Threats
◦ Insider – A recently demoted, fired or laid-off employee or contractor, with intimate knowledge of operations and of how to use the PLCs and a Modbus connection.
◦ Outsider – Someone with a rifle shooting at a substation.
◦ Accidents – Homer asleep at the nuclear power plant.
◦ Malware – Lives on networks.
◦ Governments.
◦ Terrorists.
◦ Competitors – Espionage, denial of business.
◦ Activists.
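The insider bullet above turns on how little Modbus asks of whoever sends a request. The following Python block is an added example, not code from these notes or from any vendor: it builds and parses Modbus/TCP frames, shows that the frame carries no credential or integrity field, and audits a constructed capture for write requests that did not come from the approved master station. The IP addresses, register numbers and the "allowed masters" set are all assumptions made up for the example.

```python
import struct

# Modbus/TCP frame = 7-byte MBAP header followed by the PDU (function code + data).
# MBAP fields, big-endian: transaction id (2), protocol id (2, always 0),
# length (2) = number of bytes after the length field, unit id (1).
MBAP = struct.Struct(">HHHB")

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                   FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS}


def build_frame(transaction_id, unit_id, function_code, data):
    """Wrap a PDU in an MBAP header. There is no authentication or integrity
    field anywhere in the frame: whoever can reach TCP/502 on the device can
    issue any function code the device implements."""
    pdu = bytes([function_code]) + data
    header = MBAP.pack(transaction_id, 0, len(pdu) + 1, unit_id)  # +1 counts the unit id
    return header + pdu


def write_single_register(transaction_id, unit_id, address, value):
    """Function 0x06: overwrite one holding register (for example a setpoint)."""
    return build_frame(transaction_id, unit_id, FC_WRITE_SINGLE_REGISTER,
                       struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, address, count):
    """Function 0x03: read `count` holding registers starting at `address`."""
    return build_frame(transaction_id, unit_id, FC_READ_HOLDING_REGISTERS,
                       struct.pack(">HH", address, count))


def parse_frame(frame):
    """Decode a Modbus/TCP request into a dict, validating the MBAP header."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    transaction_id, protocol_id, length, unit_id = MBAP.unpack_from(frame, 0)
    if protocol_id != 0:
        raise ValueError("protocol id %d is not Modbus" % protocol_id)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    function_code = frame[7]
    data = frame[8:]
    info = {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function_code": function_code,
        "is_write": function_code in WRITE_FUNCTIONS,
        "is_exception": bool(function_code & 0x80),
    }
    # Single-register/coil functions and the read request all carry (address, value/count).
    if function_code in (FC_READ_HOLDING_REGISTERS, FC_WRITE_SINGLE_COIL,
                         FC_WRITE_SINGLE_REGISTER) and len(data) == 4:
        info["address"], info["value"] = struct.unpack(">HH", data)
    return info


def audit_writes(observed, allowed_masters):
    """Flag write requests that did not come from an approved master station.
    `observed` is a list of (source_ip, frame) pairs, e.g. lifted from a capture."""
    alerts = []
    for source_ip, frame in observed:
        info = parse_frame(frame)
        if info["is_write"] and source_ip not in allowed_masters:
            alerts.append((source_ip, info["unit_id"], info["function_code"],
                           info.get("address")))
    return alerts


# Constructed traffic (assumed addresses): the master at 10.0.0.10 polls and
# writes registers; a laptop at 10.0.0.77 writes a new value to register 40.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", read_holding_registers(1, 1, 40, 2)),
    ("10.0.0.77", write_single_register(2, 1, 40, 1000)),
    ("10.0.0.10", write_single_register(3, 1, 41, 250)),
]

if __name__ == "__main__":
    for ip, frame in SAMPLE_TRAFFIC:
        print(ip, frame.hex(), parse_frame(frame))
    print("alerts:", audit_writes(SAMPLE_TRAFFIC, allowed_masters={"10.0.0.10"}))
```

The audit is deliberately crude: a source-IP allowlist is defeated by spoofing or by an attacker on the master itself, so in practice it belongs behind network segmentation and a protocol-aware IDS, not in place of them. The parser does not implement the full function-code set; it is enough to show that nothing in the frame ties a write to an identity.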
Chapter 2 – Cont.
Isolate networks using protocols, firewalls, encryption, and physical air gaps, but a “network” is inherently vulnerable by definition.
IPv6 – Enough addressable space to network everything (IoT).
Most ICS devices can’t talk IPv6, so connecting them requires modified socket implementations.
Chapter 3 – Threat Vectors
FERC & NERC – CIP (Critical Infrastructure Protection standards)
NIST – SP 800-82, Guide to ICS Security
Stuxnet – Designed to cause centrifuge failures.
Flame – Designed to collect intelligence.
◦ http://www.nerc.com/pa/CI/Comp/Pages/default.aspx
◦ http://csrc.nist.gov/publications/nistpubs/80082/SP800-82-final.pdf
Chapter 3 – Cont.
Point-to-point communication between SCADA master stations, DCSs, PLCs, and RTUs must not be left to default off-the-shelf implementations of Bluetooth, 802.x, infrared, and other link-layer or network protocols.
Talent – 65% human skills, 35% technical solutions.
Chapter 3 – Cont.
Defense is about successfully sustaining critical operations while running in a degraded status.
Vendors need to allow APIs that share information and alerts in real time so defenders can close the time gap between detection and reaction.
Chapter 3 – Cont.
Exploit Operations
◦ National legislation takes years.
◦ International cooperation takes decades.
◦ Exhaustive digital analysis of malware (code structure reviews, behavioral analysis, and digital forensics of an exploited ICS) provides details about the exploiter.
◦ Engaging in offensive operations could subject the defender to legal action. How? The attacker usually comes through a proxy server or similar intermediary, so “hacking back” lands on a third party’s system. Example: the Aussie furniture store.
◦ True defense – Learn about your attacker.
◦ Collecting digital intelligence on code assembly reveals patterns used to identify and correlate families of malware attributable to certain hacker groups, governments, or activists.
◦ To become proficient an analyst has to learn Unicode, many coding languages, file compression techniques, encryption schemes and algorithms, hexadecimal encoding, byte offsets, file signatures, bit shifting in code, file formats, encapsulation protocols, etc.
Chapter 3 – Cont.
Sources of Digital Intelligence
◦ Is it memory-resident malware that lives in a process? Use a memory-imaging tool to preserve the entire memory space, including the kernel-protected area.
Methods
◦ Malware authors encrypt and pack their code to obfuscate it, so analyze the system while it is infected: the code has to be unpacked in memory in order to run.
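Two of the skills listed under Exploit Operations (file signatures at byte offsets, and recognizing packed or encrypted code) can be demonstrated together. The Python block below is an added example written for these notes, not tooling from the original text: it identifies a file by its magic bytes and then walks the file in fixed-size windows computing Shannon entropy, since a packed or encrypted section sits near 8 bits per byte while plain code and strings sit far below. The two sample "executables", the signature table and the 7.0-bit threshold are constructed assumptions for illustration.

```python
import math
import random
from collections import Counter

# Magic bytes at fixed offsets: (offset, bytes, description). A constructed
# subset for illustration; real triage tables are far larger.
SIGNATURES = [
    (0, b"MZ", "DOS/PE executable"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "ZIP container (also docx/jar/apk)"),
    (0, b"\x1f\x8b", "gzip stream"),
]


def identify_signature(data):
    """Return the first signature whose magic bytes appear at its offset."""
    for offset, magic, description in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return description
    return "unknown"


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant run, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def entropy_profile(data, window=1024):
    """Entropy of each consecutive window, so packed regions can be located."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_windows(data, window=1024, threshold=7.0):
    """Indexes of windows whose entropy suggests compressed or encrypted content.
    The threshold is an assumption: x86 code and text typically fall well below
    7 bits per byte, while packed or encrypted sections approach 8."""
    return [i for i, e in enumerate(entropy_profile(data, window)) if e >= threshold]


def triage(data, window=1024, threshold=7.0):
    """Summarize a sample: what it claims to be and whether it looks packed."""
    hot = high_entropy_windows(data, window, threshold)
    return {
        "signature": identify_signature(data),
        "size": len(data),
        "overall_entropy": round(shannon_entropy(data), 2),
        "packed_windows": hot,
        "likely_packed": bool(hot),
    }


def build_samples():
    """Constructed stand-ins for an unpacked and a packed PE-style file."""
    dos_stub = b"MZ" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n$"
    # Repetitive assembly-like text: low entropy, like ordinary code and strings.
    plain = dos_stub + (b"push ebp; mov ebp, esp; sub esp, 0x40; ret\n" * 120)
    # Seeded pseudo-random bytes stand in for a packed section (reproducible run).
    rng = random.Random(7)
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    packed = dos_stub + b"\x00" * (1024 - len(dos_stub)) + blob
    return plain, packed


if __name__ == "__main__":
    for name, sample in zip(("plain", "packed"), build_samples()):
        print(name, triage(sample))
```

The same profile run over a memory image of the infected host shows the reverse picture: the region where the unpacked code now lives drops back to normal code entropy, which is the practical reason for imaging memory and analyzing the system while it is infected rather than relying on the on-disk file.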
Chapter 3 – Cont.
Collecting more intelligence – TOR, VPS, Tails, proxies: all leave a trail of IPs.
The Honeynet Project
https://www.honeynet.org/
Some malware recognizes virtualization and will self-eradicate, or has routines that present a harmless signature. Cloud virtualization is changing this.
Malware droppers such as PDFs often reveal the IP the payload is coming from, but it is usually a proxy.
Other delivery methods are USB sticks and social engineering (the most successful method).
Chapter 3 – Cont.
ICS incident responders will deploy to isolated environments and need to create VLANs and use firewalls to ensure the safety and operability of the rest of the ICS, while still allowing the malware to call home (e.g., check a Twitter-based C&C) so its behavior can be observed. This is tough because down-range devices (sensors) may need a heartbeat.
They need kits, rapid response procedures, and equipment staging locations.
Forensically sterile software exists that will reach end-points and preserve and analyze data until incident responders arrive.
Chapter 3 – Cont.
Incident responders should be able to pass malware back to specialized labs that will reverse engineer it.
Remote access to a repository of evidence.
Emerging threats – Same as IT: lack of patching leads to vulnerabilities that get exploited, SQL injection, buffer overflows, default usernames/passwords, logic flaws, bypassing authentication and authorization, escalating privileges, exploit traffic being sent as DNS queries during peak traffic.
Chapter 3 – Cont.
Know your ICS
◦ Authority to operate: Document all devices (firmware/OS/software version, make, model, patch level, open ports and protocols used), gather documentation from the manufacturer, run Wireshark and Snort IDS, and pen test the device.
◦ Change management.
Chapter 3 – Cont.
Risk Assessments:
◦ What do you do? (Business Mission)
◦ What assets make that happen?
◦ What threatens those assets?
◦ Analysts compare threats to vulnerabilities.
◦ Vulnerability gaps are addressed by risk
management techniques.
◦ Residual risk is treated.
Chapter 4 – Risk Management
Uncertainties/risks that impact ICS systems must be identified, analyzed, assessed, and treated to reduce them to a level acceptable to both senior management and ICS control engineers.
The ICS policy should be aligned with the business rules.
Chapter 4 – Cont.
Elements of risk management.
◦ Mission analysis – What is the business trying to do?
◦ Scope – How much are you trying to do?
◦ Asset valuation – What are you using to do what you do?
◦ Threat assessment – Who are the “bad guys”, and what are their tools, motivations, and objectives?
◦ Vulnerability assessment – What are the holes in security?
◦ Risk analysis – How bad is it if the vulnerabilities are exploited?
◦ *Final – Risk assessment – How bad is it for the business?
Chapter 4 – Cont.
AP&S – Addresses risk in all industries. Of note: SCADA prioritizes AIC (availability, integrity, confidentiality) versus traditional IT’s CIA ordering.
AP&S formula – Calculates the exposure of an organization to losses that result from a threat agent exploiting a vulnerability to cause injury to an asset.
R = f (M, AV, T, V)
R – risk, M – mission importance, AV – asset values, T – threats, V – vulnerabilities.
Any increase in one of these factors leads to an increase in risk.
It is a qualitative process.
Chapter 4 – Cont.
Risk – Defined as the likelihood of a threat exploiting a vulnerability and injuring the AIC of assets supporting business activities.
Probability – Defined as the number of times a specific outcome occurs out of a total number of events.
AP&S risk management is based on an accurate assessment of the probabilities of negative events occurring, and on taking mitigative action.
Chapter 4 – Cont.
Risk assessment information gathering
methodology:
1. What does mission success mean? – What
good or service do we provide? To whom?
Where? How important is it? How reliable are
we?
2. How do we provide this good or service?
3. Is this all reflected in the mission
statement?
4. Business lines should emerge:
Manufacturing, distributing, marketing, sales,
customer support, etc.
Chapter 4 – Cont.
5. ICS assets needing AIC should emerge.
They support the business lines.
◦ For example:
Manufacturing – Supply chain ICS, materials
handling, etc.
Build product – Assembly line ICS.
Deliver the product – Packaging, loading ICS.
*There are a lot more IT-related risk needs, like protecting the customer database.
Chapter 4 – Cont.
Risk ethics – Don’t overlay the reason an organization exists with morals, ethics, or principles. It exists to be profitable.
Safeguards must map to residual risk levels approved by senior management and be consistent with industry best practices, training, and education.
Ethical considerations become irreconcilable when protections become too ineffective for the risk manager to tolerate. – Fracking
ICS risk management ultimately falls under ERM (enterprise risk management) – Senior management.
Chapter 4 – Cont.
Risk factor – The public relies on ICSs to provide water, power, heat, traffic lights, filtered air, etc., but most critical infrastructure is privately owned and not accountable to the populace for high-quality, uninterrupted service.
The government has compliance programs for accountability.
Chapter 4 – Cont.
4-step risk communication process:
◦ 1. Express risk at the equipment level as loss of functions. This gets buy-in from control engineers, who are needed to convince managers.
◦ 2. Extrapolate how loss of function affects operations and reporting to headquarters/main office.
◦ 3. Move risk to the strategic level by communicating how negatively impacted operations affect the corporate business.
◦ 4. Identify how corporate loss affects the community, regional, or national level.
Chapter 4 – Cont.
Asset valuation – The process of
determining how important (qualitatively
or quantitatively) an asset is to mission
success in terms of AIC, also how
important an asset is to an adversary.
Quantitative asset valuation – Total
cost of ownership through lifecycle.
Qualitative asset valuation – Focuses
on what the asset does and how critical it
is to completing a process.
Chapter 4 – Cont.
Critical Infrastructure Protection (CIP) organizes assets into these categories:
◦ Personnel
◦ Materiel
◦ Infrastructure and Facilities
◦ Activities
Chapter 4 – Cont.
The value of assets must be directly linked to business processes.
◦ How does the loss of an asset affect the availability of a service?
◦ What are the confidentiality concerns associated with unauthorized disclosure of information?
◦ How would these losses affect the larger system, the community, or the corporation?
◦ *For example: the monetary cost of a part may be negligible but its failure has a large impact: GM’s ignition switch.
Chapter 4 – Cont.
Threat – Defined as any condition or
action, typically negative, which causes
injury to the AIC of an asset by exploiting
some vulnerability.
Threats within the AP&S domain are
usually grouped into: Deliberate,
accidental, natural, or deterioration.
The determining factors are: Capability,
opportunity, and intent.
Chapter 4 – Cont.
Insider threat.
◦ 70% of SCADA attacks are internal.
◦ Conduct background checks.
◦ Separation of duties.
◦ Classify data and have safeguards.
◦ Limit physical access to buildings.
Chapter 4 – Cont.
Threat analysis – How bad is it?
3 important threat analysis elements:
◦ The threat itself in terms of the nature of the
injury. – The What?
◦ The threat agent. The Who?
◦ The threat vector. – The How?
Chapter 4 – Cont.
Threat Community
◦ ICS security information sharing is necessary.
◦ FBI InfraGard
◦ Conferences
*Improves analysis.
Information may be stripped of names, agency notes, locations, etc. – Anonymized.
Chapter 4 – Cont.
Once a threat analyst understands the
threats they may compare them to
vulnerabilities to determine the likelihood
of a threat event exploiting a vulnerability.
Chapter 4 – Cont.
Vulnerabilities – Described as a gap or weakness.
Often the vulnerability is simply that the organization does not see its ICS systems as insecure.
Not all risk may be mitigated. Senior management has to accept some risk as part of doing business.
Chapter 4 – Cont.
Taxonomy of vulnerabilities:
Physical – Improper physical control, no
defense in depth, no physical locking of systems
to maintain positive control.
Technical – Systems not hardened, no
integrated management of systems, no
configuration management, wrong clipping levels
(false alarms), infrequent maintenance.
Operational – Conflicting processes, lack of
training, inadequate safety, silos between
business lines, no OPSEC.
Procedural – Lack of or no security policy or
procedures.
Personnel – Lack of clearance, training, egos,
poor supervision, no security awareness
program.
Chapter 4 – Cont.
Mitigative threat factors:
Span of control – AP&S analysts have
approval to make change.
Span of influence – AP&S analysts
create a MOU and SLA.
Span of awareness – Bulletins, technical
advisories.
No influence – Enterprise relies on
assets belonging to someone else.
Chapter 4 – Cont.
Risk Management – The application of safeguards
by security professionals and the assumption of
residual risk by senior management.
Once risks have been assessed they must be treated.
Ask these questions:
1. What options are available?
2. What are the trade-offs in terms of costs, benefits, and risks?
3. What are the impacts of current management
decisions on future options?
Remember – All risks map to some loss of the AIC of
valued assets.
Chapter 4 – Cont.
Risk Taxonomy:
Personnel – Injuries, absenteeism, etc.
◦ Fix: HR department, OSHA standards.
Technical – Incorrect sequencing of processes, disclosure of info, modification of systems, etc.
◦ Fix: Certification and Accreditation program, IT security best practices.
Procedural – Processing line stoppages.
◦ Fix: Process mapping, formally documented procedures.
Physical – Unauthorized access leading to threats to assets and personnel. ICS systems needing repair from use.
◦ Fix: Access control program (badges), facilities management for maintenance.
Operational – Disclosure of trade secrets, intellectual property.
◦ Fix: Data leakage protection tools. Employee indoctrination and awareness.
◦ *There should be an overall risk management program that includes security intelligence and incident investigations.
Chapter 4 – Cont.
Selling Risk Management
“If it hasn’t happened yet, why worry?”
Once an incident takes place the organization
goes on a marketing campaign to regain
trust.
Competitors try to take your customers,
employees, vendor contracts, and finally buy
you out.
Provide reasonable risk forecasts based on
strong situational awareness and use of
threat and intelligence information.
Chapter 4 – Cont.
Effective Risk Management:
◦ Mapping mission, asset, threat, and
vulnerability to the operations of the
organization.
◦ Using the mapping consistently.
◦ Getting management’s buy-in for the metrics.
◦ Finding out management risk tolerance early
on.
◦ Communicating regulatory compliance.
Chapter 4 – Cont.
Risk Treatment Options
◦ Mitigating risk.
◦ Sharing risk.
◦ Transferring risk.
◦ Accepting risk.
◦ Avoiding risk.
◦ Ignoring risk.
Chapter 4 – Cont.
Risk-Based Penetration Testing/Thinking Like an Adversary
(Recon, Information Gathering, Vulnerability Identification, Exploitation)
◦ Where is the system and can I access it?
◦ What is the level of protection and does it change over time?
◦ Are there cameras, fences, guards?
◦ I must get past controlled doors, secretaries, and staff members, and gain access to a restricted area.
◦ I must remain undetected for 15 minutes.
◦ I must turn on a system and use tools to crack into it.
◦ I must create a persistent presence on the system, or grab files, or modify files.
◦ I must be able to leave with my tools and files.
◦ I must download the files to my system.
◦ I must decrypt those files.
Chapter 4 – Cont.