ICS case studies v2

Implementing security for ICS (from FireEye)

Published in: Devices & Hardware
  1. Case Studies: Industrial Control Systems. Dan Scali, Manager – Industrial Control Systems, Mandiant Security Consulting Services. Copyright © 2014, FireEye, Inc. All rights reserved.
  2. ICS security threats. Network layers (diagram): Enterprise/IT; Plant DMZ; SCADA/ICS Control (SCADA, Historian, HMI); PLCs, Controllers, RTUs, PACs. Threat vector: attacks on the enterprise. Threat vector: attacks on ICS/SCADA systems and devices.
  3. Case studies. Building a comprehensive program: how an ICS operator used Mandiant Security Consulting Services to build an IT/OT cyber security program. Defending the SCADA and field-level devices: how an ICS operator used passive network monitoring to identify SCADA network configuration flaws.
  4. Case Study: Building a cyber security program.
  5. The challenges (table: challenge, business imperative, implications).
     - Maintain compliance. Business imperative: transition from NERC CIP v3 to NERC CIP v5. Implications: 10-20k serial assets coming into scope for NERC CIP; requires coordination across OT & IT.
     - Resist targeted attacks. Business imperative: detect, respond to, and contain incidents impacting grid assets. Implications: the integrated SOC will need visibility into grid assets; IR processes and technologies must be adapted for the control system environment.
     - Support reliability. Business imperative: IT/OT convergence and the next-generation grid. Implications: legacy control systems technology will be replaced; connectivity and exposure of power systems will increase.
  6. FireEye's solution: program strategy. Mission: to support the reliable operation of the bulk electric system in accordance with legal and regulatory responsibilities by preventing, detecting, and responding to cybersecurity incidents. Program pillars: Governance, Technology, Operations. Stakeholders: Transmission & Distribution, Cybersecurity, Power Systems IT. Key functions and activities: policy; compliance; training; asset inventory; metrics; new projects; technical standards; evaluation and procurement; external working groups; maintenance; incident response; vulnerability and patch management.
  7. Sample roadmap (figure).
  8. Sample heatmap (figure).
  9. Sample project plan (figure).
  10. Case Study: Protecting the SCADA.
  11. The challenge. The customer had invested heavily in a network segmentation and firewall configuration effort and needed a way to validate that: no connections were possible directly from the business network to the SCADA network; SCADA was not able to communicate with the internet.
  12. The solution: FireEye PX. Ultrafast packet capture, up to 20 Gbps sustained in a single appliance, allows for aggregation and cost savings. Internal or external storage options (FC or SAS). Ultrafast search: patented tiered indexing system (search TBs in seconds). Session analysis: full reconstruction of web, email, DNS and FTP traffic. File extraction. User extensible. Industry-standard PCAP format for capture data. Export of index data in NetFlow v9 or IPFIX format.
  13. PX deployment options (diagram): three topologies, each with Enterprise Network – Firewall/DMZ – Switch – ICS Router, and NX plus PX (Pivot2Pcap) fed from a Tap (out-of-band), a SPAN port, or an inline Tap.
  14. Results. 15 minutes of network traffic capture data revealed: traffic direct from the business network to the SCADA zone; external DNS requests; potential multi-homed devices; limited segmentation between SCADA zones.
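The segmentation checks from slides 11 and 14 (business-to-SCADA flows, SCADA reaching the internet or external DNS, and a heuristic for multi-homed devices) can be run over the NetFlow/IPFIX-style index export the deck mentions. The script below is an added example, not FireEye's or the customer's code; the zone subnets, MAC addresses and flow records are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed zone addressing (constructed for this example; substitute the real ranges).
ZONES = {
    "business": ip_network("10.1.0.0/16"),
    "dmz": ip_network("10.2.0.0/24"),
    "scada": ip_network("10.3.0.0/24"),
}

# Constructed flow records in the shape of a NetFlow/IPFIX export:
# (source MAC, source IP, destination IP, destination port, protocol)
FLOWS = [
    ("aa:aa:aa:00:00:01", "10.1.5.20", "10.2.0.10", 443, "tcp"),  # business -> DMZ: allowed
    ("aa:aa:aa:00:00:01", "10.1.5.20", "10.3.0.15", 502, "tcp"),  # business -> SCADA (Modbus): violation
    ("bb:bb:bb:00:00:02", "10.3.0.15", "10.2.0.53", 53, "udp"),   # SCADA -> DMZ resolver: allowed
    ("bb:bb:bb:00:00:02", "10.3.0.15", "8.8.8.8", 53, "udp"),     # SCADA -> external DNS: violation
    ("cc:cc:cc:00:00:03", "10.3.0.40", "10.3.0.15", 502, "tcp"),  # SCADA internal: allowed
    ("cc:cc:cc:00:00:03", "10.1.7.9", "10.2.0.10", 80, "tcp"),    # same MAC sourcing a business IP
]

def zone_of(ip):
    """Map an address to a named zone; anything outside the known ranges is 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def find_violations(flows):
    """Return (finding, subject, peer, port) tuples for flows that break the segmentation policy."""
    findings = []
    zones_by_mac = defaultdict(set)
    for mac, src, dst, dport, _proto in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        zones_by_mac[mac].add(src_zone)
        if src_zone == "business" and dst_zone == "scada":
            findings.append(("business-to-scada", src, dst, dport))
        if src_zone == "scada" and dst_zone == "external":
            kind = "scada-external-dns" if dport == 53 else "scada-to-internet"
            findings.append((kind, src, dst, dport))
    # Heuristic: one interface sourcing addresses in two zones suggests a dual-addressed
    # (multi-homed) host. A host with two separate NICs needs other evidence, e.g. hostnames.
    for mac, zones in zones_by_mac.items():
        if len(zones) > 1:
            findings.append(("possible-multi-homed", mac, "/".join(sorted(zones)), None))
    return findings

if __name__ == "__main__":
    for finding in find_violations(FLOWS):
        print(finding)
```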
  15. Incident response workflow. Detect: the FireEye threat prevention platform (NX, EX, FX, or AX) detects a threat and generates an alert with a detailed OS change report. Validate and contain (HX): the OS change report is sent to the HX appliance, which generates an indicator and pushes it to the endpoint agent; the operator can contain and isolate the compromised endpoint by blocking all traffic with a single-click workflow while continuing the investigation, and the analyst can view a detailed exploit timeline from the endpoint to better understand the attack. Forensics analysis (PX): the analyst pivots to PX with the IP address and time of infection to reconstruct the kill chain before, during and after, determining the scope and impact of the threat from captured packets.
  16. Questions?
