SCADA Security: The 5 Stages of Cyber Grief


Post on 18-Nov-2014


Category: Technology


DESCRIPTION

Lancope’s Director of Security Research, Tom Cross, examines the five stages of grief that organizations seem to pass through as they come to terms with security risks, and how far we’ve come regarding Industrial Control Systems. Hear about:

* The state of Control System security vulnerabilities
* Attack activity that is prompting a change in perspective
* The unique, long-term challenges associated with protecting SCADA networks
* How anomaly detection can play a key role in protecting SCADA systems now

TRANSCRIPT

  • 1. SCADA Security: The Five Stages of Cyber Grief. Tom Cross, Director of Security Research
  • 2. 2013 Lancope , Inc. All Rights Reserved. Company Confidential (not for distribution)
  • 3. The 5 Stages of Cyber Grief
  • 4.
  • 5. Stage 1: Denial. "It's not connected to the Internet."
  • 6.
  • 7. "It's connected to the Internet." "In our experience in conducting hundreds of vulnerability assessments in the private sector, in no case have we ever found the operations network, the SCADA system or energy management system separated from the enterprise network. On average, we see 11 direct connections between those networks." Source: Sean McGurk, Verizon, testimony at the Subcommittee on National Security, Homeland Defense, and Foreign Operations hearing of May 25, 2011.
  • 8.
  • 9. ICS-CERT: In February 2011, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to multiple utility companies' Supervisory Control and Data Acquisition (SCADA) systems. In April 2011, ICS-CERT received reports of 75 Internet-facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials. In September 2011, independent researcher Eireann Leverett contacted ICS-CERT to report several thousand Internet-facing devices that he discovered using SHODAN.
  • 10. SHODAN, Project STRIDE: "To date, we have discovered over 500,000 control system related nodes world-wide on the internet. About 30% are from the US, and most are on ISP addresses."
  • 11.
  • 12. Stage 2: Anger
  • 13.
  • 14. Stage 3: Bargaining
  • 15. Stage 3: Bargaining. Stuxnet: first widely reported use of malware to destroy a physical plant; extremely sophisticated; jumped the air-gap via USB keys; widespread infections throughout the Internet. Shamoon: targeted the energy sector; destructive; overwrites files; destroys the Master Boot Record. (Map of Stuxnet infections, source: Symantec.)
  • 16.
  • 17. Stage 4: Depression
  • 18. Stage 4: Depression. The Patching Treadmill: control systems are not designed to be shut down regularly; entire systems may need to be shut down for a single patch install; patching may mean upgrading; upgrades can cascade through a system; even assessments may require downtime! Patching leads to interconnectivity; interconnectivity leads to compromise. Solutions? Third-party run-time in-memory patching? Intrusion prevention systems?
  • 19.
  • 20. Stage 5: Acceptance. What would acceptance mean? Getting serious about interconnectivity: we need to find new ways to work, and we need to accept some inconvenience. Designing systems for patchability: systems that can be patched without being restarted; hot standby failover; patches that do not require upgrades; security patches that can be accepted without performance concerns; built-in IDS capability? Designing systems for failure.
  • 21. Lancope does NetFlow
  • 22. Network Visibility through NetFlow. Diagram: DMZ, VPN, Internal Network, Internet and 3G Internet segments, each exporting NetFlow to a NetFlow Collector. NetFlow packets carry: src and dst IP, src and dst port, start time, end time, MAC address, byte count, and more.
  • 23. Intrusion Audit Trails. 1:06:15 PM: internal host visits malicious web site. 1:06:30 PM: malware infection complete, accesses Internet command and control. 1:06:35 PM: malware begins scanning internal network. 1:07:00 PM: gateway malware analysis identifies the transaction as malicious. 1:13:59 PM: multiple internal infected hosts. 1:14:00 PM: administrators manually disconnect the initial infected host. Do you know what went on while you were mitigating?
  • 24. Behavioral Anomaly Detection
  • 25. Get Engaged with Lancope! @Lancope, @NetFlowNinjas, @stealth_labs: subscribe, join the discussion, download. Access StealthWatch Labs Intelligence Center (SLIC) reports and security research.
  • 26. Lancope at Cisco Live 2013. Return of the famous Lancope Ninja Sword! Visit booth #737. Email sales@lancope.com to request a private demo at the event.
  • 27. Thank you! Tom Cross, Director of Security Research
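The NetFlow fields on slide 22 and the audit-trail timeline on slide 23 are enough to illustrate the behavioral anomaly detection slide 24 names. The following is an added example, not Lancope code or anything from the deck: it runs a fan-out check over constructed NetFlow-style records that mimic the slide 23 timeline (one internal host visits an external site, checks in to command and control, then touches many internal hosts) and then pulls that host's flow history as the "what went on while you were mitigating" audit trail. The 10.0.0.0/8 internal range, the 60-second window and the 20-host threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed NetFlow-style records: (src ip, dst ip, dst port, start, end, byte count).
# They mirror the slide 23 timeline; none of these addresses or times are real data.
FLOWS = [
    ("10.0.1.5", "203.0.113.9", 80, "13:06:15", "13:06:20", 4200),    # visits web site
    ("10.0.1.5", "198.51.100.7", 443, "13:06:30", "13:06:33", 900),   # command-and-control check-in
] + [
    ("10.0.1.5", f"10.0.2.{i}", 445, "13:06:35", "13:06:36", 60) for i in range(1, 41)  # scans 40 hosts
] + [
    ("10.0.1.6", "10.0.5.1", 53, "13:06:40", "13:06:40", 120),        # unrelated, normal DNS lookup
]

def parse(ts):
    return datetime.strptime(ts, "%H:%M:%S")

def fan_out_scanners(flows, window=timedelta(seconds=60), threshold=20):
    """Map each internal source to the internal destinations it reached, for sources
    that contacted more than `threshold` distinct internal hosts inside one `window`."""
    by_src = defaultdict(list)
    for src, dst, dport, start, end, nbytes in flows:
        if ip_address(src) in INTERNAL and ip_address(dst) in INTERNAL:
            by_src[src].append((parse(start), dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide the window over each start time
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            if len(dsts) > threshold:
                alerts[src] = dsts
                break
    return alerts

def audit_trail(flows, host):
    """Chronological (start, dst, dport, bytes) records for one host: the retained
    NetFlow history that answers what the host did before anyone disconnected it."""
    return sorted((start, dst, dport, nbytes)
                  for src, dst, dport, start, end, nbytes in flows if src == host)

if __name__ == "__main__":
    for host, targets in fan_out_scanners(FLOWS).items():
        print(f"{host} contacted {len(targets)} internal hosts within 60s")
        for rec in audit_trail(FLOWS, host)[:3]:
            print("  ", rec)
```

The trail shows the external web visit and the command-and-control check-in that preceded the scan, which is the context a gateway alert alone would not preserve.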
