<<

Your Critical Infrastructure is No Longer Immune to Cyber Attacks
Learn How to Protect it Before it is Too Late
Whitepaper

TABLE OF CONTENTS

Executive Summary 3
More Threats Than Ever, No Slowing Down 4
Concurrently Increasing Threat Sophistication 4
Everyone is Affected – But CIs See Highest Impact 5
Where are CIs Vis à Vis These Threats? 5
Six Factors Making CIs More Vulnerable to Cyber Threats Than Any Other Organization 6
  Security for ICS/SCADA Was Not Built-In From the Get Go 6
  Reluctance to Replace/Update Equipment and Software 7
  Cyber Security Directives are Mostly Voluntary 7
  Assumed Physical Isolation, Obscurity, Are Myths 8
  Using Security Solutions That Don’t Fit the Job 8
  CIs are Prime Target for Hostile Hackers, Hacktivists and Nation States 9
What Can CIs Do to Dramatically Lower Risk Exposure? 9
  Periodic Training and Awareness Campaigns 9
  Strategic Segmentation 10
  Defense in Depth 10
  Real-Time Protection 10
  Detect Unknown Cyber and Operational Threats 11
  Keep Evolving! Threats Are a Moving Target 11

Your Critical Infrastructure is No Longer Immune to Cyber Attacks Confidential 2 WHITEPAPER

EXECUTIVE SUMMARY

Researchers and organizations tasked with evaluating the evolution of cyber threats as they apply to consumers, businesses and critical infrastructure (CI) have been increasingly sounding the alarm that threats are growing in severity. Cyber-borne malice is on the rise in scale and sophistication, frequently bringing highly targeted, complex, and dangerous attack scenarios to light.

The information revolution launched by the Internet has reached into every corner of our lives, and cyber threats nowadays adversely affect every type of organization. However, there is one sector where impact by an attack can be devastating. That sector is the industries defined as critical infrastructure; the backbone of the economy and the facilitator of life as we know it.

Critical infrastructure is not only the sector where the impact of a cyber-attack can reach catastrophic dimensions; it is also a very vulnerable sector, because security was historically neglected in most of the systems still in use today.

This paper will explore the particularities that result in significantly higher risk levels for CIs as compared with those encountered by other organizations. The conclusion section offers some best practices and suggests ways to use technological innovations to make CIs more resilient and better protected in the face of a brave new world of connectivity and threats from cyber space.


MORE THREATS THAN EVER, NO SLOWING DOWN

As things stand in the world of online threats, the information revolution and Internet connectivity have brought with them a stream of cyber-attacks that grows in number every year.

Looking at phishing statistics, 2013 was the seventeenth consecutive record year, with over 450,000 unique attacks; the number of phishing attacks has increased every single year since 1996, when this type of cyber threat started gaining momentum. On the malware front, new malicious code of all types exceeded the 20 million variant mark in the third quarter of 2013 [1], and the tally grows every year. In fact, one AV vendor [2] claimed that 20% of all malware ever created saw light in 2013.

Another stark example is mobile malware. 2014 marks the tenth anniversary of this threat, which saw a major boom throughout the past four years, evolving to include Trojans, spyware, adware, and, most troubling, being leveraged to facilitate targeted cyber espionage attacks. Researchers [3] note having found an average of 272 new malware variants and five new families per month in 2013. A report released in late March 2014 further indicated that mobile malware and high risk apps reached the 2 million milestone, double the number reported a mere six months earlier.

The picture is clear: the number of threats, and of the attacks they are used in, is growing rapidly, and their evolution shows no sign of slowing.

CONCURRENTLY INCREASING THREAT SOPHISTICATION

Beyond their sheer number, cyber threats and the attacks they are linked with have also been evolving in terms of sophistication. This trend holds true for commercially available threats, sold in underground markets, where a new, notable maturity has been emerging, pointing to greater sophistication, stealthier malware, and better keeping attackers out of sight [4].

It is quite alarming that the same progression applies to targeted attacks (and advanced persistent threats). Carefully tailored to their victims’ systems, APTs are made to circumvent existing security, infiltrate the infrastructure, and slowly make their way toward the final mark. Those targeted attack schemes are one of the top concerns for security teams in all types of organizations.

The notable, increased intricacy of the targeted breed of cyber-attacks is frequently underscored by industry experts who see the escalation first hand. Take for example the espionage operation dubbed The Mask; the campaign was named “one of the most advanced global cyber espionage campaigns to date” [5] by Kaspersky Labs researchers. Another recent example is the Uroburos APT; it was named “one of the most advanced we have ever analyzed” by G-Data’s research team.

To that effect, in a recent interview at the RSA Conference 2014, Wade Baker, principal analyst at Verizon, noted: “…The bad guys are winning at a faster rate than the good guys are winning and we’ve got to solve that; we’ve got to do something different.”

Sidebar:
• Phishing: Over 450,000 unique attacks in 2013
• Malware: Tens of millions of variants per quarter in 2013. 20% of all malware ever was released in 2013.
• Mobile Malware: On average 272 new malware variants and five new families per month in 2013. Variant count doubles within six months from 1 million to 2 million.

[1] Source: McAfee Labs
[2] Source: Panda Security
[3] Source: Symantec
[4] Source: RAND Corp.
[5] Source: Kaspersky Labs


EVERYONE IS AFFECTED – BUT CIs SEE HIGHEST IMPACT

High profile cyber-attacks publicized over the past five years have organizations of all sizes more invested than ever in protecting their sensitive data and that of their customers. Nevertheless, adversaries still seem to be getting through, disrupting, destroying, and stealing intellectual property and valuable, sensitive data even from organizations with the largest security budgets.

The list of victims exposed in the aftermath of large scale operations is widely diverse. While some industries suffer more attacks than others, not one sector is exempt from the threats posed by hackers and attackers, which can result in customer data breaches, bank account heists, intelligence collection, and the theft of invaluable intellectual property.

Well known cases of targeted attack campaigns, like Night Dragon or APT1, invariably reveal an eclectic list of aims from different countries and industries, for example: Google, Adobe, HBGary, DuPont, Intel, Juniper Networks, defense contractor Northrop Grumman, and Dow Chemical, to name just a few. Other targets on the list include government, diplomatic missions and embassies, scientific research organizations, trade and commerce, the energy sector (nuclear, oil and gas), aerospace, and all branches of the military.

Indeed, attackers seem to have a big appetite for variety, but while commercial entities and large corporations are prime targets for hostile agents and nations, the impact and repercussions they stand to absorb are almost entirely financial in nature. It is critical infrastructure that nations are much more concerned about, for the simple reason that impact to those organizations can be catastrophic.

The nature of critical infrastructure organizations and their role in serving the nation’s daily activities is what makes potential harm to them so daunting. It is all too easy and extremely disheartening to imagine a blackout due to an attack on the power grid, the pollution of drinking water, major train or air travel disasters, and even a nuclear meltdown or explosion attributed to a successful attack by foreign adversaries.

While a major cyber-attack has not affected any particular nation at the time of writing this report, national defense officials have already publicly warned about the possibility of a “cyber-Pearl Harbor” due to increased vulnerability to foreign hackers who could make it their aim to dismantle power grids, transportation systems, financial networks and government resources [6].

Another quote on the subject came from former head of the NSA Gen. Keith Alexander (see side bar). In a speech to the Senate, Alexander described the imminence of a devastating cyber-attack that would affect critical infrastructure and the population as a whole, indicating it was only a matter of time before such a scenario becomes reality.

Gen. Keith Alexander: “…it is only a matter of time before the sort of sophisticated tools developed by well-funded state actors find their way to groups or even individuals who in their zeal to make some political statement do not know or do not care about the collateral damage they inflict on bystanders and critical infrastructure.”

WHERE ARE CIs VIS À VIS THESE THREATS?

Facing the increasing threats and the new means attackers have nowadays to infiltrate organizations and inflict harm, critical infrastructure IT security teams are under major pressure to find ways to secure their mixed environments of machines, computers and connectivity.

The task is daunting; much more daunting, in fact, than securing any other enterprise’s systems. The reason critical infrastructure is so much more complex is that, beyond its more typical enterprise network, it is further made up of old machinery and dated software, and uses protocols devised in the 1970s, 1980s or 1990s alongside high-tech networks, new smart metering, grids, monitoring and connectivity schemes.

The reality for those organizations is that not only do they have to find ways to secure machines, devices and connections that were not created with security in mind, but also, the heterogeneity of the overall environment raises technological challenges that make it harder to harmonize and protect.

Since CIs are already highly regulated and their operations are part of nations’ legislative makeup, they receive ample attention from leaders and from national and regional committees, designed to guide them in protecting themselves from any factor that can inflict extensive collateral damage or disastrous outcomes, including cyber-attacks.

Seeing as cyber threats are an increasing concern to homeland security as a whole, the issue has seen the emergence of very specific directives intended to underscore the urgent need for attention to cyber security, and to empower leaders of organizations with a set of guidelines, professional advice, and policies they could use to build a robust plan.

[6] Source: NY Times (quoting Defense Secretary Leon E. Panetta)


For example, in February 2013, President Obama signed Executive Order (EO) 13,636, “Improving Critical Infrastructure Cybersecurity,” and Presidential Policy Directive (PPD)-21, “Critical Infrastructure Security and Resilience.”

As awareness of these threats continues to grow around the world, similar guidelines were also established in Europe by the European Commission, and in various countries throughout Latin America, Asia and the Pacific region, Australia, North Africa, and others.

In most countries, including the US, adopting cyber security guidelines and operating accordingly is still surprisingly voluntary. It is only very recently that the Department of Defense (DoD), in a significant change in security policy, decided to drop its longstanding DIACAP [7] compliance scheme and adopt the NIST’s civilian risk-focused security approach, thereby enforcing it de facto. The DoD is the first organization to enforce an elaborate cyber-security infrastructure for compliance status; it plans to transition all accreditations to the new scheme by September 2017.

While these changes are taking place, it appears that experts are rather apprehensive about the current state of affairs. In a prepared statement, the former NSA Director, Gen. Keith Alexander, was quoted as saying: “On a scale of one to 10, with 10 being strongly defended, our critical infrastructure’s preparedness to withstand a destructive cyber-attack is only about a three, based on my experience.”

SIX FACTORS MAKING CIs MORE VULNERABLE TO CYBER THREATS THAN ANY OTHER ORGANIZATION

It is evident that CIs are the focus of much concern and protection effort nowadays, in the face of converging security threats to their operations and physical integrity in the shape of cyber-borne attacks. In this section we explore a number of the most problematic factors that contribute to the vulnerability of industrial CIs, and that set them apart from any other type of organization.

1. Security for ICS/SCADA was not built-in from the get go
2. Reluctance to Replace/Update Equipment and Software
3. Cyber Security Directives are Mostly Voluntary
4. Assumed Physical Isolation, Obscurity, Are Myths
5. Using Security Solutions That Don’t Fit the Job
6. CIs are Prime Target for Hostile Hackers, Hacktivists, and Nation States

These factors can be divided into two main types:
• Issues the CI has direct control over
• Issues the CI cannot control

For the first type, factors can be an internal decision to postpone, or refrain from, equipment and software upgrades. The second type includes uncontrollable factors such as the rise of hacktivists who specifically target CIs and run attack campaigns against, for example, oil and gas companies.

SECURITY FOR ICS/SCADA WAS NOT BUILT-IN FROM THE GET GO

The first issue, and the root cause of the current cyber insecurity of CIs, is the fact that ICS/SCADA were never built with security notions in mind 20 and 30 years ago. At the time, vendors and internal teams could not foresee the coming information revolution and therefore failed to plan accordingly.

Keith Stouffer, chairman of the Process Control Security Requirements Forum and an engineer at NIST, put it plainly: “SCADA systems were designed around reliability and safety, not security. Now SCADA systems are becoming increasingly interconnected with IP networks and have become vulnerable to internet threats.”

In more detail, ICS protocols like Modbus (1979) and SNMP (1988) were defined in the late 1970s and 1980s without security in mind, since the then foreseeable future expected them to connect only to an internal network or a local console, literally air gapped from the Internet. A Modbus frame carries no authentication and no integrity check: any host that can reach a controller on TCP port 502 can read its registers and write its coils. Fast forward to today and ICS is no longer isolated; rather it is networked, operating as part of larger IT systems and moving closer to a variety of newer connectivity schemes. This is where the lack of security leads to reports of ICS that connect directly and openly to the Internet, allowing access to machinery with default passwords, which in turn can let even the least crafty attackers in.

Another issue that plays its part in the lower security level for ICS, and which is nonexistent in other domains, is the lack of patching procedures or bug bounty programs for controls that are basic and very easy to hack. The present day control systems used to manage power plants, chemical manufacturing plants, and many more strategic facilities across the world are wholly inadequate, and are considered as simple to tamper with as “hacking in the 80s”.

The relative ease of reaching ICS is exemplified by the incident at an Illinois water utility in 2011, initially reported as an external attacker operating from a Russia-based IP address powering a SCADA water pump on and off until it burnt out. Minor glitches had been observed in remote access to the SCADA system for 2-3 months before the event was labelled a cyber-attack, and no action was taken to secure it. A subsequent DHS and FBI investigation found no evidence of an intrusion: the Russian IP address belonged to a contractor who had logged in remotely while travelling, and the pump failure was mechanical. The episode remains instructive for what it exposed: remote access to the SCADA host was in routine use, and nobody had a baseline that could distinguish a legitimate login from a hostile one. With better security and anomaly detection, either a real attack or a false alarm of this kind would have been recognized upon its earliest signs.

Indeed, the benefits of connectivity are many and marked, but without proper security for this newfound machine awareness, the potential threats can tilt the balance in the wrong direction. Although connectivity is risky for CIs at this time, the fact of the matter is that it cannot be stopped, and so it should be enabled securely.

[7] Source: DOD Information Assurance Certification and Accreditation Process
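The two weaknesses just described, a write protocol with no authentication and nobody watching how a pump is being driven, are easiest to see in code. The block below is an added example for this whitepaper, not code from the paper or from any vendor: a minimal Modbus/TCP decoder (MBAP header plus the address/value words of the PDU), followed by two detections a protocol-aware monitor would run over mirrored control-network traffic, namely writes from hosts outside an engineering allowlist and a coil toggled faster than the process allows. The host addresses, unit ids, coil numbers, thresholds and the sample frames are constructed for illustration.

```python
"""Protocol-aware monitoring for Modbus/TCP (added example; hosts, unit ids,
coil numbers, thresholds and frames below are constructed, not captured)."""
from collections import defaultdict, deque
from dataclasses import dataclass
import struct

# Function codes that change process state.  The frame format has no
# authentication field at all, so the source host is the only thing a
# monitor can check a write against.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
COIL_ON, COIL_OFF = 0xFF00, 0x0000


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int   # starting coil/register
    value: int     # value (FC 5/6) or quantity (other functions)


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode MBAP (7 bytes) + PDU for the common request shapes, where the
    two 16-bit words after the function code are address and value/quantity."""
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus address/value")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"not Modbus: protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    function = frame[7]
    address, value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(tid, unit, function, address, value)


def build_write_coil(tid: int, unit: int, coil: int, on: bool) -> bytes:
    """Constructed FC 05 request, used here only to generate sample traffic."""
    pdu = struct.pack(">BHH", 0x05, coil, COIL_ON if on else COIL_OFF)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


@dataclass
class Alert:
    kind: str
    src: str
    detail: str


class ModbusMonitor:
    """Flags writes from hosts outside the engineering allowlist, and a coil
    written more than max_toggles times inside window_s seconds (the pattern
    of a pump being cycled on and off until it fails)."""

    def __init__(self, allowed_writers, max_toggles: int, window_s: float):
        self.allowed_writers = set(allowed_writers)   # from the asset inventory in practice
        self.max_toggles = max_toggles
        self.window_s = window_s
        self._coil_history = defaultdict(deque)       # (unit, coil) -> write timestamps

    def observe(self, ts: float, src: str, frame: bytes) -> list:
        req = parse_modbus_tcp(frame)
        alerts = []
        if req.function not in WRITE_FUNCTIONS:
            return alerts                              # reads are not state changes
        what = f"{WRITE_FUNCTIONS[req.function]} unit {req.unit_id} addr {req.address}"
        if src not in self.allowed_writers:
            alerts.append(Alert("unauthorized_write", src, what))
        if req.function == 0x05:
            hist = self._coil_history[(req.unit_id, req.address)]
            hist.append(ts)
            while ts - hist[0] > self.window_s:        # drop writes outside the window
                hist.popleft()
            if len(hist) > self.max_toggles:
                alerts.append(Alert("coil_flapping", src,
                                    f"coil {req.address} written {len(hist)}x in {self.window_s}s"))
        return alerts


def run_demo() -> list:
    """Constructed traffic: one legitimate write from the engineering host, a
    read from an unknown host, then that host cycling the pump coil six times."""
    mon = ModbusMonitor(allowed_writers={"10.10.1.5"}, max_toggles=4, window_s=30.0)
    alerts = []
    alerts += mon.observe(0.0, "10.10.1.5", build_write_coil(1, 1, 3, True))
    read_regs = struct.pack(">HHHBBHH", 2, 0, 6, 1, 0x03, 0, 10)  # FC 03: read 10 holding regs
    alerts += mon.observe(1.0, "203.0.113.77", read_regs)
    for i in range(6):
        alerts += mon.observe(2.0 + i, "203.0.113.77",
                              build_write_coil(3 + i, 1, 3, on=(i % 2 == 0)))
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.kind:18} {a.src:14} {a.detail}")
```

Run as a script, the demo emits one `unauthorized_write` for each of the six writes from the unknown host and a `coil_flapping` alert once coil 3 has been written more than four times in the window; the legitimate write and the read produce nothing. A signature-based IPS would see only TCP port 502 traffic; both detections depend on decoding the protocol and on knowing which hosts are supposed to write.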


This is the place to note that even without connectivity, recent attack incidents showed that there are ways to access air gapped systems even if they are not connected to the Internet. Furthermore, malware such as the Uroburos APT proves that attackers have devised workarounds to reach machines that are not connected to the Internet, through the use of a P2P proxy on a machine that is.

Another issue that plays into the same factor is the attempt to save money by upgrading parts of the system, like moving to an electronic network, and while at it, not spending any extra on security. This creates patches of vulnerabilities that riddle the entire attack surface, exacerbating the problem.

While the notions of connectivity seem to open a wide door to attackers, the way to protect CIs is not by stopping connectivity, but rather through adapted security and training that can help organizations enjoy and profit from all aspects of connectivity, while deploying technology that can minimize the risks.

RELUCTANCE TO REPLACE/UPDATE EQUIPMENT AND SOFTWARE

Considering the previous factor, the go-to answer would be to start demanding and using more secure controls and ‘baking in’ security into everything. However, that is not what happens in reality.

Experts in the field of industrial CI operations and security are sounding the alarm on the fact that many organizations delay upgrades, avoid updating software, and refrain from temporary downtime for the purpose of revamping security.

The reasons for decisions of this type, which are usually taken internally and in the hope that things will be okay for the short term, are the strong reluctance of CIs to have to deal with issues like:
• Downtime
• Multi-million dollar cost of stopping critical assets even for a few hours
• Complex implementation and integration of SCADA
• Complex and time consuming recalibration
• Complex and time consuming load balancing

What ends up happening in the case of most CIs is that their overall operation runs with very minimal security, while the need for very tight security is on a sharp incline. Being aware of that dire need, security teams attempt to “bolt on” and layer security in the middle, in a rather patchy fashion, as much as they can. One example result of this approach is that some turbines, oil rigs, and various other industrial installations are still running on the Windows 98 platform, which exposes them to exploitation and remote access by attackers.

A recent example quotes researchers who said “We went from zero to total compromise” after finding several holes in Yokogawa’s Centum CS 3000 software.

A quote from Patrick C. Miller, founder of the nonprofit Energy Sector Security Consortium, illustrates the overall situation rather figuratively: “We’ve got this cancer that is growing inside our critical infrastructure. When are we going to go under the knife instead of letting this fester? We need to restructure some regulations and incentives.”

The issue persists as companies continue to put upgrades off, sometimes all the way until a crash happens, or until ordered to take action by the regulators, or unless a meaningful incentive is granted.

The same goes for SCADA, where updating the systems is so complex that CIs take the ‘don’t fix it if it’s not broken’ approach. Replacing or implementing SCADA is an even more daunting project, both in magnitude and intricacy, which causes utilities, for example, to steer away from revamps unless there is no other choice. The result here can easily be an update that is ten years overdue before it is addressed, and then only due to some sort of a crisis.

Another issue that comes into play here is that the older devices used by CIs are readily available, and so hackers and nation-sponsored adversaries can easily obtain and analyze them thoroughly, finding exploits they can then use on numerous targets.

The bottom line of this ongoing mix of reluctance to act due to costs, complexity of upgrades, and lack of incentives from regulators, together with outdated equipment, controls, and software, leaves CIs highly vulnerable to hackers who can easily attack systems for which patches are no longer being issued, not to mention the simpler reach into high impact assets.

CYBER SECURITY DIRECTIVES ARE MOSTLY VOLUNTARY

Understanding that organizations are reluctant to upgrade for different reasons, and bringing up the concept of regulation and incentives: is it not possible to oblige CIs to apply certain updates periodically?

So far, regulators have not been enforcing advanced cyber security directives. Regulation requirements like the NERC CIP were only approved in 2008, a mere two years before the Stuxnet worm was discovered in Iran. Initiatives like the NIST Cyber Security Framework in the US are recommended guidelines, and as such, companies that choose to implement them only do so to a certain extent, if at all.

Beyond the official entities, stakeholders from the process control world in different countries are working to bring together users, academics, government officials, integrators and suppliers to create a common language and define security needs, but more importantly, exactly how to solve them. While these advancements are positive, regulators will have to begin enforcing them, and governments will have to incentivize the process.


ASSUMED PHYSICAL ISOLATION, OBSCURITY, ARE MYTHS

In the past, before network connectivity came into the world of ICS/SCADA, these systems were assumed to be air gapped. The idea was that by creating a physical gap between the control network and the business network, threats like hackers and malware would never be able to reach into critical control systems.

This notion of physical isolation, while it did address the need for security in the 60s when monolithic or distributed connections were most in use, is impossible to truly implement nowadays, at a time when ICS/SCADA is networked and connected by IP and to Internet resources.

[Figure: generations of control systems. Gen 1: Monolithic; Gen 2: Distributed; Gen 3: Networked; Today, Gen 4: Internet of Things]

Things changed over time; systems’ purposes have been redefined, reconfigured, and connected on different levels. For example, a system that used to be accessible only to a single computer operating in proximity to a robotic palletizer or a pump system became accessible via the Internet, with very little hindrance.

Vendors are not disinclined to make CIs understand that air gaps are a thing of the past. Stefan Woronka, Siemens Director of Industrial Security Services, was publicly quoted on the subject, saying: “Forget the myth of the air gap – the control system that is completely isolated is history.”

Another, similar notion that contributed to the blatant insecurity of industrial controls was “Security by Obscurity”: a risky idea hoping that if controls remain an unknown domain to hackers and adversaries, they will not know how to reverse-engineer them or exploit their vulnerabilities. This concept was declared no security at all, since it is clear that current day attackers are able to study their aims carefully and devise ways to compromise any system.

Security is not an option, it is a must. The purpose of connecting SCADA systems to the network and the Internet is so that designated personnel can have remote access to the network from remote locations, via mobile devices, and from home. It is often required that vendors and third parties apply patches and updates, and that can take place remotely. Connectivity affords timely notifications that can help address potential disruptions to operations and services regardless of where the technician is, or the time of day. Connectivity cannot be avoided, and it shouldn’t be, because it benefits the organization.

The reality of ICS/SCADA shows that all control systems are connected to the outside world in some fashion: a network connection, a serial line, laptops, and removable drives that can be exploited by modern malware like Stuxnet.

There is no air gap to rely on, and even if there was, it could be exploited via a radio pathway, as demonstrated by the NSA in late 2013 [8].

The bottom line is to accept the fact that CIs are increasingly and progressively connected, that this connectivity is only going to become more widespread and touch on more smart metering, control and monitoring systems. There is no way to avoid finding out what security is needed to make this process safe and secure, and keep the CI well protected.

USING SECURITY SOLUTIONS THAT DON’T FIT THE JOB

When it comes to IT security for CI organizations, especially those operating in the industrial markets, the use of security solutions is a challenging matter.

Industrial plants, facilities and key resources were never connected to external resources on the same level as their enterprise environment. As described in the previous section, security notions for the plant and mechanical zones counted on isolation, a concept that has long since dissipated.

Since CIs do need to maintain some level of security, they typically use enterprise grade solutions for perimeter defense (such as IPS and NGFW), and in some cases some rule-based detection tools. The ICS/SCADA zone is much less updated and secured, and the enterprise security schemes are not a good match for it. Moreover, these solutions do not understand industrial protocols, nor are they able to harmonize data from machines and controls into a complete, detailed picture of the attack surface.

Most of the solutions used by CIs nowadays are focused on preventing intrusion by detecting previously known signatures, rules, patterns or foreseeable behaviors, and less on detecting intruders once they are already in. Unfortunately, the prevention of threats (IPS, IDS, NGFW) can only work to an extent, if at all, in the case of unprecedented issues. They thus mostly address run of the mill threats, while

[8] Source: NY Times

attackers make sure to modify their strategy and tactics every time they plan and launch new campaigns.

All too often, anything outside the scope of existing or foreseeable issues succeeds in infiltrating and ultimately hurting organizations, and the result is security teams that fail to detect advanced attackers, and can’t find or stop them once they are already in.

CIs are also generating a lot more data and information than ever before, and enterprise solutions are not designed to deal with the masses of unique protocols and environments that come in different shapes and forms within the industrial world. Solutions that attempt to deal with the issue see the data in silos, which is insufficient for making sense of it or revealing crucial connections in the rich data, which can be the very evidence of a multi-vector attack.

The use of the wrong tool for the job means inadequate security that cannot protect the organization.

This deepens concerns about the imminence of a large scale attack, especially in view of an ever growing number of successful APT attacks, proving that current day enterprise-grade solutions are simply not enough; not in the case of commercial companies, and surely not for critical infrastructure where impact can be calamitous.

Security for CIs has to be adapted to their mixed and unique environment. The solutions they implement have to be more sophisticated than the professional attackers that will typically plan attacks, with a clear emphasis on detecting ongoing threats and unknown schemes.

CIs ARE PRIME TARGET FOR HOSTILE HACKERS, HACKTIVISTS AND NATION STATES

Another factor is the unprecedented negative attention CIs are getting from attackers. From nation states to hacktivists to opportunistic malicious hackers, adversaries have found the soft spot of their targets. CIs are the key to paralyzing an economy or causing it considerable damage.

Recent history already lists cases of sabotage campaigns where attackers likely based in the Middle East targeted U.S. energy companies, using probes to identify ways to seize control of processing plants. The ultimate goal was infiltrating industrial machinery to shut down the networks that deliver energy or run industrial processes [9]. Attribution is always a challenge, and the group behind these attacks could have been state-sponsored as much as they could have been hackers or cybercriminals.

Hacktivist operations have also become a common cyber threat to CIs, especially the energy sector, since energy is both critical to everyday life and a major driver of the economy. The Anonymous collective, for example, menaces companies in the energy sector with DDoS attacks, hacking into systems to steal and expose sensitive and confidential information, or defacing their websites and accounts.

While these disruptions and nuisances are never welcome, the principal risks are related to the possibility of further sabotage that could damage physical assets.

The most prominent threat to CIs nowadays comes from nation states and their highly skilled operators. Cyber-attacks launched against nations, like Estonia in 2007, Georgia in 2008, and Iran in 2010, all either paralyzed government operations or targeted the critical infrastructure in a quest to disrupt activity, obtain intelligence by means of espionage, or cause destruction to varying extents.

These types of cases are the most sophisticated, targeted and well-planned attacks. Discovering and countering them is not impossible, but it is a serious challenge CIs have to tackle in order to raise security awareness, change practices, adapt training and technological solutions, and begin detecting unknown threats, to ultimately become a lot more resilient and better protected.

WHAT CAN CIs DO TO DRAMATICALLY LOWER RISK EXPOSURE?

While implementing proper security is a complex task for IT and IT security teams, there are some main concepts and a number of key tactics that can dramatically lower risk exposure and the potential impact of cyber threats.

PERIODIC TRAINING AND AWARENESS CAMPAIGNS

The very first tactic on the list is training and awareness of employees and all levels of management, making sure they understand and know how to partake in the mitigation of threats that can compromise their infrastructure and end in disaster.

While training and awareness are supposedly integrated into regulation requirements and are part of every security implementation, a recent survey by Globalscape [10] found some alarming facts:
• Only 48% of employees said that their companies have policies for sending sensitive files
• 30% said that their companies don’t have policies in place
• 22% weren’t sure whether a policy existed

Of those employees at companies that have policies for sending sensitive information:
• 62% still use remote devices
• 54% still use personal email, thereby circumventing security controls and ultimately putting the data at risk.

9 Source: DHS via NY Times 10 Source: GlobalScape via CSO Online


Making sure security awareness is part of the company’s policies is crucial to every part of the organizational hierarchy, especially since the higher team members are placed, the more privileged they are in the infrastructure, and thereby the more adverse the impact if they have poor security habits.

To step up awareness, the IT security team can initiate awareness campaigns about proper password security, locking machines when stepping away, spear phishing and social engineering. A healthy level of leeriness comes in handy when it comes to opening email attachments, sending or giving information over the phone to potential imposters, using company resources for personal purposes and risking malware infection, as well as putting the entire network at risk by plugging in personal devices (with or without BYOD policies in place).

STRATEGIC SEGMENTATION

The way an underlying network is designed, including strategic segmentation and perimeter defenses, plays a critical role in determining its overall vulnerability level. Sectioning security zones and controlling different parts of the network (VES systems, ICS, SCADA devices) can be the element that stops an attack from spreading throughout the organization, or from one environment (like the business IT) to another (plant, machines, ICS/SCADA zone).

The communication schemes between segments can also play a role in their security, or lack thereof. For example, the use of MPLS [11], which is often implemented by CIs for speeding up network traffic flow, can spell the sort of vulnerability that will ultimately result in critical downtime if an attacker breaches the physical security of the infrastructure. Telnet is another example; this insecure remote protocol is all too often the culprit in the compromise of connected resources. Planning for secure communication and disabling Telnet can mitigate unnecessary risk. Conversely, the use of high-bandwidth Ethernet technology for Internet access is inherently more secure and can help reduce network vulnerability overall. When it comes to communications for web-based ICS/SCADA systems, the use of SSL/TLS is the more secure choice.

DEFENSE IN DEPTH

Defense in depth is the tactical layering of security controls to varying levels of redundancy, to ensure consistent resilience in the event one of the layers is compromised or fails. It is a necessity in an era where malware can easily disable and circumvent firewall and AV products or tamper with their functions.

The layers typically employed by most organizations are:

• Physical security of key assets
• Firewall
• VPN
• Intrusion prevention and detection (IPS, IDS)
• Anti-virus software
• Whitelisting approved hosts and blacklisting known malicious hosts
• Hashing passwords and encrypting communications

Layering security, in combination with diligent security routines (keeping all machines, drivers, and software up to date, patching regularly, changing passwords, etc.), can foil a variety of opportunistic attacks, like drive-by infection by botnets [12], and impede an attacker’s foothold in the infrastructure.

REAL-TIME MALWARE PROTECTION

Real-time malware protection has to be part of every security stack, used in the detection of infections that made it through to endpoints on the network and can develop further into other parts of it. Malware protection can help keep run-of-the-mill cyber-malice at bay: automated, opportunistic malicious code (worms, viruses, some Trojans). Note that while malware protection works for most assets, it is not suitable for PLCs and ICS protocols. CIs need more than enterprise-grade solutions to protect their complex networks from external and internal threats that use malware.
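The segmentation section above can be turned into a concrete check. The following is an added example, not code from the whitepaper or from ThetaRay: it audits a zone-to-zone firewall policy for the three issues the text raises (business IT reaching the ICS/SCADA zone directly, Telnet still allowed, and a web-based HMI reached without TLS). The zone names, the ICS DMZ as the brokered path, and the sample rule set are all constructed for illustration.

```python
"""Added example (not the whitepaper's or ThetaRay's code): audit a
zone-to-zone firewall policy for segmentation and protocol hygiene."""
from dataclasses import dataclass

# Zones named in the text (business IT, plant, ICS/SCADA) plus an assumed
# ICS DMZ that brokers all access from the business network.
ALLOWED_PATHS = {
    ("business_it", "ics_dmz"),
    ("ics_dmz", "ics_scada"),
    ("plant", "ics_scada"),
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str    # "tcp" or "udp"
    port: int
    action: str   # "allow" or "deny"

def audit(rules):
    """Return (category, detail) findings for every risky allow rule."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are the desired state, nothing to flag
        flow = f"{r.src_zone}->{r.dst_zone} {r.proto}/{r.port}"
        if r.proto == "tcp" and r.port == 23:
            findings.append(("telnet", f"{flow}: Telnet in use, disable it or move to SSH"))
        if r.dst_zone == "ics_scada" and r.proto == "tcp" and r.port == 80:
            findings.append(("cleartext-http", f"{flow}: web HMI reached without TLS"))
        if r.src_zone != r.dst_zone and (r.src_zone, r.dst_zone) not in ALLOWED_PATHS:
            findings.append(("zone-bypass", f"{flow}: direct path skips the ICS DMZ"))
    return findings

# Constructed sample policy: two of the allow rules produce three findings.
SAMPLE_RULES = [
    Rule("business_it", "ics_scada", "tcp", 23, "allow"),   # Telnet and DMZ bypass
    Rule("business_it", "ics_dmz", "tcp", 443, "allow"),    # brokered HTTPS, fine
    Rule("ics_dmz", "ics_scada", "tcp", 502, "allow"),      # Modbus/TCP via DMZ, fine
    Rule("plant", "ics_scada", "tcp", 80, "allow"),         # cleartext HMI access
    Rule("business_it", "ics_scada", "tcp", 22, "deny"),    # deny rule, ignored
]

if __name__ == "__main__":
    for category, detail in audit(SAMPLE_RULES):
        print(f"[{category}] {detail}")
```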

[11] Source: Multiprotocol Label Switching
[12] Source: A Solutionary report found that 34% of all attacks are botnet based; the largest type of attack


USE A SOLUTION THAT CAN DETECT UNKNOWN CYBER AND OPERATIONAL THREATS

While segmentation, defense in depth and malware detection can offer some protection from known threats, their ability to detect unknowns is much less effective, if effective at all. Current-day solutions based on signatures, rules, heuristics, and fathomable attacker behaviors are not able to find unprecedented issues. The case of highly sophisticated and targeted attacks, which are methodically tailored to their victims, leaves those solutions powerless and those they protect exposed.

Detecting unknowns is the most crucial factor in securing CIs: not from the disguised malware that perpetually comes knocking, but rather from surreptitious threats that may have already infiltrated the infrastructure and could be collecting intelligence, exfiltrating information, or planning the next step towards operational or physical harm. It is the plan for when the infrastructure is breached, not if.

The best technological fit for gaining an all-encompassing view of CI systems, effectively securing their heterogeneous complexity, is the use of a Hyper-dimensional Big Data Analytics solution. This type of platform is designed to easily handle the massive amounts of big data generated by the entire organization and leverage every source of it, including the ICS/SCADA traffic and machine data of all types, for insightful predictive analytics and the discovery of undetected threats.

Issues typically revealed by Hyper-dimensional Big Data Analytics are zero-day and mutated malware incidents, APT attacks in progress, underlying operational issues, and looming equipment faults or malfunctions that are not perceptible without the ability to simultaneously analyze data from all possible sources.

A platform leveraging Hyper-dimensional Big Data Analytics should be computationally efficient, flexible, and easy to deploy on premises or in the cloud, offering the following capabilities:

1. Easy handling of the unlimited amount of big data generated by both the business and the operational networks, by design.
2. Simultaneous and efficient analysis of all sources of data in a non-silo fashion, including ICS/SCADA traffic, network traffic, industrial machine data (turbines, sensors, etc.), various database records, and host-based data, to name a few.
3. Rule-free detection, non-reliant on patterns, signatures, heuristics, etc.
4. Alerts about issues with the lowest achievable false positive rate.
5. An automatic, unsupervised solution.
6. Complete, laser-focused forensics the security team can leverage and quickly act on.
7. No requirement for big data expertise from security teams, yet allowing them to use the full capacity of the platform to detect and defeat threats.

ThetaRay is a leading provider of unknown threat detection solutions to critical infrastructure, financial institutions and organizations using Industrial Internet. The company’s core technology is based on state-of-the-art machine learning algorithms which power its proprietary Hyper-Dimensional Big Data Analytics™. ThetaRay customers detect unknown cyber and operational threats at their earliest signs, defeating surreptitious attackers and unidentified equipment faults in minutes and before any damage can occur.

KEEP EVOLVING! THREATS ARE A MOVING TARGET

While this last item can apply to any organization, it is especially true for CIs: not keeping up with threat modeling and sticking to an outdated security policy can be the very reason your CI will get compromised in a targeted attack. The rising number of APT attacks and ever-increasing large-scale breaches make it safe to say that the current security policy state of affairs—risk assessments, audits, and compliance schemes—might be leading the way to staying behind threats, instead of the resilience they should be creating.

Another way security teams stay behind is by shying away from the advents of BYOD, mobility, connectivity, or IoT schemes in order to avoid the security issues those may bring along. The right way to go about these inevitable signs of progress is to use security to enable them.

Much as threats are rapidly evolving and adversaries keep stepping up their skill and tactics, security teams and decision makers have to evolve with the threat and regard the status quo as a risk factor. The time to reexamine longstanding policies and refresh them is now. Moving forward with the times is an important factor that can dramatically improve the resilience of the network and reduce expenses tied to securing it in the long term.

ABOUT THETARAY

ThetaRay is a leading provider of unknown threat detection solutions to critical infrastructure, financial institutions and organizations using Industrial Internet. The company’s core technology is based on state-of-the-art machine learning algorithms which power its proprietary Hyper-Dimensional Big Data Analytics™. Nowadays, highly customized, sophisticated cyber-attacks easily circumvent traditional security, with adversaries being able to breach, lurk, and operate surreptitiously inside compromised networks for months and years before they are exposed due to impact.

ThetaRay’s patented, award-winning threat detection platform automatically uncovers unknown cyber and operational issues within minutes, allowing customers to take action and avert disaster before any damage occurs. Organizations tasked with securing highly heterogeneous environments that include ICS/SCADA devices, IoT and multiple other data sources, leverage ThetaRay’s unmatched detection and low false positive rates as a see-all power that enables them to unify detection and defeat the unknown.

To learn more about how you can begin uncovering unknown threats and start protecting your critical infrastructure, contact ThetaRay today: www.thetaray.com | @ThetaRayTeam | LinkedIn | Pinterest


ThetaRay | 24 Hebron Road, Jerusalem, 9354212, Israel | Tel: +972-2-640-9763 | [email protected] | www.thetaray.com