Jason Christopher, Dragos Principal Cyber Risk Advisor, joins CyberWire for this podcast that discusses the evolution of ICS/OT ransomware, its impacts on the community, and cybersecurity best practices ICS/OT practitioners can implement to combat it. Listen to the full podcast here: https://dragos.com/resource/ransomware-in-an-industrial-world/
Dragos S4x20: Mapping ICS Incidents to the MITRE ATT&CK Framework - Dragos, Inc.
Principal Industrial Pentester Austin Scott presents at S4x20 on how to map ICS incidents to the MITRE ATT&CK Framework.
View the webinar here: https://dragos.com/resource/introducing-mitre-attck-for-ics-and-why-it-matters/
Intelligence-Driven Industrial Security with Case Studies in ICS Attacks - Dragos, Inc.
Presentation by Robert M. Lee, Dragos CEO, from RSA 2019.
Description: Most industrial security best practices are essentially enterprise security best practices copied and pasted into industrial networks. Yet that is not an effective way to reduce risk against industrial-specific threats. Instead, we can learn from ICS attacks that have actually occurred. In this presentation, Robert M. Lee, CEO and co-founder of Dragos, will provide first-hand insights into industrial threats and the lessons learned for industrial security.
More information here: https://dragos.com/rsa-2019/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
Dragos S4x20: How to Build an OT Security Operations Center - Dragos, Inc.
Senior Director of Business Development Matt Cowell's S4x20 presentation details how to build an effective OT security operations center and the tools and skills needed.
How to Increase ICS Cybersecurity Return on Investment (ROI) - Dragos, Inc.
In his presentation, Austin aligns his 2019 top 5 findings from the Dragos Industrial Penetration Testing team with tactical activities that can be performed to reduce cyber risk within industrial environments. Return on Investment (ROI) is a broad and subjective term. Even in terms of industrial cyber risk reduction, the interpretation of ROI can change drastically depending on who you ask. As a member of the Dragos Industrial Penetration Testing team, he sees the world around him in terms of exploitation effort: the investment required by an adversary to advance through a network. Austin details five ways to significantly increase the time and energy an adversary needs while minimizing operational and capital expenditure.
Dragos Adversary Hunter Jimmy Wylie presents "TRISIS in Perspective" at the 13th annual API conference in Houston, TX. This presentation analyzes the 2017 TRISIS event at an unspecified gas facility in Saudi Arabia, the first deliberate targeting of a safety instrumented system (SIS) that could have resulted in loss of life. It also examines the period after TRISIS, as Dragos has observed that XENOTIME, the adversary group responsible for TRISIS, has expanded its targeting to North America and to other safety systems.
Visit www.dragos.com to learn more.
Industrial Control Systems Cybersecurity Technology Selection - Dragos, Inc.
Selection criteria for today's ICS cybersecurity technology, presented at S4 2019. Includes:
- Recommendations for best practices before evaluating an industrial cybersecurity solution in OT environments
- Outline of different ICS cybersecurity technologies such as the differences between active and passive scanning, anomaly detection, threat behavior analytics
- What’s important in an industrial control systems cybersecurity platform
- Practical guide to pilots and bake-offs
To learn more read the whitepaper Key Considerations For Selecting An Industrial Cybersecurity Solution for Asset Identification, Threat Detection, and Response https://dragos.com/resource/key-considerations-for-selecting-an-industrial-cybersecurity-solution-for-asset-identification-threat-detection-and-response/
For more about Dragos and the 2019 S4 Detection challenge, read the blog and watch the video here: https://dragos.com/blog/industry-news/dragos-results-of-s4-industrial-cybersecurity-detection-challenge-contest/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/dragos-inc./
Follow us on Twitter: https://twitter.com/dragosinc
Reassessing the 2016 CRASHOVERRIDE Cyber Attack - Dragos, Inc.
Upon discovery and initial analysis in mid-2017, audiences primarily viewed CRASHOVERRIDE as a disruptive event targeting electric utility operations in Ukraine. Similar to the 2015 attack in the same area, CRASHOVERRIDE interrupted the flow of electricity by manipulating ICS equipment and delayed recovery operations to prolong the impact. However, CRASHOVERRIDE’s immediate effects represent only the precursors for an attempt at a more ambitious attack than what was achieved.
In this presentation, Dragos Principal Adversary Hunter Joe Slowik reexamines the CRASHOVERRIDE event and likely attacker intentions, highlighting how CRASHOVERRIDE attempted a different type of attack than 2015.
Viewers learn how to begin developing and deploying the required visibility, resilience, and response measures needed to cope with an attack like CRASHOVERRIDE.
To view the webinar, go here: https://youtu.be/yX0ZSu_rVc0
Virtualizing industrial controllers (PLCs/DCS controllers) represents a fundamental shift in the industrial automation industry. Most industries have fully embraced virtualization as a means to support reliability, scalability and resource optimization. However, the industrial control system industry has been slow to fully adopt virtualization for automation controllers. These slides are from Austin Scott's S4 2019 presentation and outline the benefits of industrial controller virtualization and why automation vendors see it as a threat to their business model. The slides describe a virtualized PLC deployment at a large refinery in North America that allowed the operator to scale to the massive size of the plant, and include:
- What is PLC virtualization?
- A brief history of PLC virtualization
- Challenges with PLC virtualization
- The benefits of PLC/Controller virtualization
- Commodity controllers
Dragos’ Year in Review 2018 report provides insights and lessons learned from our team’s first-hand experience hunting and responding to industrial control systems (ICS) adversaries throughout the year, so we can offer recommendations for stronger defenses for industrial organizations and help drive change in the ICS cybersecurity community.
The advent of complex communication networks has revolutionized operational architecture in industrial environments over the last 20-30 years. The availability of real-time operational data has proven to compress decision cycles, increase productivity, and free organizations from many resource constraints in their operational environments. However, the reliance on real-time operational data, asset connectivity and communication within industrial environments has also opened the way for attackers to compromise asset functions through the very communication networks that are now depended upon for control of physical processes and safety. Additionally, the steady worldwide increase in industrial cyber attacks has motivated security professionals to develop a plethora of assessment frameworks to help identify weak points in network defense and lower risk.
Debunking the Hacker Hype: The Reality of Widespread Blackouts - Dragos, Inc.
Presentation by Selena Larson, Dragos Intelligence Analyst, from RSA 2019.
There have been public narratives about the US being on the precipice of a nationwide hacker-caused blackout. What is the reality of adversary activity and the potential or likelihood of a cyber attack that could disrupt the electric grid? What are hackers currently doing in ICS networks? In this presentation, Selena Larson, Intelligence Analyst at Dragos, will separate fact from (science) fiction.
More information here: https://dragos.com/rsa-2019/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
In this presentation, Matt Bodman, Director of Special Programs at Dragos, demonstrates the basics of Neighborhood Keeper.
Neighborhood Keeper is a collaborative threat detection and intelligence program, led by Dragos in partnership with the DOE, that makes ICS threat analytics and data accessible to the greater ICS community. Its initial participants include: Dragos, Ameren, First Energy, Department of Energy’s Idaho National Labs, North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center, and Southern Company.
Neighborhood Keeper will serve smaller providers who lack sufficient resources to buy and manage advanced security technologies, giving them access to collaborative ICS data at near-real-time and providing them immediate insight into the ICS threat landscape without revealing sensitive data.
For more information, please visit https://dragos.com/neighborhood-keeper/
How Long to Boom: Understanding and Measuring ICS Hacker Maturity - Dragos, Inc.
Presentation by Sergio Caltagirone, Dragos VP of Threat Intelligence, from RSA 2019.
The industrial control system threat is growing quickly. But ICS hackers do not start by disrupting electric grids. Instead, they mature predictably, moving from things that go bad to things that go boom. In this presentation, Sergio Caltagirone will explain how, using ICS threat intelligence, Dragos has developed an ICS hacker maturity model that enables us to determine how much risk a threat poses and to predict how long until it reaches maximum risk.
More information here: https://dragos.com/rsa-2019/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
2018 Year in Review - ICS Threat Activity Groups - Dragos, Inc.
Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich give an overview of the 2018 Year in Review report, detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.
This presentation overviews the key findings and takeaways from Dragos' 2019 ICS Year in Review reports, detailing ICS vulnerability data, global ICS threat activity, and observations from Dragos' professional service engagements, including threat hunts, penetration tests, tabletop exercises, incident response, and more. Go here to read all of the Year in Review reports, view infographics, and watch the webinar: https://dragos.com/year-in-review-2019/
In this presentation, Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, demonstrates three separate models used to identify gaps in ICS security posture. First, threat modeling serves as an inward look by the ICS network defender, to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels pertaining to an industrial process. Second, the ICS cyber kill chain serves as an outward look at the steps an adversary needs to take to achieve their objectives. Third, the bowtie model provides a graphical representation of the threats to the environment as well as the protection, detection, and response controls that help secure it. Combining the three, the asset owner builds a holistic picture of the security controls in their network with respect to the threat actors they care about, which allows them to identify gaps in their strategy.
Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.
Presentation from the Cyber Security for Critical Assets conference (CS4CA) in Houston, March 26-28, 2019, presented by Sergio Caltagirone, Vice President of Threat Intelligence.
Covers:
- overview of the OT threat landscape
- new OT threats Dragos has uncovered through its industrial cybersecurity technology platform, array of services, and industrial threat intelligence.
- details on major industrial threat activity groups and root causes of many recent OT compromises
Learn more here: https://dragos.com/year-in-review/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/dragos-inc./
Follow us on Twitter: https://twitter.com/dragosinc
Solving ICS Cybersecurity Challenges in the Electric Industry - Dragos, Inc.
Electric utilities are an integral component of critical infrastructure, and as such, are unique targets for adversaries who aim to disrupt their operations and the day-to-day lives of people who depend on them.
This presentation outlines the experiences of a medium-sized US electric utility and how Dragos helped various teams overcome some of their specific OT cybersecurity challenges.
Securing Electric Utility Infrastructure - Dragos, Inc.
A Case Study on Asset Baselining, Threat Detection, and Response - presented by Tim Watkins, Schweitzer Engineering Laboratories, and Matt Cowell, Dragos.
The webinar – now available on-demand at https://selinc.com/events/on-demand-webinar/126340/ – provides insights on baselining your operation, building cyber defense, and streamlining ongoing management. SEL and Dragos also shared a case study based on a recent joint effort to address key cybersecurity challenges at a mid-sized US electric utility.
Learn more about Dragos at https://dragos.com or follow us at https://twitter.com/dragosinc
Learn more about SEL cybersecurity at https://selinc.com/solutions/security-for-critical-infrastructure/ or follow us at https://twitter.com/SEL_news
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors - Dragos, Inc.
Presentation by Joe Slowik, Dragos Sr. Adversary Hunter, from RSA 2019.
Cyber defense centers on "what" a technology is designed to look for, with capabilities and limitations depending on the method. Three distinct approaches have emerged: traditional IOCs, anomaly detection and behavioral analytics. Unfortunately, marketing has muddied these terms beyond recognition. In this presentation, Joe Slowik, Adversary Hunter at Dragos, will critically examine each approach and its capabilities.
More information here: https://dragos.com/rsa-2019/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr... - Dragos, Inc.
Adversary groups and activities targeting industrial control systems are on the rise. Security teams are now tasked with defending increasingly complex and critical control systems without interrupting operations. This presentation highlights plans and progress of a large public electric utility to extend threat detection capability using PI system data sets. Integration with a threat detection platform improves situational awareness and adds value in three ways. It first provides confidence for quickly eliminating threat activity as a root cause of operational upsets. The second benefit is improved likelihood of detecting malicious tradecraft targeting control systems. Finally, the integrated approach provides data in support of control system incident response and forensic activities.
Video for presentation here: https://youtu.be/Inn6FPaXN1w
Learn more www.dragos.com
A Buyer's Guide to Investing in Endpoint Detection and Response for Enterprise... - Kaspersky
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
IDS for Security Analysts: How to Get Actionable Insights from your IDS - AlienVault
The fun with IDS doesn't stop after installation; in fact, that's really where the fun starts. Join our panel of IDS experts for an educational discussion that will help you make sense of your IDS data, starting from Day 1. We will discuss signature manipulation, event output and the three "P's": policy, procedure and process. We won't stop there either! You will find out the meaning behind the terms all the cool kids are using, like "False Positives" and "Baselining". We'll round it out with more information about how IDS interacts with the rest of your IT applications and infrastructure. If you installed an IDS and are wondering what to do next, then sign up now!
Improve Threat Detection with OSSEC and AlienVault USM - AlienVault
Host-based intrusion detection systems (HIDS) work by monitoring activity occurring internally on a host. HIDS look for unusual or nefarious activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes. AlienVault USM features a complete integration of OSSEC, one of the most popular and effective open source HIDS tools.
In this live demo, we'll show you how USM helps you get more out of OSSEC with:
- Remote agent deployment, configuration and management
- Behavioral monitoring of OSSEC clients
- Logging and reporting for PCI compliance
- Data correlation with IP reputation data, vulnerability scans and more
We'll finish up with a demo of how OSSEC alert correlation in USM can be used to detect brute force attacks.
Supply Chain Threats to the US Energy Sector - Kaspersky
This presentation by Cynthia James discusses steps to take towards cyber-securing the supply chain of Energy sector organizations in the U.S. From the biggest challenges to a review of regulation and compliance guidelines, this deck covers three areas of Energy: nuclear, electric and "other".
Cynthia James is a CISSP (Certified Information Systems Security Professional) and frequent presenter for the TABD group at Kaspersky Lab, global provider of cybersecurity solutions. With 9 years of experience in the cybersecurity space, Cynthia is a regular speaker on the subject and has authored a book on cybercrime: “Stop Cybercrime from Ruining Your Life".
Nozomi Networks is the leader in industrial cybersecurity, delivering real-time visibility to manage cyber risk and improve resilience for industrial operations. With one solution, customers gain advanced cybersecurity, improved operational reliability and easy IT/OT integration. Innovating the use of artificial intelligence, the company helps the largest industrial sites around the world See and Secure™ their critical industrial control networks. Today Nozomi Networks supports over a quarter of a million devices in the critical infrastructure, energy, manufacturing, mining, transportation and utility sectors, making it possible to tackle the escalating cyber risks to operational technology (OT) networks.
Reassessing the 2016 CRASHOVERRIDE Cyber AttackDragos, Inc.
Upon discovery and initial analysis in mid-2017, audiences primarily viewed CRASHOVERRIDE as a disruptive event targeting electric utility operations in Ukraine. Similar to the 2015 attack in the same area, CRASHOVERRIDE interrupted the flow of electricity by manipulating ICS equipment and delayed recovery operations to prolong the impact. However, CRASHOVERRIDE’s immediate effects represent only the precursors for an attempt at a more ambitious attack than what was achieved.
In this presentation, Dragos Principal Adversary Hunter Joe Slowik reexamines the CRASHOVERRIDE event and likely attacker intentions, highlighting how CRASHOVERRIDE attempted a different type of attack than 2015.
Viewers learn how to begin developing and deploying the required visibility, resilience, and response measures needed to cope with an attack like CRASHOVERRIDE.
To view the webinar, go here: https://youtu.be/yX0ZSu_rVc0
Virtualizing Industrial Controllers (PLCs/DCS Controllers) represents a fundamental shift in the industrial automation industry. Most industries have fully embraced virtualization as a means to support reliability, scalability and resource optimization. However, the industrial control system industry has been slow to adopt virtualization into automation controllers fully. These slides are from Austin Scott's S4 2019 presentation and outlines the benefits of industrial controller virtualization and why automation vendors see this as a threat to their business model. The slides describe a virtualized PLC deployment at a large refinery in North America that allowed them to scale to support the massive size of the plant and includes:
- What is PLC virtualization?
- A brief history of PLC virtualization
- Challenges with PLC virtualization
- The benefits of PLC/Controller virtualization
- Commodity controllers
Dragos’ Year in Review 2018 report provides insights and lessons learned from our team’s first-hand experience hunting and responding to industrial control systems (ICS) adversaries throughout the year, so we can offer recommendations for stronger defenses for industrial organizations and help drive change in the ICS cybersecurity community.
The advent of complex communication networks has revolutionized operational architecture in industrial environments over the last 20-30 years. The availability of real-time operational data has proven to effectively compress decision cycles, increase productivity, and has freed organizations of many resource constraints in their operational environments. However, the fact remains that the reliance on real-time operational data and asset connectivity and communication within industrial environments has also opened the way for attackers to potentially compromise asset functions through the very communication networks that are now depended upon for control of physical processes and safety. Additionally, the steady worldwide increase of industrial cyber-attacks has motivated security professionals to develop a plethora of assessment frameworks to help identify weak points in network defense and lower risk.
Debunking the Hacker Hype: The Reality of Widespread BlackoutsDragos, Inc.
Selena Larson, Dragos Intelligence Analyst's presentation from RSA 2019.
There have been public narratives about the US being on the precipice of a nationwide hacker-caused blackout. What is the reality of adversary activity and the potential or likelihood of a cyber attack that could disrupt the electric grid? What are hackers currently doing in ICS networks? In this presentation, Selena Larson, Intelligence Analyst at Dragos will separate fact from (science) fiction.
More information here: https://dragos.com/rsa-2019/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
In this presentation, Matt Bodman, Director of Special Programs at Dragos, demonstrates the basics of Neighborhood Keeper.
Neighborhood Keeper is a collaborative threat detection and intelligence program, led by Dragos in partnership with the DOE, that makes ICS threat analytics and data accessible to the greater ICS community. Its initial participants include: Dragos, Ameren, First Energy, Department of Energy’s Idaho National Labs, North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center, and Southern Company.
Neighborhood Keeper will serve smaller providers who lack sufficient resources to buy and manage advanced security technologies, giving them access to collaborative ICS data at near-real-time and providing them immediate insight into the ICS threat landscape without revealing sensitive data.
For more information, please visit https://dragos.com/neighborhood-keeper/
How Long to Boom: Understanding and Measuring ICS Hacker MaturityDragos, Inc.
Sergio Caltagirone's, Dragos VP of Threat Intelligence, presentation from RSA 2019.
The industrial control system threat is growing quickly. But ICS hackers do not start by disrupting electric grids. Instead, they mature predictably leading them from things that go bad, to things that go boom. In this presentation, Sergio Caltagirone will explain how using ICS threat intelligence Dragos has developed an ICS hacker maturity model enabling us to determine how much risk a threat poses and predict how long until they reach maximum risk.
More information here: https://dragos.com/rsa-2019/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
2018 Year in Review- ICS Threat Activity GroupsDragos, Inc.
Intelligence Analyst Selena Larson, Sr. Adversary Hunter Joe Slowik, and Sr. Adversary Hunter Amy Bejtlich overview the 2018 Year in Review report detailing the eight ICS threat activity groups Dragos' Intelligence team tracks and the changing threat landscape.
This presentation overviews the key findings and takeaways from Dragos' 2019 ICS Year in Review reports, detailing ICS vulnerability data, global ICS threat activity, and observations from Dragos' professional service engagements--including threat hunts, penetration tests, tabletop exercises, incident response, and more. Go here to read all of the Year in Review reports, view infographics, and watch the webinar: https://dragos.com/year-in-review-2019/
In this presentation Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, will demonstrate three separate models in order to identify gaps in ICS security posture. First, threat modeling serves as an inward look as an ICS network defender in order to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels pertaining to an industrial process. Second, the ICS cyber kill chain serves as an outward look at the steps an adversary needs to take in order to achieve their objectives. Third, the bowtie model allows a graphical representation of the threats to the environment as well as the protection, detection, and response controls that help secure it. In the end, the asset owner creates a holistic picture of the security controls in their network, pertaining to the threat actors they care about and allows identification of gaps in their strategy.
Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.
Presentation from Cyber Security for Critical Assets conference (CS4CA ) in Houston, March 26-28 2019 presented by Sergio Caltagirone, Vice President of Threat Intelligence.
Covers:
- overview of the OT threat landscape
- new OT threats Dragos has uncovered through its industrial cybersecurity technology platform, array of services, and industrial threat intelligence.
- details on major industrial threat activity groups and root causes of many recent OT compromises
Learn more here: https://dragos.com/year-in-review/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/dragos-inc./
Follow us on Twitter: https://twitter.com/dragosinc
Solving ICS Cybersecurity Challenges in the Electric IndustryDragos, Inc.
Electric utilities are an integral component of critical infrastructure, and as such, are unique targets for adversaries who aim to disrupt their operations and the day-to-day lives of people who depend on them.
This presentation outlines the experiences of a medium sized US electric utility and how Dragos helped various teams overcome some of their specific OT cyber security challenges.
Securing Electric Utility InfrastructureDragos, Inc.
A Case Study on Asset Baselining, Threat Detection, and Response - presented by Tim Watkins, Schweitzer Engineering Laboratories, and Matt Cowell, Dragos.
The webinar – now available on-demand at https://selinc.com/events/on-demand-webinar/126340/ – provides insights on baselining your operation, building cyber defense, and streamlining ongoing management. SEL and Dragos also shared a case study based on a recent joint effort to address key cybersecurity challenges at a mid-sized US electric utility.
Learn more about Dragos at https://dragos.com or follow us at https://twitter.com/dragosinc
Learn more about SEL cybersecurity at https://selinc.com/solutions/security-for-critical-infrastructure/ or follow us at https://twitter.com/SEL_news
Unraveling Detection Methodologies: Indicators vs. Anomalies vs. Behaviors (Dragos, Inc.)
Presentation by Joe Slowik, Dragos Sr. Adversary Hunter, from RSA 2019.
Cyber-defense centers on “what” a technology is designed to look for, with capabilities and limitations depending on the method. Three distinct approaches have emerged: traditional IOCs, anomaly detection and behavioral analytics. Unfortunately, marketing has muddied these terms beyond recognition. In this presentation, Joe Slowik, Adversary Hunter at Dragos will critically examine each approach and its capabilities.
More information here: https://dragos.com/rsa-2019/
More info: www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr... (Dragos, Inc.)
Adversary groups and activities targeting industrial control systems are on the rise. Security teams are now tasked with defending increasingly complex and critical control systems without interrupting operations. This presentation highlights plans and progress of a large public electric utility to extend threat detection capability using PI system data sets. Integration with a threat detection platform improves situational awareness and adds value in three ways. It first provides confidence for quickly eliminating threat activity as a root cause of operational upsets. The second benefit is improved likelihood of detecting malicious tradecraft targeting control systems. Finally, the integrated approach provides data in support of control system incident response and forensic activities.
Video for presentation here: https://youtu.be/Inn6FPaXN1w
Learn more www.dragos.com
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise... (Kaspersky)
A key business goal of any organization is to maintain the constant availability of data and systems that can be trusted for decision-making purposes. The evolving threat landscape has resulted in increasing focus, right to board level, on cybersecurity. IT operational and security teams should demonstrate a comprehensive, cohesive approach in their response to security incidents and data breaches.
IDS for Security Analysts: How to Get Actionable Insights from your IDS (AlienVault)
The fun with IDS doesn't stop after installation; in fact, that's really where the fun starts. Join our panel of IDS experts for an educational discussion that will help you make sense of your IDS data, starting from Day 1. We will discuss signature manipulation, event output and the three "P's": policy, procedure and process. We won't stop there either! You will find out the meaning behind the terms all the cool kids are using, like "False Positives" and "Baselining". We'll round it out with more information about how IDS interacts with the rest of your IT applications and infrastructure. If you installed an IDS and are wondering what to do next, then sign up now!
Improve Threat Detection with OSSEC and AlienVault USM (AlienVault)
Host-based intrusion detection systems (HIDS) work by monitoring activity that is occurring internally on a host. A HIDS looks for unusual or nefarious activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes. AlienVault USM features a complete integration of OSSEC, one of the most popular and effective open source HIDS tools.
In this live demo, we'll show you how USM helps you get more out of OSSEC with:
Remote agent deployment, configuration and management
Behavioral monitoring of OSSEC clients
Logging and reporting for PCI compliance
Data correlation with IP reputation data, vulnerability scans and more
We'll finish up by showing a demo of how OSSEC alert correlation can be used to detect brute force attacks with USM
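As an added illustration of the host-based correlation described above (example code written for this page, not OSSEC or AlienVault USM code), the following Python detector parses constructed sshd log lines, applies a per-source sliding-window threshold, and raises the alert severity when the source also appears on a hypothetical IP reputation list. The log lines, the host name, the thresholds and the reputation set are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines for this example (not real data). Addresses come
# from the RFC 5737 documentation ranges; "hmi01" is a hypothetical host.
SAMPLE_LOG = """\
Mar 30 10:00:01 hmi01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 30 10:00:03 hmi01 sshd[2212]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Mar 30 10:00:05 hmi01 sshd[2213]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar 30 10:00:07 hmi01 sshd[2215]: Failed password for root from 198.51.100.23 port 50125 ssh2
Mar 30 10:00:09 hmi01 sshd[2217]: Failed password for operator from 198.51.100.23 port 50126 ssh2
Mar 30 10:00:11 hmi01 sshd[2219]: Failed password for operator from 198.51.100.23 port 50127 ssh2
Mar 30 10:15:00 hmi01 sshd[2301]: Failed password for operator from 192.0.2.10 port 41000 ssh2
Mar 30 10:30:00 hmi01 sshd[2302]: Failed password for operator from 192.0.2.10 port 41001 ssh2
Mar 30 10:31:00 hmi01 sshd[2303]: Accepted password for operator from 192.0.2.10 port 41002 ssh2
"""

# Hypothetical reputation feed (constructed); a real deployment would pull this
# from a threat-intelligence source rather than a literal set.
BAD_REPUTATION = {"198.51.100.23"}

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+sshd\[\d+\]:\s+Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failed_logins(lines, year=2020):
    """Yield (timestamp, host, user, source_ip) for every failed sshd login.

    Syslog timestamps carry no year, so the caller supplies one. Accepted
    logins and unrelated lines are skipped.
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["user"], m["ip"]


def detect_brute_force(events, threshold=5, window_seconds=120,
                       reputation=BAD_REPUTATION):
    """Sliding-window correlation over failed logins, grouped by source IP.

    An alert is raised when one source produces at least `threshold` failures
    inside any `window_seconds` span. Sources on the reputation list are
    escalated to high severity; the rest are medium.
    """
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, host, user, ip in events:
        by_ip[ip].append((ts, host, user))

    alerts = []
    for ip, items in by_ip.items():
        items.sort()                 # events may arrive out of order
        recent = deque()             # timestamps inside the current window
        peak, users, hosts = 0, set(), set()
        for ts, host, user in items:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
            users.add(user)
            hosts.add(host)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "count": peak,
                "targets": sorted(hosts),
                "users": sorted(users),
                "severity": "high" if ip in reputation else "medium",
            })
    # Highest-volume sources first; ties broken by address for stable output.
    return sorted(alerts, key=lambda a: (-a["count"], a["ip"]))


def demo():
    """Run the detector over the constructed sample with default settings."""
    return detect_brute_force(parse_failed_logins(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

With the defaults, only 198.51.100.23 (six failures in ten seconds against three accounts) is reported; the two failures from 192.0.2.10 fifteen minutes apart fall below the window and stay quiet, which is the baselining trade-off the webinar above is talking about. Widening the window to an hour with a threshold of two surfaces the second source at medium severity.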
Supply Chain Threats to the US Energy Sector (Kaspersky)
This presentation by Cynthia James discusses steps to take towards cyber-securing the supply chain of Energy sector organizations in the U.S. From the biggest challenges to a review of regulation and compliance guidelines, this deck covers three areas of Energy: nuclear, electric and "other".
Cynthia James is a CISSP (Certified Information Systems Security Professional) and frequent presenter for the TABD group at Kaspersky Lab, global provider of cybersecurity solutions. With 9 years of experience in the cybersecurity space, Cynthia is a regular speaker on the subject and has authored a book on cybercrime: “Stop Cybercrime from Ruining Your Life".
Nozomi Networks is the leader of industrial cybersecurity, delivering real-time visibility to manage cyber risk & improve resilience for industrial operations. With one solution, customers gain advanced cybersecurity, improved operational reliability & easy IT/OT integration. Innovating the use of artificial intelligence, the company helps the largest industrial sites around the world See and Secure™ their critical industrial control networks. Today Nozomi Networks supports over a quarter of a million devices in the critical infrastructure, energy, manufacturing, mining, transportation & utility sectors, making it possible to tackle the escalating cyber risks to operational networks (OT).
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct... (Abhishek Goel)
SCADA systems control some of the most vital infrastructure in industrial and energy sectors, from oil and gas pipelines to nuclear facilities to water treatment plants.
Critical infrastructure is defined as the physical and IT assets, networks and services that if disrupted or destroyed would have a serious impact on the health, security, or economic wellbeing of citizens and the efficient functioning of a country’s government.
Public services such as electricity, water, hospital management and transport are important for the smooth functioning of our daily lives. The critical nature of these services makes these systems a key target for cyber threats, which is why the public sector experiences more incidents than any other industry.
This is why the public sector needs to focus more on strengthening its cybersecurity strategies to address critical gaps, especially the devices used and the policies governing their use.
In this session, Asela addressed some of our critical services and how the lack of security focus has affected their use.
The Quality “Logs”-Jam: Why Alerting for Cybersecurity is Awash with False Po... (Mark Underwood)
What happens when the (Observe) Plan-Do-Check-Adjust cycle is undermined by lapses in data integrity? Observations are questioned. Plans may be ill-conceived. Actions may be undertaken that undermine rather than enhance. “Checks” can fail. Adjustments may be guesswork. In cybersecurity, the results of poor data integrity can be expensive outages, ransom requests, breaches, fines, even bankruptcy (think Cambridge Analytica). But data integrity issues take many forms, ranging from benign to malicious. The full range of these issues is surveyed from a cybersecurity perspective, where logs and alerts are critical for defenders as well as quality engineers. Techniques borrowed from model-based systems engineering and ontology-based AI are identified that can mitigate these deleterious effects on PDCA.
Webinar - Reducing the Risk of a Cyber Attack on Utilities (WPICPE)
Jim Girouard, Sr. Product Development Manager at Worcester Polytechnic Institute, outlines the growing menace of cyber attacks on utility companies and how to educate yourself to reduce risk.
Practical risk management for the multi cloud (Ulf Mattsson)
This session will take a practical approach to IT risk management and discuss multi cloud, Verizon Data Breach Investigations Report (DBIR) and how Enterprises are losing ground in the fight against persistent cyber-attacks. We simply cannot catch the bad guys until it is too late. This picture is not improving. Verizon reports concluded that less than 14% of breaches are detected by internal monitoring tools.
We will review the JP Morgan Chase data breach, where hackers were in the bank’s network for months undetected. Network configuration errors are inevitable, even at the largest banks, such as Capital One, which recently had a data breach where a hacker gained access to 100 million credit card applications and accounts.
Viewers will also learn about:
- Macro trends in Cloud security and Micro trends in Cloud security
- Risks from Quantum Computing and when we should move to alternate forms of encryption
- Review “Kill Chains” from Lockheed Martin in relation to APT and DDoS Attacks
- Risk Management methods from ISACA and other organizations
Speaker: Ulf Mattsson, Head of Innovation, TokenEx
CyCron 1 is a cyber security-focused conference for Industrial Control Systems. The event will cater to the power generation, transmission and distribution, water utilities, chemicals, oil and gas, pipelines, data centers, medical devices, energy, utility transportation, manufacturing, and other industrial and critical infrastructure organizations.
CyCron 1 will address the myriad cyber threats facing operators of ICS around the world, and will cover topics including protection for SCADA systems, plant control systems, engineering workstations, substation equipment, programmable logic controllers (PLCs), and other field control system devices.
Similar to Dragos and CyberWire: ICS Ransomware (20)
Rising Cyber Escalation US Iran Russia ICS Threats and Response (Dragos, Inc.)
Dragos discusses the quickly rising tensions between the US, Russia, and Iran, threat intelligence on malicious activity surrounding these tensions, and recommended responses to defend industrial control systems and critical infrastructure worldwide.
Includes presentations from Dragos Threat Intelligence, which is following these threats, and from the Dragos Threat Operations Center, which is currently responding to and defending against them.
Visit www.dragos.com for more info about industrial cybersecurity
Insights To Building An Effective Industrial Cybersecurity Strategy For Your ... (Dragos, Inc.)
Key Considerations for Executives from Dragos Executive Year In Review on Industrial Cybersecurity Strategy by Robert M Lee
Addresses questions of :
- How do we know if we’re underspending or overspending on ICS/industrial cybersecurity?
- What is the best thing we can do to get started that will help move us forward in OT security?
- If a major attack happens, what is the role of the government?
More Info here:
https://dragos.com/resource/insights-to-build-an-effective-industrial-cybersecurity-strategy-for-your-organization/
https://www.linkedin.com/company/dragos-inc./
Twitter: https://twitter.com/dragosinc
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice (Dragos, Inc.)
From #CTISUMMIT.
More info here: https://dragos.com/blog/industry-news/meet-me-in-the-middle-threat-indications-and-warning-in-principle-and-practice/
Video here: https://youtu.be/79RdB3aj2vA
Discussions on threat intelligence often get bogged down between “machine speed” ingestion of atomic indicators and in-depth analysis of activity taking weeks (or months) to produce. Left in the cold in such debates is a very important but seldom considered middle ground: time-sensitive and incomplete but enriched threat intelligence. In the U.S. Navy and similar services, this is referred to as threat “indications and warning” (I&W) – a step beyond a simple observable refined to ensure accuracy and timely receipt.
The goal of I&W is to get actionable, important information to those in need of it most as quickly, efficiently, and accurately as possible, even if as a result some context or other insights are lost. As a result of this activity, consumers are better armed and equipped to deal with and counter threats as they emerge, rather than either reacting to items with no context whatsoever or only reading about their challenges weeks after the fact in a complete intelligence report. This discussion explores the concept of threat I&W within the context of network security generally and threat intelligence specifically to identify this topic as a shamefully ignored middle ground between extremes. The presentation explores the conceptual background behind this idea, then transitions to real-life examples of I&W drawn from the speaker’s past activity in threat intelligence, incident response, and military operations.
Uncovering ICS Threat Activity Groups for Intelligence-Driven Defense: Dragos has released information about eight threat activity groups that have targeted industrial companies. These groups range from espionage, to learning industrial environments for future effects, to causing a power outage and targeting human life directly. But what are threat activity groups? They are different than what is normally tracked in the community as threat actors and have a different focus for defenders.
The Four Types of Threat Detection and Use Cases in Industrial Security (Dragos, Inc.)
Dragos' Sergio Caltagirone and Robert M. Lee discuss the four types of threat detection methods for industrial control systems operations, while providing ICS-specific use cases, to help you determine which detection strategy is most effective for your organization.
The recorded webinar can be found here: https://youtu.be/zqvDu0OaY8k
Also check out the Four Types of Threat Detection white paper: https://dragos.com/blog/FourTypesOfTh...
Part of the Secrets of ICS Cybersecurity webinar series: https://dragos.com/blog/20181017Webin...
More info www.dragos.com
Follow us on LinkedIn: https://www.linkedin.com/company/drag....
Follow us on Twitter: https://twitter.com/dragosinc
Dragos Adversary Hunter Joe Slowik presents on Behavior-Based Defense in ICS at the 13th annual API conference in Houston, TX. This presentation discusses how identifying adversary behaviors and their common requirements can help network defenders prepare for future events, exemplifying how network defense for sensitive environments is strengthened through continuous improvement from prior events.
Visit www.dragos.com to learn more.
Trisis in Perspective: Implications for ICS Defenders (Dragos, Inc.)
Discovery of TRISIS/TRITON was a landmark event in the Industrial Control Systems (ICS) security community. It is the fifth known ICS-specific malware (following Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE), and the first such malware to specifically target safety instrumented systems. Since identification and public disclosure in early December 2017, much has been written on TRISIS, its operation, and mitigations; however, such mitigations are usually too specific to TRISIS and fall short in assisting defenders with safety systems other than a Schneider Electric Triconex. In May, Dragos discovered that XENOTIME, the activity group behind TRISIS, had expanded its targeting to North America and other safety systems. Given this new data, a generalized approach to safety system defense is critical knowledge for ICS security personnel. This discussion aims to provide such an approach to guarding safety systems. We will provide an overview of the TRISIS malware, including its installation, execution and modification to the controller. Next, we will break down the TRISIS event's specific tactics, techniques and procedures (TTPs) and generalize them across the ICS kill chain. Using this model, we provide present-day actionable defense strategies for asset owners, as well as guidance for forensics, restoration, and recovery should an attack be discovered. We also look to the future and recommend ways in which the state of the art can be improved by vendors and ICS owners to empower defenders with the information they need to stop future attacks.
Learn more here: https://www.dragos.com/blog/trisis/
Key Trends Shaping the Future of Infrastructure (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology is pushing into IT, I was wondering, as an “infrastructure container Kubernetes guy”, how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and what could be beneficial or limiting for your AI use cases in an enterprise environment. An interactive demo will give you some insights into what approaches I already have working for real.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Elevating Tactical DDD Patterns Through Object Calisthenics (Dorra BARTAGUIZ)
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... (Jeffrey Haguewood)
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio’s cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Dragos and CyberWire: ICS Ransomware
1. INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY
VISIBILITY. DETECTION. RESPONSE.
RANSOMWARE IN AN INDUSTRIAL WORLD
2. JASON D. CHRISTOPHER, Principal Cyber Risk Advisor
- Cyber risk management professional services, tied to threat intel & the Dragos platform
- Certified SANS Instructor for industrial control systems security
- Former CTO for Axio Global, Inc., leading critical infrastructure protection strategy
- Federal energy lead for several industry standards and guidelines, including NERC CIP, NIST CSF, and the C2M2
- Led cyber incident & risk management team for US Department of Energy
- Security metrics development across EPRI and other research organizations
- Began career deploying & securing ICS
- Frequent speaker at conferences & client events
- MS, Electrical Engineering, Cornell
@jdchristopher
linkedin.com/in/jdchristopher
3. RANSOMWARE in an INDUSTRIAL WORLD (agenda)
Quick ICS Overview
- OT security concepts
- ICS Cybersecurity Kill Chain
- Attacking ICS
Ransomware… where?
- Evolution of ransomware
- ICS & untargeted ransomware
- Recent events and examples
Actionable Recommendations
- OT-specific security programs
- The M&M model
- ICS hardening and limitations
4. INDUSTRIAL TECHNOLOGIES
Focused on processes that impact the real world, using industrial control systems (ICS) and operational technology (OT)
- 24 x 7 operations
- 10-30 year lifecycle
- 16 critical infrastructure sectors
5. What are industrial control systems?
When a 0 or 1 impacts the physical world.
Devices and systems include: Sensors, Controllers, Motors, Generators, Safety Systems, I/O Devices, Field Devices, IEDs, Human-Machine Interface
6. Evolution of Operational Technology (OT)
3rd Industrial Revolution: Automation of Production by Electronics
- DCS | Distributed Control System
- SCADA | Supervisory Control & Data Acquisition
4th Industrial Revolution: Smart Connected Systems
- “Industry 4.0” // “Industrial IoT”
STAND-ALONE -> LOOSELY CONNECTED -> HIGHLY CONNECTED (standardization)
7. Traditional IT Security Issues in OT
- Endpoint Agents
- Encryption
- Vulnerability Scanning
- Anti-Virus
- Patching
8. Real-world cyber-based industrial impacts
Think physical processes… again
- 2001: Sewage Spill
- 2009: Centrifuge Failure
- 2012: Telvent Espionage
- 2014: Furnace Loss of Control
- 2015 & 2016: Power Outages
- 2017: (un)Safety System
9. Describing ICS Cyber Attacks
STAGE 1: The Lockheed Martin Cyber Kill Chain® is a model to help in the identification and prevention of cyber intrusion activity… but does not consider steps needed for ICS-specific attacks
10. Describing ICS Cyber Attacks
STAGE 2: Stage 2 of the ICS Cyber Kill Chain discusses unique capabilities required to result in real-world impacts.
11. INDUSTRIAL ATTACKS: IT and OT
STAGE 1 (Corporate IT) -> STAGE 2 (Plant OT)
Stage 1 and Stage 2 work together to impact industrial processes, stretching across both IT and OT networks
15. Evolution of Ransomware
Pre-2017
- Primary targeting via phishing, malicious websites
- Single victim, single machine focus
2017-2018
- RISE OF THE WORMS
- Single victim machine, opportunistic targeting
2018-Present
- Interactive operations to attack corporate networks
- Hold entire networks hostage
THE DRAGOS PLATFORM | ICS SECURITY SERVICES | DRAGOS WORLDVIEW
16. WannaCry
Animated map from New York Times, accessed 2020-03-30: https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html
17. NotPetya… Not Ransomware
“Wiper disguised as ransomware,” with increased collateral damage beyond any initial targets.
- +$10B in estimated damages
- 2M computers impacted in 2 hrs
- +65 countries involved in response
18. Norsk Hydro & LockerGoga
…at execution…
- Removes self, launches child process
- Writes ransom note
…through encryption…
- Encrypts files, binaries, etc.
…to lock out…
- Changes local user and admin credentials
- Disables system network card
- Logs off all logged-in users
Read more here: https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
19. IT-Centric RANSOMWARE in OT Systems
STAGE 1 (Corporate IT) -> STAGE 2 (Plant OT)
Again, think back to the ICS Cyber Kill Chain: no OT-specific knowledge or tools are leveraged during these events. OT was collateral damage.
20. Trends & Considerations
EKANS and ICS
- Ransomware with ICS-specific system processes highlighted
Ransom = $$$
- What are organizations willing to pay to unlock data?
- Whole networks?
- Entire industrial facilities?
Ransomware vs. Wiper
- Careful distinction, but would that change your behavior?
- Regardless of paying the ransom, would you ever trust that device again?
What’s next?
- Ransomware evolution over the past few years shows trending towards bigger impacts
21. Paying the Ransom as “Remediation”
Pay the ransom? … or go out of pocket?
Read more here: https://www.forbes.com/sites/forbestechcouncil/2020/01/07/taking-governments-hostage-three-fixes-for-a-ransomware-world/
24. Getting Started on Industrial Cybersecurity
Dedicate OT-specific resources
- Who knows how to protect ICS?
- In-house & 3rd party resources
Planning for a bad day
- What’s the worst-case scenario? How would you prepare?
- Who would you call?
Understanding the impacts
- What’s the cost associated with downtime? Or broken equipment?
- What are the “crown jewels?”
25. Invest in PERIMETERS
- Lock up those crown jewels
- Restrict external communications
- Look for bad stuff happening
- ICS is a critical, high-trust zone. Treat it accordingly!
Strengthen & harden SYSTEMS where possible
- Mileage will vary
- Understand the last known “good state”
BACK-UP
- Hot and cold storage considerations
- ICS-specific: set points, project files, engineering documents
- TEST. TEST. TEST.
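The “last known good state” and “TEST. TEST. TEST.” points on this slide can be made concrete. The following Python example is added here and is not part of the Dragos deck: it builds a SHA-256 manifest of a constructed set of engineering files (a PLC project, a set-point table and loop documentation), checks the live copy against that manifest after a simulated incident, and then checks that a cold backup still matches the manifest, which is the restore test. File names and contents are hypothetical, and the simulated incident is a constructed stand-in for demonstration, not a model of any particular ransomware family.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Hypothetical engineering artifacts, constructed for this example. Real ones
# are usually vendor-specific binaries, but hashing treats them the same way.
SAMPLE_FILES = {
    "plc/line1_main.prj": b"PROGRAM Main\n  Pump1 := Level > 0.60;\nEND_PROGRAM\n",
    "setpoints/line1.csv": b"tag,value,units\nTIC-101.SP,85.0,degC\nFIC-202.SP,12.5,m3/h\n",
    "docs/line1_loops.txt": b"Loop 101: TT-101 -> TIC-101 -> TV-101\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large project archives do not need RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Known-good state: relative POSIX path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a directory (live system or restored backup) with the manifest.

    Encrypted files show up as missing (renamed) or modified (overwritten);
    dropped ransom notes and renamed copies show up as unexpected.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_known_good(report: dict) -> bool:
    return not any(report.values())


def write_sample_tree(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def simulate_incident(root: Path) -> None:
    """Constructed stand-in, not real malware behaviour: the project file is
    overwritten and renamed, one set point is quietly changed in place, and a
    note is dropped at the top of the tree."""
    prj = root / "plc/line1_main.prj"
    prj.write_bytes(b"\x00" * 64)
    prj.rename(prj.with_name(prj.name + ".locked"))
    sp = root / "setpoints/line1.csv"
    sp.write_bytes(sp.read_bytes().replace(b"85.0", b"95.0"))
    (root / "README_TO_RECOVER.txt").write_bytes(b"your files are locked\n")


def demo() -> dict:
    """Baseline, back up, simulate the incident, verify live and cold copies."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "engineering"
        cold = Path(tmp) / "cold_backup"   # stands in for offline media
        write_sample_tree(live)
        manifest = build_manifest(live)    # taken while the system is trusted
        # Keep the manifest with the backup, off the network it protects.
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)
        shutil.copytree(live, cold)
        before = verify_against_manifest(live, manifest)
        simulate_incident(live)
        after = verify_against_manifest(live, manifest)
        # The restore test: the cold copy must still match the known-good state.
        restore_ok = is_known_good(verify_against_manifest(cold, json.loads(manifest_json)))
        return {"before": before, "after": after, "backup_restorable": restore_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is only as trustworthy as the moment it was taken, so it belongs with the cold copy rather than on the engineering workstation, and the same check should be run against every backup generation before it is relied on; a backup that no longer matches its own manifest is the failure this slide’s “TEST” line is warning about.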
26. BRINGING IT ALL TOGETHER: Establish, Enable, & Enhance Your ICS Defenses
Step 1 (START HERE): Understand your ICS environments with impact-based prioritization
- ARCHITECTURE REVIEW
- OT-SPECIFIC RESOURCES
- CROWN JEWEL ANALYSIS
- INVEST IN PERIMETERS
- HARDEN SYSTEMS
- BACK-UPS!
Step 2: Learn attackers’ behaviors, proactively find threats, and reinforce your detection methods
- DATA COLLECTION
- OT DETECTION
- THREAT HUNTING
Step 3: Test your defenses with real-world scenarios and strengthen your response procedures
- TABLE TOP EXERCISE
- PENETRATION TESTING
- MANAGED THREAT HUNTING
27. Dragos’ Year in Review provides insights and lessons learned from our team’s first-hand experience hunting, combatting, and responding to ICS adversaries throughout the year.
ICS VULNERABILITIES REPORT: Provides an analysis of ICS-specific vulnerabilities and discusses impacts, risks, and mitigation options for defenders
ICS THREAT LANDSCAPE REPORT: Provides insights on the state of ICS cybersecurity, the latest trends and observations of ICS-specific adversaries, and proactive defensive recommendations
LESSONS LEARNED FROM THE FRONT LINES REPORT: Provides a synopsis of trends observed within the industry and lessons learned from Dragos’ proactive and responsive service engagements
28. THANK YOU
JASON D. CHRISTOPHER
@jdchristopher
linkedin.com/in/jdchristopher