
Critical Infrastructure Protection Convergence of Cyber, Physical and RF Security

Company Confidential – Digital Global Systems Inc. 2018

Convergence of Cyber/Physical/RF = Increased threats

• Nearly 2 decades of innovation, focused on RF utilization and computer processing, have reshaped the way that humans interact with the world.

• Devices have become smaller and more capable, with radio frequencies (RF) acting as the medium for connectivity.

• Just as innovation has delivered increased efficiency, RF-enabled devices also significantly increase vulnerability and risk.

• Cyber and Physical security strategies must now include components addressing threats from RF-enabled devices.

Remote Surveillance and Sensitive Data Collection

DJI Mavic
• 5–7 km range / takeoff < 1 sec
• broadcasts 1080P
• automated RF interference and obstacle avoidance
• flight time up to 30 minutes
• speed up to 40 km/hour

Snoopy
• hacks into smart devices/laptops
• extracts MAC addresses, user names/passwords, credit card information
• enables attacker to access social media accounts and e-mail
• provides location data

AirHopper
• establishes connectivity with an isolated computer (command and control)
• utilizes the CPU's graphics card or video display to send sensitive information to an infected mobile phone's FM receiver
• data is forwarded via internet or SMS

Communication Disruption and Covert Communications

Wireless Jammer
• tunable, can obstruct VHF, UHF, Telco, WiFi transmissions
• typical range can be up to 100 meters (amplifiers can significantly increase range)
• available for less than € 260, procured over the internet
• small form factors available

Frequency Hopping Radio
• frequency-hopping spread spectrum (FHSS) utilizes the repeated switching of frequencies during a transmission
• FHSS is useful to avoid interception and counter eavesdropping
• FH radios have become a useful communications tool to coordinate moving shipments across borders

Use Case: Ports globally are becoming more automated. WiFi in 2.4 and 5.8 GHz has become the preferred medium for command and control. Introducing a jammer into a port environment would bring operations to a halt, costing the port millions of Euros a day in lost revenue.

Wireless Devices – Unique Characteristics

Wireless devices transmit and receive signals on specific radio frequencies (RF) for command, control and data transfer.

With analysis, unique attributes can be utilized to reveal the type of device, the operator, and in some cases, intent.

When combined with Big Data Analytics, data collected over time can reveal:

• RF Patterns for proactive remediation
• Activity consistent with multiple events
• Common mobile phones
• Drone surveillance

(Figure: Phantom 4 Video and Drone Signature)

Advantages of Adding RF to Cyber and Physical Security

Detection of new or systematic RF can indicate the presence of drones, mobile phones, mobile radios, or jammers. This information, coupled with direction finding, provides stakeholders/incident responders the situational intelligence needed to make informed decisions and respond rapidly.

RF situational awareness assists in:

• Reducing the risk of financial losses due to theft, vandalism, and disruptions.

• Providing additional safety for employees and visitors.

• Making other security technologies, such as thermal cameras and IP video, more effective by working in tandem to identify and locate the presence of threats.

Use Case – Metcalf Incident

The Metcalf Incident was a fairly sophisticated assault on Pacific Gas and Electric (PG&E) Company's Metcalf Transmission Substation in California. On the morning of April 16, 2013, a team of gunmen, using rifles, opened fire on the Metcalf Transmission Substation, severely damaging 17 transformers and causing over $15 million USD worth of damage.

Metcalf was "an unprecedented and sophisticated attack" on an electric grid substation with military-style weapons.

Although most of the details are classified:

• multiple rock formations were found around the site capable of supporting sniper rifles.
• AT&T fiber-optic telecommunications cables were cut not far from the facility.
• customers of Level 3 Communications, an Internet service provider, lost service.
• cables in its vault near the Metcalf substation were also cut.
• flashlights could be seen signaling both the beginning and end of the attack.

It is widely believed that detailed surveillance activities were performed before the attack.

RF sensors placed around the facility would have detected mobile phones, WiFi-enabled devices, TPMS data from cars, two-way radios or wireless cameras. Signal intel could have included pre-identifiers, or assisted with the post-incident investigation.

RF Detection Critical Components – Automation and Learning

Automated analysis of the entire communications spectrum at the edge

• Fast, targeted scanning 40 MHz to 6 GHz

• Accurate measurements of the noise floor and signal activity over time
  • Bandwidth
  • Center frequency
  • Amplitude
  • Duration

• Signal characterization
  • Modulation
  • Usage
  • Allocation (License)

• Efficient Storage of Big Data
  • Multiple data types (FFT, IQ)
  • On RF sensor and at data center

• Machine Learning
  • Builds baselines over time
  • Identifies anomalies
  • Characterizes

(Figure captions: "Mobile Phone – Potential Illicit Activity"; "Drone Detected – Potential Surveillance")

Machine Learning and Big Data Analytics

Big Data Analytics and Machine Learning have become an integral part of modern risk management platforms, providing key insights regarding potential attacks, vandalism and theft. For RF detection platforms, learning and analytics can be applied to assist with:

• Drone Detection/Classification
• Pattern Recognition for:
  • Pre-identifiers
  • Post-event Investigations
• Detecting anomalies such as:
  • Jammers
  • Intermittent Interference
• Whitelist Activities

(Figure labels: Direction, Drone Type, Threat Level)

Logic and Coordinated Intelligence – Reduction in False Positives

Not all activity observed in a spectral environment represents a threat. Even in remote locations, mobile activity may be observed. Pedestrians may be in the area utilizing mobile devices.

RF detection systems must be equipped with logic to determine:

• The typical makeup of an environment (common signals based on time of day)
• Proximity to site
• Duration (time on site)

Logic limits false positives to produce alarms that are meaningful.

(Figure: pedestrian walking by a critical asset site)

A coordinated physical plan will also make alarms more relevant and meaningful. An RF detection system should be able to work in tandem with existing systems to drive knowledge.

Example: CCTV cameras: RF alarms can trigger a camera to record or turn to a specific azimuth (RF-based direction finding).

Use Case – RF Situational Intelligence for Physical Security

A utility customer in Spain has several hundred facilities in remote locations. Although the sites are remote, automobiles and foot traffic (with mobile phones and other devices) pass by on a regular basis.

Customer requirements:

• Alarm when a signal loiters near a facility for more than 10 seconds AND is within a certain proximity

(Figure: perpetrator coordinating with associates via mobile device)

• Detect mobile phones even when not on active calls (capture registration bursts, Facebook pushes, email, etc.)

• Detect unauthorized 2-way radios (not whitelisted)

• Alert security and provide azimuth to camera systems when signal is detected

• Minimize false positives with a logic engine analyzing variables such as proximity

The RF system will reduce theft and vandalism at the site
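The false-positive logic described above (typical makeup of the environment by time of day, proximity to site, duration on site) and the customer requirements just listed (loiter for more than 10 seconds AND within proximity, unauthorized two-way radios not on the whitelist, an azimuth handed to the camera system) can be expressed as a small rule engine. The Python below is an added example, not code from the original slides or from Digital Global Systems; the sighting record layout, the emitter identifiers, the 50 m proximity band and the per-hour baseline table are all assumptions constructed for the example.

```python
"""Added example: an RF alarm rule engine with false-positive logic.

Not code from the original slides or from Digital Global Systems. The sighting
record layout, emitter identifiers, proximity band and baseline are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sightings as a sensor might emit them after signal characterization:
# (timestamp_s, emitter_id, device_type, distance_m, azimuth_deg).
# emitter_id is whatever key the sensor uses to group bursts from one device
# (phones are seen via registration bursts and push traffic, not only active calls).
SIGHTINGS = [
    (0,  "phone-A", "mobile",        40.0, 112.0),  # pedestrian walking past
    (4,  "phone-A", "mobile",        48.0, 118.0),
    (8,  "phone-A", "mobile",        70.0, 130.0),  # already outside the proximity band
    (0,  "phone-B", "mobile",        20.0,  45.0),  # stays at the fence line
    (6,  "phone-B", "mobile",        21.0,  46.0),
    (13, "phone-B", "mobile",        19.0,  44.0),
    (2,  "radio-1", "two_way_radio", 30.0, 200.0),  # site radio, on the whitelist
    (20, "radio-9", "two_way_radio", 30.0, 210.0),  # radio not on the whitelist
    (25, "radio-9", "two_way_radio", 28.0, 209.0),
]

WHITELIST = {"radio-1"}        # authorised two-way radios (assumed)
PROXIMITY_M = 50.0             # "within a certain proximity" (assumed value)
LOITER_S = 10                  # alarm when a signal loiters for more than 10 seconds
# Typical makeup of the environment: distinct emitters normally seen per hour (assumed).
BASELINE_PER_HOUR = {hour: (6 if 7 <= hour < 19 else 1) for hour in range(24)}


@dataclass
class Alarm:
    emitter_id: str
    device_type: str
    reason: str
    azimuth_deg: float  # handed to the camera system (RF-based direction finding)


def evaluate(sightings, whitelist=WHITELIST, proximity_m=PROXIMITY_M, loiter_s=LOITER_S):
    """Group sightings per emitter and apply the alarm logic.

    Whitelisted emitters never alarm; unknown two-way radios always alarm;
    anything else alarms only when it dwells inside the proximity band for
    longer than loiter_s. The azimuth of the most recent in-band sighting is
    attached so a camera can be turned towards the emitter.
    """
    by_emitter = defaultdict(list)
    for ts, emitter_id, device_type, distance_m, azimuth in sightings:
        by_emitter[emitter_id].append((ts, device_type, distance_m, azimuth))

    alarms = []
    for emitter_id, rows in by_emitter.items():
        if emitter_id in whitelist:
            continue
        rows.sort()
        device_type = rows[0][1]
        in_band = [r for r in rows if r[2] <= proximity_m]
        latest = (in_band or rows)[-1]
        if device_type == "two_way_radio":
            alarms.append(Alarm(emitter_id, device_type,
                                "unauthorized two-way radio", latest[3]))
            continue
        if not in_band:
            continue  # never came close enough to matter
        dwell_s = in_band[-1][0] - in_band[0][0]
        if dwell_s > loiter_s:
            alarms.append(Alarm(emitter_id, device_type,
                                f"loitered {dwell_s}s within {proximity_m:.0f} m", latest[3]))
    return alarms


def unusual_activity(sightings, hour, baseline=BASELINE_PER_HOUR):
    """Time-of-day check: more distinct emitters than the site normally sees at this hour."""
    distinct = {row[1] for row in sightings}
    return len(distinct) > baseline[hour]


if __name__ == "__main__":
    for alarm in evaluate(SIGHTINGS):
        print(f"ALARM {alarm.emitter_id} ({alarm.device_type}): {alarm.reason}; "
              f"point camera to azimuth {alarm.azimuth_deg:.0f} deg")
    print("activity above baseline for 03:00:", unusual_activity(SIGHTINGS, hour=3))
```

Run as-is, the passing pedestrian (phone-A) produces no alarm because it leaves the proximity band within 4 seconds, the loitering phone-B alarms with the azimuth of its latest in-band sighting, the whitelisted site radio is ignored, and the unknown radio alarms immediately. The dwell window is measured only over in-band sightings, so a device that is detectable at long range but never approaches the fence does not count towards the 10-second threshold.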

Remote Facility Use Case Expanded – Cyber

Protecting remote sites is not only critical from a physical perspective, but also from a network perspective:

• Sites typically have access to the network:
  • Ethernet at site
  • CCTV backhaul
  • Command/Control operations

• Attacking a network from the inside is typically easier, as most cyber security strategies are focused on external intrusions vs. attacks coming from inside the network.

Components Required – RF Detection System

• Combined RF Situational Intelligence and Drone Threat Management System

• Integrates with 3rd party platforms, such as cameras

• Machine learning and patented signal analysis methods, making the systems autonomous

• Efficient data management, reducing backhaul requirements and latency

• Fast scanning, enabling the detection of intermittent and bursting signals

• Drone detection at significant distances (i.e., at least 2 km), providing time to react

• Modular architecture, reducing CAPEX

• Automated real-time analysis, alarming and reporting

Convergence – RF, Cyber, Physical Security

Organizations must focus on security in a holistic way to minimize risk and provide a safe environment. Cyber, Physical and RF security have now converged and security strategies require each to be addressed.

(Diagram: RF, Physical and Cyber security shown as overlapping circles)

Networking Coffee Break

Session 6b: SCADA Systems and IT/OT Integration
Chair: Tony Kingham, Editor, World Security Report
Can Demirel, ICS Cyber Security Services Manager, Biznet Bilisim A.S.
Melih Berk Eksioglu, Team Lead - Penetration Tests, Penetra Cyber Security B.V.
CIPRE 2018, Den Haag, The Netherlands

A Real Cyber Physical Experience: Red Teaming on a Power Plant

Can Demirel, CSSA, GICSP ICS Cyber Security Services Manager, Biznet Bilisim A.S.

Melih Berk Eksioglu, CSSA, OSCP Security Audits Team Lead, Penetra Cyber Security B.V.

biznet.com.tr | [email protected]

About us

• Since 2000
• Cyber Security focus only
• TR, NL
• 80+ employees in total
• 25+ penetration testers
• 10+ years penetration testing experience
• ICS Security focus since 2015
• Listed in Gartner OT Security Market Guide 2018

Sectors: Oil & Gas, Power Distribution, Power Generation, Mining, Pipeline

"By 2021, disruptive attacks on unsecured OT networks will have led to environmental damage and/or harm to people." *

"By 2021, Gartner expects that the needs of security and risk management leaders for industrial process control penetration testing will double, from 10% to 20%." **

* Published: 25 April 2018, ID: G00348369
** Published: 30 December 2016, ID: G00321220

Back to basics!

• Vulnerability Assessment
• Penetration Testing
• Industrial Penetration Testing
• Industrial Red Teaming

Should be able to demonstrate intrusion to ICS and manipulate the process.

Kill Chain

Phase 1: IT Pentester; Phase 2: OT Pentester

(Diagram: Kill Chain Steps)
• Intrusion to Corporate Network
• Intrusion to ICS Network
• Penetration to Supervisory Level
• Penetration to Controller Level
• Intrusion to Safety Systems
• Next

https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297

Phase 1

(Diagram: Phase 1 attack path across the corporate network – Corporate WLAN, Camera Server, File Server, E-Mail Server, Mobile Server, Web Server, Stolen Laptop, Terminal WLAN, Hand Terminal, OT End User, Jump Box, Firewall, ICS Firewall)

State of ICS Vulnerabilities

• 63% – Loss of Control
• 71% – Loss of View
• 61% – Both Loss of Control and Loss of View

Source: https://dragos.com/media/2017-Review-Industrial-Control-Vulnerabilities.pdf

Facts for Phase 2

IT Pentesters:
• Do not have a proper road map for process manipulation
• Do not have process knowledge at all
• Miss the most critical assets
• Do not understand if they are able to manipulate the process

In our cyber-physical LAB, more than 75% of IT Pentesters crashed the controllers.

Phase 2

(Diagram: OT Pentester scope – SIS/ESD, ICS, HMI, OPC, PLC, Process, Controller and Supervisory levels behind the OT Firewall; IT Pentester scope – Server & Workstation level)

https://www.sans.org/reading-room/whitepapers/ICS/secure-architecture-industrial-control-systems-36327

Case 1: Industrial Switch

Fact: Some plants are signal sensitive. In case of packet loss, it is possible to trip turbines.

POST /goform/PortSetting HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http:///port_setting.asp
Accept-Language: en-US,en;q=0.7,tr;q=0.3
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; LCJB; rv:11.0) like Gecko
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Content-Length: 45
DNT: 1
Host:
Pragma: no-cache
Cookie: AccountName508=****; Password508=****; lasttime=1460032535790
Connection: close

PortSettingSubmit.x=51&PortSettingSubmit.y=15

ICS-CERT advisory: ICSA-16-168-01

Takeaways

• Intrusion to ICS networks is just a matter of time!
• Industrial process knowledge is a must!
• Industrial Red Teaming requires ICS infrastructure knowledge
• Industrial Red Teaming is not just a device testing/vulnerability assessment
• ICS Security is not only a technical issue (worldwide common password usage)
• The biggest problem: Mitigation

Questions?

Cevn Vibert
Global Director of Industrial Cyber Security Advisory, Vibert Solutions Ltd
Industrial Cyber Security Practical Improvement Strategies, Project Engagement Approaches and Integrated Security Thinking.

linkedin.com/in/vibertprofile | [email protected] | www.vibertsolutions.com | 07909 992786

Vibert Solutions in the industry

Cevn Vibert

Industrial Cyber Security Advisor, Architect, Consultant, Trainer, Coach

I advise companies in many countries and in most industry verticals.

Experienced in IACS, OT, Security, Cyber, C2, MES, SCADA, CNI, Industrial Cyber Networks and Manufacturing Information Solutions Consultancy and Training.

20+ yrs experience in Industrial Information and Control Systems.

Board Advisor. Director. Chartered IT Professional.

CITP, MIET, MISA, MISSA, MCSA, MISACA, MinstMC, MBCS, MIoD…

Build Communities

(Figure labels: Cyber, Analyst, Community; sectors: Nuclear, Manufacturing, Cyber Security)

linkedin.com/in/vibertprofile | [email protected] | www.vibertsolutions.com | 07909 992786

The IT World

Cyber Attacks are increasing because…???

• LinkedIn breach affected around 117 million.
• MySpace breach exposed 427 million users.
• Tumblr data breach exposed 65 million accounts.
• VK.com security breach exposed 93 million accounts.
• DropBox security breach exposed 69 million accounts.
• Verizon exposed 14 million records.
• BellCanada breach 19 million records.
• Edmodo breach 77 million accounts.
• Equifax breach 143 million accounts.

Hacked account sell price: iTunes $8, Groupon.com $5, GoDaddy.com $4, Facebook $2.50, Twitter $2.50

http://resources.infosecinstitute.com/the-biggest-cyber-security-incidents-of-2016/#gref

The Industrial IT World

cybercampaigns.net and apt.securelist.com for APT Groups

We were missing the stories of relevance to IACS…. But now:

DarkHotel, DroppingElephant, StoneDrill, Industroyer, DragonFly, CrouchingYeti, Equation, Andromeda wiper, Carbanak, KillDisk, ShadowBrokers, WannaCry, Petya, Havex, Turla, NotPetya, Gaus, BlackEnergy, Ukraine1, ZeuS, Ukraine2, BlackEnergy2, Dallas Emergency Sirens, Kemuri Water, EnergeticBear / CozyBear, PetulantPenguin, German Steelmill, Slammer and Conficker Worm, NightDragon, Maersk, Agora+ for Canvas and Metasploit, RedOctober, Aurora Test

Industrial IT System Architectures

Example industrial network (TI-E2E)

The Industrial World…… vendor examples

What IT, Computers, Networks should be Physically, Cyber and Operationally protected? What "IT things" in a facility could be compromised?

• Office Networks
• Office Backups
• Computer Server Room
• Computer Server Room Fire Suppression Systems
• PA Public Address System
• Access Control Network
• Card Reader and Biometrics devices
• Security Control Room
• Reception Computer Terminals
• Printers everywhere
• WiFi repeaters
• Door Control systems
• TV on-demand networks
• CCTV Network
• CCTV Cameras
• Backup Power Supply Generators Room
• UPS Backup Systems
• Fire Detection and Alarm Systems
• Fire System Network
• Building Management Systems
• Building Management Network
• HVAC Systems
• Gate Control Systems
• Vehicle Stopper Control Systems
• Vending Machines and networks

Exploits – now easier to use

Compromise "Test" Tools << FREE AND EASY !! >>

Is your site listed on SHODAN?……. Are your trusted suppliers listed?……. "Compromise Wizard": CRAFT, DEPLOY, LAUNCH. The New Super-Simple Targeting App…… ? Is this the future?

The Cyber Capability Iceberg / The Cyber Knowledge Plimsol Line

Above the line (20):
• Experience
• Training
• Certification
• Threat Awareness
• Purpose
• Requirement
• Budget
• CNI
• Tier 1 Primes & Tier 1 Integrators

Below the line (6000):
• No Hands-on Experience
• Minimal Training
• Minimal Certification
• No Threat Awareness
• Occasional Requirement
• Little Budget
• Systems Integrators
• Academia
• Supply Chain/VARs
• Vendors
• Tier 2, 3, 4, 5 Suppliers
• End-Users

Common Sense Methodologies

Security Methodologies:
• Programmes not Projects
• Audits
• The Relationships
• The A-Team
• The Stairway

Expert Books and Articles:
• Raising Awareness
• Sharing Experience
• Cyber Games
• Basic Mitigations

'Threats / Risks / Business Impacts' and 'Profitable Operations'

Predictions from 2017…..

• Disclosing Attacks becomes mandatory. ✓
• Nation-State Alliances form. ✓
• Cyber and Safety no longer in silos. ✓
• Supply Chain security mandatory.
• ICS Cyber Insurance becomes "real".
• The Kaspersky Effect grows.
• OT Security Market thins. ✓
• ICS Specific Malware Exploits grow. ✓
• AI OT Cyber Security grows.
• Growth of Security-By-Design.
• Nation State ICS probing grows. ✓

Thanks ……and What's Next….

• What did you learn?
• How can you improve your security?
• What are you going to do next?
• Do you need help?
• We look forward to being on YOUR Security A-Team.

[email protected] | www.vibertsolutions.com | 07909 992786 | linkedin.com/in/vibertprofile
Vibert Solutions Ltd.

European Gas Pipeline

The Business Challenge: A Gas Pipeline has a number of pipeline control systems managed through Control Centres in different countries. The provision of Security and Network Operations Centre (SOC and NOC) capabilities is essential to ensuring security for pipeline operational and safety management. Vibert Solutions were asked to provide Subject Matter Expertise with both Process Control and Cyber Security experience together with Governance and Risk Assessment capabilities.

The Solution: Vibert Solutions provided assistance to a range of project challenges aligned with the Gas Pipeline Control Systems Program. Tasks such as: to assess current state of compliance with industry standards; to act as Customer Subject Matter Expert; to link across Process Control, Project Management and Vendor groups; and to provide both Technical Design, Governance and Human input based on experiences, within highly controlled critical national infrastructures, to the Gas Pipeline solution.

Infineum (Exxon and Shell JV)

The Business Challenge: Infineum has several Process Controlled (PCS) sites around the globe running a variety of vendor control systems. Infineum recognised the security enhancement and coordination benefits of providing a Global Security Operations Centre (GSOC) bringing together the current site security capabilities. Vibert Solutions were asked to provide Subject Matter Expertise with both Process Control and Cyber Security experience together with Governance and Risk Assessment capabilities.

The Solution: Vibert Solutions provided assistance to a range of project challenges aligned with the GSOC Program. Tasks such as: to assess current state of compliance with industry standards; to act as Customer Subject Matter Expert; to link across Process Control, Project Management and Vendor groups; and to provide both Technical Design, Governance and Human input based on experiences, within highly controlled critical national infrastructures, to the Infineum GSOC solution. The project phase completed with high levels of success and acclaim from senior management and is being extended to further plants.

Assistance was provided for industrial cyber security expertise.

SOS Security and People's University

Loss of systems, information, knowledge and competitive advantage is a major risk for Norwegian companies. Most have thought about the idea of securing themselves, but unfortunately it usually stops at the idea. Assistance was provided for practical cyber security enhancements. The assistance was tailored to be suitable for business leaders at all levels who want advice and tips on how to enhance cyber security. The work covered a taste of current threats, technologies and services to reduce threats, and an introduction to countermeasures and security strategies.

Assistance was provided for industrial cyber security compliance and go-to-market strategies with business plans and industrial cyber security market knowledge.

Assistance was provided for industrial cyber security go-to-market strategies, website, marcoms and industrial cyber security market knowledge.

Cyber Security Basic Mitigations

• Surveys and Risk Assessments
• Integrity Controls – whitelisting/lockdowns
• Anti-Malware
• Incident Investigation
• Intrusion Monitoring and Prevention (IDS/IPS)
• Command and Control Management (SOC/GSOC/NOC)
• Vulnerability Management/Intel – external links
• Training – … in all its forms….
• Simulation and Strategizing
• Maintenance and Controls

Cyber Essentials / SANS Top 20 / CERT advice / ……. common sense?…..

94% of security professionals expect IIoT to increase risk and vulnerability in their organizations – Tripwire – Jan 2017

Petya/NotPetya/Nyetya/Goldeneye

"A month or so after WannaCry, another wave of infections that partially leveraged Shadow Brokers Windows exploits hit targets worldwide. This malware, called Petya, NotPetya and a few other names, was more advanced than WannaCry in many ways, but still had some flaws, like an ineffective and inefficient payment system. Though it infected networks in multiple countries—like the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosneft—researchers suspect that the ransomware actually masked a targeted cyberattack against Ukraine. The ransomware hit Ukrainian infrastructure particularly hard, disrupting utilities like power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country." – Wired – Jan 2017

Piotr Ciepiela
OT/IoT Security & Critical Infrastructure Leader / EMEIA Associate Partner at Ernst & Young

Using disruptive technology to safeguard Critical Infrastructures
Critical Infrastructure Protection & Resilience Europe (CIPRE)

Piotr Ciepiela, EMEIA OT/IoT Security & Critical Infrastructure Leader

Hague 04/10/2018

The better the question. The better the answer. The better the world works.

The world is changing… Disturbing cybersecurity facts

• More and more malicious programs are being launched: 1.2 million new malware per day.
• It is estimated that approximately $1 trillion will be spent on cybersecurity globally in the years 2017-2021.
• Only 38% of global organizations claim that they are prepared to handle a sophisticated cyberattack.
• Cybercrime damage costs are estimated to hit $6 trillion annually by 2021.
• According to Lloyd's of London, a potential global cyberattack may trigger economic losses reaching $53 billion.
• Average cost of data breach in 2020 will exceed $150 million, as more business infrastructure gets connected.
• On average, a cyberattack is detected after 170 days of attacker's presence in the network.

Sources: Cybint: https://www.cybintsolutions.com/cyber-security-facts-stats/; Lloyd's: https://www.lloyds.com/news-and-risk-insight/press-releases/2017/07/cyber-attack-report; Heimdal Security: https://heimdalsecurity.com/blog/10-surprising-cyber-security-facts-that-may-affect-your-online-safety/; https://www.itspmagazine.com/from-the-newsroom/keep-calm-and-here-is-a-list-of-alarming-cybersecurity-statistics

Page 60, 04 October 2018

IT and OT worlds are converging

15 years delay in moving from isolated, closed systems to unified interconnected environments

(Diagram: timeline 80s – 90s – 2000 – 2012 – 2018. OT: Isolated systems, Connection with business LAN, Emerging Technologies, Close OT cooperation; OT Department problems: closed systems, security. IT: ERP / CRM, Unification of systems, Centralized SSCs, Virtualisation, Cloud computing, Emerging Technologies, new functionalities; IT Department problems: lack of IT knowledge, closed systems, costs, IT effectiveness, no standards; IT/IoT/OT issues.)

Critical Infrastructure security in the context of NIS – Essential Service Operator perspective

NIS Directive:
• Identification of critical systems and networks (e.g. for sectors)
• Implementation of appropriate technical and organizational measures
• Incident identification & notification
• Alignment with National Strategy

What we need NOW…
What we can use in the NEAR FUTURE

What is OT SOC?

The fundamental mission of a SOC is to Detect and Respond to events on the network. A highly mature detection and response capability requires tailored network security solutions and a structured team with well-defined responsibilities and processes.

The SOC is… ► The focal point for security operations and computer network defence, operating in the Detect & Respond tier.

► A SOC is a team primarily composed of security analysts and responders organised to detect, analyse, respond to, report on, and prevent cybersecurity incidents.

► A SOC is not just a SIEM.

How can an OT SOC be developed?

Depending on clients' needs we have three different approaches:

• IT SOC extension to IT/OT SOC
• Separate OT SOC
• OT SOC as managed service

Parties: Client (CISO/Security Manager), Premises, Enterprise Service Management, EY Account Service Advisor, SRT (incident response).

Activities:
► Development of Monitoring architecture and selection of the solution based on client needs and client OT environment
► Development of use cases and testing feasibility and integration in EY's OT Lab
► Selection of data to be gathered by SOC and definition of correlation rules
► Project management during implementation phases
► Supervision over the FAT and SAT
► Development of SOC Operational Model
► Extension of SOC Operational Model to OT Environment
► Development of the Incident Management processes
► Adjustment of the Incident Management processes to OT
► Ticketing of Incident Alerts
► Incident response
► Requests for information
► Provide reports

(Diagram: two reference architectures side by side, "Extension to OT on Client Premises" and "OT SOC – Focus on EY Cyber Analytics Platform, 24x7x365". Level 5 Internet / Internet DMZ: Web Servers. Level 4 Enterprise: Admin, Authentication Servers, Enterprise Desktops, File Servers. Level 3 Operations: VPN, Metadata, Admin, AV, OT IDS, OT Monitoring, Historian, Patch Mgmt, SIEM. Level 2 Supervisory: SIEM. Level 1 Control: RTU / PLC / IED. Level 0: Field devices, Process. Data sources fed to the SOC: NetFlow, DNS, Databases, Servers, Firewalls, Antivirus, IDS/IPS.)

How to respond to a cyberattack in the OT system? Incident Handling

Detection Analysis Containment Eradication Recovery Post-incident

INCIDENT: An unexpected series or single security event that entails the possibility of deterioration in business operations and threatens information security.

SECURITY OPERATIONS MANAGEMENT (SOM): Incident management system using tools for collecting, monitoring and analyzing data. By combining multiple solutions in one place, it enables a focus on information that is important for security.

OBJECTIVES OF INCIDENT MANAGEMENT:
► Quick detection
► Correct diagnosis
► Correct incident management
► Minimization of damage
► Restoration of service
► Determining the cause of the incident
► Implementation of improvements and protection against repetition
► Documentation and reporting

How to respond to a cyberattack in the OT system? Technology outlook

• Detection: Industrial Firewall; Industrial IDS
• Analysis: Log Management; SIEM
• Containment: SOM; Break Fix or Quick Heal; Long term containment
• Eradication: Patch, AV/AM; System cleaning
• Recovery: Recovery from Backup; System rebuild
• Post-incident: Digital Forensic; Reporting

What we need NOW…
What we can use in the NEAR FUTURE

Disruptive technology to safeguard Critical Infrastructures:
• Blockchain
• Artificial Intelligence
• Internet of Things

Questions?

Piotr Ciepiela EMEIA OT/IoT Security & Critical Infrastructure Leader [email protected]