
How We Stopped Being Just Antivirus and Became a Unique Industrial Infrastructure Defender


A talk delivered by Vladimir Dashchenko at S4x19 in Miami on the history of Kaspersky Industrial Cybersecurity: from delivering AV, to investigating sophisticated attacks and vulnerabilities in ICS hardware and software, to providing customers with threat intelligence, security awareness services and specific technologies for ICS threat detection and prevention.



  1. How We Stopped Being Just Antivirus ─ And Became A Unique Industrial Infrastructure Defender
  2. Most Tested. Most Awarded. Kaspersky Lab Protection.*
     [Bubble chart: score of TOP 3 places (0–100%) against number of independent tests/reviews (20–100); vendors shown: Bitdefender, Sophos, G DATA, Symantec, F-Secure, Intel Security (McAfee), Trend Micro, Avira, Avast, AVG, ESET, Kaspersky Lab; bubble size reflects the number of 1st places.]
     In 2017 Kaspersky Lab products participated in 86 independent tests and reviews. Our products were awarded 72 firsts and achieved 78 top-three finishes. Kaspersky Lab: 1st places – 72; participation in 86 tests/reviews; TOP 3 = 91%.
     * Notes:
     • According to summary results of independent tests in 2017 for corporate, consumer and mobile products.
     • Summary includes independent tests conducted by: AV-Comparatives, VirusBulletin, ICSA Labs, SELabs, MRG Effitas, AV-Test.
     • Tests performed in these programs assess all protection technologies against known, unknown and advanced threats.
     • The size of the bubble reflects the number of 1st places achieved.
     www.kaspersky.com/top3
  3. Our Major Discoveries (timeline 2010–2017): Stuxnet, Duqu, Gauss, Flame, miniFlame, NetTraveler, Miniduke, RedOctober, Icefog, Winnti, Kimsuky, TeamSpy, CosmicDuke, Darkhotel, Regin, Careto / The Mask, Epic Turla, Energetic Bear / Crouching Yeti, Wild Neutron, Blue Termite, Spring Dragon, Desert Falcons, Carbanak, Equation, Animal Farm, Darkhotel - part 2, MsnMM Campaigns, Satellite Turla, Hellsing, Sofacy, Naikon, Duqu 2.0, ProjectSauron, Saguaro, StrongPity, Lazarus, Lurk, Adwind, Metel, Ghoul, Fruity Armor, ScarCruft, Poseidon, GCMan, Danti, Dropping Elephant, Moonlight Maze, ATMitch, ShadowPad, BlackOasis, WhiteBear, Silence, WannaCry, Shamoon 2.0, ExPetr/NotPetya, BlueNoroff, StoneDrill. https://apt.securelist.com
  4. Kaspersky Enterprise Security Solutions
     Technological:
     • Anti Targeted Attack – Comprehensive multi-vector discovery and risk mitigation of advanced threats and targeted attacks
     • Endpoint Security – The leading multi-layered endpoint protection platform, based on true cybersecurity technologies
     • Cloud Security – Borderless security engineered for your hybrid cloud
     • Cybersecurity Services – Leveraging Threat Intelligence, Security Training, Incident Response and Assessment from the world leader
     • Security Operations Center – Empowering your SOC with the tools and information to efficiently detect and remediate threats
     • Fraud Prevention – Proactive detection of cross-channel fraud in Real Time
     By Industries:
     • Financial Services Cybersecurity – Providing Financial Services with the tools to raise security levels, prevent and predict cyber-incidents and respond efficiently
     • Telecom Cybersecurity – Efficient protection for telecoms infrastructure and information systems against the most advanced cyberthreats
     • Healthcare Cybersecurity – Protecting healthcare infrastructures and sensitive clinical data in a ruthless cyberthreat landscape
     • Data Center Security – Empowering your data center to detect and respond to the most advanced cyberthreats
     • Government Cybersecurity – Security controls and services geared to the demands of government organizations and related public bodies
     • Industrial Cybersecurity – Specialized protection for industrial control systems
  5. Kaspersky Industrial CyberSecurity Expertise and Technologies
  6. Kaspersky Lab ICS CERT structure: Vulnerability Researchers, Security auditors, Developers, Security analysts, Industrial engineers. CVE Numbering Authority since 2016.
  7. Kaspersky ICS CERT: ICS/IIoT Vulnerability Research. More than 170 ICS / IIoT vulnerabilities have been found since 2016.
  8. Kaspersky ICS CERT: ICS/IIoT Vulnerability Research. Some of the ICS vendors we helped. https://ics-cert.us-cert.gov/advisories
  9. Vulnerabilities in Common Components
     "…This Gemalto solution is used in products by other software vendors, including such companies as ABB, General Electric, HP, Cadac Group, Zemax and many other organizations, the number of which, according to some estimates, reaches 40 thousand."
     "…Many products that use the OPC UA technology by the OPC Foundation may include that server, making them vulnerable to the XXE attack. This makes this vulnerability much more valuable from an attacker's viewpoint..."
  10. Industrial Cybersecurity Assessments. https://www.securityweek.com/ics-security-experts-share-interesting-stories
  11. Kaspersky ICS Security Assessment: Impact Analysis
     Components in the example process: Tank, Control valve, Level meter, Pump, PLC, SCADA. Industries: Oil refinery, Power grid, Chemical manufacturing.
     • Malicious overrides of process setpoints → Tank overfill / fraud
     • Malicious changes of PID parameters → Equipment overstress/disruption
     • Malicious changes of measurement values → Tank overfill / fraud
     • Malicious changes of process control logic → Hydraulic surge, equipment damage, emergency shutdown
     • Malicious STOP command → Process out of control
  12. Threat Intelligence
     Sources: Web crawlers, BotFarm, Spam trap, Sensors, APT research team, Partners, OSINT, Honeypots, Kaspersky Global Users.
     Pipeline: Kaspersky Lab Statistics → Kaspersky Lab Expert Systems → Kaspersky Lab Analysis → Data Feeds and Whitelisting → Customer.
  13. Kaspersky ICS CERT: Threat landscape for ICS
     ► Threat data sources: Kaspersky Security Network (KSN); Kaspersky Industrial CyberSecurity service projects; Surveys; Public sources
     ► ICS computers protected by Kaspersky Lab products: supervisory control and data acquisition (SCADA) servers; data storage servers (Historian); data gateways (OPC); stationary workstations of engineers and operators; mobile workstations of engineers and operators; Human Machine Interface (HMI)
     ► ICS supply chain participants
  14. Kaspersky ICS CERT: Malware in ICS
     ► Main findings: random malware attacks in ICS; cryptominers in ICS; ransomware in ICS; remote administration tools (RATs); mass-targeting campaigns
     ► Main sources of malware, as always: Web; removable devices; mail
     [Map: geographical distribution of attacks on industrial automation systems, H1 2018, percentage of ICS computers attacked in each country.]
     https://ics-cert.kaspersky.com/reports/2018/09/06/threat-landscape-for-industrial-automation-systems-h1-2018/
  15. Contribution to the global ICS/IIoT Security standardization
  16. Contribution to the global ICS/IIoT Security standardization: some of the released studies we contributed to
  17. State of ICS Security Surveys. https://ics.kaspersky.com/media/2018-Kaspersky-ICS-Whitepaper.pdf
  18. Kaspersky ICS Security trainings
     • Advanced Industrial CyberSecurity in Practice – 2 days, 10–20 specialists
     • ICS Penetration Testing for Professionals – 5 days, up to 10 professionals
     • ICS Digital Forensics for Professionals – 4 days, up to 10 professionals
  19. Kaspersky ICS CERT: University Cooperation
  20. Kaspersky Interactive Protection Simulation (KIPS)
     KIPS is an exercise that places business decision makers and IT security teams from corporations and government departments into a simulated business environment facing a series of unexpected cyber threats, while trying to maximize profit and maintain confidence.
     Industrial scenarios: • Oil & Gas • Power station • Water plant • Transportation
     References: Government agencies, BASF, CERN, Mitsubishi, Yokogawa, RusHydro, Panasonic, ISA, SANS, ...
     https://media.kaspersky.com/en/business-security/enterprise/KL_SA_KIPS_overview_A4_Eng_web.pdf
  21. Kaspersky Lab ICS/IIoT Capture the Flag
     A capture the flag (CTF) contest is a competition for cybersecurity experts organized in the form of a game, in which the participants solve computer security problems. They must either capture (attack/bring down) or defend computer systems in a CTF environment. https://ctf.kaspersky.com
  22. Kaspersky Industrial Cybersecurity Conference. https://ics.kaspersky.com/conference/
  23. Kaspersky Security Analyst Summit
     SAS is an annual event that attracts high-caliber anti-malware researchers, global law enforcement agencies and CERTs, and senior executives from financial services, technology, healthcare, academia and government agencies.
     ► Nation state cyber-espionage and advanced threat actors
     ► Internet of Things
     ► Government surveillance issues and privacy rights
     ► Threats against banks, financial institutions
     ► Mobile malware
     ► Critical infrastructure protection (SCADA/ICS)
     ► Law-enforcement coordination and information sharing
     ► Vulnerability discovery and responsible disclosure
     Singapore, April 8-11, 2019. https://sas.kaspersky.com
  24. Kaspersky Industrial CyberSecurity Products
  25. KICS for Nodes – Industrial Endpoint Protection
     Protection for industrial endpoints: • SCADA servers • SCADA clients • Human Machine Interfaces (HMI) • Engineering workstations • Historians • OPC gateways
     Security capabilities: • Application whitelisting • Antimalware protection • Ransomware protection • Removable device control • File Integrity Monitoring • Exploit Prevention • Wireless access control • Log Inspection • PLC integrity checker
     Industrial specifics: • Easy to deploy • Local signature updates • Less resource consuming than other EPP • Legacy OS support • Tested by ICS/SCADA vendors
  26. KICS for Networks – Industrial Network Anomaly and Breach Detection
     • Network Activity Monitoring • Safe Non-Invasive Mode • Asset Discovery • Commands and Telemetry Analysis • Anomaly Detection • Cyber Attack Detection • Remote Access Detection • Malware Spreading Detection • Network Visualization • Event Correlation • SOC/SIEM Integration
     [Logos: some of the supported devices & protocols.]
  27. KICS for Networks – Industrial Network Anomaly and Breach Detection
  28. KICS for Networks powered by Machine Learning for Anomaly Detection
     • Detects independently of the reason: cyber attack, human factor, equipment faults, ...
     • Anomaly interpretation
     • Predictive maintenance
     • State-of-the-art ML technology
     • No need to manually create rules
     Case studies: Secure Water Treatment System (SWaT), SUTD, Singapore; crude & vacuum distillation units at an oil refining plant; chemical plant: Tennessee Eastman Process (TEP)
  29. Comprehensive approach to Operational Technology Security
     Kaspersky Lab is cited in 4 categories for its dedicated OT security portfolio, KICS: • OT Endpoint Security • OT Network Monitoring and Visibility • Anomaly Detection, Incident Response, Reporting • OT Security Services
     Competitive Landscape: Operational Technology Security, Ruggero Contu, 29 October 2018. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
     Get a complimentary copy of this Gartner report: https://ics.kaspersky.com/KICS-cited-in-Gartner-competitive-landscape-OT-security
  30. Kaspersky Industrial CyberSecurity Experience
     • German Glass Manufacturer – Challenge: needs to prevent delays in production and a complete breakdown of the production lines due to cyber attacks, which can incur not only cancellation fees but in many cases expensive contractual penalty charges, too. Solution: KICS for Nodes System; KICS for Networks System. (Case Study Link)
     • Czech Brewery – Challenge: needs to make sure the production lines and all OT-related software and hardware of the brewing part and bottling lines, including in total 2 brew houses and CCT areas and 8 packaging lines in the Pilsen plant, were resistant to cyber attacks, and that the company was ready to implement a holistic industrial cybersecurity strategy. Solution: Industrial Cyber Security Assessment Service. (Case Study Link)
     • Danish ICS Security Service Company – Challenge: need for additional qualifications to conduct pentesting in the industrial area, and to enhance ICS knowledge in a prompt and efficient manner. Solution: Industrial Penetration Testing Training. (Case Study Link)
     • Russian Steel Producer – Challenge: improve protection of a modern automation infrastructure combining the computing resources of industrial control systems (ICS) in several territorially distributed data centers, and reduce maintenance costs. Solution: KICS for Nodes System; KICS for Networks System. (Case Study Link)
  31. Kaspersky OS: Family
     ► Kaspersky OS (KOS) – its key feature is a sophisticated approach that makes it possible to control inter-process communications in accordance with specified security policies.
     ► Kaspersky Security System (KSS) for Linux – a security policy verdict computation engine. It works in conjunction with KasperskyOS (or can be embedded into Linux-based firmware), which enforces KSS verdicts.
     ► Kaspersky Secure Hypervisor (KSH) – a Type 2 hypervisor that runs on the KasperskyOS microkernel with Kaspersky Security System; it can run multiple untrusted guest operating environments on a single HW platform and prevent their unwanted influence on each other as well as on the host operating system.
     https://os.kaspersky.com
  32. Kaspersky OS: Implementation
     ► Telecom equipment: Trusted Layer 3 Routing Switch by Craftway; Trusted Network Equipment by Eltex
     ► Connected cars: Vehicle Secure Communication Unit by AVL
     ► Internet of Things: Kaspersky IoT Secure Gateway by Kaspersky Lab
     ► Industrial equipment: CODESYS protection by BE.services' Security Shield (ESS)
  33. Global Transparency Initiative (GTI): Kaspersky Lab moves core infrastructure to Switzerland
     • Customer data storage and processing – Switzerland; for Europe, with the U.S., Canada, Singapore, Australia, Japan and South Korea, as well as other countries, to follow later
     • Software assembly – for compiling software before distribution to customers worldwide
     • Opening Transparency center – for trusted partners to review the source code and software updates
     • Independent supervision and review by a third-party organization
  34. Let's talk! ICS-CERT.kaspersky.com ICS.kaspersky.com OS.kaspersky.com @KasperskyICS
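Slide 11 lists what an attacker gains by overriding setpoints or falsifying level-meter readings in a tank control loop, and slide 28 describes detecting such anomalies regardless of their cause. The following is an added example written for this page to show one way a defender can do that with a simple physics-consistency check; it is not Kaspersky code and not how KICS for Networks works. The tank geometry, flow rates, safe setpoint limit, tolerance and the telemetry samples are all constructed assumptions.

```python
"""Physics-consistency checks for a tank level control loop (added example).

A mass-balance model predicts the next level from the pump and valve state;
a reported level that disagrees with the prediction, or a setpoint outside
the engineered envelope, raises an alert. All constants are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

TANK_AREA_M2 = 2.0           # assumed tank cross-section
PUMP_FLOW_M3_PER_S = 0.05    # assumed inflow while the pump runs
VALVE_MAX_FLOW_M3_PER_S = 0.05  # assumed outflow at 100 % valve opening
SAFE_SETPOINT_MAX_M = 4.0    # assumed engineered high-level limit
RESIDUAL_TOL_M = 0.05        # tolerated model/measurement mismatch per step

Alert = Tuple[int, str, str]  # (time, alert code, human-readable detail)


@dataclass
class Sample:
    t: int              # seconds since start of capture
    level_m: float      # level reported by the level meter
    setpoint_m: float   # setpoint currently configured in the PLC
    pump_on: bool       # pump running (inflow)
    valve_pct: float    # control valve opening, 0..100 (outflow)


def expected_delta(prev: Sample, dt: float) -> float:
    """Level change predicted by mass balance over dt seconds."""
    inflow = PUMP_FLOW_M3_PER_S if prev.pump_on else 0.0
    outflow = VALVE_MAX_FLOW_M3_PER_S * prev.valve_pct / 100.0
    return (inflow - outflow) * dt / TANK_AREA_M2


def analyse(samples: List[Sample]) -> List[Alert]:
    """Return alerts for setpoint overrides and inconsistent level readings."""
    alerts: List[Alert] = []
    for prev, cur in zip(samples, samples[1:]):
        # Slide 11, "malicious overrides of process setpoints": the setpoint
        # itself is compared against the engineered safe envelope.
        if cur.setpoint_m > SAFE_SETPOINT_MAX_M:
            alerts.append((cur.t, "setpoint_override",
                           f"setpoint {cur.setpoint_m:.2f} m exceeds "
                           f"safe limit {SAFE_SETPOINT_MAX_M:.2f} m"))
        # Slide 11, "malicious changes of measurement values": a reported
        # level must agree with what the actuator state physically allows.
        predicted = prev.level_m + expected_delta(prev, cur.t - prev.t)
        if abs(cur.level_m - predicted) > RESIDUAL_TOL_M:
            alerts.append((cur.t, "level_inconsistent",
                           f"reported {cur.level_m:.2f} m, model predicts "
                           f"{predicted:.2f} m"))
    return alerts


# Constructed telemetry: a normal fill, then a setpoint override followed by
# a frozen (spoofed) level reading while the pump keeps filling the tank.
CONSTRUCTED_TELEMETRY = [
    Sample(t=0, level_m=1.00, setpoint_m=3.0, pump_on=True, valve_pct=0),
    Sample(t=10, level_m=1.25, setpoint_m=3.0, pump_on=True, valve_pct=0),
    Sample(t=20, level_m=1.50, setpoint_m=3.0, pump_on=True, valve_pct=100),
    Sample(t=30, level_m=1.50, setpoint_m=3.0, pump_on=True, valve_pct=100),
    Sample(t=40, level_m=1.50, setpoint_m=6.0, pump_on=True, valve_pct=0),
    Sample(t=50, level_m=1.50, setpoint_m=6.0, pump_on=True, valve_pct=0),
]


def demo() -> List[Alert]:
    """Run the checks over the constructed telemetry."""
    return analyse(CONSTRUCTED_TELEMETRY)


if __name__ == "__main__":
    for t, code, detail in demo():
        print(f"t={t:3d}s  {code:<18} {detail}")
```

The check is deliberately independent of how the anomaly arose: a wrong setpoint written by an attacker, an operator typo, or a drifting sensor all produce the same residual, which is the property slide 28 attributes to its ML-based detection. A real deployment would learn the flow constants and tolerance from historical data rather than hard-code them.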
