IACS CYBER INCIDENT PREPARATION
by Austin Scott, GICSP, SSCP
Project and Services Delivery Manager, Cimation Canada
Industrial Cyber Security Challenges
Cyber Incident Defined
Disruption in electronic communications between systems, or between systems and people, that impacts:
1. Confidentiality,
2. Integrity, and/or
3. Availability.
Incident Response Framework
P.I.C.E.R.L. Lifecycle
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Remediation
6. Lessons Learned
• Mitigation of Risk
• Reduce Impact
• Save Time
Cyber Incident Industry Trends
[Charts: Incidents and Vulnerabilities by year, 2011 to 2014. Incidents By Industry: Energy 32%. Attack Vectors: Unknown 40%.]
Life Cycle Approach to Incident Management
People
Cyber Drills
• Add a cyber element to existing ERP / safety drills
Educate Community
• Policies
• Identification
• Escalation
Assign a Team
• Senior Management
• Industrial IT / Programmer / MCSE
• Operations
• Communications Manager
• Legal Representation
Process
Who to Contact, Escalation, Incident Logging
Identification
Classification
Intent
Technology
Network Diagram and Asset Inventory
Enable and Protect Network and Windows Event Logging
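As an added example (not part of the original deck), the PowerShell script below shows one way to carry out the "Enable and Protect Windows Event Logging" preparation step on an IACS Windows host such as an HMI or engineering workstation: it turns on the audit subcategories that give Identification something to work with, enlarges the Security log so evidence survives until it is collected, and switches retention to archive-when-full so records are not silently overwritten. The log sizes, the subcategory selection and the host type are illustrative assumptions; it must run in an elevated session.

```powershell
# Added example: prepare Windows event logging on an IACS host (HMI / engineering
# workstation). Assumes an elevated (Administrator) Windows PowerShell session.
# The sizes and the subcategory list are illustrative choices, not values from the deck.

$ErrorActionPreference = 'Stop'

# 1. Enable the audit subcategories that feed Identification: who logged on (and who
#    failed to), what processes started, and any change to the audit policy or the
#    security subsystem itself (the "protect" half of the step).
$subcategories = @(
    'Logon',                     # 4624 success / 4625 failure
    'Logoff',
    'Account Lockout',
    'Special Logon',             # 4672: privileged logon
    'Process Creation',          # 4688
    'Audit Policy Change',       # 4719: auditing was changed or weakened
    'Security State Change',     # 4608 startup / 4616 system time changed
    'Security System Extension'  # 4697: a service was installed
)
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Record the command line with 4688 so process-creation events are actually useful.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 2. Protect the evidence: enlarge the logs and archive when full instead of
#    overwriting, so a noisy application (or a deliberate flood) cannot push the
#    interesting events out of the log before they are collected.
$logSettings = @{
    'Security'    = 1GB
    'System'      = 256MB
    'Application' = 256MB
}
foreach ($log in $logSettings.Keys) {
    $bytes = [int64]$logSettings[$log]
    # /ms = maximum size in bytes, /rt = retain (do not overwrite), /ab = auto-backup when full
    wevtutil sl $log /ms:$bytes /rt:true /ab:true | Out-Null
}

# 3. Verify and display the resulting configuration. Once this is in place, Security
#    event 1102 ("The audit log was cleared") is the record to alarm on, because it is
#    the trace left when someone tries to undo the "protect" part of this step.
auditpol /get /category:*
Get-WinEvent -ListLog ([string[]]$logSettings.Keys) |
    Select-Object LogName, MaximumSizeInBytes, LogMode, RecordCount |
    Format-Table -AutoSize
```

Forwarding the enlarged logs off the host (Windows Event Forwarding or a collector) is the complementary half of "protect", since a local log is only as safe as the host it sits on.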
APPENDIX – 2014 Energy Cyber Incidents
2014 ENERGY CYBER INCIDENTS
Energetic Bear / Dragonfly Group / Havex / Karagany
WHAT:
Systematic targeting of Western energy companies by Russian hackers. Injected a Trojan with remote control capabilities into industrial control systems.
HOW:
Spear phishing / Watering hole / Remote Access Tools / Trojans in ICS Software
WHY:
Industrial espionage. Industrial sabotage.
IMPACT:
Over 1000 energy companies in 84 countries were reported compromised.
WHEN:
Reported June 2014. Learn more in Cimation’s report.
Black Energy
WHAT:
Russian cyber-underground hacking toolkit that provides an advanced Trojan with command and control capabilities. Used to target the users of various Human Machine Interface (HMI) products.
HOW:
Targeting GE and Siemens SCADA/HMI products directly connected to the Internet.
WHY:
Industrial espionage. Industrial sabotage.
IMPACT:
Compromised “numerous” industrial control systems.
WHEN:
Reported December 2014
Norwegian Energy Industry Targeted
WHAT:
300 energy companies in Norway were targeted by a sophisticated attack. Largest cyber attack in Norway's history.
HOW:
Not publicly disclosed.
WHY:
Industrial espionage.
IMPACT:
50 energy companies were reported compromised.
WHEN:
Reported August 2014
2014 ICS-CERT Incidents By Industry
Energy 32%
Critical Manufacturing 25%
Other 26%
Healthcare 6%
Government 5%
Water 5%
Nuclear 2%
2014 ICS-CERT Incident Attack Vectors
Unknown 38%
Scanning 22%
Spear Phishing 17%
Misc 23%

2015 ISA Calgary Show: IACS Cyber Incident Preparation


Editor's Notes

  1. About Austin: Austin started his career as a software developer working on SCADA products for Schneider Electric and has been a Controls and Automation consultant for over 12 years. In 2006 Austin founded a boutique Automation consulting company in Calgary called Synergist SCADA Inc. Synergist SCADA was acquired by Cimation in 2013, which served as the genesis for the Cimation Calgary office. For the past 5 years, Austin has focused his personal development on Cyber Security for Industrial Automation and Control Systems (IACS) and has published articles, blogs and books on the subject. Austin is currently a delivery lead for Shell’s Operating Asset Cyber Security Program and is responsible for organizational practices for sustainable cyber risk management globally.
     Introduction: Cyber Security is, quite simply, Risk Management. If you are in a boat that is sinking, plugging the largest holes first will help to reduce your risk of drowning. Each organization has its own unique challenges, constraints and risks. There are thousands of ways of reducing Cyber Risk in an organization. The goal of any organization should be to put in place the controls that reduce the greatest amount of risk for the resources consumed. Implementing Incident Management will help you to identify the size of each hole in your boat so that you can optimize the value of your Risk Management.
     Agenda: Industrial Cyber Security Challenges; Incident Impacts; Incident Management Lifecycle; Industry Trends; How to Prepare for a Cyber Incident.
  2. Description: 15 years ago we started to see a wider adoption of standard Ethernet networking in industrial control systems and an ever-growing demand for data from IACS. From there, we started to encounter some serious issues once control systems were added to business networks or connected to the Internet. In this presentation, we begin by talking about the cyber security challenges facing the industry today.
     Story: IACSs are a lot like Ferraris. Both are fit for purpose and both are engineered to excel in one particular area. Ferraris are fast cars: lightweight race cars designed for speed and agility. Industrial control and automation systems are built to process and interpret massive amounts of real-time data, and to quickly adapt to changing process conditions. However, you would never drive a Ferrari into battle. It is fast, but not particularly bulletproof. It was never designed to be reinforced with armor or fitted with weapon mounts. Comparatively, a Control System can be easily taken down with some simple fuzzing using bad traffic. Today's control systems were not designed to repel attacks, but they are really good at doing what they were designed to do. There are certainly some trade-offs when you start to add armor plating and guns to a Ferrari: suddenly it is heavier, less agile and slower on the race track. As an industry we have a long way to go to catch up with the IT world. Because of the long-term investment nature of this industry, it moves at a glacial pace.
     Key Message: Balancing security in this industry is a long-term journey. There is no easy button for IACS Cyber Security.
  3. Description: Before we look at Incident Preparation, we have to ask ourselves: why should anyone care about Cyber Incidents in Industrial Control and Automation Systems?
     Operations: The effects on operations include Loss of View / Loss of Control, and long nights or weekends away from your families. One example: a "Conficker" worm outbreak ended up with a $300k bill from the vendor. Another: Loss of View due to a virus on a remote offshore rig required an operator to sit out in a boat for two days, ready to hit the ESD button if things went wrong.
     Company: The effects on the company include Reputational Damage and Product Deferment. Story: A real-life example is the Sony Hack. It caused reputational damage: Amy Pascal, the head of Sony Pictures, stepped down. BP: reputational damage.
     Regulatory: Regulatory impacts include Confidentiality, Integrity and Availability penalties.
     Key Message: A Cyber Incident does not have to be malicious in nature. It could be accidental, a bad Antivirus update, or a SCADA software upgrade gone bad. Cyber Incident = Any Digital Disruption = a Safety Issue and a Reliability Issue as well as a Security Issue.
     References: The NIST definition of a cyber incident as defined in FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf. Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Institute of Standards and Technology (NIST).
  4. How do you know if your diet is working if you never step on the scale? How do you know you are mitigating cyber risk if you are not documenting and managing incidents?
     Real-world Story: We work with one Energy company at Cimation whose security program will not perform any network remediation until an incident response plan has been established at an operating asset. If something goes wrong with a change being made to a network, the proper procedures must be in place to handle it.
     What is the value in Incident Management? It is a lifecycle approach to incident response, which promotes continuous business improvement (Six Sigma). PICERL is one incident response framework that I like because it is easy to remember.
     Why focus on preparation? It's the first step in the process: be prepared. Mitigation of Risk. Reduce Impact. Save Time.
     Key Message: Safe, Reliable and Secure. There is a strong business case for having a formal Cyber Incident response framework in place, which will: reduce Risk (Safety, Financial, Environmental); improve Reliability; over time, produce valuable statistical data for measuring the digital health of an operating asset. The value proposition of cyber incident management is continuous improvement.
     References: Pickerel is a freshwater fish in the pike family found in the Eastern half of the United States.
  5. Description: ICS-CERT is the Industrial Control Systems Cyber Emergency Response Team, created by the Department of Homeland Security (DHS) to deal with security related to industrial control systems. Most often the Cyber incidents reported to the ICS-CERT are emergencies and malicious in nature. The majority of IACS cyber incidents occur in the energy sector; this has been the case for several years. In 2014 the second largest slice of the pie was the Critical Manufacturing sector, which represents a number of SIs, OEMs and Vendors being targeted by Cyber Attacks in order to gain access directly to control systems. 40% of the incidents are from unknown origins, so these organizations have no idea how the Bad Actors gained access. How do you remediate that? If you don't know how they got in, you cannot close that hole, and they will likely be back.
     Key Message: We are seeing an increased number of incidents and threats reported annually.
     References:
       Year   Incidents   Vulnerabilities
       2011   140         138
       2012   197         137
       2013   257         187
       2014   245         159
     ICS-CERT: https://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Sep2014-Feb2015.pdf
     ICS-CERT: https://ics-cert.us-cert.gov/sites/default/files/documents/Year_In_Review_FY2013_Final.pdf
  6. Description: Let's talk about a few foundational ways that an organization can prepare for a cyber incident. These are all pretty basic things that most organizations can do to some degree. In order to sustain an IT solution in the long term, a lifecycle approach is taken involving People, Process and Technology. Without these three things, you cannot sustain incident management within an organization.
     Key Message: Cyber incident preparation is a long-term journey and not a short-term destination. A lifecycle approach to incident response is required in order for it to be sustainable and effective.
  7. Description: Again, a lifecycle approach should be taken in order to be prepared for an incident.
     Assign the People: Assign a Cyber Incident Response Team that incorporates the roles and skills needed to handle all aspects of an incident.
     Educate the People: Create a community of Cyber Incident Awareness and Accountability. The team should also work to educate the site community on the Incident Response processes.
     Drill the People: Regular practice, in the form of exercises 2-3 times/year, is key to preparation. Exercises should be realistic and diverse so that responses. Review and update on a regular basis.
     Key Message: Empower an incident response team and ensure they practice the process. Engage the site community in the Incident Identification and Response Process.
  8. Description:
     Real-world Story: My role at Shell focuses on people and process within a global program: Policies, Procedures and Work Instructions for Incident Management. However, this is not the right answer for all companies. At the very least you should create a one-page policy stating "You Shall Report Incidents".
     Documented processes lay the foundation to support incident handling. Your processes must be driven by a level of leadership that is ultimately accountable for managing the Risk of an operating asset (Safety, Financial and Environmental accountability).
     Policies should be a one-page document that is signed by leadership and provides the Shall statements and the consequences for not following them.
     Procedures should outline the process for identification and classification of events and incidents and the thresholds at which events should be escalated. Procedures should also provide guidance on the frequency at which logs should be reviewed.
     Work Instructions provide the key information and paperwork required to log, escalate and manage an incident. They should contain the specific contact information of the members of the incident response team (more on that when we talk about the people aspect of incident preparation).
     Some questions to ask yourself: What is a Cyber Event of Interest? When does it become a Cyber Incident? What levels of escalation exist for a Cyber Incident?
     Remember, all the documents should have a document owner, be reviewed / updated on a regular basis and follow proper management of change processes. The documents should be accessible to everyone at an operating asset and hyperlinked together.
     Key Message: A solid foundation for incident preparation begins with Process that is documented, supported by leadership, maintainable and accessible.
     References: http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf http://niccs.us-cert.gov/research/cybersecurity-capability-maturity-model.
  9. Description: There are thousands of security technology solutions on the market today. In reality, we are not even taking advantage of basic features of Windows and network hardware that could drastically reduce risk, so why would we start buying expensive hardware and software solutions?
     Network Diagrams: In my experience it is extremely rare to encounter an operating asset that has a Network Diagram and an Asset Inventory. Quite often they are outdated or just wrong. You cannot be prepared for a Cyber Incident if you do not even understand what you have in the field.
     Real-world Story: A company pulled together its incident response team because the FBI had contacted them. The FBI had arrested a Bad Actor, and on his laptop they found network diagrams and asset inventory information belonging to the company. The company was perplexed because the network diagram and asset inventory did not match what the company had on file. But the MAC addresses (the globally unique identifiers found on all network equipment) matched. Upon further investigation, it turned out the network diagrams and asset inventory in the Bad Actor's possession were much more accurate and up to date than what the company had on file.
     Event Logging: I am not even talking about an advanced SIEM (Security Information and Event Management) hardware solution here. I am talking about turning ON event logging in Windows and on network equipment. That is Step ONE. If you recall from the ICS-CERT 2014 findings, 40% of attacks came from an unknown origin. I am sure that in 1% of those cases the hackers were clever enough to cover their tracks, and in 99% of the cases event logging was not even turned on. Step TWO is centrally archiving and storing the Windows logs and network device syslogs in a secure location. Again, you can do this using features built into Windows. Step THREE is actually looking at the logs from time to time.
     If you have the advanced skills and resources to make sense of the events you are logging, then perhaps it is time to purchase a hardware / software SIEM solution. But if you cannot maintain it, then don't bother. At the very least, if a serious incident occurs, experts will be able to access the event information and determine the root cause. If you don't know why the incident occurred, then you cannot prevent it from occurring again, and you will not be prepared for when it happens again. Before adding more technology to your IACS, ensure you can properly manage the technology you have.
     Real-world Story: I heard a story from one of Cimation's customers about an Event Management system installed at an operating asset. The vendor came, plugged it into the network, configured it, showed a few operators how to use it and then left. The problem was that the customer did not create any processes to view, update or maintain this system. No one ever looked at this system because no one was accountable for looking at it. And if they did look at it, they were not properly trained to understand what it was telling them. This system collected dust for a few years until one day its logs overflowed, it started to spew traffic on the network and it created a 2 million dollar outage. All because the customer implemented technology that they lacked the processes and knowledge to properly maintain.
     Key Message: Focus on the basics. Technology can be a great way to reduce Cyber Risk. Ensure that you actually have the dedicated skills and resources to maintain the solution for the long term. Make sure you are taking full advantage of the technology you currently have in your IACS before you add new technology. There are a ton of simple things you can do with Windows, switches, routers and firewalls that can drastically reduce your cyber risk. Reducing Cyber Risk doesn't have to eat into your CapEx budgets.
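     The Step TWO and Step THREE review above, as an added example that is not part of the presentation: a short Python pass over a central log archive that cross-checks it against the asset inventory (assets that never log are exactly the ones whose logging was never turned on or forwarded) and pulls out a few events of interest for escalation. All hostnames, syslog lines and Windows event lines are constructed sample data, and the three escalation rules are illustrative assumptions, not an ICS-CERT or Cimation list.

```python
"""Added example (not from the presentation): review a central log archive
against the asset inventory and flag events of interest. Sample data is constructed."""
import re
from datetime import datetime, timedelta, timezone

ASSET_INVENTORY = {"HMI-01", "HIST-01", "SW-CORE-01", "ENG-WS-01"}  # constructed

# Constructed archive: switch syslog and exported Windows events, normalised
# by the collector to "<UTC timestamp> <host> <message>".
ARCHIVE = """\
2015-03-01T08:00:05Z SW-CORE-01 %SYS-5-CONFIG_I: Configured from console by admin
2015-03-01T08:02:10Z HMI-01 EventID=4625 An account failed to log on. Account=operator
2015-03-01T08:02:14Z HMI-01 EventID=4625 An account failed to log on. Account=operator
2015-03-01T08:02:19Z HMI-01 EventID=4625 An account failed to log on. Account=operator
2015-03-01T08:05:00Z PLC-GW-07 EventID=4624 An account was successfully logged on.
2015-02-20T17:30:00Z HIST-01 EventID=1102 The audit log was cleared.
""".splitlines()

NOW = datetime(2015, 3, 1, 9, 0, tzinfo=timezone.utc)  # time of the review
EPOCH = datetime.min.replace(tzinfo=timezone.utc)
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse(lines):
    """Return (timestamp, host, message) tuples; skip malformed lines."""
    out = []
    for m in filter(None, map(LINE_RE.match, lines)):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts.replace(tzinfo=timezone.utc), m.group(2), m.group(3)))
    return out

def silent_assets(events, inventory, now, max_gap=timedelta(hours=24)):
    """Inventory assets with no log line inside max_gap: logging is off,
    not forwarded, or the inventory no longer matches the field."""
    last = {}
    for ts, host, _ in events:
        last[host] = max(ts, last.get(host, EPOCH))
    return sorted(h for h in inventory if now - last.get(h, EPOCH) > max_gap)

def unknown_hosts(events, inventory):
    """Hosts that log but are not in the inventory: the diagram is out of date."""
    return sorted({h for _, h, _ in events} - set(inventory))

def events_of_interest(events, threshold=3):
    """Escalation rules (assumed): audit log cleared, switch config change,
    and threshold-or-more failed logons (EventID 4625) on one host."""
    flags, failed = [], {}
    for _, host, msg in events:
        if "EventID=1102" in msg or "CONFIG_I" in msg:
            flags.append((host, msg.split(" ", 1)[0]))
        elif "EventID=4625" in msg:
            failed[host] = failed.get(host, 0) + 1
    flags += [(h, f"{n} failed logons") for h, n in failed.items() if n >= threshold]
    return flags
```

     On the sample data the review reports HIST-01 and ENG-WS-01 as silent, PLC-GW-07 as a host missing from the inventory, and three events to escalate.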
  10. Description: 2014 ICS-CERT Industrial Automation and Control System emergency responses by industry.
     Key Message: The Energy industry continues to represent the largest number of cyber incident emergency responses.
     References: ~300 2014 ICS Incidents by industry
       Energy 79
       Critical Manufacturing 65
       Other 57
       Healthcare 15
       Government 13
       Nuclear 6
       IT 5
       Finance 3
       Food and Ag 2
     Breakdown of Other (57):
       Communications 14
       Commercial Facilities 7
       Chemical 4
       Unknown 6
       Water 14
       Transportation 12
  11. Description: 2014 ICS-CERT: for nearly 40% of incidents, ICS-CERT was unable to determine how the Industrial Control System was compromised.
     Key Message: Inability to determine the origin of a Cyber Incident reflects poorly on the industry's level of preparation for a Cyber Incident. 60% is a D grade.
     References: ~300 ICS 2014 Incidents by attack vector
       Unknown 94
       Scanning 53
       Spear Phishing 42
       Misc 56
     Breakdown of Misc (56):
       Misc 21
       Auth 13
       Abuse Access Auth 9
       USB 5
       SQL Injection 5
       Brute Force 3