SCADA Security Situational Awareness Briefing. Michael Assante, Brent Huston, & Bob Huber February 5, 2013

Author: Scarlett Waters
“ICS / SCADA Security Situational Awareness Briefing” Michael Assante, Brent Huston, & Bob Huber February 5, 2013

What we will cover today!
• Positive developments enhancing the security of legacy & new ICS installs
• 2010 turning point for some negative trends
• Other trends continue to increase the attack surface and weaken the core
• A few leaders are making material changes (authentication of devices and updates)
• Are we keeping up?

Trends impacting security

[Figure: year markers 2005 and 2012]

[Figure: Compressed Cyber Timeline. Bands: Strategic Cyber Warfare (highly structured); Targeted Cyber Attacks (structured); General Cyber Attacks (less structured). Time axis: 1990 to 2010 by year, then 2011 Q1 to 2012 Q4 by quarter. Labels on the figure: Specialization; APT; Stuxnet; ICS; "(Cyber – Physical) What is it?"]

2012 Previewed the Change to Come

ICS Cyber Risk & Incidents
• ICS vulnerabilities in the public 2001-2012 (by quarter)
• Significant increase in published exploits
• Incidents & press
• Training & awareness programs

ICS Supplier Progress
• Universal progress on the basics
• Some are driving security features
• VPN to controllers and authentication
• Help improve understanding of system and expected behavior

Legislation, Policy, & Regulation
• Pending Executive Order
• Cyber Security Act 2012
• Cyber Caucus
• EPACT 2005 FPA Section 215
• SEC guidance

Budgets
• Grid modernization capital projects
• Involved boards
• CEO leadership in specific sectors
• Compliance resourcing
• Wave of automation investment & asset renewal

ICS Security Investment – A New Category $14B 2018 Pike Research estimates for Cybersecurity spend for Smart Grid

Growing Investment in ICS Security 2015

Spawns lots of questions
• What is it being spent on?
• What could it be spent on?
• If you had an additional security dollar where would it go?
• Who are the buyers? (plant engineers, CSOs, ICS Suppliers)
• Are the market signals strong enough to motivate ICS Suppliers to change product design concepts?

ICS – Specific Vulnerabilities

Source: Critical Intelligence

ICS – Specific Vulnerabilities - Example

Source: Critical Intelligence

Increasing Threats to ICS

Hacker Bragging / Selling Exploits

“Hi guys, Today I’m selling a bulk of 8 SCADA exploits - Allows Admin Access I have uploaded pictures ( copy links below ) for you to see as a p0c. Each Picture is for different types of SCADA software.”

- Unknown Hacker

Source: Critical Intelligence

Integrating Security & Reliability: Who is responsible?

[Figure: Corporate vs. Cyber Risk. Labels: Business Unit; Generation; Transmission; Plants; Control Centers & Substations; Engineering; Operations]

How well do you know yourself?
What is that little blinky thingy controlling?
What happens if that blinky thing goes down?
How much money is on the line?

[Figure labels: SCADA/HMI; Controller]

Internet Facing Control System Devices

Source: ICS-CERT Monthly Monitor, Oct/Nov/Dec 2012

Recent Cyber Attacks – Media & DHS reporting

The Wall Street Journal

New York Times

US Energy - Targeted Cyber Attacks

Asset Inventory  Feeds  Action

P&ID on state regulatory Web site - marked “confidential” - includes reference to state code protecting the filing from public disclosure

Situational Awareness & Threat Intelligence

Situational Awareness is the “here and now”
• Activists are staging a protest now
• A new ICS vulnerability was released today

Intelligence is forward-looking
• A spike in activity on port 17185 on the internet at large
• A security researcher asking questions about Profinet on a hacking forum

How to leverage SitA and Threat Intel?

Intelligence and Situational Awareness feed all layers of your defense in depth:
• Updates and informs policies and procedures
• Increases physical security in response to threats from activists
• Provides mitigation and detection capabilities such as:
    • Indicators of Compromise (IOCs): filenames, file hashes, IP addresses, hostnames, email information, etc.
    • Intrusion Protection signatures
• Heightens overall cyber security awareness

How to leverage SitA & Threat Intel? (cont.)

Intelligence and Situational Awareness help you to:
• Know the enemy:
    • Who is a threat to my organization?
    • What attack tools and exploits are available?
• Know yourself:
    • How and why did they target specific individuals?
    • Where do I have the largest exposure?
    • What is my attack surface?
    • Which vulnerabilities do I have?
    • What assets do I have? (IT, people, facilities, etc.)

Proactive steps ICS asset owners should take in response to ICS Cyber Security Trends

Advanced Persistent Threats
• Consider implementing message filtering
• User security education and awareness on spear-phishing
• Implement central web proxy solutions, limit outbound web traffic to your proxies, and BLOCK uncategorized or unrated sites
• Situational Awareness and Threat Intelligence provide:
    • IOCs to feed into your cyber security solutions
    • IOCs to search your collection/logging/SIEM solutions

Increasing ICS Vulnerabilities
• Situational Awareness and Threat Intelligence help you:
    • Understand the external threat environment (exploits, latest vulns, actors)
    • Understand your internal environment

Increasing Regulation & Legislation
• Situational Awareness and Threat Intelligence provide:
    • Analysis and updates on the latest regulation and legislative activity that affects ICS owner/operators
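
The proxy and IOC bullets under Advanced Persistent Threats, as an added example that is not part of the original briefing: a sweep of central proxy logs against an IOC feed that also reports allowed requests to uncategorized sites. The log format, field names, host names and addresses are constructed for illustration (documentation address ranges and example domains).

```python
import csv
import io

# Constructed IOC feed: (type, value) pairs of the kinds the briefing lists.
IOC_FEED = [("ip", "203.0.113.45"), ("hostname", "update.example.net"),
            ("filename", "invoice_q4.scr")]

# Constructed proxy log in a hypothetical CSV layout:
# time, client, dest_host, dest_ip, category, path, action
PROXY_LOG = """\
2013-02-01T08:14:02Z,eng-ws-07,www.example.org,198.51.100.10,business,/index.html,ALLOW
2013-02-01T08:15:40Z,hmi-02,update.example.net,203.0.113.45,uncategorized,/a/invoice_q4.scr,ALLOW
2013-02-01T09:02:11Z,eng-ws-03,UPDATE.example.net.,203.0.113.45,uncategorized,/b/readme.txt,DENY
2013-02-01T09:30:55Z,hist-01,files.example.com,198.51.100.77,uncategorized,/tools/setup.exe,ALLOW
"""
FIELDS = ["time", "client", "dest_host", "dest_ip", "category", "path", "action"]


def normalize(value):
    """Lower-case and drop a trailing dot so FQDN variants still match."""
    return value.strip().lower().rstrip(".")


def sweep(log_text, feed):
    """Return (ioc_hits, policy_gaps) found in the proxy log."""
    index = {"ip": set(), "hostname": set(), "filename": set()}
    for ioc_type, value in feed:
        index.setdefault(ioc_type, set()).add(normalize(value))
    hits, gaps = [], []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        observed = {
            "ip": normalize(row["dest_ip"]),
            "hostname": normalize(row["dest_host"]),
            "filename": normalize(row["path"].rsplit("/", 1)[-1]),
        }
        matched = sorted(t for t, v in observed.items() if v in index[t])
        if matched:
            hits.append((row["client"], matched, row["action"]))
        # Proxy rule from the briefing: uncategorized sites should be blocked.
        if row["category"] == "uncategorized" and row["action"] == "ALLOW":
            gaps.append((row["client"], observed["hostname"]))
    return hits, gaps


if __name__ == "__main__":
    for kind, rows in zip(("IOC hit", "Allowed uncategorized"), sweep(PROXY_LOG, IOC_FEED)):
        for row in rows:
            print(kind, row)
```

A hit with action ALLOW on a control system host (hmi-02 in the constructed log) is the case to escalate first; a DENY hit still shows that a client attempted the connection.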

Where can I get ICS specific SitA & Threat Intel?

Your environment

NexDefense ICS Situational Awareness Service

Questions?