SlideShare a Scribd company logo

Darktrace white paper_ics_final

CMR WORLD TECH
CMR WORLD TECH

Darktrace white paper_ics_final

Data & Analytics
1 of 12
Download to read offline
Cyber Security for Corporate and Industrial Control Systems WHITE PAPER Darktrace Industrial Immune System Provides Continuous Threat Monitoring for Oil & Gas, Energy, Utilities, and Manufacturing Plants
"CISOs responsible for cyber security strategies should consider solutions for advanced persistent threat detection and analysis that can be used across both IT and OT environments." Earl Perkins, Gartner Cool Vendors in Energy and Utilities, 2015 Darktrace named Gartner 'Cool Vendor' 2015 "The worst case scenario is a critical infrastructure attack, and these organizations are ill prepared to deal with it." Dr Larry Ponemon, Founder of Ponemon Institute
White Paper 3 Executive Summary Industrial Control Systems (ICS) underpin both individual businesses and large parts of the National Critical Infrastructure. They maintain control over facilities such as power stations, water distribution and car production lines. Historically they were kept separate from corporate networks, but significant achievable business benefits are driving a convergence between Operational Technology (OT) systems, such as ICS, and the corporate Information Technology (IT) environment, and hence the wider internet. The business of cyber security has changed dramatically in the past few years, presenting a significant challenge to managementteamsacrossallindustriesandbusinessdomains.Organizationstodayareinauniquepositiontoquantifiably outpace threats and manage them to minimize organizational impact, whether that be reputational, financial or physical. We see an increasing trend toward IT security teams taking on more accountability and responsibility for securing the OT systems, which require different specialist skills and working practices. This cultural and technical convergence will be a steep learning curve, one to be overcome. Now open to the same attack vectors used in the majority of cyber-attacks, ICS devices are inherently much less secure but their compromise can lead to enormous physical damage and danger to human lives. Ever since the Stuxnet malware was widely reported in 2010, threats to industrial systems have grown rapidly in both number and capability. This was made clear in the 2014 compromise of a German steel mill that caused massive damage to a blast furnace. Ongoing malware campaigns such as ‘Energetic Bear’ are actively acquiring critical data about control systems, while quietly maintaining persistent access. Existing defenses such as firewalls have repeatedly proven inadequate on their own, especially against insiders who may already have privileged access. Darktrace’s Industrial Immune System is a fundamental innovation that views data from an ICS network in real time, and establishes an evolving baseline for what is normal for operators, workstations and automated systems within that environment. Advanced Bayesian mathematics and cutting-edge machine learning detect abnormal behavior and flag it for investigation, capable of discovering previously unknown attacks as they emerge. Total prevention of all cyber compromises is not a realistic goal but, if identified early enough, threats can be mitigated before they become a full- blown crisis. Darktrace’s technology can be deployed across both IT and OT environments to provide full coverage of an organization.
4 •• Enhanced performance through cost and time saving which allows for the smooth transition of newly-developed products into existing manufacturing operations, reducing time to market •• Business optimization using data transferred between IT and OT environments The breakdown of this cultural divide between OT and IT staffs will often require CISOs to manage across teams that historically have different approaches to cyber security. During this convergence the assurance of long-term reliability and safety requires CISOs to reshape enterprise security practices. The merging of specialized OT systems with IT technologies and endpoints will require CISOs to assume responsibility for OT cyber security without specialized OT skills or in matrix-based organizational environments, thereby exposing new technology and change-management risks. This gap in skill sets as IT and OT systems converge will generate new cyber security problems as attacks become more focused and sophisticated. A strategic and unified approach to cyber security will inevitably benefit organizations, allowing them to operate in a more reliable and efficient manner. Industrial Control Systems face numerous cyber- security threat vectors with varying degrees of potential loss, ranging from non-compliance to disruption of operations which could result in destruction of property and, unfortunately, potential loss of human life. Examples of potential ICS-related threats include: •• Advanced Persistent Threats (APTs) •• Unintended spillover of corporate network compromises •• Disruption of voice & data network services •• Coordinated physical & cyber-attack •• Insider sabotage •• Hacktivist attacks •• Supply chain disruption or compromise •• Catastrophic human error •• Distributed Denial of Service (DDOS) The cost is significantly higher to remediate a system than to detect a cyber threat early, not only in time and money, but also in safety and reputation. Legacy approaches have fallen short as evidenced by cyber- attacks ranging from the infamous Stuxnet to a recent German steel mill compromise. What if the Saudi Aramco attack had been aimed at critical infrastructure instead of business workstations? Enabling Modern Industry Industrial Control Systems (ICS) are at the heart of modern industry, monitoring and controlling complex processes and equipment. Many businesses are wholly underpinned by the reliable functioning of this Operational Technology (OT), such as automated production lines at car manufacturing plants. For organizations that form part of the National Critical Infrastructure, the consequences of unplanned outages are far-reaching, being responsible for maintaining utilities such as power, heating and clean water to huge numbers of households and places of work. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. ICS and SCADA ICS is an umbrella term covering many historically different types of control system such as SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control Systems). Also known as IACS (Industrial Automation and Control Systems), they are a form of Operational Technology. In practice, media publications often use “SCADA” interchangeably with “ICS”. Corporate Information Technology (IT) systems and Industrial Control Systems have different objectives, even when operating within the same organization. While IT and OT often speak different languages, cyber- attacks across both environments have continued to evolve to become more targeted and destructive. When it comes to ICS, reliability is the primary concern as attackers aim to disrupt the critical services customers rely upon. IT and OT systems are converging, driven primarily by economic pressures resulting from globalization and intensifying competition, along with the benefits and eventual competitive advantages that stem from the integration of these disciplines. These benefits include; •• Cost reduction by applying similar technology, standards and governance principles for IT and OT, including remote management •• Risk reduction through jointly addressing safety issues, leading to an integrated approach that provides enhanced security against cyber intrusions from outside the company and to central cyber- security governance within the company
White Paper 5 ICS Cyber Security Issues Historically, industrial control environments were ‘air- gapped’; physically isolated from corporate networks and the internet. However, computer viruses and other forms of cyber-attacks such as Stuxnet [1] and “agent.btz” [2] have been known to bridge the gap by exploiting security holes related to the handling of removable media, or simple human error. While security is an upside of having a seemingly closed or isolated system, the downside includes the limited access or inability to access enterprise decision making data or to allow control engineers to monitor systems from other networks. Additionally, ICS often tie together decentralized facilities such as power, oil & gas pipelines, water distribution and wastewater collection systems, among many others, where the network is hard to physically secure. ICS systems, whilst effectively designed to be interoperable and resilient, are not necessarily secure. With the increasing number of connections between ICS systems, corporate networks and the internet, combined with the move from proprietary technologies to more standardized and open solutions, they are becoming more susceptible to the kind of network attacks that are found more commonly in IT environments. Cyber-security researchers are particularly concerned about the systemic lack of authentication in the design, deployment and operation of some existing ICS networks and the belief that they are completely secure simply because they are physically secure. It has become clear that any possible connection to the internet can be exploited, even if it is not direct. ICS- specific protocols and proprietary interfaces are now well documented and easily exploited. The use of a VPN (Virtual Private Network) is also not sufficient protection for ICS users as this can be trivially bypassed with physical access to network switches and never provides end-to-end coverage. ICS vendors are increasingly urging CISOs to converge their approaches to IT and OT cyber security, with an equal level of caution and depth in defense strategy. Challenges Facing Industry Industry faces a growing challenge in dealing with cyber threats, both external and internal. There are an increasing number of threat actors with both the motivation and capability to compromise industrial control networks and devices. The consequences of compromise range from damaging to catastrophic, from immediate physical harm to long-term industrial espionage. Control engineers historically have not had to worry about cyber threats coming through corporate IT systems, while IT security staff have had little to do with the fundamental differences in control systems or the physical equipment that those systems manage. ICS devices are inherently insecure, and extremely difficult to update with even the rudimentary protections that are possible. A New Approach: Darktrace and the Immune System Utilities, OT-centric industries and other national infrastructure organizations, are challenged with rethinking cyber security across all technologies to deliver continuous insight that provides early warning of both indiscriminate and targeted compromises, supported by mechanisms that can manage incidents before they become a business crisis. Total prevention of compromise at any cost is untenable, however, detection and response to prevent a crisis from developing is an achievable cyber security goal in an IT/ OT environment. Darktrace’s Industrial Immune System for ICS is a fundamental innovation that implements a real- time “immune system” for operational technologies and enables a fundamental shift in the approach to cyber defense. Based on groundbreaking advances in Bayesian probability theory and powered by cutting- edge machine learning, Darktrace analyzes data and "Darktrace adds another level of sophistication to our defense systems, and had already identified threats with the potential to disrupt out networks." Martin Sloan, Group Head of Security, Drax
6 creates a unique behavioral understanding of “self” for each user and device within the network and, like a biological immune system, it detects threats that cannot be defined in advance by identifying even subtle shifts in expected behavior. People and devices all behave in a unique way that necessarily differs from their peers to varying degrees. However, their behaviors are significantly more predictable when compared to their historical behaviors and patterns of change. With Darktrace’s self-learning “immune system”, organizations are able to detect and respond to emerging threats, even if novel or tailored, and regardless of whether they originate in either the IT or operational domains, or traverse between them. By identifying unexpected anomalies in behavior, defendersareabletoinvestigatemalwarecompromises and insider risks as they emerge and throughout stages of the attack lifecycle. Darktrace provides the real-time visibility required to make intelligence-based decisions in live situations, while enabling in-depth investigations into historical activity. Real Vulnerability While it is likely that many attacks are never revealed to the public, the list of known compromises is growing. The most notorious incident that arguably propelled the vulnerability of ICS into the mainstream consciousness was the discovery of the Stuxnet attack in June 2010 [1], a “weaponized” form of malware. Stuxnet targeted the Natanz nuclear facilities in Iran with great precision, causing nuclear centrifuge equipment to wear out at a vastly increased rate. Sabotage and Shutdowns Significant attacks have been made by former employees who wrongfully retained access following dismissal, such as Mario Azar, who was indicted for disabling a computer system detecting pipeline leaks in Southern California [3]. Attacks by individuals who never possessed legitimate access include the compromise of the South Houston, TX water system. [4]. ICS networks have also been damaged as unintended side effects of problems starting in corporate networks that took advantage of the increasing connectivity, proving clearly that the standard PCs which now form part of a typical ICS are open to the same compromises as their enterprise counterparts. At least three problems at major power stations have been publicly attributedtothis;theDavis-Bessenuclearpowerstation (Ohio, USA) when safety systems were crippled by the Slammer worm [5], the Browns Ferry nuclear power station (Alabama, USA) being manually scrammed as a result of a drastic increase in network traffic [3], and the Hatch nuclear power station (Georgia, USA) due to a faulty software update on a business network machine that communicated with the control network [6]. German Steel Mill At the end of 2014, the most significantly publicized attack since Stuxnet was revealed in a German report disclosing that hackers had struck an unnamed steel mill in Germany [7]. This was a targeted Advanced Persistent Threat (APT) compromise, beginning with a spear-phishing attack that enabled the hackers to gain initial access onto the office network of the steelworks. From there, they were able to successfully explore the company’s networks and eventually manipulate and disrupt the production networks. Failures of individual control components accelerated, resulting in a blast furnace being unable to shut down which caused “massive” damage to the installation. Reconnaissance and Pre-positioning The goals of the largest known ongoing ICS attack campaigns have mostly shifted away from active sabotage to long-term persistent compromise and reconnaissance. Recently the Energetic Bear campaign has used the Havex [8] Remote Access Trojan (RAT) and the Sandworm APT group have been using a variant of the BlackEnergy malware [9]. In both cases ICS-CERT, the USA’s Industrial Control Systems Cyber Emergency Response Team, have long-running alerts tracking them [10][11]. Both provide persistent external access to compromised control networks and are capable of downloading additional modules to enhance their capability. Having identified all of the devices in a network, it would be simple for them to download additional sabotage modules and cause immediate, widespread damage. Havex was targeted against ICS customers by using a highly effective ‘watering-hole’ attack, where the attackers compromised three legitimate ICS vendor websites and replaced real software updates with versions already containing the malware. There was no possible way for traditional network defenses such as border firewalls to protect against this, and standard procedures employed in many corporations would have trusted the trojanized updates and added them to internal whitelists of software for authorized use.
White Paper 7 If an environment is infected in this manner, only its unique behavior, once installed on the ICS network, could be used to detect Havex’s presence. A survey published in April 2014 by the SANS Institute [12] reported a significant increase in the number of identified or reported breaches of control systems over just the previous twelve months. Respondents also noted that their ability to protect these systems had not improved within the same period. This is a chilling indictment of the challenges facing the OT cyber-security efforts of organizations today. Darktrace Technology New vulnerabilities are emerging at a pace that is difficult to keep up with, and looking only for published historical attack types is an unsuitable approach for operationally important environments. Darktrace does not require a priori assumptions about environments or threats, and can therefore detect the ‘unknown unknown’ threats that are as yet unidentified, either because they are novel or have been tailored to a particular defender. The Darktrace architecture continues to adapt and self-learn throughout its entire deployment. Its understanding is constantly being revised and refined in light of new evidence as it ingests and analyzes new information - the more data it sees, the more it learns. This adaption means that no new or customized threat has the ability to hide from Darktrace. Whenever an abnormal change to behavior takes place within the environment, the Industrial Immune System identifies deviations from the learned ‘pattern of life’ and alerts the organization to the possible threat. Changes that are not real threats are incorporated into Darktrace’s evolving understanding of normality. The advanced mathematics inside Darktrace make it uniquely capable of highlighting significant potential threats without burying them beneath many misguided, insignificant or repeating alerts. Far more than a set of simple rules applied to network traffic, it can correlate many subtle indicators separated by location or time into strong evidence of a real emerging threat, meaning that security analysts are not flooded with false positives. Darktrace’s Threat Visualizer interface can be used to manage these detections, but it is also possible to route the output to an organization’s existing Security Information and Event Management (SIEM) system, to integrate with established processes and procedures. Passive Observation Connecting new devices into a corporate network is straightforward and routine, with little attached risk. The same is not true of industrial networks, where for many applications even the slightest interruption in service could be damaging. This is why larger and more critical networks are left as untouched as possible between planned outages. The Darktrace appliance runs on a server that is connected completely passively to an ICS network, receiving copies of as much communication traffic as possible. It does not interfere with the operation of the control network in any way, flagging anomalies for investigation but not attempting to influence the situation. The appliance receives copies of raw network data using the built-in port mirroring or “spanning” capabilities of network switches, or using fail-safe taps, sometimes via an aggregator to bring together numerous connections in one location. ICS networks are deliberately segregated into Trust Levels as defined by the ISA95/Purdue reference model [13], depending on how much each device on the network is trusted to behave as expected. Darktrace can be connected at Level 2 (supervisory control), Level 3 (data servers) and Level 4 (IT networks) to provide defense in depth. It also extends cyber-security coverage down into Level 1 (field devices). A highly flexible, distributed architecture allows Darktrace to securely cover multiple Trust Levels and the wide variety of network topologies within and between them. Examples include wholly separate appliances for each Trust Level, or multiple appliances within a widely distributed single Trust Level with a master appliance providing a single interface. If required, a network diode device could guarantee that a channel for moving data from one Trust Level to a higher Trust Level to reach a single appliance covering both cannot be used to communicate in the other direction.
8 Darktrace Proof of Value Darktrace's Proof of Value (POV) allows organizations to experience first-hand its Industrial Immune System's ability to detect previously unseen threats and anomalous behaviors within a customer’s own environment. Along with the POV, Darktrace provides access to our Threat Visualizer (below) for use during the POV as well as weekly Threat Intelligence Reports produced by its team of cyber security specialists. Some organizations prefer to trial Darktrace on their corporate IT systems to confirm the passive and secure operation before engaging installation into ICS networks. Visibility Into Industrial Control Systems Architectures of ICS systems and their operational networks are often documented to a standard that exceeds corporate equivalents, but these long-lived environments are complicated and will typically have undergone many changes by multiple individuals over their lifetime. Knowing and understanding what is genuinely happening inside the environment can be a real challenge. Darktrace addresses this challenge by observing, analyzing and capturing communications along with their associated metadata. In addition to its core identification of anomalous activity and possible compromise, Darktrace’s Threat Visualizer interface uniquely displays all this rich information in an intuitive 3D dashboard that allows the operator to get a true and real-time overview of what is happening. This can be used to investigate whether the control system’s real behavior matches its intended design. Darktrace’s Industrial Immune System retains all of the capabilities of Darktrace in the corporate environment, and will ideally be deployed observing both the ICS and corporate networks. The most likely attack vector for ICS compromise is the IT network. Discovering threats while still within the corporate network vastly increases the defense-in-depth of the control system. This also protects confidential data about the control system stored on corporate servers, which might include detailed operational diagrams, device details or efficiency and safety reports. Fig. 1 - Threat Visualizer
White Paper 9 Insider Threat Threat from ‘trusted’ insiders is an important consideration for OT environments. Over the long lifecycles involved with the building and utilization of infrastructure and manufacturing equipment, a large number of different individuals, including both permanent staff and short-term contracted specialists, will usually have interacted with control systems. Many of them will have had privileges that allow them to modify configurations or the underlying software and hardware. Vetting and training staff can reduce but not eliminate the risk of insider incidents from occurring. These incidents can be unintentional due to a mistake or intended short-cut that puts something important at risk, or a deliberate act by a disaffected or ideologically motivated individual. The increased access and organizational familiarity that insiders have means their malicious actions can be very well targeted and effective at disrupting operations. They also have a greater ability to interfere with monitoring or masquerade as others, making their activities harder to identify and attribute. Insider risk is a serious challenge often underestimated in breadth. When supply chains or contractors are involved, it becomes impossible to draw a neat line between ‘inside’ and ‘outside’. We need to trust people in our extended organizations with the access and privilege that they require to do their jobs, but we also need mechanisms to identify when something is going wrong and needs to be corrected. Traditional network border defenses such as firewalls perform an important function in a complete cyber- security solution, but insiders are a key example of their limitations. Insiders do not have to pass through border defenses to accomplish most of their potential goals, meaning that those defenses have no chance at all to prevent or identify their actions [14]. Given the complexity and the variety of people and processes that make up an organization, any monitoring approach needs to start from a complete understanding of what is normal for the unique environment. Only then can it have the insight to identify subtle patterns and correlated action over time that can be the only early signs of emerging issues, and allow them to be handled before they become major crises.
10 Conclusion Businesses face many challenges as we move into an era of ever increasing connectivity and standards of communication. Those trying to secure industrial control systems as well as corporate networks face additional and substantially different problems, as the devices involved are far less secure than their corporate counterparts. There is public evidence of growing motivation and capability of threat actors towards control systems, a trend likely to continue and brought into sharp focus by the 2014 cyber sabotage of a German steel mill. This attack used state-of- the-art methods to reach the control system of a target with little political or ideological significance, a combination not previously observed. De-risking the OT environment is a perpetual challenge requiring new technologies that will deliver continuous insight and provide early warning of both indiscriminate and targeted compromises. Total prevention of compromise seems effectively impossible for the foreseeable future, but prevention of crises is an achievable goal across both corporate IT and operational technology environments. A new approach that can manage incidents across corporate IT and OT before they become an operational crisis is required. With Darktrace’s self-learning immune system, organizations are able to detect and respond to emerging threats in real-time. Advanced behavioral analysis mathematics can detect even previously unseen novel or tailored attacks, regardless of whether they originate in the corporate IT or OT domains or traverse between them.
White Paper 11 Resources These additional resources, available from our website, complement the information in this white paper. Data Sheet: Stuxnet Example and Full References For a detailed example of how Darktrace can detect previously unseen ICS cyber-threats like Stuxnet, and the full list of supporting references to this White Paper, please email ics@darktrace.com Data Sheet: Standards and Compliance for ICS: NERC CIP V5 Darktrace Industrial Immune System can help organizations transition to the new cyber-security standards set by the North American Electric Reliability Corporation can be found at www.darktrace.com/resources/data-sheets Case Study: Darktrace at Drax A case study of the use of Darktrace at Drax can be found at www.darktrace.com/resources/case-studies White Paper: Enterprise Immune System White Paper A white paper covering the wider use of the Darktrace Enterprise Immune System across a whole organization can be found at www.darktrace.com/resources/whitepapers
ICS-001r2en Darktrace © Copyright 2015 Darktrace Limited. All rights reserved. Darktrace is a registered trademark of Darktrace Limited. Enterprise Immune System, and Threat Visualizer are unregistered trademarks of Darktrace Limited. Other trademarks included herein are the property of their respective owners. About Darktrace Darktrace is one of the world’s fastest-growing cyber threat defense companies and the leader in Enterprise Immune System technology. Darktrace detects previously unknown threats in real time using advanced machine learning and mathematics developed at the University of Cambridge to analyze the behavior of every device, user and network within an organization. Some of the world’s largest corporations rely on Darktrace’s self-learning appliance in sectors including energy and utilities, financial services, telecommunications, healthcare, manufacturing, retail and transportation. The company was founded in 2013 by leading machine learning specialists and government intelligence experts, and is headquartered in Cambridge, UK and Washington D.C., with offices in London, Milan, New York, Paris, San Francisco, and Singapore. Contact Us US: +1 (917) 363 0822 Europe: +44 (0) 1223 350 653 Email: info@darktrace.com www.darktrace.com

Recommended

The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...Amazon Web Services
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure SentinelBGA Cyber Security
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
introduction to Azure Sentinel
introduction to Azure Sentinelintroduction to Azure Sentinel
introduction to Azure SentinelRobert Crane
 
Threat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure SentinelThreat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure SentinelAshwin Patil, GCIH, GCIA, GCFE
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 

Recommended

The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...
The-Enterprise-Immune-System-Using-Machine-Learning-for-Next-Generation-Cyber...Amazon Web Services
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin
 
Software Composition Analysis Deep Dive
Software Composition Analysis Deep DiveSoftware Composition Analysis Deep Dive
Software Composition Analysis Deep DiveUlisses Albuquerque
 
Microsoft Azure Sentinel
Microsoft Azure SentinelMicrosoft Azure Sentinel
Microsoft Azure SentinelBGA Cyber Security
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
introduction to Azure Sentinel
introduction to Azure Sentinelintroduction to Azure Sentinel
introduction to Azure SentinelRobert Crane
 
Threat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure SentinelThreat Hunting on AWS using Azure Sentinel
Threat Hunting on AWS using Azure SentinelAshwin Patil, GCIH, GCIA, GCFE
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineBridging the Security Testing Gap in Your CI/CD Pipeline
Bridging the Security Testing Gap in Your CI/CD PipelineDevOps.com
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsJoel Divekar
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Cloud security
Cloud securityCloud security
Cloud securityTushar Kayande
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligencePrachi Mishra
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architectureBirendra Negi ☁️
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxMark Simos
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
Azure Sentinel
Azure SentinelAzure Sentinel
Azure SentinelCheah Eng Soon
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation PrasadThorat23
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsMITRE ATT&CK
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security OverviewAlert Logic
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksBGA Cyber Security
 
Cybersecurity in the Era of IoT
Cybersecurity in the Era of IoTCybersecurity in the Era of IoT
Cybersecurity in the Era of IoTAmy Daly
 

More Related Content

What's hot

Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellenceErik Taavila
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligencePrachi Mishra
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architectureBirendra Negi ☁️
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxMark Simos
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution hashnees
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation JourneyDevOps Indonesia
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsMITRE ATT&CK
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity frameworkShriya Rai
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security OverviewAlert Logic
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 

What's hot (20)

Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
DevSecOps
DevSecOpsDevSecOps
DevSecOps
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Cloud security
Cloud securityCloud security
Cloud security
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
cyber-security-reference-architecture
cyber-security-reference-architecturecyber-security-reference-architecture
cyber-security-reference-architecture
 
The Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptxThe Open Group - ZT Commandments and Reference Model.pptx
The Open Group - ZT Commandments and Reference Model.pptx
 
Identity & access management
Identity & access managementIdentity & access management
Identity & access management
 
McAfee SIEM solution
McAfee SIEM solution McAfee SIEM solution
McAfee SIEM solution
 
Azure Sentinel
Azure SentinelAzure Sentinel
Azure Sentinel
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation
 
DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- Campaigns
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
Microsoft Azure Security Overview
Microsoft Azure Security OverviewMicrosoft Azure Security Overview
Microsoft Azure Security Overview
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 

Similar to Darktrace white paper_ics_final

Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksBGA Cyber Security
 
Cybersecurity in the Era of IoT
Cybersecurity in the Era of IoTCybersecurity in the Era of IoT
Cybersecurity in the Era of IoTAmy Daly
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetIvan Carmona
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture Symantec
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Abhishek Goel
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Hamilton
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Securityreuben_mathew
 
VET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enVET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enKarel Van Isacker
 
Cybersmart_buildings_securing your investment in connectivity and automation
Cybersmart_buildings_securing your investment in connectivity and automationCybersmart_buildings_securing your investment in connectivity and automation
Cybersmart_buildings_securing your investment in connectivity and automationIron Mountain
 
Be wp cybersmart_buildings (1)
Be wp cybersmart_buildings (1)Be wp cybersmart_buildings (1)
Be wp cybersmart_buildings (1)JeremyGarcia46
 
Be wp cybersmart_buildings
Be wp cybersmart_buildingsBe wp cybersmart_buildings
Be wp cybersmart_buildingsJeremyGarcia46
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices IJECEIAES
 
Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...
Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...
Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...Power System Operation
 
CABA Whitepaper - Cybersecurity in Smart Buildings
CABA Whitepaper - Cybersecurity in Smart BuildingsCABA Whitepaper - Cybersecurity in Smart Buildings
CABA Whitepaper - Cybersecurity in Smart BuildingsIron Mountain
 
Strengthening Critical Infrastructure Security.pdf
Strengthening Critical Infrastructure Security.pdfStrengthening Critical Infrastructure Security.pdf
Strengthening Critical Infrastructure Security.pdfssuserc1c354
 
Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network” Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network” Ericsson
 
Challenges and Security Issues in Future IT Infrastructure Components
Challenges and Security Issues in Future IT Infrastructure ComponentsChallenges and Security Issues in Future IT Infrastructure Components
Challenges and Security Issues in Future IT Infrastructure ComponentsMubashir Ali
 
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...Dhana Raj Markandu
 
WIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERAWIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERAAharon Aharon
 
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docx
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docxHOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docx
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docxVOROR
 

Similar to Darktrace white paper_ics_final (20)

Critical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist AttacksCritical Infrastructure Protection from Terrorist Attacks
Critical Infrastructure Protection from Terrorist Attacks
 
Cybersecurity in the Era of IoT
Cybersecurity in the Era of IoTCybersecurity in the Era of IoT
Cybersecurity in the Era of IoT
 
Sb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinetSb securing-industrial-control-systems-with-fortinet
Sb securing-industrial-control-systems-with-fortinet
 
An Internet of Things Reference Architecture
An Internet of Things Reference Architecture An Internet of Things Reference Architecture
An Internet of Things Reference Architecture
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat BriefingBooz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Industrial Cybersecurity Threat Briefing
 
Capstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid SecurityCapstone Team Report -The Vicious Circle of Smart Grid Security
Capstone Team Report -The Vicious Circle of Smart Grid Security
 
VET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 enVET4SBO Level 2 module 6 - unit 4 - v0.9 en
VET4SBO Level 2 module 6 - unit 4 - v0.9 en
 
Cybersmart_buildings_securing your investment in connectivity and automation
Cybersmart_buildings_securing your investment in connectivity and automationCybersmart_buildings_securing your investment in connectivity and automation
Cybersmart_buildings_securing your investment in connectivity and automation
 
Be wp cybersmart_buildings (1)
Be wp cybersmart_buildings (1)Be wp cybersmart_buildings (1)
Be wp cybersmart_buildings (1)
 
Be wp cybersmart_buildings
Be wp cybersmart_buildingsBe wp cybersmart_buildings
Be wp cybersmart_buildings
 
Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices Augmentation of a SCADA based firewall against foreign hacking devices
Augmentation of a SCADA based firewall against foreign hacking devices
 
Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...
Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...
Recommended Solutions to Major Security Challenges Facing OT & IT Personnel w...
 
CABA Whitepaper - Cybersecurity in Smart Buildings
CABA Whitepaper - Cybersecurity in Smart BuildingsCABA Whitepaper - Cybersecurity in Smart Buildings
CABA Whitepaper - Cybersecurity in Smart Buildings
 
Strengthening Critical Infrastructure Security.pdf
Strengthening Critical Infrastructure Security.pdfStrengthening Critical Infrastructure Security.pdf
Strengthening Critical Infrastructure Security.pdf
 
Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network” Discussion paper: ”The coming obsolescence of the enterprise network”
Discussion paper: ”The coming obsolescence of the enterprise network”
 
Challenges and Security Issues in Future IT Infrastructure Components
Challenges and Security Issues in Future IT Infrastructure ComponentsChallenges and Security Issues in Future IT Infrastructure Components
Challenges and Security Issues in Future IT Infrastructure Components
 
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
Dhana Raj Markandu: Control System Cybersecurity - Challenges in a New Energy...
 
WIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERAWIRELESS DEFENSE STRATEGIES IN THE IOT ERA
WIRELESS DEFENSE STRATEGIES IN THE IOT ERA
 
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docx
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docxHOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docx
HOW TO AUGMENT YOUR CNI CYBERSECURITY WHEN USING CLOUD TECHNOLOGY.docx
 

More from CMR WORLD TECH

Cyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCMR WORLD TECH
 
Cpq basics bycesaribeiro
Cpq basics bycesaribeiroCpq basics bycesaribeiro
Cpq basics bycesaribeiroCMR WORLD TECH
 
Questoes processautomation
Questoes processautomationQuestoes processautomation
Questoes processautomationCMR WORLD TECH
 
Aws migration-whitepaper-en
Aws migration-whitepaper-enAws migration-whitepaper-en
Aws migration-whitepaper-enCMR WORLD TECH
 
Delivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeDelivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeCMR WORLD TECH
 
Why digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementWhy digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementCMR WORLD TECH
 
Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure CMR WORLD TECH
 
Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance CMR WORLD TECH
 
Hyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusHyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusCMR WORLD TECH
 
Apexand visualforcearchitecture
Apexand visualforcearchitectureApexand visualforcearchitecture
Apexand visualforcearchitectureCMR WORLD TECH
 
Trailblazers guide-to-apps
Trailblazers guide-to-appsTrailblazers guide-to-apps
Trailblazers guide-to-appsCMR WORLD TECH
 
Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1CMR WORLD TECH
 
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_CMR WORLD TECH
 
Salesforce voice-and-tone
Salesforce voice-and-toneSalesforce voice-and-tone
Salesforce voice-and-toneCMR WORLD TECH
 

More from CMR WORLD TECH (20)

Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project PresentationCyber Security for Everyone Course - Final Project Presentation
Cyber Security for Everyone Course - Final Project Presentation
 
CPQ Básico
CPQ BásicoCPQ Básico
CPQ Básico
 
Cpq basics bycesaribeiro
Cpq basics bycesaribeiroCpq basics bycesaribeiro
Cpq basics bycesaribeiro
 
Apexbasic
ApexbasicApexbasic
Apexbasic
 
Questoes processautomation
Questoes processautomationQuestoes processautomation
Questoes processautomation
 
Process automationppt
Process automationpptProcess automationppt
Process automationppt
 
Transcript mva.cesar
Transcript mva.cesarTranscript mva.cesar
Transcript mva.cesar
 
Aws migration-whitepaper-en
Aws migration-whitepaper-enAws migration-whitepaper-en
Aws migration-whitepaper-en
 
Delivery readness for pick season and higth volume
Delivery readness for pick season and higth volumeDelivery readness for pick season and higth volume
Delivery readness for pick season and higth volume
 
Why digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagementWhy digital-will-become-the-primary-channel-for-b2 b-engagement
Why digital-will-become-the-primary-channel-for-b2 b-engagement
 
Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure Transcript Micrsosft Java Azure
Transcript Micrsosft Java Azure
 
Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance Buisiness UK Trading Marketing Finance
Buisiness UK Trading Marketing Finance
 
Hyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensusHyperledger arch wg_paper_1_consensus
Hyperledger arch wg_paper_1_consensus
 
Master lob-e-book
Master lob-e-bookMaster lob-e-book
Master lob-e-book
 
Apexand visualforcearchitecture
Apexand visualforcearchitectureApexand visualforcearchitecture
Apexand visualforcearchitecture
 
Trailblazers guide-to-apps
Trailblazers guide-to-appsTrailblazers guide-to-apps
Trailblazers guide-to-apps
 
Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1Berkeley program on_data_science___analytics_1
Berkeley program on_data_science___analytics_1
 
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
 
Salesforce voice-and-tone
Salesforce voice-and-toneSalesforce voice-and-tone
Salesforce voice-and-tone
 

Recently uploaded

Predicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project PresentationPredicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project PresentationBoston Institute of Analytics
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfSocial Samosa
 
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls DubaiDubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls Dubaihf8803863
 
Aminabad Call Girl Agent 9548273370 , Call Girls Service Lucknow
Aminabad Call Girl Agent 9548273370 , Call Girls Service LucknowAminabad Call Girl Agent 9548273370 , Call Girls Service Lucknow
Aminabad Call Girl Agent 9548273370 , Call Girls Service Lucknowmakika9823
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystSamantha Rae Coolbeth
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130Suhani Kapoor
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...Suhani Kapoor
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiSuhani Kapoor
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Delhi Call girls
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiSuhani Kapoor
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Jack DiGiovanna
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改
代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改
代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改atducpo
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptSonatrach
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfLars Albertsson
 

Recently uploaded (20)

Predicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project PresentationPredicting Employee Churn: A Data-Driven Approach Project Presentation
Predicting Employee Churn: A Data-Driven Approach Project Presentation
 
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
 
E-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptxE-Commerce Order PredictionShraddha Kamble.pptx
E-Commerce Order PredictionShraddha Kamble.pptx
 
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdfKantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
Kantar AI Summit- Under Embargo till Wednesday, 24th April 2024, 4 PM, IST.pdf
 
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls DubaiDubai Call Girls Wifey O52&786472 Call Girls Dubai
Dubai Call Girls Wifey O52&786472 Call Girls Dubai
 
Aminabad Call Girl Agent 9548273370 , Call Girls Service Lucknow
Aminabad Call Girl Agent 9548273370 , Call Girls Service LucknowAminabad Call Girl Agent 9548273370 , Call Girls Service Lucknow
Aminabad Call Girl Agent 9548273370 , Call Girls Service Lucknow
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Unveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data AnalystUnveiling Insights: The Role of a Data Analyst
Unveiling Insights: The Role of a Data Analyst
 
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
VIP Call Girls Service Miyapur Hyderabad Call +91-8250192130
 
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
 
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service AmravatiVIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
VIP Call Girls in Amravati Aarohi 8250192130 Independent Escort Service Amravati
 
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
Building on a FAIRly Strong Foundation to Connect Academic Research to Transl...
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改
代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改
代办国外大学文凭《原版美国UCLA文凭证书》加州大学洛杉矶分校毕业证制作成绩单修改
 
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.pptdokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
dokumen.tips_chapter-4-transient-heat-conduction-mehmet-kanoglu.ppt
 
Industrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdfIndustrialised data - the key to AI success.pdf
Industrialised data - the key to AI success.pdf
 

Darktrace white paper_ics_final

  • 1. Cyber Security for Corporate and Industrial Control Systems WHITE PAPER Darktrace Industrial Immune System Provides Continuous Threat Monitoring for Oil & Gas, Energy, Utilities, and Manufacturing Plants
  • 2. "CISOs responsible for cyber security strategies should consider solutions for advanced persistent threat detection and analysis that can be used across both IT and OT environments." Earl Perkins, Gartner Cool Vendors in Energy and Utilities, 2015 Darktrace named Gartner 'Cool Vendor' 2015 "The worst case scenario is a critical infrastructure attack, and these organizations are ill prepared to deal with it." Dr Larry Ponemon, Founder of Ponemon Institute
  • 3. White Paper 3 Executive Summary Industrial Control Systems (ICS) underpin both individual businesses and large parts of the National Critical Infrastructure. They maintain control over facilities such as power stations, water distribution and car production lines. Historically they were kept separate from corporate networks, but significant achievable business benefits are driving a convergence between Operational Technology (OT) systems, such as ICS, and the corporate Information Technology (IT) environment, and hence the wider internet. The business of cyber security has changed dramatically in the past few years, presenting a significant challenge to managementteamsacrossallindustriesandbusinessdomains.Organizationstodayareinauniquepositiontoquantifiably outpace threats and manage them to minimize organizational impact, whether that be reputational, financial or physical. We see an increasing trend toward IT security teams taking on more accountability and responsibility for securing the OT systems, which require different specialist skills and working practices. This cultural and technical convergence will be a steep learning curve, one to be overcome. Now open to the same attack vectors used in the majority of cyber-attacks, ICS devices are inherently much less secure but their compromise can lead to enormous physical damage and danger to human lives. Ever since the Stuxnet malware was widely reported in 2010, threats to industrial systems have grown rapidly in both number and capability. This was made clear in the 2014 compromise of a German steel mill that caused massive damage to a blast furnace. Ongoing malware campaigns such as ‘Energetic Bear’ are actively acquiring critical data about control systems, while quietly maintaining persistent access. Existing defenses such as firewalls have repeatedly proven inadequate on their own, especially against insiders who may already have privileged access. Darktrace’s Industrial Immune System is a fundamental innovation that views data from an ICS network in real time, and establishes an evolving baseline for what is normal for operators, workstations and automated systems within that environment. Advanced Bayesian mathematics and cutting-edge machine learning detect abnormal behavior and flag it for investigation, capable of discovering previously unknown attacks as they emerge. Total prevention of all cyber compromises is not a realistic goal but, if identified early enough, threats can be mitigated before they become a full- blown crisis. Darktrace’s technology can be deployed across both IT and OT environments to provide full coverage of an organization.
  • 4. 4 •• Enhanced performance through cost and time saving which allows for the smooth transition of newly-developed products into existing manufacturing operations, reducing time to market •• Business optimization using data transferred between IT and OT environments The breakdown of this cultural divide between OT and IT staffs will often require CISOs to manage across teams that historically have different approaches to cyber security. During this convergence the assurance of long-term reliability and safety requires CISOs to reshape enterprise security practices. The merging of specialized OT systems with IT technologies and endpoints will require CISOs to assume responsibility for OT cyber security without specialized OT skills or in matrix-based organizational environments, thereby exposing new technology and change-management risks. This gap in skill sets as IT and OT systems converge will generate new cyber security problems as attacks become more focused and sophisticated. A strategic and unified approach to cyber security will inevitably benefit organizations, allowing them to operate in a more reliable and efficient manner. Industrial Control Systems face numerous cyber- security threat vectors with varying degrees of potential loss, ranging from non-compliance to disruption of operations which could result in destruction of property and, unfortunately, potential loss of human life. Examples of potential ICS-related threats include: •• Advanced Persistent Threats (APTs) •• Unintended spillover of corporate network compromises •• Disruption of voice & data network services •• Coordinated physical & cyber-attack •• Insider sabotage •• Hacktivist attacks •• Supply chain disruption or compromise •• Catastrophic human error •• Distributed Denial of Service (DDOS) The cost is significantly higher to remediate a system than to detect a cyber threat early, not only in time and money, but also in safety and reputation. Legacy approaches have fallen short as evidenced by cyber- attacks ranging from the infamous Stuxnet to a recent German steel mill compromise. What if the Saudi Aramco attack had been aimed at critical infrastructure instead of business workstations? Enabling Modern Industry Industrial Control Systems (ICS) are at the heart of modern industry, monitoring and controlling complex processes and equipment. Many businesses are wholly underpinned by the reliable functioning of this Operational Technology (OT), such as automated production lines at car manufacturing plants. For organizations that form part of the National Critical Infrastructure, the consequences of unplanned outages are far-reaching, being responsible for maintaining utilities such as power, heating and clean water to huge numbers of households and places of work. In many industrial processes, reliability of an ICS has a direct and immediate impact on the safety of human lives. ICS and SCADA ICS is an umbrella term covering many historically different types of control system such as SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control Systems). Also known as IACS (Industrial Automation and Control Systems), they are a form of Operational Technology. In practice, media publications often use “SCADA” interchangeably with “ICS”. Corporate Information Technology (IT) systems and Industrial Control Systems have different objectives, even when operating within the same organization. While IT and OT often speak different languages, cyber- attacks across both environments have continued to evolve to become more targeted and destructive. When it comes to ICS, reliability is the primary concern as attackers aim to disrupt the critical services customers rely upon. IT and OT systems are converging, driven primarily by economic pressures resulting from globalization and intensifying competition, along with the benefits and eventual competitive advantages that stem from the integration of these disciplines. These benefits include; •• Cost reduction by applying similar technology, standards and governance principles for IT and OT, including remote management •• Risk reduction through jointly addressing safety issues, leading to an integrated approach that provides enhanced security against cyber intrusions from outside the company and to central cyber- security governance within the company
  • 5. White Paper 5 ICS Cyber Security Issues Historically, industrial control environments were ‘air- gapped’; physically isolated from corporate networks and the internet. However, computer viruses and other forms of cyber-attacks such as Stuxnet [1] and “agent.btz” [2] have been known to bridge the gap by exploiting security holes related to the handling of removable media, or simple human error. While security is an upside of having a seemingly closed or isolated system, the downside includes the limited access or inability to access enterprise decision making data or to allow control engineers to monitor systems from other networks. Additionally, ICS often tie together decentralized facilities such as power, oil & gas pipelines, water distribution and wastewater collection systems, among many others, where the network is hard to physically secure. ICS systems, whilst effectively designed to be interoperable and resilient, are not necessarily secure. With the increasing number of connections between ICS systems, corporate networks and the internet, combined with the move from proprietary technologies to more standardized and open solutions, they are becoming more susceptible to the kind of network attacks that are found more commonly in IT environments. Cyber-security researchers are particularly concerned about the systemic lack of authentication in the design, deployment and operation of some existing ICS networks and the belief that they are completely secure simply because they are physically secure. It has become clear that any possible connection to the internet can be exploited, even if it is not direct. ICS- specific protocols and proprietary interfaces are now well documented and easily exploited. The use of a VPN (Virtual Private Network) is also not sufficient protection for ICS users as this can be trivially bypassed with physical access to network switches and never provides end-to-end coverage. ICS vendors are increasingly urging CISOs to converge their approaches to IT and OT cyber security, with an equal level of caution and depth in defense strategy. Challenges Facing Industry Industry faces a growing challenge in dealing with cyber threats, both external and internal. There are an increasing number of threat actors with both the motivation and capability to compromise industrial control networks and devices. The consequences of compromise range from damaging to catastrophic, from immediate physical harm to long-term industrial espionage. Control engineers historically have not had to worry about cyber threats coming through corporate IT systems, while IT security staff have had little to do with the fundamental differences in control systems or the physical equipment that those systems manage. ICS devices are inherently insecure, and extremely difficult to update with even the rudimentary protections that are possible. A New Approach: Darktrace and the Immune System Utilities, OT-centric industries and other national infrastructure organizations, are challenged with rethinking cyber security across all technologies to deliver continuous insight that provides early warning of both indiscriminate and targeted compromises, supported by mechanisms that can manage incidents before they become a business crisis. Total prevention of compromise at any cost is untenable, however, detection and response to prevent a crisis from developing is an achievable cyber security goal in an IT/ OT environment. Darktrace’s Industrial Immune System for ICS is a fundamental innovation that implements a real- time “immune system” for operational technologies and enables a fundamental shift in the approach to cyber defense. Based on groundbreaking advances in Bayesian probability theory and powered by cutting- edge machine learning, Darktrace analyzes data and "Darktrace adds another level of sophistication to our defense systems, and had already identified threats with the potential to disrupt out networks." Martin Sloan, Group Head of Security, Drax
  • 6. 6 creates a unique behavioral understanding of “self” for each user and device within the network and, like a biological immune system, it detects threats that cannot be defined in advance by identifying even subtle shifts in expected behavior. People and devices all behave in a unique way that necessarily differs from their peers to varying degrees. However, their behaviors are significantly more predictable when compared to their historical behaviors and patterns of change. With Darktrace’s self-learning “immune system”, organizations are able to detect and respond to emerging threats, even if novel or tailored, and regardless of whether they originate in either the IT or operational domains, or traverse between them. By identifying unexpected anomalies in behavior, defendersareabletoinvestigatemalwarecompromises and insider risks as they emerge and throughout stages of the attack lifecycle. Darktrace provides the real-time visibility required to make intelligence-based decisions in live situations, while enabling in-depth investigations into historical activity. Real Vulnerability While it is likely that many attacks are never revealed to the public, the list of known compromises is growing. The most notorious incident that arguably propelled the vulnerability of ICS into the mainstream consciousness was the discovery of the Stuxnet attack in June 2010 [1], a “weaponized” form of malware. Stuxnet targeted the Natanz nuclear facilities in Iran with great precision, causing nuclear centrifuge equipment to wear out at a vastly increased rate. Sabotage and Shutdowns Significant attacks have been made by former employees who wrongfully retained access following dismissal, such as Mario Azar, who was indicted for disabling a computer system detecting pipeline leaks in Southern California [3]. Attacks by individuals who never possessed legitimate access include the compromise of the South Houston, TX water system. [4]. ICS networks have also been damaged as unintended side effects of problems starting in corporate networks that took advantage of the increasing connectivity, proving clearly that the standard PCs which now form part of a typical ICS are open to the same compromises as their enterprise counterparts. At least three problems at major power stations have been publicly attributedtothis;theDavis-Bessenuclearpowerstation (Ohio, USA) when safety systems were crippled by the Slammer worm [5], the Browns Ferry nuclear power station (Alabama, USA) being manually scrammed as a result of a drastic increase in network traffic [3], and the Hatch nuclear power station (Georgia, USA) due to a faulty software update on a business network machine that communicated with the control network [6]. German Steel Mill At the end of 2014, the most significantly publicized attack since Stuxnet was revealed in a German report disclosing that hackers had struck an unnamed steel mill in Germany [7]. This was a targeted Advanced Persistent Threat (APT) compromise, beginning with a spear-phishing attack that enabled the hackers to gain initial access onto the office network of the steelworks. From there, they were able to successfully explore the company’s networks and eventually manipulate and disrupt the production networks. Failures of individual control components accelerated, resulting in a blast furnace being unable to shut down which caused “massive” damage to the installation. Reconnaissance and Pre-positioning The goals of the largest known ongoing ICS attack campaigns have mostly shifted away from active sabotage to long-term persistent compromise and reconnaissance. Recently the Energetic Bear campaign has used the Havex [8] Remote Access Trojan (RAT) and the Sandworm APT group have been using a variant of the BlackEnergy malware [9]. In both cases ICS-CERT, the USA’s Industrial Control Systems Cyber Emergency Response Team, have long-running alerts tracking them [10][11]. Both provide persistent external access to compromised control networks and are capable of downloading additional modules to enhance their capability. Having identified all of the devices in a network, it would be simple for them to download additional sabotage modules and cause immediate, widespread damage. Havex was targeted against ICS customers by using a highly effective ‘watering-hole’ attack, where the attackers compromised three legitimate ICS vendor websites and replaced real software updates with versions already containing the malware. There was no possible way for traditional network defenses such as border firewalls to protect against this, and standard procedures employed in many corporations would have trusted the trojanized updates and added them to internal whitelists of software for authorized use.
  • 7. White Paper 7 If an environment is infected in this manner, only its unique behavior, once installed on the ICS network, could be used to detect Havex’s presence. A survey published in April 2014 by the SANS Institute [12] reported a significant increase in the number of identified or reported breaches of control systems over just the previous twelve months. Respondents also noted that their ability to protect these systems had not improved within the same period. This is a chilling indictment of the challenges facing the OT cyber-security efforts of organizations today. Darktrace Technology New vulnerabilities are emerging at a pace that is difficult to keep up with, and looking only for published historical attack types is an unsuitable approach for operationally important environments. Darktrace does not require a priori assumptions about environments or threats, and can therefore detect the ‘unknown unknown’ threats that are as yet unidentified, either because they are novel or have been tailored to a particular defender. The Darktrace architecture continues to adapt and self-learn throughout its entire deployment. Its understanding is constantly being revised and refined in light of new evidence as it ingests and analyzes new information - the more data it sees, the more it learns. This adaption means that no new or customized threat has the ability to hide from Darktrace. Whenever an abnormal change to behavior takes place within the environment, the Industrial Immune System identifies deviations from the learned ‘pattern of life’ and alerts the organization to the possible threat. Changes that are not real threats are incorporated into Darktrace’s evolving understanding of normality. The advanced mathematics inside Darktrace make it uniquely capable of highlighting significant potential threats without burying them beneath many misguided, insignificant or repeating alerts. Far more than a set of simple rules applied to network traffic, it can correlate many subtle indicators separated by location or time into strong evidence of a real emerging threat, meaning that security analysts are not flooded with false positives. Darktrace’s Threat Visualizer interface can be used to manage these detections, but it is also possible to route the output to an organization’s existing Security Information and Event Management (SIEM) system, to integrate with established processes and procedures. Passive Observation Connecting new devices into a corporate network is straightforward and routine, with little attached risk. The same is not true of industrial networks, where for many applications even the slightest interruption in service could be damaging. This is why larger and more critical networks are left as untouched as possible between planned outages. The Darktrace appliance runs on a server that is connected completely passively to an ICS network, receiving copies of as much communication traffic as possible. It does not interfere with the operation of the control network in any way, flagging anomalies for investigation but not attempting to influence the situation. The appliance receives copies of raw network data using the built-in port mirroring or “spanning” capabilities of network switches, or using fail-safe taps, sometimes via an aggregator to bring together numerous connections in one location. ICS networks are deliberately segregated into Trust Levels as defined by the ISA95/Purdue reference model [13], depending on how much each device on the network is trusted to behave as expected. Darktrace can be connected at Level 2 (supervisory control), Level 3 (data servers) and Level 4 (IT networks) to provide defense in depth. It also extends cyber-security coverage down into Level 1 (field devices). A highly flexible, distributed architecture allows Darktrace to securely cover multiple Trust Levels and the wide variety of network topologies within and between them. Examples include wholly separate appliances for each Trust Level, or multiple appliances within a widely distributed single Trust Level with a master appliance providing a single interface. If required, a network diode device could guarantee that a channel for moving data from one Trust Level to a higher Trust Level to reach a single appliance covering both cannot be used to communicate in the other direction.
  • 8. 8 Darktrace Proof of Value Darktrace's Proof of Value (POV) allows organizations to experience first-hand its Industrial Immune System's ability to detect previously unseen threats and anomalous behaviors within a customer’s own environment. Along with the POV, Darktrace provides access to our Threat Visualizer (below) for use during the POV as well as weekly Threat Intelligence Reports produced by its team of cyber security specialists. Some organizations prefer to trial Darktrace on their corporate IT systems to confirm the passive and secure operation before engaging installation into ICS networks. Visibility Into Industrial Control Systems Architectures of ICS systems and their operational networks are often documented to a standard that exceeds corporate equivalents, but these long-lived environments are complicated and will typically have undergone many changes by multiple individuals over their lifetime. Knowing and understanding what is genuinely happening inside the environment can be a real challenge. Darktrace addresses this challenge by observing, analyzing and capturing communications along with their associated metadata. In addition to its core identification of anomalous activity and possible compromise, Darktrace’s Threat Visualizer interface uniquely displays all this rich information in an intuitive 3D dashboard that allows the operator to get a true and real-time overview of what is happening. This can be used to investigate whether the control system’s real behavior matches its intended design. Darktrace’s Industrial Immune System retains all of the capabilities of Darktrace in the corporate environment, and will ideally be deployed observing both the ICS and corporate networks. The most likely attack vector for ICS compromise is the IT network. Discovering threats while still within the corporate network vastly increases the defense-in-depth of the control system. This also protects confidential data about the control system stored on corporate servers, which might include detailed operational diagrams, device details or efficiency and safety reports. Fig. 1 - Threat Visualizer
  • 9. White Paper 9 Insider Threat Threat from ‘trusted’ insiders is an important consideration for OT environments. Over the long lifecycles involved with the building and utilization of infrastructure and manufacturing equipment, a large number of different individuals, including both permanent staff and short-term contracted specialists, will usually have interacted with control systems. Many of them will have had privileges that allow them to modify configurations or the underlying software and hardware. Vetting and training staff can reduce but not eliminate the risk of insider incidents from occurring. These incidents can be unintentional due to a mistake or intended short-cut that puts something important at risk, or a deliberate act by a disaffected or ideologically motivated individual. The increased access and organizational familiarity that insiders have means their malicious actions can be very well targeted and effective at disrupting operations. They also have a greater ability to interfere with monitoring or masquerade as others, making their activities harder to identify and attribute. Insider risk is a serious challenge often underestimated in breadth. When supply chains or contractors are involved, it becomes impossible to draw a neat line between ‘inside’ and ‘outside’. We need to trust people in our extended organizations with the access and privilege that they require to do their jobs, but we also need mechanisms to identify when something is going wrong and needs to be corrected. Traditional network border defenses such as firewalls perform an important function in a complete cyber- security solution, but insiders are a key example of their limitations. Insiders do not have to pass through border defenses to accomplish most of their potential goals, meaning that those defenses have no chance at all to prevent or identify their actions [14]. Given the complexity and the variety of people and processes that make up an organization, any monitoring approach needs to start from a complete understanding of what is normal for the unique environment. Only then can it have the insight to identify subtle patterns and correlated action over time that can be the only early signs of emerging issues, and allow them to be handled before they become major crises.
  • 10. 10 Conclusion Businesses face many challenges as we move into an era of ever increasing connectivity and standards of communication. Those trying to secure industrial control systems as well as corporate networks face additional and substantially different problems, as the devices involved are far less secure than their corporate counterparts. There is public evidence of growing motivation and capability of threat actors towards control systems, a trend likely to continue and brought into sharp focus by the 2014 cyber sabotage of a German steel mill. This attack used state-of- the-art methods to reach the control system of a target with little political or ideological significance, a combination not previously observed. De-risking the OT environment is a perpetual challenge requiring new technologies that will deliver continuous insight and provide early warning of both indiscriminate and targeted compromises. Total prevention of compromise seems effectively impossible for the foreseeable future, but prevention of crises is an achievable goal across both corporate IT and operational technology environments. A new approach that can manage incidents across corporate IT and OT before they become an operational crisis is required. With Darktrace’s self-learning immune system, organizations are able to detect and respond to emerging threats in real-time. Advanced behavioral analysis mathematics can detect even previously unseen novel or tailored attacks, regardless of whether they originate in the corporate IT or OT domains or traverse between them.
  • 11. White Paper 11 Resources These additional resources, available from our website, complement the information in this white paper. Data Sheet: Stuxnet Example and Full References For a detailed example of how Darktrace can detect previously unseen ICS cyber-threats like Stuxnet, and the full list of supporting references to this White Paper, please email ics@darktrace.com Data Sheet: Standards and Compliance for ICS: NERC CIP V5 Darktrace Industrial Immune System can help organizations transition to the new cyber-security standards set by the North American Electric Reliability Corporation can be found at www.darktrace.com/resources/data-sheets Case Study: Darktrace at Drax A case study of the use of Darktrace at Drax can be found at www.darktrace.com/resources/case-studies White Paper: Enterprise Immune System White Paper A white paper covering the wider use of the Darktrace Enterprise Immune System across a whole organization can be found at www.darktrace.com/resources/whitepapers
  • 12. ICS-001r2en Darktrace © Copyright 2015 Darktrace Limited. All rights reserved. Darktrace is a registered trademark of Darktrace Limited. Enterprise Immune System, and Threat Visualizer are unregistered trademarks of Darktrace Limited. Other trademarks included herein are the property of their respective owners. About Darktrace Darktrace is one of the world’s fastest-growing cyber threat defense companies and the leader in Enterprise Immune System technology. Darktrace detects previously unknown threats in real time using advanced machine learning and mathematics developed at the University of Cambridge to analyze the behavior of every device, user and network within an organization. Some of the world’s largest corporations rely on Darktrace’s self-learning appliance in sectors including energy and utilities, financial services, telecommunications, healthcare, manufacturing, retail and transportation. The company was founded in 2013 by leading machine learning specialists and government intelligence experts, and is headquartered in Cambridge, UK and Washington D.C., with offices in London, Milan, New York, Paris, San Francisco, and Singapore. Contact Us US: +1 (917) 363 0822 Europe: +44 (0) 1223 350 653 Email: info@darktrace.com www.darktrace.com