Defending Your Base of Operations: How Industrial Control Systems are Being Targeted (TechNet Augusta 2015)

Upload: afcea-international

Post on 22-Jan-2018


TRANSCRIPT

Page 1: Defending Your Base of Operations: How Industrial Control Systems are Being Targeted at TechNet Augusta 2015

Defending Your Base of Operations

How Industrial Control Systems are being Targeted

TechNet Augusta 2015

Page 2

Role of Cyber in Conflict?

Page 3

Cyber Statecraft

Russia is using cyber attacks including online network disruptions, espionage, disinformation and propaganda activities in the Ukraine conflict.

Iran and North Korea now consider disruptive and destructive cyberspace operations a valid instrument of statecraft, including during what the U.S. considers peacetime. These states likely view cyberspace operations as an effective means of imposing costs on their adversaries while limiting the likelihood of damaging reprisals.

Terrorist groups and non-state actors also have shown an interest in cyber attacks but lack the capability of state-sponsored threats.

The director of the Defense Intelligence Agency, Marine Corps Lt. Gen. Vincent Stewart, House Armed Services Committee, Feb. 3, 2015

Page 4
Page 5

Arctic Competition Scenario

Page 6

Cyber Espionage & IPB

www.fireeye.com

FireEye Threat Intelligence assesses that threat actors aggressively target strategic industries and government and military organizations in search of valuable economic, political, or military intelligence.

• State sponsored threat actors

• Possibility of strategic offensive computer network attacks

“Russia-based threat groups are known to target Nordic governments and industries that compete with Russia in the European energy market. Russia and its Arctic Circle neighbors have overlapping territorial claims and conflicting interests in the region.”

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-nordic-threat-landscape.pdf

Page 7

IPB & Espionage: The Patient Warrior?

The patient warrior codex: Do no instantly recognizable harm today. Maneuver to gain the advantage and accumulate small victories in time. Act so not to be perceived as striking. All the time learning, taking, and eventually formulating a decisive blow.

Is IPB the cyber equivalent of the Battle of Ilipa in 206 BC?

Day after day, the battle lines formed up as both sides sized each other up. One side was being lulled by the routine, while the other was learning and formulating their attack. Each day the Carthaginian force took the field, Scipio was taking away something valuable from them...until he understood their critical weakness

…and on any given day we may wake to a surprise as the opponent’s line draws down with the full benefit of knowing us

Page 8

What Has Changed?

The value-driven business model of targeted cyber attack.

Page 9

Installation ‘ICS’ Susceptibility

Page 10

Dangerous Seas - Behind?

OPM Espionage

Havex

Black Energy

APT1 Energy Campaign

German Iron Works

Page 11

Tip of the Iceberg (ICS Attackers)

Page 12

Observed Attack Trends

• ICS-specific targeting, delivery, payloads (Stuxnet, Havex, BE2)

• Overcome expected defenses - gap jumping (Stuxnet, Havex)

• Protocol custom/capable attacks (Havex)

• ICS-specific exploit tool development (Researchers, Havex, BE2)

• ICS-specific exploit tools used (Honeypot research, Havex, BE2)

• Process-focused & equipment under control (Stuxnet, BSI Incident)

• Firmware aware (Honeypot research)

• Data destruction/resource depletion (Incidents, BE2 Module)

• Sophisticated cyber tradecraft able to defeat security tools

Page 13

Requires Multi-Staged Attacks

Page 14

Stage 1 - ICS Kill Chain

Page 15

Stage 2 - ICS Kill Chain

Page 16
Page 17
Page 18

Energy Targeting

Page 19
Page 20
Page 21
Page 22

How Sophisticated is It?

Page 23
Page 24
Page 25

ICS 515

Page 26
Page 27

Importance of Engineering

[Figure labels: Technology, Operations, Process]

“Attackers are learning the importance of what is below the waterline…so should we”

Page 28

Cyber Informed Engineering

Page 29

Questions?