The Axis of Physical and Cyber Security – providing three-dimensional threat protection
Presenters:
Jim Willis, CEO, InDev Tactical
Doug King, Technical Service Engineer Sr. Staff, Lockheed Martin Energy @ Rappahannock Electric Cooperative
Presenters
Jim Willis, CMAS, CHS-I
CEO, InDev Tactical
• Security consulting for electric co-op clients
• 40+ years electric power experience (co-op lineman/engineer/manager/NRECA/consultant/subject-matter expert)
• Credentialed security & anti-terrorism expert
• Afghanistan, 6 yrs, reconstruction & security (USAID, DOD, ISAF)
• Developed “ASSIST”, a proprietary active shooter and violence prevention training for the electric power industry.
MSc, International Development & Security; BS, Electrical Engineering.
Doug King, Technical Service Engineer and Cybersecurity Lead
Doug is a senior member of Lockheed Martin Energy’s Rappahannock Electric Cooperative IT and Cybersecurity services team.
Doug has over 20 years IT experience which includes:
• 4 years DoD Global Operational Support
• 14 years of electric cooperative support in information security operations
Doug’s expertise includes cyber threat and targeted attack defense and response.
Physical & Cyber Security
Different roles
Same goals
Cost of a data breach in 2016
Energy sector cost per compromised record = $148
For a co-op with 35,000 records that is 35,000 × $148, over $5,000,000
Data Protection: defending against unauthorized access, physically & digitally
3 Dimensional Data Protection
• Physical Security: Static Security Measures, Dynamic Security Tactics
• Cyber Security: Pre-attack Defense, Active Attack Response
• Collaboration between the two
Physical Security
Static Security Measures
Security elements used to protect the co-op’s digital sphere from internal and external assault.
Static Security Measures
Physical vulnerabilities:
• Server rooms: approach, access, and theft of stored data
• Voice & data interface points and cabinets
• SCADA network cabinets
Dynamic Security Tactics
Employing human resources (subject-matter experts & security consultants) to:
• Implement active security measures,
• Effectively communicate the threat, &
• Modify workplace culture.
Dynamic Security Tactics for physical security:
• Training
• Security audits
• Enhanced procedure development & action plans
Cyber Security
Pre-attack Defense and Active Attack Response
The Dilemmas
Defender’s Dilemma: “We have to get security right every time – an attacker only has to get it right once.”
Attacker’s Dilemma: “We only need to detect one of the indicators of the attacker’s presence in order to initiate incident response.”
Scenario
Over a long summer holiday weekend, someone cut a substation fence and attempted to steal a few dollars’ worth of copper. The communications shed in the substation was also broken into, but nothing was taken. Copper is not stored in the communications shed.
Scenario
Later that fall, the cooperative’s troublesome, aging security system alarmed over Thanksgiving weekend. The Sheriff’s department and a senior cooperative employee responded but didn’t find any signs of a break-in. They silenced the alarm and returned to their families.
Scenario
On Monday, a cursory check shows nothing of value was taken. However, an administrator notices that sometime over the weekend a server completely lost power and power was restored approximately 10 minutes later. The server is normal and healthy. The administrator worries about possible hardware failure. The hardware vendor checked the system and all is well.
Scenario (cont)
What really happened?
Scenario (cont)
Two years prior, an advanced persistent threat (APT) team was tasked by a foreign nation state to breach a US electric distribution cooperative that serves strategically and politically sensitive US government facilities.
The primary purpose of this tasking was to, at a time of the foreign nation state’s choosing, send a strong message to US leadership and intelligence communities by demonstrating hostile command and control (C2) of a US utility. In order to accomplish this task the APT decided to use the cover of a “routine” PII attack in case their attempts were detected.
The APT team found that remote external network penetration was too “noisy”. Instead, the APT team decided to engage with a physical attack.
Scenario (cont)
Using OSINT (Open Source Intelligence) gathered from Google Maps, the APT first chose to attack the substation, as Google Maps imagery showed that there was a communications shed that was not well protected. Ultimately, the shed contained only a minimal amount of equipment and had no direct enterprise or grid connectivity.
At the cooperative HQ, Google Maps showed little fencing and large cooling equipment on one of the roofs. The APT team assumed that this building contained the datacenter.
The APT used a duplicated RFID badge to access the building. The original badge was scanned for duplication during TechAdvantage 2017.
Scenario (cont)
Once inside the data center, a physical server was located. The server had a label affixed to it: “Domain Controller 002”. The APT forced the system off, reapplied power, and booted it from inserted removable media in order to copy a single file from the domain controller.
The APT stole a copy of the cooperative’s Active Directory database (ntds.dit), which holds the password hashes for all AD accounts. All password hashes and configuration information are stored there. Secretsdump.py was used to extract the password hashes. (Decrypting the hashes offline also needs the boot key from the SYSTEM registry hive on the same disk; an attacker with this level of access takes both.)
The APT plans to leverage the password hashes to create custom malicious payloads that will be delivered by email, USB flash drives and social media later that year to establish remote C2. Since the payloads are customized and use the credentials of stolen service accounts, the probability of success is quite high.
Pre-attack Defense
Cybersecurity – Preattack Defense
• Develop and practice a physical attack incident response plan
• Treat ALL physical attacks as a potential cyber attack
• Be proactive and adversarial
• Threat hunt for Indicators of Compromise (IOCs)
• Research & study the Tactics, Techniques, and Procedures (TTPs) of threat actors
• Search for and explain anomalies
• Retain a minimum of 2 years of logs for all PCs, servers and systems
• Regular open-box (full-knowledge) red team penetration testing
• Forensic logging for all PCs, servers and systems
• 24/7/365 IDS/IPS monitoring & alerting
• Install and maintain centralized logging and reporting (SIEM)
• Consistent and dedicated InfoSec training for support staff
• PowerShell logging for all PCs and servers
• Do not implicitly “trust” the security practices of your vendors
• Practice least administrative privilege (take local Administrator rights away from day-to-day accounts)
• Randomize local Administrator passwords (LAPS)
• Install a SIEM (Graylog, Splunk, etc.)
• Ingest event logs from all PCs, IoT devices, & servers into the SIEM (Security Information & Event Management)
• Endpoint Detection and Response (Carbon Black, FireEye, etc.)
• Audit and monitor internet ingress/egress from your networks
• Audit Active Directory (Ask the hard questions)
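A few of those hard questions, asked in PowerShell. This is an added example and not the presenters’ code: the checks are written as a function over user and computer objects so they can be shown on constructed sample data and then fed from the ActiveDirectory module unchanged. The 90-day password age, the sample account and host names, and the use of LAPS (ms-Mcs-AdmPwdExpirationTime) as the local-admin password solution are assumptions.

```powershell
# Added example (not from the presentation): AD hygiene checks that tie back to
# the scenario above (a service account whose stolen hash becomes C2) and to the
# LAPS / least-privilege bullets. Thresholds and sample names are assumptions.

function Test-AdHygiene {
    param(
        [Parameter(Mandatory)] [object[]] $Users,        # Get-ADUser objects
        [Parameter(Mandatory)] [object[]] $Computers,    # Get-ADComputer objects
        [Parameter(Mandatory)] [string[]] $DomainAdmins, # SamAccountNames in Domain Admins
        [int] $MaxPasswordAgeDays = 90,                  # assumption: tune to policy
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in ($Users | Where-Object { $_.Enabled })) {
        # A service account (it has an SPN) that is also a Domain Admin is exactly
        # the account whose hash from ntds.dit gives an attacker the whole domain.
        if ($u.ServicePrincipalName -and ($u.SamAccountName -in $DomainAdmins)) {
            [pscustomobject]@{ Finding = 'SPN_ACCOUNT_IN_DOMAIN_ADMINS'; Object = $u.SamAccountName
                               Detail = (@($u.ServicePrincipalName) -join ';') }
        }
        if ($u.PasswordNeverExpires) {
            [pscustomobject]@{ Finding = 'PASSWORD_NEVER_EXPIRES'; Object = $u.SamAccountName; Detail = '' }
        }
        if ($u.PasswordLastSet -and ($Now - $u.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays) {
            [pscustomobject]@{ Finding = 'STALE_PASSWORD'; Object = $u.SamAccountName
                               Detail = 'last set ' + $u.PasswordLastSet.ToString('yyyy-MM-dd') }
        }
    }
    foreach ($c in ($Computers | Where-Object { $_.Enabled })) {
        # LAPS stamps ms-Mcs-AdmPwdExpirationTime once it manages a machine's local
        # Administrator password. No value means that password is still whatever the
        # image set, shared with every other machine built the same way.
        if (-not $c.'ms-Mcs-AdmPwdExpirationTime') {
            [pscustomobject]@{ Finding = 'LAPS_NOT_APPLIED'; Object = $c.Name; Detail = $c.OperatingSystem }
        }
    }
}

# Live use (ActiveDirectory module). Domain controllers have no local accounts,
# so LAPS does not apply to them and they are excluded from the computer set.
#   $users = Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName
#   $comps = Get-ADComputer -Filter * -Properties OperatingSystem, 'ms-Mcs-AdmPwdExpirationTime' |
#                Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' }
#   $das   = Get-ADGroupMember 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
#   Test-AdHygiene -Users $users -Computers $comps -DomainAdmins $das | Export-Csv ad-audit.csv -NoTypeInformation

# Constructed sample data so the logic runs offline (names are made up):
$asOf = Get-Date '2017-03-01'
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'svc_scada'; Enabled = $true;  PasswordNeverExpires = $true
                       PasswordLastSet = (Get-Date '2014-06-10'); ServicePrincipalName = @('MSSQLSvc/scada-db.coop.local:1433') }
    [pscustomobject]@{ SamAccountName = 'jsmith';    Enabled = $true;  PasswordNeverExpires = $false
                       PasswordLastSet = (Get-Date '2017-02-15'); ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'oldadmin';  Enabled = $false; PasswordNeverExpires = $true
                       PasswordLastSet = (Get-Date '2012-01-01'); ServicePrincipalName = @() }
)
$sampleComputers = @(
    [pscustomobject]@{ Name = 'FILESRV01'; Enabled = $true; OperatingSystem = 'Windows Server 2012 R2'; 'ms-Mcs-AdmPwdExpirationTime' = 131336000000000000 }
    [pscustomobject]@{ Name = 'WS-LOBBY';  Enabled = $true; OperatingSystem = 'Windows 7 Professional'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)
Test-AdHygiene -Users $sampleUsers -Computers $sampleComputers -DomainAdmins @('Administrator', 'svc_scada') -Now $asOf |
    Format-Table -AutoSize
```

On the sample data the function reports svc_scada three times (SPN account in Domain Admins, password never expires, stale password) and WS-LOBBY once (no LAPS). The disabled oldadmin account is skipped on purpose; disabled accounts are a separate question (why do they still exist) rather than a password-hygiene finding.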
• Monitor Active Directory for changes (Netwrix Auditor, etc.)
• Baseline running processes and store the baseline in a safe place: Get-Process | Select-Object Name, FileVersion, ProductVersion, Company, Path | Export-Csv -NoTypeInformation process.csv
• Microsoft Advanced Threat Analytics (MS ATA)
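Taking the baseline is half of the bullet; the other half is comparing a host against it later. The following is an added example, not the presenters’ code: it keeps the same columns as the one-liner above, adds a SHA256 of each image on disk so a replaced binary with the same name and version still shows up, and reports drift in both directions. The share path, the sample rows and the EDR agent path are assumptions.

```powershell
# Added example (not from the presentation): process baseline and drift check.
# Assumptions: the baseline CSV lives off-host (the slide's "safe place"), the
# image path identifies a process, and the sample rows below are constructed.

function Get-ProcessSnapshot {
    # One record per distinct running image, same columns as the slide's
    # Select-Object plus the SHA256 of the file on disk. Images the current
    # account cannot read are kept with an empty hash rather than dropped.
    Get-Process |
        Where-Object { $_.Path } |
        Sort-Object -Property Path -Unique |
        ForEach-Object {
            $hash = ''
            try { $hash = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }
            [pscustomobject]@{
                Name           = $_.Name
                FileVersion    = $_.FileVersion
                ProductVersion = $_.ProductVersion
                Company        = $_.Company
                Path           = $_.Path
                Sha256         = $hash
            }
        }
}

function Compare-ProcessBaseline {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,  # rows from the stored CSV
        [Parameter(Mandatory)] [object[]] $Current    # rows from Get-ProcessSnapshot
    )
    # Index the baseline by lower-cased path. Windows paths are case-insensitive,
    # and keying on the full path (not the name) is what separates an attacker's
    # C:\Users\Public\svchost.exe from C:\Windows\System32\svchost.exe.
    $known = @{}
    foreach ($b in $Baseline) { $known[$b.Path.ToLowerInvariant()] = $b }
    foreach ($c in $Current) {
        $key = $c.Path.ToLowerInvariant()
        if (-not $known.ContainsKey($key)) {
            [pscustomobject]@{ Finding = 'NEW_IMAGE'; Path = $c.Path; Detail = "$($c.Name), $($c.Company), $($c.FileVersion)" }
        }
        elseif ($known[$key].Sha256 -and $c.Sha256 -and ($known[$key].Sha256 -ne $c.Sha256)) {
            [pscustomobject]@{ Finding = 'IMAGE_CHANGED'; Path = $c.Path; Detail = "version $($known[$key].FileVersion) -> $($c.FileVersion)" }
        }
    }
    $runningPaths = @($Current | ForEach-Object { $_.Path.ToLowerInvariant() })
    foreach ($k in $known.Keys) {
        # A baseline image that is no longer running (an EDR agent, the log
        # forwarder) is drift in the other direction and worth a look too.
        if ($runningPaths -notcontains $k) {
            [pscustomobject]@{ Finding = 'NOT_RUNNING'; Path = $known[$k].Path; Detail = $known[$k].Name }
        }
    }
}

# Real use. Baseline once on a known-good build and keep the CSV off the host:
#   Get-ProcessSnapshot | Export-Csv -NoTypeInformation \\secure-share\baselines\fileserver01.csv
# Then on a schedule, or after an event like the unexplained power loss in the scenario:
#   Compare-ProcessBaseline -Baseline (Import-Csv \\secure-share\baselines\fileserver01.csv) -Current (Get-ProcessSnapshot)

# Constructed sample rows so the comparison can be exercised without a live host:
$sampleBaseline = @(
    [pscustomobject]@{ Name = 'svchost'; FileVersion = '10.0.14393.0'; ProductVersion = '10.0.14393.0'; Company = 'Microsoft Corporation'; Path = 'C:\Windows\System32\svchost.exe'; Sha256 = 'A1' }
    [pscustomobject]@{ Name = 'agent';   FileVersion = '6.1.0';        ProductVersion = '6.1.0';        Company = 'EDR Vendor (sample)';   Path = 'C:\Program Files\EDR\agent.exe';   Sha256 = 'B2' }
)
$sampleCurrent = @(
    [pscustomobject]@{ Name = 'svchost'; FileVersion = '10.0.14393.0'; ProductVersion = '10.0.14393.0'; Company = 'Microsoft Corporation'; Path = 'C:\Windows\System32\svchost.exe'; Sha256 = 'A1' }
    [pscustomobject]@{ Name = 'svchost'; FileVersion = '10.0.14393.0'; ProductVersion = '';             Company = '';                      Path = 'C:\Users\Public\svchost.exe';    Sha256 = 'C3' }
)
Compare-ProcessBaseline -Baseline $sampleBaseline -Current $sampleCurrent | Format-Table -AutoSize
```

On the sample rows the check flags the svchost.exe running out of C:\Users\Public as NEW_IMAGE and the absent EDR agent as NOT_RUNNING; the legitimate System32 svchost.exe matches on path and hash and is silent. Hashing every image on a busy server takes a few seconds, which is the price of catching a same-name, same-version replacement.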
• Honeypots (Canary)
• Honey files
• Honey tokens / honey accounts
• Pepper your enterprise with detection “tripwires”
• Deploy deception (fake employees, LinkedIn, Facebook, Twitter, email, etc.)
Purple Teams
• Send your defenders to penetration testing and hacking courses
• Your defenders will become better defenders
• Your defenders will be able to anticipate and quickly adapt to threats
• Conduct a recurring 3rd-party penetration test to test your defenders
• The money spent on a penetration test is actually training for your defenders
Active Attack Response
Cybersecurity – Active Attack Response
• Follow a well-rehearsed incident response plan (IRP) that addresses all facets of your organization.
• Work quickly to protect what makes you a valuable target: PII and grid control systems
• Immediately secure your backup solution
• Be prepared to work with law enforcement (FBI, DHS, etc.)
• Assume the worst until proven otherwise
• Be prepared to sever network connections (LAN & WAN)
• Preserve forensic evidence whenever possible
• Look for devices that were left behind: network taps, wireless devices, etc.
• Review any and all available camera footage
• When in doubt, shut down and remove power from potentially compromised equipment (pulling power destroys volatile evidence such as memory, so capture it first when the IRP allows the time)
Potential IOCs
• Anomalies in privileged user account activity
• Unusual outbound network traffic (any change from baseline)
• Geographic anomalies
• Unexplained account lockouts for legitimate accounts
Potential IOCs (cont)
• Failed logon attempts for non-existent accounts
• Increase in database read volume
• Increase in website reads
• Distributed Denial of Service attack (DDoS smoke screen)
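Several of the IOCs above, and the honey-account tripwire from the pre-attack list, come straight out of the Windows Security log. The following is an added example, not the presenters’ code: a first-pass hunt over 4624/4625/4740 events for honey-account touches, failed logons to non-existent accounts, repeated lockouts, and privileged logons from hosts that are not admin workstations. The event array is constructed sample data with the field names the real events carry; the honey account name, the PAW01 workstation, the thresholds and the addresses are assumptions.

```powershell
# Added example (not from the presentation): hunt for four logon IOCs over
# Security events. $sampleEvents is constructed; on a real host the same shape
# comes from Get-WinEvent via ConvertFrom-SecurityEvent (see the usage lines).

function ConvertFrom-SecurityEvent {
    # Flatten one Get-WinEvent record: Id, time, and every <Data Name=...>
    # element of EventData as a property (TargetUserName, IpAddress, SubStatus ...).
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $xml = [xml]$Record.ToXml()
        $row = [ordered]@{ Id = $Record.Id; Time = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
        [pscustomobject]$row
    }
}

function Find-LogonIocs {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $HoneyAccounts      = @('svc_backup_legacy'),  # assumption: decoy nothing legitimate uses
        [string[]] $PrivilegedAccounts = @('Administrator'),
        [string[]] $AdminWorkstations  = @('PAW01'),              # assumption: the only approved admin hosts
        [int] $NoSuchUserThreshold = 3,
        [int] $LockoutThreshold    = 2
    )
    # Tripwire: any authentication event naming a honey account is an alert by
    # itself; there is no legitimate baseline to compare it against.
    $Events | Where-Object { $_.TargetUserName -in $HoneyAccounts } | ForEach-Object {
        [pscustomobject]@{ Ioc = 'HONEY_ACCOUNT_TOUCHED'; Key = $_.TargetUserName; Count = 1
                           Detail = "event $($_.Id) from $($_.IpAddress) at $($_.Time)" }
    }
    # IOC: failed logons for accounts that do not exist (4625, SubStatus
    # 0xC0000064 "user name does not exist") clustered by source address.
    $Events | Where-Object { $_.Id -eq 4625 -and $_.SubStatus -eq '0xC0000064' } |
        Group-Object -Property IpAddress | Where-Object { $_.Count -ge $NoSuchUserThreshold } | ForEach-Object {
            [pscustomobject]@{ Ioc = 'FAILED_LOGON_NONEXISTENT_ACCOUNT'; Key = $_.Name; Count = $_.Count
                               Detail = 'tried: ' + (($_.Group.TargetUserName | Sort-Object -Unique) -join ',') }
        }
    # IOC: unexplained lockouts (4740) hitting the same legitimate account
    # repeatedly; CallerComputer is where the bad attempts came from.
    $Events | Where-Object { $_.Id -eq 4740 } |
        Group-Object -Property TargetUserName | Where-Object { $_.Count -ge $LockoutThreshold } | ForEach-Object {
            [pscustomobject]@{ Ioc = 'REPEATED_LOCKOUT'; Key = $_.Name; Count = $_.Count
                               Detail = 'callers: ' + (($_.Group.CallerComputer | Sort-Object -Unique) -join ',') }
        }
    # IOC: privileged account activity from somewhere it should never come from
    # (successful 4624 whose WorkstationName is not an admin workstation).
    $Events | Where-Object { $_.Id -eq 4624 -and $_.TargetUserName -in $PrivilegedAccounts -and $_.WorkstationName -notin $AdminWorkstations } |
        ForEach-Object {
            [pscustomobject]@{ Ioc = 'PRIVILEGED_LOGON_UNEXPECTED_HOST'; Key = $_.TargetUserName; Count = 1
                               Detail = "logon type $($_.LogonType) from $($_.WorkstationName) ($($_.IpAddress)) at $($_.Time)" }
        }
}

# Live use, last 24 hours of the local Security log (4740 is written on the PDC
# emulator, so run there or against a SIEM export of the same fields):
#   $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4740; StartTime = (Get-Date).AddDays(-1) } |
#             ConvertFrom-SecurityEvent
#   Find-LogonIocs -Events $ev

# Constructed sample events (addresses, names and times are made up):
$sampleEvents = @(
    [pscustomobject]@{ Id = 4625; Time = '2017-03-04 02:11'; TargetUserName = 'jsmith2';           SubStatus = '0xC0000064'; IpAddress = '10.5.0.77' }
    [pscustomobject]@{ Id = 4625; Time = '2017-03-04 02:11'; TargetUserName = 'svc_sql';           SubStatus = '0xC0000064'; IpAddress = '10.5.0.77' }
    [pscustomobject]@{ Id = 4625; Time = '2017-03-04 02:12'; TargetUserName = 'helpdesk';          SubStatus = '0xC0000064'; IpAddress = '10.5.0.77' }
    [pscustomobject]@{ Id = 4625; Time = '2017-03-04 02:13'; TargetUserName = 'svc_backup_legacy'; SubStatus = '0xC000006A'; IpAddress = '10.5.0.77' }
    [pscustomobject]@{ Id = 4625; Time = '2017-03-04 08:30'; TargetUserName = 'mjones';            SubStatus = '0xC000006A'; IpAddress = '10.5.1.20' }  # wrong password on a real account
    [pscustomobject]@{ Id = 4740; Time = '2017-03-04 02:20'; TargetUserName = 'svc_scada'; CallerComputer = 'WS-LOBBY' }
    [pscustomobject]@{ Id = 4740; Time = '2017-03-04 02:45'; TargetUserName = 'svc_scada'; CallerComputer = 'WS-LOBBY' }
    [pscustomobject]@{ Id = 4624; Time = '2017-03-04 02:50'; TargetUserName = 'Administrator'; WorkstationName = 'WS-LOBBY'; IpAddress = '10.5.0.77'; LogonType = 3 }
    [pscustomobject]@{ Id = 4624; Time = '2017-03-04 09:05'; TargetUserName = 'Administrator'; WorkstationName = 'PAW01';    IpAddress = '10.5.9.2';  LogonType = 2 }
)
Find-LogonIocs -Events $sampleEvents | Format-Table -AutoSize
```

On the sample events the hunt returns four rows: the honey account touched from 10.5.0.77, the three failed logons to non-existent accounts from the same address, the two svc_scada lockouts called from WS-LOBBY, and the Administrator network logon from WS-LOBBY. The mjones failure (a real account, wrong password) and the Administrator logon from PAW01 are left alone, which is the point: these IOCs are about deviation from what is normal for you, so the thresholds and allow-lists have to come from your own baseline.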
Stopping the attack is the first definitive step. The next step, repair and remediation, is an entirely different issue.
The key to 3 Dimensional Data Protection: collaboration between Cyber Security and Physical Security
This is NOT collaboration
Collaboration is a team effort between IT, Safety, & Security
For more info or questions contact:
Jim Willis, Physical Security [email protected]
Doug King, Cyber Security [email protected]