The document discusses preparing for cyber incidents involving industrial automation and control systems (IACS). It defines a cyber incident and outlines the PICERL framework for incident response involving preparation, identification, containment, eradication, remediation, and lessons learned. The document also provides statistics on IACS cyber incidents in 2014, including the top targeted industries and main attack vectors, and recommends establishing an incident response team, network documentation, and security controls.
An overview of why knowing programming can make you a better cyber security professional, a look at the most popular languages and some pitfalls to avoid
We look at what is a Capture the Flag Event and how it can provide a great training opportunity for anyone interested or working in Cyber Security... for free! We also look at some examples of thinking outside the box challenges
IDS are great tools for blue teams and resource for network forensics, however they can also be a great resource for the red teams and as part of a penetration testing exercise.
A quick look at what you should be considering when assessing the security of a mobile application, looking at an established framework and some of the common tools to get started
Open Source IDS - How to use them as a powerful free Defensive and Offensive tool (Sylvain Martinez)
What is an IDS? What is required for a successful implementation and utilisation? IDS can also be used for penetration testing activities, not just for defence purposes. See how!
This was presented as part of the FIRST Technical Colloquium 2017 Conference in Mauritius on the 30th of November 2017.
Feel free to contact us for more information.
If you are reusing some of the slides or their content, can you please reference our website as the source: https://www.elysiumsecurity.com
Holy Threat Intelligence AMPman! We Need Endpoint Security! (Force 3)
Some men just want to watch the network burn.
With malware on the rise and hackers attacking government agencies from every angle, federal agencies face an uphill battle. In the Malware Universe, federal networks need a hero, one who wages a never-ending fight for truth, justice and American data.
Are you ready to be the hero your network deserves?
The numbers are shocking: 69% of enterprise security executives report having experienced insider threats over one year. At the same time, 62% of business users report having access to data they should not see. Making matters worse? 43% of business say it takes at least a month (if not longer) to detect employees viewing files and emails they’re not authorized to access.*
With its comprehensive suite of flexible, simple, efficient solutions, Cisco Security offers a seamless approach designed to ease the burden on your IT team while strengthening your security posture. That includes Cisco Stealthwatch, a network visibility and security analytics system. Using NetFlow, Stealthwatch helps you use your network as a security sensor and enforcer to detect and remediate attacks, ultimately improving your threat defense—including time to detection and response.
Today, nearly a third of organizations lack the ability to prevent or deter insider threats.* Don’t let your agency be one of them.
Gartner recently released a report on IT security priorities for the remainder of 2014. Amongst respondents, network security, application security, endpoint security, and security services all ranked highly.
Together with our event partners Cisco, F5, and Bromium, Scalar brings you solutions to these problems, as well as a full presentation on our managed security services portfolio.
This presentation looks at the core component of an Incident Response plan (NIST 800-61) as well as custom practical implementation framework developed by ELYSIUMSECURITY based on NIST and FIRST.
This talk will attempt to illustrate the close link between both safety and security, as well as the reasons they should remain distinct and separated efforts; the speakers will discuss case studies that relate to security incidents with safety impact, discuss practices that may be adopted in this space, before opening a discussion on the means for maintaining effective security and safety programs that neither overlap, nor underlap each other. The talk is aimed at those with an interest in Operational Technology security; whilst it will be open to a range of knowledge and abilities, the emphasis is towards the simple, basic concepts that are often found wanting in relation to cyber-attacks in the industry.
How Aetna Mitigated 701 Malware Infections on Mobile Devices (Skycure)
View webinar recording - http://hubs.ly/H06134H0
Learn how Aetna protects its corporate data from mobile threats while providing a better user experience and complying with strict industry regulations.
Tools for Evaluating Mobile Threat Defense Solutions (Skycure)
View recorded webinar - http://get.skycure.com/evaluating-mobile-threat-defense-solution
Get the tools and information you need to make the evaluation process of Mobile Threat Defense solutions easier and ensure your success.
Watch the webinar recording: http://hubs.ly/y0XwTS0
In this RSA Conference webcast, security experts Adi Sharabani and Yair Amit describe the current threat landscape for mobile devices and discuss security strategies.
Here we report the current state of the ICS threat landscape, as presented at the IT&Automation 2018 conference in Böblingen.
To learn more about Kaspersky Lab's ICS CERT, visit https://kas.pr/e34v
IoT Cyber Security & Vulnerabilities: Challenges and Opportunities in Security of Internet of Things
Security is the Key
Inherent Security Challenges
Threat Spectrum – Trends
Securing the “Things”
IoT Cybersecurity – Security Triad
Threat Model
Availability threats
Integrity threats
Authenticity threats
Confidentiality threats
Non-repudiation/accountability threats
The following PowerPoint was presented during EVF 2019 by Alexandre Darcherif, Invited Speaker.
The aim of this presentation is to present the threat landscape for communication between Smart factories and their cyber system as modeled in the concept of Industry 4.0
Cybersecurity Critical Infrastructure Threats and Examples 2022- Presentation... (Certrec)
A presentation from Certrec showcasing the cybersecurity threats plaguing critical infrastructure in the United States. Includes examples of major cyber attacks within the past few years.
To learn how Certrec's cyber security solutions can help keep your power plant secure from threats, visit: https://www.certrec.com/
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct... (Abhishek Goel)
SCADA systems control some of the most vital infrastructure in industrial and energy sectors, from oil and gas pipelines to nuclear facilities to water treatment plants.
Critical infrastructure is defined as the physical and IT assets, networks and services that if disrupted or destroyed would have a serious impact on the health, security, or economic wellbeing of citizens and the efficient functioning of a country’s government.
Threats to industrial control systems are on the rise. This briefing explores potential threats and vulnerabilities as well as what organizations can do to guard against them.
Public services such as electricity, water, hospital management and transport are important for the smooth functioning of our daily lives. The critical nature of these services makes these systems a key target for cyber threats. This is why the public sector experiences more incidents than any other industry.
It is also why the public sector needs to focus more on strengthening its cybersecurity strategies to address critical gaps, especially in the devices used and the policies governing their use.
In this session, Asela addressed some of our critical services and how the lack of security focus has affected their use.
Certrec’s Fas Mosleh presents some of the biggest cyber threats currently targeting utilities. This webinar includes examples of attacks on utilities that have happened in recent years and action steps to prevent future breaches.
As cyber-attacks from nation-state and domestic threats increase, it is important that power plants meet these threats to avoid costly reputational and equipment damage.
For more, visit: https://www.certrec.com/
Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/
Similar to 2015 ISA Calgary Show: IACS Cyber Incident Preparation
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
The new frontiers of AI in RPA with UiPath Autopilot™ (UiPathCommunity)
In this free online event, organised by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that brings Artificial Intelligence into the processes of developing and using Automations.
📕 Together we will look at some examples of using Autopilot in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
IACS CYBER INCIDENT PREPARATION
Cyber Incident Defined
Disruption in electronic communications between systems or systems and people that impacts:
1. Confidentiality,
2. Integrity, and/or
3. Availability.
2014 ENERGY CYBER INCIDENTS
Energetic Bear / Dragonfly Group / Havex / Karagany
WHAT:
Systematic targeting of Western energy companies by Russian hackers. Injected a Trojan into industrial control systems with remote control capabilities.
HOW:
Spear phishing / Watering hole / Remote Access Tools / Trojans in ICS Software
WHY:
Industrial espionage. Industrial sabotage.
IMPACT:
Over 1000 energy companies in 84 countries were reported compromised.
WHEN:
Reported June 2014. Learn more in Cimation’s report.
2014 ENERGY CYBER INCIDENTS
Black Energy
WHAT:
Russian cyber underground hacking toolkit that provides an advanced Trojan with command and control capabilities. Used to target the users of various Human Machine Interface (HMI) products.
HOW:
Targeting GE and Siemens SCADA/HMI products directly connected to the Internet.
WHY:
Industrial espionage. Industrial sabotage.
IMPACT:
Compromised “numerous” industrial control systems.
WHEN:
Reported December 2014
2014 ENERGY CYBER INCIDENTS
Norwegian Energy Industry Targeted
WHAT:
300 Energy companies in Norway were targeted by a sophisticated attack. Largest cyber attack in Norway's history.
HOW:
Not publicly disclosed.
WHY:
Industrial espionage.
IMPACT:
50 Energy companies were reported compromised.
WHEN:
Reported August 2014
IACS CYBER INCIDENT PREPARATION
2014 ICS-CERT Incidents By Industry
[Pie chart: share of 2014 ICS-CERT reported incidents by industry]
Energy: 32%
Critical Manufacturing: 25%
Other: 26%
Healthcare: 6%
Government: 5%
Water: 5%
Nuclear: 2%
About Austin:
Austin started his career as a software developer working on SCADA products for Schneider Electric and has been a Controls and Automation consultant for over 12 years. In 2006 Austin founded a boutique Automation consulting company in Calgary called Synergist SCADA Inc. Synergist SCADA was acquired by Cimation in 2013 which served as the genesis for the Cimation Calgary office. For the past 5 years, Austin has focused his personal development towards Cyber Security for Industrial Automation and Control Systems (IACS) and has published articles, blogs and books on the subject.
Austin is currently a delivery lead for Shell’s Operating Asset Cyber Security Program and is responsible for organizational practices for sustainable cyber risk management globally.
Introduction:
Cyber Security is, quite simply, Risk Management.
If you are in a boat that is sinking, plugging the largest holes first will help to reduce your risk of drowning.
Each organization has its own unique challenges, constraints and risks. There are thousands of ways of reducing Cyber Risk in an organization.
The goal of any organization should be to put the controls in place that reduce the greatest amount of risk for the resources consumed.
Implementing Incident Management will help you to identify the size of each hole in your boat so that you can optimize the value of your Risk Management.
Agenda:
Industrial Cyber Security Challenges
Incident Impacts
Incident Management Lifecycle
Industry Trends
How to Prepare for a Cyber Incident
Description:
15 years ago we started to see a wider adoption of standard Ethernet networking in industrial control systems and an ever-growing demand for data from IACS. From there, we started to encounter some serious issues once control systems were added to business networks or connected to the Internet. In this presentation, we begin by talking about the cyber security challenges facing the industry today.
Story:
IACSs are a lot like Ferraris. They are both fit for purpose and are both engineered to excel in one particular area. Ferraris are fast cars. They are lightweight race cars designed for speed and agility. Industrial control and automation systems are built to process and interpret massive amounts of real-time data, and to quickly adapt to changing process conditions.
However, you would never drive a Ferrari into battle. It is fast, but not particularly bullet proof. It was never designed to be reinforced with armor or with weapon mounts.
Comparatively, a Control System can easily be taken down with some simple fuzzing with some bad traffic. Today’s control systems were not designed to repel attacks, but they are really good at doing what they were designed to do. There are certainly some trade-offs when you start to add armor plating and guns to a Ferrari. Suddenly it is heavier, less agile and slower on the race track.
As an industry we have a long way to go to catch up with the IT world. Because of the long-term investment nature of this industry, it moves at a glacial pace.
Key Message:
Balancing security in this industry is a Long Term journey. There is no easy button for IACS Cyber Security.
Description:
Before we look at Incident Preparation, we have to ask ourselves:
Why should anyone care about Cyber Incidents in the Industrial Control and Automation Systems?
Operations:
The effect on operations includes:
Loss of View / Loss of Control
Long nights or weekends away from your families.
One example: a “Conficker” worm outbreak ended up with a $300k bill from the vendor. Another: loss of view (LOV) due to a virus on a remote offshore rig required an operator to sit out in a boat for two days, ready to hit the ESD button if things went wrong.
Company
The effects on the company include:
Reputational Damage
Product Deferment
Story:
A real-life example is the Sony hack. It caused reputational damage: Amy Pascal, the head of Sony Pictures, stepped down.
BP Reputational Damage.
Regulatory
Regulatory impacts include:
Confidentiality, Integrity, Availability
Penalties
Key Message:
A Cyber Incident does not have to be malicious in nature.
It could be accidental: a bad antivirus update, or a SCADA software upgrade gone bad. Cyber Incident = Any Digital Disruption = a Safety Issue and a Reliability Issue as well as a Security Issue.
References:
The NIST definition of a cyber incident, as defined in FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems:
http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST)
How do you know if your diet is working if you never step on the scale?
How do you know you are mitigating cyber risk if you are not documenting and managing incidents?
Real-world Story:
We work with one Energy company at Cimation whose security program will not perform any network remediation until an incident response plan has been established at an operating asset. If something goes wrong with a change being made to a network, the proper procedures must be in place to handle it.
What is the value in Incident Management?
It is a lifecycle approach to incident response, which promotes continuous business improvement. (Six Sigma)
PICERL is one incident response framework that I like because it is easy to remember.
Why focus on preparation?
It’s the first step in the process – be prepared.
Mitigation of Risk
Reduce Impact
Save Time
Key Message:
Safe, Reliable and Secure
There is a strong business case for having a formal Cyber Incident response framework in place which will:
Reduce Risk – Safety, Financial, Environmental
Improve Reliability
Over time, produce valuable statistical data for measuring the digital health of an operating asset
Value proposition of cyber incident management is continuous improvement.
References:
Pickerel is a freshwater fish in the pike family found in the Eastern half of the United States.
Description:
2014 ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) figures.
ICS-CERT was created by the Department of Homeland Security (DHS) and deals with security related to industrial control systems.
Most often the cyber incidents reported to ICS-CERT are emergencies and malicious in nature.
The majority of IACS cyber incidents occur in the energy sector. This has been the case for several years.
In 2014 the second largest slice of the pie was the Critical Manufacturing sector, which represents a number of system integrators (SIs), OEMs and vendors being targeted by cyber attacks in order to gain access directly to control systems.
40% of the incidents are from unknown origins. So these organizations have no idea how the Bad Actors gained access.
How do you remediate that? If you don’t know how they got in you cannot close that hole, and they will likely be back.
Key Message:
We are seeing an increased number of incidents and threats reported annually.
References:
ICS-CERT reported incidents and vulnerabilities by fiscal year:
Year  Incidents  Vulnerabilities
2011  140        138
2012  197        137
2013  257        187
2014  245        159
ICS-CERT: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
ICS-CERT: https://ics-cert.us-cert.gov/sites/default/files/documents/Year_In_Review_FY2013_Final.pdf
Description:
Let's talk about a few foundational ways that an organization can prepare for a cyber incident.
These are all pretty basic things that most organizations can do to some degree.
In order to sustain an IT Solution in the long term, a lifecycle approach is taken involving People, Process and Technology.
Without these three things, you cannot sustain incident management within an organization.
Key Message:
Cyber incident preparation is a long-term journey and not a short-term destination.
A life-cycle approach to incident response is required in order for it to be sustainable and effective.
Description:
Again, a lifecycle approach should be taken in order to be prepared for an incident.
Assign the People:
Assign a Cyber Incident Response Team that incorporates the roles and skills in order to handle all aspects of an incident.
Educate the People:
Create a community of Cyber Incident Awareness and Accountability
The team should work to also educate the site community on the Incident Response processes.
Drill the People:
Regular practice, in the form of exercises 2-3 times per year, is key to preparation. Exercises should be realistic and diverse so that responses.
Review and update on a regular basis.
Key Message:
Empower an incident response team and ensure they practice the process.
Engage the site community in the Incident Identification and Response Process
Description:
Real-world Story:
My role at Shell focuses on people and process within a global program.
At Shell that means Policies, Procedures and Work Instructions for Incident Management. However, this is not the right answer for all companies. At the very least you should create a one page policy stating "You Shall Report Incidents".
Documented processes lay the foundation to support incident handling.
Your processes must be driven by a level of leadership that is ultimately accountable for managing Risk of an operating asset. (Safety, Financial and Environmental accountability)
Policies should be a one page document that is signed by leadership and provides the Shall statements and consequences for not following.
Procedures should outline the process for identification and classification of events and incidents and the thresholds at which events should be escalated. Procedures should also provide guidance for the frequency at which logs should be reviewed
Work Instructions provide the key information and paperwork required to log, escalate and manage an incident. They should contain the specific contact information of the members of the incident response team (more on that when we talk about the people aspect of incident preparation).
Some questions to ask yourself:
What is a Cyber Event of Interest?
When does it become a Cyber Incident?
What levels of escalation exist for a Cyber Incident?
Remember, all the documents should have a document owner, be reviewed and updated on a regular basis, and follow proper management of change processes. The documents should be accessible to everyone at an operating asset and hyperlinked together.
Key Message:
A solid foundation for incident preparation begins with Process that is:
documented,
supported by leadership,
maintainable
and accessible
References:
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
http://niccs.us-cert.gov/research/cybersecurity-capability-maturity-model
Description:
There are thousands of security technology solutions on the market today. In reality, we are not even taking advantage of the basic features of Windows and network hardware that could drastically reduce risk, so why would we start buying expensive hardware and software solutions?
Network Diagrams:
In my experience it is extremely rare to encounter an operating asset that has a Network Diagram and an Asset inventory. Quite often they are outdated or just wrong. You cannot be prepared for a Cyber Incident if you do not even understand what you have in the field.
Real-world Story:
A company pulled together its incident response team because the FBI had contacted them. The FBI had arrested a Bad Actor and on his laptop they found network diagrams and asset inventory information belonging to the company. The company was perplexed because the network diagram and asset inventory did not match what the company had on file. But the MAC addresses (the globally unique identifiers found on all network equipment) matched. Upon further investigation, it turned out that the network diagrams and asset inventory in the Bad Actor's possession were much more accurate and up to date than what the company had on file.
Event Logging:
I am not even talking about an advanced SIEM (Security Information and Event Management) hardware solution here. I am talking about turning ON event logging in Windows and on Network equipment.
That is Step ONE.
If you recall from the ICS-CERT 2014 findings, 40% of attacks came from an unknown origin. I am sure that in 1% of those cases the hackers were clever enough to cover their tracks, and in 99% of the cases event logging was not even turned on.
Step TWO is centrally archiving and storing the Windows logs and Network Device Syslogs in a secure location. Again, you can just do this using features built into Windows.
Step THREE is actually looking at the logs from time to time.
If you have the advanced skills and resources to make sense of the events you are logging, then perhaps it is time to purchase a hardware / software SIEM solution. But if you cannot maintain it then don’t bother. At the very least if a serious incident occurs, experts will be able to have access to the event information and determine the root cause.
If you don’t know why the Incident occurred then you cannot prevent it from occurring again. You will not be prepared for when it happens again. Before adding more technology to your IACS, ensure you can properly manage the technology you have.
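Step THREE only works if the Procedure's answers to "what is a Cyber Event of Interest, when does it become a Cyber Incident, and what levels of escalation exist" are written down precisely enough to be applied to the archived logs. The following is an added example, not code from the presentation or from Cimation or Shell, that applies such a procedure to a constructed extract of a central archive (a Windows Security event export plus network device syslog). The asset inventory, the threshold of five failed logons, the Windows event IDs treated as significant on their own, and the three escalation tiers are all assumptions standing in for what a site's own procedure would define:

```python
"""Review archived logs against a written Event/Incident procedure (added example).

Rule values, host names, IP addresses and log lines below are constructed;
they are placeholders for what a site's own asset inventory and Procedure
would specify."""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical site asset inventory: IP -> host name of control-critical nodes
# (this is what the "Network Diagrams" step gives you; without it the
# escalation decision below cannot be made).
INVENTORY = {"10.1.1.20": "HMI-01", "10.1.1.30": "PLC-03"}
CONTROL_HOSTS = set(INVENTORY.values())
IACS_PORTS = {502, 20000, 44818}        # Modbus/TCP, DNP3, EtherNet/IP
FAILED_LOGON_THRESHOLD = 5              # hypothetical procedure value

# Constructed central-archive extract. Windows Security export columns:
# timestamp,host,event_id,account,source_ip. Syslog: <pri>date host program: message
WINDOWS_EVENTS = """\
2015-03-02T08:01:10,HMI-01,4624,operator1,10.1.1.20
2015-03-02T08:02:14,HMI-01,4625,admin,10.1.1.77
2015-03-02T08:02:16,HMI-01,4625,admin,10.1.1.77
2015-03-02T08:02:18,HMI-01,4625,admin,10.1.1.77
2015-03-02T08:02:20,HMI-01,4625,admin,10.1.1.77
2015-03-02T08:02:22,HMI-01,4625,admin,10.1.1.77
2015-03-02T08:06:30,ENG-WS-02,4720,svc_backup,-
2015-03-02T08:07:05,ENG-WS-02,1102,admin,-
"""
SYSLOG = """\
<134>Mar  2 08:03:11 sw-core-01 config: configuration changed by admin from 10.1.1.77
<132>Mar  2 08:04:50 fw-dmz-01 deny: tcp 203.0.113.5:4444 -> 10.1.1.20:502
<134>Mar  2 08:05:01 fw-dmz-01 accept: tcp 10.1.1.20:50123 -> 10.1.1.30:502
"""

@dataclass(frozen=True)
class Finding:
    level: str      # "event_of_interest" or "incident"
    host: str
    summary: str

# Windows event IDs the (hypothetical) procedure treats as significant on their own.
# 1102 = audit log cleared: the "covering their tracks" case is itself an incident.
WIN_ID_RULES = {
    1102: ("incident", "security audit log cleared"),
    4720: ("event_of_interest", "user account created"),
}

SYSLOG_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+): (?P<msg>.*)$")
DENY_RE = re.compile(r"^\w+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_windows(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, host, eid, account, src = line.split(",")
            rows.append((ts, host, int(eid), account, src))
    return rows

def parse_syslog(text):
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]

def find_events(win_rows, sys_rows):
    """Turn raw records into Events of Interest / Incidents per the procedure."""
    findings = []
    for ts, host, eid, account, src in win_rows:
        if eid in WIN_ID_RULES:
            level, text = WIN_ID_RULES[eid]
            findings.append(Finding(level, host, f"{text} by {account} at {ts}"))
    # Repeated failed logons (4625) from one source against one host.
    failed = Counter((host, src) for _, host, eid, _, src in win_rows if eid == 4625)
    for (host, src), n in failed.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(Finding("event_of_interest", host, f"{n} failed logons from {src}"))
    for e in sys_rows:
        if e["prog"] == "config":
            findings.append(Finding("event_of_interest", e["host"], "configuration change: " + e["msg"]))
        elif e["prog"] == "deny":
            m = DENY_RE.match(e["msg"])
            # External source (anything outside the 10.0.0.0/8 site range, an assumption)
            # hitting a control protocol port is an event of interest on the target host.
            if m and int(m["dport"]) in IACS_PORTS and not m["src"].startswith("10."):
                target = INVENTORY.get(m["dst"], m["dst"])
                findings.append(Finding("event_of_interest", target,
                                        f"external {m['src']} probed port {m['dport']}"))
    return findings

def assess(findings):
    """Escalation ladder (hypothetical tiers): 0 nothing, 1 site supervisor,
    2 IACS security team, 3 asset leadership (potential loss of view/control)."""
    by_host = Counter(f.host for f in findings)
    incident = (any(f.level == "incident" for f in findings)
                or any(n >= 2 for n in by_host.values()))   # correlated events on one host
    touches_control = any(f.host in CONTROL_HOSTS for f in findings)
    if not findings:
        escalation = 0
    elif not incident:
        escalation = 1
    elif touches_control:
        escalation = 3
    else:
        escalation = 2
    return {"incident": incident, "escalation": escalation, "findings": findings}

def review(windows_text, syslog_text):
    return assess(find_events(parse_windows(windows_text), parse_syslog(syslog_text)))

if __name__ == "__main__":
    result = review(WINDOWS_EVENTS, SYSLOG)
    for f in result["findings"]:
        print(f"{f.level:18} {f.host:10} {f.summary}")
    print("incident:", result["incident"], "escalation level:", result["escalation"])
```

On the constructed sample the review yields four events of interest and one incident (the cleared audit log on ENG-WS-02); because two of the findings land on HMI-01, a control-critical host from the inventory, the procedure escalates to level 3. The point is less the specific rules than that the thresholds, the inventory and the tiers exist somewhere other than in one person's head, which is what makes "looking at the logs from time to time" repeatable and auditable.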
Real-world Story:
I heard a story from one of Cimation's customers about an Event Management system installed at an operating asset. The vendor came, plugged it into the network, configured it, showed a few operators how to use it and then left. The problem was that the customer did not create any processes to view, update or maintain this system. No one ever looked at it because no one was accountable for looking at it. And if they did look at it, they were not properly trained to understand what it was telling them. The system collected dust for a few years until one day its logs overflowed, it started to spew traffic onto the network and it created a 2 million dollar outage. All because the customer implemented technology that they lacked the processes and knowledge to properly maintain.
Key Message:
Focus on the basics.
Technology can be a great way to reduce Cyber Risk.
Ensure that you actually have the dedicated skills and resources to maintain the solution for the long term.
Make sure you are taking full advantage of the technology you currently have in your IACS before you add new technology.
There are a ton of simple things you can do with Windows, switches, routers and firewalls that can drastically reduce your cyber risk.
Reducing Cyber Risk doesn’t have to eat into your CapEx budgets.
Description:
2014 ICS-CERT - Industrial Automation and Control System emergency responses by industry.
Key Message:
The Energy industry continues to represent the largest number of cyber incident emergency responses.
References:
~300 2014 ICS Incidents, by sector:
Energy                  79
Critical Manufacturing  65
Other                   57
Healthcare              15
Government              13
Nuclear                  6
IT                       5
Finance                  3
Food and Ag              2
Breakdown of "Other" (57):
Communications          14
Water                   14
Transportation          12
Commercial Facilities    7
Unknown                  6
Chemical                 4
Description:
2014 ICS-CERT - In nearly 40% of incidents, ICS-CERT was unable to determine how the Industrial Control System was compromised.
Key Message:
Inability to determine the origin of a Cyber Incident reflects poorly on the industry's level of preparation for a Cyber Incident.
60% is a D grade
References:
~300 ICS 2014 Incidents, by attack vector:
Unknown         94
Misc            56
Scanning        53
Spear Phishing  42
Breakdown of "Misc" (56):
Misc               21
Auth               13
Abuse Access Auth   9
USB                 5
SQL Injection       5
Brute Force         3