SlideShare a Scribd company logo

Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Threat Detection

Download as PPTX, PDF
Dragos, Inc.
Dragos, Inc.

Adversary groups and activities targeting industrial control systems are on the rise. Security teams are now tasked with defending increasingly complex and critical control systems without interrupting operations. This presentation highlights plans and progress of a large public electric utility to extend threat detection capability using PI system data sets. Integration with a threat detection platform improves situational awareness and adds value in three ways. It first provides confidence for quickly eliminating threat activity as a root cause of operational upsets. The second benefit is improved likelihood of detecting malicious tradecraft targeting control systems. Finally, the integrated approach provides data in support of control system incident response and forensic activities. Video for presentation here: https://youtu.be/Inn6FPaXN1w Learn more www.dragos.com

Technology
1 of 39
#PIWorld ©2019 OSIsoft, LLC Utilizing operations data for enhanced cyber threat detection and response in industrial control systems (ICS). Mark Johnson-Barbier & Dan Gunter 1
#PIWorld ©2019 OSIsoft, LLC About 2 • Dan Gunter • Principal Threat Analyst • Dragos • @dan_gunter • Mark Johnson-Barbier • Sr. Principal Analyst • Salt River Project • @PulseOut101
#PIWorld ©2019 OSIsoft, LLC About SRP 3 • Founded 1903 (10 Years before AZ statehood): First multipurpose project under the National Reclamation act of 1902 • 5089 employees • 1,041,342 customers • 2,900 sq mile service area • 375 sq mile water service area • 13,000 sq mile watershed • Salt River Valley Water Users’ Association • 10 member board and 30 member council – elected by landowners • Canals largely follow 500 miles of ditches built 400-1450AD by the Hohokam • 2018 Water delivery: 773,527 acre-feet • 8 dams and lakes • Salt River Project Agricultural Improvement and Power District • 14 member board and 30 member council – elected by landowners • Generation Owner/Operator: 1 Nuclear, 12 Fossil, 8 hydro plants • Generation: Biomass, Utility Solar, Wind, Geothermal, Rooftop Solar • Transmission & Distribution • Peak Power System: 7,610 MW • Sustainable Portfolio 17.25% of retail requirements
#PIWorld ©2019 OSIsoft, LLC About SRP 4 • Founded 1903 (10 Years before AZ statehood): First multipurpose project under the National Reclamation act of 1902 • 5089 employees • 1,041,342 customers • 2,900 sq mile service area • 375 sq mile water service area • 13,000 sq mile watershed • Salt River Valley Water Users’ Association • 10 member board and 30 member council – elected by landowners • Canals largely follow 500 miles of ditches built 400-1450AD by the Hohokam • 2018 Water delivery: 773,527 acre-feet • 8 dams and lakes • Salt River Project Agricultural Improvement and Power District • 14 member board and 30 member council – elected by landowners • Generation Owner/Operator: 1 Nuclear, 12 Fossil, 8 hydro plants • Generation: Biomass, Utility Solar, Wind, Geothermal, Rooftop Solar • Transmission & Distribution • Peak Power System: 7,610 MW • Sustainable Portfolio 17.25% of retail requirements = .05 Texas
#PIWorld ©2019 OSIsoft, LLC About SRP 5 • Founded 1903 (10 Years before AZ statehood): First multipurpose project under the National Reclamation act of 1902 • 5089 employees • 1,041,342 customers • 2,900 sq mile service area • 375 sq mile water service area • 13,000 sq mile watershed • Salt River Valley Water Users’ Association • 10 member board and 30 member council – elected by landowners • Canals largely follow 500 miles of ditches built 400-1450AD by the Hohokam • 2018 Water delivery: 773,527 acre-feet • 8 dams and lakes • Salt River Project Agricultural Improvement and Power District • 14 member board and 30 member council – elected by landowners • Generation Owner/Operator: 1 Nuclear, 12 Fossil, 8 hydro plants • Generation: Biomass, Utility Solar, Wind, Geothermal, Rooftop Solar • Transmission & Distribution • Peak Power System: 7,610 MW • Sustainable Portfolio 17.25% of retail requirements = .021043125 QLD
#PIWorld ©2019 OSIsoft, LLC About Dragos 6
#PIWorld ©2019 OSIsoft, LLC • 3 Business/Security Challenges • Integration of PI System and Threat Detection assists with these challenges • SRP Test implementation (Proof of Concept) • Solution, Plans, Ideas for future use cases Agenda 7
#PIWorld ©2019 OSIsoft, LLC 3 Business/Security Challenges 8
#PIWorld ©2019 OSIsoft, LLC RESULTSCHALLENGE SOLUTION SRP 1. Eliminate threat activity as direct cause of operational outages 2. Improve detection of adversary tradecraft targeting OT 3. Provide data supporting fast & accurate Incident Response Integrate PI data with the Threat detection platform • PI Event Frames notify on specific events • Dragos Platform correlates PI data with network and endpoint data Enhance Cyber Threat detection with PI data 9
#PIWorld ©2019 OSIsoft, LLC Business Challenge: Eliminate Threat activity as cause of operational upsets • July 2004 Substation Fire High temps: 111°F/44°C Avg Temps: 101°F/38°C • Sep 8 2011 San Diego • July 2018 Transformer bushing 10
#PIWorld ©2019 OSIsoft, LLC Business Challenge: Preventing Breach 11
#PIWorld ©2019 OSIsoft, LLC Business Challenge: Incident Response 12
#PIWorld ©2019 OSIsoft, LLC 13 • German Steel Mill • Trisis • Crashoverride (Ukraine 2016) Event • Ukraine 2015 Observation Question Hypothesis Prediction Test Iterate ICS Events
#PIWorld ©2019 OSIsoft, LLC 2015 Ukraine Attack Summary 225 K Customer Outages 3.5 hr Outage Duration. 135 MW Load impact 100’s Server and Workstation Damage 10’s Field Device Damage 50 Substations Impacted 3Utilities Attacked
#PIWorld ©2019 OSIsoft, LLC 2016 Ukraine Attack Summary TBD Customer Outages 1.25 hr Outage Duration. 200 MWLoad impact TBD Server and Workstation Damage TBD Field Device Damage 1 Substation(s) Impacted 1Trans Co. Attacked
#PIWorld ©2019 OSIsoft, LLC How can we prevent, detect, and respond to a cyber attack at SRP? 16 Observation Question Hypothesis Prediction Test Iterate
#PIWorld ©2019 OSIsoft, LLC Adversary will utilize similar tactics as Electrum during an intrusion and will attempt to open breakers from the EMS system 17 Observation Question Hypothesis Prediction Test Iterate
#PIWorld ©2019 OSIsoft, LLC 1. If prevention fails, SRP can detect an adversary who opens a breaker by sending DNP3 operate commands from an abnormal source computer 2. SOC analysts will quickly gather data to prove or disprove cyber attack as the cause of disruption 18 Observation Question Hypothesis Predictions Test Iterate
#PIWorld ©2019 OSIsoft, LLC Test: Prevent, Detect, Respond to adversary using Result Existing corporate controls • Prevent: most, but not all, adversaries • Detect: untargeted att&cks • Respond: Slow Add Threat Focused network monitoring platform • Prevent: adds active defense capability to prevent att&ck techniques • Detect: targeted att&cks • Respond: Med Integrate data from PI system • Respond: Expect Fast but TBD 19 Observation Question Hypothesis Prediction Test Iterate
#PIWorld ©2019 OSIsoft, LLC Integrating: PI + Dragos 20
#PIWorld ©2019 OSIsoft, LLC Test: Event Frame on breaker open event 21 Test
#PIWorld ©2019 OSIsoft, LLC Test: Notification 22 Test
#PIWorld ©2019 OSIsoft, LLC Test: Query Focus Dataset 23 Test
#PIWorld ©2019 OSIsoft, LLC Test: Detections 24 Test
#PIWorld ©2019 OSIsoft, LLC Playbooks 25
#PIWorld ©2019 OSIsoft, LLC Start Test: Breaker Trips Event Frame Sent 26
#PIWorld ©2019 OSIsoft, LLC 27
#PIWorld ©2019 OSIsoft, LLC 28
#PIWorld ©2019 OSIsoft, LLC 29
#PIWorld ©2019 OSIsoft, LLC 30
#PIWorld ©2019 OSIsoft, LLC 31
#PIWorld ©2019 OSIsoft, LLC Quality of the Assessment (simulated) drives appropriate response actions 32 Defcon 5 Normal Operations – all connections active through firewalls Defcon 4 Add email content filtering Additional web proxy filtering/Only critical web use Reduce remote access to OT zones (vendors or employees) Disable non-critical external access Increase Geo-IP blocking Defcon 3 Strict email sanitization (reduce use, block attachments, TXT only) Limit remote access to corp Disable remote access to OT zones (vendors or employees) Reduce public internet surface area Defcon 2 Unplug all OT network connections Disable all corp remote access Defcon 1 Full internet disconnect Defcon 0 Go home, hug kids, grab bug-out bag
#PIWorld ©2019 OSIsoft, LLC Quality of the Assessment (simulated) drives appropriate response actions 33
#PIWorld ©2019 OSIsoft, LLC Solution, Plans, Future 35
#PIWorld ©2019 OSIsoft, LLC RESULTSCHALLENGE SOLUTION SRP 1. Eliminate threat activity as direct cause of operational outages 2. Improve detection of adversary tradecraft targeting OT 3. Provide data supporting fast & accurate Incident Response Integrate PI data with the Threat detection platform First (small) test has proven that this integration can add value • PI Event Frames notify on specific events • Dragos Platform correlates PI data with network and endpoint data. • Were able to launch an investigation based on operational events • Provided data that allowed the analyst to make better assessments Enhance Cyber Threat detection with PI data 36
#PIWorld ©2019 OSIsoft, LLC Future Use Cases 37 Safety • Can PI + Dragos identify unauthorized entry into a substation? Contract Compliance • Can PI + Dragos assure outside contractors are operating properly? Cyber Attack • Can PI + Dragos detect abnormal load shedding events from substations, meters, or solar inverters?
#PIWorld ©2019 OSIsoft, LLC Contact 39 • Dan Gunter • Principal Threat Analyst • Dragos • @dan_gunter • Mark Johnson-Barbier • Sr. Principal Analyst • Salt River Project • @PulseOut101
#PIWorld ©2019 OSIsoft, LLC Questions? Please wait for the microphone State your name & company Please remember to… Complete Survey! Navigate to this session in mobile agenda for survey DOWNLOAD THE MOBILE APP 40
#PIWorld ©2019 OSIsoft, LLC 41

Recommended

Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility Infrastructure
Dragos, Inc.
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
Dragos, Inc.
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
Dragos, Inc.
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
Dragos, Inc.
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
Dragos, Inc.
 

Recommended

Securing Electric Utility Infrastructure
Securing Electric Utility InfrastructureSecuring Electric Utility Infrastructure
Securing Electric Utility Infrastructure
Dragos, Inc.
 
PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019PLC Virtualization Dragos S4 2019
PLC Virtualization Dragos S4 2019
Dragos, Inc.
 
Solving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric IndustrySolving ICS Cybersecurity Challenges in the Electric Industry
Solving ICS Cybersecurity Challenges in the Electric Industry
Dragos, Inc.
 
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber AttackReassessing the 2016 CRASHOVERRIDE Cyber Attack
Reassessing the 2016 CRASHOVERRIDE Cyber Attack
Dragos, Inc.
 
Consequence Informed Cyber Security
Consequence Informed Cyber Security Consequence Informed Cyber Security
Consequence Informed Cyber Security
Dragos, Inc.
 
How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI) How to Increase ICS Cybersecurity Return on Investment (ROI)
How to Increase ICS Cybersecurity Return on Investment (ROI)
Dragos, Inc.
 
Industrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology SelectionIndustrial Control Systems Cybersecurity Technology Selection
Industrial Control Systems Cybersecurity Technology Selection
Dragos, Inc.
 
Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware Dragos and CyberWire: ICS Ransomware
Dragos and CyberWire: ICS Ransomware
Dragos, Inc.
 
From Air Gap to Air Control
From Air Gap to Air ControlFrom Air Gap to Air Control
From Air Gap to Air Control
EnergySec
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
Digital Bond
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentation
guest85a34f
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles Away
EnergySec
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data Centers
Iben Rodriguez
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
Digital Bond
 
Incident Handling in a BYOD Environment
Incident Handling in a BYOD EnvironmentIncident Handling in a BYOD Environment
Incident Handling in a BYOD Environment
Iben Rodriguez
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations Center
Dragos, Inc.
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Priyanka Aash
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
Digital Bond
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
Digital Bond
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Honeywell
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
Digital Bond
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
Digital Bond
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Honeywell
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017
Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017
Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017
Justin Hayward
 
Diamond offshore drilling transforms control infrastructure from target to ce...
Diamond offshore drilling transforms control infrastructure from target to ce...Diamond offshore drilling transforms control infrastructure from target to ce...
Diamond offshore drilling transforms control infrastructure from target to ce...
IntelligentManufacturingInstitute
 

More Related Content

What's hot

From Air Gap to Air Control
From Air Gap to Air ControlFrom Air Gap to Air Control
From Air Gap to Air Control
EnergySec
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles Away
EnergySec
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data Centers
Iben Rodriguez
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
centralohioissa
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
Digital Bond
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Dragos, Inc.
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 

What's hot (20)

From Air Gap to Air Control
From Air Gap to Air ControlFrom Air Gap to Air Control
From Air Gap to Air Control
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
S4xJapan Closing Keynote
S4xJapan Closing KeynoteS4xJapan Closing Keynote
S4xJapan Closing Keynote
 
DHS ICS Security Presentation
DHS ICS Security PresentationDHS ICS Security Presentation
DHS ICS Security Presentation
 
Compromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles AwayCompromising Industrial Facilities From 40 Miles Away
Compromising Industrial Facilities From 40 Miles Away
 
New Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data CentersNew Threats, New Approaches in Modern Data Centers
New Threats, New Approaches in Modern Data Centers
 
Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)Using Assessment Tools on ICS (English)
Using Assessment Tools on ICS (English)
 
Incident Handling in a BYOD Environment
Incident Handling in a BYOD EnvironmentIncident Handling in a BYOD Environment
Incident Handling in a BYOD Environment
 
Dragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations CenterDragos S4x20: How to Build an OT Security Operations Center
Dragos S4x20: How to Build an OT Security Operations Center
 
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
Defcon 22-aaron-bayles-alxrogan-protecting-scada-dc101
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 
API Training 10 Nov 2014
API Training 10 Nov 2014API Training 10 Nov 2014
API Training 10 Nov 2014
 
Should I Patch My ICS?
Should I Patch My ICS?Should I Patch My ICS?
Should I Patch My ICS?
 
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case StudyAccenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
Accenture & NextNine – Medium Size Oil & Gas Company Cyber Security Case Study
 
ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)ICS Network Security Monitoring (NSM)
ICS Network Security Monitoring (NSM)
 
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
ICS Security from the Plant Floor Up - A Controls Engineers Approach to Secur...
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
 
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 

Similar to Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Threat Detection

Overview Presentation ver 5 new
Overview Presentation ver 5 newOverview Presentation ver 5 new
Overview Presentation ver 5 new
Kim Gilmer
 
APPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCY
APPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCYAPPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCY
APPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCY
iQHub
 
Financial Opportunities And Constraints For Hydropower Development 021010
Financial Opportunities And Constraints For Hydropower Development 021010Financial Opportunities And Constraints For Hydropower Development 021010
Financial Opportunities And Constraints For Hydropower Development 021010
ronmiller74
 
EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...
EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...
EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...
Nuno Ferreira
 
ENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATA
ENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATAENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATA
ENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATA
wle-ss
 

Similar to Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Threat Detection (20)

Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017
Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017
Global C4IR-1 MasterClass Cambridge - Bose Intellisense 2017
 
Diamond offshore drilling transforms control infrastructure from target to ce...
Diamond offshore drilling transforms control infrastructure from target to ce...Diamond offshore drilling transforms control infrastructure from target to ce...
Diamond offshore drilling transforms control infrastructure from target to ce...
 
CD 2016 March - Advisian Showcase
CD 2016 March - Advisian ShowcaseCD 2016 March - Advisian Showcase
CD 2016 March - Advisian Showcase
 
CD December 2015 Le Geosystems Cable Detection presentation
CD December 2015 Le Geosystems Cable Detection presentationCD December 2015 Le Geosystems Cable Detection presentation
CD December 2015 Le Geosystems Cable Detection presentation
 
Overview Presentation ver 5 new
Overview Presentation ver 5 newOverview Presentation ver 5 new
Overview Presentation ver 5 new
 
Rajant MMC Minexpo Sept 2008
Rajant MMC Minexpo Sept 2008Rajant MMC Minexpo Sept 2008
Rajant MMC Minexpo Sept 2008
 
Falkonry overview deck
Falkonry overview deckFalkonry overview deck
Falkonry overview deck
 
Charlie Littlefair on digital disruption and the environment
Charlie Littlefair on digital disruption and the environment Charlie Littlefair on digital disruption and the environment
Charlie Littlefair on digital disruption and the environment
 
APPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCY
APPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCYAPPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCY
APPLYING DIGITAL METERING & REMOTE SENSORS TO DELIVER OPERATIONAL EFFICIENCY
 
BigData Technology in energy and public sector
BigData Technology in energy and public sectorBigData Technology in energy and public sector
BigData Technology in energy and public sector
 
NEDAS Boston Symposium - Presentations July 12, 2017
NEDAS Boston Symposium - Presentations July 12, 2017NEDAS Boston Symposium - Presentations July 12, 2017
NEDAS Boston Symposium - Presentations July 12, 2017
 
Monitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US ArmyMonitoring and Securing Active Directory Government Webinar for the US Army
Monitoring and Securing Active Directory Government Webinar for the US Army
 
BioLargo LD Micro 3-8-2018 Commercialization Update
BioLargo LD Micro 3-8-2018 Commercialization UpdateBioLargo LD Micro 3-8-2018 Commercialization Update
BioLargo LD Micro 3-8-2018 Commercialization Update
 
REMOTE NETWORK CONDUCTIVITY MONITORING IN DUAL SUPPLY AREAS
REMOTE NETWORK CONDUCTIVITY MONITORING IN DUAL SUPPLY AREASREMOTE NETWORK CONDUCTIVITY MONITORING IN DUAL SUPPLY AREAS
REMOTE NETWORK CONDUCTIVITY MONITORING IN DUAL SUPPLY AREAS
 
2010 Future Farming
2010 Future Farming2010 Future Farming
2010 Future Farming
 
Financial Opportunities And Constraints For Hydropower Development 021010
Financial Opportunities And Constraints For Hydropower Development 021010Financial Opportunities And Constraints For Hydropower Development 021010
Financial Opportunities And Constraints For Hydropower Development 021010
 
How Fort Collins is taking steps to modernize their electric grid
How Fort Collins is taking steps to modernize their electric gridHow Fort Collins is taking steps to modernize their electric grid
How Fort Collins is taking steps to modernize their electric grid
 
Day 1 june 20 morning and track 1
Day 1 june 20 morning and track 1Day 1 june 20 morning and track 1
Day 1 june 20 morning and track 1
 
EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...
EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...
EMEA14_CGI_FerreiraSergioPereira_WindEnergyManagementSystemPoweredbythePISyst...
 
ENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATA
ENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATAENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATA
ENTERPRISE ASSET MANAGEMENT SYSTEMS APPLICATION TO OPTIMIZE OILFIELD ASSET DATA
 

More from Dragos, Inc.

Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction
Dragos, Inc.
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
Dragos, Inc.
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Dragos, Inc.
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityHow Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
Dragos, Inc.
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Dragos, Inc.
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Dragos, Inc.
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
Dragos, Inc.
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
Dragos, Inc.
 

More from Dragos, Inc. (20)

Dragos 2019 ICS Year in Review
Dragos 2019 ICS Year in ReviewDragos 2019 ICS Year in Review
Dragos 2019 ICS Year in Review
 
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack FrameworkDragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework
 
Purple Teaming ICS Networks
Purple Teaming ICS NetworksPurple Teaming ICS Networks
Purple Teaming ICS Networks
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response
 
Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction Neighborhood Keeper - Introduction
Neighborhood Keeper - Introduction
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...
 
The Current ICS Threat Landscape
The Current ICS Threat LandscapeThe Current ICS Threat Landscape
The Current ICS Threat Landscape
 
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks
 
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker MaturityHow Long to Boom: Understanding and Measuring ICS Hacker Maturity
How Long to Boom: Understanding and Measuring ICS Hacker Maturity
 
Debunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDebunking the Hacker Hype: The Reality of Widespread Blackouts
Debunking the Hacker Hype: The Reality of Widespread Blackouts
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
 
The Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial SecurityThe Four Types of Threat Detection and Use Cases in Industrial Security
The Four Types of Threat Detection and Use Cases in Industrial Security
 
TRISIS in Perspective
TRISIS in PerspectiveTRISIS in Perspective
TRISIS in Perspective
 
Behavior-Based Defense in ICS
Behavior-Based Defense in ICSBehavior-Based Defense in ICS
Behavior-Based Defense in ICS
 
Trisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS DefendersTrisis in Perspective: Implications for ICS Defenders
Trisis in Perspective: Implications for ICS Defenders
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Threat Detection

  • 1. #PIWorld ©2019 OSIsoft, LLC Utilizing operations data for enhanced cyber threat detection and response in industrial control systems (ICS). Mark Johnson-Barbier & Dan Gunter 1
  • 2. #PIWorld ©2019 OSIsoft, LLC About 2 • Dan Gunter • Principal Threat Analyst • Dragos • @dan_gunter • Mark Johnson-Barbier • Sr. Principal Analyst • Salt River Project • @PulseOut101
  • 3. #PIWorld ©2019 OSIsoft, LLC About SRP 3 • Founded 1903 (10 Years before AZ statehood): First multipurpose project under the National Reclamation act of 1902 • 5089 employees • 1,041,342 customers • 2,900 sq mile service area • 375 sq mile water service area • 13,000 sq mile watershed • Salt River Valley Water Users’ Association • 10 member board and 30 member council – elected by landowners • Canals largely follow 500 miles of ditches built 400-1450AD by the Hohokam • 2018 Water delivery: 773,527 acre-feet • 8 dams and lakes • Salt River Project Agricultural Improvement and Power District • 14 member board and 30 member council – elected by landowners • Generation Owner/Operator: 1 Nuclear, 12 Fossil, 8 hydro plants • Generation: Biomass, Utility Solar, Wind, Geothermal, Rooftop Solar • Transmission & Distribution • Peak Power System: 7,610 MW • Sustainable Portfolio 17.25% of retail requirements
  • 4. #PIWorld ©2019 OSIsoft, LLC About SRP 4 • Founded 1903 (10 Years before AZ statehood): First multipurpose project under the National Reclamation act of 1902 • 5089 employees • 1,041,342 customers • 2,900 sq mile service area • 375 sq mile water service area • 13,000 sq mile watershed • Salt River Valley Water Users’ Association • 10 member board and 30 member council – elected by landowners • Canals largely follow 500 miles of ditches built 400-1450AD by the Hohokam • 2018 Water delivery: 773,527 acre-feet • 8 dams and lakes • Salt River Project Agricultural Improvement and Power District • 14 member board and 30 member council – elected by landowners • Generation Owner/Operator: 1 Nuclear, 12 Fossil, 8 hydro plants • Generation: Biomass, Utility Solar, Wind, Geothermal, Rooftop Solar • Transmission & Distribution • Peak Power System: 7,610 MW • Sustainable Portfolio 17.25% of retail requirements = .05 Texas
  • 5. #PIWorld ©2019 OSIsoft, LLC About SRP 5 • Founded 1903 (10 Years before AZ statehood): First multipurpose project under the National Reclamation act of 1902 • 5089 employees • 1,041,342 customers • 2,900 sq mile service area • 375 sq mile water service area • 13,000 sq mile watershed • Salt River Valley Water Users’ Association • 10 member board and 30 member council – elected by landowners • Canals largely follow 500 miles of ditches built 400-1450AD by the Hohokam • 2018 Water delivery: 773,527 acre-feet • 8 dams and lakes • Salt River Project Agricultural Improvement and Power District • 14 member board and 30 member council – elected by landowners • Generation Owner/Operator: 1 Nuclear, 12 Fossil, 8 hydro plants • Generation: Biomass, Utility Solar, Wind, Geothermal, Rooftop Solar • Transmission & Distribution • Peak Power System: 7,610 MW • Sustainable Portfolio 17.25% of retail requirements = .021043125 QLD
  • 6. #PIWorld ©2019 OSIsoft, LLC About Dragos 6
  • 7. #PIWorld ©2019 OSIsoft, LLC • 3 Business/Security Challenges • Integration of PI System and Threat Detection assists with these challenges • SRP Test implementation (Proof of Concept) • Solution, Plans, Ideas for future use cases Agenda 7
  • 8. #PIWorld ©2019 OSIsoft, LLC 3 Business/Security Challenges 8
  • 9. #PIWorld ©2019 OSIsoft, LLC RESULTSCHALLENGE SOLUTION SRP 1. Eliminate threat activity as direct cause of operational outages 2. Improve detection of adversary tradecraft targeting OT 3. Provide data supporting fast & accurate Incident Response Integrate PI data with the Threat detection platform • PI Event Frames notify on specific events • Dragos Platform correlates PI data with network and endpoint data Enhance Cyber Threat detection with PI data 9
  • 10. #PIWorld ©2019 OSIsoft, LLC Business Challenge: Eliminate Threat activity as cause of operational upsets • July 2004 Substation Fire High temps: 111°F/44°C Avg Temps: 101°F/38°C • Sep 8 2011 San Diego • July 2018 Transformer bushing 10
  • 11. #PIWorld ©2019 OSIsoft, LLC Business Challenge: Preventing Breach 11
  • 12. #PIWorld ©2019 OSIsoft, LLC Business Challenge: Incident Response 12
  • 13. #PIWorld ©2019 OSIsoft, LLC 13 • German Steel Mill • Trisis • Crashoverride (Ukraine 2016) Event • Ukraine 2015 Observation Question Hypothesis Prediction Test Iterate ICS Events
  • 14. #PIWorld ©2019 OSIsoft, LLC 2015 Ukraine Attack Summary 225 K Customer Outages 3.5 hr Outage Duration. 135 MW Load impact 100’s Server and Workstation Damage 10’s Field Device Damage 50 Substations Impacted 3Utilities Attacked
  • 15. #PIWorld ©2019 OSIsoft, LLC 2016 Ukraine Attack Summary TBD Customer Outages 1.25 hr Outage Duration. 200 MWLoad impact TBD Server and Workstation Damage TBD Field Device Damage 1 Substation(s) Impacted 1Trans Co. Attacked
  • 16. #PIWorld ©2019 OSIsoft, LLC How can we prevent, detect, and respond to a cyber attack at SRP? 16 Observation Question Hypothesis Prediction Test Iterate
  • 17. #PIWorld ©2019 OSIsoft, LLC Adversary will utilize similar tactics as Electrum during an intrusion and will attempt to open breakers from the EMS system 17 Observation Question Hypothesis Prediction Test Iterate
  • 18. #PIWorld ©2019 OSIsoft, LLC 1. If prevention fails, SRP can detect an adversary who opens a breaker by sending DNP3 operate commands from an abnormal source computer 2. SOC analysts will quickly gather data to prove or disprove cyber attack as the cause of disruption 18 Observation Question Hypothesis Predictions Test Iterate
  • 19. #PIWorld ©2019 OSIsoft, LLC Test: Prevent, Detect, Respond to adversary using Result Existing corporate controls • Prevent: most, but not all, adversaries • Detect: untargeted att&cks • Respond: Slow Add Threat Focused network monitoring platform • Prevent: adds active defense capability to prevent att&ck techniques • Detect: targeted att&cks • Respond: Med Integrate data from PI system • Respond: Expect Fast but TBD 19 Observation Question Hypothesis Prediction Test Iterate
  • 20. #PIWorld ©2019 OSIsoft, LLC Integrating: PI + Dragos 20
  • 21. #PIWorld ©2019 OSIsoft, LLC Test: Event Frame on breaker open event 21 Test
  • 22. #PIWorld ©2019 OSIsoft, LLC Test: Notification 22 Test
  • 23. #PIWorld ©2019 OSIsoft, LLC Test: Query Focus Dataset 23 Test
  • 24. #PIWorld ©2019 OSIsoft, LLC Test: Detections 24 Test
  • 25. #PIWorld ©2019 OSIsoft, LLC Playbooks 25
  • 26. #PIWorld ©2019 OSIsoft, LLC Start Test: Breaker Trips Event Frame Sent 26
  • 32. #PIWorld ©2019 OSIsoft, LLC Quality of the Assessment (simulated) drives appropriate response actions 32 Defcon 5 Normal Operations – all connections active through firewalls Defcon 4 Add email content filtering Additional web proxy filtering/Only critical web use Reduce remote access to OT zones (vendors or employees) Disable non-critical external access Increase Geo-IP blocking Defcon 3 Strict email sanitization (reduce use, block attachments, TXT only) Limit remote access to corp Disable remote access to OT zones (vendors or employees) Reduce public internet surface area Defcon 2 Unplug all OT network connections Disable all corp remote access Defcon 1 Full internet disconnect Defcon 0 Go home, hug kids, grab bug-out bag
  • 33. #PIWorld ©2019 OSIsoft, LLC Quality of the Assessment (simulated) drives appropriate response actions 33
  • 34. #PIWorld ©2019 OSIsoft, LLC Solution, Plans, Future 35
  • 35. #PIWorld ©2019 OSIsoft, LLC RESULTSCHALLENGE SOLUTION SRP 1. Eliminate threat activity as direct cause of operational outages 2. Improve detection of adversary tradecraft targeting OT 3. Provide data supporting fast & accurate Incident Response Integrate PI data with the Threat detection platform First (small) test has proven that this integration can add value • PI Event Frames notify on specific events • Dragos Platform correlates PI data with network and endpoint data. • Were able to launch an investigation based on operational events • Provided data that allowed the analyst to make better assessments Enhance Cyber Threat detection with PI data 36
  • 36. #PIWorld ©2019 OSIsoft, LLC Future Use Cases 37 Safety • Can PI + Dragos identify unauthorized entry into a substation? Contract Compliance • Can PI + Dragos assure outside contractors are operating properly? Cyber Attack • Can PI + Dragos detect abnormal load shedding events from substations, meters, or solar inverters?
  • 37. #PIWorld ©2019 OSIsoft, LLC Contact 39 • Dan Gunter • Principal Threat Analyst • Dragos • @dan_gunter • Mark Johnson-Barbier • Sr. Principal Analyst • Salt River Project • @PulseOut101
  • 38. #PIWorld ©2019 OSIsoft, LLC Questions? Please wait for the microphone State your name & company Please remember to… Complete Survey! Navigate to this session in mobile agenda for survey DOWNLOAD THE MOBILE APP 40

Editor's Notes

  1. It seems like all operational outages are all cyber now… This transformer fire in July 2004 was the first time anyone asked me if it could have been caused by a cyber attack. My answer at the time, was “I don’t know”. Direct cause of the fire ended up being a Blue Huron pooping on an insulator and causing a fault. Gila Power Plant visit We made some changes in the am … testing complete, went to lunch Driving back to plant … black smoke coming from Unit 2 transformer “was it a cyber attack” Photo credit: APS Substation technician
  2. Talk about adversary capabilities and activity This is a software fight – to scale it we need data We want to use threat into to improve our path forward Value of red teaming
  3. After a breach Need to be able to quickly identify adversary actions IT security tools don’t do that well in OT If we are going to enhance IR, we need data – just like a picture needs more pixels to enhance IRL. We are looking at PI to provide some of that data. Meme credits: Battlestar Galactica The X-Files
  4. So as we follow the scientific method in our efforts to solve this business problems, we look to known ICS attacks. German Steel Mill OT team didn’t consider cyber Insurance company RCA discovered cyber intrusion as cause of equipment damage Trisis Vendor contacted 3 times prior to consideration of cyber attack Crashoverride (Ukraine 2016) Event Ukraine 2015
  5. Give a quick overview of Ukraine attacks – many attendees won’t know details What we are doing is based on the tactics of Explain why this matters Reference: Wall Street Journal: http://www.wsj.com/articles/cyberattacks-raise-alarms-for-u-s-power-grid-1483120708 For nine months, the hackers studied the Ukrainian electric system. When the attack finally happened on December 23, 2015, hackers remotely took control of three of Ukraine’s 30 power distribution utilities within a half-hour. During the attack, the first time that power systems had been blacked out through cyber means, control room engineers sat helplessly as ghostly hands moved cursors across their computer screens, opening circuit breakers at 50 substations and shutting off electricity to about 700,000 people.
  6. “Shortly before midnight on December 17, someone started disconnecting circuit breakers through remote means until the electrical substation was completely disabled, Mr. Kovalchuk said.” “Mr. Kovalchuk said he believes the latest attack was well planned because the targeted substation is one of the utility’s most automated.” Reference: Kovalchuk said the outage amounted to 200 megawatts of capacity, equivalent to about a fifth of the capital's energy consumption at night.
  7. After observing adversary instruction into other ICS, I’m left with a simple question – how to prevent, detect, and respond to these attacks.
  8. Prevention is our first line of defense – we believe we can prevent many adversaries and we are working on being a hard target. However, we need to test all levels of defense including response and to do that we have to assume that our preventive barriers fail Given what we know about ICS adversaries, and assuming that prevention fails I predicted that we will 1. detect some adversary tactics 2. Gather data to respond
  9. After testing the previous theory against existing controls and against the Dragos threat platform, we realized that we still have room for improvement. Quickly summarize tests of previous efforts: 1 – controls using existing corporate controls was effective but didn’t lower risk enough 2 – adding Threat intel and threat based detections improved detection rates and response 3 – if an event occurs we expect to need faster responses – therefore we are investigating the integration with PI
  10. So let’s talk about how the PI system was applied to help solve this problem.
  11. One step for preparing for a direct attack on our EMS would be to prepare alerts and integrations in advance that would allow a SOC analyst to Quickly confirm if a breaker operation is/not the result of a cyber attack Quickly gather necessary data that will help identify the extent of the intrusion and prepare an eviction plan
  12. In a simulated attack the PI event frame would connect to the Dragos platform to display a notification.
  13. When a behavior is associated to a threat behavior, the analyst would start investigating the behavior to determine if it is legitimate or not
  14. Creating an alert is only the first step of preparing for an event such as Ukraine 2015. We must also plan our response and ensure that the SOC analyst has all the data she needs to confirm the attack and provide necessary data to learn the extent of the intrusion. The pre-planned actions are recorded in a playbook. Playbook steps SOC analyst through analysis steps: Confirm communications to breaker is from expected hosts Confirm all data flows to breaker on uses expected ports/services Confirm that the DNP3 operations are only the expected operations Review PI data to observe historical state of breaker If necessary contact EMS to confirm operation was expected Review endpoint information from the source computer
  15. Playbook Step 1 – soc analyst validates that the source of the dnp3 breaker operate function was the expected source computer. Because of the visual diagram of traffic flows the analyst quickly identifies a source computer that began remote communications with the automated breaker just prior to the event.
  16. Playbook Step 2 The analyst reviews the content of the communications and identifies new protocols that are unexpected
  17. The analyst reviews the content of the valid traffic and finds that it uses a different operate command (direct operate) than the normal EMS system uses (select then operate)
  18. SOC analyst reviews history of breaker as part of investigation and finds that the system should be right at the start of an extended operational window and likely should have remained closed.
  19. SOC analyst reviews connections to the source computer Are there any unexpected remote connections Review Alerts for the computer – brute force attacks, etc Alert on EWS for interactive logon
  20. SOC analyst reviews data – assessment is made. Because all 5 steps in the playbook shows some level of anomalous activity, the analyst is able to provide a high confidence assessment. Quality of the assessment and amount of data contributes to a more appropriate decision - without necessary data we might overreact to a squirrel attack or underreact to a cyber adversary
  21. We also need to consider information sharing – how much of what we’ve gathered needs to be shared with partners, government, other utilities, regulators, and customers.
  22. Few companies actually monitor their vendor access in a way that would prevent Intel is never going to be perfect