In this presentation Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, will demonstrate three separate models used together to identify gaps in an ICS security posture. First, threat modeling is an inward look by the ICS network defender, to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels of an industrial process. Second, the ICS Cyber Kill Chain is an outward look at the steps an adversary needs to take to achieve their objectives. Third, the bowtie model gives a graphical representation of the threats to the environment together with the protection, detection and response controls that help secure it. The result is a holistic picture of the security controls in the asset owner's network, scoped to the threat actors they care about, which allows gaps in their strategy to be identified.
Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.
1. Dressing up the ICS Kill Chain
DANIEL MICHAUD-SOUCY
A Collision of Models
2. About
• Daniel Michaud-Soucy, ICS Security guy
• Current: Dragos, Threat Analyst
• Previous:
• Sempra Energy, Cybersecurity Engineer (R&D)
• Red Tiger Security, Professional Services Director (vulnerability assessments, penetration testing, red teaming)
• University of Ottawa: BASc Computer Engineering
5. On Models...
All models are wrong, but some are useful
- George Box
What is simple is always false. What is not is unusable
- Paul Valéry
Only a Sith deals in absolutes
- Obi-Wan Kenobi
6. Threat Modeling
• Analysis of environment, threat actors, impacts, risks, crown jewels
• Assists with prioritization of security controls
• Based on threat modeling, what security controls are in place to prevent an insider from changing logic on a controller from my corporate network?
• What about a 3rd party connection from a vendor directly into my OT network?
• Someone else's threat model != your threat model
7. Threat Modeling – The Environment
Corporate network
DMZ
Operations
Supervisory
Control
Instrumentation
Vendor
8. Threat Modeling – The Threat Landscape
INSIDER: a malicious insider, someone with prior system knowledge and "the keys to the kingdom"
HACKTIVIST: propaganda-driven, not as well resourced as others
CYBERCRIME: financially driven, opportunistic, commodity or custom malware
"APT": nation-state actors, well funded and resourced, most sophisticated
9. ICS Cyber Kill Chain
• Originally created by Lockheed Martin as the Cyber Kill Chain, adapted to ICS by Michael J. Assante & Robert M. Lee
• Understanding, visualizing and organizing the steps (tradecraft) required for an adversary to achieve their goal
• Two stages:
• Cyber intrusion preparation and execution – "IT"
• ICS attack development and execution – "OT"
• Breaking the chain increases adversary friction
• As ICS network defenders, we have many opportunities to do this!
10. ICS Cyber Kill Chain – "APT" Style on Electric Power
OSINT
Spear-phishing campaign
Email
Malicious document
Mimikatz
IPv6 DNS
ICS network breach
Info gathering
Not observed…
Native Windows commands
Run payload as service
Breaker trip
11. Bowtie Model
• Risk assessment methodology
• Originates from a blend of fault tree and event tree methodologies
• Threats lead to an event on a hazard that leads to consequences, plus barriers
[Bowtie diagram: Threats on the left pass through Barriers to the Event on the Hazard at the centre, which passes through Barriers to Consequences on the right]
12. Bowtie Model – Driving a Car
Hazard: Driving a car
Event: Car crash
Threats: Other drivers, Tire failure, Road conditions
Preventative Barriers: Car mirrors, Defensive driving, ABS
Recovery Barriers: Airbag, Bumpers, Seatbelt
Consequences: Bodily injury, Vehicle totaled, Expulsion from car
13. 01
THREAT MODELING
• We have a way to analyze the threats that matter to us
• This provides context and feeds into our kill chain
02
ICS KILL CHAIN
• We understand what steps an adversary has to go through to accomplish their goal
• These steps become our "threats"
03
BOWTIE MODEL
• We have a way to visualize our threats as well as our barriers
• Our barriers are our security controls
Dressing up the ICS Kill Chain
14. Threat Modeling – The Environment
Corporate network
DMZ
Operations
Supervisory
Control
Instrumentation
Vendor
KILL CHAIN
15. ICS Cyber Kill Chain – "APT" Style on Electric Power
OSINT
Spear-phishing campaign
Email
Malicious document
Mimikatz
IPv6 DNS
ICS network breach
Info gathering
Not observed…
Native Windows commands
Run payload as service
Breaker trip
[Bowtie overlay on the kill chain. Labels: Domain Admin Credentials, Credential Reuse, Backdoor accounts, Pivoting, Credential harvesting, New processes, Service accounts, EDR, Disable account, Application whitelisting. Diagram columns: Threats, Preventative Barriers, Recovery Barriers, Consequences]
16. Practical Application – "APT" Style on Electric Power
Hazard: Operating a substation. Consequence: Loss of power delivery.
Kill Chain Step | Protection | Detection | Response
Stage 1 – Reconnaissance | Limit public information | Awareness, culture | Internal reporting
Stage 1 – Weaponization / Targeting | Patch management | AV, IDS | Patching
Stage 1 – Delivery | Mail proxy, web proxy | Awareness, report phishing | Sinkholing
Stage 1 – Exploit | Hardening, patching | Anti-exploit, sandboxing | SOC
Stage 1 – Install / Modify | Disable PowerShell | EDR tool | SOC, CSIRT
Stage 1 – C2 | DNS redirect | DNS logging | SOC, CSIRT
Stage 1 – Act | Network segmentation | Access control monitoring | SOC, CSIRT
Stage 2 – Develop | Backup management | N/A | N/A
Stage 2 – Test | N/A | N/A | N/A
Stage 2 – Delivery | Privileged access | Behavior analytics | SOC, CSIRT
Stage 2 – Install / Modify | Privileged access | Behavior analytics | CMDB, backups and recovery
Stage 2 – Execute ICS attack | Controller run mode | Process data monitoring | Incident response plan
17. Practical Application – Evaluation and Gap Analysis
Hazard: Operating a substation. Consequence: Loss of power delivery.
Kill Chain Step | Protection | Detection | Response
Stage 1 – Reconnaissance | Limit public information | Awareness, culture | Internal reporting
Stage 1 – Weaponization / Targeting | Patch management | AV, IDS | Patching
Stage 1 – Delivery | Mail proxy, web proxy | Awareness, report phishing | Sinkholing
Stage 1 – Exploit | Hardening, patching | Anti-exploit, sandboxing | SOC
Stage 1 – Install / Modify | Disable PowerShell | EDR tool | SOC, CSIRT
Stage 1 – C2 | DNS redirect | DNS logging | SOC, CSIRT
Stage 1 – Act | Network segmentation | Access control monitoring | SOC, CSIRT
Stage 2 – Develop | ? | N/A | N/A
Stage 2 – Test | N/A | N/A | N/A
Stage 2 – Delivery | Privileged access | ? | ?
Stage 2 – Install / Modify | ? | ? | ?
Stage 2 – Execute ICS attack | ? | Process data monitoring | ?
Legend: Control exists / Partial control / No control
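The evaluation in slides 16 and 17 is a table walk: for every kill chain step, check whether a protection, detection and response barrier exists. The script below is an added example (not from the deck) that encodes the slide 17 table and reports the gaps per step and per stage; it assumes a "?" cell means a partial control and "N/A" no control, and the assignment of each cell to its row is an assumption from the extracted slide.

```python
from dataclasses import dataclass

COLUMNS = ("protection", "detection", "response")
RANK = {"none": 0, "partial": 1, "exists": 2}

@dataclass(frozen=True)
class Step:
    stage: int        # 1 = cyber intrusion (IT), 2 = ICS attack (OT)
    name: str
    protection: str   # one cell per barrier column of the table
    detection: str
    response: str

def status(cell):
    """Map a cell to the slide legend: N/A = no control, ? = partial control (assumed)."""
    return "none" if cell == "N/A" else "partial" if cell == "?" else "exists"

def gaps(steps, at_least="exists"):
    """Every (stage, step, column) whose barrier is weaker than at_least."""
    return [(s.stage, s.name, col) for s in steps for col in COLUMNS
            if RANK[status(getattr(s, col))] < RANK[at_least]]

def coverage_by_stage(steps):
    """Fraction of barrier cells per kill chain stage backed by an existing control."""
    cells = {}
    for s in steps:
        cells.setdefault(s.stage, []).extend(status(getattr(s, c)) == "exists" for c in COLUMNS)
    return {stage: sum(hits) / len(hits) for stage, hits in cells.items()}

def steps_without_full_control(steps):
    """Steps where no column has an existing control: the adversary meets no friction."""
    return [s.name for s in steps
            if all(status(getattr(s, c)) != "exists" for c in COLUMNS)]

# Constructed from the slide 17 table; assigning each cell to its row is an assumption.
SLIDE17 = [
    Step(1, "Reconnaissance", "Limit public information", "Awareness, culture", "Internal reporting"),
    Step(1, "Weaponization/Targeting", "Patch management", "AV, IDS", "Patching"),
    Step(1, "Delivery", "Mail proxy, web proxy", "Awareness, report phishing", "Sinkholing"),
    Step(1, "Exploit", "Hardening, patching", "Anti-exploit, sandboxing", "SOC"),
    Step(1, "Install/Modify", "Disable PowerShell", "EDR tool", "SOC, CSIRT"),
    Step(1, "C2", "DNS redirect", "DNS logging", "SOC, CSIRT"),
    Step(1, "Act", "Network segmentation", "Access control monitoring", "SOC, CSIRT"),
    Step(2, "Develop", "?", "N/A", "N/A"),
    Step(2, "Test", "N/A", "N/A", "N/A"),
    Step(2, "Delivery", "Privileged access", "?", "?"),
    Step(2, "Install/Modify", "?", "?", "?"),
    Step(2, "Execute ICS attack", "?", "Process data monitoring", "?"),
]
```

Running `gaps(SLIDE17)` lists every stage 2 cell that is not a full control, and `coverage_by_stage(SLIDE17)` shows the asymmetry the slide makes visually: the IT stage is fully covered while the OT stage has an existing control in only two of fifteen cells.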
18. In Conclusion…
• Threat modeling is the first step
• What does my network look like, what are the threats I am worried about?
• Understanding the adversary's success criteria
• What are the tactics, techniques and procedures utilized by threat actors I am concerned with?
• Complete by overlaying security controls as barriers
• What do I have in place that allows me to protect, detect and respond to these threats?