Core security utcpresentation962012

Page 1: Core security utcpresentation962012

Proactive Security Intelligence for Smart Utilities

September 11, 2012, Canadian Utility Telecom Conference, Vancouver, Canada

Seema Sheth-Voss, [email protected], CORE Security

Page 2: Core security utcpresentation962012


What is so difficult about cyber security?

Page 3: Core security utcpresentation962012

Let’s cover the threat landscape

Stuxnet: “Most Sophisticated Malware Ever”

● Artifact: autonomous, highly-targeted sabotage-oriented worm

● Adversary: Nation-state military / intelligence

● Most likely vector: compromised insider (USB drive!)

● Evaded:

  ● Firewalls

  ● AV

  ● Patching

  ● Host hardening

You can protect against the artifact, but not the adversary. If you are targeted, escalate.

Page 4: Core security utcpresentation962012


Threat: High Tech, Targeted Attacks

● Flame: forged Microsoft update certificate

● DuQu: zero-day kernel exploit embedded in Word document

● Gauss: encrypted payload – can only be decrypted on target machine

● Nation-state adversaries, but still manual remote control

Conventional ICS security guidance does not address targeted attacks

Page 5: Core security utcpresentation962012


Threat: Low Tech, Targeted Attacks

● Night Dragon, Shady RAT

● Trick users into providing passwords, installing malware

● Custom malware, tested to evade anti-virus

● Remote control: steal credentials, propagate

● Steal administrator credentials, create own passwords

● Create accounts, don’t guess long passwords

● Firewalls allow connections with passwords

Conventional ICS security guidance does not address targeted attacks

Page 6: Core security utcpresentation962012


Threat: High-Volume Attacks

● Authors: organized crime

● Black market – stolen credit card number $0.25, stolen bank account / password $1.00

● High volume, auto-propagating, indiscriminate attacks – compromise hundreds of thousands or millions of machines and extract pennies of value from each

● Target of conventional anti-virus solutions

Viruses, worms and bot-nets are the pervasive “background noise” of the Internet. Any interaction with the Internet risks contamination.

Page 7: Core security utcpresentation962012


Management understanding of cyber risk..

Page 8: Core security utcpresentation962012

Challenge in securing critical infrastructures..

Technology stack (diagram):

● SCADA (device level)

● Hardware and software protocols

● Management software layer

● Windows or Linux based (NOT as air-gapped as we think!!)

Page 9: Core security utcpresentation962012

Layered controls at each part of technology stack but no correlation

• The vast majority at the management software layer are built to defend, react or monitor

• This model has inherent gaps:

  − Overwhelming amounts of data

  − Little correlation / communication between solutions

  − By the time alerts go off, it’s too late

Page 10: Core security utcpresentation962012

Key standards and mandates provide a starting point

Key standards and guidance documents, with description:

● NERC Standards CIP-002-4 through CIP-009-4: cyber asset identification, security controls, physical security, security management, incident response and recovery planning

● NIST SP 800-137: Continuous Monitoring Framework

● FERC: approved the NERC CIP rules in 2008 and, in addition, looks to and coordinates with NIST

● Canadian Standards Council: task force on Smart Grid technology and standards, created by the National Committee of the IEC; promotes harmonization with NIST and NERC

.. The non-technical “managerial and organizational process” controls (e.g. NIST) are just as important as the technical controls.

Page 11: Core security utcpresentation962012

Findings of the ICS-CERT across 150 incidents

People

• Failure to perform risk and consequence analyses

• Lack of situational awareness and training on cyber threats such as spear phishing

• Lack of minimum standards

Process

• Business silos – IT and control systems need to be safeguarded as ‘one’

• Policy on removable media and security maturity

• Lack of incident response planning

Technology

• No risk assessment and impact analysis

• Network segmentation

• Patch management in test bed

• User access/log on

• OS & Firmware

Source: US Dept. of Homeland Security Industrial Control Systems Cyber Emergency Response Team 2011 Summary report

Page 12: Core security utcpresentation962012


Proactive Security Intelligence – taking a performance- and analytics-driven approach

What should we do about risks?

How do we convey the risk to get action?

What is happening? Why? What is likely?

What really matters and what doesn’t?

Page 13: Core security utcpresentation962012

What is happening? What is likely?

Penetration Testing: multi-vector, multi-surface and ‘what-if’ testing helps us think like an attacker.

Diagram labels: management software for PLC; alarm to monitor temp.; network operations center; network simulation or VM clone.

Page 14: Core security utcpresentation962012

What is happening? What is likely..

Unique challenges across distribution and corporate monitoring networks – local privilege escalation and spear phishing are examples.

Page 15: Core security utcpresentation962012

A predictive security architecture and process offers a risk-based approach for proactive insights.

1. Environment Profiling and security data collection: tell Insight about your environment.

2. Campaign Definition: you define critical IT assets (aka goals), scope and timing.

3. Threat Planning and Simulation: Insight calculates likely attack paths to your defined assets.

4. Threat Replication: Insight attempts to exploit vulnerabilities along the paths.

5. Adaptive Path Adjustment: Insight seeks new paths as systems are compromised.

6. Infrastructure Change: campaigns can automatically adapt as you deploy new systems.

Diagram labels: GOAL; Security Verified!; New system added to environment!

Page 16: Core security utcpresentation962012

What really matters? Get above the noise of the security data..

Remove false positives and make sense of the noise.. (cycle diagram):

1. Incident and scan data: discover assets, collect incident data and scan for vulnerabilities

2. Exploit: identify and prove critical exposures

3. Remediation: apply patches and other updates

4. Repeat pen testing (exploit): validate fix effectiveness
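The attack-path idea behind this cycle and the campaign steps on the previous slide (define goals, compute paths to them, adapt when a new system appears), as an added Python illustration that is not Core Insight's code or algorithm: a constructed asset graph in which each edge is a scanner finding that would let an attacker move from one host to the next, a goal set of critical assets, and a ranking that keeps only findings lying on some path from the network edge to a goal. Host names, finding ids and severities are hypothetical.

```python
from collections import Counter

# Constructed sample environment (hypothetical host names and finding ids, not a real scan).
# EDGES[src] lists (dst, finding_id): finding_id is the scanner result that, if
# exploitable, lets an attacker already on src reach dst. Dead ends are absent.
EDGES = {
    "internet":   [("corp-web", "F-1001"), ("vpn-gw", "F-1002")],
    "corp-web":   [("corp-ws-07", "F-2002")],
    "corp-ws-07": [("eng-jump", "F-3001")],
    "eng-jump":   [("plc-mgmt", "F-4001"), ("hmi-01", "F-4002")],
    "hmi-01":     [("plc-mgmt", "F-4003")],
}
# Every finding the scanner reported, with its scanner severity. The F-5xxx
# findings are "critical" by severity but sit on hosts that lead nowhere near a goal.
FINDINGS = {
    "F-1001": "high", "F-1002": "medium", "F-2002": "high", "F-3001": "medium",
    "F-4001": "high", "F-4002": "low", "F-4003": "high",
    "F-5001": "critical", "F-5002": "critical", "F-5003": "high",
}
GOALS = {"plc-mgmt"}   # campaign definition: the critical asset(s)

def attack_paths(edges, start, goals):
    """Depth-first enumeration of simple paths from start to any goal.
    Each path is the ordered list of finding ids an attacker would have to exploit."""
    paths = []
    def walk(node, visited, used):
        if node in goals:
            paths.append(used)
            return
        for nxt, finding in edges.get(node, []):
            if nxt not in visited:           # simple paths only: no revisits
                walk(nxt, visited | {nxt}, used + [finding])
    walk(start, {start}, [])
    return paths

def prioritize(edges, findings, start, goals):
    """Rank findings by the number of goal-reaching paths they appear on (ties by id).
    Returns (ranked_ids, noise_ids); noise is every reported finding on no such path,
    whatever its scanner severity."""
    counts = Counter(f for path in attack_paths(edges, start, goals) for f in path)
    ranked = sorted(counts, key=lambda f: (-counts[f], f))
    noise = [f for f in findings if f not in counts]
    return ranked, noise

if __name__ == "__main__":
    ranked, noise = prioritize(EDGES, FINDINGS, "internet", GOALS)
    for f in ranked:
        print(f"work first: {f} (scanner severity {FINDINGS[f]})")
    print("on no attack path:", noise)
```

Re-running prioritize on a copy of EDGES with a new edge added models step 6 of the previous slide: a newly deployed system can open a path that changes the ranking without any new scanner severity.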

Page 17: Core security utcpresentation962012

Value of getting above the noise of data

Before

• Small security staff

• Needed to scale and enhance testing, understand risk to most critical assets

• Getting 82,000 vulnerability signatures from scanner

• Yet only working on 300 results due to resource constraints (hopefully the right 300?)

• Yearly vulnerability management cost: $144,000

• Yearly remediation/patch management estimate at 300 tickets passed to IT: $700,000

After

• Proactively determine attack path across 1000 assets

• Identified the 30 most critical exploitable vulnerabilities of the 82,000 worth addressing first

• Prioritize & validate vulnerabilities

Savings

• VM costs per year: $43,200

• Trouble tickets passed: ~30

Page 18: Core security utcpresentation962012

What should we do with security data? How do we convey risk and take action?

• Security Metrics and Reporting with Continuous Assessment

  • Status of the safeguards

  • Trending

  • Change management

  • Hand-off to remediation systems

• Enterprise Risk Management

  • Safety, continuity, operational implications

  • Business asset tagging

Enabling performance-management-like best practices for security

Page 19: Core security utcpresentation962012


Benefits of a proactive security intelligence approach

Balancing risk mitigation with improved security ‘performance’

• Keep the bad guys out: predict threats without disrupting operations

• Don’t break the bank: eliminating data overload drives actionable insight and improves efficiency

• Demonstrate business impact: convey implications of cyber risk – resiliency and operational continuity

Page 20: Core security utcpresentation962012


About Core Security

• Leading provider of predictive security intelligence solutions

  − Established: 1996; first commercial product: Core Impact, 2001

  − Headquartered in Boston, CoreLabs in Buenos Aires

  − 1,400 customers, ~200 employees

• Diverse, experienced organization driving segment leadership

  − Experienced management – backgrounds include Sophos, CA, Symantec, Seagate, IBM

  − Active Customer Advisory Board and Core Customer Community group

  − Recognized by leading analysts in the emerging category of Security Intelligence

  − Consistent award recognition from industry groups and media

• Groundbreaking research & product development

  − Leading-edge consulting services bring field experience

  − CoreLabs vulnerability research team world renowned – has published more than 200 exploits

  − High-profile research community involvement

  − 6 patents approved / 7 pending

Page 21: Core security utcpresentation962012
