scada security: the five stages of cyber grief scada security: the five stages of cyber grief ......

Download SCADA Security: The Five Stages of Cyber Grief SCADA Security: The Five Stages of Cyber Grief ... The

Post on 29-May-2020




0 download

Embed Size (px)


  • SCADA Security: The Five Stages of Cyber Grief

    Daniel Tulen Sr. Channel SE Europe

  • The 5 Stages of Cyber Grief

  • Its not connected to the Internet.

    Stage 1: Denial

  • Example: Wifi at a power plant

    Power Plant SCADA


    SCADA Network


    Office Network Lab


  • "In our experience in conducting hundreds of

    vulnerability assessments in the private sector, in no

    case have we ever found the operations network, the

    SCADA system or energy management system

    separated from the enterprise network. On average, we

    see 11 direct connections between those networks.”

    Source: Sean McGurk, Verizon

    The Subcommittee on National Security, Homeland

    Defense, and Foreign Operations May 25, 2011


    Its connected to the Internet.

  • SANS Survey Feb 2013

    Feedback from the respondents:

    • 70% of them thinks that the risks are high to severe

    • 33% them already had a security incident related to SCADA

    • 40% thinks, had or doesn’t know if they are compromised.

    • 29% takes Cyber Security into consideration in their procurement process

    Top 3 risks by respondents:

    1. Malware (Stuxnet etc.)

    2. Internal Threats

    3. External Threats (Hacking, Government Espionage etc.)

    #1 reason for investing in Security: Avoid Service Interruption.

  • ICS CERT • In February 2011, independent security researcher Ruben Santamarta used

    SHODAN to identify online remote access links to multiple utility companies’ Supervisory Control and Data Acquisition (SCADA) systems.

    • In April 2011, ICS-CERT received reports of 75 Internet facing control system devices, mostly in the water sector. Many of those control systems had their remote access configured with default logon credentials.

    • In September 2011, independent researcher Eireann Leverett contacted ICS- CERT to report several thousand Internet facing devices that he discovered using SHODAN.

    • In 2012 ICS-CERT reported 198 Cyber Incidents regarding SCADA. 23 of them were targeted attacks. A rise of 264% compared to 2011!

  • Stage 2: Anger

  • Stage 3: Bargaining

  • Stage 3: Bargaining • Stuxnet

    • First widely reported use of malware to destroy a physical plant • Extremely sophisticated • Jumped the air-gap via USB keys • Widespread infections throughout the Internet

    • Shamoon • Targeted the energy sector • Destructive

    • Over writes files • Destroys the Master Boot Record

  • ICS Honeypot Results • Kyle Wilhoit – Trend Micro Threat Research Team

  • DDOS Attacks More Automated &


    • Prolexic Q2 2012 to Q2 2013

    – 33% increase in attacks

    – 925% increase in bandwidth

    • 4.47 Gbps to 49.24 Gbps

    – 1655% increase in pps

    • 2.7 Mpps to 47.4 Mpps

  • Stage 4: Depression

  • Stage 4: Depression The Patching Treadmill

    • Control systems are not designed to be shut down regularly • Entire systems may need to be shut down for a single patch install

    • Patching may mean upgrading • Upgrades can cascade through a system

    • Even assessments may require downtime!

    • Patching leads to Interconnectivity • Interconnectivity leads to compromise

    • Solutions? – Third-Party Run-Time In-Memory Patching?

    – Intrusion Prevention Systems?

  • Stage 5: Acceptance What would acceptance mean?

    • Getting serious about interconnectivity • We need to find new ways to work

    • We need to accept some inconvenience

    • Designing systems for patchability • Systems that can be patched without being restarted

    • Hot Standby failover

    • Patches that do not require upgrades

    • Security patches that can be accepted without performance concerns

    • Built in IDS capability?

    • Designing systems for failure

  • Cisco Confidential 21 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

    You Can’t Protect What You Can’t See The Network Gives Deep and Broad Visibility














  • Cisco Confidential 22 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

    What Can The Network Do For You?

    Detect Anomalous Traffic Flows, Malware e.g. Communication with Malicious Hosts, Internal Malware Propagation, Data Exfiltration

    Detect App Usage, User Access Policy Violations e.g. Maintenance Contractor Accessing Financial Data

    Detect Utilization, Baseline Behavior e.g. Utilization of Uplinks, Discover Odd User Behavior

  • Cisco Confidential 23 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

    Behavioral Detection Model

    As flows are collected, behavioral algorithms are applied to build “Security Events”. Security Events will add points to an alarm category to allow for easy summarization higher degree of confidence of the type of activity detected:

    • 100% LAN accountability

    • 90+ days flow storage average

    • 365+ days summary data stored

    • Profile over 1M internal hosts

    Continuous Network Monitoring Apply Network Segmentation

    Outside - Internet

    • Geo Location

    • Business Partners

    • Cloud Providers

    • Social Media

    Inside - Internal

    • Location – Site - Branch

    • Datacenter

    • Function - Application

    • Business Unit

    • Sensitivity - Compliance

    Build logical boundaries

    Command & Control

    • New Malware Families

    • Point-of-Sale malware

    • Banking malware

    • Keylogger, Exfil data

    • DDOS

  • Cisco Confidential 24 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

    Who, What, When Where and How?


    Catalyst 3850/3650

    Catalyst® 4500 Sup7E/LE/8E

    Catalyst® 4500 Sup7E/LE/8E

    Access Point

    Access Point

    Access Dist/Core

    Catalyst 4500-X

    Nexus 7K M-Series

    Catalyst® 6800/6500



    Site-to- Site VPN



    ASA With


    ESA StealthWatch FlowSensor

    WSA with CWS redirect



    B ra

    n c h


    a m

    p u



    ISR- G2/ISR40

    00/ ASR1K

    Catalyst 3850/3650


    There is a need to

    understand what is

    connecting to the network,

    including software resident on

    trusted endpoints. NetFlow

  • Heynen werkt voor vernieuwers

    Mocht u meer informatie willen, neem dan

    contract op met Heynen.

    Heynen is de Lancope partner voor de

    Benelux en verzorgt graag een demo. of

  • Thank you!

    Daniel Tulen Sr. Channel SE Europe

View more >