Slide 2: Convergence of IT and Traditional OT
What was air gapped and proprietary is now connected and general purpose.
In the past, they were …
• Isolated from IT
• Run on proprietary control protocols
• Run on specialized hardware
• Run on proprietary embedded operating systems
• Connected by copper and twisted pair
Now they are …
• Bridged into corporate networks
• Riding on common internet protocols
• Running on general purpose hardware with IT origins
• Running mainstream IT operating systems
• Increasingly connected to wireless technologies
Slide 3: Typical SCADA Components are Vulnerable
Domain-specific technologies: Many technologies require specialized knowledge of industrial control systems technology & communications. Enterprise IT security technologies are not ICS-aware.
Operational Technology deficiencies: PLCs and RTUs are computers with limited computational resources, built for controlling physical components such as valves, pumps, motors, etc.
• Lack of authentication
• Lack of encryption
• Backdoors
• Buffer overflow
• Tailored attacks on physical control components
Slide 5: ICS Cybersecurity: Making the Headlines
A Worm in the Centrifuge - Stuxnet (30 Sept. 2010)
“An unusually sophisticated cyber-weapon is mysterious but important. A new software ‘worm’ called Stuxnet …”
A Cyberattack Has Caused Confirmed Physical Damage (30 Sept. 2015)
“Massive damage by manipulating and disrupting control systems at German steel mill.”
U.S. Finds Proof: Cyberattack on Ukraine Power Grid (3 Feb. 2016)
“Almost immediately, investigators found indications of a malware called BlackEnergy.”
Industroyer: A Cyberweapon can disrupt Power Grids (12 June 2017)
“Hackers allied with the Russian government have devised a cyberweapon that has the potential to be the most disruptive yet against electric systems that Americans depend on for daily life, according to U.S. researchers.”
The Ukraine’s Power Outage Was a Cyber Attack (18 Jan. 2017)
“A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers.”
Hackers halt plant operations in watershed cyberattack (15 Dec. 2017)
“Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.”
Triton: hackers take out safety systems in 'watershed' attack on energy plant (15 Dec. 2017)
“Sophisticated malware halts operations at power station in unprecedented attack which experts believe was state-sponsored.”
Slide 6: Top Threat Vectors for OT - 2017 SANS Survey
Survey question: What are the top three threat vectors you are most concerned with? Rank the top three, with “First” being the threat of highest concern.
(Horizontal bar chart, 0% to 40%, each bar split into First / Second / Third rankings. Categories shown:)
• Other
• Industrial espionage
• Internal threat (intentional)
• External threats (supply chain or partnerships)
• Integration of IT into control system networks
• Malware families spreading indiscriminately
• Phishing scams
• Extortion, ransomware or other financially…
• External threats (hacktivism, nation states)
• Internal threat (accidental)
• Devices and “things” (that cannot protect…
Source: SANS: The 2017 State of Industrial Control System Security, July 2017
Slide 7: 2017 SANS Survey: Security Technologies In Use
Survey questions: What security technologies or solutions do you currently have in use? What new technologies or solutions would you most want to add for control system security in the next 18 months?
(Horizontal bar chart, 0% to 90%, each bar split into In Use / Planned. Categories shown:)
• Anti-malware/Antivirus
• Access controls
• Assessment and audit
• User and application access controls
• Monitoring and log analysis
• Vulnerability scanning
• Security awareness training for staff,…
• Asset identification and management
• Control system network security monitoring…
• Industrial intrusion prevention systems (IPS)
• Industrial intrusion detection systems (IDS)
Source: SANS: The 2017 State of Industrial Control System Security, July 2017
Slide 8: Capabilities Required of an Integrated Solution
• Rapidly Detect Cybersecurity Vulnerabilities, Threats and Incidents
• Reduce Troubleshooting and Remediation Efforts
• Quickly Recognize and Remediate Operational Anomalies
• Track Industrial Assets and Corresponding Cybersecurity Risks
• Deploy at Enterprise Scale with Proven Performance
• Centrally Supervise and Monitor Distributed Networks
Slide 11: Comprehensive Security for ICS
(Architecture diagram: a corporate network with SIEM, SOC, corporate firewall, remote access, historian, firewall, DNS and Internet (www) connectivity, feeding Site #1, Site #2 … Site #N, each with a local SCADA & HMI layer above its PLCs and RTUs.)
Reference levels shown in the diagram:
• Level 4: Production Scheduling
• Level 3: Production Control
• Level 2: Plant Supervisory
• Level 1: Direct Control
• Level 0: Field Level
Selected threats detected:
• Monitoring of remote access connection to networks
• Connection to Internet / corporate network DMZ
• MITM & Scanning Attacks (Port, Network)
• Unauthorized cross level communication
• IP conflicts
• Weak passwords (FTP / TFTP / RDP / DCERPC)
• Traffic activity summaries
• Bad configurations (NTP / DNS / DHCP / etc.)
• Network topologies
• Used ports of assets
• Unencrypted communications (Telnet)
• Insecure Internet connections
• Anomalous protocol behavior
• Online edits to PLC projects
• Communication changes
• Configuration downloads
• New assets in the network
• Non-responsive assets
• Corrupted OT packets
• Firmware downloads
• Logic changes
• Authentication to PLCs
• PLC actions (Start, Stop, Monitor, Run, Reboot, Program, Test)
• Fieldbus I/O monitoring
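Three of the detections listed on this slide (new assets in the network, unauthorized cross-level communication, and cleartext protocols such as FTP, Telnet and TFTP) can be derived purely from passive observation of flow records. The following is an added example written for this page; it is not Nozomi Networks or Fortinet code and does not use either product's API. It assumes a constructed mapping of subnets to Purdue levels and a constructed list of flows (source, destination, TCP destination port). A learning phase records which addresses are known; the monitoring phase then raises an alert for each unseen address, for any conversation that skips a level (for example a Level 4 host talking directly to a Level 1 PLC), and for any flow to a cleartext-protocol port.

```python
"""Passive ICS flow analysis (added example; constructed data, no vendor API)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed Purdue-level assignment per subnet. A real deployment would
# configure or learn this; the addresses here are illustrative only.
ZONE_LEVELS: Dict[str, int] = {
    "10.4.0.0/16": 4,  # Level 4: production scheduling / enterprise
    "10.3.0.0/16": 3,  # Level 3: production control (historian)
    "10.2.0.0/16": 2,  # Level 2: plant supervisory (local SCADA & HMI)
    "10.1.0.0/16": 1,  # Level 1: direct control (PLCs, RTUs)
}
_NETWORKS = [(ipaddress.ip_network(n), lvl) for n, lvl in ZONE_LEVELS.items()]

# Cleartext protocols named on the slide, keyed by well-known TCP/UDP port.
CLEARTEXT_PORTS: Dict[int, str] = {21: "FTP", 23: "Telnet", 69: "TFTP"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def level_of(ip: str) -> int:
    """Return the Purdue level of an address, or -1 if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for net, lvl in _NETWORKS:
        if addr in net:
            return lvl
    return -1


def learn_baseline(flows: List[Flow]) -> Set[str]:
    """Learning phase: every address observed becomes a known asset."""
    known: Set[str] = set()
    for f in flows:
        known.update((f.src, f.dst))
    return known


def analyze(flows: List[Flow], known_assets: Set[str]) -> List[dict]:
    """Monitoring phase: one alert dict per finding. Traffic is never modified."""
    alerts: List[dict] = []
    seen = set(known_assets)
    for f in flows:
        # New asset: an address that was not present during learning.
        for ip in (f.src, f.dst):
            if ip not in seen:
                alerts.append({"type": "new_asset", "asset": ip})
                seen.add(ip)
        # Cross-level: Purdue traffic should only cross adjacent levels, so a
        # difference greater than one level is unauthorized cross-level traffic.
        src_lvl, dst_lvl = level_of(f.src), level_of(f.dst)
        if src_lvl >= 0 and dst_lvl >= 0 and abs(src_lvl - dst_lvl) > 1:
            alerts.append({"type": "cross_level", "src": f.src, "dst": f.dst,
                           "levels": (src_lvl, dst_lvl)})
        # Cleartext protocol: credentials and commands exposed on the wire.
        if f.dport in CLEARTEXT_PORTS:
            alerts.append({"type": "cleartext_protocol", "src": f.src, "dst": f.dst,
                           "protocol": CLEARTEXT_PORTS[f.dport]})
    return alerts


# Constructed sample traffic. Learning phase: HMI polls a PLC over Modbus/TCP,
# historian reads from the HMI.
BASELINE_FLOWS = [
    Flow("10.2.0.10", "10.1.0.5", 502),
    Flow("10.3.0.20", "10.2.0.10", 44818),
]
# Monitoring phase: normal poll, an enterprise host reaching a PLC directly,
# a Telnet login to the PLC, and a previously unseen device on Level 1.
MONITORED_FLOWS = [
    Flow("10.2.0.10", "10.1.0.5", 502),
    Flow("10.4.0.77", "10.1.0.5", 502),
    Flow("10.2.0.10", "10.1.0.5", 23),
    Flow("10.1.0.9", "10.1.0.5", 502),
]


def run_example() -> List[dict]:
    """Learn from the baseline, then analyze the monitored flows."""
    return analyze(MONITORED_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The level check is deliberately structural rather than signature-based: it needs no knowledge of the payload, only of which zone each endpoint belongs to, which is why it still fires for traffic on a perfectly legitimate-looking Modbus port.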
Slide 12: SCADAguardian with FortiGate
Proactive SCADA Security:
• Behavioral Analysis: automatically learns ICS behavior and detects suspicious activities
• Deep SCADA Understanding: deep understanding of all key SCADA protocols, open and proprietary
• Non-intrusive Passive Monitoring: real-time passive monitoring guarantees no performance impact and permits visibility at different layers of the Control and Process Networks
Security Policy Enforcement:
• Flexibility to enforce security policies with different degree of granularity
• Active Traffic Control: proactive filtering of malicious and unauthorized network traffic
• In-line Protection: in-line separation between IT and OT environments
• Turn-key Internal and Perimeter Visibility
• Fine Tuning, Control and Monitoring of the Firewall Ruleset
Slide 13: Fortinet / Nozomi Networks Integrated Solution
Full Protection, Visibility and Monitoring Thanks to Nozomi Networks and Fortinet
• The Nozomi Networks solution passively monitors the network, thus not affecting the performance of the control system.
• The appliance is connected to the system via a SPAN or mirror port on a switch.
(Diagram of the monitored process: valve, fan, pump.)
Slide 14: Responding to Threats in Real Time
1. Monitor: A threat is detected by SCADAguardian and an alert is generated.
2. Detect: User-defined policies are examined and the appropriate corresponding action is triggered.
3. Protect: FortiGate responds according to the user-configured action (Node Blocking, Link Blocking, or Kill Session) in order to mitigate the issue.
(Diagram of the monitored process: valve, fan, pump.)
Slide 15: Three Use Case Scenarios: Blocking Attack Vectors
1. Blocking Reconnaissance Activity
• New unknown node joins trusted control network (or process network)
• SCADAguardian detects it and triggers alert to FortiGate
• FortiGate enforces policy and blocks node from all access
2. Blocking Unauthorized Activity
• Node in trusted networks issues a command to reprogram a PLC
• SCADAguardian detects anomaly and triggers alert to FortiGate
• FortiGate enforces policy and blocks communication
3. Blocking Advanced Malware or Zero Day Attack
• SCADA Master changes process in subtle way towards a critical state
• SCADAguardian detects anomaly and triggers alert for FortiGate
• FortiGate enforces policy and blocks SCADA Master from all access
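The Monitor / Detect / Protect flow of slide 14 and the three use cases above share one shape: an alert from the passive monitor is matched against a user-defined policy, and the policy names one of the three enforcement actions (Node Blocking, Link Blocking, Kill Session). The block below is an added example illustrating that flow for both slides; it is not Nozomi Networks or Fortinet code, and the `EnforcementRule` it emits is a hypothetical stand-in for whatever a real firewall integration would push. It also includes a small detector for the third use case, flagging a setpoint that creeps monotonically toward a critical limit, with all readings and addresses constructed for the example.

```python
"""Alert -> policy -> enforcement action (added example; hypothetical rule format)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    """The three user-configurable actions named on slide 14."""
    NODE_BLOCK = "Node Blocking"     # block the offending node from all access
    LINK_BLOCK = "Link Blocking"     # block only the src<->dst conversation
    KILL_SESSION = "Kill Session"    # tear down one active session


@dataclass(frozen=True)
class Alert:
    kind: str            # e.g. "new_node", "plc_reprogram", "process_anomaly"
    src: str             # address the alert is attributed to
    dst: Optional[str] = None


@dataclass(frozen=True)
class EnforcementRule:
    """Hypothetical enforcement record; not a real firewall API object."""
    action: Action
    src: str
    dst: Optional[str]   # None when the whole node is blocked


# User-defined policies: which action each alert kind triggers. These follow
# the three use cases on slide 15; an alert kind with no policy is logged only.
POLICIES: Dict[str, Action] = {
    "new_node": Action.NODE_BLOCK,         # unknown node: block from all access
    "plc_reprogram": Action.LINK_BLOCK,    # reprogram command: block that link
    "process_anomaly": Action.NODE_BLOCK,  # SCADA master misbehaving: block it
}


def enforce(alert: Alert, policies: Dict[str, Action] = POLICIES) -> Optional[EnforcementRule]:
    """Step 2 of slide 14: look up the policy and build the action to apply."""
    action = policies.get(alert.kind)
    if action is None:
        return None  # no policy: alert stays visible to the operator, no block
    # Node blocking covers every conversation of the node, so dst is dropped.
    dst = None if action is Action.NODE_BLOCK else alert.dst
    return EnforcementRule(action, alert.src, dst)


def detect_drift(readings: List[float], critical: float,
                 window: int = 4, margin: float = 10.0) -> bool:
    """Use case 3: does the setpoint creep monotonically toward `critical`?

    Flags when the last `window` readings all move in the direction of the
    critical value and the latest reading is within `margin` of it. A single
    step to the limit or random jitter does not qualify; a slow, steady push does.
    """
    if len(readings) < window:
        return False
    recent = readings[-window:]
    direction = 1.0 if critical >= recent[0] else -1.0
    creeping = all((b - a) * direction > 0 for a, b in zip(recent, recent[1:]))
    near = abs(critical - recent[-1]) <= margin
    return creeping and near


# Constructed inputs for the three scenarios.
UNKNOWN_NODE = Alert("new_node", src="10.1.0.99")
REPROGRAM_CMD = Alert("plc_reprogram", src="10.2.0.10", dst="10.1.0.5")
SCADA_MASTER = "10.2.0.1"
CRITICAL_PRESSURE = 60.0
# Pressure setpoint written by the SCADA master, sampled over time (constructed).
SETPOINT_TRACE = [50.0, 50.0, 51.0, 52.0, 53.0, 54.0]


def run_scenarios() -> List[Optional[EnforcementRule]]:
    """Run all three use cases and return the enforcement rule for each."""
    results = [enforce(UNKNOWN_NODE), enforce(REPROGRAM_CMD)]
    if detect_drift(SETPOINT_TRACE, CRITICAL_PRESSURE):
        results.append(enforce(Alert("process_anomaly", src=SCADA_MASTER)))
    else:
        results.append(None)
    return results


if __name__ == "__main__":
    for rule in run_scenarios():
        print(rule)
```

Keeping the policy table separate from the detectors is what makes the action user-configurable: an operator who prefers Kill Session for the reprogram case changes one entry rather than the detection logic.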
Slide 21: Nozomi Networks: Leading ICS Cybersecurity
• FOUNDED: Since Oct 2013, ~$24m invested
• DEVICES: +200,000 monitored
• CUSTOMERS: +200 global installations
• SERVING VERTICALS
Editor's Notes
SCRIPT:
…”BUT DON’T TAKE OUR WORD FOR IT. LISTEN TO ICS STAKEHOLDERS ACROSS THE GLOBE”