
New Threat Vectors for ICS/SCADA Networks and How to Prepare for Them - PowerPoint PPT Presentation



  1. New Threat Vectors for ICS/SCADA Networks — and How to Prepare for Them June 27, 2017 Phil Neray, VP of Industrial Cybersecurity

  2. Why Now? Featuring CyberX’s threat intelligence & vulnerability research

  3. 3 Key Trends Driving ICS Cybersecurity
     OPERATIONAL TECH (OT) & IT ARE CONVERGING: IIoT & sensors everywhere • Cyber-physical integration • Increased attack surface • Increased cyber risk
     RANGE OF CYBERATTACKERS WITH VARYING MOTIVATIONS: Geopolitical aggression • Financial (ransomware) • Theft of corporate IP • Hacktivism
     INDUSTRIAL NETWORKS ARE EASY TARGETS: Perimeter security insufficient • Weak or no authentication • Malicious or careless insiders • No visibility into industrial malware or targeted threats

  4. How a Michigan Utility Got Hacked
     “Cybersecurity firm CyberX said it has uncovered a cyber-espionage operation in Ukraine that has compromised more than 70 victims including an energy ministry, a scientific research institute and a firm that designs remote monitoring systems for oil & gas pipelines.”
     “These kinds of campaigns are running, even as we speak,” said Omer Schneider, co-founder of CyberX (Dec. 2016)
     May 2015: CyberX analysis of BlackEnergy reveals data exfiltration behind sophisticated multi-year attack campaign
     Flaw in Schneider Industrial Firewalls Allows Remote Code Execution: “To demonstrate that attackers could easily bypass defenses if proper ICS protection technologies are not in place, researchers at industrial security firm CyberX have disclosed the existence of several critical 0-day vulnerabilities.”
     Dec. 2016: CyberX: Threat actors bring ransomware to industrial sector with new version of KillDisk

  5. “If I had a world of my own … Nothing would be what it is, because everything would be what it isn't. And contrary wise, what is, it wouldn't be. And what it wouldn't be, it would. You see?”

  6. Operation BugDrop • Cyber-espionage operation targeting 70+ organizations in the Ukraine • Captures audio, screen shots, files, passwords, keylogger • Uses Dropbox for data exfiltration • Reflective DLL Injection – Like Stuxnet & BlackEnergy • Encrypted DLLs • Uses free web hosting services for C&C servers

  7. RADIATION IIoT Botnet • Discovered by CyberX in June 2016 – Preceded Mirai • DDoS-for-hire service • Botnet army = 25,000 devices • Exploits 0-day in CCTVs (not default credentials) • Advertised on AlphaBay • Took down websites of 4 major Russian banks

  8. “How An Entire Nation Became Russia's Test Lab for Cyberwar” (Andy Greenberg)
     • Dec. 2014: “ICS-CERT has identified a sophisticated malware campaign that has compromised numerous ICS environments using a variant of the BlackEnergy malware. Analysis indicates that this campaign has been ongoing since at least 2011.”
     • “A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy.”
     • “In 2015, the hackers were like a group of brutal street fighters. In 2016, they were ninjas” (Marina Krotofil)
     • “They’re testing out red lines, what they can get away with. You push and see if you’re pushed back. If not, you try the next step.” (Thomas Rid, War Studies professor at King’s College)

  9. “Using OPC, the malware component gathers any details about connected devices and sends them back to the C&C for the attackers to analyze. It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.”

  10. Honda discovered the virus had infected networks across Japan, Europe, North America and China … Nissan and Renault were also affected by WannaCry, forcing them to stop production at plants in Japan, Britain, India, France and Romania Image: Tomohiro Ohsumi/Getty Images

  11. “U.S. companies lose about $250 billion per year through IP theft … the loss of industrial information through cyber espionage constitutes the greatest transfer of wealth in history.” General Keith Alexander, former commander of US Cyber Command Image: Politico

  12. “Unit 61398 is part of the People's Liberation Army. And it's charged with spying on North American corporations … Every industry, engineering documents, manufacturing processes, chip designs, telecommunications, pharmaceutical, you name it it's been stolen.” George Kurtz, CrowdStrike CEO “The Great Brain Robbery” Images: FPM, NYT

  13. Manufacturing = #1 Target for Cyber-Espionage Verizon DBIR 2016, P. 25

  14. DBIR: Trade Secrets = #1 Target in Manufacturing (91%) Verizon DBIR 2017, P. 27

  15. ICS Environments are Easy Targets “31% of manufacturers have never conducted a vulnerability assessment … and 50% only do them occasionally.” Photo: Manufacturing America

  16. If your OT network were breached, how would you know? Image: Kaspersky

  17. Why IT Security Tools Aren’t Designed for OT Security
     IT Security | OT Security
     Standard IP-based protocols (e.g., TCP/IP, HTTP) | Standard & proprietary industrial protocols (e.g., GE SRTP, Siemens S7)
     Non-deterministic behavioral analytics (humans) | Deterministic behavioral analytics (machine-to-machine)
     Active vulnerability scanning OK | Active scanning creates downtime
     Regular patching & OS upgrades are encouraged | Patching creates downtime & OS upgrades force SCADA application re-writes

  18. CyberX Overview • Founded in 2013 by IDF cyber experts responsible for securing critical national infrastructure • Global HQ in Boston • Industrial cybersecurity platform built from ground-up for OT – Continuous threat monitoring – Non-invasive risk assessment & asset discovery – ICS-specific threat intelligence – Rapid integration with existing environments (SIEMs, etc.) – Open system with rich API for customized integrations • In-house ICS threat intelligence research team (former IR team for IDF) • Deployments worldwide in diverse industrial domains worldwide – Electrical utilities, oil & gas, manufacturing, pharmaceuticals, chemicals, nuclear, …

  19. CyberX M2M Behavioral Analytics • Industrial Finite State Machine (IFSM) – Deep understanding of industrial protocols – Unique machine learning algorithms – Based on deterministic behavior of OT networks – Patent-pending approach • How it works – Models unique DNA of M2M communications – Rapidly detects anomalous behavior with minimal false positives – Detects both cyber and operational anomalies – Zero configuration required (no rules or signatures) Image: Film4, DNA Films

  20. Simple, Non-Invasive Deployment (architecture diagram): network traffic data is collected from a SPAN port and fed to advanced M2M behavioral analytics with data mining; CMDB asset data, firewall rules, etc. are optional additional inputs.

  21. What the Experts are Saying About CyberX
     “CyberX's specialization in providing in-depth visibility and threat intelligence across different specialized industrial protocols has resulted in powerful capabilities.”
     Only Industrial Cyber Vendor Chosen for Innovation Award Sponsored by US DHS & DoD
     Only Industrial Cyber Vendor Recognized by International Society of Automation

  22. How CyberX Supports the NIST Cybersecurity Framework
     • Identify – Identify asset inventory & network topology – Identify risks such as unpatched devices, unauthorized remote connections, bridges between subnets, etc., with recommended, risk-prioritized mitigations
     • Protect – Identifies vulnerable or weak firewall rules – Integrates with firewalls/IPS to automatically block new threats – Partnership with Waterfall Security for unidirectional security gateways
     • Detect – Continuous, real-time monitoring for threats & industrial malware – Advanced M2M behavioral analytics for rapid anomaly detection – Proprietary ICS-specific threat intelligence to enrich analytics
     • Respond – Deep ICS network forensics & investigation tools identify breach impact – Integration with SIEMs via REST APIs supports automated SOC workflows
     • Recover – Automated reporting supports communication with stakeholders, including verifying that risks have been mitigated & malware has been removed

  23. How CyberX Would Have Protected Against Industroyer Examples of anomalies detected • Malware scanning OT network to identify targets • Reading and writing to all targets using multiple protocols • C2 communication via local proxy listening on TCP 3128 Image: Reuters
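The passive, baseline-driven detection that slides 17, 19, 20 and 23 describe (learn the deterministic M2M conversations from a SPAN-port feed, then flag deviations such as a host sweeping the OT subnet, writing to many controllers over several protocols, or talking to a local proxy on TCP 3128), reduced to a runnable sketch. This is an added example written for this page, not CyberX's code and not its patent-pending IFSM algorithm: the baseline is a plain whitelist of observed conversations, and the IP addresses, ports, protocol labels, thresholds and flow records are all constructed for illustration.

```python
"""Passive baseline-and-deviation detection over decoded OT flow records.

Added illustration for this page (not CyberX code). A passive sensor on a
SPAN port would emit records like these after decoding each session; here
the records, addresses, ports, protocol labels and thresholds are constructed.
"""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str  # label a passive protocol decoder would assign (assumed names)
    op: str     # "read", "write", or "connect" (handshake without a payload)


# Hypothetical thresholds; a real deployment would tune them per cell.
SCAN_NEW_TARGETS = 8     # unseen destinations from one source in a window
WRITE_TARGETS = 3        # unseen write targets from one source
WRITE_PROTOCOLS = 2      # distinct protocols among those writes
PROXY_PORTS = {3128}     # the local C2 proxy port cited on the Industroyer slide


def learn_baseline(flows: Iterable[Flow]) -> Set[tuple]:
    """OT traffic is deterministic: the set of (src, dst, port, proto, op)
    conversations seen in a clean learning window is small and stable, so the
    baseline is simply that set (no rules, no signatures to write)."""
    return {tuple(f) for f in flows}


def detect(baseline: Set[tuple], flows: Iterable[Flow]) -> List[dict]:
    """Flag conversations absent from the baseline and aggregate them per
    source into the three anomaly classes listed on the Industroyer slide."""
    new_targets = defaultdict(set)
    write_targets = defaultdict(set)
    write_protos = defaultdict(set)
    alerts: List[dict] = []
    for f in flows:
        if tuple(f) in baseline:
            continue                      # known M2M conversation, nothing to do
        if f.dport in PROXY_PORTS:        # C2 via a local proxy listener
            alerts.append({"type": "c2_proxy", "src": f.src,
                           "dst": f.dst, "dport": f.dport})
        new_targets[f.src].add(f.dst)
        if f.op == "write":
            write_targets[f.src].add(f.dst)
            write_protos[f.src].add(f.proto)
    for src, targets in new_targets.items():      # host sweeping for targets
        if len(targets) >= SCAN_NEW_TARGETS:
            alerts.append({"type": "scan", "src": src, "targets": len(targets)})
    for src, targets in write_targets.items():    # writes to many targets, many protocols
        if len(targets) >= WRITE_TARGETS and len(write_protos[src]) >= WRITE_PROTOCOLS:
            alerts.append({"type": "multi_protocol_write", "src": src,
                           "targets": sorted(targets),
                           "protocols": sorted(write_protos[src])})
    return alerts


def baseline_flows() -> List[Flow]:
    """Constructed clean window: an HMI and a historian polling three
    controllers, plus one authorised project download from engineering."""
    hmi, eng, hist = "10.0.1.10", "10.0.1.20", "10.0.1.30"
    flows: List[Flow] = []
    for _ in range(20):   # polling repeats; the conversation set does not grow
        flows += [Flow(hmi, "10.0.2.1", 102, "s7comm", "read"),
                  Flow(hmi, "10.0.2.2", 502, "modbus", "read"),
                  Flow(hist, "10.0.2.3", 2404, "iec104", "read")]
    flows.append(Flow(eng, "10.0.2.1", 102, "s7comm", "write"))
    return flows


def attack_flows() -> List[Flow]:
    """Constructed window in which the HMI has been compromised: a sweep of
    the controller subnet, writes to every controller over three protocols,
    and a C2 connection to a local proxy on TCP 3128, mixed with normal traffic."""
    hmi = "10.0.1.10"
    flows = [Flow(hmi, "10.0.2.2", 502, "modbus", "read"),          # normal poll
             Flow("10.0.1.20", "10.0.2.1", 102, "s7comm", "write")]  # normal download
    flows += [Flow(hmi, f"10.0.2.{i}", 502, "modbus", "connect") for i in range(1, 41)]
    flows += [Flow(hmi, "10.0.2.1", 102, "s7comm", "write"),
              Flow(hmi, "10.0.2.2", 502, "modbus", "write"),
              Flow(hmi, "10.0.2.3", 2404, "iec104", "write")]
    flows.append(Flow(hmi, "10.0.1.99", 3128, "http", "connect"))
    return flows


if __name__ == "__main__":
    base = learn_baseline(baseline_flows())
    for alert in detect(base, attack_flows()):
        print(alert)
```

The engineering station's write in the attack window is in the baseline, so it raises nothing; only conversations the learning window never saw are counted, which is what keeps false positives low on a network whose traffic really is deterministic. The same property is the caveat: the learning window must be clean, and a legitimate change (a new PLC, a new poll) shows up as an anomaly until it is re-learned.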

  24. For More Information • Check out our ICS Security Knowledge Base – Free download of first 2 chapters from ICS Hacking Exposed (McGraw-Hill) • Visit us at EnergySec (Aug. 14-16) & European Utility Week (Oct. 3-5) • See us at Black Hat (July 26-27) – Innovation City, Booth # IC58 (near Arsenal tools) – Book giveaway and book signing with lead author Clint Bodungen on Wednesday, July 26 @ 3pm

  25. Thank You! phil@cyberx-labs.com
