OT/ICS Cyber-Hacking into Industrial organizations · 2019-02-20
TRANSCRIPT
Page 1
Sylvain Denoncourt GSEC, CISSP
IoT architecture Consultant
Cisco
OT/ICS Cyber-Hacking into Industrial organizations
June 7th 2018
Page 2
What would you do differently if you KNEW you were going to be compromised?
It’s no longer a question of “if” you’ll be breached, it’s a question of “when”…
Page 3
Computer networks controlling the buildings and infrastructure architects design are regularly being hacked…
This tends to go under-reported, because it often involves private companies concerned for their public images, and untreated, because these systems are coordinated by various parties that have never been responsible for cyber security.
Source: Architizer, https://architizer.com/blog/hacking-architecture/
Page 4
#WWST #CISCOVT #CISCOSE
The Evolution of the Cyber Criminal: now a sophisticated business focused on ROI
Old School Threats:
• Cyber-punks/Hackers
• Individual’s Data
• Unsophisticated
• Notoriety/Political
• Opportunistic
• Nation State
Modern Threats:
• Professional organized crime
• Trusted Insiders
• Targeted/ROI
• Sophisticated Supply Chains
• Nation State
• Multi-Billion $ Business
Page 5
The many faces of IoT hacking
• Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer: https://thehackernews.com/2018/04/iot-hacking-thermometer.html
• Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds: https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds/
• Vehicle CAN bus control
• Massive DDoS Attack Against Dyn DNS Service Knocks Popular Sites Offline: https://thehackernews.com/2016/10/dyn-dns-ddos.html
Page 6
IT vs OT
IT - Information Technology
• Pertains mainly to the corporate offices
• Connects people and servers
• More homogeneous in nature
OT - Operational Technology
• Pertains to industrial environments (ICS – Industrial Control Systems): manufacturing floor, utility substation, oil rig, mining, etc.
• Connects mainly endpoints, sensors and meters…
• Many different device types and data formats, and often huge volumes of raw data
Page 7
IT and OT organisations are converging
• Convergence driven by technology evolution and the pressure to reduce costs
• Different culture and skillset between the two organisations
• OT: driven by resilience objectives
• IT: driven by the need to meet end user expectations at the lowest possible cost
• Resistance to change
• Very different reporting structures
Page 8
Industrial networks are increasingly becoming targets
Page 9
Escalating Attacks in the IoT/OT Domain
Shamoon wipes 30K computers
Page 10
2010: Stuxnet hits centrifuges in an Iranian nuclear compound
Page 11
Stuxnet in Action: Losing Trust at the PLC Layer
(Diagram: network layers from the Internet, removable media and computers, through the Corporate Network, a DMZ and Vendors/Partners, down to the HMI Network (situational awareness, control, protection), the ICS Network (programming, maintenance) and the PLC Network (physical devices).)
Page 12
2014 hack attack causes 'massive damage' at German smelter
http://www.bbc.com/news/technology-30575104
“…the attackers infiltrated the corporate network using a spear-phishing attack that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware is downloaded to their computer.” – WIRED, 2015
Page 13
2015 Ukraine power grid hack
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
Page 14
Aftermath of the Attack
• At 3:35 pm on Dec 23rd 2015, the Ukrainian Kyivoblenergo (a local energy company) experienced outages as a result of its SCADA systems being hacked
• Breakers were opened by the attackers in 7 x 110 kV and 23 x 35 kV substations
• 225K people impacted, 6 hrs of lost power over 3 regions
Page 15
Ukraine power grid attack - The kill chain: a highly orchestrated approach
Phase 1 - The Preparation (IT Domain - The Intrusion, CORP.)
1. Spear phishing to gain access to the IT corporate network
2. Delivery + exploit + install of BlackEnergy malware on the victim’s workstation; C2 (command and control) established
3. Recon: PsExec used to gather environment info; credential theft with Mimikatz and LM hashes
4. Attackers issued VPN connections from the corporate network into the ICS network
Phase 2 - The ICS Attack (Attack on OT Domain, ICS)
5. Hijacking of the substation SCADA HMIs
6. Malicious firmware developed for the serial-to-Ethernet devices in front of the PLC/RTUs
7. Execute the power outage: attack SCADA through the HMI with malicious operations to open breakers (“phantom mouse”)
8. Outages, then cover and denial: firmware upload to the serial-to-Ethernet devices, UPS compromised in the DC, DDoS against the call centers, KillDisk to erase evidence and delete targeted logs
Page 16
A few observations and facts…
Page 17
Common Pathways into OT Environments
Page 18
The human element is usually the path of least resistance
Coupled system + human element = Risk
Page 19
Spear-phishing – fake targeted email
Page 20 (image only)
Page 21
Phishing leaves business on the line
• Phishing continues to be the root cause of major breaches
• URL shorteners, URLs in attachments, domain shadowing and domain squatting are the tricks employed by adversaries
• Relying on social engineering methods to trick users into clicking the bad links
• Strong integration of web intelligence with the email gateway, plus user awareness, are the need of the hour
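The tricks the slide lists (shorteners, squatted lookalike domains, a real brand name buried in a subdomain, raw-IP and punycode hosts) can be checked mechanically on every URL an e-mail gateway extracts. The following is an added example, not code from the deck or from any Cisco product; the protected-domain list, the shortener list and the sample message are constructed for illustration, and the "last two labels" rule for the registrable domain is a simplification that a real tool would replace with the public suffix list.

```python
"""Score URLs found in an e-mail for the tricks listed on the slide: URL shorteners,
squatted lookalike domains, protected names buried in a subdomain, raw-IP hosts and
punycode hosts. Added example; the domain lists and the sample message are constructed."""
from __future__ import annotations
import ipaddress
import re
from urllib.parse import urlparse

# Constructed for this example; a deployment would load these from configuration.
PROTECTED_DOMAINS = {"example-utility.com", "example-utility.net"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character squats such as examp1e-utility.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Last two labels. Good enough for .com/.net; use the public suffix list for co.uk etc."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def url_indicators(url: str) -> list[str]:
    """Return the phishing indicators found in one URL (empty list = nothing suspicious)."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["unparseable-host"]
    try:
        ipaddress.ip_address(host)
        return ["raw-ip-host"]          # http://203.0.113.5/... never belongs to a real brand
    except ValueError:
        pass
    flags: list[str] = []
    if host in SHORTENER_HOSTS:
        flags.append("url-shortener")   # destination hidden until the redirect is followed
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode-idn")    # homoglyph domains encode to xn--...
    reg = registrable(host)
    if reg in PROTECTED_DOMAINS:
        return flags                    # our own domain or a subdomain of it
    for good in sorted(PROTECTED_DOMAINS):
        if good in host:                # example-utility.com.evil-login.net
            flags.append(f"protected-name-embedded:{good}")
            break
        if levenshtein(reg, good) <= 2: # domain squatting / typosquatting
            flags.append(f"lookalike-of:{good}")
            break
    return flags

def scan_message(body: str) -> dict[str, list[str]]:
    """Map every URL in an e-mail body to its indicators."""
    return {u: url_indicators(u) for u in URL_RE.findall(body)}

# Constructed sample message for the example.
SAMPLE_MAIL = """Your SCADA VPN certificate expires today.
Renew at http://examp1e-utility.com/reset or via the portal https://bit.ly/3abcXYZ
Questions: https://portal.example-utility.com/help
"""
```

The squatting check compares the registrable domain, not the full host, so a legitimate subdomain of the protected domain scores clean while a lookalike one edit away is flagged; shortened links should additionally be expanded at the gateway before scoring, since the indicator only says the destination is hidden.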
Page 22
The Security Challenge
Scale: too many alerts
Complexity: securing everything
Sophistication: keeping up against attackers
Motivated & Targeted Adversaries: state sponsored; financial/espionage motives; $1T cybercrime market
Increased Attack Surface: BYOD blurring the perimeter; public cloud services; enterprise IoT
Increased Attack Sophistication: advanced persistent threats; encrypted malware; zero-day exploits
100% of customers lacked network segmentation at the time of breach
$3.8M average cost of a data breach
200 days industry average detection time for a breach
60 days industry average time to contain a breach
Page 23
Network Architecture Concerns…
• A bad network design is as big a threat to security success as the lack of security.
• Better to know what you are missing than to think you are safe.
(Diagram: a plant-floor topology mixing Enterprise Ethernet, proprietary Ethernet, I/O fieldbus, motion and safety networks, linked to the next machine in star, trunk/drop, fiber ring and daisy-chain layouts.)
This does not mean that there was no architecture - it is likely that the architecture eroded over time.
Page 24
IoT Cyber Security Principles for the IT environment
Priority order: C I A (Confidentiality, Integrity, Availability)
Access Control
• User and Device Identity
• Authentication, Authorization & Accounting
Data Confidentiality and Data Privacy
• Network Segmentation
• Secure Connectivity
Threat Detection and Mitigation
• Security Zones
• Intrusion Prevention; Application Visibility
Device and Platform Integrity
• Device Hardening and Secure Platform
• Configuration Assurance
Policy Management with IT Convergence & Ease of Use
Page 25
IoT Cyber Security Principles for the OT environment
Priority order: A I C (Availability, Integrity, Confidentiality)
Access Control
• User and Device Identity
• Authentication, Authorization & Accounting
Data Confidentiality and Data Privacy
• Network Segmentation
• Secure Connectivity
Threat Detection and Mitigation
• Security Zones
• Intrusion Prevention; Application Visibility
Device and Platform Integrity
• Device Hardening and Secure Platform
• Configuration Assurance
Policy Management with OT/IT Convergence & Ease of Use
Page 26
It comes down to one simple question
How do you deal with that?
Page 27
It takes an Architecture
Yes, but would you fly something like this?
Page 28
Cisco IoT Threat Defense: detect, block, and respond to IoT threats
Page 29
Ukraine power grid attack - The kill chain: what could have been done?
Phase 1 - The Preparation (IT Domain - The Intrusion, CORP.)
1. Spear phishing to gain access to the IT corporate network
2. Delivery + exploit + install of BlackEnergy malware on the victim’s workstation
3. Credential theft
4. Attackers issued VPN connections from the corporate network into the ICS network; C2 (command and control)
Phase 2 - The ICS Attack (Attack on OT Domain, ICS)
5. Hijacking of the substation SCADA HMIs
6. Malicious firmware developed for the serial-to-Ethernet devices
7. Execute the power outage: attack SCADA with malicious operations to open breakers
8. Outages, then firmware upload, UPS compromised in the DC, DDoS against the call centers, KillDisk to erase the MBR and delete targeted logs
Controls overlaid on the kill chain on the slide, roughly in the same order:
• Email Security, Umbrella (the spear-phishing step)
• AMP & ThreatGRID (malware delivery and execution)
• Cisco ISE (identity and access control)
• ISA 3000 industrial FW, Firepower (the corporate-to-ICS boundary and the substation network)
• Police register values! (watch what is written to the PLC/RTU registers during the firmware and breaker steps)
• Stealthwatch, Splunk: big data, machine learning and correlation (firmware upload, UPS, call-center DDoS and KillDisk activity)
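"Police register values" on the slide means watching the control protocol itself rather than only the IP layer: on a Modbus/TCP link, which function codes are writes, who issues them, and which addresses they touch. The block below is an added example, not code from the deck or from an ISA 3000 or Firepower policy. It parses the MBAP header and the start of the PDU, treats function codes 5, 6, 15 and 16 as writes, and returns AUDIT lines for the one allow-listed HMI and ALERT lines for anyone else; the allow-list, the protected coil range and the captured frames are all constructed for the example.

```python
"""Police writes on a Modbus/TCP link: parse each frame's MBAP header and function code,
and flag write requests (coils / holding registers) that do not come from the authorised HMI
or that touch the breaker-control coils. Added example; frames and the allow-list are constructed."""
from __future__ import annotations
import struct

WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
ALLOWED_WRITERS = {"10.10.1.5"}            # constructed: the substation HMI
PROTECTED_COILS = {1: range(0, 16)}        # constructed: breaker coils 0..15 on unit 1

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header and the start of the PDU. Raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id != 0: not Modbus")
    if length != len(frame) - 6:          # MBAP length counts unit id + PDU
        raise ValueError("MBAP length mismatch")
    fc = frame[7]
    msg = {"tid": tid, "unit": unit, "fc": fc, "exception": bool(fc & 0x80)}
    if fc in (5, 6):                      # address, value
        msg["address"], msg["value"] = struct.unpack(">HH", frame[8:12])
    elif fc in (15, 16):                  # address, quantity, byte count, values...
        msg["address"], msg["quantity"] = struct.unpack(">HH", frame[8:12])
    return msg

def inspect(src_ip: str, frame: bytes) -> list[str]:
    """Findings for one frame: AUDIT lines for allowed writers, ALERT lines for everyone else."""
    m = parse_modbus_tcp(frame)
    if m["exception"] or m["fc"] not in WRITE_FUNCTIONS:
        return []                         # reads and exception responses are not policed here
    level = "AUDIT" if src_ip in ALLOWED_WRITERS else "ALERT"
    findings = [f"{level}: {WRITE_FUNCTIONS[m['fc']]} from {src_ip} unit={m['unit']} addr={m['address']}"]
    if m["fc"] in (5, 15):
        start, n = m["address"], m.get("quantity", 1)
        if any(a in PROTECTED_COILS.get(m["unit"], range(0)) for a in range(start, start + n)):
            findings.append(f"{level}: breaker coils {start}..{start + n - 1} written on unit {m['unit']}")
    return findings

def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header + PDU (used here to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed capture: (source IP, frame)
CAPTURE = [
    ("10.10.1.5",  build_frame(1, 1, struct.pack(">BHH", 5, 3, 0xFF00))),             # HMI opens breaker 3
    ("10.10.1.77", build_frame(2, 1, struct.pack(">BHHB", 15, 0, 8, 1) + b"\x00")),    # rogue host clears coils 0..7
    ("10.10.1.77", build_frame(3, 1, struct.pack(">BHH", 3, 0, 10))),                  # rogue host reads registers
    ("10.10.1.77", build_frame(4, 1, struct.pack(">BHHB", 16, 100, 2, 4) + b"\x00\x01\x00\x02")),  # rogue host writes setpoints
]

def run(capture=CAPTURE) -> list[str]:
    """Inspect every frame in the capture and return all findings."""
    return [f for src, frame in capture for f in inspect(src, frame)]
```

This is passive inspection of a SPAN or tap feed, so it records and alerts but does not block; the AUDIT lines are the point of the slide, since a hijacked HMI writes from an allowed address and only the record of what was written, when, and against which coils lets an operator recognise the "phantom mouse". Firmware pushes to serial-to-Ethernet converters use vendor-specific protocols, not Modbus, and need their own rules.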
Page 30
Remote Access Control to the ESP (Electronic Security Perimeter) / ICS sensitive zone: separation between corporate and production networks is a must!
(Diagram: an external contractor enters the Corporate zone, passes an enterprise switch and an Industrial FW into the Multi-Service zone, where a Jump Box sits between industrial switches, and only from there reaches the ESP Zone / ICS sensitive zone behind the MPLS substation edge router. Direct paths into the ESP are blocked (✖).)
1. Device is scanned and user authentication verified: 2-factor auth, 802.1X, certificate
2. User profile + NGFW limits applied; disable split tunnel
3. VDI host (Jump Box) operates as a virtual air gap providing isolation to the ESP
4. Switch port security and identity profiling controls such as time of day (TOD) and duration, plus device monitoring
5. Centralized logging of events promotes accurate audits
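The five numbered controls on the slide can be written down as a single admission policy that a broker or a post-hoc audit job evaluates against each remote session. The following is an added example, not a Cisco ISE or NGFW configuration; the Session record, the policy values (08:00-18:00 window, four-hour maximum) and the two sample sessions are constructed for the example.

```python
"""Evaluate a remote-access session against the five controls on the slide. Added example;
the Session record, policy values and the two sample sessions are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Session:
    user: str
    role: str                  # "contractor" or "ot-engineer"
    mfa_verified: bool         # second factor checked
    cert_valid: bool           # 802.1X / client certificate accepted
    posture_scan_passed: bool  # endpoint scanned before admission
    split_tunnel: bool         # VPN client allowed to reach other networks at the same time
    src_zone: str              # "corporate" or "internet"
    dst_zone: str              # "multi-service" (jump box only) or "esp"
    via_jump_host: bool        # session terminates on the jump box / VDI host, not on an ESP asset
    start: datetime
    duration: timedelta
    logged_centrally: bool     # events forwarded to the central collector

POLICY = {
    "window": (8, 18),                          # permitted time of day, hours, local
    "max_duration": timedelta(hours=4),
    "roles_into_esp": {"ot-engineer", "contractor"},
}

def evaluate(s: Session) -> list[str]:
    """Return the violated controls; an empty list means the session may proceed."""
    v: list[str] = []
    if not (s.mfa_verified and s.cert_valid and s.posture_scan_passed):
        v.append("1: device scan, 2-factor auth and certificate all required")
    if s.split_tunnel:
        v.append("2: split tunnel must be disabled")
    if s.dst_zone == "esp" and s.role not in POLICY["roles_into_esp"]:
        v.append("2: user profile does not permit the ESP")
    if s.dst_zone == "esp" and not s.via_jump_host:
        v.append("3: direct path into the ESP; traffic must terminate on the jump box")
    lo, hi = POLICY["window"]
    if not (lo <= s.start.hour < hi):
        v.append("4: outside the permitted time of day")
    if s.duration > POLICY["max_duration"]:
        v.append("4: session exceeds the permitted duration")
    if not s.logged_centrally:
        v.append("5: session not logged centrally")
    return v

# Constructed sample sessions.
COMPLIANT = Session("c.martin", "contractor", True, True, True, False, "corporate", "esp", True,
                    datetime(2018, 6, 7, 10, 0), timedelta(hours=2), True)
ROGUE = Session("c.martin", "contractor", False, True, True, True, "corporate", "esp", False,
                datetime(2018, 6, 7, 2, 0), timedelta(hours=9), False)
```

The ROGUE record is the shape of the Ukraine VPN step: a valid account, outside working hours, landing directly on ICS assets with no second factor. Control 3 is the one that cannot be enforced by the evaluator alone; the industrial firewall must also have no rule that passes corporate-zone addresses into the ESP except from the jump box.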
Page 31
It takes an Architecture
… with a central security intelligence cloud capable of analyzing billions of requests and sharing that information with all security network devices at the edge …
Page 32
Talos security cloud intelligence
• AMP + Stealthwatch
• ASR/ISR with Firepower services
• Firepower FTD 4K, 9K
Page 33
Conclusion & takeaways: what to do and to enforce
Data and Applications
• Attacks must be uncovered in the early stages of the attack
• Understand the needs of, and the differences between, IT and OT security
• Password reset enforcement after a pre-determined period
• Prioritize vulnerability patching on critical assets
• IP host and URL resolution blocklisting through reputation inspection
• Look for abnormal spikes in traffic patterns
• Check endpoint file integrity through hashing (SHA-256 rather than MD5, which is no longer collision resistant) via anti-malware protection
Page 34
Firmware modifications over the network cause spikes in network traffic
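A firmware image pushed to a serial-to-Ethernet converter is orders of magnitude larger than the polling chatter such a device normally exchanges, so a per-device baseline over flow records catches it without any protocol knowledge. The block below is an added example, not Stealthwatch logic; it uses a rolling median plus MAD threshold (robust to the outlier it is looking for) and the five-minute byte counts are constructed.

```python
"""Flag per-device traffic spikes against a rolling robust baseline (median + MAD), the
signal a firmware push over the network leaves in flow records. Added example; the
five-minute byte counts below are constructed."""
from __future__ import annotations
from statistics import median

def robust_threshold(history: list[int], k: float = 6.0, floor_ratio: float = 0.05) -> float:
    """median + k * sigma, with sigma estimated from the MAD (1.4826 * MAD approximates the
    standard deviation for normal data). A floor of 5 % of the median stops a perfectly flat
    baseline from flagging every one-byte change."""
    m = median(history)
    mad = median(abs(v - m) for v in history)
    sigma = 1.4826 * max(mad, floor_ratio * m)
    return m + k * sigma

def find_spikes(series: dict[str, list[int]], window: int = 12, k: float = 6.0) -> list[tuple[str, int, int]]:
    """(device, interval index, bytes) for every interval above the threshold of the preceding `window` intervals."""
    spikes = []
    for device, counts in series.items():
        for i in range(window, len(counts)):
            if counts[i] > robust_threshold(counts[i - window:i], k):
                spikes.append((device, i, counts[i]))
    return spikes

# Constructed bytes-per-5-minute samples for two substation devices (24 intervals = 2 hours).
SAMPLE = {
    # serial-to-Ethernet converter: polling chatter, then a 350 KB firmware image at interval 20
    "ser2eth-sub7": [2100, 2300, 2050, 2400, 2200, 2150, 2350, 2250, 2100, 2300, 2200, 2400,
                     2250, 2150, 2300, 2100, 2350, 2200, 2400, 2250, 350000, 2300, 2150, 2200],
    # HMI: steady screen updates
    "hmi-sub7": [15000] * 24,
}
```

The baseline window excludes the interval being tested, so the spike does not raise its own threshold, and the median-based estimate keeps the following intervals from being masked once the spike has entered the window. Byte counts alone say nothing about direction; pairing the alert with the Modbus/vendor-protocol view of the same device is what turns "big transfer" into "firmware write".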
Page 36
Takeaways: what to do and to enforce
Host and network
• Segmentation of the SCADA network (secured zoning)
• Logging must be enabled on all SCADA devices
• Backup of all critical firmware
• Restrict and control remote connections to the SCADA systems through secured jump points
• IPS with ICS-adapted rules for detection within the industrial environment
Policies and procedures
• Training for OT staff and operators
• Segregation of duties: make sure no single HMI console has full control end to end
• Invite business process owners to discuss what is important to protect
• Make sure IT/OT staff are up to date and knowledgeable on ICS security
• DR scenarios in place to switch to manual mode
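"Backup of all critical firmware" only helps if you can tell, after an incident, which images and configuration files still match the backup. The following is an added example, not code from the deck: it builds a SHA-256 manifest of a firmware store, then verifies the directory against it and reports modified, missing and unexpected files. It runs against a temporary directory it creates itself, with constructed stand-in files, and SHA-256 is used in place of the MD5 mentioned on the earlier slide.

```python
"""Build a SHA-256 manifest of firmware images and critical configuration files, then verify a
directory against it and report modified, missing and unexpected files. Added example; it runs
against a temporary directory it creates, with constructed stand-in files."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file so firmware images of any size hash without being read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the directory's current state with a previously stored manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }

def demo() -> dict[str, list[str]]:
    """Baseline a constructed firmware store, tamper with it the way the kill chain on the earlier
    slides describes (firmware overwritten, a file deleted, a new binary dropped), and report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rtu").mkdir()
        (root / "rtu" / "rtu-fw-v3.1.bin").write_bytes(b"\x7fELF" + b"\x00" * 64)  # stand-in image
        (root / "hmi-config.xml").write_text("<config/>")
        baseline = build_manifest(root)            # store this off-host and signed, before anything changes
        (root / "rtu" / "rtu-fw-v3.1.bin").write_bytes(b"\x7fELF" + b"\xff" * 64)
        (root / "hmi-config.xml").unlink()
        (root / "unknown-dropped.exe").write_bytes(b"MZ")
        return verify(root, baseline)
```

The manifest must live somewhere the monitored host cannot write, and ideally be signed; an attacker who can run KillDisk on the host can also rewrite a manifest stored beside the files.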
Page 37
Security compliance is not enough; organizations must set their security foundations taking into consideration:
• Attack vectors and threats
• Changing business environment and operational procedures
• Technological evolution
“We have a culture of compliance when we should really have a culture of security.”
Timothy E. Roxey, VP and Chief E-ISAC Operations Officer at NERC
Page 38
Thank you