Defending Your Base of Operations
How Industrial Control Systems are being Targeted
TechNet Augusta 2015
Role of Cyber in Conflict?
Cyber Statecraft
Russia is using cyber attacks including online network disruptions, espionage, disinformation and propaganda activities in the Ukraine conflict.
Iran and North Korea now consider disruptive and destructive cyberspace operations a valid instrument of statecraft, including during what the U.S. considers peacetime. These states likely view cyberspace operations as an effective means of imposing costs on their adversaries while limiting the likelihood of damaging reprisals.
Terrorist groups and non-state actors also have shown an interest in cyber attacks but lack the capability of state-sponsored threats.
The director of the Defense Intelligence Agency, Marine Corps Lt. Gen. Vincent Stewart, House Armed Services Committee, Feb. 3, 2015
Arctic Competition Scenario
Cyber Espionage & IPB
www.fireeye.com
FireEye Threat Intelligence assesses that threat actors aggressively target strategic industries and government and military organizations in search of valuable economic, political, or military intelligence.
• State-sponsored threat actors
• Possibility of strategic offensive computer network attacks
“Russia-based threat groups are known to target Nordic governments and industries that compete with Russia in the European energy market. Russia and its Arctic Circle neighbors have overlapping territorial claims and conflicting interests in the region.”
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-nordic-threat-landscape.pdf
IPB & Espionage: The Patient Warrior?
The patient warrior codex: Do no instantly recognizable harm today. Maneuver to gain the advantage and accumulate small victories in time. Act so as not to be perceived as striking. All the time learning, taking, and eventually formulating a decisive blow.
Is IPB the cyber equivalent of the Battle of Ilipa in 206 BC?
Day after day, the battle lines formed up as both sides sized each other up. One side was being lulled by the routine, while the other was learning and formulating their attack. Each day the Carthaginian force took the field, Scipio was taking away something valuable from them...until he understood their critical weakness
…and on any given day we may wake to a surprise as the opponent’s line draws down with the full benefit of knowing us
What Has Changed?
The value-driven business model of targeted cyber attack.
Installation ‘ICS’ Susceptibility
Dangerous Seas - Behind?
OPM Espionage
Havex
BlackEnergy
APT1 Energy Campaign
German Iron Works
Tip of the Iceberg (ICS Attackers)
Observed Attack Trends
• ICS-specific targeting, delivery, payloads (Stuxnet, Havex, BE2)
• Overcome expected defenses - gap jumping (Stuxnet, Havex)
• Protocol custom/capable attacks (Havex)
• ICS-specific exploit tool development (Researchers, Havex, BE2)
• ICS-specific exploit tools used (Honeypot research, Havex, BE2)
• Process-focused & equipment under control (Stuxnet, BSI Incident)
• Firmware aware (Honeypot research)
• Data destruction/resource depletion (Incidents, BE2 Module)
• Sophisticated cyber tradecraft able to defeat security tools
Requires Multi-Staged Attacks
Stage 1 - ICS Kill Chain
Stage 2 - ICS Kill Chain
Energy Targeting
How Sophisticated is It?
ICS 515
Importance of Engineering
Diagram labels: Technology; Operations; Process
“Attackers are learning the importance of what is below the waterline…so should we”
Cyber-Informed Engineering
Questions?