SCADA Security Situational Awareness Briefing. Michael Assante, Brent Huston, & Bob Huber February 5, 2013
What we will cover today!
• Positive developments enhancing the security of legacy & new ICS installs
• 2010 turning point for some negative trends
• Other trends continue to increase the attack surface and weaken the core
• A few leaders are making material changes (authentication of devices and updates)
• Are we keeping up?

Trends impacting security
2012 Previewed the Change to Come: ICS Cyber Risk & Incidents
• ICS vulnerabilities in the public, 2001-2012 (by quarter)
• Significant increase in published exploits
• Incidents & press
• Training & awareness programs
ICS Supplier Progress
• Universal progress on the basics
• Some are driving security features
• VPN to controllers and authentication
• Help improve understanding of system and expected behavior
Budgets
• Grid modernization capital projects
• Involved boards
• CEO leadership in specific sectors
• Compliance resourcing
• Wave of automation investment & asset renewal
ICS Security Investment – A New Category
[Chart: Pike Research estimates $14B cybersecurity spend for Smart Grid by 2018]

Growing Investment in ICS Security
[Chart: Growing investment in ICS security, 2015]
Spawns lots of questions
• What is it being spent on?
• What could it be spent on?
• If you had an additional security dollar, where would it go?
• Who are the buyers? (plant engineers, CSOs, ICS Suppliers)
• Are the market signals strong enough to motivate ICS Suppliers to change product design concepts?
ICS – Specific Vulnerabilities
[Chart] Source: Critical Intelligence
ICS – Specific Vulnerabilities - Example
[Chart] Source: Critical Intelligence
Increasing Threats to ICS
Hacker Bragging / Selling Exploits
“Hi guys, Today I’m selling a bulk of 8 SCADA exploits - Allows Admin Access. I have uploaded pictures (copy links below) for you to see as a p0c. Each Picture is for different types of SCADA software.”
- Unknown Hacker
Source: Critical Intelligence
Integrating Security & Reliability: Who is responsible?
[Diagram: Corporate vs. Cyber Risk, mapped across Business Unit / Generation / Transmission; Plants / Control Centers & Substations; Engineering / Operations]
How well do you know yourself?
• What is that little blinky thingy controlling?
• What happens if that blinky thing goes down?
• How much money is on the line?
P&ID on a state regulatory Web site, marked “confidential”, includes a reference to the state code protecting the filing from public disclosure
Situational Awareness & Threat Intelligence
Situational Awareness is the “here and now”:
• Activists are staging a protest now
• A new ICS vulnerability was released today

Intelligence is forward-looking:
• A spike in port 17185 traffic on the internet at large
• A security researcher asking questions about Profinet on a hacking forum
How to leverage SitA and Threat Intel?
Intelligence and Situational Awareness feeds all layers of your defense in depth:
• Updates and informs policies and procedures
• Increases physical security in response to threats from activists
• Provides mitigation and detection capabilities such as:
  • Indicators of Compromise (IOCs) – filenames, file hashes, IP addresses, hostnames, email information etc.
  • Intrusion Protection signatures
• Heightens overall cyber security awareness
How to leverage SitA & Threat Intel? – cont.
Intelligence and Situational Awareness helps you to:
• Know the enemy:
  • Who is a threat to my organization?
  • What attack tools and exploits are available?
  • How and why did they target specific individuals?
• Know yourself:
  • Where do I have the largest exposure?
  • What is my attack surface?
  • Which vulnerabilities do I have?
  • What assets do I have? (IT, people, facilities etc.)
Proactive steps ICS asset owners should take in response to ICS Cyber Security Trends

Advanced Persistent Threats
• Consider implementing message filtering
• User Security Education and Awareness on Spear-phishing
• Implement central web proxy solutions, limit outbound web traffic to your proxies, and BLOCK uncategorized or unrated sites
• Situational Awareness and Threat Intelligence provides:
  • IOCs to feed into your cyber security solutions
  • IOCs to search your collection/logging/SIEM solutions
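The two slides above (“Provides mitigation and detection capabilities such as IOCs” and “IOCs to search your collection/logging/SIEM solutions”) describe the same defensive workflow: take the filenames, hashes, IP addresses and hostnames a threat-intel feed delivers and sweep them across the logs you already collect. The following is an added example written for this briefing, not code from the authors or any product they mention. The IOC values, the log lines and the log format are all constructed for illustration; a real sweep would read the indicator list from the intel feed and the lines from the SIEM or log archive.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed IOC set, keyed by indicator type. These values are hypothetical
# placeholders standing in for what a threat-intelligence feed would deliver.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "hostname": {"update-cdn.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "filename": {"invoice_scan.exe"},
}

# Constructed sample log lines (proxy, firewall, mail gateway, HMI) in a simple
# syslog-like layout; the hosts, addresses and timestamps are made up.
SAMPLE_LOGS = [
    "2013-02-05T08:12:01Z proxy01 CONNECT 10.0.5.23 -> update-cdn.example.net:443 category=uncategorized action=block",
    "2013-02-05T08:13:44Z fw01 DENY tcp 10.0.5.23:51234 -> 203.0.113.45:17185",
    "2013-02-05T08:15:09Z mailgw attachment=invoice_scan.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2013-02-05T08:16:30Z hmi-02 user=operator login ok from 10.0.5.40",
]

# Token extractors for each indicator type. They pull candidates out of free
# text so the sweep does not depend on one vendor's log schema.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
FILENAME_RE = re.compile(r"\b[\w.-]+\.(?:exe|dll|scr|pdf|docm?|xlsm?)\b", re.I)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str


def extract_candidates(line):
    """Yield (type, normalised value) pairs found in one log line."""
    yield from (("ip", m) for m in IP_RE.findall(line))
    yield from (("hostname", m.lower()) for m in HOST_RE.findall(line))
    yield from (("sha256", m.lower()) for m in SHA256_RE.findall(line))
    yield from (("filename", m.lower()) for m in FILENAME_RE.findall(line))


def normalise_iocs(iocs):
    """Lower-case every indicator so hash and hostname matching is case-insensitive."""
    return {t: {v.lower() for v in vals} for t, vals in iocs.items()}


def scan_logs(lines, iocs=IOCS):
    """Return one Hit per (line, indicator) where a log line contains a known IOC."""
    table = normalise_iocs(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()  # report each indicator once per line, even if it repeats
        for ioc_type, value in extract_candidates(line):
            if value in table.get(ioc_type, ()) and (ioc_type, value) not in seen:
                seen.add((ioc_type, value))
                hits.append(Hit(n, ioc_type, value))
    return hits


def summarize(hits):
    """Count hits per indicator type, the figure an analyst triages first."""
    return dict(Counter(h.ioc_type for h in hits))


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.ioc_type} match on {h.value}")
    print(summarize(found))
```

Matching on extracted tokens rather than raw substrings avoids false hits such as an IOC address appearing inside a longer one, and normalising case keeps upper-case hashes from a vendor report from silently missing lower-case hashes in the logs. The same loop can be pointed at a proxy's block log to confirm that the “uncategorized site” rule from the slide above is actually firing.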
Increasing ICS Vulnerabilities
• Situational Awareness and Threat Intelligence helps:
  • Understand the external threat environment (exploits, latest vulns, actors)
  • Understand your internal environment
Increasing Regulation & Legislation
• Situational Awareness and Threat Intelligence provides:
  • Analysis and updates on the latest regulation and legislative activity that affects ICS owner/operators