
ICS case studies v2

Feb 08, 2017


Nguyen Binh
Transcript
Page 1: ICS case studies v2

1 Copyright © 2014, FireEye, Inc. All rights reserved.

Case Studies: Industrial Control Systems

Dan Scali, Manager – Industrial Control Systems, Mandiant Security Consulting Services

Page 2: ICS case studies v2


ICS security threats

Diagram of the layered architecture, top to bottom (labels recovered from the slide): Enterprise/IT; Plant DMZ; SCADA/ICS (SCADA, Historian, HMI); Control (PLCs, Controllers, RTUs, PACs).

Threat vector: Attacks on the enterprise

Threat vector: Attacks on ICS/SCADA systems and devices

Page 3: ICS case studies v2


Case studies

Building a comprehensive program: How an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program

Defending the SCADA & field-level devices: How an ICS operator used passive network monitoring to identify SCADA network configuration flaws

Page 4: ICS case studies v2


Case Study: Building a cyber security program

Page 5: ICS case studies v2


The challenges

Business imperative | Implications

Maintain compliance: Transition from NERC CIP v3 to NERC CIP v5
• 10-20k serial assets coming into scope for NERC CIP
• Requires coordination across OT & IT

Resist targeted attacks: Detect, respond to, and contain incidents impacting grid assets
• Integrated SOC will need visibility into grid assets
• IR processes and technologies must be adapted for control system environment

Support reliability: IT/OT convergence and next-generation grid
• Legacy control systems technology will be replaced
• Connectivity & exposure of power systems will increase

Page 6: ICS case studies v2


FireEye’s solution: Program strategy

Mission: To support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents.

Stakeholders: Transmission & Distribution – Cybersecurity – Power Systems IT

Key functions & activities

Governance
• Policy
• Compliance
• Training
• Asset inventory
• Metrics

Technology
• New projects
• Technical standards
• Evaluation & Procurement
• External working groups

Operations
• Maintenance
• Incident Response
• Vulnerability & Patch Management

Page 7: ICS case studies v2


Sample roadmap

Page 8: ICS case studies v2


Sample heatmap

Page 9: ICS case studies v2


Sample project plan

Page 10: ICS case studies v2


Case Study: Protecting the SCADA

Page 11: ICS case studies v2


The challenge

Customer had invested heavily in a network segmentation and firewall configuration effort

Needed a way to validate that:
– No connections were possible directly from the business network to the SCADA network
– SCADA was not able to communicate with the internet

Page 12: ICS case studies v2


The Solution: FireEye PX

Ultrafast packet capture: up to 20Gbps sustained in a single appliance allows for aggregation and cost savings

Internal or external storage options (FC or SAS)

Ultrafast search: patented tiered indexing system (search TBs in seconds)

Session Analysis: full reconstruction of web, email, DNS, & ftp traffic

File extraction

User extensible

Industry standard PCAP format for capture data

Export of index data in Netflow v9 or IPFIX format

Page 13: ICS case studies v2


PX deployment options

Diagram of three deployment options (labels recovered from the slide). Each shows the path Enterprise Network – Router – Firewall/DMZ – Switch – ICS, with NX and PX appliances and Pivot2Pcap between them; they differ in how traffic is fed to the appliances:
– SPAN port on the switch
– Tap (OOB), out of band
– Tap (Inline)

Page 14: ICS case studies v2


Results

15 minutes of network traffic capture data revealed:
– Traffic direct from business network to SCADA zone
– External DNS requests
– Potential multi-homed devices
– Limited segmentation between SCADA zones

Page 15: ICS case studies v2


Incident response workflow

Detect: FireEye threat prevention platform (NX, EX, FX, or AX) detects threat and generates alert with detailed OS change report.

Validate & Contain (HX): OS change report is sent to HX appliance which then generates indicator and pushes to endpoint agent. Operator can contain & isolate the compromised endpoint by blocking all traffic with single-click workflow while continuing with the investigation. Analyst can view detailed exploit timeline from the endpoint to better understand the attack.

Forensics Analysis (PX): Analyst pivots to PX with IP address and time of infection to reconstruct kill chain before, during and after to determine the scope and impact of a threat via captured packets.
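The four findings on the Results slide (business-to-SCADA traffic, external DNS, multi-homed devices, cross-zone SCADA traffic) and the pivot-by-IP-and-time step of the forensics stage, worked through in code. This is an added example, not FireEye code and not the customer's data: the zone address ranges, the flow-record fields and the sample flows are all constructed for the illustration, and the checks run over any flow index with the same fields rather than over PX specifically.

```python
"""Passive segmentation checks and an IP/time pivot over captured flow records.

Added example; zone ranges, record fields and sample flows are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed zone addressing for the illustration (not any real customer's ranges).
ZONES = {
    "business": ip_network("10.10.0.0/16"),
    "plant_dmz": ip_network("172.16.1.0/24"),
    "scada_a": ip_network("192.168.10.0/24"),
    "scada_b": ip_network("192.168.20.0/24"),
}
SCADA_ZONES = {"scada_a", "scada_b"}

# Constructed flow records, one per unidirectional flow: timestamp, endpoints,
# source MAC and destination port, as a capture index would summarise them.
FLOWS = [
    {"ts": "2014-06-01T10:00:01", "src": "10.10.5.21", "dst": "192.168.10.15",
     "src_mac": "00:1a:aa:00:00:01", "dport": 502},    # business host to SCADA (Modbus)
    {"ts": "2014-06-01T10:00:02", "src": "192.168.10.15", "dst": "8.8.8.8",
     "src_mac": "00:1a:bb:00:00:02", "dport": 53},     # SCADA host resolving names on the internet
    {"ts": "2014-06-01T10:00:03", "src": "192.168.10.15", "dst": "192.168.10.1",
     "src_mac": "00:1a:bb:00:00:02", "dport": 53},     # same host, internal DNS (expected)
    {"ts": "2014-06-01T10:00:04", "src": "192.168.10.40", "dst": "192.168.20.7",
     "src_mac": "00:1a:cc:00:00:03", "dport": 20000},  # SCADA zone A reaching zone B (DNP3)
    {"ts": "2014-06-01T10:00:05", "src": "10.10.8.3", "dst": "172.16.1.10",
     "src_mac": "00:1a:cc:00:00:03", "dport": 443},    # same MAC sending from a business address
    {"ts": "2014-06-01T10:20:00", "src": "172.16.1.10", "dst": "192.168.10.15",
     "src_mac": "00:1a:dd:00:00:04", "dport": 502},    # DMZ to SCADA: the intended path
]


def zone_of(ip):
    """Map an address to its zone name; globally routable addresses are 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external" if addr.is_global else "unknown"


def business_to_scada(flows):
    """Finding 1: connections that bypass the DMZ, business zone straight into SCADA."""
    return [f for f in flows
            if zone_of(f["src"]) == "business" and zone_of(f["dst"]) in SCADA_ZONES]


def external_dns(flows):
    """Finding 2: SCADA hosts sending DNS queries to internet resolvers."""
    return [f for f in flows
            if f["dport"] == 53 and zone_of(f["src"]) in SCADA_ZONES
            and zone_of(f["dst"]) == "external"]


def multi_homed(flows, gateway_macs=frozenset()):
    """Finding 3: one source MAC seen with addresses in more than one zone.

    Only meaningful for hosts on the capture's own L2 segment: a router's MAC
    fronts every zone behind it, so known gateway MACs are excluded.
    """
    zones_by_mac = defaultdict(set)
    for f in flows:
        if f["src_mac"] not in gateway_macs:
            zones_by_mac[f["src_mac"]].add(zone_of(f["src"]))
    return {mac: sorted(z) for mac, z in zones_by_mac.items() if len(z) > 1}


def cross_scada_zone(flows):
    """Finding 4: traffic between SCADA zones that were meant to be separated."""
    return [f for f in flows
            if zone_of(f["src"]) in SCADA_ZONES and zone_of(f["dst"]) in SCADA_ZONES
            and zone_of(f["src"]) != zone_of(f["dst"])]


def audit(flows):
    """Count of each finding, the summary an operator would review first."""
    return {
        "business_to_scada": len(business_to_scada(flows)),
        "external_dns": len(external_dns(flows)),
        "multi_homed": len(multi_homed(flows)),
        "cross_scada_zone": len(cross_scada_zone(flows)),
    }


def pivot(flows, ip, infection_time, window_minutes=5):
    """Forensics pivot: every flow touching `ip` within a window around the infection time."""
    t0 = datetime.fromisoformat(infection_time)
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    return [f for f in flows
            if ip in (f["src"], f["dst"]) and lo <= datetime.fromisoformat(f["ts"]) <= hi]


if __name__ == "__main__":
    for finding, count in audit(FLOWS).items():
        print(f"{finding}: {count}")
    for f in pivot(FLOWS, "192.168.10.15", "2014-06-01T10:00:05"):
        print("pivot:", f["ts"], f["src"], "->", f["dst"], f["dport"])
```

The zone map is the only site-specific input; with the capture index exported as flow records, the same four checks cover the validation goals stated on the challenge slide, and the pivot returns the before/during/after context for a single host that the forensics stage describes.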

Page 16: ICS case studies v2


Questions?