Talk given at S4x17 - Miami - USA (in English)

Talk given by Marcelo Branquinho on 11/1/17 on the main stage of the S4x17 event, in Miami, USA.

  1. TI Safe Segurança da Informação LTDA, 2007-2010. All rights reserved. Ransomware in ICS..... It begins. Marcelo Branquinho, January 2017
  2. www.tisafe.com. Agenda:
     • Introduction
     • About Ransomware
     • Ransomware in ICS: Study Case #1 – Furniture Factory; Study Case #2 – Electrical Company
     • What if the worst happens?
  3. INTRODUCTION
  4. Threats have changed (diagram: Past vs. Present; diagram labels: Data, Internet, Encryption, Targeted):
     • Past. Purpose: notoriety. One person or small groups; limited knowledge and resources; basic attacks.
     • Present. Purpose: profit, sabotage and conflict among organized nations. Targeted attacks; funded, with growing industry focus; advanced attacks.
  5. SCADA / ICS - The perfect storm for cyber attacks
  6. Unknown control and persistent advanced threats. Malware impacting industrial production.
  7. The scenario is bad, but can it get worse??
  8. Sure!! The attackers have figured out that ICS are an easy target..... and have started to attack them!
  9. ABOUT RANSOMWARE
  10. What is Ransomware?
     • Ransomware is a type of malware that prevents users from accessing their data.
     • The user will recover access to the data only by paying a ransom.
     • Ransomware directly affects the availability of ICS by blocking access to information vital to their operation.
  11. Is Ransomware a new threat?
  12. Ransomware in ICS.... It Begins
  13. (image slide, no text)
  14. The ransom is rising... it just happened last week
  15. Ransomware in OT vs. Ransomware in IT
     • Ransomware in OT can be much worse than ransomware in IT because it can directly affect SCADA system operation by:
       - Blocking access to HMIs
       - Encrypting Windows SCADA supervision and programming machines (HMIs)
       - Encrypting historians and production databases
       - Encrypting engineering stations
       - Spreading to other plants through remote access or VPNs
       - Blocking access to utility systems
  16. RANSOMWARE IN ICS: TWO STUDY CASES IN BRAZIL
  17. STUDY CASE #1: FURNITURE FACTORY
  18. Study Case #1 – Furniture Factory
     • Where: State of Goiás, Brazil
     • Type of Ransomware: cryptoRSA4096-Ransomware
     • Machines infected: Windows SCADA supervision and programming machines (HMIs) inside the factory.
  19. Study Case #1 – Furniture Factory
     • Consequence: The factory stopped working. The company lost customer and supplier records, employee payroll, and machine supervision and programming.
     • Ransom requested: US$ 3,061.00
     • Financial loss: The factory was stopped for 15 days (a loss of approximately US$ 100,000.00 due to production downtime and delivery delays) until it reorganized and returned to its normal routines.
     • No ransom was paid; the infected machines had to be fully rebuilt because the OT team did not have healthy and up-to-date backups.
  20. Video - Ransomware in Furniture Factory. Video produced by Globo TV (Brazil) and broadcast nationwide in Brazil on “Fantástico”, a Sunday night TV show.
  21. STUDY CASE #2: ELECTRICAL COMPANY. Special thanks to Mr. Alexandre Freire, from the Palo Alto Networks SCADA & ICS Tiger Team, for sharing information on this study case.
  22. Study Case #2 – Electrical Company
     • Where: South of Brazil
     • Type of Ransomware: CryptoLocker
     • Machines infected: Windows SCADA supervision machines (HMIs) inside a control center.
  23. Study Case #2 – Electrical Company
     • Infection vector: A flash drive used at one HMI. The ransomware spread through file shares and mapped network folders, infecting three other supervision stations on the same automation network segment.
     • Consequence: momentary loss of supervision and control of power distribution.
     • Ransom requested: USD 300.00 per machine (4 machines were infected)
     • Financial loss: None, because control was automatically transferred to a secondary control center that was not physically connected to the main control center. No ransom was paid; the infected machines could be restored from healthy backups.
  24. WHAT IF THE WORST HAPPENS?
  25. What if the worst happens? When mitigation fails, it is important for organizations and individuals to consider all possible responses to a ransomware attack:
     • Have a prepared incident response team: This team must have previously planned, during its risk assessment, a procedure to follow in the event of a ransomware attack. This procedure should start by notifying the authorities and regulators, because ransomware attacks are crimes under the law.
     • Switch control to a secondary control center: for non-stop real-time systems, a secondary control center must be fully prepared to be activated.
     • Try to recover lost data: System backup and recovery is the only technical solution that reverts a ransomware attack. Having up-to-date backups is vital in cases of critical data loss. In this case, it will be necessary to recover the systems and data to return to normal business activity.
     • Do nothing: In cases where the ransom outweighs the cost of the system, the victim can purchase a new device and dispose of the infected system.
  26. What if the worst happens? (cont.)
     • Pay the ransom: Some attackers may release the system after receiving payment, because doing otherwise would reduce the probability that new victims fall for the scheme. Unfortunately, however, there is no guarantee that the attackers will help you recover the data after the ransom is paid.
     • A hybrid solution: simultaneous efforts to pay the ransom and to restore systems from a trusted backup. Organizations opt for this strategy when system downtime is even more critical than the consequences of paying the ransom.
  27. An important detail....
     • Modern ransomware is able to search for servers and backup applications running on the network and encrypt them as well...
     • In these cases, the only possible solution will be to pay the ransom.
     • Paying ransoms can be easy for private institutions, but public companies do not have money allocated for this... They would have to put the ransom out to public tender.
  28. Marcelo Branquinho, Marcelo.branquinho@tisafe.com, +55 21 994002290
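In study case #2 the ransomware moved from one HMI across file shares and mapped folders to three other supervision stations. As an added example that is not part of the presentation, the following Python script runs a simple burst detector over constructed file-server audit lines: a host that writes or renames many files to an extension outside the known SCADA file types within a short window is flagged. The audit-line format, hostnames, share paths, allowed extensions and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Audit-line format, allowed extensions and thresholds are assumptions for this example.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")
ALLOWED_EXT = {".csv", ".xml", ".prj", ".db", ".log", ".bak"}  # normal HMI/historian file types
THRESHOLD = 10                   # suspicious writes from one host ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window raise an alert

def parse(line):
    """Return a dict with ts/host/op/path, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev

def suspicious(ev):
    """A write or rename whose resulting extension is not a known SCADA file type."""
    if ev["op"] not in ("WRITE", "RENAME"):
        return False
    name = ev["path"].rsplit("\\", 1)[-1]   # file name only, so dots in folder names are ignored
    return "." in name and "." + name.rsplit(".", 1)[1].lower() not in ALLOWED_EXT

def detect(lines):
    """Sliding-window count of suspicious events per host; alert once when THRESHOLD is crossed."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or not suspicious(ev):
            continue
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) == THRESHOLD:
            alerts.append((ev["host"], ev["ts"].isoformat()))
    return alerts

def sample_lines():
    """Constructed audit lines: normal project saves from hmi-01, then a rename burst from hmi-02."""
    t0 = datetime(2017, 1, 11, 10, 0, 0, tzinfo=timezone.utc)
    normal = [f"{(t0 + timedelta(seconds=10 * i)).isoformat()} host=hmi-01 op=WRITE "
              f"path=\\\\scada-fs\\proj\\pump{i}.prj" for i in range(5)]
    burst = [f"{(t0 + timedelta(seconds=2 * i)).isoformat()} host=hmi-02 op=RENAME "
             f"path=\\\\scada-fs\\hist\\tags{i}.csv.locked" for i in range(12)]
    return normal + burst
```

Calling `detect(sample_lines())` returns one alert for hmi-02 at the tenth rename; the five project saves from hmi-01 never reach the threshold.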
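Study case #1 had no healthy and up-to-date backups, study case #2 was restored from them, and slide 27 warns that modern ransomware also encrypts backups it can reach over the network. As an added example that is not the presenter's code, this Python check turns "healthy and updated" into three testable conditions per backup set: age within the recovery point objective, SHA-256 matching the manifest recorded at backup time, and media that is not reachable as a network share. Hostnames, media types and image contents are constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class BackupSet:
    host: str              # HMI, engineering station or historian the image came from (constructed)
    taken_at: datetime
    media: str             # "offline" (detached disk/tape), "immutable" (WORM store) or "network_share"
    expected_sha256: str   # recorded in the manifest when the backup was taken
    payload: bytes         # image content; constructed bytes stand in for a real image

# Media that share-crawling ransomware (as in study case #2) can reach and encrypt.
ONLINE_MEDIA = {"network_share"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_backup(b: BackupSet, now: datetime, max_age: timedelta) -> list:
    """Return the list of problems; an empty list means the set is safe to restore from."""
    problems = []
    if now - b.taken_at > max_age:
        problems.append("stale")             # older than the recovery point objective
    if sha256_hex(b.payload) != b.expected_sha256:
        problems.append("integrity")         # altered or encrypted after the manifest was written
    if b.media in ONLINE_MEDIA:
        problems.append("online-reachable")  # would be hit together with the production hosts
    return problems

def report(sets, now: datetime, max_age=timedelta(days=1)) -> dict:
    """Map each host to its problem list so stale or exposed sets stand out before an incident."""
    return {b.host: check_backup(b, now, max_age) for b in sets}

def restorable_hosts(sets, now: datetime, max_age=timedelta(days=1)) -> list:
    """Hosts whose backup set passed every check."""
    return sorted(h for h, p in report(sets, now, max_age).items() if not p)

# Constructed inventory: one good set, one stale historian, one engineering-station image
# exposed on a share, and one image whose content no longer matches its manifest.
NOW = datetime(2017, 1, 11, tzinfo=timezone.utc)
SAMPLES = [
    BackupSet("hmi-01", NOW - timedelta(hours=12), "offline", sha256_hex(b"hmi-01-image"), b"hmi-01-image"),
    BackupSet("historian-01", NOW - timedelta(days=20), "offline", sha256_hex(b"hist-image"), b"hist-image"),
    BackupSet("eng-ws-01", NOW - timedelta(hours=6), "network_share", sha256_hex(b"eng-image"), b"eng-image"),
    BackupSet("hmi-02", NOW - timedelta(hours=6), "immutable", sha256_hex(b"hmi-02-image"), b"\x00ENCRYPTED"),
]
```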
