A Case Study on Asset Baselining, Threat Detection, and Response - presented by Tim Watkins, Schweitzer Engineering Laboratories, and Matt Cowell, Dragos.
The webinar – now available on-demand at https://selinc.com/events/on-demand-webinar/126340/ – provides insights on baselining your operation, building cyber defense, and streamlining ongoing management. SEL and Dragos also shared a case study based on a recent joint effort to address key cybersecurity challenges at a mid-sized US electric utility.
Learn more about Dragos at https://dragos.com or follow us at https://twitter.com/dragosinc
Learn more about SEL cybersecurity at https://selinc.com/solutions/security-for-critical-infrastructure/ or follow us at https://twitter.com/SEL_news
2. Today’s Webinar
• Overview of energy control systems
• Holistic look at risk
• Importance of baselining and defense-in-depth security
• Dragos overview and case study
• SEL solution components
3. Power – The Most Critical of Critical Control Systems
4. Energy Flowing at the Speed of Light
• Detect and isolate energy system fault
• Respond and reconfigure alternate path or source
• Recover and restore energy flow
5. Growing Target
2018 Dragos Engagements
Electric industry contributed to 56% of all threat operations
37% of incident responses involved an initial intrusion vector dating back more than 365 days, i.e. over a year of adversary dwell time
6. Lack of Historical Data Makes It Difficult to Monetize and Prioritize Human Cyber Risk
Diagram: holistic risk spans natural, technical, human, environmental and operational risk, plotted by probability (low to high) against impact ($)
7. Baseline – What Is Normal?
30,000 SEL Devices Over Large Geographic Area
12. Case Study Background
• Mid-sized U.S. electric utility
• Generation, transmission, and distribution networks
• Control system manufacturer diversity
• Limited team for OT cybersecurity functions
• Network infrastructure that supports monitoring
• IT and OT SOC convergence
13. Case Study Objectives
Improve visibility of networked OT assets
Improve NERC CIP compliance functions
Better enable limited OT security team
Improve visibility of OT threats
14. Dragos Platform Architecture
• Passive network monitoring
• Sensor- and server-based system
• 16 distributed sensors
• Centralized monitoring
Diagram: sensors at hydro, gas, wind, solar and coal sites feed a central Dragos Platform Sitestore
15. Challenge 1 – Asset Visibility
Summary
• 30,000+ assets
• Vast volumes of data available
• Distribution across hundreds of miles
• Some physical network separation
17. Challenge 2 – Compliance
Summary
• NERC CIP
• High level of manual effort
• Lack of trusted partners
18. Solution 2 – Compliance
Discuss compliance pains
Establish credibility through industry-trusted partners
Address specific NERC CIP requirements through technology
19. Challenge 3 – Limited Personnel
Summary
• Small, dedicated team
• Varied experience levels
• Many different functions
• IT and OT SOC convergence
20. Solution 3 – Limited Personnel
Dragos team experience (leverage through technology)
Onsite assistance and ongoing support
Training (to empower existing team)
IR support escalation through retainer
21. Challenge 4 – OT Threat Awareness
Summary
Need better information sharing of industry-wide threats
Improve detection based on known TTPs and behaviors
Reduce amount of work analysts perform to validate alerts
Know how to respond to threats
23. Case Study Summary
• Many customers are facing similar challenges
• IT and OT teams are blending
• Solution requires combination of technology and personnel to be effective
• Threats are increasing, but defense is doable
Pursue Proactive Threat Hunting vs. Reactive IR
24. Integrating SEL Innovation Into the Dragos Platform
RTAC (SEL-3555)
OT SDN (SEL-2740S and SEL-5056)
Security Gateway (SEL-3620)
25. RTAC Security Features – Verifying RTAC Application Integrity With exe-GUARD®
• Minimizes CIP-007-3 R3 or CIP-007-5 R3.1
• Addresses CIP-007 R4
Refer to the SEL white paper, “Leveraging Security – Using the SEL RTAC’s Built-In Security Features,” for more information.
Diagram: SEL-3555 RTAC sends Syslog to the Dragos MPS
26. RTAC Security Features – Securing Engineering Access
Diagram: engineering access reaches the SEL-3555 RTAC over SSH or TLS; the RTAC talks to the relay over Telnet or FTP through SEL OT SDN and sends packet capture and Syslog to the Dragos MPS
User authenticates and creates SSH or TLS connection to RTAC
RTAC determines access level of user to relay
RTAC acts as proxy for user to relay
Syslog adds context to packet capture
27. RTAC Security Features – Security Auditing: Event Monitoring and Reporting
Diagram: relays deliver event reports to the SEL-3555 RTAC through SEL OT SDN; the RTAC sends Syslog and packet capture to the Dragos MPS
RTAC collects events
RTAC stores and forwards events to data concentrator
Certain events trigger Syslog message
28. RTAC Security Features – Relay Settings Monitoring (Ethernet Tap and Syslog)
Diagram: SEL-3555 RTAC polls relays over DNP3 through SEL OT SDN; an Ethernet tap copy and Syslog go to the Dragos MPS
RTAC periodically pulls information from relays
Important events occur (e.g., new logons, settings or firmware changes, or other new events)
Certain events trigger Syslog message
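The two slides above describe the RTAC turning relay events (new logons, settings or firmware changes) into Syslog messages that the sensor can correlate with packet capture. The following is an added example of what the receiving side does with such a feed; it is not SEL or Dragos code. The hostnames, relay names, `relaymon` tag, event names and key=value message layout are constructed for this example, and a real RTAC/relay Syslog format would have to be mapped onto these fields first.

```python
"""Flag security-relevant relay events in Syslog forwarded by an RTAC.

Added illustration, not SEL or Dragos code. The hostnames, relay names,
message layout and event names are constructed for this example; a real
RTAC/relay Syslog feed has its own format that must be mapped first.
"""
import re
from collections import defaultdict

# Constructed sample feed: RFC 3164-style lines as an RTAC acting as data
# concentrator might forward them to a midpoint sensor or SIEM.
SAMPLE_SYSLOG = """\
<85>Mar 12 01:02:03 rtac01 relaymon: relay=411L-A event=LOGON user=eng1 level=2 src=10.10.5.21
<85>Mar 12 01:02:10 rtac01 relaymon: relay=411L-A event=SETTINGS_CHANGE group=1 checksum=9A3F
<85>Mar 12 01:15:44 rtac01 relaymon: relay=411L-B event=FIRMWARE version=R311-V0
<85>Mar 12 02:30:00 rtac01 relaymon: relay=411L-B event=LOGON user=svc_poll level=1 src=10.10.5.50
<85>Mar 12 03:00:09 rtac01 relaymon: relay=411L-B event=FIRMWARE version=R312-V1
<85>Mar 12 03:05:12 rtac01 relaymon: relay=411L-A event=LOGON user=unknown7 level=2 src=192.168.77.9
this line is not syslog and is skipped
"""

# Header per RFC 3164: <PRI>TIMESTAMP HOSTNAME TAG: MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)

def parse_line(line):
    """Split one Syslog line into header fields plus the key=value pairs of
    its message. Returns None for lines that are not Syslog."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    rec["facility"], rec["severity"] = divmod(pri, 8)
    for token in rec.pop("msg").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def analyze(text, known_users=frozenset()):
    """Walk the feed in order, remember the last firmware version and settings
    checksum seen per relay, and emit alerts for: logons by users outside the
    known set, every settings change, and any change of firmware version.
    Each alert is (timestamp, relay, kind, detail)."""
    last = defaultdict(dict)   # relay -> {"firmware": ..., "checksum": ...}
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "relay" not in rec:
            continue
        relay, event = rec["relay"], rec.get("event")
        if event == "LOGON" and rec.get("user") not in known_users:
            alerts.append((rec["ts"], relay, "unknown-user-logon",
                           f"{rec.get('user')} from {rec.get('src')}"))
        elif event == "SETTINGS_CHANGE":
            prev = last[relay].get("checksum")
            last[relay]["checksum"] = rec.get("checksum")
            alerts.append((rec["ts"], relay, "settings-change",
                           f"checksum {prev} -> {rec.get('checksum')}"))
        elif event == "FIRMWARE":
            prev = last[relay].get("firmware")
            last[relay]["firmware"] = rec.get("version")
            if prev is not None and prev != rec.get("version"):
                alerts.append((rec["ts"], relay, "firmware-change",
                               f"{prev} -> {rec.get('version')}"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_SYSLOG, known_users={"eng1", "svc_poll"}):
        print(*alert, sep=" | ")
```

The first firmware report for a relay only seeds the baseline; the alert fires on the second, differing report, which is the behaviour wanted for a fleet where the initial poll of every relay would otherwise produce thousands of false "changes".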
29. RTAC Security Features – Ethernet and Serial Taps (Ethernet Tap and Syslog)
Diagram: serial tap on the relay side of the SEL-3555 RTAC; Ethernet tap and Syslog pass through SEL OT SDN to the Dragos MPS
RTAC can send serial packet captures for visibility
31. SEL OT SDN and Dragos Combined Solution
Diagram: SEL-3355 and SEL-3355-2 computers, an SEL-3555 RTAC, SEL-411L relays and the SEL-5056 controller are connected through SEL-2740S switches carrying engineering access, DNP3, GOOSE 1 and GOOSE 2 flows, with a Dragos midpoint sensor attached
Add context to passive monitoring
Selective packet capture flows out multiple ports
32. Instant Visibility Against Baseline
Diagram: same topology as slide 31, with an unauthorized device (insider threat or compromised system) attached beside the engineering access path
Suspicious behavior occurs
Unknown packets are sent to Dragos midpoint sensor with a VLAN tag
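Slides 31 and 32 rest on one property of the OT SDN deployment: only engineered conversations have flow rules, and a packet that matches none of them is not flooded or silently dropped but copied, VLAN-tagged, to the midpoint sensor. The block below is an added model of that table-miss behaviour, written for this page; it is not SEL-5056, SEL-2740S or Dragos code. Ports, addresses, MAC values and rule names are constructed, and the match fields are a small subset of what a real OpenFlow switch offers. It also shows a case slide 26 implies but slide 32 does not draw: an authorized engineering host that bypasses the RTAC proxy and goes straight to a relay is just as unmatched as a foreign device.

```python
"""Deny-by-default flow baseline: engineered conversations are forwarded,
anything else is copied, VLAN-tagged, to a monitoring sensor.

Added model of the slides' idea, not SEL-5056/SEL-2740S or Dragos code.
Port numbers, addresses, MACs and rule names are constructed for this
example; match fields on a real OpenFlow switch are richer than these.
"""
from dataclasses import dataclass

IPV4 = 0x0800
GOOSE = 0x88B8
DNP3_PORT = 20000
SSH_PORT = 22

@dataclass(frozen=True)
class Packet:
    in_port: int
    src_mac: str
    dst_mac: str
    eth_type: int
    src_ip: str = ""
    dst_ip: str = ""
    proto: str = ""
    dst_port: int = 0

@dataclass
class FlowRule:
    name: str
    match: dict      # Packet field name -> required value
    out_port: int

class BaselineSwitch:
    """Flow table whose table-miss action is 'mirror to sensor' rather than
    'flood' or 'drop', so every unplanned packet becomes a detection event
    that still carries the VLAN tag identifying the switch that saw it."""

    def __init__(self, rules, sensor_port, sensor_vlan):
        self.rules = list(rules)
        self.sensor_port = sensor_port
        self.sensor_vlan = sensor_vlan

    def classify(self, pkt):
        """Return (action, rule_name, out_port, vlan_tag)."""
        for rule in self.rules:
            if all(getattr(pkt, f) == v for f, v in rule.match.items()):
                return ("forward", rule.name, rule.out_port, None)
        return ("mirror", "table-miss", self.sensor_port, self.sensor_vlan)

# Constructed topology: port 1 RTAC, port 2 engineering workstation,
# port 3 relay A, port 4 relay B, port 5 spare, port 6 sensor.
RTAC, ENG, RELAY_A = "10.10.5.1", "10.10.5.21", "10.10.5.11"
MAC_RTAC, MAC_ENG = "00:30:a7:00:00:01", "00:30:a7:00:00:15"
MAC_RELAY_A, MAC_GOOSE = "00:30:a7:00:00:0a", "01:0c:cd:01:00:01"

RULES = [
    FlowRule("dnp3-poll", {"in_port": 1, "eth_type": IPV4, "src_ip": RTAC,
                           "dst_ip": RELAY_A, "proto": "tcp", "dst_port": DNP3_PORT}, 3),
    FlowRule("dnp3-reply", {"in_port": 3, "eth_type": IPV4, "src_ip": RELAY_A,
                            "dst_ip": RTAC, "proto": "tcp"}, 1),
    FlowRule("goose-a-to-b", {"in_port": 3, "eth_type": GOOSE,
                              "src_mac": MAC_RELAY_A, "dst_mac": MAC_GOOSE}, 4),
    FlowRule("eng-ssh-to-rtac", {"in_port": 2, "eth_type": IPV4, "src_ip": ENG,
                                 "dst_ip": RTAC, "proto": "tcp", "dst_port": SSH_PORT}, 1),
]

# Constructed traffic: four engineered packets, then two deviations.
TRAFFIC = [
    Packet(1, MAC_RTAC, MAC_RELAY_A, IPV4, RTAC, RELAY_A, "tcp", DNP3_PORT),
    Packet(3, MAC_RELAY_A, MAC_RTAC, IPV4, RELAY_A, RTAC, "tcp", 49152),
    Packet(3, MAC_RELAY_A, MAC_GOOSE, GOOSE),
    Packet(2, MAC_ENG, MAC_RTAC, IPV4, ENG, RTAC, "tcp", SSH_PORT),
    # engineering host bypassing the RTAC proxy and going straight to the relay
    Packet(2, MAC_ENG, MAC_RELAY_A, IPV4, ENG, RELAY_A, "tcp", SSH_PORT),
    # never-seen device on a spare port polling the relay with DNP3
    Packet(5, "f4:5c:89:aa:bb:cc", MAC_RELAY_A, IPV4, "10.10.5.99", RELAY_A, "tcp", DNP3_PORT),
]

def run(switch, packets):
    """Classify each packet; returns the decisions in order."""
    return [switch.classify(p) for p in packets]

def mirrored(decisions):
    """Indexes of packets that reach the sensor, i.e. the baseline deviations."""
    return [i for i, d in enumerate(decisions) if d[0] == "mirror"]

if __name__ == "__main__":
    sw = BaselineSwitch(RULES, sensor_port=6, sensor_vlan=4000)
    for pkt, dec in zip(TRAFFIC, run(sw, TRAFFIC)):
        print(f"port {pkt.in_port} {pkt.src_ip or pkt.src_mac} -> "
              f"{pkt.dst_ip or pkt.dst_mac}: {dec}")
```

Note that the rules key on ingress port as well as addresses: a known IP/MAC pair appearing on the wrong port still misses the table, which is what catches a spoofing device plugged into a spare port.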
33. SEL-3620 – Substation Firewall and ESP Boundary
Diagram: operations center and substation joined by an IPsec VPN between SEL-3620s across the WAN; inside the substation, SEL OT SDN, the SEL-3555 RTAC and a tap feeding the Dragos MPS; an authorized user and an unauthorized user both attempt access
User requires remote access to substation to review event reports
IPsec VPN tunnel connects operations center to substation
Unauthorized user is stopped by IPsec VPN and firewall rules
34. SEL-3620 Password Management
Centralized Authentication to SEL-3355 With Active Directory or RADIUS
Diagram: SEL-3620 in front of the relays through SEL OT SDN; Ethernet tap and Syslog go to the Dragos MPS
User authenticates with centralized credentials
SEL-3620 authenticates with relays
Each relay has its own complex password
User connects to relay by security gateway proxy
35. SEL-3620 Password Checkout
Ethernet Tap and Syslog
Diagram: SEL-3620 in front of the relays through SEL OT SDN; Ethernet tap and Syslog go to the Dragos MPS
User authenticates to SEL-3620 and performs a relay checkout
SEL-3620 sets password on relay to an approved password
User connects to front serial interface and authenticates
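Slides 34 and 35 describe two access paths through the security gateway: a proxied session, where the user authenticates centrally and never learns the relay's own password, and a checkout, where the gateway temporarily sets a known approved password so the user can log in at the relay's front serial port. The block below is an added model of that workflow written for this page, not SEL-3620 code. The relay names, the password policy, the checkout window, and the rule that the relay is rotated back to a fresh unique password at check-in or expiry are all assumptions made here; the page only states that the gateway sets an approved password on checkout.

```python
"""Relay password proxying and checkout, modelled on slides 34 and 35.

Added illustration, not SEL-3620 code. The relay names, the password
policy, the checkout window and the rule that a checked-out password is
replaced with a fresh unique one at check-in (or expiry) are assumptions
made for this example.
"""
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def generate_relay_password(length=16):
    """Random password containing at least one lower, upper, digit and symbol."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

class PasswordGateway:
    """Keeps a distinct password per relay that users never see; proxied
    sessions use it on the user's behalf. A checkout pushes a known approved
    password to one relay for local serial access during a limited window;
    check-in (or expiry) rotates the relay back to a fresh unique password."""

    def __init__(self, relays, approved_password, window_seconds=4 * 3600):
        self.relay_password = {r: generate_relay_password() for r in relays}
        self.approved = approved_password
        self.window = window_seconds
        self.checkouts = {}   # relay -> (user, expiry time in seconds)
        self.audit = []       # (action, user, relay): what would become Syslog

    def proxy_session(self, user, relay):
        """Credential the gateway presents to the relay for a proxied session;
        the user only authenticated to the gateway (AD/RADIUS in the slide)."""
        self.audit.append(("proxy", user, relay))
        return self.relay_password[relay]

    def checkout(self, user, relay, now):
        """Set the approved password on the relay and open a timed checkout."""
        if relay in self.checkouts:
            raise RuntimeError(f"{relay} is already checked out")
        self.relay_password[relay] = self.approved   # gateway sets it on the relay
        self.checkouts[relay] = (user, now + self.window)
        self.audit.append(("checkout", user, relay))
        return self.approved

    def checkin(self, relay):
        """Rotate the relay back to a unique password and close the checkout."""
        user, _ = self.checkouts.pop(relay)
        self.relay_password[relay] = generate_relay_password()
        self.audit.append(("checkin", user, relay))

    def expire(self, now):
        """Check in every relay whose window has passed; returns those relays."""
        expired = [r for r, (_, due) in self.checkouts.items() if due <= now]
        for relay in expired:
            self.checkin(relay)
        return expired

    def front_panel_login(self, relay, password):
        """Decision the relay itself would make for a serial-port login."""
        return secrets.compare_digest(password, self.relay_password[relay])
```

The point of the rotation at check-in is that the approved password is only ever valid on one relay for one window; without it, every relay that has ever been checked out would share the same well-known password afterwards, undoing the per-relay uniqueness slide 34 relies on.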
36. Future Innovation Ideas – SEL and Dragos
• OT SDN telemetry data
• Dragos using SEL device API or REST interface
• Development of Dragos playbooks for SEL systems
• Active defense on noncritical devices