scada security: how do i know if i’ve already been owned? · scada security: how do i know if...
TRANSCRIPT
SESSION ID:SESSION ID:
#RSAC
Gib Sorebo
SCADA Security: How Do I Know If I’ve Already Been Owned?
SOP-W04
Chief Cybersecurity TechnologistLeidos@gibsorebo
17-Leidos-0918-1850
#RSAC
Overview
2
Reasons for Concern
Cybersecurity Challenges within Industrial Controls Systems (ICS)
The Undiscovered Breach
The Attack Lifecycle
Current State of Control System Cybersecurity Monitoring
Options for Greater Visibility
Potential Ecosystem
#RSACReasons for Concern: Supply Chain, Network Attacks, and Accidents
3
Soviet Trans-Siberian Pipeline Sabotage (1982)
Stuxnet (2010)
Taum Sauk (2005)Federal Energy Regulatory Image.
Used by permission.
WannCry / NotPetya (2017)German Steel Mill (2014) Ukraine Grid (2015 & 2016)
Turkish Pipeline (2008)
#RSAC
Anatomy of an Attack: Ukraine Electric Grid 2015
4
Attacker sends phishing e-mail with pdf containing malicious macro Macro captures user
credentials and returns them to attacker
Attacker uses credentials log into utility’s VPN
Attacker maneuvers to HMI and logs in with same credentials
Attacker begins switching off power at various substations around country
HMI = Human Machine Interface
User clicks infected pdf
#RSAC
Cybersecurity challenges within ICS
5
Lack of Cybersecurity Expertise/Culture
Long Update Cycle
Limited Visibility
IT/OT Divide
#RSAC
The Undiscovered Breach
6
Median number of days attackers were present on a victim’s network before
being discovered in 2016
Source: 2017 Mandiant M-Trends Report
*Note: Much of the recent dwell time decline is due to attacks designed to attract immediate attention such as ransomware and data wiping malware.
99* “. . .Excellus discovered the attack on Aug. 5 [2015] and an investigation determined that it occurred on Dec. 23, 2013.”
#RSAC
Typical IT Attack Lifecycle
7
1. Conduct Reconnaissance
2. Establish Foothold
3. Move Laterally and
Gain Privileges
4. Accomplish Mission
1. Conduct Reconnaissance: Attacker analyzes the intended victim to identify a way to get in and what they want to get once they penetrate the network
2. Establish Foothold: Attacker gains control of a single computer inside the perimeter – generally a server or a personal computer – and then load tools onto that computer for remote control
3. Move Laterally and Gain Privileges: Attacker moves around the network to get closer to the computers that they want to access, and obtains privileged credentials to access them
4. Accomplish Mission: Attacker accomplishes their mission, stealing data (confidentiality), changing data (integrity) or destroying data (availability)
#RSAC
The Purdue Model – An OT Attack Lifecycle
8OT = Operational Technology
Proprietary Technology
Goal is to control or disrupt here
#RSAC
Current State of Industrial Security Monitoring
9HMI = Human Machine Interface WAN = Wide Area Network SIEM = Security Information and Event Management SOC = Security Operations Center PLC = Programmable Logic Controller
Security Operations Center
ActuatorTraditional IT
No security data; only control & performance information
MonitoredUnmonitored
#RSAC
Covering All Layers of the Software/Device
10
HMIs and Engineering workstations (Purdue layer 2)
• Variable data (e.g., set points)• Start/Stop• Alarm setting• Underlying HMI code• Controller programming code• Binaries/configuration files
PLC - Controller (Purdue layer 1)• Programming logic (e.g., ladder logic,
structured text, instruction lists)• Variable data (e.g., set points)
Higher layers (Purdue layers 3-5)• Application level settings (e.g.,
analytics, alarms, triggers)• Access control settings• Application and workstation
configuration
Field devices (Purdue layer 0)• Sensors (current state)• Actuators (current state)
#RSAC
Control Systems Options for Greater Visibility
11
Where feasible, install monitoring agent on controllers
Look for power and frequency changes on actuators & sensors
Packet capture and parsing of proprietary protocols
Consider network honeypots where appropriate
#RSAC
Outcomes for Monitoring Scenarios
12
• Detect anomalies• Identify performance issues• Build baseline• Identify authorized changes
Network & Serial Data Captures
• Compare with intended input• Detect anomalies• Build baseline
Power and frequency measurements
• Detect performance issues• Correlate across multiple log sources• Build baseline• Identify anomalies
Parse log files
• Block prohibited operations (optional)• Real-time reporting of anomalies• Compare with intended input
Software Monitoring Agent
• On perimeter, get early insights on potential threats
• Internally, quickly validate intrusionsHoneypots
#RSAC
Example Architecture
13
Packet collection/IDS
SIEM
Log parser
Data Aggregator
Power monitoring
Endpoint agents
Honeypots
#RSAC
Building Custom Parsers
14
Original Logdevice_id=6, state_time=2017-6-20 16:43:10.970, device_state=1, teststat=0
Post ParsingEvent Time = 2017-6-20 16:43:10
Device ID = Pump 3Device State = Turning Pump On
Status = OK
Set correlation rule to trigger
when unexpected events occur
• Logs Read Like a sentence.• Making logs human readable allows for anyone to understand exactly what happened• Increases readability of reports on historical data
#RSAC
Options for Tools
15
Power Monitoring
Some commercial options available
SIEM and Aggregators
OSSIMSimple Event Correlator
Packet Collection
BroSuricataMoloch
Parsers and Analytics
OpenSOCMetronSkyline
EndpointAgents
OSSECSamhainConpot
Honeypots Conpot
#RSAC
How the Defenses Address Each Layer
16
Honeypots offer early warning of scans and other reconnaissance
Endpoint agents detect initial landing point (e.g., via phishing of IT side)
Packet collection & IDS sensors alert on lateral movement
Agents on HMIs and other OT systems detect suspicious connections and programs
OT aware packet analysis tools detect set point and other changes sent to controllers
Internal honeypots alert when touched
OT-aware honeypots detect attempts to change OT components
Log parser detects changes to controllers
Power monitoring on actuators & sensors offer final detection option
1. Conduct Reconnaissance
2. Establish Foothold
3. Move Laterally and
Gain Privileges
4. Accomplish Mission
SIEMs and other back-end platforms pull all the pieces together
#RSAC
Putting it All Together
17
Conduct Hardware and Software Inventory
While many OT environments are good at keeping track of the physical inventory, software, and particularly their version, are often missed
#RSAC
Putting it All Together
18
Conduct Hardware and Software Inventory
Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity, endpoint configuration files)
Often referred to as a “Kill Chain Analysis,” this is where one might find evidence of an attack
#RSAC
Putting it All Together
19
Conduct Hardware and Software Inventory
Identify commercial, ICS vendor-provided, and open source tools
Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)
Be creative; some of the best tools may not even be considered security tools (e.g., configuration management, data historians)
#RSAC
Putting it All Together
20
Conduct Hardware and Software Inventory
Identify commercial, ICS vendor-provided, and open source tools
Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)
Build and implement test environment to demonstrate capabilities
Many control system vendors offer “virtual twins” for testing and modeling; other comparable environments are freely available
#RSAC
Putting it All Together
21
Conduct Hardware and Software Inventory
Identify commercial, ICS vendor-provided, and open source tools
Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)
Build and implement test environment to demonstrate capabilities
Coordinate with production team for access to data and tool deployment
Be patient and conscious of IT/OT culture differences; help OT understand why this help them
#RSAC
Putting it All Together
22
Conduct Hardware and Software Inventory
Identify commercial, ICS vendor-provided, and open source tools
Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)
Build and implement test environment to demonstrate capabilities
Coordinate with production team for access to data and tool deployment
Build use cases and develop analytics and correlation rules
Focus on what the bad guys would want to do and how they would want to accomplish it (e.g., tactics, techniques, and procedures)
#RSAC
Putting it All Together
23
Conduct Hardware and Software Inventory
Identify commercial, ICS vendor-provided, and open source tools
Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)
Build and implement test environment to demonstrate capabilities
Coordinate with production team for access to data and tool deployment
Deploy tools and collect data
This will be an iterative process based on tool feasibility, budget, time, and skills.
Build use cases and develop analytics and correlation rules
#RSAC
Putting it All Together
24
Conduct Hardware and Software Inventory
Identify commercial, ICS vendor-provided, and open source tools
Note opportunities for visibility (e.g., log files, network tap/span port options, connectivity)
Build and implement test environment to demonstrate capabilities
Coordinate with production team for access to data and tool deployment
Deploy tools and collect data
Build use cases and develop analytics and correlation rules
Test by simulating threats
Start small with low risk environments less sensitive to disruption working with tabletop environments first
#RSAC
What Else?
25
Other Considerations
False Positives
Alignment with Control
Processes
Staffing Levels for Security Operations
CenterCoverage of
All Attack Stages
No Disruption to Operations
#RSAC
Apply What You’ve Learned Today
26
Next Week You Should:Review the architectures for your control system environmentsTalk to process control engineers and managers about feasibility of gaining more visibility and explain how that helps themInquire about virtual environments and modeling tools available
In the Next Three Months You Should:Acquire and gain familiarity with tools in a test environment based on “kill chain” analysis of your control system environmentsDemonstrate operating model in a virtual environmentDevelop use cases
#RSAC
Apply What You’ve Learned Today
27
In the Next Six Months You Should:Develop and present deployment plan based on research and testing performed and coordination with OT teams and gain approvalDeploy tools and data collection processes to low risk control system environmentsSimulate threats at multiple locations in OT environmentAnalyze data collected to determine ability to detect threatsIterate exercises and migrate approach to progressively higher risk environments (will likely take longer than six months to complete)
#RSAC
Questions
28
Gib SoreboLeidos Chief Cybersecurity Technologistphone: 703-318-4553email: [email protected]
For more information contact:
#RSAC
Tools Reference
29
Can leverage enterprise SIEM with some customizations; open source and commercial options also available. Open source: OSSIM: https://www.alienvault.com/products/ossim/downloadSimple Event Correlator: http://simple-evcorr.sourceforge.net/
SIEM and Aggregators
Multiple commercial options for both collection and analysis for ICSOpen source: Wireshark: https://www.wireshark.org/download.htmlBro: https://www.bro.org/download/index.htmlSuricata: https://suricata-ids.org/download/Moloch: https://github.com/aol/moloch
Packet Collection
Included with SIEM and tools to build custom parsersOpen source: OpenSOC: http://opensoc.github.io/Apache Metron: http://metron.apache.org/Skyline (anomaly detection): https://github.com/etsy/skyline
Parsers and Analytics
Most are targeted at enterprise, but can be customized for ICS environmentsOpen source: OSSEC (host-based IDS): https://github.com/ossec/ossec-hidsSamhain: http://la-samhna.de/samhain/Conpot (Control System Honeypot): http://conpot.org/
Endpoint Agents
Power Monitoring Some commercial options available