1. Security Intelligence for Energy Control Systems
Chris Poulin
Q1 Labs, CSO
David Swift
Accuvant, Solutions Architect
Twitter: #Q1energy
2. Agenda
Introductions and Housekeeping
When Refrigerators Attack
Smart Grid – Vulnerabilities and Security Concerns
Energy Sector Zero Days and Logs
Compliance – Best Practices
Q&A
3. A man is stuck in traffic on his way to work.
4. He takes his eyes off the road to glance at his phone.
41. Energy Sector Top Concerns
APTs – Advanced Persistent Threats
Morphing code, DNS fast flux changing Command and Control Channels, Google searches for new C&C hosts
May be state or terrorist sponsored, lots of money and resources behind some of these attacks
Compliance – NERC/FERC/NRC/SOX/PCI
Log, review, report and DOCUMENT
42. How do you find Zero Days and APTs?
Add Context to Events
Use the network hierarchy and remote networks to overlay source-network and destination-network NAMES quickly, not just IP addresses.
Use GEO IP information for quick wins and situational awareness.
Use Reference Lists to check for known attackers, known terminated employees, contractors logging in after hours…
43. Review Logs
Analyze Volume and Variety
Firewall
Even when signatures don’t trigger, firewalls (when configured to log accepts) provide a record.
Attacks are sloppy and are never a single event: look for the spray of bullets. The offender’s source IP scans the network or target first, generating lots of drops.
IDS/IPS
Log Everything
Filter and eliminate in SIEM by comparing Vulnerability Scan/Asset data and Known Attacker/Remote Networks
44. Review Logs
Look for patterns
Instant messaging logon (IDS event)
IM download (IDS Event)
Anti-Virus/HIPS/FIC event – EVIL FILE
Now we know the source.
Fuzz the logic
– Look for anyone else talking to the same source /24 CIDR
– Look for the same file name to have been modified on another host
Any traffic to/from a Known Attacker (remote network or reference list)
Outbound traffic may indicate an already infected system calling home
Any such traffic that is allowed should open an offense
45. Review Logs
Everything counts in large amounts
Single firewall drop – who cares?
100 firewall drops in 1 minute – Why?
Misconfigurations – noise, chaff that has to be culled
Reconnaissance – phase one of the attack
One IDS event – IM Login – Who cares?
IM Login + File Transfer + Buffer Overflow Attempt – I CARE!
46. Improve Defenses Iteratively
Review Events by Signature
Count of HOW MANY this month by signature
And, how many unique hosts triggered the sig
10 from one host – hmm, block it, won’t break anything, might help, and check the host
1,000,000 – disable logging, crappy signature
– Unless – 1 million from < 10 hosts
0 events for a given signature – block it, won’t hurt
Repeat the process each month for each device
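The monthly signature review described on this slide, as an added example in Python that is not part of the deck: it tallies events and distinct source hosts per signature over constructed IDS log lines (the log format is hypothetical) and applies the slide’s rules, including silent signatures that should be switched to block. The noise threshold is a parameter so the scaled-down sample can exercise the “disable logging unless it comes from fewer than 10 hosts” rule.

```python
import re
from collections import defaultdict

# Constructed, hypothetical IDS log line format: "<ts> ids sig=<name> src=<ip> dst=<ip>"
LINE_RE = re.compile(r"\bsig=(?P<sig>\S+)\s+src=(?P<src>\S+)")

def tally_by_signature(lines, deployed_sigs):
    """Per signature: (event count, distinct source hosts); deployed-but-silent sigs get 0."""
    counts, hosts = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:                             # unparseable lines are skipped, not miscounted
            counts[m["sig"]] += 1
            hosts[m["sig"]].add(m["src"])
    return {s: (counts[s], len(hosts[s])) for s in set(deployed_sigs) | set(counts)}

def recommend(count, unique_hosts, noise_threshold=1_000_000, few_hosts=10):
    """The slide's tuning rules applied to a single signature."""
    if count == 0:
        return "block"                    # never fires: switching to block cannot break anything
    if count >= noise_threshold:
        if unique_hosts < few_hosts:      # huge volume from a handful of hosts is not chaff
            return "investigate-hosts"
        return "disable-logging"          # noisy signature, cull it
    if unique_hosts == 1:
        return "block-and-check-host"     # low volume, single offender: block and look at it
    return "keep-logging"                 # ordinary background, review again next month

def review(lines, deployed_sigs, **thresholds):
    """Map every deployed signature to a recommended action for this period."""
    tallies = tally_by_signature(lines, deployed_sigs)
    return {s: recommend(c, h, **thresholds) for s, (c, h) in tallies.items()}

def constructed_sample():
    """Synthetic month of events, scaled down so noise_threshold=1000 is exercised."""
    lines = [f"2012-03-01T08:{i:02d}:00 ids sig=IM-LOGIN src=10.1.1.5 dst=203.0.113.7"
             for i in range(10)]                                  # 10 hits, one host
    lines += [f"2012-03-02T09:00:00 ids sig=HTTP-NOISE src=10.2.0.{i % 200} dst=10.9.9.9"
              for i in range(1500)]                               # 1500 hits, 200 hosts
    lines += [f"2012-03-03T10:00:00 ids sig=BUFFER-OVERFLOW src=10.3.3.{i % 3} dst=10.9.9.9"
              for i in range(1200)]                               # 1200 hits, 3 hosts
    lines += [f"2012-03-04T11:00:00 ids sig=SSH-SCAN src=10.4.4.{i} dst=10.9.9.9"
              for i in range(5)]                                  # 5 hits, 5 hosts
    lines.append("2012-03-05T12:00:00 ids sensor restarted")      # no sig/src fields
    return lines

if __name__ == "__main__":
    deployed = ["IM-LOGIN", "HTTP-NOISE", "BUFFER-OVERFLOW", "SSH-SCAN", "OLD-WORM"]
    for sig, action in sorted(review(constructed_sample(), deployed, noise_threshold=1000).items()):
        print(f"{sig:16} {action}")
```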
47. Compliance Strategy
A successful log management strategy involves a logging tool, documentation, processes, and procedures.
Key Steps:
Define your Scope
Document which devices are in scope for each compliance regulation
Define your Events of Interest (EOI) – and create appropriate reports and alerts to monitor for them
Define an Incident Handling Policy (IH) and process to follow for each EOI
Define Standard Operating Procedures (SOPs) with Service Level Agreements (SLAs) for each EOI and the follow-up IH process
Create and Maintain an Audit trail showing both EOIs and IH responses, tracking the mean time to detect (MTD) and mean time to remediate (MTR)
Define the Record of Authority (RoA) for each device in scope for an audit
Document IPs in scope and where the authoritative log source is for each.
Document the retention period, and the auto-destroy policy followed.
Defenses are never complete, and must be continuously tuned.
By giving auditors unambiguous, prepared and documented log sources, events of interest, and incident handling policies, followed by spot checks confirming that an event was both logged and remediated in accordance with standard operating procedures within the defined service level agreement, audits can be made quick and painless.