Security auditing of critical systems - CERT.RO

Page 1: Security auditing of critical systems - CERT.RO

© 1991 − 2019, CLICO sp. z o.o.

Security auditing of critical systems

Mariusz Stawowski, Ph.D.

CISSP, CEH, CCISO

Page 2

CLICO Competency Center

• +35 security and network experts

• The biggest Security VAD in the region (IDG report)

• Security audits, ATC, PS, etc.

• 6 security audits of critical infrastructure

• Operating in Central and Eastern Europe:
  • Poland
  • Bulgaria
  • Croatia
  • Czech Republic
  • Romania
  • Slovakia
  • Slovenia
  • Serbia
  • Hungary
• Strong presence in the Baltics and Georgia

Page 3

Diagram: reference architecture of critical systems. Layers: control devices (PLC, PAC, RTU, etc.); visualization, supervision and control (SCADA, DCS, HMI, etc.); advanced analytics and data storage (MES, APC, Historian, etc.); plus cameras, IP phones and many more devices. Connectivity: WAN, LAN, Internet, VPN and an OT maintenance link. Zones: OT, IT and Business. Critical systems are classed as Mission Critical, Life Critical and Data Critical Systems.

Page 4

How to safely test the security of critical systems?

VA and pen-testing in production are risky!

1. Full VA scan of the IT environment connected to the critical systems (e.g. Rapid7 Nexpose)

2. Soft VA of the critical systems themselves (e.g. Rapid7 SCADA scan template)

3. Authenticated scan for vulnerability validation (e.g. CyberArk and Rapid7 Nexpose)

4. Audit of safeguards configuration (e.g. Tufin)

5. Threat modeling to find weaknesses in the security design (e.g. SecureVisio)

6. Social tests of users / operators of critical systems (e.g. Rapid7 Metasploit)

Page 5

Diagram: the same reference architecture (control devices; visualization, supervision and control; advanced analytics and data storage; cameras, IP phones and more; WAN, LAN, Internet, VPN and OT maintenance) with an Industrial/Enterprise DMZ separating the zones. Annotations: "Full scan and exploits" and "Safe checks only".

Reduce the attack surface with network segmentation and vulnerability mitigation.

Find and mitigate vulnerabilities before intruders reach the critical infrastructure.

Page 6

SCADA audit

This is a "polite," or less aggressive, network audit of sensitive Supervisory Control And Data Acquisition (SCADA) systems, using only safe checks. Packet block delays have been increased; time between sent packets has been increased; protocol handshaking has been disabled; and simultaneous network access to assets has been restricted.

Use this template to scan SCADA/OT critical systems.

Vulnerability Management
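To make concrete what "safe checks only", longer delays between packets and restricted simultaneous access (slide 6, and step 2 of the approach on slide 4) mean for a scan plan, here is an added Python model; it is not Rapid7's template logic or CLICO's code, and every check name, asset name and timing value in it is constructed for illustration.

```python
"""Model of a 'polite' OT vulnerability scan plan (added example, not
Rapid7 template code): only safe checks are kept, packets to one asset are
spaced by a fixed delay, and at most N assets are probed at the same time.
All check names, asset names and timings below are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    name: str
    safe: bool    # True = read-only probe; False = may crash or alter a PLC/RTU
    packets: int  # packets the check sends to one asset

# Constructed catalogue: the unsafe entries stand for exploit/DoS-style checks.
CATALOG = [
    Check("banner-grab", True, 1),
    Check("modbus-read-device-id", True, 2),
    Check("snmp-sysdescr", True, 1),
    Check("malformed-packet-dos", False, 50),
    Check("service-exploit", False, 10),
]

def safe_checks(catalog):
    """Keep only checks allowed against SCADA/OT assets."""
    return [c for c in catalog if c.safe]

def schedule(assets, checks, packet_delay_s, max_parallel_assets=1):
    """Return (timeline, total_seconds). timeline holds (start, asset, check)
    tuples; each asset's checks run back to back in one lane, so no asset is
    ever hit by two checks at once, and the lane count caps concurrency."""
    lane_free = [0.0] * max_parallel_assets  # when each lane is free again
    timeline = []
    for asset in assets:
        lane = min(range(max_parallel_assets), key=lambda k: lane_free[k])
        t = lane_free[lane]
        for check in checks:
            timeline.append((t, asset, check.name))
            t += check.packets * packet_delay_s  # enforced inter-packet delay
        lane_free[lane] = t
    return timeline, max(lane_free)

def plan_polite_scan(assets, packet_delay_s=0.5, max_parallel_assets=1):
    """The polite plan over the constructed catalogue."""
    return schedule(assets, safe_checks(CATALOG), packet_delay_s, max_parallel_assets)

if __name__ == "__main__":
    tl, total = plan_polite_scan(["plc-01", "plc-02", "hmi-01"])
    for start, asset, name in tl:
        print(f"t={start:5.1f}s  {asset:7s}  {name}")
    print(f"polite scan of 3 assets finishes after {total} s")
```

Raising `max_parallel_assets` shortens the run but is exactly the knob the template keeps low for OT, so the trade-off between scan duration and asset safety is visible in the returned total.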

Page 7

Protected by CyberArk, the admin credentials allow Nexpose to dig deeper into IT systems for effective vulnerability assessment.

Diagram: Nexpose sends a key request to the CyberArk Enterprise Password Vault (secure storage, password rotation), the key is sent back, and Nexpose runs an authenticated scan of network devices, servers, databases and applications.

Authenticated scan for vulnerability validation

Page 8

Audit of safeguards configuration

Page 9

Threat modeling with business damage analysis

Page 10

Social tests of users / operators of critical systems

Page 11

Diagram: the reference architecture (control devices; visualization, supervision and control; advanced analytics and data storage; cameras, IP phones and more; WAN, LAN, Internet, VPN and OT maintenance) with an Industrial/Enterprise DMZ, under security monitoring by a Security Operations Center.

Page 12

Training "SOC design and operational procedures"

More information: [email protected]

Day 1. Technical design and SOC organization

1. Terminology, elements and scope of SOC

2. Standards, methodologies and guidelines for SOC for IT and OT

3. Information needed to build SOC and achieve compliance with legal and regulatory requirements (NISD, GDPR, PCI-DSS)

4. SOC organizational framework in accordance with the SIM3 (Security Incident Management Maturity Model)

5. Incident and vulnerability management process in accordance with the international ISO/IEC 27035 standard

6. Specialized tools supporting SOC operational procedures

Day 2. SOC operational procedures and tools

1. Stages of the security incident management process (Workflow)

2. Handling security alarms in accordance with the structured SOAR incident management process

3. Automate incident management and incident response using Playbooks

4. Assessing the reputation of IP addresses, URLs and hash files related to events

5. Estimating the risk and consequences of a security breach for incident classification

6. Checking potential attack paths when online attack threats (e.g. an exploit) carry high risk

7. Security vulnerability management with business prioritization