
ICS case studies v2

Feb 08, 2017


PowerPoint Presentation

Case Studies: Industrial Control Systems
Dan Scali, Manager, Industrial Control Systems, Mandiant Security Consulting Services

Copyright 2014, FireEye, Inc. All rights reserved.

ICS security threats

Network layers (top to bottom): Enterprise/IT; Plant DMZ; SCADA/ICS; Control
Components: SCADA; Historian; HMI; PLCs, controllers, RTUs, PACs
Threat vector 1: Attacks on the enterprise
Threat vector 2: Attacks on ICS/SCADA systems and devices


Case studies

- Building a comprehensive program: how an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program
- Defending the SCADA and field-level devices: how an ICS operator used passive network monitoring to identify SCADA network configuration flaws

Case Study: Building a cyber security program

The challenges

Business imperatives:
- Maintain compliance
- Resist targeted attacks
- Support reliability

Implications:
- 10-20k serial assets coming into scope for NERC CIP
- Requires coordination across OT and IT
- Transition from NERC CIP v3 to NERC CIP v5
- Detect, respond to, and contain incidents impacting grid assets
- IT/OT convergence and next-generation grid
- Integrated SOC will need visibility into grid assets
- IR processes and technologies must be adapted for the control system environment
- Legacy control systems technology will be replaced
- Connectivity and exposure of power systems will increase

FireEye's solution: Program strategy

Mission: To support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents.

Program pillars: Governance; Technology; Operations

Stakeholders: Transmission and Distribution; Cybersecurity; Power Systems; IT

Key functions and activities:
- Policy
- Compliance
- Training
- Asset inventory
- Metrics
- New projects
- Technical standards
- Evaluation and procurement
- External working groups
- Maintenance
- Incident response
- Vulnerability and patch management

Sample roadmap (figure not recoverable from the extracted text)

Sample heatmap (figure not recoverable from the extracted text)

Sample project plan (figure not recoverable from the extracted text)

Case Study: Protecting the SCADA

The challenge

Customer had invested heavily in a network segmentation and firewall configuration effort and needed a way to validate that:
- No connections were possible directly from the business network to the SCADA network
- SCADA was not able to communicate with the internet

The Solution: FireEye PX

- Ultrafast packet capture: up to 20Gbps sustained in a single appliance allows for aggregation and cost savings
- Internal or external storage options (FC or SAS)
- Ultrafast search: patented tiered indexing system (search TBs in seconds)
- Session analysis: full reconstruction of web, email, DNS, and FTP traffic
- File extraction
- User extensible
- Industry standard PCAP format for capture data
- Export of index data in NetFlow v9 or IPFIX format

PX deployment options (diagram; only the labels survive extraction)

Each of the three diagrams shows the same path, Enterprise Network -> Router -> Firewall/DMZ -> Switch -> ICS, with an NX and a PX appliance attached and a Pivot2Pcap link between them. The diagrams differ in how traffic is copied to the sensors:
- Tap (out-of-band)
- SPAN port on the switch
- Tap (inline)

Results

15 minutes of network traffic capture data revealed:
- Traffic direct from the business network to the SCADA zone
- External DNS requests
- Potential multi-homed devices
- Limited segmentation between SCADA zones
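The four findings above are all questions that can be asked of flow records exported from a capture (the NetFlow v9/IPFIX index export mentioned on the previous slide, or any similar source). The following Python is an added example and not FireEye's or the customer's tooling: it defines zone boundaries, feeds in constructed flow records, and flags business-to-SCADA flows, DNS to resolvers outside every defined zone, traffic crossing between two SCADA zones, and a single MAC address seen sourcing traffic from addresses in more than one zone. The zone ranges, the flow tuple layout and the sample flows are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Zone definitions are constructed for this example; in practice they come from
# the segmentation design the firewall effort was meant to implement.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "scada-a":  ipaddress.ip_network("10.2.1.0/24"),
    "scada-b":  ipaddress.ip_network("10.2.2.0/24"),
}
SCADA_ZONES = {"scada-a", "scada-b"}

# Constructed flow records in the shape a flow export would yield once parsed:
# (src_mac, src_ip, dst_ip, proto, dst_port). 192.0.2.53 is a documentation
# address standing in for an internet resolver.
SAMPLE_FLOWS = [
    ("00:11:22:aa:bb:01", "10.1.20.14", "10.2.1.10",  "tcp", 502),  # business host -> SCADA host
    ("00:11:22:aa:bb:02", "10.2.1.10", "10.2.1.5",    "udp", 53),   # SCADA host -> in-zone resolver
    ("00:11:22:aa:bb:02", "10.2.1.10", "192.0.2.53",  "udp", 53),   # SCADA host -> external resolver
    ("00:11:22:aa:bb:03", "10.2.1.22", "10.2.2.30",   "tcp", 445),  # SCADA zone A -> SCADA zone B
    ("00:11:22:aa:bb:04", "10.1.5.9",  "10.1.5.1",    "udp", 53),   # business host, ordinary DNS
    ("00:11:22:aa:bb:04", "10.2.2.40", "10.2.2.30",   "tcp", 102),  # same MAC with a SCADA-side IP
]


def zone_of(ip):
    """Return the zone name an address belongs to, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def analyze_flows(flows):
    """Return (category, detail) findings for the four conditions from the case study."""
    findings = []
    zones_seen_by_mac = defaultdict(set)
    for mac, src, dst, proto, dport in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz is not None:
            zones_seen_by_mac[mac].add(sz)
        # 1. A direct path from the business network into a SCADA zone exists.
        if sz == "business" and dz in SCADA_ZONES:
            findings.append(("business_to_scada", f"{src} -> {dst} {proto}/{dport}"))
        # 2. A SCADA host is resolving names via something outside every defined zone.
        if sz in SCADA_ZONES and dport == 53 and dz is None:
            findings.append(("external_dns", f"{src} -> {dst}"))
        # 3. Traffic crosses between two SCADA zones, so segmentation between them is weak.
        if sz in SCADA_ZONES and dz in SCADA_ZONES and sz != dz:
            findings.append(("scada_zone_crossing", f"{sz}:{src} -> {dz}:{dst} {proto}/{dport}"))
    # 4. One MAC address sourced traffic from addresses in more than one zone. This is only
    #    meaningful when the capture point sees the host's own frames; behind a router the
    #    source MAC is the gateway's, so every flow would carry the same MAC.
    for mac, zones in zones_seen_by_mac.items():
        if len(zones) > 1:
            findings.append(("possible_multihomed", f"{mac} seen with addresses in {sorted(zones)}"))
    return findings


def count_by_category(findings):
    counts = defaultdict(int)
    for category, _ in findings:
        counts[category] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, detail in analyze_flows(SAMPLE_FLOWS):
        print(f"{category:22} {detail}")
```

Run against the constructed flows it reports one finding per category; in a real engagement the same checks run over the full 15-minute export, and the business-to-SCADA and external-DNS hits are the ones that directly contradict the firewall rules the customer set out to validate.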

Incident response workflow

1. Detect: FireEye threat prevention platform (NX, EX, FX, or AX) detects the threat and generates an alert with a detailed OS change report.
2. Validate and contain: the OS change report is sent to the HX appliance, which generates an indicator and pushes it to the endpoint agent. The operator can contain and isolate the compromised endpoint by blocking all traffic with a single-click workflow while continuing with the investigation. The analyst can view a detailed exploit timeline from the endpoint to better understand the attack.
3. Forensics analysis: the analyst pivots to PX with the IP address and time of infection to reconstruct the kill chain before, during, and after the event, using captured packets to determine the scope and impact of the threat.

Questions?