The Axis of Physical and Cyber Security – providing three-dimensional threat protection Presenters: Jim Willis, CEO, InDev Tactical Doug King, Technical Service Engineer Sr. Staff Lockheed Martin Energy @ Rappahannock Electric Cooperative

Upload: danghuong

Post on 30-Apr-2018

TRANSCRIPT

Page 1

The Axis of Physical and Cyber Security – providing three-dimensional threat protection

Presenters:

Jim Willis, CEO, InDev Tactical

Doug King, Technical Service Engineer Sr. Staff, Lockheed Martin Energy @ Rappahannock Electric Cooperative

Page 2

Presenters

Jim Willis, CMAS, CHS-I

CEO, InDev Tactical

• Security consulting for electric co-op clients

• 40+ years electric power experience (co-op lineman/engineer/manager/NRECA/consultant/subject-matter expert)

• Credentialed security & anti-terrorism expert

• Afghanistan, 6 yrs, reconstruction & security (USAID, DOD, ISAF)

• Developed “ASSIST”, a proprietary active shooter and violence prevention training for the electric power industry

MSc, International Development & Security

BS, Electrical Engineering

Page 3

Presenters

Doug King, Technical Service Engineer and Cybersecurity Lead

Doug is a senior member of Lockheed Martin Energy’s Rappahannock Electric Cooperative IT and Cybersecurity services team.

Doug has over 20 years of IT experience, which includes:

• 4 years DoD Global Operational Support

• 14 years of electric cooperative support in information security operations

Doug’s expertise includes cyber threat and targeted attack defense and response.

Page 4

Physical & Cyber Security

Different roles

Same goals

Page 5

Cost of a data breach in 2016

Page 6

Cost of a data breach in 2016

Energy sector per-unit cost = $148

For a co-op with 35,000 records (35,000 × $148) that is over $5,000,000

Page 7

Data Protection:

Defending against unauthorized access, physically & digitally

Page 8

3 Dimensional Data Protection (diagram): Cyber Security – Physical Security – Collaboration

Page 9

3 Dimensional Data Protection (diagram)

Cyber Security: Pre-attack Defense; Active Attack Response

Physical Security: Static Security Measures; Dynamic Security Tactics

Page 10

Physical Security: Static Security Measures; Dynamic Security Tactics

Page 11

Static Security Measures

Security elements utilized to protect the co-op’s digital sphere from internal and external assault.

Page 12

Static Security Measures

Approach access

Theft of stored data

Page 13

Static Security Measures

Physical Vulnerabilities

Server Rooms

Voice & Data interface cabinets

SCADA systems cabinets

Page 14

Static Security Measures

Physical Vulnerabilities

Server Room access

Page 15

Approach access

Page 16

Theft of stored data

Page 17

Static Security Measures

Physical Vulnerabilities

Voice & Data interface points & cabinets

Page 18

Static Security Measures

Physical Vulnerabilities

SCADA network cabinets

Page 19

Physical Vulnerabilities

SCADA network cabinets

Page 20

Physical Vulnerabilities

SCADA network cabinets

Page 21

Physical Vulnerabilities

SCADA network cabinets

Page 22

Dynamic Security Tactics

Employing human resources (subject-matter experts & security consultants) to –

Page 23

Dynamic Security Tactics

Implement active security measures,

Effectively communicate the threat, &

Modify workplace culture.

Page 24

Dynamic Security Tactics

Physical Security

Training

Page 25

Dynamic Security Tactics

Physical Security

Security audits

Page 26

Dynamic Security Tactics

Physical Security

Enhanced procedure development & action plans

Page 27

Cyber Security: Pre-attack Defense; Active Attack Response

Page 28

The Dilemmas

Defender’s Dilemma

“We have to get security right every time – an attacker only has to get it right once.”

Page 29

The Dilemmas

Attacker’s Dilemma

“We only need to detect one of the indicators of the attacker’s presence in order to initiate incident response.”

Page 30

Scenario

Over a long summer holiday weekend, someone cut a substation fence and attempted to steal a few dollars’ worth of copper. The communications shed in the substation was also broken into, but nothing was taken. Copper is not stored in the communications shed.

Page 31

Scenario

Later that fall, the cooperative’s troublesome, aging security system alarmed over Thanksgiving weekend. The Sheriff’s department and a senior cooperative employee responded but didn’t find any signs of a break-in. They silenced the alarm and returned to their families.

Page 32

Scenario

On Monday, a cursory check shows nothing of value was taken. However, an administrator notices that sometime over the weekend a server completely lost power and power was restored approximately 10 minutes later. The server is normal and healthy. The administrator worries about possible hardware failure. The hardware vendor checked the system and all is well.

Page 33

Scenario (cont)

What really happened?

Page 34

Scenario (cont)

Two years prior, an advanced persistent threat (APT) team was tasked by a foreign nation state to breach a US electric distribution cooperative that serves strategically and politically sensitive US government facilities.

The primary purpose of this tasking was to, at a time of the foreign nation state’s choosing, send a strong message to US leadership and intelligence communities by demonstrating hostile command and control (C2) of a US utility. To accomplish this task the APT decided to use the cover of a “routine” PII attack in case their attempts were detected.

The APT team found that remote external network penetration was too “noisy”. Instead, the APT team decided to engage with a physical attack.

Page 35

Scenario (cont)

Using OSINT (Open Source Intelligence) gathered from Google Maps, the APT first chose to attack the substation, as Google Maps imagery showed that there was a communications shed that was not well protected. Ultimately, the shed contained only a minimal amount of equipment and had no direct enterprise or grid connectivity.

At the cooperative HQ, Google Maps showed little fencing and large cooling equipment on one of the roofs. The APT team assumed that this building contained the datacenter.

The APT used a duplicated RFID badge to access the building. The original badge was scanned for duplication during TechAdvantage 2017.

Page 36

Scenario (cont)

Once inside the data center, a physical server was located. The server had a label affixed to it: “Domain Controller 002”. The APT forcibly powered off the system, reapplied power and inserted bootable removable media to copy a single file from the domain controller.

Page 37

Scenario (cont)

The APT stole a copy of the cooperative’s Active Directory database, which holds the password hashes for all AD accounts.

Page 38

Scenario (cont)

All password hashes and configuration information are stored there. Secretsdump.py was used to extract the password hashes.

Page 39

Scenario (cont)

The APT plans to leverage the password hashes to create custom malicious payloads that will be delivered by email, USB flash drives and social media later that year to establish remote C2. Since they are customized and use the credentials of stolen service accounts, the probability of success is quite high.

Page 40

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Develop and practice a physical attack incident response plan

• Treat ALL physical attacks as a potential cyber attack

• Be proactive and adversarial

• Threat hunt for Indicators of Compromise (IOCs)

Page 41

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Research & study the Tactics, Techniques, and Procedures (TTPs) of threats

• Search for and explain anomalies

• Retain a minimum of 2 years of logs for all PCs, servers and systems

Page 42

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Regular open-box red team penetration testing

• Forensic logging for all PCs, servers and systems

• 24/7/365 IDS/IPS monitoring & alerting

• Install and maintain centralized logging and reporting (SIEM)

Page 43

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Consistent and dedicated InfoSec training for support staff

• PowerShell logging for all PCs and servers

• Do not implicitly “trust” the security practices of your vendors

Page 44

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Practice Least Administrative Privilege (Local Administrator)

• Randomize Local Administrator Passwords (LAPS)

• Install a SIEM (GrayLog, Splunk, etc.)

• Event logs from all PCs, IoT devices, & servers ingested into the SIEM (Security Information & Event Management)

Page 45

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Endpoint Detection and Response (Carbon Black, FireEye, etc.)

• Audit and monitor internet ingress/egress from your networks

• Audit Active Directory (Ask the hard questions)

Page 46

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Monitor Active Directory for changes (Netwrix Auditor, etc.)

• Baseline processes and store in a safe place (Get-Process | Select-Object Name, FileVersion, ProductVersion, Company, Path | Export-Csv process.csv)

• Microsoft Advanced Threat Analytics (MS ATA)
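Added example, not from the presentation: a PowerShell script that captures the same process fields as the one-liner on this slide (plus a SHA-256 of each executable) and diffs a later capture against the stored baseline, so the anomalies that need explaining fall out automatically. The function names, the C:\Baseline\process.csv path and the finding labels are assumptions.

```powershell
# Added example (not the presentation's code). Assumed working copy of the
# baseline: C:\Baseline\process.csv; keep a second copy the host cannot rewrite.

function Get-ProcessSnapshot {
    # Same fields as the slide's Export-Csv one-liner, plus a SHA-256 of the
    # executable so a binary swapped in under the same name and path is caught.
    Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
        $hash = Get-FileHash -Path $_.Path -Algorithm SHA256 -ErrorAction SilentlyContinue
        $sha = if ($hash) { $hash.Hash } else { 'UNREADABLE' }   # protected binaries
        [pscustomobject]@{
            Name           = $_.Name
            FileVersion    = $_.FileVersion
            ProductVersion = $_.ProductVersion
            Company        = $_.Company
            Path           = $_.Path
            Sha256         = $sha
        }
    }
}

function Compare-ProcessBaseline {
    param(
        [Parameter(Mandatory)] [string] $BaselinePath,
        [object[]] $Current = (Get-ProcessSnapshot)
    )
    # Index the baseline by executable path; Import-Csv gives back strings,
    # which is all the comparison below needs.
    $known = @{}
    foreach ($p in (Import-Csv -Path $BaselinePath)) { $known[$p.Path] = $p }

    foreach ($p in $Current) {
        $b = $known[$p.Path]
        if (-not $b) {
            # Never seen on this host: new software, or something that does not belong.
            [pscustomobject]@{ Finding = 'NEW_PROCESS'; Path = $p.Path; Detail = "company: $($p.Company)" }
        } elseif ($b.Sha256 -ne $p.Sha256) {
            # Same path, different bytes: a patch, or a replaced binary.
            [pscustomobject]@{ Finding = 'BINARY_CHANGED'; Path = $p.Path; Detail = "version $($b.FileVersion) -> $($p.FileVersion)" }
        }
    }
}

# First run, on a known-good host: build the baseline and copy it somewhere safe.
#   Get-ProcessSnapshot | Export-Csv -Path C:\Baseline\process.csv -NoTypeInformation
# Later runs: everything returned is an anomaly to be explained, not ignored.
#   Compare-ProcessBaseline -BaselinePath C:\Baseline\process.csv | Format-Table -AutoSize
```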

Page 47

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Honeypots (Canary)

• Honey Files

• Honey Tokens / Honey Accounts

• Pepper your enterprise with detection “tripwires”

• Deploy deception (fake employees, LinkedIn, Facebook, Twitter, email, etc.)

Page 48

Pre-attack Defense

Cybersecurity – Pre-attack Defense

Purple Teams

• Send your defenders to penetration testing and hacking courses

• Your defenders will become better defenders

Page 49

Pre-attack Defense

Cybersecurity – Pre-attack Defense

• Your defenders will be able to anticipate and quickly adapt to threats

• Conduct a recurring 3rd-party penetration test to test your defenders

• The money spent on a penetration test is actually training for your defenders

Page 50

Active Attack Response

Cybersecurity – Active Attack Response

• Follow a well-rehearsed IRP (incident response plan) that addresses all facets of your organization.

• Work quickly to protect what makes you a valuable target – PII and Grid Control Systems

Page 51

Active Attack Response

Cybersecurity – Active Attack Response

• Immediately secure your backup solution

• Be prepared to work with law enforcement (FBI, DHS, etc.)

Page 52

Active Attack Response

Cybersecurity – Active Attack Response

• Assume the worst until proven otherwise

• Be prepared to sever network connections (LAN & WAN)

• Preserve forensic evidence whenever possible

Page 53

Active Attack Response

Cybersecurity – Active Attack Response

• Look for devices that were left behind – network taps, wireless devices, etc.

• Review any and all available camera footage

• When in doubt, shut down and remove power from potentially compromised equipment

Page 54

Active Attack Response

Cybersecurity – Active Attack Response

Potential IOCs

• Anomalies in privileged user account activity

• Unusual outbound network traffic – any change from baseline

• Geographic anomalies

• Unexplained account lockouts for legitimate accounts

Page 55

Active Attack Response

Cybersecurity – Active Attack Response

Potential IOCs

• Failed logon attempts for non-existent accounts

• Increase in database read volume

• Increase in website reads

• Distributed Denial of Service attack (DDoS smokescreen)
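Added example, not from the presentation: PowerShell triage logic for three of the IOCs on this slide and the previous one (an unexpected domain-controller shutdown inside a physical alarm window, the pattern from the scenario; failed logons for non-existent accounts; lockouts of legitimate accounts), run over constructed sample event records so it works offline. The Find-Iocs name, the host and account names and the timestamps are assumptions; in production the records would come from Get-WinEvent or the SIEM.

```powershell
# Added example (not the presentation's code). Event IDs are the standard
# Windows ones: 4625 failed logon (SubStatus 0xC0000064 = user name does not
# exist, 0xC000006A = wrong password), 4740 account locked out (Security log),
# 6008 previous shutdown was unexpected (System log).

$legitAccounts     = @('jsmith', 'svc_scada', 'dking')   # constructed names
$domainControllers = @('DC01', 'DC02')                   # constructed names
# Physical alarm window from the scenario (constructed times): the aging
# security system alarmed over Thanksgiving weekend.
$physicalAlarm = @{ Start = [datetime]'2017-11-25 02:10'; End = [datetime]'2017-11-25 03:00' }

# Constructed sample events, not real log data.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2017-11-25 02:31'; Computer = 'DC02'; Id = 6008; Account = $null;         SubStatus = $null }
    [pscustomobject]@{ Time = [datetime]'2017-11-27 08:02'; Computer = 'FS01'; Id = 4625; Account = 'backupadmin'; SubStatus = '0xC0000064' }
    [pscustomobject]@{ Time = [datetime]'2017-11-27 08:02'; Computer = 'FS01'; Id = 4625; Account = 'sqlsvc';      SubStatus = '0xC0000064' }
    [pscustomobject]@{ Time = [datetime]'2017-11-27 08:03'; Computer = 'FS01'; Id = 4625; Account = 'jsmith';      SubStatus = '0xC000006A' }
    [pscustomobject]@{ Time = [datetime]'2017-11-27 08:05'; Computer = 'DC01'; Id = 4740; Account = 'svc_scada';   SubStatus = $null }
)

function Find-Iocs {
    param([object[]] $Events, [hashtable] $Alarm, [string[]] $Dcs, [string[]] $Legit)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. "Treat ALL physical attacks as a potential cyber attack": an unexpected
    #    shutdown of a domain controller inside (or within an hour of) a physical
    #    alarm window is exactly the forced power-off the scenario describes.
    foreach ($e in $Events | Where-Object {
            $_.Id -eq 6008 -and $Dcs -contains $_.Computer -and
            $_.Time -ge $Alarm.Start.AddHours(-1) -and $_.Time -le $Alarm.End.AddHours(1) }) {
        $findings.Add("DC_UNEXPECTED_SHUTDOWN_DURING_ALARM: $($e.Computer) at $($e.Time)")
    }

    # 2. "Failed logon attempts for non-existent accounts": several different
    #    unknown names from one host is guessing with a stale credential list,
    #    not a typo; the SubStatus separates it from ordinary wrong passwords.
    $byHost = $Events | Where-Object { $_.Id -eq 4625 -and $_.SubStatus -eq '0xC0000064' } | Group-Object Computer
    foreach ($g in $byHost | Where-Object { $_.Count -ge 2 }) {
        $names = ($g.Group.Account | Sort-Object -Unique) -join ','
        $findings.Add("NONEXISTENT_ACCOUNT_LOGONS: $($g.Name) tried $names")
    }

    # 3. "Unexplained account lockouts for legitimate accounts".
    foreach ($e in $Events | Where-Object { $_.Id -eq 4740 -and $Legit -contains $_.Account }) {
        $findings.Add("LEGIT_ACCOUNT_LOCKOUT: $($e.Account) (reported by $($e.Computer))")
    }
    return $findings
}

# On the sample above this yields one finding per rule: DC02's unexpected
# shutdown, FS01 trying backupadmin and sqlsvc, and the svc_scada lockout.
Find-Iocs -Events $events -Alarm $physicalAlarm -Dcs $domainControllers -Legit $legitAccounts
```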

Page 56

Active Attack Response

Cybersecurity – Active Attack Response

Stopping the attack is the first definitive step. The next step is repair and remediation, but that’s an entirely different issue.

Page 57

The key to 3 Dimensional Data Protection (diagram): Cyber Security – Physical Security – Collaboration

Page 58

This is NOT collaboration

Page 59

Collaboration

A team effort between IT, Safety, & Security

Page 60

For more info or questions, contact:

Jim Willis, Physical Security: [email protected]

Doug King, Cyber Security: [email protected]