
The 4horsemen of ics secapocalypse

What are the myths and legends around securing Industrial Control Systems? This short presentation walks through some day-to-day experiences with the problems, risks and fairy tales around securing ICS. Reading it should prompt you to start doing some homework....


  1. “The four horsemen of the ICS security apocalypse”. Christiaan Beek, Director of Incident Response & Forensics EMEA
  2. What to expect
     - Intro
     - ICS security a myth?
     - The Four Horsemen
     - Wrap-up
     - Questions?
     Thanks @Beaker for approving the title of this presentation
  3. Foundstone: Foundstone Services – McAfee Strategic Security
  4. McAfee Cyber Defense Center: Incident Response, Training, Advanced Malware Analysis, Strategic Services/Assessments, Contextual Threat Intelligence, SCADA assessments, Mobile Forensics, Computer Forensics. McAfee CDC in Dubai
  5. Forensics and IR Lead for EMEA: Christiaan Beek
     - Digital Forensics: As an Enterprise Architect on the Foundstone Services team, Christiaan is the head of and practice lead for the Incident Response and Forensics services team in EMEA. He has performed numerous forensic investigations covering system compromise, theft, child pornography, malware infections, Advanced Persistent Threats (APT) and mobile devices. He has also served as an expert witness for the Dutch Department of Justice in high-profile investigations and led a team of computer forensics specialists assisting police with evidence recovery.
     - Vulnerability Assessment and Network Penetration Testing: Since 2000 Christiaan has been performing security assessments and penetration testing for companies in almost every industry.
     - Risk Assessment and Policy Development: With extensive experience in PCI-DSS, Christiaan has assisted numerous international clients in banking, insurance and government with their risk management strategy. As the Security Officer of the largest water company in the Netherlands, he developed IT security policies for both the data and SCADA networks.
     - Foundstone Education: Christiaan is the author and lead instructor of the class ‘Malware Forensics and Incident Response’ (MFIRE).
     - Hacking Exposed book: Christiaan co-authored the APT chapter in the new Hacking Exposed 7 book.
     Our Incident Response Team
     - Most of the first responders have more than a decade of experience
     - Many of them have participated in law enforcement investigations
     - Our consultants write articles for digital forensics magazines and well-known security e-publications
     - We teach forensics and malware analysis to governments and at globally known conferences like…
     - We participate in
  6. ICS Security….. March 6
  7. The Four Horsemen of the Apocalypse are described in the Book of Revelation. The four riders are seen as symbolizing and representing the following powers:
     - War
     - Famine
     - Death
     - Pestilence
  8. Horseman #1:
  9. War: IT departments. Corporate IT, Production IT
  10. War: Last 6 months.. (ranked by position, 1 to 5)
     - Country: 1 KSA, 2 Iran, 3 Egypt, 4 UAE, 5 Turkey
     - Vertical: Government, Oil & Gas, Financials, Telco, ISP
     - Attack types: DDoS, SQL injection, Defacements, Targeted malware, Account hijacking
  11. Horseman #2:
  12. Famine: Priorities
     - ICS/SCADA perspective: Availability, Integrity, Confidentiality
     - IT perspective: Confidentiality, Integrity, Availability
  13. Famine: Incident Response
     - Handling incidents in an ICS environment is different
     - Forensics can be challenging
     - Where’s the evidence data?
     - Different OS & applications than corporate
  14. Famine: People & Education
     - Lack of skilled, experienced and passionate people
     - Not a lot of good education around
     - Only a few good books out there
  15. Famine: sigh….. Some still don’t get it, so once and for all: BASE64 is NOT encryption!
  16. Horseman #3:
  17. An Intel company
  18. Your ICS vendor, to us: “The MS09-XX patch cannot be applied for the next two years on our product…. Kind regards, your ICS vendor”
  19. Horseman #4:
  20. Easiness of attack: SCADA networks are attached to the corporate network or Internet. Exploiting the systems is becoming easy… Background & S7 example: project IRAM –
  21. Researchers focus more on exploits. Still many firmware updates contain username & pwd in cleartext….
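Slides 15 and 21 make one point: a credential shipped in a firmware or configuration package is exposed whether it is cleartext or merely base64-encoded. The following Python is an added example, not from the presentation, that audits a constructed config fragment for credential keys and reports whether each value is stored in cleartext or as base64, decoding the latter to show the secret is recoverable; the key names, regex and sample data are assumptions made for this example.

```python
import base64
import binascii
import re

# Constructed sample resembling a config fragment shipped inside a firmware
# update; hosts and credentials are made up for this example.
SAMPLE_FIRMWARE_CONFIG = b"""
[hmi]
host=hmi-01.plant.example
username=operator
password=Summer2013!
[historian]
user=svc_hist
pass=c2VjcmV0UGFzc3dvcmQ=
token=ZmFrZXRva2Vu
"""

# Assumed set of credential-looking keys: key=value, one per line.
CREDENTIAL_KEYS = re.compile(
    rb"^\s*(user(?:name)?|pass(?:word|wd)?|secret|token)\s*=\s*(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def try_base64(value: bytes):
    """Return decoded bytes if value is well-formed base64, else None."""
    if len(value) % 4 != 0 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def looks_like_text(data: bytes) -> bool:
    """True only if the bytes are printable ASCII (a plausible secret)."""
    try:
        return data.decode("ascii").isprintable()
    except UnicodeDecodeError:
        return False

def find_credentials(blob: bytes):
    """Return (key, secret, storage) per credential line found in blob.

    storage is 'base64' when the value decodes to printable text (and the
    decoded secret is returned), otherwise 'cleartext'. A word such as
    'operator' passes the base64 alphabet check but decodes to binary
    junk, so it is correctly reported as cleartext."""
    findings = []
    for key, value in CREDENTIAL_KEYS.findall(blob):
        decoded = try_base64(value)
        if decoded is not None and looks_like_text(decoded):
            findings.append((key.decode().lower(), decoded.decode(), "base64"))
        else:
            findings.append((key.decode().lower(), value.decode(), "cleartext"))
    return findings

if __name__ == "__main__":
    for key, secret, storage in find_credentials(SAMPLE_FIRMWARE_CONFIG):
        print(f"{key}: stored as {storage}, recoverable value {secret!r}")
```

Run the same scan over a vendor package before it reaches the plant network; a hit in either column is a finding to raise with the vendor, since base64 only changes how the secret is spelled.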
  22. Don’t give up!!!
  23. Initiatives
     - Many ICS vendors nowadays have a dedicated security team and are addressing vulnerabilities
     - Security vendors are partnering with ICS vendors to certify their products for the platforms used
  24. How is McAfee contributing? (Endpoint, Network and Data layers across three zones)
     - Corporate IT: Data: Enterprise Apps; Network: Ethernet, TCP/IP; Endpoint: Modern Computers (Windows, Linux, Mac)
     - SCADA: Data: SCADA, HMI; Network: Ethernet, Serial; Endpoint: Legacy Computers (Windows)
     - Device Network: Data: Ladder Logic; Network: Ethernet, Serial, Relays; Endpoint: Special Function (Embedded OS)
  25. McAfee is working with all major SCADA & ICS vendors to test, certify, and in many cases embed McAfee technology
  26. Product Acceptance & Certification: currently supported products per vendor, marked Cert’d or OEM
     - Integrity Control, Embedded Control, Device Control, HIPS, VirusScan Enterprise, AntiSpyware Enterprise, ePO, Rogue System Detection, McAfee Agent
     - Integrity Control, Embedded Control, Device Control
     - Embedded Control, Device Control, HIPS, ePO, Enterprise Security Manager, IPS
     - Integrity Control, Embedded Control, Device Control, HIPS, VirusScan Enterprise, AntiSpyware Enterprise, ePO, Rogue System Detection, McAfee Agent
     - VirusScan Enterprise, Embedded Control
     - Enterprise Security Manager, IPS
     - VirusScan Enterprise, Embedded Control
     Process Management Vendor: In October 2013, McAfee announced a partnership with Yokogawa
  27. Final thoughts…..
     - What is your outside footprint?
     - Do you know your critical assets? (they are not equal to a server or single system)
     - Who’s responsible for what?
     - When was your last assessment?
     - Be realistic and agree on what risk is accepted
     - What metrics do you use?