
Industrial Threats Landscape, H2'2017

Here we report the current state of the ICS threat landscape, as presented at the IT&Automation 2018 conference in Böblingen.

To learn more about Kaspersky Lab's ICS CERT, visit https://kas.pr/e34v


  1. Kirill Kruglov, Critical Infrastructure Threat Analysis, Kaspersky Lab ICS CERT. INDUSTRIAL CONTROL SYSTEMS CYBER THREAT LANDSCAPE
  2. THE NATURE OF THE THREAT / OUR INDUSTRIAL CYBERSECURITY ACTIVITIES IN A NUTSHELL. KICS is a portfolio of technologies and services designed to secure Industrial Control System environments; launched at the end of 2015; more than 15 customers globally since launch; 4 official references. KL ICS Cyber Emergency Response Team is a special non-commercial project that offers a wide range of information and research services; officially launched at the end of 2016; regularly contributes to industrial cybersecurity, e.g. helping prepare IIFS v1.0; found more than 100 ICS vulnerabilities; raising awareness through hackathons, CTFs, workshops and demos worldwide.
  3. 3. CYBER SECURITY INCIDENTS
  4. CRASHOVERRIDE: what if it is turned on and off?
  5. CYBER-PHYSICAL ATTACKS: ENERGY. History repeating: CRASHOVERRIDE. WHEN: DECEMBER 2016. WHERE: UKRAINE, KIEV, DIGITAL SUBSTATION «NORTHERN». PHYSICAL: POWER OUTAGE FOR 1 HOUR 15 MIN. CYBER: (possibly?) CRASHOVERRIDE / Industroyer malware platform, with plugins for IEC 101/104, IEC 61850 and OPC; the second (after STUXNET) case of malware designed to target physical systems.
  6. CYBER-PHYSICAL ATTACKS: ENERGY. BlackEnergy 2.0. WHEN: DECEMBER 2015. WHERE: UKRAINE. PHYSICAL: power cell switches operated, remote control disabled for operators, power outage on 7 110 kV and 23 35 kV substations. FINANCIAL: POWER OUTAGE IN 5 REGIONS FOR 6 HOURS. CYBER: BlackEnergy 2.0 as the door opener, the rest of the attack performed manually.
  7. CYBER-PHYSICAL ATTACKS: OIL & GAS, SHAMOON. History repeating. WHEN: DECEMBER 2012. WHERE: SAUDI ARABIA, SAUDI ARAMCO; 35 000 COMPUTERS WIPED OUT, 50 000 HDDS WERE REPLACED. PHYSICAL: 17 DAYS OF DELAYED PRODUCT DELIVERY.
  8. CYBER-PHYSICAL ATTACKS: OIL & GAS, SHAMOON 2.0 / STONEDRILL. History repeating. WHEN: NOV 2016 – JAN 2017. WHERE: SAUDI ARABIA, MIDDLE EAST, EUROPE; MANUFACTURING AND OIL & GAS; CONNECTED TO NEWSBEEF, PROBABLY IRAN. DAMAGE: ??? STILL TO BE CALCULATED.
  9. RANSOMWARE ATTACKS: UTILITY. Michigan, USA, 2016. CYBER ATTACK: • phishing attack to deliver ransomware • mail delivery and finance operations affected • phone lines not working, including the Technical Support line • customers stopped from getting their bills. DIRECT LOSSES: • $25K ransom • $2.4M FOR EXTRA CYBER SECURITY.
  10. RANSOMWARE ATTACKS: WannaCry in ICS? 12-15 May 2017, more than 150 countries. COMPANIES REPORTED: • Renault, France • Gas Natural, Spain • NHS, UK • computers in police units in India • enterprises in Mumbai, Hyderabad, Bengaluru, Chennai • schools, universities • railways? • etc.
  11. 11. RANSOMWARE ATTACKS: WannaCry in ICS? ICS machines affected the most according to KSN statistics
  12. OT vs IT. RANSOMWARE ATTACKS: WannaCry in ICS – incident response. IT + OT = DoS attacks inside ICS networks.
  13. RANSOMWARE ATTACKS: MOST POPULAR RANSOMWARE IN ICS. % of ICS computers attacked by ransomware, according to KSN attack statistics.
  14. ADVANCED PERSISTENT (and other) THREATS
  15. THE NATURE OF THE THREAT. Threat pyramid: 90% traditional cybercrime; 9.9% targeted attacks / advanced persistent threats (targeted threats to organizations); 0.1% cyber-weapons. OUR DAY-TO-DAY RESEARCH: 310 000 new threats per day; we discover and prevent > 300 000 new threats a day.
  16. OUR DAY-TO-DAY RESEARCH: We discover and dissect the world's most sophisticated threats. Timeline 2010-2016: Stuxnet, Duqu, Flame, Gauss, miniFlame, RedOctober, Miniduke, TeamSpy, NetTraveler, Winnti, Kimsuky, Icefog, Careto / The Mask, Energetic Bear / Crouching Yeti, Epic Turla, CosmicDuke, Darkhotel, Regin, Sofacy, Carbanak, Desert Falcons, Equation, Naikon, Hellsing, Animal Farm, Duqu 2.0, MsnMM Campaigns, Satellite Turla, Wild Neutron, Blue Termite, Spring Dragon, Metel, Adwind, Lazarus, Lurk.
  17. OUR DAY-TO-DAY RESEARCH: We discover more targeted attacks and APTs than the rest of the industry. 25% of all the APTs found by KL in 2016 were targeting industrial companies. >100 private reports delivered in 2016.
  18. 18. ICS VULNERABILITIES
  19. OT vs IT: SCADA vs OS vs OTHER IT VULNERABILITIES. Vulnerabilities used by well-known ICS-relevant campaigns:
      STUXNET • CVE-2010-2729, MS10-061 (Print Spooler, RCE, privilege escalation) • CVE-2010-2568, MS10-046 (LNK vulnerability, RCE) • MS08-067 (RPC in network folders) • MS10-073 (win32k.sys privilege escalation)
      ENERGETIC BEAR • CVE-2011-0611 (Adobe Flash exploit) • CVE-2013-2465, CVE-2013-1347, CVE-2012-1723 (Java 6/7, IE 7/8; watering hole on web sites)
      WANNACRY / EXPETR • CVE-2017-0144, MS17-010 (SMB v1)
      BLACKENERGY2 • CVE-2014-4114, MS14-060 (Windows OLE RCE exploit) • CVE-2014-0751 (GE CIMPLICITY, directory traversal vulnerability)
  20. KL ICS CERT VULNERABILITY RESEARCH: 100+ 0-days discovered by KL ICS CERT and reported to ICS vendors. KASPERSKY ICS CERT
  21. OT vs IT: ICS VULNERABILITY PATCH TRACKING/ANALYSIS. % of vulnerable ICS according to KSN statistics (EXAMPLE).
  22. STATISTICS
  23. ICS THREAT STATISTICS: % of ICS attacked, Germany compared to the European region (2017 H1 vs. H2)
  24. 24. ICS THREAT STATISTICS Sources of infection: Germany compared to Ukraine (2017 H1 vs. H2)
  25. 25. ICS THREAT STATISTICS Sources of infection: Internet
  26. 26. ICS THREAT STATISTICS Sources of infection: email clients
  27. 27. ICS THREAT STATISTICS Sources of infection: removable media
  28. 28. ICS THREAT STATISTICS Sources of infection: removable media
  29. KASPERSKY ICS CERT: INDUSTRIES UNDER ATTACK IN 2017 – WORLD-WIDE. % of ICS computers attacked, according to KSN statistics.
  30. TARGETED ATTACK ANALYSIS: targeted phishing attack. KASPERSKY ICS CERT
  31. TARGETED ATTACK ANALYSIS: infected supply chain. KASPERSKY ICS CERT
  32. TARGETED ATTACK ANALYSIS: Business Email Compromise attack (5 scenarios). A UAE company's corporate email database… …for $99. KASPERSKY ICS CERT
  33. OT vs IT: BUSINESS EMAIL COMPROMISE. Stages: INFECTION → INSPECTION → TRANSACTION HIJACK → MONEY TRANSFER
  34. TARGETED ATTACK ANALYSIS: Finance? … but (probably) not only… KASPERSKY ICS CERT
  35. ICS THREAT DISCOVERY: ICS-targeted spear-phishing campaign, affected industries. KASPERSKY ICS CERT
  36. 36. HONEYPOTS
  37. CYBER-PHYSICAL ATTACK VECTORS: ENERGY. Kaspersky Lab Study 2015: Digital Substation. WHEN: OCTOBER 2015. WHERE: MOSCOW. TARGET: penetration testing of a 500 kV substation model. § Equipment and configuration equal to the real-world substation § Cyber security settings hardened § 4 security expert teams competing in a CTF competition § Goal: to demonstrate ways to do damage to the physical world.
  38. CYBER-PHYSICAL ATTACK VECTORS: ENERGY. Kaspersky Lab Study 2015: Digital Substation. Identified attack vectors against RTUs and protection terminals: § Multiple IEC 61850 (MMS/GOOSE) and SIEMENS DIGSI architecture and implementation vulnerabilities exploited § Circuit protection logic turned off, terminal firmware changed, three 0-days found § 2 out of 8 terminals damaged (bricked) § Multiple unauthorized power cell operations. PHYSICAL: FIRST SHORT CIRCUIT IN 3 HOURS, 2 TERMINALS BRICKED.
  39. CYBER-PHYSICAL ATTACK VECTORS: ENERGY. Kaspersky Lab Study 2016: Micro Grid. Infrastructures: • Hydro Power Plant • High Voltage Substation 110 kV • Distribution Substation 10 kV • Solar Power Station • Other equipment. Hardware: • RuggedCom & Hirschmann • S7-1500, Siprotec 4 • PLC modem, NTP, Wi-Fi, etc.
  40. CYBER-PHYSICAL ATTACK VECTORS: ENERGY. Kaspersky Lab Study 2016: Micro Grid
  41. CYBER-PHYSICAL ATTACK ANATOMY. Cyber sabotage scenario modeling / analysis. INCIDENT OBJECT: gasoil discharge terminal. TARGET: get access to the ICS network, get control over the process, find ways to break the process / do physical damage. Attack steps to gain control over terminal facilities to destroy equipment and/or break the process, with modeled durations: Get access to industrial network (0.5-48 hours) → Reconnaissance (1-4 hours) → Get access to SCADA and PLC + get the password (0.5-6 hours) → Create modified PLC programs (1-24 hours) → Deliver modified logic to target PLCs (0.5-2 hours) → Emergency alarm.
  42. 42. AWARENESS EDUCATION COLLABORATION
  43. SECURITY AWARENESS & TRAINING SERVICES. Diagram of network zones (PLC Fieldbus, Control Network, SCADA/DCS Network, Plant DMZ Network, Office Network, Internet) with PLCs and SCADA hosts, and the infection vectors drawn against them: infected USB keys, infected PLC logic, infected laptops, insecure wireless, bad access rules, insecure remote support, insecure Internet connection.
  44. MIT THINK SECURITY: Industrial Cyber Security workshop 2016
  45. OT vs IT: BERKELEY Industrial Cyber Security workshop, Oct 2017
  46. ICS GOVERNANCE ANALYSIS 2016: CIP cybersecurity governance maturity for countries around the globe
  47. 47. COLLABORATION: INDUSTRIAL AUTOMATION VENDORS
  48. 48. COOPERATION WITH RECOGNIZED INDUSTRY DRIVERS
  49. 49. ics-cert.kaspersky.com
  50. 50. Kaspersky Lab ICS CERT ics-cert.kaspersky.com www.kaspersky.com
