scada security: how do i know if i’ve already been owned? · scada security: how do i know if...

Post on 19-Apr-2018






Click to see full reader




Gib Sorebo

SCADA Security: How Do I Know If I’ve Already Been Owned?


Chief Cybersecurity TechnologistLeidos@gibsorebo





Reasons for Concern

Cybersecurity Challenges within Industrial Controls Systems (ICS)

The Undiscovered Breach

The Attack Lifecycle

Current State of Control System Cybersecurity Monitoring

Options for Greater Visibility

Potential Ecosystem

#RSACReasons for Concern: Supply Chain, Network Attacks, and Accidents


Soviet Trans-Siberian Pipeline Sabotage (1982)

Stuxnet (2010)

Taum Sauk (2005)Federal Energy Regulatory Image.

Used by permission.

WannCry / NotPetya (2017)German Steel Mill (2014) Ukraine Grid (2015 & 2016)

Turkish Pipeline (2008)


Anatomy of an Attack: Ukraine Electric Grid 2015


Attacker sends phishing e-mail with pdf containing malicious macro Macro captures user

credentials and returns them to attacker

Attacker uses credentials log into utility’s VPN

Attacker maneuvers to HMI and logs in with same credentials

Attacker begins switching off power at various substations around country

HMI = Human Machine Interface

User clicks infected pdf


Cybersecurity challenges within ICS


Lack of Cybersecurity Expertise/Culture

Long Update Cycle

Limited Visibility

IT/OT Divide


The Undiscovered Breach


Median number of days attackers were present on a victim’s network before

being discovered in 2016

Source: 2017 Mandiant M-Trends Report

*Note: Much of the recent dwell time decline is due to attacks designed to attract immediate attention such as ransomware and data wiping malware.

99* “. . .Excellus discovered the attack on Aug. 5 [2015] and an investigation determined that it occurred on Dec. 23, 2013.”


Typical IT Attack Lifecycle


1. Conduct Reconnaissance

2. Establish Foothold

3. Move Laterally and

Gain Privileges

4. Accomplish Mission

1. Conduct Reconnaissance: Attacker analyzes the intended victim to identify a way to get in and what they want to get once they penetrate the network

2. Establish Foothold: Attacker gains control of a single computer inside the perimeter – generally a server or a personal computer – and then load tools onto that computer for remote control

3. Move Laterally and Gain Privileges: Attacker moves around the network to get closer to the computers that they want to access, and obtains privileged credentials to access them

4. Accomplish Mission: Attacker accomplishes their mission, stealing data (confidentiality), changing data (integrity) or destroying data (availability)


The Purdue Model – An OT Attack Lifecycle

8OT = Operational Technology

Proprietary Technology

Goal is to control or disrupt here


Current State of Industrial Security Monitoring

9HMI = Human Machine Interface WAN = Wide Area Network SIEM = Security Information and Event Management SOC = Security Operations Center PLC = Programmable Logic Controller

Security Operations Center

ActuatorTraditional IT

No security data; only control & performance information



Covering All Layers of the Software/Device


HMIs and Engineering workstations (Purdue layer 2)

• Variable data (e.g., set points)• Start/Stop• Alarm setting• Underlying HMI code• Controller programming code• Binaries/configuration files

PLC - Controller (Purdue layer 1)• Programming logic (e.g., ladder logic,

structured text, instruction lists)• Variable data (e.g., set points)

Higher layers (Purdue layers 3-5)• Application level settings (e.g.,

analytics, alarms, triggers)• Access control settings• Application and workstation


Field devices (Purdue layer 0)• Sensors (current state)• Actuators (current state)


Control Systems Options for Greater Visibility


Where feasible, install monitoring agent on controllers

Look for power and frequency changes on actuators & sensors

Packet capture and parsing of proprietary protocols

Consider network honeypots where appropriate


Outcomes for Monitoring Scenarios


• Detect anomalies• Identify performance issues• Build baseline• Identify authorized changes

Network & Serial Data Captures

• Compare with intended input• Detect anomalies• Build baseline

Power and frequency measurements

• Detect performance issues• Correlate across multiple log sources• Build baseline• Identify anomalies

Parse log files

• Block prohibited operations (optional)• Real-time reporting of anomalies• Compare with intended input

Software Monitoring Agent

• On perimeter, get early insights on potential threats

• Internally, quickly validate intrusionsHoneypots


Example Architecture


Packet collection/IDS


Log parser

Data Aggregator

Power monitoring

Endpoint agents



Building Custom Parsers


Original Logdevice_id=6, state_time=2017-6-20 16:43:10.970, device_state=1, teststat=0

Post ParsingEvent Time = 2017-6-20 16:43:10

Device ID = Pump 3Device State = Turning Pump On

Status = OK

Set correlation rule to trigger

when unexpected events occur

• Logs Read Like a sentence.• Making logs human readable allows for anyone to understand exactly what happened• Increases readability of reports on historical data


Options for Tools


Power Monitoring

Some commercial options available

SIEM and Aggregators

OSSIMSimple Event Correlator

Packet Collection


Parsers and Analytics




Honeypots Conpot


How the Defenses Address Each Layer


Honeypots offer early warning of scans and other reconnaissance

Endpoint agents detect initial landing point (e.g., via phishing of IT side)

Packet collection & IDS sensors alert on lateral movement

Agents on HMIs and other OT systems detect suspicious connections and programs

OT aware packet analysis tools detect set point and other changes sent to controllers

Internal honeypots alert when touched

OT-aware honeypots detect attempts to change OT components

Log parser detects changes to controllers

Power monitoring on actuators & sensors offer final detection option

1. Conduct Reconnaissance

2. Establish Foothold

3. Move Laterally and

Gain Privileges

4. Accomplish Mission

SIEMs and other back-end platforms pull all the pieces together


Putting it All Together


Conduct Hardware and Software Inventory

While many OT environments are good at keeping track of the physical inventory, software, and particularly their version, are often missed


Putting it All Together


Conduct Hardware and Software Inventory

Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity, endpoint configuration files)

Often referred to as a “Kill Chain Analysis,” this is where one might find evidence of an attack


Putting it All Together


Conduct Hardware and Software Inventory

Identify commercial, ICS vendor-provided, and open source tools

Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)

Be creative; some of the best tools may not even be considered security tools (e.g., configuration management, data historians)


Putting it All Together


Conduct Hardware and Software Inventory

Identify commercial, ICS vendor-provided, and open source tools

Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)

Build and implement test environment to demonstrate capabilities

Many control system vendors offer “virtual twins” for testing and modeling; other comparable environments are freely available


Putting it All Together


Conduct Hardware and Software Inventory

Identify commercial, ICS vendor-provided, and open source tools

Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)

Build and implement test environment to demonstrate capabilities

Coordinate with production team for access to data and tool deployment

Be patient and conscious of IT/OT culture differences; help OT understand why this help them


Putting it All Together


Conduct Hardware and Software Inventory

Identify commercial, ICS vendor-provided, and open source tools

Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)

Build and implement test environment to demonstrate capabilities

Coordinate with production team for access to data and tool deployment

Build use cases and develop analytics and correlation rules

Focus on what the bad guys would want to do and how they would want to accomplish it (e.g., tactics, techniques, and procedures)


Putting it All Together


Conduct Hardware and Software Inventory

Identify commercial, ICS vendor-provided, and open source tools

Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)

Build and implement test environment to demonstrate capabilities

Coordinate with production team for access to data and tool deployment

Deploy tools and collect data

This will be an iterative process based on tool feasibility, budget, time, and skills.

Build use cases and develop analytics and correlation rules


Putting it All Together


Conduct Hardware and Software Inventory

Identify commercial, ICS vendor-provided, and open source tools

Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)

Build and implement test environment to demonstrate capabilities

Coordinate with production team for access to data and tool deployment

Deploy tools and collect data

Build use cases and develop analytics and correlation rules

Test by simulating threats

Start small with low risk environments less sensitive to disruption working with tabletop environments first


What Else?


Other Considerations

False Positives

Alignment with Control


Staffing Levels for Security Operations

CenterCoverage of

All Attack Stages

No Disruption to Operations


Apply What You’ve Learned Today


Next Week You Should:Review the architectures for your control system environmentsTalk to process control engineers and managers about feasibility of gaining more visibility and explain how that helps themInquire about virtual environments and modeling tools available

In the Next Three Months You Should:Acquire and gain familiarity with tools in a test environment based on “kill chain” analysis of your control system environmentsDemonstrate operating model in a virtual environmentDevelop use cases


Apply What You’ve Learned Today


In the Next Six Months You Should:Develop and present deployment plan based on research and testing performed and coordination with OT teams and gain approvalDeploy tools and data collection processes to low risk control system environmentsSimulate threats at multiple locations in OT environmentAnalyze data collected to determine ability to detect threatsIterate exercises and migrate approach to progressively higher risk environments (will likely take longer than six months to complete)




Gib SoreboLeidos Chief Cybersecurity Technologistphone: 703-318-4553email:

For more information contact:


Tools Reference


Can leverage enterprise SIEM with some customizations; open source and commercial options also available. Open source: OSSIM: Event Correlator:

SIEM and Aggregators

Multiple commercial options for both collection and analysis for ICSOpen source: Wireshark:

Packet Collection

Included with SIEM and tools to build custom parsersOpen source: OpenSOC: Metron: (anomaly detection):

Parsers and Analytics

Most are targeted at enterprise, but can be customized for ICS environmentsOpen source: OSSEC (host-based IDS): (Control System Honeypot):

Endpoint Agents

Power Monitoring Some commercial options available

top related