Application Whitelisting and DPI in ICS (English)

Rani Kehat of Elbit discusses Application Whitelisting and Deep Packet Inspection (DPI) used to protect ICS.

Published in: Technology


  1. Cyber security for ICS
     © 2014 by Elbit Systems | Elbit Systems Proprietary
     Lev – 1, Lev – 2, Lev – 3
     Rani Kehat CISSP, Director Marketing Intelligence & Cyber Solutions, Elbit Systems, Ran.kehat@elbitsystems.com
  2. Sitting by my computer screen
     White turns to Black, Black turns to White
     All just Shades of Grey
  3. ICS Protection – Application Whitelisting and DPI
  4. AIG – New Cyber Policy
     Will cover: physical damage, property, harm to people – not only "data breach".
     SecurityWeek, April 2014: "request especially from SCADA industrial power plants, but as they review applicants, they refused most of them…. that protection were inadequate"
     AIG is setting high demands? Or inadequate protection? Or both?
  5. Application White Listing
  6. What is What?
  7. What is AWL
     - Node-level protection against malware and unauthorized executables.
     - Scans the disk for executables and stamps each one with a hash (MD5, SHA1, SHA256…).
     - To each hash a security policy is attached: one policy for all nodes, or differentiated according to operational function.
     - Policy examples: file creation, trusted path, file integrity, execution control.
     - Hash to policy (diagram): executable file → hash → Rule A / Rule B → Run / Pending / Deny
  8. In two words… or more
     - Whitelisting – only allows the trusted good to run
     - Anti-virus – only stops known bad things from running
     - What about the rest?
     (Diagram: executable → run process / pending / not allowed; trusted / bad; A=B, B>C, C<D, D=C)
  9. AWL Protection – Benefits
     - Protection against unsigned malware.
     - Log audit on system instances, allowing greater visibility into data integrity and user accountability.
     - Endpoint security at driver level – USB, I/O, execute-only…
     - File rights management – access control and rights to folders and files.
     - Snapshot – gold image (baseline): configuration, inventory of files.
     - Proactive – only needed when software changes are made (can cut down patching, but does not mean you can stop altogether).
     - Change management – certificate, temporary policy for updates, trusted location, manual approval.
  10. Turning Grey to White
     - Trusted user
     - Trusted directory
     - Updater – an uplifted-privilege application, e.g. SCCM (System Center Configuration Manager)
     - Installer – using a hash DB
     - Publisher – using digitally signed applications
     - Binary – precompiled binary, registered by hash; interpreters
     - End-user notification
     - Grey app – run in restrictive mode: limited access to corporate data, no network access.
     Administering a whitelisting system is a key function that must be understood and planned.
  11. Turning Grey to White – Trusted Change
     Check as part of your IT operational best practice: TNO (Trust No One)
     - 3rd-party digital certificates (CRL)
     - IT department digital certificates
     - Periodically check your trusted sources
     - Integration with SIEM / security dashboard
     - New AWL policies during plant operation
     - Tools for rolling out policy changes to the entire system
     - Check performance impact on host and network
  12. Golden Image – for relatively static environments
     - Hardware from a secure supply chain
     - If possible, secure code review of executables with access to source.
     - Harden not only the application but hardware and drivers according to the chosen best practice.
     - Run in a staging environment ("sandbox mode"), i.e. using non-intrusive anomaly visibility tools for host and network, trying to simulate the real-time environment: users, applications, services, protocols, topology; boot up the machines.
     - Run observe mode at the staging site (lab) and perform policy discovery.
     - Pull your whitelist and check reputation.
     - Then the gold image is hashed.
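The hash-to-policy flow of slide 7, the trusted-directory rule of slide 10 and the observe-mode baselining of the golden image on this slide, worked through as an added Python example. This is not code from the deck or from any Elbit product; the directory layout, file names, file contents and the Run / Pending / Deny verdict names are constructed for the demo, and `Path.is_relative_to` (Python 3.9+) is used for the trusted-path check.

```python
# Added example, not code from the deck or from any product: a minimal
# hash-based application whitelist in the style of slides 7, 10 and 12.
#   observe()  - policy discovery: hash every executable in a golden image
#   decide()   - execution control: Run / Pending / Deny from the hash DB,
#                an explicit deny list and a trusted-directory rule, with an
#                audit line suitable for a SIEM
# File names, directory layout and contents below are constructed for the demo.
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll", ".sys", ".bin"}  # assumption: what counts as executable


def sha256_of(path):
    """Stamp a file with its SHA-256 (the deck lists MD5/SHA1/SHA256; SHA-256 chosen here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def observe(golden_root):
    """Observe mode on the staging/golden image: every executable found
    becomes a whitelist entry (hash -> policy 'Run')."""
    policy = {}
    for p in Path(golden_root).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            policy[sha256_of(p)] = "Run"
    return policy


def in_trusted_dir(path, trusted_dirs):
    """Trusted Directory rule: the file lives under an approved updater path."""
    p = Path(path).resolve()
    return any(p.is_relative_to(Path(d).resolve()) for d in trusted_dirs)


def decide(path, policy, trusted_dirs=(), deny_hashes=frozenset()):
    """Execution control. Precedence: explicit deny > known-good hash >
    trusted directory > grey (Pending: run restricted, ask the operator)."""
    digest = sha256_of(path)
    if digest in deny_hashes:
        verdict = "Deny"
    elif policy.get(digest) == "Run":
        verdict = "Run"
    elif in_trusted_dir(path, trusted_dirs):
        verdict = "Run"
    else:
        verdict = "Pending"
    # Audit record (slide 9): what ran, with which hash, from where.
    audit = f"awl verdict={verdict} sha256={digest[:16]}... path={path}"
    return verdict, audit


def demo():
    """Constructed scenario: a golden image, a trusted updater directory,
    an unknown download and a same-named but modified copy of a
    whitelisted binary (file integrity: the hash no longer matches)."""
    root = Path(tempfile.mkdtemp())
    golden, updates, dl = root / "golden", root / "updates", root / "dl"
    for d in (golden, updates, dl):
        d.mkdir()
    (golden / "hmi.exe").write_bytes(b"MZ constructed hmi v1")
    (updates / "patch.exe").write_bytes(b"MZ constructed vendor patch")
    (dl / "tool.exe").write_bytes(b"MZ constructed unknown tool")
    (dl / "hmi.exe").write_bytes(b"MZ constructed hmi v1 TAMPERED")

    policy = observe(golden)                        # baseline the golden image
    deny = frozenset({sha256_of(dl / "tool.exe")})  # e.g. failed the reputation check
    results = {}
    for f in (golden / "hmi.exe", updates / "patch.exe", dl / "tool.exe", dl / "hmi.exe"):
        verdict, audit = decide(f, policy, trusted_dirs=[updates], deny_hashes=deny)
        print(audit)
        results[f.relative_to(root).as_posix()] = verdict
    return results


if __name__ == "__main__":
    print(demo())
```

Observe mode is run once on the staging image and the resulting dictionary is the whitelist the nodes enforce. Anything that is neither a known hash, under a trusted updater path, nor explicitly denied lands in Pending, which is the grey class the deck says should run restricted and be surfaced to an operator; the tampered copy of hmi.exe shows why the hash, not the file name, is what the policy is keyed on.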
  13. AWL – What it does NOT do
     - Memory-based attacks – DLL injection, IAT (import address table) hooking
     - Interpreted code (JavaScript, JAR, Perl .pl, Python .py) – Conficker, Duqu
     - Text instructions can be stored anywhere: web pages, databases, project files, "tmp" files
     - Web interfaces in control systems are written in scripting languages (PHP, Perl…), very susceptible to injection attacks.
     - DDoS – bandwidth or application attacks
     - Does NOT prevent white application hijacking: corruption / theft of data, rogue commands to SCADA services, denial of service at the application and network level
     - Field-to-center threats – not at all
     - Field-to-field threats – not at all
  14. Shellshock – Bash Bug – Sep 2014
     Allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments.
  15. AWL + DPI
     - White application hijacking
     - Field-to-center threats
     - Field-to-field threats
     - DPI does not address authenticity, but anomaly.
     - An open database solution allows correlation with process data, alarm data and traditional IT products such as a SIEM solution.
     - Static and well-defined environment
  16. DNP3 – 2013
     - Send a request or command, or change the protocol stack, to drive the master station crazy. It makes no difference whether it is IP or native serial.
     - DPI whitelisting is relevant to the ICS environment.
     - Encryption is a bump in the wire; you may be encrypting the bad stuff.
  17. ICS – Multi-vendor environment
     - Modbus TCP/RTU/+
     - IEC 60870-5-101/104
     - MDLC / MDLC over IP
     - DNP3 / DNPi
     - Siemens Profinet/Profibus
     - Siemens Teleperm XP
     - Siemens TIM
     - GE UDH
     - Rockwell Automation DF1
     - C37.118 (Smart Grid Synchrophasor)
     - IEC 60870-6-503 (TASE.2)
     - IEC 61850 (GOOSE)
     - ICCP
     - And more…
     Very few logs on our SCADA data. Catch the crafted commands coming into your trusted application.
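Slides 15 to 17 describe DPI whitelisting as catching crafted commands that arrive over a legitimate, unauthenticated ICS protocol, based on anomaly against a static policy rather than on authenticity. The following is an added Python example, not code from the deck or from any product, that does this for Modbus/TCP (the first protocol in the list): it parses the MBAP header and PDU and checks source host, unit id, function code and write address against a constructed policy. Hosts, unit ids, register ranges and all request frames are constructed for the demo.

```python
# Added example, not code from the deck or from any product: protocol-aware
# whitelisting (DPI) for Modbus/TCP, the first protocol on slide 17. It parses
# the MBAP header and PDU, then checks source host, unit id, function code and
# write address against a static policy for a "static and well defined
# environment" (slide 15). Hosts, unit ids, register ranges and frames below
# are constructed for the demo.
import struct
from collections import namedtuple

Verdict = namedtuple("Verdict", "src unit func addr verdict reason")

# Constructed policy: which hosts may talk to which unit, with which function
# codes, and (for writes) into which holding-register range.
POLICY = {
    "10.1.1.10": {  # HMI: reads, plus writes to a narrow setpoint range
        "unit_ids": {1},
        "read_funcs": {1, 2, 3, 4},
        "write_funcs": {5, 6, 15, 16},
        "write_range": range(100, 110),
    },
    "10.1.1.20": {  # historian: read-only
        "unit_ids": {1},
        "read_funcs": {3, 4},
        "write_funcs": set(),
        "write_range": range(0),
    },
}


def parse_modbus_tcp(data):
    """Split a Modbus/TCP ADU into (transaction id, unit id, PDU).
    MBAP = transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1);
    the length field counts the unit id plus the PDU."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", data[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(data) - 6:
        raise ValueError(f"length field {length} does not match {len(data) - 6} bytes on the wire")
    return tid, unit, data[7:]


def inspect(src, data):
    """Whitelist decision for one request frame from source host `src`."""
    try:
        _, unit, pdu = parse_modbus_tcp(data)
    except ValueError as err:
        return Verdict(src, None, None, None, "ALERT", f"malformed frame: {err}")
    func = pdu[0]
    addr = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else None
    rule = POLICY.get(src)
    if rule is None:
        return Verdict(src, unit, func, addr, "ALERT", "source host not whitelisted")
    if unit not in rule["unit_ids"]:
        return Verdict(src, unit, func, addr, "ALERT", f"unit id {unit} not whitelisted for this host")
    if func in rule["read_funcs"]:
        return Verdict(src, unit, func, addr, "ALLOW", "read")
    if func in rule["write_funcs"]:
        if addr in rule["write_range"]:
            return Verdict(src, unit, func, addr, "ALLOW", "write within permitted range")
        return Verdict(src, unit, func, addr, "ALERT", f"write to address {addr} outside permitted range")
    return Verdict(src, unit, func, addr, "ALERT", f"function code {func} not whitelisted")


def demo():
    """Constructed request frames (hex): tid | pid | len | unit | fc | data."""
    frames = [
        ("10.1.1.10", "0001 0000 0006 01 03 0064 000a"),  # HMI reads 10 holding regs at 100
        ("10.1.1.10", "0002 0000 0006 01 06 0069 1234"),  # HMI writes reg 105
        ("10.1.1.10", "0003 0000 0006 01 06 01f4 0001"),  # HMI writes reg 500 (out of range)
        ("10.1.1.20", "0004 0000 0006 01 06 0064 0000"),  # historian tries to write
        ("10.1.1.99", "0005 0000 0006 01 03 0064 0001"),  # unknown host reads
        ("10.1.1.10", "0006 0000 0006 01 08 0001 0000"),  # HMI sends diagnostics (fc 8)
        ("10.1.1.10", "0007 0000 0020 01 03 0000 0001"),  # length field disagrees with payload
    ]
    results = [inspect(src, bytes.fromhex(hexstr)) for src, hexstr in frames]
    for r in results:
        print(f"{r.verdict:5} src={r.src} unit={r.unit} fc={r.func} addr={r.addr} ({r.reason})")
    return results


if __name__ == "__main__":
    demo()
```

Reads from a known host pass; writes pass only inside the permitted register range; anything from an unknown host, any function code outside the host's profile (here the diagnostics code) and any frame whose MBAP length field disagrees with the bytes on the wire raises an alert. That alert is the log the deck says SCADA data otherwise lacks, and it is raised on anomaly alone: the policy never asks whether the sender is who it claims to be.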
  18. AWL – DPI
     www.c4-security.com
     (architecture diagram, not recoverable from the transcript)
  19. To Summarize – Defense in Layers
     (Diagram: AWL, AWL, DPI, AWL – System, Network, Host)
  20. Thank You (ありがとう)
     Rani Kehat CISSP, Director Marketing Intelligence & Cyber Solutions, Elbit Systems, Ran.kehat@Elbitsystems.com
