol

    CIP-005-6

    • Network Segmentation

    • IDS/IPS

    CIP-007-6

    • Ports and Services

  • 18

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Inhibit Response Function

    • Activate Firmware Update Mode

    • Alarm Suppression

    • Block Command Message

    • Block Reporting Message

    • Block Serial COM

    • Data Destruction

    • Denial of Service

    • Device Restart/Shutdown

    • Manipulate I/O Image

    • Modify Alarm Settings

    • Modify Control Logic

    • Program Download

    • Rootkit

    • System Firmware

    • Utilize/Change Operating Mode

    CIP-004-6

    • Access Management

    CIP-005-6

    • Network Segmentation

    • Inbound and outbound permissions

    CIP-007-6

    • Authentication

  • 19

    November 18, 2020

    ATT&CK® for Industrial Control Systems

    Impair Process Control

    • Brute Force I/O

    • Change Program State

    • Masquerading

    • Modify Control Logic

    • Modify Parameter

    • Module Firmware

    • Program Download

    • Rogue Master Device

    • Service Stop

    • Spoof Reporting Message

    • Unauthorized Command Message

    CIP-004-6

    • Account Management

    CIP-005-6

    • Network Segmentation

    CIP-007-6

    • White-listing

    CIP-010-3