The Current ICS Threat Landscape

•

3 likes•2,092 views

Presentation from Cyber Security for Critical Assets conference (CS4CA ) in Houston, March 26-28 2019 presented by Sergio Caltagirone, Vice President of Threat Intelligence. Covers: - overview of the OT threat landscape - new OT threats Dragos has uncovered through its industrial cybersecurity technology platform, array of services, and industrial threat intelligence. - details on major industrial threat activity groups and root causes of many recent OT compromises Learn more here: https://dragos.com/year-in-review/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/dragos-inc./ Follow us on Twitter: https://twitter.com/dragosinc

Technology

Industrial Control
System Threats
Sergio Caltagirone
Vice President, Threat Intelligence & Analytics
@cnoanalysis
sergio@dragos.com

Dragos Ecosystem
Dragos Platform
Monitoring system that
utilizes behavioral
analytics to identify
threats as they occur and
workflow automation for
Incident Response
Dragos WorldView
Expertise and
knowledge in ICS threat
identification and
understanding
Dragos ThreatView
Experienced ICS Threat
Hunting, Incident
Response and Training

The Problem
IOIO
IOIO
IOIO
IOIO
IOIO
IOIO
LACK OF THREAT INSIGHTS
No collection and analysis in industrial
networks; no threat intel
LACK OF TECHNOLOGY
Unique industrial challenges demand
industrial tech not repurposed IT
LACK OF PEOPLE
Few People Worldwide Know How to
Protect the ICS that Run Our World

ICS Threat “Hockey Stick”
1998 - 2009
2010 - 2012
2013 - 2015
2015-2017
Lack of Collection
• Campaigns: APT1
• ICS Malware: None
New Interest in ICS
• Campaigns: Sandworm
• ICS Malware: Stuxnet
Campaigns Target ICS
• Campaigns: Dragonfly
• ICS Malware: BlackEnergy 2
and Havex
• First attack to cause physical
destruction on civilian
infrastructure (German Steel)
Adversaries Disrupt ICS
• Campaigns: 10 Unique
• ICS Malware:
CRASHOVERRIDE
and TRISIS
• First and second ever electric
grid attacks that disrupt
power
• First malware to target human
life

ICS Cyber Threat Kill-Chain
• Dec 18, 2014 German Government’s
BSI released annual report
highlighting incidents
• Identified “massive damage” in a steel
facility due to a cyber attack
• 2nd publicly known case of physical
damage to control systems from
cyber attacks

Ukraine 2015
• 1st Ever cyber attack on a
power grid to lead to
outages
• 3 power companies across
Ukraine
• SCADA Hijack scenario by
a well funded team

Middle East 2017 - TRISIS
• TRISIS was delivered into a
petrochemical facility in the Middle
East by a well funded attack team
• Targeted Safety Instrumented System
(SIS) and failed causing a stop in
operations
• 1st malware to specifically target
human life

HOW DID WE GET HERE? TARGETED ICS MATURITY
01
INTEREST
• Acquisition
• Funding
• Training
02
RESEARCH
• IT-focused
• Access Ops
03
ACCESS
• ICS access
• OT Ops
04
EFFECTS
• Loss of Control
• Loss of View
• Process
05
COUNTER-
SAFETY
• Death
• Destruction
• Environment

ICS Cyber Threat Score Matrix
Xt
Ra
Al Cv
El
Mg Ch
Electric Sector O&G Sector
Both Sectors
Dy

You Cannot Just Patch Away the Problem
DRAGOS’ 2017 IN REVIEW REPORTS REVEALED
THAT FOR ICS VULNERABILITIES:
• 64% of all vulns didn’t eliminate the risk
• 72% provided no alternate mitigation to the
patch
• Only 15% could be leveraged to gain initial
access

You Cannot Just Patch Away the Problem
• 204 total ICS vulnerability advisories
• 25% increase from 2017
• 30%+ of vulnerability advisories are
INCORRECT

What Can You Do Today?
1 Enable two-factor (not phone factor) authentication across internal assets and services
2 Control IT-OT boundary
3 Audit and monitor high-value systems: HMI, VPN, safety systems, routers
4 Add OT monitoring, look for behaviors, not indicators
5 Get ICS threat intelligence
6 Manage 3rd Party Risk

ICS Cyber Threat Kill-Chain
STAGE1
STAGE2

Questions?
Sergio Caltagirone
Twitter: @cnoanalysis
Email: sergio@dragos.com
Web: www.dragos.com

Conducting regular security assessments on the organizational network and computer systems has become a vital part of protecting information-computing assets. Security assessments are a proactive and offensive posture towards information security as compared to the traditional reactive and defensive stance normally implemented with the use of Access Control-Lists (ACLs) and firewalls. Too effectively conduct a security assessment so it is beneficial to an organization, a proven methodology must be followed so the assessors and assesses are on the same page. This presentation will evaluate the benefits of credential scanning, scanning in a virtual environment, distributed scanning as well as vulnerability management.

Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets. Amongst others, the webinar covers: • Top Cyber Trends for 2023 • Cyber Insurance • Prioritization of Cyber Risk Presenters: Colleen Lennox Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help other find their next great job! Madhu Maganti Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes. Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting. Date: January 25, 2023 Tags: ISO, ISO/IEC 27032, Cybersecurity Management ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032 https://pecb.com/article/cybersecurity-risk-assessment https://pecb.com/article/a-deeper-understanding-of-cybersecurity Webinars: https://pecb.com/webinars Article: https://pecb.com/article Whitepaper: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION YouTube video: https://youtu.be/BAAl_PI9uRc

Introduction to Risk Management via the NIST Cyber Security Framework

PECB

The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlight opportunities for expanded application for cyber, physical, and personnel security risks. This NIST CSF can help practitioners build a cross-pollenated understanding of holistic risk. Main points covered: • Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms. • Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments. • Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management. Presenters: David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certification Protection Professional (CPP) and Project Management Professional (PMP) certifications. Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence. Recorded webinar: https://youtu.be/hxpuYtMQgf0

Introduction to MITRE ATT&CK

Arpan Raval

Need of SIEM when You have SOAR

Siemplify

Insight into SOAR

DNIF

This presentation showcased live during the DNIF KONNECT meetup on 19th December 2019. We have our presenter: Ruchir Shah- Account Manager at DNIF, walk us through the importance of SOAR Some key points discussed during the meetup: -Understand, what is SOAR. -The problems a SOAR solution solves. -Real-time demo by DNIF expert on SOAR. Watch the full presentation here: https://www.youtube.com/watch?v=bCp-WAs6w5I

Endpoint ProtectionSophos

An introduction to SOC (Security Operation Center)

Ahmad Haghighi

Cyber threat intelligence ppt

Kumar Gaurav

Industrial Cybersecurity and Critical Infrastructure Protection in EuropePositive Hack Days

ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...

Cyber Security Alliance

What's hot

Intro to Security in SDLCTjylen Veselyj

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...

Edureka!

Threat Intelligence 101 - Steve Lodin - SubmittedSteve Lodin

Cyber Security 101: Training, awareness, strategies for small to medium sized...

Stephen Cobb

Threat Hunting with Cyber Kill Chain

Suwitcha Musijaral CISSP,CISA,GWAPT,SNORTCP

Cyber Attack Methodologies

Geeks Anonymes

Cybersecurity Metrics: Reporting to BoD

Pranav Shah

VAPT PRESENTATION full.pptx

DARSHANBHAVSAR14

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

MITRE - ATT&CKcon

Roadmap to security operations excellence

Erik Taavila

Secure Coding and Threat Modeling

Miriam Celi, CISSP, GISP, MSCS, MBA

Analysing Ransomware

Napier University

Cybersecurity trends - What to expect in 2023

PECB

Introduction to Risk Management via the NIST Cyber Security Framework

PECB

Introduction to MITRE ATT&CK

Arpan Raval

Need of SIEM when You have SOAR

Siemplify

Insight into SOAR

DNIF

Endpoint ProtectionSophos

An introduction to SOC (Security Operation Center)

Ahmad Haghighi

Cyber threat intelligence ppt

Kumar Gaurav

What's hot (20)

Intro to Security in SDLC

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...

Threat Intelligence 101 - Steve Lodin - Submitted

Cyber Security 101: Training, awareness, strategies for small to medium sized...

Threat Hunting with Cyber Kill Chain

Cyber Attack Methodologies

Cybersecurity Metrics: Reporting to BoD

VAPT PRESENTATION full.pptx

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

Roadmap to security operations excellence

Secure Coding and Threat Modeling

Analysing Ransomware

Cybersecurity trends - What to expect in 2023

Introduction to Risk Management via the NIST Cyber Security Framework

Introduction to MITRE ATT&CK

Need of SIEM when You have SOAR

Insight into SOAR

Endpoint Protection

An introduction to SOC (Security Operation Center)

Cyber threat intelligence ppt

Similar to The Current ICS Threat Landscape

Industrial Cybersecurity and Critical Infrastructure Protection in EuropePositive Hack Days

ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...

Cyber Security Alliance

Best of Positive Research 2013

qqlan

• ERP security • ICS security assessment • Protection of payment applications, remote banking systems, ATMs • Cloud technologies and virtualization systems • Detection of zero-day vulnerabilities and prevention of APT attacks • Use of Big Data in information security • Analysis of source code and the SAST/DAST/IAST technologies • Complex protection of web applications and portals • Mobile platform and application security

Hunting for cyber threats targeting weapon systems

Fidelis Cybersecurity

While traditional cybersecurity defenses focus on prevention, there are many vulnerabilities and potential attacks against weapon systems. While weapon systems are more software dependent and networked than ever before, cybersecurity has not always been prioritized with regards to weapon systems acquisition. Threat actors have advanced in their sophistication as they are well-resourced and highly skilled, oftentimes gathering detailed knowledge of the systems they want to attack. Ensuring stronger detection methods is imperative, but because these types of threats are very targeted and advanced, agencies need the capability to proactively hunt.

Considerazioni su ITC Security e sui Cyber Attacks seeweb

The Future of Cybersecurity courses.pptx

RykaBhatt

G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...qqlan

2018 Year in Review- ICS Threat Activity Groups

Dragos, Inc.

The Technology Horizon & Cyber Security from EISIC 2015

Ollie Whitehouse

Cyber Threats on the Industrial Environment

Eduardo Arriols Nuñez

Cybersecurity Critical Infrastructure Threats and Examples 2022- Presentation...

Certrec

Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...Graeme Wood

Conférence ENGIE ACSS 2018

African Cyber Security Summit

Insight live om It-sikkerhed- Peter Schjøtt

Mediehuset Ingeniøren Live

Threat Intelligence: State-of-the-art and Trends - Secure South West 2015

Andreas Sfakianakis

Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?

Raffael Marty

The cyber security industry has spent trillions of dollars to keep external attackers at bay. To what effect? We still don't see an end to the cat and mouse game between attackers and the security industry; zero day attacks, new vulnerabilities, ever increasingly sophisticated attacks, etc. We need a paradigm shift in security. A shift away from traditional threat intelligence and indicators of compromise (IOCs). We need to look at understanding behaviors. Those of devices and those of humans. What are the security approaches and trends that will make an actual difference in protecting our critical data and intellectual property; not just from external attackers, but also from malicious insiders? We will explore topics from the 'all solving' artificial intelligence to risk-based security. We will look at what is happening within the security industry itself, where startups are putting placing their bets, and how human factors will play an increasingly important role in security, along with all of the potential challenges that will create.

Opening Keynote - Cybersecurity Summit 2018

aztechcouncil

Cyber threat Intelligence and Incident Response by:-Sandeep Singh

OWASP Delhi

Cyber threat enterprise leadership required march 2014

Peter ODell

SCADA Security Webinar

AVEVA

Similar to The Current ICS Threat Landscape (20)

Industrial Cybersecurity and Critical Infrastructure Protection in Europe

ASFWS 2013 - Critical Infrastructures in the Age of Cyber Insecurity par Andr...

Best of Positive Research 2013

Hunting for cyber threats targeting weapon systems

Considerazioni su ITC Security e sui Cyber Attacks

The Future of Cybersecurity courses.pptx

G. Gritsai, A. Timorin, Y. Goltsev, R. Ilin, S. Gordeychik, and A. Karpin, “S...

2018 Year in Review- ICS Threat Activity Groups

The Technology Horizon & Cyber Security from EISIC 2015

Cyber Threats on the Industrial Environment

Cybersecurity Critical Infrastructure Threats and Examples 2022- Presentation...

Jd sherry howard a. schmidt cyber crime, cyberspy, cyberwar - taking the le...

Conférence ENGIE ACSS 2018

Insight live om It-sikkerhed- Peter Schjøtt

Threat Intelligence: State-of-the-art and Trends - Secure South West 2015

Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?

Opening Keynote - Cybersecurity Summit 2018

Cyber threat Intelligence and Incident Response by:-Sandeep Singh

Cyber threat enterprise leadership required march 2014

SCADA Security Webinar

More from Dragos, Inc.

How to Increase ICS Cybersecurity Return on Investment (ROI)

Dragos, Inc.

In Austin's presentation, he will align his 2019 top 5 findings from the Dragos Industrial Penetration Testing team to tactical activities that can be performed to reduce cyberrisk within industrial environments. Return on Investment (ROI) is a broad and subjective term. Even in terms of industrial cyberrisk reduction, the interpretation of ROI can change drastically depending on who you ask. As a member of the Dragos Industrial Penetration Testing team, he sees the world around him in terms of exploitation effort. Exploitation effort is the investment required by an adversary to advance through a network. In his presentation, Austin will detail five ways that will significantly increase the time and energy needed for an adversary while minimizing operational and capital expenditure.

Dragos 2019 ICS Year in Review

Dragos, Inc.

This presentation overviews the key findings and takeaways from Dragos' 2019 ICS Year in Review reports, detailing ICS vulnerability data, global ICS threat activity, and observations from Dragos' professional service engagements--including threat hunts, penetration tests, tabletop exercises, incident response, and more. Go here to read all of the Year in Review reports, view infographics, and watch the webinar: https://dragos.com/year-in-review-2019/

Dragos and CyberWire: ICS Ransomware

Dragos, Inc.

Dragos S4x20: How to Build an OT Security Operations Center

Dragos, Inc.

Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework

Dragos, Inc.

Reassessing the 2016 CRASHOVERRIDE Cyber Attack

Dragos, Inc.

Upon discovery and initial analysis in mid-2017, audiences primarily viewed CRASHOVERRIDE as a disruptive event targeting electric utility operations in Ukraine. Similar to the 2015 attack in the same area, CRASHOVERRIDE interrupted the flow of electricity by manipulating ICS equipment and delayed recovery operations to prolong the impact. However, CRASHOVERRIDE’s immediate effects represent only the precursors for an attempt at a more ambitious attack than what was achieved. In this presentation, Dragos Principal Adversary Hunter Joe Slowik reexamines the CRASHOVERRIDE event and likely attacker intentions, highlighting how CRASHOVERRIDE attempted a different type of attack than 2015. Viewers learn how to begin developing and deploying the required visibility, resilience, and response measures needed to cope with an attack like CRASHOVERRIDE. To view the webinar, go here: https://youtu.be/yX0ZSu_rVc0

Solving ICS Cybersecurity Challenges in the Electric Industry

Dragos, Inc.

Purple Teaming ICS Networks

Dragos, Inc.

Securing Electric Utility Infrastructure

Dragos, Inc.

A Case Study on Asset Baselining, Threat Detection, and Response - presented by Tim Watkins, Schweitzer Engineering Laboratories, and Matt Cowell, Dragos. The webinar – now available on-demand at https://selinc.com/events/on-demand-webinar/126340/ – provides insights on baselining your operation, building cyber defense, and streamlining ongoing management. SEL and Dragos also shared a case study based on a recent joint effort to address key cybersecurity challenges at a mid-sized US electric utility. Learn more about Dragos at https://dragos.com or follow us at https://twitter.com/dragosinc Learn more about SEL cybersecurity at https://selinc.com/solutions/security-for-critical-infrastructure/ or follow us at https://twitter.com/SEL_news

Rising Cyber Escalation US Iran Russia ICS Threats and Response

Dragos, Inc.

Dragos discusses the quickly rising tensions between the US, Russia, and Iran, threat intelligence on malicious activity surrounding these tensions, and recommended responses to defend industrial control systems and critical infrastructure worldwide. Presentations included from Dragos Threat Intelligence following these threats and the Dragos Threat Operations Center currently responding and defending against these threats. Visit www.dragos.com for more info about industrial cybersecurity

Neighborhood Keeper - Introduction

Dragos, Inc.

In this presentation, Matt Bodman, Director of Special Programs at Dragos, demonstrates the basics of Neighborhood Keeper. Neighborhood Keeper is a collaborative threat detection and intelligence program, led by Dragos in partnership with the DOE, that makes ICS threat analytics and data accessible to the greater ICS community. Its initial participants include: Dragos, Ameren, First Energy, Department of Energy’s Idaho National Labs, North American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center, and Southern Company. Neighborhood Keeper will serve smaller providers who lack sufficient resources to buy and manage advanced security technologies, giving them access to collaborative ICS data at near-real-time and providing them immediate insight into the ICS threat landscape without revealing sensitive data. For more information, please visit https://dragos.com/neighborhood-keeper/

Dressing up the ICS Kill Chain

Dragos, Inc.

In this presentation Daniel Michaud-Soucy, Principal Threat Analyst at Dragos, will demonstrate three separate models in order to identify gaps in ICS security posture. First, threat modeling serves as an inward look as an ICS network defender in order to properly understand the environment, the threat actors, the impacts, the risks and the crown jewels pertaining to an industrial process. Second, the ICS cyber kill chain serves as an outward look at the steps an adversary needs to take in order to achieve their objectives. Third, the bowtie model allows a graphical representation of the threats to the environment as well as the protection, detection, and response controls that help secure it. In the end, the asset owner creates a holistic picture of the security controls in their network, pertaining to the threat actors they care about and allows identification of gaps in their strategy. Visit www.dragos.com to learn more about the Dragos industrial cybersecurity platform for increased visibility of assets, threats and guided responses.

Consequence Informed Cyber Security

Dragos, Inc.

The advent of complex communication networks has revolutionized operational architecture in industrial environments over the last 20-30 years. The availability of real-time operational data has proven to effectively compress decision cycles, increase productivity, and has freed organizations of many resource constraints in their operational environments. However, the fact remains that the reliance on real-time operational data and asset connectivity and communication within industrial environments has also opened the way for attackers to potentially compromise asset functions through the very communication networks that are now depended upon for control of physical processes and safety. Additionally, the steady worldwide increase of industrial cyber-attacks has motivated security professionals to develop a plethora of assessment frameworks to help identify weak points in network defense and lower risk.

Dragos year in review (yir) 2018

Dragos, Inc.

Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...

Dragos, Inc.

Adversary groups and activities targeting industrial control systems are on the rise. Security teams are now tasked with defending increasingly complex and critical control systems without interrupting operations. This presentation highlights plans and progress of a large public electric utility to extend threat detection capability using PI system data sets. Integration with a threat detection platform improves situational awareness and adds value in three ways. It first provides confidence for quickly eliminating threat activity as a root cause of operational upsets. The second benefit is improved likelihood of detecting malicious tradecraft targeting control systems. Finally, the integrated approach provides data in support of control system incident response and forensic activities. Video for presentation here: https://youtu.be/Inn6FPaXN1w Learn more www.dragos.com

Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...

Dragos, Inc.

Key Considerations for Executives from Dragos Executive Year In Review on Industrial Cybersecurity Strategy by Robert M Lee Addresses questions of : - How do we know if we’re underspending or overspending on ICS/industrial cybersecurity? - What is the best thing we can do to get started that will help move us forward in OT security? - If a major attack happens, what is the role of the government? More Info here: https://dragos.com/resource/insights-to-build-an-effective-industrial-cybersecurity-strategy-for-your-organization/ https://www.linkedin.com/company/dragos-inc./ Twitter: https://twitter.com/dragosinc

Industrial Control Systems Cybersecurity Technology Selection

Dragos, Inc.

Selection criteria for today’s ICS cybersecurity technology presented at S4 2019. Includes: - Recommendations for best practices before evaluating an industrial cybersecurity solution in OT environments - Outline of different ICS cybersecurity technologies such as the differences between active and passive scanning, anomaly detection, threat behavior analytics - What’s important in an industrial control systems cybersecurity platform - Practical guide to pilots and bake-offs To learn more read the whitepaper Key Considerations For Selecting An Industrial Cybersecurity Solution for Asset Identification, Threat Detection, and Response https://dragos.com/resource/key-considerations-for-selecting-an-industrial-cybersecurity-solution-for-asset-identification-threat-detection-and-response/ For more about Dragos and the 2019 S4 Detection challenge, read the blog and watch the video here: https://dragos.com/blog/industry-news/dragos-results-of-s4-industrial-cybersecurity-detection-challenge-contest/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/dragos-inc./ Follow us on Twitter: https://twitter.com/dragosinc

Intelligence-Driven Industrial Security with Case Studies in ICS Attacks

Dragos, Inc.

Robert M. Lee's, Dragos CEO, presentation from RSA 2019. Description: Most industrial security best practices are essentially enterprise security best practices copy/pasted into industrial networks. Yet that is not an effective way to reduce risk against industrial-specific threats. Instead, we can learn from ICS attacks that have occurred. In this presentation, Robert M, Lee, CEO and co-founder of Dragos will provide first-hand insights into industrial threats and the lessons learned for industrial security. More information here: https://dragos.com/rsa-2019/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

How Long to Boom: Understanding and Measuring ICS Hacker Maturity

Dragos, Inc.

Sergio Caltagirone's, Dragos VP of Threat Intelligence, presentation from RSA 2019. The industrial control system threat is growing quickly. But ICS hackers do not start by disrupting electric grids. Instead, they mature predictably leading them from things that go bad, to things that go boom. In this presentation, Sergio Caltagirone will explain how using ICS threat intelligence Dragos has developed an ICS hacker maturity model enabling us to determine how much risk a threat poses and predict how long until they reach maximum risk. More information here: https://dragos.com/rsa-2019/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

Debunking the Hacker Hype: The Reality of Widespread Blackouts

Dragos, Inc.

Selena Larson, Dragos Intelligence Analyst's presentation from RSA 2019. There have been public narratives about the US being on the precipice of a nationwide hacker-caused blackout. What is the reality of adversary activity and the potential or likelihood of a cyber attack that could disrupt the electric grid? What are hackers currently doing in ICS networks? In this presentation, Selena Larson, Intelligence Analyst at Dragos will separate fact from (science) fiction. More information here: https://dragos.com/rsa-2019/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

More from Dragos, Inc. (20)

How to Increase ICS Cybersecurity Return on Investment (ROI)

Dragos 2019 ICS Year in Review

Dragos and CyberWire: ICS Ransomware

Dragos S4x20: How to Build an OT Security Operations Center

Dragos S4X20: Mapping ICS Incidents to the MITRE Attack Framework

Reassessing the 2016 CRASHOVERRIDE Cyber Attack

Solving ICS Cybersecurity Challenges in the Electric Industry

Purple Teaming ICS Networks

Securing Electric Utility Infrastructure

Rising Cyber Escalation US Iran Russia ICS Threats and Response

Neighborhood Keeper - Introduction

Dressing up the ICS Kill Chain

Consequence Informed Cyber Security

Dragos year in review (yir) 2018

Dragos & SRP, PI World 2019: Utilizing Operations Data for Enhanced Cyber Thr...

Insights To Building An Effective Industrial Cybersecurity Strategy For Your ...

Industrial Control Systems Cybersecurity Technology Selection

Intelligence-Driven Industrial Security with Case Studies in ICS Attacks

How Long to Boom: Understanding and Measuring ICS Hacker Maturity

Debunking the Hacker Hype: The Reality of Widespread Blackouts

Recently uploaded

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Free Complete Python - A step towards Data Science

RinaMondal9

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Communications Mining Series - Zero to Hero - Session 1

DianaGray10

This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered: • Communication Mining Overview • Why is it important? • How can it help today’s business and the benefits • Phases in Communication Mining • Demo on Platform overview • Q/A

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Recently uploaded (20)

Video Streaming: Then, Now, and in the Future

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

Elizabeth Buie - Older adults: Are we really designing for our future selves?

PCI PIN Basics Webinar from the Controlcase Team

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Pushing the limits of ePRTC: 100ns holdover for 100 days

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

By Design, not by Accident - Agile Venture Bolzano 2024

Essentials of Automations: The Art of Triggers and Actions in FME

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Securing your Kubernetes cluster_ a step-by-step guide to success !

Introduction to CHERI technology - Cybersecurity

Generative AI Deep Dive: Advancing from Proof of Concept to Production

GraphRAG is All You need? LLM & Knowledge Graph

Free Complete Python - A step towards Data Science

UiPath Test Automation using UiPath Test Suite series, part 5

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Communications Mining Series - Zero to Hero - Session 1

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Uni Systems Copilot event_05062024_C.Vlachos.pdf

The Current ICS Threat Landscape

1. Industrial Control System Threats Sergio Caltagirone Vice President, Threat Intelligence & Analytics @cnoanalysis sergio@dragos.com

2. Dragos Ecosystem Dragos Platform Monitoring system that utilizes behavioral analytics to identify threats as they occur and workflow automation for Incident Response Dragos WorldView Expertise and knowledge in ICS threat identification and understanding Dragos ThreatView Experienced ICS Threat Hunting, Incident Response and Training

3. The Problem IOIO IOIO IOIO IOIO IOIO IOIO LACK OF THREAT INSIGHTS No collection and analysis in industrial networks; no threat intel LACK OF TECHNOLOGY Unique industrial challenges demand industrial tech not repurposed IT LACK OF PEOPLE Few People Worldwide Know How to Protect the ICS that Run Our World

4. ICS Threat “Hockey Stick” 1998 - 2009 2010 - 2012 2013 - 2015 2015-2017 Lack of Collection • Campaigns: APT1 • ICS Malware: None New Interest in ICS • Campaigns: Sandworm • ICS Malware: Stuxnet Campaigns Target ICS • Campaigns: Dragonfly • ICS Malware: BlackEnergy 2 and Havex • First attack to cause physical destruction on civilian infrastructure (German Steel) Adversaries Disrupt ICS • Campaigns: 10 Unique • ICS Malware: CRASHOVERRIDE and TRISIS • First and second ever electric grid attacks that disrupt power • First malware to target human life

5. ICS Cyber Threat Kill-Chain • Dec 18, 2014 German Government’s BSI released annual report highlighting incidents • Identified “massive damage” in a steel facility due to a cyber attack • 2nd publicly known case of physical damage to control systems from cyber attacks

6. Ukraine 2015 • 1st Ever cyber attack on a power grid to lead to outages • 3 power companies across Ukraine • SCADA Hijack scenario by a well funded team

7. Ukraine 2016 - CRASHOVERRIDE

8. Middle East 2017 - TRISIS • TRISIS was delivered into a petrochemical facility in the Middle East by a well funded attack team • Targeted Safety Instrumented System (SIS) and failed causing a stop in operations • 1st malware to specifically target human life

9. HOW DID WE GET HERE? TARGETED ICS MATURITY 01 INTEREST • Acquisition • Funding • Training 02 RESEARCH • IT-focused • Access Ops 03 ACCESS • ICS access • OT Ops 04 EFFECTS • Loss of Control • Loss of View • Process 05 COUNTER- SAFETY • Death • Destruction • Environment

10. ICS Cyber Threat Score Matrix

11. MODERATE EXTREME HIGH

12. ICS Cyber Threat Score Matrix Xt Ra Al Cv El Mg Ch Electric Sector O&G Sector Both Sectors Dy

13. Midpoint Access and Attack

14. Attack via Third Parties/Vendors

15. Commodity Malware

16. You Cannot Just Patch Away the Problem DRAGOS’ 2017 IN REVIEW REPORTS REVEALED THAT FOR ICS VULNERABILITIES: • 64% of all vulns didn’t eliminate the risk • 72% provided no alternate mitigation to the patch • Only 15% could be leveraged to gain initial access

17. You Cannot Just Patch Away the Problem • 204 total ICS vulnerability advisories • 25% increase from 2017 • 30%+ of vulnerability advisories are INCORRECT

18. What Can You Do Today? 1 Enable two-factor (not phone factor) authentication across internal assets and services 2 Control IT-OT boundary 3 Audit and monitor high-value systems: HMI, VPN, safety systems, routers 4 Add OT monitoring, look for behaviors, not indicators 5 Get ICS threat intelligence 6 Manage 3rd Party Risk

19. ICS Cyber Threat Kill-Chain STAGE1 STAGE2

20. Questions? Sergio Caltagirone Twitter: @cnoanalysis Email: sergio@dragos.com Web: www.dragos.com

The Current ICS Threat Landscape

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to The Current ICS Threat Landscape

Similar to The Current ICS Threat Landscape (20)

More from Dragos, Inc.

More from Dragos, Inc. (20)

Recently uploaded

Recently uploaded (20)

The Current ICS Threat Landscape