From Air Gap to Air Control
Industrial control networks have been thrust into a world of network interconnectivity the likes of which we haven’t seen before, and one that is expanding at an astonishing rate. A cultural and technical recalibration is vital to defend ICS assets from cyber threats, and the risks and potential consequences of a successful attack against our critical infrastructure are well known, yet few would dispute that these changes have been slow in coming. Why is that? In part, because “air gapping” the control network from the Internet and the corporate network is still widely believed to be an adequate defense against cyber attack, indeed the best one.

In this presentation, the value and vulnerabilities of the air gap will be discussed, as well as specific methods to mitigate cyber threats along the attack continuum.

Published in: Technology
Transcript

  • 1. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential. From Air Gap to Air Control. Marc Blackmer and John Ode. EnergySec: August 2014
  • 11. Decompiler listing shown on the slide (Hex-Rays-style pseudocode). The `__cdecl` guard and the `_DWORD`/`_WORD`/`_BYTE` typedefs are added here so the listing compiles as plain C; the function body is unchanged.

        #ifndef _MSC_VER
        #define __cdecl              /* calling-convention keyword is MSVC-only */
        #endif
        typedef unsigned int   _DWORD;   /* Hex-Rays defs.h types, added for compilation */
        typedef unsigned short _WORD;
        typedef unsigned char  _BYTE;

        //----- (10002271) --------------------------------------------------------
        int __cdecl sub_10002271(int a1, int a2, int a3)
        {
            int result; // eax@1

            // Copies a block of fields from the structure at a2 into a1+80 .. a1+124
            // and returns a pointer to the start of that block.
            *(_DWORD *)(a1 + 80) = *(_DWORD *)(a2 + 40) + *(_DWORD *)(a2 + 52);
            *(_DWORD *)(a1 + 84) = 0;
            *(_DWORD *)(a1 + 88) = *(_DWORD *)(a2 + 96);
            *(_DWORD *)(a1 + 92) = *(_DWORD *)(a2 + 100);
            *(_DWORD *)(a1 + 96) = *(_WORD *)(a2 + 92);   // 16-bit value zero-extended to 32 bits
            *(_WORD *)(a1 + 100) = *(_WORD *)(a2 + 74);
            *(_WORD *)(a1 + 102) = *(_WORD *)(a2 + 72);
            *(_DWORD *)(a1 + 104) = 0;
            *(_WORD *)(a1 + 108) = *(_WORD *)(a2 + 22);
            *(_WORD *)(a1 + 110) = *(_WORD *)(a2 + 94);
            *(_WORD *)(a1 + 112) = *(_WORD *)(a2 + 4);
            *(_BYTE *)(a1 + 114) = 1;
            *(_BYTE *)(a1 + 115) = 4;
            *(_DWORD *)(a1 + 116) = *(_DWORD *)(a2 + 112);
            *(_DWORD *)(a1 + 120) = a3;
            result = a1 + 80;
            *(_DWORD *)(a1 + 124) = 0;
            return result;
        }
  • 13. Thoughts To Brighten Your Day… …and What to Do About Them
      • Everyone gets breached
      • You have to be right 100% of the time; they only need to be successful once
      • Isolating IT, OT, and physical security into separate pillars introduces gaps that can be exploited
      • Identify and prioritize the crown jewels
      • Hedge your bets -> defense in depth
      • I didn’t actually say “convergence”
  • 14. The Near-Miss
  • 15. Case Study: On a Recent Flight
      • The Negatives: planes/tower not following procedures? Potential for runway collision. Aborted landing.
      • The Positives: no collision. No fatalities or injuries. On-time arrival.
      • Success or failure?
  • 16. The Psychology of the Near-Miss¹ (Georgetown University McDonough School of Business research)
      • Outcome = definition of success
      • Near-miss considered a success if outcome is positive
      • Near-miss = near-failure
      ¹ Ben Paynter, “The Fire Next Time,” Wired, August 2012
  • 17. Case Study: Eliminating Near-Misses (US Federal Aviation Administration)
      • Reporting and analysis of all near-misses: tower reports, crew reports, flight and terrain data
      • Modification of: flight patterns, airport approaches
  • 18. Case Study Result: 83% reduction in airline-related deaths
  • 19. Risk
  • 20. Risk in Context
      • The Positives: exploration, medical breakthroughs, technology advances, entrepreneurism
      • The Negatives: false sense of security, complacency, point-in-time view of security
  • 21. Case Study: Risk. Lightning Storm vs. Data Center
      • No servers or critical systems were connected to uninterruptible power supplies (UPS)
      • Company hadn’t experienced an outage in over 13 years
      • Severe electrical storm
  • 22. Case Study Result: 100% of systems down
  • 23. Datakinesis: “An action taken in cyber space that produces a result in the physical world”
  • 24. Case Studies: Datakinesis
      • Los Angeles, USA: traffic operations center breached. Light delays at 4 key intersections. Snarled traffic for days. No physical injuries.
      • Natanz, Iran: undetected malware on control network. Malware falsified centrifuge data readings. Nuclear enrichment centrifuges suffered mass breakdowns. No physical injuries.
  • 25. Case Studies: Datakinesis
      • Lodz, Poland: teenager with modified TV remote. Changed tram track switches at will. 4 commuter trams derailed. 12 commuters injured.
  • 26. Case Studies: Datakinesis
      • Utah: new government intelligence agency data center. 10 unexplained, major electrical malfunctions in 13 months. Construction set back by at least 1 year. Cause undetermined.
  • 27. Most Pervasive Threats
      • Human error
      • Reduced budgets
      • Operational inefficiencies
      • Talent acquisition and retention
  • 28. Bunk/De-bunk
  • 29. “I spent $[x]M on security last year, and you’re telling me I’m not secure?!”
  • 30. “We’re all set; we just bought a [y] security widget.”
  • 31. “We just passed [z] audit. We’re secure.”
  • 32. “We’ve never been breached, so…”
  • 33. “If we’re so insecure, why hasn’t anything happened yet?”
  • 34. In Spite of Layers of Defense
      • Malware is getting through control-based defenses: malware prevention is NOT 100%. Breach.
      • Existing tools are labor intensive and require expertise.
      • Attack Continuum: BEFORE (Discover, Enforce, Harden); DURING (Detect, Block, Defend); AFTER (Scope, Contain, Remediate). Point in Time vs. Continuous.
  • 35. Point-in-Time vs. Continuous
      • Point-in-Time
          • Temporal: blind beyond point-in-time; focused on detection and finding static artifacts; misses malware ecosystem
          • Lacks Visibility: event enumeration without context; misses scope and root causes; blind to attack chain behavior
          • Limited Control: requires intelligence update; not targeted; limited integration
      • Continuous
          • Continuous Analysis: extended and continuous analysis and correlation of telemetry data
          • Retrospective Security: real-time attack chain detection, analysis and visualization
          • Real-time Containment: quickly target, contain, and remediate the specific malware and root causes
  • 36. Continuous Changes the Conversation
      • Continuous feed of event AND telemetry data
      • Data is always up to date when you need it
      • Analysis happens in cloud to reduce impacts
      • Analysis can happen indefinitely: retrospection
      • More than event enumeration/correlation: telemetry data is continuously woven together over time
      • Collective Intelligence shared immediately
      • Can be deployed pervasively
      • Collective Security Intelligence
  • 37. Retrospective Detection (diagram; binary-stream artwork omitted)
      • Breadth and control points: file fingerprint and metadata, file and network I/O, process information
      • Telemetry stream (continuous feed) from Web (WWW), Endpoints, Network, Email, Devices, IPS
      • Continuous analysis: analysis happens along the attack continuum
      • Retrospection, Trajectory, Behavioral Indications of Compromise: advanced levels of detection, tracking and response; Threat Hunting
  • 38. Enables Unique Innovation (same diagram as slide 37)
      • Continuous: File Retrospection, Process Retrospection, Connection Retrospection, Attack Chain Weaving
      • Point-in-Time: blind
  • 39. That Continues to Analyze What Happens Along the Attack Continuum (same diagram as slide 37)
      • Continuous: Retrospective Detection, Prevalence, Static IoCs, Behavioral IoCs
      • Point-in-Time: Static IoCs
  • 40. That Continues to Analyze What Happens Along the Attack Continuum (same diagram as slide 37)
      • Continuous: File Trajectory (scope), Device Trajectory (root cause), File Analysis (detail analysis), Elastic Search
      • Point-in-Time: event enumeration, Static IoCs
  • 41. Know Where to Start
      • Who: focus on these users first
      • What: these applications are affected
      • Where: the breach impacted these areas
      • When: this is the scope of exposure over time
      • How: here is the origin and progression of the threat
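  • Added example for slides 34 through 41. The Python below is illustration code written for this page, not Cisco or Sourcefire code, and it models the deck's argument rather than any product: a point-in-time control can only judge a file with the intelligence available when the file is seen, whereas a continuous telemetry record lets a verdict that arrives later be applied to everything already recorded (retrospective detection), and the same record yields file trajectory (scope), device trajectory (root cause) and the who/what/where/when/how starting point of slide 41. Hosts, users, fingerprints (`H_UPD`, `H_BROWSER`, …), timestamps and events are all constructed; the fingerprints are labels, not real hashes.

```python
"""Retrospective detection over a continuous telemetry record (constructed example)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    action: str            # "create", "exec" or "connect"
    sha256: str            # file fingerprint; constructed label, not a real hash
    parent: Optional[str]  # fingerprint of the process responsible for this event
    detail: str            # path or destination, for the analyst
    verdict_at_ingest: str = "unknown"


class TelemetryStore:
    def __init__(self):
        self.events = []
        self.verdicts = {}  # fingerprint -> latest verdict

    def ingest(self, event, verdict):
        """Record an event together with the verdict known when it was seen."""
        event.verdict_at_ingest = verdict
        self.verdicts[event.sha256] = verdict
        self.events.append(event)

    def point_in_time_alerts(self):
        """What a block-at-the-gate control produces: only files already bad when seen."""
        return [e for e in self.events if e.verdict_at_ingest == "malicious"]

    def update_verdict(self, sha256, verdict):
        """Apply new intelligence retrospectively: every recorded event of the
        file whose ingest-time verdict differed is surfaced now."""
        self.verdicts[sha256] = verdict
        return [e for e in self.events
                if e.sha256 == sha256 and e.verdict_at_ingest != verdict]

    def file_trajectory(self, sha256):
        """Scope: every sighting of the file, across hosts, in time order."""
        return sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)

    def device_trajectory(self, host, sha256):
        """Root cause on one host: walk the parent chain back from the first sighting
        of the file to the process that introduced it. The chain stops when the
        parent was never observed on that host (origin unknown)."""
        first = {}
        for e in sorted(self.events, key=lambda e: e.ts):
            if e.host == host:
                first.setdefault(e.sha256, e)  # first sighting of each fingerprint
        chain, cur, seen = [], sha256, set()
        while cur in first and cur not in seen:
            seen.add(cur)
            chain.append(first[cur].detail)
            cur = first[cur].parent
        return chain

    def know_where_to_start(self, sha256):
        """Who / what / where / when / how for a newly convicted file."""
        traj = self.file_trajectory(sha256)
        if not traj:
            return {}
        hosts = sorted({e.host for e in traj})
        return {
            "who": sorted({e.user for e in traj}),
            "what": sorted({e.detail for e in traj if e.action in ("create", "exec")}),
            "where": hosts,
            "when": (traj[0].ts, traj[-1].ts),
            "how": {h: self.device_trajectory(h, sha256) for h in hosts},
        }


def build_sample_store():
    """Constructed telemetry: a file with no verdict yet runs on an engineering
    workstation and later appears on an HMI from removable media; a benign
    process is mixed in as noise. 203.0.113.10 is documentation address space."""
    def t(h, m):
        return datetime(2014, 8, 4, h, m)
    store = TelemetryStore()
    rows = [
        (Event(t(9, 0), "ws-eng-01", "alice", "exec", "H_BROWSER", None, "browser.exe"), "clean"),
        (Event(t(9, 5), "ws-eng-01", "alice", "create", "H_UPD", "H_BROWSER", "Downloads/updater.exe"), "unknown"),
        (Event(t(9, 6), "ws-eng-01", "alice", "exec", "H_UPD", "H_BROWSER", "Downloads/updater.exe"), "unknown"),
        (Event(t(9, 7), "ws-eng-01", "alice", "connect", "H_UPD", "H_UPD", "203.0.113.10:443"), "unknown"),
        (Event(t(10, 30), "hmi-02", "bob", "create", "H_UPD", "H_EXPLORER", "E:/updater.exe"), "unknown"),
        (Event(t(10, 31), "hmi-02", "bob", "exec", "H_UPD", "H_EXPLORER", "E:/updater.exe"), "unknown"),
        (Event(t(11, 0), "ws-eng-01", "alice", "exec", "H_CALC", None, "calc.exe"), "clean"),
    ]
    for event, verdict in rows:
        store.ingest(event, verdict)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("point-in-time alerts:", len(store.point_in_time_alerts()))
    alerts = store.update_verdict("H_UPD", "malicious")  # intelligence update arrives later
    print("retrospective alerts:", len(alerts))
    for key, value in store.know_where_to_start("H_UPD").items():
        print(f"{key:>5}: {value}")
```

  At ingest nothing fires, because the file had no verdict; after the later conviction the store surfaces all five earlier sightings, shows that two hosts and two users are in scope, and traces the workstation infection back to the browser download while flagging that the HMI's origin chain ends at a parent never seen there. That last case is the deck's "misses root causes" point: retrospection is only as good as the breadth of telemetry that was collected.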
  • 42. Key Takeaways
      • The problem is likely worse than you think it is
      • Many threats are getting through, creating beachheads
      • Think “infections”, not “detections”
      • Think continuous vs. point-in-time
  • 43. Thank You. Learn more at www.sourcefire.com